Re: www.WhosWhere.com selling access to my employer's passwd file
At 02:12 AM 4/27/96 -0700, Rich Graves wrote:
-----BEGIN PGP SIGNED MESSAGE-----
If you are involved with the affairs of a large organization, I urge you to check www.whoswhere.com to see if they have a bunch of user email addresses that they shouldn't.
They also have some information that is seriously outdated. They have two e-mail addresses for me that are about 2-3 years out of date. (I wonder how some of this information was collected. One was from my Fidonet point address of years back. Not something accessible from finger.)
Of course there is little that one can do about this kind of invasion of privacy. But they don't have to be so fucking blatant and stupid about it. They have the email addresses of DAEMONS from our password files in their database.
I wonder if those addresses are from a "finger @sitename.org" hack. It becomes worrisome when the methods of hackers intersect with those of database compilers.
There is no need for mailbombing, or anything like that. Our lawyers are simply going to nuke them from orbit. Please check them out before they go offline, so that you will have a shot at whatever is left.
Keep us informed as to the fireworks. It will be fun to watch.
---
| Remember: Life is not always champagne. Sometimes it is REAL pain.           |
|"The moral PGP Diffie taught Zimmermann unites all | Disclaimer:              |
| mankind free in one-key-steganography-privacy!"   | Ignore the man           |
|`finger -l alano@teleport.com` for PGP 2.6.2 key   | behind the keyboard.     |
| http://www.teleport.com/~alano/                   | alano@teleport.com       |
On Sat, 27 Apr 1996, Alan Olsen wrote:
Of course there is little that one can do about this kind of invasion of privacy. But they don't have to be so fucking blatant and stupid about it. They have the email addresses of DAEMONS from our password files in their database.
I wonder if those addresses are from a "finger @sitename.org" hack. It becomes worrisome when the methods of hackers intersect with those of database compilers.
They did that too. They got recursive whois and finger sweeps dated mid-1993 (we catch people doing whois aaaa*, aaab*, and so on every once in a while), a Usenet-wide sweep dated early 1994, a sweep of local, firewalled su.* newsgroups last December/January 95/96, and an outright theft of the master shadow password file for most stanford.edu accounts (address, real name, and UID only, no group ID or encrypted password) in January 1996. I'm sure they bought the first two from some other source. As much as I'm tempted to call these jokers at home early tomorrow morning, I know that a slow roasting by lawyers and the newsmedia is likely to be more effective. -rich
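The recursive whois sweep Rich describes catching (wildcard queries for aaaa*, aaab*, and so on) is easy to spot in a query log. The following is an added detection example, not code from Stanford or from anyone in this thread: the log format (`date time client query`) and the sample lines are constructed for the example, and the function name and threshold are its own assumptions. A client is flagged when it issues several short-prefix wildcard queries whose prefixes arrive in ascending order, which is the signature of someone walking the namespace.

```python
import re
from collections import defaultdict

# Constructed sample of a whois server's query log. The format is an
# assumption for this example; real servers log differently.
SAMPLE_LOG = """\
1993-06-12 02:14:05 198.51.100.7 aaaa*
1993-06-12 02:14:06 198.51.100.7 aaab*
1993-06-12 02:14:07 198.51.100.7 aaac*
1993-06-12 02:14:08 198.51.100.7 aaad*
1993-06-12 02:14:09 198.51.100.7 aaae*
1993-06-12 02:15:30 203.0.113.9 graves
1993-06-12 02:16:02 203.0.113.9 rich*
1993-06-12 02:16:44 192.0.2.44 olsen
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (.+)$")
# A wildcard query with a literal prefix of at most four characters: the
# kind of pattern that matches large slices of a user database.
WILDCARD_RE = re.compile(r"^([A-Za-z0-9]{1,4})\*$")


def find_wildcard_sweeps(log_text: str, min_queries: int = 4) -> dict:
    """Return {client: [prefixes]} for clients that look like they are
    walking the namespace: at least min_queries short-prefix wildcard
    queries, with the prefixes in ascending order."""
    prefixes = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # unparseable line: ignore
        _timestamp, client, query = m.groups()
        w = WILDCARD_RE.match(query.strip())
        if w:
            prefixes[client].append(w.group(1).lower())
    sweeps = {}
    for client, ps in prefixes.items():
        if len(ps) >= min_queries and ps == sorted(ps):
            sweeps[client] = ps
    return sweeps


if __name__ == "__main__":
    for client, ps in find_wildcard_sweeps(SAMPLE_LOG).items():
        print(f"{client}: {len(ps)} wildcard queries, {ps[0]}* .. {ps[-1]}*")
```

A single `rich*` from another client is not enough to trigger the rule; the threshold and the ordering check are what separate a curious user from a harvester, and both should be tuned to the server's normal traffic.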
Rich Graves wrote:
They did that too. They got recursive whois and finger sweeps dated mid-1993 (we catch people doing whois aaaa*, aaab*, and so on every once in a while), a Usenet-wide sweep dated early 1994, a sweep of local, firewalled su.* newsgroups last December/January 95/96, and an outright theft of the master shadow password file for most stanford.edu accounts (address, real name, and UID only, no group ID or encrypted password) in January 1996.
Why do people tolerate running an "old" finger server on their machines? An old finger server that gives anyone the names of all users logged on, dynamic information such as where they are logging in from, etc., is just as bad an invasion of privacy as whowhere.com. It does not take a genius to write a safer replacement for in.fingerd that reports only what users wish to report about themselves. There are many good replacements for the finger daemon floating around, too. I wrote one in Perl; it is about 50 lines long and is free for the asking. - Igor.
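The kind of in.fingerd replacement Igor describes, as an added example that is neither Igor's Perl daemon nor any code from this thread. It answers RFC 1288 queries but serves only a per-user opt-in plan file and nothing from the password file or the login records. It assumes plan files live in a directory passed as `plan_dir` (a stand-in for reading `~user/.plan` after dropping privileges), and the fixture with plans for `alice` and `carol` is constructed; the function, message and file names are the example's own.

```python
import os
import re
import socketserver
import tempfile

# Login names only: no '/', '.' or '@', so a query can never name a path
# outside plan_dir or be forwarded to another host.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
MAX_PLAN_BYTES = 4096

# Policy refusals (user listing, forwarding, malformed names) get one message.
# "No such user" and "user has no plan" get the same second message, so the
# server cannot be used to enumerate which accounts exist.
REFUSED = b"Only 'finger user@thishost' queries are answered.\r\n"
DENIED = b"No information available for that user.\r\n"


def handle_finger_query(raw: bytes, plan_dir: str) -> bytes:
    """Answer one RFC 1288 request line ('[/W] [user][@host]\\r\\n')."""
    line = raw.decode("ascii", errors="replace").strip()
    if line.upper().startswith("/W"):      # verbose flag: there is no long form
        line = line[2:].strip()
    if not line:                           # empty query == 'finger @host' listing
        return REFUSED
    if "@" in line:                        # 'user@other.host' forwarding
        return REFUSED
    if not USERNAME_RE.match(line):        # '../etc/passwd' and friends
        return REFUSED
    try:
        with open(os.path.join(plan_dir, line), "rb") as f:
            plan = f.read(MAX_PLAN_BYTES)
    except OSError:
        return DENIED                      # unknown user or no plan: same answer
    # The plan is user-controlled text: relay only printable ASCII plus tab
    # and newline so it cannot carry terminal escapes to whoever ran finger.
    plan = bytes(b for b in plan if 32 <= b < 127 or b in b"\t\n")
    plan = plan.replace(b"\n", b"\r\n")
    if not plan.endswith(b"\r\n"):
        plan += b"\r\n"
    return b"Plan for " + line.encode("ascii") + b":\r\n" + plan


class FingerHandler(socketserver.StreamRequestHandler):
    def handle(self):
        raw = self.rfile.readline(512)     # cap the request line length
        self.wfile.write(handle_finger_query(raw, self.server.plan_dir))


def serve(plan_dir: str, host: str = "0.0.0.0", port: int = 79) -> None:
    """Run the daemon. Binding port 79 needs root; drop privileges after."""
    with socketserver.TCPServer((host, port), FingerHandler) as srv:
        srv.plan_dir = plan_dir
        srv.serve_forever()


def build_sample_plan_dir() -> str:
    """Constructed fixture: opt-in plan files (stand-in for ~user/.plan)."""
    d = tempfile.mkdtemp(prefix="fingerd-plans-")
    with open(os.path.join(d, "alice"), "wb") as f:
        f.write(b"Out at a conference until Monday.\nMail me instead.\n")
    with open(os.path.join(d, "carol"), "wb") as f:
        f.write(b"hi\x1b[2J\x07there\n")   # escapes that must not be relayed
    return d                                # 'bob' has an account but no plan


SAMPLE_QUERIES = [b"\r\n", b"/W\r\n", b"alice\r\n", b"/W alice\r\n",
                  b"alice@stanford.edu\r\n", b"../etc/passwd\r\n",
                  b"nosuchuser\r\n", b"bob\r\n", b"carol\r\n"]


def demo() -> dict:
    """Map each sample query to the daemon's reply, without opening a socket."""
    d = build_sample_plan_dir()
    return {q.decode(): handle_finger_query(q, d) for q in SAMPLE_QUERIES}


if __name__ == "__main__":
    for q, reply in demo().items():
        print(repr(q), "->", reply.decode(errors="replace").rstrip())
```

Compare the replies for `nosuchuser` and `bob`: they are identical, which is the point. The old in.fingerd distinguished real accounts from fake ones and listed everyone logged in; this one tells a remote client only what a user chose to write down, and `serve()` is left for the reader to run with a real plan directory.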
participants (3)
- Alan Olsen
- ichudov@algebra.com
- Rich Graves