Newsgroups: comp.admin.policy, comp.security.misc
Followup-To: comp.admin.policy
From: hoey@zogwarg.etl.army.mil (Dan Hoey)
Date: 5 Feb 93 19:18:52 GMT
Subject: Re: Logging anon. ftp usage

m...@kraken.ucsd.edu (Mark Anderson) writes:
>And I want people to fix their software, so that if I tell it
>my email address is "m...@cs.ucsd.edu", it doesn't throw a fit....

Of course, if it got that address out of a PASS command, there's a nonnegligible chance it's actually the user's real password. People are creatures of habit, and occasionally type the wrong thing, especially if their user agent elicited it by printing ``Password: ''.

This is why I avoid keeping logs of the responses (or fingering them, for that matter). I'm concerned that the logs themselves may constitute a security risk.

If anyone actually has seen real passwords show up in ftp logs, I'd like to hear my suspicions corroborated (by email, unless there's something of really general interest).

Dan Hoey
Hoey@AIC.NRL.Navy.Mil
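
An added example, not part of the original post: one way a server-side log filter could avoid writing mistyped passwords to an anonymous FTP log, by keeping a PASS argument only when the login was anonymous and the value is shaped like an e-mail address. The function name, the address heuristic, and the sample sessions are assumptions made for illustration.

```python
import re

# Conservative "user@host.domain" shape; a heuristic, not RFC 822 parsing.
ADDRESS_SHAPE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
ANONYMOUS_USERS = {"anonymous", "ftp"}  # conventional anonymous login names
REDACTED = "<redacted>"


def sanitize_session(commands):
    """Return loggable copies of one control connection's commands.

    A PASS argument is kept only when the preceding USER was anonymous
    AND the argument is shaped like an e-mail address. Anything else
    (a real account's password, or a habit-typed password sent to an
    anonymous login) is replaced before it can reach the log.
    """
    anonymous = False
    out = []
    for raw in commands:
        line = raw.rstrip("\r\n")
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            anonymous = arg.strip().lower() in ANONYMOUS_USERS
        elif verb == "PASS":
            arg = arg.strip()
            if not (anonymous and ADDRESS_SHAPE.match(arg)):
                arg = REDACTED
            line = f"PASS {arg}"
            anonymous = False  # a PASS only pairs with the USER just before it
        out.append(line)
    return out


# Constructed sample sessions (not taken from any real log).
SAMPLE_OK = ["USER anonymous\r\n", "PASS guest@example.edu\r\n", "RETR README\r\n"]
SAMPLE_SLIP = ["USER ftp\r\n", "PASS hunter2!Tr0ub\r\n"]          # password typed by habit
SAMPLE_REAL = ["USER alice\r\n", "PASS alice@example.edu\r\n"]   # real account: never log

if __name__ == "__main__":
    for session in (SAMPLE_OK, SAMPLE_SLIP, SAMPLE_REAL):
        print(sanitize_session(session))
```

The filter reduces exposure but does not remove it: a password that happens to be address-shaped would still be logged, so the log file itself still needs restrictive permissions.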