Re: New minimum speed for US broadband connections

2021-06-02 Thread Peter Kristolaitis

On 2021-06-02 4:25 a.m., Mark Tinka wrote:

On 6/1/21 20:46, Andy Ringsmuth wrote:
How about the farmer using an HD or 4k drone with WAPs on his center 
pivot irrigation sprinklers to monitor crops? Or monitor the cattle 
herd that is currently growing the next T-bone or porterhouse steak 
you’ll be eating?


Is that a thing?

Just kidding :-).

Mark.


Of course it is.  Commonly referred to as SaaS -- Steak As A Service.   
You order whatever type of steak you want, then the vendor manages the 
rest for you -- allocating a slice of the hardware, managing the entire 
lifecycle from system assembly to deprovisioning, system burn-in, etc.  
The more modern vendors can even provide real-time GPS tracking and 
fault monitoring of your hardware (though automated remediation is 
lacking as it's unable to handle common problems like "hardware tangled 
in barbed geofence").


The lead time kinda sucks though, and it's often worth the premium to be 
able to immediately get what you want from a local vendor.




Re: NDAA passed: Internet and Online Streaming Services Emergency Alert Study

2021-01-04 Thread Peter Kristolaitis
Most civilized societies immensely value a great many things, and for 
exactly zero of them is it acceptable for the government to kick down my 
door, wake me up, and scrawl a message on my wall to make sure I hear 
about it.  Just because digital tools can save the government millions 
of man-hours because they no longer have to go house-to-house doesn't 
justify the theft and use of my personal property against my wishes.



On 2021-01-04 3:56 a.m., Krassimir Tzvetanov wrote:
Also a PSA: Amber alerts, Emergency alerts, and Public Safety alerts 
all go over cell broadcast. Think of it as a broadcast message on a 
LAN where the LAN is the local mobile phone cell. The reason you get 
that message 600 miles away for an amber alert is because in most 
civilized societies children's lives are immensely valued. And a 5-6 
hour driving distance is not much knowing the lifecycle of reporting 
of such things and activation of the system, and also the time it 
takes for some of those kidnappings to be discovered before it can 
even be reported.


Re: A letter from the CEO

2020-11-20 Thread Peter Kristolaitis

On 2020-11-20 6:06 p.m., Aaron C. de Bruyn via NANOG wrote:

> high speed, safe, secure global fiber connectivity

More importantly, can someone tell me what 'safe global fiber 
connectivity' is?  As opposed to 'unsafe global fiber connectivity'?


Do these guys have the market cornered on not stringing fiber optic cable 
at throat-level across roads or something?


Freaking marketing droids.

-A


Other providers don't account for the effects of photonic friction and 
the resulting generation of heat in their fiber lines.  This has 
resulted in at least one documented case of spontaneous combustion 
resulting in damage to fiber lines[1].


6x7 controls for photonic friction by utilizing its proprietary SPAM 
(Specified Photonic Agitation Moderation) technology.


[1]  Uncle Cletus (1993)  Mind control, spontaneous combustion and other 
extraterrestrial phenomena. Lecture at Billy-Sue's house.




Re: questions asked during network engineer interview

2020-07-24 Thread Peter Kristolaitis

On 2020-07-24 3:06 a.m., Mark Tinka wrote:


On 24/Jul/20 00:26, William Herrin wrote:


Many moons ago, I interviewed at Google. During one of the afternoon
sessions the interviewer and I spent about half an hour spitballing
approaches for system monitoring problem at scale. I no longer
remember the details. With a little over 15 minutes remaining he
handed me a marker and said, "Okay, now write code for that on the
whiteboard." For an abstract problem without foundation that I had
never considered prior to that discussion. I said, "I really don't
think I can do a credible job of that in the time we have." He says,
"Well it's okay to use pseudocode. Don't you want to try?" I think
you're missing the point dude. It's still an abstract problem and
after half an hour's discussion I might be ready to draw boxes and
arrows. I'm certainly not ready to reduce it to code.

I said, "No," and needless to say I didn't get an offer. And I'm okay
with that. I really didn't fancy making a career of competing to be
the first to write poorly considered software.

The booby prize for failing the interview was a Google coffee mug. I
still have it in storage somewhere.

Where the industrial revolution praised expertise, the digital
revolution rewards curiosity.

I prefer to have staff that are burdened with being curious, rather than
staff who think they don't. After all, all the information is already
out there. Having experience is just as important as being diligent to
obtain it.

Mark.


I would suggest that companies who follow FAANG-type development models 
actually value both expertise and curiosity, and also throw in the 
ability and willingness to rapidly iterate.  Certainly one can search 
Google for solutions to nearly any problem, but it takes expertise to 
take the bits you find and structure them in a way that makes sense for 
your particular problem -- both to solve the immediate problem and to 
make addition of future features or bug fixes easier.


I suspect the question posed to Mr. Herrin was intended to probe not 
just the expertise factor, but the iteration factor as well -- firstly, 
can you, with only partial requirements (or minimally-viable-product 
requirements), structure your code in such a way that it covers the 
currently-known requirements and reasonable design assumptions given the 
nature of the system (how does the control loop work?  are we collecting 
data by polling or pushing?  what layer is responsible for aggregation?  
how do we define a new monitoring check?  what are the interface points 
with external systems?  how are alert thresholds set?)?   Secondly, 
after you've done that exercise, if we throw a (reasonable) new 
requirement at you, is your code well-structured enough that the change 
doesn't necessitate a complete rewrite?


I've never been to an interview where I received a 400-page design 
document that is blessed by all 18 major stakeholders before being asked 
to write code.    It's almost always either small, well-defined problems 
(which are often related to your understanding of algorithmic 
complexity) or an iterative design process as above.  In the latter 
case, the point isn't to write perfect and flawless code for version 1, 
it's to see how you write version 0.1alpha and then how you think about 
getting to version 5.


And, realistically, we're talking about an interview here.  There are 
time constraints, and no one (interviewer or interviewee) should expect 
a production-grade system as the output of some whiteboarding exercises.




Re: CloudFlare Issues?

2020-07-17 Thread Peter Kristolaitis
Cloudflare's status page acknowledged a recursive DNS issue as of a few 
minutes ago.  Lots of reports of problems on the Outages list and Reddit.


From their status page:

*Investigating*- Cloudflare is investigating issues with Cloudflare 
Resolver and our edge network in certain locations.


Customers using Cloudflare services in certain regions are impacted as 
requests might fail and/or errors may be displayed.


Data Centers impacted include: SJC, DFW, SEA, LAX, ORD, IAD, EWR, ATL, 
LHR, AMS, FRA, CDG

Jul 17, 21:37 UTC


On 2020-07-17 5:38 p.m., Chris Grundemann wrote:
Looks like there may be something big up (read: down) at CloudFlare, 
but their status page is not reporting anything yet.


Am I crazy? Or just time to give up on the internet for this week?

--
@ChrisGrundemann
http://chrisgrundemann.com


Re: questions asked during network engineer interview

2020-07-14 Thread Peter Kristolaitis

On 2020-07-14 1:55 p.m., Michael Thomas wrote:
But I try as much as possible to put candidates at ease because I know 
that not everybody reacts to interviews the same, which is sadly not 
the case far too often.


Mike

I often ask a question early in the interview to the effect of "Tell me 
about a tech project you've worked on outside of your professional 
work.  It doesn't have to be related at all to this role or any other 
professional role you've worked on, just something cool involving tech 
that you've done on your own time."


I don't care if the answer is setting up a complicated home lab, or 
programming Arduinos to make a robotic cat feeder, or 3D printing, or 
whatever.   I ask this question for two reasons: first, there is a 
correlation between being passionate about technology and being good at 
working with it and learning it professionally;  and second, talking 
about not-directly-related-to-the-resume stuff for a couple of minutes 
often lets the "introvert geek" personality-types relax and open up a 
lot.  I find this is particularly helpful when hiring for junior and 
intermediate roles, but I will sometimes ask it of senior candidates too.




Re: DNS Qtypes and class values are a social construct

2019-04-01 Thread Peter Kristolaitis

On 2019-04-01 10:59 AM, Mark E. Jeftovic wrote:


The DNS is an inverted-tree hierarchy, which is problematic and 
promotes unequal outcomes among system participants.


After a lengthy contemplative process we have enacted a system of 
social justice pricing which will rectify historical inequality. The 
new pricing is effective immediately and retroactive across all 
customers.


Details - 
https://easydns.com/blog/2019/04/01/easydns-social-justice-pricing-goes-into-effect-today/ 



- mark

--
Mark E. Jeftovic 
Co-founder & CEO, easyDNS Technologies Inc.
Author of Managing Mission Critical Domains & DNS: The Book
Personal Blog: Guerrilla-Capitalism.com


Your lack of consideration for the latency-impaired is triggering for 
me.  I demand that you address the problems of network-topology 
inequality and bandwidth privilege by ensuring that everyone gets 
identical response times to their DNS queries, or else I and the other 
member of the Democratic Union for Meme-access Balance (DUMB) will shame 
you on Tumblr.




Re: Should Netflix and Hulu give you emergency alerts?

2019-03-08 Thread Peter Kristolaitis
It can be blocked, FYI.  Just... not as easily as it should be. On 
Android, if you remove the CellBroadcastReceiver service, the phone no 
longer listens for the alerts.


I rooted my phone specifically to be able to do this after the alerting 
system rolled out in Canada.  The test was bad enough, then within the 
first week we had several alerts for a single event that happened 
literally an entire day's drive away from me.


And thus, in the first week the system was alive, alarm fatigue set in, 
the government confirmed that it cannot be trusted, and I revoked their 
privilege to use my personal devices for stuff I don't want.



On 2019-03-08 7:51 p.m., Clayton Zekelman wrote:


Absolutely, we need public emergency alerting.  What we don't need is 
every alert to go out mandatory highest level sound the klaxon, can't 
be blocked, even when it's an "all clear" cancelling a previous alert, 
and is being sent in the middle of the night.


That's the system that has been foisted upon us here.   I'm all for 
emergency alerting, but please make sure it's a real emergency.


At least in the US version, they target the region affected, and code 
it with the appropriate alert level instead of sending alerts to 
people 1400 km away.


https://www.thestar.com/news/gta/2018/05/14/first-emergency-alert-sets-off-phones-ontario-wide-following-thunder-bay-amber-alert.html 





At 07:43 PM 08/03/2019, Sean Donelan wrote:
Canada made a lot of improvements with its alert implementation.  It 
got to see all the things the U.S. did wrong. Unfortunately, Canada 
also copied some wrong lessons from the U.S. version.


South Korea probably has the most ludicrous emergency alerts in the 
world.


While improvements are needed, the various alert systems have saved 
people's lives.


On Fri, 8 Mar 2019, Clayton Zekelman wrote:
Just wait until your connected home speakers, smart smoke detector, 
smart refrigerator, smart tv, cell phone, IP streaming box, satellite 
receiver, cable box, home security panel and your Fitbit all go off 
warning you of the cancellation of an Amber alert at 1:30am, because 
the good folks at AlertReady.Ca and Pelmorex think that everything 
needs to go out at highest precedence, because, well, think of the 
children!




Re: Blockchain and Networking

2018-01-08 Thread Peter Kristolaitis

On 2018-01-08 10:19 PM, John Levine wrote:

In article <0c45eee2-ffcb-2066-1456-eb2d38075...@alter3d.ca>,
Peter Kristolaitis  <alte...@alter3d.ca> wrote:

We can build all of the above in other ways today, of course.  But
there's certainly something to be said for a vendor-supported solution
that is inherent in the platform and requires no additional
infrastructure. ...

No additional infrastructure?  Blockchains need multiple devices that
are online and have enough storage to keep a full copy of the chain.

There is absolutely no reason that the networking equipment itself can't 
both operate the blockchain and keep a full copy.  It's a pretty good 
bet that your own routers will probably be online;  if not, you have 
bigger problems.


The storage requirements aren't particularly onerous.  The entire 
Bitcoin blockchain is around 150GB, with several orders of magnitude 
more transactions (read: config changes) than you're likely to see even 
on a very large network.  SSDs are small enough and reliable enough now 
that the physical space requirements are quite small.



They make sense in an environment with multiple sophisticated parties
that sort of but not entirely trust each other, but there aren't as
many of those as you might think.

You (presumably) trust your own routers.  There is absolutely no reason 
that your own little network can't run your own private blockchain.   In 
fact, for my use case of configuration management, you wouldn't WANT to 
use a single global public blockchain.


- Peter


Re: Blockchain and Networking

2018-01-07 Thread Peter Kristolaitis

On 2018-01-08 12:52 AM, William Herrin wrote:

I'm having trouble envisioning a scenario where blockchain does that any
better than plain old PKI.

Blockchain is great at proving chain of custody, but when do you need to do
that in computer networking?

Regards,
Bill Herrin


There's probably some potential in using a blockchain for things like 
configuration management.  You can authenticate who made what change and 
when (granted, we can kinda-sorta do this already with the various 
authentication and logging mechanisms, but the blockchain is an 
immutable, permanent record inherently required for the system to work 
at all).


That immutable, sequenced chain of events would let you do things like 
"make my test environment look like production did last Thursday at 9AM" 
trivially by reading the blockchain up until that timestamp, then 
running a fork of the chain for the new test environment to track its 
own changes during testing.


Or when you know you did something 2 months ago for client A, and you 
need your new NOC guy to now do it for client B -- the blockchain 
becomes the documentation of what was done.


We can build all of the above in other ways today, of course.  But 
there's certainly something to be said for a vendor-supported solution 
that is inherent in the platform and requires no additional 
infrastructure.  Whether or not that's worth the complexities of 
managing a blockchain on networking devices is, perhaps, a whole other 
discussion.   :)


- Peter
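As an added example, not Peter's code and not any vendor's feature: a minimal hash-chained, per-operator-signed configuration log in Python that does what the post describes. It records who changed what and when, refuses a history that has been edited after the fact, replays the state as of a timestamp ("make test look like production did last Thursday at 9AM"), and forks a test chain from that point so it tracks its own changes. The operator names, keys, timestamps and config keys are constructed sample data; HMAC-SHA256 stands in for the asymmetric signatures a real deployment would use so that the log holder cannot forge entries, and there is no multi-node consensus, which is the part that separates an actual blockchain from this single-writer chain.

```python
"""Tamper-evident, signed config change log: an added illustration, not
any project's implementation. Keys and data below are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass, replace

GENESIS = "0" * 64  # prev_hash of the first entry in a chain


@dataclass(frozen=True)
class Entry:
    index: int
    timestamp: int      # unix seconds; must not decrease along the chain
    operator: str       # who made the change
    change: dict        # {"set": {key: value}} and/or {"delete": [key, ...]}
    prev_hash: str      # digest of the previous entry; this is the chain link
    sig: str = ""       # HMAC-SHA256 over body(), keyed by the operator

    def body(self) -> bytes:
        # Canonical encoding of everything except the signature.
        fields = {"index": self.index, "timestamp": self.timestamp,
                  "operator": self.operator, "change": self.change,
                  "prev_hash": self.prev_hash}
        return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

    def digest(self) -> str:
        # The link hash covers the signature, so re-signing an entry breaks the link.
        return hashlib.sha256(self.body() + self.sig.encode()).hexdigest()


def _sign(key: bytes, entry: Entry) -> str:
    return hmac.new(key, entry.body(), hashlib.sha256).hexdigest()


def _apply(state: dict, change: dict) -> None:
    # Deletes are applied before sets so one change can replace a key.
    for key in change.get("delete", []):
        state.pop(key, None)
    state.update(change.get("set", {}))


class ConfigChain:
    def __init__(self, operator_keys: dict, entries=None):
        self.keys = operator_keys          # operator name -> HMAC key (assumed)
        self.entries = list(entries or [])

    def append(self, timestamp: int, operator: str, change: dict) -> Entry:
        if self.entries and timestamp < self.entries[-1].timestamp:
            raise ValueError("timestamp earlier than the chain head")
        prev = self.entries[-1].digest() if self.entries else GENESIS
        unsigned = Entry(len(self.entries), timestamp, operator, change, prev)
        entry = replace(unsigned, sig=_sign(self.keys[operator], unsigned))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        # Every entry must have a known signer, a valid signature, a sequential
        # index and a prev_hash equal to the digest of its predecessor.
        prev = GENESIS
        for i, e in enumerate(self.entries):
            key = self.keys.get(e.operator)
            if key is None or e.index != i or e.prev_hash != prev:
                return False
            if not hmac.compare_digest(_sign(key, replace(e, sig="")), e.sig):
                return False
            prev = e.digest()
        return True

    def state_at(self, timestamp: int) -> dict:
        state = {}
        for e in self.entries:
            if e.timestamp > timestamp:
                break
            _apply(state, e.change)
        return state

    def fork_at(self, timestamp: int) -> "ConfigChain":
        # The fork shares history up to the timestamp, then diverges.
        return ConfigChain(self.keys, [e for e in self.entries if e.timestamp <= timestamp])


def demo() -> dict:
    keys = {"alice": b"alice-secret", "bob": b"bob-secret"}   # constructed sample keys
    prod = ConfigChain(keys)
    prod.append(1000, "alice", {"set": {"bgp.asn": 64512, "ntp.server": "10.0.0.1"}})
    prod.append(2000, "bob", {"set": {"snmp.community": "n0tpublic"}})
    prod.append(3000, "alice", {"set": {"ntp.server": "10.0.0.2"}})

    # Replay production as of t=2500, then let the test fork track its own changes.
    test = prod.fork_at(2500)
    test.append(2600, "bob", {"delete": ["snmp.community"]})

    # Someone edits a historical production entry in place: verification fails.
    tampered = ConfigChain(keys, prod.entries)
    tampered.entries[1] = replace(tampered.entries[1],
                                  change={"set": {"snmp.community": "public"}})
    return {
        "prod_ok": prod.verify(),
        "prod_at_2500": prod.state_at(2500),
        "test_head": test.state_at(10**9),
        "test_ok": test.verify(),
        "tampered_ok": tampered.verify(),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The point of signing each entry separately from hashing the link is that the two catch different things: the per-operator signature answers "who authorised this change", while the prev_hash link answers "has anything before this point been rewritten". Dropping either one leaves a gap: with only the link, whoever holds the log can rewrite it and recompute every hash; with only signatures, entries can be silently reordered or removed.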


Re: SHA1 collisions proven possible

2017-03-01 Thread Peter Kristolaitis

On 3/1/2017 10:50 PM, James DeVincentis via NANOG wrote:

Realistically any hash function *will* have collisions when two items are 
specifically crafted to collide after expending insane amounts of computing 
power, money, and… I wonder how much in power they burned for this little stunt.


Easy enough to estimate.

A dual-socket server with 2 X5675 CPUs (12 cores total) draws about 225W 
under full load, or about 18.75W per core.


0.01875 kW * 8766 h/y * 6500 y = about 1,070,000 kWh

For the GPU side, an NVIDIA Tesla K80 GPU accelerator draws 300W at full 
load.


0.3 kW * 8766 h/y * 110 y = about 290,000 kWh.

So the total calculation consumed about 1.36M kWh.

A quick Google search tells me the US national average industrial rate 
for electricity is $0.0667/kWh, for a cost of $90,712. That's not 
counting AC-DC conversion loss, or the power to run the cooling.  Or the 
cost of the hardware, though it's fair to assume that in Google's case 
they didn't have to buy any new hardware just for this.




Re: DNS Services for a registrar

2016-08-12 Thread Peter Kristolaitis

On 2016-08-12 11:36 AM, Keith Stokes wrote:

Route53 can get expensive for lots of domains. Queries are cheap with the first 
1M free, but if you have 1000 domains you’ll pay $500/month.

If you had 1000 domains, you'd pay $110/month, not $500.   The first 25 
domains at $0.50/month each, after that it's $0.10.   And that's based 
on the publicly available pricing -- they have special pricing if you're 
hosting >500 domains.


Including queries, if each hosted domain had a million queries a month, 
your total bill would be $310.


That's probably a high estimate because it doesn't account for the >500 
domain special pricing and your average registrar-hosted domain doesn't 
get anywhere near 1M queries a month.  Your actual bill would probably 
be significantly less.



You can build dedicated servers in multiple AZs and data centers able to handle 
that many domains for far less.

If you were to use c4.large instances, it would cost just under 
$400/month to have 6 instances spread across 2 regions with 3 AZs each, 
after instances, load balancers and bandwidth.  That's assuming you do 
the discounted 1-year, no-upfront-fee term on the instances.


And you're still not as redundant or fast as Route 53, which is anycast 
from way more than 6 places.


The math gets a little trickier when we start looking at labour costs 
for both initial development of your platform and ongoing maintenance, 
but from strictly an infrastructure cost perspective, I don't think the 
claim that it would cost "far less" to run your own infrastructure is 
necessarily true for a registrar-doing-hosting scenario.




Re: Stop IPv6 Google traffic

2016-04-10 Thread Peter Kristolaitis
I don't think it's "groupthink" so much as it is "the mark of 
experienced tech people who are good at their job".


At $DAYJOB, a HUGE part of my time is spent as a "technical firewall" -- 
stopping the company from blindly implementing something based on 
incomplete information.  When someone comes to me and says "I need to do 
$X in the dev/QA/prod environment", my first question is "What are you 
trying to accomplish?"   A good percentage of the time, it turns out 
that Group A didn't talk to Group B, and the requirements were 
misunderstood -- after discussion, we end up NOT implementing their 
original request, and either implement it in a different way, implement 
a solution to a completely different problem, or do nothing at all.


All of the really good technical people I know have learned to do this 
through experience, and the habit of asking "What are you REALLY trying 
to do here?" is ingrained in their response to any question.


The only thing worse than a half-baked question is running full tilt 
into a wall with a half-baked solution to a half-baked question.


- Peter


On 4/10/2016 3:33 PM, b...@theworld.com wrote:



Ya know, this is the problem with this kind of list groupthink.

Who cares what his motivations are unless he asks for help with that
underlying problem?

Do you (plural, whoever is replying) know the answer to his question
or where to find the answer or not?

It seems like every technical list is over-run with
meta-conversations, how do I (blah), WHY WOULD YOU WANT TO (blah)?!?!

Often in a sort of accusatory tone, only someone dumb would want to
(blah)!

I think the answer is to disable IPv6 in the web server config or
startup (see flags) but hey I just thought I would meta the meta.

Sorry but I went through about an hour of looking for some way to
trace systemd and all I found on various lists in answer to others
asking the same thing was why would you want to trace systemd? Is this
a standard package causing problems if not then use the standard
package and if there is none then don't use that software (wow what a
good answer...not), or a lot of "it must just be something simple you
don't need to trace anything" (which was probably true but kind of
useless.)







Re: Why the US Government has so many data centers

2016-03-11 Thread Peter Kristolaitis



On 2016-03-11 04:40 PM, Scott Weeks wrote:

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Sean Donelan

The U.S. government definition of data center is a bit like defining
a warehouse as any room containing a single ream of paper.  Yes,
warehouses are used to store reams of paper; but that doesn't make
every place containing a ream of paper a warehouse.


--- steve.mikula...@civeo.com wrote:

This is a great way to create a mess of rules. Need a server
for running an app locally to a site? You need XYZ standards
that make no sense for your deploy and increase the cost by
10 times.

Our server guys always try to set standards, then they run
into a deploy where the needs are simple, but the standards
make it significantly uneconomical.
-


Been there, done that, got many t-shirts.  There is no thought
at all to economics.  None.  People that have absolutely no
experience in networking or computers (read: can barely operate
M$ computers) make these rules/definitions/processes.  It's not
even sausage when they're done.  It's post-digested sausage.
For example, read about the OPM fiasco:

https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach

I'm one of those 21.5 million people.  Fingerprints, SSN,
address, etc, etc, etc.


scott


I disagree.  Government departments are heavily concerned about 
economics.  Specifically, "how can we maintain, or preferably increase, 
our budget in the next fiscal cycle?"   If that means feeding 500 lbs of 
pork to a chihuahua so you can burn up this year's budget, then so be 
it.  Next year you can ask for extra money to put the chihuahua on a 
special, extremely expensive diet while simultaneously asking for more 
pork to enrich its diet.




Re: IP-Echelon Compliance

2015-10-13 Thread Peter Kristolaitis

On 10/13/2015 11:30 AM, Bob Evans wrote:

WAIT WAIT - I know the solution to all of this.  Let's pass a law that
requires everyone to fill out a form to buy a device with a MAC address.
Make them wait 10 days to verify the buyer has never committed a digital
crime. While law enforcement puts it in a pile forms and pretends they can
verify through the process of piling and ignoring it. 10 days later, If
law enforcement doesn't call - the store can then call the buyer and tell
them they can pick up their new potential crime committing internet
device.


Background checks are great and all, but really what we need to do is 
restrict the ability of criminals to access illegal information, and we 
also need to get high-powered crime devices off of our streets.


To that end, we're currently working on drafting new legislation which 
we're calling the "Personal Access To Restricted Information Over 
Telecommunications Act" (PATRIOT Act) that will give the government the 
ability to remove illegal information from the internet, monitor global 
internet access so we can detect criminal activity, and also streamline 
the process for dealing with offenders.  In talking with our 
intelligence and police services, we've found that there are several key 
areas that can be improved to be able to deal with threats faster and 
more efficiently.  For example, "due process" is quite slow, requiring 
the gathering of something I believe is called "evidence", and we are 
currently examining ways to simply make it "process".  This will give 
our law enforcement the tools that they desperately want.


On the hardware level, we need to get rid of all devices with more than 
1 USB port.  No one other than a criminal needs more than 1 external 
hard drive.   This will inconvenience a very small number of people who 
also use USB ports for devices such as keyboards, mice and printers, but 
we commissioned a study that said the impact should be minor.  We 
recommend that those affected by this change look at alternatives such 
as "PS2".  The government computing infrastructure has been using this 
standard for several years now with great success.


Limiting USB ports on a device introduces another problem -- the "USB 
hub loophole", which we will address with future legislation. We will 
need to work with the ATF and Homeland Security to identify the best way 
to deal with this issue.  We will probably need to bring in CIA and NSA 
as well, to monitor the production and sale of these devices both abroad 
and domestically.  We are also in talks at the UN to introduce a new, 
multinational, multilateral civilian oversight committee to monitor and 
regulate the international trade of these dangerous items.  However, we 
are having difficulties getting some member states to accept the 
inspection requirements, and talks are ongoing.


Next, we're going to limit the general availability of network 
connections to no more than 32kbit/sec in either direction.  Faster 
network connections will be available, but you will have to register 
with the government and pay for a tax stamp.  This ensures that 
criminals can't misuse high-speed network connections, unless they can 
afford to pay $200.


Finally, we are going to introduce a total digital-crime-device ban to 
help tackle the problem in high-crime areas.  We are going to give 
states and municipalities the ability to make "digital-free zones" where 
the possession of digital crime devices is prohibited. This will result 
in the complete elimination of digital crimes committed in public areas 
such as schools and movie theaters, because it will be double-illegal to 
commit crimes there.




Re: BRAS suggestion

2015-08-14 Thread Peter Kristolaitis
The Walmart ones cost less upfront, but their support sucks.  This often 
leads to sags in performance, especially from the view of the average 
eyeball network user, which results in personal discomfort when senior 
management determines that the best way to resolve the issue is to bring 
in some external consultants to really strip the system down and get 
hands-on with optimizing heap sizes.




On 08/14/2015 12:04 PM, Alistair Mackenzie wrote:

I'm pretty sure this would get expensive for 30k+.

Perhaps try Walmart?

On 14 August 2015 at 17:01, Mike Lyon mike.l...@gmail.com wrote:


Victoria's Secret
On Aug 14, 2015 8:08 AM, Julian Eble juliane...@yahoo.com.br wrote:


Hello Nanog,
Our company is constantly growing and we're looking for a 30k+
subscribers BRAS, does the community have a suggestion?

Thank you!





Re: Remember Internet-In-A-Box?

2015-07-14 Thread Peter Kristolaitis

On 7/14/2015 8:02 PM, Mike wrote:
The flame wars and vitrol and rhetoric is too much noise for me to 
derive anything useful from. Someone needs to stand up and lead. I 
will happily follow.


Too much noise has been v6's problem from the start.  Every time I've 
looked at v6 for use in the enterprise or even at home over the last ~15 
years, the answer is always "wait -- v6 isn't standardized yet", 
"implement now -- v6 is ready for production", "wait -- v6 is missing 
critical features", "implement now -- v6 is easier than v4" and "wait -- 
v6 is too complex, and we don't have the best practices figured out yet" 
-- all simultaneously, depending on who you ask, the phase of the moon, 
local weather patterns, etc.  And, to a significant degree, that's 
still happening today.


That's exacerbated by the long development cycle, multiple conflicting 
revisions/implementations over the years, and a severe case of feature 
creep.  Most people started to tune out around the third time we heard 
"it's really here, for real this time!", and were completely 
underwhelmed (or overwhelmed, as the case may be) when the "really here 
for real" version arrived after a long hype cycle.


So basically IPv6 is the Duke Nukem Forever of the networking 
world.  Took forever to get here, was completely underwhelming when it 
did, and wasn't compelling enough for people to pony up money for other 
than as a curiosity.  Unfortunately v6 is an essential part of making 
the Internet continue to work, because in any other scenario it would 
have been abandoned as vaporware 10-15 years ago.  If a product is in 
development for 20 years, the expectation is that it's perfect out of 
the box, reduced to the simplest possible implementation, and easily 
understood -- and that's not what we have.


- Pete



Re: World's Fastest Internet™ in Canadaland

2015-06-26 Thread Peter Kristolaitis

On 6/26/2015 7:26 PM, Joe Abley wrote:


On 26 Jun 2015, at 15:04, Hank Disuko wrote:

Bell Canada is apparently gearing up to provide the good people of 
Toronto with the World's Fastest Internet™.
http://www.thestar.com/news/city_hall/2015/06/25/bell-canada-to-give-toronto-worlds-fastest-internet.html 



Bell Canada is in the business of defending the current regulatory 
regime from claims that internet speeds are slow, or that investment 
by incumbents in the last mile is lacking, or that it ought to be 
required to share its access network with competitors. Read the press 
with that context in mind.


There's cooperative, rural broadband in the UK [1] that offers 10G 
access to farms at a lower price than Bell charges for some satellite 
TV bundles. I don't think anybody need waste any cycles persuading 
other people here that the fastest internet claims are not aligned 
precisely with the kind reality you find even on this list.


Joe

[1] http://b4rn.org.uk


And defend the current regulatory regime well they do.  I live literally 
minutes outside of the Ottawa urban area and I have as choices for 
network connectivity either LoS wireless or satellite. I can, however, 
stand at the end of my driveway and look in EITHER direction to see 
houses that can get cable service, yet none of the incumbents are 
willing to service my little stretch of road (affecting me and ~5 
neighbours).


I'm told by the neighbours (I just moved here) that they've been bugging 
the incumbents for YEARS and getting no traction at all. I'm thinking of 
pricing out a fiber run and running a little local co-op network access 
provider for me and the neighbours, but I suspect that install costs 
might nix that idea.


(For extra fun, I was told by one of the incumbents that my address was 
serviceable with up to 150Mbps cable before I purchased the property.  
Then when I took possession and tried to get service set up -- nope, 
sorry.  But that's a whole other story...)




Re: eBay is looking for network heavies...

2015-06-07 Thread Peter Kristolaitis

On 6/7/2015 4:10 AM, Joshua Riesenweber wrote:

As someone studying their first CCIE (RS), I sometimes find these kind of 
discussions disheartening. They come up every now and again, and the opinions 
seem to vary anywhere between 'a good interview tool' and 'less than worthless'.

A certification is like anything else a person puts on their resume -- I 
assume its value is overstated and follow the "trust, but verify" protocol.


I expect candidates to have the same body of knowledge regardless of 
whether or not they're certified -- I need them to do a job, and that 
job requires certain skills.  If getting that piece of paper taught you 
those skills -- great, though very unlikely.  If you acquired the skills 
without the paper, also great.


Generally I find that candidates with no/few certs are the more 
well-rounded (real-life experience + practical knowledge) candidates. 
The School of Hard Knocks is a great institution of learning.



following a certification track isn't perfect, but it gives (at least to me) 
the structure to cover areas of knowledge that you might not if you were doing 
100% on the job training or some other methods. It gives you something to aim 
for, and helps with motivation and setting goals.

In many ways, certification tracks are something like getting a PhD.  
Completely useless information (and very few skills) to anything you'll 
do in the real world, but if it makes your clock tick, go for it.  
Just don't expect me to be impressed when I'm interviewing you, because 
it has no direct relationship with your ability to do this job.


As a personal growth tool -- great.  As a professional growth tool -- meh.


When I see someone who has a certification, and they can follow it up with 
actual skills, it indicates they have a certain level of dedication to 
improving themselves and their education. (In my experience it takes more time 
to study a certification track than to learn just what you need to get a job 
done.)

My favourite question to ask candidates during an interview is "Tell me 
about a cool technology project you've done outside of work."   I don't 
even really care what the answer is, it's more about: do they get revved 
up while they're talking about it?


If they fire up to 110% and get super excited to tell you about the 
super-awesome $THING they built/coded/hacked, it bodes well for their 
motivation about all things tech, including learning about it.  The 
geek type, if you will.


If they shrivel up and say "I dunno...  Uhh... I installed Exchange 
once."  then I know all I need to know about their dedication to 
improving their knowledge & skills.  They're here for a day job and 
really aren't passionate about technology.


I often ask this question early in the interview process -- I find it 
helps the really-awesome-but-with-poor-interview-skills geeks to relax 
and do well with the rest of the interview, and it provides me with a 
pretty damned reliable barometer reading of the candidate from the get-go.




Re: OT - Small DNS appliances for remote offices.

2015-02-18 Thread Peter Kristolaitis
Not industrial grade, but Raspberry Pis are pretty great for this kind 
of low-horsepower application.  Throw 2 at each site for redundancy and 
you have a low-powered, physically small, cheap, dead silent, easily 
replaceable system for ~$150 per site.   Same idea as the Soekris -- 
just ship out replacements instead of trying to repair -- but even cheaper.


Between having 2 (or more) at each site, plus cross-site redundancy via 
anycast, it would be pretty robust (and cheap enough that you could have 
cold-spares at each site).




On 02/18/2015 09:28 AM, Ray Van Dolson wrote:

Hopefully not too far off topic for this list.

Am looking for options to deploy DNS caching resolvers at remote
locations where there may only be minimal infrastructure (FW and Cisco
equipment) and limited options for installing noisier, more power
hungry servers or appliances from a vendor.  Stuff like Infoblox is
too expensive.

We're BIND-based and leaning to stick that way, but open to other
options if they present themselves.

Am considering the Soekris net6501-50.  I can dump a Linux image on
there with our DNS config, industrial grade design, and OK
performance.  If the thing fails, clients will hopefully not notice due
to anycast which will just hit another DNS server somewhere else on the
network albeit with additional latency.  We ship out a replacement
device rather than mucking with trying to repair.

There's also stuff like this[1] which probably gives me more horsepower
on my CPU, but maybe not as reliable.

Maybe I'm overengineering this.  What do others do at smaller remote
sites?  Also considering putting resolvers only at hub locations in
our MPLS network based on some latency-based radius.

Ray

[1] http://www.newegg.com/Mini-Booksize-Barebone-PCs/SubCategory/ID-309
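Both messages above lean on anycast to steer clients away from a dead resolver, and that only works if the anycast route actually disappears when the resolver process (not just the whole box) stops answering. The watchdog below is an added example, not code from this thread or from BIND: it probes the local resolver with a hand-built DNS query and removes the anycast address from the loopback interface after a few consecutive failures, so a routing daemon that redistributes connected routes stops advertising it; it restores the address only after a couple of consecutive successes to avoid flapping. The address 10.53.0.53/32, the probe name, the thresholds and the use of `ip addr` on `lo` are all assumptions for the example.

```python
"""Health-check watchdog for an anycast caching resolver (added example, not from the thread)."""
import random
import socket
import struct
import subprocess
import time
from typing import Callable

# Constructed/assumed values: adjust for your own deployment.
ANYCAST_ADDR = "10.53.0.53/32"   # assumed anycast service address configured on lo
PROBE_NAME = "www.example.com"   # a name the resolver must be able to answer
FAIL_THRESHOLD = 3               # consecutive failed probes before withdrawing
OK_THRESHOLD = 2                 # consecutive good probes before restoring


def build_query(name: str, txid: int) -> bytes:
    """Build a minimal DNS A/IN query (RD=1) for `name` in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def answer_is_healthy(reply: bytes, txid: int) -> bool:
    """A healthy reply echoes our txid, has QR set, RCODE 0 and at least one answer RR."""
    if len(reply) < 12:
        return False
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return rid == txid and (flags & 0x8000) != 0 and (flags & 0x000F) == 0 and an > 0


def probe_local_resolver(server: str = "127.0.0.1", timeout: float = 2.0) -> bool:
    """Send one UDP query to the resolver on this box and judge the response."""
    txid = random.randrange(1, 1 << 16)   # fresh ID so a stale reply cannot satisfy the check
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(PROBE_NAME, txid), (server, 53))
            reply, _ = sock.recvfrom(512)
        except OSError:          # timeout, ICMP unreachable, etc.
            return False
    return answer_is_healthy(reply, txid)


class AnycastWatchdog:
    """Withdraw the anycast address when the resolver is unhealthy; restore when it recovers.

    The separate fail/ok thresholds give hysteresis so one lost packet does not flap the route."""

    def __init__(self, probe: Callable[[], bool],
                 withdraw: Callable[[], None], restore: Callable[[], None]) -> None:
        self.probe, self.withdraw, self.restore = probe, withdraw, restore
        self.announced = True    # assume the address is configured at start-up
        self.fails = 0
        self.oks = 0

    def tick(self) -> bool:
        """Run one probe cycle; return whether the address is announced afterwards."""
        if self.probe():
            self.fails, self.oks = 0, self.oks + 1
            if not self.announced and self.oks >= OK_THRESHOLD:
                self.restore()
                self.announced = True
        else:
            self.oks, self.fails = 0, self.fails + 1
            if self.announced and self.fails >= FAIL_THRESHOLD:
                self.withdraw()
                self.announced = False
        return self.announced


def withdraw_anycast() -> None:
    """Drop the service address from lo; the routing daemon stops advertising it (assumed setup)."""
    subprocess.run(["ip", "addr", "del", ANYCAST_ADDR, "dev", "lo"], check=False)


def restore_anycast() -> None:
    """Put the service address back so the route is advertised again."""
    subprocess.run(["ip", "addr", "add", ANYCAST_ADDR, "dev", "lo"], check=False)


if __name__ == "__main__":
    watchdog = AnycastWatchdog(probe_local_resolver, withdraw_anycast, restore_anycast)
    while True:
        watchdog.tick()
        time.sleep(5)
```

Because the probe asks the resolver to actually resolve a name, a box whose named is running but has lost upstream connectivity is withdrawn too; if you would rather keep serving from cache in that situation, probe a name the resolver is authoritative for instead.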




Re: Incident notification

2014-11-21 Thread Peter Kristolaitis
We use OpsGenie for notifications (and on-call scheduling, etc). There 
are other similar options such as PagerDuty, etc, as well.


Notifications can be submitted to the service in a variety of ways 
(email, web API, etc), it has a variety of integrations with other tools 
(Nagios, Pingdom, etc) to aggregate all of your alerts, and there is a 
callback mechanism where the user can trigger custom actions right from 
the app (for example, I wrote an interface for it such that when we get 
an alert, the on-call person can choose to restart the affected service 
-- or even reboot the entire VM hosting it -- right from within the 
OpsGenie app).


Each user can choose their method of contact (notification to the 
smartphone app, SMS, phone call, email, whatever), and on-call schedules 
(and exceptions) are easily managed.


It works for us... YMMV. ;)

- Peter


On 11/21/2014 10:52 AM, Thijs Stuurman wrote:

Nanog list members,

I was looking at some statistics and noticed we are sending out a massive amount 
of SMS messages from our monitoring systems.
This left me wondering if there isn't a better (and cheaper) alternative to 
this, something just as reliable but IP based. We all have smartphones these 
days anyway.

Therefore my question, what are you using to notify admins of incidents?

Kind regards / Met vriendelijke groet,

Thijs Stuurman



IS Group
Wielingenstraat 8
1441 ZR Purmerend
T +31 (0)299 476 185
F +31 (0)299 476 288
i...@is.nl
www.is.nl

IS Group is ISO 9001:2008, ISO/IEC 27001:2005, ISO 20.000-1:2005, ISAE 3402 
certified. The data centers are PCI DSS and ISO 14001 compliant.
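The callback Peter describes (restart a service or reboot a VM straight from the alerting app) is an authenticated remote-execution path into production, so the receiving side has to verify that the request really came from the alerting service and must translate it through an allowlist rather than execute anything the payload names. The handler below is an added illustration of that pattern, not OpsGenie's API and not Peter's code: the JSON payload shape, the HMAC-SHA256 signing scheme, the shared-secret placeholder, the service keys and the systemd unit names are all assumptions.

```python
"""Authenticated alert-callback handler (added example; payload format and signing scheme assumed)."""
import hashlib
import hmac
import json
import subprocess
from typing import List, Optional

# Placeholder only: load the real secret from a secrets store, never hard-code it.
SHARED_SECRET = b"replace-with-a-long-random-secret"

# The alert names a service *key*; which unit that key means is decided here, not by the caller.
SERVICE_UNITS = {
    "web": "nginx.service",        # constructed mapping
    "api": "api-gateway.service",  # constructed mapping
}
ALLOWED_ACTIONS = {"restart_service", "reboot_vm"}


def sign(body: bytes) -> str:
    """HMAC-SHA256 over the raw request body; the sender attaches this as a header (assumed)."""
    return hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest()


def rejection_reason(body: bytes, signature_hex: str) -> Optional[str]:
    """Return None if the callback passes every check, otherwise a short reason for the log."""
    # Constant-time comparison so a forger learns nothing from response timing.
    if not hmac.compare_digest(sign(body).encode("ascii"), signature_hex.encode("utf-8")):
        return "bad signature"
    try:
        payload = json.loads(body)
    except ValueError:
        return "body is not JSON"
    if not isinstance(payload, dict):
        return "payload is not an object"
    action = payload.get("action")
    alert = payload.get("alert")
    service = alert.get("service") if isinstance(alert, dict) else None
    if action not in ALLOWED_ACTIONS:
        return f"action not allowed: {action!r}"
    if service not in SERVICE_UNITS:
        return f"unknown service: {service!r}"
    return None


def plan_action(body: bytes, signature_hex: str) -> List[str]:
    """Validate, then translate the request into a fixed argv list.

    Nothing from the payload reaches the command line except through the allowlist lookup."""
    reason = rejection_reason(body, signature_hex)
    if reason is not None:
        raise PermissionError(reason)
    payload = json.loads(body)
    if payload["action"] == "restart_service":
        return ["systemctl", "restart", SERVICE_UNITS[payload["alert"]["service"]]]
    return ["systemctl", "reboot"]


def handle_callback(body: bytes, signature_hex: str) -> int:
    """Execute the planned command as an argv list (no shell) and return its exit status."""
    return subprocess.run(plan_action(body, signature_hex), check=False).returncode
```

Keeping `plan_action` separate from `handle_callback` lets you log exactly what would run (and unit-test the allowlist) without touching a host; wire `handle_callback` to whatever HTTP endpoint your alerting tool calls back into.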






Re: Why is .gov only for US government agencies?

2014-10-21 Thread Peter Kristolaitis


On 10/21/2014 01:33 PM, Sandra Murphy wrote:

On Oct 21, 2014, at 11:08 AM, David Conrad d...@virtualized.org wrote:


On Oct 20, 2014, at 10:18 PM, Barry Shein b...@world.std.com wrote:

Not that anyone is looking for a solution but I suppose one possible
solution would be to use the two-letter cctld then gov like
parliament.uk.gov or parliament.ca.gov etc.

No doubt there would be some collisions but probably not too serious.

Folks outside of the US have issues with the US government having a role in the 
administration of the root, even if that role is to ensure ICANN does screw the 
pooch.

I'm thinking there's a not missing here.

--Sandy


Depends on whether we're talking about the nominal or effective role of 
government...  ;)


- Peter



Re: AWS EC2 us-west-2 reboot

2014-09-24 Thread Peter Kristolaitis

Likely not, since it's affecting Windows instances as well.

Also not just us-west-2 -- we have tons of instances scheduled for 
downtime in us-east-1 and eu-west-1 as well.


-Peter


On 09/24/2014 04:51 PM, Gabriel Blanchard wrote:

Bash related?


On Sep 24, 2014, at 4:47 PM, Grant Ridder shortdudey...@gmail.com wrote:

As an FYI,  it looks like Amazon is doing a mass reboot of the physical
hosts in us-west-2 across all AZ's and it is scheduled to start tomorrow
and take a couple days.
Go to https://console.aws.amazon.com/ec2/v2/home?region=us-west-2#Events to
see what instances are affected when.

-Grant




Re: Credit to Digital Ocean for ipv6 offering

2014-06-19 Thread Peter Kristolaitis

On 06/19/2014 02:07 PM, Daniel Ankers wrote:

On 19 June 2014 18:19, valdis.kletni...@vt.edu wrote:




My WNDR3800 running cerowrt is quite able to use up the /60 Comcast hands me

(it burns 6 /64s by default the instant you turn it on, and can burn more
if
you start doing VLAN'ing or other config stuff).



How does it use those 6 /64s?  That seems to be getting towards the
interesting times where the way devices work with v6 is very different to
how they would have worked with v6


- Public IP
- DMZ IP
- Management IP
- Russian backdoor IP
- Chinese backdoor IP
- NSA backdoor IP

:)



Re: ipmi access

2014-06-02 Thread Peter Kristolaitis

On 06/02/2014 08:26 AM, Randy Bush wrote:

I use OpenVPN to access an Admin/sandboxed network with insecure portals,
wiki, and ipmi.

h.  'cept when it is the openvpn server's ipmi.  but good hack.  i
may use it, as i already do openvpn.  thanks.

randy
What you can also do if you want to remove the dependence on the OpenVPN 
server (e.g. smaller networks where the overhead would be high, or to 
mitigate failures of the OpenVPN server) is to use your existing pattern 
of whitelisting IPs using ACLs, but instead of modifying the rules all 
the time, just run a small external server with a static IP, and allow 
that IP access through all of your ACLs.


Amazon EC2 instances are great for this.  Assign an Elastic IP (i.e. 
static IP), and turn the instance on when you need it, shut it down when 
you're done.  If there happens to be a failure at Amazon right at the 
same time you have a failure... spin up a new instance in a different 
zone and give it the Elastic IP.   No mucking about with ACLs, etc.   
Costs a few cents to run for whatever length of time it takes to fix 
your issue, and is reasonably secure (especially if you shut the box off 
when you're not using it).


- Peter


Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Peter Kristolaitis


On 4/18/2014 11:29 PM, Jeff Kell wrote:
Anyone ever pentested you? It's an enlightening experience.

Jeff


At a previous job, we hired a company (with CISSP-certified pentesters) 
to do a black box pentest of our network.


Things I was enlightened by:

- It's OK to work in a highly technical field with no technical 
background.  The pentester they sent couldn't get Backtrack running on 
the machine we had provided to him because the onboard video didn't 
support 32-bit color under Linux (IIRC, a P4-era Dell desktop).  The 
concept of reading log files to find out what was wrong was completely 
foreign to him, as was the required 1-line fix in the X11 config.


- It's OK to not report a horribly insecure box to the client if you're 
stupid or lazy.  We had set up a honeypot box on our network to see if 
the pentester would find it, and despite tons of log evidence showing 
that he both found the box and the weak services... no mention of it was 
made on the report submitted to us.  Needless to say, this made the 
entire report suspect, and my boss had great pleasure in yelling at the 
vendor when I brought it to her attention.


- It's OK to not know anything at all about the tools you're using to do 
the job.  The pentester called us because he was getting weird nmap 
results and couldn't grok them (and insisted that we had given him the 
wrong IP addresses).  The reason?  A firewall that dropped unwanted 
traffic.  Seriously.  CISSP certified and he couldn't figure out how to 
detect firewalls that have a default-drop policy.


- It's OK to rely only on automated tools and blindly trust their 
output.   No attempts at targeted attacks were made, despite being 
specifically asked and authorized to do destructive testing against our 
test servers.  We KNEW from our own testing that there were some SQL 
injection and buffer overflow holes there (again, some even placed on 
purpose to see what he'd find), and his automated tools didn't find them 
so he assumed everything was fine.


And that's just SOME of the stuff from that particular experience. 
Enlightening?  Yes.  I now do my own pentesting, because I'd rather not 
waste $20K+ on a report of questionable quality done by someone who may 
or may not know how to run nmap, let alone more technical 
application-level attacks.


There are undoubtedly some good pen-testers out there that are worth 
every dime they charge.  However, like every other technical speciality, 
there are a LOT of really, really, really terrible practitioners.
Shelling out big money to hopefully find the former in a field of mostly 
the latter is bound to be an exercise in both frustration and misspent 
resources.





Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-11 Thread Peter Kristolaitis


On 4/11/2014 4:03 PM, William Herrin wrote:

The U.S. National Security Agency knew for at least two years about a flaw
in the way that many websites send sensitive information, now dubbed the
Heartbleed bug, and regularly used it to gather critical intelligence,
two people familiar with the matter said.

The NSA's decision to keep the bug secret in pursuit of national security
interests threatens to renew the rancorous debate over the role of the
government's top computer experts.

I call B.S. Do you have any idea how many thousands of impacted NSA
servers run by contractors hung out on the Internet with sensitive NSA
data? If you told me they used it against the targets of the day while
putting out the word to patch I could buy it, but intentionally
leaving a certain bodily extension hanging in the breeze in the hopes
of gaining more valuable data than they lose would have been an
unusually gutsy move.

These two unnamed sources are liars. Bet on it.

Regards,
Bill Herrin


I would imagine that federal contractors have to adhere to FIPS 140-2 
standards (or some similar requirement) for sensitive environments, and 
none of the affected OpenSSL versions were certified to any FIPS 
standard... the last version that WAS certified (0.9.8j) is only rated 
to Level 1, which, being the lowest possible rating, I suspect is not 
permitted for use by NSA contractors -- they're probably required to use 
level 3 or 4 for everything.




Re: Fwd: Serious bug in ubiquitous OpenSSL library: Heartbleed

2014-04-07 Thread Peter Kristolaitis

OK, now... it's far too late for April Fool's.  :(

That's scary as heck.  :(   Guess I know what the first order of 
business will be tomorrow...


- Pete


On 4/8/2014 1:06 AM, Paul Ferguson wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

I'm really surprised no one has mentioned this here yet...

FYI,

- - ferg



Begin forwarded message:


From: Rich Kulawiec r...@gsp.org
Subject: Serious bug in ubiquitous OpenSSL library: Heartbleed
Date: April 7, 2014 at 9:27:40 PM EDT

This reaches across many versions of Linux and BSD and, I'd
presume, into some versions of operating systems based on them.
OpenSSL is used in web servers, mail servers, VPNs, and many other
places.

Writeup: Heartbleed: Serious OpenSSL zero day vulnerability
revealed
http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-728166/

  Technical details: Heartbleed Bug http://heartbleed.com/

OpenSSL versions affected (from link just above):
  OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  OpenSSL 1.0.1g is NOT vulnerable (released today, April 7, 2014)
  OpenSSL 1.0.0 branch is NOT vulnerable
  OpenSSL 0.9.8 branch is NOT vulnerable



- -- 
Paul Ferguson

VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlNDg9gACgkQKJasdVTchbIrAAD9HzKaElH1Tk0oIomAOoSOvfJf
3Dvt4QB54os4/yewQQ8A/0dhFZ/YuEdA81dkNfR9KIf1ZF72CyslSPxPvkDcTz5e
=aAzE
-END PGP SIGNATURE-






Re: Serious bug in ubiquitous OpenSSL library: Heartbleed

2014-04-07 Thread Peter Kristolaitis
Not just run the updates -- all private keys should be changed too, on 
the assumption that they've been compromised already.  THAT is going to 
be the crappy part of this.


- Pete


On 4/8/2014 1:13 AM, David Hubbard wrote:

RHEL and CentOS both have patches out as of a couple hours
ago, so run those updates!  CentOS' mirrors do not all have
it yet, so if you are updating, make sure you get the
1.0.1e-16.el6_5.7 version and not older.

David










Re: Anternet

2014-04-05 Thread Peter Kristolaitis
This has been a solved problem for a long time.  You just need to 
implement Virtual Local Ant Nest (VLAN) and use overlapping local 
address schemes.



On 4/5/2014 2:32 AM, Andrew D Kirch wrote:

So, if there's more than 4 billion ants... what are they going to do?

Andrew

On 4/5/2014 1:44 AM, Larry Sheldon wrote:


Offered for your amusement--no followup.

http://kottke.org/14/04/the-anternet








Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-03-27 Thread Peter Kristolaitis

On 3/28/2014 12:57 AM, Randy Bush wrote:

Alexander Neilson alexan...@neilson.net.nz wrote:

I wonder if they should be invited to only post a single message with
the titles and links to the alerts so that people can follow it up.

i would prefer that the header be in blue, the titles in green, and the
urls in magenta, in comic sans, of course

randy



I disagree vehemently.  That's far too simple of a system and doesn't 
convey the necessary information that should be in a summary document.


Titles should be either cerise, amaranth or raspberry coloured, 
depending on the bug's severity, and the headers should be blue-gray, 
glaucous or steel blue depending on the day of the week the bug was 
discovered.  Some people might whine that those colors are too close to 
each other, but they can just buy a colorimeter -- that's an operational 
problem anyways.


I can agree to comic sans, as long as it blinks.

Actually, we should probably just set up a committee for report 
styling.  We really need an industry standard for this, and one that 
covers all possible reporting needs for at least the next 20 years.   
Shouldn't take more than a few weeks.


I think I have a TPS report template around here that would be a great 
starting point   :p




Re: Reliable Dedicated/VPS providers in Canada?

2014-02-11 Thread Peter Kristolaitis
I've been quite happy with the servers I'm renting from OVH 
(http://www.ovh.com/ca/en/) in their new Montreal data center, which is their 
entry into the North American market;  they've operated in Europe for quite a 
long time.

- Pete



--- kam...@ak-labs.net wrote:

From: Carlos Kamtha kam...@ak-labs.net
To: nanog@nanog.org
Subject: Reliable Dedicated/VPS providers in Canada?
Date: Tue, 11 Feb 2014 15:01:44 -0500

Hi, 

I was wondering if anyone could share some experiences with providers
in the great white north.

We have a few providers now and not happy with them. Cheap flimsy
virtual servers that charge .50 cents a gig for BW overages.. :/

Any feedback would be appreciated..

Cheers, 
Carlos. 






Re: Why won't providers source-filter attacks? Simple.

2014-02-04 Thread Peter Kristolaitis

On 2/4/2014 5:00 PM, Mark Andrews wrote:

Nope: it's easy to explain; you merely have to be a cynical bastard:

Attack traffic takes up bandwidth.

Providers sell bandwidth.

It *is* in their commercial best interest (read: maximizing shareholder
value) *NOT* to filter out DOS, DDOS, and spam traffic until their hand is
forced -- it's actually their fiduciary duty not to.

Then they need to be made criminally liable for the damage that it causes.
Yes, the directors of these companies need to serve gaol time.


That would never fly, because it would put the politicians at odds with 
the telecom buddies that make huge political donations.   Hard to throw 
someone in jail then hit them up for campaign money.   What will 
probably happen is the same thing we do with everything else that might 
be used for evil purposes but where we don't want to tackle the real 
underlying problem -- just write a law banning something and hope the 
problem goes away.


Make it illegal to possess a device capable of bandwidth greater than 
33.6Kbps without a special license, and BAM -- no more problems, 
overnight.  For added political-style points, tack on a catchy moniker, 
like "Immoral Bandwidth Prohibition", "The War on DDOS", or 
"High-Capacity Digital Assault Bandwidth" to help sell it to the 
public.  The public will be OK with their funny cat videos taking 19 
hours to load if they know they're preventing bad guys from doing 
something evil.


After all, it's worked flawlessly for alcohol, drugs and guns, so it 
MUST work for networks... and it's much easier than those silly, 
so-called solutions y'all are talking about!   :p


- Pete

(P.S.  Dear politicians:  in case you're reading this, the above was 
satire and should not be construed as anything resembling a good idea.)





Re: common method to count traffic volume on IX

2013-09-17 Thread Peter Kristolaitis

On 9/17/2013 2:51 PM, Leo Bicknell wrote:

In a message written on Tue, Sep 17, 2013 at 07:11:23PM +0300, Martin T wrote:

counting traffic on inter-switch links is kind of cheating, isn't it?
I mean if input bytes and output bytes on all the ports facing the
IX members are already counted, then counting traffic on links between
the switches in fabric will count some of the traffic multiple times.

Sounds like a marketing opportunity.

customer--s1--s2--s3--s4--s5--s6--s7--s8--s9--s10--customer

Presto, highest volume IX!

Maybe I should patent that idea.


Why do you have 10 48-port switches, 239 VLANs, but only 2 peers?

Uhh... for accounting reasons.




Re: Yahoo is now recycling handles

2013-09-04 Thread Peter Kristolaitis

On 9/5/2013 12:17 AM, valdis.kletni...@vt.edu wrote:

On Wed, 04 Sep 2013 20:47:40 -0500, Leo Bicknell said:

There's still the much more minor point that when I tried to self
serve I ended up at a blank page on the Yahoo! web site, hopefully they
will figure that out as well.

I'm continually amazed at the number of web designers that don't test
their pages with NoScript enabled.  Just sayin'.


NoScript?  That's some kind of antimalvirus thingy for Internet 
Explorer, right?  I think I read something about that in the "Website 
Design For Dimwits in 24 Hours" book...   ;)







Re: Yahoo is now recycling handles

2013-09-04 Thread Peter Kristolaitis

On 9/5/2013 1:20 AM, Larry Sheldon wrote:

On 9/4/2013 11:56 PM, Peter Kristolaitis wrote:

On 9/5/2013 12:17 AM, valdis.kletni...@vt.edu wrote:

On Wed, 04 Sep 2013 20:47:40 -0500, Leo Bicknell said:

There's still the much more minor point that when I tried to self
serve I ended up at a blank page on the Yahoo! web site, hopefully they
will figure that out as well.

I'm continually amazed at the number of web designers that don't test
their pages with NoScript enabled.  Just sayin'.


NoScript?  That's some kind of antimalvirus thingy for Internet
Explorer, right?  I think I read something about that in the "Website
Design For Dimwits in 24 Hours" book...   ;)


I would not use IE on a bet, but I do use NoScript as well as several 
other defensive weapons.


I probably do not give a big rat's patootie what your site offers--I 
know it won't be good.




I assume that you intended this for the list and not me directly, and 
that you haven't yet got around to reading "Things To Experience On The 
Internet, Volume 1:  Sarcasm".  :)


In case it wasn't abundantly clear, my post was a shot at what often 
passes for "web developer" these days.  I had hoped that "antimalvirus" 
would have been an indication that it was a joke, but I guess my sarcasm 
is rusty...  I would hope that no one on this list is ignorant of both 
the failings of IE and of the existence of NoScript.







Re: Yahoo is now recycling handles

2013-09-03 Thread Peter Kristolaitis
The issue was studied thoroughly by a committee of MBAs who, after 
extensive thought (read: 19 bottles of scotch), determined that there 
was money to be made.


whatcouldpossiblygowrong?

- Pete


On 9/3/2013 11:09 PM, Jay Ashworth wrote:

Whackiness, predictably, ensues:

   https://medium.com/editors-picks/46b47d95b957

You can do the math how this might affect you, your services, and your users,
if you have those.

Will people *ever* start listening when we tell them how Bad an Idea
something is?  The RISKS are endless...

Cheers,
-- jra







Re: Vancouver IXP - VanTX - BCNet

2013-08-20 Thread Peter Kristolaitis

On 08/20/2013 09:52 AM, Harald Koch wrote:

On 20 August 2013 09:05, Randy Bush ra...@psg.com wrote:


ok, i have heard privately from folk who i respect.  cira seems to be on
the up and up and doing good professional work.


haha. yes, because Canadians are normally so sinister and nefarious...
Hey, we're nefarious.  Our plan to take control of the world supply of 
poutine is well under way!


First, delicious and fattening food.  Next:  the world!   *cue evil laugh*

- Pete




Re: morning giggle

2013-08-17 Thread Peter Kristolaitis

On 8/18/2013 1:11 AM, Jimmy Hess wrote:

On Sat, Aug 17, 2013 at 8:58 PM, Randy Bush ra...@psg.com wrote:


for your morning, or whatever time of day it is to you, giggle



lol...

Ah...  they must want form  #298446.3B-II;   request for login shell and
root password from complete random stranger under dubious circumstances,
without justification.

It comes right after the form;  request to un-send previous e-mail and
pretend it didn't exist   :-)

--
-J


Hmm, I thought that they were asking for form numbers

# 298446.4 -- legal agreement for licensing of DNS zone data
# 298446.4-A -- fee schedule for licensing of DNS zone data 
(currently $42M per line of data)
# 298446.4-B -- affidavit that the text of the legal agreement 
(form 298446.4) -- all 403 pages of it -- has been indelibly tattooed on 
the licensee's body.  Photographic evidence is required to be attached.

# 298446.4-C -- notice of revocation of DNS zone licensing rights

Sadly, due to the slow speed of bureaucratic processes, I can never seem 
to get form -C out to the licensee before they've submitted -B.  ;)


- Pete






Re: will ISP peer with 2 local WAN routers?

2013-08-16 Thread Peter Kristolaitis
But the switches themselves are a single point of failure, so if a 
switch dies you still only have a single provider (assuming one switch 
per provider).  ;)


All you're doing is moving your single point of failure from the 
routers to the switches, with arguably very little increase in actual 
reliability (if any, depending on whether you think switches are less 
likely to fail than routers).


- Pete



On 08/16/2013 05:21 PM, Adam Greene wrote:

Thanks, Justin. Yes, we considered that option, too. But then if one WAN
router goes down, the customer will only have connectivity through a single
upstream provider. We'd prefer to maintain connectivity to both even if a
router fails. Switches in front of the routers is no problem.

-Original Message-
From: Justin Vocke [mailto:justin.vo...@gmail.com]
Sent: Friday, August 16, 2013 4:47 PM
To: Adam Greene
Cc: nanog@nanog.org
Subject: Re: will ISP peer with 2 local WAN routers?

The gotcha with that is then you need a switch in front of the routers. I'd
just setup a carrier on each router and run ibgp between.

Sent from my iPhone

On Aug 16, 2013, at 3:35 PM, Adam Greene maill...@webjogger.net wrote:


Hi guys,



I have a customer who peers via eBGP with Lightpath aka Cablevision
(AS
6128) and Level3 (AS 3356) and wants to do some dual-WAN router

redundancy.



I have heard that carriers will sometimes agree to set up a /29 WAN
subnet for a customer and peer with (2) customer routers.



The customer is delaying on providing me with the proper circuit ID & 
contact information to be able to call Lightpath and Level3 directly
and find out if they will do this, so I thought of asking this list.



Is anyone aware if Lightpath and Level3 will agree to something like this?


Thanks,

Adam












Re: Quantifying the value of customer support

2013-02-15 Thread Peter Kristolaitis
You need to talk to your marketing/sales department and have them figure 
out how many existing clients you would retain by maintaining the 
current level of service, how many clients you would lose with lower 
quality of service, and how many clients you would attract with better 
service.  From that, you can figure out a rough ROI for your department.


This isn't a fundamentally technical question, it's a marketing & sales 
one.   You can have the best service ever, but if your company is unable 
to attract or retain clients (whether due to your company's PR 
reputation, market saturation, or whatever), it doesn't matter.


- Pete


On 02/15/2013 05:15 PM, Kasper Adel wrote:

Thanks everyone for the feedback.

Can someone give an example on how I can calculate $ value from improving a
product/service usability and serviceability? I am trying to categorize what
we offer:

1) Improve customer experience
2) Reduce service deployment time
3) Improve service availability

Regards
Kim

On Friday, February 15, 2013, Siegel, David wrote:


There is no such thing as a generic business case that can be applied
across all companies in an industry.  Every business is unique in its
product definition and organization structure, but each question is also
unique and therefore the analysis must be done every time.

The way to begin is to ask this manager what he believes the possible
outcomes are (downsize your group, eliminate your group, re-define your
group, etc.) and then work with each of the key stakeholders that you have
to estimate the impact of those outcomes.  For example, if 1st line
operations indicates that eliminating your group would result in decreased
customer satisfaction and missed SLA's, ask them to quantify it as much as
possible and go to take the numbers back to your business people to have
them estimate the impact on revenue.

The analysis should be constructed and presented in standard finance terms
(like NPV) so I would suggest that you make friends with someone in finance
to assist you with the preparation.  You can also take a short two-day
course like this
http://executive.mit.edu/openenrollment/program/fundamentals_of_finance_for_the_technical_executive/16
that will teach you how to build up these analyses yourself (I have taken
the one referenced and I recommend it to all managers with budget
responsibility).

The outcome from these discussions often has surprising but positive
outcomes for everyone...maintaining the status quo is not always the best
possible outcome despite the biases we usually have when we begin the
analysis.  :-)  If you work closely with all of your stakeholders, everyone
will learn and benefit from the experience.

Dave

-Original Message-
From: Kasper Adel [mailto:karim.a...@gmail.com]
Sent: Thursday, February 14, 2013 2:16 PM
To: Andrew Latham
Cc: NANOG list
Subject: Re: Quantifying the value of customer support

I used to think that these kinds of situations take place when a manager
was never an engineer so he does not understand how things work, but I was
surprised when I faced these from managers with an intense engineering
career, so I gave up on trying to give conceptual excuses and want to just
give them the dump tables and numbers that they are looking for.

Kim

On Thursday, February 14, 2013, Andrew Latham wrote:


On Thu, Feb 14, 2013 at 3:52 PM, Kasper Adel karim.a...@gmail.com wrote:

Hello,

We are a 2nd level of escalation in a service provider, trying to
put a $ value on the support we give to our NOC and other
implementation teams, when they email us about problems they face.
But we are merely bits and bytes engineers that can't quantify and
justify the value of what we do to the management team. I guess
these smart suits want to see an Excel sheet with a table of how
much they save or gain by the support we do. We respond to technical
questions and simulate problems in a lab.

Can anyone help me with an idea or any material I can reuse? Templates?
Has anyone been in a similar situation?

Thanks
Kim

Kasper/Karim/Kim

Your job is customer retention.  Your value is maintaining all company
income.  Write the yearly revenue on a piece of paper and hand it to
them.


--
~ Andrew lathama Latham lath...@gmail.com
http://lathama.net ~






Re: Will wholesale-only muni actually bring the boys to your yard?

2013-01-30 Thread Peter Kristolaitis
There isn't any reason that you couldn't offer ALL of those services.
Spin off the layer 1 & 2 services as a separate entity as far as finance
& legal are concerned, then treat the muni ISP as just another customer
of that entity, with the same pricing and service that's offered to
everyone else.  If there is enough competition with the layer 1 & 2
services, the muni ISP may or may not have that many customers, but
it'll still be there as an "ISP of last resort", to borrow a concept
from the financial system, ensuring competitive and fair pricing is
available.


- Pete


On 01/30/2013 09:37 AM, Art Plato wrote:

I am the administrator of a municipally held ISP that has been providing
services to our constituents for 15 years in a competitive environment with
Charter. We aren't here to eliminate them, only to offer an alternative. When
the Internet craze began back in the late 1990s they made it clear that they
would never upgrade the plant to support Internet data in a town this size,
until we started the discussion of bonds. We provide a service that is
reasonably priced with local support that is exceptional. We don't play big
brother. Both my Director and I honor people's privacy. No information
without a properly executed search warrant. Having said all that, we are
pursuing the feasibility of the model you are discussing. My director believes
that we would better serve our community by being the layer 1 or 2 provider
rather than the service provider. While I agree in principle, the reality,
from my perspective, is that the entities providing the services will fall back
to the original position that prompted us to build in the first place: provide
a minimal service for the maximum price. There is currently no other provider
in position in our area to provide a competitive service to Charter. Loosely
translated, our constituents would lose. IMHO.

- Original Message -
From: William Herrin b...@herrin.us
To: Jay Ashworth j...@baylink.com
Cc: NANOG nanog@nanog.org
Sent: Wednesday, January 30, 2013 9:24:04 AM
Subject: Re: Will wholesale-only muni actually bring the boys to your yard?

On Tue, Jan 29, 2013 at 7:39 PM, Jay Ashworth j...@baylink.com wrote:

- Original Message -

From: Jean-Francois Mezei jfmezei_na...@vaxination.ca
It is in fact important for a government (municipal, state/province or
federal) to stay at a last mile layer 2 service with no retail
offering. Wholesale only.

Not only is the last mile competitively neutral because it is not
involved in retail, but it then invites competition by allowing many
service providers to provide retail services over the last mile
network.

As long as they support open peering they can probably operate at
layer 3 without harm. Tough to pitch a muni on spending tax revenue
for something that's not a complete product usable directly by the
taxpayers.



It rings true to me, in general, and I would go that way... but there is
a sting in that tail: Can I reasonably expect that Road Runner will in fact
be technically equipped and inclined to meet me to get my residents as
subscribers?  Especially if they've already built HFC in much to all of
my municipality?

Not Road Runner, no. What you've done, if you've done it right, is
returned being an ISP to an ease-of-entry business like it was back in
the dialup days. That's where *small* business plays, offering
customized services where small amounts of high-margin money can be
had meeting needs that a high-volume commodity player can't handle.

Regards,
Bill Herrin








Re: L2 redundant VPN

2013-01-21 Thread Peter Kristolaitis
Alternatively, just disable encryption by using --cipher none if you 
only care about the L2 bridging and don't care about the encryption 
aspect.  You should get a huge performance boost through the tunnel and 
it would be the same thing as dropping a dedicated circuit in there.


Of course, encryption is generally a Good Thing(tm), and the AES-NI 
stuff is phenomenal, but it's not necessarily required in places where 
you're just trying to get a link set up between 2 sites and you were 
considering MPLS anyways.


- Pete


On 01/21/2013 05:37 PM, Dan Olson wrote:

Can you enable aes-ni on your openvpn servers?  Any newer intel xeon
chipset should support it, but it is usually disabled (bios) by default.

There are more tuning tips at 
http://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux


- Original Message -

From: Tomas Podermanski tpo...@cis.vutbr.cz
To: nanog@nanog.org
Sent: Monday, January 21, 2013 3:37:55 PM
Subject: L2 redundant VPN

Hi networking guys,

I need some help :-). We are trying to find a reliable L2 VPN solution for
our department. The task is to connect two remote data centers, each of
them connected by two 1Gbps lines (with link aggregation). Only IP
connectivity between the data centers is available (so there is no
possibility to create a circuit based on MPLS or something like that). The
basic problem is that high reliability is required, so the solution has
to be fully redundant.

The initial idea was about two OpenVPN servers in each data center + two
switches (HP E5800) joined into one logical switch via VRF. The link
failure detection is based on LACP packets between both data centers. The
solution works, however the performance of OpenVPN is really creepy. The
maximum we were able to get from this configuration was about 100Mbps.
We expect at least 500Mbps (or more in the future).

We were then thinking about L2TP on some Cisco/HP (H3C) device, however
there is little information about the performance of that solution and I
am not sure how the failure detection would work in a redundant
configuration.

Does anybody have some experience with a similar solution, or at least any
idea?


Thanks a lot for thoughts

 Tomas








Re: Gmail and SSL

2013-01-03 Thread Peter Kristolaitis


On 1/3/2013 9:08 PM, Jimmy Hess wrote:
I am not sure why this would be classified as a feature request. If it 
is impacting you, and you had service before, then it is an 
Outage/Defect/Bug, full stop. Describing working service for a 
previously supported scenario as a feature request would be beyond 
ridiculous :)


Clouds in the sky tend to look pretty until the day they dump rain on 
you and then disappear.  Cloud apps are kind of like that.  ;)


Not to say that SaaS doesn't have its place in enterprise architecture, 
but one of the things that should have a huge, gigantic neon sign on it 
when you're doing your cost-risk-benefit analysis is that you're being 
put at the whim of your SaaS provider.  If they make a change that 
breaks functionality that only a subset of their clients use, you'd 
better hope that one of those clients has enough financial clout with 
the provider to make that functionality come back, otherwise you've just 
painted yourself into a corner.


- Pete






Re: Gmail and SSL

2012-12-29 Thread Peter Kristolaitis

On 12/29/2012 7:41 PM, Mark - Syminet wrote:

On Dec 14, 2012, at 7:52 AM, Peter Kristolaitis alte...@alter3d.ca wrote:


On 12/14/2012 10:47 AM, Randy wrote:

I don't have hundreds of dollars to get my ssl certificates signed

You can get single-host certificates issued for free from StartSSL, or for very 
cheaply (under $10) from low-cost providers like CheapSSL.com.  I've never had 
a problem having my StartSSL certs verified by anyone.



So I guess the question really, is this:

Is it bad, therefore - to *force* every holder of a self-signed certificate - 
to transmit in the clear?



There are plenty of good reasons for self-signed certs -- people stuck 
running a Microsoft environment might find it difficult without 
them, since it's a fundamental feature of Active Directory. ;)   Various 
F/OSS projects, like OpenVPN, generally recommend self-signed certs as a 
standard deployment scenario, because it actually provides an extra 
layer of security -- as the CA, you determine who gets a cert and who 
doesn't.   The difficulty you'll run into is defining "self-signed".   
If you generate your own CA and put the certs in your /etc/ssl 
directory, it's still self-signed (as in you're the one signing the 
end-use certs); the only difference is that your browser, etc, won't pop 
up a warning because it's now trusted.


It's also important to not conflate encryption with chain of trust 
validation.   There are good reasons to encrypt without really caring 
who you're talking to.  There are also good reasons to not necessarily 
trust an arbitrary list of CAs as provided by your SSL stack vendor and 
provide your own list, as mentioned above.


Two entirely separate issues, IMHO.

- Pete




Re: SSL Certificates and ... Providers

2012-12-27 Thread Peter Kristolaitis
Yes, some SSL providers (mostly the overpriced ones) like to license 
their certs on a per-server basis.  If you read the contract language, 
this is how it's written.  However, this is strictly a contractual 
issue, not a technical one.   It's just a way to squeeze more money out 
of people who don't know any better.


Speaking strictly from a technical standpoint, there is nothing at all 
stopping you from using the same cert/keys on as many servers as you'd 
like.  There are SSL providers out there that are reasonable about the 
whole thing and sell you a cert, not a single-device-license.


- Pete


On 12/27/2012 2:47 PM, Blake Pfankuch wrote:

Ok, so this might be a little off topic but I am trying to validate something a 
vendor is telling me and hoping some people here have expertise in this area...

I am working with an SSL certificate provider.  I am trying to purchase a 
quantity of wildcard SSL certificates to cover about 60 FQDNs across 4 
domains.  Vendor is telling me that the Wildcard certificates are licensed per 
physical device it is installed on.  This means instead of using a single 
wildcard across 20 servers, I would have to buy 20 wildcard certs for 20 
servers.

This does not compute in my brain and also in my mind completely defeats the 
purpose of a wildcard cert as I know it.  Has anyone run into this before?

Thanks
Blake





Re: William was raided for running a Tor exit node. Please help if you can.

2012-12-17 Thread Peter Kristolaitis
Drifting a bit off topic for NANOG (but hey, that happens every /pi/ 
days anyways!), but I'll toss this in...


Like every other legal incident, it would be unique to your own 
situation.  Keep in mind that, should any of the charges you mentioned 
go to court, the prosecution would have to prove /mens rea/ (intent).  
They would have to prove that you intended to cause the drives to be 
wiped specifically because you did not want them admitted as evidence.


If you weren't even home at the time the warrant was executed, the worst 
lawyer in the world would be able to argue that you have the system in 
place to prevent sensitive data from leaving in the event of common 
theft, and that it's not your fault the police triggered it (and suggest 
that maybe they should add "scan for an intense EM field" to their 
standard procedures when dealing with computer equipment :p ).


If you were home at the time (or knew that a warrant was being executed, 
e.g. if the police show up at your workplace to inform you), things 
would be a lot dicier.  Actively hitting the "turn on the system" button 
would definitely be bad news for you. However, simply not turning it off 
as the officers are walking out the door, well... it was a VERY 
stressful situation for you, with all the police running all over your 
house, and you simply forgot about the system until much later (or so 
your lawyer could argue).


There would definitely be some unhappy people with the situation 
regardless, and either way you'll be contributing to buying your lawyer 
a new car.  ;)


Now, having said all that... I'm not sure I'd want to pay the 
electricity bill for keeping that degausser running... :p


- Pete



On 12/17/2012 02:52 PM, Kyle Creyts wrote:

In most jurisdictions, wouldn't using a de-gaussing ring in the door frame
to wipe any equipment being removed constitute tampering with evidence or
interfering with an investigation if the authority in question is in
possession of a warrant/subpoena?

On Mon, Dec 17, 2012 at 11:33 AM, Jeroen van Aart jer...@mompl.net wrote:


On 11/30/2012 02:02 PM, Naslund, Steve wrote:


OK, there must be a lot more paranoid people out there than I thought


  for awhile?  I am sure he will let you out to go to the bank, get your
stuff, and leave town.  I think you have seen way too many movies.


  So if the cops show up at his door tomorrow and say "Here's all your
stuff back, there was no evidence of a crime.", you are OK with this
guy keeping the defense fund?


I for one vote for installing a de-gaussing ring in your door frame. Any
removal of equipment you don't approve of will be wiped. That and
encryption, possibly combined with hiding the real OS (TrueCrypt can do
that).

Greetings,
Jeroen

--
Earthquake Magnitude: 5.1
Date: Monday, December 17, 2012 17:46:48 UTC
Location: central East Pacific Rise
Latitude: -3.9682; Longitude: -104.0375
Depth: 15.70 km








Re: Gmail and SSL

2012-12-14 Thread Peter Kristolaitis

On 12/14/2012 10:47 AM, Randy wrote:

I don't have hundreds of dollars to get my ssl certificates signed


You can get single-host certificates issued for free from StartSSL, or 
for very cheaply (under $10) from low-cost providers like CheapSSL.com.  
I've never had a problem having my StartSSL certs verified by anyone.


- Pete



Re: Gmail and SSL

2012-12-14 Thread Peter Kristolaitis
I've heard this argument fairly often when I mention free/cheap 
certificates to colleagues, etc, but no one has ever actually pointed to 
a reasonable case where this is true ("the 20 year old VMS system that 
I've never patched running OpenSSL 0.0.0.0.1-pre-alpha doesn't work" 
doesn't count...).


I tested my StartSSL certs against quite a number of clients and haven't 
found anything reasonably modern (say in the last 10 years) that didn't 
work either out of the box or by updating the root CA list from the OS 
vendor via the OS' standard patching mechanism.


In my experience, free/cheap certs not working on some clients is, in 
99.9% of cases, a misconfiguration error where the server isn't 
presenting the cert chain properly (usually omitting the intermediate 
cert), which works on some platforms (often because they include the 
intermediate certs to work around these kinds of problems) but not on 
others.  Fixing the cert chain that's presented to the client has ALWAYS 
resolved these types of issues in my experience.


If you have a specific example that you know breaks with a specific 
(free/cheap cert, client) pair, I'd love to know so I can test it (if 
possible, i.e. I can actually get my hands on the client device/software).


- Pete


On 12/14/2012 4:45 PM, Matthew Black wrote:

A major problem with free or low-cost certificates is that their intermediate 
CA certificate does not always point back to a root certificate in client 
machines and/or software.

matthew black
california state university, long beach



-Original Message-
From: Peter Kristolaitis [mailto:alte...@alter3d.ca]
Sent: Friday, December 14, 2012 7:53 AM
To: nanog@nanog.org
Subject: Re: Gmail and SSL

On 12/14/2012 10:47 AM, Randy wrote:

I don't have hundreds of dollars to get my ssl certificates signed

You can get single-host certificates issued for free from StartSSL, or
for very cheaply (under $10) from low-cost providers like CheapSSL.com.
I've never had a problem having my StartSSL certs verified by anyone.

- Pete










Re: gmail offline?

2012-12-10 Thread Peter Kristolaitis
I'm getting the same thing when I try to access the web interface, but 
SMTP & IMAP seem to be working fine at the moment.


- Peter


On 12/10/2012 11:56 AM, Philip Lavine wrote:

getting a 502 error





Re: William was raided for running a Tor exit node. Please help if

2012-12-05 Thread Peter Kristolaitis


On 12/5/2012 8:35 AM, Joe Greco wrote:

An end user operating a TOR exit node, or a wide open Wireless AP,
intentionally allows other people to connect to their infrastructure
and the internet whom they have no relationship with or prior
dealings with, in spite of the possibility of network abuse or illegal
activities; they choose to allow connectivity without first
gathering information required to hold the 3rd party responsible for
their activity.

Oh please.  I don't know where you've been hiding out for the last half
a decade or so, but around here, every McDonalds, Starbucks, Sam's Club,
Home Depot, Lowe's, and most libraries, hotels, hospitals, and
laundromats offer WiFi, and those are just the ones I can readily
think of.

The level of wishful-thinking implied by the quoted text about how the
Internet works is mind-boggling.

... JG


Yes, but THAT free WiFi is offered by responsible businesses.  We 
certainly can't trust lowly citizens with such things.  It would be 
chaos!  The sky would fall, the world would end, and puppies would be 
kicked.  No, such power should only be in the hands of those we trust.


- Pete






Re: William was raided for running a Tor exit node. Please help if you can.

2012-11-30 Thread Peter Kristolaitis


On 11/30/2012 04:01 PM, Naslund, Steve wrote:

I am a little concerned that this guy keeps a safe deposit box with a burner
phone and cash around.  Is he a CIA agent? :)


Anyone who DOESN'T have such things stashed away somewhere is, IMHO, 
incredibly naive and taking on quite a large amount of risk.


The likelihood (and hope) is that you'll never need it.  But on the off 
chance that you get f***ed by the legal system because of some power 
hungry, mouth-breather cop who can't/won't understand that you've done 
nothing wrong -- or worse, that you're easily provably within the law, 
but he believes that you're not and drags you through the process 
anyways -- you'll be very happy that you stashed away that old unlocked 
cell phone, old laptop, change of clothes and cash.


I'm a (legal) firearms owner... up here in Canada, where some previous 
governments enacted extreme anti-gun legislation, that pretty much means 
that if I so much as sneeze in a way that a cop doesn't like, I can have 
my life ruined pretty damned fast (not quite, but really close).  I 
wouldn't bet against me having an excrement-hitting-the-oscillator stash 
like this guy does.  ;)


(Note:  I don't mean to imply that all cops are power hungry 
mouth-breathers intent on destroying the lives of citizens.   Most cops 
are fundamentally good people and do a great job.  But like every other 
profession, there ARE bad cops out there, and it's within the realm of 
possibility that you'll deal with one of them one day.)



Why would I donate to his legal defense when he has not been charged
yet?  A little premature, no?

If you think that legal costs in a criminal case only start when you've 
been formally charged, you're grossly misinformed.   At what point you 
personally decide to donate is one thing, but implying that someone 
doesn't need a defense fund prior to charges being laid is a bit naive 
about how the process works.


- Pete




Re: William was raided for running a Tor exit node. Please help if you can.

2012-11-30 Thread Peter Kristolaitis
I didn't say anything about trying to run away.  That probably won't 
accomplish a whole lot in the long run.   But when all of your bank 
accounts and credit cards are frozen, and your house is a crime scene, 
at least you have the means to rent a hotel room, contact 
family/lawyers, etc.


And no, I'm not OK with people keeping any money that was donated for a 
specific purpose in excess of what was actually used.  You'd hope that 
he'd be a good guy about it and give back the portion that wasn't used, 
or clearly state that any excess will go to charity or something.  
However, there's no such guarantee (short of doing it through a trust 
fund with his lawyer), and just like any philanthropic venture, it's up 
to each donor to choose when/if they'll help out.   It's just like 
Kickstarter -- you hope to get something good out of it, but if it 
bombs, well... you pay your money and you take your chances.


- Pete



On 11/30/2012 05:02 PM, Naslund, Steve wrote:

OK, there must be a lot more paranoid people out there than I thought
there were.  I personally don't have a runaway kit stashed away.  I
will get right on that. So when that mouth breather cop won't believe
you are innocent, your answer is to grab your stuff and go on the lam
for awhile?  I am sure he will let you out to go to the bank, get your
stuff, and leave town.  I think you have seen way too many movies.

So if the cops show up at his door tomorrow and say "Here's all your
stuff back, there was no evidence of a crime.", you are OK with this
guy keeping the defense fund?

Steve

-Original Message-
From: Peter Kristolaitis [mailto:alte...@alter3d.ca]
Sent: Friday, November 30, 2012 3:53 PM
To: nanog@nanog.org
Subject: Re: William was raided for running a Tor exit node. Please help
if you can.


On 11/30/2012 04:01 PM, Naslund, Steve wrote:

I am a little concerned that this guy keeps a safe deposit box with
a burner phone and cash around.  Is he a CIA agent? :)

Anyone who DOESN'T have such things stashed away somewhere is, IMHO,
incredibly naive and taking on quite a large amount of risk.

The likelihood (and hope) is that you'll never need it.  But on the off
chance that you get f***ed by the legal system because of some power
hungry, mouth-breather cop who can't/won't understand that you've done
nothing wrong -- or worse, that you're easily provably within the law,
but he believes that you're not and drags you through the process
anyways -- you'll be very happy that you stashed away that old unlocked
cell phone, old laptop, change of clothes and cash.

I'm a (legal) firearms owner... up here in Canada, where some previous
governments enacted extreme anti-gun legislation, that pretty much means
that if I so much as sneeze in a way that a cop doesn't like, I can have
my life ruined pretty damned fast (not quite, but really close).  I
wouldn't bet against me having an excrement-hitting-the-oscillator stash
like this guy does.  ;)

(Note:  I don't mean to imply that all cops are power hungry
mouth-breathers intent on destroying the lives of citizens.   Most cops
are fundamentally good people and do a great job.  But like every other
profession, there ARE bad cops out there, and it's within the realm of
possibility that you'll deal with one of them one day.)


Why would I donate to his legal defense when he has not been charged
yet?  A little premature, no?


If you think that legal costs in a criminal case only start when you've
been formally charged, you're grossly misinformed.   At what point you
personally decide to donate is one thing, but implying that someone
doesn't need a defense fund prior to charges being laid is a bit naive
about how the process works.

- Pete








Re: CLEC's in Ottawa area?

2012-09-06 Thread Peter Kristolaitis
I recommend TekSavvy (www.teksavvy.com) as a DSL reseller pretty much 
anywhere in Ontario (and any other provinces they can get service in).  
Not sure why they're not on that CLEC list, but they're a pretty big 
(and awesome) provider up here.  For bonus points, if you have to call 
their support line, you get someone who actually knows something about 
networking.   We have some DSL lines through them at work, and my 
personal home cable connection is through them as well.


- Pete


On 12-09-06 02:33 PM, chris wrote:

Hello,

I have a client in the Ottawa, Ontario, Canada area who is looking at DSL for
a secondary connection. I am pretty unfamiliar with the state of the telecom
industry in Canada; I googled around and found this rather lengthy list of
CLECs.

http://support.crtc.gc.ca/tlcmlsts/default.aspx?indx=33&lang=e

Does anyone have any good experiences with any of these carriers that
service the Ottawa area that they could share?

Also would be an added plus if they supported MLPPP as the client mentioned
they were concerned with the lower speeds of DSL, so we would love to do
two circuits with MLPPP if possible

thanks!
chris





Re: $10k per BGP prefix? (was Re: Level 3 BGP Advertisements)

2012-08-29 Thread Peter Kristolaitis

On 12-08-29 04:55 PM, Jay Ashworth wrote:

- Original Message -

From: William Herrin b...@herrin.us
That's very poor practice. Each announcements costs *other people* the
better part of $10k per year.

That sounds ... really really big to me, Bill.  Do you have a source
for that cust-accounting number?

Cheers,
-- jra '2 or 3 orders of magnitude' a


What, you don't spend $4,000,000,000 per year due to the size of the 
global routing table?   I know I've budgeted $4.5B for next year to 
account for growth, which leaves my expected balance sheet at about 
err carry the two... -$4.4999B.   Sweet!


- Pete




Re: Comcast vs. Verizon for repair methodologies

2012-08-20 Thread Peter Kristolaitis

On 12-08-20 04:25 PM, Leo Bicknell wrote:

In a message written on Mon, Aug 20, 2012 at 04:12:22PM -0400, Patrick W. 
Gilmore wrote:

The story: A piece of underground cable went bad.  The techs didn't pull new underground cable.  
They decided it was better to do it aerial (if you can call 2 feet aerial).  
They took apart the two pedestals on either side of the break and ran a new strand of RG6 (yes, the 
same stuff you use inside your home, not the outside-plant rated stuff) tied to trees with rope.

Why is that cable still in place?

That's a hint, not really a question. :)



That cable definitely needs to be removed in the interest of... uhh... 
community safety.  Yeah, that's it.  You're worried about the puppies 
and children hurting themselves.  ;)


(Double-mega-extra-bonus points if you convince your local city services 
to do it!)


- Pete




Re: Verizon FiOS - is BGP an option?

2012-08-05 Thread Peter Kristolaitis
My point is more along the line of: if you're depending on a service which 
provides only best-effort on uptime (as Bill Herrin mentioned, some providers 
can barely manage 2 nines of 911 uptime) and to which you're connected by a 
single, fault-prone connection, and which provides no guarantee of service even 
if you CAN contact them, calling it "critical" is kind of a joke, and you'd 
probably get laughed at by a risk analyst.  If you're serious about protecting 
health and home, you'd better have some other plan in place that doesn't have 
a ridiculous number of single points of failure.

Pete


Owen DeLong o...@delong.com wrote:

I've never met a dog properly trained in ACLS and I'm pretty sure that a gun 
isn't even useful for BLS.

Owen

On Aug 4, 2012, at 7:53 PM, Peter Kristolaitis alte...@alter3d.ca wrote:

 Considering that none of the services that can be dispatched by 911 are 
 legally required to help you  in most North American jurisdictions (i.e. if 
 you call 911 and the police don't respond until they finish eating their box 
 of donuts, they're not criminally or civilly liable), having working 911 
 services really doesn't guarantee you anything. Most security monitoring 
 companies have contracts that are completely worthless and guarantee nothing 
 as well.  
 
 If you're depending on 911 for life safety and property protection, I'd 
 recommend revising that plan to include a dog and/or gun.  :-)  
 
 - Pete
 
 
 
 Nathan Eisenberg nat...@atlasnetworks.us wrote:
 
 Residences aren't critical infrastructure, no matter how angry the owners 
 get.
 
 911 access isn't a critical service?  Fire and security panels aren't 
 critical services?
 
 If basic life safety and property protection aren't critical services, I'm 
 not sure what is.  These are peoples' lives and families and homes.  There 
 is nothing - repeat, nothing - more important than that.  It is absolutely 
 a critical service.
 
 Nathan Eisenberg
 
 



RE: Verizon FiOS - is BGP an option?

2012-08-04 Thread Peter Kristolaitis
Considering that none of the services that can be dispatched by 911 are legally 
required to help you  in most North American jurisdictions (i.e. if you call 
911 and the police don't respond until they finish eating their box of donuts, 
they're not criminally or civilly liable), having working 911 services really 
doesn't guarantee you anything. Most security monitoring companies have 
contracts that are completely worthless and guarantee nothing as well.  

If you're depending on 911 for life safety and property protection, I'd 
recommend revising that plan to include a dog and/or gun.  :-)  

- Pete



Nathan Eisenberg nat...@atlasnetworks.us wrote:

 Residences aren't critical infrastructure, no matter how angry the owners 
 get.

911 access isn't a critical service?  Fire and security panels aren't critical 
services?

If basic life safety and property protection aren't critical services, I'm not 
sure what is.  These are peoples' lives and families and homes.  There is 
nothing - repeat, nothing - more important than that.  It is absolutely a 
critical service.

Nathan Eisenberg




Re: F-ckin Leap Seconds, how do they work?

2012-07-04 Thread Peter Kristolaitis

On 7/5/2012 12:47 AM, Roy wrote:
Rather than discussing the pros and cons of UTC and leap seconds, just 
create your own time system.


You could call it OpenTime.  OpenTime will use NTP servers where the 
Stratum 1 servers are synced to some time standard that doesn't care 
about leap seconds.  That way the consumer can choose to connect his 
machines to UTC or OpenTime.




Oblig:  http://xkcd.com/927/

- Pete






Re: [c-nsp] NTP Servers

2012-06-30 Thread Peter Kristolaitis
You could have saved yourself a bit of typing by leaving off the last 5 
words of that sentence.  ;)


- Pete


On 6/30/2012 6:42 PM, Grant Ridder wrote:

I don't understand why anyone would use windows server for anything that
needed precision like time.

On Sat, Jun 30, 2012 at 5:39 PM, Keith Medcalf kmedc...@dessus.com wrote:









Re: Dear Linkedin,

2012-06-11 Thread Peter Kristolaitis

On 12-06-11 03:14 PM, Simon Perreault wrote:

On 2012-06-11 15:05, Owen DeLong wrote:

OK, someone shows you a Quebec driver's license.  You ask for a
passport, she says, "I don't have one," and points at the blue word "Plus"
after the words "Permis de Conduire" at the top of the license.  Now
what?


To the best of my knowledge, ICE stopped accepting DL for admission 
from Canada several years ago.


Your knowledge needs an update! ;)

http://www.saaq.gouv.qc.ca/en/driver_licence/licence_plus/licence_plus.php 



Simon


Yup, various Canadian provinces now issue newer, better driver's 
licenses that are accepted by ICE for entry to the US by land or sea 
only (not by air, you still need a passport or NEXUS for that).   Here 
in Ontario, they're called "Enhanced" driver's licenses, and only have 
minor differences from regular driver's licenses -- they have the word 
"Enhanced" on them, and they contain an RFID chip which is scanned at 
the border for ID verification purposes.  Oh, and they cost an extra 
$40 when you renew them.  The enhanced licenses were rolled out at 
pretty much the same time as the US entry requirements changed, so if 
you were a keener and got an enhanced card when they were first 
available, absolutely nothing would have changed for you, except that 
your wallet is now a bit lighter and you have a shiny new card.


It's left as an exercise to the reader as to whether the word "Enhanced" 
printed on a card and an RFID tag are, in fact, any more secure than 
what we had before.


- Pete




Re: LinkedIn password database compromised

2012-06-07 Thread Peter Kristolaitis

On 6/7/2012 9:22 AM, James Snow wrote:

On Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron C. de Bruyn wrote:

Imagine signing up for a site by putting in your email and pasting
your public key.

Yes! Yes! Yes!

I've been making this exact argument for about a year. It even retains
the same "email a link" reset mechanism when someone needs to reset
their key.

A common counter-argument is, "But ordinary Internet users won't
understand SSH keys." They don't need to! The idea is easily explained
via a lock-and-key metaphor that people already understand. The UI for
walking users through key creation is easily imagined.


-Snow


Oh yeah, I can just imagine that lock and key conversation now...

"Imagine if the website has a lock on it, and you tell them what key you 
want to use by giving them a copy."
"But if they have a copy of my key, couldn't they use it to open all of 
the other locks I've set up to use it?"

(explain public key crypto)
(drool, distraction by the latest Facebook feature)

The other problem with this approach is that, as bad as trusting remote 
sites to do security properly is, I'm not sure that putting a "one key 
to rule them all" on users' machines is that much better, given the 
average user's penchant for installing malware on their machine because 
FunnyMonkeyScreensaver.exe sounded like such a good idea at the 
time...   I suspect we'd see a huge wave of malware whose sole purpose 
is to steal public keys (and you KNOW users won't password-protect their 
private keys!).   Plus, now you have the problem of users not being able 
to log in to their favourite websites when they're using a friend's 
computer, internet cafe, etc, unless they've remembered to bring a copy 
of their private key with them.


I think public key auth for websites is a great idea for geeks who 
understand the benefits, limitations and security concerns, but I have 
serious doubts that it would hold up when subjected to the idiot test.


- Pete






Re: Penetration Test Assistance

2012-06-05 Thread Peter Kristolaitis



On 12-06-05 11:32 AM, Andrew Latham wrote:

On Tue, Jun 5, 2012 at 10:52 AM, Green, Timothy
timothy.gr...@mantech.com  wrote:

Howdy all,

I'm a Security Manager of a large network, we are conducting a Pentest next month and the 
testers are demanding a complete network diagram of the entire network.  We don't have a 
complete network diagram that shows everything and everywhere we are.  At 
most we have a bunch of network diagrams that show what we have in various areas 
throughout the country. I've been asking the network engineers for over a month and they 
seem to be too lazy to put it together or they have no idea where everything is.

I've never been in this situation before.  Should I be honest to the testers 
and tell them "here is what we have, we aren't sure if it's accurate; find 
everything else"?  How would they access those areas that we haven't identified? 
How can I give them access to stuff that I didn't know existed?

What do you all do with your large networks?  One huge network diagram, a bunch 
of network diagrams separated by region, or both?  Any pentest horror stories?

Thanks,

Tim

Any penetration test should only require your networks and masks.  As
far as a diagram it is of value to keep a staff member with the
singular task of documentation and auditing or an optional contract
basis.  Small things like typographical errors can cause great
confusion in emergency situations.  Take the time and do it right.  I
personally prefer the flexibility and ease of use that Mediawiki
offers but other free and pay solutions exist.



Yup, a list of subnets in use on your network is all I've ever needed to 
provide to pen testers in the past on the few occasions I've worked with 
them.  A good pen test should scan everything on your network anyways, 
with a reasonable chance of figuring out what everything is.


As far as horror stories... yeah.   My most memorable experience was a 
guy (with a CISSP designation, working for a company who came highly 
recommended) who:
- Spent a day trying to get his Backtrack CD to work properly.  When I 
looked at it, it was just a color depth issue in X that took about 45 
seconds from "why is this broken?" to "hey look, I fixed it!".
- Completely missed the honeypot machine I set up for the test.  I had 
logs from the machine showing that his scanning had hit the machine and 
had found several of the vulnerabilities, but the entire machine was 
absent from the report.
- Called us complaining that a "certain behavior" that he'd never seen 
before was happening when he tried to nmap our network.  The "certain 
behavior" was a firewall with some IPS functionality, along with him not 
knowing how to read nmap output.
- Completely messed up the report -- three times.  His report had the 
wrong ports & vulnerabilities listed on the wrong IPs, so according to 
the report, we apparently had FreeBSD boxes running IOS or MS SQL...
- Stopped taking our calls when we asked why the honeypot machine was 
completely missing from the report.


In general, my experience with most pen testers is a severe 
disappointment, and isn't anything that couldn't be done in-house by 
taking the person in your department who has the most ingrained 
hacker/geek personality, giving them Nessus/Metasploit/nmap/etc, pizza 
and a big ass pot of coffee, and saying "Find stuff we don't know about. 
Go."   There is the occasional pen tester who is absolutely phenomenal 
and does the job properly (i.e. the guys who actually write their own 
shellcode, etc), but the vast majority of pen testers just use 
automated tools and call it a day.  Like everything else in IT, security 
has been commercialized to the point where finding really good 
vendors/people is hard, because everyone and their mom has CEH, CISSP, 
and whatever other alphabet soup certifications you can imagine.






Re: Penetration Test Assistance

2012-06-05 Thread Peter Kristolaitis


On 12-06-05 03:48 PM, Brett Watson wrote:

On Jun 5, 2012, at 9:52 AM, Peter Kristolaitis wrote:


As far as horror stories... yeah.   My most memorable experience was a guy 
(with a CISSP designation, working for a company who came highly recommended) 
who:
- Spent a day trying to get his Backtrack CD to work properly.  When I looked at it, it was 
just a color depth issue in X that took about 45 seconds from "why is this broken?" to "hey 
look, I fixed it!".
- Completely missed the honeypot machine I set up for the test.  I had logs 
from the machine showing that his scanning had hit the machine and had found 
several of the vulnerabilities, but the entire machine was absent from the 
report.
- Called us complaining that a "certain behavior" that he'd never seen before was 
happening when he tried to nmap our network.  The "certain behavior" was a firewall with 
some IPS functionality, along with him not knowing how to read nmap output.
- Completely messed up the report -- three times.  His report had the wrong 
ports & vulnerabilities listed on the wrong IPs, so according to the report, we 
apparently had FreeBSD boxes running IOS or MS SQL...
- Stopped taking our calls when we asked why the honeypot machine was 
completely missing from the report.

In general, my experience with most pen testers is a severe disappointment, and isn't anything that 
couldn't be done in-house by taking the person in your department who has the most ingrained hacker/geek personality, 
giving them Nessus/Metasploit/nmap/etc, pizza and a big ass pot of coffee, and saying "Find stuff we don't know 
about. Go."   There is the occasional pen tester who is absolutely phenomenal and does the job properly (i.e. the 
guys who actually write their own shellcode, etc), but the vast majority of pen testers just use automated 
tools and call it a day.  Like everything else in IT, security has been commercialized to the point where 
finding really good vendors/people is hard, because everyone and their mom has CEH, CISSP, and whatever other alphabet 
soup certifications you can imagine.

I agree with a lot of what you've said, but there are absolutely good security 
guys (pen tester, vulnerability assessors, etc) that use both open source and 
commercial automated tools, but still do a fantastic job because they 
understand the underlying technologies and protocols.

I used to do a lot of this in the past, had lots of automated tools, and only 
occasionally wrote some assessment modules or exploit code if necessary.

But again, a person in that position has to understand technology holistically 
(network, systems, software, protocols, etc).

-b


I completely agree.   I didn't mean to imply that using automated tools 
is a bad thing -- simply that running an automated tool to pump out a 
report with no further investigation isn't really a useful pen test.  
I've seen vendors whose "comprehensive penetration testing" was 
basically "We'll run Nessus against your network, write up an executive 
summary and email you the scan results."  Quite the bargain for $20K!


Automated tools are definitely good to provide a first pass over a 
network, but even then multiple tools should be used, and an experienced 
eye should review the results for anomalies (whether that's a 
vulnerability that has a chance for false positives, discrepancies 
between the results of two or more automated tools, etc).   That kind of 
work, along with more aggressive pen tests and exploit development, need 
a "guru meditation"-level understanding of the involved technologies, 
protocols, etc, as you mentioned.


Like everything else in IT, the specific tools used are more or less 
immaterial to an excellent practitioner -- a good programmer can hack 
code in any language, a good network engineer can use any brand of 
network equipment, etc -- because these types of people truly understand 
the systems they're dealing with, and use tools to accomplish a specific 
task which fits into part of the big picture they have in their 
heads.   Poor practitioners in a field use tools for the sake of using 
the tool ("I'm scanning a network with Nessus because that's what the 
certification course told me to do") without that deep level of 
understanding, and therefore don't provide any real value to the process.


- Pete






Re: Comcast Paid Peer Pricing

2012-06-02 Thread Peter Kristolaitis
You're not allowed to sign an NDA, but you expect other people to 
violate the ones that they've signed by disclosing pricing to you?  
Yeah, I'm sure everyone will get right on that...


- Pete


On 6/3/2012 12:41 AM, Nabil Sharma wrote:

I am not allowed to sign NDA, can someone please send me sample pricing in 
private mail?

Sincerely,
Nabil


From: apishd...@gmail.com
Subject: Re: Comcast Paid Peer Pricing
Date: Sat, 2 Jun 2012 19:44:53 -0500
To: strei...@cluebyfour.org
CC: nanog@nanog.org

Concast I love it!!

Thanks,
Ameen Pishdadi


On Jun 2, 2012, at 6:57 PM, Justin M. Streiner strei...@cluebyfour.org 
wrote:


On Sat, 2 Jun 2012, Nabil Sharma wrote:


Dear NANOG:
I seek pricing on Comcast AS7922 paid peer at following commit level:
1G
10G
100G
Please reply in private and I will sum up on list.

Perhaps these would be worth reviewing?

http://www.concast.com/peering/
http://www.comcast.com/dedicatedinternet/?SCRedirect=true
http://as7922.peeringdb.com/

Your best bet would be to hit up their sales contact if you want pricing on 
non-SFI peering.

jms









Re: Comcast Paid Peer Pricing

2012-06-02 Thread Peter Kristolaitis
If you believe that they have no legal right to keep the data private, 
then obviously any NDA surrounding that data is unenforceable, so you 
should have no problems signing it yourself and then completely ignoring 
its terms as you're asking others to do.   I'm sure the judge at your 
civil suit will find your arguments interesting and will weigh them 
appropriately.


Keep in mind that anyone who provides pricing data to you may not only 
be violating any Comcast NDA that they may have signed, but possibly the 
NDA they have with their employer as well.  Even if there is no NDA 
covering the Comcast-Employer relationship, any employee of Employer 
may be legally bound not to discuss the terms of ANY of Employer's 
contracts with third parties.


- Pete


On 6/3/2012 1:03 AM, Nabil Sharma wrote:
Yes sir.  They're a cable monopoly, I don't think they have any legal 
or moral right to keep the data private.







Re: Cogent for ISP bandwidth

2012-05-15 Thread Peter Kristolaitis
You're using Verizon Math.  ;)   (If you don't know what this is, go 
Google it!)


0.75 cents is not 0.75 dollars.  "Point 75 cents" == $0.0075.
$0.0075 * 1000 = $7.50


- Peter


On 12-05-15 05:51 PM, A. Pishdadi wrote:

last time i checked .75 x 1000 = 750

On Tue, May 15, 2012 at 9:58 AM, Nicolai nicolai-na...@chocolatine.org wrote:


On Mon, May 14, 2012 at 09:38:34PM -0500, Ameen Pishdadi wrote:

No way they stack up against level3 or any of the other 4 big tier 1s
but if you throw them in a blend with level3 there shouldn't be any
issue and I wouldn't pay more the .75 cents a meg for a gig

That's $7.50 per 1000mbps.  Sign me up!

Nicolai






Re: Cogent for ISP bandwidth

2012-05-14 Thread Peter Kristolaitis
I use Cogent as one of our upstreams at work, and I'll basically 
reiterate what others have said -- overall, I'd have no problems 
recommending them.   Their routing can sometimes be a little weird 
(though this is MUCH better now than it was a couple of years ago), so I 
wouldn't necessarily use them as my main provider for latency-sensitive 
applications, but this isn't normally a problem with 'general' 
traffic.   The "A peer/B peer" stuff they used to do was definitely 
weird, but they migrated us away from that configuration a few months 
ago (peering with them out of TorIX).   Presumably they're doing that 
across the rest of their network.   Their support has been fantastic in 
my experience.


I'd have to say they're probably the least painful provider I've dealt 
with overall (unlike some providers *cough*Telus*cough* who I've been 
waiting 7 weeks for to set up a freaking BGP session...).   I'd have no 
problems picking Cogent as a provider, though of course as one of many 
providers for redundancy (which would be no different than any other 
single provider).


- Pete


On 5/14/2012 6:33 PM, Michael J McCafferty wrote:

Jason,

I agree with John. You can't use them as your only provider, but you
wouldn't do that with *any* provider. I will add that they answer the
phone quickly, and the person who answers usually has a clue, has access
to the routers, and can be helpful. It's one of the benefits that they
really only sell one product. Honestly, I think their support is better
than most and they deliver what they say or better.

In the past they had an A peer / B peer setup that was a little funky, but
I think they are getting rid of that as they upgrade hardware throughout
their network.

We do also use Level3 (and others). As long as they come in to your
facility on different fiber or otherwise meet your physical diversity
requirements, you should be pretty happy. Add low commits to other
providers for more diversity as needed.

Good luck,
Mike

On Mon, 2012-05-14 at 15:12 -0700, John T. Yocum wrote:

In my experience Cogent is fine when used in a BGP mix. When we used
them, our service was quite reliable. Routing was funky at times, but we
never had packet loss.

--John

On 5/14/2012 3:03 PM, Jason Baugher wrote:

The emails on the Outages list reminded me to ask this question...

I've done some searching and haven't been able to find much in the last
3 years as to their reliability and suitability as an upstream provider.
For a regional ISP looking for GigE ports in the Chicago/St. Louis area,
is Cogent a reasonable solution? Our gut feeling is that they don't
stack up against a Level3 or Sprint, but they are being very aggressive
with pricing to try and get our business.

Thanks,
Jason







Re: Whitelist of update servers

2012-03-12 Thread Peter Kristolaitis

I'm trying to determine if this is supposed to be an exercise in
"How To Annoy Your Sysadmins"
or
"How To Do Network Security The Really, Really Wrong Way"
or some combination of the two

- Pete



On 12-03-12 04:34 PM, Maverick wrote:

Like list of sites that operating systems or applications installed on
your machines go to update themselves. One way could be to go on each
vendors site and look at their update servers like
microsoft.update.com but it would be good if there is a list of such
servers for all OS and applications so that it could be used as a
whitelist.

On Mon, Mar 12, 2012 at 4:30 PM, Keegan Holley
keegan.hol...@sungard.com  wrote:

2012/3/12 Maverick myeaddr...@gmail.com

Is there a whitelist that applications have to talk to in order to
update themselves?


sometimes






Re: Whitelist of update servers

2012-03-12 Thread Peter Kristolaitis

On 12-03-12 04:53 PM, William Herrin wrote:

On Mon, Mar 12, 2012 at 4:40 PM, Peter Kristolaitis alte...@alter3d.ca  wrote:

On 12-03-12 04:34 PM, Maverick wrote:

Like list of sites that operating systems or applications installed on
your machines go to update themselves. One way could be to go on each
vendors site and look at their update servers like
microsoft.update.com but it would be good if there is a list of such
servers for all OS and applications so that it could be used as a
whitelist.

I'm trying to determine if this is supposed to be an exercise in
"How To Annoy Your Sysadmins"
or
"How To Do Network Security The Really, Really Wrong Way"
or some combination of the two

Pete,

There are scenarios in which it is completely reasonable to provide
white listed Web access instead of general Internet access. Consider:
PCs in a prison with access to legal library and off-site education
web sites. It would be helpful if they could also access automatic
updates so they don't get malware but God help the sysadmin if one of
the prisoners figures out how to get to child porn.

That having been said, this is almost certainly the wrong mailing list
to ask. It just isn't the kind of work we do here.

Regards,
Bill Herrin


In my experience, if you're dealing with a locked down environment like 
that, one or both of the following will be true:
- The users won't have sufficient privileges on the workstation to 
apply updates anyways
- Software updates and configuration changes are managed centrally

I agree that there are situations where whitelisted Web access might be 
suitable, but I expect the number of situations where you'd want 
whitelisted Web access AND ad-hoc software updates AND users to have 
local admin access on their workstations would be... very low.


- Pete




Re: WW: Colo Vending Machine

2012-02-17 Thread Peter Kristolaitis

On 12-02-17 03:05 PM, Leigh Porter wrote:

Did anybody say beer yet?



Don't forget the 30lb sledgehammer for those times when, ah, percussive 
maintenance is the only possible solution.  ;)


(Might be a bit hard to fit into a vending machine though... maybe the 
colo staff could just rent one out...)


- Pete




Re: RIS raw data

2012-01-19 Thread Peter Kristolaitis

On 12-01-19 10:46 AM, valdis.kletni...@vt.edu wrote:

On Thu, 19 Jan 2012 21:52:52 +0900, Randy Bush said:


uselessness, with more crap welded on to it than envisioned in mad max.

oooh... steampunk BGP. ;)


The Internet is like a series of (steam) tubes?   ;)

- Peter




Re: Comcast DNSSEC

2012-01-10 Thread Peter Kristolaitis

Wow!  Congrats to the Comcast crew, that's absolutely awesome!

Definitely interested in hearing any "lessons learned" that you can 
share from the exercise.


- Pete



On 1/10/2012 6:24 PM, Jeremy Bresley wrote:

Hadn't seen this mentioned yet.

http://blog.comcast.com/2012/01/comcast-completes-dnssec-deployment.html

Comcast has signed all their managed domains, as well as deployed 
DNSSEC resolvers for their customers.  And they're encouraging others 
to make the jump to DNSSEC now as well, especially e-comm/banking sites.


Nice work guys, any of the Comcast guys on the list want to give us an 
idea how much work is involved in this from a large-scale service 
provider perspective to do it?  Any big caveats you encountered that 
people should watch out for?


Jeremy "TheBrez" Bresley
b...@brezworks.com







Comcast Mail Admin

2011-12-16 Thread Peter Kristolaitis
Apologies to the list for the noise, but if there's a clueful Comcast 
mail admin on list, can you please get in touch with me off list?  My 
employer's network is having problems sending mail to your domain, and 
several attempts to clear it up using the "Blocked Provider Request 
Form" have failed (it looks like the comments I provided on the form 
aren't being read, as the link I provided to some of our log snippets 
showing the problem hasn't been hit).


Thanks!
- Peter Kristolaitis
http://www.comcastsupport.com/rbl


Re: Firewalls - Ease of Use and Maintenance?

2011-11-10 Thread Peter Kristolaitis
Your hypothetical scenario assumes you're the only organization 
compromised by the flaw (or one of very few), and not #3972 on the list, 
in which case the company could go bankrupt before a court can hear your 
case, and the liability protection they offered you is worth the 
electrons it's printed on.   It's great if you're a Fortune 50 and have 
the legal, political and financial clout to be #1 on the lawsuit list, 
but nearly worthless for most organizations.


- Peter


On 11/10/2011 10:39 AM, -Hammer- wrote:
OK. Right off the bat you know I can't and won't. But in some places 
it is common practice to make sure agreements are in place to make 
sure all parties are protected based on how a product is 
expected/designed to perform. I can't say more than that. Realize I'm 
speaking about things that are solely on the vendor. Not "Did you 
configure the ACL properly?"


What you can Google is the names of companies who have settled out of 
court against various trolling lawsuits vs the names of companies that 
are still in litigation. There is a mix of both manufacturer/vendor 
and end customer. It all depends on the case.


This shouldn't surprise you. If Toyota makes a defective brake and you 
slam into someone else, your insurance covers you. Eventually, if the 
issue scales out to the point that it is obvious that Toyota made a 
defective brake and it is not your fault, some insurance companies 
collectively will go to the government or directly to the manufacturer 
for compensation. This is no different. If you sell me a FW and it 
catches on fire thru no fault of my own and then the public finds out 
that FWs are catching on fire all over the place, it's a good bet that 
that FW vendor will be getting some lawsuits. If a FW vendor reports a 
product to work a certain way and instead thru a massive vulnerability 
or development oversight it does not the same applies. Software. 
Hardware. Physical (fire). Logical (vulnerability). I'm not saying 
that it happens all the time and I'm not even saying it's a general 
practice. What I'm saying is it happens. And depending on your 
business vertical it could be a very real consideration.


COMPLETELY 100% MADE UP HYPOTHETICAL SCENARIO:

I put a FW in. I put proper L3 ACLs in. I block 443 inbound. I didn't 
say I block HTTPS. I block 443. I test it by telnetting from the 
Internet to 1.1.1.1:443 and I am unable to connect. Looks good. A 
month later our CEO is surfing the Internet. Thru a development 
oversight in the product, when I NAT or PAT him to the Internet his 
source port is not pulled from the Ephemeral range but is instead 
sourced as port 443. He of course goes to sites riddled with Malware 
because that's what CEOs do. They click on links. So the Malware 
website initiates a new TCP session to destination port 443 with his 
NATted IP. The state table has an entry for that IP and 443 and even 
though this is a new TCP session the FW lets it thru. The malware site 
bad guys are able to retrieve confidential information about a merger 
and publish it. The other company that we were merging with sues us 
because the information is leaked to the public and adversely impacted 
their stock value. Everything in the above paragraph is able to be 
documented thru forensics and it is indisputable that the FW was 
properly configured and should have blocked it but didn't. The FW did 
NOT perform as advertised/designed. This is NOT the fault of me or my 
company. If a few thousand dollars is at stake nothing may come of 
this. If tens or hundreds of millions of dollars are at stake I 
promise you that our lawyers will be contacting the manufacturer whose 
product did not perform as advertised. They will compensate (in one 
way or another) us for our losses. It's a big ugly world full of lots 
of lawyers.


-Hammer-

"I was a normal American nerd"
-Jack Herer



On 11/10/2011 09:14 AM, Richard Kulawiec wrote:

On Thu, Nov 10, 2011 at 08:52:22AM -0600, -Hammer- wrote:

The other high cost of "free" that people sometimes overlook is
liability.

Please point to an instance (case citation, please) where a commercial
firewall vendor has been successfully litigated against -- that is, held
responsible by a court of law for a failure of their product to provide
the functionality that it's claimed to provide.

---rsk
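A model of the hypothetical firewall defect in -Hammer-'s scenario, added here as an illustration and not code from any post or product: a PAT that hands an outbound flow source port 443 instead of an ephemeral port, combined with a state table keyed only on (public IP, port), lets an unsolicited inbound SYN to 443 through despite the ACL, while proper connection tracking keyed on the full 4-tuple and refusing bare SYNs drops it. All addresses and ports are constructed (RFC 5737 documentation ranges); the audit helper flags non-ephemeral NAT ports as the detectable symptom.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

PUBLIC_IP = "203.0.113.10"         # constructed public address of the firewall
IANA_EPHEMERAL = range(49152, 65536)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool  # True = bare SYN opening a new TCP session


class Firewall:
    """Stateful firewall with PAT. strict=True models correct connection
    tracking; strict=False models the hypothetical defect in the post."""

    def __init__(self, public_ip: str, nat_port: int, strict: bool,
                 blocked_inbound_ports: Set[int]):
        self.public_ip = public_ip
        self.nat_port = nat_port          # port the PAT assigns to the next flow
        self.strict = strict
        self.blocked = blocked_inbound_ports
        # strict entries: (peer_ip, peer_port, public_ip, nat_port)
        # sloppy entries: (public_ip, nat_port)
        self.state: Set[tuple] = set()

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside->outside packet and record the flow."""
        nat = Packet(self.public_ip, self.nat_port, pkt.dst_ip, pkt.dst_port, pkt.syn)
        if self.strict:
            self.state.add((pkt.dst_ip, pkt.dst_port, self.public_ip, self.nat_port))
        else:
            self.state.add((self.public_ip, self.nat_port))
        return nat

    def filter_inbound(self, pkt: Packet) -> str:
        """Decide ALLOW/DROP for an outside->inside packet."""
        if self.strict:
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            # a bare SYN is by definition not part of an existing flow
            if key in self.state and not pkt.syn:
                return "ALLOW"
        elif (pkt.dst_ip, pkt.dst_port) in self.state:
            return "ALLOW"  # defect: peer address and SYN flag are ignored
        # no state match: fall through to the L3 ACL ("I block 443 inbound")
        return "DROP" if pkt.dst_port in self.blocked else "ALLOW"

    def non_ephemeral_translations(self) -> List[int]:
        """Audit: NAT source ports outside the IANA ephemeral range."""
        return sorted({e[-1] for e in self.state if e[-1] not in IANA_EPHEMERAL})


def run_scenario(strict: bool, nat_port: int) -> Dict[str, object]:
    """Replay the post's story against one firewall configuration."""
    fw = Firewall(PUBLIC_IP, nat_port, strict, blocked_inbound_ports={443})
    # The CEO's workstation (constructed) browses a site that turns out hostile.
    fw.translate_outbound(Packet("10.0.0.5", 51000, "198.51.100.7", 80, syn=True))
    # Legitimate return traffic for that flow.
    reply = Packet("198.51.100.7", 80, PUBLIC_IP, nat_port, syn=False)
    # The hostile site opens a brand-new TCP session to the CEO's public IP on 443.
    unsolicited = Packet("198.51.100.7", 40001, PUBLIC_IP, 443, syn=True)
    return {
        "legit_reply": fw.filter_inbound(reply),
        "unsolicited_syn": fw.filter_inbound(unsolicited),
        "audit": fw.non_ephemeral_translations(),
    }


if __name__ == "__main__":
    for strict in (False, True):
        for port in (51000, 443):
            r = run_scenario(strict, port)
            print(f"strict={strict!s:5} nat_port={port:5}  reply={r['legit_reply']}"
                  f"  unsolicited_syn={r['unsolicited_syn']}  audit={r['audit']}")
```

Only the combination of the sloppy state match and the non-ephemeral NAT port leaks; either fix alone closes it, and the audit list is the thing to alarm on.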







Re: Logs Bank

2011-11-08 Thread Peter Kristolaitis
Octopussy (8pussy.org) is another option as well.   Natively ties into 
various network monitoring packages (Nagios, Zabbix) for alerting 
capabilities.


- Peter


On 11/8/2011 3:00 PM, Charles N Wyble wrote:

Yes. Check out rsyslog and logstash.

joshua.kl...@gmail.com wrote:


Hi,

If I may ask, is there any OSS that can serve as a log bank or log
server, where it aggregates logs from different sources, and the logs
can be accessed using the web from any location on the network and can
do graphical presentations based on the frequency or content of the
logs.

Thank you

Joshua

--
Sent from my Nokia N9





Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Peter Kristolaitis

Really?  You can just connect with SSH?

root@somebox:~# ssh 1.2.3.4
The authenticity of host '1.2.3.4 (1.2.3.4)' can't be established.
RSA key fingerprint is 03:26:2c:b2:cd:fd:05:fc:87:70:4b:06:58:40:e7:c3.
Are you sure you want to continue connecting (yes/no)?

That's no different than having to permanently accept a self-signed SSL 
cert...


- Pete


On 9/13/2011 10:29 AM, Tei wrote:

*a random php programmer shows*

He, I just want to self-sign my certs and remove the ugly warning that
browsers show. I don't want to pay 1000$ a year, or 1$ a year for that. I
just don't want to use cleartext for internet data transfer.  HTTP is like
telnet, and HTTPS is like ssh. But with ssh you can just connect, with
browsers there's this ugly warning and "fuck you, self-signed certificate"
from the browsers.  Please make the pain stop!

--Tei