Just as you said, change your email once you start getting spam. If you control your own email server, simply use an alias that points at your real account, like:
yourname.registrar.domain.01@yourdomain.com
If I recieved spam to jason.godaddy.artoo-net.20030410@roysdon.net, I'd know exactly where the spam came from.
Simply set up a new alias like jason.godaddy.artoo-net.20030411@roysdon.net and update your contact at your registrar. Once it is successfully updated, remove the alias from forwarding to your account. It's a pain, but it would work.
You could even have the old aliases all go to a bogus account and periodically track how long it takes from someone to collect WHOIS info to when it is sold and used by a spammer.
Hell, since you'd know that 100% that it was UCE culled from WHOIS just sent the old spammed-too alias to forward to uce@ftc.gov.
Since I just updated all my domain contact info with a change in my employer addresses, I have all the login info handy, so I think I'll try and implement this.
A good linux sysadmin could setup a multihomed Linux server between his AP(s) and broadband and use NoCat authentication to block this sort of thing, while allowing surfing (or whatever else).
Ah, even if RedHat's FTP site won't allow more anonymous users, you can still hit their http version of the ftp site to get the MD5SUM to verify any of the ISO files you get from a mirror site. Mind you, this site is slow (took 5+ minutes to connect and get this 618 byte file, but it did go through eventually):
I've been downloading the 3 ISOs from official RedHat mirrors, but until I can get the MD5SUM straight from RedHat's ftp site, I always leave them under "unofficial." Of course, anytime you download from a mirror site, you should grab the MD5SUM from the master site and compare against it.
I wish RedHat had a MD5-only ftp site folks can get ISOs from abroad but check them.
The problem with this law is that an ISP cannot search web content for a given filename or even URL and block it based on that. ISPs don't look at anything beyond IP Layer 3. All they care about is routing IP packets. What happens if a large over-seas company hosts thousands of customers with a single IP address (or pool of addresses in the case of a webserver farm)? All it would take is one bad apple at that hosting ISP and Penn. would force Penn. ISP's to block all other content from that hosting ISP's webserver.
Should that ISP be hosting child porn? Of course not. Should all the other sites hosted at that ISP be blacklisted? No.
These lawmakers are either uneducated about how the internet works, or simply do not care and feel that blocking child porn is more important than the free speech of the other legit websites that may be hosted on an ISP's shared webserver farm.
Penn should enforce the law where they can: If the webservers are outside the arm of the US law, go after what isn't: those who download and view this content. They can start with their own state employees at work, which would violate no privacy laws. Folks seriously addicted to kiddie porn known no bounds. I've know of a case where a local county employee spent 2-3 hours a day at work surfing this stuff.
All this law is going to do is drive kiddie porn sites futher underground and make those in Penn be more sneaky. As someone else posted, Penn. law enforcement won't even be able to access these sites to verify if it has kiddie porn (say if they had a download history on a PC but no actual photos.)
Plenty of production networks are already using IPv6 in specialized markets. How do you think cell companies are assigning addresses to all those cell phones that can send SMS messages and surf the web? IPv6.
IPv6 will continue to be used by companies that need large address space.
IP Phones are yet another specialized market that will benefit from widespread IPv6 adoption and clean up using VPNs and NAT.
Their DNS doesn't have any reply to A record queries for www.hsn.com. The DNS servers work just fine for hsn.com (which forwards you to www.hsn.com).
Thinking I'd be clever, I added '192.234.237.80 www.hsn.com' to my hosts file, but sure enough I just get a URL redirection loop error (as hsn.com and www.hsn.com must be two different servers).
Oh well, and for that price I was going to plunk down the cash right now.
BGP views may vary slightly (+/-5K prefixes) depending if you're getting aggregated routes or if you're taking detailed views from your peers and their direct customers, and naturally how well they and you are filtering. The more connected and less aggregated your routes are, the more you'd see. I don't think I've seen more than 120K, yet, but it's getting closer. For instance I'm seeing 118.6K from Sprint right now:
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
144.232.nnn.nnn 4 1239 12273440 398934 43240550 0 0 1w3d 118603
My former employer was a Microsoft MSCTEC and they were required to have X amount of students in each class obtain their MCSE, otherwise they'd loose their MSCTEC certification.
