On Thu, Jun 10, 2004, David Schwartz wrote:
> > Take some responsibility.
>
> How does a person with a DSL line at home take responsibility if he's away
> for a month? Is he supposed to hire someone?
The same way I did it when I went on holiday.
I turned off the DSL router.
Adrian
--
> On Jun 10, 2004, at 10:07 PM, David Schwartz wrote:
> > It all depends upon what the agreement between the customer and the ISP
> > says. It's not unreasonable for the ISP to 'insure' the customer against
> > risks he isn't able to mitigate which the ISP is, even if that means
> > shutting
> Alexei Roudnev wrote:
> Even if I (if been a hacker) scan your networks and find
> this switch (and you did not moved it out of routable P),
> I will have not any idea, what is it about, where this
> switch is, and have not any reason to break it...
You (being a hacker) need a _reason_ to break
Do you have any (even minimal) need to allocate globally routable IP to the
VLAN1 interface?
Other thing is that, even if I can find your switch, I will not have any
minimal idea, that it is _your_ switch and any minimal need to break it. You
can (easily) allocated all switch and router loopback
Hi guyz, long time...
The Electronic Frontier Foundation is currently writing a research
paper geared towards ISPs and other content providers on how to be
CALEA and DMCA-safe. EFF is looking to get in contact with technical
staff at ISPs (both wireless and wired) and content providers (i.e.
Eba
> Sprint did an interesting presentation at San Francisco, they have successfully
> taken p2p addresses out of their IGP and BGP, and are using private addresses
> for loopbacks and other things that dont need to be in public space and are
> filtering as much as possible.
>
indeed, and could
On Jun 10, 2004, at 11:49 PM, David Krikorian wrote:
Sometimes the provider shares the responsibility with the offender.
For example, I can't get my telephone demark inside my house, so it
is unlocked, and open to all comers. This is not, nor has ever been
within my control. Since I'm not allowed
Ahhh, here is it... :)
On Jun 10, 2004, at 10:07 PM, David Schwartz wrote:
On Jun 10, 2004, at 2:06 PM, Laurence F. Sheldon, Jr. wrote:
Uh, no, I wrote this part. :)
The "victim" in the case Sean posted knew he had a worm, got some of
his first bill forgiven, yet did nothing to correct it and acts
On Jun 10, 2004, at 10:21 PM, Laurence F. Sheldon, Jr. wrote:
David Schwartz wrote:
On Jun 10, 2004, at 2:06 PM, Laurence F. Sheldon, Jr. wrote:
The "victim" in the case Sean posted knew he had a worm, got some of
his first bill forgiven, yet did nothing to correct it and acts
surprised when the sa
David Schwartz wrote:
On Jun 10, 2004, at 2:06 PM, Laurence F. Sheldon, Jr. wrote:
The "victim" in the case Sean posted knew he had a worm, got some of
his first bill forgiven, yet did nothing to correct it and acts
surprised when the same thing happens the next month. YES, he is at
fault. Anyo
http://news.google.com/news?hl=en&edition=us&ie=UTF-8&newsclusterurl=http://www.theglobeandmail.com/servlet/ArticleNews/TPStory/LAC/20040610/PHONES10/TPNational/Canada
shorter URL: http://ln.ooz.net/27115
Several days ago somebody cut both sides of a SONET ring in Newfoundland.
From
> On Jun 10, 2004, at 2:06 PM, Laurence F. Sheldon, Jr. wrote:
> The "victim" in the case Sean posted knew he had a worm, got some of
> his first bill forgiven, yet did nothing to correct it and acts
> surprised when the same thing happens the next month. YES, he is at
> fault. Anyone who thin
http://science.slashdot.org/science/04/06/02/0038223.shtml?tid=126
Reading the posts by slashdot readers (and CWU alumni) it seems as if
they are upgrading to gigabit using the existing 62/125 and singlemode
installed in the late 1980s. Some people say it's rate-limited to
10Mbps...
But if it
Thus spake "Crist Clark" <[EMAIL PROTECTED]>
> It would be great if there always was a negligent party, but there is
> not always one. If Widgets Inc.'s otherwise ultra-secure web server gets
> 0wn3d by a 0-day, there is no negligence[0]. Who eats it, Widgets Inc.
> or the ISP?
