0

Reaction: DNS Complexity Lessons

Recently, Bert Hubert wrote of a growing problem in the networking world: the complexity of DNS. We have two systems we all use in the Internet, DNS and BGP. Both of these systems appear to be able to handle anything we can throw at them and “keep on ticking.”

But how far can we drive the complexity of these systems before they ultimately fail? Bert posted this chart to the APNIC blog to illustrate the problem—

I am old enough to remember when the entire Cisco IOS Software (classic) code base was under 150,000 lines; today, I suspect most BGP and DNS implementations are well over this size. Consider this for a moment—a single protocol implementation that is larger than an entire Network Operating System ten to fifteen years back.

What really grabbed my attention, though, was one of the reasons Bert believes we have these complexity problems—

DNS developers frequently see immense complexity not as a problem but as a welcome challenge to be overcome. We say ‘yes’ to things we should say ‘no’ to. Less gifted developer communities would have to say no automatically since they simply would not be able to implement all that new stuff. Continue reading

0

BrandPost: The Path to 5G is Paved with Network Visibility

In a report entitled , Gartner discusses the widespread preparation for 5G networks, the Internet of Things (IoT), and machine-to-machine communications. These technologies are preparing to support a worldwide customer base that looks forward to smart cities, autonomous vehicles, and high-speed multimedia over broadband anywhere and anytime. To read this article in full, please click here

0

IBM Injects Double AI Dose Into Security Platform, Managed Services

An IBM security report found a 424-percent jump in breaches related to misconfigured cloud infrastructure in 2017, largely due to human error.

0

Google: A Collection of Best Practices for Production Services

 

Fail Sanely

Sanitize and validate configuration inputs, and respond to implausible inputs by both continuing to operate in the previous state and alerting to the receipt of bad input. Bad input often falls into one of these categories:

Incorrect data

Validate both syntax and, if possible, semantics. Watch for empty data and partial or truncated data (e.g., alert if the configuration is N% smaller than the previous version).

Delayed data

This may invalidate current data due to timeouts. Alert well before the data is expected to expire.

Fail in a way that preserves function, possibly at the expense of being overly permissive or overly simplistic. We’ve found that it’s generally safer for systems to continue functioning with their previous configuration and await a human’s approval before using the new, perhaps invalid, data.

Examples

In 2005, Google’s global DNS load- and latency-balancing system received an empty DNS entry file as a result of file permissions. It accepted this empty file and served NXDOMAIN for Continue reading

0

Woot Woot! 16 Weeks of Security Learning!! — SECURITY ZERO-TO-HERO

Just signed up last week for the Micronic’s “Security Zero-to-Hero” class. I am beyond stoked and excited!  I have been searching for awhile now for a class to take to help me really “go to the next level” in Security. But I just wasn’t finding the kind of class I was looking for. Every class I saw offered was either focused on one narrow aspect of the security landscape OR focused on helping people pass the CCIE Security.  Neither or which matched what I was searching for.

The class I was hoping to find would be structured more like a semester long college class with real world production discussions and also hands on labs. A class where … over weeks of learning and labbing in my personal time… the learning would just continue to seep deeper and deeper and the “aha” moments would just keep coming.  There were lots of one week classes to choose from. But, for me,  I just don’t see a one week class as a great “immersive” experience  into the complex landscape of the world of Security.  There is a “learning limit”, for me, as to how much my brain can retain Continue reading

0

Worth Reading: The Easy Button

Automation has become this “all-encompassing thingy” much like SDN. It’s a software industry problem and it’s critical more now than ever that we do not slip backwards by trying to drag a broken idea forwards. —David Gee

0

New Verizon Channel Helps Enterprises Accelerate Their Digital Transformation

Making that digital transition will not be simple. Take advantage of the resources available on the Verizon Enterprise Solutions channel and learn how to drive positive results while maintaining the security of your network

0

ISOC Engages with R&E Networking in the Asia-Pacific Region

The APAN 45 meeting was held on 25-29 March 2018 in Singapore, where Kevin Meynell presented the MANRS routing security initiative during the Network Engineering Workshop.

We’ve previously discussed the underlying trust-based issues of BGP that MANRS attempts to address in a number of blogs, but we’re particularly interested in partnering with R&E networking communities for the reasons that National Research and Education Networks (NRENs) are often early adopters of new technologies and initiatives, they’re interested in distinguishing themselves from commercial operators, and the R&E community is a collaborative one.

