09 Mar 08 17:14, Jeff Bowman wrote to Roy Witt:


 >> They can crash it. Someone has already shown how a netmail packet can
 >> be dropped on any system that might be in a route and the netmail will
 >> be sent to the system intended. No session or packet password
 >> required.

 JB> Yeah, one of the things I've started to notice with modern Fidonet is
 JB> the relatively lax security model.  Back in the day, there was long
 JB> distance to contend with, and your average Joe probably wasn't going
 JB> to go calling around to other systems far away to cause trouble when
 JB> it was on his dime. Local pranksters would be easier to track down.
 JB> And caller ID came into the picture eventually as well.

 JB> But internet connectivity for Fidonet made it a whole different ball
 JB> game.

As an example, Michiel van der Vlist showed me a way around all of the
security in place by dropping a netmail, addressed to my node, on my
echomail uplink's system. He was passworded out on my internet link and
couldn't connect directly.

 JB> The inherent nature of Fidonet, with direct sending of netmail
 JB> to other nodes and things of that sort, means most systems could be
 JB> capable of receiving mail from anyone.  There's no way that I'm aware
 JB> of that's currently implemented to ensure that a netmail (or echomail
 JB> for that matter) is truly from who they say they are, name or node or
 JB> path or whatever else you want to go by.  Binkd supports passwords,
 JB> but a.) you don't know who's actually using them, and b.) that really
 JB> only prevents them from receiving mail packets, not uploading it.
 JB> What a particular system does with insecure packets is completely
 JB> based on the configuration of that particular node.

Yes...on this system, it goes to a insecure mail area.

 JB> Basically, Fidonet suffers design flaws in similar ways to how IPv4
 JB> does (which the internet currently still manages to function with).
 JB> Neither were originally meant for the environment that they would
 JB> eventually function within. Everyone played by the honor system when
 JB> they were created.  And while the internet is of course a lot
 JB> different than Fidonet in terms of the sorts of users it sees, it
 JB> took the internet being exploited before they started trying to
 JB> implement safeguards.  They have the eventual solution of moving to
 JB> IPv6 (whenever that actually happens), but I don't know if anyone is
 JB> discussing Fidonet's future yet.

 JB> Of course, trying to implement any big change of Fidonet arguably
 JB> doesn't make it Fidonet anymore to some, and I know plenty of people
 JB> around here aren't fond of change, so I really dunno what the
 JB> solution is when it comes to that aspect of it.

 JB> --- D'Bridge 2.98

                R\%/itt



--- Twit(t) Filter v2.1 (C) 2000