| Contact | https://ryanhamel.com/contact |
| Pronouns | He/Him/They/That SOB |
| Website | https://ryanhamel.com |
Is FlexOptix's price worth it? I've never ran into issues with FS SFP's for both 1G/10G, however 80km DWDM has had interesting failure rates.
For my personal rack I'm looking for 40G/100G QSFP's and AOC/DAC that will last forever, as in no spares kept in the drawer.
@kwf Fun Fact: NAT was created to quickly get companies onto the Internet without renumbering from whatever public IP space they squatted on.
AMD's EPYC Rome Chips Crash After 1044 Days of Uptime
AMD's latest processor revision guide for the EPYC 7002 'Rome' server chips reveals an interesting new bug (errata) that can cause a core on the chip to hang after 1,044 days of uptime (~2.93 years), after which you'll have to reset the server for the chip to run correctly. AMD says it will not fix the issue.
https://www.tomshardware.com/news/amds-epyc-rome-chips-could-hang-after-1044-days-of-uptime
Ouch.
Gmail's BIMI implementation only requires SPF to match, the DKIM signature can be from any domain.
This means that any shared or misconfigured mail server in a BIMI-enabled domain's SPF records can be a vector for sending spoofed messages with the full BIMI ✅ treatment in Gmail.
Until today, there was a Microsoft 365 configuration that would happily forward messages with a spoofed RFC5321.MailFrom (envelope) address intact, which allowed spoofing messages from any of the 775 domains that are both BIMI-enabled and allow outlook.com in their SPF.
More vectors like this almost certainly exist, the implementations and configurations of email forwarding are extremely complicated, as discussed in the recent Forward Pass paper: https://arxiv.org/abs/2302.07287
BIMI is worse than the status quo, as it enables super-powered phishing based on a single misconfiguration in the extremely complicated and fragile stack that is email.
Other BIMI implementations:
iCloud: properly checks that DKIM matches the From domain
Yahoo: only attaches BIMI treatment to bulk sends with high reputation
Fastmail: vulnerable but also supports Gravatar and uses the same treatment for both so the impact is minimal
Apple Mail + Fastmail: vulnerable with a dangerous treatment
The critical role played by email has led to a range of extension protocols (e.g., SPF, DKIM, DMARC) designed to protect against the spoofing of email sender domains. These protocols are complex as is, but are further complicated by automated email forwarding -- used by individual users to manage multiple accounts and by mailing lists to redistribute messages. In this paper, we explore how such email forwarding and its implementations can break the implicit assumptions in widely deployed anti-spoofing protocols. Using large-scale empirical measurements of 20 email forwarding services (16 leading email providers and four popular mailing list services), we identify a range of security issues rooted in forwarding behavior and show how they can be combined to reliably evade existing anti-spoofing controls. We further show how these issues allow attackers to not only deliver spoofed email messages to prominent email providers (e.g., Gmail, Microsoft Outlook, and Zoho), but also reliably spoof email on behalf of tens of thousands of popular domains including sensitive domains used by organizations in government (e.g., state.gov), finance (e.g., transunion.com), law (e.g., perkinscoie.com) and news (e.g., washingtonpost.com) among others.
Lauren Weinstein
Sue Smith
IPng Networks
Jonathan Rudenberg