Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Henry Yen

On Mon, Apr 19, 2004 at 08:50:34AM +0300, Petri Helenius wrote:
  Let's face it -- this shouldn't have to be the ISP's problem. 
  Microsoft needs to quit rushing out new OS releases without properly 
  straining them and stress testing to find as many holes as they can. 
  They need to start cracking down on themselves and really start 
  worrying about securing their OS and patching it as much as possible 
  before throwing it to market. 
 
 It's very challenging to say that the world's most profitable company
 should do anything significantly different.

s/most profitable company/convicted (and continuing) OS\browser monopolist/

Still feel the same?

 Putting out releases and
 letting marketing address security concerns brings in billions. Not
 putting out releases will make less money.

Forcing OEM pre-loads is where they get most of their money.  Maybe
if they spent less on money-losing ventures like X-Box and WebTV,
and maybe if they spent their R&D $Billions more wisely, and further
if they spent less time and money knifing others' babies and put
more genuine effort into it...

 This is not that they would not be trying their best. There is just a 
 very justifiable business decision between what we would like the best 
 to be and what it needs to be to keep their money machine running.

Well, if they would just admit as such (Keep the Money Machine Running!),
instead of offering endless platitudes and excuses (and FUD) and
press releases about how much $money they are donating (yeah, right)
to libraries and schools and ...

-- 
Henry Yen   Aegis Information Systems, Inc.
Senior Systems Programmer   Hicksville, New York


Re: Lazy network operators - NOT

2004-04-19 Thread Petri Helenius
Paul Vixie wrote:

so, we know that a broadband customer netblock operator will not
handle complaints, will not fix the systems that are known to be
running third-hand malware, and that the only recourse against abuse
from those places is blackholing them one (ipv4) /32 at a time, or
blackholing them all at once and forcing mail servers (whether legit
or not) to operate from a higher-rent neighborhood.
there's no choice at all, really.

 

Are you suggesting dropping all traffic (which, if widespread, would get
attention) or just email?
If you're suggesting only email blocking, you'll promote an email-peering
agreement architecture, eventually with settlement.

Pete




Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Peter Galbavy

Henry Yen wrote:
 s/most profitable company/convicted (and continuing) OS\browser
 monopolist/

Sadly the two are not incompatible it appears. If the rewards of breaking
the law were normally so good, then most of us would be down at the
local bank with a shotgun... actually, given the audience, no physical
attendance would be expected.

Peter



Re: Lazy network operators

2004-04-19 Thread Randy Bush

 We need one (or more) of the p2p vendors to support it.

ask not what X can do for you, but what you can do for X.
i.e., what does ipv6 do for the p2p vendors?

randy



Fingerprints (was Re: Lazy network operators - NOT)

2004-04-19 Thread Sean Donelan

On Sun, 18 Apr 2004, Matt Hess wrote:
 <late-night-humor>
 # Do not allow Windows 9x SMTP connections since they are typically
 # a viral worm. Alternately we could limit these OSes to 1 connection each.
 block in on $ext_if proto tcp from any os { "Windows 95", "Windows 98" } \
       to any port smtp

 The OS fingerprint list they have is rather extensive..
 </late-night-humor>

This has been suggested before.

Remember Windows 9x is essentially a single-user operating system.
Once a machine has been compromised, lots of things can be altered by
the intruder.  Some of the modifications are trivial, such as registry
entries.  Other changes can get more interesting.  Fingerprints work
best if the adversary isn't actively trying to munge them.  It doesn't
always look like another operating system, but it ceases to look like
a Windows 9x box.

The arms race continues.

Figuring out what the intruder changed, and cleaning it up, continues to
get more complicated.  Last year running a major anti-virus program was
usually enough.  Now it can take hours, and sometimes it's faster to
re-install the operating system, assuming the user still has their
original CDs and various Microsoft anti-piracy keys, and then download
all the patches they were missing.


http://www.washingtonpost.com/wp-dyn/articles/A22514-2004Apr18.html

  The Federal Trade Commission today is hosting a daylong workshop in
  Washington to discuss the effects of hidden software that may be used to
  control or spy on a computer without its user's knowledge.

  So far most spyware and adware programs, often placed on Windows PCs
  by such downloaded programs as file-sharing programs, appear to have
  been used for the relatively benign purpose of tracking consumer
  preferences, said Howard Beales, director of the FTC's consumer
  protection division. The FTC is watching to see if criminals start
  making widespread use of this technology to steal credit-card and
  Social Security numbers of unwitting computer users, he said.




Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Michael Painter

First time user of the net in '87 when CompuServe announced it to its denizens.
Thank [deity] for Micro$oft or we'd have to get a real job.


- Original Message - 
From: Henry Yen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, April 18, 2004 8:14 PM
Subject: Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)



 On Mon, Apr 19, 2004 at 08:50:34AM +0300, Petri Helenius wrote:
   Let's face it -- this shouldn't have to be the ISP's problem.
   Microsoft needs to quit rushing out new OS releases without properly
   straining them and stress testing to find as many holes as they can.
   They need to start cracking down on themselves and really start
   worrying about securing their OS and patching it as much as possible
   before throwing it to market.
 
  It's very challenging to say that the world's most profitable company
  should do anything significantly different.

 s/most profitable company/convicted (and continuing) OS\browser monopolist/

 Still feel the same?

  Putting out releases and
  letting marketing address security concerns brings in billions. Not
  putting out releases will make less money.

 Forcing OEM pre-loads is where they get most of their money.  Maybe
 if they spent less on money-losing ventures like X-Box and WebTV,
 and maybe if they spent their R&D $Billions more wisely, and further
 if they spent less time and money knifing others' babies and put
 more genuine effort into it...

  This is not that they would not be trying their best. There is just a
  very justifiable business decision between what we would like the best
  to be and what it needs to be to keep their money machine running.

 Well, if they would just admit as such (Keep the Money Machine Running!),
 instead of offering endless platitudes and excuses (and FUD) and
 press releases about how much $money they are donating (yeah, right)
 to libraries and schools and ...

 -- 
 Henry Yen   Aegis Information Systems, Inc.
 Senior Systems Programmer   Hicksville, New York




Re: why use IPv6, was: Lazy network operators

2004-04-19 Thread Iljitsch van Beijnum
On 18-apr-04, at 23:25, Paul Jakma wrote:

Sure. But I do find myself saying "if we were doing IPv6 right now
we wouldn't have this problem" more and more.

Which problem is that? ;)

(and if it involves NAT... sorry, no.)
There are actually problems in networking that don't involve NAT...  :-)

Here's a good one: a customer of mine is a fast growing web hosting 
outfit. Many of their customers start out with one or two boxes and a 
handful addresses, and then grow. They put a bunch of these customers 
in a /24, but after a while the /24 is full and/or the customer gets a 
subnet of their own. So far so good. They use a layer 2 setup with 
significant redundancy, which inevitably leads to traffic being flooded 
by the switches some of the time. This means a customer receives a LOT 
of traffic they have no interest in. The solution here would be giving 
each customer their own VLAN, but this is hard to do at this juncture 
as the IP subnets are tightly interwoven between customers. (Doing it 
from the start would take too much configuration and burn address space 
a lot faster.) And since invariably one of the first IP addresses such 
a customer gets is used as an authoritative DNS, they're in no hurry to 
renumber.

With IPv6, every customer would get their own /48, whether they need a 
single address or thousands. This makes moving a customer from one VLAN 
to another very simple, allowing the flooding problem to be controlled 
much better.

See http://countipv6.bgpexpert.com/. The different numbers under
site represent different web pages. 8 is a fairly standard one,
and it gets around 0.15% visits from people who are v6-capable.

And are these sites in any way related to IPv6 or networking? (news
at 11, Web sites about IPv6 get less than 1% v6 traffic ;) )
Number 8 isn't. The other ones are to different degrees.

Haesu wrote:

Renumbering is much easier.

I like this one.

Now this is a funny one about IPv6.
How is renumbering *any* easier than IPv4? Yes you have autoconf
based on route advertisements/solicits on the client end from the
routers, but how is that any different than IPv4+DHCP?

Is it perhaps b/c IPv6 uses a classful-style numbering scheme?
(i.e. you have /64 to end sites, where you simply
 s/old:old:old:old/new:new:new:new/ )
This helps in editing the config files of course. However, the main 
difference is that with IPv6 you can change router advertisements, and 
within minutes all the boxes start using the new addresses, *without* 
breaking running sessions toward the old addresses. With DHCP you're at 
the mercy of the lease time timeouts and the way operating systems 
handle those. (For instance, under certain circumstances Windows stores 
its DHCP address on disk and doesn't bother to refresh it even after a 
reboot. Nice.)

Michel's bottom line:

- Today, what to do with IPv6 is simple: nothing. Whether you are an
end-user/small business, large enterprise or provider, everyone is in the
same situation: it costs money to upgrade, causes trouble,
Actually it's cheaper and easier than expected:
http://nwfusion.com/news/2003/1215ipv6.html
not the only thing we have to do anyway, there is no demand and 
therefore no ROI. It is urgent to wait.
The nice (but sometimes frustrating) thing about IPv6 is that we can 
take (in internet time) forever to upgrade. At this point, the most 
important thing is to avoid building new stuff that will get in the way 
of IPv6 when the time comes that deploying v6 starts making sense. 
Unfortunately, few people understand the idea of taking 5 or 10 years
to upgrade; they think this means doing nothing for 4.5 or 9.5 years
and then frantically starting to throw money at the problem. Oh well.
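The renumbering behaviour Iljitsch describes (change the router advertisements, hosts pick up the new prefix within minutes, sessions on the old addresses keep working) follows from the address-lifetime rules of RFC 4862. The simulation below is an added example, not code from the thread: it models one host applying Prefix Information options, deprecating the old prefix while a new one becomes preferred, and shows the RFC's two-hour floor that stops a single unauthenticated (forged) RA from invalidating an address outright. The prefixes, lifetimes, interface identifier and clock values are constructed.

```python
"""IPv6 renumbering via Router Advertisements, per RFC 4862 section 5.5.3.
Added example; prefixes, lifetimes, host and clock are constructed."""
import ipaddress
from dataclasses import dataclass, field

TWO_HOURS = 2 * 3600


@dataclass
class Address:
    addr: ipaddress.IPv6Address
    preferred_until: int   # simulation clock, seconds
    valid_until: int


@dataclass
class Host:
    iid: int                                    # 64-bit interface identifier
    addrs: dict = field(default_factory=dict)   # IPv6Network -> Address

    def receive_ra(self, now, prefix, preferred, valid, authenticated=False):
        """Apply one Prefix Information option from a Router Advertisement."""
        net = ipaddress.IPv6Network(prefix)
        if preferred > valid:
            return                              # malformed option: ignore
        a = self.addrs.get(net)
        if a is None:
            if valid == 0:
                return                          # nothing to configure
            addr = ipaddress.IPv6Address(int(net.network_address) | self.iid)
            self.addrs[net] = Address(addr, now + preferred, now + valid)
            return
        a.preferred_until = now + preferred     # preferred lifetime is always taken
        remaining = a.valid_until - now
        # 5.5.3(e): a shorter valid lifetime is only honoured if it exceeds two
        # hours or the remaining lifetime; otherwise an unauthenticated RA can
        # at most cut the remaining lifetime to two hours.  This is what keeps
        # one forged RA from invalidating the address immediately.
        if valid > TWO_HOURS or valid > remaining:
            a.valid_until = now + valid
        elif remaining <= TWO_HOURS:
            if authenticated:                   # e.g. SEND-protected RA
                a.valid_until = now + valid
        else:
            a.valid_until = now + TWO_HOURS

    def expire(self, now):
        self.addrs = {n: a for n, a in self.addrs.items() if a.valid_until > now}

    def valid_addresses(self, now):
        """Addresses existing sessions may keep using (valid, even if deprecated)."""
        self.expire(now)
        return {a.addr for a in self.addrs.values()}

    def source_for_new_connection(self, now):
        """Prefer a non-deprecated address (RFC 6724 rule 3); fall back to a
        deprecated but still-valid one."""
        self.expire(now)
        preferred = [a.addr for a in self.addrs.values() if a.preferred_until > now]
        pool = preferred or [a.addr for a in self.addrs.values()]
        return min(pool) if pool else None


def renumber_scenario():
    """Old prefix deprecated, new prefix advertised, then a forged RA tries to
    kill the old prefix.  Returns the observable states."""
    host = Host(iid=0x021122FFFE334455)
    old, new = "2001:db8:1::/64", "2001:db8:2::/64"
    host.receive_ra(0, old, preferred=3600, valid=86400)
    before = host.source_for_new_connection(10)
    # Renumbering: old prefix re-advertised with preferred lifetime 0, new one added.
    host.receive_ra(100, old, preferred=0, valid=86400)
    host.receive_ra(100, new, preferred=3600, valid=86400)
    after_new = host.source_for_new_connection(110)
    still_valid = host.valid_addresses(110)     # both: old sessions keep working
    # Forged, unauthenticated RA claiming valid lifetime 0 for the old prefix.
    host.receive_ra(200, old, preferred=0, valid=0)
    old_addr = ipaddress.IPv6Address(
        int(ipaddress.IPv6Network(old).network_address) | host.iid)
    survives_forgery = old_addr in host.valid_addresses(201)
    gone_after_two_hours = old_addr not in host.valid_addresses(200 + TWO_HOURS + 1)
    return {"before": before, "after_new": after_new, "still_valid": still_valid,
            "survives_forgery": survives_forgery,
            "gone_after_two_hours": gone_after_two_hours}


if __name__ == "__main__":
    for k, v in renumber_scenario().items():
        print(f"{k}: {v}")
```

The DHCP contrast in the post is visible in the model: nothing here depends on a lease timer on the client, only on lifetimes the router pushes, and the old address stays usable for as long as the operator keeps its valid lifetime non-zero.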



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Chris Brenton

On Sun, 2004-04-18 at 23:16, Sean Donelan wrote:

 When the Morris worm was released, there wasn't a patch available.  Since
 then essentially every compromised computer has been via a vulnerability
 with a patch available or misconfiguration (or usually lack of
 configuration).

Key word here is essentially. I've been involved with about a half
dozen compromises that have been true zero days. Granted that's less
than ground noise compared to what we are seeing today.

 As far as improvements go, Microsoft's XP SP2 is a great improvement.  If
 you have a Window's machine, implementing XP SP2 could help with a lot of
 the stupid vulnerabilities.  Unfortunately less than 50% of Internet users
 have XP.

This ends up being a catch-22 all the way around. Since MS has focused
on locking down XP, they have ended up focusing on a minimal market
share of the problem. With this in mind, I don't think we are going to
see things getting any better now that SP2 is out. For the end user
running 2000 or less, it ends up sounding like "we screwed up and sold
you an insecure product so now we want you to give us more money in
order to fix the problem." A fix that addressed the problem in a more
universal fashion would have been cool.

 Should ISPs start requiring their users to install Windows XP SP2?

Many folk have already commented on the economics of trying to require
this. I think technically it would be hard to implement as well. I've
done a lot of work with passive fingerprinting and from my observations
you don't see enough of a difference in the packet creation to tell the
difference between patched and unpatched systems. This leaves you with
active fingerprinting which may fail if a personal firewall is active,
or loading software on their system which is now a whole other support
nightmare. Lots of overhead for little gain in my opinion.

Also, don't underestimate a person's ability to shoot themselves in the
foot. Windows 2003 server, out of the box, is technically one of the
most secure operating systems out there because it ships with no open
listening ports. Based on the auditing I've done however, it ends up
being deployed even less secure than 2000 because a lot of admins end up
doing the "turn everything on to get it working" thing. An uneducated
end user is not something you can fix with a service pack.

Chris
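Both Sean's point (fingerprints only work while the adversary isn't munging the stack) and Chris's (passive fingerprinting can't tell patched from unpatched) come down to how a passive matcher works: an exact lookup of a few SYN characteristics. The sketch below is an added example and not code from either post or from p0f; its signature table and sample SYN records are constructed. It shows a stock-looking 9x host matching, the same observation from a "patched" host matching identically, and a host with an altered TTL falling out of the table, plus the per-OS tally an operator would want before applying a rule like Matt's pf line.

```python
"""Passive OS fingerprinting sketch.  Added example; signature values and
sample SYNs are constructed for illustration, not taken from p0f."""
from collections import Counter
from dataclasses import dataclass

# Initial TTLs used by common stacks; an observed TTL is rounded up to the next
# one to estimate the sender's starting value after an unknown hop count.
INITIAL_TTLS = (32, 64, 128, 255)


@dataclass(frozen=True)
class SynObs:
    """What a passive sensor can read from a single SYN."""
    ttl: int      # IP TTL as seen on the wire
    window: int   # TCP window size
    df: bool      # IP "don't fragment" bit set
    mss: int      # TCP MSS option value (0 if the option is absent)


# Constructed signature table: (initial TTL, window, DF, MSS) -> label.
SIGNATURES = {
    (32, 8192, True, 1460): "windows-9x (constructed)",
    (128, 16384, True, 1460): "windows-2000/xp (constructed)",
    (64, 5840, True, 1460): "linux-2.4 (constructed)",
    (64, 16384, True, 1460): "openbsd (constructed)",
}


def guess_initial_ttl(ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial
    return 255


def fingerprint(obs: SynObs) -> str:
    """Exact-match lookup: any deviation in the tuple yields 'unknown'.
    Nothing in the key reflects patch level, so patched and unpatched
    hosts with the same stack settings are indistinguishable here."""
    key = (guess_initial_ttl(obs.ttl), obs.window, obs.df, obs.mss)
    return SIGNATURES.get(key, "unknown")


def tally_by_os(observations) -> Counter:
    """Count SYNs per guessed OS, e.g. to size the effect of an OS-based
    block rule on port 25 before applying it."""
    return Counter(fingerprint(obs) for _, obs in observations)


# Constructed sample: (source, SYN characteristics) as a sensor watching
# port 25 might record them.
SAMPLE_SYNS = [
    ("192.0.2.10", SynObs(ttl=26, window=8192, df=True, mss=1460)),     # 9x-like
    ("192.0.2.11", SynObs(ttl=26, window=8192, df=True, mss=1460)),     # same stack, "patched"
    ("192.0.2.12", SynObs(ttl=120, window=8192, df=True, mss=1460)),    # 9x-like, TTL altered
    ("198.51.100.5", SynObs(ttl=121, window=16384, df=True, mss=1460)), # 2000/XP-like
    ("198.51.100.6", SynObs(ttl=50, window=5840, df=True, mss=1460)),   # Linux-like
]

if __name__ == "__main__":
    for src, obs in SAMPLE_SYNS:
        print(f"{src:14} -> {fingerprint(obs)}")
    print(dict(tally_by_os(SAMPLE_SYNS)))
```

The third record is the arms-race case from Sean's post: one changed stack parameter and the host no longer looks like a 9x box to the matcher, while the first two records show why Chris found no signal for patch state in packet creation.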




Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Brian Russo

At Mon, Apr 19, 2004 at 06:12:16AM -0400, Chris Brenton wrote:

 Key word here is essentially. I've been involved with about a half
 dozen compromises that have been true zero days. Granted that's less
 than ground noise compared to what we are seeing today.

There're a lot more 0-days than that. They just tend to remain 
within a smaller community (typically the ones who discover it) and are 
used carefully/intelligently for compromises, often for a very long 
time. Then it gets leaked by someone and released into the wild/script 
kiddie community or someone else discovers it...

(more for benefit of others than a response to you)

 Also, don't underestimate a person's ability to shoot themselves in the
 foot. Windows 2003 server, out of the box, is technically one of the
 most secure operating systems out there because it ships with no open
 listening ports. Based on the auditing I've done however, it ends up
 being deployed even less secure than 2000 because a lot of admins end up
 doing the "turn everything on to get it working" thing. An uneducated
 end user is not something you can fix with a service pack.

Agreed, and even conscientious users screw up. I did this some months 
ago when installing MS SQL Server Desktop Engine from a third-party CD 
(packaged with software). This was well after the whole Slammer affair, 
memories fade and I didn't stop to realize they used the same 
codebase (oops)

 - bri


Automated Copyright Notice System

2004-04-19 Thread Sean Donelan


Someone is coming up with tools to solve Paul's problems.  Anyone can send an
XML-formatted notice to an ISP, and the user's Internet access is
automatically restricted.  Spoofing?

Btw, the music industry has applied for a patent on the technique.  Prior
art anyone?

http://news.com.com/2100-1027_3-5194341.html

  Known as the Automated Copyright Notice System (ACNS), the technology
  promises to ease copyright enforcement on peer-to-peer networks, saving
  schools and Internet service providers (ISPs) time and money. It would
  allow them to restrict or cut off Internet access for alleged infringers
  automatically on notice from a record label or movie studio. For
  example, universities using ACNS could instantly send notices of
  copyright infringement to students by e-mail and restrict their network
  access until they have removed the file.
[...]
  "We're helping the ISP or university with policy enforcement, we're not
  dictating the policy but we're saying here's a tool to help with
  automating the process. We're the friends of the ISP," said Mark
  Ishikawa, chief executive officer of BayTSP, a Los Gatos, Calif.-based
  company that is using the system on behalf of copyright holders.


Re: Automated Copyright Notice System

2004-04-19 Thread Dan Hollis

On Mon, 19 Apr 2004, Sean Donelan wrote:
 Someone is coming up with tools to solve Paul's problems.  Anyone can send an
 XML-formatted notice to an ISP, and the user's Internet access is
 automatically restricted.  Spoofing?

I can't wait for the first viruses to start flooding bogus acns messages 
in order to make acns worthless.

Also expect spammers to start flooding forged acns messages in order to 
try to take down RBLs etc.

-Dan



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Chris Brenton

On Mon, 2004-04-19 at 06:27, Brian Russo wrote:

 There're a lot more 0-days than that.

Agreed. My ego has not grown so large as to think I've seen every 0-day.
;-) As I said however, the true number of 0-day is less than ground
noise compared to the number of systems that *could* have remained safe
with proper patching or configuring. 

 They just tend to remain 
 within a smaller community (typically the ones who discover it) and are 
 used carefully/intelligently for compromises, often for a very long 
 time.

Agreed. I think part of what makes 0-day easier to hide *is* the raw
quantity of preventable exploits that are taking place. In many ways we
have become numb to compromises so that the first response ends up being
format and start over. If 0-day was a higher percentage, it would be
easier to catch them when they occur and do a proper forensic analysis. 

 Agreed, and even conscientious users screw up. I did this some months 
 ago when installing MS SQL Server Desktop Engine from a third-party CD 
 (packaged with software).

<RANT>
I guess I have a hard time blaming this type of thing on the end user.
Part of the fallout from making computers easier to use is making it
easier for end users to shoot themselves in the foot. One of the
benefits of complexity is that it forces end user education. I'm
guessing that if you had to load SQL as a dependency you would have
caught your mistake before you made it.

Let me give you an example of the "easy to use interface" thing. Back in
2000 I made it a personal goal to try and get the top 5 SMURF amplifier
sites shut down. I did some research to figure out what net blocks were
being used and started contacting the admins. Imagine my surprise when I
found out that 3 of the 5 _had_ a firewall. They had clicked their way
through configuring Firewall-1, didn't know they needed to tweak the
default property settings, and were letting through all ICMP
unrestricted and unlogged.

IMHO it's only getting worse. I teach a lot of perimeter security folks
and it seems like more and more of them are moving up the ranks without
ever seeing a command prompt. I actually had one guy argue that
everything in Windows is point and click and if you could not use a
mouse to do something, it was not worth doing. Again, I don't see this
as an end user problem because as an industry we've tried to make
security seem easier than it actually is. We want to make it like
driving a car when it's more like flying an airplane.
</RANT>

Cheers,
Chris




Re: Automated Copyright Notice System

2004-04-19 Thread Bogdan SURDU


On Mon, 19 Apr 2004, Sean Donelan wrote:



 Someone is coming up with tools to solve Paul's problems.  Anyone can send an
 XML-formatted notice to an ISP, and the user's Internet access is
 automatically restricted.  Spoofing?

No need for spoofing. Their auto-reports are already bogus. I blocked
mails from Media Sentry because they were sending hundreds of reports/day
for IPs not even close to my allocated ranges, and they failed to
answer any of my complaints (mail, fax, voice messages, even messages
to their rep. lawyer).

Tim
---
Be different. Think.
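Dan's worry (forged notices) and Bogdan's experience (hundreds of reports a day for addresses nowhere near his ranges) both argue for plausibility checks on the receiving side before any automated action. The script below is an added example, not code from the thread or from ACNS: the XML layout is a constructed stand-in for whatever schema a notice system uses, and the prefixes, clock and notices are constructed. It rejects a notice whose reported IP is outside the ISP's own allocations, whose timestamp is missing, future-dated or stale, or whose required fields are absent; passing these checks only says the notice is plausible, not who sent it.

```python
"""Plausibility checks on an automated infringement notice before it is
allowed to touch a customer account.  Added example; the XML layout, the
prefixes, the clock and the notices are constructed."""
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed: the address space this ISP actually holds.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8:10::/48")]

# Element paths (constructed layout) that must be present to act on a notice.
REQUIRED = ("sender", "timestamp", "source/ip", "source/port", "content/item")


def parse_notice(xml_text: str) -> dict:
    """Extract the fields we act on; absent or empty ones become None."""
    root = ET.fromstring(xml_text)
    return {path: (root.findtext(path) or "").strip() or None for path in REQUIRED}


def check_notice(xml_text, now, prefixes=OUR_PREFIXES, max_age=timedelta(days=7)):
    """Return the list of reasons to refuse the notice; empty means it passed
    the plausibility checks (which say nothing about who really sent it)."""
    try:
        fields = parse_notice(xml_text)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    problems = [f"missing field {p}" for p in REQUIRED if fields[p] is None]
    if problems:
        return problems

    try:
        ip = ipaddress.ip_address(fields["source/ip"])
    except ValueError:
        return [f"unparseable IP {fields['source/ip']!r}"]
    if not any(ip in net for net in prefixes):
        problems.append(f"{ip} is not in our allocated ranges")

    try:
        ts = datetime.fromisoformat(fields["timestamp"].replace("Z", "+00:00"))
        if ts.tzinfo is None:
            problems.append("timestamp has no timezone")
        elif ts > now + timedelta(minutes=5):
            problems.append("timestamp is in the future")
        elif now - ts > max_age:
            problems.append(f"notice is older than {max_age}")
    except ValueError:
        problems.append(f"unparseable timestamp {fields['timestamp']!r}")

    port = fields["source/port"]
    if not (port.isdigit() and 0 < int(port) < 65536):
        problems.append(f"invalid port {port!r}")
    return problems


# Constructed sample notices.
GOOD_NOTICE = """<notice>
  <sender>monitoring-vendor.example</sender>
  <timestamp>2004-04-19T10:00:00Z</timestamp>
  <source><ip>192.0.2.45</ip><port>6881</port></source>
  <content><item>song.mp3</item></content>
</notice>"""
OUT_OF_RANGE_NOTICE = GOOD_NOTICE.replace("192.0.2.45", "203.0.113.7")
STALE_NOTICE = GOOD_NOTICE.replace("2004-04-19", "2004-03-01")
NOW = datetime(2004, 4, 19, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, text in (("good", GOOD_NOTICE), ("out-of-range", OUT_OF_RANGE_NOTICE),
                       ("stale", STALE_NOTICE), ("garbage", "not xml at all")):
        print(f"{name:13} -> {check_notice(text, NOW) or 'accepted for review'}")
```

A notice that survives these checks should still only open a ticket for a human, since a forged message naming an in-range address passes them; origin authentication is a separate problem these checks do not solve.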



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Dr. Jeffrey Race

On Mon, 19 Apr 2004 06:12:16 -0400, Chris Brenton wrote:

 An uneducated
 end user is not something you can fix with a service pack.


A profound point, again highlighting the fact that there
are no technical solutions to this problem.  (Though
technical measures to enhance traceability are a big help.)

So, the logical inference is training and licensing to
get internet access.   When I was 16 in Connecticut many
many years ago, we had to take a driver-training course
(given by a policeman) to get a driver's license.

I see no discussion about this approach, here or elsewhere.

Jeffrey Race



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Gregh


- Original Message - 
From: Dr. Jeffrey Race [EMAIL PROTECTED]
To: Jeffrey Race [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, April 19, 2004 11:10 PM
Subject: Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)



 On Mon, 19 Apr 2004 06:12:16 -0400, Chris Brenton wrote:

  An uneducated
  end user is not something you can fix with a service pack.


 A profound point, again highlighting the fact that there
 are no technical solutions to this problem.  (Though
 technical measures to enhance traceability are a big help.)

 So, the logical inference is training and licensing to
 get internet access.   When I was 16 in Connecticut many
 many years ago, we had to take a driver-training course
 (given by a policeman) to get a driver's license.

 I see no discussion about this approach, here or elsewhere.


I would love to know the average age of the list inhabitants.

It has been my observation that things which are new become better known
when a generation has grown up, completely, with it and is teaching the next
generation.

Until that occurs, you are going to get one heck of a larger lot of
uninformed users because they are not only young and clueless but every
other age and clueless. Worse, they are clueless in a lot of cases because
they are frightened by new technology. Eventually, it will become as common
as a car on the road and at that point, taking obvious steps won't even be a
topic for discussion any longer.

When that happens, arts majors won't be the only ones serving fries at
Maccas.

Greg.



Re: why use IPv6, was: Lazy network operators

2004-04-19 Thread Todd Vierling

On Sun, 18 Apr 2004, John Curran wrote:

:  And customers who do ask, are routinely turned down.
:
: Change providers.  A request for new functionality from existing
: customers may not always get the attention it deserves, but I don't
: know of a provider that doesn't sit up and pay attention when a
: customer leaves to the competition.
:
: And what does it say if you're not willing to go through the hassle
: to change providers to get IPv6 services?

When searching for colo providers, I've gone through the hassle myself, and
I've yet to find so much as a single provider whose *uplinks*[!] support
IPv6 native, much less the provider itself, in the southeastern US.

(You must live in a nice place.  Not all of us do.)

I can definitely say from experience that the low supply and adamant refusal
to adopt is squelching the demand.

-- 
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]


Re: Lazy network operators - NOT

2004-04-19 Thread Paul Vixie

 there's no choice at all, really.

 Are you suggesting to drop all traffic (which, if widespread would get
 attention) or just email?

at the moment i'm proposing just e-mail.  but that's only because we should
already be rejecting udp/137 and udp/138 and udp/139 from outside our campuses
and there's no reason to selectively reject that stuff from broadband nets.
in the future we may find ourselves rejecting all non-pull transactions of
whatever protocol.  these are fundamentally access networks, and statistically
speaking, everything that's been done with service or p2p from a broadband
network has been bad for somebody, somewhere.

 If you're suggesting only email blocking, you'll promote an email-peering
 agreement architecture, eventually with settlement.

actually i'm not suggesting it, i'm letting you all know that it's coming;
and, i'm not promoting settlements, but rather whitelists.


Re: why use IPv6, was: Lazy network operators

2004-04-19 Thread Carlos Friacas

On Mon, 19 Apr 2004, Iljitsch van Beijnum wrote:

  not the only thing we have to do anyway, there is no demand and
  therefore no ROI. It is urgent to wait.

 The nice (but sometimes frustrating) thing about IPv6 is that we can
 take (in internet time) forever to upgrade. At this point, the most
 important thing is to avoid building new stuff that will get in the way
 of IPv6 when the time comes that deploying v6 starts making sense.
 Unfortunately, few people understand the idea of taking 5 or 10 years
 to upgrade; they think this means doing nothing for 4.5 or 9.5 years
 and then frantically starting to throw money at the problem. Oh well.

Yep. That is the main point for me!
The larger the transition phase, the smoother... starting as soon as
possible will cause less pain for everybody...

From the cost point of view:

+ IPv6 should be seen as an evolution of current IP version 4. People that
understand IP version 4 (network admins) should also easily learn IP
version 6. Unfortunately IPv6 is often referred to as a new technology,
but in the end... it is not. It is (only?) the plain old IP, with some
improvements...

+ On the vendor front. IPv6 should be seen also as the natural evolution
on IP technology. If any vendor wished to keep their share in the IP
market, they should be able to support it, without any significant extra
cost for customers. However... I don't really think the hardware factor is
nowadays a serious problem for people currently building dual-stack
networks (yes, in some parts of the world, people are doing it!!!)

To conclude, nobody (I think) wishes to end IPv4 addresses anywhere in
the years to follow...


Regards,

./Carlos
-- IPv6 - http://www.ip6.fccn.pt
Wide Area Network Workgroup, CMF8-RIPE, CF596-ARIN
FCCN - Fundacao para a Computacao Cientifica Nacional  http://www.fccn.pt

 Internet is just routes (135072/470), naming (millions) and... people!


Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Brian Russo

At Mon, Apr 19, 2004 at 08:22:48AM -0400, Chris Brenton wrote:

 Agreed. I think part of what makes 0-day easier to hide *is* the raw
 quantity of preventable exploits that are taking place. In many ways we
 have become numb to compromises so that the first response ends up being
 format and start over. If 0-day was a higher percentage, it would be
 easier to catch them when they occur and do a proper forensic analysis. 

Right, they fit in with the noise.

 <RANT>
 I guess I have a hard time blaming this type of thing on the end user.
 Part of the fall out from making computers easier to use, is making it
 easier for end users to shoot themselves in the foot. One of the
 benefits of complexity is that it forces end user education. I'm
 guessing that if you had to load SQL as a dependency you would have
 caught your mistake before you made it. 
 
 Let me give you an example of the easy to use interface thing. Back in
 2000 I made it a personal goal to try and get the top 5 SMURF amplifier
 sites shut down. I did some research to figure out what net blocks were
 being used and started contacting the admins. Imagine my surprise when I
 found out that 3 of the 5 _had_ a firewall. They had clicked their way
 though configuring Firewall-1, didn't know they needed to tweak the
 default property settings, and were letting through all ICMP
 unrestricted and unlogged. 

 IMHO its only getting worse. I teach a lot of perimeter security folks
 and it seems like more and more of them are moving up the ranks without
 ever seeing a command prompt. I actually had one guy argue that
 everything in Windows is point and click and if you could not use a
 mouse to do something, it was not worth doing. Again, I don't see this
 as an end user problem because as an industry we've tried to make
 security seem easier than it actually is. We want to make it like
 driving a car when its more like flying an airplane. 

That's pretty sad, I can forgive users, but nobody doing 'security' 
should be living in a pure GUI world, to extend your analogy it would be 
like only knowing how to configure the autopilot and getting a pilot's 
license.

As far as mainstream users..
* Software needs to patch itself, users aren't going to do it.
* Software needs to be intuitive, people interact with computers as if 
they were doing 'real' things. Things like cut and paste are easy 
because they make sense...
* Software patches need to WORK and not screw up Joe User's system, 
believe me they won't understand that software is never bug-free, 
they'll instead swear off installing patches in future.
* Software needs reasonable defaults.. this doesn't necessarily mean 
turning every feature off.
* Wizards and/or a choice of 'starter' confs can be great.


Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Brian Russo

At Mon, Apr 19, 2004 at 11:22:17PM +1000, Gregh wrote:
 I would love to know the average age of the list inhabitants.

22

 
 It has been my observation that things which are new become better known
 when a generation has grown up, completely, with it and is teaching the next
 generation.
 
 Until that occurs, you are going to get one heck of a larger lot of
 uninformed users because they are not only young and clueless but every
 other age and clueless. Worse, they are clueless in a lot of cases because
 they are frightened by new technology. Eventually, it will become as common
 as a car on the road and at that point, taking obvious steps wont even be a
 topic for discussion any longer.

Of course you're right, but this isn't going to happen for a long time.. 
and besides.. there are a lot of people in my generation that are not 
that tech-savvy at all.. 

I'd say the top uses are Games, IM/blogs/etc and P2P

None of these really have anything to do with being good guardians of 
the net.

Of course in the long-run you'll prove me wrong.. but I think it'll take 
a fair while yet.. anyway, i just hope we'll have made good progress on 
other fronts.

 - bri


remote reboot power strips

2004-04-19 Thread Christopher J. Wolff

Hello,

Last time I researched remote reboot power strips it seemed like most of the
power strips were garbage.  Any recommendations for a solid performer would
be appreciated.  Thank you.

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com




Re: remote reboot power strips

2004-04-19 Thread Will Yardley

On Mon, Apr 19, 2004 at 08:24:29AM -0700, Christopher J. Wolff wrote:
 
 Last time I researched remote reboot power strips it seemed like most of the
 power strips were garbage.  Any recommendations for a solid performer would
 be appreciated.  Thank you.

We've been pretty happy with the Baytech ones.
http://www.baytechdcd.com/

-- 
Since when is skepticism un-American?
Dissent's not treason but they talk like it's the same...
(Sleater-Kinney - Combat Rock)



RE: remote reboot power strips

2004-04-19 Thread Christopher J. Wolff

That makes two votes for the Baytech.  Thank you.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 Will Yardley
 Sent: Monday, April 19, 2004 8:51 AM
 To: 'nanog list'
 Subject: Re: remote reboot power strips
 
 
 On Mon, Apr 19, 2004 at 08:24:29AM -0700, Christopher J. Wolff wrote:
 
  Last time I researched remote reboot power strips it seemed like most of
 the
  power strips were garbage.  Any recommendations for a solid performer
 would
  be appreciated.  Thank you.
 
 We've been pretty happy with the Baytech ones.
 http://www.baytechdcd.com/
 
 --
 Since when is skepticism un-American?
 Dissent's not treason but they talk like it's the same...
 (Sleater-Kinney - Combat Rock)



Re: Anyone from ATT here? (ATT bogus DNSBL answers)

2004-04-19 Thread Michael . Dillon

  I finally talked to someone who knows what the problem is.  Your sbl
  sites have been blocked by the standard DNS forwarders supplied by ATT.
  This is due to the workload being generated on them from mailservers.
 
 Duh! This is really dumb. 

It's not dumb at all.

DNSBLs are using the DNS to do general purpose database
lookups instead of using a generic database lookup 
protocol like LDAP. It's not surprising that this sort
of ugly hack has unintended side effects. After all, people
who build DNS infrastructure intend it to be used to
for generic DNS translations, not generic database lookups.

Funny thing is that most mailer software that uses
DNSBLs also supports LDAP database lookups so there is
really no good reason why DNSBLs exist in the first
place.

IMHO, the DNSBL experiment has proved the usefulness
of having a variety of blacklist/whitelist/greylist databases
for mail servers to query. It's high time that folks
shift these databases onto a protocol that does not interfere
with the Internet's critical DNS systems and I believe that
LDAP is that protocol.

--Michael Dillon



RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Vivien M.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Dr. Jeffrey Race
 Sent: April 19, 2004 9:11 AM
 To: Jeffrey Race
 Cc: [EMAIL PROTECTED]
 Subject: Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)
 
 
 
 On Mon, 19 Apr 2004 06:12:16 -0400, Chris Brenton wrote:
 
  An uneducated
 end user is not something you can fix with a service pack.
 
 
 A profound point, again highlighting the fact that there
 are no technical solutions to this problem.  (Though
 technical measures to enhance traceability are a big help.)
 
 So, the logical inference is training and licensing to
 get internet access.   When I was 16 in Connecticut many
 many years ago, we had to take a driver-training course
 (given by a policeman) to get a driver's license.
 
 I see no discussion about this approach, here or elsewhere.

Well, there are a number of problems with this.

Firstly, who enforces it? The reason it works with cars is that the state
(or province for those of us north of the border) effectively says you
can't drive a car without this lovely piece of paper/plastic that we'll give
you and if we find you driving a car without the lovely piece of
paper/plastic, you're going to be in serious trouble. Are you proposing
that each jurisdiction that currently licences drivers also licence Internet
users and tell ISPs sorry, but if they don't give their licence, you can't
give them an account?

Secondly, HOW do you enforce it? Motor vehicles only require a licence to be
operated on public roads in all jurisdictions I'm aware of. IANAL, but if
some 14 year old kid without a licence wants to drive around on his parents'
private property, that is not illegal. Now, the instant that vehicle leaves
the private property, it's another story (assuming, of course, cops around
to check licences. In some jurisdictions, this is more true than in others).
My point is, driving is ONLY regulated when it is done in public view, for
obvious reasons. Computer use is an inherently private activity, so how do
you propose to verify that the person using a computer is in fact licenced?
Mandatory webcams? :P

Thirdly, WHO do you enforce it against? It's pretty difficult (and illegal)
for $RANDOM_JOE (or $RANDOM_KID, etc) to just go out and drive someone's car
without their explicit knowledge and permission. (Okay, so you can hotwire a
car, but...) It's very easy for someone other than the computer owner or ISP
contractholder to have access to it and abuse it and stuff. So what do you
propose? Mandatory cardreaders on all computers? Fingerprint scanners
integrated into keyboards? How else can you avoid Mom logging online, and
then letting the unlicenced kids roam free online, allegedly to do research
for school? Do you want to fine/jail/etc Mom if the kids download a trojan
somewhere?

Fourthly, as someone pointed out, the first generation always complains. I
hate to show how young I probably am compared to many on this list, but my
jurisdiction introduced graduated driver's licencing a few years before I
was old enough to get a driver's licence, and it angers me that the random
guy who's out on the road driving like a moron had to go through way less
bureaucracy, road tests, etc than me simply because he was born ten years
before me. That said, if no reforms are made to make this system stricter,
I'm sure the next generation won't see this system as an outrage simply
because they won't remember an era when the bureaucracy.
Currently, people can buy computers/Internet access/etc unregulated at the
random store down the street. You're proposing that some regulatory
authority require licencing... Why should these voters accept it? Especially
since, unlike with cars, the damage done by poorly-operated computers is
rather hard to explain to a technologically-unskilled person. Most would
respond something like well, it's not my fault some criminal wrote a
virus/exploit/whatever. Put that person in jail, and let me mind my own
business. Good luck educating them on the fallacies in that statement.

Fact is, until home computer security issues result in a pile of bloody
bodies to show on CNN, no one in the general public and/or the legislative
branches of government has any incentive to care... 

Vivien



Re: Anyone from ATT here? (ATT bogus DNSBL answers)

2004-04-19 Thread Patrick W . Gilmore
On Apr 19, 2004, at 11:54 AM, [EMAIL PROTECTED] wrote:

   I finally talked to someone who knows what the problem is.  Your sbl
   sites have been blocked by the standard DNS forwarders supplied by ATT.
   This is due to the workload being generated on them from mailservers.

  Duh! This is really dumb.

 It's not dumb at all.

Yes, it is.

It is not only dumb, it is a disservice to their customers.  ATT is 
intentionally distributing known bad information.  Worse, they hid this 
fact from their customer.  When customers called the ATT support line 
to find out what happened, they were told nothing was wrong and it must 
be on the customer side.  My understanding is this was an intentional 
lie.  Lying to your customers is a Bad Thing [tm], IMHO.

Perhaps it was just a bunch of front line people who did not know / 
understand, but considering that they made a change which they knew - 
they *KNEW* - would break things, they should have made damned sure 
each and every front line person was prepared for the customer calls.  
They did not, so they are at best guilty of pathetically poor customer 
service, and possibly guilty of outright lying to their customers.

If I paid ATT for name service (even as part of a larger package of 
offerings - e.g. transit), I would be *VERY* upset.


 DNSBLs are using the DNS to do general purpose database
 lookups instead of using a generic database lookup
 protocol like LDAP. It's not surprising that this sort
 of ugly hack has unintended side effects. After all, people
 who build DNS infrastructure intend it to be used to
 for generic DNS translations, not generic database lookups.

A DNS query is a database lookup.  It is probably the most widely 
distributed, robust database ever designed and implemented.  But it is a 
database, and the DNSBL queries are well formed DNS queries.  The only 
difference between a DNSBL query and a normal host lookup is the source 
zone file and rate.

I wonder if Google gets too many DNS hits if ATT will decide to filter 
that zone?


 Funny thing is that most mailer software that uses
 DNSBLs also supports LDAP database lookups so there is
 really no good reason why DNSBLs exist in the first
 place.

Have the mailers always supported LDAP?  Do all firewalls which work as 
MTAs in many 1000s of corporations allow LDAP queries by default?  
Perhaps the creators and maintainers of the DNSBLs like to use DNS and 
do not like LDAP?

There are many, many possible good reasons for the DNSBLs to exist.


 IMHO, the DNSBL experiment has proved the usefulness
 of having a variety of blacklist/whitelist/greylist databases
 for mail servers to query. It's high time that folks
 shift these databases onto a protocol that does not interfere
 with the Internet's critical DNS systems and I believe that
 LDAP is that protocol.

That is possible, and much more reasonable than claiming that they have 
no good reason to exist in the first place.

If you believe this so fervently, perhaps you should put in effort to 
make it happen, instead of discarding out of hand the effort, time, and 
money the current maintainers have donated out to make the community 
better.

--
TTFN,
patrick

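Michael's "DNS as a database" complaint, Patrick's reply that a DNSBL query is just a well-formed DNS lookup, and the blocked-forwarder problem this thread is about can all be shown in a few lines. The following is an added example, not code from any poster or from any DNSBL project: it builds the reversed-octet query name and goes one step beyond the thread by adding the RFC 5782 test-entry probe (127.0.0.2 is always listed, 127.0.0.1 never is) so an MTA can notice a resolver that answers bogusly for the zone; the zone name `bl.example` and the in-memory resolvers are constructed stand-ins.

```python
"""DNSBL lookups as plain DNS queries, plus a resolver sanity check.

A DNSBL client reverses the octets of the IP address, appends the list's
zone and asks for an A record.  An answer in 127.0.0.0/8 means "listed",
NXDOMAIN means "not listed".  Because the answer travels through whatever
resolver the MTA uses, a forwarder that silently refuses or rewrites the
zone turns every check into a false negative (or false positive).
"""
import ipaddress
from typing import Callable, List, Optional, Tuple

# A lookup function takes a query name and returns the A-record strings,
# or None for NXDOMAIN.  Injected so the example runs offline.
Lookup = Callable[[str], Optional[List[str]]]


def dnsbl_qname(ip: str, zone: str) -> str:
    """Build the query name: reversed octets (or nibbles) plus the zone."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv4Address):
        labels = str(addr).split(".")[::-1]
    else:
        # IPv6 lists use one hex digit per label, reversed.
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.rstrip(".") + "."


def is_listed(ip: str, zone: str, lookup: Lookup) -> bool:
    """True iff the list answers with an address in 127.0.0.0/8."""
    answers = lookup(dnsbl_qname(ip, zone))
    if not answers:
        return False
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return any(ipaddress.ip_address(a) in loopback for a in answers)


def dnsbl_healthy(zone: str, lookup: Lookup) -> Tuple[bool, str]:
    """Probe the RFC 5782 test entries.

    127.0.0.2 must be listed and 127.0.0.1 must not be.  Anything else means
    the resolver (or the list itself) is returning bad data and the zone
    should not be trusted.  A real MTA would cache this result.
    """
    if not is_listed("127.0.0.2", zone, lookup):
        return False, "test point 127.0.0.2 not listed: zone blocked or dead"
    if is_listed("127.0.0.1", zone, lookup):
        return False, "127.0.0.1 listed: wildcard or bogus answers"
    return True, "ok"


def classify(ip: str, zone: str, lookup: Lookup) -> str:
    """'listed', 'clean', or 'untrusted' when the probes fail, so a blocked
    zone does not silently degrade into 'everything is clean'."""
    ok, _reason = dnsbl_healthy(zone, lookup)
    if not ok:
        return "untrusted"
    return "listed" if is_listed(ip, zone, lookup) else "clean"


# Constructed stand-ins for a resolver; none of this is real DNS data.
ZONE = "bl.example"  # placeholder zone name


def healthy_resolver(qname: str) -> Optional[List[str]]:
    """Behaves like a working list: the test point and one listed host."""
    listed = {
        dnsbl_qname("127.0.0.2", ZONE): ["127.0.0.2"],
        dnsbl_qname("192.0.2.10", ZONE): ["127.0.0.2"],  # constructed entry
    }
    return listed.get(qname)


def blocking_resolver(qname: str) -> Optional[List[str]]:
    """Models a forwarder that answers NXDOMAIN for the whole zone."""
    return None


def wildcard_resolver(qname: str) -> Optional[List[str]]:
    """Models a zone or forwarder that answers every name positively."""
    return ["127.0.0.2"]


if __name__ == "__main__":
    for name, resolver in [("healthy", healthy_resolver),
                           ("blocking", blocking_resolver),
                           ("wildcard", wildcard_resolver)]:
        print(name, dnsbl_healthy(ZONE, resolver),
              classify("192.0.2.10", ZONE, resolver))
```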

Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Patrick W . Gilmore
On Apr 19, 2004, at 4:10 AM, Michael Painter wrote:

 First time user of the net in '87 when CompuServe announced it to 
 its denizens.
 Thank [deity] for Micro$oft or we'd have to get a real job.

I hear this a lot and it is such BS.  Does anyone here HONESTLY believe 
the computer revolution was caused by MS alone and would never have 
happened without them?

Microsoft *might* have made it happen slightly faster than without 
them, but a good argument can be made that MS actually set back the 
software industry in many ways, from stifling competition & innovation 
to the current mess with uneducated users and a homogeneous OS.

The truth is, we will not know if things are better or worse because of 
MS.  But it is in _no way_ a slam dunk one way or the other.

--
TTFN,
patrick


Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Jeff Shultz, Willamette Valley Internet

** Reply to message from Brian Russo [EMAIL PROTECTED] on Mon, 19 Apr
2004 10:51:18 -0400

 As far as mainstream users..
 * Software needs to patch itself, users aren't going to do it.
 * Software needs to be intuitive, people interact with computers as if 
 they were doing 'real' things. Things like cut and paste are easy 
 because they make sense...
 * Software patches need to WORK and not screw up Joe User's system, 
 believe me they won't understand that software is never bug-free, 
 they'll instead swear off installing patches in future.
 * Software needs reasonable defaults.. this doesn't necessarily mean 
 turning every feature off.
 * Wizards and/or a choice of 'starter' confs can be great.

Patches either need to be of a size that a dialup user doesn't have to
be dialed in for 24 hours to download and install them.  Or .iso's
should be available for ISP's to download, turn into CD's and
distribute as appropriate. Wouldn't that be nice for a dialup user -
getting Windows Update on a CD-ROM from their ISP?
-- 
Jeff Shultz
Network Technician
Willamette Valley Internet


RE: Anyone from ATT here? (ATT bogus DNSBL answers)

2004-04-19 Thread Eric Krichbaum

I've personally seen them blackhole a customer ip and never contact
them.  The excuse was that, normally, their customers can't get the mail
because it's a mailserver that gets blacklisted.  I'm not sure that it's
an excuse.  I don't even mind that they blackholed a security problem.
It's the lack of contact in association with the action that I consider
bad customer service.


Eric Krichbaum, Chief Engineer
Citynet

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Patrick W.Gilmore
Sent: Monday, April 19, 2004 12:26 PM
To: [EMAIL PROTECTED]
Cc: Patrick W.Gilmore
Subject: Re: Anyone from ATT here? (ATT bogus DNSBL answers)


On Apr 19, 2004, at 11:54 AM, [EMAIL PROTECTED] wrote:

 I finally talked to someone who knows what the problem is.  Your sbl
 sites have been blocked by the standard DNS forwarders supplied by ATT.
 This is due to the workload being generated on them from mailservers.

 Duh! This is really dumb.

 It's not dumb at all.

Yes, it is.

It is not only dumb, it is a disservice to their customers.  ATT is
intentionally distributing known bad information.  Worse, they hid this
fact from their customer.  When customers called the ATT support line
to find out what happened, they were told nothing was wrong and it must
be on the customer side.  My understanding is this was an intentional
lie.  Lying to your customers is a Bad Thing [tm], IMHO.

Perhaps it was just a bunch of front line people who did not know /
understand, but considering that they made a change which they knew -
they *KNEW* - would break things, they should have made damned sure each
and every front line person was prepared for the customer calls.  
They did not, so they are at best guilty of pathetically poor customer
service, and possibly guilty of outright lying to their customers.

If I paid ATT for name service (even as part of a larger package of
offerings - e.g. transit), I would be *VERY* upset.


 DNSBLs are using the DNS to do general purpose database
 lookups instead of using a generic database lookup
 protocol like LDAP. It's not surprising that this sort
 of ugly hack has unintended side effects. After all, people
 who build DNS infrastructure intend it to be used to
 for generic DNS translations, not generic database lookups.

A DNS query is a database lookup.  It is probably the most widely 
distributed, robust database ever designed and implemented.  But it is a 
database, and the DNSBL queries are well formed DNS queries.  The only 
difference between a DNSBL query and a normal host lookup is the source 
zone file and rate.

I wonder if Google gets too many DNS hits if ATT will decide to filter 
that zone?


 Funny thing is that most mailer software that uses
 DNSBLs also supports LDAP database lookups so there is
 really no good reason why DNSBLs exist in the first
 place.

Have the mailers always supported LDAP?  Do all firewalls which work as 
MTAs in many 1000s of corporations allow LDAP queries by default?  
Perhaps the creators and maintainers of the DNSBLs like to use DNS and 
do not like LDAP?

There are many, many possible good reasons for the DNSBLs to exist.


 IMHO, the DNSBL experiment has proved the usefulness
 of having a variety of blacklist/whitelist/greylist databases
 for mail servers to query. It's high time that folks
 shift these databases onto a protocol that does not interfere
 with the Internet's critical DNS systems and I believe that
 LDAP is that protocol.

That is possible, and much more reasonable than claiming that they have 
no good reason to exist in the first place.

If you believe this so fervently, perhaps you should put in effort to 
make it happen, instead of discarding out of hand the effort, time, and 
money the current maintainers have donated out to make the community 
better.

-- 
TTFN,
patrick



RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread David Schwartz


 Firstly, who enforces it? The reason it works with cars is that
 the state
 (or province for those of us north of the border) effectively says you
 can't drive a car without this lovely piece of paper/plastic that
 we'll give
 you and if we find you driving a car without the lovely piece of
 paper/plastic, you're going to be in serious trouble. Are you proposing
 that each jurisdiction that currently licences drivers also
 licence Internet
 users and tell ISPs sorry, but if they don't give their licence,
 you can't
 give them an account?

That's not a problem. The state licenses drivers but it also owns the
roads.

 Secondly, HOW do you enforce it? Motor vehicles only require a
 licence to be
 operated on public roads in all jurisdictions I'm aware of. IANAL, but if
 some 14 year old kid without a licence wants to drive around on
 his parents'
 private property, that is not illegal.

So? If you want to mess around on your private network, I don't care
either.

 Now, the instant that
 vehicle leaves
 the private property, it's another story (assuming, of course, cops around
 to check licences. In some jurisdictions, this is more true than
 in others).

Exactly. You want to go on someone else's roads, you do so only by their
rules.

 My point is, driving is ONLY regulated when it is done in public view, for
 obvious reasons. Computer use is an inherently private activity, so how do
 you propose to verify that the person using a computer is in fact
 licenced?
 Mandatory webcams? :P

So you can drive however you want on *my* driveway? That's not public view,
is it? If there were only private roads, I'll bet you that private road owners
would have come up with a licensing system quite similar to what we have
today, for liability reasons if nothing else. You might also notice that you
can't get liability insurance without a license even though that insurance
is issued privately, and there aren't many road owners who let you drive on
their roads without insurance.

 Thirdly, WHO do you enforce it against? It's pretty difficult
 (and illegal)
 for $RANDOM_JOE (or $RANDOM_KID, etc) to just go out and drive
 someone's car
 without their explicit knowledge and permission. (Okay, so you
 can hotwire a
 car, but...) It's very easy for someone other than the computer
 owner or ISP
 contractholder to have access to it and abuse it and stuff.

I'm not sure I understand why you think this is so. My kids know that my
computer is off-limits to them just like they know my car is off-limits to
them. They are physically capable of obtaining access to either without my
permission.

 So what do you
 propose? Mandatory cardreaders on all computers? Fingerprint scanners
 integrated into keyboards? How else can you avoid Mom logging online, and
 then letting the unlicenced kids roam free online, allegedly to
 do research
 for school? Do you want to fine/jail/etc Mom if the kids
 download a trojan
 somewhere?

I would presume that a license would include the rights to allow others to
use your access under appropriate supervision or with appropriately
restrictive software.

 Fourthly, as someone pointed out, the first generation always complains. I
 hate to show how young I probably am compared to many on this list, but my
 jurisdiction introduced graduated driver's licencing a few years before I
 was old enough to get a driver's licence, and it angers me that the random
 guy who's out on the road driving like a moron had to go through way less
 bureaucracy, road tests, etc than me simply because he was born ten years
 before me. That said, if no reforms are made to make this system stricter,
 I'm sure the next generation won't see this system as an outrage simply
 because they won't remember an era when the bureaucracy.
 Currently, people can buy computers/Internet access/etc unregulated at the
 random store down the street. You're proposing that some regulatory
 authority require licencing... Why should these voters accept it?

Because their failure to cooperate will result in ostracism. That's how the
Internet has always worked.

 Especially
 since, unlike with cars, the damage done by poorly-operated computers is
 rather hard to explain to a technologically-unskilled person. Most would
 respond something like well, it's not my fault some criminal wrote a
 virus/exploit/whatever. Put that person in jail, and let me mind my own
 business. Good luck educating them on the fallacies in that statement.

The point is, you don't have to. You just have to not let them on your
roads. If they think the things they have to do to get on your roads are
worth the value of those roads, they'll do them. If not, not. You don't care
why people comply with your rules. People don't get driver's licenses
because they think the piece of paper makes them a better driver, they do it
because that is what's required for them to get insurance and avoid tickets
and even jail.

 Fact is, until home 

Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread John Neiberger

 Patches either need to be of a size that a dialup user doesn't have to
 be dialed in for 24 hours to download and install them.  Or .iso's
 should be available for ISP's to download, turn into CD's and
 distribute as appropriate. Wouldn't that be nice for a dialup user -
 getting Windows Update on a CD-ROM from their ISP?

Amen to that. My mom lives in a small town with very spotty Internet
access. The fastest possible connection speed is 28.8 but her actual
connection is usually slower than that, probably thanks to the quality
of lines in the area. You wouldn't believe how long those patches take
to download over 28.8. In fact, I've given up on it because the phone
simply can't be tied up for that long and she's not going to get a
second line for the sole purpose of downloading MS patches.

Periodic Windows Update on a CD-ROM is a must-have until more of the
world has high-speed access.

John
--


RE: remote reboot power strips

2004-04-19 Thread Roy


We use a number of both the APC Masterswitch and the WTS NPS-115 with good
results.  I don't think either of them have had a failure.

Roy


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Christopher J. Wolff
Sent: Monday, April 19, 2004 8:24 AM
To: 'nanog list'
Subject: remote reboot power strips



Hello,

Last time I researched remote reboot power strips it seemed like most of the
power strips were garbage.  Any recommendations for a solid performer would
be appreciated.  Thank you.

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com





RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Drew Weaver

-- Jeff said -- 


Patches either need to be of a size that a dialup user doesn't have to
be dialed in for 24 hours to download and install them.  Or .iso's
should be available for ISP's to download, turn into CD's and
distribute as appropriate. Wouldn't that be nice for a dialup user -
getting Windows Update on a CD-ROM from their ISP?

To which I reply: 

It is somewhat unreasonable to think that ISPs should be responsible
for the security of its users' systems on a systematic basis. Another reason
the idea of a 'CD with updates' most likely wouldn't be effective is because
by the time the ISP produced the CD, the user got the CD, and installed it,
the patches would most likely not be the most recent available. Also, do you
realize how much the 'average technical school graduate type' makes just
from acquaintances who complain that their computers are slow, by simply
removing whatever flavor of the month backdoor spam proxy virus I bet a
good number of 'tech service calls' that companies such as PC On Call and
people who service residences get could've been avoided by patching in a
reasonable time period.
However, awhile ago we tried an idea of sending out E-Mail alerts to
our customers whenever a critical update of Remote execution or worse was
released. We found that most of our users were annoyed by this, a different
time we used a network sniffing tool to find a few dozen handfuls of your
average home Dial-Up users who were infected with various malicious agents
(I.e. Nimda, et cetera) and we actually contacted those users, to let them
know and again we were met with more hostility. 
From this interesting pattern I would surmise that users want their
ISPs to be hands-off unless the problem that they're causing is affecting
them directly. End users on the Internet see their connectivity as a right,
and not a privilege. I remember when I was 13 (that was only 11 years ago)
and I signed up for my Freenet account at the Columbus Public Library (I
believe it was, ? still is? Through OSU), they really made me feel like it
was a privilege to be using the Internet, and I honored that.
It's just difficult to explain from a professional level what the effects
these peoples' behavior (or lack thereof) is having on the rest of the
community. Think of it like people who drive monster SUV's, they can afford
the gas, and the insurance so they don't believe that the harm that these
beasts do to our environment matter, because again it's their god-given right
to drive them.

-Drew



RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Geo.


 Patches either need to be of a size that a dialup user doesn't have to
 be dialed in for 24 hours to download and install them.  Or .iso's
 should be available for ISP's to download, turn into CD's and
 distribute as appropriate. Wouldn't that be nice for a dialup user -
 getting Windows Update on a CD-ROM from their ISP?


It shouldn't be just windows update which of course doesn't patch office
etc., it should be a fully automated cd that the user pops in and it
autoupdates ALL MICROSOFT PRODUCTS that are installed and it should do it
without asking for the stupid office CDs..

Geo.



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Jeff Shultz, Willamette Valley Internet

** Reply to message from Drew Weaver [EMAIL PROTECTED] on Mon,
19 Apr 2004 13:42:53 -0400

 -- Jeff said -- 
 
 
 Patches either need to be of a size that a dialup user doesn't have to
 be dialed in for 24 hours to download and install them.  Or .iso's
 should be available for ISP's to download, turn into CD's and
 distribute as appropriate. Wouldn't that be nice for a dialup user -
 getting Windows Update on a CD-ROM from their ISP?
 
 To which I reply: 
 
   It is somewhat unreasonable to think that ISPs should be responsible
 for the security of its users' systems on a systematic basis. 

Responsible? No.
Able to assist in maintaining that security (and thus that of the ISP's
network)? Yes. 

Another reason
 the idea of a 'CD with updates' most likely wouldn't be effective is because
 by the time the ISP produced the CD, the user got the CD, and installed it,
 the patches would most likely not be the most recent available.

I can burn a CD from ISO in about 5 minutes - how about you? 
I'm talking about XP users who haven't even updated as far as SP1.
Win98 users who have never run an update in their life...  
Win2k users are usually the most patched up that I've seen - because
that went into mostly business environments. 
This would at least get them up to the level of the playing field,
where the routine updates are not as much of a hassle.  Sure, you'll
get the little old ladies and gentlemen who will drop by every month
for their service pack fix, but that's just customer service. 

 Also, do you
 realize how much the 'average technical school graduate type' makes just
 from acquaintances who complain that their computers are slow, by simply
 removing whatever flavor of the month backdoor spam proxy virus 

Ah, now you are talking about why I happily promote Ad-Aware and
Spybot. 

I bet a
 good number of 'tech service calls' that companies such as PC On Call and
 people who service residences get could've been avoided by patching in a
 reasonable time period.

And your problem with the local ISP having this stuff available for
their users is? 

   However, awhile ago we tried an idea of sending out E-Mail alerts to
 our customers whenever a critical update of Remote execution or worse was
 released. We found that most of our users were annoyed by this, a different
 time we used a network sniffing tool to find a few dozen handfuls of your
 average home Dial-Up users who were infected with various malicious agents
 (I.e. Nimda, et cetera) and we actually contacted those users, to let them
 know and again we were met with more hostility. 

You definitely don't have our customers then.  Ours usually appreciate
being told that their systems are screwed up. 

   From this interesting pattern I would surmise that users want their
 ISPs to be hands-off unless the problem that they're causing is affecting
 them directly. End users on the Internet see their connectivity as a right,
 and not a privilege. I remember when I was 13 (that was only 11 years ago)

Some of ours are like that. Most seem to realize their limitations and
are happy to know that at some level we are looking out for them. BTW,
for me 13 was many more years ago than that... RTM wasn't even in
college yet, I imagine. 

 and I signed up for my Freenet account at the Columbus Public Library (I
 believe it was, ? still is? Through OSU), they really made me feel like it
 was a privilege to be using the Internet, and I honored that.

Dial-up, or using their systems at the library? And you weren't paying
for the privilege, at least not directly. 

 It's just difficult to explain from a professional level what the effects
 these peoples' behavior (or lack thereof) is having on the rest of the
 community. Think of it like people who drive monster SUV's, they can afford
 the gas, and the insurance so they don't believe that the harm that these
 beasts do to our environment matter, because again it's their god-given right
 to drive them.
 
That's a whole 'nuther horse to kill there.
-- 
Jeff Shultz
Network Technician
Willamette Valley Internet


Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Jonathan M. Slivko

Sorry about the double sending - I wasn't subscribed to nanog-post from this address.
-- Jonathan

-Original Message-
From: Jonathan M. Slivko [EMAIL PROTECTED]
Sent: Apr 19, 2004 1:51 PM
To: Jeff Shultz [EMAIL PROTECTED], '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)



-Original Message-
From: Jeff Shultz, Willamette Valley Internet [EMAIL PROTECTED]
Sent: Apr 19, 2004 1:39 PM
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

 I can burn a CD from ISO in about 5 minutes - how about you? 
 I'm talking about XP users who haven't even updated as far as SP1.
 Win98 users who have never run an update in their life...  
 Win2k users are usually the most patched up that I've seen - because
 that went into mostly business environments. 

 This would at least get them up to the level of the playing field,
 where the routine updates are not as much of a hassle.  Sure, you'll
 get the little old ladies and gentlemen who will drop by every month
 for their service pack fix, but that's just customer service. 

Doesn't Windows XP automatically do this by default currently? If not, it's something 
that Microsoft should consider setting to ON automatically to help defend the users 
from hackers, and in the same turn, help defend the ISP's network from being 
maliciously attacked or used for illegitimate purposes. However - I do think that 
Windows needs some more improvements in the area of security (which UNIX/Linux already 
has). However - to Microsoft's credit, they seem to be doing a rather nice job of 
actually beefing up their security practices. Now, if only they could figure out how 
to make Outlook/Outlook Express more security-conscious because as of the time of this 
writing, the Outlook Express/Outlook defaults are extremely unsafe.

Does anyone have/care to post a URL that explains how to set Outlook Express/Outlook 
to be more secure?

-- Jonathan

--
Jonathan M. Slivko - [EMAIL PROTECTED]
Linux: The Choice for the GNU Generation
 - http://www.linux.org/ -

Don't fear the penguin.
 .^.
 /V\
   /(   )\
^^-^^
  He's here to help.




RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Vivien M.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of David Schwartz
 Sent: April 19, 2004 12:57 PM
 To: 'Dr. Jeffrey Race'
 Cc: [EMAIL PROTECTED]
 Subject: RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)
 
 
  Firstly, who enforces it? The reason it works with cars 
 is that the 
  state (or province for those of us north of the border) effectively 
  says you can't drive a car without this lovely piece of 
 paper/plastic 
  that we'll give
  you and if we find you driving a car without the lovely piece of
  paper/plastic, you're going to be in serious trouble. Are 
 you proposing
  that each jurisdiction that currently licences drivers also
  licence Internet
  users and tell ISPs sorry, but if they don't give their licence,
  you can't
  give them an account?
 
   That's not a problem. The state licenses drivers but it 
 also owns the roads.

Yes... And the state doesn't own the Internet, and can't SEE the Internet
(or its component networks). How does it enforce who uses it?

  Secondly, HOW do you enforce it? Motor vehicles only 
 require a licence 
  to be operated on public roads in all jurisdictions I'm aware of. 
  IANAL, but if some 14 year old kid without a licence wants to drive 
  around on his parents'
  private property, that is not illegal.
 
   So? If you want to mess around on your private network, 
 I don't care either.

And exactly how do you separate public and private networks, from the point
of view of law enforcement? In the driving world, public roads are easy
enough to enforce things on... 

Besides, there are no [major] public networks, if by public, you mean
taxpayer-owned... If you mean publicly accessible, that's another story, of
course... 

  Now, the instant that
  vehicle leaves
  the private property, it's another story (assuming, of course, cops 
  around to check licences. In some jurisdictions, this is more true 
  than in others).
 
   Exactly. You want to go on someone else's roads, you do 
 so only by their rules.

But my point is, they can SEE you. If I drive out on the roads of whatever
state/province/municipality/etc, their authorized agents (read: cops) can
SEE me and stop me. Try and do that with my IP packets. You try and track
the IP packet that you are getting from my machine to me as a human... Sure,
you can do it, if you have an army of lawyers in a bunch of jurisdictions,
but it's not like the cop who sees a moron driving badly and just pulls them
over, at which point they HAVE the moron in their hands... You can have my
packets going around into your network without having physical access to me,
but you CAN'T have my car driving around (unless I'm not driving it :P) in
your roads without me being in it. 

So, how do you ask my packets for my computer licence?

  My point is, driving is ONLY regulated when it is done in 
 public view, 
  for obvious reasons. Computer use is an inherently private 
 activity, 
  so how do you propose to verify that the person using a 
 computer is in 
  fact licenced? Mandatory webcams? :P
 
   So you can drive however you want on *my* driveway? 
 That's not public view, is it? If there were only private roads, 
 I'll bet you that private road owners would have come up with 
 a licensing system quite similar to what we have today, for 
 liability reasons if nothing else. You might also notice that 
 you can't get liability insurance without a license even 
 though that insurance is issued privately, and there aren't 
 many road owners who let you drive on their roads without insurance.

If I drive on YOUR driveway without a licence, assuming I can GET to your
driveway without driving on a public road (e.g. someone with a licence
drives me to your driveway), I'm guilty of trespassing on your property,
but I don't think I'm guilty of driving without a licence. 

And why would any insurer insure somebody without a licence? Sounds to me
like financial suicide, assuming driver licencing actually DOES keep morons
off roads...

  Thirdly, WHO do you enforce it against? It's pretty difficult (and 
  illegal) for $RANDOM_JOE (or $RANDOM_KID, etc) to just go out and 
  drive someone's car
  without their explicit knowledge and permission. (Okay, so you
  can hotwire a
  car, but...) It's very easy for someone other than the computer
  owner or ISP
  contractholder to have access to it and abuse it and stuff.
 
   I'm not sure I understand why you think this is so. My 
 kids know that my computer is off-limits to them just like 
 they know my car is off-limits to them. They are physically 
 capable of obtaining access to either without my permission.

You're an IT professional. This isn't about you. This is about the random
family with the family computer that everybody installs random crapware
onto in the kitchen or den. Does the same apply in that situation?

  So what do you
  propose? Mandatory cardreaders on all computers? 
 Fingerprint scanners 
  integrated 

Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Jeff Shultz, WIllamette Valley Internet

** Reply to message from Jonathan M. Slivko
[EMAIL PROTECTED] on Mon, 19 Apr 2004 13:57:43 -0400
(GMT-04:00)

 -Original Message-
 From: Jeff Shultz, WIllamette Valley Internet [EMAIL PROTECTED]
 Sent: Apr 19, 2004 1:39 PM
 To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
 Subject: Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)
 
 I can burn a CD from ISO in about 5 minutes - how about you? 
 I'm talking about XP users who haven't even updated as far as SP1.
 Win98 users who have never run an update in their life...  
 Win2k users are usually the most patched up that I've seen - because
 that went into mostly business environments. 
 
 This would at least get them up to the level of the playing field,
 where the routine updates are not as much of a hassle.  Sure, you'll
 get the little old ladies and gentlemen who will drop by every month
 for their service pack fix, but that's just customer service. 
 
 Doesn't Windows XP automatically do this by default currently?

No, but it will ask you if you want to configure automatic updates.
That's still not going to do much for the dialup user who has to
download SP1.  And we're also talking about the majority of customers
who don't have WinXP - and won't be getting it. 

 If not,
 it's something that Microsoft should consider setting to ON
 automatically to help defend the users from hackers, and in the same
 turn, help defend the ISP's network from being maliciously attacked or
 used for illegitimate purposes. 

Then you come up against the I don't want MS messing with my machine
without my permission! bunch. Who, incidentally, have a valid point. 
Turning the firewall on by default in SP2 is going to have...
interesting results I imagine. Esp. in company environments that  use
Netbios over TCP/IP.  I assume it will firewall 137-140/445 by default. 

However - I do think that Windows needs
 some more improvements in the area of security (which UNIX/Linux
 already has). However - to Microsoft's credit, they seem to be doing a
 rather nice job of actually beefing up their security practices. Now,
 if only they could figure out how to make Outlook/Outlook Express more
 security-conscious because as of the time of this writing, the Outlook
 Express/Outlook defaults are extremely unsafe.
 
 Does anyone have/care to post a URL that explains how to set Outlook
 Express/Outlook to be more secure?
 

That's easy. In Outlook Express: Tools -> Options -> Read. Check the box
"Read all messages in plain text". 

You've just massively improved OE's security. Outlook doesn't do
this yet, does it? I haven't dug through Office 2003 much yet.
-- 
Jeff Shultz
Network Technician
Willamette Valley Internet


Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Dan Hollis

On Mon, 19 Apr 2004, Jeff Shultz, WIllamette Valley Internet wrote:
 ** Reply to message from Drew Weaver [EMAIL PROTECTED] on Mon,
 19 Apr 2004 13:42:53 -0400
  However, awhile ago we tried an idea of sending out E-Mail alerts to
  our customers whenever a critical update of Remote execution or worse was
  released. We found that most of our users were annoyed by this, a different
  time we used a network sniffing tool to find a few dozen handfuls of your
  average home Dial-Up users who were infected with various malicious agents
  (I.e. Nimda, et cetera) and we actually contacted those users, to let them
  know and again we were met with more hostility. 
 You definitely don't have our customers then.  Ours usually appreciate
 being told that their systems are screwed up. 

He's right.

Most customers get defensive/hostile when you tell them there's something 
wrong with their system.

However I've encountered the same attitude with many NOCs when informing 
them they have open relays / smurf amps / owned servers. First they deny 
it - "you must be mistaken", then get defensive "what business is it of 
yours anyway?" or hostile "you can't possibly know that without having 
broken into our network, I'm calling the police" (yeah right, I need to 
break into your network in order to be smurfed by your broken routers.)

So this isn't unique to end users. It seems most people would rather 
discover problems themselves, and go into a sort of panic mode when 
informed by a third party. Many (including NOCs) aren't emotionally 
prepared to handle anything beyond "hit ctrl-alt-del".

I'm still looking for a good way to gently inform end users/nocs of 
problems without having them fly off the handle.

-Dan



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread John Osmon

On Mon, Apr 19, 2004 at 12:03:32PM -0700, Dan Hollis wrote:
 
 On Mon, 19 Apr 2004, Jeff Shultz, WIllamette Valley Internet wrote:
  ** Reply to message from Drew Weaver [EMAIL PROTECTED] on Mon, 19 Apr 2004 
  13:42:53 -0400

[...notification of the...]
   average home Dial-Up users who were infected with various malicious agents
   (I.e. Nimda, et cetera) and we actually contacted those users, to let them
   know and again we were met with more hostility. 
  You definitely don't have our customers then.  Ours usually appreciate
  being told that their systems are screwed up. 
 
 He's right.
 
 Most customers get defensive/hostile when you tell them there's something 
 wrong with their system.

For what it's worth, our (dial-up and DSL) customers have generally
acted thankful when we contact them about the problems their machines
are causing.

I guess nothing changes -- the world is full of people.  :-)


Re: Lazy network operators - NOT

2004-04-19 Thread Valdis . Kletnieks
On Sun, 18 Apr 2004 20:03:04 EDT, Sean Donelan said:

 For example if VIX.COM had SPF records for its domain, other people
 could check the SPF records and not send anti-virus bounce messages
 when mail didn't originate from VIX.COM SPF listed systems.

Yeah.  They could.

Let me know when Beelzebub is spotted ordering parkas from Land's End.




Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Valdis . Kletnieks
On Mon, 19 Apr 2004 09:10:32 EDT, Dr. Jeffrey Race said:
 
 On Mon, 19 Apr 2004 06:12:16 -0400, Chris Brenton wrote:
 
  An uneducated
 end user is not something you can fix with a service pack.
 
 
 A profound point, again highlighting the fact that there
 are no technical solutions to this problem.  (Though
 technical measures to enhance traceability are a big help.)

Well, there *are* technical solutions, but over the last few hundred years
we've managed to essentially stop Darwinian selection against idiots, and we as
a society seem to frown on the forced sterilization of same.





RE: remote reboot power strips

2004-04-19 Thread just me

http://www.apc.com/resource/include/techspec_index.cfm?base_sku=AP7900

On Mon, 19 Apr 2004, Christopher J. Wolff wrote:

  That makes two votes for the Baytech.  Thank you.


[EMAIL PROTECTED]darwin
   Flowers on the razor wire/I know you're here/We are few/And far
   between/I was thinking about her skin/Love is a many splintered
   thing/Don't be afraid now/Just walk on in. #include disclaim.h



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Robert Boyle
At 02:27 PM 4/19/2004, you wrote:
 I can burn a CD from ISO in about 5 minutes - how about you?
 I'm talking about XP users who haven't even updated as far as SP1.
 Win98 users who have never run an update in their life...
 Win2k users are usually the most patched up that I've seen - because
 that went into mostly business environments.
 
 This would at least get them up to the level of the playing field,
 where the routine updates are not as much of a hassle.  Sure, you'll
 get the little old ladies and gentlemen who will drop by every month
 for their service pack fix, but that's just customer service.

 Doesn't Windows XP automatically do this by default currently?
No, but it will ask you if you want to configure automatic updates.
That's still not going to do much for the dialup user who has to
download SP1.  And we're also talking about the majority of customers
who don't have WinXP - and won't be getting it.
http://v4.windowsupdate.microsoft.com/en/default.asp?corporate=true

You can download anything on Windows Update here. We make many of these 
update files part of our standard dialup install CD. Especially service 
packs. They aren't installed by default, but they are on the CD if they 
need them. No 24 hour downloads needed.

R

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
Good will, like a good name, is got by many actions, and lost by one. - 
Francis Jeffrey



Re: Anyone from ATT here? (ATT bogus DNSBL answers)

2004-04-19 Thread just me

On Mon, 19 Apr 2004 [EMAIL PROTECTED] wrote:

  After all, people who build DNS infrastructure intend it to be
  used to for generic DNS translations, not generic database
  lookups.

Wait. What's the difference? I must have missed something.

matt ghali

[EMAIL PROTECTED]darwin
   Flowers on the razor wire/I know you're here/We are few/And far
   between/I was thinking about her skin/Love is a many splintered
   thing/Don't be afraid now/Just walk on in. #include disclaim.h



Re: Anyone from ATT here? (ATT bogus DNSBL answers)

2004-04-19 Thread Valdis . Kletnieks
On Mon, 19 Apr 2004 12:45:19 PDT, just me said:
 
 On Mon, 19 Apr 2004 [EMAIL PROTECTED] wrote:
 
   After all, people who build DNS infrastructure intend it to be
   used to for generic DNS translations, not generic database
   lookups.
 
 Wait. What's the difference? I must have missed something.

LDAP is on port 389. ;)

DNS is intended for "give me the A record for the hostname FOO".

LDAP is a more proper tool for "Give me the list of hosts that user
Q-Froob is allowed to post mail from on Tuesdays after 5PM".

Unfortunately, some of the anti-spam proposals look more like the
latter than the former.





Re: remote reboot power strips

2004-04-19 Thread Cemil Degirmenci
Christopher J. Wolff wrote:

 Last time I researched remote reboot power strips it seemed
 like most of the power strips were garbage.  Any
 recommendations for a solid performer would be appreciated.
APC's are working well. You can control them even with SNMP.

--
Kind regards / Mit freundlichen Gruessen,
Degirmenci






Re: remote reboot power strips

2004-04-19 Thread D'Arcy J.M. Cain

On Mon, 19 Apr 2004 22:09:56 +0200
Cemil Degirmenci [EMAIL PROTECTED] wrote:
 APC's are working well. You can control them even with SNMP.

We use them too and they seem to be fine.  The only problem we have found is that they 
do something a little different with EOL when logged into them.  Normally this is not 
a problem but we use an ssh client with the Blackberry and we can't use the menu over 
those.  It would have been nice if it worked.

However, we don't run MS so emergency reboots haven't really been an issue.  The 
devices are an expense that we are happy to have wasted our money on.

-- 
D'Arcy J.M. Cain [EMAIL PROTECTED]|vex}.net   |  Democracy is three wolves
http://www.druid.net/darcy/|  and a sheep voting on
+1 416 425 1212 (DoD#0082)(eNTP)   |  what's for dinner.


Re: Anyone from ATT here? (ATT bogus DNSBL answers)

2004-04-19 Thread Joe Abley


On 19 Apr 2004, at 16:04, [EMAIL PROTECTED] wrote:

 DNS is intended for "give me the A record for the hostname FOO".

DNS is currently used for "give me the resource record set of type X 
for the query key Y".

 LDAP is a more proper tool for "Give me the list of hosts that user
 Q-Froob is allowed to post mail from on Tuesdays after 5PM".

DNS has the advantages that its scaling properties are fairly 
well-known, it distributes easily across servers and administrative 
boundaries, records can be cached, and the delegation points can 
provide some measure of confidence that the server you're obtaining 
data from has some authority to dispense it (confidence ranging from 
"a little bit, maybe" to "high" if zones and delegations are signed, 
and there's a secure entry point to the chain somewhere). There are 
also few devices in the world that speak IP and don't already include a 
resolver.

DNS has lots of disadvantages too, and is cumbersome and obtuse for 
distribution of many types of data.

The general rule that "if it's not for associating addresses with host 
names, LDAP is better" is flawed though, I think.

Joe



Ad blocking with squid

2004-04-19 Thread Paul Khavkine



Hi Folks.


Anyone doing ad blocking with Squid cache engine out there ?

Is there a comprehensive URL list out there on the net ?


Thanx
Paul



Paul Khavkine
Network Administrator
DISTRIBUTEL Communications.
740 Notre Dame West, Suite 1135
Montreal, Quebec, Canada, H3C 3X6
1-514-877-5505 x 263
http://www.distributel.net




Re: Ad blocking with squid

2004-04-19 Thread John Kinsella

Take a peek at sleezeball - it has a url list plus recognizes banner-ad
sized images and blocks them out:

http://www.rambris.com/fredrik/sleezeball/

John

On Mon, Apr 19, 2004 at 04:33:49PM -0400, Paul Khavkine wrote:
 
 
 
 Hi Folks.
 
 
 Anyone doing ad blocking with Squid cache engine out there ?
 
 Is there a comprehensive URL list out there on the net ?
 
 
 Thanx
 Paul
 
 
 
 Paul Khavkine
 Network Administrator
 DISTRIBUTEL Communications.
 740 Notre Dame West, Suite 1135
 Montreal, Quebec, Canada, H3C 3X6
 1-514-877-5505 x 263
 http://www.distributel.net
 


Re: Ad blocking with squid

2004-04-19 Thread Jason Dixon
On Apr 19, 2004, at 4:33 PM, Paul Khavkine wrote:

Anyone doing ad blocking with Squid cache engine out there ?
I'm not sure if this is a kosher question for nanog, but what the hell. 
 Personally, I've been very pleased with Privoxy, especially if you 
don't want or need to install a full-blown proxy like Squid.

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net



Re: Ad blocking with squid

2004-04-19 Thread Paul Khavkine


Well i can see a few ways to do it with Squid (or not Squid).

What i'm interested in is an always up-to-date global URL list
that has all ad URLs constantly updated.

Was just wondering if such thing exists.



Thanx
Paul

On Mon, 19 Apr 2004, Jason Dixon wrote:


On Apr 19, 2004, at 4:33 PM, Paul Khavkine wrote:

 Anyone doing ad blocking with Squid cache engine out there ?

I'm not sure if this is a kosher question for nanog, but what the hell.
  Personally, I've been very pleased with Privoxy, especially if you
don't want or need to install a full-blown proxy like Squid.

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net






Paul Khavkine
Network Administrator
DISTRIBUTEL Communications.
740 Notre Dame West, Suite 1135
Montreal, Quebec, Canada, H3C 3X6
1-514-877-5505 x 263
http://www.distributel.net




Responsibility: user or OS? (Re: Microsoft XP SP2)

2004-04-19 Thread E.B. Dreger

JS Date: Mon, 19 Apr 2004 10:39:10 -0700
JS From: Jeff Shultz


JS  Also, do you realize how much the 'average technical school
JS  graduate type' makes just from acquaintances who complain
JS  that their computers are slow, by simply removing whatever
JS  flavor of the month backdoor spam proxy virus
JS
JS Ah, now you are talking about why I happily promote Ad-Aware
JS and Spybot.

They're a start.  However, I've encountered many systems with
suspicious/malicious ActiveX controls or BHOs that neither
AdAware nor Spybot caught.  I can't think of many other people
who are willing to rip out chunks of the Registry manually.

How savvy should users be expected to be?  Education is good, but
there comes a point where the OS/software need to make abuse a
bit more difficult.  I'm curious to see how Win2003 Server and
its executable restrictions fare.  Not a silver bullet, of
course, but a good start.

I've given several presentations where I ask an audience member
to stand up and blindly do whatever I instruct.  Nobody has been
willing yet.  Most people will only perform certain whitelisted
actions in a public crowd.

Perhaps software should observe similar defaults.  Java applets
are scored for safety based on what calls they execute; why not
extend the approach to all applications?  Why not run with safe
defaults?


Eddy
--
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_
  DO NOT send mail to the following addresses :
  [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.



Re: Ad blocking with squid

2004-04-19 Thread Duane Wessels


 What i'm interested in is an always up-to-date global URL list
 that has all ad URLs constantly updated.

 Was just wondering if such thing exists.

We have some linked from here:

http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.12

Duane W.


Re: Ad blocking with squid

2004-04-19 Thread Paul Khavkine


Seems like SquidGuard has an auto-updated list. Looks like SquidGuard it
is.



Thanx folks

Paul

On Mon, 19 Apr 2004, Duane Wessels wrote:


 What i'm interested in is an always up-to-date global URL list
 that has all ad URLs constantly updated.

 Was just wondering if such thing exists.

We have some linked from here:

http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.12

Duane W.




Paul Khavkine
Network Administrator
DISTRIBUTEL Communications.
740 Notre Dame West, Suite 1135
Montreal, Quebec, Canada, H3C 3X6
1-514-877-5505 x 263
http://www.distributel.net




Re: Anyone from ATT here? (ATT bogus DNSBL answers)

2004-04-19 Thread Paul Vixie

i consider myself an expert on the question, "what dns is not."  for
example, "dns is not a directory service," or, "dns is not a load balancer,"
or, "dns is about fact rather than policy."  so, when Michael Dillon wrote
about this topic today, i decided to pay attention:

 DNSBLs are using the DNS to do general purpose database
 lookups instead of using a generic database lookup 
 protocol like LDAP.

dns is a distributed, reliable, autonomous, hierarchical database.  any
data you can map into rrsets and ownernames is fair game.  see the
second half of rfc1101 (the part that goes beyond network naming) to see
what the inventor had in mind.  dns blackhole lists (of which eric
ziegast invented the first one as a way to encode the first RBL into a
format sendmail could read) are an excellent example of what i call "DNS
Services".  just as the web has all kinds of things on it that aren't
web pages (or web browsers) and we call those "Web Services".

 It's not surprising that this sort of ugly hack has unintended side
 effects. After all, people who build DNS infrastructure intend it to
 be used to for generic DNS translations, not generic database lookups.

just because it isn't gethostbyname() or gethostbyaddr() and isn't 
replacing the use of YP/NIS or /etc/hosts or HOSTS.TXT, does not make
it inappropriate for dns.  indeed, RFC1034 2.1, 2.2 and especially 2.3
go into this in detail, so you don't need to read the (later) RFC1101
document to get the full flavour of the inventor's intentions for DNS.

 Funny thing is that most mailer software that uses DNSBLs also
 supports LDAP database lookups so there is really no good reason why
 DNSBLs exist in the first place.

at the time the first DNS blackhole list was invented (here, by ziegast),
there was no support for LDAP in the version of sendmail we were running.

now that there are a hundred or more diverse/disparate DNS blackhole lists, 
i think the likelihood of changing the way blackhole data is delivered to
be LDAP rather than DNS should be considered a very long range goal, or
worse.

 IMHO, the DNSBL experiment has proved the usefulness of having a
 variety of blacklist/whitelist/greylist databases for mail servers to
 query. It's high time that folks shift these databases onto a protocol
 that does not interfere with the Internet's critical DNS systems and I
 believe that LDAP is that protocol.

re-inventing a distributed, hierarchical, autonomous, reliable database
just to avoid using DNS as its inventor intended it, seems like a great
waste of time, IMHO.
-- 
Paul Vixie

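The DNSBL mechanism argued over in this thread, as an added example (not code from the original posts or from any list operator): the queried IP is mapped onto an owner name by reversing its octets under the list's zone, an A record in 127.0.0.0/8 means "listed", and NXDOMAIN means "not listed". Because the answer is just DNS, a parked zone or a resolver that rewrites NXDOMAIN can turn every query into a false positive, so the lookup also flags answers outside 127.0.0.0/8 and checks the 127.0.0.2 / 127.0.0.1 test addresses before a list is trusted; the zone name `bl.example` and all zone data are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A resolver is any callable returning the A records for an owner name, or an
# empty list when the name does not exist.  The real thing would be a stub
# resolver; everything below runs against constructed zone data instead.
Resolver = Callable[[str], List[str]]

# DNSBL answers live in 127.0.0.0/8 by convention; the last octet often encodes
# the listing reason (list-specific).  Anything else is not a listing.
DNSBL_ANSWER_NET = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Map an IPv4 address onto the owner name a DNSBL serves it under:
    octets reversed (as in in-addr.arpa), then the list's zone."""
    addr = ipaddress.IPv4Address(ip)            # ValueError on garbage input
    reversed_octets = ".".join(reversed(addr.exploded.split(".")))
    return f"{reversed_octets}.{zone.strip('.')}."


@dataclass
class DnsblResult:
    listed: bool
    answers: List[str] = field(default_factory=list)
    suspect: Optional[str] = None   # set when the answer cannot be trusted


def dnsbl_lookup(ip: str, zone: str, resolve: Resolver) -> DnsblResult:
    """One DNSBL query: no data means 'not listed', an A record inside
    127.0.0.0/8 means 'listed'.  An A record outside 127.0.0.0/8 is treated as
    a bogus answer (parked or wildcarded zone, or a resolver that rewrites
    NXDOMAIN) and is never taken as a listing."""
    answers = resolve(dnsbl_query_name(ip, zone))
    if not answers:
        return DnsblResult(listed=False)
    outside = [a for a in answers
               if ipaddress.IPv4Address(a) not in DNSBL_ANSWER_NET]
    if outside:
        return DnsblResult(listed=False, answers=answers,
                           suspect=f"answer outside 127.0.0.0/8: {outside}")
    return DnsblResult(listed=True, answers=answers)


def dnsbl_sane(zone: str, resolve: Resolver) -> bool:
    """Liveness check before trusting a list for mail rejection: by convention
    (later written down in RFC 5782) 127.0.0.2 is always listed and 127.0.0.1
    never is.  A list failing either is dead, wildcarded, or being answered by
    something other than the list operator."""
    positive = dnsbl_lookup("127.0.0.2", zone, resolve)
    negative = dnsbl_lookup("127.0.0.1", zone, resolve)
    return positive.listed and not negative.listed and negative.suspect is None


def should_reject(ip: str, zones: List[str], resolve: Resolver) -> List[str]:
    """Names of the lists that (sanely) list `ip`; empty means accept.  Lists
    that fail the sanity check are ignored rather than allowed to reject all."""
    return [z for z in zones
            if dnsbl_sane(z, resolve) and dnsbl_lookup(ip, z, resolve).listed]


def make_resolver(zone_data: Dict[str, List[str]]) -> Resolver:
    """Constructed resolver backed by a dict of owner name -> A records."""
    return lambda name: list(zone_data.get(name.lower(), []))


# Constructed data: a healthy list, and a parked one that answers every name
# with a web server address (what a lapsed DNSBL domain typically turns into).
HEALTHY = make_resolver({
    "2.0.0.127.bl.example.": ["127.0.0.2"],
    "10.0.0.203.bl.example.": ["127.0.0.2", "127.0.0.4"],
})
PARKED: Resolver = lambda name: ["192.0.2.80"]
```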

Re: Lazy network operators - NOT

2004-04-19 Thread Paul Vixie

  Well, Paul did advance a methodology - blackhole them all grin
 
 If Paul came up with a practical way to fix millions of compromised
 computers which didn't involve hiring entire second-world countries
 to talk grandma through the process, I think many people would be
 interested in talking to him.

two things, though:  (1) you'll never get those things fixed and (we both
know it), (2) so you'd better prepare for the inevitability of widespread
filtering against your DSL/Cable blocks (whether you talk to me or not.)

  550 IP blocked for USE - for resolution contact your service provider.
 
 If you haven't noticed, the infected user doesn't notice this.  However
 many other people with legitimate uses are frequently caught up in the
 collateral damage.

sadly, those other people have had their expectations falsely set, and
they are going to find their way to http://www.vix.com/personalcolo/ or
an SMTP AUTH provider because market forces are completely without mercy.

DSL/Cable is a fine access product, it's better than a phone line & modem
because it allows faster web surfing, movies/mp3/etc on demand, and soon
VoIP.  but no e-mail server anywhere can afford the risk of accepting
e-mail or any other push-data from them.  risk management, in this case,
is going to come in the form of widespread e-mail rejection from all DSL/
Cable blocks.  talk to the hand.

 That's why I keep advocating better ways to identify the specific
 sources of the unwanted traffic, even if they change IP addresses.

my informal survey says the bad guys are better at this stuff than we are,
and they're getting better every day, and we're not.  the trend isn't good.

 With better identification, you directly receive the benefit of
 keeping your computer clean.  You eliminate the third-party dependency
 of needing to fix other's peoples mistakes in order to do your work.
 It also makes it easier for other people to take action, because the
 collateral damage is less.

you sound like a man with a vision.  care to pass that bong over this way?
-- 
Paul Vixie


Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Paul Vixie

  Should ISPs start requiring their users to install Windows XP SP2?

nope.  especially since, according to bill gates, linux would have the
same reputation if it was as popular a platform (and therefore a target
of more virii.)  now, you could go further, and say "if you emit streams
of weird(*) looking traffic we'll shut your line down and wait for you to
call us and give us an explanation" but then you're just going to be
on the phone all the time and that's no good for anybody -- especially
since cleanup costs are high, and reinfection costs are low, and phone
time is really expensive.  so why not just disallow all that bad junk
all the time, instead of waiting for it to be seen in flight?

[(*) weird could mean streams of tcp/syn or tcp/rst, or forged source
 addresses, or streams of unanswered udp, or streams of outbound tcp/25,
 or udp/137..139, or who knows what it'll be by this time next month?]

 Let's face it -- this shouldn't have to be the ISP's problem. 

you're right, and it won't be for very much longer.  access isp's cannot
take responsibility for the health of their customers' computers, they
just need to work harder to ensure that access is all they provide, and
that servers don't work, udp/137..139 doesn't work, and outbound e-mail
is via tunnel or proxy.  since access isp's aren't able to do even that
much (for fear of their customers' wrath, or due to lack of technology
inside the headend, or whatever), it's going to get done by the dreaded
giant merciless monster known as market forces.
-- 
Paul Vixie

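The "weird traffic" heuristics listed in the post above, as an added example run over constructed flow records (not code from the original post or from any ISP's headend): it flags SYN-only streams to many destinations, outbound tcp/25 to many distinct hosts, udp/137..139 leaving the access network, and source addresses outside the customer pool. The pool `203.0.113.0/24`, the thresholds and every flow record are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Set

# Constructed: the address pool handed out to this access network's customers.
# Anything leaving the headend with a source outside it is forged.
CUSTOMER_POOL = ipaddress.IPv4Network("203.0.113.0/24")

# Distinct destinations one host may open SYN-only or tcp/25 flows to within
# the export window before it counts as a "stream".  Tuning knobs, not truths.
SYN_STREAM_DESTS = 20
SMTP_STREAM_DESTS = 10
NETBIOS_PORTS = range(137, 140)   # udp/137..139


@dataclass(frozen=True)
class Flow:
    """One outbound flow record as exported by the headend (constructed)."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    flags: str      # TCP flags seen over the flow's life, e.g. "S", "SA", "SPA"
    packets: int


def classify(flows: Iterable[Flow]) -> Dict[str, Set[str]]:
    """Return {source address: set of reasons} for hosts whose traffic matches
    the patterns above.  Hosts with nothing to report are absent."""
    reasons: Dict[str, Set[str]] = defaultdict(set)
    syn_only_dests: Dict[str, Set[str]] = defaultdict(set)
    smtp_dests: Dict[str, Set[str]] = defaultdict(set)

    for f in flows:
        if ipaddress.IPv4Address(f.src) not in CUSTOMER_POOL:
            # The real sender is unknown by definition: the headend port the
            # record arrived on identifies the customer, not f.src.
            reasons[f.src].add("forged-source")
            continue
        if f.proto == "udp" and f.dport in NETBIOS_PORTS:
            reasons[f.src].add("netbios-leak")
        if f.proto == "tcp" and f.dport == 25:
            smtp_dests[f.src].add(f.dst)
        if f.proto == "tcp" and f.flags == "S":
            # SYN with no reply ever seen: a half-open probe, one per target.
            syn_only_dests[f.src].add(f.dst)

    for src, dests in syn_only_dests.items():
        if len(dests) >= SYN_STREAM_DESTS:
            reasons[src].add("syn-stream")
    for src, dests in smtp_dests.items():
        if len(dests) >= SMTP_STREAM_DESTS:
            reasons[src].add("smtp-stream")
    return dict(reasons)


# Constructed sample: one ordinary customer, one infected one, one spoofed flow.
SAMPLE_FLOWS = (
    [Flow("203.0.113.5", "198.51.100.10", "tcp", 80, "SPA", 40),
     Flow("203.0.113.5", "203.0.113.1", "tcp", 25, "SPA", 12)]     # ISP relay
    + [Flow("203.0.113.77", f"198.51.100.{i}", "tcp", 135, "S", 1)
       for i in range(1, 26)]                                      # 25 probes
    + [Flow("203.0.113.77", f"192.0.2.{i}", "tcp", 25, "SPA", 30)
       for i in range(1, 13)]                                      # 12 MXes
    + [Flow("203.0.113.77", "198.51.100.200", "udp", 137, "", 3),
       Flow("10.9.8.7", "192.0.2.9", "tcp", 80, "S", 1)]           # forged src
)
```

The ordinary customer's single tcp/25 flow to the ISP relay stays below the threshold, which is the point of the post's "outbound e-mail via tunnel or proxy" remedy: legitimate mail has one destination, a mass-mailing worm has dozens.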

Re: Lazy network operators - NOT

2004-04-19 Thread Sean Donelan

On Mon, 19 Apr 2004, Paul Vixie wrote:
 two things, though:  (1) you'll never get those things fixed and (we both
 know it), (2) so you'd better prepare for the inevitability of widespread
 filtering against your DSL/Cable blocks (whether you talk to me or not.)

Paul, where have you been?  There is already widespread filtering of
DSL/Cable/Dialup blocks.  Some DSL/Cable/Dialup providers even provide
daily/weekly feeds to various third-party list operators and other service
providers so they can more accurately maintain lists of dynamic addresses.

Accurate lists of dynamic addresses are encouraged.

Or are you suggesting the SPEWS approach of blacklisting everything.
DSL/Cable/Dialup users won't be able to send e-mail directly from those
addresses, and in addition, do you intend to go further and also black
list all the provider's e-mail servers and static addresses and dedicated
addresses so any provider which has DSL/Cable/Dialup pools can't have
any e-mail servers on any address block registered to the same provider.


Topics for SF

2004-04-19 Thread Susan Harris

Greetings - here are the presentations we've lined up so far for San
Francisco.  Keep your eye on www.nanog.org for updates.

Sunday Tutorials

- BGP Techniques for Service Providers
Level: Introductory/Intermediate
Philip Smith, Cisco

- Using IPsec to Encrypt Your Wireless Traffic at NANOG
Level: Introductory, Hands-on
Duane Wessels, Measurement Factory

- IS-IS Up to Date
Level: Intermediate/Advanced
Shankar Vemulapalli, Cisco

General Session
---
- Implications of Securing Backbone Router Infrastructure
Ryan McDowell, Sprint

- Panel: VoIP and Regulation - How Government and Telcos Expect to Regulate VoIP to
the Disadvantage of Smaller ISPs ... Or Not
Bill Manning, moderator

- Appropriate Layer 2 Interconnection Between IXPs
Keith Mitchell, XchangePoint

- Benefits of Negotiated Interdomain Traffic Engineering
Ratul Mahajan, David Wetherall, and Thomas Anderson, University of Washington

- Panel: Network Augmentation - Experiences in Adding IPv6 Services/Support to
Existing IPv4 Networks
Bill Manning, moderator

- Verifying Wide-Area Routing Configuration
Nick Feamster, MIT

- Tulip: A Tool for Locating Performance Problems Along Internet Paths
Ratul Mahajan, Neil Spring, David Wetherall, and Thomas Anderson,
University of Washington

- Case Studies in Intra-Domain Routing Instability
Zhang Shu, Nat'l. Institute of Information and Communications Technology, Japan

- Integrated Security for SNMP-Based Management
Wes Hardaker, Sparta

- Preparing RIR Allocation Data for Network Security Analysis Tasks
Brian Trammell, CERT

Research Forum
--
 - Predicting Public Internet Growth With Classical Economic Theory, or, The Wealth
   of Networks
 Tom Vest, AOL

Monday Evening BOF
-
 - ISP Security and NSP-SEC BOF VI
 Danny McPherson, Arbor, and Merike Kaeo, moderators


Backbone IP network Economics - peering and transit

2004-04-19 Thread Gordon Cook
Peering?  Who needs peering if transit can be had 
for $20 per megabit per second?

I last had a detailed look at peering and transit 
economics in the summer of 2002.  It is pretty 
amazing to see what has happened to prices since 
then.  I have a private mail list underway on 
this subject and published the first part of a 
two part study on Saturday.

Details available at http://cookreport.com/13.03.shtml

Any opinions here on what MCI coming out of 
bankruptcy will mean?  How will once mighty AT&T 
compete?  How can it possibly compete if it 
actually tries to pay the interest on its bonds?

June 2004 COOK Report page one:

Economic Pressure on Long Haul Fiber

Five Years After Bubble Burst Prices Have Plunged 
Yet Nothing Fundamental Has Been Fixed

Examination of Data Network Woes Shows 
Termite-Riddled Foundation Leading to More 
Bankruptcies in Absence of Broader Understanding

Tech-Telcom Recovery, or just a pause before the next round of bankruptcies?

In this issue we explain why we believe that 
competitive fiber backbones have a failing 
business model that has driven prices below the 
cost of maintenance and replacement. We point out 
that the carriers are making up the difference 
with cost cutting in every way imaginable and by 
subsidizing the losing backbones with what 
profits remain from voice. As the voice profits 
disappear via government (GIG BE), corporate, and 
municipal networks that are buying and lighting 
their own strands of fiber, and hence leaving the 
PSTN, another round of bankruptcies looks to be 
inevitable.

As Eli Noam has warned, when the dominoes start 
to fall again, the US government, rather than let 
the telecommunications system collapse, will have 
no choice but to step in and start regulating IP 
networks. The kind of regulation that is coming 
will have little to do with encouraging common 
carriage or wide spread access to broadband. 
Instead it will have everything to do with 
consolidating a few remaining survivors and 
enabling them to pay their bondholders. The scene 
is not a pretty one and the miserable policy is 
being exacerbated by American bankruptcy law 
that permits bankrupt fiber carriers to reorganize 
through Chapter 11 rather than insisting on 
disbandment via Chapter 7.

What is especially pernicious about this 
situation is that permitting bankrupt carriers 
such as MCI to reorganize makes a bad situation 
worse. It does nothing to get rid of the 
company's massive glut of fiber. Instead, by 
wiping out its debt, it ensures a cost cutting 
advantage to the reorganized company. Still, 
blessed with the same massive amount of fiber it 
had before, it can gain income by again cutting 
prices below what its not-yet-bankrupt cousins 
like AT&T and Sprint can afford to sell, if they 
are to ever pay off their bonds. Roxanne Googin, 
in an interview to be published next month, was 
scathing in her comments on MCI being allowed by 
the Bush Justice Department to file Chapter 11 
rather than 7 - given the company's acknowledged 
massive fraud. She added that, given the MCI 
example, in her opinion any carrier that makes a 
good faith effort to pay back its bond holders is 
just plain foolish.

With this issue we turn to the badly broken 
economics of peering and the attendant backbone 
business models. After three hours conversation 
with Farooq Hussain and ninety minutes with 
Farooq and Roxane Googin we have a clearer 
picture of where things went wrong beginning with 
the privatization of the NSF Net backbone in 
April 1995. The plan when implemented was a 
reasonable one, but it is fascinating to look 
back and understand how all the dominoes fell the 
wrong way. The result made a bad situation 
steadily worse until the Cable and Wireless 
bankruptcy of 2002 ripped a major hole in the 
Tier One hierarchical façade and pointed the way 
to the technology topology business case issues 
pointed out by Farooq during our conversation of 
April 4, 2004.

This fairly short issue lays the foundations for 
the mail list discussion that began on March 18 
and will be published in the next issue in about 
mid May. In focusing on the woes of the LECs 
during the past two years, we have overlooked the 
fact that the carriers are in worse shape and 
that the telcos are again speeding toward the 
precipice. Most everything is broken and, one of 
the frustrating issues, is that it is difficult 
to get agreement on just where. The phone 
companies do need to die and be replaced. But a 
huge problem that remains is that, unlike Japan, 
and many other countries, the US is in gridlock. 
For, in the US, the ILECS and IXCs own the FCC. 
There is still enough money left in the industry 
that government is hobbled by a political 
unwillingness to let the bond and equity holders 
take the consequences and get on with life.

Looking for the Big Picture and By Passing the Carrier

Let's look more closely at what is going on. One 
consequence of the fiber glut has been 

Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread John Kristoff

On 19 Apr 2004 22:16:58 +
Paul Vixie [EMAIL PROTECTED] wrote:

 [(*) weird could mean streams of tcp/syn or tcp/rst, or forged source
  addresses, or streams of unanswered udp, or streams of outbound tcp/25,
  or udp/137..139, or who knows what it'll be by this time next month?]

Precisely.  It could be most anything and likely will be eventually.
Why not stop the hacks that are filtering, whitelists and rate limiting
and just replace end hosts with dumb terminals, the links with fixed
rate channels and in the network place all the controls and content?
Instead of network service providers we would mostly be a collection of
systems operators.

 inside the headend, or whatever), it's going to get done by the dreaded
 giant merciless monster known as market forces.

This and the installed base is probably why the above won't occur
overnight, but things are veering in that direction.  While end users will
resist many attempts to remove their freedom of bits, freedom of cpu and
freedom of connectivity, what is being designed, or better, re-designed
is a network with a very fragile infrastructure.  This is good for no
one.

The ideas about tussle (D. Clark, et al) are a way to think about the
problems and solutions, but still the difficulty, because of market
forces and installed base, is how to get there from here.

John


RE: Backbone IP network Economics - peering and transit

2004-04-19 Thread Michel Py

 Peering?  Who needs peering if transit can be
 had for $20 per megabit per second?

The smaller guys that don't buy transit buy the gigabit.

Michel.



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Scott Weeks



On Mon, 19 Apr 2004, Dr. Jeffrey Race wrote:
: On Mon, 19 Apr 2004 06:12:16 -0400, Chris Brenton wrote:
:
:  An uneducated
: end user is not something you can fix with a service pack.
:
: A profound point, again highlighting the fact that there
: are no technical solutions to this problem.  (Though
: technical measures to enhance traceability are a big help.)
:
: So, the logical inference is training and licensing to
: get internet access.   When I was 16 in Connecticut many
: many years ago, we had to take a driver-training course
: (given by a policeman) to get a driver's license.
:
: I see no discussion about this approach, here or elsewhere.



Think globally.  Even though this forum has NA as its heading, we need to
think globally when suggesting solutions.  You'll never get any sort of
licensing globally nor will you EVER get end users (globally) educated
enough to stop doing the things that they do which allow these events to
continually occur.

scott



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Dr. Jeffrey Race

On Mon, 19 Apr 2004 17:07:45 -1000 (HST), Scott Weeks wrote:
Think globally.  Even though this forum has NA as its heading, we need to
think globally when suggesting solutions.  You'll never get any sort of
licensing globally nor will you EVER get end users (globally) educated
enough to stop doing the things that they do which allow these events to
continually occur.

We are in violent agreement about this.

Since many gateway service providers will not prevent insufficiently
skilled users from connecting to the internet and injuring others, the 
only remaining solution, as far as I can see, is cutting connectivity
with those enablers.  That is the proposal I advanced in
http://www.camblab.com/misc/univ_std.txt.

The logic seems quite simple: either fix all the users (impossible
as you state) or keep them off the net (which you say many SPs won't
do; I believe some will but many won't) so the only solution is to
cut the latter off.  

If you are not willing to do that, then you will just have to accept
the spam and we might as well stop whining about it.  It is your
choice.

Jeffrey Race




Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Scott Weeks


: Think globally.  Even though this forum has NA as its heading, we need to
: think globally when suggesting solutions.  You'll never get any sort of
: licensing globally nor will you EVER get end users (globally) educated
: enough to stop doing the things that they do which allow these events to
: continually occur.
:
: Since many gateway service providers will not prevent insufficiently
: skilled users from connecting to the internet and injuring others, the
: only remaining solution, as far as I can see, is cutting connectivity
: with those enablers.  That is the proposal I advanced in
: http://www.camblab.com/misc/univ_std.txt.
:
: The logic seems quite simple: either fix all the users (impossible
: as you state) or keep them off the net (which you say many SPs won't
: do; I believe some will but many won't) so the only solution is to
: cut the latter off.

Neither can happen.  That's just another way of saying make all your users
skilled or go out of business.  For example, cutting granny out of the
$9.95 dialup service is committing hara-kiri for those that do that type of
business.  You'll never get her to complete training so she can send baby
pictures to all her friends.   Especially all the grannies in all the
countries globally.


: If you are not willing to do that, then you will just have to accept
: the spam and we might as well stop whining about it.  It is your
: choice.

While I'm listening to all the smart (and many not so) folks figure it
out, I can press d quickly.  I'm not whining, I'm listening intently...
:-)

scott



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Gregh


- Original Message - 
From: Scott Weeks [EMAIL PROTECTED]
To: Dr. Jeffrey Race [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, April 20, 2004 1:07 PM
Subject: Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)



 Think globally.  Even though this forum has NA as its heading, we need to
 think globally when suggesting solutions.  You'll never get any sort of
 licensing globally nor will you EVER get end users (globally) educated
 enough to stop doing the things that they do which allow these events to
 continually occur.


I would like to point out one little area of concern in this discussion for
me - that was the critical update for Win XP of March 28th, 2002 in its
original output, not the amended one.

I don't know how many of your clients were affected by this but I had to
rush about in circles like a duck with a broken wing simply because some
users had altered their own settings, regardless of policy at each company,
so that they could apply updates for themselves. Consequently some XP (and I
believe W2K as well but I didn't see this on a W2K machine personally)
setups just went down in a heap and it took some time to fix them all.

So, while considering global solutions, if anyone were to seriously decide
all Windows machines will now be auto updated whether you like it or not, I
would definitely put a block on Windows web sites - as I had to do at that
time - so that no-one could get an update I didn't apply. Since that time,
any XP update gets tested on a machine that doesn't matter should it go down
prior to installation.

We are all so busy, here, looking at ways to solve a problem that is already
there. It should be stopped prior to it coming out and fixed at that point.
This means REAL beta testers, not whatever is going on in MS right now.
There should also be consequences. That implies a lot of people in I.T.
acting as one mind and enforcing something upon MS. That is where we will
always fail. Like the untended hard drive, we are too fragmented.

Greg.



Re: Backbone IP network Economics - peering and transit

2004-04-19 Thread Patrick W . Gilmore
On Apr 19, 2004, at 10:45 PM, Michel Py wrote:

Peering?  Who needs peering if transit can be
had for $20 per megabit per second?
The smaller guys that don't buy transit buy the gigabit.
Then their traffic will not justify 1000s of $$ per month for lines, 
racks, and NAP connection.

Unless they have cheap access to a free NAP (TorIX, SIX, etc.), 
transit, even at higher prices, is probably the best / cheapest way 
to reach the Internet.

OTOH, for the guys who do buy a lot of traffic, a NAP connection might 
be worth it.  For instance, if you have a node in 151 Front Street, it 
would be silly not to connect to the TorIX for a one-time fee and send 
free traffic to a lot of good eyeballs in Canada - not to mention the 
performance benefits.  The same might be true of a PAIX / Equinix 
location.

Saying who needs [foo] is not a good question without supplying the 
other variables.  It all depends on your traffic mix, locations, deals 
you can make with the NAPs, networks who will peer with you, etc.

--
TTFN,
patrick


Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Dr. Jeffrey Race

On Mon, 19 Apr 2004 17:53:45 -1000 (HST), Scott Weeks wrote:

Neither can happen.  That's just another way of saying make all your users
skilled or go out of business.

The SPs whose business model entails externalizing the
costs SHOULD go out of business.



Re: Backbone IP network Economics - peering and transit

2004-04-19 Thread Paul Vixie

  Peering?  Who needs peering if transit can be
  had for $20 per megabit per second?

anyone whose applications are too important to risk dependency on OPNs
(other people's networks).
-- 
Paul Vixie


Re: Backbone IP network Economics - peering and transit

2004-04-19 Thread Mikael Abrahamsson

On Mon, 19 Apr 2004, Gordon Cook wrote:

 Peering?  Who needs peering if transit can be had 
 for $20 per megabit per second?

Aren't the companies still doped from the bubble in 2000-2001? Price
example:

You have three cities. Two 12400 GSRs per city, and OC192 to connect them,
that's a total of 12 $150k ($225k minus rebate) cards and let's say $100k
per router for customer facing interfaces etc (unrealistically low).

If you want to pay this investment back over three years and let's say 
you'll push 10gigs of customer paying traffic (because of redundancy etc). 
You end up with close to $10 per megabit in just equipment fee to 
cisco so you have half of the money left from the initially stated price of 
$20 per megabit, this for a small inter-metro network.

Since Cisco basically hasn't lowered the price per megabit on any interface 
cards for the GSR platform, it cannot be used apart from doing very long 
distance transfer via DWDM where the links are full of revenue-generating 
traffic all the time. Juniper is even more expensive.

We like these platforms, they're very stable and well performing, but I
just cannot see how investing in them can be justified at today's megabit
price.

-- 
Mikael Abrahamsson    email: [EMAIL PROTECTED]




RE: Backbone IP network Economics - peering and transit

2004-04-19 Thread Michel Py

 Patrick W.Gilmore wrote:
 Unless they have cheap access to a free NAP (TorIX, SIX, etc.),
 transit, even at higher prices, is probably the best /
 cheapest way to reach the Internet.

This is true, but there are plenty of other opportunities for peering,
such as: both parties buy DS-3 class transit from the same tier-2 or
even maybe tier-3 provider in a colo (which will likely be a BFM, other
problem) not a formal IX. In other words, peering in an IX does cost
money, but peering at a colo might not, as these messy colos are mostly
unmanaged and nobody cares about that 25ft cross-over cable :-)

Michel.



Re: remote reboot power strips

2004-04-19 Thread Alexei Roudnev

The same.

- Original Message - 
From: Roy [EMAIL PROTECTED]
To: 'Nanog List' [EMAIL PROTECTED]
Sent: Monday, April 19, 2004 10:10 AM
Subject: RE: remote reboot power strips




 We use a number of both the APC Masterswitch and the WTS NPS-115 with good
 results.  I don't think either of them have had a failure.

 Roy


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
 Christopher J. Wolff
 Sent: Monday, April 19, 2004 8:24 AM
 To: 'nanog list'
 Subject: remote reboot power strips



 Hello,

 Last time I researched remote reboot power strips it seemed like most of
 the power strips were garbage.  Any recommendations for a solid performer
 would be appreciated.  Thank you.

 Regards,
 Christopher J. Wolff, VP CIO
 Broadband Laboratories, Inc.
 http://www.bblabs.com






Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Alexei Roudnev

Yes.

Unfortunately, one day 1,000,000 users will find in their mail boxes a fully
automated CD with 'Microsoft Update' on the label and 1,000 viruses /
trojans inside. -:)






 
 Patches either need to be of a size that a dialup user doesn't have to
 be dialed in for 24 hours to download and install them.  Or .iso's
 should be available for ISP's to download, turn into CD's and
 distribute as appropriate. Wouldn't that be nice for a dialup user -
 getting Windows Update on a CD-ROM from their ISP?
 

 It shouldn't be just windows update which of course doesn't patch office
 etc., it should be a fully automated cd that the user pops in and it
 autoupdates ALL MICROSOFT PRODUCTS that are installed and it should do it
 without asking for the stupid office CDs..

 Geo.




Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Alexei Roudnev

I agree.

90% of users CANNOT UPDATE. How?

- (1) updates are too big to be downloaded by modem, which fails every 20 -
40 minutes (which is common in many countries);
- (2) if you connect to the Internet for the update, you are infected by a
virus much faster than you can install the update.

I saw it. A home user installs Win2K, then connects to the internet to get
the update... and catches a virus.





 ** Reply to message from Drew Weaver [EMAIL PROTECTED] on Mon,
 19 Apr 2004 13:42:53 -0400

  -- Jeff said -- 
 
 
  Patches either need to be of a size that a dialup user doesn't have to
  be dialed in for 24 hours to download and install them.  Or .iso's
  should be available for ISP's to download, turn into CD's and
  distribute as appropriate. Wouldn't that be nice for a dialup user -
  getting Windows Update on a CD-ROM from their ISP?
 
  To which I reply:
 
  It is somewhat unreasonable to think that ISPs should be responsible
  for the security of their users' systems on a systematic basis.

 Responsible? No.
 Able to assist in maintaining that security (and thus that of the ISP's
 network)? Yes.

  Another reason the idea of a 'CD with updates' most likely wouldn't be
  effective is because by the time the ISP produced the CD, the user got the
  CD, and installed it, the patches would most likely not be the most recent
  available.

 I can burn a CD from ISO in about 5 minutes - how about you?
 I'm talking about XP users who haven't even updated as far as SP1.
 Win98 users who have never run an update in their life...
 Win2k users are usually the most patched up that I've seen - because
 that went into mostly business environments.
 This would at least get them up to the level of the playing field,
 where the routine updates are not as much of a hassle.  Sure, you'll
 get the little old ladies and gentlemen who will drop by every month
 for their service pack fix, but that's just customer service.

  Also, do you
  realize how much the 'average technical school graduate type' makes just
  from acquaintances who complain that their computers are slow, by simply
  removing whatever flavor of the month backdoor spam proxy virus

 Ah, now you are talking about why I happily promote Ad-Aware and
 Spybot.

  I bet a good number of 'tech service calls' that companies such as PC On
  Call and people who service residences get could've been avoided by
  patching in a reasonable time period.

 And your problem with the local ISP having this stuff available for
 their users is?

  However, a while ago we tried an idea of sending out E-Mail alerts to
  our customers whenever a critical update of Remote execution or worse
  was released. We found that most of our users were annoyed by this; a
  different time we used a network sniffing tool to find a few dozen handfuls
  of your average home Dial-Up users who were infected with various malicious
  agents (i.e. Nimda, et cetera) and we actually contacted those users, to
  let them know and again we were met with more hostility.

 You definitely don't have our customers then.  Ours usually appreciate
 being told that their systems are screwed up.

  From this interesting pattern I would surmise that users want their
  ISPs to be hands-off unless the problem that they're causing is affecting
  them directly. End users on the Internet see their connectivity as a
  right, and not a privilege. I remember when I was 13 (that was only 11
  years ago)

 Some of ours are like that. Most seem to realize their limitations and
 are happy to know that at some level we are looking out for them. BTW,
 for me 13 was many more years ago than that... RTM wasn't even in
 college yet, I imagine.

  and I signed up for my Freenet account at the Columbus Public Library (I
  believe it was, ? still is? Through OSU), they really made me feel like
  it was a privilege to be using the Internet, and I honored that.

 Dial-up, or using their systems at the library? And you weren't paying
 for the privilege, at least not directly.

  It's just difficult to explain from a professional level what the effects
  these peoples' behavior (or lack thereof) is having on the rest of the
  community. Think of it like people who drive monster SUVs, they can
  afford the gas, and the insurance so they don't believe that the harm
  that these beasts do to our environment matter, because again it's their
  god-given right to drive them.
 
 That's a whole 'nuther horse to kill there.
 -- 
 Jeff Shultz
 Network Technician
 Willamette Valley Internet