who's fingering me

Raymond Nijssen rcbarn at rwa.urc.tue.nl
Wed Jun 19 17:27:50 AEST 1991


gary at sci34hub.sci.com (Gary Heston) writes:
>In article <rcbarn.676630997 at rwa.urc.tue.nl> rcbarn at urc.tue.nl writes:
>=sean at ms.uky.edu (Sean Casey) writes:
>=>
>=>The answer is: it can't. The IP protocols do not transmit userid
>=>information, and neither does the finger protocol. [...]
>=As a very simple but useful workaround in this case, you can use a 
>=fingerd that immediately fingers back to the host it receives a request 
>=from, thus revealing potential userid of people who are fingering your
>=system. [...]

>...and when a user on a machine implementing this fingers someone on
>another machine implementing it, the second machine fingers the first
>to see who it is, causing the first machine to finger the second again,
>causing the second to finger the first again, etc., etc., etc.

It seems that my previous posting could easily be misunderstood; I did
not at all mean to suggest that these very simple workarounds were
capable of solving all shortcomings of the IP protocols; they merely
exchange one disadvantage for another.

>Sounds like positive feedback, to me. 

Well, don't be so negative before you've had a look at it; I don't know
exactly how smart these tools are, but I can very well imagine that
some kind of very trivial check to avoid unnecessary backfingers is 
built in.

>It would be better to change finger to provide the requesting uid, 
>and fingerd to reject requests that don't provide it.

The problem is not just fingerd; in general, all IP stuff suffers from
some kind of this problem. As for me, I can't think of any good reason
why IP protocols don't transmit UID info, but I guess we'll have to
live with it.

>Gary Heston   System Mismanager and technoflunky   uunet!sci34hub!gary or

-Raymond
-- 
| Raymond X.T. Nijssen  | Eindhoven Univ. of Technology                       |
| raymond at es.ele.tue.nl | EH 7.13, PO 513, 5600 MB Eindhoven, The Netherlands |
| "Don't put that on the wall in a tax-payer supported museum!"  Pat Buchanan |
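
The feedback loop discussed in this thread, and one possible "trivial check" against it, as an added simulation that is not code from any poster or from a real fingerd. The host names, user lists and the `pending` set are assumptions made for illustration: each daemon skips the back-finger when a request arrives from a peer it is itself back-fingering at that moment.

```python
class LoopDetected(Exception):
    """Raised when the simulated network exceeds its request budget."""

class Net:
    def __init__(self, limit=20):
        self.hosts, self.requests, self.limit = {}, 0, limit

class Host:
    def __init__(self, name, users, net, guard):
        self.name, self.users, self.net, self.guard = name, users, net, guard
        self.pending = set()   # peers this daemon is back-fingering right now
        self.log = []          # (peer, users the peer reported) per back-finger
        net.hosts[name] = self

    def fingerd(self, peer):
        """Serve one inbound finger request that arrived from `peer`."""
        self.net.requests += 1
        if self.net.requests > self.net.limit:
            raise LoopDetected(f"{self.net.requests} requests and still going")
        # Hypothetical guard: a request from a peer we are already querying
        # is most likely that peer's own back-finger, so do not answer it
        # with yet another back-finger.
        if not (self.guard and peer in self.pending):
            self.pending.add(peer)
            try:
                # The reply lists everyone logged in on the peer: candidate
                # userids only, since the protocol never names the requester.
                reply = self.net.hosts[peer].fingerd(self.name)
                self.log.append((peer, reply))
            finally:
                self.pending.discard(peer)
        return list(self.users)

def simulate(guard):
    """A user on hostA fingers hostB; both hosts run a back-fingering fingerd."""
    net = Net()
    Host("hostA", ["alice"], net, guard)          # constructed sample hosts
    host_b = Host("hostB", ["bob"], net, guard)
    try:
        host_b.fingerd("hostA")
        looped = False
    except LoopDetected:
        looped = True
    return net.requests, looped, host_b.log

if __name__ == "__main__":
    print("unguarded:", simulate(guard=False))
    print("guarded:  ", simulate(guard=True))
```

With the guard the exchange settles after three requests; without it the two daemons keep querying each other until the simulated request budget runs out.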


