1995-10-17 - BeBox Security Hole?

Header Data

From: rah@shipwright.com (Robert Hettinga)
To: cypherpunks@toad.com
Message Hash: 2a2cbb4a13fbb3b19d4614ee9e05027f5174aa0125bb654d9d5fd96968e30457
Message ID: <v02120d06aca9a270c12d@[199.0.65.105]>
Reply To: N/A
UTC Datetime: 1995-10-17 19:46:56 UTC
Raw Date: Tue, 17 Oct 95 12:46:56 PDT

Raw message

From: rah@shipwright.com (Robert Hettinga)
Date: Tue, 17 Oct 95 12:46:56 PDT
To: cypherpunks@toad.com
Subject: BeBox Security Hole?
Message-ID: <v02120d06aca9a270c12d@[199.0.65.105]>
MIME-Version: 1.0
Content-Type: text/plain



This looks like fun...

Cheers,
Bob Hettinga


>Date: Mon, 16 Oct 1995 23:07:58 -0700
>From: crawford@scruznet.com (Michael D. Crawford)
>To: semper.fi@abs.apple.com, dev@be.com
>Subject: Re: BeBox development questions and answers
>Message-ID: <199510170607.XAA06319@scruz.net>
>
>Jonah Benton asked Melissa Rogers about security:
>
>>>>are there ways of excluding certain users from certain parts of the file
>>>>system?
>>>No
>>>>
>>>>i believe you support telnet- can multiple users telnet in at once?
>>>>
>>>Yes
>
>The answers to these two questions suggest the existence of the following
>serious security problem, which can cause breaches on any other machine on
>the network.  This is a time-honored way for hackers to bust into machines
>on the Internet.
>
>do{
>   telnet to an Internet host that does not have adequate security
>
>   Patch the telnet client on the Be box to save keystrokes into a file
>
>   Log out
>
>   Wait a couple weeks
>
>   Telnet back in, retrieve the file.
>
>   Now you have the host names, account names, and passwords for several other
>   machines
>}while ( Internet != destroyed );
>
>Would someone from Be care to clarify?
>
>This isn't exactly on-topic for this list, but it is a serious problem.
>It's been going on for years on other OS's.
>
>Mike
>
>Michael D. Crawford             | I use anonymous digital cash from DigiCash.
>crawford@scruznet.com           | Join the e-Cash trial at:
>http://www.scruz.net/~crawford/ | http://www.digicash.com
>

-----------------
Robert Hettinga (rah@shipwright.com)
Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131
USA (617) 323-7923
"Reality is not optional." --Thomas Sowell
>>>>Phree Phil: Email: zldf@clark.net  http://www.netresponse.com/zldf <<<<<
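
A defensive counterpart to the scenario in the quoted message, as an added example that is not part of the original post: when users cannot be excluded from parts of the file system, a shared client binary can be altered by anyone, so this Python example records a hash baseline and reports files whose content changed or whose mode lets non-owners write. The function names, the temporary directory and the stand-in `telnet` file contents are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Map each regular file under root to (sha256 hex digest, permission bits)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            info = os.lstat(full)
            if not stat.S_ISREG(info.st_mode):
                continue  # skip symlinks, devices, sockets
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[os.path.relpath(full, root)] = (digest, stat.S_IMODE(info.st_mode))
    return result


def audit(root, baseline):
    """Return sorted (path, finding) pairs for drift from a trusted baseline."""
    findings = []
    current = snapshot(root)
    for path, (digest, mode) in current.items():
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "writable by non-owner"))
        if path not in baseline:
            findings.append((path, "not in baseline"))
        elif baseline[path][0] != digest:
            findings.append((path, "content changed"))
    findings += [(p, "missing") for p in baseline if p not in current]
    return sorted(findings)


def demo():
    """Constructed scenario: a stand-in 'telnet' file is loosened, then replaced."""
    with tempfile.TemporaryDirectory() as root:
        client = os.path.join(root, "telnet")
        with open(client, "wb") as fh:
            fh.write(b"original client build")  # constructed placeholder content
        os.chmod(client, 0o755)
        baseline = snapshot(root)
        clean = audit(root, baseline)
        os.chmod(client, 0o777)  # the "no per-user file protection" condition
        with open(client, "wb") as fh:
            fh.write(b"replaced client build")  # constructed placeholder content
        return clean, audit(root, baseline)
```

Calling `demo()` returns the findings before and after the change. The baseline is only useful if it is kept where the users being audited cannot write to it.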






