- Newsgroups: comp.security.misc
- Path: sparky!uunet!ossi!dag
- From: dag@ossi.com (Darren Alex Griffiths)
- Subject: Re: unhappy about overloading finger
- Message-ID: <dag.712016415@ossi.com>
- Sender: news@ossi.com (OSSI Newsstand)
- Nntp-Posting-Host: nasty
- Organization: Open Systems Solutions Inc.
- References: <1992Jul24.100650.9235@nntpd.lkg.dec.com>
- Distribution: comp
- Date: Fri, 24 Jul 1992 22:20:15 GMT
- Lines: 27
-
- coar@Nephi.Enet.DEC.Com (Rodent of Unusual Size) writes:
-
- > So what's supposed to happen? I'm running a system with standard ULTRIX
- > (other than modified FTP), and all this does is a full finger of the
- > passwd file of the remote system. Is that the screwup? What should it do
- > instead?
-
- It's definitely a major screwup. This allows the pond scum who try and
- break into systems to get a list of all users and then attempt to crack the
- password for each of these users. Even worse, they can see who hasn't logged
- in for a while and try those accounts knowing that they may not be detected,
- or see what accounts have never been logged into and try them assuming that
- they were recently added and have a null or obvious password.
-
- Instead it should complain about the bogus user not existing.
-
-
- Cheers,
- --dag
- _______________________________________________________________________________
- Darren Alex Griffiths | dag@nasty.ossi.com
- Open Systems Solutions, Inc | (510) 652-6200 x139
- Fujitsu | Fax: (510) 652-5532
- 6121 Hollis Street | Berkeley is famous for two exports
- Emeryville, CA 94608-2092 | LSD and unix, this isn't a coincidence.
- _______________________________________________________________________________
-
-