Re: OT: Banc of America Article

2003-01-29 Thread David Charlap

Al Rowland wrote:


The PIN is on your card ...


Not for any card I've ever owned.  I've changed my PIN several times 
over the years, and the bank has never re-encoded my card or sent me a 
new card as a result of doing so.

Maybe some banks do store the PIN on the card, but I'm certain that it's 
in the server for every bank I've used.

I use a not-my-bank ATM in the lobby at work and it doesn't
initiate the call (you can hear the modem dial) until you're beyond the
PIN screen and are actually requesting a transaction.


I'm not surprised.  But the PIN is verified as a part of the transaction.

I've occasionally mistyped my PIN.  The ATM takes the mistake and goes 
straight to the menu.  It's only after requesting a transaction that it 
comes back with the invalid PIN message.

-- David



Re: Is it time to block all Microsoft protocols in the core?

2003-01-28 Thread David Charlap

Joe Abley wrote:


You're using mixed tense in these sentences, so I can't tell whether you 
think that syslog's network port is open by default on operating systems 
today.

On FreeBSD, NetBSD, OpenBSD and Darwin/Mac OS X (the only xterms I 
happen to have open right now) this is not the case, and has not been 
for some time. I presume, perhaps naïvely, that other operating systems 
have done something similar.

Current versions of Linux appear to be safe.  This is from the syslog 
package that ships with RedHat version 8 (sysklogd package version 
1.4.1-10).

	NAME
	sysklogd - Linux system logging utilities.

	...

	OPTIONS
	...
	-r    This option will enable the facility to receive
	  message from the network using an internet domain
	  socket with the syslog service (see  services(5)).
	  The default is to not receive any messages from
	  the network.

	  This option is introduced in version 1.3 of the
	  sysklogd package.   Please note that the default
	  behavior is the opposite of how older versions
	  behave, so you might have to turn this on.

The default RedHat installation does not turn on this option.

Looking through RedHat's FTP server, their 4.2 distribution (the oldest 
one on their server) is at version 1.3-15, and therefore incorporates
this feature.  This release has a README dated 1997, and the sysklogd 
package on their server is dated December 1996.

I would assume that other Linux distributions from the same era (1997 
through the present) would also have sysklogd version 1.3 or later, and 
therefore have this feature.

-- David
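An added example, not code from the original post or from the sysklogd package: the audit a practitioner would run on a host like the one described above, to confirm that syslogd is not accepting messages from the network. It checks the SYSLOGD_OPTIONS line that Red Hat's init script passes to syslogd for the "-r" flag quoted in the man page, and separately checks a "netstat -anu" or "ss -uln" listing for UDP port 514 bound on a wildcard address. The sysconfig file bodies and socket listings used as input are constructed for this example.

```python
"""Added example, not from the original post: audit a sysklogd host for a
network-reachable syslog receiver using two independent signals.

  1. The SYSLOGD_OPTIONS line in /etc/sysconfig/syslog, which Red Hat's init
     script passes to syslogd; "-r" is the flag quoted above.
  2. The bound UDP sockets as printed by "netstat -anu" or "ss -uln"; port 514
     on a wildcard address means anyone who can reach the box can log to it.

Both inputs are passed in as text so the check runs offline. The sample file
and listings below are constructed for this example.
"""
import re
import shlex

WILDCARDS = {"0.0.0.0", "*", "::", "[::]", ""}
ARG_FLAGS = set("aflmps")  # sysklogd 1.4 short options that take an argument


def syslogd_options(sysconfig_text):
    """Return the syslogd argument list from a /etc/sysconfig/syslog body."""
    for line in sysconfig_text.splitlines():
        m = re.match(r"\s*SYSLOGD_OPTIONS=(.*)$", line)
        if m:
            return shlex.split(m.group(1))
    return []


def network_reception_enabled(sysconfig_text):
    """True if "-r" is among the flags, alone ("-r") or clustered ("-rm 0").
    Follows getopt rules: a letter in ARG_FLAGS consumes the rest of the
    token, or the next token, as its argument."""
    toks = syslogd_options(sysconfig_text)
    i = 0
    while i < len(toks):
        tok = toks[i]
        i += 1
        if not tok.startswith("-") or tok in ("-", "--"):
            continue
        for j, ch in enumerate(tok[1:], start=1):
            if ch == "r":
                return True
            if ch in ARG_FLAGS:
                if j == len(tok) - 1:  # argument is the following token
                    i += 1
                break
    return False


def udp514_wildcard_bound(socket_listing):
    """True if a UDP socket is bound to port 514 on a wildcard local address.
    Handles netstat -anu and ss -uln style rows; the first field ending in
    ":514" is the local address, so the peer column is never examined."""
    for line in socket_listing.splitlines():
        fields = line.split()
        if not fields or not fields[0].lower().startswith(("udp", "unconn")):
            continue
        for f in fields:
            if f.endswith(":514"):
                if f[:-4] in WILDCARDS:
                    return True
                break
    return False


def audit(sysconfig_text, socket_listing):
    """Return the list of findings; an empty list means no network receiver."""
    findings = []
    if network_reception_enabled(sysconfig_text):
        findings.append("syslogd is started with -r: messages are accepted from the network")
    if udp514_wildcard_bound(socket_listing):
        findings.append("UDP port 514 is bound on a wildcard address")
    return findings


# Constructed samples: a stock Red Hat 8 style file, one with -r added, and
# two socket listings (loopback-only binds versus a wildcard syslog bind).
SAMPLE_SYSCONFIG_DEFAULT = '# Options to syslogd\nSYSLOGD_OPTIONS="-m 0"\nKLOGD_OPTIONS="-x"\n'
SAMPLE_SYSCONFIG_OPEN = '# Options to syslogd\nSYSLOGD_OPTIONS="-r -m 0"\nKLOGD_OPTIONS="-x"\n'
SAMPLE_NETSTAT_CLOSED = """Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 127.0.0.1:514           0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
"""
SAMPLE_NETSTAT_OPEN = """Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:514             0.0.0.0:*
udp6       0      0 :::514                  :::*
"""

if __name__ == "__main__":
    for label, cfg, socks in [("default", SAMPLE_SYSCONFIG_DEFAULT, SAMPLE_NETSTAT_CLOSED),
                              ("open", SAMPLE_SYSCONFIG_OPEN, SAMPLE_NETSTAT_OPEN)]:
        print(label, audit(cfg, socks) or ["OK: no network syslog receiver"])
```

The socket check is the one that matters on a host whose init script you do not trust: a loopback-only bind of port 514 is not flagged, only a wildcard one.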



Re: Networking in Africa...

2002-12-03 Thread David Charlap


So what exactly do people do in regards to Web spam?  I block tcp/80 
but would like to hear what others are doing.

Block or rate limit?  I would assume that blocking port 80 in a 
cybercafe wouldn't really work out in the long run.

One possible solution might be to force all traffic through a proxy, and 
have it cache all outgoing form traffic for several weeks.  This way, if 
someone reports abuse, you can search the cache and find out who is 
doing it.  From there, hopefully you'll have enough information to hand 
it over to law enforcement, or at least ban the customer from the cafe.

I don't know what (if any) legal right of privacy is in Nigeria, but I 
would suspect that a publicly posted policy notice (like management 
reserves the right to monitor all traffic and a strict TOS policy) 
should mitigate any legal concerns about doing this.

The only problems I see with this are hard drive space for the cache, 
and the possibility of spammers using secure web sites.  Do any web-mail 
sites use https these days?

-- David
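An added example, not part of the original post: a record-and-search store for outgoing form submissions, the kind of thing the proxy proposed above would keep for a few weeks. It parses raw HTTP requests as a proxy would see them, keeps POST form fields with the client address and time, lets you search them when an abuse report arrives, and expires old entries. It also shows the limitation raised at the end of the post: an https session only reaches the proxy as a CONNECT request, so nothing but the client and destination host can be recorded for it. The requests, addresses and timestamps are constructed; the proxy itself is not shown.

```python
"""Added example, not from the original post: a record-and-search store for
outgoing form submissions of the kind the proxy described above would keep
for a few weeks. Each POST is stored with the client address, time,
destination and decoded form fields; search() is what you run when an abuse
report arrives; expire() drops records older than the retention period.
A CONNECT request (https) cannot be inspected by the proxy, so only the
client and destination host are kept for it. The requests, addresses and
times below are constructed for this example; the proxy itself is not shown.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs


@dataclass
class Entry:
    when: datetime
    client: str
    host: str
    target: str
    fields: dict   # form field -> list of values; empty when not inspectable
    opaque: bool   # True for CONNECT: the body was never seen by the proxy


class FormLog:
    def __init__(self, retention_days=21):
        self.retention = timedelta(days=retention_days)
        self.entries = []

    def record(self, client, raw_request, now):
        """Parse one raw HTTP/1.x request; keep it if it is a POST or CONNECT.
        Returns True when an entry was stored."""
        head, _, body = raw_request.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        method, target, _version = lines[0].split(" ", 2)
        headers = {}
        for h in lines[1:]:
            name, _, value = h.partition(":")
            headers[name.strip().lower()] = value.strip()
        if method == "CONNECT":
            self.entries.append(Entry(now, client, target.split(":")[0], target, {}, True))
            return True
        if method != "POST":
            return False
        fields = {}
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        self.entries.append(Entry(now, client, headers.get("host", ""), target, fields, False))
        return True

    def expire(self, now):
        """Drop entries older than the retention window; return how many remain."""
        cutoff = now - self.retention
        self.entries = [e for e in self.entries if e.when >= cutoff]
        return len(self.entries)

    def search(self, pattern, host=None):
        """Entries whose form values match pattern (a case-insensitive regex),
        optionally limited to one destination host."""
        rx = re.compile(pattern, re.IGNORECASE)
        hits = []
        for e in self.entries:
            if host and e.host != host:
                continue
            text = " ".join(" ".join(values) for values in e.fields.values())
            if rx.search(text):
                hits.append(e)
        return hits

    def clients_for(self, pattern, host=None):
        """The client addresses behind matching submissions."""
        return sorted({e.client for e in self.search(pattern, host)})


# Constructed traffic: a webmail compose form, a GET that is not kept, and an
# https session the proxy can only see as CONNECT.
_BODY = b"to=victim%40example.org&subject=Hello&body=MAKE+MONEY+FAST%21+Click+here"
SAMPLE_POST = (b"POST http://webmail.example.net/cgi-bin/compose HTTP/1.0\r\n"
               b"Host: webmail.example.net\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n\r\n" + _BODY)
SAMPLE_GET = b"GET http://www.example.org/ HTTP/1.0\r\nHost: www.example.org\r\n\r\n"
SAMPLE_CONNECT = b"CONNECT webmail.example.com:443 HTTP/1.0\r\nHost: webmail.example.com:443\r\n\r\n"
T0 = datetime(2002, 12, 1, 9, 30, tzinfo=timezone.utc)


def build_sample_log():
    log = FormLog(retention_days=21)
    log.record("10.0.0.12", SAMPLE_POST, T0)
    log.record("10.0.0.17", SAMPLE_GET, T0 + timedelta(minutes=1))
    log.record("10.0.0.20", SAMPLE_CONNECT, T0 + timedelta(days=5))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("spam came from:", log.clients_for("make money fast"))
    print("uninspectable sessions:", [(e.client, e.host) for e in log.entries if e.opaque])
    print("entries kept after expiry:", log.expire(T0 + timedelta(days=30)))
```

Searching only form bodies keeps the retained data to what an abuse report can be matched against; the CONNECT entries answer the post's closing question in practice, since for an https webmail site all you get is who talked to which host and when.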



Re: Experts: Don't dismiss cyberattack warning

2002-11-20 Thread David Charlap

Rajendra G. Kulkarni wrote:


I agree. Never underestimate power of a fringe lunatic group to
cause harm.  Now, I am going to go out on a thin limb and
ask the following: When Experts say,
don't dismiss cyberattack warning,  what can somebody like
me (just a regular user) or for that matter
others with several degrees of better knowledge in the workings
of cyber networks than I,  do to stop cyber attacks from happening?


I think the real question (at least for NANOG members) is not whether 
terrorists are ready, willing and able to launch attacks against
networks.  It should be obvious that they are.

The real question is whether those attacks will be any worse than the 
attacks from other sources that have been hitting our networks on a 
regular basis for the past several years.

Are these terrorists actually trying to figure out ways to crack 
Windows, Linux, IOS and other popular operating systems or are they just 
downloading the same software that the script kiddies are already using?

-- David



Re: Even the New York Times withholds the address

2002-11-19 Thread David Charlap

Barry Shein wrote:


Before we get too, too, smug about this if you view the Manhattan
skyline, particularly downtown (e.g., SOHO/Tribeca) you'll see
house-sized water tanks on many, many buildings, particularly 3-10
story older buildings. I assume due to inadequate water pressure but I
honestly don't know why they're there, but they're all over.

I don't know if they're quite large enough for the proposed use, but
their existence would seem to defy most of the objections asserted
below.


It's my understanding that these tanks exist for the purpose of 
providing adequate water pressure for residential use (e.g. showers, 
faucets, toilets, etc.)  I don't think they could possibly hold even a
small fraction of the water necessary for emergency power generation.

-- David




Re: DNS Subdomains

2002-11-14 Thread David Charlap

Gawie Marais (Home) wrote:


Might be a simple question But... I've got no idea what the answer
could be...

In the early days, one only had a .com address space (amongst the most
popular ones). These days, there is .com(this) and .com(that) and any
kind of .(whatever) you can think of.

My question...

How does one start a .(whatever) ?? Who is actually controlling these
.(whatever) domains ?


Anybody can put a DNS server on the internet that serves a top-level domain.

The hard part is getting the rest of the world to recognize the 
existence of your new TLD, and getting them to recognize your server (or
pool of servers) as the official server for that TLD.

The official way to get this recognition is to get ICANN 
(http://www.icann.org/) to recognize you.  If you are a government, and 
you want ICANN to recognize your server as serving the TLD corresponding 
to your ISO country code, I don't think it's too big a deal, although 
there may be a lot of red tape to cut through.

If you want to register some other TLD, however, it's almost impossible. 
Note how long and drawn out (and politically charged) the process was
in getting the most recent top-level domains (.aero, .biz, .coop, .info, 
.museum, .name and .pro) created.  There are many more proposed TLDs 
that have either been rejected or have been tied up in committees.

It is possible to bypass ICANN, but that approach isn't any better.

One way is to get listed with an alternate root server, but you will 
only be recognized by those service providers that choose to use that 
alternate root.  This is not the entire internet.  I don't even think 
it's a significant portion of it (although I might be wrong here.)

If you don't get listed with an alternate root, then your only choice is 
to get service providers to manually configure their DNS servers to 
point to you for resolving your TLD.  IMO, you've got no chance of 
getting even one major service provider to do this for you.

In short, if you want to create a new top-level domain, don't bother. 
Even if it's possible, I don't think it's worth the effort.

-- David



Re: VeriSign Moves DNS Server To Boost Security

2002-11-11 Thread David Charlap

Stephen Sprunk wrote:

Thus spake Gil Cohen [EMAIL PROTECTED]


In an effort to protect the Internet from future hacking attacks, VeriSign
(Nasdaq: VRSN - news) has moved one of the Net's root servers to an
undisclosed physical and virtual location.


Maybe I'm missing something...  J's virtual location aka IP address is now
available from every DNS server in the world, not to mention the public
announcement that VeriSign made to various lists.  How is this undisclosed?


And how does it help anybody if a root server's address is made secret?

Wouldn't an off-line backup be just as useful and cheaper to implement?

-- David




Re: How do you stop outgoing spam?

2002-09-11 Thread David Charlap


Brad Knowles wrote:
 
 B) KNOW WHO THE HELL YOU'RE GIVING ACCOUNTS TO so that (A) works. Get
 a credit card or verify the phone number and other info (e.g., call
 them back, insist on calling them back.)
 
 Do you know how many credit cards are out there?  Do you know how 
 many of them are fake or stolen?  You can't even get a decent charge 
 that you can reliably apply to them, because the bank at the other end 
 will refuse payment from a non-existent or closed account.

Then do what hotels do to avoid this problem.

When you are given the card number and info, you contact the bank and 
put a hold on the account for the expected amount of the bill.  When the
bill actually comes due, you put the charge through.  You know that the 
charge will succeed because the bank is already holding that amount.

If the card is stolen, bogus, overdrawn, etc., then you won't be able to 
place the hold.  In which case, you reject the application.

 CyberCafe's can't use (B), even if it did work.  That would violate 
 their basic premise.

What basic premise?  Free anonymous access?  That's new to me.  Every 
one I've seen charges for access.  They can easily require charge cards 
in advance, and place holds on them, in order to identify stolen cards 
and criminal users.  And once a known-valid card is in hand, it can be 
used to directly impose penalty charges on those that violate the cafe's 
AUP (which should exist and have no-spamming/no-hacking clauses.)

If customers don't want to use charge cards, they can require a large 
cash deposit up-front, just like the video rental stores do if you try 
to get a membership without a charge card.

-- David




Re: How do you stop outgoing spam?

2002-09-10 Thread David Charlap


Rafi Sadowsky wrote:
 
 AFAIK you can tunnel IP over(at least):
 
  1) HTTP(not just use port 80 for non HTTP traffic)
 
  2) ICMP ...
 
  3) DNS queries(needs an external custom cooperating DNS)

E-mail: http://detached.net/mailtunnel

-- David
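An added example, not from the original post or the linked site: the DNS-query channel from the list above, written out from both ends so that the detection side can be tested against the encoder's real output. The sender splits its payload into base32 labels under a domain whose authoritative server it controls (the "external custom cooperating DNS"), and that server reassembles them; the operator-side check groups a resolver's query log by domain and flags domains that show many distinct, long subdomain parts, which is what a tunnel produces and ordinary lookups do not. The domain names, payload and background queries are constructed, and treating the last two labels as the registered domain is a simplification of this example, not a general rule.

```python
"""Added example, not from the original post: the DNS-query covert channel
from the list above, shown from both ends so a detector can be tested
against the encoder's real output. encode_queries() splits a payload into
base32 labels under a domain whose authoritative server the sender controls
(the "external custom cooperating DNS"); decode_queries() is what that
server does with the names it receives. tunnel_suspects() is the check an
operator could run over a resolver's query log: it groups names by domain
and flags domains seen with many distinct, long subdomain parts. The domain
names, payload and background queries are constructed for this example;
treating the last two labels as the registered domain is a simplification.
"""
import base64
import math
from collections import Counter

MAX_CHUNK = 35  # base32 of 36+ bytes needs 64 characters, over the 63-octet label limit


def encode_queries(payload, domain, chunk=30):
    """Turn payload into names of the form <seq>.<base32 data>.<domain>."""
    if chunk > MAX_CHUNK:
        raise ValueError("chunk too large for one DNS label")
    names = []
    for seq, i in enumerate(range(0, len(payload), chunk)):
        data = base64.b32encode(payload[i:i + chunk]).decode().rstrip("=").lower()
        names.append(f"{seq}.{data}.{domain}")
    return names


def decode_queries(names, domain):
    """Reassemble the payload from the names for `domain`, in sequence order,
    ignoring unrelated queries and duplicates."""
    parts = {}
    suffix = "." + domain
    for name in names:
        if not name.endswith(suffix):
            continue
        labels = name[:-len(suffix)].split(".")
        if len(labels) != 2 or not labels[0].isdigit():
            continue
        data = labels[1].upper()
        data += "=" * (-len(data) % 8)  # restore the base32 padding stripped by the sender
        parts[int(labels[0])] = base64.b32decode(data)
    return b"".join(parts[k] for k in sorted(parts))


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def tunnel_suspects(query_log, min_distinct=10, min_mean_sub_len=24):
    """Per-domain statistics over a list of queried names, with a verdict.
    Entropy is reported for inspection; the verdict uses the two counts,
    since long hostnames in plain English also score high on entropy."""
    subs_by_domain = {}
    for name in query_log:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue
        dom = ".".join(labels[-2:])
        subs_by_domain.setdefault(dom, set()).add(".".join(labels[:-2]))
    report = {}
    for dom, subs in subs_by_domain.items():
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        report[dom] = {"distinct": len(subs), "mean_sub_len": round(mean_len, 1),
                       "mean_entropy": round(mean_ent, 2),
                       "suspect": len(subs) >= min_distinct and mean_len >= min_mean_sub_len}
    return report


# Constructed inputs: a spam message as the tunnelled payload, and a day of
# ordinary lookups that includes a couple of hash-like CDN names.
PAYLOAD = (b"From: nobody@example.invalid\r\nTo: victim@example.org\r\n"
           b"Subject: MAKE MONEY FAST\r\n\r\n" + b"Click here to get rich. " * 12)
BACKGROUND = (["www.example.org"] * 40 + ["mail.example.net"] * 6 + ["imap.example.net"] * 6
              + ["a1b2c3d4e5f6a7b8.cdn.example", "9f8e7d6c5b4a3f2e.cdn.example"])

if __name__ == "__main__":
    queries = encode_queries(PAYLOAD, "tunnel.example")
    assert decode_queries(queries, "tunnel.example") == PAYLOAD
    for dom, stats in tunnel_suspects(BACKGROUND + queries).items():
        print(dom, stats)
```

The two thresholds are the tuning knobs: content-hashed CDN and cloud hostnames look like tunnel labels one at a time, so the verdict rests on volume of distinct names per domain rather than on any single query.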




Re: multicast (was Re: Readiness for IPV6)

2002-07-09 Thread David Charlap


Chris Parker wrote:
 It may be a bit higher, but the number who access multicast content
 is decidedly tiny.  More content would probably push it higher, as
 much fun as it is watching the ISS live on Nasa TV, it does get a
 bit dry.  :)

I think this is a case of if you build it, they will come.

RealPlayer's default configuration is to first attempt to use multicast, 
then fail-over to UDP, then fail-over to TCP.  In other words, if 
multicast is available, the program will use it.

I don't know about other streaming clients, but I would guess that 
others would behave similarly.

-- David




Re: How do I log on while in flight?

2002-06-27 Thread David Charlap


Leigh Anne Chisholm wrote:
 The FCC prohibits communication using a cellular telephone while in an
 aircraft in US airspace.  In Canada, I don't believe there is such a
 regulation.

The GTE airfones installed in most large planes have data ports if you 
must connect a computer.  But be prepared to pay a very steep per-minute 
charge for the connection.

-- David




Re: packet inspection and privacy

2002-06-25 Thread David Charlap


Steven M. Bellovin wrote:
 Mark Kent writes:

 I recently claimed that, in the USA, there is a law that prohibits an
 ISP from inspecting packets in a telecommunications network for
 anything other than traffic statistics or debugging.

 Was I correct?
 
 No.  Or at least you weren't; the Patriot Act may have changed it.
 (I assume you're talking about U.S. law.)
 
 There was a quirk in the wording of the law -- what you say is correct 
 for *telephone* companies, but not ISPs.

You're referring to common carrier status, I think.

This isn't exclusively restricted to phone companies, but that's the way 
it is right now.  I think it may also apply to non-voice carriers that 
sell circuits.  I'm pretty certain that it does not apply to ISPs.

A common carrier is not allowed to monitor/filter traffic on customer 
circuits.  They also can't be held responsible for the traffic on those 
circuits.

-- David





Re: SPEWS?

2002-06-20 Thread David Charlap


Dan Hollis wrote:
 
 Its my box, my hardware, my property. No one has an inherent right
 to force speech on an unwilling recipient.

If you're installing a blacklist on a mail server you keep at home for
yourself, then yes.

If you're running an ISP with thousands of customers, then you also have
to deal with how you're impacting them.  Sure, it may still be your
equipment, but that won't matter if you tick off your paying customers
and they decide to cancel their accounts and go to your competitors.

Blackholing grandma because a spammer uses the same ISP isn't going to
be an easy thing to get your customers to accept.

-- David



Re: SPEWS?

2002-06-20 Thread David Charlap


Dan Hollis wrote:
 On Thu, 20 Jun 2002, David Charlap wrote:

 Blackholing grandma because a spammer uses the same ISP isn't
 going to be an easy thing to get your customers to accept.
 
 if grandma is hosted on chinanet she is already blackholed by most
 western civilization anyway

Who said anything about chinanet?  You're the only one who keeps on
harping back to them.

In case you weren't paying attention, much of this discussion got
started because of a comment about blocking all of sprintlink.net.

-- David



Re: Routers vs. PC's for routing - was list problems?

2002-05-23 Thread David Charlap


Vinny Abello wrote:

 First off, you're right about moving parts generally being a bad
 thing. However, it is not always necessary to eliminate the hard
 drive.  Two drives in a RAID-0 configuration may be reliable
 enough.  Especially if the failure of a single drive sets off
 sufficient alarms so that it can quickly be hot-swapped for a new
 drive.
 
 I'm assuming you meant RAID-1. In RAID-0 if you 'swapped' any drive
 all your striped data is toast. ;)

Oops.  Yes.  of course I meant RAID-1.

 Then there's the issue of the PCI bus.  Standard PCI (32-bit 33MHz)
 has a theoretical maximum bandwidth of about 1Gbit/s.  But you can
 never use all of a PCI bus's bandwidth, so actual limits will be
 less than this.
 
 True... unless going for 64 bit PCI at 66MHz... 

64/66 PCI has 4 times as much bandwidth - about 4Gbit/s.  Much better
than standard PCI, but hard to find on a PC-compatible motherboard, and
expensive when you do find it.  Enough bandwidth for 10 line-rate 100M
Ethernet ports or six line-rate OC-3 ports (in theory, anyway).  But not
really enough for anything faster (OC-12 or GigE) if you want line-rate
forwarding.

-- David



Re: DoS on ftp port

2002-05-21 Thread David Charlap


Rob Thomas wrote:
 
 There is a huge increase in FTP scanning as well as the building of
 warez botnets.  The warez scanning is generally for anonymous FTP
 servers with plentiful bandwidth, copious disk space, and generous
 write permissions.  ...

One thing I know of that helps here is to make sure you never have a
single directory that is both readable and writeable to an anonymous
user.

In general, restrict writing to users with logins and passwords.  If you
must have an anonymous-write directory (like an incoming folder), make
sure that that directory is not also readable by anonymous users.

This probably won't eliminate all the abuse, but it should make it
impractical enough that the warez servers will probably start looking
elsewhere.

-- David
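An added example, not code from the original post: the check a practitioner would run over an anonymous FTP tree to find the condition the post warns about, a directory the anonymous user can both write to and list. It assumes the usual layout in which the daemon serves anonymous users as an unprivileged account that owns nothing under the tree, so "other" in the Unix mode bits stands for anonymous. It also looks inside write-only incoming directories, because a world-readable upload can still be fetched by anyone who is told its name. The sample tree is built in a temporary directory.

```python
"""Added example, not from the original post: check an anonymous FTP tree for
the condition the message warns about, a directory the anonymous user can
both write to and list. The anonymous user is taken to be "other" in the
Unix mode bits (the usual layout, where the daemon drops to an unprivileged
ftp user that owns nothing under the tree). A mode of 733 (or 1733 with the
sticky bit) on an incoming directory lets clients upload without being able
to list what others left there; the second check looks inside such
directories, because an uploaded file that is world-readable can still be
fetched by anyone who is told its name. The sample tree is built in a
temporary directory for this example.
"""
import os
import stat
import tempfile


def audit_anon_tree(root):
    """Walk root and return (relative path, octal mode, problem) tuples."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        mode = os.stat(dirpath).st_mode
        writable = bool(mode & stat.S_IWOTH)
        listable = bool(mode & stat.S_IROTH)
        if writable and listable:
            findings.append((rel, oct(stat.S_IMODE(mode)),
                             "anonymous can upload and list: usable as a warez drop"))
        elif writable:
            # write-only drop box: make sure what lands there is not retrievable
            for fname in filenames:
                fpath = os.path.join(dirpath, fname)
                fmode = os.stat(fpath).st_mode
                if fmode & stat.S_IROTH:
                    findings.append((os.path.join(rel, fname), oct(stat.S_IMODE(fmode)),
                                     "world-readable file in a write-only directory"))
    return findings


def build_sample_tree():
    """Constructed tree: a clean pub/, a correct incoming/, and two mistakes."""
    root = tempfile.mkdtemp(prefix="anonftp-")
    dirs = {"pub": 0o755, "pub/uploads": 0o777, "incoming": 0o733}
    files = {"pub/README": 0o644, "incoming/readme.txt": 0o644, "incoming/drop.bin": 0o600}
    for d in dirs:
        os.mkdir(os.path.join(root, d))
    for f, mode in files.items():
        with open(os.path.join(root, f), "w") as fh:
            fh.write("sample\n")
        os.chmod(os.path.join(root, f), mode)
    for d, mode in dirs.items():  # chmod last so the umask cannot interfere
        os.chmod(os.path.join(root, d), mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, mode, problem in audit_anon_tree(root):
        print(f"{path} ({mode}): {problem}")
```

The file-level check is the one people forget: a 733 incoming directory is only a drop box if the daemon also creates uploads without the world-read bit, which is a daemon setting (its umask or upload-mode option) rather than a directory mode.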



Re: anybody else been spammed by no-ip.com yet?

2002-05-10 Thread David Charlap


Jim Hickstein wrote:
 
 My customers who reach me (a mail service) from Earthlink dialups
 are affected by this.  Apparently it's still happening.  I run a
 listener on another host and port, known only to this (so far)
 small subset of people, to be able to serve them.  In general, we
 advise people to use their ISP's relay for outgoing mail, but
 Earthlink won't let them relay because the sender domain is not
 one that Earthlink knows about (i.e. is charging them for).
  Apparently.

Something's weird here.

My home DSL line is Earthlink.  I send out mail through their server
(specifically through smtp.mindspring.com), and I have my mail client
configured to use my yahoo.com address as the return address.  They don't
seem to care about the message's sender address as long as it comes from
an Earthlink link.

Is the dial-up any different?

Now, I do know that I can't send through the Earthlink/Mindspring server
from outside their network.  But that's not a big deal for me.  When I'm
away from home, I just use the server of whatever network I'm connected
to at the time, which has never given me a problem.

I think Earthlink has an SMTP-AUTH mail server as well.  It's not the
same one that the default dialups use, however.  I think it's
smtpauth.earthlink.com, but I haven't actually tried using it.

-- David



Re: anybody else been spammed by no-ip.com yet?

2002-05-10 Thread David Charlap


Jim Hickstein wrote:
 
 One clarification: Can these users relay through that host, using
 SMTP AUTH, from anywhere, or only from within your network?  I
 observe, for instance, that the instructions for Outlook 2000
 (Windows) does not have them check my [outgoing SMTP] server
 requires authentication.
 
 If the former, great!  I'll inform my affected customers.  If the
 latter, they'll have to fool with settings as they move around --
 which you no doubt already know is asking too much of 99% of the
 population. :-)

According to a message posted to one of the EL support newsgroups a
while back, they run a separate SMTP AUTH mail server that will work as
you describe.  It's not the same server that customers use from an EL
line, however.

I haven't actually used this server.  I also don't know if it's a
permanent thing or if it's just an experiment at this time.

-- David
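An added example, not code from either of the two messages above or from any provider: a model of the relay policy they describe, written as a small SMTP command handler that can be run against scripted sessions. Relaying to a non-local domain is allowed when the client address lies inside the provider's own netblocks, or when the session has completed SMTP AUTH with the PLAIN mechanism of RFC 4616; the sender address is recorded but plays no part in the decision, which is the behaviour the first message reports from inside the network. The netblocks, user table, addresses and sessions are constructed and say nothing about any real provider's configuration.

```python
"""Added example, not from the original posts: a model of the relay policy the
two messages describe, written as a small SMTP command handler that can be
run against scripted sessions. A message for a non-local domain is relayed
when the client address is inside the provider's own netblocks, or when the
session has completed SMTP AUTH (the PLAIN mechanism of RFC 4616); the
sender address plays no part in the decision. Netblocks, the user table,
addresses and sessions are all constructed for this example and describe no
real provider's configuration.
"""
import base64
import ipaddress

PROVIDER_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]
LOCAL_DOMAINS = {"example.net"}
USERS = {"alice": "correct horse battery"}  # constructed credentials


def check_plain(initial_response):
    """Validate an AUTH PLAIN initial response (base64 of authzid NUL authcid
    NUL passwd); return the user name on success, None otherwise."""
    try:
        raw = base64.b64decode(initial_response, validate=True)
        _authzid, authcid, passwd = raw.split(b"\x00", 2)
        user, pw = authcid.decode("utf-8"), passwd.decode("utf-8")
    except ValueError:  # bad base64 (binascii.Error is a ValueError), wrong field count, bad UTF-8
        return None
    return user if USERS.get(user) == pw else None


class Session:
    def __init__(self, client_ip):
        self.ip = ipaddress.ip_address(client_ip)
        self.inside = any(self.ip in net for net in PROVIDER_NETS)
        self.user = None
        self.sender = None

    def may_relay(self):
        return self.inside or self.user is not None

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-mail.example.net\r\n250 AUTH PLAIN"
        if verb == "AUTH":
            mech, _, resp = arg.partition(" ")
            if mech.upper() != "PLAIN" or not resp:
                return "504 5.5.4 Unrecognized authentication type"
            self.user = check_plain(resp)
            return ("235 2.7.0 Authentication successful" if self.user
                    else "535 5.7.8 Authentication credentials invalid")
        if verb == "MAIL":
            self.sender = arg.split(":", 1)[-1].strip().strip("<>")  # recorded, not used for policy
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            rcpt = arg.split(":", 1)[-1].strip().strip("<>")
            domain = rcpt.rpartition("@")[2].lower()
            if domain in LOCAL_DOMAINS or self.may_relay():
                return "250 2.1.5 Ok"
            return "554 5.7.1 Relay access denied"
        return "500 5.5.1 Command unrecognized"


def run_session(client_ip, lines):
    """Feed commands to one session; return the list of server replies."""
    s = Session(client_ip)
    return [s.handle(line) for line in lines]


# Constructed sessions. The sender is a third-party address in every case.
ALICE_PLAIN = base64.b64encode(b"\x00alice\x00correct horse battery").decode()
BAD_PLAIN = base64.b64encode(b"\x00alice\x00wrong").decode()
INSIDE = run_session("192.0.2.10", ["EHLO home", "MAIL FROM:<someone@yahoo.example>",
                                    "RCPT TO:<friend@example.org>"])
OUTSIDE = run_session("203.0.113.5", ["EHLO laptop", "MAIL FROM:<someone@yahoo.example>",
                                      "RCPT TO:<friend@example.org>", "RCPT TO:<user@example.net>"])
OUTSIDE_AUTH = run_session("203.0.113.5", ["EHLO laptop", f"AUTH PLAIN {ALICE_PLAIN}",
                                           "MAIL FROM:<someone@yahoo.example>",
                                           "RCPT TO:<friend@example.org>"])
OUTSIDE_BAD = run_session("203.0.113.5", ["EHLO laptop", f"AUTH PLAIN {BAD_PLAIN}",
                                          "MAIL FROM:<someone@yahoo.example>",
                                          "RCPT TO:<friend@example.org>"])

if __name__ == "__main__":
    for name, replies in [("inside", INSIDE), ("outside", OUTSIDE),
                          ("outside+auth", OUTSIDE_AUTH), ("outside+bad auth", OUTSIDE_BAD)]:
        print(name, replies[-1])
```

The outside session shows the two outcomes the posts distinguish: a recipient in a local domain is accepted (that is delivery, not relaying), while a foreign recipient is refused until the session authenticates. AUTH PLAIN carries the password in clear, so a server offering it for roaming users should only do so over TLS; that is left out of the model.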