Re: Jenkins amplification
On Mon, 3 Feb 2020 16:13:34 -0500, Christopher Morrow may have written:
> My experience, and granted it's fairly scoped, is that this sort of thing
> works fine for a relatively small set of 'persons' and 'resources'.

Seeing as managing this sort of thing is my primary job these days ...

> it ends up being about the cross-product of #users * #resources.

That's the interesting part of the job - coalescing rules in a way that minimises the security impact but maximises the decrease of complexity. If you don't, you get an explosion of complexity that results in a set of rules (I know of an equivalent organisation that has over 1,000 firewall rules) that becomes insanely complex to manage.

> certainly a more holistic version of the story is correct.
> the relatively flippant answer way-back-up-list of: "vpn"

I think that "vpn" is the right answer - it's preferable to publishing services to the entire world that only need to be used by employees. But it's not cheap or easy.

-- 
Mike Meredith, University of Portsmouth
Hostmaster, Security, and Chief Systems Engineer
Re: IPv4 and Auctions
On Thu, 24 Oct 2019 08:18:47 -0400 (EDT), Jon Lewis may have written:
> IP space was handed out to organizations (and even to individuals) long
> before the RIRs like ARIN were created. Those "assignments" /
> "allocations" (whatever you want to call them) are outside of the control
> of the RIRs because they had no involvement in them.

I don't know about others but "my" SRI-NIC allocation passed to RIPE control some while back, as a "legacy" (mnt-by: RIPE-NCC-LEGACY-MNT) block. Although it was fairly easy to predict where it should go.

-- 
Mike Meredith, University of Portsmouth
Chief Systems Engineer, Hostmaster, Security, and Timelord!
Re: Spitballing IoT Security
On Thu, 27 Oct 2016 07:59:00 +0200, Eliot Lear may have written:
> Well yes. uPnP is a problem precisely because it is some random device
> asserting on its own that it can be trusted to do what it wants. Had

From my own personal use (and I'm aware that this isn't a general solution), I'd like a device that sat on those uPnP requests until I logged into the admin interface to review them. Now if you could automate _me_ then it might become more generally useful :-

uPnP(ssh, for admin access) -> f/w
f/w -> uPnP device: Don't be silly.

> But if instead of a pet feeder we're talking about a home file sharing
> system or a video camera where you don't want to share the feed into the
> cloud? There will be times when people want inbound connections. We
> need an architecture that supports them.

As someone who manages an application-based firewall, every problem looks like it would be easier to solve using an application-based firewall :)

-- 
Mike Meredith, University of Portsmouth
Principal Systems Engineer, Hostmaster, Security, and Timelord!
Re: ICANN GDPR lawsuit
On Wed, 6 Jun 2018 08:01:35 +0300, Hank Nussbacher may have written:
> "The European Commission has insisted it is *not subject to the strict
> new data protection law* that it has imposed across Europe after it was
> revealed the personal information of hundreds of people had been leaked
> on its website. "

Neglecting where it goes on to say "it would be subject to a new law that “mirrors” GDPR which will come into effect in the autumn.".

-- 
Mike Meredith, University of Portsmouth
Hostmaster, Security, and Chief Systems Engineer
Re: unwise filtering policy on abuse mailboxes
On Wed, 1 Aug 2018 11:19:36 -0400, Rich Kulawiec may have written:
> On Tue, Jul 24, 2018 at 05:53:48PM -0700, Dan Hollis wrote:
> > I'm saying people who filter their abuse mailboxes need to stop doing
> > so.
>
> 1. They needed to stop doing so a few decades ago. Anybody still doing
> it today is doing it on purpose, which of course leads directly to the
> question: why?

Never assume malice ("on purpose") for something which can be adequately explained by incompetence.

-- 
Mike Meredith, University of Portsmouth
Chief Systems Engineer, Hostmaster, Security, and Timelord!
Re: DNS Flag Day, Friday, Feb 1st, 2019
On Thu, 24 Jan 2019 11:22:44 +1100, Mark Andrews may have written:
> If you run a firewall in front of your DNS server you may be broken.

If you run a firewall in front of your DNS server and the firewall breaks EDNS, then your firewall is broken. And has been for a long, long time. I put a firewall in place back in 2004, and EDNS compliance was one of the tests back then.

-- 
Mike Meredith, University of Portsmouth
Chief Systems Engineer, Hostmaster, Security, and Timelord!
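The "EDNS compliance" test mentioned above can be reduced to one question: does a query that carries an EDNS0 OPT pseudo-record come back with an OPT record, a FORMERR, or nothing at all? The following is an added example (not code from the thread or from the University of Portsmouth) that builds such a query, parses the reply far enough to find the OPT record in the additional section, and classifies the three outcomes a firewall in the path can produce. The query name, the `probe()` helper, and the constructed responses used for offline testing are assumptions of this example.

```python
import socket
import struct
from typing import Optional

# Added example: minimal EDNS0 checker. Packet layouts follow RFC 1035 / RFC 6891.
EDNS_UDP_SIZE = 4096   # UDP payload size we advertise in the OPT record
OPT_TYPE = 41


def build_edns_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Standard recursive query for `name` with one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, ARCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner name, TYPE=41, CLASS=UDP size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, EDNS_UDP_SIZE, 0, 0)
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Extract rcode and OPT presence/advertised size from a DNS response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4      # QTYPE + QCLASS
    result = {"id": txid, "rcode": flags & 0xF, "answers": an,
              "has_opt": False, "udp_size": 512}
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            result["has_opt"] = True
            result["udp_size"] = rclass     # CLASS field of OPT carries the UDP size
    return result


def classify(response: Optional[bytes]) -> str:
    """Map what came back to the three outcomes an EDNS-breaking middlebox produces."""
    if response is None:
        return "no response (EDNS query dropped or timed out)"
    r = parse_response(response)
    if r["rcode"] == 1 and not r["has_opt"]:
        return "FORMERR without OPT (EDNS not understood)"
    if not r["has_opt"]:
        return "OPT record stripped from response"
    return f"ok (EDNS, advertised UDP size {r['udp_size']})"


def build_response(query: bytes, rcode: int = 0, with_answer: bool = True,
                   with_opt: bool = True) -> bytes:
    """Constructed response to `query`, used to exercise the checker offline."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:_skip_name(query, 12) + 4]
    # A record for the queried name (compression pointer to offset 12), TEST-NET-1 address
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])) if with_answer else b""
    opt = (b"\x00" + struct.pack("!HHIH", OPT_TYPE, EDNS_UDP_SIZE, 0, 0)) if with_opt else b""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1,
                         1 if with_answer else 0, 0, 1 if with_opt else 0)
    return header + question + answer + opt


def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Live check: send one EDNS query over UDP to `server` and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(EDNS_UDP_SIZE)
        except socket.timeout:
            return classify(None)
    return classify(data)


if __name__ == "__main__":
    q = build_edns_query("example.com")
    for label, resp in [("clean path", build_response(q)),
                        ("OPT stripped", build_response(q, with_opt=False)),
                        ("FORMERR", build_response(q, rcode=1, with_answer=False, with_opt=False)),
                        ("dropped", None)]:
        print(f"{label:12s}: {classify(resp)}")
```

A silent timeout is the outcome to watch for: a firewall that drops queries with an OPT record looks, from the resolver's side, like an unreachable server, and after Flag Day resolvers no longer retry without EDNS to paper over it.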
Re: A Zero Spam Mail System [Feedback Request]
On Wed, 20 Feb 2019 19:01:40 -0700, "Forrest Christian (List Account)" may have written:
> On Wed, Feb 20, 2019 at 1:24 PM Matthew Black wrote:
> > Have you ever created a sendmail.cf without using M4?
>
> I still believe that sendmail is Alien technology. How else can one
> explain sendmail.cf? And although I can't say for sure that I

I always thought of sendmail.cf as a language for writing MTAs in. I did do *bits* in sendmail.cf but switched to Exim before I got too damaged.

> sendmail.cf file which wasn't working as one would expect. I'm also
> not 100% certain that m4 was even an option for the first sendmail

It wasn't a Sendmail 8 introduction perhaps?

-- 
Mike Meredith, University of Portsmouth
Chief Systems Engineer, Hostmaster, Security, and Timelord!
Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking
On 27 Feb 2019 13:07:09 -0500, "John Levine" may have written:
> The IETF one says that nobody used type 99, and some of the few
> implementations we saw were broken, so we deprecated it.

And just after I'd finished adding in all the SPF records too, so I had to turn around and take all them out again immediately after.

-- 
Mike Meredith, University of Portsmouth
Hostmaster, Security, and Chief Systems Engineer
Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking
On Wed, 27 Feb 2019 19:59:49 -0800, Seth Mattinen may have written:
> We kind of have that with RP records. But does anyone do it?

I used to before various IPAM vendors claimed it was deprecated; I've still got legacy code that queries for it (and the TXT equivalent) as well as the new gooey IPAM thing.

-- 
Mike Meredith, University of Portsmouth
Chief Systems Engineer, Hostmaster, Security, and Timelord!
Re: Oracle DBA
On Wed, 13 Mar 2019 17:44:13 -0700, Randy Bush may have written:
> ya. none of us run oracle

Yeah but some of us walk it.

-- 
Mike Meredith, University of Portsmouth
Chief Systems Engineer, Hostmaster, Security, and Timelord!
Re: Templating/automating configuration
On Wed, 14 Jun 2017 21:35:59 +0100, Nick Hilliard may have written:
> What do you think the purpose of change control / management is?

To provide employment for change managers of course.

-- 
Mike Meredith, University of Portsmouth
Chief Systems Engineer, Hostmaster, Security, and Timelord!
Re: Recent trouble with QUIC?
On Wed, 23 Sep 2015 19:01:19 -0500, Sean Hunter may have written:
> a) Has anyone here had a similar experience? Was the root cause QUIC
> in your case?

Yes. No; in our case our firewall (a PA5060 running PANOS6.1.3 at the time) was allowing some QUIC packets through, but not others. As it was newly deployed at the time, it was soon blamed :-\

> b) Has anyone noticed anything remotely similar in the last few
> weeks/days/today?

Only because I enabled QUIC within Chrome on our test network to verify that it was still a problem.

> We're an Apps domain, so this may be specific to universities in the
> Apps universe.

As are we.

-- 
Mike Meredith, University of Portsmouth
Principal Systems Engineer, Hostmaster, Security, and Timelord!
Re: Anycast provider for SMTP?
On Thu, 18 Jun 2015 15:51:31 -0400, "Joe Abley" may have written:
> Since DHCP uses broadcast and multicast addresses when a client is
> discovering a server, it's not obvious why you'd have to.

And broadcast/multicast when renewing a lease (DHCPREQUEST). You will of course see unicast addresses on the server side if the server is seeing requests forwarded by a udp helper.

> You can run redundant sets of isc-dhcpd servers together serving the
> same broadcast domain and have them assign leases from the same
> address pools (at least, I've never tried it, but I was within

Indeed. Rock solid in my experience (on a "little" network).

-- 
Mike Meredith, University of Portsmouth
Principal Systems Engineer, Hostmaster, Security, and Timelord!
Re: Can somebody explain these ransomwear attacks?
Hi!

On Fri, 25 Jun 2021 18:56:36 +0300, "Alex K." may have written:
> Ah ... and one more thing. Gladly, it is not our (network folks) life's
> complicated. It's system/DBA/and security folks, lives. But I don't want
> to get cocky. We got SDN :-)

Yet. Probably. Ransomware gangs /do/ target infrastructure - currently known to be DNS servers (Microsoft), hypervisors, backups, etc. I wouldn't assume that they wouldn't try attacking the network itself today or in the future.

-- 
Mike Meredith, University of Portsmouth
Hostmaster, Security, and Chief Systems Engineer
Re: Colombia Network Operators Group
On Mon, 23 Sep 2019 14:06:36 -0700, "Scott Weeks" may have written:
> >the Cisco Umbrella security researchers."
>
> Fascinating. What is the security threat I wonder, that there is no
> JavaScript?
> ---

Security threats aren't limited to JavaScript. It could be an entirely static site which is still worth blocking (see phishing). Or it's possible that the registration is new enough that it's blocked just for that reason - although at a month old, it should be beyond that window. Or the site hasn't been categorised ("unknown") which is enough to block for an especially Evil Firewall Admin[0].

0: I may be an Evil Firewall Admin, but I'm not an especially EFA.

-- 
Mike Meredith, University of Portsmouth
Hostmaster, Security, and Chief Systems Engineer
Re: Update to BCP-38?
As an Evil Firewall Administrator™, I have an interest in this area ...

On Fri, 4 Oct 2019 15:05:29 -0700, William Herrin may have written:
> On Thu, Oct 3, 2019 at 2:28 PM Keith Medcalf wrote
> > Anyone who says something like that is not a "security geek". They are
> > a "security poser", interested primarily in "security by obscurity" and
> > "security theatre", and have no clue what they are talking about.

Hmm ... 'primarily in "security by obscurity"' ... that does tend to indicate a severe case of cluelessness (and that's coming from someone who doesn't let his right hand know what his left hand is up to without justification that has been signed off in triplicate).

To give a real world example, removing headers from an Apache web server doesn't do much to increase security (it's mostly to keep auditors happy) because automated attacks will hit your exposed Apache servers anyway, and a sophisticated attacker will note the removal and adopt the strategy of an automated attack.

> more important information you'd like to deny to him. There's a 5-step
> process used by the U.S. Military but the TL;DR version is: if you don't
> have to reveal something, don't.

You've ignored step 1 - identifying critical information that needs protecting. It makes sense to protect information that needs protecting and don't lose sleep over information that doesn't need protecting. Not many of us are planning an invasion of a Nazi-infected Europe any time soon.

-- 
Mike Meredith, University of Portsmouth
Hostmaster, Security, and Chief Systems Engineer
Re: Update to BCP-38?
On Tue, 8 Oct 2019 13:59:58 +, Mark Collins may have written:
> Not everyone attacking your systems is going to have the skills or
> knowledge to get in though - simple tricks (like hiding what web server
> you use) can prevent casual attacks from script kiddies and others who
> aren't committed to targeting you, freeing your security teams to focus
> on the serious threats.

Er ... no. Not according to real world data (my firewall logs). Most attacks are fully automated and they don't (always) bother with complex logic to determine which attacks to try. For instance I constantly see Apache Struts attacks against servers that

a) may or may not be running Apache (the headers are removed)
b) definitely aren't running Struts.

In fact many attacks are sufficiently automated that the human behind the scenes won't even know a system has been compromised if it doesn't successfully pick up the second stage of the payload and 'phone home'.

-- 
Mike Meredith, University of Portsmouth
Chief Systems Engineer, Hostmaster, Security, and Timelord!
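The point in the post above, that the scanners never check what you run before probing it, is easy to see in your own access logs once you group requests by source and by the stack each request is fishing for. The following is an added example (not code from the thread or from the poster's firewall) that does that triage over a few constructed Combined Log Format lines: a static-content server with no Struts, PHP or phpMyAdmin deployed, one source that probes all three within two seconds, and one that probes only for Struts. The log lines, the probe signatures, and the `deployed` set are assumptions of this example; extend the signature table with whatever your own logs show.

```python
import re
from typing import Dict, Optional, Set

# Constructed sample access log (Apache Combined Log Format), not real log data.
# Sources use documentation prefixes (RFC 5737); the site serves only static HTML.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Oct/2019:14:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Oct/2019:14:01:05 +0000] "GET /struts2-showcase/index.action HTTP/1.1" 404 312 "-" "python-requests/2.22.0"
198.51.100.7 - - [08/Oct/2019:14:01:05 +0000] "POST /login.action HTTP/1.1" 404 312 "-" "python-requests/2.22.0"
198.51.100.7 - - [08/Oct/2019:14:01:06 +0000] "GET /wp-login.php HTTP/1.1" 404 312 "-" "python-requests/2.22.0"
198.51.100.7 - - [08/Oct/2019:14:01:06 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 312 "-" "python-requests/2.22.0"
203.0.113.10 - - [08/Oct/2019:14:02:10 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.55 - - [08/Oct/2019:14:03:00 +0000] "GET /admin/login.action HTTP/1.1" 404 312 "-" "curl/7.64.0"
"""

# Fields we need from each line: source, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Which application stack a request path is fishing for. Order matters: the more
# specific phpMyAdmin pattern is checked before the generic ".php" one.
PROBE_PATTERNS = [
    ("struts", re.compile(r"\.action(\?|$)|/struts", re.I)),
    ("phpmyadmin", re.compile(r"/phpmyadmin", re.I)),
    ("php", re.compile(r"\.php(\?|$)", re.I)),
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one access log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def probe_family(path: str) -> Optional[str]:
    """Return the stack a path is probing for, or None if it matches no signature."""
    for family, pattern in PROBE_PATTERNS:
        if pattern.search(path):
            return family
    return None


def triage(log_text: str, deployed: Set[str] = frozenset()) -> Dict[str, dict]:
    """Group requests by source and decide whether each source is an untargeted scanner.

    `deployed` names the stacks this server actually runs; probes for anything
    else are by definition not informed by what the server advertises.
    """
    per_src: Dict[str, dict] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        e = per_src.setdefault(rec["src"], {"requests": 0, "not_found": 0, "families": set()})
        e["requests"] += 1
        if rec["status"] == 404:
            e["not_found"] += 1
        fam = probe_family(rec["path"])
        if fam:
            e["families"].add(fam)
    for e in per_src.values():
        foreign = e["families"] - set(deployed)
        if len(foreign) >= 2:
            e["verdict"] = f"automated scanner: probed {len(foreign)} stacks not deployed here"
        elif foreign:
            e["verdict"] = f"probe for undeployed stack: {next(iter(foreign))}"
        elif e["families"]:
            e["verdict"] = "probe for a deployed stack: worth a closer look"
        else:
            e["verdict"] = "no known probe signatures"
    return per_src


if __name__ == "__main__":
    for src, e in triage(SAMPLE_LOG).items():
        print(f"{src:14s} {e['requests']} req, {e['not_found']} x 404, "
              f"{sorted(e['families']) or '-'}: {e['verdict']}")
```

The useful output is the split between sources: the ones that blast several unrelated stacks at a server answering 404 to all of them are the background noise the post describes, and hiding the Server header changes nothing about them; the rarer source that probes only what you actually run is the one that deserves a human's attention.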
Re: VDSL
On Thu, 17 Oct 2019 09:45:35 +0100 (BST), "t...@pelican.org" may have written:
> The chickens have come home to roost now though, as they're struggling to
> find a cool branding for the subsequent FTTP roll-out, and not getting
> any better than "full fibre", a.k.a "we lied to you last time, but this
> time it really is..."

"We misspelt it last time - it should have been 'fibber broadband'; this time it's proper 'fibre broadband'"

-- 
Mike Meredith, University of Portsmouth
Hostmaster, Security, and Chief Systems Engineer