There are a lot of resources out there on Twitter, Reddit, and YouTube about this epic vulnerability. I wanted to create this post to summarize the main things I learned, ways to test it as pentester, and the mitigation controls that help prevent the exploitation of this vulnerability.
A Romanian vulnerability researcher has discovered more than 70 flaws in combinations of cloud applications and content delivery networks (CDNs) that could be used to poison the CDN caches and result in denial-of-service (DoS) attacks on the applications.
One could argue that the last few years have highlighted some of the most pressing semiconductor industry issues but there are challenges on the horizon well beyond current supply chain and silicon manufacturing bottlenecks.
In light of recent incidents that impacted both information technology (IT) and operational technology (OT) environments, organizations are increasingly evaluating the risks associated with growing IT/OT convergence.
On the surface, ISO 27701 and GDPR are entirely different. The GDPR is a mandatory regulation for companies handling European data, and ISO 27701 is an extension of an optional certification, ISO 27001. Despite their differences, they contemplate many of the same considerations.
The Graviton family of Arm server chips designed by the Annapurna Labs division of Amazon Web Services is arguably the highest volume Arm server chips the datacenter market today, and they have precisely one – and only one – customer. Well, direct customer.
If you look at the past, patch management was not a cybersecurity issue; rather, it was an IT issue. And it wasn’t until the emergence of Code Red in 2001 when Microsoft started issuing patches to plug security vulnerabilities in its software.
Verizon and AT&T said on Monday that they have voluntarily agreed to further delay the rollout of their next-generation 5G wireless technology at the request of U.S. Transportation Secretary Pete Buttigieg.
During our 2021 Financial Institution Cyber Drill, 204 security professionals in 38 teams were given the task to act as ‘Incident Handlers’ and identify, investigate and provide recommendations to resolve these issues from the artifacts provided by BGD e-GOV CIRT.
Cybersecurity researchers have detailed a high severity flaw in KCodes NetUSB component that’s integrated into millions of end-user router devices from Netgear, TP-Link, Tenda, EDiMAX, D-Link, and Western Digital, among others.
Proving that whenever you buy something new, a better thing immediately comes out, the PCI-Sig Group announced the release of PCIe 6.0 on Tuesday, which will double the raw data rates of the PCIe 5.0 technology that only just debuted in Intel’s 12th-gen ‘Alder Lake’ Core processors.
Not every manufacturing node comes out perfectly and not every one comes out on time, but in the past decade and a half, Taiwan Semiconductor Manufacturing Co, the world’s largest and most technologically advanced etcher of chips in the world, has done far better than any of its few remaining peers to push the chip manufacturing envelope while also maintaining consistent and profitable production of older nodes.
The first half of the year saw massive ransomware attacks that affected parts of critical infrastructure all around the world, as well as a vulnerability in IT management software. This vulnerability targeted the public sector, credit unions, schools, and other essential services.
Satellite broadband made the news again recently when the Chinese government said it had to adjust the orbits of the Chinese space station to avoid collisions with Starlink satellites. China claims it had to make adjustments in July and October of last year.
Devops is the new normal—but, far too often, operations folks (like network engineers) are expected to become full-on developers, and developers are expected to understand operations in ways they never had to before. Mat Duggan joins Tom Ammon and Russ White to discuss why operations is not development IT
I’ve recently finished my 16th book (according to Goodreads, at any rate). This one is a little different than my normal fare—it’s essentially an expanded and revised version of the dissertation. Rather than being about technology proper, this latest is an examination of the history and philosophy of the superset of social media, which I’ve dubbed neurodigital media.
Fair warning, some readers might find this book a little … controversial.
From the back of the book—
Social media, shopping experiences, and mapping programs might not seem like they have much in common, but they are all built on neurodigital media. What is neurodigital media? It lives at the intersection of the Californian Ideology, the digital computing revolution, network ecosystems, the nudge, and a naturalistic view of the person. The Californian Ideology holds individuals should be reshaped, naturalism says individuals may be reshaped, and digital computing provides the tools, through network ecosystems theory and the nudge, that can reshape individuals. This book explores the history and impact of neurodigital media in the lives of everyday users.
Hardware hacking isn’t a topic most network engineers are familiar with—but we always used to say that if I can get access to the console of a router, I can eventually get into the box. The same is largely true of all kinds of computing hardware, including laptops, compute nodes connected to a data center fabric, and, again, routers and switches. In this episode of the Hedge, Federico Lucifredi joins Tom Ammon and Russ White to discuss the many options hardware hackers have today.
