From: brnstnd@nyu.edu (Dan Bernstein)
Newsgroups: alt.security
Subject: Re: Bernstein on SMTP tracing
Message-ID: <15910.May602.56.0592@virtualnews.nyu.edu>
Date: 6 May 92 02:56:05 GMT
References:
Organization: IR
Lines: 45

In article mrc@Tomobiki-Cho.CAC.Washington.EDU (Mark Crispin) writes:
> I hope that anyone who takes Bernstein's advice on using RFC-931 only has to
> deal with clueless kiddies and not with real hackers.

Mark and I are in violent agreement on most of the issues here. Nearly all
mail forgery is performed by clueless kiddies. As is, anyone who reads the
SMTP protocol spec can forge mail. With RFC 931, the number of people who
can forge mail drops dramatically---only the five categories of people I
mentioned before can control the usernames added to headers. This makes the
server well worth the minutes it takes to install.

> Bernstein lists five
> categories of people that have to be trusted in order for RFC-931 to work. To
> this, let me add a sixth category: any user on a personal workstation.

Someone who owns his own workstation and sends mail from it is in category
(2), so your sixth category is nonexistent. Besides, the mail is tagged as
coming *from that workstation*.

Someone illegally in category (5)---someone who can break TCP---can already
destroy all security mechanisms in wide use on the Internet except Kerberos.
It doesn't make sense to worry about those people when you haven't even
stopped forgery from the clueless kiddies mentioned above.

> Let me go further. I can send a forged message to an RFC-931 machine A that
> alleges to be from a user (other than me) at RFC-931 machine B.

I.e., category (5). You can break TCP.

> Personally, I think it is better to have
> the wave of forged mail at the beginning of the school year and let the
> novelty wear off.

Here's where Mark and I disagree. If you agree with his philosophy---if
you're satisfied with the current flood of forgeries---then you shouldn't
install RFC 931.

I prefer to stop as many attacks as I can, right now. RFC 931 provides such
a high yield for so little effort---why not use it?

> What does Bernstein have against
> PEM?

Mainly that it's vaporware. Nonexistent. Useless. Software which doesn't
exist is never useful.

---Dan
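The exchange the thread is arguing about, shown from the receiving mail server's side as an added example that is not part of the original post or of any of Bernstein's software. The RFC 931 reply grammar (`server-port , client-port : USERID : systype : userid`, or `: ERROR : error-type`) is taken from the RFC; the function names, the port numbers and the sample replies are constructed for illustration. The code shows what an MTA actually learns from an ident lookup: a username claimed by the *sending host's* ident server, which is exactly why the post says the value is only as trustworthy as whoever controls that host.

```python
"""RFC 931 (ident) reply handling as an SMTP receiver would use it.

Added example, not from the post. The receiving MTA sees a TCP connection
from REMOTE_PORT on the sending host to its own LOCAL_PORT (25), connects to
the sender's ident service and asks which user owns that connection.
"""
import re

# Reply grammar from RFC 931; whitespace around tokens is optional.
_REPLY_RE = re.compile(
    r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$"
)


def build_query(remote_port: int, local_port: int) -> bytes:
    """Query sent to the remote ident server: its port first, ours second."""
    return f"{remote_port}, {local_port}\r\n".encode("ascii")


def parse_reply(raw: bytes, remote_port: int, local_port: int):
    """Classify one ident reply line.

    Returns ("userid", (systype, userid)), ("error", error_type) or
    ("invalid", raw_text). A reply whose echoed port pair does not match the
    connection we asked about is treated as invalid rather than trusted.
    """
    text = raw.decode("latin-1", "replace").rstrip("\r\n")
    m = _REPLY_RE.match(text)
    if m is None:
        return ("invalid", text)
    rport, lport, kind, rest = m.groups()
    if int(rport) != remote_port or int(lport) != local_port:
        return ("invalid", text)
    if kind == "ERROR":
        return ("error", rest.strip())
    systype, _, userid = rest.partition(":")
    return ("userid", (systype.strip(), userid.strip()))


def annotate_sender(remote_host: str, result) -> str:
    """Tag the connection the way the post describes: user@host of the
    claimed origin, or an explicit unknown marker when ident gave nothing.
    The tag records what the remote host *claimed*; the MTA cannot verify it."""
    kind, value = result
    if kind == "userid":
        _systype, userid = value
        return f"{userid}@{remote_host}"
    if kind == "error":
        return f"unknown@{remote_host} (ident: {value})"
    return f"unknown@{remote_host} (ident: malformed reply)"


# Constructed sample replies, as a sending host's ident server might answer
# the query build_query(6191, 25).
SAMPLE_OK = b"6191, 25 : USERID : UNIX : alice\r\n"
SAMPLE_NOUSER = b"6191, 25 : ERROR : NO-USER\r\n"
SAMPLE_WRONG_PORTS = b"6192, 25 : USERID : UNIX : alice\r\n"
SAMPLE_GARBAGE = b"not an ident reply\r\n"

if __name__ == "__main__":
    host = "ws.example"  # constructed hostname of the sending workstation
    print(build_query(6191, 25))
    for sample in (SAMPLE_OK, SAMPLE_NOUSER, SAMPLE_WRONG_PORTS, SAMPLE_GARBAGE):
        print(annotate_sender(host, parse_reply(sample, 6191, 25)))
```

The mismatched-port and garbage cases are the ones a careful MTA must treat as "unknown" rather than fall back to whatever text arrived; the point of the post stands either way, since a host whose owner runs a lying ident server (category 2) will simply return a well-formed reply with any username it likes, and the header then correctly says only that the claim came *from that workstation*.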