Re: RIPE our of IPv4
Thanks. I am lurking on this mail list. Sometimes it is hard to decipher what's going on. Always interesting. You guys are awesome.

On Mon, 25 Nov 2019 at 16:57, Donald Eastlake wrote:
>
> I think it is less historic than when IANA ran out of blocks to
> delegate to the regional registries.
> https://en.wikipedia.org/wiki/IPv4_address_exhaustion
>
> Thanks,
> Donald
> ===
> Donald E. Eastlake 3rd +1-508-333-2270 (cell)
> 2386 Panoramic Circle, Apopka, FL 32703 USA
> d3e...@gmail.com
>
> On Mon, Nov 25, 2019 at 10:34 AM Tei wrote:
> >
> > Nice!
> >
> > Is this what I think it is? a historical moment for the internet
> > for the story books?
> >
> > On Mon, 25 Nov 2019 at 15:59, Dmitry Sherman wrote:
> > >
> > > Just received a mail that RIPE is out of IPv4:
> > >
> > > Dear colleagues,
> > >
> > > Today, at 15:35 UTC+1 on 25 November 2019, we made our final /22 IPv4
> > > allocation from the last remaining addresses in our available pool. We
> > > have now run out of IPv4 addresses.
> > >
> > >
> > > Best regards,
> > > Dmitry Sherman
> > > Interhost Networks
> > > www.interhost.co.il
> > > dmi...@interhost.net
> > > Mob: 054-3181182
> > > Sent from Steve's creature
> >
> > --
> > --
> > ℱin del ℳensaje.

-- -- ℱin del ℳensaje.
Re: RIPE our of IPv4
Nice!

Is this what I think it is? a historical moment for the internet for the story books?

On Mon, 25 Nov 2019 at 15:59, Dmitry Sherman wrote:
>
> Just received a mail that RIPE is out of IPv4:
>
> Dear colleagues,
>
> Today, at 15:35 UTC+1 on 25 November 2019, we made our final /22 IPv4
> allocation from the last remaining addresses in our available pool. We have
> now run out of IPv4 addresses.
>
>
> Best regards,
> Dmitry Sherman
> Interhost Networks
> www.interhost.co.il
> dmi...@interhost.net
> Mob: 054-3181182
> Sent from Steve's creature

-- -- ℱin del ℳensaje.
Re: the e-mail of the future is the e-mail oft the past, was Enough port 26 talk...
On Tue, 15 Jan 2019 at 09:21, Bjørn Mork wrote:
..
> open protocols, just shut off SMTP completely. They'll
> probably "invent" something much better as an excuse... And the masses
> will love them for that, because it finally removed the spam "problem".
>
> And everyone has a gmail account anyway, so why bother with outside
> email?

I think the newsgroups died because they were expensive for ISPs and filled with nasty stuff (warez and porn).
Gopher died because HTML was an improvement in every possible way.
IRC still exists, because it doesn't need to be hosted by an ISP.
Forums still exist.
Mail lists still exist (we are on one).
Homesites were replaced by blogs.

Gmail? G Suite accounts are expensive. I believe you have to pay by email address and it gets quite pricey. "Free" alternatives have a place because they can be cheaper than that.

Gmail has not added the "Foo has read your message" or "Foo is replying to your email". Two things that would be easy for them to do in Gmail to Gmail communication, and would be must-have features for a mail user. So maybe they don't aim for world domination?

It is very hard to replace an open protocol; wrapping may work if the protocol is mostly abandoned (IRC), but that's not the case for email. I don't think email is going to be replaced soon.

-- -- ℱin del ℳensaje.
Re: plaintext email?
Email for personal use is turning rare. And people need to use *bold* in text more than not. So most clients are configured to send html by default, and people have no reasons to change that. I think LISTSERV software used to require plain text to send commands like subscribe, but I think they made their parser accept html mails and still find the commands. In 2019, nobody cares if you use plain text or html in emails. If somebody writes a bot that accepts commands through email (like a GETWEB gateway) it is very easy to make it accept html and flatten it to text. -- -- ℱin del ℳensaje.
Re: Proving Gig Speed
On 19 July 2018 at 07:06, Mark Tinka wrote:
>
> On 18/Jul/18 17:20, Julien Goodwin wrote:
>
>> Living in Australia this is an every day experience, especially for
>> content served out of Europe (or for that matter, Africa).
>>
>> TCP & below are rarely the biggest problem these days (at least with
>> TCP-BBR & friends), far too often applications, web services etc. are
>> simply never tested in an environment with any significant latency.
>>
>> While some issues may exist for static content loading for which a CDN
>> can be helpful, that's not helpful for application traffic.
>
> Yip.
>
> Mark.

Sorry about that. I feel bad as a webmaster.

Most of us on the web are creating websites that are not documents to be downloaded and viewed, but applications that require many small parts that are executed together to work.

Most VRML examples from 1997 are unavailable because hosts moved, directories changed name, whole websites were redone with new technologies. Only 1% of that exists in a readable format. But the current web is much more delicate, and will break more and sooner than that.

Perhaps something can be done about it. Chrome already includes an option to test websites emulating "Slow 3G" that webmasters may use and want to use.

I suggest a header or html meta tag where a document disables external js scripts, or limits these to a white list of hosts. . So if you are a Vodafone customer. And you are reading a political document. Vodafone can inject a javascript script in the page. But it will not run because of the presence of . Vodafone can still further alter the html of the page to remove this meta and inject their script.

Get webmasters into the idea of making websites that are documents. That require no execution of scripts. So they will still work in 2048. And will work in poor network conditions, where a website that loads 47 different js files may break.

tl;dr: the web is evolving into a network of applications, instead of documents. Documents can't "break" easily. Programs may break completely even with tiny changes. Maybe getting webmasters on board with biasing in favor of documents could do us all a favour.

-- -- ℱin del ℳensaje.
Re: Is WHOIS going to go away?
Maybe a good balance for whois is to include organization information so I know where a website is hosted, but not personal information, so I can't show in their house and steal their dog. I feel uneasy about having my phone available to literally everyone on the internet. -- -- ℱin del ℳensaje.
Re: SHA1 collisions proven possisble
On 23 February 2017 at 20:59, Ca By wrote:
> On Thu, Feb 23, 2017 at 10:27 AM Grant Ridder wrote:
>
> > Coworker passed this on to me.
> >
> > Looks like SHA1 hash collisions are now achievable in a reasonable time
> > period
> > https://shattered.io/
> >
> > -Grant
>
> Good thing we "secure" our routing protocols with MD5
>
> :)

One place that uses sha1 seems to be some banking gateways. They sign the parameters of some requests to authenticate the request as a valid one, doing something like "sha1( MerchantID . secureCode . TerminalID . amount . exponent . moneyCode )". I have no idea how evil people would exploit collisions here, but I guess banking will move to the next hash algorithm (sha256?) and deprecate this one. This may affect more "Mom and Pa Online Shop" than bigger services.

-- -- ℱin del ℳensaje.
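An added example, not part of the original post and not any real gateway's API: the request signature in the form the post quotes, next to a keyed HMAC-SHA256 variant that length-prefixes each field so field boundaries are part of what is signed. Field names follow the post; the function names, the secret and the request values are constructed.

```python
import hashlib
import hmac

# Field order for the keyed variant; the names are the ones quoted in the post.
FIELDS = ("MerchantID", "TerminalID", "amount", "exponent", "moneyCode")


def legacy_signature(secure_code: str, p: dict) -> str:
    """sha1( MerchantID . secureCode . TerminalID . amount . exponent . moneyCode )"""
    joined = (p["MerchantID"] + secure_code + p["TerminalID"]
              + p["amount"] + p["exponent"] + p["moneyCode"])
    return hashlib.sha1(joined.encode("utf-8")).hexdigest()


def canonical(p: dict) -> bytes:
    """Encode every field as 4-byte big-endian length + value.

    With plain concatenation the verifier cannot tell where one field ends
    and the next begins; the length prefix makes that unambiguous.
    """
    out = bytearray()
    for name in FIELDS:
        value = p[name].encode("utf-8")
        out += len(value).to_bytes(4, "big") + value
    return bytes(out)


def hmac_signature(secure_code: str, p: dict) -> str:
    """Keyed MAC over the canonical encoding, using SHA-256 instead of SHA-1."""
    key = secure_code.encode("utf-8")
    return hmac.new(key, canonical(p), hashlib.sha256).hexdigest()


def verify(secure_code: str, p: dict, signature: str) -> bool:
    """Recompute the MAC and compare in constant time."""
    return hmac.compare_digest(hmac_signature(secure_code, p), signature)


# Constructed sample data: two requests that differ only in where the
# amount/exponent boundary falls ("100"+"2" versus "10"+"02").
SECRET = "constructed-secret"
REQ_A = {"MerchantID": "M001", "TerminalID": "1",
         "amount": "100", "exponent": "2", "moneyCode": "978"}
REQ_B = dict(REQ_A, amount="10", exponent="02")


def same_legacy_signature() -> bool:
    """True when the concatenation scheme cannot tell the two requests apart."""
    return legacy_signature(SECRET, REQ_A) == legacy_signature(SECRET, REQ_B)


def same_hmac_signature() -> bool:
    """True only if the length-prefixed MAC also fails to tell them apart."""
    return hmac_signature(SECRET, REQ_A) == hmac_signature(SECRET, REQ_B)


if __name__ == "__main__":
    print("legacy signatures equal:", same_legacy_signature())
    print("hmac signatures equal:  ", same_hmac_signature())
    print("verify(REQ_A):", verify(SECRET, REQ_A, hmac_signature(SECRET, REQ_A)))
```
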
Re: South Carolina attempts to repeal Rule 34
Users are crafty. One user on a network I had to admin used to mail porn as Microsoft Word documents to his Gmail account. So if you want to stop porn, you have to ban file attachments and monospace fonts. Good luck with that.

On 20 December 2016 at 09:25, Jippen wrote:
> So, $20 tax on all computers sold in SC in practice
>
> On Mon, Dec 19, 2016, 11:41 PM Jay Hennigan wrote:
>
>> Break out the popcorn.
>>
>> http://www.charlotteobserver.com/news/local/article121673402.html
>>
>> --
>> --
>> Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
>> Impulse Internet Service - http://www.impulse.net/
>> Your local telephone and internet company - 805 884-6323 - WB6RDV
>>

-- -- ℱin del ℳensaje.
Re: Microsoft blocking mail
On 18 September 2015 at 10:45, Marcin Cieslak <sa...@saper.info> wrote:
> On Fri, 18 Sep 2015, Tei wrote:
>
>> On 18 September 2015 at 04:48, Keith Medcalf <kmedc...@dessus.com> wrote:
>> >
>> > Being blocked is probably a good thing ...
>>
>>
>> CGI forms that do the validation in the serverside are not up to
>> modern expectations*. You want to do validation clientside.
>
> If you do client-side and no server-side, you have a huge security problem.
>
> ~Marcin

By now it is an industry standard. You have to do the validation serverside and clientside. This of course means duplicated code.

( Excessively clever people have tried to solve the problem by using the same language/code in both the clientside and serverside. But this feels to me like an overreaction and you will be writing code unrelated to this in a new (?) language On top the... heurhg... creative pipelining.. to make the whole façade work.)

Cholesterol High Clients + Cholesterol High Servers.

Unrelated: this is a funny article http://carlos.bueno.org/2014/11/cache.html

-- -- ℱin del ℳensaje.
Re: Microsoft blocking mail
On 18 September 2015 at 04:48, Keith Medcalf wrote:
>
>
> You mean to say that you have to enable blanket remote code execution
> authority in order to submit a problem report to Microsoft? What a crock of
> crap. Thus I will never recommend to anyone that they use Microsoft products
> for anything whatsoever, especially not anything in the "Microsoft Cloud"
> virus distribution system.
>
> Being blocked is probably a good thing ...

CGI forms that do the validation in the serverside are not up to modern expectations*. You want to do validation clientside.

Like everything, it is a tradeoff. This is how modern things are built :D

Something something something Gödel, Escher, Bach, rendering a document takes N cycles and can be calculated beforehand. Running a program takes M cycles and can't be calculated beforehand, M can be bigger than 6 times the lifespan of the universe or be infinite ...

* is a social problem of expectations management.

-- -- ℱin del ℳensaje.
Re: (network)technologies used by NSA for data collection
This stuff is soo cool :D I understand less than half of it, but I have found this link that gives some light. https://robert.sesek.com/2014/9/unraveling_nsa_s_turbulence_programs.html It seems they had a system to backup 3 days of the internet, all data. But such a system failed because the Internet generated too much data. So Turmoil is a programmable event based filter: it detects events and, when the event is triggered, saves data from the stream. So they generate as much data as they want or can handle. -- -- ℱin del ℳensaje.
Re: symmetric vs. asymmetric [was: Verizon Policy Statement on Net Neutrality]
imho these two statements are true:

- tomorrow a new product or service on the Internet can completely change the ratio download/upload
- most probably, this will not happen

It may take a few days (hours for early adopters) for a new service to become popular on the Internet, that makes an intensive use of upstream. This... so much can happen. But I would bet my fortune and my children's that it will not happen.

People do try to create this type of service/product. (like this one) http://www.codediesel.com/browser/opera-unite-a-web-server-in-your-browser/

-- -- ℱin del ℳensaje.
Re: gamer lag dashboard
shameless plug

If anyone is interested, the Quake engine and variants have created a lot of documentation and tools. Since Quake represents the early phases of the development of modern gaming systems, they are simple. As simple as they can be. Many open source games can be studied; I suggest OpenArena because it is easily available and fun.

Modern games don't work standalone. They connect to a master server to find other gamers/active games. Here's a simple one:
https://github.com/kphillisjr/dpmaster
Example of use:
http://dpmaster.deathmask.net/?game=openarena

Another game that is interesting for networking is SubSpace. The history with SubSpace is that it was a commercial game that turned open source. It already had a billing server, game server, master server. So it is probably very similar to how many commercial games work.
http://en.wikipedia.org/wiki/SubSpace_%28video_game%29
http://wiki.minegoboom.com/index.php/Main_Page
http://wiki.minegoboom.com/index.php/Category:Protocol

It looks to me like somebody can learn stuff by reading these ones.

/shameless plug
Re: Office 365 Expert - I am not. I have a customer that...
Current developing fads include messaging a server POST messages over http, receiving JSON data. Both the request and answer are smallish. An interface update refresh may depend on this data arriving. So the less latency, the more agile and snappy the application will feel. This is less traffic than webpages. A typical webpage page update may need 400KB / 700KB +. HTML can be wasteful in big pages with a lot of data. The same data coming in JSON can weigh much less, maybe x10 less. I have not tried O365, so I don't know if it follows the typical modern web app. -- -- ℱin del ℳensaje.
Re: Linux: concerns over systemd adoption and Debian's decision to switch [OT]
I plead with the Linux people to stay inside the unix philosophy to use text files. Low newbies like me learn from reading config files, and fix things by reading log files, trying to make some sense of the error messages there, and using the most suspicious line as the handle to google for a solution (that is often some stackoverflow article, or some forum posts). I dismay at the idea of somebody replacing all that text by a binary that spouts that the service stopped running or that is corrupt, because some buffer was not flushed when the kerfuffle happened. Even if going to binary gives an extra 20% speed, I think speed is important but not that important. I plead: save the discoverability, learn-bility, debug-ness of text (even text scripts) over mysterious binary blobs elfs generating mysterious binary blobs journals. If they nerf text files, it is like they nerf Google for me, and my ability to maintain and configure systems. -- -- ℱin del ℳensaje.
Re: Why is .gov only for US government agencies?
(very unimportant contribution, please ignore) any change to these things must be done for the benefit of future users, making the internet a less weird place, with fewer exceptions. Everyone else has already learned that a .edu domain is probably a USA university, and some .mil domain is the USA military. ((unfunny joke follows, you can stop reading here)) http://www.usma.edu = usma.edu.mil.us -- -- ℱin del ℳensaje.
Re: Scotland ccTLD?
http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Decoding_table VR, GO, ON, NY, ... these seem to be free :D Clearly New York must declare independence. -- -- ℱin del ℳensaje.
Re: Verizon Public Policy on Netflix
Software is... herrr configurable. Maybe Netflix could be convinced so their box had a switch from complete catalog hosting / caching most used data. I get from this discussion thread that small ISPs feel having these boxes download the whole catalog is more than what their customers (1000) need. Moving this discussion away from net neutrality (that seems to be what Netflix is doing in public announcements) to how these boxes handle and operate would be better for everyone. -- -- ℱin del ℳensaje.
Re: Verizon Public Policy on Netflix
*puts on trolling hat* Maybe the solution can be to have the Netflix client support the torrent protocol, so the upload from Netflix is minimal. Maybe pre-distribute files encrypted, then distribute the de-crypt key once the media are distributed enough in different nodes. So Netflix would be doing the first upload, then distribute the keys. -- -- ℱin del ℳensaje.
Re: Anternet
On 5 April 2014 07:44, Larry Sheldon larryshel...@cox.net wrote:

Offered for your amusement--no followup. http://kottke.org/14/04/the-anternet

-- A forager won't return to the nest until it finds food. If seeds are plentiful, foragers return faster, and more ants leave the nest to forage. If, however, ants begin returning empty handed, the search is slowed, and perhaps called off.

No wonder ants don't govern us. This algorithm is atrocious. So if food is scarce, most ants will stay at home and play videogames all day, but if there's a lot of food, all of them will go around and return with mountains of food they can't store. It is an algorithm, from a madman, designed to kill the hive if there's very low food or too much food.

I propose ants start using food debts/food promises. Ants will print food debts to explorer ants; these explorer ants must pay these debts by finding food. If some ant needs a lot of food, that ant will print more debt. The more food the hive needs, the more debt is printed.

-- -- ℱin del ℳensaje.
Re: ID10T out of office responders (was Re: Yahoo DMARC breakage)
So suppose I configure my email to send a "Thanks, we have received your email, we will reply shortly in office hours.". What are the Holy Headers so even poorly configured servers don't cause an AutoReply Storm? Googling, I found Precedence, X-Auto-Response-Suppress,..? For something like this, normally I would scan lots of opensource projects in www.google.com/codesearch (so I can learn from the projects with a large number of hours in production), but it seems down at the moment. -- -- ℱin del ℳensaje.
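An added example, not part of the original post: one way an auto-responder can avoid reply storms, following the recommendations of RFC 3834 plus the two headers the post names. It marks its own replies as automatic, declines to answer anything that is itself automatic, bulk or list mail, and answers each sender at most once per interval. Function names, addresses, the seven-day interval and the sample messages are constructed.

```python
import time
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

BULK_PRECEDENCE = {"bulk", "list", "junk"}
SUPPRESS_VALUES = {"all", "oof", "autoreply"}      # X-Auto-Response-Suppress
ROLE_PREFIXES = ("mailer-daemon", "owner-", "noreply", "no-reply")
REPLY_INTERVAL = 7 * 24 * 3600                     # assumption: one reply per week


def should_auto_reply(msg, envelope_from, seen, now=None):
    """Return True only when answering cannot feed a mail loop.

    `seen` maps sender address -> time of the last auto-reply sent to it.
    """
    now = time.time() if now is None else now
    sender = parseaddr(envelope_from)[1].lower()
    if not sender:                                  # null sender "<>" is a bounce
        return False
    local = sender.split("@", 1)[0]
    if local.startswith(ROLE_PREFIXES) or local.endswith("-request"):
        return False
    # RFC 3834: anything other than "no" means a machine produced the message.
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return False
    if (msg.get("Precedence") or "").strip().lower() in BULK_PRECEDENCE:
        return False
    if "List-Id" in msg or "List-Unsubscribe" in msg:
        return False
    raw = msg.get("X-Auto-Response-Suppress") or ""
    if {v.strip().lower() for v in raw.split(",")} & SUPPRESS_VALUES:
        return False
    last = seen.get(sender)
    if last is not None and now - last < REPLY_INTERVAL:
        return False                                # already answered recently
    seen[sender] = now
    return True


def build_auto_reply(msg, envelope_from, our_address):
    """Build a reply that other responders will recognise as automatic."""
    reply = EmailMessage()
    reply["From"] = our_address
    reply["To"] = parseaddr(envelope_from)[1]       # answer the envelope sender
    reply["Subject"] = "Auto: " + (msg.get("Subject") or "")
    reply["Auto-Submitted"] = "auto-replied"
    reply["Precedence"] = "bulk"
    reply["X-Auto-Response-Suppress"] = "All"
    if msg.get("Message-ID"):
        reply["In-Reply-To"] = msg["Message-ID"]
        reply["References"] = msg["Message-ID"]
    reply.set_content("Thanks, we have received your email, "
                      "we will reply shortly in office hours.")
    return reply


# Constructed sample messages.
HUMAN_MAIL = ("From: Alice <alice@example.org>\nSubject: Question\n"
              "Message-ID: <1@example.org>\n\nHello\n")
LIST_MAIL = ("From: bob@example.org\nList-Id: <list.example.org>\n"
             "Precedence: list\nSubject: Re: thread\n\nbody\n")

if __name__ == "__main__":
    seen = {}
    human = message_from_string(HUMAN_MAIL)
    print(should_auto_reply(human, "<alice@example.org>", seen, now=0))
    print(should_auto_reply(message_from_string(LIST_MAIL),
                            "<list-bounces@example.org>", {}, now=0))
    print(build_auto_reply(human, "<alice@example.org>", "support@example.net"))
```
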
Re: Level 3 blames Internet slowdowns on Technica
On 24 March 2014 10:47, Joe Greco jgr...@ns.sol.net wrote: Here in Illinois, we have been paying for the construction of our tollway in perpetuity. When it was originally built the state promised to remove the tolls as soon as construction costs were recovered. We are still waiting and will be forever. As someone who has worked in the Loop on and off for twenty years, I am fully aware of the history and folly of the Illinois trollway. I heard you guys have been paying taxes for the war against my country (Spain) since 1898. http://en.wikipedia.org/wiki/Federal_telephone_excise_tax So yea. Is much easier to create a new tax, than to remove it.
Re: How to catch a cracker in the US?
On 14 March 2014 05:14, shawn wilson ag4ve...@gmail.com wrote: On Mar 13, 2014 7:37 PM, Larry Sheldon larryshel...@cox.net wrote: .. Sorry for my note. Didn't mean it to sidetrack the question (I probably should've). /me o_O Social perception of hacking affects law-making. Computing security is controlled by moral panic and security theater. Maybe someday a young man will enter prison for possession of hacking tools... a compiler and a debugger. Fighting paranoia and moral panic is something we should be doing. Making the distinction hacker vs cracker is like a small effort for this. -- -- ℱin del ℳensaje.
Re: How to catch a cracker in the US?
On 12 March 2014 14:56, William Herrin b...@herrin.us wrote: .. Who knows, U.S. authorities may already be investigating the same user which would make your job so much easier. lurker mode off Also, if you just want a deterrent. Having a cop visit the home of the cracker just making questions may send the message we know where you live, so calm the fuck up. /lurker mode on -- -- ℱin del ℳensaje.
Re: About ddos-respo...@nfoservers.com
On 24 January 2014 16:23, Chris Boyd cb...@gizmopartners.com wrote: On Jan 24, 2014, at 8:36 AM, Jared Mauch wrote: You haven’t been able to get GTT/nLayer/TINet to track the traffic back? Details are welcome, either here or in private. There are plenty of people who will chase and fix this stuff when they’re aware of it. When OpenResolver Project was announced, there were about 60 abusable addresses in my corner of the Internet. I was able to get that number down under 20 by asking politely. The NFOserver reports have been a pretty good stick to get the number down below 10. http://dns.measurement-factory.com/surveys/openresolvers/ASN-reports/latest.html Uh.. Oh. I see a lot of references to Teléfonica in Latin America. -- -- ℱin del ℳensaje.
Re: How anti-NSA backlash could fracture the Internet along national borders - The Washington Post
Casual comment: This scheme has a problem. USA is a friend of country A, and country B. A is spying on B, and shares the results with USA. B is spying on A and shares the results with USA. A and B can make a network, but it will be all but private. -- -- ℱin del ℳensaje.
Re: Internet Surveillance and Boomerang Routing: A Call for Canadian Network Sovereignty
On 7 September 2013 18:09, Dobbins, Roland rdobb...@arbor.net wrote: On Sep 8, 2013, at 4:08 AM, Paul Ferguson wrote: As a result, these transmissions expose Canadians to potential U.S. surveillance activities – a violation of Canadian network sovereignty. Yes, far better to keep those communications within Canada - where CSEC can hand them over to GCHQ, who'll then hand them over to NSA . . . But I don't think every secret service have installed his own backdoors in all popular software and protocols. And the NSA can't share these backdoors/weakness with all his friends, because if you tell a secret to everyone, it stop being a secret. The existence and nature of these backdoors will be revealed, and the affected software will fix them. So probably the NSA works like Wall-Mart Secrets. And they sell secrets, 100.000$ for a list of human rights activist, 2 millions for the emails of the leaders of the opposition. -- -- ℱin del ℳensaje.
Re: The US government has betrayed the Internet. We need to take it back
On 6 September 2013 11:37, Eugen Leitl eu...@leitl.org wrote: http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying The US government has betrayed the Internet. We need to take it back

It's like you have to abandon USA based encryption systems that are closed source. But I dunno, maybe open source solutions can have problems. http://xkcd.com/221/ http://en.wikinews.org/wiki/Predictable_random_number_generator_discovered_in_the_Debian_version_of_OpenSSL

I think the encryption world will think about this, and will recommend a group of products (like PGP) that are almost sure safe. The NSA can spy on underwater internet cables, but they can't abolish Math. If you have an encryption system that is not backdoored and is cryptographically strong enough, the NSA or anyone will have a hard time uncovering your secrets.

-- -- ℱin del ℳensaje.
Re: The US government has betrayed the Internet. We need to take it back
On 6 September 2013 10:52, Sam Moats s...@circlenet.us wrote: The problem being is when you do have a provider that appears to be secure and out of reach, think lavabit, that provider will not survive for long. The CALEA requirements, and Patriot Act provisions will force them into compliance. Only if are on USA territory. You can also push for distributed services that don't depend on one fat server farm. -- -- ℱin del ℳensaje.
Re: How big is the Internet?
I know the exact size: Infinite. When I was in the university I was downloading many things at night, while the whole internet bandwidth was wasted (hehehehe). Many times my wget -r -l 32 got stuck on things like CGI's that point to themselves, creating an infinite loop. This was in 2002, but probably many CGI's like this one still exist. I imagine spider programmers have many fun similar histories, of websites that seem infinite to the spider. -- -- ℱin del ℳensaje.
Re: Revealed: NSA program collects 'nearly everything a user does on the internet'
On 31 July 2013 16:46, Warren Bailey wbai...@satelliteintelligencegroup.com wrote: Tin foil hat Wednesday, limited supplies. Revealed: NSA program collects 'nearly everything a user does on the internet' http://gu.com/p/3hy4h

- Have I read it correctly. Can they break into a vpn connection, then leech documents that a german in pakistan is sending to his office in germany?
- So excel documents store MAC address?... time to set them to random numbers :D
- What are the red dots in the bottom of the map? satellites? penguin powered servers on the south pole?
- The document makes it look like this exists to spy on religious terrorists and industrial espionage. But who knows.

Woah, that's a lot of red dots in europe. Must be to protect the europeans.

-- -- ℱin del ℳensaje.
Re: Office 365..? how Microsoft handed the NSA access to encrypted messages
It would be fun to make an encryption keyboard. A keyboard that adds the text you write to a buffer, and when the buffer is full, outputs it to the computer encrypted. Maybe with pgp. Such a machine would probably need a led with the text you are writing. That way, you could be using Google Docs or Office 365. And the computer OS can have a keylogger and a backdoor. And you will still be somewhat safe if pgp provides you with a strong enough level of encryption. -- -- ℱin del ℳensaje.
Re: Office 365..? how Microsoft handed the NSA access to encrypted messages
Who's doing the spying, anyway? Sounds like a collaboration between Microsoft and the NSA. Sounds to me like Microsoft, and the NSA, are doing the spying. If some judge declares these actions illegal, a crime, Microsoft will be co-perpetrators.

Even if no judge declares this a crime, what about the customer position?

a) Microsoft lied to you.
b) Microsoft conspired with others to break your privacy.
c) They did more than the law forced them, to break your privacy.
d) You are the product that Microsoft sells to the NSA.

Somebody, somewhere in the USA government, thought that after the 9/11, normal laws do not apply, including the constitution. New laws were made to give free rein, and people like Microsoft happily jumped to make some money out of it. This is wrong.

-- -- ℱin del ℳensaje.
Re: huawei (ZTE too)
I am only a lurker in this list. I am curious why nobody has mentioned open source. There's no way all these router-thingies would have all their source code visible? a house made of glass? -- -- ℱin del ℳensaje.
Re: PRISM: NSA/FBI Internet data mining project
This is one of these "Save the forest by burning it" situations that don't have any logic. To save a forest firefighters often cut a few trees. Don't cut all the trees in a forest to save it from a fire. Exceptions must be made for police forces to violate rights (like privacy). Exceptions can't be the norm. An exception can't be "we have access to all emails all the time". That's cutting all the forest. If you give police forces the ability to violate personal rights all the time (not as exceptions) what this causes is people running away from the police forces. And it turns the police forces into some type of criminal, the only difference being they are better organized and backed by the law. -- -- ℱin del ℳensaje.
Re: What hath god wrought?
On 20 May 2013 01:58, Michael Painter tvhaw...@shaka.com wrote: http://arstechnica.com/security/2013/05/ddos-for-hire-service-works-with-blessing-of-fbi-operator-says/ More on the same topic. http://krebsonsecurity.com/2013/05/ragebooter-legit-ddos-service-or-fed-backdoor/#more-19475 Maybe the FBI use this to commit crimes in USA using a foreign company as proxy so nothing dirty show on the books. That way the FBI can avoid respecting USA laws. -- -- ℱin del ℳensaje.
Re: Color vision for network techs
Standards can have bugs, and a standard that is not compatible with maybe 5% of the population is buggy. Almost any standard that starts "this is red and this is green" is flawed this way. This means any future standard created has to look into this type of stuff (and i18n and localization and others) to not create flawed buggy standards. Old standards can be updated ... (maybe include lines of the same color but different contrast), but we all know how hard it is to update standards. If I were one of these dudes, I would download/create an app for my iphone that recolorizes video to change colours to others I could tell the difference between. -- -- ℱin del ℳensaje.
Re: stanford-biologist-computer-scientist-discover-anternet
On 27 August 2012 02:58, Suresh Ramasubramanian ops.li...@gmail.com wrote: On Mon, Aug 27, 2012 at 2:54 AM, Andre Gironda an...@operations.net wrote: http://engineering.stanford.edu/news/stanford-biologist-computer-scientist-discover-anternet Looks like at least one component of unseen university's Hex is alive and kicking. Good fun. Ankh-Morpork already has its own p2p client http://antsp2p.sourceforge.net/ -- -- ℱin del ℳensaje.
Re: No DNS poisoning at Google (in case of trouble, blame the DNS)
On 27 June 2012 09:50, Stephane Bortzmeyer bortzme...@nic.fr wrote: (troll specially for a Web site written in PHP /troll)?

We software makers have a problem: when a customer asks for an application, often there's a web project that already does it (for the most part it is a round peg in a round hole). So a natural solution is to install this project and customize it to his needs (theme, perhaps some programming). The other option is to create the code from scratch (perhaps using a framework).

If you create the code from scratch, it will be safe. A tree can't get a human virus, and a human can't get a tree virus. You are not unhackable, bad practices will bite you in the long term, but you don't see exploits made specifically for this custom made code daily. Too bad, the features the code allows will be few, limited to the budget of the project. Programming sucks, and generates code and bugs, and everybody suffers for it. This option sucks.

If you use these projects that already do 99% of what the customer needs, plus 120% the customer does not need (and perhaps doesn't want). The code quality will normally be good, with **horrible** exceptions. But sooner or later (weeks) there will be exploits for this codebase, to hack the site in horrible ways. If the customer doesn't pay for maintenance and doesn't do the maintenance himself the code will turn comically outdated. Hacking the site will be easy for children age 5 and up. Maintenance sucks. This option sucks.

All options suck.

Your browser will call you an idiot if you try to browse with an outdated version. But web projects are not this rude to owners. So you have people browsing forums in Chrome 18, where the forum software is a version from 2004 (heavily customized, but this will not save you). Then a cracker comes, uses a known exploit from 2008, and downloads 1.2 million unhashed passwords. Where 98% of these passwords are reused on facebook, twitter, linkedin and gmail.

-- -- ℱin del ℳensaje.
Re: No DNS poisoning at Google (in case of trouble, blame the DNS)
On 28 June 2012 14:48, Arturo Servin arturo.ser...@gmail.com wrote: ... Think about sql injection, they are not only to specific platforms but to general bad programming practices. If you are already a good programmer, writing code that is safe against sql injections is trivial. So it is not a real problem, and that's why I don't mention it. A real problem is one that you can't avoid by just walking one step to the left. But I support that you champion it, and I fully agree bad code is possible and some people do write it. We don't really disagree. -- -- ℱin del ℳensaje.
Re: LinkedIn password database compromised
Anonymity on the Internet is a feature, because a lot of the world's netcitizens come from countries where saying this or that is a crime, and can get you in trouble. Any asymmetric cryptography solution that removes anonymity is a bad thing. Making censorship easier on the internet is making it worse.

What could do some good is to discredit some bad practices, and propose alternate better practices. This is hard, and part of it is because some people good practices is other people good practices. We can't start this yet, because we don't agree on these good practices.

There's something weird with password length: on most websites you are allowed to type an 80 or 120 characters long name. But if you try that with your password, you find a problem. Somehow VARCHAR(120) is unfeasible for passwords, but ok for first_name, second_name. It is even more weird when people are storing hashes. The length of a md5 doesn't change if I choose very long passwords, so why are people limiting password length?

Another weird limitation that must go is the idea that you can't use special characters. The expression "special characters" is a red flag itself. Most passwords should allow UTF-8, and allow anything that UTF-8 allows.

Forcing people to mix uppercase and lowercase.. I understand where this comes from. It enhances the password strength. At what price? Making passwords a random mix of letters and numbers makes them hard to remember and makes life miserable for everyone. Practices to make passwords stronger may be pushing people to write passwords down, or reuse passwords.

-- ℱin del ℳensaje.
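An added example, not part of the original post: password storage in which the stored string has the same length whatever the password's length or character set, so long UTF-8 passphrases cost no extra column width. It uses salted PBKDF2-HMAC-SHA256 from the Python standard library rather than the MD5 the post mentions; the record format, the iteration count and the 4096-byte request cap are assumptions of this example.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 600_000        # assumption: work factor chosen for this example
MAX_PASSWORD_BYTES = 4096   # assumption: cap on request size, not a policy limit


def _prepare(password: str) -> bytes:
    """Normalise Unicode so the same passphrase typed on two keyboards matches."""
    data = unicodedata.normalize("NFKC", password).encode("utf-8")
    if not data:
        raise ValueError("empty password")
    if len(data) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds request cap")
    return data


def hash_password(password: str, salt: bytes = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'scheme$iterations$salt$digest'; the digest is always 32 bytes."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", _prepare(password), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", _prepare(password),
                                        bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False            # malformed record or unusable password
    return hmac.compare_digest(candidate, expected)


# Constructed sample passwords: one character, and a long UTF-8 passphrase.
SHORT = "a"
LONG = "correct horse battery staple " * 20 + "ñandú ✓"

if __name__ == "__main__":
    short_record = hash_password(SHORT)
    long_record = hash_password(LONG)
    print(len(SHORT), "chars ->", len(short_record), "stored chars")
    print(len(LONG), "chars ->", len(long_record), "stored chars")
    print("long passphrase verifies:", verify_password(LONG, long_record))
```
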
Re: LinkedIn password database compromised
If anyone has a really good idea how to fix this mess, it will be a good idea to contact Jeff Atwood (of codehorror.com and stackoverflow.com fame). He and other people are working on a new internet approach to discussions. Think forums 2.0. If this new pet rock succeeds, it could change how the world uses, eerrh... forums. We could hit two problems with the same rock. -- -- ℱin del ℳensaje.
Re: LinkedIn password database compromised
The problem: - Modern internet users must have lots of different login/passwords around the internet. Most of them in easy-to-break poorly-patched poorly-managed servers, like linkedin. The solution: - Reduce the number of authentications. Allow anonymous posting in more sites. Imagine this. I post something on the blog yadaydayda. I give my email and nothing else. The blog software sends me an email to confirm the post. I click on it, and the post is published. The real problem is that nowadays everybody and his dog wants a password, and a password is expensive for the user. The internet needs more anonymous ways to publish content. -- -- ℱin del ℳensaje.
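The confirm-by-email flow described above, as an added example that is not part of the original post: the blog holds the post unpublished and mails a link carrying an HMAC-signed, expiring, single-use token, so no password is ever created or stored. The function names, the in-memory `pending` store, the key and the one-hour lifetime are all assumptions of this sketch.

```python
import base64
import hashlib
import hmac
import json
import time

SERVER_KEY = b"constructed-demo-key"   # constructed; load a random secret in practice
TOKEN_TTL = 3600                        # assumption: links are valid for one hour


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def issue_token(email: str, post_id: str, now: float = None) -> str:
    """Token mailed to the author; binds this post to this address until expiry."""
    now = time.time() if now is None else now
    claims = {"email": email.lower(), "post": post_id, "exp": int(now) + TOKEN_TTL}
    payload = json.dumps(claims, sort_keys=True).encode()
    return _b64(payload) + "." + _b64(_tag(payload))


def submit(pending: dict, post_id: str, email: str, body: str,
           now: float = None) -> str:
    """Hold the post unpublished and return the token to put in the mailed link."""
    pending[post_id] = {"email": email.lower(), "body": body, "published": False}
    return issue_token(email, post_id, now)


def confirm(token: str, pending: dict, now: float = None):
    """Publish the pending post named by a valid token; return its id or None."""
    now = time.time() if now is None else now
    try:
        payload_part, tag_part = token.split(".")
        payload, tag = _unb64(payload_part), _unb64(tag_part)
    except ValueError:                   # wrong shape or bad base64
        return None
    if not hmac.compare_digest(tag, _tag(payload)):
        return None                      # forged or altered link
    claims = json.loads(payload)
    post = pending.get(claims["post"])
    if claims["exp"] < now or post is None or post["published"]:
        return None                      # expired, unknown, or already used
    if post["email"] != claims["email"]:
        return None                      # token was issued for another address
    post["published"] = True
    return claims["post"]
```
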
this NANOG wiki is getting spammed
I don't think this is the official nanog wiki, but anyway probably the owners are on this mail list. Spammers are wasting everyone's time by filling it with crap. http://nanog.cluepon.net/index.php/Special:RecentChanges -- -- ℱin del ℳensaje. . . . . . postdata: Blizzard is getting strange slower speeds for some customers (300ms ping, when others have a normal of 100ms). I blame this on evil ISP's doing evil things, or routing problems. Ignore this line.
Re: VoIP vs POTS (was Re: Operation Ghost Click)
Perhaps cell towers can be made to fail sooner, and enter some emergency mode where only 911 calls get service. -- -- ℱin del ℳensaje.
Re: Host scanning in IPv6 Networks
On 20 April 2012 17:16, Owen DeLong o...@delong.com wrote: exec ? exceed ? Not a lot of x's in hexadecimal numbers outside of C-style formatting (0x). IPv6 addresses are not generally notated in said style and certainly don't include said x in a suitable context for that to be part of a dictionary attack. However, he also left out the common use of 7(t), 6/9(g), 1/7(I/L/T), 2(Z), 5(S), and 0(O). c is also often substituted for k (as in face:b00c). Owen Sorry. I did a quick filter of the openoffice dictionary file. Seems that I made an ugly mistake :-/ postdata: I have made a [0-9] to [aeioutnshrdlcmwf] converter. http://jsbin.com/ibepup/ This converts a decimal number into a hexadecimal number not using the [0-9A-F] table, but the [aeioutnshrdlcmwf] table. The aeioutnshrdlcmwf table may allow a big number of numbers to have an existing word or expression. postdata2: Using this converter, 123442553445523 is the word NaouuScuch. -- -- ℱin del ℳensaje.
Re: Host scanning in IPv6 Networks
It would be a very fast dictionary attack :D accede bade dad decade face axed babe deaf bed Abe bee Decca exec fade bead bedded deed exceed Abba deface efface feed On 20 April 2012 09:08, Fernando Gont ferna...@gont.com.ar wrote: FYI Original Message Subject: IPv6 host scanning in IPv6 Date: Fri, 20 Apr 2012 03:57:48 -0300 From: Fernando Gont fg...@si6networks.com Organization: SI6 Networks To: IPv6 Hackers Mailing List ipv6hack...@lists.si6networks.com Folks, We've just published an IETF internet-draft about IPv6 host scanning attacks. The aforementioned document is available at: http://www.ietf.org/id/draft-gont-opsec-ipv6-host-scanning-00.txt The Abstract of the document is: cut here IPv6 offers a much larger address space than that of its IPv4 counterpart. The standard /64 IPv6 subnets can (in theory) accommodate approximately 1.844 * 10^19 hosts, thus resulting in a much lower host density (#hosts/#addresses) than their IPv4 counterparts. As a result, it is widely assumed that it would take a tremendous effort to perform host scanning attacks against IPv6 networks, and therefore IPv6 host scanning attacks have long been considered unfeasible. This document analyzes the IPv6 address configuration policies implemented in most popular IPv6 stacks, and identifies a number of patterns in the resulting addresses lead to a tremendous reduction in the host address search space, thus dismantling the myth that IPv6 host scanning attacks are unfeasible. cut here Any comments will be very welcome (note: this is a drafty initial version, with lots of stuff still to be added... but hopefully a good starting point, and a nice reading ;-) ). Thanks! Best regards, -- -- ℱin del ℳensaje.
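The address patterns discussed in this thread, as an added example that is neither from the post nor from the draft: a small audit that labels the interface identifier (low 64 bits) of each address in your own inventory, so predictable ones can be renumbered or given privacy addresses. The hex words come from the list above plus Owen's "b00c"; the low-byte, EUI-64 and embedded-IPv4 checks are simple heuristics chosen for this sketch, and the inventory uses constructed addresses in the 2001:db8::/32 documentation prefix.

```python
import ipaddress
from collections import Counter

# Hex-only words from the list in the message above, plus "b00c" from the reply.
HEX_WORDS = {"bade", "dad", "face", "babe", "deaf", "bed", "bee",
             "fade", "bead", "deed", "feed", "b00c"}

# Constructed inventory (documentation prefix), one address per pattern.
INVENTORY = [
    "2001:db8:1:1::1",
    "2001:db8:1:1:211:22ff:fe33:4455",
    "2001:db8:1:1:face:b00c:0:1",
    "2001:db8:1:1:192:0:2:10",
    "2001:db8:1:1:8d3c:71a9:4be2:f06c",
    "2001:db8:1:1:a1b2:c3d4:e5f6:789",
]


def classify_iid(address: str) -> str:
    """Label the interface identifier of one IPv6 address (heuristic)."""
    iid = int(ipaddress.IPv6Address(address)) & 0xFFFFFFFFFFFFFFFF
    groups = [f"{(iid >> shift) & 0xFFFF:x}" for shift in (48, 32, 16, 0)]

    if iid >> 16 == 0:
        return "low-byte"            # ::1, ::25, ::100 style manual numbering
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui-64"              # MAC-derived: ff:fe in the middle of the IID
    if any(g in HEX_WORDS for g in groups):
        return "hex-word"            # face:b00c style vanity addresses
    if all(g.isdigit() and int(g) <= 255 for g in groups):
        return "embedded-ipv4"       # 192:0:2:10 style, octets written as groups
    return "no-obvious-pattern"


def audit(addresses):
    """Return (count per label, sorted addresses whose IID follows a pattern)."""
    labels = {a: classify_iid(a) for a in addresses}
    flagged = sorted(a for a, lab in labels.items()
                     if lab != "no-obvious-pattern")
    return Counter(labels.values()), flagged


if __name__ == "__main__":
    counts, flagged = audit(INVENTORY)
    for label, n in counts.most_common():
        print(f"{label:20s} {n}")
    print("review:", *flagged, sep="\n  ")
```
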
Re: April fools joke?
On 2 April 2012 06:56, Robert Bonomi bon...@mail.r-bonomi.com wrote: Keith Medcalf wrote: {prior attributions lost} http://www.bbc.co.uk/news/uk-politics-17576745 It's sad when you just can't tell with things like this.. I was hoping for something good, like maybe an extension of RFC 1149 implementing ECN (aka SQUAWK) in avian carriers. I'm disappointed. ECN doesn't help if the Hunting Season bit is set. That's a situation where you *want* Bugs in the project. Wabbit Season! Joke is on them. I make all my terrorist talking in Counter-Strike. Since the game packets are not logged, nothing is logged. And we use a special language so a possible spy would not understand us. 1. OMFG! It's a deagle train! Camp for your life! 2. W00T kill #7 Total deagle-train! 3. Why don't you use that M4 you have? 2. Because I'm deagle-training n00b! Logging emails: - 100% false positives: log data from everyone not evil - 100% missed messages: don't log data from evil people The very definition of useless. Probably another feel good, look how we combat the evuuul politics. -- -- ℱin del ℳensaje.
Re: April fools joke?
On 2 April 2012 13:40, Tei oscar.vi...@gmail.com wrote: On 2 April 2012 06:56, Robert Bonomi bon...@mail.r-bonomi.com wrote: Keith Medcalf wrote: {prior attributions lost} http://www.bbc.co.uk/news/uk-politics-17576745 It's sad when you just can't tell with things like this.. I was hoping for something good, like maybe an extension of RFC 1149 implementing ECN (aka SQUAWK) in avian carriers. I'm disappointed. ECN doesn't help if the Hunting Season bit is set. That's a situation where you *want* Bugs in the project. Wabbit Season! Joke is on them. I make all my terrorist talking in Counter-Strike. Since the game packets are not logged, nothing is logged. And we use a special language so a possible spy would not understand us. 1. OMFG! It's a deagle train! Camp for your life! Oops. Sorry, seems they will use deep packet inspection for games. I suppose the trigger for when the terrorist say we have setup the bomb will trigger a few hundreds of times per minute. :-/ -- -- ℱin del ℳensaje.
Re: $1.5 billion: The cost of cutting London-Tokyo latency by 60ms
On 23 March 2012 13:31, Aled Morris al...@qix.co.uk wrote: On 23 March 2012 11:53, Eugen Leitl eu...@leitl.org wrote: All three cables are being laid for the same reasons: Redundancy and speed. As it stands, it takes roughly 230 milliseconds for a packet to go from London to Tokyo; the new cables will reduce this by 30% to 170ms. This speed-up will be gained by virtue of a much shorter run: If they could armor the cable sufficiently perhaps they could drill the straight line path through the Earth's crust (mantle and outer core) and do London-Tokyo in less than 10,000km. Aled I imagine an easier solution. Use a random number generator in both sides, with the same seed. Then use a slower way to send packets re-sync that will contain the delta from the generated number, to the real actual number. I suppose these speeds are needed for some fast speed transactions, that are leeching money from the background noise on the market. This is not like the Roman empire, where you could make a lot of money buying wheat when there's a dry year in Egypt. note: I could be wrong. -- -- ℱin del ℳensaje.
Re: Programmers with network engineering skills
On 12 March 2012 09:59, Carlos Martinez-Cagnazzo carlosm3...@gmail.com wrote: Hey! On 3/8/12 8:24 PM, Lamar Owen wrote: On Monday, March 05, 2012 09:36:41 PM Jimmy Hess wrote: ... (16) The default gateway's IP address is always 192.168.0.1 (17) The user portion of E-mail addresses never contain special characters like - + $ ~ . ,, [, ] I've just had my ' xx AT cagnazzo.name' email address rejected by a web form saying that 'it is not a valid email address'. So I guess point (17) can be extended to say that 'no email address shall end in anything different that .com, .net or the local ccTLD' :=) Carlos Yea, I don't even know how programmers can get that wrong. The regex is not even hard or anything. (?:[a-z0-9!#$%'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%'*+/=?^_`{|}~-]+)*|(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*)@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\]) -- -- ℱin del ℳensaje.
Re: Programmers with network engineering skills
On 27 February 2012 23:23, Jay Ashworth j...@baylink.com wrote: - Original Message - From: Owen DeLong o...@delong.com I think you're more likely to find a network engineer with (possibly limited) programming skills. That's certainly where I would categorize myself. And you're the first I've seen suggest, or even imply, that going that direction instead might be more fruitful; seemed to me that the skills necessary to make a decent network engineer would support learning programming better than the other way round -- though in fact I personally did it the other way. I agree. And I am just a programmer. Part of it is that our job is to obscure implementation details to those in higher levels. We think hard to build stuff, so other people don't have to. If there's a program that creates a connection, and that connection can break, we silently repeat the reconnection part, so those that use the program ignore these problems and can live happy. A bad programmer will show a message Connection break, please connect again. Having the human manually pressing the connect button again. I have no words for how lame that is. So we hide implementation details for us, and for others. Programmers that write compilers hide implementation details to others. Designers of CPU's microcode hide implementation details to mere assembler programmers. -- -- ℱin del ℳensaje.
Re: DNS Attacks
I am a mere user, so all this stuff sounds to me like gibberish. The right solution is to capture the request to these DNS servers, and send to a custom server with a static message warning.html. Nothing fancy. With a phone number to get out of jail, so people can call to opt out of this thing, so can browse the internet to search for a solution. This or do nothing. http://www.guardian.co.uk/world/2012/jan/18/iran-death-sentence-porn-programmer Interpol helps Iran capture a programmer for creating porn sites. Now, if the Interpol want you to block a DNS server, or worse, to spy on users connecting to a DNS server. Will you help? Doing nothing is also a good option, methinks. Start meddling, redirecting dns traffic, spying on the user... all these things are dirty and can't end well. (note, of course, I am a user, so I have a user opinion. ) -- -- ℱin del ℳensaje.
Re: Megaupload.com seized
On 23 January 2012 04:05, Jacob Taylor orangewi...@gmail.com wrote: .. Tahoe-lafs can be fast. A grid I help out with is often capable of 600kilobyte/per/second downloads (or faster), and I personally have several files stored on there in excess of 500mb. Close enough to your 700mb movie example. I use this storage as a CDN of sorts, as a friend wrote an HTTP interface to the Tahoe-lafs grid. Fast and not centralized seems good traits. Urls are ugly, but thats manageable, are not human readable, but humans can copy it around. Should you wish to see it in action, the code and download links are over here -- http://cryto.net/projects/tahoe.html I get this: 2012-01-24 10:01:22 ERROR 504: Gateway Time-out. Googling for VVJJOkNISzp3NWo1aWd2M3NmYnlsM21pczZ5enRjN2thbTpmMjdjenBtNW13ZmxkY2Rud2NpM3NxeGVkamRncmt0ZGljYTd4bXFsNWN3bGh0c2x4bWdhOjM6NjozMTM2 finds only this site. (I somehow expected to find other servers hosting a gateway to the same file). -- -- ℱin del ℳensaje.
Re: Megaupload.com seized
What filesharers should do is to store files in these services in an encrypted way, with an anonymized name. So these services have absolutely no way to tell what they are hosting. Filesharers can organize themselves in sites based on a forum software that is private by default (open with registration), then share some information file that includes the url to the files hosted, and the key to unencrypt these files, and some metadata. A special desktop program* would load that information file, and start the http download. This way can combine the best of the old BBS systems with the best of the current caching and hosting technologies. These http hosting services seem to operate well enough. A % of the users go premium to allow more and better downloads. *Maybe it is time to write such a program. -- -- ℱin del ℳensaje.
Re: Megaupload.com seized
On 20 January 2012 12:14, Alec Muffett alec.muff...@gmail.com wrote: On 20 Jan 2012, at 11:00, Tei wrote: Fileshares can organize themselves in sites based on a forum software that is private by default (open with registration), then share some information file that include the url to the files hosted, and the key to unencrypt these files, and some metadata. A special desktop program* would load that information file, and start the http download. At the risk of kicking over old ground, there are a bunch of privacy solutions like this; possibly the most complete attempt (in terms of attempted privacy and distribution) is Freenet: http://freenetproject.org/whatis.html ...but it's slow; then there's Tahoe-LAFS - a decentralised filesystem: https://tahoe-lafs.org/trac/tahoe-lafs ...but it's slow; then there are connection anonymisation tools like I2P and Tor, but - wonderful as they are - they're slow. Can you see a pattern developing that would be relevant to the downloader of 700Mb+ AVIs? :-) It would be great to speed them through wider adoption, but until then... -a These services are not needed yet. But it is good that they are under study, in case changes in laws or balance of power make them needed. For now, I think people will continue using HTTP to download/stream movies and tv series. Perhaps countries where the 3 strikes legislation is approved will make one of these systems necessary. But I think speed is an important factor, and no slow system will succeed. -- -- ℱin del ℳensaje.
Re: Whacky Weekend: Is Internet Access a Human Right?
On 5 January 2012 16:22, Jay Ashworth j...@baylink.com wrote: Vint Cerf says no: http://j.mp/wwL9Ip But I wonder to what degree that's dependent on how much our governments make Internet access the most practical/only practical way to interact with them. Understand: I'm not saying that FiOS should be a human right. But as a society, America's recognized for decades that you gotta have a telephone, and subsidized local/lifeline service to that extent; that sort of subsidy applies to cellular phones now as well. Thoughts? You don't need a new right. The human rights include education and access to be able to participate in your culture. A human banned from using the internet would not have access to culture, and will be banned from participating in it. Based on this page: http://en.wikipedia.org/wiki/Human_rights 5.5 5.7 5.7.* Practical terms: The ugly conclusion is that you can put a man in jail, but that doesn't include banning such a man from accessing the internet. Say, you put in jail a cracker. The judge has to remove him from two rights, the right to freely walk anywhere, and the right to post in his favorite forum/mail list. -- -- ℱin del ℳensaje.
Re: next-best-transport! down with ethernet!
I am a php/javascript programmer. The web used to be request/reply. With the request small (but not small enough), and the reply long. But the time for permanent connections is coming. Links from clients to server that are permanent. Or look like that in the application layer. In one sense, this is an optimization, no more polling the server do you have something for me? every n seconds. But I imagine mostly make things like caching and proxies pointless. At some point, users will start getting unhappy with web page replies slower than 100 ms. ATM my webpages take longer to start Jquery than all the server-client interactions. Most obvious optimization is never reload the page, and run everything through ajax calls. I am not dumb, I know turning webpages into applications makes webpages too fragile. But I am scared of javascripts. Javascript is just too damn useful now, browsers too broken (mostly IE), and Javascript is like a superhero that fixes all. The web is going to change in a few years, from a request reply interchange network, to something more like a computer bus. I don't know how the wires will react to this. On 30 December 2011 10:58, Vitkovsky, Adam avitkov...@emea.att.com wrote: Actually an a Cisco presentation on Nexus 7k I asked whether it's possible to transport the FCoE over let's say EoMPLS or VPLS and did not get a straight answer though that was half a year ago -but it would be really cool to connect hard-drives directly over continents adam -Original Message- From: Tom Hill [mailto:t...@ninjabadger.net] Sent: Thursday, December 29, 2011 8:58 PM To: nanog@nanog.org Subject: Re: next-best-transport! down with ethernet! On Thu, 2011-12-29 at 10:06 -0500, Christopher Morrow wrote: yes, let's get something with say fixed sized packets, ability to have predictable jitter and also, for fun, no more STP! Ethernet is too complex, maybe something simpler? I hear there's this new tech 'ATM'? it seems to fit the bill! Pfft.
Everyone knows that Fibre Channel's going to replace everything... The minute we get those 128Gbit/sec transmission characteristics, Ethernet's gonna be as good as RS-485. -- -- ℱin del ℳensaje.
Re: Happy xmas folks
On 12/20/2011 10:08 PM, andrew.wallace wrote: I just want to say happy xmas to everyone at NANOG. I'm about to sign off for the holidays. Andrew enjoy your christmas, and you don't have to come back after the holidays, we'll be fine without you. As a gamer, I hope ipv6 comes soon. Singleplayer videogames are a historic weird thing. Since the beginning of humanity most games have been cooperative or competitive. But trying to host a videogame (serving the game) from behind a crappy router, using NAT, is not fun. It is even more crappy because hardware manufacturers produce these horrible interfaces in these routers ( my favorite pet-peeve is the limit to forward 6 ports). I suppose nobody in this mail list will have any problem in configuring one of these things. But for 99.999% of the gamers, even the concepts are unknown. Now that gaming is mainstream, and more than 500 million persons play games daily, more and more people are exposed to the crappiness of crappy NAT configure dialogs on crappy routers. Please make the pain stop. I am looking forward to a day where you would be able to avoid NAT, and share your ip with your teammates, to have a pain-free experience. So gamers don't have to study sites like this one: http://portforward.com/ -- -- ℱin del ℳensaje.
Re: Microsoft deems all DigiNotar certificates untrustworthy, releases
*a random php programmer shows* He, I just want to self-sign my CERT's and remove the ugly warning that browsers show. I don't want to pay 1000$ a year, or 1$ a year for that. I just don't want to use cleartext for internet data transfer. HTTP is like telnet, and HTTPS is like ssh. But with ssh I can just connect, with browsers there's this ugly warning and fuck you, self-signed certificate from the browsers. Please make the pain stop!. --Tei -- -- ℱin del ℳensaje.