[plug] Incoming Telnet Priority

Steven Vertigan steve at vertigan.wattle.id.au
Fri Nov 23 20:42:09 WST 2001


On Fri, 2001-11-23 at 18:34, Bill Kenworthy wrote:

> No, the server won't check your mail, but the client is
> using the same protocol.

Not to be pedantic but it isn't, that was my point.  It's using the pop3
protocol (or imap or ftp or http or whatever you're checking) and you
could just as easily check with a sockets library and a C function.  You
could also say baking a cake and having sex are essentially the same
thing in that they both involve molecules and kinetic energy.  IIRC the
original comment was WRT replacing telnet with ssh for shell access;
arguing that you need to check your mail server with the telnet client
as you or the post on the Mandrake list and anyone who disagrees must be
an ssh fanatic isn't particularly relevant.

> You want the job, that's the conditions, take it or leave it!  Would you
> go against company policy and risk your job by compromising security
> with unauthorised tunnels tch tch!

If I want the job bad enough to put up with onerous restrictions of my
network usage I probably wouldn't be telnetting into a box to play
nethack in the first place.  If on the other hand I needed shell access
to another machine for my job then I'd tell my supervisor that an inane
firewall setup was stopping me from doing my job and severely
compromising the company's security.

 
> This I agree with - how about ftp, vnc (only the passwd is encoded, the
> actual sessions can apparently be recovered), samba mounts, and there
> must be innumerable other programs that use plain text passwords or
> content!
> 
> People seem to crucify anyone who even suggests that there is life in
> telnet, but there seems to be no balance or thought in the argument.

I agree there, there are many insecure protocols.  I have smb, telnet
and ftp inside my LAN but there's no way I'd open those ports outside of
it.  As has been oft-stated on this list security is a holistic process
and a simple mantra like "telnet bad, ssh good" isn't helpful on its
own.  But that said it doesn't invalidate the statement either, I don't
like the telnet server in particular as it has a history of buffer
overflows on the BSD platform that is my network gateway, not sure if
the standard Linux one is any better.

Regards,
Steve


