Date: Fri, 21 Apr 1995 13:18:59 -0400 (EDT)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Wed, 12 Apr 1995, S. Finer wrote:
> On Mon, 10 Apr 1995, R Ballard wrote:
>
> > You would have to disable telnet, FTP, Web Browsers, and News. You would
> > also have to disable sockets programming (since the kid can get telnet
> > anywhere).
> >
> > What is needed is clients that request interactive password entry at
> > start-up and send the authentication information to each server using a
> > real-time encrypted key (Kerberos) validated by a third party server.
>
> This is doable....but would the server need to be involved, ABSOLUTELY?
> I'm not so sure you could not get decent lock-out capability on a purely
> local basis.
The server knows the host IP address and the TCP or UDP port number. The
port number is dynamically assigned. There isn't a public mapping of the
user to the port implicit in the transport layer. The session layer,
which includes authentication, can be as simple as a user/password in
clear text between a client and a server, or as complex as encrypted
real-time "tickets" between client, server, and "trusted hosts".
HTTP includes a generalized "authentication" parameter, but leaves the
processing up to each implementation. The best solution is to call a
"general purpose" routine like "getpwent()" which can be used to search
yellow pages, kerberos, and local password files. It can also use
real-time decryption and "magic cookie" comparisons, similar to those
used by X11 terminals.
> > This authentication software is widely available and can be enabled on
> > most clients and servers with little effort. By allowing the parents to
> > send the "Lockout" to a third-party server, the "Porno Board" can protect
> > the children by using the authentication which will Identify the kid as a
> > minor.
> IC- and agree, but can't much of this functionality be accomplished
> locally ONLY?
Each parent would have to tell every host on the internet that he did not
want his host to be accessible to their hosts. In addition, each parent
would have to lock out every host on the internet through a router or
firewall that is inaccessible to the children.
Someone has to tell some reliable source that this person either is or is
not a minor. The assumption would be that the person is not a minor. If
there is good reason to believe that a "guardian" knows this person is a
minor, the server can refuse access to inappropriate information. The
churches, public schools, and federal agencies would be good candidates
for reporting authorities.
> > > As to kids who can break the lock.....some will be able to do so....but
> > > not many. Most will not try very long if the frustration level is high.
> > > Just lock out all telnet capability without a separate password, that the
> > > parent DOES NEED TO SECURE. gotta go
Kids often try to use long distance telephones, or dial 1-900 numbers
without their parents' permission too. The difference is that the person
answering the call has a voice to indicate that they are talking to a
child. With the net, an articulate writer can masquerade as an adult
with a minimal amount of effort.
> > Let me just correct one thing. You would have to "Completely Disable all
> > TCP connects going out of the box" with the exception of the "Protected
> > client which would go directly to a Fire-wall host exclusively.
> Well, ok, but this can be done. BUT suppose the protected client just
> went to the regular server the provider made available to everyone. But
> the protected client recognizes specified smut sites via a continuously
> updated file, and does not allow the kid to direct the client to go
> there. The lock is local. Orgs. would update the spec file to the
> standards the parent expects. The parents would just need to keep the
> lock-out client by-pass password secure.
If the kid can get to a proxy server which is not a smut site, and can
use that to get to a smut site, he has blown your security. It takes 3
days for this type of information to pass through a 1000 student Jr. High
School. It takes 2 days to find out which liquor stores don't take IDs.
> > Any internal solution can be defeated with two floppy disks.
> Hmmm.....ANY? I'm not doubting you....just do not see it.
Actually, the problem is that MS-DOS/Windows provides absolutely no
interim security. If the kid can modify the ini file or the autoexec.bat
file, he can bypass the security. Unix, Windows-NT, and Linux provide
"root privileges" which are only accessible by entering a password which
the parents can change frequently.
From rballard@cnj.digex.net Fri Apr 21 13:25:09 1995