Pull to refresh

Admin

Show first
Rating limit

Eliminating opportunities for traffic hijacking

Qrator Labs corporate blog Information Security *Network technologies *IT Standards *

Beautiful scheme for BGP connection to Qrator filtering network

A little historical overview


  • BGP hijacks — when an ISP originates an advertisement of address space that does not belong to it;
  • BGP route leaks — when an ISP advertises prefixes received from one provider or peer to another provider or peer.

This week it has been 11 years since the memorable YouTube BGP incident, provoked by the global propagation of a more specific prefix announce, originated by the Pakistan Telecom, leading to an almost 2 hour in duration traffic disruption in the form of redirecting traffic from legitimate path to the bogus one. We could guess if that event was intentional, and even a correct answer wouldn’t help us completely prevent such incidents from happening today. While you read this, a route leak or a hijack is spreading over the networks. Why? Because BGP is not easy, and configuring a correct and secure setup is even harder (yet).

In these eleven years, BGP hijacking became quite damaging attack vector due to the BGP emplacement in the architecture of modern internet. Thanks to BGP, routers not only acquire peer information, and therefore all the Internet routes — they are able of calculating the best path for traffic to its destination through many intermediate (transit) networks, each representing an individual AS. A single AS is just a group of IPv4 and/or IPv6 networks operating under a single external routing policy.
Read more →
Total votes 18: ↑18 and ↓0 +18
Views 3.8K
Comments 0

Pentesting Azure  — Thoughts on Security in Cloud Computing

Microsoft corporate blog Cloud computing *Microsoft Azure *Reading room Cloud services *
A few months ago I worked with a customer on how a team should evaluate the security of their Azure implementation. I had never done a pentest(extensive security testing)on an Azure application before, so these ideas were just the thoughts off of the top of my head at that time based on my experience in security.

Matt Burrough’s book, Pentesting Azure Applications, goes even deeper and it is a must-read for security experts focused in Cloud Computing, I’m reading it right now.

Below I share with you these pre-book thoughts, and will compare them in a future article with the ones I will learn — or confirm — after reading Matt's book.

Read more →
Total votes 14: ↑13 and ↓1 +12
Views 1.2K
Comments 0

You Do Not Need Blockchain: Eight Well-Known Use Cases And Why They Do Not Work

Ростелеком-Солар corporate blog Decentralized networks *Information Security *Business Models *IOT

image


People are resorting to blockchain for all kinds of reasons these days. Ever since I started doing smart contract security audits in mid-2017, I’ve seen it all. A special category of cases is ‘blockchain use’ that seems logical and beneficial, but actually contains a problem that then spreads from one startup to another. I am going to give some examples of such problems and ineffective solutions so that you (developer/customer/investor) know what to do when somebody offers you to use blockchain this way.


Disclaimers


  • The described use cases and problems occur at the initial stage. I am not saying these problems are impossible to solve. However, it is important to understand which solutions system creators offer for particular problems.
  • Even though the term ‘blockchain use’ looks strange and I am not sure that blockchain can be used for anything other than money (Bitcoin), I am going to use it without quotes.

1. Supply chain management


Let’s say you ordered some goods, and a carrier guarantees to maintain certain transportation conditions, such as keeping your goods cold. A proposed solution is to install a sensor in a truck that will monitor fridge temperature and regularly transmit the data to the blockchain. This way, you can make sure that the promised conditions are met along the entire route.

Read more →
Total votes 24: ↑23 and ↓1 +22
Views 3.4K
Comments 0

Choosing true wireless earbuds: 6 months later…

Wireless technologies *Gadgets
Translation


Once I put on true wireless headphones and all the cables after that (even if it's a flexible headband on a “wireless” headset), became annoying. So I’ve tried a lot of AirPods-like earbuds in order to find the best ones. In 2018 aside from the AirPods themselves I tried: Jabra Elite 65+, Samsung IconX 2018 and Sony WF-1000X. The result was a neat table with all the objective data. Everything else — my personal opinion — let's discuss in the comments.
Total votes 28: ↑27 and ↓1 +26
Views 5.6K
Comments 6

Introduce Static Analysis in the Process, Don't Just Search for Bugs with It

IT systems testing *Java *DevOps *
This article is an authorized translation of the original post. The translation was made with the kind help of the guys from PVS-Studio. Thank you, guys!

What encouraged me to write this article is considerable quantity of materials on static analysis, which recently has been increasingly coming up. Firstly, this is a blog of PVS-Studio, which actively promotes itself on Habr posting reviews of errors, found by their tool in open source projects. PVS-Studio has recently implemented Java support, and, of course, developers from IntelliJ IDEA, whose built-in analyzer is probably the most advanced for Java today, could not stay away.

When reading these reviews, I get a feeling that we are talking about a magic elixir: click the button, and here it is — the list of defects right in front of your eyes. It seems that as analyzers get more advanced, more and more bugs will be found, and products, scanned by these robots, will become better and better without any effort on our part.

