HackerLangs
TopNewTrendsCommentsPastAskShowJobs

pjf

no profile record

Submissions

Audit: Vuln-discovery agent reimplementing the Cloudflare Project Glasswing

github.com
1 points·by pjf·2개월 전·0 comments

CPanel and WHM Authentication Bypass Affecting 70M Domains

labs.watchtowr.com
6 points·by pjf·2개월 전·0 comments

Golang Constmap by Daniel Lemire

twitter.com
4 points·by pjf·3개월 전·1 comments

Coursera prompt injection on copy and paste

twitter.com
4 points·by pjf·5개월 전·1 comments

The Day the Telnet Died

labs.greynoise.io
499 points·by pjf·5개월 전·385 comments

Show HN: Bgpipe – pipe live BGP sessions through Python, add RPKI, etc.

bgpipe.org
2 points·by pjf·5개월 전·0 comments

comments

pjf
·26일 전·discuss
I'm pushing the https://bgpipe.org/ project, bringing one of the first BGP ASPA route path validators to the open source world - see:

- https://bgpipe.org/stages/aspa/

- https://www.ripe.net/manage-ips-and-asns/resource-management...
pjf
·2개월 전·discuss
There are situations [1] where you could reliably BGP-hijack the IP prefix of the target domain authoritative nameserver, and obtain your own domain-validated cert for the target (by effectively controlling the zone file contents). And yeah, CAs do have their BGP protections, but still there's at least partial assumption BGP is secure enough to run DNS-based validation for new SSL certs, in our world where DNSSEC is still rare.

  [1] https://www.ietf.org/proceedings/104/slides/slides-104-maprg-dns-observatory-monitoring-global-dns-for-performance-and-security-pawel-foremski-and-oliver-gasser-00.pdf (see slide 15; yeah, it's already a bit old, yet still the case from my practice)
pjf
·2개월 전·discuss
On the other front (Chrome), their crlset-tools [1] just fetched me 64k (~1.1MiB) of revoked certs just fine, contrary to the article (quote: "After retrieving and running this tool, I was surprised to see a total of 1,081 revoked certificate serial numbers in this list. This seems oddly low.")

[1] https://github.com/agl/crlset-tools
pjf
·2개월 전·discuss
Good that at least BGP is secure.
pjf
·3개월 전·discuss
NB: this is not "IPv6 traffic crosses the 50% mark" but "availability of IPv6 connectivity among Google users", which is a very important difference. This means roughly half of Google users have IPv6 capability, which does not 1:1 correspond how much traffic is actually transferred over IPv6, which is what this submission says in the title.
pjf
·4개월 전·discuss
great post! key points for me:

1. 100 IXes alone would get 56% IPv4 and 61% IPv6 prefixes, but ~14% reachability

2. little uniqueness between exchanges: not many new prefixes after the top 5

3. for outbound-heavy networks IXes are great, but to attract traffic they are not (edit: applies to automatic peering via route servers)
pjf
·5개월 전·discuss
Kind of "funny" affected service is BGP RouteViews CLI access, still running over telnet: https://archive.routeviews.org/ (scroll to bottom of the page)

Isn't this one of the remaining, "legit" uses of the Telnet protocol on TCP/23 port over the public Internet?
pjf
·6개월 전·discuss
One reason is there already was exabgp, written in Python, which in my experience is slow and resource hungry. Golang is much faster, easily portable, and produces static binaries (easy to deploy).

Another thing is bgpipe speaks JSON to background (or even remote) packet processors, so basically you can use whatever language you want with it to drive your BGP routers.
pjf
·6개월 전·discuss
I'd advise to first compare with:

- https://bgp.tools/ - https://bgproutes.io/ - https://bgp.he.net/ - https://radar.qrator.net/ - https://github.com/nttgin/BGPalerter

...all of which are (usually) free. IMHO you should have a competing product + money strategy before you continue. Many people have tried (and failed) to make money off BGP.

BTW, author of https://bgpipe.org/ here, an open-source BGP data tool
pjf
·8개월 전·discuss
https://bgpipe.org/

I'm working on a man in the middle proxy for BGP, which can fix and inspect routing sessions on the fly. Like a firewall for the BGP control plane.