AFRINIC IP Block Thefts -- The Saga Continues

2020-11-15 Thread Ronald F. Guilmette
South African tech journalist Jan Vermeulen has written a new chapter in this ongoing saga of greed, theft, and skulduggery. EXECUTIVE SUMMARY: Maikel Uerlings and Elad Cohen registered a bunch of new domain names as part of their overall scheme to steal AFRINIC legacy blocks by fiddling the AFRIN

AFRINIC: The Saga Continues

2020-01-27 Thread Ronald F. Guilmette
For the benefit of those of you who may have been living in caves for the past two months, I would like to share the following links regarding a massive fraud that appears to have been perpetrated by at least one AFRINIC insider. (It has still not been definitively determined if he had help or not

Re: AFRINIC: The Saga Continues

2020-01-28 Thread Ronald F. Guilmette
In message , thomas brenac wrote: >Thank you Ronald, I also heard of governance issue in AFRINIC by some >people during the last RIPE meeting so the word is spreading. Now is >there any other /16 impacted to your knowledge ? Would be worth pushing >to have them in as many Drop list as possibl

The curious case of 159.174.0.0/16

2020-01-29 Thread Ronald F. Guilmette
[[ Fair warning to newcomers: I write and post longish pieces here regarding my various investigations of funny business I find going on within the IPv4 address space and the allocations and uses thereof. If you're looking for a quick 2 minute read then you are advised to skip this mes

AFRINIC: The Saga Continues

2020-01-29 Thread Ronald F. Guilmette
My apologies to all. Certain of the blocks mentioned in my prior posting here have already been reclaimed, and are currently being routed by appropriate parties. In particular, these ones: 152.108.0.0/16 155.237.0.0/16 165.4.0.0/16 165.5.0.0/16 Also, I somehow managed to miss mentioning a few b

Re: AFRINIC: The Saga Continues

2020-01-30 Thread Ronald F. Guilmette
In message , Dan Hollis wrote: >What can or should be done when a registry goes rogue? Answering that question is a task which is above my pay grade. I would be remiss however if I did not take this opportunity to make a few brief and relevant points. *) There are other and additional shoes

Re: Tell me about AS19111

2020-02-05 Thread Ronald F. Guilmette
In message <20200206013024.4b0b213c2...@ary.qy>, "John Levine" wrote: >1800vitamins.org has a web site at 12.180.219.234 which looks like >they would sell me vitamins should I or my dog need any. > >Routeviews tells me that IP is in AS19111, routed via AS7018. AS7018 >is AT&T which isn't surpri

Re: Tell me about AS19111

2020-02-05 Thread Ronald F. Guilmette
For all of the people who have elected to pick on me for my less than diplomatic assertion(s), I can only suggest that your time and effort would be more well spent by looking at the hard data that I suggested that everyone look at, and then looking to see if any of the bogus ASNs being used, day i

Re: Tell me about AS19111

2020-02-06 Thread Ronald F. Guilmette
In message , Shane Ronan wrote: >It's not clear to me that HE having reserved AS numbers in THEIR routing >table is actually a problem. These AS numbers are actually reserved for >private use. Perhaps they have a customer who wants to do BGP but doesn't >want to register their own AS number and

Re: Tell me about AS19111

2020-02-06 Thread Ronald F. Guilmette
In message <24124.27418.388460.814...@gargle.gargle.howl>, Barry Shein wrote: >Given events including the IPv4 runout etc perhaps it's long overdue >that the RIRs should hire a professional big-name (we used to call >them Big 5) accounting firm to audit or at least review IP address, >ASN, etc.

Re: Tell me about AS19111

2020-02-06 Thread Ronald F. Guilmette
In message <24124.30737.599536.809...@gargle.gargle.howl>, Sandra Murphy wrote: >It could measure the extent of the problem and would be within what I >suggested. > >For example if there were only one AS being abused that would make it >a different priority than 1,000 or 10,000 (some seem to be

Re: DiviNetworks

2020-02-06 Thread Ronald F. Guilmette
Regarding DiviNetworks... I am not personally persuaded that an Israeli company that inserted a route object into the RADB data base to act as a cover for the company's apparent theft of a nice juicy /16 AFRINIC region legacy block that actually belongs to, and belonged to a South African state ow

