Adding Metadata to the Arista vEOS Vagrant Box

This post addresses a (mostly) cosmetic issue with the current way that Arista distributes its Vagrant box for vEOS. I say “mostly cosmetic” because while the Vagrant box for vEOS is perfectly functional if you use it via Arista’s instructions, adding metadata as I explain here provides a small bit of additional flexibility should you need multiple versions of the vEOS box on your system.

If you follow Arista’s instructions, then you’ll end up with something like this when you run vagrant box list:

arista-veos-4.18.0    (virtualbox, 0)
bento/ubuntu-16.04    (virtualbox, 2.3.1)
centos/6              (virtualbox, 1611.01)
centos/7              (virtualbox, 1611.01)
centos/atomic-host    (virtualbox, 7.20170131)
coreos-stable         (virtualbox, 1235.9.0)
debian/jessie64       (virtualbox, 8.7.0)

Note that the version of the vEOS box is embedded in the name. Now, you could leave the version out of the name, but because there’s no metadata—which is why it shows (virtualbox, 0) on that line—you wouldn’t have any way of knowing which version you had. Further, what happens when you want to have multiple versions of the vEOS box on the same system?

Fortunately, there’s an easy fix (inspired by the way CoreOS distributes their Vagrant box). Just create a file with the

Incident report on memory leak caused by Cloudflare parser bug

Last Friday, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with our edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare.

It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.

For the avoidance of doubt, Cloudflare customer SSL private keys were not leaked. Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug.

We quickly identified the problem and turned off three minor Cloudflare features (email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites) that were all using the same HTML parser chain that was causing the leakage. At that point it was no longer possible for memory to be returned in an HTTP response.

Because of the seriousness of such a bug, a cross-functional team from software engineering, infosec and operations formed in San Francisco and London to fully understand

Stop using SHA1: It’s now completely unsafe

Security researchers have achieved the first real-world collision attack against the SHA-1 hash function, producing two different PDF files with the same SHA-1 hash. This shows that the algorithm's use for security-sensitive functions should be discontinued as soon as possible. SHA-1 (Secure Hash Algorithm 1) dates back to 1995 and has been known to be vulnerable to theoretical attacks since 2005. The U.S. National Institute of Standards and Technology has banned the use of SHA-1 by U.S. federal agencies since 2010, and digital certificate authorities have not been allowed to issue SHA-1-signed certificates since Jan. 1, 2016, although some exemptions have been made.

11 low-tech, decidedly cool cars

Retromobile 2017 Car Show (image by Reuters/Benoit Tessier). One of the truly stellar classic car events in the world happened recently in Paris. “Retromobile” features hundreds of amazingly cool, some one-of-a-kind, models. Here we’ll take a look at 11 of the decidedly coolest – courtesy of Reuters.

Google’s new AI aims to end abusive online comments using ‘Perspective’

The internet is a tough place to have a conversation. Abuse has driven celebrities and ordinary folks from social media platforms that are ill-equipped to deal with it, and some publishers have switched off comment sections. That’s why Google and Jigsaw (an early stage incubator at Google parent company Alphabet) are working on a project called Perspective. It uses artificial intelligence to try to identify toxic comments, with an aim of reducing them. The Perspective API released Thursday will provide developers with a score of how likely users are to perceive a comment as toxic. In turn, that score could be used to develop features like automatic post filtering or to provide users with feedback about what they're writing before they submit it for publication. Starting on Thursday, developers can request access to Perspective's API for use in projects they're working on, and Jigsaw will approve them on a rolling basis.

How to institute an agile IT outsourcing process

Traditionally, IT organizations have spent six months to a year or more on the IT outsourcing transaction process, finding the right providers and negotiating a suitable contract. But as IT services — and, increasingly, as-a-service — deals have gotten shorter, that lengthy process may no longer make sense. Industry advisors and consultants have debated the potential benefits of speedier sourcing for several years. In today’s rapidly changing business and technology landscape, it may become an imperative. But an effective outsourcing engagement demands more than just an accelerated version of the traditional IT services transaction process.

5G will help autonomous cars cruise streets safely

Years from now, your first autonomous car may have a lot of help from 5G wireless networks to navigate the streets safely. 5G will be as important to autonomous cars as 4G has been to mobile phones. The technology will help cars change lanes, recognize signals and draw up accurate maps. 5G will also help vehicles communicate in order to scope out road and weather conditions. For collision avoidance, 5G will connect cars to cloud services for object recognition. It will also provide a constant link to live TV for backseat passengers to enjoy. Many 5G capabilities for autonomous cars will be on display at the Mobile World Congress trade show in Barcelona, where Intel and Qualcomm will be showing off their latest technologies.

4 things we expect from Mobile World Congress 2017

Mobile World Congress, the Davos of wireless technology, is happening next week in Barcelona, and it’s going to be a particularly important year, as the mobile landscape readies itself for a couple of fairly major shifts. Here’s our quick look ahead to next week in sunny Spain and the four main points we expect from the MWC show.

5G, or at least previews of it

There’s been a big school of 5G press releases floating into our inboxes here in tech media just ahead of MWC (e.g., “Verizon plans 5G wireless trial service in 11 cities this year”), and it’s no real surprise – next-generation mobile networks are going to do a lot more than just boost speeds. They’ll also connect large numbers of devices – not just phones and tablets and laptops – to each other.

How to assess security automation tools

This column is available in a weekly newsletter called IT Best Practices. During my recent trip to Tel Aviv to attend CyberTech 2017, I had a one-on-one conversation with Barak Klinghofer, co-founder and CTO of Hexadite. He gave me a preview of an educational presentation he was to give two weeks later at the RSA Conference. His insight is worth repeating for anyone looking to add automation tools to their security toolset. As I saw at CyberTech, and I’m sure was the case at RSA, the hottest topics were security automation, automated incident response and security orchestration. These can be confusing terms, as every vendor describes them a little bit differently.

Telefonica-Sigfox deal is a big win for diverse IoT networks

The global partnership announced Wednesday between Telefonica and IoT specialist Sigfox could ensure the latter’s long-term success while accelerating the overall growth of LPWANs (low-power, wide-area networks). Telefonica said it will integrate Sigfox’s energy-sipping, low-data-rate radios into millions of devices used for things like smart metering and asset tracking. The Spain-based mobile carrier operates in 21 countries across Europe and Latin America, so the deal should significantly expand Sigfox’s footprint. It’s talking with customers about possible large-scale rollouts across both regions, including Spain, Germany, Colombia, Argentina, and Brazil.

Promises, Challenges Ahead for Near-Memory, In-Memory Processing

The idea of bringing compute and memory functions in computers closer together physically within the systems to accelerate the processing of data is not a new one.

Some two decades ago, vendors and researchers began to explore the idea of processing-in-memory (PIM), the concept of placing compute units like CPUs and GPUs closer to memory to help reduce the latency and cost inherent in transferring data, and built prototypes with names like EXECUBE, IRAM, DIVA and FlexRAM. For HPC environments that relied on data-intensive applications, the idea made a lot of sense. Reduce the distance between where data was

Promises, Challenges Ahead for Near-Memory, In-Memory Processing was written by Jeffrey Burt at The Next Platform.