This engagement resulted in significant interest from a number of NRENs in becoming MANRS participants, with AARNet (Australian Academic and Research Network) signing-up shortly afterwards (AS 7575). The presentation is available on the APAN 45 website, and may be freely used by those interested in promoting MANRS to raise awareness of routing security issues and promote the initiative.

APAN (Asia Pacific Advanced Network) supports the R&E networks in the region to help them to connect to each other and to other R&E networks around the world, allows knowledge to be exchanged, and coordinates the activities, services and applications of its members for their common good. APAN and the preceding APNG Continue reading

0

Network Break 180: Tetration In The Cloud; Attackers Target Cisco Switches

0

The Week in Internet News: AI Goes to the Dogs

Do you trust this documentary? Do You Trust This Computer? is a new documentary from filmmaker Chris Paine that’s dedicated to the dangers of artificial intelligence. Elon Musk, who’s been vocal about the potential downsides of the technology, appears in the film and has promoted it. But The Verge finds the film a bit overly dramatic, saying “feels more like a trailer for a bad sci-fi movie than a documentary on AI.”

Or you could just get a dog: Speaking of AI, researchers at the University of Washington in Seattle are using canine behavior to train an AI system to make dog-like decisions, reports MIT Technology Review.  The researchers are using dog behavior as a way to help AI better learn how to plan, with hopes of helping AI better understand visual intelligence, among other things.

News apps meet the Great Firewall: The Chinese government has temporarily blocked four news apps from being downloaded from Android app stores, ZDNet reports. The apps, with a combined user base of more than 400 million, have been suspended for up to three weeks in an apparent government media crackdown. Meanwhile, Chinese regulators have permanently banned a joke app for supposed vulgar content.

Continue reading

0

At RSA USA 2018 in San Francisco this week? Join the IoT Security conversation on Tuesday, April 17

Are you attending the RSA USA 2018 Conference this week in San Francisco? If so, please plan to join this panel session happening Tuesday, April 17, 2018, from 3:30 – 4:14pm (PDT):

IoT Trust by Design: Lessons Learned in Wearables and Smart Home Products

Moderated by my colleague Jeff Wilbur, Director of the Online Trust Alliance (OTA), the panel abstract is:

---

The world has awakened to the need for tighter security and privacy in consumer-grade IoT offerings. This panel will present a trust framework for IoT, and wearable and smart home experts will discuss top attack vectors, typical vulnerabilities in devices, apps and systems, common reasons for design compromise, the evolution of security and privacy in IoT and where it needs to go.

---

They will be discussing the OTA’s IoT Trust Framework, as well as some new mechanisms available to help enterprises understand the risks associated with IoT devices.

If you believe securing the Internet of Things is a critical step to having a secure Internet, please join Jeff and his panelists to learn more.

Unfortunately there appears to be no live stream available but they do seem to be recording many of the sessions. If Jeff’s Continue reading

0

Juniper – NXTWORK 2018 – Save the date!

Juniper has finally released the dates for 4th annual partner and customer Juniper NXTWORK conference – and the event has …

Continue reading →

The post Juniper – NXTWORK 2018 – Save the date! appeared first on Fryguy's Blog.

0

Notes on setting up Raspberry Pi 3 as WiFi hotspot

I want to sniff the packets for IoT devices. There are a number of ways of doing this, but one straightforward mechanism is configuring a "Raspberry Pi 3 B" as a WiFi hotspot, then running tcpdump on it to record all the packets that pass through it. Google gives lots of results on how to do this, but they all demand that you have the precise hardware, WiFi hardware, and software that the authors do, so that's a pain.


I got it working using the instructions here. There are a few additional notes, which is why I'm writing this blogpost, so I remember them.
https://www.raspberrypi.org/documentation/configuration/wireless/access-point.md

I'm using the RPi-3-B and not the RPi-3-B+, and the latest version of Raspbian at the time of this writing, "Raspbian Stretch Lite 2018-3-13".

Some things didn't work as described. The first is that it couldn't find the package "hostapd". That solution was to run "apt-get update" a second time.

The second problem was error message about the NAT not working when trying to set the masquerade rule. That's because the 'upgrade' updates the kernel, making the running system out-of-date with the files on the disk. The solution to that is make Continue reading

0

Cisco Ramps Up RSA Conference Security Services Roll Out

It added new email security services, visibility and malware protection features, and managed security offerings through IT services company ConnectWise.