One gimmic they'd do is that they'd have a drawing for a free vacation for students that pass all their required tests within 1 month of the final class. This helped motivate a large amount of the students. Prior to that, mainly those without a job would bother to take the tests (those whose employer were sending them to training didn't bother).
The DirecTV TiVos have no subscription fee as of a few months ago. You pay the standard $5/month receiver fee that you'd pay for any other DirecTV receiver on an account.
Life-Time subscriptions are no longer available for the DirecTV TiVos, but if you have one you never have to pay the $5/month receiver fee for that unit.
The press conference said specifically that the "Home Media Option" will work only on the same local subnet (this is the option to play MP3s/view pics/stream other media off your PC).
Second, the sharing of shows will have "TivoGuard" to encrypt and keep anyone from extracting the Tivo-to-Tivo sharing.
Ah, thanks for the insight. Was about DSS (DirecTV, EchoStar, etc)? If I had a TV that could only receive a DSS signal, would that be exempt (and is any sort of DSS service even available)?
I mean, I only pay US$39/mo. for my DirecTV, so that'd be a ton cheaper for a hall (£90/mo for TV licenses for 9 folks vs ~£53/mo for DSS (US$5/set-top).
I'm curious, what if you own a TV but "only" use it for VHS / DVD playback? Do you have to pay a TV license then? What if you have satellite? Do you pay this per TV, or just per household, or just per address (what if you rented out rooms)?
WWW != TCP/IP or 'the internet', even if it's all people see or know about the internet beyond email (which now all the webtv/msn folks access via web interfaces, at least that's what my inlaws all seem to use). It's just tcp/80, or tcp/443 if you're shoping/banking... 65533 more ports out there, and that's just tcp.
Oh, but I should say that supposedly the last few months the two company owners have been going without pay as time are tough. Needless to say, their Wives weren't happy, but it deep help the rest of us feel a little better, especially with a decent amount of our co-workers getting laid off.
Heh, our local "computer foresics" cop is a total joke. He even teachs classes at our local CC.
Guy gets off on spreading FUD about "traveler cases" where kids get "abducted" or tricked into meeting with strangers online... yeah, it happens, but the way this guy talks if you don't watch your kid every single second they're online, it's like someone is gonna find them online and snatch them on their way to school... wait, that could happen without the internet.
Anyway, just ranting about it. Check your local PD and/or community college for help on how to be a "by the book" clueless FUD-spreader.
Although, I always thought it'd be cool to work for the FBI or CIA:-/
There are at least a dozen different places a totally anonymous person can get free internet access in my town in very obvious places (that's not including hundreds I've located via wardriving). The easiest and fastest are the public library and the community college library. Speaking of which, my local community college has a nice open WiFi net. Better lock it down so the communists, err terrorists, don't hack any inappropriately connected resources (why should any vital US infrastructure systems EVER be connected to the internet?).
Why should every military base have it's own internet access? Sounds like suicide letting G.I. Joe order up ADSL and let him connect it to a secure network. ALL military internet access should be required to flow out a small handful of highly fortified internet connection points. Even modems should be banned. If the government had HALF a clue it wouldn't matter how insecure the internet was. Paraphrasing here, but it goes roughly like this: Remove the plank out of your own eye before you try to remove the splinter from mine.
Having said that, I believe if you're going to run an open AP, you need to do so responsibly. You need to filter SMTP access so someone doesn't use your bandwidth and IPs to use an open SMTP relay to spam folks (and yes, of course the SMTP relay shouldn't be open, but you shouldn't give them high speed anonymous access to it either). You should be able to account for who is using your internet access, if nothing more than a MAC address and email account. Yeah, a totally open WiFi network world wide would be cool, but each WiFi operator should be aware and able to shut down abusive behavior.
