Bugtraq mailing list archives
Re: W-Land: READ THIS NOW -- telnet sci.dixie.edu 1 (fwd)
From: weave () hopi dtcc edu (Ken Weaverling)
Date: Sat, 9 Sep 1995 06:04:18 -0400
On Fri, 8 Sep 1995, Mandar M. Mirashi wrote:
---------- Forwarded message ---------- Date: Thu, 7 Sep 1995 16:50:56 -0400 From: Ken Weaverling <weave () hopi dtcc edu> telnet sci.dixie.edu 1 | sh The script builds an executable IRC client, real nice for the novice to set up IRC on their own. While that alone bothers me enough, part of the script emails the author some *interesting* information about your system, including the NIS domain name.
Although the original poster is right about the dommainname being returned, he neglected to mention _where_, _how_ and _why_ this command was being used. This command is used in conjunction of several other checks to return the closest IRC server to the site. If you check the script
Fine -- but -- we are talking about the NIS domainname, which is not always (nor should be) equiv to the DNS domainname. The NIS domainname has nothing to do with the nearest server. Revealing the NIS domainname can be a security problem, hence my post.
Anyway, posts such as these prompted me to put up a disclaimer in the script to use it at your own risk. This is a _free_ service that I provide to the Internet community, and hundreds of people have benefitted from it over the years. There are a lot more vicious(and obfuscated) things a person can do if disguising backdoors in C code. The crux is, you have to trust _somebody_ _somewhere_ when downloading software from ftp sites, or installing irc using this service. Of course, the best solution is not to trust anyone and pore through the code yourself.
Thank you for explaining. I do have some suggestions. First, you should do a `which irc` or something to see if it is already installed. We already have it on the system. I had at least two students so far chew up megabytes of disk space installing this without looking first (first semester, must have come here from a more oppresive University next door and just assumed we don't have it :-) Second, it's too easy. This may be a religious issue, but a user that has to know enough to ftp an archive, unzip it, set it up, etc, should also know enough of what is going on to know its source code and the dangers. It is too automated and prime for abuse. Port 1 doesn't matter, you could set up numerous machines without special privileges to run port 1. Third, I appreciate your explanation but for the reasons about the "dangerous" bit you explain, I agree. I don't like users installing stuff. I try and be open as much as possible and install whatever they want, including MUD clients, or whatever. I can't stop them, but this makes it too easy. A weak argument perhaps. I certainly don't want a draconian policy of no binaries in user accounts either. Ouch... Finally, zap the domainname command out of the script. It's not reliable for what you want to do anyway.
I do wish that Ken had at least cc'ed me a copy of this post when sending it to a list that I do not subscribe to :-( Please cc me at mmmirash () mailhost ecn uoknor edu if there are followups.
Yes, I apologise. The beginning of semesters are a bit hellish, with new students "testing the waters" for the first week or so seeing how much they can get away with. I saw the NIS domainname (which I still object to) and freaked a bit. It's tough being me, no one understands my sorrows! :-)
Current thread:
- Re: W-Land: READ THIS NOW -- telnet sci.dixie.edu 1 (fwd) Mandar M. Mirashi (Sep 08)
- Re: W-Land: READ THIS NOW -- telnet sci.dixie.edu 1 (fwd) Ken Weaverling (Sep 09)