Re: NYT covers China cyberthreat

2013-02-20 Thread Suresh Ramasubramanian
On Thursday, February 21, 2013, Warren Bailey wrote:

> The only spanking that has been going on nanog lately is Jay using his
> email to keep us up to date on current news. I am going to call it a
> night, and look for a SCUD fired from Florida in the morning. ;)
>
>
Nanog setting their list server up to mandate that envelope from matches
header from should take care of this .. I see the envelope being whatever,
nob...@server.example.com type stuff more often than not, in all these
forwarded articles that are supposed to be coming from Jay's account.

--srs


-- 
--srs (iPad)
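The check described in the message above, as an added example (not part of the original post and not NANOG's actual list-server configuration): a submission filter that compares the SMTP envelope sender with the `From:` header and holds mismatches for moderation. The function names, addresses and sample messages are constructed for illustration.

```python
"""Hold list submissions whose envelope sender does not match header From.

Added illustration only; all addresses and messages are constructed samples.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr


def domain_of(addr):
    """Return the domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def check_post(envelope_from, raw_message, strict=True):
    """Return (verdict, reason) for one submission to the list.

    envelope_from is the SMTP MAIL FROM value the list's MTA saw.
    strict=True requires the full address to match the From: author;
    strict=False also accepts an envelope sender in the same domain
    (useful when the author's provider rewrites the envelope for bounces).
    """
    env = parseaddr(envelope_from or "")[1].strip().lower()
    if not env:
        # "<>" is the null sender used for bounces, never for a list post.
        return ("hold", "null or unparsable envelope sender")

    msg = message_from_string(raw_message)
    authors = [addr.strip().lower()
               for _, addr in getaddresses(msg.get_all("From", []))
               if addr]
    if len(authors) != 1:
        # Zero or several From: addresses: no single author to compare.
        return ("hold", "expected one From: address, got %d" % len(authors))

    author = authors[0]
    if env == author:
        return ("accept", "envelope sender matches From:")
    if not strict and domain_of(env) and domain_of(env) == domain_of(author):
        return ("accept", "envelope sender domain matches From: domain")
    return ("hold", "envelope %s does not match From: %s" % (env, author))


# Constructed sample: a subscriber posting from their own mail client.
LEGIT = """From: Example Subscriber <subscriber@example.net>
To: list@lists.example.org
Subject: Re: routing question

Posted from my own mail client.
"""

# Constructed sample: a web "share this page" form that fills in the
# subscriber's address as From: but submits with the web server's own
# envelope sender.
SHARED = """From: "Example Subscriber" <subscriber@example.net>
To: list@lists.example.org
Subject: Interesting article

This email was sent via a news site's share-this-page form.
"""

if __name__ == "__main__":
    for env, raw in [("subscriber@example.net", LEGIT),
                     ("www-data@webhost.example.com", SHARED),
                     ("<>", LEGIT)]:
        print(env, "->", check_post(env, raw))
```

A matching pair only shows that the post arrived by the author's usual submission path; both values can still be forged, so this filters web-form forwards of the kind described above rather than proving origin.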


Re: NYT covers China cyberthreat

2013-02-20 Thread Warren Bailey
The only spanking that has been going on nanog lately is Jay using his
email to keep us up to date on current news. I am going to call it a
night, and look for a SCUD fired from Florida in the morning. ;)



On 2/20/13 11:29 PM, "Richard Porter"  wrote:

>When you really look at human behavior the thing that remains the same is
>core motives. The competition makes sense in that it is human nature to
>aggresse for resources. We are challenged in the "fact" that we 'want' to
>belong among the other five. This will never change but.
>
>What is really a travesty here is that most of us have been saying "hey
>this is critical" and can now shift to "I told you so"… in that if you
>did what we said to do 1 … 5 …. 10 … years ago .. you would have
>"mitigated" this risk..
>
>Basically, genetically we have not changed, so what behavior would
>suggest that (even with the introduction of faster calculators).. why
>would we change? Just means we would do X faster …….
>
>This is my first comment to the list.. please flame me privately to save
>the list :) *** or publicly who think I should really be spanked!!! ***
>
>
>Regards,
>Richard
>
>
>
>On Feb 20, 2013, at 7:27 PM, Suresh Ramasubramanian 
>wrote:
>
>> Very true. The objection is more that the exploits are aimed at civilian
>> rather than (or, more accurately, as well as) military / government /
>> beltway targets.
>> 
>> Which makes the alleged chinese strategy rather more like financing jehadis
>> to suicide bomb and shoot up hotels and train stations, rather than any
>> sort of disciplined warfare or espionage.
>> 
>> --srs (htc one x)
>> On 21-Feb-2013 7:40 AM, "Steven Bellovin"  wrote:
>> 
>>> 
>>> On Feb 20, 2013, at 1:33 PM, valdis.kletni...@vt.edu wrote:
>>> 
>>>> On Wed, 20 Feb 2013 15:39:42 +0900, Randy Bush said:
>>>>> boys and girls, all the cyber-capable countries are cyber-culpable.  you
>>>>> can bet that they are all snooping and attacking each other, the united
>>>>> states no less than the rest.  news at eleven.
>>>>
>>>> The scary part is that so many things got hacked by a bunch of people
>>>> who made the totally noob mistake of launching all their attacks from
>>>> the same place
>>> 
>>> 
>>> This strongly suggests that it's not their A-team, for whatever value of
>>> "their" you prefer.  (My favorite mistake was some of them updating their
>>> Facebook pages when their work took them outside the Great Firewall.) They
>>> just don't show much in the way of good operational security.
>>>
>>> Aside: A few years ago, a non-US friend of mine mentioned a conversation
>>> he'd had with a cyber guy from his own country's military.  According to
>>> this guy, about 130 countries had active military cyberwarfare units.  I
>>> don't suppose that the likes of Ruritania has one, but I think it's a safe
>>> assumption that more or less every first and second world country, and not
>>> a few third world ones are in the list.
>>>
>>> The claim here is not not that China is engaging in cyberespionage.  That
>>> would go under the heading of "I'm shocked, shocked to find that there's
>>> spying going on here." Rather, the issue that's being raised is the target:
>>> commercial firms, rather than the usual military and government secrets.
>>> That is what the US is saying goes beyond the usual rules of the game.  In
>>> fact, the US has blamed not just China but also Russia, France, and Israel
>>> (see http://www.israelnationalnews.com/News/News.aspx/165108 -- and note
>>> that that's an Israeli news site) for such activities.  France was notorious
>>> for that in the 1990s; there were many press reports of bugged first class
>>> seats on Air France, for example.
>>>
>>> The term for what's going on is "cyberexploitation", as opposed to "cyberwar".
>>> The US has never come out against it in principle, though it never likes it
>>> when aimed at the US.  (Every other nation feels the same way about its
>>> companies and networks, of course.)  For a good analysis of the legal aspects,
>>> see
>>> http://www.lawfareblog.com/2011/08/what-is-the-government%E2%80%99s-strategy-for-the-cyber-exploitation-threat/
>>> 
>>> 
>>> 
>>> 
>>>--Steve Bellovin, https://www.cs.columbia.edu/~smb
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>
>
>





Re: NYT covers China cyberthreat

2013-02-20 Thread Richard Porter
When you really look at human behavior the thing that remains the same is core 
motives. The competition makes sense in that it is human nature to aggresse for 
resources. We are challenged in the "fact" that we 'want' to belong among the 
other five. This will never change but.

What is really a travesty here is that most of us have been saying "hey this is 
critical" and can now shift to "I told you so"… in that if you did what we said 
to do 1 … 5 …. 10 … years ago .. you would have "mitigated" this risk..

Basically, genetically we have not changed, so what behavior would suggest that 
(even with the introduction of faster calculators).. why would we change? Just 
means we would do X faster …….

This is my first comment to the list.. please flame me privately to save the 
list :) *** or publicly who think I should really be spanked!!! ***


Regards,
Richard



On Feb 20, 2013, at 7:27 PM, Suresh Ramasubramanian  wrote:

> Very true. The objection is more that the exploits are aimed at civilian
> rather than (or, more accurately, as well as) military / government /
> beltway targets.
> 
> Which makes the alleged chinese strategy rather more like financing jehadis
> to suicide bomb and shoot up hotels and train stations, rather than any
> sort of disciplined warfare or espionage.
> 
> --srs (htc one x)
> On 21-Feb-2013 7:40 AM, "Steven Bellovin"  wrote:
> 
>> 
>> On Feb 20, 2013, at 1:33 PM, valdis.kletni...@vt.edu wrote:
>> 
>>> On Wed, 20 Feb 2013 15:39:42 +0900, Randy Bush said:
>>>> boys and girls, all the cyber-capable countries are cyber-culpable.  you
>>>> can bet that they are all snooping and attacking each other, the united
>>>> states no less than the rest.  news at eleven.
>>> 
>>> The scary part is that so many things got hacked by a bunch of people
>>> who made the totally noob mistake of launching all their attacks from
>>> the same place
>> 
>> 
>> This strongly suggests that it's not their A-team, for whatever value of
>> "their" you prefer.  (My favorite mistake was some of them updating their
>> Facebook pages when their work took them outside the Great Firewall.) They
>> just don't show much in the way of good operational security.
>> 
>> Aside: A few years ago, a non-US friend of mine mentioned a conversation
>> he'd had with a cyber guy from his own country's military.  According to
>> this guy, about 130 countries had active military cyberwarfare units.  I
>> don't suppose that the likes of Ruritania has one, but I think it's a safe
>> assumption that more or less every first and second world country, and not
>> a few third world ones are in the list.
>> 
>> The claim here is not not that China is engaging in cyberespionage.  That
>> would go under the heading of "I'm shocked, shocked to find that there's
>> spying going on here." Rather, the issue that's being raised is the target:
>> commercial firms, rather than the usual military and government secrets.
>> That is what the US is saying goes beyond the usual rules of the game.  In
>> fact, the US has blamed not just China but also Russia, France, and Israel
>> (see http://www.israelnationalnews.com/News/News.aspx/165108 -- and note
>> that that's an Israeli news site) for such activities.  France was
>> notorious
>> for that in the 1990s; there were many press reports of bugged first class
>> seats on Air France, for example.
>> 
>> The term for what's going on is "cyberexploitation", as opposed to
>> "cyberwar".
>> The US has never come out against it in principle, though it never likes it
>> when aimed at the US.  (Every other nation feels the same way about its
>> companies and networks, of course.)  For a good analysis of the legal
>> aspects,
>> see
>> http://www.lawfareblog.com/2011/08/what-is-the-government%E2%80%99s-strategy-for-the-cyber-exploitation-threat/
>> 
>> 
>> 
>> 
>>--Steve Bellovin, https://www.cs.columbia.edu/~smb
>> 
>> 
>> 
>> 
>> 
>> 
>> 




Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)

2013-02-20 Thread Scott Weeks


--- s...@cs.columbia.edu wrote:
From: Steven Bellovin 

An amazing percentage of "private" lines are pseudowires, and neither you nor 
your telco salesdroid can know or tell; even the "real" circuits are routed 
through DACS, ATM switches, and the like.  This is what link encryptors are 
all about; use them.  
-



I would sure be interested in hearing about hands-on operational
experiences with encryptors.  Recent experiences have left me 
with a sour taste in my mouth.  blech!

scott





Re: IPv6 Routes in L3

2013-02-20 Thread Darton Williams
Sorry for the noise, I just looked at Level3 LG again (it returned unknown
error messages the last time I tried this). Approximating the same route,
their trace reaches fed2 and actually leaves the inter-VLAN whereas mine
stops at hop 13 here. I'm guessing the !filtered at the destination is just
ICMP.

Traceroute results from Salt Lake City, UT
to 2001:4178:2:1269::fed2

  1 vl-11.car2.SaltLakeCity1.Level3.net (2001:1900:4:1::13E) 0 msec 0
msec 0 msec
  2 vl-4043.edge3.Denver1.Level3.net (2001:1900:4:1::142) 56 msec 32 msec 8 msec
  3 vl-4080.edge6.Denver1.Level3.net (2001:1900:4:1::2E) 8 msec 12 msec
vl-4081.edge6.Denver1.Level3.net (2001:1900:4:1::32) 12 msec
  4 vl-4042.edge1.Chicago2.Level3.net (2001:1900:4:1::36) 36 msec 36
msec 36 msec
  5 vl-4067.car1.Chicago1.Level3.net (2001:1900:4:1::1D) 36 msec 36 msec 40 msec
  6 vl-4061.car2.NewYork2.Level3.net (2001:1900:4:1::22) 88 msec 180
msec 204 msec
  7 vl-4081.car1.NewYork2.Level3.net (2001:1900:4:1::F5) 60 msec 56 msec 56 msec
  8 vl-4061.edge2.Washington1.Level3.net (2001:1900:4:1::105) 64 msec
60 msec 64 msec
  9 vl-4080.edge1.Washington1.Level3.net (2001:1900:4:1::D1) 60 msec
60 msec 64 msec
 10 vl-4086.edge3.Paris1.Level3.net (2001:1900:6:1::15) 160 msec 144
msec 144 msec
 11 vl-4081.edge4.Paris1.Level3.net (2001:1900:5:1::12E) 140 msec
vl-4080.edge4.Paris1.Level3.net (2001:1900:5:1::12A) 144 msec
vl-4081.edge4.Paris1.Level3.net (2001:1900:5:1::12E) 140 msec
 12 vl-4060.edge3.Frankfurt1.Level3.net (2001:1900:5:1::215) 152 msec
176 msec 148 msec
 13 vl-4043.car1.Munich1.Level3.net (2001:1900:5:1::25E) 172 msec 184
msec 220 msec
 14 2001:1900:5:2:2::302 156 msec 156 msec 156 msec
 15 te9-1-c1.net.muc2.internetx.de (2001:4178:1::6) 160 msec 160 msec 160 msec
 16 2001:4178:2:1269::FED2 !filtered  !filtered  !filtered


On Wed, Feb 20, 2013 at 10:39 PM, Darton Williams  wrote:

> Anyone have visibility on Level 3 IPv6 routing? I'm unable to reach
> http://fedoraproject.org by their primary and ended up having to spoof a
> secondary in local DNS. Note that this is on HughesNet; multiple levels of
> support have been clueless or stumped.
>
> For the curious:
>
> [darton@dkw-vostro ~]$ dig -6 @google-public-dns-a.google.com -t 
> www.fedoraproject.org
>
> ; <<>> DiG 9.9.2-P1-RedHat-9.9.2-3.P1.fc17 <<>> -6 @
> google-public-dns-a.google.com -t  www.fedoraproject.org
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21521
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.fedoraproject.org. IN 
>
> ;; ANSWER SECTION:
> www.fedoraproject.org. 1200 IN CNAME wildcard.fedoraproject.org.
> wildcard.fedoraproject.org. 1200 IN  2607:f188::dead:beef:cafe:fed1
> wildcard.fedoraproject.org. 1200 IN  2001:4178:2:1269::fed2
> wildcard.fedoraproject.org. 1200 IN 
> 2610:28:3090:3001:dead:beef:cafe:fed4
>
> ;; Query time: 10 msec
> ;; SERVER: 2001:4860:4860::#53(2001:4860:4860::)
> ;; WHEN: Wed Feb 20 22:13:26 2013
> ;; MSG SIZE  rcvd: 163
>
> Love the beefy theme there...
>
> fed2 is the only one I can't reach, and though the  records are
> round-robin, fed2 appears to be the one to which HTTP requests get routed
> and tracing that takes me from Salt Lake to Munich by way of Paris before
> timing out:
>
> [darton@dkw-vostro ~]$ traceroute6 -N 64 fedoraproject.org
> traceroute to fedoraproject.org (2001:4178:2:1269::fed2), 30 hops max, 80
> byte packets
>  1  2001:5b0:216e:9590:280:aeff:fe3f:4965
> (2001:5b0:216e:9590:280:aeff:fe3f:4965)  24.672 ms  24.504 ms  24.506 ms
>  2  * * *
>  3  2001:5b0:21ff:fffa::100 (2001:5b0:21ff:fffa::100)  1079.945 ms
>  1237.825 ms  1290.435 ms
>  4  vlan122.car1.SaltLakeCity1.Level3.net (2001:1900:2100::d9d)  1341.274
> ms  1409.308 ms  1411.624 ms
>  5  vl-11.car2.SaltLakeCity1.Level3.net (2001:1900:4:1::13e)  1489.445 ms
>  1508.739 ms  1733.181 ms
>  6  vl-4043.edge3.Denver1.Level3.net (2001:1900:4:1::142)  1578.809 ms
>  1639.417 ms  1641.692 ms
>  7  vl-4081.edge6.Denver1.Level3.net (2001:1900:4:1::32)  1641.783 ms
> vl-4080.edge6.Denver1.Level3.net (2001:1900:4:1::2e)  1691.372 ms
> vl-4081.edge6.Denver1.Level3.net (2001:1900:4:1::32)  1698.425 ms
>  8  vl-4042.edge1.Chicago2.Level3.net (2001:1900:4:1::36)  1745.349 ms
>  1745.056 ms  1744.322 ms
>  9  vl-4067.car1.Chicago1.Level3.net (2001:1900:4:1::1d)  1744.410 ms
>  1744.489 ms  1737.454 ms
> 10  vl-4061.car2.NewYork2.Level3.net (2001:1900:4:1::22)  1873.919 ms
>  1873.887 ms  1870.193 ms
> 11  vl-4080.car1.NewYork2.Level3.net (2001:1900:4:1::f1)  1766.868 ms
>  1766.506 ms  1765.284 ms
> 12  vl-4061.edge2.Washington1.Level3.net (2001:1900:4:1::105)  1767.345
> ms  1767.463 ms  1767.493 ms
> 13  vl-4081.edge1.Washington1.Level3.net (2001:1900:4:1::d5)  1767.633 ms
> vl-4083.edge1.Washington1.Level3.net (2001:1900:4:1::dd)  1801.766 ms
> vl-4081.edge1.Washington1.Level3.net (2001:1900:4:1::d5)  1801.754 ms
> 1

IPv6 Routes in L3

2013-02-20 Thread Darton Williams
Anyone have visibility on Level 3 IPv6 routing? I'm unable to reach
http://fedoraproject.org by their primary and ended up having to spoof a
secondary in local DNS. Note that this is on HughesNet; multiple levels of
support have been clueless or stumped.

For the curious:

[darton@dkw-vostro ~]$ dig -6 @google-public-dns-a.google.com -t 
www.fedoraproject.org

; <<>> DiG 9.9.2-P1-RedHat-9.9.2-3.P1.fc17 <<>> -6 @
google-public-dns-a.google.com -t  www.fedoraproject.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21521
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.fedoraproject.org. IN 

;; ANSWER SECTION:
www.fedoraproject.org. 1200 IN CNAME wildcard.fedoraproject.org.
wildcard.fedoraproject.org. 1200 IN  2607:f188::dead:beef:cafe:fed1
wildcard.fedoraproject.org. 1200 IN  2001:4178:2:1269::fed2
wildcard.fedoraproject.org. 1200 IN 
2610:28:3090:3001:dead:beef:cafe:fed4

;; Query time: 10 msec
;; SERVER: 2001:4860:4860::#53(2001:4860:4860::)
;; WHEN: Wed Feb 20 22:13:26 2013
;; MSG SIZE  rcvd: 163

Love the beefy theme there...

fed2 is the only one I can't reach, and though the  records are
round-robin, fed2 appears to be the one to which HTTP requests get routed
and tracing that takes me from Salt Lake to Munich by way of Paris before
timing out:

[darton@dkw-vostro ~]$ traceroute6 -N 64 fedoraproject.org
traceroute to fedoraproject.org (2001:4178:2:1269::fed2), 30 hops max, 80
byte packets
 1  2001:5b0:216e:9590:280:aeff:fe3f:4965
(2001:5b0:216e:9590:280:aeff:fe3f:4965)  24.672 ms  24.504 ms  24.506 ms
 2  * * *
 3  2001:5b0:21ff:fffa::100 (2001:5b0:21ff:fffa::100)  1079.945 ms
 1237.825 ms  1290.435 ms
 4  vlan122.car1.SaltLakeCity1.Level3.net (2001:1900:2100::d9d)  1341.274
ms  1409.308 ms  1411.624 ms
 5  vl-11.car2.SaltLakeCity1.Level3.net (2001:1900:4:1::13e)  1489.445 ms
 1508.739 ms  1733.181 ms
 6  vl-4043.edge3.Denver1.Level3.net (2001:1900:4:1::142)  1578.809 ms
 1639.417 ms  1641.692 ms
 7  vl-4081.edge6.Denver1.Level3.net (2001:1900:4:1::32)  1641.783 ms
vl-4080.edge6.Denver1.Level3.net (2001:1900:4:1::2e)  1691.372 ms
vl-4081.edge6.Denver1.Level3.net (2001:1900:4:1::32)  1698.425 ms
 8  vl-4042.edge1.Chicago2.Level3.net (2001:1900:4:1::36)  1745.349 ms
 1745.056 ms  1744.322 ms
 9  vl-4067.car1.Chicago1.Level3.net (2001:1900:4:1::1d)  1744.410 ms
 1744.489 ms  1737.454 ms
10  vl-4061.car2.NewYork2.Level3.net (2001:1900:4:1::22)  1873.919 ms
 1873.887 ms  1870.193 ms
11  vl-4080.car1.NewYork2.Level3.net (2001:1900:4:1::f1)  1766.868 ms
 1766.506 ms  1765.284 ms
12  vl-4061.edge2.Washington1.Level3.net (2001:1900:4:1::105)  1767.345 ms
 1767.463 ms  1767.493 ms
13  vl-4081.edge1.Washington1.Level3.net (2001:1900:4:1::d5)  1767.633 ms
vl-4083.edge1.Washington1.Level3.net (2001:1900:4:1::dd)  1801.766 ms
vl-4081.edge1.Washington1.Level3.net (2001:1900:4:1::d5)  1801.754 ms
14  vl-4086.edge3.Paris1.Level3.net (2001:1900:6:1::15)  1844.308 ms
 1844.440 ms  1844.908 ms
15  vl-4081.edge4.Paris1.Level3.net (2001:1900:5:1::12e)  1844.358 ms
 1844.415 ms vl-4080.edge4.Paris1.Level3.net (2001:1900:5:1::12a)  1843.473
ms
16  vl-4060.edge3.Frankfurt1.Level3.net (2001:1900:5:1::215)  1845.091 ms
 1845.065 ms  1845.030 ms
17  vl-4043.car1.Munich1.Level3.net (2001:1900:5:1::25e)  1845.052 ms
 1845.033 ms  1897.648 ms
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

fed4 is a different route:

[darton@dkw-vostro ~]$ traceroute6 2610:28:3090:3001:dead:beef:cafe:fed4
traceroute to 2610:28:3090:3001:dead:beef:cafe:fed4
(2610:28:3090:3001:dead:beef:cafe:fed4), 30 hops max, 80 byte packets
 1  2001:5b0:216e:9590:280:aeff:fe3f:4965
(2001:5b0:216e:9590:280:aeff:fe3f:4965)  15.410 ms  15.337 ms  15.269 ms
 2  * * *
 3  2001:5b0:21ff:fffa::100 (2001:5b0:21ff:fffa::100)  897.468 ms  915.494
ms  975.368 ms
 4  vlan122.car1.SaltLakeCity1.Level3.net (2001:1900:2100::d9d)  1026.481
ms  1044.762 ms  1164.987 ms
 5  vl-4046.edge5.LosAngeles1.Level3.net (2001:1900:4:1::279)  1198.366 ms
 1406.782 ms  1504.377 ms
 6  vl-60.edge1.LosAngeles9.Level3.net (2001:1900:12:1::d)  1602.064 ms
 789.763 ms  646.960 ms
 7  gblx-level3-10G.LosAngeles9.Level3.net (2001:1900:4:3::276)  702.353 ms
 733.689 ms  902.689 ms
 8  snvang.abilene.ucaid.edu (2001:504:d::bd)  966.739 ms  1006.089 ms
 1090.304 ms
 9  * * *
10  xe-1-0-2.60.rtr.atla.net.internet2.edu (2001:468:1:60::1)  1260.105 ms
 1342.136 ms  1386.991 ms
11  chlt7600-gw-to-chltcrs-gw.ncren.net (2610:28:10c:5::2)  1439.616 ms
 1550.497 ms  1630.215 ms
12  manningkid-to-chlt7600-gw.ncren.net (2610:28:10c:7::2)  1034.366 ms
 1034.401 ms  1172.668 ms
13  2610:28:3090:23::2 (2610:28:3090:23::2)  1003.700 ms  1017.225 ms *
14  2610:28:3090:3001:dead:beef:cafe:fed4
(2610:28:3090:3001:dead:beef:cafe:fed4)  921.136 ms !X  832.055 ms !X
 789.599 ms !X

Any ideas/c

T-Mobile Debuts Novel Network Management with GoSmart

2013-02-20 Thread Jay Ashworth
Check this out.

Cheers,
-- jra

http://www.phonescoop.com/articles/article.php?a=11956

This email was sent via Phone Scoop (www.phonescoop.com). The sender thought 
you might be interested in the page linked above.



Re: NYT covers China cyberthreat

2013-02-20 Thread Suresh Ramasubramanian
Very true. The objection is more that the exploits are aimed at civilian
rather than (or, more accurately, as well as) military / government /
beltway targets.

Which makes the alleged chinese strategy rather more like financing jehadis
to suicide bomb and shoot up hotels and train stations, rather than any
sort of disciplined warfare or espionage.

--srs (htc one x)
On 21-Feb-2013 7:40 AM, "Steven Bellovin"  wrote:

>
> On Feb 20, 2013, at 1:33 PM, valdis.kletni...@vt.edu wrote:
>
> > On Wed, 20 Feb 2013 15:39:42 +0900, Randy Bush said:
> >> boys and girls, all the cyber-capable countries are cyber-culpable.  you
> >> can bet that they are all snooping and attacking each other, the united
> >> states no less than the rest.  news at eleven.
> >
> > The scary part is that so many things got hacked by a bunch of people
> > who made the totally noob mistake of launching all their attacks from
> > the same place
>
>
> This strongly suggests that it's not their A-team, for whatever value of
> "their" you prefer.  (My favorite mistake was some of them updating their
> Facebook pages when their work took them outside the Great Firewall.) They
> just don't show much in the way of good operational security.
>
> Aside: A few years ago, a non-US friend of mine mentioned a conversation
> he'd had with a cyber guy from his own country's military.  According to
> this guy, about 130 countries had active military cyberwarfare units.  I
> don't suppose that the likes of Ruritania has one, but I think it's a safe
> assumption that more or less every first and second world country, and not
> a few third world ones are in the list.
>
> The claim here is not not that China is engaging in cyberespionage.  That
> would go under the heading of "I'm shocked, shocked to find that there's
> spying going on here." Rather, the issue that's being raised is the target:
> commercial firms, rather than the usual military and government secrets.
> That is what the US is saying goes beyond the usual rules of the game.  In
> fact, the US has blamed not just China but also Russia, France, and Israel
> (see http://www.israelnationalnews.com/News/News.aspx/165108 -- and note
> that that's an Israeli news site) for such activities.  France was
> notorious
> for that in the 1990s; there were many press reports of bugged first class
> seats on Air France, for example.
>
> The term for what's going on is "cyberexploitation", as opposed to
> "cyberwar".
> The US has never come out against it in principle, though it never likes it
> when aimed at the US.  (Every other nation feels the same way about its
> companies and networks, of course.)  For a good analysis of the legal
> aspects,
> see
> http://www.lawfareblog.com/2011/08/what-is-the-government%E2%80%99s-strategy-for-the-cyber-exploitation-threat/
>
>
>
>
> --Steve Bellovin, https://www.cs.columbia.edu/~smb
>
>
>
>
>
>
>


Re: FCC Commits to Opening Up More 5GHz Airwaves

2013-02-20 Thread Jay Ashworth
Oh, /I'm/ the Whacky Weekend thread this week?

Thnks.
- jra 

Owen DeLong  wrote:

>"I've hacked JRA's private key and I approve this message."
>
>(just kidding, but someone had to say it.)
>
>Owen
>
>On Feb 20, 2013, at 17:52 , Jay Ashworth  wrote:
>
>> That way lies madness and sweaty palms, Jason.
>> 
>> But mostly you know because I haven't ever aimed such robots at the
>> list in the 18 years I've been on it.
>> -jra
>> 
>> Jason Baugher  wrote:
>> 
>>> But how do we KNOW this really came from you? :)
>>> 
>>> 
>>> On Wed, Feb 20, 2013 at 2:34 PM, Jay Ashworth  wrote:
>>>
>>>> Oooh.  We're getting even cleverer.  No, this wasn't me either.
>>>>
>>>> Moderators: please put my address on moderation?
>>>>
>>>> Cheers,
>>>> -- jr 'yes, this request really came from me :-)' a
>>>>
>>>> - Original Message -
>>>>> From: "Jay Ashworth"
>>>>> To: nanog@nanog.org
>>>>> Sent: Wednesday, February 20, 2013 2:49:49 PM
>>>>> Subject: FCC Commits to Opening Up More 5GHz Airwaves
>>>>> Might this solve the "10MB problem" discussed on NANOG?
>>>>>
>>>>> Cheers,
>>>>> -- jra
>>>>>
>>>>> http://www.phonescoop.com/articles/article.php?a=11953
>>>>>
>>>>> This email was sent via Phone Scoop (www.phonescoop.com). The sender
>>>>> thought you might be interested in the page linked above.
>>>>
>>>> --
>>>> Jay R. Ashworth  Baylink  j...@baylink.com
>>>> Designer The Things I Think  RFC 2100
>>>> Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
>>>> St Petersburg FL USA   #natog  +1 727 647 1274
>>>>
>> 
>> -- 
>> Sent from my Android phone with K-9 Mail. Please excuse my brevity.

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.


Re: FCC Commits to Opening Up More 5GHz Airwaves

2013-02-20 Thread Owen DeLong
"I've hacked JRA's private key and I approve this message."

(just kidding, but someone had to say it.)

Owen

On Feb 20, 2013, at 17:52 , Jay Ashworth  wrote:

> That way lies madness and sweaty palms, Jason.
> 
> But mostly you know because I haven't ever aimed such robots at the list in 
> the 18 years I've been on it.
> -jra
> 
> Jason Baugher  wrote:
> 
>> But how do we KNOW this really came from you? :)
>> 
>> 
>> On Wed, Feb 20, 2013 at 2:34 PM, Jay Ashworth  wrote:
>> 
>>> Oooh.  We're getting even cleverer.  No, this wasn't me either.
>>> 
>>> Moderators: please put my address on moderation?
>>> 
>>> Cheers,
>>> -- jr 'yes, this request really came from me :-)' a
>>> 
>>> - Original Message -
>>>> From: "Jay Ashworth"
>>>> To: nanog@nanog.org
>>>> Sent: Wednesday, February 20, 2013 2:49:49 PM
>>>> Subject: FCC Commits to Opening Up More 5GHz Airwaves
>>>> Might this solve the "10MB problem" discussed on NANOG?
>>>>
>>>> Cheers,
>>>> -- jra
>>>>
>>>> http://www.phonescoop.com/articles/article.php?a=11953
>>>>
>>>> This email was sent via Phone Scoop (www.phonescoop.com). The sender
>>>> thought you might be interested in the page linked above.
>>>
>>> --
>>> Jay R. Ashworth  Baylink  j...@baylink.com
>>> Designer The Things I Think  RFC 2100
>>> Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
>>> St Petersburg FL USA   #natog  +1 727 647 1274
>>> 
>>> 
> 
> -- 
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.




Re: NYT covers China cyberthreat

2013-02-20 Thread Steven Bellovin

On Feb 20, 2013, at 1:33 PM, valdis.kletni...@vt.edu wrote:

> On Wed, 20 Feb 2013 15:39:42 +0900, Randy Bush said:
>> boys and girls, all the cyber-capable countries are cyber-culpable.  you
>> can bet that they are all snooping and attacking each other, the united
>> states no less than the rest.  news at eleven.
> 
> The scary part is that so many things got hacked by a bunch of people
> who made the totally noob mistake of launching all their attacks from
> the same place


This strongly suggests that it's not their A-team, for whatever value of
"their" you prefer.  (My favorite mistake was some of them updating their
Facebook pages when their work took them outside the Great Firewall.) They
just don't show much in the way of good operational security.

Aside: A few years ago, a non-US friend of mine mentioned a conversation
he'd had with a cyber guy from his own country's military.  According to
this guy, about 130 countries had active military cyberwarfare units.  I
don't suppose that the likes of Ruritania has one, but I think it's a safe
assumption that more or less every first and second world country, and not
a few third world ones are in the list.

The claim here is not not that China is engaging in cyberespionage.  That
would go under the heading of "I'm shocked, shocked to find that there's
spying going on here." Rather, the issue that's being raised is the target:
commercial firms, rather than the usual military and government secrets.
That is what the US is saying goes beyond the usual rules of the game.  In
fact, the US has blamed not just China but also Russia, France, and Israel
(see http://www.israelnationalnews.com/News/News.aspx/165108 -- and note
that that's an Israeli news site) for such activities.  France was notorious
for that in the 1990s; there were many press reports of bugged first class
seats on Air France, for example.

The term for what's going on is "cyberexploitation", as opposed to "cyberwar".
The US has never come out against it in principle, though it never likes it
when aimed at the US.  (Every other nation feels the same way about its
companies and networks, of course.)  For a good analysis of the legal aspects,
see 
http://www.lawfareblog.com/2011/08/what-is-the-government%E2%80%99s-strategy-for-the-cyber-exploitation-threat/




--Steve Bellovin, https://www.cs.columbia.edu/~smb








Re: can you share ipv6 addressallocation

2013-02-20 Thread Owen DeLong
First, if you are starting from a /32 and deciding how to carve it up from 
there, you are already approaching the problem backwards.

The correct approach (general broad strokes) is to:

1.  Identify your subnetting needs.
    A.  Infrastructure addressing
    B.  Internal IT needs within the company
    C.  Customer network needs (usually best to count the Infrastructure
        and Internal IT as n*customers at this point when rolling this
        all up into a total number of subnets needed).
    D.  Decide on a customer end-site subnet size (unless this is an
        exceptional case, /48 is a good number to use)

2.  Identify the natural aggregation points in your network.

3.  Identify the number of /48s (or whatever other size you decided in D)
    needed in your largest aggregation site. (This should be the sum of
    all subordinate end-user networks as well as any infrastructure
    networks, etc.)

    Round that up to a nibble boundary ensuring at least a 25% free space.

4.  Identify the total number of aggregation points at the hierarchy
    level identified in (3) above.

5.  Round that up to a nibble boundary as well.

6.  Make a request for the prefix size determined by taking the number in
    1D (/48) and subtracting the number of bits identified in (3) and (5).
    e.g. your largest aggregation point serves 50,000 customer end sites
    and you have 196 such aggregation points. Each customer end-site is to
    receive a /48.

    50,000 customer end-sites is 16-bits. To get a 25% min free, we must
    round up to 20. This count includes 2 customer end-sites to support ISP
    infrastructure and internal IT needs, respectively.

    196 aggregation points is 8-bits. To get a 25% min free, we must round
    up to 12.

    48-20=28-12=16 -- This network should request a /16 from their RIR.

Notes:

This is a severe oversimplification. Obviously more details will be required 
and the process must be adapted to each individual ISP's network topology and 
other considerations.

Your first several iterations of addressing plan will be wrong. Accept it, 
deploy it, and expect to redo it a few times before you're completely happy 
with it.

Plan big, deploy small the first few times so that you can learn lessons about 
the big plan while the deployments are still small.

Owen

On Feb 20, 2013, at 14:44 , Deric Kwok  wrote:

> Hi all
> 
> I am searching information about ipv6 addressallocation for /32
> 
> Any experience and advice can be shared
> 
> eg: loopback. peer to peer,
> 
> Thank you so much
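The sizing arithmetic from steps 3 to 6 of the reply above, as an added example (not part of the original post): it rounds each count up to a nibble boundary with at least 25% free, derives the prefix length to request, and lists the first per-aggregation-point prefixes. The function names, the smaller second plan and the 2001:db8::/36 documentation prefix are constructed for illustration.

```python
"""Nibble-aligned IPv6 allocation sizing with a minimum free-space margin.

Added illustration only; inputs other than the 50,000 / 196 / /48 figures
quoted in the post are constructed.
"""
import ipaddress
from itertools import islice

NIBBLE = 4  # one hex digit, so prefix boundaries fall between digits


def bits_with_headroom(count, min_free_pct=25):
    """Smallest multiple of 4 bits that holds `count` items while leaving
    at least `min_free_pct` percent of the space unused."""
    if count < 1:
        raise ValueError("count must be at least 1")
    bits = NIBBLE
    # Integer arithmetic: count may use at most (100 - min_free_pct)% of 2**bits.
    while count * 100 > (100 - min_free_pct) * (1 << bits):
        bits += NIBBLE
    return bits


def plan_request(end_site_len, largest_agg_sites, agg_points, min_free_pct=25):
    """Work out the prefix length to request (step 6 of the post).

    end_site_len      prefix length given to each end site (1D, usually 48)
    largest_agg_sites end sites behind the largest aggregation point (3)
    agg_points        number of aggregation points at that level (4)
    """
    site_bits = bits_with_headroom(largest_agg_sites, min_free_pct)
    agg_bits = bits_with_headroom(agg_points, min_free_pct)
    agg_prefix_len = end_site_len - site_bits
    request_len = agg_prefix_len - agg_bits
    if request_len < 1:
        raise ValueError("plan does not fit in the IPv6 address space")
    return {
        "site_bits": site_bits,
        "agg_bits": agg_bits,
        "agg_prefix_len": agg_prefix_len,
        "request_len": request_len,
    }


def carve(allocation, plan, how_many):
    """Return the first `how_many` aggregation-point prefixes inside an
    allocation whose length matches the plan."""
    net = ipaddress.ip_network(allocation)
    if net.prefixlen != plan["request_len"]:
        raise ValueError("allocation is /%d, plan needs /%d"
                         % (net.prefixlen, plan["request_len"]))
    subnets = net.subnets(new_prefix=plan["agg_prefix_len"])
    return [str(n) for n in islice(subnets, how_many)]


if __name__ == "__main__":
    # The worked numbers from the post.
    print(plan_request(48, 50000, 196))
    # A constructed, much smaller plan that fits in documentation space.
    small = plan_request(48, 10, 100)
    print(small, carve("2001:db8::/36", small, 3))
```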




Re: FCC Commits to Opening Up More 5GHz Airwaves

2013-02-20 Thread Jay Ashworth
That way lies madness and sweaty palms, Jason.

But mostly you know because I haven't ever aimed such robots at the list in the 
18 years I've been on it.
-jra

Jason Baugher  wrote:

>But how do we KNOW this really came from you? :)
>
>
>On Wed, Feb 20, 2013 at 2:34 PM, Jay Ashworth  wrote:
>
>> Oooh.  We're getting even cleverer.  No, this wasn't me either.
>>
>> Moderators: please put my address on moderation?
>>
>> Cheers,
>> -- jr 'yes, this request really came from me :-)' a
>>
>> - Original Message -
>> > From: "Jay Ashworth" 
>> > To: nanog@nanog.org
>> > Sent: Wednesday, February 20, 2013 2:49:49 PM
>> > Subject: FCC Commits to Opening Up More 5GHz Airwaves
>> > Might this solve the "10MB problem" discussed on NANOG?
>> >
>> > Cheers,
>> > -- jra
>> >
>> > http://www.phonescoop.com/articles/article.php?a=11953
>> >
>> > This email was sent via Phone Scoop (www.phonescoop.com). The sender
>> > thought you might be interested in the page linked above.
>>
>> --
>> Jay R. Ashworth  Baylink   j...@baylink.com
>> Designer The Things I Think   RFC 2100
>> Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
>> St Petersburg FL USA   #natog  +1 727 647 1274
>>
>>

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.


Re: NYT covers China cyberthreat

2013-02-20 Thread Barry Shein

Failure to understand reality is not reality's fault.


On February 20, 2013 at 09:10 calin.chior...@secdisk.net (calin.chiorean) wrote:
 > 
 > If I didn't miss any part of the report, no *nix is mentioned.
 > 
 > I'm a *nix fan, but why they (when I say they, I mean an attacker, not 
 > necessarily the one in this document) should complicate their life, when all 
 > tools are available for windows os, you just have to compile them.
 > 
 > Cheers,
 > Calin
 > 
 > 
 >  On Wed, 20 Feb 2013 09:02:35 +0100 Scott Weeks  wrote  
 > 
 > >
 > > 
 > > 
 > >Be sure to read the source: 
 > > 
 > >intelreport.mandiant.com/Mandiant_APT1_Report.pdf 
 > > 
 > >I'm only part way through, but I find it hard to believe that 
 > >only micro$loth computers are used as the attack OS. Maybe I 
 > >haven't gotten far enough through report to find the part 
 > >where they use the *nix boxes? 
 > > 
 > >scott 
 > > 
 > >
 > 

-- 
-Barry Shein

The World  | b...@theworld.com   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada
Software Tool & Die| Public Access Internet | SINCE 1989 *oo*



Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)

2013-02-20 Thread Steven Bellovin

On Feb 20, 2013, at 3:20 PM, Jack Bates  wrote:

> On 2/20/2013 1:05 PM, Jon Lewis wrote:
>> 
>> See thread: nanog impossible circuit
>> 
>> Even your leased lines can have packets copied off or injected into them, 
>> apparently so easily it can be done by accident.
>> 
> 
> This is especially true with pseudo-wire and mpls. Most of my equipment can 
> filter based mirror to alternative mpls circuits where I can drop packets 
> into my analyzers. If I misconfigure, those packets could easily find 
> themselves back on public networks.
> 
An amazing percentage of "private" lines are pseudowires, and neither you nor 
your telco salesdroid can know or tell; even the "real" circuits are routed 
through DACS, ATM switches, and the like.  This is what link encryptors are all 
about; use them.  (Way back when, we had a policy of using link encryptors on 
all overseas circuits -- there was a high enough probability of underwater 
fiber cuts, perhaps by fishing trawlers or "fishing trawlers", that our 
circuits might suddenly end up on a satellite link.  And we were only worrying 
about commercial-grade security.)


--Steve Bellovin, https://www.cs.columbia.edu/~smb








Re: NYT covers China cyberthreat

2013-02-20 Thread Warren Bailey
I can't help but wonder what would happen if US Corporations simply blocked all 
inbound Chinese traffic. Sure it would hurt their business, but imagine what 
the Chinese people would do in response. It seems like China takes very little 
seriously until it goes mainstream. This is happening right now with their 
political system, they are attempting (publicly) to rid themselves of bad 
apples. I think this applies to the majority of the Internet dependent 
countries, people are ready to jump out of a window if facebook or Twitter is 
down. Imagine the revolt after every major US based provider stopped taking 
their calls, and data. I understand the implications, but I think this may be 
the only real way to spank them (I know the financial ramifications..)


From my Android phone on T-Mobile. The first nationwide 4G network.



 Original message 
From: Suresh Ramasubramanian 
Date: 02/20/2013 5:22 PM (GMT-08:00)
To: sur...@mauigateway.com
Cc: nanog@nanog.org
Subject: Re: NYT covers China cyberthreat


Net net - what we have here is, so far, relatively low tech exploits with a
huge element of brute force, and the only innovation being in the delivery
mechanism - very well crafted spear phishes

They don't particularly need to hide in a location where they're literally
bulletproof (considering how many crimes have the death penalty in china,
said penalty being enforced by a bullet to the head and your family billed
for the bullet, if I remember correctly)

Now there's a light shone on it all, despite the official denial, you'll
simply see this office building shift to an even more anonymous business
park halfway across the country (or maybe inside an army base that people
just can't wander into and photograph), and the exploits will simply start
to cover their traces better.

Sure they'll evolve - let them.  The point here is that they're going to
evolve anyway if we let them operate with impunity from a location where
they're bulletproof.

--srs

On Thursday, February 21, 2013, Scott Weeks wrote:

>
>
> --- valdis.kletni...@vt.edu  wrote:
> The scary part is that so many things got hacked by a bunch of people
> who made the totally noob mistake of launching all their attacks from
> the same place
> 
>
>
> This all seems to be noobie stuff.  There's nothing technically cool
> to see here.  All they do is spear phishing and, once the link is
> clicked, put in a backdoor that uses commonly available tools.  As
> I suspected earlier it's M$ against M$ only.
>
> The downside is nontechnical folks in positions of power often have
> sensitive data on their computers, only know M$ and don't have the
> knowledge to not click on that "bank" email.
>
> Technically, it was 74 pages of yawn.  Don't waste your time unless
> you're interested in how they found out where the attack was
> originating from and how they tied it to the .cn gov't.
>
> scott
>
>

--
--srs (iPad)



Re: FCC Commits to Opening Up More 5GHz Airwaves

2013-02-20 Thread Jason Baugher
But how do we KNOW this really came from you? :)


On Wed, Feb 20, 2013 at 2:34 PM, Jay Ashworth  wrote:

> Oooh.  We're getting even cleverer.  No, this wasn't me either.
>
> Moderators: please put my address on moderation?
>
> Cheers,
> -- jr 'yes, this request really came from me :-)' a
>
> - Original Message -
> > From: "Jay Ashworth" 
> > To: nanog@nanog.org
> > Sent: Wednesday, February 20, 2013 2:49:49 PM
> > Subject: FCC Commits to Opening Up More 5GHz Airwaves
> > Might this solve the "10MB problem" discussed on NANOG?
> >
> > Cheers,
> > -- jra
> >
> > http://www.phonescoop.com/articles/article.php?a=11953
> >
> > This email was sent via Phone Scoop (www.phonescoop.com). The sender
> > thought you might be interested in the page linked above.
>
> --
> Jay R. Ashworth  Baylink   j...@baylink.com
> Designer The Things I Think   RFC 2100
> Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
> St Petersburg FL USA   #natog  +1 727 647 1274
>
>


Re: NYT covers China cyberthreat

2013-02-20 Thread Suresh Ramasubramanian
Net net - what we have here is, so far, relatively low tech exploits with a
huge element of brute force, and the only innovation being in the delivery
mechanism - very well crafted spear phishes

They don't particularly need to hide in a location where they're literally
bulletproof (considering how many crimes have the death penalty in china,
said penalty being enforced by a bullet to the head and your family billed
for the bullet, if I remember correctly)

Now there's a light shone on it all, despite the official denial, you'll
simply see this office building shift to an even more anonymous business
park halfway across the country (or maybe inside an army base that people
just can't wander into and photograph), and the exploits will simply start
to cover their traces better.

Sure they'll evolve - let them.  The point here is that they're going to
evolve anyway if we let them operate with impunity from a location where
they're bulletproof.

--srs

On Thursday, February 21, 2013, Scott Weeks wrote:

>
>
> --- valdis.kletni...@vt.edu  wrote:
> The scary part is that so many things got hacked by a bunch of people
> who made the totally noob mistake of launching all their attacks from
> the same place
> 
>
>
> This all seems to be noobie stuff.  There's nothing technically cool
> to see here.  All they do is spear phishing and, once the link is
> clicked, put in a backdoor that uses commonly available tools.  As
> I suspected earlier it's M$ against M$ only.
>
> The downside is nontechnical folks in positions of power often have
> sensitive data on their computers, only know M$ and don't have the
> knowledge to not click on that "bank" email.
>
> Technically, it was 74 pages of yawn.  Don't waste your time unless
> you're interested in how they found out where the attack was
> originating from and how they tied it to the .cn gov't.
>
> scott
>
>

-- 
--srs (iPad)


Re: NYT covers China cyberthreat

2013-02-20 Thread Scott Weeks


--- valdis.kletni...@vt.edu wrote:
The scary part is that so many things got hacked by a bunch of people
who made the totally noob mistake of launching all their attacks from
the same place



This all seems to be noobie stuff.  There's nothing technically cool 
to see here.  All they do is spear phishing and, once the link is 
clicked, put in a backdoor that uses commonly available tools.  As 
I suspected earlier it's M$ against M$ only.  

The downside is nontechnical folks in positions of power often have 
sensitive data on their computers, only know M$ and don't have the 
knowledge to not click on that "bank" email.

Technically, it was 74 pages of yawn.  Don't waste your time unless 
you're interested in how they found out where the attack was 
originating from and how they tied it to the .cn gov't.

scott



Re: can you share ipv6 address allocation

2013-02-20 Thread joel jaeggli
How you subnet a network operator is a fairly complex topic even if the 
principles are rather simple.


http://tools.ietf.org/html/rfc5375.html

includes among other things some case studies.

there's quite a lot of source material from the various nog(s) where 
people have presented on their own experiences.


http://www.getipv6.info/index.php/IPv6_Presentations_and_Documents


On 2/20/13 2:44 PM, Deric Kwok wrote:

> Hi all
>
> I am searching information about ipv6 address allocation for /32
>
> Any experience and advice can be shared
>
> eg: loopback. peer to peer,
>
> Thank you so much






can you share ipv6 address allocation

2013-02-20 Thread Deric Kwok
Hi all

I am searching information about ipv6 address allocation for /32

Any experience and advice can be shared

eg: loopback. peer to peer,

Thank you so much



Re: Anyone know of a good InfiniBand vendor in the US?

2013-02-20 Thread Tom Ammon
IPoIB looks more like an application than a network protocol to Infiniband.
The IB fabric doesn't have a concept of broadcast, so ARP works much
differently than it does in IPv4/ethernet world - basically an all-nodes
multicast group handles the distribution of ARP messages. That said, the ib
drivers that come with redhat/centos are pretty good, and you can always
download the official OFED drivers from the OFA at
https://www.openfabrics.org/linux-sources.html if the stuff in your linux
distribution is missing something.

I've set up IPoIB routers running 10G NICs on the ethernet side and QDR
HCAs on the IB side, using quagga to plug in to the rest of my OSPF
network, and it works fine. Basically you just need to set up quagga like
you would if you were going to turn a linux box into an ethernet router and
don't worry about the fact that it's actually IB on one side of the router
- your network statements, etc., in OSPF in quagga won't change at all.

You'll find that some things in IB have no equivalent to ethernet. For
example, if you want to have gateway redundancy for traffic exiting the IB
fabric, your first instinct will be to look for VRRP for IB, but you won't
find it, because of the ARP differences I talked about above. To get around
this you can set up linux-ha or some other type of heartbeat arrangement
and bring up a virtual IP on the active gateway, which can be shifted over
to the standby gateway when the ha scripts detect a problem. Some vendors
also have proprietary solutions to this problem but they tend to be
expensive.

So, I'd say, read up on quagga and give that a try, and I think you'll find
that as long as the IB drivers are up to snuff (the sminfo command returns
valid results, etc.) it'll pretty much just work for you. I'm also happy to
discuss more offline if you prefer.

Tom



On Tue, Feb 19, 2013 at 5:55 PM, Jon Lewis  wrote:

> On Tue, 19 Feb 2013, Landon Stewart wrote:
>
>  Oh by vendor I mean VAR I guess.  Mostly I'm also wondering how an IB
>> network handles IPoIB and how one uses IB with a gateway to layer 3
>> Ethernet switches or edge routers.  If anyone has any resources that
>> provide details on how this works and how ethernet VLANs are handled I'd
>> appreciate it.
>>
>
> My limited IB experience has been that the IB switch acts much like a dumb
> ethernet switch, caring only about which IB hardware addresses are
> reachable via which port.  Routing between IPoIB and IP over ethernet can
> be done by any host with interfaces on both networks and IP forwarding
> enabled.  In our setups, we've used IPoIB, but with 1918 addresses and not
> routed beyond the IB network.
>
> --
>  Jon Lewis, MCP :)   |  I route
>  Senior Network Engineer |  therefore you are
>  Atlantic Net|
> _ http://www.lewis.org/~jlewis/pgp for PGP public key_
>
>


-- 
-
Tom Ammon
Network Engineer
M: (801) 674-9273
t...@tomsbox.net
-


Re: FCC Commits to Opening Up More 5GHz Airwaves

2013-02-20 Thread Jay Ashworth
Oooh.  We're getting even cleverer.  No, this wasn't me either.

Moderators: please put my address on moderation?

Cheers,
-- jr 'yes, this request really came from me :-)' a

- Original Message -
> From: "Jay Ashworth" 
> To: nanog@nanog.org
> Sent: Wednesday, February 20, 2013 2:49:49 PM
> Subject: FCC Commits to Opening Up More 5GHz Airwaves
> Might this solve the "10MB problem" discussed on NANOG?
> 
> Cheers,
> -- jra
> 
> http://www.phonescoop.com/articles/article.php?a=11953
> 
> This email was sent via Phone Scoop (www.phonescoop.com). The sender
> thought you might be interested in the page linked above.

-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA   #natog  +1 727 647 1274



Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)

2013-02-20 Thread Jack Bates

On 2/20/2013 1:05 PM, Jon Lewis wrote:


> See thread: nanog impossible circuit
>
> Even your leased lines can have packets copied off or injected into
> them, apparently so easily it can be done by accident.




This is especially true with pseudo-wire and mpls. Most of my equipment 
can filter based mirror to alternative mpls circuits where I can drop 
packets into my analyzers. If I misconfigure, those packets could easily 
find themselves back on public networks.


Jack



FCC Commits to Opening Up More 5GHz Airwaves

2013-02-20 Thread Jay Ashworth
Might this solve the "10MB problem" discussed on NANOG?

Cheers,
-- jra

http://www.phonescoop.com/articles/article.php?a=11953

This email was sent via Phone Scoop (www.phonescoop.com). The sender thought 
you might be interested in the page linked above.



Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)

2013-02-20 Thread David Barak
--- On Wed, 2/20/13, Jay Ashworth  wrote:

> - Original Message -
> > From: "Owen DeLong" 

> > The DACS question wasn't about DACS owned by the people
> using the
> > circuit, it was about DACS inside the circuit provider.
> When you buy a
> > DS1 that goes through more than one CO in between two
> points, you're
> > virtually guaranteed that it goes through one or more
> of {DS-3 Mux,
> > Fiber Mux, DACS, etc.}. All of these are under the
> control of the
> > circuit provider and not you.
> 
> Correct, and they expand the attack surface in ways that
> even many 
> network engineers may not consider unless prompted.

This is precisely the value of encryption on point to point links, preferably 
at the link layer rather than at the IP layer.  When coupled with decent 
end-to-end application-layer encryption on top of that, the value proposition 
for sniffing traffic from the network drops a whole lot.

David Barak
Need Geek Rock?  Try The Franchise: 
http://www.listentothefranchise.com



Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)

2013-02-20 Thread Owen DeLong
If you have that option, I suppose that would be one way to solve it.

I, rather, see it as a reason to:
1.  Cryptographically secure links that may be carrying private 
data.
2.  Rotate cryptographic keys (relatively) often on such links.

YMMV, but I think encryption is a lot cheaper than building a telco. Especially
over long distances.

Owen

On Feb 20, 2013, at 11:33 , Warren Bailey 
 wrote:

> Isn't this a strong argument to deploy and operate a network independent
> of the traditional switch circuit provider space?
> 
> On 2/20/13 11:22 AM, "Jay Ashworth"  wrote:
> 
>> - Original Message -
>>> From: "Owen DeLong" 
>> 
>>> Many DACS have provision for "monitoring" circuits and feeding the
>>> data off to a third circuit in an undetectable manner.
>>> 
>>> The DACS question wasn't about DACS owned by the people using the
>>> circuit, it was about DACS inside the circuit provider. When you buy a
>>> DS1 that goes through more than one CO in between two points, you're
>>> virtually guaranteed that it goes through one or more of {DS-3 Mux,
>>> Fiber Mux, DACS, etc.}. All of these are under the control of the
>>> circuit provider and not you.
>> 
>> Correct, and they expand the attack surface in ways that even many
>> network engineers may not consider unless prompted.
>> 
>> Cheers,
>> -- jra
>> -- 
>> Jay R. Ashworth  Baylink   j...@baylink.com
>> Designer The Things I Think   RFC 2100
>> Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
>> St Petersburg FL USA   #natog  +1 727 647 1274
>> 
>> 
> 
> 




Re: NYT covers China cyberthreat

2013-02-20 Thread Scott Weeks


--- valdis.kletni...@vt.edu wrote:
On Wed, 20 Feb 2013 15:39:42 +0900, Randy Bush said:
> boys and girls, all the cyber-capable countries are cyber-culpable.  you
> can bet that they are all snooping and attacking each other, the united
> states no less than the rest.  news at eleven.

The scary part is that so many things got hacked by a bunch of people
who made the totally noob mistake of launching all their attacks from
the same place



Maybe.  The report says the following, but it doesn't make clear 
(I'm only on page 31, so I don't know if they do later in the report) 
if this is a small botnet, or individuals manning the 937 C&C servers:


»» APT1 controls thousands of systems in support of their computer 
intrusion activities.

»» In the last two years we have observed APT1 establish a minimum of 
937 Command and Control (C2) servers hosted on 849 distinct IP addresses 
in 13 countries. The majority of these 849 unique IP addresses were
registered to organizations in China (709), followed by the U.S. (109).

»» In the last three years we have observed APT1 use fully qualified 
domain names (FQDNs) resolving to 988 unique IP addresses.

»» Over a two-year period (January 2011 to January 2013) we confirmed 
1,905 instances of APT1 actors logging into their attack infrastructure 
from 832 different IP addresses with Remote Desktop, a tool that provides 
a remote user with an interactive graphical interface to a system.

»» In the last several years we have confirmed 2,551 FQDNs attributed to 
APT1.

»» We observed 767 separate instances in which APT1 intruders used the 
“HUC Packet Transmit Tool” or HTRAN to communicate between 614 distinct 
routable IP addresses and their victims’ systems using their attack
infrastructure.



scott


Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)

2013-02-20 Thread Warren Bailey
Isn't this a strong argument to deploy and operate a network independent
of the traditional switch circuit provider space?

On 2/20/13 11:22 AM, "Jay Ashworth"  wrote:

>- Original Message -
>> From: "Owen DeLong" 
>
>> Many DACS have provision for "monitoring" circuits and feeding the
>> data off to a third circuit in an undetectable manner.
>> 
>> The DACS question wasn't about DACS owned by the people using the
>> circuit, it was about DACS inside the circuit provider. When you buy a
>> DS1 that goes through more than one CO in between two points, you're
>> virtually guaranteed that it goes through one or more of {DS-3 Mux,
>> Fiber Mux, DACS, etc.}. All of these are under the control of the
>> circuit provider and not you.
>
>Correct, and they expand the attack surface in ways that even many
>network engineers may not consider unless prompted.
>
>Cheers,
>-- jra
>-- 
>Jay R. Ashworth  Baylink   j...@baylink.com
>Designer The Things I Think   RFC 2100
>Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
>St Petersburg FL USA   #natog  +1 727 647 1274
>
>





Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)

2013-02-20 Thread Jay Ashworth
- Original Message -
> From: "Owen DeLong" 

> Many DACS have provision for "monitoring" circuits and feeding the
> data off to a third circuit in an undetectable manner.
> 
> The DACS question wasn't about DACS owned by the people using the
> circuit, it was about DACS inside the circuit provider. When you buy a
> DS1 that goes through more than one CO in between two points, you're
> virtually guaranteed that it goes through one or more of {DS-3 Mux,
> Fiber Mux, DACS, etc.}. All of these are under the control of the
> circuit provider and not you.

Correct, and they expand the attack surface in ways that even many 
network engineers may not consider unless prompted.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA   #natog  +1 727 647 1274



Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)

2013-02-20 Thread Owen DeLong
Many DACS have provision for "monitoring" circuits and feeding the data
off to a third circuit in an undetectable manner.

The DACS question wasn't about DACS owned by the people using the
circuit, it was about DACS inside the circuit provider. When you buy a
DS1 that goes through more than one CO in between two points, you're
virtually guaranteed that it goes through one or more of {DS-3 Mux,
Fiber Mux, DACS, etc.}. All of these are under the control of the circuit
provider and not you.

Owen

On Feb 20, 2013, at 09:47 , Warren Bailey 
 wrote:

> If you are doing DS0 splitting on the DACS, you'll see that on the other
> end (it's not like channelized CAS ds1's or PRI's are difficult to look at
> now) assuming you have access to that. If the DACS is an issue, buy the
> DACS and lock it up. I was on a .mil project that used old school Coastcom
> DI III Mux with RLB cards and FXO/FXS cards, that DACS carried some pretty
> top notch traffic and the microwave network (licensed .gov band) brought
> it right back to the base that project was owned by. Security is
> expensive, because you cannot leverage a service provider model
> effectively around it. You can explain the billion dollars you spent on
> your global network of CRS-1's, but CRS-1's for a single application
> usually are difficult to swallow. I'm not saying that it isn't done EVER,
> I'm just saying there are ways to avoid your 1998 red hat box from
> rpc.statd exploitation - unplug aforementioned boxen from inter webs.
> 
> If you created a LAN at your house, disabled all types of insertable
> media, and had a decent lock on your front door, it would be pretty
> difficult to own that network. Sure there are spy types that argue EMI
> emission from cable etc, but they solved that issue with their tin foil
> hats. We broadcast extremely sensitive information (financial, medical,
> etc) to probably 75% of the world's population all day long, if you walk
> outside of your house today my signal will be broadcasting down upon sunny
> St. Petersburg, Florida. Satellite Communications are widely used, the
> signal is propagated (from GSO generally) over a relatively wide area and
> no one knows the better. And for those of you who say.. I CAN LOOK AT A
> SPEC AN TO FIND THE SIGNAL, MEASURE AND DEMODULATE! Take a look at spread
> spectrum TDMA operation - my signal to noise on my returns is often -4dB
> to -6dB c/n0 and spread at a factor of 4 to 8. They are expensive, but as
> far as the planet is concerned they are awgn. I guess it's my argument
> that if you do a good enough job blending a signal into the noise, you are
> much more likely to maintain secrecy.
> 
> On 2/20/13 9:13 AM, "Jay Ashworth"  wrote:
> 
>> - Original Message -
>>> From: "Warren Bailey" 
>> 
>>> We as Americans have plenty of things we have done halfass.. I hope an
>>> Internet kill switch doesn't end up being one of them. Build your own
>>> private networks, you can't get rooted if someone can't knock. Simple
>>> as that.
>> 
>> Well, Warren, I once had a discussion with someone about whether dedicated
>> DS-1 to tie your SCADA network together were "secure enough" and they
>> asked 
>> me: 
>> 
>> "Does it run through a DACS? Where can you program the DACS from?"
>> 
>> Cheers,
>> -- jra
>> -- 
>> Jay R. Ashworth  Baylink   j...@baylink.com
>> Designer The Things I Think   RFC 2100
>> Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
>> St Petersburg FL USA   #natog  +1 727 647 1274
>> 
>> 
> 
> 




Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)

2013-02-20 Thread Jon Lewis

On Wed, 20 Feb 2013, Jay Ashworth wrote:


> Well, Warren, I once had a discussion with someone about whether dedicated
> DS-1 to tie your SCADA network together were "secure enough" and they asked
> me:
>
> "Does it run through a DACS? Where can you program the DACS from?"


See thread: nanog impossible circuit

Even your leased lines can have packets copied off or injected into them, 
apparently so easily it can be done by accident.


--
 Jon Lewis, MCP :)   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: NYT covers China cyberthreat

2013-02-20 Thread Valdis . Kletnieks
On Wed, 20 Feb 2013 15:39:42 +0900, Randy Bush said:
> boys and girls, all the cyber-capable countries are cyber-culpable.  you
> can bet that they are all snooping and attacking each other, the united
> states no less than the rest.  news at eleven.

The scary part is that so many things got hacked by a bunch of people
who made the totally noob mistake of launching all their attacks from
the same place




Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)

2013-02-20 Thread Warren Bailey
I did not approach the inline encryption units on purpose. Obviously
anything that leaves .mil land not riding something blessed by DISA is
going to have something like a KG on both ends. Generally Satellite
systems use TRANSEC, though in our line of work it's an extremely
expensive add-on to an otherwise decent security implementation. I'm not
saying it can NEVER be owned, I'm just saying that 90% of the l33t hax0rs
who are going to look to own something are doing so because it is somehow
exposed to public infrastructure. If I were to put up an SCPC (single
channel per carrier, synonymous to point to point circuits) circuit
between point A and B, the persons looking to intercept my traffic would
need to know quite a bit of information about my signals.. Origination
Point, Destination Point, Modulation, Symbol Rates, Center Frequencies, PN
codes, TRANSEC keys, IP lay out, etc.

You won't hear me talk about how something is absolutely and completely
secure, but you will hear me preach from the rooftops the application of
technology that many people believe is outdated and abandoned. There is a
reason media providers and MSO's still use Satellite to downlink video
signals. The military is still heavily invested in this type of technology
because you are able to completely bypass traditionally used
infrastructure, and Utility companies are jumping on the band wagon as
well. I know of several SCADA (massive power companies) networks that ride
satellite completely for this reason. You can justify the cost and latency
with the security of owning a network that is completely removed from the
usual infrastructure.


On 2/20/13 10:05 AM, "Jamie Bowden"  wrote:

>> From: Warren Bailey [mailto:wbai...@satelliteintelligencegroup.com]
>
>
>> If you are doing DS0 splitting on the DACS, you'll see that on the
>> other
>> end (it's not like channelized CAS ds1's or PRI's are difficult to look
>> at
>> now) assuming you have access to that. If the DACS is an issue, buy the
>> DACS and lock it up. I was on a .mil project that used old school
>> Coastcom
>> DI III Mux with RLB cards and FXO/FXS cards, that DACS carried some
>> pretty
>> top notch traffic and the microwave network (licensed .gov band)
>> brought
>> it right back to the base that project was owned by. Security is
>> expensive, because you cannot leverage a service provider model
>> effectively around it. You can explain the billion dollars you spent on
>> your global network of CRS-1's, but CRS-1's for a single application
>> usually are difficult to swallow. I'm not saying that it isn't done
>> EVER,
>> I'm just saying there are ways to avoid your 1998 red hat box from
>> rpc.statd exploitation - unplug aforementioned boxen from inter webs.
>
>Our connections to various .mil and others are private ds1's with full on
>end to end crypto over them.  You can potentially kill our connections,
>but you're not snooping them or injecting traffic into them.
>
>Jamie
>





Re: TelePacific a good choice?

2013-02-20 Thread Jared Geiger
We have a customer who used them for IP transit at an office in San
Francisco. They seemed to have issues with International peering. Traffic
to Asia / Australia seemed to be bottlenecked. This was a year ago and the
bottleneck was between TelePacific and Global Crossing at the time.

The customer has moved to another provider and no longer has issues.

~Jared

On Tue, Feb 19, 2013 at 11:10 PM, Mike Hale wrote:

> I've used them at a previous employer, mainly for PRI termination but
> also for some transit and colo services.
>
> They were decent.  Didn't have any major complaints.
>
> If IPv6 is important for you...per what Paul said, they probably
> wouldn't be your best choice.  If IPv6 doesn't matter to you, they're
> good enough.
>
> On Tue, Feb 19, 2013 at 7:37 PM, Paul WALL  wrote:
> > The lack of IPv6 implementation:
> >
> > http://bgp.he.net/AS14265#_asinfo
> >
> > should be the only feedback you need.
> >
> > On 2/19/13, Jeff Harper  wrote:
> >> Hiya,
> >>
> >> We're looking at TelePacific as a possible solution for some of our
> transit
> >> needs.  If you have an honest experience with them, positive or
> negative,
> >> I'd like to hear from you.
> >>
> >> Simply email me off line with your experiences, thanks!
> >>
> >> Jeff Harper, CCIE (W) |  www.well.com
> >> ip access-list extended jeff
> >> permit tcp any any eq intelligence
> >> deny tcp any any eq stupid-people
> >>
> >>
> >>
> >
>
>
>
> --
> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>
>


About private networks (Was Re: NYT covers China cyberthreat)

2013-02-20 Thread Alain Hebert
( Well I'm sure that there are a few hundred papers on this subject )

I have a few ideas but they involve:

. Dark Fiber;
. All devices at FIPS 140 level;
. Tonnes of resin;
. Wire mesh;
. Fiber DB monitoring;
. Cable Shield monitoring;
. Single Encryption Key injection for the FIPS 140 devices;
. Central Provisioning;
. Kill switch for suspected segments;




And a private fab because it would not be a good idea to
sub-contract that to let's say... some Chinese outfit =D

TLDR: Feasible, hella costly.

PS:

http://spybusters.blogspot.ca/2010/11/fiber-optics-easier-to-wiretap-than.html

Enjoy this week end of the world news.

-
Alain Hebert                                aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443




RE: Network security on multiple levels (was Re: NYT covers China cyberthreat)

2013-02-20 Thread Jamie Bowden
> From: Warren Bailey [mailto:wbai...@satelliteintelligencegroup.com]


> If you are doing DS0 splitting on the DACS, you'll see that on the
> other
> end (it's not like channelized CAS ds1's or PRI's are difficult to look
> at
> now) assuming you have access to that. If the DACS is an issue, buy the
> DACS and lock it up. I was on a .mil project that used old school
> Coastcom
> DI III Mux with RLB cards and FXO/FXS cards, that DACS carried some
> pretty
> top notch traffic and the microwave network (licensed .gov band)
> brought
> it right back to the base that project was owned by. Security is
> expensive, because you cannot leverage a service provider model
> effectively around it. You can explain the billion dollars you spent on
> your global network of CRS-1's, but CRS-1's for a single application
> usually are difficult to swallow. I'm not saying that it isn't done
> EVER,
> I'm just saying there are ways to avoid your 1998 red hat box from
> rpc.statd exploitation - unplug aforementioned boxen from inter webs.

Our connections to various .mil and others are private ds1's with full on end 
to end crypto over them.  You can potentially kill our connections, but you're 
not snooping them or injecting traffic into them.

Jamie



Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)

2013-02-20 Thread Cameron Byrne
On Wed, Feb 20, 2013 at 9:13 AM, Jay Ashworth  wrote:
> - Original Message -
>> From: "Warren Bailey" 
>
>> We as Americans have plenty of things we have done halfass.. I hope an
>> Internet kill switch doesn't end up being one of them. Build your own
>> private networks, you can't get rooted if someone can't knock. Simple
>> as that.
>
> Well, Warren, I once had a discussion with someone about whether dedicated
> DS-1 to tie your SCADA network together were "secure enough" and they asked
> me:
>
> "Does it run through a DACS? Where can you program the DACS from?"
>

Did you open that PDF regarding DACS security ?

 http://money.cnn.com/2013/02/20/news/economy/hacking-infrastructure/index.html

CB


> Cheers,
> -- jra
> --
> Jay R. Ashworth                  Baylink                       j...@baylink.com
> Designer                     The Things I Think                       RFC 2100
> Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
> St Petersburg FL USA               #natog                      +1 727 647 1274
>



Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)

2013-02-20 Thread Warren Bailey
If you are doing DS0 splitting on the DACS, you'll see that on the other
end (it's not like channelized CAS ds1's or PRI's are difficult to look at
now) assuming you have access to that. If the DACS is an issue, buy the
DACS and lock it up. I was on a .mil project that used old school Coastcom
DI III Mux with RLB cards and FXO/FXS cards, that DACS carried some pretty
top notch traffic and the microwave network (licensed .gov band) brought
it right back to the base that project was owned by. Security is
expensive, because you cannot leverage a service provider model
effectively around it. You can explain the billion dollars you spent on
your global network of CRS-1's, but CRS-1's for a single application
usually are difficult to swallow. I'm not saying that it isn't done EVER,
I'm just saying there are ways to avoid your 1998 red hat box from
rpc.statd exploitation - unplug aforementioned boxen from inter webs.

If you created a LAN at your house, disabled all types of insertable
media, and had a decent lock on your front door, it would be pretty
difficult to own that network. Sure there are spy types that argue EMI
emission from cable etc, but they solved that issue with their tin foil
hats. We broadcast extremely sensitive information (financial, medical,
etc) to probably 75% of the world's population all day long, if you walk
outside of your house today my signal will be broadcasting down upon sunny
St. Petersburg, Florida. Satellite Communications are widely used, the
signal is propagated (from GSO generally) over a relatively wide area and
no one knows the better. And for those of you who say.. I CAN LOOK AT A
SPEC AN TO FIND THE SIGNAL, MEASURE AND DEMODULATE! Take a look at spread
spectrum TDMA operation - my signal to noise on my returns is often -4dB
to -6dB c/n0 and spread at a factor of 4 to 8. They are expensive, but as
far as the planet is concerned they are awgn. I guess it's my argument
that if you do a good enough job blending a signal into the noise, you are
much more likely to maintain secrecy.

On 2/20/13 9:13 AM, "Jay Ashworth"  wrote:

>- Original Message -
>> From: "Warren Bailey" 
>
>> We as Americans have plenty of things we have done halfass.. I hope an
>> Internet kill switch doesn't end up being one of them. Build your own
>> private networks, you can't get rooted if someone can't knock. Simple
>> as that.
>
>Well, Warren, I once had a discussion with someone about whether dedicated
>DS-1 to tie your SCADA network together were "secure enough" and they
>asked 
>me: 
>
>"Does it run through a DACS? Where can you program the DACS from?"
>
>Cheers,
>-- jra
>-- 
>Jay R. Ashworth                  Baylink                       j...@baylink.com
>Designer                     The Things I Think                       RFC 2100
>Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
>St Petersburg FL USA               #natog                      +1 727 647 1274
>
>





Re: Check this out T-Mobile Launches GoSmart Prepaid Service Nationally on Phone Scoop

2013-02-20 Thread Jay Ashworth
- Original Message -
> From: "JP Viljoen" 

[ Rich K wrote: ]
> > On Wed, Feb 20, 2013 at 07:59:53AM -0500, Robert E. Seastrom wrote:
> >> If only there were some kind of method for Jay to publish which
> >> addresses are actually authorized to send mail on behalf of [snip]
> >
> > SPF is snake-oil. Here's something that works (salt to taste for
> > the MTA of your choice):
> >
> > Connect:phonescoop.com ERROR:5.7.1:"550 Mail refused, known forgery
> > source"
> > From:phonescoop.com ERROR:5.7.1:"550 Mail refused, known forgery
> > source"
> 
> Because putting things into a file on your server, instead of some
> distributed mechanism we could refer to, makes that much more sense.
> Did you guys see this /etc/hosts thing? It's awesome! I DON'T EVEN
> HAVE TO RUN A DNS SERVER!!
> 
> *flamesuit*

And you'll need the Nomex undies, cause what Rich was *recommending*
had nothing to do with that.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA   #natog  +1 727 647 1274



Re: NYT covers China cyberthreat

2013-02-20 Thread Jay Ashworth
- Original Message -
> From: "Randy Bush" 

> > Part of the entire 'chinese l337 hxx0r spy' 1st complex is
> > apparently
> > the local equivalent of a community college, where the passing out
> > assignment is probably something on the lines of 'get me a dump of
> > the dalai lama's email'.
> 
> american education is behind in many things. this is but one.

So true, Randy.

But I think the underlying point here was more "when you do these things
on the scale that nation-states do them, the result is different in
type, not merely in degree".

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA   #natog  +1 727 647 1274



Network security on multiple levels (was Re: NYT covers China cyberthreat)

2013-02-20 Thread Jay Ashworth
- Original Message -
> From: "Warren Bailey" 

> We as Americans have plenty of things we have done halfass.. I hope an
> Internet kill switch doesn't end up being one of them. Build your own
> private networks, you can't get rooted if someone can't knock. Simple
> as that.

Well, Warren, I once had a discussion with someone about whether dedicated
DS-1 to tie your SCADA network together were "secure enough" and they asked 
me: 

"Does it run through a DACS? Where can you program the DACS from?"

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA   #natog  +1 727 647 1274



Re: NYT covers China cyberthreat

2013-02-20 Thread .
This is an improvement over some Russian spies, who have the passwords
written down on a piece of paper.

http://www.networkworld.com/news/2010/063010-russian-spy-ring.html?hpg1=bn

Windows XP crappiness, slowing down Russian spies :D

My password at home is "don't be the low hanging fruit".

Every time that I read in the news that the USA is funding this or that
cracking group I get a bit angry. That's a world where it is best not to put
money. More like direct Interpol to stop mafias profiting from it, to
remove money from it. The last thing we want is a "cyber arms race". But
if you don't want one, don't start one.

-- 
--
ℱin del ℳensaje.


Re: Check this out T-Mobile Launches GoSmart Prepaid Service Nationally on Phone Scoop

2013-02-20 Thread JP Viljoen
On 20 Feb 2013, at 5:22 PM, Rich Kulawiec  wrote:

> On Wed, Feb 20, 2013 at 07:59:53AM -0500, Robert E. Seastrom wrote:
>> If only there were some kind of method for Jay to publish which
>> addresses are actually authorized to send mail on behalf of [snip]
> 
> SPF is snake-oil.  Here's something that works (salt to taste for
> the MTA of your choice):
> 
> Connect:phonescoop.com  ERROR:5.7.1:"550 Mail refused, known forgery source"
> From:phonescoop.com     ERROR:5.7.1:"550 Mail refused, known forgery source"

Because putting things into a file on your server, instead of some distributed 
mechanism we could refer to, makes that much more sense. Did you guys see this 
/etc/hosts thing? It's awesome! I DON'T EVEN HAVE TO RUN A DNS SERVER!!

*flamesuit*

-J


Re: Check this out T-Mobile Launches GoSmart Prepaid Service Nationally on Phone Scoop

2013-02-20 Thread Rich Kulawiec
On Wed, Feb 20, 2013 at 07:59:53AM -0500, Robert E. Seastrom wrote:
> If only there were some kind of method for Jay to publish which
> addresses are actually authorized to send mail on behalf of [snip]

SPF is snake-oil.  Here's something that works (salt to taste for
the MTA of your choice):

Connect:phonescoop.com  ERROR:5.7.1:"550 Mail refused, known forgery source"
From:phonescoop.com ERROR:5.7.1:"550 Mail refused, known forgery source"

---rsk



Re: NYT covers China cyberthreat

2013-02-20 Thread calin.chiorean
::: They don't have 20 brains, they have a country full

It was just an example :-) to point out the scale of  developers vs operators.

Calin

 On Wed, 20 Feb 2013 09:39:24 +0100 Warren 
Bailey wrote  

 >   They don't have 20 brains, they have a country full. I was in Beijing last 
 > year, it was eye opening  to the see the state of affairs there. 
 >  
 >  
 >  
 >  
 >   From my Android phone on T-Mobile. The first nationwide 4G network.
 >  
 >  
 >  
 >  
 >   Original message 
 >  From: "calin.chiorean"  
 >  Date: 02/20/2013 12:36 AM (GMT-08:00) 
 >  To: Warren Bailey  
 >  Cc: sur...@mauigateway.com,nanog@nanog.org 
 >  Subject: Re: NYT covers China cyberthreat 
 >  
 >  
 >  
 >   IMO, if we stick to the document and they are organized in military style, 
 > then a person who collect information, should focus only on that particular 
 > phase. That person is an operator, he or she should not be keep busy 
 > remembering long  CLI commands. The scope is to deliver ASAP.
 >  
 >  No matter how much I like CLI and to put my fingers into text mode, I have 
 > to admit that point and click in windows is an easier and faster method to 
 > achieve the task I did mention. As Warren mention, if you have 20 "brains" 
 > it's easy to put those people port  a tool from *nix to other platform and 
 > have the other 500 operators run it in windows. It's just a matter of good 
 > sense and "business" effectiveness :)
 >  
 >  Maybe I misinterpret information, but this is how I see things.
 >  
 >  Cheers,
 >  Calin  
 >  
 >  
 >   On Wed, 20 Feb 2013 09:24:10 +0100 Warren 
 > Bailey wrote  
 >  
 >   > They are when you have a college full of programmers. 
 >   >  
 >   >  
 >   > From my Android phone on T-Mobile. The first nationwide 4G network. 
 >   >  
 >   >  
 >   >  
 >   >  Original message  
 >   > From: Scott Weeks  
 >   > Date: 02/20/2013 12:23 AM (GMT-08:00) 
 >   > To: nanog@nanog.org 
 >   > Subject: Re: NYT covers China cyberthreat 
 >   >  
 >   >  
 >   >  
 >   > --- calin.chior...@secdisk.net wrote: 
 >   > From: "calin.chiorean"  
 >   >  
 >   >  
 >   > :: when all tools are available for windows os, you just have to compile 
 > them. 
 >   >  
 >   > - 
 >   >  
 >   >  
 >   > They're not all available for m$. 
 >   >  
 >   > scott 
 >   >  
 >   >  
 >   >  
 >   >  
 >   >  
 >   >  
 >   >  On Wed, 20 Feb 2013 09:02:35 +0100 Scott Weeks  wrote  
 >   > >Be sure to read the source: 
 >   > > 
 >   > >intelreport.mandiant.com/Mandiant_APT1_Report.pdf 
 >   > > 
 >   > >I'm only part way through, but I find it hard to believe that 
 >   > >only micro$loth computers are used as the attack OS. Maybe I 
 >   > >haven't gotten far enough through report to find the part 
 >   > >where they use the *nix boxes? 
 >   >  
 >   >  
 >   >  
 >   > 
 >  
 >  
 >  
 >   
 > 




Re: NYT covers China cyberthreat

2013-02-20 Thread calin.chiorean
IMO, if we stick to the document and they are organized in military style, then 
a person who collects information should focus only on that particular phase. 
That person is an operator; he or she should not be kept busy remembering long 
CLI commands. The scope is to deliver ASAP.

No matter how much I like CLI and to put my fingers into text mode, I have to 
admit that point and click in Windows is an easier and faster method to achieve 
the task I did mention. As Warren mentioned, if you have 20 "brains" it's easy to 
have those people port a tool from *nix to another platform and have the other 500 
operators run it in Windows. It's just a matter of good sense and "business" 
effectiveness :)

Maybe I misinterpret information, but this is how I see things.

Cheers,
Calin  


 On Wed, 20 Feb 2013 09:24:10 +0100 Warren 
Bailey wrote  

 > They are when you have a college full of programmers. 
 >  
 >  
 > From my Android phone on T-Mobile. The first nationwide 4G network. 
 >  
 >  
 >  
 >  Original message  
 > From: Scott Weeks  
 > Date: 02/20/2013 12:23 AM (GMT-08:00) 
 > To: nanog@nanog.org 
 > Subject: Re: NYT covers China cyberthreat 
 >  
 >  
 >  
 > --- calin.chior...@secdisk.net wrote: 
 > From: "calin.chiorean"  
 >  
 >  
 > :: when all tools are available for windows os, you just have to compile 
 > them. 
 >  
 > - 
 >  
 >  
 > They're not all available for m$. 
 >  
 > scott 
 >  
 >  
 >  
 >  
 >  
 >  
 >  On Wed, 20 Feb 2013 09:02:35 +0100 Scott Weeks  wrote  
 > >Be sure to read the source: 
 > > 
 > >intelreport.mandiant.com/Mandiant_APT1_Report.pdf 
 > > 
 > >I'm only part way through, but I find it hard to believe that 
 > >only micro$loth computers are used as the attack OS. Maybe I 
 > >haven't gotten far enough through report to find the part 
 > >where they use the *nix boxes? 
 >  
 >  
 >  
 > 




Re: NYT covers China cyberthreat

2013-02-20 Thread calin.chiorean

If I didn't miss any part of the report, no *nix is mentioned.

I'm a *nix fan, but why should they (when I say they, I mean an attacker, not 
necessarily the one in this document) complicate their life, when all 
tools are available for Windows OS, you just have to compile them.

Cheers,
Calin


 On Wed, 20 Feb 2013 09:02:35 +0100 Scott Weeks  wrote  

>
> 
> 
>Be sure to read the source: 
> 
>intelreport.mandiant.com/Mandiant_APT1_Report.pdf 
> 
>I'm only part way through, but I find it hard to believe that 
>only micro$loth computers are used as the attack OS. Maybe I 
>haven't gotten far enough through report to find the part 
>where they use the *nix boxes? 
> 
>scott 
> 
>




Re: bidirectional fiber inline amps.

2013-02-20 Thread Mihai Necsa
Specifications in length are for kids, adults use budgets :-) bx-d bx-u 
from Cisco have a budget of 16dBmW (max), power from -3 to -9dBm and 
sensitivity to -19dB. So if the fiber is under -10dB (this means roughly 
10/0.25dB per km SM att) you might see the light at 40km, I have a 
stable link for 37km with stock bx-d bx-u


On 02/19/2013 11:15 PM, Eric J Esslinger wrote:

Didn't see those. Thanks. Idiot moment for me.

__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165




-Original Message-
From: Jared Mauch [mailto:ja...@puck.nether.net]
Sent: Tuesday, February 19, 2013 2:43 PM
To: Eric J Esslinger
Cc: 'nanog@nanog.org'
Subject: Re: bidirectional fiber inline amps.



On Feb 19, 2013, at 3:30 PM, Eric J Esslinger wrote:


Due to some bundle size restrictions, we are looking at converting
some runs over to use bi-directional fiber sfp's (the Cisco version is
GLC-BX-D/GLC-BX-U). However a couple of our runs are farther than the
spec 6.2 miles.  Is anyone aware of a vendor that makes an inline
bidirectional amp for this sort of application? I did some digging but
either they do not exist or my google fu is weak today.


So you really just want the 20km optics:

GLC-BX-U20
GLC-BX-D20

Most places also make 40km and 80km optics of the same sort.

- Jared



This message may contain confidential and/or proprietary information and is 
intended for the person/entity to whom it was originally addressed. Any use by 
others is strictly prohibited.




--
Mihai NECSA
rcs&rds Ploiesti



Re: Check this out T-Mobile Launches GoSmart Prepaid Service Nationally on Phone Scoop

2013-02-20 Thread Robert E. Seastrom

If only there were some kind of method for Jay to publish which
addresses are actually authorized to send mail on behalf of
baylink.com (which could then be leveraged by sc1.nanog.org to turn
the recommended soft fail into a hard fail and stop this kind of
silliness cold)...

Billet:~ rs$ dig +short baylink.com. txt
Billet:~ rs$ dig +short baylink.com. spf
Billet:~ rs$ 

-r

George Herbert  writes:

> All in favor of phonescoop being blacklisted from nanog?  Anyone?
> Anyone?  Buehler?
>
>
>
> On Tue, Feb 19, 2013 at 5:50 PM, Grant Ridder  wrote:
>> haha i love the header:
>>
>> Received: (from nobody@localhost)
>>
>> On Tue, Feb 19, 2013 at 7:48 PM, Jay Ashworth  wrote:
>>
>>> Check this out:
>>>
>>> http://www.phonescoop.com/articles/article.php?a=11946
>>>
>>> This email was sent via Phone Scoop (www.phonescoop.com). The sender
>>> thought you might be interested in the page linked above.
>>>
>>>
>
>
>
> -- 
> -george william herbert
> george.herb...@gmail.com



Re: NYT covers China cyberthreat

2013-02-20 Thread David Barak
Don't be lulled into complacency by a private network: all it takes is one 
thumb-drive or rogue AP and you have a back door.  Private networks reduce but 
do not eliminate attackable surface.

David Barak

Sent from a mobile device, please forgive autocorrection.

On Feb 20, 2013, at 2:04 AM, Warren Bailey 
 wrote:

> An Internet kill switch is a nightmare. We can't even figure out how to run a 
> relay radio system for national emergencies.. Now we are going to assume the 
> people who were owned can somehow shut off communications?
> 
> We as Americans have plenty of things we have done halfass.. I hope an 
> Internet kill switch doesn't end up being one of them. Build your own private 
> networks, you can't get rooted if someone can't knock. Simple as that.
> 
> 
> From my Android phone on T-Mobile. The first nationwide 4G network.
> 
> 
> 
>  Original message 
> From: Zaid Ali Kahn 
> Date: 02/19/2013 10:44 PM (GMT-08:00)
> To: Kyle Creyts 
> Cc: nanog@nanog.org
> Subject: Re: NYT covers China cyberthreat
> 
> 
> We have done our part to China as well along with other countries in state 
> sponsored "hacking". This is more of news amusement rather than news worthy. 
> Question here should be how much of this is another effort to get a "kill 
> switch" type bill back.
> 
> Zaid
> 
> On Feb 19, 2013, at 10:10 PM, Kyle Creyts  wrote:
> 
>> quite a bit of coverage lately from the media.
>> 
>> http://online.wsj.com/article/SB10001424127887323764804578313101135258708.html
>> http://www.bbc.co.uk/news/world-asia-pacific-21505803
>> http://www.npr.org/2013/02/19/172373133/report-links-cyber-attacks-on-u-s-to-chinas-military
>> http://www.businessweek.com/articles/2013-02-14/a-chinese-hackers-identity-unmasked
>> 
>> On Mon, Feb 18, 2013 at 7:23 PM, Jay Ashworth  wrote:
>>> 
>>> http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?pagewanted=all
>>> --
>>> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>> 
>> 
>> 
>> 
>> --
>> Kyle Creyts
>> 
>> Information Assurance Professional
>> BSidesDetroit Organizer
>> 
> 
> 
> 



Re: NYT covers China cyberthreat

2013-02-20 Thread Scott Weeks


--- calin.chior...@secdisk.net wrote:
From: "calin.chiorean" 

It was just an example :-) to point out the scale of developers 
vs operators.


:: You'd be surprised at how much better brains are than brawn
:: on these things...  ;-)


--- wbai...@satelliteintelligencegroup.com wrote:
Have you been to The Great Wall? That statement does not apply 
in the PRC.



It would be interesting, I suppose, to see what can massively 
parallel better.  brains or brawn :)  That's what I'm saying.
If this is done by m$ toolage only, as the report seems to 
say, on page 4, for example:

"817 of the 832 (98%) IP addresses logging into APT1 controlled 
systems using Remote Desktop resolved back to China."

Then they have missed the more interesting part of the puzzle,
I believe.

scott

ps.  If you gottem both, well that's a whole other thingie.



Re: NYT covers China cyberthreat

2013-02-20 Thread Warren Bailey
Have you been to The Great Wall? That statement does not apply in the PRC.


From my Android phone on T-Mobile. The first nationwide 4G network.



 Original message 
From: Scott Weeks 
Date: 02/20/2013 12:54 AM (GMT-08:00)
To: nanog@nanog.org
Subject: Re: NYT covers China cyberthreat




--- calin.chior...@secdisk.net wrote:
From: "calin.chiorean" 

It was just an example :-) to point out the scale of  developers vs operators.



You'd be surprised at how much better brains are than brawn on these things...  
;-)

scott




Re: NYT covers China cyberthreat

2013-02-20 Thread Randy Bush
> Part of the entire 'chinese l337 hxx0r spy' 1st complex is apparently
> the local equivalent of a community college, where the passing out
> assignment is probably something on the lines of 'get me a dump of the
> dalai lama's email'.

american education is behind in many things.  this is but one.

randy



Re: NYT covers China cyberthreat

2013-02-20 Thread Scott Weeks


--- calin.chior...@secdisk.net wrote:
From: "calin.chiorean" 

It was just an example :-) to point out the scale of  developers vs operators.



You'd be surprised at how much better brains are than brawn on these things...  
;-)

scott



Re: NYT covers China cyberthreat

2013-02-20 Thread Scott Weeks


--- calin.chior...@secdisk.net wrote:
From: "calin.chiorean" 

IMO, if we stick to the document and they are organized in military 
style, then a person who collect information, should focus only on 
that particular phase. That person is an operator, he or she should 
not be keep busy remembering long CLI commands. The scope is to 
deliver ASAP.
-

What's that randy says?  >;-)  I can only hope you're right, but my 
point was to bring suspicion to the report itself for (possibly; I'm 
only on page 19) saying that m$ is the only attacking OS.



--
No matter how much I like CLI and to put my fingers into text mode, 
I have to admit that point and click in windows is an easier and 
faster method to achieve the task I did mention. As Warren mention, 
---

bzt.  Wrong answer.  Please study more.  Next!

scott



Re: NYT covers China cyberthreat

2013-02-20 Thread Suresh Ramasubramanian
Part of the entire 'chinese l337 hxx0r spy' 1st complex is apparently the
local equivalent of a community college, where the passing out assignment
is probably something on the lines of 'get me a dump of the dalai lama's
email'.

--srs (htc one x)
On 20-Feb-2013 2:08 PM, "Scott Weeks"  wrote:

>
>
> >I'm only part way through, but I find it hard to believe that
> >only micro$loth computers are used as the attack OS. Maybe I
>
>
> --- calin.chior...@secdisk.net wrote:
> From: "calin.chiorean" 
>
> 
> :: when all tools are available for windows os, you just have to compile
> them.
> 
> -
>
>
> From: Scott Weeks 
>
> ::: They're not all available for m$.
>
>
>
> --- wbai...@satelliteintelligencegroup.com wrote:
> From: Warren Bailey 
>
> They are when you have a college full of programmers.
> --
>
>
>
> Please elaborate.  I didn't follow that.
>
>
> scott
>
>
>


Re: NYT covers China cyberthreat

2013-02-20 Thread Warren Bailey
They don't have 20 brains, they have a country full. I was in Beijing last 
year, it was eye-opening to see the state of affairs there.


From my Android phone on T-Mobile. The first nationwide 4G network.



 Original message 
From: "calin.chiorean" 
Date: 02/20/2013 12:36 AM (GMT-08:00)
To: Warren Bailey 
Cc: sur...@mauigateway.com,nanog@nanog.org
Subject: Re: NYT covers China cyberthreat


IMO, if we stick to the document and they are organized in military style, then 
a person who collects information should focus only on that particular phase. 
That person is an operator; he or she should not be kept busy remembering long 
CLI commands. The scope is to deliver ASAP.

No matter how much I like CLI and to put my fingers into text mode, I have to 
admit that point and click in Windows is an easier and faster method to achieve 
the task I did mention. As Warren mentioned, if you have 20 "brains" it's easy to 
have those people port a tool from *nix to another platform and have the other 500 
operators run it in Windows. It's just a matter of good sense and "business" 
effectiveness :)

Maybe I misinterpret information, but this is how I see things.

Cheers,
Calin


 On Wed, 20 Feb 2013 09:24:10 +0100 Warren 
Bailey wrote 

 > They are when you have a college full of programmers.
 >
 >
 > From my Android phone on T-Mobile. The first nationwide 4G network.
 >
 >
 >
 >  Original message 
 > From: Scott Weeks 
 > Date: 02/20/2013 12:23 AM (GMT-08:00)
 > To: nanog@nanog.org
 > Subject: Re: NYT covers China cyberthreat
 >
 >
 >
 > --- calin.chior...@secdisk.net wrote:
 > From: "calin.chiorean" 
 >
 > 
 > :: when all tools are available for windows os, you just have to compile 
 > them.
 > 
 > -
 >
 >
 > They're not all available for m$.
 >
 > scott
 >
 >
 >
 >
 >
 >
 >  On Wed, 20 Feb 2013 09:02:35 +0100 Scott Weeks  wrote 
 > >Be sure to read the source:
 > >
 > >intelreport.mandiant.com/Mandiant_APT1_Report.pdf
 > >
 > >I'm only part way through, but I find it hard to believe that
 > >only micro$loth computers are used as the attack OS. Maybe I
 > >haven't gotten far enough through report to find the part
 > >where they use the *nix boxes?
 >
 >
 >
 >




Re: NYT covers China cyberthreat

2013-02-20 Thread Scott Weeks


>I'm only part way through, but I find it hard to believe that 
>only micro$loth computers are used as the attack OS. Maybe I 


--- calin.chior...@secdisk.net wrote:
From: "calin.chiorean" 


:: when all tools are available for windows os, you just have to compile them.

-


From: Scott Weeks  

::: They're not all available for m$.



--- wbai...@satelliteintelligencegroup.com wrote:
From: Warren Bailey 

They are when you have a college full of programmers.
--



Please elaborate.  I didn't follow that.


scott




Re: NYT covers China cyberthreat

2013-02-20 Thread Warren Bailey
They are when you have a college full of programmers.


From my Android phone on T-Mobile. The first nationwide 4G network.



 Original message 
From: Scott Weeks 
Date: 02/20/2013 12:23 AM (GMT-08:00)
To: nanog@nanog.org
Subject: Re: NYT covers China cyberthreat



--- calin.chior...@secdisk.net wrote:
From: "calin.chiorean" 


:: when all tools are available for windows os, you just have to compile them.

-


They're not all available for m$.

scott






 On Wed, 20 Feb 2013 09:02:35 +0100 Scott Weeks  wrote 
>Be sure to read the source:
>
>intelreport.mandiant.com/Mandiant_APT1_Report.pdf
>
>I'm only part way through, but I find it hard to believe that
>only micro$loth computers are used as the attack OS. Maybe I
>haven't gotten far enough through report to find the part
>where they use the *nix boxes?





Re: NYT covers China cyberthreat

2013-02-20 Thread Scott Weeks

--- calin.chior...@secdisk.net wrote:
From: "calin.chiorean" 


:: when all tools are available for windows os, you just have to compile them.

-


They're not all available for m$.

scott






 On Wed, 20 Feb 2013 09:02:35 +0100 Scott Weeks  wrote  
>Be sure to read the source: 
> 
>intelreport.mandiant.com/Mandiant_APT1_Report.pdf 
> 
>I'm only part way through, but I find it hard to believe that 
>only micro$loth computers are used as the attack OS. Maybe I 
>haven't gotten far enough through report to find the part 
>where they use the *nix boxes? 




Re: NYT covers China cyberthreat

2013-02-20 Thread Scott Weeks



Be sure to read the source:

intelreport.mandiant.com/Mandiant_APT1_Report.pdf

I'm only part way through, but I find it hard to believe that 
only micro$loth computers are used as the attack OS.  Maybe I 
haven't gotten far enough through report to find the part 
where they use the *nix boxes?

scott