RE: Broken Mini-SAS cable removal?

2021-04-23 Thread Joe Klein
Try shim stock or a feeler gauge between the plug and socket to work the 
latching fingers. This isn't something that I've tried specifically in this 
case. 

You might need to put a notch in the stock or feeler gauge so that you can work 
the fingers from the backside. Kinda like that old trick of using a credit card 
to prise a door latch, except this should work since there's no deadlatch. :)

You might also try gently twisting a small screwdriver or spudger stick between 
the plug and socket too to increase the gap between the socket and plug. 

-joe

From: NANOG  On Behalf Of 
Ryland Kremeier
Sent: Friday, April 23, 2021 09:31
To: nanog@nanog.org
Subject: Broken Mini-SAS cable removal?

Anyone here have experience removing a mini-SAS cable when the plastic tab has 
broken off? Tried checking online but couldn't find anything.

Thank you,
-- Ryland



RE: IP addresses on subnet edge (/24)

2020-09-15 Thread Joe Klein
You could have them try the AWS EC2 reachability site to confirm if this is the 
case.

https://ec2-reachability.amazonaws.com/

Many of their test nodes end with .255 or .0. There are a few ending with 
255.255 and several that end with 0.0.

I’m not sure what the website test actually does (ICMP versus TCP test or 
something else), but you can also connect to those IPs (at least the two that I 
just tested) over port 80, to test the full handshake. You mentioned 
ClientHello/ServerHello, these nodes don't respond over port 443 (only saw 
SYN). Kinda makes sense given they're IP addresses.

-joe



From: NANOG  On Behalf Of 
Andrey Khomyakov
Sent: Monday, September 14, 2020 16:26
To: Nanog 
Subject: IP addresses on subnet edge (/24)

TL;DR I suspect there are middle boxes that don't like IPs ending in .255. 
Anyone seen that?

Folks, 
We are troubleshooting a strange issue where some of our customers cannot 
establish a successful connection with our HTTP front end. In addition to 
checking the usual things like routing and interface errors and security policy 
configurations, and opening support tickets with the load balancer vendor, so far 
all to no avail, we did packet captures.
Based on the packet captures we receive a SYN, we reply with SYN-ACK, but the 
client never actually receives that SYN-ACK. In a different instance the 3-way 
completes, followed by TLS client hello to us, we reply with TLS Server Hello 
and that server hello never makes it to the client.
And again, this is only affecting a small subset of customers thus suggesting 
it's not the load balancer or the edge routing configuration (in fact we can 
traceroute fine to the customer's IP).
So far the only theory that remains is that there are middle boxes 
out there that do not like IPs ending in .255. The service that the clients 
can't get to is hosted on two IPs ending in .255
Let's just say they are x.x.121.255 and x.x.125.255. We even stood up a basic 
"hello world" web server on x.x.124.255 with the same result. Standing up the 
very same basic webserver on x.x.124.250 allows the client to succeed.
So far we have a friendly customer who has been working with us on 
troubleshooting the issue and we have some pcaps from the client's side 
somewhat confirming that it's not the customer's system either.
This friendly customer is in a small 5 people office with Spectrum business 
internet (that's the SYN-ACK case). The same customer tried hopping on his LTE 
hotspot which came up as Cellco Partnership DBA Verizon Wireless with the same 
result (that's the TLS server hello case). That same customer with the same 
workstation drives a town over and he can get to the application fine (we are 
still waiting for the customer to let us know what that source IP is when it 
does work).
Before you suggest that those .255 addresses are broadcasts on some VLAN, they 
are not. They are injected as /32s using a routing protocol, while the VLAN 
addressing is all RFC1918 addressing.

--Andrey
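A small probe, added here as an example and not part of the thread, that automates the comparison Joe suggests: complete a full TCP handshake to each .255/.0 service address and to a non-edge neighbour in the same /24, then report the addresses where only the subnet-edge host fails. The target list is a constructed placeholder from the RFC 5737 documentation range; substitute the real x.x.121.255-style addresses. Run it from the affected client's vantage point (the Spectrum office or the LTE hotspot), since the drop is path-dependent.

```python
"""Added example: probe whether TCP reachability differs for IPv4 addresses
whose last octet is .0 or .255 (classful /24 network/broadcast addresses).
Not code from the NANOG thread; the target list is a constructed placeholder
from the RFC 5737 documentation range."""
import ipaddress
import socket


def is_subnet_edge(addr):
    """True when the last octet is 0 or 255. Such addresses are valid hosts
    when routed as /32s, but some legacy middleboxes still treat them as
    broadcast addresses and drop traffic to or from them."""
    return int(ipaddress.IPv4Address(addr)) & 0xFF in (0, 255)


def control_neighbour(addr):
    """Pick a non-edge address in the same /24 to serve as a control
    (.255 -> .250, .0 -> .5, anything else is its own control)."""
    ip = int(ipaddress.IPv4Address(addr))
    last = ip & 0xFF
    if last == 255:
        last = 250
    elif last == 0:
        last = 5
    return str(ipaddress.IPv4Address(((ip >> 8) << 8) | last))


def tcp_handshake_ok(addr, port, timeout=3.0):
    """Complete a TCP three-way handshake (connect) and close. A SYN-ACK that
    never reaches us shows up as a timeout, which is reported as False."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def edge_only_failures(results):
    """results maps (addr, port) -> bool. Return the edge addresses that failed
    while their control neighbour succeeded on the same port: the signature
    of a middlebox that dislikes .0/.255, rather than a down service."""
    bad = []
    for (addr, port), ok in results.items():
        if is_subnet_edge(addr) and not ok:
            if results.get((control_neighbour(addr), port), False):
                bad.append("%s:%d" % (addr, port))
    return sorted(bad)


def probe(addrs, ports=(80, 443)):
    """Probe each address and its control neighbour on each port."""
    results = {}
    for a in addrs:
        for target in {a, control_neighbour(a)}:
            for p in ports:
                results[(target, p)] = tcp_handshake_ok(target, p)
    return results


if __name__ == "__main__":
    # Constructed placeholder targets; replace with the real .255 hosts.
    res = probe(["192.0.2.255", "192.0.2.0"])
    for key, ok in sorted(res.items()):
        print(key, "ok" if ok else "FAIL")
    print("edge-only failures:", edge_only_failures(res))
```

Note on ports: per Joe's observation, a host that answers on 80 but only shows a SYN on 443 will report ok on 80 and FAIL on 443 from every vantage point; only the edge-versus-control difference on the same port points at a middlebox.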


Re: Request for assistance with Verizon FIOS connection

2023-07-15 Thread Joe Klein
From a consumer's standpoint, Verizon FIOS has published an IPv6 website,
created a discussion forum, and stated they would soon support it. That was 14
years ago.

Joe Klein

On Sat, Jul 15, 2023, 3:46 AM Mel Beckman  wrote:

> Matt,
>
> I missed where the OP indicated they've tried both a direct laptop
> connection as well as another router. I think you may have seen my reply
> suggesting that and thought that was the OP stating he'd done it.
>
> -mel
> --
> *From:* Matt Corallo 
> *Sent:* Friday, July 14, 2023 9:44 PM
> *To:* Mel Beckman ; Neil Hanlon ;
> nanog@nanog.org 
> *Subject:* Re: Request for assistance with Verizon FIOS connection
>
> OP indicated they've tried both a direct laptop connection as well as
> another router. That seems to
> meet the requirement for having ruled out his home-made router, though
> obviously I agree one should
> attempt to rule out any possible errors by doing transparent packet
> sniffing and analyzing the problem
> carefully before escalating an issue. Hopefully everyone on this list
> knows the value of the tech on
> the other end of the line's time :)
>
> Matt
>
> On 7/14/23 9:07 PM, Mel Beckman wrote:
> > Getting the FCC involved seems premature, since the OP hasn't yet ruled
> out a problem with his home
> > made router. Not that there's anything wrong with making your own
> router, but it seems there is a
> burden of proof on the end user to demonstrate the problem isn't with
> the CPE. Even a test as
> > simple as connecting a laptop up for a day and running pings would rule
> out the CPE.
> >
> >-mel
> >
> 
> > *From:* NANOG  on behalf of
> Matt Corallo 
> > *Sent:* Friday, July 14, 2023 5:46 PM
> > *To:* Neil Hanlon ; nanog@nanog.org 
> > *Subject:* Re: Request for assistance with Verizon FIOS connection
> > I've always had good luck with
> https://consumercomplaints.fcc.gov/hc/en-us
> > <https://consumercomplaints.fcc.gov/hc/en-us>. This tends to result in
> > a higher-level tech getting assigned to your ticket at least at larger
> providers. Depending on where
> > you are, your local government may have a similar process (e.g. in NYC
> the city has a similar
> > process that tends to get very high priority tech attention as city
> council members will rake
> > providers over the coals on individual complaints come contract-renewal
> time).
> >
> > Matt
> >
> > On 7/14/23 8:01 AM, Neil Hanlon wrote:
> >> Hi all - I apologize for the not-necessarily-on-topic post, but I've
> been struggling with this issue
> >> for the past two
> >> weeks and am about out of ideas and options other than ask here.
> >>
> >> The short version is I recently got FIOS at my (new) house, and plugged
> in my router (SFF PC running
> >> Vyos). Initially,
> >> all was fine, however, some time later, connectivity to the gateway
> given by the DHCP server is
> >> completely lost. If I
> >> force a renewal, the gateway (sometimes) comes back--sometimes not.
> When it doesn't work, the
> >> DHCPDISCOVER process has
> >> to start over again and I often receive a lease in a completely
> different subnet--which isn't really
> >> the problem, but
> >> seems to be symptomatic of whatever is happening upstream of me.
> >>
> >> The problem, from my perspective, is that the IPv4 gateway given to me
> in my DHCP lease goes away
> >> before my lease
> >> expires--leading to broken v4 connectivity until either 1. the system
> goes to renew the lease and
> >> fails, starting over;
> >> or 2. A watchdog notices and renews the lease (This is what I have
> attempted to implement, without
> >> much success).
> >>
> >> As a note, IPv6 connectivity (dhcpv6-pd, receiving a /56) is entirely
> unaffected when IPv4
> >> connectivity breaks.
> >>
> >> For the past week, I have been monitoring to various IPv4 and IPv6
> endpoints over ICMP and TCP, and
> >> have been able to
> >> chart the outages over that period. More or less, every two hours,
> shortly after a lease is renewed,
> >> the gateway
> >> disappears. I'm happy to share more details and graphs/logs with anyone
> who might be able to help.
> >>
> >> I have attempted to contact FIOS support several times and even had a
> trouble ticket opened at one
> >> point--though this
> >> has been closed as they cannot apparently find any issue with the ONT.
> >>
> >> I'm at my wit's end with this issue and would really appreciate any and
> all help. Please contact me
> >> off list if you need
> >> additional details--I can provide ticket numbers/conversation IDs/etc,
> as well as graphs/logs/etc.
> >>
> >> Best,
> >> Neil Hanlon
>


RE: Unable to email anyone from my primary domain name; thanks Google Mail and G Suite.

2019-10-24 Thread Joe Klein
This was recently thrashed out in the MailOp mailing list, 
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop.



I can point you to the beginning on the email chain, but it became a mess - 
https://chilli.nosignal.org/cgi-bin/mailman/private/mailop/2019-October/014854.html
 (And yes, please ignore the bad certificate…..)



The link is private, so you'll have to sign up first.  The 'google' insights 
come from the author Brandon Long.





From Google's PoV, there weren't enough good signals from his emails being sent 
and his messages being acted upon within his mailbox for Google to determine it 
legitimate. Google watches everything, from the moment the email touches their 
edge until the email is ultimately disposed of. Everything in between provides 
signals to Google as to whether that email was something the receiver wanted. 
Things like never reading the email and auto-filtering it (tagging, I guess, 
for Gmail), for example, are negative signals.



I suspect that by changing your 5321.MailFrom, you changed the signal calculus, 
for now. I bet in a bit, provided that you don’t change any other behaviors, 
that these emails will eventually be rejected too.



This is done by all the big players, but Microsoft is the most aggressive.



The recommendations for this guy were to have his email relayed through a 
bigger company before heading out to Google, especially if he wasn't going to 
dump OVH. For example, OVH maintains email relays that have way better 
reputations than the space used by customers (this was a recommendation by 
someone else, I have no clue personally).



Also, free is free. If you pay for G-Suite, then the admin gets a LOT of extra 
bonuses that anyone would expect out of a paid mailbox. I don’t know about 
G-Suites (wouldn’t touch the stuff personally), but you can get a O365-hosted 
exchange mailbox for like $5/month these days with all the aliases you need and 
all the post-processing transport rules you want. In line with the paid 
Microsoft mailbox – an email does not get delivered for no reason except in the 
rarest of cases. The same is not true with the free mailboxes hosted by 
Microsoft or Google.



And if having an account opened with one of the “big guys” ruffles your 
feathers the wrong way, try a smaller paid provider. I’ve used Hushmail 
personally for the last 8-10 years.



Some other pieces of insight provided by Brandon in that thread that are 
counter-points to your suggestions –



A lot of email that they tag as spam or straight-out block in the same way 
yours are now is due to 419 scams and spearphishing. Both are low-volume, may 
not contain links and can be sent as text, so they share many of the same 
signals that your emails do today or that you propose as getting a free pass.





TL;DR for this guy - his domain is a free one off of eu.org, he's coming out of 
OVH network space and he sends a few messages a day, so the OVH signaling 
eventually won. As a paraphrase from that thread, 1 out of 1 messages 
aren't spam from that netblock in Google’s eyes. And sign up for the MailOp 
list if you want to discuss this further in a better forum.







Good Luck!




From: NANOG  On Behalf Of Constantine A. Murenin
Sent: Wednesday, October 23, 2019 7:19 PM
To: North American Network Operators' Group 
Cc: Constantine A. Murenin 
Subject: Unable to email anyone from my primary domain name; thanks Google Mail 
and G Suite.


Dear NANOG@,

I'm not sure where else to post this, and this is not really new, either, but I 
think I have a new take here.

I use my own personal domain name for various UNIX stuff, including sending 
log-related things to myself out of cron, which end up in my own Gmail.com 
account, either directly, or through forwarding (w/o SRS).  (I do not use G 
Suite for my own domain name, for obvious reasons; just the consumer-based 
gmail.com email address from the old times of 
invitation-based registrations.)

Over the years, I sometimes had certain messages rejected by Gmail, but it was 
a very low rate of rejection (less than 5% for any mail I cared about), and 
wasn't a major problem (usually only some automated messages would be rejected).

A couple of months ago, I set up some new scripts that would send me new nightly 
emails.  It's all plain text, but had a few dozen domain names present (it's 
logs).  Absolutely no links, just plenty of domains which I don't control.  So, 
Gmail has been presenting most of these messages with their red warning label 
that the email contains malicious links, even though all of these emails 
contained zero links, zero URLs to any of these unknown domain names, zero URL 
schemes, zero "http://", zero "https://" etc.  You get the idea.

Since about a few weeks ago, I am now seeing at least a 95% rejection rate for 
my domain name, for ALL email, including the forwards.  Including emails which 
I send to myself from within Google, and which get forwarded ba

Re: NIST NTP servers

2016-05-10 Thread Joe Klein
Is this group aware of the incident with tock.usno.navy.mil &
tick.usno.navy.mil on November 19, 2012, 2107 UTC, when the systems lost 12
years for the period of one hour, then returned?

The reasons were not fully explained, but the impact was global. Routers,
switches, power grids, phone systems, certificates, encryption, Kerberos,
logging and any tightly coupled transaction systems were impacted.

So I began doing 'security research' on the topic (don't confuse me with
joe hacker), and discovered both interesting and terrifying issues, which I
will not disclose on an open forum.

Needless to say, my suggestions are:
1. Configure a trusted time source and good time stratum architecture for
your organization.
2. When identifying your source of time, the majority of the technologies
can be DDOS'ed, spoofed or MITM, so consider using redundant sources and
authentication.
3. For distribution of time information inside your organization, ensure
your critical systems (Encryption, PKI, transactions, etc) are using your
redundant sources and authentication.
4. Operating systems, programming languages, libraries, and applications
are sensitive to time changes and can fail in unexpected ways. Test them
before it's too late.
5. Disallow internal systems to seek NTP from other sources beyond your edge
routers.
6. All core time systems should be monitored by your security team or SOC.

One question, is this a topic anyone would find interested at a future
NANOG? Something like "Hacking and Defending time?".


Joe Klein
"Inveniam viam aut faciam"

PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8

On Tue, May 10, 2016 at 9:59 PM, Mel Beckman  wrote:

> I don't pretend to know all the ways a hacker can find out what ntp
> servers a company uses, but I can envision a virus that could do that once
> behind a firewall. Every ntp response lists the current reference ntp
> server in the next higher stratum. There are many ways that process could
> harvest all ntp servers over time, and then pass the public IP back to a
> mother ship controller. It could be going on right now.
>
> My point is, when the fix is so cheap, why put up with this risk at all?
>
>  -mel beckman
>
> > On May 10, 2016, at 5:18 PM, Chris Adams  wrote:
> >
> > Once upon a time, Mel Beckman  said:
> >> Boss: So how did a hacker get in and crash our accounting server, break
> our VPNs, and kill our network performance?
> >>
> >> IT guy: He changed our clocks.
> >
> > So, this has been repeated several times (with how bad things will go if
> > your clocks get changed by years).  It isn't that easy.
> >
> > First, out of the box, if you use the public pool servers (default
> > config), you'll typically get 4 random (more or less) servers from the
> > pool.  There are a bunch, so Joe Random Hacker isn't going to have a
> > high chance of guessing the servers your system is using.
> >
> > Second, he'd have to guess at least three to "win".
> >
> > Third, at best, he'd only be able to change your clocks a little; the
> > common software won't step the clock more than IIRC 15 minutes.  Yes,
> > that can cause problems, but not the catastrophes of years in the future
> > or Jan 1, 1970 mentioned in this thread.
> >
> > Is it possible to cause problems?  Yes.  Is it a practical attack?  I'm
> > not so sure, and I haven't seen proof to the contrary.
> > --
> > Chris Adams 
>
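As an added illustration of items 2 and 3 in Joe's list above (not code from the thread): the checks a time consumer can apply to NTP replies before trusting them. It parses NTPv4 server packets, rejects kiss-o'-death, unsynchronised and replayed replies, computes the RFC 5905 clock offset, and accepts a step only when a majority of redundant sources agree and the step stays below a panic threshold. The threshold, the agreement window and every packet are assumptions constructed for the example; a 12-year jump like the USNO incident is exactly the case it refuses.

```python
"""Added example, not code from the thread: parse NTPv4 server replies,
apply per-source sanity checks, and only accept a clock step that a
majority of independent sources agree on and that stays under a panic
threshold. All packets are constructed in-line; nothing touches the network."""
import struct

NTP_UNIX_DELTA = 2208988800   # seconds from 1900-01-01 to 1970-01-01
PANIC_THRESHOLD = 1000.0      # seconds; same order as ntpd's default panic gate
MAX_SPREAD = 0.5              # agreement window between sources (assumption)
ORIG_TOLERANCE = 1e-4         # originate-timestamp match tolerance (assumption)


def to_ntp(unix):
    """Unix seconds (float) -> 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix)
    return ((whole + NTP_UNIX_DELTA) << 32) | int((unix - whole) * (1 << 32))


def from_ntp(ts):
    return (ts >> 32) - NTP_UNIX_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)


def build_reply(t1, t2, t3, stratum=2, li=0, refid=b"GPS\0"):
    """Constructed mode-4 (server) reply: t1 is the client transmit time it
    echoes in the originate field, t2/t3 the server receive/transmit times."""
    first = (li << 6) | (4 << 3) | 4            # LI | VN=4 | mode=4
    return struct.pack(">BBBbII4sQQQQ", first, stratum, 6, -20, 0, 0, refid,
                       to_ntp(t2), to_ntp(t1), to_ntp(t2), to_ntp(t3))


def parse_reply(pkt):
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    (first, stratum, _poll, _prec, _rdel, _rdisp, refid,
     _ref, orig, recv, xmit) = struct.unpack(">BBBbII4sQQQQ", pkt[:48])
    return {"li": first >> 6, "mode": first & 7, "stratum": stratum,
            "refid": refid, "t1": from_ntp(orig), "t2": from_ntp(recv),
            "t3": from_ntp(xmit)}


def source_offset(pkt, t1_sent, t4):
    """Return (offset, reason); offset is None when the reply is unusable:
    wrong mode, kiss-o'-death (stratum 0), unsynchronised server, originate
    timestamp not matching what we sent (replay or blind spoof), or a
    negative round trip (timestamps that cannot be real)."""
    r = parse_reply(pkt)
    if r["mode"] != 4:
        return None, "not a server reply"
    if r["stratum"] == 0:
        return None, "kiss-o'-death %r" % r["refid"]
    if r["stratum"] >= 16 or r["li"] == 3:
        return None, "server unsynchronised"
    if abs(r["t1"] - t1_sent) > ORIG_TOLERANCE:
        return None, "originate timestamp mismatch"
    if (t4 - r["t1"]) - (r["t3"] - r["t2"]) < 0:
        return None, "negative round trip"
    return ((r["t2"] - r["t1"]) + (r["t3"] - t4)) / 2, "ok"   # RFC 5905 offset


def choose_step(offsets):
    """Majority rule: take the median usable offset and require more than
    half the sources to agree with it within MAX_SPREAD; never step beyond
    PANIC_THRESHOLD (that is a page-the-SOC event, not a correction)."""
    usable = sorted(o for o in offsets if o is not None)
    if not usable:
        return None, "no usable sources"
    median = usable[len(usable) // 2]
    agreeing = [o for o in usable if abs(o - median) <= MAX_SPREAD]
    if 2 * len(agreeing) <= len(usable):
        return None, "sources disagree; no majority"
    if abs(median) > PANIC_THRESHOLD:
        return None, "step of %.0f s exceeds panic threshold" % median
    return median, "ok"


def demo():
    """Constructed scenario: three honest servers ~10 ms ahead of us, one
    reply claiming a time 12 years in the future, one kiss-o'-death."""
    t1 = 1700000000.0              # our transmit time
    t4 = t1 + 0.040                # our receive time (40 ms round trip)
    mid = t1 + 0.020               # instant the server handled the request
    twelve_years = 12 * 365 * 86400
    replies = [
        build_reply(t1, mid + 0.010, mid + 0.010),
        build_reply(t1, mid + 0.012, mid + 0.012),
        build_reply(t1, mid + 0.008, mid + 0.008),
        build_reply(t1, mid + twelve_years, mid + twelve_years),
        build_reply(t1, mid, mid, stratum=0, refid=b"RATE"),
    ]
    return choose_step([source_offset(p, t1, t4)[0] for p in replies])


if __name__ == "__main__":
    print(demo())
```

The majority rule is what makes item 2's redundancy worth anything: with a single source, or with all sources reachable only through one path that an attacker controls, the median is whatever the attacker says, and only the panic gate (and the SOC alert behind it) is left.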


Re: BCP38 adoption "incentives"?

2016-09-27 Thread Joe Klein
What would it take to test for BCP38 for a specific AS?

Joe Klein
"Inveniam viam aut faciam"

PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8

On Tue, Sep 27, 2016 at 8:31 AM, Stephen Satchell  wrote:

> Does anyone know if any upstream and tiered internet providers include in
> their connection contracts a mandatory requirement that all
> directly-connected routers be in compliance with BCP38?
>
> Does anyone know if large ISPs like Comcast, Charter, or AT&T have put in
> place internal policies requiring retail/business-customer-aggregating
> routers to be in compliance with BCP38?
>
> Does any ISP, providing business Internet connectivity along with a block
> of IP addresses, include language in their contracts that any directly
> connected router must be in compliance with BCP38?
>
> I've seen a lot of moaning and groaning about how BCP38 is pretty much
> being ignored.  Education is one way to help, but that doesn't hit anyone
> in the wallet.  You have to motivate people to go out of their way to
> *learn* about BCP38; most business people are too busy with things that
> make them money to be concerned with "Internet esoterica" that doesn't add
> to the bottom line.  You have to make their ignorance SUBTRACT from the
> bottom line.
>
> Contracts, properly enforced, can make a huge dent in the problem of BCP38
> adoption.  At a number of levels.
>
> Equipment manufacturers not usually involved in this sort of thing (home
> and SOHO market) would then have market incentive to provide equipment at
> the low end that would provide BCP38 support.  Especially equipment
> manufacturers that incorporate embedded Linux in their products.  They can
> be creative in how they implement their product; let creativity blossom.
>
> I know, I know, BCP38 was originally directed at Internet Service
> Providers at their edge to upstreams.  I'm thinking that BCP38 needs to be
> in place at any point -- every point? -- where you have a significant-sized
> collection of systems/devices aggregated to single upstream connections.
> Particular systems/devices where any source address can be generated and
> propagated -- including compromised desktop computers, compromised light
> bulbs, compromised wireless routers, compromised you-name-it.
>
> (That is one nice thing about NAT -- the bad guys can't build spoofed
> packets.  They *can* build, um, "other" packets...which is a different
> subject entirely.)
>
> (N.B.:  Now you know why I'm trying to get the simplest possible
> definition of BCP38 into words.  The RFCs don't contain "executive
> summaries".)
>


Re: BCP38 adoption "incentives"?

2016-09-27 Thread Joe Klein
The knobs that are available to push adoption of any standard can include
"Doing nothing", "Educating the community",  "Incentives", "Public
Shaming", "Loss of business", "Engaging the policy & legal wanks". It seems
to me the first two options have not moved the ball much.

Must we move the last four to fix the DDOS problem? The last one scares me,
but the other three might be valid methods to move the ball.

Joe Klein
"Inveniam viam aut faciam"

PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8

On Tue, Sep 27, 2016 at 10:32 AM, Mikael Abrahamsson 
wrote:

> On Tue, 27 Sep 2016, Joe Klein wrote:
>
> What would it take to test for BCP38 for a specific AS?
>>
>
> Well, you can get people to run https://www.caida.org/projects/spoofer/#software
>
> I tried to get OpenWrt to include similar software, on by default, but
> some people are afraid that they might incur legal action on themselves by
> doing antispoofing-testing.
>
> https://www.ripe.net/participate/ripe/tf/anti-spoofing might be of
> interest.
>
>
> --
> Mikael Abrahamsson    email: swm...@swm.pp.se
>
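An added example (not from either message) of what "testing for BCP38" looks like at a single edge: a model of an RFC 2827 ingress filter bound to each customer interface, the equivalent nftables rule it renders, and a replay of spoofed-source samples through it. The interface names and prefixes are constructed from documentation space. This is the configuration-side complement of the CAIDA spoofer Mikael mentions, which measures from inside a network outward.

```python
"""Added example, not code from the thread: a reference model of a BCP38
(RFC 2827) ingress filter, a renderer for the equivalent nftables rule, and
a replay test that pushes spoofed-source samples through it. Interface names
and prefixes are constructed from RFC 5737 / RFC 3849 documentation space."""
import ipaddress


class IngressFilter:
    """Each customer-facing interface is bound to the prefixes that can
    legitimately source packets behind it; a packet arriving on that
    interface from any other source is dropped. Unknown interfaces deny."""

    def __init__(self):
        self._allowed = {}

    def bind(self, iface, prefixes):
        self._allowed[iface] = [ipaddress.ip_network(p, strict=False)
                                for p in prefixes]

    def permits(self, iface, src):
        ip = ipaddress.ip_address(src)
        return any(ip.version == n.version and ip in n
                   for n in self._allowed.get(iface, []))

    def nftables(self, iface):
        """Equivalent nft rules, one per address family. Syntax assumed from
        nft(8); check it against your version before deploying."""
        nets = self._allowed.get(iface, [])
        rules = []
        for fam, proto in ((4, "ip"), (6, "ip6")):
            members = ", ".join(str(n) for n in nets if n.version == fam)
            if members:
                rules.append('iifname "%s" %s saddr != { %s } drop'
                             % (iface, proto, members))
        return rules


def spoof_test(filt, iface, samples):
    """Replay (src, should_permit) samples through one interface and return
    the mismatches; an empty list means the interface is BCP38-clean for
    those samples. This checks a filter from the outside, the complement of
    the CAIDA spoofer, which measures from inside a network outward."""
    return [(src, want) for src, want in samples
            if filt.permits(iface, src) != want]


def build_demo():
    """Constructed customer attachment: one dual-stack port, one v4 port."""
    f = IngressFilter()
    f.bind("cust-eth1", ["192.0.2.0/24", "2001:db8:1::/48"])
    f.bind("cust-eth2", ["198.51.100.0/25"])
    return f


SAMPLES = [                       # what cust-eth1 should and should not pass
    ("192.0.2.17", True),         # the customer's own space
    ("192.0.2.255", True),        # still the customer's space
    ("198.51.100.9", False),      # another customer's prefix: spoofed
    ("203.0.113.1", False),       # unrelated internet address: spoofed
    ("10.0.0.1", False),          # RFC 1918 leaking out: spoofed or misrouted
    ("127.0.0.1", False),
    ("2001:db8:1::2", True),
    ("2001:db8:2::2", False),
]

if __name__ == "__main__":
    f = build_demo()
    print("\n".join(f.nftables("cust-eth1")))
    print("mismatches:", spoof_test(f, "cust-eth1", SAMPLES))
```

On real aggregation routers the same policy is usually expressed as strict-mode uRPF rather than an explicit per-interface ACL; the model above is the explicit form because it makes the decision visible and testable.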


Re: U.S. test of national alerts on Oct. 4 at 2:20pm EDT (1820 UTC)

2023-10-04 Thread Joe Klein
Received it twice on the smartphone. Did not trigger the emergency weather
system, nor impact stream on TV in NCR.

Joe Klein

"inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene 1)
"I skate to where the puck is going to be, not to where it has been." -- Wayne Gretzky
"I never lose. I either win or learn" - Nelson Mandela


On Wed, Oct 4, 2023 at 2:35 PM Ryan A. Krenzischek via NANOG <
nanog@nanog.org> wrote:

> I've only gotten the alert now ...9 times.
>
> Ryan
>


Re: SRI's Dan Lynch dies

2024-04-01 Thread Joe Klein
Wow, I have not spoken to Dan Lynch in 8 years. He was brilliant!

Raise glass for Dan!

Joe Klein

"inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene 1)
"I skate to where the puck is going to be, not to where it has been." -- Wayne Gretzky
"I never lose. I either win or learn" - Nelson Mandela


On Mon, Apr 1, 2024 at 6:06 PM joe hess  wrote:

> Thanks for sharing this, too. Lynch was really underrated for what he
> did.  He basically made certain that people made their dreams work
> together, or at least that is what I saw.
>
> Too, when you asked any questions in the Internet’s early days, all the
> answers eventually seemed to wind back to Dan.
>
> I only knew him by remote interaction, and I have often felt cheated that
> I didn’t get to know him better.
>
>
>
> > On Apr 1, 2024, at 11:12 AM, Sajit Bhaskaran 
> wrote:
> >
> > RIP Dan Lynch. It is worth adding that he was also the founder of the
> Interop shows in the mid 80s which achieved a great deal in terms of
> advancing TCP/IP adoption, and inter-operability testing was a big deal
> back then when the future of TCP/IP was also not at all certain, as it was
> in competition then with the ISO/OSI protocol suite. Dan's efforts and
> passion as an entrepreneur created an exponentially growing community of
> users and vendors all over the world that made the TCP/IP protocol suite
> the de facto standard. Thanks very much for sharing. Today we take the
> Internet for granted. It could have been very different.
> >
> > On 3/31/2024 12:19 PM, Jay R. Ashworth wrote:
> >> From Lauren Weinstein @ PRIVACY Digest:
> >>
> >> """
> >> Dan Lynch, one of the key people involved in building the Internet and
> >> ARPANET before it, has died.
> >>
> >> Dan was director of computing facilities at SRI International, where
> >> ARPANET node #2 was located and he worked on development of TCP/IP, and
> >> where the first packets were received from our site at UCLA node #1 to
> >> SRI, and later at USC-ISI led the team that made the transition from the
> >> original ARPANET NCP protocols to TCP/IP for the Internet. And much
> more.
> >>
> >> Peace. -L
> >> """
> >>
> >> He was well written up across the web, but here's a 2021 piece for those
> >> who aren't as familiar with his background:
> >>
> >>
> https://www.internethalloffame.org/2021/04/19/dan-lynchs-love-brilliant-complexity-fuels-early-internet-development-growth/
> >>
> >> And his IHoF induction speech:
> >>
> >> http://opentranscripts.org/transcript/dan-lynch-ihof-2019-speech/
> >>
> >> I would note his age here, as obits usually do, but it seems unusually
> difficult
> >> to learn.
> >>
> >> Happy landings, Mr Lynch.
> >>
> >> Cheers,
> >> -- jra
>
>


Re: RFC 1918 network range choices

2017-10-06 Thread Joe Klein
Which part?  The allocation of the addresses or the security model (section
2, 4 & 5)?

Note: Very few system, network, or security professionals have even read
anything besides section 3, the private address allocation.  Could be why
we have so many compromises --- just saying.

Joe Klein

"inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene 1)
PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8

On Thu, Oct 5, 2017 at 4:28 PM, Randy Bush  wrote:

> >> The answer seems to be "no, Jon's not answering his email anymore".
>
> jon was not a big supporter of rfc1918
>


Re: Xbox Live and Teredo

2018-01-02 Thread Joe Klein
Are you aware:

- Microsoft's justification for Teredo is to support P2P during the
transition to IPv6 dominant networks.

- Xbox 360: Console
  - IPv4 preferred and requires the Microsoft "custom STUN and security
implementation."

- Xbox One: Console
  - IPv6 preferred - Native IPv6+IPSec
 - Requires unsolicited inbound IPSec and IKEv2
 - "Disables firewall capabilities if one exists" - UPNP+...

- IPv4 preferred or no IPv6 = [IPv6+IPSec]+Teredo
 - Teredo is only necessary for Xbox Live party chat and multiplayer

  - Within the tunnel, it requires unsolicited inbound IPSec and IKEv2
 - UDP long port mapping refresh intervals (60 seconds+) to avoid
losing connections to xbox peers
 - Uses UPNP to "Disables firewall capabilities if one exists"
 - If NAT exists, here is the most successful strategy, left to right:
   -  Open to the Internet > Address Restricted > Port Restricted >
Symmetric > UDP Block
- Teredo prefers UDP port 3074 vs. UDP port 3544

- XBOX - Windows 10
   - Teredo is only necessary for Xbox Live party chat and multiplayer
   - Most common error: “Teredo is unable to qualify”

https://support.xbox.com/en-US/xbox-on-windows/social/troubleshoot-party-chat
  - If a third party firewall is installed, good chance it is blocking
Teredo outbound ports or the Windows 10 Teredo is disabled.

Hope this helps... And don't ask about the security --- It's "good enough
for home users" :(




Joe Klein

"inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene 1)
PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8

On Tue, Jan 2, 2018 at 6:19 PM, Mark Andrews  wrote:

> Time to buy a Xbox for the NOC so you can trouble shoot.  All puns
> intended.
>
> Mark
>
> > On 3 Jan 2018, at 10:15 am, Justin Wilson  wrote:
> >
> > These are all Xbox one clients.  We don’t hand out IPv6 on this network
> yet, so I made sure to disable any sort of IPV6 on the interfaces just to
> be sure because I figured Teredo is tied to v6.  The only thing we have not
> done yet is disable any IPV6 stuff on the customer routers.  Everyone has
> been getting link local addresses for the longest time.   We just disabled
> ipv6 totally on the interfaces just to be safe.
> >
> >
> > Justin Wilson
> > j...@mtin.net
> >
> > www.mtin.net
> > www.midwest-ix.com
> >
> >> On Jan 2, 2018, at 6:06 PM, Chris Adams  wrote:
> >>
> >> Once upon a time, Mark Andrews  said:
> >>> Given that you have IPv6 I would be looking at why the XBOXs are
> attempting Teredo at all.  I would expect them to use the IPv6 addresses
> that you are assigning your customers.
> >>
> >> The OP didn't say what type of Xbox.  IIRC the Xbox 360 does not support
> >> IPv6, while the Xbox One does (but neither would explain the Teredo).
> >> --
> >> Chris Adams 
> >>
> >
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
>
>
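An added example, not from the thread, for the troubleshooting angle above: a Teredo address decoder/encoder. Everything an Xbox puts in its 2001:0::/32 address is readable, so a NOC can see which Teredo server the console qualified against, the console's public IPv4 address and mapped UDP port, and whether it claims a cone NAT, without a packet capture. The sample address is the standard Teredo textbook example; the NAT commentary and the port-3074 check follow Joe's list above and are not a Microsoft specification.

```python
"""Added example, not code from the thread: decode and encode Teredo
(RFC 4380) addresses, so a NOC can read off an Xbox's 2001:0::/32 address
which Teredo server it qualified against, its public IPv4 address and mapped
UDP port, and whether it believes it sits behind a cone NAT. The sample
address is the textbook Teredo example; Xbox port 3074 is from the thread."""
import ipaddress

TEREDO_NET = ipaddress.IPv6Network("2001::/32")
CONE_FLAG = 0x8000
XBOX_PORT = 3074


def decode_teredo(addr):
    """Layout: [prefix 32][server IPv4 32][flags 16][~port 16][~client IPv4 32].
    Port and client address are stored bit-inverted so a NAT that rewrites
    literal IPv4 addresses inside payloads does not mangle them."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_NET:
        raise ValueError("%s is not a Teredo address" % addr)
    raw = ip.packed
    flags = int.from_bytes(raw[8:10], "big")
    client = int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF
    return {"server": str(ipaddress.IPv4Address(raw[4:8])),
            "cone": bool(flags & CONE_FLAG),
            "port": int.from_bytes(raw[10:12], "big") ^ 0xFFFF,
            "client": str(ipaddress.IPv4Address(client))}


def encode_teredo(server, client, port, cone):
    """Inverse of decode_teredo; useful for building test addresses."""
    raw = (TEREDO_NET.network_address.packed[:4]
           + ipaddress.IPv4Address(server).packed
           + (CONE_FLAG if cone else 0).to_bytes(2, "big")
           + (port ^ 0xFFFF).to_bytes(2, "big")
           + (int(ipaddress.IPv4Address(client)) ^ 0xFFFFFFFF).to_bytes(4, "big"))
    return str(ipaddress.IPv6Address(raw))


def nat_hint(info):
    """Relate the address to the NAT ordering in the thread (open > address
    restricted > port restricted > symmetric > UDP blocked). Assumed
    interpretation for the example, not a Microsoft definition."""
    notes = []
    if info["cone"]:
        notes.append("cone NAT: unsolicited inbound UDP to %s:%d reaches the "
                     "client, the best case for party chat"
                     % (info["client"], info["port"]))
    else:
        notes.append("restricted NAT: peers must bubble through server %s "
                     "before direct traffic flows" % info["server"])
    if info["port"] == XBOX_PORT:
        notes.append("mapped port equals the Xbox source port 3074, i.e. the "
                     "NAT preserved the port (UPnP mapping or port-preserving NAT)")
    return notes


if __name__ == "__main__":
    sample = "2001:0000:4136:e378:8000:63bf:3fff:fdd2"   # textbook example
    info = decode_teredo(sample)
    print(info)
    for n in nat_hint(info):
        print("-", n)
```

Because the public IPv4 address and port sit in cleartext inside the IPv6 address, anyone who sees the address (a lobby peer, a log line) learns the customer's external mapping; that is part of why the "good enough for home users" remark above applies.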


Re: Xbox Live and Teredo

2018-01-02 Thread Joe Klein
While you are at it, you might want to configure a STUN and ICE server, to
address streaming UDP.

Joe Klein

"inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene 1)
PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8

On Tue, Jan 2, 2018 at 10:19 PM, Martin List-Petersen 
wrote:

> On 02/01/18 23:15, Justin Wilson wrote:
>
>> These are all Xbox one clients.  We don’t hand out IPv6 on this network
>> yet, so I made sure to disable any sort of IPV6 on the interfaces just to
>> be sure because I figured Teredo is tied to v6.  The only thing we have not
>> done yet is disable any IPV6 stuff on the customer routers.  Everyone has
>> been getting link local addresses for the longest time.   We just disabled
>> ipv6 totally on the interfaces just to be safe.
>>
>
>
> Disabling anything IPv6 is counter productive. The way things are going is
> IPv6 and has been for many years.
>
> Now ... what could happen is that you've got a misconfigured Teredo
> gateway upstream.
>
> Disabling IPv6 on customer routers etc won't solve your problem. IPv6 is
> here to stay.
>
> Your best bet: set up a Teredo gateway and facilitate these Xboxes as
> long as you don't give them native IPv6.
>
> Just my 2c.
>
> Kind regards,
> Martin List-Petersen
> --
> Airwire Ltd. - Ag Nascadh Pobail an Iarthair
> http://www.airwire.ie
> Phone: 091-865 968
> Registered Office: Moy, Kinvara, Co. Galway, 091-865 968 - Registered in
> Ireland No. 508961
>


NG Firewalls & IPv6

2018-04-02 Thread Joe Klein
All,

At security and network tradeshows over the last 15 years, I have asked
companies if their products supported "IPv6". They all claimed they did,
but were unable to verify any successful installations. Later they told me
it was on their "Roadmap" but were unable to provide an estimated year,
because it was a trade secret.

Starting this last year at BlackHat US, I again visited every product
booth, asking if their products supported dual-stack or IPv6 only
operations. Receiving only the same unsupported answers, I decided to focus
on one product category.

To the gurus of the NANOG community, What are your experiences with
installing and managing Next Generations firewalls? Do they support IPv6
only environments? Details? Stories?

If you prefer not to disparage those poor product companies, please contact
me off the list.

Thanks,

Joe Klein

"inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene 1)
PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8


Re: Seeking IPv6 Security Resources

2014-11-26 Thread Joe Klein
Chris,

Are you aware IPv6 has 3 or arguably 4 major generations of standards?

Each generation requires nuanced defense strategies, based on which clauses
("must" and "should") were implemented. Some of the derived security works
do not reflect, and in some cases contradict, current security
recommendations. The perceived newness of the technology and ambiguities
of recommendations have resulted in 'pushback' by the security community to
implement IPv6. This has forced us to continue with the implementation of IPv6
and 'trust' the vendor recommendations, based on the limitations of that
vendor's products.

In the cracks, between the standards and implementation of these standards,
are where security vulnerabilities exist, compromises lay, and defenses
crumble.

Joe Klein
"Inveniam viam aut faciam"

On Tue, Nov 25, 2014 at 3:32 PM, Chris Grundemann 
wrote:

> Hail NANOG!
>
> I am looking for IPv6 security resources to add to:
> http://www.internetsociety.org/deploy360/ipv6/security/
>
> These could be best current practice documents, case-studies,
> lessons-learned/issues-found, research/evaluations, RFCs, or anything else
> focused on IPv6 security really.
>
> I'm not requesting that anyone do any new work, just that you point me to
> solid public documents that already exist. Feel free to share on-list or
> privately, both documents you may have authored and those you have found
> helpful.
>
> Thanks!
> ~Chris
>
> Note: Not every document shared will get posted to the Deploy360 site.
>
> --
> @ChrisGrundemann
> http://chrisgrundemann.com
>


Re: REMINDER: Leap Second

2015-01-25 Thread Joe Klein
I spoke on time hacking and NTP 3 years ago at ShmooCon.
On Jan 25, 2015 12:28 PM, "Ken Chase"  wrote:

> I think devices would likely be fine, unless they're concerned with
> reconciling
> a leap-second updated ntp source and one that's not. Who wins?
>
> For most NTPs I would guess they're slaves to whatever feed and just
> 'believe'
> whatever they're told. (Sounds like a security hole waiting for high
> frequency
> trader types, q.v.
>
> http://www.theverge.com/2013/10/3/4798542/whats-faster-than-a-light-speed-trade-inside-the-sketchy-world-of
> )
>
> Can't we just subscribe to a leapsmeary NTP feed if we care to have no
> big leap (I don't mind)? Isn't NIST offering this?
>
> /kc
>
>
> On Sun, Jan 25, 2015 at 06:01:40PM +0100, Karsten Elfenbein said:
>   >Hi,
>   >
>   >Java had some issues with 100% CPU usage when NTP was running during
>   >the additional second in 2012.
>   >
> http://blog.wpkg.org/2012/07/01/java-leap-second-bug-30-june-1-july-2012-fix/
>   >
>   >Google did something different to get the extra second in:
>   >
> http://googleblog.blogspot.de/2011/09/time-technology-and-leaping-seconds.html
>   >
>   >Most devices probably don't even know about the leap second coming as
>   >that would require a firmware upgrade.
>   >
>   >
>   >Karsten
>   >
>   >2015-01-25 16:19 GMT+01:00 Mike. :
>   >> On 1/25/2015 at 9:37 AM Jay Ashworth wrote:
>   >>
>   >> |This June 30th, 235959UTC will be followed immediately by 235960UTC.
>   >> |
>   >> |What will /your/ devices do?
>   >>  =
>   >>
>   >>
>   >> I've always wondered why this is such a big issue, and why it's done
>   >> as it is.
>   >>
>   >> In UNIX, for instance, time is measured as the number of seconds
>   >> since the UNIX epoch.  imo, the counting of the number of seconds
>   >> should not be "adjusted", unless there's a time warp of some sort.
>   >> The leap second adjustment should be in the display of the time,
>   >> i.e., similar to how time zones are handled.
>   >>
>   >>
>   >> fwiw
>   >>
>   >>
>   >>
>
> --
> Ken Chase - m...@sizone.org Toronto
>
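
The two behaviours the thread contrasts, as an added example that is not code from the thread, from NIST or from Google: a POSIX clock that replays 23:59:59 when the 2015-06-30 leap second arrives, and a smeared clock that absorbs the extra second by running slightly slow. The noon-to-noon, 24-hour linear smear parameters are an assumption taken from the smear Google later published; the 2011 post quoted above described an earlier variant. `elapsed` is true elapsed seconds since 2015-06-30 00:00:00 UTC, leap second included, i.e. what a monotonic reference would count.

```python
"""Leap second handling: POSIX step versus a linear smear.

Added example, not code from the thread or from Google. It models the
2015-06-30 23:59:60 UTC leap second two ways:

  * posix_time(): the POSIX convention, where 23:59:59 is repeated, so a
    clock that tracks UTC exactly steps backwards by up to a second.
  * smeared_time(): a 24-hour linear smear, noon to noon around the leap,
    which stretches 86401 real seconds over 86400 clock seconds so the
    clock never steps (assumed parameters, see the lead-in).
"""

DAY_START = 1435622400.0            # POSIX time of 2015-06-30 00:00:00 UTC
LEAP_AT = 86400.0                   # elapsed seconds when 23:59:60 begins
SMEAR_START = 43200.0               # 12:00:00 UTC on 2015-06-30 (assumption)
SMEAR_LEN_REAL = 86401.0            # real seconds in the smear window
SMEAR_LEN_CLOCK = 86400.0           # clock seconds the window must show


def posix_time(elapsed: float) -> float:
    """POSIX time for the given true elapsed seconds.

    POSIX time has no slot for 23:59:60, so after the leap second the
    count is one less than elapsed; during the leap second itself the
    23:59:59 value is replayed, which is the backwards step.
    """
    if elapsed < LEAP_AT:
        return DAY_START + elapsed
    return DAY_START + elapsed - 1.0


def smeared_time(elapsed: float) -> float:
    """Smeared time: identical to POSIX outside the window, slowed within it."""
    if elapsed <= SMEAR_START:
        return DAY_START + elapsed
    if elapsed >= SMEAR_START + SMEAR_LEN_REAL:
        return DAY_START + elapsed - 1.0        # leap fully absorbed
    progress = (elapsed - SMEAR_START) * SMEAR_LEN_CLOCK / SMEAR_LEN_REAL
    return DAY_START + SMEAR_START + progress


def backward_steps(clock, start: float, end: float, step: float) -> int:
    """Count samples at which `clock` reads earlier than at the previous sample."""
    count = 0
    previous = clock(start)
    ticks = int(round((end - start) / step))
    for i in range(1, ticks + 1):
        now = clock(start + i * step)
        if now < previous:
            count += 1
        previous = now
    return count


def smear_rate() -> float:
    """Clock seconds per real second inside the window (slightly below 1)."""
    return SMEAR_LEN_CLOCK / SMEAR_LEN_REAL


if __name__ == "__main__":
    for e in (86399.5, 86400.0, 86400.5, 86401.0):
        print(f"elapsed={e:9.1f}  posix={posix_time(e):.3f}  smeared={smeared_time(e):.6f}")
    print("posix backward steps around the leap:", backward_steps(posix_time, 86390, 86410, 0.5))
    print("smear backward steps around the leap:", backward_steps(smeared_time, 86390, 86410, 0.5))
```

The backwards step is the case that tripped the Java runtime mentioned above; a smeared feed trades it for a clock that is up to half a second off UTC during the window, which is fine for most servers but not for anything that must agree with an unsmeared peer to better than that (mixing the two kinds of feed is exactly the "who wins?" problem the thread raises).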


Re: Intrusion Detection recommendations

2015-02-19 Thread Joe Klein
I now have a few moments to discuss Security Onion, and why it works well
for many small and mid-sized organizations.

Security Onion is a Linux distro for IDS, NSM, and log management. The
whole thing can be run on a single system, or on separate systems, based on
the needs, network and security architecture, and budget. From an IDS
sensor standpoint it contains:

1. Snort, Suricata – Focused on network-based signature detection, or what
   I call "the barn door is open, and the horse is gone" detection. This is
   because someone needs to be compromised, and take the time to send out
   signatures (or purchase them) before you can use them. Great if the
   attack is against everyone, or a small community of people that will
   share this information, but not so good if you are the target.
2. Bro – Network-based packet and protocol classifier, which when
   configured, performs:
   a. Internal intelligence analysis
   b. Full session, bidirectional netflow analysis
   c. File extraction
   d. Network reconnaissance
   e. Behavior and statistical analysis on the flow
   f. And much more
3. OSSEC – A comprehensive host-based intrusion detection system with
   fine-grained application/server-specific policies across multiple
   platforms such as Linux, Solaris, AIX, HP-UX, BSD, Windows, Mac and
   VMware ESX.

To catch the traffic, you have:

1. Sguil: The Analyst Console for Network Security Monitoring.
2. Squert is a web application that is used to query and view event data
   stored in a Sguil database (typically IDS alert data). Squert is a
   visual tool that attempts to provide additional context to events
   through the use of metadata, time series representations and weighted
   and logically grouped result sets. The hope is that these views will
   prompt questions that otherwise may not have been asked.
3. Snorby is a Ruby on Rails web application for network security
   monitoring that interfaces with current popular intrusion detection
   systems (Snort, Suricata and Sagan). The basic fundamental concepts
   behind Snorby are *simplicity*, organization and power. The project
   goal is to create a free, open source and highly competitive
   application for network monitoring for both private and enterprise use.
4. ELSA is a centralized syslog framework built on Syslog-NG, MySQL, and
   Sphinx full-text search. It provides a fully asynchronous web-based
   query interface that normalizes logs and makes searching billions of
   them for arbitrary strings as easy as searching the web.

Packet capture and analysis:

1. Xplico is a network forensics analysis tool (NFAT), which is software
   that reconstructs the contents of acquisitions performed with a packet
   sniffer (e.g. Wireshark, tcpdump, Netsniff-ng).
2. NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows
   (but also works in Linux / Mac OS X / FreeBSD). NetworkMiner can be
   used as a passive network sniffer/packet capturing tool in order to
   detect operating systems, sessions, hostnames, open ports etc. without
   putting any traffic on the network. NetworkMiner can also parse PCAP
   files for off-line analysis and to regenerate/reassemble transmitted
   files and certificates from PCAP files.

The only thing you are missing is a SIEM, for which I recommend the ELK
stack. This includes:

1. elasticsearch - for distributed RESTful search and analytics
2. logstash - manage events and logs - elasticsearch works seamlessly with
   logstash to collect, parse, index, and search logs
3. kibana - visualize logs and time-stamped data - elasticsearch works
   seamlessly with kibana to let you see and interact with your data

All of the above items are Open Source, and have free and paid training and
support, if needed. One can save millions of dollars and get the newest
capabilities.
Contact me off list if you have questions.

Disclosure: I do not sell these products, but I use them.

Joe Klein
"Inveniam viam aut faciam"

On Fri, Feb 13, 2015 at 12:40 PM, Andy Ringsmuth  wrote:

> NANOG'ers,
>
> I've been tasked by our company president to learn about, investigate and
> recommend an intrusion detection system for our company.
>
> We're a smaller outfit, less than 100 employees, entirely Apple-based.
> Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the
> world. We are protected by a FreeBSD firewall setup, and we stay current on
> updates/patches from Apple and FreeBSD, but that's as far as my expertise
> goes.
>
> Initially, what do people recommend for:
>
> 1. Crash course in intrusion detection as a whole
> 2. Suggestions or recommendations for intrusion detection hardware or
> software
> 3. Other things I'm likely overlooking
>
> Thank you all in advance for your wisdom.
>
>
> 
> Andy Ringsmuth
> a...@newslink.com
> News Link – Manager Technology & Facilities
> 2201 Winthrop Rd., Lincoln, NE 68502-4158
> (402) 475-6397(402) 304-0083 cellular
>
>
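
One concrete form of the "behavior and statistical analysis on the flow" the post credits to Bro (now Zeek), as an added example that is not Security Onion or Bro code: parse tab-separated conn.log records using the `#fields` header Bro writes, then flag source/destination/port tuples whose connection timings are too regular to be a person, which is what timer-driven command-and-control check-ins look like. The log lines are constructed for the example, and the `min_conns` and `max_cv` thresholds are assumptions to tune per network.

```python
"""Beacon detection over Bro/Zeek conn.log lines.

Added example, not Security Onion or Bro code. Parses conn.log records
and flags (src, dst, dport) tuples whose inter-connection gaps have a low
coefficient of variation (stdev / mean). Sample data is constructed.
"""
import statistics
from collections import defaultdict

# Constructed sample: a subset of conn.log columns. 10.0.0.5 checks in to
# 203.0.113.7:443 roughly every 60 s with small jitter; 10.0.0.9 browses
# 198.51.100.20:80 at irregular intervals and makes two DNS queries.
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
#types\ttime\tstring\taddr\tport\taddr\tport\tenum
1424000000.000\tCa\t10.0.0.5\t50100\t203.0.113.7\t443\ttcp
1424000005.000\tCb\t10.0.0.9\t50101\t198.51.100.20\t80\ttcp
1424000007.000\tCc\t10.0.0.9\t50102\t198.51.100.20\t80\ttcp
1424000040.000\tCd\t10.0.0.9\t50103\t198.51.100.20\t80\ttcp
1424000041.500\tCe\t10.0.0.9\t50104\t198.51.100.20\t80\ttcp
1424000060.200\tCf\t10.0.0.5\t50105\t203.0.113.7\t443\ttcp
1424000119.900\tCg\t10.0.0.5\t50106\t203.0.113.7\t443\ttcp
1424000180.100\tCh\t10.0.0.5\t50107\t203.0.113.7\t443\ttcp
1424000200.000\tCi\t10.0.0.9\t50108\t198.51.100.20\t80\ttcp
1424000203.000\tCj\t10.0.0.9\t50109\t198.51.100.20\t80\ttcp
1424000240.000\tCk\t10.0.0.5\t50110\t203.0.113.7\t443\ttcp
1424000299.800\tCl\t10.0.0.5\t50111\t203.0.113.7\t443\ttcp
1424000300.000\tCm\t10.0.0.9\t40000\t10.0.0.53\t53\tudp
1424000360.300\tCn\t10.0.0.5\t50112\t203.0.113.7\t443\ttcp
1424000500.000\tCo\t10.0.0.9\t50113\t198.51.100.20\t80\ttcp
1424000600.000\tCp\t10.0.0.9\t40001\t10.0.0.53\t53\tudp
"""


def parse_conn_log(text):
    """Yield one dict per record, keyed by the column names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # #separator, #types, #close etc. carry no records
        if fields is None:
            raise ValueError("record before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"malformed record: {line!r}")
        yield dict(zip(fields, values))


def find_beacons(text, min_conns=6, max_cv=0.1):
    """Return tuples whose inter-connection gaps have coefficient of variation <= max_cv.

    A person browsing produces bursty, high-CV gaps; an implant on a timer
    produces near-constant gaps, so CV stays near 0 even with some jitter.
    Tuples with fewer than min_conns connections are ignored as too short
    to judge.
    """
    timestamps = defaultdict(list)
    for rec in parse_conn_log(text):
        key = (rec["id.orig_h"], rec["id.resp_h"], int(rec["id.resp_p"]))
        timestamps[key].append(float(rec["ts"]))

    hits = []
    for (src, dst, dport), ts in timestamps.items():
        if len(ts) < min_conns:
            continue
        ts.sort()  # conn.log is not guaranteed to be time-ordered
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "count": len(ts), "mean_interval": mean, "cv": cv})
    hits.sort(key=lambda h: h["cv"])
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONN_LOG):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"n={hit['count']} every {hit['mean_interval']:.1f}s cv={hit['cv']:.4f}")
```

Run it over a day of real conn.log and expect legitimate timers too (NTP, monitoring agents, software update checks); the value is in the allowlist you build from those and in the residue that is left. Implants that randomize their sleep interval push the CV up, so this catches the lazy ones; pairing the timing test with bytes-out regularity narrows the rest.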


Routing between TATA COMMUNICATIONS and Level 3 Communications, Inc.

2015-11-02 Thread Joe Klein
Found a routing problem between TATA COMMUNICATIONS and Level 3
Communications, Inc.

Attempted traceroute from Digital Ocean to FrontRange Internet :

traceroute to www.asx.com (2607:fa88:1000:5::a744:a050) from
2604:a880:800:10::1ba:5001, 30 hops max, 24 byte packets
 1  2604:a880:800:10::::fff2 (2604:a880:800:10::::fff2)  2.638 ms  1.354 ms  1.101 ms
 2  2604:a880:800::701 (2604:a880:800::701)  0.418 ms  0.338 ms  0.289 ms
 3  decix-nyc.he.net (2001:504:36::1b1b:0:1)  11.43 ms  9.492 ms  1.132 ms
 4  10ge16-1.core1.nyc4.he.net (2001:470:0:259::1)  10.062 ms  9.559 ms  1.177 ms
 5  level3.gige-g3-5.core1.nyc4.he.net (2001:470:0:202::2)  2.989 ms  2.773 ms  1.515 ms
 6  2001:1900:19:5::8 (2001:1900:19:5::8)  1.427 ms  1.402 ms  1.344 ms
 7  vl-4060.car2.NewYork2.Level3.net (2001:1900:4:1::fe)  1.349 ms  1.332 ms  1.967 ms
 8  vl-4061.car1.Chicago1.Level3.net (2001:1900:4:1::21)  22.435 ms  71.92 ms  57.907 ms
 9  vl-4040.edge1.Chicago2.Level3.net (2001:1900:4:1::1e)  23.516 ms  23.427 ms  23.414 ms
10  vl-4042.edge6.Denver1.Level3.net (2001:1900:4:1::35)  46.468 ms  46.58 ms  46.779 ms
11  vl-51.ear1.Denver1.Level3.net (2001:1900:13:1::8)  47.678 ms  47.647 ms  47.861 ms
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *

Traceroute from the FrontRange Internet to Digital Ocean:

traceroute6 2604:a880:800:10::1ba:5001
traceroute to 2604:a880:800:10::1ba:5001 (2604:a880:800:10::1ba:5001), 30
hops max, 80 byte packets
 1  2607:fa88:1000:5::fffd (2607:fa88:1000:5::fffd)  0.554 ms  0.471 ms  0.375 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  2001:5a0:3900::3e (2001:5a0:3900::3e)  75.679 ms  78.276 ms  77.441 ms
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

Please contact off-line.

Joe Klein
"Inveniam viam aut faciam"


Re: how to deal with port scan and brute force attack from AS 8075 ?

2016-03-31 Thread Joe Klein
Use IPv6, bind a second address to the device. Enable on a random port, on
this new address. Remove ssh from the other IP address.

Joe Klein
"Inveniam viam aut faciam"

PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8

On Thu, Mar 31, 2016 at 4:06 AM, Robert Kisteleki  wrote:

>
> > How do you deal with such massive amount of 'illegal' traffic ?
>
> Move SSH to a different port. Better yet, use IPv6 only :-)
>
> Robert
>
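
The advice above, carried out in a repeatable way, as an added example that is not code from the thread: pick a random interface identifier inside the host's /64 (skipping the subnet-router and RFC 2526 reserved anycast identifiers), pick a random high port, and render the sshd_config lines and the ip(8) command that bind sshd only there. The prefix `2001:db8:1::/64`, the interface `eth0` and the port range are placeholders and assumptions; the range stays below Linux's default outbound ephemeral range (32768-60999) so outgoing connections cannot collide with the listener.

```python
"""Move sshd to a dedicated, randomly chosen IPv6 address and port.

Added example, not code from the thread. Prefix, interface and port
range are placeholders/assumptions; see the lead-in.
"""
import ipaddress
import secrets

PORT_MIN, PORT_MAX = 10000, 32767   # assumption: above privileged, below ephemeral

# RFC 2526 reserves the top 128 interface identifiers of each subnet for
# anycast, in both the EUI-64 form (fdff:ffff:ffff:ff80-ffff) and the
# non-EUI-64 form (ffff:ffff:ffff:ff80-ffff); IID 0 is the subnet-router anycast.
_RESERVED_IID_PREFIXES = (0xFDFFFFFFFFFFFF80, 0xFFFFFFFFFFFFFF80)


def random_host_address(prefix, rng=secrets.randbits):
    """Return a random address inside a /64, avoiding reserved interface IDs.

    `rng(bits)` must return an integer with that many random bits; it is a
    parameter so the choice can be replayed in tests.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    while True:
        iid = rng(64)
        if iid == 0 or (iid & 0xFFFFFFFFFFFFFF80) in _RESERVED_IID_PREFIXES:
            continue
        return ipaddress.IPv6Address(int(net.network_address) + iid)


def random_port(rng=secrets.randbits):
    """Return a random listener port in [PORT_MIN, PORT_MAX] (32-bit draw keeps modulo bias negligible)."""
    return PORT_MIN + rng(32) % (PORT_MAX - PORT_MIN + 1)


def render_sshd_config(addr, port):
    """sshd_config lines that bind sshd only to [addr]:port.

    A ListenAddress with an explicit port overrides Port, and with no other
    ListenAddress present sshd no longer listens on the primary address.
    """
    return (
        "AddressFamily inet6\n"
        f"ListenAddress [{addr}]:{port}\n"
        "PasswordAuthentication no\n"
    )


def render_ip_command(addr, iface):
    """ip(8) command that adds the dedicated address to the interface."""
    return f"ip -6 addr add {addr}/64 dev {iface}"


def plan(prefix, iface, rng=secrets.randbits):
    """Pick address and port and return everything needed to apply them."""
    addr = random_host_address(prefix, rng)
    port = random_port(rng)
    return {
        "address": str(addr),
        "port": port,
        "ip_command": render_ip_command(addr, iface),
        "sshd_config": render_sshd_config(addr, port),
    }


if __name__ == "__main__":
    p = plan("2001:db8:1::/64", "eth0")  # placeholder prefix and interface
    print(p["ip_command"])
    print(p["sshd_config"])
```

Add the address persistently (your distribution's network configuration, not just the one-off `ip` command) and run `sshd -t` before restarting, with an existing session kept open, since sshd will not start if its only ListenAddress is absent from the host. The random address only hides the listener from scanners of the /64; it still leaks through DNS, logs, known_hosts and anyone who has connected, so key-only authentication stays the real control.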


Re: Galaxy S6 is IPv6 on all US National Mobile carriers

2015-04-13 Thread Joe Klein
Was in a meeting over 4 years ago, where the people from Verizon were
claiming they would be rolling out IPv6 for FIOS in the following years.
Still waiting.

Can anyone confirm or deny that Verizon FIOS requires an upgrade to the ONT
and router for its "FiOS Quantum" service in order to get IPv6?

Joe Klein
"Inveniam viam aut faciam"

On Mon, Apr 13, 2015 at 10:25 PM, Matt Palmer  wrote:

> On Mon, Apr 13, 2015 at 09:42:07PM -0400, Jared Mauch wrote:
> > > On Apr 13, 2015, at 9:02 PM, Christopher Morrow <
> morrowc.li...@gmail.com> wrote:
> > > On Mon, Apr 13, 2015 at 7:30 PM, Will Dean 
> wrote:
> > >> Reddit started using CloudFlare late last year, so they should able to
> > >> serve content up over v6.
> > >
> > > nice!
> >
> > Sorry to rain on your parade:
> >
> > dhcp-7f01:~ jared% host -t  www.reddit.com.
> > www.reddit.com has no  record
>
> "should be able to serve" != "are serving".
>
> - Matt
>
> --
> If you are a trauma surgeon and someone dies on your table, [...] everyone
> would know you "did your best".  When someone does something truly stupid
> with their system and it dies and you can't resuscitate it, you must be
> incompetent or an idiot.  -- Julian Macassey, in the Monastery
>
>


Re: OPM Data Breach - Whitehouse Petition - Help Wanted

2015-06-18 Thread Joe Klein
Based on prior work in this space, the problems are as follows:

0. Political appointees don't stick around for long, therefore they can
always point to the last guy as the problem. They are also gone before the
impact of the lack of security focus reaches their jobs.

1. Executives and middle managers are not compensated or recognized for
having secure systems, therefore operations and missions take priority. This
includes disabling all security if the operation requires it, and the PM
justifies it.

2. Architecture of systems seldom includes a security architect from the
beginning, with security added later at a substantial expense.

3. Test plans are inadequate and at times the wrong test plan for the
technology being audited.

4. Third-party contractors performing audits and assessments are paid by
the IT department to provide a favorable report, as quickly as possible. To
accomplish this, the testing is minimal, the qualifications of the staff
are low, and the contractor's PM has the ability to change findings to
ensure the customer looks good.

5. System and network admins - they too are not compensated for secure
systems, only for systems that are operating. This forces prioritizing
operations over security.

6. Developers are not held accountable for secure code, and their
contractors ignore the issues, even in the few instances where a security
clause is included in the contract.

7. Many architectures are built around a security product, and not the risk
profile.

8. Stovepipes - Many organizations have competing political goals, and spend
time on CYA instead of making things secure by default.

9. Contractor staff training – contractors promise training to
customer-facing staff, but never budget for that training. Instead the
contracting companies see this as OJT on the taxpayer's dime.

From a game theory standpoint, it turns out security always loses.

Joe Klein
"Inveniam viam aut faciam"

On Thu, Jun 18, 2015 at 1:35 PM, William Herrin  wrote:

> On Wed, Jun 17, 2015 at 8:54 PM, Ronald F. Guilmette
>  wrote:
> > I've just started a new Whitehouse Petition, asking
> > that the director of OPM, Ms. Archueta, be fired for gross incompetence.
>
> Hi Ronald,
>
> The core problem here is that the Authority To Operate (ATO) process
> consumes essentially the entire activity of a USG computing project's
> security staff. The non-sensical compliance requirements, which if
> taken literally just about prevent you from ever connecting any
> computer to any other, get in the way of architecting systems around
> pragmatic and effective security.
>
> There's no use blaming the director for a broken system she's
> compelled to employ, one far out of her control. The next warmer of
> that seat is constrained to do no better.
>
> Regards,
> Bill Herrin
>
>
>
> --
> William Herrin  her...@dirtside.com  b...@herrin.us
> Owner, Dirtside Systems . Web: <http://www.dirtside.com/>
>


Overlay broad patent on IPv6?

2015-07-13 Thread Joe Klein
I was recently reading a few IPv6 patents, and happened upon one developed by
Wesley E. George, Time Warner Cable Inc., on the topic of "Use of DNS
information as trigger for dynamic IPv4 address allocation".

It seems to impact the allocation of the IPv4 & IPv6 address for the
gateway router, software defined consumer CPE, UPNP, CGN,  content-based
network, residential broadband networks; DSL networks; fiber-to-the-home
(FTTH), fiber-to-the-node (FTTN), or fiber-to-the-curb (FTTC) networks;
wireless Internet service providers (WISP)(fixed wireless to replace home
broadband, typically in rural areas); or indeed to any situation with an
on-demand IPv4 connection and dynamically assigned addressing.

Am I reading this wrong? Has Time Warner patented all functions on the CPE?

Joe Klein
"Inveniam viam aut faciam"


Re: Overlay broad patent on IPv6?

2015-07-13 Thread Joe Klein
http://www.google.com/patents/US20130254423

Sorry missed the link.



Joe Klein
"Inveniam viam aut faciam"

On Mon, Jul 13, 2015 at 4:52 AM, Joe Klein  wrote:

> I was recently reading a few IPv6 patents, and happened upon one developed
> by Wesley E. George, Time Warner Cable Inc., on the topic of "Use of DNS
> information as trigger for dynamic IPv4 address allocation".
>
> It seems to impact the allocation of the IPv4 & IPv6 address for the
> gateway router, software defined consumer CPE, UPNP, CGN,  content-based
> network, residential broadband networks; DSL networks; fiber-to-the-home
> (FTTH), fiber-to-the-node (FTTN), or fiber-to-the-curb (FTTC) networks;
> wireless Internet service providers (WISP)(fixed wireless to replace home
> broadband, typically in rural areas); or indeed to any situation with an
> on-demand IPv4 connection and dynamically assigned addressing.
>
> Am I reading this wrong? Has Time Warner patented all functions on the CPE?
>
> Joe Klein
> "Inveniam viam aut faciam"
>


Re: WSJ: Dozens of Countries Hit in Chinese Telecom Hacking Campaign, Top U.S. Official Says

2024-12-05 Thread Joe Klein
I was wrong. Here is a list:
https://firewalltimes.com/att-data-breaches/
https://firewalltimes.com/verizon-data-breaches/
https://firewalltimes.com/google-data-breach-timeline/

Over the past 25 years, security researchers worldwide have consistently
identified new SS7 vulnerabilities (thank you AT&T) each year. Furthermore,
at BlackHat around 2006, a researcher revealed several major
vulnerabilities in law enforcement tools, techniques, and technologies.





Joe Klein

"inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene 1)
"*I skate to where the puck is going to be, not to where it has been."
-- *Wayne
Gretzky
"I never lose. I either win or learn" - Nelson Mandela


On Thu, Dec 5, 2024 at 4:06 PM Joe Klein  wrote:

> Here is the public Breach Report for T-Mobile.
> https://firewalltimes.com/t-mobile-data-breaches/
> Unable to find AT&T, Verizon or several other companies on the list.
>
> Joe Klein
>
> "inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene 1)
> "*I skate to where the puck is going to be, not to where it has been."
> -- *Wayne Gretzky
> "I never lose. I either win or learn" - Nelson Mandela
>
>
> On Thu, Dec 5, 2024 at 3:43 PM Ryan Wilkins  wrote:
>
>> There’s been a question about T-Mobile being part of this or not.  I have
>> no specific knowledge, but just count the number of times they’ve been
>> hacked in the past (that we know of) and draw your conclusion that they’re
>> part of this.
>>
>> Ryan Wilkins
>>
>> On Dec 5, 2024, at 3:38 PM, Joe Klein  wrote:
>>
>> 
>> I suspect that a gag order has been issued for the other companies, and a
>> cybersecurity incident response team has already been hired and is in place.
>>
>> Joe Klein
>>
>> "inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene
>> 1)
>> "*I skate to where the puck is going to be, not to where it has been."
>> -- *Wayne Gretzky
>> "I never lose. I either win or learn" - Nelson Mandela
>>
>>
>> On Thu, Dec 5, 2024 at 9:58 AM Jason Iannone 
>> wrote:
>>
>>> CNN mentioned Lumen. T-Mo?
>>>
>>> On Wed, Dec 4, 2024 at 5:22 PM J. Hellenthal via NANOG 
>>> wrote:
>>>
>>>> Failing to find a list of providers that were hit. Anyone know more ? I
>>>> don't see them mentioned.
>>>> Verizon & AT&T I know of.
>>>>
>>>> --
>>>>  J. Hellenthal
>>>>
>>>> The fact that there's a highway to Hell but only a stairway to Heaven
>>>> says a lot about anticipated traffic volume.
>>>>
>>>> > On Dec 4, 2024, at 14:59, Sean Donelan  wrote:
>>>> >
>>>> > 
>>>> > At least eight U.S. telecommunications firms were compromised in the
>>>> attack, a senior White House official said
>>>> >
>>>> >
>>>> https://www.wsj.com/politics/national-security/dozens-of-countries-hit-in-chinese-telecom-hacking-campaign-top-u-s-official-says-2a3a5cca
>>>> >
>>>> > Chinese government officials have denied responsibility for the
>>>> hacking
>>>> >
>>>> >
>>>> > Anne Neuberger, President Biden’s deputy national security adviser
>>>> for cyber and emerging technology
>>>> >
>>>> > “We believe that the voluntary approach has proved inadequate for the
>>>> most critical companies that underpin our critical infrastructure. So we
>>>> want to complement CISA’s efforts with regulatory efforts."
>>>>
>>>


Re: WSJ: Dozens of Countries Hit in Chinese Telecom Hacking Campaign, Top U.S. Official Says

2024-12-05 Thread Joe Klein
Here is the public Breach Report for T-Mobile.
https://firewalltimes.com/t-mobile-data-breaches/
Unable to find AT&T, Verizon or several other companies on the list.

Joe Klein

"inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene 1)
"*I skate to where the puck is going to be, not to where it has been."
-- *Wayne
Gretzky
"I never lose. I either win or learn" - Nelson Mandela


On Thu, Dec 5, 2024 at 3:43 PM Ryan Wilkins  wrote:

> There’s been a question about T-Mobile being part of this or not.  I have
> no specific knowledge, but just count the number of times they’ve been
> hacked in the past (that we know of) and draw your conclusion that they’re
> part of this.
>
> Ryan Wilkins
>
> On Dec 5, 2024, at 3:38 PM, Joe Klein  wrote:
>
> 
> I suspect that a gag order has been issued for the other companies, and a
> cybersecurity incident response team has already been hired and is in place.
>
> Joe Klein
>
> "inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene 1)
> "*I skate to where the puck is going to be, not to where it has been."
> -- *Wayne Gretzky
> "I never lose. I either win or learn" - Nelson Mandela
>
>
> On Thu, Dec 5, 2024 at 9:58 AM Jason Iannone 
> wrote:
>
>> CNN mentioned Lumen. T-Mo?
>>
>> On Wed, Dec 4, 2024 at 5:22 PM J. Hellenthal via NANOG 
>> wrote:
>>
>>> Failing to find a list of providers that were hit. Anyone know more ? I
>>> don't see them mentioned.
>>> Verizon & AT&T I know of.
>>>
>>> --
>>>  J. Hellenthal
>>>
>>> The fact that there's a highway to Hell but only a stairway to Heaven
>>> says a lot about anticipated traffic volume.
>>>
>>> > On Dec 4, 2024, at 14:59, Sean Donelan  wrote:
>>> >
>>> > 
>>> > At least eight U.S. telecommunications firms were compromised in the
>>> attack, a senior White House official said
>>> >
>>> >
>>> https://www.wsj.com/politics/national-security/dozens-of-countries-hit-in-chinese-telecom-hacking-campaign-top-u-s-official-says-2a3a5cca
>>> >
>>> > Chinese government officials have denied responsibility for the hacking
>>> >
>>> >
>>> > Anne Neuberger, President Biden’s deputy national security adviser for
>>> cyber and emerging technology
>>> >
>>> > “We believe that the voluntary approach has proved inadequate for the
>>> most critical companies that underpin our critical infrastructure. So we
>>> want to complement CISA’s efforts with regulatory efforts."
>>>
>>


Re: WSJ: Dozens of Countries Hit in Chinese Telecom Hacking Campaign, Top U.S. Official Says

2024-12-05 Thread Joe Klein
I suspect that a gag order has been issued for the other companies, and a
cybersecurity incident response team has already been hired and is in place.

Joe Klein

"inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene 1)
"*I skate to where the puck is going to be, not to where it has been."
-- *Wayne
Gretzky
"I never lose. I either win or learn" - Nelson Mandela


On Thu, Dec 5, 2024 at 9:58 AM Jason Iannone 
wrote:

> CNN mentioned Lumen. T-Mo?
>
> On Wed, Dec 4, 2024 at 5:22 PM J. Hellenthal via NANOG 
> wrote:
>
>> Failing to find a list of providers that were hit. Anyone know more ? I
>> don't see them mentioned.
>> Verizon & AT&T I know of.
>>
>> --
>>  J. Hellenthal
>>
>> The fact that there's a highway to Hell but only a stairway to Heaven
>> says a lot about anticipated traffic volume.
>>
>> > On Dec 4, 2024, at 14:59, Sean Donelan  wrote:
>> >
>> > 
>> > At least eight U.S. telecommunications firms were compromised in the
>> attack, a senior White House official said
>> >
>> >
>> https://www.wsj.com/politics/national-security/dozens-of-countries-hit-in-chinese-telecom-hacking-campaign-top-u-s-official-says-2a3a5cca
>> >
>> > Chinese government officials have denied responsibility for the hacking
>> >
>> >
>> > Anne Neuberger, President Biden’s deputy national security adviser for
>> cyber and emerging technology
>> >
>> > “We believe that the voluntary approach has proved inadequate for the
>> most critical companies that underpin our critical infrastructure. So we
>> want to complement CISA’s efforts with regulatory efforts."
>>
>