Re: looking for feedback on virtual/dedicated server providers in latin/south america/UK
I have to recommend Linode in the UK, from my experience they have their act together and their prices are reasonable.

Sam Moats
Circle Net

On 2014-02-18 12:50, Carlos Kamtha wrote:
Hi, Just wondering if anyone could share some experiences with server providers specifically in Argentina, Colombia and Costa Rica, and pretty much anywhere in the UK region. Please respond offlist. Any feedback would be greatly appreciated. :)
Carlos.
Re: carrier comparison
+1 Same feeling here.

Sam Moats

On 2014-02-06 16:22, Matthew Crocker wrote:
IMHO Cogent bandwidth is fine so long as it isn't your only bandwidth. Good, Cheap, Fast, Pick any two.
--
Matthew S. Crocker
President
Crocker Communications, Inc.
PO BOX 710 Greenfield, MA 01302-0710
E: matt...@crocker.com P: (413) 746-2760 F: (413) 746-3704 W: http://www.crocker.com

On Feb 6, 2014, at 10:17 AM, Adam Greene maill...@webjogger.net wrote:
Hi, We're a small ISP / datacenter with a Time Warner fiber-based DIA contract that is coming up for renewal. We're getting much better pricing offers from Cogent, and are finding out what Level 3 can do for us as well. Both providers will use Time Warner fiber for last mile. My questions are:
- Will we be sacrificing quality if we spring for Cogent? (yesterday's Cogent/Verizon thread provided some cold chills for my spine)
- Is there a risk with contracting a carrier that utilizes another carrier (such as Time Warner) for the last mile? (i.e. if there is a downtime situation, are we going to be caught in a web of confusion and finger-pointing that delays problem resolution)?
- How are peoples' experiences with L3 vs TWC?
Although I assume everyone on the list would be interested in what others have to say about these questions, out of respect for the carriers in question, I encourage you to email frank opinions off list. Or if there are third party tools or resources you know that I could consult to deduce the answers to these questions myself, they are most welcome.
Thanks,
Adam
Re: NSA able to compromise Cisco, Juniper, Huawei switches
This might be an interesting example of its (mis)use.
http://en.wikipedia.org/wiki/Greek_wiretapping_case_2004%E2%80%932005

Sam Moats

On 2013-12-30 11:16, Enno Rey wrote:
On Mon, Dec 30, 2013 at 04:03:07PM +, Dobbins, Roland wrote:
On Dec 30, 2013, at 10:44 PM, valdis.kletni...@vt.edu valdis.kletni...@vt.edu wrote:
What percentage of Cisco gear that supports a CALEA lawful intercept mode is installed in situations where CALEA doesn't apply, and thus there's a high likelihood that said support is misconfigured and abusable without being noticed?
AFAIK, it must be explicitly enabled in order to be functional. It isn't the sort of thing which is enabled by default, nor can it be enabled without making explicit configuration changes.
at least back in 2007 it could be enabled/configured by SNMP RW access [see slide 43 of the presentation referenced in this post http://www.insinuator.net/2013/07/snmp-reflected-amplification-ddos-attacks/] so knowing the term private might be enough to perform the task remotely.
have a good one
Enno
---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
Luck is the residue of opportunity and design. -- John Milton
RE: Help me make sense of these traceroutes please
Thanks to everyone who responded off list and on.

Sam Moats

On 2013-12-26 11:21, Josephson, Marcus wrote:
Start at slide 50: This is documented further by the following Nanog presentation. http://www.nanog.org/meetings/nanog47/presentations/Sunday/RAS_Traceroute_N47_Sun.pdf
-Marcus

-Original Message-
From: Jimmy Hess [mailto:mysi...@gmail.com]
Sent: Wednesday, December 25, 2013 10:28 AM
To: Martin Hotze
Cc: nanog@nanog.org
Subject: Re: Help me make sense of these traceroutes please

On Wed, Dec 25, 2013 at 8:03 AM, Martin Hotze m.ho...@hotze.com wrote:
On 2013-12-25 00:16, Sam Moats wrote:
... You are likely seeing the effects of asymmetric routing. . .. or the effect of passing traffic through NSA infrastructure.
Ah... NSA. That's probably it. So much for my theory of a Router virtual chassis straddling the atlantic. or the extra kinetic energy carried by the overseas-bound packet took longer for the router to absorb and rebound with an ICMP.
But in all seriousness --- what is probably happening here, is the result of extra hops that don't show up in traceroute. MPLS tunnels could well fit the bill. Other things to consider when latency seems sensitive to destination IP --- are preceding device in the traceroute might also have multiple links to the same device; with one link congested and some form of IP-based load sharing, that happens to be the toward-overseas link.
SCNR, #m
--
-JH
Help me make sense of these traceroutes please
Hello Nanog community, I would like to enlist your help with understanding this latency I'm seeing. First some background: I have Level3 circuits in the US and some services in Europe. From Comcast to the US Level3 IPs the performance is excellent. The same traceroute to Europe is terrible. The strange part is the problem appears to begin stateside on the same infrastructure that carries the US traffic.

Here is a trace to one of my IPs in the US from Comcast:

Tracing route to 4.30.x.x over a maximum of 30 hops
  1     3 ms     1 ms     1 ms  10.1.1.1
  2    30 ms    29 ms    29 ms  71.62.150.1
  3     9 ms     9 ms     9 ms  xe-0-1-0-32767-sur01.winchester.va.richmond.comcast.net [68.85.71.165]
  4     9 ms    14 ms    10 ms  xe-9-0-3-0-ar02.staplesmllrd.va.richmond.comcast.net [68.86.125.149]
  5    32 ms    30 ms    34 ms  68.86.91.153
  6    36 ms    38 ms    53 ms  23.30.207.98
  7    34 ms    28 ms    33 ms  vlan51.ebr1.Atlanta2.Level3.net [4.69.150.62]
  8    29 ms    28 ms    20 ms  ae-63-63.ebr3.Atlanta2.Level3.net [4.69.148.241]
  9    27 ms    29 ms    30 ms  ae-2-2.ebr1.Washington1.Level3.net [4.69.132.86]
 10    24 ms    30 ms    24 ms  ae-71-71.csw2.Washington1.Level3.net [4.69.134.134]
 11    29 ms    31 ms    39 ms  ae-41-90.car1.Washington1.Level3.net [4.69.149.195]
 12    30 ms    30 ms    29 ms  ae-2-23.edge7.Washington1.Level3.net [4.68.106.238]
 13    38 ms    44 ms    43 ms  4.79.x.x
 14     *        *        *     Request timed out. (My firewall)
 15    39 ms    39 ms    39 ms  4.30.x.x
Trace complete.

Now here is the same computer tracing to a Level3 circuit in Ireland.

Tracing route to xxx.yyy.ie [193.1.x.x] over a maximum of 30 hops:
  1     1 ms     1 ms     1 ms  10.1.1.1
  2    38 ms    33 ms    25 ms  71.62.150.1
  3    10 ms     9 ms     9 ms  xe-0-1-0-32767-sur01.winchester.va.richmond.comcast.net [68.85.71.165]
  4    14 ms    15 ms    15 ms  xe-9-0-3-0-ar02.staplesmllrd.va.richmond.comcast.net [68.86.125.149]
  5    28 ms    30 ms    30 ms  68.86.95.65
  6    37 ms    37 ms    37 ms  23.30.207.98
  7   118 ms     *      218 ms  vlan51.ebr1.Atlanta2.Level3.net [4.69.150.62]
  8   119 ms   218 ms   119 ms  ae-63-63.ebr3.Atlanta2.Level3.net [4.69.148.241]
  9   221 ms   119 ms   119 ms  ae-2-2.ebr1.Washington1.Level3.net [4.69.132.86]
 10   118 ms   119 ms   118 ms  ae-91-91.csw4.Washington1.Level3.net [4.69.134.142]
 11   119 ms   119 ms   119 ms  ae-92-92.ebr2.Washington1.Level3.net [4.69.134.157]
 12   117 ms   126 ms   120 ms  ae-43-43.ebr2.Paris1.Level3.net [4.69.137.57]
 13   128 ms   118 ms   120 ms  ae-6-6.car1.Dublin3.Level3.net [4.69.148.53]
 14   122 ms   225 ms   124 ms  4.69.148.58
 15   124 ms   118 ms   120 ms  ae-11-11.car1.Dublin1.Level3.net [4.69.136.93]

Notice that the hop from 23.30.207.98 to 4.69.150.62 seems very respectable at around 30ms for US bound traffic. However when I'm tracing from the same Comcast network to an IP that is in Europe the very same hop produces 100ms of latency and about 12% packet loss. Why does this hop treat traffic differently based on its destination? Is this some weird result of complex asymmetrical routing or something else? I can route around this problem, but it does seem strange and I want to understand it.

Thanks,
Sam Moats
Re: Help me make sense of these traceroutes please
On 2013-12-24 18:55, Jeroen Massar wrote:
On 2013-12-25 00:16, Sam Moats wrote:
Hello Nanog community, I would like to enlist your help with understanding this latency I'm seeing.
You are likely seeing the effects of asymmetric routing.

That's what I was thinking too.

[..]
Tracing route to xxx.yyy.ie [193.1.x.x]
www.heanet.ie by chance? :)

Yes they were the owners of the IP I used for the example case and the heanet folks are actually totally awesome :-)

Though you could use for instance: http://planchet.heanet.ie/toolkit/gui/reverse_traceroute.cgi to do a reverse traceroute, do make sure you force your connectivity to IPv4 as that host will do IPv6 too. (locally nullrouting the destination /128 is the trick I use for 'disabling' IPv6 temporarily). Otherwise the HEANET folks are extremely helpful and clued in, you can always ask them for help with issues. It is the end-of-year though and those Irish folks have lots of really good whiskey, Guinness thus you might have to be patient till the new year. Also you'd be amazed how many network issues can be solved with a bunch of IT folks and an ample supply of Guinness. Alternatively, you could use a tool like 'tracepath' or 'mtr' as those report multiple answers to a response and also check for the TTL on the return packets.
Greets, Jeroen

Thanks, this isn't affecting my service now I've worked around it so it's more a curiosity than anything. It seems really odd to me that the same L3 edge router would route the ICMP unreachable back to me via different paths based on the final destination IP of the ICMP echo packet. Well it's Christmas Eve here and the customers are happy so Guinness seems like the best approach now :-)

Thanks and have a good Holiday,
Sam Moats
Re: do ISPs keep track of end-user IP changes within their network?
That's the day we decided we needed better edge routers :-).. I watched a modem pool infected with Code Red melt a Cisco 3640. Had to throw a Linux box in its place while I waited for Cisco equipment.

Sam Moats

On 2013-12-17 09:54, Blake Dunlap wrote:
All I remember from the TNT days is the meltdown when Code Red happened. Why exactly an access platform should melt down when a worm occurs still bothers me.
-Blake

On Tue, Dec 17, 2013 at 8:44 AM, vinny_abe...@dell.com wrote:
Dell - Internal Use - Confidential
I personally never ran the Ascend gear (outside of setting up a customer's Ascend Superpipe 95 dual ISDN router one time), but I heard that the TNT gear doubled as space heaters. I remember one facility we were in that had a catastrophic cooling failure and the temperatures went to insane levels. Our PM3's happily kept running and never had an issue where I heard every TNT box in the facility kept rebooting and crashing.
-Vinny

-Original Message-
From: Nick Hilliard [mailto:n...@foobar.org]
Sent: Monday, December 16, 2013 4:22 PM
To: Paul Stewart
Cc: nanog@nanog.org
Subject: Re: do ISPs keep track of end-user IP changes within their network?

On 16/12/2013 21:09, Paul Stewart wrote:
Back in the day (geesh I feel old just saying that), I deployed a lot of PM3's .... Then we moved to Ascend TNT Max stuff - that was very exciting back then!
Exciting was just the word for Ascends. In the mid 90s, I cured lots of this excitement by putting my Ascends on a socket timer which physically rebooted them a couple of times daily. The support load dropped off substantially due to that.
Nick
Re: do ISPs keep track of end-user IP changes within their network?
I still have a soft spot for the Portmasters :-). We had rows of PM2's with US Robotics 33.6K Sportster modems attached on 8mm tape racks. Back when a town of 40K people could all connect through 2XT1's and everyone was happy.

Sam Moats

On 2013-12-13 16:59, Jon Lewis wrote:
On Thu, 12 Dec 2013, Sam Moats wrote:
I'm not sure about the current state of the industry; it's been a while since I was responsible for an access network. In the past we would keep RADIUS logs for about 4 months; these would include the username, IP address and yes (to date myself) the caller ID of the customer at the time.
We used to keep several years worth of RADIUS summary data, which included username, call end time, duration, IP, NAS-IP, ANI, and DNIS, except for where the telco wouldn't sell PRI and we had to use CT1, where those weren't available. How's that for dating? :)
Want to go back a little further? http://www.lewis.org/~jlewis/modems1.jpg Rack of Sportsters, Digicrap[1] on top, and some Total Control USR modems on the table/overflow.
[1] That's what I ended up nicknaming Digicom's rackmount modem chassis as their modems were unreliable (would repeatedly lock up requiring manual/physical resets and causing major problems for our hunt group). We eventually got them to buy it back as they were unable to resolve their problems.
--
Jon Lewis, MCP :) | I route | therefore you are
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: do ISPs keep track of end-user IP changes within their network?
I'm not sure about the current state of the industry; it's been a while since I was responsible for an access network. In the past we would keep RADIUS logs for about 4 months; these would include the username, IP address and yes (to date myself) the caller ID of the customer at the time.

Sam Moats

On 2013-12-12 03:49, Ray Wong wrote:
been a while, but seems like lately it's more a question of how long. ISPs can be in position where they need to, but as things have consolidated, seems like they'd really like to forget it as soon as they can. If you've got a specific case in mind, likely best to find a direct contact and get a response about policy, even if it has to be off-record. The big ones (like one I likely shouldn't mention by name unless they do as I don't work for them) definitely do, at least long enough to handle DMCA requests and other legal obligations.
-R

On Wed, Dec 11, 2013 at 9:36 PM, Mikael Abrahamsson swm...@swm.pp.se wrote:
On Wed, 11 Dec 2013, Carlos Kamtha wrote:
just a general curiosity question. it's been a long time since I've worked at an ISP. back then it was non-expiring DHCP leases and in some cases static IP for all.. (yes it was long ago..) Any feedback would be greatly appreciated..
Yes, it's very common to keep track of what user account/line had what IP at what time.
--
Mikael Abrahamsson email: swm...@swm.pp.se
Re: Automatic abuse reports
I expect this from the doofus in $pain_in_the_butt_county but I am surprised when I see this behavior from large companies and I really don't understand it. Having a working abuse/response system is beneficial to us all including the gorillas. There is a cost to us if we're spending expensive engineering time, and network resources to deal with the traffic. Also there is an intangible effect on our customers' opinion of our service.

The only thing I can think of is that they are making the decisions about how important their abuse desk is based solely on the cost of running that desk. They are seeing it as a cost center and not thinking about its long term benefit to the entire network. I can't think of a way to remove the incentive for this short term thinking.

If I were the big cheese of the internet?

1. Transit providers would properly implement RFC 2827 filtering facing their downstream single homed customers. If you only connect to me and I send you x.x.x.0/24 down your T1 I shouldn't be getting y.y.y.0 traffic from you. This is easy to do.

2. Tier 1 backbone providers should be willing to de-peer non responsive global networks. I've lost faith in regulations to actually curb the flow but the tier 1 providers may have the leverage to encourage good behavior. For example if $pain_in_the_butt telco in $pain_in_the_butt country has to start paying for transit to get to $big_tier_1 then maybe they would clean up their act. The problem with this is I can't think of a financial way to get buy in for this idea from the business types in these companies.

3. There needs to be more responsible network citizenship among the providers large enough to have an AS number. It's harder to do ingress filtering if your customers are running BGP, I can see reasonable cases where a customer might throw traffic at me from source addresses that I didn't expect. At this point you should require your customers to police their internal network and be willing to give up on their revenue if they refuse to do so. Perhaps requiring a 24 hour human response to abuse@ emails as a condition of having an AS from an RIR or as a requirement for turning up a BGP connection? We expect a good NOC for a peer but care less about a customer in most cases.

4. Large eyeball networks would see the value in protecting their own people and would implement RFC2827 as close to their customers as possible. As soon as you can drop that packet on the floor the better. The giant zombie bot armies are a pain to them too.

That's all I can think of at 4am, I bet you can see why nobody would ever appoint me big cheese of the internet.

Sam Moats

On 2013-11-13 00:57, Hal Murray wrote:
William Herrin b...@herrin.us said:
That's the main problem: you can generate the report but if it's about some doofus in Dubai what are the odds of it doing any good?
It's much worse than that. Several 500 pound gorillas expect you to jump through various hoops to report abuse. Have you tried reporting a drop box to Yahoo or Google lately? On top of that, many outfits big enough to own a CIDR block are outsourcing their mail to Google. Google has a good spam filter. It's good enough to reject spam reports to abuse@hosted-by-google
I wonder what would happen if RIRs required working abuse mailboxes. There are two levels of working. The first is doesn't bounce or get rejected with a sensible reason. The second is actually gets acted upon.
If you were magically appointed big-shot in charge of everything, how long would you let an ISP host a spammer's web site or DNS server or ...? What about retail ISPs with zillions of zombied systems?
Re: Automatic abuse reports
There are good guys out there :-), and some are gorilla sized; that's why I obfuscated the names in my response. No offense intended to the good ones.

Sam Moats

On 2013-11-13 05:48, Paul Bennett wrote:
I can't speak directly for them, as I'm not an official company spokesperson, but this conversation has got my dander up enough that I can't keep my big mouth shut. I know of at least one 500 pound gorilla (with zillions of retail customers, and their share of 500 pound gorillas as customers (and everything in between)) that has a working and effective abuse@ address, one that can and does aggregate and pass on abuse complaints, and that can and does suspend service over failure to fix. On occasion, I understand even significant customers have been not just suspended but terminated over failure to follow the ToS/AUP. The company in question accepts abuse complaints in ARF, MARF, X-ARF and IODEF format, among others, and (I cannot emphasize this enough) does act on them.
Anyone who suggests roundfiling abuse@ complaints is (IMNSHO) actively working to make the problem worse, not better. Anyone who thinks that all networks do roundfile abuse@ complaints would seem to be making an over-generalization.
Note, once again, that these are my opinions, and not my employers', so much so that I can't even tell you directly who my employer is. Not that it's hard to find out, but I'm so very much not speaking in an official capacity here.
--
Paul
Re: Automatic abuse reports
Don't have access to a normal PC right now but I agreed with this approach so much that I'm typing a response on a 10 button pad.

Sam

On 2013-11-13 21:33, Jimmy Hess wrote:
On Wed, Nov 13, 2013 at 3:46 AM, Sam Moats s...@circlenet.us [1] wrote:
about its long term benefit to the entire network. I can't think of a way to remove the incentive for this short term thinking.
The end users can, by inquiring about the abuse desk, before agreeing to sign up for service. In this manner Not having a good abuse desk becomes a cost center, in the form of suppressed opportunities for future revenue.
Federal entities, etc, when soliciting for proposals from ISPs and service providers in addition to the Must have IPv6 support, could add a line Must have a highly-responsive abuse desk/abuse contact; with 4 professional references from email or network operators in the industry who have worked with the abuse desk; must aggregate and report matters of potential abuse or complaints regarding subscribers outgoing mail or IP traffic within 3 hours on average, during business hours and within 5 hours 24x7 ... etc...
--
-JH

Links:
--
[1] mailto:s...@circlenet.us
Re: Automatic abuse reports
We used to use a small perl script called tattle that would parse out the /var/log/secure on our *nix boxes, isolate the inbound ssh exploits, lookup the proper abuse contacts and report them. I haven't seen anything similar in years but it would be interesting to do more than null route IPs.

The problem we had with the automated reporting was dealing with spoofed sources, we see lots of traffic that is obviously hostile but unless it becomes serious enough to impact performance we rarely report it. An automated system didn't seem to fit anymore due to false positives. A number of providers who aren't exactly interested in the overall good health of the net do a poor job of network ingress filtering that unless I closely examine the traffic and its origins. Without being able to trust the source address information in the DDOS traffic I run the risk of crying wolf to a provider who is just as much a victim as I am. (Think of my ACK packets piling in his network in response to the bogus SYN packets I'm getting). So we reserve complaints for when there is an actual impact and try to keep the signal to noise ratio in our reports decent.

I'm not really happy with this approach and I'm open to ideas!

Thanks
Sam Moats

On 2013-11-12 16:58, Jonas Björklund wrote:
Hello, We often get abuse reports on hosts that have been involved in DDOS attacks. We contact the owner of the host and help them fix the problem. I also would like to start sending these abuse reports to the ISP of the source. Are there any available tools for this? Is there any plugin for nfsen? Do I need to write my own scripts for this?
/Jonas
Re: Automatic abuse reports
You're right, they wouldn't get all of the way through. The three way handshake is great against blind spoofing attacks. That said the original poster was focused on a DOS event, to do that you really don't need the full handshake. I'm not sure if the end goal of whomever we were dealing with was to DOS us or if it was some screwed up half open SYN scans, or my personal guess it was to generate enough bogus log traffic to hide which connections were legitimate threats.

Either way enough inbound SYN connections on port 22 would tip over the servers, this was LONG ago circa 97~99, so the traffic we saw was an effective DOS. We had inetd calling ssh and also telnet (Change comes slowly and crypto was painful to implement for us at the time). In our setup inetd decided to log the sessions both ssh and telnet as soon as the daemon was called. So even if we didn't do the full session setup the machine would still log an event for each tcp session.

In hindsight we could have cleaned it up so that it wouldn't log before completing the handshake or tweaked the perl script to filter them out but I was a newbie at that point and placing ACLs in my border router to drop inbound ssh traffic that didn't come from netblocks I expected and moving off of the default port were the easiest solutions at the time. Now it would be trivial to setup syslog and sshd to give only the sessions that complete the handshake, however I'm also not sure how responsive some of the abuse contacts may be. I'll keep my restrictive network settings for the time being.

Sam Moats

On 2013-11-12 20:43, William Herrin wrote:
On Tue, Nov 12, 2013 at 4:52 PM, Sam Moats s...@circlenet.us wrote:
We used to use a small perl script called tattle that would parse out the /var/log/secure on our *nix boxes, isolate the inbound ssh exploits, lookup the proper abuse contacts and report them. I haven't seen anything similar in years but it would be interesting to do more than null route IPs.
The problem we had with the automated reporting was dealing with spoofed sources, we see lots of traffic that is obviously hostile but unless it becomes serious enough to impact performance we rarely report it. An automated system didn't seem to fit anymore due to false positives.
Hi Sam, Out of curiosity -- how does one get a false positive on an ssh exploit attempt? Does the origin IP not have to complete a 3-way handshake before it can attempt an exploit?
Regards,
Bill Herrin
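As an added illustration of the aggregation step Sam describes in this thread (this is not the tattle script, which is not on the page), a Python sketch that counts only sshd "Failed password" lines per source, which sshd writes only after the TCP handshake and SSH exchange have completed, so those addresses are not blind-spoofable the way a SYN flood's are, and keeps connection-only lines out of the report. The log excerpt and the abuse-contact table are constructed; the table stands in for an RDAP/whois lookup.

```python
"""Aggregate sshd brute-force evidence per source before it goes to an abuse desk.

Added illustration (not the 'tattle' script from the post). Only 'Failed password'
lines count as exploit attempts: sshd writes those after the TCP handshake and the
SSH protocol exchange have completed, so the source address cannot be blindly
spoofed the way the source of a SYN flood can. Connection-only lines are tallied
separately and never reported on their own.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# One authentication attempt that really came from that address.
AUTH_ATTEMPT = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)
# A TCP connection that never tried to authenticate (scanner probe, aborted session).
CONNECT_ONLY = re.compile(
    r"sshd\[\d+\]: (?:Did not receive identification string from|Connection closed by) "
    r"(?P<ip>[0-9a-fA-F.:]+)"
)

# Constructed /var/log/secure excerpt using documentation address ranges; not real hosts.
SAMPLE_LOG = """\
Nov 12 03:14:01 gw sshd[2101]: Failed password for root from 203.0.113.7 port 41022 ssh2
Nov 12 03:14:03 gw sshd[2101]: Failed password for root from 203.0.113.7 port 41023 ssh2
Nov 12 03:14:05 gw sshd[2104]: Invalid user admin from 203.0.113.7 port 41030
Nov 12 03:14:05 gw sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2
Nov 12 03:14:09 gw sshd[2110]: Failed password for oracle from 203.0.113.7 port 41041 ssh2
Nov 12 03:15:20 gw sshd[2131]: Did not receive identification string from 198.51.100.9
Nov 12 03:15:21 gw sshd[2132]: Did not receive identification string from 198.51.100.9
Nov 12 03:16:40 gw sshd[2140]: Failed password for sam from 192.0.2.44 port 50210 ssh2
Nov 12 03:16:44 gw sshd[2140]: Accepted publickey for sam from 192.0.2.44 port 50210 ssh2
"""

# Hypothetical contact table standing in for an RDAP/whois abuse-mailbox lookup.
ABUSE_CONTACTS = {
    ip_network("203.0.113.0/24"): "abuse@isp-a.example",
    ip_network("198.51.100.0/24"): "abuse@isp-b.example",
}


def parse_log(text):
    """Return (attempts, users, connects): attempts and connects count per source IP,
    users maps a source IP to the set of login names it tried."""
    attempts, connects = Counter(), Counter()
    users = defaultdict(set)
    for line in text.splitlines():
        m = AUTH_ATTEMPT.search(line)
        if m:
            attempts[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
            continue
        m = CONNECT_ONLY.search(line)
        if m:
            connects[m["ip"]] += 1
    return attempts, users, connects


def abuse_contact(ip):
    """Longest-prefix match of the source address against the contact table."""
    addr = ip_address(ip)
    best = None
    for net, contact in ABUSE_CONTACTS.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, contact)
    return best[1] if best else None


def build_reports(text, threshold=3):
    """Sources with at least `threshold` real login attempts, most active first.
    A source seen only at the connection level (no attempt) is left out, so a
    SYN flood or port scan with forged addresses cannot generate a complaint."""
    attempts, users, _ = parse_log(text)
    reports = []
    for ip, n in attempts.most_common():
        if n < threshold:
            break  # most_common() is sorted, nothing below this qualifies
        reports.append({
            "ip": ip,
            "attempts": n,
            "users": sorted(users[ip]),
            "contact": abuse_contact(ip),
        })
    return reports


def format_report(report):
    """Plain-text body for the abuse mailbox (the part tattle would have mailed)."""
    return (
        f"To: {report['contact'] or 'UNKNOWN (no abuse contact found)'}\n"
        f"Source {report['ip']} made {report['attempts']} failed SSH logins "
        f"(accounts tried: {', '.join(report['users'])}). Log excerpt available on request."
    )


if __name__ == "__main__":
    for r in build_reports(SAMPLE_LOG):
        print(format_report(r), end="\n\n")
```

With the sample data only 203.0.113.7 is reported; the scanner that never sent an SSH banner and the single failed login from an address that later authenticated stay below the bar.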
Re: google / massive problems
Works for me from Nova, Level3 and Cogent.

Sam Moats

On 2013-10-09 12:17, Anthony Williams wrote:
Same. Works for me (WashDC/NoVA Area).
-Alby

On 10/9/2013 12:14 PM, Paul Ferguson wrote:
On 10/9/2013 9:00 AM, Blair Trosper wrote:
Can someone from Google Drive or Gmail contact me off-list? The sign in services and applications are outright down trying to use them in Chrome. Trying to contact enterprise support via several numbers just results in an immediate disconnect.
I can't speak to enterprise services, but I just logged in to my own personal GMail account -- with 2 FA -- with no problems, from the Seattle metro area.
- ferg
Re: The US government has betrayed the Internet. We need to take it back
I'm sorry if you don't share my view. Personally I think the Patriot Act is unconstitutional and CALEA is a tool to enable the total invasion of privacy. I think the laws need changed, I want to change. That said I will not break them and neither will you. How would/does your company respond to NSLs or subpoenas? Do you comply with FCC 499 requirements and with CALEA requirements? I do, and I'm betting you will too. Does it suck? Yea of course it does but unless you have a better plan for a US based provider I will keep doing what I'm doing.

Sam

On 2013-09-06 18:29, Scot Weeks wrote:
--- s...@circlenet.us wrote:
From: Sam Moats s...@circlenet.us
Their only options are to:
Disobey the law, unacceptable in my opinion
Close down services, noble but I need to eat and you probably want to keep getting email
Compromise your principles and obey the law, the path often chosen.
So, there's no choice except to get a 5-gallon bucket of gov't-ky jelly and take it? So many things come to mind on your flag-waving emails, I can't think of what to say first. And believe me, that's not usual... ;-) After a while, you'll become raw and probably change your mind.
scott
Re: The US government has betrayed the Internet. We need to take it back
I believe you are correct, whatever technical hurdles we put in place will be overcome by policy. As long as you can legally require me to make my network interceptable for lawful purposes and are able to prevent me from explaining these purposes to my users, any security that I would put in place is effectively neutered. I give up trying to resist, I am now firmly in the tin foil hat club.

Sam

On 2013-09-06 05:57, Roland Dobbins wrote:
Eugen Leitl eu...@leitl.org wrote:
We engineers built the Internet – and now we have to fix it
Nonsense. This is not a technical issue, it's a socio-political issue. It's both naive and distracting to try to solve this set of problems with code and/or silicon, when it must in fact be addressed within the civic arena. There are no purely technical solutions to social ills. Schneier of all people should know this.
---
Roland Dobbins rdobb...@arbor.net
Re: The US government has betrayed the Internet. We need to take it back
True I shot from the hip, he does address the concerns later. I'm used to implementing technologies to solve security problems. It's just damn frustrating to have your hands tied in such a way that you cannot, and that's the position that I see myself and most other network ops in. Our customers decided at the ballot box that they didn't want protection and it was acceptable to entrust their privacy to the system. They seem to forget that decision when they ask if they are vulnerable to this type of intercept and what they can do about it. The answer is not much because I will not and cannot break the law, it's unethical and wrong. I will encourage people to seek to change the laws to encourage true end to end security but the odds of that happening are near 0.

Sam

On 2013-09-06 06:47, John S. Quarterman wrote:
On 2013-09-06 05:57, Roland Dobbins wrote:
There are no purely technical solutions to social ills. Schneier of all people should know this.
Schneier does know this, and explicitly said this.
-jsq
http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying

Three, we can influence governance. I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better. The NSA's actions are legitimizing the internet abuses by China, Russia, Iran and others. We need to figure out new means of internet governance, ones that make it harder for powerful tech countries to monitor everything. For example, we need to demand transparency, oversight, and accountability from our governments and corporations. Unfortunately, this is going to play directly into the hands of totalitarian governments that want to control their country's internet for even more extreme forms of surveillance. We need to figure out how to prevent that, too.

We need to avoid the mistakes of the International Telecommunications Union, which has become a forum to legitimize bad government behavior, and create truly international governance that can't be dominated or abused by any one country.

Generations from now, when people look back on these early decades of the internet, I hope they will not be disappointed in us. We can ensure that they don't only if each of us makes this a priority, and engages in the debate. We have a moral duty to do this, and we have no time to lose.

Dismantling the surveillance state won't be easy. Has any country that engaged in mass surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming totalitarian? Whatever happens, we're going to be breaking new ground.

Again, the politics of this is a bigger task than the engineering, but the engineering is critical. We need to demand that real technologists be involved in any key government decision making on these issues. We've had enough of lawyers and politicians not fully understanding technology; we need technologists at the table when we build tech policy.

To the engineers, I say this: we built the internet, and some of us have helped to subvert it. Now, those of us who love liberty have to fix it.
RE: The US government has betrayed the Internet. We need to take it back
+1 I couldn't have said it any better.

Sam

On 2013-09-06 10:27, Naslund, Steve wrote:

The error in this whole conversation is that you cannot take it back as an engineer. You do not own it. You are like an architect or carpenter and are no more responsible for how it is used than the architect is responsible that the building he designed is being used as a crack house. Do Ford engineers have a social contract to ensure that I do not run over squirrels with my Explorer, will they take it back if I do so? The whole social contract argument is ridiculous. You have a contract (or most likely an at will agreement) with your employer to build what they want and operate it in the way that they want you to. If it is against your ethics to do so, quit. The companies that own the network have a fiduciary responsibility to their investors and a responsibility to serve their customers. If anyone is really that bent out of shape by the NSA tactics (and I am not so sure they are given the lack of political backlash) here is what you can do. In the United States there are two main centers of power that can affect these policies, the consumer and the voter.

1. We vote in a new executive branch every four years. They control and appoint the NSA director. Vote them out if you don't like how they run things. Do you think a President wants to maintain power? Of course they do and they will change a policy that will get them tossed out (if enough people actually care).

2. The Congress passes the laws that govern telecom and intelligence gathering. They also have the power to impeach and/or prosecute the executive branch for misdeeds. They will pass any law or do whatever it takes to keep themselves in power. Again this requires a lot of public pressure.

3. The companies that are consenting to monitoring (legal or illegal) are stuck between two powers. The federal government's power to regulate them and the investors / consumers they serve. Apparently they are more scared of the government even though the consumer can put them out of business overnight by simply not using their product any more. If everyone cancelled their gmail accounts, stopped using Google search, and stopped paying for Google placement and ads, their stock would go to zero nearly overnight. Again, no one seems to care about the issue enough to do this because I have seen no appreciable backlash against these companies.

If a social contract exists at all in the United States, it would be to hold your government and the companies you do business with to your ethical standards. Another thing to remember is that the NSA engineers were probably acting under their social contract to defend the United States from whatever enemies they are trying to monitor and also felt they were doing the right thing. The problem with social contracts is that they are relative.

As far as other countries are concerned, you can affect their policies as well. US carriers are peered with and provide transit to Chinese companies. If the whole world is that outraged with what they do, they just need to pressure the companies they do business with not to do business with China.

Steven Naslund
Chicago IL

-Original Message-
From: Jorge Amodio [mailto:jmamo...@gmail.com]
Sent: Friday, September 06, 2013 8:51 AM
To: NANOG
Subject: Re: The US government has betrayed the Internet. We need to take it back

The US government has betrayed the Internet. We need to take it back

Who is we ?

If you bothered to read the 1st paragraph you would know.

I read all of it, the original article and other references to it. IMHO, there is no amount of engineering that can fix stupid people doing stupid things on both sides of the stupid lines. By trying to fix what is perceived an engineering issue (seems that China doing the same or worse for many years wasn't an engineering problem) the only result you will obtain is a budget increase on the counter-engineering efforts, that may represent a big chunk of money that can be used in more effective ways where it is really needed.

My .02
-J
Re: The US government has betrayed the Internet. We need to take it back
I don't suggest a riot. I do believe in the rule of law, as a member of a democracy I need to accept that I will not always agree with the laws that are enacted. If we lived in China or somewhere else where there was no method to change laws that were unfair or unjust then yea I would support the civil disobedience approach whole heartedly. I do love my country, always have and I firmly believe in the concept of government by the consent of the governed. These rules were made by the people we choose, perhaps these were bad choices but they were our collective choices. Perhaps we should educate our user base so that in the future they make better choices.

I suggest in an only half snarky way we just push out the standard DOD warning banner to them all. Since it now seems to apply... Below is a sample banner (IS is Information System):

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential.

Sam

On 2013-09-06 10:14, Ishmael Rufus wrote:

So when do we riot? I've been waiting for months now.

On Fri, Sep 6, 2013 at 8:50 AM, Jorge Amodio jmamo...@gmail.com wrote:

The US government has betrayed the Internet. We need to take it back

Who is we ?

If you bothered to read the 1st paragraph you would know.

I read all of it, the original article and other references to it. IMHO, there is no amount of engineering that can fix stupid people doing stupid things on both sides of the stupid lines. By trying to fix what is perceived an engineering issue (seems that China doing the same or worse for many years wasn't an engineering problem) the only result you will obtain is a budget increase on the counter-engineering efforts, that may represent a big chunk of money that can be used in more effective ways where it is really needed.

My .02
-J
Re: The US government has betrayed the Internet. We need to take it back
This is part of the purpose behind the separation of powers between executive, legislative and judicial. William Pitt wrote "Unlimited power is apt to corrupt the minds of those who possess it." As such constraints are needed and in place. We expect politicians to cheat, lie, be stupid and self serving. Because we like people who tell us what we want to hear and most of us vote for people that we like. They do not have to be wise, or even competent.

Personally I think most of the fault currently lies with the Judicial side. These laws were enacted as a knee jerk reaction to an event. I can understand the passions of people at that time because I shared them, however the courts are supposed to be a bulwark against this very kind of rash action. These men and women are supposed to be well educated in the fundamental concepts that constructed our republic and appointed to terms that prevent them from worrying about the political whims of the time.

Sam

On 2013-09-06 10:55, Royce Williams wrote:

On Fri, Sep 6, 2013 at 6:27 AM, Naslund, Steve snasl...@medline.com wrote:

[snip]

1. We vote in a new executive branch every four years. They control and appoint the NSA director. Vote them out if you don't like how they run things. Do you think a President wants to maintain power? Of course they do and they will change a policy that will get them tossed out (if enough people actually care).

2. The Congress passes the laws that govern telecom and intelligence gathering. They also have the power to impeach and/or prosecute the executive branch for misdeeds. They will pass any law or do whatever it takes to keep themselves in power. Again this requires a lot of public pressure.

Historically speaking, I'm not convinced that a pure political solution will ever work, other than on the surface. The need for surveillance transcends both administrations and political parties. Once the newly elected are presented with the intel available at that level, even their approach to handling the flow of information and their social interaction have to change in order to function. Daniel Ellsberg's attempt to explain this to Kissinger is insightful. It's a pretty quick read, with many layers of important observations. (It's Mother Jones, but this content is apolitical):

http://www.motherjones.com/kevin-drum/2010/02/daniel-ellsberg-limitations-knowledge

I think that Schneier's got it right. The solution has to be both technical and political, and must optimize for two functions: catch the bad guys, while protecting the rights of the good guys. When the time comes for the political choices to be made, the good technical choices must be the only ones available. Security engineering must pave the way to the high road -- so that it's the only road to get there.

Royce
Re: The US government has betrayed the Internet. We need to take it back
The problem is that when you do have a provider that appears to be secure and out of reach, think lavabit, that provider will not survive for long. The CALEA requirements, and Patriot Act provisions will force them into compliance. Their only options are to:

Disobey the law, unacceptable in my opinion
Close down services, noble but I need to eat and you probably want to keep getting email
Compromise your principles and obey the law, the path often chosen.

Sam Moats

On 2013-09-06 13:20, Nicolai wrote:

On Fri, Sep 06, 2013 at 02:27:32PM +, Naslund, Steve wrote:

If everyone cancelled their gmail accounts, stopped using Google search, and stopped paying for Google placement and ads, their stock would go to zero nearly overnight. Again, no one seems to care about the issue enough to do this because I have seen no appreciable backlash against these companies.

I think Joe 6mbps sitting at home reads that everything he uses has been subverted. He doesn't know what alternatives exist, and doesn't have the technical knowledge necessary to find them on his own. And faced with a false choice -- stop using the Internet, or continue using it as he knows how -- he chooses the one that retains his ability to communicate with family and friends and keep up on the things he cares about.

Schneier is saying we need to build better options for Joe 6mbps, competing with the PRISM-compatible services, so that privacy-respecting services become known and commonplace.

Nicolai
Re: Parsing Syslog and Acting on it, using other input too
My view on splunk:

+1 if you intend to have a human act on the reports, it does an excellent job of reducing huge amounts of audit data into the valuable bits.
-1 Seemed to be a pita to integrate with my scripting environment. I ended up kludging wget, awk and telnet together in a totally undignified way to make it reach out and act on something.
+2 Customizable ingestion/parsing, I'm feeding everything from linux audit data to weird proprietary serial output from a multiplexer into it.
-1 Proprietary database. I would have liked to see an sql plugin for data storage; I would like the data in Mysql/Oracle so that I can use other tools on it easily, but no-joy from splunk.
+1 Free demo. You can download an eval version that is rate limited and cripples itself after a fixed time.
-1 because the license costs are a bit high if you're moving lots of data through it

Sam Moats

On 2013-08-29 09:10, Jason Biel wrote:

You should look into SPLUNK (http://www.splunk.com/), it will collect/store your syslog data and you can run customized reports and then act on them.

On Thu, Aug 29, 2013 at 8:03 AM, Kasper Adel karim.a...@gmail.com wrote:

Hello. I am looking for a way to do proactive monitoring of my network, what I am specifically thinking about is receiving syslog msgs from the routers and the backend engine would correlate certain msgs with output/data that i am receiving through SSH/telnet sessions. What i am after is not exposed to SNMP so i need to do it on my own. I am sure there are many tools that can do parsing of syslog and acting upon it but i wonder if there is something more flexible out there that I can just re-use to do the above ? Please point me to known public or home-grown scripts in use to achieve this.

Regards, Sam
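The correlation engine Kasper describes, as an added Python example (not code from the thread and not Splunk's): it parses RFC 3164-style syslog lines, matches a rule table, and calls an injected collector in place of the SSH/telnet session so the whole thing runs offline. The log lines, host names, rule patterns and CLI commands are constructed, and `correlate`, `run_cli` and `fake_cli` are hypothetical names.

```python
import re
from collections import namedtuple
# Constructed sample router syslog (RFC 3164 style); hosts and messages are hypothetical.
SAMPLE_SYSLOG = """\
<189>Aug 29 08:01:12 rtr-edge-1 1234: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
<189>Aug 29 08:01:15 rtr-edge-1 1235: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
<189>Aug 29 08:02:40 rtr-edge-2 2201: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to up
"""
# <PRI>TIMESTAMP HOST [seq:] MESSAGE, where PRI = facility * 8 + severity.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?:\d+: )?(?P<msg>.*)$")
Event = namedtuple("Event", "host timestamp facility severity message")

def parse_line(line):
    """Return an Event, or None for lines that are not well-formed syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return Event(m["host"], m["ts"], pri // 8, pri % 8, m["msg"])

# Rule table: message pattern, rule name, CLI command whose output is the evidence;
# named groups in the pattern fill the placeholders in the command (constructed rules).
RULES = [
    (re.compile(r"Line protocol on Interface (?P<ifname>\S+), changed state to down"),
     "link_down", "show interfaces {ifname}"),
    (re.compile(r"%SYS-5-CONFIG_I: Configured from"),
     "config_change", "show archive config differences"),
]

def correlate(syslog_text, run_cli):
    """run_cli(host, command) -> str is the injected SSH/telnet collector (canned here)."""
    findings = []
    for line in syslog_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skip lines that do not parse rather than crash the collector
        for pattern, name, cmd in RULES:
            m = pattern.search(ev.message)
            if m:
                command = cmd.format(**m.groupdict())
                findings.append({"host": ev.host, "rule": name, "command": command,
                                 "evidence": run_cli(ev.host, command).strip()})
    return findings
def fake_cli(host, command):
    # Constructed CLI output standing in for a live device session.
    canned = {("rtr-edge-1", "show interfaces GigabitEthernet0/1"): "GigabitEthernet0/1 is down, line protocol is down",
              ("rtr-edge-1", "show archive config differences"): "-ip access-list extended MGMT\n+no ip access-list extended MGMT"}
    return canned.get((host, command), "")
```

Swapping `fake_cli` for a function that opens a real session gives the "reach out and act on something" step without the wget/awk/telnet kludge.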
Feds snooping and FCC 477 and FCC 499 forms and 214 licenses
On 2013-08-01 10:57, Sam Moats wrote:

Good Morning Nanog List, I'm not normally the tinfoil hat type however I do want to know other operators opinions on the FCC 477, 499 and the 214 license requirements in light of the recent revelations. Do you think the info is actually for the stated purposes? I'm trying hard not to become a member of the tin foil club but it's getting hard each day.

Thanks.
Sam
FCC 477 and FCC499 forms
Good Morning Nanog List, I'm not normally the tinfoil hat type however I do want to know other operators opinions on the FCC 477, 499 and the 214 license requirements in light of the recent revelations. Do you think the info is actually for the stated purposes? I'm trying hard not to become a member of the tin foil club but it's getting hard each day.

Thanks.
Sam