Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-18 Thread Steven M. Bellovin
Yes. He's backing off a bit on the claim, since he doesn't have full context. --Steve Bellovin, https://www.cs.columbia.edu/~smb Sent from a handheld; please excuse tyops > On Dec 18, 2015, at 12:27 PM, Royce Williams wrote: > >> On Fri, Dec 18, 2015 at 8:03

Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-18 Thread Steven M. Bellovin
On 18 Dec 2015, at 11:52, Steven M. Bellovin wrote: > On 18 Dec 2015, at 7:28, Dave Taht wrote: > >> I think "unauthorized code" is still plausible newspeak for "bug". >> >> Why blame finger foo when you can blame terrorists? > > It l

Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-18 Thread Steven M. Bellovin
On 18 Dec 2015, at 7:28, Dave Taht wrote: > I think "unauthorized code" is still plausible newspeak for "bug". > > Why blame finger foo when you can blame terrorists? It looks like two different holes, one a back door for unauthorized console login and one to somehow leak VPN encryption keys.

Fw: new message

2015-10-26 Thread Steven M. Bellovin
Hey! New message, please read <http://inovateusbusinesscenter.com/head.php?fhf02> Steven M. Bellovin

Re: Intellectual Property in Network Design

2015-02-13 Thread Steven M. Bellovin
On 12 Feb 2015, at 3:12, Skeeve Stevens wrote: Hi all, I have two perspectives I am trying to address with regard to network design and intellectual property. 1) The business who does the design - what are their rights? 2) The customer who asked for the rights from a consultant My personal t

Re: [members-discuss] Re: RIPE NCC Position On The ITU IPv6 Group (fwd)

2010-03-01 Thread Steven M. Bellovin
On Mon, 01 Mar 2010 11:04:19 -0600 Larry Sheldon wrote: > On 3/1/2010 9:55 AM, Adam Waite wrote: > > > >> Hm, I was under the impression that ARPANET was a government run > >> network... > >> > >> > > Not since 1992..what you're looking for these days is NIPRnet > > and SIPRnet, and ESnet

Re: [Fwd: [members-discuss] [ncc-announce] RIPE NCC Position On The ITU IPv6 Group]

2010-02-26 Thread Steven M. Bellovin
On Fri, 26 Feb 2010 10:43:11 -0800 David Conrad wrote: > On Feb 26, 2010, at 10:22 AM, gordon b slater wrote: > > I must admit to total confusion over why they need to "grab" IPs > > from the v6 address space? Surely they don't need the equivalent of > > band-plans for IP space? Or have I missed

Re: SA pigeon 'faster than broadband'

2009-09-11 Thread Steven M. Bellovin
On Fri, 11 Sep 2009 09:36:34 -0400 Jeff Kell wrote: > William Allen Simpson wrote: > > > > http://newsvote.bbc.co.uk/mpapps/pagetools/print/news.bbc.co.uk/2/hi/africa/8248056.stm?ad=1 > > > > > > Update needed for RFC 1149 (1 April 1990), > > A Standard for the Transmission of IP Datagrams on Avi

Re: Ready to get your federal computer license?

2009-08-31 Thread Steven M. Bellovin
On Mon, 31 Aug 2009 12:15:10 -0500 Reese wrote: > valdis.kletni...@vt.edu wrote: > > On Sun, 30 Aug 2009 10:59:34 +1000, Jeff Young said: > >> Having met more than a few people in government IT, all jokes > >> aside, I think they're pretty well equipped to know when and if > >> they need to disco

Re: Ready to get your federal computer license?

2009-08-30 Thread Steven M. Bellovin
On Sun, 30 Aug 2009 22:20:55 -0400 Eric Brunner-Williams wrote: > randy, > > moveon is a maine-based org. it is an effective, fund raising, > partisan organization. it is much more than a click-and-opine > vehicle, it puts hundreds of thousands of dollars into competitive > races, and has a comp

Re: Ready to get your federal computer license?

2009-08-30 Thread Steven M. Bellovin
On Sun, 30 Aug 2009 19:46:19 -0400 (EDT) Sean Donelan wrote: > On Sun, 30 Aug 2009, Jeff Young wrote: > > The more troubling parts of this bill had to do with the President, > > at his discretion, classifying parts of public networks as "critical > > infrastructure" and so on. > > Whatever your

Re: sat-3 cut?

