Internic PGP Auth busted

Dean Gaudet dgaudet-list-nanog at arctic.org
Mon Feb 23 20:51:28 UTC 1998


I posted a rant about this to bugtraq almost a year ago.  In the case
where it happened to me I was already annoyed because an update that had
been NAKed several times was applied when a single ACK was received over a
month later (sent by a former employee who happened to have the month old
NOTIFY).  And then when I called them to ask them WTF they requested that
I fax them some letterhead to "prove" that I was who I said I was.

The fellow on the phone really had no idea how ludicrous that assertion
was.  I'm afraid I lost my temper.

I put a tiny amount of effort into determining if there was anything
cryptographically secure in the NOTIFY.  I suspect there wasn't -- but I
gave up before concluding that because their system was returning
responses up to a week later, and I didn't feel like pipelining my efforts
that much just to prove that the system was completely broken.

I've no idea if it's still this broken.

Dean

On Fri, 20 Feb 1998, Sanjay Dani wrote:

> 
> 
> > requirement so that you can then change each one to CRYPT.  [File away
> > that first response that has your encrypted password.  I am told you don't
> > ever get it again.]
> 
> If you are lucky (?), the (A)ck/(N)ak NOTIFY message that goes to
> the "other" contact might include your password. I saw my password,
> as the admin contact for a domain, included in the NOTIFY
> message that went to the technical contact, luckily it was
> our own NOC.
> 
> Regards,
> Sanjay.
> 
> PS. Thanks to everyone who responded to my query on overseas
> telco provisioning, I will post one summary when the info
> is complete.
> 
> ---------------------------------------------------------------
> Web Professionals, Inc.                Direct:  +1 408-863-4850
> 20111 Stevens Creek Blvd, Suite 145    Biz/NOC: +1 408-863-4848
> Cupertino CA 95014 USA             http://web.professionals.com
> ---------------------------------------------------------------
> -=- Your Outsourcing Partner for Website and Server Hosting -=-
> 
> 