Rapid7 disclosed 6 XSS and SQLi flaws in 4 Network Management Systems, 2 unpatched

Rapid7 disclosed six vulnerabilities affecting four Network Management Systems, two of which are not patched. The vendors are Opsview, Spiceworks, Ipswitch, and Castle Rock, with the latter having neither issued a security bulletin nor a fix for two vulnerabilities in its NMS.An “an array of cross-site scripting (XSS) and SQL injection (SQLi)” vulnerabilities found in NMS products were discovered by Rapid7’s Deral Heiland, aka Percent_X, and independent researcher Matthew Kienow, aka HacksForProfit. The flaws were responsibly disclosed to the vendors and CERT.To read this article in full or to leave a comment, please click here

Acts of terrorism could push Congress toward encryption backdoors in 2016

Despite the risks to online commerce, international high-tech sales, security of trade secrets and the fact that it won’t actually make encryption useless to criminals, decryption backdoors to let law enforcement access encrypted communications could become U.S. law in 2016 – and a nightmare to enterprises – especially if terrorists succeed in carrying out major acts of violence.So far the arguments against such a law have prevailed, but that could change if public opinion turns strongly in favor of it, which is more likely in the wake of events that generate fear.+More on Network World: 20 years ago: Hot sci/tech images from 1995 | Read all the stories that predict what is to come in 2016 +To read this article in full or to leave a comment, please click here

How Does the Use of Docker Effect Latency?

A great question came up on the mechanical-sympathy list that many others probably have as well: 

I keep hearing about [Docker] as if it is the greatest thing since sliced bread, but I've heard anecdotal evidence that low latency apps take a hit. 

Who better to answer than Gil Tene, Vice President of Technology and CTO, Co-Founder, of Azul Systems? Like Stephen Curry draining a deep transition three, Gil can always be counted on for his insight:

And here's Gil's answer:

Putting aside questions of taste and style, and focusing on the effects on latency (the original question), the analysis from a pure mechanical point of view is pretty simple: Docker uses Linux containers as a means of execution, with no OS virtualization layer for CPU and memory, and with optional (even if default is on) virtualization layers for i/o. 

CPU and Memory

From a latency point of view, Docker's (and any other Linux container's) CPU and memory latency characteristics are pretty much indistinguishable from Linux itself. But the same things Continue reading

Inside AT&T’s grand dynamic network plan

AT&T is pouring billions into its network to make it more dynamic, which is resulting in new capabilities for enterprise customers. Network World Editor in Chief John Dix recently stopped by AT&T headquarters in Dallas to talk to Josh Goodell, VP of Network on Demand, about what the company is learning from early adopters of its Switched Ethernet on Demand service and what comes next. Among other things, Goodell explains how provisioning now takes days vs. weeks, service profiles can be changed in seconds, and how he expects large shops to use APIs to connect their network management systems directly to AT&T controls. Oh, and a slew of virtual functions are on the horizon that will enable you to ditch all those appliances you’ve been accumulating.To read this article in full or to leave a comment, please click here

Vulnerability in popular bootloader puts locked-down Linux computers at risk

Pressing the backspace key 28 times can bypass the Grub2 bootloader's password protection and allow a hacker to install malware on a locked-down Linux system.GRUB, which stands for the Grand Unified Bootloader, is used by most Linux distributions to initialize the operating system when the computer starts. It has a password feature that can restrict access to boot entries, for example on computers with multiple operating systems installed.This protection is particularly important within organizations, where it is also common to disable CD-ROM, USB and network boot options and to set a password for the BIOS/UEFI firmware in order to secure computers from attackers who might gain physical access to the machines.To read this article in full or to leave a comment, please click here

Share And Share Alike

ShareArrows

Every once in a while, I like to see who is clicking through to my blog. It helps me figure out what’s important to write about and who reads things. I found a recent comment that made me think about what I’m doing from a different perspective.

