When Comcast first rolled out that data cap nationwide, I started prodding at it one night out of morbid curiosity
Nmapping the server they used caused the messages to immediately disappear. As well as the server to seemingly vanish. Turned out the firewall was just blanket banning the entire IP range when it saw a portscan!
The upside being that Comcast would stop MITM'ing HTTP traffic for about 72 hours
Even if you can actually reach the people who run the ASN of your ISPs, if it's something big like Cox, Charter, Shaw, etc., they'll be politically unable to confirm or deny anything, and won't want to talk to you. You might get a straight answer if you are in a similarly senior position at an equivalent sized ISP that has mutual settlement free peering, such as between RCN and Charter.
If you want actual customer support these days, your best bet is to create a PR problem for the company via social media, because PR flacks are paid enough to matter.
Definitely if you think of your product/ service as "premium" this is the correct model to have.
We also have municipal fiber but they’ve chosen not to make that available for residential service which is really disappointing but … politics.
But we go one further — no development on the LAN. Develop on another server at a different hosting company, and only deploy on the production host when thoroughly vetted.
Does this just mean staging/shared servers are not deployed on machines inside the corporate network, or that developers can't have their dev environment locally and instead remote in to some other machine to do their work?
I've heard of the latter in a few companies and it's always the kind of thing that makes me nope out of ever applying to them.
Each dev has his own cellular connection for internet on his development box. Again, no LAN access. Corporate e-mail and cross-department file servers are on another box on each dev's desk.
The downside is massive over-usage charges for each dev's cell data (40-50 GB/month/dev over). The upside is that devs are effectively airgapped from the company, which I assume is the primary goal of all this.
Also, chat is banned. There have been efforts in the past to bring in tools like Slack, but the honchos believe that it makes the company better as a whole if we speak to each other like human beings, especially cross-department. Even if that means slowing down a project. And even if that means having to walk across campus, or occasionally driving to another part of town to another building. Phones are largely only used when off-site, or we need to talk to someone in another city.
It all sounds tremendously inefficient, but I try to think of it as being like working at IBM or Sperry in the 60's. It seems to work. The company is profitable and expanding, and has been for 40+ years.
They've also done some things that I assume fell out of operating ICSI's Notary but don't make any real sense for this paper.
For example: For a real user what we care about is this cert the end user was presented for a site: Would that be trusted in (Internet Explorer on XP, Safari on iOS, a Python script on a Debian machine, etcetera) and would it be trusted in this smartphone.
And what they've looked at is, were the same Trust Stores baked into an Android phone as the above systems? But that's subtly different in a way that fogs the issue here. Example:
Suppose phone X trusts ISRG Root X1, XP trusts DST Root CA X 3, and a Debian system trusts Lets Encrypt Authority X3. Those are, to the naked eye, and this study, three completely different things. But in _practice_ for an end user it'd turn out any of the three work for trusting a vast number of certificates used on the web. Trusting one or another _does_ matter, but this paper isn't about why that is, and doesn't really explain what's going on here, it treats that sort of scenario as anomalous and potentially alarming without explaining.
The paper did remind me that ICSI's Notary won't work with TLS 1.3, which I have sort of known but not ever mentally addressed. The ICSI Notary works by peeking inside TLS sessions. In versions up to TLS 1.2, the server's Certificate is delivered unencrypted, just before both peers encryption switches on and their communications are unintelligible. This is used by the Notary and by lots of crappy middleboxes, but in TLS 1.3 the encryption has switched on earlier, before the certificate is sent, so the Notary can't see certificates any more.
If our upstreams were clueless or negligent, it would be possible to get into a situation such as when a Pakistani telecom announced a huge chunk of V4 space that is YouTube, effectively DDoSing their international submarine links and also taking down YouTube for some users worldwide.
We forgot to create some IRR entries and GTT just accepted our prefixes.
There is essentially no security, it's fairly trivial to hijack whatever space you want. (Doing it undetected is more difficult though!)
Lots of phone companies still just approve a port if you send them the required paperwork to initiate a port. That means with zero verification from the account holder a number can vanish from your account.
Since the problem is that hijacking numbers is easy, shouldn't that apply to “anyone who relies on telephone numbers”, not just “anyone who relies on SMS”?
SMS isn't the only telephone-number-based second factor.
Err. That's pretty much every implementation of 2FA around the world.
Why isn't this more well known ?
Guess what they send you when you forget your 2FA or password? Yep, an SMS. So out the door goes the whole point of 2FA. Your three factors (account name / email address + password + Google Authenticator) have now been reduced to one factor: your email address.
I can rent a mobile tower in Malaysia or some other Asian country, advertise your phone number as roaming there for about €10/h and start intercepting all your shit. Or just get your telco's inept service dept to forward your number somewhere else.
1. Even the giants get it wrong.
2. There is no security anywhere in the tech world. Literally everything is broken. Your electronic car locks / starter system, your phone, your internet, everything is horribly horribly horribly broken beyond any imagining, even for hyper-tech savvy people.
3. Remove your phone number as a backup device from your Google account and never use it as a backup device ever again.
Edit: Oh, you said that.
When it came out, if you wanted to "borrow" someone's phone number, all you had to do was clone the MAC address of the VoIP (EMTA) port.
If someone called the number, both you and the victim's phones would ring.
Things got a bit different when the MDN and MIN were different to the ESN pair. Calls still came but you couldn't auth or call out for data services.
It's all a bit old now, but look up QPST, QXDM for the past decade and 20 years ago look up Oki900.
Unfortunately I don't really remember the details, since I worked on the core data network at the time.
So...anyone here ever set up a throwaway machine with root ssh enabled with one of those common passwords, so that some of those could get in, so you could see what they actually try to do once they are in?
If so, what did you see?
This pain has been known for many, many years.
There simply shouldn't exist the scenario where a household is unaware that their hijacked toasters have been saturating their upload for months.
It seems unfair, but these are solutions that actually work. Waiting for things to fix themselves clearly isn't. We're quickly entering a reality where everyone will be using Cloudflare instead of just most of us.
It's pretty incredible how far naive decentralization got us, though. Soon we're going to be looking back in awe.
Yup. I can't use 188.8.131.52 because my AT&T router is responding to it.
Try that as an alternative.
The login/"landing" page when connecting to these hotspots would not load. Changing back to 184.108.40.206 fixed the problem.
No, it means their hotspot uses 220.127.116.11 as internal IP. I've seen this in a bunch of places.
Modern OSes detect these login pages by making a DNS lookup of a known domain, eg. macOS/iOS lookup "captive.apple.com", and if the answer is not in the 18.104.22.168/8 subnet they know someone is intercepting DNS and show the Wifi login window.
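The DNS side of that captive-portal check, as an added illustration (not code from the original post or from any OS vendor): the probe hostname and the expected answer range below are placeholders, since the real probe names and the address ranges an OS trusts belong to each vendor.

```python
import ipaddress
import socket

# Placeholder probe name and expected answer range (constructed for this
# example; real OSes use their own vendor-controlled probe hosts).
PROBE_HOST = "captive.example.invalid"
EXPECTED_NET = ipaddress.ip_network("198.51.100.0/24")


def classify_answers(answers, expected_net=EXPECTED_NET):
    """Classify A-record answers for the probe host.

    'ok'          every answer lies inside the range the OS expects
    'intercepted' at least one answer is outside it (a portal is rewriting
                  DNS), or the answer is not even a valid address
    'no-answer'   resolution failed; the OS would fall back to other probes
    """
    if not answers:
        return "no-answer"
    for answer in answers:
        try:
            ip = ipaddress.ip_address(answer)
        except ValueError:
            return "intercepted"
        if ip not in expected_net:
            return "intercepted"
    return "ok"


def resolve(host, resolver=socket.gethostbyname_ex):
    """Return the list of A records for host, or [] on resolver failure."""
    try:
        _name, _aliases, addrs = resolver(host)
        return addrs
    except OSError:
        return []


def detect_captive_portal(host=PROBE_HOST, resolver=socket.gethostbyname_ex,
                          expected_net=EXPECTED_NET):
    """Run the probe and return the classification string."""
    return classify_answers(resolve(host, resolver), expected_net)
```

A portal that hands back a private address for the probe host (the usual case on hotel and café Wi-Fi) is reported as "intercepted", which is the signal the OS uses to pop up its login window.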
"As part of an effort to de-bogonise this newly allocated address space, RIPE, in cooperation with APNIC, made some test advertisements to the global BGP table for several prefixes with 22.214.171.124/8. Specifically, these networks included 126.96.36.199/24 and 188.8.131.52/24. Why these networks? Because they contain the novel (and illegal) IPv4 addresses 184.108.40.206 and 220.127.116.11, of course.
"Shortly after announcing the routes to the world, RIPE's RIS was flooded with over 50 Mbps of traffic destined for what is still an unallocated network; it should not appear on the global Internet."
>Huston emphasised that APNIC intends to protect users' privacy. "DNS is remarkably informative about what users do, if you inspect it closely, and none of us are interested in doing that," he said.
Maybe it is reasonable to take them at their word as they seem trustworthy, but we should at least consider the fact that at least some of this DNS traffic is indeed being analyzed.
Users of the DNS service get the privacy guarantee.
Non-users do not. If you floodping 18.104.22.168 you are not a user of the DNS service and the privacy terms don't apply to you. Rather you're a member of the Misconfiguration Club, and the site you're pinging has the usual right to analyse your pings.
I get the general idea, but having "user-privacy oriented" and "we collect everything and make it available to many researchers" services under the same IP may lead to some issues.
that's just the public stuff!
Another regional example, they have 20Gbps to the VANIX.
What is opaque is the size and scale of their PNI peering, which parties generally don't share. For example in a mid sized city where Comcast is the cable monopoly they almost certainly use a 100GbE interface direct to Comcast for just that isp.
Yes the scale is terabits globally. But it is highly decentralized.
Isn’t that the entire point of a CDN, to have decentralized POPs scattered globally?
Yes, they may max out at 100gb per public IX in most cases, but they still have lots of 100gb peers all over the globe.
Your post implied a total of 200-400gb, the real number is 10x that (otherwise known as “order of magnitude”). I’m not disputing your knowledge or experience, but the post as written has issues.
If you want privacy, you never do DNS queries from an ISP-assigned IP address. Tor exits do DNS queries on behalf of clients. Decent VPN services also handle DNS queries for clients.
Or are you arguing that even Cloudflare couldn't get raw DNS traffic?
I don't mean to question CloudFlare's integrity.
It's just that, for claims about privacy, I'd rather depend on more than trusting any one party.
Because these sorts of comments read to me as "yeah, you're the best right now, but are you perfect? No.". Nobody claimed perfection, and there's value in being the best.
But I never depend on any one of them. I use nested chains. That's by no means perfect, because routes are relatively static, unlike Tor with its frequently changing circuits. But the basic idea is the same. Compromise would depend on collusion, perhaps forced, of multiple parties. Or some serious traffic analysis.
Here, there's CloudFlare, its auditors, and perhaps Google. So maybe there is distributed trust in that. But still, I'm happier to put more independent parties between me and them. Tor, or at least a nested VPN chain.
This is relevant as the CEO has previously woken up one morning after a troublesome sleep and it has been argued, gone against his word (for good and anti nazi reasons). Many argue that he was entirely within his right to do so, and he was! So in this case, would he be entirely within his right to start monitoring all that data. As he asks, paraphrasing: "what more can I do to ensure my word is good."
I’ll start: do we ever store 22.214.171.124’s users’ IPs? No. They’re never written to disk. And APNIC never has access to them.
What data do you provide to APNIC? We give APNIC reports on non-DNS data that’s hitting 126.96.36.199. It includes information like: what protocols are sending data to the IP, what’s the volume, where is it coming from?
For DNS users of 188.8.131.52, we never provide APNIC any identifying information. We don’t upload any data to them. While they can query for questions like: “How many queries came from India in the last 24 hours?” they can’t query anything on a specific user.
If you have concerns, ask them here. I’ll answer.
https://developers.google.com/speed/public-dns/faq#locations (when EDNS0/ECS isn't supported)
The tin foil hat brigade might suggest that this is deliberate to ensure that only what's served by cloudflare gets to be fast...
Conspiracy theory isn't a dirty word.
Speculation keeps people informed and alive.
It doesn't take much guessing to know who sent an anonymous DNS request for example.com to one of your countless PoPs if your CDN logs a HTTP GET request to www.example.com at the same location a few milliseconds later.
Our business is not about tracking people; it's about selling our service to businesses to make their web sites/APIs/applications faster and more secure.
"Specifically, APNIC will be permitted to access query names, query types, resolver location and other metadata via a Cloudflare API, that will allow APNIC to study topics like the volume of DDoS attacks launched on the Internet and adoption of IPv6."
I interpret "query names" as some values obtained from DNS queries hitting 184.108.40.206, e.g. "foo.example.com".
Is your answer to "What data do you provide to APNIC?" complete in the statement above?
Thanks for clarifying.
Are the gigabytes of junk billions of tiny requests or are there large requests as well?
Are you finding it more difficult than expected to manage the data?
I'm a 220.127.116.11 customer since you launched, thanks a lot for it.
Have seen edge traffic charts for major porn hosting companies and the out:in traffic ratio is like 97:3
What exactly do you mean by "user"? Can they query DNS traffic by IP address / subnet? Exactly what are all of the restrictions there?
EDIT: Is there a whitelist of things they can query by or do you simply trust them to be good citizens, have a binding legal agreement, all of the above?
Ding ding ding, we have a winner. If more people would realize this, we would have fewer data breaches. To get there, a data breach must become more costly for the companies.
To protect against that, could you commit not to log to disk any queries that come from fewer than N ips in 24 hours, and not to expose rare queries to APNIC or internally? (Not a demand, just brainstorming mitigation.)
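One way such a threshold could be applied before data is shared, as an added example (not Cloudflare's or APNIC's code): query names are only released when at least N distinct client IPs asked for them within a 24-hour window, and the client IPs themselves never leave the function. The log records are constructed for this example.

```python
from collections import defaultdict

WINDOW_SECONDS = 24 * 60 * 60


def releasable_query_counts(records, n, window_seconds=WINDOW_SECONDS):
    """Aggregate (epoch_seconds, client_ip, qname) records into per-window
    query counts, dropping any name seen from fewer than n distinct IPs.

    Returns {window_start: {qname: query_count}}. Client IPs are used only
    to count distinct askers and are not part of the output.
    """
    # (window_start, qname) -> set of client IPs that asked for it
    askers = defaultdict(set)
    # (window_start, qname) -> total number of queries
    counts = defaultdict(int)
    for ts, client_ip, qname in records:
        window_start = ts - ts % window_seconds
        key = (window_start, qname.lower().rstrip("."))
        askers[key].add(client_ip)
        counts[key] += 1

    report = defaultdict(dict)
    for key, ips in askers.items():
        if len(ips) >= n:          # rare names stay internal, never exported
            window_start, qname = key
            report[window_start][qname] = counts[key]
    return dict(report)


# Constructed sample: one popular name, one name only a single host looks up
# (the kind of name that would identify that host if it were exported).
SAMPLE_LOG = [
    (0,     "192.0.2.10", "popular.example."),
    (60,    "192.0.2.11", "popular.example."),
    (120,   "192.0.2.12", "POPULAR.example."),
    (180,   "192.0.2.10", "popular.example."),
    (200,   "192.0.2.99", "rare-host-tag.example."),
    (250,   "192.0.2.99", "rare-host-tag.example."),
    (90000, "192.0.2.10", "popular.example."),   # next 24h window
]
```

With n=3 the first window reports popular.example with 4 queries and omits rare-host-tag.example entirely; the second window has only one asker for popular.example and so releases nothing.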
It might also be fun to give an internal team access to the data you consider safe, and challenge them to dig up personal data from it.
Is there a guarantee that this will always be the case? Might there, in theory, be a point in the future where users' IPs are collected and stored?
Loving 18.104.22.168, btw.
Personal information includes full IP addresses, the content of requests, or any set of data that can be used to recover these.
That is what "we respect your privacy" means.
We can query things like:
1. How much query traffic is from Africa?
2. What’s the peak time of query traffic?
3. What are the most popular DNS authoritative servers?
If you have specific concerns, please raise them here.
Performance. Our core business is making our customers fast and safe. More people using 22.214.171.124 means our Authoritative DNS service is inherently faster for anyone who uses it.
Recruiting. Our mission is to help build a better Internet. Lots of places the people on our team can work. That they work for us is often because employees believe in our mission. 126.96.36.199 helps with that.
I've been working a lot with open data and I have huge problem with Cloudflare ruining open internet with bot protection and such. The issue I have is that public data is public, be it bot or human.
I'm having a real issue with you guys saying that your mission is to better the internet when you break a shitton of floss apps that are essentially harmless, and people who want to do harm, crawl at huge rates for commercial purposes, break your systems like they're made of twigs. I'm saying this as a person who works on both sides and can't help but call you out.
So sorry unless you turn to non-profit I'm really not buying your "helping the internet" song.
As long as Cloudflare blocks that, it's hostile.
Maybe a way to register as spider with Cloudflare, and get a token that one passes in the header, with strict rate limits would be much better than the current solution of just showing captchas.
Ha, I was using 188.8.131.52/24 as my local intranet as an experiment with dnsmasq a few years back. I got scolded for it, rightly so, but I figured as no-one was using 184.108.40.206/24 at the time it was OK.
I see I am not the only one who did so.
And yes, that's what it would do. And no, I didn't. Made it easier to type in IPs, that's for sure.
Was a blast to see some of it and the war stories about how they were able to do some early warnings of nasties that were about to wreak havoc.
Gave them a good incentive to actually design a pretty good tooling set, that never made it past "On Demand Innovation Services", which helped me to clean out a network with a zoo of malware strains. Still would implement it in the different networks I frequent, if it was available.
The current bandwidth is finite. The future bandwidth is finite. Even if we use all the resources available to us, expanding at the speed of light to capture those resources, it's still finite.
The internet is continually expanding at OSI layer 1. It is a construction project. The bandwidth is growing faster than our ability to fill it.
There are only so many criminals in the world, period. They only have so much bandwidth, either through stealing it or buying it.
Also, I am happy Cloudflare is doing this, they are, at the very least, taking resources away from the criminals that could be attacking others and doing real harm.
But from a user perspective, why couldn't they have just let that address be... So many things are going to break just because Cloudflare wants a pretty IP. Sure, the things that break were using a hack, but in my opinion that doesn't automatically make it okay to break it.
Now I'm just waiting for a startup to launch a Stack Overflow competitor on example.com...
And just knowing that Google has that number is a bit like them owning a license plate or phone number with pure eights...