[thelist] News Item: Major Security Flaw in CVS
Boris Mann
boris at bmannconsulting.com
Fri Jan 24 09:35:01 CST 2003
On Friday, January 24, 2003, at 10:03 AM, Jason Handby wrote:
>> But of course, everyone knew that telnet is *inherently insecure*, so
>> never used it for anything mission critical.
>
> But vendors were still shipping it! And if you ship something then some
> naieve user out there is going to use it... And it's not very
> comforting to
> turn to the vendor when you get hacked only to be told "oh, well even
> though
> we *shipped* telnetd as part of our operating system we didn't
> actually want
> anyone to *use* it..."
Ummm....I didn't want to get into this, but telnetd is *off by default*
in all major OS that I know of. So, they didn't want anyone to use it,
correct, so did the sane thing and kept it turned off.
And that's kind of the point....if you go ahead and use telnet *knowing
the protocol itself is insecure* then being hacked is inevitable -- you
didn't even bother to do the basic research that says the passwords get
sent in the clear.
Perhaps this bug wasn't found because the protocol/program itself
became very low priority? You're correct -- it wasn't sexy anymore,
because use had dropped off.
How many people are still looking for bugs in IE5?
--
Boris Mann
http://www.bmannconsulting.com
More information about the thelist
mailing list