Well, but there are no magic elixirs. I would like to talk about what is usually not spoken in posts like «here are things that our robot can find»: what analyzers are not able to do, what's their real part and place in the process of software delivery, and how to implement the analysis properly.


Ratchet (source: Wikipedia).
Read more →
Total votes 32: ↑31 and ↓1 +30
Views 4.8K
Comments 0

Flightradar24 — how does it work?

Network technologies *Computer hardware DIY Systems engineering *
I’m going to hazard a guess and say that everyone whose friends or family have ever flown on a plane, have used Flightradar24 — a free and convenient service for tracking flights in real time.



But, if my friends are any indication, very few people know that the service is community-driven and is supported by a group of enthusiasts gathering and sending data. Even fewer people know that anyone can join the project — including you.

Let’s see how Flightradar and similar other services works.
Read more →
Total votes 80: ↑79 and ↓1 +78
Views 119K
Comments 13

6 Applications for the Industrial IoT

Wireless technologies *Cloud services *IOT
“Come on, baby, what’s wrong? Tell me what you need,” my uncle Nicholas was shredding up his old car’s engine, which totally refused to start. Being a schoolboy back then, I was absolutely sure that any exhortation my uncle voiced was powerless against a dumb ton of metal. Talking to a car was just a psychological trick that probably helped my uncle cope with exasperation. Moreover, neither me nor my uncle believed in a possibility to communicate with “dead metal” sometime in the near future. That was in the mid-1980s. When I reached the age of my uncle, the situation changed radically.
Read more →
Total votes 24: ↑23 and ↓1 +22
Views 1.9K
Comments 0

Building a Private Currency Service Using Exonum

Bitfury Group corporate blog Development for e-commerce *Distributed systems *Finance in IT
Zero-knowledge proofs/arguments are an emerging cryptographic technology that promises to bring us closer to the Holy Grail of blockchain: providing data privacy and auditability.

Potential applications for zero-knowledge include, but are not limited to:


Another application for zero-knowledge proofs is helping blockchains scale. ZKPs allow for the “compressing” of computations for blockchain transactions without sacrificing security.

In this article, we describe how zero-knowledge (specifically, Bulletproofs) can be applied to build a privacy-focused service using Bitfury’s Exonum platform.

Read more →
Total votes 28: ↑28 and ↓0 +28
Views 1.1K
Comments 1

Internet Issues & Availability Report 2018–2019

Qrator Labs corporate blog Information Security *Network technologies *
image

While working on the annual report this year we have decided to avoid retelling the news headlines of the previous year and, though it is almost impossible to ignore memories absolutely, we want to share with you the result of a clear thought and a strategic view to the point where we all are going to arrive in the nearest time — the present.

Leaving introduction words behind, here are our key findings:

  • Average DDoS attack duration dropped to 2.5 hours;
  • During 2018, the capability appeared for attacks at hundreds of gigabits-per-second within a country or region, bringing us to the verge of “quantum theory of bandwidth relativity”;
  • The frequency of DDoS attacks continues to grow;
  • The continuing growth of HTTPS-enabled (SSL) attacks;
  • PC is dead: most of the legitimate traffic today comes from smartphones, which is a challenge for DDoS actors today and would be the next challenge for DDoS mitigation companies;
  • BGP finally became an attack vector, 2 years later than we expected;
  • DNS manipulation has become the most damaging attack vector;
  • Other new amplification vectors are possible, like memcached & CoAP;
  • There are no more “safe industries” that are invulnerable to cyberattacks of any kind.

In this article we have tried to cherry-pick all the most interesting parts of our report, though if you would like read the full version in English, the PDF is available.
Read more →
Total votes 27: ↑25 and ↓2 +23
Views 1.3K
Comments 0

How does a barcode work?

Python *Programming *Algorithms *Popular science Systems engineering *
Hi all!

Every person is using barcodes nowadays, mostly without noticing this. When we are buying the groceries in the store, their identifiers are getting from barcodes. Its also the same with goods in the warehouses, postal parcels and so on. But not so many people actually know, how it works.

What is 'inside' the barcode, and what is encoded on this image?



Lets figure it out, and also lets write our own bar decoder.
Read more →
Total votes 27: ↑25 and ↓2 +23
Views 12K
Comments 0

How to prevent targeted cyber attacks? 10 best network sandboxes

ROI4CIO corporate blog Information Security *Antivirus protection *Virtualization *Cloud services *


Targeted attacks are the most dangerous among the multitude of modern cyber threats. They are also known as ATP (an abbreviation which stands for Advanced Persistent Threat). Those are not viruses that can accidentally get into the computer due to user's carelessness. Neither it is an attempt to replace the address of a popular site in order to cheat billing information from credulous users. Targeted cyber attacks are prepared and thought out carefully and pose a particular threat.
Read more →
Total votes 17: ↑17 and ↓0 +17
Views 2.6K
Comments 0

Open Source developer's life in GIFs

Сбер corporate blog Open source *Apache *Open data *
Sberbank is the largest bank in Russia and Eastern Europe. Our team in Sbertech teaches Sberbank efficient work with Free & Open Source Software. You can read more about this on Habr (what we exactly do, yet in Russian).

