Date: Wed, 02 Aug 1995 04:39:02 -0700
From: "Jordan K. Hubbard" <jkh@time.cdrom.com>
To: paul@freebsd.org
Cc: pst@shockwave.com, jkh@freefall.cdrom.com, CVS-commiters@freefall.cdrom.com, cvs-libexec@freefall.cdrom.com
Subject: Re: cvs commit: src/libexec/getty gettytab.5 main.c
Message-ID: <3050.807363542@time.cdrom.com>
In-Reply-To: Your message of "Wed, 02 Aug 1995 10:56:49 BST." <199508020956.KAA12591@server.netcraft.co.uk>

> The correct response would have been to explain to this user that it
> was firmly recommended not to do that for security reasons.

Sigh. Conversations like this never cease to amaze me. What are we
*arguing* about here, people??

In this instance we have "the security risk" I've introduced by giving
the user the ability to change the default login banner. Wait a minute.
What used to be there before? It was "FreeBSD (some.host.name) (ttyxx)",
I believe, before all this ruckus got raised. Now this DOES tell us
we're running FreeBSD, does it not?

Sheesh. I don't *need* the version number! I know the project's only
released 4 major releases and statistics would tend to lean towards 2.0
and 2.0.5, so I have all of *two* variations to try in my attack. Boy,
challenge me big time, why don't ya! :-) Heck, if those don't work then
I'll try my variation for -current and get just about everybody I missed
on the first pass.

All the technology is openly available, and if someone wants in based on
a version-specific flaw then it's pretty obvious what they're going to do
upon encountering a FreeBSD system with no stated revision level: Try it.
If it works, they're in. If it doesn't, they try the next trick in their
bag or give up when they're out of tricks. A stated revision changes
*nothing*.

I'm sorry, this argument has gotten entirely too silly. I'm outta here.

					Jordan