Totally Useless Feature Vulnerable for a Decade Finally Patched

WINS is a totally useless service on a LAN. We can get the job done with DNS or LDAP. M$, in its desire to do things differently to lock people in, developed WINS, and it was full of holes. The latest hole will soon be patched after a decade of vulnerability.

Don’t use useless technology invented by M$ to lock you in. Use Debian GNU/Linux. It works for you, not M$.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in technology.

27 Responses to Totally Useless Feature Vulnerable for a Decade Finally Patched

  1. twitter says:

    Things are actually harder now, thanks to Microsoft. Exim for Debian was easy to configure back in 1999 too. The script choices were basically the same. Given a reasonable ISP, it’s a snap. Given the attitude of ISPs today, it’s impossible. Microsoft put pressure on ISPs to make things difficult by blocking ports back in the early 2000s. Email is a gnu/linux strength that flies in the face of Microsoft propaganda at several fundamental levels.

  2. Consider a school full of people. If dozens of them are sending e-mail to each other, that is some traffic on the Internet if we use a service out there and none if we use a local e-mail server. QED

    I have worked in schools that forbade e-mail just for that reason in the days of dial-up. Today, schools are larger and some have pitiful broadband access that is worse than dial-up per user.

  3. Linux Apostate says:

    “It is complex but worthwhile.”

    Well, you’re half right. sendmail is an abomination. If Microsoft had invented it, you would be pouring hate on it and asking why anyone is still using it.

    If Debian now provides an easy way to configure exim4 to send/receive Internet mail, then that’s good and certainly an improvement from more than a decade ago when I last tried to do this by hand. So Linux does make progress after all! But still the question is “why bother”.

  4. Well, that’s a change in topic. I could argue that the value of setting up a mail server is worth the effort, but the original mention was exim serving localhost, which works out of the box on a default install of many distros. The complexity of the configuration is an artifact of the evolution of the protocol(s).

    You can read sendmail documentation here and here. Here’s a snippet: “Sendmail is based on RFC 821 (Simple Mail Transport Protocol), RFC 822 (Internet Mail Headers Format), RFC 974 (MX routing), RFC 1123 (Internet Host Requirements), RFC 1413 (Identification server), RFC 1652 (SMTP 8BITMIME Extension), RFC 1869 (SMTP Service Extensions), RFC 1870 (SMTP SIZE Extension), RFC 1891 (SMTP Delivery Status Notifications), RFC 1892 (Multipart/Report), RFC 1893 (Enhanced Mail System Status Codes), RFC 1894 (Delivery Status Notifications), RFC 1985 (SMTP Service Extension for Remote Message Queue Starting), RFC 2033 (Local Message Transmission Protocol), RFC 2034 (SMTP Service Extension for Returning Enhanced Error Codes), RFC 2045 (MIME), RFC 2476 (Message Submission), RFC 2487 (SMTP Service Extension for Secure SMTP over TLS), RFC 2554 (SMTP Service Extension for Authentication), RFC 2821 (Simple Mail Transfer Protocol), RFC 2822 (Internet Message Format), RFC 2852 (Deliver By SMTP Service Extension), and RFC 2920 (SMTP Service Extension for Command Pipelining). However, since sendmail is designed to work in a wider world, in many cases it can be configured to exceed these protocols. These cases are described herein.”

    It is complex but worthwhile. You may know that even businesses with server-guys are switching to mail-in-the-cloud to get such complexity out of the house. OTOH a local server is trivial and on a GNU/Linux terminal server all the users get to use it with very little complexity. One can even make nice server names in a few seconds and it’s good.

    The configuration of exim4 is pretty simple in Debian:
    dpkg-reconfigure exim4-config
    Please select the mail server configuration type that best meets your needs. Systems with dynamic IP addresses, including dialup systems, should generally be configured to send outgoing mail to another machine, called a ‘smarthost’ for delivery because many receiving systems on the Internet block incoming mail from dynamic IP addresses as spam protection. A system with a dynamic IP address can receive its own mail, or local delivery can be disabled entirely (except mail for root and postmaster). General type of mail configuration:
    internet site; mail is sent and received directly using SMTP
    mail sent by smarthost; received via SMTP or fetchmail
    mail sent by smarthost; no local mail
    local delivery only; not on a network
    no configuration at this time

    I feel another video coming on… Oh, wait! I did a video on setting up Citadel and mail is a part of it. Done. That’s about the fastest configuration of anything in IT.

    I would prefer to configure sendmail before I would configure SMB/CIFS the way M$ has butchered it. Where I last worked we had a system that worked fine with XP but was useless for “7”. We switched to GNU/Linux and the complexity disappeared.
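A defender's audit of the choice made in that dpkg-reconfigure dialog, added here as example code (not from the post, from Debian or from exim): it reads the keys the dialog writes to /etc/exim4/update-exim4.conf.conf and reports whether exim4 is bound only to loopback, which is what decides whether a "local delivery only" daemon is reachable from the LAN at all. The dc_* key names are Debian's; the verdict labels and the sample files it audits are constructed for the example.

```shell
# Audit the exim4 settings that "dpkg-reconfigure exim4-config" writes to
# /etc/exim4/update-exim4.conf.conf and report whether the daemon is bound
# only to loopback. The dc_* key names are Debian's; the verdict labels
# (loopback-only, network-exposed, all-interfaces) are this example's own.

# conf_value FILE KEY: print KEY's value with surrounding quotes removed
conf_value() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d "'\""
}

# exim4_configtype FILE: the dialog choice (internet, smarthost, satellite, local, none)
exim4_configtype() {
    conf_value "$1" dc_eximconfig_configtype
}

# exim4_exposure FILE: classify dc_local_interfaces, an exim "addr ; addr" list.
# Empty means exim falls back to its own default of binding every interface.
exim4_exposure() {
    ifaces=$(conf_value "$1" dc_local_interfaces)
    [ -n "$ifaces" ] || { echo "all-interfaces"; return 0; }
    verdict="loopback-only"
    old_ifs=$IFS
    IFS=';'
    for entry in $ifaces; do
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -n "$entry" ] || continue
        case "$entry" in
            127.*|::1) ;;                                   # loopback only
            0.0.0.0|::|::0) verdict="all-interfaces" ;;     # wildcard bind
            *) [ "$verdict" = "all-interfaces" ] || verdict="network-exposed" ;;
        esac
    done
    IFS=$old_ifs
    echo "$verdict"
}

# write_sample_conf FILE CONFIGTYPE INTERFACES: constructed sample, not a real system file
write_sample_conf() {
    cat > "$1" <<EOF
# constructed sample of /etc/exim4/update-exim4.conf.conf
dc_eximconfig_configtype='$2'
dc_local_interfaces='$3'
EOF
}

tmp=$(mktemp)
write_sample_conf "$tmp" local '127.0.0.1 ; ::1'            # the Debian default
echo "default install: $(exim4_configtype "$tmp"), $(exim4_exposure "$tmp")"
write_sample_conf "$tmp" internet '127.0.0.1 ; 192.0.2.10'  # also bound to a LAN address
echo "internet site with a LAN address: $(exim4_exposure "$tmp")"
rm -f "$tmp"
```

To check a live host, point exim4_exposure at the real /etc/exim4/update-exim4.conf.conf and compare with what `ss -ltn` shows bound on port 25.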

  5. Linux Apostate says:

    “It works the same way it has since the 1970s.”

    This is not an advantage.

    As to “mail is easy”, I have just one thing to say about that – /etc/sendmail.cf. It’s only “better” than Exchange if by “better” you mean “can only be configured by a voodoo Linux witchdoctor”.

    And even those guys are all cheating. If you can write a useful sendmail.cf without referring to any samples or HOWTOs then you deserve a Nobel prize. Then you deserve to be stripped of that prize for doing something so pointless with your genius when you could have been curing cancer.

  6. twitter says:

    We don’t have to wait for Microsoft to have email servers to call their security record a total failure. Microsoft would never give people something as simple as email because the company pretends it is something so difficult you have to buy an expensive “server” to run Exchange, which is just as impossible to secure as the rest of their software. Decades old security flaws are the rule not the exception for Windows. The record is so bad, I can’t believe I’m having this conversation.

    Mail notification has worked perfectly well for me over the last decade. I open a terminal and it tells me I have new mail, I type “mail” and look at it. It works the same way it has since the 1970s. It’s easy enough to have my graphical user mail client watch my system mailbox. When my machine is on, so is email. If I see something unusual, I can go dig through my logs. All software should be so easy. Why reinvent the wheel for system messages and logs?

    How does Windows do this? It pops a message in your face like, “there are updates available for brand name software.” Good luck to them finding out if something is gone wrong or where the vendors have put all their logs, if they even have logs. This is what happens when you reinvent the wheel in order to keep users helpless and divided.

  7. I don’t need a local mail server for most of the things that I do but there are many packages of software around that use the facility so it is part of the basic installation of Debian GNU/Linux. That’s one reason I opted for a minimal installation sometimes. It’s still a useful thing on a desktop system already running lots of processes involving communication.

  8. Linux Apostate says:

    But you just don’t need a mail server on your local machine. I think we even agree about that.

    Why, then, do distributions include this useless feature? Putting users at risk with buggy software they don’t need… why, that almost sounds like Microsoft, doesn’t it? Debian’s decision making process must be broken, because it is still choosing to include this anti-feature by default.

  9. Lots of people do not have a local server so it makes sense to have one on a desktop machine.

    Many clients can deal with multiple e-mail accounts so this is not a problem. Some people use some free web-based e-mail for password-resetting and the like, another for personal use, others for specific businesses and a local one for in-house messaging. The use of e-mail is only limited by one’s imagination.

  10. Linux Apostate says:

    The mail notification GUI is not set up by default in Debian 6.0.

    Basic usability: if something tells the user to check his email, he’ll assume you mean his Internet mail.

    Having a local mail system on a desktop machine is stupid. Should the user have two mail clients, one for the Internet and one for messages from Cron?

    I did once try to integrate the local Linux mail and Internet mail, using fetchmail, sendmail and SMTP. It seemed perfectly rational, given that at the time (1997) quite a lot of Linux mail clients couldn’t do POP and IMAP and insisted on doing everything the Unix way. Also, if this was not the purpose of the local mail system, then why was it there at all? And why were there HOWTO guides for doing exactly this?

    In theory the project would have given me a better choice of email client (i.e. not just Netscape mail) as well as allowing me to pick up messages from the system. In reality, it just added unnecessary complexity and lots of my outgoing mail was classified as spam since it came from a dynamic IP address with a hostname not matching DNS. This should have been a clue about the awfulness of Linux, but like a good little cultist I assumed the fault lay with myself and plodded onwards, even though I knew that no Windows user had ever had to deal with a comparable problem. Thus it was a complete waste of time, as I had not only failed to find a satisfactory solution, I had also failed to learn an important lesson about Linux.

  11. Ever seen the movie, “You’ve Got Mail”? It is trivial to test the presence of mail and to notify the user at login or every 10 minutes or whatever. Many people leave a client open and new messages are highlighted somehow. My terminal servers are multi-user systems so exim is useful for private mail between users as well.

    There is a package for it in Debian GNU/Linux: see mail-notification

  12. Linux Apostate says:

    It’s not that changes are bad, it’s just that some changes are better than others, and we disagree about which ones they are.

    Email is really not a good approach for notifying the user. Apart from anything else, the user already has email account(s) and they’re completely separate from the local Unix mailbox. Mail turning up in /var/spool/mail may never even be noticed. Some notification!

    If every Windows computer ran an email service, and that email service had vulnerabilities, we would never hear the end of it. “Why is this pointless service running? Why is it so insecure?” Well, all of that applies to Linux too, and if we are going to determine which change is *really* best, rather than which change we simply like the most, then we have to be consistent.

  13. twitter says:

    Everyone being in control of their own communications and social networking is the point of FreedomBox. Email is a well established standard that I expect to see as part of Freedom Box. Exim has never been a problem for me used as a system messenger or as a normal internet mail server. The package was easy enough for me to set up. Freedom box will require no set up at all.

    Any self respecting OS will have a means of communicating significant events with the user. Email has worked well for this. I do not think a mail server that by default does not actually listen to network traffic is a network security risk.

    Perhaps there will be security problems when free software is dominant. Those will be minor next to the problems we have now with botnets and malicious features that are part of the OS and other non free applications. People who think the present is acceptable and argue for no changes must have a vested interest in the present.

  14. Ur clothes, give zim to me says:

    Redundancy and freedom make the network robust. Microsoft style monoculture and top down control wreck networks for everyone.

    Wait, I thought freedom was all about AThousandEyesOnDaCodez(TM). But more importantly …

    So what you’re saying is that the 9 yr old across the street, your nephew who’s 12, and the widow retiree that lives next to you are all going to help break that goddamn monoculture down so that the evil Microsoft corporation will die? Is that what you’re saying? Because of course everyone wants to “get to know the technology” right? Like how everyone – since the creation of steel – is now a producer of steel and knows what it’s made of.

    Like how everyone since the advent of printing presses is an offset printer? How everyone knows how to produce treated lumber since the advent of mass production lumber? You should read the book “Dark Age Ahead” by Jane Jacobs. It’s an interesting perspective of the fall of recorded civilizations and how important it was for a connection with reality.

    But hey, the world will have Linux and that will be important right?

  15. Ur clothes, give zim to me says:

    In an ideal world we would all run mail servers.

    lolwut? Yeah, I can just see your mom setting this up. Next stupid answer.

  16. The local mail delivery is a bit overblown. We should all run sshd for system management and we can use that to communicate with other mail servers on the LAN in a secure manner. If you have LDAP managing accounts, a single server makes sense but not for a bunch of PCs on a LAN. I have been in a lot of schools that did not use LDAP but they could still use local e-mail. It makes great sense for an LTSP machine.

  17. Linux Apostate says:

    Twitter, I know you from Slashdot, so I can’t really believe you’re about to get a serious reply from me, but here goes.

    We should all run mail servers? What. No, we shouldn’t. Exim is no use whatsoever to the desktop user, who sends and receives email via IMAP/SMTP or (more likely) Gmail.

    You’re right that the default setting is local mail delivery. Nevertheless this is a daemon listening on a network socket, which was until recently vulnerable to several remote exploits. We all know this is a bad idea, whether it’s Microsoft, Linux or Losethos. Every daemon must have a good reason to exist, and Exim4 totally fails that test.

  18. twitter says:

    Please don’t compare one hole in Exim to the steaming pile of worm food that Windows is. Exim’s default setting is local delivery only, something that is very useful for machine administration. It is also useful to have a nice mail package like exim for … actual email. It is dishonest to compare that to the combination of garbage like WINS, network plug and play, SMB and a host of other terrible Microsoft, do-it-alone, third-rate tech. More than half of Windows computers are part of a botnet and virtually all the Fortune 500 networks are infested. That’s complete ownage of Microsoft systems. Despite lots of FUD and predictions of doom over the last 15 years, GNU/Linux systems do much better than that, thank you.

    In an ideal world we would all run mail servers. Most Windows machines do this as nodes on a botnet with no function gain for actual users. In the gnu/linux world people can use dyn-dns and persistent networks for better privacy and to avoid the buggy and dysfunctional servers run by Microsoft friendly ISPs. Redundancy and freedom make the network robust. Microsoft style monoculture and top down control wreck networks for everyone.

  19. Linux Apostate says:

    You still don’t need a mail server running on each machine.

    Anyway, if “Totally Useless Feature Vulnerable for a Decade Finally Patched” is a valid criticism of Microsoft, then it’s a valid criticism of Debian as well.

  20. ray says:

    the wimp was designed to support legacy system NetBIOS, created by Systec.

  21. These teachers were all running on a terminal server. There were four machines for 24 teachers and the students.

  22. Linux Apostate says:

    “It’s not a big deal to have a system without exim but it is often useful. I set up a system once where teachers had a large red button on the desktop. In case of emergency, they had only to click it and an e-mail would be sent to the office.”

    But this doesn’t require exim4 on the local machine. You could have done it with a single server for the whole network.

    You can’t say that Debian is better than Windows because WINS was (1) vulnerable and (2) unnecessary, since Debian has an equivalent of WINS (exim4) which was also (1) vulnerable and (2) unnecessary.

    This does not mean there are no other reasons why Debian is better than Windows, but this particular reason is no good.

  23. Ordinary users are often blocked from seeing the logs but can be on the e-mail lists of an application. It’s not a big deal to have a system without exim but it is often useful. I set up a system once where teachers had a large red button on the desktop. In case of emergency, they had only to click it and an e-mail would be sent to the office. Even if the teacher was not interested in e-mail the capability could be installed and available.

  24. Linux Apostate says:

    But desktop users just don’t need a local mail system! The system logs are a more reliable way to find out if something is failing. If you really want a mail server, then you are special and should install one by hand.

    Enabling exim4 by default is exactly like enabling WINS by default. It increases the attack surface with no benefit for most users. What I’m saying is that moving from Windows to Debian doesn’t free you from this sort of braindamaged decision.

  25. I have often used exim4. On an isolated system in which you use GMail etc. it has little value but it is a nice system if you want local mail system on the LAN. Some processes use it for reporting errors or routine operation.

  26. Linux Apostate says:

    Doesn’t Debian include equally useless things? What about exim4?

    Multiple vulnerabilities… in a mail daemon that’s completely unnecessary on a desktop system, yet installed by default.

    On my Debian systems I disable exim4 as a matter of course. It’s not like the old days where there were dozens of these pointless daemons running by default. But it’s still stupid.
