Re: Please run windows update now

2017-05-15 Thread valdis . kletnieks
On Mon, 15 May 2017 16:19:37 -0700, "Aaron C. de Bruyn via NANOG" said:

> Combine that with fail2ban.  When one user has more than 60 writes in
> 60 seconds *or* a write contains a well-known cryptolocker name (i.e.
> *DECRYPT_INSTRUCT*)

Oddly enough, we've seen *lots* of spammers that are *totally* able to
auto-tune their spew rate to whatever you set the knob to.  Set it to 3,293,
and it will quickly adjust to 3,250 or so.  Knock the knob down to 67, it will
tune down to 65. There's no reason to expect that the same methods won't
be used again.

If it's an entire network of vulnerable systems, it's perfectly reasonable for
malware to pick one system (the one with the least number of likely-valuable
files) as a sacrificial goat and burn it down, just to see where you've set the
knobs, and then fly under the radar for the rest of the network.

If malware waits till 5:01PM Friday or whenever it detects the user has left
for the weekend, and does a careful search of file extensions for files most
likely to be valuable enough to make the victim pay the ransom, and does them
at 3 per minute, how bad is the situation Monday morning?

So you restrict file change rate to 1 per hour or something draconian when the
user isn't at the keyboard.

What is the likely amount of time the malware can get away with doing 3 files a
minute in the background while the user *is* using the system, before they hit
an encrypted file and realize there's a problem (hint - avoid files modified in
the last few days and target more static files)?

What is the likely amount of time you can restrict the user to 2 files per
minute before they come looking for you with an ax?

Remember - the first rule of designing security is that if you haven't already
thought through the first several iterations of blatantly obvious ways to work
around your proposal, and dealt with them, it's guaranteed that the bad guys
will do so for you.

Remember this as well - the entire reason why Snowden walked away with so many
files was because the NSA was not using all the available security features
*because it put too much of a crimp in legitimate analyst activity*.  It's also
why almost nobody outside military and spook systems actually deploys MLS/MCS
security.

Given that we've been at this for well over 4 decades now, and we *still* can't
actually do it right, you should be *very* suspicious of any proposal that says
"Just count the number of opens, tie it to fail2ban, handwave yadda yadda
handwave *SECURE*".





Re: Carrier classification

2017-05-15 Thread Randy Bush
> Putting aside the question of their importance, there is a small number
> of ISPs that do no pay for transit. If you don't call them Tier 1, what
> do you call them? Transit Free Providers (TFPs)?

LFB, late for breakfast


Re: Carrier classification

2017-05-15 Thread joel jaeggli
On 5/15/17 10:01 PM, Ken Chase wrote:
> so cogent has no routes to some amount of v6? ie no routes
> to some prefixes?

it's easy enough to test

TestRouter Location Hostname / IP Address   

2607:f8b0:4005:801::200e
Go!
Tue May 16 04:00:27.010 UTC
% Network not in table

http://www.cogentco.com/en/network/looking-glass

They're not the sole provider with a hole in their routing table, nor is
that the only hole. I would probably choose not to single home behind
any nominally SFI carrier, but on the other hand how useful such carrier
is in the first place has a lot to do with can they offload the traffic
you choose to send them, which is a different problem and should be
assessed accordingly.


> /kc
> 
> On Mon, May 15, 2017 at 07:56:14PM -0700, Large Hadron Collider said:
>   >My terminology of tiers are:
>   >
>   >Tier 1 - is in few or no major disputes, has no transit, and is able to
>   >access over three nines percent of the internet
>   >
>   >Tier 2 - as Tier 1, but has transit.
>   >
>   >Cogent is neither on v6, and I have no clue about v4.
>   >
>   >HE is probably Tier 2 on v4, and is Tier 1 on v6.
>   >
>   >
>   >On 15/05/2017 19:27, Ca By wrote:
>   >> On Mon, May 15, 2017 at 6:44 PM Bradley Huffaker wrote:
>   >>
>   >>> On Sun, May 14, 2017 at 09:24:18AM +0200, Mark Tinka wrote:
>   >>>> Nowadays, I'm hearing this less and less, but it's not completely gone.
>   >>> Putting aside the question of their importance, there is a small number
>   >>> of ISPs that do no pay for transit. If you don't call them Tier 1, what
>   >>> do you call them? Transit Free Providers (TFPs)?
>   >>
>   >> I think the broader and more relevant question is -- Does it matter who
>   >> pays who ? Why name an irrelevant characteristic?
>   >>
>   >> Cogent may not buy transit but i would not purchase their service since
>   >> they fail to have full internet reach (google and HE)
>   >>
>   >> And xyz incumbent may have a poor network, but they may get free peering or
>   >> may get paid-peering because of their incumbent / monopoly status... that
>   >> is not a reason for me to purchase from them or think they are an elite
>   >> tier 1.
>   >>
>   >> The dynamics of the day are more around reach and quality, not some legacy
>   >> measure of how market-failure facilitate anti-social behavior
>   >>
>   >>
>   >>
>   >>> --
>   >>> the value of a world model is not how accurately it captures reality
>   >>> but how often it leads us to take appropriate action
>   >>>
>   >
> 






Re: Carrier classification

2017-05-15 Thread Ken Chase
so cogent has no routes to some amount of v6? ie no routes
to some prefixes?

/kc

On Mon, May 15, 2017 at 07:56:14PM -0700, Large Hadron Collider said:
  >My terminology of tiers are:
  >
  >Tier 1 - is in few or no major disputes, has no transit, and is able to
  >access over three nines percent of the internet
  >
  >Tier 2 - as Tier 1, but has transit.
  >
  >Cogent is neither on v6, and I have no clue about v4.
  >
  >HE is probably Tier 2 on v4, and is Tier 1 on v6.
  >
  >
  >On 15/05/2017 19:27, Ca By wrote:
  >> On Mon, May 15, 2017 at 6:44 PM Bradley Huffaker wrote:
  >>
  >>> On Sun, May 14, 2017 at 09:24:18AM +0200, Mark Tinka wrote:
  >>>> Nowadays, I'm hearing this less and less, but it's not completely gone.
  >>> Putting aside the question of their importance, there is a small number
  >>> of ISPs that do no pay for transit. If you don't call them Tier 1, what
  >>> do you call them? Transit Free Providers (TFPs)?
  >>
  >> I think the broader and more relevant question is -- Does it matter who
  >> pays who ? Why name an irrelevant characteristic?
  >>
  >> Cogent may not buy transit but i would not purchase their service since
  >> they fail to have full internet reach (google and HE)
  >>
  >> And xyz incumbent may have a poor network, but they may get free peering or
  >> may get paid-peering because of their incumbent / monopoly status... that
  >> is not a reason for me to purchase from them or think they are an elite
  >> tier 1.
  >>
  >> The dynamics of the day are more around reach and quality, not some legacy
  >> measure of how market-failure facilitate anti-social behavior
  >>
  >>
  >>
  >>> --
  >>> the value of a world model is not how accurately it captures reality
  >>> but how often it leads us to take appropriate action
  >>>
  >

-- 
Ken Chase - k...@heavycomputing.ca skype:kenchase23 +1 416 897 6284 Toronto Canada
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.


Re: Carrier classification

2017-05-15 Thread Large Hadron Collider
My terminology of tiers are:

Tier 1 - is in few or no major disputes, has no transit, and is able to
access over three nines percent of the internet

Tier 2 - as Tier 1, but has transit.

Cogent is neither on v6, and I have no clue about v4.

HE is probably Tier 2 on v4, and is Tier 1 on v6.


On 15/05/2017 19:27, Ca By wrote:
> On Mon, May 15, 2017 at 6:44 PM Bradley Huffaker  wrote:
>
>> On Sun, May 14, 2017 at 09:24:18AM +0200, Mark Tinka wrote:
>>> Nowadays, I'm hearing this less and less, but it's not completely gone.
>> Putting aside the question of their importance, there is a small number
>> of ISPs that do no pay for transit. If you don't call them Tier 1, what
>> do you call them? Transit Free Providers (TFPs)?
>
> I think the broader and more relevant question is -- Does it matter who
> pays who ? Why name an irrelevant characteristic?
>
> Cogent may not buy transit but i would not purchase their service since
> they fail to have full internet reach (google and HE)
>
> And xyz incumbent may have a poor network, but they may get free peering or
> may get paid-peering because of their incumbent / monopoly status... that
> is not a reason for me to purchase from them or think they are an elite
> tier 1.
>
> The dynamics of the day are more around reach and quality, not some legacy
> measure of how market-failure facilitate anti-social behavior
>
>
>
>> --
>> the value of a world model is not how accurately it captures reality
>> but how often it leads us to take appropriate action
>>



Re: Please run windows update now

2017-05-15 Thread Joe
Hi Scott

As with any open forum you take the good with the bad. I've been on this
list since 2001; you learn to dump the static and learn from the good
advice.
Too much information (whether good or bad) is better than none.

-Joe

On Mon, May 15, 2017 at 8:12 PM, Scott Weeks  wrote:

>
>
> --- na...@incomingmta.com wrote:
> From: "Phillip White" 
>
> ...I have been on this list for many years...Today, though,
> I felt the need to create the mailbox just so I could reply
> since your posts have been the most irritating I have ever
> seen on this list.
> --
>
>
> "the most irritating I have ever seen on this list"
>
> You can't have been on this list very long, then... ;-)
>
> scott
>


Re: Carrier classification

2017-05-15 Thread Ca By
On Mon, May 15, 2017 at 6:44 PM Bradley Huffaker  wrote:

> On Sun, May 14, 2017 at 09:24:18AM +0200, Mark Tinka wrote:
> >
> > Nowadays, I'm hearing this less and less, but it's not completely gone.
>
> Putting aside the question of their importance, there is a small number
> of ISPs that do no pay for transit. If you don't call them Tier 1, what
> do you call them? Transit Free Providers (TFPs)?


I think the broader and more relevant question is -- Does it matter who
pays who ? Why name an irrelevant characteristic?

Cogent may not buy transit but i would not purchase their service since
they fail to have full internet reach (google and HE)

And xyz incumbent may have a poor network, but they may get free peering or
may get paid-peering because of their incumbent / monopoly status... that
is not a reason for me to purchase from them or think they are an elite
tier 1.

The dynamics of the day are more around reach and quality, not some legacy
measure of how market-failure facilitate anti-social behavior



>
> --
> the value of a world model is not how accurately it captures reality
> but how often it leads us to take appropriate action
>


Re: Please run windows update now

2017-05-15 Thread Jonathan Roach
Microsoft aren't stupid. They have learned lessons from the days in the
90s and early 2000s when they were a laughing stock in terms of
security, and since then Windows security has improved enormously. OK,
so it's not perfect, but what software is? Dirty Cow, Shellshock and
Heartbleed for example weren't exactly minor flaws, but the world moved on.

What's key is that administrators need to know how to secure their
estates. If they've failed to apply the patch, that's their failure, not
Microsoft's, but patching was not the only way to have curtailed this
weekend's outbreak. Admins may have had their reasons for not patching -
maybe to do so would have invalidated some kind of certification on an
embedded system for example - but there should have been other controls
in place to limit the spread of this outbreak or others like it.

Something that's puzzled me about events this weekend is that hardly
anyone is mentioning firewalling. Servers generally need ports
135-139/445 to be accessible in order to act as, well, servers - but
workstations don't. Why aren't people - even cash-starved organisations
like the NHS - using the Windows firewall to protect at least their
workstations on an ongoing basis? How did this infection spread between
organisations without being stopped by a border firewall at any point?
Was nothing learned from the Blaster days? (I don't have the answer.)

Although the malware was probably injected into multiple organisations
in numerous countries via multiple phishing attacks, the spread as
reported seemed too fast between organisations and countries for it to
have been driven by phishing attacks alone, and I haven't seen any
reports showing people how to spot the phishing attempts. So I'm
guessing a lot of the propagation even between orgs was by MS17-010.

It would be interesting to find out if anyone saw unusual spikes in SMB
traffic over the weekend? Or if there are insights into any of the
semi-rhetorical questions I posed above?

Cheers,
Jon


Re: Carrier classification

2017-05-15 Thread Bradley Huffaker
On Sun, May 14, 2017 at 09:24:18AM +0200, Mark Tinka wrote:
>
> Nowadays, I'm hearing this less and less, but it's not completely gone.

Putting aside the question of their importance, there is a small number
of ISPs that do no pay for transit. If you don't call them Tier 1, what
do you call them? Transit Free Providers (TFPs)?

-- 
the value of a world model is not how accurately it captures reality
but how often it leads us to take appropriate action


RE: Please run windows update now

2017-05-15 Thread Scott Weeks


--- na...@incomingmta.com wrote:
From: "Phillip White" 

...I have been on this list for many years...Today, though, 
I felt the need to create the mailbox just so I could reply 
since your posts have been the most irritating I have ever 
seen on this list. 
--


"the most irritating I have ever seen on this list"

You can't have been on this list very long, then... ;-)

scott 


Re: Please run windows update now

2017-05-15 Thread Aaron C. de Bruyn via NANOG
On Mon, May 15, 2017 at 2:48 PM, J. Oquendo  wrote:
> On Mon, 15 May 2017, b...@theworld.com wrote:

>> You count the number of destructive opens in the kernel and if it
>> exceeds a threshold (for example) you stop it and pop up a warning.

That's basically what I did.  I got tired of users constantly opening
any attachment that came at them through e-mail and encrypting all the
files on their systems and other network systems, so... I installed a
Linux box running Samba backed by a ZFS file store.

Samba spits out syslog records on file writes.

Combine that with fail2ban.  When one user has more than 60 writes in
60 seconds *or* a write contains a well-known cryptolocker name (i.e.
*DECRYPT_INSTRUCT*) it immediately blocks their IP on the server,
looks up their MAC address, scans the switch for their MAC, and
disables the switch port.

Then I have a list of files in syslog that were encrypted and ZFS
snapshots I can restore from.

Additionally, some of the workstations were PXE or iSCSI booted from
the NAS so it was as simple as "Hold down the power button to turn off
your computer.  Ok, let me 'zfs rollback' your machine image...ok, now
turn your computer back on.  All set."

Plus adding new workstations was as easy as getting the MAC address
and doing a 'zfs clone' of a clean machine image.

Upgrades are easy too--boot a VM, install the latest version of
Windows, update drivers, install software packages, then shutdown,
snapshot and clone.  Tell the user to reboot their PC and they are now
running the newer OS.

Windows isn't hard if you have Linux and Unix running underneath,
behind, and between everything. ;)

-A
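
The write-rate and ransom-note-name rules described above, as an added example that is not Aaron's setup and not Samba or fail2ban code: a small Python detector run over constructed Samba-style audit lines (the `smbd_audit: user|ip|op|result|path` layout, the ISO timestamps and the set of operations counted as writes are assumptions). It also shows the caveat Valdis raises elsewhere in this digest, that a low-and-slow writer stays under the rate threshold and only the filename rule catches it; the response side of the post (blocking the IP, disabling the switch port) is left out.

```python
"""Added example (not the poster's setup, nor Samba/fail2ban code): a sliding-window
write-rate rule plus a ransom-note filename rule, run over constructed audit lines.

Assumed line layout (constructed, loosely modelled on Samba's full_audit VFS output
with a "%u|%I" prefix):  <ISO timestamp> smbd_audit: <user>|<ip>|<op>|<result>|<path>
"""
import re
from collections import deque
from datetime import datetime, timedelta

WRITE_OPS = {"pwrite", "write", "rename", "unlink"}   # assumption: ops treated as destructive
RATE_LIMIT = 60                                       # "more than 60 writes ..."
WINDOW = timedelta(seconds=60)                        # "... in 60 seconds"
RANSOM_NOTE = re.compile(r"DECRYPT_INSTRUCT", re.IGNORECASE)   # note name quoted in the thread

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) smbd_audit: "
    r"(?P<user>[^|]+)\|(?P<ip>[^|]+)\|(?P<op>[^|]+)\|(?P<result>[^|]+)\|(?P<path>.*)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


class WriteRateDetector:
    """Per (user, client IP) sliding-window write counter with a filename trip-wire."""

    def __init__(self, limit=RATE_LIMIT, window=WINDOW):
        self.limit = limit
        self.window = window
        self.recent = {}      # (user, ip) -> deque of timestamps of successful writes
        self.blocked = set()  # keys that have already tripped a rule

    def feed(self, line):
        """Return (reason, user, ip) the first time a client trips a rule, else None."""
        rec = parse_line(line)
        if rec is None or rec["op"] not in WRITE_OPS or rec["result"] != "ok":
            return None
        key = (rec["user"], rec["ip"])
        if key in self.blocked:
            return None
        if RANSOM_NOTE.search(rec["path"]):
            self.blocked.add(key)
            return ("ransom-note-name", *key)
        q = self.recent.setdefault(key, deque())
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > self.window:   # drop writes older than the window
            q.popleft()
        if len(q) > self.limit:
            self.blocked.add(key)
            return ("write-rate", *key)
        return None


def make_lines(user, ip, start, count, interval_s):
    """Construct `count` successful pwrite lines, one every `interval_s` whole seconds."""
    return [
        f"{(start + timedelta(seconds=i * interval_s)).isoformat()} "
        f"smbd_audit: {user}|{ip}|pwrite|ok|/share/doc{i:04d}.xlsx"
        for i in range(count)
    ]


def run_scenarios():
    """Three constructed clients; returns the rule hits each one produced."""
    t0 = datetime(2017, 5, 12, 17, 1, 0)   # constructed: 5:01 PM on a Friday, as in the thread
    hits = {}
    # 1. Bulk encryption at one write per second: the 61st write inside 60 s trips the rate rule.
    det = WriteRateDetector()
    hits["bulk"] = [h for h in map(det.feed, make_lines("alice", "10.0.0.5", t0, 120, 1)) if h]
    # 2. Low and slow, the objection raised elsewhere in this thread: one write every 20 s
    #    never holds more than four writes in the window, so the rate rule never fires.
    det = WriteRateDetector()
    hits["slow"] = [h for h in map(det.feed, make_lines("bob", "10.0.0.6", t0, 200, 20)) if h]
    # 3. Same slow pace, but the client also writes a ransom note: the name rule catches it.
    det = WriteRateDetector()
    lines = make_lines("carol", "10.0.0.7", t0, 50, 20)
    note_ts = (t0 + timedelta(seconds=25 * 20)).isoformat()
    lines.insert(25, f"{note_ts} smbd_audit: carol|10.0.0.7|pwrite|ok|/share/!DECRYPT_INSTRUCTIONS.txt")
    hits["note"] = [h for h in map(det.feed, lines) if h]
    return hits


if __name__ == "__main__":
    for name, found in run_scenarios().items():
        print(f"{name:5s}: {found or 'no rule tripped'}")
```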


Re: Please run windows update now

2017-05-15 Thread J. Oquendo
On Mon, 15 May 2017, b...@theworld.com wrote:

> Oh great a design review!
> 
> Hello Valdis, I am Barry Shein. I've done decades of internals and
> kernel work.
> 
> Ever use any Windows since about Vista? It throws up those warning
> pop-ups when you're about to do something it decides needs
> confirmation?
> 
> That was almost certainly my invention.
> 
> I described the idea on an anti-spam list and two Microsoft engineers
> contacted me to discuss whether this is feasible etc.
> 
> Never got a thank you tho.
> 
>  > 
>  > How do you throw a pop-up warning for that?  Pre-run it and see how many >
>  > might get executed? And how do you tell that the sequence ends up 
> destroying
>  > the file rather than creating a new one?
> 
> You count the number of destructive opens in the kernel and if it
> exceeds a threshold (for example) you stop it and pop up a warning.
> 
> For example.
> 
> As I said this is the sort of thing which is suitable for an end-user
> OS and no doubt annoying in a server OS.
> 

*popcorn* ... What was the original thread about? Because
once upon a time as a proof of concept for "undetectable"
viruses on *nix, (was for a competition where I was not
allowed to play post disclosure of PoC), anyway, I
created a really really bad mechanism to negatively
impact ALL BSDs, Solaris, Linux, it was *nix agnostic.


Bigger takeaway, malware/scumware/whateverware authors
target Windows because there are more users. For someone
dealing with security 24x7x365, I can state MS has come
a very long way from what they were, including dealing
with MSRC and other departments. Do you have any idea
how difficult it is to deal with certain *nix projects?
Freshmeat? Github, hobby...

Apples and oranges. And I CAN COUNT the number of
destructive opens read, and write on any nix system, so
perhaps we should kill this thread before it becomes:
my NetBSD toaster is better than your windows powered
refrigerator.


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463


Re: Please run windows update now

2017-05-15 Thread Royce Williams
On Fri, May 12, 2017 at 10:30 AM, Royce Williams wrote:

> My $0.02, for people doing internal/private triage:
>
> - If your use of IPv4 space is sparse by routes, dump your internal
> routing table and convert to summarized CIDR.
>
> - Feed your CIDRs to masscan [1] to scan for internal port 445 (masscan
> randomizes targets, so destination office WAN links won't saturate, but
> local/intermediate might if you're not careful, so tune):
>
> sudo masscan -p445 --rate=[packets-per-second safe for your network]
> -iL routes.list -oG masscan-445.out
>
> - Use https://github.com/RiskSense-Ops/MS17-010/tree/master/scanners (the
> python2 one, or the Metasploit one if you can use that internally) to
> detect vuln. the python one is *not* a parallelized script, so consider
> breaking it into multiple parallel runners if you have a lot of scale.
>

Note - I've learned that the detection rate for the Python script above is
*much* lower than this nmap script. I recommend using the nmap script
instead:

https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse



> - If you're using SCCM/other, verify that MS17-010 was applied - but be
> mindful of Windows-based appliances not centrally patched, etc. Trust but
> verify.
>
> - In parallel, consider investigating low-hanging fruit by OU
> (workstations?) to disable SMBv1 entirely.
>
> Royce
>
> 1. https://github.com/robertdavidgraham/masscan
>
>


Re: Please run windows update now

2017-05-15 Thread bzs

On May 15, 2017 at 16:17 valdis.kletni...@vt.edu (valdis.kletni...@vt.edu) wrote:
 > On Mon, 15 May 2017 15:45:26 -0400, b...@theworld.com said:
 > 
 > > So for example why does a client OS produced with that much money
 > > available even allow things like wholesale encryption of files without
 > > at least popping up one of those warnings to confirm that you really
 > > meant to run a program on $THRESHOLD files, opening them for update
 > > etc, not just read?
 > 
 > Well Barry, I can tell you why, with examples from the Unix world.
 > 
 > for i in *; do encrypt < $i > $i.new; mv $i.new $i; done

Oh great a design review!

Hello Valdis, I am Barry Shein. I've done decades of internals and
kernel work.

Ever use any Windows since about Vista? It throws up those warning
pop-ups when you're about to do something it decides needs
confirmation?

That was almost certainly my invention.

I described the idea on an anti-spam list and two Microsoft engineers
contacted me to discuss whether this is feasible etc.

Never got a thank you tho.

 > 
 > How do you throw a pop-up warning for that?  Pre-run it and see how many >
 > might get executed? And how do you tell that the sequence ends up destroying
 > the file rather than creating a new one?

You count the number of destructive opens in the kernel and if it
exceeds a threshold (for example) you stop it and pop up a warning.

For example.

As I said this is the sort of thing which is suitable for an end-user
OS and no doubt annoying in a server OS.

 > 
 > OK. How about this one?
 > 
 > cat > ./wombat << EOF
 > ##!/bin/bash
 > encrypt < $1 > $1.new; mv $1.new $1
 > EOF
 > chmod +x ./wombat
 > for i in *; do ./wombat $i; done
 > 
 > Now convert that to C and bury that whole thing inside a binary.  How does the
 > operating system detect that and throw a pop-up *before* that executes?
 > 
 > It's a lot harder problem than you think.  Hint:  Fred Cohen's PhD thesis
 > showed that detecting malware is isomorphic to the Turing Halting Problem.
 > 

You don't seem to understand how OS's work which surprises me in your
case.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


vFlow :: IPFIX, sFlow and Netflow collector

2017-05-15 Thread Mehrdad Arshad Rad
Hi all,

I just wanted to share vFlow, an IPFIX, sFlow and Netflow collector; it's
scalable and reliable, written in pure Golang!
It doesn't have any library dependency and works w/ Kafka and NSQ (you can
write your own MQ plugin).

https://github.com/VerizonDigital/vflow

For more information
https://www.linkedin.com/pulse/high-performance-scalable-reliable-ipfix-sflow-open-arshad-rad

It can integrate with MemSQL easily, and you can run a query like the one
below:

memsql> select * from samples order by bytes desc limit 20;
+----------------+-----------------+-----------------+--------+--------+-------+---------+---------+----------+--------+---------------------+
| device         | src             | dst             | srcASN | dstASN | proto | srcPort | dstPort | tcpFlags | bytes  | datetime            |
+----------------+-----------------+-----------------+--------+--------+-------+---------+---------+----------+--------+---------------------+
| 192.129.230.0  | 87.11.81.121    | 61.231.215.18   | 131780 |  21773 |     6 |      80 |   64670 | 0x10     | 342000 | 2017-04-27 22:05:55 |
| 52.20.79.116   | 87.11.81.100    | 216.38.140.154  |  41171 |   7994 |     6 |     443 |   26798 | 0x18     | 283364 | 2017-04-27 22:06:00 |
| 52.20.79.116   | 192.229.211.70  | 50.240.197.150  |  41171 |  33651 |     6 |      80 |   23397 | 0x10     | 216000 | 2017-04-27 22:05:55 |
| 108.161.249.16 | 152.125.33.113  | 74.121.78.10    |  13768 |   9551 |     6 |      80 |   49217 | 0x18     | 196500 | 2017-04-27 22:05:59 |
| 192.229.130.0  | 87.21.81.254    | 94.56.54.135    | 132780 |  21773 |     6 |      80 |   52853 | 0x18     | 165000 | 2017-04-27 22:05:55 |
| 108.161.229.96 | 93.184.215.169  | 152.157.32.200  |  12768 |  11430 |     6 |     443 |   50488 | 0x18     |  86400 | 2017-04-27 22:06:01 |
| 52.22.49.106   | 122.229.210.189 | 99.31.208.183   |  22171 |   8018 |     6 |     443 |   33059 | 0x18     |  73500 | 2017-04-27 22:05:55 |
| 52.22.49.126   | 81.21.81.131    | 66.215.169.120  |  22171 |  20115 |     6 |      80 |   57468 | 0x10     |  66000 | 2017-04-27 22:05:59 |
| 108.160.149.96 | 94.184.215.151  | 123.90.233.120  |  16768 |  14476 |     6 |      80 |   63905 | 0x18     |  65540 | 2017-04-27 22:05:57 |
| 52.22.79.116   | 162.129.210.181 | 60.180.253.156  |  21271 |  31651 |     6 |     443 |   59652 | 0x18     |  64805 | 2017-04-27 22:06:00 |
| 108.161.149.90 | 93.184.215.169  | 80.96.58.146    |  13868 |  22394 |     6 |     443 |    1151 | 0x18     |  59976 | 2017-04-27 22:05:54 |
| 102.232.179.20 | 111.18.232.131  | 121.62.44.149   |  24658 |   4771 |     6 |      80 |   61076 | 0x10     |  59532 | 2017-04-27 22:05:54 |
| 102.232.179.20 | 192.129.145.6   | 110.49.221.232  |  24658 |   4804 |     6 |     443 |   50002 | 0x10     |  58500 | 2017-04-27 22:05:55 |
| 102.232.179.20 | 192.129.232.112 | 124.132.217.101 |  24658 |  43124 |     6 |     443 |   37686 | 0x10     |  57000 | 2017-04-27 22:06:00 |
| 192.229.230.0  | 87.11.81.253    | 219.147.144.22  | 132380 |   2900 |     6 |      80 |   25202 | 0x18     |  56120 | 2017-04-27 22:05:58 |
| 192.129.130.0  | 87.21.11.200    | 180.239.187.151 | 132380 |   8151 |     6 |     443 |   55062 | 0x18     |  52220 | 2017-04-27 22:05:59 |
| 52.12.79.126   | 87.21.11.254    | 64.30.125.221   |  21071 |  14051 |     6 |      80 |   57072 | 0x10     |  51000 | 2017-04-27 22:05:54 |
| 192.229.110.1  | 150.195.33.40   | 98.171.170.51   | 132980 |  28773 |     6 |      80 |   53270 | 0x18     |  51000 | 2017-04-27 22:05:57 |
| 192.229.110.1  | 87.21.81.254    | 68.96.162.21    | 132980 |  28773 |     6 |      80 |   46727 | 0x18     |  49500 | 2017-04-27 22:06:01 |
| 52.22.59.110   | 192.129.210.181 | 151.203.130.228 |  21271 |  12452 |     6 |      80 |   43720 | 0x18     |  49500 | 2017-04-27 22:05:55 |
+----------------+-----------------+-----------------+--------+--------+-------+---------+---------+----------+--------+---------------------+
20 rows in set (0.06 sec)


Please let me know if you have any questions.

Thanks,
Mehrdad

-- 
Mehrdad Arshad Rad
Principal Software Engineer
https://www.linkedin.com/in/mehrdadrad


Re: Please run windows update now

2017-05-15 Thread William Waites

> On May 15, 2017, at 21:17, valdis.kletni...@vt.edu wrote:
> 
>> So for example why does[n’t] a client OS confirm that you really
>> meant to run a program on $THRESHOLD files…

> How does the operating system detect that and throw a pop-up
> *before* that executes?
> 
> It's a lot harder problem than you think.  Hint:  Fred Cohen's PhD
> thesis showed that detecting malware is isomorphic to the Turing
> Halting Problem.

The general problem might well be that hard, I don’t know, it seems
plausible. However Barry’s suggestion doesn’t seem impossible.

One strategy is as follows. Have a counter in the kernel about writes to
files. Have some sort of log-structured filesystem with checkpoints or
whatever. When the counter goes too fast, show Barry’s dialog box and
if the user says no, roll back the filesystem to the time just before the
process (or its parent, or its parent’s parent, …) started. There are 
details to be ironed out, of course, but there’s no reason in principle
that it couldn’t be done like this.

The reason that you don’t have to make the operating system solve
the halting problem is because you ask the user.

William Waites
Laboratory for Foundations of Computer Science
School of Informatics, University of Edinburgh
Informatics Forum 5.38, 10 Crichton St.
Edinburgh, EH8 9AB, Scotland

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.



Re: Please run windows update now

2017-05-15 Thread valdis . kletnieks
On Mon, 15 May 2017 15:45:26 -0400, b...@theworld.com said:

> So for example why does a client OS produced with that much money
> available even allow things like wholesale encryption of files without
> at least popping up one of those warnings to confirm that you really
> meant to run a program on $THRESHOLD files, opening them for update
> etc, not just read?

Well Barry, I can tell you why, with examples from the Unix world.

for i in *; do encrypt < $i > $i.new; mv $i.new $i; done

How do you throw a pop-up warning for that?  Pre-run it and see how many >
might get executed? And how do you tell that the sequence ends up destroying
the file rather than creating a new one?

OK. How about this one?

cat > ./wombat << EOF
##!/bin/bash
encrypt < $1 > $1.new; mv $1.new $1
EOF
chmod +x ./wombat
for i in *; do ./wombat $i; done

Now convert that to C and bury that whole thing inside a binary.  How does the
operating system detect that and throw a pop-up *before* that executes?

It's a lot harder problem than you think.  Hint:  Fred Cohen's PhD thesis
showed that detecting malware is isomorphic to the Turing Halting Problem.






Re: Please run windows update now

2017-05-15 Thread bzs

Since everyone else is bloviating I may as well also...

The underlying problem is that Microsoft tried to produce basically
one operating system for both servers and end-users and most anything
in between.

Putting some lipstick on them and names such as "server 2008" doesn't
negate that.

Ok so did everyone, sort of (does Apple even make servers? ok ok I
know the response, cylindrical things.)

But others, which means the un*x sphere, at least had the excuse that
they were practically unfunded with a few notable exceptions (but Sun
is gone no sense beating the dead.)

MS has about $100B cash on hand and has generally been a quite
profitable enterprise for longer than probably most people on this
list have been alive.

So for example why does a client OS produced with that much money
available even allow things like wholesale encryption of files without
at least popping up one of those warnings to confirm that you really
meant to run a program on $THRESHOLD files, opening them for update
etc, not just read? Even backup doesn't do that. I suppose update does
but that and similar could be handled specially.

Why?

Because it would be annoying to their server customers if they
interfered and it seems that's how decisions are made. Over and
over. And over.

What we really have is the end result of a company spending as little
as possible on their product and optimizing their bottom line because
no one has any power to make them produce anything better.

  One code base to rule them all, One code base to sell them, One code
  base to bring them all, And in their darkness bind them.

That's what MS needs to be held accountable for, sucking literally
hundreds of billions from companies and consumers (that is, no lack of
money) and passing the pain of an inferior product to those consumers
much like the car industry did until Ralph Nader ("Unsafe At Any
Speed") and others began pointing this out in the 1960s and action was
taken and we got some omg seat belts and attention paid to how easily
a car of that era could roll over on a turn at 25mph, etc.

I think making feelgood comments like one has to be an idiot to run
Windows is a huge waste of time at this point. That horse is out of
the barn, has sailed, the barn door is still wide open, and it's
become too way late to fret over saving nine except forward.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


RE: Please run windows update now

2017-05-15 Thread timrutherford
>> https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
>>
>> Look near the bottom under Further Resources.

 

Those links appear to be patches for older versions of Windows.

The link that Josh sent initially is probably the most straightforward for
currently supported versions.

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Scroll down below “Affected Software and Vulnerability Severity Ratings” and
click on the link in the left column; it will bring you to the MS Update Catalog
download page for the patch in question.

Keep in mind that since MS started doing monthly patch rollups instead of
individual patches, they are listing a “rollup” KB# and a “security only” KB# for
each version of Windows.

For example, look at Windows 2012/2012R2 above – there are four different KB#s
depending on the OS version and update method being used.

KB4012217 : “monthly rollup” version for 2012 (gets delivered via windows
update - contains this patch and several others)

KB4012214 : “security only” version for 2012 for this one patch

KB4012216 : 2012R2 version of the rollup

KB4012213 : 2012R2 version of the security only patch

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Keith Stokes
Sent: Monday, May 15, 2017 11:49 AM
To: Keith Medcalf 
Cc: nanog@nanog.org
Subject: Re: Please run windows update now

 

 

 
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Look near the bottom under Further Resources.

On May 15, 2017, at 10:44 AM, Keith Medcalf <kmedc...@dessus.com> wrote:

I do not see any links to actually download the actual patches.  Just a bunch
of text drivel.

--
˙uʍop-ǝpısdn sı ɹoʇıuoɯ ɹnoʎ 'sıɥʇ pɐǝɹ uɐɔ noʎ ɟı

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of timrutherf...@c4.net
Sent: Monday, 15 May, 2017 09:23
To: 'Josh Luthman'; 'Nathan Fink'
Cc: nanog@nanog.org
Subject: RE: Please run windows update now

I should clarify, the link in my email below is only for windows versions that
are considered unsupported.

This one has links for the currently supported versions of windows

https://support.microsoft.com/en-us/help/4013389/title

-Original Message-
From: timrutherf...@c4.net [mailto:timrutherf...@c4.net]
Sent: Monday, May 15, 2017 11:12 AM
To: 'Josh Luthman' <j...@imaginenetworksllc.com>; 'Nathan Fink' <nef...@gmail.com>
Cc: 'nanog@nanog.org' <nanog@nanog.org>
Subject: RE: Please run windows update now

They even released updates for XP & 2003

http://www.catalog.update.microsoft.com/search.aspx?q=4012598

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Josh Luthman
Sent: Monday, May 15, 2017 10:45 AM
To: Nathan Fink <nef...@gmail.com>
Cc: nanog@nanog.org
Subject: Re: Please run windows update now

Link?

I only posted it as reference to the vulnerability.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Sat, May 13, 2017 at 2:07 AM, Nathan Fink <nef...@gmail.com> wrote:

I show MS17-010 as already superseded in SCCM

On Fri, May 12, 2017 at 1:44 PM, Josh Luthman wrote:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Fri, May 12, 2017 at 2:35 PM, JoeSox <joe...@gmail.com> wrote:

Thanks for the heads-up but I would expect to see some references to the patches
that need to be installed to block the vulnerability (Sorry for sounding like a
jerk).

We all know to update systems ASAP.

--
Later, Joe

On Fri, May 12, 2017 at 10:35 AM, Ca By <cb.li...@gmail.com> wrote:

This looks like a major worm that is going global

Please run windows update as soon as po
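Turning Tim's KB list into a fleet check, as an added PowerShell example that is not part of the thread and not Microsoft's own tooling. The KB IDs are the ones listed above (2012, 2012R2 and the XP/2003 catalog entry); the host names are placeholders, and the function name is my own:

```powershell
# Added example, not from the thread: report whether one of the MS17-010
# KBs named above is installed on each host. Rollup and security-only IDs
# are both accepted, since either closes the SMBv1 hole.
$Ms17010Kbs = @{
    'KB4012217' = 'Server 2012 monthly rollup'
    'KB4012214' = 'Server 2012 security-only'
    'KB4012216' = 'Server 2012 R2 monthly rollup'
    'KB4012213' = 'Server 2012 R2 security-only'
    'KB4012598' = 'XP / 2003 out-of-band update'
}

function Test-Ms17010Installed {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    foreach ($c in $ComputerName) {
        # Get-HotFix only sees updates registered with Windows Update/WSUS;
        # a host it cannot reach is reported as unknown rather than unpatched.
        $hotfixes = Get-HotFix -ComputerName $c -ErrorAction SilentlyContinue
        if ($null -eq $hotfixes) {
            [pscustomobject]@{ Computer = $c; Status = 'unknown'; MatchedKB = ''; InstalledOn = $null }
            continue
        }
        $found = $hotfixes | Where-Object { $Ms17010Kbs.ContainsKey($_.HotFixID) }
        [pscustomobject]@{
            Computer    = $c
            Status      = if ($found) { 'patched' } else { 'kb-not-found' }
            MatchedKB   = ($found.HotFixID -join ',')
            InstalledOn = ($found.InstalledOn | Sort-Object | Select-Object -Last 1)
        }
    }
}

# Placeholder host names; substitute your own inventory.
Test-Ms17010Installed -ComputerName 'srv-2012-01', 'srv-2012r2-01' | Format-Table -AutoSize
```

Treat "kb-not-found" as a lead, not a verdict: as Nathan notes, SCCM already shows MS17-010 as superseded, so a host that took a later monthly rollup will not carry these IDs even though it is fixed. Windows 10 and 2016 use different KB numbers that this thread does not list, so add those from the MS17-010 bulletin before running this against a mixed fleet.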

RE: Please run windows update now

2017-05-15 Thread Eliezer Croitoru
Calling someone who uses Windows un-professional would be a "gossip" style
phrase.
This is a piece of software which can be tested and compared to others.
Would Android be better than Windows only because it is based on the Linux
kernel, or since it's based on the full engineering that was invested from the
bottom up?

So from my point of view on things:
Windows is good
Linux is good
BSD is good
Mac is good
Others, good...

But depends on what you need.
If you need to work with a system that has a specific compatibility or
usability levels then this is what you need.
If it works for me it doesn't mean that it's either good or bad for me and
others!

I love Linux based systems but they all need some "magic hands" on them to
convert them from Linux to "something better".
So with this in mind: If you are a magician and Linux feels good for you it
doesn't mean that everybody should be magicians!

All The Bests,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of
valdis.kletni...@vt.edu
Sent: Monday, May 15, 2017 10:47 AM
To: Rich Kulawiec 
Cc: nanog@nanog.org
Subject: Re: Please run windows update now

On Mon, 15 May 2017 02:12:27 -0400, Rich Kulawiec said:

> Or BSD, or anything but Windows.  Anyone running Microsoft products is 
> quite clearly an unprofessional, unethical moron and fully deserves 
> all the pain they get

Tell you what.  Go over to http://line6.com/software/ - You convince them to
produce a Linux version of the software for their musician's gear, and I'll
get rid of the Toshiba laptop running Windows.  Alternatively, find me an
OSX laptop that costs anywhere near the $400 I paid for the Toshiba
Satellite.

(And yes, I already tried running their software in a VM; neither VirtualBox
nor VMware does a good enough job of emulating MIDI-over-USB2 to let the
drivers in the VM connect to my Pod HD, so don't bother suggesting that).

You want to repeat your claim that I'm an unprofessional, unethical moron
because I have a fully patched Windows 10 laptop that's backed up on a
regular basis because there's no realistic alternative?





Re: Question to Google

2017-05-15 Thread Christopher Morrow
On Mon, May 15, 2017 at 1:25 PM, Damian Menscher via NANOG 
wrote:

> On Mon, May 15, 2017 at 8:07 AM, Stephane Bortzmeyer 
> wrote:
>
> > On Mon, May 15, 2017 at 07:55:41AM -0700,
> >  Damian Menscher  wrote
> >  a message of 82 lines which said:
> >
> > > Can you point to published studies where the root and .com server
> > > operators analyzed Todd's questions?
> >
> > For the root, the most comprehensive one is probably SAC 18
> >  A good summary is
> > 
> >
>
> Thanks for sharing.  From my quick read, it looks like this was a careful
> analysis of the expected impact, not a review of the actual impact.  It
> reminds me of an instructive joke: "In theory, theory and practice are the
> same.  In practice, they are not."
>
>

also, a BUNCH has changed since 2007... with respect to the ipv4/ipv6
landscape.


RE: Please run windows update now

2017-05-15 Thread Phillip White

You, sir, are to be congratulated!  I have been on this list for many years
- mainly to keep in the loop.  Up until today the list went to a catch-all
account as I have never felt the need to post.  Today, though, I felt the
need to create the mailbox just so I could reply since your posts have been
the most irritating I have ever seen on this list.  The complete ineptness
in any of the points you shared was astonishing.  If you are on this list
you are most likely in some business associated with the Internet so if you
are like some of those that "just want to get some regular work done" let me
remind you that this _is_ regular work.  Get it done.  Microsoft isn't to
blame here.  It's the people who refuse to upgrade their Operating Systems
or patch religiously who are (read: IT departments here too).  A lot more of
the world use Microsoft products than you seem to think - it is dominant
and it's not going away.  If this causes you more work than the random
scripts you google on the Internet to run on your *nix boxes perhaps your
time in the business is up.  I too prefer and enjoy running all sorts of
flavors of unix/Linux and sometimes you will find that I bash the occasional
Windows user for being less than diligent but there is a limit to this
bashing and you, Rich, have well exceeded that IMO.

For those of you on this list that feel that this post was not necessary, I
am sorry and would normally agree with you and I hardly think it will happen
again.

Phillip White

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Rich Kulawiec
Sent: Monday, May 15, 2017 4:37 AM
To: nanog@nanog.org
Subject: Re: Please run windows update now


You make some excellent points: but I grow very, very tired of having to
spend my time and my energy -- note timestamp on my message -- dealing with
the fallout.  It should be painfully clear to everyone that there is no such
thing as a secure Windows system.  [1]  It should have been painfully clear
after Code Red, after the rise of bots, and after a hundred other incidents
before/since of varying severity and duration.
But apparently it's not and so despite the impact of this current one --
including large-scale disruption of healthcare in the UK -- this will keep
happening over and over again.  And even those of us who have the good
judgment to never use Microsoft products have to pay the price for the poor
decision-making of others.  Again.  And again.

It's getting old.  Just like all the other things that people do (many of
which have been discussed here at great length) that cause problems for
others who are making an earnest attempt to do things right.
How bad do things have to get before the people who are stubbornly
clinging to this finally let go?   Does someone have to die?  Because --
again, see healthcare provider impact in the UK -- we're not that far from
it.

---rsk

[1] There may be no such thing as a secure system, period.  But it would be
better to deploy things that may have a fighting chance instead of things
that have long since proven to have none at all.



Re: Question to Google

2017-05-15 Thread Damian Menscher via NANOG
On Mon, May 15, 2017 at 8:07 AM, Stephane Bortzmeyer 
wrote:

> On Mon, May 15, 2017 at 07:55:41AM -0700,
>  Damian Menscher  wrote
>  a message of 82 lines which said:
>
> > Can you point to published studies where the root and .com server
> > operators analyzed Todd's questions?
>
> For the root, the most comprehensive one is probably SAC 18
>  A good summary is
> 
>

Thanks for sharing.  From my quick read, it looks like this was a careful
analysis of the expected impact, not a review of the actual impact.  It
reminds me of an instructive joke: "In theory, theory and practice are the
same.  In practice, they are not."

Damian


Re: Please run windows update now

2017-05-15 Thread Brad Knowles
On May 15, 2017, at 11:21 AM, J. Oquendo  wrote:

>> Not everyone licks their chops and thinks "fresh meat" when they see 
>> worldwide panic that results from a massive security hole like this.
> 
> Jump in the security space, where we may gladly trade our
> cats and dogs for Porsche Panameras

Thanks, but no.  I am already forced to do much more in the security space than 
I would like.

And I love my little miracle kitty very much.  I wouldn't trade her for any 
kind of vehicle in this world.  I am rather less materialistic than that.

-- 
Brad Knowles 



Re: Please run windows update now

2017-05-15 Thread J. Oquendo
On Mon, 15 May 2017, Brad Knowles wrote:

> If Microsoft didn't open the security hole in the first place, then there 
> wouldn't be a need to patch it afterwards.

You are very correct. Microsoft opened the hole because
they had nothing better to do. Or, could it be that these
things happen, akin to a car having to perform a recall.
I am sure (with the exception of Volkswagen's clusterf^W)
no vendor in any vertical wants to put out subpar products
(call me a dreamer.)

> Of course, there will always be patches that need to be applied, and people 
> do have to decide what is a sane patching process.  But if a patch can be 
> completely avoided because they were more careful and rigorous in their 
> development to begin with, then as a whole the world would be better off.

Rigorous in development means little. Go pick an RFC and
you will find that over time, even the foundations have at
some point or another been broken/circumvented. I have a
mental running joke "Blame Paul Vixie!!!" (Sorry Paul :))
When the world lost their ability to use common sense,
anything related to DNS became a blame Paul for writing
BIND. No... Old saying: "Any time you point the finger,
remember, there are more of your fingers pointing back at
you."

Organizations do perform testing, and some don't. Just
because some don't does not mean the industry as a whole
won't, or doesn't do it. The fact MS went out of their way
to make patches for systems they SPECIFICALLY stated they
would not support any more gives them kudos across the
board.
 
> An ounce of prevention on their part would prevent a pound of cure having to 
> be applied by everyone else in the world.

With 20/20 vision, should that mean I should be expected
to see someone throwing a 100MPH fastball at me from
my back? Would my pound of cure be ESP for seeing the
future?

> But then Microsoft couldn't extract their value from selling that pound of 
> cure, so that would be another problem.

Sorry to tell you this, that comment makes little sense.
I didn't know Microsoft sold that pound of cure (patch).

> Not everyone licks their chops and thinks "fresh meat" when they see 
> worldwide panic that results from a massive security hole like this.

Jump in the security space, where we may gladly trade our
cats and dogs for Porsche Panameras

> Some of us just want to get regular work done.

And some of us find that life goes on. This is no different
than Nimda, and other minor fiascos that occur every once
in a while. With the exception of Morris. No one, not even
the worms in the dirt like him.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463


Re: Please run windows update now

2017-05-15 Thread Brad Knowles
On May 15, 2017, at 10:08 AM, J. Oquendo  wrote:

> Spot on. Shame on Microsoft for releasing patches and not
> forcing the installation versus letting security managers
> open up ISC^, and other nonsensical frameworks to do things
> like "change/patch management" tasks. I mean, who cares if
> one little patch knocks a business out of existence.

If Microsoft didn't open the security hole in the first place, then there 
wouldn't be a need to patch it afterwards.

Of course, there will always be patches that need to be applied, and people do 
have to decide what is a sane patching process.  But if a patch can be 
completely avoided because they were more careful and rigorous in their 
development to begin with, then as a whole the world would be better off.

> I do believe Microsoft is directly responsible for making
> people such daft "To patch or not to patch" admins. Force
> feed patches on everyone! Then your next message will be:
> "I believe Microsoft is responsible for trillions of
> dollars by pushing out patches forcefully and negatively
> impacting businesses worldwide."

An ounce of prevention on their part would prevent a pound of cure having to be 
applied by everyone else in the world.

But then Microsoft couldn't extract their value from selling that pound of 
cure, so that would be another problem.

> Pain and anguish? I'm smiling and drinking coffee. I adore
> when security shenanigas occur. That is the sound of a cash
> register to me.

Not everyone licks their chops and thinks "fresh meat" when they see worldwide 
panic that results from a massive security hole like this.

Some of us just want to get regular work done.

-- 
Brad Knowles 



Re: Please run windows update now

2017-05-15 Thread Keith Stokes
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/


Look near the bottom under Further Resources.


On May 15, 2017, at 10:44 AM, Keith Medcalf 
mailto:kmedc...@dessus.com>> wrote:


I do not see any links to actually download the actual patches.  Just a bunch 
of text drivel.


--
˙uʍop-ǝpısdn sı ɹoʇıuoɯ ɹnoʎ 'sıɥʇ pɐǝɹ uɐɔ noʎ ɟı

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of
timrutherf...@c4.net
Sent: Monday, 15 May, 2017 09:23
To: 'Josh Luthman'; 'Nathan Fink'
Cc: nanog@nanog.org
Subject: RE: Please run windows update now

I should clarify, the link in my email below is only for windows versions
that are considered unsupported.

This one has links for the currently supported versions of windows

https://support.microsoft.com/en-us/help/4013389/title


-Original Message-
From: timrutherf...@c4.net [mailto:timrutherf...@c4.net]
Sent: Monday, May 15, 2017 11:12 AM
To: 'Josh Luthman' ; 'Nathan Fink'

Cc: 'nanog@nanog.org' 
Subject: RE: Please run windows update now

They even released updates for XP & 2003

http://www.catalog.update.microsoft.com/search.aspx?q=4012598


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Josh Luthman
Sent: Monday, May 15, 2017 10:45 AM
To: Nathan Fink 
Cc: nanog@nanog.org
Subject: Re: Please run windows update now

Link?

I only posted it as reference to the vulnerability.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Sat, May 13, 2017 at 2:07 AM, Nathan Fink  wrote:

I show MS17-010 as already superseded in SCCM

On Fri, May 12, 2017 at 1:44 PM, Josh Luthman
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Fri, May 12, 2017 at 2:35 PM, JoeSox  wrote:

Thanks for the heads-up but I would expect to see some references
to the patches that need to be installed to block the
vulnerability (Sorry for sounding like a jerk).
We all know to update systems ASAP.

--
Later, Joe

On Fri, May 12, 2017 at 10:35 AM, Ca By  wrote:

This looks like a major worm that is going global

Please run windows update as soon as possible and spread the
word

It may be worth also closing down ports 445 / 139 / 3389

http://www.npr.org/sections/thetwo-way/2017/05/12/
528119808/large-cyber-attack-hits-englands-nhs-hospital-
system-ransoms-demanded

---

Keith Stokes






RE: Charter engineer

2017-05-15 Thread Manser, Charles J
Mr. Carman,

Did someone already reach out to you off-list?

Charles Manser | Principal Engineer I, Network Security | [c] 813-422-4281
14810 Grasslands Dr, Englewood, CO 80112

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Samual Carman
Sent: Sunday, May 14, 2017 1:28 PM
To: nanog@nanog.org
Subject: Charter engineer 

Can a Charter engineer please contact me off list? I am getting slammed from a
Charter IP address on a local cable node, and normal support channels have been
unhelpful at best and unwilling to escalate the issue. If anyone else has any
suggestion, please feel free to contact me. Contact may be delayed as I will be
flying back from Dubai today.

In addition, would a Charter voice/internet engineer please contact me off list,
or someone who specializes in fax machines on the Charter network. Thanks, Sam,
Mettai Inc, Yakima Branch. Sent from my home, please excuse grammar and spelling
issues. Sent from my iPhone




RE: Please run windows update now

2017-05-15 Thread Keith Medcalf

I do not see any links to actually download the actual patches.  Just a bunch 
of text drivel.


--
˙uʍop-ǝpısdn sı ɹoʇıuoɯ ɹnoʎ 'sıɥʇ pɐǝɹ uɐɔ noʎ ɟı

> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of
> timrutherf...@c4.net
> Sent: Monday, 15 May, 2017 09:23
> To: 'Josh Luthman'; 'Nathan Fink'
> Cc: nanog@nanog.org
> Subject: RE: Please run windows update now
>
> I should clarify, the link in my email below is only for windows versions
> that are considered unsupported.
>
> This one has links for the currently supported versions of windows
>
>   https://support.microsoft.com/en-us/help/4013389/title
>
>
> -Original Message-
> From: timrutherf...@c4.net [mailto:timrutherf...@c4.net]
> Sent: Monday, May 15, 2017 11:12 AM
> To: 'Josh Luthman' ; 'Nathan Fink'
> 
> Cc: 'nanog@nanog.org' 
> Subject: RE: Please run windows update now
>
> They even released updates for XP & 2003
>
> http://www.catalog.update.microsoft.com/search.aspx?q=4012598
>
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Josh Luthman
> Sent: Monday, May 15, 2017 10:45 AM
> To: Nathan Fink 
> Cc: nanog@nanog.org
> Subject: Re: Please run windows update now
>
> Link?
>
> I only posted it as reference to the vulnerability.
>
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Sat, May 13, 2017 at 2:07 AM, Nathan Fink  wrote:
>
> > I show MS17-010 as already superseded in SCCM
> >
> > On Fri, May 12, 2017 at 1:44 PM, Josh Luthman
> >  > >
> > wrote:
> >
> > > MS17-010
> > > https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
> > >
> > >
> > > Josh Luthman
> > > Office: 937-552-2340
> > > Direct: 937-552-2343
> > > 1100 Wayne St
> > > Suite 1337
> > > Troy, OH 45373
> > >
> > > On Fri, May 12, 2017 at 2:35 PM, JoeSox  wrote:
> > >
> > > > Thanks for the heads-up but I would expect to see some references
> > > > to the patches that need to be installed to block the
> > > > vulnerability (Sorry for sounding like a jerk).
> > > > We all know to update systems ASAP.
> > > >
> > > > --
> > > > Later, Joe
> > > >
> > > > On Fri, May 12, 2017 at 10:35 AM, Ca By  wrote:
> > > >
> > > > > This looks like a major worm that is going global
> > > > >
> > > > > Please run windows update as soon as possible and spread the
> > > > > word
> > > > >
> > > > > It may be worth also closing down ports 445 / 139 / 3389
> > > > >
> > > > > http://www.npr.org/sections/thetwo-way/2017/05/12/
> > > > > 528119808/large-cyber-attack-hits-englands-nhs-hospital-
> > > > > system-ransoms-demanded
> > > > >
> > > >
> > >
> >
>






RE: Please run windows update now

2017-05-15 Thread timrutherford
I should clarify, the link in my email below is only for windows versions that 
are considered unsupported.

This one has links for the currently supported versions of windows 

https://support.microsoft.com/en-us/help/4013389/title


-Original Message-
From: timrutherf...@c4.net [mailto:timrutherf...@c4.net] 
Sent: Monday, May 15, 2017 11:12 AM
To: 'Josh Luthman' ; 'Nathan Fink' 

Cc: 'nanog@nanog.org' 
Subject: RE: Please run windows update now

They even released updates for XP & 2003

http://www.catalog.update.microsoft.com/search.aspx?q=4012598


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Josh Luthman
Sent: Monday, May 15, 2017 10:45 AM
To: Nathan Fink 
Cc: nanog@nanog.org
Subject: Re: Please run windows update now

Link?

I only posted it as reference to the vulnerability.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Sat, May 13, 2017 at 2:07 AM, Nathan Fink  wrote:

> I show MS17-010 as already superseded in SCCM
>
> On Fri, May 12, 2017 at 1:44 PM, Josh Luthman 
>  >
> wrote:
>
> > MS17-010
> > https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
> >
> >
> > Josh Luthman
> > Office: 937-552-2340
> > Direct: 937-552-2343
> > 1100 Wayne St
> > Suite 1337
> > Troy, OH 45373
> >
> > On Fri, May 12, 2017 at 2:35 PM, JoeSox  wrote:
> >
> > > Thanks for the heads-up but I would expect to see some references 
> > > to the patches that need to be installed to block the 
> > > vulnerability (Sorry for sounding like a jerk).
> > > We all know to update systems ASAP.
> > >
> > > --
> > > Later, Joe
> > >
> > > On Fri, May 12, 2017 at 10:35 AM, Ca By  wrote:
> > >
> > > > This looks like a major worm that is going global
> > > >
> > > > Please run windows update as soon as possible and spread the 
> > > > word
> > > >
> > > > It may be worth also closing down ports 445 / 139 / 3389
> > > >
> > > > http://www.npr.org/sections/thetwo-way/2017/05/12/
> > > > 528119808/large-cyber-attack-hits-englands-nhs-hospital-
> > > > system-ransoms-demanded
> > > >
> > >
> >
>




RE: Please run windows update now

2017-05-15 Thread timrutherford
They even released updates for XP & 2003

http://www.catalog.update.microsoft.com/search.aspx?q=4012598


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Josh Luthman
Sent: Monday, May 15, 2017 10:45 AM
To: Nathan Fink 
Cc: nanog@nanog.org
Subject: Re: Please run windows update now

Link?

I only posted it as reference to the vulnerability.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Sat, May 13, 2017 at 2:07 AM, Nathan Fink  wrote:

> I show MS17-010 as already superseded in SCCM
>
> On Fri, May 12, 2017 at 1:44 PM, Josh Luthman 
>  >
> wrote:
>
> > MS17-010
> > https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
> >
> >
> > Josh Luthman
> > Office: 937-552-2340
> > Direct: 937-552-2343
> > 1100 Wayne St
> > Suite 1337
> > Troy, OH 45373
> >
> > On Fri, May 12, 2017 at 2:35 PM, JoeSox  wrote:
> >
> > > Thanks for the heads-up but I would expect to see some references 
> > > to the patches that need to be installed to block the 
> > > vulnerability (Sorry for sounding like a jerk).
> > > We all know to update systems ASAP.
> > >
> > > --
> > > Later, Joe
> > >
> > > On Fri, May 12, 2017 at 10:35 AM, Ca By  wrote:
> > >
> > > > This looks like a major worm that is going global
> > > >
> > > > Please run windows update as soon as possible and spread the 
> > > > word
> > > >
> > > > It may be worth also closing down ports 445 / 139 / 3389
> > > >
> > > > http://www.npr.org/sections/thetwo-way/2017/05/12/
> > > > 528119808/large-cyber-attack-hits-englands-nhs-hospital-
> > > > system-ransoms-demanded
> > > >
> > >
> >
>




Re: Please run windows update now

2017-05-15 Thread J. Oquendo
On Mon, 15 May 2017, Brad Knowles wrote:

> As much as I hate, loathe, and despise Microsoft, there's always going to be 
> someone/something out there that is "the worst".  Eliminate the current 
> "worst", and there will be another one right behind them.
> 
> I do believe that Microsoft is directly responsible for trillions of 
> dollars/euros of damage done to economies worldwide, due to their lax 
> security practices over the years.  Their advances have only come at the cost 
> of great pain on the part of others, and they have been kicking and screaming 
> all the while being dragged into the modern world.
> 
> The rest of us will continue to bear the pain and anguish that they create.  
> That's just the way things are.  Not the way they should be, but the way they 
> are.
> 
> -- 
> Brad Knowles 


Spot on. Shame on Microsoft for releasing patches and not
forcing the installation versus letting security managers
open up ISC^, and other nonsensical frameworks to do things
like "change/patch management" tasks. I mean, who cares if
one little patch knocks a business out of existence.

I do believe Microsoft is directly responsible for making
people such daft "To patch or not to patch" admins. Force
feed patches on everyone! Then your next message will be:
"I believe Microsoft is responsible for trillions of
dollars by pushing out patches forcefully and negatively
impacting businesses worldwide."

Pain and anguish? I'm smiling and drinking coffee. I adore
when security shenanigans occur. That is the sound of a cash
register to me.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463


Re: Question to Google

2017-05-15 Thread Stephane Bortzmeyer
On Mon, May 15, 2017 at 07:55:41AM -0700,
 Damian Menscher  wrote 
 a message of 82 lines which said:

> Can you point to published studies where the root and .com server
> operators analyzed Todd's questions?

For the root, the most comprehensive one is probably SAC 18
 A good summary is




Re: Please run windows update now

2017-05-15 Thread Brad Knowles
On May 15, 2017, at 5:37 AM, Rich Kulawiec  wrote:
> [1] There may be no such thing as a secure system, period.  But it
> would be better to deploy things that may have a fighting chance
> instead of things that have long since proven to have none at all.

As much as I hate, loathe, and despise Microsoft, there's always going to be 
someone/something out there that is "the worst".  Eliminate the current 
"worst", and there will be another one right behind them.

I do believe that Microsoft is directly responsible for trillions of 
dollars/euros of damage done to economies worldwide, due to their lax security 
practices over the years.  Their advances have only come at the cost of great 
pain on the part of others, and they have been kicking and screaming all the 
while being dragged into the modern world.

The rest of us will continue to bear the pain and anguish that they create.  
That's just the way things are.  Not the way they should be, but the way they 
are.

-- 
Brad Knowles 



Re: Question to Google

2017-05-15 Thread Damian Menscher via NANOG
On Mon, May 15, 2017 at 7:06 AM, Stephane Bortzmeyer 
wrote:

> On Mon, May 15, 2017 at 09:20:17AM -0400,
>  Todd Underwood  wrote
>  a message of 66 lines which said:
>
> > so implications that this is somehow related to Google dragging
> > their feet are silly.
>
> Implying that the root name server operators, or Verisign (manager of
> the .com name servers) did not test very thoroughly that everything is
> fine with their DNS service is just as silly.
>

I guess it's obvious they had different techniques for measuring the impact
of their changes. Can you point to published studies where the root and
.com server operators analyzed Todd's questions?

"""
"didn't notice a problem" is woefully insufficient here.

how carefully was this measured?  how was it measured?  across what
diversity of traffic.  what was the threshold for "a problem" here.

different use cases have different tolerances for the kinds of bad user
experience that google is concerned about here, both in terms of percentage
and in amount of impact.
"""

As others have said, things will improve as more sites go dual-stack, and
google.com will enable dual-stack as soon as it's viable.  In the meantime,
we encourage our competitors to try. ;)

Damian


Re: Please run windows update now

2017-05-15 Thread Josh Luthman
Link?

I only posted it as reference to the vulnerability.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Sat, May 13, 2017 at 2:07 AM, Nathan Fink  wrote:

> I show MS17-010 as already superseded in SCCM
>
> On Fri, May 12, 2017 at 1:44 PM, Josh Luthman
> wrote:
>
> > MS17-010
> > https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
> >
> >
> > Josh Luthman
> > Office: 937-552-2340
> > Direct: 937-552-2343
> > 1100 Wayne St
> > Suite 1337
> > Troy, OH 45373
> >
> > On Fri, May 12, 2017 at 2:35 PM, JoeSox  wrote:
> >
> > > Thanks for the heads-up but I would expect to see some references to the
> > > patches that need to be installed to block the vulnerability (Sorry for
> > > sounding like a jerk).
> > > We all know to update systems ASAP.
> > >
> > > --
> > > Later, Joe
> > >
> > > On Fri, May 12, 2017 at 10:35 AM, Ca By  wrote:
> > >
> > > > This looks like a major worm that is going global
> > > >
> > > > Please run windows update as soon as possible and spread the word
> > > >
> > > > It may be worth also closing down ports 445 / 139 / 3389
> > > >
> > > > http://www.npr.org/sections/thetwo-way/2017/05/12/
> > > > 528119808/large-cyber-attack-hits-englands-nhs-hospital-
> > > > system-ransoms-demanded
> > > >
> > >
> >
>


Re: Question to Google

2017-05-15 Thread Matt Mathis via NANOG
One badly configured mid-sized ISP might blow search's entire failure
budget.  (Read the SRE book.)

I have been trying for years to get somebody to do a measurement to show
that properly configured dual stack generally has better user QoE than
either protocol alone, largely because CGN doesn't scale well enough.

Thanks,
--MM--
The best way to predict the future is to create it.  - Alan Kay

Privacy matters!  We know from recent events that people are using our
services to speak in defiance of unjust governments.   We treat privacy and
security as matters of life and death, because for some users, they are.

On Mon, May 15, 2017 at 6:33 AM, Randy Bush  wrote:

> > It wouldn't surprise me if the dispute between Google and Cogent was
> > not part of the issue.  Pure speculation on my part.  I could be
> > completely off base.
>
> here in japan, if you are using ntt bflets layer two, your layer three
> provider is likely to present you with a dns server which does not
> return AAAAs because the v6 connectivity over ntt bflets transport sucks
> caterpillar snot.
>
> it's a whacky world.  as geoff said long ago, if there ever is real
> money counting on v6 transport, these messes will straighten out.
>
> randy
>


Re: Please run windows update now

2017-05-15 Thread Nathan Fink
I show MS17-010 as already superseded in SCCM

On Fri, May 12, 2017 at 1:44 PM, Josh Luthman 
wrote:

> MS17-010
> https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
>
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Fri, May 12, 2017 at 2:35 PM, JoeSox  wrote:
>
> > Thanks for the heads-up but I would expect to see some references to the
> > patches that need to be installed to block the vulnerability (Sorry for
> > sounding like a jerk).
> > We all know to update systems ASAP.
> >
> > --
> > Later, Joe
> >
> > On Fri, May 12, 2017 at 10:35 AM, Ca By  wrote:
> >
> > > This looks like a major worm that is going global
> > >
> > > Please run windows update as soon as possible and spread the word
> > >
> > > It may be worth also closing down ports 445 / 139 / 3389
> > >
> > > http://www.npr.org/sections/thetwo-way/2017/05/12/
> > > 528119808/large-cyber-attack-hits-englands-nhs-hospital-
> > > system-ransoms-demanded
> > >
> >
>


Re: Please run windows update now

2017-05-15 Thread Jorge Amodio

With that kind of attitude and disconnect from reality I wonder who is the 
unprofessional moron...

- Jorge (mobile)


> On May 15, 2017, at 1:12 AM, Rich Kulawiec  wrote:
> 
>> On Sat, May 13, 2017 at 12:07:39AM -0500, Joe wrote:
>> One word. Linux.
> 
> Or BSD, or anything but Windows.  Anyone running Microsoft products
> is quite clearly an unprofessional, unethical moron and fully deserves
> all the pain they get -- including being sued into oblivion by their
> customers and clients for their obvious incompetence and negligence.
> 
> ---rsk


Re: Please run windows update now

2017-05-15 Thread Andrew Kerr
Just a note folks that while this particular ransomware is using the
MS17-010 exploit to help spread, it does not rely on it.  This is still a
regular piece of ransomware that, if someone opens the malicious file, will
encrypt files.

SANS has some IoCs and more information:
https://isc.sans.edu/forums/diary/Massive+wave+of+ransomware+ongoing/22412/

On Fri, 12 May 2017 at 11:45 Josh Luthman 
wrote:

> MS17-010
> https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
>
>
> Josh Luthman
> Office: 937-552-2340 <(937)%20552-2340>
> Direct: 937-552-2343 <(937)%20552-2343>
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Fri, May 12, 2017 at 2:35 PM, JoeSox  wrote:
>
> > Thanks for the heads-up but I would expect to see some references to the
> > patches that need to be installed to block the vulnerability (Sorry for
> > sounding like a jerk).
> > We all know to update systems ASAP.
> >
> > --
> > Later, Joe
> >
> > On Fri, May 12, 2017 at 10:35 AM, Ca By  wrote:
> >
> > > This looks like a major worm that is going global
> > >
> > > Please run windows update as soon as possible and spread the word
> > >
> > > It may be worth also closing down ports 445 / 139 / 3389
> > >
> > > http://www.npr.org/sections/thetwo-way/2017/05/12/
> > > 528119808/large-cyber-attack-hits-englands-nhs-hospital-
> > > system-ransoms-demanded
> > >
> >
>


Re: Question to Google

2017-05-15 Thread Christopher Morrow
On Mon, May 15, 2017 at 10:06 AM, Stephane Bortzmeyer 
wrote:

> On Mon, May 15, 2017 at 09:20:17AM -0400,
>  Todd Underwood  wrote
>  a message of 66 lines which said:
>
> > so implications that this is somehow related to Google dragging
> > their feet are silly.
>
> Implying that the root name server operators, or Verisign (manager of
> the .com name servers) did not test very thoroughly that everything is
> fine with their DNS service is just as silly.
>

I don't think that was todd's implication.

I had thought i saw lorenzo/erik with some presentation materials about how
ipv6 (and dns) can go wrong. I know geoff has presentation work on this
matter, which he's given at least at IEPG meetings in the past.


there is work ongoing though, it seems:

;; ANSWER SECTION:
google.fi. 345600 IN NS ns2.google.com.
google.fi. 345600 IN NS ns4.google.com.
google.fi. 345600 IN NS ns1.google.com.
google.fi. 300 IN NS ns3ds.google.com.

;; Query time: 10 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)

;; ANSWER SECTION:
ns3ds.google.com. 300 IN AAAA 2001:4860:4802:36::a

-chris
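Chris's dig output above is one zone checked by hand. As an added example, not code from any poster, this shell helper does the same classification for every NS of a zone and marks each as v4-only or dual-stacked. The sample records are constructed (documentation-range A addresses) apart from the ns3ds.google.com AAAA quoted above; the live helper assumes dig and network access.

```shell
#!/bin/sh
# Added example: classify a zone's name servers as v4-only / dual-stack.
# Input is dig "+noall +answer" output: name ttl IN type rdata.

# Constructed sample, modelled on the google.fi answer quoted in the thread.
# The A addresses are placeholders from the 192.0.2.0/24 documentation range;
# only the ns3ds.google.com AAAA is taken from the quoted dig output.
SAMPLE_ANSWERS='google.fi. 345600 IN NS ns1.google.com.
google.fi. 300 IN NS ns3ds.google.com.
ns1.google.com. 300 IN A 192.0.2.10
ns3ds.google.com. 300 IN A 192.0.2.11
ns3ds.google.com. 300 IN AAAA 2001:4860:4802:36::a'

# Read NS/A/AAAA answer lines on stdin; print "<ns> <status>" per name server.
ns_stack_report() {
  awk '
    $3 == "IN" && $4 == "NS"   { ns[$5] = 1 }
    $3 == "IN" && $4 == "A"    { v4[$1] = 1 }
    $3 == "IN" && $4 == "AAAA" { v6[$1] = 1 }
    END {
      for (n in ns) {
        if (n in v4 && n in v6) s = "dual-stack"
        else if (n in v4)       s = "v4-only"
        else if (n in v6)       s = "v6-only"
        else                    s = "no-address"
        print n, s
      }
    }' | sort
}

# Report for the constructed sample (runs offline).
sample_report() {
  printf '%s\n' "$SAMPLE_ANSWERS" | ns_stack_report
}

# How many of the sample zone's name servers are dual-stacked.
dual_stack_count() {
  sample_report | grep -c ' dual-stack$'
}

# Live check (needs dig and network): fetch the NS set, then each NS's A/AAAA.
zone_ns_stack_report() {
  zone=$1
  {
    dig +noall +answer "$zone" NS
    for ns in $(dig +short "$zone" NS); do
      dig +noall +answer "$ns" A
      dig +noall +answer "$ns" AAAA
    done
  } | ns_stack_report
}
```

Run `zone_ns_stack_report google.fi` to see the live picture; a zone where every line reads `v4-only` is the situation Marco's question describes.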


Re: Question to Google

2017-05-15 Thread Stephane Bortzmeyer
On Mon, May 15, 2017 at 09:20:17AM -0400,
 Todd Underwood  wrote 
 a message of 66 lines which said:

> so implications that this is somehow related to Google dragging
> their feet are silly.

Implying that the root name server operators, or Verisign (manager of
the .com name servers) did not test very thoroughly that everything is
fine with their DNS service is just as silly.


Re: Question to Google

2017-05-15 Thread Bjørn Mork
Todd Underwood  writes:
> On Mon, May 15, 2017 at 8:43 AM, Stephane Bortzmeyer 
> wrote:
>
>>
>> There are many zones (including your isc.org) that have several name
>> servers dual-stacked, and they didn't notice a problem. Furthermore,
>> since the DNS is a tree, resolution of google.com requires a proper
>> resolution of the root and .com, both having IPv6 name servers.
>>
>
> "didn't notice a problem" is woefully insufficient here.
>
> how carefully was this measured?  how was it measured?  across what
> diversity of traffic.  what was the threshold for "a problem" here.

Agreed.  Most domain owners/zone admins probably would not notice this,
even if it was a very real problem for one or two ISPs.

But given that, I do wonder how such an ISP could provide any service at
all. As pointed out by Stephane, there are so many zones having dual
stacked DNS servers nowadays that one more or less makes little
difference.  Even if that zone is google.com.  The rest of the world are
dual stacked wrt DNS, with very few exceptions.

What about the root zone?  Or microsoft.com?  Or facebook.com?  No users
interested in either of those?  Only google.com?

Sorry, I do not buy the excuse.



Bjørn


Re: Question to Google

2017-05-15 Thread Todd Underwood
On Mon, May 15, 2017 at 9:33 AM, Randy Bush  wrote:

>
> it's a whacky world.  as geoff said long ago, if there ever is real
> money counting on v6 transport, these messes will straighten out.
>

totally agree. and i'd like someone else to volunteer the "real money"
traffic, please.  :-)

t


Re: Question to Google

2017-05-15 Thread Randy Bush
> It wouldn't surprise me if the dispute between Google and Cogent was
> not part of the issue.  Pure speculation on my part.  I could be
> completely off base.

here in japan, if you are using ntt bflets layer two, your layer three
provider is likely to present you with a dns server which does not
return AAAAs because the v6 connectivity over ntt bflets transport sucks
caterpillar snot.

it's a whacky world.  as geoff said long ago, if there ever is real
money counting on v6 transport, these messes will straighten out.

randy


Re: Question to Google

2017-05-15 Thread Todd Underwood
On Mon, May 15, 2017 at 8:43 AM, Stephane Bortzmeyer 
wrote:

>
> There are many zones (including your isc.org) that have several name
> servers dual-stacked, and they didn't notice a problem. Furthermore,
> since the DNS is a tree, resolution of google.com requires a proper
> resolution of the root and .com, both having IPv6 name servers.
>

"didn't notice a problem" is woefully insufficient here.

how carefully was this measured?  how was it measured?  across what
diversity of traffic.  what was the threshold for "a problem" here.

different use cases have different tolerances for the kinds of bad user
experience that google is concerned about here, both in terms of percentage
and in amount of impact.

please note that google has been super aggressively implementing and
promoting IPv6 for years, so implications that this is somehow related to
Google dragging their feet are silly.

t


>
> So, this answer is at least insufficient.
>


Re: Question to Google

2017-05-15 Thread Mark Andrews

In message <20170515124359.a3o7evaostrvm...@nic.fr>, Stephane Bortzmeyer writes:
> > Unfortunately, every time we've looked at the data, the
> > conclusion has been that it would cause unwarranted user
> > impact. IIRC the most recent blocker was a major US ISP whose
> > clients would experience breakage if even just one NS record
> > was dual-stacked.
> 
> There are many zones (including your isc.org) that have several name
> servers dual-stacked, and they didn't notice a problem. Furthermore,
> since the DNS is a tree, resolution of google.com requires a proper
> resolution of the root and .com, both having IPv6 name servers.
> 
> So, this answer is at least insufficient.

It wouldn't surprise me if the dispute between Google and Cogent was
not part of the issue.  Pure speculation on my part.  I could be
completely off base.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Question to Google

2017-05-15 Thread Stephane Bortzmeyer
>   Unfortunately, every time we've looked at the data, the
>   conclusion has been that it would cause unwarranted user
>   impact. IIRC the most recent blocker was a major US ISP whose
>   clients would experience breakage if even just one NS record
>   was dual-stacked.

There are many zones (including your isc.org) that have several name
servers dual-stacked, and they didn't notice a problem. Furthermore,
since the DNS is a tree, resolution of google.com requires a proper
resolution of the root and .com, both having IPv6 name servers.

So, this answer is at least insufficient.


Re: Question to Google

2017-05-15 Thread Mark Andrews

In message , "Marco Davids (Private)" writes:
>
> Hi,
>
> Anyone know why google.com only has IPv4 addresses on their
> authoritative DNS?
>
> https://ip6.nl/#!google.com
>
> Are there any plans to fix this?
>
> --
> Marco

Lorenzo's reply to this statement

Google isn't reachable.   There are no IPv6 servers for google.com.

was 

Unfortunately, every time we've looked at the data, the
conclusion has been that it would cause unwarranted user
impact. IIRC the most recent blocker was a major US ISP
whose clients would experience breakage if even just one
NS record was dual-stacked. It's not an infrastructure
problem: the servers have supported IPv6 for years, and
some zones like google.fi do have IPv6 NS records.

See Message-ID: 



-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Please run windows update now

2017-05-15 Thread Randy Bush
fyi, current opinion in the security community seems to be that win10 is
better secured than linuxes, bsds, ...  see http://cyber-itl.org/; still
pretty sparse, but getting fleshed out.

randy


Question to Google

2017-05-15 Thread Marco Davids (Private)
Hi,

Anyone know why google.com only has IPv4 addresses on their
authoritative DNS?

https://ip6.nl/#!google.com

Are there any plans to fix this?

-- 
Marco





Re: BCP for securing IPv6 Linux end node in AWS

2017-05-15 Thread JORDI PALET MARTINEZ
Just make sure that nothing breaks PTB, as happens if you don't pay attention
to ECMP.

RFC7690

1&1 in Germany has had this issue for at least 18-24 months, so all their
customers with IPv6 enabled are *broken* for anyone with a smaller MTU
because of tunnels, the ISP technology, etc. They are aware of that, I have told
them for many months, but it is not yet fixed, so make sure you don't use those
data centers if you want to enable IPv6.

You can check this with any of their IPv6 enabled sites (thousands I guess), 
for example http://diskmakerx.com/

And a nice tool to check it:

https://nat64check.go6lab.si/

Regards,
Jordi
 

-----Original Message-----
From: NANOG on behalf of Rich Kulawiec
Reply to:
Date: Monday, 15 May 2017, 12:57
To: nanog list
Subject: Re: BCP for securing IPv6 Linux end node in AWS

On Sun, May 14, 2017 at 09:29:45AM -0400, Eric Germann wrote:
> I've reviewed some of the stuff out there, but apparently I'm
> catching too many of the ICMP types in the rejection as routing eventually
> breaks.  My guess is router discovery gets broken by too tight of filters.

That's a good guess, but I would also guess that path MTU discovery
may be breaking.  (Or not.)  I think you may want to implement RFC 4890,
with a look at RFC 4443.

---rsk










Re: BCP for securing IPv6 Linux end node in AWS

2017-05-15 Thread Rich Kulawiec
On Sun, May 14, 2017 at 09:29:45AM -0400, Eric Germann wrote:
> I've reviewed some of the stuff out there, but apparently I'm
> catching too many of the ICMP types in the rejection as routing eventually
> breaks.  My guess is router discovery gets broken by too tight of filters.

That's a good guess, but I would also guess that path MTU discovery
may be breaking.  (Or not.)  I think you may want to implement RFC 4890,
with a look at RFC 4443.

---rsk
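Eric's symptom (routing breaks once too many ICMPv6 types are rejected) and the Packet Too Big point Jordi and Rich raise both come down to which ICMPv6 types a host filter keeps. As an added example, not code from any poster, here is an nftables ruleset for a Linux end node built around RFC 4890's must-not-drop list; nftables itself and the SSH rule are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): an nftables input policy for an IPv6
# Linux end node that keeps the ICMPv6 types RFC 4890 says must not be dropped,
# so Neighbor Discovery and Path MTU Discovery (Packet Too Big) keep working.
# Assumes nftables is installed; apply with:  icmpv6_ruleset | sudo nft -f -

icmpv6_ruleset() {
  cat <<'EOF'
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    iif lo accept
    ct state established,related accept
    ct state invalid drop

    # RFC 4890 section 4.3.1: error messages that must not be filtered.
    # Dropping packet-too-big silently breaks Path MTU Discovery.
    icmpv6 type { destination-unreachable, packet-too-big,
                  time-exceeded, parameter-problem } accept

    # Echo for basic diagnostics, rate-limited.
    icmpv6 type { echo-request, echo-reply } limit rate 10/second accept

    # Neighbor Discovery: link-local, hop limit must be 255 (RFC 4861).
    # Filtering these is what makes "routing eventually breaks".
    icmpv6 type { nd-router-solicit, nd-router-advert,
                  nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept

    # Multicast Listener Discovery, needed for solicited-node multicast groups.
    icmpv6 type { mld-listener-query, mld-listener-report,
                  mld-listener-done, mld2-listener-report } accept

    # Host services; SSH is only an example, adjust to the node's role.
    tcp dport 22 accept

    # Everything else, including remaining ICMPv6 types, is counted and dropped.
    counter drop
  }
}
EOF
}

# Sanity check before loading: every type the ruleset must keep is present.
# Returns 0 when complete, 1 and the missing type on stderr otherwise.
check_required_types() {
  ruleset=$(icmpv6_ruleset)
  for t in destination-unreachable packet-too-big time-exceeded parameter-problem \
           nd-router-solicit nd-router-advert nd-neighbor-solicit nd-neighbor-advert; do
    case "$ruleset" in
      *"$t"*) ;;
      *) echo "missing: $t" >&2; return 1 ;;
    esac
  done
  return 0
}
```

After loading, `nft list ruleset | grep icmpv6` shows the accepted types and the trailing `counter drop` tells you how much is still being discarded.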


Re: Please run windows update now

2017-05-15 Thread Rich Kulawiec

You make some excellent points: but I grow very, very tired of having
to spend my time and my energy -- note timestamp on my message -- dealing
with the fallout.  It should be painfully clear to everyone that there
is no such thing as a secure Windows system.  [1]  It should have been
painfully clear after Code Red, after the rise of bots, and after a
hundred other incidents before/since of varying severity and duration.
But apparently it's not and so despite the impact of this current one --
including large-scale disruption of healthcare in the UK -- this will keep
happening over and over again.  And even those of us who have the good
judgment to never use Microsoft products have to pay the price for
the poor decision-making of others.  Again.  And again.

It's getting old.  Just like all the other things that people do (many
of which have been discussed here at great length) that cause problems
for others who are making an earnest attempt to do things right.
How bad do things have to get before the people who are stubbornly
clinging to this finally let go?   Does someone have to die?  Because --
again, see healthcare provider impact in the UK -- we're not that
far from it.

---rsk

[1] There may be no such thing as a secure system, period.  But it
would be better to deploy things that may have a fighting chance
instead of things that have long since proven to have none at all.


Re: Please run windows update now

2017-05-15 Thread Randy Bush
> Or BSD, or anything but Windows.  Anyone running Microsoft products
> is quite clearly an unprofessional, unethical moron and fully deserves
> all the pain they get -- including being sued into oblivion by their
> customers and clients for their obvious incompetence and negligence.

aside from being grossly rude, hyperbolic, and unintelligent, this rant
ignores reality enough to make you a viable presidential candidate.

80% of desk/laptops run windows.  get over it.  windows is embedded in
many systems which will be hard to update in an hour or 100 hours.  and
rude ranting is not doing one micron to help deal with it.

embedded systems are very hard to update, think special drivers, kinky
mods, ...  aside from the long softdev time, how much time do you think
QA will take for moving a piece of medical equipment from xp to win10,
let alone bsd?  and the state of the bsd update process is not something
to describe in polite company.

we have a vulnerable chain from weak software (which is improving, and
msoft has been in the lead there for a decade), to nsa/cia not
disclosing, to people choosing or having to run old versions (of
whatever (and linux/bsd are not immune) for financial or technical
reasons, to the conservative or lazy logistics of patching.  we can try
to improve things at each link.  but this is gonna be slow.

though this ransomware attack is not really that much larger than other
attacks in the past (and the future is not cheering), at least it has
reached the front pages and maybe people will patch more and vendors
will issue more/better updates.  but, as @zeynep says, the lack of
liability along the chain above allows bad practices to continue.

in the meantime, backup, backup and take it offline so it does not get
encrypted for you, patch, turn off unnecessary services/options, rinse
repeat.  and try to promote prudent use among friends, family, and
workplace.

randy


Re: Please run windows update now

2017-05-15 Thread valdis . kletnieks
On Mon, 15 May 2017 02:12:27 -0400, Rich Kulawiec said:

> Or BSD, or anything but Windows.  Anyone running Microsoft products
> is quite clearly an unprofessional, unethical moron and fully deserves
> all the pain they get

Tell you what.  Go over to http://line6.com/software/ - You convince them to
produce a Linux version of the software for their musician's gear, and I'll get
rid of the Toshiba laptop running Windows.  Alternatively, find me an OSX
laptop that costs anywhere near the $400 I paid for the Toshiba Satellite.

(And yes, I already tried running their software in a VM, neither VirtualBox
or VMWare does a good enough job of emulating MIDI-over-USB2 to let the drivers
in the VM connect to my Pod HD, so don't bother suggesting that).

You want to repeat your claim that I'm an unprofessional, unethical moron
because I have a fully patched Windows 10 laptop that's backed up on a regular
basis because there's no realistic alternative?



