Discussion:
oldusenet project
Tavis Ormandy
2022-12-17 18:18:45 UTC
I thought this might be interesting to some readers here, the olduse.net
project has recently restarted (note: it's not my project, I'm just
a user)

https://olduse.net/#forty

It's an nntp server that replays usenet posts with a 40 year delay. I
quite enjoy following some of the old discussions at the speed they
happened.

Obviously it's read only - it's a usenet server, not a DeLorean :)

Tavis.
--
_o) $ lynx lock.cmpxchg8b.com
/\\ _o) _o) $ finger ***@sdf.org
_\_V _( ) _( ) @taviso
Ahem A Rivet's Shot
2022-12-17 18:39:03 UTC
On 17 Dec 2022 18:18:45 GMT
Post by Tavis Ormandy
I thought this might be interesting to some readers here, the olduse.net
project has recently restarted (note: it's not my project, I'm just
a user)
https://olduse.net/#forty
It's an nntp server that replays usenet posts with a 40 year delay. I
Wow that means it's running just three years after USENET started,
long before I found it. I wonder how complete their copy is.
--
Steve O'Hara-Smith
Odds and Ends at http://www.sohara.org/
songbird
2022-12-17 22:56:41 UTC
Post by Ahem A Rivet's Shot
On 17 Dec 2022 18:18:45 GMT
Post by Tavis Ormandy
I thought this might be interesting to some readers here, the olduse.net
project has recently restarted (note: it's not my project, I'm just
a user)
https://olduse.net/#forty
It's an nntp server that replays usenet posts with a 40 year delay. I
Wow that means it's running just three years after USENET started,
long before I found it. I wonder how complete their copy is.
it is very interesting to me that anyone has got some
of the feeds from that era apart from the borg (which took
over dejanews).

i tried to see if they had any archives available apart
from the slow historical server that is posting just so
many articles a day.

i have a lot of writings from a long time ago that i
lost that i'd like to get back somehow. i tried google
groups but that didn't go very well. :(


songbird
Kerr-Mudd, John
2022-12-18 10:48:38 UTC
On Sat, 17 Dec 2022 17:56:41 -0500
Post by songbird
Post by Ahem A Rivet's Shot
On 17 Dec 2022 18:18:45 GMT
Post by Tavis Ormandy
I thought this might be interesting to some readers here, the olduse.net
project has recently restarted (note: it's not my project, I'm just
a user)
https://olduse.net/#forty
It's an nntp server that replays usenet posts with a 40 year delay. I
Ironically he has a link there to a Mastodon erm account?. /That/ doesn't
display on my old chrome browser.
Post by songbird
Post by Ahem A Rivet's Shot
Wow that means it's running just three years after USENET started,
long before I found it. I wonder how complete their copy is.
it is very interesting to me that anyone has got some
of the feeds from that era apart from the borg (which took
over dejanews).
I (or someone a bit like me) didn't start usenet 'til the 90's. Luckily all
those cringeworthy posts were under another Nym.
Post by songbird
i tried to see if they had any archives available apart
from the slow historical server that is posting just so
many articles a day.
i have a lot of writings from a long time ago that i
lost that i'd like to get back somehow. i tried google
groups but that didn't go very well. :(
songbird
--
Bah, and indeed Humbug.
D.J.
2022-12-18 17:46:52 UTC
Post by songbird
Post by Ahem A Rivet's Shot
On 17 Dec 2022 18:18:45 GMT
Post by Tavis Ormandy
I thought this might be interesting to some readers here, the olduse.net
project has recently restarted (note: it's not my project, I'm just
a user)
https://olduse.net/#forty
It's an nntp server that replays usenet posts with a 40 year delay. I
Wow that means it's running just three years after USENET started,
long before I found it. I wonder how complete their copy is.
it is very interesting to me that anyone has got some
of the feeds from that era apart from the borg (which took
over dejanews).
i tried to see if they had any archives available apart
from the slow historical server that is posting just so
many articles a day.
i have a lot of writings from a long time ago that i
lost that i'd like to get back somehow. i tried google
groups but that didn't go very well. :(
songbird
I think I wound up with all of the ones from another froup, without
the above site, but I would have to check to make sure.
--
Jim
Ahem A Rivet's Shot
2022-12-17 18:41:00 UTC
On 17 Dec 2022 18:18:45 GMT
Now that's the first publicly visible finger server I've seen in
decades.
--
Steve O'Hara-Smith
Odds and Ends at http://www.sohara.org/
Johnny Billquist
2022-12-20 14:17:39 UTC
Post by Ahem A Rivet's Shot
On 17 Dec 2022 18:18:45 GMT
Now that's the first publicly visible finger server I've seen in
decades.
Gromit:bqt/mytcp> finger @mim.stupi.net
[mim.stupi.net]
RSX-11M-PLUS system MIM. Tue Dec 20 15:16:49 2022. Up: 0 days, 13:04.

Luser Real name Term Idle Logged in
BILLQUIST Johnny Billquist TT10: 10:57 20 Dec 04:18
BILLQUIST Johnny Billquist TT11: 3 20 Dec 04:18
BILLQUIST Johnny Billquist TT12: 33 20 Dec 14:09
Gromit:bqt/mytcp>

Johnny
Jorgen Grahn
2022-12-30 16:38:56 UTC
Post by Johnny Billquist
Post by Ahem A Rivet's Shot
On 17 Dec 2022 18:18:45 GMT
Now that's the first publicly visible finger server I've seen in
decades.
[mim.stupi.net]
RSX-11M-PLUS system MIM. Tue Dec 20 15:16:49 2022. Up: 0 days, 13:04.
Luser Real name Term Idle Logged in
BILLQUIST Johnny Billquist TT10: 10:57 20 Dec 04:18
BILLQUIST Johnny Billquist TT11: 3 20 Dec 04:18
BILLQUIST Johnny Billquist TT12: 33 20 Dec 14:09
Gromit:bqt/mytcp>
% finger @snipabacken.se
Login Name Tty Idle Login Time Office Office Phone
grahn Jorgen Grahn p1 1:28 Fri 08:03
grahn Jorgen Grahn p3 - Fri 15:42

(I never understood what's so insecure about finger. It's not as if
I allow telnet access, or ssh access without public-key auth. People
can learn where I am and when, but right now -- and since it's under
my control -- I don't mind.)

/Jorgen
--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .
Dennis Boone
2022-12-30 18:46:10 UTC
Post by Jorgen Grahn
(I never understood what's so insecure about finger. It's not as if
I allow telnet access, or ssh access without public-key auth. People
can learn where I am and when, but right now -- and since it's under
my control -- I don't mind.)
The original implementation tended to have the usual buffer management
issues, and also exposed actual live usernames, login status, etc.
This sort of thing gives away information that could be useful in an
attack.

Newer implementations let you control what information is shown,
and have been better secured, etc.

De
Peter Flass
2022-12-30 21:45:33 UTC
Post by Dennis Boone
Post by Jorgen Grahn
(I never understood what's so insecure about finger. It's not as if
I allow telnet access, or ssh access without public-key auth. People
can learn where I am and when, but right now -- and since it's under
my control -- I don't mind.)
The original implementation tended to have the usual buffer management
issues, and also exposed actual live usernames, login status, etc.
This sort of thing gives away information that could be useful in an
attack.
Sort of like Facebook, I guess.
Post by Dennis Boone
Newer implementations let you control what information is shown,
and have been better secured, etc.
De
--
Pete
Theo
2022-12-31 17:40:02 UTC
Post by Peter Flass
Post by Dennis Boone
Post by Jorgen Grahn
(I never understood what's so insecure about finger. It's not as if
I allow telnet access, or ssh access without public-key auth. People
can learn where I am and when, but right now -- and since it's under
my control -- I don't mind.)
The original implementation tended to have the usual buffer management
issues, and also exposed actual live usernames, login status, etc.
This sort of thing gives away information that could be useful in an
attack.
Sort of like Facebook, I guess.
I think there might have been some stalking incidents on university systems
where you could finger someone and find out how recently they read their
mail and where from. If the recently was 'now', that told you where they
were logged in currently. If it was from 'studentpc42.physics.example.edu'
then you knew their precise location. It could also leak sidechannel
information, eg if the student was an English major we can infer that they
knew somebody in physics who let them in to the physics building, etc.

Theo
Johnny Billquist
2023-01-01 14:52:43 UTC
Post by Theo
Post by Peter Flass
Post by Dennis Boone
Post by Jorgen Grahn
(I never understood what's so insecure about finger. It's not as if
I allow telnet access, or ssh access without public-key auth. People
can learn where I am and when, but right now -- and since it's under
my control -- I don't mind.)
The original implementation tended to have the usual buffer management
issues, and also exposed actual live usernames, login status, etc.
This sort of thing gives away information that could be useful in an
attack.
Sort of like Facebook, I guess.
I think there might have been some stalking incidents on university systems
where you could finger someone and find out how recently they read their
mail and where from. If the recently was 'now', that told you where they
were logged in currently. If it was from 'studentpc42.physics.example.edu'
then you knew their precise location. It could also leak sidechannel
information, eg if the student was an English major we can infer that they
knew somebody in physics who let them in to the physics building, etc.
Knowing if someone is online isn't done by looking at when mail was
read. That is silly. Finger directly reports if you are online or not.
And if not, when you last logged in.

But sure, you can certainly stalk someone, and then any kind of
information can be considered bad.

Johnny

Johnny Billquist
2022-12-31 12:41:53 UTC
Post by Jorgen Grahn
Post by Johnny Billquist
Post by Ahem A Rivet's Shot
On 17 Dec 2022 18:18:45 GMT
Now that's the first publicly visible finger server I've seen in
decades.
[mim.stupi.net]
RSX-11M-PLUS system MIM. Tue Dec 20 15:16:49 2022. Up: 0 days, 13:04.
Luser Real name Term Idle Logged in
BILLQUIST Johnny Billquist TT10: 10:57 20 Dec 04:18
BILLQUIST Johnny Billquist TT11: 3 20 Dec 04:18
BILLQUIST Johnny Billquist TT12: 33 20 Dec 14:09
Gromit:bqt/mytcp>
Login Name Tty Idle Login Time Office Office Phone
grahn Jorgen Grahn p1 1:28 Fri 08:03
grahn Jorgen Grahn p3 - Fri 15:42
(I never understood what's so insecure about finger. It's not as if
I allow telnet access, or ssh access without public-key auth. People
can learn where I am and when, but right now -- and since it's under
my control -- I don't mind.)
Well, the theory is that even finding out the usernames existing on a
system is a security issue.

I myself disagree, and have no real issue with revealing that
information, so I keep finger running.

For the same reason, identd is sometimes being blocked, and can be
configured to not actually reveal usernames, but just UIDs.

Johnny
Ahem A Rivet's Shot
2022-12-31 13:20:32 UTC
On Sat, 31 Dec 2022 13:41:53 +0100
Post by Johnny Billquist
Well, the theory is that even finding out the usernames existing on a
system is a security issue.
On a typical university system with hundreds of student accounts it
could very well be enough to make a low rate dictionary attack yield an
entry point.
--
Steve O'Hara-Smith
Odds and Ends at http://www.sohara.org/
Jorgen Grahn
2022-12-31 22:44:00 UTC
Post by Ahem A Rivet's Shot
On Sat, 31 Dec 2022 13:41:53 +0100
Post by Johnny Billquist
Well, the theory is that even finding out the usernames existing on a
system is a security issue.
On a typical university system with hundreds of student accounts it
could very well be enough to make a low rate dictionary attack yield an
entry point.
Hopefully, today few expose plain password login over the network ...
although I don't know the challenges faced by a university sysadmin --
maybe they need insecure auth for legacy reasons.

Me, I just configure my personal ssh server with
'PasswordAuthentication no' and then I don't worry much.

/Jorgen
--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .
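
Added example, not part of the thread or of any poster's message: a shell check of whether a configuration that contains 'PasswordAuthentication no', as mentioned in the post above, really leaves no password prompt reachable. The function name and both sample configurations are constructed for illustration; on a live host, `sshd -T` prints the effective values directly.

```shell
#!/bin/sh
# Added example: flag password-capable logins in an sshd_config read on stdin.
# sshd keeps the FIRST value it reads for each keyword, so an earlier "yes"
# wins over a later "no". Include files and quoted values are not handled.
audit_sshd() {
    awk '
    /^[ \t]*(#|$)/ { next }                          # skip comments and blanks
    {
        key = tolower($1); val = tolower($2)
        if (key == "match") { in_match = 1; next }   # Match runs to next Match/EOF
        if (key == "challengeresponseauthentication") key = "kbdinteractiveauthentication"
        if (key != "passwordauthentication" && key != "usepam" &&
            key != "kbdinteractiveauthentication") next
        if (in_match) {
            if (val == "yes" && key != "usepam")
                printf "WARN line %d: Match block re-enables %s\n", NR, key
            next
        }
        if (!(key in seen)) seen[key] = val          # first value wins
    }
    END {
        # OpenSSH defaults apply when a keyword is absent
        pw  = ("passwordauthentication" in seen) ? seen["passwordauthentication"] : "yes"
        kbd = ("kbdinteractiveauthentication" in seen) ? seen["kbdinteractiveauthentication"] : "yes"
        pam = ("usepam" in seen) ? seen["usepam"] : "no"
        if (pw == "yes") print "FAIL: PasswordAuthentication is effectively yes"
        if (kbd == "yes" && pam == "yes")
            print "FAIL: keyboard-interactive via PAM can still ask for a password"
    }'
}

# Constructed sample: contains "PasswordAuthentication no", yet is not hardened.
sample_weak() {
    cat <<'EOF'
PasswordAuthentication yes
UsePAM yes
# appended later, expecting it to override the first line
PasswordAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF
}

# Constructed sample: key-only logins, no password-equivalent method left.
sample_hardened() {
    printf '%s\n' 'PasswordAuthentication no' 'KbdInteractiveAuthentication no' \
        'PubkeyAuthentication yes' 'UsePAM yes'
}

echo "weak:";     sample_weak | audit_sshd
echo "hardened:"; sample_hardened | audit_sshd
```

An empty result for a file means none of the three conditions was found in it.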