Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!vtserf!wizards!valdis
From: valdis@wizards.vt.edu (Valdis Kletnieks)
Newsgroups: comp.unix.internals
Subject: Re: Duplicating ASCII bel in the tty driver (was Re: Changing tty drivers)
Message-ID: <503@vtserf.cc.vt.edu>
Date: 23 Oct 90 18:46:14 GMT
References: <24752@adm.BRL.MIL> <1990Oct16.173128.7280@onion.pdx.com> <CEDMAN.90Oct23083648@lynx.ps.uci.edu>
Sender: news@vtserf.cc.vt.edu
Reply-To: valdis@wizards.vt.edu (Valdis Kletnieks)
Organization: Virginia Polytechnic Institute and State University
Lines: 33

In article <CEDMAN.90Oct23083648@lynx.ps.uci.edu>, cedman@lynx.ps.uci.edu (Carl Edman) writes:
|> No, no , no, no ! You didn't read what I wrote I explicitly stated that
|> this would only apply to fixed hardwired "dumb" terminals in public
|> access areas. There it is that the problem of spoofs is the greatest
|> and where this feature would be most effective. On this kind of terminal
|> NO compilcated file transfer protocoll is going to run and the system
|> managers will know the kind of terminals they have well enough to
|> always install the right bell character.
|> 
|> On the other hand, for dialup lines on which most file transfer protocolls
|> are run there is little (altough not no) chance of spoofs. So this
|> would NOT apply to them.

For the terminally dense among us, explain why a dialup line has less chance
of a spoof.  I know if *I* were a hacker trying to get a password, I'd
rather attack the dialup lines, and suck in the password from somebody who
rates a terminal at home, than glom onto a password from some weenie who
is still trying to figure out that editors are used to modify files.

Dial in, run your program (remember to block SIGHUP), and hang up.  Better
chance of getting an "interesting" password, and no eyewitnesses ("Yeah, this
geeked-out hacker type was there - 5'6, 175, brown hair, scar on left cheek,
answered to the name of "Rover".....").  

Saying "There's little chance of spoofs, so we won't bother checking for them"
is just ASKING for trouble.  It's like saying "Well, we're a bank, and since
80% of all bank robbers come in the front door, we'll only put security cameras
out front, and hope we dont get hit by the 20% that sneak in the back..."


					Valdis Kletnieks
					Computer Systems Engineer
					Virginia Tech