date:20140414

Just a thought.  I keep thinking that Yahoo's publishing of their 
p=reject policy, and the subsequent massive denial of service to lost 
of list traffic might be viewed as a computer security incident.


Anybody think that reporting via CERT channels might be an appropriate 
response?


(I do, and probably will - but curious what others think.)

Miles Fidelman

--
In theory, there is no difference between theory and practice.
In practice, there is.    Yogi Berra

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread TGLASSEY


Yes Matthew it should. The question is whether they do or not.

Todd

On 4/14/2014 7:38 AM, Matthew Black wrote:

Shouldn't a decent OS scrub RAM and disk sectors before allocating them to 
processes, unless that process enters processor privileged mode and sets a call 
flag? I recall digging through disk sectors on RSTS/E to look for passwords and 
other interesting stuff over 30 years ago.

matthew black
california state university, long beach

-Original Message-
From: Randy Bush [mailto:ra...@psg.com]
Sent: Sunday, April 13, 2014 7:31 AM
To: Bengt Larsson
Cc: nanog@nanog.org
Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]


It's quite plausible that they watch the changes in open-source
projects to find bugs. They could do nice diffs and everything.

the point of open source is that the community is supposed to be doing this.  
we failed.

randy







--
-

Personal Email - Disclaimers Apply

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread TGLASSEY

Vladis is %100 on the money here. Lets take this a step farther and ask 
is there a criminal liability for the person who checked that code in - 
Oh you bet there is...


Todd

On 4/11/2014 5:49 PM, valdis.kletni...@vt.edu wrote:

On Sat, 12 Apr 2014 07:56:01 +1000, Matt Palmer said:


The interesting thing to me is that the article claims the NSA have been
using this for over two years, but 1.0.1 (the first vulnerable version)
was only released on 14 Mar 2012.  That means that either:
  * The NSA found it *amazingly* quickly (they're very good at what they do,
but I don't believe them have superhuman talents); or

You seriously think the NSA *isn't* watching the commits to security-relevant
open source?  Remember - it was a bonehead bug, it's *not* unreasonable for
somebody who was auditing the code to spot it.  Heck, there's a good chance that
automated tools could have spotted it.


--
-

Personal Email - Disclaimers Apply

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Matthew Petach

On Mon, Apr 14, 2014 at 9:27 AM, TGLASSEY tglas...@earthlink.net wrote:

 Vladis is %100 on the money here. Lets take this a step farther and ask is
 there a criminal liability for the person who checked that code in - Oh you
 bet there is...

 Todd


Thank you--I needed some humour in my
morning, I was starting to take the day too
seriously.  Thank you for putting a smile
back on my face, and giving me something
to laugh about today.   ^_^

Matt

Re: DMARC - CERT?

2014-04-14 Thread Laszlo Hanyecz

I don't see what the big deal is here.  They don't want your messages and they 
made that clear.  Their policy considers these messages spam.  If you really 
want to get your mailing list messages through, then you need to evade their 
filters just like every other spammer has to.

-Laszlo


On Apr 14, 2014, at 4:32 PM, Miles Fidelman mfidel...@meetinghouse.net wrote:

 Well... how about this, from Yahoo's own posting:
 We know there are about 30,000 affected email sending services, but we also 
 know that the change needed to support our new DMARC policy is important and 
 not terribly  difficult to implement.
 
 To me - this sure looks, smells, and quacks like a denial-of-service attack 
 against a system I operate, and the subscriber to the lists that I support -- 
 somewhat akin to exploding a bomb in a public square, and then taking credit 
 for it.
 
 Miles Fidelman
 
 -- 
 In theory, there is no difference between theory and practice.
 In practice, there is.    Yogi Berra

Re: DMARC - CERT?

2014-04-14 Thread Valdis . Kletnieks

On Mon, 14 Apr 2014 16:56:46 -, Laszlo Hanyecz said:
   If you really want to get your mailing list messages through,

The problem isn't the rest of us trying to mail to Yahoo.

The problem is when Yahoo users post to lists that use DMARC, and the
result is the yahoo user's mail getting bounced or dumped on the postmaster.


pgpb7noPKGPZd.pgp
Description: PGP signature

Re: DMARC - CERT?

Isn't it the other way around?  They don't want their users to be able 
to send to mailing lists.  They receive traffic from the lists just 
fine.  Their policy considers only effects mail originating from their 
users.  Yahoo subscribers can receive messages form nanog just fine, but 
they can't send to it.


Miles

Laszlo Hanyecz wrote:

I don't see what the big deal is here.  They don't want your messages and they 
made that clear.  Their policy considers these messages spam.  If you really 
want to get your mailing list messages through, then you need to evade their 
filters just like every other spammer has to.

-Laszlo


On Apr 14, 2014, at 4:32 PM, Miles Fidelman mfidel...@meetinghouse.net wrote:


Well... how about this, from Yahoo's own posting:
We know there are about 30,000 affected email sending services, but we also 
know that the change needed to support our new DMARC policy is important and 
not terribly  difficult to implement.

To me - this sure looks, smells, and quacks like a denial-of-service attack 
against a system I operate, and the subscriber to the lists that I support -- 
somewhat akin to exploding a bomb in a public square, and then taking credit 
for it.

Miles Fidelman

--
In theory, there is no difference between theory and practice.
In practice, there is.    Yogi Berra





--
In theory, there is no difference between theory and practice.
In practice, there is.    Yogi Berra

Re: DMARC - CERT?

2014-04-14 Thread Laszlo Hanyecz

By their statement it's obvious that yahoo doesn't care about what they broke.  
It's unfortunate that email has become so centralized that one entity can cause 
so much 'trouble'.  Maybe it's a good opportunity to encourage the affected 
mailing list subscribers to use their own domains for email, and host it 
themselves if possible.

-Laszlo


On Apr 14, 2014, at 5:05 PM, Miles Fidelman mfidel...@meetinghouse.net wrote:

 Isn't it the other way around?  They don't want their users to be able to 
 send to mailing lists.  They receive traffic from the lists just fine.  Their 
 policy considers only effects mail originating from their users.  Yahoo 
 subscribers can receive messages form nanog just fine, but they can't send to 
 it.
 
 Miles
 
 Laszlo Hanyecz wrote:
 I don't see what the big deal is here.  They don't want your messages and 
 they made that clear.  Their policy considers these messages spam.  If you 
 really want to get your mailing list messages through, then you need to 
 evade their filters just like every other spammer has to.
 
 -Laszlo
 
 
 On Apr 14, 2014, at 4:32 PM, Miles Fidelman mfidel...@meetinghouse.net 
 wrote:
 
 Well... how about this, from Yahoo's own posting:
 We know there are about 30,000 affected email sending services, but we also 
 know that the change needed to support our new DMARC policy is important 
 and not terribly  difficult to implement.
 
 To me - this sure looks, smells, and quacks like a denial-of-service attack 
 against a system I operate, and the subscriber to the lists that I support 
 -- somewhat akin to exploding a bomb in a public square, and then taking 
 credit for it.
 
 Miles Fidelman
 
 -- 
 In theory, there is no difference between theory and practice.
 In practice, there is.    Yogi Berra
 
 
 
 
 -- 
 In theory, there is no difference between theory and practice.
 In practice, there is.    Yogi Berra

Re: DMARC - CERT?

2014-04-14 Thread William Herrin

On Mon, Apr 14, 2014 at 1:03 PM,  valdis.kletni...@vt.edu wrote:
 The problem is when Yahoo users post to lists that use DMARC, and the
 result is the yahoo user's mail getting bounced or dumped on the postmaster.

