Hedge 171: Paul Grubb on Zero Knowledge Middleboxes

Middleboxes are used in modern networking to sniff out attack traffic (IDS), block unwanted traffic (stateful packet filters), and share load among several different servers. Encryption, however, is making it hard for the middleboxes to do their job. Paul Grubb joins Tom Ammon and Russ White to discuss zero-knowledge middleboxes, which allow operators to enforce arbitrary policies on the underlying traffic of an encrypted connection without decrypting it.


To find out more about Paul’s work in this and other areas, please see Paul’s research page, this article on zero-knowledge middleboxes, and this research paper on zero-knowledge middleboxes.

Weekend Reads 031723

Fujitsu’s Arm-based A64FX processor may have driven the most powerful supercomputer in the world, but it looks like its successor will be a more general-purpose chip that will focus on energy efficiency.

Hi everyone! In this article we’re going to take a look at the different rendering pattern options available nowadays for web applications.

Spurred by unprecedented unit pricing, the IPv4 market in North America experienced its second-best year ever in market history.

Getting a new technology out to consumers will usually require good people and boat loads of resources – including money. Generally, lots of money.

The Global Domain Report 2023 shows the domain industry is absorbing the shock waves, proving that the market is resilient and domains are solid assets for digitalization.

A proposed rule change at the Federal Communications Commission (FCC) would expand the definition of a data breach for communications carriers. If approved by the agency, the rule would cover any incident that affects the confidentiality of customer information, even if no harm to customers results.

Threat actors with a connection to the Chinese government are infecting a widely used security appliance from SonicWall with malware that remains active even after the device receives firmware updates, researchers said.

Akamai has just mitigated a distributed denial of service (DDoS) attack of epic proportions. While it was short-lived, it was very intense, and it most likely could have easily taken the target server offline.

While compatible with RDP connection and local desktop logins, they offer no protection to remote command line access tools like PsExec, Remote PowerShell and their likes.

Is the current arrangement of keys on the keyboard the most efficient and intuitive solution? Open source aims to address this question with a circular one-handed keyboard.

Software-defined WAN offers a lot of potential benefits including price, efficiency, and performance, but it’s not right for all sites.

But given the expansive capabilities of today’s technology, combined with how integrated it is in every aspect of our lives, there’s a danger of either purposefully or inadvertently collecting unnecessary and private data.

You may be wondering what folks mean when they talk about a [BGP Free Core], and also you may ask yourself why would I decide to retrofit this in our network.

To that end, three vendors have announced new capabilities in the high-speed networking game. So, let’s run them down.

Privacy experts can now rely on a new standard, the ISO/IEC 27559:2022 privacy-enhancing data deidentification framework, in an area that has been the subject of much discussion and development.

Upcoming Training: How the Internet Really Works Part 1

I’m teaching How the Internet Really Works over on Safari Books Online on the 24th of March—in a couple of weeks. From the description:

This live training will provide an overview of the systems, providers, and standards bodies important to the operation of the global Internet, including the Domain Name System (DNS), the routing and transport systems, standards bodies, and registrars. For DNS, the process of a query will be considered in some detail, who pays for each server used in the resolution process, and tools engineers can use to interact with DNS. For routing and transport, the role of each kind of provider will be considered, along with how they make money to cover their costs, and how engineers can interact with the global routing table (the Default Free Zone, or DFZ). Finally, registrars and standards bodies will be considered, including their organizational structure, how they generate revenue, and how to find their standards.

Register here.

Weekend Reads 031123

Featuring 18 different participating member companies, the Ethernet Alliance interoperability demo in booth #5417 spans diverse Ethernet technologies ranging from 10 Gigabit Ethernet (GbE) to 800GbE.

Every few months, an important ceremony takes place. It’s not splashed all over the news, and it’s not attended by global dignitaries. It goes unnoticed by many, but its effects are felt across the globe. This ceremony helps make the internet more secure for billions of people.

Major cloud platforms, such as Google Cloud Platform (GCP), fail to adequately log the event data that could facilitate the detection of compromises and the forensic analysis during post-compromise response, according to an analysis.

Software dependencies, the pieces of software an application requires to function, are notoriously difficult to manage and constitute a major software supply chain risk. If you’re not aware of what’s in your software supply chain, an upstream vulnerability in one of your dependencies can be fatal.

As a primary working interface, the browser plays a significant role in today’s corporate environment. The browser is constantly used by employees to access websites, SaaS applications and internal applications, from both managed and unmanaged devices.

For years, the domain registrar and Web hosting company GoDaddy has experienced a cyber barrage of extraordinary scale, it has confirmed — affecting both the company and its many individual and enterprise clients.

The massive breach at LastPass was the result of one of its engineers failing to update Plex on their home computer, in what’s a sobering reminder of the dangers of failing to keep software up-to-date.

The Cyble analysis identified 10 indicators of compromise (IoCs) for this threat—six malware hashes and four URLs.

As global conflicts continue, cyber has become the fifth front of warfare. The world is approaching 50 billion connected devices, controlling everything from our traffic lights to our nuclear arsenal.

For decades, scholars and litigators have been talking about imposing legal liability on the makers of insecure software. But the objections of manufacturers were too strong, concerns about impeding innovation were too great, and the conceptual difficulties of the issue were just too complex.

So, who will the winners and losers in this new world be? According to Entner, “it’s not set in stone yet.” He noted the result partially depends on whether DOCSIS 4.0 is able to deliver better reliability than DOCSIS 3.1.

A never-before-seen complex malware is targeting business-grade routers to covertly spy on victims in Latin America, Europe, and North America since at least July 2022.

Hedge 169: Network Address Translation with Steinn

Network Address translation is one of those phrases that strikes fear into the hearts of some network engineers … and joy into the hearts of others! Steinn Bjarnarson joins us to discuss the history of NAT, its uses, its misuses, and how NAT fits into the big picture of network design today. Steinn just finished writing a paper on the history of NAT.


Controversial Reads 030423

Privacy campaigners say such systems could be used as tools of oppression. In Moscow, Vyborov and countless others now face that oppression on a daily basis.

The general problem statement for technological standards is how to avoid the power imbalance of a single source for essential goods and services; in other words, standards are a line of defense against concentration risk. Interoperability is the goal, and multiple suppliers is the proof.

In this episode, they focus particularly on how social media has become a place where predators will search and highlight children’s vulnerabilities — which so many young people share online.

Tech policy, however, has its own set of “culture war issues” including net neutrality and encryption that largely serve as a distraction from the real issues at stake. Victims of child porn are now caught in the fray.

A major escalation in official online censorship regimes is progressing rapidly in Brazil, with implications for everyone in the democratic world. Under Brazil’s new government headed by President Lula da Silva, the country is poised to become the first in the democratic world to implement a law censoring and banning “fake news and disinformation” online, and then punishing those deemed guilty of authoring and spreading it.

In addition to federal agencies, could the major accounting firms provide algorithmic audits as they do in auditing financial statements of publicly listed companies?

The click-based economy has made the world more efficient in some ways, but it turned this miraculous global information databank into a frenzied real estate auction with every website scrabbling to climb to the top of the search results, collect the most clicks, and retain the most eyeballs.

A former ASML worker accused of stealing trade secrets for advanced chip-making equipment from his employer is now suspected of spying for the Chinese government.

China’s attempts to influence technical standards groups have mostly been uncoordinated, unsophisticated and unsuccessful – but the US needs to keep watch on Beijing’s activities, especially at the International Telecommunications Union.