[comp.unix.admin] in.telnetd

fidelio@geech.gnu.ai.mit.edu (Rob J. Nauta) (03/31/91)

About three weeks ago I wrote a program that listens along with in.telnetd
and manages to read the username and password by using some tricks.
I sent the program to SUN and CERT, who have rushed out new versions
for SunOS. But apart from a 'we have received your mail and will forward it
to someone' absolutely no news, mail, nothing about this.
So, I want to know, what's up? Has anyone heard anything?

Greetings, Rob

mjohnsto@admin8779.shearson.com (Mike Johnston) (03/31/91)

In article <14471@life.ai.mit.edu> fidelio@geech.gnu.ai.mit.edu (Rob J. Nauta) writes:


   About three weeks ago I wrote a program that listens along with in.telnetd
   and manages to read the username and password by using some tricks.
   I sent the program to SUN and CERT, who have rushed out new versions
   for SunOS. But apart from a 'we have received your mail and will forward it
   to someone' absolutely no news, mail, nothing about this.
   So, I want to know, what's up? Has anyone heard anything?

   Greetings, Rob

No doubt you can expect the NSA to be knocking on your door in a matter of
minutes.

Greetings, NSA

--
Michael R. Johnston	mjohnsto@shearson.com || mjohnstonn@mcimail.com
System Administrator		UUCP:     uunet!slcpi!mjohnsto
Lehman Brothers Inc.		Phone:    (212) 640-9116
"Life is pain. Anyone who tells you different is trying to sell you something."

rg@msel.unh.edu (Roger Gonzalez) (04/01/91)

In article <14471@life.ai.mit.edu> fidelio@geech.gnu.ai.mit.edu (Rob J. Nauta) writes:
>About three weeks ago I wrote a program that listens along with in.telnetd
>and manages to read the username and password by using some tricks.
>I sent the program to SUN and CERT, who have rushed out new versions
>for SunOS. But apart from a 'we have received your mail and will forward it
>to someone' absolutely no news, mail, nothing about this.
>So, I want to know, what's up? Has anyone heard anything?
>
>Greetings, Rob

I got a notification from CERT about it and patches were put in uunet's
sun-dist directory, among other places.  This brought to light one of my
chief beefs about CERT: they just say that there is a hole, and where to
get something to fix it.  I get queasy when CERT says "quick - go
replace your in.telnetd" without any explanation of where the hole is.
To get on the CERT mailing list, you're supposed to be root at a site,
but I see CERT bulletins posted all over the net! What's the point in
having a semi-secure list to find out about security holes when all you
get is a watered down alert that gets posted -everywhere-?

Harumph.
-- 
"The question of whether a computer can think is no more interesting
 than the question of whether a submarine can swim" - Edsger W. Dijkstra
rg@[msel|unhd].unh.edu        |  UNH Marine Systems Engineering Laboratory
r_gonzalez@unhh.bitnet        |  Durham, NH  03824-3525

john@iastate.edu (Hascall John Paul) (04/01/91)

rg@msel.unh.edu (Roger Gonzalez) writes:

}To get on the CERT mailing list, you're supposed to be root at a site,
}but I see CERT bulletins posted all over the net! What's the point in

   While this may have made some sense in the old days of big centralized
sites, the concept of "root" is just about meaningless in the world of
workstations (esp. universities with hundreds of workstations out in
the hands of students).

john (one of a bucketload of "root@iastate.edu"s) hascall

pjg@acsu.buffalo.edu (Paul Graham) (04/01/91)

rg@msel.unh.edu (Roger Gonzalez) writes:
|To get on the CERT mailing list, you're supposed to be root at a site,
|but I see CERT bulletins posted all over the net! What's the point in
|having a semi-secure list to find out about security holes when all you
|get is a watered down alert that gets posted -everywhere-?
|
|Harumph.

since all cert advisories are available via anonymous ftp it would
seem there has been a misunderstanding.

-- 
pjg@acsu.buffalo.edu / rutgers!ub!pjg / pjg@ubvms (Bitnet)
opinions found above are mine unless marked otherwise.

wcs) (04/03/91)

In article <1991Mar31.175455.23513@unhd.unh.edu> rg@msel.unh.edu (Roger Gonzalez) writes:
]This brought to light one of my chief beefs about CERT:
]they just say that there is a hole, and where to
]get something to fix it.  I get queasy when CERT says "quick - go
]replace your in.telnetd" without any explanation of where the hole is.

It's not too bad a compromise between the obscurity method so
successfully practiced by some three-letter-acronym companies :-)
and just telling everyone the gory details which guarantees that
sites with inattentive sysadmins can be cracked by novices.
Sure, it's nice to know what's really going on, even if it's just
yet-another-telnetd-hole, but it's better to give people a chance to
fix it first.  It's a different case if you're talking about bugs
without known fixes, or bugs in equipment whose manufacturers
aren't responsive about releasing fixes.
-- 
				Pray for peace;		  Bill
# Bill Stewart 908-949-0705 erebus.att.com!wcs AT&T Bell Labs 4M-312 Holmdel NJ
"Don't Use Racist or Sexist Language" - Political Correctness Police Slogan
"Let's Beat Up That African-American" - Los Angeles Police Department Slogan