Folks, you might be interested in checking out a network monitoring tool we launched today, Netalyzr. It's a Java applet you can run by surfing to netalyzr.com. It aims to measure a bunch of the properties of an end user's network access, particularly looking for transparent modifications (e.g., hidden proxies), connectivity restrictions, and some security issues (e.g., whether the DNS resolver is vulnerable to the Kaminsky attack).
We've had several thousand users run it today so far, so you may be hearing about reports your customers have gotten from it. You can see a sample report at:
http://netalyzr.icsi.berkeley.edu/restore/id=example-session
- Vern
didn't want to spring for a cert for that eh? www.startssl.com ... hey lookie! free certs!
On Tue, Jun 9, 2009 at 6:51 PM, <vern@ee.lbl.gov> wrote:
Folks, you might be interested in checking out a network monitoring tool we launched today, Netalyzr. It's a Java applet you can run by surfing to netalyzr.com. It aims to measure a bunch of the properties of an end user's network access, particularly looking for transparent modifications (e.g., hidden proxies), connectivity restrictions, and some security issues (e.g., whether the DNS resolver is vulnerable to the Kaminsky attack).
We've had several thousand users run it today so far, so you may be hearing about reports your customers have gotten from it. You can see a sample report at:
http://netalyzr.icsi.berkeley.edu/restore/id=example-session
- Vern
On Jun 10, 2009, at 10:16 PM, vern@ee.lbl.gov wrote:
didn't want to spring for a cert for that eh? www.startssl.com ... hey lookie! free certs!
? We bought a cert from Thawte specifically so people wouldn't find that it's suspect. Does it look funny when your browser presents it to you?
Yes. -- TTFN, patrick
On 11/06/2009, at 2:16 PM, vern@ee.lbl.gov wrote:
didn't want to spring for a cert for that eh? www.startssl.com ... hey lookie! free certs!
? We bought a cert from Thawte specifically so people wouldn't find that it's suspect. Does it look funny when your browser presents it to you?
I had the same problem, I'm not sure Christopher correctly diagnosed it. It looks like in Safari, when a Java applet asks for unrestricted access (as opposed to standard) it presents you with the security cert to confirm that you really want it. It says "This certificate is valid", as opposed to "invalid" or "untrusted" or whatever normally comes up. Screenshot of the GUI: http://don.braintrust.co.nz/~nward/netalyzr.png -- Nathan Ward
On Wed, Jun 10, 2009 at 10:26 PM, Nathan Ward<nanog@daork.net> wrote:
On 11/06/2009, at 2:16 PM, vern@ee.lbl.gov wrote:
didn't want to spring for a cert for that eh? www.startssl.com ... hey lookie! free certs!
? We bought a cert from Thawte specifically so people wouldn't find that it's suspect. Does it look funny when your browser presents it to you?
I had the same problem, I'm not sure Christopher correctly diagnosed it.
It looks like in Safari, when a Java applet asks for unrestricted access (as opposed to standard) it presents you with the security cert to confirm that you really want it. It says "This certificate is valid", as opposed to "invalid" or "untrusted" or whatever normally comes up.
<http://img38.imageshack.us/i/picture1apq.png/>
actually:
1) it's firefox
2) the error is from 'java' (looks like the same error as you get nathan)
3) it says: "This applet was signed by the 'International Computer Science Institute' , but Java canNOT verify the authenticity of the signature's certificate. Do you trust this certificate?"
So... java fail, my-reading-skills-fail...
-chris
Screenshot of the GUI: http://don.braintrust.co.nz/~nward/netalyzr.png
On Tue, Jun 9, 2009 at 16:51, <vern@ee.lbl.gov> wrote:
Folks, you might be interested in checking out a network monitoring tool we launched today, Netalyzr. It's a Java applet you can run by surfing to netalyzr.com. It aims to measure a bunch of the properties of an end user's network access, particularly looking for transparent modifications (e.g., hidden proxies), connectivity restrictions, and some security issues (e.g., whether the DNS resolver is vulnerable to the Kaminsky attack).
