From owner-freebsd-security  Tue Jul 29 03:44:07 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id DAA03309
          for security-outgoing; Tue, 29 Jul 1997 03:44:07 -0700 (PDT)
Received: from artorius.sunflower.com (artorius.sunflower.com [24.124.0.13])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id DAA03304
          for <security@FreeBSD.ORG>; Tue, 29 Jul 1997 03:44:02 -0700 (PDT)
Received: from localhost (lists@localhost)
	by artorius.sunflower.com (8.8.6/8.8.5) with SMTP id FAA10176;
	Tue, 29 Jul 1997 05:43:29 -0500 (CDT)
Date: Tue, 29 Jul 1997 05:43:29 -0500 (CDT)
From: "Stephen D. Spencer" <lists@artorius.sunflower.com>
To: Robert Watson <robert+freebsd@cyrus.watson.org>
cc: security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
In-Reply-To: <Pine.BSF.3.95q.970728164333.3342J-100000@cyrus.watson.org>
Message-ID: <Pine.BSF.3.95q.970729051819.10119C-100000@artorius.sunflower.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Robert,

That problem is much less prevalent on cable modem systems (or potentially
less of a problem :)  As a cable-internet ISP, it was decided before we
made the service available that there is no reason to give customers shell
access to our main servers.  It is an obvious requirement of such a
network for potential customers to have their own machine.  They can
configure tcp/ip clients to their hearts' content, and if they really want
a *nix shell, there's Linux and the various BSD derivatives.  We offer
pop3 accounts, but many of our customers have their mail directly
delivered to their personal machines.  This cuts down on the number of
login requests that are being passed over various segments to our main
servers. Also, the cable modems that we use (Zenith Homeworks Universal)
operate on a MAC filter concept (limits the number of machines connected
to any given modem) and cannot be put into a promisciuous mode by the
customer.  

-Stephen Spencer
admin guy
Sunflower Datavision
Lawrence, KS

On Mon, 28 Jul 1997, Robert Watson wrote:

> 
> Well, once you have one host, you have all the hosts on the same ethernet
> segment.  Typically, though, problems with sniffing occur on college dorm
> networks, which run large numbers of less-well-managed Linux/etc hosts.
> This may be an increasing problem on Cable-modem networks, which I
> understand work something like Ethernet, in that they are broadcast
> networks for a local segment.  Also, who is to say that occasionally
> routers or ISP machines don't get broken into, and sniffing occurs?  Any
> of your users could be logging in from an untrusted network, so in essense
> you are relying on that network to be secure as well as your own.