Conference 7.286::digital

>Gateway addresses are now permitted on business cards.

I am having trouble interpreting your note.

Do you mean the addresses of gateways are now permitted, or addresses which
mention gateways to access nodes within the ENET?  The former is a rather
obvious piece of information for a company as large as Digital (at least
for anyone who inhabits the outside networks), while the latter sounds
useful, and I assume it is what was on your sample card.
				/AHM/THX

    It means that you can have a network address throught a gateway
    into the EASYNET. This is the kind of address John showed on his
    sample card. He could not have COVERT::COVERT (no gateway node
    included) because there is not a business reason for it. Customers
    could not use it. However, the ARPA and/or  UUCP address, including
    gateway node *is* an address customers could (and do) use.
    
    		Alfred

    hmm...maybe my memory is failing, but I just got my new business
    cards, and I could have sworn my node was included...
    
    
    Nisreen

    Hmmm.  I've got a whole stack of Digital business cards, and a large
    percentage of them have the normal stuff plus NODEA::SMITH (or
    whatever) on them.  True, not useful for customers, but useful
    internally.
    
    Jon

    I print my own business cards on the LN03 using CG TIMES font. Not
    only does it look great, it even FEELS like engraving! ['course
    I feel sort of dumb if someone catches me cutting 'em out with my
    sissors!]  I use heavy stock and the feel is the same.
    
    At any rate, I include my node/custer address for use by other DIGITAL
    employees whom I meet and who may wish to contact me.  And I appreciate
    it when their card has similar info.  Therefore, there is a business
    reason to include both E-net and DTN information.
    
    	Rick Merrill
    

        I see a definite business need for at least some DEC employees to
        have enet addresses, DTn, etc. on our business cards. 
        
        I have two stacks of business cards that I have collected while
        working here. The DIGITAL stack is more than twice the size of the
        customer stack. I would estimate that the distribution of my cards
        that I have handed out is similar. 
        
        I work in an internal support orginization. My "customers" ae
        fellow DEC employees. I am also the "customer" of other internal
        orginizations. Why then should I not put information that is
        useful to those people whom I exchange cards with on my card? 
        
        I will agree that it should not be done on ALL DEC cards, just
        where there is a reason to have the information there. Certainly
        the customer sales force would be outside this category. 

    On the other hand, if an ARPA or UUCP address is on the card, it
    would be easy to work out an Easynet address, since the Easynet
    node and username are part of the ARPA/UUCP address. Doing the
    reverse isn't easy for someone on the "outside" who doesn't know
    how the gateway works.
    
    Then again, there are likely a large number of people in DEC who
    wouldn't know how to do the conversion from A/U to E-Net. Then
    again again, someone in this position probably wouldn't have any
    use for the E-Net address in the first place.
    
    --- jerry

The following is the reply I posted in ANCHOR::EASYNET:


    re mailstops:
    
    Mailstops should be included because they help our mailroom in routing
    the mail to us.  If they are left off, the mail still gets to us
    (but we're also likely to get a message from the mailroom to please
    notify correspondents of our mailstop).  However, without a street
    address, the mailstop alone is no good except for interoffice mail.
    (Hmm.  I wonder if ZIP+4 plus mailstop would be sufficient.  But
    I digress.)
    
    Similarly, `SIMON::SZETO' is useful only as an internal address,
    because Easynet is an internal network.  You need some equivalent
    of street address (or ZIP+4) combined with nodename and username
    to have a complete address for external use.  You specify your complete
    gateway address so that the external user doesn't have to do the
    translation from the internal addressing format.
    
    Note that the nodename and username, unlike the mailstop, cannot
    be omitted, because there is no counterpart to the DEC mailroom,
    which can then route the mail to you.  (Or is there?  Is DECmail
    reachable from gateways, so that a customer could send mail directly
    to Ken?)
    
    Getting back to the point Tom was making about the exchange of business
    cards by employees, having the Easynet address on the card certainly
    would be helpful.  That way, you wouldn't have to translate the
    gateway address back to an Easynet address.  The argument that one's
    Easynet address is internal information really doesn't hold water
    anymore, because that same information, albeit transposed somewhat,
    is now allowed on business cards.
    
  --Simon
    

    RE: "confidential gateway"?? - I have not met a DEC customer yet
    who did not know that DECWRL! was the e-net gateway.  Really!
    
    RMM
    

Personally, I would not bother with easynet addresses on business cards.  I
use ELF.  Since node names change periodically and business cards don't I
find ELF the more reliable.  The only problem that remains is to educate 
people to keep their ELF addresses up to date.

-mark

You could have two types of cards.  Internal Use Only ones that include the
Easynet address and DTN number, and External Use Only ones that have a gateway
address and outside phone number.

You can of course always write the required information on the card...

If you are prepared to spend a few of your own dollars, you could always get
your cards printed privately to your own requirements - bypassing any "rules".

jb

    I've got my enet address on my business cards, and use them for
    both internal people, and customers.  For internal people, it's
    obvious.  Not enough people know how to use ELF.  For customers,
    I tend to point out the fact that my enet node is there, and am
    proud of it.  Typically, I've just finished talking to them about
    how they should install a corporate DECnet network, putting up
    applications such as mail, notes, and videotex.  Showing that DIGITAL
    has it now, and has had it for quite a few years had an impact.
    AND, at DECUS, and the more techie shows, many customers already
    know how to get to DEC via the gateways, and only need my internal
    node name.
    
    bill
    

        re .10
        
        Then  ,  of  course,  you have the problem, where a significant 
        percentage of the organization are under the  Control  of  GIA, 
        who consider the  implementation  of  ELF  to  be  a  two  year 
        project.
        
        And,   of   course,   the   generic   problem  with  ELF  where 
        cross-proliferation of the ELF Databases does not  seem  to  be 
        happening.
        
        So apart from the missing people, and the out of date data, ELF 
        ain't bad.
        
        re.12
        
        Way to go! {Digital has it now? - Digital has had it for longer 
        than it realizes...}
        
        q
        

My standard DIGITAL business card lists the following in the address section:

	Digital Equipment Corporation
	75 Reed Road (HL01-1/S07)
	Hudson Massachusetts 01749
	617-568-4077  DTN 225-4077
	ARPA: Seiler@DEC-HUDSON
	Enet: NULL::Seiler

Note that I have listed both internal and external forms of PAPER 
ADDRESS (street address vs. mailstop), VOICE ADDRESS (NYNEX vs. DTN),
and ELECTRONIC ADDRESS (ARPAnet and Enet).  

Both my mailstop and Enet addresses have changed since I got my cards, 
but that's no big problem.  I scribble my new mailstop onto cards,
but my Enet mail gets automatically forwarded because I kept my account
on NULL for precisely that purpose.  My paper mail would also get forwarded, 
of course, but the people in the mailroom would rather spend their time
doing other things than chasing down peripatetic employees.

ELF is a good idea, but the existance of ELF is no excuse to leave this
info off business cards.  First, ELF is not always available (arrgh), and
second, many people don't know much about it and haven't entered their
electronic addresses (double arrgh).  

And don't forget to list both internal and external phone numbers.  Short
of calling directory assistance (if you know THAT number) translation of
one to the other can be quite difficult.

Business cards are for remembering someone and getting in contact with
them at a later time.  They should include as many useful addresses as
possible.  And for everybody reading this, that includes electronic
addresses.  

	Larry Seiler

    I'm not involved in sales, but I seem to always be handing
    out my business card to people who want information about pricing,
    performance, and configuration of some DEC product or other.
    It's a low-key way of doing business; IBM has put so much pressure
    on sales performance in the past that I meet a lot of businessmen
    that are extremely reluctant to make even a casual inquiry
    of a computer company's sales office.
    
    I estimate that half of these contacts do give me a call, and
    I usually refer them to the hotline if it's a long question.
    I also estimate that about three of these calls a year result
    in a sale.  All things considered, putting internal and external
    addresses on everyone's business card is a pretty cheap investment
    in sales and public relations, if other DECcies out there have
    similar experiences.

    Has anyone been able to order business cards with a gateway address
    recently?
    
    At ZK, apparently everyone who orders cards gets the same memo from
    Office Services, showing a sample business card and the words: "This is
    the Digital standard business card and no variation will be exceptable
    [sic]." Of course the example card has neither an Easynet nor a gateway
    address. 
    
    I haven't pursued this with Office Services, and would like to know
    whether anyone already has.
    
    					Val

    I haven't tried it myself, but I remember reading in a VAX Notes
    conference somewhere that it is possible to have an Easynet/gateway
    address included on your business cards if your CC manager approves.
    
    	- Jerry

    My cards have an EASYnet address on them--so does everyone's card
    in our office.  However, the policy here is not to include the gateway
    address.  It sounds as though it's up to each Cost Center.

>    However, the policy here is not to include the gateway address.
>    It sounds as though it's up to each Cost Center.

It doesn't seem that cost centers have any control; the service organizations
in LKG and ZKO seem to be telling the cost centers what they can and can't do.

From our office services folks at LKG:

	The confusion started when a memo dated March 28th 1986 from Joe 
	Archibald stated that no gateway OR node information is allowed. 
	"Node Names and Access procedures are not to be disclosed to any 
	outside interest without proper high level approvals."
	Corp. Security has since then changed their stance to allow Gateway 
	information only.

	LKG's interpretation of the information that is allowed on Digital 
	Business cards is as follows:
		Only gateway addresses are allowed.
		No personal node names, no personal account names.

I've pointed out that it's impossible to include a gateway address without
including personal node names and personal account names.

/john

Val,

	All last summer I fought with Joe Archibald, his manager
	Mike Carter, Fred Robinson of ZK Security, Dottie Wedge
	of ZK Office Services, and unnamed individuals at Coronet
	Printing to get an set of business cards printed which
	included my electronic mail address.  In the course of the 
	battle, Mike Carter agreed to permit addresses of the format
	username@node.dec.com  or  ...!decwrl!node.dec.com!username.
	He insisted that their policy is only intended to eliminate
	the printing of the form  node::username.  A distinction I
	fail to appreciate but am personally happy to ignore.  It
	was an unexpectedly prolonged debate, culminating in the 
	first set of cards ordered being lost and emergency procedures
	to obtain a set prior to a trip, but in the end the cards
	were provided with the electronic mail addresses printed.

	Just this week I have received a new set of cards with new
	mailstop and phone number and electronic mail address without
	so much as a whimper or hesitation.  Attached below is the
	format I attached to the order form I submitted to Vic in
	Office Supplies.  You should have no problem with a similar
	format.

	Good luck,
			john


________________________________________________________________________________

  ,---,---,---,---,---,---,---,
  |   |   |   |   |   |   |   |
  | d | i | g | i | t | a | l |
  |   |   |   |   |   |   |   |
  `---`---`---`---`---`---`---`



			        J. R. Sopka
			Principal Software Engineer
		        Parallel Processing Software



                       Digital Equipment Corporation
                     110 Spit Brook Road (ZKO 1-3/B10)
                     Nashua, New Hampshire  03062-2698
                 (603) 881-1978       sopka@syzygy.dec.com
________________________________________________________________________________

    I was told that the ZIP code for ZKO was 03062-2897.  Is my number
    incorrect, or does ZKO1 have a different ZIP code than ZKO2?
        John Sauter

    I don't know about ZKO, but the last 4 digits of the ZIP codes
    for LTN1 and LTN2 are different.  The last 4 digits of the LTN zip
    codes are post office box numbers; each building has its own P.O.
    box, hence a different zip code.
    

