According to Network News (the UK rag) today, MI5, the Home Office, and
others don't use PGP signing at RIPE (the European Internet registry),
although its the only really secure method for updating records. So anyway,
I thought I'd look into it, and, well, its true (edited highlights follow):
www.mi5.gov.uk. 6715 IN A 128.98.11.23
inetnum: 128.98.0.0 - 128.98.255.255
mnt-by: QINETIQ-UK-MNT
mntner: QINETIQ-UK-MNT
auth: MD5-PW $1$tSMW1DGk$GIAERGLu5BwBUXabmYjvs1
I'm sure Qinetiq haven't been so foolish as to choose a guessable password
(after all, they've shown their IT expertise by the masterly handling of the
1901 Census website), but even so, their e-mail must contain the password in
plain text. Of course, if anyone out there runs their password cracker on
that and finds I'm wrong, I'd _love_ to hear about it.
Note: all data above is from publicly available sources.
Incidentally, the article suggests that some people are still using
MAIL-FROM auth, which is, frankly, astonishing. I can't be bothered to
track down who, though.
Ben http://www.apache-ssl.org/ben.html http://www.thebunker.net/
[PS. OK, I lied: I can be bothered. This is just too amazing:
www.gov.uk. 35656 IN CNAME www.ukonline.gov.uk.
www.ukonline.gov.uk. 283 IN A 195.33.102.13
inetnum: 195.33.96.0 - 195.33.127.255
mnt-by: AS12967-MNT
mntner: AS12967-MNT
auth: MAIL-FROM .*@att.nl
auth: MAIL-FROM .*@icoe.att.com
Yes, folks. The UK government's Website uses MAIL-FROM auth. And not even
.uk addresses!] [Ben Laurie via risks-digest Volume 22, Issue 14]
11:39
#
G!