Basically, this is just like old ORBS. If you were an ISP, you had to
check your local users' IP addresses smarthosting through your mail
server against ORBS or your mail server would inevitably be listed.

Now, as then, the solution is: if the domain has a DMARC listing, mail
addresses using it aren't permitted to post to the list.


As I tried to say before but was probably too subtle -- just flunk
validation for all DMARC-using messages, across the board without
exception, and then act on that failure as the DMARC DNS records
indicate that the sender wants you to. Especially the ones to abuse@
and your other POCs. That'll clean up the use of DMARC right quick.

Regards,
Bill Herrin



-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004

Re: DMARC - CERT?

On Mon, Apr 14, 2014 at 1:25 PM, Laszlo Hanyecz las...@heliacal.net wrote:
 By their statement it's obvious that yahoo doesn't care about what they 
 broke.  It's
 unfortunate that email has become so centralized that one entity can cause so
 much 'trouble'.  Maybe it's a good opportunity to encourage the affected 
 mailing list
 subscribers to use their own domains for email, and host it themselves if 
 possible.


I sort of wonder if this is really just yahoo trying to use a stick to
motivate people to do the right thing? It seems like everyone's been
trying for a while to 'make email better'... and that perhaps DMARC
will make it somewhat better, and if setup properly this is a
non-issue... after much faffing: Welp, how about we whack the
mail-lists (and others) with a stick and get movement int he right
direction?

not sure this is all bad... and i think the fix is pretty
straightforward for list folk, right? so all the faffing on this list
and others took longer to do than the fix-action?

-chris

Re: DMARC - CERT?

2014-04-14 Thread Matthew Petach

On Mon, Apr 14, 2014 at 10:25 AM, Laszlo Hanyecz las...@heliacal.netwrote:

 By their statement it's obvious that yahoo doesn't care about what they
 broke.  It's unfortunate that email has become so centralized that one
 entity can cause so much 'trouble'.  Maybe it's a good opportunity to
 encourage the affected mailing list subscribers to use their own domains
 for email, and host it themselves if possible.

 -Laszlo


So, I take it you prefer a world in which there's no sender
validation, and receiving floods of spoofed sender email
spam is just part of the price of being on the internet?

I'm finding myself vaguely annoyed that for so long
people have complained that big mail providers need
to clean up their act; and now, when one of them
decides to respond to the complaints and start
taking action to try to clean things up, the response
seems to be wait, we were happy just bitching
and moaning--we didn't want you to actually
*change* anything!

Matt

Re: DMARC - CERT?


Christopher Morrow wrote:

On Mon, Apr 14, 2014 at 1:25 PM, Laszlo Hanyecz las...@heliacal.net wrote:

By their statement it's obvious that yahoo doesn't care about what they broke.  
It's
unfortunate that email has become so centralized that one entity can cause so
much 'trouble'.  Maybe it's a good opportunity to encourage the affected 
mailing list
subscribers to use their own domains for email, and host it themselves if 
possible.


I sort of wonder if this is really just yahoo trying to use a stick to
motivate people to do the right thing? It seems like everyone's been
trying for a while to 'make email better'... and that perhaps DMARC
will make it somewhat better, and if setup properly this is a
non-issue... after much faffing: Welp, how about we whack the
mail-lists (and others) with a stick and get movement int he right
direction?

not sure this is all bad... and i think the fix is pretty
straightforward for list folk, right? so all the faffing on this list
and others took longer to do than the fix-action?


Well, if you consider writing software patches to complicated software 
simple.


And it would certainly help if the guidance on what to do is clearer - 
last week, dmarc.org's FAQ listed, as among the options for list operators:


Add an Original Authentication Results 
http://tools.ietf.org/html/draft-kucherawy-original-authres-00 (OAR) 
header to indicate that the list operator has performed authentication 
checks on the submitted message and share the results.  -- which would 
be transparent to list subscribers


but, as of a couple of days ago, that's qualified by:

*This is not a short term solution.* Assumes a mechanism to establish 
trust between the list operator and the receiver. No such mechanism is 
known to be in use for this purpose at this time. Without such a 
mechanism, bad actors could simply add faked OAR headers to their 
messages to circumvent such measures. OAR was only described as a draft 
document, which expired in 2012. No receivers implementing DMARC are 
currently known to make use of OAR from external sources.


So the low-impact (to end users) fix is now not recommended, and all the 
other available fixes require changes that degrade long-accepted 
functionality of mailing lists (e.g., the ability to reply to the author 
of a message).


Miles Fidelman




--
In theory, there is no difference between theory and practice.
In practice, there is.    Yogi Berra

Re: DMARC - CERT?

On Mon, Apr 14, 2014 at 1:33 PM, Matthew Petach mpet...@netflight.com wrote:

 So, I take it you prefer a world in which there's no sender
 validation, and receiving floods of spoofed sender email
 spam is just part of the price of being on the internet?

That is clearly not what this issue is about.

 I'm finding myself vaguely annoyed that for so long
 people have complained that big mail providers need
 to clean up their act; and now, when one of them
 decides to respond to the complaints and start
 taking action to try to clean things up, the response
 seems to be wait, we were happy just bitching
 and moaning--we didn't want you to actually
 *change* anything!

What yahoo didn't do was first tell their users to unsubscribe from
all mailinglists.

DMARC hasn't cut down on yahoo spam so far.   Yahoo's spam problem was
(is?) centered on account hijacks.

-Jim P.

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

On Sun, Apr 13, 2014 at 9:52 AM, Niels Bakker niels=na...@bakker.netwrote:

 At least one vendor, Akamai is helping out now:
 http://marc.info/?l=openssl-usersm=139723710923076w=2
 I hope other vendors will follow suit.


Although it appears they may now be regretting doing so...

http://www.techworld.com.au/article/542813/akamai_admits_its_openssl_patch_faulty_reissues_keys/

(Of course, the end result is positive, but...)

  Scott

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Patrick W. Gilmore

On Apr 14, 2014, at 15:47 , Scott Howard sc...@doc.net.au wrote:
 On Sun, Apr 13, 2014 at 9:52 AM, Niels Bakker niels=na...@bakker.netwrote:

 At least one vendor, Akamai is helping out now:
 http://marc.info/?l=openssl-usersm=139723710923076w=2
 I hope other vendors will follow suit.
 
 
 Although it appears they may now be regretting doing so...
 
 http://www.techworld.com.au/article/542813/akamai_admits_its_openssl_patch_faulty_reissues_keys/
 
 (Of course, the end result is positive, but...)

[NOTE: I'll just remind everyone up front that I worked at Akamai for a very 
long time, so take my comments with however many grains of salt you feel 
appropriate.]

If the only thing that happens when a large company steps up to help the open 
source community is ridicule and/or derision, one should probably not in the 
same breath ask why no companies are publishing any code.

I applaud Akamai for trying, for being courageous enough to post code, and for 
bucking the trend so many other companies are following by being more secretive 
every year.

Or we can flame anyone who tries, then wonder why no one is trying.

-- 
TTFN,
patrick



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread William Herrin

On Mon, Apr 14, 2014 at 3:59 PM, Patrick W. Gilmore patr...@ianai.net wrote:
 I applaud Akamai for trying, for being courageous enough to post
 code, and for bucking the trend so many other companies are
 following by being more secretive every year.

 Or we can flame anyone who tries, then wonder why no one is trying.

I thought vendors existed primarily as a place to hang the blame when
dealing with a manager or customer who just doesn't get it.

