From: mrc@Tomobiki-Cho.CAC.Washington.EDU (Mark Crispin)
Newsgroups: alt.security
Subject: Bernstein on Convex
Message-ID:
Date: 8 May 92 00:05:49 GMT
Sender: news@u.washington.edu (USENET News System)
Organization: University of Washington
Lines: 30
Content-Type: TEXT/PLAIN; charset=US-ASCII
Mime-Version: 1.0

Bernstein claims that it is impossible to send mail to the Convex domain from my personal workstation without a non-Convex host appearing in the header someplace.

He is wrong. It is possible. It would take a bit of effort to set up the attack properly, as well as some experimentation to gain some useful information about the internals of the Convex network, but it can be done.

I will not go into the details of the attack, other than to say that there is a difference between what you *think* is part of your infrastructure and what has been made part of your infrastructure. There are things you can do with certain IP protocols that may surprise you. Again, these are techniques beyond your typical clueless freshman, but they are also well-suited to being written up, step-by-step fashion, in cracker publications.

RFC-931 is worse than security by obscurity. It is security by complexity. There is nothing obscure about RFC-931; no secret that if well-guarded would stop a bad guy. If you think that RFC-931 solves any problems, you probably also think that shadow password files eliminate the need for making people pick passwords that won't succumb to a password cracker.

Bernstein may have some good ideas, but he is treading into the area of quackery. A quack may be sincere -- that is what distinguishes the quack from the fraud -- but is even more dangerous because of it. I suggest that Bernstein reassess what he is trying to push on people. If he spent half the amount of effort working on PEM that he did denouncing it, we might well have had a PEM infrastructure in place by now.