Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!yale!cmcl2!kramden.acf.nyu.edu!brnstnd
From: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)
Newsgroups: comp.unix.internals
Subject: Re: Finding Passwords
Message-ID: <9102:Sep2521:04:0390@kramden.acf.nyu.edu>
Date: 25 Sep 90 21:04:03 GMT
References: <24590@adm.BRL.MIL>
Organization: IR
Lines: 21

In article <24590@adm.BRL.MIL> ssds!tims@uunet.uu.net (Tim Sesow (SSDS Rocky Mntn)) writes:
> One way out: stick to TELNET sessions and ALWAYS disconnect and reconnect
> before logging on.

Even this isn't good enough. Despite popular myth, there is a way to
sneak a Trojan Horse under a pseudo-tty (under BSD, at least). Please,
kids, don't bother sending me mail asking how to do this; learn to read
your own man pages.

And what do you propose to do about public terminals? Too many terminal
concentrators don't provide a trusted path. Many communications programs
are just a bit too configurable.

Some universities (like MIT) have an atmosphere of trust where nobody
would take advantage of such problems; some universities (like NYU) have
an atmosphere of trust where we'll draw and quarter any student who
misbehaves and stick his head on a pike in front of the building. But
it's still an issue to think about.

Disclaimer: I've never been personally involved in sticking anyone's
head on a pike. :-)

---Dan