Re: gmail security is a joke
On Wed, 27 May 2015 09:13:47 +0530, Anil Kumar said:

> that link, since I have two-step verification set up, I was presented with a demand for a number provided by the Google Authenticator app on my phone. I provided that number and only then was I allowed to reset the password.

And you have to pre-register the phone number. Sounds about as secure as you're going to get when trying to scale to 10 digits of users.

And as I said earlier - if your threat model involves needing more security than that, you have bigger problems.. :)
Re: gmail security is a joke
On 5/27/2015 03:17, valdis.kletni...@vt.edu wrote:

> On Wed, 27 May 2015 09:13:47 +0530, Anil Kumar said:
>
>> that link, since I have two-step verification set up, I was presented with a demand for a number provided by the Google Authenticator app on my phone. I provided that number and only then was I allowed to reset the password.
>
> And you have to pre-register the phone number. Sounds about as secure as you're going to get when trying to scale to 10 digits of users
>
> And as I said earlier - if your threat model involves needing more security than that, you have bigger problems.. :)

As they say, I no longer have a dog in this fight beyond myself and to an extent (advisory capacity) my wife, but I have been having trouble understanding the concept of organizations (network operators) with large and legitimate concerns for security issues, using gmail.

--
sed quis custodiet ipsos custodes? (Juvenal)
Re: looking glass software
On 27/May/15 06:52, Bogdan wrote:

> hello
>
> what software do you use for looking glass. for cisco ios and ios-xr?
> i use the old cougar/version6.net for ios, but ios-xr is not supported.
> i came across https://github.com/tmshlvck/ulg/ but didn't install it yet.
> are there any other interesting lg's out there?

That's the one we use, but we run it against IOS. Should also work for IOS XE. I think I've seen some folk use it for Junos as well.

Mark.
Re: Multiple vendors' IPv6 issues
On 27/May/15 01:27, Ca By wrote:

> Had ipv4 ever hurt you ?

Me too. IPv4 still hurts me (in some ways, worse than IPv6), and it's 2015. Figures...

You just need to open cases with your vendors and help them fix these issues. Sadly, no way around this. Software is not perfect. The humans that write it, even less so.

Mark.
Re: Multiple vendors' IPv6 issues
On Tue, 26 May 2015, David Sotnick wrote:

> Arista EOS code — and it only appears to affect Virtual Machines which are behind our RedHat Enterprise Virtualization cluster. None of the hundreds of VMware-connected hosts are affected. The symptom is basically the same as the Palo Alto bug. Neighbor table gets in some weird state where ND

Is VMWare contributing somehow to the problem?

Marcin
Re: gmail security is a joke
On (2015-05-27 14:19 +0200), Owen DeLong wrote:

Hey,

> If someone has the ability to hijack your BGP, then you've got bigger problems than having them take over your Gmail account.

This is second reply to this notion. I don't understand what is attempted to communicate. I'm sure no one on nanog thinks BGP hijacks are rare, difficult or yield to consequences when called out.

> That's interesting… Why do you choose to give access to your personal SMS messages to so many of your coworkers?

I don't, but they can provision my number to any SIM they want to.

--
  ++ytti
Re: gmail security is a joke
On 27 May 2015, at 13:19, Owen DeLong wrote:

> If someone has the ability to hijack your BGP, then you've got bigger problems than having them take over your Gmail account.

Could we perhaps summarise this entire thread with "if you have tighter security requirements for your e-mail than a particular e-mail provider can give you, host your e-mail somewhere else"?

Also, if you get a stabbing pain in your eye every time you drink tea, take the spoon out of the cup.

Joe
Re: gmail security is a joke
Security is an illusion - Confucius probably

On Wed, May 27, 2015 at 8:42 AM, Joel Maslak jmas...@antelope.net wrote:

> I also suspect not every telco validates number porting requests against social engineering properly. A telephone number isn't something you have, it is something your provider has.
>
> On Wednesday, May 27, 2015, Saku Ytti s...@ytti.fi wrote:
>
>> On (2015-05-27 14:19 +0200), Owen DeLong wrote:
>>
>> Hey,
>>
>>> If someone has the ability to hijack your BGP, then you've got bigger problems than having them take over your Gmail account.
>>
>> This is second reply to this notion. I don't understand what is attempted to communicate. I'm sure no one on nanog thinks BGP hijacks are rare, difficult or yield to consequences when called out.
>>
>>> That's interesting… Why do you choose to give access to your personal SMS messages to so many of your coworkers?
>>
>> I don't, but they can provision my number to any SIM they want to.
>>
>> --
>>   ++ytti
Re: gmail security is a joke
On May 26, 2015, at 6:11 PM, Saku Ytti s...@ytti.fi wrote:

> On (2015-05-26 17:44 +0200), Owen DeLong wrote:
>
> Hey,
>
>> I think opt-out of password recovery choices on a line-item basis is not a bad concept.
>
> This sounds reasonable. At least then you could decide which balance of risk/convenience fits their use-case for given service.
>
>> OTOH, recovery by receiving a token at a previously registered alternate email address seems relatively secure to me and I wouldn't want to opt out of that.
>
> It's probably machine sent in seconds or minute after request, so doing short-lived BGP hijack of MX might be reasonably easy way to get the email.

If someone has the ability to hijack your BGP, then you've got bigger problems than having them take over your Gmail account.

>> Recovery by SMS to a previously registered phone likewise seems reasonably secure and I wouldn't want to opt out of that, either.
>
> I have tens of coworkers who could read my SMS.

That's interesting… Why do you choose to give access to your personal SMS messages to so many of your coworkers?

>> Really, you don't need to strongly authenticate a particular person for these accounts. You need, instead, to authenticate that the person attempting recovery is reasonably likely to be the person who set up the account originally, whether or not they are who they claimed to be at that time.
>
> As long as user has the power to choose which risks are worth carrying, I think it's fine. For my examples, I wouldn't care about email/SMS risk if it's linkedin/twitter/facebook account. But if it's my domain hoster, I probably wouldn't want to carry either risk, as the whole deck of cards collapses if you control my domains (all email recoveries compromised)

We agree that different risks are appropriate for different levels of sensitivity.

Owen
Re: gmail security is a joke
You can also register a U2F key.

On Wed, May 27, 2015 at 3:17 AM, valdis.kletni...@vt.edu wrote:

> On Wed, 27 May 2015 09:13:47 +0530, Anil Kumar said:
>
>> that link, since I have two-step verification set up, I was presented with a demand for a number provided by the Google Authenticator app on my phone. I provided that number and only then was I allowed to reset the password.
>
> And you have to pre-register the phone number. Sounds about as secure as you're going to get when trying to scale to 10 digits of users
>
> And as I said earlier - if your threat model involves needing more security than that, you have bigger problems.. :)
RE: SAS Drive Enclosure
I am primarily wanting something that will act like a DELL MD1200, SAS connected to a server, then run a clustered filesystem on the server(s) which will serve up NFS or iSCSI to client devices.

Graham Johnston
Network Planner
Westman Communications Group
204.717.2829
johnst...@westmancom.com
think green; don't print this email.

-----Original Message-----
From: Jameson, Daniel [mailto:daniel.jame...@tdstelecom.com]
Sent: Tuesday, May 26, 2015 3:11 PM
To: Ray Van Dolson; Graham Johnston
Cc: 'nanog@nanog.org'
Subject: RE: SAS Drive Enclosure

What are you thinking for connectivity, Ethernet, FiberChannel, Infiniband ... Building *Storage Nodes* or in need of just drive connectivity?

-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ray Van Dolson
Sent: Tuesday, May 26, 2015 2:53 PM
To: Graham Johnston
Cc: 'nanog@nanog.org'
Subject: Re: SAS Drive Enclosure

On Tue, May 26, 2015 at 07:19:59PM +, Graham Johnston wrote:
> I am looking for information about SAS drive enclosures, is there a list like NANOG that covers that area of IT? I am specifically looking for an enclosure that can handle 12 or more drives, I am looking to create a clustered file system between multiple servers and would like to avoid a drive enclosure that only works with a very small number of approved drives. I am looking to support traditional HDDs as well as SSDs.

There were discussions at some point about setting up a storage-centric list via SNIA or something else fairly 'neutral'. Never really materialized, however. Lists like lopsa-tech and the LISA/USENIX SAGE list are general enough you might get some good responses.

WRT your question, we've had good luck with the Dell MD1200 line of JBODs.

Ray
Re: gmail security is a joke
I also suspect not every telco validates number porting requests against social engineering properly. A telephone number isn't something you have, it is something your provider has.

On Wednesday, May 27, 2015, Saku Ytti s...@ytti.fi wrote:

> On (2015-05-27 14:19 +0200), Owen DeLong wrote:
>
> Hey,
>
>> If someone has the ability to hijack your BGP, then you've got bigger problems than having them take over your Gmail account.
>
> This is second reply to this notion. I don't understand what is attempted to communicate. I'm sure no one on nanog thinks BGP hijacks are rare, difficult or yield to consequences when called out.
>
>> That's interesting… Why do you choose to give access to your personal SMS messages to so many of your coworkers?
>
> I don't, but they can provision my number to any SIM they want to.
>
> --
>   ++ytti
Indy Telcom Center
Can anyone here tell a bit of a history on the Indy Telcom Center? What operators (network and datacenter) have occupied what properties over the years? There's about a dozen buildings that were all railroad related in the past. You can see abandoned tracks running through the property at different places.

http://www.indytelcom.com/IndyTelcom%20Property%20Map.pdf

For instance, at one point Avaya's name was attached to 740 W. Henry. I think it was through an acquisition that they did. The last name attached to that property appears to have been Zenality, but they appear dead. There didn't appear to be any activity (air conditioners, etc.) from the building the last time I was there.

730 W. Henry shows up in Google as SP Telcom. I think I saw a Verizon logo on the door when I was last there, but I didn't document it to be sure.

701 W. Henry is now 365 Datacenters, but was Equinix. Being Equinix and not in a major market, I assume it was a Switch and Data property. Not sure what else has or does operate out of there.

733 W. Henry is LifeLine DataCenter and seems to have been for quite some time. We've got a presence there.

731 W. Henry is Lightbound datacenter. I think they have another one as well on the NE side of the campus.

Are 650 W. Henry and 550 S. Kentucky the same building?

710 S. Kentucky seems to now be an AT&T MSC, but not sure whose it was originally.

720 S. Kentucky, WilTel POP?

800 Oliver seems to be under a few hats including Paragon and GAP. Not sure what's going on there.

Some of the remaining buildings are other datacenters or carrier POPs, but I have less on them.

-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest Internet Exchange
http://www.midwest-ix.com
Re: SAS Drive Enclosure
MD1200 is a great bet then. Other options --

SuperMicro has lots:
http://www.supermicro.com/products/chassis/2U/?chs=216

Quanta:
http://www.quantaqct.com/Product/Rack-Systems/Rackgo-X/JBODs/JBR-p247c77c86c88c92

On Wed, May 27, 2015 at 01:06:09PM +, Graham Johnston wrote:
> I am primarily wanting something that will act like a DELL MD1200, SAS connected to a server, then run a clustered filesystem on the server(s) which will serve up NFS or iSCSI to client devices.
>
> Graham Johnston
> Network Planner
> Westman Communications Group
> 204.717.2829
> johnst...@westmancom.com
> think green; don't print this email.
>
> -----Original Message-----
> From: Jameson, Daniel [mailto:daniel.jame...@tdstelecom.com]
> Sent: Tuesday, May 26, 2015 3:11 PM
> To: Ray Van Dolson; Graham Johnston
> Cc: 'nanog@nanog.org'
> Subject: RE: SAS Drive Enclosure
>
> What are you thinking for connectivity, Ethernet, FiberChannel, Infiniband ... Building *Storage Nodes* or in need of just drive connectivity?
>
> -----Original Message-----
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ray Van Dolson
> Sent: Tuesday, May 26, 2015 2:53 PM
> To: Graham Johnston
> Cc: 'nanog@nanog.org'
> Subject: Re: SAS Drive Enclosure
>
> On Tue, May 26, 2015 at 07:19:59PM +, Graham Johnston wrote:
>> I am looking for information about SAS drive enclosures, is there a list like NANOG that covers that area of IT? I am specifically looking for an enclosure that can handle 12 or more drives, I am looking to create a clustered file system between multiple servers and would like to avoid a drive enclosure that only works with a very small number of approved drives. I am looking to support traditional HDDs as well as SSDs.
>
> There were discussions at some point about setting up a storage-centric list via SNIA or something else fairly 'neutral'. Never really materialized, however. Lists like lopsa-tech and the LISA/USENIX SAGE list are general enough you might get some good responses.
>
> WRT your question, we've had good luck with the Dell MD1200 line of JBODs.
>
> Ray
Re: gmail security is a joke
> The OP was correct, if they can send you your cleartext password then their security practices are inadequate, period. Unless I misunderstand what you're saying (I sort of hope I do) this is Security 101.

As I've said a couple of times already, but perhaps without the capital letters, from a security point of view, generating a NEW PASSWORD and sending it in cleartext is no worse than sending you a one time reset link. Either way, if a bad guy can intercept your mail, you lose.

A few moments' thought will confirm this has nothing to do with the way passwords are stored within the mail system's database.

R's,
John
Re: gmail security is a joke
On May 27, 2015, at 11:22, John R. Levine jo...@iecc.com wrote:

> As I've said a couple of times already, but perhaps without the capital letters, from a security point of view, generating a NEW PASSWORD and sending it in cleartext is no worse than sending you a one time reset link. Either way, if a bad guy can intercept your mail, you lose.

Well, no… a one time reset link is infinitely better than sending a cleartext password, assuming you don't have to immediately change the password. A reset link, being usable once, means that you can detect if an attacker has already used it. If you use it first, the attacker has a useless link. If an attacker gets a cleartext password, you probably can't detect interception.

Cheers,
-j
Re: gmail security is a joke
On May 27, 2015 at 14:22 jo...@iecc.com (John R. Levine) wrote:

>> The OP was correct, if they can send you your cleartext password then their security practices are inadequate, period. Unless I misunderstand what you're saying (I sort of hope I do) this is Security 101.
>
> As I've said a couple of times already, but perhaps without the capital letters, from a security point of view, generating a NEW PASSWORD and sending it in cleartext is no worse than sending you a one time reset link. Either way, if a bad guy can intercept your mail, you lose.
>
> A few moments' thought will confirm this has nothing to do with the way passwords are stored within the mail system's database.

Sure, I agree, but that's not what the post I was responding to was discussing so caps wouldn't make much difference.

But only the link can be secured by asking a security question before first use. For the cleartext password an attacker only has to wait for you to answer the question and hope you don't immediately change the password.

I suppose asking a question on first use of a new cleartext password AND forcing you to change that password immediately is about the same as the link, particularly if it doesn't let you use that same password.

But storing cleartext passwords, encrypted or not, is a bad and indefensible practice.

I remember a common dial-up login protocol which required the server to encrypt initial interaction with the customer's password so you absolutely had to have their cleartext password if they were ever to log in again. What was it, PAP or CHAP or something like that. Ugh, we resisted that.

--
        -Barry Shein

The World              | b...@theworld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*
Re: gmail security is a joke
One weakness with sending a new cleartext password rather than a link is that a cleartext password (probably) has to be engineered to be easy to type in and maybe even remembered. Typically one uses some concatenation of CVC (consonant-vowel-consonant) with common punctuations and/or digits otherwise chosen randomly so something like pom%mur or kiv_ler for 7 chars anyhow, maybe add a digit or two, pom%mur87.

A link can be much more random, just some long (64 char or more) string of hexified nonsense for example since the user presumably just clicks it and doesn't have to read it or type it in or worse remember it.

SOO...an attacker could study your cleartext password generation algorithm which for a shorter, simpler, already structured cleartext password will be more likely to be predictable all else being equal. Perhaps the algorithm itself is even available if you use some identifiable software package such as an e-commerce suite, I can't imagine every person selling paisley socks writes their own password generation algorithm. Or by studying the passwords it generates (create an acct, send yourself a few hundred or thousand.)

I'm not just a-whistlin' dixie (I never a-whistle dixie! :-), I'd consider that a serious potential weakness adding more concern to choice of algorithms.

--
        -Barry Shein

The World              | b...@theworld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*
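Two claims in the last few messages can be made concrete: that a one-time reset link lets the legitimate user notice when an attacker has already used it (the reply to John's message), and that a typeable CVC-style generated password has a far smaller keyspace than a 64-hex-character link (this message). The following is an added example, not code from anyone in this thread: a server-side reset-token store that keeps only a hash of the token, expires it, and answers "already-used" on a second redemption, next to a generator of the pom%mur87 shape described above and the log2 size of its keyspace. The consonant, vowel and punctuation alphabets, the two trailing digits and the 15-minute lifetime are assumptions for illustration.

```python
import hashlib
import math
import secrets

# Alphabets for the "pom%mur87"-style generator described in the thread (assumptions)
CONSONANTS = "bcdfghjklmnpqrstvwxyz"   # 21
VOWELS = "aeiou"                       # 5
PUNCT = "%_#!"                         # 4
DIGITS = "0123456789"


def cvc_password(n_digits: int = 2) -> str:
    """CVC + punctuation + CVC + digits, e.g. 'pom%mur87'. Random per position,
    but the *shape* is fixed, which is what shrinks the search space."""
    def cvc() -> str:
        return secrets.choice(CONSONANTS) + secrets.choice(VOWELS) + secrets.choice(CONSONANTS)
    return cvc() + secrets.choice(PUNCT) + cvc() + "".join(secrets.choice(DIGITS) for _ in range(n_digits))


def cvc_keyspace_bits(n_digits: int = 2) -> float:
    """log2 of the number of distinct strings cvc_password() can emit; this is
    what an attacker who has inferred the algorithm has to enumerate."""
    per_cvc = len(CONSONANTS) * len(VOWELS) * len(CONSONANTS)
    return math.log2(per_cvc ** 2 * len(PUNCT) * len(DIGITS) ** n_digits)


def hex_token_bits(hex_chars: int = 64) -> float:
    """A link token of hex_chars uniformly random hex digits: 4 bits each."""
    return 4.0 * hex_chars


class ResetTokenStore:
    """Server side of a one-time reset link.

    Only sha256(token) is kept, so a copy of this table cannot be used to
    redeem anyone's link; the token itself exists once, in the e-mail.
    Redemption is single-use, so whoever clicks second sees 'already-used'
    rather than silently sharing the new credential with the first clicker."""
    TTL_SECONDS = 15 * 60  # assumption

    def __init__(self) -> None:
        self._rows = {}  # sha256(token) hex -> {"user", "expires", "used_at"}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, now: float) -> str:
        token = secrets.token_hex(32)  # 256 bits of randomness; never stored in the clear
        self._rows[self._key(token)] = {"user": user, "expires": now + self.TTL_SECONDS, "used_at": None}
        return token

    def redeem(self, token: str, now: float) -> str:
        """Returns 'ok', 'unknown', 'expired' or 'already-used'."""
        row = self._rows.get(self._key(token))
        if row is None:
            return "unknown"
        if row["used_at"] is not None:
            return "already-used"
        if now > row["expires"]:
            return "expired"
        row["used_at"] = now
        return "ok"
```

With the alphabets above the CVC scheme yields just under 31 bits of keyspace, versus 256 for the link token; an attacker who can mail themselves a few hundred generated passwords will recognise the shape quickly, which is the weakness the message describes.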
Re: 10Gb CPE
I also used brocade icx series for this. Depending on feature requirements the juniper ex3300 might be cheaper.

On Tue, May 26, 2015, 12:04 PM Chris Lane clane1...@gmail.com wrote:

> We use Brocade ICX 6450s for this.
>
> -Chris
>
> On Tue, May 26, 2015 at 2:40 PM, Daniel Rohan dro...@gmail.com wrote:
>
>> With the deluge of 10Gb X device recommendations, I thought I'd hit the list with one more. Does anyone out there running 10Gb managed CPE feel like sharing their experiences? Our use case would be a managed endpoint that would allow for testing and circuit verification while providing a layer 2 extension to our edge gear at the PoPs. We're hoping to find a cheap vendor-supplied solution- not homebrew.
>>
>> If so, which features have been important to you? Which vendors have good products? What price point?
>>
>> Thanks,
>> Dan
>
> --
> - Chris
Re: Multiple vendors' IPv6 issues
On Tue, May 26, 2015 at 04:19:25PM -0700, David Sotnick wrote:
> Hi NANOG,
>
> The company I work for has no business case for being on the IPv6-Internet. However, I am an inquisitive person and I am always looking to learn new things, so about 3 years ago I started down the IPv6 path. This was early 2012.
>
> Fast forward to today. We have a /44 presence for our company's multiple sites; All our desktop computers have been on the IPv6 Internet since June, 2012 and we have a few AAAAs in our external DNS for some key services — and, there have been bugs. *Lots* of bugs.
>
> Now, maybe (_maybe_) I can have some sympathy for smaller network companies (like Arista Networks at the time) to not quite have their act together as far as IPv6 goes, but for larger, well-established companies to still have critical IPv6 bugs is just inexcusable!
>
> My current favorites are:
>
> https://tools.cisco.com/bugsearch/bug/CSCut62344
>
> Which doesn't allow you to see the neighbors on an interface.

this is fun when diagnosing qemu/kvm issues with the macvtap and hosts with ipv6. turns out to 'fix it' you need to make the macvtap interface promisc as the icmpv6 messages don't make it through the macvtap driver to the VM breaking neighbor discovery.

You can guess how we saw the first bug with the second one.

This isn't as bad as a colleague who told me he is taking classes at a university whose professor said that a /20 is neither a class A or class B allocation but in the middle, not knowing that CIDR has existed for the past 20 years.

Turns out we need a few more SMEs to teach people about CIDR and IPv6 addressing to prevent university professors from teaching the next generation something that doesn't apply anymore.

- Jared

--
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
Re: gmail security is a joke
On May 27, 2015 at 10:28 b...@herrin.us (William Herrin) wrote:
> On Tue, May 26, 2015 at 4:10 PM, Scott Howard sc...@doc.net.au wrote:
>> On Tue, May 26, 2015 at 12:28 PM, Aaron C. de Bruyn aa...@heyaaron.com wrote:
>>> If they can e-mail you your existing password (*cough*Netgear*cough*), it means they are storing your credentials in the database un-encrypted.
>>
>> No, it doesn't mean that at all. It means they are storing it unhashed which is probably what you mean.
>
> Hi Scott,
>
> It means they're storing it in a form that reduces to plain text without human intervention. Same difference. Encrypted at rest matters not, if all the likely attack vectors go after the data in transit.

It matters a lot. It means their entire username/password collection can be compromised by various means including by an insider.

The usual practice is to store a hash which cannot be reversed (at least not without astronomical computation.) Then when a password is presented (e.g., for login) the hash is computed on that cleartext password and the hashes are compared.

Getting a copy of the database of hashes and login names is basically useless to an attacker.

It's not encrypted in this case, it's hashed and only the hash is stored. The hash cannot be reversed, only compared to a re-hash of the cleartext password when entered.

The OP was correct, if they can send you your cleartext password then their security practices are inadequate, period. Unless I misunderstand what you're saying (I sort of hope I do) this is Security 101.

--
        -Barry Shein

The World              | b...@theworld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*
Re: gmail security is a joke
On Tue, May 26, 2015 at 4:10 PM, Scott Howard sc...@doc.net.au wrote:
> On Tue, May 26, 2015 at 12:28 PM, Aaron C. de Bruyn aa...@heyaaron.com wrote:
>> If they can e-mail you your existing password (*cough*Netgear*cough*), it means they are storing your credentials in the database un-encrypted.
>
> No, it doesn't mean that at all. It means they are storing it unhashed which is probably what you mean.

Hi Scott,

It means they're storing it in a form that reduces to plain text without human intervention. Same difference. Encrypted at rest matters not, if all the likely attack vectors go after the data in transit.

Regards,
Bill Herrin

--
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: http://www.dirtside.com/
Re: 10Gb CPE
Brocade.

From: Colton Conor
Date: Wednesday, May 27, 2015 at 12:52 PM
To: branto
Cc: Chris Lane, Daniel Rohan, NANOG
Subject: Re: 10Gb CPE

> Who makes the 7250?
>
> On Tue, May 26, 2015 at 10:07 PM, Brant Ian Stevens bra...@argentiumsolutions.com wrote:
>
>> Any feedback on the new 7250's yet?
>>
>> On 5/26/15, 3:02 PM, "NANOG on behalf of Chris Lane" nanog-boun...@nanog.org on behalf of clane1...@gmail.com wrote:
>>
>>> We use Brocade ICX 6450s for this.
>>>
>>> -Chris
>>>
>>> On Tue, May 26, 2015 at 2:40 PM, Daniel Rohan dro...@gmail.com wrote:
>>>
>>>> With the deluge of 10Gb X device recommendations, I thought I'd hit the list with one more. Does anyone out there running 10Gb managed CPE feel like sharing their experiences? Our use case would be a managed endpoint that would allow for testing and circuit verification while providing a layer 2 extension to our edge gear at the PoPs. We're hoping to find a cheap vendor-supplied solution- not homebrew.
>>>>
>>>> If so, which features have been important to you? Which vendors have good products? What price point?
>>>>
>>>> Thanks,
>>>> Dan
>>>
>>> --
>>> - Chris
Re: 10Gb CPE
Who makes the 7250?

On Tue, May 26, 2015 at 10:07 PM, Brant Ian Stevens bra...@argentiumsolutions.com wrote:

> Any feedback on the new 7250's yet?
>
> On 5/26/15, 3:02 PM, "NANOG on behalf of Chris Lane" nanog-boun...@nanog.org on behalf of clane1...@gmail.com wrote:
>
>> We use Brocade ICX 6450s for this.
>>
>> -Chris
>>
>> On Tue, May 26, 2015 at 2:40 PM, Daniel Rohan dro...@gmail.com wrote:
>>
>>> With the deluge of 10Gb X device recommendations, I thought I'd hit the list with one more. Does anyone out there running 10Gb managed CPE feel like sharing their experiences? Our use case would be a managed endpoint that would allow for testing and circuit verification while providing a layer 2 extension to our edge gear at the PoPs. We're hoping to find a cheap vendor-supplied solution- not homebrew.
>>>
>>> If so, which features have been important to you? Which vendors have good products? What price point?
>>>
>>> Thanks,
>>> Dan
>>
>> --
>> - Chris
Re: gmail security is a joke
On Wed, 27 May 2015 16:11:19 +0300, Saku Ytti said:

> This is second reply to this notion. I don't understand what is attempted to communicate. I'm sure no one on nanog thinks BGP hijacks are rare, difficult or yield to consequences when called out.

What *is* rare is a BGP hijack done solely to intercept a confirmation e-mail sent to Joe Sixpack when he's trying to get his Gmail account back. Can anybody provide a *single* example of that being done?

Now, if it's Joe CEO or Joe Prime Minister, the calculus changes a bit. But as I said - at that point, you have bigger things to worry about.
Re: gmail security is a joke
On Wed, May 27, 2015 at 1:51 PM, Barry Shein b...@world.std.com wrote:
> On May 27, 2015 at 10:28 b...@herrin.us (William Herrin) wrote:
>> On Tue, May 26, 2015 at 4:10 PM, Scott Howard sc...@doc.net.au wrote:
>>> It means they are storing it unhashed which is probably what you mean.
>>
>> It means they're storing it in a form that reduces to plain text without human intervention. Same difference. Encrypted at rest matters not, if all the likely attack vectors go after the data in transit.
>
> It matters a lot.
[...]
> The OP was correct, if they can send you your cleartext password then their security practices are inadequate, period.

Am I speaking English? I thought I was speaking English.

> Unless I misunderstand what you're saying (I sort of hope I do)

Yeah, I think you probably did since I was largely agreeing with you.

What I was trying to say was that there wasn't a heck of a lot of difference between storing a user's password with reversible encryption and storing it in plain text. Both are supremely unsatisfactory. Reasonable security starts by not retaining the user's password at all. Keep only the non-reversible hash.

Regards,
Bill Herrin

--
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: http://www.dirtside.com/
Re: Multiple vendors' IPv6 issues
On 5/27/2015 3:20 PM, Jared Mauch wrote:
> On Tue, May 26, 2015 at 04:19:25PM -0700, David Sotnick wrote:
>> Hi NANOG,
>>
>> The company I work for has no business case for being on the IPv6-Internet. However, I am an inquisitive person and I am always looking to learn new things, so about 3 years ago I started down the IPv6 path. This was early 2012.
>>
>> Fast forward to today. We have a /44 presence for our company's multiple sites; All our desktop computers have been on the IPv6 Internet since June, 2012 and we have a few AAAAs in our external DNS for some key services — and, there have been bugs. *Lots* of bugs.
>>
>> Now, maybe (_maybe_) I can have some sympathy for smaller network companies (like Arista Networks at the time) to not quite have their act together as far as IPv6 goes, but for larger, well-established companies to still have critical IPv6 bugs is just inexcusable!
>>
>> My current favorites are:
>>
>> https://tools.cisco.com/bugsearch/bug/CSCut62344
>>
>> Which doesn't allow you to see the neighbors on an interface.
>
> this is fun when diagnosing qemu/kvm issues with the macvtap and hosts with ipv6. turns out to 'fix it' you need to make the macvtap interface promisc as the icmpv6 messages don't make it through the macvtap driver to the VM breaking neighbor discovery.

You don't need full promisc mode, just the (poorly documented) allmulticast option (ip link set dev $macvtap allmulticast on)
Re: gmail security is a joke
On Wed, May 27, 2015 at 01:51:35PM -0400, Barry Shein wrote:
> Getting a copy of the database of hashes and login names is basically useless to an attacker.

Not any more, if the hash algorithm isn't sufficiently strong:

    25-GPU cluster cracks every standard Windows password in 6 hours
    http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

Quoting: "Gosney used the machine to crack 90 percent of the 6.5 million password hashes belonging to users of LinkedIn."

Consider as well that not all attackers are interested in all accounts: imagine what this system (or a newer one, this is 2.5 years old) could do if focused on only one account.

And of course epidemic password reuse means that cracked passwords are reasonably likely to work at multiple sites. And even if passwords aren't reused, there have now been so many breaches at so many places resulting in so many disclosed passwords that a discerning attacker could likely glean useful intelligence by studying multiple password choices made by a target. (We're all creatures of habit.)

---rsk
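An added example, not code from anyone in this thread, to make the point of the last few messages concrete: "keep only the non-reversible hash" is necessary but, as the GPU-cluster story shows, not sufficient. With an unsalted fast hash one computation tests a guess against every account in the dump at once (the LinkedIn hashes in that article were unsalted SHA-1), whereas a per-user random salt plus a memory-hard KDF such as scrypt forces one full, deliberately slow derivation per account per guess. SHA-1 stands in here for any fast unsalted hash, the scrypt parameters are a placeholder to tune for your own hardware, and the users and wordlist are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# --- What not to do: unsalted fast hash (SHA-1 stands in for any fast hash) ---

def store_fast_unsalted(password: str) -> str:
    """Whole-database exposure: identical passwords hash identically, and one
    hash per guess can be looked up against every account at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_fast_unsalted(stored: dict, wordlist) -> tuple:
    """stored: user -> unsalted hash. Builds a reverse table, then spends one
    hash per candidate word regardless of how many accounts there are.
    Returns (cracked {user: password}, hashes_computed)."""
    users_by_hash = {}
    for user, h in stored.items():
        users_by_hash.setdefault(h, []).append(user)
    cracked, work = {}, 0
    for word in wordlist:
        work += 1
        for user in users_by_hash.get(store_fast_unsalted(word), []):
            cracked[user] = word
    return cracked, work


# --- Better: per-user random salt + memory-hard KDF ---------------------------

SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32  # assumption: raise N for production


def store_scrypt(password: str, salt: bytes = None) -> str:
    """Returns 'scrypt$N$r$p$salthex$dkhex'. The password itself is never kept,
    and the random salt means equal passwords give unrelated records."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), dk.hex())


def verify_scrypt(password: str, record: str) -> bool:
    """Re-derives with the stored parameters and compares in constant time."""
    _, n, r, p, salt_hex, dk_hex = record.split("$")
    expected = bytes.fromhex(dk_hex)
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def crack_scrypt(stored: dict, wordlist) -> tuple:
    """stored: user -> scrypt record. The salt differs per user, so there is no
    shared lookup table: every (user, word) pair costs a full derivation.
    Returns (cracked {user: password}, derivations_computed)."""
    cracked, work = {}, 0
    for user, record in stored.items():
        for word in wordlist:
            work += 1
            if verify_scrypt(word, record):
                cracked[user] = word
                break
    return cracked, work
```

The counters returned by the two crack functions are the point: against the unsalted table the work is proportional to the wordlist alone, against the salted scrypt table it is wordlist times accounts, and each of those units is a 16 MiB memory-hard derivation rather than a few hundred nanoseconds on a GPU.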
Re: gmail security is a joke
On 26 May 2015 at 23:43, Anil Kumar aku...@anilkumar.com wrote:

> According to this page, the 2-factor authentication does kick in when you finally try to reset the password.
>
> http://webapps.stackexchange.com/questions/27258/is-there-a-way-of-disabling-googles-password-recovery-feature
>
> “… I was presented with an emailed link to a reset page. When I clicked that link, since I have two-step verification set up, I was presented with a demand for a number provided by the Google Authenticator app on my phone. I provided that number and only then was I allowed to reset the password.”

Y'all are way too trusting ;)

If I recall from a brief experiment yesterday, three of the four options on that page are variations on "I'd like to bypass 2-factor authentication". There is really no point in any of Google's fancy account security if I can bypass all of it using Google's "Identity Verification" process, especially if that process is based on PII that isn't terribly difficult to obtain.

This is just a variation on Apple's "give us the last four digits of your credit card to reset your password" gigantic security failure, and frankly I expected better from Google. Silly me.

--
Harald (who once upon a time worked in the IAM space ;)
Re: gmail security is a joke
On Wed, May 27, 2015 at 4:52 PM, Harald Koch c...@pobox.com wrote:

> Y'all are way too trusting ;)

Or we are much more comfortable with our knowledge. Six in one,

> If I recall from a brief experiment yesterday, three of the four options on that page are variations on "I'd like to bypass 2-factor authentication". There is really no point in any of Google's fancy account security if I can bypass all of it using Google's "Identity Verification" process, especially if that process is based on PII that isn't terribly difficult to obtain.

I think you are overly simplifying a piece of a very large, very complicated, highly dynamic, and daily reviewed, security pipeline. Google's Account security is not a "1 man in the basement" operation.

You tell me the Sender, time, last Received line, and byte size, of all the emails I received on 1-Jan-2015 and I will give you $100 per email or this thread can just die a miserable hypothetical death that it deserves.

-Jim P.
Capacity/transit costs vs growth
I am looking for some rough estimates of the ratio of capacity (equipment) pricing declines versus average increase in end user capacity. For instance, say end user average capacity usage increases 50% over 3 years, would the ISP's costs also increase by 50% ? Or would increased efficiency of equipment result in a 50% decrease in capacity costs yielding roughly the same total cost to the service provider ? So I am looking at some sort of ratio of gross cost increases/decreases relative to end user increase in usage over time. Context: Wholesale services in Canada are priced linearly and there is a process trying to convince the CRTC to review them ASAP. So if average use grows from 1mbps during peak to 1.2mbps, we are looking at 20% increase in costs in a linear pricing scheme. But if this happens over a period where there have been improvements in equipment/efficiency, then one would think the increase in costs would be less than 20%. So I am looking for any and all information that can help convince the regulator that current linear increase is not right and needs a review. any help appreciated.
RE: Multiple vendors' IPv6 issues
David, While I agree with you that there is no excuse for the general IPv6 brokenness across all vendors, they are just doing what participants on lists like this one tell them. Name & Shame may help a little, but until a large number of people get serious and stop prioritizing IPv4 in their purchasing demands, the vendors are not going to prioritize IPv6. Until the vendors clearly hear a collective "we are not buying this product because IPv6 is broken", everyone will get exactly the behavior you are witnessing. While I appreciate the challenges you are facing, it is likely that you will be helped by documenting the percentage of IPv6 traffic you see when things do work. While it may not be much now, that can change quickly and will provide internal ammunition when you try to take a stand about refusing to use a product. If your IPv6 percentage grows anywhere near the 2x/yr rate that Google has been seeing it won't take long before IPv6 is the driving protocol. For fun, project this http://www.google.com/intl/en/ipv6/statistics.html forward 4 years and hand it to the vendors that can't get their IPv6 act together. Then ask them how they plan to still be in business at that point .. Tony -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of David Sotnick Sent: Tuesday, May 26, 2015 4:19 PM To: NANOG Subject: Multiple vendors' IPv6 issues Hi NANOG, The company I work for has no business case for being on the IPv6-Internet. However, I am an inquisitive person and I am always looking to learn new things, so about 3 years ago I started down the IPv6 path. This was early 2012. Fast forward to today. We have a /44 presence for our company's multiple sites; All our desktop computers have been on the IPv6 Internet since June, 2012 and we have a few AAAAs in our external DNS for some key services — and, there have been bugs. *Lots* of bugs.
Now, maybe (_maybe_) I can have some sympathy for smaller network companies (like Arista Networks at the time) to not quite have their act together as far as IPv6 goes, but for larger, well-established companies to still have critical IPv6 bugs is just inexcusable! This month has just been the most disheartening time working with IPv6. Vendor 1: Aruba Networks. Upon adding an IPv6 address to start managing our WiFi controller over IPv6, I receive a call from our Telecom Lead saying that our WiFi VoIP phones have just gone offline. WHAT? All I did was add an IPv6 address to a management interface which has *nothing* to do with our VoIP system or SSID, ACLs, policies, roles, etc. Vendor 2: Palo Alto Networks: After upgrading our firewalls from a version which has a nasty bug where the IPv6 neighbor table wasn't being cleaned up properly (which would overflow the table and break IPv6), we now have a *new* IPv6 neighbor discovery bug where one of our V6-enabled DMZ hosts just falls off the IPv6 network. The only solution: clear the neighbor table on the Palo Alto or the client (linux) host. Vendor 3: Arista Networks: We are seeing a very similar ND bug with Arista. This one is slightly more interesting because it only started after upgrading our Arista EOS code — and it only appears to affect Virtual Machines which are behind our RedHat Enterprise Virtualization cluster. None of the hundreds of VMware-connected hosts are affected. The symptom is basically the same as the Palo Alto bug. Neighbor table gets in some weird state where ND breaks and the host is unreachable until the neighbor table is cleared. Oh, and the final straw today, which is *almost* leading me to throw in the IPv6 towel completely (for now): On certain hosts (VMs), scp'ing a file over the [Arista] LAN (10 gigabit LAN) takes 5 minutes over IPv6 and 1 second over IPv4. What happened?
It really saddens me that it is still not receiving anywhere near the kind of QA (partly as a result of lack of adoption) that IPv4 has. Oh, and let's not forget everybody's favorite vendor, Cisco. Why is it, Cisco, that I have to restart my IPv6 OSPF3 process on my ASA every time my Palo Alto firewall crashes and fails over, otherwise none of my VPN clients can connect via IPv6? Why do you hurt me so, IPv6? I just wanted to be friends, and now I just want to break up with you. Maybe we can try to be friends again when your vendors get their shit together. -David
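The "clear the neighbor table on the client (linux) host" workaround above can at least be targeted rather than applied blindly. As an added example (not code from David or from any of the vendors named), this parses the output of `ip -6 neigh show` on the Linux side, picks out entries whose neighbor discovery has actually failed, and builds the matching `ip -6 neigh del` commands. It only generates the commands; running them is left to the operator. The sample output is constructed, with addresses from the 2001:db8::/32 documentation prefix. Note that STALE is a normal cache state (address known, just not recently confirmed) and is deliberately not treated as broken; FAILED and INCOMPLETE are the states that match the symptom described.

```python
from dataclasses import dataclass
from typing import List, Optional

# States in which the kernel has no usable link-layer address for the neighbor.
# STALE/DELAY/PROBE are normal cache ageing and must not be flushed on sight.
BROKEN_STATES = {"FAILED", "INCOMPLETE"}

# Constructed sample of `ip -6 neigh show` output (not captured from a real host).
SAMPLE_NEIGH = """\
fe80::1 dev eth0 lladdr 00:11:22:33:44:01 router REACHABLE
2001:db8:0:10::25 dev eth0 lladdr 00:11:22:33:44:25 STALE
2001:db8:0:10::31 dev eth0  FAILED
2001:db8:0:10::32 dev eth0  INCOMPLETE
2001:db8:0:20::7 dev eth1 lladdr 00:11:22:33:44:07 DELAY
2001:db8:0:30::1 dev eth1 proxy
"""


@dataclass
class NeighborEntry:
    address: str
    dev: str
    lladdr: Optional[str]  # None when ND never resolved the address
    state: str
    router: bool


def parse_ip6_neigh(output: str) -> List[NeighborEntry]:
    """Parse `ip -6 neigh show` lines: <addr> dev <if> [lladdr <mac>] [router] <STATE>."""
    entries: List[NeighborEntry] = []
    for line in output.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[1] != "dev":
            continue  # blank line or something that is not a neighbor entry
        if tokens[-1] == "proxy":
            continue  # proxy-ND entries carry no state and are not cache entries
        lladdr = tokens[tokens.index("lladdr") + 1] if "lladdr" in tokens else None
        entries.append(NeighborEntry(
            address=tokens[0],
            dev=tokens[2],
            lladdr=lladdr,
            state=tokens[-1],
            router="router" in tokens,
        ))
    return entries


def stuck_entries(entries: List[NeighborEntry]) -> List[NeighborEntry]:
    """Entries whose neighbor discovery has failed outright."""
    return [e for e in entries if e.state in BROKEN_STATES]


def flush_commands(entries: List[NeighborEntry]) -> List[str]:
    """The per-entry `ip -6 neigh del` commands that would clear just the broken entries."""
    return [f"ip -6 neigh del {e.address} dev {e.dev}" for e in entries]


if __name__ == "__main__":
    # On a real host: output = subprocess.run(["ip", "-6", "neigh", "show"], ...).stdout
    broken = stuck_entries(parse_ip6_neigh(SAMPLE_NEIGH))
    for cmd in flush_commands(broken):
        print(cmd)
```

Wrapping this in a cron job is a band-aid for the vendor bug, not a fix; the useful part is logging which addresses keep going FAILED and on which interface, which is the evidence the vendor TAC will ask for.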
Re: Capacity/transit costs vs growth
On 15-05-27 19:20, Faisal Imtiaz wrote: The above hypothesis why imply that the 20% linear increase is not fair, vs directly making the case that the base rate, set in some point in the past is not fair/appropriate anymore ? These rates cover aggregation between an end user's CO and a central CO where an ISP connects. For instance, a Toronto based ISP can serve all of Bell Canada's DSL footprint by connecting to the Adelaide Street CO in Toronto. BUT, Bell charges $1016 per 100mbps to carry traffic between that point and the CO serving an end user. (for Cable, I am not 100% sure if it includes the fibre to the node, or just aggregation to the CMTS). there is a separate fixed fee for the last mile infrastructure. The point I am trying to make is that during the period where usage increases, the cost per gbps decreases, so it should not be a 1:1 relationship over time. Currently, the CRTC sets a 1:1 relationship over 10 years. So having a *rough* idea of decreases in per gbps of capacity over the years would help me make the point that the current rate structure is flawed. (I don't need precise at this point, just rough ideas). Different slant to question: when you move from 1gbps to 10gbps to 40gbps links, what sort of price/gbps reduction do you get ? 20% ? 30% ?
Atlanta Remote Hands needed for Server Move.
I have half a dozen servers in the Netstream DC that I need moved to the Cyberwurx DC in Atlanta. I'm looking for some remote hands to assist with moving these machines. Cheers Don Netstream http://www.netstreamcom.net/ 200 Sandy Springs Place Atlanta, GA 30328 Cyberwurx https://cyberwurx.com/datacenter/ 55 Marietta Street -- Don Gould 31 Acheson Ave Mairehau Christchurch, New Zealand Ph: + 64 3 348 7235 Mobile: + 64 21 114 0699 Ph: +61 3 9111 1821 (Melb)
Predicting TCP throughput
Hi, I am looking at deterministic ways (perhaps employing data science) to predict TCP throughput that i can expect between two end points. I am using the latency (RTT) and the packet loss as the parameters. Is there anything else that i can use to predict the throughput? A related question to this is; If i see an RTT of 150ms and packet loss of 0.01% between points A and B and the maximum throughput between these is, say, 250Mbps. Then can i say that i will *always* get the same (or in a close ballpark) throughput no matter what time of the day i run these tests. My points A and B can be virtual machines spawned on two different data centers, say Amazon Virginia and Amazon Tokyo? So we're talking about long distances here. What else besides the RTT and packet loss can affect my TCP throughput between two end points. I am assuming that the effects of a virtual machine overload would have direct bearing on the RTT and packet loss, and hence should cancel out. What i mean by this is that even if a VM is busy, then that might induce larger losses and increased RTT, and that would affect my TCP throughput. But then i already know what TCP throughput i get when i have a given RTT and loss, and hence should be able to predict it. Is there something that i am missing here? Thanks, Glen
Re: Capacity/transit costs vs growth
Telco's cost structure model is very different from Cable Co's. Additionally the way they are regulated is also very different. Based on the additional details you have shared, you are saying that Bell charges $1016/100meg of Colo to Colo Transport ? Now you also need to add a bit more info, like. What type of transport is this ? (Layer 1).. TDM (OC3/OCX) ? SONET ? or Ethernet ? Is this connectivity flat rate ? or distance sensitive ? Keep in mind that the Cost Efficiency in conjunction with Increase in Traffic is/has been only for Ethernet Transport not in the TDM or SONET when you move from 1gbps to 10gbps to 40gbps links, what sort of price/gbps reduction do you get ? 20% ? 30% ? While the question may be simple, the answer is more of a What if type When you move from 1gbps Ethernet Switches, to 10gbps Ethernet Switches you can easily spend between $5,000 to $25,000 for each Ethernet Switch. So, if you have only 2gbps of traffic, i.e. 1gbps infrastructure is out of capacity, you have to spend the money for 10gbps switches, and the cost of the upgrade has to be justified via the increase in traffic of only 1gbps. I think you should be making the case of total Revenues generated due to increase in traffic to the same location, thus the justification of the need to reduce the per 100meg rate. I highly doubt if anyone here can give you any reasonable number on what is the cost of per 1G connection when using 10G infrastructure..simply because 10G infrastructure has different meaning (cost wise) to different folks. I don't doubt for a moment that you can get consensus that 10gbps infrastructure can move 10gbps of traffic at a lower per unit cost, but how much lower will be a very subjective number. Regards.
Faisal Imtiaz Snappy Internet Telecom 7266 SW 48 Street Miami, FL 33155 Tel: 305 663 5518 x 232 Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net - Original Message - From: Jean-Francois Mezei jfmezei_na...@vaxination.ca To: Nanog@nanog.org Sent: Wednesday, May 27, 2015 7:54:57 PM Subject: Re: Capacity/transit costs vs growth On 15-05-27 19:20, Faisal Imtiaz wrote: The above hypothesis why imply that the 20% linear increase is not fair, vs directly making the case that the base rate, set in some point in the past is not fair/appropriate anymore ? These rates cover aggregation between an end user's CO and a central CO where an ISP connects. For instance, a Toronto based ISP can serve all of Bell Canada's DSL footprint by connecting to the Adelaide Street CO in Toronto. BUT, Bell charges $1016 per 100mbps to carry traffic between that point and the CO serving an end user. (for Cable, I am not 100% sure if it include the fibre to the node, or just aggregation to the CMTS). there is a separate fixed fee for the last mile infrastructure. The point i am trying to make that that during the period where usage increase, the cost per gbps decreases, so it shgould not be a 1:1 relationship over time. Currently, the CRTC sets 1:1 relationship over 10 years. So having *rough* idea of decreases in per gbps of capacity over the years would help me make the point that the current rate structure is flawed. (I don't need precise at this point, just rough ideas). Different slant to question: when you move from 1gbps to 10gbps to 40gbps links, what sort of price/gnps reduction do you get ? 20% ? 30% ?
Re: Capacity/transit costs vs growth
What I am looking for is the networking equivalent to Moore's law: on average, every year, cost of 1gbps capacity goes down by x% The immediate goal is to show that rates that are fixed for 10 years are not just and reasonable (text from the canadian Telecom Act) and need a review. In the case of Bell Canada, it carries PPPoE traffic from CO to the BRAS location on ethernet, and from the BRAS to the aggregation point for each ISP over L2TP (aka: IP based intranet). So the core is assumed to be modern ethernet traveling on fibre. bell recently upgraded its BRAS from ERX 310s to ERX 320s (but claimed to the CRTC the 320s were only capable of 1gbps capacity, on which they were challenged as this inflated cost per gbps by a factor of roughly 80). For cablecos, it is MPLS from the CMTS to an aggregation point. Another aspect to demonstrate is that with growing capacity purchases, the cost per gbps should go down.
Re: gmail security is a joke
On Wed, May 27, 2015 at 6:04 PM, Peter Beckman beck...@angryox.com wrote: [snip] I was thinking about using the last 2 digits of the year as the cost factor, but that might not scale with hardware linearly. It is strongly recommended that when used for password storage, the work factor for BCRYPT, SCRYPT, or PBKDF2 be hand-tuned based on the current best available consumer desktop computing hardware. Whenever it is manually adjusted, it should be tuned so that 1 password hash generation on a newly generated hash takes a minimum 500 milliseconds average at full throughput on the best current generally available consumer hardware. Or for an application where performance is more critical than security no less than 100ms on the server hardware. Today, I believe the baseline would be a workstation with 4 5th generation Intel i7 3.1GHz Quad-Core procs. And I would suggest SCrypt() with a hefty selection for required amount of RAM to compute the hash, in order to help foil attempts to accelerate a hash-breaking process using GPU or FPGA technology. Bcrypt or PBKDF2 with random salts per password is really what anyone storing passwords should be using today. Beckman -- -JH
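One way to do the hand-tuning described above, as an added example rather than anything posted in this thread: double the work parameter until a single derivation takes at least the target time on the box you benchmark, then store every password with its own random salt and with the iteration count that was used, so that verification is self-describing. The measurement function is pluggable so the same loop serves PBKDF2 and scrypt (for scrypt the parameter being doubled is n, which also scales memory). The 500 ms target and the 100,000-iteration floor are assumed policy numbers, not figures from the post, and the benchmark password is a constructed value.

```python
import hashlib
import hmac
import os
import time
from typing import Callable

# Assumed policy values for this example; set your own from the hardware you benchmark on.
TARGET_SECONDS = 0.5        # time one fresh hash should take on the reference machine
MIN_ITERATIONS = 100_000    # floor so a slow or throttled build box cannot tune us downwards


def pbkdf2_measure(iterations: int) -> float:
    """Wall-clock seconds for one PBKDF2-HMAC-SHA256 derivation at this iteration count."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"benchmark-password", os.urandom(16), iterations, dklen=32)
    return time.perf_counter() - start


def scrypt_measure(n: int) -> float:
    """Wall-clock seconds for one scrypt derivation at CPU/memory cost n (a power of two).
    scrypt needs roughly 128 * r * n bytes, so n = 2**17 with r = 8 is about 128 MiB;
    maxmem is raised in step so OpenSSL does not refuse the larger values."""
    r, p = 8, 1
    start = time.perf_counter()
    hashlib.scrypt(b"benchmark-password", salt=os.urandom(16), n=n, r=r, p=p,
                   maxmem=2 * 128 * r * n + (1 << 20), dklen=32)
    return time.perf_counter() - start


def calibrate(target_seconds: float, measure: Callable[[int], float],
              start: int = 1024, ceiling: int = 1 << 30) -> int:
    """Double the work parameter until one derivation takes at least target_seconds.
    Doubling keeps the result a power of two, which scrypt's n requires and which maps
    onto bcrypt's log2 cost factor one step at a time."""
    work = start
    while work < ceiling:
        if measure(work) >= target_seconds:
            return work
        work *= 2
    return ceiling


def hash_password(password: str, iterations: int) -> str:
    """Fresh 16-byte random salt per password: no shared work across accounts, no rainbow tables."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count carried in the record; constant-time compare."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex),
                                 int(iterations), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    iterations = max(MIN_ITERATIONS, calibrate(TARGET_SECONDS, pbkdf2_measure))
    record = hash_password("correct horse battery staple", iterations)
    print(iterations, record)
    print(verify_password("correct horse battery staple", record))
```

Run the calibration on the fastest hardware you expect an attacker to rent, not on the production web tier, and re-run it on a schedule; the iteration count embedded in each record is what lets old records be recognised and upgraded at the user's next successful login, the only moment the plaintext is available to rehash.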
Re: Capacity/transit costs vs growth
If I understand your question correctly, the answer is: it depends. You can model the cost of delivering your service and keep track of three types of cost: fixed, variable and marginal. Here is a really good video that explains these: https://youtu.be/bBQVaRnHqLs You might find an industry average for certain economies of scale, but each system is so unique in its cost structure that you have to model it from scratch. Just keep in mind that every model works with TRASH IN = TRASH OUT, so if you make the wrong assumptions, your answers won't be realistic. On Wed, May 27, 2015 at 6:54 PM, Jean-Francois Mezei jfmezei_na...@vaxination.ca wrote: On 15-05-27 19:20, Faisal Imtiaz wrote: The above hypothesis why imply that the 20% linear increase is not fair, vs directly making the case that the base rate, set in some point in the past is not fair/appropriate anymore ? These rates cover aggregation between an end user's CO and a central CO where an ISP connects. For instance, a Toronto based ISP can serve all of Bell Canada's DSL footprint by connecting to the Adelaide Street CO in Toronto. BUT, Bell charges $1016 per 100mbps to carry traffic between that point and the CO serving an end user. (for Cable, I am not 100% sure if it includes the fibre to the node, or just aggregation to the CMTS). there is a separate fixed fee for the last mile infrastructure. The point I am trying to make is that during the period where usage increases, the cost per gbps decreases, so it should not be a 1:1 relationship over time. Currently, the CRTC sets a 1:1 relationship over 10 years. So having a *rough* idea of decreases in per gbps of capacity over the years would help me make the point that the current rate structure is flawed. (I don't need precise at this point, just rough ideas). Different slant to question: when you move from 1gbps to 10gbps to 40gbps links, what sort of price/gbps reduction do you get ? 20% ? 30% ?
Colo Capacity quote in Renton, WA 98057, USA needed
Hi, I have half a dozen servers in a DC in Renton, WA 98057, USA. I'm looking for quotes 7 RU with 100mbit PIR. I do need A and B side power. The pricing from my current provider has got out of hand and they have burnt the relationship. As a result I am interested in hearing from others who might be interested in servicing this small requirement. Cheers Don -- Don Gould 31 Acheson Ave Mairehau Christchurch, New Zealand Ph: + 64 3 348 7235 Mobile: + 64 21 114 0699 Ph: +61 3 9111 1821 (Melb)
Re: Capacity/transit costs vs growth
On Thu, May 28, 2015 at 03:07:45AM +, Faisal Imtiaz wrote: Telco's cost structure model is very different from Cable Co's. Additionally the way they are regulated is also very different. Based on the additional details you have shared, you are saying that Bell charges $1016/100meg of Colo to Colo Transport ? Now you also need to add a bit more info, like. What type of transport is this ? (Layer 1).. TDM (OC3/OCX) ? SONET ? or Ethernet ? Is this connectivity flat rate ? or distance sensitive ? Keep in mind that the Cost Efficiency in conjunction with Increase in Traffic is/has been only for Ethernet Transport not in the TDM or SONET I would add here, some people face no incentive to modernize this equipment, and in fact they may lack an incentive at all due to the fact they are only 3 years into a 15 year capital plan, despite the fact that we're not still using a 7500 with your vip2-40 to operate a backbone these days, or even a GSR. There may be some accountant though who sees that unused asset and gives you a run for your money though. when you move from 1gbps to 10gbps to 40gbps links, what sort of price/gbps reduction do you get ? 20% ? 30% ? While the question may be simple, the answer is more of a What if type When you move from 1gbps Ethernet Switches, to 10gbps Ethernet Switches you can easily spend between $5,000 to $25,000 for each Ethernet Switch. So, if you have only 2gbps of traffic, i.e. 1gbps infrastructure is out of capacity, you have to spend the money for 10gbps switches, and the cost of the upgrade has to be justified via the increase in traffic of only 1gbps. As mentioned above, there are some points where the scale and per unit costs make more sense. I'm not familiar with the model in Canada but cost models SHOULD be revisited less than 10 years apart from each other.
Most people are not going to sign a 10 year deal for IP transit, and if you still want to pay 1000/Mbit please contact me, I'll setup a LLC and resell you something quickly in the US. Most 1G hardware is inexpensive these days and you can find 'cheap' 10G hardware out there as well depending on what your use case is. Real routers tend to cost real money and can even cost more to power over the lifecycle than to purchase (depending on how long you are looking at). If everyone is picking up service from Bell at Front st in Toronto, you may be able to make the case that going from Windsor to Toronto doesn't make a lot of sense and you should be able to purchase/lease your own 10 or 100G backhaul between those areas to offset cost, either with a bell provided service or by rolling your own. I highly doubt if anyone here can give you any reasonable number on what is the cost of per 1G connection when using 10G infrastructure..simply because 10G infrastructure has different meaning (cost wise) to different folks. These usually take off when the 10G costs less than 10*1G. There should be some regular open bidding that occurs as part of the CRTC model allowing for resetting the regulated rate. It's way cheaper to reach the stadium from Front st than reaching Alert, NU. I don't doubt for a moment that you can get consensus that 10gb infrastructure can move 10gbs of traffic at a lower per unit cost, but how much lower will be a very subjective number. This is important, unless there is an incentive for people to compete in the market, you see odd things occur. I live in an ATT territory and their fiber goes within 1200 feet of my house but there are no services available. I could pay a local provider $50k to build fiber to me, but it's much cheaper to do something else (yay WISP). Unless there is some risk of business loss due to having a rate, there is no incentive for change. 
I await someone willing to issue a press release so Comcast or ATT will take these territories without basic broadband and announce fiber services in Michigan. - jared -- Jared Mauch | pgp key available via finger from ja...@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: Predicting TCP throughput
You need to account for window size as well. You should also account for the details of the specific implementation of the TCP stack you are dealing with if you truly need a deterministic result. On Wed, May 27, 2015 at 8:15 PM, Glen Kent glen.k...@gmail.com wrote: Hi, I am looking at deterministic ways (perhaps employing data science) to predict TCP throughput that i can expect between two end points. I am using the latency (RTT) and the packet loss as the parameters. Is there anything else that i can use to predict the throughput? A related question to this is; If i see an RTT of 150ms and packet loss of 0.01% between points A and B and the maximum throughput between these is, say, 250Mbps. Then can i say that i will *always* get the same (or in a close ballpark) throughput no matter what time of the day i run these tests. My points A and B can be virtual machines spawned on two different data centers, say Amazon Virginia and Amazon Tokyo? So we're talking about long distances here. What else besides the RTT and packet loss can affect my TCP throughput between two end points. I am assuming that the effects of a virtual machine overload would have direct bearing on the RTT and packet loss, and hence should cancel out. What i mean by this is that even if a VM is busy, then that might induce larger losses and increased RTT, and that would affect my TCP throughput. But then i already know what TCP throughput i get when i have a given RTT and loss, and hence should be able to predict it. Is there something that i am missing here? Thanks, Glen
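The two bounds behind that reply, worked on Glen's own numbers as an added example (not code from either poster): the Mathis et al. (1997) loss-based ceiling for Reno-style congestion control, MSS/RTT × C/√p with C ≈ 1.22, and the receive-window ceiling window/RTT. The predicted rate is the smaller of those and the link rate. An MSS of 1460 bytes, a 64 KiB default window and a 1 Gbps path are assumed values; the 150 ms and 0.01% are the figures from the question.

```python
import math

MSS_BYTES = 1460   # assumed: typical Ethernet MSS for IPv4 TCP
MATHIS_C = 1.22    # constant for Reno-style loss recovery (Mathis, Semke, Mahdavi, Ott 1997)


def mathis_bound_bps(rtt_s: float, loss_rate: float, mss_bytes: int = MSS_BYTES) -> float:
    """Steady-state ceiling for Reno-style TCP under random, per-flow loss: MSS/RTT * C/sqrt(p).
    Loss must be the fraction of this flow's segments that are lost, not an ICMP ping figure,
    and the bound assumes losses are spread out rather than bursty."""
    if loss_rate <= 0:
        return math.inf           # no loss: nothing but window and link cap the flow
    return (mss_bytes * 8 / rtt_s) * MATHIS_C / math.sqrt(loss_rate)


def window_bound_bps(window_bytes: int, rtt_s: float) -> float:
    """A sender cannot have more than one window in flight per RTT."""
    return window_bytes * 8 / rtt_s


def required_window_bytes(target_bps: float, rtt_s: float) -> int:
    """Bandwidth-delay product: the window needed to sustain target_bps at this RTT."""
    return math.ceil(target_bps * rtt_s / 8)


def predicted_throughput_bps(rtt_s: float, loss_rate: float, window_bytes: int,
                             link_bps: float, mss_bytes: int = MSS_BYTES) -> float:
    """The binding constraint among link rate, window and loss."""
    return min(link_bps,
               window_bound_bps(window_bytes, rtt_s),
               mathis_bound_bps(rtt_s, loss_rate, mss_bytes))


def binding_constraint(rtt_s: float, loss_rate: float, window_bytes: int,
                       link_bps: float, mss_bytes: int = MSS_BYTES) -> str:
    """Name the ceiling that actually limits the flow, to know what to tune."""
    candidates = {
        "link": link_bps,
        "window": window_bound_bps(window_bytes, rtt_s),
        "loss": mathis_bound_bps(rtt_s, loss_rate, mss_bytes),
    }
    return min(candidates, key=candidates.get)


if __name__ == "__main__":
    rtt, loss = 0.150, 1e-4            # Glen's figures: 150 ms, 0.01% loss
    for window in (64 * 1024, 4 * 1024 * 1024, 16 * 1024 * 1024):
        bps = predicted_throughput_bps(rtt, loss, window, 1e9)
        print(f"window {window // 1024:>6} KiB -> {bps / 1e6:8.1f} Mbps, "
              f"limited by {binding_constraint(rtt, loss, window, 1e9)}")
    print(f"window needed for 250 Mbps: {required_window_bytes(250e6, rtt) / 1e6:.2f} MB")
```

On those inputs the loss term caps a Reno flow near 9.5 Mbps, far under the 250 Mbps observed, so either the measured loss was not this flow's steady-state loss, the stack is not Reno (CUBIC and BBR react differently), or the 250 Mbps came from several parallel streams. That gap is the practical answer to "can I predict it from RTT and loss alone": only once you know the congestion control in use, the window both ends negotiated, and whether the loss is random or queue-driven, which is what the reply means by implementation details.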
Re: Capacity/transit costs vs growth
On 27/May/15 23:36, Jean-Francois Mezei wrote: I am looking for some rough estimates of the ratio of capacity (equipment) pricing declines versus average increase in end user capacity. For instance, say end user average capacity usage increases 50% over 3 years, would the ISP's costs also increase by 50% ? Or would increased efficiency of equipment result in a 50% decrease in capacity costs yielding roughly the same total cost to the service provider ? So I am looking at some sort of ratio of gross cost increases/decreases relative to end user increase in usage over time. To be more accurate with this, you might want to consider what portion of every part of the overall network is attributed to the costs your customer burdens you with. This isn't necessarily easy to do, but is more accurate than thinking of only the box the customer physically connects to. You will spend differently in different parts of the network, e.g., peering, core, edge, services, etc. How much of that goes back to (or is caused by) your customers? Mark.
Re: gmail security is a joke
LinkedIn used SHA-1, a fast algorithm. At 350-billion guesses per second on the mentioned rig for fast algorithms, yeah, you can get through a lot of passwords quickly. Hopefully LinkedIn has changed their ways. In that same article: ...functions such as Bcrypt, PBKDF2, and SHA512crypt are designed to expend considerably more time and computing resources to convert plaintext input into cryptographic hashes. As a result, the new cluster, even with its four-fold increase in speed, can make only 71,000 guesses against Bcrypt... And if you use a different salt for each password stored with Bcrypt, the hacker must test each password separately -- no rainbow tables here. Unfortunately they don't say how many iterations of Bcrypt equals 71,000, since you can add more iterations of the algorithm. An example cipher text from bcrypt: $2a$13$Ejtc1pVjyLkZn4eU9FGCg.gOQ3QtbWOsUOvSUKbU2anywhoO04ESy $2a$ indicates the blowfish algorithm, $13$ is the cost factor (number of iterations), the first 22 chars after are the salt and the rest is the cipher text. The higher the number of iterations, the harder computationally it is to go from a password to the cipher text. As hardware improves, the iterations should increase. I was thinking about using the last 2 digits of the year as the cost factor, but that might not scale with hardware linearly. Bcrypt or PBKDF2 with random salts per password is really what anyone storing passwords should be using today. Beckman On Wed, 27 May 2015, Rich Kulawiec wrote: On Wed, May 27, 2015 at 01:51:35PM -0400, Barry Shein wrote: Getting a copy of the database of hashes and login names is basically useless to an attacker. 
Not any more, if the hash algorithm isn't sufficiently strong: 25-GPU cluster cracks every standard Windows password in 6 hours http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/ Quoting: Gosney used the machine to crack 90 percent of the 6.5 million password hashes belonging to users of LinkedIn. Consider as well that not all attackers are interested in all accounts: imagine what this system (or a newer one, this is 2.5 years old) could do if focused on only one account. And of course epidemic password reuse means that cracked passwords are reasonably likely to work at multiple sites. And even if passwords aren't reused, there have now been so many breaches at so many places resulting in so many disclosed passwords that a discerning attacker could likely glean useful intelligence by studying multiple password choices made by a target. (We're all creatures of habit.) ---rsk --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
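Reading that bcrypt string programmatically, as an added example that is not Peter's code: split the modular-crypt form into version, cost, the 22-character salt and the 31-character digest (bcrypt uses its own base64 alphabet, ./A-Za-z0-9), turn the cost into its round count (2^cost), and use that for the "as hardware improves, the iterations should increase" policy by flagging stored records whose cost is below the current target so they can be rehashed at the user's next successful login. The same halving-per-cost-step arithmetic scales a measured guesses-per-second figure such as the article's 71,000 to a different cost. The policy cost of 13 in the usage is an assumed value; the sample hash is the one quoted above.

```python
import re
from typing import List, NamedTuple

# bcrypt's base64 alphabet is not the RFC 4648 one; the regex below enforces it.
_BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)
MIN_COST, MAX_COST = 4, 31   # the range bcrypt implementations accept


class BcryptHash(NamedTuple):
    version: str   # 2, 2a, 2b, 2x or 2y
    cost: int      # log2 of the key-expansion rounds
    salt: str      # 22 chars = 128 bits of salt
    digest: str    # 31 chars = 184 bits of the Blowfish-based output

    @property
    def rounds(self) -> int:
        """Cost 13 means 2**13 = 8192 rounds of the expensive key schedule."""
        return 1 << self.cost


def parse_bcrypt(stored: str) -> BcryptHash:
    """Parse $2a$13$<salt22><digest31>; raise on anything that is not well-formed bcrypt."""
    match = _BCRYPT_RE.match(stored)
    if not match:
        raise ValueError("not a bcrypt modular-crypt string")
    version, cost, salt, digest = match.groups()
    cost_int = int(cost)
    if not MIN_COST <= cost_int <= MAX_COST:
        raise ValueError(f"bcrypt cost {cost_int} outside {MIN_COST}..{MAX_COST}")
    return BcryptHash(version, cost_int, salt, digest)


def needs_rehash(stored: str, policy_cost: int) -> bool:
    """True when the record was made at a lower cost than today's policy (or is not bcrypt at all).
    The plaintext is only available at login, so that is when the upgrade happens."""
    try:
        return parse_bcrypt(stored).cost < policy_cost
    except ValueError:
        return True


def records_to_upgrade(records: List[str], policy_cost: int) -> List[str]:
    """Which of these stored hashes should be re-hashed on next successful login."""
    return [r for r in records if needs_rehash(r, policy_cost)]


def scale_guess_rate(measured_rate: float, measured_cost: int, target_cost: int) -> float:
    """Each +1 in cost doubles the work per guess, so halves an attacker's guesses per second."""
    return measured_rate / (2 ** (target_cost - measured_cost))


if __name__ == "__main__":
    example = "$2a$13$Ejtc1pVjyLkZn4eU9FGCg.gOQ3QtbWOsUOvSUKbU2anywhoO04ESy"
    h = parse_bcrypt(example)
    print(h.version, h.cost, h.rounds, h.salt, h.digest)
    print("rehash at policy cost 13:", needs_rehash(example, 13))
    print("rehash at policy cost 14:", needs_rehash(example, 14))
```

Note the cost is a log2 value, so Peter's "last 2 digits of the year" would be cost 15 in 2015 (32,768 rounds), and each further year would double the work rather than add to it.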
RE: gmail security is a joke
I was thinking about using the last 2 digits of the year as the cost factor, but that might not scale with hardware linearly. How about: 2 ^ (last 2 digits of year / 2) This would track per Moore's Law. John John Souvestre - New Orleans LA
Re: Capacity/transit costs vs growth
But if this happens over a period where there have been improvements in equipment/efficiency, then one would think the increase in costs would be less than 20%. The above hypothesis why imply that the 20% linear increase is not fair, vs directly making the case that the base rate, set in some point in the past is not fair/appropriate anymore ? Faisal Imtiaz Snappy Internet Telecom - Original Message - From: Jean-Francois Mezei jfmezei_na...@vaxination.ca To: Nanog@nanog.org Sent: Wednesday, May 27, 2015 5:36:23 PM Subject: Capacity/transit costs vs growth I am looking for some rough estimates of the ratio of capacity (equipment) pricing declines versus average increase in end user capacity. For instance, say end user average capacity usage increases 50% over 3 years, would the ISP's costs also increase by 50% ? Or would increased efficiency of equipment result in a 50% decrease in capacity costs yielding roughly the same total cost to the service provider ? So I am looking at some sort of ratio of gross cost increases/decreases relative to end user increase in usage over time. Context: Wholesale services in Canada are priced linearly and there is a process trying to convince the CRTC to review them ASAP. So if average use grows from 1mbps during peak to 1.2mbps, we are looking at 20% increase in costs in a linear pricing scheme. But if this happens over a period where there have been improvements in equipment/efficiency, then one would think the increase in costs would be less than 20%. So I am looking for any and all information that can help convince the regulator that current linear increase is not right and needs a review. any help appreciated.
Re: gmail security is a joke
I am truly relieved that this was just a misunderstanding! -b On May 27, 2015 at 16:05 b...@herrin.us (William Herrin) wrote: On Wed, May 27, 2015 at 1:51 PM, Barry Shein b...@world.std.com wrote: On May 27, 2015 at 10:28 b...@herrin.us (William Herrin) wrote: On Tue, May 26, 2015 at 4:10 PM, Scott Howard sc...@doc.net.au wrote: It means they are storing it unhashed which is probably what you mean. It means they're storing it in a form that reduces to plain text without human intervention. Same difference. Encrypted at rest matters not, if all the likely attack vectors go after the data in transit. It matters a lot. [...] The OP was correct, if they can send you your cleartext password then their security practices are inadequate, period. Am I speaking English? I thought I was speaking English. Unless I misunderstand what you're saying (I sort of hope I do) Yeah, I think you probably did since I was largely agreeing with you. What I was trying to say was that there wasn't a heck of a lot of difference between storing a user's password with reversible encryption and storing it in plain text. Both are supremely unsatisfactory. Reasonable security starts by not retaining the user's password at all. Keep only the non-reversible hash. Regards, Bill Herrin -- William Herrin her...@dirtside.com b...@herrin.us Owner, Dirtside Systems . Web: http://www.dirtside.com/
Re: gmail security is a joke
Good name in man and woman, dear my lord, Is the immediate jewel of their souls. Who steals my purse steals trash; 'tis something, nothing; 'Twas mine, 'tis his, and has been slave to thousands; But he that filches from me my good name Robs me of that which not enriches him, And makes me poor indeed. --Othello Act 3, Scene 3 -- -Barry Shein The World | b...@theworld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada Software Tool Die| Public Access Internet | SINCE 1989 *oo*