Internic PGP Auth busted

requirement so that you can then change each one to CRYPT. [File away
that first response that has your encrypted password. I am told you don't
ever get it again.]

If you are lucky (?), the (A)ck/(N)ak NOTIFY message that goes to
the "other" contact might include your password. I saw my password,
as the admin contact for a domain, included in the NOTIFY
message that went to the technical contact; luckily it was
our own NOC.


PS. Thanks to everyone who responded to my query on overseas
telco provisioning, I will post one summary when the info
is complete.

I posted a rant about this to bugtraq almost a year ago. In the case
where it happened to me I was already annoyed because an update that had
been NAKed several times was applied when a single ACK was received over a
month later (sent by a former employee who happened to have the month-old
NOTIFY). And then when I called them to ask them WTF, they requested that
I fax them some letterhead to "prove" that I was who I said I was.

The fellow on the phone really had no idea how ludicrous that assertion
was. I'm afraid I lost my temper.

I put a tiny amount of effort into determining if there was anything
cryptographically secure in the NOTIFY. I suspect there wasn't -- but I
gave up before concluding that because their system was returning
responses up to a week later, and I didn't feel like pipelining my efforts
that much just to prove that the system was completely broken.

I've no idea if it's still this broken.


