Does anyone's VT100 emulator support the answerback function these days?
Terminal on OS X doesn't seem to. I think I remember in the dark ages there were some that let you set the answerback message remotely, but I suspect people figured out that was a bad idea.
Ah, but who among us didn't embed a CTRL-E in our "you are about to be idle killed" messages and set our answerback messages to "".
Fortunately he put the only correct response to this nonsense right in there - saves me some typing. Quote from the varnish team:
This is not a security problem in Varnish or any other piece of software
which writes a logfile.
The real problem is the mistaken belief that you can cat(1) a random
logfile to your terminal safely.
This is not a new issue. I first remember the issue with xterm(1)'s
inadvisably implemented escape-sequences in a root-context, brought up
heatedly, in 1988, possibly late 1987, at Copenhagens University
Computer Science dept. (Diku.dk). Since then, nothing much have changed.
The wisdom of terminal-response-escapes in general have been questioned
at regular intervals, but still none of the major terminal emulation
programs have seen fit to discard these sequences, probably in a
misguided attempt at compatibility with no longer used 1970'es
technology.
I admit that listing "found a security hole in all HTTP-related programs
that write logfiles" will look more impressive on a resume, but I think
it is misguided and a sign of trophy-hunting having overtaken common
sense.
Instead of blaming any and all programs which writes logfiles, it would
be much more productive, from a security point of view, to get the
terminal emulation programs to stop doing stupid things, and thus fix
this and other security problems once and for all.
3 comments
[ 4.1 ms ] story [ 24.1 ms ] threadThis is not a terribly serious bug...
Terminal on OS X doesn't seem to. I think I remember in the dark ages there were some that let you set the answerback message remotely, but I suspect people figured out that was a bad idea.
Ah, but who among us didn't embed a CTRL-E in our "you are about to be idle killed" messages and set our answerback messages to "".
This is not a security problem in Varnish or any other piece of software which writes a logfile.
The real problem is the mistaken belief that you can cat(1) a random logfile to your terminal safely.
This is not a new issue. I first remember the issue with xterm(1)'s inadvisably implemented escape-sequences in a root-context, brought up heatedly, in 1988, possibly late 1987, at Copenhagens University Computer Science dept. (Diku.dk). Since then, nothing much have changed.
The wisdom of terminal-response-escapes in general have been questioned at regular intervals, but still none of the major terminal emulation programs have seen fit to discard these sequences, probably in a misguided attempt at compatibility with no longer used 1970'es technology.
I admit that listing "found a security hole in all HTTP-related programs that write logfiles" will look more impressive on a resume, but I think it is misguided and a sign of trophy-hunting having overtaken common sense.
Instead of blaming any and all programs which writes logfiles, it would be much more productive, from a security point of view, to get the terminal emulation programs to stop doing stupid things, and thus fix this and other security problems once and for all.