2008 IPv4 Address Use Report

2009-01-02 Thread Iljitsch van Beijnum
[ (Non-cross)posted to IETF discussions, NANOG, PPML, RIPE IPv6 wg, Dutch IPv6 TF. Web version for the monospace font impaired and with some links: http://www.bgpexpert.com/addrspace2008.php ] 2008 IPv4 Address Use Report As of January first, 2009, the number of unused IPv4 addresses is 92

BGP Update Report

2009-01-02 Thread cidr-report
BGP Update Report Interval: 01-Dec-08 -to- 01-Jan-09 (32 days) Observation Point: BGP Peering with AS131072 TOP 20 Unstable Origin AS Rank ASNUpds % Upds/PfxAS-Name 1 - AS35805 250272 3.2% 897.0 -- UTG-AS United Telecom AS 2 - AS4323 122592 1.6%

The Cidr Report

2009-01-02 Thread cidr-report
This report has been generated at Fri Jan 2 21:19:11 2009 AEST. The report analyses the BGP Routing Table of AS2.0 router and generates a report on aggregation potential within the table. Check http://www.cidr-report.org for a current version of this report. Recent Table History Date

Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Rodrick Brown
A team of security researchers and academics has broken a core piece of Internet technology. They made their work public at the 25th Chaos Communication Congress in Berlin today. The team was able to create a rogue certificate authority and use it to issue valid SSL certificates for any site they w

Looking for verification that Google and Akamai have the geo-ip for 96.31.0.0/20 set correctly

2009-01-02 Thread Frank Bulk - iName.com
We were assigned a new block from ARIN two weeks ago and are getting several reports from end users that the Spanish and German versions of Google's search page are coming up. IP2Location and Maxmind are mostly correct, but there appears to be no way for me to verify that Google and Akamai have 96

Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Joe Greco
> A team of security researchers and academics has broken a core piece > of Internet technology. They made their work public at the 25th Chaos > Communication Congress in Berlin today. The team was able to create a > rogue certificate authority and use it to issue valid SSL certificates > for any s

Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Joe Abley
On 2009-01-02, at 09:04, Rodrick Brown wrote: A team of security researchers and academics has broken a core piece of Internet technology. They made their work public at the 25th Chaos Communication Congress in Berlin today. The team was able to create a rogue certificate authority and use it t

Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Martin List-Petersen
Joe Abley wrote: > > On 2009-01-02, at 09:04, Rodrick Brown wrote: > >> A team of security researchers and academics has broken a core piece >> of Internet technology. They made their work public at the 25th Chaos >> Communication Congress in Berlin today. The team was able to create a >> rogue c

Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Gadi Evron
On Fri, 2 Jan 2009, Joe Abley wrote: On 2009-01-02, at 09:04, Rodrick Brown wrote: A team of security researchers and academics has broken a core piece of Internet technology. They made their work public at the 25th Chaos Communication Congress in Berlin today. The team was able to create a ro

Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Mikael Abrahamsson
On Fri, 2 Jan 2009, Joe Greco wrote: Anyways, I was under the impression that the whole purpose of the revocation capabilities of SSL was to deal with problems like this, and How to revoke the CA is actually in the file. The fake CA they created didn't have any revocation. MD5 is broken, do

Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Valdis . Kletnieks
On Fri, 02 Jan 2009 09:58:05 CST, Joe Greco said: > Anyways, I was under the impression that the whole purpose of the > revocation capabilities of SSL was to deal with problems like this, and > that a large part of the justification of the cost of an SSL certificate > was the administrative burden

Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Terje Bless
On Fri, Jan 2, 2009 at 5:44 PM, wrote: > Hmm... so basically all deployed FireFox and IE either don't even try to do > a CRL, or they ask the dodgy certificate "Who can I ask if you're dodgy?" Hmm. Don't the shipped-with-the-browser trusted root certificates include a CRL URL?

Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Steven M. Bellovin
On Fri, 2 Jan 2009 17:53:55 +0100 "Terje Bless" wrote: > On Fri, Jan 2, 2009 at 5:44 PM, wrote: > > Hmm... so basically all deployed FireFox and IE either don't even > > try to do a CRL, or they ask the dodgy certificate "Who can I ask > > if you're dodgy?" > > Hmm. Don't the shipped-with-the-

Re: Security team successfully cracks SSL using 200 PS3's and MD5

2009-01-02 Thread Joe Greco
> On Fri, 02 Jan 2009 09:58:05 CST, Joe Greco said: > > Anyways, I was under the impression that the whole purpose of the > > revocation capabilities of SSL was to deal with problems like this, and > > that a large part of the justification of the cost of an SSL certificate > > was the administrati