For my own "open" WiFi at freenet.artoo.net I use NoCAT to authenticate all users. Yeah, it wasn't as easy as unboxing an AP and plugging it in, but it wasn't that hard to configure, and now I know exactly who is connecting within any 5 minute sliding window (it uses pushed SSL auth to verify the original sign-on is still valid, and will block and force an SSL redirect to a login page if the original SSL auth isn't kept up). So, worst case is someone could wait for another WiFi user to go idle and spoof their MAC address, and they get 5 minutes of access.
Disabling spanning tree on a network of any size is suicide waiting to happen. Without spanning tree you'll be instantly paralyzed by any layer two loops.
For instance: Bonehead user wants to connect 2-3 more PCs at his desk, so he brings in a cheap hub or switch. Say it doesn't work for whatever reason, so he leaves the cable in and connects a second port from the wall (or say later on it stops working so he connects a second port to test). When both of those ports go active and you don't have spanning tree, you've just created a nice loop for that little hub or switch to melt your network. Just be glad it's going to be a cheap piece of hardware and not a large switch, or you'd never be able to even get into your production switches using a console connection until you find the connection and disable it (ask my how I know). How long does this take to occur? Not even a second.
Spanning tree is your friend. If you're a network technician/engineer, learn how to use it. Learn how to use root guard to protect your infrustructure from rouge switches (or even evil end-users running "tools"). A simple search on "root guard" at Cisco.com returns plenty of useful hits
At my present employer, we're actually overly strict and limit each port to a single MAC address and know what every MAC address in any company hardware is. We know where every port on our switches go to patch panels. If anything "extra" is connected, or a PC is moved, we're paged. If a printer is even disconnected, we're paged. The end-users know this, and they know to contact IT before trying to move anything.
Why do we do this? We've had users bring in wireless access points and hide them under their desks/cubes. We want to know instantly if someone is breaching security or opening us up to such a thing. Before wireless, I'd say this was overly anal, but now, it's pretty much a requirement. The added benefit to knowing if an end-user brings a personal PC from home, etc., on to the network (which means they possibly don't have updated MS-IE, virus scanners/patterns, may have "hacking tools", etc.). This isn't feasible on a student network or many other rapidly changing networks, but on a stable production network it's a very good idea. Overhead seems high at first, but it's the same as having to go patch a port to a switch for a new user - you just document the MAC address and able port-level security on the switch port:
interface FastEthernet0/1
port security action trap
port sec max-mac-count
With Syslogging enabled, you'll know when this occurs and if you've got expect scripts to monitor and page you when another mac address is used on that port, and if you've got your network well documented, you can stop by the end-user while they're still trying to dink around hooking up their laptop and catch 'em in the act.
Yes, I know all about MAC address spoofing. Do my end-users? Probably not, and by the time they find out, they're on my "watch list" and their manager knows. Of course, that's where internal IDS is needed and things start to get much more complicated, but at least you're not getting flooded with odd-ball IDS reports if you manage your desktops tight so users can't install any ol' app they want. Higher upfront maintenance cost? Perhaps, but we've never had any end-user caused network issue.
I'm fairly certain that if someone was running a "bad" application like what hosed the network in this story, I'd find it in under 30 minutes with our current network documentation. Would it require a lot of foot traffic? Yes, as the network would possible be hosed so management protocols wouldn't work, but I could isolate it fairly fast with console connections and manually pulling uplink ports.
Re:And then the updater gets hacked
on
Due Diligence?
·
· Score: 1
RHN is free for one system per email. Hrmm, sendmail aliases anyone?
Slashdot Mirror
Just as you said, change your email once you start getting spam. If you control your own email server, simply use an alias that points at your real account, like:
yourname.registrar.domain.01@yourdomain.com
If I recieved spam to jason.godaddy.artoo-net.20030410@roysdon.net, I'd know exactly where the spam came from.
Simply set up a new alias like jason.godaddy.artoo-net.20030411@roysdon.net and update your contact at your registrar. Once it is successfully updated, remove the alias from forwarding to your account. It's a pain, but it would work.