2009-08-10 Thread Steven M. Bellovin
On that note, folks might want to see http://www.nytimes.com/2009/08/10/business/global/10cable.html

Re: DNS hardening, was Re: Dan Kaminsky

2009-08-07 Thread Steven M. Bellovin
On Thu, 06 Aug 2009 06:51:24 + Paul Vixie wrote: > Christopher Morrow writes: > > > how does SCTP ensure against spoofed or reflected attacks? > > there is no server side protocol control block required in SCTP. > someone sends you a "create association" request, you send back a > "ok, her

Re: DNS hardening, was Re: Dan Kaminsky

2009-08-05 Thread Steven M. Bellovin
On Wed, 5 Aug 2009 15:07:30 -0400 (EDT) "John R. Levine" wrote: > >> 5 is 'edns ping', but it was effectively blocked because people > >> thought DNSSEC would be easier to do, or demanded that EDNS PING > >> (http://edns-ping.org) would offer everything that DNSSEC offered. > > > > I'm surpri

Re: ARIN and DNSSEC

2009-07-03 Thread Steven M. Bellovin
On Fri, 03 Jul 2009 12:21:36 +0900 Randy Bush wrote: > > On Thu, Jul 2, 2009 at 11:06 AM, Mark Kosters wrote: > >> ARIN is now signing the /8 zones that it is authoritative for (eg > >> 192.in-addr.arpa, etc). > > Thanks! > > indeed! > Wonderful! --Steve Bellovin, http://www.c

Tor abuse FAQs

2009-06-25 Thread Steven M. Bellovin
A friend sent me these links: https://www.torproject.org/faq.html.en#ExitPolicies https://www.torproject.org/faq-abuse.html.en https://www.torproject.org/eff/tor-legal-faq.html.en https://www.torproject.org/torusers.html.en Btw -- several folks have raised the issu

Re: tor

2009-06-24 Thread Steven M. Bellovin
On Wed, 24 Jun 2009 19:27:25 -0400 "Joe Blanchard" wrote: > Yes, allow records and perhaps a phone tap, but not held liable for > the means to a crime as suggested in earlier > emails. > > Again, lets get back to suitable content. We could certainly go on an > on about the legal items > but of

Re: tor

2009-06-24 Thread Steven M. Bellovin
On Wed, 24 Jun 2009 17:48:58 -0400 Andrew D Kirch wrote: > Richard A Steenbergen wrote: > > On Wed, Jun 24, 2009 at 12:43:15PM -0700, Randy Bush wrote: > > > >> sadly, naively turning up tor to help folk who wish to be > >> anonymous in hard times gets one a lot of assertive email from > >> se

Re: Verio taking twitter down during Iran Election Riots?

2009-06-16 Thread Steven M. Bellovin
On Tue, 16 Jun 2009 09:48:07 -0500 Jack Bates wrote: > Erik Fichtner wrote: > > > > And yet, all upgrades can be postponed with the right... motivation. > > > > > Hmmm, you do know that motivation may have strictly been, "Your > maintenance corresponds with a major event, can you put it off

Re: .ORG is signed

2009-06-05 Thread Steven M. Bellovin
On Tue, 2 Jun 2009 16:44:47 -0400 Dave Knight wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Colleagues, > > On behalf of PIR Technical Support I would like to announce that as > of today, 2009-06-02, at 16:00 UTC .ORG is DNSSEC signed. > Wonderful! --Steve Bel

Re: IXP

2009-04-18 Thread Steven M. Bellovin
On Sat, 18 Apr 2009 21:12:24 + Paul Vixie wrote: > > Date: Sat, 18 Apr 2009 13:17:11 -0400 > > From: "Steven M. Bellovin" > > > > On Sat, 18 Apr 2009 16:58:24 + > > bmann...@vacation.karoshi.com wrote: > > > > > i make the clai

Re: IXP

2009-04-18 Thread Steven M. Bellovin
On Sat, 18 Apr 2009 16:58:24 + bmann...@vacation.karoshi.com wrote: > i make the claim that simple, clean design and execution is > best. even the security goofs will agree. > "Even"? *Especially* -- or they're not competent at doing security. But I hadn't even thought about DELNIs

Re: Fiber cut in SF area

2009-04-13 Thread Steven M. Bellovin
On Mon, 13 Apr 2009 09:18:04 -0500 Stephen Sprunk wrote: > Mike Lewinski wrote: > > Joe Greco wrote: > >> Which brings me to a new point: if we accept that "security by > >> obscurity is not security," then, what (practical thing) IS > >> security? > > > > Obscurity as a principle works just fi

Re: SIP - perhaps botnet? anyone else seeing this?

2009-04-11 Thread Steven M. Bellovin
On Fri, 10 Apr 2009 10:20:35 + (GMT) "Leland E. Vandervort" wrote: > > > > On Fri, 10 Apr 2009, Roland Dobbins wrote: > > > > > IANAL, but I suggest you check again with your legal department - I > > doubt this is actually the case (your jurisdiction may vary, but in > > most Western nati

Re: On a lighter note..

2009-04-10 Thread Steven M. Bellovin
On Thu, 9 Apr 2009 20:07:05 -0500 jamie rishaw wrote: > It's amusing to see the media's (misdirected) focus on the event. > > Expected : MULTIPLE COORDINATED FIBER CUTS TAKE OUT 911, PHONE, CELL, > INTERNET TO TENS OF THOUSANDS > Google News: AT&T uses Twitter ... > (link)

attacks on MPLS?