We've had several thousand users run it today so far, so you may be hearing about reports your customers have gotten from it. You can see a sample report at:
http://netalyzr.icsi.berkeley.edu/restore/id=example-session
- Vern
Why no privacy policy? Or am I just partially blind? Is an answer in a FAQ legally binding? ~Chris -- Chris Grundemann weblog.chrisgrundemann.com www.twitter.com/chrisgrundemann www.coisoc.org
On Fri, Jun 12, 2009 at 09:43, Randy Bush<randy@psg.com> wrote:
sure, we need a privacy policy that can be arbitrarily changed with no ... previous ... notice just as we have for ... ... everything !!!
exactly. so was the question a troll, a red herring, or just a rant?
randy
I guess it was just a rant, I like to know more specifically how folks intend to use data before I hand it over - and I like that promise to be at least theoretically enforceable. I am far from a lawyer but it is my understanding that an official pp is much more substantive and binding than a single FAQ answer -- especially in the eyes of the FTC. Yes policies can be changed but I can follow those changes and stop using the service/tool/etc if I don't like the changes.
If you are saying that the policy can be changed after the fact to allow uses of the data for purposes or in manners other than those originally stated, I think you are wrong, see the 2004 case between the FTC and Gateway Learning as one example I know of off hand: Howard Beales, Director of the FTC’s Bureau of Consumer Protection. “You can change the rules but not after the game has been played.” (http://www.ftc.gov/opa/2004/07/gateway.shtm)
I will grant you that in this case the data being collected is probably not that sensitive, but the access to my computer is - to me at least. I for one would have used the tool immediately had there been an acceptable PP or other TOS in place but without it I hesitate... So I figured I would bring it up.
~Chris
PS - if you are interested in TOS related stuff, might be worthwhile to check out http://www.tosback.org/timeline.php a new project launched by the EFF (no affiliation, just fyi)
sure, we need a privacy policy that can be arbitrarily changed with no ... previous ... notice just as we have for ... ... everything !!! exactly. so was the question a troll, a red herring, or just a rant? If you are saying that the policy can be changed
i am saying all this is specious. if you don't like it, don't use it. i have been using vern's stuff for 15 years or so, and trust him vastly more than i trust 94.3% of all the other services you trust. randy
i am saying all this is specious.
What is really suspect is www.netalyzr.com is registered via GoDaddy and DomainsByProxy. The IP resolves in Berkeley's IP space, but the reverse DNS name is roland.icir.org. Why the hidden registration? I realize Educause won't register a .com for you, but do you really need to be obtuse about who owns the domain? Also .. the Netalyzr project isn't even listed on the "projects" page at www.icir.org. Cheers, Michael Holstein Cleveland State University
i am saying all this is specious. What is really suspect is www.netalyzr.com is registered via GoDaddy and DomainsByProxy. The IP resolves in Berkeley's IP space, but the reverse DNS name is roland.icir.org.
Why the hidden registration?
if you knew anything about icir, vern, berkeley, ... you would have a clue. as it is, you don't. so anything sounds like black helicopters. i have work to do, so will be dropping out of this ever so exciting and informative conversation. randy
On Fri, Jun 12, 2009 at 11:03, Randy Bush<randy@psg.com> wrote:
sure, we need a privacy policy that can be arbitrarily changed with no ... previous ... notice just as we have for ... ... everything !!! exactly. so was the question a troll, a red herring, or just a rant? If you are saying that the policy can be changed
i am saying all this is specious.
if you don't like it, don't use it. i have been using vern's stuff for 15 years or so, and trust him vastly more than i trust 94.3% of all the other services you trust.
randy
Probably so and it was not my intention to attack Vern, Berkeley, ICIR nor infer that they were not trustworthy. Just pointing out a possible place for improvement from my view. ~Chris
imho, I believe you are being a little bit paranoid with a tool released by folks that have been trusted in the community for ages. As Randy said, if you don't like it or don't feel comfortable with it, don't use it. BTW, have you ever notified or made public what you do with the response of each single ping you sent? Your ICMP packets are invading my privacy !!! :-) Cheers
participants (8)
- Chris Grundemann
- Christopher Morrow
- Jorge Amodio
- Michael Holstein
- Nathan Ward
- Patrick W. Gilmore
- Randy Bush
- vern@ee.lbl.gov