AS prepending is a relatively common method of traffic engineering to reduce traffic from a peer/provider. Looking at CANTV's (AS8048) announcements from outside that period shows they do this a lot.
Since this was detected as a BGP route leak, it looks like CANTV (AS8048) propagated routes from Telecom Italia Sparkle (AS6762) to GlobeNet Cabos Submarinos Colombia (AS52320). This could have simply been a misconfiguration.
Nothing nefarious immediately jumps out to me here. I don't see any obvious attempts to hijack routes to Dayco Telecom (AS21980), which was the actual destination. The prepending would have made traffic less likely to transit over CANTV assuming there was any other route available.
The prepending done by CANTV does make it slightly easier to hijack traffic destined to it (though not really to Dayco), but that just appears to be something they just normally do.
This could be CANTV trying to force some users of GlobeNet to transit over them to Dayco I suppose, but leaving the prepending in would be an odd way of going about it. I suppose if you absolutely knew you were the shortest path length, there's no reason to remove the prepending, but a misconfiguration is usually the cause of these things.
What most likely happened, instead of a purposeful attempt to leak routes and MITM traffic, is CANTV had too loose of a routing export policy facing their upstream AS52320 neighbor, and accidentally redistributed the Dayco prefixes that they learned indirectly from Sparkle (AS6762) when the direct Dayco routes became unavailable to them.
This is a pretty common mistake and would explain the leak events that were written about here.
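Added example, not part of any comment here or of the linked article: a valley-free check that flags the kind of leak described above, where a route learned from one provider is exported to another provider. The relationship table and the sample AS paths (including the number of prepends) are constructed from the thread's description and are assumptions, not measured data.

```python
from itertools import groupby

PROVIDER, CUSTOMER, PEER = "provider", "customer", "peer"
INVERSE = {PROVIDER: CUSTOMER, CUSTOMER: PROVIDER, PEER: PEER}

# (a, b) -> what b is to a. ASSUMED relationships, built from the thread's
# description for illustration only; real data would come from a relationship dataset.
REL = {
    (8048, 6762): PROVIDER,   # Sparkle as a provider of CANTV
    (8048, 52320): PROVIDER,  # GlobeNet as an upstream of CANTV
    (21980, 6762): PROVIDER,  # Dayco reachable via Sparkle
    (21980, 8048): PROVIDER,  # Dayco's direct link to CANTV
}


def role_of(neighbor, asn, rel=REL):
    """Return what `neighbor` is to `asn` (provider/customer/peer), or None."""
    if (asn, neighbor) in rel:
        return rel[(asn, neighbor)]
    if (neighbor, asn) in rel:
        return INVERSE[rel[(neighbor, asn)]]
    return None


def collapse_prepends(as_path):
    """Drop consecutive duplicate ASNs so prepending does not hide the topology."""
    return [asn for asn, _ in groupby(as_path)]


def find_leak(as_path, rel=REL):
    """Return (leaker, learned_from, exported_to) for the first valley, else None.

    `as_path` is in BGP order: collector side first, origin AS last.
    A route that has already crossed a peer link or travelled provider->customer
    may only be exported to customers; exporting it to a provider or peer is a leak.
    """
    hops = collapse_prepends(as_path)[::-1]  # walk in propagation order, origin first
    descended = False
    for i in range(len(hops) - 1):
        sender, receiver = hops[i], hops[i + 1]
        role = role_of(receiver, sender, rel)
        if role is None:
            raise LookupError(f"no relationship known for AS{sender} -> AS{receiver}")
        if role == CUSTOMER:
            descended = True                      # normal downhill export
        elif descended:
            return (sender, hops[i - 1], receiver)  # uphill/sideways after downhill
        elif role == PEER:
            descended = True                      # at most one peer hop at the top
    return None


# Constructed paths: the leaked one (with CANTV prepends) and the direct one.
LEAKED_PATH = [52320, 8048, 8048, 8048, 8048, 6762, 21980]
DIRECT_PATH = [52320, 8048, 21980]

if __name__ == "__main__":
    for path in (LEAKED_PATH, DIRECT_PATH):
        print(path, "->", find_leak(path))
```

The check only says that an export violated the usual customer/provider rules; it cannot distinguish a loose export policy from intent, which is the same limit the comments above point out.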
Apparently that is part of implementing ECH (Encrypted Client Hello) in TLS 1.3 where the DNS hosts the public key of the server to fully encrypt the server name in an HTTPS request. Since Nginx and other popular web servers don't yet support it, I suspect the 7% of requests are mostly Cloudflare itself.
(1) https://radar.cloudflare.com/?ref=loworbitsecurity.com#dns-q...
It's one way, but an H1/H2 connection can also be promoted to H3 via the alt-svc header. The DNS method is slightly better though since it potentially allows a client to utilize H3 immediately from the first request.
The new development (encrypted client hello) is you no longer have to send the hostname. So someone listening in the middle would only see you connected to an AWS/etc IP. This will make blocking websites very difficult if they use shared services like cloudflare or cloud VPS hosting.
I see this as a very good development and a big win for privacy. I have been running my own DNS server for years to prevent passive logging, but could basically do nothing against the SNI leak.
Until some clueless judge orders all of cloudflare to be blocked.
If you don’t use a CDN at all, the destination IP leaks what site you’re trying to connect to (if the domain is well known). If you use a CDN without ECH, you send an unencrypted domain name in the HTTPS negotiation so it’s visible there. ECH+CDN is an attempt to have the best of both worlds: your traffic to the site will not advertise what site you’re connecting to, but the IP can still be shared between a variety of sites.
It’ll be interesting to see how countries with lighter censorship schemes adapt - China etc. of course will just block the connection.
It’s not just encrypted server name indication (ESNI), it is the whole hello now (ECH)! So you don’t leak anything.
HTTPS is the name of a protocol, which is mostly used to make the World Wide Web work, but we do lots of other things with it, such as DNS-over-HTTPS aka DoH.
However HTTPS is also the name of a type of DNS record, this record contains everything you need to best reach the named HTTPS (protocol) server, and this is the type of record your parent didn't previously know about.
In the boring case, say, 20 years ago, when you type https://some.name/stuff/hats.html into a web browser your browser goes "Huh, HTTPS to some.name. OK, I will find out the IPv4 address of some.name", and it makes a DNS query asking A? some.name. The DNS server answers with an IPv4 address, and then as the browser connects securely to that IP address, it asks to talk to some.name, and if the remote host can prove it is some.name, the browser says it wants /stuff/hats.html.
Notice we have to tell the remote server who we hope they are - and it so happens eavesdroppers can listen in on this. This means Bad Guys can see that you wanted to visit some.name. They can't see that you wanted to read the document about hats, but they might be able to guess that from context, and wouldn't you rather they didn't know more than they need to?
With the HTTPS record, your web browser asks (over secure DNS if you have it) HTTPS? some.name and, maybe it gets a positive answer. If it does, the answer tells it not only where to try to connect, but also it can choose to provide instructions for a cover name to always use, and how to encrypt the real name, this is part of Encrypted Client Hello (or ECH).
Then the web server tells the server that it wants to talk to the cover name and it provides an encrypted version of some.name. Eavesdroppers can't decrypt that, so if many people share the same endpoints then eavesdroppers can't tell which site you were visiting.
Now, if the server only contains documents about hats, this doesn't stop the Secret Hat Police from concluding that everybody connecting to that server is a Hat Pervert and needs to go to Hat Jail. But if you're a bulk host then you force such organisations to choose, they can enforce their rules equally for everything (You wanted to read News about Chickens? Too bad, Hat Jail for you) or they can accept that actually they don't know what people are reading (if this seems crazy, keep in mind that's how US Post worked for many years after Comstock failed, if you get a brown paper package posted to you, well, it's your business what is in there, and your state wasn't allowed to insist on ripping open the packaging to see whether it is pornography or communist propaganda)
Which is why it is so important/useful to Cloudflare but of much lower utility to most nginx users.
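Added example, not part of any comment here: a parser for the wire-format RDATA of an HTTPS record that pulls out the ALPN list and, from the `ech` parameter, the name the comments above call the cover name (`public_name` in the ECH config). The sample record is constructed; `cover.example`, the all-zero key bytes and the config id are placeholders.

```python
import struct

SVC_KEYS = {1: "alpn", 3: "port", 4: "ipv4hint", 5: "ech", 6: "ipv6hint"}
ECH_VERSION = 0xFE0D  # ECHConfig version carrying the HPKE key and public_name


class Reader:
    """Bounds-checked cursor over length-prefixed binary fields."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated field")
        out = self.data[self.pos:self.pos + n]
        self.pos += n
        return out

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack("!H", self.take(2))[0]
    def vec8(self): return self.take(self.u8())
    def vec16(self): return self.take(self.u16())
    def done(self): return self.pos == len(self.data)


def ech_public_names(blob):
    """Return the public_name of every ECHConfig of a known version in the list."""
    outer = Reader(blob)
    configs = Reader(outer.vec16())
    if not outer.done():
        raise ValueError("trailing bytes after ECHConfigList")
    names = []
    while not configs.done():
        version, body = configs.u16(), Reader(configs.vec16())
        if version != ECH_VERSION:
            continue                 # unknown version: length lets us skip it
        body.u8(); body.u16()        # config_id, kem_id
        body.vec16(); body.vec16()   # HPKE public key, cipher suites
        body.u8()                    # maximum_name_length
        names.append(body.vec8().decode("ascii"))
    return names


def parse_https_rdata(rdata):
    """Parse SvcPriority, TargetName and SvcParams from HTTPS RDATA."""
    r = Reader(rdata)
    priority, labels = r.u16(), []
    while (n := r.u8()):             # uncompressed name, ends at the zero label
        labels.append(r.take(n).decode("ascii"))
    params = {}
    while not r.done():
        key, value = r.u16(), r.vec16()
        name = SVC_KEYS.get(key, f"key{key}")
        if name == "alpn":
            a, protos = Reader(value), []
            while not a.done():
                protos.append(a.vec8().decode("ascii"))
            params[name] = protos
        elif name == "ech":
            params[name] = ech_public_names(value)
        else:
            params[name] = value     # left as raw bytes
    return {"priority": priority, "target": ".".join(labels) or ".", "params": params}


def sample_rdata():
    """CONSTRUCTED record: priority 1, target '.', alpn=h3,h2, one ECH config."""
    v8 = lambda b: bytes([len(b)]) + b
    v16 = lambda b: struct.pack("!H", len(b)) + b
    contents = (bytes([0x2A]) + struct.pack("!H", 0x0020) + v16(bytes(32))
                + v16(struct.pack("!HH", 1, 1)) + bytes([0])
                + v8(b"cover.example") + v16(b""))
    ech = v16(struct.pack("!H", ECH_VERSION) + v16(contents))
    params = (struct.pack("!H", 1) + v16(v8(b"h3") + v8(b"h2"))
              + struct.pack("!H", 5) + v16(ech))
    return struct.pack("!H", 1) + b"\x00" + params
```

The `public_name` is what an on-path observer still sees in the outer hello, so for a monitoring team it is the only hostname left to log once clients use ECH.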
The short answer is that there hasn't been a ton of movement across the market at large, but since Saturday, bonds have been swinging up towards the all-time high they set last December. Can't say for certain that that movement is tied to VZ though.
https://finance.yahoo.com/news/one-polymarket-user-made-more...
While on their way out, if the USA could set everything back to IPv6, that would be nice.
* The (remaining) Venezuelan government gets to point to Big Evil America to unify (or crack-down-upon) an unhappy public, and they avoid being personally tarred as unpatriotic.
* Trump et al. get to "wag the dog" as distraction from crimes and mismanagement back home.
As if. Dictators only do things that benefit themselves, and deciding to attack the US is suicide and/or world ending.
You actually think the US would leave things better than they found them?
[Of course I agree with the broader point of don't become dependent on the technology of your geopolitical enemies]
Technology is notoriously expensive to develop and manufacture. One must either have native capacity (and thus, the wealth) to do so, or must get it from someone else.
Other Western/US-aligned countries might have the ability to do so, albeit at geopolitical and economic cost, because the only thing you're likely to gain from kicking the US out of your tech stack and infrastructure is a tech stack and infrastructure free of the US. Meanwhile American companies will be developing new features and ways of doing things that add economic value. So at best, a wash economically. Maybe the geopolitical implications are enticing enough.
Places like Venezuela? Nah. They'll be trading the ability of Americans to jack with their tech infrastructure for the ability of the PRC, Non-US Western nations, or Russia to jack with their tech stack.
The geopolitics of technology are a lot like a $#1+ sandwich: the more bread you have, the less of someone else's $#1+ you have to eat.
I'm not sure why the author singled out Telecom Italia Sparkle.
The data would make that more likely, because deliberately adding a longer route doesn't achieve much. It's not usually going to get any traffic.
For example, maybe some misconfiguration caused these routes to be published because another route was lost. Which could very well be the actual cyber attack, or the effect of jamming, or breaking some undersea cable, or turning off the power to some place.
> The newsletter suggests “BGP shenanigans” and posits that such a leak could be exploited to collect intelligence useful to government entities.
>
> While we can’t say with certainty what caused this route leak, our data suggests that its likely cause was more mundane.
Furthermore, BGP routes can get "stuck", if some device doesn't handle a withdrawal correctly… this can lead to odd routes like the ones seen here. Especially combined with the long path length and disappearance of better routes.
From what I remember reading, they were able to gain air dominance not because Iranian air-defense was bad, but because it was put almost completely out of service for a brief period of time by people on the ground - be it through sabotage, cyber-warfare, drone attacks from inside, allowing the Israeli jets to annihilate them.
Wouldn't that constitute air defense being "bad"? There are no "well technically it should have worked" in war. Failing to properly secure the air defense sites is bad air defense.
Although I do agree, that in war only the final outcome is important. It's just that in this case it failed not necessarily because of technology, but because of humans.
I expect every major world power has a plan to (attempt to) do precisely that to their enemies.
https://en.wikipedia.org/wiki/Graphite_bomb
> The US Navy used sea-launched Tomahawk missiles with Kit-2 warheads, involving reels of carbon fibers, in Iraq as part of Operation Desert Storm during the Gulf War in 1991, where it disabled about 85% of the electricity supply. The US Air Force used the CBU-94, dropped by F-117 Nighthawks, during the NATO bombing of Yugoslavia on 2 May 1999, where it disabled more than 70% national grid electricity supply.
I would not, however, take "Trump said something" as indicative of much. "It was dark, the lights of Caracas were largely turned off due to a certain expertise that we have, it was dark, and it was deadly" is both visibly untrue from the video evidence available, and is the precise sort of off-the-cuff low-fact statement he's prone to.
Trump just seems the worst person in the world to play a game of telephone with on such a subject.
For example: https://www.defensenews.com/air/2025/05/16/pentagon-silent-a...
> “The F-35, we’re doing an upgrade, a simple upgrade,” Trump said. “But we’re also doing an F-55, I’m going to call it an F-55. And that’s going to be a substantial upgrade. But it’s going to be also with two engines.”
> Frank Kendall, the secretary of the Air Force during former President Joe Biden’s administration, said in an interview with Defense News that it is unclear what Trump was referring to when he discussed an “F-22 Super,” but it may have been a reference to the F-47 sixth-generation fighter jet… Kendall said it is also unclear what Trump was referring to when he discussed the alleged F-55.
[1]:https://radar.cloudflare.com/routing/as8048ref=loworbitsecur...
The others have been variants of "Celebrating liberation of the Venezuelan people from the illegitimate dictator, a new dawn for democracy! (oh and everyone (not naming names) please behave and try to be mindful of international law and human rights from now on)"
Not a single word about the dead, for one.
While the NYTimes headline names France as critical, here's Macron (still only posting) on Twitter: https://xcancel.com/EmmanuelMacron/status/200752538697719404...
Meanwhile POTUS is over there talking literally and openly about how US are "going to run things" and motivating it with taking the oil and how they don't really care about democracy one way or other.
These actions by Trump are only reinforcing that we will see even more of a push for everybody to get their own nukes, even in Europe.
People do not need to yell "bad trump", to have his actions result in decisions being pushed forward like this.
Theodore: "speak softly and carry a big stick"... and nuke(s) is a BIG stick.
It's over for the EU. They rested on their laurels for too long and cowardice rotted them from the inside.
I don't think Denmark will put even a smidge of resistance up. Trump is going to bark some orders, boots are going to hit the ground and it's fait accompli.
Greenland is a massive strategic liability for the US and Europe (although the EU still has its head in the sand they are starting to wake up some).
Yesterday:
> Adding to the alarm, Katie Miller, a right-wing podcast host and the wife of Trump adviser Stephen Miller, posted an image of Greenland superimposed with the American flag and the caption "SOON!"
https://www.nbcnews.com/world/greenland/trump-venezuela-atta...
Fragile egos. Narcissists desperately need to feel good about themselves. They're caught in a cycle: feel worthless -> do bad things (feed the ego) -> feel worthless.
Mr. Trump good.
Trump derangement syndrome bad.
If Mr. Trump does what you say eventually, then it was good. (see rule #1)
I see this frequently on HN since the re-election, won't speculate as to why: only way around the downvote is to criticize policy generically, untethered to time, with some sort of micro-focus like you're sharing new information about how things work, not discussing current events.
When BGP traffic is being sent from point A to point B, it can be rerouted through a point C. If you control point C, even for a few hours, you can theoretically collect vast amounts of intelligence that would be very useful for government entities.
A few thoughts:
- The affected prefixes (200.74.224.0/20 block → Dayco Telecom) hosting banks and ISPs feels significant. If you're doing pre-kinetic intelligence gathering, knowing the exact network topology and traffic patterns of critical infrastructure would be valuable. Even a few hours of passive collection through a controlled transit point could map out dependencies you'd want to understand before cutting power.
- What's also notable is the transit path through Sparkle, which the author points out doesn't implement RPKI filtering. That's not an accident if you're planning something (you'd specifically choose providers with weaker validation).
- The article stops short of drawing conclusions, which is the right call. BGP anomalies are common enough that correlation ≠ causation. But the timing and the specific infrastructure affected make this worth deeper analysis.
Would love to see someone with access to more complete BGP table dumps do a before/after comparison of routing stability for Venezuelan prefixes in that window.
Didn't the US use Chinooks? They're supposed to be loud. And AD didn't take even one out.
If Venezuela is as corrupt as most socialist countries, I have no doubt that someone in his inner circle gave him up.
Back in the days of our version of socialism we had Indian politicians selling out for $100K, leave alone $50M.
For the longest time I thought they'd gone too far, but now we're the clowns putting on a show.
https://en.wikipedia.org/wiki/Mount_Weather_Emergency_Operat...
https://en.wikipedia.org/wiki/Raven_Rock_Mountain_Complex
https://en.wikipedia.org/wiki/Project_Greek_Island
https://en.wikipedia.org/wiki/Cheyenne_Mountain_Complex
With the rise of solid fuel ICBM and then MIRV leading to the truly massive number of warheads pointed at the US, the US switched to airplanes for the most important continuity of government issues, figuring that the skies 30,000 above the US will largely be secure (presuming the plane is appropriately EMP shielded) due to the many US geographic advantages, and so it is the best place to ride out the initial attack and then take stock, get to somewhere safe, and figure out what to do from there.
https://en.wikipedia.org/wiki/Operation_Looking_Glass
https://en.wikipedia.org/wiki/TACAMO
https://en.wikipedia.org/wiki/Boeing_E-6_Mercury
But the North Koreans can have no illusion that the skies above their country will be safe: there are several major enemy airbases a few minutes from their border, their entire airspace is routinely surveilled and powers hostile to them have made large investments in stealthy air superiority fighters, so the air is not a safe place for the DPRK continuity of government plans. The DPRK does have trains but I would not consider those safe in the event of a major war, since rails are difficult to keep secret.
https://en.wikipedia.org/wiki/Taeyangho_armoured_train
So bunkers are the best they can do, given their circumstances.
The US is vulnerable to that scenario as well, even though the military’s willingness to comply with literally textbook illegal orders is not encouraging.
I could tolerate a coupe but I’d prefer a sports car :-/
Erm, it's kind of demanded for people to go out and die to defend national sovereignty in nations that have a draft. For myself, I'd prefer to be vaporized than bleed out in a trench if it really comes down to it.
There are 9 nuclear-armed states today. Likely this has set us on a path where nuclear war is inevitable.
It's really hard to guess how retaliation would happen in practice, a large-scale nuclear war certainly isn't inevitable.
The most likely targets for nuclear strikes right now are also non-nuclear states.
Plenty of places have uranium and unless they are being watched like Iran they can just set up clandestine enrichment operations.
It assumes ~130,000 casualties from a worst-case surprise attack on population centers by the North.
If a conflict started ramping up, evacuations would rapidly shrink this.
A significant deterrent, sure. But it rapidly becomes less and less meaningful as the DPRK builds its nuclear arsenal.
They drive old cars, have slow internet and can't visit the coliseum. They're not invited to the cool parties.
It would probably rule out the type of decapitation strike the US did, but bgp hijacking is way way below on the escalation ladder.
The US couldn't just fly a bunch of helicopters to Pyongyang or Tehran and do the same within 30 minutes. Most likely every single one of those helicopters would end up being shot down.
Would your answer change if China were somehow guaranteed to not intervene? Because I'm not sure the obstacle here is North Korean defenses, so much as Chinese intervention.
Tehran? I think it'd go more or less like Caracas did.
1. Did Ukraine control the nukes, or did Russia?
2. Could Ukraine keep them working on its own?
3. If nukes stop invasions, why do nuclear countries still get attacked?
Russia may have just continually pushed the envelope until it became clear there wasn't a bright red line, and eventually someone would push the button.
Russia invades. Ukraine launches nukes. Every major city in Ukraine is ash. Several major cities in Russia are ash. Millions die plausibly.
That scenario is not what would happen from an invasion.
Zelensky would not have used nukes to prompt the death of millions instantly. He would have proceeded with the same defensive war.
The false premise rests on: it's better for everyone to die than live under Russian occupation. That would overwhelmingly be chosen false by the population in question that is being invaded.
All those people that lived under Soviet Russia occupation, they were better off dead in nuclear fire than living under said occupation? Obviously not what the masses would have chosen (just look at what they did choose to do while living under Russian occupation - how many gave up their lives to fight back?). It's fundamentally why nuclear weapons as deterrent is largely fraudulent. They're solely viable as a last option against total oblivion at the hands of an enemy: it entails everyone dies, which means there has to be a good enough reason for everyone to die to justify use.
I think this is a situation where even if Venezuela had nukes, this still would have happened.
a. Don’t use nukes, everyone moves one rung up the ladder.
b. Use nukes. Ladder is destroyed, everyone dies horribly.
Using nukes only makes sense if everyone is going to die horribly anyway. It’s an empty threat otherwise.
Our systems are designed around ICBM detection.
A tactical/suitcase nuke like the old US Army Green Light teams wouldn't trigger that. In fact, it would likely take a while to trace. The "limited nuclear war" concept.
Why would it?
1. "Nuclear capability" is not binary. The available delivery mechanisms and the defensive capabilities of your adversary matter a lot.
2. MAD constrains both sides. It's unlikely that an unpopular Head of State getting kidnapped would warrant a nuclear first strike especially against a country like (Trump's) America, which would not hesitate to glass your whole country in response.
3. It's extremely risky to "try" a nuke, because even if it's shot down, does it mean your enemy treats it as a nuclear strike and responds as if it had landed? That's a very different equation from conventional missiles. E.g. Iran sends barrages of missiles because they expect most of them to be shot down. It's probably not calculating a scenario where all of them land and Israel now wants like-for-like revenge.
Heads of state are generally pretty good at delegating the C&C of their nukes to people they are pretty popular with. That's orthogonal to popularity polls of the populace.
It seems extraordinarily unlikely we'd have attempted such a thing if Venezuela had nukes.
We can see that nobody was going to resist the operation in Venezuela, so it doesn't really matter that Venezuela doesn't have nukes. Using nukes isn't just a matter of pressing a button, it involves a lot of people and processes - thus any significant opposition inside the force or just widespread sabotage will make it unusable.
But it seems equally likely to me that he was sold out by somebody in the VZ government/military. And that the paltry military resistance was because they saw direct confrontation with the US as suicidal.
Not impossible but certainly in the tinfoil hat range of possibilities.
It sounds stupid. Maduro has no way to enforce the deal, and the US has no incentive to fulfill this deal.
> We can see that nobody was going to resist the operation in Venezuela, so it doesn't really matter that Venezuela doesn't have nukes.
To use it, no resistance is matter. One person must do their job to launch a nuclear weapon. That's all.
> it involves a lot of people and processes
It doesn't matter. Nuclear deterrence exercises are conducted regularly. And their peculiarity is that no one except the person with the red button knows whether it's an exercise or whether the missiles will actually be launched this time.
So when the order to launch comes, many people will be performing a large number of complex processes which will result in the use of nuclear weapons. Because they regularly receive such orders and carry out these processes.
You have to assume everyone is willing to die over every single thing short of obliteration.
So what's the scenario then? Venezuela has nukes. The US abducts Maduro. Venezuela launches its nukes, everyone dies on both sides. Please, explain that laughable premise. Everyone in Venezuela dies for Maduro? Go on, explain it, I'll wait.
Back in reality: Venezuela has nukes. The US abducts Maduro. Venezuela shakes its fists at the sky, threatens nuclear hell fire. Nothing happens. Why? The remaining leadership of Venezuela does not in fact want to die for Maduro.
US attacks, Maduro threatens to launch nuke(s) ... then what? Do you call bluff?
Maduro was captured in a military base (as he did a Saddam, switching sleeping locations), he almost made it into a safe room. What if he had nukes and made it to the safe room. You know the expression "Cornered rat"... For all he knew, the US was there to kill him. The US killed his 30 Cuban bodyguards so high chance Maduro thought it's his end.
> "Cornered rat" refers to the idiom that even weak individuals become desperate and dangerous when given no escape, often applied to intense political or military pressure.
The scenario that you called, that nobody wants to die for Maduro, is you gambling that nobody wants to die for him or not follow the chain of command! Do you want to risk it? No matter how many precautions you take, are you really sure that not one or more nukes go to Texas or Miami?
This is why Nukes are so powerful, even in the hands of weaker countries. It gives a weaker country a weapon that may inflict untold dead to the more powerful country (let alone the political impact). It's a weapon that influences decision making, even in the most powerful countries.
With Iran, North Korea, or Ukraine, the calculus is different.
Do you think the US and EU would have hesitated to send enough arms to keep Ukraine comfortably fending off Russia if they weren't afraid of the nuclear threat that Russia kept toying with?
Now do this same exercise for Taiwan.
The only consistent action for the US to take, given they - and much of the world - do not consider Maduro the legitimate President of Venezuela, was to remove him from power.
Reality is not that black and white. We may no longer have formal colonies, but the world is still carved up by spheres of influence by the superpowers. Displease them and you'll find out how limited your sovereignty really is.
However, just because there are just war grounds for Maduro's capture per se doesn't mean the operation was justified by just war principles. It wasn't. It takes more than just the fact that the ruler is tyrannical to justify an operation like this. Operations like this can risk civil war and all sorts of horrible fallout that also need to be considered. There must be a realistic plan following the removal of the tyrannical leader. As always, justice must be upheld always. And of course there are the procedural and legal aspects that Trump totally ignored.
Clearly and empirically, BGP can shut off parts of the Internet, just as Trump wanted to do in 2015.
https://finance.yahoo.com/news/dear-donald-trump-no-you-1322...