0

My letter urging Georgia governor to veto anti-hacking bill

February 16, 2018

Office of the Governor
206 Washington Street
111 State Capitol
Atlanta, Georgia 30334


Re: SB 315

Dear Governor Deal:

I am writing to urge you to veto SB315, the "Unauthorized Computer Access" bill.

The cybersecurity community, of which Georgia is a leader, is nearly unanimous that SB315 will make cybersecurity worse. You've undoubtedly heard from many of us opposing this bill. It does not help in prosecuting foreign hackers who target Georgian computers, such as our elections systems. Instead, it prevents those who notice security flaws from pointing them out, thereby getting them fixed. This law violates the well-known Kirchhoff's Principle, that instead of secrecy and obscurity, that security is achieved through transparency and openness.

That the bill contains this flaw is no accident. The justification for this bill comes from an incident where a security researcher noticed a Georgia state election system had made voter information public. This remained unfixed, months after the vulnerability was first disclosed, leaving the data exposed. Those in charge decided that it was better to prosecute those responsible for discovering the flaw rather than punish those who failed to secure Georgia voter information, hence this law.

Too many security experts oppose Continue reading

0

Should I Take CCIE DC or ipSpace.net Data Center Online Course?

Got this question from a networking engineer who couldn’t decide whether to go for CCIE Data Center certification or attend my Building Next-Generation Data Center online course:

I am considering pursuing CCIE DC. I found your Next-Generation DC course very interesting. Now I am bit confused trying to decide whether to start with CCIE DC first and then do your course.

You might be in a similar position, so here’s what I told him.

Read more ...

0

IaaS Cloud Adoption Trends

0

Cleared JNCIS-Devops

Last week I went to write JNCIS-Devops exam, I was under an impression that I may not be able to clear it but good did happen!

First and Foremost

-> I had the official training for JAUTcourse – The course is extremetly helpful as it provides the precise material and also the structured lab environment for you to explore and study, nothing beats a class-room study and training environment

But, after appearing I can tell you that you dont really require the offiicial training (if that is the only thing stopping you to think about the exam), the exam will test you for your understanding of automation philosophy and also how Juniper Implements it.

Topics of Interest

– Juniper  pyez – understand how everything helps in Pyez

Dayone Books Helps – https://www.juniper.net/uk/en/training/jnbooks/day-one/automation-series/junos-pyez-cookbook/

– Juniper ansible – https://www.juniper.net/uk/en/training/jnbooks/day-one/automation-series/junos-pyez-cookbook/

-Book – Network Programmability and Automation

https://www.safaribooksonline.com/library/view/network-programmability-and/9781491931240/

— Jsnapy – https://www.juniper.net/uk/en/training/jnbooks/day-one/automation-series/using-jsnap-automate-network-verifications/

All you need to have are couple of VMX devices a Linux machine and you should be able to deploy all of the automation efforts discussed in above books.

You dont have to know the code in your head or how to write a Continue reading

0

ipSpace.net Subscription Now Available with PayPal

Every second blue moon someone asks me whether they could buy ipSpace.net subscription with PayPal. So far, the answer has been no.

Recently we started testing whether we could use Digital River to solve a few interesting challenges we had in the past, and as they offer PayPal as a payment option, it seemed to be a perfect fit for a low-volume trial.

The only product that you can buy with PayPal during the trial is the standard subscription – just select PayPal as the payment method during the checkout process.

Finally: the first three subscribers using PayPal will get extra 6 months of subscription.

0

Let’s stop talking about password strength

Picture from EFF -- CC-BY license

Near the top of most security recommendations is to use "strong passwords". We need to stop doing this.

Yes, weak passwords can be a problem. If a website gets hacked, weak passwords are easier to crack. It's not that this is wrong advice.

On the other hand, it's not particularly good advice, either. It's far down the list of important advice that people need to remember. "Weak passwords" are nowhere near the risk of "password reuse". When your Facebook or email account gets hacked, it's because you used the same password across many websites, not because you used a weak password.

Important websites, where the strength of your password matters, already take care of the problem. They use strong, salted hashes on the backend to protect the password. On the frontend, they force passwords to be a certain length and a certain complexity. Maybe the better advice is to not trust any website that doesn't enforce stronger passwords (minimum of 8 characters consisting of both letters and non-letters).

To some extent, this "strong password" advice has become obsolete. A decade ago, websites had poor protection (MD5 hashes) and no enforcement of complexity, so it Continue reading