rozmowa KONtrolowana

I was invited by Adam Lange and Adam Haertle to share my story in the “rozmowa KONtrolowana” podcast (in Polish). I’d like to thank both of them and of course all of the participants for the invitation, leading it, questions and a nice way to spend time in a familiar, geeky environment :) now - just view/listen to it in your favorite format :)

May 16, 2021 · Łukasz Bromirski

technology is just a tool

…but tools have to be used responsibly. first of all, short disclaimer - I’d like to make it perfectly clear before we go into this long piece, that I’m a: …big fan of discussing merits of technology and technology overall. I love technology. I believe having opportunity to create networks, solutions that really connect people and give us chance to exchange information is something I could do for the rest of my life, with full focus and commitment....

December 28, 2020 · Łukasz Bromirski

scaling VPNs for remote workers

due to COVID-19 outbreak, we’ve been flooded with requests to provide assistance with deploying secure connectivity for remote workers. in some organizations number of remote workers has grown from 0 to 7000-10000 in a week. some others are serving today over 30000, and here at Cisco, we’re working mostly out of home these days (over 100k people!). thanks to help from my fellow engineers and specialists, we were able to publish following guides, related to building and scaling out VPN headends - both hardware and virtual:...

March 21, 2020 · Łukasz Bromirski

imagineers of war

ARPA, established in 1958, was first and only space agency at that time in United States. to this day it drives fantasies and is unequivocally identified with the emergence of the Internet, but did you know that ARPA (before it became DARPA in 1972) was responsible for underground nuclear testing (as seismology allowed to determine whether other countries somewhere on Earth were conducting their nuclear tests), guerilla warfare (ARPA reps travelled to and stayed in Vietnam, Thailand and Laos long before US under falsified “proofs” attacked North Vietnam), or development of machine rifle that became what is today known as M-16?...

May 14, 2018 · Łukasz Bromirski

it's hard to be a spammer

…if everyone is trying to make your life harder. couple weeks ago I refreshed my private email server on FreeBSD. for some time spam levels were rising and I had to do something about it. old spamassassin was not handling it accurately enough anymore. enter spamd from OpenBSD. current postfix has built in greylisting server that’s working quite well. for my installation I tuned it a bit, by extending period of time that has to pass from last delivery attempt (to 1200 seconds, which is 20 minutes):...

March 5, 2018 · Łukasz Bromirski

trust but verify

during one of the design discussions with one of our Customers, I had a chance to discuss a bit about using anycast to scale out delivery via CDN. unfortunately, as more ads served even on popular sites are malware or even miners for different cryptocoins it begs a question - how should you protect the site you’re maintaining? using reputable CDN is good first step. the other one, i didn’t know about (and it seems to be quite natural if you think about it) is to verify hash of the attached resources....

February 26, 2018 · Łukasz Bromirski

artificial intelligence or why it's (not) worth to invest in security

January 20, 2017 · Łukasz Bromirski

data is toxic

it’s hard to disagree with Bruce’s article. would blockchain-based solution be the best approach here for accounting? accounted access to data, accounted transactions … something must change. we can’t deal properly with data.

March 15, 2016 · Łukasz Bromirski

it's unbelievable how governments...

…resent encryption. in particular those that were caught red handed doing mass surveillance of their own and foreign citizens. it’s worth reading this article to understand how PR (written by Cameron’s speech author) is trying to turn everyone using security and encryption into those helping terrorists. it’s enough today to name somebody ’terrorist’ and suddenly every option is on the table. interrogation, wiretapping, dropping bombs or simply investigating without any specific reason is fair call....

December 5, 2015 · Łukasz Bromirski

blockchain everywhere...

interesting blog article how to create truly free way of publishing without fear of censorship. it seems that the last reddit problem restarted discussion about free speech and crypto non-repudiation of published content. in the context of rising pressure from US to build backdoors in every equipment, maybe this is some kind of solution? if you think about it… no, actually you no longer need to do so. it was already thought out....

