Re: We hit half-million: The Cidr Report

2014-05-02 Thread Alain Hebert
Well, I was just a suit drone into one of their 100 little IT firms around the world. The nearest I got to an actual AA associate was during a 1 month project in Chicago (: Wasted my time really... They billed 3 months to their clients, for a project that took 1 month, and I was

Re: We hit half-million: The Cidr Report

2014-05-01 Thread John Souter
On 30/04/14 17:30, valdis.kletni...@vt.edu wrote: ... Anybody got recommendations on how to make sure the company you engage for the audit ends up sending you critters that actually have a clue? (Not necessarily PCI, but in general) If more

Re: Dealing with auditors (was Re: We hit half-million: The Cidr Report)

2014-05-01 Thread Alain Hebert
security David -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ulf Zimmermann Sent: Wednesday, April 30, 2014 8:36 PM To: William Herrin Cc: nanog@nanog.org Subject: Re: Dealing with auditors (was Re: We hit half-million: The Cidr Report

Re: Dealing with auditors (was Re: We hit half-million: The Cidr Report)

2014-05-01 Thread William Herrin
On Thu, May 1, 2014 at 6:29 AM, Alain Hebert aheb...@pubnix.net wrote: Bill Telnet... I hope that QSA didn't let you keep that telnet facing any public interface without any protection. Hi Alain, The point I made, successfully, was that it was outside the firewall hence out of

Re: Dealing with auditors (was Re: We hit half-million: The Cidr Report)

2014-05-01 Thread TGLASSEY
Bill - anything that puts another routable network alongside of the card processing info is in scope. The real issue is that the PCI-SSC decided to formally create a policy to hold the auditors harmless in their actions and that is about to change. Todd On 5/1/2014 8:52 AM, William Herrin

Re: We hit half-million: The Cidr Report

2014-05-01 Thread Owen DeLong
On May 1, 2014, at 2:01 AM, John Souter j...@linx.net wrote: On 30/04/14 17:30, valdis.kletni...@vt.edu wrote: ... Anybody got recommendations on how to make sure the company you engage for the audit ends up sending you critters that actually

Re: We hit half-million: The Cidr Report

2014-05-01 Thread John Souter
On 01/05/14 17:41, Owen DeLong wrote: The problem with this theory is that if auditors can be so easily put to the street, you run into the risk of auditors altering behavior to increase customer satisfaction in ways that prevent them from providing the controls that are the reason

Re: We hit half-million: The Cidr Report

2014-05-01 Thread Owen DeLong
On May 1, 2014, at 11:07 AM, John Souter j...@linx.net wrote: On 01/05/14 17:41, Owen DeLong wrote: The problem with this theory is that if auditors can be so easily put to the street, you run into the risk of auditors altering behavior to increase customer satisfaction in ways that

Re: We hit half-million: The Cidr Report

2014-05-01 Thread Alain Hebert
Hey, I worked for them (AA) in the early 90's =D - Alain Hebert aheb...@pubnix.net PubNIX Inc. 50 boul. St-Charles P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 On 05/01/14

Re: We hit half-million: The Cidr Report

2014-05-01 Thread Robert Drake
On 4/29/2014 10:54 PM, Jeff Kell wrote: Yeah, just when we thought Slammer / Blaster / Nachi / Welchia / etc / etc had been eliminated by process of can't get there from here... we expose millions more endpoints... /me ducks too (but you know *I* had to say it) Slammer actually caused many

Re: We hit half-million: The Cidr Report

2014-05-01 Thread Owen DeLong
Care to comment on how you feel about the COI that developed between AA Consulting business at Enron and AA auditing Enron? Not asking you to disclose anything confidential, but if you have wisdom to impart about any sort of generic lessons learned, etc. that might be relevant to this

Re: We hit half-million: The Cidr Report

2014-05-01 Thread Jean-Francois Mezei
On 14-05-01 14:34, Owen DeLong wrote: Believe me, I cringe every time I hear “our auditors require NAT as a security mechanism” Pardon my ignorance here. But in a carrier-grade NAT implementation that serves say 5000 users, what happens when someone from the outside tries to connect to port

Re: We hit half-million: The Cidr Report

2014-05-01 Thread Robert Drake
On 5/1/2014 7:10 PM, Jean-Francois Mezei wrote: Pardon my ignorance here. But in a carrier-grade NAT implementation that serves say 5000 users, what happens when someone from the outside tries to connect to port 80 of the shared routable IP ? you still need to have explicit port forwarding to