-Bill


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]


On 04/14/2014 12:59 PM, Patrick W. Gilmore wrote:

On Apr 14, 2014, at 15:47 , Scott Howard sc...@doc.net.au wrote:

On Sun, Apr 13, 2014 at 9:52 AM, Niels Bakker niels=na...@bakker.netwrote:



At least one vendor, Akamai is helping out now:
http://marc.info/?l=openssl-usersm=139723710923076w=2
I hope other vendors will follow suit.



Although it appears they may now be regretting doing so...

http://www.techworld.com.au/article/542813/akamai_admits_its_openssl_patch_faulty_reissues_keys/

(Of course, the end result is positive, but...)


[NOTE: I'll just remind everyone up front that I worked at Akamai for a very 
long time, so take my comments with however many grains of salt you feel 
appropriate.]

If the only thing that happens when a large company steps up to help the open 
source community is ridicule and/or derision, one should probably not in the 
same breath ask why no companies are publishing any code.

I applaud Akamai for trying, for being courageous enough to post code, and for 
bucking the trend so many other companies are following by being more secretive 
every year.

Or we can flame anyone who tries, then wonder why no one is trying.


Agreed ... review is good, comments on needed fixes are good, but saying 
that Akamai, should not be sending out non-functional, bug ridden 
patches to the OpenSSL community as Pinckaers did is not constructive.


Part of the problem here is the whole You can't play in my sandbox! 
attitude.


Doug

Re: DMARC - CERT?

On Mon, Apr 14, 2014 at 11:24 AM, Jim Popovitch jim...@gmail.com wrote:

 DMARC hasn't cut down on yahoo spam so far.   Yahoo's spam problem was
 (is?) centered on account hijacks.


I just checked my spam folder for the past month.

Out of about 80 messages from Yahoo, I can see about 3 that went via
Yahoo's mail servers. ie, 90% were/would have been blocked using DMARC.

Of course, I'm sure the spammers will simply start changing yahoo.com to
somethingelse.com once they realize - but from Yahoo's perspective, that's
obviously a positive.

Whilst I don't agree with the way that Yahoo has done this (particularly
around communication), I think the end result is only going to be positive.
 At a high level it's no different than when people started rejecting mail
from hosts without PTR records, or when ISPs started blocking outbound port
25 - they both caused things to break, and both caused people to have to
take action to fix the brokenness, but in the long run they were both
hugely positive.

  Scott

Re: DMARC - CERT?

On Mon, Apr 14, 2014 at 4:10 PM, Scott Howard sc...@doc.net.au wrote:
 Whilst I don't agree with the way that Yahoo has done this (particularly
 around communication),

how could they have communicated this better? how can we all learn from this?

-chris

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread bmanning

On Mon, Apr 14, 2014 at 03:59:21PM -0400, Patrick W. Gilmore wrote:
On Apr 14, 2014, at 15:47 , Scott Howard sc...@doc.net.au wrote:
On Sun, Apr 13, 2014 at 9:52 AM, Niels Bakker
niels=na...@bakker.netwrote:

At least one vendor, Akamai is helping out now:
http://marc.info/?l=openssl-usersm=139723710923076w=2
I hope other vendors will follow suit.

Although it appears they may now be regretting doing so...

http://www.techworld.com.au/article/542813/akamai_admits_its_openssl_patch_faulty_reissues_keys/

(Of course, the end result is positive, but...)

[NOTE: I'll just remind everyone up front that I worked at Akamai for a very
long time, so take my comments with however many grains of salt you feel
appropriate.]

If the only thing that happens when a large company steps up to help the open
source community is ridicule and/or derision, one should probably not in the
same breath ask why no companies are publishing any code.

I applaud Akamai for trying, for being courageous enough to post code, and
for bucking the trend so many other companies are following by being more
secretive every year.

Or we can flame anyone who tries, then wonder why no one is trying.

--
TTFN,
patrick

well, if $vendor publishes code frags, the code must have been vetted
and ready for
_my_ environment so i'll just cut/paste and then when it doesn't work,
its their
fault for leading me down the primrose path...

$vendor, that why I pay you... to read my mind! darn it.

/bill

Re: DMARC - CERT?


On 04/14/2014 01:20 PM, Christopher Morrow wrote:

On Mon, Apr 14, 2014 at 4:10 PM, Scott Howard sc...@doc.net.au wrote:

Whilst I don't agree with the way that Yahoo has done this (particularly
around communication),


how could they have communicated this better? how can we all learn from this?


The obvious ones would have been to announce a flag day somewhere far 
enough in advance to give list software devs time to adapt, and to work 
with list software devs on a solution.


Everyone involved in DMARC has known from day 1 that it will break 
mailing lists. There has been an enormous amount of whinging about this. 
(If you think NANOG is bad, you should see the IETF lists.) But if 
Yahoo! had stood up and said, We know that this mailing lists are a 
problem, but we think that the value of DMARC outweighs this because 
 and then actually set a data, maybe some of the whinging could 
have turned into actual productive work on fixing the problem.


Doug

Re: DMARC - CERT?

2014-04-14 Thread Matthias Leisi

On Mon, Apr 14, 2014 at 10:20 PM, Christopher Morrow 
morrowc.li...@gmail.com wrote:

 On Mon, Apr 14, 2014 at 4:10 PM, Scott Howard sc...@doc.net.au wrote:
  Whilst I don't agree with the way that Yahoo has done this (particularly
  around communication),

 how could they have communicated this better? how can we all learn from
 this?


They could have communicated, as in listen folks, we are going to make a
critical change that will affect mailing lists (etc...) in four weeks
time.

They could have made the change not late on a Friday afternoon (or well
into the weekend for most of the world).

-- Matthias

Re: DMARC - CERT?

On Mon, Apr 14, 2014 at 4:28 PM, Doug Barton do...@dougbarton.us wrote:
 The obvious ones would have been to announce a flag day somewhere far enough
 in advance to give list software devs time to adapt, and to work with list
 software devs on a solution.

where would they communicate this?
on the blog that matt pointed at?
in bgp announcements?
err... homepage?


-chris

(I watch the ietf list for this, and muted the conversation...)

Re: DMARC - CERT?

On Mon, Apr 14, 2014 at 4:34 PM, Matthias Leisi matth...@leisi.net wrote:
 They could have communicated, as in listen folks, we are going to make a
 critical change that will affect mailing lists (etc...) in four weeks time.

communicated it where?

 They could have made the change not late on a Friday afternoon (or well into
 the weekend for most of the world).

a friday change like this is not ideal... but, it looks like any time
change like this would have had fallout.

Re: DMARC - CERT?

On Mon, Apr 14, 2014 at 4:38 PM, Christopher Morrow
morrowc.li...@gmail.com wrote:
 On Mon, Apr 14, 2014 at 4:28 PM, Doug Barton do...@dougbarton.us wrote:
 The obvious ones would have been to announce a flag day somewhere far enough
 in advance to give list software devs time to adapt, and to work with list
 software devs on a solution.

 where would they communicate this?
 on the blog that matt pointed at?
 in bgp announcements?
 err... homepage?

What they should have done is followed their (the dmarc spec authors,
of which one works for Yahoo) own advice that dmarc wasn't for domains
with users.   But, hey, we all know it's hard to get good tech press
by simply sponsoring and spec'ing a backend tech solution for some
dark corner of the internet.

-Jim P.

Re: DMARC - CERT?

On Mon, Apr 14, 2014 at 1:39 PM, Christopher Morrow morrowc.li...@gmail.com
 wrote:

 On Mon, Apr 14, 2014 at 4:34 PM, Matthias Leisi matth...@leisi.net
 wrote:
  They could have communicated, as in listen folks, we are going to make a
  critical change that will affect mailing lists (etc...) in four weeks
 time.

 communicated it where?