July 16, 2015 · Łukasz Bromirski

daily "top" for spam and malware

it’s interesting to take a look. and then a second look - as a lot of well known networks and hosts appear on those maps: SenderBase malware, SenderBase spam. and for general SenderBase reports, biggest threat intelligence network, go here: SenderBase

May 13, 2015 · Łukasz Bromirski

use keys, not passwords

it’s a subject as old as the world (password-protected world, that is). i had to do some cleanup on my devices and i hit a problem with 4096 bit keys. so, just as a reference that may be helpful somewhere for someone - you import keys to Cisco IOS without any special problems:

    router#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    router(config)#ip ssh pubkey-chain
    router(conf-ssh-pubkey)#username TEST
    router(conf-ssh-pubkey-user)#key-string
    router(conf-ssh-pubkey-data)#AAAAB3NzaC1yc2EAAAADAQABAAACAQDCiLBaopUwsFb9YJNhGqVYqBajlrH
    S/zwD6/yR6N8VcRzrpqMMNCFXe1q5GMGM[...]ANWInd9GHBjTzbJWVwavxy1ooQewii8ErofZuv1l/SXSdXLzfL
    p0zMoZ0L+BNPS0j4XBS0N3t8Vl8oVixqIeG2BNTCNaDDt6hx2Q== lukasz@bromirski....

April 1, 2015 · Łukasz Bromirski

deploy SIDR

google again dropped out of the internet because of failure to filter prefixes. SIDR configuration on Cisco gear is really simple - for IOS-XE, IOS-XR. if you have Juniper it takes like half a second of searching. of course configuring is one thing, visiting RIPE and certifying your own resources is another thing. then it’s all done. every prefix signed, and every autonomous system checking for certification data is helping. every single one....

March 15, 2015 · Łukasz Bromirski

christmas cleaning part 1

it seems that F-35 can’t end its failure series. despite GAO audits, model of building military equipment for biggest army in the world didn’t change a bit since end of second world war. they’re still ordering and building things that will bring maximum revenue to military vendors and not what military customers actually need. i immediately got back to one of the articles i’ve read recently in ACM Queue - responsive enterprise: embracing the hacker way....

December 27, 2014 · Łukasz Bromirski

canvas fingerprinting... and unbound

some time ago I changed my BIND at home to Unbound, due to the change of the default DNS server in FreeBSD (yes, I do have my own DNS server at home, and it serves all local queries). actually, I have four right now ;) back in BIND times, i used a lot of scripts to add zones containing 127.0.0.1 for domains serving ads. after switching to Unbound - i forgot about it completely....

July 24, 2014 · Łukasz Bromirski

ASA 9.2(1)

…supports BGP and it’s already out. do you like BGP on your firewalls? i don’t. should we have the tool in hand, just in case? well, sometimes it’s handy. but going back again - do you like BGP on your firewalls? ;)

April 27, 2014 · Łukasz Bromirski

some weekend reading...

in 2002 it was calculated that to reach closest star (Proxima Centauri), multigenerational crew would need to start with at least 150 to 180 men and women. latest simulations show however, that to guarantee gen variance you’d need to take between 10000 and 40000 people onboard. it would be interesting to see how those plans will end up - we will stay on Earth until Sun burns out, we’ll kill each other or maybe we’ll start finally intergalactic travels?...

April 5, 2014 · Łukasz Bromirski

ipv6... once again in bad spotlight

all memory and CPU related features in IPv6 world are a major challenge even for modern hardware. unfortunately this is emphasized with lack of best practices followed by developers writing code. i just noticed there’s Microsoft Windows problem with IPv6 RA. it seems that actual problem is not limited only to RA, but actually - to the whole networking stack when working with link-local addresses. under Microsoft Windows code is allocating memory pretty recklessly....

April 1, 2014 · Łukasz Bromirski

just bunch of posts to read...

Jennifer Lawrence phenomenon (i can’t quite get Hunger Games popularity, but i love Silver Linings Playbook), how you should do proper conference badges (oh yeah, we’re learning!), Department of Defense outsources to private company management of their own images and movies archive for 10 years, RSA accepted 10M$ of bribe from NSA to promote weaker encryption algorithm and last but not least - DARPA vision of autonomic SkyNet network from eighties....

December 23, 2013 · Łukasz Bromirski

there's nothing interesting in TV...

…so I decided to use youtube to find my favorite Monty Python series, Program will resume soon (quite specific Polish series - BTW, never published on DVD!). i was also able to find archive of our old polish IT magazines - Bajtek, Top Secret and Secret Service. my own archive, collected over years and protected from everyone fell prey one day to surprise ‘cleaning’ organized in the basement where it was stored....

