Bell Labs or Microsoft security?

2003-01-29 Thread Sean Donelan
On Tue, 28 Jan 2003, Steven M. Bellovin wrote: > They do have a lousy track record. I'm convinced, though, that > they're sincere about wanting to improve, and they're really trying > very hard. In fact, I hope that some other vendors follow their > lead. Of course we need to be honest with our

Re: Bell Labs or Microsoft security?

2003-01-29 Thread Richard A Steenbergen
On Wed, Jan 29, 2003 at 03:32:41AM -0500, Sean Donelan wrote: > > FORTRAN/COBOL array bounds checking. Bell Labs answer: C. Who wants > the computer to check array lengths or pointers. Programmers know what > they are doing, and don't need to be "constrained" by the programming > language. Ever

Re: What could have been done differently?

2003-01-29 Thread Michael . Dillon
> His main thesis was basically that every > OS in common use today, from Windows to UNIX variants, has a fundamental > flaw in the way privileges and permissions are handled - the concept of > superuser/administrator. He argued instead that OSes should be redesigned to > implement the principle

Arbor Networks

2003-01-29 Thread c johnson
Has anyone had experiences with Arbor Networks Peakflow DOS and Traffic products? If so could you share your experiences, whitepapers, evaluations, etc. off list? I am interested in the generalized view of the effectiveness of the product as well as any enhancement requests that operators may

Mono Culture - was Re: Bell Labs or Microsoft security?

2003-01-29 Thread Joseph T. Klein
On Wednesday, January 29, 2003, at 02:32 AM, Sean Donelan wrote: On Tue, 28 Jan 2003, Steven M. Bellovin wrote: They do have a lousy track record. I'm convinced, though, that they're sincere about wanting to improve, and they're really trying very hard. In fact, I hope that some other vendo

Re: Bell Labs or Microsoft security?

2003-01-29 Thread Marshall Eubanks
A world before buffer overflow exploits ? The first (Fortran) programming course I ever took at MIT on the first day of lab they said 1.) If you set an array index to a sufficiently large negative number you would overwrite the operating system and crash the system (requiring a reboot from

Re: Mono Culture - was Re: Bell Labs or Microsoft security?

2003-01-29 Thread Peter Salus
Though it was written nearly two years ago, John Quarterman's "Monoculture Considered Harmful" remains the very best exposition of this issue. //www.firstmonday.org/issues/issue7_2/quarterman/ Peter

Re: Bell Labs or Microsoft security?

2003-01-29 Thread Alif The Terrible
On Wed, 29 Jan 2003, Richard A Steenbergen wrote: > On Wed, Jan 29, 2003 at 03:32:41AM -0500, Sean Donelan wrote: > > > > FORTRAN/COBOL array bounds checking. Bell Labs answer: C. Who wants > > the computer to check array lengths or pointers. Programmers know what > > they are doing, and don'

Re: Aggregate traffic management

2003-01-29 Thread Mike Lloyd
Hopefully I can stay within the bounds of NANOG's traditions against marketing material if I limit myself to thanking Kyle for his comments, and encourage anyone attending NANOG 27 who would like more info on automated control of routing for load objectives to come find me at the meeting. Mik

Re: Bell Labs or Microsoft security?

2003-01-29 Thread Leo Bicknell
In a message written on Wed, Jan 29, 2003 at 03:32:41AM -0500, Sean Donelan wrote: > Multics security. Bell Labs answer: Unix. Who needs all that "extra" > security junk in Multics. We don't need to protect /etc/passwd because > we use DES crypt and users always choose strong passwords. We'll mak

RE: Banc of America Article

2003-01-29 Thread Al Rowland
Or, IIRC, the ATM system is similar to CC transactions. A best effort is made to authorize against your account (Credit Card or Banking) but if it fails and the transaction is within a normal range (your daily card limit) the CC/ATM completes the transaction. I'd be willing to bet the failure rat

RE: Dropouts since Saturday 1/25/03 only affecting web traffic?

