[ale] Cross platform notification
JD
jdp at algoloma.com
Sat Jan 11 16:19:04 EST 2014
I've seen nc used to create an unauthenticated listener that could run any shell
command from a remote location. That is like having telnet without the login
running under whatever authority the nc process has. THAT is most definitely a
risk to system security in my book.
Others are welcome to different opinions.
On 01/12/2014 04:01 AM, Matt Hessel wrote:
> Netcat isn't really a security risk. It's just convenient. Most of what it
> does can be done with creative scripting and bash.
>
> On Jan 10, 2014 11:55 PM, "Alex Carver" <agcarver+ale at acarver.net> wrote:
>
> On 1/10/2014 16:50, Pete Hardie wrote:
> > XMPP is a fairly widespread protocol, and libraries exist for the
> > sending end to hook into for most languages
>
> Most languages but if it's able to be used by bash then I'll consider
> it. Not every transmitter is going to be a fully compiled program. I
> really do want to occasionally set up a simple bash script that fires
> off a preformatted text file at the destination receiver. I have
> already tested that with Growl, simple text file with the GNTP headers
> as per the protocol spec, transmit with netcat and notifications pop up
> on the receivers. No libraries needed.
>
>
> >
> > On Fri, Jan 10, 2014 at 7:02 PM, JD <jdp at algoloma.com> wrote:
> >> On 01/10/2014 06:16 PM, Alex Carver wrote:
> >>> I was looking into notification methods that I could use for one of my
> >>> projects to send quick messages to multiple machines (pretty much every
> >>> desktop or mobile platform currently in use) on my local network. I see
> >>> Growl seems to be available for nearly every platform and seems to be a
> >>> fairly simple protocol. I just wanted to solicit opinions on this kind
> >>> of notification method. The originating computer is going to be one of
> >>> the Linux machines and I've been experimenting with sending by bash
> >>> script which is nice, simple, and requires no libraries, just netcat. I
> >>> might later write up a small transmitter in C but I think bash will
> >>> probably work well for now.
> >>
> >> Netcat is a HUGE!!!!!!! security risk. I wouldn't ever use it beyond POC and
> >> only on an air-gapped lab network.
> >>
> >> What sort of notifications? Desktops, system to system, system to specific
> >> client? system to any normal web-client?
> >> Any chance this will ever be wanted over the internet in the future?
> >>
> >> And ... isn't growl commercial? What is the fallback if it isn't available?
> >> What about non-GUI client machines?
> >>
> >> Is polling an option? If so, you could set up a REST web interface on a
> >> central box that clients can push and pull from. REST means it is trivial
> >> to make a client via a bash+curl script.
> >>
> >> XMPP? More effort to use (only slightly), but extremely flexible.
> >>
> >> Or place the messages into a file that every client has read access from.
> >> KISS does work after all.
> >>
> >> What are the authentication needs?
> >>
> >> What are the encryption needs? Anything sensitive involved .. even in the
> >> future?
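
The message above separates two uses of nc: a send-only client, and a listener that hands each connection to a shell under the nc process's authority. The following is an added example, not part of the thread, of a check that flags only the second kind in a process listing. The sample process lines are constructed, the function names are hypothetical, and the option letters assumed are those of traditional netcat and ncat (`-l`/`--listen`, `-e`/`--exec`, `-c`/`--sh-exec`); other nc variants may use these letters differently.

```bash
#!/bin/sh
# Heuristic audit: report netcat processes that listen AND execute a program.
# Input format: "USER PID COMMAND ARGS...", as printed by
#   ps -eo user=,pid=,args=

find_nc_exec_listeners() {
  awk '
  {
    # Strip the directory part of the command to get the program name.
    n = split($3, path, "/"); prog = path[n]
    if (prog != "nc" && prog != "ncat" && prog != "netcat") next

    listen = 0; execs = 0
    for (i = 4; i <= NF; i++) {
      if ($i == "--listen") listen = 1
      else if ($i == "--exec" || $i == "--sh-exec") execs = 1
      else if ($i ~ /^-[A-Za-z]+$/) {   # bundled short options such as -lvp
        if ($i ~ /l/) listen = 1
        if ($i ~ /[ec]/) execs = 1
      }
    }
    # A plain client or a plain listener is not reported, only the combination.
    if (listen && execs) print $1, $2
  }'
}

# Constructed sample listing (not taken from a real host).
sample_ps() {
  cat <<'EOF'
root   812  /usr/sbin/sshd -D
alice  2231 nc -lvp 4444 -e /bin/bash
bob    2290 nc 192.0.2.10 23053
www    2305 /usr/bin/ncat --listen 9000 --sh-exec /bin/sh
carol  2400 nc -l 5000
EOF
}

# Prints the owner and PID of each exec-capable listener in the sample.
sample_ps | find_nc_exec_listeners
```

On a live host, pipe `ps -eo user=,pid=,args=` into `find_nc_exec_listeners`; the reported user is the authority any connecting peer would inherit.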