Re: Vendors spamming NANOG attendees

2017-06-14 Thread Brett Frankenberger
On Wed, Jun 14, 2017 at 01:21:21PM +, Mel Beckman wrote:
> Rodney,
> 
> You make a good point. But I wonder how often spammers are so
> obvious, and I wonder if his "leveraging" falls amiss of CAN-SPAM's
> specific prohibition:
> 
> (I) harvesting electronic mail addresses of the users of a website,
> proprietary service, or other online public forum operated by another
> person, without the authorization of such person; and
> 
> (II) randomly generating electronic mail addresses by computer;
> 
> Technically, this spammer harvested the names of attendees at a
> physical conference, not of some online resource, which is what
> CAN-SPAM prohibits.  I know it's splitting hairs, but that's what
> spammers do.

There is no such specific prohibition in CAN-SPAM.

The section of CAN-SPAM from which you are quoting (15 USC 7703)
instructs the Sentencing Commission to consider sentence enhancements
for criminals convicted under existing computer crimes laws if they did
one of the two things you list above.

The part you left out (and which immediately precedes the part you
quoted) reads:

(2) In carrying out this subsection, the Sentencing
Commission shall consider providing sentencing enhancements for—
  (A) those convicted under section 1037 of title 18 who—
    (i) obtained electronic mail addresses through improper means,
    including—
      [ then (I) and (II) from above ]

Merely sending non-misleading spam does not violate 18 USC 1037.

> My point is that CAN-SPAM is virtually useless. There have been a
> handful of prosecutions in more than a decade, and spammers are not
> seeming to be deterred.
> 
> I know there are honeypots that try to catch electronic harvesters,
> but I don't think they could provide proof of someone who got his
> emails from a list of attendees at an event, a shared customer list,
> etc.

And even if someone did, no crime is committed.

But if someone uses those addresses in the commission of another crime,
he might go to prison for longer.

 -- Brett


Re: Vendors spamming NANOG attendees

2017-06-14 Thread Mel Beckman
Ge,

On the contrary, the discussion has been limited, focused, and amazingly civil 
for NANOG :)

I find it valuable.

 -mel

On Jun 14, 2017, at 5:33 AM, Ge Dupin wrote:

It looks like there are more spams coming from these discussions than from the 
original Scams/Spams..
Ge

On 14 June 2017, at 14:26, Rodney Joffe wrote:



On Jun 13, 2017, at 10:28 PM, Mel Beckman wrote:

But as I said, harvesting emails is not illegal under can spam. And the 
requirement to not send you UCE to harvested emails is pointless, because how 
do you prove that someone did that?

Because he said so?

The spammer had the balls to say, in his email:


We do not know each other. I'm leveraging the attendee list for NANOG to reach 
out and raise awareness of the value of OCS (Optical Circuit Switching) in the 
data center and in particular, the Carrier Neutral Hotel where we've been 
active with next generation MeetMeRoom discussions.





Re: Vendors spamming NANOG attendees

2017-06-14 Thread Rodney Joffe


> On Jun 13, 2017, at 10:28 PM, Mel Beckman  wrote:
> 
> But as I said, harvesting emails is not illegal under can spam. And the 
> requirement to not send you UCE to harvested emails is pointless, because how 
> do you prove that someone did that?
> 
Because he said so?

 The spammer had the balls to say, in his email:
 
> 
> We do not know each other. I'm leveraging the attendee list for NANOG to 
> reach out and raise awareness of the value of OCS (Optical Circuit 
> Switching) in the data center and in particular, the Carrier Neutral 
> Hotel where we've been active with next generation MeetMeRoom discussions.




Re: Vendors spamming NANOG attendees

2017-06-14 Thread Mel Beckman
Rodney,

You make a good point. But I wonder how often spammers are so obvious, and I 
wonder if his "leveraging" falls amiss of CAN-SPAM's specific prohibition:


(I) harvesting electronic mail addresses of the users of a website, proprietary 
service, or other online public forum operated by another person, without the 
authorization of such person; and

(II) randomly generating electronic mail addresses by computer;

Technically, this spammer harvested the names of attendees at a physical 
conference, not of some online resource, which is what CAN-SPAM prohibits. I 
know it's splitting hairs, but that's what spammers do.

My point is that CAN-SPAM is virtually useless. There have been a handful of 
prosecutions in more than a decade, and spammers are not seeming to be deterred.

I know there are honeypots that try to catch electronic harvesters, but I don't 
think they could provide proof of someone who got his emails from a list of 
attendees at an event, a shared customer list, etc.

 -mel

On Jun 14, 2017, at 5:26 AM, Rodney Joffe wrote:



On Jun 13, 2017, at 10:28 PM, Mel Beckman wrote:

But as I said, harvesting emails is not illegal under can spam. And the 
requirement to not send you UCE to harvested emails is pointless, because how 
do you prove that someone did that?

Because he said so?

The spammer had the balls to say, in his email:


We do not know each other. I'm leveraging the attendee list for NANOG to reach 
out and raise awareness of the value of OCS (Optical Circuit Switching) in the 
data center and in particular, the Carrier Neutral Hotel where we've been 
active with next generation MeetMeRoom discussions.




Re: Vendors spamming NANOG attendees

2017-06-14 Thread Rodney Joffe
I guess that explains why so many newcomers are confused about what spam is. 

> On Jun 14, 2017, at 5:33 AM, Ge Dupin  wrote:
> 
> It looks like there are more spams coming from these discussions than from 
> the original Scams/Spams..
> Ge
> 
>>> On 14 June 2017, at 14:26, Rodney Joffe wrote:
>>> 
>>> 
>>> 
>>> On Jun 13, 2017, at 10:28 PM, Mel Beckman  wrote:
>>> 
>>> But as I said, harvesting emails is not illegal under can spam. And the 
>>> requirement to not send you UCE to harvested emails is pointless, because 
>>> how do you prove that someone did that?
>>> 
>> Because he said so?
>> 
>> The spammer had the balls to say, in his email:
>> 
>>> 
>>> We do not know each other. I'm leveraging the attendee list for NANOG 
>>> to reach out and raise awareness of the value of OCS (Optical Circuit 
>>> Switching) in the data center and in particular, the Carrier Neutral 
>>> Hotel where we've been active with next generation MeetMeRoom 
>>> discussions.
>> 
>> 
> 


Re: Vendors spamming NANOG attendees

2017-06-14 Thread John Levine
In article <63cd2031-701d-4567-b88a-2986e8b3f...@beckman.org> you write:
>But as I said, harvesting emails is not illegal under can spam. 

This might be a good time to review 15 USC 7704(b)(1), which is titled
"Address harvesting and dictionary attacks".

>And the requirement to not send you UCE to harvested emails
>is pointless, because how do you prove that someone did that?

This is law, not software.  If a bunch of people who went to a trade
show get spam to the addresses they used when they registered, well,
duh.

R's,
John


Re: Vendors spamming NANOG attendees

2017-06-14 Thread Brett Frankenberger
On Wed, Jun 14, 2017 at 02:02:47PM -, John Levine wrote:
> In article <63cd2031-701d-4567-b88a-2986e8b3f...@beckman.org> you write:
> >But as I said, harvesting emails is not illegal under can spam. 
> 
> This might be a good time to review 15 USC 7704(b)(1), which is titled
> "Address harvesting and dictionary attacks".

When reviewing it, make sure to read the whole thing.  Including the
part where it doesn't prohibit those things (harvesting and dictionary
attacks), but, instead, declares that those things are aggravating
factors if done by someone as part of doing things that are prohibited
by the section that actually prohibits things, which is 7704(a).

 -- Brett


Re: Vendors spamming NANOG attendees

2017-06-14 Thread bzs

On June 13, 2017 at 22:16 niels=na...@bakker.net (Niels Bakker) wrote:
 > * m...@beckman.org (Mel Beckman) [Tue 13 Jun 2017, 21:26 CEST]:
 > >And your proposed solution is?
 > 
 > Simple.  Stop buying from spammers.

Although a perfectly reasonable suggestion the problem is that the
cost of spamming is so low that even yielding zero clients isn't much
of a loss. And if just one person finds the tease interesting it's a
big win for the vendor.

So there's a huge scaling advantage with spam, always has been.

It's more akin to someone going thru your neighborhood with a vehicle
with a bullhorn at 3AM suggesting some product.

Merely deciding not to patronize them may not be sufficient and that's
why we make that sort of thing just outright illegal rather than hope
market forces will suffice.

Another problem is that even with zero direct returns the sender gets
other value.

The usual rule of thumb used to be that you had to see an ad about
eight times before you were likely to remember the product. So, spam,
7 more times.

And branding.

You goog for a particular type of router or whatever and you're hit
with several that seem like they'd do the job.

But you don't recognize the vendor names which makes you
uneasy...except that one, hmm, that's a familiar name...not sure
why...ok let's give them a closer look...

They're getting value even if not immediately obvious. And you'll
probably forget they spammed you long before you stop recognizing
their name as familiar.

The point is why should they get all that value for just about free?

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


RE: Templating/automating configuration

2017-06-14 Thread Graham Johnston
Job,

Would you be able to provide any further insight into your Don’t #5 – “Don’t 
agree to change management. Managers are rarely engineers and should not be 
making technical decisions. (nor should sales)”.

Thanks,
Graham

From: Job Snijders [mailto:j...@ntt.net]
Sent: Tuesday, June 6, 2017 4:03 PM
To: Brian Knight; Graham Johnston
Cc: nanog@nanog.org
Subject: Re: Templating/automating configuration

Hi,

Here are some extra pointers:

https://youtube.com/watch?v=C7pkab8n7ys

https://www.nanog.org/sites/default/files/dosdontsnetworkautomation.pdf

https://github.com/coloclue/kees

Kind regards,

Job


On Tue, 6 Jun 2017 at 13:49, Brian Knight wrote:
Because we had different sources of truth which were written in-house, we wound 
up rolling our own template engine in Python. It took about 3 weeks to write 
the engine and adapt existing templates.  Given a circuit ID, it generates the 
full config for copy and paste into a terminal session.  It also hooks into a 
configuration parser tool, written in-house, that tracks configured interfaces, 
so it is easy to see whether the template would overwrite an existing interface.



I used the Jinja2 template engine, along with pyodbc/unixODBC/FreeTDS for 
access to a Microsoft SQL backend.



The keys for us are:



* extracting information from a source of truth

* validating the information for correctness

* making sure you don't overwrite existing config

* outputting the right templates for the circuit features



It made more sense to write a tool than it did to try to adapt something for 
our environment.



If I had a free hand and unlimited budget, I would find a single app that 
functions as a source of truth for all circuits and products, which includes a 
templating engine that hooks in easily.



-Brian





On Tue, 06 Jun 2017 08:22:59 -0500 Graham Johnston johnst...@westmancom.com wrote:

Short of complete SDN, for those of you that have some degree of configuration 
templating and/or automation tools what is it that you run? I'm envisioning 
some sort of tool that lets me define template snippets of configuration and 
aids in their deployment to devices. I'm okay doing the heavy lifting in 
defining everything, I'm just looking for the tool that stitches it together 
and hopefully makes things a little less error prone for those who aren't as 
adept.



Graham Johnston

Network Planner

Westman Communications Group

204.717.2829

johnst...@westmancom.com
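
Brian Knight's four keys above (extract from a source of truth, validate, avoid overwriting existing config, output the right templates per feature), shown as an added example that is not code from the thread. It uses the standard library's `string.Template` in place of Jinja2, and the circuit records, snippet text and function names are constructed for illustration.

```python
import ipaddress
import re
from string import Template

# Constructed source-of-truth records (a real tool would query its database).
CIRCUITS = {
    "CKT-1001": {"interface": "ge-0/0/1", "customer": "ExampleCo",
                 "address": "192.0.2.1/30", "features": ["base", "bgp"],
                 "peer_ip": "192.0.2.2", "peer_as": 64512},
    # Constructed bad record: an embedded newline would smuggle in a config line.
    "CKT-1002": {"interface": "ge-0/0/2", "customer": "Evil\n no shutdown",
                 "address": "192.0.2.5/30", "features": ["base"]},
}

# Hypothetical, vendor-neutral snippets: one per circuit feature.
TEMPLATES = {
    "base": Template("interface $interface\n description $customer\n"
                     " ip address $address\n"),
    "bgp": Template("router bgp 64496\n neighbor $peer_ip remote-as $peer_as\n"),
}

SAFE_TEXT = re.compile(r"[A-Za-z0-9 ._/-]{1,64}")


class ConfigError(Exception):
    """Raised when a record must not be turned into device config."""


def validate(rec):
    """Reject records that would render into wrong or injected config."""
    for field in ("interface", "customer"):
        if not SAFE_TEXT.fullmatch(str(rec.get(field, ""))):
            raise ConfigError(f"unsafe or missing {field}")
    features = rec.get("features") or []
    unknown = set(features) - set(TEMPLATES)
    if unknown or not features:
        raise ConfigError(f"unknown or empty feature list: {sorted(unknown)}")
    try:
        link = ipaddress.ip_interface(rec["address"])
        if "bgp" in features:
            peer = ipaddress.ip_address(rec["peer_ip"])
            if peer not in link.network or peer == link.ip:
                raise ConfigError("BGP peer is not the far end of the link")
            if not 1 <= int(rec["peer_as"]) <= 4294967295:
                raise ConfigError("peer AS out of range")
    except (KeyError, TypeError, ValueError) as exc:
        raise ConfigError(f"bad addressing data: {exc}") from exc


def render(circuit_id, configured_interfaces):
    """Return config text for one circuit, or raise ConfigError."""
    rec = CIRCUITS.get(circuit_id)
    if rec is None:
        raise ConfigError(f"{circuit_id} not in source of truth")
    validate(rec)
    # configured_interfaces stands in for the config parser's inventory.
    if rec["interface"] in configured_interfaces:
        raise ConfigError(f"{rec['interface']} is already configured")
    return "".join(TEMPLATES[f].substitute(rec) for f in rec["features"])
```
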






Re: Templating/automating configuration

2017-06-14 Thread 'Job Snijders'
Hi Graham,

The talk was given in context of motivating people to start with
network automation and help them go from 'no automation' to a step
further 'some automation'.

On Wed, Jun 14, 2017 at 07:50:05PM +, Graham Johnston wrote:
> Would you be able to provide any further insight into your Don’t #5 –
> “Don’t agree to change management. 

I think the development team of the network automation software should
define their own process around change management. If you want to use
kanban? great! if you want to use simple fifo model applied to issues
filed on your private github project? great! My point was: don't let
someone from higher up dictate how, and when you do software releases.

Another aspect is that you most likely will have processes that should
run without any human intervention: such as the nightly update for all
EBGP prefix-filters. You don't want to end up in a situation where a
computer generates those configs and has to hand them over to a human
for some additional checks and subsequently pushing it out to the
network. Imagine having the computer print out your automatically
generated configs, a human pick them up, review them, and type them back
into a computer for the changes to take effect! That would be terrible.

> Managers are rarely engineers and should not be making technical
> decisions. (nor should sales)”.

That was a simple point: ideally a manager enables you to do your work,
and trusts you to do the work. If you have a manager who opinionatedly
argues with you on tabs vs spaces or how to push a configuration to a
device, you might find that you don't have enough freedom of movement to
successfully bootstrap the automation project.

In other words: don't roll over and blindly accept what other
(inexperienced) folks within the organisation tell you, try to find your
own path. However, do make sure you steal the good ideas from the
sysadmins: they often are ahead of netops in terms of automation and
understanding idempotency.

Kind regards,

Job


Re: Templating/automating configuration

2017-06-14 Thread Nick Hilliard
Graham Johnston wrote:
> Would you be able to provide any further insight into your Don’t #5 –
> “Don’t agree to change management. Managers are rarely engineers and
> should not be making technical decisions. (nor should sales)”.

What do you think the purpose of change control / management is?

Nick


Re: Vendors spamming NANOG attendees

2017-06-14 Thread Dave Temkin
On Wed, Jun 14, 2017 at 5:04 PM, Jon Lewis  wrote:

> On Wed, 14 Jun 2017, Dave Temkin wrote:
>
>> This is highly inaccurate. The PC and Board have done everything in our
>> power to keep sponsorship out of the program. Yes, Beer & Gear looks like a
>> NASCAR race, but that helps fund not only the program, but the numerous
>> other outreach programs that NANOG has undertaken.
>>
>> Sponsors who have stepped on the rules have had their sponsorship rights
>> revoked - temporarily, and in egregious cases, permanently. We (the NANOG
>> organization) take this incredibly seriously.
>>
>> While it's hard to solve for the exact case above (scraping registrant
>> lists and then comparing to CRM to glean contact info) we absolutely do
>> aggressively pursue any abuse of NANOG's attendee information, trademarks,
>> and mailing list.
>>
>
> Is it too simple a solution to post a warning on the page above the
> Attendee List saying something along the lines of "scraping the Attendee
> List for marketing purposes is forbidden, will result in public shaming,
> and may cause some attendees to completely boycott your company." ?
>


This suggestion was made on the NANOG Facebook group and we will implement
it with the new website coming before NANOG 71.

-Dave


Re: Vendors spamming NANOG attendees

2017-06-14 Thread Dave Temkin
On Tue, Jun 13, 2017 at 11:43 PM, Randy Bush  wrote:

> > It seems that more than just a few of us were spammed by Glenn Stern
> > (gst...@calient.net), an employee of Calient following NANOG 70.
> > ...
> > Hopefully those of you who have traditional community attitudes will
> > show your reaction via your pocketbooks.
>
> traditional community attitudes left the building long ago.  nanog has
> become a trade show, for which this is normal behavior.  i expect mail
> "stop by our booth at nanog 42," and so forth.



This is highly inaccurate. The PC and Board have done everything in our
power to keep sponsorship out of the program. Yes, Beer & Gear looks like a
NASCAR race, but that helps fund not only the program, but the numerous
other outreach programs that NANOG has undertaken.

Sponsors who have stepped on the rules have had their sponsorship rights
revoked - temporarily, and in egregious cases, permanently. We (the NANOG
organization) take this incredibly seriously.

While it's hard to solve for the exact case above (scraping registrant
lists and then comparing to CRM to glean contact info) we absolutely do
aggressively pursue any abuse of NANOG's attendee information, trademarks,
and mailing list.

-Dave Temkin
Chair, NANOG Board of Directors


Re: Templating/automating configuration

2017-06-14 Thread Job Snijders
On Wed, Jun 14, 2017 at 09:35:59PM +0100, Nick Hilliard wrote:
> Graham Johnston wrote:
> > Would you be able to provide any further insight into your Don’t #5 –
> > “Don’t agree to change management. Managers are rarely engineers and
> > should not be making technical decisions. (nor should sales)”.
> 
> What do you think the purpose of change control / management is?

well, http://dilbert.com/strip/1995-05-29


Re: Vendors spamming NANOG attendees

2017-06-14 Thread Jon Lewis

On Wed, 14 Jun 2017, Dave Temkin wrote:


> This is highly inaccurate. The PC and Board have done everything in our
> power to keep sponsorship out of the program. Yes, Beer & Gear looks like a
> NASCAR race, but that helps fund not only the program, but the numerous
> other outreach programs that NANOG has undertaken.
>
> Sponsors who have stepped on the rules have had their sponsorship rights
> revoked - temporarily, and in egregious cases, permanently. We (the NANOG
> organization) take this incredibly seriously.
>
> While it's hard to solve for the exact case above (scraping registrant
> lists and then comparing to CRM to glean contact info) we absolutely do
> aggressively pursue any abuse of NANOG's attendee information, trademarks,
> and mailing list.


Is it too simple a solution to post a warning on the page above the 
Attendee List saying something along the lines of "scraping the Attendee 
List for marketing purposes is forbidden, will result in public shaming, 
and may cause some attendees to completely boycott your company." ?


--
 Jon Lewis, MCP :)   |  I route
 |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: Vendors spamming NANOG attendees

2017-06-14 Thread Dan Hollis

On Wed, 14 Jun 2017, b...@theworld.com wrote:

> Merely deciding not to patronize them may not be sufficient and that's
> why we make that sort of thing just outright illegal rather than hope
> market forces will suffice.


Most spam is sent from compromised machines anyway, so there are already 
criminal violations involved in sending spam.


-Dan