Joseph Lorenzo Hall, PhDLike others, I received a cease and desist letter [2] from Cloud Innovation regarding Emmanuel Vitus' Medium article "AFRINIC: Hope, Hijack, and the Harsh Lessons of African Multistakeholderism". 1/
| Homepage | https://dataplane.org/jtk |
John Kristoff
@jtk@infosec.exchange
- 941 Followers
- 482 Following
- 1.6K Posts
UIC PhD candidate | https://Dataplane.org | Netscout. Internet infrastructure (#BGP, #DNS) and #infosec. Bit mechanic. Also: #Blues / tfr / #fedi22
Colocrossing posted details about the incident yesterday. The incident was more extensive than previously known. The attacker had access to ColoCloud meta data, customer names, email addresses (many reports of those email receiving lots of new spam), and VNC passwords. ColoCrossing reset all VNC passwords yesterday.
Reportedly 4% of VMs experienced data loss. 4% of what? Not sure, but they announce over 2800 IP4 prefixes of nearly 1 million addresses - many of which are dedicated servers and used by resellers. My guess is at least thousands of VM potentially at risk.
Monday jam: Josh Smith | When I Get Mine | https://song.link/us/i/972233496 #blues
Dataplane.orgThe Internet Last Week
* Let's Encrypt IP address certs
https://letsencrypt.org/2025/07/01/issuing-our-first-ip-address-certificate/
* AFRINIC board elections scheduled
https://lists.afrinic.net/pipermail/announce/2025/002469.html
* Aeza Group sanctioned
https://home.treasury.gov/news/press-releases/sb0185
* RIPE NCC services disruption
https://status.ripe.net/incidents/qjxmb00xhmst
https://mastodon.social/@ripencc/114789368007206778
We've Issued Our First IP Address Certificate
Since Let’s Encrypt started issuing certificates in 2015, people have repeatedly requested the ability to get certificates for IP addresses, an option that only a few certificate authorities have offered. Until now, they’ve had to look elsewhere, because we haven’t provided that feature. Today, we’ve issued our first certificate for an IP address, as we announced we would in January. As with other new certificate features on our engineering roadmap, we’ll now start gradually rolling out this option to more and more of our subscribers.
IPng NetworksIf you're curious as to how a Go based replacement to Rancid could look like, take a look at:
Weekend Reads
* A new RPKI design https://arxiv.org/abs/2507.01465
* Finding New IP KVMs https://www.runzero.com/blog/oob-p1-ip-kvm/
* Burner phone basics https://www.hackerfactor.com/blog/index.php?/archives/1071-Feel-the-Burn.html
* Radio frequency basics https://insights.sei.cmu.edu/blog/radio-frequency-101-can-you-really-hack-a-radio-signal/
* Detecting non-spoofed traffic https://labs.ripe.net/author/petros_gigis/openpenny-developing-an-open-source-tool-for-detecting-non-spoofed-traffic/
A new efficient RPKI Design
Resource Public Key Infrastructure (RPKI) is a critical security mechanism for BGP, but the complexity of its architecture is a growing concern as its adoption scales. Current RPKI design heavily reuses legacy PKI components, such as X.509 EE-certificates, ASN.1 encoding, and XML-based repository protocols, all these introduce excessive cryptographic validation, redundant metadata, and inefficiencies in both storage and processing. We show that these design choices, although based on established standards, create significant performance bottlenecks, increase the vulnerability surface, and hinder scalability for wide-scale Internet deployment. In this paper, we perform the first systematic analysis of the root causes of complexity in RPKI's design and experimentally quantify their real-world impact. We show that over 70% of validation time in RPKI relying parties is spent on certificate parsing and signature verification, much of it unnecessary. Building on this insight, we introduce the improved RPKI (iRPKI), a backwards-compatible redesign that preserves all security guarantees while substantially reducing protocol overhead. iRPKI eliminates EE-certificates and ROA signatures, merges revocation and integrity objects, replaces verbose encodings with Protobuf, and restructures repository metadata for more efficient access. We experimentally demonstrate that our implementation of iRPKI in the Routinator validator achieves a 20x speed-up of processing time, 18x improvement of bandwidth requirements and 8x reduction in cache memory footprint, while also eliminating classes of vulnerabilities that have led to at least 10 vulnerabilities in RPKI software. iRPKI significantly increases the feasibility of deploying RPKI at scale in the Internet, and especially in constrained environments. Our design may be deployed incrementally without impacting existing operations.
Color me cynical, but I wonder if Google, like Cloudflare and Fastly, will soon be announcing its own AI crawling traffic monetization scheme for all you content creators. Everyone gonna want their cut?
The reading of IETF RFC 2119 going around reminded me that I had recorded myself reading the classic e2e paper and Clark's later design philosophy paper for my students. I certainly am not a trained voice actor, but I seem to recall at least a couple of students appreciating that format.
I'm pretty sure I did this around the mid 2000s when iPods were at their peak popularity, but the Wayback Machine doesn't have a record of them until much later.
If I ever teach again I might have to dig them up.
https://web.archive.org/web/20160419121039/http://tdc.iorc.depaul.edu/media/
ssharwoodAre you an #AFRINIC resource member? Did you try to vote at last week's election? I'm trying to figure out why the election was anulled ... if you want to chat, I can be reached in confidence here https://www.theregister.com/Author/Email/Simon-Sharwood
Tom Lyon ✅I scanned a handful of old commercial UNIX newsletters from 1983:
https://drive.google.com/drive/folders/1su6vVa5vXe5FpI-4WB5AQyex_jS_t2XI?usp=sharing
"commUNIXations" Number 12 is particularly interesting - an issue dedicated to the commercial databases available on UNIX at the time.