Re: What's going on at Cogent
On Oct 23, 2018, at 10:32 AM, Ross Tajvar wrote:

> I am also interested in hearing about this. I think it's relevant to the
> current thread.

Speaking only for myself, there are companies where I have done short-term contracts, and where I am definitely not interested in any further employment opportunities with them. OTOH, I am totally happy to continue to be a customer of theirs. Further discussion of that sort of thing would not be appropriate here.

If Josh is in the same boat with HE, I totally understand.

For the Network Time Foundation (and related projects), I think we've been pretty happy as a customer of HE, but then we're just a small customer of theirs.

--
Brad Knowles

Please forgive any typos. I'm fighting a failing keyboard on my laptop, in addition to having a broken finger.
Re: USB Ethernet Adapters
On May 14, 2018, at 8:20 PM, Colton Conor <colton.co...@gmail.com> wrote:

> 1. I like the ones that have lights on the Ethernet port so you can see if
> the device is up/down. I find that critical as we go to a lot of sites
> where we don't know if the cable is good/bad, so an indication on the lights
> is critical.

If you're going to do network testing, then a NETool is recommended. That's a complete Linux network testing system in what looks like a larger-than-usual dongle.

Beyond that, if you're using an older Mac, then in my experience Apple's Thunderbolt 2/GigE adapter can't be beat. I do not yet have enough experience with USB, or USB-C, or Thunderbolt 3 adapters to be able to make any recommendations.

--
Brad Knowles <b...@shub-internet.org>
Re: Suggestions for a more privacy conscious email provider
On Dec 4, 2017, at 5:22 PM, Naslund, Steve <snasl...@medline.com> wrote:

> There are all kinds of factual issues with the arguments in the referenced
> document.
>
> 1. During Desert Storm I personally sent hundreds of STU-IIIs to the
> sandbox. They didn't go in diplomatic pouches, they went as Air Force cargo
> like everything else.

Maybe not all of them went the way I described, but there were public stories at the time regarding ones that had been sent in diplomatic pouches, and which was confirmed by the government. I wasn't concerned about the STU-IIIs that got sent the "normal" way, and therefore I did not mention them.

What really concerned me at the time was that it was totally okay to send them in a wide variety of ways before they were keyed, but they had to be sent via diplomatic pouches once they had been keyed, in order to get around our own export controls regarding munitions.

Today, I know a bit more about what "keying" means than I did then, but not much more. I guess if you're using shared secrets everywhere, it becomes really important to protect those shared secrets against everyone, including other members of our own government.

> 2. Treason is not applicable here because there must be a declared war.
> Treason requires interaction with a declared enemy during a time of war. I
> know that term gets thrown around haphazardly lately but it is a very
> specific legal term.

Okay, so treason was the wrong term. I grant you that. In fact, I granted that in my previous message. Let's get over that word.

> 3. Asking a government agency to act as the KDF is so demonstrably brain
> damaged we don't even need to go into the problems with that. They have
> shown that:

At the time, I think it was reasonable to at least mention using a government agency as a Key Escrow agent, if only to point out one possible solution. Key Escrow has had a lot more research since 1992, and we've learned a lot of lessons since then.

> 4. Sending a device or technology out of the US does not equal an export
> under ITAR. In your example, if a device is going to be used by US
> Government employees or military personnel and kept under their control, it
> is not an export. As a matter of fact a US company can use export restricted
> software and hardware in foreign countries in most cases if it is under the
> control of US Nationals. i.e. US company can use high encryption licenses
> for Cisco devices inside of China branch offices to secure their VPN
> connections. My company has this in writing, we did all of the appropriate
> export paperwork and then were told it was unnecessary since the software
> remains under the control of US nationals (of course they know that all the
> foreign intel agencies already have it so they are not worried about James
> Bond sneaking in the middle of the night to reverse engineer it).

The rules regarding the exportation of strong crypto have changed since 1992. Although it now looks like maybe they're soon going to be going back the other direction. However, for the moment, it is still a non-sequitur to apply the rules of exportation under modern law to something that was written in 1992.

> 5. The DirNSA has a vested interest in the collection of intelligence and
> the security of US GOVERNMENT systems as his primary responsibilities.
> Securing US private entities is way down his list of priorities and if in
> conflict with his primary missions will take a back seat. Not treason, my
> friend, just focus on his mission.

I believed at the time that he was causing Very Grave Harm to National Security Interests, through their actions to try to force the standardization on poor encryption algorithms and prohibit the use of strong crypto.

As far as that statement goes, I believe that it is as true and applicable today as it was in 1992.

--
Brad Knowles <b...@shub-internet.org>
Re: Suggestions for a more privacy conscious email provider
On Dec 4, 2017, at 4:51 PM, valdis.kletni...@vt.edu wrote:

>> Do I count? I only accused the Director of the NSA of High Treason in
>> my letter to the editors of the Communications of the ACM (see
>> <http://www.shub-internet.org/brad/cacm92nov.html>).
>
> Treason fail. What declared enemy of the US did the Director provide aid and
> comfort to?

Technically, I accused him of causing Very Grave Harm to National Security Interests, which is treated at the same severity as High Treason. Or at least, that was the way I read the "Orange Book" TCSEC at the time, because I deliberately took the wording straight from that book.

--
Brad Knowles <b...@shub-internet.org>
Re: Please run windows update now
On May 16, 2017, at 11:40 AM, JoeSox <joe...@gmail.com> wrote:

> LOL. I think that is a really bad example and I see many fallacies in it,
> including a hasty generalization, as intersections, and roads for that
> matter, in America have been redesigned to improve safety.

So, if you want to talk about roads in the US, the first thing you have to do is look at the budgets. There are trillions of dollars worth of road improvements that should have been made over the past decades, but which haven't. You'd have to ask the politicians as to what they think the real reasons are, but my guess is that they were unwilling to make long-term investment on critical infrastructure, because it was seen as being too expensive in the short-term.

And I definitely see a strong analogy there with what Microsoft has/has not done.

> Isn't it true, with any tech product, the more complex features, the less
> secure it is? Ask yourself why this is the case, and I believe the true
> issue with tech lies there.

To a degree, this is true. But there are more iOS devices out there than there are Windows boxes, and while iOS certainly isn't perfect, it definitely has a much better security posture. So, there is at least one other company out there that can do the job. I have to believe that there is more than just one.

> I don't know. It is hard to imagine a professional IT nowadays, seriously
> blaming Microsoft for every bad thing out there.

I don't blame Microsoft for every bad thing out there. I do think they are, by far, the worst of the Fortune 25. But there are 24 other companies on that list who all have their own part to play -- including Apple.

> What would be more of an interesting discussion, to me, would be why
> doesn't Microsoft know about this hoarding of vulnerabilities by State
> actors and plug them up?

Well, this one is actually an old vulnerability, right? One that Microsoft supposedly fixed years ago? So, why didn't they fix it properly back then?

> Are they really that clever of vulnerabilities? Does Microsoft not have the
> resources? Is Windows like the ocean, where there are just hundreds of new
> species waiting to be discovered?
> Did Microsoft at least know of the NSA vulnerabilities, for example, and
> kept it classified until NSA told them to plug them up?

Good conspiracy questions to ask. But frankly, I don't care that Microsoft wants to blame the NSA for hoarding vulnerabilities. If Microsoft had spent more time/money/effort to get their crap right the first time, then we wouldn't have this mess. We might have a different mess, but we wouldn't have this one.

--
Brad Knowles <b...@shub-internet.org>
Re: Please run windows update now
On May 15, 2017, at 4:31 PM, Jonathan Roach <jonathan.ro...@oracle.com> wrote:

> What's key is that administrators need to know how to secure their
> estates. If they've failed to apply the patch, that's their failure, not
> Microsoft's, but patching was not the only way to have curtailed this
> weekend's outbreak.

But their failure leads to further intrusions elsewhere. Their failure has consequences beyond their own borders. IMO, this is a herd immunity problem that Microsoft needs to get better at.

The analogy I would make here is the German versus the American approaches to road fatalities.

In the German approach, if there are significant road fatalities in a given location, then that implies there is a failure with the way the road system is engineered, and it needs to be fixed so that the number of fatalities is brought down. No blame is automatically assumed on the part of the drivers who failed at that location.

In the American approach, if there are a significant number of road fatalities, then it's the drivers' own fault and they should have taken more care. They are automatically to blame for their own failure.

But if you're one of the other drivers out there who might be impacted by the lack of due diligence practiced by another driver on the road, which approach are you going to want to see implemented?

--
Brad Knowles <b...@shub-internet.org>
Re: Please run windows update now
On May 15, 2017, at 11:21 AM, J. Oquendo <joque...@e-fensive.net> wrote:

>> Not everyone licks their chops and thinks "fresh meat" when they see
>> worldwide panic that results from a massive security hole like this.
>
> Jump in the security space, where we may gladly trade our
> cats and dogs for Porsche Panameras

Thanks, but no. I am already forced to do much more in the security space than I would like. And I love my little miracle kitty very much. I wouldn't trade her for any kind of vehicle in this world. I am rather less materialistic than that.

--
Brad Knowles <b...@shub-internet.org>
Re: Please run windows update now
On May 15, 2017, at 10:08 AM, J. Oquendo <joque...@e-fensive.net> wrote:

> Spot on. Shame on Microsoft for releasing patches and not
> forcing the installation versus letting security managers
> open up ISC^, and other nonsensical frameworks to do things
> like "change/patch management" tasks. I mean, who cares if
> one little patch knocks a business out of existence.

If Microsoft didn't open the security hole in the first place, then there wouldn't be a need to patch it afterwards.

Of course, there will always be patches that need to be applied, and people do have to decide what is a sane patching process. But if a patch can be completely avoided because they were more careful and rigorous in their development to begin with, then as a whole the world would be better off.

> I do believe Microsoft is directly responsible for making
> people such daft "To patch or not to patch" admins. Force
> feed patches on everyone! Then your next message will be:
> "I believe Microsoft is responsible for trillions of
> dollars by pushing out patches forcefully and negatively
> impacting businesses worldwide."

An ounce of prevention on their part would prevent a pound of cure having to be applied by everyone else in the world. But then Microsoft couldn't extract their value from selling that pound of cure, so that would be another problem.

> Pain and anguish? I'm smiling and drinking coffee. I adore
> when security shenanigans occur. That is the sound of a cash
> register to me.

Not everyone licks their chops and thinks "fresh meat" when they see worldwide panic that results from a massive security hole like this. Some of us just want to get regular work done.

--
Brad Knowles <b...@shub-internet.org>
Re: Please run windows update now
On May 15, 2017, at 5:37 AM, Rich Kulawiec <r...@gsp.org> wrote:

> [1] There may be no such thing as a secure system, period. But it
> would be better to deploy things that may have a fighting chance
> instead of things that have long since proven to have none at all.

As much as I hate, loathe, and despise Microsoft, there's always going to be someone/something out there that is "the worst". Eliminate the current "worst", and there will be another one right behind them.

I do believe that Microsoft is directly responsible for trillions of dollars/euros of damage done to economies worldwide, due to their lax security practices over the years. Their advances have only come at the cost of great pain on the part of others, and they have been kicking and screaming all the while being dragged into the modern world.

The rest of us will continue to bear the pain and anguish that they create. That's just the way things are. Not the way they should be, but the way they are.

--
Brad Knowles <b...@shub-internet.org>
Re: Microsoft O365 labels nanog potential fraud?
On Mar 29, 2017, at 11:06 AM, Leo Bicknell <bickn...@ufp.org> wrote:

> While I haven't looked at real mailing list software recently
> (e.g. mailman) when I last did they didn't support this either and
> it took a pile of 3rd party hacks to make it work.

The latest versions of Mailman (2.1.23 and 3.0.0) both work reasonably well out-of-the-box with SPF, DKIM, and DMARC. Some additional configuration tuning might be necessary for additional compatibility. However, those features are still available in an out-of-the-box configuration, they’re just not enabled by default because they might cause more problems than they would solve for certain types of typical installations. So, if you want those features, you need to turn them on.

IMO, Mailman3 works better out-of-the-box with SPF, DKIM, and DMARC as compared to Mailman 2.1.x, but that codebase is still pretty fresh. We’re now using it by default for mailing lists hosted on python.org, but we have not yet converted any of the older Mailman 2.1.x lists over to Mailman 3. We haven’t noticed any major problems yet with the latest version of Mailman3, but we still want to be careful in our testing.

> For that matter, setting up DKIM is horrendously complicated for
> no good reason…

Sites like DMARCian help with that process to a degree, but there’s still a lot of complexity there that I would like to see handled automatically. Unfortunately, that’s kind of the nature of the beast right now with these tools. The technology is still complex and difficult to configure, and it’s easy to set things up in a way that you wind up shooting yourself in the foot — and possibly with a large thermonuclear device.

No provider is immune to these mistakes, and some providers are more likely to make big mistakes than others.

--
Brad Knowles <b...@shub-internet.org>
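The message above says that Mailman's SPF/DKIM/DMARC handling is present but off by default because it can cause trouble for some installations. The following is an added example, not part of the thread and not Mailman's own code, that models why a list relay fails DMARC for a poster whose domain publishes p=reject and what the "Munge From" style mitigation changes. The domains, DNS records and the simplified organisational-domain reduction (last two labels rather than the Public Suffix List) are constructed for the example.

```python
"""Model DMARC identifier alignment for a message relayed through a mailing list.

Added example: constructed domains and records, not real DNS data, and a
simplified alignment evaluator rather than a full RFC 7489 implementation."""

# Constructed TXT answers for _dmarc.<domain>. Only these two domains exist here.
DMARC_RECORDS = {
    "author.example": "v=DMARC1; p=reject; adkim=s; aspf=r",
    "lists.example": "v=DMARC1; p=none",
}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag -> value dict (tag=value; separated)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    # Alignment modes default to relaxed when the record omits them.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Simplified organisational domain: the last two labels. A real evaluator
    consults the Public Suffix List; this is enough for the constructed names."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain, dkim_pass_domains, spf_pass_domain, records=DMARC_RECORDS):
    """Return (policy, passes) for a message whose RFC5322.From is from_domain.

    dkim_pass_domains: d= domains of DKIM signatures that verified.
    spf_pass_domain: the MAIL FROM domain if SPF passed, else None.
    DMARC passes when at least one passing identifier aligns with From."""
    txt = records.get(from_domain)
    if txt is None:
        return "none", True  # no policy published: nothing to enforce
    tags = parse_dmarc(txt)
    dkim_ok = any(aligned(from_domain, d, tags["adkim"]) for d in dkim_pass_domains)
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, tags["aspf"])
    return tags["p"], (dkim_ok or spf_ok)


def relayed_message(from_domain, list_domain, munge_from):
    """Model a post from from_domain relayed by a list at list_domain.

    The list's MTA passes SPF for list_domain and the list re-signs with its
    own DKIM key; the author's original signature is taken as broken by the
    subject tag and footer the list adds. With munge_from, the list rewrites
    the From header to its own domain (the mitigation Mailman offers), so the
    visible From now lines up with the list's own authenticated identifiers."""
    visible_from = list_domain if munge_from else from_domain
    return evaluate(visible_from, [list_domain], list_domain)


if __name__ == "__main__":
    print("direct mail from author:", evaluate("author.example", ["author.example"], "author.example"))
    print("relayed, no munging:    ", relayed_message("author.example", "lists.example", False))
    print("relayed, From munged:   ", relayed_message("author.example", "lists.example", True))
```

The middle case is the one that bites list operators: the author's p=reject is evaluated against identifiers that belong to the list, nothing aligns, and receivers honouring the policy bounce the post. Munging the From header trades that rejection for a From address that no longer names the author, which is why the option is left for the operator to choose.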
Gmail or GAFYD SREs on the list?
Folks,

Do we have any SREs from the Gmail or Google Apps For Your Domain teams on the list?

I’m helping to support some domains related to the Network Time Foundation and NTP.org, and we’re having some problems with IPv6 connectivity to them.

Thanks!

--
Brad Knowles <b...@shub-internet.org>