Atekmdp.1119
net.unix-wizards
utcsrgv!utzoo!decvax!ucbvax!ihnss!houxi!npois!harpo!cbosg!teklabs!tekmdp!grahamr
Wed Mar 10 14:02:18 1982
Security fixes for smart terminals

The problem is sending ARBITRARY data upon request FROM the system.
It doesn't include sending the terminal type--if it's in rom or given
at the keyboard--or sending the cursor position.

Several fixes come to mind, from a switch that turns off these features
to a keyboard- or rom-defined prefix for such transmissions. It's clear
that the problem is in the terminal. Any software solutions are probably
full of holes. Anybody have a PROM scrambler?

"mesg n" prevents opening, not writing. All that's needed is to complete
the open call before "mesg" runs.

Letter bombs are also a problem. My terminal has a keyboard lock feature.
It's easy to send a letter that locks my keyboard while it does its dirty
work. I think there's a "reset" button I can hit, but I probably won't hit
it quick enough. Besides, it can be reprogrammed!

A kludge for MH systems to get around the letter bomb problem is to have
"l" rewritten as something like:

	cat $* | sed -n l

This might be done on a per-user basis if show used execvp. It doesn't.

-----------------------------------------------------------------
gopher://quux.org/ conversion by John Goerzen
of http://communication.ucsd.edu/A-News/

This Usenet Oldnews Archive article may be copied and distributed
freely, provided:

1. There is no money collected for the text(s) of the articles.

2. The following notice remains appended to each copy:

The Usenet Oldnews Archive: Compilation Copyright (C) 1981, 1996
Bruce Jones, Henry Spencer, David Wiseman.
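The `sed -n l` filter suggested in the post, wrapped as a small viewer that also counts the bytes it had to neutralize. This is an added example, not code from the original article; the function names `sanitize`, `count_controls`, `safe_show` and `sample_message`, and the sample message itself, are constructed here.

```shell
#!/bin/sh
# Added example: show untrusted mail text with non-printing bytes rendered
# as visible escapes, so the terminal prints them instead of obeying them.

# sanitize: stdin -> stdout. `sed -n l` writes each line "unambiguously":
# ESC becomes \033, BEL becomes \a, and every line end is marked with `$`.
sanitize() {
    LC_ALL=C sed -n l
}

# count_controls: count bytes on stdin that are not tab, newline or
# printable ASCII (this includes ESC, BEL, DEL and 8-bit control codes).
count_controls() {
    LC_ALL=C tr -d '\11\12\40-\176' | wc -c | tr -d ' '
}

# safe_show: display each named file through sanitize, with a notice
# when the file contained bytes a smart terminal might act on.
safe_show() {
    for f in "$@"; do
        n=$(count_controls < "$f")
        if [ "$n" -gt 0 ]; then
            printf '[%s: %s byte(s) outside printable ASCII shown as escapes]\n' "$f" "$n"
        fi
        sanitize < "$f"
    done
}

# sample_message: constructed input. ESC [ 2 J (clear screen) and BEL stand
# in for whatever sequence a hostile letter would carry.
sample_message() {
    printf 'Subject: hello\n\033[2J\007keyboard locked\n'
}

# Demo: the ESC and BEL bytes are printed as \033 and \a, not sent raw.
sample_message | sanitize
```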