[linux-elitists] telnet weenie frenzy!

Bulent Murtezaoglu bm@acm.org
Mon Feb 26 12:58:21 PST 2001


    DM> [...] This is all regarding an item that appeared in Linux Journal
    DM> (appended).  Any of you all security experts have an opinion?

I am NOT a security expert, but I do have an opinion.

    DM> [..] Teaching people how to set up telnet or ftp servers is
    DM> irresponsible, so we won't do it. 

I don't agree.  You could instead teach them why it might be preferable not
to provide telnet or ftp on the interface facing the internet and/or
point out references for further reading.  

    DM> Shred your dusty old
    DM> no-sense-of-security Internet books that explain these two
    DM> insecure protocols (don't give them to a library; a kid might
    DM> see them) and install ssh. 

SSH is vulnerable to man-in-the-middle attacks in the default config
installed by most of the distributions I know.  If you take careless
system administration as a given, it is also vulnerable to dictionary
attacks much like telnet (extrapolate to ftp for regular users).
Anonymous read-only ftp is just as secure IMHO as http, if we can
assume solid server software.

    DM> Most distributions have
    DM> easy-to-install ssh packages now. 

Usually delivered by insecure methods.  It seems to me that if we will
be scared of adversaries who can sniff tcp connections, we should also
be scared of adversaries who will muck with DNS and cause
ftp.redhat.com or http.debian.org and such to resolve to whatever 
server they want.  

I DO agree that ssh is a better option.  But you solicited devil's
advocate comments...

cheers,

BM
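
[Editor's note: the following configuration example is added here and is not
part of the original post. It shows the two weaknesses BM describes above
side by side with the settings that close them: the client-side host-key
behaviour that permits a man in the middle on first contact, and the
server-side password authentication that leaves sshd open to dictionary
attacks. The hostname is a placeholder. The two client stanzas are
alternatives for the same file: ssh takes the first value it finds for each
option, so only one of them should actually be present.]

```sshconfig
# ---- client: ~/.ssh/config ----

# Weak: what stock OpenSSH does.  "ask" shows the fingerprint on first
# contact and trusts whatever key is presented once the user types "yes".
# Whoever answers that first connection, including a man in the middle,
# has its key stored in known_hosts from then on.
Host shell.example.org
    StrictHostKeyChecking ask

# Hardened: refuse to connect unless the host key is already in known_hosts.
# The key must get there out of band (fingerprint compared over the phone,
# on paper, or from a signed file), not by accepting it on first use.
Host shell.example.org
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts
    PasswordAuthentication no
    PubkeyAuthentication yes

# ---- server: /etc/ssh/sshd_config ----

# Weak: the tunnel is encrypted, but a guessed password works exactly as
# well as it does over telnet, and root is a known username.
PasswordAuthentication yes
PermitRootLogin yes

# Hardened: key-based logins only, nothing for a wordlist to guess, and
# no direct root login to aim it at.
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
```

To get the server's fingerprint for the out-of-band comparison, run
`ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub` (or the other host key
files) on the server itself and carry the output to the client by a path
an on-the-wire attacker cannot touch. The same reasoning applies to the
package-delivery point above: a file fetched from a mirror is only as
trustworthy as the DNS that found the mirror, unless its signature is
checked against a key obtained some other way.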
