Vulnerability Development mailing list archives

Re: things to break..


From: shok () MOKIMAKI ETHEREAL NET (Matt Conover)
Date: Mon, 24 Jan 2000 03:17:01 -0800


Well, I have no affiliation with Napster Inc., but I do know what they
were trying to do.  The idea was to allow people to use napster behind a
firewall.  This isn't really an issue; the RealPlayer (RealAudio from
RealNetworks) does the same thing.

The source wasn't available because they were worried about
competition.  I disagreed with this and I told him they should release
it.  Nevertheless, a free client for Linux is available
(gnome-napster) which includes source.  There are also mailing lists that
are working on developing a free napster server (independent of Napster
Inc.).

On Mon, 24 Jan 2000, Jeff Bachtel wrote:

Napster has a "feature" where it will decide the proper port on which
to operate, especially if you are behind a firewall.

Therefore, their server scans you, and ports that you are reachable on
(but which are not actually running a service on your machine) are
pegged as useable by napster for serving mp3's.

This is obviously a problem, Napster found out that my NT workstation
could be reached on port 80 through a campus firewall, and proceeded
to set itself up in that configuration, however that is definitely
against our firewall policy (no, I don't expect napster to read minds,
just to be more explicit about what it's doing and why).

I haven't looked at the code for the linux napster client yet (is it
even freely available?), but if they don't submit their code and
protocol for peer review, I at least won't be using their product
(being more than aware what has happened due to Mirabilis' approach to
security through obscurity)

jeff

On Sun, Jan 23, 2000 at 10:55:09PM -0600, Matthew S. Hallacy wrote:
speaking of napster, it seems that it portscans you upon connection to
their server, the firewall where i work kept setting off my pager and I
found that it was someone loading napster. I've since banned the use of
it, but it's still quite curious..

On Sun, 23 Jan 2000 Inedag () AOL COM wrote:

since we're on the topic, how about napster?  that's in use by a bazillion
people .. although i don't know how fair that'd be to the napster people, as
i think they're still in beta.  just a suggestion.

-i


