Date: Fri, 18 Aug 1995 00:02:14 -0400
From: Vadim Antonov <avg@postman.ncube.com>
Subject: passwords in the clear
Message-ID: <19950818040214.JDKJCmOgS6x3F20CIyxDIlEtUvcoVOr14re35UffXhc@z>

Dave Presotto wrote:
> My heart is broken, I can't go on. I thought I finally got
> rid of the damn things.
> Vadim, what is the property of your firewall that forces you
> to go to a scheme that anyone can break by watching packets
> go by?

If somebody can *watch* packets on Ethernet, that somebody can also *send* them, ok? The challenge-reply authentication is useless on LANs, as stealing an already authenticated TCP session is trivial. Sending an ARP bogon is very simple, and so is programming Pee-See cards for an arbitrary MAC address. Been there, done that.

The only way to defeat snoopers on Ethernet is to encrypt all data or to use filtering bridges, or to use a good application-level gateway and not bother with protection from insiders (which you never can do anyway... as an insider can always stick a floppy in your machine and voila! all data is his).

Please, the false expectation of "security" is worse than the known lack of it. Overall, the security must be *adequate*, not *perfect*. If a person can walk to my machine I won't bother protecting my files with anything more elaborate than plaintext passwords, and the company already has an application-level gateway. For many of us, SNK isn't worth the hassle (btw, I wrote the SNK stuff for BSD, so you can't call me ignorant or whatever).

--vadim

PS: A helpful SNK hint: to erase the memory you don't need to remove the batteries, just type in:

    ON 3 ENT 00000000 ENT

Repeat the sequence, and it'll give you the EO - prompt.
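The message argues that a forged ARP reply ("ARP bogon") lets anyone on the segment take over an authenticated session. From the defender's side, the cheapest signal is an IP whose MAC binding suddenly changes. The following watcher is an added example, not code from the original mail or from any project it mentions; the ARP reply tuples are constructed for illustration.

```python
"""Flag IP-to-MAC binding changes in a stream of ARP replies.

Added example, not part of the original message: a minimal detector for the
kind of forged ARP reply the mail refers to. Input tuples are constructed
for the example; a real deployment would feed it ARP replies captured on the
segment being watched.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: (timestamp, sender IP, sender MAC) taken from ARP replies.
SAMPLE_ARP_REPLIES = [
    ("10:00:01", "10.0.0.1",  "aa:bb:cc:00:00:01"),   # gateway announces itself
    ("10:00:02", "10.0.0.42", "aa:bb:cc:00:00:42"),
    ("10:00:05", "10.0.0.1",  "aa:bb:cc:00:00:01"),   # same binding, benign
    ("10:00:09", "10.0.0.1",  "de:ad:be:ef:00:99"),   # gateway IP now claims a new MAC
    ("10:00:10", "10.0.0.1",  "aa:bb:cc:00:00:01"),   # flaps back to the original
]

@dataclass
class ArpWatcher:
    """Track the first MAC seen for each IP and report later disagreements."""
    bindings: Dict[str, str] = field(default_factory=dict)
    alerts: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def observe(self, ts: str, ip: str, mac: str) -> bool:
        """Record one ARP reply; return True if it conflicts with the known binding."""
        mac = mac.lower()                    # normalise case so aa:.. and AA:.. compare equal
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac          # first sighting: learn it
            return False
        if known == mac:
            return False                     # consistent with what we learned earlier
        # Binding changed: a legitimate NIC swap or a forged reply; either way worth a look.
        self.alerts.append((ts, ip, known, mac))
        self.bindings[ip] = mac              # follow the change so a flap back is reported too
        return True

def scan(replies):
    """Run the watcher over (ts, ip, mac) tuples and return the alerts found."""
    watcher = ArpWatcher()
    for ts, ip, mac in replies:
        watcher.observe(ts, ip, mac)
    return watcher.alerts

if __name__ == "__main__":
    for ts, ip, old, new in scan(SAMPLE_ARP_REPLIES):
        print(f"{ts} ARP binding change for {ip}: {old} -> {new}")
```

On the sample input the gateway's two binding changes are reported and the unchanged host is silent; a NIC replacement will trigger the same alert, so the check is a prompt to investigate rather than proof of a forged reply.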