Human-Nets-Request%rutgers@brl-bmd.UUCP (Human-Nets-Request@rutgers) (12/15/83)
HUMAN-NETS Digest        Thursday, 15 Dec 1983      Volume 6 : Issue 82

Today's Topics:

    Response to Query - Human-nets/USENET gateway (2 msgs),
    Computer Security - Legal incentives for good security? &
                        Passwording (3 msgs)

----------------------------------------------------------------------

From: sdcsvax!davidson@Nosc (Greg Davidson)
Date: 10 Dec 1983 1539-PST (Saturday)
Subject: Human-nets/USENET gateway

Gateways between arpanet mailing lists and USENET newsgroups do exist. However, some problems emerge from this distribution that I will discuss. First, though, there is for each arpanet mailing list, foo, a corresponding USENET newsgroup fa.foo; fa meaning ``From Arpanet''.

Recently whoever was providing the gateway between human-nets and fa.human-nets shut it off. I don't know the situation in this particular case, but I can state the usual problem. News gateway sites are also mail gateway sites, to allow folks on either net to respond to article authors resident on one of the other nets. The news gateway quickly advertises the gateway site as a mail gateway. Soon the mail gateway is being used by tens of thousands of people all over USENET land. The worst problem is with people in USENET land who put their UUCP addresses on arpanet mailing lists. The volume of traffic soon becomes unbearable and the gateway site shuts down its unrestricted distribution.

Now on the USENET, that does not exhaust all of the gateway site's options. In addition to the internationally distributed newsgroups, net.ALL and fa.ALL on the USENET, most local areas, and some large organizations have a local subnet, e.g., sdnet.ALL (San Diego), ba.ALL (SF Bay Area), btl.all (Bell Telephone Laboratories) etc. Within these subnets, there's often an arpanet gateway site, and so there will appear sdnet.human-nets, etc., gated with the arpanet. The gateway sites will actually gate mail from and to anywhere, but they have learned to keep a low profile.
I expect that after a while, a new site will volunteer to gate fa.human-nets, but what I recommend, if you're interested in something for your own geographic area or administrative domain, is that you set up local gateways. These will be more reliable and cause less trouble.

The biggest problem with the unrestricted gateways is the people who want to be directly on the arpanet mailing lists. Thus, for example, one gateway site found that it was devoting a VAX 11/780 exclusively to the gateway task, and it was still bogging down under thousands of identical copies of sf-lovers, human-nets, etc. I suppose that if the arpa mailing lists were to reject uucp addresses it would help a lot, but this would need to happen in a coordinated fashion with a new gateway site starting up, in order to avoid cutting off a lot of people.

A second solution would be if multiple gateways could exist for the same mailing lists, with the USENET software recognizing identical copies of articles from different gateways as such. If enough gateways could be set up in a sufficiently short period of time, this could automatically create the necessary segmentation of the USENET, without leaving anyone out.

This solution, and other solutions requiring USENET software changes, are complicated by the nature of the USENET. Many of the problems of world-net that have been discussed intellectually on human-nets for years are occurring now on the USENET. The USENET is slowly and painfully implementing mechanisms, such as finer control of distributions, to attempt to control the problems. The problem grows worse as more sites join, and soon, thanks to Lauren, any IBM-PC can be on the net. The solutions are delayed partly by the time it takes software developers (who are mostly doing these things in their spare time) to implement solutions, but mostly by the constraint of having to maintain compatibility with very old versions of the USENET software.
As with world-net, the environment supporting the network software is extremely diverse, making grand new schemes unimplementable.

Well, I've simplified things a lot in my presentation. I've left out the fact that the USENET is carried by more than one underlying network, although it's carried mostly by the UUCP network. I've also left out the fact that there are other high-level news networks gatewayed with arpanet mailing lists and USENET newsgroups, e.g., notesfiles. It's time to readdress all of the world-net topics now that we have a de facto world-net to try out our solutions on.

-Greg

------------------------------

Date: 10 December 1983 20:27 EST
From: Robert Elton Maas <REM @ MIT-MC>
Subject: Routing Human-Nets To Usenet

A while back the SPACE mailing list linked with a USENET news group, and ever since we've been getting "dumb" messages from USENET people who don't know simple facts about physics. I wonder if linking HUMAN-NETS with USENET would likewise water down the quality of our discussions?

With SPACE it was a tradeoff. With just Arpa members the SPACE digest wasn't very active much of the time, it'd go into a lull for a few weeks every so often. But with all the junkmail from USENET it seems to be active every day. HUMAN-NETS seems to be active enough as is, and the addition of USENET would only cause constipation and frustration rather than saving the digest from inactivity.

Perhaps a big-topics link could be implemented. Somebody on each network would browse the mail from the other network without answering any of it. If some interesting new topic comes up, it could be introduced into that browser's own network discussion and after a month or so the results of the induced discussion could be reported back to the net where that topic originated. That way all subjects could be covered on both nets and results shared without doubling the mail volume on both systems.
------------------------------

From: sdcsvax!davidson@Nosc (Greg Davidson)
Date: 10 Dec 1983 1604-PST (Saturday)
Subject: Legal incentives for good security

All of the new computer security laws that I have seen put all of the legal force on the evil cr/h/acker who is trying to break into a system. To what extent should an organization which offers computer services to organizations and individuals be liable for having poor security? Do any of the laws address this point? In particular, if a system is particularly inviting or easy to break in to (not necessarily the same thing), is it in any legal sense tempting people to break into it? How do legal statutes or legal practice view joy riding in a hot sports car left on a busy street with its top down and the key in the ignition?

The security precautions recently discussed on this list, and which are sufficient to counter almost all break-in strategies, have been known about for years, but only occasionally implemented. If a system I maintained was violated by any of these hacks, I would neither call the FBI nor applaud the hacker who did it; I'd simply turn red with embarrassment and fix the problem.

-Greg

------------------------------

Date: Sat, 10 Dec 83 16:18:31 PST
From: Willard Korfhage <korfhage@UCLA-ATS>
Subject: Easy way to generate odd passwords

For those who want to generate unpronounceable passwords that are easy to remember, pick a familiar - but not necessarily your most favorite - book, song, movie, or whatever and select letters from that title according to some rule (e.g. second letter of every word).

------------------------------

Date: 10 December 1983 20:51 EST
From: Robert Elton Maas <REM @ MIT-MC>
Subject: password security

My favorite way to make up easy-to-remember but hard-to-guess passwords is to start with a normal word that is meaningful to the user and change a couple letters in strange ways.
A password guessing program would have to try not just the online dictionary but all deliberate misspellings, i.e. about 400 times the dictionary if one change is made (26 letter possibilities in 8 inserted or 8 replacement spots) or about 80,000 times the dictionary if two changes are made (400*400/2).

For average users with no special security requirements, this should prevent intrusion if disconnect after three wrong guesses is used by the login process. (If there are 50,000 words in the dictionary, then it takes 5e4 * 8e4 = 4e9 guesses. If redialing and establishing carrier takes 21 seconds each time, that's 7 seconds per guess, for a total of 2.8e10 seconds = 890 years. Even if the base dictionary word can be guessed correctly without trial and error, that's still 8e4 tries = 5.6e5 seconds = 6.5 days of continuous trying which is long enough to come to the attention of system administrators and get the call traced and get a search warrant and carry out the search. Average search time is half that, 445 years or 3.25 days, still adequate protection I think.)

Military and superuser/wizard passwords can of course have even more stringent requirements to make break-in virtually impossible by password-guessing. Anybody have rebuttal or comment on my calculations or conclusions?

------------------------------

Date: 11 December 1983 0108-pst
From: Jerry Bakin <Bakin @ HI-MULTICS>
Subject: Re: password security

I haven't followed the entire password discussion, so a thousand pardons if this has been brought up before. I just wanted to let people know that passwords can be selected on a random basis, be mnemonic, and be as long or as short as you wish. On Multics, there is an argument to the login command to have Multics generate a new password. Similarly, there is a program -- generate_words -- which will also generate multi-syllable words.
Arguments to this program are the minimum and maximum length of the word, and whether or not the words should be printed with hyphens between the syllables. Multics can quite often come up with a humorous, random password which does not need to be written down; can be typed in quite easily; and does not need upper case letters, control characters, or any other "hard-to-guess" sequences. I've included 99 of them for your amusement. Note the hyphens are often interpreted as the method of pronunciation. It is amusing to note how many of them come close to being actual words, and how many of them just fall short of being obscene in sound or meaning.

    snab    snab      | veab    veab      | isho    i-sho
    bedbur  bed-bur   | ouya    ou-ya     | tijves  tij-ves
    ojrys   oj-rys    | viyes   vi-yes    | tofyu   tof-yu
    dyji    dy-ji     | uvilip  u-vi-lip  | nayley  nay-ley
    liszew  lis-zew   | ivac    i-vac     | stry    stry
    zejry   zej-ry    | typka   typ-ka    | doye    doye
    udveta  ud-ve-ta  | obgoa   ob-goa    | deva    de-va
    meakry  meak-ry   | cemvog  cem-vog   | otnec   ot-nec
    oyngug  oyn-gug   | geet    geet      | jaunew  jau-new
    wore    wore      | rubpaz  rub-paz   | zyde    zyde
    rentu   ren-tu    | reds    reds      | devtir  dev-tir
    koge    koge      | fetjoi  fet-joi   | meed    meed
    grito   gri-to    | meuyo   meu-yo    | vata    va-ta
    noosko  noos-ko   | pilaw   pi-law    | rictan  ric-tan
    quenwu  quen-wu   | odbyg   od-byg    | oufpu   ouf-pu
    ryte    ryte      | phev    phev      | kaif    kaif
    ebko    eb-ko     | hion    hi-on     | virdaj  vir-daj
    oyrue   oy-rue    | odnu    od-nu     | daci    da-ci
    sobcya  sob-cya   | fisec   fi-sec    | ferigo  fe-ri-go
    lebmi   leb-mi    | eoteec  e-o-teec  | ecyb    e-cyb
    drok    drok      | neelg   neelg     | eftu    ef-tu
    gadla   gad-la    | etvoc   et-voc    | eter    e-ter
    ayeev   a-yeev    | vifco   vif-co    | vavu    va-vu
    prie    prie      | lebgu   leb-gu    | megpa   meg-pa
    gond    gond      | soza    so-za     | ruji    ru-ji
    debrur  de-brur   | ibyab   i-byab    | bovaj   bo-vaj
    hebwu   heb-wu    | dewjou  dew-jou   | kompu   kom-pu
    owpan   ow-pan    | icipy   i-ci-py   | wawnnu  wawn-nu
    lugi    lu-gi     | goft    goft      | hyodmu  hyod-mu
    rukoa   ru-koa    | stas    stas      | wofaw   wo-faw
    evvu    ev-vu     | ilcla   il-cla    | udse    uds-e
    snilp   snilp     | jedvu   jed-vu    | rulp    rulp
    filec   fi-lec    | byke    byke      | totsh   totsh

Jerry Bakin <Bakin -at Hi-Multics>

------------------------------

End of HUMAN-NETS Digest
************************
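The two password threads in this issue, REM's guess-count arithmetic and Bakin's description of the Multics generate_words program (minimum and maximum length, optional hyphens between syllables), as one added worked example. This is not code from the digest and not the Multics program itself: the syllable tables, the rejection-sampling rule for fitting the length range, and the function names are this example's own assumptions, and the search-space figures it reports are upper bounds.

```python
import math
import random
import secrets

# Assumed syllable inventory for this example (not the tables Multics'
# generate_words actually used): a consonant onset, a vowel nucleus and a
# consonant coda; onset and coda may be empty, the nucleus never is.
ONSETS = ["", "b", "c", "d", "f", "g", "h", "j", "k", "l", "m", "n", "p", "r",
          "s", "t", "v", "w", "z", "st", "sn", "dr", "gr", "pr", "tr", "qu"]
NUCLEI = ["a", "e", "i", "o", "u", "y", "ou", "oy", "ea", "ee", "ai", "au"]
CODAS = ["", "b", "c", "d", "f", "g", "k", "l", "m", "n", "p", "r", "s", "t",
         "v", "w", "z"]
ALL_SYLLABLES = {o + n + c for o in ONSETS for n in NUCLEI for c in CODAS}


def make_syllable(rng):
    """Draw one syllable uniformly from the onset x nucleus x coda tables."""
    return rng.choice(ONSETS) + rng.choice(NUCLEI) + rng.choice(CODAS)


def generate_word(min_len, max_len, rng=None, max_attempts=10_000):
    """Return (word, hyphenated) with min_len <= len(word) <= max_len.

    Mirrors the generate_words interface from the digest: syllables are
    appended until the word is long enough, and a word that overshoots
    max_len is discarded and redrawn (rejection sampling, so the length
    filter does not bias which syllables appear).  rng defaults to the OS
    CSPRNG; pass random.Random(seed) only for reproducible tests.
    """
    if not 1 <= min_len <= max_len:
        raise ValueError("need 1 <= min_len <= max_len")
    rng = rng if rng is not None else secrets.SystemRandom()
    for _ in range(max_attempts):
        syllables = []
        while sum(map(len, syllables)) < min_len:
            syllables.append(make_syllable(rng))
        if sum(map(len, syllables)) <= max_len:
            return "".join(syllables), "-".join(syllables)
    raise RuntimeError("no word fitted the requested length range")


def is_well_formed(word, hyphenated, min_len, max_len):
    """Check that a generator output obeys its own contract."""
    parts = hyphenated.split("-")
    return (min_len <= len(word) <= max_len
            and "".join(parts) == word
            and all(p in ALL_SYLLABLES for p in parts))


def demo(seed=0, count=5):
    """Deterministic sample for inspection and tests (seeded, so not for
    issuing real passwords; use generate_word with the default rng)."""
    rng = random.Random(seed)
    return [generate_word(4, 6, rng) for _ in range(count)]


def word_space_bits(n_syllables):
    """log2 of an upper bound on distinct n-syllable outputs.  It is an
    upper bound because different syllable sequences can spell the same
    word ('ab'+'a' and 'a'+'ba' both give 'aba')."""
    return n_syllables * math.log2(len(ALL_SYLLABLES))


def misspelling_multiplier(changes, length=8, alphabet=26):
    """REM's count of deliberate misspellings per dictionary word: one
    change is any of `alphabet` letters at `length` insert or `length`
    replace positions (26 * 16 = 416, which he rounds to 400); k unordered
    changes are approximated as m**k / k!, his 400*400/2 for k = 2."""
    per_change = alphabet * (length + length)
    return per_change ** changes / math.factorial(changes)


def crack_time_years(dict_size, multiplier, seconds_per_guess):
    """(worst case, average) years for one serial guesser under REM's
    model: every dictionary word times every misspelling, one redial
    (with its carrier set-up cost) per guess."""
    worst_seconds = dict_size * multiplier * seconds_per_guess
    worst_years = worst_seconds / (365.25 * 24 * 3600)
    return worst_years, worst_years / 2


if __name__ == "__main__":
    # Print a 3-column list in the layout of Bakin's 99 words.
    words = [generate_word(4, 6) for _ in range(99)]
    for row in range(0, 99, 3):
        print(" | ".join(f"{w:7}{h:9}" for w, h in words[row:row + 3]))
    print(f"3-syllable word space <= 2^{word_space_bits(3):.1f}; "
          f"REM's 50,000 x 80,000 scheme = 2^{math.log2(50_000 * 80_000):.1f}")
    print("worst/avg years at 7 s per guess:",
          crack_time_years(50_000, 80_000, 7))
```

With these tables a three-syllable word (roughly six to nine letters) has at most about 2^37 spellings against the 2^32 of REM's word-plus-two-misspellings scheme, and the generator's outputs are uniform over its syllable choices rather than anchored to a word the user picked. Both estimates only hold while the login process really does enforce the disconnect-after-three-failures rule that gives REM his 7 seconds per guess; without that rate limit the years collapse to hours, so the throttle, not the password rule, is the control to monitor.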