Welcome to Hurricane Electric's Tunnelbroker.net forums!
Started by gerbil, October 04, 2011, 10:13:44 PM
Quote: First thing I noticed as an HE 'customer', having signed up for a tunnel, is that account names are made public as the first part of RDNS/PTR hostnames for easily guessed/discovered IPv6 addresses that the user has no RDNS control over, and thus cannot override (I'm talking about addresses outside of the 'routed prefixes'). This would seem to be an unnecessary security faux pas for obvious reasons.
Quote: The second issue involves HE providing personal information of customers on its whois server. I'm not disputing that this may be part of RIR (ARIN's) policy. However, I don't believe there is full disclosure in your terms of service, where you state "Hurricane Electric will provide your information to the appropriate RIRs when required under RIR policy. This data may be published by the RIR in a database such as whois." With there apparently being no 'may' about the release of this information, and it not so much being provided from you (HE) to the RIR as you (HE) providing it directly to any third party querying your whois server. At the least I think the terms of service should be amended to be clearer (and more accurate), but I also (and probably more importantly) think that a short disclosure of this specific policy near any forms (on HE's network of websites) that request personal information would be a good idea.
Quote: Along the same line (and for similar reasoning) as the first point, I find it a fairly bad idea to both require using a monolithic HE account for forum access *and* not allow an over-riding 'display' name to be specified in the forum profile. Along the same line as the second point, there doesn't seem to be any disclosure of personal information (location) being taken from input at other locations within the HE network and being made available on the forum (under the user profile). If I'm missing something on these points, hints/corrections are welcome.
Quote: The 24-hour timer on the daily IPv6 seems odd and inappropriate. Even if people can independently keep close track of this timer (which seems a completely unnecessary burden), offset drift will happen such that days will be lost in completing the repetitive march to 1400/1500 points. Much better would be to keep track of the last day that the user completed each challenge. This eliminates the need to keep track of a 24-hour timer, and eliminates any drift that would result in lost days for completing these tests.
Quote: These daily IPv6 tests aren't proving any technical knowledge that you haven't tested in the certification levels leading up to these daily tests. They are so mindlessly repetitive that most people probably relegate the task of completing them to simple scripts; they don't seem to really serve a productive purpose to the user. If I were to guess by the looks of them, these tests seem designed solely for HE to farm information (from its users/customers) about 'active' IPv6 allocations and services.
Quote: Also, I've been caught two times (and I've only been doing these tests for four or five days) by an apparent bug in the daily tests where if I submit output for a host within a prefix that I've used in past daily tests, the test locks up and doesn't allow me to use other fresh, unused prefixes that I'm absolutely sure I've never used before. Also, I think it should be a bit clearer as to where the line is drawn in prefixes, as far as reuse goes, such as using static /32 as a delineation point, or the smallest/largest CIDR prefix (smallest if you consider host space, or largest if you consider CIDR number, such as /48 > /32) shown in the RIR whois database (or whatever other reasonable approach you might take). Though, maybe you have made it clear somewhere and I missed it.
Quote: First off, congrats on reaching Sage. Don't forget to validate your address information and pick a t-shirt size. That way we can get you a nifty reward for your efforts!
Quote: We have this information (username + location) for troubleshooting purposes. Sometimes it is simply quicker to look into a reported issue when that information is presented in a traceroute. Especially as we'll get tickets with either limited information by the user, or from other people not associated with the account experiencing issues.
Quote: We can review the language of our posted relevant policies regarding the broker/certification/free dns. However at this time only the City/State/ZIP are published, and no other specific user information. This helps satisfy RIR policies. And even then it is only as accurate/correct as was submitted by the user.
Quote: We prefer the single unified account method for access to the free services. Especially useful when we terminate an account for abuse. If you want your real name or some other name to be displayed on the forums, under your profile settings in the forums you would edit: "Name: This is the displayed name that people will see".
Quote: We might adjust this, however all those with 1500 seem to have completed without issue. If we wanted people to script against it, and not interact with trying to find relevant IPv6 information and game the system by essentially setting up a data mining bot and walking away, yeah we could have it reset every day at like 3am.
Quote: We track only what was the subject of the submission; IP, hostname, etc. That is to make certain that an account doesn't keep submitting identical information over and over again. So for WHOIS, we store the entire range submitted. For rdns/aaaa just the IP/hostname, etc. If you are experiencing errors, please make certain you are emailing firstname.lastname@example.org so we can look into them.
Quote: Read here as 'Congratulations! Make sure to validate correct address information, because this was obviously not a concern of yours anywhere in your post!'
Quote: I imagine it would be quite easy for you to create a back-end tool for employee use only that would allow you to enter an IPv6 address and, if applicable, bring up assignee account information.
Quote: Apparently I'm still missing it. When I'm viewing my profile, the first thing I see is the 'Summary' page, which does not allow editing of the name.
Quote from: broquea on October 05, 2011, 06:09:15 AM
We might adjust this, however all those with 1500 seem to have completed without issue. If we wanted people to script against it, and not interact with trying to find relevant IPv6 information and game the system by essentially setting up a data mining bot and walking away, yeah we could have it reset every day at like 3am.