Mythical vuln-disclosure program

In the olden days (the 1990s), we security people would try to do the "right thing" and notify companies about the security vulnerabilities we'd find. It was possible then, because the "Internet" team was a small part of the company. Contacting the "webmaster" was a straightforward process -- indeed their email address was often on the webpage. Whatever the problem, you could quickly get routed to the person responsible for fixing it.

Today, the Internet suffuses everything companies do. There is no one person responsible. If companies haven't set up a disclosure policy (such as an email account "[email protected]"), they simply cannot handle disclosure. Assuming you could tell everyone in the company about the problem, from the CEO on down to the sysadmins and developers, you still won't have found the right person to tell -- because such a person doesn't exist. There's simply no process for dealing with the issue.

I point this out in response to the following Twitter discussion:



Josh's assertion is wrong. There is nobody at American Airlines that can handle a bug report. At some point,

Juniper Networks Announces Date of Fourth Quarter and Fiscal Year 2015 Preliminary Financial Results Conference Call and Webcast

SUNNYVALE, CA–(Marketwired – January 05, 2016) – Juniper Networks (: JNPR), the industry leader in network innovation, today confirmed it will release preliminary financial results for the fourth quarter and fiscal year ended Dec. 31, 2015, on Wednesday, Jan. 27, 2016 after the close of the market. The Company’s senior management will host a conference...

It’s Time For IPv6, Isn’t It?


I made a joke tweet the other day:

It did get lots of great interaction, but I feel like part of the joke was lost. Every one of the things on that list has been X in “This is the Year of X” for the last couple of years. Which is sad because I would really like IPv6 to be a big part of the year.

Ars Technica came out with a very good IPv6-focused article on January 3rd talking about the rise in adoption to 10% and how there is starting to be a shift in the way that people think about IPv6.

Old and Busted

One of the takeaways from the article that I found most interesting was a quote from Brian Carpenter of The University of Auckland about address structure. Most of the time when people complain about IPv6, they say that it’s stupid that IPv6 isn’t backwards compatible with IPv4. Carpenter has a slightly different take on it:

The fact that people don’t understand: the design flaw is in IPv4, which

Privacy rules spur Intralinks growth

Intralinks launched in the late 1990s to help companies involved in corporate buyouts and mergers maintain control over critical, shared information during the deal-making process. Today, the company is applying its secure collaboration capabilities to a wide variety of new customers and use cases – from CMOs building marketing campaigns to pharmaceutical companies coordinating data for patients, physicians and regulators involved in major drug trials. Under CEO Ron Hovsepian, Intralinks has created a cloud-based platform that empowers an array of customers who need to share content safely with external partners. In this installment of the IDG CEO Interview Series, Hovsepian spoke with Chief Content Officer John Gallant about how changes in privacy and data sovereignty rules are driving Intralinks’s growth and talked about how the technology may replace secure Web sites for confidential communications among businesses and their customers.

Exploit broker places $100k bounty on bypassing Flash Player’s latest defenses

A little over two weeks have passed since Adobe strengthened Flash Player with new security defenses, and there's already interest in the commercial exploit market for ways around them. Zerodium, a company that buys unpatched and unreported exploits from third-party researchers, announced on Twitter that it is offering $100,000 for exploits that bypass Flash Player's latest "heap isolation" protection. This memory defense mechanism makes exploiting certain types of security flaws much harder. Those flaws account for a large portion of the Flash Player vulnerabilities exploited by hackers in recent years to infect computers with malware.

DARPA targets tiny, battery-powered atomic clocks that could shield GPS outages

The scientists at DARPA will next month detail a new program the group hopes will develop small, portable, battery-powered atomic clocks with stability, repeatability, and environmental sensitivity 1,000 times better than the current generation of atomic clocks. On Feb. 1 DARPA will detail the Atomic Clocks with Enhanced Stability (ACES) program, which will aim to develop clocks that must fit into a package about the size of a billfold and run on a quarter-watt of power. “Success will require record-breaking advances that counter accuracy-eroding processes in current atomic clocks, among them variations in atomic frequencies that result from temperature fluctuations and subtle frequency differences that can occur if the power shuts down and then starts up again,” DARPA stated.

The hidden costs of NoSQL

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

The NoSQL industry developed quickly on the promise of schema-free design, infinitely scalable clusters and breakthrough performance. But there are hidden costs, including the added complexity of an endless choice of datastores (now numbering 225), the realization that analytics without SQL is painful, high query latencies that force you to pre-compute results, and inefficient use of hardware that leads to server sprawl.

