Sam Trenholme's webpage
This article was posted to the Usenet group alt.hackers in 1995; any technical information is probably outdated.

Re: What is the problem with Finger?


Article: 7567 of alt.hackers
From: tms@tis.com (Tom Swiss)
Newsgroups: alt.hackers
Subject: Re: What is the problem with Finger?
Date: 31 Mar 1995 16:20:39 GMT
Organization: from, not for, Trusted Information Systems, Inc.
Lines: 28
Approved: "Ho! Ha-ha! Guard! Turn! Parry! Dodge! Spin! Ha! Thrust!"--Daffy Duck
Message-ID: 3lha4n$9g1@shemesh.tis.com
NNTP-Posting-Host: sol
Status: RO

ayman@ccwf.cc.utexas.edu (Ayman M. El-Khashab) writes:
>
>: So, I'll bite. Does anyone know what the security hole is in finger? I
>: can understand not wanting to have anyone be able to finger in, but why
>: wouldn't the admins want me to finger out?
>
>It isn't really a hole per se, but you can often finger 0@machine.com and
>it lists all of the users.
...
>Most places use the login name as the password until the user logs in
>for the first time. So now the person has a login name and a pretty
>good chance at a password.

     Sysadmins setting up login ids as passwords need to be shot.
...
>By not allowing finger, nobody can see all of the users on the system.

     Remember that the question was about fingering _out_. Removing the
finger command won't stop users from fingering people on other machines if
telnet is still around.  (See /etc/services.)

     The answer isn't to remove a valuable service, but to configure it
appropriately.

=Tom Swiss/tms@tis.com======"Born to die."=======Keep your laws off my brain!==
    "What's so funny 'bout peace, love and understanding?" - Nick Lowe
Machine-independent, adj:
      Doesn't run on any existing machine.


