Leland K. Neely <lkn @
# I heard a story this week. It seemed that one site set up filters to
# permit port>1023 access, excepting X and openwin, and thought they were ok.
# One user decided that he "REALLY" had to have access so he reset telnet
# (or rlogin, I am not sure) to listen to a port equal to his phone
# extension. (e.g. 4532.) This worked so well, that his buddies all had him do
# the same for them. Now, each machine listened on a different port...
I firmly believe that ANY security mechanism can be compromised with
insider help. The problem described above is a people problem, not a
technical problem. You can't do effective security as an "add-on" at
the border of your site; it requires the explicit or implicit
cooperation (or at least the lack of active opposition) of the folks
you're nominally trying to protect. If you don't have that, it's
Brent Chapman Great Circle Associates
COM 1057 West Dana Street
+1 415 962 0841 Mountain View, CA 94041