I was responding to the "Most routers have a way of resetting the root password" part. He turned that off.
But, yes, he did eventually hand over the passwords. And yes, they should have the network audited and secured by now -- long ago, in fact. They're just keeping him locked up because they can -- much the same way he lorded over the FiberWAN network.
I didn't say it was expensive. I just said it was complicated by the size of the network -- lots of devices to check, you only need to miss one. (been there, done that. 'tho in my defense, there's no reason for that router to be running an IGP anyway.)
They called in consultants... so yeah, they spent 10x what they needed to. But that gives them someone outside the city gov to blame when something is missed.
I'm not a lawyer (nor am I in CA.) So, I don't know what various laws he may or may not have violated. I'm not sure where he thought this was going to end up... dude, you don't work there anymore; the network is no longer your responsibility. This is not going to get you re-hired. And it's not going to do you a lot of good hunting for a job elsewhere.
He was "concerned" that handing over the passwords would (almost immediately) lead to his "incompetent" coworkers screwing things up. Well, he handed over the passwords and 14 months later there have been no issues with the FiberWAN network. He was completely wrong: he handed over the passwords and the network did not fail. They've had plenty of time to break something, but haven't. That is a powerful check in the "NOT INCOMPETENT" column for his coworkers. But that does not mean they are competent -- it's pretty easy to not break something. (I'm not grading their work or interviewing them for a job, so I have nothing on which to base their competence.)
It's worse than that... not only do you need physical access, you need a copy of the config, or the necessary bits to regenerate one from scratch. He turned off password recovery; the only way in is to erase the configuration. (or jump through a dozen hoops to get that NVRAM in a device that ignores that bit. In many Cisco devices, the NVRAM is not removable; if the ROMMON chips aren't removable either, you're screwed.)
Had he done that, he would have been fired the instant the passwords hit the paper. The only reason he remained employed for so long is because no one else knew the passwords. He was, in essence, blackmailing the city. They tolerated him because he did actually keep the network running. I don't know what the last straw was that has brought us to today's farce.
If you're up-to-date on the case, you should remember he turned off password recovery. The only way to reset the password is to erase the configuration (NVRAM) and there are no (known) archived backups. He was the only one with the knowledge to rebuild a config from memory. He did this on purpose to stop people in the field from altering the configuration (passwords, routes, anything).
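The combination this comment describes, password recovery disabled and no archived configuration, is something a defender can check for across a fleet before it becomes a lockout. The following is an added example, not code from the commenter or from any vendor: a small Python auditor over Cisco IOS-style running configs that flags `no service password-recovery`, the absence of an `archive` block with a remote `path`, and legacy `enable password` lines. The two sample configs, their hostnames, the 192.0.2.10 TFTP server and the hash are constructed placeholders, and the line matching is deliberately simple (exact-line and prefix matches, not a full IOS parser).

```python
import re
from typing import Dict

# Constructed sample configs (not from the page or from any real device);
# hostnames, the TFTP address and the secret hash are placeholders.
SAMPLE_CONFIGS: Dict[str, str] = {
    "rtr-core-1": """
hostname rtr-core-1
no service password-recovery
enable secret 5 $1$PLACEHOLDER$NOTAREALHASH0000000000
line vty 0 4
 login local
end
""",
    "rtr-edge-7": """
hostname rtr-edge-7
service password-recovery
enable password cleartextpw
archive
 path tftp://192.0.2.10/configs/$h
 write-memory
line vty 0 4
 login local
end
""",
}


def audit_ios_config(text: str) -> Dict[str, object]:
    """Flag the conditions the thread is about: password recovery disabled
    and no archived copy of the configuration to restore from."""
    lines = [ln.rstrip() for ln in text.splitlines()]

    # 'no service password-recovery' removes the ROMMON break-in; the remaining
    # recovery procedure on most platforms wipes NVRAM, i.e. the whole config.
    recovery_disabled = any(ln.strip() == "no service password-recovery" for ln in lines)

    # An 'archive' block with a remote 'path' is what leaves you something to
    # restore after such a wipe.
    archive_configured = False
    in_archive = False
    for ln in lines:
        if ln.strip() == "archive":
            in_archive = True
            continue
        if in_archive:
            if not ln.startswith(" "):        # indentation ended: left the block
                in_archive = False
            elif re.match(r"\s+path\s+\S+", ln):
                archive_configured = True

    # Legacy 'enable password' (reversible or cleartext) instead of the
    # hashed 'enable secret' is flagged as weak privilege-15 protection.
    has_secret = any(ln.strip().startswith("enable secret") for ln in lines)
    has_password = any(ln.strip().startswith("enable password") for ln in lines)
    weak_enable = has_password or not has_secret

    return {
        "recovery_disabled": recovery_disabled,
        "archive_configured": archive_configured,
        "weak_enable": weak_enable,
        # Losing the credential here means an NVRAM wipe with nothing to restore.
        "lockout_risk": recovery_disabled and not archive_configured,
    }


def audit_all(configs: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Run the audit over a {hostname: config text} mapping."""
    return {host: audit_ios_config(cfg) for host, cfg in configs.items()}


if __name__ == "__main__":
    for host, result in audit_all(SAMPLE_CONFIGS).items():
        print(host, result)
```

In practice the config texts would come from whatever already collects them (RANCID, Oxidized, a `show running-config` export); the point of the `lockout_risk` flag is that disabling recovery is defensible only on a device whose configuration is archived somewhere the device cannot take with it.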
If someone erased the config on any of my gear, I'd be pissed. And I keep backups.
And his concerns (rants of a lunatic?) have been well and truly proven wrong at this point. He gave up the password(s) and the network has not failed at the hands of these "competent coworkers".
One would think they'd've changed the passwords, but who knows. Maybe they're worried about breaking something by changing them... As for any "backdoors" -- us network folk call them "alternate paths", or "a way around the thing that's broken" -- it would take an extensive audit of the entire infrastructure to find, and remove or (re)secure any that may exist. In a network that large, it's not a simple task.
They assume that he would intentionally disrupt the network. In my opinion, that is absolutely wrong. Did he have any traps in the network when they fired him? (ala a "dead man switch") No. Did he do anything to disrupt the network before, or shortly after he was fired? NO. He refused to hand over the keys to protect his hard work -- why the h*** would you now assume he would do anything at all to break that same "hard work"? (and if he did, they'd have a cast iron case against him, far better than the theater they currently have.)
Right. The "outside" that people were protecting themselves from was the bored university students. :-)
You are splitting hairs... They are protected because the box is doing NAT -- sure it's a piss-poor form of "protection" but it's clearly better than nothing. You cannot get to the hosts behind it because they don't have a public address. IPv6 was designed to do away with the address rewriting. Everything else those cheapy NAT boxes are doing, they will have to continue doing... connection tracking and protocol aware inspection -- in the Cisco world: CBAC. In the era of NAT, you can get to whatever has been explicitly granted. In the IPv6 era, you will be able to reach whatever has not been explicitly blocked. This will be as much of a mess as the early days of IPv4 where complete idiots were setting up firewalls with a seriously flawed understanding of what they were doing. ("deny icmp any any" was the First Rule of firewalls. Anyone who did that, in my book, should be fired immediately. If you don't realize why that's stupid, you should not be a "firewall admin".)
*cough*UPnP*cough* Very few "gamers" set up anything on their NAT box these days. (yes, the computer being able to open any holes it wants is as bad an idea as it sounds... if Halo can open ports, so can a rootkit.)
People use Skype because a) it works, and b) it's free. SIP on the other hand is a pile of brain damage. As a protocol designed in the era of NAT, they failed. It's broken by multi-homing alone. There is ZERO reason for a pair of machines to open a completely separate connection between each other for a voice/video stream -- and there's no need to tell me your address; the connection to me gives me the address. (SIP is a security nightmare. There are loads of reasons people avoid SIP beyond their own network(s).)
They aren't a "computer" in the common sense. And they aren't "naked"... they protect themselves by not running any services on the WAN (internet) side, and not having much to compromise in the first place.
If you're thinking Win95, then we aren't talking about the same "pre-NAT". By the time 95 was released (Aug 24 1995), NAT did exist. It was pretty simple and crude then, but it was "functional"... we had a NeXT cube, my linux box (as the NAT gateway), a windows 3.1.1 ("wfw") / NT 3.5(?) pc, and a win95 (msdn pre-release) working on a 10base-2 network. (june-july ish '95)
What university was that? And when? I cannot recall a single university that was firewalling anything when I was in college in the early 90's. Even in the mid-90's when I was working for an ISP, I saw very few places with a firewall. Most were "protected" by the limited amount of IPv4 technology in their network. The internet was much slower then with far fewer people trying to mess things up, and there wasn't that much of value to steal, vandalize, or "DoS".
No, I do not assume "NAT == Firewall". I am saying 99% of the world is protected by the veil NAT creates. Yes, it's a paper thin barrier, but it's more than enough to keep a network safe from outside attack. (no firewall can protect a network from its own stupid users.) Taking it away is akin to taking away the front door on everyone's house... it's not much of a barrier to a thief, but it's surprisingly enough.
True. But for 99% of the internet connected, NAT comprises 100% of their security. And that's all they need. IPv6 is a lot more complicated. ...scanning even a /64 is infeasible. That's the IPv6 equiv to sticking your fingers in your ears and screaming LA LA LA LA LA. For starters, that's wrong -- one need not scan the entire /64. Plus, that's a completely wrong thought process for any security context. That's like claiming I cannot break into your house because I don't know where it is. An IPv6 host will eventually talk to some other machine(s) -- otherwise it has no need for a network at all, and then it's not hidden any more. Ah, but what about the "privacy extensions", you're thinking... most machines will still have that EUI-64 address. See, the nuts that designed this crap didn't spend even 1 second thinking about how this stuff will get used; they spent even less time looking at how people currently used networks.
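The EUI-64 point in this comment is something a network owner can measure rather than argue about: an address whose interface identifier carries the 0xFFFE marker embeds the host's MAC, is stable across every prefix the host ever visits, and makes the "nobody can find it in a /64" reasoning moot. The code below is an added example, not from the commenter, that classifies IPv6 addresses from an inventory (neighbor cache, DHCPv6 logs, flow records) as EUI-64 derived, hand-assigned, or random, recovers the MAC from EUI-64 ones, and goes the other way by computing the SLAAC address a known MAC would take in a given /64 so that an existing asset list can be matched against observed addresses. All sample addresses, the MAC 00:21:70:84:ab:cd and the 2001:db8:0:1::/64 prefix are constructed; the static/random split is a heuristic on IID size, an assumption stated in the code.

```python
import ipaddress
from typing import Dict, List, Optional


def eui64_mac(addr: str) -> Optional[str]:
    """Return the MAC embedded in a modified-EUI-64 interface identifier, or None.

    SLAAC builds the low 64 bits from a 48-bit MAC aa:bb:cc:dd:ee:ff as
    (aa^0x02):bb:cc:ff:fe:dd:ee:ff, so 0xFFFE at IID bytes 3-4 is the tell and
    flipping the universal/local bit (0x02) of byte 0 recovers the hardware address.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02, iid[1], iid[2], iid[5], iid[6], iid[7]])
    return ":".join(f"{b:02x}" for b in mac)


def slaac_address(prefix: str, mac: str) -> str:
    """Compute the EUI-64 SLAAC address a host with this MAC takes in a /64.

    Lets an inventory of known MACs (switch CAM table, DHCPv4 leases) be
    matched against observed IPv6 addresses without scanning anything.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(m) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytes([m[0] ^ 0x02, m[1], m[2], 0xFF, 0xFE, m[3], m[4], m[5]])
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def audit_addresses(addresses: List[str]) -> List[Dict[str, object]]:
    """Classify each address as 'eui64' (MAC exposed, stable across prefixes),
    'static' (hand-picked low IID, trivially guessable) or 'random'
    (RFC 4941 temporary or DHCPv6-style IID).

    Assumption: an IID below 0x10000 (::1, ::53, ...) is treated as hand-assigned.
    """
    report = []
    for a in addresses:
        ip = ipaddress.IPv6Address(a)
        mac = eui64_mac(a)
        iid_int = int.from_bytes(ip.packed[8:], "big")
        if mac is not None:
            kind = "eui64"
        elif iid_int < 0x10000:
            kind = "static"
        else:
            kind = "random"
        report.append({"address": str(ip), "kind": kind, "mac": mac})
    return report


# Constructed sample, shaped like an 'ip -6 neigh' export; MAC, prefix and
# every address here are made up for the example.
SAMPLE_ADDRESSES = [
    "2001:db8:0:1:221:70ff:fe84:abcd",   # SLAAC from 00:21:70:84:ab:cd
    "2001:db8:0:1:3c4e:9a1b:7d2f:1c05",  # RFC 4941 temporary address
    "2001:db8:0:1::53",                  # hand-assigned DNS server
    "fe80::221:70ff:fe84:abcd",          # link-local, also EUI-64 derived
]

if __name__ == "__main__":
    for row in audit_addresses(SAMPLE_ADDRESSES):
        print(row)
    print(slaac_address("2001:db8:0:1::/64", "00:21:70:84:ab:cd"))
```

Two caveats: a random IID can contain 0xFFFE at bytes 3-4 by chance (one in 65536), so treat an `eui64` hit on a host you believe uses privacy extensions as something to verify, and note that the link-local address keeps the EUI-64 form on many stacks even when the global address is randomized, which is exactly the "still have that EUI-64 address" observation in the comment.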
It may violate current rules, but it does not violate any law. And that's all that matters.
And, for the record, the reason ARIN/IANA aren't chasing down any of these /8's is because a) it won't help, and b) it will take a costly, time consuming legal battle to get them back.
You don't even need DHCPv6 to advertise DNS servers or default routes.
Because you are still running an IPv4 stack. IPv6 autoconfig will give you a prefix and a router(s). That's it. DHCPv6, in its current brain damage, won't provide domain names, a hostname, ntp servers, or pretty much most of the data that can be provided from DHCPv4. PXE netbooting... I don't think anyone has even realized that won't work. :-)
Turn off the IPv4 stack and see how much static information you have to enter.
I can directly address each system from anywhere in the world without having to use a VPN or other translation
And so can everyone else. Having watched a Windows 2000 Server be compromised during installation, and a redhat server compromised on its first boot (before patches could be applied)... no machine should ever be connected to the internet "naked".
As much as NAT "isn't security", it keeps the internet out. You cannot mug me if you don't know where I am.
99% of his rant is on the complete lack of interoperability and the non-existence of any migration path. Not that there can be any migration since the two protocols are completely alien to the other. Your only choice is to start using the new and eventually stop using the old. People are resistant to the first part, and the last part isn't going to happen for decades.
End users don't need to know or do anything. At this point, all we really need is for ISPs to provide IPv6 and the rest will happen without users doing -- or knowing -- a thing.
100% WRONG. That little thing you have between your cable/dsl modem and your computers -- called "a router" (and that's being generous) -- will have to be upgraded at best, and replaced at worst. If you're plugging your windows box into the internet "naked", then you're a g** d***ed idiot and should be taken out and shot.
The cheapy netgear, dlink, linksys, et al. routers/gateways/etc. for the most part don't have the memory or processing power to support IPv6. Even if they did, users would still have to upgrade them, and very few ever do. In the corp. world, there's a great deal of work to be done to integrate IPv6. Not the least of which is none of the firewalls (fully) supporting IPv6... if you have a pix firewall, throw it away -- "Upgrade to an ASA today!"; even 'tho it's working fine (and has for decades), it'll never support IPv6.
All of the major OSes have solid IPv6 support in place...
No they don't. IPv6 support in Windows XP is "experimental" and lacks just about everything found in modern (i.e. windows 7) implementations.
The transition plan is solid, and works very well in practice...
"Stop using IPv4 and start using IPv6." (not necessarily in that order) Is not a "plan". I was around back in the early days... people had appletalk and IPX networks and wanted to "get on the internet". None of them were happy with the requirement to add a completely new network layer (IPv4) to their network and thus new software on every machine. IPv6 is the same mess. IPv4 and IPv6 share only the first two letters. At the core, they are completely, utterly, fundamentally different. People will be running "dual stack" for many years to come due to this incompatibility and the simple fact that a great number of devices/systems will NEVER support IPv6. (for example, I still have IPX only print servers.)
... just like it used to be done prior to everyone using NAT...
In the days before NAT, (most) people didn't bother with filtering. The net was a very different place back then; we didn't need to police every packet moving around the world. (we also didn't have SPAM back then, btw.)
A network today without the veil of NAT will be a very nasty place indeed!
What competition? Most people have at most two or three choices for residential connectivity. (some don't even have that.)
So, that'd be... DSL from your landline telco, cablemodem from your local monopoly cable provider, FiOS if you're really f'ing lucky, and HughesNet if you're really unlucky. Cellular data plans, you say... they're slow, expensive, and ALL of them have usage caps. This isn't the 90's where you had 4 dozen ISPs to service your dialup internet needs.
Most go unprosecuted because it costs too much and is very hard to trace back to any real person. Add in jurisdictional boundaries and you may find that they cannot be prosecuted if you do manage to find them. Most cases can be "easily" handled through whatever registrars are involved if it's dealt with immediately -- but it's still a long, ugly process.
If what I've read is true, he committed several crimes... breaking into the AOL account (computer trespass) to gain access to the godaddy account (computer trespass, fraud, wire fraud, ...), creating false transactions to cloud the picture and give the false impression that the domain was bought (fraud, banking fraud, CC fraud, ...) -- not sure what was involved there, and then sold the stolen property on ebay for a huge profit. This is indeed a matter for criminal court.
(ok, smartass)
Yes, you should. So when this happens to you, we'll apply the same logic... "you're a nobody. why should we care?"
Actually, that was a trademark case. And Apple sued Cisco (aka Linksys) who did not have a product on the market using the iPhone trademark.
Bulls***. 99% of the users of the Internet don't know jack about how it works. Slashdot is not a representative sample.
Unless you watch a lot of infomercials at 3-4am, I doubt most of the world knows what P90X is.