It

during the last 30 years, processor speeds has increased from millions of cycles to billions - multiplied by multi-core and special mechanisms that increase the efficiency of working with ‘boring’ cores. Pentium 66 processor from 1993 contained 3.2 million transistors, which is anyway quite a value, considering they are packed into a space comparable to that of four dices - and contains one main unit. available today Xeon E5-2699v4 has 22 cores operating at nominal frequency 2....

getting grip of reality after moving is not easy in some situations. when everything is still fresh, and on the other hand - so well known :) you know obviously that stopgaps tend to last for years after they were put “just for a moment”? my december cleaning started with true horror of moving my emails server from FreeBSD 9-STABLE (just EoLed) to 11-STABLE. traditional make buildworld; make kernel KERNCONF=server; mergemaster -FiU; make installworld; reboot didn’t work, but (WTF?...

OpenSSH 7 among other things discontinued older key exchange protocols for Diffie-Hellmans group 1 (diffie-hellman-group1-sha1). we already know that it can be compromised by executing attack known as Logjam. that’s all good and nice, until you try to connect to such device using newly upgraded SSH. if your device doesn’t support DH group 1 key exchange, you need to upgrade software. if you already have software capable of doing so, it needs to be configured on the box....

i was travelling recently to US and back, essentially sitting for a 10+ hours in planes each way. i decided to invest in myself, and bought myself a gadget - my friend praised it years ago. i’m talking about active noise cancelling headphones - Bose QC35. after 10 hours of listening to music and podcasts and NOT listening to engines, people, coughing, snoring and other traditional noises during transatlantic flight… i have to say, this is technology that really makes a difference....

every two (or three, depending how desperate you are) years, in life of every CCIE and CCDE there is this looming deadline called ‘recertification’. panic is usually short lived and ends with ‘push’ - succesful recertification. in variable styles and techniques, but successful nonetheless. i had opportunity recently to execute this dance. and wise words people say, that if you loose daily connection with networking gear and technologies, you very quickly loose and forget expert level skills....

interesting blog article how to create truly free way of publishing without fear of censorship. it seems that the last reddit problem restarted discussion about free speech and crypto non-repudiation of published content. in the context of rising pressure from US to build backdoors in every equipment, maybe this is some kind of solution? if you think about it… no, actually you no longer need to do so. it was already thought out....

weekend at countryside kind of suprised me… :) so, Cisco 887VAGW+7-E-K9, a little configuration and here we are. ! chat-script gsm "" "AT!SCACT=1,1" TIMEOUT 15 "OK" ! interface Cellular0 ip address negotiated ip nat outside ip virtual-reassembly in encapsulation slip load-interval 30 dialer in-band dialer idle-timeout 300 dialer string gsm dialer-group 1 async mode interactive ! ip nat translation timeout 60 ip route 0.0.0.0 0.0.0.0 Cellular0 ! dialer-list 1 protocol ip permit !...

it’s interesting to take a look. and then a second look - as a lot of well known networks and hosts appear on those maps: SenderBase malware SenderBase spam and for general SenderBase reports, biggest threat intelligence network go here: SenderBase

google again dropped out of the internet because of failure to filter prefixes. SIDR configuration on Cisco gear is really simple - for IOS-XE, IOS-XR. if you have Juniper it takes like half a second of searching. of course configuring is one thing, visiting RIPE and cerfifying your own resources is another thing. then it’s all done. every prefix signed, and every autonomous system checking for certification data is helping. every single one....

i’m just finishing upgrading my different servers from FreeBSD 9 to FreeBSD 10.1-STABLE. …and i just realized, that my FreeBSD adventure started around 4.1 (well, i may have got older 3.4 CDs, but didn’t install it then yet). and it was 14 years ago today. it was just after i, like thousands of linux users around the world, tried to upgrade glibc libs on the fly on my beloved (at that time and today) Slackware installation....

it seems that F-35 can’t end it’s failure series. despite GAO audits, model of building military equipment for biggest army in the world didn’t change a bit since end of second world war. they’re still ordering and building things that will bring maximum revenue to military vendors and not what military customers actually need. i immediately got back to one of the articles i’ve read recently in ACM Queue - responsive enterprise: embracing the hacker way....

some time ago I changed my BIND at home to Unbound, due to the change of the default DNS server in FreeBSD (yes, I do have my own DNS server at home, and it serves all local queries). actually, I have four right now ;) back in BIND times, i used a lot of scripts to add zones containing 127.0.0.1 for domains serving ads. after switching to Unbound - i forgot about it completely....

…or who needs them anyway today? there’s interesting article written down by one of Google employees, that perfectly describes how ineffective today standard bodies are, and how less and less influence they have on the market. cisco decided to spearhead new solutions without waiting for multi-year discussions, true to the ‘good description and working code’ motto. if we wouldn’t be doing that, there would be no PVLANs, FabricPath (TRILL) but also protocols like LDP or HSRP/VRRP/GLBP....

