Cliché: Security through obscurity (again)

This post keeps popping up in my timeline. It's wrong. The phrase "security through/by security" has become such a cliché that it's lost all meaning. When somebody says it, they are almost certainly saying a dumb thing, regardless if they support it or are trying to debunk it.

Let's go back to first principles, namely Kerckhoff's Principle from the 1800s that states cryptography should be secure even if everything is known about it except the key. In other words, there exists no double-secret military-grade encryption with secret algorithms. Today's military crypto is public crypto.

Let's apply this to port knocking. This is not a layer of obscurity, as proposed by the above post, but a layer of security. Applying Kerkhoff's Principle, it should work even if everything is known about the port knocking algorithm except the sequence of ports being knocked.

Kerkhoff's Principle is based on a few simple observations. Two relevant ones today are:
* things are not nearly as obscure as you think
* obscurity often impacts your friends more than your enemies
I (as an attacker) know that many sites use port knocking. Therefore, if I get no response from an IP address (which I have reason Continue reading

LinkedIn blames Russian hacking suspect for 2012 breach

A suspected Russian hacker arrested recently in the Czech Republic was involved in a massive 2012 data breach at LinkedIn, the professional social networking company says. LinkedIn said Wednesday that it has been working with the FBI to track down the culprits behind the data breach, which exposed hashed passwords from 117 million accounts."We are thankful for the hard work and dedication of the FBI in its efforts to locate and capture the parties believed to be responsible for this criminal activity," LinkedIn said in an email.To read this article in full or to leave a comment, please click here

LinkedIn blames Russian hacking suspect for 2012 breach

A suspected Russian hacker arrested recently in the Czech Republic was involved in a massive 2012 data breach at LinkedIn, the professional social networking company says. LinkedIn said Wednesday that it has been working with the FBI to track down the culprits behind the data breach, which exposed hashed passwords from 117 million accounts."We are thankful for the hard work and dedication of the FBI in its efforts to locate and capture the parties believed to be responsible for this criminal activity," LinkedIn said in an email.To read this article in full or to leave a comment, please click here

Yahoo asks US for clarity on email scanning controversy

Yahoo is asking that the U.S. government set the record straight on requests for user data, following reports saying the internet company has secretly scanned customer emails for terrorism-related information.  On Wednesday, Yahoo sent a letter to the Director of National Intelligence James Clapper, saying the company has been "unable to respond" to news articles earlier this month detailing the alleged government-mandated email scanning."Your office, however, is well positioned to clarify this matter of public interest," the letter said.The scanning allegedly involved searching through the email accounts of every Yahoo user and may have gone beyond other U.S. government requests for information, according to a report from Reuters.  To read this article in full or to leave a comment, please click here

Yahoo asks US for clarity on email scanning controversy

Yahoo is asking that the U.S. government set the record straight on requests for user data, following reports saying the internet company has secretly scanned customer emails for terrorism-related information.  On Wednesday, Yahoo sent a letter to the Director of National Intelligence James Clapper, saying the company has been "unable to respond" to news articles earlier this month detailing the alleged government-mandated email scanning."Your office, however, is well positioned to clarify this matter of public interest," the letter said.The scanning allegedly involved searching through the email accounts of every Yahoo user and may have gone beyond other U.S. government requests for information, according to a report from Reuters.  To read this article in full or to leave a comment, please click here

Turning OpenMP Programs into Parallel Hardware

Systems built from commodity hardware such as servers, desktops and laptops often contain so-called general-purpose processors (CPUs)—processors that specialize in doing many different things reasonably well. This is driven by the fact that users often perform various types of computations; the processor is expected to run an Operating System, browse the internet and even run video games.

Because general-purpose processors target such a broad set of applications, they require having hardware that supports all such application areas. Since hardware occupies silicon area, there is a limit to how many of these processor “cores” that can be placed—typically between 4 and

Turning OpenMP Programs into Parallel Hardware was written by Nicole Hemsoth at The Next Platform.

Worth Reading: The balancing act of freelancing

By the end of the work day, the last thing you want to do is look at another pixel. Since 8:30am, you’ve been firing on all cylinders. Deadlines, meetings and requests have been swarming your desk as restlessly as your fingers against your keys. The mental expenditure you endure each day is taxing. Yet, you’re not done. You have even more deadlines, calls, meetings and requests to honor once you get home–your place of solitude. They belong to your freelance clients. You must pay them the same amount of attention and focus as you give to your day job. —Line 25

LinkedInTwitterGoogle+Facebook

The post Worth Reading: The balancing act of freelancing appeared first on 'net work.

