Validating Leaked Passwords with k-Anonymity
Today, v2 of Pwned Passwords was released as part of the Have I Been Pwned service offered by Troy Hunt. Containing over half a billion real world leaked passwords, this database provides a vital tool for correcting the course of how the industry combats modern threats against password security.
I have written about how we need to rethink password security and Pwned Passwords v2 in the following post: How Developers Got Password Security So Wrong. Instead, in this post I want to discuss one of the technical contributions Cloudflare has made towards protecting user information when using this tool.
Cloudflare continues to support Pwned Passwords by providing CDN and security functionality such that the data can easily be made available for download in raw form to organisations to protect their customers. Further; as part of the second iteration of this project, I have also worked with Troy on designing and implementing API endpoints that support anonymised range queries to function as an additional layer of security for those consuming the API, that is visible to the client.
This contribution allows for Pwned Passwords clients to use range queries to search for breached passwords, without having to disclose a complete unsalted Continue reading
How Developers got Password Security so Wrong
Both in our real lives, and online, there are times where we need to authenticate ourselves - where we need to confirm we are who we say we are. This can be done using three things:
- Something you know
- Something you have
- Something you are
Passwords are an example of something you know; they were introduced in 1961 for computer authentication for a time-share computer in MIT. Shortly afterwards, a PhD researcher breached this system (by being able to simply download a list of unencrypted passwords) and used the time allocated to others on the computer.
As time has gone on; developers have continued to store passwords insecurely, and users have continued to set them weakly. Despite this, no viable alternative has been created for password security. To date, no system has been created that retains all the benefits that passwords offer as researchers have rarely considered real world constraints[1]. For example; when using fingerprints for authentication, engineers often forget that there is a sizable percentage of the population that do not have usable fingerprints or hardware upgrade costs.
Cracking Passwords
In the 1970s, people started thinking about how to better store passwords and cryptographic hashing started to Continue reading
Vectra Raises $123M for Global Push of its AI-Based Security Platform
The startup’s revenue grew 181 percent in 2017 over the previous year.
Swisscom, Ericsson Team on Network Slicing Tests
Public safety groups may benefit from slicing functionality.
Software-Defined Networking Powers Fixed Wireless Network
EOLO built a custom SDN routing appliance for deployment at radio towers.
History of Networking: Policy with Joel Halpern
Policy at Internet scale is a little understood, and difficult (potentially impossible) to solve problem. Joel Halpern joins the History of Networking over at the Network Collective to talk about the history of policy in the Internet at large, and networked systems in general.
Riverbed Updates SD-WAN to Serve Businesses From Cloud to Network Edge
It added integrations with Xirrus WiFi and enhanced its automated cloud connectivity.
The Next Platform Announces Renowned HPC Expert Joins Team
Former Harvard Computer Science Lead Brings Distributed Systems Experience to Top Publication’s Readers
The Next Platform is proud to announce that former Assistant Dean and Distinguished Engineer for Research Computing at Harvard, Dr. James Cuff, has joined the editorial team in a full-time capacity as Distinguished Technical Author.
As the leading publication covering distributed systems in research and large enterprise, Dr. Cuff rounds out a seasoned editorial team that delivers in-depth analysis from the worlds of supercomputing, artificial intelligence, cloud and hyperscale datacenters, and the many other technology areas that comprise the highest end of today’s IT ecosystems.
Dr. Cuff …
The Next Platform Announces Renowned HPC Expert Joins Team was written by Nicole Hemsoth at The Next Platform.
The Road To 400G Ethernet Is Paved With Bechtolsheim’s Intentions
The best way to make a wave is to make a big splash, which is something that Andy Bechtolsheim, perhaps the most famous serial entrepreneur in IT infrastructure, is very good at doing. As one of the co-founders of Sun Microsystems and a slew of networking and system startups as well as the first investor in Google, he doesn’t just see waves, but generates them and then surfs on them, creating companies and markets as he goes along.
Bechtolsheim was a PhD student at Stanford University, working on a project that aimed to integrate networking interfaces with processors when he …
The Road To 400G Ethernet Is Paved With Bechtolsheim’s Intentions was written by Timothy Prickett Morgan at The Next Platform.
