开发者
Iran abused mobile networks’ vulnerabilities to locate US military in the Middle East, report says
The Iranian government exploited well-known flaws in cellphone networks to locate and then strike U.S. military personnel in the build-up and beginning of the war.
AI 资讯
Meta's Noninvasive Brain–Computer Interface Brain2Qwerty Achieves 61% Accuracy
Meta recently open-sourced Brain2Qwerty v2, a noninvasive Brain–Computer Interface (BCI) that can decode sentences from thoughts using electroencephalography (EEG) or magnetoencephalography (MEG) signals from the brain. In evaluations, the system achieved a word accuracy rate 61% on average, compared to 8% for other non-invasive methods. By Anthony Alford
AI 资讯
A Differential Test Harness for Native vs. Generic XDP: Methodology and Baseline
Native XDP and generic SKB-mode XDP are not the same thing in practice. The same BPF program can pass the verifier and still behave differently depending on which mode the kernel uses, this could be a different verdict, different frame bytes, or different metadata. This post ships three things: an open differential test harness, a fixed eleven-packet corpus, and a simple way to classify the differences it finds. A tagged release lets anyone reproduce the virtio/veth baseline on Linux 6.8. The operational risk is straightforward. A firewall or rate-limiter validated only under native XDP can fall back to generic mode on an unsupported driver, a veth port, or after a reload. You keep the same bytecode, but behaviour can change, often without a clear error line. What this release includes: A harness loop: corpus → inject on the RX path → native vs generic sweep → xdpdump capture → compare.py manifest, comparing both the captured frame bytes and the XDP verdict ( PASS / DROP / TX / REDIRECT ). A deterministic corpus with eleven embedded test IDs ( 0xA001 – 0xA005 , 0xA007 – 0xA00C ; 0xA006 is intentionally omitted as a reserved gap in the generator). An operational divergence taxonomy (Class A / B / C). A virtio/veth smoke gate on Linux 6.8; now gating on frame bytes and verdict agreement that shows the full path is reproducible end to end. Scope for this post: native vs generic XDP on the virtio_vm profile only (five BPF programs, pinned manifests). This is part 1 of 2; it establishes the harness and an instrument-validity baseline; a follow-up post covers bare-metal divergence results. Physical NIC results are not part of this baseline. Ordinary conformance checks stop at “did the program load?” Differential testing asks a sharper question: given identical input packets, do the backends produce the same observable outcome at the hook? Background: native vs generic XDP Both modes load the same BPF object. They diverge at the hook point and in how the packet is represen
开发者
The US government warns that Russia state hackers are coming after your router
With residential proxies all the rage, CISA urges router users to be vigilant.
AI 资讯
PHP Speaks QUIC Now, and OpenSSL Did the Hard Part
I released php-quic 1.0.0, a PHP extension that gives you raw QUIC transport with first-class access to streams. It links against the same OpenSSL that PHP already links against, and that is the whole trick. Why This Was Awkward Before QUIC is not a protocol you bolt on in userland. It is TLS 1.3, congestion control, loss recovery, and stream multiplexing, all riding on UDP, and all of it has to be right before you can send a single useful byte. You could get there from PHP if you were willing to bind to a foreign QUIC library like ngtcp2 or quiche through FFI. That works, but now your PHP app carries a second TLS stack, a second set of CVEs to track, a build story that involves Rust, and a version matrix that has nothing to do with the one your distro maintains. For a language whose entire deployment story is "the package manager handles it," that is a lot of rope. What Changed OpenSSL 3.5 shipped a native QUIC stack. Client and server, in the library PHP is already built against. That reframes the problem. The extension is no longer "embed a QUIC implementation into PHP." It is "expose the QUIC that is already sitting there." No new TLS stack, no FFI layer, no Rust toolchain in your build. If your OpenSSL is patched, your QUIC is patched. The requirements fall out of that directly: PHP 8.4 or newer (8.5 on Windows), NTS or ZTS OpenSSL 3.5.0 or newer, built with QUIC support Transport, Not HTTP/3 The thing I most wanted to avoid was shipping an HTTP/3 client and calling it a QUIC library. QUIC is a transport. HTTP/3 is one protocol that runs on it, and it is not the interesting one for everybody. DNS-over-QUIC runs on it. So does anything you want to invent that needs multiplexed, ordered, loss-recovered streams without head-of-line blocking across them. So php-quic hands you connections and streams, and stays out of the framing business. If you want HTTP/3, you build HEADERS frames and QPACK on top of it, and the README has a worked example. If you want something
AI 资讯
Wi-Fi 8 Explained: Features, Release Date, and More
Chipset makers and router manufacturers are talking about Wi-Fi 8, but what is the new standard, and when will it arrive?
