Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!zaphod.mps.ohio-state.edu!cis.ohio-state.edu!tut.cis.ohio-state.edu!ucbvax!ECLECTIC.COM!kovar
From: kovar@ECLECTIC.COM (David C. Kovar)
Newsgroups: comp.protocols.appletalk
Subject: Watch, peeking, and security threats
Message-ID: <9105160430.AA04272@eclectic.com>
Date: 16 May 91 04:30:15 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 36

We went through this whole thing when I was back at Dartmouth when the Macs first came out. The school paper went nuts when they found out that 15 of us had Peek. They only quieted when it was pointed out that since we were in a networking course, we could probably rewrite Peek given a few days and the incentive to do so.

The problem isn't in the tools that let you see the wire, it's in the applications that are stupid enough to transmit important data in the clear. Telnet/ftp have been doing this since they were first written, and people have been complaining for nearly as long. It's a shame that it may take security violations to get this sort of thing fixed, but that's what it looks like. If you want to know about some real security horror shows, ask me about CE Software's QuickMail when I get back from the Macintosh Developer's Conference next week.

If you want to learn a bit more about this stuff, and read more about the Peek stuff at Dartmouth and what they've done about it, get ahold of the next issue of ISPNews. (Information Security Product News.) I wrote an article that'll be appearing in there. I can send email copies of it out next week if anyone's interested.

Also, if you're interested in such things, System 7.0 is going to make Mac security much more interesting. Apple Events, PPC, and the like, really open up your Mac to just about anyone if you're not careful. Apple seems to be taking some interest in building security tools into the system, but I'm not exactly sure what's there, yet.

-David Kovar

P.S. If you're REALLY interested in authentication systems for the Mac, feel free to send me mail on that as well. We're developing a pretty neat two factor authentication system....