November 3, 2013 · Łukasz Bromirski

truecrypt... and NSA?

i just got hold of interesting document. let me quote it: As remarked in this table the Windows version of TrueCrypt 7.0a deviates from the Linux version in that it fills the last 65024 bytes of the header with random values whereas the Linux version fills this with encrypted zero bytes. From the point of view of a security analysis the behavior of the Windows version is problematic. By an analysis of the decrypted header data it can’t be distinguished whether these are indeed random values or a second encryption of the master and XTS key with a back door password....

October 19, 2013 · Łukasz Bromirski

polish assembly hall and security

on the upcoming thursday, 10th of october at 7pm i’ll do a short talk with Maciej Broniarz from Warsaw University about security from not-so-typical point of view. please register and see you in Leon Koźmiński Academy hall.

October 6, 2013 · Łukasz Bromirski

Aegis at UW

Maciej Broniarz invited us to take part in new security focused conference. Aegis (just like Aegis - American integrated naval weapons system) will take place on 2nd and 3rd July at University of Warsaw. i hope that most of you will decide to take part in it, as judging from agenda. together with Maciej we’d like to also have a panel on DDoS attacks, and then we’ll deliver session together - ‘security by duct tape’....

June 19, 2013 · Łukasz Bromirski

IP network security

next thursday, april 11th, i’ll be visiting Warsaw University on invitation from Maciej Broniarz to have a chat about security from service provider point of view. note it will be mechanism and best practice related talk, not vendor pitch. i’ll mention blackholing as well ;) i may have some gadgets and freebies to give away - so please prepare good questions and see you there!

April 3, 2013 · Łukasz Bromirski

DDoSes

last CloudFlare DDoS demonstrated, that 300Gbps is no longer some magic barrier for attackers. given such throughput, you can easily drop country like Poland from Internet. of course, immediately such concepts like ‘critical infrastructure’, country financial stability come to mind. i’ll be one of the panelists of RIPE 66 meeting dedicated to BCP 38. it’s one of the things (implementing BCP38!) that you just have to do, to make sure internet is safer....

March 28, 2013 · Łukasz Bromirski

Cisco SECURE - 22/23 november

we’re back with Cisco security focused conference in the fall. during Cisco SECURE 2012 we’ll try to demonstrate to you the whole security architecture. during two full days of presentations, we’ll try to showcase for you all interesting bits and pieces from our portfolio. we already have agenda up, and i’ll be happy to present alongside Gaweł our security solutions for cloud and data centers - including CSR 1000v, ASAv and other interesting products....

September 23, 2012 · Łukasz Bromirski

network neutrality?

i highly recommend this article from Wired. while we have to live with situation where such wealthy people like Kaspersky himself can influence ITU decisions, we still can stand up and work to make internet free and independent. it’s kind of naive of course, but consequences of having too much money and power - frighten me again every day.

July 23, 2012 · Łukasz Bromirski

SOPA, PIPA and others...

if you visit Western portals or if you look into English-language wikipedia from time to time, you have noticed a significant protest happening today against the two legal acts US advocates want to introduce. the way it unfolds, leads to strong belief controlling everything and everything (due to - of course - money) is true goal. it presents interesting point of view in a discussion on cloud technologies and their real application - take a look here to get some feeling about scale of the games happening at an international level....

January 18, 2012 · Łukasz Bromirski

net neutrality

there’s a lot of discussions around the net neutrality, as obviously the subject is currently still pretty hot. from the one side we have enormous amount of money from advertising business, spent in interesting, devious and - tempting way. from the other side, we have the ideal information society, in which all information is free from filtering, and available for all willing to read. we point to China, Iran or Saudi Arabia as bad examples, filtering all that their citizens can view using the Internet - but we all use google....

December 13, 2011 · Łukasz Bromirski

this is not the vulnerability you are looking for...

IPsec code in OpenBSD is source of constant discussions. it seems there’s no reason to panic (and OpenBSD penetration is anyway minimal), but there’s a lot of interesting discussions and rumours around code itself and its origin. in particular i’d recommend to read this short piece (and this tweet) with code references. they demonstrate for the n-th time, that OpenBSD team, and in particular Theo is really building creative marketing and at the same time patching bugs silently without disclosing them....

January 16, 2011 · Łukasz Bromirski