Re: NSI's registrar db hacked
bill@daze.net wrote:
Nothing new here. Network Solutions has known about the MAIL-FROM problem for years, yet they refuse to do anything about it.
Doh. Didn't realize it was the same old thing. This seems like such a trivial problem to solve...

a) force guardian (crypt-pw seems the most reliable) on all new domain registrations
b) with NSI's next spam to their customer database, lead people forcibly to guardian (crypt-pw again)
c) use a mail system that scales, so that 1 week delays don't happen.

One good thing I've noticed in the last week or so - if someone attempts to register a domain, or modify a domain, to use your nameservers, your nameserver contacts get an email. Of course, in typical NSI style, the email is non-intuitive. And in typical NSI style, although it says you must "ack" for it to go through, it goes through anyway. But it's a start... at least you know that someone is trying to use your dns.

--
Rodney Joffe
CenterGate Research Group, LLC.
http://www.centergate.com
"Technology so advanced, even we don't understand it!"(SM)
On Thu, 13 Apr 2000, Rodney Joffe wrote:
bill@daze.net wrote:
Nothing new here. Network Solutions has known about the MAIL-FROM problem for years, yet they refuse to do anything about it.
Doh. Didn't realize it was the same old thing. This seems like such a trivial problem to solve...
a) force guardian (crypt-pw seems the most reliable) on all new domain registrations
b) with NSI's next spam to their customer database, lead people forcibly to guardian (crypt-pw again)
c) use a mail system that scales, so that 1 week delays don't happen.
I don't understand where the problem is with authenticating based on email address, if they simply did it right.

Get a request from address X. Verify that address X should be allowed to change the record. Send an email back to X, requiring that they reply with a particular subject, or to a particular address, or go to a particular URL, etc. where "particular" is not guessable. You know, like mailing lists have been doing for years. It isn't that complicated.

For people that have automated systems that send in forms, they can either specify a crypt-pw or use PGP and NSI could then not require the email validation or they could just have to modify their system to deal with it being done in a secure way.

This does not require every record to be updated with an authentication scheme and is something that is more reasonable than PGP (is that working at NSI this week?) or, arguably, crypt-pw to use as a default.

But hey, why should NSI care? This way they can get people to shell out $$$ after their domain is stolen to get it back ASAP.
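The confirmation round-trip described in the message above, sketched as an added example; it is not part of the original thread and not NSI's system. The names `ChangeQueue`, `CONTACTS`, `TOKEN_TTL` and the `confirm <token>` subject format are assumptions made for illustration.

```python
import hashlib
import secrets
import time

# Constructed sample data: addresses allowed to modify each domain record.
CONTACTS = {"example.com": {"admin@example.com", "tech@example.net"}}
TOKEN_TTL = 3 * 24 * 3600  # assumed validity window for a challenge, in seconds


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


class ChangeQueue:
    def __init__(self):
        self.pending = {}  # sha256(token) -> (domain, address, change, expires)
        self.applied = []  # changes confirmed by a listed contact

    def submit(self, from_addr, domain, change, now=None):
        """Queue a change and return the challenge mail, or None if refused."""
        now = time.time() if now is None else now
        addr = from_addr.strip().lower()
        # The From: header is only a claim; it selects who gets challenged.
        if addr not in CONTACTS.get(domain, ()):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits, not guessable
        # Store only a hash, so a leaked queue does not reveal live tokens.
        self.pending[_digest(token)] = (domain, addr, change, now + TOKEN_TTL)
        # The challenge goes to the address on record, so someone forging
        # From: never sees the token.
        return {"to": addr, "subject": f"confirm {token}"}

    def confirm(self, subject, now=None):
        """Apply the queued change if the reply subject carries a live token."""
        now = time.time() if now is None else now
        words = subject.split()  # tolerates a leading "Re:"
        if len(words) < 2 or words[-2].lower() != "confirm":
            return False
        entry = self.pending.pop(_digest(words[-1]), None)  # single use
        if entry is None or now > entry[3]:
            return False
        self.applied.append(entry[:3])
        return True
```

Nothing is applied at `submit` time, which is the difference from a notification that "goes through anyway": the change exists only in `pending` until a reply carrying the token arrives.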
One good thing I've noticed in the last week or so - if someone attempts to register a domain, or modify a domain, to use your nameservers, your nameserver contacts get an email. Of course, in typical NSI style, the email is non-intuitive. And in typical NSI style, although it says you must "ack" for it to go through, it goes through anyway. But it's a start... at least you know that someone is trying to use your dns.
This has been the case for at least a couple of years. --msa
"Majdi S. Abbas" wrote:
This has been the case for at least a couple of years.
There has to be something else then. One of our companies has provided nameserver service for 7 months publicly, and is authoritative for 30,000+ domains. Last week was the *first* time we ever received a notification. Apparently we also changed our guardian object to crypt-pw. Perhaps that's the magic pill?

--
Rodney Joffe
CenterGate Research Group, LLC.
http://www.centergate.com
"Technology so advanced, even we don't understand it!"(SM)
On Thu, 13 Apr 2000, Rodney Joffe wrote:
a) force guardian (crypt-pw seems the most reliable) on all new domain registrations
The other day I sent in a modify for a domain that I was tech contact (using crypt-pw) and someone else was the admin/billing contact. The admin contact got an after update notification that included my e-mail, including the clear-text password. At one point in time NSI used to strip the password off before re-emailing any form for any reason.

Also, I would love to use PGP, but they can't get that right either.

=========================================================================
Michael P. Lucking
Michael@Lucking.COM
On Fri, 14 Apr 2000, Michael P. Lucking wrote:
Also, I would love to use PGP, but they can't get that right either.
Obviously not. I have been trying for THREE YEARS to change some domains which I have been unable to do as my handle is protected with PGP and no matter what I try I can't get it through.

In fact, I only recently was able to contact someone in NSI who was able to confirm that I was, in fact, set up with PGP and which KeyID they were looking for. But, of course, that didn't help either. I've got a couple more things to try here but I'm not holding my breath.

- Forrest W. Christian (forrestc@imach.com) KD7EHZ
----------------------------------------------------------------------
iMach, Ltd., P.O. Box 5749, Helena, MT 59604
http://www.imach.com
Solutions for your high-tech problems. (406)-442-6648
----------------------------------------------------------------------
participants (5)
- Forrest W. Christian
- Majdi S. Abbas
- Marc Slemko
- Michael P. Lucking
- Rodney Joffe