Message-ID: <68c6001e14b368c4660d76f8faad5f44@greatcircle.com>
Date: Thu, 23 Feb 2006 13:23:34 -0800
From: Elizabeth Zwicky <zwicky@...atcircle.com>
To: "Geoff Vass" <geoff@...zow.com.au>
Cc: <bugtraq@...urityfocus.com> <bugtraq@...urityfocus.com>
Subject: Re: Amazon phishing scam on Yahoo servers



On Feb 21, 2006, at 11:02 PM, Geoff Vass wrote:

> Surely someone, somewhere, has to take some responsibility for allowing
> domains to be created which are clearly and obviously bogus.

Working on a mail system transition for a national telecomm,
I worked with a consultant (like me, a US national at the time
based in yet another country) who claimed to have double-checked
the list of sites to be marked as internal (i.e., customers
of that national telecomm). When we pointed out that a good
20% of them were clearly bogus (a software error), as noted
immediately by the first person who saw email to their largest
competitor marked as internal, she said that she couldn't be
expected to know the details of local companies. Well, I dunno,
I thought if I knew who my client's largest competitor was,
and they advertised on all the busses, it shouldn't be that
difficult, really, but most importantly, the second domain on
the "internal" list was aol.com, which, you may note, is
a well-known US company unlikely to be buying its Internet
connectivity from a non-US telecomm.

Which is to say, wouldn't surprise me at all if I managed
to register a domain to George W. Bush at 1500 Pennsylvania
Ave. At a US registrar, even. Such errors are in my experience
more likely to be caught by software than by the humans who
ought to be good at it, because the human beings are too bored
or too uninterested.

	Elizabeth Zwicky
	zwicky@...h.org


