Tom Guptill tgpt at pas.rochester.edu
Sun Jun 22 13:16:36 EDT 1997

One risk here, and one reason why those of us who have gotten burned in
the past are so insistent on this, is that under many UNIXes (UNIXen?)
it's not terribly difficult for a non-root program to gain access to the
network devices, either by exploiting a root vulnerability or by finding a
hole in protection on the network.  Hence, the proxy server could be
sniffing passwords and sending them out in packets that look like the rc5
data.  I'm NOT accusing anyone of this, just saying the possibility is

I could probably come up with spare switched segment and an old Sun4/110
to use as a proxy server, and I think I'd be willing to bend my rule on a
machine that can't see traffic bound for anything but it.  (We currently
have many more switch ports than we're using.)  

This would create several limitations, though:

(1) the amount of traffic my tired old 4/110 can handle is minimal
(2) the proxy will need to run under NetBSD/SPARC
(3) I'll need to install NetBSD/SPARC :)

- Tom

Tom Guptill                     Department of Physics and Astronomy
UNIX SA                         University of Rochester  Rochester, NY USA
                                HEPNet:  tgpt at urhep
On Sat, 21 Jun 1997, David Sowder wrote:

> On Sun, 22 Jun 1997, Kris Van Hees wrote:
> > > On Sat, 21 Jun 1997, Kris Van Hees wrote:
> > > > 
> > > > It was fun.  When client v1 support goes, so do my machine.
> > > 
> > > Maybe before the servers drop support for the v1 clients, a personal proxy
> > > could be released that communicates with the RC5 servers using the v2 client
> > > protocol and communicates with the clients using the v1 client protocol. 
> > 
> > If anyone puts up a proxy like this, I can  keep working on the project,
> > though I guess the owner of the proxy (person running it) will be lucky
> > enough to collect the prize money.  But that's fine, I do it for the fun
> > and principle of the matter.
> > 
> > However, if the idea is for me to run a personal proxy somewhere and let
> > my v1 clients communicate with it, and still have no source for the proxy,
> > even if the proxy is intended only to play proxy, I cannot run that without
> > the source (exactly same situation as running the client in the first place).
> > 
> > Again though, if someone is willing to put up a v1-to-v2 proxy/convertor,
> > perhaps with listing who can submit to it... I'd be happy to use it.
> Like I said in my last post, the personal proxy could be placed on a
> machine that did nothing else (I.e. a 286 or 386 that's just lying around)
> and would be restricted to only communicate on the RC5 ports.  In this
> way, the worse thing the untrusted code could do would be to send bogus
> information to the RC5 servers and/or clients, which would be a stupid
> thing for the RC5 organizers to program into _their_ personal proxy code,
> or to erase everything on the personal proxy machine's hard drive, which
> again would be a stupid thing for the RC5 organizers to put in their code.
> This arrangement would in effect be the same as someone else running the
> v1/v2 gateway, just that it would be running on your machine.
> Maybe to satisfy the policies of an organization such as yours, someone
> else would indeed have to setup a v1/v2 gateway that was globably
> available, but with an access list as Kris mentioned.
> --
> David R. Sowder           sowderd at swau.edu                  davids at hpnc.com
> Assistant Director of Information Services           Chief Network Engineer
> Southwestern Adventist University              Hypernet Communications Inc.
> http://www.swau.edu/~sowderd/                   http://www.jci.net/~davids/
> ----
> To unsubscribe, send email to majordomo at llamas.net with 'unsubscribe rc5' in the body.

To unsubscribe, send email to majordomo at llamas.net with 'unsubscribe rc5' in the body.

More information about the rc5 mailing list