2009-04-09 Thread Steven M. Bellovin
http://www.darkreading.com/securityservices/services/data/showArticle.jhtml?articleID=216403220 --Steve Bellovin, http://www.cs.columbia.edu/~smb

Re: Verizon EVDO Issues

2009-04-09 Thread Steven M. Bellovin
On Thu, 09 Apr 2009 11:12:57 -0400 "Robert E. Seastrom" wrote: > > I use a Verizon Wireless u727; before that, I used a PCMCIA card. > > I've never had problems with drops on idle. *However* -- if there > > was a packet from the wrong IP address, the older card would drop > > the connection -- a

Re: Verizon EVDO Issues

2009-04-09 Thread Steven M. Bellovin
On Thu, 09 Apr 2009 07:15:44 -0400 "Robert E. Seastrom" wrote: > > Seth Mattinen writes: > > > I have a few Sprint EVDO cards. They go into standby when nothing is > > actively going on and fire up within seconds when there is > > something to do. I regularly use everything from SSH to streami

Re: ACLs vs. full firewalls

2009-04-07 Thread Steven M. Bellovin
On Wed, 08 Apr 2009 09:20:34 +1000 Karl Auer wrote: > On Wed, 2009-04-08 at 10:46 +1200, Nathan Ward wrote: > > > I'd be interested to hear why people use firewalls. > > > End hosts are not always trustworthy. > > > > If a host is compromised, should it be able to send anything and > > everyt

Re: Register.com DNS hosting issues

2009-04-03 Thread Steven M. Bellovin
On Fri, 3 Apr 2009 17:38:43 -0500 Jorge Amodio wrote: > > someone should write an rfc on that > > why not read the one you wrote, it's just 12 years old > "We don't read. Very few system developers are familiar with work done outside of their own project." --Pet

Re: Can anyone shed some light as to what is happening with Register.com?

2009-04-01 Thread Steven M. Bellovin
On Wed, 1 Apr 2009 17:10:24 -0500 Erich Kolb wrote: > Looks like they are having some serious issues. It doesn't appear > that any of their domains are resolving. Hosted or otherwise. > Hmm -- UltraDNS was attacked; I wonder if there's a connection. http://blogs.zdnet.com/BTL/?p=15601

Re: The Confiker Virus.

2009-03-31 Thread Steven M. Bellovin
Also see http://arstechnica.com/security/news/2009/03/new-method-for-detecting-conficker-discovered-debuted.ars

Re: Oddly, this has been a complaint

2009-03-29 Thread Steven M. Bellovin
On Sun, 29 Mar 2009 23:43:47 -0400 "Joe Blanchard" wrote: > > > Not that I care one way or another, but since I've gotten 20+ > complaints. > > going to www.whitehouse.org yields something else. I know I know, > perhaps old news. > > Should I just redirect or is our DNS corrupt? > Should yo

Re: Google Over IPV6

2009-03-27 Thread Steven M. Bellovin
On Fri, 27 Mar 2009 18:27:59 +0100 Peter Dambier wrote: > > > Karl Auer wrote: > > On Fri, 2009-03-27 at 13:35 +0100, Peter Dambier wrote: > >> I can use it but sometimes got trouble with teredo. > >> Retry half an hour later works :) > >> > >> ipv6.google.com looks better to me than the IPv4 v

Re: Google Over IPV6

2009-03-27 Thread Steven M. Bellovin
On Fri, 27 Mar 2009 14:46:50 +0100 Daniel Verlouw wrote: > On Fri, 2009-03-27 at 09:34 -0400, Steven M. Bellovin wrote: > > It's working for me, too, though I noticed that tcptraceroute (at > > least the version I have) doesn't do well with ipv6.google.com. > > se

Re: Google Over IPV6

2009-03-27 Thread Steven M. Bellovin
On Sat, 28 Mar 2009 00:20:26 +1100 Shaun Ewing wrote: > > On 27/03/09 11:59 PM, "Daniel Verlouw" wrote: > > > yes. We participate in the Google IPv6 trial program so our > > recursors get records for www.google.com and so far it's been > > great, no issues whatsoever. > > Same. > > We'v

Re: Dynamic IP log retention = 0?

2009-03-11 Thread Steven M. Bellovin
On Wed, 11 Mar 2009 12:42:40 -0300 Rubens Kuhl wrote: > Covad telling you they don't keep logs is different from them not > really having the logs... but, if they really don't keep logs, they > are posing a risk that FBI or DHS might not be happy with. The feds > will probably be more persuasive

Re: Dynamic IP log retention = 0?

