
Human Infrastructure 388: Keeping BGP In Check, API Security, Not Letting AI Agents Run Wild, and More

THIS WEEK’S MUST-READ BLOGS 🤓

Jason Gintert introduces the concepts of Internet Routing Registries (IRR) and Routing Policy Specification Language (RPSL). While not new, these technologies might be new to many, especially if you don’t work in the service provider or Internet exchange spaces. In summary, you use IRR and RPSL to help others know that your BGP announcements are legit.

As Jason puts it, “The benefits of IRRs and RPSL are hard to ignore. Industry groups and best practices like MANRS (Mutually Agreed Norms for Routing Security) heavily emphasize their use. It's not just a "nice to have"—it's more like wearing pants to work. You could skip it, but don't be surprised when you get some funny looks if you do.”

Wear your BGP pants, everyone. 😊 - Ethan
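As an added illustration (not code from Jason's post or from this newsletter), here is a small Python check that parses constructed RPSL route objects and classifies observed BGP announcements against them, which is the "is this announcement legit?" question IRR data exists to answer. The registry text, prefixes and AS numbers are made-up samples, and treating any covering route object with a matching origin as valid is a simplification: real IRR-derived filters usually also enforce a maximum prefix length.

```python
import ipaddress

# Constructed sample RPSL route objects (not from any real IRR). Each object
# records which AS is authorised to originate a prefix; the "source:" names
# the registry the object would live in.
SAMPLE_IRR = """\
route:          203.0.113.0/24
descr:          Example Corp customer block
origin:         AS64500
source:         EXAMPLE-IRR

route:          198.51.100.0/24
descr:          Example Corp second block
origin:         AS64500
source:         EXAMPLE-IRR
"""


def parse_route_objects(text):
    """Parse RPSL route objects into {prefix: set(origin ASNs)}.

    RPSL separates objects with blank lines and writes attributes as
    'name: value'; only the route and origin attributes matter here.
    """
    registry = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs[key.strip()] = value.strip()
        if "route" in attrs and "origin" in attrs:
            prefix = ipaddress.ip_network(attrs["route"], strict=True)
            registry.setdefault(prefix, set()).add(attrs["origin"].upper())
    return registry


def check_announcement(registry, prefix, origin_as):
    """Classify an observed announcement (prefix, origin AS) against the IRR.

    Returns 'valid' (a covering route object names this origin),
    'origin-mismatch' (the prefix is registered, but to another AS) or
    'unregistered' (no route object covers the prefix at all).
    Assumption: any covering object with a matching origin counts as valid.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    covering = [p for p in registry
                if p.version == net.version and net.subnet_of(p)]
    if not covering:
        return "unregistered"
    if any(origin_as.upper() in registry[p] for p in covering):
        return "valid"
    return "origin-mismatch"
```

An operator would feed this the route objects fetched from the IRR for a peer's AS and the prefixes seen from that peer, and treat anything other than "valid" as a candidate for filtering or a conversation with the peer.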

Agentic AI is the latest shiny object that the tech industry is gearing up to chase. An AI agent is an autonomous system that users can interact with using natural language. The general idea is that an agent will follow a user’s instructions to complete a given task. This task might involve multiple information systems, and may require multiple agents to actually perform each step of the task. This blog post looks at some security issues the industry will need to grapple with when these agents access business systems and data. They include authentication, ensuring least privilege, traceability or logging, and other concerns. Identity and access management is hard enough with people (and APIs, see below). I don’t know if we’re ready to throw autonomous digital assistants into the mix. - Drew

API security is becoming more critical. For instance, this January security researchers at Salt Labs published research on what they call an API supply chain attack, in which they manipulated API calls between third-party services to take over accounts and redirect traffic to a site they controlled.

While the post linked above is not specifically about preventing an API supply chain attack, it does aim to help you get your arms around API security within an Azure environment. Dan Rios writes “I thought it would be useful to outline one of the many ways to secure your organisation’s protected APIs using Entra token validation, both for local development debugging and when leveraging a managed identity from an Azure Web App.” If you’re in the Azure ecosystem, this post has a ton of detail for enhancing the security posture of your APIs. - Drew

Pat provides a good overview of setting up a hub-and-spoke network in AWS. He includes the major services you’ll need in AWS, including VPCs and a Transit Gateway, and clear steps to set up those services as well as get them connected. If you’re looking to get familiar with AWS or cloud networking in general, this post could serve as a good exercise you can do on your own without incurring much cost. - Drew 

This is a long piece, but very much worth your time. First off, this is not a DEI screed, and Charity Majors is not a DEI warrior. She acknowledges that DEI initiatives can be performative, ham-handed, officious, and eye-rolling.

However, one of the main arguments against DEI is that it prioritizes identity over merit. If you are team merit, Charity Majors would like a word. “Anyone who truly cares about merit should feel compelled to do at least some work to try and lean against the ways our biases cause us to systematically under-value, under-reward, under-recognize, and under-promote some people (and over-value others). Because these effects add up to something cumulatively massive.”

She tells the story of an engineering director at Amazon who wanted to increase gender diversity on their team. This person made one simple change: every application with a female-sounding name got a screening call. Just a screening call. Charity writes “They didn’t change the interview process, they didn’t “lower the bar”, they didn’t do anything except skip the step where women’s resumes were getting filtered out due to the intrinsic biases of the hiring managers.” The result? The number of women hired increased dramatically.

She also dismantles the notion that a diverse and inclusive workforce makes the organization less competitive. “An inclusive culture is one that sets as many people as possible up to soar and succeed, not just the narrow subset of folks who come pre-baked with all of life’s opportunities and advantages. It can be a massive competitive advantage if you build a company that knows how to develop a deep bench of talent and set people up for success.”

Charity also writes “if you don’t give a shit about diversity or inclusion, don’t pretend you give a shit. When I look at the long list of companies who say they are rolling back mentions to DEI internally, I don’t get that depressed. I see a long list of companies who never really meant it anyway.”

To my mind, this piece tries to get beyond the politicization of the acronym to grapple with the underlying goal of diversity, equity, and inclusion: to build an ethical workplace that also makes money and wins in the market. These things do not need to be mutually exclusive. - Drew

Ned and Kyler from the Day Two DevOps podcast are helping to raise funds for The Trevor Project, which provides services, including counseling and suicide prevention, for LGBTQ+ young people. If you want to help, you can buy a Day Two DevOps t-shirt here, and all the proceeds will go to the Trevor Project. What’s more, Ned will match every donation, so your money goes twice as far. I bought one. I hope you will too. - Drew 

MORE BLOGS

  1. Residential Networking Over Telephone (history) - Computers Are Bad Newsletter

  2. The origin and unexpected evolution of the word "mainframe" (more history) - Ken Shirriff’s blog

  3. Life Lessons from the First Half-Century of My Career (excellent) - Communications Of The ACM

  4. WASM will replace containers (hmmmm) - creston.blog

Join us for an exclusive webinar with Google and Catchpoint!

Ben Good and Leo Vasiliou will explore the findings in the 2024 State of DevOps report. For over a decade, the DORA report has provided critical insights into the capabilities and practices that fuel high-performing technology organizations.

In this live webinar, you'll learn:

· How AI adoption has impacted job satisfaction, productivity, and burnout

· The role of platform engineering in scaling DevOps workflows and where it fits into the broader AI discussion

· How a positive developer experience (DevEx) improves product quality and productivity and reduces burnout

· How data from the SRE Report bolsters findings from the DORA report

TECH NEWS 📣

The “Cloudflare in the middle” idea is about Cloudflare already being in the middle of lots and lots of web traffic, including that of AI companies and content creators. Since content creators are not happy that their content is being used without compensation to train AI models, Cloudflare implies that it could govern such connections. If you don’t want your site scraped by a bot for AI training, you could limit that with Cloudflare. Of course, Cloudflare has even bigger aspirations, as intimated in the article, because everyone does. You can’t be a company these days without attempting to take over the entire world, lest you displease your shareholders and forfeit your third yacht. - Ethan

Unpatched gear continues to pay dividends to attackers. - Drew

Ars Technica profiles a software developer who wanted to strike back at Web crawlers sent out by AI companies that ignore “no scraping” rules on Web pages. This developer created malware designed to capture AI Web crawlers in “an "infinite maze" of static files with no exit links, where they "get stuck" and "thrash around" for months,” according to the story. The malware is called Nepenthes, after a carnivorous plant (nice detail). Nepenthes can also feed AI bots textual garbage in hopes of poisoning the models.

One thing I’m curious about. As more AI drivel gets generated, posted, and then re-consumed by content-hungry models, will LLMs eventually become an AI version of the human centipede and poison themselves? - Drew

MORE NEWS

FOR THE LULZ 🤣

RESEARCH & RESOURCES 📒

From the README. “A CLI utility for displaying current network utilization by process, connection and remote IP/hostname…Bandwhich sniffs a given network interface and records IP packet size, cross referencing it with the /proc filesystem on linux, lsof on macOS, or using WinApi on windows.” - Ethan

From the README. “JetKVM is a high-performance, open-source KVM over IP (Keyboard, Video, Mouse) solution designed for efficient remote management of computers, servers, and workstations. Whether you're dealing with boot failures, installing a new operating system, adjusting BIOS settings, or simply taking control of a machine from afar, JetKVM provides the tools to get it done effectively.” Written in Golang. Claims ultra-low latency: 1080p@60FPS at 30-60ms with H.264 encoding. Docs here. - Ethan

A work in progress, but interesting if you have a use case. From the README. “STUNMESH is a Wireguard helper tool to get through Full-Cone NAT…Use raw socket and cBPF filter to send and receive STUN 5389's packet to get public ip and port with same port of wireguard interface. Encrypt public info with Curve25519 sealedbox and save it into Cloudflare DNS TXT record. stunmesh-go will create and update a record with domain <sha1 in hex>.<your_domain>. Once getting info from internet, it will setup peer endpoint with wireguard tools.” - Ethan

In this podcast episode, Chris Wahl looks back at his early days learning and playing with computers. I suspect his reminiscence will trigger some nostalgia in the Packet Pushers audience. - Drew 

There’s a new network automation podcast in town. Called Network Automagic, it’s co-hosted by Steinn "Steinzi" Bjarnarson and Urs Baumann, two very experienced network engineers with a deep interest in automation. The inaugural episode dives into how guest Ryan Shaw is using Temporal to help support his automation workflows. Steinzi was a recent guest on Heavy Networking, so we’d like to think maybe we inspired him and Urs to try this themselves. Welcome to the podcast game! - Drew 

MORE RESOURCES

  1. MTR (network diagnostic tool combining ping & traceroute functionality) - BitWizard B.V.

Symphony 2025 | Palo Alto Networks’ Ultimate Cybersecurity Transformation Event

Don’t miss Symphony 2025–a 1-hour virtual summit for security professionals.

Get the inside track on staying ahead of adversaries, conquering the cloud, unlocking SOC transformation, and more.

Here’s your VIP pass to the future of security innovation, packed with exclusive insights, live demos, and stories from the pros.

INDUSTRY BLOGS & VENDOR ANNOUNCEMENTS 💬 

There’s solid info in here about the risks of both public and private Wi-Fi. It’s a good primer for someone new to the space, and a nice refresher if Wi-Fi isn’t your day job but you want to stay informed. - Drew 

We’ve all heard about (and some of us may be responsible for) large and unexpected cloud bills. This post from Kentik shows how its observability tool can help you monitor, and perhaps optimize, your cloud networking costs using AWS as the example. Using screenshots, it walks through the use of queries you can run in Kentik to help you identify costs in Transit Gateway. It also suggests cheaper options for intra-cloud routing to help you keep those bills down. - Drew  

Meter is a Network as a Service company that builds, installs, and manages network gear on behalf of clients. The company recently announced a partnership with Microsoft in which Meter will use Microsoft’s Azure AI computing infrastructure to build and train new AI models. Meter says its existing generative-AI offering, Command, will move to Azure. In addition, Meter will join the Azure Marketplace in hopes of reaching new customers. The deal also includes a Microsoft investment in Meter, but Meter declined to share details. If you want to know more about Meter’s product and service portfolio, I covered a 2024 funding round. - Drew  

MORE INDUSTRY NOISES

DYSTOPIA IRL 🐙

TOO MANY LINKS WOULD NEVER BE ENOUGH 🐳

  1. Work at the Mill or, the Story of Digital Equipment Corporation - Abort Retry Fail

  2. Reasoning models are just LLMs - <antirez>

  3. Bitly Has Ads Now - Tedium

  4. It's Later Than You Think (AGI & academia) - Anecdotal Value

  5. Q&A with: Game designer Steve Meretzky (Infocom text adventures) - SpillHistorie.no

  6. The Visible Zorker (Zork 1 source code exposed with game play) - Zarf Updates

LAST LAUGH 😆

By Tom Fishburne. Shared on Bluesky by @jperlow.bsky.social