DiViNetworks

2020-02-06 Thread Ronald F. Guilmette
I mention in passing also that at the present time, DiViNetworks has a grand total of some 6,070 unique route objects registered in the RADB data base. Where I come from, that's a lot of routes. https://pastebin.com/raw/YeFBd1qZ I would be generally unconcerned if not for the fact that two of

Monetizing IPv4 addresses / DiViNetworks

2020-02-07 Thread Ronald F. Guilmette
My apologies to all. I previously posted here some inaccurate information, which I must now retract and correct. I incorrectly asserted that "DiViNetworks has received $15 million USD worth of venture capital from the International Finance Corporation, a commercial lender and member of the World

Re: Tell me about AS19111

2020-02-09 Thread Ronald F. Guilmette
Sorry to follow up on myself, but it seems that one figure I gave here regarding the value of the IPv4 space that was gifted to AFRINIC at its inception was off by roughly an order of magnitude. I said that at its inception, AFRINIC had been gifted with two /8 IPv4 blocks with a current open marke

RIPE NCC Executive Board election

2020-05-13 Thread Ronald F. Guilmette
Many of you here may be dues-paying members of both ARIN and RIPE. Those of you who are may wish to be aware of the fact that there will be an election held on (I believe) May 14th, just a day or two from now, for three open RIPE NCC Executive Board seats. I have it on good authority that one of

Re: Don't forget RFG (was: Re: RIPE NCC Executive Board election)

2020-05-15 Thread Ronald F. Guilmette
I want to thank Joe Greco for his kind and generous comments. That having been said, I'm not sure that I either should, or even want to take credit for having kicked off *with a single message* "a 100+-message flamefest on NANOG". That was not my intent, and it is quite clear that those NANOG su

Friday Reminder: Web Site Security

2020-05-15 Thread Ronald F. Guilmette
This is your helpful Friday reminder to always pay close attention to the security settings of all of the web sites under your administration. Otherwise, anonymous skript kiddiez could show up at any moment and deface one or more of your web sites. (It happens a lot.) https://ipv4.plus/

AFRINIC vote buying

2022-05-31 Thread Ronald F. Guilmette
Even though this relates to a whole different region of the world, I think that some (many) of you may be interested to watch this video and to learn what's been going on of late down in the AFRINIC region. https://www.youtube.com/watch?v=32xCurWfJo4

Scanning the Internet for Vulnerabilities

2022-06-19 Thread Ronald F. Guilmette
I would like to solicit the opinions of network operators on the practice of scanning all of, or large chunks of the internet for known vulnerabilities. In earlier times, this was generally viewed as being distinctly anti-social behavior, but perhaps attitudes have changed relative to earlier eras

Re: Scanning the Internet for Vulnerabilities

2022-06-19 Thread Ronald F. Guilmette
In message Dovid Bender I know that in Israel the cyber dept of the government scans IL IP space >then notifies ISP's to notify their clients. This helps where you have >clueless people that don't know they have devices that can easily be >compromised. That's most interesting and I certainly did

Re: Scanning the Internet for Vulnerabilities

2022-06-19 Thread Ronald F. Guilmette
In message , Mark Seiden wrote: >it should be mentioned that shadowserver also notifies those who >register as the owners of that address space. Yes. That is quite a public spirited endeavor in the best traditions of the Internet. >my thinking about this sort of thing, in general, is: > >- i

Re: Scanning the Internet for Vulnerabilities

2022-06-19 Thread Ronald F. Guilmette
In message , Mark Seiden wrote: >btw, if you want to do this yourself, you might consider using something like > >https://github.com/opsdisk/scantron Thank you, but as I noted in the post beginning this thread, I personally have no interest in performing this type of activity at the present tim

Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread Ronald F. Guilmette
In message <7c5f9d80-8686-07bb-b6ed-6e41fa1e1...@si6networks.com>, Fernando Gont wrote: >Note: What's most usually done out there is scanning for ports, rather >than for vulnerabilities. Yes, and at least some of the responses in this thread have not, I think, noted this rather important disti

Re: Scanning the Internet for Vulnerabilities

2022-06-21 Thread Ronald F. Guilmette
In message <4e6319ba-d332-f25e-d128-1b8abc724...@si6networks.com>, Fernando Gont wrote: >> Depending on who is doing it, and why, my personal feeling is that even >> here in 2022 this should still be viewed as being exceptionally anti-social, >> and worthy of calling out publicly, but I must all

