Re: Patch for MeetingPoint 3.0

Bill Woodland (wcw@bga.com)
Mon, 15 Dec 1997 23:33:42 -0600


Anne, Bill, Gary, Andrew:

I sent this message to Brian on 11/17/97 and haven't received any response
back at all. Is he on vacation? For how long? I'd really like a response
to this, and to the next message that I'm sending again. I'd also like to
know if anyone there is aware of the security hole that Streak emailed
Brian about (I'll forward that one to all of you, also). Thanks.

>Date: Mon, 17 Nov 1997 23:44:33 -0600
>To: boshea@wpine.com (Brian O'Shea)
>From: "Bill Woodland (Squeek)" <wcw@bga.com>
>Subject: Re: Patch for MeetingPoint 3.0
>Bcc: billw
>
>At 09:29 PM 11/17/97 -0500, you wrote:
>>Hello Bill,
>>
>>I was cleaning out my mailbox and came across your email about putting
>>No-Blues back up.
>>
>>First let me apologize for the problems that you had with the 2.1 Windows
>>server. Under the management at the time, I was not allowed to go back and
>>fix those problems and create a point release. We now have a more
>>enlightened leader, and he is committed to satisfying the customer, and
>>being responsive to problems.
>
>I accept, and understand. I work for the state of Texas, and deal with
>red tape bs all the time, and "unenlightened leaders" so am aware of the
>kinds of problems that can arise because of them. Besides, I'm not a
>paying customer....they're the ones you really need to make happy.
>
><snip>
>>I notice that you have 3.0 RC 3 running on No-Blues at the moment. If you
>>have ANY problems with it, you should download the patch. It's available
>>via anonymous ftp from 192.80.72.200 in pub/outgoing. The name of the file
>>is mpcs.exe. That directory is protected, so you will not see any files if
>>you do an "ls", so you need to be explicit, mpcs.exe all lower case.
>
>Downloaded and installed already. Thanks for the quick info, and also
>for..."Logfile naming convention - has been changed and now associates with
>Notepad" :)
>
>Comments:
>MPCS is the best ref I've seen to date. The vid is much faster than the
>2.x ref, and of course the Cornell version can't compare at all. All in
>all I think you guys did a real good job on it. The telnet hasn't hung up
>on me once (like the 2.1 version did all the time) and except for some of
>MY OWN stupid errors, the ref has been running non-stop since I downloaded
>the 30b4d11.exe in early November. I must admit that I haven't played
>around with the h.323 or T.120 stuff at all yet...only so many hours in a
>day.
>
>Now that I have your attention.... :)
>
>SUGGESTIONS:
>I'd like to see more info in the log. TELNET accepted from
>nnn.nnn.nnn.nnn is nice, but it should show when that telnet is closed,
>too. Also if someone sends a disconnect packet through the ref, the ref
>should log it, ignore it AND kick the SOB off :)
>
>Why can't I use the ' ( ) / characters in a conf name? Can I only use a-z
>and 0-9? I tried "Squeek's ref (15/5)" but it didn't like it. I like to
>have the (15/5) there to let people know how many senders/lurkers are
>allowed, and it's MY ref :)
>
>This is really for the client side, but regarding people killing off
>others with disconnect packets...have the client only honor the disconnect
>if the MAC address that the packet came from is the same as the ref. The
>IP can be spoofed, but the MAC address can't.
>
>By the way, I actually LIKED the wpmanage program...any chance of you guys
>updating it to work with MPCS? NO? How about releasing the source code
>for it? No? Come on...if you guys aren't gonna continue to use/support
>it, then what good is the code to you anyway? :)
>
>Trust me on this...you should check out the new version of RefMarshal at
>this address:
>
>http://personalweb.sierra.net/~dpaul/refmarshal/
>
>Read the web page, download it, and try it on my MPCS ref. My telnet
>password is "fonseca"....Hey, if I can't trust YOU, then I'm screwed :)
>
>I also have a few concerns about the HERALD command. No offense, but I
>hate the java gui stuff, and would rather use telnet to
>configure/kill/deny, so I've entered a password into the registry. This
>also means that I had to allow-wpconfig commands for 255.255.255.255 so my
>ref cops can telnet in. This leaves the ref open to anyone, and they can
>come in and do all the WHO commands they want...I don't have a problem with
>that. However, if someone else telnets into the ref, they can use the
>HERALD command WITHOUT having to enter the ref password. Imagine if I
>telnetted into your ref and sent msgs to someone over and over with HERALD.
>There's nothing the user can do to stop the MOTD packets from coming up.
>HERALD needs to be moved into the group of commands that require a
>password, like KILL and DENY.
>
>The other concern about HERALD is that the MAC clients ignore the MOTD
>packets once they have established a connection and have received the first
>MOTD from the ref. I know, this makes me sound a bit hypocritical, but
>REAL ref cops need to be able to send msgs to MAC clients, too. Can you
>make the ref send the HERALD msgs to MAC clients as a private message?
>
>SECURITY:
>Try this on my ref. Telnet in without entering the password, and try the
>conf command, and then the pref-vid-codecs command. All my private
>conferences are displayed:
>MeetingPoint@squeek> conf
> 0 ACVHE (3/2) NO Blues G rated
> 1 ACVSE (0/0) Self Relfect for Testing
>MeetingPoint@squeek> pref-vid-codecs
>MP Conference default preferred video codecs: <disabled>
>Conference 0 preferred video codecs: <disabled>
>Conference 1 preferred video codecs: <disabled>
>Conference 450 preferred video codecs: <disabled>
>Conference 2099 preferred video codecs: <disabled>
>
>I've been told that you can do this with the GUI:
>Select Moderator, but don't enter a userid or password. It lists all of
>the conferences, both public and private.
>
>One more thing. It seems that if I have a telnet password in the
>registry, then the GUI won't work. Does it actually do telnet commands to
>the ref to accomplish its jobs? Why can't it go to the registry and get
>the password? This way I could use telnet, and my moderators
>could use the GUI.
>
>
Bill Woodland (Squeek ©) PC questions only, please.
Personal web page: http://www.realtime.com/~wcw
CU-SeeMe page: http://cu-seeme.cornell.edu/~WCW
CU-SeeMe Unsubscribe? Details at http://cu-seeme.cornell.edu/listinfo.html
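
The authorization change requested in the quoted message (HERALD moved into the password-protected group with KILL and DENY, and private conferences hidden from sessions that have not entered the password), sketched as an added example that is not MeetingPoint code or part of the original message. The tier names, the conference privacy flags and the response strings are assumptions made for illustration:

```python
# Added illustration, not MeetingPoint code. Command names come from the
# message above; the privilege tiers and conference table are assumptions.
import hmac

PUBLIC, PRIVILEGED = "public", "privileged"

# Every command is listed with an explicit tier; anything unlisted is refused.
COMMAND_TIER = {
    "who": PUBLIC,
    "conf": PUBLIC,             # allowed, but output is filtered below
    "pref-vid-codecs": PUBLIC,  # allowed, but output is filtered below
    "herald": PRIVILEGED,       # the change the message asks for
    "kill": PRIVILEGED,
    "deny": PRIVILEGED,
}

# Constructed sample data: which conference IDs are private is assumed.
CONFERENCES = {0: False, 1: False, 450: True, 2099: True}  # id -> private?


class Session:
    def __init__(self, ref_password):
        self._password = ref_password
        self.authenticated = False

    def login(self, attempt):
        # Constant-time comparison avoids leaking the password by timing.
        self.authenticated = hmac.compare_digest(
            attempt.encode(), self._password.encode())
        return self.authenticated

    def visible_conferences(self):
        # One filter shared by every listing command, so "conf" and
        # "pref-vid-codecs" cannot disagree about what a session may see.
        return [cid for cid, private in sorted(CONFERENCES.items())
                if self.authenticated or not private]

    def dispatch(self, line):
        parts = line.strip().split()
        name = parts[0].lower() if parts else ""
        tier = COMMAND_TIER.get(name)
        if tier is None:
            return "ERR unknown command"
        if tier == PRIVILEGED and not self.authenticated:
            return "ERR password required"
        if name in ("conf", "pref-vid-codecs"):
            return "OK " + " ".join(str(c) for c in self.visible_conferences())
        return "OK " + name
```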