Re .21,.22:

A November 1986 Digital Telephone Directory lists one address (110 Spit
Brook Road) and one ZIP code (03062-2642) for ZK.  It lists two addresses
and ZIP codes for LTN.  Either the directory is being excessively vague
about ZK, or your number is incorrect.
				/AHM

    So we have three zip codes alleged for ZKO: 03062-2698, 03062-2897
    and 03062-2642.  The March, 1987 phone book, on page 279, lists
    ZKO as 03062-2642.  I wonder if my cost center manager will spring
    for a new set of business cards?
        John Sauter

Here's what the Post Office says:

110 Spitbrook Road has its own Zip Code:	03062-2698   <<--- correct code

102-198 Spitbrook Road is			     -2642

99 Tara Blvd is					     -2897

The ZKO mailroom says that it is 2698, and that they'll get the next
issue of the corporate directory fixed.

/john

Back to the original subject:  Business Cards.  I enclose the following
abstract from a private message I received today:

	The real issue here however is whether or not an employee
	can routinely include their electronic mail address on
	their business card.  If Archibald & Carter would take
	the time to revise their poorly worded memo, people like Val 
	would not have to fight additional battles for approval to
	have this essential communication address placed on their
	business cards.  Val's cost center manager is sticking by 
	the unnecessarily restrictive wording of Archibald's
	original memo since no revision has been issued.

Since I had convince Mike Carter that our group has a legitimate need for
having our business cards printed with the gateway addresses to show that we're
serious about networking here in the Network Architecture group, (that message
is posted in the base note) I thought I would call Joe Archibald (Mike Carter
has left DEC) and try to get him to revise his memo.

No luck.

Arch: "We're still evaluating what we want to permit on business cards."
JRC:  "Then what does someone do now?"
Arch: "Wait."
JRC:  "That may not be the right business decision.  Should I advise people
       to contact you for specific authorization if their local people still
       want to restrict cards."
Arch: "That's not likely."
JRC:  "We have a business need to put this information on cards."
Arch: "Since all the cards will have to be reprinted when the telephone
       numbers change [this doesn't happen until July 1988] we'll have a
       decision by then.  Besides, some of the gateway products don't have
       a clear indication that mail is coming in through a gateway, and we
       need to address that first."
JRC:  "So should people who can't get their local stationery group to put the
       gateway address on the card just go outside and have their cards printed
       privately?"
Arch: "No, they should wait."
JRC:  "That's not a good business decision."
Arch: "That's the way it is."

        Re: Zip codes
        
        Part of the [new] zip code (the last 2 ditits, I think) is the
        post office carrier route number. Each time the post office
        changes its routes, this part of the code can change. Thus every
        six months or so, when they "load balance" the routes, your
        9-digit zip code may change. Better get the printer to print those
        last 4 digits in pencil, or order small quantities of cards. 
        
        Bob_who_is_VERY_glad_he_doesn't_own_40%_of_a_post_office_any_more! 
        

    Re: .27
    
    I'm pretty sure that isn't true.  The last four digits are
    assigned by address, not carrier route.  If the last two digits
    were carrier route, they'd tend to be pretty low.  The 9-digit
    zips I know seem to bear no relationship whatsoever to carrier
    route, and in fact tend to be much more fine-grained.
    				Steve

    Once again to the original topic... Since cost center managers must
    approve business card requests, they are in a position to enforce the
    January 1986 prohibition on gateway addresses. My manager agrees the
    prohibition is unreasonable, but I agree he is within his rights to
    enforce it, because it's the most recent official communication he's
    received on this issue.
    
    ZK security manager Fred Robinson is taking this up with Corporate
    Security again, to try to get them to issue a consistent decree.
    If I hear more news, I'll post it.
    
    					Val

One very good question is:

	Exactly what bearing does a memo written by someone in
	Corporate Security have to do on business cards issued
	in Spitbrook.

Noone in Spitbrook, not even the manager of ZK security, reports to
the department that issued the memo.

Latest word is that higher-ups in Corporate Security are straightening
this out right now.

/john

    re .27
    
    
    What is all the concern about 9 digit Zip Codes?  I thought the
    Post Office was going to continue to deliver to the 5 digit Zips
    and the main gain of 9's was speedier delivery?
    
    Jim
    

    Could somebody please update this note with the latest information?
    
    I would like to know what gateway addresses I can put on my
    business card (I'm also interested in what formats people use
    for UUCP and ARPA on their cards - but I can find that elsewhere
    if necessary).
    
    Thanks,
    
    - dave

	My card has the following on it:

	"UUCP: ..!decwrl!axel.dec.com!foley"
	and 
	"ARPAnet: foley%AXEL.DEC@DECWRL.DEC.COM"

	These addresses were checked out by John Covert, Gateway Master,

	Of course, the printers kinda messed mine up but they are usable..
	("Wassamatta, ain't never seen a gateway before??")

							mike

	We (MR01) just recieved a memo about node addresses/dtns
	on business cards.  The memo follows:
					/Robin


=======================================================================

	TO: DISTRIBUTION		FROM: Ellen M. Cadoret
					DEPT: Regional Office Services
					LOC: MR03-2/P17
					EXT: 297-4561
					DATE: December 22, 1987

	SUBJECT: BUSINESS CARDS

	Due to a change in vendors and the corporate specification of
	business cards, node names and DTN'S will NO LONGER BE ALLOWED
	on any business card order.  Orders take approximately 7-10 days 
	from the time the vendor receives and processes them to the time 
	they are returned t yur mail/stop.  Your cost center will be
	charged $10.00 per order (250 cards per order).  Please be sure
	that you have a phone number, C.C. and C.C. Manager's signature
	on the order form.

	New Business card order forms may be ordered though Office
	Services "OASIS" (automated supply ordering) by using order
	#322.

	If you have any questions please give me a call.

					Sincerley,
					Ellen M. Cadoret		

It is supposedly an Executive Committee decision that electronic mail addresses
will not appear on business cards -- if you need to, you can write it on the
back.

We have, in the past, been able to convince people that since we are in the
business of networking (in some groups) that it is foolish to not put our
electronic mail addresses on our business cards.

If we are not able to continue to get this done, I, for one, will either have
my cards printed at my own expense at a local printer (either the whole card
or just the back).

/john

When I was just a lad, my junior high school's print shop teacher would have
been proud to let me superimpose an additional set of information on some
professional's business cards as good practice, and perhaps something worth a
little extra credit.  People who have kids or neighbors in high school shop
classes might inquire of them whether their instructors would allow them to do a
run of a few hundred pre-printed cards for extra credit.  And if you don't know
of any suitable kids, you might be able to deal directly with the instructor.
				/AHM

  I can live without a node name on my business card, but not without a DTN
number. I think this rule is going to cause a lot of in-house callers to use
outside lines because they won't take the time to look up the DTN number.
This will mean higher phone bills. As for the new area code, when people see
what the alternative is, I think a lot of them will keep their old business
cards and write in the new area code when the time comes.

Re .34:
    
>    	Due to a change in vendors and the corporate specification of
>	business cards, node names and DTN'S will NO LONGER BE ALLOWED
>	on any business card order.  

    In our office - New York Commercial District -  many of the sales and
    sale support reps have limited account assignments.  One sale rep, for
    instance, is assigned only to Columbia University.  He used to have a
    card that showed his title to be "Account Manager, Columbia
    University."  Another rep sells only to hospitals; her card read
    "Manager - Hospital Accounts."  A sales support person whose primary
    responsibility was consulting on networking issues had cards that read
    "Networking Consultant."  Now we have been told that - per this
    corporate standardization - we can no longer customize our cards.  We
    are "Sales Representatives" and "Software Specialists". 
    
    Although it seems like a small thing, customers do respond to these
    customized titles - they get a sense of security knowing that the
    person they are dealing with is catering to their specific needs.  In
    fact, in a previous job in which I consulted to both pharmacuetical and
    plastics manufacturers, I had two sets of cards.  That employer didn't
    care what was on its employees cards - it allowed its employees to use
    their judgement. 

    

    Does anyone have handy the authoritative statement on the format
    of business cards?
    
    We're been down this road before: where local interpretations of what
    is a reasonable corporate policy are unreasonably locally implemented.
    
    Standard titles are stupid and a silly internal pursuit of consistency.
    We compete with companies that let the equivalent of a software
    specialist or sales representation put impressive titles on their
    cards. 

    Is the rule that DEC won't print extra stuff on business cards,
    or that extra stuff is not allowed on business cards (note the subtle
    distinction)?
    
    Is this part of the "corporate identity standards" stuff we have
    begun to hear about?  It seems to me that a standard-looking logo
    and a standard-looking business card are reasonable.  However, that
    does not mean identical!  Otherwise all cards would say Ken Olsen,
    and not your name.  The standard business card should have a standard
    place to put "additional identifying information" for stuff like
    "manager of sales to companies between Fortune 645 and 733", and
    another standard place for "additional contact information".  The
    latter could have electronic addresses, or it might say something
    like "Call Tuesdays between 1 and 5"
    
    I think I saw the address of a "corporate standards" guru in a recent
    MGMT MEMO, with a request to contact her with concerns.  Sounds
    like this is a good thing to do.  Does anyone have a file of MGMT
    MEMOs around to check through?  It was only a week or 2 ago that
    I saw it.
    
    Burns
    Burns

    
    As long as we're talking Corporate Standards and Business cards:
    
    	What is the current (as of 30-Dec-1987) the Corporate Color?
    
    It took 3 tries and 6 months to get my business cards right. The
    first ones were ordered with the wrong zip-code. The day I got my
    second set of business cards, I moved out of the building, so wrong
    phone number and wrong address. I finally got my cards right. Now
    I'm told that in the next 3 months, I'll be moving within the same
    building by may have to change my phone number. In the meantime,
    I'm taking my time to change my last name. I think I'll wait for
    the 5th round at this.
    
    Re: DTNs, internally there are places out in the field which one
    or two DTN lines for the DEC facilities. They are busy during business
    hours, after hours no one is there. Locally here in Chicago area,
    DEC has at least 5 sites. They cannot be reached by DTN from other
    local sites. I'm getting tired of memorizing the outside numbers
    for various sites. If you hand out cards internally, people can
    get your node address on ELF if you are registered.

    And then, of course, there's the problem associated with the change
    in telephone area codes for employees in the Greater Maynard area
    (actually *all* of Central Massachusetts) from 617 to 508 on July
    1, 1988.
    
    

    From the December, 1987 _Mgmt Memo_, the contact name for "Corporate
    Identity Standards" is Judy Steul, DTN 251-1490 [(617) 264-], DECmail
    @CFO, CFO1-1/M37.

