Date: Thu Jun  9 23:57:13 2005
From: khermans at cisco.com (Kristian Hermansen)
Subject: Microsoft Windows and *nix Telnet PortNumber Argument Obfuscation

On Thu, 2005-06-09 at 08:06 -0700, Etaoin Shrdlu wrote:
> For those of us actually looking at it as an
> early warning system, think of Nick as being a vocal representative of the
> majority of more senior security people on the list.

OK.  Fair enough, but at least some people found it "informative".  The
technique described probably does affect many networking tools, as you
stated, but one should ask if this is a proper coding technique or not
(think secure code).  The input does not map to the expected output --
and the user should have been told that the port number is out of range.
Otherwise, what if he thinks 65571 is a valid port after executing that
command?  He may be naive, but shouldn't the telnet programmer let him
know that he is mistaken in his port choice?

As an analogy, it is also true that a C programmer could pull some nice
tricks to optimize his code, but that code may confuse another
programmer trying to understand it.  This is a system, like anything
else, and things are based on give/take.  I don't see why allowing this
to happen actually helps anyone but the telnet programmer -- because it
could confuse many users.  That's my rant and I'm done -- the users who
did not know about this have been informed and that was the point of the
original notice.  My apologies to the "elite", who sit so highly upon
their horses and throw flames down from above ;-)
-- 
Kristian Hermansen <khermans@...co.com>
Cisco Systems, Inc.
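
The point made in the message above, as an added example that is not part of the original post and is not taken from any telnet source: a port argument silently truncated to 16 bits, next to a parser that rejects it and tells the user. The function names and the use of atoi() for the lenient case are assumptions made for illustration; the inputs are constructed, with 65571 taken from the message.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Lenient model (assumption, not telnet's code): the parsed integer is
   silently truncated to 16 bits, so the port used differs from the input. */
static uint16_t parse_port_lenient(const char *s)
{
    return (uint16_t)atoi(s);
}

/* Strict parse: returns 0 and stores the port on success, -1 for any
   input that is not a complete decimal integer in the range 1..65535. */
static int parse_port_strict(const char *s, uint16_t *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE)
        return -1;                      /* empty, trailing junk, overflow */
    if (v < 1 || v > 65535)
        return -1;                      /* outside the TCP port range */
    *out = (uint16_t)v;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "23", "65571", "65536", "-1", "23abc", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint16_t p = 0;
        int rc = parse_port_strict(samples[i], &p);

        printf("input=\"%s\" lenient=%u strict=%s\n", samples[i],
               (unsigned)parse_port_lenient(samples[i]),
               rc == 0 ? "accepted" : "rejected (bad or out-of-range port)");
    }
    return 0;
}
```

The same strict check is useful when reviewing logs or command lines: any port argument above 65535 should be normalized modulo 65536 before it is compared against an allow or deny list.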
