Re: Cisco moves even more to china.
Nicole wrote: So.. I guess we will be cranking out those H1b's...Plan to kiss your raises and or jobs bye bye to some specialized cheap imported Cisco trained networking person from China. There is an implicit assumption here that the objective of 100% of these trainees will be to move as economic migrants to the West. Wrong folks. Very very wrong. Notice how China as a *consumer* is growing faster than anyone else around ? While there may well be some (what's the right word ?) retro-sourcing of cheap labour into the US (and the EU), I suspect that once any initial levelling of the field happens, there will be just as much, if not more, movement the other way. There is a lot of jingoistic rhetoric here, and not enough rational thought about the objective - building big networks in the biggest economy of the near future. PS I hate *all* certification with a passion, regardless of level and including things like my BSc which was just a great excuse to drink lots for a few years. The person doing the selection of candidates should have enough expertise themselves to make a rational judgement based on a face to face interview. Peter
Re: Are AOL's MXs mass rejecting anyone else's emails?
Robert Blayzor wrote: One would hope that they're rejecting the incoming mail with a 400 series error and not 500 series. Where does the 400lb gorilla lie down ? Wherever it likes. AOL does pretty much anything it wants to. If they start 500'ing your mail, it becomes your problem. Unless you have a large budget and a good legal team. Peter
Re: OT- need a new GSM provider
Paul Vixie wrote: besides which, i hated the phone. i couldn't get it out of my pocket without hitting the voice-call button. the asynchronous nature of the java-based UI meant that the softkeys often changed what they meant while i was trying to press one. what a total piece of garbage. Yep, also hated here. The law of least astonishment should be a real law, with criminal penalties for those designers who break it - or for negligence if they provide facilities for others to break it. I typically use (in the UK) an older Nokia, BW screen, normal buttons, long battery life - while everyone appears to be over tempted by the new soft phones, with colour, cameras, music etc. Battery life is crap, they take seconds to do anything and some of the keyboard layouts... let's not even go there. Peter
Re: Senator Diane Feinstein Wants to know about the Benefits of P2P
Michel Py wrote: In other words: as of today a large part of the bandwidth is allocated to building everyone's collection of files. This might gradually change to become bandwidth being used only for incremental updates as huge local file libraries become common place. But this possibly assumes that production of new media will either slow or stay at a constant rate. The never-yet-realised side effect of all this distribution capacity is that possibly many more artists will have access to the listeners / viewers and in more narrow niches than the existing system allows. And that may be the real nightmare for the existing vested-interest groups. Peter
Re: Senator Diane Feinstein Wants to know about the Benefits of P2P
Michel Py wrote: 2) Make audio CD's unreadable in a computer so nobody can rip the .wav tracks to .mp3. Totally stupid: 2.a) Remember the last ones that tried (namely Sony)? Their protection scheme could be defeated in 2 seconds with a sharpie. I'm still laughing at it. Hara-kiri comes to mind. ... 2.c) Anyway, given the audio quality of standard gear today, a single digital.wav - analog - digital.mp3 pass is not going to degrade the audio quality enough to bother anybody. In other words: connect a good CD player to a PC with a good soundcard with a grounded gold-plated cable and rip to .mp3 from the analog input, nobody will know that it's not a direct CD audio track to .mp3 rip. If it can come out the speaker or the screen *and* we don't collectively submit to some in-body DRM tech, then it can be copied and redistributed. Any sane media exec (and I use the word in a general sense, not clinical) person would have realised that copy protection is only putting another row of sandbags on top of the old to stop the eventual inundation. These folks are playing the long game, and are using recent P2P illegal distribution stories (in a mass media that they control, ipso facto) as the straw man to buy better laws for themselves for the future. Reality is something that can be legislated against, at least that appears to be the gist of it. 3. Finally, and although it is true that copyright infringement is very often associated with P2P, I found myself downloading a lot of .mp3 files that I actually own on LP, simply because it's faster to download the file than it is to rip it from the LP (I know because I tried: I actually have a few CDs that I ripped myself from the LP). I bought the 33 1/3 album, I am entitled to a backup on another media. My personal reasons for any downloading of audio, specifically, is its unavailability through retail channels.
I keep picking up references to older stuff that has been dumped by the pop-bods many years ago and cannot be bought for love nor money. I may be breaking some law, but in these cases I do not feel a moral problem. If I could find the artist, in many cases I would even pay them the equiv. of the CD price directly. Perhaps the new business models that will have to be rolled out, either by the existing companies or new, will allow for the full back catalogues to be available to those of us willing to pay - and then my minor infractions can stop. Back closer to topic, networks. P2P is a bandwidth spiral as we all know - more broadband, more sharing. Will it ever slow down ? Not in our career lifetimes I think. Whether legal or not, content is going to be doing this merry-go-round for the foreseeable future, and the best we can hope for is to build and maintain the networks while it happens. Peter
Re: optics pricing (Re: Weird GigE Media Converter Behavior)
Lars Erik Gullerud wrote: Then there's always the option to implement something else. Hm, where can I order a CARP license again...? ... which is why I think I used VRRP as an example - ignore and replace as opposed to embrace and extend. In answer to Mark Borchers' point about the IETF draft mentioning reasonable and non-discriminatory, I have the reply from Cisco's dude (whose name I forget, but I think he reads NANOG) that offers me the license, on non-discriminatory terms, part of which is to never claim against Cisco for any patent I may hold. That's not reasonable to me. But hey. I only used VRRP as an example and by no means as the single only one. I like W3C's way of doing things, and not the IETF's for the moment - but I suppose the subject line should change to reflect a different area of discussion... still about the network operators' costs though. Peter
Re: Controls are ineffective without user cooperation
Stephen J. Wilcox wrote: 2) she only uses the pc for web browsing, if it gets infected there's no harm that can be done So how do you argue with that? I think we have to learn to explain to the normal people, without scaring them too much, that their PCs are part of a big online world whenever they are online - which is almost always in the world of broadband - and that even if they don't feel directly affected by Internet borne viruses, their PC can be turned to evil purposes without them knowing and that it is their duty to behave properly in this online world. Agreeing somewhat with Paul Vixie's earlier comment about learning to use the right analogies or not using them I am still going to try - because when we speak to these normal people, they need analogies to help them understand. So with that in mind; while you may not care while inside it if your car develops a fault and belches smoke and pollution everywhere, you should care because of those other folks on the road and roadside while you are driving it past - not to mention the additional costs in fuel and oil and so on - or in the PC sense, the whole machine can become sluggish and perform poorly when not well maintained as well as causing others grief. rgds, -- Peter
Re: Unplugging spamming PCs
Larry Pingree wrote: Can you suggest another method that would have more accuracy? I think it's ridiculous that every service on the internet is provided without any authentication and integrity services, if we allowed anyone to call from anywhere within the telephone network, you'd have rampant falsification, which is what we have today. It is these characteristics that have made the Internet work and grow the way it has. Your comment about the telephone network; Erm, that's just the way it works today - the AAA is in the SS7/C7/etc. layer, similar to BGP in IP. The problem being raised in this thread is too old to solve this way. If e-mail was regulated from early on, then it may have worked. Now there are too many ways to get around any regulations proposed. Anyhow, I don't want my e-mail correspondents vetted and approved by a (never neutral) third party. Peter
OT Re: Points on your Internet driver's license (was RE: Even you can be hacked)
Or, go see the movie Super Size Me - you might just give up McDonald's entirely, reducing your risk of burns from their overheated coffee. :) Haven't been in one in over 2 years - and not through any great principle, I just stopped. Odd how our tastes change with age ;-) Peter
Re: Cisco HFR
Eric Kuhnke wrote: Here it is, complete with OC-768 interface: http://www.cisco.com/en/US/products/ps5763/index.html Today's Financial Times in the UK carried a multi-page (1/3rd or so of each broadsheet page) series of ads for this platform. Ergh, the worst fluffy now you can do this marketing I have seen in quite a while. When will they learn that bigger, faster, harder is difficult to PR... Peter
Re: Barracuda Networks Spam Firewall
Eric A. Hall wrote: What's most interesting about the half-dozen accusations of xenophobia I've received (off-list and on) is that they've almost all come from foreigners. I promise not to read anything into that. Really. Could it be perhaps because us foreigners are conditioned by repeated exposure to the xenophobic attitudes of USofA patriots ? Peter
Re: Flash crowds and DOS on POTS
Richard Cox wrote: This is known as call-gapping and is not without some controversy. What Richard doesn't say - cause he's too polite - is that in the UK you can *buy* this service as a customer. Oh, I only want 1 in 20 calls to arrive please... This has started to die as more and more large call terminators (game shows, charities etc.) make money out of interconnect and non-geographic termination revenue. Now the objective is to terminate every call and keep the dumb pleb on hold as long as possible. Strange how I very rarely call a *sales* number now that is neither freephone or real geographic. I know, in the UK at least, that if the company has an 0870 (National Call Rate for non UK folks) sales number, then it is not in their interest to get me off hold quickly. The reason I say that is, historically at least, I recall that the provisioning of the network is different in different markets because of the economies of caller-pays vs. called-party-pays. Peter
Re: CiSCO IOS 12.* source code stolen
Alexei Roudnev wrote: Cisco source codes never were a top secret, many people around the world had access to them (and I believe, it explains Cisco's stability and success). ... and here is to hoping that Cisco don't try to use this incident, if it gets coverage outside a narrow readership, as a marketing exercise to blame coding error exploits on anyone but the company itself - unlike our friends in Redmond. Cisco have enough IPR to protect serious commercial exploitation of leaked code in other ways. Peter
Re: Cisco's Statement about IPR Claimed in draft-ietf-tcpm-tcpsecure
Todd Vierling wrote: With this and the patent funny business, I don't know if I can roll my eyes any further into the back of my head. I dunno, but perhaps there is a (new) policy of applying for a patent for every bug fix or code change in IOS - just in case the incompetent USPTO grants one in a thousand out of boredom. Peter
Re: TCP RST attack (the cause of all that MD5-o-rama)
E.B. Dreger wrote: I don't think we're even that far along. If I'm reading FreeBSD 4.9 and NetBSD 1.6.2 source correctly, /usr/src/sys/netinet/in_pcb.c Should have stretched as far as OpenBSD then. Same file. tells all. AFAIK, sequential search is about it. Try a port number, verify that the src/dist ip+port combination is available, then go on to the next lport if the guessed one is in use. As far as I can see - I have never read the code before, just the commit messages - the OpenBSD version does a circular, random search between high and low targets. Peter
Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)
Henry Yen wrote: s/most profitable company/convicted (and continuing) OS\browser monopolist/ Sadly the two are not incompatible it appears. If the rewards of breaking the law were normally so good, then most of us would be down at the local bank with a shotgun... actually, given the audience, no physical attendance would be expected. Peter
Re: SPAM Directly from ATT Data Networking
John Curran wrote: incidents from almost every router vendor on the planet (and simply don't buy from the ones that fail to correct the problem). Yep, that's the important one to me. Most of the time I don't really care when a brand makes a stupid mistake, what I judge the company on is then how they correct their mistake. Many in my personal experience (AMEX Orange in particular for me) fail to do anything and hope that you just go away. So I do. Oh, I then make sure anyone who asks for my opinion in that sector gets my real views. Peter
Re: Mailserver requirements
Charles Sprickman wrote: This is yet another misguided effort to semi-telepathically tell if a sender is suspicious. Personally, I see nothing odd about a largish operation having one set of servers accepting mail and another set exclusively acting as smtp relays for customer mail. People that choose to do the does it have an mx check are hopefully blocking some really large amount of legit mail with the spam, as I can think of dozens of reasons why someone might wish to have their inbound mxers separate from their outbound relays... A simple one would be that my outbound relays have queue and retry schedules different to my inbound SMTP listeners, which may more simply be configured for checking for SPAM etc. Also SMTP authentication for customers relaying may only be enabled on my outbound relays. Peter
Re: Spamhaus Exposed
Alexei Roudnev wrote: Of course, not - he is not from USA (more likely), the end. Why people believe, that this acts means ANYTHING? In Internet, they (acts) means NOTHING. Unless they live in a country that has a secret treaty with the US, like the UK has had for some years, where any US court can issue an arrest warrant for someone in the UK and have it honoured. Why do you think that FBI is even allowed to get involved in arresting 14 year old hackers in Cardiff ? OK, it isn't secret - since I know about it for a start - but the terms are secret and also it is very under-advertised to the locals. Wonder what other countries have sold their souls to Satan ? Peter
Re: Firewall opinions wanted please
Rachael Treu wrote: Guys...firewall is as generic a term as any. Saying grandma needs a router does not mean that an M20 is interchangeable with her Linksys. You're preaching to a list with people on it who invented the terms you are using *and* wrote the books. Stop lecturing and *listen*. Peter
Re: Spamhaus Exposed
[EMAIL PROTECTED] wrote: PS: Without Satan, there would be no Internet for you to express your considered opinions on. So the work at the University of London was just incidental ? Peter
Re: Spamhaus Exposed
Dave Howe wrote: cause - which is *not* true in reverse, or for any other country. Up until recently, the US authorities would have had to make a case for extradition and/or arrest to a UK judge before the local plod would even be informed that there was an interest in the kid Not that recent, I believe the original treaty (a touch one sided for a treaty) was signed in 1998. Peter
Re: US Extradition rights (was Re: Spamhaus Exposed)
Joshua Brady wrote: The Child you speak of caused destruction over a network, the same applied for the 2 hackers here who were sent over without even questioning the UK. If the US Government is Satan then I suppose I am going to hell, because I sure as hell support it. Do you support the converse, where some little s*** hacks my London network from some random US college ? At the moment, I have no recourse of any kind and the UK authorities have no power, and as a consequence, no interest. Peter
Re: Spamhaus Exposed
Laurence F. Sheldon, Jr. wrote: Peter Galbavy wrote: OK, it isn't secret - since I know about it for a start - but the terms are secret and also it is very under-advertised to the locals. Wonder what other countries have sold their souls to Satan ? How many dead soldiers from your country are buried here? A very sad, now old, and misused argument to justify (a lack of regard for) current global opinion about your home country. Peter
OpenBSD + new bgpd (Fw: cvs.openbsd.org: src)
For those interested in this sort of thing: (I glanced at the early code a while back, and like anything Henning has written, seemed clean and neat). Henning Brauer wrote: CVSROOT: /cvs Module name: src Changes by: [EMAIL PROTECTED] 2003/12/17 04:46:54 Added files: usr.sbin/bgpd : Makefile bgpd.c bgpd.h buffer.c config.c ensure.h imsg.c log.c mrt.c mrt.h parse.y rde.c rde.h rde_decide.c rde_prefix.c rde_rib.c session.c session.h Log message: welcome, bgpd started by me some time ago with moral support from theo, then proceeded up to the point where the session engine worked correctly. claudio jeker joined then and did a lot of work in the RDE. it is not particularly useful as application right now as parts are still missing but is imported to enable more people to work on it. status: BGP sessions get established fine, OPEN messages and then KEEPALIVEs exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and all connection drops etc I provoked get handled fine. Incoming UPDATE messages are parsed well and the data entered to the RIB, the decision process is not yet there, neither is outgoing UPDATEs or sync to the kernel routing table. not connected to the builds yet.
Re: Does your Certifying Authority have a clue who you are? Do they care?
Deepak Jain wrote: Is there a documented process for a new CA to get their certs approved/added or is it a clandestine process? You are in a twisty little maze of corporate back scratching, all political. Peter
Re: This may be stupid but..
[EMAIL PROTECTED] wrote: It's the same reason that I like to ask candidates to tell a story about some past event and how they, personally, dealt with it. If a candidate has had real personal experience of something then they will be able to tell me a story filled with detail. On the other hand, you sometimes get people who can only say we did this and we did that which leads you to believe that maybe the person was the NOC janitor or something. Also an excellent way of checking if your candidate cares about past employers' confidentiality. That is if you want to see someone bad-mouth a previous company. Peter
Re: This may be stupid but..
Eric Brunner-Williams in Portland Maine wrote: of my best hires (at sri, .5k hosts, circa 1987) were simply trainable. an english major (f) from reed, and a cs major (m) from a school that taught cobol as a modern language -- i hired him for his night job skills, managing an auto body shop, managing ordinary joes holding tools. My best hire, now one of my good friends, was someone who was on a teacher-training course but had to drop out due to a long term illness. She came to me recommended by my girlfriend-at-the-time as someone who would make a good office junior. She is now one of the best web/perl/sql coders I know. A willingness, nay - a NEED, to learn and be open to new concepts is what forward moving technology sectors (like ours I hope) need. Acronyms mean sh*t. When involved in any hiring process, I actively avoid CCIE/MCSE/etc. laden resumes. Mentioning once, fine. Using them like religious phrases is an indication of, well, stupidity. i'm recruiter-proof. i'm not sure i'd want anyone who wasn't. Aye. I have *never* used my CV/Resume in getting a job. I still have one, but it's very out of date. Peter
Re: Web hijacking by router - a new method of advertisement by Belkin
[EMAIL PROTECTED] wrote: How original of them! But for other router manufactures present on this list, make notice - DO NOT DO IT IN YOUR OWN PRODUCT EVER. I (and from newsgroups there appear to be many others with same opinion about it) do not want routers modifying my network packets without my knowledge about it and definitely not for marketing of your own products. Note, I am no legal professional here, but to looking forward to others being stupid; In the UK I am reasonably certain that this breaks a number of separate laws that no amount of EULA type small print can get around. For those interested, I suggest looking at the protection offered (assuming this product is sold to consumers in the first instance) the various Sale of Goods acts, UK and EU unfair terms in [consumer] contracts (but the small print says...), computer misuse act (modification of data without permission), data protection (leaked URLs) and I am sure many more. Now if only we had government departments that actually cared and helped lean on these types of idiot. I hope that the US - the largest single market for technology products I assume - has a similar bunch of useful [consumer] law. Peter
Re: cooling systems
Chris Lewis wrote: More intriguing is what has to be done at high arctic places (like little Ellesmere island, the northernmost mine in the world). Most of the vehicles are Toyota diesel pickups (winter weight fuel, you betcha!). They never shut the engines down. Except when they're indoors for an oil change. You foreigners are scary. As a UK resident, born in Oz many many years ago, I consider -10C to be very very cold. Peter
Re: ISPs' willingness to take action
[EMAIL PROTECTED] wrote: So, tell me--are you willing to pay a premium for unfiltered access to the Internet?:) Yes, that's why I don't use AOL. Peter
BGP RFCs and BCPs - query
Sorry, I know many are going to think I should go and scan rfc-index.txt etc., but there is no real better group of people to ask for definitive pointers. I am going to be *trying* to work on some (free) BGP code and stuff after I leave my day job (tomorrow!), and I will be spending my spare time in the next week or two reviewing the current RFCs - I am about 3 years out of date in addition to any normal memory loss. Can anyone (off list) point me at the current active list of BGP and related RFCs, primarily for IPv4 but v6 info is welcome. What of the experimental attributes etc. are actually not experimental nowadays and any indication of vendor support compatibility issues that may be published. I *will* be reviewing the rfc-index.txt files but these lists never give the real world picture IMHO. I can summarise (on or off) the list if there is interest. rgds, -- Peter
Re: A RR Wildcards and Stability
Daniel Karrenberg wrote: A contractor drills large holes in the central structural parts of a building to allow installation of their innovative garbage disposal. Civil engineers question the effects this has on the building's stability. The contractor's defense is: Well it is still standing! How much work did those tenants really have patching up the holes to reduce the air drafts and stop the crackling noises? Close :-) but a new garbage disposal in a building may still offer some benefits to the tenants. These wildcards did not. Keep 'em coming... Peter
Re: Kiss-o'-death packets?
Sean Donelan wrote: Should other protocols include the same feature? If someone sends you a Dynamic DNS update, could the protocol include a kiss-o'-death packet to tell clients to go away? If someone keeps probing your HTTP server, should HTTP include a kiss-o'-death packet to tell clients to go away? Erm, I can see a huge DoS hole waiting to happen to any protocol that doesn't in turn implement some sort of authentication of the server. The more protocols you allow to do this, the more potential for DoS of important (possibly) client information. Peter
Re: Kiss-o'-death packets?
Sean Donelan wrote: Uhm, you are also aware that if the attacker can spoof the kiss-o'-death packets; the same attacker could spoof all sorts of other packets including the time protocol packets to change the clock on your computer. Yes but... there is a strong likelihood that less paranoid protocol implementors (not necessarily designers, just those coding stuff from spec) could simplify their lives and not check all the right conditions required to filter unwanted stuff. Bye bye farm. Oh, this has happened already ? Now, where is that Windows Update icon again ... Peter
Re: Kiss-o'-death packets?
E.B. Dreger wrote: HTTP implementations have had vulnerabilities due to insufficient checking. Thus HTTP is a bad idea. SMTP implementations have had vulnerabilities due to insufficient checking. Thus SMTP is a bad idea. SNMP implementations have had vulnerabilities due to insufficient checking. Thus SNMP is a bad idea. Come to think of it, IP stacks have had vulnerabilities due to insufficient checking. IP is a bad idea, too. No, please do not twist my words; I referred to poor implementations of good ideas. Nowhere did I say that the protocol is bad as a result of poor implementations. Peter
Re: Removal of wildcard A records from .com and .net zones
Matt Levine wrote: So now you care about giving notice to the community? That didn't seem high on your priority list when you implemented it. The community I suspect that they are sensitive about is not NANOG etc. but the advertisers and the shareholders. Remember, Verisign is the effective monopigly (sic) issuer of certificates and the monopoly controller of the largest TLD. Their long term financial and political power is dependent on these - legitimate or corrupt applications aside. Having any external body (even a semi-legitimate one like ICANN) interfere will result in some real fallout for the power mongers... Peter
offlist: lucent springtide hitachi an-1000 experience(s)
Can anyone who is knowledgeable and possibly willing to help with these devices please contact me off list ? A colleague acquired a small number in a dot.com sale and they sound really cute / useful, but before even playing with them I would love to hear from anyone with warnings / tips / etc. Especially the BGP side (if these have that license - not checked yet). Peter
address harvesting analysis idea
While sitting here watching bad TV, I had a thought(tm). Has anyone set-up a generic web-page, not linked from anywhere useful, which autogenerates a contact e-mail address (like [EMAIL PROTECTED]) and logs which IP reads what address (even using the remote IP as the username to provide) and then waits for the address to be used for SPAM ? Is there any use in doing this (to try to identify who is harvesting) ? Maybe I should go and eat some food, cool my head down. Peter
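One way to build the trap described in the post above, as an added example that is not part of the original message: each page view gets an address whose local part encodes the reader's IP and the fetch time under an HMAC, so mail later sent to it can be traced to the harvesting fetch without keeping a lookup table. The domain, key, address layout and sample data are all constructed assumptions.

```python
import hashlib
import hmac
import ipaddress

TRAP_DOMAIN = "trap.example.invalid"  # assumption: domain that receives only trap mail
SECRET = b"constructed-demo-key"      # assumption: server-side key, never published


def _tag(payload, secret):
    """Truncated HMAC so nobody outside can mint or alter a valid trap address."""
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()[:12]


def make_trap_address(client_ip, seen_at, secret=SECRET):
    """Address to embed in the page served to client_ip at Unix time seen_at."""
    ip_hex = ipaddress.ip_address(client_ip).packed.hex()  # 8 hex chars v4, 32 v6
    payload = f"{ip_hex}.{seen_at:x}"
    return f"c.{payload}.{_tag(payload, secret)}@{TRAP_DOMAIN}"


def trace_recipient(address, secret=SECRET):
    """Return (harvester_ip, seen_at) for a genuine trap address, else None."""
    local, _, domain = address.lower().partition("@")
    parts = local.split(".")
    if domain != TRAP_DOMAIN or len(parts) != 4 or parts[0] != "c":
        return None
    _, ip_hex, ts_hex, tag = parts
    expected = _tag(f"{ip_hex}.{ts_hex}", secret)
    # Constant-time compare on bytes; rejects guessed or edited addresses.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    try:
        ip = ipaddress.ip_address(bytes.fromhex(ip_hex))
        return str(ip), int(ts_hex, 16)
    except ValueError:
        return None


def attribute_spam(deliveries, secret=SECRET):
    """Map harvester IP -> (messages received, shortest harvest-to-spam delay in s).

    deliveries is an iterable of (envelope_recipient, received_at) pairs taken
    from the trap domain's mail log.
    """
    hits = {}
    for rcpt, received_at in deliveries:
        traced = trace_recipient(rcpt, secret)
        if traced is None:
            continue  # dictionary guess or tampered address: says nothing about harvesting
        ip, seen_at = traced
        count, best = hits.get(ip, (0, None))
        lag = received_at - seen_at
        hits[ip] = (count + 1, lag if best is None else min(best, lag))
    return hits


def constructed_deliveries():
    """Constructed sample: three page fetches, of which two addresses get spammed."""
    quiet = make_trap_address("192.0.2.10", 1_000)      # fetched, never mailed
    v4 = make_trap_address("198.51.100.7", 2_000)
    v6 = make_trap_address("2001:db8::5", 3_000)
    forged = quiet.replace("c000020a", "c000020b")      # IP edited, tag now wrong
    return [
        (v4, 90_000),
        (v4.upper(), 95_000),                           # case-folded by a relay
        (v6, 200_000),
        ("sales@" + TRAP_DOMAIN, 91_000),               # dictionary guess
        (forged, 92_000),
    ]


if __name__ == "__main__":
    for ip, (count, lag) in sorted(attribute_spam(constructed_deliveries()).items()):
        print(f"{ip}: {count} message(s), first use {lag} s after harvest")
```
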
anyone from telia online
I need a little help with (what appears to be) an IGP issue within Telia's UK network. I am stuck in a twisty maze of little resellers. Any response would be appreciated. Peter
Re: Complaint of the week: Ebay abuse mail (slightly OT)
[EMAIL PROTECTED] wrote: And so we should do nothing? No, but neither should we plan on engineering a solution. As Neil says - and many know Neil and I generally disagree on principle about everything - a technical solution will never get rid of spam. It may reduce it for a time, but not for very long. The correct solution is to make spam uneconomic by some means, then it will slow down to a trickle, maybe. Peter
Re: North America not interested in IP V6
Roy wrote: This article seems to imply that North American networks don't care about IP V6 while the rest of the world is suffering great hardship http://www.msnbc.com/news/945119.asp PS. Please don't shoot the messenger Regardless of the content of the above, let me say that with the exception of the academic community (including those in commercial orgs) no one in Europe is interested either. Peter
PSI (UK/Europe) out ??
PSInet Europe (at least my hosted prefix - 146.101.245.xxx) has dropped off the 'net. Not visible via LINX etc. Anyone got any info ? I have been in a voice queue for 5 minutes and being asked to leave a message or hold further. I guess something is broken. rgds, -- Peter
Re: PSI (UK/Europe) out ??
Thorsten Toenges wrote: you're flapping too much :) I wish it were me, but we are not doing BGP at that site. Sigh. Thanks for looking. Still on hold - the usual recorded platitudes about 'experts' and 'you are important'. Peter
Re: PSI (UK/Europe) out ??
Martin Hepworth wrote: yeah seems to have a few min outage. came back very slow now OK again... Yep. Our net is now back. I will be interested in PSI's explanation of why a power failure at Telehouse (London) killed their LHC site. If anything interesting turns up, I will let NANOG know. Thanks for all the followups. Peter
Re: Remembering history passwords may be bad, but they are getting worse
Kevin Day wrote: The attacks we see now are... well orchestrated. 10-50,000 proxy servers all making login attempts at once, rather slowly. 10-50 login attempts per second, each from a different proxy. Still slow enough per IP that it doesn't hit our threshold for how many bad logins per IP per hour we allow, but enough attempts that just by trying seemingly random username/password combinations they get a couple of successes a day. We've also seen people trying what appear to be known good username/password combos that were presumably acquired from other sites that were compromised in some way. But, in turn, there are at least two distinct aims here; 1. Authorised access; people want free porn. 2. DoS; people object (either on principle or by competitors) to the service you provide, so they want to deny access to others or make it too expensive to run. Defending against one usually makes the other easier :( Peter
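The pattern quoted in the message above stays under a per-IP hourly limit, so the detection sketch below (an added example, not code from either poster) also counts failures per time window across all sources and flags windows where many failures are spread thinly over many addresses. The thresholds, event layout and constructed traffic are assumptions; real limits would come from the site's own baseline.

```python
from collections import defaultdict

PER_IP_HOURLY_LIMIT = 20     # assumption: the existing per-IP control
WINDOW = 60                  # seconds per aggregation bucket
MAX_FAILS_PER_WINDOW = 120   # assumption: well above normal site-wide failures
MIN_DISTINCT_IPS = 100       # assumption: "many sources"
MAX_FAILS_PER_IP = 3         # assumption: "each source is quiet"


def per_ip_offenders(events, limit=PER_IP_HOURLY_LIMIT):
    """IPs with more than `limit` failed logins inside one clock hour."""
    counts = defaultdict(int)
    for ts, ip, _user, ok in events:
        if not ok:
            counts[(ip, ts // 3600)] += 1
    return {ip for (ip, _hour), n in counts.items() if n > limit}


def distributed_windows(events, window=WINDOW, max_fails=MAX_FAILS_PER_WINDOW,
                        min_ips=MIN_DISTINCT_IPS, max_per_ip=MAX_FAILS_PER_IP):
    """Windows with many failures spread thinly over many source addresses.

    Returns a sorted list of (window_start, failures, distinct_ips, distinct_users).
    """
    buckets = defaultdict(lambda: {"fails": 0, "ips": set(), "users": set()})
    for ts, ip, user, ok in events:
        if ok:
            continue
        bucket = buckets[ts // window]
        bucket["fails"] += 1
        bucket["ips"].add(ip)
        bucket["users"].add(user)
    flagged = []
    for index in sorted(buckets):
        b = buckets[index]
        n_ips = len(b["ips"])
        if (b["fails"] >= max_fails and n_ips >= min_ips
                and b["fails"] / n_ips <= max_per_ip):
            flagged.append((index * window, b["fails"], n_ips, len(b["users"])))
    return flagged


def constructed_events():
    """Constructed traffic as (unix_ts, source_ip, username, success) tuples."""
    events = []
    # Background: 50 real users who mistype once, then log in five seconds later.
    for i in range(50):
        ip = f"192.0.2.{i}"
        events.append((i * 60, ip, f"user{i}", False))
        events.append((i * 60 + 5, ip, f"user{i}", True))
    # Distributed guessing: 20 attempts per second for 5 minutes from 3000
    # proxies, so every proxy makes only 2 attempts in total.
    for n in range(6000):
        proxy = n % 3000
        ip = f"10.{proxy // 256}.{proxy % 256}.1"
        events.append((600 + n // 20, ip, f"guess{n}", False))
    return events


if __name__ == "__main__":
    ev = constructed_events()
    print("per-IP limiter trips on:", sorted(per_ip_offenders(ev)) or "nothing")
    for start, fails, ips, users in distributed_windows(ev):
        print(f"t={start}: {fails} failures from {ips} IPs against {users} usernames")
```

Acting on a flagged window with a site-wide challenge or delay, instead of locking the guessed accounts, avoids turning the response into the denial of service the reply warns about.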
Re: User negligence?
ken emery wrote: I'm not sure what needs to be done, but the security as now implemented is not even close to enough IMHO. Networkwise (to bring this back on topic) I'm not sure there is really much that can be done. Don't forget the desperate need for user *and* staff education. I have now multiple times got calls from my bank asking to discuss my account. Could I just verify my details ? they asked. Er, you first, I said. They didn't get it. They didn't understand why, as someone who is lightly paranoid and understands more about security than they do, I was concerned that they couldn't prove they were from the bank... Peter
Re: Cisco Vulnerability Testing Results
Neil J. McRae wrote: How so unlike you to take an anti-establishment view! Not anti-establishment. I am far from an anarchist. I am anti-idiot. Peter
Re: Cisco Vulnerability Testing Results
Richard Irving wrote: David Kelly has been dispatched by Tony Blair, s/disp/desp/ You don't know quite how rife that rumour is over here at the moment. Peter
Re: Backbone Infrastructure and Secrecy
[EMAIL PROTECTED] wrote: I think London is rather more paranoid. I work in London and just on Monday I was stopped by police at Tower Hill tube station and searched for explosive paraphernalia as part of their programme of random searches. When I told people about this in the office, several others had stories about friends who had been detained or searched within the city for one reason or another. Maybe I don't look like a tourist ;-) but this doesn't happen to me ... OK, so as a fat geek in shorts and a t-shirt I look mostly harmless. I don't believe that it would be as easy as you say for someone to open manholes, cut cables (very thick cables of glass and tough plastics), then run on to the next location. Certainly, in London, anything like this would be picked up on CCTV and the police would be rapidly dispatched to investigate. Hmm. I have direct evidence (of my own eyes) to the contrary. No one cares. Luckily, in this case, those who had the manhole covers up were 'borrowing' some ducting from one side of the road to the other. Does anyone from the Goodge St. area recall ? I know the one person at least is on the mailing list :) Yes, the single points of failure abound, but getting access to them for evil purposes is not as easy as it looks. Until it happens. Peter
Re: Backbone Infrastructure and Secrecy
Gil Levi wrote: While it is impossible to stop someone (a terrorist) from cutting fiber, it is possible to limit his ability to do damage. It is possible to create alternative routes to be used in such cases. Then while the primary route may be down, the alternate route will be used and no terrorist should be able to locate the alternative route since this is something known only to the telecom carrier and is definitely not public knowledge. While this is not new to anyone, what is new is I am sure you have direct experience of networks that work like this. I have direct experience of the opposite. I am sure there is a whole bell curve distribution from bad to good - and sadly the point the bell curve tries to make is that most occurrences are in the middle... Peter
Re: Backbone Infrastructure and Secrecy
E.B. Dreger wrote: Perhaps some security measures have a different purpose -- as you say, LOOKS great (emphasis added). Just like 99% of all recent airport security measures... reassure the sheep, then they might stop bleating and march to order instead. Baauy McDonalds, Bauy Gas, Bauy SUV. This is OT. Obviously. Peter
Re: Backbone Infrastructure and Secrecy
[EMAIL PROTECTED] wrote: However we can work to spread out the infrastructure more so that it is harder for terrorists to find a single point of failure to attack. If they have to coordinate an attack on 3 or 4 locations, there is an increased probability that something will go wrong (as on 9/11) and one or more of their targets will escape total destruction. I hate to be a doom sayer, but any chump with a couple of tools and rudimentary knowledge can lift manholes, cut cables and jump to another location in minutes. No amount of diversity could defend against a concerted attack like that unless you start installing very special low-level routes away from street level into many many buildings. Maybe you guys in the US are historically more paranoid, but London is just covered in single points of major failure for telecoms. Protecting the switching centres (IP or voice) looks great, but walk a few hundred feet and all semblance of physical security breaks. Peter
Re: Country of Origin for Malicious Attacks
Jamie Reid wrote: I'd be interested in knowing how linking aggregated attack information to country of origin is actually valuable relative to our ability to respond to it. It mostly salves the prejudices of those who want to see certain other countries as the enemy. My view, as most of this stuff advertises US based 'products and services' (generous description), it should really be a case of 'follow the money' as per previous thread. Peter
Re: companies like microsoft and telia...
Paul Vixie wrote: consider microsoft-yahoo-aol's big fad of the moment which is suing spammers and blaming asia. the number one (#1) contributor to spam And then: http://news.bbc.co.uk/1/hi/business/3020566.stm Not in that report, but on TV last night a M$ spokedroid was quoted as saying something like ... if Mr. Grainger offers definitive proof he is innocent, we will drop the action. Erm, I thought that both the US and the UK subscribed to a doctrine of burden-of-proof on the accuser ? Peter
Re: companies like microsoft and telia...
Kevin Oberman wrote: You confuse civil and criminal law. Always happy to learn. I hope M$ get very very embarrassed in open court if this makes it that far. Pot calling the milk bottle black. Peter
Re: companies like microsoft and telia...
Fearghas McKay wrote: ... Scotland has its own separate legal system that is based on Roman law. But that's OK - no one wants to go there anyway, eh Fearghas and Neil ? Look, even most of the UK cabinet have left to be corrupt in London instead... :-) - for the humour impaired from north of the border. Peter
Re: Spammers use Trojans
Dan Hollis wrote: law enforcement seems to be much more interested in prosecuting hard to trace underage script kiddies, than it does prosecuting easily traceable adult porn spammers who trojan 1000's of people's machines. I suspect that the latter can pay for 'lobbying' better. Cough. Peter
Re: Rescheduled: P2P file sharing national security and personal security risks
Stephen J. Wilcox wrote: Hmm where do you draw the line.. peer2peer file sharing, MS Networking, SMTP, telephones, snail mail, visiting foreign countries, meeting people at all.. ? I am a very very poor student of history (my secondary school only offered a strange variety that I never paid attention to) but I recently have come to associate in my mind the current US (and UK) administrations to the distant TV-based views of the 1950s in the US, when accusations of 'anti-americanism' or being a communist meant the administration waived your constitutional rights for you - just now the accusations are either 'terrorism' or 'anti-globalism' (to grasp at a poor analogy). The problem - to try to steer this bus back onto topic - is the sheer amount of self-policing that the powers-that-want-to-be want us to do. Or it becomes our fault. Peter
Re: Rescheduled: P2P file sharing national security and personal security risks
Neil J. McRae wrote: The problem - to try to steer this bus back onto topic - is the sheer amount of self-policing that the powers-that-want-to-be want us to do. Or it becomes our fault. Who should do the policing then Peter? The police ? From a viewpoint in the UK, the real police (as in the ones doing the work - not the management) are getting more and more frustrated, they have been reported as saying, at the increasing level of work they are expected to do following the continual implementation of new legislation. I am sure that police forces around the world have similar viewpoints. One of the parts of the process of introducing new criminal law should (nay - must be) a consideration for how it is going to be actually implemented on a day-to-day basis. Pouring money into the bottomless pit that is any civil service project (the police included) very rarely solves the underlying problems. Perhaps more thought is required by the legislators before they pass new acts ? By trying to get around this and requiring soft targets, such as under-represented (OK - under-lobbied to be accurate) industry segments like ISPs, to do this work 'unpaid' is a way of making the politicians look competent and make any self-policed industry look bad when something is missed or goes wrong. rgds, -- Peter
Re: Rescheduled: P2P file sharing national security and personal security risks
Sean Donelan wrote: Except this is not self-policing. ISPs are not being asked to police what ISPs do. For the most part ISPs don't attack their customer's (or anyone else's) computers. Remember, the traffic generally flows THROUGH the ISP's network, it doesn't come FROM the ISP. OK - my mis-wording. You have expressed what I meant. Yet another analogy, it's a bit like asking grocery stores to self-police their customer's eating habits. Should grocery stores be responsible that the public only buys healthy food or holding the grocery store liable for the hospital bills when customers buy junk food. ISPs generally exert even less control over their customers than a grocery store, and don't have double coupons. My turn - grocery stores can police much better than ISPs - they just do not stock products that are classified as 'bad' by some established standard. This sort of happens in the Internet, with prefix filters, routeing registries etc. but I see your point. Most ISPs don't police (or self-police) their customers' use of the Internet. Like a grocery store, if a customer is harassing other customers, the grocery store may ask them not to come back. But generally the customer just moves on to another grocery store. It's up to the police to arrest people engaged in criminal activity. The grocery store analogy breaks down and we are back to the tired old 'highway' nonsense. This is more like the 'public spirited' induhviduals (sic) that block lanes to prevent others 'speeding' - or rather requiring property owners to perform this task on the parts of the road that run past their turf. Which is scarier. Peter
Re: AC/AC power conversion for datacenters
Matthew Zito wrote: This is marginally related to the power discussions earlier, but does anyone know of a product that steps up 120V AC to 220V AC and is reasonably datacenter-friendly? We're looking at an environment where there's no 220V available - but we only need ~7 amps so conversion could be possible to my high-school-physics mind. I've found some products that seem to be appropriate, but they're geared towards a more industrial purpose. Is there a rackmount 120-220V converter that people out there have used and would recommend? My suggestion, which I have never tried, is to get a UPS with the right wattage and that supports 240V out but variable (90V-300V) input. Just a thought. PS Please don't make the mistake that a certain US supplier made with kit shipped to UK and specify 16A connectors which required special wiring (over standard 13A in the UK) as at 240V the current is lower by 240/110 :) Measure watts, not amps. Unless you have a weird PSU of course. Peter
Re: State Super-DMCA Too True
Jack Bates wrote: Please see Sapphire worm. Then tell me that an ISP doesn't oversell services. The fact is, the entire Internet is oversold. If everyone did their full capacity, it would crash. DSL is also based on this assumption. Most of the providers selling DSL at the cheap rates are Er, isn't that the fundamental difference between IP and fixed-bandwidth voice ? I have spent any number of years trying to 'educate' old guard telco management and planners that one of the key economic benefits of the Internet over old fashioned private networks is that the sharing of capacity actually works 99.99% of the time... Too many telcos came into this market and sold 'no overbooking' QOS and then wondered why so few bought their overpriced services compared to the new (also going bust now) network operators ? Peter
Fw: Freedom to Tinker: Use a Firewall, Go to Jail
From another mailing list; Not being from the US, I have very little idea if this is a reality based simply on this story... - Original Message - From: Dave Feustel [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, March 28, 2003 1:31 PM Subject: Freedom to Tinker: Use a Firewall, Go to Jail Use a Firewall, Go to Jail The states of Massachusetts and Texas are preparing to consider bills that apparently are intended to extend the national Digital Millennium Copyright Act. (TX bill; MA bill) The bills are obviously related to each other somehow, since they are textually similar. Here is one example of the far-reaching harmful effects of these bills. Both bills would flatly ban the possession, sale, or use of technologies that conceal from a communication service provider ... the existence or place of origin or destination of any communication. Your ISP is a communication service provider, so anything that concealed the origin or destination of any communication from your ISP would be illegal -- with no exceptions. http://www.freedom-to-tinker.com/archives/000336.html
Re: Freedom to Tinker: Use a Firewall, Go to Jail
Not being from the US, I have very little idea if this is a reality based simply on this story... And having left a couple of unread messages in my nanog folder, I noticed this was raised in another thread. Apologies for double posting. Peter
different use of a backhoe
http://news.bbc.co.uk/1/hi/england/2879833.stm Peter
Re: Issue with 208.192.0.0/8 - 208.196.93.0/24?
Stephen J. Wilcox [EMAIL PROTECTED] wrote: posts. Perhaps clueful folk should sneak off and form nanog-clueful mailing list ;) S they'll all want one. Peter
Re: 69/8...this sucks -- Centralizing filtering..
If all routes in the routing table are good (which soBGP and S-BGP can do for you) and routers filter based on the contents of the routing table, hosts will not see any bogon packets except locally generated ones so they shouldn't have bogon filters of their own. So this will indeed solve the problem for these people. I believe you are confusing authentication with authorisation. Having authentic routes does not imply that all the traffic will be 'correct'. Various networks will always fail to filter customer traffic at ingress etc. and then source address spoofing becomes trivial. Peter
Re: UK ISPs not cooperating with law enforcement
The issue at the core is whether ISPs should just roll over and cough up anything to law enforcement, any time, without valid warrants. I am sure that such a cosmopolitan bunch as NANOG will also understand that EU Data Protection laws give people quite a big comeback when they find someone has not treated their personal information in the way they are entitled to expect. While the US may be the litigious society in truth, we are catching up quite fast here on this front... Policy was, many years ago, when we were 'all' at Demon that we would *never* hand out any logs until there was a court order. Period. At that point we would roll over and stick our paws in the air... subtle hints from the police and others were met with this policy. Of course, the RIP Act brings big brother truly to life now. If only the civil service would stop infighting long enough to implement it ;-) Peter
Re: 923 Mbps across the Ocean ...
Dave Israel wrote: There's no real science here. This is a geek publicity stunt. s/geek/funding/ Peter
Re: Abstract of proposed Internet Draft for Best Current Practice (please comment)
McBurnett, Jim wrote: To be blunt: It seems that your opinion is: If a company wants to dump trash in my email account and they are able to find an ISP who is so blindly just taking a payment and cares less about what who they provide service to, so be it, I don't care. I did not even know that's what the proposal was about - I did say I objected to the whole having not even read it - simply because of the holier-than-thou wording of that specific paragraph. Well to that sir, I say this: In the United States capitalism is a way of life, but YOUR freedoms only extend to the point at which they impeach upon MY freedoms, at which point you and every SPAMMER out there IS WRONG. I have sent several letters as of recent to my congressional representatives with the points that a business cannot and should allow their services to be used to force feed me unsolicited email. And that any provider that does may be fined... Why do many - especially the uneducated and ignorant ones I suppose ? - assume that everyone lives under US jurisdiction ? I dislike SPAM, I have my own tools to fight SPAM and I have been doing it for quite some time thanks. When some meta-literate comes along telling me that their proposal is perfection and that anyone not believing their preaching is the enemy, I get annoyed. Live with it. Peter
LINX problem ?
Not as well connected as I once was and so I can only try from a couple of upstreams, but I have lost all LINX transit traffic... www.linx.net is also failing - which is not a good sign. Anyone know different or better ? Peter
Re: SPEWS?
But then there are the whackos like SpamCop who just ignore every mail you send them anyway. i.e. My company set up the RIPE LIR for the UK company 'III' many years ago. I was listed as a contact for a while, then when we stopped providing services I removed my contact from the RIPE records. I am regularly getting SpamCop alerts that I am a spammer - from an obviously out of date copy of the RIPE database (which breaches RIPE copyright anyhow). But will they respond to any e-mail ? Hell no. What makes me laugh more is that SpamAssassin labels SpamCop alerts as spam and they get dumped in my SPAM catch mailbox. Almost cute. Peter
Re: packet reordering at exchange points
Note that the previous example was about end to end systems achieving line rate across a continent, nothing about routers was mentioned. Fair enough - for that I can see the point. Maybe I need to read more though :) Peter