chip@eniac.seas.upenn.edu (Charles H. Buchholtz) (06/26/91)
In article smoot@woodstock.berkeley.edu (Stephen [Steve] R Smoot) writes:
>This seems to be partially the same issue as whether randomly trying
>"guest" accounts is abuse. The problem is that some people offer services
>to the rest of the community, and there must be a way to get to them. Thus
>guest and anonymous ftp were created (Necessity being the mother of
>invention and all that.).
>
>There seem to be three kinds of sites:
> 1) ones with *publicly* available stuff they want *anyone* to use.
> 2) ones which want to export to *certain known users*.
> 3) ones with no interest in others contacting them/using their
>    resources.

It's not that testing every machine for anon-FTP or guest accounts is in itself abuse; it's that many people cannot imagine any motivation for doing so *except* abuse, so they consider it very suspicious, even incriminating, behavior.

First of all, it boggles my mind that people would actually ftp to an arbitrary list of sites to see if they had anonymous FTP. I can't see a person saying, "Hmmm, I wonder what games are available public domain. Guess I'll start ftping to every host and maybe I'll happen to hit a machine at random that happens to have anonymous FTP and happens to have games." It seems so much easier to find out where to look rather than searching blindly. I'm not saying that this is evil behavior; it just never occurred to me that anyone would ever do this.

It did occur to me, however, that people trying to break into machines might say, "OK, I know of common security holes in badly set up anonymous FTP and guest accounts. Highly visible sites probably have these plugged, but maybe there are some sites around that don't get accessed by "strangers" and don't worry about security. So I'll try every single site to see if I can find one that I can hack."

After reading this group for a while, I realize that some people actually do find anon-FTP sites by brute force trial and error. I still don't understand it, though.

Here's a true story: I used to work for a medium size academic department (call it "bar.edu"). Most of the machines were run by whichever research group used them, and I supplied support when they needed it. One day, someone from the military contacted us saying that "guest@foo.bar.edu" had been systematically trying to break into one of their computers. I contacted the sysadmin for foo.bar.edu who said, "We only have two accounts on that machine: root and guest. Guest has no password. The machine is only used to collect data from experimental devices; since no individual work is done on it, we don't need individual accounts. I realized that anyone could log into the machine, but why would they? Besides, how could they find out about it? I can't believe someone would go around trying every machine on the net looking for an open guest account."

I am posting as an individual, not as a representative of U. of P.

Charles H. Buchholtz
Systems Programmer
chip@seas.upenn.edu
School of Engineering and Applied Science
University of Pennsylvania