The Internet.

A blog entry and a post to a few key relevant mailing lists would have
resulted in the message spreading far better than it was.  There's no way
that they could have communicated it to every mailing list admin on the
planet, but they could have at least given a heads-up to some major parts
of the community.

The great thing about the Internet is that if it's important enough to be
shared, you don't need to try too hard to make that happen - others will
look after it for you.  But you need to make the effort to get it started,
and Yahoo didn't do that here (or at least, they did, but they did it by
actually making the change by which time it was too late!)

  Scott

Re: DMARC - CERT?


On 04/14/2014 01:38 PM, Christopher Morrow wrote:

On Mon, Apr 14, 2014 at 4:28 PM, Doug Barton do...@dougbarton.us wrote:

The obvious ones would have been to announce a flag day somewhere far enough
in advance to give list software devs time to adapt, and to work with list
software devs on a solution.


where would they communicate this?


Well mailop for one.


on the blog that matt pointed at?


I suppose ... there used to be a Yahoo! mail blog but I think it got 
shut down.


BTW, another obvious benefit to announcing a flag day would have been to 
give more people time to set up DMARC. I haven't yet (on my personal 
mail server) because there hadn't been sufficient uptake to warrant it. 
Yahoo! telling everyone that they will be implementing it would have 
given people incentive.


Doug

Re: DMARC - CERT?

On Mon, Apr 14, 2014 at 4:39 PM, Christopher Morrow
morrowc.li...@gmail.com wrote:
 On Mon, Apr 14, 2014 at 4:34 PM, Matthias Leisi matth...@leisi.net wrote:
 They could have communicated, as in listen folks, we are going to make a
 critical change that will affect mailing lists (etc...) in four weeks time.

 communicated it where?

To their user base?   They could have easily sent an email
announcement to all their users explaining that the change would cause
problems when their users post to mailinglists.

-Jim P.

Re: DMARC - CERT?

On Mon, Apr 14, 2014 at 4:44 PM, Scott Howard sc...@doc.net.au wrote:
 On Mon, Apr 14, 2014 at 1:39 PM, Christopher Morrow
 morrowc.li...@gmail.com wrote:

 On Mon, Apr 14, 2014 at 4:34 PM, Matthias Leisi matth...@leisi.net
 wrote:
  They could have communicated, as in listen folks, we are going to make
  a
  critical change that will affect mailing lists (etc...) in four weeks
  time.

 communicated it where?


 The Internet.

I was trying, really, to be not-funny with my question.

if you're going to do something that has the potential to affect (say,
for example) email to a wide set of people, most of which are NOT your
direct users, how do you go about making that public?

'the internet' isn't really a good answer for 'how do you notify'.
Doug's note that: email mailops is good... but I'm not sure how many
people that run lists listen to mailops? (I don't ... i don't run any
big list, but...)

I also wonder about update cycles for software in this realm? and for
very larger list operators there's probably some customization and
such to hurdle over on the upgrade path, eh? so how much leadtime is
enough? how much is too much? 1yr seems like a long time - people will
forget, 1wk doesn't seem like enough to avoid firedrills and
un-intended bugs.

 A blog entry and a post to a few key relevant mailing lists would have

specifically which mail-lists?

 resulted in the message spreading far better than it was.  There's no way
 that they could have communicated it to every mailing list admin on the
 planet, but they could have at least given a heads-up to some major parts of
 the community.

 The great thing about the Internet is that if it's important enough to be
 shared, you don't need to try too hard to make that happen - others will
 look after it for you.  But you need to make the effort to get it started,
 and Yahoo didn't do that here (or at least, they did, but they did it by
 actually making the change by which time it was too late!)

   Scott

Re: DMARC - CERT?

On Mon, Apr 14, 2014 at 4:44 PM, Doug Barton do...@dougbarton.us wrote:
 On 04/14/2014 01:38 PM, Christopher Morrow wrote:

 On Mon, Apr 14, 2014 at 4:28 PM, Doug Barton do...@dougbarton.us wrote:

 The obvious ones would have been to announce a flag day somewhere far
 enough
 in advance to give list software devs time to adapt, and to work with
 list
 software devs on a solution.


 where would they communicate this?


 Well mailop for one.


Or even the dmarc mailing list(s) I've seen Yahoo operate over the
years, they are usually much better at orchestrating changes, which
suggests that this change wasn't well thought out (or possibly even
planned).

-Jim P.

Re: DMARC - CERT?

2014-04-14 Thread Rich Kulawiec

On Mon, Apr 14, 2014 at 10:33:40AM -0700, Matthew Petach wrote:
 So, I take it you prefer a world in which there's no sender
 validation, and receiving floods of spoofed sender email
 spam is just part of the price of being on the internet?

Sender validation means NOTHING in a world with hundreds of millions
of bots and hundreds of millions of email accounts that are either (a)
hijacked or (b) created at will by the bot herders.  My spamtraps see
spam all day every day from all over the world that passes whatever
alleged sender validation technology is the flavor-of-the-month.

Can it work in some isolated edge cases?  Sure.  Can it work
on an Internet scale?  No.

As I've said many times, email forgery is not the problem.  It's a symptom
of the problem, and the problem is rotten underlying security coupled
with negligent and incompetent operational practice.  But fixing that
is hard, and nobody -- not Yahoo and not anybody else either -- wants
to tackle it.  It's much easier to roll out stuff like this and pretend
that it works and write a press release and declare success.

---rsk

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

On Mon, Apr 14, 2014 at 12:59 PM, Patrick W. Gilmore patr...@ianai.net
wrote:

I applaud Akamai for trying, for being courageous enough to post code, and
 for bucking the trend so many other companies are following by being more
 secretive every year.


Just to be clear, so do I!  As I said, the end result was net positive -
within hours the fact they made this code snippet open source resulted in
it be available to many more eyeballs, and bugs in it being found.

By releasing the code, Akamai has not only helped the community (at least
as a starting point - even if their actual code had issues the concept is
good and no doubt will be improved upon by the wider community), but helped
themselves by discovering that they were operating under the mistaken
impression that their SSL keys were safe when potentially they were not.


On Mon, Apr 14, 2014 at 1:07 PM, Doug Barton do...@dougbarton.us wrote:

 Agreed ... review is good, comments on needed fixes are good, but saying
 that Akamai, should not be sending out non-functional, bug ridden patches
 to the OpenSSL community as Pinckaers did is not constructive.


Especially when the release specifically stated *This should really be
considered more of a proof of concept than something that you want to put
directly into production* and *do not just take this patch and put it
into production without careful review*.  Akamai made mistakes here, but
releasing what they obviously believed to be workable code in the way that
they did wasn't one of them.
  Scott

Re: DMARC - CERT?

On Mon, Apr 14, 2014 at 4:52 PM, Christopher Morrow
morrowc.li...@gmail.com wrote:

 if you're going to do something that has the potential to affect (say,
 for example) email to a wide set of people, most of which are NOT your
 direct users, how do you go about making that public?

 'the internet' isn't really a good answer for 'how do you notify'.
 Doug's note that: email mailops is good... but I'm not sure how many
 people that run lists listen to mailops? (I don't ... i don't run any
 big list, but...)

 I also wonder about update cycles for software in this realm? and for
 very larger list operators there's probably some customization and
 such to hurdle over on the upgrade path, eh? so how much leadtime is
 enough? how much is too much? 1yr seems like a long time - people will
 forget, 1wk doesn't seem like enough to avoid firedrills and
 un-intended bugs.

