Re: BlackWorm infected IP's reporting

2006-01-25 Thread Martin Hannigan

 
 
 Hi.
 
 In the next day or so some of us will cooperate to bring to the 
 attention of all effected AS's information about infected users in their 
 net-space.

That would be affected. 

 This will be coordinated with several groups and organizations. Please 
 expect these emails, thanks.

In other words, NANOG is a step child of these and we'll only see
the PR? If you're going to keep the mitigations off of NANOG, it's
probably safe to keep it all off. We all read newspapers, blogs, and
slashdot. 

I'll post my pre-94 copy of the Compuserve Directory if someone can
prove this story didn't come from this list:

http://www.eweek.com/article2/0,1895,1915070,00.asp

SANS has it, but they aren't being authoritative about it, quoting
elsewhere:

http://isc.sans.org/diary.php?storyid=1067

I'd love to see the US authoritative sources jump in on these
and advise us to cough up our dimes for the dances or not.

-M



Re: cctld server traffic

2006-01-25 Thread Stephane Bortzmeyer

On Mon, Jan 23, 2006 at 01:48:19PM -0800,
 william(at)elan.net [EMAIL PROTECTED] wrote 
 a message of 18 lines which said:

 Maybe I'm ignorant, but isn't there a [cc]tld operations mail list
 somewhere?

There is no worldwide TLD (or even ccTLD) operations list (I would be
on it). There are several possible lists, but all of them are partial
(purely european, for instance).



Update: BlackWorm infected IP's reporting

2006-01-25 Thread Gadi Evron


Gadi Evron wrote:


Hi.

In the next day or so some of us will cooperate to bring to the 
attention of all effected AS's information about infected users in their 
net-space.


This will be coordinated with several groups and organizations. Please 
expect these emails, thanks.


Small update:
It is possible later reports will be received as well, but if you have 
infected users, you should get the emails within a few hours.


These email messages will include a web link to the SANS ISC where you 
would be able to securely reach IP addresses relevant to you. It is 
possible (although we try and avoid it) that you will get notifications 
twice, from different email addresses.


If that happens, we can only apologize. I am sure you understand that 
despite coordination, some confusion happens when so much is done by so 
many people in so short a time.


If you get no email message for whatever reason, and wish to *make sure* 
this was not because of some fluke and your net-space really is clean, 
feel free to ping me back in a day or so (off-list).


Thanks again,

Gadi.


BlackWorm: updated snort signatures

2006-01-25 Thread Gadi Evron


Can be found:
http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/VIRUS/WORM_Nyxem?rev=1.5&only_with_tag=HEAD&view=markup

Thanks,

Gadi.


Terminal server problem

2006-01-25 Thread Kim Onnel
Hi,

I got a CCM1650 Avocent terminal server, if i use windows to login to
their console, upon hitting enter, the password prompt is bypassed
because another enter is also hit, so i get a wrong password everytime.

But if i do the same from a linux machine, that doesnt happen and i get
to log in fine, which tells me that windows telnet is the problem, but
i dont know which knob i need to fix ?

Microsoft Telnet set ?
bsasdel Backspace will be sent as delete
crlf New line mode - Causes return key to send CR & LF
delasbs Delete will be sent as backspace
escape x x is an escape character to enter telnet client prompt
localecho Turn on localecho.
logfile x x is current client log file
logging Turn on logging
mode x x is console or stream
ntlm Turn on NTLM authentication.
term x x is ansi, vt100, vt52, or vtnt


Avocent CCM1650 S/W Version 2.1
Username: noc
Password: 
Authentication Complete (DEC-VT100)
Connected to Port: 1 9600,8,N,2,NONE


Login: cisco
password:
login incorrect

Login: cisco
password:
login incorrect

Login:


Re: Terminal server problem

2006-01-25 Thread Larry Smith

On Wednesday 25 January 2006 08:05, Kim Onnel wrote:
 Hi,

 I got a CCM1650 Avocent terminal server, if i use windows to login to their
 console, upon hitting enter, the password prompt is bypassed because
 another enter is also hit, so i get a wrong password everytime.

 But if i do the same from a linux machine, that doesnt happen and i get to
 log in fine, which tells me that windows telnet is the problem, but i dont
 know which knob i need to fix ?

 Microsoft Telnet set ?
 bsasdel Backspace will be sent as delete
 crlf New line mode - Causes return key to send CR & LF

cut

Believe your problem is the CRLF, try just LF or just CR (believe my Linux 
term is set to just LF but not in office at moment).

-- 
Larry Smith
SysAd ECSIS.NET
[EMAIL PROTECTED]




Re: Split flows across Domains

2006-01-25 Thread Steven M. Bellovin

In message [EMAIL PROTECTED], Matt Buford writes:



Actually, TCP handles out of order packets rather well as long as the 
reordering isn't too severe.  You see a bunch of SACKs flying around, but as 
long as it doesn't get too out of hand it doesn't affect throughput.


Actually, it isn't that great.  See draft-ietf-tcpm-tcp-dcr-06 and its 
references.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb




Re: Split flows across Domains

2006-01-25 Thread Simon Leinen

Robert E Seastrom writes:
 Yes and no.  CEF is {src, dst} hash IIRC, and per-flow usually
 means {src, srcport, dst, dstport, [proto, tos]} hash in my
 experience.

Correct.

The Catalyst 6500/7600 OSR with Sup2/Sup32/Sup720 can be configured to
hash based on L4 ports in addition to the IP addresses (for IPv4):

http://puck.nether.net/pipermail/cisco-nsp/2005-December/026952.html

This is handy when you have multiple striped TCP connections between
a single pair of hosts, and want them to be able to use multiple
equal-cost paths, but still want to avoid reordering inside each
connection (as you would inevitably get with per-packet load
sharing).
-- 
Simon.
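
An added example, not code from the thread or from any vendor, that puts the hashing point above into runnable form: with a {src, dst} hash every striped TCP connection between one host pair lands on the same equal-cost path, adding the L4 ports to the hash spreads them out, and per-packet load sharing spreads one flow's packets over paths of different latency and so reorders them. The four next hops, the SHA-256-based hash, the host pair 192.0.2.10 -> 198.51.100.20 and the per-path latencies are all assumptions made for illustration.

```python
"""Added example, not code from the thread or from any vendor: a toy model of
equal-cost path selection to show why a {src, dst} hash pins all striped TCP
connections between one host pair onto a single path, why adding the L4 ports
spreads them, and why per-packet load sharing reorders packets inside a flow.

Assumptions: four equal-cost next hops, SHA-256 over the tuple fields as the
hash (hardware uses a faster hash, but the determinism per tuple is what
matters here), and the constructed host pair 192.0.2.10 -> 198.51.100.20.
"""
import hashlib
import ipaddress
from collections import Counter

NUM_PATHS = 4  # assumed number of equal-cost next hops


def _digest(*fields) -> int:
    """Deterministic hash of the given fields, reduced to a 32-bit integer."""
    material = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(material).digest()[:4], "big")


def path_src_dst(src: str, dst: str, num_paths: int = NUM_PATHS) -> int:
    """{src, dst} hash: L4 ports are ignored, so one host pair == one path."""
    return _digest(ipaddress.ip_address(src), ipaddress.ip_address(dst)) % num_paths


def path_five_tuple(src: str, sport: int, dst: str, dport: int,
                    proto: int = 6, num_paths: int = NUM_PATHS) -> int:
    """Per-flow hash including the L4 ports (proto 6 == TCP)."""
    return _digest(ipaddress.ip_address(src), sport,
                   ipaddress.ip_address(dst), dport, proto) % num_paths


def striped_connections(src: str, dst: str, dport: int, n: int,
                        first_sport: int = 40000):
    """n parallel TCP connections between one host pair (constructed input)."""
    return [(src, first_sport + i, dst, dport) for i in range(n)]


def paths_used(flows, hasher) -> Counter:
    """Map each (src, sport, dst, dport) flow to a path and count per path."""
    return Counter(hasher(*flow) for flow in flows)


def compare(n: int = 16):
    """Path distribution of n striped connections under both hash schemes."""
    flows = striped_connections("192.0.2.10", "198.51.100.20", 5001, n)
    by_src_dst = paths_used(flows, lambda s, sp, d, dp: path_src_dst(s, d))
    by_five = paths_used(flows, lambda s, sp, d, dp: path_five_tuple(s, sp, d, dp))
    return by_src_dst, by_five


def per_packet_reordering(num_packets: int = 8,
                          latencies_ms=(5.0, 9.0, 6.0, 12.0),
                          send_gap_ms: float = 1.0):
    """Per-packet load sharing: packet i of ONE flow is sent on path i % N.

    With unequal one-way latencies (assumed values per path) the receiver
    sees the sequence numbers out of order.  Returns (arrival order,
    number of packets that arrived after a higher sequence number)."""
    arrivals = sorted((i * send_gap_ms + latencies_ms[i % len(latencies_ms)], i)
                      for i in range(num_packets))
    order = [seq for _, seq in arrivals]
    reordered = sum(1 for a, b in zip(order, order[1:]) if b < a)
    return order, reordered


if __name__ == "__main__":
    a, b = compare()
    print("{src,dst} hash  :", dict(a))
    print("5-tuple hash    :", dict(b))
    print("per-packet      :", per_packet_reordering())
```

Running it shows all sixteen connections on one path under the {src, dst} hash and several paths in use under the five-tuple hash, while the per-packet run delivers sequence numbers such as 0, 2, 4, 1, ... to the receiver, which is the reordering the SACK traffic in the earlier reply is reacting to.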



NANOG 36 (Dallas)

2006-01-25 Thread Carol Wadsworth


If you are planning to attend NANOG 36, hosted by Yahoo! in 
Dallas, Feb. 12-15, please note the upcoming deadlines:


Friday, January 27:  the discounted group room rate at the 
Fairmont Hotel-Dallas expires.


Monday, January 30:  the meeting registration fee will increase 
$50.


For additional meeting details, please see www.nanog.org

See you there!


Re: BlackWorm infected IP's reporting

2006-01-25 Thread Martin Hannigan

 
 Hi,
 
 On Wed, 2006-01-25 at 03:20 -0500, Martin Hannigan wrote:
   
   
   Hi.
   
   In the next day or so some of us will cooperate to bring to the 
   attention of all effected AS's information about infected users in their 
   net-space.
  
  That would be affected. 
  
   This will be coordinated with several groups and organizations. Please 
   expect these emails, thanks.
  
  In other words, NANOG is a step child of these and we'll only see
  the PR? If you're going to keep the mitigations off of NANOG, it's
  probably safe to keep it all off. We all read newspapers, blogs, and
  slashdot. 
 
 sorry, but I couldn't understand your problem. I think it's just
 useful information, which AS is infected by a critical worm. Also I
 relay this information to people who think this information is
 useful, too.
 
 Ok, perhaps there are people to advertise themselves, but why not? When
 they invest time in this work, why aren't they allowed to get some kind
 of approval?


Nah, we already know who those people are. It's more like if you keep
predicting a blizzard and I wake up and there was a misting of rain, 
I keep getting less and less interested in the predictions. It costs
real money to get these dances going and unless you're going to give
us all the information, please don't bother. The snort SIDS were 
nice, but as far as I am concerned, IL-CERT is not a trusted 
source. 

The third story about this horrible worm:

http://www.commentwire.com/article_news.asp?guid=20856A5C-3952-4F2C-913A-1E963F902D41

If I don't see SANS running around with their capes off, I don't
really pay too much attention. The last one wasn't a big hit like
they thought, but they do good work. I trust them more than 
I trust IL-CERT telling North Americans to drop our hotdogs, turn
off our football, and get ready for worms. I'd hope to see US-CERT
continue making progress and telling North Americans when to worry.

The work everyone is doing is fantastic, but it's pretty clear
trust is being ignored and, while we're on the subject, proper delivery
of files with checksums etc. It ain't happening anymore.

-M 



Martin Hannigan

2006-01-25 Thread Gadi Evron


Serious answers: (much like your 'serious questions'):


If I don't see SANS running around with their capes off, I don't


http://isc.sans.org/blackworm
Further, our reports lead to a SANS ISC temporary URL's for each AS.


really pay too much attention. The last one wasn't a big hit like
they thought, but they do good work. I trust them more than 
I trust IL-CERT telling North Americans to drop our hotdogs, turn


I don't work for IL-CERT (which is actually the GOV cert, not IL-CERT), 
except in an advisory capacity volunteer-base now. I.e., I am a civilian 
now.



off our football, and get ready for worms. I'd hope to see US-CERT
continue making progress and telling North Americans when to worry.


US-CERT is kept in the loop every step of the way, as is the FBI, Secret 
Service and a lot of others who contribute from their time and effort. 
We can all criticize others, it's easy. How about you start pulling your 
own weight instead of causing havoc non-stop?


Is this some sort of VeriSign plot or did you come up with it all on 
your own?



The work everyone is doing is fantastic, but it's pretty clear
trust is being ignored


I am not one to keep my mouth shut. I am also not one to answer idi.. 
err, donkies. Still, I kept quiet about you for a long time, as ignoring 
trolls is usually the best way of handling them.


I am often emotional, straight-forward and tactless, i.e. == rude for 
some people, which is why I try and speak differently to non-Israelis.
Unlike you, I don't impede progress or pick personal fights as a regular 
day-to-day sport. As the mods say nothing to you for a long time now, I 
suppose your kind of behavior is fair game.


So...

Are you going to stop being a troll about everything IL-CERT does, I 
do or anyone else except for you does?


What is it you do again? Anything what-so-ever?
Or is it just: pick up on someone and act the a**-h*le so that you can 
gain respect in the quick and dirty route, because some tech is in there 
and you act like someone who is authoritative in writing?
Use flame techniques such as quote only portions of the text, reply to 
something a tad bit different than what was written or ignore some of 
what the other guy said?

Anything else?

Last time that resulted in harming a big operational forum with one of 
the mods quitting (who also just HAPPENED to be an Israeli). You should 
be ashamed. Luckily it usually ends with only flame wars.


You use your own name rather than VeriSign's in everything yet are not 
afraid to speak openly for VeriSign when it suits you. What is it you do 
on nanog?


I've had enough. I knew it was a mistake to quit ignoring you and it 
probably is a mistake to reply to you, but your personal attacks can't 
go on, even under the mask of concern. Have the GUTS to come out and 
say what you want, or is it just flaming?


Some of us work day and night on local operational issues, others work 
day and night on the survivability of the Internet itself.


And you? Google the wikipedia entry for STFU.

Gadi.


So -- what did happen to Panix?

2006-01-25 Thread Steven M. Bellovin

It's now been 2.5 business days since Panix was taken out.  Do we know 
what the root cause was?  It's hard to engineer a solution until we 
know what the problem was.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb




Re: So -- what did happen to Panix?

2006-01-25 Thread william(at)elan.net



On Wed, 25 Jan 2006, Steven M. Bellovin wrote:


It's now been 2.5 business days since Panix was taken out.  Do we know
what the root cause was?  It's hard to engineer a solution until we
know what the problem was.


Is it really that hard to engineer this solution? We do have several of 
them proposed (SBGP, soBGP, etc) and a new WG is likely to be formed soon 
within IETF to finally work it out.

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


Re: Martin Hannigan

2006-01-25 Thread Martin Hannigan

 
 Serious answers: (much like your 'serious questions'):
 
  If I don't see SANS running around with their capes off, I don't
 
 http://isc.sans.org/blackworm
 Further, our reports lead to a SANS ISC temporary URL's for each AS.

The last time SANS felt something was so serious they needed all
of NANOG to dance, they came out and said so. That's their handlers
diary. I read it. A lot of people read it. It's well balanced and 
usually on target. Just like that. It's not alarmist. It seems 
fairly certain that as long as Symantec et al. do their thing, we
will be able to watch the superbowl in peace.

 I don't work for IL-CERT (which is actually the GOV cert, not IL-CERT), 
 except in an advisory capacity volunteer-base now. I.e., I am a civilian 
 now.

Congratulations.

 
  off our football, and get ready for worms. I'd hope to see US-CERT
  continue making progress and telling North Americans when to worry.
 
 US-CERT is kept in the loop every step of the way, as is the FBI, Secret 
 Service and a lot of others who contribute from their time and effort. 
 We can all criticize others, it's easy. How about you start pulling your 
 own weight instead of causing havoc non-stop?

I'm glad to hear that, as many times as you state it. Thank you.

Trust isn't havoc. Your loose cannon response is an excellent
reason why we should be skeptical. My point was around trust and who
we should and shouldn't. There are a lot of characters out there doing
things that are helpful, but that doesn't mean we should trust them.
I don't think that North American Network operators should trust you
and my reason why is that I had at one point asked you to disclose how
you were collecting information you wanted me to rely on and you 
refused. My distrust is not personal. There are now other reasons
that I'd prefer to not have to disclose here as it does nothing to
further the conversation.

As far as my contribution goes, I'm making it. I read, observe, discuss,
and comment. I'm sorry if you feel particularly targeted or flamed. It
is not intentional. What would you like me to do to make it better
for you? A good example of the interaction I describe is when you
were first posting the bot reports and there was discussion. They
changed and they were quite ok and I believe I commented to the same.

Perhaps my typing style is irritating? I apologize.

As far as general security goes, I do not trust DA, NSP-SEC, or
many others as the final authoritative source on anything. There
are some people I trust more than others, Thomas, Bellovin, Bush, etc., and
then there are the people I can't trust i.e. the IRC'ers, etc.

 Is this some sort of VeriSign plot or did you come up with it all on 
 your own?

I think I'll watch White Noise on the DVD now.

Admins: Clearly, a personal attack and I'd like the AUP enforced
please.

-M




Re: Martin Hannigan

2006-01-25 Thread Gadi Evron


Martin Hannigan wrote:

Admins: Clearly, a personal attack and I'd like the AUP enforced
please.


Clearly, exactly what you've been trying to get me to do for a long 
time, to get me off NANOG, well... I finally decided to comply.


Admins: I will answer any call to leave.. Also, I'd like for Martin to 
see this AUP enforced on his continual attacks on me and many others 
on-list, regardless of my reply to him.


Thanks.


VeriSign

2006-01-25 Thread Martin Hannigan



Folks,

Since my friend Gadi brought it up, I left VeriSign on January 3 after
3 years of solid employment. It was a good run. I was asked to move
to Dulles, VA and I declined for personal reasons. I live in Boston, MA.
and was a commuter to the DC area for the most part.

I've taken a position at another company working to provide global
stability in routing and enhance IP security. Some of you will be
customers and I am looking forward to being called 'vendor'.

I would like to thank all of you for your support while I worked
at VeriSign. 

Best Regards,

-M 



Re: Martin Hannigan

2006-01-25 Thread william(at)elan.net



On Wed, 25 Jan 2006, Gadi Evron wrote:


Martin Hannigan wrote:

Admins: Clearly, a personal attack and I'd like the AUP enforced
please.


Clearly, exactly what you've been trying to get me to do for a long time, to 
get me off NANOG, well... I finally decided to comply.


Admins: I will answer any call to leave.. Also, I'd like for Martin to see 
this AUP enforced on his continual attacks on me and many others on-list, 
regardless of my reply to him.


I personally do not want to see either Gadi or Martin leave - both have 
been good contributors on this list and this grudge they got against each 
other should be settled offline with both of them self-enforcing and not 
replying to the other one again on the list (so as to not provoke again).


--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


Re: Martin Hannigan

2006-01-25 Thread Joe Abley



On 25-Jan-2006, at 16:12, william(at)elan.net wrote:


On Wed, 25 Jan 2006, Gadi Evron wrote:


Martin Hannigan wrote:

Admins: Clearly, a personal attack and I'd like the AUP enforced
please.


Clearly, exactly what you've been trying to get me to do for a  
long time, to get me off NANOG, well... I finally decided to comply.


Admins: I will answer any call to leave.. Also, I'd like for  
Martin to see this AUP enforced on his continual attacks on me and  
many others on-list, regardless of my reply to him.


I personally do not want to see either Gadi or Martin leave - both  
have been good contributors on this list and this grudge they got  
against each other should be settled offline with both of them self- 
enforcing and not replying to the other one again on the list (so  
as to not provoke again).


The NANOG list administrators can be reached at nanog-[EMAIL PROTECTED]. 
That is almost certainly a better place to send comments related to the 
AUP than this list.


(I would have kept this comment to private mail except that it seems  
possible that a public discussion about the merits of particular  
subscribers is about to unfold here, which would be a shame.)



Joe


Re: Martin Hannigan

2006-01-25 Thread Justin M. Streiner


On Wed, 25 Jan 2006, Joe Abley wrote:

The NANOG list administrators can be reached at [EMAIL PROTECTED] That 
is almost certainly a better place to send comments related to the AUP than 
this list.


(I would have kept this comment to private mail except that it seems possible 
that a public discussion about the merits of particular subscribers is about 
to unfold here, which would be a shame.)


Agreed.

All:

*PLEASE* let this thread die.  Allowing it to continue serves no 
constructive purpose whatsoever.


jms


Re: BGP route flap damping

2006-01-25 Thread Kotikalapudi Sriram



On Jan 16, 2006, at 8:48 AM, Gustavo Rodrigues Ramos wrote:
 The problem takes place five or six AS far from me... Where I can't do
 much. I still can't reach some prefixes announced by large ISPs.
On Jan 16, 2006, at 7:29 AM, Gustavo Rodrigues Ramos wrote:
 Last week we received a DoS attack which got down my BGP connections to
 my upstream providers (for three or four times I believe). I also believe
 that event caused some routers to suppress my BGP announcement.

We have been conducting simulation studies to quantify
the impact of BGP peering session attacks and how RFD 
could severely amplify the outage periods.
I can share some insights we have developed which 
I hope are helpful although they may not directly address 
the problem you are experiencing.

Please use this link to our BGP attack simulation work
(at NIST) for additional details:

http://www.antd.nist.gov/iip_pubs/BGP_RFD_NIST_Sept05.pdf

One point to be noted with certainty is that if your BGP
router loses its BGP session with a peer
and when the session gets restored shortly thereafter, 
the peer then resets your RFD penalty to zero. 
Hence, even if the attack events happen multiple times,
RFD penalties for prefixes in your AS at your peer are 
not incrementing and your peer does not put 
your BGP router or prefixes under RFD suppression.
However, your peer's peers and other ASs upstream
(who are more than one hop away from you)
could place the prefixes in your AS under RFD suppression.
When the DOS attacks that caused the BGP session
to be lost multiple times have subsided, then the RFD penalty
will decay below the RFD reuse threshold within
a few thousands of seconds. The half-time of the exponential decay
is typically 900s and hence it takes a few thousands of seconds
for RFD penalty value to fall back below the RFD reuse threshold.

The BGP speakers that are two or more hops away from your
BGP speaker should restore all prefixes in your AS in their routing
tables within that amount of time (about 2000s to 4000s) after 
the attacks have subsided. 
 From the experimental results in paper we have written
(click on the link noted above for a pdf copy),
it can be seen that even under large scale attacks, the
unreachability between ASs and prefixes lasts for a few 
thousands of seconds (after attacks have subsided), 
and all AS-prefix routes are restored back to 
their stable paths after that amount of time.
If the unreachability in your case has lasted for hours or days after
the attacks have happened, then it is not clear what
may have caused that. It may be something that is due to operational
procedures with some providers that are extraneous to the
normal operating principles of RFD (just a thought).

Sriram 

K. Sriram
E-Mail: [EMAIL PROTECTED]
Web:

http://www.antd.nist.gov/iipp.shtml
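
An added example, not code from the thread or from the NIST study, that puts numbers on the penalty bookkeeping described above: each flap adds a fixed penalty, the penalty decays exponentially with the half-life, a prefix is suppressed once the penalty crosses the suppress threshold and reused again once it decays below the reuse threshold. It also contrasts the direct peer (which, as the post says, clears the penalty when the session to you comes back up) with a speaker two hops away, which never loses a session to you and keeps accumulating penalty across repeated session drops. The parameter values are assumptions: they are the commonly cited Cisco-style defaults (1000 per flap, 900 s half-life, reuse 750, suppress 2000, max-suppress 3600 s), and nothing in the thread says which values the upstream networks actually run; the flap and reset timestamps are constructed.

```python
"""Added example, not code from the thread or from the NIST paper: a small
model of BGP route flap damping (RFD) penalty bookkeeping.

Parameter values are assumptions (commonly cited Cisco-style defaults);
the thread does not say what the upstream networks actually configure.
"""
import math

PENALTY_PER_FLAP = 1000
HALF_LIFE_S = 900.0        # "typically 900s" in the post above
REUSE_THRESHOLD = 750
SUPPRESS_THRESHOLD = 2000
MAX_SUPPRESS_S = 3600.0
# The penalty is capped so a route is never suppressed longer than max-suppress:
# cap = reuse * 2 ** (max_suppress / half_life)  -> 12000 with these defaults.
MAX_PENALTY = REUSE_THRESHOLD * 2 ** (MAX_SUPPRESS_S / HALF_LIFE_S)


def decay(penalty: float, elapsed_s: float) -> float:
    """Exponential decay with the configured half-life."""
    return penalty * 0.5 ** (elapsed_s / HALF_LIFE_S)


def penalty_after_flaps(flap_times_s) -> float:
    """Penalty immediately after the last flap, given the flap timestamps (s)."""
    penalty, last = 0.0, None
    for t in sorted(flap_times_s):
        if last is not None:
            penalty = decay(penalty, t - last)
        penalty = min(penalty + PENALTY_PER_FLAP, MAX_PENALTY)
        last = t
    return penalty


def is_suppressed(penalty: float) -> bool:
    return penalty >= SUPPRESS_THRESHOLD


def seconds_until_reuse(penalty: float) -> float:
    """Time for the penalty to decay below the reuse threshold (0 if already below).

    penalty * 0.5 ** (t / half_life) = reuse  =>  t = half_life * log2(penalty / reuse)
    """
    if penalty <= REUSE_THRESHOLD:
        return 0.0
    return HALF_LIFE_S * math.log2(penalty / REUSE_THRESHOLD)


def two_hop_view(session_drop_times_s, session_up_times_s) -> dict:
    """Direct peer vs. a speaker two hops away after repeated session drops.

    Simplified model: the direct peer clears the penalty each time the session
    to us is re-established, so it only counts drops after the last 'up'.
    A speaker two hops away sees each drop/recovery as a withdraw/re-announce
    of our prefixes and keeps accumulating penalty across all of them."""
    last_up = max(session_up_times_s) if session_up_times_s else float("-inf")
    direct = penalty_after_flaps([t for t in session_drop_times_s if t > last_up])
    remote = penalty_after_flaps(session_drop_times_s)
    return {
        "direct_peer_penalty": direct,
        "direct_peer_suppressed": is_suppressed(direct),
        "two_hops_penalty": remote,
        "two_hops_suppressed": is_suppressed(remote),
        "two_hops_reuse_after_s": seconds_until_reuse(remote),
    }


if __name__ == "__main__":
    # Constructed scenario: four DoS-induced session drops 10 minutes apart,
    # each session restored 60 s later.
    drops = [0, 600, 1200, 1800]
    ups = [t + 60 for t in drops]
    for k, v in two_hop_view(drops, ups).items():
        print(f"{k:26s} {v}")
    print("worst case (penalty at cap) reuse after s:", seconds_until_reuse(MAX_PENALTY))
```

With these values the direct peer ends the scenario with zero penalty while the two-hop speaker sits just above the suppress threshold and needs roughly 1400 s to reuse the prefixes; a prefix driven all the way to the penalty cap needs the full 3600 s, which is the upper end of the 2000 s to 4000 s the post quotes. Outages that outlast that by hours are, as the post says, not explained by RFD itself.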






Blackworm numbers [Was: Re: Martin Hannigan]

2006-01-25 Thread Fergie

Well, let's hope we can watch the Super Bowl in peace -- I'm
turning my pager & cell phone off anyways. :-)

In any event, as Alex Eckelberry writes over on the Sunbelt
Software blog, ...we’re now seeing infestations for the
Blackworm worm (aka KamaSutra) getting close to 2 million.

Yesterday it was at close to 700k. 

Of course, it’s possible that this URL has gotten out to
the public, which would increase the count (simply hitting
the website increments the count by one).  However, to my
knowledge, this URL is only known in the security community.

Remember that this worm has a very destructive payload. Even
if you discount the number here, you’re still looking at a
significant number of people who will suffer potentially
devastating data loss.

I couldn't agree more.

Cheers,

- ferg

ps. http://sunbeltblog.blogspot.com/2006/01/blackworm-worm-over-18-million.html


-- Martin Hannigan [EMAIL PROTECTED] wrote:

 
 http://isc.sans.org/blackworm
 Further, our reports lead to a SANS ISC temporary URL's for each AS.

The last time SANS felt something was so serious they needed all
of NANOG to dance, they came out and said so. That's their handlers
diary. I read it. A lot of people read it. It's well balanced and 
usually on target. Just like that. It's not alarmist. It seems 
fairly certain that as long as Symantec et. al. do their thing, we
will be able to watch the superbowl in peace.

[snip]

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/



darknet people - ddos detection

2006-01-25 Thread Gadi Evron


Can we all please take a look at RCN.COM/.NET to see if they are being 
DDoS'd as retribution for the massive SP and LEO operations going to 
mitigate this risk of fast becoming millions of infected machines about 
to be destroyed?


We'd appreciate any help given, thanks.

Gadi.


Re: Blackworm numbers

2006-01-25 Thread Martin Hannigan

 Well, let's hope we can watch the Super Bowl in peace -- I'm
 turning my pager & cell phone off anyways. :-)

I'm going for Steelers. You? I've got a couple of fresh 
Maine Lobsters and Union Oyster House chowdah to put up 
if you're interested in a wager.

[ Removed my name from the subject. I like it in lights, but
  I've had enough for today! :-) ] 

 In any event, as Alex Eckelberry writes over on the Sunbelt
 Software blog, ...we’re now seeing infestations for the
 Blackworm worm (aka KamaSutra) getting close to 2 million.
 
 Yesterday it was at close to 700k. 
 
 Of course, it’s possible that this URL has gotten out to
 the public, which would increase the count (simply hitting
 the website increments the count by one).  However, to my
 knowledge, this URL is only known in the security community.

The URL is out all over the place.

 Remember that this worm has a very destructive payload. Even
 if you discount the number here, you’re still looking at a
 significant number of people who will suffer potentially
 devastating data loss.
 
 I couldn't agree more.

People without A/V? How sad can you feel? I don't want anyone
to lose data, but I bet a bunch of people buy A/V as a result.
That's good.

Check out this story where it was downplayed:

http://www.eweek.com/article2/0,1895,1915070,00.asp

  http://isc.sans.org/blackworm
  Further, our reports lead to a SANS ISC temporary URL's for each AS.

http://isc.sans.org/diary.php?storyid=1073 - but really, do you
consider this to be a huge issue that we should prepare to be on
call over? 

Sans, http://isc.sans.org/infocon.php and Symantec, 
http://www.symantec.com/index.htm, are both at their normal threat levels.

The point I was trying to make before the thread went, East?, was 
that there is a perceived problem in the security community with 
appropriate response. I'd tell you how I think that could have
been avoided, but then my name would go up in the subject again.
*cough full disclosure* 

Off the top of my head I think the security trust landscape
today looks like this. I base this on participation, people
I know participating, comments I hear at the NANOG water bubbler,
etc. and they are nothing but personal opinions.

SANS - Trusted, good reputation growing
NSP-SEC - neutral since it's a collective of people+groups
skitter15 - untrusted, but trusted when info leaks. (too long to explain)
PSIRT - trusted, borderline. 
US-CERT - trusted for NA matters, w/other certs
UK-CERT - trusted for EU matters, w/other certs
IL-CERT - no comment
DA - untrusted
TISF - untrusted, new, etc.
CERTs at large - Neutral, has to be case by case
Carrier Security Groups - Trusted for matters of their own
MSS - Neutral
AV - Trusted
Software Vendors - Neutral
Hardware Vendors - Untrusted, case by case 
Force 10 - Trusted
Juniper - Trusted
Cisco - Neutral, case by case
Team-Cymru - Trusted case by case
SecuriTeam - Untrusted, untested

This isn't a popularity contest, so I'll leave individuals
off of my list, but you can probably guess who in most cases
including using some of the notes above.

-M


Wifi SIP WPA/PSK Support

2006-01-25 Thread Mike Leber


I'm working on finding a Wifi SIP phone that supports WPA/PSK that we can
recommended to VOIP clients.  As everybody knows, currently most Wifi SIP
phones support WEP which is demonstrably insecure.  For banking and
financial customers, or companies that are given passwords or credit cards
over the phone, this is a serious security issue.

We recently bought a Hitachi-Cable Wireless IPC-5000 WiFi SIP Phone from
voipsupply.com after finding some web pages that said that phone supported
WPA (the pages were in German), yet once we got the phone all it supported
was WEP even after updating the firmware to the latest version using the
website mentioned in the documentation that came with the phone.

I've had a few people say that there was some sort of conspiracy to keep
US citizens from using secure phones, however I found that laughable
because the potential risk of terrorist or criminal interception from
having all Wifi telephone conversations involving credit cards (let alone
social security numbers, bank account numbers, passwords, what have you)
in the clear would create an attack vector so large as to exceed all other
possible attack vectors... I mean why work on cracking anything when you
can just listen to everybody in the clear (well virtually in the clear
with WEP).

So, back in reality, could anybody in the US that bought their Wifi SIP
phone in the US share a success story at getting Wifi SIP setup with
WPA/PSK?  What model of phone did you buy?  Where did you get it?  Did you
have to upgrade it to any special version of firmware or what?

Mike.

+- H U R R I C A N E - E L E C T R I C -+
| Mike Leber   Direct Internet Connections   Voice 510 580 4100 |
| Hurricane Electric Web Hosting  Colocation   Fax 510 580 4151 |
| [EMAIL PROTECTED]   http://www.he.net |
+---+
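
An added example, not code from the thread or from any phone vendor, showing what "WPA/PSK" actually does with the passphrase and the caveat that comes with it: WPA-PSK never uses the typed passphrase as a key, it derives a 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1 (4096 iterations, SSID as the salt), and anyone who records the 4-way handshake can test passphrase guesses offline at exactly that cost. So a phone that does WPA/PSK fixes the WEP problem only if the PSK itself is long and random. The test vector (passphrase "password", SSID "IEEE") is the one published in IEEE 802.11i Annex H; the candidate wordlist is constructed, and the direct PMK comparison in the guessing routine is a stated simplification of the real MIC check.

```python
"""Added example, not code from the thread or any phone vendor: WPA-PSK key
derivation (IEEE 802.11i) and the offline guessing cost it implies.

The test vector is from IEEE 802.11i Annex H; the wordlist is constructed.
"""
import hashlib
import hmac
import secrets
import string

PBKDF2_ITERATIONS = 4096
PMK_LEN = 32  # bytes


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


# IEEE 802.11i Annex H test case 1: passphrase "password", SSID "IEEE"
IEEE_VECTOR = bytes.fromhex(
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def offline_guess(target_pmk: bytes, ssid: str, candidates):
    """Model of the offline attack against a recorded 4-way handshake.

    In the real attack each candidate PMK is expanded to a PTK and checked
    against the MIC on the captured EAPOL frames; here the check is a direct
    PMK comparison to keep the example short (a simplification).  The cost per
    guess, one PBKDF2 run, is the same either way."""
    for cand in candidates:
        if hmac.compare_digest(wpa_psk(cand, ssid), target_pmk):
            return cand
    return None


def random_passphrase(length: int = 63) -> str:
    """Maximum-length random alphanumeric passphrase (about 375 bits) for
    provisioning handsets, so the offline attack above has nothing to guess."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    assert wpa_psk("password", "IEEE") == IEEE_VECTOR
    hit = offline_guess(IEEE_VECTOR, "IEEE", ["letmein1", "password", "hunter22"])
    print("dictionary hit:", hit)
    print("provision this instead:", random_passphrase())
```

The practical upshot for the handset question: once the phone supports WPA-PSK, push a long random PSK to it during provisioning rather than a human-chosen one, and treat the SSID as part of the derivation (the same passphrase on two SSIDs yields two different PMKs).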




Re: Wifi SIP WPA/PSK Support

2006-01-25 Thread Suresh Ramasubramanian
On 1/26/06, Mike Leber [EMAIL PROTECTED] wrote:
 I'm working on finding a Wifi SIP phone that supports WPA/PSK that we can
 recommended to VOIP clients.  As everybody knows, currently most Wifi SIP
 phones support WEP which is demonstrably insecure.  For banking and
 financial customers, or companies that are given passwords or credit cards
 over the phone, this is a serious security issue.

http://www.paesys.com/en/WIFI_wireless_phone_moimstone_Stonehenge_WP150.htm

   Security & Encryption
WPA-PSK AES, TKIP
64/128 bit WEP
802.1x certification (Optional)

Even seems to do v6.

-srs


Re: BlackWorm infected IP's reporting

2006-01-25 Thread Hank Nussbacher

On Wed, 25 Jan 2006, Martin Hannigan wrote:

 us all the information, please don't bother. The snort SIDS were
 nice, but as far as I am concerned, IL-CERT is not a trusted
 source.

Just so people don't get confused: IL-CERT has nothing to do with what
Gadi posted and I don't seem to remember that Gadi included any mention of
IL-CERT in his postings.  In addition, if anyone has any problems with the
trustworthiness of IL-CERT (Israeli Academic CERT) as listed on FIRST:
http://www.first.org/about/organization/teams/index.html
then they should raise that issue with the FIRST secretariat and on the
FIRST mailing lists where we can counter any claims to the otherwise.

Hank Nussbacher
ILAN-CERT representative
IUCC


Re: So -- what did happen to Panix?

2006-01-25 Thread Pekka Savola


On Wed, 25 Jan 2006, william(at)elan.net wrote:

On Wed, 25 Jan 2006, Steven M. Bellovin wrote:

It's now been 2.5 business days since Panix was taken out.  Do we know
what the root cause was?  It's hard to engineer a solution until we
know what the problem was.


Is it really that hard to engineer this solution? We do have several of them 
proposed (SBGP, soBGP, etc) and new WG is likely to be formed soon

within IETF to finally work it out.


It'd be darn difficult to engineer a solution that would end up being 
deployed in any reasonable time if we don't know the requirements 
first.  Yes, there's a draft -- draft-ietf-rpsec-bgpsecrec-03.txt -- 
but it has been woefully lacking on the operator & deployment 
requirements.  More people should participate in the effort.


--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings


Re: Wifi SIP WPA/PSK Support

2006-01-25 Thread Mike Leber


Thank you!  We'll order one immediately and report back.

Mike.

On Thu, 26 Jan 2006, Suresh Ramasubramanian wrote:

 On 1/26/06, Mike Leber [EMAIL PROTECTED] wrote:
 I'm working on finding a Wifi SIP phone that supports WPA/PSK that we can
 recommended to VOIP clients.  As everybody knows, currently most Wifi SIP
 phones support WEP which is demonstrably insecure.  For banking and
 financial customers, or companies that are given passwords or credit cards
 over the phone, this is a serious security issue.

http://www.paesys.com/en/WIFI_wireless_phone_moimstone_Stonehenge_WP150.htm

   Security & Encryption
WPA-PSK AES, TKIP
64/128 bit WEP
802.1x certification (Optional)

Even seems to do v6.

-srs
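The claim above that WEP is "demonstrably insecure" rests on a structural flaw worth seeing in code: WEP encrypts each frame with RC4 keyed by a 24-bit IV prepended to the static key, so any two frames that share an IV share a keystream, and the first bytes of nearly every data frame (the LLC/SNAP header) are predictable. The following is an added example written for this archive, not code from any poster or vendor on this thread; the key, IV and frame payloads are constructed for illustration, and the key-index byte that follows the IV on the air is omitted.

```python
"""Why WEP is structurally broken: RC4(IV || static key) with a 24-bit IV.
Added example for this archive; key, IV and payloads below are constructed."""
import math
import struct
import zlib

# First 8 bytes of virtually every WEP-protected data frame: LLC/SNAP header
# ending in EtherType 0x0800 (IPv4). Known plaintext for free.
SNAP_HEADER = bytes.fromhex("aaaa030000000800")


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body: IV(3) || RC4(IV || key, payload || CRC32 ICV).
    40-bit (5-byte) or 104-bit (13-byte) key, i.e. '64/128 bit WEP'."""
    assert len(iv) == 3 and len(wep_key) in (5, 13)
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    ks = rc4_keystream(iv + wep_key, len(payload) + 4)
    return iv + xor(payload + icv, ks)


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Legitimate receiver: returns (payload, icv_ok)."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + wep_key, len(body)))
    payload, icv = plain[:-4], plain[-4:]
    ok = struct.unpack("<I", icv)[0] == (zlib.crc32(payload) & 0xFFFFFFFF)
    return payload, ok


def keystream_from_known_plaintext(frame: bytes, known: bytes) -> bytes:
    """Attacker step 1: XOR ciphertext with plaintext the attacker knows
    (at minimum the SNAP header, or a whole frame the attacker caused to be
    sent) to recover that many keystream bytes for this frame's IV. No key."""
    return xor(frame[3:3 + len(known)], known)


def decrypt_prefix_with_reused_iv(victim: bytes, reference: bytes,
                                  known: bytes) -> bytes:
    """Attacker step 2: if `victim` carries the same IV as `reference`, the
    keystream is identical, so the recovered bytes decrypt `victim`'s prefix."""
    if victim[:3] != reference[:3]:
        raise ValueError("IVs differ, so keystreams differ; attack does not apply")
    ks = keystream_from_known_plaintext(reference, known)
    return xor(victim[3:3 + len(ks)], ks)


def frames_until_iv_collision(p: float = 0.5) -> int:
    """Birthday bound over the 2^24 IV space: frames after which the chance
    that some IV has repeated reaches p (assuming independent random IVs;
    sequential-IV drivers wrap deterministically, which is no better)."""
    n = 2 ** 24
    return math.ceil(math.sqrt(-2.0 * n * math.log(1.0 - p)))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    iv = bytes.fromhex("0a0b0c")               # constructed IV, reused below
    p1 = SNAP_HEADER + b"ICMP echo attacker sent "   # attacker knows this one
    p2 = SNAP_HEADER + b"CARD=4111 PIN=1234 ok..."   # victim's frame, same IV
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    print("recovered from victim frame:", decrypt_prefix_with_reused_iv(f2, f1, p1))
    print("frames for 50% IV-collision chance:", frames_until_iv_collision())
```

Two caveats for anyone evaluating the phones in this thread. This shows only the simplest flaw (keystream reuse); the practical key-recovery attacks against WEP (FMS, KoreK, PTW) exploit RC4's weak-key statistics across many IVs and recover the static key itself, so the exposure is not limited to frames with colliding IVs. And WPA-PSK fixes the cipher problems but not a weak passphrase: the PSK is derived from the passphrase and SSID, and a captured 4-way handshake can be attacked offline with a dictionary, so a long random passphrase (or the optional 802.1X mode listed above) is what actually protects the call.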



Re: So -- what did happen to Panix?

2006-01-25 Thread Valdis . Kletnieks
On Thu, 26 Jan 2006 07:54:30 +0200, Pekka Savola said:
 It'd be darn difficult to engineer a solution that would end up being 
 deployed in any reasonable time if we don't know the requirements 
 first.

Fortunately, when we know the requirements and engineer a solution, deployment
is straightforward.  RFC2827, for example, has a stellar deployment record.

In other words - what is the business case for deploying this proposed
solution?  I may be able to get things deployed at $WORK by arguing that
it's The Right Thing To Do, but at most shops an ROI calculation needs
to be attached to get movement.




Re: So -- what did happen to Panix?

2006-01-25 Thread Pekka Savola


On Thu, 26 Jan 2006, [EMAIL PROTECTED] wrote:

In other words - what is the business case for deploying this proposed
solution?  I may be able to get things deployed at $WORK by arguing that
it's The Right Thing To Do, but at most shops an ROI calculation needs
to be attached to get movement.


Exactly.  If $OTHER_FOLKS don't deploy it, cases like Panix may not 
really be avoided.


I think that's what folks proposing perfect -- but practically 
undeployable -- security solutions are missing.


--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings


Re: So -- what did happen to Panix?

2006-01-25 Thread Steven M. Bellovin

In message [EMAIL PROTECTED], Pekka Savola writes:
On Thu, 26 Jan 2006, [EMAIL PROTECTED] wrote:
 In other words - what is the business case for deploying this proposed
 solution?  I may be able to get things deployed at $WORK by arguing that
 it's The Right Thing To Do, but at most shops an ROI calculation needs
 to be attached to get movement.

Exactly.  If $OTHER_FOLKS don't deploy it, cases like Panix may not 
really be avoided.

I think that's what folks proposing perfect -- but practically 
undeployable -- security solutions are missing.


That is, of course, why I asked the question -- I'm trying to 
understand the actual failure modes and feasible fixes.  I agree that 
many of the solutions proposed thus far are hard to deploy; some 
colleagues and I are working on variants that we think are deployable.  
But we need data first.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb




Re: BlackWorm infected IP's reporting

2006-01-25 Thread Martin Hannigan

 
 
 On Wed, 25 Jan 2006, Martin Hannigan wrote:
 
  us all the information, please don't bother. The snort SIDS were
  nice, but as far as I am concerned, IL-CERT is not a trusted
  source.
 
 Just so people don't get confused: IL-CERT has nothing to do with what
 Gadi posted and I don't seem to remember that Gadi included any mention of
 IL-CERT in his postings.  In addition, if anyone has any problems with the
 trustworthiness of IL-CERT (Israeli Academic CERT) as listed on FIRST:
 http://www.first.org/about/organization/teams/index.html
 then they should raise that issue with the FIRST secretariat and on the
 FIRST mailing lists where we can counter any claims to the contrary.

This is a professional network managers/operators list. As the
manager of a Gov't CERT, you can't walk away from your comments
posting from a vanity domain. This isn't a random discussion list.
At least it didn't used to be.

FIRST knows how to get ahold of me if they need to. I'm reachable.
If any FIRST secretariat would like to discuss trust, they can also
subscribe here. We're free, and open.

Thanks,

-M



Re: BlackWorm infected IP's reporting

2006-01-25 Thread Brandon Butterworth

 In addition, if anyone has any problems with the
 trustworthiness of 

 whoever

 then they should raise that issue with the FIRST secretariat and on the
 FIRST mailing lists where we can counter any claims to the contrary.

Trust is earned, it cannot be gained by shouting

brandon


Re: BlackWorm infected IP's reporting

2006-01-25 Thread Hank Nussbacher


At 01:46 AM 26-01-06 -0500, Martin Hannigan wrote:



 On Wed, 25 Jan 2006, Martin Hannigan wrote:

  us all the information, please don't bother. The snort SIDS were
  nice, but as far as I am concerned, IL-CERT is not a trusted
  source.

 Just so people don't get confused: IL-CERT has nothing to do with what
 Gadi posted and I don't seem to remember that Gadi included any mention of
 IL-CERT in his postings.  In addition, if anyone has any problems with the
 trustworthiness of IL-CERT (Israeli Academic CERT) as listed on FIRST:
 http://www.first.org/about/organization/teams/index.html
 then they should raise that issue with the FIRST secretariat and on the
 FIRST mailing lists where we can counter any claims to the contrary.

This is a professional network managers/operators list. As the
manager of a Gov't CERT, you can't walk away from your comments
posting from a vanity domain. This isn't a random discussion list.
At least it didn't used to be.


You are clearly confused.  I am not the manager of a Gov't CERT.  I am a 
member of the academic CERT group.  The domain I am posting from is not a 
vanity domain - it is the organization I represent here - iucc.ac.il 
(Israel Academic Computation Center).  Nothing at all related to the Israeli 
Gov't.


-Hank