The Overoptimization Meltdown

15 January 2018

In simple terms, Meltdown and Spectre are simple vulnerabilities to understand. Imagine a gang of thieves waiting for a stagecoach carrying a month’s worth of payroll. There are two roads the coach could take, and a fork, or a branch, where the driver decides which one to take. The driver could take either…

Meltdown and Spectre (Updated)

4 January 2018

Replaced by this page.

Several on KRACK

26 October 2017

Three articles of interest on the new WiFi KRACK— This is not a crypto bug but a protocol bug (a pretty obvious and trivial protocol bug). When a client connects to the network, the access-point will at some point send a random “key” data to use for encryption. Because this packet may be lost in…

OneLogin and Password Managers

6 June 2017

An interesting incident this last week brings password managers back to the front of the pile— OneLogin, an online service that lets users manage logins to sites and apps from a single platform, says it has suffered a security breach in which customer data was compromised, including the ability to decrypt encrypted data. —Krebs on…

Reading List: WannaCry and Ransomware

24 May 2017

A good bit has been written about the recent WannaCry outbreak over the last few weeks; rather than stringing the best out through Worth Reading posts, I have collected the three best posts on the topic here. There are a number of takeaways and lessons to learn from the far-reaching attack that we witnessed. Let…

Notes on the FCC and Privacy in the US

11 April 2017

I’ve been reading a lot recently about the repeal of the rules putting the FCC in charge of privacy for access providers in the US, a lot of it rising to the level of hysteria and “the end is near.” As you have probably been reading these stories, as well, I thought it worthwhile to…

Distributed Denial of Service Open Threat Signaling (DOTS)

3 April 2017

When the inevitable 2AM call happens—“our network is under attack”—what do you do? After running through the OODA loop (1, 2, 3, 4), you have used communities to distribute the attack as much as possible, mitigated the attack where possible, and now you realize there is little you can do locally. What now? You need to wander out…

Don’t Leave Features Lying Around

27 March 2017

Many years ago, when multicast was still a “thing” everyone expected to spread throughout the Internet itself, a lot of work went into specifying not only IP multicast control planes, but also IP multicast control planes for interdomain use (between autonomous systems). BGP was modified to support IP multicast, for instance, in order to connect…

Into the Gray Zone: Considering Active Defense

28 February 2017

Most engineers focus on purely technical mechanisms for defending against various kinds of cyber attacks, including “the old magic bullet,” the firewall. The game of cannons and walls is over, however, and the cannons have won; those who depend on walls are in for a shocking future. What is the proper response, then? What…

Reaction; Do we really need a new Internet?

20 February 2017

The other day several of us were gathered in a conference room on the 17th floor of the LinkedIn building in San Francisco, looking out of the windows as we discussed various technical matters. All around us, there were new buildings under construction, with that tall towering crane anchored to the building in several…