Re: Security team successfully cracks SSL using 200 PS3's and MD5

2009-01-02 Thread Joe Abley
On 2 Jan 2009, at 12:33, Joe Greco wrote: We cannot continue to justify security failure on the basis that a significant percentage of the clients don't support it, or are broken in their support. That's an argument for fixing the clients. At a more basic level, though, isn't failure guar

Re: Security team successfully cracks SSL using 200 PS3's and MD5

2009-01-02 Thread Robert Mathews (OSIA)
Joe Greco wrote: > [ ] > > Either we take the potential for transparent MitM attacks seriously, or > we do not. I'm sure the NSA would prefer "not." :-) > > As for the points raised in your message, yes, there are additional > problems with clients that have not taken this seriously. It

Weekly Routing Table Report

2009-01-02 Thread Routing Analysis Role Account
This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan. Daily listings are sent to bgp-st...@lists.apnic.net For historical data, please see http://thyme.apnic.net. If you have any comments please contact Philip Smith . Routing

Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Jasper Bryant-Greene
On 3/01/2009, at 6:06 AM, Steven M. Bellovin wrote: On Fri, 2 Jan 2009 17:53:55 +0100 "Terje Bless" wrote: On Fri, Jan 2, 2009 at 5:44 PM, wrote: Hmm... so basically all deployed FireFox and IE either don't even try to do a CRL, or they ask the dodgy certificate "Who can I ask if you're do

Happy New Year! Let the botnets loose!

2009-01-02 Thread Jack Bates
From reports in the CBL database, it appears they have enjoyed some DOS traffic yesterday, and I'm currently enjoying a little 40k+ botnet attack (small botnet beats large one when you host the victim IP). Anyone have any good resources on the breakdowns of the current known botnets and their

Re: Looking for verification that Google and Akamai have the geo-ip for 96.31.0.0/20 set correctly

2009-01-02 Thread Martin Hannigan
Maxmind www.maxmind.com is a fairly good indicator of what geo-locators are seeing, but I recall a recent thread here that there have been disagreements between the various geolocation services. I think that some of it depends on the reference sources i.e. how many and what the algorithms are and

RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Deepak Jain
> Of course, this will just make the browsers pop up dialog boxes which > everyone will click OK on... > And brings us to an even more interesting question, since everything is trusting their in-browser root CAs and such. How trustable is the auto-update process? If one does provoke a mass-revo

Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Steven M. Bellovin
On Fri, 2 Jan 2009 15:49:24 -0500 Deepak Jain wrote: > > Of course, this will just make the browsers pop up dialog boxes > > which everyone will click OK on... > > > > And brings us to an even more interesting question, since everything > is trusting their in-browser root CAs and such. How trus

Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread William Warren
Rodrick Brown wrote: A team of security researchers and academics has broken a core piece of Internet technology. They made their work public at the 25th Chaos Communication Congress in Berlin today. The team was able to create a rogue certificate authority and use it to issue valid SSL certifica

RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Deepak Jain
> If done properly, that's actually an easier task: you build the update > key into the browser. When it pulls in an update, it verifies that it > was signed with the proper key. > If you build it into the browser, how do you revoke it when someone throws 2000 PS3s to crack it, or your hash, or

RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Deepak Jain
> ssl itself wasn't cracked they simply exploited the known vulnerable > md5 > hashing. Another hashing method needs to be used. The encryption algorithm wasn't hacked. Correct. Another hashing method may help. Yup. My problem is with the chain-of-trust and a lack of reasonable or reasonably

RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Skywing
For IE and other things using CryptoAPI on Windows, this should be handled through the automagic root certificate update through Windows Update (if one hasn't disabled it), AFAIK. The question is really whether that mechanism requires a cert rooted at a Microsoft authority or not. The danger b

Re: Looking for verification that Google and Akamai have the geo-ip for 96.31.0.0/20 set correctly

2009-01-02 Thread Mark Foster
Funny this should come up... I've found that a local Mobile Broadband outfit here in NZ are using an IP range that Akamai's Geolocation service thinks is actually in New Jersey. Causes me some oddness as a result - this despite the fact that Maxmind has it correct. Whilst investigating this (j

Re: Security team successfully cracks SSL using 200 PS3's and MD5

2009-01-02 Thread Joe Greco
> On 2 Jan 2009, at 12:33, Joe Greco wrote: > > > We cannot continue to justify security failure on the basis that a > > significant percentage of the clients don't support it, or are > > broken in > > their support. That's an argument for fixing the clients. > > At a more basic level, though,

Anyone else seeing loss in SAVVIS?

