Re: User Unknown (WAS: really amazon?)

2019-08-05 Thread Scott Christopher
Rubens Kuhl wrote: 

> I don't think that "companies with tons of lawyers" should be a factor in 
> making resource allocation policies. But considering either small or big 
> networks, an escalation path would reduce friction and increase overall 
> compliance... for instance, failure to have functioning abuse PoC could lead 
> first to being ineligible to receive new resources. 

It's not about $BIGCORP having lots of corporate lawyers imposing its will on 
the small guys - it's about Amazon's role as a public utility, upon which many 
many many important things depend.

S.C.


Re: User Unknown (WAS: really amazon?)

2019-08-04 Thread Scott Christopher
John Curran wrote: 

...

> As I have noted previously, I have zero doubt in the enforceability of the 
> ARIN registration services agreements in this regard – so please carefully 
> consider proposed policy both from the overall community benefit being 
> sought, and from the implications faced as a number resource holder having to 
> comply oneself with the new obligations. 

I completely agree that ARIN can revoke an organization's resources. Nobody has 
ever doubted that.

What I have been saying is that if ARIN revoked Amazon's resources because of a 
trivial matter of bounced Abuse PoC, even if the small "community" of network 
operators and other interested parties passed a rule supporting this, the 
backlash would be *enormous* and lead to media attention, litigation, police, 
investigation by U.S. Congress, etc. 

The interests of the public affected by a global Amazon/AWS outage would 
greatly outweigh the rights of this small "community" which would ultimately be 
stripped away, I'd think.

This is moot, of course, because ARIN would give ample notices and time to 
Amazon and they would dutifully comply. But the original poster to which I 
replied invited us to imagine such a situation.


S.C.


Re: really amazon?

2019-07-31 Thread Scott Christopher
Rich Kulawiec wrote: 

> On Wed, Jul 31, 2019 at 11:13:48PM +0300, Scott Christopher wrote:
> > Because it will get spammed if publicly listed in WHOIS.
> 
> Yes.  It will.  Are you telling us that Amazon, with its enormous financial
> and personnel resources, doesn't have ANYBODY on staff who knows how to
> properly manage an abuse@ address -- part of which includes dealing
> with that exact problem?

They do, but it's just time-consuming and inefficient. You can't spam-filter 
the content of abuse@ obviously.

But in addition to spam, random (read: non-technical) people will send 
complaints outside of the usual purview of spam, network abuse, DMCA, etc. They 
find some FAQ on the web telling them to determine the PoC on 
whois.domaintools.com and then they start firing crap.

I prefer openness and transparency and the general spirit of WHOIS but, in 
practice, you really do need to limit the PoC information to a trusted group 
of insiders.

-- 
S.C.


Re: User Unknown (WAS: really amazon?)

2019-07-31 Thread Scott Christopher
Sandra Murphy wrote: 

> Scott, you might want to read “Policy Development Process (PDP)” 
> https://www.arin.net/participate/policy/pdp/ in order to discover just 
> exactly what John means by “If the community developed a policy”. 
> 
> You might also want to join the Public Policy Mailing List, 
> arin-p...@arin.net, to discuss.  Scintillating discourse, I assure you.

Yes - I am aware of how ARIN functions, its mandate, its governance, etc.

What I have been saying is that, if ARIN did something so brazen as to revoke 
Amazon's resources because of some bounced PoC emails, the impact would be 
*dramatic* and likely lead to the end of ARIN. Just think about this for a 
minute. :) Obviously this will not happen because ARIN is so righteously 
competent. :)

I wasn't criticizing ARIN (or anybody) I was just answering a hypothetical.

-- 
S.C.


Re: really amazon?

2019-07-31 Thread Scott Christopher
Valdis Klētnieks wrote: 

> On Wed, 31 Jul 2019 16:36:08 -, Richard Williams via NANOG said:
> 
> >  To contact AWS SES about spam or abuse the correct email address is 
> > ab...@amazonaws.com
> 
> You know that, and I know that, but why doesn't the person at AWS whose job it
> is to keep the ARIN info correct and up to date know that?

Because it will get spammed if publicly listed in WHOIS.

-- 
S.C.


Re: User Unknown (WAS: really amazon?)

2019-07-31 Thread Scott Christopher
John Curran wrote: 

> Scott - 
> 
> Alas, you have a fundamental misunderstanding about the nature of ARIN… we 
> don’t do anything other than implement policies that this community wants. If 
> the community developed a policy to require Abuse POC’s validation, and said 
> policy made clear that failure to do so was to result in revocation, then 
> ARIN would indeed implement the policy (and that includes revocation for 
> those who ignored the policy.) 

Hello John - you are absolutely right. Since the community has shown 
overwhelming disapproval of Amazon's invalid abuse POC, please go ahead and 
revoke Amazon's resources.

Maybe do this late Friday afternoon for the courtesy toward Amazon's support 
staff ?

And since this will certainly be historic, please post an announcement to 
nanog-list ?

Thanks, and Good luck !

S.C.

Re: User Unknown (WAS: really amazon?)

2019-07-30 Thread Scott Christopher
Christoffer Hansen wrote: 

> On 30/07/2019 11:59, Chris Knipe wrote:
>
> > Then update your ARIN records to reflect that.  Fully agree with Dan on
> > this one.
> > 
> 
> Imagine ARIN did a take from RIPE NCC [Policy Proposal Idea?] and a
> policy came into effect of validating ALL 'OrgAbuseEmail' objects listed
> in the ARIN database. And revoked the resources from those that failed
> to respond after multiple attempts.

Then imagine the media attention, public outcry, corporate lawyers from Amazon, 
the pressure from Congress, and an ARIN that would no longer function as an 
independent body anymore. . .

-- 
S.C.


Re: really amazon?

2019-07-30 Thread Scott Christopher
Dan Hollis wrote: 

> >>> RCPT To:
> <<< 550 #5.1.0 Address rejected.
> 550 5.1.1 ... User unknown
> >>> DATA
> <<< 503 #5.5.1 RCPT first

Try j...@amazon.com

-- 
S.C.


Re: Postmaster@

2019-06-15 Thread Scott Christopher
Gary E. Miller wrote: 

> Is it no longer required to monitor the postmaster@ ?
> 
> Did RFC 822 and RFC 5321 get repealed?  Or is M$ more special than the
> rest of us?

Not just M$ but Cloudflare too: https://www.cloudflare.com/abuse

Worse is that you might need to complete a CAPTCHA just to get to that page, 
/me barfs

-- 
S.C.


Re: Spamming of NANOG list members

2019-06-01 Thread Scott Christopher
M. Omer GOLGELI wrote: 

> There are also variants of it with subjects like
> 
> " Ref Id: %VARIABLE% "
> and
> "%Domain.tld% Ref Id: %VARIABLE% "
> 
> 
> 
> And as Bryan said, we are increasingly getting more and more as well.

I wonder if this crap corresponds positively with the price of Bitcoin. 

-- S.C.


Re: PSA: change your fedex.com account logins

2019-05-31 Thread Scott Christopher
Dan Hollis wrote: 

> Phishing scheme didn't happen.
> 
> fedex has had a number of major compromises so it's not a stretch that 
> their user database was stolen and sold to spammers.

The other possibility is that your one-off email scheme is predictable, and 
someone knows you use FedEx, and that someone is targeting specifically you, 
and this obvious phishing email is a red herring for the exploit you didn't see.

Be concerned.

-- S.C.

Re: Spamming of NANOG list members

2019-05-24 Thread Scott Christopher
Rich Kulawiec wrote: 

> On Fri, May 24, 2019 at 08:17:31AM -0700, Brian Kantor wrote:
> > Anne, the way that such addresses are often harvested is that one of
> > the spammers (or his agent) becomes a member of the list and simply
> > records the addresses of persons posting to the list.  They then
> > get spammed.
> 
> I rather suspect that's exactly what's happening here.  I've gotten three,
> but a colleague who is subscribed but has never posted has gotten zero,
> despite sharing the same email infrastructure and thus precisely the
> same configuration.

Not even that - google your email address inside " " and see where it can be 
harvested.

-- 
S.C.


Re: Spamming of NANOG list members

2019-05-24 Thread Scott Christopher
Anne P. Mitchell, Esq. wrote: 

> Question:  Is the member list with email addresses public??  Otherwise, 
> one has to wonder how they got these addresses?

https://marc.info/?l=nanog=1=2 and https://lists.gt.net/nanog/ mangle email 
addresses in the headers but do nothing about email addresses that are quoted / 
attributed in the body.

-- 
S.C.


Re: Contact for BART

2019-01-21 Thread Scott Christopher
Owen DeLong wrote:

> I’m quite aware of this. If you’ll note, the thing I was replying to
> said he was ALSO looking for a good contact within CALDOT.

My bad - I didn't read this thread thoroughly.

But my email client is at fault too... it hid all the quoted text under
a button "Show quoted text" because you top-posted, so I didn't see any
context. I'm filing a bug report.
/me ducks and taps out

S.C.



Re: Contact for BART

2019-01-20 Thread Scott Christopher
No :)

BART is Bay Area Rapid Transit, a public transportation system with its
own bureaucracy and publicly elected board.
Caltrans is a separate State bureaucracy, though it has a big office in
the city of Oakland near BART Headquarters.
And then there is Caltrain which is the commuter rail that runs down the
peninsula. That organization has its own bureaucracy and board, too.
Lesson to be learned: don't use obscure acronyms unknown outside a small
geographical region :)

Owen DeLong wrote:

> You’ll have more luck finding California Dept. of Transportation if
> you call them “CalTrans” which is what they call themselves.
> 
> Owen
> 
> 
>> On Jan 18, 2019, at 17:27 , Ben Cannon  wrote:
>> 
>> HAH. Apologies for copying the list.  But I think we all needed a
>> good Friday laugh.
>> 
>> Making it relevant again, also looking for a good contact within
>> CALDOT (California Dept of Transportation) and the joint bridge
>> authority for the Bay Bridge in San Francisco.
>> 
>> Have a good weekend all :)
>> 
>> -Ben Cannon
>> 
>>> On Jan 18, 2019, at 5:25 PM, William Herrin  wrote:
>>> 
>>> On Fri, Jan 18, 2019 at 5:18 PM Ben Cannon  wrote:
>>> > I’m speaking of the san francisco based Bay Area Rapid Transit
>>> > department about Rights Of Way for fiber…
>>> 
>>> Now you've said enough that if the person you're looking for is here
>>> he'll have some idea you mean him.
>>> 
>>> 
>>> > What are you talking about?
>>> 
>>> Inappropriate abbreviation. I mean sure, why not a NANOG Friday
>>> Fight Club, but why would you want to get in a ROW (noisy argument)
>>> with BART Simpson?
>>> 
>>> Regards,
>>> Bill Herrin
>>> 
>>> -- 
>>> William Herrin  her...@dirtside.com  b...@herrin.us
>>> Dirtside Systems . Web: 

S.C.



Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-08 Thread Scott Christopher
Mark Tinka wrote: 

> I hope the U.S. does catch-up. If we were swipe-based here, we'd all be
> broke :-). I know a number of major merchants in the U.S. now use PIN's,
> and I always stick to those when I travel there.

In the U.S., PIN codes are required for EFTPOS transactions (called debit) over 
interbank networks like Pulse, STAR, etc.

Swipe-and-sign (and now just swipe for small amounts) is for Visa, Mastercard, 
Discover transactions (called credit).

Skimming and card fraud is actually uncommon in the U.S. these days, and the 
police are very effective at combating it. It's just cheaper for the industry 
to eat fraud losses than to "upgrade" systems. The transition to chip-based 
cards was a debacle.

-- 
S.C.


Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-10-11 Thread Scott Christopher
Robert Kisteleki wrote: 

> (this is probably OT now...)
> 
> > I'm pretty sure the "entire point" of inventing CVV was to prove you
> > physically have the card.
> 
> Except that it doesn't serve that purpose. Anyone who ever had your card
> in their hands (e.g. waiters) can just write that down and use it later
> hence defeating the purpose of "physically having the card". 

But waiters don't know your ZIP code which is the other thing needed for online 
verification (in the U.S.)

3D Secure is good enough. It will probably be mandatory for payment processors 
sometime in the future. In the meantime, it just costs the industry less to 
cover fraud losses.

-- 
S.C.


Re: Massive Price Increase for X-conns at Telehouse Chelsea, NYC

2018-09-19 Thread Scott Christopher
Christopher Morrow wrote:

> Whether it actually 'costs' that much to pull a x-connect and maintain
> that x-connect is probably not as important as 'gosh it's really hard
> to be 'close' to  ' right? which is what they are
> capitalizing on here.
> 
> Hank, how far away is the next closest large network metro ? Riyadh?
> Rome? Sofia?... I mean, it's all 'far' from 'Israel' (or really any
> part of the world)  to the next decent network POP :(

I'm not sure if Israelis can buy anything from Riyadh, though. It's
usually the case that Israelis and their neighbors can't do business
with each other, either because of their neighbor's laws or Israel's
laws, or both.
So your Tel Aviv data center has a much smaller market and can't benefit
from economies of scale like more developed markets such as United
States and western Europe which sell globally.
I agree that capitalism lets you charge whatever you can get but healthy
capitalism gives you competition. The *big* question: If prices are so
high in Israel, why don't competitors enter this market when it's 1)
pretty much commodity and 2) booming globally?
--S.C.


Re: Massive Price Increase for X-conns at Telehouse Chelsea, NYC

2018-09-18 Thread Scott Christopher
Hank Nussbacher wrote:

> On 18/09/2018 08:02, Christopher Morrow wrote: 
>> 
>> it's funny/possible that x-connect costs affect where peering appears
>> in the landscape, right?
> 
> Not this time.  Just price gouging since moving a number of cabinets
> to a different location is a nightmare.

Sure - but at least they have competitors.

Look at prices from telecoms like China's CN1. Would you rather have
prices set by  government-controlled monopolies, or by private
competition?
--S.C.


Re: IPv4 Hijacking For Idiots

2018-02-01 Thread Scott Christopher
Scott Weeks wrote: 

> --- s...@xopher.net wrote:
> From: Scott Christopher <s...@xopher.net>
> 
> I think the solution is legislation + regulations.
> -
> 
> For sure dude, because, you know, they do such a 
> great job of all the other stuff they touch!
> 
> scott
> 
> ps. NOT!

I don't want to rain on all these sunny libertarian feelingz you have
bottled up - but the reason we have an Internet where small companies
can compete with big companies on equal footing is because of "net
neutrality" and the regulations that make that. This is why today we are
all using something better than AltaVista and faster than 56k dial-up.

Right now there is a cartel of providers that have no incentive to
secure BGP. Please explain how the free market fixes this on its own.

-- 
Regards,
  S.C.


Re: IPv4 Hijacking For Idiots

2017-06-07 Thread Scott Christopher
Mark Andrews wrote: 

> but we do have the tech to do this.

I wholeheartedly agree.

> All it takes is a couple of transit providers to no longer accept 
> word-of-mouth and
> the world will transition overnight.

This is the hard part. 

It seems trivial - being probably only a handful of transit providers -
but then again, these providers have massive infrastructure spread
globally, often ancient legacy systems that still work, and management
has a legal responsibility in most places to maximize the profits of
their shareholders.

Look at the rollout of EMV in the U.S.: the world "has done had that
tech to do that" for decades (in Europe) but it only arrived in the U.S.
two years ago. And the U.S. doesn't do the (more secure) chip-and-pin
like the rest of the world (that costs too much money according to the
banks) but rather chip-and-signature. 

Whereas U.S. banks are (sometimes) liable for fraud on their systems,
transit providers don't have any liability for anything in the U.S. And
they are actively fighting for their right to transit some packets
faster than others - for an additional fee, of course!

I think the solution is legislation + regulations.

-- 
Regards,
  S.C.


Re: IPv4 Hijacking For Idiots

2017-06-06 Thread Scott Christopher
Hank Nussbacher wrote: 

> 2.  Create a domain called acme-corp.com and a user called peering

Or one could register aсme.com

(If the reader can't tell the difference between acme.com and aсme.com ,
the reader is using one of the multitude of email clients and/or fonts
that presents Unicode poorly.)

> 3.  Contact an IX, preferably not one in a Westernized, clueful area:
> https://en.wikipedia.org/wiki/List_of_Internet_exchange_points

I don't think the ordinary Westernized IX is immune to this. Any system
requiring human scrutiny is only as secure as the laziest human employed
by it. Don't underestimate the "too busy to check this crap"
attitude and its potential for serious problems.

-- 
Regards,
  S.C.
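The homograph trick in the post above (a Cyrillic "es" standing in for the Latin "c" in aсme.com) is exactly what a registry, IX or peering desk can screen for mechanically. The following is an added example, not code from the post or from any IX; its confusables table is a constructed subset of the Unicode TR39 list, and the `trusted_domains` list is an assumed allow-list of names the checker already knows.

```python
"""Flag IDN homograph look-alikes in domain names (added example)."""
import unicodedata

# Constructed subset of the Unicode TR39 confusables: Cyrillic letters whose
# glyphs are visually identical to Latin ones in most fonts.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}


def script_of(ch):
    """Rough script name taken from the first word of the Unicode name."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def label_scripts(label):
    """Set of scripts used by the letters (category L*) in one DNS label."""
    return {script_of(c) for c in label if unicodedata.category(c).startswith("L")}


def skeleton(label):
    """Fold confusable characters to their Latin look-alikes."""
    folded = unicodedata.normalize("NFKC", label.lower())
    return "".join(CYRILLIC_TO_LATIN.get(c, c) for c in folded)


def assess_domain(domain, trusted_domains):
    """Return the A-label form, any mixed-script labels, and the trusted
    domain (if any) that this name visually impersonates."""
    labels = domain.rstrip(".").lower().split(".")
    findings = {
        "a_label": domain.encode("idna").decode("ascii"),   # xn-- form
        "non_ascii": not domain.isascii(),
        "mixed_script_labels": [l for l in labels if len(label_scripts(l)) > 1],
        "lookalike_of": None,
    }
    folded = ".".join(skeleton(l) for l in labels)
    for trusted in trusted_domains:
        if folded == trusted.lower() and domain.lower() != trusted.lower():
            findings["lookalike_of"] = trusted
            break
    return findings


def suspicious(domain, trusted_domains):
    """True when a label mixes scripts or the name impersonates a trusted one."""
    f = assess_domain(domain, trusted_domains)
    return bool(f["mixed_script_labels"] or f["lookalike_of"])


if __name__ == "__main__":
    trusted = ["acme.com"]                      # assumed allow-list
    for d in ["acme.com", "a\u0441me.com"]:     # second one has Cyrillic es
        print(d, assess_domain(d, trusted))
```

The A-label (xn-- form) is what actually goes into DNS and email headers, so logging it next to the display form makes the substitution visible even in clients that render the two names identically.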


Re: Russian diplomats lingering near fiber optic cables

2017-06-01 Thread Scott Christopher
Sean Donelan wrote: 

> But, it's odd to send diplomats to remote areas of the country, if you are 
> not trying to survey geographic infrastructure in the middle of the 
> country.

It's just "for show."

If they really wanted to be invisible, they could do so without using
diplomats - a group that is always assumed to be under location
surveillance. 

-- 
Regards,
  S.C.


Re: Lille, France

2017-06-01 Thread Scott Christopher
Rod Beck wrote: 

> Altice is in the States and going public soon. They have been producing
> superior financial results. Appears to know how to run these cable
> networks better than the standard American management.

They don't actually lay any cable though, nor do they build their own
network. They have been acquiring other telecoms at a brisk pace for 15
years as the industry consolidates. (They are debt heavy, especially for
a European company, and this upcoming IPO is a 20% sale to grab more
capital, riding the wave of recent market bullishness for U.S.
telecoms.)

Not sure if any of us network engineers will like them in 2 - 4 years -
but you're a business consultant seeing this from a different
perspective. ;)

-- 
Regards,
  S.C.


Cogent BGP Hijack

2017-05-23 Thread Scott Christopher
https://www.lowendtalk.com/discussion/114865/hetzner-and-other-traffic-passing-cogent-rerouted-over-moscow#latest

A report that all Cogent traffic got re-routed into Moscow. Looks
innocent but happened right after UA blocked RU websites (e.g.,
VKontakte, Yandex, etc)

Any thoughts ?

-- 
Regards,
  S.C.


Re: Financial services BGP hijack last week?

2017-05-02 Thread Scott Christopher
On Mon, May 1, 2017, at 10:49 PM, valdis.kletni...@vt.edu wrote:

> I didn't see any mention of this here.  Any comments?
> 
> [...]
> 
> https://arstechnica.com/security/2017/04/russian-controlled-telecom-hijacks-financial-services-internet-traffic/

Governments mopping up signals and data isn't a new concept, and
certainly not unique to the Russian Federation.

Personally I'm more concerned about important people giving up passwords
so easily to spear phishers. . .

-- 
 Regards,
  S