产品设计
As TV-tracking app TV Time shuts down, its founder builds Bingers, a new home for fans
The creator of TV Time is building a successor app that will let users import their watch histories and preserve the community that formed around discussing their favorite shows.
AI 资讯
Demystifying LDAP: The Digital Phonebook of Your Network
If you have ever logged into a corporate computer, searched for a colleague in your company’s email directory, or used a single set of credentials to access dozens of different internal applications, you have likely interacted with LDAP . Standing for Lightweight Directory Access Protocol , LDAP is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an IP network. In simpler terms, it is the underlying language that allows different systems and applications to communicate with a central directory to find information about users, devices, and permissions. Think of LDAP as a highly organized, digital phonebook. When an application needs to know if "John Doe" is a valid user and what his password is, it uses LDAP to ask the phonebook. How LDAP Organizes Data Unlike traditional relational databases (like SQL) that store data in tables, LDAP stores data in a hierarchical, tree-like structure known as the Directory Information Tree (DIT) . This makes it incredibly fast at reading and searching for information, which is exactly what an authentication system needs to do millions of times a day. Here are the core components of this structure: Root: The top level of the directory tree, usually representing the organization (e.g., dc=example, dc=com ). Branches (Organizational Units - OU): Categories or departments within the organization (e.g., ou=Marketing , ou=Servers ). Leaves (Entries): The actual objects being stored, such as a specific user, printer, or computer. Attributes: The specific pieces of data tied to an entry. For a user entry, attributes might include givenName (first name), mail (email address), and userPassword . Every entry in an LDAP directory has a unique identifier called a Distinguished Name (DN) . It acts like an absolute file path. For example, John Doe’s DN might look like this: cn=John Doe, ou=Marketing, dc=example, dc=com How Applications Talk to LDAP When an
AI 资讯
EEM 101: On-Box Automation That Runs Even When Your NMS Doesn't
This is Part 1 of a 5-part series on Cisco EEM. We start here with the fundamentals and a few working applets, then build toward self-healing networks, automated diagnostics, compliance guardrails, and a complete real-world deployment. Ask ten network engineers what they use EEM for, and nine will say the same thing: "Oh, I have an applet that auto-recovers err-disabled ports." Then they never touch it again. That's a shame, because Embedded Event Manager is one of the most capable tools already sitting inside every Cisco IOS device you own — and almost nobody uses more than 1% of it. It's a full automation engine that lives on the box . No external server. No API gateway. No orchestration platform. Just the router or switch, watching itself, ready to react the instant something happens — even if the WAN is cut, the NMS is down, and it's three in the morning. This series is about using that other 99%. By the end you'll have a toolkit of applets you can deploy and, more importantly, a way of thinking about on-box automation. But we start at the foundation: what EEM actually is, how it's put together, and why "on the box" is a bigger deal than it sounds. What EEM actually is Embedded Event Manager is an event-driven automation framework built into Cisco IOS, IOS-XE, and NX-OS. Strip away the jargon and it's a very simple idea: When something happens, do something about it — automatically, on the device itself. That "something happens" is an event . That "do something" is one or more actions . Bundle an event with its actions and you have an applet — the basic unit of EEM. That's the whole model. The power comes from how many different things can be an event , and how much an action can do. Events EEM can watch for include: A syslog message matching a pattern (an interface flapping, an HSRP state change, a config being saved). An SNMP OID crossing a threshold (CPU over 85%, a power supply going absent, temperature rising). A CLI command being entered (someone typing wr
AI 资讯
My First Experience with SigNoz
Modern applications, especially AI agents and distributed systems, need more than logs to understand what is happening. That's why I explored SigNoz, an open-source observability platform built on OpenTelemetry. Setting up SigNoz with Docker was simple. After connecting a sample application, I could view logs, metrics, and traces from a single dashboard within minutes. My favorite feature is distributed tracing. Instead of guessing where requests slow down or fail, SigNoz clearly shows the complete request journey across services, making debugging much easier. The built-in dashboards provide valuable insights into CPU usage, memory, request latency, throughput, and error rates. Having centralized logs alongside metrics and traces saves time by eliminating the need to switch between multiple tools. I also liked the alerting feature, which helps detect issues before they affect users. For AI applications, observability is essential. AI agents make multiple API calls, use tools, and perform complex workflows. SigNoz makes it easier to understand each step, identify failures, measure latency, and optimize performance. Overall, my experience with SigNoz was excellent. It combines logs, metrics, traces, dashboards, and alerts into one intuitive platform. Among all its features, distributed tracing impressed me the most because it provides deep visibility into application behavior and simplifies troubleshooting. I'm excited to use SigNoz in future AI and cloud-native projects.
