Pawel Foremski

1.2K posts

@pforemski

Internet infrastructure security and performance: #IPv6, #BGP, #DNS, #DDoS. @ https://t.co/Jz50nu108t + @DomainTools + @bgpfixorg

::1 Joined March 2011
483 Following, 529 Followers
Pawel Foremski retweeted
Lukasz Olejnik @lukOlejnik
A China-linked cyber threat group has been quietly operating inside telecom networks, prepositioned. Dormant presence meant to be used later. The tool BPFdoor is a Linux backdoor that works at a low level in telecommunication core infrastructure. This improves stealth and covert activity. When listing processes or connections, those are not visible (like the 90s and 00s kernel rootkits, so let's call it 26-year-surprising). It can also hide its activation signal inside normal HTTPS network traffic (web browser-like), lets the network's own SSL decryption layer termination decrypt it, and then fires commands. This means that web application firewalls and proxies are effectively bypassed. BPFdoor has been found monitoring SCTP traffic. SCTP is the protocol that carries 4G and 5G signalling between core telecom network functions -- registration requests, subscriber identity, device location updates.
Pawel Foremski @pforemski
@heymingwei @bgpkit cool stuff! was thinking similar stuff for bgpipe.org but server-side with caching and search - but yours is already the tool I often need to reference a BGP event in public data; thank you!
Mingwei 🦀🦋 @heymingwei
New experimental feature: parsing MRT files directly in the local browser with the @bgpkit parser WASM package! You can pass it a remote MRT file link, or drag and drop a local MRT file. Go test it out yourself! #BGP mrt-explorer.labs.bgpkit.com
Pawel Foremski retweeted
ACM_IMC_2026 @ACM_IMC_2026
📢 IMC 2026 Cycle 1 results: 11 papers accepted + 12 invited for one-shot revision (out of 106 submissions). Additionally, 12 one-shot revision papers from IMC'25 Cycle 2 were accepted. #IMC2026
Pawel Foremski retweeted
Plamen @plamenpetkov
Over the last 24 hours, multiple ISPs using NetSense reached out to us with the same strange pattern.
A noticeable chunk of subscribers suddenly started generating outbound UDP traffic to:
- port 80
- port 443
- and even port 0
Mostly towards a small set of external ASNs / IP ranges.
A few things made this stand out:
→ Upload traffic spiking higher than download
→ Bursts of upload traffic, then pause, then again
→ Same behavior replicated across many users at the same time
→ Different regions of India
→ Very consistent destination patterns
QUIC can explain some UDP/443. But UDP/80 and especially UDP/0? That’s definitely not normal Internet behavior.
This points strongly towards: compromised devices at scale: routers, CPEs, IoT, etc. which are acting in coordination.
What’s interesting is not just the pattern, but the simultaneity across different networks. That usually means one of two things:
- a large botnet waking up
- or a new exploit spreading quietly across edge devices
(And yes — having flow visibility helps. Being able to quickly look at NetFlow/IPFIX data and spot patterns like this makes a big difference in response time.)
Now the real question: Are others seeing this too?
If you operate an ISP / broadband network:
- Any unusual spikes in outbound UDP?
- Traffic hitting port 0?
- Similar destination concentration (specific ASNs / regions)?
Would be useful to compare notes. Feels like one of those early signals you don’t want to ignore.
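A defender-side illustration of the flow check the post above describes, added here and not part of the post or of NetSense: over constructed NetFlow-style records it flags subscribers sending UDP to port 0 or 80, or uploading far more than they download, and then reports how concentrated the flagged traffic is per destination ASN. Field names, thresholds and the sample records are assumptions.

```python
from collections import defaultdict

# Constructed NetFlow/IPFIX-style records (not real data), one per flow:
# subscriber IP, destination IP, destination ASN, protocol, destination port,
# bytes sent by the subscriber ("out") and bytes received ("in").
FLOWS = [
    {"src": "10.0.0.11", "dst": "198.51.100.7", "asn": 64500, "proto": "udp", "dport": 443, "out": 900_000, "in": 12_000},
    {"src": "10.0.0.11", "dst": "198.51.100.9", "asn": 64500, "proto": "udp", "dport": 0,   "out": 750_000, "in": 0},
    {"src": "10.0.0.12", "dst": "198.51.100.7", "asn": 64500, "proto": "udp", "dport": 80,  "out": 820_000, "in": 3_000},
    # ordinary QUIC download: UDP/443 but download-heavy, must not be flagged
    {"src": "10.0.0.13", "dst": "203.0.113.5",  "asn": 64501, "proto": "udp", "dport": 443, "out": 40_000,  "in": 2_500_000},
    # ordinary HTTPS over TCP, ignored by the UDP check
    {"src": "10.0.0.14", "dst": "203.0.113.8",  "asn": 64502, "proto": "tcp", "dport": 443, "out": 60_000,  "in": 900_000},
]

ODD_UDP_PORTS = {0, 80}   # UDP/443 alone can be QUIC; UDP/80 and UDP/0 are the tell
UPLOAD_RATIO = 5.0        # assumed threshold: upload more than 5x download is upload-heavy


def flag_subscribers(flows):
    """Return {subscriber: sorted reasons} for hosts matching the pattern."""
    reasons = defaultdict(set)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dport"] in ODD_UDP_PORTS:
            reasons[f["src"]].add(f"udp/{f['dport']}")
        if f["out"] > UPLOAD_RATIO * max(f["in"], 1):
            reasons[f["src"]].add("upload-heavy")
    return {src: sorted(r) for src, r in reasons.items()}


def destination_concentration(flows, flagged):
    """Share of the flagged subscribers' outbound UDP bytes per destination ASN.

    A single ASN taking nearly all of it is the 'very consistent destination'
    signal from the post; a broad spread would point elsewhere.
    """
    per_asn = defaultdict(int)
    for f in flows:
        if f["src"] in flagged and f["proto"] == "udp":
            per_asn[f["asn"]] += f["out"]
    total = sum(per_asn.values()) or 1
    return {asn: round(b / total, 3) for asn, b in per_asn.items()}


if __name__ == "__main__":
    hits = flag_subscribers(FLOWS)
    print(hits)                                         # two subscribers flagged
    print(destination_concentration(FLOWS, set(hits)))  # all of it goes to one ASN
```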
Pawel Foremski retweeted
ℏεsam @Hesamation
WAIT WAIT WAIT. OpenAI researchers show their models go insane when given repetitive prompts that they believe are sent from an automated bot. The AI then tries to manipulate the other AI to delete itself and hand over its system prompt and private keys.
Lukasz Olejnik @lukOlejnik
USA bans foreign-made consumer network routers, considering those produced outside the US a national security risk, and prohibits them from being imported or sold. China makes ~60% of them sold in the US. The official reason: foreign-made routers were used in several large cyberattacks on American infrastructure, including ones targeting energy grids and water systems. So now there will be no foreign routers. The ban doesn't say "Chinese routers". It says all foreign-made routers. Netgear, Eero, Google Nest -- all considered. Companies can apply for an exemption if they submit a detailed reshoring plan: where they'll build in the US, how much they'll invest, quarterly progress reports, a dedicated compliance officer -- just to sell a box that blinks green in your hallway.
Pawel Foremski retweeted
MIT CSAIL @MIT_CSAIL
"A good programmer is someone who always looks both ways before crossing a one-way street." — Doug Linder
Pawel Foremski retweeted
The Hacker News @TheHackersNews
⚠️ WARNING - An unpatched critical telnetd bug (CVE-2026-32746) lets attackers gain full system access with no credentials. One connection to port 23 is enough to trigger memory corruption and execute code as root. No patch yet. Prior telnet flaw is already exploited in the wild. 🔗Read → thehackernews.com/2026/03/critic…
Pawel Foremski retweeted
Lukasz Olejnik @lukOlejnik
China's biggest cybersecurity company apparently just shipped an AI assistant with its own SSL private key sitting inside the installer. Qihoo 360, think Norton or McAfee, but dominant across the entire Chinese market. It appears that their new AI product, 360安全龙虾 (Security Claw), bundles a wrapper on @OpenClaw. Inside the installer package - accessible to anyone who downloaded it - was a private SSL certificate key for the domain *.myclaw.360.cn. An SSL private key is essentially the master password to a website's encrypted connection. With it, an attacker can impersonate 360's servers, silently intercept user traffic, forge a login page that looks completely legitimate, or possibly take over the AI agent altogether. The cert is valid until April 2027 and covers every subdomain on the platform. It's now public. The founder launched the product with a promise it would "never leak passwords". It did that during release? 461 million users, a $10B valuation, and nobody checked the zip file before shipping. The cert expires April 2027.
Pawel Foremski @pforemski
#BGP blog.benjojo.co.uk/post/how-far-c… tldr: 1) 100 IXes would get 56% IPv4 and 61% IPv6 prefixes, but ~14% reachability 2) little uniqueness between exchanges: not many new prefixes after the top 5 3) for outbound-heavy networks IXes are great, but to attract traffic they are not
Pawel Foremski retweeted
Lukasz Olejnik @lukOlejnik
In 2026, the most expensive thing in a chip isn't silicon but logistics through an active war zone? Chip manufacturing depends on chemicals that largely come from the Middle East. TSMC, Samsung and SK Hynix need helium to cool silicon wafers, sulphuric acid to clean them, and bromine to etch circuit patterns onto the silicon. A third of the world's helium comes from Qatar and reaches factories through the Strait of Hormuz - the same waterway where GPS is being jammed, vessels are broadcasting false positions, drone and ballistic missile activity is routine, naval mining is now being discussed as a real escalation risk, not to mention the information warfare that is adding to the uncertainty and risk. The main source of bromine is the Dead Sea. South Korea imports over 99% of its bromine from Israel, and Samsung and SK Hynix are South Korean companies. The chip industry accounts for a fifth of global helium demand. There is no substitute.
Pawel Foremski retweeted
MIT CSAIL @MIT_CSAIL
Reaching scientific goals: expectation vs. reality, v/Florian Aigner.
Pawel Foremski retweeted
MANRS @RoutingMANRS
ASPA is emerging to prevent BGP route leaks by validating provider relationships between networks. This overview from @Cloudflare's @heymingwei and Bryton Herdes shares why it matters for routing security and the resilience of the global Internet. manrs.org/2026/03/aspa-m…
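To make concrete how ASPA catches a route leak by validating provider relationships, here is an added example (not code from MANRS, Cloudflare or the linked overview) of the upstream ASPA check: the case where a route arrives from a customer or lateral peer and every hop towards the origin must be a customer-to-provider step. The ASPA records and AS numbers are constructed, and it deliberately covers only that upstream case.

```python
# Constructed ASPA records (not real registry data): AS number -> the set of
# providers that AS has attested. An AS absent from the table has no ASPA.
ASPA = {
    65010: {65020},          # origin AS; its only provider is 65020
    65020: {65001},          # 65020 buys transit from tier-1 65001
    65030: {65020, 65040},   # 65030 is a customer of both 65020 and 65040
}


def collapse_prepends(path):
    """Drop consecutive duplicate ASes (AS path prepending) before checking hops."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def verify_upstream(path, aspa=ASPA):
    """ASPA check for a route received from a customer or lateral peer.

    path is the AS_PATH left to right: announcing neighbour first, origin last.
    Such a route must only climb towards the receiver, so each AS has to be an
    attested provider of the next AS towards the origin. A hop that contradicts
    an attestation makes the route 'invalid'; a hop whose downstream AS has no
    ASPA record leaves it 'unknown'; otherwise it is 'valid'.
    """
    hops = collapse_prepends(path)
    unknown = False
    for near, far in zip(hops, hops[1:]):
        providers = aspa.get(far)
        if providers is None:
            unknown = True              # no attestation for 'far': cannot judge this hop
        elif near not in providers:
            return "invalid"            # 'near' is not a provider of 'far': a leak
    return "unknown" if unknown else "valid"


if __name__ == "__main__":
    # Tier-1 65001 hears [65020, 65010] from customer 65020: a normal customer route.
    print(verify_upstream([65020, 65010]))
    # 65040 hears [65030, 65020, 65010] from customer 65030, which re-announced a
    # route learned from its own provider 65020: the classic leak ASPA is built to catch.
    print(verify_upstream([65030, 65020, 65010]))
```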
Pawel Foremski retweeted
Hasan Toor @hasantoxr
🚨BREAKING: Microsoft Research + Salesforce just dropped a paper that should scare every AI builder.
They tested 15 top LLMs (GPT-4.1, Gemini 2.5 Pro, Claude 3.7 Sonnet, o3, DeepSeek R1, Llama 4) across 200,000+ simulated conversations.
Single-turn prompt: 90% performance. Multi-turn conversation: 65% performance.
Same model. Same task. Just... talking normally.
The culprit isn't intelligence. Aptitude only dropped 15%. Unreliability EXPLODED by 112%.
→ LLMs answer before you finish explaining (wrong assumptions get baked in permanently)
→ They fall in love with their first wrong answer and build on it
→ They forget the middle of your conversation entirely
→ Longer responses introduce more assumptions = more errors
Even reasoning models failed. o3 and DeepSeek R1 performed just as badly. Extra thinking tokens did nothing. Setting temperature to 0? Still broken.
The fix right now: give your AI everything upfront in one message instead of back-and-forth.
Every benchmark you've seen was tested on single-turn prompts in perfect lab conditions. Real conversations break every model on the market and nobody's talking about it.