2003-01-29 Thread Al Rowland
A single point of consumer data. I haven't checked my home router logs since Monday night but I was seeing a pattern of significant incoming port 80 traffic (I'm not running any services) over the last week or so, similar to increased 1433/1434 traffic before Saturday's flurry. Best regards,

Re: Bell Labs or Microsoft security?

2003-01-29 Thread Richard A Steenbergen
On Wed, Jan 29, 2003 at 08:50:56AM -0500, Marshall Eubanks wrote: > > A world before buffer overflow exploits ? > > The first (Fortran) programming course I ever took at MIT on the first > day of lab they said > > 1.) If you set an array index to a sufficiently large negative number > you w

RE: Dropouts since Saturday 1/25/03 only affecting web traffic?

2003-01-29 Thread Todd A. Blank
I am seeing this as well, but only from a few hosts on a single network. I have contacted their NOC and asked them to "knock" it off - no pun intended... Could be some nimda infected boxes or whatever. Firewalls are stopping it, but it is annoying to wade through the logs. Todd -Original M

RE: Dropouts since Saturday 1/25/03 only affecting web traffic?

2003-01-29 Thread Jim Popovitch
One thing that I see remaining since this past weekend is massive timeouts and latencies in mail delivery to very popular addresses (@hotmail, @rr.com, and @earthlink) @att.net seems to be accepting email without any major issues, hopefully all these issues will continue to slowly return to norma

RE: Aggregate traffic management

2003-01-29 Thread Todd A. Blank
We are a RouteScience customer. We are using this box and it rules. We have been extremely happy with the results. We have multiple OC-x circuits that we are engineering traffic over, and this box gives us the ability to "see" things that we could not see before. It also really allows us to di

Re: What could have been done differently?

2003-01-29 Thread Iljitsch van Beijnum
On Tue, 28 Jan 2003, Scott Francis wrote: > I'm still looking for a copy of the presentation, but I was able to find a > slightly older rant he wrote that contains many of the same points: > http://www.bsdatwork.com/reviews.php?op=showcontent&id=2 > Good reading, even if it's not very much pract

Re: Bell Labs or Microsoft security?

2003-01-29 Thread E.B. Dreger
RAS> Date: Wed, 29 Jan 2003 08:18:45 -0500 RAS> From: Richard A Steenbergen RAS> Possibly that bounds checking is an incredible cpu suck, If you check before each byte. Checking for sufficient space first ("is there room for a 245-byte string?") is much faster. Besides, looking at all the bloa

RE: Banc of America Article

2003-01-29 Thread E.B. Dreger
AR> Date: Wed, 29 Jan 2003 07:20:35 -0800 AR> From: Al Rowland AR> IIRC, the ATM system is similar to CC transactions. A best AR> effort is made to authorize against your account (Credit Card AR> or Banking) but if it fails and the transaction is within a AR> normal range (your daily card limit)

Re: Bell Labs or Microsoft security?

2003-01-29 Thread Richard A Steenbergen
On Wed, Jan 29, 2003 at 05:26:06PM +, E.B. Dreger wrote: > > If you check before each byte. Checking for sufficient space > first ("is there room for a 245-byte string?") is much faster. > Besides, looking at all the bloated code using indirect function > calls[*] and crappy code using poor

.org whois

2003-01-29 Thread alex
Is there a new top-level whois server or did shared registry whois stop providing references to the appropriate whois servers for .org? At least a pair of domain registrars cannot adjust any .org records claiming that the domains do not exist. Alex --

RE: Banc of America Article

2003-01-29 Thread alex
> IIRC, the ATM system is similar to CC transactions. A best effort is > made to authorize against your account (Credit Card or Banking) but if > it fails and the transaction is within a normal range (your daily card > limit) the CC/ATM completes the transaction. Too bad it is not the ca

Re: .org whois

2003-01-29 Thread Richard A Steenbergen
On Wed, Jan 29, 2003 at 12:40:00PM -0500, [EMAIL PROTECTED] wrote: > > Is there a new top-level whois server or did shared registry whois stop > providing references to the appropriate whois servers for .org? At least a > pair of domain registrars cannot adjust any .org records claiming that the >

Re: .org whois

2003-01-29 Thread Adam McKenna
On Wed, Jan 29, 2003 at 12:40:00PM -0500, [EMAIL PROTECTED] wrote: > > > Is there a new top-level whois server or did shared registry whois stop > providing references to the appropriate whois servers for .org? At least a > pair of domain registrars cannot adjust any .org records claiming that th

Re: Bell Labs or Microsoft security?

