Some notes on why crypto backdoors are unreasonable
Today, a congressional committee held hearings about 'crypto backdoors' that would allow the FBI to decrypt text messages, phone calls, and data on phones. The thing to note about this topic is that it's not anywhere close to reasonable public policy. The technical and international problems are unsolvable with anything close to the proposed policy. Even if the policy were reasonable, it's unreasonable that law enforcement should be lobbying for it.Crypto is end-to-end
The debate hinges on a huge fallacy, that it's about regulating industry, forcing companies like Apple to include backdoors. This makes it seem like it's a small law. The truth is that crypto is end-to-end. Apple sells a generic computer we hold in our hand. As a user, I can install any software I want on it -- including software that completely defeats any backdoor that Apple would install. Examples of such software would be Signal and Silent Circle.
It seems reasonable that you could extend the law so that it covers any software provider. But that doesn't work, because software is often open-source, meaning that anybody can build their own app from it. Starting from scratch, it would take me about six-months to write my Continue reading
Interop Liveblog: IPv6 Microsegmentation
This session was titled “IPv6 Microsegmentation,” and the speaker was Ivan Pepelnjak. Ivan is, of course, a well-known figure in the networking space, and publishes content at http://ipspace.net.
The session starts with a discussion of the problems found in Layer 2 IPv6 networks. Some of the problems include spoofing RA (Router Advertisement) messages, NA (Neighbor Advertisement) messages, DHCPv6 spoofing, DAD (Duplicate Address Detection) DoS attacks, and ND (Neighbor Discovery) DoS attacks. All of these messages derive from the assumption that one subnet = one security zone, and therefore intra-subnet communications are not secured.
Note that some of these attacks are also common to IPv4 and are not necessarily unique to IPv6. The difference is that these problems are well understood in IPv4 and therefore many vendors have implemented solutions to mitigate the risks.
According to Ivan, the root cause of all these problems originates with the fact that all LAN infrastructure today emulates 40 year old thick coax cable.
The traditional fix is to add kludges….er, new features—like RA guard (prevents non-routers from sending RA messages), DHCPv6 guard (same sort of functionality), IPv6 ND inspection (same idea), and SAVI (Source Address Verification Inspection; complex idea where all these Continue reading
Google’s Urs Hölzle: Containers Will Rule the Cloud
Google doesn't use VMs, only containers, Interop keynoter Urs Hölzle says.