You could even have the old aliases all go to a bogus account and periodically track how long it takes from someone to collect WHOIS info to when it is sold and used by a spammer.
Hell, since you'd know that 100% that it was UCE culled from WHOIS just sent the old spammed-too alias to forward to uce@ftc.gov.
Since I just updated all my domain contact info with a change in my employer addresses, I have all the login info handy, so I think I'll try and implement this.
A good linux sysadmin could setup a multihomed Linux server between his AP(s) and broadband and use NoCat authentication to block this sort of thing, while allowing surfing (or whatever else).
Ah, even if RedHat's FTP site won't allow more anonymous users, you can still hit their http version of the ftp site to get the MD5SUM to verify any of the ISO files you get from a mirror site. Mind you, this site is slow (took 5+ minutes to connect and get this 618 byte file, but it did go through eventually):
3 86/MD5SUM
http://ftp.redhat.com/pub/redhat/linux/9/en/iso/i
Here's my IPv6 RedHat 9 mirror:
ftp://r2.ipv6.artoo.net/pub/redhat/linux/9/
I've been downloading the 3 ISOs from official RedHat mirrors, but until I can get the MD5SUM straight from RedHat's ftp site, I always leave them under "unofficial." Of course, anytime you download from a mirror site, you should grab the MD5SUM from the master site and compare against it.
I wish RedHat had a MD5-only ftp site folks can get ISOs from abroad but check them.
The problem with this law is that an ISP cannot search web content for a given filename or even URL and block it based on that. ISPs don't look at anything beyond IP Layer 3. All they care about is routing IP packets. What happens if a large over-seas company hosts thousands of customers with a single IP address (or pool of addresses in the case of a webserver farm)? All it would take is one bad apple at that hosting ISP and Penn. would force Penn. ISP's to block all other content from that hosting ISP's webserver.
Should that ISP be hosting child porn? Of course not. Should all the other sites hosted at that ISP be blacklisted? No.
These lawmakers are either uneducated about how the internet works, or simply do not care and feel that blocking child porn is more important than the free speech of the other legit websites that may be hosted on an ISP's shared webserver farm.
Penn should enforce the law where they can: If the webservers are outside the arm of the US law, go after what isn't: those who download and view this content. They can start with their own state employees at work, which would violate no privacy laws. Folks seriously addicted to kiddie porn known no bounds. I've know of a case where a local county employee spent 2-3 hours a day at work surfing this stuff.
All this law is going to do is drive kiddie porn sites futher underground and make those in Penn be more sneaky. As someone else posted, Penn. law enforcement won't even be able to access these sites to verify if it has kiddie porn (say if they had a download history on a PC but no actual photos.)
Plenty of production networks are already using IPv6 in specialized markets. How do you think cell companies are assigning addresses to all those cell phones that can send SMS messages and surf the web? IPv6.
IPv6 will continue to be used by companies that need large address space.
IP Phones are yet another specialized market that will benefit from widespread IPv6 adoption and clean up using VPNs and NAT.
ftp://r2.ipv6.artoo.net/pub/animatrix/
In an effort to try and get more and more geeks using IPv6, I think I'll be mirroring content like this:
ftp://r2.ipv6.artoo.net/pub/soulpix/
Both DivX and QT formats have been mirrored.
If you don't have native IPv6 access (hmm, who does?) you can get tunneling access for free from he.net and a number of other tunnel brokers.
Their DNS doesn't have any reply to A record queries for www.hsn.com. The DNS servers work just fine for hsn.com (which forwards you to www.hsn.com).
Thinking I'd be clever, I added '192.234.237.80 www.hsn.com' to my hosts file, but sure enough I just get a URL redirection loop error (as hsn.com and www.hsn.com must be two different servers).
Oh well, and for that price I was going to plunk down the cash right now.
