From owner-freebsd-security  Mon Oct  2 17:26:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20])
	by hub.freebsd.org (Postfix) with ESMTP id B96F237B502
	for <security@freebsd.org>; Mon,  2 Oct 2000 17:26:57 -0700 (PDT)
Received: (from bright@localhost)
	by fw.wintelcom.net (8.10.0/8.10.0) id e930QOK06251;
	Mon, 2 Oct 2000 17:26:24 -0700 (PDT)
Date: Mon, 2 Oct 2000 17:26:24 -0700
From: Alfred Perlstein <bright@wintelcom.net>
To: Jordan Hubbard <jkh@winston.osd.bsdi.com>
Cc: Warner Losh <imp@village.org>, Brian Somers <brian@Awfulhak.org>,
	security@freebsd.org
Subject: Re: cvs commit: src/usr.bin/finger finger.c
Message-ID: <20001002172624.C27736@fw.wintelcom.net>
References: <jkh@winston.osd.bsdi.com> <78462.970531991@winston.osd.bsdi.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <78462.970531991@winston.osd.bsdi.com>; from jkh@winston.osd.bsdi.com on Mon, Oct 02, 2000 at 05:13:11PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Jordan Hubbard <jkh@winston.osd.bsdi.com> [001002 17:16] wrote:
> > It is?!?  Holy crap it IS - when did THAT happen?  Somebody was
> 
> And just to follow up to myself, I see by the logs that it's been on
> for a very long time if not the very beginning.  As I just said on
> security, I guess I've been turning it off practically in my sleep
> since it's not enabled on any of my systems and I don't even remember
> disabling it.  Since fingerd is hardly an essential service, I'm
> hoping that few will argue with my recent decision to comment it out
> by default.  It's not like people will suddenly lose access to newly
> installed systems (from Windows or some other no-ssh-by-default
> environment), as was argued to be the case with telnetd.

I've also found rather painfully that your smarter script kiddies
will gleefully use your finger info to figure out where your DSL
line is and happily smurf you to death.

Or sometimes they'll just use it to fire up talk to you on your
home machine which is good for a near heart attack.

So can we turn this junk off?  There should be no reason for a 
"securing FreeBSD" article to be posted somewhere.

-- 
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message