AI 资讯
How to usar Docker networks na pratica
Quando voce cria um container e depois outro, eles podem nao se enxergar. O motivo quase sempre e a rede. Entender os tipos de rede que o Docker oferece resolve isso de uma vez. Comece listando as redes que ja existem no seu Docker. docker network ls A rede bridge e a rede host vem de fabrica. Nenhuma delas oferece resolucao de nomes entre containers. Para isso voce precisa criar a sua propria rede. docker network create minha-rede Agora os containers que entrarem nessa rede conseguem se comunicar pelo nome do container. docker run -d --name app1 --network minha-rede nginx docker run -d --name app2 --network minha-rede alpine sleep 3600 Teste a comunicacao. docker exec app2 ping app1 -c 2 O ping funciona. O DNS interno do Docker resolve app1 para o IP interno do container. Isso resolve 90% dos problemas de comunicacao. A rede bridge padrao nao tem esse recurso. Crie sua propria rede sempre que precisar que containers se enxerguem. Agora a rede host. Ela elimina o isolamento de rede. O container usa a placa do host diretamente, sem NAT e sem mapeamento de porta. docker run -d --name web-host --network host nginx O nginx fica acessivel em http://localhost:80 direto. Sem -p 80:80. Mas so um container pode usar cada porta, porque a porta e a do host de verdade. Para ambientes com mais de uma maquina, existe a rede overlay. Ela precisa do Docker Swarm ou de um cluster. docker swarm init docker network create -d overlay rede-overlay docker service create --name api --network rede-overlay --replicas 3 nginx Os containers em maquinas diferentes se enxergam pelo nome como se estivessem na mesma maquina. No dia a dia, a rede bridge personalizada resolve quase todo caso de uso. Host e para performance ou casos especificos. Overlay e para quando voce escala para mais de uma maquina. That's all for now. Thanks for reading!
AI 资讯
Rosemary
Rosemary: Transparent Network Tunneling Over QUIC (Kernel-Level) Ever SSH into a box and wish you could just use its network without setting up proxy chains or VPNs? Rosemary makes that happen. The server intercepts traffic at the kernel level (no proxy settings, no TUN devices) and tunnels it over encrypted QUIC through a lightweight agent on the remote host. From your laptop, curl , ping , or your browser reach private subnets as if you were there. What you get Kernel-level packet interception, transparent to all your apps TCP, UDP, ICMP, and DNS just work without configuration Route all internet traffic through a chosen agent (egress) SOCKS5 proxies, port forwards, and reverse forwards per agent Multi-hop pivoting through several agents Web dashboard with real-time agent graph Full REST API for automation Works on Linux, Windows, macOS, FreeBSD, and OpenBSD Agents run without root; traffic is AES-256-GCM encrypted over QUIC Quick start # install (requires Go) go install github.com/blue0x1/rosemary/rosemary@latest go install github.com/blue0x1/rosemary/agent@latest # start server (needs sudo for kernel interception) sudo rosemary # deploy agent on remote box ./agent-linux-amd64 -s <server-ip>:2048 -k <your-key> That's it. Open http://server-ip:1024 and you'll see the agent's subnets automatically routed. Set a default egress agent to route all traffic through a jump host: egress agent-1 Now your laptop behaves like it's on the remote network. No proxychains, no ssh -D , no friction. Check the repo blue0x1/rosemary for pre-built binaries, PowerShell agents, and the full API. Use only on systems you own or have permission to test.