One of the main challenges is to open the mind of managers and engineers for using FOSS (Free & Open Source Software) properly. Because we have a lot of them, we have tried to use GIFs for answer the most common questions.

image

Read more →
Total votes 29: ↑22 and ↓7 +15
Views 3.4K
Comments 0

Generic Methods in Rust: How Exonum Shifted from Iron to Actix-web

Bitfury Group corporate blog Programming *System Analysis and Design *Rust *Distributed systems *
The Rust ecosystem is still growing. As a result, new libraries with improved functionality are frequently released into the developer community, while older libraries become obsolete. When we initially designed Exonum, we used the Iron web-framework. In this article, we describe how we ported the Exonum framework to actix-web using generic programming.

Read more →
Total votes 28: ↑27 and ↓1 +26
Views 5.4K
Comments 0

Understanding the POCSAG paging protocol

Python *Network standards *Gadgets Old hardware Systems engineering *
Long time ago, when a mobile phone costed about 2000$ and one minute of voice call was 50 cents, pagers were really popular. Later cellular phones became cheaper, calls and SMS prices became lower, and finally pagers mostly disappeared.


For people, who owned a pager before, and want to know how it works, this article will be useful.
Read more →
Total votes 21: ↑20 and ↓1 +19
Views 9.2K
Comments 0

Checklist: what had to be done before deploying microservices to production

DevOps *Microservices *

This article contains a brief squeeze from my own experience and that of my colleagues, with whom I had been fighting incidents day and night. And many incidents would never have occurred if all these microservices that we love so much were written at least a little more carefully.


Unfortunately, some programmers seriously believe that a Dockerfile with any team at all inside is a microservice in itself and can be deployed even now. Dockers are running — money are incoming. This approach turns into problems starting from performance degradation, inability to debug, service failures and ending in a nightmare called Data Inconsistency.


If you feel that the time has come to launch one more app in Kubernetes / ECS / whatever, then I have something to object to.

Read more →
Total votes 20: ↑19 and ↓1 +18
Views 8.7K
Comments 1

A small notebook for a system administrator

System administration *Prototyping *Design Gadgets Laptops
I am a system administrator, and I need a small, lightweight notebook for every day carrying. Of course, not just to carry it, but for use it to work.

I already have a ThinkPad x200, but it’s heavier than I would like. And among the lightweight notebooks, I did not find anything suitable. All of them imitate the MacBook Air: thin, shiny, glamorous, and they all critically lack ports. Such notebook is suitable for posting photos on Instagram, but not for work. At least not for mine.

After not finding anything suitable, I thought about how a notebook would turn out if it were developed not with design, but the needs of real users in mind. System administrators, for example. Or people serving telecommunications equipment in hard-to-reach places — on roofs, masts, in the woods, literally in the middle of nowhere.

The results of my thoughts are presented in this article.

Figure to attract attention
Read more →
Total votes 91: ↑88 and ↓3 +85
Views 152K
Comments 57

The authoritative guide to Blockchain Sharding

High performance *Distributed systems *Cryptocurrencies

Hi, I'm one of the developers of the sharded blockchain Near Protocol, and in this article want to talk about what blockchain sharding is, how it is implemented, and what problems exist in blockchain sharding designs.


It is well-known that Ethereum, the most used general purpose blockchain at the time of this writing, can only process less than 20 transactions per second on the main chain. This limitation, coupled with the popularity of the network, leads to high gas prices (the cost of executing a transaction on the network) and long confirmation times; despite the fact that at the time of this writing a new block is produced approximately every 10–20 seconds the average time it actually takes for a transaction to be added to the blockchain is 1.2 minutes, according to ETH Gas Station. Low throughput, high prices, and high latency all make Ethereum not suitable to run services that need to scale with adoption.

Read more →
Total votes 15: ↑14 and ↓1 +13
Views 1.1K
Comments 0

Monitoring System for Windows servers on pure SQL, and how I had secretly dragged it into the Production

IT Infrastructure *Microsoft SQL Server *
A long time ago in a galaxy far, far away there was a company grown from a startup to something much bigger, but for a while the IT department was still compact and very efficient. That company hosted on prem hundreds of virtual Windows servers, and of course these servers were monitored. Even before I joined the company, NetIQ had been chosen as a monitoring solution.

One of my new tasks was to support NetIQ. The person, who worked with NetIQ before, said a lot about his experience with NetIQ, unfortunately, if I try to put it here it would be just a long line of ‘****’ characters. Soon I realized why. Steve Jobs is probably spinning in his grave looking at the interface like this:

image
Read more →
Total votes 22: ↑21 and ↓1 +20
Views 1.1K
Comments 0