2009-01-02 Thread Tomas L. Byrnes
7 170 ms 163 ms 167 ms cr2-pos-0-3-0-2.sanfrancisco.savvis.net [204.70.95.25] 8 * 208 ms * cr1-tengig-0-15-0-0.NewYork.savvis.net [204.70.16.117] 9 170 ms ** kar1-ge-0-0-0.newyork.savvis.net [204.70.193.1] 10 *** Request timed o

Re: Anyone else seeing loss in SAVVIS?

2009-01-02 Thread Jeff Rooney
I'm seeing some loss thru washington: Host Loss% Snt Last Avg Best Wrst StDev 4. 10ge.xe-0-0-0.wdc-eqx-dis-1.peer1.net 0.0%811.0 1.5 0.8 19.1 2.2 5. cpr2-pos-12-0.virginiaequinix.savvis.net 0.0%81 35.0 12.7 1.1 177.2 33.8 6. er2-tengig2-1.virginiaequinix.savvis

Re: Anyone else seeing loss in SAVVIS?

2009-01-02 Thread Henry Linneweh
Target Name: N/A IP: 204.70.95.25   Date/Time: 1/2/2009 1:59:37 PM  1    1 ms    0 ms  home [192.168.1.254]  2   11 ms   11 ms  adsl-75-18-183-254.dsl.pltn13.sbcglobal.net [75.18.183.254]  3   10 ms   10 ms  [64.164.107.130]  4   11 ms    9 ms  bb1-g3-0.pltnca.sbcglobal.net [151.164.43.54]

RE: Security team successfully cracks SSL using 200 PS3's and MD5

2009-01-02 Thread Stasiniewicz, Adam
Something worth noting. I am not sure about Firefox, but with IE 7 (and IE 6 when CRL validation is enabled) when the browser encounters a revoked certificate, it does not present the usual "yes/no" box. Instead, one gets a message basically saying "certificate is revoked, you can't continue, p

Re: Security team successfully cracks SSL using 200 PS3's and MD5

2009-01-02 Thread Florian Weimer
* Joe Greco: > It seems that part of the proposed solution is to get people to move from > MD5-signed to SHA1-signed. There will be a certain amount of resistance. > What I was suggesting was the use of the revocation mechanism as part of > the "stick" (think carrot-and-stick) in a campaign to re

Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Steven M. Bellovin
On Fri, 2 Jan 2009 16:13:45 -0500 Deepak Jain wrote: > > If done properly, that's actually an easier task: you build the > > update key into the browser. When it pulls in an update, it > > verifies that it was signed with the proper key. > > > > If you build it into the browser, how do you rev

RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Skywing
Of course, md5 *used* to be good crypto. – S -Original Message- From: Steven M. Bellovin Sent: Friday, January 02, 2009 14:46 To: Deepak Jain Cc: NANOG Subject: Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. On Fri, 2 Jan 2009 16:13:45 -0500 Deepak Jain

Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Steven M. Bellovin
On Fri, 2 Jan 2009 16:51:53 -0600 Skywing wrote: > Of course, md5 *used* to be good crypto. > See http://www.cs.columbia.edu/~smb/blog/2008-12/2008-12-30.html for the links, but MD5 has been suspect for a very long time. Dobbertin found problems with it in 1996. The need for caution with it wa

London Demon Internet NOC/ENG contact?

2009-01-02 Thread Mike Lyon
Could you please hit me up off list? E-mails to your helpdesk and NOC have gone unanswered. It's in regards to a routing loop: 16 227 ms 204 ms 204 ms park-ll-1-7200.access.demon.net[194.159.245.133] 17 225 ms 204 ms 204 ms lon1-service-1e2-xxx.router.demon.net[194.159.245.130] 18

RR Routing Loop?

2009-01-02 Thread Neil
So my night was fun: I was in the middle of configuring a mail server over SSH when suddenly it goes unresponsive... It seems (to me, but I'm by no means an expert) to be a routing loop. This is off a residential line in Southern California, between about 2-4:30am PST. Does anyone know what was g

RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Skywing
That md5 has now been deprecated for awhile is certainly also true; and people should have definitely moved on by now. Then again, I just got yet another Debian DSA mail which has plaintext download links for new binaries. The integrity verification mechanism for said binaries is, you guessed

RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Deepak Jain
> If you use bad crypto, you lose no matter what. If you use good > crypto, 2,000,000,000 PS3s won't do the job. > Even if you use good crypto, and someone steals your key (say, a previously in-access person) you need a way to reliably, completely, revoke it. This has been a problem with SSL