BGP views may vary slightly (+/-5K prefixes) depending if you're getting aggregated routes or if you're taking detailed views from your peers and their direct customers, and naturally how well they and you are filtering. The more connected and less aggregated your routes are, the more you'd see. I don't think I've seen more than 120K, yet, but it's getting closer. For instance I'm seeing 118.6K from Sprint right now:
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
144.232.nnn.nnn 4 1239 12273440 398934 43240550 0 0 1w3d 118603
GPS. GPS! For God's sake! When was the last time you got so lost that you needed friggin' GPS to pinpoint your location to the nearest ten feet...
When I go GeoCaching. Plus the ability to download a ton of waypoints and not have to input them into my GPS would simply rock.
My former employer was a Microsoft MSCTEC and they were required to have X amount of students in each class obtain their MCSE, otherwise they'd loose their MSCTEC certification.
One gimmic they'd do is that they'd have a drawing for a free vacation for students that pass all their required tests within 1 month of the final class. This helped motivate a large amount of the students. Prior to that, mainly those without a job would bother to take the tests (those whose employer were sending them to training didn't bother).
So think of it like this: the DirecTivo has two tuners, so you get the first one free, and the second one at the $5/mo mirror fee ;-)'
The DirecTV TiVos have no subscription fee as of a few months ago. You pay the standard $5/month receiver fee that you'd pay for any other DirecTV receiver on an account.
Life-Time subscriptions are no longer available for the DirecTV TiVos, but if you have one you never have to pay the $5/month receiver fee for that unit.
You need ExtractStream. Stream all that MPEG content off to your Mac and edit and burn all you like (VCDs as well, of course).
The press conference said specifically that the "Home Media Option" will work only on the same local subnet (this is the option to play MP3s/view pics/stream other media off your PC).
Second, the sharing of shows will have "TivoGuard" to encrypt and keep anyone from extracting the Tivo-to-Tivo sharing.
Ah, thanks for the insight. Was about DSS (DirecTV, EchoStar, etc)? If I had a TV that could only receive a DSS signal, would that be exempt (and is any sort of DSS service even available)?
I mean, I only pay US$39/mo. for my DirecTV, so that'd be a ton cheaper for a hall (£90/mo for TV licenses for 9 folks vs ~£53/mo for DSS (US$5/set-top).
I'm curious, what if you own a TV but "only" use it for VHS / DVD playback? Do you have to pay a TV license then? What if you have satellite? Do you pay this per TV, or just per household, or just per address (what if you rented out rooms)?
WWW != TCP/IP or 'the internet', even if it's all people see or know about the internet beyond email (which now all the webtv/msn folks access via web interfaces, at least that's what my inlaws all seem to use). It's just tcp/80, or tcp/443 if you're shoping/banking... 65533 more ports out there, and that's just tcp.
Oh, but I should say that supposedly the last few months the two company owners have been going without pay as time are tough. Needless to say, their Wives weren't happy, but it deep help the rest of us feel a little better, especially with a decent amount of our co-workers getting laid off.
We got $20 Amazon gift certificates and played bingo/name drawings for 6 $100 gift certificates good at our local mall. Oh well...
Heh, our local "computer foresics" cop is a total joke. He even teachs classes at our local CC.
:-/
Guy gets off on spreading FUD about "traveler cases" where kids get "abducted" or tricked into meeting with strangers online... yeah, it happens, but the way this guy talks if you don't watch your kid every single second they're online, it's like someone is gonna find them online and snatch them on their way to school... wait, that could happen without the internet.
Anyway, just ranting about it. Check your local PD and/or community college for help on how to be a "by the book" clueless FUD-spreader.
Although, I always thought it'd be cool to work for the FBI or CIA
There are at least a dozen different places a totally anonymous person can get free internet access in my town in very obvious places (that's not including hundreds I've located via wardriving). The easiest and fastest are the public library and the community college library. Speaking of which, my local community college has a nice open WiFi net. Better lock it down so the communists, err terrorists, don't hack any inappropriately connected resources (why should any vital US infrastructure systems EVER be connected to the internet?).
