STEP Security (RFC4012012)

2012-04-01 Thread J. Oquendo
Interweb Re-Engineering Task Force   J. Oquendo
Request for Comments 4012012  E-Fensive Security Strategies
Category: Informational
Expires: 2020


   STEP by STEP Security


Status of this Memo

   This Internet-Draft is submitted in full nonconformance with
   provisions of BCP 78 and BCP 79. This document may not be modified,
   and derivative works of it may not be created, except to publish it
   as an RFC and to translate it into languages other than English.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.   Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.   It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on April 01, 2020.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in




Oquendo  Expires Apr 01, 2020  [Page 1]


Internet-Draft  Security Step by STEP   RFC 4012012


   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.

Abstract

   This framework describes a practical methodology for ensuring
   security in otherwise insecure environments. The goal is to provide
   a rapid response mechanism to defend against the advanced persistent
   threats in the wild.

Table of Contents


   1.  Introduction ........................................... 2
   2.  Conventions used in this document ...................... 4
   3.  Threats Explained ...................................... 4
   3.1. Possible Actors ....................................... 4
   4.  STEP Explained ......................................... 5
   5.  STEP in Action ......................................... 6
   6.  Security Considerations ................................ 7
   7.  IANA Considerations .................................... 7
   8.  Conclusions ............................................ 8
   8.1. Informative References ................................ 8
   9.  Acknowledgments ........................................ 8
   Appendix A.  Copyright ..................................... 9


1. Introduction
   In the network and computing industry, malicious actions,
   applications and actors have become more pervasive. Response times
   to anomalous events are burdening today's infrastructures and often
   strain resources. As networks under attack are often saturated with
   malicious traffic and advanced persistent threat actors engage in
   downloading terabytes of data, resources to combat these threats
   have diminished.

   Additionally, the threats are no longer just anonymized actors
   engaging in juvenile behavior; there are many instances of State
   Actors, disgruntled employees, contractors, third-party vendors and
   criminal organizations, each with a separate agenda and each
   consistently targeting devices on the Internet.






   The intent behind this document is to define a methodology for rapid
   response to these threats. In this document, security will be
   achieved using a new methodology and protocol henceforth named
   Scissor To Ethernet Protocol (STEP).



   Initially designed as a last approach for security, STEP ensures
   that no attacker can disaffect any of the Confidentiality,
   Integrity, Availability of data as a whole.



   Many variables are involved in security, but the STEP methodology
   focuses on the following:


   o FUD (Fear Uncertainty and Doubt)
   o SCAM (Security Compliance and Management)
   o APT (Another Possible Threat)



   This methodology proposes STEP that SHOULD be performed at the onset
   of a cyber attack before more terabytes of data are exfiltrated from
   a network.

   

Re: Gmail down

2016-07-05 Thread J. Oquendo
On Tue, 05 Jul 2016, Mel Beckman wrote:

> Josh,
> 
> No, that downdetector.com page is specifically for gmail.
> 
>  -mel

Unsure about others, but I certainly trust downdetector
and others versus checking out Google's very own service
status dashboard (https://www.google.com/appsstatus#hl=en&v=status)

As an aside, as mentioned this is best reported on the
Outage mailing list versus here on NANOG. $DEITY knows
these threads can become epic length'd noise. So here is
what would have been a better bet versus the good old
'sky is falling' response.

Step 1) Gmail/Hotmail/Whatever doesn't work on your
phone

Step 2) Check it on something OTHER than your phone
where your provider may not be reliable

Step 3) Does it work on something else? If so problem
solved if not go to step 4

Step 4) Find the provider's page (if available) and
see what others are saying. If others state it is up
for them, but down for you... It may be an issue on
YOUR network, or your provider's.

Step 5) If it is down for EVERYONE on the planet
post it to Outages amongst the other dozen entries

Step 6) Live life ;) World does not stop because
Gmail, Facebook, Twitter, even the stock markets
hiccup.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread J. Oquendo
On Wed, 27 Jul 2016, Paras Jha wrote:

> Hi Justin,
> 
> I have submitted abuse reports in the past, maybe from 2014 - 2015, but I
> gave up after I consistently did not even get replies and saw no action
> being taken. It is the same behavior with other providers who host malware
> knowingly. I appreciate you coming out onto the list though, it's nice to
> see that CF does maintain a presence here.
> 

I for one am glad providers are on the case tackling DoS,
never ignoring abuse, and doing the best they can to
prevent these things:

https://www.linkedin.com/pulse/why-do-networking-providers-like-cybercriminals-so-much-j-oquendo

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463


Cloudflare, dirty networks and politricks

2016-07-28 Thread J. Oquendo

While many are chanting: #NetworkLivesMatter, I have yet
to see, read, or hear about any network provider being
the first to set precedence by either de-peering, or
blocking traffic from Cloudflare. There is a lot of
keyboard posturing: "I am mad and I am not going to take
it anymore" hooplah but no one is lifting a finger to
do anything other than regurgitate "I am mad... This is
criminal."

Government in the US is not going to get involved as the
financial cost won't warrant an investigation. Would you
spend $100 to tow a car worth $1? Cloudflare, Amazon,
Rackspace, and countless others are, and have been 
allowing the same thing since the dawn of their creation
and network operators... Shame on you for allowing it.

Is it legal? Is it moral? Does it serve a real world
benefit? (booters). Let's get real these booters serve
little purpose. Anyone can go back to romper room and do
the simple math: I have a 100mb pipe, if someone sends me
200mb will it flood me? A pre-schooler can give anyone
the answer. Yet here is everyone chiming in on legal
matters when not one respondent that I have seen is a
lawyer.

I wrote about this in my rambling which is linked in the
NANOG LinkedIn group: "Why Do Networking Providers Like
Cybercriminals So Much" and the responses I have read on
this thread, make me believe it more so. Networking
operators could give a rat's ass about doing anything about
DDoS, viruses, etc., since it is a source of revenue
down the daisy chain. Like it or not. I would be surprised
if ANYONE in this NOG, or any other "NOG" de-peered out of
principle. With that said, I don't even know why this
thread is being continued. 


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463


Re: Cloudflare, dirty networks and politricks

2016-07-28 Thread J. Oquendo
On Thu, 28 Jul 2016, Naslund, Steve wrote:

> You obviously have a much shorter Internet memory than some of the engineers 
> on here that have had a long history of killing off and blacklisting various 
> spam and malware operations over the years.  I think the one thing that has 
> changed is that the service providers are now large corporate entities that 
> do not take going to war with each other as lightly as we did back in the day.
> 
> Steven Naslund
> Chicago IL

It is this same attitude that throws everything into the
loop we are seeing: "Well Mega Corporation is allowing it
and we can't stop them lest we want to go to war with
them." Define war. What will they do if you de-peer? They
will find another provider to peer with it. That is it.
There is no "war" no one is coming to our offices in full
military gear. The more you guys allow this, the more it
will continue.

Start de-peering companies similar to BGP Dampening. "Oh
didn't respond to our Nthousandth abuse. De-peered for N
amount of time. Increment the time, and when some of these
providers start seeing the cost of associating with these
types of crimes (spam, malware), they have a choice, ship
in or ship out. If ALL PROVIDERS did the same, who would
a dirty host have left to peer with?

Any other answer is nonsense and an excuse... "This will
start a war!!!" Nonsense and quite possibly the sorriest
excuse I have read for lifting a finger. 100 more people
with the same response, means nothing will ever get done.
OTOH ... Let's go back to "OMG THIS HAS TO STOP BUT I AM
NOT GOING TO BE THE ONE LIFTING A FINGER!!! Because...
ERMAHGERD WAR"



-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
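The "de-peer for N, then increment N" policy above is essentially BGP route flap damping applied to abuse reports. As an added example (mine, not code from the post), the following models it with the penalty/half-life/suppress/reuse scheme of RFC 2439; the thresholds, half-life, scenario timings and the documentation ASN 64496 are constructed.

```python
"""Damping-style model of the abuse-response policy proposed above.

Each unanswered abuse report adds a fixed penalty; the penalty decays with a
half-life; a peer whose penalty reaches the suppress threshold is de-peered
and is re-admitted only once the penalty decays below the reuse threshold.
Because the residual penalty survives re-admission, a repeat offender is
de-peered on its first ignored report and stays de-peered longer.
All constants below are constructed for the example."""
from dataclasses import dataclass, field

PENALTY_PER_IGNORED_REPORT = 1000.0  # constructed: added per unanswered abuse report
SUPPRESS_THRESHOLD = 1500.0          # de-peer when the penalty reaches this
REUSE_THRESHOLD = 750.0              # re-peer once the penalty has decayed below this
HALF_LIFE_HOURS = 24.0               # penalty halves every 24h without new ignored reports


@dataclass
class PeerState:
    asn: int
    penalty: float = 0.0
    last_update: float = 0.0                      # simulation clock, in hours
    suppressed: bool = False
    history: list = field(default_factory=list)   # (hour, "de-peer" | "re-peer")

    def _decay_to(self, now):
        """Apply exponential decay for the time elapsed since the last update."""
        elapsed = now - self.last_update
        if elapsed > 0:
            self.penalty *= 0.5 ** (elapsed / HALF_LIFE_HOURS)
            self.last_update = now

    def ignored_report(self, now):
        """An abuse report to this peer went unanswered at `now`."""
        self._decay_to(now)
        self.penalty += PENALTY_PER_IGNORED_REPORT
        if not self.suppressed and self.penalty >= SUPPRESS_THRESHOLD:
            self.suppressed = True
            self.history.append((now, "de-peer"))

    def tick(self, now):
        """Hourly check: re-admit a suppressed peer once its penalty has decayed."""
        self._decay_to(now)
        if self.suppressed and self.penalty < REUSE_THRESHOLD:
            self.suppressed = False
            self.history.append((now, "re-peer"))


def simulate(asn, ignored_report_hours, horizon_hours):
    """Run the clock hour by hour; reports at an hour are applied before that
    hour's tick. Returns the peer's (hour, event) history."""
    peer = PeerState(asn)
    reports = sorted(ignored_report_hours)
    for hour in range(horizon_hours + 1):
        for h in reports:
            if h == hour:
                peer.ignored_report(float(hour))
        peer.tick(float(hour))
    return peer.history


def suppression_durations(history):
    """Pair each de-peer with the following re-peer and return the durations."""
    durations, start = [], None
    for hour, event in history:
        if event == "de-peer":
            start = hour
        elif event == "re-peer" and start is not None:
            durations.append(hour - start)
            start = None
    return durations


if __name__ == "__main__":
    # Constructed scenario: two ignored reports an hour apart; after the peer
    # has been re-admitted, two more. The second suppression is longer.
    hist = simulate(64496, [0, 1, 40, 41], horizon_hours=240)
    for hour, event in hist:
        print(f"h{hour:>5.0f}: {event}")
    print("suppression durations (h):", suppression_durations(hist))
```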


Re: Cloudflare, dirty networks and politricks

2016-07-28 Thread J. Oquendo
On Thu, 28 Jul 2016, McDonald Richards wrote:

> Be sure to let us all know how this works out for your business.
> 
> On Thu, Jul 28, 2016 at 10:35 AM, J. Oquendo  wrote:
> 

As stated... "Networkers don't give a rat's ass about
ethics/morals. Solely a fistful of dollars"

In the interim, this conversation differs little from
fergdawg's "How to Handle ISPs Who Turn a Blind Eye to
Criminal Activity?"

https://www.nanog.org/mailinglist/mailarchives/old_archive/2007-10/msg00348.html

Back to what matters now... Money, because cybercrime meh.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463


Re: Cloudflare, dirty networks and politricks

2016-07-28 Thread J. Oquendo
On Thu, 28 Jul 2016, Stephen Satchell wrote:

> Let's supposed someone did indeed de-peer or otherwise block Cloudflare 
> from their entire network.
> 
> Which of y'all would be the first to say to that network operator, "Hope 
> you enjoy your intranet"?

Really? Again more boogeyman nonsense. The world does not
revolve around Cloudflare or any other provider. If I were
a customer, and my customers could not reach me, I would
go to my provider. If I discovered my provider was being
unethical in their practice, I would be an idiot to stay
with them. "Hey it's ok for me to conduct eCommerce
transactions. I mean they're only allowing DoS, malware,
ransomware."

Tell me how would that work for you when your clients
started jumping ship because your network is dirty. Again
I go back to square one... The responders ("No you can
never!!!") are those who truly could care less about the
current state of garbage on the net. Masquerading it along
the lines of:

"Ermahgerd WAR!!!"
"OMG YOU WILL ONLY HAVE AN INTRANET"
"You can't be serious!!!"


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463


Re: Cloudflare, dirty networks and politricks

2016-07-29 Thread J. Oquendo
On Fri, 29 Jul 2016, Rich Kulawiec wrote:

> On Thu, Jul 28, 2016 at 11:30:12PM +, Donn Lasher via NANOG wrote:
> > If we want to be accurate about it, Cloudflare doesn't host the DDoS,
> > they protect the website of seller of the product. We shouldn't be
> > de-peering Cloud Flare over sites they protect any more than we would
> > de-peer GoDaddy over sites they host, some of which, no doubt, sell
> > gray/black market/illegal items/services.
> 
> The only way to make action against them effective is to do it broadly,
> do it swiftly, and do it permanently.
> 

In my ramblings on "Why network operators love filth", I
associate a landlord that knowingly allows his/her tenant
to sell drugs. In America, your house is gone. This should
be the case on the Internet as well. Keep sending out crap
and ARIN should yank your IP space after everyone else
has de-peered you.

So let's get to these horrible analogies of "weapons" and
whether or not CloudFlare is solely the gun manufacturer
and is not responsible whether or not their ARCLOUD rifle
was used to shoot up a school killing children.

Analogy: Hotel Cloud is a pretty big hotel in the city.
They have 5,000 rooms. When you walk by, their tenants
are throwing rocks out of the windows, garbage, etc.
People complain to the hotel management that does nothing
about it. Hotel Cloud's response is: 'Well this is really
not our problem, we only rent a room, what the occupant
does...' --- And this makes sense to how many of you who'd
respond: "Well I don't know about you but I want to walk
around freely" Freely? At some point in time, you WILL
walk by this hotel, or another that WILL become just like
it. Why? Because there will be no one to say: "Hey this
is wrong buck stops here..."

I have seen these discussions on this list for so many
years, and there are those that want to do good, but won't
lift a finger out of fear of the herd/praetorian guard.
Anyone saying it cannot be done, is a coward bowing to
the dollar (euro/yen/whatever). The analogy above is spot
on, with the only difference being a hotel is physical,
and on the Interwebs, out of sight out of mind. This is
until one of your relatives' sites gets taken offline by
some bored moron via DDoS, and there go their sales, there
goes their business. THEN and only THEN will some of the
naysayers say: "Shit we could have stopped it."

Do you need law enforcement to be moral? "I can see
that person is getting pulverized by some drunken idiot
better not intervene because well... I want to walk
freely..." That beating can come full circle, where
beating can be DDoS, a sophisticated attack, malware.

I am so tempted to start a shaming site for networks
including all of the big boys with detailed records
showing how abuse was contacted, no one did nothing,
and oh by the way... "Are you sure you want to host
or transit with this company? Last I checked via
logs, they were a filthy network that catered to
peds, RBN folk, etc" Maybe when some of you guys
(that sit around twiddling fingers) see your companies
all over the place, maybe then you'll think about doing
the right thing.


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-29 Thread J. Oquendo
On Fri, 29 Jul 2016, Naslund, Steve wrote:

> What he said.  If I am given a court order and follow it, I can't get sued 
> when I knock you off the Internet.
> 
> Steven Naslund

Because someone breaking AUPs and TOS is not enough. "Hey
I know you broke every rule in the book. Forget that for
now I am not a judge, feel free to DDoS, steal someone's
life savings with your malware/phishing. You're fine by
me until a judge tells me otherwise." -- Smart answer

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463


Re: Spitballing IoT Security

2016-10-24 Thread J. Oquendo
On Mon, 24 Oct 2016, Steve Mikulasik wrote:

> if we automatically blackholed those IPs as they get updated it could put a 
> big dent in the effectiveness of Zeus.
> 

That would involve someone lifting a finger and implementing
a config change. Much easier to implement BCP38 or was it
RFC 4732? Would never work the moment someone has to lift
a finger.

/*
I think I'll change my position on BCP38.  It's pointless to try
blocking spoofed source addresses because:

* It doesn't solve every single problem
* It means more effort for service providers
* It requires more CPU processing power
* Using it will generate smarter "black hats".

https://www.nanog.org/mailinglist/mailarchives/old_archive/2004-10/msg00132.html

*/


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463


Re: Please run windows update now

2017-05-15 Thread J. Oquendo
On Mon, 15 May 2017, Brad Knowles wrote:

> As much as I hate, loathe, and despise Microsoft, there's always going to be 
> someone/something out there that is "the worst".  Eliminate the current 
> "worst", and there will be another one right behind them.
> 
> I do believe that Microsoft is directly responsible for trillions of 
> dollars/euros of damage done to economies worldwide, due to their lax 
> security practices over the years.  Their advances have only come at the cost 
> of great pain on the part of others, and they have been kicking and screaming 
> all the while being dragged into the modern world.
> 
> The rest of us will continue to bear the pain and anguish that they create.  
> That's just the way things are.  Not the way they should be, but the way they 
> are.
> 
> -- 
> Brad Knowles 


Spot on. Shame on Microsoft for releasing patches and not
forcing the installation versus letting security managers
open up ISC^, and other nonsensical frameworks to do things
like "change/patch management" tasks. I mean, who cares if
one little patch knocks a business out of existence.

I do believe Microsoft is directly responsible for making
people such daft "To patch or not to patch" admins. Force
feed patches on everyone! Then your next message will be:
"I believe Microsoft is responsible for trillions of
dollars by pushing out patches forcefully and negatively
impacting businesses worldwide."

Pain and anguish? I'm smiling and drinking coffee. I adore
when security shenanigans occur. That is the sound of a cash
register to me.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463


Re: Please run windows update now

2017-05-15 Thread J. Oquendo
On Mon, 15 May 2017, Brad Knowles wrote:

> If Microsoft didn't open the security hole in the first place, then there 
> wouldn't be a need to patch it afterwards.

You are very correct. Microsoft opened the hole because
they had nothing better to do. Or, could it be that these
things happen, akin to a car having to perform a recall.
I am sure (with the exception of Volkswagen's clusterf^W)
no vendor in any vertical wants to put out subpar products
(call me a dreamer.)

> Of course, there will always be patches that need to be applied, and people 
> do have to decide what is a sane patching process.  But if a patch can be 
> completely avoided because they were more careful and rigorous in their 
> development to begin with, then as a whole the world would be better off.

Rigorous in development means little. Go pick an RFC and
you will find that over time, even the foundations have at
some point or another been broken/circumvented. I have a
mental running joke "Blame Paul Vixie!!!" (Sorry Paul :))
When the world lost their ability to use common sense,
anything related to DNS became a blame Paul for writing
BIND. No... Old saying: "Any time you point the finger,
remember, there are more of your fingers pointing back at
you."

Organizations do perform testing, and some don't. Just
because some don't does not mean the industry as a whole
won't, or doesn't do it. The fact MS went out of their way
to make patches for systems they SPECIFICALLY stated they
would no longer support gives them kudos across the
board.
 
> An ounce of prevention on their part would prevent a pound of cure having to 
> be applied by everyone else in the world.

With 20/20 vision, should that mean I should be expected
to see someone throwing a 100MPH fastball at me from
my back? Would my pound of cure be ESP for seeing the
future?

> But then Microsoft couldn't extract their value from selling that pound of 
> cure, so that would be another problem.

Sorry to tell you this, that comment makes little sense.
I didn't know Microsoft sold that pound of cure (patch).

> Not everyone licks their chops and thinks "fresh meat" when they see 
> worldwide panic that results from a massive security hole like this.

Jump in the security space, where we may gladly trade our
cats and dogs for Porsche Panameras

> Some of us just want to get regular work done.

And some of us find that life goes on. This is no different
than Nimda, and other minor fiascos that occur every once
in a while. With the exception of Morris. No one, not even
the worms in the dirt like him.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463


Re: Please run windows update now

2017-05-15 Thread J. Oquendo
On Mon, 15 May 2017, b...@theworld.com wrote:

> Oh great a design review!
> 
> Hello Valdis, I am Barry Shein. I've done decades of internals and
> kernel work.
> 
> Ever use any Windows since about Vista? It throws up those warning
> pop-ups when you're about to do something it decides needs
> confirmation?
> 
> That was almost certainly my invention.
> 
> I described the idea on an anti-spam list and two Microsoft engineers
> contacted me to discuss whether this is feasible etc.
> 
> Never got a thank you tho.
> 
> > How do you throw a pop-up warning for that?  Pre-run it and see how many
> > might get executed? And how do you tell that the sequence ends up destroying
> > the file rather than creating a new one?
> 
> You count the number of destructive opens in the kernel and if it
> exceeds a threshold (for example) you stop it and pop up a warning.
> 
> For example.
> 
> As I said this is the sort of thing which is suitable for an end-user
> OS and no doubt annoying in a server OS.
> 

*popcorn* ... What was the original thread about? Because
once upon a time as a proof of concept for "undetectable"
viruses on *nix, (was for a competition where I was not
allowed to play post disclosure of PoC), anyway, I
created a really really bad mechanism to negatively
impact ALL BSDs, Solaris, Linux, it was *nix agnostic.


Bigger takeaway, malware/scumware/whateverware authors
target Windows because there are more users. For someone
dealing with security 24x7x365, I can state MS has come
a very long way from what they were, including dealing
with MSRC and other departments. Do you have any idea
how difficult it is to deal with certain *nix projects?
Freshmeat? Github, hobby...

Apples and oranges. And I CAN COUNT the number of
destructive opens read, and write on any nix system, so
perhaps we should kill this thread before it becomes:
my NetBSD toaster is better than your windows powered
refrigerator.


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
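The idea quoted above, counting destructive opens per process and warning past a threshold, as an added example (mine, not code from the thread): a user-space sliding-window monitor over a constructed audit-style event stream, so it runs anywhere rather than in the kernel. The event format, window, threshold, process names and paths are all constructed, and since user space does not know whether a written file already existed, write-without-append opens are counted conservatively.

```python
"""Sliding-window detector for bursts of destructive file operations.

A "destructive open" here is any call that can discard existing contents:
open() with O_TRUNC, open() for writing without O_APPEND, unlink(), or
rename() over a path. Per pid, the timestamps of such calls are kept in a
window; crossing THRESHOLD within WINDOW_SECONDS raises one alert.
Event lines are a constructed format, not any real audit tool's output."""
import os
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0
THRESHOLD = 8                                      # constructed tuning value
ACCESS_MASK = os.O_WRONLY | os.O_RDWR              # O_RDONLY is 0, so this is "any write access"


def parse_flags(spec):
    """Turn 'O_WRONLY|O_CREAT|O_TRUNC' into the numeric flags of this platform."""
    flags = 0
    for name in spec.split("|"):
        flags |= getattr(os, name)
    return flags


def is_destructive(op, flags):
    """True when the call can destroy existing file contents."""
    if op in ("unlink", "rename"):
        return True
    if op != "open":
        return False
    if flags & os.O_TRUNC:
        return True
    # Write access without O_APPEND overwrites in place; counted conservatively
    # because this monitor cannot tell whether the file already existed.
    if (flags & ACCESS_MASK) and not (flags & os.O_APPEND):
        return True
    return False


class DestructiveOpenMonitor:
    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.recent = defaultdict(deque)   # pid -> timestamps of destructive calls
        self.alerted = set()               # pids already reported, to avoid repeats

    def observe(self, ts, pid, comm, op, flags=0):
        """Feed one event; returns an alert string or None."""
        if not is_destructive(op, flags):
            return None
        q = self.recent[pid]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop calls that fell out of the window
            q.popleft()
        if len(q) >= self.threshold and pid not in self.alerted:
            self.alerted.add(pid)
            return f"pid {pid} ({comm}): {len(q)} destructive opens in {self.window:.0f}s"
        return None


def parse_event(line):
    """Constructed line format: '<ts> <pid> <comm> <op> <path> [<flags>]'."""
    parts = line.split()
    ts, pid, comm, op, path = float(parts[0]), int(parts[1]), parts[2], parts[3], parts[4]
    flags = parse_flags(parts[5]) if len(parts) > 5 else 0
    return ts, pid, comm, op, path, flags


def run(lines):
    """Run the monitor over an event stream and return the alerts raised."""
    mon = DestructiveOpenMonitor()
    alerts = []
    for line in lines:
        ts, pid, comm, op, path, flags = parse_event(line)
        alert = mon.observe(ts, pid, comm, op, flags)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample stream: a compiler writing a few object files, a log
# appender, a reader, one process truncating and unlinking many files in a
# burst, and the compiler again writing 8 files but spread over two minutes.
SAMPLE_EVENTS = (
    [f"{i * 0.3:.1f} 4242 cc open /tmp/obj{i}.o O_WRONLY|O_CREAT|O_TRUNC" for i in range(3)]
    + ["1.0 300 syslogd open /var/log/messages O_WRONLY|O_APPEND",
       "1.5 77 grep open /etc/hosts O_RDONLY"]
    + [f"{2.0 + i * 0.2:.1f} 9001 rewrite open /home/u/doc{i}.txt O_WRONLY|O_TRUNC" for i in range(6)]
    + [f"{3.5 + i * 0.2:.1f} 9001 rewrite unlink /home/u/doc{i}.txt" for i in range(6)]
    + [f"{10.0 + i * 15:.1f} 4242 cc open /tmp/obj{i}.o O_WRONLY|O_CREAT|O_TRUNC" for i in range(8)]
)

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Only the burst process trips the threshold; the compiler's eight writes never land inside one window, which is the distinction a count alone would miss.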


Re: Please run windows update now

2017-05-16 Thread J. Oquendo
On Wed, 17 May 2017, Matt Palmer wrote:

> > 
> > Do you have any actual evidence or citations that in fact, this was an
> > intentionally inserted backdoor?
> 
> You'll have to speak up, he can't hear you over the rustling of the tin
> foil.
> 
> - Matt
> 

Pretty low blow considering if I saw "greys" in my yard,
I'd be all: "OMGF illuminati!"

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463


Re: Verizon Network Engineer please

2014-08-25 Thread J. Oquendo
On Mon, 25 Aug 2014, Heather Schiller wrote:

> If you haven't received a response, try being more specific.  Verizon is
> >100 asn's and full of all kinds of network engineers.
> 
> 
> On Fri, Aug 22, 2014 at 3:19 PM, Sena, Rich  wrote:
> 
> > Can someone contact me please...
> >
> > --
> > Richard Sena The MITRE Corporation   e: rs...@mitre.org
> > Principal Engineer   202 Burlington Road v: +1-781-271-3712
> > Dept: J86E; MS K319  Bedford, MA 01730-1420  f: +1-781-271-2423
> >
> >

Normally I rant: Can someone from Verizon who deals with
routers contact me. (Then I filter out the millions of
responses from home users running Linksys and DLink routers)


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF


Google Security Contact

2013-05-02 Thread J. Oquendo

Can someone put me in touch with someone "up there" in the
security realm at Google? (sorry for the noise)

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF



Re: anybody from datashack.net ?

2013-09-20 Thread J. Oquendo
On Thu, 19 Sep 2013, Hermann wrote:

> Is there anybody from datashack.net here?
> 
> I'm having a lot of problems with them and they are not responding my emails.
> 

I have sent out about a half dozen of e-mails to them
within the last few weeks as I have seen a huge amount of
attacker traffic targeting my VoIP infrastructures (managed)
and have yet to see my response. I just dropped their entire
blocks and blacklisted them period. 

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF



CBL Abuse

2013-10-03 Thread J. Oquendo

Does someone know of a direct contact with someone at
cbl.abuse.org? I have a quick question/comment/concern I would
like to address that WILL get lost in the "forms" method of
"contact us."


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF



Oklahoma State Univ.

2014-01-17 Thread J. Oquendo

Yes I know there is UNISOG, not on it anymore. Can someone
on that list either forward this, or put me in touch with
someone in the know there (AS5078) concerning things malware
related? Appreciated.


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF



Re: Oklahoma State Univ.

2014-01-17 Thread J. Oquendo
On Fri, 17 Jan 2014, John Kristoff wrote:

> 
> UNISOG no longer exists.  The REN-ISAC community has, mostly, replaced
> it.
> 
> Have you just tried contacting their security folks directly?  Chances
> are usually high if an .edu has a dedicated security staff and web
> site, that is probably the best place to go:
> 
>   <http://security.okstate.edu/node/34>
> 
> Alternatively, REN-ISAC is always helpful if you want to go through
> them for some reason.
> 
> John
> 

I'd forgotten about the great folks at REN-ISAC. Was slapped
in the head before this, so I emailed them. Thanks for the
responses, sorry for the noise. 

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF



Re: Intrusion Detection recommendations

2015-02-13 Thread J. Oquendo
On Fri, 13 Feb 2015, Andy Ringsmuth wrote:

> NANOG'ers,
> 
> I've been tasked by our company president to learn about, investigate and 
> recommend an intrusion detection system for our company.
> 
> We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, 
> iPhones, some Mac Mini servers, etc., and a fiber connection to the world. We 
> are protected by a FreeBSD firewall setup, and we stay current on 
> updates/patches from Apple and FreeBSD, but that's as far as my expertise 
> goes.
> 
> Initially, what do people recommend for:
> 
> 1. Crash course in intrusion detection as a whole
> 2. Suggestions or recommendations for intrusion detection hardware or software
> 3. Other things I'm likely overlooking
> 
> Thank you all in advance for your wisdom.

I'd have a look at Alien Vault if you don't want to fork
out heavy money and have a geek enough staff who doesn't
mind butchering it up. It can be plug and play to an extent
yet at the same time, if not configured properly it becomes
useless.

On the other hand, if you don't want to waste precious time
in the event of say incident response to an actual event,
then I would opt for QRadar. 

IDS/IPS is a mere buzzword. Detection comes via way of
knowledge: "Who knows/has seen, that N traffic is malicious"
often based on signatures. Then of course you get all the
nifty buzzwords: "but we use heuristic doohickey reverse
nacho cheese technology!" Prevention is a paradox. If it
did prevent then why did you get notified via a tweet that
you were compromised before you even knew you were.

IDS works like this (in theory): Look at all logs, and all
traffic patterns. Compare this data (often) to a config
file of known knowns, if it matches what we have seen then
it MUST be an attack.

IPS works like this: Sell someone an IDS appliance or
software and tell them it's IPS. It won't stop a huge
portion of attacks since it is well... IDS but boy does
it have a cooler name.

ITS (Intrusion Tolerance) works like this: Ok, so we won't
stop them, we can't prevent them, but boy oh boy can we
tolerate them! 

All work off of a broken premise of "known knowns" and
not one vendor will ever come clean on this. 

I have had the opportunity (or misfortune take your pick)
to have analyzed quite a bit of malware, intrusions, and so
forth. I have seen how rapidly some of the attacks change,
so I know firsthand why IDS, IPS, and others fail. Now
let me be fair... IDS/IPS are good as a HSSS (new buzzword)
Hind Sight Security System, but will only prevent, and 
detect what is known.

Your best goal is to perform a combination security and
network analysis PRIOR to implementing any system. In doing
so, you create logic suitable to your environment. For
example, you have a DB that is supposed to ONLY communicate
internally, a better approach would be to go on to that
machine, and use the local machine's firewall rule to
create a rule that says: ONLY CONNECTIONS FROM HERE TO
THERE ARE ALLOWED ALL OTHERS GET BLOCKED, then alert when
something strays.

Most of these systems lack because of the design prior to,
and after their implementations. Organizations haven't
taken the time to map data, processes, and create even
a simple baseline to work with. This leads to these types
of systems (IPS, IDS, SIEM, ITS, blah blah blah) generating
all sorts of false positives. These false positives often
overwhelm the users tasked with the administration of the
systems. Thousands of alerts which often go unchecked until
it is too late.

thee end.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463


Re: Intrusion Detection recommendations

2015-02-13 Thread J. Oquendo
On Fri, 13 Feb 2015, Mel Beckman wrote:

> Unless you need regulatory-grade IDS, your best bet is a Unified Threat 
> Management (UTM) appliance, essentially any modern enterprise grade firewall 
> such as a Cisco ASA, Fortigate, SonicWall, etc. These all have built-in 
> IDS/IPS options for a fee.
> 
>  -mel
> 

With all due respect, is regulatory-grade IDS the same as
say "military-grade" encryption? 



Re: Intrusion Detection recommendations

2015-02-13 Thread J. Oquendo
On Fri, 13 Feb 2015, Mel Beckman wrote:

> JO,
> 
> IDS to meet PCI or HIPAA requirements is "regulatory grade". It meets 
> specific notification and logging requirements. SNORT-based systems fall into 
> this category. 
> 

tl;dr (even I don't read what I write)

You failed to see the snark in the "military grade" crypto
comment. This thought process is what causes many
organizations to fail repeatedly. Relying on what the herd
says. PCI, HIPAA, FINRA, FISMA, and all of the other
regulatory guidelines, standards, baselines, and mandates
spew from the manufacturing industry's ISO (BS pick your
poisonous acronym). Call it SADHD (or Security ADHD) but I
don't get why everyone keeps running around like dogs
chasing their tails. 

Let's look at HIPAA where everyone is scrambling to replace
Windows based on the word of the herd. Here is the rule:

"Unsupported and unpatched environments are vulnerable to
security risks. This may result in an officially recognized
control failure by an internal or external audit body,
leading to suspension of certifications, and/or public
notification of the organization's inability to maintain
its systems and customer information"

Do you chuck Windows XP? It'd be easier to in theory but not
in practice, however NO ONE EVER SAID: "thou shall chuck XP"
(http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html)

"The Security Rule was written to allow flexibility for
covered entities to implement security measures that best
fit their organizational needs. The Security Rule does
not specify minimum requirements for personal computer
operating systems"

Organizations keep relying on half-decent guidelines for
remedies to their problems. By you thinking that you are
going to plop in any "regulatory grade" *anything* and find
security, you are doing not only yourself a huge disservice,
but also to your clients. These pieces of technology (IPS,
IDS, FWs, HIPS, NIPS, etc) are only capable of doing what
you tell them to. Neither the Payment Card Industry, NIST,
or even the President of your country (or Premier, or
whatever else) should be telling you how to secure your
organization. YOU need to know the ins and outs, take the
proper steps and THEN use these technologies when you're
done with your risk assessments. 

If you're relying solely on what others tell you is
"regulatory-grade" or "military-grade" or any other kind of
grade, you're bound to be right up there with Target, Anthem,
Citi, JP Morgan Chase, a wikipedia-length list of
compromised companies.

When doing pentesting work, I fill up IPS and IDS with so
many false positives, the analysts are FORCED to ignore the
results while I shimmy my shiny right on by. I know based on
experience what someone is going to do when they see a
kabillion alerts light up their dashboard.

http://seclists.org/incidents/2000/Aug/277

The approach: "Let me cater to what they say I should do"
versus: "Let me figure out what my organization does, needs
to do, and how to get to the proper point" is mind boggling.
I wish there were a statistical database of compromised
companies, and the tools they used, frameworks they followed,
and regulatory nonsense they needed to comply with was listed.
Most of these regulatory mandates are based off of half-baked
models that are partially good when followed thoroughly.
However, they are ONLY partially good when an organization
goes beyond the normal banter: "thou shall apply this" - Does
not mean: plop in an IPS and call it a day. For the most part
though, this practice of half-baked security will continue,
vendors will make bucketloads of money, consumers of IPS/IDS
devices will still complain how much the product sucks, and
I as a pentester... I stay happy as it keeps me steadily
enjoying Five Guys' burgers.





Re: Intrusion Detection recommendations

2015-02-13 Thread J. Oquendo
On Fri, 13 Feb 2015, Rafael Possamai wrote:

> What is the alternative then... Does he have the time to become a BSD guru
> and master ipfw and pf? Probably not feasible with all other job duties,
> unless he locks himself in his mom's basement for the next 5 years.
> 

The alternative is to understand what his network does,
what it was designed to do, and what he needs it to do. The
end solution (IPS, IDS, ASA, whatever you want to throw in)
should be just that, an END solution once he has taken the
time to assess risk. This is a concept many miss. As for
"testing" ...

So you own a house, you hire an assessor to analyze your
property, write a report for you on your vulnerabilities.
"You have 12 windows. OMFG Someone can break one of those
windows and steal your family jewels!" Vendor gets paid
and leaves you with a headache. 12 windows? So what...
Behind those windows are a rabid pitbull I never feed.
Wanna take a chance to break in?

Pentest... "So you own a house, same windows, now you're
paying someone to get in." Let me tell you how pentesting
fails. Pentesting fails because most companies get all
bent out of shape based on Internet history of systems,
and applications crashing from a simple network scan.
Ask your next pentesting client (if this pentesting is
your primary function) to allow you to perform a no-holds
barred pentest including social engineering. You'll get
the deer in headlights look. I discussed this recently
with a client who wanted to be snarky: "Oh you'll never
get in my systems" and I decided to inform him about
reality...

Reality: Hardcore attackers are NOT charging down the
castle road with a log trying to break down the castle
wall. They're sending client side attacks (phishing
emails, waterhole attacks). It's more cost effective for an
attacker to do this versus trying to defeat the router,
the switching with all its VLAN glory (that gets vlan
hopped), the L7 firewalls, the load balancers, the IPS,
and then the IPS. It's useless, noisy, and just not cost
effective when you think about it.

IPS, IDS does little because they're RARELY applied in a
proper fashion. As for tinkering, geekiness. If you can't
at least wrap your head around the concept, then I don't
know why you'd want to be on this list. Further, IPS/IDS
is better suited to be inverted (Extrusion Detection) as
you WILL NEVER (CAN NEVER) stop someone from knocking on
your door. So you block every APNIC block thinking "Phew
I just blocked 100% of APTs" until you get whacked from a
hosting company in the US. What have you accomplished?

On the EXTRUSION side of the equation, knowing your
network, and how it works makes more sense. Your focus
gets shifted to the following logic: (rule) SHOW ME
ANYTHING LEAVING MY NETWORK THAT IS OVER 1MB ON A 
SUNDAY MORNING 2AM ... This anomaly means a hell of a lot
more than watching all of the internet trash that will hit
your door (egress ifaces).



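The extrusion-side logic described in this post and in the earlier one on the DB host that is only supposed to talk internally (give the host an explicit allow-list and alert when it strays; flag anything leaving the network over 1MB on a Sunday at 2AM), as an added example that is not part of the original thread. The networks, hosts, ports, flow-line format and the `Flow`, `ALLOWED_PEERS` and rule-function names are constructed assumptions of this example, not anything from the posts.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed: the address space we consider "inside" the network.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed baseline: the DB host 10.0.1.20 is supposed to talk ONLY to two
# app servers on 5432 and a syslog collector on 514.  Anything else it does is
# alert-worthy regardless of whether any signature matches.
ALLOWED_PEERS = {
    "10.0.1.20": {("10.0.2.10", 5432), ("10.0.2.11", 5432), ("10.0.9.5", 514)},
}

QUIET_WEEKDAY = 6           # Sunday (datetime.weekday(): Monday=0 ... Sunday=6)
QUIET_HOUR = 2              # 02:00-02:59 local time
SIZE_THRESHOLD = 1_000_000  # "over 1MB" leaving the network


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int  # bytes sent by src towards dst


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow line (constructed format):
    <ISO timestamp> <src> <dst> <dport> <bytes_out>"""
    ts, src, dst, dport, nbytes = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes))


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def check_policy(flow: Flow):
    """Allow-list rule: a host with a baseline may only talk to its listed peers."""
    allowed = ALLOWED_PEERS.get(flow.src)
    if allowed is None or (flow.dst, flow.dport) in allowed:
        return None
    return f"policy: {flow.src} -> {flow.dst}:{flow.dport} is not in its allow-list"


def check_offhours_egress(flow: Flow):
    """Anomaly rule: more than SIZE_THRESHOLD bytes leaving the network in the quiet window."""
    if is_internal(flow.dst):
        return None  # only traffic leaving the network counts
    if flow.ts.weekday() != QUIET_WEEKDAY or flow.ts.hour != QUIET_HOUR:
        return None
    if flow.bytes_out <= SIZE_THRESHOLD:
        return None
    return (f"egress: {flow.src} sent {flow.bytes_out} bytes to {flow.dst}:{flow.dport} "
            f"at {flow.ts:%a %H:%M}")


RULES = (check_policy, check_offhours_egress)


def evaluate(flows):
    """Run every rule over every flow; return the list of alert strings."""
    alerts = []
    for flow in flows:
        for rule in RULES:
            alert = rule(flow)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample flows.  2015-02-15 is a Sunday; 2015-02-16 is a Monday.
SAMPLE_LINES = [
    "2015-02-15T02:14:00 10.0.1.20 10.0.2.10 5432 4096",      # DB -> app server: baseline
    "2015-02-15T02:17:00 10.0.1.20 203.0.113.7 443 5200000",  # DB -> outside: strays AND large
    "2015-02-16T14:00:00 10.0.3.40 198.51.100.9 443 8000000", # large, but Monday afternoon
    "2015-02-15T02:30:00 10.0.3.40 198.51.100.9 443 900000",  # quiet window, under 1MB
    "2015-02-15T02:45:00 10.0.3.41 198.51.100.9 22 2500000",  # quiet window, over 1MB
]
SAMPLE_FLOWS = [parse_flow(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_FLOWS):
        print(alert)
```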


SSL on Juniper.net

2012-12-07 Thread J. Oquendo

Yes, semi off/on topic I am aware, but because there are 
many here who visit the site, figured I'd ask. Anyone else
having certificate issues on Juniper.net && their support
login? This just started today. 

www.juniper.net is pushing an Akamai cert, support.j* is
pushing a Comodo cert.





Re:

2012-12-12 Thread J. Oquendo

> flower tailor  wrote:
> > Delete me
> 


''=~('(?{'.('^,)@^@'^'.^@.*`').'"'.('_:$:@@,:^'^',[][./^[|').',$/})')






Google contact

2012-12-19 Thread J. Oquendo

Can someone from GOOG contact me off-list. After many 
submissions to have my corp IP space fixed for geolocation,
I'm at wits end looking at British news, finding British
searches, knowing more about the UK than the US than I care
to. Makes for difficult GHDB'ing when searching as well.





Re: Google contact

2012-12-19 Thread J. Oquendo
On Wed, 19 Dec 2012, J. Oquendo wrote:

> 
> Can someone from GOOG contact me off-list. After many 
> submissions to have my corp IP space fixed for geolocation,
> I'm at wits end looking at British news, finding British
> searches, knowing more about the UK than the US than I care
> to. Makes for difficult GHDB'ing when searching as well.


Odd responding to my own message. Yes, Maxmind, Neustar and
everyone else I can think of sees my space just fine minus
Google. (Before someone wastes time telling me to go there)





Team Cymru contact

2013-01-11 Thread J. Oquendo

Can one of you guys contact me off list. (Sorry for the noise
list... Best place for me to definitively the right person)




Re: A multi-tenant firewall for an MSSP

2015-08-18 Thread J. Oquendo
On Tue, 18 Aug 2015, Blake Dunlap wrote:

> Since no one else has mentioned it, I'll dive on that fire.
> 
> Be careful when setting up a multi-tenant security solution that you
> are not accidentally selling "DoS as a Service" to your clients. State
> is evil, and state sharing with other targets is dangerous. Target
> sharing with other targets that are outsourcing their security can get
> increasingly scary especially if one of these clients is a juicy
> target. Make sure you have the infrastructure in place to quickly
> isolate your clients so that they do not fate share if they become in
> the focus of DoS attacks. This can mean isolated infrastructure for
> those you wish to keep up, or sacrificial infrastructure for those you
> are willing to let drop for the greater good.
> 
> -Blake
> 

Unsure what you meant by this. In a multi-tenant firewall
implementation (as far as I envision it), all tenants would
occupy different IP space so I don't get how any of the
state sessions would be affected. I'd be more concerned
with not enough sockets. 

Palo Alto has a virtual system setup built specifically
for this:

https://www.paloaltonetworks.com/products/features/virtual-systems.html

Now if only they'd send me free firewalls for marketing
them.



Google Voice Security

2017-10-12 Thread J. Oquendo

Sorry for the noise. Can someone put me in touch with
someone in the Google Voice (application iPhone/Android)
department to discuss an issue. Greatly appreciated.



Akamai contact

2017-12-04 Thread J. Oquendo
Can one of the Akamai (non salesy) guys ping me off list
please. Security related.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0A96 6318 EA49 4032 21C9  A7A8 81E9 3E95 414F 356E
https://pgp.mit.edu/pks/lookup?op=get&search=0x81E93E95414F356E


Comcast and DGA like behavior

2018-04-25 Thread J. Oquendo
Anyone else seeing DGA (1) like behavior for Comcast based
customers? If so, is there any information on it? Seeing a
lot of traffic to bogus domains all synonymous with their
networks.


1: https://en.wikipedia.org/wiki/Domain_generation_algorithm

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM, GNFA

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0A96 6318 EA49 4032 21C9  A7A8 81E9 3E95 414F 356E
https://pgp.mit.edu/pks/lookup?op=get&search=0x81E93E95414F356E


On another security note... (of sorts)

2010-07-15 Thread J. Oquendo


While on another list (security list that some of you guys are on) there
is a discussion about a particular botnet that the "BP approach" of
containment is occurring. Not a big deal, we've all seen them from time
to time.

I read with interest on how volunteers are scrambling to contain this
botnet. Mind you, most of us work and do this (security tidbits) at the
same time while we work. Many of us do it for self-satisfaction, for
learning, for maybe naively thinking we can help make the net a better
place (INSERT_SAPPY_SONG_THERE). I just can't help taking the 50k
foot view here... Why is it that network operators can't work together
on instances like this and have a "botnet killswitch" framework in
order. Now I know I will see the ramblings of "Why should I waste my
time (spend my money)" or "This is not an operational post take a hike"
and other similar posting however, this IS related to 'many-a-networks'
that could be avoided.

RFP anyone.. Botnet Mitigation for Networks surely collectively it would
and CAN work. Is it going to take an act of someone 'pwning' everyone's
account here before someone else says: "We should work together" or will
it go in one ear and out the other while misfits run around emptying out
accounts, causing businesses to go under. Some of you guys have the most
amazing minds and have literally been the glue for what we use (the
Internet) and some have been the laziest admins I've seen on the planet.
Surely even a minimal framework to submit "validated" botnet
distribution sites is something everyone can collectively do. Nipping at
the head surely minimizes the overall damage these things are doing.

Now I do know some would come back and state the oft-said "Why bother!
... Dude fast-flux, etc." We know... To those, why respond.  How about
solutions from those who are controlling how traffic on the net flows.



-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E




Re: On another security note... (of sorts)

2010-07-16 Thread J. Oquendo
Sean Donelan wrote:
>
> Damned if they do, Damned if they don't.
>
> It seems like every 4-6 weeks people alternate between ISPs are bad
> because they don't try to prevent X, Y or Z; and then 4-6 weeks later
> ISPs are bad because they tried to prevent A, B or C.  It doesn't matter
> what A, B, C or X, Y, Z are; it must be the ISPs fault.
>
> Everyone agrees that ISPs are bad, they just disagree about what ISPs
> are supposed to do about whatever.
>
> And so it goes...
>
>
Odd, I definitely don't recall saying outright ISP's are bad. More to
the tune of "ISP's can do more given they're in the best position to do
so..." which brings things full-circle, what can be done? How about an
RFC, then building from there. Anyone can comment about the potential of
"I'm not adding hundreds of thousands of null0's to my Cisco!@" and the
point would be missed. As an NSP/NAP/ISP (pick your poison), you have
the potential to see where your machines are connecting to. And I don't
mean snooping their traffic outright, but it's as simple as keeping tabs
on a "destination", if you KNOW and it has been CONFIRMED, that the
destination is a known purveyor "of un-fine" goods, wouldn't you like to
potentially help your clients before they become zombiefied?

If there was a method for operators to obtain information and share it,
(think an unbiased, validated, "most wanted" list) do you really want to
state that you wouldn't care about it, you couldn't use it. Surely I'd
like to use something similar and if I were in a position to do
something on a massive scale to eliminate bad traffic from 1) reaching
my customers (since money is obviously the main concern) and 2) from
making sure my customers don't affect your customers (YOUR money), I
would jump up and down on it doing whatever I could.

So it's not the ISP's are bad (at least to me they're not), it's more
like "ISP OPERATORS/OWNERS are too busy fighting AGAINST things like
this from happening, often spending more time and effort against it,
than they are trying to collaboratively solve a problem."

Analogy: "ALL gunmakers have seen their firearms mistakenly fire off at
will (purposefully or accidentally). They all agree that by putting a
safety mechanism, the rates of fatalities and injuries will go down.
Some choose not to, because after all, they would need to spend more
money to do so... Many protest against it: Smith and Wesson doesn't have
that, why should I?!... Fatalities continue and gunmakers complain: All
gunmakers are bad right, sure... uh-huh"

What's wrong with that analogy. What about responsibility. Forget the
politricks for a moment and think about the *ultimate* bottom line
here... Would you like to prevent someone from possibly wreaking havoc
on your personal bank account? Remember, what goes around comes around.
You're not only doing neighbors (peers) a favor but if collectively the
same approach was taken by many, there would be less "dirty traffic"
around. No one on this list can seriously counter this claim. We can get
into: "oh yea smart ass... They could encry...@... They could fast
flux!!!, they could..." Guess what? What is anyone going to do when they
can't connect?

E.g:
src(my_compromised_machine):port --> dst(known_dirty_host_on_X_net)
My_NSP(hourly) ---> Mega_Peer_Dirty_Host_Watcher --> get_list_apply_filter

Result:

src(my_compromised_machine):port --> dst(known_dirty_host_on_X_net) -->
My_Provider --> ::1

Anyway, just a thought, maybe a far out there thought, but I truly
believe it can be done at an upstream level with little to no cost. I
believe it costs more to sit around complaining and doing nothing than
it does when you start losing customers because someone compromised them
and wiped out their accounts driving them to bankruptcy.
(http://krebsonsecurity.com/2010/02/n-y-firm-faces-bankruptcy-from-164000-e-banking-loss/)





Re: On another security note... (of sorts)

2010-07-19 Thread J. Oquendo
Dobbins, Roland wrote:

>
> The thorniest issues aren't technology-related, per se; they're legal
> exposure (both real and imagined), regulatory concerns (both real and
> imagined), antitrust concerns (both real and imagined),
> management/marketing/PR concerns (largely imagined), skillset
> shortages/concerns (very real), customer perception concerns (both real
> and imagined), and so forth.

Legal issues for a situation like this can easily be resolved however
the problem boils down to who is willing to become "case law." There
aren't many laws surrounding this topic. Antitrust and regulatory issues
too can be trumped when businesses collectively conclude that it's for
the best interest of everyone. I believe that too many perceive this
imaginary 'brick wall' coming down on them and often take a step back
choosing to do nothing, then coming back and wondering why their
businesses are now listed on DataLossDB.org.

Customer perceptions and concerns very real? I'm curious to know what
your perception is. As a customer *somewhere* down the line, if a
business slash vendor told me they were working with other businesses to
deter/minimize fraud, I'd be all for it. I can't think of any situation
where I would come around to a grinding halt: E.g.: From Starbucks:
"We're working with SEARS to minimize theft/fraud..." me: "OMG No! You
better not work to make sure thieves don't get ahold of my data!" I
didn't follow that glaringly big "very real." If you mean on the bits
side of things... E.g. (myself working at an ITSP) My competitor: "We're
working to make an attacker database to defend ourselves from
toll-fraudsters, care to join?" ... Me: "No way in hell I'm going to
defend myself because you're seeing more attacks. Thanks but no thanks!"

Maybe naivete on my part, but I don't see how customers would have
issues if the scenario/framework was concisely explained.

> The second tier of barriers are those surrounding trust.  It's
> basically a sociological analogue of 'the PKI problem'.

Anyone here not peering, raise your hand?! Sure there will be trust
issues, those too can be overcome. A "vetting" process could be
implemented and selected individuals can be "voted" in or out. We
"trust" NANOG to select the best individual to moderate this list. At
the granular level, I don't know anything about the moderator, yet I
trust my peers knew enough to give them a vote of confidence. Should I
go back and create a dossier on the moderator or should I trust my
peers. I think for the most part it's a "so far so good" situation. Life
goes on until otherwise noted.

> Technology issues form the third set of barriers.  Yes, they're real
> and they're important, but if we could wiggle our noses a la Elizabeth
> Montgomery and make all the technology issues go away, the other sets of
> issues would still preclude any kind of universal solution, for some
> value of 'solution'.

Here is a semi-universal solution... Throw an N-Byte field into the TCP
protocol and label it "dirty" the dirty bit. The dirty bit would be for
a combination of a host and or other identifier which came into the
radar N amount of times. The dirty bit would automatically get populated
into every routing table X amount of time where if a "dirty bit" tried
to route traffic from ANYWHERE, after some time, even its own TCP stack
wouldn't let it route out.

Even the collaboration of about 12 major companies (MS, Cisco, Juniper,
Sun, IBM) would likely cut the likelihood of attacks to probably in the
teen percentile.

> That's one of the reasons why a lot of people who make sweeping
> generalizations and recommendations about 'cyber-this' and 'cyber-that'
> tend not to have a good grasp of even the fundamentals - they aren't the
> folks who do the actual work, they don't know who does the actual work,
> and they often don't know anybody who knows somebody who actually does
> the actual work.  They often don't even know that actual work is taking
> place, or what it entails, in the first place, because the actual work
> takes place out of the limelight.

Acknowledged... Still I believe a framework
(anti-malicious/pattern-matching/dirty-host) is long overdue. I also
believe far too many people take the "NIMBY" approach and make excuses
as opposed to solutions. This is seriously evident based on the amount
of responses to something which is (I perceive to be) mission critical.
More so than arguing over the pros and cons of NOT doing anything.






AT&T Hiccup

2010-09-10 Thread J. Oquendo

Alright, since things are mighty quiet on a Friday (either that or
everyone on NANOG is now blacklisted somehow and I'm not getting mail),
I'd figure to go the PITA route (as usual) and I'd ask a simple question
worthy of the mandatory responses of: "on topic questions are not the
topic of this list!", "this is not the outage list", "how is this
related to networking operations"

Did anyone see AT&T flake off the face of the map within the last 30-40
minutes? I know I did! (Seriously I did I did!)

Client: "We has no Internet"
Me: thinking to myself... "they need to call their provider... Due
diligence tracepath/ping/isitdownforeveryoneorjustme time... Global -->
AT&T looks sketchy"

# tracepath 12.200.xx.xx

 3:  so-1-3-1.585.ar1.JFK1.gblx.net (208.48.236.105)  asymm  4   3.416ms
 4:  po3-40G.ar2.ATL2.gblx.net (67.16.131.198)asymm  7 141.179ms
 5:  no reply
 6:  no reply
 NO REPLY 24 more x
31:  no reply
 Too many hops: pmtu 1500
 Resume: pmtu 1500

AnotherClient (seconds later): "We has no VoIP"
Me: thinking to myself... "Damnit GBLX not again"

Another_Nother_Client (like even seconds after the first): "We has no p2p!"
Me: "time to tweet this question... No... post it to facebook... No -
make sure I update LinkedIn... wait?! NANOG"

Common denominator... All were on AT&T. So, was it only me or did one of
AT&T's cores take a long (3-5 minute) hiccup.

Post WTFH:

# tracepath 12.200.xx.xx

 3:  so-1-3-1.585.ar1.JFK1.gblx.net (208.48.236.105)  asymm  4   3.774ms
 4:  te4-4-10G.ar5.NYC1.gblx.net (67.16.134.158)  asymm  7 189.496ms
 5:  192.205.37.137 (192.205.37.137)  asymm  7   5.979ms
 6:  cr1.n54ny.ip.att.net (12.122.81.58)  asymm  9  20.088ms
 7:  cr84.n54ny.ip.att.net (12.122.115.94)asymm  9  19.585ms
 8:  gar1.chsct.ip.att.net (12.122.105.117)   asymm  7  10.234ms
 9:  12.91.181.170 (12.91.18x.xxx)asymm  8  24.811ms
10:  12.200.42.67 (12.200.xx.xx)  asymm  9  29.104ms reached
 Resume: pmtu 1500 hops 10 back 9

Just wanted to know if someone else saw it. All clients were spread
through the 12.x.x.x block not solely on 12.200.x.x

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E




Re: XO Routing

2010-09-16 Thread J. Oquendo
Stefan Molnar wrote:

> >
> > Anyone know the impact on the XO Routing/Peering that is happening
> > right now?  We have had spotty connectivity for the last hour.
> >
> > Stefan
> >
> >
>   
I don't know the exact impact but I've had my Covad and AT&T customers
ready to hang me because of what's going on.

As of right this moment, my Covad connections are slowly coming back but
have been acting spotty, I haven't heard complaints about the AT&T side
for about 30-40 minutes.

My POV, Covad is shaky because of their peering to XO. AT&T might have
corrected itself.

David Hubbard wrote:

> > I know their own phone systems went down, or perhaps
> > were overloaded; we lost our office connection to them
> > but our phones remained online.  I called their tech
> > line by cell, was told thanks for calling XO, we are 
> > experiencing technical difficulties and then it hung
> > up on me.  :-)   This seems to happen about once a month
> > with them though so I'm used to it.
> >
> > David 
> >   
>   
Their own phone systems... I have a lot of clients whose providers peer
with XO whose phone systems went kaput (one way audio, resolved, nope,
resolved, nope). This is one of the downsides of working an ITSP. Trying
to explain to clients why another provider they've never heard of is
impacting their business. Oy VoIP, how I loathe you.





Re: Chase.com outage

2010-09-16 Thread J. Oquendo
N. Yaakov Ziskind wrote:
> Does anyone have any information (beyond the wimpy statement that
> "technical issues" were to blame) on the Chase outage?
>
> It seems that when a multibillion dollar company's major web site is
> down for more than a day, there must be juicy "technical issues" that 
> beg to be told. So, can anyone dish? :-)
>
>   
Cloud be ... The cloud... Mushroomcloud
http://www.infiltrated.net/mushroomcloud/

It's (proven to be) theoretically possible ;)





Re: Scam telemarketers spoofing our NOC phone number for callerid

2010-10-06 Thread J. Oquendo
William Herrin wrote:
> On Wed, Oct 6, 2010 at 10:37 AM, Dan White  wrote:
>   
>> If your PBX is SIP based, you might be victim of a SIP registration hijack,
>> which are on the rise, based on traffic we've been seeing in our network.
>> 
>
> I had my unpublished asterisk box up for all of two days before
> getting half a megabit per second worth of false SIP registration
> attempts. Filled /var/log. I had to write a script to dynamically
> filter source IPs with too many failures.
>
> Regards,
> Bill Herrin
>
>   

"A Simple Asterisk Based Toll Fraud Prevention Script"
http://www.infiltrated.net/asterisk-ips.html

Cheap marketing of a free RBL for VoIP: http://www.infiltrated.net/voipabuse

Anyhow, I spoke about this last week (toll fraud abuse via IP PBX
tricksters). Show # 275
http://www.talkshoe.com/talkshoe/web/talkCast.jsp?masterId=22622&cmd=tc

http://voipsa.org/blog/2010/09/29/voip-attackers-sometimes-they-come-back/
http://voipsa.org/blog/2010/09/28/voip-abuse-project/


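Bill's "script to dynamically filter source IPs with too many failures" is the usual answer to this, so here is a worked version of that idea. It is added to this archive and is not the asterisk-ips script linked above nor anything posted in the thread. It parses the chan_sip NOTICE lines Asterisk writes for a failed REGISTER (the log lines below are constructed, and the exact wording differs between Asterisk releases, so the regex is an assumption to check against your own messages file), counts failures per source inside a sliding time window, and emits iptables DROP rules for sources over the threshold. The SIPBLOCK chain name and the five-in-ten-minutes threshold are assumptions too.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/asterisk/messages: one fast brute-forcer,
# one legitimate phone with a bad password, one slow scanner (one try per hour).
SAMPLE_LOG = """\
[Oct  6 10:37:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@198.51.100.5>' failed for '203.0.113.7' - No matching peer found
[Oct  6 10:37:02] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@198.51.100.5>' failed for '203.0.113.7' - No matching peer found
[Oct  6 10:37:02] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@198.51.100.5>' failed for '203.0.113.7' - No matching peer found
[Oct  6 10:37:03] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@198.51.100.5>' failed for '203.0.113.7' - No matching peer found
[Oct  6 10:37:03] NOTICE[1234] chan_sip.c: Registration from '"104" <sip:104@198.51.100.5>' failed for '203.0.113.7' - No matching peer found
[Oct  6 10:40:15] NOTICE[1234] chan_sip.c: Registration from '"201" <sip:201@198.51.100.5>' failed for '198.51.100.20' - Wrong password
[Oct  6 10:41:00] VERBOSE[1234] logger.c:   -- Registered SIP '201' at 198.51.100.20 port 5060
[Oct  6 08:00:00] NOTICE[1234] chan_sip.c: Registration from '"1" <sip:1@198.51.100.5>' failed for '192.0.2.9' - No matching peer found
[Oct  6 09:00:00] NOTICE[1234] chan_sip.c: Registration from '"1" <sip:1@198.51.100.5>' failed for '192.0.2.9' - No matching peer found
[Oct  6 10:00:00] NOTICE[1234] chan_sip.c: Registration from '"1" <sip:1@198.51.100.5>' failed for '192.0.2.9' - No matching peer found
[Oct  6 11:00:00] NOTICE[1234] chan_sip.c: Registration from '"1" <sip:1@198.51.100.5>' failed for '192.0.2.9' - No matching peer found
[Oct  6 12:00:00] NOTICE[1234] chan_sip.c: Registration from '"1" <sip:1@198.51.100.5>' failed for '192.0.2.9' - No matching peer found
"""

# Pattern modelled on the NOTICE chan_sip logs for a failed REGISTER in
# Asterisk 1.4/1.6 (assumption: verify against your own log before relying on it).
FAIL_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'"
    r" - (?P<reason>.+)$"
)


def parse_failures(lines):
    """Yield (timestamp, source_ip, reason) for every failed-REGISTER line."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            # Asterisk's default date format carries no year; 1900 is fine for deltas.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("reason")


def offenders(lines, threshold=5, window_seconds=600):
    """Return {ip: total_failures} for sources with `threshold` or more failures
    inside any window of `window_seconds`. A sliding window means a slow scanner
    spread over hours is only caught if the window is widened accordingly."""
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_failures(lines):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def iptables_rules(ips, chain="SIPBLOCK"):
    """One DROP per offender; the chain is assumed to exist and be jumped to from INPUT."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rule in iptables_rules(offenders(lines)):
        print(rule)
    print("with a 5 hour window:", offenders(lines, window_seconds=5 * 3600))
```

Run it against the real log with `tail -F` feeding a loop and the rules go in as failures occur; the important design choice is the window, since a brute-forcer that paces itself to one attempt per hour never trips a ten-minute threshold and has to be caught by a second, wider window or by the VoIP RBL approach above.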




Re: Scam telemarketers spoofing our NOC phone number for callerid

2010-10-06 Thread J. Oquendo
Scott Howard wrote:
> On Wed, Oct 6, 2010 at 8:55 AM, Jon Lewis  wrote:
>
>   
>> Some do.  Anyone with control of a phone system with digital lines (i.e.
>> asterisk with PRI) can trivially set callerID to whatever they want. There
>> are perfectly legitimate, and not so legitimate uses for this.
>>
>> 
>
> You don't even need the PRI.  There's a number of SIP providers that will
> allow you to set CallerID.  In some cases they do some level of verification
> first, but in many cases it's just a free-for-all.
>
> There were some laws passed recently which makes "faking" caller-id illegal,
> although I'm not sure exactly what the details are (eg, I'm fairly sure
> sending your cell phone number from a desk phone is fine as you own both of
> them).
>
>   Scott.
>
>   
It's HR 1258, the Truth in Caller ID Act; however, it means nothing to
someone outside the United States, and this is where the issue seems to
stem from (a huge portion).

So imagine the following:

YourCompany --> VoIP_Peer --> Euro_Company

Someone compromises something in Euro_Company, unbeknownst to that
company, they're sending YOU traffic which you in turn pass (remember
you trusted them here). Guess what? Euro_Company's PBX was sending false
Caller ID. Should you be the one held liable as an ITSP? Further
consideration:

You --> Call Dell Support --> call re-routes to West Bumfork India -->
Callee gets your callback
Yourphone --> ring ring ring --> CID: Dell 12125551234

Where is the truth there?

Anyhow, I don't know if Obama signed this into law yet.

On my phone right now, I set the caller ID to the main number of my
company so that clients take the appropriate steps in going through
Customer Service. Guess what? When I'm at home and on-call my Caller-ID
is set to my company's main number so that clients don't call me at home
on a Sunday morning. Am I committing a "despicable" act by doing this?
Is it any different than unplugging my Snom, Cisco or Polycom and
bringing it home which yields the same results.

While I do recognize the abuse (spammers, telemarketers, etc), I don't
see how a bill is going to stop this from occurring. Who knows maybe
blacklisting ITSP providers. Should we play a guessing game: "Well, it
is coming from Global Crossing..."

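The Euro_Company scenario above is the case an ITSP can actually screen for: whatever a customer or peer puts in From, the number it presents should be one that trunk is authorised to present. Below is an added example (not code from the original post) of that check in Python: it parses the identity headers of an INVITE, normalises them to E.164 digits, and compares both From and P-Asserted-Identity against a per-trunk allow list. The INVITE messages, trunk names and the POLICY table are constructed for the example; treating a bare 10-digit number as NANP is an assumption.

```python
import re

HEADER_RE = re.compile(r"^(?P<name>[A-Za-z\-]+)\s*:\s*(?P<value>.*)$")
URI_USER_RE = re.compile(r"(?:sips?|tel):(?P<user>[^@;>]+)")

# Constructed policy: which E.164 prefixes each trunk may present as caller ID.
POLICY = {
    "acme":      ["12125551"],   # customer trunk: its own 212-555-1xxx block only
    "euro_peer": ["44"],         # wholesale peer: UK numbers only, nothing else laundered through
}

# Constructed INVITEs (real messages use CRLF; splitlines() copes with either).
INVITE_CUSTOMER = """\
INVITE sip:+13125550100@203.0.113.10 SIP/2.0
From: "Acme Corp" <sip:+12125551000@198.51.100.5>;tag=abc
To: <sip:+13125550100@203.0.113.10>
P-Asserted-Identity: <sip:+12125551000@198.51.100.5>
Call-ID: a1@198.51.100.5
Content-Length: 0

"""
INVITE_PEER_SPOOF = """\
INVITE sip:+13125550100@203.0.113.10 SIP/2.0
From: "Dell Support" <sip:2125551234@192.0.2.44>;tag=def
To: <sip:+13125550100@203.0.113.10>
Call-ID: b2@192.0.2.44
Content-Length: 0

"""
INVITE_ANON = """\
INVITE sip:+13125550100@203.0.113.10 SIP/2.0
From: "Anonymous" <sip:anonymous@anonymous.invalid>;tag=ghi
To: <sip:+13125550100@203.0.113.10>
P-Asserted-Identity: <sip:+12125551042@198.51.100.5>
Privacy: id
Call-ID: c3@198.51.100.5
Content-Length: 0

"""


def parse_headers(msg):
    """Headers of one SIP request as {lower-case name: [values]}; stops at the blank line."""
    headers = {}
    for line in msg.splitlines()[1:]:          # line 0 is the request line
        if not line.strip():
            break
        m = HEADER_RE.match(line)
        if m:
            headers.setdefault(m.group("name").lower(), []).append(m.group("value").strip())
    return headers


def to_e164(user):
    """E.164 digits from a SIP/tel user part, or None for non-numeric users
    such as 'anonymous'. Assumption: a bare 10-digit number is NANP."""
    digits = re.sub(r"\D", "", user)
    if not digits:
        return None
    return "1" + digits if len(digits) == 10 else digits


def identity_numbers(headers):
    """Numbers the caller asserts in From and P-Asserted-Identity (first value of each)."""
    found = {}
    for name in ("from", "p-asserted-identity"):
        for value in headers.get(name, [])[:1]:
            m = URI_USER_RE.search(value)
            found[name] = to_e164(m.group("user")) if m else None
    return found


def screen_invite(msg, trunk, policy):
    """Return ("permit", number) or ("reject", reason) for an INVITE arriving on `trunk`.
    P-Asserted-Identity wins as the presented number when present; a numeric From
    must still be in range, so a peer cannot hide a forged From behind a clean PAI."""
    allowed = policy.get(trunk)
    if allowed is None:
        return "reject", f"unknown trunk {trunk}"
    ids = identity_numbers(parse_headers(msg))
    pai, frm = ids.get("p-asserted-identity"), ids.get("from")
    asserted = pai if pai is not None else frm
    if asserted is None:
        return "reject", "no numeric caller identity to screen"
    for label, number in (("P-Asserted-Identity", pai), ("From", frm)):
        if number is not None and not any(number.startswith(p) for p in allowed):
            return "reject", f"{label} {number} is not a number authorised on trunk {trunk}"
    return "permit", asserted


if __name__ == "__main__":
    print(screen_invite(INVITE_CUSTOMER, "acme", POLICY))
    print(screen_invite(INVITE_PEER_SPOOF, "euro_peer", POLICY))
    print(screen_invite(INVITE_ANON, "acme", POLICY))
```

Note that the same 12125551234 is permitted on the acme trunk, because that trunk owns the 212-555-1xxx block, and rejected on euro_peer: the check is about who is allowed to present a number, not about the number being "real", which is the distinction the on-call example in the post turns on.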




Re: [Operational] Internet Police

2010-12-10 Thread J. Oquendo
On 12/10/2010 11:08 AM, Lamar Owen wrote:
>
> In reality DoS threats/execution of those threats/ 'pwning' / website 
> vandalism are all forms of terrorism.  An easily pronounceable version with a 
> 'net-' 'e-' or even 'cyber-' prefix. is difficult.  

I thought "e-*" was so yesterday, wouldn't this be "i-*" or to be more
complete "i-* 2.0"





Specific Network Querying

2010-12-29 Thread J. Oquendo

Good morning and happy holidays all. I'm in the process of creating an
automated filtering application and would like to know if anyone can
point me to the right place. I'd like to be able to query a
site/db/etc., and pull out specific netblocks to create fw rules. Since
IP space is always changing, it would be helpful if my queries can be
tailored to something like:

wget site | Parse IP space | grep Company | create rule

Or:

wget site | Parse IP space | grep {EDU_IP_SPACE,MIL_SPACE,GOV_SPACE} |
create rule

Follow?

Right now I am using potaroo with something like :

wget -qO -
http://bgp.potaroo.net/ipv4-stats/allocated-{apnic.html,ripe.html, etc}

But this just gives me entire blocks, not who is behind them. Is there
any site I could use to query specifics? E.g., for a gov client: wget
-qO - this.site.org | grep "\.gov" | parse_with_awk '{print "fw_rule"}'

Thanks in advance and Happy New Year to everyone.


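One offline-friendly answer to the question above, added here as an example rather than taken from the thread: every RIR publishes a delegated-extended statistics file (for ARIN it is delegated-arin-extended-latest under ftp.arin.net/pub/stats/arin/) with one record per allocation in the form registry|cc|type|start|value|date|status|opaque-id. IPv4 records carry a start address and a host count rather than a prefix, and the count is not always a power of two, so the conversion to CIDR is the part worth getting right. The opaque-id groups records that belong to the same holder but does not name the organisation; mapping it to a company still takes a whois/RDAP lookup, which this example does not do. The records below are constructed in that format.

```python
import ipaddress

# Constructed sample in delegated-extended format: version header, summary
# lines, then one record per delegation.
SAMPLE_DELEGATED = """\
2|arin|20101229|5|19830101|20101228|-0500
arin|*|ipv4|*|3|summary
arin|*|ipv6|*|1|summary
arin|*|asn|*|1|summary
arin|US|ipv4|12.0.0.0|16777216|19830819|assigned|ORG-CONSTRUCTED-1
arin|US|ipv4|192.0.2.0|256|20100101|assigned|ORG-CONSTRUCTED-2
arin|US|ipv4|198.51.100.0|768|20100101|allocated|ORG-CONSTRUCTED-3
arin|US|ipv6|2001:db8::|32|20100101|allocated|ORG-CONSTRUCTED-3
arin|US|asn|64496|1|20100101|assigned|ORG-CONSTRUCTED-3
arin|CA|ipv4|203.0.113.0|256|20100101|reserved|
"""


def parse_delegated(lines):
    """Yield (registry, cc, type, start, value, status, opaque_id) per record,
    skipping the version header, summary lines, blanks and comments."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) < 7 or f[2] not in ("ipv4", "ipv6", "asn") or f[3] == "*":
            continue
        opaque = f[7] if len(f) > 7 else ""
        yield f[0], f[1], f[2], f[3], int(f[4]), f[6], opaque


def ipv4_prefixes(start, count):
    """IPv4 records give a start address and a host count; the count need not be
    a power of two, so one record may need several CIDR blocks."""
    first = ipaddress.IPv4Address(start)
    last = first + (count - 1)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def select_prefixes(lines, countries=None, opaque_ids=None,
                    statuses=("allocated", "assigned")):
    """CIDR prefixes matching the filters, in file order. IPv6 records already
    carry a prefix length; ASN records are ignored here."""
    out = []
    for _, cc, typ, start, value, status, opaque in parse_delegated(lines):
        if status not in statuses:
            continue
        if countries and cc not in countries:
            continue
        if opaque_ids and opaque not in opaque_ids:
            continue
        if typ == "ipv4":
            out.extend(ipv4_prefixes(start, value))
        elif typ == "ipv6":
            out.append(f"{start}/{value}")
    return out


def fw_rules(prefixes, chain="INPUT", action="DROP"):
    """iptables/ip6tables rules for the selected prefixes."""
    rules = []
    for p in prefixes:
        tool = "ip6tables" if ":" in p else "iptables"
        rules.append(f"{tool} -A {chain} -s {p} -j {action}")
    return rules


if __name__ == "__main__":
    lines = SAMPLE_DELEGATED.splitlines()
    print("\n".join(fw_rules(select_prefixes(lines, opaque_ids={"ORG-CONSTRUCTED-3"}))))
```

The pipeline from the post then becomes: fetch the delegated file, resolve the opaque-ids you care about once via whois, and regenerate the rules from the file on each refresh; note that 768 hosts starting at 198.51.100.0 come out as a /23 plus a /24, which is what a naive count-to-mask conversion gets wrong.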




Philips contact

2011-06-01 Thread J. Oquendo

Hello all, really hate posting these messages here, but some of you are
tops at pinpointing a direct point of contact. I need to get a hold of
someone in Philips Corp. as about 12 different managed networks of ours
have been probed from one of their netblocks.

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF




Merit Point of Contact

2011-10-21 Thread J. Oquendo


Can someone on list put me in touch with an individual in Merit.edu's 
security team. An address in their netblock introduced themselves to one 
of my VoIP honeypots, unsure whether to send it to abuse as it will 
likely be confusing (the write up).







F5 contact

2010-03-03 Thread J. Oquendo

Sorry for a non-NANOG related message. Anyone with a direct security
contact at F5 please shoot me a message off-list.

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E




Juniper Denial of Service vulnerabilities

2010-04-01 Thread J. Oquendo

A Dual-Homed Swapfile Overflow Error can occur under controlled
conditions causing multiple Denials of Service on Juniper SRX platforms.
http://www.disgraced.org/junipervulns.html





Nato warns of strike against cyber attackers

2010-06-08 Thread J. Oquendo
From the NetSec mailing list...

> At http://www.timesonline.co.uk/tol/news/world/article7144856.ece
>
> June 6, 2010
> Nato warns of strike against cyber attackers
> Michael Smith and Peter Warren
>
> NATO is considering the use of military force against enemies who launch
> cyber attacks on its member states.
>
> The move follows a series of Russian-linked hacking against Nato members and
> warnings from intelligence services of the growing threat from China.
>
> A team of Nato experts led by Madeleine Albright, the former US secretary of
> state, has warned that the next attack on a Nato country “may well come down
> a fibre-optic cable”.
>
> A report by Albright’s group said that a cyber attack on the critical
> infrastructure of a Nato country could equate to an armed attack, justifying
> retaliation.
>
> Article 5 is the cornerstone of the 1949 Nato charter, laying down that “an
> armed attack” against one or more Nato countries “shall be considered an
> attack against them all”.
>
> It was the clause in the charter that was invoked following the September 11
> attacks to justify the removal of the Taliban regime in Afghanistan.
>
> Nato is now considering how severe the attack would have to be to justify
> retaliation, what military force could be used and what targets would be
> attacked.
>
> The organisation’s lawyers say that because the effect of a cyber attack can
> be similar to an armed assault, there is no need to redraft existing
> treaties.
>
> Eneken Tikk, a lawyer at Nato’s cyber defence centre in Estonia, said it
> would be enough to invoke the mutual defence clause “if, for example, a
> cyber attack on a country’s power networks or critical infrastructure
> resulted in casualties and destruction comparable to a military attack”.
>
> Nato heads of government are expected to discuss the potential use of
> military force in response to cyber attacks at a summit in Lisbon in
> November that will debate the alliance’s future. General Keith Alexander,
> head of the newly created US cyber command, said last week there was a need
> for “clear rules of engagement that say what we can stop”.
>
> The concerns follow warnings from intelligence services across Europe that
> computer-launched attacks from Russia and China are a mounting threat.
> Russian hackers have been blamed for an attack against Estonia in April and
> May of 2007 which crippled government, media and banking communications and
> internet sites.
>
> They also attacked Georgian computer systems during the August 2008 invasion
> of the country, bringing down air defence networks and telecommunications
> systems belonging to the president, the government and banks.
>
> Alexander disclosed last week that a 2008 attack on the Pentagon’s systems,
> believed to have been mounted by the Chinese, successfully broke through
> into classified areas.
>
> Britain’s Joint Intelligence Committee cautioned last year that Chinese-made
> parts in the BT phone network could be used to bring down systems running
> the country’s power and food supplies.
>
> Some experts have warned that it is often hard to establish government
> involvement. Many Russian attacks, for example, have been blamed on the
> Russian mafia. The Kremlin has consistently refused to sign an international
> treaty banning internet crime.
>
>   

Obviously NATO is not concerned with proving the culprit of an attack,
albeit close to an impossibility. Considering that many attackers
compromise so many machines, what's to stop someone from instigating? I
can see it coming now:

hping -S 62.128.58.180 -a 62.220.119.62 -p ++21 -w 6000
hping -S 62.220.119.62 -a 62.128.58.180 -p ++21 -w 6000

So NANOGer's, what will be the game plan when something like this
happens, will you be joining NATO and pulling fiber. I wonder when all
types of warm-fuzzy filtering will be drafted into networking: "Thou
shall re-read RFC4953 lest you want Predator strikes on your NAP
locations...





Re: Nato warns of strike against cyber attackers

2010-06-08 Thread J. Oquendo
Jorge Amodio wrote:
>> So NANOGer's, what will be the game plan when something like this
>> happens, will you be joining NATO and pulling fiber. I wonder when all
>> types of warm-fuzzy filtering will be drafted into networking: "Thou
>> shall re-read RFC4953 lest you want Predator strikes on your NAP
>> locations...
>> 
>
> We have a large supply of tin hats on stock ...
>
> My .02
>   

All humor aside, I'm curious to know what can anyone truly do at the end
of the day if say a botnet was used to instigate a situation. Surely
someone would have to say something to the tune of "better now than
never" to implement BCP filtering on a large scale. Knobs, Levers, Dials
and Switches: Now and Then (please sir, may I have some more ?) is 7
years old yet I wonder in practice, how many networks have 38/84
filtering. I'm wondering why it hasn't been implemented off the shelf in
some of the newer equipment. This is not to say "huge backbones" should
have it, but think about it, if smaller networks implemented it from the
rip, the overhead wouldn't hurt that many of the bigger guys. On the
contrary, my theory is it would save them headaches in the long run...
Guess that's a pragmatic approach. Better that than an immediate
pessimistic one.





Re: Nato warns of strike against cyber attackers

2010-06-08 Thread J. Oquendo
Jorge Amodio wrote:
>> None of this needs to be done for free.  There needs to be a "security
>> fee" charged _all_ customers, which would fund the abuse desk.
>> 
>
>   
>> With more than 100,000,000 compromised computers out there, it's really
>> time for us to step up to the plate, and make this happen.
>> 
>
> Or you should send the bill to the company that created the software
> that facilitated to get so many computers compromised, some folks in
> Redmond have a large chunk of money on the bank.
>
> My .02
>
>
>   
Seems like it's come full circle again
(http://irbs.net/internet/nanog/0412/0109.html) and I can always recall
Rob Thomas' take on this (http://irbs.net/internet/nanog/0412/0222.html)
"Filtering out bogons removes yet one more potential source of badness.
Does it remove all badness? Of course not. We win by degrees. Removing
any tool from the bad persons' toolkit is useful." Not forgetting Mark
Andrews "Any operator not implementing BCP 38 is potentially aiding and
abetting some criminal. BCP 38 is over 10 years old. There is no excuse
for not having equipment in place to handle the processing needs of BCP 38."

ISP's could actually offset the charges to customers with helpdesks to
recoup some equipment costs while maintaining a clean network. As for
the "blame the software" comment, irrelevant. If bad hosts were
minimized, there would likely be fewer compromises irrespective of the
vendor of the software. Statistically I would think the number of
compromises would go down but at the same time I believe the criminals
would get smarter. That's just the nature of the beast.

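The hping lines in the first post of this thread are exactly what BCP 38 ingress filtering is meant to stop: a packet leaving a customer port with a source address that is not routed back to that port. Since the thread asks how many networks actually have "38/84 filtering" in practice, here is an added example (not from the thread and not any vendor's implementation) that models both ways of doing it in Python: a unicast RPF check against a toy forwarding table in strict and loose mode, and the equivalent static ingress ACL generated from the same table. The routing table, interface names and prefixes are constructed, and the generated rules assume a Linux router running iptables. On Cisco the two modes correspond to ip verify unicast source reachable-via rx (strict) and reachable-via any (loose).

```python
import ipaddress


class Fib:
    """Toy forwarding table: (prefix, outgoing interface) with longest-prefix match."""

    def __init__(self, routes):
        self.routes = sorted(
            ((ipaddress.ip_network(prefix), iface) for prefix, iface in routes),
            key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr, allow_default=True):
        a = ipaddress.ip_address(addr)
        for net, iface in self.routes:
            if net.prefixlen == 0 and not allow_default:
                continue
            if a in net:
                return net, iface
        return None


def urpf_check(fib, src, in_iface, mode="strict", allow_default=False):
    """True if a packet from `src` arriving on `in_iface` passes unicast RPF.
    strict: the best route back to src must leave via in_iface (right for
            single-homed customer ports).
    loose:  any route to src suffices; stops bogons and unallocated space but
            not a customer spoofing a neighbouring customer's prefix.
    The default route is ignored unless allow_default is set, otherwise loose
    mode on a router holding 0.0.0.0/0 would pass everything."""
    hit = fib.lookup(src, allow_default)
    if hit is None:
        return False
    _, out_iface = hit
    return True if mode == "loose" else out_iface == in_iface


def bcp38_acl(fib, iface):
    """Static BCP 38 ingress filter for a customer port: permit only the sources
    routed back via that port, drop everything else (iptables form, assumed)."""
    nets = [str(net) for net, i in fib.routes if i == iface and net.prefixlen > 0]
    rules = [f"iptables -A FORWARD -i {iface} -s {n} -j ACCEPT" for n in nets]
    rules.append(f"iptables -A FORWARD -i {iface} -j DROP")
    return rules


# Constructed routing table: two single-homed customers and a transit port.
ROUTES = [("198.51.100.0/24", "cust1"), ("203.0.113.0/24", "cust2"), ("0.0.0.0/0", "transit")]
FIB = Fib(ROUTES)


if __name__ == "__main__":
    # The two addresses forged by the hping lines in the post, plus cust1's own
    # prefix and a neighbouring customer's, all as seen arriving on cust1.
    for src in ("62.220.119.62", "62.128.58.180", "198.51.100.7", "203.0.113.5"):
        print(f"{src:16} strict={urpf_check(FIB, src, 'cust1')!s:5} "
              f"loose={urpf_check(FIB, src, 'cust1', 'loose')}")
    print("\n".join(bcp38_acl(FIB, "cust1")))
```

The 203.0.113.5 case is the one to look at: loose mode lets it through on cust1 because a route exists somewhere, strict mode and the static ACL both drop it. That gap is why strict mode (or the static filter) belongs on customer edges and loose mode is only a fallback for multihomed ports where strict would break asymmetric routing.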




Re: Nato warns of strike against cyber attackers

2010-06-08 Thread J. Oquendo
Brielle Bruns wrote:
> Problem is, there's no financial penalties for providers who ignore
> abuse coming from their network.
>
> DNSbl lists work only because after a while, providers can't ignore
> their customer complaints and exodus when they dig deep into the
> bottom line.
>
> We've got several large scale IP blocks in place in the AHBL due to
> this exact problem - providers know there's abuse going on, they won't
> terminate the customers or deal with it, because they are more then
> happy to take money.
>
> Legit customers get caught in the cross-fire, and they suffer - but at
> the same time, those legit customers are the only ones that will be
> able to force a change on said provider.
>
> They contact us, and act all innocent, and tell people we're being
> unreasonable, neglecting to tell people at the same time that the
> 'unreasonable' DNSbl maintainer only wants for them to do a simple
> task that thousands of other providers and administrators have done
> before.
>
I know it's akin to Apples and Oranges but maybe a "network forfeiture"
(http://www.lectlaw.com/def/f054.htm) clause be drafted. Surely there
should be no outcry for stating: "If your network is dirty, its gone
including all your equipment" I wonder how fast some network operators
would have their networks. Again, re-visiting re-hashed threads:
http://www.mail-archive.com/na...@merit.edu/msg50472.html
Surely a vast majority have to be tired of the garbage coming from your own
networks and others. I can tell you I'm tired of my phone ringing
because some tollfraudster keeps thinking he's making uber calls when
he's stuck in one of my honeypots.






Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]

2010-06-09 Thread J. Oquendo
Larry Sheldon wrote:
> On 6/9/2010 10:58, Owen DeLong wrote:
>
>   
>>> What happened to the acronyms "AUP" and "TOS"?
>>>
>>>   
>> I'm not sure what you mean by that.  I'm talking about an ISPs liability to
>> third party victims, not to their customers.
>> 
>
> "Acceptable Use Policy" and "Terms of Service"
>   
>> AUP/TOS are between the ISP and their customer.
>> 
>
> Very good.  Does that provide an answer to the earlier question about
> "what is a provider to do?" when a customer misbehaves?  Does that
> provide a method for assigning liability?
>
> I am not a lawyer, but it doesn't seem a stretch to me to include, in
> this context, traffic from peers and transit providers.
>   

"Acceptable Use Policy" and "Terms of Service"

Imagine for a moment you're speeding... You get pulled over, get off
with a warning. Phew! You speed again, get pulled over again, you get a
warning. How long will it be before you just outright ignore the law and
speed simply because you know all you will get is a warning. AUP's and
TOS' mean little if they're not enforced and I theorize that they're not
enforced perhaps because a company's staff is likely to be overwhelmed
or underclued as to how to proceed past a generic: "Thou shall not spew
dirty traffic in my network or else..." Or else what? You're going to
flood their inbox with "Thou shall not" messages?

In the case of Mr. Amodio and I believe Owen griping about insecure
software, I offer you this analogy...

You buy a car and as you're driving along a message comes into the
dashboard: "Car Update needed, to fix A/C" you ignore it. Don't update
it who cares, you're driving smoothly. Another alert comes into the car
dashboard: "Critical alert, your brakes need this patch"... You ignore
it and drive along. 5-10 years later the car manufacturer EOL's the car
and support for it. You crash... Who is to blame, the car manufacturer
or you for not applying the updates. Granted the manufacturer could have
given you a better product, the fact remains, it is what it is.

Don't blame the software vendors blame oneself. I've seen even the most
savvy users using OS' *other* than Windows get compromised. I performed
an incident response about 8 months ago... 42 machines 41 Linux, 1
Windows... Guess what, all the Linux boxes running Apache were
compromised. They were running vulnerable software on them (Wordpress,
etc). So to compare Apples and Oranges (Windows versus another) is
pointless.






Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]

2010-06-09 Thread J. Oquendo
Jorge Amodio wrote:
> Unfortunately in the software industry you get (when you do, not
> always) the alert and the patch after the fact, ie the exploit has
> been already out there and your machine may probably have been already
> compromised.
>
> I never seen any operating system coming with a sign saying "Use at
> your own risk", why when I buy a piece of software I have to assume it
> to be insecure, and why I have to spend extra money on a recurring
> basis to make it less insecure, when there is no guarantee whatsoever
> that after maintenance, upgrades, patches and extra money my system
> will not get compromised because a moron forgot to include a term
> inside an if before compiling.
>
> Insecurity and exploitable software is a huge business. I don't expect
> software to be 100% safe or correct, but some of the holes and issues
> are derived form bad quality stuff and as car manufacturers the
> software producers should have a recall/replacement program at their
> own cost.
>
> My .02
> Jorge
>   

Again, apples and oranges to a degree. Car owners don't receive a "use
at your own risk" disclaimer either. Yet some Toyota owners faced
horrifying instances of "subpar" prechecks. GM recalled a million or so
cars and the list will always go on and on. Mistakes happen period and
when mistakes DON'T happen Murphy's Law does. I can speak for any
software vendor but I can speak about insecurity and exploitability of
software. That too is what it is from any standpoint be it anywhere in
Redmond to any other location. Look at Sun's horrible misstep with telnet:

  Highlights

  The Solaris 10 Operating System, the most secure OS on the planet,
  provides security features previously only found in Sun's military-grade
  Trusted Solaris OS.

Really?
http://blogs.securiteam.com/index.php/archives/814

9 Vulnerabilities for Microsoft *ANYTHING* of the first 60 published.
But again, this is irrelevant. I don't care for any operating system
anymore. I care for the one that accomplishes what I need to do at any
given time. Be it Linux, Windows, BSD, Solaris heck get me plan9 with
Rio, I could care less. However, myself as an end user, I'm the one
responsible for my machine as I am the one running it. If I find it to
be insecure or "virus/trojan/malware/exploitability" prone, there is no
one shoving it down my throat. Even if I didn't know any better. So for
those who are unaware of what's going on, how difficult would it be to
create a function within an ISP tasked with keeping a network structured
to avoid allowing OUTBOUND malicious traffic.

We could argue about: "But that would be snooping" where I could always
point out that a NAC could be set up prior to allowing a client to
connect. Can anyone honestly tell me that one of their clients would be
upset slash disturbed slash alarmed about an ISP protecting them (the
customer) as well as other "neighbors" (customers)? That's like saying:
"Oh they set up a neighborhood watch association... and they're watching
over my house when I'm not home or capable of watching all sides of my
house... HOW DARE THEY!" Sorry I can't picture that happening. What I
picture is fear and people dragging their feet.

I can tell you what though, for the first company to pick up on that
framework, I can guarantee you the turnover rate wouldn't be as high as
say being on a network where now the business connection is lagged
because of spam, botnets and other oddities that could have been prevented.






Re: Nato warns of strike against cyber attackers

2010-06-10 Thread J. Oquendo
Tim Franklin wrote:
> and another checklist with a magic acronym that has everything to do
> with security theatre and nothing to do with either actual security or
> the reality of operating a network.
Checklists come in handy; in fact, if many were followed (BCP checklists,
appropriate industry standard fw, system rules) the net would be a
cleaner place. What I've seen by many responses are feet dragging: "Ah
why bother it won't do nothing to stop it..." Without even trying. It
all begins with one's own network. The entire concept of peering was
built on trust of the peer. Would you knowingly allow someone to share
your hallway without taking precautionary measures or at least a
vigilant eye. What happens when you see something out of the norm, do
you continue to allow them without saying anything waiting for your
neighbor to speak. In doing so, how can you be assured the individual
won't try to creep up on your property.

// JC Dill wrote:

Yes, ISPs are going to have to "handle" the problem.  But, IMHO the root
cause of the problem starts in Redmond, and ISPs should sue Redmond for
the lack of suitable security in their product, rendering it an
attractive nuisance and requiring ISPs to clean up after Redmond's
mess.  It's not fair to expect ISPs to shoulder this burden, and it's
not fair to pass on the cost to customers as a blanket surcharge (and it
won't work from a business standpoint) as not all customer use
Microsoft's virus-vector software.  And it's not really fair to expect
the end customer to shoulder this burden when it's Microsoft's fault for
failing to properly secure their software.  But end user customers don't
have the resources to sue Microsoft, and then there's that whole EULA
problem. 

ISPs who are NOT a party to the EULA between Microsoft and the user, but
who are impacted by Microsoft's shoddy security can (IMHO) make a valid
claim that Microsoft created an attractive nuisance (improperly secured
software), and should be held accountable for the vandal's use thereof,
used to access and steal resources (bandwidth, etc.) from the ISP thru
the ISP's customers infested Windows computer.
//

More finger pointing here. Should MS now sue Adobe for shoddy coding
because Adobe's PDF reader caused a compromise (improperly secured
software)? Let's take it from the top down for a moment and focus on
what is going on. Operating systems are insecure; it doesn't matter if it
was produced by a company in Redmond or hacked together on IRC. ANY
operating system that is in an attacking state (dishing out malware,
attacking other machines) is doing so via a network. If slash when you
see it, do you shrug it off and say "not my problem, it's because of
someone's lack of oversight in Redmond" when you have the capability to
stop it?

ISPs don't "have to" handle the problem, they SHOULD handle the problem.


-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E




GoGrid ... Going once... Going twice...

2010-06-23 Thread J. Oquendo

After trying the usual channels (abuse@, security@) and LinkedIn, I
decided to ask if anyone here has a security point of contact or network
point of contact at GoGrid. Apologies for the low-level offtopic post.





Go Grid take two

2010-06-23 Thread J. Oquendo

Thanks to all who responded, I was put in contact with someone.
Apologies for the news. "We now return to our irregularly scheduled
(de)programming."





Re: U.S. Plans Cyber Shield for Utilities, Companies

2010-07-08 Thread J. Oquendo
Michael Painter wrote:
>
> Have we all gone mad?
> I find it hard to understand that a nuclear power plant, air-traffic
> control network, or electrical grid would be 'linked' to the Internet
> in the interest of 'efficiency'.  Air gap them all and let them apply
> for "Inefficiency Relief" from the $100 million relief fund.

What's hard to understand about mobility? Sure, the HMI, RTUs, etc. are
NOT connected to the public Internet; however, they ARE networked. All a
company needs is one client side attack to give an outsider the same
level of access as an insider and it's checkmate.

@Jared's TSP link... Wonder how this will affect VoIP ITSPs et al., e.g.,
how many local NS/EPs have swapped over to VoIP. Logically, anyone with
a network running a managed VoIP service, trunk, etc., could qualify.

@Fiber splicing ... Let the NSA handle this
(http://www.zdnet.com/news/spy-agency-taps-into-undersea-cable/115877)






Re: U.S. Plans Cyber Shield for Utilities, Companies

2010-07-08 Thread J. Oquendo
Brandon Ross wrote:
>
> Do people really think the guy in the airport control tower is really
> surfing Facebook while he's controlling aircraft on the same computer, or
> that capability is even what is under consideration?
>
"Air traffic controller suspended for allowing son to radio instructions
to pilots at New York's Kennedy Airport"
http://www.dallasnews.com/sharedcontent/dws/dn/latestnews/stories/030410dnnatairtraffic.170a785b7.html

"Air traffic controller suspended, was chatting on phone with girlfriend
during Hudson River crash"
http://www.nydailynews.com/ny_local/2009/08/13/2009-08-13_air_traffic_controller__on_phone_with_girlfriend__an_supervisor_suspended_over_h.html

Huh? ... Scary isn't it: "Pilots were working on laptops when plane
overflew Minneapolis destination"
http://www.japantoday.com/category/world/view/wayward-pilots-were-working-on-their-laptops-when-plane-overflew-minneapolis-destination

There is that capability; however, you may be looking at it from a
different perspective. It's easy enough to plop open an iPhone for
Internet usage. I'm almost positive there are no "smart phone" policies
in an Air Traffic Control tower.





Re: navog?

2009-05-28 Thread J. Oquendo
david hiers wrote:
> Hi,
> Is anyone aware of a voip-focused group similar to nanog?  Us voip pukes
> have to deal with the issues of allocation, routing, and management of phone
> numbers as well as networks, and I have not found a voice operators' group
> similar to this network operators' group.
>
>
> Thanks,
>
> David
>   
Would kind of be difficult to maintain such a group. Which level of VoIP are
you talking about, the carrier end or the engineer end? Think about that for a
moment. For the most part, for issues regarding connectivity, VoIP is no
different than email is. Networks will be networks, VoIP will go down, life
goes on. Resolution can be found either directly through your vendor/carrier
or you can get a best guesstimate of an outage from the outages list or
someone here shooting off a "Are Cogent and Level3 chest thumping again?"
message.

On the other hand, I don't know that I'd want to see a multitude of messages
from someone saying "My trixbox dialplan doesn't work!" or, (broken English
purposely inserted) "Why my Cisco Call Manager is tell me to partition! I does
not want to format my disk! Please is you help!" There are lists out there but
each has its pros and cons: VoIPSA (VoIP Security), Cisco VoIP for Cisco
related telephony, Digium mailing lists, etc. Something akin to NANOG for
VoIP would quickly become filled with "WTH is he/she saying" like messages.

Sadly, most of my cisco-voip and asterisk-users mail has been ending up in
the trash via filter. I wonder if my email client knows something I don't.

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E




Re: navog?

2009-05-28 Thread J. Oquendo
Jared Mauch wrote:
>
> On May 28, 2009, at 10:16 AM, J. Oquendo wrote:
>
>> david hiers wrote:
>>> Hi,
>>> Is anyone aware of a voip-focused group similar to nanog?  Us voip
>>> pukes
>>> have to deal with the issues of allocation, routing, and management
>>> of phone
>>> numbers as well as networks, and I have not found a voice operators'
>>> group
>>> similar to this network operators' group.
>>>
>>>
>>> Thanks,
>>>
>>> David
>>>
>> On the other hand, I don't know that I'd want to see a multitude of
>> messages
>> from someone saying "My trixbox dialplan doesn't work!" or, (broken
>> english
>> purposely inserted) "Why my Cisco Call Manager is tell me to partition!
>
> Actually, there is a quite active cisco-voip list over on puck
> that discusses exactly the CM issues you refer to.  (I diverted
> everyone to that list to keep it off c-nsp and it seems to have grown
> since).
>
> - Jared
>
> http://puck.nether.net/mailman/listinfo/cisco-voip
>
(removed cc's to avoid sending dupes)

Agreed, I browse through some of the stuff there and indeed it works
for cisco telephony matters. Cisco staff has provided some really
good guidance on matters there, as have Digium staffers for Asterisk's
mailing list. But I can't really envision an "all inclusive" VoIP list with
regards to the carrier end, equipment end, programming end, etc.
Heaven knows I would have liked to discuss Nortel and Avaya matters
countless times but then those conversations would have actually
ended up shifting towards SIP in which to a degree, they wouldn't
have even had anything to do with the vendors at all. So I view it
as a tough call.

Anyhow, perhaps links should be included:

http://voipsa.org/VOIPSEC/ (VoIPSA - VoIP Security related)
http://puck.nether.net/mailman/listinfo/cisco-voip (Cisco VoIP related)
http://lists.digium.com/mailman/listinfo/asterisk-users (Asterisk Users)
http://groups.yahoo.com/group/sip-config (SIP Config (mainly spam now))
http://sipforum.org/pipermail/discussion/index.html (SIP forum)





Re: YES I'VE TRIED MANY VENUES looking for mail admin @ nist.gov

2009-07-10 Thread J. Oquendo
Ken Fischer wrote:
> Try 301-975-5375
>
> -Ken
>   

Oy to automation

"Thank you for calling NIST please listen as our menu options have changed.
For Sales press 1
For Customer Support press 2
For IT related issues press 3
"

(press 3) - rerouted to an APNIC block (outsourced!):

"Velcome is here to en eye esh tee dish is  John"
"I'm having trouble with mail.."
"vell have you tried reboot?"
"vat vershun of vindows are you use?"

*ducks







Re: Happy Sysadmin Day

2009-07-31 Thread J. Oquendo
Andrew Euell wrote:
> Happy Sysadmin Day nanog'ers. Thank you for keeping the internet running!
> http://www.sysadminday.com/
>
>   
Keeping the Internet running? You mean as in the flakiness of what is
happening with portions of Level3 right at this moment?






Amazon's EC2 Security contact

2009-10-20 Thread J. Oquendo

Hey all, apologies for shooting this on this list, but I've had greater
success here.

Anyone have a SECURITY contact for "Amazon Web Services, Elastic Compute
Cloud, EC2" outside of the typical: whois -h whois.arin.net
$THEIRSPACE|grep "@"

I'm looking at a delicate situation here and would appreciate any
OOB/non-tech-sup-spool-box contact.





Re: news from Google

2009-12-03 Thread J. Oquendo
Deepak Jain wrote:
> I think there are amazing opportunities to data mine and prevent fraud if you 
> can get a percentage of your users using this. 
>
> I'm really excited about the structured attacks that will be run against this 
> thing (cache poisoning... and nastier)... if (for example) when their (or 
> someone's) toolbar is installed, they ask if you'd like to use their 
> "improved" dns service [perhaps they have the whole universe cached to reduce 
> lookup times]. You'd sign up.
>   

I agree in a role-reversal method. I think there are amazing methods to
study the correlation and statistical rate of criminal groups and how
they're amassing so much data making things nTimes easier to steal,
spoof and create more frauds. Thanks Google! In fact, because they'd now
have one more tool to work against them, it's only a matter of time
before they become smarter (those tinkerers!). That leaves forensics
experts with something to gripe about. Too much of a workload.

http://www.youtube.com/watch?v=pq3YdpB6N9M





Re: Advice requested

2007-05-29 Thread J. Oquendo

Matthew Black wrote:


What would you do if a major US computer security firm
attempted to hack your site's servers and networks?
Would you tell the company or let their experts figure
it out?

matthew black
network services
california state university, long beach


I'd contact the chiefs of the company in order to assess
what actually happened. Define attack. If it's an IP based
attack, it would be difficult to prove unless it was ongoing,
as spoofing could play a role. It could turn out to be
something as trivial as said company ending up with a
machine they own which was compromised and used as an
attack vector... I've seen it happen to a few companies.

Personally, I would seek out the CSO, Senior IT personnel,
and follow that route.

--
========
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 


"Wise men talk because they have something to say;
fools, because they have to say something." -- Plato






Breaking new laws by quarantining infected (l)users

2007-06-19 Thread J. Oquendo

Douglas Otis wrote:

Complacency permitting, and at times even promoting use of known 
defective products must end.  The era of combining scripts and active 
code along with every piece of information conveyed must end.  Unless 
the Internet industry responds effectively, legislators will likely
react in their own futile way.




According to a recent article on Wired:

/* SNIP */
It would make it unlawful for anyone to:

"...engage in unfair or deceptive acts or practices in connection
with specified conduct, including: (1) taking unsolicited control
of the computer; (2) modifying computer settings; (3) collecting
personally identifiable information [incl. using keystroke
loggers]; (4) inducing the owner or authorized user to disclose
personally identifiable information; (5) inducing the unsolicited
installation of computer software; and (6) removing or disabling
a security, anti-spyware, or anti-virus technology."

http://blog.wired.com/27bstroke6/2007/06/house_passes_an.html
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=110_cong_bills&docid=f:h964eh.txt.pdf
/* END SNIP */


Which leaves me wondering... Sometimes in order for someone to
actually install something helpful, one might at times have to
disable certain programs then re-enable them. Looking at the
broad term "modifying computer settings" and "disabling a
security..." one has to wonder whether an overzealous office
running politician would use such a broad law for political
purposes.

Politics aside, reality is reality. This law is beyond broad;
in fact, taken at face value, any ISP seeking to mitigate a
problem on their network may somewhere down the line break a
law. How can one argue they never "induced the authorized
owner to disclose their information" to someone, say, mitigating
security when that person threw them on a "cleanroom vlan"?

Trollishness aside, laws are almost always taken at face value
black and white until someone falls victim to an insanely dumb
law and fights back. I'd hate to be scapegoated as an individual
and would hate to see the business I'm working for get a bad
rap for some congressperson's lack of understanding and zeal to
gain higher power.



Re: Problems with either Cisco.com or AT&T? [POWER UPDATE]

2007-08-08 Thread J. Oquendo
http://infiltrated.net/ciscoOutage.jpg


-- 

J. Oquendo
"Excusatio non petita, accusatio manifesta"

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net





Re: ONS - The few the proud ... the sleeping

2007-08-16 Thread J. Oquendo
Stephen Wilcox wrote:

> 
> Given that the fastest edge connections (outside of Peter Lothbergs bathroom) 
> are 10Gb this traffic can easily be directed to take out multiple parts of a 
> networks critical connectivity.

(removed annoying cc's)

Well I was actually hoping Mrs. Lothberg would be the next
MAE-Scandinavia backbone provider. Do the math (anyone):

// SNIP

“The number of unique, infected hosts (bots), from which the attack is
being launched by email, has also increased dramatically,” said Stewart.
“They went from 2,815 in the beginning of 2007 through the end of May to
a total of 1.7 million for the months of June and July.”

http://www.darkreading.com/document.asp?doc_id=130745

// END SNIP

Let's say it's exaggerated and say this botnet is 1/4 of this size:
425,000 hosts waiting for a C&C dumbarse to launch a command. Something
simple, ping... 64bytes * 425,000 hosts = 25MB ... ping -s 128 or higher?
A GET|HEAD|POST|etc would kill my server before the majority of traffic
even eked its way through. Bad scenario ... Cause a flap between two
heavy peers (see Randy Bush's take on dampening/flapping). I could see
this becoming a problem no matter what you think you can throw at it.

Somewhere, someone down the line, will have something a bit
misconfigured/*oops I forgot to place tcp intercept here*/etc and will
cause some "could have been avoided if one woke up and smelled the
coffee" scenario which will cause a major outage. Poop happens when you
let it, so why not open one's eyes now and be alert/aware of what's out
there and make sure solutions are in place before it's too late.

Then again, I wonder what, outside of massive filtering on FWSMs, one can
do in a situation like this. It's not like these are spoofed connections
which something like tcp intercept would be able to mitigate against.
RFC1918 filtering... Useless. Different story if there was filtering on
the provider side that says "Hey gee... This botnet that's 1.7 million
strong is connecting on port x, let me take a pre-emptive strike and
monitor this."

http://atlas.arbor.net/

+207.0 % Slammer variant as of yesterday... School is what, one, two weeks
away. Synonymous with all sorts of new improved crap... I can't for the
life of me figure out why some of the best engineers in the world who
are on this and other networking lists shrug these things off. Makes me
wonder who profits via bandwidth sales from this. Someone obviously will,
irrespective of how rude or condescending it sounds.





Cisco outage

2007-11-26 Thread J. Oquendo

In re: previous post

http://www.news.com/8301-10784_3-9823196-7.html

So much for self healing networks eh

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

echo c2lsQGluZmlsdHJhdGVkLm5ldAo=|\
python -c "import sys; print sys.stdin.read().decode('base64')"

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E



Re: Cisco outage

2007-11-27 Thread J. Oquendo

Martin Hannigan wrote:

> Can someone please indirectly email Mr. Oquendo and advise him that we
> would like to have a word with him? He seems to have blocked Google
> and has made us unable to have a chat.

Blocked Google? Strange I got this message. But since you wanted to
direct this back to the list when I responded to you, let me level
the playing ground and post my direct response to you. Since after
all I did follow procedures and leave it off the list.

// BEGIN
> Date: Mon, 26 Nov 2007 17:50:24 -0600
> From: "J. Oquendo" <[EMAIL PROTECTED]>
> To: Martin Hannigan <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: Cisco outage
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=us-ascii

> Martin Hannigan wrote:

>> We don't mind seeing reports on important parts of the overall
>> critical infrastructure being impacted, but we could probably do
>> without the off-topic remark that seems to be inaccurate as well. This


> I've made four posts in about three months... Is this a targeted
> "shut up" http://www.merit.edu/mail.archives/nanog/

>> In the future, please help us to make sure NANOG is operational by
>> being on topic -- and accurate -- wherenever posting.

> The link was/is relevant, comment is just a comment. Should I in
> turn complain about someone's signatures? Take a look at my four
> posts. They're comments and they're all relevant to someone else's
> comment as are everyone's comments and responses.

> How many posts have I made? 12 in seven months...
> http://www.merit.edu/mail.archives/nanog/index2.html

>>
>> http://www.news.com/8301-10784_3-9823196-7.html
>>
>> So much for self healing networks eh

> Something personal you have to say, say it. But bitching and
> whining about me being off topic according to your personal
> taste and you'd have a hell of a lot of bitching to do about
> a hell of a lot of other people.
// END

> Hopefully, this won't bounce like our private message did. We'll be
> forced to throw him off the list, sadly.

Now to be on topic, you state I bounced mail from Gmail?
Why didn't you include the SMTP error, I'd be curious to see
where I blocked it to correct it.

sudo grep -i hanni /var/log/maillog
Nov 27 00:01:14 kryptonite postfix/qmgr[81759]: D5BB73F420: from=<[EMAIL PROTECTED]>, size=2582, nrcpt=1 (queue active)
Nov 27 00:01:15 kryptonite postfix/pickup[73054]: 675043F43F: uid=1006 from=<[EMAIL PROTECTED]>
Nov 27 00:01:15 kryptonite postfix/qmgr[81759]: 675043F43F: from=<[EMAIL PROTECTED]>, size=2878, nrcpt=1 (queue active)
Nov 27 00:01:15 kryptonite postfix/qmgr[81759]: 763723F443: from=<[EMAIL PROTECTED]>, size=3061, nrcpt=1 (queue active)
Nov 27 00:01:36 kryptonite postfix/qmgr[81759]: CA1DB3F445: from=<[EMAIL PROTECTED]>, size=2544, nrcpt=1 (queue active)
Nov 27 00:01:37 kryptonite postfix/pickup[73054]: 2815A3F449: uid=1006 from=<[EMAIL PROTECTED]>
Nov 27 00:01:37 kryptonite postfix/qmgr[81759]: 2815A3F449: from=<[EMAIL PROTECTED]>, size=2840, nrcpt=1 (queue active)
Nov 27 00:01:37 kryptonite postfix/qmgr[81759]: 470EA3F44B: from=<[EMAIL PROTECTED]>, size=3023, nrcpt=1 (queue active)

Funny, I don't see a rejection from me to you. If there
were, though, how does a private domain come into a NANOG
thread? It's not like Infiltrated is an ISP, NSP, NAP or
any other peer or provider.

So again I ask you to look at my postings for the last
6 or 7 months where my responses are minimal. Operational
you state? Was this something akin to me posting about
Botnets but operators stating that 10gigs of malware
laced traffic is not operational?

J. Oquendo
SIGNATURE REMOVED TO AVOID BREAKING POLICY
http://www.infiltrated.net/nanogpolice.jpg

- End forwarded message -

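The maillog check in the post above (grep for a name, then read the queue lines by eye) is the right instinct, but a Postfix message is spread over several log lines: the qmgr line carries from=, the delivery line only carries to= and the status, and an SMTP-time reject never gets a queue id at all (it is logged as NOQUEUE). As an added example, not part of the original post or of anything a NANOG participant wrote, here is a small Python script that does the same triage systematically by joining those lines per queue id and flagging rejects, bounces and deferrals. The host name, queue ids and addresses in SAMPLE_LOG are constructed to mimic the format shown in the post; they are not real traffic.

```python
"""Triage Postfix mail logs for one correspondent.

Added example, not from the original post or from any NANOG participant.
It answers "did my server reject that person's mail?" from log evidence:
every queue id whose from=/to= addresses mention the correspondent is
collected, and any reject, bounce or deferral among those records is
flagged. Queue ids, host name and addresses in SAMPLE_LOG are constructed
to mimic the post's log format; they are not real traffic.
"""
import re
from collections import defaultdict

# Constructed sample: one accepted-and-delivered message, one SMTP-time
# reject (no queue id, so Postfix logs it as NOQUEUE), one bounced delivery.
SAMPLE_LOG = """\
Nov 27 00:01:14 kryptonite postfix/qmgr[81759]: D5BB73F420: from=<hannigan@example.net>, size=2582, nrcpt=1 (queue active)
Nov 27 00:01:15 kryptonite postfix/local[81801]: D5BB73F420: to=<sil@example.org>, relay=local, delay=0.4, status=sent (delivered to mailbox)
Nov 27 00:02:03 kryptonite postfix/smtpd[81900]: NOQUEUE: reject: RCPT from mail-x.example.net[192.0.2.10]: 554 5.7.1 <hannigan@example.net>: Sender address rejected: Access denied; from=<hannigan@example.net> to=<sil@example.org> proto=ESMTP helo=<mail-x.example.net>
Nov 27 00:03:40 kryptonite postfix/qmgr[81759]: 675043F43F: from=<other@example.com>, size=2878, nrcpt=1 (queue active)
Nov 27 00:03:41 kryptonite postfix/smtp[81802]: 675043F43F: to=<someone@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=1.2, status=bounced (host said: 550 5.1.1 User unknown)
"""

# Delivery statuses that mean the mail did not get through (or not yet).
FAILING = {"rejected", "bounced", "deferred"}

# "postfix/<program>[pid]: <queue id or NOQUEUE>: <rest of record>"
RECORD_RE = re.compile(
    r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]+|NOQUEUE): (?P<rest>.*)")
ADDR_RE = re.compile(r"(?:from|to)=<(?P<addr>[^>]*)>")
STATUS_RE = re.compile(r"status=(?P<status>\w+)")


def parse_line(line):
    """Parse one syslog line into a dict, or None if it is not a queue record."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    sm = STATUS_RE.search(rest)
    if sm:
        status = sm.group("status")          # sent / bounced / deferred ...
    elif rest.startswith("reject:"):
        status = "rejected"                  # smtpd refused it before queueing
    else:
        status = None                        # qmgr/pickup bookkeeping line
    return {
        "prog": m.group("prog"),
        "qid": m.group("qid"),
        "addrs": [a.lower() for a in ADDR_RE.findall(rest)],
        "status": status,
        "raw": line,
    }


def triage(log_text, needle):
    """Return (events, problems) for a correspondent.

    events: every parsed record belonging to a queue id whose addresses
    contain `needle` (case-insensitive substring), plus NOQUEUE rejects
    naming it; problems: the subset whose status is in FAILING.
    """
    needle = needle.lower()
    records = [r for r in map(parse_line, log_text.splitlines()) if r]

    # First pass: gather every address seen for each queue id, because the
    # qmgr line carries from= while the delivery line only carries to=.
    by_qid = defaultdict(set)
    for r in records:
        if r["qid"] != "NOQUEUE":
            by_qid[r["qid"]].update(r["addrs"])

    def related(r):
        addrs = r["addrs"] if r["qid"] == "NOQUEUE" else by_qid[r["qid"]]
        return any(needle in a for a in addrs)

    events = [r for r in records if related(r)]
    problems = [r for r in events if r["status"] in FAILING]
    return events, problems


if __name__ == "__main__":
    for who in ("hannigan", "other@example.com"):
        events, problems = triage(SAMPLE_LOG, who)
        verdict = "PROBLEM" if problems else "no rejection/bounce found"
        print(f"{who}: {len(events)} records, {verdict}")
        for p in problems:
            print("   ", p["prog"], p["qid"], p["status"], "--", p["raw"][:90])
```

Run against a real maillog (`triage(open("/var/log/maillog").read(), "name")`), the per-queue-id join is what turns "I don't see a rejection" into a checkable statement: a grep for the sender alone only ever finds the qmgr line, never the later status line or a NOQUEUE reject that names the address only in the SMTP dialogue.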



Re: IBM report reviews Internet crime

2008-02-12 Thread J. Oquendo

[EMAIL PROTECTED] wrote: (removed cc)


I was actually targeting this suggestion to those who
currently distribute Internet Explorer kits. So it was
more of a suggestion to not distribute the browser that
is most vulnerable. And if you make installation of
Firefox a requirement to come out of quarantine, that
does not imply that people need to uninstall their other
browsers. This is to give them the experience of something
new knowing that a certain percentage will continue using
it and not be reinfected. And reducing reinfections cuts
your costs of detection and blocking compromised PCs.


Then what about antivirus and antispyware? Why should one be favored
over the other? How many providers are suggesting this? It has an
outside view of product favoritism. Perhaps the marketing teams could
suggest a few free ones, e.g. Avast, AVG, Ad-Aware. There is the potential
to clean up a lot of the trash that comes in and out of the network but
then what? I could see ISPs' call centers screening "I just installed
AVG but I can't get it to work". Same goes for Firefox or any other
product. Do you then look to support these?


I agree wholeheartedly that ISPs should step up to the plate
considering their own resources are being abused and have the potential
for some serious damage (imagine 70% of Cox, Comcast, TW being botnets
aimed at your network). Sadly, this will be argued for a few more posts
then deemed offtopic to be re-argued and unevaluated in the future.



--
========
J. Oquendo

SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E





Re: Hauling gear around a NANOG meeting

2008-05-22 Thread J. Oquendo


Chris McDonald wrote:

| a glock 27 takes the same magazine as a glock 22. that's good nyc
knowledge.

|> Heheh. Good tip. Where do we get our shields on Sunday? :)

Nothing to be afraid of in NYC especially with NANOG coming to town
http://www.infiltrated.net/spx/swat-team-posing.jpg




Re: NANOG NYC Event

2008-05-31 Thread J. Oquendo


Christopher Morrow wrote:
| On Sat, May 31, 2008 at 12:36 PM, Rod Beck
| <[EMAIL PROTECTED]> wrote:
|
|> Do not take taxis in New York. The subway is much faster and cheaper.
|
| 'you may consider that the NYC metro system is fairly cheap, fairly
| ubiquitous... Taxi's are relatively expensive in the city, though nice
| for certain places which maybe more of a gymnastics event on the
| metro'
|
| (the taxi system in nyc isn't too horrid, though it is pricey, which I
| think was Rod's main objection... plus if you taxi you miss out on the
| other famous NYC attraction, the giant metro rats! :) )
|
|

If you're not from NYC and or aren't familiar with certain places be
advised that taxi drivers can *mistakenly* get lost resulting in you
paying a high bill.

Tips on getting around:

* East and West start on 5th Avenue
When you're on a numbered STREET (not Avenue) the divider between East and
West is Fifth Avenue. The numbers work themselves from there on. So for
example, if you needed to get to say 12 E57th Street, this will be
between 5th and Madison Avenue. 400 E57th will likely be down near 2nd
and 3rd Avenue. Numbers head higher in opposite directions: 1 West
Whatever Street will be on the West side of 5th Avenue and vice
versa, 1 East will be across from 1 West ;)

* Good eating:
Chinese is best (opinion) around Mott Street and Canal. I've always
stayed away from places directly on Canal Street. Best method to get
around here via subway, 4 or 5 train from Brooklyn to City Hall,
transfer to the 6 train one stop.

Italian: Anywhere in Little Italy is usually good. Mulberry Street has
some pretty good restaurants. Dress is usually casual for most places.

Nightlife: Depending on your genre, see if you can pick up a copy of
"Village Voice" usually free in the city (Manhattan for non NYers).
Towards the end of the page, they usually post all sorts of clubs, dance
spots, bars, etc..

Unsure of NANOG's dates (too lazy to read) - if it ends up going on
through next Sunday or even begins then, some may want to keep away from
the city or at least the midtown area as the Puerto Rican Day Parade is
in the city. Usually crowded, and getting around the city via the
train is a headache.

NY'er tips... After certain hours, say 11pm-ish, when taking any of the
subways (if you do), you generally want to stay in the car nearest the
conductor. You'll usually find the troublemakers near the end of the
cars. Same goes for the platforms. If you have to take a train late at
night, stay in a visible area (common sense).

Empire State Building... If you're going to visit, be aware they're
doing a slew of security checks so expect delays. Any entrance you come
in on, you'll end up getting in the line (tourist). Unsure about the
visitors heading to the top, but you'll usually be asked for photo ID
getting in the building (I was just there earlier this month).

Yankee Stadium: It's the B, D or 4 trains. 4 is generally fastest to
161st Street.

Shea Stadium, Tennis Center, Worlds Fair: 7 train. If you see a 7 train
in a diamond (not circle) jump on it. It's the express train and will get
you there faster.

Lest I forget... Good good good steak: Peter Luger's (overrated a bit
but some really good steaks).

Here is a link for bars, clubs, nightlife, etc., etc., for those who
don't pick up the paper:

http://www.villagevoice.com/bestof/2007/category/arts
http://www.villagevoice.com/bestof/2007/category/bars
http://www.villagevoice.com/bestof/2007/category/sports (browse through
not what you may think)

Hippest bars (noise, music, people factor) (opinion): Anywhere under
14th street (14-Delancey) on 2nd Avenue. You could head towards midtown
but they end up becoming.

Snootiest bars (snooty meaning stuck up, I make more money from my dad's
trust fund than you): 40s-60s circa 2nd and 3rd Avenue.

Anything goes bars: Usually in the East Village (Bowery)
Guess My Gender bars: Usually in the West Village

Cool place to get a bite to eat, be seen, hear some cool music, see some
cool people (think noisy): Caliente Cab Company.

Best place to throw away your money for lights, camera and crapaganda:
Times Square.

That's it for me. ;)



Re: NANOG NYC Event

2008-06-01 Thread J. Oquendo
On Sun, 01 Jun 2008, Brant I. Stevens wrote:

> 
> It's in Harlem.  BOOO!
> 

So is Columbia University!

Harlem is in the process of going through a
renaissance and has been over the past 10 or
more so things have changed for the better.
Just avoid going there after certain hours ;)

As for the prior Brooklyn comment, Park Slope
also has some great eats but the area/scene
tends to be sort of artsy. If you want to spend
some time sightseeing Brooklyn, the Brooklyn
Public Library (main one) Grand Army Plaza is
near the Brooklyn Botanic Gardens. Don't forget
Coney Island which has also changed in the last
decade. Again, watch those hours, NY is a Jekyll
and Hyde city. Nice sometimes, beautiful to visit
but can be insanely ugly.

The downtown Brooklyn area has some nice eats
but I've always preferred the city. In the area
of downtown Brooklyn, you'll typically find a
bunch of people in local government and lawyers
eating as the courts are downtown.

For those looking for sweets, don't forget the
ever famous (overhyped) Junior's Cheesecake.
If you've travelled to Coney Island then one
cannot forget Nathan's. There are some really
good pubs in the Red Hook section, but alas
again, going through certain neighborhoods is
not for everyone. You can jump on a Water Taxi
there for kicks though. Makes for nice pictures
at night.

Sightseeing: Jump on a boat at night (booze
cruise) $25.00
http://www.nywatertaxi.com/tours/happyhour/

Or just hop on an "On and Off" cruise:
http://www.nywatertaxi.com/hop/

$20.00

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA #579 (FW+VPN v4.1) SGFE #574 (FW+VPN v4.1)
CEH/CNDA, CHFI

"Experience hath shewn, that even under the best
forms (of government) those entrusted with power
have, in time, and by slow operations, perverted
it into tyranny." Thomas Jefferson

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB




Attn: Paul Vixie

2008-06-27 Thread J. Oquendo


Please shoot me an offlist email (sorry for the excess traffic list)





Covad VOA contact

2008-08-01 Thread J. Oquendo
Hey all sorry for the noise, can someone put me in
touch with someone with a clue @ Covad hopefully
on their VoA side. Attempting a resolution of
some circuits and don't care to escalate things
right now.






Re: Where to move the Intercage/Atrivo discussion (was: the Intercage mess)

2008-09-25 Thread J. Oquendo
ate a
solution for future potential problems. Perhaps a rotating
board of decision makers who would unbiasedly take a good
look at a situation and offer a variety of solutions in which
those solutions would need to be voted in (for lack of better
terms) by a vast majority without that vast majority whining:
"Oh shut up if you're not going to see things my way!" then
siding with friends and colleagues or peers out of pressure.

My unwanted two cents for the year.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, CNDA, CHFI, OSCP

"A good district attorney can indict a ham sandwich
if he wants to ... The accusations harm as much as
the convictions ... they're obviously harmful or it
wouldn't be news.." - John Carter

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB




Re: breadcrumbs and collusion

2008-09-25 Thread J. Oquendo
On Thu, 25 Sep 2008, [EMAIL PROTECTED] wrote:

> 
>  NANOG makes a fine archive of discoverable material in a court case
> intending to show collusion to drive folks out of business.
> 
>  One presumes that each ISP here has some form of AUP and rules on
> self-preservation roughly along the lines of "if there is material
> impact to my network or my customers, I can do whatever it takes to
> mitigate the traffic/intrusion".  One does not need to collaborate
> with others before enforcing your own AUP.
> 
> 
> --bill

If we were to stick to the rules: It should also, and very notably,
define what sanctions will be applied if a user breaks the AUP.
Compliance with this policy should, as usual, be measured by
regular audits.

However, AUPs aren't a definitive mandatory or regulatory control,
they're CYA (Cover Your Ass) based and have been known to be put
in place solely for that purpose. It IS your own backyard, but what
about the contractual agreements that can potentially be broken
when "oops I didn't know I was nullrouting that business because it
passes through that AS" occurs. Are you willing to simply say "it's
a matter of my opinion/judgement regardless if people like it or
not". What happens to that potential agreement.

I'm not siding with anyone here, I despise spammers, malware sites
as much as anyone else, but I think this process of "pull the plug"
needs to be reviewed fairly and accurately. Else how would you like
it if my attitude veered towards "Well gee, AS32042332498732 never
audited their network, now look at this filth, gee might as well
block them too" Since many would like to justify their argument
based on the "It's my party and I'll cry if I want to" theme, then
imagine the potential damage if everyone took this attitude. How
many networks would break?

Who here votes to cut off some major AS's? Everybody's Internet,
Rackspace maybe? I can give a list of some major organizations
as can others that flagrantly allow things to go on. I see no
mention of throwing these businesses into Salem's Lot 2008.





Re: Fwd: cnn.com - Homeland Security seeks cyber counterattack system(Einstein 3.0)

2008-10-07 Thread J. Oquendo
On Tue, 07 Oct 2008, Sean Donelan wrote:

> On Mon, 6 Oct 2008, Buhrmaster, Gary wrote:
> >The Federal Government (through its "Trusted Internet
> >Connection" initiative) is trying to limit the number
> >of entry points into the US Government networks.
> >(As I recall from 4000 interconnects to around 50,
> >where both numbers have a high percentage of politics
> >in the error bar.)
> 
> Assuming you were on an advisory panel, what advice would you give
> the US Government how to protect and defend its networks and ability
> to maintain service?
> 
> Most government networks and services depend on private network operators
> at some level.
> 
> 

Here is my take on this, recycling something I answered in similar
context earlier today. Too many companies and individuals rely far
too heavily on a false and outdated concept of the definition of
"minimum requirements" when it comes to security. They tend to
think they need to implement the minimum requirements and all will
be fine. This is evident in almost all security management material
I read where the goal is to offer a "minimum" set of requirements
to meet guidelines and regulatory controls.

What about exceeding the minimum requirements for a change. I
associate "minimum requirements" with laziness especially when it
comes to security. If companies structured their business a little
better, it could be more beneficial for them to speak out and
capitalize on security costs instead of worrying about the ROI on
implementing security technologies and practices.

This whole consensus about security not "making money" is flawed
and the more people stick with their confirmation and status quo
biases, the more businesses will NOT dish out for security causing
headaches and financial misery along the way, it's self-induced.

Can't wholly blame managers, a lot has to be weighed on the
organizations around the world whose wordings have been taken out
of context: e.g. "Under the proposal being considered, an
independent audit would ensure that their networks are secure,"
he explained. "This audit process would work across business
sectors, and would require companies to meet a minimum standard
of security competency."
(http://www.net-security.org/secworld.php?id=1731)

Many have taken the attitude to implement enough to meet MINIMUM
standards and this seems to be enough for them. Then some wonder
why systems get compromised. Concepts are taken out of context.
Just because an organization makes a recommendation on what
should be a "minimum", shouldn't mean companies or governments
should put in solely enough to meet compliance and guidelines.

Businesses and governments in this day and age should be going
above and beyond to protect not only themselves, but their clients,
infrastructure, investors, etc. Until then, we'll see the same,
putting out *just* enough to flaunt a piece of paper: "Minimum
requirements met" and nothing more. How is this security again?
How is minimizing the connection points going to really stop
someone from launching exploit A against a machine that hasn't
been properly patched? Might stop someone from somewhere in
China or so, but once an alternative entry point is found, that
vulnerability is still ripe for the "hacking".





Re: Fwd: cnn.com - Homeland Security seeks cyber counterattack system(Einstein 3.0)

2008-10-07 Thread J. Oquendo
On Tue, 07 Oct 2008, Sean Donelan wrote:

> On Tue, 7 Oct 2008, [EMAIL PROTECTED] wrote:
> >On Tue, 07 Oct 2008 11:30:11 CDT, "J. Oquendo" said:
> >>What about exceeding the minimum requirements for a change.
> >(I think you'll find that if somebody is actually willing to *pay* for more
> >security, there's plenty of outfits who are more than happy to make it 
> >happen)
> 
> What should the US Government buy for more security?  And how can the US 
> Government make sure they actually get what they are paying?
> 
> 

I apologize for being naive. I guess 1.5 billion allocated to one
state's Cybersecurity initiative *really* isn't enough to purchase
the necessary load balancers, firewalls and personnel to audit the
infrastructure for that one state.

Quote: "These include positions funded for Cyber Security (Public Service Account);
the federal Disaster Preparedness Program (Weapons of Mass Destruction)
through which the agency has granted over $1.5 billion in federal grant funds across
the state; "

http://www.budget.state.ny.us/budgetFP/spendingReductions/agencyPlansPDF/NYSOHS_FMP.pdf

So much so (not enough) they've not looked into ramping UP their
budget, but ramping it DOWN. My thought would be to review the
entire network as a whole, instead of the bandaid approach we've
been taking, start fresh. Look at what's currently in place,
audit, assess, re-do until they get it right.

Contractors should be held accountable for breaches in an
infrastructure. Before awarding a contract, I would do my best
to have the wording changed from "minimum requirements" to
securest implementation. Whether this securest implementation
took 5 new engineers to give a closer review, so be it.

I'd have some form of interagency strategy of tiger teams in
differing realms of government and perform war games testing
amongst each others' networks. The theory would be if the
best of the best in government can find a hole, so will an
attacker. It could be incentive based where a monthly
"DefGovCon" capture the flag like training would take place
to ensure that security issues are discovered internally and
defended against. Teams would get prizes or recognition.

Our government has so many resources at its disposal there is
no real reason I can see them not protecting themselves. What
I do see is shifting of blame and responsibility. Ye old
"Cover Your Ass" attitude.  Accountability - it goes a long
way with accounts receivable and accounts payable. 


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, CNDA, CHFI, OSCP

"Believe nothing, no matter where you read it, or
who said it, no matter if I have said it, unless it
agrees with your own reason and your own common
sense." - Buddha

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB




Re: Why does abuse handling take so long ?

2011-03-14 Thread J. Oquendo
On 3/13/2011 7:45 AM, Alexander Maassen wrote:
> Why o why are isp's and hosters so ignorant in dealing with such issues
> and act like they do not care?
>
>

They really do take this seriously as it cuts into productivity.

Proof they care:
http://www.infiltrated.net/voipabuse/responses/fortress-takes-abuse-serious.txt

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF




Re: an over-the-top data center

2008-11-28 Thread J. Oquendo
On Fri, 28 Nov 2008, William Allen Simpson wrote:

> At one point some time ago, on NANOG we discussed putting exchanges in old
> minuteman silos.  (so long ago a quick Google didn't find it -- where are all
> the old NANOG archives?)
> 

http://www.irbs.net/internet/nanog/9708/0159.html
http://www.irbs.net/internet/nanog/9711/0154.html
http://www.irbs.net/internet/nanog/9610/0947.html
http://www.irbs.net/internet/nanog/0109/1619.html


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Each player must accept the cards life deals him
or her: but once they are in hand, he or she alone
must decide how to play the cards in order to win
the game." Voltaire

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E




Re: Global Crossing SOC

2008-12-17 Thread J. Oquendo

>  I'm good now, but it would be nice if the people on the front lines at
> Global Crossing were even aware what a "Denial of Service" attack was, or
> that they even have a SOC for incident handling.  Once we got redirected
> into their SOC we were in good hands.

You're "assuming" (anyone remember the Benny Hill assume skit). How
many companies - especially large "layered" companies can you name
that would even be able to determine what a SOC is on their customer
service level. I've seen companies with level2 and level3 layers
that couldn't even understand what it was.

Perhaps DNS lookups could include such information in the future.
It would be nice to nslookup a netblock and get something "relevant"
for the security ops as opposed to the standard "abuse" which was
largely relevant for mail operations (spam). I'm sure I'm not the
only one who has thought about this. Maybe NAP's and NSP's can
place contact information somewhere for those with a specific
need to contact those with direct knowledge.

Then real world sinks in... Ticketing systems, accountability,
engineers who would rather be on IRC than cleaning up their nets,
etc.

Happy holidays all ;)


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Enough research will tend to support your
conclusions." - Arthur Bloch

"A conclusion is the place where you got
tired of thinking" - Arthur Bloch

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E




Re: Global Crossing SOC

2008-12-17 Thread J. Oquendo
On Wed, 17 Dec 2008, Fouant, Stefan wrote:

> > -Original Message-
> > From: J. Oquendo [mailto:s...@infiltrated.net]
> > Subject: Re: Global Crossing SOC
> > 
> > only one who has thought about this. Maybe NAP's and NSP's can
> > place contact information somewhere for those with a specific
> > need to contact those with direct knowledge.
> 
> I think it's a lovely idea, I just wonder how long such a system would
> last before people really start taking advantage of it, i.e. I have a
> really low priority, non-important issue I need resolved, let me get in
> touch with the MOST clueful person I can to get a really quick
> resolution...
> 

I thought I had made it clear about the cons. Obviously the con would
be someone contacting say Global or Level3 or someone else with: "OMFG
like... Some virus!", the cost of doing business. That doesn't stop
them NOW from Googling "security" +"Global", they're not doing an nslookup
for contact information. I would like to believe that the majority of
people doing nslookups for contact information usually have a higher
grasp of what they're looking for. Ask any "Average Joe" to perform an
nslookup and compare those results to deer on the highways looking at
those high-beams.

You can't expect someone with a less than mission critical reason to
contact someone in a higher position, there is no guarantee someone
wouldn't be clueful enough to just Google "SOC" +"Global Crossing"
+SOC

(http://www.google.com/search?q=%22global+crossing%22+%2B%22SOC%22+%2Bcontact)

What I infer from you is "right... Buddy go ahead and do it... Then
the whole world will be screaming about not-so-important shtuff!"
If this is the case, what's to stop them from using Google. For the
most part, we can infer a large portion of users outside of those
with *some* form of networking concepts/experience, can use and know
what nslookup is for. Placing relevant information is not going to
"cripple SOC" no more than Google would.






Re: Global Crossing SOC

2008-12-17 Thread J. Oquendo
On Wed, 17 Dec 2008, Fouant, Stefan wrote:

> While I understand where you are coming from and I completely agree, I
> think I should point out that the search pattern you generated actually
> produced a Press Release about Global Crossing's SOC implementing some
> ISO 9001:2000 certification.  At the bottom of the article it had Press
> "Contacts" within Global Crossing.  It didn't actually contain any
> useful contact information for any SOC personnel whatsoever...
> 
> It's a moot point however, because I happen to agree with you that
> obtaining that information via nslookup is a more effective barrier at
> weeding out the less clueful.
> 

I didn't want to spend too much time sorting out Google
searches ;) Anyhow, how do we get others to understand
the need for something like this (information via say
whois trickled from an nslookup on a netblock). That
would definitely be more productive than someone having
to contact abuse - which is highly likely going to be
ignored/not remedied appropriately.

Would definitely be a plus for me if say I had someone
directly contact my SOC team for a security related
issue. Would save time for me and the caller. I see it
as a no brainer... Others will likely see it as "that's
what abuse is for"

Maybe Jared should start a SOC contact page or something
similar.






Re: google logo

2009-01-28 Thread J. Oquendo
On Wed, 28 Jan 2009, Dozens of Overpaid Engineers wrote:

> That's a Jackson Pollock.
> 

Question should be - How does this affect route patterns,
traffic, policies, etc.? 






Re: Dynamic IP log retention = 0?

2009-03-12 Thread J. Oquendo
On Thu, 12 Mar 2009, Glen Turner wrote:

> William Allen Simpson wrote:
> 
> A telecommunications carrier releasing a customer's details without their
> permission, to a non-investigatory third party, without a court order.
> Hmmm. It's certainly illegal here in Australia. And last I checked wasn't
> the US firm Hewlett Packard in trouble for hiring people to do just that?








Off topic contact needed for Sangoma

2009-03-18 Thread J. Oquendo

Apologies all, does anyone have a security contact on the
network side for Sangoma. 






Level3 funkiness

2009-04-15 Thread J. Oquendo

Anyone else experience sporadic funkiness via
Level3? I can't even reach the main website from who
knows how many networks I've tried. Also friends
and former colleagues have tried to reach the site
to no avail.

One of my machines on AT&T:
# traceroute level3.net
traceroute to level3.net (63.211.236.36), 30 hops max, 40 byte packets

 4  cr1.n54ny.ip.att.net (12.122.105.58)  11.285 ms  21.702 ms  21.477 ms
 5  ggr2.n54ny.ip.att.net (12.122.131.141)  12.712 ms  10.194 ms  16.393 ms
 6  so-8-0-0.car3.NewYork1.Level3.net (4.68.127.149)  9.975 ms  10.019 ms  10.833 ms
 7  vlan79.csw2.NewYork1.Level3.net (4.68.16.126)  10.162 ms  10.189 ms  14.474 ms
 8  ae-71-71.ebr1.NewYork1.Level3.net (4.69.134.69)  15.763 ms  11.166 ms  9.725 ms
 9  ae-3-3.ebr4.Washington1.Level3.net (4.69.132.93)  16.139 ms  30.616 ms  16.275 ms
10  ae-64-64.csw1.Washington1.Level3.net (4.69.134.178)  15.684 ms
    ae-74-74.csw2.Washington1.Level3.net (4.69.134.182)  21.870 ms
    ae-84-84.csw3.Washington1.Level3.net (4.69.134.186)  28.729 ms
11  ae-92-92.ebr2.Washington1.Level3.net (4.69.134.157)  17.035 ms
    ae-62-62.ebr2.Washington1.Level3.net (4.69.134.145)  17.041 ms
    ae-72-72.ebr2.Washington1.Level3.net (4.69.134.149)  21.940 ms
12  ae-2-2.ebr2.Chicago2.Level3.net (4.69.132.69)  31.671 ms  42.407 ms  45.774 ms
13  ae-1-100.ebr1.Chicago2.Level3.net (4.69.132.113)  31.922 ms  32.115 ms  38.135 ms
14  ae-3.ebr2.Denver1.Level3.net (4.69.132.61)  75.265 ms  67.528 ms  67.937 ms
15  ge-9-0.hsa1.Denver1.Level3.net (4.68.107.35)  62.587 ms !H
    ge-9-1.hsa1.Denver1.Level3.net (4.68.107.99)  62.543 ms !H
    ge-9-2.hsa1.Denver1.Level3.net (4.68.107.163)  75.797 ms !H


(From Texas through Above.net)
$ traceroute level3.net|tail -n 1
traceroute to level3.net (63.211.236.36), 64 hops max, 40 byte packets
11  ge-6-2.hsa1.Denver1.Level3.net (4.68.107.131)  21.473 ms !H * 
ge-6-0.hsa1.Denver1.Level3.net (4.68.107.3)  21.547 ms !H

Confirmed it can't be reached from Travelers Ins, The
Hartford, none of my connections. Anyone else seeing
issues? I'm seeing drop off from clients going through
their Atlanta interconnects with Charter and two other
providers, which I can't make sense of. I DO KNOW they
experienced some sort of issue with a TDM switch or so
they said... Very broad statements: "We know teh
interwebs are down please stand by"

I know websites are one thing, but the chances of the
website going down, a TDM switch being wacky and now
clients traversing their networks complaining all at
once seems a little out of the ordinary. 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E




Re: Level3 funkiness

2009-04-15 Thread J. Oquendo
On Wed, 15 Apr 2009, Murphy, Jay, DOH wrote:

> Have you been able to in the past?? The site is used for other purposes,
> and the front end site that you will see is www.level3.com, not net.  So
> which one?
> 
> 
> Jay Murphy 
> IP Network Specialist 
> NM Department of Health 
> ITSD - IP Network Operations 
> Santa Fe, New Mexico 87502 
> Bus. Ph.: 505.827.2851
> 
> "We move the information that moves your world." 

Yes discovered that then thought about reposting full traceroute
feeds. It was the *.com I can get through now from 4 out of like
8 addresses. Actually on the phone with Level3 right now






Re: Level3 funkiness

2009-04-15 Thread J. Oquendo
On Wed, 15 Apr 2009, Blake Pfankuch wrote:

>  2  dvr-edge-05.inet.qwest.net (72.165.27.181)  27.696 ms  27.688 ms  28.022 ms
>  3  dvr-core-01.inet.qwest.net (205.171.10.89)  28.010 ms  28.001 ms  27.990 ms
>  4  * * 67.14.2.89 (67.14.2.89)  50.773 ms
>  5  xe-8-2-0.edge2.dallas3.level3.net (4.68.63.53)  51.120 ms
>     xe-8-1-0.edge2.dallas3.level3.net (4.68.63.49)  51.107 ms  51.099 ms
>  6  vlan79.csw2.Dallas1.Level3.net (4.68.19.126)  56.763 ms  37.806 ms
>     vlan89.csw3.Dallas1.Level3.net (4.68.19.190)  33.368 ms
>  7  ae-82-82.ebr2.Dallas1.Level3.net (4.69.136.145)  35.514 ms
>     ae-72-72.ebr2.Dallas1.Level3.net (4.69.136.141)  44.125 ms
>     ae-62-62.ebr2.Dallas1.Level3.net (4.69.136.137)  44.120 ms
>  8  ae-2.ebr1.Denver1.Level3.net (4.69.132.105)  50.913 ms  50.895 ms  50.522 ms
>  9  ge-6-0.hsa1.Denver1.Level3.net (4.68.107.3)  45.675 ms !H
>     ge-6-1.hsa1.Denver1.Level3.net (4.68.107.67)  46.875 ms !H *
>
> 

Thanks to all who replied. I should have actually reposted
traces but it would have annoyed. I had experienced issues
connecting to Level3.com, couldn't reach lg.level3 from a
wide range of sites.

I have a ticket on "watch" mode of sorts concerning a TDM
switch having gone down in Connecticut. Just seems a little
strange yet another client passing through an interchange
with Level3 is now affected as well. I'll let them deal with
their own provider. As far as I can tell from the ITSP side
of things, I'm alright now. Anyone doing VoIP would have 
seen the Level3 hiccup up here (Stamford area'ish).






Re: Beware surfers: cyberspace is filling up

2009-04-30 Thread J. Oquendo
J.D. Falk wrote:
> 'Experts predict that consumer demand, already growing at 60 per cent
> a year, will start to exceed supply from as early 

Can you re-send. Something seems to have stopped your entire message from
reaching my inb