The Con Game

I get occasional inbound traffic from Reddit. The comments on Reddit are a huge reason to follow threads on the site. In one particular thread on /r/networking linked back to my blog as a source of networking news and discussion. But a comment gave me pause:

https://www.reddit.com/r/networking/comments/3mpjpz/networking_websites/cvgyfye

And I quote:

Cons : they almost all know each other and tend to promote each other content.

This was a bit fascinating to me. Of the people in that particular comment, I’ve only ever met one in person. I do know quite a few people in the networking space as part of my career, both related to Tech Field Day and just through writing.

It is true that I share quite a bit of content from other writers. My day job notwithstanding, I feel it is my duty to identify great pieces of writing or thought-provoking ideas and share it Continue reading

Data center tax break ignites political battle in Michigan

The U.S. data center industry is now operating just like a sports franchise. When a local NFL football team wants a new stadium, it can threaten to move to a city promising a bigger and better stadium.Michigan now faces the data center version of this dilemma.The state's data center industry is growing at about 12% a year, thanks to a shift to cloud computing. Life has been good for commercial data center operators, and they haven't been pushing for tax breaks. But that changed once Nevada-based Switch, a data center facilities firm, arrived with a plan to build a mega data center.To read this article in full or to leave a comment, please click here

Encryption used by terrorists provides lively GOP debate fodder

The ongoing political discourse over encrypted Internet communications used by potential terrorists sparked some major fireworks in last night's GOP presidential debate.Republican frontrunner Donald Trump was booed by some in the Las Vegas crowd when he called for "getting our smartest minds to infiltrate [ISIS's] Internet." In reaction to the boos, Trump told the crowd, "You're objecting to infiltrating their communications -- I don't get that."It wasn't only some in the crowd that objected to Trump's view. U.S. Sen. Rand Paul (R-Ky.) took Trump to task, saying Trump had argued to "close the Internet, which defies the First Amendment...Are you going to change the Constitution?"To read this article in full or to leave a comment, please click here

Broadcom Tomahawk 101

Juniper recently launched their Tomahawk-based switch (QFX5200) and included a lot of information on the switching hardware in one of their public presentations (similar to what Cisco did with Nexus 9300), so I got a non-NDA glimpse into the latest Broadcom chipset.

You’ll get more information on QFX5200 as well as other Tomahawk-based switches in the Data Center Fabrics Update webinar in spring 2016.

Here’s what I understood the presentation said:

Read more ...

How to not present to the Swiss

Being English and being constantly exposed to bad language practice (not the curse word type), during a recent trip to Switzerland, I totally failed in keeping my English plain and vanilla. Their English was better than my own and in this sense I totally failed. Here is my top five of innocently said statements that just do not translate. If nothing else, it might help you to not make the same mistake when presenting to others not of your own tongue.

1) Shooting fish in a barrel
2) Stuck under a rock
3) Lots of ways to skin a cat, including with a machine gun
4) Everything including the kitchen sink
5) More features than you can shake a stick at

Speaking English is really hard to do when you’re English!!!

The post How to not present to the Swiss appeared first on ipengineer.net.

No, you can’t shut down parts of the Internet

In tonight's Republican debate, Donald Trump claimed we should shutdown parts of the Internet in order to disable ISIS. This would not work. I thought I'd create some quick notes why.

This post claims it would be easy, just forge a BGP announcement. Doing so would then redirect all Syrian traffic to the United States instead of Syria. This is too simplistic of a view.

Technically, the BGP attack described in the above post wouldn't even work. BGP announcements in the United States would only disrupt traffic to/from the United States. Traffic between Turkey and ISIS would remain unaffected. The Internet is based on trust -- abusing trust this way could only work temporarily, before everyone else would untrust the United States. Legally, this couldn't work, as the United States has no sufficient legal authority to cause such an action. Congress would have to pass a law, which it wouldn't do.

But "routing" is just a logical layer built on top of telecommunications links. Since Syria and Iraq own their respective IP address space, I'm not even sure ISIS is allowed to use it. Instead, ISIS has to pay for telecommunications links to route traffic through other countries. This causes Continue reading

DNS Terminology

The DNS is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has sometimes changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document. I saw this RFC
1 3,144 3,145 3,146 3,147 3,148 3,773