On Tue, 28 Jan 2003, Steven M. Bellovin wrote:
They do have a lousy track record. I'm convinced, though, that
they're sincere about wanting to improve, and they're really trying
very hard. In fact, I hope that some other vendors follow their
lead.
Of course we need to be honest with
On Wed, Jan 29, 2003 at 03:32:41AM -0500, Sean Donelan wrote:
FORTRAN/COBOL array bounds checking. Bell Labs answer: C. Who wants
the computer to check array lengths or pointers. Programmers know what
they are doing, and don't need to be constrained by the programming
language. Everyone
His main thesis was basically that every
OS in common use today, from Windows to UNIX variants, has a fundamental
flaw in the way privileges and permissions are handled - the concept of
superuser/administrator. He argued instead that OSes should be
redesigned to
implement the principle of
Has anyone had experiences with Arbor Networks Peakflow DOS and Traffic
products? If so could you share your experiences, whitepapers, evaluations,
etc. off list? I am interested in the generalized view of the effectiveness
of the product as well as any enhancement requests that operators
On Wednesday, January 29, 2003, at 02:32 AM, Sean Donelan wrote:
On Tue, 28 Jan 2003, Steven M. Bellovin wrote:
They do have a lousy track record. I'm convinced, though, that
they're sincere about wanting to improve, and they're really trying
very hard. In fact, I hope that some other
A world before buffer overflow exploits ?
The first (Fortran) programming course I ever took at MIT on the first
day of lab they said
1.) If you set an array index to a sufficiently large negative number
you would overwrite
the operating system and crash the system (requiring a reboot from
Though it was written nearly two years ago, John
Quarterman's Monoculture Considered Harmful
remains the very best exposition of this issue.
//www.firstmonday.org/issues/issue7_2/quarterman/
Peter
On Wed, 29 Jan 2003, Richard A Steenbergen wrote:
On Wed, Jan 29, 2003 at 03:32:41AM -0500, Sean Donelan wrote:
FORTRAN/COBOL array bounds checking. Bell Labs answer: C. Who wants
the computer to check array lengths or pointers. Programmers know what
they are doing, and don't need
Hopefully I can stay within the bounds of NANOG's traditions against
marketing material if I limit myself to thanking Kyle for his comments,
and encourage anyone attending NANOG 27 who would like more info on
automated control of routing for load objectives to come find me at the
meeting.
In a message written on Wed, Jan 29, 2003 at 03:32:41AM -0500, Sean Donelan wrote:
Multics security. Bell Labs answer: Unix. Who needs all that extra
security junk in Multics. We don't need to protect /etc/passwd because
we use DES crypt and users always choose strong passwords. We'll make
Or,
IIRC, the ATM system is similar to CC transactions. A best effort is
made to authorize against your account (Credit Card or Banking) but if
it fails and the transaction is within a normal range (your daily card
limit) the CC/ATM completes the transaction. I'd be willing to bet the
failure
A single point of consumer data. I haven't checked my home router logs
since Monday night but I was seeing a pattern of significant incoming
port 80 traffic (I'm not running any services) over the last week or so,
similar to increased 1433/1434 traffic before Saturday's flurry.
Best regards,
On Wed, Jan 29, 2003 at 08:50:56AM -0500, Marshall Eubanks wrote:
A world before buffer overflow exploits ?
The first (Fortran) programming course I ever took at MIT on the first
day of lab they said
1.) If you set an array index to a sufficiently large negative number
you would
I am seeing this as well, but only from a few hosts on a single network.
I have contacted their NOC and asked them to knock it off - no pun
intended...
Could be some nimda infected boxes or whatever. Firewalls are stopping
it, but it is annoying to wade through the logs.
Todd
One thing that I see remaining since this past weekend is massive timeouts
and latencies in mail delivery to very popular addresses (@hotmail, @rr.com,
and @earthlink) @att.net seems to be accepting email without any major
issues, hopefully all these issues will continue to slowly return to
We are a RouteScience customer. We are using this box and it rules. We
have been extremely happy with the results. We have multiple OC-x
circuits that we are engineering traffic over, and this box gives us the
ability to see things that we could not see before.
It also really allows us to
On Tue, 28 Jan 2003, Scott Francis wrote:
I'm still looking for a copy of the presentation, but I was able to find a
slightly older rant he wrote that contains many of the same points:
http://www.bsdatwork.com/reviews.php?op=showcontentid=2
Good reading, even if it's not very much practical
AR Date: Wed, 29 Jan 2003 07:20:35 -0800
AR From: Al Rowland
AR IIRC, the ATM system is similar to CC transactions. A best
AR effort is made to authorize against your account (Credit Card
AR or Banking) but if it fails and the transaction is within a
AR normal range (your daily card limit) the
On Wed, Jan 29, 2003 at 05:26:06PM +, E.B. Dreger wrote:
If you check before each byte. Checking for sufficient space
first (is there room for a 245-byte string?) is much faster.
