that multiple problems tend to fire me up a bit...
...at any rate, let me relay a tale to you about Notwork Solutions (domain registrar).
They are actually called "Network Solutions" (www.networksolutions.com), but I think
my moniker is more fitting...you'll see why in a minute...
The Pit originally had problems with our hosting provider (http://www.racesimcentral.net/)
but I won't go into that here...suffice it to say, they basically just packed up, couldn't
contact the admin or anything, and there we were, out to lunch.
However, the worse tale is why we STAYED offline for such a long time...
I initially transferred DNS control to the new nameservers for BHMS (www.bhmotorsports.com)
on June 4th, 2001. Thanks to Jacob and Pekka, they offered us up some space there to get
us going. However, on the first attempt to change the information, it basically didn't do anything.
I have my login set to CRYPT-PW (more on that later), and it refused to change any information,
even though I returned the email and everything else.
So, I called them up (Notwork Solutions). They promised to fix it, and did so. But, again it didn't
work. So, I called them up again. Apparently there was an error in the database, and they had to
manually change the information to make it work. This took about a week before it was figured out.
So, I'm waiting for he DNS servers to change...and...nothing happens! I go and check the whois
on Notwork Solutions, and the information appears to be right. HUH? So I call them back up.
After spending an half-hour on the telephone with someone I could barely understand, they said they
would fix the problem. I wait. and wait. and wait. Nothing. Again.
So, I call them up again (it takes 48 hours before you can really be sure that DNS changes have taken
place, as they may update the information once or twice a day, and the root nameservers (who run the
entire internet) may get that information slightly before it's posted, so you may not see changes for quite
some time. This time I get the same story...and again, I wait, and wait, and wait. Nothing.
So, after another 48 hours, I call them up again and this time I'm hopping mad. Not only are they not
fixing the problem, but they have a LOUSY phone service, I've been cut off I don't know how many
times, and most of the time I end up talking to people for whom English is a second language. No offense
to anyone here, and I'm not a bigot, but if you're going to have people on TELEPHONES for TECHNICAL
ASSISTANCE...GET SOMEONE YOU CAN TALK TO! Without repeating yourself 5 times...
They said they would send me to their 2nd level tech support. Do I get there? Ha! I get cut off again, and
it's too late to call back. So, I log in and attempt to change my domain info again. Again, it doesn't work.
I call them back the following week (it was a Friday on my last call). I tell them right up front that there is
ONLY one answer to my problem, and they had better not***it up. I want to talk to 2nd level tech
support, RIGHT NOW! So, after asking me some more stupid questions (I don't know why they bother
to give you tracking numbers, obviously they are tracking very little since they never seem to have a clue
as to what you called the PREVIOUS 5 times for...) They finally put me on to someone who said they
were a manager for 2nd level tech support. He says that he'll make it a priority job, and give me another
tracking number.
I sit around, hoping that this attempt to get things work will succeed. HA! Again, I sit around for 48 hours,
again the root DNS servers have the same information. No change. Now, let me make a comment here for
those of you who are familiar with DNS...the DNS servers on the BHMS were fine. The problem was that
while Notwork Solutions had updated their database, for some reason when they were submitting their information
to the root DNS servers, it was failing. This could be duplicated by running whois on other servers, as well
as attempting to do a traceroute to theuspits.com. Either it would come back as 'no such address', or attempt
to connect to the OLD nameservers...
So, I call them up again, give them the tracking number again, and they promise to fix it again. I don't hold
out any hope this time, but I wait another 48 hours, then I send them a message to their tech support on
email. I give them an ultimatum of 48 hours from the next morning of fixing my problem, or else I will
A) remove my domains from their control, B) post a message on my front page telling this story C) send
other messages out telling this story, and D) entertain taking them to court for loss of my address
48 hours later, and no change. So, I then remove my domains from their premises, type up this story,
and that's why we're here... ;] I don't plan to take them to court (even though I know I could do so),
as I just don't want the hassle. And even though this is the worst experience I've had with NS, it's not
the first...I've been on the phone to them many, many times before over problems that they caused...
So, you've been warned. And, before I sign off, let me expose a few other things about Notwork Solutions.
They claim they are secure? HA! Let me tell you, as a security professional, it would be SIMPLE to hijack
someone's domain who uses Notwork. Why? Well, let me tell you...
First off, let me quote two messages sent via BUGTRAQ (an international security mailing list)...
On CRYPT-PW, Peter Ajamian
"Discovering the original password from the encrypted form is made
magnitudes easier by the inclusion of the first two characters of the
password in the salt (proof of concept code follows at the end of this
message). Using the proof of concept code I was able to derive my own
six character password in less than one minute on an old Pentium 200 MMX
computer. A new 1ghz computer could easily crank out 6 char passwords in
mere seconds, 8 char passwords in a few hours, and a 10 char password
probably in a week to a month or better."
On PGP-Scheme, Len Sassaman
"When the owner of a handle account attempts to associate a PGP key with
his account, he is asked to do so by providing the "PGP KEY ID". However,
the input box only allows eight characters. v4 PGP keys (key generated
with PGP versions 5.x and greater, as well as GnuPG) have key-ids that are
64 bits long, rather than 32 bits. This is because of the well-known fact
that it is trivial to generate keys with a specific 32 bit key-id
(allowing duplication.) Search the archives for the DEADBEEF attack."
And finally, me...
The MAIL-TO scheme is completely inadequate, as it is SIMPLE for someone
to see your contact information by doing a who-is, then spoofing you, and changing
the information to theirs. And how then are you going to prove that you really didn't
make the changes? Not only that, but if you use the CRYPT-PW scheme, your CRYPT-PW
gets emailed to you in the return email!!!!!!!!! Anyone sniffing the traffic, or with a trojan
on your machine, could easily grab your CRYPT-PW without even trying!
So, you can see that your information and domain is completely INSECURE using
Notwork Solutions.
Some of you may feel that this is a vendetta email, and well, I'd by lying if I said that it
wasn't. However, I'm also sending this out to (hopefully) keep some of you from having
the same experience I had, or even worse, getting your domain stolen.
And probably some of the worse information on the whole deal is that one of the security
consultants on Bugtraq said he had informed Notwork about these insecurities in 1999.
They really seem to be on the ball...
So, what's the fix? Very easy...transfer your domain to another registrar. I changed mine
to Dotster (www.dotster.com) who incorperates an SSL session everytime you make a
change. So, your password and information is always encrypted during transmission, and
instead of having one of these stupid insecure 'schemes' to maintain your domain, you just
log in and make changes. Very easy. I'm not necessarily promoting Dotster, but I was
happy with the way their stuff worked.
At any rate, have a nice weekend! ...and hopefully The Pits really WILL be up when
everything gets transferred over to dotster...
Cheers!
--
?? Jan Kohl ??
SECURITY CONSULTANT
The Pits - http://www.racesimcentral.net/
Castle Graphics - http://www.racesimcentral.net/