RE: Fourth cable damaged in Middle East (Qatar to UAE)

2008-02-03 Thread Marcus H. Sachs

So is this cause for concern or just "business as usual" with respect to the
daily operations of USFO cables?  Seems somewhat out of place to have four
within five days but then it might be only slightly abnormal and amplified
by the media paying more attention.

-Original Message-
From: Sean Donelan [mailto:[EMAIL PROTECTED] 
Sent: Sunday, February 03, 2008 8:22 PM
To: Marcus H. Sachs
Cc: nanog@merit.edu
Subject: RE: Fourth cable damaged in Middle East (Qatar to UAE)



http://afp.google.com/article/ALeqM5i03tUdyj8wf2Xa9P4trWEjqAJdyQ
DOHA (AFP) - An undersea telecoms cable linking Qatar to the United Arab
Emirates was damaged, disrupting services, telecommunications provider 
Qtel said on Sunday, the latest such incident in less than a week.

The cable was damaged between the Qatari island of Haloul and the UAE 
island of Das on Friday, Qtel's head of communications Adel al Mutawa told 
AFP.




On Sun, 3 Feb 2008, Marcus H. Sachs wrote:

> Sean, do you have any URLs with additional info on the new cut?  Questions
> are being asked.
>
> Marc
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sean
> Donelan
> Sent: Sunday, February 03, 2008 6:52 PM
> To: nanog@merit.edu
> Subject: Fourth cable damaged in Middle East (Qatar to UAE)
>
>
>
> A fourth submarine cable in the middle east was damaged Sunday
> between Haloul, Qatar and Das, United Arab Emirates.
>
> This is in addition to the damage affecting FLAG, SEA-ME-WE4, FALCON
> cables.
>
> After reviewing surveillance video of the area, Egypt's ministry of
> maritime transportation is reporting no ships were near the FLAG or
> SEA-ME-WE4 cables 12-hours before or after the cable damage near
> Alexandria, Egypt.  The reason for outage of the cables has
> not been identified yet.
>
>



RE: Fourth cable damaged in Middle East (Qatar to UAE)

2008-02-03 Thread Marcus H. Sachs

Sean, do you have any URLs with additional info on the new cut?  Questions
are being asked.

Marc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sean
Donelan
Sent: Sunday, February 03, 2008 6:52 PM
To: nanog@merit.edu
Subject: Fourth cable damaged in Middle East (Qatar to UAE)



A fourth submarine cable in the middle east was damaged Sunday
between Haloul, Qatar and Das, United Arab Emirates.

This is in addition to the damage affecting FLAG, SEA-ME-WE4, FALCON
cables.

After reviewing surveillance video of the area, Egypt's ministry of
maritime transportation is reporting no ships were near the FLAG or
SEA-ME-WE4 cables 12-hours before or after the cable damage near
Alexandria, Egypt.  The reason for outage of the cables has
not been identified yet.



Any Amazon security folks here?

2007-11-18 Thread Marcus H. Sachs

I need an Amazon.com network security person to contact me ASAP.

Thanks.

Marc


--
Marc Sachs
SANS ISC
[EMAIL PROTECTED]





RE: How to get help from your ISP for security problems

2007-08-30 Thread Marcus H. Sachs

Sean, great idea!  May we point to your page from the Internet Storm Center?
We've got an external links page at http://isc.sans.org/links.html that I'd
like to put it on.

Marc
SANS ISC

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sean
Donelan
Sent: Thursday, August 30, 2007 2:27 PM
To: nanog@merit.edu
Subject: How to get help from your ISP for security problems



I'm used to the fingerpointing, but I was amazed when I met a lot of 
security researchers who didn't seem to know about all the different
things ISPs are doing to help customers avoid having their computers 
compromised by intrusions and repairing their computers afterwards.

So I started putting together a web page of paid and free ISP security 
support links.  If you are a national or large regional ISP in the US,
send me your link and I'll add it.



Note: I haven't said how to get help from some other ISP.



RE: BotHunter

2007-08-02 Thread Marcus H. Sachs

Not soon but maybe eventually.  You could also install this on a low-end
spare computer at home, and see if you are comfortable with it.

Marc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Kadow
Sent: Thursday, August 02, 2007 3:02 PM
To: Nanog
Cc: Marcus H. Sachs
Subject: Re: BotHunter

Any chance of a platform-independent source release of BotHunter?
I have neither Linux nor Intel available, and a policy forbidding running
unknown binaries.

Kevin



BotHunter

2007-08-02 Thread Marcus H. Sachs

All,

SRI and Georgia Tech have been working on a pretty cool new tool that will
quickly locate bot traffic inside a network.  A government/military version
of this software has been in use successfully for about a month, and a
public version was made available this week.  BotHunter introduces a new
kind of passive network perimeter monitoring scheme, designed to recognize
the intrusion and coordination dialog that occurs during a successful
malware infection.  It employs a novel dialog-based correlation engine
(patent pending), which recognizes the  communication patterns of
malware-infected computers within your network perimeter.  BotHunter is
available for download at http://www.cyber-ta.org/BotHunter/ and runs under
Linux Fedora, SuSE, and Debian distributions.

There is also a highly interactive honeynet using BotHunter run by SRI you
should look at.  The URL is
http://www.cyber-ta.org/releases/malware-analysis/public/.  We are detecting
dozens of new infections each day and this site is very helpful in
understanding the behavior of the received malware.  Also, it generates a
nice list of potentially evil IP addresses and DNS queries.

For both the BotHunter software and the honeynet we'd appreciate any
feedback on ways to improve them.  Contact details are in the download
package and on the website.


Marc

--
Marcus H. Sachs, P.E. <[EMAIL PROTECTED]>   
SRI International  1100 Wilson Blvd Suite 2800, Arlington VA  22209  USA
tel +1 703 247 8717   fax +1 703 247 8569   mob +1 703 932 3984



RE: DNS Hijacking by Cox

2007-07-22 Thread Marcus H. Sachs

DNSSEC provides source authenticity and data integrity.  You may get a bogus
answer, but with DNSSEC in place at least you have a way of verifying the
bogosity (is that a word?) of the reply.

I agree with Steve, DNSSEC won't stop these tricks but it makes them
detectable.

I'm a Cox user at home but I have my Linksys home router configured to use
DNS servers of my own choosing rather than Cox' choice.  I also tunnel my
email through SSH to a mail server I control so that I'm not blocked by
their port 25 filters.

Marc 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Steven M. Bellovin
Sent: Sunday, July 22, 2007 9:46 PM
To: Patrick W. Gilmore
Cc: nanog@merit.edu; Patrick W. Gilmore
Subject: Re: DNS Hijacking by Cox


On Sun, 22 Jul 2007 21:40:05 -0400
"Patrick W. Gilmore" <[EMAIL PROTECTED]> wrote:

> 
> On Jul 22, 2007, at 9:29 PM, Steven M. Bellovin wrote:
> > On Sun, 22 Jul 2007 14:56:13 -0700
> > "Andrew Matthews" <[EMAIL PROTECTED]> wrote:
> >
> >> It looks like cox is hijacking dns for irc servers.
> >>
> > And people wonder why I support DNSsec
> 
> Steve,
> 
> One of us is confused.  It might be me, but right now I think it's 
> you.
> 
> To be clear, here is the situation as I understand it: Cox has 
> configured their recursive name servers such that when an end user 
> queries the recursive server for a specific host name (names?), the 
> recursive server responds with an IP address the host's owner did not 
> configure.
> 
> How exactly is DNSSEC going to stop them from doing this?
> 
If my host expects the response to be signed and it isn't, my host can
scream bloody murder.  The whole point of DNSSEC is to prevent random
changes to DNS replies, whether by hackers or by ISPs.

Yes, they can change it, but they can't change it without being caught.


--Steve Bellovin, http://www.cs.columbia.edu/~smb



RE: Current routing issues?

2007-07-17 Thread Marcus H. Sachs

Thanks, Rob.  Whatever the issue was it seems to have fixed itself.
Normally we don't ask but in this case we received queries from Europe
and from the USA, all with different data sources, but all seeing what
looked like a routing problem.  So we felt it was better to ask than to just
sit on the info.

Marc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob
Thomas
Sent: Tuesday, July 17, 2007 11:55 AM
To: Marcus H. Sachs
Cc: 'Nanog'; [EMAIL PROTECTED]
Subject: Re: Current routing issues?


Hi, Marc.

> The Internet Storm Center just received a couple of notes from readers
> wondering if there are known routing problems happening right now.   
> See
> http://www.internetpulse.net/.  Any ideas?

We saw a BGP blip earlier:

<http://www.cymru.com/BGP/prefix_delta.html>
<http://www.cymru.com/BGP/bgp_prefixes.html>

I'm sure Todd @ Renesys has more insight into that.  Otherwise things look
pretty reasonable overall:

<http://www.cymru.com/Reach/icmp.html>
<http://www.cymru.com/monitoring/dnssumm/index.html>

Even the noise is fairly normal; well, normal for noise.  :)

<http://www.cymru.com/Reach/garbage.html>

Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
cmn_err(do_panic, "Out of coffee!");




RE: IP Block 99/8 (DHS insanity - offtopic)

2007-04-24 Thread Marcus H. Sachs

Mr. Oquendo (I presume "Mr." but if it's "Ms." please accept my
apologies...), it appears that there is little common ground between you and
me.  So, rather than stringing this out for the next several days and boring
everybody else to tears, I will say thanks for the "chat" and I look forward
to continuing this in person over a beer or other libation at some future
gathering.

Marc 

-Original Message-
From: J. Oquendo [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 24, 2007 9:58 AM
To: Marcus H. Sachs
Cc: nanog@merit.edu
Subject: Re: IP Block 99/8 (DHS insanity - offtopic)

Alrighty... Since you pointed out this article I already read.


// QUOTE //
"This is the U.S. government stepping forward and showing leadership," 
Douglas Maughan, an official with the Department of Homeland Security's
Science and Technology Directorate, told United Press International.
// END //

Strong leadership? What are they implying they will lead. They can't even
lead their own security issues and I've yet to see anything on GCN, FCW
implying that mil or gov servers had their DNS servers hijacked. So what is
proposed that they will lead?

// MORE //
The DNS Security Extensions Protocol, or DNSSec, is designed to end such
abuse by allowing the instantaneous authentication of DNS information --
effectively creating a series of digital keys for the system.
 
One lingering question -- largely academic until now -- has been who should
hold the key for the so-called DNS Root Zone, the part of the system that
sits above the so-called Top Level Domains, like .com and .org.

...
 
The draft lays out a series of options for who could be the holder, or
"operator," of the Root Zone Key, essentially boiling down to a governmental
agency or a contractor.
// END //


You mean like Verisign? Why should the US handpick a company or one of their
contractors to manage this. You're implying that a PRIVATE CORPORATION would
never follow the will of the one feeding it... I could as could anyone else
point out the systemic abuse that would follow. One would have to be
ignorant to ignore the potential for abuse not solely from a government
whispering sweet nothings in the ear for sake of perhaps censorship, but
what about the private abuse... No form of oversight other than the US and
our Department of Terrorism and Paranoia Security are mentioned.


// QUOTED //
"Nowhere in the document do we make any proposal about the identity of the
Root Key Operator," said Maughan, the cyber-security research and
development manager for Homeland Security.
// END QUOTE//


Uh... In the same article it states "The draft lays out a series of options
for who could be the holder, or "operator," of the Root Zone Key,
essentially boiling down to a governmental agency or a contractor." Yet here
is Maughan stating "Oh no... DHS and the US government won't pick who holds
keys..."


// QUOTE //
"The Root Key Operator is going to be in a highly trusted position. It's
going to be a highly trusted entity. The idea that anyone in that position
would abuse it to spoof addresses is just silly."
// END //


The idea that it has a huge potential for abuse is not silly. I can see
where some would be either too good hearted to take heed to common logic,
but the potential for abuse is right smack dab in anyone's face. You pointed
out the article Mr. Sachs, so please explain to me how you can now come back
and state "But the DHS has no intention on controlling the key... Sure they
intend on handpicking who does, but that doesn't mean said company will not
follow what it is mandated to do by US government, nor will said company
abuse it on their own."

I can point out hundreds of contractors with the government who so blatantly
con the government and circumvent laws. But that would be geared towards a
political mailing list, not this one.
So if we're to stick to the facts, getting the gist out of the article you
chose... You just re-confirmed the US government's underlying desire to
somehow control the root keys...
 

--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'

"Wise men talk because they have something to say; fools, because they have
to say something." -- Plato




RE: IP Block 99/8 (DHS insanity - offtopic)

2007-04-24 Thread Marcus H. Sachs

J. Oquendo wrote:

> http://www.heise.de/english/newsticker/news/87655

That is the article that started a very unfortunate chain of events.  The
reporter got all of the facts wrong, then people who I thought had some clue
jumped into the mess and only made it worse.  

> http://www.gcn.com/online/vol1_no1/43443-1.html

DHS does not want the "keys to the Internet" anymore than they want the keys
to your car.  The DNSSEC initiative gets funding from DHS' Science and
Technology directorate as directed by the National Strategy to Secure
Cyberspace, published by the White House in 2003 (disclaimer - I was part of
the team at the WH that wrote that document, so feel free to toss barbs at
me about it, keeping in mind that it was published over four years ago and A
LOT has changed since then...)  

The DNSSEC initiative is supported by many countries, not just the United
States.  The root key (actually, the root zone's Key Signing Key or KSK)
will be held by the Root Key Operator (RKO), which is some yet-to-be
designated organization or group.  Details about all of this are at
http://www.dnssec-deployment.org if you want to get into the weeds of the
initiative.  

It would be nice if reporters had bothered to contact DHS to request an
interview before making statements like, "The Homeland Security Department
has stirred up online controversy with its suggestion that the government
should hold a master key for digitally signing the root zone of the Domain
Name System under the DNS Security scheme."  

For a more accurate perspective, see this:
http://www.upi.com/Security_Terrorism/Analysis/2007/04/12/analysis_owning_the_keys_to_the_internet.


Marc



RE: IP Block 99/8 (DHS insanity - offtopic)

2007-04-24 Thread Marcus H. Sachs

 
> NANOG is just a mailing list and the people who are on it 
> are just people having a chat.

Whew.  That's refreshing good news.  And here I thought that this was a
place to discuss operational issues.

OK, back to the real world and thanks for the chat.

Marc



RE: IP Block 99/8 (DHS insanity - offtopic)

2007-04-24 Thread Marcus H. Sachs

>Please provide some evidence of your assertion. I have seen no evidence that
>the very folks who work so hard to run the Internet are making any
>speculations at all about the DHS.

Scroll backwards through the emails to the first one in this modified thread
(RE: IP Block 99/8 (DHS insanity - offtopic)) and read the first few
comments that came in.

Marc



RE: IP Block 99/8 (DHS insanity - offtopic)

2007-04-23 Thread Marcus H. Sachs

(email string deleted...)

I'm deeply saddened that the very folks who work so hard to run the Internet
are publicly speculating that DHS wants to take over the 'net.  If that's
the message that DHS is sending, then we need to go back to the drawing
boards and re-write the message.  Can somebody point to DHS quotes that lend
support to this idea?  Or are the ideas coming from a bunch of pseudo-news
hacked together by non-technical reporters that have absolutely no idea what
they are talking about?

Unless I'm totally out to lunch, the DHS is not trying to take over the
Internet (nor DoD, nor Commerce, nor DoJ, not even George W. Bush himself.)
The DHS Science and Technology Directorate is funding several programs aimed
at increasing the security of Internet mechanisms, primarily the DNS and the
routing infrastructure.  Funding RDTE&T is not the same as running a global
infrastructure.

Folks, please do some research on this and stop bashing a group that is
working hard to make your jobs easier to perform (unless you think that
bashing is needed, and if so, please cite the sources of your concerns.)  We
need a lot of leadership, both public and private, and I think that DHS is
offering us something that we should be reinforcing, not tearing down.

Thanks.

Marc


Marcus H. Sachs, P.E.
SRI International
1100 Wilson Blvd Suite 2800, Arlington VA  22209
tel +1 703 247 8717   fax +1 703 247 8569
mob +1 703 932 3984   [EMAIL PROTECTED]




RE: IP Block 99/8

2007-04-20 Thread Marcus H. Sachs

If we had "clean" registries and signed/verifiable advertisements this would
not be an issue.  Most of you know that DHS was pushing the Secure Protocols
for the Routing Infrastructure initiative
(http://www.cyber.st.dhs.gov/spri.html).  Due to budget cuts this program is
on the shelf for now.  However, we are still interested in making it happen.

I think that the discussion about 7.0.0.0/24 several days ago could also
have been avoided if we had already implemented some of the SPRI ideas.

Marc


Marcus H. Sachs, P.E.
SRI International
1100 Wilson Blvd Suite 2800, Arlington VA  22209
tel +1 703 247 8717   fax +1 703 247 8569
mob +1 703 932 3984   [EMAIL PROTECTED]



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shai
Balasingham
Sent: Friday, April 20, 2007 1:55 PM
To: nanog@merit.edu
Subject: IP Block 99/8


Hi,

I am Shai from Rogers Cable Inc. ISP in Canada. We have IP block 99.x.x.x
assigned to our customers. Which happened to be bogons block in the past and
was given to ARIN in Oct 2006. As we have recently started using this block,
we are getting complaints from our customers who are unable to surf some web
sites. After investigation we found that there are still some prefix
lists/ACLs blocking this IP block.

We own the following blocks:

99.224.0.0/12
99.240.0.0/13
99.248.0.0/14
99.252.0.0/16
99.253.128.0/19

Please update your bogons list.

Shai.

end
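
A way to audit a route filter for the stale bogon entries described in the message above, as an added example that is not part of the original thread. The allocated prefixes are the ones listed in the post; the filter text is a constructed sample in Cisco IOS prefix-list syntax, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import namedtuple

# Prefixes listed in the message above as assigned to the ISP's customers.
ALLOCATED = ["99.224.0.0/12", "99.240.0.0/13", "99.248.0.0/14",
             "99.252.0.0/16", "99.253.128.0/19"]

# Constructed sample filter (Cisco IOS prefix-list syntax), not from the post.
SAMPLE_FILTER = """\
ip prefix-list BOGONS seq 5 deny 0.0.0.0/8 le 32
ip prefix-list BOGONS seq 10 deny 10.0.0.0/8 le 32
ip prefix-list BOGONS seq 15 deny 99.0.0.0/8 le 32
ip prefix-list BOGONS seq 20 deny 192.168.0.0/16 le 32
ip prefix-list BOGONS seq 25 deny 99.253.128.0/20
ip prefix-list BOGONS seq 30 permit 0.0.0.0/0 le 24
"""

Entry = namedtuple("Entry", "seq action net lo hi")
ENTRY_RE = re.compile(r"^ip prefix-list\s+\S+\s+seq\s+(?P<seq>\d+)\s+"
                      r"(?P<action>permit|deny)\s+(?P<prefix>\S+)(?P<rest>.*)$")


def parse_prefix_list(text):
    """Parse prefix-list lines into entries ordered by sequence number."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        net = ipaddress.ip_network(m.group("prefix"), strict=False)
        bounds = dict(re.findall(r"\b(ge|le)\s+(\d+)", m.group("rest")))
        if bounds:
            # ge only: ge..32, le only: len..le, both: ge..le
            lo = int(bounds.get("ge", net.prefixlen))
            hi = int(bounds.get("le", 32))
        else:
            lo = hi = net.prefixlen  # no ge/le means exact-length match
        entries.append(Entry(int(m.group("seq")), m.group("action"), net, lo, hi))
    return sorted(entries, key=lambda e: e.seq)


def first_match(entries, route):
    """Return the first entry matching an announced route, or None."""
    for e in entries:
        if route.subnet_of(e.net) and e.lo <= route.prefixlen <= e.hi:
            return e
    return None  # falls through to the implicit deny


def audit(filter_text, allocated):
    """Return (blocked, stale).

    blocked: allocated prefix -> seq of the deny entry that drops it
             (None when it only hits the implicit deny).
    stale:   deny entry seq -> allocated prefixes whose space it overlaps,
             including entries that would drop only more-specific routes.
    """
    entries = parse_prefix_list(filter_text)
    routes = {p: ipaddress.ip_network(p) for p in allocated}
    blocked, stale = {}, {}
    for p, route in routes.items():
        hit = first_match(entries, route)
        if hit is None or hit.action == "deny":
            blocked[p] = hit.seq if hit else None
    for e in entries:
        if e.action == "deny":
            inside = [p for p, r in routes.items() if e.net.overlaps(r)]
            if inside:
                stale[e.seq] = inside
    return blocked, stale


if __name__ == "__main__":
    blocked, stale = audit(SAMPLE_FILTER, ALLOCATED)
    for p, seq in blocked.items():
        print(f"{p} is dropped by seq {seq}")
    for seq, prefixes in stale.items():
        print(f"seq {seq} overlaps allocated space: {', '.join(prefixes)}")
```

The second result matters after the obvious 99.0.0.0/8 line is removed: an entry such as the constructed seq 25 does not drop the announced /19 but still denies a more-specific route inside it.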



RE: Undersea fiber cut after Taiwan earthquake - PCCW / Singtel / KT etc connectivity disrupted

2007-01-23 Thread Marcus H. Sachs

That massive bundle of visible conduit running under the toll road where
Centreville Road crosses always grabs my attention.  I'm sure there's
nothing critical inside of it.

Marc 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Robert E. Seastrom
Sent: Monday, January 22, 2007 11:04 AM
To: Jamie Bowden
Cc: Marshall Eubanks; nanog@merit.edu
Subject: Re: Undersea fiber cut after Taiwan earthquake - PCCW / Singtel /
KT etc connectivity disrupted


>
>
the only fiber that i'm aware of that is actually along the toll road itself
belongs to the toll road folks.  it would screw up the smart tag
transponders for sure, but the ensuing traffic backups are unlikely to
affect half the east coast (even though traffic in nova sometimes feels that
way).

sunrise valley dr. and sunset hills rd. are an entirely different matter
though.  update your maps before you go to us rentals eh?  :-)

---rob



RE: DNSSEC in public

2005-09-12 Thread Marcus H. Sachs

Dan, check out http://www.dnssec-deployment.org/

Marc


Marcus H. Sachs, P.E.
SRI International
1100 Wilson Blvd Suite 2800
Arlington VA  22209
www.hsarpacyber.com


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan
Mahoney, System Admin
Sent: Monday, September 12, 2005 6:15 AM
To: [EMAIL PROTECTED]
Subject: DNSSEC in public



In response to a recent question I saw regarding DNSSEC on RIPE domains, 
I'd like to ask if there's any sort of draft or standard that anyone knows 
about for doing DNSSEC in the public, using either a "root" key and/or 
possibly having master keys published in WHOIS?

I see a very experimental thing Verisign is doing for the .net zone, and 
also for some other opt-in zone, but I'm sure that's highly experimental 
at this point.

I guess my question is: is there even something up for discussion at this 
point?  I know it's early in the game.

Thanks

Dan

--

"I can feel it, comin' back again...Like a rolling thunder chasin' the
wind..."

-Dan Mahoney, JS, JB & SL, May 10th, 1997, Approx 1AM

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



RE: FW: Need some help: IDEAS, Inc.

2005-09-03 Thread Marcus H. Sachs

Thanks very much Reed!!!  Great solution by the way.

Marc
SANS ISC
[EMAIL PROTECTED]


-Original Message-
From: Reed Loden [mailto:[EMAIL PROTECTED] 
Sent: Saturday, September 03, 2005 3:05 PM
To: Marcus H. Sachs
Cc: nanog@merit.edu; [EMAIL PROTECTED]
Subject: Re: FW: Need some help: IDEAS, Inc.


On Sat, 3 Sep 2005 11:00:03 -0400
"Marcus H. Sachs" <[EMAIL PROTECTED]> wrote:

> The IDEAS, Inc. scum MUST die, but I'm all out of ideas at this 
> point... the only other possibility that I can think of is to take
> them out at the DNS level.  All of the "slave" sites at 206.251.184.10 
> use DirectNIC for their DNS...  Anyone got sway with them?

Relayed to DirectNIC staff via IRC. They are dealing with it.

Instead of just dropping the redirection service and making it go to some
invalid page, they are going to redirect all the sites to the official Red
Cross site. ;)

~reed

-- 
Reed Loden - <[EMAIL PROTECTED]>



FW: Need some help: IDEAS, Inc.

2005-09-03 Thread Marcus H. Sachs

One of our incident handlers at the SANS Internet Storm Center has been
trying to chase down the bogus Katrina assistance web sites.  Below is a
note of frustration he sent internally to us this morning.  I asked if I
could cross-post over to NANOG to see if any of you could assist.

Thanks in advance!

Marc


++
Marcus H. Sachs, P.E.  KJ4WA :   [EMAIL PROTECTED]
Director, SANS Internet Storm Center :isc.sans.org
Washington D.C.  USA(EDT, GMT-4) : +1 703 707 9293
++


-Original Message-
Sent: Saturday, September 03, 2005 9:32 AM
Subject: Need some help: IDEAS, Inc.


Morning all:

Last night, I pulled a new copy of the .com and .net zone files down and did
another grep for "katrina" domains.  Obviously, there are now more...

In the process of checking and cross-referencing, I found that our friends
"IDEAS, Inc" are a little more "involved" than we originally thought:

http://www.hurricanekatrinarelief.com
http://www.hurricanekatrinapics.com
http://www.hurricanekatrinaneworleans.com
http://www.hurricanekatrinaflooding.com
http://www.hurricanekatrinainfo.com
http://www.hurricanekatrinamap.com
http://www.hurricanekatrinanews.com
http://www.hurricanekatrinapath.com
http://www.hurricanekatrinaphoto.com
http://www.hurricanekatrinaphotos.com
http://www.hurricanekatrinarelieffund.com
http://www.hurricanekatrinatracking.com
http://www.hurricanekatrinaupdate.com
http://www.hurricanekatrinavideos.com
http://www.katrinadamage.com
http://www.katrinapics.com
http://www.katrinavideos.com 
http://www.neworleanshurricanekatrina.com

...and those are just the 18 I was able to find.

Right now, there are two weak points to this particular house of cards.

1) The first site listed, "http://www.hurricanekatrinarelief.com", is what
drives all of the others.  Each of the other sites loads the first one in
an IFRAME.  That makes it easy for the bastards to update them all.  This
site is hosted by Interland.  Their final word on shutting these scumballs
down until they could prove they were legitimate was:

"We have been advised by our legal department that the local authorities
should be contacted. The local authorities can submit a subpoena to our
legal department.  We will be glad to comply to such a request."

ie. "We have no balls.  Go away".

2) All of the other sites are hosted at the IP address 206.251.184.10.
Immediate upstream is "datasync.net/.com" and they are located in (of
course...) Louisiana.  I've emailed them numerous times, and tried to call
("all circuits are busy..."), but they're probably running in lights-out
mode right now.

The IDEAS, Inc. scum MUST die, but I'm all out of ideas at this point... the
only other possibility that I can think of is to take them out at the DNS
level.  All of the "slave" sites at 206.251.184.10 use DirectNIC for their
DNS...  Anyone got sway with them?

Frankly, gang, I'm at my wits end on this one...