First, you don't start by telling mailinglist admins to NOT worry
about dmarc as they are a special case that will be
handled/whitelisted/etc.   The dmarc discussion archives (of which
Yahoo is a primary sponsor, and a Yahoo employee is one of the spec
authors) are full of discussions that clearly show no cause or care
about mailinglists.  I was told, several times, that mailinglists
would be ok, they would be whitelisted and that there was no need for
all my concern (well over 6 months ago).

-Jim P.

Re: DMARC - CERT?


Matthias Leisi wrote:

On Mon, Apr 14, 2014 at 10:20 PM, Christopher Morrow 
morrowc.li...@gmail.com wrote:


On Mon, Apr 14, 2014 at 4:10 PM, Scott Howard sc...@doc.net.au wrote:

Whilst I don't agree with the way that Yahoo has done this (particularly
around communication),

how could they have communicated this better? how can we all learn from
this?


They could have communicated, as in listen folks, we are going to make a
critical change that will affect mailing lists (etc...) in four weeks
time.

They could have made the change not late on a Friday afternoon (or well
into the weekend for most of the world).


On the weekend before tax filings are due in the US!  And a couple of 
days before Passover.


Miles


--
In theory, there is no difference between theory and practice.
In practice, there is.    Yogi Berra

Re: DMARC - CERT?


Christopher Morrow wrote:

On Mon, Apr 14, 2014 at 4:44 PM, Scott Howard sc...@doc.net.au wrote:

On Mon, Apr 14, 2014 at 1:39 PM, Christopher Morrow
morrowc.li...@gmail.com wrote:

On Mon, Apr 14, 2014 at 4:34 PM, Matthias Leisi matth...@leisi.net
wrote:

They could have communicated, as in listen folks, we are going to make
a
critical change that will affect mailing lists (etc...) in four weeks
time.

communicated it where?


The Internet.

I was trying, really, to be not-funny with my question.

if you're going to do something that has the potential to affect (say,
for example) email to a wide set of people, most of which are NOT your
direct users, how do you go about making that public?

'the internet' isn't really a good answer for 'how do you notify'.
Doug's note that: email mailops is good... but I'm not sure how many
people that run lists listen to mailops? (I don't ... i don't run any
big list, but...)

I also wonder about update cycles for software in this realm? and for
very larger list operators there's probably some customization and
such to hurdle over on the upgrade path, eh? so how much leadtime is
enough? how much is too much? 1yr seems like a long time - people will
forget, 1wk doesn't seem like enough to avoid firedrills and
un-intended bugs.


A blog entry and a post to a few key relevant mailing lists would have

specifically which mail-lists?




How about the support lists for all the email list packages they could 
think of - let's start with mailman, majordomo, listserve, listproc, 
sympa, ezmlm, .


Might have been nice if they'd offered some support for patching the 
open source ones.


Miles Fidelman

--
In theory, there is no difference between theory and practice.
In practice, there is.    Yogi Berra

Re: DMARC - CERT?

On Mon, Apr 14, 2014 at 5:24 PM, Miles Fidelman
mfidel...@meetinghouse.net wrote:
 Matthias Leisi wrote:

 On Mon, Apr 14, 2014 at 10:20 PM, Christopher Morrow 
 morrowc.li...@gmail.com wrote:

 On Mon, Apr 14, 2014 at 4:10 PM, Scott Howard sc...@doc.net.au wrote:

 Whilst I don't agree with the way that Yahoo has done this (particularly
 around communication),

 how could they have communicated this better? how can we all learn from
 this?

 They could have communicated, as in listen folks, we are going to make a
 critical change that will affect mailing lists (etc...) in four weeks
 time.

 They could have made the change not late on a Friday afternoon (or well
 into the weekend for most of the world).


 On the weekend before tax filings are due in the US!  And a couple of days
 before Passover.

and in the middle of Heartbleed.

It's enough to make you believe there was absolutely no care or
concern for others.

-Jim P.

Re: Yahoo DMARC breakage

2014-04-14 Thread Jay Hennigan

On 4/10/14 4:29 AM, Rich Kulawiec wrote:
 An aside:
 
 On Wed, Apr 09, 2014 at 05:15:59PM -0400, William Herrin wrote:
 Maybe this is a good thing - we can stop getting all the sorry I'm
 out of the office emails when posting to a list.
 
 I entirely support that goal, but my preferred solution is the complete
 eradication of the software (a lot of which makes mistakes that have
 been well-known as mistakes for decades) and thus the entire practice
 of setting up out of office messages.

As long as we're talking about complete eradication of software, please
include inane disclaimers sent to lists (as well as private email).

This type of thing

NOTICE:  This communication may contain confidential and/or privileged
information.  If you are not the intended recipient or believe that you
have received this communication in error you are obligated to kill
yourself and anyone else who may have read it, not necessarily in that
order.  So there.  My disclaimer is scarier than yours.  Nyaah.  You
started this silly nonsense.  Knock it off and I will too, ok?  It's
worthless from a legal standpoint and is responsible for the needless
suffering of billions of innocent electrons.  Nobody reads it anyway.
You're not actually reading this, are you?  I didn't think so.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

RE: DMARC - CERT?

2014-04-14 Thread rw...@ropeguru.com

Plus I guarantee that something this SIGNIFICANT would catch the attention of 
many tech news outlets, social sites, and many email lists if they had given 
due notice and allowed people time to digest the change. But, I guess since 
everything except their email has become pretty much irrelevant these days, 
they had to do something to get attention and try to be the big bully again.

I personally run only a couple of small email lists in which the subscribers 
are specifically added by me when someone wants on, and this has caused us, 
because the submitter has a long  time Yahoo email address and will not change, 
a huge headache. The sender has had to resort to sending email from Yahoo 
account multiple time in order to get the emails out to the 180+ subscribers. 
Some people cannot change their email due to having it for so long it is just 
not practical. Only other work around I have for this user is to give them a 
private email list on the email server where he can send from that is not a 
Yahoo address. This causes extra work because every email he wants to forward 
on, he must now first send it to the new private address, then login to the 
private email address web mail, then forward.

I have to agree with this others out there that Yahoo SHOULD, not COULD, have 
handled this a lot better. All the other big ISP's out there should be whipping 
Yahoo's a$$ about right now. But as usual, not a peep!

Robert

-Original Message-
From: Miles Fidelman [mailto:mfidel...@meetinghouse.net]
Sent: Monday, April 14, 2014 5:28 PM
Cc: NANOG
Subject: Re: DMARC - CERT?

Christopher Morrow wrote:
 On Mon, Apr 14, 2014 at 4:44 PM, Scott Howard sc...@doc.net.au wrote:
 On Mon, Apr 14, 2014 at 1:39 PM, Christopher Morrow
 morrowc.li...@gmail.com wrote:
 On Mon, Apr 14, 2014 at 4:34 PM, Matthias Leisi matth...@leisi.net
 wrote:
 They could have communicated, as in listen folks, we are going to
 make a critical change that will affect mailing lists (etc...) in
 four weeks time.
 communicated it where?

 The Internet.
 I was trying, really, to be not-funny with my question.

 if you're going to do something that has the potential to affect (say,
 for example) email to a wide set of people, most of which are NOT your
 direct users, how do you go about making that public?

 'the internet' isn't really a good answer for 'how do you notify'.
 Doug's note that: email mailops is good... but I'm not sure how many
 people that run lists listen to mailops? (I don't ... i don't run any
 big list, but...)

 I also wonder about update cycles for software in this realm? and for
 very larger list operators there's probably some customization and
 such to hurdle over on the upgrade path, eh? so how much leadtime is
 enough? how much is too much? 1yr seems like a long time - people will
 forget, 1wk doesn't seem like enough to avoid firedrills and
 un-intended bugs.