Re: Security team successfully cracks SSL using 200 PS3's and MD5

2009-01-02 Thread Joe Greco
> * Joe Greco: > > It seems that part of the proposed solution is to get people to move from > > MD5-signed to SHA1-signed. There will be a certain amount of resistance. > > What I was suggesting was the use of the revocation mechanism as part of > > the "stick" (think carrot-and-stick) in a campa

Re: Looking for verification that Google and Akamai have the geo-ip for 96.31.0.0/20 set correctly

2009-01-02 Thread Neil
Or maybe they just shouldn't rely on it so much. It annoys me at the hoops I have to jump through to change the language on Google-owned properties when they think I'm coming from Czechoslovakia or Malaysia or some such... Some, like Blogger, still don't do it right... On Fri, Jan 2, 2009 at 1:3

Re: Security team successfully cracks SSL using 200 PS3's and MD5

2009-01-02 Thread Neil
On Fri, Jan 2, 2009 at 3:29 PM, Joe Greco wrote: >> * Joe Greco: [snip >> > Either we take the potential for transparent MitM attacks seriously, or >> > we do not. I'm sure the NSA would prefer "not." :-) >> >> I doubt the NSA is interested in MITM attacks which can be spotted by >> comparing ke

Re: Security team successfully cracks SSL using 200 PS3's and MD5

2009-01-02 Thread Etaoin Shrdlu
Neil wrote: Do people here really so quickly forget things? There was a talk on Carnivore given in 2000 at NANOG 20, IIRC, and I believe that one of the instigating causes of that talk was problems that Earthlink had experienced when the FBI had deployed Carnivore there. Naturally. The NSA

Re: Security team successfully cracks SSL using 200 PS3's and MD5

2009-01-02 Thread Dragos Ruiu
On 2-Jan-09, at 9:56 AM, Robert Mathews (OSIA) wrote: Joe Greco wrote: [ ] Either we take the potential for transparent MitM attacks seriously, or we do not. I'm sure the NSA would prefer "not." :-) As for the points raised in your message, yes, there are additional problems with

Re: Security team successfully cracks SSL using 200 PS3's and MD5

2009-01-02 Thread Gadi Evron
On Fri, 2 Jan 2009, Dragos Ruiu wrote: www.win.tue.nl/hashclash/rogue-ca/; classtype: policy-violation; sid:101;) You can't really use any snort rule to detect SHA-1 certs created by a fake authority created using the MD5 issue. Yes, this is a serious matter, but it hardly has any operat

Re: Security team successfully cracks SSL using 200 PS3's and MD5

2009-01-02 Thread Joe Greco
> Neil wrote: > > >>Do people here really so quickly forget things? There was a talk on > >>Carnivore given in 2000 at NANOG 20, IIRC, and I believe that one of the > >>instigating causes of that talk was problems that Earthlink had experienced > >>when the FBI had deployed Carnivore there. > >

Re: Security team successfully cracks SSL using 200 PS3's and MD5

2009-01-02 Thread Dragos Ruiu
On 2-Jan-09, at 6:53 PM, Gadi Evron wrote: Yes, this is a serious matter, but it hardly has any operational impact to speak of for users and none for NSPs. Dunno. Last I checked NSPs had web servers too. :-P cheers, --dr -- World Security Pros. Cutting Edge Training, Tools, and Techniques

Re: Security team successfully cracks SSL using 200 PS3's and MD5

2009-01-02 Thread Christopher Morrow
On Fri, Jan 2, 2009 at 10:44 PM, Dragos Ruiu wrote: > > On 2-Jan-09, at 6:53 PM, Gadi Evron wrote: >> >> Yes, this is a serious matter, but it hardly has any operational impact to >> speak of for users and none for NSPs. > > Dunno. Last I checked NSPs had web servers too. :-P so, aside from 'get

Re: Looking for verification that Google and Akamai have the geo-ip for 96.31.0.0/20 set correctly

2009-01-02 Thread Martin Hannigan
On Fri, Jan 2, 2009 at 6:30 PM, Neil wrote: > Or maybe they just shouldn't rely on it so much. > > It annoys me at the hoops I have to jump through to change the > language on Google-owned properties when they think I'm coming from > Czechoslovakia or Malaysia or some such... Some, like Blogger,

Re: Security team successfully cracks SSL using 200 PS3's and MD5

2009-01-02 Thread Brian Keefer
On Jan 2, 2009, at 3:29 PM, Joe Greco wrote: * Joe Greco: It seems that part of the proposed solution is to get people to move from MD5-signed to SHA1-signed. There will be a certain amount of resistance. What I was suggesting was the use of the revocation mechanism as part of the "stick