1996-12-03 - Re: New payment scheme for Web access

Header Data

From: Mark Allyn 206-860-9454 <allyn@allyn.com>
To: asgaard@Cor.sos.sll.se (Asgaard)
Message Hash: 47de820fc662f6cf79f348012dda54afc6840b3eb2cd431b683cf8cb0389f4b0
Message ID: <199612030247.SAA20429@mark.allyn.com>
Reply To: <Pine.HPP.3.91.961202125243.16863B-100000@cor.sos.sll.se>
UTC Datetime: 1996-12-03 02:43:38 UTC
Raw Date: Mon, 2 Dec 1996 18:43:38 -0800 (PST)

Raw message

From: Mark Allyn 206-860-9454 <allyn@allyn.com>
Date: Mon, 2 Dec 1996 18:43:38 -0800 (PST)
To: asgaard@Cor.sos.sll.se (Asgaard)
Subject: Re: New payment scheme for Web access
In-Reply-To: <Pine.HPP.3.91.961202125243.16863B-100000@cor.sos.sll.se>
Message-ID: <199612030247.SAA20429@mark.allyn.com>
MIME-Version: 1.0
Content-Type: text/plain


Hello!

You say:

"...........  a very popular site could allow access only to domains
(....foo.bar) that have paid instead of blocking those who have not,
otherwise 'new' sites could circumvent it easily. On the other hand,
a proxy server inside of an allowed domain would circumvent the allowing
kind of scheme, at least for a while (until they found out about it).
Great opportunities for hacking wars.

Another payment scheme in use is to recieve passwords for closed
Web pages by voice phoning to an expensive number........."


First of all, if they block on domains; then it is only a matter
of stealing the domain. The DNS naming system is a joke for this.

Say, you want to steal my own domain; allyn.com so you can go into
the expensive pay per view web site which will allow allyn.com.

All you need to do is to change your DNS reverse lookup records
(the records which map your IP address to your name) so that
when the web site does a reverse DNS lookup at IP address
100.200.3.4 (or whatever your real IP address is); it will return
allyn.com. If you have your own name servers, this should be easy.
Further; knowing the lack of security at Internic; you could probably
go all the way and steal control of the actual domain.

The password method is a joke. A bunch of hackers get together
and chip in for the cost of one password. Then they share it.
Or, the could resort to the old fashioned social engineering
methods that have been long discussed in such forums as 2600
and other places.

Of course, this all is for discussion purposes only. You have your
own concience to live with. 

Can you really look at yourself in the mirror and sleep at night
knowing that  you stole something? I certainly can't. Once I accidentally
walked out of the corner store with a candy bar when I was a little
boy without paying for it. When I reached the house, I discovered that 
I had the candy bar in my hand and I **RAN** crying back to the store and
put it back on the shelf.

Mark





Thread