Re: NYT covers China cyberthreat
::This all seems to be noobie stuff. There's nothing technically cool
::to see here

You mean the report or the activity?

You seem upset that they are using M$ only (target and source). They steal data!!! From whom to steal? From a guru that spends a minimum of 8 hours a day in front of *nix? Why put so much effort into stealing information from that guy, when there are thousands of people out there with vulnerable and easy to break M$? They aren't looking to do something cool, but just regular, plain old thief stuff. Targeting M$ users is easy, involves less resources and it's business profitable. You need to look at this action from a business perspective. IMO, why spend hours to break something (like *nix systems) that you don't even know if it contains valuable information? This is more like sniffing around to find something useful and not targeting an exact system.

Somebody here mentioned that this unit is not their top unit. I'm sure that it's not. Maybe it was meant to be found.

Cheers,
Calin

On Thu, 21 Feb 2013 01:29:48 +0100 Scott Weeks wrote:
> --- valdis.kletni...@vt.edu wrote:
>> The scary part is that so many things got hacked by a bunch of people who made the totally noob mistake of launching all their attacks from the same place
>
> This all seems to be noobie stuff. There's nothing technically cool to see here. All they do is spear phishing and, once the link is clicked, put in a backdoor that uses commonly available tools. As I suspected earlier it's M$ against M$ only. The downside is nontechnical folks in positions of power often have sensitive data on their computers, only know M$ and don't have the knowledge not to click on that bank email.
>
> Technically, it was 74 pages of yawn. Don't waste your time unless you're interested in how they found out where the attack was originating from and how they tied it to the .cn gov't.
>
> scott
Re: NYT covers China cyberthreat
The focus on platform here is ridiculous; can someone explain how the platform of attacker or target is extremely relevant? Since when did people fail to see that we have plenty of inter-platform tools and services, and plenty of tools for either platform built with the express purpose of interaction with the other? Just because you learned to code/operate on/for/with/from a *nix doesn't mean that teams of Chinese coders can't make a tool that gets the job done on/for/with/from a Windows box. Many people write many softwares of diverse purpose and use for many platforms. Platform is, as far as I can tell, moot in this discussion. Feel free to enlighten me.

Consider the US's indignation over the targeting of civilian or corporate intellectual property and the shifting of reality from preconceived expectation. I have had it explained to me as a purely ideological difference between the US and China. Simply put: just because we might find it immoral for state-sponsored espionage to feed stolen IP into the private sector doesn't mean that China will feel the same; to some, it is perceived as nationalistic, another way the government helps to strengthen the nation.

For another example of this, an acquaintance once told me about the process of getting internationally standardized technologies approved for deployment in China; the process that was described to me involved giving China the standards-based spec that had been drafted and approved, being told that for deployment, they would have to improve upon it in a laundry list of ways to bring it some 5-10 years ahead of the spec, and THEN it would be allowed to be deployed.

Whenever you have enough new players, or the game goes on long enough, the rules end up changing.

On Thu, Feb 21, 2013 at 12:28 AM, calin.chiorean calin.chior...@secdisk.net wrote:
> ::This all seems to be noobie stuff. There's nothing technically cool
> ::to see here
>
> You mean the report or the activity?
>
> You seem upset that they are using M$ only (target and source). They steal data!!! From whom to steal? From a guru that spends a minimum of 8 hours a day in front of *nix? Why put so much effort into stealing information from that guy, when there are thousands of people out there with vulnerable and easy to break M$? They aren't looking to do something cool, but just regular, plain old thief stuff. Targeting M$ users is easy, involves less resources and it's business profitable. You need to look at this action from a business perspective. IMO, why spend hours to break something (like *nix systems) that you don't even know if it contains valuable information? This is more like sniffing around to find something useful and not targeting an exact system.
>
> Somebody here mentioned that this unit is not their top unit. I'm sure that it's not. Maybe it was meant to be found.
>
> Cheers,
> Calin
>
> On Thu, 21 Feb 2013 01:29:48 +0100 Scott Weeks wrote:
>> --- valdis.kletni...@vt.edu wrote:
>>> The scary part is that so many things got hacked by a bunch of people who made the totally noob mistake of launching all their attacks from the same place
>>
>> This all seems to be noobie stuff. There's nothing technically cool to see here. All they do is spear phishing and, once the link is clicked, put in a backdoor that uses commonly available tools. As I suspected earlier it's M$ against M$ only. The downside is nontechnical folks in positions of power often have sensitive data on their computers, only know M$ and don't have the knowledge not to click on that bank email.
>>
>> Technically, it was 74 pages of yawn. Don't waste your time unless you're interested in how they found out where the attack was originating from and how they tied it to the .cn gov't.
>>
>> scott

--
Kyle Creyts
Information Assurance Professional
BSidesDetroit Organizer
Re: NYT covers China cyberthreat
On 21-Feb-13 04:25, Kyle Creyts wrote:
> For another example of this, an acquaintance once told me about the process of getting internationally standardized technologies approved for deployment in China; the process that was described to me involved giving China the standards-based spec that had been drafted and approved, being told that for deployment, they would have to improve upon it in a laundry list of ways to bring it some 5-10 years ahead of the spec, and THEN it would be allowed to be deployed.

My recent experience doing exactly this at $EMPLOYER doesn't match this story at all.

The main problem, as with several other second world countries, is that the standards you must comply with are only in the local language and you must make your submission in the local language as well. However, if you have a local technical presence, you can often get software approval (or a formal notice of exemption--even for products that contain dangerous features like encryption) in a matter of days or even hours. If you don't, it can drag on for months. Hardware testing can be even worse because it must be performed in their labs and can cost tens of thousands of dollars, but at least that doesn't have to be repeated each time you publish a new version of code.

In contrast, first world countries generally publish their standards in, and accept submissions in, English. They also tend not to care about software features, just hardware. The standards tend to be shared across countries (e.g. EU/EFTA and US/Canada), or at least they accept test results from third-party labs that can test for all such countries at the same time. As a result, many vendors simply don't bother going past that group--or do it so infrequently that they don't gain the institutional knowledge of how to navigate the approval processes in the other group successfully and with minimal effort/cost.

S

--
Stephen Sprunk      "God does not play dice."  --Albert Einstein
CCIE #3723          "God is an inveterate gambler, and He throws the
K5SSS               dice at every possible opportunity."  --Stephen Hawking
Re: NYT covers China cyberthreat
Scott Weeks wrote:
> Be sure to read the source: intelreport.mandiant.com/Mandiant_APT1_Report.pdf

Anybody happen to notice that the report sounds awfully like the scenario laid out in Tom Clancy's latest book, Threat Vector?

--
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra
Re: NYT covers China cyberthreat
On Thu, Feb 21, 2013 at 01:34:13AM +, Warren Bailey wrote:
> I can't help but wonder what would happen if US Corporations simply blocked all inbound Chinese traffic. Sure it would hurt their business, but imagine what the Chinese people would do in response.

Would it hurt their business? Really?

Well, if they're eBay, probably. If they're Joe's Fill Dirt and Croissants in Omaha, then probably not, because nobody, NOBODY in China is ever actually going to purchase a truckload of dirt or a tasty croissant from Joe. So would it actually matter if they couldn't get to Joe's web site or Joe's mail server or especially Joe's VPN server? Probably not. Nobody in Peru, Egypt, or Romania is likely to be buying from Joe any time soon either.

This is why I've been using geoblocking at the network and host levels for over a decade, and it works. But it does require that you make an effort to study and understand your own traffic patterns as well as your organizational requirements. [1]

I use it on a country-by-country basis (thank you ipdeny.com) and on a service-by-service basis: a particular host might allow http from anywhere, but ssh only from the country it's in. I also deny selected networks access to selected services, e.g., Amazon's cloud doesn't get access to port 25 because of the non-stop spam and Amazon's refusal to do anything about it. Anything on the Spamhaus DROP or EDROP lists (thank you Spamhaus) is not part of my view of the Internet. And so on.

Combined, all this achieves lossless compression of abusive traffic. This is not a security fix, per se; any services that are vulnerable are still vulnerable. But it does cut down on the attack surface as measured along one axis, which in turn reduces the scope of some problems and renders them more tractable to other approaches.

An even better approach, when appropriate, is to block everything and then only enable access selectively. This is a particularly good idea when defending things like ssh. Do you *really* need to allow incoming ssh from the entire planet? Or could the US, Canada, the UK and Germany suffice? If so, then why aren't you enforcing that? Do you really think it's a good idea to give someone with a 15-million member global botnet 3 or 5 or 10 brute-force attempts *per bot* before fail2ban or similar kicks in? I don't. I think 0 attempts per most bots is a much better idea. Let 'em eat packet drops while they try to figure out which subset of bots can even *reach* your ssh server.

Which brings me to the NYTimes, and the alleged hacking by the Chinese. Why, given that the NYTimes apparently handed wads of cash over to various consulting firms, did none of those firms get the NYTimes to make a first-order attempt at solving this problem? Why in the world was anything in their corporate infrastructure accessible from the 2410 networks and 143,067,136 IP addresses in China? Who signed off on THAT?

(Yes, yes, I *know* that the NYTimes has staff there, some permanently and some transiently. A one-off solution crafted for this use case would suffice. I've done it. It's not hard. And I doubt that it would need to work for more than, what, a few dozen of the NYTimes' 7500 employees? Clone and customize for Rio, Paris, Moscow, and other locations. This isn't hard either. Oh, and lock it out of everything that a field reporter/editor/photographer doesn't need, e.g., there is absolutely no way someone coming in through one of those should be able to reach the subscriber database.)

Two more notes: first, blocking inbound traffic is usually not enough. Blocks should almost always be bidirectional. [2] This is especially important for things like the DROP/EDROP lists, because then spam payloads, phishes, malware, etc. won't be able to phone home quite so readily, and while your users will still be able to click on links that lead to bad things...they won't get there.

Second, this may sound complex. It's not. I handle my needs with make, rsync, a little shell, a little perl, and other similar tools, but clearly you could do the same thing with any system configuration management setup. And with proper logging, it's not hard to discover the mistakes and edge cases, to apply suitable fixes and temporary point exceptions, and so on.

---rsk

[1] 'Now, your typical IT executive, when I discuss this concept with him or her, will stand up and say something like, "That sounds great, but our enterprise network is really complicated. Knowing about all the different apps that we rely on would be impossible! What you're saying sounds reasonable until you think about it and realize how absurd it is!" To which I respond, "How can you call yourself a 'Chief Technology Officer' if you have no idea what your technology is doing?" A CTO isn't going to know detail about every application on the network, but if you haven't got a vague idea what's going on it's impossible to do capacity planning, disaster planning, security planning,
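The per-service, per-country policy with a bidirectional DROP-list block that rsk describes above, as an added example that is not part of the thread or of rsk's own tooling: it makes the accept/drop decision in Python and emits the equivalent nftables ruleset. The one-CIDR-per-line country file layout (standing in for ipdeny.com downloads) and the "CIDR ; reference" DROP-list format are assumptions; the sample data is constructed from RFC 5737 documentation ranges.

```python
"""Per-service geoblocking with a bidirectional DROP-list block (added example).

Assumed inputs: one-CIDR-per-line country files as published by ipdeny.com and a
"CIDR ; reference" DROP/EDROP-style list. The data below is constructed from
RFC 5737 documentation ranges and stands in for the real downloads.
"""
from ipaddress import ip_address, ip_network

# Constructed stand-ins for per-country zone files.
ZONES = {
    "us": "192.0.2.0/24\n",
    "ca": "198.51.100.0/25\n",
    "de": "203.0.113.0/24\n# comments and blank lines are tolerated\n\n",
}
# Constructed stand-in for a DROP-style list ("CIDR ; SBL reference").
DROP_LIST = "198.51.100.128/25 ; SBL-CONSTRUCTED-1\n"

# Policy: which countries may reach each service; None means "from anywhere".
POLICY = {
    "ssh":   {"port": 22,  "countries": {"us", "ca"}},
    "https": {"port": 443, "countries": None},
}


def parse_cidrs(text):
    """Parse one-CIDR-per-line text, dropping ';' and '#' comments and blanks.

    strict=True rejects entries with host bits set, which catches a corrupted
    download before it turns into an over-broad (or no-op) firewall rule.
    """
    nets = []
    for line in text.splitlines():
        entry = line.split(";")[0].split("#")[0].strip()
        if entry:
            nets.append(ip_network(entry, strict=True))
    return nets


def load(zone_texts, drop_text):
    """Return ({country: [networks]}, [drop networks])."""
    return {cc: parse_cidrs(t) for cc, t in zone_texts.items()}, parse_cidrs(drop_text)


def _contains(nets, addr):
    return any(addr in n for n in nets)


def decide(addr_str, port, zones, drop, policy, direction="in"):
    """Return "drop" or "accept" for a packet from (in) or to (out) addr_str.

    Same order as the generated nft rules: the DROP list is enforced in both
    directions first, then the per-service country allowlist for inbound.
    """
    addr = ip_address(addr_str)
    if _contains(drop, addr):
        return "drop"               # DROP/EDROP space is not part of our Internet
    if direction == "out":
        return "accept"
    for svc in policy.values():
        if svc["port"] != port:
            continue
        if svc["countries"] is None:
            return "accept"
        allowed = [n for cc in svc["countries"] for n in zones[cc]]
        return "accept" if _contains(allowed, addr) else "drop"
    return "accept"                 # port not in policy: chain default applies


def render_nft(zones, drop, policy):
    """Emit an nftables ruleset implementing the same policy (text only)."""
    def nft_set(name, nets):
        lines = [f"    set {name} {{", "        type ipv4_addr", "        flags interval"]
        if nets:                    # "elements = { }" is a syntax error in nft
            lines.append("        elements = { " + ", ".join(map(str, nets)) + " }")
        lines.append("    }")
        return lines

    out = ["table inet geoblock {"] + nft_set("drop_v4", drop)
    inbound = ["        ip saddr @drop_v4 drop"]
    for name, svc in sorted(policy.items()):
        if svc["countries"] is None:
            continue                # open service: no allowlist set needed
        nets = [n for cc in sorted(svc["countries"]) for n in zones[cc]]
        out += nft_set(f"allow_{name}", nets)
        inbound.append(f"        tcp dport {svc['port']} ip saddr @allow_{name} accept")
        inbound.append(f"        tcp dport {svc['port']} drop")
    out += ["    chain input {",
            "        type filter hook input priority 0; policy accept;",
            *inbound, "    }",
            "    chain output {",
            "        type filter hook output priority 0; policy accept;",
            "        ip daddr @drop_v4 drop",   # bidirectional: no phoning home
            "    }", "}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    zones, drop = load(ZONES, DROP_LIST)
    print(render_nft(zones, drop, POLICY))
    for ip, port in (("192.0.2.9", 22), ("203.0.113.9", 22), ("198.51.100.200", 443)):
        print(ip, port, decide(ip, port, zones, drop, POLICY))
```

Feeding the real country and DROP files into `load` and piping `render_nft` output to `nft -f -` is the obvious next step; the generated chains default to accept, so tightening to rsk's "block everything, then enable selectively" means changing the input chain policy and adding explicit accepts.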
Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)
On 2/21/2013 12:03 AM, Scott Weeks wrote:
> I would sure be interested in hearing about hands-on operational experiences with encryptors. Recent experiences have left me with a sour taste in my mouth. blech!
>
> scott

Agreed. I've generally skipped the line side and stuck with L3 side encryption for the same reason.

Jack
Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)
On Thu, Feb 21, 2013 at 11:23 AM, Jack Bates jba...@brightok.net wrote:
> On 2/21/2013 12:03 AM, Scott Weeks wrote:
>> I would sure be interested in hearing about hands-on operational experiences with encryptors. Recent experiences have left me with a sour taste in my mouth. blech!
>>
>> scott
>
> Agreed. I've generally skipped the line side and stuck with L3 side encryption for the same reason.

and... some (most?) line-side encryptors light the line up fullspeed between the encryptors... if they are also attempting to suppress traffic analysis... so that can be costly if you don't own the whole pipe :)
Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)
Not to mention, the KG units are dot government only.. For obvious reasons.

From my Android phone on T-Mobile. The first nationwide 4G network.

-------- Original message --------
From: Christopher Morrow morrowc.li...@gmail.com
Date: 02/21/2013 8:37 AM (GMT-08:00)
To: Jack Bates jba...@brightok.net
Cc: nanog@nanog.org
Subject: Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)

On Thu, Feb 21, 2013 at 11:23 AM, Jack Bates jba...@brightok.net wrote:
> On 2/21/2013 12:03 AM, Scott Weeks wrote:
>> I would sure be interested in hearing about hands-on operational experiences with encryptors. Recent experiences have left me with a sour taste in my mouth. blech!
>>
>> scott
>
> Agreed. I've generally skipped the line side and stuck with L3 side encryption for the same reason.

and... some (most?) line-side encryptors light the line up fullspeed between the encryptors... if they are also attempting to suppress traffic analysis... so that can be costly if you don't own the whole pipe :)
RE: NYT covers China cyberthreat
> I can't help but wonder what would happen if US Corporations simply blocked all inbound Chinese traffic. Sure it would hurt their business, but imagine what the Chinese people would do in response

First thing is the Chinese government would rejoice since they don't want their citizens on our networks (except the ones they recruit for cyber warfare, they can get other address ranges for those guys).

Second thing is someone will make a ton of money bouncing Chinese traffic through somewhere else (and someone will create a SPAMHAUS like service to detect that, and so on, and so on, and so on).

Third thing is all the companies that do business in and around China would be screaming because tons of them use VPNs that are sourced from Chinese IP address space. Some people even like to travel and access things back home, you know weird stuff, like email, news, music, videos.

One of the biggest problems with geoblocking is that often the addresses do not reveal the true source of the traffic. If you block everything from China, you miss attacks sourced from China that are bouncing through bot networks with hosts worldwide. Remember Tor, it is built to defeat just that sort of security by obscuring source locations.

Corporations also often have egress points to the Internet in countries other than the one the user is in. If you block everything from China, then you are locking out any of your own personnel that travel internationally or any of your customers that travel. Who here has not surfed the web from a hotel room on business?

Anyone with malicious intent has a zillion ways to bypass that sort of security. Obscuring your source address is child's play. The management of the geoblocking will not be worth the minimal protection it provides. Trying to locate someone by address is a complete PITA in my opinion. If you go to Europe you will often get sent to the wrong Google sites because they attempt to locate you instead of just letting you put in the correct URL (if you are in the UK, it is not that hard to include .co.uk in your URL). I have been in the UK and gotten Google Germany and Google Spain for no apparent reason (except that carriers in Europe have addresses from all over the place because of mergers, alliances, and all sort of other arrangements).

Blocking networks by service will also be a management nightmare since addresses often change and new blocks get assigned and companies offer different services. Who manages all of that and who is going to tell you when something changes (the answer is nobody, you will know when stuff breaks)? If my network security guy had enough time to keep track of all of Amazon's address space and what services they are offering this week and all the services they host in their datacenters, I would fire him for having that much time on his hands. Can you keep track of all the stuff coming from Akamai and where all their servers are at on a continuing basis? Cloud services will make blocking by service nearly impossible since the network can reconfigure at any time. I would love to see this implementation in a large corporate or government network. What a huge game of whack a mole that is.

Seems to me that the time would be much better spent tuning up firewalls and securing hosts properly. I think geoblocking gives you nothing but a false sense of security.

I also believe that if you see an attack coming from China in particular it is because they WANT you to know it is coming from China. I would think any state sponsor conducting a very serious attack would conceal themselves better than that. I also believe that a lot of attacks that look like they are coming from China are actually coming from elsewhere. Think about this, if I am a hacker in the US, attacking a US victim, it would be a big advantage to look like I was coming from China because it almost guarantees no attempt to prosecute or track me down since everyone in this business knows that if it comes out of China you can't do anything about it.

I would not be surprised to find out China is letting their capabilities be known just to remind everyone of what the implications of messing with them is. Remember Doctor Strangelove, what good is a doomsday bomb if you don't tell anyone about it ?!?!?

Steven Naslund

-----Original Message-----
From: Rich Kulawiec [mailto:r...@gsp.org]
Sent: Thursday, February 21, 2013 10:00 AM
To: nanog@nanog.org
Subject: Re: NYT covers China cyberthreat

On Thu, Feb 21, 2013 at 01:34:13AM +, Warren Bailey wrote:
> I can't help but wonder what would happen if US Corporations simply blocked all inbound Chinese traffic. Sure it would hurt their business, but imagine what the Chinese people would do in response.

Would it hurt their business? Really?

Well, if they're eBay, probably. If they're Joe's Fill Dirt and Croissants in Omaha, then probably not, because nobody, NOBODY in China is ever actually going to purchase a truckload of
Re: NYT covers China cyberthreat
--- calin.chior...@secdisk.net wrote:
From: calin.chiorean calin.chior...@secdisk.net

> :: This all seems to be noobie stuff. There's nothing technically cool
> :: to see here
>
> You mean the report or the activity?
--------------------------------------

The activity.

> You seem upset that they are using M$ only (target and source).

I'm not upset. I'm pointing out what Steven Bellovin said in just a few words: "This strongly suggests that it's not their A-team..."

This is a technical mailing list where cutting edge stuff is discussed. The compromise was not using cutting edge stuff and, so, is a big yawn for this list. The report was mainly for reporters. That's why they had the "omg" sound byte bullet points at the top. It's also why they had to explain several low level things in detail.

snip

> Maybe it was meant to be found.

That is a definite possibility.

scott
Re: NYT covers China cyberthreat
Scott Weeks wrote:
> --- calin.chior...@secdisk.net wrote:
>> You seem upset that they are using M$ only (target and source).
>
> I'm not upset. I'm pointing out what Steven Bellovin said in just a few words: "This strongly suggests that it's not their A-team..."
>
> This is a technical mailing list where cutting edge stuff is discussed. The compromise was not using cutting edge stuff and, so, is a big yawn for this list.

Not to be pedantic, but I thought the list was about network operations - and as much (or more) about practice, than about cutting edge stuff. (Well maybe a little pedantic.)

From an operational point of view, unless I'm an exceptionally high-value target, I'm more likely to be threatened by the B-team (or C-team), than the A-team (recognizing, of course, that what the A-team is doing today, is what the script kiddies will be doing tomorrow).

Miles Fidelman

--
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra
Re: NYT covers China cyberthreat
--- kyle.cre...@gmail.com wrote:
From: Kyle Creyts kyle.cre...@gmail.com

> The focus on platform here is ridiculous; can someone explain how platform of attacker or target is extremely relevant? Since when did
--------------------------------------

It implies their skillset. Here's something I just saw that says it better than I can...

http://www.forbes.com/sites/andygreenberg/2013/02/21/the-shanghai-army-unit-that-hacked-115-u-s-targets-likely-wasnt-even-chinas-a-team/2/

scott
Re: NYT covers China cyberthreat
On Feb 20, 2013, at 9:07 PM, Steven Bellovin s...@cs.columbia.edu wrote:
> On Feb 20, 2013, at 1:33 PM, valdis.kletni...@vt.edu wrote:
>> On Wed, 20 Feb 2013 15:39:42 +0900, Randy Bush said:
>>> boys and girls, all the cyber-capable countries are cyber-culpable. you can bet that they are all snooping and attacking each other, the united states no less than the rest. news at eleven.
>>
>> The scary part is that so many things got hacked by a bunch of people who made the totally noob mistake of launching all their attacks from the same place
>
> This strongly suggests that it's not their A-team, for whatever value of "their" you prefer. (My favorite mistake was some of them updating their Facebook pages when their work took them outside the Great Firewall.) They just don't show much in the way of good operational security.

Mandiant apparently feels the same way: http://www.forbes.com/sites/andygreenberg/2013/02/21/the-shanghai-army-unit-that-hacked-115-u-s-targets-likely-wasnt-even-chinas-a-team/

--Steve Bellovin, https://www.cs.columbia.edu/~smb
Re: bgp for ipv6 question
On Thu, 14 Feb 2013 13:18:24 -0800, Owen DeLong said:
> On Feb 14, 2013, at 12:58 , Karl Auer ka...@biplane.com.au wrote:
>> On Thu, 2013-02-14 at 08:08 -0500, Jared Mauch wrote:
>>> I recommend keeping your network as congruent between IPv4 and IPv6 as possible, with dual-stack.
>>
>> Why?
>
> For one thing, doing otherwise violates the principle of least astonishment.

Amen to that. Not too long ago, I blew about 3 hours trying to debug an odd networking issue on my laptop - finally tracked it down to the fact that my IPv4 default route was pointing out the ethernet on the docking station, but IPv6 was defaulting to the wireless card. Took a while because I knew *damned* well that Fedora had long ago included my patch to allow specifying a preference metric for multiple interfaces, and that I had set it to prefer the ethernet when both were connected. Turns out that the patch worked just fine for v4, but nobody ever carried it forward for v6 (I probably should cook up a patch for the v6 side.. :)
Re: NYT covers China cyberthreat
On 2/21/2013 12:17 PM, Scott Weeks wrote:
> I'm not upset. I'm pointing out what Steven Bellovin said in just a few words: "This strongly suggests that it's not their A-team..."

The A-team doesn't get caught and detailed. The purpose of the other teams is to detect easy targets, handle easy jobs, and create lots of noise for the A-team to hide in.

Hacking has always had a lot in common with magic. Misdirection is a useful tool.

Jack
Re: Anyone know of a good InfiniBand vendor in the US?
I wanted to bring attention to the following draft proposal from Mellanox to export traffic information from InfiniBand switches:

http://sflow.org/draft_sflow_infiniband.txt

If you are an InfiniBand user, this is a great opportunity to think about the types of metrics that you would want from your switches in order to better understand performance. The operational sensibility that the NANOG audience brings is particularly valuable.

Comments on the proposal are welcome on the sFlow discussion group:

http://groups.google.com/group/sflow

On Wed, Feb 20, 2013 at 2:25 PM, Tom Ammon thomasam...@gmail.com wrote:
> IPoIB looks more like an application than a network protocol to Infiniband. The IB fabric doesn't have a concept of broadcast, so ARP works much differently than it does in the IPv4/ethernet world - basically an all-nodes multicast group handles the distribution of ARP messages.
>
> That said, the ib drivers that come with redhat/centos are pretty good, and you can always download the official OFED drivers from the OFA at https://www.openfabrics.org/linux-sources.html if the stuff in your linux distribution is missing something.
>
> I've set up IPoIB routers running 10G NICs on the ethernet side and QDR HCAs on the IB side, using quagga to plug in to the rest of my OSPF network, and it works fine. Basically you just need to set up quagga like you would if you were going to turn a linux box into an ethernet router and don't worry about the fact that it's actually IB on one side of the router - your network statements, etc., in OSPF in quagga won't change at all.
>
> You'll find that some things in IB have no equivalent to ethernet. For example, if you want to have gateway redundancy for traffic exiting the IB fabric, your first instinct will be to look for VRRP for IB, but you won't find it, because of the ARP differences I talked about above. To get around this you can set up linux-ha or some other type of heartbeat arrangement and bring up a virtual IP on the active gateway, which can be shifted over to the standby gateway when the ha scripts detect a problem. Some vendors also have proprietary solutions to this problem but they tend to be expensive.
>
> So, I'd say, read up on quagga and give that a try, and I think you'll find that as long as the IB drivers are up to snuff (the sminfo command returns valid results, etc.) it'll pretty much just work for you. I'm also happy to discuss more offline if you prefer.
>
> Tom
>
> On Tue, Feb 19, 2013 at 5:55 PM, Jon Lewis jle...@lewis.org wrote:
>> On Tue, 19 Feb 2013, Landon Stewart wrote:
>>> Oh by vendor I mean VAR I guess. Mostly I'm also wondering how an IB network handles IPoIB and how one uses IB with a gateway to layer 3 Ethernet switches or edge routers. If anyone has any resources that provide details on how this works and how ethernet VLANs are handled I'd appreciate it.
>>
>> My limited IB experience has been that the IB switch acts much like a dumb ethernet switch, caring only about which IB hardware addresses are reachable via which port. Routing between IPoIB and IP over ethernet can be done by any host with interfaces on both networks and IP forwarding enabled. In our setups, we've used IPoIB, but with 1918 addresses and not routed beyond the IB network.
>>
>> ----------------------------------------------------------------------
>>  Jon Lewis, MCP :)           |  I route
>>  Senior Network Engineer     |  therefore you are
>>  Atlantic Net                |
>> _________ http://www.lewis.org/~jlewis/pgp for PGP public key _________
>
> --
> Tom Ammon
> Network Engineer
> M: (801) 674-9273
> t...@tomsbox.net
bird rib dump
a friend trying to see if bird will be better than quagga for bgp recording can not see how to get rib dumps, as opposed to just updates. what are we missing?

randy
looking for terminology recommendations concerning non-rooted FQDNs
I'm trying to nail down some terminology for doc purposes.

The issue: most resources on the net freely describe a fully-qualified domain name ('FQDN') as to exclude the root domain; i.e., they exclude the trailing dot as mandated by some RFCs such as RFC 1535:

  http://www.ietf.org/rfc/rfc1535.txt

  An absolute rooted FQDN is of the format {name}{.}
  A non rooted domain name is of the format {name}

I'm trying to come up with some human-facing terminology that names these two forms:

  a.b.c.
  a.b.c

Many resources on the net use the term 'rooted domain name' for the former, but they're collectively ambiguous about what the other form should be called.

Does anyone here have any solid advice, or can point me to a resource that would call out useful conventions?

This was all fueled by Microsoft's client code apparently stripping the root domain from PTR record results; I'm separately trying to track down why that's occurring...

--
Brian Reichert reich...@numachi.com
BSD admin/developer at large
Re: NYT covers China cyberthreat
And so their bush league by itself was responsible for all the penetrations that mandiant says they did? Which shows that they don't have to be particularly smart, just a bit smarter than their average spear phish or other attack's victim.

On Friday, February 22, 2013, Jack Bates wrote:
> On 2/21/2013 12:17 PM, Scott Weeks wrote:
>> I'm not upset. I'm pointing out what Steven Bellovin said in just a few words: "This strongly suggests that it's not their A-team..."
>
> The A-team doesn't get caught and detailed. The purpose of the other teams is to detect easy targets, handle easy jobs, and create lots of noise for the A-team to hide in.
>
> Hacking has always had a lot in common with magic. Misdirection is a useful tool.
>
> Jack

--
--srs (iPad)
Re: bird rib dump
bird supposedly doesn't support rib dumps at this time.

Randy Bush wrote (2013/02/22 7:11):
> a friend trying to see if bird will be better than quagga for bgp recording can not see how to get rib dumps, as opposed to just updates. what are we missing?
>
> randy

--
### Eiichiro Watanabe
Internet Multifeed Co.
e-mail: watan...@mfeed.ad.jp
Re: NYT covers China cyberthreat
On Thu, Feb 21, 2013 at 3:58 PM, Jack Bates jba...@brightok.net wrote:
> The A-team doesn't get caught and detailed

no, the A-team has BA Baraccus... he pities the fool who gets caught and detailed... the last thing BA detailed was his black van.
Re: NYT covers China cyberthreat
On Fri, 22 Feb 2013 06:11:21 +0530, Suresh Ramasubramanian said:
> And so their bush league by itself was responsible for all the penetrations that mandiant says they did? Which shows that they don't have to be particularly smart, just a bit smarter than their average spear phish or other attack's victim.

As I said - that's the scary part. :)
Re: looking for terminology recommendations concerning non-rooted FQDNs
In message 20130221225540.ga99...@numachi.com, Brian Reichert writes:
> I'm trying to nail down some terminology for doc purposes.
>
> The issue: most resources on the net freely describe a fully-qualified domain name ('FQDN') as to exclude the root domain; i.e., they exclude the trailing dot as mandated by some RFCs such as RFC 1535:

RFC 1535 is Informational. It has no status to mandate anything.

>   http://www.ietf.org/rfc/rfc1535.txt
>
>   An absolute rooted FQDN is of the format {name}{.}
>   A non rooted domain name is of the format {name}
>
> I'm trying to come up with some human-facing terminology that names these two forms:
>
>   a.b.c.
>   a.b.c
>
> Many resources on the net use the term 'rooted domain name' for the former, but they're collectively ambiguous about what the other form should be called.
>
> Does anyone here have any solid advice, or can point me to a resource that would call out useful conventions?
>
> This was all fueled by Microsoft's client code apparently stripping the root domain from PTR record results; I'm separately trying to track down why that's occurring...

RFC 952 as modified by RFC 1123 describe the legal syntax of a hostname. There is no trailing period.

> --
> Brian Reichert reich...@numachi.com
> BSD admin/developer at large

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742    INTERNET: ma...@isc.org
Re: looking for terminology recommendations concerning non-rooted FQDNs
On Fri, 2013-02-22 at 16:57 +1100, Mark Andrews wrote:
> RFC 952 as modified by RFC 1123 describe the legal syntax of a hostname. There is no trailing period.

No - but a trailing period is a (common?) way to indicate that the name as given is complete, so in a lot of contexts a trailing period is at least not illegal, and is often usefully meaningful.

The best example is inside zone files, where a trailing period indicates that the origin should not be appended. It's used (by the resolver library?) to indicate that any domain search suffixes should not be attempted. In Firefox (and probably other browsers) it indicates that the browser should not try common suffixes like .com if the hostname provided does not resolve.

It's a convention common enough and useful enough that I can see why people would want a handy term for it.

Regards, K.

--
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://www.biplane.com.au/blog

GPG fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A
Old fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
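The rooted ("a.b.c.") versus non-rooted ("a.b.c") distinction that Brian, Mark and Karl discuss above, as an added example that is not part of the thread: it applies the zone-file origin rule, strips the trailing dot to reach the RFC 952/1123 hostname form (the transformation Brian saw applied to PTR results), and models the search-suffix behaviour. Modelling the search list on the ndots rule from resolver(5) is an assumption of this example, not something the posts state.

```python
"""Rooted ("a.b.c.") versus non-rooted ("a.b.c") names (added example).

The search-list ordering follows the ndots rule described in resolver(5);
treating that as the general client behaviour is an assumption of this example.
"""
import re

# RFC 1123 label: alphanumerics and hyphens, no leading/trailing hyphen, <= 63 chars.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_rooted(name):
    """True when the name carries the explicit root label ("a.b.c." or ".")."""
    return name.endswith(".")


def rooted_form(name):
    """Append the root label if it is missing."""
    return name if is_rooted(name) else name + "."


def hostname_form(name):
    """RFC 952/1123 hostname syntax has no trailing period, so strip it.

    This is the transformation a client applies when it hands a PTR result
    back to callers that expect a hostname rather than a domain name.
    """
    return name[:-1] if is_rooted(name) and name != "." else name


def is_valid_hostname(name):
    """Check the non-rooted form against RFC 1123 hostname syntax."""
    host = hostname_form(name)
    if not host or len(host) > 253:
        return False
    return all(_LABEL.match(label) for label in host.split("."))


def zone_qualify(owner, origin):
    """Zone-file rule: a rooted owner is taken as written, "@" means the
    origin, and any other name gets the origin appended."""
    origin = rooted_form(origin)
    if owner == "@":
        return origin
    if is_rooted(owner):
        return owner
    return owner + "." if origin == "." else owner + "." + origin


def search_candidates(name, search_list, ndots=1):
    """Names a stub resolver would try, in order.

    A rooted name is looked up exactly once, with no search suffixes; a
    non-rooted name is tried as-is before the suffixes only when it already
    has at least `ndots` dots, otherwise the suffixes are tried first.
    """
    if is_rooted(name):
        return [name]
    absolute = rooted_form(name)
    suffixed = [name + "." + rooted_form(s) for s in search_list]
    return [absolute] + suffixed if name.count(".") >= ndots else suffixed + [absolute]


if __name__ == "__main__":
    search = ["corp.example.", "example."]
    for n in ("intranet", "www.example.com", "www.example.com."):
        print(f"{n:18} -> {search_candidates(n, search)}")
    print(zone_qualify("www", "example.com."), zone_qualify("mail.example.net.", "example.com."))
    print(hostname_form("host.example.com."), is_valid_hostname("-bad.example.com"))
```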