
Human Infrastructure 397: CVE Panic, Is DNS a Database?, DepEx Costs, and More

THIS WEEK’S MUST-READ BLOGS 🤓

It’s been a crazy couple of days for the Common Vulnerabilities and Exposures (CVE) program, which maintains a widely-used registry of known cybersecurity vulnerabilities. The program was created by the MITRE Corporation in 1999, and has been operated by MITRE with funding from various US federal agencies. At present, the Department of Homeland Security is the funder. 

On April 15th, an internal memo from MITRE was leaked. The memo warned that government funding was set to expire on the 16th. The cybersecurity community reacted with alarm. James Berthoty noted on LinkedIn “The CVE ecosystem is a complicated mess, and MITRE is the ultimate source of truth making the whole thing work at scale. Without it, security scanners and teams would need to once again rely on incomplete data from a myriad of vendors and sources.” James’s post also provides an illustration of the complexity of the ecosystem, which I found very helpful.

Since that memo, two significant developments have occurred. First, the US Cybersecurity and Infrastructure Security Agency, or CISA, announced that it would extend funding for MITRE to operate the CVE program for another 11 months. Second, the board that runs the CVE program announced that it was establishing the CVE Foundation, a non-profit entity that would “ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program.”

There’s no detail on how this Foundation will operate or where its funding will come from. However, a brief press release says a goal of the foundation is to eliminate single points of failure in the ecosystem, and to ensure the program maintains global trust for the global infosec community. I’ll be keeping an eye on this story as it develops. - Drew

Network engineer and content creator Kevin Nanns failed the LinkedIn Challenge of a post per day for 100 consecutive days. Of course, as any good content creator knows, there’s an opportunity to take that failure and turn it into…content. 😀

Kevin writes that he’s glad he failed, because it forced him to reflect on why he writes and podcasts and shoots video: “Authenticity means more to me than anything else. I like sharing things I’m genuinely interested in, things that help people, spark curiosity, or just make me laugh. But I can only do that when inspiration hits. If I force it, it shows. Not just to me, but to anyone reading or watching my content.”

He’s absolutely right. Now that AI can churn out “content” with a simple prompt, the barrier to content generation is basically zero. The challenge isn’t volume; the challenges are quality, authenticity, and value to the reader/viewer/listener. Social media wants to turn content creation into a numbers game because social media thrives on volume and novelty. But we shouldn’t play that game. Craft, care, and enthusiasm are what make something worth creating—and consuming. - Drew

IT cost discussions tend to focus on CapEx and OpEx. Gian Paolo is here to remind us of DepEx, or Decommissioning Expenditure. DepEx is the cost of getting rid of IT things, be it a server, a firewall, a circuit, or even a policy. Decommissioning does come with costs, especially if you do it right (wiping drives, responsibly disposing of e-waste, and so on). The post also notes that decommissioning involves a bit of detective work: “You’ll need to verify documentation (if it exists and is accurate), collect logs, check traffic metrics, and maybe even fire up a packet capture to confirm that the asset is no longer in use. And only then can you safely remove it, hopefully without taking down something critical by accident.” - Drew

Tech Safari is an excellent newsletter on startup activity across Africa. This post declares that the world has too many software companies, and that Africa is following suit. It makes a strong argument for why more hardware-focused startups in sectors such as energy, manufacturing, and agriculture are necessary to accelerate the continent’s development. While a robust software startup scene is good for Africa, increased investment in hardware development could have more material impact on people’s lives. (Frankly, I think the US could also use more startups targeting hard problems in energy, climate, medicine, and so on, and fewer get-rich-quick schemes built around AI and/or the harvesting of consumer data, or building surveillance apps for the police state.)

The problem is that hardware is, well, hard. A software company is much cheaper to start and to scale, and it’s much easier to pivot if an initial plan doesn’t pan out. That’s not the case with hardware, where iteration can be costly, you need an ecosystem of parts and suppliers, and scaling up takes significant investment. The post ends with an example of a Nigerian startup finding success with security drones.

