Speaking as a person employed in the InfoSec industry (I'm a Technical
Information Security Officer for Big Bank/CISSP/CSSLP, Etc.), I can only
parrot Johnny's comments.
If you are concerned about security with DECnet, then you shouldn't be
running it--the authentication data is in the clear; you are literally
running around with your electronic 'pants down' except that nobody is
looking and few people understand DECnet and there is no money to be had
cracking it.
It is for this reason that I implemented anonymous access and
restrictions on Tops-20 FAL/DAP. For public files, there is no need for
authentication, so you don't have to worry about losing any passwords
(that don't exist, anyway).
There is also a mechanism that I am researching to implement information
theoretic secure authentication for TELNET and FTP that should be
adaptable to DECnet (but will require some monitor modifications). So
you wouldn't have to worry about passwords (but the other traffic would
still be in the clear). I'm hoping to publish it in the next year.
ssh is only a point-to-point solution, like IPsec or OpenVPN. If you
are routing traffic over it, then you are only as safe as the traffic
you are routing.
On 3/2/20 1:37 PM, Johnny Billquist wrote:
That said, I wouldn't really worry too much. First of all, few people
would understand DECnet unless they explicitly look for it. Second,
this is all just hobbyist fun. It's not as if something actually
depends on this running. Third, anyone (more or less) is free to
connect if they want to anyway, so it's not a secret cabal with
entrance rites.
In the end, if someone really is worried, they should not connect to
HECnet to start with. DECnet itself was never designed for the
security levels or issues people know about today. If security is
keeping you awake at night, then you should not run DECnet at all.
Don't fool yourself into thinking that because you are running some
link over SSH or whatever, you are now safe.