Until a patch was
james edwards wrote:
Sean Donelan wrote:
If you leave your lights on, the electric company will send you a bill.
If the neighbor taps into your power lines after the meter...?
Not a reasonable argument. It is expected that unpatched hosts will
get infected and it has been well reported on how users
It would be great if there always was a negligent party, but there is
not always one. If Widgets Inc.'s otherwise ultra-secure web server
gets
0wn3d by a 0-day, there is no negligence[0]. Who eats it, Widgets Inc.
or the ISP?
Widget Inc is still negligent. It is their server. They could have
Andy Dills wrote:
Keep in mind, this guy's ISP, like many (most?) ISPs would do, gave the
guy a serious break on the first jaw-dropping bill.
Why do I have to get two and three copies of each of these? I'm on
the list folks, if you send it to the list I'll get it. I don't need
a copy to the list
** Reply to message from Crist Clark <[EMAIL PROTECTED]> on
Thu, 10 Jun 2004 14:54:07 -0700
>
> It would be great if there always was a negligent party, but there is
> not always one. If Widgets Inc.'s otherwise ultra-secure web server gets
> 0wn3d by a 0-day, there is no negligence[0]. Who eats
I completely agree that the customers in these cases should be held
responsible for the services they purchased from their ISPs.
Let's all try to keep in mind that the two customers mentioned in the
article as being on the receiving end of large bills were businesses,
not consumers.
In the cou
On Thu, 10 Jun 2004, Crist Clark wrote:
> > Change the word "victim" to "negligent party" and you're correct.
>
> It would be great if there always was a negligent party, but there is
> not always one. If Widgets Inc.'s otherwise ultra-secure web server gets
> 0wn3d by a 0-day, there is no negli
It would be great if there always was a negligent party, but there is
not always one. If Widgets Inc.'s otherwise ultra-secure web server gets
0wn3d by a 0-day, there is no negligence[0]. Who eats it, Widgets Inc.
or the ISP?
1. In Sean's example, clearly the customer was a negligent party.
2.
--On Thursday, June 10, 2004 16:31 -0400 Alex Rubenstein <[EMAIL PROTECTED]>
wrote:
On Thu, 10 Jun 2004, Crist Clark wrote:
Sean Donelan wrote:
> If you leave your lights on, the electric company will send you a bill.
If the neighbor taps into your power lines after the meter...?
That will be
On Thu, 10 Jun 2004 13:50:47 PDT, Eric Rescorla said:
> I'm asking the question:
> If you find some bug in the normal course of your operations
> (i.e. nobody told you where to look) how likely is it that
> someone else has already found it?
>
> And you're asking a question more like:
> Given tha
Andy Dills wrote:
On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr. wrote:
Jeff Shultz wrote:
But ultimately, _you_ are responsible for your own systems.
Even if the water company is sending me 85% TriChlorEthane?
Right. Got it. The victim is always responsible.
There you have it folks.
Change the
--On Thursday, June 10, 2004 11:11 -0700 Mark Kent
<[EMAIL PROTECTED]> wrote:
But ultimately, _you_ are responsible for your own systems.
When I detect abusive behavior coming from a customer site then
it is my responsibility to make sure that doesn't affect the
rest of the world.
To some exten
Your contract with the water company is for them to deliver you water.
They make a best effort to do just that, but, inherently, there's stuff
besides dihydrogen-oxide in your water. In most parts of the US, for
the most part, the other stuff isn't significant and nobody worries about
it. However
> Look at it from this perspective: it's the responsibility of the various
> Departments of Transportation (and other Governmental and Private
> authorities) to upkeep roads, but it's not their job to fix your car. If
> your car is broken, you may be stopped by a police officer, but he's not
> goi
On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr. wrote:
>
> Jeff Shultz wrote:
>
>
> > But ultimately, _you_ are responsible for your own systems.
>
> Even if the water company is sending me 85% TriChlorEthane?
>
> Right. Got it. The victim is always responsible.
>
> There you have it folks.