    My group is in an unusual situation: we actually have a machine
    on ARPAnet, so printing our E-mail address doesn't disclose an internal
    node name (decvax is already well known).  I talked to
    our office services people and found that Peter Phillips (DTN 251-1515)
    would have to approve the extra line ("reeves@decvax.dec.com")
    on the card.  After I explained the situation, he had no problem 
    with it.  My new cards arrived about two weeks ago.
    
    Morals:
    
    . A corporate-wide nameserver on a gateway could reduce the
      perceived security problem.
    
    . There may still be Corporate Identity reasons not to print E-mail
      addresses.  I think Mr. Phillips was concerned only with security.
    
    . I have my cards, so I'm not going to rock the boat any harder.
                                                          

>< Note 174.42 by ADVLSI::HADDAD >
>    And then, of course, there's the problem associated with the change
>    in telephone area codes for employees in the Greater Maynard area
>    (actually *all* of Central Massachusetts) from 617 to 508 on July
>    1, 1988.
>    
Actually, it's all of eastern Massachusetts outside of the Boston area
and part of the south shore, and it's 16 July 1988.

This seems to be no change.

Internal addresses are prohibited.

External electronic mail addresses have not been prohibited.

My current cards, which contain

		covert%covert.dec@decwrl.dec.com

were printed while the same rules were in effect.

/john

    What's the part number and ordering contact for the "Corporate
    Identity Manual"?
    
    I agree with John, There seems to be no change.

    I'm not sure if I understand the problem fully, but I assume the
    desire to put your nodename on the business card is to facilitate
    electronic mail addressing?
    
    If so, then surely you don't need the nodename, you need the location
    code, and MTS addressing takes care of the rest, 
    		e.g. JOHN KAPPLER @ REO (for DECmail & ALL-IN-1, plus
    the VAXmail equivalent)
    
    I'm told by DIS that MTS addressing will reach any employee,
    world-wide, and now including that last bastion, Spitbrook Road.
    
    Am I missing the point?
    
    JFK
    
    p.s Anyone tell me how I work out my external mail address here
    in the UK?
    

>        I'm told by DIS that MTS addressing will reach any employee,
>    world-wide, and now including that last bastion, Spitbrook Road.

    Wonderful, so now I'll get more 'electronic' mail via hardcopy
    several days late. :-( Please tell me how to get my batch job
    to read it. Thank you.
    
    			Alfred    

The GATEWAY, which is what we are concerned with here, does not accept MTS
addresses.

Only "covert%covert.dec@decwrl.dec.com" is useful for my business cards,
which I only give to non-DEC correspondents.

/john

Re: .49
    
>    I'm told by DIS that MTS addressing will reach any employee,
>    world-wide, and now including that last bastion, Spitbrook Road.
    
    I can dig up about a dozen addresses formed as you suggest that will
    not (have not) reached their intended targets, although they presumably
    are formatted correctly.  I've discovered that I almost never receive
    mail so addressed to me.
    

    Re: < Note 174.47 by COVERT::COVERT "John R. Covert" >
    
    From the previous policy statement:
   	> 4. Internal electronic node information shall
    	> [bold] not [end bold] be printed on stationery items.
    
        
    Sounds like to me that you have given away the information
    that there is a covert node on the Enet; it is just in a slightly
    more obscure form than covert::covert.
    
    According to the statement, however, it sounds that any
    address on a machine registered with ARPA net or otherwise well
    known (decvax, decwrl, decsrc, and maybe the old 20's on the
    ARPA net, for example). (i.e. "external machines")
    Most of these machines are somewhat more carefully controlled 
    than others.  For example, we have programs which go around and 
    make sure that no one has set up proxy logins to non-DEC machines.

Yes, I'm missing something here too, John - sounds like you're giving 
out an internal Node name (covert)

"covert%covert.dec@decwrl.dec.com" 
        ======

it may be less obvious, as the nodename matches the username, but if
I give out winston%mormps.dec@decwrl.dec.com (as I'd like to), aren't 
I violating the corporate policy?

		/j

Re .55:

If you read the policy, you will see that it is discussing what can be printed
on business cards that Digital pays for, and says nothing about whether you can
disclose your network address, phone number or mailstop to non-employees.
				/AHM

>Re .55:
>
>If you read the policy, you will see that it is discussing what can be printed
>on business cards that Digital pays for, and says nothing about whether you can
>disclose your network address, phone number or mailstop to non-employees.
				/AHM

maybe I misunderstood John.  The heart of the matter is that printing an
ARPANET or USENET address on your DEC business card requires internal
addressing information (i.e., your nodename), does this violate the corporate
policy?  If it doesn't, then I would think printing your ENET address
(NODE::USERNAME) would also be ok, since it contains a subset of the ARPANET
address.  In fact, the ENET address should be the better choice because it
gives external people enough information on how to contact you (most external
people I've talked to have known how to get to DEC by one net or another) and
also gives your net address to internal people in a readable form.  I am happy
to follow policy, but this note seems to have conflicting interpretations of
what the policy is. /still confused 

    A few years ago I discussed this issue (net address on cards) with
    someone pretty high up in Security (who's since left DEC). He saw
    and understood a clear difference between an ARPA/UUCP address which
    included the ENET node and just giving the ENET address. I never
    was able to understand it though.
    
    Anybody know what policy says (or doesn't say) about having cards
    (with DEClogo etc) printed up privately?
    
    			Alfred

        I think I shall just get a cheap stamp made up to stamp the
        back of my business card with the network details. This will
        ,of course, not look as professional as properly printed cards,
        but far be it from me to upset a bureaucrat... :-)
        
        q
        

    .54 sums up my understanding nicely; I can name "decvax" on my card,
    since it is well controlled (and well known outside the company);
    further, the address given cannot be used to log in to decvax (there
    is no "reeves" account there) -- another part of the tight controls
    Jim refers to.  However, if I wanted to name, say, SMURF on my card
    -- in any form -- that would violate the policy (at least its intent).
    
    A thought: maybe the point of not allowing the information to be
    preprinted is so you can control who receives it.

The policy doesn't provide any reasoning.  People are imputing reasoning that
may or may not be behind what's there.  There are (at least) two entirely
different arguments one could make for this policy:

	1.  Internal node names should not be revealed to outsiders, for
		whatever reason.  (Most people think there is some sort of
		a security issue.)

	2.  Any information appearing on business cards should be useful
		AS IT STANDS to people outside of DEC.  That is:  "External"
		in the policy means essentially "externally accessible".

If the policymakers really had Reason 1 in mind, then John Covert's card is
"improper", and should not have been accepted.  As I think everyone here
agrees, Reason 1 makes little sense.  I also have yet to see any convincing
evidence that it is believed by anyone in a decision-making capacity:  Just
because random people in Security or whatever offices manage ordering of
stationary impute this as the reason for the policy statement does NOT mean
it has any policy significance.  

Reason 2, on the other hand, makes a lot of sense.  Digital pays for business
cards mainly so they can be given to customers, not so they can be passed
around internally.  Just as it's reasonable to require that a business card
require some address beyond "The Mill", it's reasonable that any electronic
address be given in an externally-usable form.

What this ultimately comes down to is that the apparent plain text of the
policy is ambiguous:  "External" could mean either "Externally known by
deliberate decision (e.g., on ARPA)" OR "Externally usable".  Nothing in
the text of the policy removes this ambiguity, and neither rumors nor
carping about it in this file will help.

There's an individual named in the policy as responsible for it; if anyone
really want to RESOLVE this issue, rather than continue debating it forever,
he should contact that individual and request a FORMAL clarification - some-
ting that can be given to recalcitrant managers - of the ambiguity.  If
the clarification comes down on the side of Reason 1 above, THAT is the
time to raise the issue and get the now-clear policy (or interpretation)
changed.

							-- Jerry

Were there a policy change, I would support the DEC NODE::USERNAME
format on cards as opposed to the ARPA, USENET, etc.   Every 
external person I have dealt with seems to know how to get to DEC from
<their> network.  All they need is the NODE and USERNAME.  The
advantage here is that cards will be less cluttered than if we each
try to put all of the various ARPA, USENET, (alternate USENET),
bitnet, etc. addresses on the front of each card. 

But who am I to propose policy ;-)?

/j

>        I'm told by DIS that MTS addressing will reach any employee,
>    world-wide, and now including that last bastion, Spitbrook Road.

Unfortunately not quite true.  There are two people people who could be
validly addresses as "JEREMY BARKER @ REO".  I arranged some time ago that
all messages addressed like this should go to the other Jeremy Barker (i.e.
not myself).  The other Jeremy Barker also has sufficient information to 
know when to send the messages to me (on paper).

jb

    I have cards printed in the following format, quite happily.
    
             ----------------------------------------------------
             |  Customer Services        European  Distributed  |
             | Systems Engineering      Systems Maintainability |
             |                                Engineering       |
             |                                                  |
             |                   Andy Leslie                    |
             |         Senior Maintainability Engineer          |
             |                                                  |
             |                 |d|i|g|i|t|a|l|                  |
             |                                                  |
             |                                                  |
             | Digital Equipment Co Ltd      RDGENG::Leslie     |
             | Digital Park, Worton Grange,  DTN:  830 - 6723   |
             | Reading, Berkshire RG2 0TU    Tel.(0734) 856723  |
             ----------------------------------------------------

    No-one objected as I have *no* external contacts that I would give a
    card to. On the other hand, they do get given to fellow employees. 
    
    I assume that if my cards were expected to have external distribution
    then the internal information would have been deleted. 
    
    Andy    

    The purpose of a business card is to help people get in touch with
    you. (If you are self-employed, it is also a form of advertising.)
    
    I believe the old policy was established when it was necessary to
    use "routing information" that revealed some of the structure of
    the internal network. That is no longer true.
    
    Therefore the policy is that you can put on your card mail-stop
    and address, phone number, and node::username.
    
    	Rick
    	Merrill
    

    This is interesting since one of my responsibilities is to 
    make network tools secure for release to external field sites
    and one of the items considered for this release is the deletion
    of any internal node references.

I can buy beleive the argument (of no node info on your card) for security
reasons.

Scenario: Mr. X from DEC comes to my company and gives a 'non-disclosure'
          presentation on DEC's new 4096 bit word-length 5GHz cpu built into
          an 80-column card punch.

          I receive a business card saying that Mr. X is on node 80CARD::X
          and that he is a 'Principal Card Punch Design Engineer'.

          Another day I meet with my pal that has access to a DEC internal
          system and will let me 'play around' a bit. I'll start my poking
          at node 80CARD:: as I suspect it could be a hotbed of card punch
          activity.
          
Farfetched? Yes.

Possible?   Yes.

Moral: Don't tell outsiders anything that they don't need to know.

If electronic mail is an important tool for communication with those outside
of DEC then maybe our gateways (name server based?) need improving so that we
need not reveal internal node names.

Lee

    
    	Hi speed CPU's in a card punch is far fetched, but not
    	the scenario that you depict.  It happens more than you
    	my think it does judgin by the amount of external access
    	reviews I have in front of me.
    
    

    Then why doesn't the policy state that you can't put something like
    "2picosecond VAX design engineer" on your business card?
    
