Re: [swinog] Hackerparagraph (fwd)

2009-03-18 Thread Daniel Roethlisberger
Andreas Fink af...@list.fink.org 2009-03-17:
 Colleagues,
 
 The federal administration wants to change the law about cyber crime.
 
 See also:
 
 http://www.admin.ch/ch/d/gg/pc/pendent.html#EJPD
 (or especially Genehmigung und Umsetzung des Übereinkommens des
 Europarates über die Cyberkriminalität)
[...]

Note that according to the Adressatenliste, SwiNOG was
explicitly invited to comment on the proposed change of law.

I guess SwiNOG should comment on Art. 143bis Abs. 2 and request a
clarification, in order to make sure that academic, commercial
and private IT security research will not be affected by the
change of law.  The proposed wording of Abs. 2 currently does not
adequately honour the fact that security tools are dual-use goods
by nature; i.e. they are not inherently good or evil.  Or in
other words, there is no practical way to distinguish a tool used
by a professional penetration tester from a tool used by a
blackhat.  The difference between the two is not in the tools,
it's in the contracts (i.e. approval of the target's owner).

-- 
Daniel Roethlisberger
http://daniel.roe.ch/

___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog


[swinog] SCTP port scanning - call for testers

2009-03-04 Thread Daniel Roethlisberger
Hi SwiNOGers,

I'm looking for systems speaking SCTP [1] in order to expose the
experimental SCTP port scanning support for Nmap [2] to some more
real-world testing.  If you have network access to systems with
(non-trivial) SCTP-based services, and would be willing to run a
scan for me, then I'd be interested in hearing from you off-list.
I'm especially interested in tests against proprietary SCTP
stacks, but any real-world SCTP services would be of interest.

Thanks,
-Daniel

[1] http://en.wikipedia.org/wiki/SCTP
[2] http://www.roe.ch/Nmap_SCTP

-- 
Daniel Roethlisberger
http://daniel.roe.ch/



Re: [swinog] anyone from netstream (netvs.ch) listening here?

2008-02-07 Thread Daniel Roethlisberger
Per Jessen [EMAIL PROTECTED] 2008-02-05:
 We've got a customer whose emails (from other people but filtered by
 us) are frequently being rejected by Netstream's harsh SPF-check.  I've
 asked Netstream to add our servers to their whitelist, but nothing has
 happened.

As a more generic alternative, you could implement SRS in order to
handle forwarding in an ``SPF compliant'' way.  This will fix the
problem for all receivers which use SPF for scoring or rejection.

I am aware that this suggestion might well provoke yet another SPF/SRS
flamewar :-)

-Dan

-- 
Daniel Roethlisberger [EMAIL PROTECTED]
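
The SRS rewriting suggested in the reply above, as an added example that is not part of the original post: a forwarder rewrites the envelope sender into its own domain so the receiver's SPF check evaluates the forwarder, and keys the rewritten address with an HMAC so bounces cannot be forged through it. This is a simplified sketch of the SRS0 address layout, not guaranteed to interoperate with any particular SRS implementation; `SECRET`, `FORWARDER` and the function names are assumptions.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # assumption: forwarder's private key
FORWARDER = "forwarder.example"       # assumption: domain whose SPF lists the forwarder
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def _stamp(day):
    """Two base32 characters encoding the day number modulo 1024."""
    d = day % 1024
    return B32[d >> 5] + B32[d & 31]

def _tag(stamp, domain, local):
    """Short keyed hash binding timestamp, original domain and local part."""
    msg = f"{stamp}={domain}={local}".lower().encode()
    mac = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]

def srs_forward(sender, day):
    """Rewrite the envelope sender before relaying a forwarded message."""
    local, domain = sender.rsplit("@", 1)
    stamp = _stamp(day)
    return f"SRS0={_tag(stamp, domain, local)}={stamp}={domain}={local}@{FORWARDER}"

def srs_reverse(rcpt, day, max_age=21):
    """Recover the original sender for a bounce; None if forged or expired."""
    local_part, _, host = rcpt.rpartition("@")
    if host.lower() != FORWARDER or not local_part.upper().startswith("SRS0="):
        return None
    try:
        tag, stamp, domain, local = local_part[5:].split("=", 3)
        then = B32.index(stamp[0].upper()) * 32 + B32.index(stamp[1].upper())
    except (ValueError, IndexError):
        return None
    # Constant-time comparison: a forged tag must not open a bounce relay.
    if not hmac.compare_digest(tag.encode(), _tag(stamp, domain, local).encode()):
        return None
    if (day - then) % 1024 > max_age:   # old addresses stop accepting bounces
        return None
    return f"{local}@{domain}"

if __name__ == "__main__":
    day = 14280                          # constructed day number (days since epoch)
    rewritten = srs_forward("alice@sender.example", day)
    print(rewritten)
    print(srs_reverse(rewritten, day + 3))
```
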


Re: [swinog] Cablecom Winterthur blocking outgoing SMB connections?

2007-12-12 Thread Daniel Roethlisberger
Jeroen Massar [EMAIL PROTECTED] 2007-12-12:
 Tobias Goeller wrote:
 Jeroen Massar wrote:
 You are blocking port 80? Wow.
 Yes, partly. I force those users to use a proxy-system... works
 quite well.
 
 How exactly does that help anything? [...] Though this might 'help'
 (ahum) for worms and other such malicious tools which don't understand
 that they can pick the configuration items for the proxy from IE or
 Firefox configuration, it won't help a thing for anything else.

By enforcing a proxy, you have the option of content filtering, either
by MIME type or by running files through an AV scanner.  It does not
solve all problems, but can solve some of them.  (At a cost, of course.)

-Dan

-- 
Daniel Roethlisberger [EMAIL PROTECTED]


Re: [swinog] vtx ADSL /30 subnet practice

2007-06-07 Thread Daniel Roethlisberger
Pascal Gloor [EMAIL PROTECTED] 2007-06-07:
[snip]
 This is the normal routed case. I think this is what Daniel was
 looking for.

Not quite, but oh never mind.  The point I was trying to make is the
fact that vtx engineers explained to a customer that he would not be
able to assign *any* address of his /30 subnet to a server behind his
ADSL router because all of the subnet would be consumed by the link from
the LNS to the ADSL router (I guess this hasn't come across too well
from my message).

It seems nobody can imagine how this is supposed to be the case, so I
guess that confirms that it's probably bogus information.  Thanks anyway
for all responses!

Cheers
Dan

-- 
Daniel Roethlisberger [EMAIL PROTECTED]


Re: [swinog] vtx ADSL /30 subnet practice

2007-06-04 Thread Daniel Roethlisberger
Jérôme Tissières [EMAIL PROTECTED] 2007-06-04:
 Yes, I confirm if you order a /30, /29, /28, etc to VTX, the first IP
 of the subnet is assigned to the CPE with the right mask associated.

The first being what is normally referred to as the network address
(ending in bits 00) or the first normal address (end bits 01)?

-Dan

-- 
Daniel Roethlisberger [EMAIL PROTECTED]


[swinog] vtx ADSL /30 subnet practice

2007-06-03 Thread Daniel Roethlisberger
It seems that vtx has some very strange way of configuring the /30
subnet when customers order 4 fix IP addresses.

Normally when someone orders a /30, the ADSL router's PPP interface
would get an address from an unrelated address range.  The 4 addresses
from the customer's /30 subnet can be used by the customer for the
network and broadcast addresses (-2), the router's LAN interface (-1),
leaving one address for a server or desktop machine.

However, this seems not to be the case at vtx.ch.  As two vtx engineers
explained to a (tech-savvy dipl. Inform.) customer, they use the
addresses from the /30 subnet for the PPP link between their last router
and the customer's ADSL router.  So in effect, this means ordering a /30
subnet (the 4 fix IP addresses option) from vtx gets you the same as
ordering a single fix IP address -- you get a static address on your
ADSL router's PPPoA/PPPoE interface, period.  To actually use the static
address on a server/desktop, you need to either configure destination
NAT on your router or operate it in bridging mode and run PPPoE directly
from the server/desktop.

Can anybody confirm that this is current practice at vtx?  Are other
providers doing the same?

-Dan

-- 
Daniel Roethlisberger [EMAIL PROTECTED]


Re: [swinog] Providers supporting TLS (for SMTP, POP, IMAP, ...)?

2006-09-16 Thread Daniel Roethlisberger
Kirill Ponazdyr [EMAIL PROTECTED] 2006-09-16:
  The subject says it all: do you know which providers support TLS
  (the technology formerly known as SSL) for SMTP, POP and/or IMAP for
  their residential or small-office dialup/broadband customers?
 
 TLS for SMTP makes no sense since this will only protect your message
 en route from your machine to SMTP server but after that it is all open
 again.

Of course TLS does not offer end to end security like S/MIME and PGP do,
but still there are plenty of reasons for supporting TLS:

 * Protection of SMTP AUTH credentials, especially when using insecure
   auth methods

 * TLS between MTAs requires no action on behalf of end users and still
   offers additional protection compared to no TLS, while TLS between
   MUA and MSA/MTA is still a lot easier to set up for customers than
   S/MIME or PGP

 * Given today's many open or insecure wireless networks, TLS on the
   first hop (MUA - MSA/MTA) helps to better protect messages when
   they are most vulnerable -- it seems to be considerably more
   difficult for third parties to read messages in transit between MTAs
   than to read messages on the first (or last) hop on wifi or shared /
   public access networks

 * TLS protects the RFC 2822 headers and RFC 2821 envelope too, which
   S/MIME and PGP cannot

-- 
Daniel Roethlisberger [EMAIL PROTECTED]