[4227] in WWW Security List Archive
Re: Return Receipts and Security
daemon@ATHENA.MIT.EDU (Jack Gostl)
Fri Jan 31 20:53:42 1997
Date: Fri, 31 Jan 1997 18:34:15 -0500 (EST)
From: Jack Gostl <gostl@argoscomp.com>
To: Speedy <vc51680@pegasus.cc.ucf.edu>
Cc: "David W. Morris" <dwm@xpasc.com>, www-security@ns2.rutgers.edu
In-Reply-To: <Pine.SOL.3.93.970131181701.2484E-100000@pegasus>
Errors-To: owner-www-security@ns2.rutgers.edu
On Fri, 31 Jan 1997, Speedy wrote:
> > That Return-Receipt field is pretty mild. It simply says that the local
> > sendmail got the message, not that the user is signed on. I think a
> > bigger problem is the X-style receipt that Pegasus can generate, which
> > goes out when the message is READ. Pegasus allows you to turn it off, but
> > if you don't, it is exactly what you described, a method for checking
> > when a user is logged on.
> >
>
> What would be / are the security risks of a user allowing others to see if
> they are logged on?

As a rule, the less you tell the better. If we are talking a Unix system,
I sometimes scan for processes that I own, or I use the "w" command to
see who else is logged on. If someone had cracked into my account,
they wouldn't want me to know it, so I presume they'd try to avoid times
that I was on.

I'm sure that some imaginative soul on this list will come up with
brighter ideas.... but we are a bit off topic for a list on web security.

Jack Gostl gostl@argoscomp.com