    For that matter, anyone who is working on the new 2picosecond VAX
    should have an account on some other (ie: already existing machine)
    from which they could get mail. 
    
    For me, there's nothing wrong with me giving my nodename (MILT)
    out.  All it is is a lowly VAXstation II/GPX with my nickname on
    it
    
    -milt
    

I agree that it has been convenient to have internal node names on cards,
especially if you frequently give cards to other employees. However, with
the increasing concerns for network security, we should stop handing out
pointers that help hackers to find the more significant systems.

Employees can use ELF to find the internal ("best") net address of any employee.
Those of us who would have put node names on our business cards, just make
sure that ELF is updated.

For outsiders, I would recomend the following: most employees are now listed
on "MTS sorters" for their facility. This can be true even for users who
prefer VAXmail as their mail interface. (The MTS sorters can sort to VAXmail
just as easily as to DECmail or ALL-IN-1). If you feel the need to give to
outsiders an electronic mail address, give them the one that goes to your
site rather than to your ultimate system. This gives out no more information
that the address (facility code, mailstop) that is already on your business
card.

If you are not currently registered with your site's sorter, have your cost
center manager get you registered. Some sites charge the cost to the cost
center. Others overhead it. But the charges are modest in general.

        Re: .70
        
        If we worry about the scenario in .67, then we not only have
        to take node names off of business cards but stop putting
        them in ELF.  Otherwise the intruders with access to EasyNet
        just use ELF to determine which node to attack.
        
        					B.J.

    Once a person gets access to *any* system on the net it would
    only take a few minutes with NCP SHOW KNOWN NODES to come up
    with a life time of interesting node names. Our links to other
    nets are such, I'm led to believe, that someone could not use
    them to break into the EASYNET so I don't understand how giving
    someone a node name is a help to breaking in. If it were then
    maybe people shouldn't be allowed to contribute to the USENET.
    After all hundreds of EASYNET addresses show up there now already.
    
    			Alfred

    re .70:  I'm missing something here.  I do have "Simon Szeto @HGO" on
    my business card, but how is somebody outside Digital supposed to
    get to me that way with electronic mail?
    
  --Simon
    

    re .61:                                             
    
    I guess I should have been more explicit; the person I spoke with
    to get "decvax" approved on my card was not a random person but,
    in fact, the same Mr. Phillips named in the policy.  The questions 
    he asked made it clear that he, at least, interpreted #1 (security) 
    as the motivation behind the policy.  No, I didn't get a "Formal 
    clarification"...
    
    As I think the intervening responses show, there is in fact some
    security concern over revealing internal node names.

    In all honesty, it seems that the "security-minded" policy-makers
    have either been mis-informed about how nodenames work, or are just
    having knee-jerk reactions.  If we look at some of the scenarios
    mentioned, they tend to break down under their own weight.
    
    a) hostile user has access to ENET through  unscrupulous DECcie
    who lent them their account.  Using their handy business card file,
    they suck unsuspecting nodes dry of all confidential information.
    
    [If *any* hostile user has an account with ENET access, he has auto-
     matic list of ALL the nodes on the ENET, and has no need to rely
     on a few paltry business cards]
    
    b) hostile user has nodenames from business cards, but no access
    to accounts on ENET machines.
    
    [Same applies.  Once a hostile user gains access to a machine, the
     then we fall back to the next line of defense, which is SECUREPACK
     and other network security tools.]
    
    c) hostile user attempts access via internet gateways from ARPA,
    BITNET et al, using those illicit nodenames.
    
    [The internet gateways are probably the most thoroughly scrutinized
     nodes in the network, as far as security is concerned.  Also, as
     mentioned elsewhere, those very nodenames can be found thoughout
     the USENET in public correspondence from DECcies.]
    
    I think the real reason for this whole thing is the embarrassment
    felt by the "image-makers" when they see the wacky names we use
    for our nodes.  They probably feel that it's hard to take someone
    seriously when their E-mail address is something like DOPEY::JONES!
    
    Geoff

    re:.70
    I don't see the benefits in giving out MTS codes.  I don't think
    DECWRL understands them in its gateway syntax; I have outside
    correspondents who reach me at delni.dec.com, but MTS is strictly
    internal unless perhaps some serious hackery goes on.
    
    If someone were logged into an Easynet account, they'd be able to
    find nodes by saying things like "1025::" and "4394::" since the DECnet
    address space is quite dense.  Session control is quite happy to
    take integers in place of node names.
    
    With DECnet/OSI, there will be one universal address space; our
    name servers will presumably migrate into one universal namespace
    too someday.  Secrecy here seems counter-productive.

    From the FWIW department:
    
    In my previous job, I was pleasantly surprised to find that our
    SUN sales rep had his Usenet address printed on his card.  I gather
    that it is the explicit policy at SUN to include such addresses,
    and that a business card without an electronic address would be
    the exception, not the rule.  I'm not sure about this though, and
    it may have changed in the last few years.
    
    I wonder if SUN believes there is a sound business reason for
    distributing electronic addresses.  Terms like "accessability" and
    "customer satisfaction" come to mind.  DEC, on the other hand, suffers
    from the reputation of having an inaccessible sales force. (Presumably,
    we don't deserve this reputation.) 
    
    Maybe there's a lesson here.
    
       Gary

    IBMers have internal code nos. and e-mail addresses on their cards.
    
    Some Xerox employees add the following to the reverse side of their
    cards:                                        -------
    		telephone:  ...
    		Intelnet: ... 
    		XNS: ...        
    		ARPA: ...
    		TC/Fax: ...              
    
    The message is obviously, "You can get in touch with me."
    
    	Rick
    	Merrill
    

        It was suggested earlier that an easy way to add this information
        to your business card it to get a rubber stamp made up and stamp
        it on the back.  This is OBVIOUSLY easier than getting a policy
        changed to have it done at the printers. 
        
        If you really care about having the cards look really nice, then
        take one to a printer and ask to have a set made up, using the
        official one as a model. 
        
        Alas, there seems to be no way to get the DECWRL gateway to send
        incoming mail to a Message Router node.  If someone knows how to
        get this to work, please give an example here. 
        
        Tom
        

You do not need an account in a given machine to have mail forwarding
enabled for that machine, as VMSMAIL maintains its own translation
database.  That is, if you (with privs) go into mail on your VAX (call
it VAX1), and say, SET FORWARD/USER=FOO  nm%CLEM::FOO. Then all mail
sent to VAX1::FOO will be forwarded to CLEM::FOO.  FOO does not need 
an account on VAX1 for this to work.  So, you could theoretically have
one node, probably hung off an external net gateway node, that you can
send mail to and have it reach an employee, regardless of what node he
is really on.  Thus, corporate-wide, we would give out only one or two 
nodenames (like ARPGAT or some such), and you wouldn't have to tell 
customers when you changed your node.

The database could be maintained by the ELF people, but I would
suggest it be a parallel facility.  That is, to be in the database of
this "global router" you'd have to send a request, and then send an
update request whenever your node changes.  Only employees who request
it would be in the database. This would keep the database to several
thousand names instead of tens of thousands. It should be possible for
the entry/update facility to be automated by software (like ELF). The
only hitch I see is if VMSMAIL's searching facility is inefficient -
anyone from VMSMAIL (or corporate communications) listening? 

    Without appearing to defend VMSMAIL, I don't see that the efficiency
    of the searching algorithm as "the only hitch."  I fail to see the
    necessity of using VMSMAIL in the first place in the putative DEC
    gateway node that understands where every employee is (if that's
    the proposal).  Isn't uniqueness of employee a problem to be solved
    in this proposal?  For example, we have two Steve Bourne's in the
    company.  How does the sender know how to address the mail to the
    right one?
    
    The defunct DECmail system (superseded by ALL-IN-1 MAIL) used badge
    numbers, which are of course unique (supposedly).  However, I'm
    not about to suggest using that again.
    
    Getting back to the original issue, I think we should ask why we
    want to put network addresses on business cards.  If it's to let
    people outside the company know how to send us electronic mail,
    then we should use network addresses that are usable in that context.
    "Simon Szeto @HGO" is not very usable in that context.  But it could
    be useful if the purpose of putting the network address on the
    card was to give other Digital employees the information, without
    running afoul of the rule that node names shall not appear on the
    card.
    
    Personally I'm still skeptical of the argument that putting node
    names on business cards is a security risk.
    
    As for putting the verboten info on the reverse side, I already
    have something on the reverse side -- it's the English side of my
    card; the "right" side is in Chinese.
    
    You know what I think?  I think we should just print our own cards
    with our node names and give those cards to our friends in Digital,
    and leave the approved format cards for giving out to customers.
    Or simpler still, just write your node name on the card when you
    give it to a Digital employee.
    
  --Simon
    

    In December  when  my  cards  were  printed  without an email
    address I too began to ask questions and got a memo from Judy
    Steul  suggesting I supply a business case for my request.  I
    did this in the attached memo.  

    When I  heard  nothing  back,  I contacted Peter Phillips who
    informed  me  that the Corporate Identity Committee meets the
    first  Tuesday  of each month.  This issue is still open.  My
    memo  was distributed and was discussed in January, February,
    and is the first item on the adgenda for March as well.

    I suggest  that  anyone  who  is interested also supply input
    (perhaps  agreeing  with  my  memo)  to  Peter  Phillips.  (I
    suggest   paper   mail   for  obvious  reasons  -  mail  stop
    CF01-1/M37).   THIS  SHOULD  BE  IN  TIME  FOR  THE MARCH 1ST
    MEETING.

    I think  these  people  do not realize the extent to which we
    rely  upon  email and how email can help us in our job.  They
    need input.

    My original  memo  is  reproduced  below  as best as possible
    using  the  mail  option of Document.  I am not including the
    attachments  but  suffice  to  say  that  they  were  lengthy
    listings of nodes on the various networks.

		____________________________________

          DIGITAL       INTEROFFICE MEMORANDUM

                                             FROM: Paul T. Cummings
                                             DTN:  226-6366
                                             ENET: ultra::cummings

          TO:      Peter Phillips            DATE: December 24, 1987
                                             FROM: Company Identity
                                                   Committee
                                             DEPT: Corporate User Publications

          cc:      Phil Becker
                   Dana Lajoie
                   Suresh Masand
                   Judy Steul


          SUBJECT: Business Card Corporate Identity Standard Proposal


          A recent request for business cards has uncovered a poten-
          tial shortfall in the Guidelines for Implementation sec-
          tion of the Corporate Stationary System of the Corporate
          Identity Manual, as written by the Company Identity Com-
          mittee. In this memo I describe the problem, explain how
          the problem relates to Digital's business posture, and pro-
          pose a solution for the committee's consideration. Upon ex-
          plaining the problem to Judy Steul, she suggested that I
          request a special exception to the referenced policy. How-
          ever, I should like to specifically point out that I am not
          requesting an exception be granted; rather I am recommend-
          ing that the policy be changed as described below.