Re: [anti-abuse-wg] Yet another BGP hijacking towards AS16509

2022-08-22 Thread Ronald F. Guilmette
In message , Siyuan Miao wrote: >Hijacking didn't last too long. AWS started announcing a more specific >announcement to prevent hijacking around 3 hours later. Kudos to Amazon's >security team :-) Sorry. I'm missing something here. If the hijack was of 44.235.216.0/24, then how did AWS propa

Webzilla

2019-03-16 Thread Ronald F. Guilmette
[[ My apologies to those of you who may see this twice. I have posted the message below also to the RIPE Anti-Abuse Working Group mailing list, so any of you who are on that list also will see this twice. But I believe that it is relevant here also. ]]

Re: Webzilla

2019-03-18 Thread Ronald F. Guilmette
In message , Eric Kuhnke wrote: >Looking at the AS adjacencies for Webzilla, what would prevent them from >disconnecting all of their US/Western Euro based peers and transits, and >remaining online behind a mixed selection of the largest Russian ASes? I do >not think that any amount of well-res

Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-18 Thread Ronald F. Guilmette
OVH, DigitalOcean, and Microsoft... Is there anybody awake and conscious at any of these places? I mean anybody who someone such as myself... just part of the Great Unwashed Masses... could actually speak to about a real and ongoing problem? Maybe most of you here will think that this is just

Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-18 Thread Ronald F. Guilmette
In message , Christian Kuhtz wrote: >we are asking Microsoft CDOC to investigate. Thank you. I am not at all sure who the mysterious "we" is intended to represent in that sentence. Perhaps it is just intended as the royal "we" as in "We are not amused." But I don't really care. I am gre

Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-18 Thread Ronald F. Guilmette
Nikolas Geyer wrote: >I have passed your email on to the relevant team within DO to have a look at. Thank you, but that wasn't what I requested, I asked for a contact there. (I know that this may be hard to understand, but it's like the difference between giving a man a fish, and teaching him

Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-19 Thread Ronald F. Guilmette
and start reading there. ]] In message <50414.162.155.102.254.1553001814.ig...@webmail.iglou.com>, "Jeff McAdams" wrote: >(Disclosure: I, too, work for DigitalOcean as the Manager of Network >Engineering. Nikolas does not work for me, nor I for him.) > >On Tue, Mar

Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-19 Thread Ronald F. Guilmette
In message , Tom Beecher wrote: >Calling everyone an idiot in the midst of Endless Pontification isn't >really a recipe for success. I did not call "everyone" an idiot. I'm quite completely sure that there are innumerable people in all of the referenced companies who are consummate and hardw

AS24940 Hetzner -- non-role contact wanted

2019-04-22 Thread Ronald F. Guilmette
Subtitle: Another Big Mess On Aisle Thirteen. Somebody Grab The Mop! Just over a month ago, I was here, doing what I always do, bitching and moaning about the low-life trash that is typically allowed to roam free and unfettered on the Internet: https://mailman.nanog.org/pipermail/nanog/201

Russian Anal Probing + Malware

2019-06-21 Thread Ronald F. Guilmette
https://twitter.com/GreyNoiseIO/status/1129017971135995904 https://twitter.com/JayTHL/status/1128718224965685248 Friday Questionnaire: Is there anybody on this list who keeps firewall logs and who DOESN'T have numerous hits recorded therein from one or more of the following IP addresses?

Re: Russian Anal Probing + Malware

2019-06-22 Thread Ronald F. Guilmette
In message , "Keith Medcalf" wrote: >On Friday, 21 June, 2019 18:14, Ronald F. Guilmette com> wrote: > >>https://twitter.com/GreyNoiseIO/status/1129017971135995904 >>https://twitter.com/JayTHL/status/1128718224965685248 > >Sorry, don't twitte

Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-08 Thread Ronald F. Guilmette
Corporate identity theft is a simple ploy which may be used to illicitly obtain valuable IPv4 address space. Actual use of this fraudulent ploy was first described publicly in April, 2008 (https://wapo.st/2YLEhlZ). Quite simply, a party bent on undertaking this ploy may just search the publicly av

Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-09 Thread Ronald F. Guilmette
Further investigation of this case obliges me to post the following correction and retraction. Additional evidence now strongly suggests that the 216.179.128.0/17 IP address block has NOT been "stolen" as I had suggested yesterday. I simply mis-read the ARIN historical registration ("WhoWas") data

Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-09 Thread Ronald F. Guilmette
In message , Brandon Price wrote: > > > 1) On or about 02-17-2010 HHSI, Inc. (California) transferred the >registration of the 216.179.128.0/17 block from itself to the >2009 vintage Delaware entity Azuki, LLC. If this is what happened, >then it is likely that the tran

Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-09 Thread Ronald F. Guilmette
In message Ross Tajvar wrote: >First he thought that a /17 got stolen (by creating a company with the same >name as the original, now-defunct owner), but he then said he was wrong and >actually it either 1) got transferred against ARIN policy or 2) was made to >look like it was transferred by al

Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-13 Thread Ronald F. Guilmette
In message , John Curran wrote: >On 9 Aug 2019, at 4:09 PM, Ronald F. Guilmette wrote: >> ... >> Unfortunately, we cannot read too much into this change that was made >> to the block's public-facing WHOIS record. Neither the new WHOIS info >> nor even t

Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-13 Thread Ronald F. Guilmette
In message Ross Tajvar wrote: >Seems like submitting a fraud request to ARIN is more effective than >writing a novel and sending it to NANOG, and doesn't require the latter... As noted in my immediately prior posting, ARIN's careful adjudication of this or any other possible case of fraud coul

Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-13 Thread Ronald F. Guilmette
In message , Eric Kuhnke wrote: rfg>> 4) Filing a "fraud request" with ARIN is a serious step and one that rfg>could quite conceivably end up with the party filing such a formal rfg>report being on the business end of lawsuit, just for having filed rfg>such a report. rf

Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-13 Thread Ronald F. Guilmette
In message <06570278-e1ad-4bb0-a9fc-11a77bed7...@arin.net>, John Curran wrote: >Even so, we at ARIN are in the midst of a Board-directed review of the RPKI >legal framework to see if any improvements can be made vault/participate/meetings/reports/ARIN_43/PDF/PPM/curran_rp

Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-14 Thread Ronald F. Guilmette
In message , John Curran wrote: >Alas, it’s not those who fail to properly configure RPKI that are likely to be >litigating, but rather their impacted customers and those customers' business >partners who all were unable to communicate due to no fault of their own. > >Such a matter will not be

Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-14 Thread Ronald F. Guilmette
In message <4fcb73bf-224f-e011-f310-522193c86...@efes.iucc.ac.il>, Hank Nussbacher wrote: >Just as an observer to your long resource theft postings: >- Do you attempt to contact directly the organization or person who have >had their resource taken over? To the extent that I can spare the time

Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-14 Thread Ronald F. Guilmette
In message <20190810003820.gd2...@jima.tpb.net>, Niels Bakker wrote: >* r...@tristatelogic.com (Ronald F. Guilmette) [Sat 10 Aug 2019, 02:26 CEST]: >>As far as I am aware, no RIR makes any effort whatsoever to vet >>changes to WHOIS records, either for IP blocks or A

ARIN Fantasy WHOIS: NET-216-179-183-0-1

2019-08-14 Thread Ronald F. Guilmette
As if to underscore the point I just tried to make about the fundamental unreliability of ARIN WHOIS records, I just stumbled onto this rather curious entity which was apparently given a sub-allocation of 216.179.183.0/24 beneath the 216.179.128.0/17 (Azuki, Inc.) block as of 2012-01-10: OrgName:

The Curious Case of 143.95.0.0/16

2019-08-27 Thread Ronald F. Guilmette
Fair Warning: Those of you not enamored of my long-winded exposés of various remarkable oddities of the IPv4 address space may wish to click on the tiny little wastebasket icons on your mail clients at this point. For the rest of you, please read on. I think you may find the following story intr

The Curious Case of 143.95.0.0/16

2019-08-28 Thread Ronald F. Guilmette
Mel Beckman mel at beckman.org wrote: >I have one question, “of late”, regarding your post: Is it “Antia” or “Anita”? Yes. Sorry. There were multiple small typos in what I posted. Not surprising, since I am an utterly awful typist. The link I gave in my post provides enough redundant context

Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

2019-09-06 Thread Ronald F. Guilmette
Few of you here probably know about this, but nearly a week ago now an article appeared in South Africa's largest and most popular online tech publication, MyBroadband.co.za. It detailed many, but certainly not all of the results of my multi-month investigation of a massive and ongoing fraud invol

Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

2019-09-06 Thread Ronald F. Guilmette
In message <5233b9b9-1bff-425d-bb8f-e3853703b...@beckman.org>, Mel Beckman wrote: >A quick check of one of your facts produces unexpected results, so you might >want to perform more research. According the APNIC, 139.44.0.0/16 does not >“belong unambiguously to the Port Authority of Melbourne”.

Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

2019-09-06 Thread Ronald F. Guilmette
In message <23540.1567802...@segfault.tristatelogic.com>, I wrote: >Is anyone disputing that 168.198.0.0/16 belongs to the Australian >national government, or that AS174, Cogent was, until quite recently, >routing that down to their pals at FDCServers who then were routing >it down to their custom

Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

2019-09-06 Thread Ronald F. Guilmette
In message <67b3e0d5-7d09-42e2-a753-eb6c93859...@getmailspring.com>, Florian Brandstetter wrote: >if you'd open the traceroute you just sent you'd see that the target >is route looping and not actually used by their alleged customer? Yea. So? How is that relevant to my fundamental narrative?

Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

2019-09-06 Thread Ronald F. Guilmette
In message , Mel Beckman wrote: >I’m just saying that I randomly checked one fact and it doesn’t meet >the level of positive certainty that you asserted. It’s thus reasonable >to ask you to double check your research all around. I’m not willing >to be your unpaid copy editor, so let me know when

Re: Cogent sales reps who actually respond

2019-09-16 Thread Ronald F. Guilmette
In message , Owen DeLong wrote: >Given their practice of harvesting whois updates in order to spam newly >acquired AS contacts, any time it is my decision, Cogent is ineligible >as a vendor. So I guess then that their aiding and abetting of fraud and IP block theft, as I documented here recentl

Re: Cogent sales reps who actually respond

2019-09-16 Thread Ronald F. Guilmette
In message , "Stephen M." wrote: >Please don't praise or complain like we're supposed to take >it at a total face value. If you don’t like them so much - we are >your audience. Explain. > >If you like Cogent - explain. >If you don’t like Cogent - explain. I see that many other

Re: Cogent sales reps who actually respond

2019-09-17 Thread Ronald F. Guilmette
In message , Elad Cohen wrote: >The defamatory and invective words, the mudslinging and slander of my name, > by Ronald Guilmette, are not true at all and they are completely false, in > my hand there are all the purchases approval for purchasing ipv4 and that >were paid completely by me. > >Anyo

Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

2019-09-17 Thread Ronald F. Guilmette
In message <9567b241-12ce-4728-8e73-ff7143907...@apnic.net>, Vivek Nigam wrote: >APNIC has contacted the custodians of 139.44.0.0/16 and 168.198.0.0/16 and >brought this matter to their attention. Excellent. Thank you. If possible, it would be Good if APNIC could also make contact with the ri

RPKI (was: Re: Cogent sales reps who actually respond)

2019-09-17 Thread Ronald F. Guilmette
In message , Martijn Schmidt wrote: >Hi Elad, > >If you were to create RPKI ROAs for the IPs in question... Thanks Martijn, for reminding me of a follow-up point that I had intended to make regarding my recent post about the 143.95.0.0/16 (Athenix) block. RPKI is the best we have and I cannot

Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

2019-09-18 Thread Ronald F. Guilmette
In message <152f0dbc-f7af-2a78-c5a7-f2062effe...@necom830.hpcl.titech.ac.jp>, Masataka Ohta wrote: > From whois information: > >remarks:reg-date:1993-03-22 > >notify: tmiy...@gaijin.co.jp I already talked to the guy who has o

Elad Cohen (was: Re: Cogent sales reps who actually respond)

2019-09-18 Thread Ronald F. Guilmette
In message , Elad Cohen wrote: >Please see the following link: > >https://afrinic.net/resource-certification > >As you can see, a MyAFRINIC account is required. > >Yes, route objects for legacy AFRINIC resources in their RIR operated IRRDB > as a fallback for RPKI can be created and they were cre

Re: Elad Cohen

2019-09-18 Thread Ronald F. Guilmette
In message <15744848-5638-ad01-2c9c-a89825f9d...@necom830.hpcl.titech.ac.jp>, Masataka Ohta wrote: >Ronald F. Guilmette wrote: > >> Come now Mr. Cohen, please do tell us who you paid for rights to the >> 168.198.0.0/16 block, which belongs to the Australian governm