Chan
I suspect I might be come after with pitchforks for this analogy, but here
goes... ;)
Look at it from this perspective: it's the responsibility of the various
Departments of Transportation (and other Governmental and Private
authorities) to upkeep roads, but it's not their job to fix your car. If
[EMAIL PROTECTED] writes:
> On Thu, 10 Jun 2004 13:30:41 PDT, Eric Rescorla said:
>
>> [0] Note that this doesn't require that the chance of finding
>> any particular bug upon inspection of the code be very low
>> high, but merely that there not be very deep coverage of
>> any particular code sec
On Thu, 10 Jun 2004 13:30:41 PDT, Eric Rescorla said:
> [0] Note that this doesn't require that the chance of finding
> any particular bug upon inspection of the code be very low
> high, but merely that there not be very deep coverage of
> any particular code section.
Right. However, if you hand
I think we're drifting from the original point here..
What it boils down to is this: If I have a DS3 to a provider in my
office and my provider notifies me that I have a worm, is it my
provider's responsibility to fly someone out here to help me fix my
systems? No. I'm the guy controlling them an
>
> Sean Donelan wrote:
>
> > If you leave your lights on, the electric company will send you a bill.
>
> If the neighbor taps into your power lines after the meter...?
Not a reasonable argument. It is expected that unpatched hosts will get
infected
and it has been well reported on how users sho
On Thu, 10 Jun 2004, Crist Clark wrote:
>
> Sean Donelan wrote:
>
> > If you leave your lights on, the electric company will send you a bill.
>
> If the neighbor taps into your power lines after the meter...?
That will be a criminal matter between you and your neighbour.
> > If you leave yo
[EMAIL PROTECTED] writes:
> On Thu, 10 Jun 2004 12:23:42 PDT, Eric Rescorla said:
>
>> I'm not sure we disagree. All I was saying was that I don't
>> think we have a good reason to believe that the average bug
>> found independently by a white hat is already known to a
>> black hat. Do you disagr
Sean Donelan wrote:
If you leave your lights on, the electric company will send you a bill.
If the neighbor taps into your power lines after the meter...?
If you leave your faucets running, the water company will send you a bill.
If you leave your computer infected, ???
If you lose your credit card
On Thu, 10 Jun 2004 12:23:42 PDT, Eric Rescorla said:
> I'm not sure we disagree. All I was saying was that I don't
> think we have a good reason to believe that the average bug
> found independently by a white hat is already known to a
> black hat. Do you disagree?
Actually, yes.
Non-obvious bu
We block outgoing port 25 for dynamic address users. It's strict policy.
br
--
Konstantin Barinov
INFONET AS
http://infonet.ee
Thursday, June 10, 2004, 4:03:12 AM, you wrote:
A> Hello,
A> I would like to hear from Charter Communication's network/security team
A> why they have filtered out
In message <[EMAIL PROTECTED]>, Valdis.Kletni
[EMAIL PROTECTED] writes:
Actually, it was Morris, not me, who first pointed it out.
>
>Data point: When did Steve Bellovin point out the issues with non-random
>TCP ISNs? When did Mitnick use an exploit for this against Shimomura?
>
>And now ask y
Laurence F. Sheldon, Jr. wrote:
Even if the water company is sending me 85% TriChlorEthane?
Right. Got it. The victim is always responsible.
There you have it folks.
Are they really a victim though? In Sean's post the person had fair
warning. The problem in this day in age is the terrible lack
[EMAIL PROTECTED] writes:
> On Thu, 10 Jun 2004 11:54:31 PDT, Eric Rescorla said:
>
>> My hypothesis is that the sets of bugs independently found by white
>> hats and black hats are basically disjoint. So, you'd definitely
>> expect that there were bugs found by the black hats and then used as
>>
On Thu, 10 Jun 2004 11:54:31 PDT, Eric Rescorla said:
> My hypothesis is that the sets of bugs independently found by white
> hats and black hats are basically disjoint. So, you'd definitely
> expect that there were bugs found by the black hats and then used as
> zero-days and eventually leaked to
- Original Message -
From: "Eric Rescorla" <[EMAIL PROTECTED]>
> Paul G <[EMAIL PROTECTED]> wrote:
>
> > - Original Message -
> > From: "Eric Rescorla" <[EMAIL PROTECTED]>
> >
> > -- snip ---
> >
> > > If we assume that the black hats aren't vastly more
> > > capable than the
Paul G <[EMAIL PROTECTED]> wrote:
> - Original Message -
> From: "Eric Rescorla" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Cc: "Sean Donelan" <[EMAIL PROTECTED]>; "'Nanog'" <[EMAIL PROTECTED]>
> Sent: Thursday, June 10, 2004 2:37 PM
> Subject: Re: AV/FW Adoption Sudies
>
> -- snip
Laurence F. Sheldon, Jr. wrote:
>Even if the water company is sending me 85% TriChlorEthane?