 


                                                           Page 2




          The problem centers around including electronic mail (e-
          mail) addresses on business cards. In telephone conversa-
          tions, Judy pointed out that the reason for not including
          electronic addresses was that a this would somehow weaken
          the security posture of Digital's computer systems. I will
          discount this assertion to the extent possible. However,
          since no one from your office could explain what the threat
          was nor could Judy or yourself give me a reference for the
          alleged security threat, I can only discuss the topic in
          the abstract. It is worth noting that this issue will be-
          come more contentious when many of the Massachusetts Dig-
          ital employees with their e-mail address currently on their
          business card request new business cards as a result of the
          617 area-code split.

          In my case, I requested that both my Easynet (Digital in-
          ternal) and Arpanet (world wide) e-mail addresses be in-
          cluded with my paper mail address. This request was denied.
          In reading the policy, it appears that the policy was mis-
          interpreted and that the Arpanet address should have been
          printed as this is not an internal address. However, the
          printer said there was another part of the standard which
          precluded lines longer than 32 characters; my Arpanet ad-
          dress is 33 characters. In any case the Easynet address in
          clearly precluded in the policy and I will make a case for
          both addresses to be included.

                   E-mail Is Essential To Modern Business

          E-mail is now in common use among modern business both for
          internal and external communication. The popularity of E-
          mail is on the rise because it incorporates many of the best
          features of telephone, and paper mail (pejoratively referred
          to as "snail mail" in the e-mail community) communications.
          It provides the timeliness of the telephone - messages are
          delivered to points all over the world literally in min-
          utes (far better than Federal Express type services). And
          E-mail is non-interfering as is paper mail - the reader can

 


                                                           Page 3




          act on the message at his leisure. And better that paper
          mail or telephone, electronic mail provided the informa-
          tion in a form most conducive to further processing. E-mail
          is currently used extensively by Digital employees. This
          is in part evidenced by the Gateways Notes conference, which
          contains over 600 topics and 2500 entries, mostly seeking
          information on network paths to various institutions.

          It seems to me that as a leader in the computer industry
          Digital has an interest in seeing e-mail proliferate. And
          Digital, as a technology leader, should be able to recog-
          nize the utility of e-mail to modern business. I have at-
          tached host listings of the Military Network (Milnet), Com-
          puter Science Network (CSNET), and the Advanced Research
          Project Agency Network (Arpanet). A quick scanning of these
          listings reveals that many of Digitals most important cus-
          tomers, suppliers, and competitors maintain hosts on the
          network. In addition, all of the top research universities
          maintain e-mail hosts. Timely and convenient communication
          with our customers, suppliers, and research institutions
          is of obvious import.

          Regarding internal use, it is apparent to me that far more
          mail is exchanged by Digital's e-mail facilities than by
          its slower paper counterpart. In that past three months,
          I have received less than ten memo's through paper mail but
          I have received nearly 100 through electronic means. Dig-
          ital clearly relies on its e-mail as a critical component
          of its internal business correspondence.

          For the same reasons that compel us to use business cards
          as efficient means of providing essential business data to
          external contacts apply equally to to our Digital counter-
          parts. Many organizations within Digital exist solely to
          service other Digital organizations. For this reason I feel
          that we should include our Digital Easynet address on our
          business card. The Digital phone book does not contain the
          necessary information, and the Employee Locator Facility

 


                                                           Page 4




          (ELF) is unreliable as it overloaded and frequently does
          not respond to user requests.

          I have provided examples of business cards of competitors,
          customers, and colleagues as examples of people who also
          felt it was important to include their e-mail addresses as
          elements of their business address. It is interesting to
          note that each card presents the information in a differ-
          ent format. The Company Identity Committee would need to
          determine the best means of presentation for Digital.

             Security Is Important But Irrelevant In This Case

          As electronic information exchange becomes more prevalent,
          and computer networks become more difficult to bound, com-
          puter security issues become increasingly complex. However,
          providing one's electronic address to an adversary does noth-
          ing to weaken the security posture of a computer system.
          The security mechanisms in place in Digital's computer sys-
          tems do not depend on the electronic address of the node
          being kept secret. In fact it would be preposterous to think
          otherwise for the following reasons. First, a user's e-mail
          address is shown whenever he sends mail. Second, DECnet node
          names are six characters in length. Therefore they are eas-
          ily guessed. Please note the members of Digital's own Se-
          cure Systems Group, and the National Computer Security Cen-
          ter who include their e-mail addresses on their business
          cards (attached).

          In discussions with Corporate Security, it was pointed out
          that, associating a user name with a node name allows gives
          an adversary a starting point (the user name) for guess-
          ing passwords. This is true. But as was previously pointed
          out this risk is already present because node names are re-
          vealed whenever a user sends mail! In addition the pass-
          word mechanism is the basis for the user identification and
          authentication function on Digital's main computer line.
          The threat of adversaries guessing passwords is clearly deemed
          acceptable.

 


                                                           Page 5




                            Proposed Alternative

          With the case made that e-mail addresses should be included
          on Digital business cards, I would like to propose the fol-
          lowing sample format for your consideration. The printer
          (Regal Press) of my business card felt that Digital had im-
          posed a limitation of 32 characters per line. I should point
          out that this limitation is unreasonable for Arpanet ad-
          dresses. My Arpanet address is: cummings%ultra.dec@decwrl.dec.com,
          which is 33 characters. The only variable portion of this
          address is the name, in my case 8 characters. Therefore the
          corporate identity standard should accommodate 25 charac-
          ters plus the length of a name as a minimum line length.
          I have tried to stay with your implied model of not labelling
          the various sections. The card now presents the persons name,
          title, and organization followed by the three primary means
          of contact: paper mail, voice, and electronic mail.

          Figure 1: Proposed Business Card Format

 


                                                           Page 6




                                  Summary

          In summary, I feel that e-mail is an important component
          of Digital's business communications. As a leader in com-
          puter technology, we should recognize this fact and encour-
          age computer networking as standard business practice - not
          the opposite. For this reason, I feel that  Digital should
          recognize that an employee's e-mail address is a crucial
          element of his business address and should therefore be ac-
          commodated by the Corporate Identity Standard. Security is-
          sues though important are not relevant to this discussion,
          as our computer security architecture does not rely on the
          secrecy of e-mail addresses.

Figure one  was  created  via a postscript file and cannot be included here.
But the following should give you the jist of it.

	_________________________________________________________________
	|								|
	|			Paul T. Cummings			|
	|			Principal Engineer			|
	|			Government Systems Group		|
	|								|
	|								|
	|	digital logo	Digital Equipment Corporation		|
	|			305 Foster St, P.O. Box 1450		|
	|			(LTN2-2/C08)				|
	|			Littleton, Mass.  01460-1123		|
	|								|
	|			617.486.6366				|
	|								|
	|			ultra::cummings				|
	|			cummings%ultra.dec@decwrl.dec.com	|
	|								|
	_________________________________________________________________

					

    As a small aside, I don't believe 33 characters is necessary anymore.
    ARPAnet domain servers recognize .dec.com as defaulting to decwrl,
    so the address
    	cummings@ultra.dec.com
    should work.  I routinely use
    	goldstein@delni.dec.com
    even though delni is not in the ARPAnet hosts table.
             fred

re .83  Not all ARPANET sites are using domain servers yet; very few MILNET
sites are, and almost no sites at such major locations as Bellcore are.

The only guaranteed correct address includes the reference to decwrl.

/john

As manager of the DIS IDA Program, I am an avid user and advocate of
VAX Notes.  As a member of the Company Identity Committee, however,
I'm dismayed by some of the "expert advice" given here.  I'd like to
correct a few impressions and offer some suggestions. 

*  Peter Phillips swears that he has NEVER given approval for
   electronic mail addresss on business cards!  Whatever got
   said, this was not Peter's intent.  Needless to say, he does
   NOT approve of this practice.
   
*  The Company Identity Committee (hereafter, CIC) intent in
   prohibiting internal addresses and phone numbers on business
   cards was to avoid confusing customers (the primary audience for
   business cards) with information which is not applicable to them.
   I was not party to this decision, but I have no problem with it
   either.  Online lookup facilities like ELF should serve all
   internal needs.  If (since?) they don't work well enough, let's
   fix them!  We have invested enough to create something marginally
   useful -- let's go the rest of the way. Same with MTS addressing.
   Digital Telecom says it works. I know it does for me, but I also
   know it does not for a lot of people I send mail to.  If it does
   not work for you, let's push DT to fix it.  This is what they get
   paid for, and if they're inadventently failing, we want them to
   know about it. 
   
*  Originally a secondary reason for eliminating node names on
   business cards, security has become the primary reason.  Whether
   some of you believe it is possible or not, the hackers are here.
   Don't help them.  If you are fortunate enough not to have run
   into them, I'm glad, but I have been on a system which was under
   attack.  It is not fun, and it is definitely dangerous to our
   business.  An AT&T security manager recently gave an entire
   presentation to our people on what a hacker can do with an
   average business card.  Let's not volunteer to be the case study.
   This means you guys with the rubber stamps as well as the
   "post-printing" people. Nodes names on business cards ARE a
   security risk -- DO NOT DO IT, for the good of the company that
   pays your salary.  If you're giving a card to an internal person,
   write the info on it if you feel the need.  Adds that personal
   touch. 

In spite of all of the above, intercorporate electronic mail is
here.  There is a real business need for it, we are a leader in this
field, and our internal solutions should set an example for the
industry.  To me, this means figuring out how to do it right. My
thoughts are as follows: 

*  For internal mail, use MTS routing wherever possible, starting
   now.  If it does not work for you, get it fixed.  This is not
   only more secure, it makes life so much easier for poor buggers
   like me who send monthly mail to a 400 VAXmail-user distribution
   list.  I'd much rather have MTS know that you changed nodes from
   FOO:: to BAR:: than to get all those notices from "The Postmaster"
   (who is that guy, anyway?).
   
*  To find people, use ELF.  Keep your own ELF entry up to date so
   people can find you.  List your MTS address as well as your
   VAXmail address to encourage people to start using that format.
   
*  For external mail, type X.400, we need to work with DT to arrive
   at a standard format. Something like "MCI MAIL: EUGENE F
   KUSEKOSKI @VRO@DIGITAL" would be ideal, but the technical wizards
   will have to advise on the details.  All other "sensitive"
   information like node names, badge numbers, etc should be avoided
   unless that is what we are left with when all other alternatives
   have been exhausted.  I will personally sponsor the amendment of
   the CIC policy to permit this kind of address on our business
   cards when an appropriate form is agreed upon. 
   
   For external mail, type "other", I believe we need some work to
   our gateways as suggested in a previous reply.  When I send mail
   to someone on ARPAnet (yep, I definitely do that), I address him
   with a name and facility code.  Where it goes from there is
   invisible to me.  For some reason, our people feel that we cannot
   handle our end without node names. But we are a big company?  The
   U.S. Army is a big company folks, and they do it just fine.  I
   believe the key is to get users who want to use the gateway to
   register, as suggested in a previous reply.  This can be
   automated to make it as painless as possible for all concerned,
   perhaps happening automatically when a Digital employee first
   sends mail out of the gateway.  When ARPA correspondents can
   address me as KUSEKOSKI@VRO@DIGITAL or something similar which
   does not reveal my actual node, I will sponsor amendment of the
   CIC policy again to permit this kind of address on our business
   cards.  I have already proposed this before John Sims, and he is
   in basic agreement.  This one requires some work, though.  DT
   does not want to touch the foreign net gateways.  Who can help me
   out here? 
   
