From owner-freebsd-security  Sun Mar 21  1:10:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from smtp2.andrew.cmu.edu (SMTP2.ANDREW.CMU.EDU [128.2.10.82])
	by hub.freebsd.org (Postfix) with ESMTP id 7A3C815227
	for <freebsd-security@FreeBSD.ORG>; Sun, 21 Mar 1999 01:10:23 -0800 (PST)
	(envelope-from Harry_M_Leitzell@cmu.edu)
Received: from unix11.andrew.cmu.edu (UNIX11.ANDREW.CMU.EDU [128.2.15.15]) by smtp2.andrew.cmu.edu (8.8.5/8.8.2) with SMTP id EAA13223; Sun, 21 Mar 1999 04:09:56 -0500 (EST)
Date: Sun, 21 Mar 1999 04:09:56 -0500 (EST)
From: "Harry M. Leitzell" <Harry_M_Leitzell@cmu.edu>
X-Sender: Harry_M_Leitzell@unix11.andrew.cmu.edu
Reply-To: "Harry M. Leitzell" <Harry_M_Leitzell@cmu.edu>
To: mike@seidata.com
Cc: Steven Grady <grady@xcf.berkeley.edu>,
	freebsd-security@FreeBSD.ORG
Subject: Re: question about e-bay breakin last week
In-Reply-To: <Pine.BSF.4.05.9903210314200.1682-100000@ns1.seidata.com>
Message-ID: <Pine.SOL.3.96L.990321035623.18091B-100000@unix4.andrew.cmu.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 21 Mar 1999 mike@seidata.com wrote:

> On Sun, 21 Mar 1999, Steven Grady wrote:
> 
> > According to the story, the cracker who got into e-Bay last week got
> > in via FreeBSD.  Does anyone know anything more about this?
> 
> Does anyone else think the story sounds a bit fishy?  The 'hacker'
> mentions little more than well-known 'hacking cliches', and the
> 'proof' that is mentioned (a bogus page placed on one of Ebay's web
> servers) could have just as easily been accomplished by spoofed DNS.
> 
> *shrug*
> 
> Later,
> 
> 					-Mike

	It might be the journalist instead of MagicFX who came up with the
wording.  Most writers will do that to aim for a larger audience than the
technical literate crowd.  I am a bit peeved that it didn't mention the
program he used that had a buffer overflow in it though.
	Spoofed DNS would imply he only rerouted requests to a machine he
already had access to and that Exodus doesn't really keep its name servers
up to date (That is bull because they run an EFnet IRC server and keep
their bind versions bleeding edge for the exact reason of preventing
spoofing).  I am guessing that the student did break in and the journalist
just dumbed down what he said to capture the mainstream audience.

-Harry



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message