…supports BGP and it’s already out. do you like BGP on your firewalls? i don’t. should we have the tool in hand, just in case? well, sometimes it’s handy. but going back again - do you like BGP on your firewalls? ;)

all memory and CPU related features in IPv6 world is major challenge even for modern hardware. unfortunately this is emphasized with lack of best practices followed by developers writing code. i just noticed there’s Microsoft Windows problem with IPv6 RA. it seems that actual problem is not limited only to RA, but actually - to the whole networking stack when working with link-local addresses. under Microsoft Windows code is allocating memory pretty recklessly....

don’t start your php upgrade at 2:40 in the morning. as you’ll stay awake until 5am :)

it seems that GPUs can be reasonably well tasked to handle additional work that x86 CPUs simply can’t. i’m talking about network monitoring and NetFlow processing - good reading when travelling or before sleep.

…so I decided to use youtube to find my favorite Monty Python series, Program will resume soon (quite specific Polish series - BTW, never published on DVD!). i was also able to find archive of our old polish IT magazines - Bajtek, Top Secret and Secret Service. my own archive, collected over years and protected from everyone fell prey one day to suprise ‘cleaning’ organized in the basement where it was stored....

i just got hold of interesting document. let me quote it: As remarked in this table the Windows version of TrueCrypt 7.0a deviates from the Linux version in that it fills the last 65024 bytes of the header with random values whereas the Linux version fills this with encrypted zero bytes. From the point of view of a security analysis the behavior of the Windows version is problematic. By an analysis of the decrypted header data it can’t be distinguished whether these are indeed random values or a second encryption of the master and XTS key with a back door password....

you could meet me sometimes during late night hours on Call of Duty Modern Warfare 2 multiplayer servers. now, i decided to change environment a bit and return to love of my life - flight simulators. i dusted off CD with Microprose Falcon 4.0 and i’m downloading BMS patches while reading about Allied Force (CD is already on my way from one of the Amazon warehouses). i’m still using Saitek Fly 5 but if i’ll be able to find more time to fly - there are couple of better sticks out there....

…you have to get back to good old CLI. i’m trying to export VM from very remote VMware vSphere 5.1 to OVA. unfortunately, packing 40GB is not apparently easy, as the whole process fails at different stages with error called by VMware simply timeout (yeah, kudos for brevity). so you have to enable SSH and then copy whole directory with SCP. for optimal transfer from remote location it make sense to use additional parameters: -C and -o CompressionLevel=9 to get locally fully functional and packed OVA: scp -C -o CompressionLevel=9 xyz@zdalne_IP:/vmfs/volumes/very-long-uuid-string/vm_name/\* ....

next thursday, april 11th, i’ll be visiting Warsaw University on invitation from Maciej Broniarz to have a chat about security from service provider point of view. note it will be mechnism and best practice related talk, not vendor pitch. i’ll mention blackholing as well ;) i may have some gadgets and freebies to give away - so please prepare good questions and see you there!

last CloudFlare DDoS demonstrated, that 300Gbps is no longer some magic barrier for attackers. given such throughput, you can easily drop country like Poland from Internet. of course, immediately such concepts like ‘critical infrastructure’, country financial stability come to mind. i’ll be one of the panelists of RIPE 66 meeting dedicated to BCP 38. it’s one of the things (implementing BCP38!) that you just have to do, to make sure internet is safer....

i’ve just stumbled upon this gem - it’s hard to find these days such well aggregated and summarized information.

it seems that EU has made a reasonable choice to oppose ITU’s taking control over internet. consequences of handing over real control over future of internet to entity that’s slowly sliding into oblivion and has hardly any real influence on the development of technology are not hard to imagine.

…how tightly coupled should it be? i can’t help to think about it. i’m writing this post on construction that was defended to his last days by Steve Jobs. according to his belief, only software tightly integrated with software can be effective and predictable. independently of what Steve believed, there are other examples of such thinking in the world. let’s take for an example company i work for - Cisco. most of our solutions are based on software integrated with hardware without ability to add questionable “apps” to the mix....

using our new blogging platform, i just published short piece about just announced onePK. i’m watching live discussions for over two years now about network control capabilities. i was one of those distanced guys when it comes to OpenFlow “explosion” in popularity. and as time did show - I was right. today even hardware vendors suddenly slowed down a bit and distance themselves from new standard versions, and development tempo also falls down....

i just made a short post describing a bit behavior and characteristics of new Sup720-10GE switching matrix that can be installed in Catalyst 6500 - for cisco-nsp@ folks: In old Sup720 design, the Supervisor itself is connected to the fabric using one channel. This channel is used by Hyperion ASIC to provide for bus interface, and multicast/SPAN features. Because there’s no other way to connect the uplinks on the Sup itself, the Hyperion has it’s interface also terminating the uplinks (2xGE) thus limiting effective throughput/etc....

interesting enhancement to transport traffic in HTTP sessions proposed by Google is starting to gain popularity and traction. while i don’t use Chrome browser, in Firefox starting from version 11 you can turn the protocol on (about:config -> network.http.spdy.enable=true). on the server side you should run mod_spdy if you’re running Apache server. it also makes sense to install Firefox extension signalling SPDY work. the end effect? SPDY gets the traffic faster (usually), as multiple sessions are initiated at the same time....