From: nelson@crynwr.com
Date: Sat, 11 May 1996 05:54:54 +0800
To: cypherpunks@toad.com
Subject: Re: Remailer in a box
In-Reply-To: <01I4IIMHQ67Y8Y5BAX@mbcl.rutgers.edu>
Message-ID: <19960510033729.30653.qmail@ns.crynwr.com>
MIME-Version: 1.0
Content-Type: text/plain


E. ALLEN SMITH writes:
 > 	I see your difficulty. It is an additional one with respect to
 > anonymous accounts. Hmm... you could put the burden on other ISPs by only
 > having anonymous accounts via telnet access - and not accepting such from
 > k12.edu domains. Bit of a limit, though.

1) New .edu registrations are restricted to colleges, but you have
   rogues like sidwell.edu (Chelsea's Quaker school), plus the odd
   17-year-old attending college like I did.

2) .k12.STATE.us is safe enough to restrict, except that some people
   are staff members who will be unhappy.  Of course, those people can
   just change their DNS so it responds to a PTR request with
   a.root-servers.net.  So naturally you don't let the students manage
   your servers (although frankly, the staff members have little time
   or knowledge to do it themselve; most would be happy to find a
   trustworthy student).  Even so, said smart student will discover
   that it's possible to spoof the DNS by spamming a client with
   responses.  That's particularly easy since the source of the packet
   will likely be the same subnet that the smart student.

You can't use the DNS for authentication of any type, particularly if
a Damoclean CDA is hanging over your head.

-russ <nelson@crynwr.com>    http://www.crynwr.com/~nelson
Crynwr Software   | Crynwr Software sells packet driver support | PGP ok
11 Grant St.      | +1 315 268 1925 voice | It's no mistake to err on
Potsdam, NY 13676 | +1 315 268 9201 FAX   | the side of freedom.