How to improve IoT security

The tsunami-sized trend to add intelligence with sensors and actuators and to connect devices, equipment and appliances to the internet poses safety, security and privacy risks.

Proof comes from a recent meta-study titled The Internet of Hackable Things (pdf) from researchers at the Technical University of Denmark, Denmark; Orebro University, Sweden; and Innopolis University, Russian Federation—compiled from industry and academic research reports—that finds smart devices used in healthcare and smart homes and buildings pose daunting risks.

The authors quantify the risks of Internet of Things (IoT) devices:

Top 5 Windows Server 2016 features that enterprises are deploying

Windows Server 2016 has been out for a year now, the “we’ll wait for the first service pack” delay is behind us, and there are clear features in Windows 2016 that enterprises are adopting and integrating into their network environment. Here's a look at five of those features.

Windows Server 2016 as the base server operating system

This isn't a specific “feature” in Windows 2016, but there's an overall general acceptance by enterprises deploying Windows Server applications to install them on the latest Windows Server 2016 operating system.

Network Interconnection videos have been added into Self Paced SP Training

Recently, I published the Self Paced Service Provider Training Course. I haven’t made an Internet-wide announcement yet, as I am still uploading the content to the course. Though I haven’t announced it yet, some people have already purchased it and the previous Instructor Led Service Provider course attendees got access to the self paced […]

The post Network Interconnection videos have been added into Self Paced SP Training appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

Performance progression of IPv6 route lookup on Linux

In a previous article, I explained how Linux implements an IPv6 routing table. The following graph shows the performance progression of route lookups through Linux history:

Figure: IPv6 route lookup performance progression

All kernels are compiled with GCC 4.9 (from Debian Jessie). This version is able to compile older kernels as well as current ones. The kernel configuration is the default one with CONFIG_SMP, CONFIG_IPV6, CONFIG_IPV6_MULTIPLE_TABLES and CONFIG_IPV6_SUBTREES options enabled. Some other unrelated options are enabled to be able to boot them in a virtual machine and run the benchmark.

There are three notable performance changes:

  • In Linux 3.1, Eric Dumazet slightly delays the copy of route metrics to fix the undesirable sharing of route-specific metrics by all cache entries (commit 21efcfa0ff27). Each cache entry now gets its own metrics, which explains the performance hit for the non-/128 scenarios.
  • In Linux 3.9, Yoshifuji Hideaki removes the reference to the neighbor entry in struct rt6_info (commit 887c95cc1da5). This should have led to a performance increase. The small regression may be due to cache-related issues.
  • In Linux 4.2, Martin KaFai Lau prevents the creation of cache entries for most route lookups. The […]

IPv6 route lookup on Linux

TL;DR: With its implementation of IPv6 routing tables using radix trees, Linux offers subpar performance (450 ns for a full view — 40,000 routes) compared to IPv4 (50 ns for a full view — 500,000 routes) but fair memory usage (20 MiB for a full view).


In a previous article, we had a look at IPv4 route lookup on Linux. Let’s see how different IPv6 is.

Lookup trie implementation

Looking up a prefix in a routing table comes down to finding the most specific entry matching the requested destination. A common structure for this task is the trie, a tree structure where each node has its parent as prefix.

With IPv4, Linux uses a level-compressed trie (or LPC-trie), providing good performance with low memory usage. For IPv6, Linux uses a more classic radix tree (or Patricia trie). There are three reasons for not sharing:

  • The IPv6 implementation (introduced in Linux 2.1.8, 1996) predates the IPv4 implementation based on LPC-tries (in Linux 2.6.13, commit 19baf839ff4a).
  • The feature set is different. Notably, IPv6 supports source-specific routing (since Linux 2. […]

TextFSM Getting Started

TextFSM is a text parsing library written in Python to turn plain text into structured data. Originally created by Google, the project seemed largely abandoned until recently being added to GitHub and receiving a small update. This post will show how to extract interesting data from the...

On ISO standardization of blockchains

So ISO, the primary international standards organization, is seeking to standardize blockchain technologies. On the surface, this seems a reasonable idea, creating a common standard that everyone can interoperate with.

But it can be a silly idea in practice. I mean, it should not be assumed that this is a good thing to do.

The value of official standards

You don't need the official imprimatur of a government committee for something to be a "standard". The Internet itself is a prime example of that.

In the 1980s, the ISO and the IETF (Internet Engineering Task Force) pursued competing standards for creating a world-wide "internet". The IETF was an informal group of technologists that had essentially no official standing.

The ISO version of the Internet failed. Their process was to bring multiple stakeholders from business, government, and universities together in committees to debate competing interests. The result was something so horrible that it could never work in practice.

The IETF succeeded. It consisted of engineers just building things. Rather than officially "standardized", these things were "described", so that others knew enough to build their own version that interoperated. Once lots of different people built interoperating versions of something, then it became a […]

Announcement: IPS code

So after 20 years, IBM is killing off my BlackICE code created in April 1998. So it's time that I rewrite it.

BlackICE was the first "inline" intrusion-detection system, aka. an "intrusion prevention system" or IPS. ISS purchased my company in 2001 and replaced their RealSecure engine with it, and later renamed it Proventia. Then IBM purchased ISS in 2006. Now, they are formally canceling the project and moving customers onto Cisco's products, which are based on Snort.

So now is a good time to write a replacement. The reason is that BlackICE worked fundamentally differently than Snort, using protocol analysis rather than pattern-matching. In this way, it worked more like Bro than Snort. The biggest benefit of protocol-analysis is speed, making it many times faster than Snort. The second benefit is better detection ability, as I describe in this post on Heartbleed.

So my plan is to create a new project. I'll be checking in the starter bits into GitHub starting a couple weeks from now. I need to figure out a new name for the project, so I don't have to rip off a name from William Gibson like I did last time :).

Some notes:

Securing Bitcoins with TREZOR

TREZOR is a hard wallet for securely storing crypto assets such as Bitcoin, Ethereum, and Litecoin. Protection mechanisms like a mnemonic recovery seed, PIN, and encryption passphrase safeguard your assets (private keys) by requiring your physical interaction in order to make transactions. For those crypto noobies, I think it’s easiest to describe the TREZOR functionality […]

The post Securing Bitcoins with TREZOR appeared first on Overlaid.

App Highlight: Hardenize

Hardenize is a comprehensive security tool that continuously monitors the security and configuration of your domain name, email, and website. Ivan Ristić, the author of Hardenize, gave a demo of his app at our Cloudflare London HQ.






Interested in sharing a demo of your app at a meetup? We can help coordinate. Drop a line to [email protected].