From owner-freebsd-isp  Sat Feb  1 19:51:58 1997
Return-Path: <owner-isp>
Received: (from root@localhost)
          by freefall.freebsd.org (8.8.5/8.8.5) id TAA27863
          for isp-outgoing; Sat, 1 Feb 1997 19:51:58 -0800 (PST)
Received: from pinky.junction.net (pinky.junction.net [199.166.227.12])
          by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id TAA27858
          for <freebsd-isp@FreeBSD.ORG>; Sat, 1 Feb 1997 19:51:55 -0800 (PST)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by pinky.junction.net (8.6.12/8.6.12) with ESMTP id TAA02305 for <freebsd-isp@FreeBSD.ORG>; Sat, 1 Feb 1997 19:51:50 -0800
Received: from localhost (michael@localhost) by sidhe.memra.com (8.6.12/8.6.12) with SMTP id TAA19786 for <freebsd-isp@FreeBSD.ORG>; Sat, 1 Feb 1997 19:46:55 -0800
Date: Sat, 1 Feb 1997 19:46:54 -0800 (PST)
From: Michael Dillon <michael@memra.com>
To: "freebsd-isp@freebsd.org" <freebsd-isp@FreeBSD.ORG>
Subject: Re: Spam from rival
In-Reply-To: <199702020052.QAA20768@freefall.freebsd.org>
Message-ID: <Pine.BSI.3.93.970201194112.8699Y-100000@sidhe.memra.com>
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-isp@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sat, 1 Feb 1997 dwoodward@intraserve.com wrote:

>     If the line is null (i.e. just a <CRLF> is sent) then finger
>     returns a ``default report" report that lists all people logged
>     into the system at that moment.
> 
> By doing this several times over a period of days logging the results (a 
> cron perl script, logging to a file) do you think they would be able to 
> get list of users??

I know somebody who did this every 5 minutes for three months including
a script to summarize the user list so he could keep track of the
competitor's growth. The reason he stopped was that he discovered that 
he could just tftp the /etc/passwd file from the competitor's SCO system.

> Plus giving out shell accounts isn't bad, since everyone is so honest 
> what possible harm could it cause? Why I just can't wait to sign up 
> more. That extra $10 a month is worth it

It is possible to configure a shell machine so that the /etc/passwd file
does not contain usernames, only the userid numbers. This is especially
easy with FreeBSD where you have the complete source. Just change every
mention of /etc/passwd to /.etc/.passwd and then modify adduser to keep a
bogus /etc/passwd file in place for when you forget to modify a package
that you install. There are probably a dozen other ways to secure a shell
machine.

Michael Dillon                   -               Internet & ISP Consulting
Memra Software Inc.              -                  Fax: +1-250-546-3049
http://www.memra.com             -               E-mail: michael@memra.com