Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!samsung!think.com!snorkelwacker.mit.edu!bu.edu!m2c!wpi.WPI.EDU!wpi!aej
From: aej@manyjars.WPI.EDU (Allan E Johannesen)
Newsgroups: comp.admin.policy
Subject: Re: Who do I complain to at CalTech about xnet.caltech.edu?
Message-ID:
Date: 28 Jun 91 14:31:50 GMT
References: <1991Jun28.012957.12871@menudo.uh.edu>
Sender: news@wpi.WPI.EDU (News)
Organization: Worcester Polytechnic Institute, Worcester, MA 01609-2280
Lines: 45
In-Reply-To: jet@navier.math.uh.edu's message of 28 Jun 91 01:29:57 GMT
Nntp-Posting-Host: manyjars.wpi.edu

>>>>> On 28 Jun 91 01:29:57 GMT, jet@navier.math.uh.edu (J. Eric Townsend) said:

jet> We've been having some break-in problems at UH, and I've had
jet> great success tracing things *until* recently, thanks to
jet> xnet.caltech.edu.

jet> This wonderful device (apparently some sort of terminal server)
jet> allows one to telnet in, and back out again, and provides *no*
jet> information to outside users. Traces to people on the other side
jet> of xnet.caltech.edu end at that device.

jet> Who can I talk to at CalTech about this device? It's obviously a
jet> gaping security hole as far as NSFnet is concerned, should I go
jet> to them? Or can I assume that this is just a new device put on
jet> line, and nobody's bothered to lock out incoming telnet sessions.

Is NSFnet concerned? If so, they have a lot of work to do.

We (located in Massachusetts) have had hackers use connections looped back from Annex servers as far away as Japan. If security is not enabled, an Annex server will let someone telnet to it and telnet right out again. I don't know how many Annexes have been sold to date, but I bet a giant percentage of them do not have this hole plugged; that's up to the random purchaser. (xnet is not an Annex, this is only an example)

What about MIT? They operate a terminal server which accepts phone calls and offers telnet. Your search would end there, too.

I don't operate a service like that, just because I don't have enough phone lines to give internet access away to everybody within the distance of a local call.

If you had been hacked from such a server, would you contact the local TelCo and tell them to put traces on the 30 or 40 lines (or however many) to the server for you and then wait for it to happen again?

There are uncountable holes like this. I don't bother with tracing, but rather with security. It's easier to force users to use reasonable passwords than it is to patrol the world.

Yes, I think crackers (the trendy word, leaving "hacking" to glorify "playing with computers") are criminals; even the kids, let alone the espionage types. But who has the time?

Perhaps you could install a router which filters all but the addresses you trust; then you could relax.