Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Vista
Mother, May I?
Mark Rasch, 2008-01-23

"Mommy, can I have a cookie?"

Comments Mode:
Thanks Mark 2008-01-23
Andy S.
Mother, May I? 2008-01-23
Anonymous (1 replies)
Re: Mother, May I? 2008-01-24
Mark D. Rasch
You're overlooking some issues. 2008-01-23
Anonymous (2 replies)
Re: You're overlooking some issues. 2008-01-24
Mark D. Rasch
Re: You're overlooking some issues. 2008-02-14
Anonymous
Mother, May I? 2008-01-23
Erik N
Mother^H^H^H^H^H^H directory manager, May I? 2008-01-23
reiisi
OS utilities and public "keys" 2008-01-23
Ole Juul (1 replies)
Re: OS utilities and public "keys" 2008-01-28
Mark D. Rasch (1 replies)
Re: Re: OS utilities and public "keys" 2008-01-29
Jon Hash
Be careful what you ask for 2008-01-23
overshoot
Mother, May I? 2008-01-24
Thomas Downing (1 replies)
Internet as Commons 2008-01-28
Mark D. Rasch (1 replies)
Re: Internet as Commons 2008-01-29
Jon Hash (1 replies)
Re: Re: Internet as Commons 2008-02-01
Mark D. Rasch
Mother, May I? 2008-01-24
stacy
Not much of a cheese shop, is it? 2008-01-24
Mitch Smith (2 replies)
Re: Not much of a cheese shop, is it? 2008-01-28
Mark D. Rasch (1 replies)
Re: Re: Not much of a cheese shop, is it? 2008-01-29
Camambert
Re: Not much of a cheese shop, is it? 2008-01-29
Anonymous
Mother, May I? 2008-01-27
Anonymous (1 replies)
I usually agree with you Mark, but in this case I have to disagree.
Sierra's failure to properly secure their server cannot turn what would otherwise be a perfectly legal act into a crime. If Sierra had properly configured split horizon DNS, and left zone transfers enabled, then a zone transfer would have only returned information intended for the public. This would have included the information that David Ritz was probably looking for, but not the internal information that could be damaging to Sierra's security.

I also think it's moot as to whether this information was gathered through a zone transfer or a collection of DNS queries. Although a zone transfer will give you all the information quickly I don't think there's anything you get in a zone transfer that couldn't be retrieved via regular queries (Admittedly a lot of carefully crafted queries)

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/463/34887#34887
Re: Mother, May I? 2008-02-01
Mark D. Rasch
Mother, May I browse your public server? 2008-01-28
Anonymous (1 replies)
Re: Mother, May I browse your public server? 2008-02-01
Mark D. Rasch
It's Like a Phone Book 2008-01-30
danielc
Mother, May I? - WPAD hack appears to be legal 2008-02-01
Bertman
Mother, May I? 2008-02-07
Victor (1 replies)
Re: Mother, May I? 2008-02-07
Mark D. Rasch
Mother, May I?: Yet another real-world analogy, the court's homework, and ..."Microsoft itself"? 2008-02-09
Anonymous







 

Privacy Statement
Copyright 2007, SecurityFocus