Bottom line:  We've got some issues, and some needs which are
real to a lot of people, albeit in different proportions.  We've
also got a lot of smart people who have the brains and resources
to fix the problem instead of grousing about it in a VAX Notes
conference and creating rubber stamps.  So why don't we just
fix the problem and retire this topic?

Send constructive comments and offers to help directly to me. Enter
all other comments which do not contribute directly to the solution
in this conference if you must. 

Regards,
Gene Kusekoski

    RE: .85 The problem with your saying that node names on business
    cards is a security risk is that you don't explain how. All the
    network experts who've replied here (and they have some very
    impressive credentials in those areas) say it's *not* a risk.
    
>*  The Company Identity Committee (hereafter, CIC) intent in
>   prohibiting internal addresses and phone numbers on business
>   cards was to avoid confusing customers (the primary audience for
>   business cards) with information which is not applicable to them.

    Now our customers are idiots who get confused by extra lines on
    a business card? Either you're not serious or our customers are a
    lot stupider then they were when I was in the field. Aside from
    that the primary audience for my business cards is DEC employees.
    
    As far as I can tell you've given *no* sound business reason for
    leaving the address off the business cards. Sorry.
    
>*  For internal mail, use MTS routing wherever possible, starting
>   now.  If it does not work for you, get it fixed.  This is not
>   only more secure, it makes life so much easier for poor buggers
>   like me who send monthly mail to a 400 VAXmail-user distribution
>   list.  I'd much rather have MTS know that you changed nodes from
>   FOO:: to BAR:: than to get all those notices from "The Postmaster"
>   (who is that guy, anyway?).

    If you're having trouble with a list that small (my *weekly* mailing
    is 5 times that large and I know someone who has a *daily* list twice
    the size of mine) I suggest you switch to using Nmail or
    DECmail-11. Either I get will do the job. VAXmail sent to addresses
    I haven't used for four or more years still gets to me without
    any full time mail support people in the way.

>    So why don't we just fix the problem and retire this topic?

    The simplest cheapest fix is to retire a policy which serves no
    useful purpose except to interfere with communication both internally
    and externally.
    
    			Alfred

   re: < Note 174.85 by FYI::KUSEKOSKI "Gene Kusekoski, 273-3138, VRO3-2B7" >

>  either.  Online lookup facilities like ELF should serve all
>  internal needs.  If (since?) they don't work well enough, let's
>  fix them!
    
    You are making some radical assumptions here.  ELF is not only
    sometimes inaccurate and mis-managed, but is not even available
    in some areas.  And by the way, ELF is what I would consider one
    of the worst security holes in the entire network.  And the funding
    and manpower support for internal utilities like ELF and EMAIL have
    been slow to materialize.
    
>  business.  An AT&T security manager recently gave an entire
>  presentation to our people on what a hacker can do with an

    An AT&T security manager?  A UNIX security manager?  I don't doubt
    that any war stories he had to tell would strike fear into the hearts
    of the audience ...  
    
>  handle our end without node names. But we are a big company?  The
>  U.S. Army is a big company folks, and they do it just fine.  I

    The U.S. Army is not a company.  They are not driven by business
    goals, or even logic for that matter.  They do whatever they do as
    a result of legislative or executive policies that have no basis
    in the corporate world, being concerned with National Security and
    so forth, and with my tax dollars no less ...  Please don't bring
    our company down to this level.

>  Send constructive comments and offers to help directly to me. Enter
>  all other comments which do not contribute directly to the solution
>  in this conference if you must. 

    Thank you.  If "constructive" means agreeing with the policy, then
    I guess I have nothing to offer you directly.  The discussions in
    this conference, even if most of them are negative, are valuable.
    They are informative (I didn't even know about the policy until
    I read about it here) if nothing else.
    
    Geoff

Re .85:

>An AT&T security manager recently gave an entire
>   presentation to our people on what a hacker can do with an
>   average business card.  Let's not volunteer to be the case study.

I have just looked at business cards for the following AT&T employees:

1.  A head of a Bell Labs research department.  The last I heard, his computer
science papers have more citations by other researchers than anyone else
employed in the industry.

2.  A member of a Bell Labs research department.  The research he is involved
in has become one of the hottest topics in its field.

3.  A consultant-level salesman.

Pardon the name dropping, but I do this to make a point.  I would think that all
three of these individuals would be rather widely known.  By your account they
must all be in immenent danger of being hacked.

All three of them have their network addresses on their business cards.

Why should we practice what AT&T preaches when they don't?
				/AHM/THX

I wouldn't go around quoting that AT&T security consultant; many of the things
he said are pure hogwash (for example, suggesting that people use the card
reader phones instead of keying in their credit cards because hackers were
tapping payphone lines and recording credit card numbers:  the card reader
phones simply transmit the credit card the same way it would be transmitted
if you typed it yourself!).

If knowledge of our nodenames is a security risk worthy of making us appear
stupid for not allowing nodenames on business cards (and it does make us look
stupid, believe me, I deal with customers in the field of networking all the
time) then we should also ban participation in all of the computer network
discussion groups.  Let's just shut down the gateway and lose all the benefit
we have gotten from it.

Many of us *only* want to put our external mail address on our business cards,
not anything that would "confuse" our customers (who must really be stupid, or
so DIS must think).

We certainly will someday solve the problem of *needing* to use nodoe names,
but negatively impacting our business needs until then is *stupid*.  Last year,
the entire Digital Network Architecture group did without business cards for
six months while we fought (and successfully won) this issue.  We give our
cards to people on the network standards committees where we are trying to
get "the Digital way" to be the international standard way.  Not having our
mail addresses on our cards implies that there is something wrong with the
Digital way and can have a long term affect in the billions of dollars on
our company.

Not allowing gateway addresses on business cards is a *very* bad idea for the
future of the company.

/john

    Clearly, this topic can go on for an infinite period of time.  It's
    also clear to me that there are valid arguments on both sides.  But I
    think some people are missing the point.  I don't really want to take
    sides or spend my nights poking this conference.  I DO want to do
    something to make changes that make at least SOME of us happy. 
    
    The position I'm trying to support is not something I made up or even
    something DIS made up. The Company Identity Committee is an officially
    chartered subcommittee of the Executive Committee and is chaired by
    John Sims, Vice President of Strategic Resources.  This committee, for
    whatever reason they saw fit, has said "no internal node names on
    business cards".  Rather than endlessly debating the virtue of this
    position, let's see if there are ways to get what we all want and need
    within its framework. 
    
    The CIC has NOT said, "no electronic mail addresses".  This is a
    distinction they did not fully understand, but one on which I am trying
    to educate them.  Incidentally, they did not provide for FAX numbers
    either, which is another bit of technology that is extremely useful in
    business today.
                                    
    Electronic Mail with X.400-style addressing should be allowed
    immediately.  I am proposing that revision next week.  Mail through the
    gateways, if it were "buffered" to strip off internal routing
    information as another contributor to this conference and I have
    suggested, should also be no problem, but we need someone to do what I
    perceive to be a minimal amount of work to the gateway.  This done,
    we'll have intercompany mail approaches that support the business need
    of most people, and our business cards will reflect the way in which
    we have addressed the problem for Digital.
    
    I think we are in violent agreement here!  Can't we stop the debate,
    get the gateway work done, and move on?  Get in touch if you want to
    help solve the problem.  If you just want to send me more arguments,
    I'll be glad to send you back a note that says "Good Point!", but we
    won't be any closer to the solution we know we all need.  Why not help
    me to help you? 
    
    gk

    I've had customers look at my current set of business cards and
    ask what that little JAWS:: down next to my phone number meant.
     When I provide an explanation, they suddenly become fascinated
    with the concept of Easynet...  Seems to be a good selling point,
    and a REAL good way to start up a conversation about something the
    customer doesn't have and, BTW, WE sell!
    
    But Alas....I now am under the prospect of a new job title, hence
    a set of new cards....  and double digit passwords...
    
    Gil  (AKA JAWS::DAVIS)
    

re .90
>Rather than endlessly debating the virtue of this
>    position, let's see if there are ways to get what we all want and need
>    within its framework. 

    I disagree.  The "virute of this position" is exactly what is
    at issue here.  When my request for business cards was turned
    down, I was asked to comment how on the standard did not meet
    my  business  need  and  I have done so (copied in note .85 I
    think).   I  hope  others have as well.  I don't think anyone
    really wants to engage in an endless debate, least of all me.
    I just want a useful piece of information on my business card
    and  no  one has ever given me any real explanation on why it
    shouldn't be there.


>    Electronic Mail with X.400-style addressing should be allowed
>    immediately.  

    But you  seem  to  agree  with  putting  at  least  some form
    external  mail  addresses  on  business  cards.   This  is an
    excellent  starting  point.   (For  some  reason  you  make a
    distinction,   which   is  lost  on  me,  regarding  internal
    addresses.  But only one problem at a time.) 

>Mail through the
>    gateways, if it were "buffered" to strip off internal routing
>    information as another contributor to this conference and I have
>    suggested, should also be no problem, but we need someone to do what I
>    perceive to be a minimal amount of work to the gateway.  

    It seems  to  me  you  feel providing nodenames as part of an
    extermail  address  somehow  weakens our security posture.  I
    don't  for  the  life  of  me know why.  (And I have spent my
    share  of  time  in  addressing  computer security issues.) I
    think  that  going  to  the  trouble  to  translate and strip
    addresses  in  a  gateway,  is solving a problem that doesn't
    exist.   (Two lines in a policy is certainly easier to change
    than  complete  corporate  addressing  mechanisms and gateway
    sofwtare.)

    If there  is  a  security problem, WHAT IS IT? LET'S HEAR IT!
    Who claims to understand it? All I hear is vague allusions to
    hackers  and  security.  Lacking any kind of an explanaion of
    what  this  secirity  threat is, I have to conclude that only
    tradition  and backwards thinking keeps us from doing what we
    want.

    FWIW, I  agree that hackers (in the recently created sense of
    the  term)  are  a  bad thing and computer security is a good
    thing.  Just be sensible about it. Please.

    Look folks, you're missing the point(s).
    
    Point 1: Right, wrong or indifferent, the CIC has mandated no internal
    node names on business cards.
    
    Point 2: Electronic mail addresses that follow point 1 are OK.
    
    So the only problem is to come up with an addressing scheme that
    our mail gateways can use that don't require an internal node name.
    Once that is done, everyone can be happy.  You can put your (sanitized)
    E-mail address on your business card and still satisfy the CIC mandate
    of no node names.

re: .93, and others
Gateways, ELF, and all sorts of important infrastructure services have been
living on a shoestring for years.  "Just hve the network strip off the internal
routing information".  Right.  Now, who is going to provide the funding for
the software development?  Who is going to provide the hardware to run it on?
And the maintenance?  Spring some funding, THEN we can talk about this.  Until
then, this sounds like the typical smoke blown by politicians.  I'm surprised
there hasn't been a proposal yet to create a "blue-ribbon panel" to investigate
the issue.
						-- Jerry

Re: .93
    
>      Once that is done, everyone can be happy.
    
