Re: Hotmail/Outlook/Microsoft Email Switches to IPv6, Causing Email Failures
SERVICE SEEMS RECOVERED as of 8:09pm EDT Oct 27, 2022

It looks like lots of complaints finally got a change made -- the hotmail MX records have removed IPv6 records from DNS, and now all of our 945 delayed emails are delivered. The records were removed sometime between 6:49:28pm EDT and 8:13:52pm EDT.

Logs show that sendmail stopped trying IPv6 at 8:09:11pm EDT and went back to IPv4, and then all emails were accepted finally. Seems like that was about the time that either the DNS record expired or when Sendmail got around to checking DNS again. 30 second TTL on the record for hotmail-com.olc.protection.outlook.com so it does seem like the change happened very recently.

Thanks to whoever finally took action to resolve it! And to Microsoft, please update all of your Email Service Provider functionality to support IPv6 BEFORE enabling it again please!

Beckman

On Thu, 27 Oct 2022, Peter Beckman wrote:

At Oct 24 21:06:13 UTC, after years of being IPv4-only, Microsoft Hotmail published two IPv6 records for the hotmail.com MX record. Great! Progress! Hurrah!

Except that one hour later, Oct 24 22:00:57 UTC, our IPv6 address was blocked, after just 9 emails sent, as "spam." Prior to this date, as far back as our logs go, we have had ZERO issue with the almost 700,000 emails sent and accepted by Hotmail users since May 29, 2022.

So I visited the trusty Smart Network Data Service and Junk Mail Reporting Program to try to troubleshoot. Except that these two services are still IPv4-only, so I cannot even attempt to try to self-troubleshoot why Microsoft is blocking email via IPv6.

I have opened a support ticket, but I figured I would see if anyone here has seen or heard or had this issue, or if any Microsoft lurkers might see this and investigate.

Support request number: SR1543766049

I have not been able to find any mention in Google or elsewhere of the planned switch to enable IPv6 for Hotmail, nor any updated way to register with Microsoft with IPv6 address space.

Yes, we sign with DKIM and have up-to-date SPF records with both IPv4 and IPv6 addresses. Google seems to have no issue here.

Thanks All

Beckman

------- Peter Beckman Internet Guy beck...@angryox.com https://www.angryox.com/ ---
Hotmail/Outlook/Microsoft Email Switches to IPv6, Causing Email Failures
At Oct 24 21:06:13 UTC, after years of being IPv4-only, Microsoft Hotmail published two IPv6 records for the hotmail.com MX record. Great! Progress! Hurrah!

Except that one hour later, Oct 24 22:00:57 UTC, our IPv6 address was blocked, after just 9 emails sent, as "spam." Prior to this date, as far back as our logs go, we have had ZERO issue with the almost 700,000 emails sent and accepted by Hotmail users since May 29, 2022.

So I visited the trusty Smart Network Data Service and Junk Mail Reporting Program to try to troubleshoot. Except that these two services are still IPv4-only, so I cannot even attempt to try to self-troubleshoot why Microsoft is blocking email via IPv6.

I have opened a support ticket, but I figured I would see if anyone here has seen or heard or had this issue, or if any Microsoft lurkers might see this and investigate.

Support request number: SR1543766049

I have not been able to find any mention in Google or elsewhere of the planned switch to enable IPv6 for Hotmail, nor any updated way to register with Microsoft with IPv6 address space.

Yes, we sign with DKIM and have up-to-date SPF records with both IPv4 and IPv6 addresses. Google seems to have no issue here.

Thanks All

Beckman

------- Peter Beckman Internet Guy beck...@angryox.com https://www.angryox.com/ ---
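The post's point that a sending domain's SPF must cover its IPv6 addresses as well as its IPv4 ones, as an added example that is not from the original thread: an offline evaluator for the ip4:/ip6:/all terms of an SPF record (RFC 7208), run against constructed records and documentation-prefix addresses, not the real records of any domain mentioned here. Terms that need DNS (include:, a, mx, exists:, redirect=) are reported rather than resolved.

```python
import ipaddress

# Constructed sample records using documentation prefixes; not the real
# records of any domain on this page.
SPF_DUAL_STACK = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all"
SPF_IPV4_ONLY = "v=spf1 ip4:203.0.113.0/24 -all"

# RFC 7208 qualifier -> evaluation result when the mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument, token) tuples.

    Only ip4:, ip6: and all are evaluated offline; anything else (include:, a,
    mx, exists:, redirect=) needs DNS and is kept so the evaluator can report it.
    """
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for token in tokens[1:]:
        qualifier, body = "+", token
        if body[:1] in QUALIFIER_RESULT:
            qualifier, body = body[0], body[1:]
        mech, _, arg = body.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version != (4 if mech == "ip4" else 6):
                raise ValueError(f"{token}: address family does not match mechanism")
            terms.append((qualifier, mech, net, token))
        elif mech == "all":
            terms.append((qualifier, "all", None, token))
        else:
            terms.append((qualifier, mech, arg, token))
    return terms


def check_sender(record, sender_ip):
    """Evaluate the record for one connecting address; returns (result, matched_token).

    Result is pass/fail/softfail/neutral as in RFC 7208, "unknown" when a term
    that needs DNS is reached first, and neutral with no token if nothing matches.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg, token in parse_spf(record):
        if mech in ("ip4", "ip6"):
            # An IPv6 sender can never match an ip4: term, and vice versa.
            if arg.version == ip.version and ip in arg:
                return QUALIFIER_RESULT[qualifier], token
        elif mech == "all":
            return QUALIFIER_RESULT[qualifier], token
        else:
            # include:/a/mx/exists:/redirect= must be resolved before later terms
            # can be judged, so an offline check has to stop here.
            return "unknown", token
    return "neutral", None


def senders_not_passing(record, sender_ips):
    """Return the relay addresses a receiver would not treat as authorized.

    Run this over every outbound IPv4 and IPv6 address a relay can use: an
    IPv4-only record starts failing the moment a remote MX publishes AAAA records
    and the relay prefers IPv6.
    """
    return [ip for ip in sender_ips if check_sender(record, ip)[0] != "pass"]
```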
Re: FCC chairwoman: Fines alone aren't enough (Robocalls)
On Tue, 4 Oct 2022, Michael Thomas wrote:

Exactly. And that doesn't require an elaborate PKI. Who is allowed to use what telephone numbers is an administrative issue for the ingress provider to police. It's the equivalent to gmail not allowing me to spoof whatever email address I want. The FCC could have required that ages ago.

How does one carrier that gets DIDs from multiple other carriers communicate to the termination carrier selected during LCR that the DID set as CallerID is indeed serviced by that carrier and authorized to use said DID as CallerID?

If a call is asynchronous, e.g. the DID carrier is not the terminating carrier, how can the termination carrier trust/know definitively that someone is allowed to use that CallerID?

Don't forget the resellers!!!

Beckman

--- Peter Beckman Internet Guy beck...@angryox.com https://www.angryox.com/ ---
Re: Google Abuse
To make this more NANOGy, what is OUR role in all of this? Two questions that relate here:

How does NANOG make inbound network abuse easier to stop and harder or costlier for networks and clouds to ignore?

How do NANOG operators attempt to keep private things private?

For the latter, IMHO most NANOG members likely also run, manage, or interact with businesses that hold data. Three of the NANOG Principles apply here:

Security within our digital platforms
Sustainability of Internet technology professions
Innovation within the community

We all should be doing whatever we can within our own organizations to improve end user privacy and security. I'm going to make another go at it within my own.

And anything we can do to make it harder for networks and cloud providers to ignore abuse reports and stop it is an Innovation that might move the burden of network attacks off of the recipients and onto the sources.

Beckman

On Tue, 16 Aug 2022, richey goldberg wrote:

“thought that google fi was a neutral pipe.”

There is nothing neutral about Google or any of companies that are their competitors. They all have some sort of agenda which is to do what’s best for them or what they *think* is best for everyone else. Even if it’s not.

“are google, like fb, recording and retaining direct messages and sms/mms contents”

They may tell you they are not but there is no doubt in my mind they are and if they got caught their response would be “Oopsie, my bad”.

-richey

From: NANOG on behalf of Mark Seiden
Date: Tuesday, August 16, 2022 at 3:48 PM
To: Jon Lewis
Cc: nanog@nanog.org
Subject: Re: Google Abuse

well, that isn’t exactly true. ALL of the fraudsters, business email compromisers, spoofing accounts are now from gmail and as far as i can tell, there is no evidence that they do ANYTHING about them. i recently gave a talk on fraudulent restaurant reviews in google maps. easy for humans to spot. (hundreds of machine learning engineers at google. what are they doing?)

but here’s a counterexample… not that it serves anyone particularly well:

a colleague of mine (ex googler, superb engineer, with a brother who is a current googler) had ALL of his google accounts deactivated recently. a google fi customer, he used it to send an mms photo of a rash on his toddler’s crotch to his wife, so she could upload it (using https) to their pediatrician’s portal for diagnosis. a few days later the cops were at the door with a search warrant. the cops agreed it was a false positive, but despite that, the accounts were deactivated (including gmail), seemingly permanently, despite multiple attempts to revive it and attempts at escalation.

i was actually surprised. i thought that google fi was a neutral pipe. who knew that google mines mms images for pink parts? do the other cell phone companies do the same? (not that i particularly need to test it…)

(is there any transparency here regarding the scanning and retention policy for sms and mms contents?)

which raises, in the post-boggs world, another question: are google, like fb, recording and retaining direct messages and sms/mms contents, so they can turn them over to law enforcement who have become “interested” in who was pregnant and who stopped being pregnant?

https://www.vice.com/en/article/n7zevd/this-is-the-data-facebook-gave-police-to-prosecute-a-teenager-for-abortion

(once again, there ain’t no sanity clause.)

On Aug 16, 2022, at 10:43 AM, Jon Lewis wrote:

On Tue, 16 Aug 2022, Cristian Cardoso wrote:

Hi, I'm receiving thousands of requests from a Google Cloud VM on my network, I've already sent reports to Abuse from GCP, but without success, does anyone happen to have a Google abuse contact to indicate?

There is no Google abuse. It's just traffic you don't want that they don't care about. Block it at your edge and move on.

--
Jon Lewis, MCP :) | I route
StackPath, Sr. Neteng | therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_

--- Peter Beckman Internet Guy beck...@angryox.com https://www.angryox.com/ ---
RE: IERS ponders reverse leapsecond...
On Wed, 3 Aug 2022, Matthew Huff wrote:

But it's hard enough to get developers to understand the need to code for 61 seconds in a minute, and now they would need to code for 59 seconds as well. If time systems simply skewed the time so that 60 seconds actually just took 61 seconds or 59 seconds, there would be other issues, but coders wouldn't be involved.

Code will always be prone to failure due to inconsistent and incorrect assumptions. And blindly trusting dependencies.

Hell, even the smartest engineers at Amazon built AWS using Pacific Time in the DB rather than GMT/UTC. It was still Pacific Time when I left in 2014. I'm sure there is/was code to calculate billing related to the jump forward / fall back between Daylight Saving and Standard Time...

I'm looking forward to January 19, 2038 at 3:14am UTC when the 32-bit Unix Timestamp will overflow. This shouldn't cause huge issues, as most systems will not freak out and die if the system clock goes from 23:59:58 to 00:00:00. But things that were supposed to happen at 23:59:59 on that day will never occur. Hopefully the impact is minimal, but it won't be none.

-Original Message-
From: NANOG On Behalf Of Stephane Bortzmeyer
Sent: Wednesday, August 3, 2022 11:19 AM
To: Jay Ashworth
Cc: nanog@nanog.org
Subject: Re: IERS ponders reverse leapsecond...

On Wed, Aug 03, 2022 at 11:09:25AM -0400, Jay Ashworth wrote a message of 32 lines which said:

General press loses its *mind*:

Indeed, they seem not to know what they write about.

"atomic time – the universal way time is measured on Earth – may have to change"

They don't even know the difference between TAI and UTC.

------- Peter Beckman Internet Guy beck...@angryox.com https://www.angryox.com/ ---
Re: Aftermarket switches that were manufactured in any sort of quantity?
Let us change the focus here to offering some alternatives that people DO recommend for best value for the dollar, used OR new.

Beckman, Amateur Internet Referee :-)

On Thu, 9 Jun 2022, Saku Ytti wrote:

On Thu, 9 Jun 2022 at 21:59, Eric Kuhnke wrote:

With all due respect, without sharing NDA protected information about the specific quantity and model numbers of FS switches I have personal experience with in a certain network, there are very valid reasons to have significant concerns about the stability and feature set of the operating system that ships on them.

Perhaps if you cannot offer context, then the message of 'fs is bad' is best shared elsewhere.

There is a reason they are abnormally cheap, in exactly the same way that FS transceivers which are literally the cheapest 1Gbps and 10Gbps OOK optics you can "Add to cart" and buy online are the cheapest transceivers you can buy on the market.

They're not really particularly cheap, they are 'market rate', you can get 'market rate' from multiple suppliers, directly from manufacturers too. They are only cheaper than most EU+US resellers, that's about it.

--
++ytti

------- Peter Beckman Internet Guy beck...@angryox.com https://www.angryox.com/ ---
Re: FYI - 2FA to become mandatory for ARIN Online? (was: Fwd: [arin-announce] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts)
On Wed, 25 May 2022, Crist Clark wrote:

FIDO2

I'm in full support of ARIN implementing FIDO2 IN ADDITION TO TOTP 2FA.

For the uninitiated -- FIDO2 requires you to have one of the following in order for you to log into your ARIN account:

- A security key (like Yubikey): USB, NFC, Bluetooth
- A mobile device capable of biometric confirmation (FaceID, TouchID, etc)

FIDO2 does NOT support older browsers, text-based browsers, and generally non-mainstream modern devices.

Not to be confused with FIDO U2F, which is basically what TOTP 2FA is, just implemented differently.

Beckman

--- Peter Beckman Internet Guy beck...@angryox.com https://www.angryox.com/ ---
Re: FYI - 2FA to become mandatory for ARIN Online?
Most services that implement 2FA using SMS and/or Email have been compromised multiple times. Services that implement 2FA using TOTP or even App-based Push Notifications have not.

If someone has your ARIN login, and you use the same passwords on ARIN as you do with your email provider, then they have access to your email account. And they can impersonate you to ARIN using the emailed code.

Beckman

On Tue, 24 May 2022, Raymond Burkholder wrote:

What about optional additional second factor of sending out an email with digits to enter or a link to confirm login / some other critical operation?

--- Peter Beckman Internet Guy beck...@angryox.com https://www.angryox.com/ ---
Re: BANDWIDTH and VONAGE lose FCC rules exemption for STIR/SHAKEN
On Fri, 18 Feb 2022, Michael Thomas wrote:

On 2/17/22 11:58 AM, Sean Donelan wrote:

https://www.fcc.gov/document/fcc-finds-two-providers-failed-fully-implement-stirshaken-0

The Federal Communications Commission today took action to ensure that voice service providers meet their commitments and obligations to implement STIR/SHAKEN standards to combat spoofed robocall scams. Specifically, voice service providers Bandwidth and Vonage lost a partial exemption from STIR/SHAKEN because they failed to meet STIR/SHAKEN implementation commitments and have been referred to the FCC’s Enforcement Bureau for further investigation.

So for probably a year or so before the Stir/Shaken mandate came, I have been seeing a lot less phone spam. I don't know if that's typical but it was quite noticeable for me. What that tells me is that providers likely started clamping down on their shady customers well ahead of the mandate which says that regulatory fiat would have been sufficient too. But that hinges on whether my situation is typical though.

Reading the actual FCC order, Bandwidth HAS implemented STIR/SHAKEN everywhere EXCEPT on some legacy hardware that does not support adding the headers. While Bandwidth should have either replaced the hardware or updated the software to support it by now, they did not, and they got slapped for it.

It may be that the customers connected to that hardware are being difficult, or that, as a CLEC, they have a crap-ton of older hardware in different physical switch locations that they couldn't or just didn't get to upgrading or replacing.

I asked Bandwidth for details, nothing yet.

Beckman

--- Peter Beckman Internet Guy beck...@angryox.com https://www.angryox.com/ ---
Re: Authoritative Resources for Public DNS Pinging
On Tue, 8 Feb 2022, Christopher Morrow wrote:

you know what you COULD do though... probe it with DNS requests, and then you know, test the service being offered, and still know that 'the internet is not on fire'.

What?!? Use UDP to test the Internet? How would you even know if the Internet was fine but some router didn't like how your packet smelled and dropped it? ;-)

Seriously though, if ICMP is becoming the problem this thread seems to believe, TCP rather than UDP is probably a better judge of the "availability of the Internet" as the remote end is going to attempt to respond. Though I cannot argue that lack of DNS also can indicate why Chicken Little is perturbed.

I don't have any issues with ICMP generally, though I'm usually sending such packets to systems and servers and networks I control or have permission/access to.

For people that don't have access to multiple servers dotted around the Internet, is it time for them to move away from ICMP and start using HTTP HEAD TCP requests to well-known websites to determine if a route is available and functioning? That's a lot more data when multiplied by a few million queries per second, just to check that the Internet is up... but also less likely to get filtered or throttled to the point where you get no response, even though the sky is not falling.

Beckman

------- Peter Beckman Internet Guy beck...@angryox.com https://www.angryox.com/ ---
Re: Slack.com DNSSEC on Feb 12th 15:00 UTC
Agreed! Slack should probably move away from the custom domain model, and go with slack.com/w/bjornbjorn moving forward.

On Fri, 4 Feb 2022, Christopher Morrow wrote:

On Fri, Feb 4, 2022 at 10:54 AM Bjørn Mork wrote:

I assume you know which names you are going to serve?

how would they be able to serve:
footgun.slack.com
bjornbjorn.slack.com
ilovecorn.slack.com

so immediately without that wildcard though? :)

--- Peter Beckman Internet Guy beck...@angryox.com https://www.angryox.com/ ---
Re: enom giving Google a bad name
What do you mean by "takes responsibility?"

When my vendor goes down, I do whatever I can to get the end user back up and running again. I take _ownership_ of the situation and work diligently to resolve it, as best I can, within my sphere of control.

However, because I cannot control how my vendor operates their business, how can I take responsibility for its actions and operations? My option is to decide if the vendor had a bad day or if they are inept and I need to replace them.

Finding them inept and NOT replacing them THEN puts the responsibility on my shoulders, IMHO.

Has enom been demonstrably inept leading up to this point?

Beckman

On Sun, 16 Jan 2022, Hank Nussbacher wrote:

But I just found out that Google is an enom reseller: So who takes responsibility when a fiasco happens like this: Google or Enom?

------- Peter Beckman Internet Guy beck...@angryox.com https://www.angryox.com/ ---
Re: Reminder: Never connect a generator to home wiring without transfer switch
On Tue, 31 Aug 2021, Forrest Christian (List Account) wrote:

I just wish the electrical code would permit or require certain low cost things which make temporary generator connections more likely to be safe. For example, code requires most furnaces to be hardwired. But a furnace is one of the first things you want on a generator in an extended winter power outage. If instead of hardwired, the code required plug and socket connections at each 120v furnace then Joe homeowner would be more likely to run an extension cord from his generator to his furnace instead of trying to rig up his generator with a suicide cord.

Is $40-60 low cost enough for you for safe, temporary generator connections?

- Generator Interlock Kit: $20-25 (Safety)
- Breaker: $5 (30amp 120v) to $20 (60amp 240v) (Dedicated Power connection)
- Generator Power Inlet Input: $15 (indoor 120v) to $50 (outdoor 240v)

A Generator Interlock Kit is a few pieces of metal that, once installed on your existing electrical panel, allows one to run a properly-sized circuit and breaker to an outlet that you can plug your 120v or 240v generator inverter RV output into. Add a Generator Power Inlet Input (indoor or outdoor) rated at 30Amp 240v NEMA L6-30P, for example, then plug your generator into that. The Generator Interlock Kit physically prevents the mains from being on when the generator Breaker is on. This is the safety component.

This seems affordable ($60 plus some wire and a few minutes inside your electrical panel) and safe. Add a few bucks to have your locality inspect and certify the work.

If this is too much, why? What would be easier while also being equally as safe?

This is work that, with a few minutes on YouTube, one could do safely, as long as the power is disconnected at the meter outside the home during installation.

PS - I suppose you could also move all of your emergency 120v stuff to one side of your panel and also provide only 120V to one side of your panel. This would also reduce costs a bit.

Why believe me? In 2019 I read the NEC code and learned how to install a 60amp circuit for an electric charger. I did the work myself. I had it inspected and certified by the county. I did so for about $100 total for all parts and wire.

Beckman

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Google uploading your plain text passwords
On Fri, 11 Jun 2021, William Herrin wrote:

On Fri, Jun 11, 2021 at 9:42 AM César de Tassis Filho wrote:

Google does not have access to your plain-text passwords in either case.

If they can display the plain text passwords to me on my screen in a non-Google web browser then they have access to my plain text passwords. Everything else is semantics.

Untrue. If you have a key on your computer, such as was mentioned that the Google key may be stored locally in the MacOS Keychain, and you unlock your MacOS Keychain with your local laptop login password, which is also stored on an encrypted disk volume, that does not mean those passwords have left your computer in plain text, or that Google has this key that lives in your keychain.

I agree, if they do, that's terrible. But I haven't seen any evidence that they do.

You can have multiple keys to encrypted data, and it is still stored in a cryptographically secure way, assuming it is implemented well, despite those multiple keys having the ability to decrypt your data.

I use 1Password. There are multiple keys that can unlock the other key that can unlock my encrypted data. But just because I can see my passwords in the app, and that there is a mechanism/code that can do the same without the 1Password app to unlock and view my data, this does not mean that 1Password has my keys, nor access to all my passwords.

Beckman

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Can't Port from a Particular Rate Center
I had this happen to me recently. Customer came in with a number that had very little coverage, but our carrier had a 1,000 block in the same ratecenter, so we held out some hope.

Once we dug into it, the 1,000 block was designated for a different "service offering" with the carrier. They were not offering portability in that Ratecenter, despite having coverage, or even hardware or leased hardware there. So we had to send the customer off. There really were only about 5 carriers serving the Ratecenter, 3 of them wireless, one very local, and our carrier.

If your carrier decides not to port a number, even when they seem to be present in the ratecenter in question, they are not required by any law or rule to port, AFAIK. If a company will port in, the other carrier must (IMHO) port out. If not, then you can't port. There may be some subtleties to that, but this is my understanding.

Fun!

Beckman

On Wed, 9 Jun 2021, Mike Hammett wrote:

I first asked on a list much more narrow in scope, but failing to get sufficient data points, I've expanded my scope.

Assuming the number isn't held by someone exempt from porting, what would prevent someone from being able to port a number from a particular rate center in a LATA they have coverage in?

We picked up a particular carrier for our out-of-area needs and the first thing we throw at them in a LATA we know they have coverage in, they can't do. They have a non-useful reason why. It doesn't appear to have moved to a state where they contacted the losing provider as the response was very fast, so my provider rejected the port, not theirs.

When I started at this company (where we do our own porting), I made sure to port a bunch of numbers from all over our LATA to see what would happen. All successful. That seems to indicate that it doesn't matter which xLEC or tandem currently serves that number, it can move elsewhere.

-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com

------- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Carriers need to independently verify LOAs
US/Canada (ideally all of NANPA) Carriers need to standardize the porting process. Right now, I have an anecdotal database for each carrier which requires a slightly different process.

For Verizon Wireless, you have to generate a Port Out PIN for each number, which expire after 7 days. Excellent! But only if there isn't a Freeze on the number.

For another, you have to call to get your account number and PIN, as you cannot get it without calling the carrier, and it is different.

For some carriers, the address on file isn't the End-user's address, which causes regular and constant rejections. Must request a CSR.

For Google Voice, pay $3 first, then unlock.

For $random_carrier, provide anything and they release the number, without notice to anyone.

Many carriers do not require an LOA to Port, usually where porting is automated, and the automated carriers require a PIN and Account Number and service/billing address to ensure numbers don't get "accidentally" ported, either due to fraud or a typo.

And while it would be nice if everyone "independently verified every LOA" the cost of doing so in the far-too-many edge cases is business-endingly high.

It is the lack of a standard that all carriers share that causes these problems. In Europe, you generate a UUID, give the UUID and number to Port to the new carrier, and it's done.

If every NANPA carrier allowed the End-User to generate a UUID for Porting Out that expired after 7 days, all of this inconsistency would go away. Mostly. Probably.

Beckman

On Mon, 19 Apr 2021, Joe Greco wrote:

On Mon, Apr 19, 2021 at 01:20:22PM -0400, Sean Donelan wrote:

On Sat, 17 Apr 2021, Eric Kuhnke wrote:

Anecdotal: With the prior consent of the DID holders, I have successfully ported peoples' numbers using nothing more than a JPG scan of a signature that looks like an illegible 150 dpi black and white blob, pasted in an image editor on top of a generic looking 'phone bill'.

All carriers should independently verify any LOAs received for account changes. Documents received from third-parties, without independently verifying with the customer of record, using the carriers own records, are just junk papers.

Almost no carriers verify LOAs by contacting the customer of record. Worse, they call the phone number on the letterhead provided by the scammer for "verification."

Presumably we're kinda talking about a problem parallel to the Internet ASN/IP space LOA problem here. It would be awesome if there were a nice easy way to identify the responsible parties, so you could figure out WHOIS the appropriate party to contact.

If you've ever tried Googling a company with a hundred thousand employees, calling their contact number on the Web, and getting through to anybody who knows anything at all about IT, well, you can spend a day at it and still have gotten nowhere.

It's too bad that this information is so frequently redacted for privacy.

... JG

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"The strain of anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'" -Asimov

------- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Texas internet connectivity declining due to blackouts
On Tue, 16 Feb 2021, Rod Beck wrote:

Are the power lines buried like in Europe where I live? I really think using poles is crazy and global warming guarantees enough atmospheric turbulence to make it untenable. Florida is moving to bury power lines.

Only 41% of European lines are underground [1]. Population density is higher in the UK, 280 per sq km, versus the US, 34 per sq km [2].

Netherlands: 423 per sq km
Belgium: 376 per sq km
Germany: 233 per sq km
Switzerland: 208 per sq km
Italy: 200 per sq km

When population density is low, the cost to install buried lines does not make financial sense, even considering the outages. In major cities, lines are buried in the US.

Granted, there are several US States that individually are similar to Europe:

New Jersey: 467 per sq km
Massachusetts: 331 per sq km
New York: 161 per sq km (despite having NYC, largest city in the US)
California: 95 per sq km (despite having LA, 2nd largest city in the US)
Texas: 39 per sq km

Buried lines make sense where it makes sense. Comparing Europe to the US is way too broad, and I don't know where you live.

[1] https://www.bloomberg.com/news/articles/2019-03-05/why-europe-pays-less-than-u-s-to-put-power-lines-underground
[2] https://en.wikipedia.org/wiki/List_of_countries_and_dependencies_by_population_density

From: NANOG on behalf of Mikael Abrahamsson via NANOG
Sent: Tuesday, February 16, 2021 9:06 AM
To: Sean Donelan
Cc: nanog@nanog.org
Subject: RE: Texas internet connectivity declining due to blackouts

On Mon, 15 Feb 2021, Sean Donelan wrote:

Strange the massive shortages and failures are only in one state. The extreme cold weather extends northwards across many states, which aren't reporting rolling blackouts.

https://www.texastribune.org/2011/02/08/texplainer-why-does-texas-have-its-own-power-grid/

Going at it alone can be beneficial sometimes, sometimes it's not.

--
Mikael Abrahamsson email: swm...@swm.pp.se

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
RE: Texas internet connectivity declining due to blackouts
On Tue, 16 Feb 2021, Robert Jacobs wrote:

How about letting us Texans have more natural gas power plants or even let the gas be delivered to the plants we have so they can provide more power in an emergency. Did not help that 20% of our power is now wind which of course in an ice storm like we are having is shut off... Lots of issues and plenty of politics involved here..

Turns out that you Texans already get a majority of your power from Natural Gas. So there's already a significant amount of power from natural gas already.

Things I learned about the most-of-Texas Grid today:

- Natural Gas plants provide MORE THAN HALF of their total electricity generation in 2019 (WOW!)
- Texas has their own grid to avoid Federal regulation.
- Texas does have some links to other grids but they don't trigger federal regulation for some reason.
- Texas is the largest energy-producing and energy-consuming state in the nation. The industrial sector, including its refineries and petrochemical plants, accounts for half of the energy consumed in the state.
- 5 Gigawatts of coal-fired capacity has retired since 2016, and supplies 20% of power currently.
- Wind power provided about 17% of their usage
- There are two nuclear plants in Texas, only providing 10% of power.
- One of those nuclear plants is offline due to weather-related issues.

From the WashPost: "The Texas grid got crushed because its operators didn’t see the need to prepare for cold weather"

https://www.washingtonpost.com/business/2021/02/16/ercot-texas-electric-grid-failure/

------- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Apple Catalina Appears to Introduce Massive Jitter
I'd need more data than your anecdotal experience with a POE device to throw out my Unifi gear and ban the company. But I'm dealing with 2 devices: a Security Gateway and a single Access Point (plus the Controller software running on my Mac).

There are some quirky things about Unifi that can be annoying, but it is mostly around common stuff like running a DNS Caching server on the Security Gateway or force-pushing a DDNS update. It's been way better than the ad-hoc varied brand of network I was running before, and I get to see and manage a lot more as well, quite reliably.

We all know that hardware failures happen, and you definitely had a bad experience, and that sucks.

I'll take all of your Unifi gear, PM me for an address. :-)

Beckman

On Thu, 29 Oct 2020, Aaron C. de Bruyn via NANOG wrote:

On Thu, Oct 29, 2020 at 5:43 AM Jared Mauch wrote:

I have all UBNT at home for wireless and periodically have some random issues which I can't explain, but for the most part have things tuned to ensure there's little to no interference.

All UBNT at home? Ouch. They're on my banned list after one of their POE devices caught on fire after being in service for 11 months. Then they went round and round for a week saying they weren't going to pay for a shipping label. I wasn't going to pay for one because I didn't want their gear back. Finally someone with a bit of common sense sent a shipping label so they could figure out why it caught on fire. They ended up sending a replacement back that was obviously used. Instead of letting it go to waste, I installed it. It died two weeks later. When I contacted them, they said the original purchase was over a year ago so they wouldn't RMA it.

Then a second device (plugged into an entirely different switch in a different building) started smoking and emitting an electrical smell. I pulled all of them and tossed them in the dumpster.

They are an absolutely atrocious company to deal with.

I'm betting some day real soon they'll be sued into oblivion when their crap burns down someone's home or office building.

Friends don't let friends buy UniFi.

-A

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Telehouse London Fire Evacuation Notice
Any updates?

On Fri, 21 Aug 2020, Phil Lavin wrote:

> TH ops are saying there's a fire (or at least an alarm) in THN2. Will update as we find out more.
>
> On 21 Aug 2020, at 21:24, Phil Lavin wrote:
>
>> Hi folks,
>>
>> Did anyone else just get an email notice from Telehouse re fire evacuation? Any idea if it's legitimate or some sort of testing following the LD8 debacle?
>>
>> Phil
Re: South Africa On Lockdown - Coronavirus - Update!
Software-based TOTP offers more security than no one-time passwords, but admittedly less than the physical tokens. Google Authenticator, Authy, 1Password, LastPass all support TOTP.

On Mon, 23 Mar 2020, Alexandre Petrescu wrote:

> I don't know where people are about supporting VPN and one-time passwords on tokens.
>
> At my work place a few people don't have tokens (OTP - One Time Passwords). The reserve of these tokens has been exhausted. New ones are on order. Until then some people can't get on VPN.
>
> Some people forgot their token on their desk and had to travel to the office to get it, a thing not good to do now.
>
> Some (not sure) might have issues with syncing these devices. An OTP token has a certain skew about clock, and a battery that lasts long. Hopefully, one's token has been synchronised recently and the battery is new. The length of time one can't go to the office might be anywhere between 21 days (announced) and 2 months (experience e.g. in Wuhan, still closed). Sometimes the syncing of the clock can be performed remotely, and some 'coin' batteries can be replaced by a person with skill and tools; one could be extracted from a quartz watch for example.
>
> An OTP device can be of many kinds. Some people keep OTPs on paper (I did some time ago). Some OTP devices are in the Japanese 'Tamagotchi' format, others in a credit card format.
>
> Alex, LF/HF 3
>
> On 23/03/2020 at 20:47, Mark Tinka wrote:
>
>> On 23/Mar/20 21:20, Peter Beckman wrote:
>>
>>> But also: "The categories of people who will be exempted from this lockdown are... those involved in the production, distribution and supply of... telecommunications services" https://www.cnbcafrica.com/news/2020/03/23/breaking-nationwide-lockdown-announced-in-south-africa/
>>>
>>> I think most anyone on this list could be considered exempt. I do hope the same will be true should our respective local and national governments take similar action.
>>
>> Yes, a number of "essential services" have been identified as needing to continue to operate under special dispensation during the lockdown, and telecoms falls within that. The details of the implementation of the dispensation may be nuanced. Experience will tell us more in the coming days.
>>
>> Mark.
Re: South Africa On Lockdown - Coronavirus - Update!
But also: "The categories of people who will be exempted from this lockdown are... those involved in the production, distribution and supply of... telecommunications services" https://www.cnbcafrica.com/news/2020/03/23/breaking-nationwide-lockdown-announced-in-south-africa/

I think most anyone on this list could be considered exempt. I do hope the same will be true should our respective local and national governments take similar action.

On Mon, 23 Mar 2020, Mark Tinka wrote:

> And oh, it's for 21 days...
>
> Mark.
>
> On 23/Mar/20 20:22, Mark Tinka wrote:
>
>> So the South African president has just announced - full country lockdown from midnight this Thursday, 26th March (SAST). If any of you have any work that needs to be done out here, please bear that in mind.
>>
>> Mark.
Re: abrupt speed changes and TCP
I'd hope that the 4G and 5G radios might operate in such a way that it would intelligently manage packets coming from either radio and, when possible, seamlessly merge them virtually and then pass them to the underlying OS stack. Or have the OS do it.

Maybe this is why the rollout of 5G is slow, as the carriers and handset manufacturers figure out the issues of jumping between 4G and 5G networks. It may be why Apple decided to hold off on 5G in September 2019.

Didn't they figure this out between 3G and LTE/4G? Or was it not a problem? And maybe it won't be a problem?

On Thu, 30 Jan 2020, Ahmed Borno wrote:

> I am only guessing here, but I think the Apps of today would have their own built in mechanisms to work around lower layers, starting with DB query timeouts, load balancers performance based resets, CDN segmentation, QUIC, HTTP2, etc.
>
> But it is a valid question and I'd like to know from people with real experience in TCP performance impact of 4 to 5G switching.
>
> ~A
>
> On Thu, Jan 30, 2020 at 10:59 AM Michael Thomas wrote:
>
>> So it occurs to me in the rollout of 5G just walking down the street you might shift back and forth between high speed 5G bands and 4G because of uneven deployment and all sorts of other reasons. It sounds like this could vary block by block practically. I assume TCP just views this as congestion? But with all of the congestion avoidance algorithms and the rapidly fluctuating bandwidth, wouldn't that result in the sender essentially adapting to the least common denominator (eg 4G)? The same goes with latency, I suppose for real time apps.
>>
>> Mike
Re: Wikipedia drops support for old Android smartphones; mandates TLSv1.2 to read
>> On Dec 31, 2019, at 00:30, Matt Hoppes wrote:
>>
>>> Why do I need Wikipedia SSLed? I know the argument. But if it doesn't work why not either let it fall back to 1.0 or to HTTP. This seems like security for no valid reason.
>
> On Dec 31, 2019, at 04:04, John Adams wrote:
>
>> because no one should know what you read about or check out at wikipedia

On Tue, 31 Dec 2019, Mike Hammett wrote:

> If you care that bad, you work towards meeting the requirement. If you don't care, then you don't.

What happens when you care but your current environment, one in which a new-ish phone, tablet, laptop or desktop is not readily available or at a price point that you cannot afford without starving yourself and your family?

If there are technical and free-speech reasons to force TLSv1.2, provide an HTTP version that restricts edits or whatever technical reasons Wikimedia Corp is changing for.

This may only affect 1% of Wikipedia users, but 1% in a world of 4.48 billion Internet-using humans, where the US population is 4.27% of the world population, 1% is a HUGE number. 1% is about the size of Uganda or Argentina.

You and I, sitting comfortably in North America, sipping our Starbucks Latte while casually surfing on our iPads and Lenovos, may have zero problem accessing everything using TLSv1.2. But my iPhone from 2007 won't, despite it still being functional.

Let us stand for freedom, free speech, openness and sharing in a world that seems to forget how we got here in the first place.

Beckman
RE: FCC proposes $10 Million fine for spoofed robocalls
On Fri, 20 Dec 2019, Keith Medcalf wrote:

> On Friday, 20 December, 2019 10:57, Mark Milhollan wrote:
>
>> On Thu, 19 Dec 2019, Keith Medcalf wrote:
>>
>>> You should ALWAYS talk to the call center behind the robocaller. The robocaller (the one playing the message) is relatively local and the cost of that call is minimal. When you select to talk to the robocaller, that generates an international handoff to a call center in India.
>>
>> Generally the call center phone number is also "local" even if the warm body is in some other country as that usually occurs via SIP.
>
> Be that as it may, every minute you keep the call center person on the line is a minute they are not busily scamming someone else. Furthermore, while it is merely anecdotal, I can indeed report that since instituting a policy of ALWAYS answering robocalls and ALWAYS keeping them talking as long as possible, the number of such calls has decreased markedly, from several per day to now only one every couple of weeks / month.
>
> Because there *is* a cost associated with robo-scams, they must keep score in order to maximize return for the resources consumed (unlike e-mail spam scams which have effectively no need to prune the potential target list); you simply have to make the "cost" of dialing your telephone more expensive than the other couple billion potential targets. It's like being in a group being chased by a bear. You needn't run faster than the bear, merely faster than the slowest in the group.

This assumes my time is worth less than nothing, which is not the case, and that my time will make a material negative impact on these operations, which it will not. I do not believe that all people receiving these calls will spend the time to screw with them at a high enough rate to make it cost-ineffective for the scams to continue, unfortunately due to the high enough rate of success that keeps them in business.
Re: Short-circuited traceroutes on FIOS
On Wed, 11 Dec 2019, Javier J wrote:

> If you have static addressing (biz account) then possibly different from what I have. In North NJ, 3 different accounts I can verify have ICMP blocked as of sometime earlier this year or late last year so have to use udp to get a real traceroute. Could not be deployed in all areas the same way.

I noticed this about the same time I installed Ubiquiti gear at home, December 2018. Until this thread, I thought there was something wrong with my gateway router config. I could do UDP/TCP traceroutes, but ICMP kept dying. Glad to know it isn't my gateway, but frustrated as hell that Verizon decided that a few customers doing less-than-ideal things was enough to cut a standard network protocol off at the knees.
Re: all major US carriers received text messages overnight that appear to have been sent around Valentine's Day 2019
On Fri, 8 Nov 2019, Matt Hoppes wrote:

>> "During an internal maintenance cycle last night, 168,149 previously undelivered text messages were inadvertently sent to multiple mobile operators' subscribers," Syniverse said in a statement.
>
> how do you inadvertently send messages that were supposed to be sent but worked and sent? Isn't that the desired outcome?

Monitoring and audits usually come after a failure of some sort. Nobody thought they needed to make sure all servers are checked for queued unsent messages, because the software will *always* do the "right thing." I'm sure email didn't have the 5 day deletion after non-delivery when it first started out either. Someone got an email a few months late and decided some cleanup needed to happen.

Now you've got custom software running everywhere and similar alerting and purging requirements were not made explicitly on how long to hold onto the messages.

I run a phone company and we do hold messages that cannot be delivered for a period of time less than a week, but I get paged when that queue holds more than X messages or any one message exceeds Y time since attempted send. It's not hard, but I've seen lots of pretty obvious issues like this overlooked at virtually every company regardless of size, even Amazon.

Beckman
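The two controls described in the reply above (page on queue depth X or on any message older than Y, and a retention cut-off after which an undelivered message is dropped rather than sent months late) as an added example of my own, not the monitoring code of any company in the thread. The thresholds, the sample queue and its timestamps are constructed; the third entry is dated to the February incident the thread is about.

```python
from datetime import datetime, timedelta, timezone

MAX_QUEUE_DEPTH = 500                  # "X": page if more messages than this are waiting
MAX_MESSAGE_AGE = timedelta(hours=6)   # "Y": page if any message has waited longer than this
RETENTION = timedelta(days=5)          # past this, give up: a late delivery is worse than none

NOW = datetime(2019, 11, 8, 9, 0, tzinfo=timezone.utc)  # constructed "now"

# Constructed sample of a store-and-forward SMS queue: each entry records when
# delivery was first attempted. Numbers are from the reserved 555-01xx range.
SAMPLE_QUEUE = [
    {"id": "m1", "dest": "+12025550101", "first_attempt": NOW - timedelta(minutes=20)},
    {"id": "m2", "dest": "+12025550102", "first_attempt": NOW - timedelta(hours=7)},
    {"id": "m3", "dest": "+12025550103", "first_attempt": NOW - timedelta(days=267)},  # Feb 14
]


def queue_health(queue, now, max_depth=MAX_QUEUE_DEPTH, max_age=MAX_MESSAGE_AGE):
    """Return the conditions that should page someone; an empty list means healthy."""
    alerts = []
    if len(queue) > max_depth:
        alerts.append(f"queue depth {len(queue)} exceeds {max_depth}")
    stale = [m for m in queue if now - m["first_attempt"] > max_age]
    if stale:
        oldest = max(now - m["first_attempt"] for m in stale)
        alerts.append(f"{len(stale)} message(s) older than {max_age}; oldest has waited {oldest}")
    return alerts


def expire_stale(queue, now, retention=RETENTION):
    """Split the queue into (keep, expired). Expired messages are for the audit log,
    never for a retry: this is the purge the thread says nobody had written."""
    keep, expired = [], []
    for message in queue:
        (expired if now - message["first_attempt"] > retention else keep).append(message)
    return keep, expired


if __name__ == "__main__":
    for line in queue_health(SAMPLE_QUEUE, NOW):
        print("PAGE:", line)
    keep, expired = expire_stale(SAMPLE_QUEUE, NOW)
    print("kept", [m["id"] for m in keep], "expired", [m["id"] for m in expired])
```

Run `expire_stale` on the same schedule as the health check; a queue that is purged on time never accumulates the backlog that turns a maintenance restart into a mass delivery of nine-month-old messages.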
Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC
"with the intent to defraud, cause harm, or wrongfully obtain anything of value"

Kind of a huge hole that, unless you record all calls which opens other liability, is hard to prove.

Beckman

On Thu, 11 Jul 2019, Paul Timmins wrote:

> Pretty simply - Sending caller ID to commit fraud. It's literally already illegal. The legislature has already defined it for us, even. 47 USC 227 https://www.law.cornell.edu/uscode/text/47/227
>
> (B) to initiate any telephone call to any residential telephone line using an artificial or prerecorded voice to deliver a message without the prior express consent of the called party, unless the call is initiated for emergency purposes, is made solely pursuant to the collection of a debt owed to or guaranteed by the United States, or is exempted by rule or order by the Commission under paragraph (2)(B);
>
> (e)(1) In general. It shall be unlawful for any person within the United States, in connection with any telecommunications service or IP-enabled voice service, to cause any caller identification service to knowingly transmit misleading or inaccurate caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value, unless such transmission is exempted pursuant to paragraph (3)(B).
>
> All I'm asking is to make the carrier liable if it should have been obvious to a carrier using basic traffic analysis that the service was a robocaller (low answer rates combined with tons of source numbers, especially situations where the source and destination number share the first 6 digits) that the carrier be liable for failing to look into it.
>
> Carriers already look at things like short duration in order to assess higher charges, and already investigate call center traffic. If they then look at the caller ID and it looks "suspect", and the customer then is contacted and barred from sending arbitrary caller ID until they can verify they own the numbers they're calling from, then they're good to go. If the carrier continues to just ensure that call center traffic is a revenue stream they can bill higher without making sure they're outpulsing valid numbers, then they should absorb the social costs of what's going on.
>
> Let's not get this confused - this isn't about customer PBXen outpulsing forwarded calls when they do it, it's about people shooting millions of calls a month, the carrier hitting them with short duration charges, making more money, and having zero incentive to question the arrangement.
>
> -Paul
>
> On 7/11/19 1:18 PM, Christopher Morrow wrote:
>
>> 'illicit use of caller id' - how is caller-id being illicitly used though? I don't think it's against the law to say a different 'callerid' in the call session, practically every actual call center does this, right?
RE: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC
On Thu, 11 Jul 2019, Keith Medcalf wrote:

> On Thursday, 11 July, 2019 12:38, Ross Tajvar wrote:
>
>> What if you use different carriers for termination and origination? How does your termination carrier validate that your origination carrier has allocated certain numbers to you and that you're therefore allowed to make outbound calls with a caller ID set to those numbers? That doesn't sound to me like something that can be solved as quickly and easily as you imply.
>
> It does not really matter. What matters is that they bear responsibility for an act in furtherance of a conspiracy to commit fraud.

Fraud means you'll need to know the content of the call to determine if the spoofing of the CallerID value meets the bar of breaking the law. The Truth in CallerID Act is only violated if there is intent to defraud when the CallerID is spoofed. If you spoof CallerID and do not know the content of the call, you cannot know if the Act was violated. And we don't want to get into the business of monitoring the content of phone calls. That opens legal floodgates.

> If someone complains, at least you have some recourse.

But you have that today. And by the time someone complains and you trace the call back to a source in the US (if you can, a woman from AT&T said a "traceback" now takes days instead of months, still too slow to take any real action), you find out it originated outside the US and you have a dead end.

Traceroute for Calls would be nice... each hop adds its own header, kind of like the "Received:" header that exists multiple times in an email.

Beckman
Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC
On Thu, 11 Jul 2019, Ross Tajvar wrote:

> What if you use different carriers for termination and origination? How does your termination carrier validate that your origination carrier has allocated certain numbers to you and that you're therefore allowed to make outbound calls with a caller ID set to those numbers? That doesn't sound to me like something that can be solved as quickly and easily as you imply.

I attended the first panel at the FCC and Scott Mullen, CTO at Bandwidth, was the only one that brought up issues that are not addressed by implementing STIR/SHAKEN.

1. There's no delegation -- there is no standardized means of telling anyone who is the End User of a specific TN.

2. Self-signed certs are being used so far, which means that you need to establish trust in a full mesh in order for STIR/SHAKEN to be of any value. Not feasible, definitely fragile. This could be addressed using a Public Cert Authority.

3. Relies 100% on your trust of the initial carrier to properly set the Attestation level on the call.

4. Does not cover if the call is received with a STIR/SHAKEN header to a termination provider with Full Attestation that turns out to be a lie.

5. Does not actually verify that the CallerID is really the EU generating the call. For Wireless Carriers it can, since calls are both received and placed by the same carrier in most cases, but what about roaming? Is Three UK going to implement STIR/SHAKEN or will it occur at Verizon's edge? How do any of us know that the Identity: header was added at the first point of origin?

All STIR/SHAKEN is doing is adding an Identity: header to the SIP payload that one can use to verify that a carrier signed the call at some point. Some carriers may be trustworthy, some may blindly add Full Attestation for a termination customer that has a nice mix of legit and spoofed calls. There is still no connection between the End User of a phone number and the call itself.

And there's no way for me as a carrier to check to see if a phone number should only originate from specific networks or not. Even if it is signed, I know nothing more than I do now about the legitimacy of the call.

Argh.

Beckman
RE: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC
On Mon, 8 Jul 2019, Keith Medcalf wrote:

> The solution is to disallow spoofing. If the "pretty overlay information" does not equal the "billing information" then do not permit the call to be made. Easy Peasy.

This assumes that all calls from a phone number originate from the carrier of record for that phone number. This assumption is false.

For calls made by Verizon Wireless customers that originate FROM Verizon Wireless's network, STIR/SHAKEN will enable Verizon to tag the call with a crypto sig that we can all verify came from Verizon, thus increasing the trust that the call originated from Verizon Wireless.

However, Verizon not-Wireless also does other telephony business, such as termination. Verizon not-Wireless customers can and likely do terminate calls to them with CallerID of phone numbers that may or may not be registered with Level3, Onvoy, Bandwidth or another carrier. However Verizon not-Wireless has NO IDEA if their customer truly owns/leases the value in the CallerID field from another carrier.

Thus Verizon not-Wireless may sign the terminating call using STIR/SHAKEN but have *NO IDEA* if their termination customer actually owns/leases/controls the CallerID value. And the absence of a STIR/SHAKEN header also means nothing.

While we do LRN lookups for calls, we do not currently use that information to ensure that the originating party owns/leases that number legitimately. As a Tier 2 or 3 carrier, our carrier does not publish anywhere that we lease numbers from them, and our customers are not required to terminate calls using their phone numbers as CallerID with other carriers.

The presence of STIR/SHAKEN increases the trust in the CallerID value ONLY when the phone number owner of record in the LNP database matches the signer of the call. The absence of STIR/SHAKEN is where we are already today. And small carriers can implement STIR/SHAKEN without concern for whether or not the CallerID value is their phone number or not.

Though if the bad-actor does sign the call, I can distrust or block all of the bad-actor's calls. At least until they stop signing the calls, or they start a new contract with a new cert leaving all of us to play whack-a-mole some more, as we do now.

DKIM-signed and SPF approved for all the good it will do,

Beckman
Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC
Summary: SHAKEN/STIR does nothing but sign a call by a carrier that can be verified by another carrier that they signed it. It does nothing to stem Robocalls.

Discussion:

All SHAKEN/STIR does is have the originating carrier of a call cryptographically attest, to some degree, that the call originated from their network.

One example given was that SHAKEN/STIR can verify that it is really the IRS calling. But that would require knowledge of which carrier currently serves the IRS, and that the IRS use that same carrier for both inbound AND outbound calling, and that the carrier publishes some record that it is the carrier of record for the given phone number. THIS DOES NOT EXIST in SHAKEN/STIR.

If Carrier A is taking calls from a spammer and implements SHAKEN/STIR, and their termination Carrier B has also implemented SHAKEN/STIR verification and trusted Carrier A's certificate, all that occurs is that Carrier A says "this call is trustworthy" and Carrier B verifies that Carrier A said so and completes the call.

Carrier A can lie all they want, as they do now, providing a false "Full Attestation" that the "service provider has authenticated the calling party and they are authorized to use the calling number." But there's no proof that they are telling the truth, and no way for any other intermediate carrier to verify anything other than the originating carrier.

Now if Carrier B decides not to trust Carrier A anymore, they can stop trusting their cert and drop calls. Which Carrier B can do today by terminating the relationship with Carrier A.

I still don't see how this will stop CallerID spoofing or Robocalls. Carrier B can block Carrier A at anytime. Carrier A can attest that any call originating from it is authorized to use that number.

Plus then there's a ton of intermediates that aren't even addressed here. Do all the Intermediates also need to implement SHAKEN/STIR such that the SIP Identity header is passed onto the next leg? If the intermediate drops the header, does the call fail?

And spammers already use real, leased phone numbers for Robocalls. We had a client come to us who wanted 5,000 new/different and not recycled phone numbers across the US each month. When prompted about how they'd be used, they just needed inbound calls and SMS messages routed to their switch hosted at a cloud provider, outbound calls would be made through another carrier. With SHAKEN/STIR, these calls would show up as "Authenticated" as the client could tell their Carrier C that these 5,000 phone numbers were theirs, and Carrier C could do a "Full Attestation" SIP Identity header and the spam calls would show up as "Verified." But still Robocalls, just Verified Robocalls. We declined to do business with this client.

In summary, SHAKEN/STIR seems to do nothing but be some extra technical work. Please correct me if I'm missing a key piece of this. I'm in DC, I'm going to try to attend this summit.

https://transnexus.com/whitepapers/understanding-stir-shaken/

Beckman

On Mon, 8 Jul 2019, Jay R. Ashworth wrote:

> - Original Message -
> From: "Sean Donelan"
>
>> I don't think SHAKEN/STIR really addresses the root problems with spoofing phone numbers, anymore than any of the BGP proposals for spoofing IP addresses. Nevertheless, the FCC wants to be seen as doing something. So Chairman Pai is having a summit to show all the progress.
>>
>> On Thursday, July 11, 2019, FCC Chairman Ajit Pai will convene a summit focused on the industry's implementation of SHAKEN/STIR, a caller ID authentication framework to combat illegal robocalls and caller ID spoofing. Chairman Pai expects major voice service providers to deploy the SHAKEN/STIR framework this year. The summit will showcase the progress that major providers have made toward reaching that goal and provide an opportunity to identify any challenges to implementation and how best to overcome them.
>
> Well, y'know, it's been 10 years since I originated calls to LD carriers. But when I did, 3 of my carriers (VZN and 2 LDs) trapped outgoing calls that weren't for 10D calling numbers *they had assigned us* (and hence I had to work that out with them to prove that *someone* had)... and the other 2 didn't give a crap. I could send them anything -- even calls with CNID that wasn't a valid NANP address (4th digit 1, frex).
>
> Since nearly all of this is being originated over PRIs to LD carriers, right; maybe if the FCC just threatened the LD carriers who do not do the calling number legitimacy enforcement the regs (I think) already require them to do...?
>
> Cheers,
> -- jra
>
> --
> Jay R. Ashworth                  Baylink                       j...@baylink.com
> Designer                     The Things I Think                       RFC 2100
> Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
> St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274
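The three SHAKEN/STIR posts above (the numbered list of gaps, the Verizon Wireless versus Verizon-termination example, and this summary) make one point: verifying the signature in the SIP Identity header proves which carrier vouched for the call, not that the calling number belongs to whoever placed it. The added example below is my own, not code from any carrier or from the thread. It builds a PASSporT with the RFC 8225 claims (attest, dest, orig, iat, origid) and a SHAKEN-style Identity header, then runs a verifier whose verdict separates "signature checks out" from "calling number ownership is known". Real PASSporTs are signed with ES256 and the verifier fetches the signer's certificate from the x5u URL; HMAC-SHA256 with per-carrier keys stands in for that here so the example runs on the standard library, and the carriers, keys, URLs, phone numbers and the `tn_owner_of_record` table are all constructed. That table is exactly the thing the posts say does not exist today: without it the verifier can only ever reach the second verdict.

```python
import base64
import hashlib
import hmac
import json

# Constructed per-carrier keys. Production SHAKEN signs with ES256 and publishes an
# X.509 certificate at the x5u URL; a shared HMAC key per carrier is a stand-in here.
CARRIER_KEYS = {
    "carrier-a": b"constructed-key-for-carrier-a",
    "carrier-b": b"constructed-key-for-carrier-b",
}
CERT_URL = {c: f"https://cert.{c}.example/shaken.pem" for c in CARRIER_KEYS}
SIGNER_BY_CERT_URL = {url: c for c, url in CERT_URL.items()}
FRESHNESS_SECONDS = 60  # this verifier's own policy for how old an iat may be


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canon(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def build_identity_header(carrier, orig_tn, dest_tn, attest, iat, origid):
    """Sign a SHAKEN PASSporT for `carrier` and wrap it as a SIP Identity header value."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": CERT_URL[carrier]}
    payload = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
               "orig": {"tn": orig_tn}, "origid": origid}
    signing_input = b64url(_canon(header)) + "." + b64url(_canon(payload))
    sig = hmac.new(CARRIER_KEYS[carrier], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)};info=<{CERT_URL[carrier]}>;alg=ES256;ppt=shaken"


def verify_identity_header(value, now, tn_owner_of_record):
    """Check the signature, then say what it actually proves.

    tn_owner_of_record maps a TN to the carrier that holds it. No public, standardized
    mapping like it exists, which is why a signed call still tells you only who signed."""
    token, *params = value.split(";")
    param = dict(p.split("=", 1) for p in params if "=" in p)
    signer = SIGNER_BY_CERT_URL.get(param.get("info", "").strip("<>"))
    result = {"signer": signer, "signature_ok": False, "fresh": False,
              "attest": None, "orig_tn": None, "verdict": "unsigned-or-unknown-signer"}
    if signer is None:
        return result
    try:
        h, p, s = token.split(".")
        payload = json.loads(b64url_decode(p))
    except (ValueError, json.JSONDecodeError):
        result["verdict"] = "malformed"
        return result
    expected = hmac.new(CARRIER_KEYS[signer], f"{h}.{p}".encode(), hashlib.sha256).digest()
    result["signature_ok"] = hmac.compare_digest(expected, b64url_decode(s))
    result["fresh"] = abs(now - payload.get("iat", 0)) <= FRESHNESS_SECONDS
    result["attest"] = payload.get("attest")
    result["orig_tn"] = payload.get("orig", {}).get("tn")
    if not result["signature_ok"]:
        result["verdict"] = "bad-signature"
    elif not result["fresh"]:
        result["verdict"] = "stale-passport"
    elif result["attest"] == "A" and tn_owner_of_record.get(result["orig_tn"]) == signer:
        result["verdict"] = "verified-caller-number"
    else:
        # The signature proves only that `signer` vouched for this call. Whether the
        # calling number belongs to the party that placed it is a separate question.
        result["verdict"] = f"signed-by-{signer}-ownership-unverified"
    return result


if __name__ == "__main__":
    owners = {"+12025550143": "carrier-a", "+12025550177": "carrier-b"}  # constructed
    hdr = build_identity_header("carrier-a", "+12025550177", "+13125550100", "A",
                                1562860800, "constructed-origid")
    print(verify_identity_header(hdr, 1562860805, owners)["verdict"])
```

The second verdict is the one every verifier reaches today for any number it cannot tie to the signing carrier: a full attestation from a carrier over a number it does not hold still verifies cryptographically, which is the "Verified Robocall" case in the summary.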
Re: Comcast storing WiFi passwords in cleartext?
On Tue, 23 Apr 2019, Peter Beckman wrote:

> On Wed, 24 Apr 2019, Luke Guillory wrote:
>
>> OP said they logged into their account and went to the security portion of the portal. So one can assume they're the ISP or I don't see the point in asking how Comcast would know the info.
>
> It is entirely possible that an account separate and hidden from the customer account would be able to access the administrative controls of the router. It is also plausible that the access does not use a username/password to authenticate but another, hopefully secure method.
>
> One could make this access secure by:
>
> 1. Ensuring any connection originated from Company-controlled IP space
> 2. Username/Password are not provided to the CS agent but is merely a button they press, after properly authenticating themselves as well as authenticating the customer, that would pass a one-time use token to access the device
> 3. Every token use was logged and regularly audited
> 4. Keys were regularly and in an automated fashion rotated, maybe even daily
>
> If such precautions are taken, it is their router and it is their service, seems reasonable that Comcast should be able to log into their router and change configs.

... such that the access of the Wifi Password, which is likely stored in plain text on the router, is accessed by Comcast in a secure manner and not stored in plain text in their internal databases. But I'm guessing probably it's just cached in plain text in their internal DBs.

Get your own router if you're worried about your Wifi Password being known by Comcast. Or change to WPA2 Enterprise, but I'm guessing that isn't supported on the router...
Re: Comcast storing WiFi passwords in cleartext?
On Wed, 24 Apr 2019, Luke Guillory wrote:

> OP said they logged into their account and went to the security portion of the portal. So one can assume they're the ISP or I don't see the point in asking how Comcast would know the info.

It is entirely possible that an account separate and hidden from the customer account would be able to access the administrative controls of the router. It is also plausible that the access does not use a username/password to authenticate but another, hopefully secure method.

One could make this access secure by:

1. Ensuring any connection originated from Company-controlled IP space
2. Username/Password are not provided to the CS agent but is merely a button they press, after properly authenticating themselves as well as authenticating the customer, that would pass a one-time use token to access the device
3. Every token use was logged and regularly audited
4. Keys were regularly and in an automated fashion rotated, maybe even daily

If such precautions are taken, it is their router and it is their service, seems reasonable that Comcast should be able to log into their router and change configs.

Beckman
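The four precautions in the post above, as an added example of my own (not Comcast's or anyone's support tooling): a source-network check, a one-time token the agent obtains by pressing a button rather than by seeing a password, an audit entry for every redemption attempt, and a signing key derived per calendar day so rotation is automatic. The master key, the allowed network (an RFC 5737 documentation range), the token lifetime and all names are constructed; a real deployment would hold the master key in an HSM/KMS.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
import secrets
from datetime import datetime, timedelta, timezone

# Constructed values for the example only.
MASTER_KEY = b"constructed-example-master-key-do-not-use"
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # "company-controlled IP space"
TOKEN_TTL = timedelta(minutes=5)


def day_key(day: str) -> bytes:
    """Per-day signing key derived from the master key: rotation without redistribution."""
    return hmac.new(MASTER_KEY, b"router-access:" + day.encode(), hashlib.sha256).digest()


def _sign(body: str, day: str) -> str:
    return hmac.new(day_key(day), body.encode(), hashlib.sha256).hexdigest()


class RouterAccessTokens:
    """Issues short-lived, single-use tokens for support access to a customer device.
    The agent never handles a device password; every redemption attempt is logged."""

    def __init__(self):
        self.used_nonces = set()
        self.audit = []

    def issue(self, agent: str, customer: str, device: str, now: datetime) -> str:
        claims = {"agent": agent, "customer": customer, "device": device,
                  "iat": int(now.timestamp()), "nonce": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        day = now.strftime("%Y-%m-%d")
        return f"{day}.{body}.{_sign(body, day)}"

    def redeem(self, token: str, source_ip: str, now: datetime):
        """Return (ok, reason). Failures are logged too; that is what gets audited."""
        ok, reason, claims = self._check(token, source_ip, now)
        self.audit.append({"at": now.isoformat(), "ip": source_ip, "ok": ok,
                           "reason": reason, "claims": claims})
        return ok, reason

    def _check(self, token, source_ip, now):
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in ALLOWED_NETS):
            return False, "source not in company address space", None
        try:
            day, body, sig = token.split(".")
        except ValueError:
            return False, "malformed token", None
        # Only today's and yesterday's keys are live, so a token issued just before
        # midnight still redeems, and anything older is gone regardless of its TTL.
        today = now.strftime("%Y-%m-%d")
        yesterday = (now - timedelta(days=1)).strftime("%Y-%m-%d")
        if day not in (today, yesterday):
            return False, "signing key rotated out", None
        if not hmac.compare_digest(sig, _sign(body, day)):
            return False, "bad signature", None
        claims = json.loads(base64.urlsafe_b64decode(body))
        if now - datetime.fromtimestamp(claims["iat"], tz=timezone.utc) > TOKEN_TTL:
            return False, "expired", claims
        if claims["nonce"] in self.used_nonces:
            return False, "token already used", claims
        self.used_nonces.add(claims["nonce"])
        return True, "granted", claims


if __name__ == "__main__":
    svc = RouterAccessTokens()
    t0 = datetime(2019, 4, 24, 23, 58, tzinfo=timezone.utc)  # constructed time
    tok = svc.issue("agent42", "cust-1", "cm-0001", t0)
    print(svc.redeem(tok, "203.0.113.5", t0 + timedelta(minutes=3)))
    print(svc.redeem(tok, "203.0.113.5", t0 + timedelta(minutes=3)))
    print(len(svc.audit), "audit entries")
```

The token carries who asked for it and for which device, so the audit log answers "which agent touched which customer's router, when, from where" without storing any device credential in the company's own database, which is the concern the thread started with.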
Re: California fires: smart speakers and emergency alerts
It is theoretically simple to:

1. Turn the address of your Smart Speaker into coordinates
2. Receive ALL alerts and only act upon those that apply to your location

This way it isn't creepy, because the emergency alert wasn't targeted to you, but your device was aware enough to determine that you are in the warned area.

Taking this further, let's have manufacturers build the location awareness into the device, rather than the upstream service (e.g. Amazon, Google, Apple). Your smart speaker receives a stream of ALL the alerts, and if you are in a warned area, and you enable them, they alert you. With the processing power on these speakers, and the likely small quantity and amount of data per alert to determine if it applies, it should be achievable while still protecting your smart speaker location.

Beckman

On Sun, 15 Oct 2017, Sean Donelan wrote:

> It would be creepy if an emergency alert was too targeted. It may be better to keep it larger than a mile radius, rather than a single house.
>
> Jean-Francois Mezei wrote:
>
>> So, assuming its Speaker is geolocated, Google would know if an alert is applicable to its location and be able to send it to the unit.
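The "receive everything, filter locally" design in the post above, as an added example of my own (not code from any speaker vendor): the device holds its own coordinates, consumes the full alert feed, and keeps only alerts whose warned area contains it, so nothing about its location ever goes upstream. Alert areas are given as polygons or as a centre plus radius, since both shapes occur in practice; the feed, the coordinates and the categories are constructed for the example.

```python
import math

# Constructed sample feed in the spirit of a CAP-style alert stream. Every device
# receives all of it; the match is computed on the device, so the upstream service
# never learns which alerts applied to which speaker.
ALERT_FEED = [
    {"id": "A1", "category": "fire", "headline": "Evacuation order: zone 3",
     "area": {"type": "polygon", "points": [(38.40, -122.80), (38.50, -122.80),
                                            (38.50, -122.65), (38.40, -122.65)]}},
    {"id": "A2", "category": "flood", "headline": "Flash flood warning",
     "area": {"type": "polygon", "points": [(37.70, -122.50), (37.80, -122.50),
                                            (37.80, -122.40), (37.70, -122.40)]}},
    {"id": "A3", "category": "fire", "headline": "Shelter in place",
     "area": {"type": "circle", "center": (38.60, -122.90), "radius_km": 10.0}},
    {"id": "A4", "category": "amber", "headline": "AMBER alert",
     "area": {"type": "polygon", "points": [(38.40, -122.80), (38.50, -122.80),
                                            (38.50, -122.65), (38.40, -122.65)]}},
]
# Geocoded once from the owner's address at setup and kept on the device (constructed).
DEVICE_LOCATION = (38.44, -122.71)


def point_in_polygon(lat, lon, polygon):
    """Ray casting: the point is inside if a ray cast eastward crosses an odd number of edges."""
    inside = False
    for i in range(len(polygon)):
        lat1, lon1 = polygon[i]
        lat2, lon2 = polygon[(i + 1) % len(polygon)]
        if (lat1 > lat) != (lat2 > lat):
            crossing_lon = lon1 + (lat - lat1) * (lon2 - lon1) / (lat2 - lat1)
            if lon < crossing_lon:
                inside = not inside
    return inside


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance on a spherical Earth of mean radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def alert_applies(alert, lat, lon):
    area = alert["area"]
    if area["type"] == "polygon":
        return point_in_polygon(lat, lon, area["points"])
    if area["type"] == "circle":
        clat, clon = area["center"]
        return haversine_km(lat, lon, clat, clon) <= area["radius_km"]
    raise ValueError(f"unknown area type {area['type']!r}")


def relevant_alerts(feed, lat, lon, enabled_categories):
    """Local filter: category opt-in first, then the geometric test. Nothing leaves the device."""
    return [a for a in feed
            if a["category"] in enabled_categories and alert_applies(a, lat, lon)]


if __name__ == "__main__":
    lat, lon = DEVICE_LOCATION
    for alert in relevant_alerts(ALERT_FEED, lat, lon, {"fire", "flood"}):
        print(alert["id"], alert["headline"])
```

The per-alert work is a handful of trigonometric operations on a short point list, so even a small device can test every alert in a nationwide feed; the privacy property comes from the direction of data flow, not from clever geometry.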
Re: Temperature monitoring
Agreed -- there are already tons of temp sensors throughout old and new hardware. I've used SCSI drive queries via sdparm and more recently hddtemp to get the current temperature of the drives. No need for SNMP or ILO, though that can give you a more detailed picture where possible.

You first monitor and record for 24 hours to get your baseline temp for a given rack or server, then set your threshold, then let your monitoring platform do the rest. Since I use hosted dedicated servers, I don't want to pay for yet another device. In monitoring only those disk temps I've caught two cooling issues before they became a crisis, one of which my hosting provider was not aware of.

If you control the hardware, or at least have access to it, there should be enough sensors to let you know at least something is causing a problem.

Beckman

On Thu, 13 Jul 2017, Andrew Latham wrote:

> On Thu, Jul 13, 2017 at 9:33 PM, Dovid Bender <do...@telecurve.com> wrote:
>
>> All,
>>
>> We had an issue with a DC where temps were elevated. The one bit of hardware that wasn't watched much was the one that sent out the initial alert. Looking for recommendations on hardware that I can mount/hang in each cabinet that is easy to set up and will alert us if temps go beyond a certain point.
>>
>> TIA.
>>
>> Dovid
>
> Most everything has temperature sensors from switches, servers and most modern PDUs. A dedicated solution is just creating the problem again in the future. Monitor the temps on everything and gain knowledge related to failure rates. Most companies with physical infrastructure could pay for another engineer to discover these unexpected expenses. Also note that modern air conditioning and refrigeration have SNMP or BACNET protocol support, just download the manual.
>
> --
> - Andrew "lathama" Latham -
Re: Recent NTP pool traffic increase
Mostly out of curiosity, what was the reason for the change in the Snapchat code, and what plans does Snap have for whatever reason the NTP change was put in place?

Beckman

On Tue, 20 Dec 2016, Jad Boutros via NANOG wrote:
> Immediately after being notified that our latest iOS release was causing problems with NTP traffic, we started working to disable the offending code in v9.45. We submitted a new mobile release to the Apple App Store earlier this morning for their review, which should disable these NTP requests. We are hoping Apple will be able to review this release in time before the holiday break, and we have stressed its urgency. When the release does get approved, we should very quickly begin to see a decrease in NTP traffic from our app as users start upgrading to the new release.
>
> We deeply regret this situation, and we will post an update here once we hear back from Apple. We are also open to any suggestions on how we can help with the present traffic.
>
> On Mon, Dec 19, 2016 at 9:27 PM, Jad Boutros <j...@snap.com> wrote:
>> We - at Snap - were forwarded this thread just a few hours ago and are investigating. Please email me should you still be looking for a contact for Snapchat.
>>
>> Thank you,
>> Jad
>>
>> On Mon, Dec 19, 2016 at 9:18 PM, Laurent Dumont <ad...@coldnorthadmin.com> wrote:
>>> If anything comes from this, I'd love to hear about it. As a student in the field, this is the kind of stuff I live for! ;) Pretty awesome to see the chain of events after seeing a post on the [pool] list!
>>>
>>> Laurent
>>>
>>> On 12/19/2016 05:12 PM, Justin Paine via NANOG wrote:
>>>> replying off list.
>>>>
>>>> Justin Paine
>>>> Head of Trust & Safety
>>>> Cloudflare Inc.
>>>> PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D
>>>>
>>>> On Mon, Dec 19, 2016 at 1:49 PM, Dan Drown <dan-na...@drown.org> wrote:
>>>>> Quoting David <open...@shaw.ca>:
>>>>>> On 2016-12-19 1:55 PM, Jan Tore Morken wrote:
>>>>>>> On Mon, Dec 19, 2016 at 01:32:50PM -0700, David wrote:
>>>>>>>> I found devices doing lookups for all of these at the same time {0,0.uk,0.us,asia,europe,north-america,south-america,oceania,africa}.pool.ntp.org and then it proceeds to use everything returned, which explains why everyone is seeing an increase.
>>>>>>>
>>>>>>> Thanks, David. That perfectly matches the list of servers used by older versions of the ios-ntp library[1][2], which would point toward some iPhone app being the source of the traffic.
>>>>>>>
>>>>>>> [1] https://github.com/jbenet/ios-ntp/blob/d5eade6a99041094f12f0c976dd4aaeed37e0564/ios-ntp-rez/ntp.hosts
>>>>>>> [2] https://github.com/jbenet/ios-ntp/blob/5cc3b6e437a6422dcee9dec9da5183e283eff9f2/ios-ntp-lib/NetworkClock.m#L122
>>>>>>
>>>>>> That would make sense - I see a lot of iCloud related lookups from these hosts as well. Also, app.snapchat.com generally seems to follow just after the NTP pool DNS lookups. I don't have an iPhone to test that though.
>>>>>
>>>>> Confirmed - starting up the iOS Snapchat app does a lookup to the domains you listed, and then sends NTP to every unique IP. Around 35-60 different IPs.
>>>>>
>>>>> Anyone have a contact at Snapchat?

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: SNMP syslocation field for GPS coordinates, and use with automation tools
Since we all live on standards, I can suggest RFC7946, GeoJSON (https://tools.ietf.org/html/rfc7946) for all of your location specification needs:

  {
    "type" : "Point",
    "coordinates" : [ -121.556359, 39.5137752 ]
  }

or one line (55 characters, no spaces, hopefully short enough):

  {"type":"Point","coordinates":[-121.556359,39.5137752]}

GeoJSON supports "properties" which you can define how you like:

  {
    "type" : "Point",
    "coordinates" : [ -121.556359, 39.5137752 ],
    "properties" : {
      "address" : "121 Gigawatts Ave, Springfield, OH 45501 US",
      "hardware" : "Cisco 2924",
      "elevation" : "124m"
    }
  }

Note that many formats now list Longitude first, Latitude second. http://www.macwright.org/lonlat/

I tend to try to offer/use machine-readable formats first, then human-readable, because I live for automation. GeoJSON benefits from being both.

Beckman

On Fri, 9 Dec 2016, Eric Kuhnke wrote:
> Yes, that's along the lines of what I was thinking. Pre-define a certain number of columns of data that will fit in the snmp syslocation field in most devices (some vendors have surprisingly short string length limits, grr). And use something like a pipe delimited CSV format in that field, so it has the comma separated decimal degrees lat/long in one column, and human readable street address in another.
>
> Also worth noting that many recent SNMP-enabled, high capacity point to point microwave radios have built in GPS receivers for timing and location purposes, which gather elevation data (in meters above MSL usually). Perhaps a column for elevation in meters MSL. The sort of data that is useful for a mobile network operator with thousands of point to point RF links on rooftops and towers, for auditing and compliance purposes.
>
> On Fri, Dec 9, 2016 at 2:09 PM, Alan Buxey <a.l.m.bu...@lboro.ac.uk> wrote:
>> Yes. But don’t just put in coordinates... Put in other details and use a standard separator
>>
>> alan

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
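As an added example (not part of the original message), the round trip between a coordinate pair and the compact GeoJSON form shown above, with range checks and a length cap for devices whose sysLocation is short. The 255-byte default follows the DisplayString size of sysLocation in SNMPv2-MIB; the property values are the ones from the message.

```python
"""Encode and decode a GeoJSON Point carried in SNMP sysLocation.
Added example; the length limit is a parameter because vendors differ."""
import json
from typing import Any, Dict, Optional, Tuple

# sysLocation is a DisplayString (SIZE (0..255)); some agents cap it lower,
# so callers with short-string vendors pass a smaller max_len.
DEFAULT_MAX_LEN = 255


def syslocation_from_point(lon: float, lat: float,
                           properties: Optional[Dict[str, Any]] = None,
                           max_len: int = DEFAULT_MAX_LEN) -> str:
    """Return the compact one-line form, longitude first per RFC 7946."""
    if not -180.0 <= lon <= 180.0 or not -90.0 <= lat <= 90.0:
        raise ValueError(f"out of range: lon={lon} lat={lat}")
    doc: Dict[str, Any] = {"type": "Point", "coordinates": [lon, lat]}
    if properties:
        # RFC 7946 puts "properties" on a Feature; on a Point it is a
        # foreign member, tolerated here because the message uses it.
        doc["properties"] = properties
    text = json.dumps(doc, separators=(",", ":"), ensure_ascii=True)
    if len(text) > max_len:
        raise ValueError(f"{len(text)} bytes exceeds sysLocation limit {max_len}")
    return text


def parse_syslocation(text: str) -> Tuple[float, float, Dict[str, Any]]:
    """Parse sysLocation back to (lon, lat, properties). Anything that is
    not a GeoJSON Point (free text, a pipe-delimited CSV) raises ValueError."""
    doc = json.loads(text)
    if not isinstance(doc, dict) or doc.get("type") != "Point":
        raise ValueError("not a GeoJSON Point")
    coords = doc.get("coordinates")
    if not (isinstance(coords, list) and len(coords) in (2, 3)):
        raise ValueError("coordinates must be [lon, lat] or [lon, lat, elev]")
    lon, lat = float(coords[0]), float(coords[1])
    if not -180.0 <= lon <= 180.0 or not -90.0 <= lat <= 90.0:
        # A lat/lon pair written in the wrong order usually fails here.
        raise ValueError("coordinates out of range (lat/lon swapped?)")
    props = doc.get("properties") or {}
    if not isinstance(props, dict):
        raise ValueError("properties must be an object")
    return lon, lat, props


def is_geojson_location(text: str) -> bool:
    """Cheap yes/no for automation that walks sysLocation on many devices."""
    try:
        parse_syslocation(text)
        return True
    except (ValueError, TypeError):
        return False
```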
Re: 10G switch drops traffic for a split second
On Tue, 29 Nov 2016, TJ Trout wrote:
> I plan on disabling FC on everything tonight, I've done that before but I want to be sure. Anything that can be done about the 2 x 1G peers trunking to the 10G router transition that can be fixed? Should I be rate limiting the vlan for the peers at 1G so the 10G router isn't trying to send more than 1G?

This thread reminded me of a blog post that struck me as useful 5 years ago, and again today. Measuring throughput, when dealing with buffers and troubleshooting errors and packet loss, must be done at a sub-one-second sampling rate.

http://blog.serverfault.com/2011/06/27/per-second-measurements-dont-cut-it/

Beckman

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
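An added illustration (not from the thread) of the point the linked post makes: a constructed one-second window of 10 ms byte counts on the 1G peer-facing port, with a single burst from the 10G router that a per-second average hides entirely. All sample values are constructed.

```python
"""Per-second counters average away the bursts that actually overflow
buffers at a 10G-to-1G transition. Added example; the 10 ms byte counts
below are constructed, not captured from a real switch."""
from typing import List, Tuple

INTERVAL_MS = 10                 # sub-second sampling period
LINE_RATE_BPS = 1_000_000_000    # the 1G peer-facing port


def bytes_per_interval(line_rate_bps: int, interval_ms: int) -> int:
    """Bytes the egress port can actually serialize in one sample period."""
    return line_rate_bps * interval_ms // 8000


def average_bps(samples: List[int], interval_ms: int) -> float:
    """What a once-per-second poll of the interface counter reports."""
    return sum(samples) * 8000 / (len(samples) * interval_ms)


def peak_bps(samples: List[int], interval_ms: int) -> float:
    """The instantaneous rate that only sub-second samples expose."""
    return max(samples) * 8000 / interval_ms


def oversubscribed_intervals(samples: List[int], interval_ms: int,
                             line_rate_bps: int) -> List[Tuple[int, int]]:
    """(index, excess_bytes) for every sample above line rate; the excess
    is what the switch must buffer, or drop once the buffer is full."""
    cap = bytes_per_interval(line_rate_bps, interval_ms)
    return [(i, b - cap) for i, b in enumerate(samples) if b > cap]


def build_samples(steady_bytes: int, burst_at: int, burst_bytes: int,
                  count: int = 100) -> List[int]:
    """Constructed 1 s window: steady load with one microburst."""
    samples = [steady_bytes] * count
    samples[burst_at] = burst_bytes
    return samples


# 800 Mb/s steady, plus one 10 ms interval in which the 10G router hands
# the 1G port 2,000,000 bytes (1.6 Gb/s for that interval).
SAMPLES = build_samples(1_000_000, 37, 2_000_000)

if __name__ == "__main__":
    print("1 s average :", average_bps(SAMPLES, INTERVAL_MS) / 1e6, "Mb/s")
    print("10 ms peak  :", peak_bps(SAMPLES, INTERVAL_MS) / 1e6, "Mb/s")
    print("over line rate:", oversubscribed_intervals(SAMPLES, INTERVAL_MS, LINE_RATE_BPS))
```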
Re: Questions re: VPN protocols globally
There is a Mumbai, India three letter company region available as of June 27, 2016.

https://aws.amazon.com/blogs/aws/now-open-aws-asia-pacific-mumbai-region/

On Tue, 4 Oct 2016, Eric Germann wrote:
> I’ve been charged with building a global VPN as an overlay on top of a certain 3 letter company who also sells lots of stuff. We’re looking at
>
> US East
> US West
> US Central (eventually)
> Brazil
> Singapore
> Frankfurt
> Ireland
> Sydney
> Maybe Canada
> Maybe India (outsourcers)
>
> In the planning stages now and wondering if there are any protocols I need to stay away from ITAR wise with this list of countries. Contemplating Suite B with GCM, etc and AES acceleration.
>
> Any land mines?
>
> Thanks in advance
>
> EKG

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Legislative proposal sent to my Congressman
On Mon, 3 Oct 2016, Lyndon Nerenberg wrote:
> The only cure to this will be changing the law so that the directors of the companies that ship massively insecure devices like these are personally liable for all the financial loss attributed to their products. Bankrupt a few companies' board of directors and you'll start seeing things change in a hurry.

Manufacturers are global, and their distribution is global. Local, technical laws are difficult at best to get enacted, much less consistently and by 190+ countries. And even when technically-minded laws are implemented (see US Federal and State Do Not Call Lists) they are problematic and difficult to enforce when abuse may be coming from outside the US. And the tech usually is far ahead of the legislation.

The common device through which all of these smart devices will pass is the router. Router manufacturers often build and sell larger big iron routers to ISPs, or ISPs are buying end-user routers from manufacturers and reselling to their customers. ISPs are motivated financially to avoid unwanted and "bad" traffic on their networks.

The global ISP community is in the best position here to pressure their vendors to implement a standard on end-user routers which protects their networks from rogue and unsecured devices. The IoT manufacturers will need to follow standards that the router manufacturers implement to limit the negative impact of IoT devices if they want their devices on the network/Internet.

When the standards are available to help protect the ISP networks at the end of the last mile from unwanted and fraudulently created traffic, and the ISPs pressure/demand the router manufacturers to implement the protections, IoT and other device manufacturers will fall in line.

Beckman

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
RE: BCP38 adoption "incentives"?
On Tue, 27 Sep 2016, White, Andrew wrote:
> This assumes the ISP manages the customer's CPE or home router, which is often not the case. Adding such ACLs to the upstream device, operated by the ISP, is not always easy or feasible.

Which is why the manufacturer should deploy a default config which does this. Whatever the WAN IP, and by default, and in 90%+ configurations, there is a single WAN IP for CPE, ACLs are automatically managed to block all outbound packets that are NOT From: the WAN IP. And when DHCP or PPPoE gives a new IP, the rules are rewritten automatically by the CPE with updated rules.

This won't fix the DDOS attack from IoT devices or IP Cameras or whatnot that don't attempt to hide their IP, but it would help with spoofing at the edge for the non-network savvy.

It would make sense for most ISPs to have egress filtering at the edge (transit and peering points) to filter out packets that should not originate from the ISP's ASN, although this does not prevent spoofing between points in the ISP's network.

Multi-tiered approaches are excellent. Start with the CPE, move to your aggs, then your big iron at the edges. Automate deployments and rule generation.

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
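An added example (not vendor firmware and not from the message) of the default CPE behaviour proposed above: a per-packet egress decision keyed on the single WAN address, regeneration of the rules on every DHCP/PPPoE lease, and one possible nftables rendering of them. The interface name, the postrouting priority and the rule text are assumptions; the addresses are documentation ranges.

```python
"""CPE-side BCP38: with one WAN address, nothing may leave the WAN port
with any other source. Added example, not a vendor's firmware; the
nftables rendering, the priority and the interface name are assumptions."""
import ipaddress
from typing import Callable, List, Optional

WAN_IFACE = "eth0"  # assumed name of the WAN port


def egress_allowed(src: str, wan_ip: str) -> bool:
    """Decision the CPE makes for each packet leaving the WAN port."""
    return ipaddress.ip_address(src) == ipaddress.ip_address(wan_ip)


def nft_rules(wan_ip: str, iface: str = WAN_IFACE) -> str:
    """Render the rule set for the current lease. The chain is placed
    after srcnat (priority > 100, an assumption about the NAT ordering)
    so NATed LAN traffic already carries the WAN source and only
    un-NATed or spoofed sources are dropped."""
    addr = ipaddress.ip_address(wan_ip)  # also validates the address
    fam = "ip" if addr.version == 4 else "ip6"
    return "\n".join([
        "table inet bcp38 {",
        "  chain egress {",
        "    type filter hook postrouting priority 150; policy accept;",
        f'    oifname "{iface}" {fam} saddr != {addr} counter drop',
        "  }",
        "}",
    ])


class LeaseWatcher:
    """Regenerates and applies the rule set whenever DHCP or PPPoE hands
    out a new address, so the filter never lags behind the lease."""

    def __init__(self, apply: Callable[[str], None]) -> None:
        self.apply = apply          # e.g. a wrapper around `nft -f -`
        self.wan_ip: Optional[str] = None
        self.history: List[str] = []

    def on_lease(self, new_ip: str) -> bool:
        """Returns True when the rules were rewritten for a new address."""
        if new_ip == self.wan_ip:
            return False
        self.wan_ip = new_ip
        rules = nft_rules(new_ip)
        self.history.append(rules)
        self.apply(rules)
        return True


def simulate(sources: List[str], wan_ip: str) -> List[str]:
    """Which of these outbound source addresses the CPE lets through."""
    return [s for s in sources if egress_allowed(s, wan_ip)]


if __name__ == "__main__":
    # Constructed: the WAN lease is 203.0.113.5; the other two are spoofed
    # or un-NATed sources from a misbehaving device on the LAN.
    print(simulate(["203.0.113.5", "198.51.100.9", "192.168.1.20"], "203.0.113.5"))
    print(nft_rules("203.0.113.5"))
```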
Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey
On Tue, 27 Sep 2016, Brielle Bruns wrote:
> I don't see how this is a problem exactly? If people want to buy devices that connect to their home network, they need to be aware of what these devices can do, and it is their responsibility.

I understand that is what you want. What you might like. What we all would like. People taking responsibility for their impact on others.

Unfortunately people plug things in, and if they work for them, they don't even think about how what they are doing might affect anyone else. In some cases, they don't even care. They've got soccer games and work and TV shows and kids and family. Who has time to become an expert in Internet security?

Google is doing a great job of annoying or alerting customers to potential issues, such as the red lock icon on their email, indicating that the email was sent unencrypted. The user gets worried (oooh, a red lock, that must be bad, I'm going to yell at someone to fix it for me) and the service provider jumps to improve the Internet, ideally. FreeBSD updated their default config so you have to proactively remove email encryption.

If we are truly worried about IoT and consumers contributing to the downfall of the Internet, force the consumer router manufacturers and third party firmware folks to implement whatever is necessary to make filters and blocking the default. 90%+ of consumers don't change any settings, beyond the SSID and Wifi Password, and those who do might take the responsibility you want.

Get the ISPs to realize that secure-by-default consumer routers that they distribute save them millions/billions of dollars annually in customer service and security personnel. Secure-by-default routers means cost-savings. Get ISPs to pressure manufacturers to implement measures to protect their own network and the Internet from the non-network-admin consumer.

We tech folk need to do this for the Internet citizens who don't know, don't care, or don't have time to mess with it.

If Timmy Numbnuts doesn't understand that plugging in a random device he found at Goodwill to his network could potentially carry liabilities, then he will keep doing it. Timmy Numbnuts needs to be protected from himself, so when he plugs in that device, it doesn't do any harm to anyone but his own network. He'd have to proactively turn off features or filters on his Router in order to harm others.

I point to the current trend of parents watching and smiling, doing nothing as their kids destroy people's stores and restaurants. ISPs are literally doing the exact same thing when it comes to coddling their customers.

Automation and default configs means customers don't have to do anything, nor think about it. They are protected both FROM harm from the Internet and FROM harming the Internet, at least by default.

Beckman

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Domain renewals
On Wed, 22 Sep 2016, John Levine wrote:
>> For domain registration I found that joining the GoDaddy Domain Club ( $120/year or less if you pay ahead for multiple years [1] ) ...
>
> There's a lot of registrars with prepay discounts. Gandi's domains are cheaper if you prepay $600, a lot cheaper if you prepay $2000.

I see the discount, and $600 prepay IS cheaper than Gandi rates with NO prepay. But the other companies are still less expensive even with the Gandi prepay.

  TLD    NearlyFree   GoDaddy DDC   Gandi B Rates ($600)
  com    $9.34        $10.44        $14.50
  org    $11.39       $14.14        $16.20
  net    $10.54       $11.14        $17.00
  info   $10.69       $12.14        $15.55
  name   $8.99        $12.14        $14.60
  biz    $11.19       $14.14        $16.28

Now if you get to $12,000 prepay, you get E Rates, where .com is $8.80 and .net is $11.00. Lower than most, but NearlyFree is still very competitive and even beats Gandi on a few TLDs at E Rates.

I'm sure there are more benefits to Gandi over others than just price. I agree with the other poster that other dimensions are also important and valuable: support quality, security, policies, UI, ease of use, communication.

Beckman

NOTE: All rates quoted are RENEWAL rates, not transfer or new, as of 9/21/16. GoDaddy DDC rates are discounted and adjusted for 56 domains for the DDC fee of $120 per year. More domains == lower prices.

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Domain renewals
I use DNS Made Easy for all of my DNS hosting, which I'm happy to recommend.

For domain registration I found that joining the GoDaddy Domain Club ( $120/year or less if you pay ahead for multiple years [1] ) is a good deal for the quantity of domains I own (56 and counting). It's kind of like Sam's Club -- you pay a membership fee for lower bulk pricing. Additionally they handle nearly every TLD, like .us, .name and co.uk.

NearlyFreeSpeech.net looks to have pricing that is close to that of the Domain Club, may have to check them out. The Domain Club cost of $120 divided by 56 domains is about $2.15 per Domain, so NearlyFree wins handily. I'd like to learn more about the WHO behind NFSN, as well as how and when they offer support.

  TLD    NearlyFree   GoDaddy Domain Club [Adjusted]
  com    $9.34      > $8.29   [$10.44]
  org    $11.39     < $11.99  [$14.14]
  net    $10.54     > $8.99   [$11.14]
  info   $10.69     > $9.99   [$12.14]
  name   $8.99      < $9.99   [$12.14]
  biz    $11.19     < $11.99  [$14.14]

In the 10-15 years of using GoDaddy, despite my disagreement with some of their marketing and public business positions, my domains don't get stolen, they haven't shut anything down, I haven't lost a domain name, and their support is decent when I need it (and it is 24/7 phone / email / chat).

[1] https://www.godaddy.com/domains/discount-domains.aspx

Beckman

On Mon, 19 Sep 2016, Jeff Jones wrote:
> Hello All,
>
> Sorry if this is low level. But are people sick of registrars jacking up prices? Who is the cheapest and most reliable? I have been using whois.com, networksolutions.com and am looking for input on who is cheap, secure, reliable registrar.
>
> Thanks for your input.
>
> ~Jeff

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: DNS Services for a registrar
If there are other metrics in which to measure DNS speed, availability and redundancy, I'd love to see them. I have but my own datapoint and the metrics from others. Tear down the testing model, but at least show a different/better one in return.

On Fri, 12 Aug 2016, Keith Stokes wrote:
> Route53 can get expensive for lots of domains. Queries are cheap with the first 1M free, but if you have 1000 domains you’ll pay $500/month. You can build dedicated servers in multiple AZs and data centers able to handle that many domains for far less. You might also consider running dedicated servers in each of AWS and Azure to avoid a single-provider failure.

Having worked for AWS, there is no "global" control plane that would bring two regions down at the same time. While possible, due to say a targeted successful attack on both regions simultaneously, highly unlikely. Control and data plane software updates and deployments are done regionally, and often on an Availability Zone basis where applicable, to ensure there are no defects. Automation measures and will automatically roll back code that breaks deployment metrics. It's pretty sweet. Their internal tools team does amazing things with automation.

Route53 is $0.50 per month per "zone" (domain) for the FIRST 25, then $0.10 per month per zone after that. 1000 domains would be $110 a month, not $500. 500 million queries at $0.40 per million, another $200/month. Who knows if you need that much, but it is pretty affordable.

Beckman

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: DNS Services for a registrar
I highly recommend DNS Made Easy. Super fast, extremely reliable (100% up time in the last 10-12 years excluding an 8 hour period 4-5 years ago where they got DDOSed, no issues since), very affordable.

#2 fastest for July: http://www.solvedns.com/dns-comparison/2016/07

Has been #1 several months this year.

Beckman

On Fri, 12 Aug 2016, Ryan Finnesey wrote:
> We need to provide DNS services for domains we offer as a registrar. We were discussing internally the different options for the deployment. Does anyone see a down side to using IaaS on AWS and Azure? We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53.
>
> Cheers
> Ryan

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: NANOG67 - Tipping point of community and sponsor bashing?
On Tue, 14 Jun 2016, William Herrin wrote:
> Anyway, not a fan of dancing on eggshells. If something deserves to be said, it should be said. If we can't take a little honesty, we're in the wrong line of work.

Yes! Though the "Hey that was negative! Don't say negative things about me!" mentality is not specific to our industry, but the American culture. As a parent, I see this every day with children -- parents dealing with everything that could be considered unpleasant on behalf of their child, and blaming others (teachers, other kids, other parents, solar flares) rather than taking on personal ownership of sometimes negative and complicated issues.

Negative feedback, respectfully and objectively delivered, should be embraced as opportunities to improve ourselves, our products and our services, not shunned and silenced because it points out a flaw.

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: [lists] Re: phone fun, was GeoIP database issues and the real world consequences
I highly doubt that your SIM card is depleted due to the US mobile phone billing structure. Sounds like a bad contract with a carrier that is billing you for incoming calls even though you aren't on the network, or bills you a fee each month when your SIM is inactive.

Don't blame a country's mobile telephone billing structure for a carrier's cell phone billing plan that seems confusing. That's like blaming the Department of Transportation for your faulty airbag.

Beckman

On Sat, 16 Apr 2016, Mark Andrews wrote:
> I've also got a US SIM and had my credit run to zero dollars with the phone turned off due to the silliness of the US system. No calls or SMS being delivered but I'm still getting charged.

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: phone fun, was GeoIP database issues and the real world consequences
On Wed, 13 Apr 2016, Jay Hennigan wrote:
> On 4/13/16 4:28 PM, Larry Sheldon wrote:
>> I am in frequent contact by a person that has a 917 NNX--numbered telephone who spends a lot of time with a person that has a 408 NNX--numbered telephone, and they both live in Metropolitan Boston
>
> When either of those people dial 9-1-1, where does the ambulance show up?

I suspect your response was sarcastic, but when you dig into what really happens, it's not nearly as sophisticated as one might hope.

If the numbers are land or VoIP lines, and the address associated with the numbers are registered with the Automatic Location Information (ALI) database run by ILECs or 3rd parties to fetch the address keyed on the calling number, and the 911 PSAP is E911 capable, the operator will see the ALI address.

If they are mobile devices, it depends. Basic gives you nothing (all phones since 2003 should have GPS, but people hang on to phones a long time..); Phase I Enhanced gives you the location of the cell site/tower, Phase II gives you lat/lon within 50 to 300 meters within 6 minutes of a request by the PSAP.

Yep, the PSAP has to make a request for the phone location to the carrier, in which they have 6 minutes to reply. I assume this is or can be automated. After 6 minutes, you could be a long way away from where you started the call.

If the phone numbers are not in the ALI, or are not wireless, or the PSAP (Public Safety Answering Point, the 911 office) is not set up for e911, they probably get nothing, relying solely on the caller to provide location information.

Beckman

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Uptick in spam
On Tue, 27 Oct 2015, Rich Kulawiec wrote:
> It would be nice if it did; it would be nice if the fatuous claim made at SPF's introduction ("Spam as a technical problem is solved by SPF") were true. But it's not. It's worthless.

I disagree. Since implementing SPF, there have been no joe-jobs on my accounts, and attempting to pretend to be me via email is difficult where SPF is implemented.

I never read or understood that SPF was created to solve the spam problem. It was to give owners of domains a way to say "If you got an email from us from these IPs/hosts, then it is probably from us." It gave domain owners a standardized programmatic way to say to email recipients when to accept or reject email from their domains.

SPF is not worthless. However, SPF IS worthless at preventing spam.

And while SPF *could* have been implemented by the owner of the email/domain that sent all of the spam to the NANOG list and *if* the mail server for NANOG respected SPF then the emails would have been dropped, it seems one or both is not the case.

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: AW: Uptick in spam
Wouldn't that be interesting -- you can't join NANOG unless your email domain publishes an SPF record with a -all rule. That would raise the bar AND prevent the kind of thing that happened this weekend.

On Tue, 27 Oct 2015, Geoffrey Keating wrote:
> ... and thus a suitable topic for NANOG, I guess, rather than a mail abuse list, because its best use is for domains that send no mail and receive no mail and don't want anything to do with mail and still get spam complaints.

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
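An added example (not from either message) serving both this -all proposal and the description of SPF in the message above it: a reduced RFC 7208 evaluator that answers whether a sender IP is authorized to send as a domain and whether the domain's record ends in -all. DNS is replaced by a constructed in-memory table of records in documentation ranges; only the ip4, ip6, include and all mechanisms are implemented.

```python
"""Minimal SPF (RFC 7208) check for the two questions in this thread:
is this sender IP authorized for the domain, and does the domain end its
policy with -all? Added example; DNS is replaced by a constructed table."""
import ipaddress
from typing import Dict, Optional

# Constructed stand-in for TXT lookups. Not real records.
TXT: Dict[str, str] = {
    "example.net": "v=spf1 ip4:198.51.100.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:203.0.113.25 ~all",
    "nomail.example.org": "v=spf1 -all",
    "loose.example.org": "v=spf1 ip4:192.0.2.0/24",
    "loop.example.org": "v=spf1 include:loop.example.org -all",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying terms


def spf_record(domain: str) -> Optional[str]:
    rec = TXT.get(domain.lower())
    return rec if rec and rec.startswith("v=spf1") else None


def check_host(ip: str, domain: str, budget: Optional[list] = None) -> str:
    """Return pass/fail/softfail/neutral/none/permerror for ip sending
    as domain. A shared lookup budget guards against include: loops."""
    budget = [MAX_LOOKUPS] if budget is None else budget
    record = spf_record(domain)
    if record is None:
        return "none"
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER[qual]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if sender.version == net.version and sender in net:
                return QUALIFIER[qual]
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"
            inner = check_host(ip, arg, budget)
            if inner in ("permerror", "none"):
                return "permerror"  # RFC 7208: included domain must resolve
            if inner == "pass":
                return QUALIFIER[qual]  # only a pass inside matches
        else:
            raise NotImplementedError(f"mechanism {name} not handled here")
    return "neutral"  # no mechanism matched and there was no 'all'


def publishes_hard_fail(domain: str) -> bool:
    """The proposed membership test: the policy ends with -all."""
    record = spf_record(domain)
    return bool(record) and record.split()[-1].lower() == "-all"


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.25", "192.0.2.1"):
        print(ip, "example.net ->", check_host(ip, "example.net"))
    print("example.net hard fail:", publishes_hard_fail("example.net"))
```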
Re: How to force rapid ipv6 adoption
That reminds me of a story.

Once a teacher gave each of his students a tube of toothpaste. He said "Squeeze all of the toothpaste out of the tube on to your desk." The kids laughed and did it, making a giant mess and having a ball.

When things settled down, the teacher said "Now put all of the toothpaste back into the tube." The kids fell silent. A few of them even tried the futile task.

Then the teacher said "The toothpaste is the Internet. Once it's deployed, it is nearly impossible to put it back the way it was."*

Beckman

* OK, the teacher said "The toothpaste are your words. Once they come out, you can't put them back in." Or something. My storytelling skills need work.

On Thu, 1 Oct 2015, jungle Boogie wrote:
> On 29 September 2015 at 13:37, David Hubbard <dhubb...@dino.hostasaurus.com> wrote:
>> Had an idea the other day; we just need someone with a lot of cash (google, apple, etc) to buy Netflix and then make all new releases v6-only for the first 48 hours. I bet my lame Brighthouse and Fios service would be v6-enabled before the end of the following week lol.
>
> Let's just put less stuff on the internet and revert pre-internet days.
>
> --
> ---
> inum: 883510009027723
> sip: jungleboo...@sip2sip.info
> xmpp: jungle-boo...@jit.si

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Sign-On Letter to the Court in the FCC's Net Neutrality Case
Why don't you post a copy here or a link? The message seems good; the process is broken.

Beckman

On Tue, 15 Sep 2015, Eric Brunner-Williams wrote:
> i read it, its rather good.
>
> -e
>
> On 9/12/15 12:45 PM, John Levine wrote:
>>> If you're willing to sign on and help today, please email me directly (off list) and I will be happy to share a copy of the letter for you to review before you agree to sign on.
>>
>> Why don't you just send us a copy or a link? If you're planning to file it as an amicus it's not like it's going to be a secret for very long.
>>
>> Regards,
>> John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
>> Please consider the environment before reading this e-mail. http://jl.ly

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: gmail security is a joke
I use completely random strings for security questions. The company doesn't care what my answer is, so instead of knowing that my favorite sports team is [REDACTED] they can see that it is WheF7?ydk/cBG8MgZf7w

Go WheF7?ydk/cBG8MgZf7w!

I store all of the security questions in my password manager (1Password), and though annoying if prompted for them often, my account is more secure as a result.

It's also a lot of fun when you call in and they ask you the answer to your security question. Just because someone asks you a question it does not require you to give an answer they expect. (Or any answer)

Beckman

On Fri, 29 May 2015, Joe Abley wrote:
> On Thu, May 28, 2015 at 03:13:37PM -0400, William Herrin wrote:
>> My first dog's name was a random and unpronounceable 30-character string.
>
> That's what I should do. Instead, I pull down the list of candidate questions and think to myself...
>
> - I didn't go to a high school
> - I don't understand this other high school reference
> - I don't watch sports
> - I don't have a favourite sports team
> - I wonder vaguely whether that question actually had anything to do with sports
> - I don't have a favourite pet
> - I don't know my grandmother's middle name, and never did
> - I don't have a favourite colour
> - I've never owned a dog
> - Are pets ever really owned?
> - Doesn't that speak to the denigration of others based on species?
> - Aren't we against that?
>
> and around this point, I start to think
>
> - I've had enough of this
> - this is too hard
> - I don't even remember what I am signing up for at this point
> - I am going to look for amusing cats on youtube

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: gmail security is a joke
LinkedIn used SHA-1, a fast algorithm. At 350-billion guesses per second on the mentioned rig for fast algorithms, yeah, you can get through a lot of passwords quickly. Hopefully LinkedIn has changed their ways.

In that same article:

  ...functions such as Bcrypt, PBKDF2, and SHA512crypt are designed to expend considerably more time and computing resources to convert plaintext input into cryptographic hashes. As a result, the new cluster, even with its four-fold increase in speed, can make only 71,000 guesses against Bcrypt...

And if you use a different salt for each password stored with Bcrypt, the hacker must test each password separately -- no rainbow tables here. Unfortunately they don't say how many iterations of Bcrypt equals 71,000, since you can add more iterations of the algorithm.

An example cipher text from bcrypt:

  $2a$13$Ejtc1pVjyLkZn4eU9FGCg.gOQ3QtbWOsUOvSUKbU2anywhoO04ESy

$2a$ indicates the blowfish algorithm, $13$ is the cost factor (number of iterations), the first 22 chars after are the salt and the rest is the cipher text. The higher the number of iterations, the harder computationally it is to go from a password to the cipher text. As hardware improves, the iterations should increase. I was thinking about using the last 2 digits of the year as the cost factor, but that might not scale with hardware linearly.

Bcrypt or PBKDF2 with random salts per password is really what anyone storing passwords should be using today.

Beckman

On Wed, 27 May 2015, Rich Kulawiec wrote:
> On Wed, May 27, 2015 at 01:51:35PM -0400, Barry Shein wrote:
>> Getting a copy of the database of hashes and login names is basically useless to an attacker.
>
> Not any more, if the hash algorithm isn't sufficiently strong:
>
> 25-GPU cluster cracks every standard Windows password in 6 hours
> http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
>
> Quoting:
>
> Gosney used the machine to crack 90 percent of the 6.5 million password hashes belonging to users of LinkedIn.
>
> Consider as well that not all attackers are interested in all accounts: imagine what this system (or a newer one, this is 2.5 years old) could do if focused on only one account. And of course epidemic password reuse means that cracked passwords are reasonably likely to work at multiple sites. And even if passwords aren't reused, there have now been so many breaches at so many places resulting in so many disclosed passwords that a discerning attacker could likely glean useful intelligence by studying multiple password choices made by a target. (We're all creatures of habit.)
>
> ---rsk

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
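An added example (not from the message) that parses the bcrypt string quoted above into its variant, cost, salt and digest, and works through how the cost factor scales a defender's per-hash time and an attacker's guessing effort; the timing inputs are parameters, not measurements, and the only hash used is the one from the message.

```python
"""Pull apart a bcrypt string and reason about the cost factor. Added
example; the hash below is the one quoted in the message, and the timing
inputs are parameters supplied by the caller, not measurements."""
import math
import re
from dataclasses import dataclass

# $2$, $2a$, $2b$, $2x$, $2y$ variants; two-digit cost; 22-char salt;
# 31-char digest; salt and digest use bcrypt's own base64 alphabet.
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


@dataclass(frozen=True)
class BcryptHash:
    variant: str
    cost: int
    salt: str
    digest: str

    @property
    def iterations(self) -> int:
        """The cost field is log2 of the key-setup rounds."""
        return 2 ** self.cost


def parse_bcrypt(text: str) -> BcryptHash:
    m = BCRYPT_RE.match(text)
    if not m:
        raise ValueError("not a bcrypt string")
    variant, cost, salt, digest = m.groups()
    cost_n = int(cost)
    if not 4 <= cost_n <= 31:
        raise ValueError(f"cost {cost_n} outside bcrypt's 4..31 range")
    return BcryptHash(variant, cost_n, salt, digest)


def relative_work(old_cost: int, new_cost: int) -> float:
    """Raising the cost by k multiplies the work by 2**k, which is why a
    cost tied to the calendar year does not track hardware linearly."""
    return 2.0 ** (new_cost - old_cost)


def cost_for_budget(measured_cost: int, measured_seconds: float,
                    target_seconds: float) -> int:
    """Smallest cost at which one hash takes at least target_seconds,
    given one timing of measured_cost on the current hardware."""
    if measured_seconds >= target_seconds:
        return measured_cost
    return measured_cost + math.ceil(math.log2(target_seconds / measured_seconds))


def seconds_to_try(guesses: int, guesses_per_second: float) -> float:
    """Attacker time for one candidate list against ONE salt; with a
    random salt per password the whole list is repeated per hash."""
    return guesses / guesses_per_second


PAGE_HASH = "$2a$13$Ejtc1pVjyLkZn4eU9FGCg.gOQ3QtbWOsUOvSUKbU2anywhoO04ESy"

if __name__ == "__main__":
    h = parse_bcrypt(PAGE_HASH)
    print(h, "iterations:", h.iterations)
    print("cost 13 -> 15 costs", relative_work(13, 15), "x the work")
    # Assumed timing: cost 13 takes 50 ms here; aim for at least 250 ms.
    print("cost for 250 ms budget:", cost_for_budget(13, 0.05, 0.25))
    # 71,000 guesses/s is the Bcrypt rate quoted in the article.
    print("1e9 guesses at 71k/s takes", seconds_to_try(10**9, 71_000) / 3600, "h per salt")
```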
Re: AWS EC2 us-west-2 reboot
Likely some sort of potentially serious bug or flaw in EC2 or Xen. AWS Security is really on the ball on such things and do everything they can to make invisible fixes with no customer impact, but sometimes a reboot is required in order to apply the changes necessary to keep customer instances safe from attacks and vulnerabilities.

Another possibility: getting rid of older hardware. A reboot will keep you in the same class of service but may move you to a new physical machine. Unlikely though at this reported scale.

Same thing happened in December 2011 [1].

Beckman

[1] http://www.crn.com/news/cloud/232300111/widespread-amazon-ec2-cloud-instance-reboots-spark-questions-concerns.htm

On Wed, 24 Sep 2014, Javier J wrote:
> Just got the same email. Not just US. Servers in Sydney we have also. Why such short notice?
>
> On Sep 24, 2014 4:58 PM, Grant Ridder shortdudey...@gmail.com wrote:
>> Doubt it since a bash patch shouldn't require a reboot
>>
>> On Wed, Sep 24, 2014 at 1:51 PM, Gabriel Blanchard g...@teksavvy.ca wrote:
>>> Bash related?
>>>
>>> On Sep 24, 2014, at 4:47 PM, Grant Ridder shortdudey...@gmail.com wrote:
>>>> As an FYI, it looks like Amazon is doing a mass reboot of the physical hosts in us-west-2 across all AZ's and it is scheduled to start tomorrow and take a couple days. Go to https://console.aws.amazon.com/ec2/v2/home?region=us-west-2#Events to see what instances are affected when.
>>>>
>>>> -Grant

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Client on OS X, Browsers ALL fail DNS Lookup off net Hosts, SMTP+shell OK
1. It could be that DNS is working fine but port 80/443 is blocked or filtered when you leave the local LAN. New Firewall? Proxy authentication required?

2. The DNS server (cat /etc/resolv.conf) that the Mac hosts are pointed to can resolve internal but cannot reach external DNS hosts due to the upstream blocking DNS due to DNS amplification attacks (or bonehead admin).

3. Your resolver has a static configuration pointed to an upstream DNS server, and it has stopped responding and no backups are available.

4. Your resolver has a static configuration pointed to an upstream DNS server, and the primary DNS upstream server is offline and you aren't waiting 60 seconds for it to fail to the next DNS server.

That's my off-the-cuff assessment.

On Wed, 18 Jun 2014, Everett F Batey II Gi wrote:
> Newly evolved problems (network has been good for years, no recent known upgrades, config changes):
>
> Clients on MAC OS X, Browsers ALL (FFox, Opera, Safari, Chrome) fail DNS Lookups for non-local web servers,
> BUT: SMTP mail, POP, IMAP and shell commands (ping, trace route) fully OK
> AND: www.google.com and a very few .orgs resolve on web browsers.
>
> Connected via TWBC: RCWE, 13820 Sunrise Valley Drive, Herndon, Allocations for this OrgID serve Road Runner commercial customers out of the Honolulu, HI, Kansas City, KS, Orange, CA and San Diego, CA RDCs. (Probably Orange Co, CA)
>
> No, MAC has no nsswitch.conf .. to there.
>
> MAC HACKED ( )   DNS HACKED ( )   ISP FAILED fwdg DNS ( )   OTHER IDEA, START POINT
>
> Thnx — VR, Ev / efba...@gmail.com / +1-805-616-2471

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Overall Netflix bandwidth usage numbers on a network?
On Sun, 11 Dec 2011, Christopher Morrow wrote: On Sun, Dec 11, 2011 at 10:46 PM, Faisal Imtiaz fai...@snappydsl.net wrote: Simple, keep traffic off paid ip transit circuits (I think joel's point was: peer with amazon, done-and-done) DirectConnect seems to be a good way to get a dedicated 1G or 10G link with AWS: http://aws.amazon.com/directconnect/ It's not settlement-free peering, but it's an option if you can't negotiate something. Maybe it will reduce costs in some use cases. Beckman --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Verizon acquiring Terremark
On Mon, 31 Jan 2011, Jimmy Hess wrote: On Mon, Jan 31, 2011 at 3:42 PM, Jeffrey Lyon jeffrey.l...@blacklotus.net wrote: One cannot be owned by a carrier and remain carrier neutral. My two cents, Agreed. An organization being a fully owned subsidiary of one carrier, and claiming to be completely carrier neutral, is an indelible conflict of interest; One of my colleagues was discussing this today. http://bit.ly/emZ7uA - http://www.alcatel-lucent.com/wps/portal/... Equinix has been claiming to have carrier neutral exchanges since Oct 2009. Who is using them and are they, in your opinion, being completely carrier neutral? Maybe it is possible. Beckman --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: anyone running GPS clocks in Southeastern Georgia?
On Fri, 21 Jan 2011, Robert E. Seastrom wrote: Firstly (idle curiosity) - does anyone have further publicly divulgable details on what's apparently a terrestrial jammer test or maybe an operational exercise involving the Bermuda Triangle and making planes and ships disappear... My first thought was testing UAVs and what they do in situations where GPS is jammed, blocked or provides false information. Doing so in an area where a total loss of control of the aircraft would result in a drop in the ocean rather than in or around a populated area is a good idea. Maybe there are already unit tests for such situations. --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
RE: NTP Server
On Sun, 24 Oct 2010, George Bonser wrote: The main reason for that is that the free servers won't remain free if every single individual host on the Internet is hitting them. By running your own internal servers a stratum down you offload that traffic from the public servers and preserve that resource. NTP is a great candidate for v4 anycast, too, so you can have a common configuration at all your locations if you want. It sure would be nice if datacenter facilities offered an independent NTP time source as a benefit for hosting with them. It would also be great if ISPs would offer this on the local network as well for their customers, as likely they already have one in several regions. time.windows.com and time.apple.com are also fine, though I'm not sure either has published their NTP source, whether it is a device or they are simply using the same ntp.org pool as many of us. I've never had a problem with the public NTP sources, but as George said, free may not always be free. Beckman --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Enterprise DNS providers
On Sat, 16 Oct 2010, Ken Gilmour wrote: We are looking at urgently deploying an outsourced DNS provider for a critical domain which is currently unavailable but are having some difficulty. I've tried contacting UltraDNS who only allow customers from US / Canada to sign up (we are in Malta) and their Sales dept are closed, and Easy DNS who don't have .com.mt as an option in the dropdown for transferring domain names (and also support is closed). Just throwing my hat in the ring. DNSmadeEasy has handled my DNS traffic, both personal and professional, for several years with an uptime of 99.%* over 8 years of service (I've been with them for at least 4). Very honest, very responsive, great service, and very good pricing for an Enterprise Anycasted DNS network. Beckman * They were DDOSed recently with an enormous amount of traffic. First outage in their 8 year history. www.dnsmadeeasy.com --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Internationalized domain names in the root
On Fri, 7 May 2010, Jeroen van Aart wrote: David Conrad wrote: Perhaps a bit off-topic, but some folks might get support calls... http://وزارة-الأتصالات.مصر/ That actually looks quite handsome. :-) And this is what it looks like to DNS: http://xn--4gbrim.xnrmckbbajlc6dj7bxne2c.xn--wgbh1c/ Hurrah for Punycode. --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: SSH brute force China and Linux: best practices
On Sat, 30 Jan 2010, Bazy wrote: On Sat, Jan 30, 2010 at 6:47 AM, Bobby Mac bobby...@gmail.com wrote: So after many years of a hiatus from Linux, I recently dropped XP in favour of Fedora. Now that my happy windows blinders are off, I see alarming things. Ugly ssh brute force, DNS server IP spoofing with scans and typical script kiddie tactics. Take a look at http://www.fail2ban.org and http://denyhosts.sourceforge.net. I'm not Chinese but I'm sure that brute-force attacks come from all over the world. Here's a little from my logwatch. For securing ssh, better than either of those is sshguard. fail2ban is a Python script, as is denyhosts. Script-based services are fine, but native compiled code is better, lower memory, less overhead. sshguard is better because it's written in C, can read multiple log formats, can block for many popular services (dovecot, ftp daemons, even an imap daemon) and it works with many popular existing firewalls: pf, netfilter, iptables, ipfw, ipfilter, tcpd, even IBM's AIX firewall. http://www.sshguard.net/ I've run it for 3 years now, solid as a rock. Questions are quickly answered in the mailing lists by the lead developer Mij. Additionally, you may want to consider using SSH Key Authorization only, and disable password authentication. This guarantees that brute force attacks will fail, because they only use username + Password (AFAICT), not random private keys. Here is a good article on how to enable Key-based auth (may already be enabled), as well as how to turn Password Auth off in ssh to protect/eliminate ssh brute force successes. http://www.debuntu.org/ssh-key-based-authentication Beckman --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
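What sshguard, fail2ban and denyhosts all do underneath is the same thing: read the sshd log, count failed password attempts per source address inside a time window, and act once a threshold is crossed. The block below is an added example of that detection logic, not code from this thread or from any of those projects; it runs over constructed sshd log lines in the usual syslog format and returns the addresses that crossed the threshold, with the window sliding so a slow, patient source ages out instead of accumulating forever.

```python
"""Sliding-window detection of SSH password brute forcing in sshd log lines.

Added example (not sshguard/fail2ban/denyhosts code). Parses OpenSSH
"Failed password" lines, keeps a per-source deque of recent attempt
times, and flags a source once `threshold` attempts fall inside
`window_seconds`. The log lines below are constructed samples.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Typical OpenSSH failure line on a syslog host (syslog omits the year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(lines, year=2010):
    """Yield (timestamp, user, ip) for each failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                      # accepted logins, other daemons, etc.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_brute_forcers(lines, threshold=5, window_seconds=600):
    """Return {ip: time the threshold was first crossed} for offending sources.

    Per IP, keep only attempts within `window_seconds` of the newest one;
    when the window holds `threshold` attempts, flag the IP (once).
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, _user, ip in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                   # drop attempts older than the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


# Constructed sample: one noisy source (198.51.100.7) and one user who
# mistyped a password twice (203.0.113.9); documentation addresses only.
SAMPLE_LOG = """\
Jan 30 06:47:01 host sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 40120 ssh2
Jan 30 06:47:02 host sshd[4102]: Failed password for invalid user oracle from 198.51.100.7 port 40121 ssh2
Jan 30 06:47:04 host sshd[4103]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jan 30 06:47:05 host sshd[4104]: Failed password for invalid user test from 198.51.100.7 port 40123 ssh2
Jan 30 06:47:09 host sshd[4105]: Accepted publickey for bobby from 203.0.113.5 port 51000 ssh2
Jan 30 06:47:11 host sshd[4106]: Failed password for bobby from 203.0.113.9 port 51002 ssh2
Jan 30 06:47:20 host sshd[4107]: Failed password for bobby from 203.0.113.9 port 51003 ssh2
Jan 30 06:47:31 host sshd[4108]: Failed password for root from 198.51.100.7 port 40124 ssh2
Jan 30 06:48:02 host sshd[4109]: Failed password for invalid user guest from 198.51.100.7 port 40125 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, when in find_brute_forcers(SAMPLE_LOG).items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
```

With the default threshold of 5 in 10 minutes only 198.51.100.7 is flagged (at its fifth attempt, 06:47:31); the two mistyped passwords from 203.0.113.9 stay below it. As the post says, the stronger control is to set `PasswordAuthentication no` in sshd_config so these attempts cannot succeed at all; the detector then only tells you who is knocking.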
Re: news from Google
On Fri, 11 Dec 2009, Seth Mattinen wrote: It's better than the maybe you shouldn't be doing things you don't want people to know about statement. That right there gives me some insight on where Google wants to go in the future with privacy. At least Google seems to be honest about it. What does Bing say they keep about you when you search, not logged into your Passport account? IP + searches, date and time? And what do they actually do? What about Yahoo, now that they will use Bing? Or even AltaVista? How do we know the difference between the reality of what they do versus their Privacy Policy? If you aren't breaking the law, the government won't be looking for your data, and won't ask Google/Yahoo/Bing/AltaVista or other search companies for your data. If you ARE breaking the law, and you live in the US, you gotta be careful about what you do on the Internet, 'cause it all gets logged differently in different places. I find it REALLY HARD TO BELIEVE that NO OTHER SEARCH ENGINE COMPANY is retaining search data with IP address and maybe even account ID for a period of time. Not even Netflix, who thought they scrubbed the Netflix Prize Dataset, was able to rid the data of your personal information. http://www.cs.utexas.edu/~shmat/netflix-faq.html We're living in a world where every web request writes to a log file. Those log files live for days, weeks, years, even decades, and depend on the admins running the site, not the Privacy Policy. If you've ever visited my site, I've kept those logs for 10 years. Your IP, your browser, all that crap. This is the internet. You are logged at almost every action you take, somewhere. It's easy to archive those logs, and hard to cull them of personally identifiable information. Because disk is cheap, we tend to hoard data, not delete it. I'd like to see an independent source compare Mozilla's Privacy Policy to their actual practices, and see if they are truly leaders in personal privacy or just being hypocritical. 
And even if they do keep to their Privacy Policy, they provide a useful service, and I'm not breaking the law (that I know of). They can have my IP, what I search, what AddOns I've added, my crash signatures. At least I know what they have and that they will follow US Law and give it to authorities when properly requested. You don't get to have Privacy on the Internet. It's a fallacy. You have to work really hard to truly have privacy on the 'net. And lie a lot. Beckman --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: news from Google
On Fri, 11 Dec 2009, Seth Mattinen wrote: We want your money versus we want your life. I don't pay any of those search engines -- they make money off of advertising. Huh, just like Google. And to think that none of the search engines are taking that data and trying to build better products or services is naive. We are all likely breaking some law on a daily basis. Now this I agree with. There are so many laws, so many unenforced, that it is hard to know all of them, and to know which ones (in which state, city, local, or country!) you are breaking. You have the choice to be more private -- pay cash for everything, wear a hood or a mask to avoid being caught on camera, no EZpass, no bank account, no credit card, no cell phone, no phone at all, no Internet access. But that's kinda difficult to do, given that most of us have jobs and income based solely on this medium. The ease of logging and the human justification of hoarding that data pretty much prevents you from having a private life. Trust me, what you search on Google is much less valuable than your cell phone records, credit card statements and EZpass records. Your search records are just icing on the cake to the prosecutor. Here's a pretty common line that Microsoft has that Google completely omits (or that I can't find): We do not sell, rent, or lease our customer lists to third parties. Have you opted out of your credit card company from doing so? Do you feel as comfortable with your Credit Card company as you do with Google? Do you feel MORE comfortable with Microsoft managing your Credit Card? C'mon. Your personal information is so easily gotten right now it's silly for anyone to think that knowing Microsoft won't sell their customer lists will somehow protect you. Beckman --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: news from Google
On Fri, 11 Dec 2009, Scott Weeks wrote: --- beck...@angryox.com wrote: From: Peter Beckman beck...@angryox.com At least Google seems to be honest about it. -- Yeah, trust them... I said seems. It's hard to verify if ANY company follows what is said in their Privacy Policy. --- What does Bing say they keep about you when you search, not logged into your Passport account? IP + searches, date and time? And what do they actually do? --- NOW you're getting warm. What IS the difference in what a corp says they do and what they actually do? Who knows? Since they won't let you check (then again, I never asked if I could), how do you know what they are really doing with the data you know they might have? --- What about Yahoo, now that they will use Bing? Or even AltaVista? How do we know the difference between the reality of what they do versus their Privacy Policy? Yahoo and Altavista are one and the same. Excite is owned by www.iac.com who own many other companies that collect and make money from knowing what you do. Webcrawler is owned by InfoSpace (www.infospaceinc.com). They are ALL making money doing the same thing. I don't see that trend slowing. So when you search on AltaVista, assuming AltaVista uses Yahoo and Yahoo using Bing, does AV, Yahoo! AND Microsoft (via Bing) all get a copy of that single search request and thusly your data? I'm guessing the 3 companies have different privacy policies that each apply to that data separately... makes your head spin. -- You don't get to have Privacy on the Internet. It's a fallacy. You have to work really hard to truly have privacy on the 'net. And lie a lot. -- Yes, you have to work hard and (one last time :-) DBS. Use your sniffers at home to see what's talking to what; manage your cookies; force your ISPs machinery to change your DHCP-assigned address a lot; use SSH tunnels, blah, blah, blah. That's a lot of work, more overhead than many are willing to put in. 
Maybe someday I'll eat my words, but I'm just not paranoid enough to work that hard to avoid search engines or other companies to log my use of their service. I'm more worried about all the data at the doctor's office, the federal government, credit card and reporting companies, phone companies, etc. and I'm not doing much about that either. In FF goto Tools, 'Options', 'Privacy', and select: Accept cookies from sites'; 'Accept third-party cookies'; 'Keep until: ask me every time just to get a taste. Be sure to click on 'Show Details' when the flood of cookies comes and pay attention to the details. Don't go to sites that bork when you use these settings any longer. Also, look in 'Show cookies' and 'Exceptions'. Funny how M$ won't let you do that in IE AFAICT. Using a combo of Ad Blocker Plus and NoScript in Firefox helps reduce that significantly, without all the popups. But yeah, it's hard to use the Internet and not get tracked by a bunch of different entities you know nothing about. Which gives further proof that my earlier statement rings true: You don't get to have Privacy on the Internet. It's a fallacy. You have to work really hard to truly have privacy on the 'net. And lie a lot. Beckman --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: news from Google
On Fri, 11 Dec 2009, sth...@nethelp.no wrote: If you aren't breaking the law, the government won't be looking for your data, and won't ask Google/Yahoo/Bing/AltaVista or other search companies for your data. That's an extremely naive view of how governments operate. To put it mildly. That may be. But the government has a lot better data than what did Peter Beckman search for online in the last 12 years? Could it help them build a case against me? Sure. Should I be more careful about using search engines? Probably. I know there is TORbutton (easily turn on and off TOR) and tor-proxy.net plugins for Firefox, but is there a plugin that will use a user-defined proxy for certain user-defined sites/URLs (such as Google, Bing, etc) and allow one to surf directly on all other URLs? Or even a NoScript (whitelist) type deal that sends everything via a proxy except for those sites you decide to trust? That'd be handy to avoid this privacy stuff. Getting offtopic. You simply need to assume that every company who you reveal even small pieces of your identity or online persona will sell, reveal, badly secure or misuse the information you provide. I think this assumption is realistic, and that you need to be aware of it. Google is simply telling you what all the other companies already do -- archive their data, which you generated, and which can be used to identify you and against you in a court of law. I'm shocked that really smart people like Asa Dotzler are shocked by what Eric Schmidt said, what I assumed was simply common knowledge - that there is no real privacy on the internet. Beckman --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Earthlink SMTP Admin Contact?
On Tue, 8 Dec 2009, Jason Williams wrote: On Dec 8, 2009, at 11:42 AM, Ryan Gelobter wrote: Any chance there's someone from Earthlink on nanog or anyone that has contact information? Their NOC has an unlisted number: +1 404-815-0770 x22277 Not anymore, it would seem. NANOG Archives FTW. --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: news from Google
On Thu, 3 Dec 2009, Seth Mattinen wrote: Jorge Amodio wrote: now Google DNS, anything more? I'm surprised that Google's new DNS service does not return better results for google.com than some local DNS resolvers do. My server is in Fairfax, VA. Does Google use Anycast'ed IPs or is it still a hybrid of split-horizon DNS and other things, as discussed previously: http://www.merit.edu/mail.archives/nanog/2009-02/threads.html#00269 Here's the results from some various DNS servers for Google.com. I thought Google had a datacenter in Ashburn, VA, but I'm not getting there. Maybe it's gone. Maybe the shortest route doesn't matter anymore.

-- dig +short google.com @208.67.222.222   # OpenDNS
74.125.53.100
74.125.67.100
74.125.45.100
-- dig +short google.com @8.8.8.8   # Google DNS
74.125.67.100
74.125.53.100
74.125.45.100
-- dig +short google.com @8.8.4.4   # Google DNS 2
74.125.67.100
74.125.53.100
74.125.45.100
-- dig +short google.com @198.6.1.1   # UUNET/Verizon Cache server (cache00.ns.uu.net)
74.125.53.100
74.125.67.100
74.125.45.100
-- dig +short google.com @198.6.1.2
74.125.45.100
74.125.53.100
74.125.67.100
-- dig +short google.com @198.6.1.3
74.125.45.100
74.125.67.100
74.125.53.100
-- dig +short google.com @198.6.1.4
74.125.45.100
74.125.53.100
74.125.67.100
-- dig +short google.com @198.6.1.5
74.125.67.100
74.125.45.100
74.125.53.100
* -- dig +short google.com @70.164.18.41   # Nova.org (Small VA ISP) Caching DNS
74.125.45.100
74.125.53.100
74.125.67.100
* -- dig +short google.com @208.94.147.150   # Tiggee DNS (VA company)
74.125.45.100
74.125.67.100
74.125.53.100

-- ping -c 10 74.125.45.100
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 18.079/20.522/25.272/2.200 ms
-- ping -c 10 74.125.53.100
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 97.721/101.267/107.770/2.856 ms
-- ping -c 10 74.125.67.100
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 97.531/99.238/101.206/1.420 ms

Only the last two starred DNS records returned what _seems_ to be the best result for Google.com. Then again, someone from Google might be able to explain the logic behind the results. And to rip off the bandaid on the What DNS Is Not discussion, Google's DNS does return the expected NXDOMAIN for the very small test I did. --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Password repository
On Thu, 19 Nov 2009, John Adams wrote: I'm a big fan of 1password, but I'm on mac and iPhone. I'll second that. 1Password truly is fabulous, though its strength is the Auto-website login feature with a hotkey. When in your browser, Command+Option+\, type some characters of the site or description, hit enter, and it opens your default browser, goes to the site and logs you in. Integrates on all browsers: Safari, Firefox, Opera and others. Supports secure notes, has a well designed strong password generator, can be synced over the network to multiple other computers via Dropbox (or whatever you want to use, rsync works too), and has great integration with the iPhone as well as a browser-based client for use on non-Mac computers. If you are not using a Mac, or are using a mixed bag of operating systems, 1Password is probably not best. --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Level3 90+% Packet Loss in New York
Anyone know anything? Has happened twice today, right now, and between 12:22pm and 12:49pm (at least same symptoms as this issue)

                                              Packets               Pings
 Host                                       Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. 208.72.185.177                          0.0%   785    0.3   0.3   0.2  20.4   1.1
  2. 208.72.184.245                          0.0%   785    0.6   0.4   0.2  78.7   2.9
  3. ge-6-7.car3.NewYork1.Level3.net         0.0%   785    0.6  11.7   0.4 316.3  37.7
  4. vlan69.csw1.NewYork1.Level3.net        96.4%   784    8.2   5.4   0.6  13.5   4.2
  5. ae-64-64.ebr4.NewYork1.Level3.net      97.1%   784    3.6  11.1   1.7  25.2   6.4
  6. ae-6-6.ebr2.NewYork2.Level3.net        95.5%   784    9.0   5.5   1.0  13.7   4.1
  7. ae-2-2.ebr1.Chicago1.Level3.net        94.9%   784   39.1  31.2  22.0  41.6   6.5
  8. ae-1-53.edge3.Chicago3.Level3.net      96.3%   784   33.4  29.9  21.6  83.6  12.8
  9. BANDCON.edge3.Chicago3.Level3.net      95.7%   784   26.8  32.4  22.3 150.1  23.2
 10. po2.core3.chi01.steadfast.net          96.3%   784   33.0  30.1  22.2  93.0  13.0
 11. ip76.216-86-150.static.steadfast.net   96.3%   777   33.5  28.4  22.6  35.4   4.5

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Dutch ISPs to collaborate and take responsibility for bottedclients
Looks like ISP-to-customer notification of possible infection is starting on Comcast in the US now. http://news.cnet.com/8301-27080_3-10370996-245.html --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Dutch ISPs to collaborate and take responsibility for botted clients
On Sun, 4 Oct 2009, Owen DeLong wrote: * Provide a short period of time (3 days) after notification and before disconnect to give an opportunity to fix the issue without service interruption Uh... Here I differ. The rest of the internet should put up with the abuse flowing out of your network for 3 days to avoid disruption to you? Why? Sorry, if you have a customer who is sourcing malicious activity, whether intentional or by accident, I believe the ISP should take whatever action is necessary to stop the outflow of that malicious behavior as quickly as possible while simultaneously making all reasonable effort to contact the customer in question. Yeah, after a few people privately emailed me regarding the same, the short period of time should be thrown out, for the good of the rest of the 'net. The short period was initially intended for infections that were not active or immediately impacting, but were detected to be infected nonetheless. Assuming active bad behavior immediate disconnect is prudent and wise. As our ability to remotely detect virus and trojans improves, I suspect such an ISP-provided service would as well. * Offer a simple, automated way to get the connection re-tested and unblocked immediately (within 15 minutes) using a web service accessible even if the connection is blocked Either a web interface or even a telephonic process. It doesn't necessarily need to be automated, but, it shouldn't be a 3 day wait for a technician to get back to you. It should definitely be a pretty rapid process once the abuse is resolved. Agreed. Another emailer mentioned that it's not always simple to determine if the abuse is resolved or not, nor is it easy to explain this to a non-technical customer in a way that makes them happy with their service being cut off. However it is ignorance and lack of maintenance that makes viruses and botnets so prevalent that it may just be time to bite the bullet and force users to learn how to maintain their machines. 
* Force the customer to call customer service to ask for a retest or reconnect I don't really see a problem with this, so long as customer service is responsive to such a call. I like self-service. If it is 3am and staff is not available, making the process automated would be ideal. If the staff is 24/7, agreed. Beckman --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Repeated Blacklisting / IP reputation
On Thu, 10 Sep 2009, Mark Andrews wrote: What a load of rubbish. How is ARIN or any RIR/LIR supposed to know the intent of use? Why don't we just blacklist everything and only whitelist those we know are good? Because the cost of determining who is good and who is not has a great cost. If you buy an IP block, regardless of your intent, that IP block should not have the ill-will of the previous owner passed on with it. If the previous owner sucked, the new owner should have the chance to use that IP block without restriction until they prove that they suck, at which point it will be blocked again. That system seems to work well enough: blacklist blocks when they start to be evil, according to your own (you being the neteng in charge) definition of evil. ARIN needs to be impartial. If they are going to sell the block, they should do their best to make a coordinated effort to make sure the block is as unencumbered as possible. I get that there is a sense that ARIN needs to do more due diligence to determine if the receiving party is worthy of that block, but I'm not aware of the process, and from the grumblings it doesn't seem like fun. Note we all could start using IPv6 and avoid this problem altogether. Because as we know IPv6 space is inexhaustible. Just like IPv4 was when it began its life. ;-) That won't avoid the problem, it will simply put the problem off until it rears its head again. I'm sure that IPv6 space will be more easily gotten until problems arise, and in a few years (maybe decades, we can put this problem on our children's shoulders), we'll be back where we are now -- getting recycled IP space that is blocked or encumbered due to bad previous owners. Beckman --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Repeated Blacklisting / IP reputation
On Thu, 10 Sep 2009, Benjamin Billon wrote: Why don't we just blacklist everything and only whitelist those we know are good? snip Note we all could start using IPv6 and avoid this problem altogether. snip Yeah. When ISP will start receiving SMTP traffic in IPv6, they could start to accept whitelisted senders only. IPv6 emails == clean Utopian thought? My statement about blacklisting everything was sarcastic. Clearly blacklisting everything and whitelisting individual blocks is not a viable, reasonable nor cost-effective option. Clearly I also suck at conveying sarcasm via email. :-) Beckman --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Repeated Blacklisting / IP reputation
How about a trial period from ARIN? You get your IP block, and you get 30 days to determine if it is clean or not. Do some testing, check the blacklists, do some magic to see if there are network-specific blacklists that might prevent your customers from sending or receiving email/web/other connections with that new IP block. If there are problems, go back to ARIN and show them your work and if they can verify your work (or are simply lazy) you get a different block. ARIN puts the block into another quiet period. Maybe they use the work you did to clean up the block, maybe they don't. Cleaning up a block of IPs previously used by shady characters has a real cost, both in time and money. The argument as I see it is who bears the responsibility and cost of that cleanup. Beckman --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
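The "check the blacklists" step in the 30-day trial above is mechanical: for each address in the new block, reverse the octets, append the list's zone, and look up an A record; an answer inside 127.0.0.0/8 means the address is listed, NXDOMAIN means it is not. The block below is an added example of that check, not code from this thread, from ARIN, or from any DNSBL operator. The lookup function is pluggable so the logic is exercised offline against a constructed fake resolver; the zone names `bl.example` and `other.example` and all addresses are placeholders.

```python
"""Check an IPv4 block against DNS-based blocklists (DNSBLs) before use.

Added example (not ARIN or any DNSBL operator's code). DNSBL convention:
query <reversed-octets>.<zone> for an A record; 127.0.0.0/8 answers are
listing codes, NXDOMAIN means not listed. `lookup` is injectable so the
scan can run offline; the fake answers below are constructed.
"""
import ipaddress
import socket

RETURN_CODES = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_name(ip, zone):
    """198.51.100.7 under 'bl.example' -> '7.100.51.198.bl.example'."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def live_lookup(name):
    """Resolve `name` to IPv4 strings; [] when NXDOMAIN or no A data."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def is_listed(ip, zone, lookup=live_lookup):
    """Return the listing codes for `ip` in `zone` ([] when not listed)."""
    answers = lookup(dnsbl_name(ip, zone))
    # Only 127.0.0.0/8 answers are DNSBL return codes; anything else
    # (a wildcard from a misconfigured or retired list) is not a listing.
    return [a for a in answers if ipaddress.IPv4Address(a) in RETURN_CODES]


def scan_block(cidr, zones, lookup=live_lookup, limit=None):
    """Return {ip: {zone: codes}} for listed hosts in `cidr`.

    `limit` caps the number of hosts probed, for sampling a large block
    instead of sending one query per address per list.
    """
    hits = {}
    for i, host in enumerate(ipaddress.IPv4Network(cidr).hosts()):
        if limit is not None and i >= limit:
            break
        for zone in zones:
            codes = is_listed(str(host), zone, lookup)
            if codes:
                hits.setdefault(str(host), {})[zone] = codes
    return hits


# Constructed fake resolver standing in for real DNSBL answers.
FAKE_ANSWERS = {
    "7.100.51.198.bl.example": ["127.0.0.2"],       # listed, generic code
    "9.100.51.198.bl.example": ["127.0.0.4"],       # listed, another code
    "9.100.51.198.other.example": ["127.0.0.2"],    # listed on a second list too
    "200.100.51.198.bl.example": ["192.0.2.1"],     # non-127 answer: not a listing
}


def fake_lookup(name):
    """Offline stand-in for live_lookup."""
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    zones = ["bl.example", "other.example"]
    for ip, listings in scan_block("198.51.100.0/24", zones, fake_lookup).items():
        print(ip, listings)
```

Against the fake resolver, the scan reports 198.51.100.7 (one list) and 198.51.100.9 (two lists) and ignores the non-127 answer for .200; with `live_lookup` and real zone names it produces the evidence the post suggests taking back to ARIN. Each list publishes its own meaning for the individual 127.0.0.x codes, so keep the codes rather than collapsing them to a boolean.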
83.222.0.0/19 Unroutable on Verizon
I can't reach 83.222.0.0/19 from Verizon, but I can via Cox Communications Business Fiber as well as Level3. Dies at a peering point it seems:

HOST: home                            Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. mph                               0.0%    20    0.7   0.6   0.5   0.7   0.1
  2. 10.1.41.89                        0.0%    20    2.3   3.6   1.7  26.4   5.6
  3. G2-0-3-891.WASHDC-LCR-08.ver      0.0%    20    2.1   1.9   1.6   2.2   0.2
  4. so-1-1-0-0.RES-BB-RTR2.veriz      0.0%    20    2.3   2.4   2.2   2.8   0.1
  5. 0.so-6-1-0.XL4.IAD8.ALTER.NE      0.0%    20    2.8   2.8   2.6   3.0   0.1
  6. 0.xe-8-1-0.BR1.IAD8.ALTER.NE      0.0%    20    5.1   8.4   3.0  40.3   9.4
  7. 64.212.107.157                    0.0%    20  203.2  14.0   3.0 203.2  44.6
  8. ???                             100.0     20    0.0   0.0   0.0   0.0   0.0

Hop 7 alternates between 64.212.107.157 (GBLX) and 204.255.169.202 (MCI dba Verizon) and dies after that. 83.222.32.0/19 seems to route correctly. Can anyone else confirm? Bad BGP Announcement? Beckman --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: 83.222.0.0/19 Unreachable on Verizon
Subject updated to be less wrong.

On Thu, 3 Sep 2009, Peter Beckman wrote: I can't reach 83.222.0.0/19 from Verizon, but I can via Cox Communications Business Fiber as well as Level3. Dies at a peering point it seems:

HOST: home                            Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. mph                               0.0%    20    0.7   0.6   0.5   0.7   0.1
  2. 10.1.41.89                        0.0%    20    2.3   3.6   1.7  26.4   5.6
  3. G2-0-3-891.WASHDC-LCR-08.ver      0.0%    20    2.1   1.9   1.6   2.2   0.2
  4. so-1-1-0-0.RES-BB-RTR2.veriz      0.0%    20    2.3   2.4   2.2   2.8   0.1
  5. 0.so-6-1-0.XL4.IAD8.ALTER.NE      0.0%    20    2.8   2.8   2.6   3.0   0.1
  6. 0.xe-8-1-0.BR1.IAD8.ALTER.NE      0.0%    20    5.1   8.4   3.0  40.3   9.4
  7. 64.212.107.157                    0.0%    20  203.2  14.0   3.0 203.2  44.6
  8. ???                             100.0     20    0.0   0.0   0.0   0.0   0.0

Hop 7 alternates between 64.212.107.157 (GBLX) and 204.255.169.202 (MCI dba Verizon) and dies after that. 83.222.32.0/19 seems to route correctly.

I've called both the Verizon NOC and UUNET NOC, talked to friendly people who told me nicely to go talk to someone else. My next step will be to contact ip-...@verizonbusiness.com as per the netops NOC list. Any IPs in 83.222.0.0/19 that ARE reachable on L3 and Cox are not reachable on Verizon. Please note I'm not doing traceroutes to 83.222.0.0 or 83.222.0.0/19. I'm tracing hosts that are known to be up and traceable, and are within this block. An interesting side note -- I can't get to retn.net either on Verizon, but can elsewhere, which is 81.222.33.89. As an end user smart enough to figure out why a website isn't loading, it is a GIANT PAIN and next to impossible to report a network issue when you are a non-customer, non-ISP employee. This is why I posted this on NANOG, because I'm trying to promote dialog between people concerning the operation of IP networks. Verizon asked me to reboot my router. I hung up. Beckman --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Ready to get your federal computer license?
On Mon, 31 Aug 2009, Jason Jenisch wrote: Hiers, David wrote: http://sip-trunking.tmcnet.com/topics/security/articles/63218-bill-give-president-emergency-power-internet-raises-concerns.htm I must have missed something here... I cannot find in the article or the bill where it states or alludes to a federal computer license requirement for computer users. The proposal also includes a federal certification program for cyber security professionals, and a requirement that certain computer systems and networks in the private sector be managed by people who receive that license, CNET said. --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: FCCs RFC for the Definition of Broadband
On Fri, 28 Aug 2009, Leo Bicknell wrote: In most areas of the country you can't get a permit to build a house without electrical service (something solar and other off the grid people are fighting). Since it is so much more cost effective to install with new construction, why don't we have codes requiring Cat5 drops in every room, and fiber to the home for all new construction? And where does that fiber go to? Home runs from a central point in the development, so any provider can hook up to any house at the street? Deregulation means those lines should be accessible to any company for a fee. How do you give House A Verizon and House B Cox, especially if Cox doesn't support fiber? Granted, I don't do residential broadband deployments, maybe all of those issues are trivial, but something that needs to be considered. Just because there is only one player in a certain market now doesn't mean we shouldn't plan now for 10 players 10 years from now in the same market. --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: FCCs RFC for the Definition of Broadband
On Fri, 28 Aug 2009, Joe Abley wrote: On 28-Aug-2009, at 08:14, Peter Beckman wrote: And where does that fiber go to? Home runs from a central point in the development, so any provider can hook up to any house at the street? Deregulation means those lines should be accessible to any company for a fee. How do you give House A Verizon and House B Cox, especially if Cox doesn't support fiber? His general idea was that the homeowner owns conduit and fibre from the house to a shared neighbourhood colo facility, and has rights to some space in that facility. The facility then acts as a junction point between houses in the neighbourhood (if the neighbours want to connect) or as a place where a service provider could build to in order to deliver service to the homeowner. I like that idea, except for the problem that I don't want my neighbors to have access to the colo, or at least my feed, but I want access to my feed so I can reboot whatever device is connected there. There would have to be individual locked cages of some standard size so I could access and reboot or change my router out, but could not disconnect or modify my neighbor's connection. It would really suck if my router locked up and it was locked in the colo room and I had to wait for someone to let me in to powercycle it. It would also really suck if my neighbor hated me and simply loosened my connection when they felt like it. I'm sure there are solutions to that problem, but moving the demarc line outside the home does bring up new and interesting challenges. --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Level3 Routing Problems in Atlanta?
I'm having a few troubles with L3 on this fine, dreadfully humid evening.

HOST: max                          Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. mph                            0.0%    10    0.7   0.6   0.5   0.8   0.1
  2. 10.1.41.89                     0.0%    10    1.7   1.9   1.7   2.3   0.2
  3. G2-0-3-891.WASHDC-LCR-08.ver   0.0%    10    1.8   1.8   1.7   1.9   0.1
  4. so-1-1-0-0.RES-BB-RTR2.veriz   0.0%    10    2.3   2.4   2.2   2.6   0.1
  5. 0.so-1-2-0.XL4.IAD8.ALTER.NE   0.0%    10    2.8   2.8   2.6   3.0   0.1
  6. 0.xe-8-1-0.BR1.IAD8.ALTER.NE   0.0%    10    4.8   4.6   2.9   4.9   0.6
  7. te-11-3-0.edge1.Washington4.   0.0%    10    5.1   3.4   2.8   5.1   0.9
  8. vlan69.csw1.Washington1.Leve   0.0%    10    3.6   6.7   3.5  14.6   4.1
  9. ae-61-61.ebr1.Washington1.Le   0.0%    10   12.8   9.2   5.7  16.0   3.6
 10. ae-2.ebr3.Atlanta2.Level3.ne  10.0%    10   19.9  23.9  19.9  31.8   4.1
 11. ge-5-0-0-52.gar2.Atlanta1.Le   0.0%    10   21.4  21.3  21.0  21.8   0.2
 12. COX-COMMUNI.gar2.Atlanta1.Le   0.0%    10  209.8 201.7 197.4 209.8   4.0  -- ew
 13. mrfddsrj01-ge710.rd.dc.cox.n  10.0%    10  230.3 230.5 223.9 234.1   3.4
 14. 70.164.18.1                   10.0%    10  233.3 231.7 225.1 236.7   4.0

Return trip:

HOST: 70.164.19.xx                 Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. 70.164.19.3                    0.0%    20    0.2   0.2   0.2   0.4   0.0
  2. wsip-70-168-111-17.dc.dc.cox   5.0%    20   11.2  17.7   1.6  97.1  28.5
  3. mrfddsrj01-ge706.rd.dc.cox.n  10.0%    20   36.9  42.0   1.4 282.6  79.5
  4. 68.1.1.12                     10.0%    20   31.4  39.1  24.0 157.9  28.6
  5. ae-2-52.edge2.Atlanta2.Level   5.0%    20  211.9 212.2 208.0 215.7   2.1  -- ew
  6. 0.so-1-1-0.BR2.ATL4.ALTER.NE   0.0%    20  214.4 213.7 209.0 224.7   3.8
  7. 0.so-2-1-0.XT1.ATL4.ALTER.NE   0.0%    20   51.7  55.6  50.6  62.5   3.3
  8. 0.so-6-2-0.ATL01-BB-RTR1.VER   0.0%    20   56.7  60.0  51.0 123.1  15.1
  9. so-7-1-0-0.LCC1-RES-BB-RTR1-   0.0%    20  229.6 231.6 228.6 239.7   2.8
 10. P14-0.WASHDC-LCR-01.verizon-   0.0%    20   51.5  50.3  46.5  59.0   2.5
 11. P13-0.WASHDC-LCR-03.verizon-   0.0%    20  226.9 245.0 226.9 363.4  33.0
 12. P12-0.WASHDC-LCR-05.verizon-   0.0%    20  229.3 231.7 225.6 236.5   3.1
 13. P15-0.WASHDC-LCR-07.verizon-   5.0%    20  320.0 243.6 226.6 324.9  29.3
 14. ???                           100.0    20    0.0   0.0   0.0   0.0   0.0
 15. mph (verizon vios in DC)       5.0%    20  231.3 232.1 227.2 235.2   2.3

Anyone else see this? Know what's going on? My route is kind of silly...
I'm in Northern VA on Verizon FIOS, about 2 physical miles from the IP on Cox. Thank goodness for the speed of light. --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
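An added example, not code from the original post: it parses `mtr --report` rows like the ones above and finds the hop where the round-trip time steps up and stays up through to the destination (the hops marked "-- ew" above), ignoring isolated spikes at intermediate hops. The trace rows are the post's own, re-spaced into columns; the step and tolerance thresholds are assumed values.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not code from the original post. Parses `mtr --report` rows
# (hop. host Loss% Snt Last Avg Best Wrst StDev; mtr prints "100.0" with no "%"
# for a silent hop) and ignores trailing annotations such as "-- ew".
ROW_RE = re.compile(
    r"^\s*(?P<hop>\d+)\.\s+(?P<host>\S.*?)\s+(?P<loss>[\d.]+)%?\s+(?P<snt>\d+)\s+"
    r"(?P<last>[\d.]+)\s+(?P<avg>[\d.]+)\s+(?P<best>[\d.]+)\s+(?P<wrst>[\d.]+)\s+(?P<stdev>[\d.]+)"
)

@dataclass
class Hop:
    index: int
    host: str
    loss: float  # percent of probes unanswered
    sent: int
    avg: float   # average round-trip time in ms

def parse_mtr_report(text: str) -> List[Hop]:
    """One Hop per report row; the HOST header line and any free text are skipped."""
    hops = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            hops.append(Hop(int(m["hop"]), m["host"], float(m["loss"]),
                            int(m["snt"]), float(m["avg"])))
    return hops

def latency_steps(hops: List[Hop], threshold_ms: float = 50.0) -> List[Tuple[Hop, float]]:
    """Hops whose average RTT rises by more than threshold_ms over the previous
    responding hop. A hop with 100% loss has no timing data and is skipped."""
    steps = []
    prev: Optional[Hop] = None
    for h in hops:
        if h.loss >= 100.0:
            continue
        if prev is not None and h.avg - prev.avg > threshold_ms:
            steps.append((h, h.avg - prev.avg))
        prev = h
    return steps

def first_real_step(hops: List[Hop], threshold_ms: float = 50.0,
                    tolerance_ms: float = 25.0) -> Optional[Hop]:
    """A jump at an intermediate hop only matters if it persists to the destination:
    each hop's RTT includes that hop's own return path, and routers commonly
    deprioritise the ICMP replies mtr relies on, so isolated spikes are noise."""
    responding = [h for h in hops if h.loss < 100.0]
    if not responding:
        return None
    dest = responding[-1]
    for hop, _delta in latency_steps(hops, threshold_ms):
        if dest.avg >= hop.avg - tolerance_ms:
            return hop
    return None

# The two traces from the post above, re-spaced into columns:
#   Loss%  Snt  Last  Avg  Best  Wrst  StDev
FORWARD = """\
  1. mph                            0.0%    10    0.7   0.6   0.5   0.8   0.1
  2. 10.1.41.89                     0.0%    10    1.7   1.9   1.7   2.3   0.2
  3. G2-0-3-891.WASHDC-LCR-08.ver   0.0%    10    1.8   1.8   1.7   1.9   0.1
  4. so-1-1-0-0.RES-BB-RTR2.veriz   0.0%    10    2.3   2.4   2.2   2.6   0.1
  5. 0.so-1-2-0.XL4.IAD8.ALTER.NE   0.0%    10    2.8   2.8   2.6   3.0   0.1
  6. 0.xe-8-1-0.BR1.IAD8.ALTER.NE   0.0%    10    4.8   4.6   2.9   4.9   0.6
  7. te-11-3-0.edge1.Washington4.   0.0%    10    5.1   3.4   2.8   5.1   0.9
  8. vlan69.csw1.Washington1.Leve   0.0%    10    3.6   6.7   3.5  14.6   4.1
  9. ae-61-61.ebr1.Washington1.Le   0.0%    10   12.8   9.2   5.7  16.0   3.6
 10. ae-2.ebr3.Atlanta2.Level3.ne  10.0%    10   19.9  23.9  19.9  31.8   4.1
 11. ge-5-0-0-52.gar2.Atlanta1.Le   0.0%    10   21.4  21.3  21.0  21.8   0.2
 12. COX-COMMUNI.gar2.Atlanta1.Le   0.0%    10  209.8 201.7 197.4 209.8   4.0  -- ew
 13. mrfddsrj01-ge710.rd.dc.cox.n  10.0%    10  230.3 230.5 223.9 234.1   3.4
 14. 70.164.18.1                   10.0%    10  233.3 231.7 225.1 236.7   4.0
"""
RETURN = """\
  1. 70.164.19.3                    0.0%    20    0.2   0.2   0.2   0.4   0.0
  2. wsip-70-168-111-17.dc.dc.cox   5.0%    20   11.2  17.7   1.6  97.1  28.5
  3. mrfddsrj01-ge706.rd.dc.cox.n  10.0%    20   36.9  42.0   1.4 282.6  79.5
  4. 68.1.1.12                     10.0%    20   31.4  39.1  24.0 157.9  28.6
  5. ae-2-52.edge2.Atlanta2.Level   5.0%    20  211.9 212.2 208.0 215.7   2.1  -- ew
  6. 0.so-1-1-0.BR2.ATL4.ALTER.NE   0.0%    20  214.4 213.7 209.0 224.7   3.8
  7. 0.so-2-1-0.XT1.ATL4.ALTER.NE   0.0%    20   51.7  55.6  50.6  62.5   3.3
  8. 0.so-6-2-0.ATL01-BB-RTR1.VER   0.0%    20   56.7  60.0  51.0 123.1  15.1
  9. so-7-1-0-0.LCC1-RES-BB-RTR1-   0.0%    20  229.6 231.6 228.6 239.7   2.8
 10. P14-0.WASHDC-LCR-01.verizon-   0.0%    20   51.5  50.3  46.5  59.0   2.5
 11. P13-0.WASHDC-LCR-03.verizon-   0.0%    20  226.9 245.0 226.9 363.4  33.0
 12. P12-0.WASHDC-LCR-05.verizon-   0.0%    20  229.3 231.7 225.6 236.5   3.1
 13. P15-0.WASHDC-LCR-07.verizon-   5.0%    20  320.0 243.6 226.6 324.9  29.3
 14. ???                           100.0    20    0.0   0.0   0.0   0.0   0.0
 15. mph (verizon vios in DC)       5.0%    20  231.3 232.1 227.2 235.2   2.3
"""
```

`first_real_step(parse_mtr_report(FORWARD))` returns hop 12 and the same call on RETURN returns hop 5, the two Level3/Cox boundary hops the post flagged; the return trace also has jumps at hops 9 and 11 that are reported by `latency_steps` but are surrounded by faster hops, the usual signature of rate-limited ICMP replies rather than a path problem.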
Re: Opensource or Low Cost NMS for Server Hardware / Application Monitoring
Munin http://munin.projects.linpro.no/
Example: http://munin.ping.uio.no/ping.uio.no/dahl.ping.uio.no.html

On Tue, 21 Jul 2009, Jason Granat wrote:
Spiceworks? http://www.spiceworks.com/
Sent while mobile

On Jul 21, 2009, at 10:06, Matthew Huff mh...@ox.com wrote:
I'm putting together a list of NMS systems for system (hardware, cpu util%, memory util%) and application monitoring rather than network management for our environment. We are looking for low cost / opensource solutions that have agents and/or reliable agentless monitoring for windows, linux and solaris hosts. I've put together a preliminary list, but was hoping that if someone has a solution they are happy with they would forward the info to me. Once I get the complete list, I'll re-post what I've found. The list I have so far is:
Hyperic http://www.hyperic.com/
OpenNMS http://www.opennms.org/wiki/Main_Page
opsview http://www.opsview.org/
Osmius http://www.osmius.net/en/
PandoraFMS http://pandorafms.org/
Zabbix http://www.zabbix.com/
Groundwork http://www.groundworkopensource.com/
Nagios http://www.nagios.org
Zenoss http://zenoss.com
OpManager http://www.manageengine.com
Orion http://www.solarwinds.com/products/orion/
BigBrother http://bb4.com/
Any others that should be added to the list to eval?
Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139
http://slash128.com

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: GoDaddy issues this morning?
On Wed, 8 Jul 2009, Sean wrote:
Anyone know what was the deal with GoDaddy this morning? I sporadically could not resolve a domain I own this morning. Checked the authoritative and it was fine... then noticed that it was completely not working from some ISPs but OK from others, etc. Went to GoDaddy's site and finally saw a small notice on their support page saying they were having issues with Verizon customers on the east coast. Well, I'm in Illinois and I certainly don't consider this the east coast, however some people I know on a Verizon DSL account could not resolve any of the domains I had registered on GoDaddy. Also, results from a L3 DIA were sporadic as well. I really didn't have much time to look at it this morning and now the notice is gone from their site so I assume it's fixed...? Anyone shed some light on this? Registrar issues are so rare IMHO, Verizon routing issues on the other hand, I'm not really sure about as I live in ATT/Comcast country.

I can confirm a lot of trouble on Verizon's network from the time I got to my desk (10am EDT) until about 1:45pm EDT. The evidence was very inconsistent: I could get all the way to the last hop before www.cnn.com, but http://www.cnn.com/ (TCP) did not work. Same with several other URLs. In another case, login.oscar.aol.com traceroutes died within Verizon's network. The fact that I could trace to IPs, but not get to them via TCP (or at least the web), was very strange. Maybe Verizon is implementing an Application Layer filter? That would be VERY disappointing. Then again, it could just be a big TCP issue, but I don't know why ICMP would work when TCP didn't. I had no noticeable issues once I created an ssh SOCKS proxy through one of my hosted servers on Cox Business fiber, so the issue definitely resided somewhere on Verizon's network. Rackspace also got a lot of complaints, but they pointed the finger at Verizon.
Verizon FIOS Tech support also said they were aware of the issue, so I'm guessing something went down with Verizon, not GoDaddy. Search the dslreports.com forums for loud complaining and theories about the Verizon outage. Beckman --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Fiber cut - response in seconds?
On Tue, 2 Jun 2009, JC Dill wrote:
Why do they watch and monitor rather than proactively go out and say watch out, there's an unmarked cable here and keep them from cutting the cable in the first place?

Because if they DON'T hit the line, it is still a secret. Then again, if they DO hit the line, it's pretty obvious what the line is for and at least one place it runs. I wonder if the Gov't schedules a move of the line once its operational security is compromised by an accidental cut.

Beckman --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Fiber cut - response in seconds?
On Mon, 1 Jun 2009, Charles Wyble wrote: Right. So why the near instant response time. Extra budgets, job creation. Knowing ahead of time where and when work is going to be done (easily found out), have someone around the corner at a Starbucks so they can jump into action if/when something goes down. Just because you have a redundant path doesn't mean you shouldn't get the broken path repaired ASAP. Maybe there are only two paths. If the other goes down, and something happens and the Gov't can't mobilize in time, something bad happens. It's a perfect storm to be sure, but when you have the lives of 300 million people at stake, I appreciate the diligence. --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Why choose 120 volts?
On Wed, 27 May 2009, Peter Dambier wrote:
Theory says no matter whether the setting of the powersupply is 120 AC or 240 AC it should work. Try at your own risk. I haven't :)

I have. Was in the Netherlands last week, and plugged my laptop power supply into the 240v (or so) feed, without incident (after referring to the label). I haven't seen a PC power supply which is incapable of both 120v/60hz and 240v/50hz in a very long time. I think even my 486 from 1994 had a switch for 120/240 -- nowadays it auto-senses, no switch required.

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: delays to google
On Thu, 14 May 2009, Graeme Fowler wrote: On Thu, 2009-05-14 at 12:34 -0400, Justin M. Streiner wrote: I'm guessing whatever the issue is has been resolved, or the storm has passed? http://www.google.com/appsstatus#rm:1/di:1/do:1/ddo:0 Not that it would have been much use to you at the time. It's clear the problem was not affecting a small subset of users: We're aware of a problem with Google Mail affecting a small subset of users. If ISC has an issue open on it, and there is chatter on Nanog about it, unless they consider their userbase to be 6 billion potential users, the issue affected more than a small subset. --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
RE: Fiber cut in SF area
On Mon, 13 Apr 2009, Dylan Ebner wrote:
It will be easier to get more divergence than secure all the manholes in the country.

I still think skipping the securing of manholes and access points in favor of active monitoring with offsite access is a better solution. You can't keep people out, especially since these manholes and tunnels are designed FOR human access. But a better job can be done of monitoring and knowing what is going on in the tunnels and access points from a remote location.

Cheap: light sensor + cell phone = knowing exactly when and where the amount of light in the tunnel changes. Detects unauthorized intrusions. Make sure to detect all visible and IR spectrum, should someone very determined use night vision and IR lights to disable the sensor.
Mid-Range: Webcam + cell phone = SEEING what is going on plus everything above.
High-end: Webcam + cell phone + wifi or wimax backup both watching the entrance and the tunnels.
James Bond: Lasers.

Active monitoring of each site makes sure each one is online.

Pros:
* Knowing immediately that there is a change in environment in your tunnels.
* Knowing who or at least THAT something is in there
* Being able to proactively mitigate attempts
* Availability of Arduino, SIM card adapters, and sophisticated sensor and camera equipment at low cost

Cons:
* Cell provider outage or spectrum blocker removes live notifications
* False positives are problematic and can lower monitoring thresholds
* Initial expense of deployment of monitoring systems

Farmers use tiny embedded devices on their farms to monitor moisture, rain, etc. in multiple locations to customize irrigation and to help avoid loss of crops. These devices communicate with themselves, eventually getting back to a main listening post which relays the information to the farmer's computers.

Tiny, embedded, networked devices that monitor the environment in the tunnels that run our fiber to help avoid loss of critical communications services seems to be a good idea. Cheap, disposable devices that can communicate with each other as well as back to some HQ is a way to at least know about problems of access before they happen. No keys to lose, no technology keeping people out and causing repair problems.

Some other things that could detect access problems:
* Pressure sensors (maybe an open manhole causes a detectable change in air pressure in the tunnel)
* Temperature sensors (placed near access points, detects welding and thermite use)
* Audio monitor (can help determine if an alert is just a rat squealing or people talking -- could even be automated to detect certain types of noises)
* IR (heat) motion detection, as long as giant rats/rodents aren't a problem
* Humidity sensors (sell the data to weatherbug!)

One last thought inspired by the guy who posted about pouring quick-set concrete in to slow repair. Get some heavy-duty bags, about 10 feet long and large enough to fill the space in the tunnel. More heavily secure the fiber runs directly around the access space, then inflate two bags on either side of the access point. Easily deflated, these devices also have an electronic device which can notify HQ that they are being deflated or the pressure inside is changing (indicating pushing or manipulation). That way you only need to put these bags at access points, not throughout the whole tunnel. Kinda low-tech, but could be effective. No keys needed, could be inflated/deflated quickly, and you still get notification back to a monitoring point.

Beckman --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
RE: Fiber cut in SF area
On Mon, 13 Apr 2009, chris.ra...@nokia.com wrote: Peter Beckman [mailto:beck...@angryox.com] wrote: Sent: Monday, April 13, 2009 11:19 AM To: Dylan Ebner Cc: nanog@nanog.org Subject: RE: Fiber cut in SF area On Mon, 13 Apr 2009, Dylan Ebner wrote: It will be easier to get more divergence than secure all the manholes in the country. I still think skipping the securing of manholes and access points in favor of active monitoring with offsite access is a better solution. The only thing missing from your plan was a cost analysis. Cost of each, plus operational costs, * however many of each type. How much would that be? So, let's see. I'm pulling numbers out of my butt here, but basing it on non-quantity-discounted hardware available off the shelf. $500,000 to get it built with off-the-shelf components, tested in hostile tunnel environments and functioning. Then $350 per device, which would cover 1000 feet of tunnel, or about $2000 per mile for the devices. I'm not sure how things are powered in the tunnels, so power may need to be run, or the system could run off sealed-gel batteries (easily replaced and cheap, powers device for a year), system can be extremely low power. Add a communication device ($1000) every mile or two (the devices communicate between themselves back to the nearest communications device). Total cost, assuming 3 year life span of the device, is about $3000 per mile for equipment, or $1000 per year for equipment, plus $500 per year per mile for maintenance (batteries, service contracts, etc). Assumes your existing cost of tunnel maintenance can also either replace devices or batteries or both. Add a speedy roomba like RC device in the tunnel with an HD cam and a 10 or 20 mile range between charging stations that can move to the location where an anomaly was detected, and save some money on the per-device cost. It could run on an overhead monorail, or just wheels, depending on the tunnel configuration and moisture content. 
Add yet another system -- an alarm of sorts -- that goes off upon any anomaly being detected, and goes off after 5 minutes of no detection, to thwart teenagers and people who don't know how sophisticated the monitoring system really is. Put the alarm halfway between access points, so it is difficult to get to and disable. Network it all, so that it can be controlled and updated from a certain set of IPs, make sure all changes are authenticated using PKI or certificates, and now you've made it harder to hack. Bonus points -- get a communication device that posts updates via SSL to multiple pre-programmed or random Conficker-type domains to make sure the system continues to be able to communicate in the event of a large outage.

Then amortize that out to our bills. Extra credit: would you pay for it?

Assuming bills in the hundreds of thousands of dollars per month, maybe to the millions of dollars, and then figure out what an outage costs you according to the SLAs. Then figure out how much a breach and subsequent fiber cut costs you in SLA payouts or credits, multiply by 25%, and that's your budget. If the proposed system is less, why wouldn't you do it?

The idea is inspired by the way Google does their datacenters -- use cheap, off-the-shelf hardware, network it together in smart ways, make it energy efficient, ... profit!

Anyone want to invest? Maybe I should start the business.

Beckman --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
RE: Fiber cut in SF area
On Mon, 13 Apr 2009, Scott Weeks wrote: --- beck...@angryox.com wrote: I still think skipping the securing of manholes and access points in favor of active monitoring with offsite access is a better solution. The only thing missing from your plan was a cost analysis. Cost of each, plus operational costs, * however many of each type. How much would that be? So, let's see. I'm pulling numbers out of my butt here, but basing it on non-quantity-discounted hardware available off the shelf. - Manpower to design, build, maintain, train folks and monitor in the NOC. Costs of EMS, its maintenance. blah, blah, blah... My estimates are for getting something off the ground, equipment-wise, not operationally. What is the cost of the outages? And if this setup can detect un-reported backhoe activity via accelerometers BEFORE it slices through the cable and you can get someone out to investigate the activity before it gets cut, how much is that worth? And my estimate was for the hardware, not training, etc. I'm guessing existing NOCs can easily incorporate new SNMP traps or other methods of alerts into their system fairly easily. Beckman --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
RE: Fiber cut in SF area
On Mon, 13 Apr 2009, chris.ra...@nokia.com wrote:
I get the feeling you haven't deployed or operated large networks.

Nope.

You never did say what the multiplier was. How many miles or detection nodes there were. Think millions. The number that popped into my head when thinking of active detection measures for the physical network is $billions.

It depends on where you want to deploy it and how many miles you want to protect. I was thinking along the lines of $1.5 million for 1000 miles of tunnel, equipment only. It assumes existing maintenance crews would replace sensors that break or go offline, and that those expenses already exist.

All for a couple of minutes advanced notice of an outage? Would it reduce the risk? No. Would it reduce the MTBF or MTTR? No. Of all outages, how often does this scenario (or one that would trigger your alarm) occur? I'm sure it's down on the list.

What if you had 5 minutes of advanced notice that something was happening in or near one of your Tunnels that served hundreds of thousands of people and businesses and critical infrastructure? Could you get someone on site to stop it? Maybe. Is it worth it? Maybe. Given my inexperience with large networks, maybe fiber cuts and outages due to vandals, backhoes and other physical disruptions are just what we hear about in the news, and that it isn't worth the expense to monitor for those outages. If so, my idea seems kind of silly.

SLAs account for force majeure (including sabotage), so I really doubt there will be any credits. In fact, there will likely be an uptick on spending as those who really need nines build multi-provider multi-path diversity.

Here come the microwave towers! *laugh* Thank goodness for standardized GIS data. :-)

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
RE: Fiber cut in SF area
Though I think networked environmental monitoring has its merits, it's clear the technology is unproven in monitoring fiber tunnels, and my inexperience in running and managing such tunnels makes this thread bordering on off-topic. I'm happy to continue conversations via email, but this will be my last on-list reply regarding the topic I started. On Mon, 13 Apr 2009, Crist Clark wrote: But would alarms prevent any, or what proportion, of these incidents? It's hard to say without researching. Sometimes such research shows amazing results that shock people in the industry. Hospitals were shocked to see surgical mistakes reduced by 80+% after implementing a checklist that both doctors and nurses had to go through prior to starting the procedure, and having the patient also go over and approve what was to be done. The stories you hear of people who are getting amputated writing this leg and X X X NOT THIS LEG before surgery is a result of these studies and checklists. RFID-tagged surgical components and gauze pads are another tech tool being used after such research. You'd think a checklist wouldn't really help, but in reality it made industry changing and life-saving differences. While active alarms and monitoring of fiber tunnels would do the same, but without research, nobody can say for sure how effective or ineffective such a system would be. From what we know of this specific one, would an alarm have stopped the perpetrator(s)? It would have bought the NOC five, ten minutes tops before they got the alarm on the circuit. And in practice would a manhole alarm translate to a call to Homeland Security to have the SEALs descend the site pronto, a police unit to roll by when it has the time, or is it going to be an ATT truck rolling by between calls? I'm guessing number two or three, probably three. So what would it get them in this case. If it doesn't deter these guys, who does it deter? It's not there as a deterrent. 
It's there to allow a NOC to know that something is going on in a tunnel where potentially critical infrastructure resides. Maybe it doesn't prevent the malicious cut, but combined with video surveillance, it could identify the cutters. Audio recording devices could record voices. I assume large networks have large 24/7 crews. Get a truck to roll (once you sufficiently trust the system) or get a contractor who resides nearby to check out the area. When the alarm goes off, you go check it. If you welded the manholes shut, and there are no scheduled maintenance windows for that area, you can be pretty damn sure something untoward is going on, or it'll be a company truck roll that didn't follow procedure.

And what are the costs of false alarms? What will the ratio of real alarms to false ones be? Maybe lower-stakes vandals take to popping the edge of manhole covers as a little prank.

Weld 'em shut. Use one of those special screws that you can only unscrew with the right equipment (worked wonders for the tire industry with the lock nut). It won't stop anyone determined, but 13 year olds with M80s will move on. If you get a certain location that continues to get false alarms due to vandals, put in a highpowered webcam to monitor the location. Use ZoneMinder to monitor and record motion. Make sure the camera does nighttime well. Then when you have an alarm, check the video.

Or that one that triggers whenever a truck tire hits it right.

I would envision that though every device would report the same data with the same sensitivity, false alarms could be mitigated through filters for a given location. Tunnels near train tracks would be filtered differently than tunnels in the middle of a field under high power lines.

Or the whole line of them that go off whenever the temperature drops below freezing.

The device would go through a lot of environmental testing, so that its upper and lower operating limits could be known. Hardened where necessary.
Or, what I am absolutely sure will happen, miscommunication between repair crews and the NOC about which ones are being moved or field crews opening them without warning the NOC (or even intra-NOC communication). Will they be a boy who cried wolf? Maybe. Maybe the whole idea is way too far fetched. Maybe my impression of the state of affairs when it comes to fiber tunnels is really not that big of a deal, and that outages due to physical access (humans, backhoes, floods) don't make up a significant portion of outages, and this is not a problem that fiber companies want to solve. Clearly there are a lot of problems that this sort of monitoring could face. Given sufficient time to mature, I think cheap, repeatable monitoring devices networked together can be a valuable asset, rather than yet another annoying alarm NOC folk and maintenance crews grow to hate and simply not be effective. --- Peter
Re: Fiber cut in SF area
On Sat, 11 Apr 2009, Christopher Morrow wrote: I'm not sure that the manholes == atm discussion is valid, but in the end the same thing is prone to happen to the manholes, there isn't going to be a unique key per manhole, at best it'll be 1/region or 1/manhole-owner. In the end that key is compromised as soon as the decision is made :( Also keep in mind that keyed locks don't really provide much protection, since anyone can order lockpicks over the interwebs these days, even to states where ownership is apparently illegal :( Too bad there isn't 1Password for manhole covers. --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: [OT] Re: Fiber cut in SF area
On Sat, 11 Apr 2009, Lamar Owen wrote: The locking covers I have seen here put the lock(s) on the inside cover cam jackscrew (holes through the jackscrew close to the inside cover seal rod nut), rather than on the outside cover, thus keeping the padlocks out of the weather. I'm starting to wonder what makes more sense -- locking down thousands of miles of underground tunnel with mil-spec expensive locks that ideally keep unauthorized people out, OR simple motion and or video cameras in the tunnels themselves which relay their access back to a central facility, along with a video feed of sorts, to help identify who is there, whether approved or not. With locks, you know they gained access after the fact and that your locking wasn't sufficient enough. With active monitoring of the area where the cables live, you at least know the moment someone goes in, and have some lead time (and maybe a video) to do something to prevent it, or catch them in the act. Unfortunately, that kind of monitoring is also expensive and complex. I wonder what the cost of the outage was, and how much it might cost to monitor it? Would it be worth $2,000 per site per year? A great webcam, with day/night capability, and a cell phone, in a locked box, with a solar panel, on top of a pole, near the site. Sure, if you know it's there, taking it out is easy, but someone will still know something is wrong when it goes dark or the picture changes significantly. Are there some low-cost, highly-effective ways that the tunnels which carry our precious data and communications can at least be monitored remotely? Waiting for someone to cut a cable and then deploying a crew seems reactive, whereas knowing the moment someone goes INTO the tunnel is proactive, whether the person(s) are there to do some normal maintenance or something malicious. Beckman I suppose rats and other rodents could cause such a system to be too annoying to pay attention to. 
--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: shipping pre-built cabinets vs. build-on-site
On Mon, 6 Apr 2009, Joe Abley wrote: We've located a few vendors who sell shock-tolerant cabinets, but they're expensive and seem to me to be aimed at people who need to ship a set of equipment frequently (e.g. to support movie shoots, outside broadcasts, etc), rather than people who want to ship just once. Do I even need to spend time wondering about shock-tolerant cabinets, or should I instead be concentrating on finding the right company to wrap the cabinets for shipping, and to do the shipping itself? Probably be cheaper to get shock-tolerant packing crates and use normal cabinets. You'll probably learn a few hard lessons the first time around -- should have put in styrofoam wedges between servers, or the rackmounts you used didn't hold up to shipping, or your shipper isn't as careful as they said they'd be -- but with the right packing crates and shipping partner, it's doable. Plus the crates can be re-used, lowering your costs. Beckman --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Register.com DNS hosting issues
On Fri, 3 Apr 2009, Charles Wyble wrote:
This is probably a good time to remind the uninitiated to have some secondary DNS with a totally separate company if your DNS is that important to you. Preferably with a provider that announces out of multiple ASN :) ATT and Akamai both provide good distributed DNS service. I imagine there are other carriers, but I can't comment on them as I haven't used them.

I can highly recommend DNSmadeEasy.com. Inexpensive, Anycasted, always fast and reliable. Good for primary and/or secondary, IMO, though it is sage advice to use two different providers if you are super ultra serious about never being down.

--- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Leap second tonight
On Tue, 17 Mar 2009, valdis.kletni...@vt.edu wrote: They may suck for being a Stratum-1/2 server, but even the most jittery Cisco is still far and away good enough to serve up a ntpdate so that an end-user PC-class machine is in the right minute. As long as the end-user is made aware that the accuracy of said NTP clock is +/- 30.000 seconds (or whatever jitter might exist). Seems kind of ridiculous to use an NTP source that is, for many purposes, wildly inaccurate. For my purposes, wildly is more than +/- 0.1 seconds. Trying to troubleshoot a problem, network or server, where the timestamps on each server/router/device vary inconsistently, is like walking on broken fluorescent bulbs -- painful and dangerous to one's health. --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---