Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)

2013-01-24 Thread Jimmy Hess
On 1/23/13, Rich Kulawiec  wrote:
> On Mon, Jan 21, 2013 at 02:23:53AM -0600, Jimmy Hess wrote:
> Once again: captchas have zero security value.  They either defend
> (a) resources worth attacking or (b) resources not worth attacking.  If
> it's (a) then they can and will be defeated as soon as someone chooses to
> trouble themselves to do so.  If it's (b) then they're not worth the effort 
> to deploy.  See, for example:

See, you don't show they're not worth the effort to deploy in case (a).
The CAPTCHA _might_ be attacked, but only if the attacker perceives the
value of the resources worth attacking as higher than what the attacker
believes to be the total cost of the effort required to defeat all the
barriers resisting attack.

The return on defeating the CAPTCHA, without defeat on other measures,
will be pretty much zero, if it is reinforcing other security
measures.

And of course, you can revise the CAPTCHA, if your monitoring finds
that it has been defeated, and abuse starts to occur,  so the attacker
has to break it again.

It takes much less time commitment to develop new variations on a
CAPTCHA than it does to defeat novel variations.

> Now I'll grant that captchas aren't as miserably stupid as constructs
> like "user at example dot com" [1] but they really are worthless the

> [1] Such constructs are based on the proposition that spammers capable
> of writing and deploying sophisticated malware, operating enormous botnets,
> maintaining massive address databases, etc., are somehow mysteriously
> incapable of writing
...
>

No,  they are based on the proposition,  that the obfuscation is
unique enough to avoid detection,  and spammers frequently search for
something particularly obvious (e-mail addresses that don't require
extra CPU cycles spent on trying many de-obfuscation techniques to
parse).

Any particular obfuscation would obviously lose value if it became
used frequently.
I believe the specific one, 'user at example dot com', is
well-known due to its obviousness and its use by certain
mail-archive-to-HTML software, and therefore I would not recommend
that particular method.

For obfuscation methods to be most effective at blocking address
harvesting, they should be novel, non-obvious.

e.g.
'
   Email  to username  and atsign,  this domain:  example,  dot,   and
then  com.
'

Of course...  if any obfuscation method becomes very popular, or
frequently used by a large number of documents (e.g. list archives of
many/large public mailing lists), the obfuscation technique will
automatically become worthless,

just because mailing list archives are such an attractive target for
address harvesting, and a consistent obfuscation method for many
addresses means the value of defeating that method becomes
significant.

--
-J
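As an added illustration of the harvesting argument above (example code, not from the thread or its author), the following Python sketches a cheap address harvester with two rules: a plain-address regex and a rule for the widely used "user at example dot com" family, with bracketed "(at)"/"[dot]" variants tolerated. It is run over a constructed sample page; the regexes, the sample text and every address in it are assumptions made for the example.

```python
import re

# Constructed sample page text (not from the thread): a plain address, two
# instances of the well-known at/dot family, and the prose form proposed above.
SAMPLE_PAGE = """
Billing questions: alice@example.com
Archive footer: bob at example dot com
Support: carol (at) mail (dot) example (dot) org
Novel: Email to dave and atsign, this domain: example, dot, and then net.
"""

# Harvester rule 1: plain addresses.
PLAIN = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Harvester rule 2: the "user at example dot com" family. The keywords must be
# whitespace-separated words or wrapped in brackets, so "wombat" is not "womb at".
AT = r"(?:\s+at\s+|\s*[\[\(\{]\s*at\s*[\]\)\}]\s*)"
DOT = r"(?:\s+dot\s+|\s*[\[\(\{]\s*dot\s*[\]\)\}]\s*)"
SPELLED = re.compile(
    r"\b([A-Za-z0-9._%+-]+)" + AT
    + r"([A-Za-z0-9-]+(?:" + DOT + r"[A-Za-z0-9-]+)*)" + DOT + r"([A-Za-z]{2,})\b",
    re.IGNORECASE,
)
DOT_RE = re.compile(DOT, re.IGNORECASE)


def harvest(text: str) -> list:
    """Return, sorted, the de-obfuscated addresses a cheap harvester pulls out of text."""
    found = set(m.group(0).lower() for m in PLAIN.finditer(text))
    for user, domain, tld in SPELLED.findall(text):
        labels = DOT_RE.sub(".", domain)  # "mail (dot) example" -> "mail.example"
        found.add(f"{user}@{labels}.{tld}".lower())
    return sorted(found)


if __name__ == "__main__":
    for addr in harvest(SAMPLE_PAGE):
        print(addr)
```

The plain and at/dot forms fall out immediately, while the prose form survives only because nobody has written a rule for it yet; once such prose became common in archives, adding a third rule would be a few minutes' work, which is exactly the point made above about popular obfuscations becoming worthless.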



Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)

2013-01-24 Thread Scott Howard
On Thu, Jan 24, 2013 at 8:48 AM, Rich Kulawiec  wrote:

> (Yes, yes, I'm well aware that many people will claim that *their* captchas
> work.  They're wrong, of course: their captchas are just as worthless
> as everyone else's.  They simply haven't been competently attacked yet.
> And relying on either the ineptness or the laziness of attackers is
> a very poor security strategy.)


So by this logic, the locks on your house
(car/work/letterbox/cellphone/etc) are worthless too.

Does that mean you leave your house unlocked?

  Scott.


Re: Suggestions for the future on your web site: (was cookies, and

2013-01-24 Thread Joe Greco
> To resort to plain language instead of overworked metaphor, the
> problem with CAPTCHAs is that they're increasingly easier for
> computers to solve than they are for humans.  This is perverse,
> because the whole reason they were introduced was that they were
> _hard_ for computers but _easy_ for humans.  The latter part was a key
> design goal, and we are increasingly ditching it in favour of "just
> using a CAPTCHA" because they're what we think works.

So the point that seems reasonable to make is that people deploy 
CAPTCHA in environments where it is insufficient to the task.

True enough.

At the point where an arms race has developed over such technology,
or other circumvention technologies (such as hiring cheap labor) are
being used, it seems to me that in such an environment the
technology is fundamentally not suited to the task.  It seems fair
to say that CAPTCHA is rapidly evolving to the level of hook-and-eye
latch protection, suitable for rudimentary protection on low-value
assets, keeping the rabbit in its cage, etc.

So, then, "replace it with what, exactly?"  What if we all wake up 
one morning to find that our computers have gained an IQ of 6000? 
Will the computers be making jokes about "as dumb as a human" and
debating ways to identify if they're talking with another computer 
or just a human?  :-)

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)

2013-01-24 Thread Andrew Sullivan
On Thu, Jan 24, 2013 at 04:43:47PM -0500, Jean-Francois Mezei wrote:
> It is better to have a tent with holes in the screen door than no screen
> door. If the damaged screen door still prevents 90% of mosquitoes from
> getting in, it does let you chase down and kill those that do get in.

I get this argument, but it seems to miss the point I was trying to
make earlier.  This isn't like a screen door with holes in it, but
more like a screen door with holes in it and a trick hinge that, from
time to time, bounces back and whacks the humans entering right in the
nose.  

To resort to plain language instead of overworked metaphor, the
problem with CAPTCHAs is that they're increasingly easier for
computers to solve than they are for humans.  This is perverse,
because the whole reason they were introduced was that they were
_hard_ for computers but _easy_ for humans.  The latter part was a key
design goal, and we are increasingly ditching it in favour of "just
using a CAPTCHA" because they're what we think works.

(Of course, this is really just a special case of the usual problems in
HCI when security becomes an issue.  We have this kind of problem with
passwords too.)

A

-- 
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com



Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)

2013-01-24 Thread Jean-Francois Mezei
On 13-01-24 13:52, George Herbert wrote:

> It's true that relying on the laziness of attackers is statistically
> useful, but as soon as one becomes an interesting enough target that
> the professionals aim, then professional grade tools (which waltz
> through captchas more effectively than normal users can, by far) make
> them useless.


This is true. However, if CAPTCHAS stop the bulk of casual hacking
attempts because the simple hacking scripts just flag that site as not
worth the effort and move onto the next, then the site manager has to
deal with far fewer true hacking attempts (those which are determined to
get in or hurt your web site).

It is better to have a tent with holes in the screen door than no screen
door. If the damaged screen door still prevents 90% of mosquitoes from
getting in, it does let you chase down and kill those that do get in.

Just because a security technique is not bullet proof does not mean it
isn't useful.



Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)

2013-01-24 Thread George Herbert
On Thu, Jan 24, 2013 at 5:48 AM, Rich Kulawiec  wrote:
> On Wed, Jan 23, 2013 at 01:20:07PM +0100,  . wrote:
>> CAPTCHAS are a "defense in depth" that reduce the number of spam
>> incidents to a number manageable by humans.
>
> No, they do not.  If you had actually bothered to read the links that
> I provided, or simply to pay attention over the last several years,
> you would know that captchas are not any kind of defense at all.
>
> They're like holding up tissue paper in front of a tank: worthless.
>
> (Yes, yes, I'm well aware that many people will claim that *their* captchas
> work.  They're wrong, of course: their captchas are just as worthless
> as everyone else's.  They simply haven't been competently attacked yet.
> And relying on either the ineptness or the laziness of attackers is
> a very poor security strategy.)
>
> ---rsk

It's true that relying on the laziness of attackers is statistically
useful, but as soon as one becomes an interesting enough target that
the professionals aim, then professional grade tools (which waltz
through captchas more effectively than normal users can, by far) make
them useless.

I disagree that they're entirely ineffective.  The famous Wiley
cartoon (found also in the frontispiece of the original Firewalls
book...) "You have to be this tall to storm the castle" does apply.
But knowing the relative height and availability of storm-the-captcha
tools is important.  They are out there, pros use them all the time,
they are entirely effective.


-- 
-george william herbert
george.herb...@gmail.com



Re: Suggestions for the future on your web site: (was cookies, and

2013-01-24 Thread David Barak




--- On Thu, 1/24/13, Andrew Sullivan  wrote:
> Lately, AFAICT, most CAPTCHAs have been so successfully attacked by
> wgetters that they're quite easy for machines to break, but difficult
> for humans to use.  For example, I can testify that I now fail about
> 25% of the reCAPTCHA challenges I perform, because the images are so
> distorted I just can't make them out (it's much worse on my mobile,
> given the combination of its small screen and my middle-aged eyes).
> 
> So it's now more like airport security: a big hassle for the
> legitimate users but not really much of a barrier for a real
> attacker.  A poor trade-off.

+1000

I routinely fail CAPTCHAs, and am certainly less accurate than a decent machine 
at the OCR required.  Those of us whose eyes don't correct to 20/20 would 
greatly appreciate some other form of "slow down the spammers" than this.  

David Barak
Need Geek Rock?  Try The Franchise: 
http://www.listentothefranchise.com



Re: Super slow HP ILO 2 web interface

2013-01-24 Thread Jay Ashworth
This assumes that your ILOs aren't on their own VLAN, which they 
really ought to be; mine were...

Cheers,
-- jra

- Original Message -
> From: "Michael Loftis" 
> To: "Erik Levinson" 
> Cc: "nanog" 
> Sent: Thursday, January 24, 2013 2:34:14 AM
> Subject: Re: Super slow HP ILO 2 web interface
> I've had issues with HP, Dell, and Supermicro in any higher amounts of
> broadcast traffic, especially ARP requests. The iDRAC 5 and 6 behave
> very badly in high broadcast environments, failing to respond to http
> and local ipmi (ipmitool via the smbus or whatever) interface. That's
> probably where I would start personally...anything over a couple
> hundred hosts in the same broadcast domain, especially if those are
> windows or osx hosts that love to jibber about CIFS and mDNS.
> 
> 
> 
> Sent from my Motorola Xoom
> On Jan 23, 2013 6:25 PM, "Erik Levinson" 
> wrote:
> 
> > Hi everyone,
> >
> > This is probably an OT question for this list, but I thought someone
> > here
> > may have encountered this.
> >
> > I've been having a really annoying super slow web interface access
> > to ILO 2 on our DL360 G5s and G6s, since day one, on all of them.
> > SSH to ILO is perfectly fine. IPMI is fine. VSP is fine. Everything
> > to do with ILO is fine except the damn web interface, which is slow
> > to load pages intermittently. It kind of works in bursts for a few
> > seconds when it works, so I try to do things quickly. It's hard to
> > characterize exactly what's happening beyond my vague description,
> > but I've looked at the dev tools in Chrome, tried FF, etc. with no
> > luck.
> >
> > One thing I haven't tried in a while is a packet capture of an ILO
> > port to see if it's doing something weird, like trying to do rDNS on
> > the client's IP or on itself, etc.
> >
> > If it helps, our config doesn't use DHCP and otherwise all the boxes
> > are reset to defaults, then have their IP/SM/GW configured and local
> > users configured...nothing fancy. We do use our own SSL certs, but
> > the problem happens without them as well, so I've already ruled that
> > out.
> >
> > Does anyone have any ideas on what obvious thing I could have missed?
> >
> > Thanks
> >
> > Erik

-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA   #natog  +1 727 647 1274



Re: Suggestions for the future on your web site: (was cookies, and

2013-01-24 Thread Joe Greco
> Well, yes and no.  Lately, AFAICT, most CAPTCHAs have been so
> successfully attacked by wgetters that they're quite easy for machines

I wasn't aware that there was now a -breakCAPTCHA flag to wget.

The point I was making is that it's a defense against casual copying
of certain types of protected content and other stupid tricks that
used to go on.  Someone who has made a business out of copying web
sites and has arranged to defeat CAPTCHAs is not a casual attacker.

> to break, but difficult for humans to use.  For example, I can testify
> that I now fail about 25% of the reCAPTCHA challenges I perform,
> because the images are so distorted I just can't make them out (it's
> much worse on my mobile, given the combination of its small screen and
> my middle-aged eyes).

I agree that this problem has gotten worse; as time goes on, it 
seems likely that the computers will be able to read CAPTCHAs
(and then solve the new generation of CAPTCHAs) more easily than
many humans.

> So it's now more like airport security: a big hassle for the
> legitimate users but not really much of a barrier for a real
> attacker.  A poor trade-off.

Don't think we're quite there yet.  However, it is certainly moving in
that direction.

However, Ace Hardware still sells hook-and-eye latches, and that's 
something to think about.

One of the businesses we run here had a "problem"; the website had a
"contact us" page that had been recycled out of some script with 
changes to hardcode where mail went, which didn't stop some exploit
script from finding it and then trying to spam through it, which 
meant all their spam went to the company contact address.  The coder 
who maintained the website noted that only a particularly stupid 
spammer (or completely automated system of some sort) would try to 
exploit a script without bothering to check if the mail was being
delivered to victims, so he figured that the correct fix was to put 
a very simple CAPTCHA on it.

I was skeptical, since even five years ago I saw the effectiveness of
CAPTCHAs as being in severe decline, but you know what, he was right.
The CAPTCHA is VERY readable, even has ALT text so you can use it in 
your favorite text browser, because the point WASN'T to make it 
impossible (or even difficult) to abuse, but rather to address a 
particular problem.

It helps to keep your perspective on things.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
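The low-bar contact-form CAPTCHA described above stops a script that never looks at the page, but a simple CAPTCHA is usually bypassed not by OCR but by replaying a solved answer, or by a server that trusts a hidden field carrying the expected answer. As an added example (not Joe Greco's code and not the form in question), this Python issues a stateless HMAC-bound token for a readable arithmetic question and verifies submissions with expiry, single use and a per-outcome counter for monitoring. SERVER_KEY, the question format, the token layout and the in-memory nonce set are assumptions of the example.

```python
import hashlib
import hmac
import random
import secrets
import time
from collections import Counter
from typing import Optional, Tuple

# Assumption: in real use this key comes from a secret store or the environment,
# never from source control. It only has to be secret to this server.
SERVER_KEY = b"example-only-key-replace-me"

# Nonces already consumed, so a solved (or guessed) token cannot be replayed.
# Assumption: one process; a fleet needs a shared store pruned by expiry.
_redeemed: set = set()

# Outcome counts: a jump in "ok" alongside renewed spam means the bar was cleared.
STATS: Counter = Counter()


def make_question(seed: Optional[int] = None) -> Tuple[str, str]:
    """A readable arithmetic challenge whose text form doubles as ALT text."""
    rng = random.Random(seed)
    a, b = rng.randint(1, 9), rng.randint(1, 9)
    return f"What is {a} plus {b}? Type the number.", str(a + b)


def _normalize(answer: str) -> str:
    return "".join(answer.split()).lower()


def _tag(nonce: str, expiry: int, answer: str) -> str:
    msg = f"{nonce}|{expiry}|{_normalize(answer)}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(answer: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Mint a hidden-field token that commits to `answer` without revealing it.

    Nothing is stored at issue time; the HMAC stops the client from forging a
    token for an answer of its own choosing or editing the expiry."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)
    expiry = now + ttl
    return f"{nonce}.{expiry}.{_tag(nonce, expiry, answer)}"


def _result(ok: bool, reason: str) -> Tuple[bool, str]:
    STATS[reason] += 1
    return ok, reason


def verify(token: str, submitted: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Check a submission. Every token, right or wrong, is good for one attempt."""
    now = int(time.time()) if now is None else now
    try:
        nonce, expiry_s, tag = token.split(".")
        expiry = int(expiry_s)
    except ValueError:
        return _result(False, "malformed")
    if now > expiry:
        return _result(False, "expired")
    if nonce in _redeemed:
        return _result(False, "replayed")
    _redeemed.add(nonce)  # burn it before judging the answer: one guess per token
    if not hmac.compare_digest(tag, _tag(nonce, expiry, submitted)):
        return _result(False, "wrong answer")  # also covers a tampered tag
    return _result(True, "ok")


if __name__ == "__main__":
    question, answer = make_question()
    token = issue_challenge(answer)
    print(question)
    print(verify(token, answer), verify(token, answer), dict(STATS))
```

The nonce is burned before the answer is compared, so a token permits exactly one guess and a wrong guess forces a fresh challenge; that, not the difficulty of the question, is what keeps a script from iterating through the answer space. The STATS counter is the hook for the monitoring argued for earlier in the thread: when successes climb while abuse returns, the challenge has been defeated and it is time to change it.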



Re: Suggestions for the future on your web site: (was cookies, and

2013-01-24 Thread Mike A
On Thu, Jan 24, 2013 at 11:00:50AM -0500, Andrew Sullivan wrote:
> On Thu, Jan 24, 2013 at 09:50:15AM -0600, Joe Greco wrote:
> 
> > A CAPTCHA doesn't need to be successful against every possible threat,
> > it merely needs to be effective against some types of threats.  For
> > example, web pages that protect resources with a CAPTCHA are great at
> > making it much more difficult for someone with l33t wget skills to
> > scrape a website.
> 
> Well, yes and no.  Lately, AFAICT, most CAPTCHAs have been so
> successfully attacked by wgetters that they're quite easy for machines
> to break, but difficult for humans to use.  For example, I can testify
> that I now fail about 25% of the reCAPTCHA challenges I perform,
> because the images are so distorted I just can't make them out (it's
> much worse on my mobile, given the combination of its small screen and
> my middle-aged eyes).
> 
> So it's now more like airport security: a big hassle for the
> legitimate users but not really much of a barrier for a real
> attacker.  A poor trade-off.

"A Modest Proposal": Maybe we need to turn it around and fail on successful
recognition of the CAPTCHA, then?

-- 
Mike Andrews, W5EGO
mi...@mikea.ath.cx
Tired old sysadmin 



Re: Suggestions for the future on your web site: (was cookies, and

2013-01-24 Thread Andrew Sullivan
On Thu, Jan 24, 2013 at 09:50:15AM -0600, Joe Greco wrote:

> A CAPTCHA doesn't need to be successful against every possible threat,
> it merely needs to be effective against some types of threats.  For
> example, web pages that protect resources with a CAPTCHA are great at
> making it much more difficult for someone with l33t wget skills to
> scrape a website.

Well, yes and no.  Lately, AFAICT, most CAPTCHAs have been so
successfully attacked by wgetters that they're quite easy for machines
to break, but difficult for humans to use.  For example, I can testify
that I now fail about 25% of the reCAPTCHA challenges I perform,
because the images are so distorted I just can't make them out (it's
much worse on my mobile, given the combination of its small screen and
my middle-aged eyes).

So it's now more like airport security: a big hassle for the
legitimate users but not really much of a barrier for a real
attacker.  A poor trade-off.

Best,

A

-- 
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com



Re: Suggestions for the future on your web site: (was cookies, and

2013-01-24 Thread Joe Greco
> On Wed, Jan 23, 2013 at 01:20:07PM +0100,  . wrote:
> > CAPTCHAS are a "defense in depth" that reduce the number of spam
> > incidents to a number manageable by humans.
> 
> No, they do not.  If you had actually bothered to read the links that
> I provided, or simply to pay attention over the last several years,
> you would know that captchas are not any kind of defense at all.
> 
> They're like holding up tissue paper in front of a tank: worthless.
> 
> (Yes, yes, I'm well aware that many people will claim that *their* captchas
> work.  They're wrong, of course: their captchas are just as worthless
> as everyone else's.  They simply haven't been competently attacked yet.
> And relying on either the ineptness or the laziness of attackers is
> a very poor security strategy.)

This is a fairly common mistake.

Security isn't about prevention, it's about deterrence.

If you have a locked screen door, someone can still trivially break 
the screen and unlock it.

If you have a glass door, a brick.

If you have a hollow core wood door, a shoulder.

If you have a solid core wood door, a sledge.

If you have a steel door, a prybar.

If you have a safe-style door, explosives.

If you're Fort Knox, a larger military force.  :-)

Basically there is no door that cannot be overcome with sufficient
force; the point of a door is not to absolutely prevent a bad guy
from entering under all circumstances, but rather to deter the 
average attacker to go bother the neighbors instead.  You can do
many things to augment your physical security, unpickable locks,
reinforced doors, motion sensor lights, alarm systems, etc. but all
of these are merely enhancers that are designed to make a criminal
look for an easier target.  A determined and properly resourced
attacker who is determined to attack a given resource is going to
be successful eventually.

And that's where the so-called argument against CAPTCHAs falls apart.

A CAPTCHA doesn't need to be successful against every possible threat,
it merely needs to be effective against some types of threats.  For
example, web pages that protect resources with a CAPTCHA are great at
making it much more difficult for someone with l33t wget skills to
scrape a website.

It isn't a high bar anymore, it isn't a strong defense anymore.  All
quite true, so I'll even agree with your inevitable answer that many
websites are using CAPTCHA as protection against attacks that it is
no longer capable of guarding against.  Agreed!

However, as part of a "defense in depth" strategy, it can still make
sense.  It's much more of a locked screen door at this point, but if
you've got threats that can be easily deterred, then it's still viable.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: Is Level(3) AS3356 absorbing GBLX AS3549

2013-01-24 Thread Josh Hoppes
Yep,

http://www.nanog.org/meetings/nanog56/presentations/Monday/mon.lightning.siegel.pdf


On Thu, Jan 24, 2013 at 6:03 AM, Christopher J. Pilkington wrote:

> Overnight BGPmon reports that 3356 was adjacent to our AS, but it is
> not. Only plausible situation I can think of is Level(3) absorbing the
> 3549 GlobalCrossing AS.
>
> Is this going on? Or am I suffering from insufficient caffeination?
>
> -cjp
>
>


Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)

2013-01-24 Thread Rich Kulawiec
On Wed, Jan 23, 2013 at 01:20:07PM +0100,  . wrote:
> CAPTCHAS are a "defense in depth" that reduce the number of spam
> incidents to a number manageable by humans.

No, they do not.  If you had actually bothered to read the links that
I provided, or simply to pay attention over the last several years,
you would know that captchas are not any kind of defense at all.

They're like holding up tissue paper in front of a tank: worthless.

(Yes, yes, I'm well aware that many people will claim that *their* captchas
work.  They're wrong, of course: their captchas are just as worthless
as everyone else's.  They simply haven't been competently attacked yet.
And relying on either the ineptness or the laziness of attackers is
a very poor security strategy.)

---rsk



Is Level(3) AS3356 absorbing GBLX AS3549

2013-01-24 Thread Christopher J. Pilkington
Overnight BGPmon reports that 3356 was adjacent to our AS, but it is
not. Only plausible situation I can think of is Level(3) absorbing the
3549 GlobalCrossing AS.

Is this going on? Or am I suffering from insufficient caffeination?

-cjp



How to avoid security issues with VPN leaks on dual-stack networks

2013-01-24 Thread Fernando Gont
Folks,

Thought you might be interested...

Techtarget has just published an article I've authored for them,
entitled "How to avoid security issues with VPN leaks on dual-stack
networks".

The article is available at:


(Note: There are some banners (?) intermixed... but the whole article
can be viewed without registration... just keep scrolling down!)

Its "Abstract" is:
 cut here 
The imminent exhaustion of freely available IPv4 addresses has, over a
number of years, led to the incorporation of IPv6 support by most
general-purpose operating systems. However, many applications, such as
VPN client and server software, have been lagging behind to become
IPv6-ready. This results in scenarios in which dual-stacked hosts employ
IPv6-unaware VPN software, thus opening the door to security
vulnerabilities, such as VPN traffic leaks. In this tip, we'll discuss
how these VPN security issues arise and the various mitigation options
available for containing VPN traffic leaks.
 cut here 

P.S.: Any comments will be welcome.

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint:  31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492






-- 
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
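As an added example, not from the article or its author, the following Python shows one way to check a Linux dual-stack host for the leak the abstract describes: parse a snapshot of `ip -6 route show`, report every global-scope IPv6 route that does not go through the tunnel interface, and emit ip6tables rules that confine IPv6 egress to the tunnel. The sample route table, the interface names tun0/wlan0 and the choice of ip6tables as the containment mechanism are assumptions of the example.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample (not from the article): what `ip -6 route show` prints on a
# dual-stack laptop whose IPv4-only VPN client brought up tun0 but never touched
# the IPv6 table, so the RA-learned default route still points at the LAN.
SAMPLE_ROUTES = """\
::1 dev lo proto kernel metric 256 pref medium
2001:db8:1::/64 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 600 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)")


def parse_routes(text: str) -> List[Tuple[ipaddress.IPv6Network, str]]:
    """(destination network, egress device) for each parseable route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "::/0" if m.group("dst") == "default" else m.group("dst")
        routes.append((ipaddress.ip_network(dst, strict=False), m.group("dev")))
    return routes


def leaking_routes(text: str, tunnel_dev: str) -> List[Tuple[str, str]]:
    """Global-scope IPv6 destinations the kernel would send outside the tunnel.

    Loopback, link-local and multicast routes are on-link housekeeping the VPN
    was never meant to carry; everything else off the tunnel is a leak, including
    an on-link global prefix, since a full-tunnel VPN should not see the LAN."""
    leaks = []
    for net, dev in parse_routes(text):
        if dev in (tunnel_dev, "lo"):
            continue
        if net.is_loopback or net.is_link_local or net.is_multicast:
            continue
        leaks.append((str(net), dev))
    return leaks


def containment_rules(tunnel_dev: str) -> List[str]:
    """ip6tables OUTPUT rules allowing IPv6 to leave only via the tunnel (assumed approach).

    ICMPv6 to link-local and link-scope multicast stays open so neighbour
    discovery keeps working; everything else not bound for the tunnel is rejected."""
    return [
        "ip6tables -A OUTPUT -o lo -j ACCEPT",
        f"ip6tables -A OUTPUT -o {tunnel_dev} -j ACCEPT",
        "ip6tables -A OUTPUT -p ipv6-icmp -d fe80::/10 -j ACCEPT",
        "ip6tables -A OUTPUT -p ipv6-icmp -d ff02::/16 -j ACCEPT",
        "ip6tables -A OUTPUT -j REJECT --reject-with icmp6-adm-prohibited",
    ]


if __name__ == "__main__":
    for net, dev in leaking_routes(SAMPLE_ROUTES, "tun0"):
        print(f"leak: {net} via {dev}")
    print("\n".join(containment_rules("tun0")))
```

Run against a live host, the first function would read `subprocess.check_output(["ip", "-6", "route", "show"])` instead of the constructed snapshot. The rules are the blunt containment option: they make IPv6 unusable whenever the tunnel is down, which is the intended fail-closed behaviour for a full-tunnel VPN, and they need to be installed before the VPN comes up rather than by the VPN client that, by hypothesis, does not know IPv6 exists.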