RE: bloomberg on supermicro: sky is falling

2018-10-10 Thread Scott Weeks
--- snasl...@medline.com wrote: From: "Naslund, Steve" You are free to disagree all you want with the default deny-all policy but it is a DoD 5200.28-STD requirement and NSA Orange Book TCSEC requirement. It is baked into all approved secure operating systems including SELINUX so it is

Re: bloomberg on supermicro: sky is falling

2018-10-10 Thread Rich Kulawiec
On Wed, Oct 10, 2018 at 02:21:40PM +, Naslund, Steve wrote: > Allowing an internal server with sensitive data out to "any" is a > serious mistake and so basic that I would fire that contractor immediately > (or better yet impose huge monetary penalties. I concur, and have been

Cell tower backup plans

2018-10-10 Thread Sean Donelan
On Wed, 10 Oct 2018, Naslund, Steve wrote: I am wondering if this seems common to most of you on here. In my area it seems that all cellular sites have backup generators and battery backup. Seems like the biggest issues we see are devices remote from the central offices that lose power and

RE: bloomberg on supermicro: sky is falling

2018-10-10 Thread Jamie Bowden
> From: NANOG On Behalf Of Naslund, Steve > Sent: Wednesday, October 10, 2018 1:06 PM > If there was a waiver issued for your ATO, it would have had to have been > issued by a > department head or the OSD and approved by the DoD CIO after Director DISA > provides a > recommendation and it is

RE: bloomberg on supermicro: sky is falling

2018-10-10 Thread bzs
On October 10, 2018 at 17:58 snasl...@medline.com (Naslund, Steve) wrote: > It only proves that you have seen the card at some point. Useless. > > Steven Naslund > Chicago IL > > >I'm pretty sure the "entire point" of inventing CVV was to prove you > >physically have the card. >

Re: NAT on a Trident/Qumran(/or other?) equipped whitebox?

2018-10-10 Thread Wes Felter
On 10/9/18 10:35 AM, Jason Lixfeld wrote: Has anyone played around with this? Curious if the BCM (or whatever other chip) can do this, and if not, if any of the box vendors have tried to find a way to get these things to do a bunch of NAT - say some flavour of NAT, line-rate @ 10G. If so,

Re: new(ish) ipv6 transition tech status on CPE

2018-10-10 Thread Brock Tice
On 10/09/2018 06:24 PM, Philip Loenneker wrote: > I have asked several vendors we deal with about the newer technologies > such as 464XLAT, and have had some responses indicating they will > investigate internally, however we have not made much progress yet. One > vendor suggested their device

Re: bloomberg on supermicro: sky is falling

2018-10-10 Thread Mike Hale
If you're only talking about classified systems, sure. But it didn't sound to me like we were only talking exclusively about those kind of systems. On Wed, Oct 10, 2018 at 11:08 AM Naslund, Steve wrote: > > Remember we are talking about classified intelligence systems and large IT >

Re: bloomberg on supermicro: sky is falling

2018-10-10 Thread William Herrin
On Wed, Oct 10, 2018 at 1:53 PM Naslund, Steve wrote: > Mr Herrin, you are asking us to believe one or all of the following : > > 1. You believe that it is good security policy to NOT > have a default DENY ALL policy in place on firewalls > for DoD and Intelligence systems handling sensitive

Re: bloomberg on supermicro: sky is falling

2018-10-10 Thread Lee
On 10/10/18, Mike Hale wrote: > To be fair, the idea that your security costs shouldn't outweigh > potential harm really shouldn't be controversial. You don't spend a > billion dollars to protect a million dollars worth of product. The problem with that idea is that it's almost always

RE: bloomberg on supermicro: sky is falling

2018-10-10 Thread Naslund, Steve
Remember we are talking about classified intelligence systems and large IT organization infrastructure (Google, Yahoo, Apple) here (in the original Supermicro post). That would be information whose unauthorized disclosure would cause grave or exceptional grave harm (definition of secret and

