OFF: very, spam question,was:OFF: RIP UWP lyrics archive

Paul Mather paul at CSGRAD.CS.VT.EDU
Thu Jan 9 23:07:45 EST 1997


On Thu, 9 Jan 1997, Ken Alexander wrote:

> There's a non-java way to get the login of someone using any web browser
> under the following circumstances:
>    - the browser client is running on a unix machine that runs 'identd',
>      a program whose sole function is to answer network queries of the
>      form "what user is connected to tcp port NNN?"
> and
>    - the web server is configured to attempt to connect to the identd
>      port of the client host on each call, and log the info.
>      Even NCSA httpd can be told to do this.

(Mind you, like reverse DNS lookups, identd queries are a big performance
penalty, and so a good candidate for being turned off.)

Indeed, and the web server even conveniently passes in this information to
CGI scripts in the form of a nice environment variable.  A generic
feedback script I once wrote logged this information, or "(Unknown)" if it
was not passed in (i.e. no identd on client machine).  I think I only ever
saw one instance where "(Unknown)" was *not* logged in the entire time I
used that script.  I think most sites disable identd.  I know I turned it
off on my Linux box, because it seemed to slow things down with no benefit
to me (I have only a 2400 baud PPP line:), even though it was enabled by
default.

To reply to another post, the point I was making about SecurityManager is
that it is not so much Java that is eeeeevil, but the way its classes are
implemented---in particular the security policy that SecurityManager
implements---that causes the potential headaches.  Btw, the attack the
poster mentioned depends upon whether SecurityManager allows connections
to arbitrary off-site port numbers (and, of course, whether the client's
machine runs identd).

> However, I did get spammed, in a way, due to this once.  I fingered someone
> at a remote machine, and I immediately received an email advertisement from
> the internet provider that I was fingering at, because they had used identd
> to figure out who was doing the finger.  I returned the email with a
> response that was metaphorically a finger of a different sort...

obSpamecdote: The most ironic spam e-mail I ever received was one that
came out of the blue asking me if I wanted to rent web space on some
commercial ISP so I could host "real" WWW pages under my complete control.
I wrote back, asking where they'd obtained my name, and respectfully
declined their offer on the grounds that I am a WWW *admin* for at least
two machines (including the CS graduate student machine WWW server), and
so was well-able to host my own pages, thank you.  My reward?  The next
day, I got the same basic spam back again!  How dense are these people!?!
(Upon further investigation, apparently this provider rewarded the signup
of new victims with bonus hours/space on their system.)

Cheers,

Paul.

obCD: Gong, _Gong Est Mort_

e-mail: paul at csgrad.cs.vt.edu                    A stranger in a strange land.
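
The identd lookup discussed in this message, seen from the logging side, as an added example that is not part of the original post or anyone's actual script: it builds the RFC 1413 query a server would send, parses the reply, and falls back to "(Unknown)" as the feedback script did. Function names, the 64-character cap and the sample replies are assumptions constructed for illustration; the value is treated as untrusted because the remote identd can return any string it likes.

```python
import re

UNKNOWN = "(Unknown)"  # same fallback string the post's feedback script logged


def build_query(port_on_identd_host: int, port_on_asking_host: int) -> bytes:
    """RFC 1413 query: '<port on identd host> , <port on asking host>' + CRLF."""
    for p in (port_on_identd_host, port_on_asking_host):
        if not 1 <= p <= 65535:
            raise ValueError(f"bad port: {p}")
    return f"{port_on_identd_host} , {port_on_asking_host}\r\n".encode("ascii")


def parse_reply(line: bytes, want_ports: tuple) -> str:
    """Return a log-safe user id from a USERID reply, else UNKNOWN."""
    text = line.decode("latin-1").rstrip("\r\n")
    parts = text.split(":", 3)  # the user id itself may contain ':'
    if len(parts) != 4:
        return UNKNOWN  # ERROR replies have only 3 fields; so do truncated ones
    ports, kind, _opsys, user = parts
    try:
        got = tuple(int(p) for p in ports.split(","))
    except ValueError:
        return UNKNOWN
    # The reply must echo the port pair we asked about and be a USERID answer.
    if got != tuple(want_ports) or kind.strip().upper() != "USERID":
        return UNKNOWN
    # Keep printable, non-space ASCII only so the value cannot forge log
    # lines or carry terminal escape sequences; cap the length (assumed 64).
    user = re.sub(r"[^\x21-\x7e]", "?", user.strip())[:64]
    return user or UNKNOWN


if __name__ == "__main__":
    # Constructed sample replies, not captured traffic.
    samples = [
        b"6193, 80 : USERID : UNIX : alice\r\n",
        b"6193, 80 : ERROR : NO-USER\r\n",
        b"6193, 80 : USERID : OTHER : bob\x1b[2J x\r\n",
    ]
    print(build_query(6193, 80))
    for s in samples:
        print(parse_reply(s, (6193, 80)))
```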


