Date: Tue, 18 Apr 1995 13:00:28 -0400 (EDT)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Wed, 12 Apr 1995, S. Finer wrote:
>
>
> On Mon, 10 Apr 1995, R Ballard wrote:
>
> > You would have to disable telnet, FTP, Web Browsers, and News. You would
> > also have to disable sockets programming (since the kid can get telnet
> > anywhere).
> >
> > What is needed is clients that request interactive password entry at
> > start-up and send the authentication information to each server using a
> > real-time encrypted key (Kerberos) validated by a third party server.
>
> This is doable....but would the server need to be involved, ABSOLUTELY?
> I'm not so sure you could not get decent lock-out capability on a purely
> local basis.
Unfortunately, each host on the internet can serve anywhere from 1 to
several hundred thousand users. Each connection is identified by
destination IP/Port Address and Source IP/Port Address. The client ports
are allocated dynamically from a "Pool" of addresses (Usually 4096-32767).
Here is a rough algorithm.
The client must do:

    sock = socket();
    bind(sock, myaddress, ANYPORT);
    getsockname(sock, &ipaddr, &ipport);   /* our own IP address and port */
    auth->ipaddr = ipaddr;
    auth->port   = ipport;
    auth->user   = user;
    auth->ticket = rand(time);
    rpc_auth(auth, &ticket);    /* authentication information is encrypted */
    if (ticket != OK) exit();   /* kiddie wants porn, crook wants money */
    connect(sock, server);
    send(sock, ticket);
    while (fread(stdin, buf)) {
        crypt(ticket, buf);
        send(sock, buf);
    }

The server must do:

    sock = listen();            /* get socket from listen */
    getsockname(sock, &ipaddr, &ipport);
    rpc_auth(auth, &ticket);    /* client sent to trusted host, we pick up from TH */
    if (ticket != OK) exit();   /* server knows it's safe */
    accept(sock);
    get(ticket);                /* temporary "password" */
> > This authentication software is widely available and can be enabled on
> > most clients and servers with little effort. By allowing the parents to
> > send the "Lockout" to a third-party server, the "Porno Board" can protect
> > the children by using the authentication which will Identify the kid as a
> > minor.
>
> IC- and agree, but can't much of this functionality be accomplished
> locally ONLY?
>
> > > As to kids who can break the lock.....some will be able to do so....but
> > > not many. Most will not try very long if the frustration level is high.
> > > Just lock out all telnet capability without a separate password, that the
> > > parent DOES NEED TO SECURE. gotta go
> >
> > Let me just correct one thing. You would have to "Completely Disable all
> > TCP connects going out of the box" with the exception of the "Protected
> > client which would go directly to a Fire-wall host exclusively.
>
> Well, ok, but this can be done. BUT suppose the protected client just
> went to the regular server the provider made available to everyone. But
> the protected client recognizes specified smut sites via a continuously
> updated file, and does not allow the kid to direct the client to go
> there. The lock is local. Orgs. would update the spec file to the
> standards the parent expects. The parents would just need to keep the
> lock-out client by-pass password secure.
>
>
> > Any
> > internal solution can be defeated with two floppy disks.
>
> Hmmm.....ANY? I'm not doubting you....just do not see it.
>
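A toy model of the three-party exchange sketched in the message above (the client registers its source address, port, user and ticket with a trusted host; the server looks the peer up by address and port and honours the parent's lockout). This is an added example, not code from the thread; the names TrustedHost, client_connect, server_accept and the (ip, port) registry are my own assumptions about how the sketch would be realised.

```python
import hmac
import secrets


class TrustedHost:
    """The third-party authentication server of the sketch. It keeps the
    parent-supplied lockout list and, per live client socket, the user and
    the one-time ticket the client registered (hypothetical model)."""

    def __init__(self):
        self.locked_out = set()   # users a parent has registered as minors
        self.sessions = {}        # (src_ip, src_port) -> (user, ticket)

    def lockout(self, user):
        self.locked_out.add(user)

    def register(self, src_ip, src_port, user, ticket):
        # Client side of rpc_auth(): bind the ticket to the socket's own address.
        self.sessions[(src_ip, src_port)] = (user, ticket)

    def lookup(self, src_ip, src_port):
        # Server side of rpc_auth(): who owns this source address/port right now?
        return self.sessions.get((src_ip, src_port))


def client_connect(th, src_ip, src_port, user, ticket=None):
    """After bind()/getsockname(), the client registers (addr, port, user,
    ticket) with the trusted host and then presents the ticket to the server."""
    ticket = ticket or secrets.token_hex(16)   # auth->ticket = rand(time)
    th.register(src_ip, src_port, user, ticket)
    return ticket


def server_accept(th, peer_ip, peer_port, presented_ticket):
    """Server side: identify the peer by (ip, port) via the trusted host,
    check the presented ticket, and refuse users the parent has locked out."""
    entry = th.lookup(peer_ip, peer_port)
    if entry is None:
        return "denied: unregistered source"
    user, expected = entry
    if not hmac.compare_digest(expected, presented_ticket):
        return "denied: bad ticket"
    if user in th.locked_out:
        return f"denied: {user} is locked out"
    return f"accepted: {user}"
```

The lookup key is the client's own (address, port) pair, which is exactly what a purely local lock cannot bind to a user for the server's benefit.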