Russian hacker group used phony Google login page to hack Clinton campaign

A Russian hacking group used spearphishing to steal the Gmail login credentials of Hillary Clinton campaign staff, and that may be how campaign emails now being released were stolen, according to Secure Works. The attack targeted 108 hillaryclinton.com email addresses, and was carried out by a Russian group called Threat Group-4127 (TG-4127), according to Secure Works’ Counter Threat Unit (CTU) blog. CTU can’t directly link the spearphishing operation against the Clinton campaign with the hack of Democratic National Committee emails revealed June 14, but “CTU researchers suspect that TG-4127 used the spearphishing emails or similar techniques to gain an initial foothold in the DNC network. “To read this article in full or to leave a comment, please click here

Russian hacker group used phony Google login page to hack Clinton campaign

A Russian hacking group used spearphishing to steal the Gmail login credentials of Hillary Clinton campaign staff, and that may be how campaign emails now being released were stolen, according to Secure Works. The attack targeted 108 hillaryclinton.com email addresses, and was carried out by a Russian group called Threat Group-4127 (TG-4127), according to Secure Works’ Counter Threat Unit (CTU) blog. CTU can’t directly link the spearphishing operation against the Clinton campaign with the hack of Democratic National Committee emails revealed June 14, but “CTU researchers suspect that TG-4127 used the spearphishing emails or similar techniques to gain an initial foothold in the DNC network. “To read this article in full or to leave a comment, please click here

Your robot doctor overlords will see you now

Seems the days of the annual trip to your doctor’s office may be fading in favor of a virtual healthcare provider. At least if you follow the research presented by Gartner this week which predicted by 2025, 50% of the population will rely on what it called virtual personal health assistants (VPHAs) for primary care, finding them more responsive and accurate than their human counterparts. +More on Network World: Gartner Top 10 strategic technology trends you should know for 2017To read this article in full or to leave a comment, please click here

Your robot doctor overlords will see you now

Seems the days of the annual trip to your doctor’s office may be fading in favor of a virtual healthcare provider. At least if you follow the research presented by Gartner this week which predicted by 2025, 50% of the population will rely on what it called virtual personal health assistants (VPHAs) for primary care, finding them more responsive and accurate than their human counterparts. +More on Network World: Gartner Top 10 strategic technology trends you should know for 2017To read this article in full or to leave a comment, please click here

Webinar Recap: Docker for Windows Server 2016

Last week, we held our first webinar on “Docker for Windows Server 2016” to a record number of attendees, showcasing the most exciting new Windows Server 2016 feature – containers powered by Commercially Supported Docker Engine.

Docker CS Engine and containers are now available natively on Windows and supported by Microsoft with Docker’s Commercially Supported (CS) Engine included in Windows Server 2016.Now developers and IT pros can begin the same transformation for Windows-based apps and infrastructure to reap the benefits they’ve seen with Docker for Linux: enhanced security, agility, and improved portability and freedom to run applications on bare metal, virtual or cloud environments.

Watch the on-demand webinar to learn more about the technical innovations that went into making Docker containers run natively on Windows and how to get started.

Webinar: Docker for Windows Server 2016

Here are just a few of the most frequently asked questions from the session.  We’re still sorting through the rest and will post them in a follow up blog.

Q: How do I get started?

A: Docker and Microsoft have worked to make getting started simple, we have some great resources to get you started whether you’re a developer or an IT pro:

Flaw in Intel CPUs could help attackers defeat ASLR exploit defense

A feature in Intel's Haswell CPUs can be abused to reliably defeat an anti-exploitation technology that exists in all major operating systems, researchers have found.The technique, developed by three researchers from State University of New York at Binghamton and the University of California in Riverside, can be used to bypass address space layout randomization (ASLR) and was presented this week at the 49th annual IEEE/ACM International Symposium on Microarchitecture in Taipei.ASLR is a security mechanism used by operating systems to randomize the memory addresses used by key areas of processes, so that attackers don't know where to inject their exploit shellcode.To read this article in full or to leave a comment, please click here

