Re: WaPo writes about vulnerabilities in Supermicro IPMIs

2013-08-15 Thread Kyle Creyts
just so we're all clear, SuperMicro wasn't the only one...

link: http://pastebin.com/syXHLuC5

CVE-2013-4782 CVSS Base Score = 10.0
The SuperMicro BMC implementation allows remote attackers to
bypass authentication and execute arbitrary IPMI commands by using
cipher suite 0 (aka cipher zero) and an arbitrary password.

CVE-2013-4783 CVSS Base Score = 10.0
The Dell iDRAC 6 BMC implementation allows remote attackers to
bypass authentication and execute arbitrary IPMI commands by using
cipher suite 0 (aka cipher zero) and an arbitrary password.

CVE-2013-4784 CVSS Base Score = 10.0
The HP Integrated Lights-Out (iLO) BMC implementation allows
remote attackers to bypass authentication and execute arbitrary IPMI
commands by using cipher suite 0 (aka cipher zero) and an arbitrary
password.

CVE-2013-4785 CVSS Base Score = 10.0
iDRAC 6 firmware 1.7, and possibly other versions, allows remote
attackers to modify the CLP interface for arbitrary users and possibly
have other impact via a request to an unspecified form that is
accessible from testurls.html.

CVE-2013-4786 CVSS Base Score = 7.8
The IPMI 2.0 specification supports RMCP+ Authenticated
Key-Exchange Protocol (RAKP) authentication, which allows remote
attackers to obtain password hashes and conduct offline password
guessing attacks by obtaining the HMAC from RAKP message 2 responses
from a BMC.


References:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4782
= http://fish2.com/ipmi/cipherzero.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4783
= http://fish2.com/ipmi/cipherzero.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4784
= http://fish2.com/ipmi/cipherzero.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4785
= http://fish2.com/ipmi/dell/secret.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4786
= http://fish2.com/ipmi/remote-pw-cracking.html

On Thu, Aug 15, 2013 at 6:00 PM, Jay Ashworth j...@baylink.com wrote:
 Presumably, everyone else's are very religious as well.

 Is anyone here stupid enough not to put the management interfaces behind
 a firewall/VPN?

   
 http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/14/researchers-figure-out-how-to-hack-tens-of-thousands-of-servers/

 And should I be nervous that Usenix pointed me *there* for the story,
 rather than a tech press outlet?

 Cheers,
 -- jra
 --
 Jay R. Ashworth  Baylink   
 j...@baylink.com
 Designer The Things I Think   RFC 2100
 Ashworth  Associates http://baylink.pitas.com 2000 Land Rover DII
 St Petersburg FL USA   #natog  +1 727 647 1274




-- 
Kyle Creyts

Information Assurance Professional
Founder BSidesDetroit
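Jay's question above ("is anyone stupid enough not to put the management interfaces behind a firewall/VPN?") is something you can answer from flow data. The script below is an added example, not code from the thread: it scans flow records for IPMI (UDP 623) traffic reaching a BMC from anywhere other than the management VLAN or VPN pool, and for IPMI traffic to an address that is not a known BMC. The BMC list, prefixes and flow records are constructed.

```python
"""Flag IPMI (RMCP/RMCP+, UDP 623) flows that reach a BMC from anywhere other
than the out-of-band management network or the VPN pool.  Added example; the
BMC list, prefixes and flow records are constructed, not from the thread."""
from ipaddress import ip_address, ip_network

IPMI_PORT = 623                              # RMCP/RMCP+ (IPMI over LAN)
MGMT_NET = ip_network("10.99.0.0/24")        # hypothetical out-of-band management VLAN
VPN_NET = ip_network("10.200.0.0/24")        # hypothetical VPN client pool
TRUSTED_SOURCES = (MGMT_NET, VPN_NET)        # only these may talk IPMI to a BMC
INTERNAL_NETS = (ip_network("10.0.0.0/8"),   # RFC 1918 ranges: tell "internal" from "external"
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16"))
# Known BMC addresses; 203.0.113.20 is deliberately internet-facing in this sample.
BMC_ADDRS = {ip_address(a) for a in ("10.99.0.10", "10.99.0.11", "203.0.113.20")}

# Constructed flow records: "<timestamp> <src>:<sport> <dst>:<dport> <proto>".
SAMPLE_FLOWS = """\
2013-08-15T18:01:02Z 10.99.0.5:50001 10.99.0.10:623 udp
2013-08-15T18:01:10Z 10.200.0.7:50002 10.99.0.11:623 udp
2013-08-15T18:02:33Z 198.51.100.77:41000 203.0.113.20:623 udp
2013-08-15T18:02:40Z 10.20.4.9:44000 10.99.0.10:623 udp
2013-08-15T18:03:01Z 10.20.4.9:44001 10.99.0.10:22 tcp
2013-08-15T18:03:15Z 10.20.4.9:44002 10.20.4.50:623 udp
"""


def parse_flow(line):
    """Split one flow record into fields; ports become ints, addresses ip_address objects."""
    ts, src, dst, proto = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "src": ip_address(src_ip), "dst": ip_address(dst_ip),
            "dport": int(dport), "proto": proto}


def classify_source(ip):
    """Where an IPMI client sits relative to the management boundary."""
    if any(ip in net for net in TRUSTED_SOURCES):
        return "trusted"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal source outside management/VPN"
    return "external source"


def find_ipmi_exposure(flows_text):
    """Return (ts, src, dst, reason) for every IPMI flow that should not exist:
    a BMC reached from an untrusted source, or IPMI traffic to an address that
    is not a known BMC (an unmanaged or rogue BMC)."""
    findings = []
    for line in flows_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["proto"] != "udp" or f["dport"] != IPMI_PORT:
            continue
        if f["dst"] not in BMC_ADDRS:
            findings.append((f["ts"], str(f["src"]), str(f["dst"]), "IPMI to unknown BMC"))
            continue
        reason = classify_source(f["src"])
        if reason != "trusted":
            findings.append((f["ts"], str(f["src"]), str(f["dst"]), reason))
    return findings


if __name__ == "__main__":
    for finding in find_ipmi_exposure(SAMPLE_FLOWS):
        print(*finding)
```

With the sample data the first two flows are clean and the remaining three IPMI flows are reported; the cipher-zero and RAKP issues above are why any hit on the external or unknown-BMC cases deserves immediate attention.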



Re: .nyc - here we go...

2013-07-03 Thread Kyle Creyts
+10


On Tue, Jul 2, 2013 at 10:04 PM, Paul Ferguson fergdawgs...@gmail.com wrote:

 Why does this discussion have to always be one or the other?

 We have multiple problems here, friends.

 Focus.

 - ferg


 On Tue, Jul 2, 2013 at 9:39 PM, Andrew Sullivan asulli...@dyn.com wrote:

  On Wed, Jul 3, 2013 at 12:15 AM, Larry Sheldon larryshel...@cox.net
 wrote:
 
  Makes me wonder if concern for routing table size is worrying about the
  right thing.
 
 
  Because obviously, the problems of scaling router memory and scaling DNS
  servers are the same kind?
 
  Yes, having many many new TLDs introduces new problems.  (If you're not
  scared enough, I encourage you to go read the output of the Variant
 Issues
  Project.  Full disclosure: I had a hand in.)  Why are we talking about
 this
  non-news now?  We all knew about three years ago, at the latest, that
 ICANN
  was planning to do this.  If we didn't, shame on us.
 
  A



 --
 Fergie, a.k.a. Paul Ferguson
  fergdawgster(at)gmail.com




-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer


Re: looking for documents describing frequent causes for line cuts

2013-05-18 Thread Kyle Creyts
thanks!

also amusing:
http://blog.lafayetteprofiber.com/2008/06/nutria-ratsand-fiber.html
http://news.techeye.net/internet/internet-attacked-by-bears#.TnZXk5rhOv8.reddit

but I'm looking for something slightly more efficacious than anecdotal.

off-list replies (and, why not, some of them are really funny) anecdotes
are welcome.


On Fri, May 17, 2013 at 8:00 PM, staticsafe m...@staticsafe.ca wrote:

 On 5/17/2013 22:16, Kyle Creyts wrote:
  has anyone come by documents containing some statistics regarding leading
  causes for cuts in fiber, power, cable lines?
 
  I seem to remember one which included % cuts due to equipment failure,
  maintenance, weather, rodents, boring, car accidents, etc.
 
  but alas, I cannot find it in my archives.
 

 On an amusing note:

 http://blog.level3.com/level-3-network/the-10-most-bizarre-and-annoying-causes-of-fiber-cuts/
 --
 staticsafe
 O ascii ribbon campaign - stop html mail - www.asciiribbon.org
 Please don't top post - http://goo.gl/YrmAb
 Don't CC me! I'm subscribed to whatever list I just posted on.




-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer


looking for documents describing frequent causes for line cuts

2013-05-17 Thread Kyle Creyts
has anyone come by documents containing some statistics regarding leading
causes for cuts in fiber, power, cable lines?

I seem to remember one which included % cuts due to equipment failure,
maintenance, weather, rodents, boring, car accidents, etc.

but alas, I cannot find it in my archives.


Re: Is multihoming hard? [was: DNS amplification]

2013-03-24 Thread Kyle Creyts
As an under-30, working in the industry, I have to say, when the power goes
out at home for a few days, we pull out the camping gear.

When our cable-based internet goes out, our life changes hardly at all. We
go for a walk, or hike, do the things we would normally. I can imagine that
an outage of 1 week would be slightly different, but I'm pretty sure that
the spans of most of the outages which would be resolved by multi-provider
solutions like those outlined herein would probably only apply to
situations where the outage would only last less than 48 hours.

On Sun, Mar 24, 2013 at 9:06 AM, William Herrin b...@herrin.us wrote:

 On Sat, Mar 23, 2013 at 10:47 PM, Kyle Creyts kyle.cre...@gmail.com
 wrote:
  Will they really demand ubiquitous, unabridged connectivity?
 
  When?

 When the older generation that considers the Internet a side show dies off.

 When your grandparents' power went out, they broke out candles and
 kerosene lamps.

 When yours goes out, you pull out flashlights and generators. And when
 it stays out you book a motel room so your family can have air
 conditioning and television.

 For most folks under 30 and many who are older, Internet isn't a side
 show, it's a way of life. An outage is like a power failure or the car
 going kaput: a major disruption to life's flow.


 This need won't be ubiquitous for two to three decades, but every year
 between now and then the percentage of your customer base which
 demands unabridged connectivity will grow.

 What do you have in the pipeline to address that demand as it arrives?
 BGP multihoming won't get the job done for the hundred million
 households in North America, let alone the seven billion people in the
 world.

 Regards,
 Bill Herrin


 --
 William D. Herrin  her...@dirtside.com  b...@herrin.us
 3005 Crane Dr. .. Web: http://bill.herrin.us/
 Falls Church, VA 22042-3004




-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer


Re: Is multihoming hard? [was: DNS amplification]

2013-03-23 Thread Kyle Creyts
You do realize that there are quite a few people (home broadband
subscribers?) who just go do something else when their internet goes
down, right?

There are people who don't understand the difference between a site being
slow and packet-loss. For many of these people, losing internet service
carries zero business impact, and relatively little life impact; they might
even realize they have better things to do than watch cat videos or scroll
through endless social media feeds.

Will they really demand ubiquitous, unabridged connectivity?

When?

On Mar 23, 2013 12:58 PM, Owen DeLong o...@delong.com wrote:


 On Mar 23, 2013, at 12:12 , Jimmy Hess mysi...@gmail.com wrote:

  On 3/23/13, Owen DeLong o...@delong.com wrote:
  A reliable cost-effective means for FTL signaling is a hard problem
without
  a known solution.
 
  Faster than light signalling is not merely a hard problem.
  Special relativity doesn't provide that information may travel faster
  than the maximum speed C. If you want to signal faster than light, then
  slow down the light.
 
  An idiot-proof simple BGP configuration is a well known solution.
Automating
  it would be relatively simple if there were the will to do so.
 
  Logistical problems...  if it's a multihomed connection, which of the
  two or three providers manages it,  and gets to blame the other
  provider(s) when anything goes wrong: or are you gonna rely on the
  customer to manage it?
 

 The box could (pretty easily) be built with a Primary and Secondary
port.

 The cable plugged into the primary port would go to the ISP that sets the
 configuration. The cable plugged into the other port would go to an ISP
 expected to accept the announcements of the prefix provided by the ISP
 on the primary port.

 BFD could be used to illuminate a tri-color LED on the box for each port,
 which would be green if BFD state is good and red if BFD state is bad.

 At that point, whichever one is red gets the blame. If they're both green,
 then traffic is going via the primary and the primary gets the blame.

 If you absolutely have to troubleshoot which provider is broken, then
 start by unplugging the secondary. If it doesn't start working in 5
minutes,
 then clearly there's a problem with the primary regardless of what else
 is happening.

 Lather, rinse, repeat for the secondary.

  Someone might be able to make a protocol that lets this happen, which
  would need to detect on a per-route basis any performance/connectivity
  issues, but I would say it's not any known implementation of BGP.

 A few additional options to DHCP could actually cover it from the primary
 perspective.

 For the secondary provider, it's a little more complicated, but could be
 mostly automated so long as the customer identifies the primary provider
 and/or provides an LOA for the authorized prefix from the primary to
 the secondary.

 The only complexity in the secondary case is properly filtering the
announcement
 of the prefix assigned by the primary.

  1.   ISPs are actually motivated to prevent customer mobility, not
  enable it.
 
  2.   ISPs are motivated to reduce, not increase the number of
  multi-homed sites occupying slots in routing tables.
 
 This is not some insignificant thing.   The ISPs have to maintain
  routing tables
 as well;  ultimately the ISP's customers are in bad shape, if too
many slots
 are consumed.
 

 I never said it was insignificant. I said that solving the multihoming
problem
 in this manner was trivial if there was will to do so. I also said that
the above
 were contributing factors in the lack of will to do so.

  How about
3.  Increased troubleshooting complexity when there are potential
  issues or complaints.
 

 I do not buy that it is harder to troubleshoot a basic BGP configuration
 than a multi-carrier NAT-based solution that goes woefully awry.

 I'm sorry, I've done the troubleshooting on both scenarios and I have
 to say that if you think NAT makes this easier, you live in a different
 world than I do.

  The concept of a fool proof  BGP configuration is clearly a new sort
of myth.

 Not really.

 Customer router accepts default from primary and secondary providers.
 So long as default remains, primary is preferred. If primary default goes
 away, secondary is preferred.

 Customer box gets prefix (via DHCP-PD or static config or whatever
 either from primary or from RIR). Advertises prefix to both primary
 and secondary.

 All configuration of the BGP sessions is automated within the box
 other than static configuration of customer prefix (if static is desired).

 Primary/Secondary choice is made by plugging providers into the
 Primary or Secondary port on the box.

  The idea that the protocol on its own, with a very basic config, does
  not ever require
  any additional attention,  to achieve expected results;  where
  expected results include isolation from any faults with the path from
  one of of the user's two, three, or four providers,  

Re: NYT covers China cyberthreat

2013-02-26 Thread Kyle Creyts
I think it is safe to say that finding a foothold inside of the United
States from which to perform/proxy an attack is not the hardest thing
in the world. I don't understand why everyone expects that major
corporations and diligent operators blocking certain countries'
prefixes will help. That being said, you make a solid point to which
people should absolutely listen: applying an understanding of your
business-needs-network-traffic baseline to your firewall rules and
heuristic network detections (in a more precise fashion than just IPs
from country $x) is a SOLID tactic that yields huge security
benefits. Nobody who cares about security should really be able to
argue with it (plenty of those who care don't will hate it, though),
and makes life _awful_ for any attackers.

On Tue, Feb 26, 2013 at 3:43 AM, Rich Kulawiec r...@gsp.org wrote:
 On Thu, Feb 21, 2013 at 11:47:44AM -0600, Naslund, Steve wrote:

 [a number of very good points ]

 Geoblocking, like passive OS fingerprinting (another technique that
 reduces attack surface as measured along one axis but can be defeated
 by a reasonably clueful attacker), doesn't really solve problems, per se.
 If you have a web app that's vulnerable to SQL injection attacks, then
 it's still just as hackable -- all the attacker has to do is try from
 somewhere else, from something else.

 But...

 1. It raises the bar.  And it cuts down on the noise, which is one of the
 security meta-problems we face: our logs capture so much cruft, so many
 instances of attacks and abuse and mistakes and misconfigurations and
 malfunctions, that we struggle to understand what they're trying to tell
 us.  That problem is so bad that there's an entire subindustry built
 around the task of trying to reduce what's in the logs to something
 that a human brain can process in finite time.  Mountains of time
 and wads of cash have been spent on the thorny problems that arise
 when we try to figure out what to pay attention to and what to ignore...
 and we still screw it up.  Often.

 So even if the *only* effect of doing so is to shrink the size of
 the logs: that's a win.  (And used judiciously, it can be a HUGE win,
 as in several orders of magnitude.)  So if your security guy is
 as busy as you say...maybe this would be a good idea.

 And let me note in passing that by raising the bar, it ensures that
 you're faced with a somewhat higher class of attacker.  It's one
 thing to be hacked by a competent, diligent adversary who wields
 their tools with rapier-like precision; it's another to be owned
 by a script kiddie who has no idea what they're doing and doesn't
 even read the language your assets are using.  That's just embarrassing.

 2. Outbound blocks work too, y'know.  Does anybody in your marketing
 department need to reach Elbonia?  If not, then why are you allowing
 packets from that group's desktops to go there?  Because either
 (a) it's someone doing something they shouldn't or (b) it's something doing
 something it shouldn't, as in a bot trying to phone home or a data
 exfiltration attack or something else unpleasant.  So if there's
 no business need for that group to exchange packets with Elbonia
 or any of 82 other countries, why *aren't* you blocking that?

 3. Yes, this can turn into a moderate-sized matrix of inbound and
 outbound rules.  That's why make(1) and similar tools are your friends,
 because they'll let you manage this without needing to resort to scotch
 by 9:30 AM.  And yes, sometimes things will break (because something's
 changed) -- but the brokeness is the best kind of brokeness: obvious,
 deterministic, repeatable, fixable.

 It's not hard.  But it does require that you actually know what your
 own systems are doing and why.

 4. "We were hacked from China" is wearing awfully damn thin as the
 feeble whining excuse of people who should have bidirectionally firewalled
 out China from their corporate infrastructure (note: not necessarily
 their public-facing servers) years ago.  And "our data was exfiltrated
 to Elbonia" is getting thin as an excuse too: if you do not have an
 organizational need to allow outbound network traffic to Elbonia, then
 why the hell are you letting so much as a single packet go there?

 Like I said: at least make them work for it.  A little.  Instead of
 doing profoundly idiotic things like the NYTimes (e.g., infrastructure
 reachable from the planet, using M$ software, actually believing that
 anti-virus software will work despite a quarter-century of uninterrupted
 failure, etc.).  That's not making them work for it: that's inviting
 them in, rolling out the red carpet, and handing them celebratory champagne.

 ---rsk




-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer
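Rich's point 3 above, the per-group inbound/outbound country matrix that has to be generated rather than hand-edited, is shown here as an added example that is not code from the thread or from any of its participants. The group subnets, the "country" prefixes (RFC 5737 documentation ranges standing in for a real RIR-derived list) and the policy entries are all constructed; the matrix is rendered as ipset/iptables commands, and decide() lets you check what the rules would do to a packet before you deploy them, which is what keeps breakage obvious and deterministic.

```python
"""Render a default-deny, per-group country-block matrix as ipset + iptables
commands and check individual packets against it offline.  Added example;
all group, prefix and policy data below is constructed."""
from ipaddress import ip_address, ip_network

# Constructed "country" prefix lists (RFC 5737 documentation ranges).  In
# practice these come from your RIR or geo-IP feed, regenerated on a schedule.
COUNTRY_PREFIXES = {
    "elbonia": ["192.0.2.0/24", "198.51.100.0/24"],
    "freedonia": ["203.0.113.0/24"],
}

# Hypothetical internal groups and their desktop subnets.
GROUPS = {
    "marketing": "10.10.0.0/16",
    "engineering": "10.20.0.0/16",
}

# The matrix: (group, country) -> directions with a documented business need.
# Absent pairs get no traffic in either direction.
POLICY = {
    ("engineering", "freedonia"): {"out"},
}


def allowed(group, country, direction, policy=POLICY):
    """True if the matrix grants this direction for the group/country pair."""
    return direction in policy.get((group, country), set())


def render_rules(groups=GROUPS, countries=COUNTRY_PREFIXES, policy=POLICY):
    """Return the ipset/iptables command lines that implement the matrix.
    Each blocked (group, country, direction) gets a LOG line and a DROP line
    so a hit is visible in the logs and attributable to one matrix cell."""
    lines = []
    for country, prefixes in sorted(countries.items()):
        setname = f"geo-{country}"
        lines.append(f"ipset create {setname} hash:net -exist")
        for pfx in prefixes:
            lines.append(f"ipset add {setname} {pfx} -exist")
    for group, subnet in sorted(groups.items()):
        for country in sorted(countries):
            setname = f"geo-{country}"
            if not allowed(group, country, "in", policy):
                match = f"-m set --match-set {setname} src -d {subnet}"
                lines.append(f'iptables -A FORWARD {match} -j LOG --log-prefix "geo-in {group}/{country} "')
                lines.append(f"iptables -A FORWARD {match} -j DROP")
            if not allowed(group, country, "out", policy):
                match = f"-m set --match-set {setname} dst -s {subnet}"
                lines.append(f'iptables -A FORWARD {match} -j LOG --log-prefix "geo-out {group}/{country} "')
                lines.append(f"iptables -A FORWARD {match} -j DROP")
    return lines


def decide(src, dst, groups=GROUPS, countries=COUNTRY_PREFIXES, policy=POLICY):
    """Offline check of what the rendered rules do to one packet.
    Returns 'ACCEPT' or 'DROP:<group>/<country>/<direction>'."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)

    def country_of(ip):
        for country, prefixes in countries.items():
            if any(ip in ip_network(p) for p in prefixes):
                return country
        return None

    def group_of(ip):
        for group, subnet in groups.items():
            if ip in ip_network(subnet):
                return group
        return None

    # Inbound: listed country as source, internal group as destination.
    country, group = country_of(src_ip), group_of(dst_ip)
    if country and group and not allowed(group, country, "in", policy):
        return f"DROP:{group}/{country}/in"
    # Outbound: internal group as source, listed country as destination.
    group, country = group_of(src_ip), country_of(dst_ip)
    if group and country and not allowed(group, country, "out", policy):
        return f"DROP:{group}/{country}/out"
    return "ACCEPT"


if __name__ == "__main__":
    print("\n".join(render_rules()))
    print(decide("10.10.1.5", "192.0.2.10"))     # marketing -> elbonia: dropped
    print(decide("10.20.1.5", "203.0.113.7"))    # engineering -> freedonia: allowed
```

Because the matrix, not the rule file, is the source of truth, a changed business need is one dictionary entry and a re-render, which is the make(1)-driven workflow Rich describes.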



Re: NYT covers China cyberthreat

2013-02-21 Thread Kyle Creyts
The focus on platform here is ridiculous; can someone explain how
platform of attacker or target is extremely relevant? Since when did
people fail to see that we have plenty of inter-platform tools and
services, and plenty of tools for either platform built with the
express purpose of interaction with the other? Just because you
learned to code/operate on/for/with/from a *nix doesn't mean that
teams of Chinese coders can't make a tool that gets the job done
on/for/with/from a Windows box. Many people write many softwares of
diverse purpose and use for many platforms. Platform is, as far as I
can tell, moot in this discussion. Feel free to enlighten me.

Consider the US's indignation over the targeting of civilian or
corporate intellectual property and the shifting of reality from
preconceived expectation. I have had it explained to me as a purely
ideological difference between the US and China. Simply put: just
because we might find it immoral for state-sponsored espionage to feed
stolen IP into the private sector, doesn't mean that China will feel
the same; to some, it is perceived as nationalistic, another way the
government helps to strengthen the nation.

For another example of this, an acquaintance once told me about the
process of getting internationally standardized technologies approved
for deployment in China; the process that was described to me involved
giving China the standards-based spec that had been drafted and
approved, being told that for deployment, they would have to improve
upon it in a laundry list of ways to bring it some 5-10 years ahead of
the spec, and THEN it would be allowed to be deployed.

Whenever you have enough new players, or the game goes on long enough,
the rules end up changing.

On Thu, Feb 21, 2013 at 12:28 AM, calin.chiorean
calin.chior...@secdisk.net wrote:

 ::This all seems to be noobie stuff. There's nothing technically cool
 ::to see here

 You mean the report or the activity?

 You seem upset that they are using M$ only (target and source). They steal
 data!!! From whom to steal? From a guru that spends a minimum of 8 hours a day in
 front of *nix?
 Why put so much effort into stealing information from that guy, when there are
 thousands of people out there with vulnerable and easy-to-break M$.

 They aren't looking to do something cool, but just regular, plain old thief
 stuff.  Targeting M$ users is easy, involves fewer resources and it's
 business profitable. You need to look at this action from a business
 perspective.

 IMO, why spend hours to break something (like *nix systems) that you don't
 even know contains valuable information. This is more like sniffing
 around to find something useful and not targeting an exact system.

 Somebody here mentioned that this unit is not their top unit. I'm sure that 
 it's not. Maybe it was meant to be found.

 Cheers,
 Calin


  On Thu, 21 Feb 2013 01:29:48 +0100 Scott Weeks wrote:



--- valdis.kletni...@vt.edu wrote:
The scary part is that so many things got hacked by a bunch of people
who made the totally noob mistake of launching all their attacks from
the same place



This all seems to be noobie stuff. There's nothing technically cool
to see here. All they do is spear phishing and, once the link is
clicked, put in a backdoor that uses commonly available tools. As
I suspected earlier it's M$ against M$ only.

The downside is nontechnical folks in positions of power often have
sensitive data on their computers, only know M$ and don't have the
knowledge not to click on that bank email.

Technically, it was 74 pages of yawn. Don't waste your time unless
you're interested in how they found out where the attack was
originating from and how they tied it to the .cn gov't.

scott







-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer



Re: NYT covers China cyberthreat

2013-02-19 Thread Kyle Creyts
quite a bit of coverage lately from the media.

http://online.wsj.com/article/SB10001424127887323764804578313101135258708.html
http://www.bbc.co.uk/news/world-asia-pacific-21505803
http://www.npr.org/2013/02/19/172373133/report-links-cyber-attacks-on-u-s-to-chinas-military
http://www.businessweek.com/articles/2013-02-14/a-chinese-hackers-identity-unmasked

On Mon, Feb 18, 2013 at 7:23 PM, Jay Ashworth j...@baylink.com wrote:

 http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?pagewanted=all
 --
 Sent from my Android phone with K-9 Mail. Please excuse my brevity.




--
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer



Re: Gmail and SSL

2013-01-03 Thread Kyle Creyts
other relevant links for this:
http://krebsonsecurity.com/2013/01/turkish-govt-enabled-phishers-to-spoof-google/
http://technet.microsoft.com/en-us/security/advisory/2798897

On Thu, Jan 3, 2013 at 4:25 PM, Steven Bellovin s...@cs.columbia.edu wrote:

 On Jan 3, 2013, at 3:52 PM, Matthias Leisi matth...@leisi.net wrote:

 On Thu, Jan 3, 2013 at 4:59 AM, Damian Menscher dam...@google.com wrote:


 While I'm writing, I'll also point out that the Diginotar hack which came
 up in this discussion as an example of why CAs can't be trusted was
 discovered due to a feature of Google's Chrome browser when a cert was


 Similar to
 http://googleonlinesecurity.blogspot.ch/2013/01/enhancing-digital-certificate-security.html?

 Thanks; I was just about to post that link to this thread.

 Certificates don't spread virally, and random browsers don't go looking
 for whatever interesting certificates they find.  They also don't like
 certs that say *.google.com when the user is trying to go somewhere else;
 that web site would be non-functional unless it was trying to impersonate
 a Google domain.  Taken all together, this sounds to me like deliberate
 mischief by someone.  In fact, were it not for the facts that the blog
 post says that Google learned of this on December 24 and this thread started
 on December 14, I'd wonder if there was a connection -- was this the
 incident that made Google reassess its threat model?

 Of course, this attack was carried out within the official PKI framework...

 --Steve Bellovin, https://www.cs.columbia.edu/~smb









-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer



Re: William was raided for running a Tor exit node. Please help if you can.

2012-12-17 Thread Kyle Creyts
In most jurisdictions, wouldn't using a de-gaussing ring in the door frame
to wipe any equipment being removed constitute tampering with evidence or
interfering with an investigation if the authority in question is in
possession of a warrant/subpoena?

On Mon, Dec 17, 2012 at 11:33 AM, Jeroen van Aart jer...@mompl.net wrote:

 On 11/30/2012 02:02 PM, Naslund, Steve wrote:

 OK, there must be a lot more paranoid people out there than I thought


  for awhile?  I am sure he will let you out to go to the bank, get your
 stuff, and leave town.  I think you have seen way too many movies.


  So if the cops show up at his door tomorrow and say "Here's all your
 stuff back, there was no evidence of a crime.", you are OK with this
 guy keeping the defense fund?


 I for one vote for installing a de-gaussing ring in your door frame. Any
 removal of equipment you don't approve of will be wiped. That and
 encryption possibly combined with hiding the real OS (truecrypt can do
 that).

 Greetings,
 Jeroen

 --
 Earthquake Magnitude: 5.1
 Date: Monday, December 17, 2012 17:46:48 UTC
 Location: central East Pacific Rise
 Latitude: -3.9682; Longitude: -104.0375
 Depth: 15.70 km




-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer


Re: William was raided for running a Tor exit node. Please help if you can.

2012-11-29 Thread Kyle Creyts
On Thu, Nov 29, 2012 at 2:00 PM, Jim Mercer j...@reptiles.org wrote:
 On Thu, Nov 29, 2012 at 01:19:19PM -0600, Naslund, Steve wrote:
 I think the best analogy I would use in defense is something like the
 pre-paid cellular phones that are sold.  That is about the only
 anonymous communications service I can think of off the top of my head.
 Problem is that most people are not licensed carriers and may not be
 able to hide behind that protection.

 if your phone is stolen and used by a drug dealer, i'm pretty sure the cops
 would not be after you for anything the dealer did.

 if you stand on the corner with a sign saying "free cell phone airtime,
 just ask me", they might take a different view on things.

 now, whether you are guilty of anything or not, by standing there with a sign
 you are certainly opening yourself to legal inquiry, delay and hassle.

 i wouldn't be surprised if the cops didn't accept your "i'm just letting
 people use my phone, i've got nothing to do with their activities" defence,
 at least not without poking about for a bit, which might include looking
 at your cellphone, your home phone, your bank records, and anything else
 they think (and a judge agrees) might need viewing to clear you.

A few questions this thread raises for me: you are a very trusting
person, and frequently let people borrow your things. A friend
frequently borrows your phone, which he explains is because he:

 a) frequently lets his phone die, or has run close to using too many minutes.

  You frequently allow him (and other people) to borrow your phone. At
some point, it becomes clear that his life has taken a turn for the
worse, and he has become involved in activities of which you do not
approve. You stop allowing him to use your phone. During a criminal
investigation of your friend's activities, it later becomes clear that
for some time he was using it for illegal activities.

  At what point did allowing him to use your phone become illegal, and
how should a responsible citizen rationally realize or identify this
point?

  How can one be reasonably sure that one knows another person well
enough to allow them to use one's equipment/resources? When do you
become responsible for the activity of someone else on your equipment?
Clearly "always" is not correct; similarly, "never" is also not
correct.


 b) (most analogous to the actual situation) has a [legitimate?]
reason for wanting to avoid the entity he calls having, being able to
predict, see, or otherwise link some information he wishes to give
them with some information he does not wish to give them (for example,
his phone number [1])

  Upon this pretense, which seems fairly reasonable, you allow him
access to your phone. In order to enable this pursuit (so that this
phone number cannot be attached to a pattern of activity), you also
allow others to use your phone for similar reasons. You consider such
activity correlation/tracking and data mining to be a violation of
privacy (explicitly with regard to data-mining and activity tracking
performed in pursuit of selling this data for profit).


Now arguably, in the second case, you are operating this service
with an explicitly altruistic intent. IF you are not informed about
the mechanics of this process, and you are unaware of the issues this
creates for law enforcement entities in identifying criminals, what
constitutes wrongdoing? If you are not aware of criminal uses of your
service which is entirely free and only intended for avoiding
data-miners, are you still accountable for the activities of those
using it? Why? At what point do you accept or acquire this
responsibility? How is this different from operating a party line
shared by an apartment building or phone bridge with external calling
ability?


I am curious about the impact of the nuances of each of these situations.

[1] he is paranoid, and doesn't like the pizza place associating his
address with his phone number, or perhaps he is calling someone who
collects marketing data and attempts to data-mine his activity, or
some other more legitimate, applicable and realistic take on
appropriate cases for desiring anonymity in such a transaction


 --
 Jim Mercer Reptilian Research  j...@reptiles.org+1 416 410-5633
 He who dies with the most toys is nonetheless dead




-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer



Re: 25Mbps vs 4 Mbps

2012-11-21 Thread Kyle Creyts
Don't forget that in some cases, there are ISP-local cache boxes...
i.e. the Youtube Servers to which you refer may live _at_ the ISP.

On Mon, Nov 19, 2012 at 7:19 AM, Nick Olsen n...@flhsi.com wrote:
 It's all about if the bandwidth is there to use.

 I'm sure every youtube caching server has a connection which exceeds
 4Mb/s.

 How does a faster connection help? It allows the video to fill the buffer
 faster. Allowing for smoother playback on less bandwidth consistent
 circuits. Do you need it really if your video source is under 4Mb/s? In a
 perfect scenario, No.

 Now, That's youtube. Using Netflix as an example.

 I can start streaming a movie. And it'll pull 50-60Mb/s for about 20
 seconds, And it's playing HD quality almost immediately. Where on a slower
 connection it may not switch to HD until its filled its buffer more.

 Nick Olsen
 Network Operations (855) FLSPEED  x106

 
  From: Glen Kent glen.k...@gmail.com
 Sent: Monday, November 19, 2012 10:04 AM
 To: nanog@nanog.org nanog@nanog.org
 Subject: 25Mbps vs 4 Mbps

 Hi,

 The service provider(s) pipe that takes all web traffic from my laptop to
 the central servers (assume youtube) remain same whether i take a 4Mbps or
 a 25Mbps connection from my service provider. This means that the internet
 connection that i take from my service provider only affects the last mile
 -- from my home network to my service providers first access router. Given
 this, would one really see a 6 times improvement in a 25Mbps connection
 over a 4Mbps connection?

 I assume that the service providers rate limit the traffic much
 more aggressively in a 4Mbps connection. But this would only matter if the
 traffic from my youtube server is greater than 4Mbps, which i suspect
 would
 be the case.

 The question then is that how does going for a higher BW connection from
 the service provider help?

 Glen




-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer



Re: The Verge article about Verizon's Sandy Cleanup Efforts in Manhattan

2012-11-21 Thread Kyle Creyts
And they do have those towers all over the country...

On Tue, Nov 20, 2012 at 12:47 PM, Miles Fidelman
mfidel...@meetinghouse.net wrote:
 Christopher Morrow wrote:

 apologies, I forgot the emoticons after my last comment. I really did mean
 it in jest... I don't think VZ has harnessed weather-changing-powers. (yet).


 Well, they ARE The Phone Company!

 --
 In theory, there is no difference between theory and practice.
 In practice, there is.    Yogi Berra





-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer



Re: authority to route?

2012-11-15 Thread Kyle Creyts
Jeez, isn't RPKI supposed to solve this problem?

On Thu, Nov 15, 2012 at 10:36 AM, Schiller, Heather A
heather.schil...@verizon.com wrote:

 ..for some blocks I've taken over admin for.

   Make sure you are visibly listed as a Point of Contact on those records in 
 the appropriate RIR, so that folks who get your request can verify you.  Even 
 better, register in your RIR's RPKI program and generate a ROA for it.  Info 
 about ARIN's here: https://www.arin.net/resources/rpki/index.html

  Then yes, notify their upstreams/peers if needed and post here if things get 
 really desperate - have your records in order first.

  --Heather

 -Original Message-
 From: Jim Mercer [mailto:j...@reptiles.org]
 Sent: Monday, November 12, 2012 2:44 PM
 To: nanog@nanog.org
 Subject: authority to route?

 Hi,

 Is there a common practice of providers to vet / validate requests to 
 advertise blocks?

 Who is the authority when it comes to determining if a request for routing 
 is valid?

 Is it the WHOIS data maintained by the various RIR?

 It seems I'm playing whack-a-mole to get some routes shut down for some 
 blocks I've taken over admin for.

 If I email the contacts for the AS in WHOIS, and get no response, or a 
 negative response, should I start going to their peers?

 Some practical advice would be appreciated.

 --
 Jim Mercer Reptilian Research  j...@reptiles.org+1 416 410-5633
 He who dies with the most toys is nonetheless dead





-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer
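
Heather's ROA advice turns on route origin validation: a relying party compares an announcement against the ROAs that cover it and marks it valid, invalid, or not found, which is what lets "folks who get your request" verify an origin without trusting an email. The following is an added example implementing that RFC 6811 comparison in Python; it is not code from the thread or from ARIN, and the ROAs, prefixes (RFC 5737 documentation ranges) and AS numbers (RFC 6996 private range) are constructed samples.

```python
from ipaddress import ip_network
from typing import Dict, List, NamedTuple


class Roa(NamedTuple):
    prefix: str       # prefix the resource holder authorises
    max_length: int   # longest prefix length permitted (RFC 6482 maxLength)
    origin_as: int    # AS authorised to originate it


class Announcement(NamedTuple):
    prefix: str
    origin_as: int


# Constructed sample: documentation prefixes (RFC 5737) and private-use
# AS numbers (RFC 6996), not real registry data.
SAMPLE_ROAS = [
    Roa("192.0.2.0/24", 24, 64500),
    Roa("198.51.100.0/24", 26, 64501),
]


def validate_origin(ann: Announcement, roas: List[Roa]) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not_found'."""
    net = ip_network(ann.prefix)
    # A ROA covers the announcement when its prefix contains the announced one.
    covering = [
        r for r in roas
        if ip_network(r.prefix).version == net.version
        and net.subnet_of(ip_network(r.prefix))
    ]
    if not covering:
        return "not_found"  # no ROA says anything about this address space
    for r in covering:
        # Matching origin AND announced length within maxLength -> valid.
        if r.origin_as == ann.origin_as and net.prefixlen <= r.max_length:
            return "valid"
    # Covered, but every covering ROA disagrees on origin or on length.
    return "invalid"


def validate_table(announcements: List[Announcement],
                   roas: List[Roa]) -> Dict[Announcement, str]:
    """Validate a list of announcements against the same ROA set."""
    return {a: validate_origin(a, roas) for a in announcements}


if __name__ == "__main__":
    sample = [
        Announcement("192.0.2.0/24", 64500),       # legitimate origin
        Announcement("192.0.2.0/24", 64510),       # same prefix, wrong origin
        Announcement("198.51.100.128/25", 64501),  # more specific, within maxLength
        Announcement("198.51.100.128/27", 64501),  # too specific, exceeds maxLength
        Announcement("203.0.113.0/24", 64500),     # no ROA covers it
    ]
    for ann, state in validate_table(sample, SAMPLE_ROAS).items():
        print(f"{ann.prefix:20} AS{ann.origin_as}  {state}")
```

The second sample line is the shape Jim is chasing: someone else originating a prefix the holder has a ROA for comes back "invalid", while space with no ROA at all is only "not_found", which is why a ROA, not just a WHOIS contact, is what gives an upstream something to act on.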



Re: Heads-Up: GoDaddy Broke the Interwebs...

2012-09-11 Thread Kyle Creyts
http://www.godaddy.com/newscenter/release-view.aspx?news_item_id=410

On Mon, Sep 10, 2012 at 1:27 PM, Operations Dallas
operations.tcdal...@hotmail.com wrote:
 I thought I saw an article on routergod.com from Dance Patrick regarding 
 anycast DNS..
 ~oliver

 Sent via DynaTAC. Please forgive spelling and grammar.

 -Original Message-
 From: bill.ing...@t-systems.com
 Date: Mon, 10 Sep 2012 19:13:27
 To: aa...@heyaaron.com; nanog@nanog.org
 Subject: RE: Heads-Up: GoDaddy Broke the Interwebs...


 Looks like this may be a DDoS attack from Anonymous:

 http://techcrunch.com/2012/09/10/godaddy-outage-takes-down-millions-of-sites/


 -Original Message-
 From: Aaron C. de Bruyn [mailto:aa...@heyaaron.com]
 Sent: Monday, September 10, 2012 1:07 PM
 To: NANOG mailing list
 Subject: Heads-Up: GoDaddy Broke the Interwebs...

 For the last ~15 minutes I've been receiving complaints about DNS issues.  
 GoDaddy DNS is apparently b0rked.  I'm also seeing a lot of tweets about 
 their hosting and VPS being down.  I'm unable to access the control panel for 
 one of my customer accounts.


 -A




-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer



Re: Heads-Up: GoDaddy Broke the Interwebs...

2012-09-11 Thread Kyle Creyts
No DDoS or Anonymous attack appears to have been involved.

On Tue, Sep 11, 2012 at 10:54 AM, Kyle Creyts kyle.cre...@gmail.com wrote:
 http://www.godaddy.com/newscenter/release-view.aspx?news_item_id=410

 On Mon, Sep 10, 2012 at 1:27 PM, Operations Dallas
 operations.tcdal...@hotmail.com wrote:
 I thought I saw an article on routergod.com from Dance Patrick regarding 
 anycast DNS..
 ~oliver

 Sent via DynaTAC. Please forgive spelling and grammar.

 -Original Message-
 From: bill.ing...@t-systems.com
 Date: Mon, 10 Sep 2012 19:13:27
 To: aa...@heyaaron.com; nanog@nanog.org
 Subject: RE: Heads-Up: GoDaddy Broke the Interwebs...


 Looks like this may be a DDoS attack from Anonymous:

 http://techcrunch.com/2012/09/10/godaddy-outage-takes-down-millions-of-sites/


 -Original Message-
 From: Aaron C. de Bruyn [mailto:aa...@heyaaron.com]
 Sent: Monday, September 10, 2012 1:07 PM
 To: NANOG mailing list
 Subject: Heads-Up: GoDaddy Broke the Interwebs...

 For the last ~15 minutes I've been receiving complaints about DNS issues.  
 GoDaddy DNS is apparently b0rked.  I'm also seeing a lot of tweets about 
 their hosting and VPS being down.  I'm unable to access the control panel 
 for one of my customer accounts.


 -A




 --
 Kyle Creyts

 Information Assurance Professional
 BSidesDetroit Organizer



-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer



Re: Heads-Up: GoDaddy Broke the Interwebs...

2012-09-11 Thread Kyle Creyts
+1

Announcing a prefix doesn't mean that the traffic to those IPs found
within shall ever arrive.

On Tue, Sep 11, 2012 at 8:43 PM, Christopher Morrow
morrowc.li...@gmail.com wrote:
 On Tue, Sep 11, 2012 at 11:16 PM, Naveen Nathan nav...@lastninja.net wrote:
 Well, mostly I'm taking GoDaddy at their word that this was not a DoS 
 attack.

 I also believe it was related to BGP, and am happy to get more info.  But 
 we are discussing Anonymous vs. Self-inflicted wound here.

 I'm skeptical, BGPlay (http://bgplay.routeviews.org/) doesn't show any 
 withdrawn routes for any of their prefixes over Sep 9-11. In fact, their BGP 
 operation looks fairly operational during the time from what I can gather.

 a bgp error doesn't HAVE to mean that they withdrew (or even
 re-announced!) anything to the outside world, does it?

 for instance:
   border-router - internet
redistribute your aggregate networks from statics to Null0 on the
 border-router
accept full routes so you can send them to the other borders and
 make good decisions at the external edge

   border-router - internal
 send default or some version of default via a filter to internal
 datacenter routers/aggregation/distribution devices.
 accept from them (maybe) local subnets that are part of your aggregates

 now, accidentally remove the filter content for the sessions between the
 border and internal ... oops, your internal devices bounce with
 'corrupted tables' (blown tables)... you still send your aggs steadily
 to the interwebs, wee!

 -chris




-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer



Re: Heads-Up: GoDaddy Broke the Interwebs...

2012-09-11 Thread Kyle Creyts
(Arrive at the intended destination, that is)

On Tue, Sep 11, 2012 at 9:18 PM, Kyle Creyts kyle.cre...@gmail.com wrote:
 +1

 Announcing a prefix doesn't mean that the traffic to those IPs found
 within shall ever arrive.

 On Tue, Sep 11, 2012 at 8:43 PM, Christopher Morrow
 morrowc.li...@gmail.com wrote:
 On Tue, Sep 11, 2012 at 11:16 PM, Naveen Nathan nav...@lastninja.net wrote:
 Well, mostly I'm taking GoDaddy at their word that this was not a DoS 
 attack.

 I also believe it was related to BGP, and am happy to get more info.  But 
 we are discussing Anonymous vs. Self-inflicted wound here.

 I'm skeptical, BGPlay (http://bgplay.routeviews.org/) doesn't show any 
 withdrawn routes for any of their prefixes over Sep 9-11. In fact, their BGP 
 operation looks fairly operational during the time from what I can gather.

 a bgp error doesn't HAVE to mean that they withdrew (or even
 re-announced!) anything to the outside world, does it?

 for instance:
   border-router - internet
redistribute your aggregate networks from statics to Null0 on the
 border-router
accept full routes so you can send them to the other borders and
 make good decisions at the external edge

   border-router - internal
 send default or some version of default via a filter to internal
 datacenter routers/aggregation/distribution devices.
 accept from them (maybe) local subnets that are part of your aggregates

 now, accidentally remove the filter content for the sessions between the
 border and internal ... oops, your internal devices bounce with
 'corrupted tables' (blown tables)... you still send your aggs steadily
 to the interwebs, wee!

 -chris




 --
 Kyle Creyts

 Information Assurance Professional
 BSidesDetroit Organizer



-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer



Re: Color vision for network techs

2012-09-04 Thread Kyle Creyts
Tei:
such applications exist, see

http://dankaminsky.com/2010/12/15/dankam/

http://www.wpcentral.com/augmented-reality-app-windows-phone-ids-colors-real-world-video

http://daily-steampunk.com/steampunk-blog/2012/05/27/augmented-reality-steampunk-and-learing-color-vacuum/
On Sep 3, 2012 5:07 AM, Tei oscar.vi...@gmail.com wrote:

 Standards can have bugs, and a standard that is not compatible with
 maybe 5% of the population is buggy.

 Almost any standard that starts "this is red and this is green" is
 flawed this way.  This means any future standard created has to look
 into this type of stuff (and i18n and localization and others) to not
 create flawed, buggy standards.

 Old standards can be updated ... (maybe include lines of the same
 color but different contrast), but we all know how hard it is to update
 standards.

 If I were one of these dudes, I would download/create an app for my
 iPhone that recolorizes video to change colours to others so I could tell
 the difference.



 --
 --
 ℱin del ℳensaje.




Re: DOCSIS 3.0 PPPoE/L2TP compatibility

2012-07-31 Thread Kyle Creyts
to elaborate on Valdis' reply, stick a fork in pptp, it is done.
https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

On Tue, Jul 31, 2012 at 3:13 PM, iptech ipt...@northrock.bm wrote:
 Hey Ricky,

 Yes, that is the exact setup: the cableco brings the customer to us via L2TP,
 and now wants to do PPTP only.

 I will keep digging on the ARRIS, which I have been told is a C4 system,
 although their website doesn't show many tech specs.

 They are pushing for the L3 option since their CMTS will now be a hop in the
 path between the customer and us, instead of L2 transparent.

 Suggestions?

 Thanks,


 On 7/31/2012 5:19 PM, Ricky Beam wrote:

 On Mon, 30 Jul 2012 08:33:51 -0400, iptech ipt...@northrock.bm wrote:

 3.0 compliant setup, and this standard no longer supports PPPoE via L2TP,
 and can now only offer PPTP for terminating with us.


 As I recall from my reading of the standard, there's nothing in there to
 prevent any tunneling on top of the DOCSIS bridged ethernet.

 I suspect this is not a standard problem but an ISP problem... their new
 hardware doesn't support PPPoE/L2TP, it's an additional license, or they
 don't know how (or unwilling) to configure it.

 (I'm assuming the PPPoE is between you and the customer, and L2TP is
 between your network and the cable network. i.e. L2TP is how your customers
 are brought to you from the cable network.)

 I have no documentation on ARRIS either, so I don't know what they
 can/cannot do.






-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer



Re: FYI Netflix is down

2012-07-04 Thread Kyle Creyts
Tell that to people in the third world without utilities.
On Jul 3, 2012 8:32 PM, Randy Bush ra...@psg.com wrote:

  Also, I don't think there is an acceptable level of downtime for
  water.

 coming soon to a planet near you

 randy




Re: No DNS poisoning at Google (in case of trouble, blame the DNS)

2012-07-03 Thread Kyle Creyts
.
 
 
  On 27 Jun 2012, at 05:07, Daniel Rohan dro...@gmail.com wrote:
 
   On Wed, Jun 27, 2012 at 10:50 AM, Stephane Bortzmeyer 
 bortzme...@nic.frwrote:
  
   What made you think it can be a DNS cache poisoning (a very rare
   event, despite what the media say) when there are many much more
   realistic possibilities (trollspecially for a Web site written in
   PHP/troll)?
  
   What was the evidence pointing to a DNS problem?
  
  
   It seems likely that he made a mistake in his analysis of the evidence.
   Something that could happen to anyone when operating outside of a
 comfort
   zone or having a bad day. Go easy.
  
   -DR
 

 --

  - (2^(N-1))










-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer


Re: No DNS poisoning at Google (in case of trouble, blame the DNS)

2012-07-03 Thread Kyle Creyts
and upon further investigation, it seems like there might be an actual
organization using a host with that IP...

http://www.robtex.com/dns/chatwithus.net.html#shared

On Tue, Jul 3, 2012 at 2:27 PM, Kyle Creyts kyle.cre...@gmail.com wrote:

 it actually appears that skywire has a suballocation for that block,
 http://www.robtex.com/ip/208.88.11.111.html#whois

 #
 # The following results may also be obtained via:
 # http://whois.arin.net/rest/nets;q=208.88.11.111?showDetails=true&showARIN=false&ext=netref2
 #

 American West Internet SKYWIRE-SG (NET-208-88-11-0-1) 208.88.11.0 - 208.88.11.255

 Sky Wire Communications SKYWIRE-SG (NET-208-88-8-0-1) 208.88.8.0 - 208.88.11.255

 #
 # ARIN WHOIS data and services are subject to the Terms of Use
 # available at: https://www.arin.net/whois_tou.html
 #

 On Wed, Jun 27, 2012 at 12:56 PM, Matthew Black 
 matthew.bl...@csulb.eduwrote:

 By the way, FTP access originated from: 208.88.11.111

 Sky Wire Communications SKYWIRE-SG (NET-208-88-8-0-1) 208.88.8.0 -
 208.88.11.255

 NetRange:   208.88.8.0 - 208.88.11.255
 CIDR:   208.88.8.0/22
 OriginAS:   AS40603
 NetName:SKYWIRE-SG
 NetHandle:  NET-208-88-8-0-1
 Parent: NET-208-0-0-0-0
 NetType:Direct Allocation
 Comment:http://www.skywireusa.com
 RegDate:2008-03-04
 Updated:2012-03-02
 Ref:http://whois.arin.net/rest/net/NET-208-88-8-0-1

 OrgName:Sky Wire Communications
 OrgId:  DGSU
 Address:946 W Sunset Blvd Ste L
 City:   St George
 StateProv:  UT
 PostalCode: 84770
 Country:US
 RegDate:2007-12-04
 Updated:2009-11-04
 Ref:http://whois.arin.net/rest/org/DGSU


 Who We Are
 Skywire Communications is the Leading High Speed Internet Provider in
 Southern Utah. Offering Service in St George, Washington, Santa Clara,
 Ivins, Cedar City, and Enoch. It is the goal of SkyWire Communications to
 provide high speed internet access to 100 Percent of Southern Utah. We are
 located in St George, Utah.




 matthew black
 information technology services
 california state university, long beach



 -Original Message-
 From: Matthew Black [mailto:matthew.bl...@csulb.edu]
 Sent: Wednesday, June 27, 2012 9:52 AM
 To: 'Jason Hellenthal'; Arturo Servin
 Cc: nanog@nanog.org
 Subject: RE: No DNS poisoning at Google (in case of trouble, blame the
 DNS)

 Ask and ye shall receive:

 # more .htaccess (backup copy)

 #c3284d#
 <IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|altavista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|bluewin|botw|brainysearch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|dogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditireland|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|gasta|gigablast|gimpsy|globalsearchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick|jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|live|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlsearch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|searchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|suchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-online|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche|westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*)
 RewriteRule ^(.*)$ http://www.couchtarts.com/media.php [R=301,L]
 </IfModule>
 #/c3284d#

   # # #

 matthew black
 information technology services
 california state university, long beach



 -Original Message-
 From: Jason Hellenthal [mailto:jhellent...@dataix.net]
 Sent: Wednesday, June 27, 2012 6:26 AM
 To: Arturo Servin
 Cc: nanog@nanog.org
 Subject: Re: No DNS poisoning at Google (in case of trouble, blame the
 DNS)


 What would be nice is the to see the contents of the htaccess file
 (obviously with sensitive information excluded)

 On Wed
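
The .htaccess Matthew posted has the classic shape of a search-engine cloaking injection: a RewriteCond keyed on HTTP_REFERER listing dozens of search engines and social sites, followed by a 301 to an external host, the whole thing wrapped in paired marker comments so the tool that planted it can find it again. Visitors arriving from a search result get redirected while the site owner, who types the URL directly, sees nothing wrong. As an added example (not code from the thread), the Python scanner below flags that shape in an .htaccess file. It assumes an own_hosts list naming destinations the site legitimately redirects to; the sample .htaccess and the redirect host in it are constructed, not the ones from the post.

```python
import re
from urllib.parse import urlparse
from typing import Dict, List

# Constructed sample .htaccess: a legitimate relative redirect first, then a
# block in the shape of the injected one (referrer-keyed redirect to a foreign
# host, wrapped in paired marker comments). The host is a placeholder.
SAMPLE_HTACCESS = r"""RewriteEngine On
RewriteRule ^old-page$ /new-page [R=301,L]

#c3284d#
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|bing|yahoo|facebook|twitter)\.(.*)
RewriteRule ^(.*)$ http://redirect-host.example/media.php [R=301,L]
</IfModule>
#/c3284d#
"""

REWRITE_COND = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.IGNORECASE)
REWRITE_RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?",
                          re.IGNORECASE)
# Paired "#xxxxxx#" ... "#/xxxxxx#" comments, generalised from the #c3284d#
# pair in the post; a heuristic, not a definitive indicator on its own.
MARKER = re.compile(r"^\s*#/?[0-9a-f]{6}#\s*$", re.IGNORECASE)


def scan_htaccess(text: str, own_hosts=("www.example.org",)) -> List[Dict]:
    """Flag referrer-conditional redirects to foreign hosts and marker comments.

    own_hosts (an assumption, not from the post) lists hostnames the site
    legitimately redirects to; absolute redirects anywhere else are reported.
    """
    findings: List[Dict] = []
    pending = []  # (line, pattern) of HTTP_REFERER conditions awaiting a rule
    for line_no, line in enumerate(text.splitlines(), start=1):
        if MARKER.match(line):
            findings.append({"kind": "marker_comment", "line": line_no})
            continue
        cond = REWRITE_COND.match(line)
        if cond:
            if cond.group(1).upper() == "%{HTTP_REFERER}":
                pending.append((line_no, cond.group(2)))
            continue
        rule = REWRITE_RULE.match(line)
        if not rule:
            continue
        target, flags = rule.group(2), rule.group(3) or ""
        parsed = urlparse(target)
        external = (parsed.scheme in ("http", "https")
                    and parsed.hostname not in own_hosts)
        # R or R=3xx (or the long form "redirect") makes it an external redirect
        redirect = any(f.strip().upper().startswith("R") for f in flags.split(","))
        if pending and external and redirect:
            findings.append({
                "kind": "referrer_redirect",
                "line": line_no,
                "cond_lines": [n for n, _ in pending],
                "target_host": parsed.hostname,
                # dozens of alternatives in the referrer pattern is the tell
                "referer_alternatives": max(p.count("|") + 1 for _, p in pending),
            })
        pending = []  # conditions govern only the immediately following rule
    return findings


if __name__ == "__main__":
    for f in scan_htaccess(SAMPLE_HTACCESS):
        print(f)
```

Run over the web root (every .htaccess, plus the vhost config), this gives an incident responder the rule lines to diff against a known-good copy; a benign relative redirect with no referrer condition, like the first rule in the sample, is not reported.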

Re: How to fix authentication (was LinkedIn)

2012-06-23 Thread Kyle Creyts
I would suggest that multiple models be pursued (since each appears to have
a champion) and that the market/drafting process will resolve the issue of
which is better (which is okay by me:  widespread adoption of any of the
proposed models would advance the state of the norm; progress beats the
snot out of stagnation in my book)

My earlier replies were reprehensible. This is not a thread that should
just be laughed off. Real progress may be occurring here, and at the least,
good knowledge and discussion is accumulating in a way which may serve as a
resource for the curious or concerned.
On Jun 22, 2012 7:25 AM, Leo Bicknell bickn...@ufp.org wrote:

 In a message written on Thu, Jun 21, 2012 at 04:48:47PM -1000, Randy Bush
 wrote:
  there are no trustable third parties

 With a lot of transactions the second party isn't trustable, and
 sometimes the first party isn't as well. :)

 In a message written on Thu, Jun 21, 2012 at 10:53:18PM -0400, Christopher
 Morrow wrote:
  note that yubico has models of auth that include:
1) using a third party
2) making your own party
3) HOTP on token
4) NFC
 
  they are a good company, trying to do the right thing(s)... They also
  don't necessarily want you to be stuck in the 'get your answer from
  another'

 Requirements of hardware or a third party are fine for the corporate
 world, or sites that make enough money or have enough risk to invest
 in security, like a bank.

 Requiring hardware for a site like Facebook or Twitter is right
 out.  Does not scale, can't ship to the guy in Pakistan or McMurdo
 who wants to sign up.  Trusting a third party becomes too expensive,
 and too big of a business risk.

 There are levels of security here.  I don't expect Facebook to take
 the same security steps as my bank to move my money around.  One
 size does not fit all.  Making it so a hacker can't get 10 million
 login credentials at once is a quantum leap forward even if doing
 so doesn't improve security in any other way.

 The perfect is the enemy of the good.

 --
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/



Re: SIXSS not working?

2012-06-20 Thread Kyle Creyts
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1820 possibly related?

On Wed, Jun 20, 2012 at 11:34 AM, Jeroen Massar jer...@unfix.org wrote:
 Good morning (at least on this side of the planet),

 On 2012-06-20 02:14, Hank Nussbacher wrote: On Wed, 20 Jun 2012, Jeroen
 Massar wrote:

 I'll report it to them but:

 NANOG is AFAIK still not the "contact the people who run things" email
 address...

 Nevertheless, if there are issues, do not hesitate to report to i...@sixxs.net

 http://www.sixxs.net/tools/grh/tla/
 Shows every country as V=0 (prefixes visible per country).

 That would mean that every prefix was not updated in the last day,
 sounds odd to me.

 On 2012-06-20 04:00, Hank Nussbacher wrote:
 On Wed, 20 Jun 2012, Hank Nussbacher wrote:

 It would appear that whatever was broken is now fixed.

 The only thing I can think of is that you have noticed some weird glitch
 of the kind there.

 As mentioned above the Visible is basically the amount of prefixes
 visible in the last 24 hours. For that to become 0 it would have meant
 that no prefix would have been seen for the last 24 hours.

 According to http://www.sixxs.net/tools/grh/status/ which just telnets
 into grh.sixxs.net and asks for quagga's status, seems that even peering
 sessions are connected for longer than that, thus I am puzzled to what
 could have caused that then.

 Greets,
  Jeroen





-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer



Re: How to fix authentication (was LinkedIn)

2012-06-20 Thread Kyle Creyts
Guess we all need implants deep in less-than-easily-operable areas to
bind us to a digitally-accessible identity. This would make for an
interesting set of user-based trust-anchoring paradigms, at least.

On Wed, Jun 20, 2012 at 7:26 PM, Jay Ashworth j...@baylink.com wrote:
 - Original Message -
 From: Leo Bicknell bickn...@ufp.org

 SSL certificates could be used this way today.

 SSH keys could be used this way today.

 PGP keys could be used this way today.

 What's missing? A pretty UI for the users. Apple, Mozilla, W3C,
 Microsoft IE developers and so on need to get their butts in gear
 and make a pretty UI to create personal key material, send the
 public key as part of a sign up form, import a key, and so on.

 Yes, but you're securing the account to the *client PC* there, not to
 the human being; making that Portable Enough for people who use and
 borrow multiple machines is nontrivial.

 Cheers,
 -- jra
 --
 Jay R. Ashworth                  Baylink                       
 j...@baylink.com
 Designer                     The Things I Think                       RFC 2100
 Ashworth  Associates     http://baylink.pitas.com         2000 Land Rover DII
 St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274




-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer



Re: How to fix authentication (was LinkedIn)

2012-06-20 Thread Kyle Creyts
who would mediate/verify/validate the trust transactions, though...
thats the hard part.

On Wed, Jun 20, 2012 at 7:46 PM,  valdis.kletni...@vt.edu wrote:
 On Wed, 20 Jun 2012 19:31:40 -0400, Kyle Creyts said:
 Guess we all need implants deep in less-than-easily-operable areas to
 bind us to a digitally-accessible identity. This would make for an
 interesting set of user-based trust-anchoring paradigms, at least.

 Credential revocation would suddenly get more interesting.  And I'm
 sure there's a divorce lawyer or 3 out there who will get some creatively
 evil ideas...



-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer



Re: Vixie warns: DNS Changer ‘blackouts’ inevitable

2012-05-23 Thread Kyle Creyts
It makes for a more sensational story.

On Wed, May 23, 2012 at 12:24 PM, Jay Ashworth j...@baylink.com wrote:
 - Original Message -
 From: bmann...@vacation.karoshi.com

 On Tue, May 22, 2012 at 07:14:16PM -0700, Henry Linneweh wrote:
  http://www.theregister.co.uk/2012/05/17/dns_changer_blackouts/

 Paul certainly knows how to manipulate the press.

 You don't know journalists very well, do you?

 Paul almost certainly (p  0.995) had nothing to do with the writer's
 chosen appellation, and wouldn't have been able to change it if he had.

 Cheers,
 -- jra
 --
 Jay R. Ashworth                  Baylink                       
 j...@baylink.com
 Designer                     The Things I Think                       RFC 2100
 Ashworth  Associates     http://baylink.pitas.com         2000 Land Rover DII
 St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274




-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer



Re: Operation Ghost Click

2012-04-26 Thread Kyle Creyts
http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf
On Apr 26, 2012 5:48 PM, Leigh Porter leigh.por...@ukbroadband.com
wrote:


 On 26 Apr 2012, at 22:47, Andrew Latham lath...@gmail.com wrote:

 On Thu, Apr 26, 2012 at 5:38 PM, Jeroen van Aart jer...@mompl.net wrote:

 Yes it's a major problem for the users unknowingly infected.  To them
 it will look like their Internet connection is down.  Expect ISPs to
 field lots of support s

 Is there a list of these temporary servers so I can see what customers are
 using them (indicating infection) and head off a support call with some
 contact?

 --
 Leigh





Re: Operation Ghost Click

2012-04-26 Thread Kyle Creyts
Thanks, Andrew. I was out and about, and couldn't remember the prefixes
off-hand. They should have been in that PDF, iirc
On Apr 26, 2012 6:01 PM, Andrew Latham lath...@gmail.com wrote:

 On Thu, Apr 26, 2012 at 5:57 PM, Kyle Creyts kyle.cre...@gmail.com
 wrote:
 
 http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf
 
  On Apr 26, 2012 5:48 PM, Leigh Porter leigh.por...@ukbroadband.com
  wrote:
 
 
   On 26 Apr 2012, at 22:47, Andrew Latham lath...@gmail.com wrote:
 
 
   On Thu, Apr 26, 2012 at 5:38 PM, Jeroen van Aart jer...@mompl.net wrote:
 
   Yes it's a major problem for the users unknowingly infected.  To them
  it will look like their Internet connection is down.  Expect ISPs to
  field lots of support s
 
  Is there a list of these temporary servers so I can see what customers
 are
  using them (indicating infection) and head off a support call with some
  contact?
 
  --
  Leigh

 85.255.112.0 through 85.255.127.255
 67.210.0.0 through 67.210.15.255
 93.188.160.0 through 93.188.167.255
 77.67.83.0 through 77.67.83.255
 213.109.64.0 through 213.109.79.255
 64.28.176.0 through 64.28.191.255

 --
 ~ Andrew lathama Latham lath...@gmail.com http://lathama.net ~
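
Leigh's question, how to see which customers are pointed at the temporary servers before the support calls arrive, is a range-membership check on either side of the wire: on a host, against the configured resolvers; at the ISP, against flow records for port 53 traffic. As an added example (not code from the thread or from the FBI document), this Python check turns the six ranges Andrew quoted into CIDR networks and applies them to two constructed inputs, a resolv.conf and a handful of flow records in an assumed `timestamp src dst dport` format. The resolver addresses in the samples are arbitrary picks inside the quoted ranges, and the client addresses are RFC 5737 documentation space.

```python
from ipaddress import IPv4Network, ip_address, summarize_address_range
from typing import Dict, List, Set

# The six ranges exactly as quoted in Andrew's reply above.
ROGUE_RANGES_TEXT = """\
85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255
"""


def parse_ranges(text: str) -> List[IPv4Network]:
    """Turn 'first through last' lines into CIDR networks (one or more per line)."""
    nets: List[IPv4Network] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        first, last = (ip_address(p.strip()) for p in line.split("through"))
        nets.extend(summarize_address_range(first, last))
    return nets


ROGUE_NETS = parse_ranges(ROGUE_RANGES_TEXT)


def is_rogue(addr: str) -> bool:
    """True when the address falls inside any of the quoted ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in ROGUE_NETS)


# Constructed sample inputs.
SAMPLE_RESOLV_CONF = """\
# resolv.conf of a suspect host (constructed)
search example.org
nameserver 85.255.116.57
nameserver 198.51.100.1
"""

SAMPLE_FLOWS = [
    # assumed format: <timestamp> <src_ip> <dst_ip> <dst_port>
    "2012-04-26T21:10:03 192.0.2.10 85.255.116.57 53",
    "2012-04-26T21:10:04 192.0.2.11 198.51.100.1 53",
    "2012-04-26T21:10:05 192.0.2.10 213.109.70.5 53",
    "2012-04-26T21:10:06 192.0.2.12 64.28.180.9 443",
]


def rogue_resolvers(resolv_conf: str) -> List[str]:
    """Host-side check: configured nameservers that sit in the rogue ranges."""
    hits = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and is_rogue(parts[1]):
            hits.append(parts[1])
    return hits


def infected_clients(flow_lines: List[str]) -> Dict[str, Set[str]]:
    """ISP-side check: sources sending DNS (port 53) to a rogue resolver."""
    clients: Dict[str, Set[str]] = {}
    for line in flow_lines:
        _ts, src, dst, dport = line.split()
        if dport == "53" and is_rogue(dst):
            clients.setdefault(src, set()).add(dst)
    return clients


if __name__ == "__main__":
    print("rogue networks:", [str(n) for n in ROGUE_NETS])
    print("rogue resolvers on host:", rogue_resolvers(SAMPLE_RESOLV_CONF))
    print("clients to notify:", infected_clients(SAMPLE_FLOWS))
```

The port filter matters: the last sample flow hits a rogue range on 443, which says nothing about the client's DNS settings, so it is left out of the notify list.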




admin for fixedorbit.com

2012-04-25 Thread Kyle Creyts
The contact form appears to be down (503 bad gateway on submit), and
if it is actively maintained, I would be very interested in talking to
someone about how it works, and how its path tracing simulations or
estimates compare with real-world numbers. (or if it is driven by real
world numbers, how it compares to what we observe)

Some of the information in the output of the path trace tool is less
than verbose.

-- 
Kyle Creyts



Re: Routing issues?

2012-03-22 Thread Kyle Creyts
Kinda looks like a problem with their monitor.
On Mar 22, 2012 6:07 PM, Jeff Harper jhar...@well.com wrote:

 Anyone else noticing some routing abnormalities today?

 http://www.internettrafficreport.com/details.htm

 Jeff Harper |  www.well.com
 ip access-list extended jeff
 permit ip any any eq intelligence log
 deny ip any any eq stupid-people





Re: AS Connectivity Lookup

2012-03-10 Thread Kyle Creyts
bgptables.merit.edu
On Mar 7, 2012 2:06 PM, Radke, Justin jra...@canbytel.com wrote:

 All great answers! Thank you!

 -=JGR

 On Wed, Mar 7, 2012 at 10:35 AM, David Walker davidianwal...@gmail.com
 wrote:

  On 08/03/2012, Anurag Bhatia m...@anuragbhatia.com wrote:
   Hi Radke
  
   You can try http://bgp.he.net
 
  Example:
  http://bgp.he.net/AS4739
 
  Guest login here:
  http://peeringdb.com/
 
  
   On Wed, Mar 7, 2012 at 10:59 PM, Radke, Justin jra...@canbytel.com
  wrote:
  
    How can I easily view the current peering relationship of a particular AS?
    Assume the AS you are researching does not have a looking glass and you are
    not going to do lookups from the top 10 providers' route servers to get some
    glimpse of their connectivity. In my particular search bgplay.routeviews.org
    does not have any information and as-rank.caida.org is out of date. In the
    past there was a great website called webtrace.info but it is no longer
    online.
  
   Any suggestions?
  
  
  
  
   --
  
   Anurag Bhatia
   anuragbhatia.com
   or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected
   network!
  
   Twitter: @anurag_bhatia https://twitter.com/#!/anurag_bhatia
   Linkedin: http://linkedin.anuragbhatia.com
  
 



Re: Water Utility SCADA 'Attack': The, um, washout

2011-11-28 Thread Kyle Creyts
I would actually carry this to another level, and say this leak could be
considered evidence that the fusion centers are working quite well. The
fact is that a fusion center, in this case, enabled the community to:
 1) respond to an event (together);
 2) know where to contribute any coordinating information, now or in the
    future;
 3) be on the lookout for similar events;
 4) raise awareness about a perceived problem that doesn't seem to be
    getting better;
 5) perceive a measure of transparency in the operation and utility of these
    fusion centers.

From where I stand, this disclosure being dubbed a "leak" is improper.
Perhaps it was a leak, perhaps it was an intentional disclosure. Either
way, it showed that fusion centers are working to escalate the attention
given to potentially serious issues, with a defined benefit to the
community they serve, while operating with an appropriate degree of
cooperation between TLAs. And while there was media FUD early on, the final
output was clear, concise, and non-speculative.

On Sat, Nov 26, 2011 at 7:40 PM, valdis.kletni...@vt.edu wrote:

 On Sat, 26 Nov 2011 17:38:55 EST, Jared Mauch said:

I suggest new secrecy legislation, for fusion centres.

  It already exists :)

  People may be subject to prosecution for leaking this to the public.
  It's that simple.  Problem is it can't be undone, so it's not an
  interesting case in some regards...

 Actually, it's *not* that simple - it's complicated enough that a quick
 knee-jerk "There should be a law against it" reaction is probably a bad idea.
 (In fact, I'll go out on a limb and say that one-sentence "there should be a
 law against it" reactions are almost always a bad idea).

 After all, fusion centers were originally created because too many agencies
 had laws and regulations banning the sharing of information. We saw a decade
 ago just how well *that* worked out for us. So it's not at all clear that new
 laws making things *more* classified are a good idea in this case. Nor is it
 obvious how to code useful laws to prohibit the dissemination of data from a
 group set up for the express purpose of mining data and disseminating the
 results.  Sure you can tighten things down, but if a fusion center can't
 release something quickly, it's not a lot of use, is it?

 (We've more than once gotten stuff from various TLAs stamped with a default
 "No Foreign Nationals" that ended up being totally unusable because we've got
 foreign nationals all over the place, and had to wait for a second copy that
 had gotten kicked down to FOUO so we could use it - loads of fun)

 So the last thing we need is people who don't even know what laws already
 exist calling for the creation of *new* laws.

 And quite frankly, which way do you want these things to fail?  Do you want an
 early alert that says "evil packets may be coming in from Russia", or do you
 want it to wait till they've verified it's a contractor's employee ssh'ing in
 while on vacation? Sure, a few people have some egg on their faces and now
 have a really good bar story.  But let's keep in mind that it took several days
 to sort this one out - coincidentally, just about the same number of days that
 it took Sony to come out and say that PSN got whacked.

 You really can't have it both ways.  Which do you want, false positives or
 false negatives?




-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer


Re: XSServer / Taking down a spam friendly provider

2011-10-30 Thread Kyle Creyts
I would agree that at the moment, we exist in what is supposed to be a
self-policing community. How long will it stay so, if livelihoods are
jeopardized?

Some are paid to move bits, and consider that their only obligation. Others
are charged with operating services that are impacted by the aforementioned
types of pollution. But each party cannot exist without the other, at the
end of the day; the economic relationship between the two, at some level,
makes this a shared problem.

While bit-movers _may not_ have an explicit and direct business reason to
aid in reducing the pollution in the community, as members of the
community, is it not our collective responsibility to work against those
polluting it?

It is disrespectful, IMHO, to those who worked so hard to make this
communal resource the shared treasure it is, for us to neglect the duty to
protect and care for it.

I understand that not everyone feels that it should be policed. I have
respect for those who feel this way. To me, this is a complicated
ecosystem, and we are its custodians, responsible for its continued health
and function.

Who among you does not have a custodial relationship with some network or
inter-networking? Do none of you feel a responsibility to maintain it for
those who will come after you?

As a part of ensuring the continued function of our ecosystem, in light of
the reality of this pollution, I think ensuring the integrity of our
individual administrative domains, and working with others, in some
capacity, to ensure the health and integrity of their own, is paramount.

I would make a reference to the way we have treated and are treating our
planet, but the analogy is tired. I do fear that some day, the 'way we
treated the internet' will be a similarly tired metaphor.

-k
On Oct 27, 2011 8:47 PM, William Herrin b...@herrin.us wrote:

 On Thu, Oct 27, 2011 at 1:52 AM, William Pitcock
 neno...@systeminplace.net wrote:
  On Wed, 26 Oct 2011 20:22:53 -0400
  Chris cal...@gmail.com wrote:
  This is a huge business. Shady SEO companies are charging
  individuals at least $250 per month to use their spam tools of choice
  to spam forums and Wordpress blogs. I got one of the major players on
  the run right now because he cannot seem to keep his business page
  hosted with a company longer than a few weeks and I keep playing
  whack-a-mole with him.
 
  McColo and Atrivo were not terminated because of spam.  If you believe
  they are, then you are simply misinformed.  Atrivo and McColo were
  terminated over their network being used extensively for botnet
  control centers.

 William,

 Atrivo and McColo were terminated _late_.

 As an industry, might we not consider finding a reasonable way to do a
 more effective job identifying and dealing with shops who can't seem
 to keep out the customers who use those facilities to hurt and abuse
 the rest of us? If we fail to adequately self-regulate, the courts and
 entities like the U.S. Congress will surely find a way to do it for
 us. And they won't care nearly as much about the technical constraints
 as we do.

 I make no judgment about XSServer and offer no solution. I merely
 suggest that Chris has posed a legitimate operational problem that our
 community may wish to redress while the details of such a choice are
 still in our hands.

 Regards,
 Bill Herrin


 --
 William D. Herrin  her...@dirtside.com  b...@herrin.us
 3005 Crane Dr. .. Web: http://bill.herrin.us/
 Falls Church, VA 22042-3004




[routing-wg] The Cidr Report

2011-10-15 Thread Kyle Creyts
I may not read it for the purpose of aggregation, but it is useful data to
me for other purposes.

As long as there is one person talking and at least one person listening, a
thread is in order, and it isn't spam.
On Oct 15, 2011 3:25 PM, Geoff Huston g...@apnic.net wrote:

 From what I learned at the latest NANOG it's very clear that nobody reads
 this any more.

 Is there any good reason to persist in spamming the nanog list with this
 report?


 thanks,
   Geoff






Re: ICANN to allow commercial gTLDs

2011-06-21 Thread Kyle Creyts
Or .inc?
On Jun 21, 2011 10:57 AM, valdis.kletni...@vt.edu wrote:
 On Mon, 20 Jun 2011 18:39:00 MDT, Joel Maslak said:
 I wonder what sort of money .wpad would be worth...

 I was thinking .gbmh myself...



Re: Yup; the Internet is screwed up.

2011-06-10 Thread Kyle Creyts
I think the point is the ubiquity of access isn't what it should be.

On Fri, Jun 10, 2011 at 9:47 AM, Chris Adams cmad...@hiwaay.net wrote:

 Once upon a time, Jared Mauch ja...@puck.nether.net said:
  On Jun 9, 2011, at 8:43 PM, Jay Ashworth wrote:
   Even Cracked realizes this:
  
  
 http://www.cracked.com/blog/5-reasons-internet-access-in-america-disaster
 
  I would describe this as local market failure.  It's common even in
 highly populated areas, not just rural ones here in the US.

 I'd go so far as to say user failure.  If I wanted cable TV
 (especially if I needed it at home as part of my job), I wouldn't
 buy/rent/lease/whatever a home without checking that cable TV is
 available at that location.  I live in a city with two cable providers,
 each of which covers the whole city, yet there are pockets where one
 (or even both) don't provide service.

 Before I bought my house, I made sure I could get my preferred Internet
 service at my house.

 There are definitely things wrong with the state of last-mile Internet
 access in the US, but moving somewhere without checking is IMHO your own
 fault.

 --
 Chris Adams cmad...@hiwaay.net
 Systems and Network Administrator - HiWAAY Internet Services
 I don't speak for anybody but myself - that's enough trouble.




-- 
Kyle Creyts

Information Assurance Professional


Wire-rate Packet Capture on 10gbE

2011-04-29 Thread Kyle Creyts
How is this being done? I've looked at PF_RING and TNAPI... is there
anything better out there?

--Kyle