From: imp@dancer.Solbourne.COM (Warner Losh)
Newsgroups: alt.security,comp.protocols.tcp-ip,alt.sys.sun
Subject: Re: anonymous ftp, and the dangers thereof
Message-ID: <1990Apr21.222928.24498@Solbourne.COM>
Date: 3 Jun 90 08:28:48 GMT
References: <6703@blake.acs.washington.edu> <1990Apr20.192233.4092@utzoo.uucp>
Organization: Solbourne Computer, Inc.
X-Local-Date: 21 Apr 90 15:29:28 PDT

In article <6703@blake.acs.washington.edu> mrc@Tomobiki-Cho.CAC.Washington.EDU (Mark Crispin) writes:
>... There are lessons to be learned, starting with the
>abolishment of /etc/passwd and user access to the encryption
>algorithm.

Sorry. There are too many passwd files out there to do this. Shadow files might help, but then again they might not. The algorithm for password encryption is well known and available via anonymous ftp from many sites. Even if it wasn't, you'd have to put something like this into the kernel, and we all know that /vmunix is world readable. That and a good disassembler would totally defeat whatever you just gained....

What is needed is a good guide to how to set up anonymous FTP correctly so that nobody can steal any real files.

Also, while we're on the subject: Remember what tftp gives the known universe. Access to all world readable files. Turn it off or restrict it at your site if you are connected to anything resembling the internet.

In article <1990Apr20.192233.4092@utzoo.uucp> henry@utzoo.uucp (Henry Spencer) writes:
>Ah yes, good old security-through-obscurity. Where have we heard that
>before? And it doesn't work. Never has, never will.

The only people that you will catch by this are the people too lazy to be inventive. And those are the people least likely to crack your system anyway.

>If OSI is the answer, what on
>Earth could be the question??

You really don't want to know .... :-)

-- 
Warner Losh imp@solbourne.com
Excuse me sir, this is a spot check. Can we see your clue please?
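The post asks for a guide to setting up anonymous FTP so that no real files can be taken, and warns that an unrestricted tftpd hands out every world-readable file. The script below is an added example, not part of the original post or of any vendor's ftpd, that audits the two things a site could check right away: whether ~ftp/etc/passwd carries real hashes (it should only hold '*' so ls can print owner names), whether the ftp tree contains world-writable directories or symlinks, and whether inetd.conf starts tftpd without a directory restriction. It assumes a BSD-style ~ftp layout (bin, etc, pub), SunOS/BSD inetd.conf field order, and a tftpd that takes -s to confine itself to one directory (the flag is an assumption; check your own tftpd man page). Ownership of ~ftp itself (root, not the ftp user) is not checked. The sample tree and inetd.conf it builds are constructed for the demonstration; the hash in them is made up.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits an anonymous-FTP
# area and an inetd.conf for the problems discussed above. Assumes a
# BSD-style ~ftp layout, SunOS/BSD inetd.conf field order, and a tftpd
# that accepts -s to restrict itself to one directory (assumption).

# Print one "FINDING: ..." line per problem found under the ftp home DIR.
audit_ftp_home() {
    dir=$1
    # 1. ~ftp/etc/passwd exists only so ls can map uids to names; every
    #    password field should be '*' (or empty), never a real hash.
    if [ -f "$dir/etc/passwd" ]; then
        awk -F: -v f="$dir/etc/passwd" \
            '$2 != "" && $2 != "*" { printf "FINDING: real hash for %s in %s\n", $1, f }' \
            "$dir/etc/passwd"
    fi
    # 2. World-writable directories turn the archive into a drop box.
    find "$dir" -type d -perm -0002 -print |
        sed 's|^|FINDING: world-writable directory |'
    # 3. Symlinks inside a chrooted area either dangle or point at copies of
    #    files that should not be there; either way, a misconfiguration.
    find "$dir" -type l -print |
        sed 's|^|FINDING: symlink inside ftp area |'
}

# Print a FINDING line if tftp is enabled in inetd.conf FILE without -s.
audit_inetd() {
    awk -v f="$1" '$1 == "tftp" {
        if ($0 ~ / -s( |$)/) print "NOTE: tftp enabled in " f ", restricted with -s"
        else print "FINDING: tftp enabled in " f " with no directory restriction"
    }' "$1"
}

# Count FINDING lines read from stdin.
count_findings() { awk '/^FINDING:/ { n++ } END { print n + 0 }'; }

# Constructed sample data for the demonstration (hash and paths are made up).
make_sample_ftp_area() {
    d=$1
    mkdir -p "$d/bin" "$d/etc" "$d/pub/incoming"
    chmod 755 "$d" "$d/bin" "$d/etc" "$d/pub"
    # Mistake 1: the site's real passwd copied into ~ftp/etc (fake hash).
    printf 'root:ab3Ks9mQ7zX2c:0:0:Operator:/:/bin/sh\n' > "$d/etc/passwd"
    printf 'ftp:*:14:50:Anonymous FTP:/home/ftp:/bin/false\n' >> "$d/etc/passwd"
    # Mistake 2: a world-writable incoming directory.
    chmod 777 "$d/pub/incoming"
    # Mistake 3: a symlink pointing out of the ftp area.
    ln -s /etc/passwd "$d/pub/site-passwd"
}
make_sample_inetd() {
    printf 'ftp\tstream\ttcp\tnowait\troot\t/usr/etc/in.ftpd\tin.ftpd\n' > "$1"
    printf 'tftp\tdgram\tudp\twait\troot\t/usr/etc/in.tftpd\tin.tftpd\n' >> "$1"
}

# Build the sample, audit it, and clean up.
demo() {
    tmp=$(mktemp -d)
    make_sample_ftp_area "$tmp/ftp"
    make_sample_inetd "$tmp/inetd.conf"
    audit_ftp_home "$tmp/ftp"
    audit_inetd "$tmp/inetd.conf"
    rm -rf "$tmp"
}
```

Run `demo` to see it against the constructed sample, or call `audit_ftp_home ~ftp` and `audit_inetd /etc/inetd.conf` on a real host. The checks use only `find -perm -0002`, `awk` and `sed`, so they run on an old BSD or SunOS box as well as on a modern system; the only vendor-specific piece is the `-s` test, which you should adjust to whatever your tftpd uses to restrict its root.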