Message-ID: <68c6001e14b368c4660d76f8faad5f44@greatcircle.com>
Date: Thu, 23 Feb 2006 13:23:34 -0800
From: Elizabeth Zwicky <zwicky@...atcircle.com>
To: "Geoff Vass" <geoff@...zow.com.au>
Cc: <bugtraq@...urityfocus.com>
Subject: Re: Amazon phishing scam on Yahoo servers
On Feb 21, 2006, at 11:02 PM, Geoff Vass wrote:
> Surely someone, somewhere, has to take some responsibility for allowing
> domains to be created which are clearly and obviously bogus.
Working on a mail system transition for a national telecomm,
I worked with a consultant (like me, a US national at the time
based in yet another country) who claimed to have double-checked
the list of sites to be marked as internal (i.e., customers
of that national telecomm). When we pointed out that a good
20% of them were clearly bogus (a software error), as noted
immediately by the first person who saw email to their largest
competitor marked as internal, she said that she couldn't be
expected to know the details of local companies. Well, I dunno,
I thought if I knew who my client's largest competitor was,
and they advertised on all the busses, it shouldn't be that
difficult, really, but most importantly, the second domain on
the "internal" list was aol.com, which, you may note, is
a well-known US company unlikely to be buying its Internet
connectivity from a non-US telecomm.
Which is to say, wouldn't surprise me at all if I managed
to register a domain to George W. Bush at 1500 Pennsylvania
Ave. At a US registrar, even. Such errors are in my experience
more likely to be caught by software than by the humans who
ought to be good at it, because the human beings are too bored
or too uninterested.
Elizabeth Zwicky
zwicky@...h.org