>Right. Got it. The victim is always responsible.
>There you have it folks.
Ok.
Being responsible as network manager, if I think something is strange and I nor my staff
can fix it. I call for help. E
- Original Message -
From: "Eric Rescorla" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: "Sean Donelan" <[EMAIL PROTECTED]>; "'Nanog'" <[EMAIL PROTECTED]>
Sent: Thursday, June 10, 2004 2:37 PM
Subject: Re: AV/FW Adoption Sudies
-- snip ---
> If we assume that the black hats aren't vas
** Reply to message from "Laurence F. Sheldon, Jr."
<[EMAIL PROTECTED]> on Thu, 10 Jun 2004 13:06:43 -0500
> Jeff Shultz wrote:
>
>
> > But ultimately, _you_ are responsible for your own systems.
>
> Even if the water company is sending me 85% TriChlorEthane?
>
> Right. Got it. The victim i
[EMAIL PROTECTED] writes:
> On Thu, 10 Jun 2004 08:50:18 PDT, Eric Rescorla said:
>> [EMAIL PROTECTED] writes:
>
>> > Remember that the black hats almost certainly had 0-days for the
>> > holes, and before the patch comes out, the 0-day is 100% effective.
>>
>> What makes you think that black ha
On Thu, Jun 10, 2004 at 01:06:43PM -0500, Laurence F. Sheldon, Jr. wrote:
>
> Jeff Shultz wrote:
>
> >But ultimately, _you_ are responsible for your own systems.
>
> Even if the water company is sending me 85% TriChlorEthane?
>
> Right. Got it. The victim is always responsible.
>
> There yo
On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr. wrote:
> > But ultimately, _you_ are responsible for your own systems.
>
> Even if the water company is sending me 85% TriChlorEthane?
Which water company is sending you 85% TriChlorEthane? More than likely
it's your next door neighbor with a defectiv
On Jun 10, 2004, at 2:06 PM, Laurence F. Sheldon, Jr. wrote:
Jeff Shultz wrote:
But ultimately, _you_ are responsible for your own systems.
Even if the water company is sending me 85% TriChlorEthane?
Right. Got it. The victim is always responsible.
There you have it folks.
The "victim" in the ca
>> But ultimately, _you_ are responsible for your own systems.
When I detect abusive behavior coming from a customer site then
it is my responsibility to make sure that doesn't affect the
rest of the world.
Also, if I know how to fix it at source and the customer doesn't know
then it's my respo
Jeff Shultz wrote:
But ultimately, _you_ are responsible for your own systems.
Even if the water company is sending me 85% TriChlorEthane?
Right. Got it. The victim is always responsible.
There you have it folks.
On Thu, 10 Jun 2004 08:50:18 PDT, Eric Rescorla said:
> [EMAIL PROTECTED] writes:
> > Remember that the black hats almost certainly had 0-days for the
> > holes, and before the patch comes out, the 0-day is 100% effective.
>
> What makes you think that black hats already know about your
> average
This may be somewhat off-topic here, but still..
Today at about 00:00 UTC, one of SORBS official
nameservers somehow got a corrupt datafile, and
started spreading incorrect information. The
problem had gone at next reload or next data
transfer (which was after about 20 minutes),
but some caches go
** Reply to message from "Laurence F. Sheldon, Jr."
<[EMAIL PROTECTED]> on Thu, 10 Jun 2004 12:39:41 -0500
> Sean Donelan wrote:
>
> > Does the water company fix your toilet if it leaks water? Or do you call
> > a plumber?
>
> On the other hand, if the water company was sending pollutants in t
On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr. wrote:
> > Does the water company fix your toilet if it leaks water? Or do you call
> > a plumber?
>
> On the other hand, if the water company was sending pollutants in the
> water you bought, there was a perceived responsibility upon the water
> comp
Sean Donelan wrote:
Does the water company fix your toilet if it leaks water? Or do you call
a plumber?
On the other hand, if the water company was sending pollutants in the
water you bought, there was a perceived responsibility upon the water
company.