Re: bloomberg on supermicro: sky is falling

2018-10-10 Thread Mike Hale
To be fair, the idea that your security costs shouldn't outweigh potential harm really shouldn't be controversial. You don't spend a billion dollars to protect a million dollars worth of product. That's hardly trolling. On Wed, Oct 10, 2018 at 10:54 AM Naslund, Steve wrote: > > Mr Herrin, you

RE: bloomberg on supermicro: sky is falling

2018-10-10 Thread Naslund, Steve
It only proves that you have seen the card at some point. Useless. Steven Naslund Chicago IL >I'm pretty sure the "entire point" of inventing CVV was to prove you >physically have the card.

RE: bloomberg on supermicro: sky is falling

2018-10-10 Thread Naslund, Steve
Mr Herrin, you are asking us to believe one or all of the following : 1. You believe that it is good security policy to NOT have a default DENY ALL policy in place on firewalls for DoD and Intelligence systems handling sensitive data. 2. You managed to convince DoD personnel of that fact and

Re: bloomberg on supermicro: sky is falling

2018-10-10 Thread William Herrin
On Wed, Oct 10, 2018 at 1:06 PM Naslund, Steve wrote: > Want to tell us what system this is? Yes, I want to give you explicit information about a government system in this public forum and you should encourage me to do so. I thought you said you had some skill in the security field? Regards,

RE: bloomberg on supermicro: sky is falling

2018-10-10 Thread bzs
On October 10, 2018 at 15:55 snasl...@medline.com (Naslund, Steve) wrote: > The entire point of the CVV has become useless. Recently my wife was talking > to an airline ticket agent on the phone (American Airlines) and one of the > things they ask for on the phone is the CVV. If you are

RE: bloomberg on supermicro: sky is falling

2018-10-10 Thread Naslund, Steve
If there was a waiver issued for your ATO, it would have had to have been issued by a department head or the OSD and approved by the DoD CIO after Director DISA provides a recommendation and it is mandatory that it be posted at https://gtg.csd.disa.mil. Please see this DoD Instruction

RE: bloomberg on supermicro: sky is falling

2018-10-10 Thread Naslund, Steve
It is good but has several inherent problems (other than almost no one using it). Your card number is static and so is your PIN. If they get compromised, you are done. Changing token/PIN resolves the static number problem completely; compromise of a used token has no impact whatsoever.

Re: bloomberg on supermicro: sky is falling

2018-10-10 Thread Brandon Butterworth
On Wed Oct 10, 2018 at 09:17:37AM -0700, Brian Kantor wrote: > I understand that in some countries the common practice is that the > waiter or clerk brings the card terminal to you or you go to it at the > cashier's desk, and you insert or swipe it, so the card never leaves > your hand. And you

Re: bloomberg on supermicro: sky is falling

2018-10-10 Thread William Herrin
On Wed, Oct 10, 2018 at 11:25 AM Naslund, Steve wrote: > You are free to disagree all you want with the default deny-all > policy but it is a DoD 5200.28-STD requirement and NSA > Orange Book TCSEC requirement. And yet I got my DoD system ATOed my way earlier this year by demonstrating to the

Re: bloomberg on supermicro: sky is falling

2018-10-10 Thread Suresh Ramasubramanian
IVR credit card PIN entry is a thing For example - https://www.hdfcbank.com/personal/making-payments/security-measures/ivr-3d-secure On 10/10/18, 9:57 PM, "NANOG on behalf of Naslund, Steve" wrote: True and that should be mandatory but does not solve the telephone agent problem.

