Flowspec and RFC1998?

In a recent comment, Dave Raney asked:

Russ, I read your latest blog post on BGP. I have been curious about another development. Specifically is there still any work related to using BGP Flowspec in a similar fashion to RFC1998. In which a customer of a provider will be able to ask a provider to discard traffic using a flowspec rule at the provider edge. I saw that these were in development and are similar but both appear defunct. BGP Flowspec-ORF https://www.ietf.org/proceedings/93/slides/slides-93-idr-19.pdf BGP Flowspec Redirect https://tools.ietf.org/html/draft-ietf-idr-flowspec-redirect-ip-02.

This is a good question—to which there are two answers. The first is this service does exist. While its not widely publicized, a number of transit providers do, in fact, offer the ability to send them a flowspec community which will cause them to set a filter on their end of the link. This kind of service is immensely useful for countering Distributed Denial of Service (DDoS) attacks, of course. The problem is such services are expensive. The one provider I have personal experience with charges per prefix, and the cost is high enough to make it much less attractive.

Why would the cost be so high? The same Continue reading

Worth Reading: Changing Slack to break down silos

Collaboration and information silos are a reality in most organizations today. People tend to regard them as huge barriers to innovation and organizational efficiency. They’re also a favorite target for solutions from software tool vendors of all types. Tools by themselves, however, are seldom (if ever), the answer to a problem like organizational silos. The reason for this is simple: Silos are made of people, and human dynamics are key drivers for the existence of silos in the first place. —Guy Martin @ opensource.com

39% off American Red Cross Blackout Buddy Emergency Nightlight – Deal Alert

Just leave the slim and trim Blackout Buddy in your wall socket and you’ll never be in the dark. It automatically turns on when the power goes out so that you can easily locate it. Then, fold away the prongs and you've got yourself a flashlight. A very bright idea from the American Red Cross. Flip a switch and the Blackout Buddy also doubles as an LED nightlight, so you can keep your kids' rooms, hallways, or kitchen always illuminated. The Blackout Buddy keeps itself charged and provides up to 4 hours of light when needed. It averages 4.5 out of 5 stars from over 1,800 people on Amazon (read reviews). Its typical list price of $14.64 has been reduced 39% to just $8.98.To read this article in full, please click here

34% off TurboTax Deluxe 2017 Tax Software, Federal & State – Deal Alert

TurboTax coaches you every step of the way and double checks your return as you go to handle even the toughest tax situations, so you can be confident you’re getting every dollar you deserve. Its typical list price of $59.99 has been reduced a generous 34% to $39.86 in a deal that is exclusive to Amazon. Also exclusive to this Amazon deal, receive a free 1-year subscription to Quicken Starter Edition 2018. Learn more, or take advantage of the deal now, on Amazon.To read this article in full, please click here

Intel’s processor flaw is a virtualization nightmare

2018 is off to a very bad start for Intel after the disclosure of a flaw deep in the design of its processors, dubbed Meltdown. And while the company has publicly said the issue won’t affect consumers, they aren’t the ones who need to be worried.The issue is found in how Intel processors work with page tables for handling virtual memory. It is believed that an exploit would be able to observe the content of privileged memory by exploiting a technique called speculative execution.Speculative execution exploit Speculative execution is a part of a methodology called out-of-order execution (OOE), where basically the CPU makes an educated guess on what will happen next based on the data it has. It’s designed to speed up the CPU rather than burn up CPU cycles working its way through a process. It’s all meant to make the CPU as efficient as possible.To read this article in full, please click here

Intel’s processor flaw is a virtualization nightmare

2018 is off to a very bad start for Intel after the disclosure of a flaw deep in the design of its processors. And while the company has publicly said the issue won’t affect consumers, they aren’t the ones who need to be worried.The issue is found in how Intel processors work with page tables for handling virtual memory. It is believed that an exploit would be able to observe the content of privileged memory by exploiting a technique called speculative execution.Speculative execution exploit Speculative execution is a part of a methodology called out-of-order execution (OOE), where basically the CPU makes an educated guess on what will happen next based on the data it has. It’s designed to speed up the CPU rather than burn up CPU cycles working its way through a process. It’s all meant to make the CPU as efficient as possible.To read this article in full, please click here

Meltdown and Spectre

While many have already seen something on these two, this is the best set of articles I’ve found on these vulnerabilities and the ramifications.

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents. —meltdownattack.com

Windows, Linux, and macOS have all received security patches that significantly alter how the operating systems handle virtual memory in order to protect against a hitherto undisclosed flaw. This is more than a little notable; it’s been clear that Microsoft and the Linux kernel developers have been informed of some non-public security issue and have been rushing to fix it. But nobody knew quite what the problem was, leading to lots of speculation and experimentation based on pre-releases of the patches. —ARS Technica

You don’t have to worry if you patch. If you download the Continue reading

25% off SanDisk 256GB iXpand Base for iPhone charging and backup – Deal Alert

Here's something you probably didn't know existed. With SanDisk's iXpand iPhone base, you'll never have to worry about losing your memories again. Every time you charge your iPhone with the iXpand Base, it automatically backs up your photos, videos and contacts. The iXpand Base offers plenty of room to save your files in their original quality with no worry about recurring monthly fees for Internet-based storage. Designed for everyday use with a soft rubber top, a sturdy base, and a wrap-around groove to keep your Apple Lightning to USB cable tidy. Its typical list price has been discounted $50, for now, to $149.99. See this deal on Amazon.To read this article in full, please click here