    People are making rubber stamps, printing their own (guilty), and being
    unhappy, because "that" ISN'T done. 
    
    I suggest that you and Mr. Kusekoski are missing a point: enforcing the
    current policy, while useful alternatives are not in place and not
    99.9% reliable, is causing a business problem.
    
====              
         
    In the meantime, I'd like to know whether the compromise solution
    being proposed would work for me.  But I don't know a number of
    things on how MTS works.
    
    A question for anyone that does know: it's been asserted that should
    MTS addresses be allowed on business cards, it would be sufficent for
    internal use. Assuming for the moment that TIM LASKO@PKO will always
    find me on VIDEO--which is not today the case--would someone sending
    mail to TIM LASKO@PKO find me six months later, when our entire group
    moves to Westford (DSG)?   Would some kind of intervention on my part
    need to occur? 

>    I suggest that you and Mr. Kusekoski are missing a point: enforcing the
>    current policy, while useful alternatives are not in place and not
>    99.9% reliable, is causing a business problem.
    
Agreed.  In his lengthy exposition Mr Kusekoski made an assumption that the
MTS addressing will work for anyone.  THIS IS NOT TRUE. It cannot make any
distinction between two people having the same name at the same location.

Until there is some way of making that distinction (and making the finer
distinction of two people with the same name in the same group) it is not
a solution.

Perhaps some of the people alleging network addresses to be a security risk
could explain carefully what seecurity loophole they open up.

Jeremy Barker
NAC Diagnostic Engineering, Reading, England

(REO2-G/K3 - but JEREMY BARKER @REO is a different person)

RE: .93
       
       	RE: your "Point 1:"  This is DEC. Just cuz some panel has
       	mandated something doesn't mean it's right and we should blindly
       	follow them. In DEC you can argue the point and if your point
       	makes more sense then you'll more than likely win. (And then
       	be tasked with carrying it out.. :-))  We are argueing
       	the point now and frankly, the arguements from the other
       	side (no addresses) haven't convinced me in the least.
       
       							mike

RE: < Note 174.97 by AXEL::FOLEY "Rebel without a Clue" >
       
>      	RE: your "Point 1:"  This is DEC. Just cuz some panel has
>      	mandated something doesn't mean it's right and we should blindly
>      	follow them. 
    
    Exactly.  _Continue_ to argue the point (and I hope your side wins).
    But at the same time work on a solution that would satisfy everyone.
    I didn't say the the CIC was right in their decision, just that
    we ought to be able to come up with a technical solution to their
    perceived "problem" with node names on business cards while still
    allowing useful electronic mail addresses to be given to outsiders.

        Re: .98
        
>    I didn't say the the CIC was right in their decision, just that
>    we ought to be able to come up with a technical solution to their
>    perceived "problem" with node names on business cards while still
>    allowing useful electronic mail addresses to be given to outsiders.
        
        It doesn't make sense to jump in and solve a `problem' just
        because someone says there is a problem.  DEC does not have
        infinite resources, and there are many things that we could or
        should do.  We need to determine if there actually is a problem
        before we waste resources to solve it.  (And finding a good
        solution would not be simple, either to design, implement, or
        manage.  Previous replies have mentioned some of the problems
        that will arise.) 
        
        To investigate the `problem' we first have to find out what the
        `problem' is.  Reply .85 doesn't say what the problem is, it
        just mentions that `hackers are out there'.  That just seems
        like a scare tactic. 
        
        .85 mentions ELF as an alternative to using internal addresses
        on business cards.  But, as I mentioned in .71, if ELF exists
        then it doesn't matter that the internal addresses are on
        business cards.  If someone doesn't have EasyNet access
        knowledge of an internal address is useless, and if an intruder
        has EasyNet access then they don't care if the address is on the
        business card because they can use ELF to determine it anyway. 
        
        					B.J.

    	Something for CIC to read when they are discussing this:
    
    	"Remember, all security improvements include a cost to the site.
    The cost may diffcult to measure in dollars and cents, but it will
    exist.  Some security enhancements may slwo down access to data,
    thus delaying your staff in their routine tasks...."
    
    	"As you think about your security needs, be realistic.  Security
    is an emotionally charged topic.  It is easy to justify security
    measures.  *In fact it may be too easy.* [emphasis mine]  You may
    become so overzealous in the pursuit of system security that you
    adopt too many measures.  The most secure systems are predictably
    the hardest to use and the least friendly to users...."
    
    Source? 
    
    
    Guide to VAX/VMS System Security
    p 1-10.
    
    	
    	Part of the "being realistic" in this case, is understanding
    that with a 6 character node name that are a limited number of
    permutations available for node names.  With the address sapce filling
    up, it's a good bet that *any combination* of letters and numbers
    is registered.  "Real words" are almost a sure thing.  (You don't
    believe me?  *You* try coming up with a node name that hasn't taken
    yet!  We had to go through dozens of names before comgin up with
    one that wasn't taken.  (And these weren't your mainstream names
    either.) 
    
    	When I have the time, I'll look up and type in some references
    on the foolhardiness of counting on the hacker's ignorance to keep
    you safe.
    
    Tracey Heffelfinger 
    
    (BTW I'm the author of our local policies and procedures for system
    security, so I definately have sympathy for the idea of secures
    systems.  I just feel this is the wrong implementation.) 
                                           

    Re:
    < Note 174.99 by ULTRA::HERBISON "Less functionality, more features" >

    				.
    				.
    				.
        >.85 mentions ELF as an alternative to using internal addresses
        >on business cards.  But, as I mentioned in .71, if ELF exists
        >then it doesn't matter that the internal addresses are on
        >business cards.  If someone doesn't have EasyNet access
        >knowledge of an internal address is useless, and if an intruder
        >has EasyNet access then they don't care if the address is on the
        >business card because they can use ELF to determine it anyway. 

        This is not quite the case.  It is possible to send mail back
    and forth to folks at other institutions who do NOT have access
    to the Easynet.  How? Through one of several mail gateways to networks
    such as InterNet, Usenet, Etc.  Thus people on "the outside" (say
    an an educational institution) who had your internal address could
    send you mail, but they can NOT access systems through the gateways.
    The gateways are strictly mail-routing. So being able to utilize
    internal addresses does NOT necessarily imply being able to infiltrate
    the Easynet.
    
    Kevin

    I wanted to leave one more note here before I go off to try to work
    some of the issues mentioned in the replies which precede this one. 
    
    As my colleague from ODIXIE notes, the policy has been implemented,
    right, wrong, or indifferent.  It was handed to me, just as it was
    handed to you.  It does not reflect any personal bias on my part, and I
    lose sleep over some of the aspersions being cast on my intelligence
    here!  You are beating up on someone who is earnestly trying to solve
    some problems for Digital, and this is most discouraging. 
    
    This policy was not implemented by "some panel", but by a subcommittee
    of the Executive Committee.  That's Ken Olsen and his direct reports,
    folks.  My belief is that they do not do things without (what they feel
    are) good reasons.  If you are confident that you do not have to do
    something just because they say so, you probably have better alternate
    sources of income than I do. 

    It falls to DIS, and hence to me, to try to make some of these policies
    work.  In spite of your doubts regarding my personal motivation, I
    really am trying to find solutions which make at least most of the
    people with real business needs happy.  I'm not a guru in these areas.
    I'm just trying to help the business run. 
    
    Deleting the policy, as some people have suggested, is certainly one
    alternative.  It may come to that.  I may even back your position to do
    that.  For now, however, it has not been proven to the Executive
    Committee that their directions should not be followed. Until we've
    given their ideas a fair shot, I'm not ready to put my paycheck on the
    line to convince them otherwise.  Since I'm not as expert in computer
    security as some of you, I'm the wrong one to lead the charge on this
    anyway. 
    
    Those of you who are experts on system and network security should
    contact our corporate security folks in Parker Street and help them
    understand why the issues they perceive are not real.  I'm not being
    flip when I suggest this -- if they need to be educated, help them out.
    Do not, however, look for any dissertations on this subject in VAX
    Notes conferences.  If the network *IS* at risk, this would not be the
    most prudent thing to do. 
    
    So my plan as I leave this conference is:
    
    Get the policy amended immediately to permit electronic mail addresses
    on business cards that do not disclose internal node names.
    
    Pursue answers from the Digital Telecom people on:
    
    	Why MTS doesn't work for everyone as advertised;
    
    	Availability and solidity of ELF (which should, by the way, not
        need to include nodenames if MTS works right);

    	Willingness to fund "buffered gateway" development.

    Ciao, folks.  It's been real....
    
    gk

        Re: .101
        
        Sorry, I wasn't clear.
        
        What I meant to say:  If someone doesn't have EasyNet access,
        knowledge of an internal address *does not help violate the
        security of the node mentioned in the internal address*. 
        
        On the other hand, if an intruder has EasyNet access then they
        don't care if the address is on the business card because they
        can always use ELF to determine the internal address.
        
        					B.J.

    There has been a lot of repetition here. I'd like to suggest that
    if people don't have anything new and original to say about this
    topic that they don't say anything. Perhaps someone would like to
    start a separate conference so that all the rat holes can be followed.
    
    In the mean time, I suggest that anyone who has a business problem
    with the policy pursue it up their management chain. If you're
    particularly bold and upset I believe that John Sims mail stop
    is in ELF and the phone book. Little will be accomplished with
    more circular arguments here.
    
    		Alfred Thompson
    		Co-moderator HUMAN::DIGITAL

1.  Note that anyone with a PC and a modem can grab several hundred
    node names by dialing every number in (617) ...... and looking for
    a connection.  If you get lucky and find a LAT, it isn't much work
    to do "SHOW NODES".  So, we shouldn't assume that, just because we
    don't publicize "internal node names," they aren't already visible.

1a. Many people have registered their workstation under their own name.
    This offers the penetrator an excellent opportunity for linking
    individuals with nodes, even if the corporate "no internal node
    names" policy is implemented.

2.  There are a number of people who receive mail on nodes that they
    don't have accounts on.  One of these nodes is the Dec Internet
    router, decwrl.  This leads me to suggest creating a central
    mail-router (call it DIGITAL::)  There are no user accounts on
    this node.  All Dec employees have "mail forwarding" logicals
    setup.  Then, I can tell external people to send me mail at
    "martin_minow%digital.dec@decwrl.dec.com" and DIGITAL:: will forward
    it to nm%thundr::minow (which will forward it to nm%may20::minow).
    This can be made to work today with a minimal amount of work.
    (Assuming, of course, that MAIL can handle 200,000 "set forwards")

Martin.

    The thought just occurred to me:  Could it be that KO and friends
    are *embarrassed* by our internal nodenames?  Some of them are
    certainly avante garde, considering the new "corporate" image
    we are trying to project ...
    
