re: NASA's OIG

Walter Nissen (dk058@cleveland.Freenet.Edu)
Thu, 31 Aug 1995 15:25:19 -0400

> Subject: Re:  NASA's OIG (Orbit Information Group?) 
SeeSat-L is not the proper place for a discussion of TCP/IP security 
issues.  Nor is it the place for a few other subjects that have been 
brought up in the past few months.  Mercifully, none of these have gotten 
truly out of hand.  I confess that I am one who pushes the edge of the 
envelope of topicality.  I would always hope to do so in a modest way 
which people don't find objectionable. 
I would like to ask all of us to consider, before sending material to the 
explosive address, that new subscribers are coming on-line every week or 
more often.  We may well be the welcoming committee for one or more new 
subscribers.  If we post helpful, satellite-related, visual-related 
material, we will give a good impression. 
Having considered all this, I think I should post a reply to the expressed 
security concerns, in the hope that the subject may thereby be put to 
rest.  If not, the sequelae must not appear in SeeSat-L, but be taken to 
e-mail, or to one of the security-related newsgroups.  I would welcome 
e-mail messages from anyone who wants to find such discussion and will 
happily point people in the right direction. 
>         Are you really SURE that's what is required? If so this is deserving 
> of a "comp.risks" posting. I would hope people at NASA would think ahead 
> more clearly than that...!!!! 
Neither am I sure of the requirements for FTP at OIG, but the insecurity 
of TCP/IP has been well-known since its inception.  People didn't want the 
much more secure, but proprietary, SNA.  So now we have TCP/IP.  Many 
machines receive and pass along security data for other machines.  This is 
how telnet, rlogin, etc., etc., work.  Sniffers can read it.  This is why 
you can't securely send credit card info by e-mail.  There is nothing very 
unusual about what OIG is doing, nothing requiring capital letters nor 
exclamation points. 
> If I sound paranoid to you, then I'd hazard that you haven't yet had 
> to spend hours cleaning up a system that has been maliciously trashed by 
> invaders from the internet... (not to mention redoing all the work that was 
> lost). 
If you put a machine on the Internet you do so, or should, with the 
understanding that TCP/IP has a variety of security holes.  You are 
responsible for limiting the impact of any resulting problems on your 
operations.  Networking can be done securely.  TCP/IP doesn't. 
I suspect none of us would be very sympathetic toward a bank which decided 
to save rent and inconvenience by moving its money into file cabinets on 
the public sidewalk.  Neither am I very sympathetic when systems managers, 
usually those without CDPs and without IS training, moan endlessly about 
how criminals destroyed them and everything they stand for.  It is wrong 
to hurt other people, whether by stealing their money or crashing their 
computers.  So? 
If you receive a message in my name extolling the virtues of roasting 
little girls at 200 degrees C, you can safely assume that someone has 
stolen one of my passwords and is spoofing you.  It could happen.  I don't 
worry about it. 
Walter I. Nissen, Jr., CDP


Astronomy is lights in the sky.