Why should every military base have it's own internet access? Sounds like suicide letting G.I. Joe order up ADSL and let him connect it to a secure network. ALL military internet access should be required to flow out a small handful of highly fortified internet connection points. Even modems should be banned. If the government had HALF a clue it wouldn't matter how insecure the internet was. Paraphrasing here, but it goes roughly like this: Remove the plank out of your own eye before you try to remove the splinter from mine.
Having said that, I believe if you're going to run an open AP, you need to do so responsibly. You need to filter SMTP access so someone doesn't use your bandwidth and IPs to use an open SMTP relay to spam folks (and yes, of course the SMTP relay shouldn't be open, but you shouldn't give them high speed anonymous access to it either). You should be able to account for who is using your internet access, if nothing more than a MAC address and email account. Yeah, a totally open WiFi network world wide would be cool, but each WiFi operator should be aware and able to shut down abusive behavior.
For my own "open" WiFi at freenet.artoo.net I use NoCAT to authenticate all users. Yeah, it wasn't as easy as unboxing an AP and plugging it in, but it wasn't that hard to configure, and now I know exactly who is connecting within any 5 minute sliding window (it uses pushed SSL auth to verify the original sign-on is still valid, and will block and force an SSL redirect to a login page if the original SSL auth isn't kept up). So, worst case is someone could wait for another WiFi user to go idle and spoof their MAC address, and they get 5 minutes of access.
For instance: Bonehead user wants to connect 2-3 more PCs at his desk, so he brings in a cheap hub or switch. Say it doesn't work for whatever reason, so he leaves the cable in and connects a second port from the wall (or say later on it stops working so he connects a second port to test). When both of those ports go active and you don't have spanning tree, you've just created a nice loop for that little hub or switch to melt your network. Just be glad it's going to be a cheap piece of hardware and not a large switch, or you'd never be able to even get into your production switches using a console connection until you find the connection and disable it (ask my how I know). How long does this take to occur? Not even a second.
Spanning tree is your friend. If you're a network technician/engineer, learn how to use it. Learn how to use root guard to protect your infrustructure from rouge switches (or even evil end-users running "tools"). A simple search on "root guard" at Cisco.com returns plenty of useful hits
At my present employer, we're actually overly strict and limit each port to a single MAC address and know what every MAC address in any company hardware is. We know where every port on our switches go to patch panels. If anything "extra" is connected, or a PC is moved, we're paged. If a printer is even disconnected, we're paged. The end-users know this, and they know to contact IT before trying to move anything.
Why do we do this? We've had users bring in wireless access points and hide them under their desks/cubes. We want to know instantly if someone is breaching security or opening us up to such a thing. Before wireless, I'd say this was overly anal, but now, it's pretty much a requirement. The added benefit to knowing if an end-user brings a personal PC from home, etc., on to the network (which means they possibly don't have updated MS-IE, virus scanners/patterns, may have "hacking tools", etc.). This isn't feasible on a student network or many other rapidly changing networks, but on a stable production network it's a very good idea. Overhead seems high at first, but it's the same as having to go patch a port to a switch for a new user - you just document the MAC address and able port-level security on the switch port:With Syslogging enabled, you'll know when this occurs and if you've got expect scripts to monitor and page you when another mac address is used on that port, and if you've got your network well documented, you can stop by the end-user while they're still trying to dink around hooking up their laptop and catch 'em in the act.
Yes, I know all about MAC address spoofing. Do my end-users? Probably not, and by the time they find out, they're on my "watch list" and their manager knows. Of course, that's where internal IDS is needed and things start to get much more complicated, but at least you're not getting flooded with odd-ball IDS reports if you manage your desktops tight so users can't install any ol' app they want. Higher upfront maintenance cost? Perhaps, but we've never had any end-user caused network issue.
I'm fairly certain that if someone was running a "bad" application like what hosed the network in this story, I'd find it in under 30 minutes with our current network documentation. Would it require a lot of foot traffic? Yes, as the network would possible be hosed so management protocols wouldn't work, but I could isolate it fairly fast with console connections and manually pulling uplink ports.
RHN is free for one system per email. Hrmm, sendmail aliases anyone?