HackerTrans
トップ新着トレンドコメント過去質問紹介求人

pjf

no profile record

投稿

Audit: Vuln-discovery agent reimplementing the Cloudflare Project Glasswing

github.com
1 ポイント·投稿者 pjf·2 か月前·0 コメント

CPanel and WHM Authentication Bypass Affecting 70M Domains

labs.watchtowr.com
6 ポイント·投稿者 pjf·2 か月前·0 コメント

Golang Constmap by Daniel Lemire

twitter.com
4 ポイント·投稿者 pjf·3 か月前·1 コメント

Coursera prompt injection on copy and paste

twitter.com
4 ポイント·投稿者 pjf·5 か月前·1 コメント

The Day the Telnet Died

labs.greynoise.io
499 ポイント·投稿者 pjf·5 か月前·385 コメント

Show HN: Bgpipe – pipe live BGP sessions through Python, add RPKI, etc.

bgpipe.org
2 ポイント·投稿者 pjf·5 か月前·0 コメント

コメント

pjf
·26 日前·議論
I'm pushing the https://bgpipe.org/ project, bringing one of the first BGP ASPA route path validators to the open source world - see:

- https://bgpipe.org/stages/aspa/

- https://www.ripe.net/manage-ips-and-asns/resource-management...
pjf
·2 か月前·議論
There are situations [1] where you could reliably BGP-hijack the IP prefix of the target domain authoritative nameserver, and obtain your own domain-validated cert for the target (by effectively controlling the zone file contents). And yeah, CAs do have their BGP protections, but still there's at least partial assumption BGP is secure enough to run DNS-based validation for new SSL certs, in our world where DNSSEC is still rare.

  [1] https://www.ietf.org/proceedings/104/slides/slides-104-maprg-dns-observatory-monitoring-global-dns-for-performance-and-security-pawel-foremski-and-oliver-gasser-00.pdf (see slide 15; yeah, it's already a bit old, yet still the case from my practice)
pjf
·2 か月前·議論
On the other front (Chrome), their crlset-tools [1] just fetched me 64k (~1.1MiB) of revoked certs just fine, contrary to the article (quote: "After retrieving and running this tool, I was surprised to see a total of 1,081 revoked certificate serial numbers in this list. This seems oddly low.")

[1] https://github.com/agl/crlset-tools
pjf
·2 か月前·議論
Good that at least BGP is secure.
pjf
·3 か月前·議論
NB: this is not "IPv6 traffic crosses the 50% mark" but "availability of IPv6 connectivity among Google users", which is a very important difference. This means roughly half of Google users have IPv6 capability, which does not 1:1 correspond how much traffic is actually transferred over IPv6, which is what this submission says in the title.
pjf
·4 か月前·議論
great post! key points for me:

1. 100 IXes alone would get 56% IPv4 and 61% IPv6 prefixes, but ~14% reachability

2. little uniqueness between exchanges: not many new prefixes after the top 5

3. for outbound-heavy networks IXes are great, but to attract traffic they are not (edit: applies to automatic peering via route servers)
pjf
·5 か月前·議論
Kind of "funny" affected service is BGP RouteViews CLI access, still running over telnet: https://archive.routeviews.org/ (scroll to bottom of the page)

Isn't this one of the remaining, "legit" uses of the Telnet protocol on TCP/23 port over the public Internet?
pjf
·6 か月前·議論
One reason is there already was exabgp, written in Python, which in my experience is slow and resource hungry. Golang is much faster, easily portable, and produces static binaries (easy to deploy).

Another thing is bgpipe speaks JSON to background (or even remote) packet processors, so basically you can use whatever language you want with it to drive your BGP routers.
pjf
·6 か月前·議論
I'd advise to first compare with:

- https://bgp.tools/ - https://bgproutes.io/ - https://bgp.he.net/ - https://radar.qrator.net/ - https://github.com/nttgin/BGPalerter

...all of which are (usually) free. IMHO you should have a competing product + money strategy before you continue. Many people have tried (and failed) to make money off BGP.

BTW, author of https://bgpipe.org/ here, an open-source BGP data tool
pjf
·8 か月前·議論
https://bgpipe.org/

I'm working on a man in the middle proxy for BGP, which can fix and inspect routing sessions on the fly. Like a firewall for the BGP control plane.