The Internet “Just Works”: The EARN IT Act Threatens That and More

When the EARN IT Act was introduced in March 2020, technologists, civil society organizations, academics, and even a former FBI General Counsel blasted the bill as a thinly veiled attempt to prevent platforms from keeping users safe with strong encryption. The bill had implications for intermediary liability, of course, but it was clearly a play to take down the strongest digital security tool we have online.

The EARN IT Act is now a monstrous version of its previous self. It would not only weaken the ability of platforms to protect users through encryption, but fundamentally alter how platforms operate, leading to dangerous consequences for users and the global Internet.

While the new version of the bill would prevent the federal government from forcing platforms to weaken encryption to maintain their intermediary liability protection (a foundational aspect of most companies’ business plans), it would essentially allow states to pass their own version of the original EARN IT Act. This would create a chaotic patchwork of state-level laws, threatening user security across the country and creating borders for a networking system that was never meant to recognize them. This bill would not only weaken the ability of platforms to protect users through Continue reading

Bayesian Non-Finite Mixture Models

Motivation

Following up from our previous post on Bayesian Finite Mixture Models, here are my notes on Non-Finite mixture model.

Non-finite Mixture Models

Bayesian finite mixture models can be used when we have a prior knowledge or some good guess on the number of groups present in the dataset. But if we do not know this beforehand, then we can use Non-Finite mixture models. Bayesian solution for this kind of problems is related to Dirichlet process.

Dirichlet Process(DP)

We briefly mentioned about Dirichlet distribution in the previous post Bayesian Finite Mixture Models, which is a generalization of beta distribution, similarly Dirichlet Process is an infinite-dimensional generalization of Dirichlet distribution. The Dirichlet distribution is a probability distribution on the space of probabilities, while Dirichlet Process is a probability distribution on the space of distributions. A Dirichlet Process is a distribution over distributions. When I first read this, my mind went
.

What this means is, that a single draw from a Dirichlet distribution will give us a probability and a single draw from a Dirichlet Process will give us a Dirichlet distribution. For finite mixture models, we used Dirichlet distribution to assign a prior for the fixed number of clusters, Continue reading

Cisco ACI Tips and Tricks

Cisco ACI does things a bit differently to traditional networking. I find myself constantly duck hunting to do simple things so I am documenting them here so they are easier for me to fine. Get VRF Names Get a list of VRFs with the show vrf command from a leaf node. How to Ping To ping a...

How to Meet Interesting People in Your Industry

The easiest way to meet interesting people in your industry is to attend a networking event, work related conference, or a training course. These types of event usually do attract a high turnout so as well as the information on offer; you do get a chance to network with others who are in the same business as you.

Mingling at Industry Events

The good thing about industry events is that you will meet people at all different levels and stages of their career. This can seem daunting if you are just starting out, but remember that everyone had to start somewhere and most people are going to be supportive and friendly if you have the right approach.

To handle a networking event and actually get to meet interesting people, you can employ some handy strategies to make introductions and social interaction much easier.  One tip is to email the organizers and let them know that you are new. You will probably find that they offer to meet you and introduce you to a couple of people which will help get the ball rolling.

In addition, it is a good idea to arrive a bit early, rather than fashionably late Continue reading

Make Consistent Enterprise Automation a Reality with Ansible Content for AIX and IBM i

As we navigate through unprecedented times, the spotlight is on enhancing IT resilience and ensuring business continuity. We see that enterprises are experiencing shifts in market conditions and automation can be a key to rapidly responding to changes. With many enterprises having hybrid IT and multiple operating system environments, each with its own tooling and processes, implementing a consistent automation strategy to help scale and maximize impact has been a challenge. This is where Red Hat Ansible Automation Platform can help, by more easily enabling automation across different IT environments.

Red Hat Ansible Automation Platform provides automation in areas that span across development, DevOps, compute, network, storage, applications, security, and Internet of Things (IoT). A common request we at IBM had been getting from our users was for Ansible Automation support of AIX and IBM i operating systems. Red Hat and IBM are pleased to announce the general availability of Red Hat Ansible Certified Content for IBM Power Systems.  Red Hat Ansible certification involves Red Hat testing the Collections developed by IBM and a commitment to provide enterprise support. The Collections for AIX and IBM i are maintained and supported by IBM.

Ansible content for AIX and IBM i helps Continue reading

Internet Society Foundation Announces $1.5 Million in COVID-19 Response Grants

The Internet plays a more important role than ever, serving as a lifeline so that children can continue learning, families and friends can stay connected, and vital public health information can keep circulating. At the Internet Society Foundation, we believe access to the Internet and its solutions can create healthier and safer communities, reduce vulnerabilities, and help build the resilience communities need to navigate the COVID-19 pandemic and emerge better prepared in the future.