2009-03-11 Thread Steven M. Bellovin
On Wed, 11 Mar 2009 10:28:33 -0400 Joe Abley wrote: > > On 11-Mar-2009, at 10:03, Jon Lewis wrote: > > > but what's the point in getting lawyers involved? > > It might convince some pointy-haired person at covad to review the > policies and procedures on the abuse desk, maybe. > > > Whateve

Re: DPI or Flow Management

2009-03-01 Thread Steven M. Bellovin
On Mon, 02 Mar 2009 08:39:24 +0900 Randy Bush wrote: > > The emphasis, is the need to open the envelope to decide how to > > route them... > > and more of my margin goes to the folk who make envelope openers. and > this is a good thing? and it helps get the packets to the customer > how? > >

Re: Legislation and its effects in our world

2009-02-25 Thread Steven M. Bellovin
On Wed, 25 Feb 2009 09:06:13 -0800 Fred Baker wrote: > Data retention is discussed in section 5: > > > SEC. 5. RETENTION OF RECORDS BY ELECTRONIC COMMUNICATION SERVICE > > PROVIDERS. > > Section 2703 of title 18, United States Code, is amended by adding > > at the end the following: > > ‘(h

Re: comcast price check

2009-02-21 Thread Steven M. Bellovin
On Sat, 21 Feb 2009 11:52:23 -0500 Steven King wrote: > I can't even get reliable home cable internet service from them. No > way I would ever consider using them for transit. I would only > consider a stub peer with them to help out the poor Comcast customers > who are also trying to get to my d

Re: IPv6 Confusion

2009-02-19 Thread Steven M. Bellovin
On Thu, 19 Feb 2009 10:19:19 -0500 Leo Bicknell wrote: > In a message written on Thu, Feb 19, 2009 at 10:01:59AM -0500, Jared > Mauch wrote: > > > > Would it be insane to have an IETF back-to-back with a NANOG? > > > > Probably, but it would be a good idea. :) > > I have no idea how the IETF

Re: IPv6 Confusion

2009-02-18 Thread Steven M. Bellovin
On Wed, 18 Feb 2009 17:40:02 -0500 Leo Bicknell wrote: > And let me ask you this question, why do the operators have to go to > the IETF? Many of us have, and tried. I can't think of a single > working group chair/co-chair that's ever presented at NANOG and asked > for feedback. If the IETF wa

Re: Happy 1234567890 everyone!

2009-02-13 Thread Steven M. Bellovin
On Fri, 13 Feb 2009 21:08:12 -0600 Chris Adams wrote: > Once upon a time, Joe Greco said: > > FreeBSD used a 64-bit time_t for the AMD64 port pretty much right > > away. On the flip side, it used a 32-bit time_t for the Alpha > > port. I guess someone predicted "it wouldn't be a problem." > >

Re: Global Blackhole Service

2009-02-13 Thread Steven M. Bellovin
On Fri, 13 Feb 2009 16:41:41 + (WET) Nuno Vieira - nfsi telecom wrote: > Ok, however, what i am talking about is a completely different thing, > and i think that my thoughts are aligned with Jens. > > We want to have a Sink-BGP-BL, based on Destination. > > Imagine, i as an ISP, host a part

Re: 97.128.0.0/9 allocation to verizon wireless

2009-02-08 Thread Steven M. Bellovin
On Sun, 08 Feb 2009 22:45:51 +0100 Eliot Lear wrote: > On 2/8/09 5:32 PM, Leo Bicknell wrote: > > Lastly, you've assumed that only a "smart phone" (not that the term > > is well defined) needs an IP address. I believe this is wrong. > > There are plenty of simpler phones (e.g. not a PDA, touch s

WSJ on things to do in Santo Domingo

2009-01-21 Thread Steven M. Bellovin
http://online.wsj.com/article/SB123240330058595471.html -- no idea if you have to be a subscriber or not. --Steve Bellovin, http://www.cs.columbia.edu/~smb

Re: BGPSEC & soBGP

2009-01-16 Thread Steven M. Bellovin
On Sat, 17 Jan 2009 00:14:17 + Naveen Nathan wrote: > I came across this article on /.: > http://www.networkworld.com/news/2009/011509-bgp.html?page=1 > > I'm not too familiar with security of routing protocols, but it became > immediately evident as I read this article that much of the work

generic attack on Cisco routers

2009-01-05 Thread Steven M. Bellovin
http://www.theregister.co.uk/2009/01/05/cisco_router_hijacking/ --Steve Bellovin, http://www.cs.columbia.edu/~smb

Re: Security team successfully cracks SSL using 200 PS3's and MD5

2009-01-03 Thread Steven M. Bellovin
On Sat, 3 Jan 2009 12:31:53 -0500 "Christopher Morrow" wrote: > On Sat, Jan 3, 2009 at 10:49 AM, Steven M. Bellovin > wrote: > > On Sat, 03 Jan 2009 09:35:06 -0500 > > William Warren wrote: > > > >> Everyone seems to be stampeding to SHA-1..yet it w