 A blog entry and a post to a few key relevant mailing lists would have
 specifically which mail-lists?



How about the support lists for all the email list packages they could
think of - let's start with mailman, majordomo, listserve, listproc,
sympa, ezmlm, .

Might have been nice if they'd offered some support for patching the
open source ones.

Miles Fidelman

--
In theory, there is no difference between theory and practice.
In practice, there is.    Yogi Berra

Re: DMARC - CERT?

2014-04-14 Thread Leo Bicknell


On Apr 14, 2014, at 3:58 PM, Rich Kulawiec r...@gsp.org wrote:

 As I've said many times, email forgery is not the problem.  It's a symptom
 of the problem, and the problem is rotten underlying security coupled
 with negligent and incompetent operational practice.  But fixing that
 is hard, and nobody -- not Yahoo and not anybody else either -- wants
 to tackle it.  It's much easier to roll out stuff like this and pretend
 that it works and write a press release and declare success.

I think you're on the right track, but still suggesting their is a
technical solution.  I submit there is not.

There is no car alarm that prevents all car thefts, no door lock that
prevents all burglaries.  No trigger lock that prevents all gun deaths,
no lane departure system that prevents all car crashes.

Spam cannot, and will never be solved by technological measures alone.
They can help reduce the levels in some cases, or squeeze the balloon
and move the spam to some other form.

Ultimately the way to reduce spam is to catch spammers, prosecute them,
and put them in prison.  The way we keep all of those other crimes low 
is primarily by enforcement; making the punishment not worth the crime.
With spam, the chance that a spammer will be punished is infinitesimal.
There are hundreds, or thousands, or tens of thousands of spammers for
every one that is put into jail.

If we'd put even 1% of the effort that's been thrown at technical measures
over the years into better laws, tools for law enforcement, and helping
them build cases we'd be several orders of magnitude better off than
technological solutions that are little more than wack-a-mole.

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/







signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: DMARC - CERT?


Jim Popovitch wrote:

On Mon, Apr 14, 2014 at 5:24 PM, Miles Fidelman
mfidel...@meetinghouse.net wrote:

Matthias Leisi wrote:

On Mon, Apr 14, 2014 at 10:20 PM, Christopher Morrow 
morrowc.li...@gmail.com wrote:


On Mon, Apr 14, 2014 at 4:10 PM, Scott Howard sc...@doc.net.au wrote:

Whilst I don't agree with the way that Yahoo has done this (particularly
around communication),

how could they have communicated this better? how can we all learn from
this?


They could have communicated, as in listen folks, we are going to make a
critical change that will affect mailing lists (etc...) in four weeks
time.

They could have made the change not late on a Friday afternoon (or well
into the weekend for most of the world).



On the weekend before tax filings are due in the US!  And a couple of days
before Passover.

and in the middle of Heartbleed.

It's enough to make you believe there was absolutely no care or
concern for others.



And.. it's worth contrasting the community response to Heartbleed - 
which didn't actually cause widespread denial of service!


Miles



--
In theory, there is no difference between theory and practice.
In practice, there is.    Yogi Berra

Re: DMARC - CERT?

On Mon, Apr 14, 2014 at 2:29 PM, Jim Popovitch jim...@gmail.com wrote:

  They could have made the change not late on a Friday afternoon (or well
  into the weekend for most of the world).
 
 
  On the weekend before tax filings are due in the US!  And a couple of
 days
  before Passover.

 and in the middle of Heartbleed.


You might have had a point - if it had been ANY of those.  Other than the
original claim of Friday afternoon it was none of those things.

  Scott

Re: DMARC - CERT?


Leo Bicknell wrote:


Ultimately the way to reduce spam is to catch spammers, prosecute them,
and put them in prison.  The way we keep all of those other crimes low
is primarily by enforcement; making the punishment not worth the crime.
With spam, the chance that a spammer will be punished is infinitesimal.
There are hundreds, or thousands, or tens of thousands of spammers for
every one that is put into jail.


Follow their money trails and take their bank accounts. Counterpunch 
with DDoS attacks.  Attack them with drones.


We're investing a lot of tax dollars into offensive cybersecurity - 
let's give those guys some practice!


Makes sense to me!

Re: DMARC - CERT?

On Mon, Apr 14, 2014 at 5:48 PM, Scott Howard sc...@doc.net.au wrote:
 On Mon, Apr 14, 2014 at 2:29 PM, Jim Popovitch jim...@gmail.com wrote:

  They could have made the change not late on a Friday afternoon (or well
  into the weekend for most of the world).
 
 
  On the weekend before tax filings are due in the US!  And a couple of
  days
  before Passover.

 and in the middle of Heartbleed.


 You might have had a point - if it had been ANY of those.  Other than the
 original claim of Friday afternoon it was none of those things.


7-April: Monday, Yahoo's dmarc change kicks everyone in the groin, the
last full week before the US tax filing deadline.

7-April: OpenSSL's *public* advisory (after a full week of private
notifications, of which yahoo surely was one tech company in on the
early notifications)

11-April: Yahoo discusses what needs to be done on their public tumblr account.


-Jim P.

RE: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Matthew Black

IIRC, the message was sent via courier instead of cable or telephone to prevent 
interception. Did the military not even trust its own cryptographic methods? Or 
did they not think withdrawal of the Japanese ambassador was not very critical?

matthew black
california state university, long beach

From: Donald Eastlake [mailto:d3e...@gmail.com]
Sent: Monday, April 14, 2014 8:28 AM
To: Matthew Black
Cc: William Herrin; nanog@nanog.org
Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

Matthew,

On Mon, Apr 14, 2014 at 10:48 AM, Matthew Black 
matthew.bl...@csulb.edumailto:matthew.bl...@csulb.edu wrote:
Also on this same idea, in his book The Puzzle Palace, James Bamford claims 
that we knew of the pending attack on Pearl Harbor but did nothing, because 
that would compromise we broke the Japanese Purple Cipher.

I assume you refers to pages 36 through 39 of The Puzzle Palace which is 
almost entirely a recounting of bureaucratic fumbling and delay. The 
sensitivity of a Purple Cipher decode did cause the intercepted information to 
be sent by a less immediate means to the US Naval authorities in Hawaii. 
Nevertheless, it was sent with every expectation that those authorities would 
receive it before the time of the attack. We do not know what those authorities 
would have done it they had received the intercept information as expected, 
instead of receiving it about 6 hours after the first bomb struck Pearl Harbor. 
Your implication that Bamford says we decided to do nothing bears no 
relationship to what Bamford actually wrote.

Thanks,
Donald
=
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e...@gmail.commailto:d3e...@gmail.com

matthew black
california state university, long beach

-Original Message-
From: William Herrin [mailto:b...@herrin.usmailto:b...@herrin.us]
Sent: Friday, April 11, 2014 2:06 PM
To: nanog@nanog.orgmailto:nanog@nanog.org
Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

On Fri, Apr 11, 2014 at 4:10 PM, Niels Bakker 
niels=na...@bakker.netmailto:na...@bakker.net wrote:
 Please go read up on some recent and less recent history before making
 judgments on what would be unusually gutsy for that group of people.

 I'm not saying this has been happening but you will have to come up
 with a better defense than it seems unlikely to me personally.

Let me know when someone finds the second shooter on the grassy knoll.
As for me, I do have some first hand knowledge as to exactly how sensitive 
several portions of the federal government are to the security of the servers 
which hold their data. They may not hold YOUR data in high regard... but the 
word sensitive does not do justice to the attention lavished on THEIR 
servers' security.