2003-01-29 Thread E.B. Dreger
RAS> Date: Wed, 29 Jan 2003 12:36:22 -0500 RAS> From: Richard A Steenbergen RAS> Note I'm making a distinction between fixing the string RAS> libraries to handle overflow situations better, and changing RAS> the entire OS to do array bounds checking. One is good, the RAS> other is not. Okay. I

Re: .org whois

2003-01-29 Thread E.B. Dreger
TY> Date: Wed, 29 Jan 2003 12:53:20 -0500 TY> From: Tim Yocum TY> One can only speculate why the whois servers have vanished, TY> however it should be noted that as of about an hour ago, all TY> sorts of odd whois output was being served - including TY> incorrect contact information for domains

Re: .org whois

2003-01-29 Thread E.B. Dreger
AM> Date: Wed, 29 Jan 2003 09:44:05 -0800 AM> From: Adam McKenna AM> The root servers aren't providing referrals to the gtld-servers for .org AM> anymore.. Instead they're referring to here: [ snip new .org glue RRs that point to nstld.com ] AM> Anyone know anything about this? I can't find

Re: .org whois

2003-01-29 Thread Rob Thomas
Hi, Adam. ] Anyone know anything about this? I can't find anything on ICANN's web site ] regarding a switch. I noticed it on 8 Jan, and adjusted my monitoring accordingly. http://www.cymru.com/DNS/gtlddns-o.html Thanks, Rob. -- Rob Thomas http://www.cymru.com ASSERT(coffee != empty);

RE: Banc of America Article

2003-01-29 Thread Daniel Senie
At 12:46 PM 1/29/2003, [EMAIL PROTECTED] wrote: > IIRC, the ATM system is similar to CC transactions. A best effort is > made to authorize against your account (Credit Card or Banking) but if > it fails and the transaction is within a normal range (your daily card > limit) the CC/ATM completes t

RE: Banc of America Article

2003-01-29 Thread Charles Sprickman
On Wed, 29 Jan 2003, Al Rowland wrote: > Or, > > IIRC, the ATM system is similar to CC transactions. A best effort is > made to authorize against your account (Credit Card or Banking) but if > it fails and the transaction is within a normal range (your daily card > limit) the CC/ATM completes the

Re: .org whois

2003-01-29 Thread Jeff Godin
On Wed, Jan 29, 2003 at 12:40:00PM -0500, [EMAIL PROTECTED] wrote: > > > Is there a new top-level whois server or did shared registry whois stop > providing references to the appropriate whois servers for .org? > Alex > -- Alex- The new whois server for the .ORG TLD can be found at whois.pub

OT: Banc of America Article

2003-01-29 Thread Al Rowland
I believe specific account data is not kept on the local machine. I may be wrong, not to mention the data strip on the card... Nothing new. Look at what happened to the Chicago Board of Trade a few years back. I wonder how WCOM reported the out-of-court settlement for that one their books. ;0 Th

Re: .org whois

2003-01-29 Thread Jared Mauch
On Wed, Jan 29, 2003 at 12:11:07PM -0600, Rob Thomas wrote: > ] Anyone know anything about this? I can't find anything on ICANN's web site > ] regarding a switch. > > I noticed it on 8 Jan, and adjusted my monitoring accordingly. > > http://www.cymru.com/DNS/gtlddns-o.html Jan 2, 2003

Re: .org whois

2003-01-29 Thread Joe Abley
On Wednesday, Jan 29, 2003, at 12:53 Canada/Eastern, Tim Yocum wrote: on the 31st of December, 02, VeriSign was no longer the registry operator for .org. The new registrar is called "Public Interest Registry" One can only speculate why the whois servers have vanished, whois.crsnic.net was

OT: Banc of America Article

2003-01-29 Thread Al Rowland
Just for grins, The PIN is on your card, likely encrypted, this based on the fact that most ATMs will reject your card at the initial PIN prompt before you try to execute any transaction, as is likely your balance and daily withdrawal limit but the Kwik-E-Mart system might not have a way to see t

Re: Bell Labs or Microsoft security?

