Article: IPv6 host scanning attacks

2012-06-13 Thread Fernando Gont
Folks,

TechTarget has published an article I've authored for them, entitled
"Analysis: Vast IPv6 address space actually enables IPv6 attacks".

The aforementioned article is available at:


(FWIW, it's a human-readable version of the IETF Internet-Draft I
published a month ago or so about IPv6 host scanning (see:
))

You can get "news" about this sort of stuff by following @SI6Networks on
Twitter.

Cheers,
-- 
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1






Re: EBAY and AMAZON

2012-06-13 Thread Rich Kulawiec
On Tue, Jun 12, 2012 at 11:44:44AM +, Jamie Bowden wrote:
> While MS may be a favorite whipping boy, let's not pretend that if the
> dominant OS were Apple or some flavor of *nix, things would be any better.

I've heard this argument many times, and I reject it this time as I
have before.

If popularity were the measure of relative OS security, then we would
expect to see infection rates proportional to deployment rates: thus if
operating systems A, B and C respectively accounted for 85%, 10%, and 5%
of deployments, we should see those numbers reflected in infection rates.

But we don't.  For example, passive OS fingerprinting of about a decade's
worth of spam-spewing botnets indicates that they are running Windows to
at least six 9's, quite possibly more -- which is a markedly higher
fraction than we would expect if this hypothesis were true.

Windows is not attacked because it's the most popular.  Windows is
attacked because it's the weakest.  (And yes, if it instantly disappeared --
oh happy day! -- the next-most-weakest would take its place, but at least
we would have incrementally improved the state of security.)

---rsk



Re: EBAY and AMAZON

2012-06-13 Thread Astro Dog
(Sorry for the top post. Mail client is being obnoxious.)


Why? The prevalence of malware for a given OS is going to, generally, be a
matter of most return for least work. If you're writing malware to steal
credit card numbers, say, you're much better served writing it for Windows
than you are OSX or Linux, even if it were slightly more difficult to do,
because that will get you the largest number of card numbers, simply because
more people use Windows. It's generally safe to assume that malware writers
want to target as many machines as possible, thus they will focus on Windows,
regardless of the relative ease or difficulty of the other platforms.

There is no reason to believe that the platform distribution of malware would
have a linear relationship with general usage rates or ease of exploitation,
given the motivations and methods involved.

 --- Harrison
- Original Message -
From: Rich Kulawiec
Sent: 06/13/12 06:55 AM
To: nanog@nanog.org
Subject: Re: EBAY and AMAZON

> On Tue, Jun 12, 2012 at 11:44:44AM +, Jamie Bowden wrote:
> > While MS may be a favorite whipping boy, let's not pretend that if the
> > dominant OS were Apple or some flavor of *nix, things would be any better.
>
> I've heard this argument many times, and I reject it this time as I have
> before.
>
> If popularity were the measure of relative OS security, then we would
> expect to see infection rates proportional to deployment rates: thus if
> operating systems A, B and C respectively accounted for 85%, 10%, and 5%
> of deployments, we should see those numbers reflected in infection rates.


vulnerability and popularity (was: EBAY and AMAZON)

2012-06-13 Thread Andrew Sullivan
On Wed, Jun 13, 2012 at 07:55:37AM -0400, Rich Kulawiec wrote:

> If popularity were the measure of relative OS security, then we would
> expect to see infection rates proportional to deployment rates

I don't buy that premise, or at least not without reservation.  The OS
market happens to be a superstar economy.  On desktops and laptops,
which still happen to be the majority of devices, the overwhelming
winner is Windows.  Therefore, if you are going to invest in any
product for which you want ubiquitous deployment, Windows is the first
platform you aim for.  You only aim for the others if you're chasing a
niche.

There is no reason whatever to chase a niche market if your goal is
spewing spam, collecting credit cards, or whatever.  

Perhaps fortunately, we're about to have an empirical trial of these
different possibilities.  If the above analysis is correct, then we
should expect malware targeting iOS and Android in about equal
proportions as those sorts of devices displace laptops and desktops as
the majority (though there will be some bias and therefore lag in
favour of Windows just because of the fact that people already have
tools and techniques built around Windows).  If you're right that the
primary issue is the fundamental security of the target, then perhaps
we will not see that pattern emerge.

Best,

A

-- 
Andrew Sullivan
Dyn Labs
asulli...@dyn.com




XO/DTAG Contact?

2012-06-13 Thread Tim Durack
Looking for a technical contact within XO and/or DTAG, preferably one
who can interpret a traceroute accurately :-)

Please hit me up offline.

Thanks,

-- 
Tim:>



Re: vulnerability and popularity (was: EBAY and AMAZON)

2012-06-13 Thread Aled Morris
On 13 June 2012 13:33, Andrew Sullivan  wrote:

> On Wed, Jun 13, 2012 at 07:55:37AM -0400, Rich Kulawiec wrote:
>
> > If popularity were the measure of relative OS security, then we would
> > expect to see infection rates proportional to deployment rates
>
> I don't buy that premise, or at least not without reservation.  The OS
> market happens to be a superstar economy.  On desktops and laptops,
> which still happen to be the majority of devices, the overwhelming
> winner is Windows.  Therefore, if you are going to invest in any
> product for which you want ubiquitous deployment, Windows is the first
> platform you aim for.  You only aim for the others if you're chasing a
> niche.
>


I note also that many so-called operating system vulnerabilities are
actually flaws in third-party subsystems like Flash or Java.

Unix has traditionally had a better isolation model than Windows and so
exploits via these attack vectors would be able to infiltrate the Windows
core operating system whereas on Linux or OS-X platforms, the attacks might
technically be more limited in their impact - not that this would be much
consolation to the end user.

Aled


Heads-up: spammer Scott Whittle/iptechlabs.com/iptechnologylabs.com hitting addresses harvested from NANOG list

2012-06-13 Thread Rich Kulawiec
Spammer Scott Whittle has harvested not only email addresses from the
NANOG list archives, but also Message-IDs, and is busily trying to
abuse the hell out of them.  I've seen 6 (edit: 11) (edit: 14) copies
so far this morning, and no doubt more are on the way.

He identifies himself thusly:

IP Technology Labs
Network Communications Simplified
Scott Whittle | President | T: +1 301 570 6611 x601 | M/SMS: +1 301 339 
3237 |
E: sc...@iptechnologylabs.com | W: http://iptechnologylabs.com

Although the spam itself carries a return address of

Return-Path: 

So blocking on the latter should suffice, at least for this round.

---rsk

p.s. Pro tip: proofread your spam content before sending:

"I am looking contact your Product Manager/Sales Manager regarding
possible distribution of our USA made and designed Plug-and-Play
VPN products.

We are the are a channel friendly company, can offer account
protection, and ensure your margins."




Re: vulnerability and popularity (was: EBAY and AMAZON)

2012-06-13 Thread Astro Dog
- Original Message -
From: Andrew Sullivan
Sent: 06/13/12 07:33 AM
To: nanog@nanog.org
Subject: vulnerability and popularity (was: EBAY and AMAZON)

> On Wed, Jun 13, 2012 at 07:55:37AM -0400, Rich Kulawiec wrote:
> > If popularity were the measure of relative OS security, then we would
> > expect to see infection rates proportional to deployment rates
>
> I don't buy that premise, or at least not without reservation. The OS
> market happens to be a superstar economy. On desktops and laptops, which
> still happen to be the majority of devices, the overwhelming winner is
> Windows. Therefore, if you are going to invest in any product for which
> you want ubiquitous deployment, Windows is the first platform you aim for.
> You only aim for the others if you're chasing a niche.
>
> There is no reason whatever to chase a niche market if your goal is
> spewing spam, collecting credit cards, or whatever.
>
> Perhaps fortunately, we're about to have an empirical trial of these
> different possibilities. If the above analysis is correct, then we should
> expect malware targeting iOS and Android in about equal proportions as
> those sorts of devices displace laptops and desktops as the majority
> (though there will be some bias and therefore lag in favour of Windows
> just because of the fact that people already have tools and techniques
> built around Windows). If you're right that the primary issue is the
> fundamental security of the target, then perhaps we will not see that
> pattern emerge.
>
> Best,
>
> A
> --
> Andrew Sullivan Dyn Labs asulli...@dyn.com
I'm not sure the iOS/Android situation provides a great empirical test, either.

Where a duality exists... (or something approximating one), the security
situation may play a massive role in determining what platforms malware
authors target, whereas when one platform has a massive majority, the
security environment likely plays a very small role in what platforms will
be targeted.

An added issue is the difference in how people use mobile devices versus their
"stuck to desk" counterparts. They may have less useful information or behave
in ways that are easier to exploit when using a mobile device than they would
on their PCs.

Interestingly, from the perspective of a malware author, the user-level
isolation provided by the *nix variants may make much less of a difference
than one might expect. Presumably, they're interested in either stealing
information, or sending spam. Neither one of these activities requires
administrative access. Presumably *most* users, on Windows or Linux conduct
the majority of their online transactions from a single account. An exploit
that gives them control of that user account is just as damaging, in as far
as short term stealing your information (or opening network sockets) is
concerned, as gaining root or administrative access.

Considering that, combined with the fact that it's rarely Windows itself
being exploited, but the applications and plugins themselves, it seems more
likely that a change in dominant platform would be more likely to result in
multi-platform payloads. The basic targets would probably still be the
browsers, plugins, etc, which would presumably exist on most/all of the
platforms involved.

That being said, I've rarely seen a *nix machine trashed by malware or
exploits to quite the same degree as Windows hosts.

 --- Harrison


Re: EBAY and AMAZON

2012-06-13 Thread Doug Barton
On 06/13/2012 04:55 AM, Rich Kulawiec wrote:
> But we don't.  For example, passive OS fingerprinting of about a decade's
> worth of spam-spewing botnets indicates that they are running Windows to
> at least six 9's, quite possibly more -- which is a markedly higher
> fraction than we would expect if this hypothesis were true.
> 
> Windows is not attacked because it's the most popular.  Windows is
> attacked because it's the weakest. 

Mostly right, except that it is really a weighted average of factors
including installed base (read, popularity), likely success of the
infection, likelihood of the infection being successfully detected by
the user, likelihood of the infection being removable, overall utility
of the system to the spammer once it is infected ... I'm probably
forgetting a few things.

But your basic point, it's not just about the popularity, is sound. The
cautionary tale is that merely improving one of those factors isn't
going to get the job done.

Doug



Re: IPv6 /64 links (was Re: ipv6 book recommendations?)

2012-06-13 Thread Owen DeLong

On Jun 12, 2012, at 10:47 PM, Masataka Ohta wrote:

> Dave Hart wrote:
> 
>> It is
>> not transparent when you have to negotiate an inbound path for each
>> service.
> 
> I mean, for applications, global address and global port
> numbers are visible.
> 

Showing that you don't actually understand what everyone else means when
they say "end-to-end".

>> UPnP
>> is inadequate for carrier NAT due to its model assuming the NAT trusts
>> its clients.
> 
> UPnP gateway configured with purely static port mapping needs
> no security.
> 
> Assuming shared global address of 131.112.32.132, TCP/UDP port
> 100 to 199 may be forwarded to port 100 to 199 of 192.168.1.1,
> port 200 to 299 be forwarded to port 200 to 299 of 192.168.1.2,
> ...
> 

No carrier is going to implement that for obvious reasons.

Besides, that's not transparent end-to-end, that's predictably opaque
end-to-end.

>> When TCP headers are being rewritten, it's a strong hint that
>> transparency has been lost, even if some communication remains
>> possible.
> 
> UPnP provides information for clients to restore IP and TCP
> headers from local ones back to global ones, which is visible
> to applications.
> 

But it doesn't work across multiple layers of NAT.

> See the following protocol stack.
> 
>UPnP capable NAT GW  Client
>   +-+
>   | public  |
>   |  appli- |
>   | cation  |
>  information  +-+
>+--+  for reverse translation  | public  |
>| UPnP |-->|transport|
>   +-+-+   +-+
>   | public  | private |   | private |
>   |transport|transport|   |transport|
>   +-+-++-++-+
>   | public  | private || private || private |
>   |   IP|   IP||   IP||   IP|
>   +-+---+---+
> |   privatte datalink   |   private datalink|
> +---+---+

Now, redraw the diagram for the real world scenario:

host <-> UPnP NAT <-> Carrier NAT <-> Internet <-> Carrier NAT <-> UPnP NAT <-> 
host

Tell me again how the application signaling from UPnP survives through all that 
and comes up with correct answers?

Yeah, thought so.

Owen




Re: vulnerability and popularity (was: EBAY and AMAZON)

2012-06-13 Thread Owen DeLong

On Jun 13, 2012, at 5:33 AM, Andrew Sullivan wrote:

> On Wed, Jun 13, 2012 at 07:55:37AM -0400, Rich Kulawiec wrote:
> 
>> If popularity were the measure of relative OS security, then we would
>> expect to see infection rates proportional to deployment rates
> 
> I don't buy that premise, or at least not without reservation.  The OS
> market happens to be a superstar economy.  On desktops and laptops,
> which still happen to be the majority of devices, the overwhelming
> winner is Windows.  Therefore, if you are going to invest in any
> product for which you want ubiquitous deployment, Windows is the first
> platform you aim for.  You only aim for the others if you're chasing a
> niche.
> 
> There is no reason whatever to chase a niche market if your goal is
> spewing spam, collecting credit cards, or whatever.  
> 
> Perhaps fortunately, we're about to have an empirical trial of these
> different possibilities.  If the above analysis is correct, then we
> should expect malware targeting iOS and Android in about equal
> proportions as those sorts of devices displace laptops and desktops as
> the majority (though there will be some bias and therefore lag in
> favour of Windows just because of the fact that people already have
> tools and techniques built around Windows).  If you're right that the
> primary issue is the fundamental security of the target, then perhaps
> we will not see that pattern emerge.
> 

If that were true, the webserver attacks would be aimed at windows
while the vast majority of them are aimed at IIS.

Attackers aim for the softest targets with sufficient numbers to get what
they want. When it comes to target hardness, Micr0$0ft builds porridge
in a world of thick sludgy oatmeal.

Owen




Heads up: IETF 6man poll for adoption of RA-Guard/firewalling/monitoring-related I-Ds

2012-06-13 Thread Fernando Gont
Folks,

Just wanted to send a heads up regarding two IETF 6man wg polls that
have just been started for adoption of these documents:

* draft-gont-6man-oversized-header-chain-02 (Security and
Interoperability Implications of Oversized IPv6 Header Chains)

* draft-gont-6man-nd-extension-headers-03 (Security Implications of the
Use of IPv6 Extension Headers with IPv6 Neighbor Discovery)

draft-gont-6man-oversized-header-chain-02 requires that when packets are
fragmented, the first fragment must contain the entire IPv6 header
chain. This is important for a number of reasons: it allows for
stateless filtering (both at firewalls and at RA-Guard-like devices),
prevents stateless translators from breaking, etc. The poll for this
document is available at:


draft-gont-6man-nd-extension-headers-03 forbids the use of fragmentation
with Neighbor Discovery. This essentially enables Neighbor Discovery
monitoring in IPv6, thus providing feature parity with IPv4 (think about
arpwatch and the like) -- not to mention that it obviously mitigates
fragmentation-based attacks against Neighbor Discovery and SEND. The
poll for this document is available at:


IMO, these two I-Ds propose small spec updates which could result in
concrete operational and security benefits.

Thanks!

Best regards,
-- 
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
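As an added illustration of the two rules (this is not code from either draft, nor from SI6 Networks), here is a stateless check in Python that a firewall or RA-Guard-like device could apply to one packet on its own: walk the Next Header chain, require a first fragment to carry the chain up to and including the upper-layer header, and reject Neighbor Discovery messages that arrive with a Fragment Header. The sample packets are constructed by hand; the minimum upper-layer header sizes and the "hand non-first fragments to the fragment policy" decision are assumptions, not something the drafts prescribe.

```python
"""Stateless IPv6 header-chain check, as a filter or RA-Guard-like device
could apply it to a single packet.

Added example, not code from the drafts or from SI6 Networks. Two rules:
  1. a first fragment must carry the entire header chain, including the
     upper-layer header (draft-gont-6man-oversized-header-chain);
  2. Neighbor Discovery messages must not be fragmented
     (draft-gont-6man-nd-extension-headers).
All packets below are constructed; UPPER_MIN_LEN and the treatment of
non-first fragments are assumptions.
"""
import struct

IPV6_HDR_LEN = 40
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, AH, ESP, NO_NEXT = 0, 43, 44, 60, 51, 50, 59
TCP, UDP, ICMPV6 = 6, 17, 58
ND_TYPES = {133, 134, 135, 136, 137}          # RS, RA, NS, NA, Redirect
UPPER_MIN_LEN = {TCP: 20, UDP: 8, ICMPV6: 8}  # assumed fixed header sizes


def walk_chain(pkt):
    """Follow Next Header pointers from the fixed IPv6 header.

    Returns (upper_layer_proto, offset, frag); frag is None or
    (fragment_offset, more_fragments). upper_layer_proto is None when the
    chain runs past the bytes we hold, or when this is a non-first fragment
    (whose payload is not header chain at all)."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, frag = pkt[6], IPV6_HDR_LEN, None
    while True:
        if nh in (HOP_BY_HOP, ROUTING, DEST_OPTS, AH):
            if off + 2 > len(pkt):
                return None, off, frag
            # Hdr Ext Len: 8-octet units not counting the first 8 (RFC 2460);
            # for AH: 4-octet units, "minus 2" (RFC 4302).
            length = (pkt[off + 1] + 2) * 4 if nh == AH else (pkt[off + 1] + 1) * 8
            nh, off = pkt[off], off + length
        elif nh == FRAGMENT:
            if off + 8 > len(pkt):
                return None, off, frag
            word = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            frag = (word >> 3, word & 1)
            nh, off = pkt[off], off + 8
            if frag[0] != 0:          # non-first fragment: no chain to inspect
                return None, off, frag
        else:                         # ESP, No Next Header, or an upper layer
            return nh, off, frag


def filter_decision(pkt):
    """Return 'pass' or a 'drop: ...' reason for one packet, without state."""
    nh, off, frag = walk_chain(pkt)
    if frag is not None and frag[0] != 0:
        return "pass"   # assumed policy: non-first fragments go to the fragment rules
    if nh is None or (nh not in (ESP, NO_NEXT) and off + UPPER_MIN_LEN.get(nh, 0) > len(pkt)):
        return "drop: incomplete header chain"
    if nh == ICMPV6 and frag is not None and pkt[off] in ND_TYPES:
        return "drop: fragmented neighbor discovery"
    return "pass"


# --- constructed sample packets -------------------------------------------
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")


def ipv6(next_header, payload):
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + SRC + DST + payload


def frag_hdr(next_header, offset, more):
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | more, 0x1234)


def dest_opts(next_header):
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])   # 8 bytes, one PadN option


TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)  # 20-byte SYN
NS_HDR = struct.pack("!BBHI", 135, 0, 0, 0) + DST                                # Neighbor Solicitation

SAMPLES = {
    "plain_tcp": ipv6(TCP, TCP_HDR),
    "first_frag_full_chain": ipv6(FRAGMENT, frag_hdr(TCP, 0, 1) + TCP_HDR + b"A" * 8),
    "first_frag_split_chain": ipv6(FRAGMENT, frag_hdr(DEST_OPTS, 0, 1) + dest_opts(TCP)),
    "truncated_dest_opts": ipv6(DEST_OPTS, bytes([TCP, 3])),
    "fragmented_ns": ipv6(FRAGMENT, frag_hdr(ICMPV6, 0, 1) + NS_HDR),
    "plain_ns": ipv6(ICMPV6, NS_HDR),
    "later_fragment": ipv6(FRAGMENT, frag_hdr(TCP, 185, 0) + b"B" * 16),
}


def run_samples():
    return {name: filter_decision(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:24s} {verdict}")
```

The "first_frag_split_chain" sample is the case the first draft targets: the fragment carries a Destination Options header whose Next Header says TCP, but the TCP header itself lives in the next fragment, so a stateless device cannot apply a port-based rule to it. The "fragmented_ns" sample is the second draft's case; a plain Neighbor Solicitation passes here and is left to RA-Guard or ND monitoring.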






Re: Heads-up: spammer Scott Whittle/iptechlabs.com/iptechnologylabs.com hitting addresses harvested from NANOG list

2012-06-13 Thread Randy Bush
> Spammer Scott Whittle has harvested not only email addresses from the
> NANOG list archives, but also Message-IDs

and draft-...@ietf.org addresses

randy



Re: Whither Cometh BCP38?

2012-06-13 Thread Justin M. Streiner

On Mon, 11 Jun 2012, Mikael Abrahamsson wrote:

> This is for IPv4, for IPv6 we're back 10 years again with very lacking
> support.


Amen to that.  At first glance, building IPv6 ACLs/firewall rules/filters 
isn't much different from building IPv4 equivalents in many environments, 
but there are lots of vendor-specific 'gotcha's out there that make for 
more work to get to a point of sanity with IPv6.  To be fair, at the 
application level, things are still pretty similar - the sun still rises 
in the east, HTTP still normally works on well-known destination port 
tcp/80, etc.


Examples:
1. Junos firewall filters can be bypassed in some cases with appropriately 
crafted extension headers, depending on how the filter is built.  In the 
case of border ingress/egress filters, which are often written in a "deny 
specific types of traffic, but permit everything else" fashion, re-working 
the order of the filter elements is often not practical.


2. Cisco's handling of ICMPv6 on the ASA platform still seems a bit 
'green' to me.  Hopefully the kinks will get worked out as everyone 
(vendors included) get more operational experience with IPv6.  I'm basing 
this on my efforts to develop a set of basic firewall rules for our IPv6 
deployment templates, with the goal being to allow necessary ICMPv6 
traffic through, while limiting the exposure of the hosts behind the 
firewall.  A lot of this has been based on RFC 4890 as a starting point.


3. Some devices leak link-local traffic beyond the link, in violation of 
RFC 4192, sec 2.5.6.  This can have implications for filter/acl/ruleset 
design, since the assumption that devices will always 'do the right thing' 
with link-local traffic is not valid.


jms



Re: Heads-up: spammer Scott Whittle/iptechlabs.com/iptechnologylabs.com hitting addresses harvested from NANOG list

2012-06-13 Thread Patrick W. Gilmore
On Jun 13, 2012, at 10:12 , Randy Bush wrote:

>> Spammer Scott Whittle has harvested not only email addresses from the
>> NANOG list archives, but also Message-IDs
> 
> and draft-...@ietf.org addresses

Is his upstream, or the upstream of his hosting provider, on NANOG or IETF?

Or is he using a botnet?

(I got a couple dozen, but deleted them.)

-- 
TTFN,
patrick




Re: IPv6 /64 links (was Re: ipv6 book recommendations?)

2012-06-13 Thread valdis . kletnieks
On Wed, 13 Jun 2012 14:47:35 +0900, Masataka Ohta said:
> Dave Hart wrote:

> > is inadequate for carrier NAT due to its model assuming the NAT trusts
> > its clients.
>
> UPnP gateway configured with purely static port mapping needs
> no security.
>
> Assuming shared global address of 131.112.32.132, TCP/UDP port
> 100 to 199 may be forwarded to port 100 to 199 of 192.168.1.1,
> port 200 to 299 be forwarded to port 200 to 299 of 192.168.1.2,

And you tell the rest of the world that customer A's SMTP port is on
125, and B's is on 225, and Z's is up at 2097, how?

(Hint - we haven't solved that problem for NAT yet, it's one of the big
reasons that NAT breaks stuff)

(Totally overlooking the debugging issues that arise when a customer tries
to run a combination of applications that in aggregate have 101 ports open..)





Re: Article: IPv6 host scanning attacks

2012-06-13 Thread Dave Hart
On Wed, Jun 13, 2012 at 6:52 AM, Fernando Gont  wrote:
> Folks,
>
> TechTarget has published an article I've authored for them, entitled
> "Analysis: Vast IPv6 address space actually enables IPv6 attacks".
>
> The aforementioned article is available at:
> 

"published" and "available" are misleading at best.  The article is
teased with a sentence and a half, truncated by a demand for an email
address with tiny legalese mentioning a privacy policy and terms of
use that undoubtedly would take far longer to read than Gont's
valuable content.

> (FWIW, it's a human-readable version  of the IETF Internet-Draft I
> published a month ago or so about IPv6 host scanning (see:
> ))

I guess I'll take a look at this to see what you're smoking.

> You can get "news" about this sort of stuff by following @SI6Networks on
> Twitter.

"news" in quotes is appropriate given it's really eyeball harvesting
for marketing purposes.

Cheers,
Dave Hart



Re: Heads-up: spammer Scott Whittle/iptechlabs.com/iptechnologylabs.com hitting addresses harvested from NANOG list

2012-06-13 Thread Chris Boyd

On Jun 13, 2012, at 10:56 AM, Patrick W. Gilmore wrote:
> Is his upstream, or the upstream of his hosting provider, on NANOG or IETF?

My sample came via GoDaddy:

Return-Path: 
Received: from p3plsmtps2ded01-02.prod.phx3.secureserver.net 
(p3plsmtps2ded01.prod.phx3.secureserver.net [208.109.80.58])
by gandalf.gizmopartners.com (8.14.3/8.14.3) with SMTP id q5D5ERPD029411
for ; Wed, 13 Jun 2012 00:14:58 -0500 (CDT)
(envelope-from scott.whit...@iptechlabs.com)

--Chris




Re: EBAY and AMAZON

2012-06-13 Thread Barry Shein

On June 12, 2012 at 12:33 wa...@staff.msen.com (Michael R. Wayne) wrote:
 > On Tue, Jun 12, 2012 at 11:44:44AM +, Jamie Bowden wrote:
 > > 
 > > While MS may be a favorite whipping boy, let's not pretend that if the 
 > > dominant OS were Apple or some flavor of *nix, things would be any better. 
 > >  

That assumes the security architectures of all these OS's is similar
which is simply not true.

There have been security flaws in Microsoft OS's which led to the
spread of malware which would have been almost impossible on any
unix-like operating system.

One of the biggest problems was creating the first and often only user
on MS systems with administrator privileges allowing any piece of
software they ran to do anything on the system.

Even Microsoft recognized this to be a huge flaw beginning with Vista,
no need to be more catholic than the pope.

The problem at this point is that even with improvements in newer
Windows systems there are probably on the order of a billion systems
out there, attached to the net, and still running these deeply flawed
OS's which can be taken over by just clicking on the wrong mail
message.

-- 
-Barry Shein

The World  | b...@theworld.com   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada
Software Tool & Die| Public Access Internet | SINCE 1989 *oo*



Re: Article: IPv6 host scanning attacks

2012-06-13 Thread Fernando Gont
On 06/13/2012 02:28 PM, Dave Hart wrote:

>> The aforementioned article is available at: 
>> 
>
>> 
> "published" and "available" are misleading at best. 

It is not. Just scroll down the page, and you'll find the whole article
-- it was easier to talk crap than to do that, right?


> The article is 
> teased with a sentence and a half, truncated by a demand for an
> email address with tiny legalese mentioning a privacy policy and
> terms of use that undoubtedly would take far longer to read than
> Gont's valuable content.

You don't need to read that to scroll the page down past it.


>> (FWIW, it's a human-readable version  of the IETF Internet-Draft I 
>> published a month ago or so about IPv6 host scanning (see: 
>> ))
> 
> I guess I'll take a look at this to see what you're smoking.

I find it amazing the number of people that will talk crap when one
publishes something when compared to the number of people that provide
technical comments or criticism (even if it's "you're completely wrong
because of this and that").

Read the article. Have something to add or complain about the technical
contents? -- Do it. But otherwise try to keep a good signal/noise ratio,
please.


>> You can get "news" about this sort of stuff by following
>> @SI6Networks on Twitter.
> 
> "news" in quotes is appropriate given it's really eyeball harvesting 
> for marketing purposes.

Please do the math regarding the number of posts/tweets announcing
publications to the number of posts/tweets doing marketing (probably
just those about trainings). Then comment.

Cheers,
-- 
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1






Re: LinkedIn password database compromised

2012-06-13 Thread Phil Pishioneri

On 6/8/12 7:22 PM, Luke S. Crawford wrote:

> I haven't found any way that is as simple and as portable as using
> ssh that works in a web browser.


The Enigform Firefox Add-on (plus mod_openpgp on Apache httpd) seems 
similar:


http://wordpress.org/extend/plugins/wp-enigform-authentication/


Enigform is a Firefox Add-On which uses OpenPGP to digitally sign
outgoing HTTP requests and Securely login to remote web sites, as long
as the remote web server is Enigform-compliant.


-Phil



Re: EBAY and AMAZON

2012-06-13 Thread JC Dill

On 13/06/12 5:17 AM, Astro Dog wrote:

> (Sorry for the top post. Mail client is being obnoxious.)
>
> Why? The prevalence of malware for a given OS is going to, generally, be a
> matter of most return for least work.
> If you're writing malware to steal credit card numbers, say, you're much
> better served writing it for Windows than you are OSX or Linux,


Really?  I'm positive that there are far more credit card numbers stored 
on various flavors of *nix systems (web servers) than windows systems.  
And you only have to crack one to get a plethora of credit card numbers.


If both flavors were equally easy to exploit, according to your theory 
above we would see more exploits on the *nix servers.  Yet server-side 
exploits are seen on Windows servers far more often than *nix servers, 
despite the fact that more web pages are served by *nix servers than 
Windows servers.


I'm really surprised to see this "Windows is more popular, that's why 
it's exploited more often" misinformation being spewed on a technical 
list like NANOG.  I thought people here had more clue.


jc





Re: Heads-up: spammer Scott Whittle/iptechlabs.com/iptechnologylabs.com hitting addresses harvested from NANOG list

2012-06-13 Thread Patrick W. Gilmore
On Jun 13, 2012, at 13:30 , Chris Boyd wrote:
> On Jun 13, 2012, at 10:56 AM, Patrick W. Gilmore wrote:

>> Is his upstream, or the upstream of his hosting provider, on NANOG or IETF?
> 
> My sample came via GoDaddy:

GoDaddy is not blind to these problems.

Has anyone asked them to look into this?

-- 
TTFN,
patrick




Re: EBAY and AMAZON

2012-06-13 Thread Dave Hart
On Wed, Jun 13, 2012 at 5:36 PM, Barry Shein  wrote:
>  > On Tue, Jun 12, 2012 at 11:44:44AM +, Jamie Bowden wrote:
>  > > While MS may be a favorite whipping boy, let's not pretend that if the 
> dominant OS were Apple or some flavor of *nix, things would be any better.
>
> That assumes the security architectures of all these OS's is similar
> which is simply not true.

You're right.  Windows has an architecture that's easier to secure,
with auditing, ACLs, and capabilities ("privileges") part of every
NT-derived release.  This means everything interesting doesn't have to
be "root", for which there is no equivalent in Windows -- no magic
user which bypasses access checks.

> There have been security flaws in Microsoft OS's which led to the
> spread of malware which would have been almost impossible on any
> unix-like operating system.
>
> One of the biggest problems was creating the first and often only user
> on MS systems with administrator privileges allowing any piece of
> software they ran to do anything on the system.

Is it not common to install unix-like operating systems similarly,
with setup completed after a root password is chosen but before any
human-named accounts are created?

I'm not impartial, I once worked for the architect of NT's security.
Discount my opinion appropriately.  My opinion is 20 years of
hardening have likely made Windows a tougher nut to crack than other
mass-market OSes.  It could hardly be otherwise -- there have been
large piles of money fueling a free market in 0-day Windows exploits
for many years now.  Windows has grown over that time, of course, and
more code means more holes, but other OSes have been growing as well.
Meanwhile, the most security-sensitive parts of Windows have been slower
to change and grow.

Yes, Windows evolved from an essentially security-ignorant single-user
environment.  Unix evolved from an essentially security-ignorant
multiuser environment.  The baseline of unix security with magic root,
setuid apps, and primitive access permissions is nonetheless inferior
to the baseline of NT-derived Windows.  There are varying degrees of
ACL support in some unix-like systems, and wide support for
capabilities that allow services to start as a non-root user, or "drop
root" after starting as such.  There is not, across the POSIX world, a
strong security infrastructure that can be relied on to be universal.
On the other hand, with the death in the wild of the Windows 9x/ME
house of cards, today Windows does provide that universal security
infrastructure.

Unix systems can be secured.  So can Windows systems.  No OS can
simultaneously provide lazy users with power tools and completely
protect those users from self-injury.  Security costs overhead for
too-often no perceived benefit until someone gets hurt.  When you are
forced to deal with it, it's nice to have the best in class
infrastructure under your feet.

Cheers,
Dave Hart



Re: Article: IPv6 host scanning attacks

2012-06-13 Thread Dave Hart
On Wed, Jun 13, 2012 at 5:42 PM, Fernando Gont wrote:
> On 06/13/2012 02:28 PM, Dave Hart wrote:
>
>>> The aforementioned article is available at:
>>> 
>>
>>>
>> "published" and "available" are misleading at best.
>
> It is not. Just scroll down the page, and you'll find the whole article.
> -- it was easy to talk crap than to do that, right?

Yes, I'm an idiot for believing what I read on that site:

"Requires Free Membership to View"

Of course I should have expected that means "scroll past me and the
page of whitespace to view."

>>> (FWIW, it's a human-readable version  of the IETF Internet-Draft I
>>> published a month ago or so about IPv6 host scanning (see:
>>> ))
>>
>> I guess I'll take a look at this to see what you're smoking.
>
> I find it amazing the number of people that will talk crap when one
> publishes something when compared to the number of people that provide
> technical comments or criticism (even if it's "you're completely wrong
> because of this and that").

The draft and the article raise valid points about the predictability
of widely-used MAC-derived IIDs, but it does not in any way justify
the headline "Analysis: Vast IPv6 address space actually enables IPv6
attacks."  Whoever wrote that should share their stash.

Cheers,
Dave Hart



Re: EBAY and AMAZON

2012-06-13 Thread valdis . kletnieks
On Wed, 13 Jun 2012 11:08:25 -0700, JC Dill said:

> If both flavors were equally easy to exploit, according to your theory
> above we would see more exploits on the *nix servers.  Yet server-side
> exploits are seen on Windows servers far more often than *nix servers,
> despite the fact that more web pages are served by *nix servers than
> Windows servers.

I suspect the *real* issue is that for really large systems, it's not so much
"exploits" as "one-off customized attacks".  The chances of pwning Bank
of America with an off-the-shelf attack are pretty low - but finding a blind
SQL injection and leveraging it are a bit higher.

And given all the 'XYZ got pwned' news stories, I suspect that in fact
the *nix boxes *are* being attacked - just not with COTS attack tools.




Re: EBAY and AMAZON

2012-06-13 Thread Barry Shein

On June 13, 2012 at 18:20 daveh...@gmail.com (Dave Hart) wrote:
 > On Wed, Jun 13, 2012 at 5:36 PM, Barry Shein  wrote:
 > >  > On Tue, Jun 12, 2012 at 11:44:44AM +, Jamie Bowden wrote:
 > >  > > While MS may be a favorite whipping boy, let's not pretend that if 
 > > the dominant OS were Apple or some flavor of *nix, things would be any 
 > > better.
 > >
 > > That assumes the security architectures of all these OS's is similar
 > > which is simply not true.
 > 
 > You're right.  Windows has an architecture that's easier to secure,

It didn't occur to me that the original comment was referring to
professionally secured sites only.

I think one of the huge complaints about Windows systems is their
appearance by the tens of millions in botnets which tend to be a
problem with non-professionally run systems.

 > with auditing, ACLs, and capabilities ("privileges") part of every
 > NT-derived release.  This means everything interesting doesn't have to
 > be "root", for which there is no equivalent in Windows -- no magic
 > user which bypasses access checks.
 > 
 > > There have been security flaws in Microsoft OS's which led to the
 > > spread of malware which would have been almost impossible on any
 > > unix-like operating system.
 > >
 > > One of the biggest problems was creating the first and often only user
 > > on MS systems with administrator privileges allowing any piece of
 > > software they ran to do anything on the system.
 > 
 > Is it not common to install unix-like operating systems similarly,
 > with setup completed after a root password is chosen but before any
 > human-named accounts are created?

Apparently not, given the relative absence of un*x (which includes for
example MacOS and Linux) systems in being pwned by clicking "open this
attachment" in an email message.

But the worst from Windows was the decades when they allowed any app
to inject code into the kernel typically for graphics speed-up. Which
of course could be any code, and that any code could own the system
instantly.

The rest is talking around the actual, measurable problem of botnets etc.

Where do you think all that spam which pounds your mailbox
relentlessly comes from? Botted Windows systems.

I don't think saying that a professionally secured Windows 8 release
candidate is much better than past systems when we're suffering under
excuses or even mitigates the situation.

The worst is that many of those features which made Windows so
insecure were not removed because they provided marketing advantage
(e.g., making any user admin, injecting graphics code for app
speed-up.)

So MS agonized for years about how to deal with this and not cut into
their or their favored vendors' profit model while the rest of the net
suffered gabillions of dollars in damage.

MS, in effect, made many tens of billions on the flaws in their OS's,
at the expense of everyone else.

(I'm done but I'll leave the rest of the msg...)

 > I'm not impartial, I once worked for the architect of NT's security.
 > Discount my opinion appropriately.  My opinion is 20 years of
 > hardening have likely made Windows a tougher nut to crack than other
 > mass-market OSes.  It could hardly be otherwise -- there have been
 > large piles of money fueling a free market in 0-day Windows exploits
 > for many years now.  Windows has grown over that time, of course, and
 > more code means more holes, but other OSes have been growing as well.
 > Meanwhile, the most security-sensitive parts of Windows have been slower to
 > change and grow.
 > 
 > Yes, Windows evolved from an essentially security-ignorant single-user
 > environment.  Unix evolved from an essentially security-ignorant
 > multiuser environment.  The baseline of unix security with magic root,
 > setuid apps, and primitive access permissions are nonetheless inferior
 > to the baseline of NT-derived Windows.  There are varying degrees of
 > ACL support in some unix-like systems, and wide support for
 > capabilities that allow services to start as a non-root user, or "drop
 > root" after starting as such.  There is not, across the POSIX world, a
 > strong security infrastructure that can be relied on to be universal.
 > On the other hand, with the death in the wild of the Windows 9x/ME
 > house of cards, today Windows does provide that universal security
 > infrastructure.
 > 
 > Unix systems can be secured.  So can Windows systems.  No OS can
 > simultaneously provide lazy users with power tools and completely
 > protect those users from self-injury.  Security costs overhead for
 > too-often no perceived benefit until someone gets hurt.  When you are
 > forced to deal with it, it's nice to have the best in class
 > infrastructure under your feet.
 > 
 > Cheers,
 > Dave Hart

-- 
-Barry Shein

The World  | b...@theworld.com   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada
Software Tool & Die| Public Access Internet | SINCE 1

Re: LinkedIn password database compromised

2012-06-13 Thread Grant Ridder
Hi Everyone,

I thought that i would share an IEEE article about LinkedIn and eHarmony.

http://spectrum.ieee.org/riskfactor/telecom/security/linkedin-and-eharmony-hacked-8-million-passwords-taken/?utm_source=computerwise&utm_medium=email&utm_campaign=061312


-Grant

On Wed, Jun 13, 2012 at 1:05 PM, Phil Pishioneri  wrote:

> On 6/8/12 7:22 PM, Luke S. Crawford wrote:
>
>> I haven't found any way that is as simple and as portable as using
>> ssh that works in a web browser.
>>
>
> The Enigform Firefox Add-on (plus mod_openpgp on Apache httpd) seems
> similar:
>
> http://wordpress.org/extend/plugins/wp-enigform-authentication/
>
>  Enigform is a Firefox Add-On which uses OpenPGP to digitally sign
>> outgoing HTTP requests and Securely login to remote web sites, as long
>> as the remote web server is Enigform-compliant.
>>
>
> -Phil
>
>


RE: Article: IPv6 host scanning attacks

2012-06-13 Thread STARNES, CURTIS
It seems I saw that title come through in an article somewhere, but I have a slight 
problem with stating that "Vast IPv6 address space actually enables IPv6 
attacks".

Going from an IPv4 32 bit address space to a IPv6 128 bit address space like 
you mentioned in the article would be a tedious effort to scan.

But you also make the following assumptions:

A number of options are available for selecting the Interface ID (the 
low-order 64 bits of an IPv6 address), including:
.Embed the MAC address;
.Employ low-byte addresses;
.Embed the IPv4 address;
.Use a "wordy" address;
.Use a privacy or temporary address;
.Rely on a transition or coexistence technology.
 
Unfortunately, each of these options reduces the potential search 
space, making IPv6 host-scanning attacks easier and potentially more successful.


That sounds fine and dandy but in reality, Internet facing IPv6 native or 
dual-stack systems that are installed with any security forethought at all 
would not embed any of these options with the exception of the last one 
(transitional or coexistence) only if forced to do so.

I agree that some IPv6 addresses are set up to have catchy names, but why set 
up hundreds or even thousands of IPv6 addresses with IPv6 addresses that you 
try to remember like we did with IPv4?

I will also concede that Microsoft has not helped with issuing multiple IPv6 
addresses using "privacy" settings even if a static IPv6 address is set.

In general, I just don't agree with your conclusions, and with proper IPv6 
firewall rules, the network should still be as secure as the IPv4 systems.  Not 
more insecure just because they run an IPv6 stack.


Curtis

-Original Message-
From: Dave Hart [mailto:daveh...@gmail.com] 
Sent: Wednesday, June 13, 2012 12:29 PM
To: Fernando Gont
Cc: NANOG
Subject: Re: Article: IPv6 host scanning attacks

On Wed, Jun 13, 2012 at 6:52 AM, Fernando Gont  wrote:
> Folks,
>
> TechTarget has published an article I've authored for them, entitled
> "Analysis: Vast IPv6 address space actually enables IPv6 attacks".
>
> The aforementioned article is available at:
>  pace-actually-enables-IPv6-attacks>

"published" and "available" are misleading at best.  The article is teased with 
a sentence and a half, truncated by a demand for an email address with tiny 
legalese mentioning a privacy policy and terms of use that undoubtedly would 
take far longer to read than Gont's valuable content.

> (FWIW, it's a human-readable version  of the IETF Internet-Draft I 
> published a month ago or so about IPv6 host scanning (see:
> ))

I guess I'll take a look at this to see what you're smoking.

> You can get "news" about this sort of stuff by following @SI6Networks 
> on Twitter.

"news" in quotes is appropriate given it's really eyeball harvesting for 
marketing purposes.

Cheers,
Dave Hart




Flame virus

2012-06-13 Thread Grant Ridder
Hi Everyone,

I realize this is not directly network related, but i thought i would pass
the article along anyways.  The authors of the Flame virus have started to
destroy its existence.

http://spectrum.ieee.org/riskfactor/telecom/security/flame-ordered-to-flame-out/?utm_source=computerwise&utm_medium=email&utm_campaign=061312

-Grant


Re: very confusing.

2012-06-13 Thread Randy Bush
NANOG, i strongly desire to restrain this slimeball idiot's trade.
please tell me if you have any ideas on how to do so.

---

> Be advised that I'm following your posts and have your threatening
> messages to me.  If there is a DDoS or restraint of trade due to my
> ACCIDENTAL email I'll escalate to commerce and FBI.

LOL.  you are not only a slimeball (who the ietf and nanog admins are
scraping out), but an idiot.

but do please tell me how i can restrain your trade.  would love to
discuss your spam with the DoC and FBI.

randy



Re: very confusing.

2012-06-13 Thread Richard Golodner
On Thu, 2012-06-14 at 07:05 +0900,
> ACCIDENTAL email

How can my company get six accidental emails? Not even an idiot sends
six emails by mistake. 

Spammertechnology labs is more like it.




Re: very confusing.

2012-06-13 Thread Nick Hilliard
>> Be advised that I'm following your posts and have your threatening
>> messages to me.  If there is a DDoS or restraint of trade due to my
>> ACCIDENTAL email I'll escalate to commerce and FBI.

1. spam a big pile of network operators
2. threaten legals on aforementioned prospective customers
3. profit!!11!!

awesome.

Nick



Re: very confusing.

2012-06-13 Thread jim deleskie
Accidental, he didn't mean to get caught :)

On Wed, Jun 13, 2012 at 7:10 PM, Richard Golodner
 wrote:
> On Thu, 2012-06-14 at 07:05 +0900,
>> ACCIDENTAL email
>
> How can my company get six accidental emails? Not even an idiot sends
> six emails by mistake.
>
> Spammertechnology labs is more like it.
>
>



Re: very confusing.

2012-06-13 Thread Mark Andrews

In message <4fd91056.3030...@foobar.org>, Nick Hilliard writes:
> >> Be advised that I'm following your posts and have your threatening
> >> messages to me.  If there is a DDoS or restraint of trade due to my
> >> ACCIDENTAL email I'll escalate to commerce and FBI.
> 
> 1. spam a big pile of network operators
> 2. threaten legals on aforementioned prospective customers
> 3. profit!!11!!
> 
> awesome.
> 
> Nick
 
Complain to your Congress and House Representatives that CAN-SPAM
is too unbalanced.  The current US law lets you get away with single
shots.  It should be an offence to send to someone you don't have
consent from.  Look at the Australian SPAM act for a more balanced
act.

As long as US law allows companies to harvest addresses and send
to them this sort of thing will continue to happen.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: Article: IPv6 host scanning attacks

2012-06-13 Thread Fernando Gont
On 06/13/2012 03:37 PM, Dave Hart wrote:
>>> "published" and "available" are misleading at best.
>>
>> It is not. Just scroll down the page, and you'll find the whole article.
>> -- it was easier to talk crap than to do that, right?
> 
> Yes, I'm an idiot for believing what I read on that site:
> 
> "Requires Free Membership to View"
> 
> Of course I should have expected that means "scroll past me and the
> page of whitespace to view."

I wouldn't "announce" the publication of an article that implies the
hassle of a registration in order to read it.

While it's certainly not "as good as it can get" to have a banner saying
"require free membership to view" inserted in the middle of the article
body, it's still "acceptable" for me. (Since you're not the first one to
think that the article was not free, next time I'll probably make this
explicit such that possible trouble is avoided).



>> I find it amazing the number of people that will talk crap when one
>> publishes something when compared to the number of people that provides
>> technical comments or criticism (even if it's "you're completely wrong
>> because of this and that).
> 
> The draft and the article raise valid points about the predictability
> of widely-used MAC-derived IIDs, but it does not in any way justify
> the headline "Analysis: Vast IPv6 address space actually enables IPv6
> attacks."  Whoever wrote that should share their stash.

FWIW, the headline was replaced prior to publication. Put another way: I
agree with your comment regarding the headline.

Cheers,
-- 
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1






Re: very confusing.

2012-06-13 Thread Charles Morris
Don't get me wrong, I greatly dislike spam, but next thing you know it
will be against the law to send packets to someone you don't have
consent from...
or hand out pamphlets / talk to someone on the street you don't have
consent from...

I figure the solution here that fits with the best interests of the
people, or really with any internet problem,
is a defensive or cryptographic one; instead of an offensive or
law-based punitive solution.

e.g. Requiring proof-of-work headers for email that doesn't want a
speedy descent into /dev/null
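The "proof-of-work headers" idea above is Hashcash: the sender burns CPU to find a stamp whose hash starts with a required number of zero bits, and the receiver verifies it in one hash. The code below is an added example, not from the post or from any mail software; the header layout follows Hashcash v1 (`1:<bits>:<YYMMDD>:<recipient>::<random>:<counter>`), and the header name, the 28-day freshness window and the recipient addresses are assumptions for illustration.

```python
import hashlib
import secrets
from datetime import datetime, timezone
from typing import Optional, Set, Tuple

# Added example of a Hashcash-style proof-of-work stamp for mail.
# Assumed header value layout (Hashcash v1):
#   1:<bits>:<YYMMDD>:<recipient>::<random>:<counter>
# A stamp is valid when SHA-1 over the whole string starts with <bits> zero bits.


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
        else:
            n += 8 - byte.bit_length()
            break
    return n


def _utc_today() -> datetime:
    return datetime.now(timezone.utc).replace(tzinfo=None)


def mint_stamp(recipient: str, bits: int = 20, date_yymmdd: Optional[str] = None) -> str:
    """Sender side: brute-force a counter until the stamp carries `bits` bits of work.

    Expected cost is 2**bits SHA-1 calls, so a normal sender pays a fraction of a
    second per message while a bulk mailer pays that per recipient.
    """
    date_yymmdd = date_yymmdd or _utc_today().strftime("%y%m%d")
    rand = secrets.token_hex(8)
    counter = 0
    while True:
        stamp = f"1:{bits}:{date_yymmdd}:{recipient}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify_stamp(stamp: str, recipient: str, min_bits: int, seen: Set[str],
                 today_yymmdd: Optional[str] = None, max_age_days: int = 28) -> Tuple[bool, str]:
    """Receiver side: cheap checks first, the hash next, the double-spend check last."""
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1":
        return False, "malformed"
    try:
        bits = int(parts[1])
        issued = datetime.strptime(parts[2], "%y%m%d")
    except ValueError:
        return False, "malformed"
    if bits < min_bits:
        return False, "difficulty too low"
    if parts[3] != recipient:
        return False, "wrong recipient"   # a stamp minted for someone else buys nothing here
    today = datetime.strptime(today_yymmdd, "%y%m%d") if today_yymmdd else _utc_today()
    if abs((today - issued).days) > max_age_days:
        return False, "expired"           # bounds the size of the double-spend database
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < bits:
        return False, "insufficient work"
    if stamp in seen:
        return False, "replayed"          # same stamp presented twice
    seen.add(stamp)
    return True, "ok"


if __name__ == "__main__":
    db: Set[str] = set()
    s = mint_stamp("ops@example.net", bits=16)
    print(s, verify_stamp(s, "ops@example.net", 16, db))
    print(verify_stamp(s, "ops@example.net", 16, db))   # second delivery of the same stamp
```

The order of checks matters: the recipient and date comparisons cost nothing, so a receiver can drop most junk before spending a hash, and the replay set only needs to hold stamps from the freshness window. The scheme does not stop a botnet, which has free CPU, which is the usual objection to it.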



Re: very confusing.

2012-06-13 Thread Randy Epstein
Folks,

This content is great .. for another list.  I know you're not happy with
receiving unsolicited mail, and yes, it's likely your addresses were
scraped from either the mailing list itself or various archives that are
kept, but this list is not the best place to discuss this.

Please refrain from these types of discussions on the NANOG mailing list.
We are doing everything in our power to keep the list on-topic and stop
abuse when we see it.  We don't take situations like this lightly.

Thank you all in advance and if you have any issue with this, please
contact me or the Communications Committee directly.

Regards,

Randy Epstein
Acting Chair, NANOG CC





Re: very confusing.

2012-06-13 Thread Lynda

On 6/13/2012 3:05 PM, Randy Bush wrote:

NANOG, i strongly desire to restrain this slimeball idiot's trade.
please tell me if you have any ideas on how to do so.


I have plenty of ideas. Unfortunately, I am not permitted to do those 
things. I promise it would not be painful, though. I'm not cruel, just 
methodical.



Be advised that I'm following your posts and have your threatening
messages to me.  If there is a DDoS or restraint of trade due to my
ACCIDENTAL email I'll escalate to commerce and FBI.


LOL.  you are not only a slimeball (who the ietf and nanog admins are
scraping out), but an idiot.

but do please tell me how i can restrain your trade.  would love to
discuss your spam with the DoC and FBI.


Of the many, many subscribers here on the list, I gently point out to 
the moh-ron in question that there are any number of current and former 
members of various federal agencies *also* following the list. Oh, 
dearest slimeball, be careful what you wish for.


Not said in jest.

What the heck, at least it isn't yet another interminable discussion of 
ebay and amazon spam.


--
Start wearing purple wearing purple
Start wearing purple for me now
All your sanity and wits they will all vanish
I promise, it's just a matter of time...



RE: Article: IPv6 host scanning attacks

2012-06-13 Thread Karl Auer
On Wed, 2012-06-13 at 15:22 -0500, STARNES, CURTIS wrote:
> I have a slight problem with stating that "Vast IPv6 address space
> actually enables IPv6 attacks".

So do I. Compared to IPv4, scanning IPv6 is much, much harder, and that
is (I think) the most important thing to know.

The analysis was good in that it offered a bit of consideration to the
scanning issue, but...

"Some estimates peg the length of time for a host-scanning attack on a
single IPv6 subnet at 500,000,000 years!"

It's not an estimate. It's an approximation based on scanning a /64
subnet at a thousand probes per second. 18 billion billion (addresses in
one /64) divided by one thousand, divided by 31536000 (the number of
seconds in a year) - works out to about 500,000,000.

> .Embed the MAC address;
> .Employ low-byte addresses;
> .Embed the IPv4 address;
> .Use a "wordy" address;
> .Use a privacy or temporary address;
> .Rely on a transition or coexistence technology.

Why do you not mention DHCP in this list? You do mention it elsewhere.
DHCPv6 will in general supply random addresses. You say that "some"
DHCPv6 servers produce sequential addresses - could you please give an
example? I use Nominum's DCS, which certainly does NOT do this very
foolish thing.

Low-byte addresses are generally going to be on high-value devices,
which will usually be servers (whose existence is thus public knowledge
anyway) or network fabric devices (who will be very solidly protected by
firewalls, generally requiring no access from outside at all, or even
access from most of the inside network either).

Embedded IPv4 addresses are going to be a reducing problem, and in the
scenario you mention, as well as in most other scenarios, again mostly
on machines that have very strong protections from firewalls and their
own packet filters.

Wordy addresses will be an issue for some vanishingly small percentage
of systems, and generally systems that their owners want people to see
(Facebook being a good example). These are generally going to be systems
whose existence is public knowledge anyway.

All transition technologies are a reducing problem. The primary
transition technology - dual stack - has no technology-specific problems
in respect of scanning (except perhaps that the scanner, at least in
theory, gets two bites at the cherry).

I think you are making a minor issue look far bigger than it is. I feel
the privacy issues around SLAAC are far more significant in the real
world than any threat from scanning.

Regards, K.

PS: I still like your RFC about stable privacy addresses.

PPS: There seems to be a diagram missing in the discussion of embedded
MAC addresses, after the word "syntax".



-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer

GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
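The disagreement in this thread (Curtis's and Karl's posts, and the list of IID patterns they both quote) comes down to how much of the 64-bit interface identifier an attacker already knows. The code below is an added example, not from the article or the draft: it builds a modified EUI-64 IID from a MAC, enumerates the candidate addresses for a known vendor OUI, embeds an IPv4 address the way `::a.b.c.d` addresses do, and puts Karl's 1000 probes per second against each search space. The 2001:db8 prefixes, the MAC and the candidate counts per pattern are assumptions labelled in the code.

```python
import ipaddress
from typing import Dict, Iterator

# Added example; prefixes, MAC and per-pattern candidate counts are assumptions.
SECONDS_PER_YEAR = 31_536_000


def modified_eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface ID (RFC 4291, Appendix A) for a 48-bit MAC:
    flip the universal/local bit of the first octet and insert ff:fe in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def ipv4_embedded_iid(ipv4: str) -> int:
    """IID carrying the IPv4 address in its low 32 bits (the 2001:db8::192.0.2.10 habit)."""
    return int(ipaddress.IPv4Address(ipv4))


def address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Join a /64 prefix and a 64-bit IID into an address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("IID is 64 bits; give a /64")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def eui64_candidates(prefix: str, oui: str, start: int = 0,
                     count: int = 1 << 24) -> Iterator[ipaddress.IPv6Address]:
    """Enumerate the 2**24 addresses whose IID embeds a MAC with a known vendor OUI."""
    oui_hex = oui.replace(":", "").replace("-", "")
    for serial in range(start, min(start + count, 1 << 24)):
        yield address(prefix, modified_eui64_iid(f"{oui_hex}{serial:06x}"))


# Candidate count per IID pattern; what the scanner is assumed to know is in the label.
SEARCH_SPACE: Dict[str, int] = {
    "random IID (RFC 4941 privacy, random DHCPv6)": 1 << 64,
    "EUI-64, vendor OUI known":                      1 << 24,
    "low-byte (::0001 .. ::ffff)":                   1 << 16,
    "embedded IPv4, site's /16 known":               1 << 16,
    "embedded IPv4, no prior knowledge":             1 << 32,
}


def scan_time_years(addresses: int, probes_per_second: float = 1000.0) -> float:
    """Karl's arithmetic: candidates / rate / seconds per year."""
    return addresses / probes_per_second / SECONDS_PER_YEAR


def scan_time_report(probes_per_second: float = 1000.0) -> Dict[str, float]:
    return {k: scan_time_years(v, probes_per_second) for k, v in SEARCH_SPACE.items()}


if __name__ == "__main__":
    for pattern, years in scan_time_report().items():
        print(f"{pattern:48s} {years:>14.3g} years")
    # Three candidates from the middle of a vendor's serial range (constructed MAC 00:1b:21:3c:4d:5e).
    for cand in eui64_candidates("2001:db8:1:2::/64", "00:1b:21", start=0x3c4d5e, count=3):
        print(cand)
```

The report makes both sides' point: a /64 of random IIDs is the half-billion-year figure, while a subnet of hosts from one vendor is 2^24 candidates, under five hours at the same rate, and a low-byte or IPv4-embedded scheme is minutes. The reduction only applies to the bits the scanner already knows, which is why the thread's answers turn on whether those patterns are used on Internet-facing hosts at all.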




Patch Management - Windows & RHEL/CentOS based on Date

2012-06-13 Thread Wade Peacock
Hi All,

Does anyone know of a patch management system that will allow us to control the 
roll out of patches, specifically for Windows but Linux would be nice too, that 
can use a date to limit whether a patch is rolled out.

Ie.

Patch to date set to 2012-06-10

So all patches released up to 2012-06-10 will be offered to the requesting client. 
Any patches released after 2012-06-10 will be hidden/not offered until the 
"Patch to Date" is moved forward.

Wade Peacock
Production IT | Vision Critical
direct  604.629.9358
mobile  604.363.8137

www.visioncritical.com

New York  |  London  |  Vancouver |  Paris  | Sydney  |  Chicago |  San 
Francisco | Toronto | Montreal | Calgary
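The replies that follow name products; the gating rule itself is simple to implement against the metadata a RHEL/CentOS repository already carries. The code below is an added example, not a feature of any product mentioned in this thread: it reads advisories from a yum `updateinfo.xml`, splits them at the "Patch to Date", and emits the `exclude=` line that would hide the held packages from clients. The advisory ids, package versions and dates in the sample document are constructed for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import List, Tuple

# Added example of date-gated patch selection over yum updateinfo.xml metadata.


@dataclass
class Advisory:
    id: str
    kind: str                     # "security", "bugfix" or "enhancement"
    issued: date
    packages: List[str] = field(default_factory=list)   # name-version-release.arch


def parse_updateinfo(xml_text: str) -> List[Advisory]:
    """Pull advisory id, type, issue date and package list out of updateinfo.xml."""
    advisories = []
    for upd in ET.fromstring(xml_text).findall("update"):
        issued = upd.find("issued").get("date")            # "YYYY-MM-DD HH:MM:SS" or "YYYY-MM-DD"
        issued_date = datetime.strptime(issued[:10], "%Y-%m-%d").date()
        pkgs = [f"{p.get('name')}-{p.get('version')}-{p.get('release')}.{p.get('arch')}"
                for p in upd.iter("package")]
        advisories.append(Advisory(upd.findtext("id"), upd.get("type", ""), issued_date, pkgs))
    return advisories


def gate_by_date(advisories: List[Advisory], patch_to_date: str) -> Tuple[List[Advisory], List[Advisory]]:
    """Split advisories into those offered (issued on or before the gate) and those held."""
    cutoff = date.fromisoformat(patch_to_date)
    offered = [a for a in advisories if a.issued <= cutoff]
    held = [a for a in advisories if a.issued > cutoff]
    return offered, held


def yum_exclude_line(held: List[Advisory]) -> str:
    """'exclude=' line for the repo stanza that hides packages from held advisories."""
    return "exclude=" + " ".join(sorted({pkg for a in held for pkg in a.packages}))


def held_security_ids(held: List[Advisory]) -> List[str]:
    """Security advisories the gate is holding back: the exposure the gate creates."""
    return [a.id for a in held if a.kind == "security"]


# Constructed sample in the createrepo updateinfo layout; ids, versions and dates are made up.
SAMPLE_UPDATEINFO = """<?xml version="1.0"?>
<updates>
  <update from="example@example.org" status="final" type="bugfix" version="1">
    <id>ADV-2012-0001</id>
    <title>openssl bug fix update</title>
    <issued date="2012-06-05 00:00:00"/>
    <pkglist><collection short="example-6">
      <package arch="x86_64" name="openssl" version="1.0.0" release="1.el6">
        <filename>openssl-1.0.0-1.el6.x86_64.rpm</filename>
      </package>
    </collection></pkglist>
  </update>
  <update from="example@example.org" status="final" type="security" version="1">
    <id>ADV-2012-0002</id>
    <title>kernel security update</title>
    <issued date="2012-06-12 00:00:00"/>
    <pkglist><collection short="example-6">
      <package arch="x86_64" name="kernel" version="2.6.32" release="1.el6">
        <filename>kernel-2.6.32-1.el6.x86_64.rpm</filename>
      </package>
    </collection></pkglist>
  </update>
</updates>
"""

if __name__ == "__main__":
    offered, held = gate_by_date(parse_updateinfo(SAMPLE_UPDATEINFO), "2012-06-10")
    print("offered:", [a.id for a in offered])
    print(yum_exclude_line(held))
    print("security advisories held back:", held_security_ids(held))
```

Two caveats a practitioner would want: the gate is by advisory issue date, so a package rebuilt in a later advisory is held even if an older build of it was offered, and anything in `held_security_ids` is a known vulnerability you are choosing to keep for as long as the date stays put; report it rather than letting it hide behind the gate.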



Re: Patch Management - Windows & RHEL/CentOS based on Date

2012-06-13 Thread Andrew Latham
On Wed, Jun 13, 2012 at 7:47 PM, Wade Peacock
 wrote:
> Hi All,
>
> Does anyone know of a patch management system that will allow us to control 
> the roll out of patches, specifically for Windows but Linux would be nice 
> too, that can use a date to limit whether a patch is rolled out.
>
> Ie.
>
> Patch to date set to    2012-06-10
>
> So all patches released up to 2012-06-10 will be offered to the requesting client. 
> Any patches released after 2012-06-10 will be hidden/not offered until the 
> "Patch to Date" is moved forward.
>
> Wade Peacock
> Production IT | Vision Critical
> direct  604.629.9358
> mobile  604.363.8137
>
> www.visioncritical.com
>
> New York  |  London  |  Vancouver |  Paris  | Sydney  |  Chicago |  San 
> Francisco | Toronto | Montreal | Calgary
>

I am unsure of some details but will blindly suggest you look at
wpkg.org as a method of deployment for Microsoft Windows products.


-- 
~ Andrew "lathama" Latham lath...@gmail.com http://lathama.net ~



Re: Patch Management - Windows & RHEL/CentOS based on Date

2012-06-13 Thread Paul Graydon

On 06/13/2012 01:47 PM, Wade Peacock wrote:

Hi All,

Does anyone know of a patch management system that will allow us to control the 
roll out of patches, specifically for Windows but Linux would be nice too, that 
can use a date to limit whether a patch is rolled out.

Ie.

Patch to date set to 2012-06-10

So all patches released up to 2012-06-10 will be offered to the requesting client. Any patches 
released after 2012-06-10 will be hidden/not offered until the "Patch to Date" 
is moved forward.

Wade Peacock
Production IT | Vision Critical
direct  604.629.9358
mobile  604.363.8137

www.visioncritical.com

New York  |  London  |  Vancouver |  Paris  | Sydney  |  Chicago |  San 
Francisco | Toronto | Montreal | Calgary

There are a number of different solutions depending on your environment 
and how much you might be prepared to spend.


A few that spring to mind:

PatchLink, works with Windows and RedHat, not sure if they sorted out 
CentOS support.  I've used PatchLink in the past for managing patch 
deployment to several hundreds of servers, (split up into groups for a 
final bit of paranoia).

ManageEngine have tools, but I believe that's Windows only.
RedHat have Satellite that patches and a whole lot more but that comes 
at a premium.  There is also SpaceWalk from them: 
http://spacewalk.redhat.com/ that manages RedHat, CentOS and Scientific 
Linux patching.


Paul



Re: Patch Management - Windows & RHEL/CentOS based on Date

2012-06-13 Thread Reed Loden
On Wed, 13 Jun 2012 23:47:24 +
Wade Peacock  wrote:

> Does anyone know of a patch management system that will allow us to
> control the roll out of patches, specifically for Windows but Linux
> would be nice too, that can use a date to limit whether a patch is
> rolled out.

I don't know of a good software product that does *both* Windows and
RHEL/CentOS, but for Windows, have you looked at Microsoft's WSUS [0]?
For RHEL/CentOS, use Spacewalk [1].

Hope that helps!
~reed

[0] http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
[1] http://spacewalk.redhat.com/



Re: very confusing.

2012-06-13 Thread Greg Ihnen
A trick to do on mail (USPS) spammers is take the prepaid mailing envelope they 
often include and tape it to a brick wrapped in brown paper and drop it off at 
the post office. They have to pay the shipping. If enough people do it, they go 
out of business.

In this case, do anything you can to waste his time and resources. Call up and 
act interested in his services and have them go through their sales pitch as 
many times as you can.  Ask for them to mail you literature. Have them write up 
proposals and quotes. Then when the last step left is to actually commit to 
their service tell them you were just pulling their chain, and why. If you eat 
up enough of their time they end up attending to too few real paying customers 
and they go out of business.

Greg

On Jun 13, 2012, at 5:35 PM, Randy Bush wrote:

> NANOG, i strongly desire to restrain this slimeball idiot's trade.
> please tell me if you have any ideas on how to do so.
> 
> ---
> 
>> Be advised that I'm following your posts and have your threatening
>> messages to me.  If there is a DDoS or restraint of trade due to my
>> ACCIDENTAL email I'll escalate to commerce and FBI.
> 
> LOL.  you are not only a slimeball (who the ietf and nanog admins are
> scraping out), but an idiot.
> 
> but do please tell me how i can restrain your trade.  would love to
> discuss your spam with the DoC and FBI.
> 
> randy
> 




Re: very confusing.

2012-06-13 Thread Joe Greco
> A trick to do on mail (USPS) spammers is take the prepaid mailing
> envelope they often include and tape it to a brick wrapped in brown
> paper and drop it off at the post office. They have to pay the shipping.
> If enough people do it, they go out of business.

That's simply false; local postmasters have had the discretion to discard
your bricks for years, AND THEY DO.

> In this case, do anything you can to waste his time and resources. Call
> up and act interested in his services and have them go through their
> sales pitch as many times as you can.  Ask for them to mail you
> literature. Have them write up proposals and quotes. Then when the last
> step left is to actually commit to their service tell them you were just
> pulling their chain, and why. If you eat up enough of their time they
> end up attending to too few real paying customers and they go out of
> business.

But that, on the other hand ...

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: Patch Management - Windows & RHEL/CentOS based on Date

2012-06-13 Thread Ray Wong
If you're using Active Directory I think you can actually do that with
the Policy Manager thingy, but i'm not really a windows guy to be
sure.

-R>

On Wed, Jun 13, 2012 at 4:47 PM, Wade Peacock
 wrote:
> Hi All,
>
> Does anyone know of a patch management system that will allow us to control 
> the roll out of patches, specifically for Windows but Linux would be nice 
> too, that can use a date to limit whether a patch is rolled out.
>
> Ie.
>
> Patch to date set to    2012-06-10
>
> So all patches released up to 2012-06-10 will be offered to the requesting client. 
> Any patches released after 2012-06-10 will be hidden/not offered until the 
> "Patch to Date" is moved forward.
>
> Wade Peacock
> Production IT | Vision Critical
> direct  604.629.9358
> mobile  604.363.8137
>
> www.visioncritical.com
>
> New York  |  London  |  Vancouver |  Paris  | Sydney  |  Chicago |  San 
> Francisco | Toronto | Montreal | Calgary
>



RE: EBAY and AMAZON

2012-06-13 Thread Keith Medcalf

> The problem at this point is that even with improvements in newer
> Windows systems there are probably on the order of a billion systems
> out there, attached to the net, and still running these deeply flawed
> OS's which can be taken over by just clicking on the wrong mail
> message.

There have been no improvements in Windows security.

The Microsoft "execute payload with NT AUTHORITY\SYSTEM" ip option was sheer 
brilliance, and that *only* appeared in their new-and-improved Operating 
Systems.  Don't believe the propaganda.

---
˙uʍop-ǝpısdn sı ɹoʇıuoɯ ɹnoʎ 'sıɥʇ pɐǝɹ uɐɔ noʎ ɟı






Re: very confusing.

2012-06-13 Thread Owen DeLong


Sent from my iPad

On Jun 13, 2012, at 9:01 PM, Joe Greco  wrote:

>> A trick to do on mail (USPS) spammers is take the prepaid mailing
>> envelope they often include and tape it to a brick wrapped in brown
>> paper and drop it off at the post office. They have to pay the shipping.
>> If enough people do it, they go out of business.
> 
> That's simply false; local postmasters have had the discretion to discard
> your bricks for years, AND THEY DO.
> 

Yes... Bricks don't work any more. You have to get more creative.

http://www.dogdoo.com offers a selection of products ideally suited for this 
purpose.
 
>> In this case, do anything you can to waste his time and resources. Call
>> up and act interested in his services and have them go through their
>> sales pitch as many times as you can.  Ask for them to mail you
>> literature. Have them write up proposals and quotes. Then when the last
>> step left is to actually commit to their service tell them you were just
>> pulling their chain, and why. If you eat up enough of their time they
>> end up attending to too few real paying customers and they go out of
>> business.
> 
> But that, on the other hand ...
> 

Not mutually exclusive.

Owen




Re: very confusing.

2012-06-13 Thread George Herbert
I am as amused by antispam efforts as anyone, but can we stay on list topic?


George William Herbert
Sent from my iPhone

On Jun 13, 2012, at 19:39, Owen DeLong  wrote:

> 
> 
> Sent from my iPad
> 
> On Jun 13, 2012, at 9:01 PM, Joe Greco  wrote:
> 
>>> A trick to do on mail (USPS) spammers is take the prepaid mailing
>>> envelope they often include and tape it to a brick wrapped in brown
>>> paper and drop it off at the post office. They have to pay the shipping.
>>> If enough people do it, they go out of business.
>> 
>> That's simply false; local postmasters have had the discretion to discard
>> your bricks for years, AND THEY DO.
>> 
> 
> Yes... Bricks don't work any more. You have to get more creative.
> 
> http://www.dogdoo.com offers a selection of products ideally suited for this 
> purpose.
> 
>>> In this case, do anything you can to waste his time and resources. Call
>>> up and act interested in his services and have them go through their
>>> sales pitch as many times as you can.  Ask for them to mail you
>>> literature. Have them write up proposals and quotes. Then when the last
>>> step left is to actually commit to their service tell them you were just
>>> pulling their chain, and why. If you eat up enough of their time they
>>> end up attending to too few real paying customers and they go out of
>>> business.
>> 
>> But that, on the other hand ...
>> 
> 
> Not mutually exclusive.
> 
> Owen
> 
> 



HE IPv6 tunnel inbound

2012-06-13 Thread Grant Ridder
Hi,

I have a Hurricane Electric v6 tunnel set up on an AWS (Amazon Web Services)
instance so that I can have IPv6 connectivity.  I can ping and traceroute
out of the tunnel fine, but am unable to access the tunnel from outside.
For example, I am unable to traceroute to the tunnel address from outside the
tunnel address, even with the AWS instance firewall completely open.  I
would like to host a website accessible via IPv6, hence the tunnel setup.
Is this possible? If so, what could I be doing wrong?  Or is there a
better way to go about this?

Thanks,
Grant


Re: HE IPv6 tunnel inbound

2012-06-13 Thread Christopher Morrow
On Wed, Jun 13, 2012 at 11:29 PM, Grant Ridder  wrote:
> Hi,
>
> I have a Hurricane Electric v6 tunnel set up on an AWS (Amazon Web Services)
> instance so that I can have IPv6 connectivity.  I can ping and traceroute
> out of the tunnel fine, but am unable to access the tunnel from outside.
> For example, I am unable to traceroute to the tunnel address from outside the
> tunnel address, even with the AWS instance firewall completely open.  I
> would like to host a website accessible via IPv6, hence the tunnel setup.
> Is this possible? If so, what could I be doing wrong?  Or is there a
> better way to go about this?
>

google/bing/yahoo/webcrawler search result:


> Thanks,
> Grant



Re: HE IPv6 tunnel inbound

2012-06-13 Thread Cameron Byrne
On Jun 13, 2012 8:29 PM, "Grant Ridder"  wrote:
>
> Hi,
>
> I have a Hurricane Electric v6 tunnel set up on an AWS (Amazon Web
Services)
> instance so that I can have IPv6 connectivity.  I can ping and traceroute
> out of the tunnel fine, but am unable to access the tunnel from outside.
> For example, I am unable to traceroute to the tunnel address from outside the
> tunnel address, even with the AWS instance firewall completely open.  I
> would like to host a website accessible via IPv6, hence the tunnel setup.
> Is this possible? If so, what could I be doing wrong?  Or is there a
> better way to go about this?
>
> Thanks,
> Grant

Sigh.

Or you could take your business to the dozen or so cloud / VPS providers
that support IPv6. ... SoftLayer and Arpnetworks come to mind. I have used
both with a high level of success.

CB


Re: HE IPv6 tunnel inbound

2012-06-13 Thread alejandroacostaalamo
Also: www.cloudflare.com (for free)

This message was sent using the Movilnet BlackBerry service.

-Original Message-
From: Cameron Byrne 
Date: Wed, 13 Jun 2012 21:10:06 
To: Grant Ridder
Cc: 
Subject: Re: HE IPv6 tunnel inbound

On Jun 13, 2012 8:29 PM, "Grant Ridder"  wrote:
>
> Hi,
>
> I have a Hurricane Electric v6 tunnel set up on an AWS (Amazon Web
Services)
> instance so that I can have IPv6 connectivity.  I can ping and traceroute
> out of the tunnel fine, but am unable to access the tunnel from outside.
> For example, I am unable to traceroute to the tunnel address from outside the
> tunnel address, even with the AWS instance firewall completely open.  I
> would like to host a website accessible via IPv6, hence the tunnel setup.
> Is this possible? If so, what could I be doing wrong?  Or is there a
> better way to go about this?
>
> Thanks,
> Grant

Sigh.

Or you could take your business to the dozen or so cloud / VPS providers
that support IPv6. ... SoftLayer and Arpnetworks come to mind. I have used
both with a high level of success.

CB