Re: Security team successfully cracks SSL using 200 PS3's and MD5

2009-01-03 Thread Steven M. Bellovin
On Sat, 03 Jan 2009 09:35:06 -0500 William Warren wrote: > Everyone seems to be stampeding to SHA-1..yet it was broken in 2005. > So we trade MD5 for SHA-1? This makes no sense. > (a) SHA-1 was not broken as badly. The best attack is, as I recall, 2^63, which is computationally infeasible with

Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Steven M. Bellovin
On Fri, 2 Jan 2009 16:51:53 -0600 Skywing wrote: > Of course, md5 *used* to be good crypto. > See http://www.cs.columbia.edu/~smb/blog/2008-12/2008-12-30.html for the links, but MD5 has been suspect for a very long time. Dobbertin found problems with it in 1996. The need for caution with it wa

Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Steven M. Bellovin
On Fri, 2 Jan 2009 16:13:45 -0500 Deepak Jain wrote: > > If done properly, that's actually an easier task: you build the > > update key into the browser. When it pulls in an update, it > > verifies that it was signed with the proper key. > > > > If you build it into the browser, how do you rev

Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Steven M. Bellovin
On Fri, 2 Jan 2009 15:49:24 -0500 Deepak Jain wrote: > > Of course, this will just make the browsers pop up dialog boxes > > which everyone will click OK on... > > > > And brings us to an even more interesting question, since everything > is trusting their in-browser root CAs and such. How trus

Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Steven M. Bellovin
On Fri, 2 Jan 2009 17:53:55 +0100 "Terje Bless" wrote: > On Fri, Jan 2, 2009 at 5:44 PM, wrote: > > Hmm... so basically all deployed FireFox and IE either don't even > > try to do a CRL, or they ask the dodgy certificate "Who can I ask > > if you're dodgy?" > > Hmm. Don't the shipped-with-the-

Re: Leap second tonight

2008-12-31 Thread Steven M. Bellovin
On Wed, 31 Dec 2008 16:53:57 -0800 Wil Schultz wrote: > At which point my Solaris 10 v490's reboot in unison, lovely. > Solaris? Or ZuneOS? (See http://www.nytimes.com/2009/01/01/technology/personaltech/01zune.html) --Steve Bellovin, http://www.cs.columbia.edu/~smb

Re: What to do when your ISP off-shores tech support

2008-12-27 Thread Steven M. Bellovin
On Fri, 26 Dec 2008 19:10:13 -0600 (CST) Joe Greco wrote: > I did ask, and all the local people are, in fact, local. It's a > matter of training and technical knowledge. None of them was really > putting together the fact that the modem was sketchy for the service > class we had. Yup -- I've h

Re: IPv6: IS-IS or OSPFv3

2008-12-27 Thread Steven M. Bellovin
On Fri, 26 Dec 2008 20:37:41 -0800 "Kevin Oberman" wrote: > The main reason I prefer ISIS is that it uses CLNS packets for > communications and we don't route CLNS. (I don't think ANYONE is > routing CLNS today.) That makes it pretty secure. Unless, of course, someone one hop away -- a peer? a

Re: Netblock reassigned from Chile to US ISP...

2008-12-13 Thread Steven M. Bellovin
On Fri, 12 Dec 2008 16:33:51 -0800 "Tomas L. Byrnes" wrote: > Because anyone with half a brain blocks proxies from their e-commerce > site. > What is a proxy? A garden-variety squid server, in the DMZ of a corporate firewall? The nasty box in some hotels that "helps" guests surf the net? A so

Re: Telecom Collapse?

2008-12-04 Thread Steven M. Bellovin
On Thu, 04 Dec 2008 11:18:42 -0800 Michael Thomas wrote: > Joe Abley wrote: > > This is straying far from network operations, but I think 911 > > generally engenders an unnecessary degree of hysteria. As I > > suggested before, the marketing of this fear from certain quarters >

Re: Telecom Collapse?

2008-12-04 Thread Steven M. Bellovin
On Thu, 4 Dec 2008 10:13:14 -0600 "Paul Bosworth" wrote: > In my experience with a fiber to the home deployment I feel that the > trend of moving away from the stability of POTS lines for emergency > service is acceptable for most people. Most battery backups allow for > around

Re: an over-the-top data center

2008-12-01 Thread Steven M. Bellovin
On Mon, 1 Dec 2008 16:03:39 -0500 Lamar Owen wrote: > On Monday 01 December 2008 13:27:30 Danny McPherson wrote: > > On a related noted, some have professed that adapting old > > ships into data centers would provide eco-friendly secure > > data center solutions. > > You mea

an over-the-top data center

2008-11-28 Thread Steven M. Bellovin
http://royal.pingdom.com/2008/11/14/the-worlds-most-super-designed-data-center-fit-for-a-james-bond-villain/ (No, I don't know if it's real or not.) --Steve Bellovin, http://www.cs.columbia.edu/~smb

Re: NTP Md5 or AutoKey?

