huitema

@huitema@social.secret-wg.org

Working on that Internet thing...

https://www.privateoctopus.com/about.html

mekkaokereke (@mekkaokereke@hachyderm.io), edited, to random

As we hear reports that it will take 10 years (🤯) to replace the 1.6 mile Francis Scott Key bridge in Baltimore, remember that China built the Danyang-Kunshan bridge and Qingdao Jiaozhou Bay Bridge in 4 years each.

Danyang-Kunshan Bridge is 102 miles long, and 100 ft above the water.

Jiaozhou Bay Bridge is 16 miles and 623 ft tall, earthquake and typhoon proof, and can withstand a direct strike from a 300,000 ton cargo ship. That last point is unfortunately topical.

https://m.youtube.com/watch?v=U7iQqogVmr8

huitema,

@djcapelis @bouriquet @AdeptVeritatis @mekkaokereke @UncivilServant @McBeth @hazelweakly

I don't know where the 10 years figure comes from. Near my home town is the St Nazaire bridge, at the mouth of the river Loire in France. It is larger than the Baltimore bridge, and was completed in 1975 in 3 years. If the French could build that in 3 years 50 years ago, I have a hard time believing it will take 10 years in America now.

ricmac (@ricmac@mastodon.social), to fediverse

Post from @rabble on why he's chosen to use and not and the . He makes some compelling points. Personally I am not too worried about the server admin parts of his argument (I have enough control, even if I don't control the server), but I agree that this isn't ideal:

"You can’t use a single fediverse identity with your profile and followers in Peertube, Mobilizon, WriteFreely, and Pixelfed. You need a totally separate account in each one."
https://njump.me/nevent1qqsfqlx6wpl5267tmnmmjk7v9tzunjvhzav9unc2tjn6k0w82vghprsppamhxue69uhkummnw3ezumt0d5qjxamnwvaz7tmswfhhs7fdv4u8qetjd9kk2mn59ehkuun9dejx2u3wvdhk6qg5waehxw309aex2mrp0yhxgctdw4eju6t0qy2hwumn8ghj7un9d3shjtnddaehgu3wwp6kyqgkwaehxw309aex2mrp0yhxummnw3ezucnpdejqzxrhwden5te0wfjkccte9ehx7umhdpjhyefwvdhk6q3qwmr34t36fy03m8hvgl96zl3znndyzyaqhwmwdtshwmtkg03fetaqxczx4f

huitema,

@maegul @Gargron @rabble @ricmac @simon_lucy be careful what you wish for. Another name for "mobile identity" is "universal tracking".

davemark (@davemark@mastodon.social), to tech

"I deleted keys generated by our TV for 5 straight minutes. 5 Minutes of like 200BPM clicking. I restarted. Everything worked again. I laughed so hard I cried. I felt like I'd solved a murder."

Tech people, THIS IS A GREAT FANTASTIC READ!!!

The title is, "DO NOT BUY HISENSE TV'S"

https://cohost.org/ghoulnoise/post/5286766-do-not-buy-hisense-t
#Tech #Android #TV #Debug

huitema,

@davemark This actually looks like a bug in Windows. Anything that causes the OS to fail is a bug. OK, so the TV is creating fake UUIDs each time it does a DHCP request. I don't know why HiSense does it, but it is about the only way to obtain privacy addresses and avoid DHCP tracking, so there are legit usages. Someone did not foresee the scenario and used an O(N) or maybe O(N^2) algorithm to maintain device lists, thus the stall. That's a bug.
Corrected 4/21: UPNP requests, not DHCP

huitema,

@davemark Thinking of it a bit more, this actually looks like a security bug. Random attacker brings small device to network, starts a loop of DHCP requests from random MAC and with random UUID, watch Windows 11 laptops connected to the network start stalling. I don't have the time to repro that, but it is similar to a bunch of low level attacks against OSes.
Corrected 4/21: these were UPNP notifications, not DHCP requests. No random MAC involved.

huitema,

@ljrk @davemark From the documentation, "network discovery" is set by settings/network settings/advanced network settings/advanced sharing settings. On my PC, this is enabled for "private" networks, so I think it is the default. So the main attack is, some buggy device plugged into a home network. Or, the user did voluntarily open network discovery for public networks, in which case all bets are off.
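The thread above blames a device list that degrades when notifications keep arriving with fresh UUIDs. As an added illustration, not code from the posts or from Windows, this constructed Python simulation contrasts a naive linear-scan registry with a hash-based registry under an LRU cap; the SSDP-style NOTIFY strings, the 5000 UUIDs and the cap of 256 are made-up values, and the LRU cap is one assumed mitigation, not a description of the actual fix.

```python
import re
from collections import OrderedDict

# Constructed SSDP-style NOTIFY messages (not captured traffic): every one
# carries a USN with a fresh UUID, like the TV described in the thread.
SAMPLE_NOTIFIES = [
    "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: upnp:rootdevice\r\n"
    f"USN: uuid:0000{i:04x}-aaaa-bbbb-cccc-ddddeeeeffff::upnp:rootdevice\r\n"
    "LOCATION: http://192.0.2.10:8080/desc.xml\r\n\r\n"
    for i in range(5000)
]
USN_RE = re.compile(r"^USN:\s*(uuid:[0-9a-fA-F-]+)", re.MULTILINE)

def parse_uuid(notify):
    """Return the uuid: part of the USN header, or None if absent."""
    m = USN_RE.search(notify)
    return m.group(1) if m else None

class NaiveRegistry:
    """Unbounded list with a linear duplicate check: O(N) per notification."""
    def __init__(self):
        self.devices, self.comparisons = [], 0
    def observe(self, notify):
        uid = parse_uuid(notify)
        if uid is None:
            return
        for known in self.devices:      # scans the whole list on every miss,
            self.comparisons += 1       # so N distinct UUIDs cost O(N^2)
            if known == uid:
                return
        self.devices.append(uid)

class BoundedRegistry:
    """Hash lookup plus an LRU cap (assumed mitigation): O(1), bounded memory."""
    def __init__(self, cap=256):
        self.cap, self.devices, self.evicted = cap, OrderedDict(), 0
    def observe(self, notify):
        uid = parse_uuid(notify)
        if uid is None:
            return
        if uid in self.devices:
            self.devices.move_to_end(uid)   # refresh recency, no growth
            return
        self.devices[uid] = True
        if len(self.devices) > self.cap:
            self.devices.popitem(last=False)  # drop the least recently seen
            self.evicted += 1

def replay(registry, notifies):
    for n in notifies:                  # feed every notification, return
        registry.observe(n)             # the registry for inspection
    return registry
```

With the 5000 constructed notifications the naive registry performs roughly 12.5 million comparisons and keeps every UUID, while the bounded one stays at 256 entries regardless of how long the stream runs.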

glennf (@glennf@twit.social), to random

I was unaware that some people pronounced Nike like nyk without the E sound at the end. Like some people say Porsche without the E.

huitema,

@bagder @glennf I have a tendency to say it the same way as "athena nike" -- Neekay.

mhoye (@mhoye@mastodon.social), to random

This is a remarkable graph.

You might have heard that "EV sales are slumping", "people are starting to avoid EVs", etc.

That's not what's happening.

What's happening is "Tesla is cratering so hard that it's skewing the aggregate market data."

huitema,

@peterbutler @mhoye
I don't know how they come to "excluding Tesla, 13.3%". If I do the math, the sum for all vendors except Tesla went from 92,206 to 119,467, i.e., +27,261, or +29.6%. The market share of Tesla dropped from 63.7% to 54.0%. It is probably going to drop further if the trend continues.

mattblaze (@mattblaze@federate.social), to photography

31-41 Union Square West, NYC, 2024.

All the pixels, each of which will be famous for 15 minutes, at https://www.flickr.com/photos/mattblaze/53731622110

huitema,

@mattblaze I am sure it is an optical illusion. The vertical lines, if I measure them, are parallel to the vertical edge. Yet, when I look at the picture, I have the impression that the buildings are wider on top. Any idea why?

whitequark (@whitequark@mastodon.social), to random

IEEE 802.3 having a normal one

[attached image]

huitema,

@raggi @whitequark There was recently a thread in the chat room of QUIC developers -- engineers working on a variety of QUIC implementations, big and small. "Do you implement PMTU discovery?" The most interesting answer was something like "we tried, and then we turned it off, because of rare failures that were hard to mitigate, so we just send 1280-byte packets."

bert_hubert (@bert_hubert@fosstodon.org), to random

Recently places like @SIDN (Dutch national operator of .NL) have been claiming that nobody in Europe can deliver their computer needs, and that they are therefore forced to outsource operations to American cloud providers. Meanwhile our own IT industry denies this. Here I delve into what's going on, and how Europe is being Cloud Naïve instead of Cloud Native.

https://berthub.eu/articles/posts/cloud-naive-europe-and-the-megascaler/

huitema,

@bert_hubert The Silicon Valley school of system design emphasizes "build a moat" in order to secure a monopoly, typically relying on network effects and economies of scale. For the cloud service, what is the moat? It cannot just be individual services like S3, because cheaper copies are doable. Security? Identity? Customer support? It is very hard to compete without understanding that.

huitema,

@jornfranke @bert_hubert @SIDN Bert, did you analyze the market incentives there? Suppose OVH or Hetzner come up with their own version of cloud storage, would it sell? Probably only if there is some kind of standard, as you say. But could such a standard emerge without Amazon and Microsoft? And if it did, how long before "embrace and extend"?

mnot (@mnot@techpolicy.social), to random

huitema,

@jeroen @feld @mnot If a CA is caught playing games, they will be taken out of the trust list of lots of key software and the domains will just get certs from different CA. But if a TLD plays games, the only remedy for existing domain users is to change domain names. That's why many people are uneasy, especially when it comes to ccTLD.

huitema,

@mnot The Internet is always evolving, and Geoff is right that security-by-TLS has beaten security-by-DNSSEC hands down. But then TLS credentials depend on proof-by-DNS, and thus on the security of DNS resolution. If we want to ditch DNSSEC, it would be nice to have some theory on the security of DNS resolution that does not have a circular dependency on the security of TLS.

huitema,

@jeroen @feld @mnot DANE pretty much means that the TLD managers set the policy. So we would get up to 1400 CAs, probably much less because many orgs manage multiple TLDs. Still some competition, but changing CA would require changing name, and that's a big hurdle.

huitema,

@jeroen @feld @mnot The domain operation depends on the TLD continuing to advertise the name, and neither DANE nor PKI will change that. The failure mode of DANE is if the TLD registry somehow hacks the client domain DNS data, so that a hacker (or a state agency) can intercept the domain's traffic. The domain has to "trust" the TLD management, because there is not much they can do if the TLD managers start colluding with attackers.

hrefna (@hrefna@hachyderm.io), to fediverse

The protocol as it now sits will not keep you "safe" from threads in any meaningful way.

Repeat. After. Me.

The protocol as it now sits will not keep you "safe" from threads in any meaningful way.

I don't mean as in "it will not protect from a malevolent actor" sense. I mean in an ordinary, reasonable behavior sense.

#ActivityPub not only does not have the tools for this, it makes assumptions that are fundamentally opposed to the kinds of protections that people seem to be seeking.

1/

huitema,

@hrefna Thank you for digging into these issues. I think that we are facing the classic case of a protocol built with an assumption of trust, and then used in a context in which that trust is dubious. The challenge is to retrofit the security controls required when trust is absent, and then do that without breaking the existing community.

huitema, to random

A new RFC, about "Maintaining Robust Protocols". The original draft was titled "Postel was wrong", because Martin Thomson wanted to outline that "being tolerant with what you receive" leads to protocols drifting away from the standards, to the benefit of the largest "deviant". But this was too provocative. The final text is much milder.

https://www.rfc-editor.org/rfc/rfc9413.html

bagder (@bagder@mastodon.social), to random

and in case you missed it: with the new addition of --ech, now supports 259 command line options

huitema,

@bagder @jeroen ECH does not only hide the domain name. It hides lots of metadata like the ALPN or the initial parameters of QUIC, etc. It is useful even when domain fronting is not.

huitema, to random

Ah, the American system of measurements. Speaking of past disasters in Hawaii, the New York Times uses a well known unit of large volumes: "The monthslong eruption of the volcano Kilauea on the island of Hawaii, from May to August of 2018, unleashed 320,000 Olympic-size swimming pools’ worth of lava." Of course, the depth of Olympic swimming pools is not standardized, so you are at a loss if you want to translate in cubic meters...

whitequark (@whitequark@mastodon.social), to random

python is a great and fun language to write device drivers in :D

huitema,

@whitequark Writing drivers in Python looks like fun. I once wrote an X.25 Linux driver in Pascal, and a drawing program in Cobol. All languages can be misused, if enough creativity...

huitema, to random

Question for DNS experts. Do you know of a DNS resolver software that can be configured to use a different IPv6 privacy address for each outgoing DNS query?

huitema,

@SteveBellovin This is discussed in the thread. The simplest solution is probably to have the server act as a router, and be the sole user of the IPv6 prefix. Maybe using something like prefix delegation.

joebeone (@joebeone@techpolicy.social), to random

huitema,

@enoclue @joebeone RPKI probably helps filter out bad routes, but it is also introducing its own failure mode. An incorrect RPKI entry, voluntary or not, can create its own outages. See for example:

https://therecord.media/orange-espana-outage-hacker-internet-ripe-bgp-rpki

huitema, to random

For a couple of years now, I have been working with Alain Durand at ICANN to collect statistics on DNS usage, patterns, etc. Data is updated monthly. Latest addition is a table of the concentration of DNS name servers, measured by looking at where the IP addresses of the servers are hosted. The big "winner" is of course Cloudflare, but there is also a significant correlation between being hosted by AWS or served by Akamai and having the DNS on the same network.
https://ithi.research.icann.org/graph-m9.html

huitema, to random

Reading the post-mortem published by Cloudflare after their system failure, despite all the redundancies. Two specific points caught my attention. The repair team had a hard time restoring power because the access control system was powered off. I think I had heard that before. And when the service came back up, a thundering herd issue caused them to stumble. I have definitely heard that before...

https://blog.cloudflare.com/post-mortem-on-cloudflare-control-plane-and-analytics-outage/
