huitema

@huitema@social.secret-wg.org

Working on that Internet thing...

https://www.privateoctopus.com/about.html

mattblaze, to photography
@mattblaze@federate.social

31-41 Union Square West, NYC, 2024.

All the pixels, each of which will be famous for 15 minutes, at https://www.flickr.com/photos/mattblaze/53731622110

huitema,
@huitema@social.secret-wg.org

@mattblaze I am sure it is an optical illusion. The vertical lines, if I measure them, are parallel to the vertical edge. Yet, when I look at the picture, I have the impression that the buildings are wider on top. Any idea why?

joebeone, to random
@joebeone@techpolicy.social
huitema,
@huitema@social.secret-wg.org

@enoclue @joebeone RPKI probably helps filter out bad routes, but it is also introducing its own failure mode. An incorrect RPKI entry, voluntary or not, can create its own outages. See for example:

https://therecord.media/orange-espana-outage-hacker-internet-ripe-bgp-rpki

huitema, to random
@huitema@social.secret-wg.org

Question for DNS experts. Do you know of a DNS resolver software that can be configured to use a different IPv6 privacy address for each outgoing DNS query?

huitema,
@huitema@social.secret-wg.org

@SteveBellovin This is discussed in the thread. The simplest solution is probably to have the server act as a router, and be the sole user of the IPv6 prefix. Maybe using something like prefix delegation.

bert_hubert, to random
@bert_hubert@fosstodon.org

Recently places like @SIDN (Dutch national operator of .NL) have been claiming that nobody in Europe can deliver their computer needs, and that they are therefore forced to outsource operations to American cloud providers. Meanwhile our own IT industry denies this. Here I delve into what's going on, and how Europe is being Cloud Naïve instead of Cloud Native.

https://berthub.eu/articles/posts/cloud-naive-europe-and-the-megascaler/

huitema,
@huitema@social.secret-wg.org

@bert_hubert The Silicon Valley school of system design emphasizes "build a moat" in order to secure a monopoly, typically relying on network effects and economies of scale. For the cloud service, what is the moat? It cannot just be individual services like S3, because cheaper copies are doable. Security? Identity? Customer support? It is very hard to compete without understanding that.

huitema,
@huitema@social.secret-wg.org

@jornfranke @bert_hubert @SIDN Bert, did you analyze the market incentives there? Suppose OVH or Hetzner come up with their own version of cloud storage, would it sell? Probably only if there is some kind of standard, as you say. But could such a standard emerge without Amazon and Microsoft? And if it did, how long before "embrace and extend"?

whitequark, to random
@whitequark@mastodon.social

IEEE 802.3 having a normal one

huitema,
@huitema@social.secret-wg.org

@raggi @whitequark There was recently a thread in the chat room of QUIC developers -- engineers working on a variety of QUIC implementations, big and small. "Do you implement PMTU discovery?" The most interesting answer was something like "we tried, and then we turned it off, because of rare failures that were hard to mitigate, so we just send 1280-byte packets."

davemark, to tech
@davemark@mastodon.social

"I deleted keys generated by our TV for 5 straight minutes. 5 Minutes of like 200BPM clicking. I restarted. Everything worked again. I laughed so hard I cried. I felt like I'd solved a murder."

Tech people, THIS IS A GREAT FANTASTIC READ!!!

The title is, "DO NOT BUY HISENSE TV'S"

https://cohost.org/ghoulnoise/post/5286766-do-not-buy-hisense-t

huitema,
@huitema@social.secret-wg.org

@davemark Thinking of it a bit more, this actually looks like a security bug. Random attacker brings a small device to the network, starts a loop of DHCP requests from random MACs and with random UUIDs, and watches the Windows 11 laptops connected to the network start stalling. I don't have the time to repro that, but it is similar to a bunch of low level attacks against OSes.
Corrected 4/21: these were UPNP notifications, not DHCP requests. No random MAC involved.

huitema,
@huitema@social.secret-wg.org

@ljrk @davemark From the documentation, "network discovery" is set by settings/network settings/advanced network settings/advanced sharing settings. On my PC, this is enabled for "private" networks, so I think it is the default. So the main attack is some buggy device plugged into a home network. Or, the user did voluntarily open network discovery for public networks, in which case all bets are off.

huitema,
@huitema@social.secret-wg.org

@davemark This actually looks like a bug in Windows. Anything that causes the OS to fail is a bug. OK, so the TV is creating fake UUIDs each time it does a DHCP request. I don't know why HiSense does it, but it is about the only way to obtain privacy addresses and avoid DHCP tracking, so there are legit usages. Someone did not foresee the scenario and used an O(N) or maybe O(N^2) algorithm to maintain device lists, thus the stall. That's a bug.
Corrected 4/21: UPNP requests, not DHCP

bagder, to random
@bagder@mastodon.social

and in case you missed it: with the new addition of --ech, now supports 259 command line options

huitema,
@huitema@social.secret-wg.org

@bagder @jeroen ECH does not only hide the domain name. It hides lots of metadata like the ALPN or the initial parameters of QUIC, etc. It is useful even when domain fronting is not.

ricmac, to fediverse
@ricmac@mastodon.social

Post from @rabble on why he's chosen to use and not and the . He makes some compelling points. Personally I am not too worried about the server admin parts of his argument (I have enough control, even if I don't control the server), but I agree that this isn't ideal:

"You can’t use a single fediverse identity with your profile and followers in Peertube, Mobilizon, WriteFreely, and Pixelfed. You need a totally separate account in each one."
https://njump.me/nevent1qqsfqlx6wpl5267tmnmmjk7v9tzunjvhzav9unc2tjn6k0w82vghprsppamhxue69uhkummnw3ezumt0d5qjxamnwvaz7tmswfhhs7fdv4u8qetjd9kk2mn59ehkuun9dejx2u3wvdhk6qg5waehxw309aex2mrp0yhxgctdw4eju6t0qy2hwumn8ghj7un9d3shjtnddaehgu3wwp6kyqgkwaehxw309aex2mrp0yhxummnw3ezucnpdejqzxrhwden5te0wfjkccte9ehx7umhdpjhyefwvdhk6q3qwmr34t36fy03m8hvgl96zl3znndyzyaqhwmwdtshwmtkg03fetaqxczx4f

huitema,
@huitema@social.secret-wg.org

@maegul @Gargron @rabble @ricmac @simon_lucy be careful what you wish for. Another name for "mobile identity" is "universal tracking".

hrefna, to fediverse
@hrefna@hachyderm.io

The protocol as it now sits will not keep you "safe" from threads in any meaningful way.

Repeat. After. Me.

The protocol as it now sits will not keep you "safe" from threads in any meaningful way.

I don't mean as in "it will not protect from a malevolent actor" sense. I mean in an ordinary, reasonable behavior sense.

not only does not have the tools for this, it makes assumptions that are fundamentally opposed to the kinds of protections that people seem to be seeking.

1/

huitema,
@huitema@social.secret-wg.org

@hrefna Thank you for digging into these issues. I think that we are facing the classic case of a protocol built with an assumption of trust, and then used in a context in which that trust is dubious. The challenge is to retrofit the security controls required when trust is absent, and then do that without breaking the existing community.

glennf, to random
@glennf@twit.social

I’m incapable of adequately conveying just how many crows are in this neighborhood.

huitema, to random
@huitema@social.secret-wg.org

Dave Mills was a great contributor to the IETF and the Internet. Of course, he invented NTP. But he did not just do that. He also kept improving it, solving issues, passing his knowledge, and inspiring many to work in his field. So many reasons to miss him.

https://en.wikipedia.org/wiki/David_L._Mills

huitema, to random
@huitema@social.secret-wg.org

Kudos to Marten Seemann for discovering the first DoS vulnerability in QUIC: attackers could send a series of PATH_CHALLENGE frames to force the server to queue large numbers of PATH_RESPONSE frames, leading to memory exhaustion if the return path does not have enough congestion control credits. It turns out that many implementations (including picoquic) had foreseen the issue and limit the number of pending challenges, but that's in theory a violation of the standard.

https://seemann.io/posts/2023-12-18-exploiting-quics-path-validation/
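The bounded queue of pending PATH_RESPONSE frames that the post describes, as an added Python simulation (not picoquic's code, not from the linked write-up); the cap of four pending responses and the byte-counted congestion credit are assumptions for the demo, the 0x1b frame type is RFC 9000's PATH_RESPONSE type:

```python
"""Bounded PATH_RESPONSE queue: constructed simulation of the mitigation above.
Assumptions: PATH_CHALLENGE carries 8 bytes; the server may only send a frame
while it has congestion credit for it; the cap below is an illustrative value.
"""
from collections import deque

CHALLENGE_LEN = 8
PATH_RESPONSE_TYPE = b"\x1b"   # RFC 9000 frame type for PATH_RESPONSE
MAX_PENDING_RESPONSES = 4      # assumed cap; implementations pick their own


class PathValidator:
    """Tracks challenge payloads received and responses not yet sent."""

    def __init__(self, max_pending=MAX_PENDING_RESPONSES):
        self.max_pending = max_pending
        self.pending = deque()   # challenge data awaiting a PATH_RESPONSE
        self.dropped = 0         # challenges discarded because the queue was full

    def on_path_challenge(self, data: bytes) -> None:
        if len(data) != CHALLENGE_LEN:
            raise ValueError("PATH_CHALLENGE carries exactly 8 bytes")
        if len(self.pending) >= self.max_pending:
            # Queue is full: forget the oldest challenge instead of growing.
            # The peer can re-challenge; memory stays bounded under a flood.
            self.pending.popleft()
            self.dropped += 1
        self.pending.append(data)

    def flush(self, credit_bytes: int) -> list:
        """Emit PATH_RESPONSE frames (1 type byte + 8 data bytes) while credit allows."""
        frames = []
        while self.pending and credit_bytes >= 1 + CHALLENGE_LEN:
            frames.append(PATH_RESPONSE_TYPE + self.pending.popleft())
            credit_bytes -= 1 + CHALLENGE_LEN
        return frames


def simulate_flood(n_challenges: int, credit_bytes: int = 0,
                   max_pending: int = MAX_PENDING_RESPONSES) -> tuple:
    """Receive n challenges, then flush with the given credit.

    Returns (responses still queued, challenges dropped, responses sent).
    With credit 0 the unbounded variant keeps every challenge in memory.
    """
    v = PathValidator(max_pending)
    for i in range(n_challenges):
        v.on_path_challenge(i.to_bytes(CHALLENGE_LEN, "big"))
    sent = v.flush(credit_bytes)
    return len(v.pending), v.dropped, len(sent)
```

Calling `simulate_flood(1000, 0, 10**9)` shows the uncapped behaviour (1000 responses queued with no credit to send them), while the capped default keeps four.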

nyquildotorg, to random
@nyquildotorg@fedia.social

GM Says It's Dropping Apple CarPlay And Android Auto Because They're Unsafe

I can't bring myself to disagree with this. I've been a longtime Android Auto user and on many, many occasions I've thought to myself "ok, this is a bad idea," as I find myself fiddling with shit at a stop sign trying to get my music to play or to get my phone to reconnect or whatever.

huitema,
@huitema@social.secret-wg.org

@nyquildotorg GM says they do that because they do not want to encourage cellphone use when driving. Maybe. But they are also developing systems like OnStar that keep tracking cars and drivers, and then contracting with Google to install entertainment apps. Feels a lot like "we want to keep all the tracking data for GM, and monetize it ourselves."

huitema, to random
@huitema@social.secret-wg.org

I got carried away when discussing a proposal to revive IPv6 packet fragmentation on the IETF IPv6 mailing list, posting more and more details about QUIC performance and why fragmentation would not help. So I finally collected these arguments into a presentation of what we did to improve the performance of QUIC implementations, and wrote them up in a new blog post:
https://www.privateoctopus.com/2023/12/12/quic-performance.html

SystemsAppr, to random
@SystemsAppr@discuss.systems

The end of year is a popular time to make tech predictions, but rather than making new ones, we looked back at some old ones from 1995. The details are in our latest newsletter https://open.substack.com/pub/systemsapproach/p/outrageous-opinions?r=cxpek&utm_campaign=post&utm_medium=web 1/n

huitema,
@huitema@social.secret-wg.org

@SteveBellovin @dave_andersen @danmcd @SystemsAppr On the jitter part -- very fast may not have been easy, but it was very clear that the Internet was getting faster quicker. The rule of thumb was that various QOS tricks allowed you to carry 20% more load with the same jitter, but that if capacity doubled every year it really did not matter.

huitema, to random
@huitema@social.secret-wg.org

For a couple of years now, I have been working with Alain Durand at ICANN to collect statistics on DNS usage, patterns, etc. Data is updated monthly. The latest addition is a table of the concentration of DNS name servers, measured by looking at where the IP addresses of the servers are hosted. The big "winner" is of course Cloudflare, but there is also a significant correlation between being hosted by AWS or served by Akamai and having the DNS on the same network.
https://ithi.research.icann.org/graph-m9.html

huitema, to random
@huitema@social.secret-wg.org

Reading the post-mortem published by Cloudflare after their system failure, despite all the redundancies. Two specific points caught my attention. The repair team had a hard time restoring power because the access control system was powered off. I think I had heard that before. And when the service came back up, a thundering herd issue caused them to stumble. I have definitely heard that before...

https://blog.cloudflare.com/post-mortem-on-cloudflare-control-plane-and-analytics-outage/

huitema, to random
@huitema@social.secret-wg.org

For those who are watching the slow decline of crypto, time for popcorn, maybe...
https://www.wired.com/story/us-treasury-crypto-mixer-hamas/

huitema, to random
@huitema@social.secret-wg.org

Ah, the American system of measurements. Speaking of past disasters in Hawaii, the New York Times uses a well known unit of large volumes: "The monthslong eruption of the volcano Kilauea on the island of Hawaii, from May to August of 2018, unleashed 320,000 Olympic-size swimming pools’ worth of lava." Of course, the depth of Olympic swimming pools is not standardized, so you are at a loss if you want to translate into cubic meters...

huitema, to random
@huitema@social.secret-wg.org

A new RFC, about "Maintaining Robust Protocols". The original draft was titled "Postel was wrong", because Martin Thomson wanted to outline that "being tolerant with what you receive" leads to protocols drifting away from the standards, to the benefit of the largest "deviant". But this was too provocative. The final text is much milder.

https://www.rfc-editor.org/rfc/rfc9413.html

b0rk, to random
@b0rk@jvns.ca

one final computer history question: why are Intel processors little endian? Why were some other processors big endian?

Mostly interested in pre-1980 reasons (before the internet)

I'd love citations / links if possible -- I got a lot of guesses and speculation in replies to the last computer history question.

huitema,
@huitema@social.secret-wg.org

@adamshostack @b0rk Danny Cohen's paper tells it all. CPUs and languages can be either big endian (IBM 360, English), little endian (Intel 8086, Arabic) or baroque (PDP-11, German). For networking standards, you have to pick just one, you certainly don't want baroque, and thus "network order" is "big endian". And of course the name picked by Danny Cohen is based on Gulliver's Travels by Jonathan Swift, and refers to ways of eating eggs...
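The three layouts the reply names, as an added Python example (not Danny Cohen's or the page's code); the PDP-11 "baroque" order is taken as the classic 32-bit layout of high 16-bit word first with each word stored little-endian, and `struct`'s `!` prefix stands in for "network order":

```python
"""Big, little and PDP-11 middle-endian layouts of a 32-bit value.
Constructed example; 'pdp' follows the usual PDP-11 long-word convention
(0x0A0B0C0D stored as 0B 0A 0D 0C)."""
import struct


def to_order(value: int, order: str) -> bytes:
    """Encode a 32-bit unsigned value in the requested byte order."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("32-bit unsigned only")
    if order == "big":
        return value.to_bytes(4, "big")
    if order == "little":
        return value.to_bytes(4, "little")
    if order == "pdp":
        # High 16-bit word first, each word little-endian within itself.
        hi, lo = value >> 16, value & 0xFFFF
        return hi.to_bytes(2, "little") + lo.to_bytes(2, "little")
    raise ValueError(f"unknown order {order!r}")


def from_order(data: bytes, order: str) -> int:
    """Inverse of to_order; parse 4 bytes written in the given order."""
    if len(data) != 4:
        raise ValueError("need exactly 4 bytes")
    if order == "big":
        return int.from_bytes(data, "big")
    if order == "little":
        return int.from_bytes(data, "little")
    if order == "pdp":
        hi = int.from_bytes(data[0:2], "little")
        lo = int.from_bytes(data[2:4], "little")
        return (hi << 16) | lo
    raise ValueError(f"unknown order {order!r}")


def network_order_is_big_endian(value: int) -> bool:
    """struct's '!' (network) prefix emits the big-endian layout."""
    return struct.pack("!I", value) == to_order(value, "big")
```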
