nanog mailing list archives
Re: New hijacking - Done via via good old-fashioned Identity Theft
From: Valdis.Kletnieks () vt edu
Date: Thu, 07 Oct 2010 11:07:51 -0400
On Thu, 07 Oct 2010 14:16:00 -0000, Sven Olaf Kamphuis said:
> you just give contacts for the passwords with which you have received a new one. each potential person that can send email to your email address, gets a unique password from you.

You missed the point. How does person37 () gmail com ask me for a password, if I don't accept his e-mail without one? (Hold this thought, we'll be back to this)

> sending person/maillist 1 gets password abcdefg to send to bla () example com (no matter from which email address)
> sending person/maillist 2 gets password 123545 to send to bla () example com (no matter from which email address)

And if I've assigned 123545 to duct-tape-2010 () yahoo com, but he's since moved to clawhammer101 () gmail com, how do I securely notify him of the new password, keeping in mind that I'm probably changing the password *because the enemy already has access to the old password*?

"Hey Joe - somebody has enough access to your system to get 123545 - so use fuzzy-wombat instead". What's wrong with this picture?

With 140 million compromised boxes where sending the new password is basically e-mailing to the enemy, and the scheme leaking new passwords to boot, "revoke and issue a new credential" simply doesn't scale.

In other words, the only sane response is "revoke and don't bother setting new one". At which point the person has to contact me and ask for a new password. "Hey, this is duct-tape-2010, my password doesn't work, give me a new one". Given that his old password doesn't work because I revoked it when a spammer got hold of it, how do I know that I'm not giving the new password directly to the spammer and the esteemed Mr Tape has no idea any of this happened?

Further discussion probably belongs on SPAM-L.
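The two objections in the message above (first contact and re-issue after a leak), modelled as an added example that is not part of the original post or of any real mail system. The `TokenGate` class, its methods and all addresses are hypothetical and constructed for illustration; the only property taken from the thread is that acceptance depends on the password alone, "no matter from which email address".

```python
import secrets


class TokenGate:
    """Toy model (hypothetical) of the per-correspondent password scheme."""

    def __init__(self):
        self.active = {}      # token -> label of the correspondent it was issued to
        self.revoked = set()  # tokens withdrawn after a suspected leak

    def issue(self, label):
        token = secrets.token_urlsafe(8)
        self.active[token] = label
        return token

    def revoke(self, token):
        self.active.pop(token, None)
        self.revoked.add(token)

    def accept(self, sender, token):
        # The sender address is deliberately ignored: the scheme keys on the
        # token only, so whoever holds the token is treated as its owner.
        if token in self.active:
            return "accept"
        if token in self.revoked:
            return "reject: revoked token"
        return "reject: no valid token"


def walk_through():
    """Run the three situations from the thread and return the gate's verdicts."""
    gate = TokenGate()
    out = {}
    # 1. Bootstrap: a new correspondent has no token, so even the message
    #    asking for one is rejected.
    out["first_contact"] = gate.accept("person37@example.net", None)
    # 2. Leak: a copy of the token works from any address (constructed names).
    tok = gate.issue("duct-tape")
    out["owner"] = gate.accept("duct-tape@example.org", tok)
    out["thief"] = gate.accept("spammer@example.invalid", tok)
    # 3. Revocation: owner and thief now present the same evidence (a dead
    #    token), so a re-issue request from either looks identical.
    gate.revoke(tok)
    out["owner_after"] = gate.accept("clawhammer@example.org", tok)
    out["thief_after"] = gate.accept("spammer@example.invalid", tok)
    return out


if __name__ == "__main__":
    for case, verdict in walk_through().items():
        print(f"{case:14} {verdict}")
```

Any fix has to come from a channel outside the token itself, since the gate has nothing else on which to base a re-issue decision.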