[Coco] Re: The online Telenet CoCo BBS now has a domain name!

Theodore A. Evans alxevans at concentric.net
Sat Nov 29 13:10:00 EST 2003


On 11/29/03, Gene Heskett wrote:

> 1. the comm method really shouldn't be telnet as it leaves the host 
> system open to the quick and dirty installation of rootkits and such.
> It's simply not secure.  Take a good look at ssh, aka secure shell, 
> which is much more secure, establishing the comm channel in an 
> encrypted format before it asks you for your username and password, 
> so not even those are sent in the clear.  And the 8 character limit 
> on password length leaves it more vulnerable to a dictionary attack 
> than it could be with a longer password.

The problem with telnet as telnet is not the quick and dirty
installation of rootkits, but rather simply that all of the
transactions (including passwords) are sent unencrypted.  You can use
it as an easy route to hack into the accounts (on that machine) of the
users who are connecting through this means, but nothing more.  If the
users who telnet in are not given great power on the system, you don't
really have a serious security hole.

Many Unix systems still ignore letters past the 8th in passwords, and
even if they aren't ignored you run into one of two problems.  Users
like reasonably short passwords (ok, I typically use passwords,
slightly, over 8 characters), or you start to put aggravating
restrictions on passwords which also make it likely that users will
forget them.  This will result in users either writing down passwords,
or resetting passwords.

-- 
URA Pagan Redneck if: you measure wisdom by the length of a beard.
Theodore (Alex) Evans            | alxevans at concentric.net
94-1071 Kepakepa St. Unit #C-1   | http://www.concentric.net/~alxevans
Waipahu, HI 96797                | ICQ 78089262
x                                | (808) 676-0123         2B v ~2B = ?



