Re: NSI's registrar db hacked

[Marc Slemko <marcs () znep com>]

On Thu, 13 Apr 2000, Rodney Joffe wrote:

> bill () daze net wrote:
>
> > Nothing new here.  Network Solutions has known about the MAIL-FROM problem
> > for years, yet they refuse to do anything about it.
>
> Doh. Didn't realize it was the same old thing. This seems like such a
> trivial problem to solve...
>
> a) force guardian (crypt-pw seems the most reliable) on all new domain
> registrations
> b) with NSI's next spam to their customer database, lead people forcibly
> to guardian (crypt-pw again)
> c) use a mail system that scales, so that 1 week delays don't happen.

I don't understand where the problem is with authenticating based on email
address, if they simply did it right.

Get a request from address X.  Verify that address X should be
allowed to change the record.  Send an email back to X, requiring
that they reply with a particular subject, or to a particular
address, or go to a particular URL, etc. where "particular" is not
guessable.  You know, like mailing lists have been doing for years.
It isn't that complicated.

For people that have automated systems that send in forms, they can either
specify a crypt-pw or use PGP and NSI could then not require the email
validation or they could just have to modify their system to deal with it
being done in a secure way.

This does not require every record to be updated with an authentication
scheme and is something that is more reasonable than PGP (is that
working at NSI this week?) or, arguably, crypt-pw to use as a
default.

But hey, why should NSI care?  This way they can get people to shell out
$$$ after their domain is stolen to get it back ASAP.