Re: Elad Cohen

2019-09-18 Thread Ronald F. Guilmette
In message , Masataka Ohta wrote: >Ronald F. Guilmette wrote: > >> It is a well known fundamental tenet of logical reasoning and argument >> that it is not possible for -anyone- to prove a negative, which is what >> you've just asked me to do. > >So, Australia

Re: Elad Cohen (was: Re: Cogent sales reps who actually respond)

2019-09-19 Thread Ronald F. Guilmette
In message Christopher Morrow wrote: >"who cares about the sale?" My apologies. I see that I have failed to be adequately clear. There was no "sale". There was only theft, and then stolen goods being passed from hand to hand to hand, ultimately ending up in the hands of Mr. Cohen, who has ac

Re: Elad Cohen

2019-09-19 Thread Ronald F. Guilmette
In message , Masataka Ohta wrote: >Ronald F. Guilmette wrote: > > > So, if you are looking for a Crime here, i.e. one defined under law, > > there isn't one. > >You don't know how broadly crime of fraud is defined by the current code. > >Just injecting fa

Re: Elad Cohen

2019-09-19 Thread Ronald F. Guilmette
In message , Elad Cohen wrote: >Mr. Ronald Guilmette > >Everything you did and you wrote in this forum until today, including mud- >slinging and slandering, including thieves and crooks, they are libel for all >intents and purposes with everything it implies, and this without to >display any proo

Re: Elad Cohen

2019-09-19 Thread Ronald F. Guilmette
In message <8a49bf73-7a68-4b8f-9dc5-e94b7fe63...@globalone.io>, Florian Brandstetter wrote: >... this is certainly not a place where you can >slander his name or anyone associated with him in any manner for the >entertainment of everyone... If I have slandered anyone, then I shall bear the pr

Re: Elad Cohen (was: Re: Cogent sales reps who actually respond)

2019-09-19 Thread Ronald F. Guilmette
In message <20190919084649.gc30...@jima.tpb.net>, niels=na...@bakker.net wrote: >* r...@tristatelogic.com (Ronald F. Guilmette) [Thu 19 Sep 2019, 10:05 CEST]: >>I never like to generalize to entire populations, and I will >>therefore refrain from suggesting any endemic

Re: Colombia Network Operators Group

2019-09-23 Thread Ronald F. Guilmette
In message <6f2876a6abe02547ba85adb58bd21...@mail.dessus.com>, "Keith Medcalf" wrote: >Fascinating. What is the security threat I wonder, that there is no >JavaScript? Undoubtedly drug smuggling over HTTP.

Malware/ransomware current live distribution points

2016-06-30 Thread Ronald F. Guilmette
The various domains and IP address listed in the following file are, as we speak, acting as distribution/infection points for some sort of Javascript malware which is almost certainly a flavor of ransomware. ** FAIR WARNING *** Please use exceptional caution when browsing to any of the domains li

AS47860 - 93.175.240.0/20 - Wiskey Tango Foxtrot

2016-10-05 Thread Ronald F. Guilmette
My analysis: Serious and apparently long-lived bogosity, with a clear history of substantial spamming activity. But you be the judge. Looks to me like an unregistered RIPE AS announcing a route to a /20 worth of unregistered RIPE IPv4 space. And this didn't exactly crop up just yesterday. Loo

Re: AS47860 - 93.175.240.0/20 - Wiskey Tango Foxtrot

2016-10-06 Thread Ronald F. Guilmette
In message <20161006163137.uvcnzodrve6to...@cisco.com>, Joseph Karpenko wrote: >> >> P.S. This crap appears to be brought to us courtesy of AS29632, >> NetAssist, LLC: >> >> http://new.netassist.ua/ >> > >assuming accuracy of records, etc... ;-) Right. And that doesn't seem to be R

Route It Or Lose It

2016-10-17 Thread Ronald F. Guilmette
What a friendly, helpful place the modern Internet is! Like the forest floor, it's an ecosystem where things don't go to waste. If you happen to inadvertently leave your shiny /18 IPv4 block lying around, don't worry. It won't be long before some helpful Bulgarian, Romanian, Ukrainian or Russian

