Re: Moving telnet/telnetd from base to pkgsrc

To: Taylor R Campbell <campbell+netbsd-tech-userlevel%mumble.net@localhost>
Subject: Re: Moving telnet/telnetd from base to pkgsrc
From: Hisashi T Fujinaka <htodd%twofifty.com@localhost>
Date: Sat, 15 Dec 2018 19:46:46 -0800 (PST)

On Sat, 15 Dec 2018, Taylor R Campbell wrote:

Date: Sat, 15 Dec 2018 22:38:10 +0100
From: Anders Magnusson <ragge%ludd.ltu.se@localhost>

I'm pretty sure that all users of telnet know what the implications
are.  If they don't then it doesn't matter whether it is in base or not.


One of the implications at the moment is that anyone on the internet
between you and the remote host can crash your telnet client[*] with
no user interaction beyond making a connection.

This is _not_ the traditional and by now well-understood security
problem of telnet that it has no secrecy or authentication.  And
cursory examination of the telnet code -- together with its origins in
an era when the internet was a safe place -- does the opposite of
inspiring confidence that this hole is isolated.

Given that a large fraction of respondents (though not all) indicated
that their primary use of telnet is to test reachability of a server
or manually enter SMTP or HTTP requests over the internet -- a use
which is adequately served by the much smaller and much more
confidence-inspiring usr.bin/nc -- I think this _does_ constitute a
serious danger that warrants the scrutiny it is getting.


[*] Whether it can lead to arbitrary code execution, I don't know, and
   I'm not interested in studying further to find out; it doesn't
   take much to get arbitrary code execution, like a single null byte
   heap buffer overflow:
   https://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html


How do you want me to access my local appliances (and keep in mind more
and more things are "new" by calling them IoT)? Python? I hate python,
and I'm really not sure how that's better than Perl, except that most of
the things people want me to do on Python doesn't work because of
whaterver the Python packaging dependency hell is.

And I wish people would quit bringing Firefox into this. It takes me the
better part of a week to build Firefox, when it does build, because of
that rust nonsense.

--
Hisashi T Fujinaka - htodd%twofifty.com@localhost
BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee

References:
- Re: Moving telnet/telnetd from base to pkgsrc
  - From: Taylor R Campbell

Prev by Date: Re: Moving telnet/telnetd from base to pkgsrc
Next by Date: Re: Moving telnet/telnetd from base to pkgsrc
Previous by Thread: Re: Moving telnet/telnetd from base to pkgsrc
Next by Thread: Re: Moving telnet/telnetd from base to pkgsrc
Indexes:

Home | Main Index | Thread Index | Old Index