Rich Graves wrote:
They did that too. They got recursive whois and finger sweeps dated mid-1993 (we catch people doing whois aaaa*, aaab*, and so on every once in a while), a Usenet-wide sweep dated early 1994, a sweep of local, firewalled su.* newsgroups last December/January 95/96, and an outright theft of the master shadow password file for most stanford.edu accounts (address, real name, and UID only, no group ID or encrypted password) in January 1996.
Why do people tolerate running an "old" finger server on their machines? An old finger server giving anyone the names of all users logged on, dynamic information such as where they are logging in from, etc., is just as bad an invasion of privacy as whowhere.com. It does not take a genius to write a safer replacement for in.fingerd that reports only what users wish to report about themselves. There are many good replacements for the finger daemon floating around, too. I wrote one in Perl; it is about 50 lines long and is free for the asking.

- Igor.
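
A sketch of the kind of opt-in in.fingerd replacement the message describes, added here as an example in Python; it is not Igor's Perl script, which does not appear on this page. The opt-in file name `.finger-public`, the reply cap and the refusal text are assumptions made for the example.

```python
#!/usr/bin/env python3
# Opt-in finger responder, run from inetd as an unprivileged user.
import os
import pwd
import re
import stat
import sys

OPT_IN_FILE = ".finger-public"  # assumed name; a user creates it to opt in
MAX_REPLY = 2048                # cap on bytes returned per query
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
REFUSED = "No information available.\r\n"


def lookup_home(user):
    """Home directory of a local account, or None if there is no such user."""
    try:
        return pwd.getpwnam(user).pw_dir
    except KeyError:
        return None


def answer(query, home_of=lookup_home):
    """Reply to one finger query line; never lists users or login data."""
    q = query.strip()
    if q.startswith("/W"):  # verbose flag adds nothing here
        q = q[2:].strip()
    # Empty query asks for everyone logged on; "@" asks us to forward.
    if not USERNAME_RE.fullmatch(q):
        return REFUSED
    home = home_of(q)
    if home is None:
        return REFUSED  # same answer as "not opted in": no account probing
    try:
        fd = os.open(os.path.join(home, OPT_IN_FILE),
                     os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError:
        return REFUSED
    with os.fdopen(fd, "rb") as fh:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return REFUSED
        text = fh.read(MAX_REPLY).decode("ascii", "replace")
    # Drop control characters so a reply cannot drive the client's terminal.
    clean = "".join(c for c in text if c.isprintable() or c == "\n")
    return clean.replace("\n", "\r\n")


if __name__ == "__main__":
    sys.stdout.write(answer(sys.stdin.readline(512)))
```

The opt-in file has to be readable by the account the responder runs as; users without the file, unknown users, user-list queries and forwarding requests all receive the same refusal.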