It’s a good read. And BTW, the newsletter is well worth subscribing to. - Drew

Chris argues that what DNS really does, quite often anyway, is lie to you. As such, it’s not reasonable to call it a database.

“DNS is designed from the ground up to lie to you in unpredictable ways, and parts of the DNS system lie to you every day. We call these lies things like 'outdated cached data' or 'geolocation based DNS' (or 'split horizon DNS'), but they're lies, or at least inconsistent alternate versions of some truth.”

I understand the point he’s making, but I don’t think I agree with him. DNS tells falsehoods purposefully for reasons of performance and security. Stale cache aside, the answers are correct for the client that asked the question. I find it easier to argue that DNS is a distributed database than not. You just have to know what to expect from it. The details definitely matter. - Ethan

MORE BLOGS

Get AI-Native Security that moves at the speed of your business

Don’t let network protection slow you or your business down.

Juniper’s new SRX4700 Firewall is designed to protect data in motion, bringing security and networking together in a single, streamlined platform.

That means you can mitigate risk without interruption. Making sure users aren’t just well protected, but enjoying the very best network experience.

And with the Mist AI Predictive Prevention Feature, it’s never been easier to keep the network safe from potential, initial, and subsequent attacks.

That means you, future cybersecurity hero, can detect and stamp out bad actors and sophisticated threats before they wreak havoc on the business.

With Juniper, you’re always one step ahead.

<Explore Our Solutions Now>

TECH NEWS 📣

It’s gotta be hard for tech leaders to come up with long-term business plans in the current uncertainty of Schrödinger’s tariffs. They’re alive. They’re dead. They’re both alive and dead in an economic superposition, and you don’t know which until your product gets to the border and a customs agent opens the container.

It looks like Nvidia hopes to establish some certainty with a promise to do more manufacturing on US soil. But as the Ars Technica story notes, these kinds of developments can’t happen overnight, and in some cases advanced capabilities aren’t even available in the US. That means certain chips could be partially made here, but then have to be sent to Taiwan for “advanced packaging,” thus running afoul of tariffs anyway. - Drew

As of version 8 Update 3e, ESXi is freely available once more. If you read through the “What’s New” section of the release notes, you’re aware. Obviously.

“But the plans were on display…”

“On display? I eventually had to go down to the cellar to find them.”

“That’s the display department.”

“With a flashlight.”

“Ah, well, the lights had probably gone.”

“So had the stairs.”

“But look, you found the notice, didn’t you?”

“Yes,” said Arthur, “yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard.’” - Douglas Adams

For science, I registered an account with Broadcom Support. Found my way to the Free Downloads page. Clicked on “VMware vSphere Hypervisor”. More clicking and sharing of personal details. And then…I was able to download the ISO. I didn’t get further than that, i.e. firing it up & sorting out a license. But that the Broadcom Support Portal let me download the ISO when I have no other support relationship seems promising. - Ethan

MORE NEWS

FOR THE LULZ 🤣

Give it a second and you’ll get there (assuming your ADD isn’t kicking in). Shared on Bluesky by jam.

RESEARCH & RESOURCES 📒

Avi Freedman & Leon Adato have been working on this future O’Reilly Technical Guide. Click through to read this early release version (ungated, no reg required) as Avi and Leon continue to work on it. They’d appreciate your feedback. I know both Avi and Leon a bit, and expect this book to be excellent. - Ethan

From the landing page. “NetStruct is a modern, interactive tool designed to help IT professionals visualize, plan, and manage network infrastructures. With real-time drag & drop capabilities, page-based layouts, and customizable markers, NetStruct makes network mapping intuitive and efficient.”

