RE: US slaps fine on company blocking VoIP

2005-03-05 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Robert Blayzor
> Sent: March 4, 2005 9:02 PM
> To: Bill Nash
> Cc: [EMAIL PROTECTED]
> Subject: Re: US slaps fine on company blocking VoIP
> 
> 
> 
> Bill Nash wrote:
> > At the root of it, it's deliberate anti-competitive behavior, and 
> > that's what the fine is for. I'm generally fine to have the government 
> > stay out of the internet as much as possible, but this move was the 
> > correct one, as it was on behalf of the end consumer. It's not the 
> > choice of port blocking that matters, it's the intent.
> 
> 
> Wait a minute, since when is the Internet service I provide 
> regulated by ANY entity?  It's not, therefore I can run the 
> network any way I see fit.  If customers don't like it, they 
> can choose another ISP; if they can't choose another ISP, not 
> my problem, I'm not a regulated entity, you get my service or 
> none at all.
> 
> While I don't run my network with that attitude, I certainly 
> have the right to.

You do? Since when do you (or any ISP, which is fundamentally a corporation
like any other) have an exemption to antitrust, fair competition, and every
other law regulating business practices?

Just because you don't have a regulator setting prices and/or quality
standards for your product, like you have in all kinds of sectors (ranging
from electricity to automobiles to just about everything), does not mean you
are free to run your business "any way you see fit".

While you're at it, why not say that since you're an unregulated business
that can "run your network any way [you] like", you can prioritize traffic
from customers of one ethnic group rather than another? In most sane
jurisdictions, a court would tell you that everybody using your "Whatever"
service and paying you $Y/month for it must get the same quality of service
whether they have black or white skin.

Would you scream on NANOG about that, too, and claim that your right to run
your network any way you see fit is denied? 

And guess what, to get back to this issue? Ask an antitrust lawyer. If
company A has a quasi-monopoly (or is dominant) in product X, and company A
and B both provide product Y, which requires product X (at least for company
B's product Y to work), and company A deliberately acts to make sure that
company B's product Y cannot work with the product X from company A, they're
eventually going to get in trouble. That's the situation here. You need IP
transit to do VoIP. Some company with a dominant position in IP transit that
also provides phone service is preventing somebody else's VoIP service from
working with their IP transit to protect their own phone service business.
That, under most reasonable fair competition statutes, would be prohibited.
"Regulated" industry or not.

Vivien 
(as always, speaking for myself, not any organizations that may appear in
the headers)



RE: Email Complexes

2004-09-14 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of [EMAIL PROTECTED]
> Sent: September 14, 2004 5:47 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: Email Complexes
> 
> 
> 
> Fantastic.  Call the providers, purchase an account and let's 
> be done with this thread.

I hate to state the obvious, but at least two of the providers on his list
were other cable companies. Given that cable companies don't generally sell
standalone POP3 service without some home/small-biz cable modem service, how
exactly do you propose purchasing an account at a cable company that doesn't
serve your area (I'm assuming that Charter's HQ/datacenter/etc is in a
territory it, and not another company, serves...) and actually using said
account?

Vivien



RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of David Schwartz
> Sent: April 19, 2004 12:57 PM
> To: 'Dr. Jeffrey Race'
> Cc: [EMAIL PROTECTED]
> Subject: RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)
> 
> 
> > Firstly, who enforces it? The reason it "works" with cars is that the 
> > state (or province for those of us north of the border) effectively 
> > says "you can't drive a car without this lovely piece of paper/plastic 
> > that we'll give you" and "if we find you driving a car without the 
> > lovely piece of paper/plastic, you're going to be in serious trouble". 
> > Are you proposing that each jurisdiction that currently licences 
> > drivers also licence Internet users and tell ISPs "sorry, but if they 
> > don't give their licence, you can't give them an account"?
> 
>   That's not a problem. The state licenses drivers but it 
> also owns the roads.

Yes... And the state doesn't own the Internet, and can't SEE the Internet
(or its component networks). How does it enforce who uses it?

> > Secondly, HOW do you enforce it? Motor vehicles only require a licence 
> > to be operated on public roads in all jurisdictions I'm aware of. 
> > IANAL, but if some 14 year old kid without a licence wants to drive 
> > around on his parents' private property, that is not illegal.
> 
>   So? If you want to mess around on your private network, 
> I don't care either.

And exactly how do you separate public and private networks, from the point
of view of law enforcement? In the driving world, public roads are easy
enough to enforce things on... 

Besides, there are no [major] public networks, if by public, you mean
taxpayer-owned... If you mean publicly accessible, that's another story, of
course... 

> > Now, the instant that
> > vehicle leaves
> > the private property, it's another story (assuming, of course, cops 
> > around to check licences. In some jurisdictions, this is more true 
> > than in others).
> 
>   Exactly. You want to go on someone else's roads, you do 
> so only by their rules.

But my point is, they can SEE you. If I drive out on the roads of whatever
state/province/municipality/etc, their authorized agents (read: cops) can
SEE me and stop me. Try and do that with my IP packets. You try and track
the IP packet that you are getting from my machine to me as a human... Sure,
you can do it, if you have an army of lawyers in a bunch of jurisdictions,
but it's not like the cop who sees a moron driving badly and just pulls them
over, at which point they HAVE the moron in their hands... You can have my
packets going around into your network without having physical access to me,
but you CAN'T have my car driving around (unless I'm not driving it :P) in
your roads without me being in it. 

So, how do you ask my packets for my computer licence?

> > My point is, driving is ONLY regulated when it is done in public view, 
> > for obvious reasons. Computer use is an inherently private activity, 
> > so how do you propose to verify that the person using a computer is in 
> > fact licenced? Mandatory webcams? :P
> 
>   So you can drive however you want on *my* driveway? 
> That's not public view, is it? If there were only private roads, 
> I'll bet you that private road owners would have come up with 
> a licensing system quite similar to what we have today, for 
> liability reasons if nothing else. You might also notice that 
> you can't get liability insurance without a license even 
> though that insurance is issued privately, and there aren't 
> many road owners who let you drive on their roads without insurance.

If I drive on YOUR driveway without a licence, assuming I can GET to your
driveway without driving on a public road (e.g. someone with a licence
drives me to your driveway), I'm guilty of trespassing on your property,
but I don't think I'm guilty of driving without a licence. 

And why would any insurer insure somebody without a licence? Sounds to me
like financial suicide, assuming driver licencing actually DOES keep morons
off roads...

> > Thirdly, WHO do you enforce it against? It's pretty difficult (and 
> > illegal) for $RANDOM_JOE (or $RANDOM_KID, etc) to just go out and 
> > drive someone's car
> > without their explicit knowledge and permission. (Okay, so you
> > can hotwire a
> > car, but...) It's very easy for someone other than the computer
> > owner or ISP
> > contractholder to have access to it and abuse it and stuff.
> 
>   I'm not sure I understand why you think this is so. My 
> kids know that my computer is off-limits to them just like 
> they know my car is off-limits to them. They are physically 
> capable of obtaining access to either without my permission.

You're an IT professional. This isn't about you. This is about the random
family with the "family computer" that everybody installs random crapware
onto in the kitchen or den. Does the same apply in that situ

RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Dr. Jeffrey Race
> Sent: April 19, 2004 9:11 AM
> To: Jeffrey Race
> Cc: [EMAIL PROTECTED]
> Subject: Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)
> 
> 
> 
> On Mon, 19 Apr 2004 06:12:16 -0400, Chris Brenton wrote:
> 
> > An uneducated
> >end user is not something you can fix with a service pack.
> 
> 
> A profound point, again highlighting the fact that there
> are no technical solutions to this problem.  (Though
> technical measures to enhance traceability are a big help.)
> 
> So, the logical inference is training and licensing to
> get internet access.   When I was 16 in Connecticut many
> many years ago, we had to take a driver-training course
> (given by a policeman) to get a driver's license.
> 
> I see no discussion about this approach, here or elsewhere.

Well, there are a number of problems with this.

Firstly, who enforces it? The reason it "works" with cars is that the state
(or province for those of us north of the border) effectively says "you
can't drive a car without this lovely piece of paper/plastic that we'll give
you" and "if we find you driving a car without the lovely piece of
paper/plastic, you're going to be in serious trouble". Are you proposing
that each jurisdiction that currently licences drivers also licence Internet
users and tell ISPs "sorry, but if they don't give their licence, you can't
give them an account"?

Secondly, HOW do you enforce it? Motor vehicles only require a licence to be
operated on public roads in all jurisdictions I'm aware of. IANAL, but if
some 14 year old kid without a licence wants to drive around on his parents'
private property, that is not illegal. Now, the instant that vehicle leaves
the private property, it's another story (assuming, of course, cops around
to check licences. In some jurisdictions, this is more true than in others).
My point is, driving is ONLY regulated when it is done in public view, for
obvious reasons. Computer use is an inherently private activity, so how do
you propose to verify that the person using a computer is in fact licenced?
Mandatory webcams? :P

Thirdly, WHO do you enforce it against? It's pretty difficult (and illegal)
for $RANDOM_JOE (or $RANDOM_KID, etc) to just go out and drive someone's car
without their explicit knowledge and permission. (Okay, so you can hotwire a
car, but...) It's very easy for someone other than the computer owner or ISP
contractholder to have access to it and abuse it and stuff. So what do you
propose? Mandatory cardreaders on all computers? Fingerprint scanners
integrated into keyboards? How else can you avoid Mom logging online, and
then letting the unlicenced kids roam free online, allegedly to do "research
for school"? Do you want to fine/jail/etc Mom if the kids download a trojan
somewhere?

Fourthly, as someone pointed out, the first generation always complains. I
hate to show how young I probably am compared to many on this list, but my
jurisdiction introduced graduated driver's licencing a few years before I
was old enough to get a driver's licence, and it angers me that the random
guy who's out on the road driving like a moron had to go through way less
bureaucracy, road tests, etc than me simply because he was born ten years
before me. That said, if no reforms are made to make this system stricter,
I'm sure the next generation won't see this system as an outrage simply
because they won't remember an era when the bureaucracy.
Currently, people can buy computers/Internet access/etc unregulated at the
random store down the street. You're proposing that some regulatory
authority require licencing... Why should these voters accept it? Especially
since, unlike with cars, the damage done by poorly-operated computers is
rather hard to explain to a technologically-unskilled person. Most would
respond something like "well, it's not my fault some criminal wrote a
virus/exploit/whatever. Put that person in jail, and let me mind my own
business." Good luck educating them on the fallacies in that statement.

Fact is, until home computer security issues result in a pile of bloody
bodies to show on CNN, no one in the general public and/or the legislative
branches of government has any incentive to care... 

Vivien



RE: Lazy network operators

2004-04-14 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Stephen J. Wilcox
> Sent: April 14, 2004 9:59 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: Lazy network operators
> 
> 
> 
> On Wed, 14 Apr 2004, [EMAIL PROTECTED] wrote:
> 
> > > Not being happy with the ISP's smarthost is not justification to run 
> > > your own;  you should change ISPs.. assuming we implement this 
> > > locked
> > 
> > That's a super idea.  Now explain how that works when you have access 
> > to only a single broadband provider.  If you already thought of this 
> > scenario, you're seriously underestimating the number of people in 
> > this situation.
> 
> In my example I suggested that there would be tiers of 
> service, for an extra fee 
> they would give you a service where you could run your smarthost.

I don't know how they do it in the UK, but in many North American places,
the random large corporation providing high-speed residential/small-biz
services don't WANT to offer tiered services. Oh, sure, they have a few
tiers that differ on speed (and sometimes monthly bandwidth restrictions),
but that's it, and that's all they want to do. These providers like
providing the same thing to everybody (for example, if you get X POP3
accounts with your service, and you need X+1, they will NOT sell you an
extra POP3 for $2/month or whatever), because it reduces cost, and they do
NOT give a damn about the technologically-skilled user who wants to run
their own small-scale $PROTOCOL server, etc. It's not a matter of "give us
$Y and we'll do/let you do it", it's a "you can't do that. End of story."
from their outsourced tech support guy.

The "go elsewhere" argument against big impersonal ISPs that aren't able to
match your needs isn't workable for many people, as was pointed out. For
some people, the best solution is to buy IP connectivity from the big ISP,
avoid using any of their other services (yes, I have fetchmail download mail
from my POP3 at my ISP, but do I _use_ that account for anything? Obviously
not), and do your own thing. If you advocate restricting this IP
connectivity further, then you're screwing such people over, and possibly
creating a big market for people on Mr. Vixie's list of colo providers...

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic Network Services, Inc.
http://www.dyndns.org/ 



RE: who offers cheap (personal) 1U colo?

2004-03-15 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Andrew Dorsett
> Sent: March 15, 2004 11:17 PM
> To: John Kristoff
> Cc: [EMAIL PROTECTED]
> Subject: Re: who offers cheap (personal) 1U colo?
> 
> 
> 
> I'm not referring to the time required to implement.  I'm 
> talking about the time it takes for the user.  On the user 
> end.  Let's do some simple math.  Let's say I turn on my laptop 
> before I shower, I power it down during the day while I'm in 
> class and I turn it back on when I get home in the evening.  
> This means two logins per day.  Let's say that the login 
> process is very rapid and takes 30 seconds.  This is a whole 
> minute per day required to login.  Now multiply this by a 
> month and you've wasted 30 minutes of my time.  I coulda 
> spent that time watching TV or heaven forbid, doing homework. 
> :)  My big thing is that often users are the one who are 
> paying the price and spending the time.  I think either 
> system (the mac-ip lookup or the user auth) system could be 
> created in a week using C++ or perl.  This week of 
> development is nothing in the long run when compared to the 
> amount of time it now costs the users.  Come on, how many 
> users save their mail passwords so they don't have to type it 
> in every time?  What about your dialup password?  Too bad I 
> can't automate the web logins.

You must be talking about a different Netreg system than the one everyone
else has used. The one we're talking about involves you logging in when you
connect with an unknown MAC - once you've used the system to match your MAC
to your student number/login/etc, then the DHCP server will give you a real
IP the next time you request a lease...

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic Network Services, Inc.
http://www.dyndns.org/ 



RE: who offers cheap (personal) 1U colo?

2004-03-14 Thread Vivien M.

> -Original Message-
> From: Suresh Ramasubramanian [mailto:[EMAIL PROTECTED] 
> Sent: March 14, 2004 10:16 PM
> To: Andrew Dorsett
> Cc: Vivien M.; 'North American Noise and Off-topic Gripes'
> Subject: Re: who offers cheap (personal) 1U colo?
> 
> And what is wrong with setting up a hub or something in a 
> dormroom?  I 
> find it quite convenient to leave both my PC and a laptop 
> running on my 
> desk, for various reasons (too many open terminals and 
> windows is one of 
> them ...)

Nothing wrong with it as far as I'm concerned, but IT departments in
post-secondary institutions seem/seemed to have a problem with it, for some
reason. Perhaps they just figure that two machines means increased potential
for abuse (since presumably two people could use the port simultaneously)?

Vivien

P.S. I do the same thing you do...
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic Network Services, Inc.
http://www.dyndns.org/ 



RE: who offers cheap (personal) 1U colo?

2004-03-14 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Brian Bruns
> Sent: March 14, 2004 5:19 PM
> To: [EMAIL PROTECTED]
> Subject: Re: who offers cheap (personal) 1U colo?
> 
> 
> Hm, are there companies out there that offer outbound SMTP 
> services (for people who are blocked, or which need a mail 
> server that's not blacklisted because their provider isn't 
> dealing with spam problems)?  I never really looked into too 
> much, but I haven't seen it offered on provider's sites outright.

Have you been looking at providers in the right industry? Such services are
usually offered as addons by people who sell DNS services (especially
dynamic DNS) and other such things designed to make it easier for people to
run their own servers. They do exist, and as was pointed out earlier in this
discussion, cost much less than the 1U colo alternative. We do it, and I
know at least one or two others in our industry do...

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic Network Services, Inc.
http://www.dyndns.org/ 



RE: who offers cheap (personal) 1U colo?

2004-03-14 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Andrew Dorsett
> Sent: March 14, 2004 1:29 AM
> To: North American Noise and Off-topic Gripes
> Subject: Re: who offers cheap (personal) 1U colo? 
> 
> 
> This is a topic I get very soap-boxish about.  I have too 
> many problems with providers who don't understand the college 
> student market.  I can think of one university who requires 
> students to login through a web portal before giving them a 
> routable address.  This is such a waste of time for both 
> parties.  Sure it makes tracking down the abusers much 
> easier, but is it worth the time and effort to manage?  This 
> is a very legitimate idea for public portals in common areas, 
> but not in dorm rooms. In a dorm room situation or an 
> apartment situation, you again know the physical port the 
> DHCP request came in on.  You then know which room that port 
> is connected to and you therefore have a general idea of who 
> the abuser is.  So what's the big deal if you turn off the 
> ports to the room until the users complain and the problem is 
> resolved?

Actually, you're forgetting what I think is the biggest reason for doing
this: before the user registers via the web-based DHCP thing, they are shown
the AUP and have to say they agree to it. If you just leave straight IP
connections available in rooms, and people violate the AUP, they can QUITE
credibly argue "But I never read this AUP". The web-based DHCP registration
system prevents that.

Other advantages would be
A) It prevents students (or at least, all but the most clueful) from taking
multiple IPs and having hubs and such in their rooms
B) It makes it very easy to track what MAC address/IP address is which
person, as you yourself admitted. Sure, this system requires a bit of effort
to set up initially (though I think open source implementations are easily
available), but afterwards, you don't need to have your most clueful network
engineer dig through to try and figure out which room is what IP. If you
lower the clue level required to operate an abuse desk, I would argue you
improve its efficiency in many cases...
C) It avoids issues of changing ports. Let's say I'm in room 101, and my
friend Bob is in room 102. I take my laptop to Bob's room and plug it into
the network and go and do something dumb... If you hunt down my MAC address
to a particular port, it looks like Bob is the AUP violator. If you have a
registration system, you know that this MAC address belongs to me, not Bob. 

Oh, and what about wireless networks? I have my nice 802.11b card, how do
you propose to track that without MAC registration (or hackish VPN systems,
which are also deployed in some campuses)?

[Note: most of the argument above assumes that people are not clueful enough
to change their MAC address, of course... And I would argue that most
college students are too busy getting drunk or saturating networks with P2P
software to figure this out]

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic Network Services, Inc.
http://www.dyndns.org/ 
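
The registration flow described in this message and in the 2004-03-15 message earlier on this page, as an added example that is not from the thread or from any NetReg implementation: an unknown MAC gets a quarantine lease, registration requires accepting the AUP, and an abuse lookup is resolved by registration instead of by switch port. The class, pools, port names and users are constructed for illustration.

```python
"""Toy model of a NetReg-style registration gate in front of DHCP (constructed example)."""
import ipaddress
from dataclasses import dataclass


def normalize_mac(mac: str) -> str:
    """Canonicalise 'AA-BB-..', 'aabb.ccdd.eeff' or 'aa:bb:..' to 'aa:bb:cc:dd:ee:ff'."""
    raw = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(raw) != 12 or any(c not in "0123456789abcdef" for c in raw):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Lease:
    mac: str
    ip: str
    port: str       # switch port the DHCP request arrived on
    routable: bool  # False while the MAC is unregistered


class NetReg:
    def __init__(self, port_rooms, room_residents):
        self.port_rooms = port_rooms          # switch port -> room (wiring records)
        self.room_residents = room_residents  # room -> resident (housing records)
        self.owners = {}                      # MAC -> user who accepted the AUP
        self.leases = {}                      # IP -> Lease, the abuse desk's lookup table
        # Assumed pools: a private quarantine range and a documentation range
        # standing in for the campus's routable space.
        self._quarantine = iter(ipaddress.ip_network("10.99.0.0/24").hosts())
        self._routable = iter(ipaddress.ip_network("192.0.2.0/24").hosts())

    def register(self, mac, user, accepted_aup):
        """Web portal step: no AUP acceptance, no registration."""
        if not accepted_aup:
            raise PermissionError("AUP must be accepted before registration")
        self.owners[normalize_mac(mac)] = user

    def dhcp_request(self, mac, port):
        """Unknown MACs only ever get a quarantine address."""
        mac = normalize_mac(mac)
        known = mac in self.owners
        ip = str(next(self._routable if known else self._quarantine))
        lease = Lease(mac, ip, port, known)
        self.leases[ip] = lease
        return lease

    def attribute(self, ip):
        """Compare the two ways of answering 'who had this IP?'."""
        lease = self.leases[ip]
        room = self.port_rooms[lease.port]
        return {
            "by_port": self.room_residents[room],
            # Registration identifies the MAC's registrant, so it is only as
            # trustworthy as the MAC itself (the caveat in the post's note).
            "by_registration": self.owners.get(lease.mac),
        }


def demo():
    reg = NetReg({"sw1/1": "101", "sw1/2": "102"}, {"101": "alice", "102": "bob"})
    first = reg.dhcp_request("00-11-22-33-44-55", "sw1/1")  # unknown MAC in room 101
    reg.register("00:11:22:33:44:55", "alice", accepted_aup=True)
    second = reg.dhcp_request("0011.2233.4455", "sw1/2")    # same laptop, room 102's port
    return first, second, reg.attribute(second.ip)


if __name__ == "__main__":
    for item in demo():
        print(item)
```
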



RE: Possibly yet another MS mail worm

2004-03-01 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Curtis Maurand
> Sent: March 1, 2004 10:38 AM
> To: Todd Vierling
> Cc: [EMAIL PROTECTED]
> Subject: Re: Possibly yet another MS mail worm
> 
> 
> My point is that the COM/DCOM/OLE/ActiveX is what allows for 
> a script in 
> an email message that gets executed to have access to the rest of the 
> system, rather than executing within a protected sandbox.  Of course 
> scripts within email messages shouldn't execute at all.  Once they do 
> execute, they have access to the OLE objects on the machine.  It's a 
> security hole big enough to drive a tank through. 

And I hate to point out the obvious, but that's not what we're discussing
here. If you receive a .zip attachment, save it to disk, open it up in
WinZip or the integrated ZIP utility (which I might add is a feature GUI
OSes made outside Redmond also share), extract the .exe in it, and open it
up, ActiveX/OLE/DCOM/etc has NOTHING to do with the fact that the thing is
destructive and that you were allowed to run it.

Sure, having an executable flag like on *NIX would make it a little harder,
but you know what? If I send you a shell script on *NIX called run-me.sh in
a tarball that does a rm -rf / if you're root, and tells you to be root if
you're not, then your session will look like this:
1. Save blah.tar.gz to disk.
2. tar zxf blah.tar.gz
3. chmod 755 run-me.sh
4. ./run-me.sh
5. "Error. This script must be run as root."
6. su -
7. ./run-me.sh
8. Wave byebye to your filesystems.

The problem then isn't technological: an alternative OS, with an
equally-determined (and idiotic) user as the Windows user, provides ZERO
protection against this type of attack. And if you think that step 3 or 5
provided any protection against a determined user, you're wrong.

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic Network Services, Inc.
http://www.dyndns.org/ 



RE: Stopping open proxies and open relays

2004-02-06 Thread Vivien M.

> -Original Message-
> From: Randy Bush [mailto:[EMAIL PROTECTED] 
> Sent: February 7, 2004 1:10 AM
> To: Vivien M
> Cc: [EMAIL PROTECTED]
> Subject: RE: Stopping open proxies and open relays
> 
> 
> > I have no objection to the electric chair for script kiddies
> 
> an interesting position.  and how do you feel about folk who 
> violate rfcs?

I leave them in your more-than-capable hands to do as you best see fit? ;-)



RE: Stopping open proxies and open relays

2004-02-06 Thread Vivien M.

> -Original Message-
> From: Adi Linden [mailto:[EMAIL PROTECTED] 
> Sent: February 7, 2004 12:54 AM
> To: Vivien M.
> Cc: 'Michel Py'; [EMAIL PROTECTED]
> Subject: RE: Stopping open proxies and open relays
> 
> 
> > If stricter laws on computers forced even 50% of people to start 
> > caring a little more, wouldn't that be progress? The day a couple of 
> > grandmothers get taken away in handcuffs because a script kiddie took 
> > up residence in her computer is the day a few people will wake up to 
> > the fact that computers need regular maintenance...
> 
> The the script kiddie gets taken away in handcuffs and lined 
> up for the 
> electric chair is when we see progress. I think you're confusing the 
> criminal and the victim!

I have no objection to the electric chair for script kiddies, but tracing
them seems to be somewhat challenging sometimes. Identifying people who
don't maintain their computers is usually easier :)

And no, I'm not confusing the criminal and the victim. If you leave a loaded
handgun on your front porch and I come along and take it, then shoot your
neighbour's kid with it, then I would expect both you and I to be prosecuted
(though not for the same crime, of course).

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic Network Services, Inc.
http://www.dyndns.org/ 



RE: Stopping open proxies and open relays

2004-02-06 Thread Vivien M.

> -Original Message-
> From: Michel Py [mailto:[EMAIL PROTECTED] 
> Sent: February 7, 2004 12:43 AM
> To: Vivien M.; [EMAIL PROTECTED]
> Subject: RE: Stopping open proxies and open relays
> 
> 
> > Vivien M. wrote:
> > Now, if hooking up an unsecured computer to a network was punishable 
> > by a $1000 fine, and law enforcement somehow had the staff to 
> > prosecute all offenders (or a representative sample), I'm sure 
> > everybody would agree that suddenly they'd be able to afford 
> > antiviruses.
> 
> It's not that I don't like the idea, but it's been tried 
> before. Making stupidity punishable by fines does not work; 
> if it did we would not have a budget deficit issue.

Well, it seems to work relatively well when it comes to motor vehicles...
Oh, sure, there are still lots of morons driving unsafe poorly-maintained
vehicles around, but I'm sure there would be WAY way more if traffic laws
(and inspection requirements, etc, depending on your jurisdiction) went
byebye tomorrow. The problem, in any case, is one of limited enforcement
resources: triple the highway police force, and I'm sure a lot more morons
will get caught/fined/forced to fix their vehicles.

If stricter laws on computers forced even 50% of people to start caring a
little more, wouldn't that be progress? The day a couple of grandmothers get
taken away in handcuffs because a script kiddie took up residence in her
computer is the day a few people will wake up to the fact that computers
need regular maintenance... 

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic Network Services, Inc.
http://www.dyndns.org/ 



RE: Stopping open proxies and open relays

2004-02-06 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Robin Lynn Frank
> Sent: February 7, 2004 12:29 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Stopping open proxies and open relays
> 
> 
> 
> On Friday 06 February 2004 21:00, Adi Linden  wrote:
> > > > There are valid reasons not to run antivirus software,
> > >
> > > And they are?
> >
> > P90w/32MB running Win95 used for email only... or insufficient 
> > finances to purchase anti virus software... to name a couple.
> >
> Not to be argumentative, but by that logic, I guess it is 
> okay to drive my 
> 1948 Ford which doesn't have brakes if I don't have the cash 
> to fix it.

There's a big difference between the two. If you drive your 1948 Ford
without brakes, the local law enforcement agency will make sure it's not in
your interest to repeat the mistake a second time. If you leave your
computer unsecured, well... realistically, no one is going to fine/jail/etc
you whatever the law provides for driving an unfit vehicle.

Now, if hooking up an unsecured computer to a network was punishable by a
$1000 fine, and law enforcement somehow had the staff to prosecute all
offenders (or a representative sample), I'm sure everybody would agree that
suddenly they'd be able to afford antiviruses.

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic Network Services, Inc.
http://www.dyndns.org/ 



RE: MS is vulnerable

2004-01-29 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Laurence F. Sheldon, Jr.
> Sent: January 29, 2004 1:55 PM
> To: [EMAIL PROTECTED]
> Subject: Re: MS is vulnerable
> 
> 
> 
> "Vivien M." wrote:
> 
> > And when she asks why it can't be as simple as buying a microwave or a 
> > washing machine, what do I do?
> 
> What does she do when she is buying a microwave or a washing machine?

Look for the one that provides the desired functionality for the lowest
price? Without worrying about whether one brand's washing machine will
somehow spew anthrax into the neighbourhood's water network, or into her
clothes?

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic Network Services, Inc.
http://www.dyndns.org/ 



RE: MS is vulnerable

2004-01-29 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Jonathan Nichols
> Sent: January 29, 2004 12:53 PM
> To: [EMAIL PROTECTED]
> Subject: Re: MS is vulnerable
> 
> The reason there aren't any Mac viruses most certainly is 
> *not* because 
> "there are not as many of them." One could even go so far as 
> to say that 
> the Mac would be a more likely target because of Apple's security 
> claims. It's a much more high-profile target. Imagine the boasting 
> rights one would have if they could get a Mac virus to spread 
> in these 
> modern days!

I'm sure boasting about writing a Mac virus will make you the big man on the
block in your wing at Club Fed :)

Seriously, boasting about writing damaging viruses is downright stupid... So
the only way to make headlines is to write a really damaging virus that gets
lots of publicity.

Compare the following scenarios.

Scenario A:
Person writes damaging Mac virus.
1-3% of computers out there are infected.
Network operators barely notice a blip on their MRTG
Media doesn't pick up on the story, except for slashdot (and is /. really
media?).
Person feels his genius is underappreciated.
Person posts to bugtraq to boast of his achievement.
FBI shows up and takes him to Club Fed.

Scenario B:
Person writes damaging Windows virus/worm.
20% of computers out there are infected
Network operators scramble on this mailing list to figure out the right ACL
in vendor C, J, and others' syntax to slow down the thing.
CNN makes it one of the top ten headlines on their web site
TV news makes it the second story, right after the latest accusations that
Bush lied about something in Iraq.
Virus author quietly sits in the background smirking while he watches the TV
news.

Isn't B more fun for a virus author (and network operators' cardiologists)?

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic Network Services, Inc.
http://www.dyndns.org/ 



RE: [Nanog] RE: MS is vulnerable

2004-01-29 Thread Vivien M.

> -Original Message-
> From: Remko Lodder [mailto:[EMAIL PROTECTED] 
> Sent: January 29, 2004 12:43 PM
> To: Vivien M.; 'Jason Lixfeld'
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: [Nanog] RE: MS is vulnerable
> 
> 
> It's better to educate your mum how she keeps windows secure. 
> It can be done, there are a lot of Windows machines in the 
> wild out there that are actually almost up to date, (everyone 
> should be that far),

I've managed to educate my dad on the critical updates. He's better at it
than me, actually - when the little icon shows up in the taskbar, he knows
that he's supposed to click on it and do what it tells him to do. Then
again, my dad also takes his car to the dealer the day after he gets a
recall letter, so perhaps he's just more responsible than many... 

My mom's, though, tends to have the little icon staying in the tray, unless
I'm visiting... but I'm still working on educating her :) Much easier to
convince her to click that icon than to make her hand over her American
Express for a shiny new iBook, anyways.

> let her run antivirus software, update it frequently, learn 
> her how to handle unknown email, how to handle weird 
> attachments, delete mails who look suspicious, install a 
> decent windows firewall that allows you to select what should 
> be opened and what should be closed (windows own firewall 
> might be in help her)

Antivirus software, these days, updates itself. If you run the home/SOHO
Norton line, I believe that was added in the 2002 version - the 2001
reminded you to run LiveUpdate, but you actually had to go through the
wizards and stuff each time. No more, now it updates itself and just pops up
a little thingy saying it did so. 

The big problem with "weird attachments" is that they seem to come from a
trusted sender. The usual excuse is "but Joe wouldn't send me a virus", and
it's very hard to make people understand that some computer out there, not
even necessarily Joe's, is sending a virus in Joe's name without Joe knowing
about it. At least these days, viruses aren't MS Word documents, which
helps... 

No need for firewalls - I continue to maintain a FreeBSD firewall system at
my parents' house, and I trust it a lot more than I'd trust a personal
firewall. I'm wary about personal firewalls, though, because sometimes
their interface causes problems (and a _properly_ locked down box shouldn't
need one): eg, one relative who somehow got Norton's firewall to block
outbound IE. Not easy to fix over the phone... 

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic Network Services, Inc.
http://www.dyndns.org/ 



RE: MS is vulnerable

2004-01-29 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Jason Lixfeld
> Sent: January 29, 2004 11:55 AM
> To: Vivien M.
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: MS is vulnerable
> 
> Agreed.  That's where you educate your mom on why Macs are godly, PCs 
> running windows are evil and Linux is a little too complex still for 
> the end user, and bluntly doesn't look as pretty out of the box.

And when she asks why it can't be as simple as buying a microwave or a
washing machine, what do I do?
 
> If she squawks at the price, you tell her that you get what 
> you pay for. 
>   How many times has her printer stopped working or she's 
> been unable to 
> download her pics or watch some video or a dvd or something else that 
> XP touts as super easy, and integrated?

My mom still uses Windows Me (yes, I know... I wouldn't recommend
95/98/98SE/Me to anyone, but good luck convincing her to upgrade), and it
works fine for her. She even manages to make it stay up for more than a few
days, which is more than what I've ever managed to do with the 9X family. 

You're making the assumption here that there are real non-security,
usability benefits to switching to a Mac/OS X. That's not what we're
discussing here, we're talking about security. How can I argue to my mom
that getting a Mac (which would prevent her from running the Windoze-only
software she needs for work, FWIW) would let her printer keep working when
the only printing problem she's had was caused by clogged print heads? You
know, I don't want her to commit me to a mental hospital... 

> Actually, since I got my first Mac last year,  I've been 
> barking up and 
> down about how amazing it is.  I told everyone I sold every PC I ever 
> owned because I could do it all on my powerbook.  They are 
> all jealous. 
>   I had XP for my email, visio and word, *nix for my geek 
> router & perl 
> stuff, another PC for my audio production stuff.  All gone.  
> All I have 
> now is a 17" Powerbook.  It's all I'll ever need.  Well, no -- it's 
> not.  When I need something for music, I'll get a G5.  Plain and 
> simple, I will never own a PC again.

Great. I'm glad that you have the ca$h to make the switch. Some of us,
though, have too much invested in a platform to write it off and start
over with another platform... especially when the current one meets our
needs.

> It's funny, I went out of town for thanksgiving with my family.  When 
> we got to where we were going, my mom was complaining that 
> her digital 
> camera flash was full and she didn't have another one.  I 
> told her that 
> I could download the pictures to my powerbook and email them to her 
> later.  As I was connecting the camera, she asked "Well, 
> don't you need 
> to download and install the softw" she stopped 
> mid-sentence as the 
> Mac found the PowerShot, opened iphoto and proceeded to download the 
> pictures -- no software needed.  She looked Jealous.

WinXP will download pictures from cameras without the software, too. Most
camera manufacturers downplay that ability to push their own software,
though.

> When the last big MS virus/worm caused its major shitstorm, my mom 
> asked me if I ever get infected with viruses.  I said no, I 
> run a Mac.  
> They are immune to these viruses.  She looked jealous.

Remember, Apple only has 3% market share. If that goes up to 20%, we'll see
what happens to their 'secure' reputation...

> It's all about educating the less fortunate :)  There is a very fine 
> line between pay now, save later and save now, pay later.  The latter 
> almost always works out to cost a hell of a lot more than the former 
> ever would have.
> 
> (hypothetical) Buy the $12,000.00 (CDN) KIA with no snow 
> tires, no ABS, 
> no nothing.  Drive somewhere in a snow storm, get stuck going up a 
> hill, try to back down the hill, get sideswiped by the guy in the 
> Touareg because he can't see your tiny little $12,000.00 KIA 
> soap box, 
> get flung over the guardrail, down the hill and into the valley.  Pay 
> the tow truck to come bail your ass out, pay your insurance 
> deductible 
> and the extra rates you are going to ensue because you just wrote off 
> your car.  Add all that up and compare that to the price of a 
> brand new 
> Touareg over 10 years.  Guess what, your analogy just lost ground :)

And guess what, many people can't afford Touaregs. 

You came up with an extreme example... And the fact that KIA dealers aren't
out of business suggests that real life isn't that extreme. For many people
who need a car to go to work and shop for groceries (w

RE: MS is vulnerable

2004-01-29 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Jason Lixfeld
> Sent: January 29, 2004 10:58 AM
> To: [EMAIL PROTECTED]
> Cc: Vivien M.; [EMAIL PROTECTED]
> Subject: Re: MS is vulnerable
> 
> > This is because your mom doesn't want to have to hire a technical 
> > consultant to manage her IT infrastructure when all she 
> wants to do is 
> > get email pictures of her grandkids.
> 
> Then yer mom should get a Mac.

And if she's like my mom, she'll be in the aisle in the computer store
(well, the big box electronics store, more realistically) and be like "Why
should I pay $2000 for this one when I can get 'a computer' for $500?" [1]

You can't expect people's mothers to actually know the differences between
the different platforms, just like I'm sure that when most people's mothers
shop for cars, they can't tell you the advantage of a particular engine type
over another. They just end up picking based on price and "ability to meet
need", and for most mothers old-enough-to-have-NANOG-posting-kids out there,
your $500 eMachines or whatever is more than enough. Expecting them to spend
additional money to address a problem they don't understand is an
unrealistic expectation.

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic Network Services, Inc.
http://www.dyndns.org/ 




RE: in case nobody else noticed it, there was a mail worm released today

2004-01-28 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Roger Marquis
> Sent: January 28, 2004 11:31 PM
> To: [EMAIL PROTECTED]
> Subject: RE: in case nobody else noticed it, there was a mail 
> worm released today
> 
> > The reason they don't do it is 
> because there isn't a critical mass of 
> > Evolution/GNU/Linux/glibcX.Y to make a big stink... And 
> there is such 
> > a critical mass for MS.
> 
> No, sorry, false analogy though it does account for some 
> portion of MS' mess.  The larger reason is that viruses are 
> substantially easier to write for Outlook, Exchange, et al.  
> For another example look at Unix Apache's market share (>75%) 
> and its vulnerability share (<1%).

And look at the people who administer/use these things.

MS' problem, if you ask me, isn't poor engineering (though I'll grant you
I'm sure their stuff could be designed WAY better). The problem is that, as
would seem logical for a publicly-traded company out to maximize profits for
its shareholders, it designed its stuff to be used/administered by the
broadest range of people. Hence, they make it easy to set up (at the cost of
security, absolutely), and easy to forget about (especially as it crashes
less than it used to)... And then, people don't install the security patches
and have no idea about what proper security practices are. So when they find
out about the new cool screensaver... Oops.

Open source projects aren't out to maximize profits, generally... And they
don't generally aim at ease of setup. Whoever sets up Apache using vi to
edit httpd.conf needs to have at least a fractional degree of clue. Not
enough clue, no doubt... But some clue. Setting up the MS equivalent can
probably be done by the random guy on the street wearing a blindfold and
with one hand tied to the chair with a Cat 5 UTP cable. That's the problem. 

Someone made the argument to me privately that the problem is that MS lets
you run attachments from Outlook, while other clients would require you to
save the files to disk. That's not a solution: if these people are like my
parents used to be, they'd dutifully save the attachment, open up a file
manager, and open it up to see the "cool new screensaver" their best friend
sent them ("hey, even if it's a virus, I have an antivirus" is the usual
excuse). Sure, that's three steps instead of one, but for as long as the
HUMAN behind the keyboard wants to open the attachments, whether it takes
two clicks or fifty keystrokes, that attachment will get open. Why doesn't
this happen to Evolution users? My guess is, if you a) know what Linux is,
b) know how to set it up, and c) know what Evolution is, you have enough
CLUE to know that executable attachments from your friends that come with a
grammatically-incorrect email body are trouble. 

MS has made a business of putting computers into the hands of people who do
not have that clue, and do not want to acquire that clue. The fact that
they've been INCREDIBLY successful at doing it is the problem. Sure, they
could put a few more hoops to slow the viruses down... but for as long as
the person behind the keyboard wants to run the attachment, a way will be
found (and ISTR one patch for Outlook 2000 that blocked your ability to save
executables was released), and whoever tries to stop them will be seen as
the mean party here.

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic Network Services, Inc.
http://www.dyndns.org/ 



RE: in case nobody else noticed it, there was a mail worm released today

2004-01-28 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Roger Marquis
> Sent: January 28, 2004 10:37 PM
> To: [EMAIL PROTECTED]
> Subject: Re: in case nobody else noticed it, there was a mail 
> worm released today
> 
> 
> > (Note: I really do not want this to degenerate into another rant 
> > against vendor M;
> 
> Sorry for not sharing your disinterest in the actual reasons 
> we continue to see these viruses and trojans infecting MS 
> and, for all intents and purposes, only MS operating systems.

If Microsoft is the problem, you care to tell me why I haven't gotten
infected by a single one of those emailed viruses/worms/trojans despite
years of running MS software? (And for that matter, neither have my
parents... Apparently, years of yelling at them that 3+ meg binary
"Christmas cards" from their friends were not worth opening, or their
friends learned the hard way and hence stopped sending them)

I don't think my MS software is any different from anyone else's, except
that
A) I don't open .SCR attachments 
B) I actually believe Windows/Office Update is for me, not for the random
dude/gal working down at the Burger King down the street.

So why is it that idiots doing/not doing these things can't be the problem,
but MS must be?

And, care to tell me why, as someone else pointed out, if I were to switch
to Evolution on your random GNU/Linux distribution, someone couldn't write a
similar worm. The reason they don't do it is because there isn't a critical
mass of Evolution/GNU/Linux/glibcX.Y to make a big stink... And there is
such a critical mass for MS.

Let me put it this way: if you know one bank has 100 million dollars in the
vault, and another has 5000 dollars, wouldn't you expect most of the bank
robbers to focus on robbing the first bank, irrelevant of whether the first
bank's vault is better protected than the second's?

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic Network Services, Inc.
http://www.dyndns.org/ 



RE: Anit-Virus help for all of us??????

2003-11-25 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Ryan Dobrynski
> Sent: November 25, 2003 12:21 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Anit-Virus help for all of us??
> 
> like everyone else, I don't have the answer. Just another way 
> of looking at it. I have learned however that trying to fix a 
> behavioral problem with technology generally doesn't work. 
> Until "the users" in general get a little smarter about 
> their new toy, things won't get much better.

No, the solution seems to me to increase the liability involved. If a couple
of people who neglected to take care of their computers got hauled into
court and made to pay a fine and/or spend a few weeks in a jail cell, and if
the mainstream media got to watch (and didn't take a "those poor people"
stance that makes the whole initiative look bad), things would change.

Fact is, if I don't properly maintain my brakes on my car and I crash into
something/someone, there will be legal consequences enforced with the full
coercive power of the government. If I don't properly maintain my computer
and as a result, it harms someone else (eg: by allowing others to use it for
DDoSing that other person's network), there should also be serious legal
consequences. And just like saying "Oh, I didn't know brakes weren't
supposed to last for 15km" wouldn't be an acceptable excuse for my
poorly-maintained car harming others, neither should "I didn't know that
computers needed regular security updates" be an excuse for me to have a
virus/trojan/etc-infected computer that harms others.

Yes, this is a political solution, but this is a political and social (and
economic, to a lesser extent) problem, not a technological one. When
technology has the potential to cause harm, it (except for computer
technology) is regulated to limit the amount of harm that is done.

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 



RE: Anit-Virus help for all of us??????

2003-11-25 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Brian Bruns
> Sent: November 25, 2003 10:21 AM
> To: Vivien M.; 'Daniel Karrenberg'
> Cc: [EMAIL PROTECTED]
> Subject: Re: Anit-Virus help for all of us??
> 

> I know full well about the resource limits.  It's a PITA, but 
> as long as you run a decent set of apps that don't suffer 
> from resource leaks (Mozilla without a GDI patch does this 
> for example) that eventually use up all GDI/USER memory, 
> you'll be fine.  I use Win98SE here all day with only one 
> reboot needed most days, and I run WinAMP, Putty, K-Meleon, 
> Outlook Express, Cygwin, mIRC, Xnews (which has a bad habit 
> of crashing the whole system at times), as well as AIM, 
> Miranda IM, SST, Yahoo Messenger, and various other tools.  
> That's all at once, multitasking.  I know, I could reduce the 
> clutter by letting Miranda IM do AIM and Yahoo, but that's not 
> the point. :-)
> 
> Many times, resource suckage comes from those ugly faceless 
> background programs that run at startup.  Kill as many icons 
> as you can on the desktop and the task bar, and clean out 
> your startup list, and you'll free up a lot of GDI resources.

You've just conceded that you reboot every day, and honestly, to do what you do
with Win98 SE, that's what's required. You've also conceded that how you use
your system is chosen based around those resource limitations: if $BROWSER_1
uses less resources than $BROWSER_2, that's what you'll use. If Win98 SE was
the only game in town, well, you could do that and curse Redmond every time
you reboot. However, it is NOT the only game in town. A reasonable OS
(Win2K/XP, Linux, etc) will let you run all the things you're running, and
will stay up for weeks unless your hardware really sucks.

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 



RE: Anit-Virus help for all of us??????

2003-11-25 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Daniel Karrenberg
> Sent: November 25, 2003 3:42 AM
> To: William Allen Simpson
> Cc: [EMAIL PROTECTED]
> Subject: Re: Anit-Virus help for all of us??
> 
> 
> 
> On 24.11 18:20, William Allen Simpson wrote:
> > 
> > Brian Bruns wrote:
> > > 
> > > One thing that many people don't realize (from my personal 
> > > experience) is that contrary to popular belief, Win98SE is a good 
> > > all around desktop OS to use.  It can run most things like 
> > > productivity apps and games, and with 128-256MB of RAM, it's quite 
> > > fast even on an old laptop like mine.  Unlike XP, it 
> doesn't have a 
> > > million services running, nor does it have the nasty UPnP 
> stuff from WinME.
> 
> I agree wholeheartedly.
> 
> if haveto(M$) 
>   use(W98SE);

Have either of you actually followed this advice?

Win98SE is totally useless as a desktop OS due to the archaic GDI/USER
resource limits. When one average consumerish app (eg: a media player) eats
up 10% of those resources, one window in an IM program eats up 2%, etc... it
does not take much to bring down an entire system. Last time I was running
Win98SE (which is about 3 years ago), it took about 20 minutes after booting
while running boring normal apps to get to a dangerously low resource level
(30%ish free). That machine got totally unstable needing a reboot after
about 3 days. On the same hardware (with additional RAM), Win2K could easily
run 3-4 weeks and run any app I wanted just fine. 

So, some people might say I'm a power user, but the average users I know
these days tend to multitask at least a web browser, an IM client with a
couple open windows, some bloated media player, perhaps a P2P app, and some
office app. This is already stretching Win9X to its limits, and I would
expect it to be worse (code just gets sloppier...) than it was three years
ago...

No wonder people think Windows is unreliable. 98SE may be preferable from a
security-from-external-threats POV, yes, but for any type of real use, it's
useless. Not to mention the other quirks, like needing to reboot to change
network settings, the lack of any local security (or even attempt at local
security), etc. I'll take rebooting every week or two for the latest XP
security patch any day over rebooting every day or two because Win98SE is an
unreliable piece of poorly designed legacy junk.

The way I see it, there are two uses for 98SE (or 95, 98, Me, etc) in the
modern world:
1) People who use their computers as game-only machines (or who dual boot a
real OS for non-game purposes)
2) Advertising for $OTHER_OS, where $OTHER_OS can be Win2K, XP, or your
favourite Linux distro with KDE, GNOME, etc. Anything that actually WORKS
reliably.

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 



RE: [Fwd: [IP] VeriSign to revive redirect service]

2003-10-16 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Paul Vixie
> Sent: October 16, 2003 7:36 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Fwd: [IP] VeriSign to revive redirect service]
> 
> 
> ken is right and i apologize for the confusion.  most of the 
> early patches to bind8 and djbdns that i saw were dependent 
> on the sitefinder address, and as such, would have enabled 
> nameserver administrators to break _sitefinder_. isc's 
> patches for bind9 enable nameserver administrators to break 
> only the _redirection_ to sitefinder.

But aren't we back at the same argument we had a few weeks ago about what is
SiteFinder?

Some people argue SiteFinder is the thing at sitefinder.verisign.com and,
hence, is different from the wildcard that points to it. So your patch
breaks the redirection (and personally, I shudder at calling an A record
redirection, but perhaps that's a bias from years in the DNS business with
customers who throw that word around in all kinds of inappropriate contexts)

Others, like myself, would argue that SiteFinder is VeriSign marketing's
brand name for the wildcard record and the thing it points to. With that
definition, the ISC patch does break SiteFinder...

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 



RE: Extreme BlackDiamond

2003-10-13 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Matthew S. Hallacy
> Sent: October 13, 2003 1:21 PM
> To: Shazad - eServers; [EMAIL PROTECTED]
> Subject: Re: Extreme BlackDiamond
> 
> 
> 
> On Mon, Oct 13, 2003 at 05:52:59PM +0100, Shazad - eServers wrote:
> > 
> > If you are so smart, GO and CHECK the HEADERS of that POST. 
> Was it me? 
> > NO IT WASN'T.
> 
> No offense, but:

[Snip] 
> Looks like the exact same path to me.

You got the wrong post, I think... 

Here are the headers I'm seeing:
Return-Path: <[EMAIL PROTECTED]>
Received: from trapdoor.merit.edu ([EMAIL PROTECTED]
    [198.108.1.26])
    by manganese.bos.dyndns.org (8.12.8p2/8.12.8) with ESMTP id
    h9DFQclx048945;
    Mon, 13 Oct 2003 11:26:38 -0400 (EDT)
    (envelope-from [EMAIL PROTECTED])
Received: by trapdoor.merit.edu (Postfix)
    id 13A6191327; Mon, 13 Oct 2003 11:22:27 -0400 (EDT)
Delivered-To: [EMAIL PROTECTED]
Received: by trapdoor.merit.edu (Postfix, from userid 56)
    id 4F8D7912A4; Mon, 13 Oct 2003 11:17:54 -0400 (EDT)
Delivered-To: [EMAIL PROTECTED]
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41])
    by trapdoor.merit.edu (Postfix) with ESMTP id 957A9912D2
    for <[EMAIL PROTECTED]>; Mon, 13 Oct 2003 11:15:40 -0400
    (EDT)
Received: by segue.merit.edu (Postfix)
    id 83AD05DDA1; Mon, 13 Oct 2003 11:15:40 -0400 (EDT)
Delivered-To: [EMAIL PROTECTED]
Received: from psg.com (psg.com [147.28.0.62])
    by segue.merit.edu (Postfix) with ESMTP id 62EAB5DD98
    for <[EMAIL PROTECTED]>; Mon, 13 Oct 2003 11:15:40 -0400 (EDT)
Received: from [127.0.0.1] (helo=roam.psg.com)
    by psg.com with esmtp (Exim 4.24; FreeBSD 4.9)
    id 1A94Q6-0007IZ-Ov
    for [EMAIL PROTECTED]; Mon, 13 Oct 2003 15:15:39 +
Received: from localhost ([127.0.0.1] helo=roam.psg.com)
    by roam.psg.com with esmtp (Exim 4.24; FreeBSD 4.9)
    id 1A94Q5-000Bct-K6
    for [EMAIL PROTECTED]; Mon, 13 Oct 2003 17:15:37 +0200
Organization: eServers
MIME-Version: 1.0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: AcORlxEhs697B4/kSySyoICO+plTjQABXZYg
In-Reply-To: <[EMAIL PROTECTED]>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
From: "Shazad - eServers" <[EMAIL PROTECTED]>
To: "'Randy Bush'" <[EMAIL PROTECTED]>
Subject: RE: Extreme BlackDiamond
Date: Mon, 13 Oct 2003 16:13:25 +0100
Sender: [EMAIL PROTECTED]
Precedence: bulk
Errors-To: [EMAIL PROTECTED]
X-Loop: nanog
X-Spam-Status: -3.3 ()
    BAYES_10,FORGED_MUA_OUTLOOK,IN_REP_TO,MISSING_OUTLOOK_NAME,QUOTED_EMAIL_TEXT
    ,X_LOOP
X-Scanned-By: MIMEDefang 2.36

As much as I hate to say it (and I'll probably regret getting into this
discussion), it does look like Randy hit the bounce option in pine or
whatever and sent Shazad's private reply straight to NANOG.

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/
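
How the reading in the message above follows from a Received chain, as an added example that is not part of the original post: the hops are walked from the bottom (oldest) upward, and the host that first injected the message is compared with the From: and To: domains. The header block, every hostname and address in it, and the function names are constructed for illustration, since the addresses on the page are redacted.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a private reply from author@sender.example to
# someone@bouncer.example that reaches a list from the recipient's own host.
RAW = """\
Received: from list.example.net (list.example.net [192.0.2.10])
\tby mx.reader.example (8.12.8) with ESMTP id abc; Mon, 13 Oct 2003 11:26:38 -0400
Received: by list.example.net (Postfix, from userid 56)
\tid jkl; Mon, 13 Oct 2003 11:17:54 -0400
Received: from relay.bouncer.example (relay.bouncer.example [198.51.100.7])
\tby list.example.net (Postfix) with ESMTP id def; Mon, 13 Oct 2003 11:15:40 -0400
Received: from localhost ([127.0.0.1] helo=laptop.bouncer.example)
\tby laptop.bouncer.example with esmtp (Exim 4.24) id ghi; Mon, 13 Oct 2003 17:15:37 +0200
From: "Original Author" <author@sender.example>
To: "Recipient" <someone@bouncer.example>
Subject: RE: constructed sample
X-Mailer: Microsoft Office Outlook, Build 11.0.5510

body
"""


def strip_comments(value):
    """Drop (parenthesised) comments so '(Postfix, from userid 56)' is not
    mistaken for a 'from <host>' clause."""
    return re.sub(r"\([^()]*\)", " ", value)


def hops(msg):
    """Return [(from_host, by_host), ...] with the oldest hop first.
    Each MTA prepends its Received line, so the header order is reversed."""
    chain = []
    for value in reversed(msg.get_all("Received", [])):
        cleaned = strip_comments(value)
        src = re.search(r"\bfrom\s+(\S+)", cleaned)
        dst = re.search(r"\bby\s+(\S+)", cleaned)
        chain.append((src.group(1).lower() if src else None,
                      dst.group(1).lower() if dst else None))
    return chain


def site(host):
    """Last two labels of a name. A simplification for this sample,
    not a public-suffix lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyse(raw):
    msg = message_from_string(raw)
    chain = hops(msg)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    to_dom = parseaddr(msg.get("To", ""))[1].rpartition("@")[2]
    origin = chain[0][1] if chain else None   # host that first accepted it
    return {
        "chain": chain,
        "origin": origin,
        # From: names one site, but the message entered the mail system at another.
        "injected_outside_from_domain":
            origin is not None and site(origin) != site(from_dom),
        # ... and that other site is the addressee's own.
        "injected_at_recipient_site":
            origin is not None and site(origin) == site(to_dom),
    }


if __name__ == "__main__":
    report = analyse(RAW)
    for src, dst in report["chain"]:
        print(f"{src or '(local)'} -> {dst}")
    print("origin:", report["origin"])
    print("outside From: domain:", report["injected_outside_from_domain"])
    print("at recipient's site:", report["injected_at_recipient_site"])
```
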



RE: More news coverage

2003-10-08 Thread Vivien M.

> -Original Message-
> From: Paul G [mailto:[EMAIL PROTECTED] 
> Sent: October 8, 2003 8:38 PM
> To: Vivien M.; 'ken emery'; [EMAIL PROTECTED]
> Subject: Re: More news coverage
> 
> 
> - Original Message - 
> From: "Vivien M." <[EMAIL PROTECTED]>
> To: "'ken emery'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Wednesday, October 08, 2003 8:28 PM
> Subject: RE: More news coverage
> 
> > But isn't the "SiteFinder service" just VeriSign 
> Marketing's name for 
> > the wildcard A record? What's the point of the search engine at 
> > sitefinder.verisign.com (which appears to be down) without the 
> > wildcard A record directing stuff to it?
> 
> they could try to get some legitimate traffic as, say, 
> google or yahoo do by providing a valuable service. if it is 
> as valuable as they claim, users will keep coming back.

But for most endusers who are using IE, they already get the MS search page?
And who is actually going to manually go to sitefinder and type in their
typoed URLs, especially when they're already used to Google or similar? 

The service's "value", if any (and that's a very big if), depends on it
being automatic...

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 



RE: More news coverage

2003-10-08 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of ken emery
> Sent: October 8, 2003 6:41 PM
> To: [EMAIL PROTECTED]
> Subject: Re: More news coverage
> 
> 
> I think the thing which needs to be gotten across to the 
> general public (and the decision makers) is the SiteFinder 
> service itself was NOT shut down.  The redirection to the 
> SiteFinder service was what was shut down.  This was done 
> because this redirection is believed to have adverse side 
> effects.  The way things are being painted it seems that the 
> SiteFinder service was turned off and there is nothing 
> further from the truth.

But isn't the "SiteFinder service" just VeriSign Marketing's name for the
wildcard A record? What's the point of the search engine at
sitefinder.verisign.com (which appears to be down) without the wildcard A
record directing stuff to it?

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 



RE: Annoying dynamic DNS updates (was Re: someone from attbi please contact me ...)

2003-09-28 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Brian Bruns
> Sent: September 28, 2003 6:00 PM
> To: [EMAIL PROTECTED]; Paul Vixie
> Subject: Re: Annoying dynamic DNS updates (was Re: someone 
> from attbi please contact me ...)
> 
> How about just configuring your BIND to return errors when 
> his queries against your server?  He has got to be using you 
> as either a primary or secondary name server.  That would 

No, that's not how it works... (at least, the Win2K/XP-style of this) 

It works based on the system's hostname. If you set your Windoze hostname to
blah.domain.com, then the server in domain.com's SOA is going to get blasted
with all those RFC 2136 updates.

In your case, I'm guessing your customers had (automatic DNS configuration
through DHCP? PPP?) a hostname in your domain, so that's actually why the
updates went your way, not because you were their primary/secondary DNS in
their DNS config.

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 
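
The behaviour described in the message above, as an added example that is not part of the original post: the client finds the zone that encloses its own hostname and sends the RFC 2136 UPDATE to that zone's SOA primary, whatever resolvers it was configured with. The zone table, hostnames and function names are constructed for illustration; `classify` is a check a nameserver operator could run on a captured packet to recognise such updates and see which zone they target.

```python
import struct

# Constructed stand-in for the DNS: zone apex -> SOA MNAME (primary master).
ZONES = {
    "example.com.": "ns1.dns-host.example.",
    "corp.example.com.": "dc1.corp.example.com.",
}

OPCODE_UPDATE = 5   # RFC 2136
TYPE_A, TYPE_SOA, CLASS_IN = 1, 6, 1


def enclosing_zone(hostname, zones=ZONES):
    """Strip leading labels until the remainder is a zone apex."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None


def update_target(hostname, configured_resolvers, zones=ZONES):
    """Where the UPDATE for this hostname is sent. The configured resolvers
    only answer lookups; they are the destination only by coincidence."""
    zone = enclosing_zone(hostname, zones)
    if zone is None:
        return None
    target = zones[zone]
    return {"zone": zone, "target": target,
            "target_is_configured_resolver": target in configured_resolvers}


def encode_name(name):
    """Uncompressed DNS wire encoding of a domain name."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_update(zone, hostname, ipv4, msg_id=0x1234, ttl=1200):
    """Minimal UPDATE message: one zone entry and one A record to add."""
    flags = OPCODE_UPDATE << 11            # QR=0, opcode in bits 11-14
    # Header counts are ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT.
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    record = (encode_name(hostname)
              + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata)
    return header + zone_section + record


def classify(packet):
    """Return ('update', zone) for an UPDATE request, else ('other', None)."""
    if len(packet) < 12:
        return ("other", None)
    _msg_id, flags, zocount = struct.unpack("!HHH", packet[:6])
    is_response = bool(flags & 0x8000)
    opcode = (flags >> 11) & 0xF
    if is_response or opcode != OPCODE_UPDATE or zocount != 1:
        return ("other", None)
    labels, pos = [], 12
    while pos < len(packet):
        length = packet[pos]
        if length == 0:
            return ("update", ".".join(labels).lower() + ".")
        # The first name in a message has nothing earlier to point to,
        # so a compression pointer or an overrun means a malformed packet.
        if length & 0xC0 or pos + 1 + length > len(packet):
            return ("other", None)
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ("other", None)                 # name ran off the end of the packet


if __name__ == "__main__":
    info = update_target("blah.example.com", ["resolver.isp.example."])
    print(info)
    pkt = build_update(info["zone"], "blah.example.com", "192.0.2.44")
    print(classify(pkt))
```
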



RE: If Verisign *really* wants to help ...

2003-09-20 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Sean Donelan
> Sent: September 20, 2003 6:29 PM
> To: Lyndon Nerenberg
> Cc: [EMAIL PROTECTED]
> Subject: Re: If Verisign *really* wants to help ...
> 
> 
> 
> On Sat, 20 Sep 2003, Lyndon Nerenberg wrote:
> > The logical follow-on to IP-based Sitefinder is SS7-based 
> Phonefinder. 
> > I propose we redirect all "not in service" telephone numbers to 
> > Verisign's CEOs direct telephone number.
> 
> Actually, AT&T already tried that once upon a time.
> 
> If you dialed a number that was busy or not in service it 
> redirected you to a "helpful" recording offering for a small 
> charge to ring you back when the number was available.
> 
> AT&T discontinued it less than a week later.

Just out of curiosity, why did they discontinue it?

Here in Bell Canada land, this type of thing has been around for hm... 8
years or so? There was a big outcry the first week or so from dialup users
(at the time, busy signals were more common than now), then eventually they
all did the *XX code to permanently disable it. It is still enabled on new
[residential, at least] POTS lines.

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 



RE: Fun new policy at AOL

2003-08-29 Thread Vivien M.

> -Original Message-
> From: Matthew Crocker [mailto:[EMAIL PROTECTED] 
> Sent: August 29, 2003 4:16 PM
> To: Vivien M.
> Cc: 'Mikael Abrahamsson'; [EMAIL PROTECTED]
> Subject: Re: Fun new policy at AOL
> 
> Port forward 127.0.0.1:25 through to someplace.edu:25 using SSH.  Or 
> VPN. Or ...
> 
> More than one way to skin this cat.

If you have a shell account on someplace.edu, yes, I agree, that's probably
the best way (and if anyone looks at the headers of this message, that's how
I've been doing SMTP for like three years now... Too lazy to set up SMTP
AUTH somewhere where I'm the admin). 

But if you have no shell account, or you're not technologically clueful,
you're still hopeless... So, the conclusion still seems to be that SPF and
such things will break your email, unless
i) SMTP AUTH is available
ii) You're sufficiently clueful (and required things like VPN, SSH, etc are
available) that you can implement a workaround.

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 



RE: Fun new policy at AOL

2003-08-29 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of JC Dill
> Sent: August 29, 2003 3:43 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Fun new policy at AOL
> 
> 
> 
> At 12:32 PM 8/29/2003, Vivien M. wrote:
> 
> > > Time to switch to SMTP AUTH and use the same relay always.
> >
> >And what do you do if you're not the admin for the relay? And what 
> >about if the admin tells you "This is why we installed some webmail 
> >package. Use that instead."?
> 
> Either the webmail solution meets your needs, or you need to 
> obtain service 
> from a company that offers a solution that meets your needs.  
> Why is this 
> so hard to understand?

Because you're not understanding the issue... If you get an email account
from your employer/educational institution/etc and have to access it from
home and send mail from it, you can't "obtain service from a company that
offers a solution that meets your needs." If you can't convince your admins
(and good luck if you don't work in the IT department) that they need to set
up SMTP AUTH, then you are screwed... Get used to dialing into your
employer/educational institution/etc's network to do email, simply to comply
with these things, or hello webmail. And how will you explain to people who
quite happily have their POP3 clients set up to get mail from their work's
POP3 server, and SMTP to their local ISP that suddenly they can't do it that
way anymore?

If this solution had been implemented 5 years ago instead of the "no third
party relays" system now in place, I wouldn't be opposed to it... But the
issue is that the "use the local SMTP server to send" model is the main one
deployed in the field today, and if you start saying NOW that mail must be
relayed through a domain's particular SMTP server and that server doesn't
support SMTP AUTH relaying, you're now screwed... 

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 



RE: Fun new policy at AOL

2003-08-29 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Matthew Crocker
> Sent: August 29, 2003 3:58 PM
> To: Vivien M.
> Cc: 'Mikael Abrahamsson'; [EMAIL PROTECTED]
> Subject: Re: Fun new policy at AOL
> 
> 
> 
> >>
> >> You switch service provider or give them a whack with the cluebat.
> >
> > And if the "service provider" is your employer/educational
> > institution? You
> > quit your job? Drop out of school? Swallow your pride and 
> suffer with
> > webmail?
> >
> 
> Spend $19.95 getting a dialup account for an ISP with a clue and use 
> their mail servers. If employed charge the $20/month on your expense 
> report.


You seem to be misunderstanding the issue. Let's say you work at
someplace.edu. You want to send mail from home. With the SPF-type schemes
being discussed, your mail MUST come from someplace.edu's server.

If someplace.edu won't set up an SMTP AUTH relay, what do you do? Your
dialup account will let you use the dialup ISP's mail server... But your
mail will get bounced because it's not something from someplace.edu.

Hence, if no SMTP AUTH relay, you're screwed.

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 



RE: Fun new policy at AOL

2003-08-29 Thread Vivien M.

> -Original Message-
> From: Mikael Abrahamsson [mailto:[EMAIL PROTECTED] 
> Sent: August 29, 2003 3:44 PM
> To: Vivien M.
> Cc: [EMAIL PROTECTED]
> Subject: RE: Fun new policy at AOL
> 
> 
> On Fri, 29 Aug 2003, Vivien M. wrote:
> 
> > And what do you do if you're not the admin for the relay? And what 
> > about if the admin tells you "This is why we installed some webmail 
> > package. Use that instead."?
> 
> You switch service provider or give them a whack with the cluebat.

And if the "service provider" is your employer/educational institution? You
quit your job? Drop out of school? Swallow your pride and suffer with
webmail?

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 



RE: Fun new policy at AOL

2003-08-29 Thread Vivien M.

[Note: I posted something else on this topic, but it doesn't appear to have
made it through yet...]

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Mikael Abrahamsson
> Sent: August 29, 2003 3:20 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Fun new policy at AOL
> 
> 
> 
> On Fri, 29 Aug 2003, Simon Lockhart wrote:
> 
> > I travel around. I read my email by POP3/IMAP, I use local 
> ISP's SMTP 
> > server for outgoing - surely that means I can't use my own 
> domain for 
> > email?
> 
> Time to switch to SMTP AUTH and use the same relay always.

And what do you do if you're not the admin for the relay? And what about if
the admin tells you "This is why we installed some webmail package. Use that
instead."?

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 



RE: Put part of Google on 69/8 (was Re: 69/8...this sucks)

2003-03-12 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Jack Bates
> Sent: March 12, 2003 9:29 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Put part of Google on 69/8 (was Re: 69/8...this sucks)
> 
> 
> 
> From: "Vivien M."
> 
> > I've had the opposite problem (people thinking I'm female, when I'm
> not...),
> > and it can get quite annoying, I agree.
> >
> Is this a pick up list? Find the guy or gal of your dreams 
> that can think too? I figure that you either earn people's 
> respect or admiration or you don't. Mailing-list sex hasn't 
> ever been an interest of mine. :)

Well, I've gotten [non-serious, I hope] marriage proposals from guys on
Usenet before...

I wouldn't go as far as Ms. Dill and saying it's offensive, but it is
annoying that whenever you call some company and they look you up in their
database, they say "ma'am" instead of "sir" (or, in Ms. Dill's case,
presumably the opposite), and whenever you start posting in a new forum
(Usenet, mailing list, etc), you inevitably have to correct the first person
who refers to you with the wrong gender pronouns, etc, which is always
embarrassing for both you and the person who made the mistake...

That said, this is getting horribly off-topic... though perhaps we should
ask whether sex mailing lists are hosted on networks that filter 69/8? :)
(Yes, I know, that wasn't a good attempt at being on topic...)

Vivien
-- 
(Mr.) Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 



RE: Put part of Google on 69/8 (was Re: 69/8...this sucks)

2003-03-12 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of JC Dill
> Sent: March 12, 2003 8:37 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Put part of Google on 69/8 (was Re: 69/8...this sucks)
> 
> It is offensive to many people (both male and female) when 
> someone automatically assumes that an "unknown" person is 
> male.  Especially since:
[snip]
> It is doubly offensive when you opine that I have an 
> obligation to create and use [1] a gender-specific name 
> solely to make things easier for you and other sexist jerks^W 
> men^W^W induh^H^Hividuals.  What would you do if my name was 
> Pat or Chris?  Or if YOUR name was Pat or Chris?

I've had the opposite problem (people thinking I'm female, when I'm not...),
and it can get quite annoying, I agree.

I wonder if perhaps a solution would be doing something I saw a gentleman
from China, IIRC, do on this list quite a while ago. He had added (Mr.) to
his .sig to make it easy for people to figure out his gender. Perhaps this
would be an easyish way to somewhat-subtly warn people of the correct
gender?

Vivien
-- 
(Mr.) Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 



RE: Move all 9-1-1 to 8-5-5

2003-03-10 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Sean Donelan
> Sent: March 10, 2003 7:51 PM
> To: [EMAIL PROTECTED]
> Subject: Move all 9-1-1 to 8-5-5
> 
> 
> 
> Whenever the North American Numbering Planning Administration 
> releases a new toll-free prefix (e.g. 1-800, 1-888, 1-877, 
> 1-866) there is always a lengthy delay for individuals 
> operating some telephone switches to update their routing 
> tables.  It's common to be in hotels, and find the hotel PBX 
> doesn't recognize a recent toll-free prefix.
> 
> So to "fix" this problem, why don't we move all 9-1-1 numbers 
> to the new toll-free prefix, which will break stuff for 
> people who don't update their PBX's promptly.  When they find 
> out they can't report a fire in the hotel because their PBX 
> is blocking the new prefix, then they'll fix the PBX.

You're comparing two different situations, though:
In your case, the people in the hotel that is doing the blocking will be the
ones experiencing the problems. They notice that they can't reach
1-8xx-xxx-, so they call up the hotel management and yell. Hotel
management calls the person in charge of their PBX, and the problem would be
fixed. I could be wrong (hey, I'm in the DNS business, not the PSTN), but I
can't imagine the 1-8xx number calling the hotel and getting the impression
that the 1-8xx number's provider has problems...
In the 69.0.0.0/8 case, though, the problem is bidirectional. You have
people whose ISP/firewall/etc blocks access to 69.0.0.0/8 - presumably, if
they can't reach some box on 69.0.0.0, they'll yell at their ISP (and, most
likely, at the operator of the thing they're trying to reach, too, but said
operator can tell them to yell at their ISP). But, you also have people on
69.0.0.0 who aren't able to reach other sites due to filtering on the other
end, and those people are likely to yell at their ISP and blame their ISP
for something the ISP can't fix.
That second situation, I think, is the situation that this thread is about,
and your hotel analogy doesn't address that.

With the hotel analogy, basically, the people affected are the ones who have
the relationship with the operator of the broken piece of hardware, not the
ones with the 1-8xx number (though, if you want to be picky, you could argue
they might lose a bit of business to this).
With the 69.x.x.x situation, the people affected are the ones with the 69 IP
space, and they don't have a relationship with whoever has the misconfigured
hardware. 

Maybe moving the GTLD servers would be overkill... But certainly, the idea
of asking Google or Yahoo to move seems like a good one. If people can't
reach Google or Yahoo, they'll make their ISP look into the issue, and fix
their filters. 

A random comment now I have been dragged into this thread: this issue is not
new with 69.0.0.0/8. When we first got a block from 66.* from an ISP about
two years ago, we had problems too with various people (mostly end users,
though, I think) firewalling 66.*, and yet ARIN had been assigning 66.*
blocks for probably a year or so before we got that IP space. Fortunately
for us, though, most problems seemed to be people who wanted to reach us not
being able to, and not us not being able to reach sites we wanted to talk
to. Still, I suspect the Linux Firewall HOWTO was in large part responsible
for the problems we had... 

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 



RE: Root server error

2003-02-27 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Geo.
> Sent: February 27, 2003 2:21 PM
> To: [EMAIL PROTECTED]
> Subject: Root server error
> 
> 
> 
> 
> Can someone verify something for me?
> 
> Do an NSLOOKUP for www.stemtostern.com and stemtostern.com 
> against the i.gtld-servers.net
> 
> why would the www one resolve?

You have www.stemtostern.com registered as a name server, so there's a glue
record for it in the GTLD servers.

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 



RE: How to secure the Internet in three easy steps

2002-10-27 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:owner-nanog@;merit.edu] On 
> Behalf Of Christopher Schulte
> Sent: October 27, 2002 9:22 PM
> To: William Warren; [EMAIL PROTECTED]
> Subject: Re: How to secure the Internet in three easy steps
> 
> In a public press release dated August, they claim to have 
> 1.8 million Internet customers.  How that compares to the 
> global pool of cable users, I cannot say.

One cable company I've done business with here (Ontario, Canada) has over
500K subscribers, and I don't believe it has the largest number of cable
modems in the country. So you're probably talking around 1.5-2 million
cable modems north of the border. Then you have Europe (I think .nl has
decent cable modem penetration), Asia-Pacific, etc.

> It'll be interesting to see if att exports their filtering 
> policies to the newly acquired customers.  They'll want to 
> support a uniform configuration across the whole network, I'm sure.

They apparently don't have a uniform configuration now; we have lots of
people using AT&T BI complaining about blocked port 80s and whatnot, and
yet we have some other AT&T BI users in different locations (but I think
both were formerly-@Home AT&T BI areas) who don't have any ports
blocked. Bizarre, I have to say. 

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 




RE: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at smtpng.org)

2002-08-26 Thread Vivien M.


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
> Behalf Of Martin
> Sent: August 26, 2002 10:15 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Paul's Mailfrom (Was: IETF SMTP Working Group 
> Proposal at smtpng.org)
> 
> but surely an MTA derives its usefulness by running on port 
> 25. i don't remember reading about where in the DNS MX RR you 
> could specify what port the MTA would be listening on...

Well, it must specify it somewhere, since at least a couple of times a
week we have our users ask how to stick a port number in an MX record.
:) 

Where they got this idea is beyond me (unfortunately), but it's quite a
common question... 

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 




RE: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread Vivien M.


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
> Behalf Of Robert Blayzor
> Sent: August 21, 2002 10:53 PM
> To: 'Vivien M.'; [EMAIL PROTECTED]
> Subject: RE: IETF SMTP Working Group Proposal at smtpng.org
> 
> 
> Running a mail server off a dynamically assigned dialup *CAN* 
> work, but it really isn't the thing to do even if you put in 
> a low TTL on the A record.  Sure it works.  But what about 
> all the messages that will requeue on remote mail servers and 
> depending on the remote queueing strategy of the remote mail 
> server, it can take hours before mail could be re-attempted 
> for delivery.  A dynamically assigned MX box isn't really the 
> best thing to do.  If you want to do that then you should at 
> least have a lower preference backup MX that is on 24/7 that 
> will accept mail on your behalf, and when your server dynamic 
> SMTP server comes online it can simply do an ETRN to requeue 
> the mail on the backup MX.  
> 
> Having one MX on a dynamic DNS mail server is just rude to 
> remote mail servers that try to deliver mail.  Why should my 
> servers consume more resources to benefit your customers?

You're assuming that these people aren't permanently online. I expect
most of our users (I hesitate to call them customers, simply because a
lot of them haven't paid anything) are using 24/7 type connections.
Certainly, running your own mail server and being online two hours a day
is foolish.

However, this has NOTHING to do with IP allocation. A friend, years ago,
had a static IP dialup with an ISP that billed him for an X hour/month
package, where I think X was 120 or so. He could have run a mail server
that met your static IP standard of approval, and yet was (unless he
wanted to pay extra) only online 1/6th of the time. Now, most of our
users may not have static IPs, but they're most likely online 24/7 or
close enough. 

Which of the two uses more resources on your servers? I'm willing to bet
the static IP dialup person will, so there goes your argument.

Running mail servers on non-permanent dialup connections is foolish,
I'll grant you that any day, but that wasn't the point you were making.
Your point was that mail servers on dynamic IPs (and you never answered
my question on how you define dynamic) are bad, no matter the
circumstances surrounding them, and that's just plain not true.

Oh, and BTW, you're not benefiting our users by having your servers
queue mail for our users. You're benefitting YOUR customers who
presumably want to be able to send mail to our users, and who expect
your servers to queue mail.

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 




RE: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread Vivien M.


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
> Behalf Of Robert Blayzor
> Sent: August 21, 2002 7:39 PM
> To: 'Brad Knowles'
> Cc: [EMAIL PROTECTED]
> Subject: RE: IETF SMTP Working Group Proposal at smtpng.org
> 
> 
> Correct, but MX's (mail servers) have static assignments, 
> unless you change DNS every time.  Running MX's on dynamic 
> IP's to receive mail would be quite silly.

Then perhaps you'd like to tell me how we have tens of thousands of
users quite happily doing it?

True, I wouldn't run Hotmail/AOL/EarthLink/etc's MXes off dynamic IPs,
but for a home/small biz mail server...

Oh, and one last thing, when you specify an MX (statically, as you say),
you don't put in the IP but rather a name created with an A record, so what
prevents that A record from being a low-TTL dynamic DNS A record?

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 




RE: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread Vivien M.


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
> Behalf Of Robert Blayzor
> Sent: August 21, 2002 7:14 PM
> To: 'Gary E. Miller'
> Cc: [EMAIL PROTECTED]
> Subject: RE: IETF SMTP Working Group Proposal at smtpng.org
> 
> 
> 
> > Uh, no.  I have seen spammers use dynamic DNS to use throw
> > away dial-ups accounts for incoming main service.
> 
> Right, but to run a "real mail server" you need a static 
> address.  Which can be registered as a valid mail server.  
> Dynamic IP's cannot.

Dynamic/static IPs, though, is a distinction that's much harder to make
these days (ahhh, how I miss the days of dialup... NOT). There are
plenty of people (myself included) who have cable/DSL connections at
home with IPs that change every 6 months or a year. Similarly, people
whose organizations can't justify the /20 from ARIN will have to
renumber their servers every time they change ISPs (how many
WorldCom/KPN Qwest/etc single-homed customers have switched or will
switch?) or outgrow the ridiculously puny allocation they were able to
justify from their upstream will have to change their "static" IPs. Oh,
and what about a DHCP setup that's set to allocate the same IP to a
certain MAC address? Is that static or dynamic? 

As for registration, well, let's try to avoid a mess like that created
by the mandatory glue record creation process involved in name server
registration, shall we? With the name server registration, you end up
having all kinds of unnecessary glue records floating around which
either a) drive someone crazy when they move their domain around, or b)
cause random people out there to end up having DNS queries showing up at
machines that aren't DNS servers (anyone care to guess how someone with
a "personal firewall" would react when they see the queries on port
53/udp?). Same thing with SWIP delegations and the like; sadly, there
are still all kinds of incorrect old information floating around in
these databases, and I'd rather not rely on some three year old
registration in deciding whether to trust some machine.

I admit that something non-IP-specific, like SSL certificates, to me
seem like a much more flexible long-term solution. Plus that way when
you renumber your mail server, you wouldn't need to reregister the new
IP, etc.

That said, I (and our several tens of thousands of users running their
own mail servers) would like to know how you define a "real mail
server". Is a "real mail server" a server that you've arbitrarily
decided needs a static IP? Is a "real mail server" a closed relay (if
so, someone on this list may feel insulted that his deliberately open
relay isn't "real" by your standards)? Is your "real mail server"
something operated by an organization with more than 200 accounts (in
which case, you're telling me that my mail server with 25 or so accounts
sitting in an Exodus colo with a perfectly static IP is not real?)? Etc.

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 





RE: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread Vivien M.


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
> Behalf Of Gary E. Miller
> Sent: August 21, 2002 5:57 PM
> To: Robert Blayzor
> Cc: [EMAIL PROTECTED]
> Subject: RE: IETF SMTP Working Group Proposal at smtpng.org
> 
> Uh, no.  I have seen spammers use dynamic DNS to use throw 
> away dial-ups accounts for incoming main service.

Well, that's nice... until their dynamic DNS gets promptly killed (if
they got it from us or someone responsible - I can't speak for everyone
in this industry), at which point they're back at square one with all
their email gone.

A lot of people seem to think that dynamic DNS services are a way to
cover up abuse (eg: spam, warez, etc); they're not, as a decent amount
of spammers have found out the hard way. 

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 




RE: [OT] Re: Readiness for IPV6

2002-07-09 Thread Vivien M.


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
> Behalf Of Matthew S. Hallacy
> Sent: July 9, 2002 8:28 PM
> To: [EMAIL PROTECTED]
> Subject: [OT] Re: Readiness for IPV6
> 
> 
> Pardon me:
> 
> Microsoft Windows XP [Version 5.1.2600]
> 
> C:\>command /?
> Starts a new instance of the MS-DOS command interpreter.
> 
> COMMAND [[drive:]path] [device] [/E:n] [/P] [/C string] [/MSG]
> 
> [snip rest of output]
> 
> Looks like it still claims to be the MS-DOS command 
> interpreter to me, using the 'user friendly' name of 'Command 
> Prompt' doesn't change what it is.

Pardon me:
[brand new command prompt from the WinXP command prompt button]
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Vivien>command
Microsoft(R) Windows DOS
(C)Copyright Microsoft Corp 1990-2001.

C:\DOCUME~1\VIVIEN>
C:\DOCUME~1\VIVIEN>

It looks to me like you have cmd.exe, which is a 32-bit Windoze-native
etc shell, and then you have command.com which is used to run legacy DOS
stuff. Command.com feels a _lot_ slower to me, too.

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 




RE: anybody else been spammed by "no-ip.com" yet?

2002-05-03 Thread Vivien M.


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
> Behalf Of Michael H. Warfield
> Sent: May 3, 2002 10:22 PM
> To: Vivien M.
> Cc: 'Paul Vixie'; [EMAIL PROTECTED]
> Subject: Re: anybody else been spammed by "no-ip.com" yet?
> 
> 
> 
> On Fri, May 03, 2002 at 05:08:44PM -0400, Vivien M. wrote:
[snip your total misunderstanding of the secret admirer thing, as "PS"
already posted a well-worded explanation of what I wanted to say. No
need to waste people's time repeating things in a less polite fashion]

> > Random disclaimer: Yes, we're a competitor of 
> no-ip.com's... And yes, 
> > we used to send similar emails to people signing up for an account, 
> > although nowadays instead of sending them an initial 
> password we send 
> > a confirm URL instead.
> 
>   So it appears you wised up...

How is it different whether you use an initial password or a confirm URL
to confirm? The old emails said "Here's your initial password. Log in
with it within 48 hours to confirm the account. If someone else
requested the account, do nothing and it'll be deleted along with any
trace of your email address in 48 hours." 
 
>   Yeah, I help run a system with over 100 mailing lists 
> and over 10,000 subscribers to one or more of those mailing 
> lists.  You learn. We learned YEARS ago.  No open 
> subscriptions.  Confirm everything.  We got tired of half the 
> planet subscribing Rep N. Gingrich to all of our mailing 
> lists.  We may have had really REALLY good information and 
> service, but I honestly DON'T think he was interested and 
> those 100,000 "secret admirers" really didn't think they were 
> doing him a favor.

We've been confirming every user we've had for the past three years or
so, which is pretty much how long we've been around (for the first few
months, we used a totally different system/database, but all records of
that are gone now. Every one of our users right now has a confirmed
email address.). I may be dumb, but I don't see how giving the user a
password to confirm as opposed to a random confirmation URL is being a
spammer. What one DOES with unconfirmed accounts, no matter the
confirmation method, determines whether one is a spammer, and that may
very well have been what angered Mr. Vixie with no-ip.com's email as it
didn't specify that the account would be deleted unless Mr. Vixie
actually took action to keep it.

>   The "secret admirer" thing is so rare it makes the 
> lottery look like a sure bet.  Hell!  It makes Schroeder's 
> cat look immortal.  It's an excuse and a fraud.  That's all 
> it ever was and that's all it will ever be.

Your lack of ability to read and interpret posts is even more rare than
the winning lottery combination, too, you know...

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 




RE: anybody else been spammed by "no-ip.com" yet?

2002-05-03 Thread Vivien M.


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
> Behalf Of Paul Vixie
> Sent: May 3, 2002 5:18 PM
> To: [EMAIL PROTECTED]
> Subject: Re: anybody else been spammed by "no-ip.com" yet? 
> 
> 
> 
> > I hate to sound like the big idiot here, but what exactly 
> in the email 
> > you received indicates no-ip.com spammed? It looks to me 
> like you just 
> > have some secret "admirer" who thought you wanted a 
> no-ip.com account, 
> > and no-ip.com emailed you to confirm that you do want the account.
> 
> spam is like pollution in that (a) whenever you're not sure 
> if you're doing it, you probably are, and (b) if everybody 
> did whatever it is, life would be universally worse for, 
> well, everybody.

You have a broader definition of spam than me, I guess. And yet, believe
me, I do hate spammers... 
 
> > Random disclaimer: Yes, we're a competitor of 
> no-ip.com's... And yes, 
> > we used to send similar emails to people signing up for an account, 
> > although nowadays instead of sending them an initial 
> password we send 
> > a confirm URL instead.
> 
> that's the right approach.  no-ip's problem was they presumed 
> my permission.

Well, they might have stolen that approach from us, though, in a way (at
least, it seems vaguely familiar to me)... 

The way we used to do it was this: you go to our site, read the AUP
(which has a strict no-spamming clause, but every day a few idiots
forget to read that section and find out it exists the hard way ;-)),
fill out a form with your choice of username and your email address (the
form also warns _in advance_ that we do require people to be on an
announcements mailing list, but these days we send about one email every
four months). Then our system would send you an email that says
basically "You (or someone else) requested an account at our site. If it
was you, log in within the next 48 hours with this initial password to
confirm your account. If it wasn't you, then we apologize for the
inconvenience, and the unconfirmed account, along with any reference to
your email address in our database, will be automatically deleted in 48
hours"

Isn't that the same as what no-ip.com is doing, except that they don't
have the "if you don't reply in 48 hours, we'll forget you ever
existed"? Is that the part you find to be missing in no-ip's modus
operandi?

FYI, our new approach is that you fill out choice of username, choice of
password, and email address. We send a thing to you with a confirmation
URL; if you go to that URL within 48 hours or so, great, the account
keeps existing. If not, then byebye account, and we expunge any trace of
you from the database.

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 
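
The confirmation-URL flow described in the message above, sketched as an added example (not the service's own code): an unconfirmed signup is held for 48 hours, the link works once, and anything left unconfirmed is expunged along with the e-mail address. The class name, the `signup.example` URL and the use of a hashed token are assumptions made for the illustration.

```python
import hashlib
import secrets

CONFIRM_WINDOW = 48 * 3600  # seconds; the 48-hour window from the message


def _digest(token):
    # Only the hash is stored, so a copy of the pending table cannot be
    # turned back into working confirmation links.
    return hashlib.sha256(token.encode()).hexdigest()


class SignupStore:
    """Hypothetical in-memory store for pending and confirmed accounts."""

    def __init__(self):
        self.pending = {}    # token digest -> (username, email, created_at)
        self.confirmed = {}  # username -> email

    def request_account(self, username, email, now):
        """Record an unconfirmed signup and return the URL to e-mail out."""
        token = secrets.token_urlsafe(32)
        self.pending[_digest(token)] = (username, email, now)
        return "https://signup.example/confirm?token=" + token

    def confirm(self, token, now):
        """Activate the account if the token is known and still in its window."""
        entry = self.pending.pop(_digest(token), None)  # single use
        if entry is None:
            return False
        username, email, created_at = entry
        if now - created_at > CONFIRM_WINDOW:
            return False  # too late; the entry has already been dropped
        self.confirmed[username] = email
        return True

    def purge_expired(self, now):
        """Expunge unconfirmed signups older than the window; return the count."""
        expired = [d for d, (_, _, created_at) in self.pending.items()
                   if now - created_at > CONFIRM_WINDOW]
        for d in expired:
            del self.pending[d]
        return len(expired)

    def knows_email(self, email):
        """True if the address appears anywhere in the store."""
        in_pending = any(e == email for _, e, _ in self.pending.values())
        return in_pending or email in self.confirmed.values()


if __name__ == "__main__":
    store = SignupStore()
    # Someone signs up with their own address and clicks the link an hour later.
    url = store.request_account("alice", "alice@example.org", now=0)
    print("confirmed:", store.confirm(url.split("token=")[1], now=3600))
    # A third party enters somebody else's address; the recipient ignores it.
    store.request_account("prank", "victim@example.org", now=0)
    print("purged:", store.purge_expired(now=CONFIRM_WINDOW + 1))
    print("victim still stored:", store.knows_email("victim@example.org"))
```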




RE: RoadRunner abuse?

2002-05-03 Thread Vivien M.


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
> Behalf Of Hermann Wecke
> Sent: May 3, 2002 4:44 PM
> To: [EMAIL PROTECTED]
> Cc: Mitch Halmu
> Subject: Re: RoadRunner abuse?
> 
> 
> 
> On Fri, 3 May 2002, Mitch Halmu wrote:
> 
> > Good luck. Roadrunner is a (presumed paying) MAPS customer:
> >
> >- Transcript of session follows -
> > ... while talking to vamx01.mgw.rr.com.:
> > >>> MAIL From:<[EMAIL PROTECTED]>
> > <<< 553 5.3.0 Mail from 205.159.140.2 rejected,see 
> > http://mail-abuse.org/rbl/enduser.html
> > 501 [EMAIL PROTECTED],[EMAIL PROTECTED] Data format error
> 
> 205.159.140.2 is listed as an open-relay.
> 
>http://www.mail-abuse.org/cgi-bin/lookup?205.159.140.2
>
>To see this IP removed, check
http://work-rss.mail-abuse.org/rss/howtofix.html
>(I'm seeing it is only listed at RSS and relays.osirusoft.com, so I'm
assuming it is a closed relay - isn't it?)

Stop. Think. Read NANOG archives. :)

Mr. Halmu's open relay and very conscious decision to operate such a
thing have been discussed at length before, believe me. Take a look at
the archives around
http://www.merit.edu/mail.archives/nanog/2001-05/threads.html#01127

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 




RE: anybody else been spammed by "no-ip.com" yet?

2002-05-03 Thread Vivien M.


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
> Behalf Of Paul Vixie
> Sent: May 3, 2002 11:47 AM
> To: [EMAIL PROTECTED]
> Subject: anybody else been spammed by "no-ip.com" yet?
> 
> 
> 
> as a coauthor of rfc2136, my curiosity is always
> piqued when spammers use the technology.  can i get
> private forwards of other similar messages?  (see
> below.)
> 
> (and yes, i'll also be in touch with level3, who
> serves 166.90.15.236, from whence this message came.)
> 
> (time was, anyone who could use postfix and php would
> also know better than to spam, or at least, to spam *me*. 
>  .)

[snip]

I hate to sound like the big idiot here, but what exactly in the email
you received indicates no-ip.com spammed? It looks to me like you just
have some secret "admirer" who thought you wanted a no-ip.com account,
and no-ip.com emailed you to confirm that you do want the account.

Vivien

Random disclaimer: Yes, we're a competitor of no-ip.com's... And yes, we
used to send similar emails to people signing up for an account,
although nowadays instead of sending them an initial password we send a
confirm URL instead.

-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 
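
Added example, not part of the original messages and not code from Dynamic DNS Network Services or no-ip.com: a sketch of the confirm-URL sign-up described in the disclaimer above and in the later reply in this thread (token mailed to the address, 48-hour window, unconfirmed accounts and their email addresses expunged). The class and method names and the in-memory store are assumptions, and password handling is left out.

```python
import hashlib
import hmac
import secrets

CONFIRM_WINDOW = 48 * 3600  # seconds; the 48-hour window from the thread


class PendingSignups:
    """In-memory stand-in for the accounts table (hypothetical design)."""

    def __init__(self):
        self._rows = {}  # username -> email, token_hash, created, confirmed

    def register(self, username, email, now):
        """Create an unconfirmed account; return the one-time token that
        would be embedded in the confirmation URL mailed to `email`."""
        if username in self._rows:
            raise ValueError("username taken")
        token = secrets.token_urlsafe(32)
        self._rows[username] = {
            "email": email,
            # Store only a hash, so a database leak yields no usable links.
            "token_hash": hashlib.sha256(token.encode()).hexdigest(),
            "created": now,
            "confirmed": False,
        }
        return token

    def confirm(self, username, token, now):
        """Mark the account confirmed iff the token matches inside the window."""
        row = self._rows.get(username)
        if row is None or row["confirmed"]:
            return False
        if now - row["created"] > CONFIRM_WINDOW:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, row["token_hash"]):
            return False
        row["confirmed"], row["token_hash"] = True, None  # single use
        return True

    def purge_expired(self, now):
        """Delete stale unconfirmed accounts, email address included."""
        stale = [u for u, r in self._rows.items()
                 if not r["confirmed"] and now - r["created"] > CONFIRM_WINDOW]
        for u in stale:
            del self._rows[u]
        return stale

    def knows_email(self, email):
        return any(r["email"] == email for r in self._rows.values())
```

Because nothing usable is sent until the recipient follows the link, a sign-up made by a third party with someone else's address costs that person one message, and `purge_expired` removes the address afterwards.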




RE: is your host or dhcp server sending dns dynamic updates for rfc1918?

2002-04-19 Thread Vivien M.


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
> Behalf Of Doug Barton
> Sent: April 19, 2002 2:56 PM
> To: [EMAIL PROTECTED]
> Subject: Re: is your host or dhcp server sending dns dynamic 
> updates for rfc1918?
> 
>   Also, since I operate authoritative DNS servers for our
> *mumble*BIGNUM*mumble* customers, we used to get besieged by 
> these update requests from our eager new customers who named 
> their home (or office,
> whatever) computers in their shiny new domain name. At one 
> point, the server listed in the MNAME field of the SOA got 
> more update requests than queries! My solution for this was 
> to change the MNAME field to no-dyn-updates.san.yahoo.com, 
> which resolves to the loopback address. (After overcoming 
> tremendous temptation to make it resolve to
> 207.46.138.20.) W2k's behavior here is truly horrible... it 
> sends 5 requests at startup, then keeps sending requests, 
> apparently forever, till it gets an answer it thinks it likes.

We have the same problem here; people get a shiny new hostname like
blah.dyndns.org and set their computer to that name. It starts
bombarding our servers with update attempts; I'm not the one here who
handles looking at BIND logs, but I think even a year ago or so we were
getting like 5 update attempts per second. It's probably WAY more now,
since our userbase has like doubled in a year.

We used to try to hunt the people down and get them to turn it off; we
don't anymore, there's just too many of them... It's not just Win2000,
either: ISC's DHCP client (or server?) version 3.something (might have
been a beta?) and I think WinME (and naturally, XP since it's just 2000
on steroids) have been known in the past to send us those silly
updates...

And then, there's the problem of people whose mail servers think their
domain is dyndns.org and their *NIX cron sends mail to [EMAIL PROTECTED]
instead of root on their machine, but that's an entirely different
issue... 

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/ 
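
Added example, not part of the original messages and not code from BIND or from either poster's network: one way to put a number on the unsolicited update load discussed above is to classify captured DNS payloads by the RFC 2136 UPDATE opcode and tally them per source and zone. The function names are hypothetical, and the packets and addresses are constructed sample data.

```python
import struct
from collections import Counter

OPCODE_UPDATE, TYPE_SOA = 5, 6  # RFC 2136 opcode; zone entry must be type SOA

def read_name(msg, off):
    """Read an uncompressed domain name; return (name, next_offset)."""
    labels = []
    while True:
        n = msg[off]  # IndexError if the message is truncated
        off += 1
        if n == 0:
            return ".".join(labels).lower() or ".", off
        if n & 0xC0 or off + n > len(msg):
            raise ValueError("pointer or truncated label in zone name")
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n

def update_zone(msg):
    """Return the zone an UPDATE request targets, or None for anything else."""
    try:
        _id, flags, zocount = struct.unpack("!HHH", msg[:6])
        opcode = (flags >> 11) & 0xF
        if flags & 0x8000 or opcode != OPCODE_UPDATE or zocount != 1:
            return None  # response, other opcode, or malformed zone count
        zone, off = read_name(msg, 12)
        ztype, _zclass = struct.unpack("!HH", msg[off:off + 4])
    except (IndexError, ValueError, struct.error):
        return None
    return zone if ztype == TYPE_SOA else None

def count_updates(packets):
    """Tally UPDATE requests per (source address, zone)."""
    zones = ((src, update_zone(p)) for src, p in packets)
    return Counter(k for k in zones if k[1] is not None)

def make_msg(opcode, name, rtype):
    """Build a header plus one question/zone entry (constructed input)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    header = struct.pack("!HHHHHH", 0x1234, opcode << 11, 1, 0, 0, 0)
    return header + qname + b"\0" + struct.pack("!HH", rtype, 1)

# Constructed sample traffic; addresses are documentation ranges (RFC 5737).
SAMPLE = [
    ("192.0.2.10", make_msg(5, "example.org", 6)),        # UPDATE request
    ("192.0.2.10", make_msg(5, "example.org", 6)),        # same client retrying
    ("198.51.100.7", make_msg(0, "www.example.org", 1)),  # ordinary A query
]
```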




RE: 216.119.248.0/21

2002-03-06 Thread Vivien M.


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
> Behalf Of J.D. Falk
> Sent: March 6, 2002 4:22 PM
> To: [EMAIL PROTECTED]
> Subject: 216.119.248.0/21
> 
> 
> 
>   Has ARIN begun assigning from 216 (but not updating whois), or
>   is AS16994 playing silly buggers here?  

ARIN's been assigning from 216 for something like two years now, I
think... We got some 216.* IPs from one of our upstreams like a year and
a bit ago, and I recall having seen them around for quite some time
before then.

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/