[Coco] The online Telenet CoCo BBS now has a domain name!

John E. Malmberg wb8tyw at qsl.net
Sat Nov 29 10:32:00 EST 2003


Gene Heskett wrote:
> Two comments after I logged in and looked around.
> 
> 1. the comm method really shouldn't be telnet as it leaves the host 
> system open to the quick and dirty installation of rootkits and such.
> Its simply not secure.

There are some platforms were this is not a problem.

> Take a good look at ssh, aka secure shell, 
> which is much more secure, establishing the comm channel in an 
> encrypted format before it asks you for your username and password, 
> so not even those are sent in the clear.  And the 8 character limit 
> on password length leaves it more vulnerable to a dictionary attack 
> than it could be with a longer password.

Dictionary attacts do not work when the host decides that after the n'th 
password attempt all passwords will be refused, even if they guess 
right.  Based on standard timeouts, for even a 6 character password, it 
can take years to get a match.

But with the BBS, the passwords are not managed by the OS, it is managed 
by the BBS software.  As long the NT telnet connection is locked into 
the BBS, it should not be a high risk.

> 2. If you are going to use yellow text, please put it over a black 
> background, yellow over white is very difficult to read.  This was 
> using the std telnet that comes with linux, the first time I actually 
> used it as I use ssh even when logging into my firewall 5 feet away.
> I don't run any telnetd services here, and I don't know anyone who 
> does.  Shutting it off is part of the std system security.

If my ISP permitted it, I would allow telnet access to my system here. 
There is no threat to my system security by doing that.

I have never started up the ssh telnet client on my system, I would have 
to see how to do that.

I would be surprised if the telnetd on Windows NT suppored ssh anyway.

-John
wb8tyw at qsl.net
Personal Opinion Only




More information about the Coco mailing list