产品设计
Missing network configuration on fresh Ubuntu Server offline installation
Installing Ubuntu Server 24.04 LTS in an offline mode (no LAN cable or WiFi connected) leaves you with an unmanaged network interface which requires manual configuration post-install. The interface enp4s0 is unmanaged by systemd-networkd and also the service itself is disabled. NOTE: This guide applies to Ubuntu server. On Ubuntu desktop you have the NetworkManager service installed and the steps would be different. To fix the problem follow the steps below: Create a Brand New Netplan Configuration File Look into /etc/netplan . You will probably see the dir is empty. This means the installer completely gave up on configuring the network and didn't create any profiles. Create a new file, e.g. vim /etc/netplan/01-netcfg.yaml . Paste the following configuration network : version : 2 renderer : networkd ethernets : enp4s0 : dhcp4 : true This makes the interface managed by networkd instead of the desktop NetworkManager. Fix permissions The new file needs to be readable only by root so fix it's permissions chmod 600 /etc/netplan/01-netcfg.yaml . Enable network service Enable the network service and make it start on boot: systemctl enable systemd-networkd systemctl start systemd-networkd Run netplan Finally, we need to tell Ubuntu to use our new configuration and activate the network netplan generate netplan apply Network should be up! ip a
AI 资讯
Fixing the 550 SPF Check Failed Error: A Technical Step-by-Step Troubleshooting Guide
Understanding the 550 SPF Check Failed Error The "550 SPF Check Failed" error indicates that a receiving mail server rejected an incoming email. This rejection occurs because the sender's domain failed its Sender Policy Framework (SPF) validation. SPF is an email authentication protocol defined in RFC 7208 . SPF helps prevent email spoofing. It allows domain owners to specify which mail servers are authorized to send email on behalf of their domain. Receiving mail servers perform an SPF check by querying the sender's DNS for an SPF TXT record. If the sending server's IP address is not listed in the domain's SPF record, the SPF check fails. The receiving server then rejects the email based on its configured policy, often resulting in a 550 error. This error protects recipients from unauthorized emails and enhances email security. Initial Diagnosis: Identifying the Root Cause Diagnosing an SPF failure requires examining the bounce message and the domain's DNS records. The bounce message often provides specific details about the SPF failure. Look for phrases like "SPF validation failed," "unauthorized sender," or "IP address not permitted." Common reasons for a 550 SPF Check Failed error include: Missing SPF Record: No SPF TXT record exists for the sending domain. Incorrect SPF Syntax: The SPF record contains errors, making it unreadable or invalid. Incomplete SPF Record: The SPF record does not list all legitimate sending IP addresses or hostnames. DNS Lookup Limit Exceeded: The SPF record requires more than 10 DNS lookups, violating RFC 7208. DMARC Policy Enforcement: A DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy ( RFC 7489 ) with p=reject or p=quarantine is in place, enforcing strict SPF failure handling. To begin diagnosis, use our SPF checker to verify your domain's SPF record and its validity. This tool quickly identifies syntax errors and lookup issues. Step-by-Step Troubleshooting and Resolution Resolving SPF failures involves
AI 资讯
The Hidden Dangers of DMARC p=none: Why It's Undermining Your Email Security (Not Just Deliverability)
Understanding DMARC and the 'p=none' Policy DMARC (Domain-based Message Authentication, Reporting, and Conformance), defined in RFC 7489, is an email authentication protocol. It builds upon SPF (Sender Policy Framework, RFC 7208) and DKIM (DomainKeys Identified Mail, RFC 6376) to provide domain owners with greater control. DMARC instructs recipient mail servers on how to handle emails that fail authentication and provides reporting on these failures. The p=none policy is often adopted as a preliminary step in DMARC implementation. It instructs recipient servers to take no specific action on emails failing DMARC alignment. Its primary function is to enable the collection of aggregate and forensic reports without impacting email deliverability. Many organizations view p=none as a safe, non-disruptive way to begin their DMARC journey. This initial perception, however, overlooks critical security implications. While it offers visibility, p=none provides no actual enforcement against malicious email. The Critical Security Vulnerability of p=none The fundamental flaw of DMARC p=none lies in its complete lack