New hijacking - Done via good old-fashioned Identity Theft

Valdis.Kletnieks at vt.edu
Thu Oct 7 15:07:51 UTC 2010


On Thu, 07 Oct 2010 14:16:00 -0000, Sven Olaf Kamphuis said:
> you just give contacts for the passwords with which you have received a 
> new one.
> 
> each potential person that can send email to your email address, gets a 
> unique password from you.

You missed the point.  How does person37 at gmail.com ask me for a password, if
I don't accept his e-mail without one? (Hold this thought, we'll be back to this)

> sending person/maillist 1 gets password abcdefg to send to bla at example.com 
> (no matter from which email address)
> 
> sending person/maillist 2 gets password 123545 to send to bla at example.com 
> (no matter from which email address)

And if I've assigned 123545 to duct-tape-2010 at yahoo.com, but he's since moved
to clawhammer101 at gmail.com, how do I securely notify him of the new password,
keeping in mind that I'm probably changing the password *because the enemy
already has access to the old password*? "Hey Joe - somebody has enough access
to your system to get 123545 - so use fuzzy-wombat instead".  What's wrong with
this picture?

With 140 million compromised boxes where sending the new password is basically
e-mailing to the enemy, and the scheme leaking new passwords to boot, "revoke and
issue a new credential" simply doesn't scale.

In other words, the only sane response is "revoke and don't bother setting new
one". At which point the person has to contact me and ask for a new password.
"Hey, this is duct-tape-2010, my password doesn't work, give me a new one".
Given that his old password doesn't work because I revoked it when a spammer
got hold of it, how do I know that I'm not giving the new password directly to
the spammer and the esteemed Mr Tape has no idea any of this happened?

Further discussion probably belongs on SPAM-L.
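The per-sender password scheme and the revocation problem the reply describes, as an added example that is not part of the original post or thread: a toy Python model of a mailbox that accepts mail only when it carries a currently valid per-sender token (source address ignored, as in the proposal), then walks through "revoke and issue a new credential" when the correspondent's mailbox is already readable by the attacker. The `Mailbox` class, the labels and all addresses are constructed for illustration.

```python
# Added example, not from the NANOG thread. Models the per-sender token
# scheme and the revoke/reissue problem discussed above. All addresses,
# labels and the Mailbox class are constructed for illustration.
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Mailbox:
    """Accepts a message only if it carries a currently valid per-sender token."""
    owner: str
    tokens: Dict[str, str] = field(default_factory=dict)  # token -> label it was issued to
    revoked: Set[str] = field(default_factory=set)
    inbox: List[Tuple[str, str, str]] = field(default_factory=list)

    def issue(self, label: str) -> str:
        """Hand out a fresh token for one correspondent/list (the 'abcdefg' of the proposal)."""
        tok = secrets.token_urlsafe(8)
        self.tokens[tok] = label
        return tok

    def revoke(self, tok: str) -> None:
        """Kill a token once it shows up on spam."""
        self.revoked.add(tok)
        self.tokens.pop(tok, None)

    def deliver(self, sender: str, tok: Optional[str], body: str) -> bool:
        """The filter: the envelope sender is irrelevant, only the token is checked."""
        if tok is None or tok not in self.tokens:
            return False
        self.inbox.append((self.tokens[tok], sender, body))
        return True


def unauthenticated_request_accepted(box: Mailbox) -> bool:
    """A stranger asking for a password has no token yet, so the request itself is dropped."""
    return box.deliver("person37@gmail.example", None, "may I have a password please?")


def reissue_scenario() -> Dict[str, bool]:
    """Revoke a leaked token and reissue by e-mail to the old address.

    Assumption (constructed): the attacker can read the correspondent's mailbox,
    which is how the old token leaked in the first place, so the notification
    carrying the replacement token is readable by the attacker as well.
    """
    box = Mailbox("bla@example.com")
    joe_tok = box.issue("joe")
    attacker_knows: Set[str] = {joe_tok}  # harvested from Joe's compromised mailbox

    spam_with_old = box.deliver("random@spam.example", joe_tok, "buy pills")

    box.revoke(joe_tok)
    spam_after_revoke = box.deliver("random@spam.example", joe_tok, "buy pills")

    # "Hey Joe, use fuzzy-wombat instead": the new token travels over the same
    # channel the attacker already reads, so it is leaked the moment it is sent.
    new_tok = box.issue("joe")
    attacker_knows.add(new_tok)
    spam_with_new = box.deliver("random@spam.example", new_tok, "buy pills")

    joe_still_works = box.deliver("clawhammer101@gmail.example", new_tok, "hi")

    return {
        "spam_with_old_token_accepted": spam_with_old,
        "old_token_after_revoke_accepted": spam_after_revoke,
        "attacker_has_new_token": new_tok in attacker_knows,
        "spam_with_new_token_accepted": spam_with_new,
        "joe_with_new_token_accepted": joe_still_works,
    }


if __name__ == "__main__":
    for k, v in reissue_scenario().items():
        print(f"{k}: {v}")
    print("stranger can even ask:", unauthenticated_request_accepted(Mailbox("bla@example.com")))
```

The model makes the two objections concrete: a sender with no token cannot get a request through the filter at all, and a reissue sent to a mailbox the attacker already reads leaves the attacker exactly as able to send as before the revocation, while the mailbox owner gains no way to tell Joe's "my password doesn't work" from the spammer's.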


More information about the NANOG mailing list