Besides, looking at all the bloated code using indirect function
calls[*] and crappy code using poor
IIRC, the ATM system is similar to CC transactions. A best effort is
made to authorize against your account (Credit Card or Banking) but if
it fails and the transaction is within a normal range (your daily card
limit) the CC/ATM completes the transaction.
Too bad it is not the case,
On Wed, Jan 29, 2003 at 12:40:00PM -0500, [EMAIL PROTECTED] wrote:
Is there a new top-level whois server or did shared registry whois stop
providing references to the appropriate whois servers for .org? At least a
pair of domain registrars cannot adjust any .org records claiming that the
On Wed, Jan 29, 2003 at 12:40:00PM -0500, [EMAIL PROTECTED] wrote:
Is there a new top-level whois server or did shared registry whois stop
providing references to the appropriate whois servers for .org? At least a
pair of domain registrars cannot adjust any .org records claiming that the
RAS Date: Wed, 29 Jan 2003 12:36:22 -0500
RAS From: Richard A Steenbergen
RAS Note I'm making a distinction between fixing the string
RAS libraries to handle overflow situations better, and changing
RAS the entire OS to do array bounds checking. One is good, the
RAS other is not.
Okay. I'll
TY Date: Wed, 29 Jan 2003 12:53:20 -0500
TY From: Tim Yocum
TY One can only speculate why the whois servers have vanished,
TY however it should be noted that as of about an hour ago, all
TY sorts of odd whois output was being served - including
TY incorrect contact information for domains
AM Date: Wed, 29 Jan 2003 09:44:05 -0800
AM From: Adam McKenna
AM The root servers aren't providing referrals to the gtld-servers for .org
AM anymore.. Instead they're referring to here:
[ snip new .org glue RRs that point to nstld.com ]
AM Anyone know anything about this? I can't find
Hi, Adam.
] Anyone know anything about this? I can't find anything on ICANN's web site
] regarding a switch.
I noticed it on 8 Jan, and adjusted my monitoring accordingly.
http://www.cymru.com/DNS/gtlddns-o.html
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
At 12:46 PM 1/29/2003, [EMAIL PROTECTED] wrote:
IIRC, the ATM system is similar to CC transactions. A best effort is
made to authorize against your account (Credit Card or Banking) but if
it fails and the transaction is within a normal range (your daily card
limit) the CC/ATM completes the
On Wed, 29 Jan 2003, Al Rowland wrote:
Or,
IIRC, the ATM system is similar to CC transactions. A best effort is
made to authorize against your account (Credit Card or Banking) but if
it fails and the transaction is within a normal range (your daily card
limit) the CC/ATM completes the
On Wed, Jan 29, 2003 at 12:40:00PM -0500, [EMAIL PROTECTED] wrote:
Is there a new top-level whois server or did shared registry whois stop
providing references to the appropriate whois servers for .org?
Alex
--
Alex-
The new whois server for the .ORG TLD can be found at
I believe specific account data is not kept on the local machine. I may
be wrong, not to mention the data strip on the card...
Nothing new. Look at what happened to the Chicago Board of Trade a few
years back. I wonder how WCOM reported the out-of-court settlement for
that one on their books. ;0
On Wed, Jan 29, 2003 at 12:11:07PM -0600, Rob Thomas wrote:
] Anyone know anything about this? I can't find anything on ICANN's web site
] regarding a switch.
I noticed it on 8 Jan, and adjusted my monitoring accordingly.
http://www.cymru.com/DNS/gtlddns-o.html
Jan 2, 2003
On Wednesday, Jan 29, 2003, at 12:53 Canada/Eastern, Tim Yocum wrote:
on the 31st of December, 02, VeriSign was no longer the registry
operator for .org.
The new registrar is called Public Interest Registry
One can only speculate why the whois servers have vanished,
whois.crsnic.net was
Just for grins,
The PIN is on your card, likely encrypted, this based on the fact that
most ATMs will reject your card at the initial PIN prompt before you try
to execute any transaction, as is likely your balance and daily
withdrawal limit but the Kwik-E-Mart system might not have a way to see
In message [EMAIL PROTECTED], Sean
Donelan writes:
On Tue, 28 Jan 2003, Steven M. Bellovin wrote:
They do have a lousy track record. I'm convinced, though, that
they're sincere about wanting to improve, and they're really trying
very hard. In fact, I hope that some other vendors follow
On Tue, 28 Jan 2003, Scott Francis wrote:
He argued instead that OSes should be redesigned to implement the
principle of least privilege from the ground up, down to the
architecture they run on.
