
> At least telnetd is disabled by default so most installs won't be vulnerable.

I'm very surprised by this statement, and also very surprised by the following passage of the article which shows a similar spirit:

> On the positive side, most people have moved past telnet and on to SSH by now; but this is still not an issue we could postpone until a more convenient time.

Rather, I would have expected something like "Since telnetd isn't used anymore anyway, we decided to remove it from our distribution." ;-)

Seriously, are there really computer systems remotely accessible via telnetd? Really? It's 2011! Even ten years ago SSH was already a standard component of every Unix system. Back then, I never considered telnetd to be an option for any remotely accessible machine. I only saw telnet-like services when people played Multi-User Dungeons (MUD), and even those systems did not need a telnetd but ran their own server processes.

The same for FTP, by the way. FTP will probably need more time to die than telnet, but alternatives like SFTP or Rsync-over-SSH have been available for years, too.

In other words: Why should we care? What kind of administrators and/or company policies are running telnetd anyway? Are those totally reckless, or am I missing something?



You probably aren't running 20-year-old hardware that hasn't seen a software update since 1991. Some people are. Mostly people where the computer is incidental to the machine.

E.g., back in the '90s the MRI scanners at my institute used VAX models that were well and truly obsolete even for the day, with tremendously obsolete versions of VMS, because that was what was FDA approved and no changes could be made.

One can certainly imagine a device with a 6-figure price tag that communicates by telnet to a user-supplied server. (Not our MRI scanners though, we weren't allowed to upgrade their software to support TCP/IP.)


Lots of devices where the focus isn't really on the computer side of the device. Phone switches and auto-dialers come to mind as examples I have dealt with recently.



