State of MAC address randomization

tldr: I went to DragonCon, a conference of 85,000 people, so sniff WiFi packets and test how many phones now uses MAC address randomization. Almost all iPhones nowadays do, but it seems only a third of Android phones do.


Ten years ago at BlackHat, we presented the "data seepage" problem, how the broadcasts from your devices allow you to be tracked. Among the things we highlighted was how WiFi probes looking to connect to access-points expose the unique hardware address burned into the phone, the MAC address. This hardware address is unique to your phone, shared by no other device in the world. Evildoers, such as the NSA or GRU, could install passive listening devices in airports and train-stations around the world in order to track your movements. This could be done with $25 devices sprinkled around a few thousand places -- within the budget of not only a police state, but also the average hacker.

In 2014, with the release of iOS 8, Apple addressed this problem by randomizing the MAC address. Every time you restart your phone, it picks a new, random, hardware address for connecting to WiFi. This causes a few problems: every time you restart Continue reading

Worth Reading: Malware in your screen

Phone touchscreens, and other similar hardware components such as orientation sensors, wireless charging controllers, and NFC readers, are often produced by thirdparty manufacturers and not by the phone vendors themselves. Third-party driver source code to support these components is integrated into the vendor’s source code. In contrast to “pluggable” drivers, such as USB or network drivers, the component driver’s source code implicitly assumes that the component hardware is authentic and trustworthy. As a result of this trust, very few integrity checks are performed on the communications between the component and the device’s main processor. —Shattered Trust (PDF)

The post Worth Reading: Malware in your screen appeared first on rule 11 reader.

Hey Alexa, Turn my lab on!

TL/DR Put together a custom Alexa Skill so I can turn switches and routers off in my lab as shown in the video here. Feels pretty great.

 

As most of my twitter followers have noticed, I’ve been doing a lot of Home Automation, mostly with Apple #homeKit. But I also picked up an Amazon Dot because… well why not?

One of the great things abut the digital voice assistance from Amazon, is that they have created an extensible framework that enables those with a little bit of coding skills to add to Mrs. A’s already already impressive impressive array of abilities.

The Amazon Alexa developer page is pretty impressive. There’s a ton of information and tutorials there, as well as an SDK and code examples in Node.js. I’m almost exclusively a python coder at this point, so I decided to look for something a little more familiar and came upon this.

Flask-Ask

Flask-Ask is a Flask extension that makes building Alexa skills for the Amazon Echo easier and much more fun.

Essentially, John Wheeler took the flask WSGI ( web) framework and made it super easy to be able to create Amazon Alexa skills using this familiar library. Continue reading

Worth Reading: It’s okay to forget what you read

Many of us feel this near-existential fear that we might “lose” what wisdom we extract from the books we read.Such fears are unfounded. First of all, if you love books, memory is never a problem. If I read for pure pleasure, what harm is there is forgetting? I get to enjoy the same wonderful book over and over again — for the book-lover, what better gift is there than forgetfulness? But many of us read books for reasons other than pleasure. We want to get something from the books we read. There is much written on retaining what you read (note it, connect it, summarize it, teach it, yawn…), but Paul Graham, I think, has something new and interesting to say. —Charles Chu on Medium

The post Worth Reading: It’s okay to forget what you read appeared first on rule 11 reader.

Upcoming Events and Webinars

You might have noticed the “upcoming webinars” blog widget is gone and I’ll write a blog post every two weeks or so to keep you updated on upcoming webinars and other events.

Here’s what’s coming in September and October 2017:

Istanbul/Turkey Onsite CCDE Training – 50% OFF until Sep-15, 2017

Istanbul/Turkey Onsite CCDE Training will be held between October 30 – November 4.   Course will be in English as usual, everyday will be between 9am – 6pm, 9 hours.   I am going to extend my CCDE Materials for this course as there was new scenarios and the technologies after August 29, 2017 CCDE […]

The post Istanbul/Turkey Onsite CCDE Training – 50% OFF until Sep-15, 2017 appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

Docker Networking Tip – Load balancing options in Docker

I had promised earlier that I will continue my Docker Networking Tip series. This is second in that series. The first one on Macvlan driver can be found here. In this presentation, I have covered different load balance options with Docker. Following topics are covered in this presentation: Overview of Service Discovery and Load balancing … Continue reading Docker Networking Tip – Load balancing options in Docker

Change VM Hardware Version

The VM hardware version designates the virtual hardware functions supported by a virtual machine, which relates to the hardware on the host server. A VMware product will not be able to power on a VM with a hardware version higher than what it supports.

oVirt Now Supports OVS-DPDK

DPDK (Data Plane Development Kit) provides high-performance packet processing libraries and user space drivers. Open vSwitch uses DPDK libraries to perform entirely within the user space. According to Intel ONP performance tests, using OVS with DPDK can provide a huge performance enhancement, increasing network packet throughput and reducing latency.

