validation DoS
vulnerabilities - both CVE-2023-50387 ("KeyTrap") and CVE-2023-50868 (NSEC3
vuln) - improvements welcome)
--
Royce Williams
Tech Solvency
On Sat, Feb 17, 2024 at 1:11 AM Dave Taht wrote:
> Really long list of fixed dns servers here:
>
>
> https://www.linkedin
misuse_and_abuse#
> <https://en.m.wikipedia.org/wiki/NTP_server_misuse_and_abuse#:~:text=NTP%20server%20misuse%20and%20abuse%20covers%20a%20number%20of%20practices,the%20NTP%20rules%20of%20engagement.>
>
>
> -mel
>
> On Aug 6, 2023, at 12:03 PM, Royce Williams
> wrote:
>
Naively, instead of abstaining ;) ... isn't robust diversity of NTP peering
a reasonable mitigation for this, as designed?
Royce
On Sun, Aug 6, 2023 at 10:21 AM Mel Beckman wrote:
> William,
>
> Due to flaws in the NTP protocol, a simple UDP filter is not enough. These
> flaws make it trivial
On Tue, Jan 3, 2023 at 11:59 AM John Curran wrote:
> FYI - ARIN Online now has FIDO2/Passkey as an option for two-factor
> authentication (2FA) - this is a noted priority for some organizations.
>
John - this is a great step forward! Kudos to the tech team who helped make
the leap - it can be
On Fri, May 27, 2022, 9:55 PM Peter Beckman wrote:
> Not to be confused with FIDO U2F, which is basically what TOTP 2FA is,
> just implemented differently.
>
FIDO U2F is materially different from TOTP 2FA.
With TOTP, there is no cryptographic validation of the requester / server.
A user
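To make the distinction in the reply above concrete, here is an added Python example (it is not part of this thread and not anyone's production code). It computes an RFC 4226/6238 TOTP code from the shared secret, beside a simplified U2F-style assertion in which the authenticator signs over a hash of the origin the browser actually connected to. HMAC keyed with a per-registration secret stands in for the authenticator's ECDSA keypair so the example runs on the standard library alone; the secrets, origins, challenge and counter are constructed for the demonstration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock.

    Nothing about the verifier (hostname, TLS certificate, origin) enters the
    computation, so a code typed into a phishing page is just as valid at the
    real site for the rest of the time step."""
    return hotp(secret, unix_time // step, digits)


def u2f_sign(reg_key: bytes, origin: str, challenge: bytes, counter: int) -> bytes:
    """Simplified U2F authentication response.

    A real authenticator ECDSA-signs sha256(appId) || flags || counter ||
    sha256(clientData) with the key it registered for that appId.  HMAC with a
    per-registration secret stands in for the keypair here (an assumption so
    the example runs on the standard library); what matters is that the
    origin the browser actually connected to is bound into the signed data."""
    app_param = hashlib.sha256(origin.encode()).digest()
    signed = app_param + b"\x01" + struct.pack(">I", counter) + hashlib.sha256(challenge).digest()
    return hmac.new(reg_key, signed, hashlib.sha256).digest()


def u2f_verify(reg_key: bytes, expected_origin: str, challenge: bytes,
               counter: int, response: bytes) -> bool:
    """Relying-party check: recompute over *its own* origin and compare."""
    expected = u2f_sign(reg_key, expected_origin, challenge, counter)
    return hmac.compare_digest(expected, response)


def relay_attack() -> tuple:
    """A phishing site relays whatever the user produces to the real site.

    Returns (totp_accepted, u2f_accepted).  Secrets, origins and the counter
    are constructed for the demonstration."""
    shared_secret = b"12345678901234567890"          # RFC 6238 test-vector secret
    now = 1_700_000_000
    code_from_victim = totp(shared_secret, now)       # typed into the phishing page
    totp_accepted = hmac.compare_digest(code_from_victim, totp(shared_secret, now))

    reg_key = b"per-registration-key-for-example.com"
    challenge = b"nonce-issued-by-real-site"
    # The browser hands the authenticator the origin it is really talking to,
    # here a look-alike domain, so the response is bound to the wrong appId.
    response = u2f_sign(reg_key, "https://examp1e.com", challenge, counter=7)
    u2f_accepted = u2f_verify(reg_key, "https://example.com", challenge, 7, response)
    return totp_accepted, u2f_accepted


if __name__ == "__main__":
    print("TOTP at T=59:", totp(b"12345678901234567890", 59))   # RFC 6238 vector: 287082
    print("relay attack (TOTP accepted, U2F accepted):", relay_attack())  # (True, False)
```

The TOTP code relayed by the phishing page is accepted because the code depends only on the secret and the clock; the U2F response is rejected because the signed data carries the hash of the origin the user was actually on, which is the "cryptographic validation of the requester / server" that TOTP lacks.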
The recent thread on CIDR aggregation cleanup scripts reminds me that I'm
looking for a similarly efficient implementation of a related tool. (I'm
gearing up to write my own in Perl, but don't want to reinvent the wheel.)
I'd like a fast, Unix-pipeline-ready tool that *replaces* all IPs within
On Tue, Dec 31, 2019 at 7:46 AM Matt Harris wrote:
>
> On Tue, Dec 31, 2019 at 10:34 AM Royce Williams
> wrote:
>
>> On Tue, Dec 31, 2019 at 7:17 AM Matt Harris wrote:
>>
>>>
>>> The better solution here isn't to continue to support known-flawed
On Tue, Dec 31, 2019 at 7:32 AM Royce Williams
wrote:
> On Tue, Dec 31, 2019 at 7:17 AM Matt Harris wrote:
>
>> On Tue, Dec 31, 2019 at 9:11 AM Seth Mattinen wrote:
>>
>>> On 12/31/19 12:50 AM, Ryan Hamel wrote:
>>> > Just let the old platforms
On Tue, Dec 31, 2019 at 7:17 AM Matt Harris wrote:
> On Tue, Dec 31, 2019 at 9:11 AM Seth Mattinen wrote:
>
>> On 12/31/19 12:50 AM, Ryan Hamel wrote:
>> > Just let the old platforms ride off into the sunset as originally
>> > planned like the SSL implementations in older JRE installs, XP, etc.
On Tue, Dec 31, 2019 at 6:12 AM Seth Mattinen wrote:
> On 12/31/19 12:50 AM, Ryan Hamel wrote:
> > Just let the old platforms ride off into the sunset as originally
> > planned like the SSL implementations in older JRE installs, XP, etc. You
> > shouldn't be holding onto the past.
>
>
> Because
On Wed, Dec 25, 2019 at 1:15 AM william manning
wrote:
> https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-189.pdf
>
I can't speak to the technical content, but this put a curdle in my morning
coffee:
"... that comprise the internet [sic]" .
Et tu, NIST?
I will die on this
The difference is that Chrome won't use resolvers other than the ones
you've configured yourself, and will simply opportunistically upgrade to
DoH if they detect that those resolvers support it.
In other words, there is no usurpation of administrative intent.
Royce
On Wed, Oct 30, 2019 at 7:30
On Wed, May 8, 2019 at 11:12 PM Eric S. Raymond wrote:
> Chris Adams :
> > Once upon a time, Royce Williams said:
> > > The La Crosse 404-1235UA-SS UltrAtomic (not affiliated, just a fan)
> tracks
> > > DST - and even leap seconds. They have much better reach than
On Wed, May 8, 2019 at 7:16 PM Bryan Holloway wrote:
> On 5/8/19 7:55 PM, Brian Kantor wrote:
> > On Wed, May 08, 2019 at 07:47:56PM -0500, Bryan Holloway wrote:
> >> 100% true. But there is also a practical side to this ...
> >>
> >> When a NOC-ling, in their own local timezone, says, "hey,
On Sat, May 4, 2019 at 8:02 AM Royce Williams
wrote:
> On Sat, May 4, 2019 at 7:40 AM Royce Williams
> wrote:
>
>> On Sat, May 4, 2019 at 7:32 AM Keith Medcalf wrote:
>>
>>>
>>> I will stick to the "clearly false" since it is now well to the po
On Sat, May 4, 2019 at 7:40 AM Royce Williams
wrote:
> On Sat, May 4, 2019 at 7:32 AM Keith Medcalf wrote:
>
>>
>> I will stick to the "clearly false" since it is now well to the point
>> where we are in 2019-05-04 (even in local UT1, let alone UTC), studies ar
On Sat, May 4, 2019 at 7:32 AM Keith Medcalf wrote:
>
> I will stick to the "clearly false" since it is now well to the point
> where we are in 2019-05-04 (even in local UT1, let alone UTC), studies are
> disabled (and have been since forever), no studies have been loaded, and my
> extensions
On Wed, Apr 24, 2019 at 8:33 PM Mike Bolitho wrote:
> "than the relatively low risk of a database compromise leading to a
>> miscreant getting ahold of their wireless password and using their access
>> point as free wifi."
>>
>
> And this is the thing, not only does someone have to 'hack' the
And just imagine what email threading might be like today ...
... if early email clients had defaulted to displaying the *bottom* of the
thread (as if you'd scrolled there).
Thoughtful UX design matters.
--
Royce Williams
Tech Solvency
On Mon, Jan 14, 2019 at 8:39 PM wrote:
> A: Beca
Obligatory list of all known same-quad servers and their DNS status -
corrections welcome:
https://gist.github.com/roycewilliams/6cb91ed94b88730321ca3076006229f1
If there is info about previous/historical use of these IPs, I'd like to
find a way to incorporate that as well.
--
Royce
On Thu,
On Sun, Jul 29, 2018 at 8:58 PM wrote:
>
> On Mon, 30 Jul 2018 06:43:35 +0200, Ramy Hashish said:
> > If you are going to start a security team in a newly founded IT
> > organization, what will the objectives/results be?
>
> The answer will depend heavily on the organization that contains the IT
On Sat, May 26, 2018 at 4:57 PM Dan Hollis wrote:
> I imagine small businesses who do a small percentage of revenue to EU
> citizens will simply decide to do zero percentage of revenue to EU
> citizens. The risk is simply too great.
That would be a shame. I would expect
And FWIW, there are currently a few other other same-quad open resolvers:
# IP - desc | CIDR | recursion-yes
1.1.1.1 - APNIC-LABS - Research prefix for APNIC Labs (now Cloudflare
distributed public recursive DNS) | 1/8 | recursion-yes
8.8.8.8 - Google LLC (public recursive DNS) | 8.8.8/24 |
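The "recursion-yes" column in the list above comes down to one header bit: a server that answers a query with RD set by returning RA set, NOERROR and an answer is offering recursion to whoever asks. Here is an added Python example (not from this thread) that builds a minimal DNS query, parses the response header and classifies it; `probe()` sends the query over UDP/53 and needs network access, while the constructed sample responses (not captured from any real server) let the classifier run offline. The query name, transaction ID and the 192.0.2.1 answer are assumptions.

```python
import socket
import struct


def build_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Minimal DNS query: one question, RD (recursion desired) set, no EDNS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


def parse_header(resp: bytes) -> dict:
    if len(resp) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),     # response bit
        "ra": bool(flags & 0x0080),     # recursion available
        "rcode": flags & 0x000F,        # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "ancount": an,
    }


def classify(query: bytes, resp: bytes) -> str:
    """Map a response to the recursion-yes/no wording used in the list above."""
    h = parse_header(resp)
    if h["id"] != struct.unpack(">H", query[:2])[0] or not h["qr"]:
        return "mismatch"
    if h["rcode"] == 5:
        return "recursion-refused"
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "recursion-yes"
    return "recursion-no"


def probe(server: str, qname: str = "example.com.", timeout: float = 2.0) -> str:
    """Live check over UDP/53 (network required; not exercised offline)."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(512)
    return classify(q, resp)


def constructed_response(query: bytes, kind: str) -> bytes:
    """Constructed sample replies for offline use, not captured from any real server."""
    txid = struct.unpack(">H", query[:2])[0]
    question = query[12:]
    if kind == "refused":
        # QR=1 RD=1 RA=0 RCODE=5: an authoritative-only server declining to recurse
        return struct.pack(">HHHHHH", txid, 0x8105, 1, 0, 0, 0) + question
    # QR=1 RD=1 RA=1 RCODE=0, one A record (192.0.2.1, TEST-NET-1) for the question name
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


if __name__ == "__main__":
    q = build_query("example.com.")
    print("open resolver sample :", classify(q, constructed_response(q, "open")))
    print("refused sample       :", classify(q, constructed_response(q, "refused")))
```

One caveat when probing same-quad addresses for real: a timeout tells you nothing by itself, since anycast and rate limiting make a single UDP query an unreliable witness; repeat from more than one vantage point before recording a status.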
On Fri, Mar 30, 2018 at 5:30 AM, Christopher Morrow
wrote:
>
> On Thu, Mar 29, 2018 at 10:32 AM, Stephane Bortzmeyer
> wrote:
>
> > Public DNS resolvers still help against "ordinary" adversaries. (If
> > your enemy is the NSA, you have other problems,
On Thu, Mar 1, 2018 at 1:38 PM, Randy Bush wrote:
>
> > this is sort of why openbsd listens only on 127.0.0.1/::1 by default,
> > right? it's the only sane choice for 'fresh out of the box' network
> > daemons: "Yes, it's running, yes I can healthcheck it locally to prove
> > it's
On Sun, Dec 3, 2017 at 10:31 AM, Grant Taylor via NANOG
wrote:
> On 12/03/2017 10:08 AM, Filip Hruska wrote:
>
>> It's kind of a pain to manage a mail server.
>>
>
> I disagree.
>
> I have been running my own mail server for > 15 years and extremely happy
> with it.
>
> I spend
On Fri, May 12, 2017 at 10:30 AM, Royce Williams <ro...@techsolvency.com>
wrote:
> My $0.02, for people doing internal/private triage:
>
> - If your use of IPv4 space is sparse by routes, dump your internal
> routing table and convert to summarized CIDR.
>
> - Feed
My $0.02, for people doing internal/private triage:
- If your use of IPv4 space is sparse by routes, dump your internal routing
table and convert to summarized CIDR.
- Feed your CIDRs to masscan [1] to scan for internal port 445 (masscan
randomizes targets, so destination office WAN links won't
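The first two triage steps above, as an added Python example (not from the post): pull the prefixes out of a routing-table dump, collapse them into summarized CIDRs, and turn the result into a masscan command line. The table excerpt is constructed in FRR/Quagga "show ip route" style, the default route is dropped, and the masscan flags used (-p, --rate, -oJ) are assumed to match the installed version.

```python
import ipaddress
import re

PREFIX_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")

# Constructed excerpt in FRR/Quagga "show ip route" style; not a real table.
SAMPLE_TABLE = """\
K>* 0.0.0.0/0 [0/0] via 10.255.0.1, eth0
C>* 10.255.0.0/30 is directly connected, eth0
B>* 10.10.0.0/24 [20/0] via 10.255.0.1, eth0
B>* 10.10.1.0/24 [20/0] via 10.255.0.1, eth0
O   10.10.2.0/23 [110/20] via 10.255.0.2, eth1
S>* 192.168.100.0/24 [1/0] via 10.255.0.1, eth0
S>* 192.168.100.128/25 [1/0] via 10.255.0.1, eth0
"""


def extract_prefixes(table_text: str):
    """Pull every a.b.c.d/len token out of a routing-table dump, dropping the default route."""
    nets = []
    for m in PREFIX_RE.finditer(table_text):
        net = ipaddress.ip_network(m.group(1), strict=False)  # host bits tolerated
        if net.prefixlen == 0:
            continue
        nets.append(net)
    return nets


def summarize(nets):
    """Merge adjacent and overlapping prefixes into the smallest covering set."""
    return list(ipaddress.collapse_addresses(nets))


def masscan_targets(table_text: str):
    return [str(n) for n in summarize(extract_prefixes(table_text))]


def address_count(table_text: str) -> int:
    """Size of the scan after summarization, to sanity-check the --rate you pick."""
    return sum(n.num_addresses for n in summarize(extract_prefixes(table_text)))


def masscan_argv(targets, port: int = 445, rate: int = 1000, outfile: str = "smb.json"):
    """Command line for the scan; masscan randomizes target order itself."""
    return ["masscan", "-p", str(port), "--rate", str(rate), "-oJ", outfile, *targets]


if __name__ == "__main__":
    targets = masscan_targets(SAMPLE_TABLE)
    print("\n".join(targets))
    print("addresses:", address_count(SAMPLE_TABLE))
    print(" ".join(masscan_argv(targets)))
```

On the constructed table the three /24s and the /23 collapse to 10.10.0.0/22 and the /25 disappears into its covering /24, so masscan gets three targets instead of six; address_count is the number to check against the rate before you point this at office WAN links.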
On Mon, Mar 6, 2017 at 5:12 AM, Andrew Gallo wrote:
>
> On 3/6/2017 3:55 AM, Majdi S. Abbas wrote:
>>
>> On Wed, Feb 22, 2017 at 04:59:53AM -0800, Hal Murray wrote:
>>>
>>> Any suggestions for gear and/or software that works with WWV (or CHU)?
>>> Or general suggestions for non
On Wed, Mar 1, 2017 at 7:57 PM, James DeVincentis via NANOG
wrote:
[ reasonable analysis snipped :) ]
> With all of these reasons all wrapped up. It clearly shows the level of hype
> around this attack is the result of sensationalist articles and clickbait
> titles.
I have
We just need to keep the likely timeline in mind.
As I saw someone say on Twitter today ... "don't panic, just deprecate".
Valerie Aurora's hash-lifecycle table is very informative (emphasis mine):
http://valerieaurora.org/hash.html
Reactions to stages in the life cycle of cryptographic hash
On Sat, Jan 28, 2017 at 2:22 AM, Shahab Vahabzadeh
wrote:
>
> Hello Hello,
> Can anybody help me to find out IP Address Ranges of Akamai and Instagram?
> I wanna do some optimizations on my cache side?
> Thanks
I do not know the difference between Akamai's corporate
On Tue, Jan 17, 2017 at 3:04 PM, Eric Tykwinski wrote:
> So I’ve come across this on Qualys and just wondering if there are any
> practical examples out there in the wild.
> I know some BIND guys are on here, so I’m sure I’m missing something from the
> RFCs.
> Just wanted
On Thu, Dec 22, 2016 at 4:05 PM, Harlan Stenn wrote:
> This sort of misconfiguration will happen and the NTP Pool Project
> clearly isn't the place to solve this problem overall. It *is*
> something NTF is in a position to address.
Harlan, could you be more specific about how
beat it into a plowshare. :)
Royce
>> On Dec 21, 2016, at 22:16, Royce Williams <ro...@techsolvency.com> wrote:
>>
>> On Tue, Dec 20, 2016 at 7:08 AM, Royce Williams <ro...@techsolvency.com>
>> wrote:
>>
>> [snip]
>>
>>> IM
On Tue, Dec 20, 2016 at 7:08 AM, Royce Williams <ro...@techsolvency.com> wrote:
[snip]
> IMO, *operational, politics-free* discussion of items like these would
> also be on topic for NANOG:
>
> - Some *operational* workarounds for country-wide blocking of
> Facebook, Wha
On Wed, Dec 21, 2016 at 3:49 PM, Ken Chase wrote:
> On Wed, Dec 21, 2016 at 04:41:29PM -0800, Doug Barton said:
> [..]
> >>Everyone has a line at which "I don't care what's in the pipes, I just
> >>work here" changes into something more actionable.
> >
> >Stretched far
On Tue, Dec 20, 2016 at 8:19 PM, Royce Williams <ro...@techsolvency.com> wrote:
> On Tue, Dec 20, 2016 at 8:04 PM, Yury Shefer <she...@gmail.com> wrote:
>>
>> Google announced public NTP service some time ago:
>> https://developers.google.com/time/
>
> Lea
On Tue, Dec 20, 2016 at 8:04 PM, Yury Shefer wrote:
>
> Google announced public NTP service some time ago:
> https://developers.google.com/time/
Leap smearing does look interesting as way to sidestep the
potentially-jarring leap-second problem ... but a note of caution.
I've
On Sat, Dec 17, 2016 at 6:15 PM, Doug Barton wrote:
> On 12/16/2016 1:48 PM, Hugo Slabbert wrote:
>>
>> This started as a technical appeal, but:
>>
>> https://www.nanog.org/list
>>
>> 1. Discussion will focus on Internet operational and technical issues as
>> described in the
On Mon, Dec 19, 2016 at 12:49 PM, Dan Drown wrote:
> Quoting David :
>>
>> On 2016-12-19 1:55 PM, Jan Tore Morken wrote:
>>>
>>> On Mon, Dec 19, 2016 at 01:32:50PM -0700, David wrote:
I found devices doing lookups for all of these at the same time
See also:
https://twitter.com/textfiles/status/808715999042117632
https://twitter.com/textfiles/status/808922272551550976
Jason Scott (@textfiles):
When your boss gives you the goahead to mirror 200tb of NOAA data,
you run with it
Don't let the fact that The Internet Archive is all over
On Wed, Nov 2, 2016 at 6:47 PM, William Herrin wrote:
> On Wed, Nov 2, 2016 at 10:39 PM, Randy Bush wrote:
> > the sysadmins' dilemma: do you install today's critical update or wait a
> > day until the next one is out before you reboot 50 servers?
>
> Neither. You
On Mon, Sep 26, 2016 at 7:23 AM, Mark Milhollan wrote:
>
> On Sun, 25 Sep 2016, Stephen Satchell wrote:
>
> >Yeah, right. I looked at BCP38.info, and there is very little concrete
> >information.
>
> Yeah, it's pretty naked. But how-to isn't the usual stumbling block, as
>
On Tue, Aug 30, 2016 at 9:11 PM, Royce Williams <ro...@techsolvency.com> wrote:
> On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke <eric.kuh...@gmail.com> wrote:
>>
>> http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html
>>
>> One of the lar
On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke wrote:
>
> http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html
>
> One of the largest Chinese root certificate authorities, WoSign, issued many
> fake certificates due to a vulnerability. WoSign's free certificate
It might also be interesting to post some redacted/simplified examples of
both formats. If the conversion is "just" text manipulation and reworking
of logic, it might not be hard to cobble something basic together quickly,
and then crowdsource improvements quickly on Github.
Royce
On Mon, Apr
On Thu, Mar 10, 2016 at 6:57 AM, John R. Levine wrote:
>>>
>>> I've set up .ws.sp.am (that's ws for Whois Server) which is
>>> updated every day from a variety of sources so it's pretty accurate.
>>> It's had the right server for pro.ws.sp.am all along.
>
>
>> Hey, that's
On Thu, Mar 10, 2016 at 4:32 AM, John Levine wrote:
> > _whois._tcp.pro. srv 0 100 43 whois.afilias.net.
>
> A swell idea, but unfortunately the idea of putting SRV records in
> gTLD zones makes heads at ICANN explode. For RDAP there's a registry
> at IANA but it's not
On Wed, Mar 9, 2016 at 3:54 PM, Mark Andrews wrote:
>
> Additionally 'whois' is free form text. Whois doesn't include a
> AI to workout what this free form text means so, no, there isn't a
> actual referral for a whois application to use.
I'm not affiliated, but there are a
On Tue, Mar 8, 2016 at 10:21 AM, Hugo Slabbert wrote:
> On Tue 2016-Mar-08 19:10:14 +, Gavin Henry
> wrote:
>
> Really love the Opengear IM range. We use IM4216's
>>
>
> I'm surprised no one's mentioned freetserv[1] yet. I haven't used them so
>
On Thu, Feb 18, 2016 at 5:40 AM, Jay R. Ashworth wrote:
> Let me be, apparently, the first to extend congratulations to long time
> NANOGer, Columbia CS professor, security researcher, and co-inventor of
> Usenet -- does anybody remember Usenet? :-) -- Steven M. Bellovin, who,
>
No direct knowledge, but from comments on another list, it may be intermittent.
Jason Fesler of test-ipv6.com reported on Jan 30 2016 at 2:08 PM PST
that his Team Cymru API connections for ISP ASN and Name checks broke,
and pushed a workaround to all test nodes. He then reported at 7:30
PM PST
On Fri, Dec 18, 2015 at 8:03 AM, Steven M. Bellovin
wrote:
> On 18 Dec 2015, at 11:52, Steven M. Bellovin wrote:
>
>> On 18 Dec 2015, at 7:28, Dave Taht wrote:
>>
>>> I think "unauthorized code" is still plausible newspeak for "bug".
>>>
>>> Why blame finger foo when you
On Wed, Dec 9, 2015 at 6:32 AM, Brandon Applegate wrote:
> They’ve made some changes recently - I had a perl script that would do the
> lookup and scrape live - it was great. It broke a week or so ago.
>
> This seems to be the page to search for OUI:
>
>
On Sat, Nov 14, 2015 at 3:34 AM, Roland Dobbins wrote:
>>
>> More likely this is going to be iterations of what is already being more
>> widely accepted. Downloadable pre-configured client software that works
>> with a particular VPN service.
>
>
> Again, downloading is a barrier to
On Fri, Nov 13, 2015 at 8:28 PM, Roland Dobbins wrote:
> On 14 Nov 2015, at 11:32, Owen DeLong wrote:
>
> Go out onto the street and ask a random number of people over 30 if they
>> know what a URL is and how to enter one into a browser.
>>
>
> They don't know what URIs are,
On Mon, Oct 26, 2015 at 9:10 AM, Pablo Lucena
wrote:
> On Sun, Oct 25, 2015 at 12:22 AM, Josh Luthman <
> j...@imaginenetworksllc.com>
> wrote:
>
> > Can we please get a filter for messages with the subject "Fw: new
> message"
> > ???
> >
> So far I've dealt with it
On Mon, Oct 12, 2015 at 7:23 AM, Todd Underwood wrote:
>
> it's also not entirely obvious what the point of having local IXes
> that serve these kinds of collections of people.
>
> how much inter-ASN traffic is there generally for a city of 100k
> people, even if they all
On Tue, Sep 29, 2015 at 7:12 AM, Job Snijders wrote:
>
> Hi Bob,
>
> On Tue, Sep 29, 2015 at 08:05:45AM -0700, Bob Evans wrote:
> > This seems like a very good proper civil approach - maybe this or
> > something like it ARIN might help promote and endorse as a benefit to
> >
On Wed, Sep 23, 2015 at 1:34 AM, Nick Hilliard wrote:
> What are people using for ear protection for datacenters these days?
For me, it depends on the use case.
If I need to monitor for other sounds, or listen to music:
Bose QuietComfort 15 - discontinued, but still at
HD Moore just posted the results of a full-Internet ZMap scan. I didn't
realize that it was remotely detectable.
79 hosts total in 19 countries.
https://zmap.io/synful/
Royce
On Wed, Dec 24, 2014 at 9:27 AM, Ken Chase m...@sizone.org wrote:
(mtr|lft|traceroute) xmas.futile.net
And be sure to crank up the max hops a little higher than 100.
Royce
On Wed, Dec 24, 2014 at 9:38 AM, Jeroen Massar jer...@massar.ch wrote:
On 2014-12-24 19:27, Ken Chase wrote:
(mtr|lft|traceroute) xmas.futile.net
Welcome to the end of 2014.
If you are going to do a silly traceroute thing that has been done
thousands of times before, at least use this new
On Fri, Oct 10, 2014 at 7:31 AM, Steve Atkins st...@blighty.com wrote:
If your domain publishes p=reject it should not have any users
that participate in mailing lists.
Like many, I was pretty unhappy (and busy) with the unilateral changes
made by Yahoo and AOL. But this understandable stance
On Thu, Oct 9, 2014 at 2:20 PM, Andrew Koch a...@gawul.net wrote:
To correct this moving forward, selective rewriting of the from header
has been recommended, but requires an upgrade to the Mailman software.
If the admins have settled on a best practice, it could help other
Mailman operators
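The selective From-header rewriting mentioned above (and the Yahoo p=reject breakage raised in the later "Am I interpreting this correctly" message) comes down to one decision per post: look up the author's DMARC policy and rewrite only when it is reject or quarantine. Here is an added Python example of that logic (not from the thread and not Mailman's code). The DMARC records are constructed, the list address and name are assumptions, a real implementation would fetch the TXT record at _dmarc.<domain>, and the organizational-domain fallback is approximated as the last two labels rather than consulting the Public Suffix List.

```python
import email.utils

# Constructed DMARC records keyed by domain.  A real implementation fetches the
# TXT record at _dmarc.<domain>; these three are made up for the example.
DMARC_RECORDS = {
    "yahoo.com": "v=DMARC1; p=reject; sp=none; pct=100; rua=mailto:dmarc-rua@yahoo.com",
    "example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "example.net": "v=DMARC1; p=quarantine; sp=reject",
}


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; {} unless it is a v=DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def effective_policy(domain: str, records=DMARC_RECORDS) -> str:
    """Policy a receiver would apply to mail whose From: is at `domain`.

    An exact record wins.  Otherwise fall back to the organizational domain and
    use its sp= (subdomain policy) if present, else its p=.  The organizational
    domain is approximated as the last two labels; real code uses the Public
    Suffix List."""
    domain = domain.lower()
    tags = parse_dmarc(records.get(domain, ""))
    if tags:
        return tags.get("p", "none").lower()
    org = ".".join(domain.split(".")[-2:])
    if org != domain:
        tags = parse_dmarc(records.get(org, ""))
        if tags:
            return tags.get("sp", tags.get("p", "none")).lower()
    return "none"


def munge_from(headers: dict, list_addr: str, list_name: str) -> dict:
    """Rewrite From: only when the author's domain would reject or quarantine.

    Keeps the author reachable via Reply-To and preserves the original header,
    the way Mailman's 'Munge From' DMARC action does.  Other senders' headers
    pass through untouched, so the list stays transparent where it can."""
    name, addr = email.utils.parseaddr(headers["From"])
    domain = addr.rsplit("@", 1)[-1]
    out = dict(headers)
    if effective_policy(domain) in ("reject", "quarantine"):
        out["From"] = email.utils.formataddr((f"{name or addr} via {list_name}", list_addr))
        out["Reply-To"] = ", ".join(filter(None, [headers.get("Reply-To"), addr]))
        out["X-Original-From"] = headers["From"]
    return out


if __name__ == "__main__":
    for sender in ("Alice <alice@yahoo.com>", "Bob <bob@example.org>",
                   "Carol <carol@mail.example.net>"):
        print(munge_from({"From": sender}, "ops@lists.example.com", "Ops")["From"])
```

Note the subdomain case: with the constructed records, mail.yahoo.com inherits sp=none and passes through untouched, while mail.example.net inherits sp=reject and gets rewritten even though example.net itself only says quarantine. Getting that fallback wrong is the usual way a list rewrites too little (and loses posts) or too much (and annoys everyone).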
On Wed, Oct 8, 2014 at 8:07 PM, Faisal Imtiaz fai...@snappytelecom.net
wrote:
Like I said, this was my understanding I am glad that it is being
pointed out to be in-correct
I don't have a reason for why a /64 as much as I also don't have any
reason Why NOT
So, let me ask the
On Sun, Sep 28, 2014 at 7:42 PM, Grant Taylor gtay...@tnetconsulting.net
wrote:
My wife is receiving someone else's emails.
Specifically she is receiving emails for first name + middle initial + last
name@gmail.com (no dots) when her email address is really same first
name.same middle initial.same
On Fri, Sep 5, 2014 at 2:15 PM, Eduardo A. Suárez
esua...@fcaglp.fcaglp.unlp.edu.ar wrote:
Hi,
according to this thread:
https://productforums.google.com/forum/#!category-topic/gmail/GyeMcHv1U-g%5B1-25-false%5D
Gmail isn't allowing the "Send through Gmail" option anymore.
Yep. Existing
On Fri, Sep 5, 2014 at 3:01 PM, Hugo Slabbert h...@slabnet.com wrote:
If it really was more the former, there would be a if your SPF
records include:_spf.google.com, you can still do it option, IMO.
Manager: So, you're saying if we just check the SPF record when they set up
the account, we
On Thu, May 22, 2014 at 7:26 AM, Derek Andrew derek.and...@usask.ca wrote:
As others have said, Google's abuse systems are smart enough to understand
NAT and proxies, and won't block on request volume alone. When we
automatically apply a block, we'll generally offer a captcha to give
innocent
On Fri, Apr 25, 2014 at 7:43 AM, Shrdlu shr...@deaddrop.org wrote:
On 4/25/2014 8:00 AM, Leo Bicknell wrote:
On Apr 23, 2014, at 12:45 AM, Grant Riddershortdudey...@gmail.com
wrote:
Thought i would throw this out there.
Curious I unleashed grep on a couple of mailing lists I operate.
I
Am I interpreting this correctly -- that Yahoo's implementation of
DMARC is broken, such that anyone using a Yahoo address to participate
in a mailing list is dead in the water?
http://www.ietf.org/mail-archive/web/ietf/current/msg87153.html
On Sun, Mar 2, 2014 at 4:00 AM, Nick Hilliard n...@foobar.org wrote:
There are many places where automated RPF makes a lot of sense. An IXP is
not one of them.
That make sense. Everyone is rightly resistant to automated filtering.
But could we automate getting the word out instead?
Can
Newb question ... other than retrofitting, what stands in the way of
making BCP38 a condition of peering?
Royce
On Sun, Feb 23, 2014 at 10:48 AM, Royce Williams ro...@techsolvency.com wrote:
Newb question ... other than retrofitting, what stands in the way of
making BCP38 a condition of peering?
In other words ... if it's a problem of awareness, could upstreams
automate warning their downstreams? What
deferred
due to user complaints'.
Royce Williams
On Sat, Jan 4, 2014 at 6:05 AM, Miles Fidelman
mfidel...@meetinghouse.net wrote:
Hi Folks,
I run a few small email lists that have some yahoo users on them - and I
just started getting complaints about receiving multiple copies of messages
On Fri, Sep 6, 2013 at 6:27 AM, Naslund, Steve snasl...@medline.com wrote:
[snip]
1. We vote in a new executive branch every four years. They control and
appoint the NSA director. Vote them out if you don't like how they run
things. Do you think a President wants to maintain power? Of
On Fri, Sep 6, 2013 at 6:55 AM, Royce Williams ro...@techsolvency.com wrote:
Daniel Ellsberg's attempt to explain this to Kissinger is insightful. It's a
pretty quick read, with many layers of important observations. (It's Mother
Jones, but this content is apolitical):
http
On Fri, Sep 6, 2013 at 8:02 AM, Naslund, Steve snasl...@medline.com wrote:
I am unclear on what you mean by technical choice. Are you talking about a
technical solution to keep the government from seeing your traffic? That
will not work for two main reasons.
[good reasons snipped]
Ah, I
On Thu, Sep 5, 2013 at 9:28 AM, Kee Hinckley naz...@marrowbones.com wrote:
On Sep 4, 2013, at 9:47 PM, Leo Bicknell bickn...@ufp.org wrote:
I've got to apologize publicly to Yahoo! here as part of my issue was my own
stupidity. It appears in the past I've had multiple Yahoo! ID's and I was