nanog mailing list archives

Re: Internic PGP Auth busted


From: Dean Gaudet <dgaudet-list-nanog () arctic org>
Date: Mon, 23 Feb 1998 12:51:28 -0800 (PST)

I posted a rant about this to bugtraq almost a year ago.  In the case
where it happened to me I was already annoyed because an update that had
been NAKed several times was applied when a single ACK was received over a
month later (sent by a former employee who happened to have the month-old
NOTIFY).  And then when I called them to ask them WTF they requested that
I fax them some letterhead to "prove" that I was who I said I was. 

The fellow on the phone really had no idea how ludicrous that assertion
was.  I'm afraid I lost my temper. 

I put a tiny amount of effort into determining if there was anything
cryptographically secure in the NOTIFY.  I suspect there wasn't -- but I
gave up before concluding that because their system was returning
responses up to a week later, and I didn't feel like pipelining my efforts
that much just to prove that the system was completely broken. 

I've no idea if it's still this broken. 

Dean

On Fri, 20 Feb 1998, Sanjay Dani wrote:



requirement so that you can then change each one to CRYPT.  [File away
that first response that has your encrypted password.  I am told you don't
ever get it again.]

If you are lucky (?), the (A)ck/(N)ak NOTIFY message that goes to
the "other" contact might include your password. I saw my password,
as the admin contact for a domain, included in the NOTIFY
message that went to the technical contact; luckily it was
our own NOC.

Regards,
Sanjay.

PS. Thanks to everyone who responded to my query on overseas
telco provisioning, I will post one summary when the info
is complete.

---------------------------------------------------------------
Web Professionals, Inc.                Direct:  +1 408-863-4850 
20111 Stevens Creek Blvd, Suite 145    Biz/NOC: +1 408-863-4848
Cupertino CA 95014 USA             http://web.professionals.com
---------------------------------------------------------------
-=- Your Outsourcing Partner for Website and Server Hosting -=- 




