Sam Trenholme's webpage
This article was posted to the Usenet group alt.hackers in 1995; any technical information is probably outdated.

Re: What is the problem with Finger?


Article: 7544 of alt.hackers
From: ayman@ccwf.cc.utexas.edu (Ayman M. El-Khashab)
Newsgroups: alt.hackers
Subject: Re: What is the problem with Finger?
Date: 26 Mar 1995 23:05:37 GMT
Organization: The University of Texas at Austin, Austin, Texas
Lines: 54
Approved: God@heaven.com
Message-ID: 3l4s01$427@geraldo.cc.utexas.edu
NNTP-Posting-Host: slip-22-10.ots.utexas.edu
X-Newsreader: TIN [version 1.2 PL2]
Status: RO

-----BEGIN PGP SIGNED MESSAGE-----

marlowe (marlowe@io.com) wrote:

: : Finger was removed from the system by the administrators as a possible
: : security hole.

: So, I'll bite. Does anyone know what the security hole is in finger? I
: can understand not wanting to have anyone be able to finger in, but why
: wouldn't the admins want me to finger out?

It isn't really a hole per se, but you can often finger 0@machine.com and
it lists all of the users. It is VERY resource intensive, but that is
not the problem. The problem is that people often cat that to a file
and then they can see when everyone has logged in last. They are most
concerned with users that have never logged in.

Most places use the login name as the password until the user logs in
for the first time. So now the person has a login name and a pretty
good chance at a password. Once they get in once, they can set up
a .rhosts file and now they can log in to that person's account whenever
they want, even if the legit user changes his password.

By not allowing finger, nobody can see all of the users on the system.
But it is really a pain, if you want a public key or phone number or
something else.

VERYlameObHack
Using linux on my machine, no connection directly to the net, so I
use slip. Set up the mailer and edited and recompiled some of the
programs to make the mail and posts look like they are coming from
ccwf.cc.utexas.edu so that any responses will get to a 'true' mail
server and I can slip in and use linux to get them back from the
server as a popclient. Nothing fancy but it works.

- - Ayman


- --
_____________________________________________________________
For the Public Key, finger ayman@ccwf.cc.utexas.edu or WWW at
http://ccwf.cc.utexas.edu/~ayman/main.html
Why is it always easier to volunteer than to unvolunteer?
- -------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

-----END PGP SIGNATURE-----
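
An administrator's audit for the two conditions the post describes (accounts that have never logged in, and .rhosts files that keep working after a password change), as an added example that is not part of the original article. It assumes a passwd(5) file and saved output of Linux `lastlog`; the account names, hosts and paths in the fixture are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit for dormant accounts
# and .rhosts trust files. Inputs: a passwd(5) file and saved `lastlog` text.

# dormant_accounts PASSWD LASTLOG
# Accounts that have never logged in but still have a usable login shell.
dormant_accounts() {
    awk -F: 'NR == FNR { if ($7 !~ /(nologin|false)$/) shell[$1] = 1; next }
             FNR > 1 && /\*\*Never logged in\*\*/ {
                 split($0, f, " "); if (f[1] in shell) print f[1] }' "$1" "$2"
}

# rhosts_findings PASSWD
# One line per home directory holding a .rhosts: user:path:wildcard|present.
# "wildcard" means a line whose host field is a bare "+" (trust any host).
rhosts_findings() {
    while IFS=: read -r user _ _ _ _ home _; do
        [ -f "$home/.rhosts" ] || continue
        if grep -Eq '^[[:space:]]*\+([[:space:]]|$)' "$home/.rhosts"; then
            echo "$user:$home/.rhosts:wildcard"
        else
            echo "$user:$home/.rhosts:present"
        fi
    done < "$1"
}

# make_fixture DIR: constructed sample data so the script runs offline.
make_fixture() {
    mkdir -p "$1/home/alice" "$1/home/bob" "$1/home/carol"
    printf '%s\n' "daemon:x:1:1::$1/none:/usr/sbin/nologin" \
        "alice:x:1001:1001::$1/home/alice:/bin/sh" \
        "bob:x:1002:1002::$1/home/bob:/bin/sh" \
        "carol:x:1003:1003::$1/home/carol:/bin/sh" > "$1/passwd"
    printf '%s\n' "Username   Port   From        Latest" \
        "daemon                        **Never logged in**" \
        "alice      pts/1  192.0.2.11  Tue Mar 21 08:02:11 1995" \
        "bob                           **Never logged in**" \
        "carol      pts/2  192.0.2.12  Wed Mar 22 17:40:09 1995" > "$1/lastlog"
    echo "+ +" > "$1/home/alice/.rhosts"
    echo "trusted.example.org carol" > "$1/home/carol/.rhosts"
}

d=$(mktemp -d) && make_fixture "$d"
echo "never logged in, shell still usable:"; dormant_accounts "$d/passwd" "$d/lastlog"
echo ".rhosts files:"; rhosts_findings "$d/passwd"
rm -rf "$d"
```

On a live system, point the two functions at /etc/passwd and at the saved output of `lastlog`; accounts reported by the first are candidates for locking until the user sets a password.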