OVS-DPDK has been added to the oVirt Master branch as an experimental feature. The following post describes the OVS-DPDK installation and configuration procedures.

Please note: Accessing the OVS-DPDK feature requires installing the oVirt Master version. In addition, OVS-DPDK cannot access any features located within the Linux kernel. This includes Linux bridge, tun/tap devices, iptables, etc.

Requirements

In order to achieve the best performance, please follow the instructions at: http://dpdk.org/doc/guides-16.11/linux_gsg/nic_perf_intel_platform.html

The network card must be on the supported vendor matrix, located here: http://dpdk.org/doc/nics

Ensure that your system supports 1GB hugepages: grep -q pdpe1gb /proc/cpuinfo && echo "1GB supported"

  • Hardware support: Make sure VT-d / AMD-Vi is enabled in BIOS
  • Kernel support: When adding a new host via the oVirt GUI, go to Hosts -> Edit > Kernel, and add the following parameters to the Kernel command line: iommu=pt intel_iommu=on default_hugepagesz=1GB hugepagesz=1G hugepages=N In the event that 1GB Continue reading

SIDH in Go for quantum-resistant TLS 1.3

The Quantum Threat

SIDH in Go for quantum-resistant TLS 1.3

Most of today's cryptography is designed to be secure against an adversary with enormous amounts of computational power. This means estimating how much work certain computations (such as factoring a number, or finding a discrete logarithm) require, and choosing cryptographic parameters based on our best estimate of how much work would be required to break the system.

If it were possible to build a large-scale quantum computer, many of the problems whose difficulty we rely on for security would no longer be difficult to solve. While it remains unknown whether large-scale quantum computers are possible (see this article for a good overview), it's a sufficient risk that there's wide interest in developing quantum-resistant (or post-quantum) cryptography: cryptography that works on ordinary computers we have today, but which is secure against a possible quantum computer.

At Cloudflare, our biggest use of cryptography is TLS, which we use both for serving our customers' websites (all Cloudflare sites get free HTTPS), as well as for internal inter-datacenter communication on our backend.

In the TLS context, we want to create a secure connection between a client and a server. There are basically three cryptographic problems here:

  1. Authenticity: the server Continue reading

New Study: Understanding MANRS’ Potential for Enterprises and Service Providers

Mutually Agreed Norms for Routing Security, or MANRS, was founded with the ambitious goal of improving the security and reliability of the global Internet routing system, based on collaboration among participants and shared responsibility for Internet infrastructure. These are undoubtedly essential pillars supporting the Internet’s tremendous growth and success, but we must better articulate the incentives of contributing to global security and resilience to grow MANRS participation and reach our goals.

To do so, we engaged 451 Research to understand the attitudes and perceptions of Internet service providers and the broader enterprise community around MANRS and how it relates to their organizations. The results of the study are documented in the report: https://www.routingmanifesto.org/resources/research/.

The study results demonstrate considerable unrealized potential for MANRS, showing that enterprises are interested in security and their interest should be a strong incentive for more service providers to participate. Market education could be particularly effective in overcoming the operational inertia that many providers face.

The key points from the study are:

  • While MANRS itself is not well known by enterprises, its attributes are highly valued.
  • Enterprises have high expectations for MANRS efforts.
  • Enterprise perceptions of MANRS can translate into increased revenue for service Continue reading

Time Synchronization, Security, and Trust

Time is something that is often overlooked or taken for granted, but the accuracy and reliability of time is critical to our lives and must be protected. Time is a core concept underlying nearly all physical and virtual systems. Distributed computer systems, key to many functions inherent in our daily lives, rely on accurate and reliable time, yet we rarely stop and think about how that time is constructed and represented. Accurate and reliable time is needed to determine when an event occurs, in what order a particular sequence of events occurs, or when to schedule an event that is to occur at a particular time in the future. Finally, and of particular interest to our trust agenda here at the Internet Society, quality reliable time is required for many of the security technologies that help provide trust for the Internet. It is a vital and often overlooked part of the Internet infrastructure.

Some specific examples where accurate reliable secure time information is vital include:

  • The finance sector where there are high demands on the time synchronization of business clocks in trading systems. This is especially true in the high frequency trading where a new EU legislation called Markets Continue reading

Worth Reading: Wave System’s DPU architecture

Their view is that dataflow architectures are the only way to efficiently train networks with high performance. The CPU is carved out of their systems entirely and as we explained when first details were clear about what they were working on in depth last year, the Hybrid Memory Cube does a great deal of the heavy lifting in terms of both compute and data flow. We now have far more detail than we’ve seen to date about how it works—and where it might carve out market share in the future. —Nicole Hemsoth @The Next Platform

The post Worth Reading: Wave System’s DPU architecture appeared first on rule 11 reader.

1 1,909 1,910 1,911 1,912 1,913 3,833