Re: oldusenet project

<slrntqu510.h7h.grahn+nntp@frailea.sa.invalid>

From: grahn+n...@snipabacken.se (Jorgen Grahn)
Newsgroups: alt.folklore.computers
Subject: Re: oldusenet project
Date: 30 Dec 2022 16:38:56 GMT
 by: Jorgen Grahn - Fri, 30 Dec 2022 16:38 UTC

On Tue, 2022-12-20, Johnny Billquist wrote:
> On 2022-12-17 19:41, Ahem A Rivet's Shot wrote:
>> On 17 Dec 2022 18:18:45 GMT
>> Tavis Ormandy <taviso@gmail.com> wrote:
>>
>>> /\\ _o) _o) $ finger taviso@sdf.org
>>
>> Now that's the first publicly visible finger server I've seen in
>> decades.
>
> Gromit:bqt/mytcp> finger @mim.stupi.net
> [mim.stupi.net]
> RSX-11M-PLUS system MIM. Tue Dec 20 15:16:49 2022. Up: 0 days, 13:04.
>
> Luser      Real name         Term   Idle   Logged in
> BILLQUIST  Johnny Billquist  TT10:  10:57  20 Dec 04:18
> BILLQUIST  Johnny Billquist  TT11:      3  20 Dec 04:18
> BILLQUIST  Johnny Billquist  TT12:     33  20 Dec 14:09
> Gromit:bqt/mytcp>

% finger @snipabacken.se
Login  Name          Tty  Idle  Login Time  Office  Office Phone
grahn  Jorgen Grahn  p1   1:28  Fri 08:03
grahn  Jorgen Grahn  p3      -  Fri 15:42

(I never understood what's so insecure about finger. It's not as if
I allow telnet access, or ssh access without public-key auth. People
can learn where I am and when, but right now -- and since it's under
my control -- I don't mind.)

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .

Re: oldusenet project

<Do6cnWonou5vrDL-nZ2dnZfqnPidnZ2d@giganews.com>

 by: Dennis Boone - Fri, 30 Dec 2022 18:46 UTC

> (I never understood what's so insecure about finger. It's not as if
> I allow telnet access, or ssh access without public-key auth. People
> can learn where I am and when, but right now -- and since it's under
> my control -- I don't mind.)

The original implementation tended to have the usual buffer management
issues, and also exposed actual live usernames, login status, etc.
This sort of thing gives away information that could be useful in an
attack.

Newer implementations that let you control what information is shown,
and have been better secured, etc.

De
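
An added sketch, not part of the post above and not any real fingerd's code: one way a finger responder can bound its input and control what it reveals, using the RFC 1288 request shape (optional /W, optional user, optional @host forwarding). The Policy fields, MAX_LINE and the account name in the test are assumptions made for the example.

```python
from dataclasses import dataclass

MAX_LINE = 512  # bound the request before parsing; value chosen for this example


@dataclass(frozen=True)
class Policy:
    """Hypothetical policy knobs, named for this example only."""
    allow_user_list: bool = False     # answer the empty "who is on" query
    allow_forwarding: bool = False    # relay user@host queries to other hosts
    allow_verbose: bool = False       # honour the /W long-output switch
    public_users: frozenset = frozenset()  # accounts that opted in


def decide(request: bytes, policy: Policy):
    """Classify one finger request line as refuse / list / forward / user."""
    if len(request) > MAX_LINE or not request.endswith(b"\r\n"):
        return ("refuse", "malformed or over-long request")
    try:
        line = request[:-2].decode("ascii")
    except UnicodeDecodeError:
        return ("refuse", "non-ASCII request")
    if not line.isprintable():
        return ("refuse", "control characters in request")
    tokens = line.split()
    verbose = False
    if tokens and tokens[0] == "/W":
        verbose = policy.allow_verbose  # downgrade quietly when not allowed
        tokens = tokens[1:]
    if len(tokens) > 1:
        return ("refuse", "malformed or over-long request")
    if not tokens:
        if policy.allow_user_list:
            return ("list", verbose)
        return ("refuse", "user listing disabled")
    target = tokens[0]
    if "@" in target:
        if policy.allow_forwarding:
            return ("forward", target)
        return ("refuse", "forwarding disabled")
    # Unknown and non-opted-in accounts get the same answer, so the reply
    # does not confirm which login names exist.
    if target not in policy.public_users:
        return ("refuse", "no information available")
    return ("user", target, verbose)
```
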

Re: oldusenet project

<1931805675.694129506.151126.peter_flass-yahoo.com@news.eternal-september.org>

 by: Peter Flass - Fri, 30 Dec 2022 21:45 UTC

Dennis Boone <drb@ihatespam.msu.edu> wrote:
> > (I never understood what's so insecure about finger. It's not as if
> > I allow telnet access, or ssh access without public-key auth. People
> > can learn where I am and when, but right now -- and since it's under
> > my control -- I don't mind.)
>
> The original implementation tended to have the usual buffer management
> issues, and also exposed actual live usernames, login status, etc.
> This sort of thing gives away information that could be useful in an
> attack.

Sort of like Facebook, I guess.

>
> Newer implementations that let you control what information is shown,
> and have been better secured, etc.
>
> De
>

--
Pete

Re: oldusenet project

<topamh$9u4$2@news.misty.com>

 by: Johnny Billquist - Sat, 31 Dec 2022 12:41 UTC

On 2022-12-30 17:38, Jorgen Grahn wrote:
> On Tue, 2022-12-20, Johnny Billquist wrote:
>> On 2022-12-17 19:41, Ahem A Rivet's Shot wrote:
>>> On 17 Dec 2022 18:18:45 GMT
>>> Tavis Ormandy <taviso@gmail.com> wrote:
>>>
>>>> /\\ _o) _o) $ finger taviso@sdf.org
>>>
>>> Now that's the first publicly visible finger server I've seen in
>>> decades.
>>
>> Gromit:bqt/mytcp> finger @mim.stupi.net
>> [mim.stupi.net]
>> RSX-11M-PLUS system MIM. Tue Dec 20 15:16:49 2022. Up: 0 days, 13:04.
>>
>> Luser      Real name         Term   Idle   Logged in
>> BILLQUIST  Johnny Billquist  TT10:  10:57  20 Dec 04:18
>> BILLQUIST  Johnny Billquist  TT11:      3  20 Dec 04:18
>> BILLQUIST  Johnny Billquist  TT12:     33  20 Dec 14:09
>> Gromit:bqt/mytcp>
>
> % finger @snipabacken.se
> Login  Name          Tty  Idle  Login Time  Office  Office Phone
> grahn  Jorgen Grahn  p1   1:28  Fri 08:03
> grahn  Jorgen Grahn  p3      -  Fri 15:42
>
> (I never understood what's so insecure about finger. It's not as if
> I allow telnet access, or ssh access without public-key auth. People
> can learn where I am and when, but right now -- and since it's under
> my control -- I don't mind.)

Well, the theory is that even finding out the usernames existing on a
system is a security issue.

I myself disagree, and have no real issue with revealing that
information, so I keep finger running.

For the same reason, identd is sometimes being blocked, and can be
configured to not actually reveal usernames, but just UIDs.

Johnny

Re: oldusenet project

<20221231132032.667b069cf24663e613095074@eircom.net>

 by: Ahem A Rivet's - Sat, 31 Dec 2022 13:20 UTC

On Sat, 31 Dec 2022 13:41:53 +0100
Johnny Billquist <bqt@softjar.se> wrote:

> Well, the theory is that even finding out the usernames existing on a
> system is a security issue.

On a typical university system with hundreds of student accounts it
could very well be enough to make a low rate dictionary attack yield an
entry point.

--
Steve O'Hara-Smith
Odds and Ends at http://www.sohara.org/

Re: oldusenet project

<oxk*8Zb7y@news.chiark.greenend.org.uk>

 by: Theo - Sat, 31 Dec 2022 17:40 UTC

Peter Flass <peter_flass@yahoo.com> wrote:
> Dennis Boone <drb@ihatespam.msu.edu> wrote:
> > > (I never understood what's so insecure about finger. It's not as if
> > > I allow telnet access, or ssh access without public-key auth. People
> > > can learn where I am and when, but right now -- and since it's under
> > > my control -- I don't mind.)
> >
> > The original implementation tended to have the usual buffer management
> > issues, and also exposed actual live usernames, login status, etc.
> > This sort of thing gives away information that could be useful in an
> > attack.
>
> Sort of like Facebook, I guess.

I think there might have been some stalking incidents on university systems
where you could finger someone and find out how recently they read their
mail and where from. If the recently was 'now', that told you where they
were logged in currently. If it was from 'studentpc42.physics.example.edu'
then you knew their precise location. It could also leak sidechannel
information, eg if the student was an English major we can infer that they
knew somebody in physics who let them in to the physics building, etc.

Theo

Re: oldusenet project

<slrntr1epg.h7h.grahn+nntp@frailea.sa.invalid>

 by: Jorgen Grahn - Sat, 31 Dec 2022 22:44 UTC

On Sat, 2022-12-31, Ahem A Rivet's Shot wrote:
> On Sat, 31 Dec 2022 13:41:53 +0100
> Johnny Billquist <bqt@softjar.se> wrote:
>
>> Well, the theory is that even finding out the usernames existing on a
>> system is a security issue.
>
> On a typical university system with hundreds of student accounts it
> could very well be enough to make a low rate dictionary attack yield an
> entry point.

Hopefully, today few expose plain password login over the network ...
although I don't know the challenges faced by a university sysadmin --
maybe they need insecure auth for legacy reasons.

Me, I just configure my personal ssh server with
'PasswordAuthentication no' and then I don't worry much.

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .
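
An added example, not part of the post above: a check that 'PasswordAuthentication no' is what sshd will actually use, since sshd keeps the first value it reads for a keyword and a Match block can switch password login back on. The sample config and function name are constructed for illustration, and Include files are assumed to be already expanded.

```python
import re

# Keywords that permit a typed password. OpenSSH treats each as "yes" when
# unset; ChallengeResponseAuthentication is the deprecated alias of
# KbdInteractiveAuthentication (what it prompts for depends on PAM/BSD auth).
CANONICAL = {
    "passwordauthentication": "PasswordAuthentication",
    "kbdinteractiveauthentication": "KbdInteractiveAuthentication",
    "challengeresponseauthentication": "KbdInteractiveAuthentication",
}
LINE_RE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.+)$")

# Constructed sample: the "no" on line 3 is shadowed by the earlier "yes".
SAMPLE = """\
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""


def audit_sshd_config(text):
    """Return (scope, keyword, line) for every section that leaves
    password-style login enabled; line 0 means the keyword is unset."""
    global_values = {}   # keyword -> (value, line); sshd keeps the first value
    decided = set()      # (Match line, keyword) pairs already seen
    findings = []
    scope = "global"
    for number, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(raw.strip())
        if not m:
            continue     # blank line or comment
        key = m.group(1).lower()
        value = m.group(2).split()[0].strip('"').lower()
        if key == "match":
            scope = raw.strip()
            continue
        name = CANONICAL.get(key)
        if name is None:
            continue
        if scope == "global":
            global_values.setdefault(name, (value, number))
        elif (scope, name) not in decided:
            decided.add((scope, name))
            if value != "no":
                findings.append((scope, name, number))
    for name in ("PasswordAuthentication", "KbdInteractiveAuthentication"):
        value, number = global_values.get(name, ("yes", 0))
        if value != "no":
            findings.append(("global", name, number))
    return findings
```
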

Re: oldusenet project

<tos6ns$q39$1@news.misty.com>

 by: Johnny Billquist - Sun, 1 Jan 2023 14:52 UTC

On 2022-12-31 18:40, Theo wrote:
> Peter Flass <peter_flass@yahoo.com> wrote:
>> Dennis Boone <drb@ihatespam.msu.edu> wrote:
>>> > (I never understood what's so insecure about finger. It's not as if
>>> > I allow telnet access, or ssh access without public-key auth. People
>>> > can learn where I am and when, but right now -- and since it's under
>>> > my control -- I don't mind.)
>>>
>>> The original implementation tended to have the usual buffer management
>>> issues, and also exposed actual live usernames, login status, etc.
>>> This sort of thing gives away information that could be useful in an
>>> attack.
>>
>> Sort of like Facebook, I guess.
>
> I think there might have been some stalking incidents on university systems
> where you could finger someone and find out how recently they read their
> mail and where from. If the recently was 'now', that told you where they
> were logged in currently. If it was from 'studentpc42.physics.example.edu'
> then you knew their precise location. It could also leak sidechannel
> information, eg if the student was an English major we can infer that they
> knew somebody in physics who let them in to the physics building, etc.

Knowing if someone is online isn't done by looking at when mail was
read. That is silly. Finger directly reports if you are online or not.
And if not, when you last logged in.

But sure, you can certainly stalk someone, and then any kind of
information can be considered bad.

Johnny
