[plug] Incoming Telnet Priority

Bill Kenworthy billk at iinet.net.au
Fri Nov 23 18:34:06 WST 2001


On Fri, 2001-11-23 at 16:17, Steven Vertigan wrote:

> I hope there's more than what you just mentioned.  What has a machine's
> installed packages got to do with the capabilities of the package?  Not
> to mention most of the unices I've installed in recent times have had
> the ssh daemon set up by default and required manual installation (or
> activation) of the telnet server.  And no, installing a telnet server
> won't check ports of mail or anything else, who told you it would?  The
> fact you can access many tcp services with a telnet *client* has nothing
> to do with whether you should have a gaping security hole in your
> machine or not.
In the case of this argument, there is NO difference - if you use the
telnet protocol, including client and server, the password and content
are in plain.  No, the server won't check your mail, but the client is
using the same protocol.

>   As for allowing your company or any third party to monitor your
> connection yes, it'll do that, but not everyone would consider that a
> must-have feature.  If I was stuck behind such a firewall I would rather
> try something like tunneling through http or even getting the desired
> machine to listen for ssh on a different port.
> 
You want the job, that's the conditions, take it or leave it!  Would you
go against company policy and risk your job by compromising security
with unauthorised tunnels, tch tch!

> And while I'm ranting about bad security what is it with people that
> wouldn't touch telnet with a 10-foot pole but are happy with pop3
> services running?  I have an account with a web hosting company in the
> U.S that won't give me shell access but don't offer any other form of
> encryption so I'm stuck blasting my plaintext password across the net
> every 15 minutes.  I would close the account but I signed up for 12
> months or thereabouts.
> 
This I agree with - how about ftp, vnc (only the passwd is encoded, the
actual sessions can apparently be recovered), samba mounts, and there
must be innumerable other programs that use plain text passwords or
content!

People seem to crucify anyone who even suggests that there is life in
telnet, but there seems to be no balance or thought in the argument.

> Steve
> 



