From owner-freebsd-security  Fri Aug 17 14: 4:36 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cithaeron.argolis.org (bgm-24-169-175-136.stny.rr.com [24.169.175.136])
	by hub.freebsd.org (Postfix) with ESMTP id 1ACAA37B406
	for <freebsd-security@FreeBSD.ORG>; Fri, 17 Aug 2001 14:04:21 -0700 (PDT)
	(envelope-from piechota@argolis.org)
Received: from localhost (piechota@localhost)
	by cithaeron.argolis.org (8.11.4/8.11.4) with ESMTP id f7HL45T05034;
	Fri, 17 Aug 2001 17:04:05 -0400 (EDT)
	(envelope-from piechota@argolis.org)
X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs
Date: Fri, 17 Aug 2001 17:04:04 -0400 (EDT)
From: Matt Piechota <piechota@argolis.org>
To: "Carroll, D. (Danny)" <Danny.Carroll@mail.ing.nl>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: RE: Silly crackers... NT is for kids...
In-Reply-To: <98829DC07ECECD47893074C4D525EFC311561F@citsnl007.europe.intranet>
Message-ID: <20010817165323.F4969-100000@cithaeron.argolis.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Fri, 17 Aug 2001, Carroll, D. (Danny) wrote:

> Even for authentication?
>
> I can understand using a telnet client to manually test SMTP servers or
> other protocols, but I cannot understand why you *need* telnet.
> Mind you I am against using pop3 as well, unless it's encrypted.

Example 1:
You're on an internal heavily firewalled corporate LAN, where none of your
information is hidden between employees.  So you don't care, and you don't
have to worry about installing ssh on every PC's desktop, and teaching
cluon-deprived people to use it.

Example 2:
You're running realtime applications, or applications that need all
available processing power for performance reasons.  The extra overhead of
encrypting and decrypting the ssh traffic may drop your performance.


Let's not forget that until the recently done work of the OpenSSH team,
you couldn't use SSH in a commercial environment with out paying for it.
And besides, sniffing passwords isn't that terribly easy if you're using
switched Ethernet anyways.  As an experiment, I've tried to sniff
passwords here (Falls under Example 1: we telnet everywhere, and even
allow root to telnet and ftp in), I've never gotten one unless it was from
the box I was running the sniffer from.

I'll agree that these aren't all that typical, but they do exist.

-- 
Matt Piechota
Finger piechota@emailempire.com for PGP key
AOL IM: cithaeron


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message