Path: utzoo!attcan!uunet!husc6!uwvax!rutgers!att!jhc
From: jhc@att.ATT.COM (Jonathan Hawbrook-Clark)
Newsgroups: news.sysadmin
Subject: Re: Security checkup
Keywords: security intruder self-help
Message-ID: <2316@att.ATT.COM>
Date: 5 Oct 88 20:01:00 GMT
References: <167@carpet.WLK.COM> <1454@lznv.ATT.COM> <233@ssbn.WLK.COM>
Reply-To: jhc@att.ATT.COM (Jonathan Hawbrook-Clark)
Distribution: na
Organization: AT&T ISL Middletown NJ USA
Lines: 20

In article <233@ssbn.WLK.COM> bill@ssbn.WLK.COM (Bill Kennedy) writes:
>Then why does your company have uucp logins without passwords? I agree
>with Jonathan (SA att-mt) that anyone could masquerade as anyone else,
>but dammit! Not without a valid password!

Actually this isn't true, we *do* have passwords on the nuucp login,
it's just that we choose to finesse the entire login procedure and
dump callers straight into the program they were going to invoke
anyway. This is done partially in the name of security, and partially
for convenience.

The problem of having unique logins/passwords for each site boils down
to one of key security. The security of having a key which is fairly
widely known, held in cleartext, and never changed, is minimal. So we
wouldn't trust it anyway.
--
Jonathan Clark
jonathan@mtune.att.com, attmail!jonathan
Any affiliation is given for identification purposes only.
The Englishman never enjoys himself except for some noble purpose.