X-Message-Number: 6747
From: Peter Merel <>
Subject: Securing Cryonet
Date: Thu, 15 Aug 1996 00:45:11 +1000 (EST)

Kevin Q. Brown writes,

>I'll be taking some time off Aug. 15 - 20, probably with sporadic
>email access but certainly not full admin capabilities.  Let me
>know your brilliant ideas.  Thanks.

The question is, how secure should secure be? You could auto-bounce
email from non-subscribers and refuse anonymous subscriptions, but then
not-David-Cosenza would only turn to forgery; he's already shown that he
has the willingness, if not the technical ability, to carry this off.
The same weakness would affect a full-on moderation scheme - quite apart
from the thankless pain that a moderator would endure ... if one could be
found.

To really make the list secure you'd need to require subscribers to sign
their submissions with something like PGP or Verisign. This would
certainly work okay, but it would also cut off subscribers who don't
have the technical expertise to get these things going easily - probably 
quite a few subscribers.

So I think what's wanted is a password setup; each subscriber to the
list would be issued with a unique password. When a subscriber wanted to
post to the list, they'd include their own password, say on the subject
line preceding the real subject. The password would be automatically
stripped off before their posting was mailburst to the other subscribers.

This isn't a perfect scheme, but it doesn't have to be; if not-David-
Cosenza hacks one or more passwords then new ones can be issued,
clarifications made and subscriber-security beefed up. The main thing is
that this fixes the security problems without making life too difficult
for new subscribers. Not-David-Cosenza can still spam sci.cryonics of
course, but there anyone who reads him will just use a kill-file.

Peter Merel.
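
A minimal sketch of the subject-line password check proposed in the message above, added here as an illustration and not part of the original post or of any Cryonet software. The subject format (password as the first space-delimited token), the function names and the sample addresses are assumptions.

```python
import hashlib
import hmac
import os
from email.message import EmailMessage
from email.utils import parseaddr

ITERATIONS = 100_000  # PBKDF2 work factor (value chosen for this example)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def enroll(subscribers: dict, address: str, password: str) -> None:
    """Issue a subscriber password; only a salted hash is kept on the server."""
    salt = os.urandom(16)
    subscribers[address.lower()] = (salt, hash_password(password, salt))


def gate(msg: EmailMessage, subscribers: dict):
    """Return msg with the password stripped from Subject, or None to reject.

    The From header is forgeable, so it is used only to look up which
    password to expect; the password itself is the authenticator.
    """
    address = parseaddr(msg.get("From", ""))[1].lower()
    token, _, real_subject = msg.get("Subject", "").strip().partition(" ")
    # Unknown senders are checked against a dummy record so that both
    # paths do the same amount of hashing work.
    salt, expected = subscribers.get(address, (b"\0" * 16, b"\0" * 32))
    matches = hmac.compare_digest(hash_password(token, salt), expected)
    if not matches or address not in subscribers:
        # Reject silently: bouncing the original subject back would echo
        # whatever was typed in the password position.
        return None
    del msg["Subject"]
    msg["Subject"] = real_subject.strip()
    return msg


if __name__ == "__main__":
    subs = {}
    enroll(subs, "alice@example.org", "tr0ub4dor")  # constructed subscriber
    post = EmailMessage()
    post["From"] = "Alice <alice@example.org>"
    post["Subject"] = "tr0ub4dor Re: Securing Cryonet"
    print(gate(post, subs)["Subject"])
```
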