Death of the Internet, Film at 11

2016-10-21 Thread Ronald F. Guilmette
VICTOR LASZLO: If we stop fighting our enemies, the world will die. RICK BLAINE: Well, what of it? It will be out of its misery. -- From the movie "Casablanca" (1942) Sorry, but some days I just can't help thinking to myself "Oh well, as much fun as it

Re: Death of the Internet, Film at 11

2016-10-21 Thread Ronald F. Guilmette
Laszlo Hanyecz wrote: >What does BCP38 have to do with this? You're right. That's not specifically related to *this* attack. Nobody needs to spoof anything when you've got a zillion fire hoses just lying around where any 13 year old can command them from the TRS 80 in his mom's basement. (I'

Re: Death of the Internet, Film at 11

2016-10-23 Thread Ronald F. Guilmette
a modicum of self-regulation, I, for one, look forward to the Clean Internet Act, whenever that may arrive. Regards, Ronald F. Guilmette (DDoS'd off the Internet, to little or no public fanfare, 2003)

Re: Death of the Internet, Film at 11

2016-10-23 Thread Ronald F. Guilmette
In message <580bf49c.5090...@vaxination.ca>, Jean-Francois Mezei wrote: >10s of millons of IP addresses. Is it realistic to have 10s of millions >of infected devices ? Or is that the dense smoke that points to IP >spoofing ? I haven't read the latest up-to-the-minute reports on this event, but

Re: FW: Death of the Internet, Film at 11

2016-10-23 Thread Ronald F. Guilmette
In message <580bf91d.9060...@vaxination.ca>, Jean-Francois Mezei wrote: >Problem is that many of these gadgets want to be internet connected so >mother at work can check on her kids at home... Ah, technology! Just think what certain people could have accomplished if they had only lived long e

Re: Death of the Internet, Film at 11

2016-10-23 Thread Ronald F. Guilmette
In message <26b01962-9b09-11cb-0ac8-89cf3e0a5...@nuclearfallout.net>, John Weekes wrote: >... I've recorded >about 2.4 million IP addresses involved in the last two months (a number >that is higher than the number of actual devices, since most seem to >have dynamic IP addresses). The ISPs be

Re: Death of the Internet, Film at 11

2016-10-23 Thread Ronald F. Guilmette
In message <874m43qsk2@mid.deneb.enyo.de>, Florian Weimer wrote: >Not that the underlying threat will go away until we find a way to >clean up almost all of the compromised devices (and without breaking >the Internet along the way, forever). The Internet *is* already broken. After the att

Spitballing IoT Security

2016-10-24 Thread Ronald F. Guilmette
In message , John Weekes wrote: >On 10/23/2016 4:19 PM, Ronald F. Guilmette wrote: jw>>> ... The ISPs behind those IP addresses have jw>>> received notifications via email... rfg>> Just curious... How well is that working out? > >For the IoT botnets, most of t

Re: Dyn DDoS this AM?

2016-10-24 Thread Ronald F. Guilmette
In message , Alexander Lyamin wrote: >It's not a first time we have and large scale DDoS incident. >It's not a first time we have (a kind of) knee-jerk reaction. I could be wrong, but I think it's the first time I've turned on CNN and seen a "heat map" of the incident showing the entire NorthEa

Re: Spitballing IoT Security

2016-10-25 Thread Ronald F. Guilmette
In message , Jared Mauch wrote: >Top posting to provide some clarity: That's funny. Personally, I have always felt that top posting -destroys- clarity. But as Chaplin Tapman said in Catch-22 "I'm not here to judge you." >1) Many IoT devices are connected via some cloud service, think Nest

Re: Death of the Internet, Film at 11

2016-10-25 Thread Ronald F. Guilmette
In message <4FBAFC2ECF5D6244BA4A26C1C94A1E270D579C1CD9@exchange>, Emille Blanc wrote: >I can recall at least a half-dozen scenarios where the customer actually >takes up the problem with the manufacturer. In each of those cases, and >they're effectively told to push off because the devices are

Re: Spitballing IoT Security

2016-10-25 Thread Ronald F. Guilmette
In message <580f19bf.2070...@vaxination.ca>, Jean-Francois Mezei wrote: >One way around this is for the pet feeder to initiate outbound >connection to a central server, and have the pet owner connect to that >server to ask the server to send command to his pet feeder to feed the dog. > >This wa