of enforcement. When a DMARC record is set to p=none , recipient mail servers will not block, quarantine, or reject messages that fail DMARC authentication. This includes emails that spoof your domain directly. Threat actors exploit this vulnerability to conduct phishing, business email compromise (BEC), and brand impersonation attacks. They can send emails appearing to originate from your legitimate domain, knowing that p=none offers no protective barrier. The recipient mail server simply delivers the fraudulent message. This policy effectively leaves your domain unprotected against direct domain spoofing. Despite having a DMARC record, your organization remains susceptible to advanced phishing techniques. The security posture of your email ecosystem is compromised. The Illusion of Insight: Data Without Action DMARC p=none does provide valuable data through its repor
AI 资讯
Configuring DMARC p=quarantine: A Technical Step-by-Step Guide to Secure Your Domain and Improve Deliverability
Introduction to DMARC and the p=quarantine Policy DMARC (Domain-based Message Authentication, Reporting, and Conformance), defined in RFC 7489 , is an email authentication protocol. It builds upon SPF and DKIM to provide domain owners with the ability to protect their domain from unauthorized use. DMARC enables senders to specify how receiving mail servers should handle unauthenticated emails originating from their domain. It also provides a mechanism for receiving servers to report back to the domain owner about authentication results. DMARC policies dictate the action receiving mail servers should take when an email fails DMARC authentication. The three primary policies are: p=none : Monitor mode. Receiving servers take no action on failed messages but send reports. This is the initial deployment phase. p=quarantine : Receiving servers should treat failed messages as suspicious. They are typically placed in the recipient's spam folder or flagged for further review. p=reject : Receiving servers should outright reject messages that fail DMARC authentication. This is the strongest enforcement policy. Implementing p=quarantine is a critical step towards full domain protection. It allows domain owners to mitigate spoofing and phishing attempts without immediately blocking legitimate, but misconfigured, email streams. This policy provides a balance between security enforcement and minimizing potential deliverability disruptions. Prerequisites for DMARC p=quarantine Implementation Before deploying a p=quarantine policy, proper configuration of SPF and DKIM is mandatory. DMARC relies on these underlying authentication mechanisms and their alignment with the sending domain. SPF (Sender Policy Framework) SPF, specified in RFC 7208 , allows domain owners to publish a list of authorized sending IP addresses in their DNS. Receiving mail servers check the SPF record to verify if an incoming email originated from an authorized server. An SPF record is a TXT record at the root of
AI 资讯
Dev log #9 Hardening Kademlia DHT and automating the Neovim grind
Seven days of flow. Fixed a peer identity binding issue in py-libp2p, automated my Neovim lockfile merges, and added a massive batch of notes on xv6 and Category Theory. 10 commits and a solid PR in the works. TL;DR I managed to hit a perfect seven-day streak this week, balancing some deep-dive p2p networking work with necessary maintenance on my local environment. The highlight was opening a PR in py-libp2p to tighten up how PeerRecords are handled in the Kademlia DHT. On the side, I spent time automating the annoying parts of my Neovim config and dumping a fresh batch of notes into my knowledge base. 10 commits, 204 lines added, and a much cleaner workflow to show for it. What I Built Neovim Configuration & CI I’m a firm believer that your editor should work for you, not the other way around. My nvim repo saw a lot of action this week—9 commits in total—but most of it was under-the-hood maintenance. I’ve been leaning on Lua to keep things snappy, and this week was about ensuring my plugin ecosystem doesn't rot. I pushed several updates to keep plugins at their latest versions, but the real "quality of life" improvement was adding a chore to auto-resolve lazy-lock.json merge conflicts. If you’ve ever worked on your Neovim config across multiple machines, you know the headache of the lockfile drifting. I set up a flow to prioritize incoming changes, which saves me from manually triaging JSON diffs every time I pull from dev . It’s a small tweak, but it removes a recurring friction point in my daily flow. I also spent time cleaning up the root of the config, with about 37 additions and 33 deletions—refactoring is a constant process when you live in your terminal. The Knowledge Base I also put some serious time into main-notes . I’m currently going deep on a few different subjects, and I use this repo as my "second brain." I added 167 lines of new material across 13 files, covering a pretty diverse range of topics: xv6 (the re-implementation of Unix V6), Category Theo