Re: We hit half-million: The Cidr Report

2014-05-01 Thread Fred Baker (fred)
On May 1, 2014, at 4:10 PM, Jean-Francois Mezei jfmezei_na...@vaxination.ca wrote: Pardon my ignorance here. But in a carrier-grade NAT implementation that serves say 5000 users, what happens when someone from the outside tries to connect to port 80 of the shared routable IP ? More to the

Re: We hit half-million: The Cidr Report

2014-05-01 Thread Mark Foster
On Fri, May 2, 2014 11:57 am, Fred Baker (fred) wrote: On May 1, 2014, at 4:10 PM, Jean-Francois Mezei jfmezei_na...@vaxination.ca wrote: Pardon my ignorance here. But in a carrier-grade NAT implementation that serves say 5000 users, what happens when someone from the outside tries to

Re: We hit half-million: The Cidr Report

2014-05-01 Thread Owen DeLong
On May 1, 2014, at 4:57 PM, Fred Baker (fred) f...@cisco.com wrote: On May 1, 2014, at 4:10 PM, Jean-Francois Mezei jfmezei_na...@vaxination.ca wrote: Pardon my ignorance here. But in a carrier-grade NAT implementation that serves say 5000 users, what happens when someone from the

Re: We hit half-million: The Cidr Report

2014-04-30 Thread Rick Astley
Security is a layered approach though. I can't recall any server or service that runs in listening state (and reachable from public address space) that hasn't had some type of remotely exploitable vulnerability. It's hard to lean on operating systems and software companies to default services to

Re: We hit half-million: The Cidr Report

2014-04-30 Thread Jérôme Nicolle
Le 29/04/2014 04:39, valdis.kletni...@vt.edu a écrit : Do we have a handle on what percent of the de-aggrs are legitimate attempts at TE, and what percent are just whoopsies that should be re-aggregated? Deaggs can legitimately occur for a

Re: We hit half-million: The Cidr Report

2014-04-30 Thread Blake Dunlap
Just out of curiosity, how does removing port address translation from the equation magically and suddenly make everything exposed, and un-invent the firewall? -Blake On Tue, Apr 29, 2014 at 11:00 PM, Jeff Kell jeff-k...@utc.edu wrote: On 4/29/2014 11:37 PM, TheIpv6guy . wrote: On Tue, Apr 29,

Re: We hit half-million: The Cidr Report

2014-04-30 Thread Sholes, Joshua
On 4/30/14, 12:00 AM, Jeff Kell jeff-k...@utc.edu wrote: Not to mention that PCI compliance requires you are RFC1918 (non-routed) at your endpoints, but I digress... This is emphatically not true. All PCI compliance requires is that your private IP addresses are not disclosed to the public,

Re: We hit half-million: The Cidr Report

2014-04-30 Thread Patrick W. Gilmore
On Apr 30, 2014, at 09:15 , Jérôme Nicolle jer...@ceriz.fr wrote: Le 29/04/2014 04:39, valdis.kletni...@vt.edu a écrit : Do we have a handle on what percent of the de-aggrs are legitimate attempts at TE, and what percent are just whoopsies that should be re-aggregated? Deaggs can

RE: We hit half-million: The Cidr Report

2014-04-30 Thread Jamie Bowden
Behalf Of Jeff Kell Not to mention that PCI compliance requires you are RFC1918 (non-routed) at your endpoints, but I digress... You're not funny. And if you're not joking, you're wrong. We just went over this on this very list two weeks ago. Jamie

Re: We hit half-million: The Cidr Report

2014-04-30 Thread Valdis . Kletnieks
On Wed, 30 Apr 2014 15:40:43 -, Jamie Bowden said: You're not funny. And if you're not joking, you're wrong. We just went over this on this very list two weeks ago. And in that discussion, we ascertained that what the PCI standard actually says, and what you need to do in order to get

Re: We hit half-million: The Cidr Report

2014-04-30 Thread joel jaeggli
On 4/30/14, 9:30 AM, valdis.kletni...@vt.edu wrote: On Wed, 30 Apr 2014 15:40:43 -, Jamie Bowden said: You're not funny. And if you're not joking, you're wrong. We just went over this on this very list two weeks ago. And in that discussion, we ascertained that what the PCI standard