2003-01-29 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Sean Donelan writes: > >On Tue, 28 Jan 2003, Steven M. Bellovin wrote: >> They do have a lousy track record. I'm convinced, though, that >> they're sincere about wanting to improve, and they're really trying >> very hard. In fact, I hope that some other vendors f

Re: What could have been done differently?

2003-01-29 Thread just me
On Tue, 28 Jan 2003, Scott Francis wrote: He argued instead that OSes should be redesigned to implement the principle of least privilege from the ground up, down to the architecture they run on. [...] The problem there is the same as with windowsupdate - if one can spoof the central

routing between provider edge and CPE routers

2003-01-29 Thread Mike Bernico
Hi, I apologize if this has been asked before. I work for an ISP that started very small (hundreds of T1 and 56k customers) and has grown very large in the last few years (thousands of T1 customers, as well as DS3 customers and OC3 customers). We currently use an IGP to route between our dis

Re: Bell Labs or Microsoft security?

2003-01-29 Thread Mathew Lodge
At 08:27 AM 1/29/2003 -0600, Alif The Terrible wrote: > > FORTRAN/COBOL array bounds checking. Bell Labs answer: C. Who wants > > the computer to check array lengths or pointers. Programmers know what > > they are doing, and don't need to be "constrained" by the programming > > language. Everyo

Re: routing between provider edge and CPE routers

2003-01-29 Thread Bruce Robertson
We switched to BGP just recently, before things got out of hand. I highly recommend that you do so. It really does work better. It's very nice seeing your OSPF config carry essentially just the loopback interfaces. > In particular I'm wondering about the thousands of lines of > configuration u

Re: .org whois

2003-01-29 Thread just me
On Wed, 29 Jan 2003, Jeff Godin wrote: The new whois server for the .ORG TLD can be found at whois.publicinterestregistry.net. Web interface for .ORG WHOIS can be found at <http://www.pir.org/whois/>. Wed Jan 29 11:08:09 matt@pants:~$ whois -h whois.publicinterestregistry.net unibrow.org wh

Re: OT: Banc of America Article

2003-01-29 Thread Brett Frankenberger
On Wed, Jan 29, 2003 at 10:35:37AM -0800, Al Rowland wrote: > > The PIN is on your card, likely encrypted, We're off-topic now, so I won't go into detail, but the PIN is sometimes on the card and sometimes not. There are different ways of doing it. (If the sampling of cards in my wallet is re

Re: .org whois

2003-01-29 Thread Jeff Godin
On Wed, Jan 29, 2003 at 11:13:27AM -0800, just me wrote: > > On Wed, 29 Jan 2003, Jeff Godin wrote: > > The new whois server for the .ORG TLD can be found at > whois.publicinterestregistry.net. Web interface for .ORG WHOIS can > be found at <http://www.pir.org/whois/>. > > Wed Jan 29 11:08

Re: Banc of America Article

2003-01-29 Thread Joel Baker
On Wed, Jan 29, 2003 at 01:19:08PM -0500, Charles Sprickman wrote: > > On Wed, 29 Jan 2003, Al Rowland wrote: > > > Or, > > > > IIRC, the ATM system is similar to CC transactions. A best effort is > > made to authorize against your account (Credit Card or Banking) but if > > it fails and the tran

RE: Dropouts since Saturday 1/25/03 only affecting web traffic?

2003-01-29 Thread Al Rowland
I've also seen a few 25/110/111 requests in my logs but it didn't seem higher than 'normal.' Best regards, __ Al Rowland > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On > Behalf Of Jim Popovitch > Sent: Wednesday, January 29, 20

Re: Bell Labs or Microsoft security?