RE: bloomberg on supermicro: sky is falling

2018-10-10 Thread Naslund, Steve
True and that should be mandatory but does not solve the telephone agent problem. Steven Naslund Chicago IL > I understand that in some countries the common practice is that the > waiter or clerk brings the card terminal to you or you go to it at the > cashier's desk, and you insert or

Re: bloomberg on supermicro: sky is falling

2018-10-10 Thread Suresh Ramasubramanian
This is common in India but then chip and pin has been mandatory for a good few years, as has 2fa (vbv / mastercard secure code) for online transactions. Waiters would earlier ask for people's pins so they could go back and enter it - back when a lot of the POS terminals were connected to POTS

Re: bloomberg on supermicro: sky is falling

2018-10-10 Thread Brian Kantor
I understand that in some countries the common practice is that the waiter or clerk brings the card terminal to you or you go to it at the cashier's desk, and you insert or swipe it, so the card never leaves your hand. And you have to enter the PIN as well. This seems notably more secure against

RE: bloomberg on supermicro: sky is falling

2018-10-10 Thread Naslund, Steve
Sure and with the Exp Date, CVV, and number printed on every card you are open to compromise every time you stay in the hotel or go to a restaurant where you hand someone your card. Worse yet, the only option if you are compromised is to change all your numbers and put the burden on your of

RE: bloomberg on supermicro: sky is falling

2018-10-10 Thread Naslund, Steve
Having gone through this I know that it's all on you which is why no one really cares. You have to notice a fraudulent charge (in most cases), you have to dispute it, you have to prove it was not you that made the charge, and if they agree then they change all of your numbers at which point

RE: bloomberg on supermicro: sky is falling

2018-10-10 Thread Naslund, Steve
The entire point of the CVV has become useless. Recently my wife was talking to an airline ticket agent on the phone (American Airlines) and one of the things they ask for on the phone is the CVV. If you are going to read that all out over the phone with all the other data you are completely

Re: bloomberg on supermicro: sky is falling

2018-10-10 Thread Alain Hebert
Well, (I'm sorry but I cannot resist) Seriously mate, trolling this list using "deny-all is bad m'kay" is not a good idea. - Alain Hebert aheb...@pubnix.net PubNIX Inc. 50 boul. St-Charles P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 Tel:

Re: bloomberg on supermicro: sky is falling

2018-10-10 Thread Alain Hebert
Well, Once you get the Expiry Date (which is the most prevalent data that is not encoded with the CHD) CVV is only 3 digits, we saw ppl using parallelizing tactics to find the correct sequence using acquirers around the world. With the delays in the reporting pipeline, they

RE: bloomberg on supermicro: sky is falling

2018-10-10 Thread Naslund, Steve
You are free to disagree all you want with the default deny-all policy but it is a DoD 5200.28-STD requirement and NSA Orange Book TCSEC requirement. It is baked into all approved secure operating systems including SELINUX so it is really not open for debate if you have meet these

RE: Oct. 3, 2018 EAS Presidential Alert test

2018-10-10 Thread Naslund, Steve
I agree 100% and also have noticed that severe weather systems tend to be more severe in rural areas due to either open spaces (the plains) or trees (forested areas) doing more damage. I can tell you from living in the Midwest that the storms in Iowa and Nebraska are way worse than the ones that

Re: bloomberg on supermicro: sky is falling

2018-10-10 Thread William Herrin
On Wed, Oct 10, 2018 at 10:22 AM Naslund, Steve wrote: > Allowing an internal server with sensitive data out to "any" is > a serious mistake and so basic that I would fire that contractor > immediately (or better yet impose huge monetary penalties. > As long as your security policy is defaulted

RE: Oct. 3, 2018 EAS Presidential Alert test

2018-10-10 Thread Naslund, Steve
I am wondering if this seems common to most of you on here. In my area it seems that all cellular sites have backup generators and battery backup. Seems like the biggest issues we see are devices remote from the central offices that lose power and cause disruptions, like RSTs and SLCs.

