Re: in.telnetd vulnerability??

From: stephen@acgroup.ucsc.edu
Date: 08/04/01 

Date: Fri, 3 Aug 2001 15:32:57 -0700 (PDT)
From: <stephen@acgroup.ucsc.edu>
To: Ryan Russell <ryan@securityfocus.com>
Subject: Re: in.telnetd vulnerability??
Message-ID: <Pine.GSO.4.31.0108031526390.5437-100000@cavecanem.ucsc.edu>

I am not sure I want to do anything except move towards ssh.
Granted there are vulnerabilites for sure.

On the other hand, I am assuming that telnet is more vulnerable
and more prevalent out of the internet. Therefore, it is the main
target of those who want to use the vulnerabilities to break in
or compromise systems.

What we gain from SSH is a 'more' secure system, not a fool proof
system.

I also think that moving towards ssh quickly will result in a reduction
of particular types of attacks that result from sniffers and just plain
known vulnerabilities.

It takes time to catch up and hack more secure communications systems,
although I will also state that complexity adds more doors that were
not see before to allow avenues of illicit entry.

It is an ongoing process and will probably will never be totally
secure.

Stephen Hauskins
Academic Computing Group
Natural Sciences Division

Omnia iam fient fieri quae posse negabam

On Fri, 3 Aug 2001, Ryan Russell wrote:

> On Fri, 3 Aug 2001, adam morley wrote:
>
> > as an admin, i dont think i would like to hide the fact that a session
> > has become insecure from the user. just too worried some other admin
> > would pop in and type in a root password and let it fly across the
> > internet in plaintext.
>
> You wouldn't be. People with a clue type ssh instead of telnet, and it
> behaves like it should. What you would be doing is hiding the fact that
> it is now sometimes secure from people who assume it is always insecure.
> Dunno, it might breed bad habits. Shrug.
>
> Ryan
>
>

Relevant Pages