Robert Graham

8.3K Followers
344 Following
912 Posts
Created BlackICE, Sidejacking, Masscan, and other infosec things.
blog: https://blog.erratasec.com
blog: https://cybersec.substack.com
github: https://github.com/robertdavidgraham

@ErrataRob
We’ve reached an absurd state of affairs where everybody knows the OSI Model is false, where everyone is confused by most of it. Yet, people still defend it, claiming some of it is helpful. Many remember some epiphany, where OSI helped them “get” a difficult concept. The problem is that these cases are almost always misconceptions, such as “layers”.

I love this already.

What's a MAC address and Ethernet frame header for? Why don't packets simply start with an IP header?

Consider Ethernet. It's a trivially simple frame format with destination and source address, followed by a type field, and faster versions are the outgrowth of the latest technology.

But STILL, you really don't understand until you understand history. Why is there an Ethernet separate from the Internet? Why not just have the frame start at the IP header, getting rid of the Ethernet header completely???

Computer science is like art history: almost everything was created in reaction to the status quo. You won't understand it until you first understand the status quo of the time.
Them: "I don't really get Z"
Me: Well, yea, it's because you are trying to understand it outside the context of history.
Me: <Gives hour long history lesson>
Them: <eyes glaze over>
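
The frame format described above, as an added example (this is not code from Robert Graham's posts or his textbook): a small parser that splits an Ethernet II frame into destination MAC, source MAC and EtherType, then hands the payload to the matching upper protocol the way a receiving host does. The two frames are constructed inline (the IPv4 checksum is left zero, since it is not checked here); EtherType values are the well-known IEEE assignments. It also handles an 802.1Q VLAN tag, which shifts the real EtherType by four bytes, and shows one concrete reason a frame cannot simply begin with an IP header: ARP rides directly on Ethernet and is not IP at all, so something before the IP header must say what follows.

```python
import struct

# EtherType values (IEEE-assigned, well known)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag inserted before the real EtherType
ETHERTYPE_IPV6 = 0x86DD


def mac_str(raw: bytes) -> str:
    """Render 6 raw bytes as aa:bb:cc:dd:ee:ff."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    """Split an Ethernet II frame: 6-byte dst, 6-byte src, 2-byte EtherType, payload.
    One optional 802.1Q tag (0x8100) is consumed if present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    vlan_id = None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF          # low 12 bits of the TCI carry the VLAN id
        offset = 18
    return {"dst": mac_str(dst), "src": mac_str(src), "ethertype": ethertype,
            "vlan_id": vlan_id, "payload": frame[offset:]}


def parse_ipv4(payload: bytes) -> dict:
    """Read the fixed fields of an IPv4 header (no options handling beyond IHL)."""
    if len(payload) < 20:
        raise ValueError("payload shorter than a 20-byte IPv4 header")
    version = payload[0] >> 4
    ihl = (payload[0] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    (total_len,) = struct.unpack("!H", payload[2:4])
    ttl, proto = payload[8], payload[9]
    src = ".".join(str(b) for b in payload[12:16])
    dst = ".".join(str(b) for b in payload[16:20])
    return {"src": src, "dst": dst, "ttl": ttl, "protocol": proto,
            "header_len": ihl, "total_len": total_len}


def demux(frame: bytes) -> dict:
    """What a host does on receive: read the EtherType, then dispatch the payload.
    ARP is not IP, so without the EtherType the host could not tell them apart."""
    eth = parse_ethernet(frame)
    et = eth["ethertype"]
    if et == ETHERTYPE_IPV4:
        eth["upper"] = "IPv4"
        eth["ipv4"] = parse_ipv4(eth["payload"])
    elif et == ETHERTYPE_ARP:
        eth["upper"] = "ARP"
    elif et == ETHERTYPE_IPV6:
        eth["upper"] = "IPv6"
    else:
        eth["upper"] = f"unknown(0x{et:04x})"
    return eth


# --- constructed sample frames (not captured traffic) ---
IPV4_HEADER = bytes([
    0x45, 0x00, 0x00, 0x14,   # version 4, IHL 5 (20 bytes), DSCP 0, total length 20
    0x00, 0x00, 0x00, 0x00,   # identification 0, flags/fragment offset 0
    0x40, 0x06, 0x00, 0x00,   # TTL 64, protocol 6 (TCP), checksum left zero (not computed)
    10, 0, 0, 1,              # source 10.0.0.1
    10, 0, 0, 2,              # destination 10.0.0.2
])
DST_MAC = bytes.fromhex("aabbccddeeff")
SRC_MAC = bytes.fromhex("001122334455")

# Plain Ethernet II frame carrying IPv4
FRAME_IPV4 = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + IPV4_HEADER

# 802.1Q-tagged frame (VLAN 100) carrying ARP; a 28-byte zeroed ARP body stands in for a real one
FRAME_VLAN_ARP = (DST_MAC + SRC_MAC
                  + struct.pack("!HH", ETHERTYPE_VLAN, 100)
                  + struct.pack("!H", ETHERTYPE_ARP)
                  + bytes(28))

if __name__ == "__main__":
    for name, frame in (("ipv4", FRAME_IPV4), ("vlan+arp", FRAME_VLAN_ARP)):
        result = demux(frame)
        print(name, result["src"], "->", result["dst"],
              "vlan", result["vlan_id"], "upper", result["upper"],
              result.get("ipv4", ""))
```

The point the parser makes visible: the Ethernet header is consumed and discarded on every hop, while the IP header survives end to end, and the EtherType is the only field that tells a receiver whether what follows is IPv4, IPv6, ARP or something else entirely.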

How do you understand the term "Zero-Trust"?

I wrote up a blogpost about how I understand it, where I try to provide a serious answer instead of just cynicism and sarcasm. I mean, the cynical/sarcastic/humorous answers are better, but at some point, we need a serious discussion, too.

https://cybersect.substack.com/p/a-serious-definition-of-the-unserious

A serious definition of the unserious "zero-trust" buzzword

I saw a tweet that went something like this: “I have 10 years of experience and several certifications, and I still don’t know what the heck ‘zero-trust’ is” A lot of responses are sarcastic and humorous, so I thought I’d write up something sincere and serious, defining what this word actually means.

Cybersect

Your regular reminder that I've written a textbook debunking the OSI Model. I appreciate your questions posted here, it'll take a few days to answer, though.

It's a long textbook that covers a tiny topic because all the experts on the subject are "wrong". To substantiate this claim, I have to undo 40 years of history of the Internet and go back to first principles.

https://docs.google.com/document/d/1iL0fYmMmariFoSvLd9U5nPVH1uFKC7bvVasUcYq78So/edit?usp=sharing

@ErrataRob Hi Robert, I have a question about the model on page 60 of your book: would you put BGP in the 'internet' or 'services' part? I could argue both ways, that it is part of the control plane of the Internet, or that it is a service that runs on top of TCP. Or that it is both simultaneously. I'm not strongly convinced the new model removes this ambiguity that OSI had. If I'm completely missing the point, let me know.
Alex Stamos has published a LinkedIn post claiming Microsoft is immorally earning money from its security failures.
I wrote up a rebuttal. tl;dr: I don't think he accurately describes what happened with Midnight Blizzard, and I don't think he substantiates his claims -- they are the sort of thing partisans agree to without needing substantiation.
https://cybersect.substack.com/p/notes-on-microsofts-midnight-blizzard
Notes on Microsoft's Midnight Blizzard attack

I’m not liking this post from Alex Stamos critical of Microsoft “addiction to security revenue”. He pretends that instead of fixing security problems for free, Microsoft is charging for the fixes. It’s a cheap accusation that he doesn’t substantiate, knowing that his readers hate Microsoft anyway, and that he needs no substantiation.

Cybersect
I've seen some people argue that the NYT's new lawsuit against OpenAI/Microsoft is the strongest such lawsuit yet, but... I don't think so. I also don't think the NY Times would actually like the world if it wins, because the NYT *itself* does what it is accusing OpenAI of doing.
https://www.techdirt.com/2023/12/28/the-ny-times-lawsuit-against-openai-would-open-up-the-ny-times-to-all-sorts-of-lawsuits-should-it-win/
The NY Times Lawsuit Against OpenAI Would Open Up The NY Times To All Sorts Of Lawsuits Should It Win

This week the NY Times somehow broke the story of… well, the NY Times suing OpenAI and Microsoft. I wonder who tipped them off. Anyhoo, the lawsuit in many ways is similar to some of the over a doz…

Techdirt