In WW2 we protected the secret of having cracked enigma by deliberately 
ignoring a lot of the knowledge we gained. So such things have happened. But we 
didn't use enigma ourselves -- none of our secrets were at risk. And our 
adversaries today have no secrets more valuable than our own.

-Bill

Re: DMARC - CERT?

On Mon, Apr 14, 2014 at 2:59 PM, Jim Popovitch jim...@gmail.com wrote:

 7-April: Monday, Yahoo's dmarc change kicks everyone in the groin, the
 last full week before the US tax filing deadline.


The change was made on the previous Friday, so that date is largely
irrelevant.

7-April: OpenSSL's *public* advisory (after a full week of private
 notifications, of which yahoo surely was one tech company in on the
 early notifications)


Given that many of their main services were vulnerable at the time of
public disclosure, I think that's a very large assumption to make...

If nothing else, I suspect the odds of it being known by the same people
that made the DMARC decision/changes is low.

  Scott

Re: DMARC - CERT?

On Mon, Apr 14, 2014 at 3:21 PM, Scott Howard sc...@doc.net.au wrote:

 7-April: OpenSSL's *public* advisory (after a full week of private
 notifications, of which yahoo surely was one tech company in on the
 early notifications)


 Given that many of their main services were vulnerable at the time of
 public disclosure, I think that's a very large assumption to make...


Based on the article below it would appear that Yahoo did NOT know about
Heartbleed at the time of public disclosure.

http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-what-and-when-20140414-zqurk.html

  Scott

Re: DMARC - CERT?

2014-04-14 Thread John Levine

In article cal9jlazjjppz7vzw2ue4qfqwrkcbu7cs1ed3uu1nhudhxxk...@mail.gmail.com 
you write:
On Mon, Apr 14, 2014 at 4:10 PM, Scott Howard sc...@doc.net.au wrote:
 Whilst I don't agree with the way that Yahoo has done this (particularly
 around communication),

how could they have communicated this better? how can we all learn from this?

Well, telling people in advance that they were planning to do it
rather than just dropping it on the world over the weekend would be a
good start.

R's,
John

Re: DMARC - CERT?


Jim Popovitch wrote:

On Mon, Apr 14, 2014 at 5:48 PM, Scott Howard sc...@doc.net.au wrote:

On Mon, Apr 14, 2014 at 2:29 PM, Jim Popovitch jim...@gmail.com wrote:

They could have made the change not late on a Friday afternoon (or well
into the weekend for most of the world).



On the weekend before tax filings are due in the US!  And a couple of
days
before Passover.

and in the middle of Heartbleed.


You might have had a point - if it had been ANY of those.  Other than the
original claim of Friday afternoon it was none of those things.


7-April: Monday, Yahoo's dmarc change kicks everyone in the groin, the
last full week before the US tax filing deadline.

7-April: OpenSSL's *public* advisory (after a full week of private
notifications, of which yahoo surely was one tech company in on the
early notifications)

11-April: Yahoo discusses what needs to be done on their public tumblr account.


14-April: 1st night of Passover
15-April: Tax Filings due in the US

--
In theory, there is no difference between theory and practice.
In practice, there is.    Yogi Berra

Re: DMARC - CERT?

On Mon, Apr 14, 2014 at 6:21 PM, Scott Howard sc...@doc.net.au wrote:
 On Mon, Apr 14, 2014 at 2:59 PM, Jim Popovitch jim...@gmail.com wrote:

 7-April: Monday, Yahoo's dmarc change kicks everyone in the groin, the
 last full week before the US tax filing deadline.


 The change was made on the previous Friday, so that date is largely
 irrelevant.

 7-April: OpenSSL's *public* advisory (after a full week of private
 notifications, of which yahoo surely was one tech company in on the
 early notifications)


 Given that many of their main services were vulnerable at the time of public
 disclosure, I think that's a very large assumption to make...

 If nothing else, I suspect the odds of it being known by the same people
 that made the DMARC decision/changes is low.

I think you are right on that, but that doesn't change the fact that
the sum of those things overburdened a lot of mailinglist operators.
It is what it is, and the press has covered it and mailinglists are
blocking/unsub'ing yahoo accounts in order to cope.

-Jim P.

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]


On 4/14/2014 9:38 AM, Matthew Black wrote:

Shouldn't a decent OS scrub RAM and disk sectors before allocating
them to processes, unless that process enters processor privileged
mode and sets a call flag? I recall digging through disk sectors on
RSTS/E to look for passwords and other interesting stuff over 30
years ago.


I have been out of the loop for quite a while but my strongly held 
belief is that such scrubbing would be an enormous (and intolerable) 
overhead in any but a classified system running up around secret or 
higher. (I know of a system in Silicon Valley where they would bring us 
core dumps to print because their system was down so hard.


The dump program would take about a third of a box of fanfold and stack 
it, still blank, as I recall, in the stacker.


Seems like the law of the land was If you did not set the value, you 
can make no assumptions about it.


--
Requiescas in pace o email   Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio  Infallibility, and the ability to
learn from their mistakes.
  (Adapted from Stephen Pinker)

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Randy Bush

 for those you can blame the vendor.  this one is owned by the
 community.  it falls on us to try to lower the probability of a next
 one by actively auditing source as our civic duty.
 is that kind of like jury duty?  if only it were more like literature,
 which we could read for enjoyment.

true.  also, as someone whacked me, far too many networkers can not read
code at all.

randy

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]


On 4/14/2014 2:59 PM, Patrick W. Gilmore wrote:


Or we can flame anyone who tries, then wonder why no one is trying.



Amen.

I was just thinking, after reading the umpteenth message here about 
spam, about the times in the 1990's that I was literally driven away 
because I was trying to get ahead of the spam problem (which was then a 
drop in the bucket as compared to now).



--
Requiescas in pace o email   Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio  Infallibility, and the ability to
learn from their mistakes.
  (Adapted from Stephen Pinker)

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]


On 4/14/2014 3:05 PM, William Herrin wrote:


I thought vendors existed primarily as a place to hang the blame when
dealing with a manager or customer who just doesn't get it.


Truth value very high.  Humor value, less than none.



--
Requiescas in pace o email   Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio  Infallibility, and the ability to
learn from their mistakes.
  (Adapted from Stephen Pinker)

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Michael Thomas


On 4/14/14 4:06 PM, Randy Bush wrote:

for those you can blame the vendor.  this one is owned by the
community.  it falls on us to try to lower the probability of a next
one by actively auditing source as our civic duty.

is that kind of like jury duty?  if only it were more like literature,
which we could read for enjoyment.

true.  also, as someone whacked me, far too many networkers can not read
code at all.




It's much, much worse than that. I can still read code plenty fine, but bugs 
can be
extremely obscure, and triply so with convoluted security code where people are
actively going after you to find problems in most inventive ways. Openssl, etc,
probably need to be treated more like Mars Landers than the typical github 
forkfest.

Mike

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Seth David Schoen

Larry Sheldon writes:

 On 4/14/2014 9:38 AM, Matthew Black wrote:
 Shouldn't a decent OS scrub RAM and disk sectors before allocating
 them to processes, unless that process enters processor privileged
 mode and sets a call flag? I recall digging through disk sectors on
 RSTS/E to look for passwords and other interesting stuff over 30
 years ago.
 
 I have been out of the loop for quite a while but my strongly held
 belief is that such scrubbing would be an enormous (and intolerable)
 overhead in any but a classified system running up around secret
 or higher. (I know of a system in Silicon Valley where they would
 bring us core dumps to print because their system was down so hard.

