Craigslist hacked?

Mark Andrews marka at
Tue Nov 25 01:00:05 UTC 2014

In message <FDF98A3E-6BDC-4D85-8826-B3B8DC6EC725 at>, George Herbert writes:
> > On Nov 24, 2014, at 4:18 PM, Randy Epstein <nanog at> wrote:
> >
> > Actually, he didn’t hack its records either.  He exploited a bug in
> ...returned a legit response plus a tacked-on glue record for
> anytime you queried his nameserver, which he tricked
> people into doing with mixtures of sending you mail, hitting open DNS
> servers with queries for his domain, and another thing I still don't want
> to talk about.
> Paul was more widely quoted and knew his BIND vulnerability better; he
> can always out-pedant me on this one.

More a protocol bug which led to DNSSEC, which allows you to accept
an answer from anywhere so long as it is signed and validates as
secure, which most of you have yet to deploy.

> I did get a few press quotes, though.
> Your fu is weak, Randyhopper.  Train harder!   ;-)
> George William Herbert
> Sent from my iPhone

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at
