How $20 and a lapsed domain allowed security pros to undermine internet integrity

While trying to escape the Las Vegas heat during Black Hat last month, watchTowr Labs researchers decided to poke around for weaknesses in the WHOIS protocol. During that effort, they found, or so they claim, a way to undermine certificate authorities, which the world trusts to keep the internet safe by verifying the identity …

  1. Kevin Johnston Silver badge

    All too common approach to projects here

    I would bet a round of drinks that every El Reg reader has been involved in a project where, if you can show the new 'current state' matches the desired end state, then this has been treated as the project being complete. Never mind all those old bits of hardware/software; they will all fall away soon enough once people go through a hardware refresh, because who would not update their pointers to the super new ones?

    I would also suspect that a number of you have spent months trying to close out old domains etc. where the person who 'owned' them within the company left multiple years ago and nobody since has had the courage to kill them off, since 'someone may still be using them'. I know that all the change management processes I have suffered require positive approval from an owner and rarely can cope if said owner is no longer available.

    1. Pascal Monett Silver badge

      Re: someone may still be using them

      I've heard that argument more times than I care to count.

      Kill the server. Wait for complaints.

      1. elsergiovolador Silver badge

        Re: someone may still be using them

        If there is a service that is used once or twice a year, but is collecting and crunching data every day, then one day you have an important angry person (that you have never heard of) coming to ask why they cannot log in to do their end of year reports, and where is the data?

        Now it is a pickle, how to generate months' worth of data if other services only keep aggregate numbers.

        1. Gene Cash Silver badge

          Re: someone may still be using them

          Not really. If the server is THAT important, at least put a fucking label on it. Your lack of professional communication is not my problem.

    2. UnknownUnknown Silver badge

      Re: All too common approach to projects here

      I’m sure the bean counters revelled in the $20 saving.

  2. Sorry that handle is already taken. Silver badge

    As always

    There is, of course, an XKCD for this (loosely): Dependency.

  3. CowHorseFrog Silver badge

    It's funny how Jehovah didn't tell the watchtower about typos and how it might be useful to buy typo domains.

    1. Yet Another Anonymous coward Silver badge

      I think the original.yhwh domain is still authoritative but he does get a little tetchy if people use the full name

      1. Empire of the Pussycat

        Use of the full name results in delivery of lightning packets using rfc3251


    2. Anonymous Coward

      or maybe that's why they rebranded to JW.ORG ?

      1. CowHorseFrog Silver badge

        But, but, I thought Jehovah talked to watchtower every week giving them the content for the next mag.

        1. Anonymous Coward

          He does the motoring column - but keeps speaking about his own accord

  4. tim 13

    Why did they change anyway?

    Wondering what the reasoning for changing domain was? And did they have a mechanism for telling everyone using it to update?

    1. simkin

      Re: Why did they change anyway?

      Telling who? It's not like you sign up for a mailing list when you write a whois client or otherwise query whois.

  5. TimMaher Silver badge

    Hendrix. WatchTower

    All along the watchtower

    Princes kept the view

    While all the women came and went

    Barefoot servants, too

    Well, uh, outside in the cold distance

    A wildcat did growl

    Two riders were approaching

    And the wind began to howl, hey…

  6. Anonymous Coward

    A nation-state group from Russia or China :o

    > meaning a nation-state group from Russia or China could

    You were doing so very well up to now.

  7. MiguelC Silver badge

    Re: "Just the [.]gov addresses alone belonged to America, Argentina, Brazil, (...)"

    You do know that Argentina and Brazil are also part of America, don't you? Ah, you meant the "US of America"...

    1. DS999 Silver badge

      Re: "Just the [.]gov addresses alone belonged to America, Argentina, Brazil, (...)"

      When they are listing Argentina and Brazil separately from America, the meaning was completely obvious to everyone but the most ridiculously pedantic.

      1. Claptrap314 Silver badge

        Re: "Just the [.]gov addresses alone belonged to America, Argentina, Brazil, (...)"

        Are you new around here?
