Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!att!ucbvax!cs.glasgow.ac.uk!inei
From: inei@cs.glasgow.ac.uk (Nick Nei)
Newsgroups: comp.protocols.appletalk
Subject: Re: Cayman's 'Watch' is security threat.
Message-ID: <2711.9105212053@crete.dcs.glasgow.ac.uk>
Date: 21 May 91 20:53:56 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 49

Many thanks to all who responded and participated in the discussion.

Briefly, my problem: in a student lab, some students are spying on
fellow students' UNIX login passwords using Cayman's Watch, which samples
AppleTalk packets on LocalTalk.

Suggested solutions:

* Cut off fingers of perpetrators and parade them in public.
  (We will be doing that - not literally!)

* Use Kerberos.
  (But will it work with NCSA Telnet? Is there an NCSA Telnet version
  that is Kerberos compatible around somewhere?)

* Remove Watch from disc.
  (It never was on public hard disc and not to ask students to remove
  their copies is not a workable solution.)

* Ask Cayman to produce copies of Watch which register themselves on
  network.
  (A case of closing the stable door after the horse has bolted?)

* Subnet the network and minimise the damage.
  (Not really satisfactory. Everybody is still nervous/paranoid.)

* Write a watchdog program which watches AppleTalk for sniffer programs
  like Watch.
  (Not a bad idea, but does not prevent hackers from writing a sniffer
  themselves, and how will I know the name of the hacker? I can't
  believe the name in the Chooser is real.)

* Make all Macs run Responder, and when one goes off air, check what
  user is up to.
  (Won't work for us - we have over 500 Macs in dispersed labs.)

* Pray no one uses Watch, Peek, etc.
  (Have been doing this!)

No one has offered a satisfactory solution.

How about augmenting NCSA Telnet and telnetd on the UNIX site?
Using one-way encryption, NCSA Telnet sends encrypted password to telnetd,
which decrypts it before giving it to login. Proviso: this solution only
protects password and nothing else. Can any expert out there tell me if
this is feasible?

Mail:   Nick Nei, Computing Science Dept., Glasgow Univ.,
        17 Lilybank Gardens, Glasgow G12 8QQ, UK.
Tel:    (041) 339 8855 x 5457
ARPA:   inei%uk.ac.glasgow.dcs@nsfnet-relay.ac.uk
USENET: inei@cs.glasgow.uucp
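
Added example, not part of the original post and not NCSA Telnet or telnetd code: one reading of the password-only scheme asked about above, in which the client sends a fixed one-way transform of the password, set beside a variant where the server issues a fresh challenge per connection. SHA-256, HMAC, the class names and the sample password are assumptions chosen for illustration; the point is what a passive listener on the shared LocalTalk segment gains from the bytes it records in each case.

```python
import hashlib
import hmac
import secrets

def one_way(password: str) -> bytes:
    """Fixed one-way transform of the password (assumed: SHA-256)."""
    return hashlib.sha256(password.encode()).digest()

class StaticHashServer:
    """Client sends one_way(password); server compares with its stored copy."""
    def __init__(self, password: str):
        self.stored = one_way(password)

    def login(self, wire_bytes: bytes) -> bool:
        return hmac.compare_digest(wire_bytes, self.stored)

class ChallengeServer:
    """Server sends a fresh nonce; client must return HMAC(key, nonce)."""
    def __init__(self, password: str):
        self.key = one_way(password)   # note: this stored key is password-equivalent
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def login(self, wire_bytes: bytes) -> bool:
        nonce, self.pending = self.pending, None   # each nonce is single-use
        if nonce is None:
            return False
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(wire_bytes, expected)

def client_response(password: str, nonce: bytes) -> bytes:
    return hmac.new(one_way(password), nonce, hashlib.sha256).digest()

def demo():
    password = "constructed-sample-password"   # constructed test value

    # Fixed transform: the recorded bytes are the same on every login,
    # so they work as a credential even though the password stays hidden.
    static = StaticHashServer(password)
    recorded = one_way(password)               # what the wire carried
    static_replay_accepted = static.login(recorded)

    # Challenge-response: the recorded answer is bound to one nonce.
    server = ChallengeServer(password)
    recorded = client_response(password, server.challenge())
    legitimate_accepted = server.login(recorded)
    server.challenge()                         # new connection, new nonce
    replay_accepted = server.login(recorded)
    return static_replay_accepted, legitimate_accepted, replay_accepted

if __name__ == "__main__":
    print(demo())
```

As the post's own proviso says, either variant covers only the login exchange; everything typed after login still crosses the wire in the clear.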