Re: When an ISP should run their own IRR for customers
On 12/1/12, ML wrote:
> I'm querying the community on the feasibility of running my own IRR on
> behalf of customers who probably aren't/won't register their own
> objects. I'm going down this path since I don't believe RADB or ARIN
> would let me register objects on behalf of my customers.

It doesn't seem like a terribly good reason to want to start a new IRR. I wouldn't expect RADB to mirror.

What brought you to the actual conclusion you won't be able to register the customer route objects, after receiving authorization from the customer? Last I checked, on RADB it's technically possible for any paying maintainer to register a route object, as long as it's not already registered under another mnt-by; LEVEL3 and some others have in the past commonly created proxy-registered routes for customers' non-existent routes to facilitate the creation of automatic route filtering policy definitions.

And there are some AS objects that also say they are proxy registered in the remarks or description sections...

$ whois -h whois.radb.net as32114
aut-num:    AS32114
as-name:    WalkerMachine
descr:      This is a Proxy registered AS for Walker Machine by Lumos Networks.
mnt-by:     MAINT-AS7795
...

--
-JH
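An added example, not code from the thread, from RADB or from IRRd: a small parser for the RPSL object format shown in the whois output above, with a check that flags objects whose descr:/remarks: say they were proxy-registered, which is worth knowing before such an object is trusted as input to automatic filter generation. The aut-num object is the one quoted in the reply (its trailing attributes were elided there); the route object, its maintainer name and the prefix/ASN values are constructed.

```python
"""RPSL (whois) object parser with a proxy-registration check.
Added example; not code from the NANOG thread, RADB or IRRd."""
import re

# Constructed whois response. The aut-num object is the one quoted in the
# thread (trailing attributes elided there); the route object is invented,
# using documentation prefix and ASN values.
SAMPLE_WHOIS = """\
aut-num:        AS32114
as-name:        WalkerMachine
descr:          This is a Proxy registered AS for Walker Machine
                by Lumos Networks.
mnt-by:         MAINT-AS7795

route:          192.0.2.0/24
descr:          Constructed customer route, registered by the customer
origin:         AS64496
mnt-by:         MAINT-EXAMPLE
source:         RADB
"""

# Wording registries use in descr:/remarks: when an object is proxy-registered.
PROXY_RE = re.compile(r"proxy[\s-]*registered", re.IGNORECASE)


def parse_rpsl(text):
    """Split whois output into objects: one dict per blank-line-separated
    block, attribute name -> list of values (attributes such as mnt-by may
    repeat). Indented or '+' lines continue the previous attribute."""
    objects, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
            current, last_key = {}, None
            continue
        if line[0] in " \t+" and last_key is not None:
            current[last_key][-1] += " " + line.lstrip("+ \t")
            continue
        key, _, value = line.partition(":")
        last_key = key.strip().lower()
        current.setdefault(last_key, []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def is_proxy_registered(obj):
    """True when descr: or remarks: state the object was proxy-registered."""
    notes = obj.get("descr", []) + obj.get("remarks", [])
    return any(PROXY_RE.search(note) for note in notes)


def summarize(text):
    """Per object: class (the first attribute), primary key, maintainers,
    and whether it is proxy-registered."""
    rows = []
    for obj in parse_rpsl(text):
        cls = next(iter(obj))
        rows.append({"class": cls, "key": obj[cls][0],
                     "mnt_by": obj.get("mnt-by", []),
                     "proxy": is_proxy_registered(obj)})
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_WHOIS):
        print(row)
```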
When an ISP should run their own IRR for customers
I'm querying the community on the feasibility of running my own IRR on behalf of customers who probably aren't/won't register their own objects. I'm going down this path since I don't believe RADB or ARIN would let me register objects on behalf of my customers. I know I'm going to need this in the near future once my AS starts to peer. Conservatively I would be proxy registering about 100 customers.

Would a potential upstream/peer NOT want to query my IRR because I'm not RADB, ARIN, etc (essentially not a well known registry)? If not, is it likely my IRR could get mirrored by RADB so other networks can retrieve good info via RADB?

If I was to run my own IRR, is Merit's IRRd the way to go or is there something better?

Thanks
Re: "Programmers can't get IPv6 thus that is why they do not have IPv6 in their applications"....
On 11/27/2012 11:48 PM, Owen DeLong wrote:

I agree that some of it comes down to knowledge; most programmers learn from experience and let's face it, unless you go looking you're unlikely to run into IPv6 even as of yet. I believe as the ISP implements IPv6 and companies get more demand on the customer facing side of things it will pick up quickly. Sure, using gethostbyname() is certainly easier to find code examples, but not impossible to find other examples.

http://owend.corp.he.net/ipv6

Pretty much everything you need to know about taking your applications from mono-stack to dual-stack.

"Everything you need to know" except for how to actually accomplish this task in the real world. In order to accomplish this in the real world using present-day software development methodologies you would need to do a few more things:

- Generate some user stories that explain why the IPv6-supporting code needs to be written
- Break these user stories down into backlog items and convince the product manager to place these items into the backlogs of the dozens or more interacting teams that need to write the code
- Add all of the backlog items for all of the interworking pieces so that, for instance, automated monitoring tools that are watching the IPv4 services will now be watching the IPv6 services as well... capacity planning will be able to account for IPv6 growth... etc.
- Convince the product manager (along with other departments like marketing and executive management) that adding support for IPv6 to an existing working product is *more important* than meeting internal and external requests for features and fixing known bugs
- Develop a test plan so that the various interworking parts of your system may be tested internally once IPv6 support is added to ensure that not only does IPv6 now work but that the existing IPv4 functionality is not broken as a result
- Write the code when the work makes its way to the top of the backlog
- Wait for the infrastructure environment to be upgraded to support running IPv6 in production
- Test the new IPv6 functionality and verify that none of the IPv4 functionality is broken
- Deploy to customers
- Receive bug reports
- Prioritize bugs that have been created that affect IPv4 customers and IPv6 customers appropriately such that the IPv6 bugs ever get fixed
- Iterate

I'm sure I've missed a few steps.

Includes an example application implemented in IPv4 only and ported to dual stack in C, PERL, and Python.

Unfortunately the "example application" is less than 1M lines of code and fewer than a few hundred different servers plus client applications.

In our datacenters all our software is built with IPv6 addressing supported but we have yet to build the logic stack as we are waiting for the demand. It makes no sense to build all the support just because when there are other important things to do.

+1 on this for sure.

There is something else. Many people "cheated" and stuck a 2^32 number in an integer datatype for their SQL or other servers. They don't work as well with 2^128 sized IPs. They have to undertake the actual effort of storing their data in a proper datatype instead of cheating. I've seen this over-and-over and likely is a significant impediment just as the gethostbyname vs getaddrinfo() system call translations may be.

One of many issues that will come up.

Along with the lack of support for IPv6 in the infrastructure, or the monitoring tools, or the automated test systems, or whatever.

It's actually pretty easy to change the datatype in an SQL database, so that shouldn't be that much of an impediment.

If only A) it were that simple and B) going in and changing data types for columns didn't have audit implications, data replication implications, data warehousing and analysis system implications, etc.

Matthew Kaufman

ps. I work for a division of my employer that does not yet have IPv6 support in its rather popular consumer software product. Demand for IPv6 from our rather large customer base is, at present, essentially nonexistent, and other things would be way above it in the stack-ranked backlog(s) anyway. One could argue that until we add IPv6 support throughout our systems, consumers will continue to demand IPv4 connectivity from operators in order to run software like ours, rather than us being cut off from any meaningful proportion of customers.

pps. And until we were last acquired, we *didn't* have IPv6 at our developer's desktops. Now we do, but it doesn't connect to the global IPv6 Internet (yet).
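An added example, not code from the thread, of the "cheated" datatype problem raised in the post above: an INTEGER column that held 32-bit IPv4 values cannot hold 128-bit IPv6 values, whereas a fixed 16-byte key (IPv4 stored as an IPv4-mapped IPv6 address) holds both families in one column and still supports prefix lookups. sqlite3 stands in for the "SQL or other servers"; the table names, column names and sample addresses are constructed.

```python
"""One SQL column for IPv4 and IPv6 addresses. Added example, not from the
thread; sqlite3 stands in for the database server."""
import ipaddress
import sqlite3


def addr_to_int(text):
    """The 'cheat' from the thread: the address as a plain integer."""
    return int(ipaddress.ip_address(text))


def int_column_accepts(text):
    """Does an INTEGER column take this address? SQLite INTEGER is 64-bit,
    so every IPv4 address fits and almost every IPv6 address does not."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions_int (ip INTEGER NOT NULL)")
    try:
        conn.execute("INSERT INTO sessions_int VALUES (?)", (addr_to_int(text),))
        return True
    except OverflowError:  # "Python int too large to convert to SQLite INTEGER"
        return False
    finally:
        conn.close()


def addr_to_blob(text):
    """Proper datatype: a fixed 16-byte key. IPv6 is stored as-is; IPv4 is
    stored as the IPv4-mapped address ::ffff:a.b.c.d so both families share
    one column and one index."""
    addr = ipaddress.ip_address(text)
    if addr.version == 4:
        addr = ipaddress.IPv6Address(f"::ffff:{addr}")
    return addr.packed


def blob_to_addr(blob):
    """Inverse of addr_to_blob, returning the original family's text form."""
    addr = ipaddress.IPv6Address(blob)
    mapped = addr.ipv4_mapped
    return str(mapped) if mapped is not None else str(addr)


def prefix_bounds(cidr):
    """Lowest and highest keys covered by a prefix. SQLite compares BLOBs
    bytewise, so BETWEEN on these bounds is a longest-prefix-style match."""
    net = ipaddress.ip_network(cidr, strict=False)
    return (addr_to_blob(str(net.network_address)),
            addr_to_blob(str(net.broadcast_address)))


def addresses_in_prefix(addresses, cidr):
    """Load addresses into a 16-byte BLOB column and return those in cidr."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (ip BLOB NOT NULL CHECK (length(ip) = 16))")
    conn.executemany("INSERT INTO sessions VALUES (?)",
                     [(addr_to_blob(a),) for a in addresses])
    lo, hi = prefix_bounds(cidr)
    rows = conn.execute("SELECT ip FROM sessions WHERE ip BETWEEN ? AND ? ORDER BY ip",
                        (lo, hi)).fetchall()
    conn.close()
    return [blob_to_addr(row[0]) for row in rows]


# Constructed sample using documentation addresses only.
SAMPLE_ADDRESSES = ["203.0.113.7", "2001:db8::1", "198.51.100.9",
                    "2001:db8:ffff::2", "203.0.113.250"]

if __name__ == "__main__":
    print(int_column_accepts("203.0.113.7"), int_column_accepts("2001:db8::1"))
    print(addresses_in_prefix(SAMPLE_ADDRESSES, "203.0.113.0/24"))
```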
Re: William was raided for running a Tor exit node. Please help if you can.
> The BBC has an article about a similar issue on a Tor exit node in Austria:
> Austrian police raid privacy network over child porn
> http://www.bbc.co.uk/news/technology-20554788

Actually it is not a "similar case" but the case of William W. that BBC reported. Though with some mistakes: the servers were not seized, the hardware (drives etc) at his home was seized, William was not charged (he says), police are just investigating.

http://www.lowendtalk.com/discussion/6283/raided-for-running-a-tor-exit-accepting-donations-for-legal-expenses/p5

And so far only the police know if "images showing child sex abuse" were actually "found passing through them" as BBC writes.

The warrant posted at arstechnica.net
http://cdn.arstechnica.net/wp-content/uploads/2012/11/Beschluss.png
mentions section 207a, para 2, 2nd case, and para 4 no 2, lit b of Austrian Criminal Code, which would be possession of a pornographic depiction of a minor person over 14, showing their genitals in an obscene manner. (The text of the relevant section in German: http://www.ris.bka.gv.at/Dokumente/Bundesnormen/NOR40105143/NOR40105143.html)

The warrant does not mention anything that refers to distribution or transport of pornographic images. So, either police and judge were not aware that it was a TOR server or they have/had a suspicion that's not related to running a TOR server. Or they made a mistake and quoted the wrong section. We simply don't know at present.

regards,
jutta

On Saturday, 01 December 2012 at 17:10, nanog@nanog.org wrote:
> The BBC has an article about a similar issue on a Tor exit node in Austria:
> Austrian police raid privacy network over child porn
> http://www.bbc.co.uk/news/technology-20554788
> ##
> Austrian police have seized servers that were part of a global anonymous
> browsing system, after images showing child sex abuse were found passing
> through them.
<...>
Re: William was raided for running a Tor exit node. Please help if you can.
> Example of an actual warrant:
>
> https://www.eff.org/sites/default/files/filenode/inresearchBC/EXHIBIT-A.pdf

Please also keep in mind, if it's relevant, that *no warrant* is required for data that is stored by a third-party. Data on a server, TOR or otherwise, would by definition be data that is stored by a third party. Which means that if there is a person of interest (POI), it would not be terribly hard to get at personal information about the POI that is not on their own private machines.

(Here is an article we wrote about that: http://www.theinternetpatrol.com/no-warrant-necessary-for-law-enforcement-to-access-data-stored-in-the-cloud/ )

> Not a lawyer.

Is a lawyer, but hasn't been following this thread. That said, if there are specific questions, I'd be happy to answer them if I can.

Anne

Anne P. Mitchell, Esq
CEO/President
Institute for Social Internet Public Policy
http://www.ISIPP.com
Member, Cal. Bar Cyberspace Law Committee
Re: Legal Crap [was: William was raided for running a Tor exit node. Please help if you can.]
On 12/1/2012 11:01 AM, Jimmy Hess wrote:
> Anyone, including people off the street, can have opinions about the Law,
> and opinions about networks. Would you be willing to rely on some stranger
> off the street, with no qualifications, or positive background whatsoever,
> to start recommending a new network design,

quite possibly.

strangers off the street sometimes demonstrate superior insight than credentialed 'experts'. not typically, of course, but sometimes.

an essential point is how much work i want to do to assess the credibility of the comments from either source.

folks who rely on their credentials for credibility tend to lose it with me. anyone who makes a point by clearly providing a solid basis for it tends to gain it.

but i agree that clarity about the purpose of this thread would be helpful...

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Re: Legal Crap [was: William was raided for running a Tor exit node. Please help if you can.]
On 12/1/12, Patrick W. Gilmore wrote:
> On Nov 30, 2012, at 20:25 , Randy Bush wrote:
> As for "the legal crap", most of what is posted is not on-topic here. There
> are laws & legal implications which are operational, though. And even
> though I am not a lawyer, I need to understand them or I cannot do my job.
> My lawyer is not going to pick which datacenter to lease, even if he knows a

Laws and legal ramifications are a driving force impacting design and policy for network operations, because they have financial implications, and finance matters.

For example, if you or your orgs' staff are denied access to your equipment or data and critical servers are seized or offlined, while a police investigation is ongoing, due to a breach of PII confidentiality (eg stolen social security numbers of staff members used by an ID thief), for example, there is possible hardship for the org, even if you or your org fully exercised due care and went well beyond the minimum: with a responsible well-thought security program, and the offender is an outsider, you might soon not have a network, due to bankruptcy. In this case you might not have any "liability" or guilt for the breach, but you have major costs, regardless.

Anyone, including people off the street, can have opinions about the Law, and opinions about networks. Would you be willing to rely on some stranger off the street, with no qualifications, or positive background whatsoever, to start recommending a new network design, or give them a CLI with directions that they can start making whatever changes they like to your core router? Would you ask how to configure an AP to be secure, on a network law discussion list?

Opinions are one thing; but a large amount of legal mumbo jumbo, and attempting to suggest you have exactly what a court would find, or what the exact and only issues are, that list members can't responsibly rely on anyways (DUE to its importance not its non-importance), is a waste of bits, and there might be a more appropriate place to discuss law itself. :)

--
-JH
Re: Legal Crap [was: William was raided for running a Tor exit node. Please help if you can.]
On Dec 1, 2012, at 10:37 AM, Jeffrey Ollie wrote:
> On Sat, Dec 1, 2012 at 4:21 AM, Patrick W. Gilmore wrote:
>>
>> It amazes me how people feel free to opine on things...
>
> Actually, what really bugs/amazes me about that thread is that the
> person whom this thread was originally about IS NOT EVEN FROM THE
> UNITED STATES OF AMERICA.
>
> CALEA, DMCA, yadda, yadda, yadda have nothing at all to do with the
> original problem.

True, but false. The original incident in Austria was being used as an argument against anonymous networks in the US or elsewhere. For US persons the relevant laws here are relevant to that followup discussion.

George William Herbert
Sent from my iPhone
Re: Legal Crap [was: William was raided for running a Tor exit node. Please help if you can.]
On Sat, Dec 1, 2012 at 4:21 AM, Patrick W. Gilmore wrote:
>
> It amazes me how people feel free to opine on things...

Actually, what really bugs/amazes me about that thread is that the person whom this thread was originally about IS NOT EVEN FROM THE UNITED STATES OF AMERICA.

CALEA, DMCA, yadda, yadda, yadda have nothing at all to do with the original problem.

--
Jeff Ollie
Re: William was raided for running a Tor exit node. Please help if
On Sat, Dec 01, 2012 at 10:36:56AM -0600, Joe Greco wrote:
> Even if we were to assume that there are no "bad actors" in law
> enforcement, what happens when someone is simply faced with something
> so complex that they don't really understand it? The conventional
> wisdom is to seize it and let experts work it out.

There is another problem with that approach. Actually, two, one that affects us, one that bears on the root cause.

We all know, or should know, that there are a couple hundred million zombies (aka bots) out there. Nobody knows exactly how many, of course, because it's impossible to know. But any estimate under 100M should be discarded immediately, and I think numbers in the 200M to 300M are at least plausible, if not probable.

Those systems are pretty much EVERYWHERE. The thing is, we don't know specifically where until either (a) they do something that's externally observable that indicates they're zombies AND someone in a position to observe it makes the observation or (b) someone does a forensic-grade examination of them -- which is often what it takes to find some of the more devious malware.

There is nothing at all that stops child porn types from leasing zombies or creating their own. There is also nothing stopping them from setting those systems up to transmit/receive child porn via HTTP/S or SMTP or FTP or any other protocol. Or through a VPN or whatever. No Tor required.

So -- five minutes from now -- you (generic you) could suddenly be in a position where what happened to this guy is happening to you, because 7 zombies on your network just went active and started shovelling child porn. And you probably won't know it because the traffic will be noise buried in all the other noise. That is, until the authorities, whoever they are wherever you are, show up and confiscate everything, including desktops, laptops, servers, tablets, phones, printers, everything with a CPU.

And why shouldn't they? Do you think you're immune to this? Why should you be? Because you're an ISP? A Fortune 500 company? A major university? Joe's Donut Shop? Why should *you* get a pass from this treatment?

My point, which I suppose I should get to, is this: This tactic (confiscating everything) is simply not a sensible response by any law enforcement agency. It's bad police work. It's lazy. It's stupid. And worse than any of THAT, it *helps* the child porn types do their thing. (Why? Because it clearly signals the nature and location and time of a security breach. This helps them avoid capture and provides useful intelligence that can be used to design the next operation.)

The right tactic is to keep all that gear exactly where it is and doing exactly what it's doing. The children who have already been horribly, tragically exploited will not be any more so if those systems keep running: that damage is done and unplugging computers won't fix it. But keeping that stuff in place and figuring how to start tracing the purveyors and producers, THAT will attack the root cause of the problem, so that maybe other children will be spared, and the people responsible brought to justice.

I know it's unfashionable for police to, you know, actually engage in police work any more. It's tedious, boring, and doesn't make headlines. It's much easier to hold self-congratulatory press conferences, torture helpless people with tasers, and try to out-do Stasi by setting up a surveillance state. But it would be nice if someone with a clue got them to stop supporting child porn by virtue of being so damn lazy, ignorant and incompetent.

TL;DR: try a rapier rather than a bludgeon.

---rsk
Re: William was raided for running a Tor exit node. Please help if
> Those who do not remember history...
>
> On Fri, Nov 30, 2012 at 5:23 PM, wrote:
> > http://www.sjgames.com/SS/

Those who do not remember history... what, exactly? We're doomed to repeat this over and over even if we remember it.

Even if we were to assume that there are no "bad actors" in law enforcement, what happens when someone is simply faced with something so complex that they don't really understand it? The conventional wisdom is to seize it and let experts work it out. But there is the possibility of there being so much data, and such complexity in modern systems.

What happens when you've got a Mac and you're running VMware Fusion and you've got VM images sitting on a NAS device? Ten or twenty years ago, "nab all the media" was pretty straightforward in the average case, but these days, it's pretty easy even for Joe Sixpack to have some sophistication and to be storing stuff on a NAS device. If you have an iomega ix2-dl with two 4TB hard drives in it, and the thing only reads out at ~60MB/sec, how do you effectively deal with that? You can either seize it or not. You can't realistically analyze the whole thing on site. You can't realistically copy it in place (two days to read it all!). So you seize it. And what happens when it is reliant on other stuff on the local network? And what happens when the police can't quite figure out the way everything worked together?

Heaven help us when we start talking about tech-sophisticated users who employ things like encryption and run multiple levels of abstractions. And that brings us to Tor...

The flip side to the coin is that there is such little disincentive to be aggressive in seizures. There are any number of examples of overreach, and since there is virtually no personal risk to the authorities responsible, even if the company is successful in filing suit (see SJ Games).

The authorities have one hell of a problem going forward. I hope that part is obvious.

...

JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
Re: William was raided for running a Tor exit node. Please help if you can.
The BBC has an article about a similar issue on a Tor exit node in Austria:

Austrian police raid privacy network over child porn
http://www.bbc.co.uk/news/technology-20554788

##
Austrian police have seized servers that were part of a global anonymous browsing system, after images showing child sex abuse were found passing through them. Many people use the Tor network to conceal their browsing activity. Police raided the home of William Weber, who ran the servers, and charged him with distributing illegal images.
##

It is unfortunate that systems in place to allow free speech end up being abused for the wrong purposes. The same applies to anonymous remailers which have been used to stalk and harass/bully people often using forged email addresses (since those remailers allow one to forge the sender's email address instead of forcing an "Anonymous" sender email).

If Tor servers are just glorified routers then they could be considered more as transit providers and not responsible for content transiting through them. However, if a transit service goes out of its way to hide the identity of the sender of a packet to make it untraceable, then it becomes more than a simple "carrier".
[liberationtech] Internet back in Syria
- Forwarded message from Rafal Rohozinski -

From: Rafal Rohozinski
Date: Sat, 1 Dec 2012 10:39:24 -0500
To: liberationtech Technologies
Subject: [liberationtech] Internet back in Syria
Reply-To: liberationtech

Secdev detected BGP announcements from Syria as of 7:30 AM Eastern standard time. For our initial monitoring we look at the updates that are broadcast, because dumps of those are available every 15 minutes. However a more complete status is available every two hours, which will provide better insight into when the return of the address space was stabilized. How resources across the country are now reporting connectivity in a number of cities.

Rafal

Sent by SecDev secure mobile. Please excuse typos or other oddities.

--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

- End forwarded message -
--
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Legal Crap [was: William was raided for running a Tor exit node. Please help if you can.]
On Nov 30, 2012, at 20:25 , Randy Bush wrote:
>> Not a lawyer.
>
> then stfu with the legal crap

It amazes me how people feel free to opine on things like networking without a certification, but if you don't have a law degree, suddenly they believe you are incapable of understanding anything regarding the law.

As for "the legal crap", most of what is posted is not on-topic here. There are laws & legal implications which are operational, though. And even though I am not a lawyer, I need to understand them or I cannot do my job. My lawyer is not going to pick which datacenter to lease, even if he knows a metric-ass-ton more about indemnification than I ever will (at least I hope than I ever will - that shit is BOORING).

I appreciate people who have researched and understand the topic giving their insights - just like I do regarding BGP, MPLS, IPv6... okay, no jokes about IPv6. :)

And, just like with networking topics, I do not appreciate people taking up 10K+ of their not-so-closest-friends' time with half-baked ideas from people who have not taken the time to understand the subject matter. However, I do not believe the only way to go from the latter group into the former is to pass the bar. (And if so, in what state/country? what specialty? etc., etc.)

I guess this is a long-winded way of saying: If all you have to say is "STFU", maybe you should take your own advice?

--
TTFN,
patrick