Comment by kachapopopow
4 days ago
Can confirm this is true: a single rack of servers can now handle terabits of traffic in real time with near zero added latency; anti-DDoS companies do this as a service.
Is it the powerful servers making the difference here? Or the coveted back haul connections which have access to the data passing by?
I suppose it's both, but the latter is the scarcer resource.
It used to be that they needed to dedicate entire rooms for interception hardware, and tighter maintenance schedules. Nowadays, the devices they use are tiny in comparison, way easier to hide. I've encountered infrastructure companies discovering hardware that doesn't belong to them, in their local infrastructure, and when detected and reported, law enforcement came to pick it up, and refused to talk about it. That case still hasn't had a resolution, and it's about 4 years ago now.
> and when detected and reported, law enforcement came to pick it up, and refused to talk about it.
By "law enforcement", I'd assume the feds and not local. Why not just say which agency? Wouldn't this pretty much be FBI? Why use such a generic term?
6 replies →
Be afraid of that random Raspberry Pi device dangling off the switch.
Just kidding, it's just backup access via the datacenter WiFi.
1 reply →
> That case still hasn't had a resolution, and it's about 4 years ago now.
Sure it has!
The resolution was “go fuck yourself, what the fuck are you going to do about it?”.
Y’know: respectfully.
It's the servers, specifically the parallelization with more cores and better math functions like AVX-512.
Let's say I have a public website with https. I allow anyone to post a message to an api endpoint. Could a server like this read the message? How?
They may not be able to decrypt it now, but it is well known that most of encrypted Internet traffic is permanently stored in NSA data centers [1] with hopes of decrypting it soon once quantum computing can do it.
[1] https://en.wikipedia.org/wiki/Utah_Data_Center
> but it is well known that most of encrypted Internet traffic is permanently stored in NSA data centers
It's "well known"? News to me.
I doubt the NSA has storage space for even 1 year's worth of "most of encrypted Internet traffic", much less for permanently storing it.
They have a relationship with your cert provider and get a copy of your cert or the root so they can decrypt the traffic.
I thought the whole point of the ACME client was that the private key never leaves my server to go to Let's Encrypt's servers. Now yes, if I am using Cloudflare Tunnel, I understand the TLS terminates at Cloudflare and they can share with anyone, but still it has to be a targeted operation, right? It isn't like Cloudflare would simply share all the keys to the kingdom?
1 reply →
No, the private keys are yours. The root CA just 'signs' your key in a wrapper that was "issued" by e.g. Let's Encrypt, and Let's Encrypt just has one job: validate that you own the domain via ACME validation.
That is not how PKI works. Your cert provider does not have a copy of your private key to give out in the first place.
Having the private key of the root cert does not allow you to decrypt traffic either.
They would just compromise wherever your TLS is terminated (if not E2E, which most of the time it is not), but also just taking a memory dump of your VM / hardware to grab the TLS keys and being able to decrypt most future and past traffic is an option.
It's funny that people still have any expectation of privacy when using a vm hosted at a place like AWS or Azure... They're giving any and every last bit you have, if the right people ask.
6 replies →
Yes, unless you pinned the public key.
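The two points made in this sub-thread (a CA only signs a wrapper around your public key and never holds your private key, and pinning the public key is what protects you against a cert for your name issued to someone else's key) can be checked end to end with Go's standard library. The program below is an added example, not code from anyone in the thread; the "Example Root CA", the hostname example.test and the challenge string are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a P-256 key pair. Each party (CA, server, a second party)
// keeps its own private half; nothing below ever copies one to another party.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign has signer (parent cert + its private key) issue tmpl for pub.
// Note the inputs: the subject's PUBLIC key and the SIGNER's private key.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// issueCA builds a self-signed root for a constructed "Example Root CA".
func issueCA(caKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return sign(tmpl, tmpl, &caKey.PublicKey, caKey)
}

// issueLeaf is the CA's one job: wrap serverPub in a certificate for the
// name. The CA only ever sees the public key, as with an ACME client.
func issueLeaf(root *x509.Certificate, caKey *ecdsa.PrivateKey, serverPub *ecdsa.PublicKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, root, serverPub, caKey)
}

// chainValid is the check most clients stop at: does cert chain to a trusted
// root for this hostname?
func chainValid(cert, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: "example.test"})
	return err == nil
}

// canProveKey reports whether holder can sign a challenge that verifies under
// the public key embedded in cert. A TLS server must do this in the handshake,
// so neither the CA's key nor the certificate alone lets anyone stand in for it.
func canProveKey(cert *x509.Certificate, holder *ecdsa.PrivateKey) bool {
	digest := sha256.Sum256([]byte("constructed handshake transcript"))
	sig, err := ecdsa.SignASN1(rand.Reader, holder, digest[:])
	if err != nil {
		return false
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo: the value a
// client pins so that a cert for the same name but a different key is
// rejected even when a trusted CA signed it.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

func main() {
	caKey := newKey()
	root := issueCA(caKey)
	serverKey := newKey()
	leaf := issueLeaf(root, caKey, &serverKey.PublicKey, 2)
	fmt.Println("leaf chains to root:       ", chainValid(leaf, root))
	fmt.Println("server proves its key:     ", canProveKey(leaf, serverKey))
	fmt.Println("CA key proves server key:  ", canProveKey(leaf, caKey))

	// Same name, same CA, different key: chain validation accepts it, a pin does not.
	otherKey := newKey()
	other := issueLeaf(root, caKey, &otherKey.PublicKey, 3)
	fmt.Println("other cert chains to root: ", chainValid(other, root))
	fmt.Println("other cert matches pin:    ", spkiPin(other) == spkiPin(leaf))
}
```

Running it prints true, true, false, true, false: the CA's private key signs certificates but cannot complete a handshake as the server, and the second certificate passes ordinary chain validation yet fails the SPKI pin comparison, which is exactly the case pinning is for.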