Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Path: utzoo!watmath!clyde!caip!lll-crg!hoptoad!gnu From: gnu@hoptoad.uucp (John Gilmore) Newsgroups: net.crypt,net.dcom Subject: Re: Security and dialbacks Message-ID: <906@hoptoad.uucp> Date: Sun, 20-Jul-86 16:50:14 EDT Article-I.D.: hoptoad.906 Posted: Sun Jul 20 16:50:14 1986 Date-Received: Mon, 21-Jul-86 06:36:25 EDT References: <199@pwcs.UUCP> Organization: Nebula Consultants in San Francisco Lines: 55 Xref: watmath net.crypt:819 net.dcom:2040 Here are the two messages I have archived on the subject. Another place to look is in the pretty good book by Bill Landreth, who was one of the teenagers arrested for cracking a variety of computers around the country. Unfortunately I forget the name and am not at home. I hope the proceeds from the book paid his legal bills; since he didn't do any harm to the systems he cracked, I think he's done society a service. From ptsfa!qantel!intelca!oliveb!glacier!decwrl!decvax!bellcore!ulysses!mhuxr!mhuxt!houxm!whuxl!whuxlm!akgua!gatech!gitpyr!kludge Wed Mar 12 13:45:44 1986 From: kludge@gitpyr.UUCP (Scott Dorsey) Newsgroups: net.crypt Subject: Re: Dialback (Re: Re: foiling password crackers) Message-ID: <1536@gitpyr.UUCP> Organization: Georgia College Of Universal Knowledge >> I hear IBM's mainframe has a fool-proof way of dealing with hackers. >> The computer stores each users phone number in memory. When the user >> calls in and completes the login correctly, the mainframe hangs up >> and calls the user back. This way the hacker would have to be at the >> users house to do any hacking! These devices do take some time to break into. First of all, a hacker has to obtain a valid access code. Having done that, he calls up the port, gives the access code, then calls the machine back on the line which is used by the machine to dialout (often the same line used to dialin). The machine gets a carrier and connects. We had one of these devices at work, and I would often do this while I was on the road and away from my home phone (which the machine knew about). From ptsfa!qantel!hplabs!sdcrdcf!sdcsvax!ncr-sd!ncrcae!ncsu!hes Sun Mar 16 11:05:17 1986 From: hes@ncsu.UUCP (Henry Schaffer) Newsgroups: net.crypt Subject: Re: Dialback (Re: Re: foiling password crackers) Message-ID: <3056@ncsu.UUCP> Organization: N.C. State University, Raleigh There was a discussion last year in either net.dcom or fa.telecom on methods of beaking into dialback (without physical access.) They mostly related to the window in which an incoming call may be received by the line being used for dialback. If the cracker then plays a dial-tone, the dialback site can be convinced that it has reached its intended number. (I don't have the article to repost.) --henry schaffer n c state univ [I believe the definitive article in that discussion was by Lauren Weinstein, vortex!lauren; perhaps he has a copy. The conclusion I recall reaching from reading the discussion was that the dialback modems were not particularly secure in and of themselves, though they can provide an additional layer of security to a system with existing safeguards. Having a dialback modem that provides access to the system console would not provide much security, since only one layer (the modem) would need to be breached before the system is wide open. --gnu] -- John Gilmore {sun,ptsfa,lll-crg,ihnp4}!hoptoad!gnu jgilmore@lll-crg.arpa May the Source be with you!