Xref: utzoo alt.security:733 comp.protocols.tcp-ip:11528 alt.sys.sun:937
Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!usc!snorkelwacker!think!sdd.hp.com!uakari.primate.wisc.edu!aplcen!unmvax!sci.ccny.cuny.edu!cucard!dasys1!cooper!phri!sci.ccny.cuny.edu!rpi!zaphod.mps.ohio-state.edu!math.lsa.umich.edu!emv
From: emv@math.lsa.umich.edu (Edward Vielmetti)
Newsgroups: alt.security,comp.protocols.tcp-ip,alt.sys.sun
Subject: Re: anonymous ftp, and the dangers thereof
Message-ID:
Date: 3 Jun 90 09:23:39 GMT
References:
Sender: news@math.lsa.umich.edu
Organization: University of Michigan Math Dept., Ann Arbor MI.
Lines: 34
In-reply-to: emv@math.lsa.umich.edu's message of 19 Apr 90 00:46:00 GMT

In article I wrote:

> from ftpd(8):
>
> BUGS
>      The anonymous account is inherently dangerous and should be
>      avoided when possible.

I would estimate by a sampling of these banners that one host in 10 that
does anonymous FTP is vulnerable.

You log on to an anonymous FTP site and notice that their FTP appears
vulnerable. What do you do?

  1. nothing.
  2. break in and do something nasty.
  3. contact the system manager and let them know what's wrong.
  4. break in and leave a note to the system manager to let them know
     what's wrong.
  5. break in, leave a note to the system manager to let them know
     what's wrong, and install a fix.
  6. notify CERT and ask for further guidance.

Option 1 is easy, option 2 also. Option 3 requires tracking down a person
in charge; at worst you send mail to postmaster. I won't recommend
options 4 or 5, though I suspect that exercising them a couple of times
would trigger option 6.

Suggestions on the wording of the message to the system manager welcomed.

--Ed

Edward Vielmetti, U of Michigan math dept.
emv@math.lsa.umich.edu