Re: We hit half-million: The Cidr Report

2014-04-30 Thread Sholes, Joshua
Anybody got recommendations on how to make sure the company you engage for the audit ends up sending you critters that actually have a clue? (Not necessarily PCI, but in general) In my previous jobs when I was doing FIPS/NIST/whatever compliance, it ended up being the case that having a

Re: We hit half-million: The Cidr Report

2014-04-30 Thread Jérôme Nicolle
Patrick, Le 30/04/2014 16:54, Patrick W. Gilmore a écrit : It's fairly easy to punch a hole in a larger prefix, but winning the reachability race while unable to propagate a more specific prefix significantly increases hijacking costs. Excellent point, Jérôme. Let's make sure nothing is

Dealing with auditors (was Re: We hit half-million: The Cidr Report)

2014-04-30 Thread Larry Sheldon
On 4/30/2014 11:30 AM, valdis.kletni...@vt.edu wrote: On Wed, 30 Apr 2014 15:40:43 -, Jamie Bowden said: You're not funny. And if you're not joking, you're wrong. We just went over this on this very list two weeks ago. And in that discussion, we ascertained that what the PCI standard

Re: Dealing with auditors (was Re: We hit half-million: The Cidr Report)

2014-04-30 Thread William Herrin
On Wed, Apr 30, 2014 at 5:23 PM, Larry Sheldon larryshel...@cox.net wrote: On 4/30/2014 11:30 AM, valdis.kletni...@vt.edu wrote: And in that discussion, we ascertained that what the PCI standard actually says, and what you need to do in order to get unclued boneheaded auditors to sign the

Re: Dealing with auditors (was Re: We hit half-million: The Cidr Report)

2014-04-30 Thread Ulf Zimmermann
The auditors VMware sent to us were just as bad. To ensure we weren't running rogue ESX(i) servers or WorkStation, they made us provide full arp/cam tables. Then a list of the virtual machines. Oh look, this MAC isn't listed as one of your virtual machines. It isn't because it was running on

RE: Dealing with auditors (was Re: We hit half-million: The Cidr Report)

2014-04-30 Thread David Hubbard
The auditors VMware sent to us were just as bad. To ensure we weren't running rogue ESX(i) servers or WorkStation, they made us provide full arp/cam tables. Then a list of the virtual machines. Oh look, this MAC isn't listed as one of your virtual machines

Re: We hit half-million: The Cidr Report

2014-04-29 Thread Geoff Huston
On 29 Apr 2014, at 12:39 pm, valdis.kletni...@vt.edu wrote: On Mon, 28 Apr 2014 21:59:43 -0400, Patrick W. Gilmore said: On Apr 28, 2014, at 19:41, Chris Boyd cb...@gizmopartners.com wrote: I'm in the middle of a physical move. I promise I'll take the 3 deagg'd /24s out as soon as I can.

Re: We hit half-million: The Cidr Report

2014-04-29 Thread Patrick W. Gilmore
The remainder of the prefixes (45%) shares the same origin AS and the same path. They could be TE prefixes, but as they are identical to their covering aggregate it's hard to appreciate exactly what the engineering intent may be. I could make a wild guess and call these 45% of more specifics

RE: We hit half-million: The Cidr Report

2014-04-29 Thread Kate Gerry
, Cloud Services and more. Datacenters in Los Angeles, Dallas and Miami. Follow us on:   -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Patrick W. Gilmore Sent: Tuesday, April 29, 2014 9:23 AM To: NANOG list Subject: Re: We hit half-million: The Cidr Report

Re: We hit half-million: The Cidr Report

2014-04-29 Thread ML
on: -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Patrick W. Gilmore Sent: Tuesday, April 29, 2014 9:23 AM To: NANOG list Subject: Re: We hit half-million: The Cidr Report The remainder of the prefixes (45%) shares the same origin AS and the same path. They could be TE

Re: We hit half-million: The Cidr Report

2014-04-29 Thread Paul S.
Dedicated Servers, Colocation, Cloud Services and more. Datacenters in Los Angeles, Dallas and Miami. Follow us on: -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Patrick W. Gilmore Sent: Tuesday, April 29, 2014 9:23 AM To: NANOG list Subject: Re: We hit half

Re: We hit half-million: The Cidr Report

2014-04-29 Thread Owen DeLong
On Apr 28, 2014, at 6:59 PM, Patrick W. Gilmore patr...@ianai.net wrote: Composed on a virtual keyboard, please forgive typos. On Apr 28, 2014, at 19:41, Chris Boyd cb...@gizmopartners.com wrote: On Apr 28, 2014, at 2:27 AM, Andy Davidson wrote: now aggregate it back down