Re: bloomberg on supermicro: sky is falling

2018-10-10 Thread David Hubbard
They actually profit from fraud; and my theory is that that's why issuers have mostly ceased allowing consumers to generate one time use card numbers via portal or app, even though they claim it's simply because "you're not responsible for fraud." When a stolen credit card is used, the

Re: new(ish) ipv6 transition tech status on CPE

2018-10-10 Thread Ca By
On Wed, Oct 10, 2018 at 6:50 AM Philip Loenneker < philip.loenne...@tasmanet.com.au> wrote: > Hi Tom, > > This article is now 11 months old, but may be of interest to you: > https://blog.apnic.net/2017/11/09/ce-vendors-share-thoughts-ipv6-support/ > > Some quotes: > - The major

RE: bloomberg on supermicro: sky is falling

2018-10-10 Thread Naslund, Steve
Yet this data gets compromised again and again, and I know for a fact that the CVV was compromised in at least four cases I personally am aware of. As long as the processors are getting the money, do you really think they are going to kick out someone like Macy's or Home Depot? After all, it

DHS: Report on Alerting Tactics

2018-10-10 Thread Sean Donelan
Communication service providers play a critical role, but too often view public alerting as "someone else's job." https://www.dhs.gov/sites/default/files/publications/1051_IAS_Report-on-Alerting-Tactics_180807-508.pdf Report on Alerting Tactics August 7, 2018 However, there was not consensus

Re: bloomberg on supermicro: sky is falling

2018-10-10 Thread Brian Kantor
On Wed, Oct 10, 2018 at 02:21:40PM +, Naslund, Steve wrote: > For example, with tokenization there is no reason at all for any > retailer to be storing your credit card data (card number, CVV, exp > date) at all (let alone unencrypted) but it keeps happening over > and over. It's been a while

RE: bloomberg on supermicro: sky is falling

2018-10-10 Thread Naslund, Steve
Allowing an internal server with sensitive data out to "any" is a serious mistake and so basic that I would fire that contractor immediately (or better yet impose huge monetary penalties. As long as your security policy is defaulted to "deny all" outbound that should not be difficult to

Re: Spectrum residential IPv6 rDNS - thank you !

2018-10-10 Thread Chris
Hi, On 9/10/2018 11:37 PM, endre.szabo@nanog-list-kitfvhs.redir.email wrote: I wonder how they generate these rDNS PTR records? I was always curious, hope someone knows. I do it for our various IPv6 (and IPv4) allocations by using PowerDNS with a remote backend. If there is no existing PTR

RE: new(ish) ipv6 transition tech status on CPE

2018-10-10 Thread Philip Loenneker
Hi Tom, This article is now 11 months old, but may be of interest to you: https://blog.apnic.net/2017/11/09/ce-vendors-share-thoughts-ipv6-support/ Some quotes: * The major issue is the lack of support provided by CE vendors for both older (DS-Lite, lw4o6), and newer (464XLAT, MAP T/E)

Re: Spectrum residential IPv6 rDNS - thank you !

2018-10-10 Thread endre.szabo
Hey there, On 10/10/18 10:09 AM, Marco Davids via NANOG wrote: On 10-10-18 at 00:42 Brandon Applegate wrote: I'm guessing synthesized. There are a couple of DNS servers out there that can do this. An interesting one I just found: https://all-knowing-dns.zekjur.net Or, if you prefer

Re: Spectrum residential IPv6 rDNS - thank you !

2018-10-10 Thread Marco Davids via NANOG
On 10-10-18 at 00:42 Brandon Applegate wrote: I'm guessing synthesized. There are a couple of DNS servers out there that can do this. An interesting one I just found: https://all-knowing-dns.zekjur.net Or, if you prefer DNSSEC capable alternatives, try:

Re: bloomberg on supermicro: sky is falling

2018-10-10 Thread Saku Ytti
Hey, > Important distinction; You fire any contractor who does it *repeatedly* after > communicating the requirements for securing your data. > > Zero-tolerance for genuine mistakes (we all make them) just leads to high > contractor turnaround and no conceivable security improvement; A a

Re: new(ish) ipv6 transition tech status on CPE

2018-10-10 Thread JORDI PALET MARTINEZ via NANOG
You may use this document, which has already passed last-call and is in the AD/IESG review: https://datatracker.ietf.org/doc/draft-ietf-v6ops-transition-ipv4aas/ My co-authors may help you to get those products … I've been using OpenWRT myself for such deployments. Regards, Jordi