Cogent DNS Contact
Hi All, If anyone has a contact at Cogent, who might be able to solve a reverse DNS issue, could they contact me offline? Thanks! Garret
Re: Cogent DNS Contact
I have always had excellent response if you open up a ticket with their helpdesk. Cogent helpdesk has solved some rather complex issues so I would try there first. Justin -- Justin Wilson j...@mtin.net Aol Yahoo IM: j2sw http://www.mtin.net/blog xISP News http://www.twitter.com/j2sw Follow me on Twitter -Original Message- From: Garret Picchioni gar...@picchioni.org Date: Saturday, June 23, 2012 12:38 PM To: nanog@nanog.org Subject: Cogent DNS Contact Hi All, If anyone has a contact at Cogent, who might be able to solve a reverse DNS issue, could they contact me offline? Thanks! Garret
Re: NYC to DEU packet loss
As suspected, this ended up being an XO/DTAG peering issue. Took a long time to get sorted out, but thanks to any and all who assisted! Tim: On Fri, May 4, 2012 at 12:01 PM, Tim Durack tdur...@gmail.com wrote: Trying to troubleshoot packet loss from NYC to DEU. Traceroute shows: tdurack@2ua82715mg:~$ traceroute -I 194.25.250.73 traceroute to 194.25.250.73 (194.25.250.73), 30 hops max, 60 byte packets -- Tim:
RE: LinkedIn password database compromised
Leo, This will never work. The vested profiteers will all get together and make it a condition that in order to use this method the user has to have purchased a verified key from them. Every site will use different profiteers (probably whoever gives them the biggest kickback). You will end up paying thousands of dollars a year (as a user) to buy multiple keys from the profiteers, and provide them all sorts of private information in the process. They will then also insist that web sites using this method provide tracking information on key usage back to the profiteers. The profiteers will then sell all this information to whomever they want, for whatever purpose, so long as it results in a profit. Some of this will get kicked back to participating web sites. Then there will be affiliate programs where any web site can sign up with the profiteers to silently do key exchanges without the users consent so that more tracking information can be collected, for which the participating affiliate web site will get a kickback. Browser vendors will assist by making the whole process transparent. Contracts in restraint of trade will be enforced by the profiteers to prevent any browser from using the method unless it is completely invisible to the user. Then (in the US) the fascist government will step in and require registration of issued keys along with the verified real-world identity linkage. If it does not use self-generated unsigned keys, it will never fly. --- () ascii ribbon campaign against html e-mail /\ www.asciiribbon.org -Original Message- From: Leo Bicknell [mailto:bickn...@ufp.org] Sent: Wednesday, 20 June, 2012 15:39 To: nanog@nanog.org Subject: Re: LinkedIn password database compromised In a message written on Wed, Jun 20, 2012 at 02:19:15PM -0700, Leo Vegoda wrote: Key management: doing it right is hard and probably beyond most end users. I could not be in more violent disagreement. First time a user goes to sign up on a web page, the browser should detect it wants a key uploaded and do a simple wizard. - Would you like to create an online identity for logging into web sites?Yes, No, Import User says yes, it creates a key, asking for an e-mail address to identify it. Import to drag it in from some other program/format, No and you can't sign up. Browser now says would you like to sign up for website 'foobar.com', and if the user says yes it submits their public key including the e-mail they are going to use to log on. User doesn't even fill out a form at all. Web site still does the usual e-mail the user, click this link to verify you want to sign up thing. User goes back to web site later, browser detects auth needed and public key foo accepted, presents the cert, and the user is logged in. Notice that these steps _remove_ the user filling out forms to sign up for simple web sites, and filling out forms to log in. Anyone who's used cert-based auth at work is already familiar, the web site magically knows you. This is MUCH more user friendly. So the big magic here is the user has to click on yes to create a key and type in an e-mail once. That's it. There's no web of trust. No identity verification (a-la ssl). I'm talking a very SSH like system, but with more polish. Users would find it much more convenient and wonder why we ever used passwords, I think... -- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
RE: LinkedIn password database compromised
2. Pre-compromised-at-the-factory smartphones and similar. There's no reason why these can't be preloaded with spyware similar to CarrierIQ and directed to upload all newly-created private keys to a central collection point. This can be done, therefore it will be done, and when some security researcher discovers it, the usual excuses and justifications will be made by the designated spokesliars for the companies involved... which will of course keep right on doing it, albeit perhaps with more subterfuge. Problem #2 is newer, but I'm willing to bet that it will also last at least a decade and that it will get worse, since there are substantial economic incentives to make it so. This doesn't only apply to SmartPhones. The most widely used Operating System (by this I mean Windows) has been issued pre-compromised and has intentionally implanted compromise via Vendor Update for many years. It is only unethical when a non-American does it. The excuses and justifications are no different. --- () ascii ribbon campaign against html e-mail /\ www.asciiribbon.org
Re: LinkedIn password database compromised
