Rejecting years of settled precedent, a federal court in New York has ruled [PDF] that you could infringe copyright simply by embedding a tweet in a web page. Even worse, the logic of the ruling applies to all in-line linking, not just embedding tweets. If adopted by other courts, this legally and technically misguided decision would threaten millions of ordinary Internet users with infringement liability. —Daniel Nazer @EFF
Security advances throughout the centuries have been mostly technical adjustments in response to evolving weaponry. Fortification — the art and science of protecting a place by imposing a barrier between you and an enemy — is as ancient as humanity. From the standpoint of theory, however, there is very little about modern network or airport security that could not be learned from a 17th century artillery manual. That should trouble us more than it does. —Jack Anderson
Akamai’s Fourth Quarter, 2017 State of the Internet, was released today in which it states that the analysis of more than 7.3 trillion bot requests per month has found a sharp increase in the threat of credential abuse, with more than 40 percent of login attempts being malicious. Additionally, the report warns DDoS attacks remain a consistent threat and the Mirai botnet is still capable of strong bursts of activity. @CircleID
Section 1201 of the DMCA bans the bypassing of “access controls” for copyrighted works. Originally, this meant that even though you owned your DVD player, and even though it was legal to bring DVDs home with you from your European holidays, you weren’t allowed to change your DVD player so that it would play those out-of-region DVDs. —Cory Doctorow @EFF
Patrick Reames had no idea why Amazon.com sent him a 1099 form saying he’d made almost $24,000 selling books via Createspace, the company’s on-demand publishing arm. That is, until he searched the site for his name and discovered someone has been using it to peddle a $555 book that’s full of nothing but gibberish. —Krebs on Security
Citing the potential threat to law enforcement and the general public, correctional facility officials have pushed for the FCC to address the issue of contraband phone use in prisons. In a recent meeting hosted by the FCC, Department of Justice officials and local law enforcement argued for aggressive technological approaches to addressing contraband phones. —Ferras Vinh @CDT
While perhaps best known for funding academic research, the US National Science Foundation (NSF) conducts many other activities, including an annual survey of doctoral graduates called the Survey of Earned Doctorates (SED). While an important data source for understanding the societal impact of doctoral education, the way in which the NSF conducts its survey offers a case study in cybersecurity through obscurity, the importance of paying attention to the entire lifecycle of data and several useful lessons to other organizations managing sensitive data in 2018. —Kalev Leetaru @Forbes
My first short take at The Network Collective is up discussing the Broadcom SDKLT announcement. Does this really mean the end of vendors or network engineering? You can guess my answer, or you can watch the video and hear it for yourself.
Policy at Internet scale is a little-understood and difficult (potentially impossible) problem to solve. Joel Halpern joins the History of Networking over at the Network Collective to talk about the history of policy in the Internet at large, and in networked systems in general.
The recent Meltdown and Spectre attacks illustrate the problematic nature of modern computing systems. While the earlier Rowhammer attack could read or attack one process running in a virtual environment from another process running on the same processor, the Meltdown and Spectre attacks are of a completely different class, enabling a process to read large amounts of information from another process’ memory space. @GestaltIT
Two ideas that are widespread, and need to be addressed—
FANG (read this as hyper/web/large scale network operators) have very specific needs; they run custom-built single-purpose software at a very big scale. So all they really want/need are dumb boxes and smart people. … Enterprises have another view: they want smart boxes run by dumb people.
First, there is no enterprise, there are no service providers. There are problems, and there are solutions.
When I was young (and even more foolish than I am now) I worked for a big vendor. When this big vendor split the enterprise and service provider teams, I thought this kind of made sense. After all, providers have completely different requirements, and should therefore run with completely different technologies, equipment, and software. When I thought of providers in those days, I thought of big transit network operators, like AT&T, and Verizon, and Orange, and Level3, and Worldcom, and… The world has changed since then, but our desire to split the world into two neat halves has not.
If you want to split the world into two halves, split it this way: There are companies who consider the network an asset, and companies that consider the network a necessary evil. There are companies who consciously depend on the network within their product lifecycle and value chain, and there are companies who see the network as a consumer of money which is best minimized. This has nothing to do with “service provider” and “enterprise,” and everything to do with the company’s attitude towards technology and their future.
Second, the smart boxes/dumb people and smart people/dumb boxes pairings are a false dichotomy.
All networks rely on having smart people design and run them. There are two ways you can access the smart people your network needs. You can hire a small group of smart people and allow them to work in the open source/open standards communities; this way you build a community that supports a lot of businesses, including yours. Or you can rely on your vendor to hire the right smart engineers, call them in when you need them, and hope they show up. Both models have positive and negative aspects, but the assumption that there is no cost sharing model in the realm of directly hiring smart engineers distorts the tradeoffs; distorted tradeoffs always lead to poor decisions.
Sometimes smart engineers can design things so you do not need smart boxes. Rather than hiring someone to build the smarts you will be missing by not buying from a vendor, you ask: do I really need this complexity in the first place?
The bottom line.
In my experience, most companies that use the “smart boxes/dumb engineers” line do not understand their business, their operating environment, or network engineering. This response normally comes from either a misunderstanding of the value of the network, a misunderstanding of the value of simplicity, or a fear of smart network engineers (they might actually push back against the application developers and vendors!).
It is much easier to scream at a vendor than it is to change the way you do business to take advantage of the network as an asset.
When you realize how easy it is for thieves to compromise an ATM or credit card terminal with skimming devices, it’s difficult not to inspect or even pull on these machines when you’re forced to use them personally — half expecting something will come detached. For those unfamiliar with the stealth of these skimming devices and the thieves who install them, read on. @Krebs on Security
Here is a short blog post that explains how you can make your own Man-in-the-Middle (MitM) setup for sniffing the traffic between a SIM card and the backend server. This is NOT a new research but I hope this will help anyone who doesn’t have a telco background to get started to play with mobile data sniffing and fake base stations. This is applicable to many scenarios today as we have so many IoT devices with SIM cards in it that connects to the backend. —Priya Chalakkal @The Insinuator
He got the idea while analyzing the Vawtrak malware after discovering that it read multiple fields in the X.509 certificate provided by the server before proceeding. Jason initially thought these fields were used as a C2 channel, but then realized that Vawtrak performed a variant of certificate pinning in order to discover SSL man-in-the-middle attempts. —Erik Hjelmvik @Netresec
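The certificate-field comparison described above is the same check a defender uses to notice TLS interception: pin a few attributes of the expected server certificate and compare them with what the connection actually presents. The following is an added example, not Netresec's or the malware's code; the certificate dictionaries, the pinned values and the public-key bytes are all constructed, and the dict layout mirrors what Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import hashlib

# Pinned expectations for the genuine server certificate (constructed values).
# In practice these come from the certificate you enrolled at build or first-use time.
EXPECTED = {
    "issuer_cn": "Example Root CA",
    "subject_cn": "bank.example.com",
    "serial": "0A1B2C3D",
    "spki_sha256": hashlib.sha256(b"constructed-public-key-der").hexdigest(),
}


def _rdn_value(name_tuple, attr):
    """Pull one attribute (e.g. commonName) out of a getpeercert()-style name tuple."""
    for rdn in name_tuple:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def check_pins(cert, spki_der, expected=EXPECTED):
    """Compare a presented certificate against the pins.

    cert     -- dict shaped like ssl.SSLSocket.getpeercert()
    spki_der -- DER bytes of the presented SubjectPublicKeyInfo (constructed here)
    Returns the list of pin names that do NOT match; an empty list means the
    certificate is the one we expect and no re-signing proxy sits in the path.
    """
    problems = []
    if _rdn_value(cert.get("issuer", ()), "commonName") != expected["issuer_cn"]:
        problems.append("issuer")
    if _rdn_value(cert.get("subject", ()), "commonName") != expected["subject_cn"]:
        problems.append("subject")
    if cert.get("serialNumber") != expected["serial"]:
        problems.append("serial")
    if hashlib.sha256(spki_der).hexdigest() != expected["spki_sha256"]:
        problems.append("spki")
    return problems


# Constructed sample certificates (not real certificates).
GENUINE_CERT = {
    "subject": ((("commonName", "bank.example.com"),),),
    "issuer": ((("organizationName", "Example"),), (("commonName", "Example Root CA"),)),
    "serialNumber": "0A1B2C3D",
}

# Same subject name, but re-signed by an interception CA: subject matches,
# issuer, serial and key do not. This is what a TLS-inspecting proxy presents.
INTERCEPTED_CERT = {
    "subject": ((("commonName", "bank.example.com"),),),
    "issuer": ((("commonName", "Corp Proxy CA"),),),
    "serialNumber": "FFFF0001",
}


def demo():
    """Run both samples through the pin check and return the two result lists."""
    return (
        check_pins(GENUINE_CERT, b"constructed-public-key-der"),
        check_pins(INTERCEPTED_CERT, b"proxy-generated-key-der"),
    )


if __name__ == "__main__":
    genuine, intercepted = demo()
    print("genuine certificate mismatches:", genuine)
    print("intercepted certificate mismatches:", intercepted)
```

Pinning the public key hash is the pin that matters most: a proxy can copy the subject name verbatim, but it cannot present the genuine server's key without the corresponding private key. Pinning issuer and serial as well gives a noisier signal that also trips on legitimate certificate renewals, which is why production clients usually pin the SPKI hash and keep a backup pin for rotation.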
Account takeover attacks are a nearly invisible tactic for conducting cyber espionage. Because these breaches can take months or years to detect, we are slowly discovering that this attack vector is much more common than we thought. The more we learn about new methodologies, the more we realize just how misunderstood account takeover attacks can be. Many of the common myths about account takeover attacks are making it easier for the attackers to continue undetected, which is why we feel obligated to debunk them. —Dylan Press @The Cloud Security Alliance
In advance of Data Privacy & Protection Day, the Online Trust Alliance, an Internet Society initiative, just released the Cyber Incident & Breach Trends Report (press release here), a look back at the cyber incident trends in 2017 and what can be done to address them. This report marks the tenth year OTA has provided guidance in this area, and while the specifics have certainly changed over time, the core principles have not. —Jeff Wilbur @The Internet Society
Got an old Raspberry Pi lying around? Hate seeing ads while browsing the web? Pi-hole is an open source software project that blocks ads for all devices on your home network by routing all advertising servers into nowhere. What’s best is it takes just a few minutes to set up. —Ben Nuttall @opensource.com
Fumbling is a general term for repeated systematic failed attempts by a host to access resources. For example, legitimate users of a service should have a valid email ID or user identification. So if there are numerous attempts by a user from a different location to target the users of this service with different email identifications, then there is a chance that this is an attack from that location. From the data analysis point of view, we say a fumbling condition has happened. —Dipankar-Ray @ opensourceforu
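As an added example of the fumbling condition just described (this is not code from the opensourceforu article), the following detector reads authentication log lines, counts failed attempts per source and, separately, how many different user identifiers each source tried. A source is flagged only when both numbers are high, so a legitimate user who mistypes a password a couple of times is not reported. The log format, the sample lines and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (not real data). Assumed format:
# <timestamp> src=<ip> user=<id> result=<OK|FAIL>
SAMPLE_LOG = """\
2018-02-20T10:00:01 src=203.0.113.5 user=alice@example.com result=FAIL
2018-02-20T10:00:02 src=203.0.113.5 user=bob@example.com result=FAIL
2018-02-20T10:00:03 src=203.0.113.5 user=carol@example.com result=FAIL
2018-02-20T10:00:04 src=203.0.113.5 user=dave@example.com result=FAIL
2018-02-20T10:00:05 src=203.0.113.5 user=erin@example.com result=FAIL
2018-02-20T10:00:06 src=198.51.100.7 user=frank@example.com result=FAIL
2018-02-20T10:00:07 src=198.51.100.7 user=frank@example.com result=FAIL
2018-02-20T10:00:08 src=198.51.100.7 user=frank@example.com result=OK
2018-02-20T10:00:09 src=192.0.2.9 user=grace@example.com result=OK
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Yield (src, user, result) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("src"), m.group("user"), m.group("result")


def detect_fumbling(records, min_failures=5, min_distinct_users=3):
    """Return {src: (failed_attempts, distinct_user_ids)} for fumbling sources.

    A source fumbles when it produces at least min_failures failed attempts AND
    spreads them across at least min_distinct_users identities. One user failing
    repeatedly from one address does not meet the second condition.
    """
    failures = defaultdict(int)
    users = defaultdict(set)
    for src, user, result in records:
        if result != "OK":
            failures[src] += 1
            users[src].add(user)
    return {
        src: (failures[src], len(users[src]))
        for src in failures
        if failures[src] >= min_failures and len(users[src]) >= min_distinct_users
    }


def run_sample():
    """Run the detector over the constructed log and return the flagged sources."""
    return detect_fumbling(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for src, (n_fail, n_users) in run_sample().items():
        print(f"fumbling from {src}: {n_fail} failures across {n_users} user ids")
```

The thresholds are deliberately separate knobs: lowering `min_failures` alone makes the detector catch slower probing, while `min_distinct_users` is what separates identity enumeration from a forgotten password. In a real deployment both would be evaluated over a sliding time window rather than the whole file.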
Coming from the simple days of peripheral firewalls, the cloud made security more nuanced for IT teams. However, with the advent of containers, this equation reached a new level of complexity. When they started out, the mantra around containers was that “containers do not contain.” Linux security professionals were vocal about the weak process isolation between containers, and that a vulnerability couldn’t be easily contained from spreading to neighboring containers, as multiple containers share the same guest OS. —Twain Taylor @The New Stack
Companies around the globe are scrambling to comply with new European privacy regulations that take effect a little more than three months from now. But many security experts are worried that the changes being ushered in by the rush to adhere to the law may make it more difficult to track down cybercriminals and less likely that organizations will be willing to share data about new online threats. @Krebs on Security
Republican Sens. Tom Cotton (Ark.) and Marco Rubio (Fla.) introduced a bill Wednesday to prohibit government use of telecommunications products from two Chinese companies. The Defending U.S. Government Communications Act would prohibit the U.S. government from purchasing or leasing equipment or services from Huawei or ZTE, according to a statement from Cotton’s office. Cotton said the government should not trust devices from companies so closely linked to the Chinese communist government. —Paul Crookston @The Free Beacon
Humans are not sleeping the way nature intended. The number of sleep bouts, the duration of sleep, and when sleep occurs have all been comprehensively distorted by modernity. —Matthew Walker @ Delancey Place
Many Americans find their lives devoid of meaning; up to 40 percent of Americans have “not discovered a satisfying life purpose.” Without purpose can anyone truly live a full, happy life? As Bill Murray discovered in his classic comedy Groundhog Day, a life focused on hedonic pleasures won’t lead to happiness. —Barry Brownstein @Intellectual Takeout
In January of 1995, Network Translation’s PIX firewall received the “hot product of the year” award from Data Communications Magazine. While the PIX was originally designed to perform Network Address Translation (NAT), doing for the IP host market what the PBX market did for the telephone, the PIX itself quickly morphed into the original appliance-based firewall. In those heady days in the Cisco Technical Assistance Center (TAC), we spent hours thinking through how best to build a Demilitarized Zone (DMZ) using PIXes and routers so the network simply could not be penetrated. We built walls around our networks to defend them against the hordes of horseback riding invaders. @ECI
As the processing power of individual, handheld, always on devices has overtaken the computing power of most mainframes of old, and network bandwidth has ramped up, a new trend is emerging towards fog computing. In fog computing as much of the processing as possible is pushed out of large scale data centers and into individual
Paul Vixie joins us on the History of Networking to talk about the spread of the DNS system—like a virus through the body network. All those radios in the background add a bit of history; Paul is an Amateur Radio Operator of many years, though, like me, he is not as active as
Broadcom, to much fanfare, has announced a new open source API that can be used to program and manage their Tomahawk set of chips. As a general refresher, the Tomahawk chip series is the small buffer, moderate forwarding table size hardware network switching platform on which a wide array of 1RU (and some chassis) routers
The regulatory environment for brands and retailers that do business online is getting stricter thanks to regulatory changes in Europe with the General Data Protection Regulation (GDPR), as well as existing regulations in th ompanies that adapt quickly can turn these changes into a competitive advantage. —Christopher Rence @CircleID
While at Cisco Live in Barcelona this week, I had a chat with someone—I don't remember who—about certifications. The main point that came out of the conversation was this: One of the big dangers with chasing a certification is you will end up chasing knowledge about using a particular vendor feature set, rather than chasing
Over at the ACM blog, there is a terrific article about software design that has direct application to network design and architecture. The problem is that once you give a monkey a club, he is going to hit you with it if you try to take it away from him. What do monkeys and clubs
A lot of folks ask me about learning theory—they don't have the time for it, or they don't understand why they should. This video is in answer to that question.
Before we begin, it’s worth mentioning that yes, yesssssssssssssssssssss, I did not have enough protection around my Gmail account. I’ve used Google Authenticator before, for my personal account and for various work emails, but I stopped using it at a certain point out of convenience. —Cody Brow @Medium This report assesses the impact disclosure of
I'm often asked what the trick is to become a smarter person—there are many answers, of course, which I mention in this video. But there is "one weird trick" many people don't think about, which I focus on here.
A while back I posted on section 10 routing loops; Daniel responded to the post with this comment: I am curious how these things are discovered. You said that this is a contrived example, but I assume researchers have some sort of methodology to discover issues like this. I am sure some things have been