I’m a little late in posting this, but I thought I’d put it out here anyway. Tomorrow I’m teaching through a three-hour webinar, How the Internet Really Works part 2. From the session description—
This training will provide short reviews of many of these systems and a deeper look at the many tools network engineers can use to discover the information they need to navigate through the DNS and routing systems on the global Internet. This training will be arranged as a set of case studies posing a problem, and then working through tools available to gather the information needed to understand the problem.
Over the last few episodes of the Hedge, we’ve been talking to folks involved in bringing network products to market. In this episode, Tom Ammon and Russ White talk to Jeff Jakab about the role of the Product Line Manager in helping bring new networking products to life. Join us to understand the roles various people play in the vendor side of the world—both so you can understand the range of roles network engineers can play at a vendor, and so you can better understand how products are designed, developed, and deployed.
Software Eats the World?
I’m told software is going to eat the world very soon now. Everything already is, or will be, software based. To some folks, this sounds completely wonderful, but—leaving aside the privacy issues—I still see an elephant in the room with this vision of the future.
Let me give you some recent examples.
First, ceiling fans. Modern ceiling fans, in case you didn’t know, don’t rely on the wall switch and pull chains. Instead, they rely on remote controls. This is brilliant—you can dim the light, change the speed of the fan, etc., from a remote control. No unsightly chains hanging from the ceiling.
Well, it’s brilliant so long as it works. I’ve replaced three of the four ceiling fans in my house. Two of the remote controls have somehow attached themselves to two of the three fans. It’s impossible to control one of the fans without also controlling the other. They sometimes get into this entertaining mode where turning one fan off turns the other one on.
For the third one—the one hanging from a 13-foot ceiling—the remote control sometimes operates one of the other fans, and sometimes the fan its supposed to operate. Most of the time it doesn’t seem to do much of anything.
The fan manufacturer—a large, well-known company—mentions this situation in their instructions and points to a FAQ that doesn’t exist. Searching around online I found instructions for solving this problem that involve unwiring the fans and repeating a set of steps 12 times for each fan to correct the situation. These instructions, needless to say, don’t work.
There is no way to reset the remote, nor the connection between the remote and the fan. There is no way to manually select some dip switch so the remote has a specific fan it talks to. Just some mystical software that’s supposed to work (but doesn’t) and no real instructions on how to resolve the problem. The result will be a multi-hour wait on a customer support line, spending hours of my time to sort the problem out, and the joy of climbing (tall) ladders to unwire and wire ceiling fans in four different rooms.
Thinking through possible problems and building software interfaces that take those situations into account … might be a bit more important than we think they are if software is really going to eat the world.
Second, the retailer’s web site—a large retailer with thousands of physical stores across the United States. Twice I’ve ordered from this site, asking to have the item held in the local store so I can pick it up. The site won’t let you order the item for store pickup unless they have it in stock.
The first time they called me to say they couldn’t find the item I ordered, but they found a “newer model” that was a lot less expensive. It was a lot less expensive because it wasn’t the same item. They never did find the item I originally ordered.
The second time they called me to say they couldn’t find the item I ordered. I asked if they could just ship the item to my house when it’s back in stock. “I’m sorry, our system doesn’t allow us to do that …” Several hours later, they called back to tell me they found it, but they cannot reinstate my order—I must place a new order.
Again, software quality strikes … what should be a simple process just isn’t. There will always be mismatches between the state in software and the state in the real world—but design the system so it’s possible to adapt when this happens, rather than shutting down the process and starting over.
Third, I own a car that has all the “bells and whistles,” including an adaptive cruise control system. There are certain situations, however, where this adaptive control does the wrong thing, producing potentially dangerous results. There is no way to set the car to use the non-adaptive cruise control permanently (I called and waited on the phone for several hours to discover this). You can set the non-adaptive cruise control on a per-use basis by going through set of menus to change the settings … while driving.
Software quality anyone?
Software eats the world might be someone’s ultimate dream—but I suspect that software quality will always be the fly in the ointment. People are not perfect (even in crowds); software is created by people; hence software will always suffer from quality problems.
Maybe a little humility about our ability to make things as complex as we might like because “we can always have software do that bit” would be a good thing—even in the networking world.