Flaw in Intel CPUs could help attackers defeat ASLR exploit defense

A feature in Intel's Haswell CPUs can be abused to reliably defeat an anti-exploitation technology that exists in all major operating systems, researchers have found.The technique, developed by three researchers from State University of New York at Binghamton and the University of California in Riverside, can be used to bypass address space layout randomization (ASLR) and was presented this week at the 49th annual IEEE/ACM International Symposium on Microarchitecture in Taipei.ASLR is a security mechanism used by operating systems to randomize the memory addresses used by key areas of processes, so that attackers don't know where to inject their exploit shellcode.To read this article in full or to leave a comment, please click here

Verizon may back out of Yahoo deal due to email snooping

The deal for Verizon to purchase struggling Yahoo became endangered thanks to reports of Yahoo spying on user email for the U.S. government, not to mention the lost data on 500 million accounts and a decline in revenue.Earlier this month, Verizon publicly declared it was looking for a $1 billion discount on the original $4.8 billion it offered to purchase Yahoo. Verizon sought the discount because of Yahoo’s enormous data breach and because of reports that Yahoo was under a court order to scan emails for terrorist chatter, according to the New York Post. To read this article in full or to leave a comment, please click here

Gartner sees 2.9 percent growth in IT spending in 2017

Worldwide IT spending should rebound in 2017 with a 2.9 percent increase over 2016, after a slight decrease this year, according to Gartner projections.Spending on software and IT services should drive the 2017 growth in global IT spending to US$3.49 trillion, the market research group said Wednesday. Gartner projects IT spending will drop by 0.3 percent between 2015 and 2016, with the U.K.'s Brexit vote to leave the European Union swinging IT spending from a modest increase to negative numbers.Driving the spending growth in 2017 will be businesses' efforts to expand, John-David Lovelock, Garter's research vice president, said by email. To read this article in full or to leave a comment, please click here

Dell EMC aims for a converged, custom fit in an off-the-rack world

It may be a cloud world, but Dell EMC is still invested in on-premises systems, in particular converged systems. At VMworld 2016 in late August, the company took the wraps off a new product line called Validated System for Virtualization, which reflects a significant shift in the company’s converged systems portfolio.The new solution, according to Dell EMC, represents what it calls “service-defined infrastructure” by incorporating a wide range of form-factors, technology choices and deployment options, all designed to fit the needs of a customer ranging from midsized to the Fortune 10.Converged systems, a recent trend in hardware, combine compute, storage, networking and the software workload all into one fully integrated system rather than piecing it together. They are designed for easy installation and use by customers.To read this article in full or to leave a comment, please click here

What is it really like to work for Apple

What's it really like to work for Apple?The work culture at Cupertino isn't like that of other companies. Apple is famously secretive (more so, even, than most tech companies), and employees are expected to do the best work of their lives. Apple is very effective at keeping secrets, and that includes what it's like to work there.Even so, there are many sources of great information about what it's like to work for Apple. In this article we're going to look at what ex-employees, their friends and family, and people who've researched the company have to say about what it's like to be an Apple employee.Read next: How to work for Apple | How to get a job at AppleTo read this article in full or to leave a comment, please click here

Thoughts on the Tomahawk II

Broadcom released some information about the new Tomahawk II chip last week in a press release. For those who follow hardware, there are some interesting points worth considering here.

First, the chip supports 256x25g SERDES. Each pair of 25G SERDES can be combined into a single 50g port, allowing the switch to support 128 50g ports. Sets of four SERDES can be combined into a single 100g port, allowing the switch to support 64 100g ports.

Second, there is some question about the table sizes in this new chip. The press release notes the chip has “Increased On-Chip Forwarding Databases,” but doesn’t give any precise information. Information from vendors who wrap sheet metal around the chipset to build a complete box don’t seem to be too forthcoming in their information about this aspect of the new chip, either. The Tomahawk line has long had issues with its nominal 100,000 forwarding table entry limit, particularly in large scale data center fabrics and applications such as IX fabrics. We’ll simply have to wait to find out more about this aspect of the new chip, it seems.

Third, there is some question about the forwarding buffers available on the chip. Again, the Tomahawk Continue reading

1 2,532 2,533 2,534 2,535 2,536 3,787