How fast can a bird search a tree?
I was wondering if you could help me figure something out: what is the algorithmic complexity of a bird searching a tree for food?
Over the years I've had the pleasure of watching a lot of cute little birds feed in our oak trees. I've noticed they have a search pattern.
A bird will hop from branch to branch looking for insects. They don't hop on a branch and explore every square inch of it, so it's not an exhaustive search. They'll take a couple hops, peck at a branch a few times, and hop to a nearby branch. Birds also search the underside of branches, so the whole surface area of a tree is game.
I've often marveled in wonder at how efficient this whole process is. They scour huge trees in no time. Then they'll move on to the next tree and repeat the process until they fly away to a completely different area.
My dog when searching for a ball seems to follow a similar Lévy flight sort of pattern. Search a local area by bouncing around for bit and then take a bee-line for a completely different area and repeat the process.
Often Continue reading
HPE Brings More HPC To The DoD
Much of the focus of the recent high-profile budget battle in Washington – and for that matter, many of the financial debates over the past few decades – has been around how much money should go to the military and how much to domestic programs like Social Security and Medicare.
In the bipartisan deal struck earlier this month, both sides saw funding increase over the next two years, with the military seeing its budget jump $160 billion. Congressional Republicans boasted of a critical win for the Department of Defense (DoD) that will result in more soldiers, better weapons, and improved …
HPE Brings More HPC To The DoD was written by Jeffrey Burt at The Next Platform.
We now offer live, on-site Google Cloud Architect training!
We’re excited to announce the release of our newest bootcamp: The Google Cloud Architect Exam Bootcamp. Currently the only course of it’s kind on the market, this bootcamp focuses specifically on what candidates need to know to pass the GCP Cloud Architect Exam. Like our other bootcamps, this class is taught live, on-site by an expert INE Instructor and will feature 5 days of intensive, hands-on, real world exercises, practice exams, and in-depth case study discussions. Attendees will also be provided access to a complete series of GCP based cloud labs.
The goal of our GCP Cloud Architect Exam Bootcamp is to equip students with a foundation-level knowledge of Google Cloud Platform to pass the exam. The primary focus of the class is core concepts and topics found on the GCP Cloud Architect written exam.
This bootcamp is currently only offered in May and August of 2018, at our NC location, but more dates and locations will likely be added in the future.
Who Should Take it?
Our Written Exam Bootcamp is for anyone who is beginning their GCP Cloud Architect certification journey, but already has at least basic knowledge of cloud computing. We strongly recommend at least 1 Continue reading
eBook: Making Networks Secure
In this SDxCentral eBook, Making Networks Secure, we look at some of the key security strategies that are being used to protect networks in this new virtualized world.
Datanauts 122: Protecting Applications With VMware AppDefense (Sponsored)
The Datanauts delve into application security with sponsor VMware. We discuss VMware's AppDefense software, how it works, and why we need a new model for security. The post Datanauts 122: Protecting Applications With VMware AppDefense (Sponsored) appeared first on Packet Pushers.
Episode 22 – Securing BGP
In part 3 of our deep dive into BGP operations, Nick Russo and Russ White join us again on Network Collective to talk about securing BGP. In this episode we cover topics like authentication, advertisement filtering, best practices, origin security, path security, and remotely triggered black holes.
We would like to thank Cumulus Networks for sponsoring this episode of Network Collective. Cumulus is offering you, our listeners, a completely free O’Reilly ebook on the topic of BGP in the data center. You can get your copy of this excellent technical resource here: http://cumulusnetworks.com/networkcollectivebgp
Show Notes:
- Authentication
- Classic MD5
- Enhanced Authentication extensions (EA). Supported by IOS XR and allows for SHA1 as well, along with key-chain rotations. Doesn’t appear commonly used
- GTSM, and how it can be better than the previous option in some cases
- Basic prefix filtering:
- From your customers: allow any number of their own AS prepended
- From the Internet: block bogons (RFC1918, class D/E, etc)
- To your peers: only your local space (ie, your customers)
- From your peers: only routes originating from their AS (any # of prepends)
- BCP38
- Techniques for spoofing prevention
- Describe with a simple snail mail analogy
- Usually uRPF strict Continue reading