Re: Smokeping - EchoPingHttps

2021-10-20 Thread John Adams
I sort of feel like echopinghttps is a near 20-year old tool with little to
no bearing on the reality of where TLS is today.

The owner of this tool has discontinued it (see
https://github.com/bortzmeyer/echoping) and it is no longer maintained. I
wouldn't rely on it anymore.

-john


On Wed, Oct 20, 2021 at 4:26 PM Mike Hammett  wrote:

> I used EchoPingHttps for the first time today.
>
> I pulled up the top 20 sites (well, removing duplicate sites from the same
> company) from Alexa and put them in to trend response times. I've had "this
> feels slow" over the years, but no way to really track that other than
> feels and pings.
>
> I noticed that a few (Facebook, Salesforce, ESPN, and Zillow) don't chart
> at all, with varying errors in a smokeping --debug. I've noticed that a
> couple more (Amazon and Etsy) are fickle in their responses. I assume if
> they're not responding, they're poo pooing on my fake client. Am I in the
> right ballpark?
>
>
> Next, is there a better way of doing this? I saw the curl plugin, but it
> was only after I had seen EchoPingHttps, so maybe curl is "better."
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
>


Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-19 Thread John Adams
The goal of U2F is one key fob that works on many services. Implementation is 
pretty simple and the hardware is inexpensive.


Sent from my iPhone

> On Apr 19, 2021, at 08:51, William Herrin  wrote:
> 
> On Mon, Apr 19, 2021 at 5:54 AM Mark Tinka  wrote:
>> It's all about convenience, and how much they can get
>> done without speaking to human.
> 
> Hi Mark,
> 
> Convenience is the most important factor in any security scheme. The
> user nearly always has a choice, even if the choice is as
> rough-grained as "switch to a different company." If your process is
> too onerous (the user's notion of onerous) then it simply won't be
> used. An effective security scheme is the strongest which can be built
> within that boundary.
> 
>> If a key fob can be sent to them - preferably for free - that would help.
> 
> Hint: carrying around a separate hardware fob for each important
> Internet-based service is a non-starter. Users might do it for their
> one or two most important services but yours isn't one of them.
> 
> Regards,
> Bill Herrin
> 
> -- 
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/


Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-18 Thread John Adams
I’m sorry - I think we miscommunicated here.

I was not advocating for TOTP or HOTP for SMS - in fact I’m completely against
SMS being used for multi-factor auth at all.

-j

Sent from my iPhone

> On Apr 18, 2021, at 12:48, William Herrin  wrote:
> 
> 
> On Sun, Apr 18, 2021 at 12:03 PM John Adams  wrote:
> > On top of this most TOTP and HOTP systems have additional security checks 
> > like blocking reuse of codes, rate-limiting of guesses, and in some cases 
> > acceptance of earlier codes (in TOTP) if the clock skews too far that make 
> > them much stronger options which decreases security but is certainly more 
> > of a convenience factor. 
> 
> Hi John,
> 
> On a site, the symmetric key used to generate the TOTP code is stored in the 
> same database as the user's password. Unencrypted or with readily reversible 
> encryption since unlike a password it can't be verified by comparing 
> ciphertext. Your protection is that every site uses a different TOTP key, 
> just like you're supposed to use a different password, so compromise of a 
> single site doesn't broadly compromise you elsewhere. It can also be captured 
> with malware on your phone, the same place an adversary will sniff your 
> password, which -will- broadly compromise you if you're also entering the 
> passwords on your phone.
> 
> None of these authentication schemes are magic. They all have attack vectors 
> with varying degrees of difficulty, none of which are particularly harder 
> than breaking a well chosen password. 2FA doesn't solve this. All it does is 
> require an adversary to break -two- completely different authentication 
> schemes in close enough proximity that you won't have closed the first breach 
> before they gain the second. That's it. That's all it does. 
> 
> While attacks on SMS are certainly practical, stop and think for a moment on 
> how you would scale them up and break 1 accounts per day. Got a plan 
> where you're not caught in the first two days? No, you don't.
> 
> SMS is not a strong authentication factor. When used well, it's not intended 
> to be. It's meant to require an adversary to do enough extra work after 
> having already captured your password that unless they're specifically 
> targeting you, the odds favor discovering and correcting the original breach 
> before much harm can be done. For that use and that use only, it performs 
> about as well as TOTP. 
> 
> If you can reset your email password with an SMS message and reset your bank 
> password with an email then SMS has been misused as a very weak single factor 
> authentication process. Not because SMS offers weak authentication (that's 
> all it's meant to offer) but because it was used incorrectly in a process 
> that needed strong authentication.
> 
> Regards,
> Bill Herrin
> 
> 
> -- 
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/


Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-18 Thread John Adams
On top of this most TOTP and HOTP systems have additional security checks
like blocking reuse of codes, rate-limiting of guesses, and in some cases
acceptance of earlier codes (in TOTP) if the clock skews too far that make
them much stronger options which decreases security but is certainly more
of a convenience factor.

-john


On Sun, Apr 18, 2021 at 6:06 AM Mel Beckman  wrote:

> As far as I know, authenticators on cell phone apps don’t require the
> Internet. For example, the Google Authenticator mobile app doesn't require
> any Internet or cellular connection. The authenticated system generates a
> secret key - a unique 16 or 32 character alphanumeric code. This key is
> scanned by GA or can be entered manually and as a result, both the
> authenticated system and GA know the same secret key, and can compute the
> time-based 2nd factor OTP just as hardware tokens do.
>
> There are two algorithms: HOTP and TOTP. The main difference is in OTP
> expiration time: with HOTP, the OTP is valid until it has been used;
> TOTP times out after some specified interval - usually 30 or 60 seconds.
> For TOTP, the system time must be synced, otherwise the generated OTPs will
> be wrong. But you can get accurate enough clock time without the Internet,
> either manually using some radio source such as WWV, or by GPS or cellular
> system synchronization.
>
>  -mel
>
> > On Apr 18, 2021, at 5:46 AM, Mark Tinka  wrote:
> >
> > 
> >
> >> On 4/18/21 05:18, Mel Beckman wrote:
> >>
> >> No, every SMS 2FA should be prohibited by regulatory certifications.
> >> The telcos had years to secure SMS. They did nothing. The plethora of
> >> well-secured commercial 2FA authentication tokens, many of them free,
> >> should be a mandatory replacement for 2FA in every security governance
> >> regime, such as PCI, financial account access, government web portals, etc.
> >
> > While I agree that SMS is insecure at the moment, I think there still
> > needs to be a mechanism that does not rely on the presence of an Internet
> > connection. One may not be able to have access to the Internet for a number
> > of reasons (traveling, coverage, outage, device, money, etc.), and a
> > fallback needs to be available to authenticate.
> >
> > I know some companies have been pushing for voice authentication for
> > their services through a phone call, in lieu of SMS or DTMF-based PIN's.
> >
> > We need something that works at the lowest common denominator as well,
> > because as available as the Internet is worldwide, it's not yet at a level
> > that one would consider "basic access".
> >
> > Mark.
>


Re: Wikipedia drops support for old Android smartphones; mandates TLSv1.2 to read

2019-12-31 Thread John Adams
Because no one should know what you read about or check out at Wikipedia.

Sent from my iPhone

> On Dec 31, 2019, at 00:30, Matt Hoppes  
> wrote:
> 
> Why do I need Wikipedia SSLed?  I know the argument. But if it doesn’t work 
> why not either let it fall back to 1.0 or to HTTP. 
> 
> This seems like security for no valid reason.


Re: A Zero Spam Mail System [Feedback Request]

2019-02-17 Thread John Adams
Agreed.

I’ve never seen someone so excited to have reinvented TMDA from the 1990’s. 
Please, tell us more how the Internet will readdress itself to meet your 
fascinating solution. 

Can we go back to talking about network engineering now?

Sent from my iPhone

> On Feb 17, 2019, at 19:21, valdis.kletni...@vt.edu wrote:
> 
> On Mon, 18 Feb 2019 07:33:32 +0530, Viruthagiri Thirumavalavan said:
>> My name is Viruthagiri Thirumavalavan. I'm the guy who proposed SMTP over
>> TLS on Port 26
> 
> Unfortunately, your attempt there didn't demonstrate an in-depth knowledge of
> the email ecology of the sort needed to *actually* solve the spam problem.
> 
>> Today I have something to show you.
>> 
>> Long story short I solved the email spam problem. Well... Actually I
>> solved it long time back. I'm just ready to disclose it today. Again...
> 
> So actually *disclose* it already, rather than whining about how you've been
> treated.
> 
> And there's this telling statement:
> 
>> [Today's discussion is about whether I solved the spam problem. Not about how
>> I'm gonna distribute the solution]
> 
> You apparently don't understand that how the solution gets distributed is a
> very important part of whether the solution will work.
> 
> Bottom line: You hit most of the points in Vernon Schryver's FUSSP list, plus
> an amazing number of points in John Baez's crackpot index. Not a good way to
> start.
> 
> So because I'm needing some entertainment, I went to go check the Medium post.
> 
>> "Spammers have no idea what's going on INSIDE the email system. i.e. They
>> have no idea whether their mail gets marked as spam or not."
> 
> Oh, you poor, poor uneducated person.  Spammers have a *very good* idea
> of whether it was marked as spam.
> 
>> "Now, what if your first mail get rejected with an error message like
>> "Unauthorized Sender"?
>> Would you still write your follow-up mail? No, right?"
> 
> At which point you totally miss the point - for a spammer, the reasonable
> thing to do is *send another mail with a different From: value*, in hopes of
> hitting one that's an "authorized sender".
> 
>> "So when mails get rejected with an error message, spammers gonna remove your
>> email address from their email list. That's because your email address is a
>> dead end for them."
> 
> OK, I'm done here. We obviously have a total lack of understanding of the
> problem space, and it's very unlikely that an actually correct solution will
> arise from that.
> 
> Also, I'll offer you a totally free piece of technical advice: Those SAD
> entries in the DNS that you're hoping to use to tie domains together are
> trivially forgeable.
> 
> To save everybody else the effort:  As far as I can tell, he's re-invented
> plus addressing, and says that if everybody creates mailboxes
> john.sm...@example.com for personal mail, and a john.smith+na...@example.com
> for nanog mail, and john.smith+my-b...@example.com for his bank emails, spam
> will apparently give up in defeat.
> 
> There's a whole bunch more, including assuming that Joe Sixpack *will* create
> a separate address for each "transactional" piece of mail, that spammers won't
> send mail that looks like personal mail, that spammers won't create bogus DNS
> entries, and a few other whoppers...
> 


Re: Perspectives about customer M/A/C in triple play environments

2016-05-16 Thread John Adams
I have never seen this level of segmentation in any customer premises I
have worked on. Even in "triple-play" environments the handoff is nearly
always untagged ethernet and the downstream devices just work.

-j


On Mon, May 16, 2016 at 5:09 PM, Jason Lixfeld 
wrote:

> Hello,
>
> I think it’s fair to say that most broadband/FTTx customers don’t have to
> think very much or need to have a very high degree of understanding if they
> want to move their wired Internet device from one room or another in their
> house.
>
> Maybe to keep things simple, let’s assume that we’re talking about a
> relatively modern MDU unit where a customer has some sort of provider CPE
> in their in-suite telecom demark closet/box/what have you with some number
> of switched 'LAN’ ports on it, and each of those LAN ports would be wired
> to a wall jack somewhere.  Mr. or Ms. User can move their Internet device
> anywhere there is a wall jack and Bob’s your uncle.
>
> My question is around how this landscape changes in triple play
> environments.  As I understand it, most triple play deployments separate
> (in some cases VoIP,) TV and Internet traffic onto VLANs (Internet would be
> presented to the customer untagged).  The CPE would then allow the ISP to
> switch the video traffic onto a coax port, or maybe onto the CPE’s embedded
> switch, or maybe both.  For the sake of argument, let’s assume the provider
> is supplying an Ethernet based set-top-box, so customer should be able to
> connect the STB to any wall jack and it should just work.  And they should
> be able to connect their provider supplied ATA to any wall jack, and it
> should just work.  And they should be able to connect their Internet device
> to any wall jack and it should just work.
>
> Or should it?
>
> Are most CPEs that are provided by ISPs sophisticated enough to be able to
> put all service tags on all ports, and have those same ports act as
> untagged LAN ports as well?  If not, how do providers deal with this?  Do
> they dedicate one port for an IPTV STB?  One port for an ATA (assuming no
> built-in POTS on the CPE)?  And the rest of the ports for untagged
> Internet?  What if the customer has 2+ TVs?  Do they need to call in and
> have the provider remote in and provision another port for TV at the
> expense of some other service that might be running on that port already?
> Do they need to install a switch that does IGMP snooping?
>
> I feel like this all has the potential to become very complicated for the
> customer, and maybe the provider and their installers.  To me, the customer
> should continue to be dumb and unassuming.  They should be able to put
> whatever they want wherever they want and have it just work.  Is that how
> things actually are in the real world or are customers and providers making
> silent sacrifices for the sake of all this new fangled technology?
>


Re: Automated alarm notification

2016-02-11 Thread John Adams
datadog will do this without issue, and if you have a small number of hosts
it's nearly free.

-j


On Thu, Feb 11, 2016 at 1:51 PM, Frank Bulk  wrote:

> Is anyone aware of software, or perhaps a service, that will take SNMP
> traps, properly parse them, and perform the appropriate call outs based on
> certain content, after waiting 5 or 10 minutes for any alarms that don't
> clear?
>
> I looked at PagerDuty, but they don't do any SNMP trap parsing, and nothing
> with set/clear.
>
> Frank
>
>


Re: Cat-5 cables near 200 Paul, SF

2013-05-31 Thread John Adams
Central computer. It's next to Moscone west. It's great. No need to go to
the south bay.

-j


On Fri, May 31, 2013 at 11:16 AM, Warren Bailey <
wbai...@satelliteintelligencegroup.com> wrote:

> We talked about this the other day. I think the consensus was.. In San
> Fran, you're best off to head over to Fry's. I'm foggy, but I believe the
> word was Fry's in lieu of Microcenter etc. I think we also heard some
> people reply back with Graybar.
>
> On 5/31/13 4:15 AM, "Tuc"  wrote:
>
> >Hi,
> >
> >Hate to be "that guy" but really need help. Anyone know a place near 200
> >Paul in SF with a major quantity of cat-5 cables? Like 30 8ft blue, 20 8ft
> >grey, 30 5ft blue. Need them today due to ex-employee's poor inventory
> >keeping.
> >
> >Thanks, Tuc
>
>
>


Re: Suggestions for managed DNS provider?

2013-02-14 Thread John Adams
I'm extremely happy with Dyn, for both personal and work (Twitter.)

Their staff is fantastic and great to deal with.

-j


On Thu, Feb 14, 2013 at 12:08 PM, Mike Hale wrote:

> DynDNS was pretty decent for us.  We had a fair amount of load with
> them and they handled it with no problem.
>
> On Thu, Feb 14, 2013 at 11:58 AM, David Hubbard
>  wrote:
> > Hi all, anyone have suggestions for very stable/reliable managed DNS?
> > Neustar/UltraDNS is an obvious option to look at, just curious about
> > alternatives.  Cost effective would be nice, but stable under attack is
> > better.
> >
> > Thanks,
> >
> > David
> >
>
>
>
> --
> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>
>


Re: SSL Certificates and ... Providers

2012-12-27 Thread John Adams
Many vendors do this and I highly recommend someone like Digicert that won't 
play the per-machine licensing game with you.

Sent from my iPhone

On Dec 27, 2012, at 11:47 AM, Blake Pfankuch  wrote:

> Ok, so this might be a little off topic but I am trying to validate something 
> a vendor is telling me and hoping some people here have expertise in this 
> area...
> 
> I am working with a SSL certificate provider.  I am trying to purchase a 
> quantity of wildcard SSL certificates to cover about 60 FQDN's across 4 
> domains.  Vendor is telling me that the Wildcard certificates are licensed 
> per physical device it is installed on.  This means instead of using a single 
> wildcard across 20 servers, I would have to buy 20 wildcard certs for 20 
> servers.
> 
> This does not compute in my brain and also in my mind completely defeats the 
> purpose of a wildcard cert as I know it.  Has anyone run into this before?
> 
> Thanks
> Blake



Re: Adding GPS location to IPv6 header

2012-11-25 Thread John Adams
Your proposal doesn't even give people a way to encrypt their location
data. By moving geodata to a portion of the protocol which is not covered
by commonly used encryption methods (i.e. HTTPS, which is up a few layers
in the stack), people can't be protected should this data be monitored by a
malicious intermediary. Think: Syria, China, Iran, or any other government
which will kill you for your words online.

Application protocols sending GPS data under say, HTTPS protect the end
user from revealing their location to anyone on their path, forcing an
intermediary to look up the IP in a common geo database which will be
mostly inaccurate in pinpointing users, and hopefully will save lives.

Companies like Twitter, Facebook, and some parts of google are going HTTPS
by default for this very reason.

This proposal is dead, you don't have the sense to lie down.


Re: Adding GPS location to IPv6 header

2012-11-24 Thread John Adams
Don't conflate layer 5-7 needs with basic communication requirements. IP is
not the place for this sort of header.

This is not data that should be sent on every packet. It becomes redundant.
Not to mention the serious privacy concerns such a header brings up in the
protocol. You barely address this in your RFC. You write it away with a
wishy-washy "Oh err um, users will have the option to turn it off". That's
worked so well for opt-out advertising -- I'm sure it will work here.

If there's a place where I can go and vote this down / debate it away, tell
me where that is.

-j

On Thu, Nov 22, 2012 at 3:59 AM, Ammar Salih wrote:

> Dears, I've proposed a new IPv6 "extension header", it's now posted on IETF
> website, your ideas and comments are most welcome!
>
>
>
>
> http://datatracker.ietf.org/doc/draft-add-location-to-ipv6-header/?include_text=1
>
>
>
> Thanks!
>
> Ammar Salih
>
>
>
>
>
>


Re: Google burp

2012-10-31 Thread John Adams
Hey now, we're doing fine over here at Twitter. :P

-j


On Wed, Oct 31, 2012 at 2:55 PM, Blair Trosper <
blair.tros...@updraftnetworks.com> wrote:

> I guess I'll be the one to ask...what's going on over at Google?  Service
> interruptions and front-end errors all over the place across what appears
> to be all services, though Gmail seems to have bounced back up.  Google's
> service disruption is about to bring Twitter's service to its knees as
> people complain and try to figure out what's going on.
>
> Blair Trosper
> Updraft Networks & The North Texas GigaPOP
>


Re: NSA and the exchanges

2012-10-31 Thread John Adams
Allegedly? No, definitely.

https://www.eff.org/nsa-spying

https://www.eff.org/files/filenode/att/presskit/ATT_onepager.pdf



-j

On Wed, Oct 31, 2012 at 11:25 AM, andy lam  wrote:

> Anyone knows if there's a way to find out how involved NSA monitors 151
> front street at Toronto?  NSA allegedly monitors data centres in the US,
> but does it have the same influence at a building sitting in its neighbor's
> soil?
>
> There's something on the web like www.ixmaps.ca that tries to piece it
> together.  but not sure how helpful the information on there really is?
>
>
> feedback welcome.
>


Re: CVV numbers

2012-06-09 Thread John Adams
There is a reason most scanners that verify the PCI standard look
for autocomplete=off on credit card number and CVV2 fields. This is
specifically it.

-j


On Sat, Jun 9, 2012 at 12:30 PM, Barry Shein  wrote:

>
> On June 9, 2012 at 12:12 w...@typo.org (Wayne E Bouchard) wrote:
>  >
>  > The main weakness of CVV2 these days is "form history" in browsers.
>  > (auto complete). Now, if someone can get onto your PC, they not only
>  > get the credit card number (which there are myriad different ways to
>  > get) but the CVV as well so that mechanism is, now, all but useless.
>
> Oh c'mon, all but useless? Look at all the ifs/ands/buts. They need
> access to your form history which actually is useless if the
> merchant's form just uses a password-type field, etc.
>
> Yeah, a lot of these techniques are useless if your computer etc is
> completely pwned. But they help if you're not.
>
> Credit card fraud prevention is all about percentages, not absolutes.
>
> Even just requiring a valid credit card number and expiration date and
> nothing else probably prevents, I dunno, 98%+ of all potential fraud,
> probably 99%+.
>
> The rest is about squeezing down that last percentage point or two and
> generally discouraging crooks from trying.
>
> One of the PITA frauds credit card companies deal with is someone in
> the household, like your teenage kid, taking your card physically out
> of your wallet and using it w/o your permission and then you call in
> when you see the bill that you never ordered $100 from iTunes or
> bought any cool sneakers at the mall.
>
> That's probably more common than a lot of the other frauds you imagine.
>
> A lot of these techniques at least prove that *someone* had your card
> physically if they suspect this was not fraud but, rather,
> "unauthorized use".
>
> People will also try to deny charges they simply regret, like a night
> at a bar with strippers particularly that one in the blue hot pants,
> who the h*** KNEW she got $300 for a lap dance and $50/glass for the
> Kristal, doesn't seem fair not fair at all...it's some backpressure.
>
>
> --
>-Barry Shein
>
> The World  | b...@theworld.com   |
> http://www.TheWorld.com
> Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR,
> Canada
> Software Tool & Die| Public Access Internet | SINCE 1989 *oo*
>
>


Re: Dear Linkedin,

2012-06-08 Thread John Adams
On Fri, Jun 8, 2012 at 1:02 PM, Scott Weeks  wrote:

> :: https://agilebits.com/onepassword (1Password) is one solution to
> :: managing web site passwords.
> 
>
> Only if you have an OS you have to pay for: apple or ms.
>
>
So use LastPass, then.

-j


Re: Dear Linkedin,

2012-06-08 Thread John Adams
On Fri, Jun 8, 2012 at 12:48 PM, Michael Thomas  wrote:


> So the implication is that I have 100's of passwords all unique and that I
> must change every one of them to be something new and unique every few months.
> And remember each of them. And not write them down.
>
> I'm sorry, my brain doesn't hold that many passwords. Unless you're a
> savant, neither does yours. So what you're telling me and the rest of the
> world is impossible.
>

No actually, it's not impossible.

I use 1password, you might use LastPass. They both work on Android, iPhone,
Linux, Mac, Windows.

I have over 900 passwords in that system, and I don't know any of them.
They're all 8-14 characters. All random. I know my master password, and no
one on the Internet has a copy of that. On some systems, I have a Yubikey
with a 45 character master password.

Change your habits. Fix the password anti-pattern.

-j


Re: Linux Centralized Administration

2012-01-12 Thread John Adams
Here at Twitter we make extensive use of Puppet.  It's great, but we had a
hard learning curve and much customization to get it to work the way we
wanted to.

I'd also recommend Chef, which is like Puppet but includes more tools (like
a machine database) out of the box.

-j


On Thu, Jan 12, 2012 at 2:27 PM, Matthew Palmer  wrote:

> On Thu, Jan 12, 2012 at 04:02:49PM -0500, Paul Stewart wrote:
> > Hey folks... just curious what people are using for automating updates to
> > Linux boxes?
> >
> > Today, we manually do YUM updates to all the CentOS servers... just an
> > example but a good one.  I have heard there are some open source solutions
> > similar to that of Red Hat Network?
>
> At work, we use (and built) a tool called 'tingle'
> (https://github.com/anchor/tingle), which handles it all for us across our
> internal and managed-for-customers infrastructures.
>
> Personally, I don't run CentOS, but I use unattended-upgrades on my personal
> herd of Debian machines, which works well enough.
>
> - Matt
>
> --
> A woman in liquor production / Owns a still of exquisite construction.
> The alcohol boils / Through magnetic coils.
> She says that it's "proof by induction."
>-- http://limerickdb.com/?34
>
>
>


Re: question regarding US requirements for journaling public email (possible legislation?)

2012-01-05 Thread John Adams
On Thu, Jan 5, 2012 at 7:56 AM, Eric J Esslinger wrote:

>
> (I am speaking specifically of full email journaling, not just logs, which
> I do archive for significant amounts of time.)
>
> I also don't want to discuss the pros, cons, merits, costs, goods, or
> evils of such a requirement, just wanted to know if this is something I
> should be looking forward towards maybe needing to implement.
>

This is probably not what you want to hear, but you should really read
through EFF's "Best Practices for Online Service Providers."

https://www.eff.org/wp/osp

Specifically:

OSPs cannot be forced to provide data that does not exist. EFF suggests
that OSPs draft an internal policy that states that they collect only
limited information and do not retain any logs of user activity on their
networks for more than a few weeks. If a court order requests data that is
more than a few weeks old, the OSP can simply point to the policy and
explain that it cannot furnish the requested data. Likewise, if unnecessary
PII is regularly deleted, the OSP cannot supply what it does not retain.
This saves the OSP time and money, while also providing the OSP with
sufficient data for its own administrative and business purposes.


Re: Logs Bank

2011-11-08 Thread John Adams
You probably want Splunk, but if you want to do aggregation in an OSS fashion,
Scribe or Flume is the way to go.

-John

Sent from my iPhone

On Nov 8, 2011, at 11:59, joshua.kl...@gmail.com wrote:

> Hi, 
> 
> If I may ask, is there any OSS that can serve as a log bank or log server,
> where it aggregates logs from different sources, and the logs can be
> accessed using the web from any location on the network, and can do graphical
> presentations based on the frequency or content of the logs.
> 
> Thank you
> 
> Joshua
> 
> -- 
> Sent from my Nokia N9



Re: What do you do when your Home ISP is down?

2011-08-18 Thread John Adams
On Thu, Aug 18, 2011 at 10:21 AM, Mark Keymer  wrote:

> I am wondering what some of you guys do when your home ISP is down. At
> least those of you that don't give yourself internet.
>
>
I have a couple of solutions to this problem.

1) I've got a backup Verizon 4G LTE modem giving out wifi. When the DSL goes
down, I have code that will switch the house over to 4G LTE.

2) The DSL circuit is monitored by a set of scripts, and its modems and
associated switches are tied into an RPC (Remote Power Controller). If the
circuit fails to pass traffic, my scripts will walk the entire network
(routers, switches, servers) as an admin would, trying to find the bad device.
If a device is unresponsive, it reboots it. If the provider's DSLAM dies, my
DSL modem will just sit there and power cycle over and over again until
their DSLAM returns.

If you want it, python code to control a baytech rpc is here:
https://github.com/netik/rpc3control

-john


Re: DNS DoS ???

2011-07-30 Thread John Adams
I don't think anycast works the way you think it does. It'll distribute load
for single dns servers, but not the case that he is describing.

-j


On Sat, Jul 30, 2011 at 12:01 PM, Alex Nderitu wrote:

> DNS anycast can, in addition to ACLs, help distribute load.
>  On Jul 30, 2011 9:44 PM, "Jon Lewis"  wrote:
> > On Sat, 30 Jul 2011, Drew Weaver wrote:
> >
> >>> my DNS servers were getting slow so I blocked recursive queries for all
> >>> but my own network.
> >>
> >> This should be the standard practice. By operating an open recursor,
> >> you lend your DNS server to abuse as a contributor to DNS
> >> reflection/amplification attacks.
> >>
> >> ---
> >>
> >> And at this point he may as well just ACL in-front of the recursors to
> >> prevent the traffic from hitting the servers thus reducing load needed
> >> to reject the queries on the servers themselves.
> >
> > An awful lot of older/smaller deployments have single servers doing both
> > authoritative and recursive DNS. These should be set up with either an
> > allow-recursion { ACL;} statement or separate authoritative and recursive
> > views limiting recursion to just those networks that should be sending
> > recursive queries.
> >
> > Another option is to run separate services bound to different individual
> > IPs on the server. i.e. bind9 or powerdns for authoritative DNS and
> > unbound for recursion.
> >
> > --
> > Jon Lewis, MCP :) | I route
> > Senior Network Engineer | therefore you are
> > Atlantic Net |
> > _ http://www.lewis.org/~jlewis/pgp for PGP public key_
> >
>


Re: Multi Factor authentication options for wireless networks

2011-06-09 Thread John Adams
You could always take the route of not trusting the wireless network at all.
Users who get to wireless can only go to the Internet.

Put all the APs in a DMZ.

Users who can open up a VPN to your Microsoft VPN servers can authenticate
and get to the corporate network.

This is the way things were done on the Apple campus for a long time.

-john

On Thu, Jun 9, 2011 at 3:15 PM, eric clark  wrote:

> Tokens are an option but I should have been more clear.
> As we're a windows shop (apologies, but that's the way it is), we were
> planning on going with user credentials and the machine's domain
> certificate.  Your solution might still be viable, but I'm not certain if I
> can get at the machine certs with LDAP that way,have to check that.
>
>
> On Thu, Jun 9, 2011 at 3:08 PM, John Adams  wrote:
>
>> On Thu, Jun 9, 2011 at 3:02 PM, eric clark  wrote:
>>
>>> Wondering what people are using to provide security from their Wireless
>>> environments to their corporate networks? 2 or more factors seems to be
>>> the
>>> accepted standard and yet we're being told that Microsoft's equipment
>>> can't
>>> do it. Our system being a Microsoft Domain... seemed logical, but they
>>> can
>>> only do 1 factor.
>>> What are you guys using?
>>
>>
>> Move to 802.1X with Radius.
>>
>> Connect your APs or AP Controllers to a decent OTP system like
>> otpd+rlm_otp+freeradius and then connect to the Microsoft domain using LDAP.
>> Extend the LDAP schema to hold the private keys for the OTP system.
>>
>> Many vendors offer this solution, although I suggest that you don't go
>> with SecurID or any token vendor that does not disclose their algorithm to
>> you. Go open, and use OATH.
>>
>> The work being done on OATH is where future one-time, two-factor systems
>> are headed:
>>
>> http://www.openauthentication.org/
>>
>> -john
>>
>>
>


Re: Multi Factor authentication options for wireless networks

2011-06-09 Thread John Adams
On Thu, Jun 9, 2011 at 3:02 PM, eric clark  wrote:

> Wondering what people are using to provide security from their Wireless
> environments to their corporate networks? 2 or more factors seems to be the
> accepted standard and yet we're being told that Microsoft's equipment can't
> do it. Our system being a Microsoft Domain... seemed logical, but they can
> only do 1 factor.
> What are you guys using?


Move to 802.1X with Radius.

Connect your APs or AP Controllers to a decent OTP system like
otpd+rlm_otp+freeradius and then connect to the Microsoft domain using LDAP.
Extend the LDAP schema to hold the private keys for the OTP system.

Many vendors offer this solution, although I suggest that you don't go with
SecurID or any token vendor that does not disclose their algorithm to you.
Go open, and use OATH.

The work being done on OATH is where future one-time, two-factor systems are
headed:

http://www.openauthentication.org/

-john
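
The OATH algorithm the post points to, as an added example that is not from the thread or from any of the projects named: RFC 4226 HOTP, plus the server-side look-ahead window an authenticator such as rlm_otp needs when a token has been clicked a few times without logging in. The secret is the RFC's own test vector, so the output can be checked against the published values; that is the point of an open algorithm over an undisclosed vendor one.

```python
"""Added example (not from the thread): RFC 4226 HOTP, the open OATH
algorithm, with a resynchronisation window on the verifying side."""
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One HOTP value: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation (RFC 4226 section 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, counter: int, candidate: str,
                window: int = 10) -> Optional[int]:
    """Server-side check. Tries the stored counter and the next `window`
    values so a token that drifted ahead still works; returns the counter
    to store next (one past the match) or None on failure. The comparison
    is constant-time so response timing does not leak matching digits."""
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c + 1
    return None


# RFC 4226 Appendix D test secret: the ASCII string "12345678901234567890".
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # Counter 0 gives 755224, counter 1 gives 287082, as published in the RFC.
    for n in range(3):
        print(n, hotp(RFC4226_SECRET, n))
```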


Re: Had an idea - looking for a math buff to tell me if it's possible with today's technology.

2011-05-18 Thread John Adams
We call that "Compression."

-j


On Wed, May 18, 2011 at 1:07 PM, Landon Stewart  wrote:

> Let's say you had a file that was 1,000,000,000 characters consisting of
> 8,000,000,000 bits.  What if instead of transferring that file through the
> interwebs you transmitted a mathematical equation to tell a computer on the
> other end how to *construct* that file.  First you'd feed the file into a
> cruncher of some type to reduce the pattern of 8,000,000,000 bits into an
> equation somehow.  Sure this would take time, I realize that.  The equation
> would then be transmitted to the other computer where it would use its
> mad-math-skillz to *figure out the answer* which would theoretically be the
> same pattern of bits.  Thus the same file would emerge on the other end.
>
> The real question here is how long would it take for a regular computer to
> do this kind of math?
>
> Just a weird idea I had.  If it's a good idea then please consider this
> intellectual property.  LOL
>
>
> --
> Landon Stewart 
> SuperbHosting.Net by Superb Internet Corp.
> Toll Free (US/Canada): 888-354-6128 x 4199
> Direct: 206-438-5879
> Web hosting and more "Ahead of the Rest": http://www.superbhosting.net
>


Re: twitter is serving up errors

2011-04-05 Thread John Adams
On Tue, Apr 5, 2011 at 4:21 PM, Andrew Kirch  wrote:

> expect nothing of technical relevance in this thread, but as this might
> generate some phone calls to some people.
>
>
Known issue, we're on it. This is not a nanog issue. fwiw.

--
John Adams
Twitter


Re: Old Annex question

2011-02-12 Thread John Adams
I remember maintaining a fleet of these back in the day. I believe
it's just the standard escape character Ctrl-] ?

Maybe this document helps?
http://www.marine.csiro.au/~dpg/sysManDocs/annex_man.pdf

-j


On Sat, Feb 12, 2011 at 8:00 PM, Brian Feeny  wrote:
>
> Sad but true, I still have a few of these in operation as terminal servers.  
> In reading the documentation I could find it wasn't clear to me how to solve 
> my issue.  I use these to manage Cisco routers.
>
> How can I connect to a server, and then drop back to the CLI, so I can then 
> connect to another server, and keep switching back and forth?  I thought I 
> could just set the attn_string to say "^A" and then I could just hit that and 
> it would work, but it doesn't seem to.  I basically want to emulate the same 
> functionality you can get when you do ^^x on a Cisco terminal server 
> (2509/2511/etc).
>
> here is how it's configured right now:
>
> %rotary
> host1:                          1@172.16.1.10
> host2:                          2@172.16.1.10
> host3:                          3@172.16.1.10
> %gateway
> annex 172.16.1.10
> net default gateway 172.16.1.1 metric 1 hardwired
> end
>
> So I connect to my annex by telnetting to 172.16.1.10, then I type say host1, 
> but I want to drop back to the CLI, any ideas how to escape to CLI once 
> connected?
>
> I figured that since many of you are from my same era and these were popular 
> with ISP's of the day, someone here may know..
>
> Brian
>
>
>



Re: DHCP server fail-over and accounting

2011-02-02 Thread John Adams
2011/2/1 Joe :
>
> hi,
>
>    we plan to implement a DHCP server farm in our network.  Currently, there 
> are three problems burning my head. Could anybody


You're making this way, way too complicated.

Run two DHCP servers. Allocate two different netblocks to each server.
For example, if your network is a /24, allocate a couple of /26s.
Both will answer on a request.
The client will ack to whatever address it decides to accept. Full redundancy.

>       In our experience, this needs a DHCP server set up on two sites and 
> their content synchronized in real time.
>      Besides this, we hope there should be as little modification as possible 
>  on the edge router when one DHCP server is down.
>      Would an anycast architecture be helpful?   Or should we just set up two 
> dhcp servers on two sites and sync. with ISC DHCPD?

Don't even bother with the syncing, and anycast is the wrong protocol here.

>  2. How to set up accounting and authentication with DHCP?

That's the wrong place to do it.  802.1X is better here, or PPPOE/ACLs
that need RADIUS auth to get past.

> 3.  Someone said PPPOE is not good for customers looking to stay online for a 
> long time, and DHCP is a good option.  But, to my understanding

That's funny, because many major ISPs (like telcos) have done this for years.

-j



Re: Upload config to juniper

2011-01-26 Thread John Adams
I do this with pexpect for blacklist updating. It works amazingly well.

One thing to remember when communicating with the JunOS device is that
if you fail to disable the CLI controls, communicating with the device
is very difficult.

I do something like:

  import pexpect

  # spawn(command, args, timeout): the trailing 2 is the timeout in seconds
  child = pexpect.spawn('ssh',
                        ['-p', '22', '-o', 'StrictHostKeyChecking=no',
                         'router ip address goes here'], 2)
  child.expect('>')   # wait for the JunOS operational-mode prompt

  # Disable paging and line wrapping before anything else, or every
  # later command's output stalls on "---(more)---" and wraps mid-line.
  child.sendline("set cli screen-length 0")
  child.expect('>')
  child.sendline("set cli screen-width 0")
  child.expect('>')

  < put your commands here to talk to the router >

-j


On Mon, Jan 24, 2011 at 5:39 AM, Florin Veres  wrote:
> Hey guys,
>
> Do any of you have any idea if it's possible to upload configuration from a
> script (prefix-list updates in this case) to a JunOS device (MX)?
> For Cisco devices I'm doing it using rcp.
>
> Thanks,
> Florin
>
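
A fuller version of the same approach, as an added example that is not the poster's script: validate the prefixes, replace the prefix-list in full, and commit only after "commit check" passes, with "commit confirmed" as a safety net against a change that cuts off the management session. The host, user name and prefix-list name are placeholders, and host-key checking is left on.

```python
"""Added example, not the poster's script: push a JunOS prefix-list update
with pexpect, committing only when 'commit check' is clean."""
import ipaddress
import re
from typing import List

# JunOS operational ('>') and configuration ('#') prompts end the line.
PROMPT = r"[>#] $"


def build_prefix_list(name: str, prefixes: List[str]) -> List[str]:
    """Validate every prefix and emit the replace-in-full form: delete the
    old list, then set each entry, so stale prefixes cannot linger."""
    cmds = [f"delete policy-options prefix-list {name}"]
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=True)   # ValueError on host bits set
        cmds.append(f"set policy-options prefix-list {name} {net.with_prefixlen}")
    return cmds


def commit_check_failed(output: str) -> bool:
    """JunOS reports problems on lines starting with 'error:'; a clean
    'commit check' prints 'configuration check succeeds'."""
    if re.search(r"^\s*error:", output, re.M):
        return True
    return "configuration check succeeds" not in output


def push_prefix_list(host: str, user: str, name: str, prefixes: List[str]) -> bool:
    """Return True if the change was committed, False if it was rolled back."""
    import pexpect   # imported here so the pure functions above run without it
    child = pexpect.spawn("ssh", ["-o", "StrictHostKeyChecking=yes", f"{user}@{host}"],
                          timeout=30, encoding="utf-8")
    child.expect(PROMPT)
    setup = ["set cli screen-length 0", "set cli screen-width 0", "configure private"]
    for cmd in setup + build_prefix_list(name, prefixes):
        child.sendline(cmd)
        child.expect(PROMPT)
    child.sendline("commit check")
    child.expect(PROMPT)
    if commit_check_failed(child.before):
        child.sendline("rollback 0")     # discard the candidate config
        child.expect(PROMPT)
        child.sendline("exit")
        return False
    # 'commit confirmed 5' rolls back on its own unless confirmed by a
    # plain 'commit' within five minutes, so a bad change cannot strand us.
    child.sendline("commit confirmed 5")
    child.expect(PROMPT)
    child.sendline("commit")
    child.expect(PROMPT)
    child.sendline("exit")
    return True
```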



Re: Specific Network Querying

2010-12-29 Thread John Adams
On Wed, Dec 29, 2010 at 6:01 AM, J. Oquendo  wrote:
>
> Good morning and happy holidays all. I'm in the process of creating an
> automated filtering application and would like to know if anyone can
> point me to the right place. I'd like to be able to query a
> site/db/etc., and pull out specific netblocks to create fw rules.
[...]
> But this just gives me entire blocks, not who is behind them. Is there
> any site I could use to query specifics? E.g., for a gov client: wget
> -qO - this.site.org | grep "\.gov" | parse_with_awk '{print "fw_rule"}'
>

Given the current IPv4 climate, this sounds like a terrible idea. The
landscape has changed dramatically from what it once was. Large
volumes of mobile carriers use NAT, many IPv6 to IPv4 gateways are out
there routing traffic, and we'll soon see a time in which entire
countries are transiting over small chunks of IPv4 space.  Never mind
the fact that applications on services like Google App Engine have a
different IP nearly every time they connect because of outbound proxy
pools.

I think you're going to have a very difficult time resolving an IP to
the appropriate owner. Coarse calculation of who might be in charge of
a block is possible but fine-grained discovery and classification of
an owner is a difficult task.

That being said, the tools that I'm using on a daily basis to figure
out who actually owns an IP block (or is sending traffic over it) are:

- Senderbase (Cisco)
- cymru whois (whois.cymru.com - good for fast bgp lookups and geo)
- http://multirbl.valli.org/dnsbl-lookup (multi-rbl lookup , good for
finding abusers and other issues)
- SmartViper (Website ownership) http://www.markosweb.com/

-John



Re: LOIC tool used in the "Anonymous" attacks

2010-12-11 Thread John Adams
It's hard to believe that it took eight people to run wireshark and
write this simplistic paper about LOIC. The analysis is weak at best
(it seems they only had a few days to study the problem), and never
analyzes the source code which has been widely available at
https://github.com/NewEraCracker/LOIC

A cursory analysis of HTTPFlooder.cs would give you all you need to
know to understand the attack and block the tool; if you find your
network attacked by this tool, you'll immediately discover a large
volume of HTTP requests with no User-Agent or Accept: headers. Drop
those requests at the border.

You can also compile requests of that nature to analyze the size of
the swarm that is attacking you. In analysis, I've found this to be on
the order of 2000-3000 hosts. It's a decently sized ACL to place on
your ingress routers, but these attacks can be thwarted.

-j



On Sat, Dec 11, 2010 at 7:19 AM, Marshall Eubanks  
wrote:
> Interesting analysis of the 3 "LOIC" tool variants used in the "Anonymous" 
> Operation Payback attacks on Mastercard, Paypal, etc.
>
> http://www.simpleweb.org/reports/loic-report.pdf
>
> LOIC makes no attempt to hide the IP addresses of the attackers, making it 
> easy to trace them if they are using their own computers.
>
> Regards
> Marshall
>
>
>



Re: Mastercard problems

2010-12-09 Thread John Adams
Uh, no.

Source code from LOIC:

byte[] buf;
if (random == true)
{
    buf = System.Text.Encoding.ASCII.GetBytes(String.Format(
        "GET {0}{1} HTTP/1.1{2}Host: {3}{2}{2}{2}",
        Subsite, new Functions().RandomString(), Environment.NewLine, Host));
}
else
{
    buf = System.Text.Encoding.ASCII.GetBytes(String.Format(
        "GET {0} HTTP/1.1{1}Host: {2}{1}{1}{1}",
        Subsite, Environment.NewLine, Host));
}

On Thu, Dec 9, 2010 at 12:49 AM, William Pitcock
 wrote:
> On Thu, 2010-12-09 at 18:34 +1100, Ben McGinnes wrote:
>> On 9/12/10 8:04 AM, Christopher Morrow wrote:
>> > On Wed, Dec 8, 2010 at 3:06 PM, Philip Dorr  wrote:
>> >> The problem is that they were also slashdotted.  The logs would also have 
>> >> a
>> >> large number of unrelated.
>> >
>> > pro-tip: the tool has a pretty easy to spot signature.
>>
>> What is that signature?
>>
>
> The tool makes HTTP/1.0 requests, most browsers make HTTP/1.1 requests.
>
> William
>
>
>
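
The detection described in the LOIC thread above and the request format quoted in this one, as one added example that is not from either message: flag requests carrying no User-Agent and no Accept header, keyed on the headers rather than the HTTP version, and count distinct sources so the swarm can be sized before an ACL is written. The request samples are constructed to match the shape the quoted source produces; they are not captured traffic.

```python
"""Added example (not from the thread): classify raw HTTP requests by the
missing-header signature and count flagged sources."""
from collections import Counter
from typing import Dict, List, Tuple


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Return (method, target, version, headers) from a raw request.
    Header names are lower-cased; a malformed request line raises ValueError."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"bad request line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers


def is_headerless_flood(raw: bytes) -> bool:
    """The signature from the thread: neither User-Agent nor Accept present.
    The version is ignored on purpose; the quoted source sends HTTP/1.1."""
    try:
        _, _, _, headers = parse_request(raw)
    except ValueError:
        return True   # not even a valid request line
    return "user-agent" not in headers and "accept" not in headers


def swarm_size(samples: List[Tuple[str, bytes]], min_hits: int = 1) -> Counter:
    """Flagged requests per source IP, keeping sources with at least
    min_hits; the keys are the candidates for a border ACL."""
    hits: Counter = Counter(ip for ip, raw in samples if is_headerless_flood(raw))
    return Counter({ip: n for ip, n in hits.items() if n >= min_hits})


# Constructed samples using RFC 5737 documentation addresses, not captured data.
# The first three have the shape of the quoted HTTPFlooder.cs request.
SAMPLES: List[Tuple[str, bytes]] = [
    ("203.0.113.10", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n\r\n"),
    ("203.0.113.10", b"GET /kXq9 HTTP/1.1\r\nHost: www.example.com\r\n\r\n\r\n"),
    ("203.0.113.11", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n\r\n"),
    ("198.51.100.5", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                     b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n"),
    ("198.51.100.6", b"GET /feed HTTP/1.0\r\nHost: www.example.com\r\n"
                     b"User-Agent: curl/7.0\r\n\r\n"),
]

if __name__ == "__main__":
    for ip, n in swarm_size(SAMPLES).most_common():
        print(ip, n)
```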



Looking for security/abuse contact at EGIHosting

2010-12-06 Thread John Adams
Contact me off list please.

Thanks,

-john



Re: Network Operators Unite Against SORBS

2010-10-12 Thread John Adams
Really the best thing to do is to just leave SORBS alone.

The more idiotic bans they put into place with demands for "$50 per IP
per incident", the less trustworthy of an RBL they become.

Most large network operations will end up ignoring them, or if they do
use the data from their RBL, they will take it at a far lower metric
in their overall anti-spam equation.

-j

On Tue, Oct 12, 2010 at 9:57 AM, Bret Clark  wrote:
> On 10/12/2010 12:46 PM, Patrick W. Gilmore wrote:
>>
>> I kinda-sortta feel like many others who have posted here.  This is a mail
>> thing, not netops.  Grow a pair and post under your own name.  Is it even
>> on-topic for NANOG?  Etc.
>>
>> I even started typing a message to the effect of: "even though I don't
>> like SORBS, they should be allowed to publish a list and let others do as
>> they please".  But then I realized, that is all this anonymous person is
>> asking.  Or at least it could be.
>>
>> If "iHate SORBS" wants to create a (another?) list of prefixes which
>> should not be routed, and put SORBS on it, he (she?) should be allowed, just
>> as SORBS should be allowed to have a list of mail servers SORBS doesn't
>> like.  Then each operator can decide whether to implement a block based on
>> the list or not.  Your network, your decision.
>>
>> Of course, I fully expect no one to implement the block.  But that is no
>> reason to deny the ability to create the list.
>>
>> Now, I feel like quoting Pastor Niemöller so we can end this thread. :)
>>
>>
>
> Not to mention it's bad enough with congress trying to pass laws to make us
> network operators police the Internet, I don't need to police SORBS on top
> of it!
> Bret
>
>



Re: do you use SPF TXT RRs? (RFC4408)

2010-10-04 Thread John Adams
We've seen percentage gains when signing with DK, and we carefully
monitor our mail acceptance percentages with ReturnPath. It's around
4-6%. I'd like to stop using it, but some people still check DK.

-j


On Mon, Oct 4, 2010 at 10:02 AM, Michael Thomas  wrote:
> On 10/04/2010 09:54 AM, John Adams wrote:
>>
>> Without proper SPF records your mail stands little chance of making it
>> through some of the larger providers, like gmail, if you are sending
>> in any high volume. You should be using SPF, DK, and DKIM signing.
>
> There should really be no reason to sign with DK too. It's historic.
>
>> I don't really understand how your security company related SPF to DoS
>> though. They're unrelated, with the exception of backscatter.
>
> Me either.
>
> Mike
>
>>
>> -j
>>
>>
>> On Mon, Oct 4, 2010 at 9:47 AM, Greg Whynott
>>  wrote:
>>>
>>> A partner had a security audit done on their site.  The report said they
>>> were at risk of a DoS due to the fact they didn't have a SPF record.
>>>
>>> I commented to his team that the SPF idea has yet to see anything near
>>> mass deployment and of the millions of emails leaving our environment
>>> yearly,  I doubt any of them have ever been dropped due to us not having an
>>> SPF record in our DNS.  When a client's email doesn't arrive somewhere,  we
>>> will hear about it quickly,  and it's investigated/reported upon.      I'm
>>> not opposed to putting one in our DNS,  and probably will now - for
>>> completeness/best practice sake..
>>>
>>>
>>> how many of you are using SPF records?  Do you have an opinion on their
>>> use/non use of?
>>>
>>> take care,
>>> greg
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>
>



Re: do you use SPF TXT RRs? (RFC4408)

2010-10-04 Thread John Adams
Without proper SPF records your mail stands little chance of making it
through some of the larger providers, like gmail, if you are sending
in any high volume. You should be using SPF, DK, and DKIM signing.

I don't really understand how your security company related SPF to DoS
though. They're unrelated, with the exception of backscatter.

-j


On Mon, Oct 4, 2010 at 9:47 AM, Greg Whynott  wrote:
>
> A partner had a security audit done on their site.  The report said they were 
> at risk of a DoS due to the fact they didn't have an SPF record.
>
> I commented to his team that the SPF idea has yet to see anything near mass 
> deployment and of the millions of emails leaving our environment yearly,  I 
> doubt any of them have ever been dropped due to us not having an SPF record 
> in our DNS.  When a client's email doesn't arrive somewhere,  we will hear 
> about it quickly,  and it's investigated/reported upon.      I'm not opposed 
> to putting one in our DNS,  and probably will now - for completeness/best 
> practice sake..
>
>
> how many of you are using SPF records?  Do you have an opinion on their 
> use/non use of?
>
> take care,
> greg
>
>
>
>
>
>
>



Re: Intermittent Google issues in Austin area

2010-03-17 Thread John Adams
No problems getting to google from here, but SxSW is under way and  
there will be lots of traffic from the 15,000+ attendees.


-j
(in the midst of sxsw, on 6th St, Austin)

Sent from my iPhone

On Mar 17, 2010, at 14:29, Alex Thurlow  wrote:

Anyone else having intermittent issues connecting to google servers  
from the Austin area? I first noticed google.com/jsapi loading  
slowly to slow down my website from loading, and I've since seen  
other sites loading from their ajaxapis and even www.google.com's  
search results taking upwards of 30 seconds to load.  Many times it  
loads fine, and then it won't.  I couldn't find a place to submit  
this to them, so I thought I'd check with you guys.


   -Alex






Re: 4.1 earthquake in SF Bay region (was Re: he.net down/slow?)

2010-01-07 Thread John Adams

I'm in downtown SF and felt nothing.

-j

On Jan 7, 2010, at 11:18 AM, Matthew Kaufman wrote:


Mike Lyon wrote:

I think the he.net problems occurred before the quake...
-Mike

They did. I was looking at what it looked like from here when the  
building started swaying.


Matthew Kaufman



---
John Adams (@netik)
Retina Communications
j...@retina.net
http://www.retina.net/tech
this email is: [  ] bloggable   [ x ] ask first   [   ] confidential




Re: Password repository

2009-11-19 Thread John Adams

I'm a big fan of 1password, but I'm on mac and iPhone.

Sent from my iPhone

On Nov 19, 2009, at 23:36, Pierre-Yves Maunier   
wrote:



Jay Nakamura wrote:

Quick question, does anyone have software/combination of tools they
recommend on centrally store various passwords securely?

Thanks.



I use open-source, multi-platform software:

Keepass password file in a truecrypt container, and it works like  
heaven, and securely.


Keepass for Windows : http://www.keepass.info/
Keepass for Linux/Mac OS : http://www.keepassx.org/

Truecrypt (all platforms) : http://www.truecrypt.org/


Pierre-Yves Maunier