Subject: Re: Pressler Markup & Report From: R Ballard Date: Fri, 21 Apr 1995 13:18:59 -0400 (EDT)
How the Web Was Won



On Wed, 12 Apr 1995, S. Finer wrote:
> On Mon, 10 Apr 1995, R Ballard wrote:
> 
> > You would have to disable telnet, FTP, Web Browsers, and News.  You would 
> > also have to disable sockets programming (since the kid can get telnet 
> > anywhere).
> > 
> > What is needed is clients that request interactive password entry at 
> > start-up and send the authentication information to each server using a 
> > real-time encrypted key (Kerberos) validated by a third party server.
> 
> This is doable....but would the server need to be involved, ABSOLUTELY? 
> I'm not so sure you could not get decent lock-out capability on a purely 
> local basis.

The server knows the Host IP address and the TCP or UDP port number.  The 
Port number is dynamically assigned.  There isn't a public mapping of the 
user to the port implicit in the transport layer.  The session layer, 
which includes authentication, can be as simple as a user/password in 
clear text between a client and a server, or as complex as encrypted 
real-time "tickets" between client, server, and "trusted hosts".

HTTP includes a generalized "authentication" parameter, but leaves the 
processing up to each implementation.  The best solution is to call a 
"general purpose" routine like "getpwent()" which can be used to search
yellow pages, Kerberos, and local password files.  It can also use 
real-time decryption and "magic cookie" comparisons, similar to those 
used by X11 terminals.

> > This authentication software is widely available and can be enabled on 
> > most clients and servers with little effort.  By allowing the parents to 
> > send the "Lockout" to a third-party server, the "Porno Board" can protect 
> > the children by using the authentication which will Identify the kid as a 
> > minor.

> IC- and agree, but can't much of this functionality be accomplished 
> locally ONLY?

Each parent would have to tell every host on the internet that he did not 
want his host to be accessible to their hosts.  In addition, each parent 
would have to lock out every host on the internet through a router or 
firewall that is inaccessible to the children.

Someone has to tell some reliable source that this person either is or is 
not a minor.  The assumption would be that the person is not a minor.  If 
there is good reason to believe that a "guardian" knows this person is a 
minor, the server can refuse access to inappropriate information.  The 
churches, public schools, and federal agencies would be good candidates 
for reporting authorities.

> > > As to kids who can break the lock.....some will be able to do so....but 
> > > not many.  Most will not try very long if the frustration level is high.  
> > > Just lock out all telnet capability without a separate password, that the 
> > > parent DOES NEED TO SECURE.  gotta go

Kids often try to use long distance telephones, or dial 1-900 numbers 
without their parents' permission too.  The difference is that the person 
answering the call has a voice to indicate that they are talking to a 
child.  With the net, an articulate writer can masquerade as an adult 
with a minimal amount of effort.

> > Let me just correct one thing.  You would have to "Completely Disable all 
> > TCP connects going out of the box" with the exception of the "Protected 
> > client" which would go directly to a Fire-wall host exclusively.  
> 
> Well, ok, but this can be done.  BUT suppose the protected client just 
> went to the regular server the provider made available to everyone. But 
> the protected client recognizes specified smut sites via a continuously 
> updated file, and does not allow the kid to direct the client to go 
> there. The lock is local.  Orgs. would update the spec file to the 
> standards the parent expects.  The parents would just need to keep the 
> lock-out client by-pass password secure.  

If the kid can get to a proxy server which is not a smut site, and can 
use that to get to a smut site, he has blown your security.  It takes 3 
days for this type of information to pass through a 1000 student Jr. High 
School.  It takes 2 days to find out which liquor stores don't take IDs.

> > Any internal solution can be defeated with two floppy disks.
> 
> Hmmm.....ANY?  I'm not doubting you....just do not see it.  

Actually, the problem is that MS-DOS/Windows provides absolutely no 
interim security.  If the kid can modify the ini file or the autoexec.bat 
file, he can bypass the security.  Unix, Windows-NT, and Linux provide 
"root privileges" which are only accessible by entering a password which 
the parents can change frequently.
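
The point above about HTTP carrying an authentication parameter whose processing is left to each implementation, as an added example that is not part of the original message: a server-side check that parses a Basic `Authorization` value (credentials are only base64-encoded, i.e. clear text on the wire) and searches several credential sources in order. The backend names, users and passwords are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample data: two credential sources searched in order, standing in
# for a local password file and a network directory (names are hypothetical).
def _record(password, salt):
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

LOCAL_FILE = {"parent": _record("correct horse", b"salt-local-0001")}
DIRECTORY = {"kid": _record("battery staple", b"salt-dir-000002")}
BACKENDS = [LOCAL_FILE, DIRECTORY]

def parse_basic(header):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None."""
    if not header:
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None

def lookup(user):
    """Search each backend in turn, like a name-service lookup chain."""
    for backend in BACKENDS:
        if user in backend:
            return backend[user]
    return None

def authenticate(header):
    """Return the authenticated user name, or None if the request must be refused."""
    creds = parse_basic(header)
    if creds is None:
        return None
    user, password = creds
    # Unknown users still cost one hash, so timing does not reveal which names exist.
    salt, expected = lookup(user) or (b"no-such-user-salt", b"\x00" * 32)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return user if hmac.compare_digest(actual, expected) else None

def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```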