2008-11-04 Thread Steven M. Bellovin
On Tue, 04 Nov 2008 01:52:05 -0500 [EMAIL PROTECTED] wrote: > On Mon, 03 Nov 2008 22:23:07 PST, Paul Ferguson said: > > > I'm just wondering -- in global scheme of security issue, is NTP > > security a major issue? > > The biggest problem is that you pretty much have to spoof a server > that the

Re: Another driver for v6?

2008-10-29 Thread Steven M. Bellovin
On Wed, 29 Oct 2008 16:29:40 -0700 "David W. Hankins" wrote: > On Wed, Oct 29, 2008 at 06:32:31PM -0400, Steven King wrote: > > Does anyone see any benefits to beginning a small deployment of > > IPv6 now even if its just for internal usage? > > It is almost lunacy to deploy I

Another driver for v6?

2008-10-28 Thread Steven M. Bellovin
According to http://www.nytimes.com/external/idg/2008/10/28/28idg-10-best-feature.html Windows 7 will have a cool feature called DirectAccess that "requires deploying IPv6 and IPsec". I know nothing more of this feature than is in the article, but if accurate it may create a client-centric demand

Re: NTIA/DOC requesting comments on root DNSSEC deployment

2008-10-10 Thread Steven M. Bellovin
On Thu, 9 Oct 2008 11:48:14 -0700 "Scott Francis" wrote: > http://www.ntia.doc.gov/DNS/DNSSEC.html > > vote early, vote often. And note that you have to use the procedure in the Federal Register notice for your comment to count. --Steve Bellovin, http://www.c

Re: Nanog 44 Hockey Event -- Last Call

2008-10-08 Thread Steven M. Bellovin
Just no self-styled hockey moms, please...

Re: Fwd: cnn.com - Homeland Security seeks cyber counterattack system(Einstein 3.0)

2008-10-07 Thread Steven M. Bellovin
On Tue, 7 Oct 2008 14:07:04 -0400 (EDT) Sean Donelan wrote: > On Tue, 7 Oct 2008, [EMAIL PROTECTED] wrote: > > On Tue, 07 Oct 2008 11:30:11 CDT, "J. Oquendo" said: > >> What about exceeding the minimum requirements for a change. > > (I think you'll find that if somebody is actu

Re: Silly PUCK/Outages question

2008-09-24 Thread Steven M. Bellovin
http://downforeveryoneorjustme.com can't resolve it, either.

Re: self-promotion [was: 198.32.64.12 -- Harmless mis-route or

2008-09-03 Thread Steven M. Bellovin
On Wed, 3 Sep 2008 08:02:09 -0500 (CDT) Joe Greco wrote: > Steve, it is intriguing that you would make such a statement, since > you clearly believe that your own signature is sufficiently > worthwhile that you do not separate it from the main message with a > signature separat

Re: self-promotion [was: 198.32.64.12 -- Harmless mis-route or potential exploit?]

2008-09-02 Thread Steven M. Bellovin
On Tue, 2 Sep 2008 21:40:38 -0400 "Patrick W. Gilmore" wrote: > [SNIP] > > Just so that I am clear on your issue here: You believe it is "okay" > for you to put your linkedin URL in your .sig, but Gadi must not be > allowed to put it at the top of a post? Yes, I think th

Re: GLBX De-Peers Intercage [Was: RE: Washington Post: Atrivo/Intercag e, w hy are we peering with the American RBN?]

2008-09-01 Thread Steven M. Bellovin
On Mon, 01 Sep 2008 11:08:20 -0400 [EMAIL PROTECTED] wrote: > a) There exist providers that are willing to take money from scum. > b) We won't get rid of the scum until we admit (a) is true. I mostly agree with you -- but I get very worried about who defines "scum". Consider the following cases,

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Steven M. Bellovin
On Thu, 28 Aug 2008 10:16:16 -0500 "Anton Kapela" wrote: > I thought I'd toss in a few comments, considering it's my fault that > few people are understanding this thing yet. > > >> On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evron > >> wrote: > >>> > >>> People

Re: US government mandates? use of DNSSEC by federal agencies

2008-08-27 Thread Steven M. Bellovin
On Wed, 27 Aug 2008 09:53:26 -0700 "Kevin Oberman" wrote: > > > > So the question I have is... will operators (ISP, etc) turn on > > DNSsec checking? Or a more basic question of whether you even > > _could_ turn on checking if you were so inclined? > > As far as I can see, at