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message <20161026120634.ga20...@gsp.org>, Rich Kulawiec wrote: >On Mon, Oct 24, 2016 at 01:24:59PM -0700, Ronald F. Guilmette wrote: >>2) Second, once elected I will decree that in future all new IoT devices, >> and also all updates to firmware for existing

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message <20161026123043.ga10...@thyrsus.com>, "Eric S. Raymond" wrote: >There is, however, a chokepoint we have more hope of getting decent software >deployed to. I refer to home and small-business routers. OpenWRT and kin >are already minor but significant players here. And there's an NRE

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message Ken Matlock wrote: >- End users need to have ways to easily see what's going on over their >local networks, to see botnet-like activity and DDoS participation (among >other things) in a more real-time fashion This is an interesting point. I'm not actually an ISP guy, although I do

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message <20161026205800.7188d57b2...@rock.dv.isc.org>, Mark Andrews wrote: >Actually things have changed a lot in a positive direction. >... >* Microsoft, Apple, Linux and *BSD issue regular fixes for their > products and users do install them. At the risk of repeating a point I have alread

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message <58111bd4.80...@vaxination.ca>, Jean-Francois Mezei wrote: >My smart TV not only hasn't gotten updates in years, but Sharp has >stopped selling TVs in Canada. (not sure if they still sell TVs elsewhere). A little more than 2 years ago, I bought a last-of-its-kind demo model of a 50

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message <89795.1477520...@turing-police.cc.vt.edu>, valdis.kletni...@vt.edu wrote: >> Given that, and given that "OpenWRT and kin" often provide the end-user >> with readily accessible dials and knobs via which the user can force the >> device to *exceed* legal/FCC limits on power output, I a

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message <58112f9f.6060...@vaxination.ca>, Jean-Francois Mezei wrote: >A camera showing the baby in 4K resolution along with sounds of him >crying on dolby surround to the mother who is at work would likely >saturate upload just as much as the virus sending DNS requests. This >falls into the

Re: Spitballing IoT Security

2016-10-27 Thread Ronald F. Guilmette
In message <20161027084939.5bdf457d0...@rock.dv.isc.org>, Mark Andrews wrote: >Well the last update for the 3GS was iOS 6.1.6 in Feb 2014. Bingo! Less than a year and a half after they stopped selling it, they effectively stopped supporting it.

Re: Spitballing IoT Security

2016-10-27 Thread Ronald F. Guilmette
In message <1477558411.730528...@apps.rackspace.com>, "t...@pelican.org" wrote: >...I back up to the cloud... Yes, I confess that this reasonable use case had not occurred to me, and yes, it utterly negates what I was saying. (I myself am the paranoid type, so I -do not- back up -any- of my st

Re: Spitballing IoT Security

2016-10-27 Thread Ronald F. Guilmette
In message <20161027112601.ga17...@ussenterprise.ufp.org>, Leo Bicknell wrote: >Problems I think consumer safety legislation can solve: > >* SSH and Telnet were enabled, but there was no notification in the UI > that they were enabled and no way to turn them off. Requirements > could be set

Re: Spitballing IoT Security

2016-10-27 Thread Ronald F. Guilmette
In message <20161027112940.gb17...@ussenterprise.ufp.org>, Leo Bicknell wrote: >Actually, they encourage you to trade {your old iPhone} in... >... >If your device is too old for that program, they will still take >it for free and recycle it in an environmentally friendly way... OK, so good on

Re: Spitballing IoT Security

2016-10-27 Thread Ronald F. Guilmette
In message Ken Matlock wrote: >Fixing the current wave of 'IoT' devices and phones and Tv's etc is only >putting a bandaid on a broken arm. It gives the illusion of progress... >Until we accept that it's *everyone's* problem and work to fix the things >under our control and work as an advocate

Re: Spitballing IoT Security

2016-10-27 Thread Ronald F. Guilmette
In message <20161027204258.cd18057d5...@rock.dv.isc.org>, Mark Andrews wrote: >> The problem is, as I have said, this device is now the Apple equivalent >> of Windows XP. There could be a horrendous collection of a dozen or >> more known critical security bugs in the thing by now, but as someo

Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-28 Thread Ronald F. Guilmette
I just got a spam from 103.11.67.105. The containing /24 appears to be unallocated APNIC space. RIPE tools seem to say that AS18450 has been routing this block since around May 23rd. I see this kind of stuff almost every day now, it seems. And you know, there are days when I really do start t
