[rt-devel] Following links offsite

Bruce Campbell bruce_campbell at ripe.net
Sat Feb 2 07:21:27 EST 2002 

On 1 Feb 2002, seph wrote:

> Bruce Campbell <bruce_campbell at ripe.net> writes:
>
> > As a real-life example, say that your neighbour mentions to his insurance
> > agent that you've been meaning to get insurance for ages.  Which call
> > would you like from the insurance agent?:
>
> equating ticket ID to account info is sketchy at best. ticket IDs are
> sent about in email, and generally treated as non-confidential
> information. I really wouldn't want that to change.

*sigh*.  You really miss the point.

> anyhow, knowledge of an account number, should not equate to
> authorization. sometimes companies get this wrong. there's no reason
> rt should.

RT is merely the tracking system.  Nothing more.  The tracking system
should not hand out, to third parties, information relating to an issue
which could be used via other mechanisms _outside the tracking system_ to
control the issue.

As I said in my previous mail, code to do this will be written, and my
employer at least will be using it.  ( Actually, I'd additionally argue
that we're required to do this as per 4.6 of RFC2050/BCP12 )

As for knowing the account number != authorisation, try the example below.

Farfetched?  Its happened a number of times that I'm aware of.  In all
cases, 'authorisation' was done simply by knowing the ticket number, and
convincing the issuer (Big Transit) that you were related to the problem.

-- 
                             Bruce Campbell                            RIPE
                   Systems/Network Engineer                             NCC
                 www.ripe.net - PGP562C8B1B                      Operations

	Big Transit: Hello small ISP, you are ticket #123456789, whats the
		problem?

	Small ISP: We have a DoS going on, and it seems to be originating
		from evildudes.com.  They've even been bragging about it
		at http://www.evildudes.com/attack/small-isp .

	Big Transit: ok, we'll take a look

		( follows link via tracking system, evildudes now have
		  knowledge of #123456789 and surmise that it's related
		  to Small ISP.  EvilDudes, being Evil(tm), decide to get
		  Big Transit to disconnect Small ISP merely by using
		  knowledge of the ticket number. )

	Big Transit: Hello there, whats your ticket number and name
		please?

	EvilDudes: We've got case #123456789.  My boss has delegated this
		to me, and I'm Joe Bloggs.

	Big Transit: Sure thing, I'll just update the ticket.  Ok, whats
		the current problem; that DoS still ongoing?

	EvilDudes: Unfortunately so, and we've found that our router is
		developing a fault from the traffic.  We've got the router
		guys looking at it, but until they fix it, we're going to
		use our backup link.  Do you mind just blackholing our
		link with you so the EvilDudes will give up?

	Big Transit: Oh my, sounds bad.  We can do that.  Say, I've
		noticed that our records indicate that your got Acme brand
		routers.  Do you want me to get our Acme contact to
		contact you?

	EvilDudes: They'll be onsite in about an hour, so we don't need
		you to do that.  Thanks for your assistance.

	Big Transit: My pleasure.  Give us a call when you've fixed the
		problem, and we'll re-enable the link.

More information about the Rt-devel mailing list