Re: [Fwd: zone transfers, a spammer's dream?]
Alex Bligh wrote: The irony of all this is that spammers already have all this information -- yet registrars have gone out of their way to make it as difficult as possible for everyone else to get it (rate-limiting queries and so on). They clearly don't already have this information, or they wouldn't be a) offering to pay people for it b) continue to be trying to obtain it by data mining. There are lots of small-time spammers. Rest assured that the big fish already have access to most major zonefiles. Your argument is roughly equivalent to The irony of this is that drug dealers already have drugs -- yet governments have gone out of their way to make it as difficult as possible for everyone else to get them. Or Credit card fraudsters already have credit card numbers - yet credit card companies have gone out of their way to make it as difficult as possible for everyone else to get them. Drugs are bad. Domains aren't. For a certain value of aren't. Credit card numbers are all you need to commit fraud. Domains aren't. For a certain value of aren't. IE sure, there's a lot of leaked information out there (often including personal data), that doesn't mean responsible registries should add to it. Such as... selling access to the data to anyone who pays? No, responsible registries should of course not do this. - Kandra
Re: Change to .com/.net behavior
From: David Schwartz [EMAIL PROTECTED] Returning NXDOMAIN when a domain does not exist is a basic requirement. Failure to do so creates security problems. It is reasonable to require your customers to fix known breakage that creates security problems. I agree completely. However, this is a policy breakage, not a technical one. Strictly speaking, the com and net zones are perfectly valid, as far as DNS is concerned. While I too am outraged by the actions of Verisign, I've decided to NOT modify my servers in any way. I might decide to block the sitefinder IP, but I will not change my nameservers into modifying DNS responses. Doing so would be to break things, and that is not an acceptable fix even if the other thing is in itself broken. Of course, YMMV. - Kandra
Re: Change to .com/.net behavior
From: [EMAIL PROTECTED] While I too am outraged by the actions of Verisign, I've decided to NOT modify my servers in any way. I might decide to block the sitefinder IP, but I will not change my nameservers into modifying DNS responses. Doing so would be to break things, *You* cannot modify DNS responses, but it's okay for Verisign to do so? No. However they are NOT modifying DNS responses. The responses are perfectly valid results of having a wildcard in the zone. The thing is, they have decided to make ALL second level domains in the com and net zones exist, regardless of whether they are registered or not. This is a policy breakage that I'm not pleased with at all. It is, however, very important to realise the difference between breaking policy and breaking technology. - Kandra
Re: Verisign HOWTO
From: Chris Roberts [EMAIL PROTECTED] I've been asked to forward this here on behalf of Martin A Brooks [EMAIL PROTECTED]: http://www.hinterlands.org/ver/txt It's a 'How to get your IP block removed from the list that Verisign will reply with SiteFinder for'. AKA, click here to unsubscribe? - Kandra
Re: User negligence?
From: Sean Donelan [EMAIL PROTECTED] Unfortunately there are a lot, and growing number, of self-infected PCs on the net. As the banks point out, this is not a breach of the bank's security. Nor is it a breach of the ISP's security. The user infects his PC with a trojan and then the criminal uses the PC to transfer money from the user's account, with the user's own password. Banks use passwords for authentication? That's what scares me. Personally, I find it terrifying that banks allow such weak authentication as a password for financial transactions. To the best of my knowledge, all banks around here use a smartcard based system. It might be a bit more inconvenient, but the added security makes it well worth it, in my opinion. It may not be a breach of the bank's security as such, but the measures they take in order to protect their customers' money are in my opinion so low that, IMHO, they are the ones guilty of negligence. -Kandra
Re: User negligence?
From: Sean Donelan [EMAIL PROTECTED] Smartcard has become a marketing buzzword, and it's difficult to figure out what people are actually referring to. Sorry, wrong word. I was actually referring to SafeWord/SecureID/ActivCard type solutions, not ATM cards with a chip. Sorry for the confusion. -Kandra
Re: companies like microsoft and telia...
From: Paul Vixie [EMAIL PROTECTED]

route:217.208.0.0/13
descr:TELIANET-BLK
remarks: Abuse issues should be reported at
remarks: http://www.telia.com/security/
remarks: Mail to [EMAIL PROTECTED] will be auto-replied
remarks: and referred to the URL above.
origin: AS3301
mnt-by: TELIANET-RR
changed: [EMAIL PROTECTED] 20010508
source: RIPE
[...]

One would think they'd learn, after AOL blocked them. - Kandra
Re: Less than 2% of computer attacks on military are successful
From: jnull [EMAIL PROTECTED] But the article also says less than 2% of the attacks resulted in a successful intrusion. 2% would be an embarrassingly large success rate for intrusion on a secured military network. Not to mention the definition of attack the article seems to use. After all, a DoS or a probe doesn't actually result in an intrusion, even when they're successful. - Kandra
Re: COM/NET informational message
From: E.B. Dreger [EMAIL PROTECTED] BV Before IDNA, some application developers had developed BV proprietary mechanisms designed to support IDNs. The Internet UTF-8 is a standard. MS products have used two-octet chars to support Unicode for a long time. Any reason to add yet another encoding? UTF-8 is a character encoding standard, not a DNS-standard. DNS is not, and has not ever been 8-bit clean, despite the fact that many, if not most, implementations will survive UTF-8 labels. IDN(A) is an effort to encode Unicode into 7-bit DNS-labels, without breaking backward compatibility (too hard). While there originally were a few voices arguing for UTF-8 over the wire, they were few and the consensus today is that IDN(A) is a Good Way to Go(tm). How about encouraging widespread adoption of EXISTING standards instead of adding more cruft? UTF-8 is standard. Proper DNS implementations are eight-bit safe. People upgraded browsers due to SSL, Year 2000, Javascript... Or, how about encouraging widespread adoption of upcoming standards, such as IDN? http://www.ietf.org/html.charters/idn-charter.html Remember, DNS implementations may be 8-bit safe, but that doesn't prevent anything else from not being so. Domains are used in so much more than DNS, you know. =) Best regards, Kandra Nygards
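
Added example, not part of the original message: the difference between sending a label as raw UTF-8 and encoding it into a 7-bit label the IDNA way, checked against the letter/digit/hyphen rule that non-DNS consumers of domain names commonly enforce. It uses Python's standard-library "idna" codec; the sample name and the function names are constructed for illustration.

```python
import re

# LDH rule for a hostname label: letters, digits, hyphen, 1-63 octets,
# no hyphen at either end. This is what 7-bit consumers of names expect.
LDH = re.compile(rb"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

# Constructed sample name (u-umlaut in the first label), not from the thread.
SAMPLE = "b\u00fccher.example"


def is_ldh(label: bytes) -> bool:
    """True if the label is a plain 7-bit letter/digit/hyphen label."""
    return LDH.fullmatch(label) is not None


def compare_encodings(name: str):
    """Per label: (utf8 bytes, utf8 passes LDH, ACE bytes, ACE passes LDH)."""
    rows = []
    for label in name.split("."):
        raw = label.encode("utf-8")  # what "UTF-8 over the wire" would send
        ace = label.encode("idna")   # stdlib codec: nameprep + Punycode, "xn--" prefix
        rows.append((raw, is_ldh(raw), ace, is_ldh(ace)))
    return rows


def to_ace(name: str) -> str:
    """Whole name in its 7-bit form, usable wherever ASCII hostnames are expected."""
    return name.encode("idna").decode("ascii")


def from_ace(name: str) -> str:
    """Recover the Unicode form for display."""
    return name.encode("ascii").decode("idna")


if __name__ == "__main__":
    for raw, raw_ok, ace, ace_ok in compare_encodings(SAMPLE):
        print(f"utf-8 {raw!r:20} LDH={raw_ok}   idna {ace!r:20} LDH={ace_ok}")
    print(to_ace(SAMPLE), "->", from_ace(to_ace(SAMPLE)))
```

The raw UTF-8 label fails the 7-bit check even if a name server would carry it, while the encoded label passes and still round-trips to the Unicode form.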