Xref: utzoo alt.security:2046 comp.unix.admin:1442 news.admin:13021 comp.unix.internals:2463
Path: utzoo!utgpu!cs.utexas.edu!uunet!unhd.unh.edu!msel.unh.edu!rg
From: rg@msel.unh.edu (Roger Gonzalez)
Newsgroups: alt.security,comp.unix.admin,news.admin,comp.unix.internals
Subject: Re: in.telnetd
Message-ID: <1991Mar31.175455.23513@unhd.unh.edu>
Date: 31 Mar 91 17:54:55 GMT
References: <14471@life.ai.mit.edu>
Sender: usenet@unhd.unh.edu (USENET News System)
Organization: UNH Marine Systems Engineering Laboratory
Lines: 26
Nntp-Posting-Host: msel.unh.edu

In article <14471@life.ai.mit.edu> fidelio@geech.gnu.ai.mit.edu (Rob J. Nauta) writes:
>About three weeks ago I wrote a program that listens along with in.telnetd
>and manages to read the username and password by using some tricks.
>I sent the program to SUN and CERT, who have rushed out new versions
>for SunOS. But apart from a 'we have received your mail and will forward it
>to someone' absolutely no news, mail, nothing about this.
>So, I want to know, what's up ? Has anyone heard anything ?
>
>Greetings, Rob

I got a notification from CERT about it and patches were put in uunet's
sun-dist directory, among other places.

This brought to light one of my chief beefs about CERT: they just say
that there is a hole, and where to get something to fix it. I get queasy
when CERT says "quick - go replace your in.telnetd" without any explanation
of where the hole is.

To get on the CERT mailing list, you're supposed to be root at a site, but
I see CERT bulletins posted all over the net! What's the point in having
a semi-secure list to find out about security holes when all you get is
a watered down alert that gets posted -everywhere-?

Harumph.

--
"The question of whether a computer can think is no more interesting than
the question of whether a submarine can swim" - Edsger W. Dijkstra
rg@[msel|unhd].unh.edu | UNH Marine Systems Engineering Laboratory
r_gonzalez@unhh.bitnet | Durham, NH 03824-3525