On 06/23/2012 05:52 PM, Keith Medcalf wrote: Leo, This will never work. The vested profiteers will all get together and make it a condition that in order to use this method the user has to have purchased a verified key from them. Every site will use different profiteers (probably whoever gives them the biggest kickback). What is their leverage to extort? A web site just needs to make the client and server end agree on a scheme, and they control both ends. They can't force me to use their scheme any more than they can force me to not use Basic and use their scheme instead. Keep in mind that asymmetric keys do not imply certification, and asymmetric keys are cheap and plentiful -- as in a modest amount of CPU time these days. Mike You will end up paying thousands of dollars a year (as a user) to buy multiple keys from the profiteers, and provide them all sorts of private information in the process. They will then also insist that web sites using this method provide tracking information on key usage back to the profiteers. The profiteers will then sell all this information to whomever they want, for whatever purpose, so long as it results in a profit. Some of this will get kicked back to participating web sites. Then there will be affiliate programs where any web site can sign up with the profiteers to silently do key exchanges without the users consent so that more tracking information can be collected, for which the participating affiliate web site will get a kickback. Browser vendors will assist by making the whole process transparent. Contracts in restraint of trade will be enforced by the profiteers to prevent any browser from using the method unless it is completely invisible to the user. Then (in the US) the fascist government will step in and require registration of issued keys along with the verified real-world identity linkage. If it does not use self-generated unsigned keys, it will never fly. --- () ascii ribbon campaign against html e-mail /\ www.asciiribbon.org -Original Message- From: Leo Bicknell [mailto:bickn...@ufp.org] Sent: Wednesday, 20 June, 2012 15:39 To: nanog@nanog.org Subject: Re: LinkedIn password database compromised In a message written on Wed, Jun 20, 2012 at 02:19:15PM -0700, Leo Vegoda wrote: Key management: doing it right is hard and probably beyond most end users. I could not be in more violent disagreement. First time a user goes to sign up on a web page, the browser should detect it wants a key uploaded and do a simple wizard. - Would you like to create an online identity for logging into web sites?Yes, No, Import User says yes, it creates a key, asking for an e-mail address to identify it. Import to drag it in from some other program/format, No and you can't sign up. Browser now says would you like to sign up for website 'foobar.com', and if the user says yes it submits their public key including the e-mail they are going to use to log on. User doesn't even fill out a form at all. Web site still does the usual e-mail the user, click this link to verify you want to sign up thing. User goes back to web site later, browser detects auth needed and public key foo accepted, presents the cert, and the user is logged in. Notice that these steps _remove_ the user filling out forms to sign up for simple web sites, and filling out forms to log in. Anyone who's used cert-based auth at work is already familiar, the web site magically knows you. This is MUCH more user friendly. So the big magic here is the user has to click on yes to create a key and type in an e-mail once. That's it. There's no web of trust. No identity verification (a-la ssl). I'm talking a very SSH like system, but with more polish. Users would find it much more convenient and wonder why we ever used passwords, I think... -- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
Re: How to fix authentication (was LinkedIn)
I would suggest that multiple models be pursued (since each appears to have a champion) and that the market/drafting process will resolve the issue of which is better (which is okay by me: widespread adoption of any of the proposed models would advance the state of the norm; progress beats the snot out of stagnation in my book) My earlier replies were reprehensible. This is not a thread that should just be laughed off. Real progress may be occurring here, and at the least, good knowledge and discussion is accumulating in a way which may serve as a resource for the curious or concerned. On Jun 22, 2012 7:25 AM, Leo Bicknell bickn...@ufp.org wrote: In a message written on Thu, Jun 21, 2012 at 04:48:47PM -1000, Randy Bush wrote: there are no trustable third parties With a lot of transactions the second party isn't trustable, and sometimes the first party isn't as well. :) In a message written on Thu, Jun 21, 2012 at 10:53:18PM -0400, Christopher Morrow wrote: note that yubico has models of auth that include: 1) using a third party 2) making your own party 3) HOTP on token 4) NFC they are a good company, trying to do the right thing(s)... They also don't necessarily want you to be stuck in the 'get your answer from another' Requirements of hardware or a third party are fine for the corporate world, or sites that make enough money or have enough risk to invest in security, like a bank. Requiring hardware for a site like Facebook or Twitter is right out. Does not scale, can't ship to the guy in Pakistan or McMurdo who wants to sign up. Trusting a third party becomes too expensive, and too big of a business risk. There are levels of security here. I don't expect Facebook to take the same security steps as my bank to move my money around. One size does not fit all. Making it so a hacker can't get 10 million login credentials at once is a quantum leap forward even if doing so doesn't improve security in any other way. The perfect is the enemy of the good. -- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/