[fa.human-nets] HUMAN-NETS Digest V6 #54

Human-Nets-Request%rutgers@brl-bmd.UUCP (Human-Nets-Request@rutgers) (09/01/83)

HUMAN-NETS Digest       Wednesday, 31 Aug 1983     Volume 6 : Issue 54

Today's Topics:
        Computer Security - The Sloan-Kettering VAX security,
          Computers and People - Teaching about Computers &
                      The Worth of Technology &
                        Computers and culture
----------------------------------------------------------------------

Date: 29 Aug 1983 1202-MDT
From: Walt <Haas@UTAH-20>
Subject: Sloan-Kettering VAX security



Sloan-Kettering probably made their VAX vulnerable to penetration from
Telenet by interfacing to the network by the most popular method.
This method works as follows:
                                              RS232
                               +-----------+  lines  +-----+
                               |  TP4000   |---------|     |
Telenet  <==== X.25 line ====> | interface |---------| VAX |
                               |    box    |---------|     |
                               +-----------+         +-----+

The X.25 line runs to the Telenet packet switch and is probably about
4800 baud.  Incoming calls are multiplexed onto the wire by the rules
of CCITT Recommendation X.25.  The purpose of the TP4000 is to
demultiplex the incoming calls and make the network appear to the VAX
as if it were a set of dialups.  The RS232 lines coming out of the
TP4000 go into the VAX exactly as if they came from so many modems.
TP4000 is a Telenet trademark, and there are in fact several other
interface boxes that may have been used.  They are all pretty similar.
I am guessing at a TP4000 on the basis that it's the most popular box
for this purpose.

When a virtual call is placed over Telenet to the VAX, the network
hands an INCOMING CALL packet across the X.25 line to the TP4000.  The
TP4000 inspects the INCOMING CALL and replies with either a CALL
ACCEPTED packet, or a CLEAR REQUEST packet to reject the call.  The
TP4000 can be programmed to make various judgements; I'm not sure
exactly what its capabilities are in detail.  If the TP4000 decides to
accept the call, it indicates to the VAX that a call is present, and
the VAX responds with the system herald.

The security of this method of connecting to Telenet is limited by the
amount of scepticism you can program into your interface box, and also
by your ability to do the programming.  Most Telenet customers seem to
have relatively little sophistication about the X.25 standard and the
network that they're connected to.

Anyone with a terminal and a 300 or 1200 baud modem can dial up the
Telenet public PAD (Packet Assembler/Disassembler) conveniently
located near them and request that a virtual call be placed to
whatever network address they type.  For example, to connect to
UTAH-20 you would type to the PAD:

   @c 80153.30

However, when your call came in to MY interface box, it would be
rejected with a CLEAR REQUEST packet.  The reason for this is that
when you give the CONNECT command to a public PAD, the PAD builds a
CALL REQUEST packet which requests the REVERSE CHARGING option.  My
interface box is programmed to reject any such call.  In order to
connect to 80153.30 you have to agree in advance to pay for the call
yourself.  You do this by giving what Telenet refers to as a
"password-ID" to the public PAD.  This specifies a Telenet account to
be charged for the call, and requires you to provide a password before
the CALL REQUEST packet will be sent.  The command looks like this:

   @ID ;80153.30/account
   PASSWORD=password

UTAH-20 will not print its herald until it sees a CALL REQUEST which
does not request reverse charging.

My interface prints out the calling address from each CALL REQUEST
packet that comes in, so I'm able to get some idea of how many people
are trying to connect without a password-ID.  There seem to be quite a
lot of people dialing into public PADs and connecting at random.  This
is the network equivalent of the hacker practice of dialing numbers
and listening for a carrier.

To the best of my knowledge, most Telenet sites are vulnerable to the
kind of penetration that Sloan-Kettering experienced.  If you are in
this category I encourage you to switch to the way we do it here.

Cheers -- Walt
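
The accept-or-clear decision described in the message above, as an added example that is not part of the original post and is not the programming of the author's interface box. It assumes the CCITT X.25 modulo-8 packet layout, in which facility code 0x01 carries the reverse charging bit; the function names, addresses and packets are constructed for illustration.

```python
# Added example, not from the original post. Field layout follows CCITT X.25
# (modulo-8 packet format); the addresses and packets below are constructed.
INCOMING_CALL = 0x0B         # packet type shared by CALL REQUEST / INCOMING CALL
FAC_REVERSE_CHARGING = 0x01  # facility code; parameter bit 0 = reverse charging
CLASS_PARAM_OCTETS = {0: 1, 1: 2, 2: 3}  # facility class A/B/C parameter sizes

def bcd_digits(buf, count):
    """Unpack `count` BCD semi-octets (high nibble first) into a digit string."""
    nibbles = [n for octet in buf for n in (octet >> 4, octet & 0x0F)][:count]
    if len(nibbles) != count or any(n > 9 for n in nibbles):
        raise ValueError("truncated or non-decimal address field")
    return "".join(map(str, nibbles))

def parse_incoming_call(pkt):
    """Return (calling_address, called_address, reverse_charging_requested)."""
    if len(pkt) < 4 or pkt[2] != INCOMING_CALL:
        raise ValueError("not an INCOMING CALL packet")
    calling_len, called_len = pkt[3] >> 4, pkt[3] & 0x0F
    addr_octets = (calling_len + called_len + 1) // 2
    digits = bcd_digits(pkt[4:4 + addr_octets], calling_len + called_len)
    called, calling = digits[:called_len], digits[called_len:]
    pos = 4 + addr_octets                 # index of the facility length octet
    fac_end = pos + 1 + pkt[pos]
    if fac_end > len(pkt):
        raise ValueError("facility field runs past end of packet")
    i, reverse = pos + 1, False
    while i < fac_end:
        code, cls = pkt[i], pkt[i] >> 6   # top two bits select the facility class
        plen, start = (pkt[i + 1], i + 2) if cls == 3 else (CLASS_PARAM_OCTETS[cls], i + 1)
        if start + plen > fac_end:
            raise ValueError("facility parameter overruns facility field")
        if code == FAC_REVERSE_CHARGING:
            reverse = bool(pkt[start] & 0x01)
        i = start + plen
    return calling, called, reverse

def decide(pkt, log):
    """Clear reverse-charged or malformed calls; log the caller either way."""
    try:
        calling, _, reverse = parse_incoming_call(pkt)
    except (ValueError, IndexError):
        log.append(("<unparseable>", "CLEAR REQUEST"))
        return "CLEAR REQUEST"
    verdict = "CLEAR REQUEST" if reverse else "CALL ACCEPTED"
    log.append((calling, verdict))
    return verdict

# Constructed packets: header, address block, then a 2-octet facility field.
REVERSE_CALL = bytes.fromhex("10010b77" "12345677654321" "020101")
PAID_CALL = bytes.fromhex("10010b67" "12345675550120" "020100")
```

A packet that cannot be parsed is cleared rather than accepted, so a malformed call never reaches the host's login herald.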

------------------------------

Date: 30 Aug 1983 10:17-PDT
Subject: "Losers"
From: KIETZMANN@USC-ISIE

I fully agree with Greg Davidson's feelings about "Losers" being
nothing more than poorly trained users.  I don't know of anyone
that has ever learned to walk without learning to crawl first.
A teacher or trainer must begin with something that is known by
the trainee or student and then proceed to more complex items.

Within any office, whether it is military, commercial, or
educational in nature, there is always a certain degree of
turnover of personnel.  The reasons may be promotion within the
company, a company (or military) directed transfer to another
location, or just an individual switching jobs.

This turnover and movement of people leaves nearly all offices
with a continuing need for an ongoing system of training their
replacements.  My office went from 5 experienced, trained people
to 2 plus an empty slot.  At the time when an office is already
in a busy situation, (covering the duties that would be done by
the occupant of the empty slot, for example) the additional job
of training the person to fill that empty slot can sometimes be
frustrating.  It is sometimes difficult to find much time in a
small office to do justice to training someone when the normal
requirements of the job always have first priority.  Training of
the replacements will then catch the lowest priority and result
in "losers" as the output of your training program.

I have some ideas about a tutoring system I would like to see in
a program for someday.  It has 2 parts.

The first part would let an "expert" write the tutorial frames
(the text, question, and desired answer) for a tutorial lesson in
his area of specialty, whether it might be administrative
procedures, basics of using a certain text editor, or just
generalized procedures used in an office.  This portion of the
program would allow the "expert" to create the tutorial frames in
an interactive mode or would accept properly formatted frames
created by a text editor.

The second part of this tutorial system would show all of the
subjects available to a prospective student (possibly as a menu)
and walk the student through the selected topic interactively.
The details of handling wrong answers, stopping in the middle and
continuing later, feedback to the student, etc. have many
possibilities and could be worked out later.

This type of a system would give the "losers" better training.
Changes in the contents of the tutorial could be updated easily
and in a timely manner.  The training of new people would not be
an additional burden or receive low priority because of the high
priority of the normal duties of that office.

For quite some time, I have wondered about the availability of
interactive tutorials on the ARPANET.  I know of a couple, one to
teach the basics of EMACS and another to teach some of the uses
of control characters in TOPS-20.

I would be willing to compile a list of tutorials and publish the
list later in the Human-Nets Digest, if anyone would be
interested.  If anyone knows of tutorials available, send the
information to KIETZMANN @ USC-ISIE.    I suggest the information
desired about tutorials might be as follows:

SUBJECT:
LOCATION:  (where it can be found presently)
CURRENT OPERATING ENVIRONMENT:  (USC-ISIE is a DEC machine
                                running TOPS-20)
LANGUAGE OF THE SOURCE CODE:
AVAILABILITY:  (arrangements for use by or transfer to other
               ARPANET  people)
CONTACT POINT:  (for someone interested in obtaining the program)


------------------------------

Date: 24 Aug 1983 1255-MDT
From: Walt <Haas@UTAH-20>
Subject: Re: Techno-philosophy



        ...the public schools are scared to death to help students
        develop the tools (philosophy and morality) to sort out
        those messages, because they don't think people trust the
        schools to separate <philosophy and morality> from
        <ideology and religion>.
                                   Bruce Hamilton.ES@PARC-MAXC.ARPA

This is especially hard when local potentates go around making
speeches to the effect that morality can only come from religion, as
one did here not too long ago.  My own opinion is that morality and
religion are mutually exclusive - that is, if you are attempting to
follow the dictates of a religion, then as a result you will end up
doing immoral things.

The best discussion of the population problem, and why it is a
problem, that I have ever found is in the book /Managing the Commons/,
by Garrett Hardin.  Hardin discusses what he calls "the tragedy of the
Commons", which is a situation in which a group of people, each of
whom is pursuing their own best interests, produces a result which is
tragic for all of them.  The classic example is the common pasture.
Suppose, for example, that you have a community-owned pasture that is
capable of supporting 100 cows.  There are ten herders, each of which
has ten cows grazing on the pasture.  At this point the pasture is
producing as much as it is capable of.  Now one herder decides to
improve his lot in life, and adds an eleventh cow to his herd.  There
are now 101 cows grazing on a pasture which can support 100 cows.
Actually the sky does not fall, of course; all that happens is that
each cow gets a little less than it needs, and so produces a little
less milk and meat than it should (say about 1% less, for simplicity).
The result is that the herder who added the extra cow is receiving
about 9% more milk and meat, and the other nine are each receiving
about 1% less, than before.

The herder who added the cow is richly rewarded for his enterprise,
and so has an incentive to add yet another cow.  So does each of the
other nine herders.  If they all do what they individually have an
incentive to do, the result will be mass starvation!  There are two
basic approaches to dealing with the problem, both of which are
commonly used:

1) Establish an authority which limits the size of the herd to what
   the pasture will bear, and a system of allocation which allows each
   herder a certain amount of the pasturage.  Pastoral societies
   generally have some such system.

2) Enclose the common pasture into ten private pastures, so that if
   one herder adds an eleventh cow to his pasture, only his other
   cattle will suffer.  This social institution is called "property".
   Agricultural societies generally use this approach.

Both approaches have advantages and disadvantages.  One advantage to
the "allocation authority" approach, for example, is that it makes it
possible to utilize grazing lands that are highly seasonal.  Much of
the grazing in southern Utah, and in other arid lands, needs to be
done at lower elevations in the winter and higher elevations in the
summer.  The cost of several complete sets of pastures would be
prohibitive if they were privately owned.  On the other hand, common
pasturage makes it impossible to do selective breeding of your own
herd.

Human population is, of course, one of the thorniest "common pasture"
problems.  Most traditional societies have institutions to limit the
number of kids you can have.  For example, it is common to have
strongly negative sanctions against "illegitimate" child bearing.
Many societies forbid marriage to men who have not yet accumulated
enough land or cattle to support a family.

New technologies can and do create and remove "common pasture" type
problems.  One obvious example is the allocation of the
electromagnetic spectrum.  This is a classic common pasture situation
solved by an allocating authority (which is the FCC in the US).  An
example of removing a common pasture problem by technology is the
decline of native population which is taking place in virtually all of
the industrialized countries of the world.  It is now so expensive to
buy the technology needed to make your kid self supporting, and so
cheap to buy appliances that do the few jobs a kid is capable of, that
lots of people find it more to their advantage to have few or no kids.

One of the things we need to ask ourselves as we invent new
technologies is, what "common pasture" type problems will be created
and removed by any given technology? ...because that is one of the
major determinants of the resulting changes in social institutions.

Cheers  -- Walt

------------------------------

Date: Mon 29 Aug 83 11:26:33-PDT
From: WYLAND@SRI-KL.ARPA
Subject: Computers and culture - Schroeder's comments



        I didn't mean to imply that central computers or large
computers were dead or dying, just that they were no longer the
focus of the developing idea of the computer.

        A net of personal computers still requires a central
computer for store and forward of the net messages, and a central
computer is also required for any organization (of 2 or more
people) that has common files.  Large computers are required for
special problems such as modelling.  These problems will
continue to grow in size and importance, and their machines with
them.

        I still think that memory is the essence of the computer.
The fastest scientific calculator, without memory, cannot solve
the modelling problems that a large computer can; however, a
large, fast memory (say, 1 gigabyte at 10 nanoseconds) should be
able to do a respectable job with the crudest (add and subtract
integer only?) arithmetic unit.

        I compared the large, central computers to railroads and
the personal computers to automobiles and trucks.  I think this
analogy holds.  A railroad carries huge quantities of bulk
material at low cost.  They are, and will probably remain, the
prime method of handling the bulk of things to be moved from
point a to point b.  Their disadvantage is that they represent a
fixed, relatively inflexible net of transportation.  The
car/truck represents flexibility: transportation driven by the
individual user.  The user determines the what, where, and when
of the transportation problem.  Like the railroad, the large,
central computer may be the most practical approach to handling
very large problems, scientific or commercial, but with the
disadvantage that the user must adapt to its capabilities and
limitations.   Like the car/truck, the personal computer is
adapted to the user and the user's changing requirements.

        I think that the personal computer is the new focus of
the computer idea because the personal computer is where the next
great growth area in total computer power (Mips x computers) and
total memory (in terabytes) should occur.  Although the personal
computer usage may be 1-10% rather than the 50+% of a central
computer, the total activity should be HUGE!

------------------------------

End of HUMAN-NETS Digest
************************