Locking Down Docker Networks with SPR

· 8 min read

Envision a homelab scenario with a feature-rich router that's suitable as a container host with storage and memory. Locking down the router's container network policy is surprisingly difficult to set up and manage.

SPR makes it easy with secure-by-default network controls. Instead of worrying about IP ranges and interfaces, join the interfaces to the groups of devices they can communicate with and set internet access policy.

Authentication, Association, and Authorization in 802.11 WiFi

· 4 min read

Association in the 802.11/WiFi world comes in the "loose" variety of the term, and why Hostapd disconnect events are confusing...

As a quick recap: when a station connects to an Access Point, it goes through a series of request/reply interactions. Several frames are in play including Probes, Authentication, Association, and finally Data frames with EAPOL. The EAPOL payloads perform all the fun cryptography with the passphrase for WPA2, WPA3, and 802.1X Authentication mechanisms.

BSSID Randomization

· 3 min read

How Does WiFi Location Positioning & Tracking Work?

All Apple Smartphones and Laptops as well as Google Devices passively collect Access Point Names (the SSID) and their hardware address (the BSSID), and they then tag it with the GPS location. With billions of customers, tech giants have been able to build databases that contain the physical position of almost every access point in the world.

Researchers from the University of Maryland published that the privacy features in the public APIs were insufficient to protect the privacy of individuals. See the paper from Erik Rye and Dave Levin for the details: "Surveilling the Masses with Wi-Fi-Based Positioning Systems".

Krebs On Security has a thorough review of the issue: "Why Your Wi-Fi Router Doubles as an Apple AirTag".

PI5 Hats and More, Unleashing the Power of Modular Router Hardware

· 4 min read

Modular Router Hardware

I'm excited to announce that Supernetworks will be releasing Compute Module based and Pi5 Expansion HAT based access points. The HATs and Compute Modules are expected to be generally available this summer.

The second tenet of Sustainability is Reuse. Companies like Framework have been spearheading the charge towards a better form of computing by building upgradable laptops and soon other devices.

With what the Raspberry Pi Foundation offers people, we are able to bring some of the benefits of modular computing to Access Points as well. Modularity takes ownership one step further, letting people reuse the hardware for other projects, and upgrade it to make it powerful, without any soldering required.

Dragonfly Pake

· 7 min read

Midnight Sun Qualifiers 2024

Over the weekend a CTF team I help with, HackingForSoju, hosted the Midnight Sun CTF Qualifiers. The finals will take place in Stockholm, Sweden on June 14-16.

I put together a challenge around WPA3's Password Authenticated Key Exchange: Dragonfly.

WPA3 has quite a few notes during our WiFi training where we discuss the background to the protocol, because it was so very worrisome from the start.

Software Safety Looks Different From The Other Side

· 4 min read

Memory Corruption Hardening is Controversial Now?

Social media has a lot of criticism lately for the push for memory safety as a metric for the labeling of software security. Between software supply chain susceptibility, command injection, and logic bugs obliterating software regularly, it doesn't seem like it's the best candidate for a software safety metric.

The background for why the federal government is reporting in the area is E.O. 14028.

From the EO there are several pushes for software and network safety. These are things like requiring Zero Trust Access for the Federal Government, EDR on federal systems for monitoring and responding to attacks, SBOMs for supply chain safety, and creating safety standards for IoT devices. Although the main focus is the federal government, there's an aim to push out software safety standards to the public as a whole.

And it's regulation for consumers that I see getting some criticism. NIST's key areas interact with the labeling of safety for IoT and consumer software -- which has everyone skeptical because the government may not seem to be the best equipped for leading-edge software practices, and regulatory overhead will raise the burden for software developers without necessarily moving software security forward.

On memory safety specifically, two key documents have been released over the past two quarters. The first is CISA's report on Memory Safety. The second is the ONCD Report on Measuring Memory Safety.

What the I-Soon Leak Tells Us About WiFi Hacking

· 3 min read

The I Soon Dump

"The documents come from iSoon, also known as Auxun, a Chinese firm headquartered in Shanghai that sells third-party hacking and data-gathering services to Chinese government bureaus, security groups and state-owned enterprises."

The Washington Post writes that "The documents show that iSoon met and worked with members of APT41, a Chinese hacking group that was charged by the U.S. Justice Department in 2020 for targeting more than 100 video game firms, universities and other victims worldwide."