Xref: utzoo alt.security:727 comp.protocols.tcp-ip:11522 alt.sys.sun:931
Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!usc!snorkelwacker!think!sdd.hp.com!uakari.primate.wisc.edu!ames!haven!aplcen!unmvax!sci.ccny.cuny.edu!cucard!dasys1!cooper!phri!sci.ccny.cuny.edu!rpi!zaphod.mps.ohio-state.edu!samsung!umich!srvr1!maize.engin.umich.edu!fozzy
From: fozzy@caen.engin.umich.edu (Eric Wines)
Newsgroups: alt.security,comp.protocols.tcp-ip,alt.sys.sun
Subject: Re: anonymous ftp, and the dangers thereof
Message-ID: <1990Apr19.205930.15589@caen.engin.umich.edu>
Date: 3 Jun 90 07:25:23 GMT
References: <2616@husc6.harvard.edu>
Sender: news@caen.engin.umich.edu (Mr. Usenet)
Organization: University of Michigan Engineering, Ann Arbor
Lines: 33

In article <2616@husc6.harvard.edu> chrome@hscfsas1.UUCP (David C. Kovar) writes:
>In article emv@math.lsa.umich.edu (Edward Vielmetti) writes:
>>ftpd identifies itself in the login banner like so:
>>
>>220 xxxxxxxxxxxxxxxxxxxxxxx FTP server (Version 5.55 Tue Apr 17 20:44:35 EDT 1990) ready.
>>
>
> I am not up on which versions of FTP are currently vulnerable but it
>strikes me as quite irresponsible to use actual host names in an example.
>If nothing else, you're going to get some people FTPing to it just to
>see what the scoop is. (I just did to see if you really were using an
>actual example.)
>

I think you are quite wrong. To be on the internet these days your
system had better be secure. Your login accounts had better have good
passwords, your ftp had better be secure, etc. It would be extremely
trivial to query every entry in /etc/hosts for ftp version information.
If it is really a hole don't you think there are hackers that have
exploited it? Would I be wrong to tell a co-worker that some idiot
sysadmin at bozo.com has root wide open without a password (just an
example)?

My company is not on the internet. We may be in the near future. If
this is to happen things will have to be *extremely* secure on the
machine that connects. I have co-workers who don't really know what the
internet is expressing concern about security in the face of the
possibility of connecting to it (from what they hear on the news).

I think being on the internet is like having a home phone. Anyone can
call you at any time, even at 4AM. You can unplug your phone but that's
not really a solution. You can get an answering service for a phone to
keep people from bugging you, but for the internet, your system should
be secure or you'd better not care.