Security Incidents mailing list archives

Re: @home: Is *anyone* really home there???


From: little () HKS COM (Jim Littlefield)
Date: Wed, 23 Feb 2000 13:01:08 -0500


On Wed, Feb 23, 2000 at 12:43:11PM -0500, Philip R. Moyer wrote:

This is a very interesting observation.  Several months ago, when @home
service became available in our area, I looked into getting service from
them.  I am an information security consultant, so in the course of my
various engagements I need to connect to remote machines using
"nonstandard services" (like SSH oooh, aaah), sometimes portscanning
them, and sometimes conducting full-blown penetration tests.

Hmmm, I guess I'm in trouble with @Home as I use SSH all the time, not to
mention, nmap and other port scan tools to test my work network. I even
run my own mail server for outgoing mail (got tired of too many important
messages being "lost" by the @Home servers).

[snip]

Well, that's part of what I do for a living, with the full understanding
and consent of the target system owners.

Same here.

I find it interesting and discouraging that @home apparently feels free
to harbor hackers and other criminals, but will not offer services to
security professionals.  I guess we just have to mark them down as "bad
guys" until they learn to play nice on the Net.

Agreed. Next time you talk to the @Home security department, ask them why
they permitted a dictionary attack on their mail servers. @Home is great if
all you want is a fast connection. "Features" like reliable servers and
intelligent security and abuse departments are apparently not included :(

--
Jim Littlefield           "One time I went to a museum where all the
                           work in the museum had been done by
                           children. They had all the paintings up
                           on refrigerators." - Steven Wright



Current thread: