[38007] in North American Network Operators' Group


Re: EMAIL != FTP

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Sat May 26 19:45:42 2001

Message-Id: <200105262343.f4QNhH124990@foo-bar-baz.cc.vt.edu>
To: Mitch Halmu <mitch@netside.net>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Sat, 26 May 2001 19:23:16 EDT."
             <Pine.SOL.3.91.1010526190821.2647b-100000@sunny.netside.net> 
From: Valdis.Kletnieks@vt.edu
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_1787518400P";
	 micalg=pgp-sha1; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Sat, 26 May 2001 19:43:17 -0400
Errors-To: owner-nanog-outgoing@merit.edu


--==_Exmh_1787518400P
Content-Type: text/plain; charset=us-ascii

On Sat, 26 May 2001 19:23:16 EDT, Mitch Halmu said:
> Did I happen to mention MAPS in my post? I didn't. The argument was made
> for ORBS, or any FOREIGN entity that blocks North American networks.
> ORBS fans in this country will have lots of explaining to do and hell to 
> pay if any foreign entity exploits this weakness to attack US interests
> in an international incident.

For those who read Computerworld, a co-worker of mine was quoted on page 1
of the May 21 issue, saying "You can expect to see major liability lawsuits
in the next 18 months or so".  Better install those IIS patches *NOW* -
I'm more concerned about a lawyer attack than an international terrorist
attack....

OK.. so a hostile site *could* use DNS cache poisoning or hack the
ORBS DNS servers to screw up your e-mail.  On the other hand, you have
the *EXACT* same vulnerability for *ANY* use of DNS.  So unless you're
using /etc/hosts exclusively, you have *bigger* problems if faced by a
determined adversary.  Frankly, if *I* were a determined adversary, the
site's use of ORBS would be the least of their problems.

I don't know.. maybe the foreign terrorists are like the Three Stooges - they
DID catch the guys who bombed the World Trade Center when one of them tried
to get back the deposit on the now-destroyed truck.....

For bonus points - if anybody is both paranoid and anal-retentive enough
to care about this sort of thing, I presume you *HAVE* edited your DNS
cache hints to only include root name servers that are located on US soil,
and reachable entirely by communications links that do not take a loop
through non-US territories.

There *will* be hell to pay if foreign terrorists take over a root name
server that's outside the US, after all....
-- 
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech


--==_Exmh_1787518400P
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Exmh version 2.2 06/16/2000

iQA/AwUBOxA/lXAt5Vm009ewEQL3TQCgniX4SUpYlttDk8QUdOxFza3J00MAoIp4
FO4bnEw/u3NkG2+yBM0GeQc5
=/4QK
-----END PGP SIGNATURE-----

--==_Exmh_1787518400P--

