Misguided House bill could make cars less safe

Car owners could face more danger from hackers if a draft bill (pdf) by the House Energy and Commerce Committee (HECC) becomes law. The bill would make independent oversight of the electronic safety of motor vehicles unlawful, subjecting well-intentioned security researchers to a $100,000 fine per instance. Today's cars have 200 to 400 microcontrollers and microprocessors in them, which would make access to each one an individual offense and let the fines add up to millions. The security flaws of the Jeep Grand Cherokee were exposed this summer by security researchers Charlie Miller and Chris Valasek, who remotely compromised the vehicle's Uconnect infotainment system over its cellular connection and were able to shut the vehicle down while it was being driven. The risk of huge fines would stop researchers from exposing critical motor vehicle vulnerabilities, but it would not stop hackers with malicious intentions from invading vehicle control systems.

To read this article in full or to leave a comment, please click here

Getting Started with Packet Pushers Community Podcasting

We wrote this introductory guide to help those considering Packet Pushers community podcasting understand what is required. This is not a detailed list of everything you will need to know. Rather, this guide shares enough information to get you started. You'll still have to do a bit of Googling, research, and decision making of your own. We hope this helps. Happy podcasting!

The post Getting Started with Packet Pushers Community Podcasting appeared first on Packet Pushers.

A Look at the New WordPress Brute Force Amplification Attack

Recently, a new brute force attack method for WordPress instances was identified by Sucuri. This latest technique allows attackers to try a large number of WordPress username and password login combinations in a single HTTP request.

The vulnerability can easily be abused by a simple script to try a significant number of username and password combinations with a relatively small number of HTTP requests. The diagram below shows four login attempts per HTTP request, but the ratio can trivially be pushed to a thousand logins per request.

[Diagram: WordPress XML-RPC Brute Force Amplification Attack]

This form of brute force attack is harder to detect, since you won’t necessarily see a flood of requests. Fortunately, all CloudFlare paid customers have the option to enable a Web Application Firewall ruleset to stop this new attack method.

What is XML-RPC?

To understand the vulnerability, it's important to understand the basics of the XML Remote Procedure Call (XML-RPC) protocol.

XML-RPC uses XML encoding over HTTP to provide a remote procedure call protocol. It’s commonly used to execute various functions in a WordPress instance for APIs and other automated tasks. Requests that modify, manipulate, or view data using XML-RPC require user credentials with sufficient permissions.
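The batching mechanism behind the attack is XML-RPC's system.multicall method, which accepts an array of method calls and runs every one of them server-side; each embedded wp.getUsersBlogs call authenticates on its own, so one POST body can carry as many password guesses as the attacker cares to pack in. The following is an added example, not code from the Cloudflare post, from Sucuri or from WordPress: it builds the amplified request body and applies the kind of request-body check a WAF rule would use, counting the credential-taking calls inside a multicall (including nested multicalls). The list of credential-taking methods and the blocking threshold are assumptions.

```python
"""Added example (not from the Cloudflare post, Sucuri or WordPress):
build an XML-RPC system.multicall body carrying many login attempts and
apply a WAF-style request-body check to it.  CREDENTIAL_METHODS and the
blocking threshold are assumptions for illustration."""
import xmlrpc.client

# XML-RPC methods whose first two parameters are a username and password.
# Assumption: a short illustrative subset; WordPress exposes many more.
CREDENTIAL_METHODS = {
    "wp.getUsersBlogs", "wp.getCategories", "wp.getPosts",
    "metaWeblog.getUsersBlogs", "blogger.getUsersBlogs",
}


def login_attempts(username, passwords, method="wp.getUsersBlogs"):
    """One (methodName, params) entry per password to try."""
    return [(method, [username, pw]) for pw in passwords]


def build_single(method, params):
    """Ordinary XML-RPC request body: one method call per HTTP POST."""
    return xmlrpc.client.dumps(tuple(params), methodname=method)


def build_multicall(calls):
    """Amplified request body: every call in `calls` rides in one POST.

    system.multicall takes one array of {methodName, params} structs and the
    server executes each of them, so a single HTTP request can carry hundreds
    of authentication attempts.
    """
    structs = [{"methodName": m, "params": list(p)} for m, p in calls]
    return xmlrpc.client.dumps((structs,), methodname="system.multicall")


def count_login_attempts(body):
    """Return (top_method, total_calls, credential_calls) for a request body.

    Nested system.multicall entries are unpacked, since a multicall may itself
    contain multicalls.
    """
    params, method = xmlrpc.client.loads(body)
    if method != "system.multicall":
        return method, 1, int(method in CREDENTIAL_METHODS)

    total = cred = 0
    stack = list(params[0])
    while stack:
        call = stack.pop()
        name = call.get("methodName", "")
        if name == "system.multicall":
            nested = call.get("params") or [[]]
            stack.extend(nested[0])
            continue
        total += 1
        cred += name in CREDENTIAL_METHODS
    return method, total, cred


def should_block(body, max_credential_calls=3):
    """WAF-style verdict.  The threshold is an assumption: a legitimate client
    batches a few authenticated calls, not dozens of login attempts."""
    method, total, cred = count_login_attempts(body)
    return method == "system.multicall" and cred > max_credential_calls


if __name__ == "__main__":
    # Constructed sample: five guesses against "admin" in one request body.
    body = build_multicall(login_attempts("admin", ["p1", "p2", "p3", "p4", "p5"]))
    print(count_login_attempts(body), should_block(body))
```

The check inspects the request body rather than the request rate, which is why a per-IP rate limit on wp-login.php or xmlrpc.php does not see this attack: the five-guess body above is a single request. On the WordPress side, if nothing legitimate depends on it, system.multicall can be removed from the exposed method list through the xmlrpc_methods filter.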

Here is an example that requests a list Continue reading

Before adding solid-state drives, right-size your infrastructure using workload profiling

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

If you’re looking to add solid-state drives to your storage environment, you want to avoid under-provisioning to ensure performance and scalability, but to meet cost goals and avoid unnecessary spending you also need to avoid over-provisioning. Workload profiling can help you strike that balance.

A recent survey of 115 Global 500 companies by GatePoint Research and sponsored by Load DynamiX showed that 65% of storage architects say they are doing some sort of pre-deployment testing before making their investment decision.  Alarmingly, only 36% understand their application workload I/O profiles and performance requirements. They don’t know what workload profiling is and how it can be used to accurately evaluate vendors against the actual applications that will be running over their particular storage infrastructure.

To read this article in full or to leave a comment, please click here

Germany will make telcos share customer data with the police

Even as the European Union attempts to tighten privacy laws, law-enforcement interests have won a battle in Germany: a new law forces communications service providers there to once again make data about their customers' communications available to police. On Friday morning, the German parliament approved a law requiring ISPs and mobile and fixed telecommunications operators to retain communications metadata for up to ten weeks. The country has had an on-again, off-again affair with telecommunications data retention, first introducing a law requiring it in 2008 to comply with a European Union directive. The German Federal Constitutional Court overturned that law in March 2010 after finding it conflicted with Germany's privacy laws, prompting the European Commission to take the country to court in May 2012 to enforce the directive.

To read this article in full or to leave a comment, please click here

Six key challenges loom over car communication technology

As car-makers build more tech-savvy autos, the ability of those cars to communicate and interact with smart infrastructure to prevent accidents or warn of impending road hazards faces a number of challenges that may hinder its deployment. Watchdogs at the Government Accountability Office said this week that, while the Department of Transportation will spend $100 million over the next five years through its Connected Vehicle pilot program, which deploys vehicle-to-infrastructure (V2I) technologies in real-world settings, many challenges with the technologies remain.

To read this article in full or to leave a comment, please click here

Stuff The Internet Says On Scalability For October 16th, 2015

Hey, it's HighScalability time:


The otherworldly beauty of the world's largest underground neutrino detector. Yes, this is a real thing.

If you like Stuff The Internet Says On Scalability then please consider supporting me on Patreon.
  • 170,000: depression era photos; $465m: amount lost due to a software bug; 368,778: likes in 4 hours as a reaction to Mark Zuckerberg's post on Reactions; 1.8 billion: pictures uploaded every day; 158: # of families generously volunteering to privately fund US elections.

  • Quotable Quotes:
    • @PreetamJinka: I want to run a 2 TB #golang program with 100 vCPUs on an AWS X1 instance.
    • Richard Stallman: The computer industry is the only industry that is more fashion-driven than women's fashion.
    • The evolution of bottlenecks in the Big Data ecosystem: Seeing all these efforts to bypass the garbage collector, we are entitled to wonder why we use a platform whose main asset is to offer a managed memory, if it is to avoid using it?
    • James Hamilton: Services like Lambda that abstract away servers entirely make it even easier to run alternative instruction set architectures.
    • @adrianfcole: Q: Are we losing money? A: Continue reading

AT&T to ‘lifelong customer:’ Shut up & talk to the lawyers

You don't need an MBA to know that in business, few things are more important than listening to your customers. So it's surprising that AT&T CEO Randall Stephenson, who earned an MBA from the University of Oklahoma, told a customer that AT&T isn't at all interested in his suggestions. Ever. In fact, if you send Stephenson an unsolicited suggestion, you'll get a similar response from his lawyers.

To read this article in full or to leave a comment, please click here

Musings on Datanauts #9

I listened to episode 9 of the excellent Datanauts podcast with Ethan Banks and Chris Wahl recently.

Great job with this one, guys. I can tell how engaged I am in a podcast by how often I want to interrupt you :)

For this episode, that was lots of times!

Since I couldn't engage during the podcast, I'm going to have a one-sided discussion here, about the topics that grabbed my attention.

RARP?
Chris explained that the 'notify switches' feature of an ESXi vSwitch serves to update the L2 filtering table on upstream physical switches. This is necessary any time a VM moves from one physical link (or host) to another.

Updating the tables in all of the physical switches in the broadcast domain can be accomplished with any frame that meets the following criteria:

  • Sourced from the VM's MAC address
  • Destined for an L2 address that will flood throughout the broadcast domain
  • Specifies an Ethertype that the L2 switches are willing to forward
VMware chose to do it with a RARP frame, probably because it's easy to spoof, and shouldn't hurt anything. What's RARP? It's literally Reverse ARP. Instead of a normal ARP query, which asks: "Who has IP Continue reading
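Putting the three criteria together, as an added example that is not from the Datanauts episode or from VMware's code: the block below builds the kind of RARP frame ESXi sends for 'notify switches', checks a captured frame against the criteria, and runs it through a minimal learning switch to show the filtering-table entry moving from the old port to the new one. Beyond "sourced from the VM's MAC, sent to broadcast, EtherType 0x8035 (RARP)", the RARP field values are assumptions, as is the EtherType allowlist; it goes slightly past the post by simulating the switch-side update.

```python
"""Added example (not from the Datanauts post or VMware): build a gratuitous
RARP frame of the kind ESXi emits for 'notify switches', test a frame against
the three criteria, and show the effect on a learning switch's MAC table.
Field values beyond the three criteria are assumptions."""
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_RARP = 0x8035                 # RFC 903 Reverse ARP
RARP_OP_REQUEST_REVERSE = 3             # "I have this MAC; what is my IP?"
# EtherTypes we assume an L2 switch will flood.  A real switch forwards almost
# any EtherType, so this allowlist only stands in for the third criterion.
FORWARDABLE_ETHERTYPES = {0x0800, 0x0806, 0x8035, 0x86dd}


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Raw Ethernet II frame: dst(6) src(6) type(2) payload."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def build_notify_frame(vm_mac):
    """RARP request from the VM's MAC to the broadcast address.

    Assumption: both hardware-address fields carry the VM MAC and both
    protocol-address fields are 0.0.0.0, as for a host asking for its own IP.
    """
    src = mac_bytes(vm_mac)
    rarp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, RARP_OP_REQUEST_REVERSE)
    rarp += src + bytes(4) + src + bytes(4)
    return build_frame(BROADCAST_MAC, vm_mac, ETHERTYPE_RARP, rarp)


def parse_ethernet(frame):
    """Return (dst, src, ethertype, payload) from a raw Ethernet II frame."""
    dst, src = mac_str(frame[:6]), mac_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return dst, src, ethertype, frame[14:]


def meets_notify_criteria(frame, vm_mac):
    """The three criteria from the post, applied to a captured frame."""
    dst, src, ethertype, _ = parse_ethernet(frame)
    return (src == vm_mac.lower()
            and dst == BROADCAST_MAC
            and ethertype in FORWARDABLE_ETHERTYPES)


class LearningSwitch:
    """Minimal L2 switch: the filtering table maps source MAC -> ingress port."""

    def __init__(self):
        self.table = {}

    def receive(self, port, frame):
        dst, src, _, _ = parse_ethernet(frame)
        self.table[src] = port           # learn, or move, the source MAC
        if dst == BROADCAST_MAC or dst not in self.table:
            return "flood"
        return self.table[dst]


def simulate_vm_move(vm_mac, old_port, new_port):
    """Port the switch maps vm_mac to after the notify frame arrives on new_port."""
    sw = LearningSwitch()
    sw.table[vm_mac.lower()] = old_port   # stale entry from before the move
    sw.receive(new_port, build_notify_frame(vm_mac))
    return sw.table[vm_mac.lower()]


if __name__ == "__main__":
    # Constructed sample: a VM with a VMware OUI moves from port 1 to port 2.
    vm = "00:50:56:aa:bb:cc"
    print(meets_notify_criteria(build_notify_frame(vm), vm))
    print(simulate_vm_move(vm, "gi1/0/1", "gi1/0/2"))
```

The same property that makes this convenient for ESXi is worth keeping in mind from the security side: the switch rewrites its table on any frame's source address without authentication, so a station that forges another host's source MAC steals that host's entry until the real host transmits again. Port security or MAC limits on the physical switch, and the vSwitch policies for MAC address changes and forged transmits set to Reject where the workload allows, are the usual controls.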

IDG Contributor Network: Make passwords easier, spy agency says

Complex passwords don’t “frustrate hackers,” all they do is make life “harder for users,” Ciaran Martin, the Director General of Cyber Security at the United Kingdom’s spy agency GCHQ, says in a new guidance document published online (PDF). The advice contradicts previous GCHQ guidance that says system owners should “adopt the approach that complex passwords are ‘stronger.’” GCHQ, or the Government Communications Headquarters, is the British equivalent of the National Security Agency (NSA). Amusingly, both agencies have been exposed recently as conducting widespread surveillance on their respective citizens. The more cynical might think there was a secondary motive for this advice.

To read this article in full or to leave a comment, please click here

QOTW: Knowledge

Knowledge depends on the direction given to our passions and on our moral habits. To calm our passions is to awaken in ourselves the sense of the universal; to correct ourselves is to bring out the sense of the true.
Sertillanges, The Intellectual Life


The post QOTW: Knowledge appeared first on 'net work.

Defining SDN Down

If a WAN product that uses software to control the flow of traffic is an SD-WAN, and a data center that uses software to build a virtual topology is an SD-DC, and a storage product that uses software to emulate traditional hardware storage products is SD storage, and a network where the control plane has been pulled into some sort of controller is an SDN, aren’t my profile on LinkedIn and my Twitter username @rtggeek software defined people (SDP)? A related question: if there are already IoT vendors, and the IoT already has a market, can we declare the hype cycle dead and move on with our lives? Or is hype too useful to marketing folks to let it go that easily? One thing we do poorly in the networking world is define things. We’re rather sloppy about the language we use, and it shows.

Back on topic, but still to the point — maybe it’s time to rethink the way we use the phrase software defined. Does SD mean one thing emulating another? Does SD mean centralized control? Does SD mean software controlled? Does SD mean separating the control plane from the data plane? Does SD mean OpenFlow?

Continue reading