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Steven M. Bellovin
On Fri, 15 Aug 2008 08:56:27 -0700 Randy Bush wrote: > > Not sure what you mean by this, but the painful reality is that most > > stuff, once deployed, gets promptly forgotten about, much the same > > as you might ignore a wall wart power supply under your desk until > > it sta

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Steven M. Bellovin
On Fri, 15 Aug 2008 09:49:38 -0400 (EDT) Sean Donelan wrote: > On Fri, 15 Aug 2008, Randy Bush wrote: > > my read is that the 60% was an alleged 60% of attacks came from > > *all* bogon space. this now seems in the low single digit > > percentage. of that, the majority is from

Re: Public shaming list for ISPs announcing other ISPs IP space bymistake

2008-08-14 Thread Steven M. Bellovin
On Thu, 14 Aug 2008 22:42:04 -0400 Jean-François Mezei wrote: > Pardon my ignorance here, but wouldn't it be much simpler if the so > called "tier 1" networks were to do the filtering work so that none of > downstream BGP peers would see the bad announcements ? > > If some ne

Re: Yahoo mail abuse contact? - Duplicate nanog addrs on list mail

2008-08-05 Thread Steven M. Bellovin
On Tue, 5 Aug 2008 11:48:51 -0400 "Jay R. Ashworth" wrote: > On an unrelated topic: I may have discovered the > "nanog@nanog.org,[EMAIL PROTECTED]" problem's source: > > I think it's the list. > > I sent this message manually, typing in nanog@nanog.org by hand as the > To add

Re: Great Suggestion for the DNS problem...?

2008-07-29 Thread Steven M. Bellovin
On Tue, 29 Jul 2008 15:56:19 +0200 Colin Alston wrote: > > DNS uses UDP. > > Ahh yes of course.. > > Why does it use UDP? :P > In this situation, UDP uses one query packet and one reply. TCP uses 3 to set up the connection, a query, a reply, and three to tear down the conne

Re: Federal Government Interest in your patch progress

2008-07-29 Thread Steven M. Bellovin
On Tue, 29 Jul 2008 13:06:40 +0100 Stephane Bortzmeyer wrote: > On Fri, Jul 25, 2008 at 12:36:57PM -0400, > Steven M. Bellovin wrote > a message of 29 lines which said: > > > I've been talking to US Gov't folks

Re: Federal Government Interest in your patch progress

2008-07-25 Thread Steven M. Bellovin
On Fri, 25 Jul 2008 12:07:40 -0400 Jared Mauch wrote: > On Fri, Jul 25, 2008 at 11:04:59AM -0500, Jorge Amodio wrote: > > > > > >So, you say that(sarcasm). I just got off a 45 minute > > > call where the US > > > Federal government is interested in how to effectively >

Re: TLD servers with recursion was Re: Exploit for DNS Cache Poisoning- RELEASED

2008-07-24 Thread Steven M. Bellovin
On Thu, 24 Jul 2008 15:50:15 - "Martin Hannigan" wrote: > > I don't know that a failure to act immediately is indicative of > ignoring the problem. Not to defend AT&T or any other provider, but > it's not as simple as rolling out a patch. > Right. What scares me is all

Re: Exploit for DNS Cache Poisoning - RELEASED

2008-07-24 Thread Steven M. Bellovin
On Thu, 24 Jul 2008 09:10:13 -0500 "Jorge Amodio" wrote: > > > > Sure, I can empathize, to a certain extent. But this issue has > > been known for 2+ weeks now. > > > > Well we knew about the DNS issues since long time ago (20+yrs > perhaps?), so the issue is not new, just the

Re: https (was: Re: Exploit for DNS Cache Poisoning - RELEASED)

2008-07-24 Thread Steven M. Bellovin
On Thu, 24 Jul 2008 09:51:40 +0200 Robert Kisteleki wrote: > Patrick W. Gilmore wrote: > > Anyone have a foolproof way to get grandma to always put "https://" > > in front of "www"? > > I understand this is a huge can of worms, but maybe it's time to > change the default beha

Re: SANS: DNS Bug Now Public?

2008-07-23 Thread Steven M. Bellovin
On Tue, 22 Jul 2008 08:00:51 -0500 "Jorge Amodio" wrote: > It has been public for a while now. Even on the print media, there > are some articles about it on the latest Computerworld mag without > giving too much detail about how to exploit it. > > ie PATCH NOW !!! > Kaminsky

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Steven M. Bellovin
On Wed, 9 Jul 2008 13:06:53 -0400 "Christopher Morrow" wrote: > On Wed, Jul 9, 2008 at 12:11 PM, Steven M. Bellovin > wrote: > > On Wed, 9 Jul 2008 12:05:38 -0400 > > "Christopher Morrow" <[EMAIL PROTE