NetStruct is also open source and available in a multitude of formats. I haven’t tried it, but it’s on the list. I have use cases… - Ethan

From the README. “Cloud Snitch provides a sleek and intuitive way of exploring your AWS account activity. It's a great addition to any toolbox, regardless of if you're a hobbyist that's just getting started with the cloud or a large enterprise with complex and mature cloud infrastructure. With Cloud Snitch, there's no excuse for not knowing everything your AWS accounts are up to.” - Ethan

LLMs used by developers to assist with coding sometimes make reference to software packages that don’t exist: a package hallucination. A group of researchers posit that this creates the potential for software supply chain attacks. A threat actor could publish a software package under a hallucinated name, and perhaps trick a developer into incorporating malicious software into a larger code base. The researchers tested 16 LLMs, commercial and open-source, and had them generate code in Python and JavaScript.

The results? “Our findings reveal that the average percentage of hallucinated packages is at least 5.2% for commercial models and 21.7% for open-source models, including a staggering 205,474 unique examples of hallucinated package names.” That’s a significant chunk of hallucinated packages.

I’m not sure how much of a threat this is compared to more conventional attacks, such as spear-phishing and credential theft to get access to a code repository, but it’s interesting research, and it would make for a cool plot point in a techno-thriller. - Drew 

Apparently, when using Microsoft Entra ID with NetBox, you can’t get the AD group or role info for users out of the box. So Markku wrote a little program to do that. He says he’s tested it with Netbox 4.2.7. - Drew 

MORE RESOURCES

  1. MeshCore (commercial product) - off-line and off-grid messaging platform

  2. Grafana Foundation SDK - manipulate & generate Grafana resources in code

  3. PodPace - Podcast Speech Normalization - jamesjmcconnell via GitHub

Calling all Wireshark users! 

Register now for the SharkFest’25 US conference - June 14-19 in Richmond, VA - to learn from the best in network analysis. The conference, focused on sharing knowledge, experience and best practices among the Wireshark® developer and user communities, will feature a keynote by Vint Cerf, recognized as one of "the fathers of the Internet". Meet the Wireshark core developers, network with your peers, level up your skills, build your professional network and much more! Don't miss out on what past attendees have called "the best conference in the industry" and "a privilege to catch up with the Wireshark community."

Registration link and more details at: https://sharkfest.wireshark.org/sfus/registration-options/

INDUSTRY BLOGS & VENDOR ANNOUNCEMENTS 💬 

GOOG reports, “Today we are announcing that Google’s global network is available for all businesses and governments to use with our new Cloud WAN solution.

Cloud WAN is a fully managed, reliable, and secure enterprise backbone to transform enterprise wide area network (WAN) architectures. It leverages Google’s planet-scale network, which is optimized for application performance. Cloud WAN provides up to 40% faster performance compared to the public internet, and up to a 40% savings in total cost of ownership (TCO) over a customer-managed WAN solution.”

And why else might you want to run your enterprise traffic over Google’s infrastructure?

“Cloud WAN enables two key use cases: providing high-performance connectivity between geographically dispersed data centers, and connecting branch and campus environments over our Premium Tier network.”

The AI angle mentioned in the headline? That’s about the suitability of the network to carry AI compute workloads, not about AI doing anything interesting with the network itself.

Vendor partner solutions include Infoblox and Juniper Networks Mist.

If any of you price Google Cloud WAN out, I’d love to hear what you think. - Ethan

Cato aims to bolster its CASB offering with new capabilities to detect and analyze the use of GenAI applications. In particular, Cato is targeting organizations concerned about the use of shadow AI apps, that is, GenAI apps that might be being used outside of policy guidelines or controls. - Drew

The consultancy and IT infrastructure service provider Kyndryl is offering a new set of services based around a private cloud for AI. The services include consulting and infrastructure built around NVIDIA gear and Dell’s AI Factory, as well as “services and capabilities around containerization, data science tools and microservices to deploy and manage AI applications on the private cloud.” Kyndryl engagements can also help organizations identify “high-ROI industry use cases,” which should be useful when mandates come down from on high to get in on AI. - Drew

MORE INDUSTRY NOISES

DYSTOPIA IRL 🐙

TOO MANY LINKS WOULD NEVER BE ENOUGH 🐳

LAST LAUGH 😆

Shared by Kaj on the Packet Pushers Slack channel. You can join us there!