Xref: utzoo alt.security:737 comp.protocols.tcp-ip:11529 alt.sys.sun:938 Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!usc!jarthur!petunia!unmvax!sci.ccny.cuny.edu!cucard!dasys1!cooper!phri!sci.ccny.cuny.edu!rpi!zaphod.mps.ohio-state.edu!samsung!umich!srvr1!ant.engin.umich.edu!fozzy From: fozzy@caen.engin.umich.edu (Eric Wines) Newsgroups: alt.security,comp.protocols.tcp-ip,alt.sys.sun Subject: Re: anonymous ftp, and the dangers thereof Message-ID: <1990Apr24.134102.3664@caen.engin.umich.edu> Date: 3 Jun 90 09:46:57 GMT References: <2616@husc6.harvard.edu> <1990Apr19.205930.15589@caen.engin.umich.edu> <2672@husc6.harvard.edu> Sender: news@caen.engin.umich.edu (Mr. Usenet) Organization: University of Michigan Engineering, Ann Arbor Lines: 39 In article <2672@husc6.harvard.edu> kovar@popvax.uucp (David C. Kovar) writes: >In article <1990Apr19.205930.15589@caen.engin.umich.edu> fozzy@caen.engin.umich.edu (Eric Wines) writes: >>I think you are quite wrong. To be on the internet these days your >>system had better be secure. Your login accounts had better have good >>passwords, your ftp had better be secure, etc. It would extremely trivial >>to query every entry in /etc/hosts for ftp version information. >>If it is really a hole don't you think there are hacker's that have >>exploited it? >> Would I be wrong to tell a co-worker that some idiot sysadmin at bozo.com >>has root wide open without a password (just an example). > > So, if in the course of my normal, legal wanderings around the Internet >I find that your machine has a security flaw I should immediately post >to alt.security saying "Machine X has a security flaw Y and this is how >you exploit it?" I sincerely hope that this is not what you mean. Of course not. I wouldn't suggest that you should point out specific flaws at specific sites. When discussing something like ftp, I don't think it's a big deal to pick a host at random out of /etc/hosts and use it as an example. Obviously you're not going to mention how to crack the host. Showing the login information and saying something like "this version of ftp is three years old, people are still running old versions of ftp and many of these are not entirely secure" just isn't a big deal to me. Pointing out an excellent example of a well known hole that has been ignored by a large (?) number of sites is a good thing. > Yes, you should keep your machine as secure as possible if you're going >to attached yourself to a public network. I've no problems at all with >that. But if you discover a hole in my system and tell everyone else before >you tell me about it, I am going to be quite upset. And, if breaking into >my system is illegal, and you are party to an illegal act by passing >on that information, then you've also just broken the law. I think you're stretching things a bit. Certainly a list of systems and their security weaknesses isn't going to be posted (well, at least not on Usenet. I'm sure it's common on BBS's with cracking information). I think it would be very interesting to write some shell scripts to gather *statistical* information about fairly blatant security weaknesses on internet hosts, but I'm sure not going to do it.