Human-Nets-Request%rutgers@brl-bmd.UUCP (Human-Nets-Request@rutgers) (09/01/83)
HUMAN-NETS Digest      Wednesday, 31 Aug 1983      Volume 6 : Issue 54

Today's Topics:
    Computer Security - The Sloan-Kettering VAX security,
    Computers and People - Teaching about Computers &
                           The Worth of Technology &
                           Computers and culture
----------------------------------------------------------------------

Date: 29 Aug 1983 1202-MDT
From: Walt <Haas@UTAH-20>
Subject: Sloan-Kettering VAX security

Sloan-Kettering probably made their VAX vulnerable to penetration from Telenet by interfacing to the network by the most popular method. This method works as follows:

                                             RS232
                              +-----------+  lines  +-----+
                              |  TP4000   |---------|     |
Telenet <==== X.25 line ====> | interface |---------| VAX |
                              |    box    |---------|     |
                              +-----------+         +-----+

The X.25 line runs to the Telenet packet switch and is probably about 4800 baud. Incoming calls are multiplexed onto the wire by the rules of CCITT Recommendation X.25. The purpose of the TP4000 is to demultiplex the incoming calls and make the network appear to the VAX as if it were a set of dialups. The RS232 lines coming out of the TP4000 go into the VAX exactly as if they came from so many modems.

TP4000 is a Telenet trademark, and there are in fact several other interface boxes that may have been used. They are all pretty similar. I am guessing at a TP4000 on the basis that it's the most popular box for this purpose.

When a virtual call is placed over Telenet to the VAX, the network hands an INCOMING CALL packet across the X.25 line to the TP4000. The TP4000 inspects the INCOMING CALL and replies with either a CALL ACCEPTED packet, or a CLEAR REQUEST packet to reject the call. The TP4000 can be programmed to make various judgements; I'm not sure exactly what its capabilities are in detail. If the TP4000 decides to accept the call, it indicates to the VAX that a call is present, and the VAX responds with the system herald.

The security of this method of connecting to Telenet is limited by the amount of scepticism you can program into your interface box, and also by your ability to do the programming. Most Telenet customers seem to have relatively little sophistication about the X.25 standard and the network that they're connected to.

Anyone with a terminal and a 300 or 1200 baud modem can dial up the Telenet public PAD (Packet Assembler/Disassembler) conveniently located near them and request that a virtual call be placed to whatever network address they type. For example, to connect to UTAH-20 you would type to the PAD:

    @c 80153.30

However, when your call came in to MY interface box, it would be rejected with a CLEAR REQUEST packet. The reason for this is that when you give the CONNECT command to a public PAD, the PAD builds a CALL REQUEST packet which requests the REVERSE CHARGING option. My interface box is programmed to reject any such call.

In order to connect to 80153.30 you have to agree in advance to pay for the call yourself. You do this by giving what Telenet refers to as a "password-ID" to the public PAD. This specifies a Telenet account to be charged for the call, and requires you to provide a password before the CALL REQUEST packet will be sent. The command looks like this:

    @ID ;80153.30/account PASSWORD=password

UTAH-20 will not print its herald until it sees a CALL REQUEST which does not request reverse charging.

My interface prints out the calling address from each CALL REQUEST packet that comes in, so I'm able to get some idea of how many people are trying to connect without a password-ID. There seem to be quite a lot of people dialing into public PADs and connecting at random. This is the network equivalent of the hacker practice of dialing numbers and listening for a carrier.

To the best of my knowledge, most Telenet sites are vulnerable to the kind of penetration that Sloan-Kettering experienced.
If you are in this category I encourage you to switch to the way we do it here.

Cheers -- Walt

------------------------------

Date: 30 Aug 1983 10:17-PDT
Subject: "Losers"
From: KIETZMANN@USC-ISIE

I fully agree with Greg Davidson's feelings about "Losers" being nothing more than poorly trained users. I don't know of anyone that has ever learned to walk without learning to crawl first. A teacher or trainer must begin with something that is known by the trainee or student and then proceed to more complex items.

Within any office, whether it is military, commercial, or educational in nature, there is always a certain degree of turnover of personnel. The reasons may be promotion within the company, a company (or military) directed transfer to another location, or just an individual just switching jobs. This turnover and movement of people leaves nearly all offices with a continuing need for an ongoing system of training their replacements.

My office went from 5 experienced, trained people to 2 plus an empty slot. At the time when an office is already in a busy situation, (covering the duties that would be done by the occupant of the empty slot, for example) the additional job of training the person to fill that empty slot can sometimes be frustrating. It is sometimes difficult to find much time in a small office to do justice to training someone when the normal requirements of the job always have first priority. Training of the replacements will then catch the lowest priority and result in "losers" as the output of your training program.

I have some ideas about a tutoring system I would like to see in a program for someday. It has 2 parts. The first part would let an "expert" write the tutorial frames (the text, question, and desired answer) for a tutorial lesson in his area of specialty, whether it might be administrative procedures, basics of using a certain text editor, or just generalized procedures used in an office.
This portion of the program would allow the "expert" to create the tutorial frames in an interactive mode or would accept properly formatted frames created by a text editor.

The second part of this tutorial system would show all of the subjects available to a prospective student (possibly as a menu) and walk the student through the selected topic interactively. The details of handling wrong answers, stopping in the middle and continuing later, feedback to the student, etc. have many possibilities and could be worked out later.

This type of a system would give the "losers" better training. Changes in the contents of the tutorial could be updated easily and in a timely manner. The training of new people would not be an additional burden or receive low priority because of the high priority of the normal duties of that office.

For quite some time, I have wondered about the availability of interactive tutorials on the ARPANET. I know of a couple, one to teach the basics of EMACS and another to teach some of the uses of control characters in TOPS-20. I would be willing to compile a list of tutorials and publish the list later in the Human-Nets Digest, if anyone would be interested. If anyone knows of tutorials available, send the information to KIETZMANN @ USC-ISIE.

I suggest the information desired about tutorials might be as follows:

    SUBJECT:
    LOCATION: (where it can be found presently)
    CURRENT OPERATING ENVIRONMENT: (USC-ISIE is a DEC machine running TOPS-20)
    LANGUAGE OF THE SOURCE CODE:
    AVAILABILITY: (arrangements for use by or transfer to other ARPANET people)
    CONTACT POINT: (for someone interested in obtaining the program)

------------------------------

Date: 24 Aug 1983 1255-MDT
From: Walt <Haas@UTAH-20>
Subject: Re: Techno-philosophy

    ...the public schools are scared to death to help students develop the tools (philosophy and morality) to sort out those messages, because they don't think people trust the schools to separate <philosophy and morality> from <ideology and religion>.

    Bruce Hamilton.ES@PARC-MAXC.ARPA

This is especially hard when local potentates go around making speeches to the effect that morality can only come from religion, as one did here not too long ago. My own opinion is that morality and religion are mutually exclusive - that is, if you are attempting to follow the dictates of a religion, then as a result you will end up doing immoral things.

The best discussion of the population problem, and why it is a problem, that I have ever found is in the book /Managing the Commons/, by Garrett Hardin. Hardin discusses what he calls "the tragedy of the Commons", which is a situation in which a group of people, each of whom is pursuing their own best interests, produces a result which is tragic for all of them.

The classic example is the common pasture. Suppose, for example, that you have a community-owned pasture that is capable of supporting 100 cows. There are ten herders, each of which has ten cows grazing on the pasture. At this point the pasture is producing as much as it is capable of. Now one herder decides to improve his lot in life, and adds an eleventh cow to his herd. There are now 101 cows grazing on a pasture which can support 100 cows.
Actually the sky does not fall, of course; all that happens is that each cow gets a little less than it needs, and so produces a little less milk and meat than it should (say about 1% less, for simplicity). The result is that the herder who added the extra cow is receiving about 9% more milk and meat, and the other nine are each receiving about 1% less, than before.

The herder who added the cow is richly rewarded for his enterprise, and so has an incentive to add yet another cow. So does each of the other nine herders. If they all do what they individually have an incentive to do, the result will be mass starvation!

There are two basic approaches to dealing with the problem, both of which are commonly used:

1) Establish an authority which limits the size of the herd to what the pasture will bear, and a system of allocation which allows each herder a certain amount of the pasturage. Pastoral societies generally have some such system.

2) Enclose the common pasture into ten private pastures, so that if one herder adds an eleventh cow to his pasture, only his other cattle will suffer. This social institution is called "property". Agricultural societies generally use this approach.

Both approaches have advantages and disadvantages. One advantage to the "allocation authority" approach, for example, is that it makes it possible to utilize grazing lands that are highly seasonal. Much of the grazing in southern Utah, and in other arid lands, needs to be done at lower elevations in the winter and higher elevations in the summer. The cost of several complete sets of pastures would be prohibitive if they were privately owned. On the other hand, common pasturage makes it impossible to do selective breeding of your own herd.

Human population is, of course, one of the thorniest "common pasture" problems. Most traditional societies have institutions to limit the number of kids you can have.
For example, it is common to have strongly negative sanctions against "illegitimate" child bearing. Many societies forbid marriage to men who have not yet accumulated enough land or cattle to support a family.

New technologies can and do create and remove "common pasture" type problems. One obvious example is the allocation of the electromagnetic spectrum. This is a classic common pasture situation solved by an allocating authority (which is the FCC in the US). An example of removing a common pasture problem by technology is the decline of native population which is taking place in virtually all of the industrialized countries of the world. It is now so expensive to buy the technology needed to make your kid self supporting, and so cheap to buy appliances that do the few jobs a kid is capable of, that lots of people find it more to their advantage to have few or no kids.

One of the things we need to ask ourselves as we invent new technologies is, what "common pasture" type problems will be created and removed by any given technology? ...because that is one of the major determinants of the resulting changes in social institutions.

Cheers -- Walt

------------------------------

Date: Mon 29 Aug 83 11:26:33-PDT
From: WYLAND@SRI-KL.ARPA
Subject: Computers and culture - Schroeder's comments

I didn't mean to imply that central computers nor large computers were dead or dying, just that they were no longer the focus of the developing idea of the computer. A net of personal computers still requires a central computer for store and forward of the net messages, and a central computer is also required for any organization (of 2 or more people) that has common files. Large computers are required for special problems such as modelling. These problems will continue to grow in size and importance, and their machines with them.

I still think that memory is the essence of the computer.
The fastest scientific calculator, without memory, cannot solve the modelling problems that a large computer can; however, a large, fast memory (say, 1 gigabyte at 10 nanoseconds) should be able to do a respectable job with the crudest (add and subtract integer only?) arithmetic unit.

I compared the large, central computers to railroads and the personal computers to automobiles and trucks. I think this analogy holds. A railroad carries huge quantities of bulk material at low cost. They are, and will probably remain, the prime method of handling the bulk of things to be moved from point a to point b. Their disadvantage is that they represent a fixed, relatively inflexible net of transportation. The car/truck represents flexibility: transportation driven by the individual user. The user determines the what, where, and when of the transportation problem.

Like the railroad, the large, central computer may be the most practical approach to handling very large problems, scientific or commercial, but with the disadvantage that the user must adapt to its capabilities and limitations. Like the car/truck, the personal computer is adapted to the user and the user's changing requirements.

I think that the personal computer is the new focus of the computer idea because the personal computer is where the next great growth area in total computer power (Mips x computers) and total memory (in terabytes) should occur. Although the personal computer usage may be 1-10% rather than the 50+% of a central computer, the total activity should be HUGE!

------------------------------

End of HUMAN-NETS Digest
************************
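
Added example, not part of the digest and not the actual programming of the TP4000 or the UTAH-20 interface: the screening rule described in the first message (clear any INCOMING CALL that requests reverse charging, accept the rest, and log the calling address) written in Python. The packet layout follows CCITT X.25; the function names, the fail-closed handling of malformed packets, and the sample packets with their address digits are assumptions constructed for illustration.

```python
INCOMING_CALL = 0x0B     # packet type octet shared by CALL REQUEST / INCOMING CALL
REVERSE_CHARGING = 0x01  # facility code; parameter bit 1 set = reverse charging

def parse_incoming_call(pkt):
    """Return (calling, called, reverse_charging); raise ValueError if malformed."""
    if len(pkt) < 5 or pkt[2] != INCOMING_CALL:
        raise ValueError("not an INCOMING CALL packet")
    calling_len, called_len = pkt[3] >> 4, pkt[3] & 0x0F
    addr_end = 4 + (calling_len + called_len + 1) // 2
    if len(pkt) <= addr_end:
        raise ValueError("truncated address or missing facility length")
    # Addresses are packed BCD, two digits per octet, called address first.
    digits = "".join(f"{octet:02x}" for octet in pkt[4:addr_end])
    if not digits.isdigit():
        raise ValueError("non-BCD address digit")
    called, calling = digits[:called_len], digits[called_len:called_len + calling_len]
    fac = pkt[addr_end + 1:addr_end + 1 + pkt[addr_end]]
    if len(fac) != pkt[addr_end]:
        raise ValueError("truncated facility field")
    reverse, i = False, 0
    while i < len(fac):
        code, cls = fac[i], fac[i] >> 6
        if cls == 3 and i + 1 >= len(fac):
            raise ValueError("truncated facility")
        # Classes A/B/C carry 1/2/3 parameter octets; class D has a length octet.
        size = 1 + fac[i + 1] if cls == 3 else cls + 1
        param = fac[i + 1:i + 1 + size]
        if len(param) != size:
            raise ValueError("truncated facility")
        if code == REVERSE_CHARGING and param[0] & 0x01:
            reverse = True
        i += 1 + size
    return calling, called, reverse

def screen_call(pkt, log):
    """Decide the reply packet and record the calling address, as the post describes."""
    try:
        calling, _called, reverse = parse_incoming_call(pkt)
    except ValueError as exc:
        log.append(f"CLEAR REQUEST: malformed packet ({exc})")  # fail closed
        return "CLEAR REQUEST"
    verdict = "CLEAR REQUEST" if reverse else "CALL ACCEPTED"
    log.append(f"{verdict}: calling={calling} reverse_charging={reverse}")
    return verdict

# Constructed sample packets; the address digits are made up for illustration.
HEADER = bytes([0x10, 0x01, 0x0B, 0x77]) + bytes.fromhex("80153309990001")
COLLECT_CALL = HEADER + bytes([0x02, 0x01, 0x01])  # reverse charging requested
PREPAID_CALL = HEADER + bytes([0x00])              # no facilities: caller pays
```

The log entries collected by `screen_call` correspond to the calling-address printout the post mentions, which is what lets an operator see how many reverse-charged connection attempts arrive.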