2003-01-29 Thread E.B. Dreger
ML> Date: Wed, 29 Jan 2003 11:07:59 -0800 ML> From: Mathew Lodge ML> It doesn't have to be, if your compiler is worth its salt. ML> Take a look at the GNU Ada compiler implementation of bound ML> checking -- incredibly efficient. s/compiler/programmer/ How about: struct buf_t {

Re: routing between provider edge and CPE routers

2003-01-29 Thread Christopher L. Morrow
On Wed, 29 Jan 2003, Mike Bernico wrote: > > > Hi, > > I apologize if this has been asked before. I work for an ISP that > started very small (hundreds of T1 and 56k customers) and has grown very > large in the last few years (thousands of T1 customers, as well as DS3 > customers and OC3 custom

Re: .org whois

2003-01-29 Thread william
.org is being moved into new Public Internet Registry away from NSI Their whois server can be found at http://www.orgtransition.info And if you prefer to get all info at once, I run recursive server at completewhois.com. It can be used from command-line (unlike PIR's server) - "whois -h complet

OT: Banc of America Article

2003-01-29 Thread Al Rowland
Your assumption is my account is at my local branch. Neither is my safe deposit box. It's at a different, larger branch in the adjacent suburb. My 'account' is likely in one of their corporate monoliths downtown, hence the network connection. That's why my card works as well in Virginia (my most r

Re: routing between provider edge and CPE routers

2003-01-29 Thread Serge Maskalik
My recommendation would be for you to: o redistribute directly connected interfaces via a strict filter into BGP and use iBGP to carry it around the local AS or o use passive interfaces in IGPs to do the same Avoid having to run a topology computation every time a T1/56

Re: .org whois

2003-01-29 Thread just me
I tried an nslookup about 20 minutes after I sent that mail, and it succeeded as well. Probably a pbi.net barf near my end as all three auth nameservers returned me the correct info. Of course, there's still the issue of the whois returning complete garbage, aside from the two nameserver entries

Re: What could have been done differently?

2003-01-29 Thread Scott Francis
On Wed, Jan 29, 2003 at 10:47:30AM -0800, [EMAIL PROTECTED] said: > On Tue, 28 Jan 2003, Scott Francis wrote: > > He argued instead that OSes should be redesigned to implement the > principle of least privilege from the ground up, down to the > architecture they run on. > > [...] > > The

broadband in Singapore and Tokyo?

2003-01-29 Thread Andy Grosser
Can anyone suggest a good consumer-grade broadband provider for a small number (~15) of remote users in Singapore and Tokyo? My company wants to allow our remote sales folks to use our VPN client, and presently most of them use dial-up. The push to use cable modems or DSL is on. We currently ha

Re: routing between provider edge and CPE routers

2003-01-29 Thread E.B. Dreger
MB> Date: Wed, 29 Jan 2003 12:51:08 -0600 MB> From: Mike Bernico [ snipped and reformatted throughout ] MB> We currently use an IGP to route between our distribution MB> routers and the CPE routers we manage. I hope I'm misreading. If you're, say, running OSPF between your edge routers and CP

Re: What could have been done differently?

2003-01-29 Thread just me
On Wed, 29 Jan 2003, Scott Francis wrote: On Wed, Jan 29, 2003 at 10:47:30AM -0800, [EMAIL PROTECTED] said: > On Tue, 28 Jan 2003, Scott Francis wrote: > > He argued instead that OSes should be redesigned to implement the > principle of least privilege from the ground up, down to th

Re: routing between provider edge and CPE routers

2003-01-29 Thread Vadim Antonov
On Wed, 29 Jan 2003, Christopher L. Morrow wrote: > On Wed, 29 Jan 2003, Mike Bernico wrote: > > > > We currently use an IGP to route between our distribution routers and > > the CPE routers we manage. > > So, if customers bounce your IGP churns away? And customers have access to > your IGP da

Re: Bell Labs or Microsoft security?

2003-01-29 Thread Mathew Lodge
At 07:32 PM 1/29/2003 +, E.B. Dreger wrote: s/compiler/programmer/ Now write programs to toss around buf_t* instead of char*. It's not that difficult. No, it isn't, as is doing buf_t[x] rather than pointer arithmetic, but the *practical* problem is that you really need 1,$s/compiler/pro

Re: What could have been done differently?