IoT: A vulnerable asset but also a recovery tool in disasters

If you think the proliferation of mobile devices changed the concept of the network edge, get ready for the emerging Internet of Things (IoT), where a network-connected sensor could be located on top of a mountain, in a corn field or even in the ocean.So, how does an enterprise incorporate IoT into its disaster recovery plan? In one sense, IoT creates a unique challenge because it is far-flung and vulnerable. But it can also become part of a DR solution, helping to protect the business in the event of a disaster, according to experts.+Also on Network World: REVIEW: 4 top disaster-recovery platforms compared; Review: Microsoft Azure IoT Suite+To read this article in full, please click here

32% off Kidde Carbon Monoxide Alarm with Display and 10 Year Battery – Deal Alert

Carbon Monoxide is odorless, tasteless and invisible, and it accounts for over 72,000 cases of poisoning each year. Kidde calls their C3010D model "worry free" because its sensor and sealed battery provide 10 years of uninterrupted CO detection, and a digital display that updates every 15 seconds. The unit will chirp when its reaching the ends of its life, so you don't have to wonder. The Kidde C3010D alarm is currently discounted 32% to $34.91. See this deal now on Amazon.To read this article in full, please click here

32% off Kidde Carbon Monoxide Alarm with Display and 10 Year Battery – Deal Alert

Carbon Monoxide is odorless, tasteless and invisible, and it accounts for over 72,000 cases of poisoning each year. Kidde calls their C3010D model "worry free" because its sensor and sealed battery provide 10 years of uninterrupted CO detection, and a digital display that updates every 15 seconds. The unit will chirp when its reaching the ends of its life, so you don't have to wonder. The Kidde C3010D alarm is currently discounted 32% to $34.91. See this deal now on Amazon.To read this article in full, please click here

Some notes on Meltdown/Spectre

I thought I'd write up some notes.

You don't have to worry if you patch. If you download the latest update from Microsoft, Apple, or Linux, then the problem is fixed for you and you don't have to worry. If you aren't up to date, then there's a lot of other nasties out there you should probably also be worrying about. I mention this because while this bug is big in the news, it's probably not news the average consumer needs to concern themselves with.

This will force a redesign of CPUs and operating systems. While not a big news item for consumers, it's huge in the geek world. We'll need to redesign operating systems and how CPUs are made.

Don't worry about the performance hit. Some, especially avid gamers, are concerned about the claims of "30%" performance reduction when applying the patch. That's only in some rare cases, so you shouldn't worry too much about it. As far as I can tell, 3D games aren't likely to see less than 1% performance degradation. If you imagine your game is suddenly slower after the patch, then something else broke it.

This wasn't foreseeable. A common cliche is that such bugs Continue reading

Why Meltdown exists

So I thought I'd answer this question. I'm not a "chipmaker", but I've been optimizing low-level assembly x86 assembly language for a couple of decades.





The tl;dr version is this: the CPUs have no bug. The results are correct, it's just that the timing is different. CPU designers will never fix the general problem of undetermined timing.

CPUs are deterministic in the results they produce. If you add 5+6, you always get 11 -- always. On the other hand, the amount of time they take is non-deterministic. Run a benchmark on your computer. Now run it again. The amount of time it took varies, for a lot of reasons.

That CPUs take an unknown amount of time is an inherent problem in CPU design. Even if you do everything right, "interrupts" from clock timers and network cards will still cause undefined timing problems. Therefore, CPU designers have thrown the concept of "deterministic time" out Continue reading

Let’s see if I’ve got Metldown right

I thought I'd write down the proof-of-concept to see if I got it right.

So the Meltdown paper lists the following steps:

 ; flush cache
 ; rcx = kernel address
 ; rbx = probe array
 retry:
 mov al, byte [rcx]
 shl rax, 0xc
 jz retry
 mov rbx, qword [rbx + rax]
 ; measure which of 256 cachelines were accessed

So the first step is to flush the cache, so that none of the 256 possible cache lines in our "probe array" are in the cache. There are many ways this can be done.

Now pick a byte of secret kernel memory to read. Presumably, we'll just read all of memory, one byte at a time. The address of this byte is in rcx.

Now execute the instruction:
    mov al, byte [rcx]
This line of code will crash (raise an exception). That's because [rcx] points to secret kernel memory which we don't have permission to read. The value of the real al (the low-order byte of rax) will never actually change.

But fear not! Intel is massively out-of-order. That means before the exception happens, it will provisionally and partially execute the following instructions. While Intel has only 16 Continue reading

Fortinet FortiGate-VMX and NSX use cases

Fortinet FortiGate-VMX NSX is an extensible platform; other vendors security solutions can be added to it by means of the Northbound REST API, and two private APIs: NETX for network introspection, and EPSEC for guest introspection. Fortinet’s FortiGate-VMX solution uses the NSX NETX API to provide advanced layer 4-7 services via service insertion, also called service chaining.  This enables... Read more →

1 1,787 1,788 1,789 1,790 1,791 3,856