New collision attacks against triple-DES, Blowfish break HTTPS sessions

There is now a practical, relatively fast attack on 64-bit block ciphers that lets attackers recover authentication cookies and other credentials from HTTPS-protected sessions, a pair of French researchers said. Legacy ciphers Triple-DES and Blowfish need to go the way of the broken RC4 cipher: deprecated and disabled everywhere. In the attack, dubbed Sweet32, the researchers, Karthikeyan Bhargavan and Gaëtan Leurent of INRIA in France, were able to take authentication cookies from HTTPS-protected traffic using triple-DES (3DES) and Blowfish and recover login credentials that gave access to victim accounts. The attack highlights why it is necessary for sites to stop using legacy ciphers and upgrade to modern, more secure ciphers.

Experts challenge Skyhigh’s patent for cloud-based encryption gateway

Skyhigh announced today that it has received a patent for its technology, which moves the encryption gateway into a hosted environment. Enterprises looking to protect sensitive data stored in cloud services can funnel user traffic through on-premises encryption gateways that allow them to keep control of their encryption keys. Moving the encryption process to Skyhigh's servers allows for easier access by remote employees, mobile users, business partners, or customers, said Rajiv Gupta, Skyhigh's CEO. He says the company offers these encryption gateways in various locations, allowing customers to comply with data residency and privacy laws.

Trying to make sense of Google’s messaging mess

Google appears to finally be trying to clarify its strategies for communication and messaging. However, the company determined it needs more messaging apps — not fewer apps. By the end of this year, Google will maintain at least eight different messaging apps, including Hangouts, Google Messenger, Google Chat, Google Voice, the Jibe rich communication services (RCS) app for carriers, Allo, Duo and the Spaces group-sharing app. Following the early August release of Duo, a new one-to-one video calling app, and the complementary messaging app Allo, which is expected to launch before summer's end, Google says it plans to reposition Hangouts as an enterprise service.

Linux’s brilliant career, in pictures

A momentous milestone

Aug. 25 marks the 25th anniversary of Linux, the free and open source operating system that's used around the globe in smartphones, tablets, desktop PCs, servers, supercomputers, and more. Though its beginnings were humble, Linux has become the world's largest and most pervasive open source software project in history. How did it get here? Read on for a look at some of the notable events along the way.

Docker Online Meetup #41: Deep Dive into Docker 1.12 Networking

For this week’s Docker Online Meetup, Sr. Director, Networking at Docker, Madhu Venugopal, joined us to talk about Docker 1.12 Networking and answer questions.

Starting with Docker 1.12, Docker has added features to the core Docker Engine to make multi-host and multi-container orchestration simple to use and accessible to everyone. Docker 1.12 Networking plays a key role in enabling these orchestration features.

In this online meetup, we learned all the new and exciting networking features introduced in Docker 1.12:

  • Swarm-mode networking
  • Routing Mesh
  • Ingress and Internal Load-Balancing
  • Service Discovery
  • Encrypted Network Control-Plane and Data-Plane
  • Multi-host networking without external KV-Store
  • MACVLAN Driver

The number of questions Madhu got at the end of the online meetup was amazing and because he did not have time to answer all of them, we’ve added the rest of the Q&A below:

Q: Will you address the DNS configuration in Docker? We have two apps created with docker compose and would like to enable communication and DNS resolution from containers in one of the apps to containers in the other app.

Check out the PTAL external network feature in docker compose in the Docker docs to get started. If that

AMD Strikes A Balance – And Strikes Back – With Zen

Being too dependent on one source for a key component is not just a bad idea because of supply chain risks, but because it can result in higher prices.

Intel customers don't need to be reminded of the lack of direct competitive pressure in the X86 chip market for servers, because they remember what that competition felt like. And customers and system makers that had taken a risk with AMD Opteron processors a decade ago don't need to be reminded of either of these facts, particularly after AMD walked away from the server business in the wake of technical problems

AMD Strikes A Balance – And Strikes Back – With Zen was written by Timothy Prickett Morgan at The Next Platform.

IDG Contributor Network: Shippable ships its newest thing: Industrial strength continuous deployment

Founded back in 2013, Shippable is one of the cool kids in the continuous deployment (CD) space. For those unaware, CD is a movement in which development teams deploy code frequently instead of in irregular and widely spaced occurrences. It is a movement popularized by organizations such as Facebook, Google and Twitter that deploy code many, many times a day. Shippable, therefore, builds a platform to reduce friction and so allow software development teams to ship code not only fast, but far more frequently as well. DevOps, the movement that brought together the development and operations sides of IT departments, aims to increase this velocity.

Another lesson in confirmation bias

The biggest problem with hacker attribution is the confirmation bias problem. Once you develop a theory, your mind shifts to distorting evidence in an effort to prove the theory. After a while, your theory seems to be the only one that can fit all your carefully selected evidence.

You can watch this happen in two recent blog posts [1] [2] by Krypt3ia attributing bitcoin payments to the Shadow Broker hackers as coming from the government (FBI, NSA, TAO). These posts are absolutely wrong. Nonetheless, the press has picked up on the story and run with it [*].


The Shadow Brokers published their bitcoin address (19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK) asking for donations to release the rest of their tools. They've received 66 transactions so far, totaling 1.78 bitcoin, or roughly $1000 at today's exchange rate.

Bitcoin is not anonymous but pseudonymous. Bitcoin is a public ledger with all transactions visible to everyone. Sometimes we can't tie addresses back to people, but sometimes we can. There are a lot of researchers who have spent a lot of time on "taint analysis" trying to

Facebook, Google, Twitter lax on terrorists’ misuse of their sites, say UK MPs

A panel of U.K. lawmakers has described as "alarming" that social networking companies like Facebook, Twitter and Google's YouTube have teams of only a few hundred employees to monitor billions of accounts for extremist content. "These companies are hiding behind their supranational legal status to pass the parcel of responsibility and refusing to act responsibly in case they damage their brands," said a report released early Thursday in the U.K. by the Home Affairs Committee appointed by the House of Commons.

Passwords stolen from Mail.Ru were old, the company says

The 25 million account passwords stolen from Mail.Ru in a recently discovered hack were old and invalid, the Russian internet company said Wednesday. "The security of our users wasn't compromised in any way," a Mail.Ru spokeswoman said in an interview. The hack targeted forums for game projects that the company has acquired over the years. These include subdomains at cfire.mail.ru, parapa.mail.ru and tanks.mail.ru. Hackers stole passwords of users who participated in the forums. However, the company said the stolen passwords were legacy data. None of them were related to current email accounts or other Mail.Ru services.

Meet Me at VMworld 2016?

VMworld is upon us, and if you’ve been to the conference before you know it can sometimes be challenging to catch up with folks. (If this is your first time, now you know it can sometimes be challenging to catch up with folks.) This post is an effort to help make it a bit easier if you’re interested in meeting up with me at VMworld.

In years past, I published my schedule so that others could see what sessions I was attending, find times we could meet, etc. Now that I’m a VMware employee, registering for sessions is not permitted (customers first, as it should be!). However, it may still be helpful to show my schedule, so I’m listing it below. You can also view a read-only version of my calendar here.

Saturday, August 27, 2016

6:00 pm to sometime - vBeers at Ri Ra Irish Pub

Sunday, August 28, 2016

1:30 pm to 3:15 pm - VMworld TAM Day Ask the Experts
5:00 pm to 7:30 pm - Welcome reception in the Solutions Exchange
7:30 pm to sometime - VMUG member party

Monday, August 29, 2016

7:45 am - Prayer time (see here)
9:00 am to