AI 资讯
I run my homelab like a miniature data centre — here's the network design that made it possible
The homelab started flat. One /24, everything on it. My workstation, the NAS, the Proxmox host, and — over time — a growing list of workloads sharing the same broadcast domain because that was the path of least resistance. For a while, that was fine. A homelab running one workload doesn't need segmentation any more than a house needs an office door. Then I stood up an Akash provider. An Akash provider is, in shape, a Kubernetes cluster that accepts inbound tenant workloads from the internet — real deployments, paying for compute, containers I didn't write landing in namespaces on my hardware. The provider itself is documented at github.com/jjozzietech/akash-provider-ops-public — this piece is about the network underneath it. The containerisation posture itself is fine. I trust the isolation model. But trust isn't a network design. And the network at that moment had the tenant workload cluster sitting on the same subnet as my workstation, my NAS, and my Proxmox management interface. That was the moment I stopped thinking of the rack as a home network with extra boxes, and started thinking of it as a small data centre. This piece is the network design that came out of that shift. I'll cover the layout, the rules that hold it together, and the Nexus and Proxmox configs that anchor it — with the specifics of my own deployment sanitised. It's not a step-by-step replication guide. It's the design pattern, with enough of the shape to be useful and enough restraint to not double as a recon document for my own rack. // the original design The flat layout looked like this: home lan — 192.168.1.0/24 opnsense (perimeter) cisco nexus (dumb L2 switching) proxmox host workload VMs (all on the same subnet) What it got right: zero routing complexity, everything reachable from everywhere, fast to stand up. If you're running one project on a homelab, this is the correct design. Don't over-engineer it. What stopped working, as soon as the second project landed on the rack, was that the
AI 资讯
A small C++ library for sending structured commands and telemetry between devices — no schema files, just add your parameters and serialize
If you've ever tried to build a simple command/telemetry protocol between a PC and a fleet of SDR receivers, sensors, or embedded devices, you know the usual options aren't great: Roll your own binary format — fast, but you end up writing and maintaining custom serialization code for every device type, and debugging mismatched structs across machines is painful. Protobuf / FlatBuffers — robust, but require you to define your message layout in a schema file upfront, run a code generator as part of your build, and commit to a fixed structure. Adding a new device type or a new parameter means editing the schema, regenerating, recompiling everything. JSON over the wire — easy to debug, but heavy for anything real-time or bandwidth-constrained. I ran into this while working on a multi-SDR receiver system and ended up writing MessageFrame — a small C++17 library that lets you build structured messages dynamically, without any schema files or code generation. The basic idea Instead of defining a struct for each device type, you address each parameter with two strings — a device name and a parameter name — and the library handles the rest: // One message, multiple devices, assembled at runtime msgframe :: MessageFrame msg ( MSG_TELEMETRY , TYPE_PERIODIC , src = 1 , tgt = 2 ); msg . add ( "sdr_1" , "rx_gain" , VALUE ( 30.0 )); msg . add ( "sdr_1" , "center_freq" , VALUE ( 915'000'000.0 )); msg . add ( "sdr_1" , "sample_rate" , VALUE ( 2'000'000.0 )); msg . add ( "sdr_2" , "rx_gain" , VALUE ( 25.0 )); msg . add ( "sdr_2" , "lock_status" , VALUE ( true )); msg . add ( "psu_1" , "voltage" , VALUE ( 12.04 )); msg . add ( "psu_1" , "temp_c" , VALUE ( 47.3 )); // Attach raw IQ data alongside the parameters std :: vector < uint8_t > iq_buffer = { 0x01 , 0x02 , 0x03 , 0x04 }; msg . add_attachment ( "raw_iq" , std :: move ( iq_buffer )); // Serialize into a buffer, send over whatever transport you use std :: vector < uint8_t > out ; msg . serialize ( out ); send_udp ( out . data (),
工具
Back online after a summer cold knocked me out for a bit. Excited to catch up on everyone’s posts and share some progress on my networking tools!