2003-01-29 Thread Scott Francis
On Wed, Jan 29, 2003 at 12:21:50PM -0800, [EMAIL PROTECTED] said: [snip] > > So far, the closest thing I've seen to this concept is the ssh > > administrative host model: adminhost:~root/.ssh/id_dsa.pub is > > copied to every targethost:~root/.ssh/authorized_keys2, such that > > com

RE: routing between provider edge and CPE routers

2003-01-29 Thread Mike Bernico
Thanks so much for all the feedback. All your input has been extremely helpful. Just to clarify: In our network core all customer routes are summarized and carried in iBGP. That was a recent change of mine. We use EIGRP to carry loopback and next hop information. I'm working on migrating

Re: OT: Banc of America Article

2003-01-29 Thread David Charlap
Al Rowland wrote: The PIN is on your card ... Not for any card I've ever owned. I've changed my PIN several times over the years, and the bank has never re-encoded my card or sent me a new card as a result of doing so. Maybe some banks do store the PIN on the card, but I'm certain that it'

Re: Bell Labs or Microsoft security?

2003-01-29 Thread Florian Weimer
Richard A Steenbergen <[EMAIL PROTECTED]> writes: > (pointers ARE your friend god damnit :P) Most C programmers have no clue about the C pointer semantics, I'm afraid, so this powerful feature is often abused. -- Florian Weimer[EMAIL PROTECTED] University of Stuttgart

Re: Bell Labs or Microsoft security?

2003-01-29 Thread Florian Weimer
Richard A Steenbergen <[EMAIL PROTECTED]> writes: > I said exploits, not ways to get outside your proper address space and > crash the OS. Any sufficiently powerful language presents an opportunity > to do bad things to an ill prepared OS, but the answer isn't to make the > language less power

Re: OT: Banc of America Article

2003-01-29 Thread Sharif Torpis
Hallelujah. A voice of knowledge as opposed to conjecture. Different bank ATMs operate differently. There are online and offline modes. The PIN may or may not be recorded on the card. Some of these differences are due to the fact that not all financial institutions were connected to interbank ne

Re: Blocked by msn.com MX, contact for MSN.COM postmaster ?

2003-01-29 Thread Mark E. Mallett
On Tue, Jan 28, 2003 at 11:49:16AM +, Miquel van Smoorenburg wrote: > > I found out that our outgoing SMTP servers have been blocked by > the msn.com MXes. In a nasty way, too -- no SMTP error, the TCP > connection is simply closed by them immediately after establishing it. > We're not listed

RE: routing between provider edge and CPE routers

2003-01-29 Thread Mike Bernico
> So, by accepting routes from CPE you create a huge security vulnerability > for your customers, and other parties. This practice was understood as a > very bad network engineering for decades. Is there someplace I can find tidbits of information like this? I haven't been alive decades so I

RE: Blocked by msn.com MX, contact for MSN.COM postmaster ?

2003-01-29 Thread Mark Segal
Have you tried [EMAIL PROTECTED] maybe [EMAIL PROTECTED] (they could forward you).. They are quite responsive (hotmail, abuse), at least from a hotmail address :). mark -- Mark Segal Director, Data Services Futureway Communications Inc. Tel: (905)326-1570 > -Original Message- > From: M

RE: Blocked by msn.com MX, contact for MSN.COM postmaster ?

2003-01-29 Thread Todd Mitchell
I'm actually dealing with the same issue as we speak. Out of racks of web servers doing shared hosting, MSN decided to block the eth0 on one of our Linux boxes. I called a friend and was given a direct number to level 3 MSN technical support; they are the last tier of support you can speak to a

Re: Bell Labs or Microsoft security?

2003-01-29 Thread E.B. Dreger
ML> Date: Wed, 29 Jan 2003 12:58:58 -0800 ML> From: Mathew Lodge ML> No, it isn't, as is doing buf_t[x] rather than pointer True. I just like having a struct so I may pass a single variable in function calls instead of a whole mess of them. ML> arithmetic, but the *practical* problem is that

Re: What could have been done differently?

