Carolyn P. Meinel Hall of Shame
Hacking Guide Errata

> Vol. 1 Number 6

> It's vigilante phun day one more time! How to nuke offensive Web sites.

And this is supposed to be mostly harmless?

> busy and may be enough to put the computer out of action. If several people
> do this simultaneously, the target host will almost certainly be unable to
> maintain its network connection. So -- *now* do you want to install Linux?

No. You should install linux because you want a powerful 32 bit operating
system that is fully multitasking and multithreaded. You should not install
an OS because you want to maliciously take down a site on the net. Besides,
installing linux doesn't get you connected to the net automatically.

Consistency alert: Once again, first you say Windows 95, then you say Linux.

> The fact that runs a finger service is interesting. Since finger
> is one of the best ways to crack into a system, we can conclude that either:

One of the best ways to crack into a system?! Read previous replies.

> 1) The sysadmin is not very security-conscious, or

Finger is just about the most minor security concern there is. The admin
of my ISP allows finger, and is quite security conscious. He doesn't
have the luxury of disabling most of the ports, so you can use
finger on his server. 

> Since we have seen evidence of a fire wall, case 2 is probably true.

What evidence?! You just showed that you connected and received an
ascii banner. That is NOT a sign of a firewall. The fact that many
firewalls are passive will make determination of a firewall's
existance somewhat difficult. 

> "I have been paying close attention to all of the "happy hacker" things that
> you have posted.  When I tried using the port 79 method on, it
> connects and then displays a hand with its middle finger raised and the
> comment "UP YOURS."  When I tried using finger, I get logged on and a
> message is displayed shortly thereafter "In real life???""

At no point were you "logged on" using the finger service. You simply connected,
made a query, and received the output. That does not involve any login or
authentication scheme.

In real life: ??? is a common message displayed if the system doesn't know
who you are asking about (ie: the account doesn't exist).

> And a program with calls to root just might crash and dump you out into root.

"with calls to root". Are you referring to a SUID program? Or a program
running AS root? Finger is NOT SUID, and does NOT need to make calls to
root. This can be referenced in the 'ffingerd' documentation.