| ▲ | RupertSalt 2 hours ago | |||||||
Well this is weird. You talk about me, my, mine, my network, my computer. But you're promoting a "distro". That means you're distributing software. It's not yours anymore. Attackers on a network will use techniques to "pivot". Once a "foothold" is established then they scan for other places to attack. They will indeed get inside "your" computer, or router, and then compromise your telnetd. It comes back to the liberty of swinging your arms vs. the proximity to my nose. If your distro is connected to a network, then you're responsible and accountable for security issues that result. There are thousands of distro kiddies sending out their favorite flavor of Linux, but how many audited it like Theo de Raadt? You don't seem to understand the CVE under discussion. It doesn't even affect telnet(1). Practically nobody runs telnetd(8) anymore since the introduction of encryption, ssh, and the like. MUD players use MUD clients. Network admins use nc(1). The reason "telnet" was deprecated is: it's just not really useful anymore without its complementary service. telnet(1) isn't inherently dangerous, it's just superfluous, and distros pretty much evaluated that it wasn't worth hanging on to. As for "traceroute", I'm not sure it's "useless or dangerous", but it can be misleading and definitely superfluous. It is widely misinterpreted by novices trying to prove something about their WAN connectivity. It misrepresents network topology and doesn't work real good with modern equipment or protocols. It was a judicious decision to bundle it with network debugging tools, because not everyone needs to debug networks. Especially the ones who believe that they can. I would say that any network debugging tool available is also useful to your attackers with a foothold. A "living off the land" attack will leverage your telnet client, will run traceroutes on your network, and they will use all the software cruft that you didn't uninstall! I am pretty sure there are distros that simply don't come with development environments, C compilers, or various interpreters anymore, and it is for this reason: they are not inherently insecure or vulnerable, but "living off the land" will weaponize them every time. However, I must concede that your temperament and tone is well-suited to being a distro administrator. You remind me of Linus Torvalds vs. Andrew Tanenbaum, or Theo de Raadt vs. FreeBSD. Perhaps Scott Adams vs. the world. Carry on, good sir. | ||||||||
| ▲ | its_magic an hour ago | parent [-] | |||||||
> You talk about me, my, mine, my network, my computer. But you're promoting a "distro". That means you're distributing software. It's not yours anymore. It's OURS. It was never YOURS. Get it? > Attackers on a network will use techniques to "pivot". Once a "foothold" is established then they scan for other places to attack. They will indeed get inside "your" computer, or router, and then compromise your telnetd. Oh no! Someone is going to hack into my LAN! I guess I'd better keep the shotgun loaded. Are you aware that your entire computer is backdoored, starting at the CPU level on up? It's like you don't realize this. Your 'security' = gaping asshole, same as everyone else these days. And you're worried about telnet? > It comes back to the liberty of swinging your arms vs. the proximity to my nose. If your distro is connected to a network, then you're responsible and accountable for security issues that result. Fascinating new legal/morality theory you've concocted. No, I am in fact not responsible for some noob running a telnetd on the open internet then getting hacked. Craziness. Wait a second. Are you also the type of person who is susceptible to the bullshit belief that, because I never got the, quote-unquote ''covid vaccine'' (nor the flu vaccine, nor any other), that I'm somehow a threat to you? Are you one of those people too? > You don't seem to understand the CVE under discussion. You don't seem to understand much of anything. > The reason "telnet" was deprecated is I've just explained to you that it hasn't been 'deprecated' at all ON MY SYSTEM. What you choose to do is irrelevant. > As for "traceroute", I'm not sure it's "useless or dangerous", but it can be misleading and definitely superfluous. It is widely misinterpreted by novices trying to prove something about their WAN connectivity. And here we come to the epicenter of your problematic thinking: I am not a novice. I'm a power user. Get it? I've been doing this shit for decades. I'm sick to death of my entire life being ruled and dictated by the 'needs' of morons. You can keep your Play-Skool OS and padded walls, thanks. Really, your entire philosophy is so full of logical contradictions. You're scared to death of telnet/traceroute, but you're cool with having this giant package ecosystem where you are constantly streaming Other People's Binaries to your system, and you think that is safe, and would never be hacked or used against you. Clueless. Go argue with a brick wall; you'll get further. I know what I'm doing. | ||||||||
| ||||||||