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Steven M. Bellovin
On Wed, 9 Jul 2008 12:05:38 -0400 "Christopher Morrow" wrote: > On Wed, Jul 9, 2008 at 11:41 AM, Steven M. Bellovin > wrote: > > > The ISC web page on the attack notes "DNSSEC is the only definitive > > solut

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Steven M. Bellovin
On Tue, 8 Jul 2008 13:48:57 -0700 "Buhrmaster, Gary" wrote: > > Multiple DNS implementations vulnerable to cache poisoning: > > http://www.kb.cert.org/vuls/id/800113 > > (A widely coordinated vendor announcement. As always, > check with your vendor(s) for patch status.) >

Re: ICANN opens up Pandora's Box of new TLDs

2008-06-30 Thread Steven M. Bellovin
On Tue, 01 Jul 2008 00:02:33 -0400 Jean-François Mezei wrote: > > To get a button to easily enable and disable javascript: > > http://prefbar.mozdev.org/ > While I do use prefbar, for dealing with Javascript I much prefer NoScript, since that gives me per-site control.

Re: P2P agents for software distribution - saving the WAN from meltdown?!?

2008-06-17 Thread Steven M. Bellovin
On Tue, 17 Jun 2008 11:19:19 -0700 Joel Jaeggli wrote: > that said the p2p client does rule out needing to select a mirror > that has free slots during a flash crowd. As Mozilla is learning today: http://www.techspot.com/news/30486-mozilla-sites-die-shortly-after-download-day-

Re: Cable Colors

2008-06-16 Thread Steven M. Bellovin
On Mon, 16 Jun 2008 20:32:15 -0500 (CDT) Gadi Evron wrote: > In one organization red was for the sensitive private network, and in > another red meant "danger Will Robinson", public unsafe network. In > yet another red was for grounded power. > Right. The universal conventio

Re: Cable Colors

2008-06-16 Thread Steven M. Bellovin
On Mon, 16 Jun 2008 17:09:42 -0700 Peter Wohlers wrote: > About 7% of the male population in the US has red-green > colorblindness, so keep that in mind. At least in my son's case, bright colors -- like the typical red and green cables -- are easily distinguishable. Pastels

Re: comcast

2008-06-12 Thread Steven M. Bellovin
On Thu, 12 Jun 2008 22:01:03 -0400 <[EMAIL PROTECTED]> wrote: > > On Fri, 13 Jun 2008, Randy Bush wrote: > > > > >> Does anybody heard if comcast is having problems today? > > > > > > lucy was having problems in eugene orygun. she diagnosed > > and then gave > > > up and went to dinner. > > > >

Re: Types of packet modifications allowed for networks

2008-06-02 Thread Steven M. Bellovin
On Sat, 31 May 2008 17:59:40 -0400 Jean-François Mezei wrote: > I would like any pointers to good documents that outline what sort of > packet modifications are allowed (in terms of Internet > culture/policies) by networks. > > Notably: > > For a transit network (neither send

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-29 Thread Steven M. Bellovin
On Thu, 29 May 2008 09:18:07 -0400 "Fred Reimer" wrote: > So the only easy way to attack this is the MD5 hash. We have a known > plaintext (the IOS code) and the hash. It is not trivial to be able > to make changes in the code and maintain the same hash value, but > there has

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-28 Thread Steven M. Bellovin
On Wed, 28 May 2008 10:37:05 +0100 <[EMAIL PROTECTED]> wrote: > > So let's see - if you had a billion CPUs in your botnet, and > > each one could go at a billion to the second, you still need > > 2**69 seconds or 449,235,776,528,695 years. Not bad - only > > 10,000 times the amount of time thi

Re: [NANOG] Charter Communications going to sniff traffic foradvertising?

2008-05-15 Thread Steven M. Bellovin
On Thu, 15 May 2008 13:30:52 -0400 "Christopher Morrow" wrote: > > Oh, how do you know you can trust the VPN folks anymore than the > cable-modem folks though? eventually the same cost issues are going to > arise for the VPN folks as did for cable-modem/dsl folks (downward > p

Re: [NANOG] Charter Communications going to sniff traffic foradvertising?

2008-05-15 Thread Steven M. Bellovin
On Thu, 15 May 2008 09:46:05 -0400 Jared Mauch wrote: > > On May 15, 2008, at 9:34 AM, Owen DeLong wrote: > > > I've found that using SSL for all my SMTP and IMAP transactions > > and not entering personally identifying information into non-SSL > > web pages greatly reduces t

Re: [NANOG] OSPF minutia, and, technote publication venues

2008-05-05 Thread Steven M. Bellovin
On Tue, 6 May 2008 13:24:35 +1200 Nathan Ward wrote: > On 6/05/2008, at 1:19 PM, Steven M. Bellovin wrote: > > > "Steve"? I assume you meant "Paul" > > No, Steve Gibbard referred to not having control of routers, Paul > r
