Hacker Newsnew | past | comments | ask | show | jobs | submit | hroi's commentslogin

Looks like they are encountering the issue of head-of-line blocking. Since HTTP/2 multiplexes streams on a single tcp connection, all streams suffer when packet loss occurs. This is a well-known flaw in HTTP/2. HTTP/1 creates multiple tcp connections; if one connection needs to wait for retransmissions, the others are not impeded.


Not really, considering any single subscriber could be assigned a whole /56, and that machines with privacy addressing would be periodically changing the last 64 bits of their address.


AKA Genuine People Personalities as predicted in Hitchhiker's Guide.


What is your point? u32/u128 are not mathematical integers. They are actually bit strings, just like IP addresses and unlike mathematical integers.


They are mathematical cyclic groups!


You can learn the community string by monitoring traffic. The community string is included in each and every SNMPv2 PDU. SNMPv2 performs no handshake, so is vulnerable to trivial spoofing. Enterprises and ISPs reusing community strings on every device and never rotating them is not unheard of.


Yes, obviously you can sniff community strings, but that only helps if you're speaking SNMP over the Internet.

Again the case I'm making is that this particular bug is really only useful for persisting onto networks you've already compromised.


I would not be surprised if there are companies & organizations out there using SNMP monitoring tools to monitor cloud hosted systems in the same on-prem instance they're monitoring their on-prem systems from.

I'm thinking specifically of my old company, which used Nagios to monitor a few hundred VMs on AWS in addition to the several thousand servers & all the networking gear running locally.


NSA supposedly listens to our traffic, so learning the community string and management station's IP address is straight forward.


They capture at the fiber going out or in (or undersea), if you follow the other commenters here SNMP traffic would never go over those.


I mean never say never. You definitely CAN tell an ASA to allow SNMP on an external interface. But it's probably not where you end up by default.


That's true if you're speaking SNMP over the Internet. But how many ASAs actually do that?


ASAs are often used at the perimeter of small satellite networks using a local ISP's internet access, and then connecting back to HQ with IPSEC tunnels. I would guess that it is not uncommon, though bad practice, to centrally monitor SNMP on the external interface instead of over the IPSEC tunnel (which can be a little tricky to do).


Yeah, it's true I guess, and if you're using a random community string and this is NSA, I think we can all safely assume NSA knows every community string spoken anywhere on the public Internet.


I can count over a dozen easily, off the top of my head, without even looking into our customer database. I'm certain I'm not alone.


When was this? For a long time IPv6 suffered from people running services over tunnels via tunnel brokers, which resulted in horrible performance, MTU issues, timeouts and so on. I have noticed recently that the situation has improved a lot, with more and more "real", native deployments coming online.


Two weeks ago. But I would rather blamemyself for a lack of knowledge that the VPS provider for providing OS images that don't fit my expectations.


I think you are confusing hash functions with key derivation functions..


I'm not. Hash functions are used in cryptography for password storage (eg SHA2-512).

Best practice would be to use a KDF with a hash salt, but in a lot of cases, SHA2 + salt + pepper is sufficient.


> Hash functions are used in cryptography for password storage

hint: they're used for more than that.

you are woefully out of your depth here.


> you are woefully out of your depth here.

I very much doubt that since I've been able to provide back up sources to evidence my points. However if I am wrong then please do educate me instead of posting uninformative troll comments like the above.


"If BLAKE isn't intended for cryptography then it's not a direct competitor to SHA-3."

If you didn't know that BLAKE was one of the entries in the SHA3 competition (one of the finalists in fact), I think you are out of your depth.


Those two points aren't mutually inclusive. I do understand cryptography and hashes - maybe not to a security researchers level nor be up to date with the latest proposals - but that doesn't mean I'm out of my depth to ask the questions I've been asking either.

Furthermore, the way you conduct yourself in these posts isn't exactly helpful. You're condescending and terse. Your comments contain the bare minimum information (or in the case of this latest exchange, no useful information what-so-ever) and it feels very much like you're more interested in winning ego points than you are in educating someone who could clearly benefit from your greater wisdom. Which is sad because without that exchange of knowledge, these kinds of threads will keep happening.

edit: that said, I did appreciate your comment about hardware vs software: https://news.ycombinator.com/item?id=10012537 so thank you for that post :)


If you're interested in learning, ask more questions. This thread started off with some dubious statements, and when that was pointed out, you dug in deeper and deeper. That doesn't inspire much confidence that you will appreciate someone taking the time to educate you. Hence, the terseness.


My first draft of that post was more question-based than statement-based but for some reason I thought the rewritten version was better presented. In hindsight that was really poor judgement on my part. Sorry for that. But I assure you that I'm very much interested in learning :)

The "digging deeper" was more down to responding to other people who had misunderstood my original comment. And lets be honest, there has been a lot of that as well.

edit: oh jeez, someone's been on the rampage with the ▾ clicking. I think it's time I get HN a break because the moderation on here has really been bugging me in recent months. I know it's a tired cliche, but I'm sure this community used to be less hostile. </soliloque>


KDF should be slow.

Stream ciphers should be fast.

Message authentication should be fast.

Hash functions can be used in any of the above, therefore it should be fast. Key derivation functions generally work by taking a secure hash (that can be done fast), and then taking an operation that transforms the output of the hash function to another output that requires a lot of time and/or memory. And then possibly takes the hash of this as well to obscure the internal workings. The "slowness" is part of the KDF, and not part of the hash function. The reason it's tuneable is because it doesn't matter how fast the hash is, you can just run more iterations.


> SHA2 + salt + pepper is sufficient

Not even close. The attempts/sec you can run against SHA-2 vs. the attempts/sec you can run against bcrypt or scrypt are an order of magnitude apart.

You should not use anything less than a proven KDF (scrypt, bcrypt, PBKDF2-HMAC-SHA2 with a lot of rounds) for password storage.

Many of your posts conflate "cryptographic" with "password hashing", which is certainly not the case. Note that PBKDF2-HMAC-SHA2 does not (at all) mean that SHA-2 is useful for password hashing. As someone else pointed out, that's just an implementation detail.


As always, Luigi is totally neglected.


Luigi just had a whole year to himself :)

http://www.mariowiki.com/Year_of_Luigi


I am quite worried about this development as someone who has to deal with DDoS traffic on a regular basis. I am starting to feel like UDP and UDP-like protocols should be abolished outright.


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: