Research: HTTPS Interceptions

30 July 2018 | Comments Off on Research: HTTPS Interceptions

I have written elsewhere about the problems with the “little green lock” shown by browsers to indicate a web page (or site) is secure. In that article, I considered the problem of freely available certificates, and a hole in the way browsers load pages. In March of 2017, another paper was published documenting another problem…

On the ‘net: Understanding the Exploit Market

24 July 2018 | Comments Off on On the ‘net: Understanding the Exploit Market

How do attackers find a vulnerability, write a piece of code to take advantage of that vulnerability — i.e., build an exploit — build a software delivery system around the exploit and then deliver the attack itself? The key point to recognize in this process is that no single person undertakes all of this work.…

Research: Even Password Complexity is a Tradeoff

23 July 2018 | Comments Off on Research: Even Password Complexity is a Tradeoff

Stronger passwords are always better—at least this is the working theory of most folks in information technology, security or otherwise. Such blanket rules should raise your suspicions, however; the rule11 maxim if you haven’t found the tradeoff, you haven’t looked hard enough should apply to passwords, too. Dinei Florêncio, Cormac Herley, and Paul C. Van…

Short Take: Security as a Tradeoff

23 May 2018 | Comments Off on Short Take: Security as a Tradeoff

We often treat security as an absolute, “that which must be done, and done perfectly, or is of no value at all.” It’s time to take this myth head on, and think about how we should really think about security.

Research: Bridging the Air Gap

14 May 2018 | Comments Off on Research: Bridging the Air Gap

Way back in the old days, the unit I worked at in the US Air Force had a room with a lot of equipment used for processing classified information. Among this equipment was a Zenith Z-250 with an odd sort of keyboard and a very low resolution screen. A fine metal mesh embedded in a…

Short Take: Disaggregating Firewalls

18 April 2018 | Comments Off on Short Take: Disaggregating Firewalls

Side Channel Attacks in the Wild: The Smart Home

19 March 2018 | Comments Off on Side Channel Attacks in the Wild: The Smart Home

Side channel attacks are not something most network engineers are familiar with; I provided a brief introduction to the concept over at The Network Collective in this Short Take. If you aren’t familiar with the concept, it might be worth watching that video (a little over 4 minutes) before reading this post. Side channel attacks…

Short Take: Side Channel Attacks

13 March 2018 | Comments Off on Short Take: Side Channel Attacks

In this short take, recently posted over at the Network Collective, I discuss what a side channel attack is, and why they are important.

On the ‘net: Spectre, Meltdown, and Flexible Scaleout

20 February 2018 | Comments Off on On the ‘net: Spectre, Meltdown, and Flexible Scaleout

The recent Meltdown and Spectre attacks illustrate the problematic nature of modern computing systems. While the earlier Rowhammer attack could read or attack one process running in a virtual environment from another process running on the same processor, the Meltdown and Spectre attacks are of a completely different class, enabling a process to read large…

Giving the Monkey a Smaller Club

30 January 2018 |

Over at the ACM blog, there is a terrific article about software design that has direct application to network design and architecture. The problem is that once you give a monkey a club, he is going to hit you with it if you try to take it away from him. What do monkeys and clubs…