[...]
The problem there is the same as with windowsupdate - if one can spoof the
central
Hi,
I apologize if this has been asked before. I work for an ISP that
started very small (hundreds of T1 and 56k customers) and has grown very
large in the last few years (thousands of T1 customers, as well as DS3
customers and OC3 customers).
We currently use an IGP to route between our
At 08:27 AM 1/29/2003 -0600, Alif The Terrible wrote:
FORTRAN/COBOL array bounds checking. Bell Labs answer: C. Who wants
the computer to check array lengths or pointers. Programmers know what
they are doing, and don't need to be constrained by the programming
language. Everyone knows
We switched to BGP just recently, before things got out of hand. I highly
recommend that you do so. It really does work better. It's very nice seeing
your OSPF config carry essentially just the loopback interfaces.
In particular I'm wondering about the thousands of lines of
configuration
On Wed, 29 Jan 2003, Jeff Godin wrote:
The new whois server for the .ORG TLD can be found at
whois.publicinterestregistry.net. Web interface for .ORG WHOIS can
be found at URI:http://www.pir.org/whois/.
Wed Jan 29 11:08:09
matt@pants:~$ whois -h whois.publicinterestregistry.net
On Wed, Jan 29, 2003 at 10:35:37AM -0800, Al Rowland wrote:
The PIN is on your card, likely encrypted,
We're off-topic now, so I won't go into detail, but the PIN is
sometimes on the card and sometimes not. There are different ways of
doing it. (If the sampling of cards in my wallet is
On Wed, Jan 29, 2003 at 01:19:08PM -0500, Charles Sprickman wrote:
On Wed, 29 Jan 2003, Al Rowland wrote:
Or,
IIRC, the ATM system is similar to CC transactions. A best effort is
made to authorize against your account (Credit Card or Banking) but if
it fails and the transaction is
I've also seen a few 25/110/111 requests in my logs
but it didn't seem higher than 'normal.'
Best regards,
__
Al Rowland
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
Behalf Of Jim Popovitch
Sent: Wednesday, January 29, 2003
ML Date: Wed, 29 Jan 2003 11:07:59 -0800
ML From: Mathew Lodge
ML It doesn't have to be, if your compiler is worth its salt.
ML Take a look at the GNU Ada compiler implementation of bound
ML checking -- incredibly efficient.
s/compiler/programmer/
How about:
struct buf_t {
On Wed, 29 Jan 2003, Mike Bernico wrote:
Hi,
I apologize if this has been asked before. I work for an ISP that
started very small (hundreds of T1 and 56k customers) and has grown very
large in the last few years (thousands of T1 customers, as well as DS3
customers and OC3 customers).
.org is being moved into new Public Internet Registry away from NSI
Their whois server can be found at http://www.orgtransition.info
And if you prefer to get all info at once, I run recursive server at
completewhois.com. It can be used from command-line (unlike PIR's server) -
whois -h
Your assumption is my account is at my local branch. Neither is my safe
deposit box. It's at a different, larger branch in the adjacent suburb.
My 'account' is likely in one of their corporate monoliths downtown,
hence the network connection. That's why my card works as well in
Virginia (my most
My recommendation would be for you to:
o redistribute directly connected interfaces via a strict
filter into BGP and use iBGP to carry it around the local
AS
or
o use passive interfaces in IGPs to do the same
Avoid having to run a topology computation every time a
I tried an nslookup about 20 minutes after I sent that mail, and it
succeeded as well. Probably a pbi.net barf near my end as all three
auth nameservers returned me the correct info.
Of course, there's still the issue of the whois returning complete
garbage, aside from the two nameserver
On Wed, Jan 29, 2003 at 10:47:30AM -0800, [EMAIL PROTECTED] said:
On Tue, 28 Jan 2003, Scott Francis wrote:
He argued instead that OSes should be redesigned to implement the
principle of least privilege from the ground up, down to the
architecture they run on.
[...]
The problem
On Wed, 29 Jan 2003, Christopher L. Morrow wrote:
On Wed, 29 Jan 2003, Mike Bernico wrote:
We currently use an IGP to route between our distribution routers and
the CPE routers we manage.
So, if customers bounce your IGP churns away? And customers have access to
your IGP data
On Wed, Jan 29, 2003 at 12:21:50PM -0800, [EMAIL PROTECTED] said:
[snip]
So far, the closest thing I've seen to this concept is the ssh
administrative host model: adminhost:~root/.ssh/id_dsa.pub is
copied to every targethost:~root/.ssh/authorized_keys2, such that
commands
Thanks so much for all the feedback. All your input has been extremely
helpful.