All of these costs add up to a picture far less rosy than initially presented. However, the data model for NoSQL does make sense for certain workloads, across key-value and document data types. Fortunately, those are now incorporated into multi-mode and multi-model databases representing a simplified and consolidated approach to data management.

Sponsored Post: Netflix, StatusPage.io, Redis Labs, Jut.io, SignalFx, InMemory.Net, VividCortex, MemSQL, Scalyr, AiScaler, AppDynamics, ManageEngine, Site24x7

Who's Hiring?

  • Manager - Site Reliability Engineering: Lead and grow the front door SRE team in charge of keeping Netflix up and running. You are an expert of operational best practices and can work with stakeholders to positively move the needle on availability. Find details on the position here: https://jobs.netflix.com/jobs/398

  • Senior Service Reliability Engineer (SRE): Drive improvements to help reduce both time-to-detect and time-to-resolve while concurrently improving availability through service team engagement.  Ability to analyze and triage production issues on a web-scale system a plus. Find details on the position here: https://jobs.netflix.com/jobs/434

  • Manager - Performance Engineering: Lead the world-class performance team in charge of both optimizing the Netflix cloud stack and developing the performance observability capabilities which 3rd party vendors fail to provide. Expert on both systems and web-scale application stack performance optimization. Find details on the position here: https://jobs.netflix.com/jobs/860482

  • Senior Devops Engineer - StatusPage.io is looking for a senior devops engineer to help us in making the internet more transparent around downtime. Your mission: help us create a fast, scalable infrastructure that can be deployed to quickly and reliably.

  • UI Engineer: AppDynamics, founded in 2008 and led

IDG Contributor Network: Kaspersky: Ransomware doubled last year, shifted focus to enterprise

A majority of PCs in the workplace were struck by “at least one attempted malware infection” last year, cybersecurity company Kaspersky said in an overview of corporate threats observed throughout 2015, released last month. Well over half, or 58%, of PCs were infected. That’s a gain of 3% over 2014. Meanwhile, CryptoLocker attacks doubled, Kaspersky says in its press release about the report. CryptoLocker attacks are when a trojan-infected PC user receives a ransom demand to decrypt files, stop a denial of service attack, or avoid some other onerous result if the ransom isn’t paid.

Cisco lining up hyperconvergence deal?

Cisco is reportedly preparing a hyperconvergence appliance through an OEM arrangement with start-up Springpath. According to CRN and The Register, Cisco has invested an undisclosed amount in Springpath as a prelude to the introduction of a hyperconvergence appliance combining Cisco’s UCS server platform with Springpath’s software, which enables compute, storage, networking and virtualization to run on an x86 server.

Researcher finds flaw in Comcast XFINITY home security system

Comcast’s XFINITY Home Security System can be readily exploited so it registers that doors and windows in customers’ homes are closed when they are actually open, Rapid7 has discovered. Fixing the problem requires a software or firmware upgrade, Rapid7 says. Comcast hasn’t responded to Rapid7’s November notifications about the flaw, the company says. Comcast hasn’t responded to an email asking for comment, but this story will be updated when it does. The security system consists of sensors placed at windows, doors and other locations to detect motion, and a base station. When a sensor is triggered, it notifies the base station, which alarms that there is an intrusion.

IS-IS Design: Avoiding Traffic Blackholing

IS-IS, a link state routing protocol, requires careful attention during network design in order to avoid traffic blackholing. In the topology below, the IS-IS routing protocol is used. The primary path is the blue link. In IS-IS, the overload bit is used to signal BGP. If the overload bit is set on Router B, Router A does not use Router B as […]

The post IS-IS Design: Avoiding Traffic Blackholing appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

Flaws in Comcast’s Xfinity Home Security: System fails to warn homeowners of intruders

Rapid7 disclosed serious flaws in Comcast’s Xfinity Home Security system which thieves or thugs could exploit to break into homes while the homeowners continue to receive 'it’s-all-good' messages even as an intruder moves about the house. Even worse, there currently is no fix. Comcast customers might be induced to sign up for one of the Xfinity Home Security packages as the company suggests options like being able to check in on your kids, your pets, and “the things you love most.” With Xfinity Home Security, Comcast said you can “Sit back. Relax. You’re in control.” But today Rapid7 publicly disclosed vulnerabilities in Xfinity Home Security, flaws that can cause the security system to fail to sense motion and instead continue to report “All sensors are intact and all doors are closed. No motion is detected.”