1996-04-28 - Re: www.WhoWhere.com selling access to my employer’s passwd file

Header Data

From: ichudov@algebra.com (Igor Chudov @ home)
To: llurch@networking.stanford.edu (Rich Graves)
Message Hash: 397150ead1d3e63a4b130c72a25bcd1bf791af415247c796af68edf5f2b6abc0
Message ID: <199604281414.JAA14452@manifold.algebra.com>
Reply To: <Pine.GUL.3.93.960427172022.9454F-100000@Networking.Stanford.EDU>
UTC Datetime: 1996-04-28 19:19:55 UTC
Raw Date: Mon, 29 Apr 1996 03:19:55 +0800

Raw message

From: ichudov@algebra.com (Igor Chudov @ home)
Date: Mon, 29 Apr 1996 03:19:55 +0800
To: llurch@networking.stanford.edu (Rich Graves)
Subject: Re: www.WhoWhere.com selling access to my employer's passwd file
In-Reply-To: <Pine.GUL.3.93.960427172022.9454F-100000@Networking.Stanford.EDU>
Message-ID: <199604281414.JAA14452@manifold.algebra.com>
MIME-Version: 1.0
Content-Type: text


Rich Graves wrote:
> They did that too. They got recursive whois and finger sweeps dated
> mid-1993 (we catch people doing whois aaaa*, aaab*, and so on every once
> in a while), a Usenet-wide sweep dated early 1994, a sweep of local,
> firewalled su.* newsgroups last December/January 95/96, and an outright
> theft of the master shadow password file for most stanford.edu accounts
> (address, real name, and UID only, no group ID or encrypted password) in
> January 1996.

Why do people tolerate running an "old" finger server on their machines?  An
old finger server that gives anyone the names of all users logged on, dynamic
information such as where they are logging in from, etc., is just as bad an
invasion of privacy as whowhere.com.

It does not take a genius to write a safer replacement for in.fingerd that
reports only what users wish to report about themselves. There are many
good replacements for finger daemon floating around, too.

I wrote one in Perl; it is about 50 lines long and is free for the asking.

	- Igor.

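The kind of replacement Igor describes, as an added example written for this archive page (in Python, not his Perl daemon, which is not reproduced here, and not any real in.fingerd). It answers only per-user queries, returns only text the user has chosen to publish, refuses the "who is logged in" and forwarding forms of the request, and answers unknown users and opted-out users identically so the service cannot be used to enumerate accounts. The per-user opt-in file, the sample users, their text and the demo port are all assumptions.

```python
"""Minimal privacy-preserving finger (RFC 1288) responder.

Added example, not Igor Chudov's Perl daemon nor any real in.fingerd.
Policy: answer only per-user queries, return only text the user has
opted in to publish, never list who is logged in, never reveal login
origin / tty / idle time, and answer unknown and opted-out users
identically so the service cannot be used to enumerate accounts.
"""
import re
import socketserver
from typing import Callable, Dict, Optional

# Constructed sample directory standing in for per-user opt-in files
# (e.g. a hypothetical ~/.fingerinfo the user creates on purpose).
SAMPLE_OPTIN: Dict[str, str] = {
    "alice": "Alice Example\nOffice hours: Tue 14:00-16:00\n",
    "mallory": "Hi\x07 there\x1b",   # control characters a user might plant
}

MAX_REQUEST = 256   # bytes accepted from the client per request line
MAX_REPLY = 2048    # bytes of user-published text we forward
NO_INFO = b"No information available.\r\n"
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def sanitize(text: str) -> str:
    """Keep printable ASCII plus newline/tab and cap the length, so a user's
    published text cannot drive terminal escapes at the requester."""
    cleaned = "".join(ch for ch in text if ch in "\n\t" or 32 <= ord(ch) < 127)
    return cleaned[:MAX_REPLY]


def handle_request(raw: bytes, lookup: Callable[[str], Optional[str]]) -> bytes:
    """Map one finger request line to the reply bytes.

    raw    -- the request as received, e.g. b"alice\r\n", b"/W alice\r\n", b"\r\n"
    lookup -- returns the user's opt-in text, or None if there is none
    """
    if len(raw) > MAX_REQUEST:
        return NO_INFO
    line = raw.decode("ascii", errors="replace").strip()
    # RFC 1288 "/W" asks for verbose output; we never have anything extra.
    if line.startswith("/W"):
        line = line[2:].strip()
    # Empty query means "who is logged in?", exactly what we refuse to answer.
    if not line:
        return NO_INFO
    # Forwarding requests (user@host) are refused outright.
    if "@" in line:
        return NO_INFO
    if not USERNAME_RE.match(line):
        return NO_INFO
    text = lookup(line)
    if text is None:
        return NO_INFO      # identical to the reply for a nonexistent user
    body = sanitize(text)
    if not body.endswith("\n"):
        body += "\n"
    return body.replace("\n", "\r\n").encode("ascii")


class FingerHandler(socketserver.StreamRequestHandler):
    """TCP handler: one request line per connection, as in finger."""

    def handle(self) -> None:
        raw = self.rfile.readline(MAX_REQUEST + 1)
        self.wfile.write(handle_request(raw, SAMPLE_OPTIN.get))


if __name__ == "__main__":
    # Loopback-only demo port; the real finger port is 79 and needs privileges.
    with socketserver.TCPServer(("127.0.0.1", 7979), FingerHandler) as srv:
        srv.serve_forever()
```

The lookup is passed in as a callable so the same policy logic can be wired to a real per-home-directory file reader instead of the constructed dictionary; the one thing the daemon must never consult is utmp/wtmp or login session state, which is the data the old in.fingerd leaks.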