Re: NSP-SEC

2010-03-23 Thread Guillaume FORTAINE



>> Conclusion : if you can't reply to these fundamental questions, hire a
>> CISO and build a CSIRT.

> sigh  I *so* hate making an argument from authority (other than I think smb
> published a paper on that already), but in your case I'll make an exception.
>
> Go read http://www.sans.org/dosstep/roadmap.php
>
> Read the date, read the signatories.


I have read with interest this document.

1) Remarks :

- Bill Clinton is no longer the president of the USA. Howard Schmidt is the
new cybersecurity czar:


http://www.facebook.com/howardas

(By the way, Gadi Evron is in his Facebook friends ?!?)


2) Notes :

a) Problem 1: Spoofing  Problem 2: Broadcast Amplification

http://docs.google.com/viewer?url=http://www.dca.fee.unicamp.br/~chesteve/pubs/LIPSIN_sigcomm2009_jokela.pdf



b) Problem 3: Lack of Appropriate Response To Attacks

http://docs.google.com/viewer?url=http://nanog.org/meetings/nanog47/presentations/Sunday/Green_Top10_Security_N47_Sun.pdf



c) Problem 4: Unprotected Computers

http://docs.google.com/viewer?url=http://www.whitehouse.gov/files/documents/cyber/Gourley_Bob_Open_Source_Software_and_Cyber_Defense_01_April_2009.pdf



> Ask yourself if you *really* want to be
> telling me that we need to build a CSIRT. (Answer - our CIRT was up and
> running back in 1991, and was well-known in 2000. So no, we don't need advice
> on how to start one.


VT-CIRT :

http://docs.google.com/viewer?url=http://www.it.vt.edu/publications/annualreports/annualreport2007-2008.pdf

o Students designed, built, and are maintaining the vulnerability scan
engines that are the core of the www.ids.cirt.vt.edu site.



CSIRT-MU :

http://docs.google.com/viewer?url=http://www.vabo.cz/spi/2009/presentations/03/02-celeda_rehak_CAMNEP_no_video.pdf

Project Results

Further Information:

3 Journal papers, including IEEE Intelligent Systems
20+ conference papers (RAID, AAMAS, IAT, FloCon,...)

How to get it?

University startups:

-INVEA-TECH a.s. - FlowMon probes, collectors for high-speed data 
monitoring (with MU, VUT and CESNET)
-Cognitive Security s.r.o. - CAMNEP system for real-time data mining 
(with CTU)


Supported by:

U.S. ARMY RDECOM-CERDEC, CESNET, Czech MOD



> We've got literally man-centuries of experience in running
> one already. By the way, where were you in 1991?)

   


In 1991, I was in primary school. In 2000, the date of your link, I got 
my first access to Internet. And now ? ;) !



Best Regards,

Guillaume FORTAINE




Re: NSP-SEC

2010-03-23 Thread Valdis . Kletnieks
On Tue, 23 Mar 2010 11:13:48 BST, Guillaume FORTAINE said:

> I have read with interest this document.

(lots of irrelevant commentary elided - the vast majority of which merely
confirms the point that a lot of people have been doing further research on
issues that we identified a decade and more ago)

> In 1991, I was in primary school. In 2000, the date of your link, I got
> my first access to Internet. And now ? ;) !

And now, you're still acting like you've got new unique insights and going out
of your way to irritate the very same more experienced people that you probably
should be trying to learn from, when you haven't bothered to find out that
you're once again 10 and 20 years behind the curve:

http://en.wikipedia.org/wiki/Plonk_%28Usenet%29

Wow. Rich Sexton really *did* contribute something important to the Net.




Re: NSP-SEC

2010-03-23 Thread Nick Hilliard
On 23/03/2010 12:59, valdis.kletni...@vt.edu wrote:
> And now, you're still acting like you've got new unique insights and going out
> of your way to irritate the very same more experienced people that you probably
> should be trying to learn from, when you haven't bothered to find out that
> you're once again 10 and 20 years behind the curve:

Do not feed the troll.

Nick



Re: NSP-SEC

2010-03-22 Thread Andrew D Kirch
Guillaume FORTAINE wrote:
  
> This is a very pertinent question. My reply would be :
>
> How much money would you evaluate a security incident on your Cisco
> device ?
>
> Because, the fundamental questions are :
>
> a) How much value does your network bring to your business ?
>
> b) How much money are you ready to spend to ensure its security ?
>
> Conclusion : if you can't reply to these fundamental questions, hire a
> CISO and build a CSIRT.
>
> Best Regards,
>
> Guillaume FORTAINE

Folks, this is why you shouldn't let your kids do crystal meth, just in
case you were wondering.

Andrew




Re: NSP-SEC

2010-03-21 Thread Andrew D Kirch
Guillaume FORTAINE wrote:
> On 03/20/2010 09:12 PM, Gadi Evron wrote:
>
>> 2. Show you are responsive and responsible in handling issues in your
>> own back yard.
>
> http://docs.google.com/viewer?a=vq=cache:ENEl1xrgXNwJ:https://ow.feide.no/_media/geantcampus:s5.2-flows_at_mu.pdf%3Fid%3Dgeantcampus%253Anetw_monitoring_oct_2009%26cache%3Dcache+s5.2-flows_at_muhl=enpid=blsrcid=ADGEEShCR2bC8bfpSow5e5Ebqi-x0szdV_rZN15cDn6t_nZpD6Vd-K-FRZ-sMpZy4k-7XJKWQdcsXt3hKYpc1M5RtNB_LMPahnYx9Zw8gSxEJ2WTjBQ5rn-KISGF8vE7qCOkyvHsPyStsig=AHIEtbTjuYrs5deXJTat5R5_8Xb1oDQFNg
>
> http://isotf.org/pipermail/cii/2010-February/000137.html
>
> Best Regards,
>
> Guillaume FORTAINE


Are you done yet?  Please go away.  You're here posting from a webmail
account at Microsoft, dictating some sort of network policy?

Andrew



Re: NSP-SEC

2010-03-21 Thread James Bensley
On 19 March 2010 14:19,  valdis.kletni...@vt.edu wrote:
> You *do* realize that
> there's an estimated 140,000,000 bots on the net, right

As many as that? That's 1 in 12 according to
http://www.internetworldstats.com/stats.htm. Let's be honest, I don't
follow the world wide bot crisis because as your figure suggests, it's
just too much to keep your head on top of it, but is it really that
many? I'm rather shocked it's that high tbh!

-- 
Regards,
James ;)



Re: NSP-SEC

2010-03-21 Thread Rich Kulawiec
On Sun, Mar 21, 2010 at 09:37:09PM +, James Bensley wrote:
> On 19 March 2010 14:19,  valdis.kletni...@vt.edu wrote:
> > You *do* realize that
> > there's an estimated 140,000,000 bots on the net, right
>
> As many as that? That's 1 in 12 according to
> http://www.internetworldstats.com/stats.htm.

I think that estimate's a bit on the low side, but it's certainly very
plausible, based on growth rates that have been observed over the past
seven years.  I think any estimate under 100M should be laughed out of
the room, and that 200M is not unreasonable, although it's arguably
edging toward the upper error bars.

What's disconcerting about this -- well, actually there are a number
of disconcerting things about this, but let me pick one -- is that our
adversaries have convincingly demonstrated that they understand concepts
like reserves, concealment, and misdirection.  It's therefore entirely
sensible to wonder how many systems which are not presently displaying
any externally-observable symptoms are in fact bots but are simply not
being used as such -- for now.

There is, by the way, no relief from this due to events like the
recent bust of the Mariposa botnet (13M systems); all that means is
that there are now 13M pre-compromised systems waiting for the first
person clever enough to conscript them into *their* botnet.

---Rsk



RE: NSP-SEC

2010-03-21 Thread Alex Lanstein

From: Rich Kulawiec [...@gsp.org]
Sent: Sunday, March 21, 2010 8:43 PM
To: nanog@nanog.org
Subject: Re: NSP-SEC

> There is, by the way, no relief from this due to events like the
> recent bust of the Mariposa botnet (13M systems);

The public numbers advertised were 13M _IPs_ connecting to a sinkhole over more 
than a month's time.  When I've had visibility into other large botnets 
(srizbi, rustock, mega-d), I was consistently seeing a 10 to 1 
IPs-to-unique-bots count over a time period of a week.  Happy to make the raw 
pcap data available to anyone who is curious.  The UCSB guys showed similar 
results in their excellent Torpig paper.  
http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf

My unscientific finger-in-the-wind would put it at well under 1M when you are 
talking a month and a half of monitoring IP connections.

Regards,

Alex Lanstein
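
Alex's 10-to-1 IPs-to-bots figure is the difference between counting addresses that touched a sinkhole and counting infected hosts. The script below is an added example (mine, not code from the thread or from any of the posters) showing how that ratio is taken from sinkhole check-in logs and why it depends on the observation window. The log lines are constructed, the `bid=` field is an assumed per-infection identifier standing in for whatever a given family's check-in carries, and the 13,000,000 and 10 fed to the final estimate are the thread's own numbers.

```python
"""Unique-bot estimation from sinkhole check-in logs.

Added example (not from the NANOG thread). The log lines are constructed;
'bid=' is an assumed per-infection identifier carried in each check-in.
"""
from datetime import datetime

# Constructed sinkhole log: "timestamp src_ip bid=<bot id>".
# Bot a1 checks in from four addresses across two weeks (DHCP churn), and
# 198.51.100.10 is later reused by a different infected host (c3).
SINKHOLE_LOG = """\
2010-03-01T00:10:00 198.51.100.10 bid=a1
2010-03-01T01:00:00 203.0.113.5 bid=b2
2010-03-01T06:00:00 198.51.100.11 bid=a1
2010-03-02T00:00:00 198.51.100.12 bid=a1
2010-03-09T00:00:00 198.51.100.44 bid=a1
2010-03-09T00:00:00 198.51.100.10 bid=c3
2010-03-10T00:00:00 198.51.100.46 bid=c3
2010-03-11T00:00:00 203.0.113.6 bid=b2
"""


def parse(log):
    """Parse log text into (timestamp, ip, bot_id) tuples."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, bid = line.split()
        rows.append((datetime.fromisoformat(ts), ip, bid.split("=", 1)[1]))
    return rows


def unique_counts(rows):
    """(unique source IPs, unique bot ids) over the whole set of rows."""
    return len({ip for _, ip, _ in rows}), len({bid for _, _, bid in rows})


def window_counts(rows, days=7):
    """Same counts per fixed-length window, keyed by window index from the
    earliest check-in. Comparing a single window with the overall count shows
    how address churn inflates an IP-based tally as the window grows."""
    if not rows:
        return {}
    t0 = min(ts for ts, _, _ in rows)
    buckets = {}
    for ts, ip, bid in rows:
        idx = (ts - t0).days // days
        ips, bids = buckets.setdefault(idx, (set(), set()))
        ips.add(ip)
        bids.add(bid)
    return {idx: (len(ips), len(bids)) for idx, (ips, bids) in sorted(buckets.items())}


def ip_to_bot_ratio(rows):
    """Observed IPs per unique bot: the figure Alex quotes as 10 to 1."""
    ips, bids = unique_counts(rows)
    return ips / bids if bids else float("nan")


def estimate_bots(observed_ips, ratio):
    """Scale a raw connecting-IP count down by a measured IPs-per-bot ratio.
    The ratio must come from the same window length as the IP count, because
    a longer window accumulates more addresses per bot."""
    if ratio <= 0:
        raise ValueError("ratio must be positive")
    return observed_ips / ratio


if __name__ == "__main__":
    rows = parse(SINKHOLE_LOG)
    print("overall (ips, bots):", unique_counts(rows))
    print("per week:", window_counts(rows))
    print("overall ratio:", round(ip_to_bot_ratio(rows), 2))
    print("13M IPs at 10:1 ->", int(estimate_bots(13_000_000, 10)), "bots")
```

On the constructed data each week alone shows 4 IPs for 2 and 3 bots, while the two weeks together show 7 IPs for 3 bots: the per-bot address count keeps climbing with the window, which is why a weekly 10:1 ratio cannot simply be applied to a month-and-a-half IP count, and why Alex's month-scale estimate comes out far lower than 13M/10.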



Re: NSP-SEC

2010-03-21 Thread Valdis . Kletnieks
On Sun, 21 Mar 2010 21:37:09 -, James Bensley said:
> On 19 March 2010 14:19,  valdis.kletni...@vt.edu wrote:
> > You *do* realize that
> > there's an estimated 140,000,000 bots on the net, right
>
> As many as that? That's 1 in 12 according to

That was Vint Cerf's number as of 2007 or so. He dropped that estimate at
a major keynote address, and for the next 2 weeks, every security expert
out there was going OK, who's going to tell Vint he's full of it? - but
nobody could find non-laughable countering estimates.

Want a more depressing number?

http://blog.trendmicro.com/1h-2009-malware-threat-grows-ever-larger/

TrendLabs has seen this continued growth of malware. The effects on users is
clear: in the first six months of 2008, the Trend Micro World Virus Tracking
Center (WTC) recorded that 253.4 million systems were infected with malware.
The comparable volume for 2009 is almost double at 491.2 million.

The mind boggles.  I would appreciate it if somebody would find the massive
statistical error that inflated those numbers by a factor of 5 or 10. (Note
that number probably includes adware and spyware as well as full-blown zombies,
but any adware or spyware that can phone home can at least in principle upgrade
itself to a bot if desired..)

Operational impact: For close to half of your customers, the billing address
no longer matches the effective owner's address.




Re: NSP-SEC

2010-03-21 Thread Patrick W. Gilmore
On Mar 21, 2010, at 9:52 PM, Alex Lanstein wrote:

>> There is, by the way, no relief from this due to events like the
>> recent bust of the Mariposa botnet (13M systems);
>
> The public numbers advertised were 13M _IPs_ connecting to a sinkhole over
> more than a month's time.  When I've had visibility into other large botnets
> (srizbi, rustock, mega-d), I was consistently seeing a 10 to 1
> IPs-to-unique-bots count over a time period of a week.  Happy to make the raw
> pcap data available to anyone who is curious.  The UCSB guys showed similar
> results in their excellent Torpig paper.
> http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf
>
> My unscientific finger-in-the-wind would put it at well under 1M when you are
> talking a month and a half of monitoring IP connections.

First, Alex, don't you know all security people are 100% secretive? :)
 
Back on topic, there is good data out there showing far, far more than 1 
million hosts on the Internet infected.  Hrmm, my first two Google searches did 
not turn anything up.  So maybe those security guys are being secretive!

-- 
TTFN,
patrick




Re: NSP-SEC

2010-03-20 Thread Hank Nussbacher

On Fri, 19 Mar 2010, William Pitcock wrote:


> On Fri, 2010-03-19 at 08:31 -0500, John Kristoff wrote:
>
>> An ongoing area of work is to build better closed,
>> trusted communities without leaks.
>
> Have you ever considered that public transparency might not be a bad
> thing?  This seems to be the plight of many security people, that they
> have to be 100% secretive in everything they do, which is total
> bullshit.
>
> Just saying.


How exactly would being transparent for the following help Internet 
security:


I am seeing a new malware infection vector via port 91714 coming from the 
IP range of 32.0.0.0/8 that installs a rootkit after visiting the web page
http://www.trythisoutnow.com/.  In addition, it has credit card and pswd 
stealing capabilities and sends the details to a maildrop at 
trythisout...@gmail.com


The only upside of being transparent is alerting the miscreant to change 
the vector and maildrop.


Regards,
Hank



Re: NSP-SEC

2010-03-20 Thread William Pitcock
On Sat, 2010-03-20 at 20:30 +0200, Hank Nussbacher wrote:
> On Fri, 19 Mar 2010, William Pitcock wrote:
>
>> On Fri, 2010-03-19 at 08:31 -0500, John Kristoff wrote:
>>> An ongoing area of work is to build better closed,
>>> trusted communities without leaks.
>>
>> Have you ever considered that public transparency might not be a bad
>> thing?  This seems to be the plight of many security people, that they
>> have to be 100% secretive in everything they do, which is total
>> bullshit.
>>
>> Just saying.
>
> How exactly would being transparent for the following help Internet
> security:
>
> I am seeing a new malware infection vector via port 91714 coming from the
> IP range of 32.0.0.0/8 that installs a rootkit after visiting the web page
> http://www.trythisoutnow.com/.  In addition, it has credit card and pswd
> stealing capabilities and sends the details to a maildrop at
> trythisout...@gmail.com
>
> The only upside of being transparent is alerting the miscreant to change
> the vector and maildrop.

That is not what I mean and you know it.

What I mean is: why can't anyone contribute valuable information to the
security community?  It is next to impossible to meet so-called 'trusted
people' if you're new to the game, which is counter-productive.

If you're a 15 year old kid and you just discovered a way to own the
latest IOS, for example, how do you know who to tell about it?

William




Re: NSP-SEC

2010-03-20 Thread Hank Nussbacher

On Sat, 20 Mar 2010, William Pitcock wrote:


> What I mean is: why can't anyone contribute valuable information to the
> security community?  It is next to impossible to meet so-called 'trusted
> people' if you're new to the game, which is counter-productive.
>
> If you're a 15 year old kid and you just discovered a way to own the
> latest IOS, for example, how do you know who to tell about it?


If I was such a clever 15 year old I would go to Google and enter 
contacting cisco ios security

which would lead me to -
http://www.cisco.com/en/US/products/products_security_advisories_listing.html
which would lead me to -
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Same exercise can be repeated for most vendors you can choose.

-Hank



Re: NSP-SEC

2010-03-20 Thread Guillaume FORTAINE

On 03/20/2010 07:37 PM, William Pitcock wrote:

> On Sat, 2010-03-20 at 20:30 +0200, Hank Nussbacher wrote:
>> On Fri, 19 Mar 2010, William Pitcock wrote:
>>> On Fri, 2010-03-19 at 08:31 -0500, John Kristoff wrote:
>>>> An ongoing area of work is to build better closed,
>>>> trusted communities without leaks.
>>>
>>> Have you ever considered that public transparency might not be a bad
>>> thing?  This seems to be the plight of many security people, that they
>>> have to be 100% secretive in everything they do, which is total
>>> bullshit.
>>>
>>> Just saying.
>>
>> How exactly would being transparent for the following help Internet
>> security:
>>
>> I am seeing a new malware infection vector via port 91714 coming from the
>> IP range of 32.0.0.0/8 that installs a rootkit after visiting the web page
>> http://www.trythisoutnow.com/.  In addition, it has credit card and pswd
>> stealing capabilities and sends the details to a maildrop at
>> trythisout...@gmail.com
>>
>> The only upside of being transparent is alerting the miscreant to change
>> the vector and maildrop.
>
> That is not what I mean and you know it.
>
> What I mean is: why can't anyone contribute valuable information to the
> security community?  It is next to impossible to meet so-called 'trusted
> people' if you're new to the game, which is counter-productive.


I totally agree with William.

Best Regards,

Guillaume FORTAINE



Re: NSP-SEC

2010-03-20 Thread Guillaume FORTAINE


> If I was such a clever 15 year old I would go to Google and enter
> contacting cisco ios security
>
> which would lead me to -
> http://www.cisco.com/en/US/products/products_security_advisories_listing.html
>
> which would lead me to -
> http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
>
> Same exercise can be repeated for most vendors you can choose.



I would counter argue by quoting this article :

http://www.breakingpointsystems.com/community/blog/cisco-becomes-the-weakest-link-in-national-infrastructure-security

Cisco Becomes The Weakest Link In National Infrastructure Security

Last week Cisco released patches in their semi-annual security 
announcement. The publication includes 11 advisories that address 12 
individual vulnerabilities. Ten of the advisories address 
vulnerabilities in Cisco IOS and one advisory addresses a vulnerability 
in Cisco Unified Communications Manager. Together these can affect 
routers and switches that not only use the Cisco Unified Communications 
Manager, but any device relying on the Cisco IOS operating system. To 
put it bluntly, this means a ton of devices critical to any network, and 
these vulnerabilities leave businesses and government agencies exposed 
to a barrage of attacks including denial-of-service (DDoS) or policy bypass.


Much has been written about the announcement of the vulnerabilities. 
However, details are lacking and there are more questions than answers. 
This lack of information leads me to believe Cisco does not take 
security seriously and continues to not know how to work with the 
security community. Considering the lack of details and opinions, I 
thought I would provide a few of my own.


1) Twice A Year Is Not Enough

The number of vulnerabilities patched by Cisco is not the issue. It is 
the potential danger these vulnerabilities pose. One of the IOS 
vulnerabilities allows unauthenticated attackers to bypass access 
control policies when the “Object Groups for Access Control Lists 
(ACLs)” feature is used. Your company is most likely protecting your 
critical components by leveraging ACLs, now imagine they are no longer 
in place. The human resources database with all that W-2 information? 
Hackers now have your salary, your direct deposit account, your medical 
history and of course your social security number. To make matters 
worse, replace that HR database with our government’s nuclear secrets; 
don’t you think Iran is aware of the Cisco vulnerabilities?


Scary stuff, for sure, but how long has the vulnerability been around 
and recognized. The answer is unknown. The only fact we have is that 
each of these eleven vulnerabilities may have been around for at least 
six months. That is an eternity in the security space and has given 
hackers too much time to walk in through an open door.


Microsoft is often a punching bag when it comes to vulnerabilities and 
it is sometimes warranted, but let’s be honest, the company does a good 
job of patching issues on a regular basis. With Microsoft, you know that 
you are going to get a patch each month and important details that help 
you make an informed security decision. Cisco should examine its 
patching schedule in light of the September 24th announcement; every six 
months is not acceptable.


2) Updating Routers and Switches is Now Critical

You can never diminish the importance of a switch or router to your 
network infrastructure. They are the core to any network whether in a 
home, a large Enterprise or the Federal Government. If one fails you 
know it. However, if a vulnerability let’s people through due to a hack 
do you know it? While everyone remembers to patch their Mac or Windows 
laptop, how often do they patch the router, firewall or switch?


To see how up-to-date folks are with their Cisco firmware I ran a quick 
test. During a 1-hour scan of the Internet I found 420 responding 
systems and NONE were patched with any fixes from this cycle or the 
last. That means 420 systems, at a minimum, are susceptible to a years 
worth of vulnerabilities.


Microsoft had enough of people not patching and now it force feeds the 
patches. While I’m not a fan of that solution, it does work. Cisco needs 
to apply the same method to its products. It is irresponsible for Cisco 
to run its business in a way that could cause mass disruption to 
critical network infrastructures including government and military services.


Cisco is not the only one to blame in this mess, the people responsible 
for getting their routers, switches and other network equipment 
up-to-date also must be held accountable. How many of you updated with 
the patches on September 24th, the day of the announcement? The quick 
scan I did is telling me not many. Kelly Jackson Higgins of Dark Reading 
put it best, “The dirty little secret about patching routers is that 
many enterprises don't bother for fear of the fallout any changes to 
their Cisco router software could have on the rest of the 

Re: NSP-SEC

2010-03-20 Thread Sean Donelan

On Sat, 20 Mar 2010, William Pitcock wrote:

> If you're a 15 year old kid and you just discovered a way to own the
> latest IOS, for example, how do you know who to tell about it?


Read the manual?  Most products and open source projects have a manual 
which includes information about contacting the vendor or project.


If you don't have the manual, but know how to use a search engine, try a 
search for reporting security vulnerabilities.  Most major IT vendors 
and open source projects have a security reporting page.  Some people have 
suggested vendors and projects have a common URL such as .../security 
with security information.


For example if you found a vulnerability in IOS, look up the following URL
to find out Cisco's reporting contacts:

http://www.cisco.com/security

Report a potential vulnerability in Cisco products:
ps...@cisco.com

Urgent technical assistance for non-security issues that involve Cisco 
products:

Cisco Technical Support
800 553 2447 (U.S.)
Worldwide Contacts

Emergency response to active security incidents that involve Cisco 
products:

PSIRT
877 228 7302 (U.S.)
+1 408 525 6532 (outside U.S.)

Report an incident involving the Cisco corporate network:
info...@cisco.com


If you still don't know who to contact, CERT/CC maintains a world-wide map 
of national computer security incident response teams.


http://www.cert.org/cert/map_open.html

Although some of the intra forums between CSIRT, vendor, project, 
provider, researcher communities aren't open to everyone, e.g. a CSIRT 
forum may only have CSIRTs, an academic forum may only have academics; 
each of the CSIRTs, vendors, projects, providers have contacts for 
reporting vulnerabilities that may affect their constituencies.




Re: NSP-SEC

2010-03-20 Thread William Pitcock
On Sat, 2010-03-20 at 22:12 +0200, Gadi Evron wrote:
> On 3/20/10 8:37 PM, William Pitcock wrote:
>> That is not what I mean and you know it.
>
> What do you mean then? Hank made a good point on the type of traffic
> normally going through these groups.

My point hasn't much to do with the NSP-SEC list, I know plenty well
what traffic goes through there, but instead that the security community
is not welcoming to new contributors.  I do run a bloody DNSBL, after
all.

My point was also that there are people on the NSP-SEC list that can get
things done faster than PSIRT/etc do on turnaround times.  Many of those
same people also exist on a certain irc channel that will remain
unnamed, too.

William





Re: NSP-SEC

2010-03-20 Thread Sean Donelan

On Sat, 20 Mar 2010, William Pitcock wrote:

> What I mean is: why can't anyone contribute valuable information to the
> security community?  It is next to impossible to meet so-called 'trusted
> people' if you're new to the game, which is counter-productive.


How do I break into show business?
http://www.imdb.com/help/show_leaf?becomeastar

Is your goal to contribute valuable information to the security community?

Or is your goal to become a security celebrity and hang out with the 
trusted people?


Anyone can contribute valuable information to the security community.
There are many channels to achieve this.  If in fact your contributions
are valuable, you will probably find the security community trying to
become your buddy.

If instead your goal is to become a security celebrity hanging out with
trusted people; that's different.  Annoying the people you want to
hang out with by sending e-mails to their personal addresses, and
generally making a fool out of yourself is probably not going to help
achieve your goal.



Re: NSP-SEC

2010-03-20 Thread George Imburgia



On Sat, 20 Mar 2010, Hank Nussbacher wrote:


> How exactly would being transparent for the following help Internet security:
>
> I am seeing a new malware infection vector via port 91714 coming from the IP
> range of 32.0.0.0/8 that installs a rootkit after visiting the web page
> http://www.trythisoutnow.com/.  In addition, it has credit card and pswd
> stealing capabilities and sends the details to a maildrop at
> trythisout...@gmail.com
>
> The only upside of being transparent is alerting the miscreant to change the
> vector and maildrop.



I disagree. *All* of that information would be useful for configuring 
filters at my border.



Cheers,
George
AD7RL
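
George's point is that a report like Hank's sample becomes useful once it is turned into something a border can enforce, and that conversion is where a defender checks the data before trusting it. The script below is an added example of mine, not code from the thread or from any of the posters. It takes the fields of Hank's illustrative report (the maildrop address is a constructed placeholder, since the thread elides it), validates each one, and emits rule text; the iptables line and the blocklist and mail-watch entries are illustrative output formats, not anything a particular product requires. The posted port, 91714, lies outside the 16-bit port range, so the validator refuses to build rules from it rather than emitting a filter that could never match; it also flags the collateral damage of a blanket deny on a /8.

```python
"""Validate a shared indicator report before turning it into border rules.

Added example (not from the NANOG thread). Field values come from Hank's
illustrative report; the maildrop address is a constructed placeholder.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators as posted in the thread, plus a constructed maildrop placeholder.
REPORT = {
    "port": 91714,                             # as posted; not a valid port
    "source_range": "32.0.0.0/8",
    "landing_page": "http://www.trythisoutnow.com/",
    "maildrop": "maildrop@example.invalid",    # constructed placeholder
}

LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$)(?:{LABEL}\.)+[a-z]{{2,63}}$", re.I)
EMAIL_RE = re.compile(rf"^[^@\s]+@(?:{LABEL}\.)+[a-z]{{2,63}}$", re.I)


def validate(report):
    """Return a list of problems; an empty list means every field is usable."""
    problems = []
    port = report.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append(f"port {port!r} is outside 1-65535")
    try:
        ipaddress.ip_network(str(report.get("source_range")), strict=True)
    except ValueError:
        problems.append(f"source_range {report.get('source_range')!r} is not a valid prefix")
    host = urlsplit(str(report.get("landing_page", ""))).hostname
    if not host or not HOSTNAME_RE.match(host):
        problems.append(f"landing_page {report.get('landing_page')!r} has no usable hostname")
    if not EMAIL_RE.match(str(report.get("maildrop", ""))):
        problems.append(f"maildrop {report.get('maildrop')!r} is not a mailbox address")
    return problems


def collateral_warnings(report):
    """Caveats to weigh before deploying: a /8 deny hits far more than the miscreant."""
    net = ipaddress.ip_network(str(report["source_range"]))
    warnings = []
    if net.prefixlen < 16:
        warnings.append(
            f"{net} spans {net.num_addresses} addresses; a blanket deny will also "
            "drop legitimate traffic from that range")
    return warnings


def build_rules(report):
    """Emit rule text for a validated report; refuse if any field is unusable."""
    problems = validate(report)
    if problems:
        raise ValueError("refusing to build rules: " + "; ".join(problems))
    net = ipaddress.ip_network(str(report["source_range"]))
    host = urlsplit(report["landing_page"]).hostname
    return [
        # inbound deny from the reported range on the reported port (iptables syntax)
        f"iptables -A INPUT -s {net} -p tcp --dport {report['port']} -j DROP",
        # entry for a DNS or proxy blocklist fed by the landing-page hostname
        f"blocklist {host}",
        # pattern for a mail-log watch on the exfiltration mailbox
        f"watch-smtp-rcpt {report['maildrop']}",
    ]


if __name__ == "__main__":
    print("problems with the report as posted:", validate(REPORT))
    corrected = dict(REPORT, port=9171)   # constructed: a port inside the valid range
    for rule in build_rules(corrected):
        print(rule)
    for warning in collateral_warnings(corrected):
        print("warning:", warning)
```

Run as posted, the script reports the out-of-range port and builds nothing; with a corrected port it emits the three rules and still warns that the /8 covers sixteen million addresses, which is the operator's cue to narrow the source range or to prefer the hostname and mailbox indicators over the address block.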



Re: NSP-SEC

2010-03-19 Thread Paul WALL
On Thu, Mar 18, 2010 at 8:43 PM, Guillaume FORTAINE gforta...@live.com wrote:
> Misses, Misters,

You forgot the ballers, shot callers, brawlers, those who dippin' in
the benz with the spoilers. [0]

> I would want to inform you that the security of the Internet, that is
> discussed in the NSP-SEC mailing-list [0] by a selected group of vendors
> (Cisco, Juniper & Arbor) [1] and operations contacts of the big ISPs [2] :

I personally believe that that U.S. Americans are unable to do so
because, uh, some people out there in our nation don't have maps and,
uh, I believe that our, uh, education like such as in South Africa
and, uh, the Iraq, everywhere like such as, and, I believe that they
should, our education over here in the U.S. should help the U.S., uh,
or, uh, should help South Africa and should help the Iraq and the
Asian countries, so we will be able to build up our future, for our
children. [1]

> 1) applies the Security through Obscurity paradigm that has been proven
> inefficient [3]. To quote [4] :

When the Sun shines upon Earth, 2 - major Time points are created on
opposite sides of Earth - known as Midday and Midnight. Where the 2
major Time forces join, synergy creates 2 new minor Time points we
recognize as Sunup and Sundown. The 4-equidistant Time points can be
considered as Time Square imprinted upon the circle of Earth. In a
single rotation of the Earth sphere, each Time corner point rotates
through the other 3-corner Time points, thus creating 16 corners, 96
hours and 4-simultaneous 24 hour Days within a single rotation of
Earth - equated to a Higher Order of Life Time Cube. [2]

> First question : Why was I able to find this mail on the Internet if it
> should be kept secret ?

ELMSFORD 12 GALAXIES CESJROGENICAL ERGONOMICS NBC: XOXPHROZENIGUL
COVERAGE WASPROVENIKIL ADMONISHMENTS MINUSCULE STRATOSPHERICAL [3]

> Second question : Do you still ask yourself why the Internet is so insecure
> ? [10]

http://www.youtube.com/watch?v=GkMvKeX7erI [4]

I am also curious [5], is OBESUS [6] the new IASON [7]? Are you Peter
and Karin Dambier [8]?

Drive Slow [9],

Paul WALL [10]

[0] http://www.lyricsmode.com/lyrics/p/p_diddy/all_about_the_benjamins.html
[1] http://en.wikipedia.org/wiki/Caitlin_Upton
[2] http://en.wikipedia.org/wiki/Time_cube
[3] http://en.wikipedia.org/wiki/Frank_Chu
[4] http://en.wikipedia.org/wiki/List_of_recurring_characters_in_The_Simpsons#Crazy_Cat_Lady
[5] http://www.merriam-webster.com/dictionary/curious
[6] http://mailman.nanog.org/pipermail/nanog/2010-March/019518.html
[7] http://iason.site.voila.fr/
[8] http://www.peter-dambier.de/
[9] http://en.wikipedia.org/wiki/Drive_Slow
[10] http://en.wikipedia.org/wiki/Paul_Wall



Re: NSP-SEC

2010-03-19 Thread John Kristoff
On Fri, 19 Mar 2010 04:43:18 +0100
Guillaume FORTAINE gforta...@live.com wrote:

> First question : Why was I able to find this mail on the Internet if
> it should be kept secret ?

nsp-security was originally formed out of the dissatisfaction with
other so-called private collaborative channels back when it was formed
a number of years ago.  There are many more lists and groups that have
since formed along the same lines.  The existence of nsp-security is no
secret and there has been a small number of leaks, that is, mail
primarily, that was not meant to be forwarded or copied outside the list
that had been.  It's been far from perfect from both a secretive
standpoint and policy standpoint, but compared to what existed before
it, it has proved useful from time to time.  The ISP Security BoF/Track
meetings at NANOG grew out of the nsp-security effort and those are
open to any NANOG attendee.

One thing groups like this have perhaps most helped with is building
one-to-one relationships between colleagues.  Groups like nsp-security
help you to learn who the trusted and reliable contacts are at various
organizations.  An ongoing area of work is to build better closed,
trusted communities without leaks.  It's still an ongoing problem.  That's
why many times really sensitive work gets done in even smaller ad-hoc
groups or on a one-to-one basis.

John



Re: NSP-SEC

2010-03-19 Thread Leo Bicknell

I'd like to nominate this for the Best of Nanog 2010.

In a message written on Fri, Mar 19, 2010 at 02:50:37AM -0700, Paul WALL wrote:
> On Thu, Mar 18, 2010 at 8:43 PM, Guillaume FORTAINE gforta...@live.com wrote:
>> Misses, Misters,
>
> You forgot the ballers, shot callers, brawlers, those who dippin' in
> the benz with the spoilers. [0]
>
>> I would want to inform you that the security of the Internet, that is
>> discussed in the NSP-SEC mailing-list [0] by a selected group of vendors
>> (Cisco, Juniper & Arbor) [1] and operations contacts of the big ISPs [2] :
>
> I personally believe that that U.S. Americans are unable to do so
> because, uh, some people out there in our nation don't have maps and,
> uh, I believe that our, uh, education like such as in South Africa
> and, uh, the Iraq, everywhere like such as, and, I believe that they
> should, our education over here in the U.S. should help the U.S., uh,
> or, uh, should help South Africa and should help the Iraq and the
> Asian countries, so we will be able to build up our future, for our
> children. [1]
>
>> 1) applies the Security through Obscurity paradigm that has been proven
>> inefficient [3]. To quote [4] :
>
> When the Sun shines upon Earth, 2 - major Time points are created on
> opposite sides of Earth - known as Midday and Midnight. Where the 2
> major Time forces join, synergy creates 2 new minor Time points we
> recognize as Sunup and Sundown. The 4-equidistant Time points can be
> considered as Time Square imprinted upon the circle of Earth. In a
> single rotation of the Earth sphere, each Time corner point rotates
> through the other 3-corner Time points, thus creating 16 corners, 96
> hours and 4-simultaneous 24 hour Days within a single rotation of
> Earth - equated to a Higher Order of Life Time Cube. [2]
>
>> First question : Why was I able to find this mail on the Internet if it
>> should be kept secret ?
>
> ELMSFORD 12 GALAXIES CESJROGENICAL ERGONOMICS NBC: XOXPHROZENIGUL
> COVERAGE WASPROVENIKIL ADMONISHMENTS MINUSCULE STRATOSPHERICAL [3]
>
>> Second question : Do you still ask yourself why the Internet is so insecure
>> ? [10]
>
> http://www.youtube.com/watch?v=GkMvKeX7erI [4]
>
> I am also curious [5], is OBESUS [6] the new IASON [7]? Are you Peter
> and Karin Dambier [8]?
>
> Drive Slow [9],
>
> Paul WALL [10]
>
> [0] http://www.lyricsmode.com/lyrics/p/p_diddy/all_about_the_benjamins.html
> [1] http://en.wikipedia.org/wiki/Caitlin_Upton
> [2] http://en.wikipedia.org/wiki/Time_cube
> [3] http://en.wikipedia.org/wiki/Frank_Chu
> [4] http://en.wikipedia.org/wiki/List_of_recurring_characters_in_The_Simpsons#Crazy_Cat_Lady
> [5] http://www.merriam-webster.com/dictionary/curious
> [6] http://mailman.nanog.org/pipermail/nanog/2010-March/019518.html
> [7] http://iason.site.voila.fr/
> [8] http://www.peter-dambier.de/
> [9] http://en.wikipedia.org/wiki/Drive_Slow
> [10] http://en.wikipedia.org/wiki/Paul_Wall

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/




Re: NSP-SEC

2010-03-19 Thread William Pitcock
On Fri, 2010-03-19 at 08:31 -0500, John Kristoff wrote:
 An ongoing area of work is to build better closed,
 trusted communities without leaks. 

Have you ever considered that public transparency might not be a bad
thing?  This seems to be the plight of many security people, that they
have to be 100% secretive in everything they do, which is total
bullshit.

Just saying.

William




Re: NSP-SEC

2010-03-19 Thread Valdis . Kletnieks
On Fri, 19 Mar 2010 06:42:44 PDT, Leo Bicknell said:

 I'd like to nominate this for the Best of Nanog 2010.

Amen to that.  As the Jargon File says, C|N>K.  Unfortunately, I was
eating breakfast, and it was corn flakes not coffee.  Ouch.




Re: NSP-SEC

2010-03-19 Thread David Barak
Total transparency in security matters works about as well as it would for law 
enforcement: fine for tactical concerns, but not so great for long-term 
strategic concerns.

-David Barak

On Fri Mar 19th, 2010 9:44 AM EDT William Pitcock wrote:

On Fri, 2010-03-19 at 08:31 -0500, John Kristoff wrote:
 An ongoing area of work is to build better closed,
 trusted communities without leaks. 

Have you ever considered that public transparency might not be a bad
thing?  This seems to be the plight of many security people, that they
have to be 100% secretive in everything they do, which is total
bullshit.

Just saying.

William


Re: NSP-SEC - should read Integrity

2010-03-19 Thread bmanning
On Fri, Mar 19, 2010 at 08:44:29AM -0500, William Pitcock wrote:
 On Fri, 2010-03-19 at 08:31 -0500, John Kristoff wrote:
  An ongoing area of work is to build better closed,
  trusted communities without leaks. 
 
 Have you ever considered that public transparency might not be a bad
 thing?  This seems to be the plight of many security people, that they
 have to be 100% secretive in everything they do, which is total
 bullshit.


I think I'd settle for operators with Integrity. Those who do what 
they say. 

--bill



RE: NSP-SEC - should read Integrity

2010-03-19 Thread Green, Tim R
There are some out there..Infragard?(shrugs shoulders)..

-Original Message-
From: bmann...@vacation.karoshi.com
[mailto:bmann...@vacation.karoshi.com] 
Sent: Friday, March 19, 2010 9:57 AM
To: William Pitcock
Cc: nanog@nanog.org
Subject: Re: NSP-SEC - should read Integrity

On Fri, Mar 19, 2010 at 08:44:29AM -0500, William Pitcock wrote:
 On Fri, 2010-03-19 at 08:31 -0500, John Kristoff wrote:
  An ongoing area of work is to build better closed,
  trusted communities without leaks. 
 
 Have you ever considered that public transparency might not be a bad
 thing?  This seems to be the plight of many security people, that they
 have to be 100% secretive in everything they do, which is total
 bullshit.


I think I'd settle for operators with Integrity. Those who do
what 
they say. 

--bill




Re: NSP-SEC - should read Integrity

2010-03-19 Thread Patrick W. Gilmore
On Mar 19, 2010, at 9:56 AM, bmann...@vacation.karoshi.com wrote:
 On Fri, Mar 19, 2010 at 08:44:29AM -0500, William Pitcock wrote:
 On Fri, 2010-03-19 at 08:31 -0500, John Kristoff wrote:
 An ongoing area of work is to build better closed,
 trusted communities without leaks. 
 
 Have you ever considered that public transparency might not be a bad
 thing?  This seems to be the plight of many security people, that they
 have to be 100% secretive in everything they do, which is total
 bullshit.
   
   I think I'd settle for operators with Integrity. Those who do what 
   they say. 

If we had that, no secrecy would be needed.

But anyone who thinks publishing everything we learn about the miscreants is a 
Good Idea, has never tried to take out a botnet or snow-shoe spammer or 

Secrecy sucks.  If you think those keeping secrets enjoy it[*], you just 
haven't been bored to tears by working one of these issues.  Seriously, most of 
the work is mind numbingly horrible, and I have nothing but the utmost respect 
for people who do it on a regular basis. (In case it is not clear, I do not 
have to do it often, and for that I thank whatever ghods there may be.)

Put another way: Do not dis those that make the Internet safer for you.  They 
spend time, effort, and money - frequently their own - and risk much more (ever 
been sued by a spammer?).  In return, they often get nothing.  Before you 
question (and to be clear, I am not saying you should not question), offer to 
help and see things from their side.

-- 
TTFN,
patrick

[*] I'm sure there are a few who get off on the thrill.  But that's the 
exception, not the rule.




Re: NSP-SEC

2010-03-19 Thread Valdis . Kletnieks
On Fri, 19 Mar 2010 04:43:18 BST, Guillaume FORTAINE said:

 First question : Why was I able to find this mail on the Internet if it 
 should be kept secret ?

Congratulations.  You found an example of a mailing list where applying a
standard disclaimer by default *does* make sense, which then got forwarded
*by a coordination team leader at a national CERT* to an appropriate forum
so that action could be taken, but failed to take the disclaimer off the
bottom of that posting.

Double bonus points for finding a posting that discussed something *really*
sensitive, like we've seen bots connecting to  You *do* realize that
there's an estimated 140,000,000 bots on the net, right, and as a result,
some operation lists have *dozens* of bots spotted connecting to postings
*per day*.

And you wonder why you have a hard time being taken seriously.




RE: NSP-SEC

2010-03-19 Thread Adam Stasiniewicz
IMHO, I think you have it backwards.  I see strategic discussions (like
new crypto algorithms, technologies, initiatives, etc) should be open to
public debate, review, and scrutiny.  But operational/tactical discussions
(like new malware, software exploits, virus infected hosts, botnets, etc)
don't need public review.  Rather, those types of communications should be
streamlined that would allow for quick resolution.


-Original Message-
From: David Barak [mailto:thegame...@yahoo.com]
Sent: Friday, March 19, 2010 8:55 AM
To: neno...@systeminplace.net; j...@cymru.com
Cc: nanog@nanog.org
Subject: Re: NSP-SEC

Total transparency in security matters works about as well as it would for
law enforcement: fine for tactical concerns, but not so great for
long-term strategic concerns.

-David Barak

On Fri Mar 19th, 2010 9:44 AM EDT William Pitcock wrote:

On Fri, 2010-03-19 at 08:31 -0500, John Kristoff wrote:
 An ongoing area of work is to build better closed,
 trusted communities without leaks.

Have you ever considered that public transparency might not be a bad
thing?  This seems to be the plight of many security people, that they
have to be 100% secretive in everything they do, which is total
bullshit.

Just saying.

William





Re: NSP-SEC

2010-03-19 Thread Valdis . Kletnieks
On Fri, 19 Mar 2010 10:08:55 CDT, Adam Stasiniewicz said:
 IMHO, I think you have it backwards.  I see strategic discussions (like
 new crypto algorithms, technologies, initiatives, etc) should be open to
 public debate, review, and scrutiny.  But operational/tactical discussions
 (like new malware, software exploits, virus infected hosts, botnets, etc)
 don't need public review.

Reductio ad absurdum: The police don't usually phone ahead to a suspect and say
"We're planning to stop by around 4PM and execute a search warrant, so please
don't destroy any evidence before then, ktxbai".





RE: NSP-SEC

2010-03-19 Thread David Barak
--- On Fri, 3/19/10, Adam Stasiniewicz a...@adamstas.com wrote:
 IMHO, I think you have it
 backwards.  I see strategic discussions (like
 new crypto algorithms, technologies, initiatives, etc)
 should be open to
 public debate, review, and scrutiny.  But
 operational/tactical discussions
 (like new malware, software exploits, virus infected hosts,
 botnets, etc)
 don't need public review.  Rather, those types of
 communications should be
 streamlined that would allow for quick resolution.
 

Fair point - I was using "strategic" in the law enforcement sense, with things like 
long-term undercover investigation in mind, but your point is well taken.  I 
think we agree that some things benefit from increased transparency and other 
things don't.

David Barak
Need Geek Rock?  Try The Franchise: 
http://www.listentothefranchise.com






Re: NSP-SEC

2010-03-19 Thread Brielle Bruns

On 3/19/10 6:42 AM, Leo Bicknell wrote:


I'd like to nominate this for the Best of Nanog 2010.




I'd like to second/third/whatever that nomination as well.  :)

Epic win.  Not only did it make me fall off the chair laughing, but I 
highly doubt Fortaine will understand why it's so funny.


Paul, remind me if I ever get into politics, that I hire you as a 
consultant for speeches.  :-D



--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org



Re: NSP-SEC

2010-03-19 Thread Michael Dillon
 When the Sun shines upon Earth, 2 - major Time points are created on
 opposite sides of Earth - known as Midday and Midnight. Where the 2
 major Time forces join, synergy creates 2 new minor Time points we
 recognize as Sunup and Sundown. The 4-equidistant Time points can be
 considered as Time Square imprinted upon the circle of Earth. In a
 single rotation of the Earth sphere, each Time corner point rotates
 through the other 3-corner Time points, thus creating 16 corners, 96
 hours and 4-simultaneous 24 hour Days within a single rotation of
 Earth - equated to a Higher Order of Life Time Cube. [2]

 [2] http://en.wikipedia.org/wiki/Time_cube

Uhhh, yeah... WOW man, like FARM OUT man!

The best thing I've learned on NANOG all year is this message about
Gene Ray. And as an added bonus that led me to the
Peirce quincuncial projection which is actually something useful
to know about.

--Michael Dillon



Re: NSP-SEC

2010-03-19 Thread Justin M. Streiner

On Fri, 19 Mar 2010, William Pitcock wrote:


On Fri, 2010-03-19 at 08:31 -0500, John Kristoff wrote:

An ongoing area of work is to build better closed,
trusted communities without leaks.


Have you ever considered that public transparency might not be a bad
thing?  This seems to be the plight of many security people, that they
have to be 100% secretive in everything they do, which is total
bullshit.


That's fine, in theory, but in practice it doesn't work.

Part of the issue is that information that could be considered sensitive 
generally has to have a level of trust for both the sender(s) and 
receiver(s), and that level of trust is generally not possible in an open 
forum.  By level of trust I mean that if I have sensitive intel about an 
ongoing incident (attack, pwnd box, etc) I need to have some assurance 
that the information gets to people who can and will act on it, and keep 
that information confidential.  nsp-sec has worked to build that level of 
trust (in general, with pretty good success) through the vetting process 
that every potential participant goes through.


Is it a perfect system?  No, but it does serve a useful and important 
purpose.


Many security people have to keep things quiet for the same reasons, in 
addition to (not an all-inclusive list):
1. They might be under NDA or be employed at a company that has a 
policy against any sort of unapproved disclosures.
2. The sources of various bits of intel are confidential and releasing 
unfiltered information could compromise that source.
3. Releasing unfiltered information could compromise intel gathering 
methods, potentially rendering them useless for further action.


The likelihood that a secret will be kept goes down by the square of the 
number of people who know it  -- source unknown
The likelihood that a meeting will be productive goes down by the square 
of the number of people who attend  -- me


jms



Re: NSP-SEC

2010-03-19 Thread Jorge Amodio
On Fri, Mar 19, 2010 at 8:42 AM, Leo Bicknell bickn...@ufp.org wrote:

 I'd like to nominate this for the Best of Nanog 2010.

+1. Does the nomination include a sample ?

J



NSP-SEC

2010-03-18 Thread Guillaume FORTAINE

Misses, Misters,

I would like to inform you that the security of the Internet, that is 
discussed in the NSP-SEC mailing-list [0] by a selected group of vendors 
(Cisco, Juniper & Arbor) [1] and operations contacts of the big ISPs [2] :



1) applies the Security through Obscurity paradigm that has been 
proven inefficient [3]. To quote [4] :


Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security 
counter-measures.


First question : Why was I able to find this mail on the Internet if it 
should be kept secret ?



2) includes [5]

a) Spammers (Rodney Joffe) [6] [7]

b) Freelancers (Gadi Evron) [8] [9]

Second question : Do you still ask yourself why the Internet is so 
insecure ? [10]



Best Regards,

Guillaume FORTAINE

[0] http://puck.nether.net/mailman/listinfo/nsp-security
[1] http://www.confickerworkinggroup.org/wiki/pmwiki.php/SP/ServiceProviders
[2] 
http://docs.google.com/viewer?url=http://www.cisco.com/web/ME/exposaudi2009/assets/docs/isp_security_routing_and_switching.pdf

[3] http://en.wikipedia.org/wiki/Security_through_obscurity
[4]
http://lists.ausnog.net/pipermail/ausnog/2007-April/000397.html
[5]
http://www.google.com/search?hl=en&source=hp&q=nsp-sec+site:mailman.nanog.org&aq=f&aqi=&aql=&oq=&gs_rfai=&esrch=FT1
[6] http://mailman.nanog.org/pipermail/nanog/2008-October/004724.html
[7] http://www.iadl.org/RodneyJoffe/rodneyjoffe.html
[8] http://mailman.nanog.org/pipermail/nanog/2009-November/015354.html
[9] http://il.linkedin.com/in/gadievron
[10] http://caislab.kaist.ac.kr/77ddos/




Re: NSP-SEC

2010-03-18 Thread William Pitcock
Hello,

Few people actually care about nsp-sec so what exactly are you getting at?

Guillaume FORTAINE gforta...@live.com wrote:

Misses, Misters,

I would like to inform you that the security of the Internet, that is 
discussed in the NSP-SEC mailing-list [0] by a selected group of vendors 
(Cisco, Juniper & Arbor) [1] and operations contacts of the big ISPs [2] :


1) applies the Security through Obscurity paradigm that has been 
proven inefficient [3]. To quote [4] :

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security 
counter-measures.

First question : Why was I able to find this mail on the Internet if it 
should be kept secret ?


2) includes [5]

a) Spammers (Rodney Joffe) [6] [7]

b) Freelancers (Gadi Evron) [8] [9]

Second question : Do you still ask yourself why the Internet is so 
insecure ? [10]


Best Regards,

Guillaume FORTAINE

[0] http://puck.nether.net/mailman/listinfo/nsp-security
[1] http://www.confickerworkinggroup.org/wiki/pmwiki.php/SP/ServiceProviders
[2] 
http://docs.google.com/viewer?url=http://www.cisco.com/web/ME/exposaudi2009/assets/docs/isp_security_routing_and_switching.pdf
[3] http://en.wikipedia.org/wiki/Security_through_obscurity
[4]
http://lists.ausnog.net/pipermail/ausnog/2007-April/000397.html
[5]
http://www.google.com/search?hl=en&source=hp&q=nsp-sec+site:mailman.nanog.org&aq=f&aqi=&aql=&oq=&gs_rfai=&esrch=FT1
[6] http://mailman.nanog.org/pipermail/nanog/2008-October/004724.html
[7] http://www.iadl.org/RodneyJoffe/rodneyjoffe.html
[8] http://mailman.nanog.org/pipermail/nanog/2009-November/015354.html
[9] http://il.linkedin.com/in/gadievron
[10] http://caislab.kaist.ac.kr/77ddos/



-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Re: NSP-SEC

2010-03-18 Thread David Conrad
Why respond to an obvious troll?

Regards,
-drc

On Mar 18, 2010, at 8:46 PM, William Pitcock wrote:

 Hello,
 
 Few people actually care about nsp-sec so what exactly are you getting at?
 
 Guillaume FORTAINE gforta...@live.com wrote:
...




Re: NSP-SEC

2010-03-18 Thread Patrick W. Gilmore
On Mar 18, 2010, at 11:46 PM, William Pitcock wrote:

 Few people actually care about nsp-sec so what exactly are you getting at?

I might argue the "few" comment, but I think it's better not to reply to 
Guillaume so people who are smart enough to not see his posts (which would be 
quite a bit more than a few) will not be forced to see them.

Although I have to admit I am impressed at how quickly he has managed to piss 
off, alienate, and pretty much guarantee lasting animosity from, well, pretty 
much every significant person on the 'Net.  Perhaps we should lump Guillaume in 
with $HE_WHO_MUST_NOT_BE_NAMED[*]?

-- 
TTFN,
patrick

[*]  Lest you receive a bazillion unicast messages CC'ed to a bazillion other 
people who don't care.




Re: NSP-SEC

2010-03-18 Thread Guillaume FORTAINE

On 03/19/2010 04:52 AM, Patrick W. Gilmore wrote:

On Mar 18, 2010, at 11:46 PM, William Pitcock wrote:


Few people actually care about nsp-sec so what exactly are you getting at?
 

I might argue the "few" comment


Could you argue, if possible, please ?

I look forward to your answer,

Best Regards,

Guillaume FORTAINE



Re: NSP-SEC

2010-03-18 Thread William Pitcock
On Thu, 2010-03-18 at 23:52 -0400, Patrick W. Gilmore wrote:
 On Mar 18, 2010, at 11:46 PM, William Pitcock wrote:
 
  Few people actually care about nsp-sec so what exactly are you getting at?
 
 I might argue the "few" comment, but I think it's better not to reply to 
 Guillaume so people who are smart enough to not see his posts (which would be 
 quite a bit more than a few) will not be forced to see them.

I would say that, in general, more people care about NANOG than
nsp-security, although nsp-security is a worthwhile resource for those
who are dealing with backbone-level problems (which is a minority of the
people on NANOG, who generally are managing single
typically-not-multihomed sites for the most part).

 
 Although I have to admit I am impressed at how quickly he has managed to piss 
 off, alienate, and pretty much guarantee lasting animosity from, well, pretty 
 much every significant person on the 'Net.  Perhaps we should lump Guillaume 
 in with $HE_WHO_MUST_NOT_BE_NAMED[*]?

Ugh, that IADL guy.  I blackholed his entire IP block at edge because I
got tired of receiving his crap.  :D

And yeah, I'm surprised Guillaume can actually post here still.

William