TIP: Click on subject to list as thread! ANSI
echo: net_dev
to: Robert Williamson
from: joaquim homrighausen
date: 1995-09-09 17:17:16
subject: pkt security
>  There  is  neither a technical requirement nor policy that
 > requires a password  during  a  FTS1  session.  A packet in
 > an FTS1 session _may_ contain  a password, but is not
 > required.  More importantly, even if a session  password
 > and/or echomail packet security password exists for the  two
 >  systems,  there is no requirement that this password be used
 > during an FTS1 session.

Then explain to me the following:

FrontDoor calls a system for which the remote mailer requires a password.
An FTS-1 session is established, and thus the remote mailer's only method
of password verification is to check the .PKT header.

The .PKT just happens to contain several hundred NetMail messages, perhaps
even some Conference Mail messages. The remote mailer does not have any
.PKT unpacking capabilities because a .PKT "unpacker" is supplied
with the package, so the mailer exits, and the "unpacker" (which
could be compared to a Conference Mail processor I guess) starts to process
the .PKT file.

So the "unpacker" sees 2:270/17 as the originating address, looks
up the system in its database and -- would you believe it --  there's a
.PKT level password for that system. Only problem is.. they're not the
same.. whoops!

Since you seem to have achieved wisdom beyond your years, and I obviously
haven't, how are two applications that use a field for two different
purposes supposed to peacefully co-exist?

 > Frontdoor  is  an  example of software that attempts to
 > implement and enforce  the  opinions of the author as new
 > policy in it's code.  Some HUBS  have  attempted  require
 > certain  actions  on the part of their downinks,  based
 > upon  FD's  features

[..]

So by the same analogy, if someone buys a gun and commits a crime with it,
the manufacturer of the gun is liable to the victims of the crime.

I know you don't like FrontDoor, that much is obvious. But how someone
using it equals my opinions is beyond my comprehension.

 > Any  mailer  that  uses the same password for session and
 > security is somewhat  insecure,  there  are mailers, I am
 > told, that will not even allow this..  :)

We have chocolate, vanilla, and strawberry.

I guess they must be using a secret optional field in the FTS-1
specification that we haven't been given access to yet. Perhaps a
SuperInformationHighwayVirtualPasswordField?

---
* Origin: Absolute Solutions (2:270/17.6)
SEEN-BY: 10/8 1650 11/157 13/13 50/99 100/525 104/821 105/69 103 330 106/2000
SEEN-BY: 107/411 941 112/1 115/2 123/1 129/11 138/146 147/76 153/920 154/222
SEEN-BY: 157/586 161/55 167/92 170/400 200/204 203/15 512 209/342 720 215/705
SEEN-BY: 234/95 236/48 250/743 260/1 261/1096 267/200 270/101 102 103 280/1
SEEN-BY: 282/1 283/657 292/876 300/1 325/118 332/1 340/20 341/70 345/12
SEEN-BY: 346/35 348/105 353/246 357/1 362/37 380/25 387/31 396/1 403/150
SEEN-BY: 405/0 430/105 620/243 632/348 640/201 206 217 305 531 820 821 822
SEEN-BY: 640/823 690/660 700/101 711/409 410 413 430 431 807 808 809 816 934
SEEN-BY: 712/515 713/888 721/117 724/10 800/1 1000/1 2230/118 2430/1423
SEEN-BY: 2605/606 2613/5 2624/201 306 3412/1114 3417/26 3611/18 3612/240
SEEN-BY: 3615/50 3619/25 3653/777 7104/2 7877/2809
@PATH: 270/17 24/24 396/1 270/101 209/720 640/820 711/409 808 809 934
SOURCE: echomail via fidonet.ozzmosis.com

Email questions or comments to sysop@ipingthereforeiam.com
All parts of this website painstakingly hand-crafted in the U.S.A.!
IPTIA BBS/MUD/Terminal/Game Server List, © 2025 IPTIA Consulting™.