Message-ID: <MDEHLPKNGKAHNMBLJOLKEEJLBBAB.davids@webmaster.com>
From: davids at webmaster.com (David Schwartz)
Subject: RE: [MISC] SBC Blocks Port 25 - No Exceptions.


> Approximately an hour ago, we lost TCP port 25 from/to anywhere.
> This, on our "Business-Class DSL" line.  A call to SWB confirms that:
>
> (a) The decision to block *everyone* was made some time ago;
> (b) SWB chose not to notify anyone of this impending change;
> (c) There are NO exceptions.  Just how this "service" qualifies as a
> "Business Class DSL" is anyone's guess.
> (d) While they state that they will offer relay services, to get them
> requires that you fill out a form and send it in to SWB for
> processing: a process that could take "several weeks".

	If you signed a contract that allows your ISP to place permanent,
non-emergency filters on your line that filter out any content they decide
they don't like with no notification and no way for you to opt out, you're a
fool. If you didn't, then you should complain loudly (and if necessary sue)
for their violation of your contract.

	When I negotiate deals with ISPs to provide business class service, these
types of things are often the most complicated part of the negotiations. You
should definitely demand the following and not choose an ISP that doesn't
provide it:

	1) Notification of all filters that will be applied to all packets destined
to your IP addresses or sourced from your line. At least 3 business days
ahead in non-emergency situations and as soon as practical in emergency
situations.

	2) The ability to opt out of any and all filters that the ISP might place
upon packets destined for your IP addresses or sourced by your circuit with
the following exceptions:

	A) Packets destined for IP addresses that the ISP knows are not valid.

	B) Packets sourced from IP addresses that the ISP does not know belong to
you.

	C) Emergency filters placed to deal with a problem that is in progress.
Such filters may only be kept as long as the problem is actually ongoing and
may not be more restrictive than is reasonably necessary to deal with the
emergency.

	D) Future filters that are the result of technical necessity. These must be
reasonably constructed so that they are as narrow as possible to block out
only known harmful or malicious traffic.

	3) Filters blocking based on IP protocol, ICMP type, TCP or UDP port, are
never considered technically necessary. Specifically, blocking all SCTP, for
example, or all packets with unknown IP protocol fields may only be done on
an emergency basis or with an opt out option.

	4) The ISP specifically waives any right to consider its filtering policies a
trade secret or otherwise confidential as a means of keeping you from
getting access to the policies. They may request that you not disclose them
(and you can commit to honor this request).

	DS