In 2005, Stanford researchers found that with careful design and
implementation, secure deallocation can be accomplished with minimal
overhead (roughly 1% for most workloads).

https://www.usenix.org/legacy/events/sec05/tech/full_papers/chow/chow.pdf

This is for the RAM case rather than the disk case; maybe disk is worse
because writes are more expensive.

-- 
Seth David Schoen sch...@loyalty.org  |  No haiku patents
 http://www.loyalty.org/~schoen/|  means I've no incentive to
  FD9A6AA28193A9F03D4BF4ADC11B36DC9C7DD150  |-- Don Marti

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Nathan Angelacos


On 04/14/2014 07:14 PM, Michael Thomas wrote:


It's much, much worse than that. I can still read code plenty fine, but
bugs can be
extremely obscure, and triply so with convoluted security code where
people are
actively going after you to find problems in most inventive ways.
Openssl, etc,
probably need to be treated more like Mars Landers than the typical
github forkfest.



You mean this one? http://en.wikipedia.org/wiki/Mars_Climate_Orbiter

;)

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread John Levine

In article 534c68f4@cox.net you write:
On 4/14/2014 9:38 AM, Matthew Black wrote:
 Shouldn't a decent OS scrub RAM and disk sectors before allocating
 them to processes, unless that process enters processor privileged
 mode and sets a call flag? I recall digging through disk sectors on
 RSTS/E to look for passwords and other interesting stuff over 30
 years ago.

I have been out of the loop for quite a while but my strongly held 
belief is that such scrubbing would be an enormous (and intolerable) 
overhead ...

It must be quite a while.  Unix systems have routinely cleared the RAM
and disk allocated to programs since the earliest days.

Pre-VM OS/360 may not have.

R's,
John

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]


On 4/14/2014 7:50 PM, John Levine wrote:

In article 534c68f4@cox.net you write:

On 4/14/2014 9:38 AM, Matthew Black wrote:

Shouldn't a decent OS scrub RAM and disk sectors before allocating
them to processes, unless that process enters processor privileged
mode and sets a call flag? I recall digging through disk sectors on
RSTS/E to look for passwords and other interesting stuff over 30
years ago.


I have been out of the loop for quite a while but my strongly held
belief is that such scrubbing would be an enormous (and intolerable)
overhead ...


It must be quite a while.  Unix systems have routinely cleared the RAM
and disk allocated to programs since the earliest days.

Pre-VM OS/360 may not have.


HP-UX did not.  Exec8 (OS1100) did not.  What ever it was we ran on the 
1401s and 360/30s (and 9300s) did not.


We manually zeroed core on the 707xs but even then we knew it was a 
wasted 3 minutes because that was only done before the firs run of the 
day and might not happen again for several days (because each daily 
cycle took several days in some offices).


MS-DOS and Windows (even still?) were notorious for not hurting 
deleted files.


Is the heartbleed bug not proof positive that it is not being done today?

--
Requiescas in pace o email   Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio  Infallibility, and the ability to
learn from their mistakes.
  (Adapted from Stephen Pinker)

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Michael Thomas


On 04/14/2014 05:02 PM, Nathan Angelacos wrote:

On 04/14/2014 07:14 PM, Michael Thomas wrote:


It's much, much worse than that. I can still read code plenty fine, but
bugs can be
extremely obscure, and triply so with convoluted security code where
people are
actively going after you to find problems in most inventive ways.
Openssl, etc,
probably need to be treated more like Mars Landers than the typical
github forkfest.



You mean this one? http://en.wikipedia.org/wiki/Mars_Climate_Orbiter

;)




That of course wasn't an orbiter, it was a splater. :)

Mike

Pearl Harbor

2014-04-14 Thread Donald Eastlake

This is getting pretty far afield so I thought I should at least
change the subject.

There was no initial withdrawal of the Japanese ambassador - it was
the Japanese withdrawing from negotiations with the USA over USA
demands -- essentially Japan declaring that it had given up on finding
compromise and would not accede to USA demands for Japanese troop
withdrawals.

There were two messages related to the negotiations from the Japanese
government to their embassy in Washington. The first was so long and
meandering, that it has to be broken into 14 parts for transmission.
Only in the final and 14th part, which was transmitted more than 24
hours after the first 13 parts were sent, did it direct the withdrawal
from negotiations. This was considered within the Japanese government
as tantamount to a declaration of war and it was felt that the attack
would be dishonorable if it was not communicated to the USA government
before the attack. Thus, there was a second much shorter message that
specifically directed that the withdrawal be communicated to the US
Government, if possible to the US Secretary of State, no later than
1pm later that day, Sunday December 7th. (It was immediately apparent
to the American's reading this message that 1pm in Washington was dawn
in Hawaii and probably the time of an attack.)

There were some other messages sent about the same time including one
ordering the Japanese embassy to destroy all cipher machines and
codes. There were delays in USA decryption and translation of all of
these messages. Then there was delay in getting what was clearly a
threat of war to someone in Washington high enough to take action. But
those were accomplished more than two hours before the attack. (The
Japanese embassy in Washington was by no means immune to bureaucracy
and delay and did not read the messages in time to implement then
before the attack.)

The fastest way to communicate with the US military in Hawaii would
have been analog scrambled telephone which was, correctly, considered
to be insecure and inappropriate for information derived from a Purple
intercept. Such scrambled calls had been unscrambled by other
countries before. So, it was given to the War Department's message
center, who said that it would be delivered directly within a half an
hour, after they encrypted it and sent it by radio. However,
atmospheric conditions blocked that method and the encrypted message
was given by the message center to a commercial wire carrier to send.
It arrived and was printed out at the carrier's office in Honolulu at
7:33am local time, 22 minutes before the first bomb fell. Although
obviously encrypted, it was apparently not marked for any special
urgent handling -- remember the sender had though it would arrive
directly at the military authorities in Hawaii over an hour earlier.
As a result, it was not actually delivered to those authorities until
2:40pm, after the attack was over, and not read until 20 minutes later
after decryption.

Thanks,
Donald
=
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e...@gmail.com

On Mon, Apr 14, 2014 at 6:09 PM, Matthew Black matthew.bl...@csulb.edu wrote:

 IIRC, the message was sent via courier instead of cable or telephone to 
 prevent interception. Did the military not even trust its own cryptographic 
 methods? Or did they not think withdrawal of the Japanese ambassador was not 
 very critical?



 matthew black

 california state university, long beach



 From: Donald Eastlake [mailto:d3e...@gmail.com]
 Sent: Monday, April 14, 2014 8:28 AM
 To: Matthew Black
 Cc: William Herrin; nanog@nanog.org


 Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]



 Matthew,



 On Mon, Apr 14, 2014 at 10:48 AM, Matthew Black matthew.bl...@csulb.edu 
 wrote:

 Also on this same idea, in his book The Puzzle Palace, James Bamford claims 
 that we knew of the pending attack on Pearl Harbor but did nothing, because 
 that would compromise we broke the Japanese Purple Cipher.



 I assume you refers to pages 36 through 39 of The Puzzle Palace which is 
 almost entirely a recounting of bureaucratic fumbling and delay. The 
 sensitivity of a Purple Cipher decode did cause the intercepted information 
 to be sent by a less immediate means to the US Naval authorities in Hawaii. 
 Nevertheless, it was sent with every expectation that those authorities would 
 receive it before the time of the attack. We do not know what those 
 authorities would have done it they had received the intercept information as 
 expected, instead of receiving it about 6 hours after the first bomb struck 
 Pearl Harbor. Your implication that Bamford says we decided to do nothing 
 bears no relationship to what Bamford actually wrote.


 Thanks,
 Donald
 =
  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
  155 Beaver Street, Milford, MA 01757 USA
  d3e...@gmail.com



 matthew

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]