Just to clarify:
In our network core all customer routes are summarized and carried in
iBGP. That was a recent change of mine. We use EIGRP to carry loopback
and next hop information. I'm working on migrating
Al Rowland wrote:
The PIN is on your card ...
Not for any card I've ever owned. I've changed my PIN several times
over the years, and the bank has never re-encoded my card or sent me a
new card as a result of doing so.
Maybe some banks do store the PIN on the card, but I'm certain that
Richard A Steenbergen [EMAIL PROTECTED] writes:
(pointers ARE your friend god damnit :P)
Most C programmers have no clue about the C pointer semantics, I'm
afraid, so this powerful feature is often abused.
--
Florian Weimer[EMAIL PROTECTED]
University of Stuttgart
Richard A Steenbergen [EMAIL PROTECTED] writes:
I said exploits, not ways to get outside your proper address space and
crash the OS. Any sufficiently powerful language presents an opportunity
to do bad things to an ill prepared OS, but the answer isn't to make the
language less powerful.
Hallelujah. A voice of knowledge as opposed to conjecture. Different
bank ATMs operate differently. There are online and offline modes.
The PIN may or may not be recorded on the card. Some of these
differences are due to the fact that not all financial institutions
were connected to interbank
On Tue, Jan 28, 2003 at 11:49:16AM +, Miquel van Smoorenburg wrote:
I found out that our outgoing SMTP servers have been blocked by
the msn.com MXes. In a nasty way, too -- no SMTP error, the TCP
connection is simply closed by them immediately after establishing it.
We're not listed on
So, by accepting routes from CPE you create a huge security vulnerability
for your customers, and other parties. This practice was understood as
very bad network engineering for decades.
Is there someplace I can find tidbits of information like this? I
haven't been alive decades so I
Have you tried [EMAIL PROTECTED] maybe [EMAIL PROTECTED] (they could forward
you).. They are quite responsive (hotmail, abuse), at least from a hotmail
address :).
mark
--
Mark Segal
Director, Data Services
Futureway Communications Inc.
Tel: (905)326-1570
-Original Message-
From:
I'm actually dealing with the same issue as we speak. Out of racks of
web servers doing shared hosting, MSN decided to block the eth0 on one
of our Linux boxes. I called a friend and was given a direct number to
level 3 MSN technical support; they are the last tier of support you can
speak to
ML Date: Wed, 29 Jan 2003 12:58:58 -0800
ML From: Mathew Lodge
ML No, it isn't, as is doing buf_t[x] rather than pointer
True. I just like having a struct so I may pass a single
variable in function calls instead of a whole mess of them.
ML arithmetic, but the *practical* problem is that
On 29.01 03:32, Sean Donelan wrote:
... Multics security. Bell Labs answer: Unix. Who needs all that extra
security junk in Multics. .
[reader warning: diatribe following]
Gee, there once were a handful of people;
their principal goal was to make an OS for their own use.
They
Not to sound too pro-MS, but if they are going to sue, they should be able to
sue ALL software makers. And what does that do to open source? Apache,
MySQL, OpenSSH, etc have all had their problems. Should we sue the nail gun
vendor because some moron shoots himself in the head with it? No.
Similarly, you _pay_ MS for a product. A product which is repeatedly
vulnerable.
I think this is key. People (individuals/corporations) keep buying crappy
software. As long as people keep paying the software vendors for these
broken products what incentives do they have to actually fix
On Wed, 29 Jan 2003, Mike Bernico wrote:
Is there someplace I can find tidbits of information like this? I
haven't been alive decades so I must have missed that memo. Other than
this list I don't know where to find anyone with lots of experience
working for a service provider.
Well, this
A few I've found but not tried out yet:
OpenSource:
http://www.freeipdb.org/
http://www.brownkid.net/NorthStar/
Windows:
http://myips.dzoul.com/main.asp
http://www.enterpriseip.net/
I make no promises as to applicability or suitability.
www.sourceforge.net
www.freshmeat.net
These two sites
On Tue, Jan 28, 2003 at 11:13:19AM -0200, [EMAIL PROTECTED] said:
[snip]
But this worm required external access to an internal server (SQL Servers
are not front-end ones); even with a bad or no patch management system, this
simply wouldn't happen on a properly configured network. Whoever got
Any opinion on Inferno ? It seems more suited to build a
packet-eating-machine (router, firewall, vpn, choose your favorite
flavour)...
Rubens Kuhl Jr.
- Original Message -
From: Vadim Antonov [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, January 30,