Re: We hit half-million: The Cidr Report

2014-04-29 Thread Jeff Kell
On 4/29/2014 2:06 PM, Owen DeLong wrote: If everyone who had 30+ inaggregable IPv4 prefixes replaced them with 1 (or even 3) IPv6 prefixes… As a bonus, we could get rid of NAT, too. ;-) /me ducks (but you know I had to say it) Yeah, just when we thought Slammer / Blaster / Nachi / Welchia

Re: We hit half-million: The Cidr Report

2014-04-29 Thread TheIpv6guy .
On Tue, Apr 29, 2014 at 7:54 PM, Jeff Kell jeff-k...@utc.edu wrote: On 4/29/2014 2:06 PM, Owen DeLong wrote: If everyone who had 30+ inaggregable IPv4 prefixes replaced them with 1 (or even 3) IPv6 prefixes… As a bonus, we could get rid of NAT, too. ;-) /me ducks (but you know I had to say

Re: We hit half-million: The Cidr Report

2014-04-29 Thread Jeff Kell
On 4/29/2014 11:37 PM, TheIpv6guy . wrote: On Tue, Apr 29, 2014 at 7:54 PM, Jeff Kell jeff-k...@utc.edu wrote: On 4/29/2014 2:06 PM, Owen DeLong wrote: If everyone who had 30+ inaggregable IPv4 prefixes replaced them with 1 (or even 3) IPv6 prefixes… As a bonus, we could get rid of NAT, too.

Re: We hit half-million: The Cidr Report

2014-04-29 Thread Owen DeLong
On Apr 29, 2014, at 7:54 PM, Jeff Kell jeff-k...@utc.edu wrote: On 4/29/2014 2:06 PM, Owen DeLong wrote: If everyone who had 30+ inaggregable IPv4 prefixes replaced them with 1 (or even 3) IPv6 prefixes… As a bonus, we could get rid of NAT, too. ;-) /me ducks (but you know I had to say

RE: We hit half-million: The Cidr Report

2014-04-28 Thread Andy Davidson
Hi, Patrick wrote: 25-04-14 500177 282878 I think congratulations are still in order, but frankly, I am less impressed with getting to 500 than 150. [...] Anyway, congratulations everyone. now aggregate it back down again, please. :-) (If only) Andy

Re: We hit half-million: The Cidr Report

2014-04-28 Thread Chris Boyd
On Apr 28, 2014, at 2:27 AM, Andy Davidson wrote: now aggregate it back down again, please. :-) I'm in the middle of a physical move. I promise I'll take the 3 deagg'd /24s out as soon as I can. --Chris

Re: We hit half-million: The Cidr Report

2014-04-28 Thread Patrick W. Gilmore
Composed on a virtual keyboard, please forgive typos. On Apr 28, 2014, at 19:41, Chris Boyd cb...@gizmopartners.com wrote: On Apr 28, 2014, at 2:27 AM, Andy Davidson wrote: now aggregate it back down again, please. :-) I'm in the middle of a physical move. I promise I'll take

Re: We hit half-million: The Cidr Report

2014-04-28 Thread Valdis . Kletnieks
On Mon, 28 Apr 2014 21:59:43 -0400, Patrick W. Gilmore said: On Apr 28, 2014, at 19:41, Chris Boyd cb...@gizmopartners.com wrote: I'm in the middle of a physical move. I promise I'll take the 3 deagg'd /24s out as soon as I can. Do not laugh. If everyone who had 3 de-agg'ed prefixes fixed

Re: We hit half-million: The Cidr Report

2014-04-28 Thread Charles Gucker
On Mon, Apr 28, 2014 at 10:39 PM, valdis.kletni...@vt.edu wrote: On Mon, 28 Apr 2014 21:59:43 -0400, Patrick W. Gilmore said: On Apr 28, 2014, at 19:41, Chris Boyd cb...@gizmopartners.com wrote: I'm in the middle of a physical move. I promise I'll take the 3 deagg'd /24s out as soon

We hit half-million: The Cidr Report

2014-04-25 Thread Patrick W. Gilmore
25-04-14 500177 282878 Half a million prefixes. 'Wow .. just wow.' There was a time when even I would have laughed at the thought of 500K. Just a round number, but a milestone nonetheless. I checked, back in 2004, a little under 10 years ago, I posted this to NANOG: