[techtalk] Almost arrested for using telnet

[Telsa Gwynne]

On Wed, Apr 11, 2001 at 02:36:02PM +1000 or thereabouts, Mary Gardiner wrote:
> On Wed, Apr 11, 2001 at 11:14:34AM +1000, jenn at simegen.com wrote:
> > Tami Friedman wrote:
> > >  	  For now, I am curious if anyone
> > >         can give me a good reason why a sysadmin would not allow telnet to
> > >         be used (when the m$ equivalent of a daemon) is not disabled?
> > 
> > Well, an unrelated reason is that SSH is far, FAR more secure.
> > It doesn't plaintext-send stuff like passwords.
> > 
> > But that's not related to this particular problem. Hrm.
> 
> It seems more likely to be a knee-jerk response.

I agree. 
> 
> When I was at school, one of the 'Internet Rules' was:
> 
> * No downloading.

I still see "conditions of use" on websites (am I the only one who
routinely peeks at these on any site that has them?) which involve
being allowed to browse so long as you don't download or copy any
of the content. I am not emptying my cache just for that! But that's
a similar example of a very broad rule doubtless made after a prior
incident that panicked people which bans stuff that can be quite
harmless. 

> Use of things like telnet, or anything that isn't the web, is regarded as
> generally suspicious by people who staff things like library terminals.
> 
> They tend to think you've hacked their computer, or are in the process of
> hacking someone elses. This particular guy recognised the program - you 
> might get even worse responses from someone who doesn't.
> 
> Actually, that's one reason they might object to telnet. They really 
> wouldn't want someone to be using their terminals to gain unauthorised 
> access to other people's machines.

Yes. Library staff have a tough job in this regard. I know someone who
is the IT guy at a US library. He is very clued-up. But some of the 
stories he comes out with are scary. I'll see if he minds my repeating
them before spreading them about. :) 

At the university library here, I had a friend who would reboot the
machines to boot off a floppy he carried with him, which gave him a
minimal Linux system. Very clever, but of course, how is he to know
if he picks the one machine with dodgy hardware or something else, and
rebooting to Windows fails and leaves the (hard-pressed: you had to
book terminals for an hour in advance) room with one fewer working
machine? There's also the "can you guarantee this floppy has no
virus if you routinely stick it into public-access machines?" issue.

It's entirely possible to have one person who covers four libraries
for the IT stuff, and for the staff then to be stuck until that 
person arrives to fix it. They also have to deal with people who
-think- they know what they're doing but don't. I remember turning
up to use one of the CDs which contain abstracts of the past five
years' nursing and medical articles. "Oh no," they said. "Sorry. 
You can't. The last person to use them took them out of the caddy
and tried to force them into the slot. We have to wait for the 
monthly update now."

On the "people who think they know what they're doing" issue, here's
a story that made my sysadmin groan when I told him:

Watching someone in a terminal room. Stuck in floppy. Started machine.
It went through virus-check. "Beep! This has a virus!" "Oh no!" cried
the student. "A virus on the computer!" He whipped his floppy out...

...and stuck it in the next PC along the line. 

As a practical suggestion for the future, there is a way to have a
java client sitting on a machine which gives you a terminal prompt.
You can set it up, then browse from another machine, point the
browser at the java client, acquire a terminal window (using ssh),
and it's all done in a browser, without the need for a floppy. If
they ask, you can demonstrate it's "part of the website, look!"

I don't use Java, so I don't remember the name of this, of course,
but I am assured it can be done. I bet someone here knows what it is :) 

Telsa