2003-01-29 Thread bdragon
> But this worm required external access to an internal server (SQL Servers > are not front-end ones); even with a bad or no patch management system, this > simply wouldn't happen on a properly configured network. Whoever got > slammered, has more problems than just this worm. Even with no firewal

Re: Bell Labs or Microsoft security?

2003-01-29 Thread Daniel Karrenberg
On 29.01 03:32, Sean Donelan wrote: > ... Multics security. Bell Labs answer: Unix. Who needs all that "extra" > security junk in Multics. . [reader warning: diatribe following] Gee, there once were a handful of people; their principal goal was to make an OS for their own use. They

Re: What could have been done differently?

2003-01-29 Thread bdragon
> Not to sound too pro-MS, but if they are going to sue, they should be able to > sue ALL software makers. And what does that do to open source? Apache, > MySQL, OpenSSH, etc have all had their problems. Should we sue the nail gun > vendor because some moron shoots himself in the head with it?

Re: Bell Labs or Microsoft security?

2003-01-29 Thread E.B. Dreger
DK> Date: Thu, 30 Jan 2003 01:05:12 +0100 DK> From: Daniel Karrenberg DK> PPS: Plan 9 anyone? Available for your downloading pleasure. Factotum has piqued my interest, although I've not installed Plan9 myself yet. Eddy -- Brotsman & Dreger, Inc. - EverQuick Internet Division Bandwidth, cons

Re: What could have been done differently?

2003-01-29 Thread Mike Hogsett
> Similarly, you _pay_ MS for a product. A product which is repeatedly > vulnerable. I think this is key. People (individuals/corporations) keep buying crappy software. As long as people keep paying the software vendors for these broken products what incentives do they have to actually fix t

RE: routing between provider edge and CPE routers

2003-01-29 Thread Vadim Antonov
On Wed, 29 Jan 2003, Mike Bernico wrote: > Is there someplace I can find tidbits of information like this? I > haven't been alive decades so I must have missed that memo. Other than > this list I don't know where to find anyone with lots of experience > working for a service provider. Well, th

RE: routing between provider edge and CPE routers

2003-01-29 Thread Ray Burkholder
A few I've found but not tried out yet: OpenSource: http://www.freeipdb.org/ http://www.brownkid.net/NorthStar/ Windows: http://myips.dzoul.com/main.asp http://www.enterpriseip.net/ I make no promises as to applicability or suitability. www.sourceforge.net www.freshmeat.net These two sites mi

https man in the middle [was: routing between provider edge and CPE routers]

2003-01-29 Thread Martin Renschler (EWU)
It's even worse, a fake certificate from a man in the middle causes a trustworthy warning! If a certificate is not co-signed by any of the Browser compiled-in authorities, the Browsers will just ask: "...do you want to trust ". The hacker is completely free to fill in when he creates his own c

Re: Bell Labs or Microsoft security?

2003-01-29 Thread Vadim Antonov
On Thu, 30 Jan 2003, Daniel Karrenberg wrote: > PPS: Plan 9 anyone? Anything but _THAT_! At some period of my life I was paid to make something resembling production system out of Plan 9... it has all the quality features of v6 Unix, and looks like some student's course project. There were some

Re: What could have been done differently?

2003-01-29 Thread Scott Francis
On Tue, Jan 28, 2003 at 11:13:19AM -0200, [EMAIL PROTECTED] said: [snip] > But this worm required external access to an internal server (SQL Servers > are not front-end ones); even with a bad or no patch management system, this > simply wouldn't happen on a properly configured network. Whoever got

Re: Bell Labs or Microsoft security?

2003-01-29 Thread Rubens Kuhl Jr.
Any opinion on Inferno ? It seems more suited to build a packet-eating-machine (router, firewall, vpn, choose your favorite flavour)... Rubens Kuhl Jr. - Original Message - From: "Vadim Antonov" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Thursday, Januar

Re: .org whois

2003-01-29 Thread Roger Marquis
Jeff Godin wrote: > whois -h whois.publicinterestregistry.net unibrow.org Either that or "whoiss unibrow.org". Whoiss is a wrapper for Unix' whois. It performs lookups for any number of domains, netblocks, handles, IPs, ... on a single command line without specifying the TLD server. It's availa