more Bernstein on SMTP tracing

2 views
Skip to first unread message

Mark Crispin

unread,
May 6, 1992, 2:13:20 AM5/6/92
to
Bernstein is still clueless. A user on a personal workstation A can send mail
to RFC-931 machine B that, to all appearances, is RFC-931 authenticated mail
on RFC-931 machine C.

I don't know about NYU, but we have a gaggle of personal machines in computer
labs and offices. We haven't determined any way to guarantee such complete
control over these machines that nobody, on any machine, at any time, can ever
run evil software. Perhaps some university in Peking can do it, but we can't
afford to have machine-gun armed security guards sitting watch over each box
and every metre of coax, fiber, and twisted pair.

Plug'n'play software to do such things exists. Fortunately, it is kept under
very tight control. You won't find it on any FTP server.

-- Mark -- (that's Mark with a `k', not a `c')

Dan Bernstein

unread,
May 6, 1992, 3:10:25 PM5/6/92
to
In article <MS-C.705132800...@Tomobiki-Cho.CAC.Washington.EDU> Mark Crispin <m...@Tomobiki-Cho.CAC.Washington.EDU> writes:
> Bernstein is still clueless. A user on a personal workstation A can send mail
> to RFC-931 machine B that, to all appearances, is RFC-931 authenticated mail
> on RFC-931 machine C.

Mark is lying. He cannot, from his personal workstation, send mail to
hosts within the convex.com domain (where, I am told, some experimental
RFC 931 servers are running) without having some non-Convex host appear
in the headers. Mark can't even *touch* TCP/IP in that domain---or in
thousands more around the Internet.

What Mark is trying to say is that it's not difficult to break TCP.
Indeed, that's why I had category (5): more people can control TCP
between A and B than just the A and B sysadmins! So what have you
contributed to the discussion, Mark?

> Plug'n'play software to do such things exists. Fortunately, it is kept under
> very tight control. You won't find it on any FTP server.

Ooh ah. Are we supposed to be impressed? Everyone else: If you want an
accurate summary of TCP/IP weaknesses, read Steve Bellovin's paper on
the topic. The attacks he outlines require more technical skill to
understand and implement than RFC 931, but once again you don't have to
trust Mark's summaries (or mine). Steve also has a paper (which,
unfortunately, hasn't been distributed widely) on the lack of DNS
security, which is somewhat relevant to mail headers. Don't listen to
Mark's self-serving ``I know better than you do'' rhetoric; read the
papers and learn about the attacks for yourself.

---Dan

Chet Ramey

unread,
May 20, 1992, 4:46:05 PM5/20/92
to
Mark Crispin <m...@Tomobiki-Cho.CAC.Washington.EDU> writes:
>Bernstein is still clueless.

``These wounds I had on Crispin's day.''
-- Henry V, Act IV, Scene III
--
``The use of history as therapy means the corruption of history as history.''
-- Arthur Schlesinger

Chet Ramey, Case Western Reserve University Internet: ch...@po.CWRU.Edu

John Hascall

unread,
May 20, 1992, 11:14:47 PM5/20/92
to
ch...@odin.INS.CWRU.Edu (Chet Ramey) writes:
}Mark Crispin <m...@Tomobiki-Cho.CAC.Washington.EDU> writes:
}>Bernstein is still clueless.

}``These wounds I had on Crispin's day.''
} -- Henry V, Act IV, Scene III

You left out the best part... ;-)

``He which hath no stomach to this fight,
Let him depart;''

John

Reply all
Reply to author
Forward
0 new messages