Aduke.1873
net.followup
utcsrgv!utzoo!decvax!duke!bcw
Fri Mar 12 02:11:12 1982
Re: On telling people not to crack security
Mark's partly right;  it is possible to protect against *some* abuses
of smart terminals.  There are still a couple of problems with his
proposed solution:

   1)  Some terminals (such as the Hazeltine) use characters other than
       the 000-037 (octal) [the nonprinting characters less than space]
       to lead in to control sequences.  In the case of the Hazeltine,
       the lead-in character is the ~, of all things.  Other terminals
       use things like } as the lead-in character.  I'm not sure you
       could arrange to be very safe unless you disallowed all of the
       lower case characters (0140-0177 [octal]) as well, although even
       then there may be some offending terminal somewhere which uses
       something like \\ as a lead-in character.

   2)  Although the simple-minded letter bombs like mail bombs have
       been fixed by this method (with the reservations mentioned above),
       there's still the problem of readable files.  A similar problem
       already exists for any *programs* executed by the super user,
       but it's easy to forget (or not even realize) the problem with
       the *terminal* even if the system manager is aware of the problem
       with *programs*.

   3)  Don't forget news!  This has the same potential as a letter
       bomb, if anybody can submit an article to it at a particular site.

   4)  Then there's all kinds of other programs (even Empire telegram
       files could be abused this way) which would also have to be
       fixed.

Have fun thinking about this -- the possibilities are probably endless,
though I think we have a pretty good start.

In fairness to Unix, there are a lot of systems which are in a *much*
worse situation; there's not even the possibility of making them secure
even in principle ...

                       Bruce C. Wright @ Duke University
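
Added example, not part of the original post: a display filter for untrusted text (mail, news, readable files) that neutralizes a terminal's printable lead-in character as well as the control range, next to a control-only filter that lets the Hazeltine "~" through. The terminal names, the table layout and the sample string are assumptions made for illustration; only "~" for the Hazeltine and "}" for other terminals come from the post.

```python
# Added example, not from the original post. Terminal names and the table
# layout are assumptions; only "~" (Hazeltine) and "}" come from the post.
LEAD_INS = {
    "hazeltine": "~",      # printable lead-in named in the post
    "brace-leadin": "}",   # hypothetical name for the unnamed "}" terminals
    "esc-leadin": "",      # hypothetical: lead-in is ESC (033), a control char
}
KEEP = {"\n", "\t"}                  # layout controls allowed through
ESCAPE_ALPHABET = set("<>01234567")  # characters the stand-ins are built from


def control_only_filter(text):
    """Drop 000-037 only: the kind of filter point 1 says is not enough."""
    return "".join(c for c in text if c in KEEP or ord(c) >= 0o40)


def sanitize(text, terminal):
    """Make untrusted text safe to display on the named terminal type."""
    if terminal not in LEAD_INS:
        # Fail closed: without knowing the lead-in we cannot know what is safe.
        raise ValueError("unknown terminal type: %r" % terminal)
    lead = set(LEAD_INS[terminal])
    if lead & ESCAPE_ALPHABET:
        # Covers the post's worry about odd lead-ins: never emit one ourselves.
        raise ValueError("stand-in notation would emit a lead-in character")
    out = []
    for ch in text:
        code = ord(ch)
        if ch in KEEP:
            out.append(ch)
        elif code < 0o40 or code >= 0o177 or ch in lead:
            out.append("<%03o>" % code)   # visible octal stand-in
        else:
            out.append(ch)
    return "".join(out)


# Constructed sample; "~Z" is a placeholder, not a real terminal command.
SAMPLE = "hello\033[2J ~Zworld}\177"

if __name__ == "__main__":
    print(repr(control_only_filter(SAMPLE)))
    print(sanitize(SAMPLE, "hazeltine"))
```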

-----------------------------------------------------------------
gopher://quux.org/ conversion by John Goerzen <[email protected]>
of http://communication.ucsd.edu/A-News/


This Usenet Oldnews Archive
article may be copied and distributed freely, provided:

1. There is no money collected for the text(s) of the articles.

2. The following notice remains appended to each copy:

The Usenet Oldnews Archive: Compilation Copyright (C) 1981, 1996
Bruce Jones, Henry Spencer, David Wiseman.