Re: INTERIM DECISION: ACCEPT 5 SA category candidates (Final 9/28)

[Gene Spafford <spaf@cs.purdue.edu>]

I haven't been voting on candidates, but I want to respond to these 
for the active voters to consider.

Exposures to finger, rusers, etc fall into the exposures category 
because they aren't really vulnerabilities.   In fact, I would argue 
that they aren't even exposures given the description.   To be a 
problem the following needs to be true:

1) The service needs to be accessible to a malfeasor (externally or internally)
2) The service needs to respond to requests from the malfeasor with 
correct, useful information.
3) The system the service is running on must have some other 
vulnerability that can be exploited.
4) The system needs to be accessible so that vulnerability can be exploited.

So, that "finger" is running on my machine is not a problem if a 
firewall and/or tcpwrappers are in place and prevent anyone from 
offsite from accessing it.   Likewise, if there are no 
vulnerabilities on my machine, I'm not exposing anything.

And I won't even mention the policy problem again. :-)


I run a version of finger on my machine.  It returns information that 
may or may not be accurate.   It may not respond to requests from 
some hosts and domains.   My machine is otherwise pretty tightly 
configured, so people knowing that there is a user 'spaf' on my 
machine isn't a problem (as if they couldn't guess that otherwise). 
I am basically the only user on my machine.    So, is "finger" still 
an exposure because it is running?

I think not.

--spaf