That’s why we’re thrilled to announce that we’ve completed the selection process for our Emergency Response: COVID-19 grants, awarding USD$1.5 million in funding to four innovative projects that are using the Internet to help communities respond and adapt to the challenges created by the current pandemic.

The funding will support the following efforts around the globe: 

  • Expanding an online platform which connects and trains caregivers across Asia
  • Extending the reach of a COVID-19 training program to support 10,000 health workers in five African countries
  • Enabling a disaster response team to expand Internet connectivity for 24 critical primary health and coordination facilities across eight countries
  • Expanding the scope of an innovative technology platform that supports fact-checkers in Latin America

Read about each project!

Established Continue reading

How To Setup Your Local Node.js Development Environment Using Docker

Docker is the defacto toolset for building modern applications and setting up a CI/CD pipeline – helping you build, ship and run your applications in containers on-prem and in the cloud. 

Whether you’re running on simple compute instances such as AWS EC2 or Azure VMs or something a little more fancy like a hosted Kubernetes service like AWS EKS or Azure AKS, Docker’s toolset is your new BFF. 

But what about your local development environment? Setting up local dev environments can be frustrating to say the least.

Remember the last time you joined a new development team?

You needed to configure your local machine, install development tools, pull repositories, fight through out-of-date onboarding docs and READMEs, get everything running and working locally without knowing a thing about the code and it’s architecture. Oh and don’t forget about databases, caching layers and message queues. These are notoriously hard to set up and develop on locally.

I’ve never worked at a place where we didn’t expect at least a week or more of on-boarding for new developers. 

So what are we to do? Well, there is no silver bullet and these things are hard to do (that’s why you Continue reading

Creating an AWS Security Group using Pulumi and Go

In this post, I’m going to share some examples of how to create an AWS security group using Pulumi and Go. I’m sharing these examples because—as of this writing—the Pulumi site does not provide any examples on how this is done using Go. There are examples for the other languages supported by Pulumi, but not for Go. The syntax is, to me at least, somewhat counterintuitive, although I freely admit this could be due to the fact that I am still pretty new to Go and its syntax.

As a framework for providing these examples, I’ll use the scenario that I need to create two different security groups. The first security group will allow SSH traffic from the Internet to designated bastion hosts. The second security group will need to allow SSH from those bastion hosts, as well as allow all traffic between/among members of the security group. Between these two groups, I should be able to show enough examples to cover most of the different use cases you’ll run into.

Although no example was present for Go when I wrote this article, readers may still find the API reference for the SecurityGroup resource to be useful nevertheless.

First, let’s Continue reading

Linkerd’s Little Secret: a Lightning Fast, Service Mesh Focused Rust Network Proxy

KubeCon + CloudNativeCon sponsored this post, in anticipation of Linkerd can deliver critical features such as transparent mutual TLS, gRPC load balancing, blue-green deploys, and golden metrics. But like all abstractions, these features come at a cost. Some of this cost is human in nature: the more complex the service mesh, the more effort required to operate it successfully. Some of the cost is system cost: a service mesh consumes CPU and memory, and introduces latency to the application. Linkerd’s goal is to minimize this cost by being the smallest, fastest service mesh for Kubernetes (a claim which

The Hedge Podcast Episode 42: Andrei Robachevsky and MANRS

The security of the global routing table is foundational to the security of the overall Internet as an ecosystem—if routing cannot be trusted, then everything that relies on routing is suspect, as well. Mutually Agreed Norms for Routing Security (MANRS) is a project of the Internet Society designed to draw network operators of all kinds into thinking about, and doing something about, the security of the global routing table by using common-sense filtering and observation. Andrei Robachevsky joins Russ White and Tom Ammon to talk about MANRS.

More information about MANRS can be found on the project web site, including how to join and how to support global routing security.

download

Working with TC on Linux systems

Hi folks! Long time no talk : ) Life has been incredibly busy for me over the last few months so I’ll apologize in advance for the lack of posts. However – I’m aiming to get back on the horse so please stay tuned!

With that out of the way – I wanted to spend some time in this post talking about the command line tool found on Linux systems called tc. We’ve talked about tc before when we discussed creating some network/traffic simulated topologies and it worked awesome for that use case. If you recall from that earlier post tc is short for Traffic Control and allows users to configure qdiscs. A qdisc is short for Queuing Discipline. I like to think of it as manipulating the Linux kernels packet scheduler.

Note: tc is traditionally part of the iproute2 toolset which Im pretty sure (but not positive) is included in most base Linux distros these days.

When tc comes up – it’s easy to immediately start thinking about QOS, queuing, and packet(traffic) control. And while some of the actions available to you when using tc seem obvious, or at least fit within the mindset of queue disciplines (the drop Continue reading

Open Standards Everywhere: How the Kolkata Chapter Got a Perfect Score

In early May 2020, the Open Standards Everywhere (OSE) project held a series of virtual training sessions for Internet Society Chapters. Over 70 Chapter representatives from around the world learned, in English, French, or Spanish, how to improve the overall security and availability of their Chapter’s websites and web servers by enabling IPv6, HTTP/2, TLS, and DNSSEC.

To assess everyone’s progress we tested each Chapter’s website before and after the training sessions using internet.nl and http2.pro. As a result of the OSE training sessions, many Chapters were able to significantly increase their website’s compliance. But one Chapter in particular, ISOC Kolkata, was able to take its website from 32% compliance to a whopping 100%. We caught up with ISOC Kolkata member Rittika Ratawa, who was nominated by the Chapter to attend the training, to find out more.

The Internet Society: What changes did you make to isockolkata.in as a direct result of the OSE virtual training session?

Rittika: After the training session, the Chapter made several changes. Firstly, we changed our DNS service provider as the one we had been using did not offer DNSSEC services or IPv6. Then we enabled DNSSEC by providing Continue reading

Urban Terror Server on Cisco CSR1000v

We have discussed the configuration of Guest Shell on Cisco CSR 1000v platform in a previous tutorial. The guest shell is a built-in Linux container with CentOS 7 installed, which can be activated on the fly when Linux applications are needed. Our lives are currently affected by SARS-CoV-2 and long-standing quarantine, so why not do […]
Continue reading...

DevAsc – Python Script To Collect Show Commands Output

A colleague needed to connect to several Cisco devices, run some show commands, and save the output. I decided it would be good to practice my Python skills so I coded something together.

Why didn’t do you do this in Ansible, Nornir, or other tool of choice? Because the goal was to learn Python, not minimize amount of work to solve the task.

This work was highly inspired by others such as Debi, John, and wouldn’t be possible without the work from Kirk. Also thanks to Patrick, and Nick for giving me pointers on the code.

From a high level, the script will perform the following tasks:

  • Read commands from a text file “commands.txt”
  • Read devices from a text file “devices.txt”
  • Ask the user for credentials
  • Log in to the devices
  • Perform show commands
  • Save the output to a text file per device

In order to perform the tasks, the script relies on several modules:

Colorama – Used to color code terminal output
Netmiko – Used to setup SSH connection to device and parse the output
Datetime – Used to create a timestamp
Getpass – To get password from user without displaying it to the Continue reading

Wave Glider Robots

This video opened my mind to the ideas of robotic surveillance and data capture of the ocean. Wide range of civilian applications of course. But also police applications for customs and policing for monitoring the seaways around a country. And the military applications for defense and detection. Potentially even delivering a torpedo style payload.

The post Wave Glider Robots appeared first on EtherealMind.

Deep dive on Cisco ASA resource modules

Recently, we published our thoughts on resource modules applied to the use cases targeted by the Ansible security automation initiative. The principle is well known from the network automation space and we follow the established path. While the last blog post covered a few basic examples, we’d like to show more detailed use cases and how those can be solved with resource modules.

This blog post goes in depth into the new Cisco ASA Content Collection, which was already introduced in the previous article. We will walk through several examples and describe the use cases and how we envision the Collection being used in real world scenarios.

 

The Cisco ASA Certified Content Collection: what is it about?

The Cisco ASA Content Collection provides means to automate the Cisco Adaptive Security Appliance family of security devices - short Cisco ASA, hence the name. With a focus on firewall and network security they are well known in the market.

The aim of the Collection is to integrate the Cisco ASA devices into automated security workflows. For this, the Collection provides modules to automate generic commands and config interaction with the devices as well as resource oriented automation of access control lists Continue reading

Making the WAF 40% faster

Making the WAF 40% faster

Cloudflare’s Web Application Firewall (WAF) protects against malicious attacks aiming to exploit vulnerabilities in web applications. It is continuously updated to provide comprehensive coverage against the most recent threats while ensuring a low false positive rate.

As with all Cloudflare security products, the WAF is designed to not sacrifice performance for security, but there is always room for improvement.

This blog post provides a brief overview of the latest performance improvements that were rolled out to our customers.

Transitioning from PCRE to RE2

Back in July of 2019, the WAF transitioned from using a regular expression engine based on PCRE to one inspired by RE2, which is based around using a deterministic finite automaton (DFA) instead of backtracking algorithms. This change came as a result of an outage where an update added a regular expression which backtracked enormously on certain HTTP requests, resulting in exponential execution time.

After the migration was finished, we saw no measurable difference in CPU consumption at the edge, but noticed execution time outliers in the 95th and 99th percentiles decreased, something we expected given RE2's guarantees of a linear time execution with the size of the input.

As the WAF engine uses a thread Continue reading

1 874 875 876 877 878 3,787