Now, which broken metaphor (leaky toilet, pol
Does the water company fix your toilet if it leaks water? Or do you call
a plumber?
Every consumer computer has a power switch. How to stop a virus, turn off
the power switch and take your computer to a repair shop.
http://www.globeandmail.com/servlet/story/RTGAM.20040609.wispp0609/BNStory/T
On Thu, 10 Jun 2004, joshua sahala wrote:
> On (10/06/04 15:26), Christopher L. Morrow wrote:
> >
> > dns is your friend here :( People love to name things such that they are
> > easy to remember. cat5500.floor2.build3.you.com
> >
>
> only if the dns/security/network/whatever admins are stupid en
[EMAIL PROTECTED] writes:
> On Wed, 09 Jun 2004 18:45:55 EDT, Sean Donelan <[EMAIL PROTECTED]> said:
>
>> The numbers vary a little e.g. 38% or 42%, but the speed or severity or
>> publicity doesn't change them much. If it is six months before the
>> exploit, about 40% will be patched (60% unpat
On Thu, 10 Jun 2004, Jeroen Massar wrote:
: > That's why port 587 was invented. It's the MSA (mail *submission* agent)
: > port, intended only for initial injection of mail into the SMTP delivery
: > network. Learn it, believe it, use it. 8-)
:
: Mail *SPAM* Agent? ;)
Port 587 should always b
On Wed, 09 Jun 2004 18:45:55 EDT, Sean Donelan <[EMAIL PROTECTED]> said:
> The numbers vary a little e.g. 38% or 42%, but the speed or severity or
> publicity doesn't change them much. If it is six months before the
> exploit, about 40% will be patched (60% unpatched). If it is 2 weeks,
> about
On Thu, 2004-06-10 at 16:28, Todd Vierling wrote:
> On Wed, 9 Jun 2004, matthew zeier wrote:
>
> : But this is different - I'm not running a mail server -on- my Cox
> : connection. I'm running one external to Cox but I can't connect to
> : port 25 on it.
>
> That's why port 587 was invented. It
On Wed, 9 Jun 2004, Alexei Roudnev wrote:
>
> This is minor exploit - usually you set up VLAN1 interface with IP address,
'usually' doesn't cover everyone, and some people didn't think ahead or
realize that they might have a problem with this :(
> which is filtered out from outside. Moreover, th
On Wed, 9 Jun 2004, matthew zeier wrote:
: But this is different - I'm not running a mail server -on- my Cox
: connection. I'm running one external to Cox but I can't connect to
: port 25 on it.
That's why port 587 was invented. It's the MSA (mail *submission* agent)
port, intended only for in
I just tested it and it looks like it isn't happening anymore. But it
definitely was (smtp.east.cox.net), and made me look like an idiot in one
situation where I was convinced the recipient's filter is dropping my
e-mail. If you google usenet for "cox root password" you'll see other
people descri
On 8 Jun 2004, at 19:32, James Baldwin wrote:
I'm looking for recommendations for network load balancers. These, at
this time, will primarily be used to attach to a cluster of webservers
although I would like a solution which can be repurposed to other
applications later. I am looking at F5's B
On Thu, 10 Jun 2004, Sean Donelan wrote:
>
> On Wed, 9 Jun 2004, Alexei Roudnev wrote:
> > This is minor exploit - usually you set up VLAN1 interface with IP address,
> > which is filtered out from outside. Moreover, there is not any good way to
> > find switch IP - it is transparent for user's de
* Arman <[EMAIL PROTECTED]> [2000-01-09 03:07]:
> Does anybody else know of other cable/DSL providers that simply block
> outbound port 25?
wish just everybody did...
On Wed, 9 Jun 2004, Alexei Roudnev wrote:
> This is minor exploit - usually you set up VLAN1 interface with IP address,
> which is filtered out from outside. Moreover, there is not any good way to
> find switch IP - it is transparent for user's devices.
Yeah, port scanners are so rare on the Intern
On Mon, 7 Jun 2004, Randy Bush wrote:
> building from certifiable open source that has been inspected
> by many is the only half-credible scheme of which i am aware.
More flaws foul security of open-source repository
By Robert Lemos
Staff Writer, CNET News.com
http://news.com.com/2100-7344-522975