    Martin's suggestion in .-1 is certainly feasible and the most
    easily implemented.  Just come up with a couple of million dollars
    (transfer cost) for some 87xx clusters to do mail redirecting
    for the 55,000 (I'm quoting old figures here) registered MTS
    mail users.  The software to do it would be non-standard of
    course, but it would be minimal in comparison to some of the
    other solutions in terms of user impact.

    It's got my vote!
    
    Geoff

    re : node names.
    
    An outside contractor at NASA put together a project for the R&E
    group on site, which was to be on the JESNET (sitewide ethernet).
    Internally, they named the nodes Huey, Dewey, and Louey, intending
    to change them after connection onsite.  NASA management liked the
    names so much they refused to have them changed and even sent a
    nice letter to the company for their innovative way of grouping
    in a "memorable fashion" the related systems.
    

    Well the   meeting   of   the  Corporate  Identity  Committee
    subcommittee  of  the Executive Committe was to meet on March
    1st   (last  Tuesday)  and  discuss  this  issue  until  some
    resolution was achieved.

    Can our  fellow  noter, who is a member of that subcommittee,
    report on the outcome?

    Well the partial results are in, sort of.

    I gave  Peter  Phillips  a  call  yesterday  to  find out the
    results  of  the  latest  meeting  of the Corporated Identity
    Committee (CIC) subcommittee of the Executive Commmittee.  It
    appears  that  progress  is  being  made.   From what I could
    discern, the CIC now believes that there is justification for
    putting  e-mail addresses on business cards.  That's the good
    news.   The  bad  news  is  there  is still a perception of a
    security problem so we can't do it.   

    In my latest call, I again tried to find out what the alleged
    security  problem was but to no avail.  Also no avail finding
    out  the  name  of  someone  who  thought they understood the
    alleged problem.

    It seems  where  it  stands  now is that a corporate security
    person,  Mr.   Humphrey, and a person who has something to do
    with the mail system, Bill Cross, are invited to the next CIC
    meeting  to  provide  input.   Input on what was unclear.  It
    seemed  for  part  of my discussion, unfortunately, that Mr's
    Cross  and  Humhrey  were  being asked to comment on proposed
    solutions  to  problem  that  was not yet defined.  But Peter
    assured  me  that  they were also being asked to determine if
    there  was a problem.  Peter also mentioned that he would ask
    John Simms (CIC Chairman) if they (the CIC) might not want to
    invite a computer security specialist to the meeting as well.
    Sounded like a good idea to me.

    re .-1:
    
    Ray Humphrey is Director of Security at Digital.
    Bel Cross is in charge of all information systems at Digital.
    John Sims is VP of Personel, etc., at Digital.
    
    The above titles are not quite exact, but about right. The spellings
    and jobs are correct. They are the right "top level" people to address
    the issues around system security. They consistently solicit input
    from the technical experts, especially on system security matters.

In the latest issue of the Digital Technical Journal.  The publication 
information contains instructions on how to contact the editor,
including ENET and ARPANET addresses.  Isn't DTJ an external 
publication?  Could business cards be just the tip of the iceberg?

        Many Digital Employees communicate with Customers etc through
        the ARPA and Usenet Gateway. As soon, as one has communicated
        with  someone outside, the return address is divulged. 
        
        THe only way that I can see a security risk is if I sent mail,
        fred customer at local U. and he noticed that I am on node
        bunyip. SO one day, when He is at a dec training course, He
        goes somewhere he shouldn't ( which is hard in our training
        facility), finds a terminal and tries a connect bunyip.
        
        He knows there is a quodling account on bunyip, and so will
        try to break into it. He will have no more success than anyone
        internal to digital who would try to break in.
        
q
        

    Re: .49 (way back there)
    
    > I'm told by DIS that MTS addressing will reach any employee,
    > world-wide, and now including that last bastion, Spitbrook Road.
    
    All of my attempts to reach Peter Phillips of the CIC via MTS have
    been rejected as "unrecognised recipient". (note lack of
    internationalization of the error message as well :-)

	If divulging node names is a security risk, why don't
	we change node names every time a system has been hacked ?

	And a humble suggestion, why not use automatic password
	creation to make up new node name, just to avoid something  
	obvious like HUMAN ?


    

Re. < Note 174.114 by BISTRO::WLODEK "W.Stankiewicz, Comms support, VBO" >

>	If divulging node names is a security risk, why don't
>	we change node names every time a system has been hacked ?
>
>	And a humble suggestion, why not use automatic password
>	creation to make up new node name, just to avoid something  
>	obvious like HUMAN ?

Cut me a break! Why don't we automatically change everything once a
week. How about our user names? Make them non-phonetic so it will be
hard to figure my name out. Same with node addresses and passwords.
This way Digital equipment and its employees can spend the rest of
their working days trying to get work done.

Take a clue... The more secure a system is the harder it is to get
real work done. There is no such thing as a "completely" secure
system. To get a "reasonably" secure system is not too hard and the
cost is small. It's covering that last 1% that creates unreasonable
cost and maximal problems for all users.

    
    Cut me a break you too ! I was just kidding.
    
    					(.- wlodek .-)

Not to beat a dead horse, but the Enet and Internet address of the editor
is prominently displayed in the slick Digital technical magazine.

Martin.

                                         Date:      5-Apr-1988 11:16am EDT
                                         From:      MIKE CONNOR @VRO 
                                                    CONNOR.MICHAEL AT A08 AT RELIEF AT VRO 
                                         Dept:      INFO SECURITY PROGRAM
                                         Tel No:    273-3422

TO: See Below

Subject: (I) NODE NAMES ON BUSINESS CARDS



        At the Corporate Identity Committee (CIC) meeting this a.m., it was
decided that Internal Node Names will not be permitted on Digital Business
Cards. External Electronic Mail Addresses will be permited. A communication
from the CIC will be forthcoming.

        Rational:
        
        Business Cards are for external use in a business context and the CIC 
wants to ensure our Business Cards have a professional image, which means
no internal information: DTN, Badge#, Node Name etc.

        Until our Internal Electonic Mail Address becomes our External
Electronic Mail Address, Node Names are sensitive information. By providing
blanket approval for dissemination of Node names to the outside world, we
have the potential of loosing our legal right to protect our intellectual
property.

        From a Security Viewpoint, we have the option to be even more
restrictive (i.e. make the Node Name itself classified). This step however
would severely impact individuals who need to communicate electronically
external to Digital outside of Commercial Mail Gateways. The view expressed
by John Sims, Bel Cross and Ray Humphrey is to permit individuals to
communicate their Internal Node Address, informally, as a business and/or
technical requirement.

        Bottom line: No change in existing policy. External Mail Addresses
can be used like FAX and Telex.

    First, thanks for posting this. However, I'm astonished that a memo
    this important cannot use clear and precise English. 

>    Bottom line: No change in existing policy. External Mail Addresses
>    can be used like FAX and Telex.
    
    The word "like" in this sentence can have two meanings: "such as
    FAX and Telex numbers", or, "in the same way that FAX and Telex
    numbers are permitted".                              
    
    I believe it can have two meanings because of the distinction made,
    earlier in the memo, between "Electronic Mail Address" and "Node Name".
    Since "Internal Node Names" are prohibited, but "External Electronic
    Mail Addresses" are not, the only address I know of that falls into
    that category is my Telex address. 
    
    Hopefully the official communication from the CIC will be clear
    and specific.

    I'll add that I've sent an electronic mail message to the author
    of the message in .118.  I hope that my VAXMAIL -> MTS connection
    will work this time.

    Does this mean that I can put something like:
    
    	Jackson%pravda.dec@decwrl.dec.com
    
    on my business card?  It's my "external electronic mail address"
    
    
    -bill

RE: < Note 174.118 by BUSY::KLEINBERGER "Vivo, ergo sum" >
                             -< More information >-
>            Until our Internal Electonic Mail Address becomes our External
>Electronic Mail Address, Node Names are sensitive information. By providing
>blanket approval for dissemination of Node names to the outside world, we
>have the potential of loosing our legal right to protect our intellectual
>property.

    They CAN'T be serious.  That is like saying that public printing
    the US Snail address of DEC facilities has "the potential of loosing
    our legal right to protect our intellectual property" because we
    disclosed where we store the paper copies of all that intellectual
    property.  Shakespeare was right.

    Charlie

I guess we'll have to strike the location and mail stop fields
from the cards next, because invaders can use them to find and ransack
my desk after they break into the building.
Then my phone number, because it could be tapped.
Then my name, because they might call me at home.

Reductio ad absurdum?  Perhaps, but "absurdum" seems an apt description
of the controversy in this matter.

Do I understand correctly that FAX and TELEX numbers
don't clutter a business card but net addresses do?
Are these people afraid that punctuation offends people?
Are we really regressing to the point of protecting form over function?
Of being more careful about how good we look than over how good we are?

This used to be just silly, but it's worse and more serious than that.

- tom powers]

    
    I can't understand the reaction to the posted policy. As someone
    who has had quite a few late nights and con-calls with people I'd
    really rather not be talking to because of security problems I'd
    rather be safe than sorry!
    
    You can't compare external addresses and mailstops to node names.
    Node names provide any hacker who manages to penetrate the network
    with "starting points" including physical locations (usually) and,
    even more important, possible usernames. The difference between
    node names and external mail addresses is that most external mail
    links aren't DECnet connects and don't provide "general" purpose
    access such as Set Host and File Xfer. They should have been "secured"
    before being approved for general use.
    
    And providing your address for USENET may not be violating the letter
    of the law but it's certainly violating the INTENT!
    
    -Ray
    

        Re: .124
        
>    You can't compare external addresses and mailstops to node names.
>    Node names provide any hacker who manages to penetrate the network
>    with "starting points" including physical locations (usually) and,
>    even more important, possible usernames. 
        
        Yes, you can compare mailstops and external addresses.
        
        Mailstops provide physical locations (usually) can provide
        starting points, the name on the business card provides 
        possible usernames.  To be consistent, you need to remove
        both the name and mailstop if you are paranoid.
        
        Also, excluding the electronic mail address does nothing
        to protect against someone who manages to penetrate the network--
        they can get the information in the electronic mail address
        from ELF.  [I've mentioned this in at least two previous
        notes in this discussion, maybe you weren't paying attention.]
        
        					B.J.

    I mentioned in .120, that I sent a polite message to Mike Connor
    asking him to clarify his mail message, specifically whether external
    electronic mail addresses which must contain an internal node name
    are prohibited.  His reply follows...
    
From:	FACMTS::FACMTS::MRGATE::"PKOMTS::RELIEF::A08::CONNOR.MICHAEL"  7-APR-1988 11:41
To:	MRGATE::"VIDEO::LASKO"
Subj:	RE: Re your memo re CIC decision on electronic addresses on business cards

From:	NAME: MIKE CONNOR @VRO              
	FUNC: INFO SECURITY PROGRAM   
	TEL: 273-3422  VRO3-3/B9  <CONNOR.MICHAEL AT A08 at RELIEF at VRO>

        My understanding is that Internal Node names will not be permitted, so 
the use of an external address which also requires the use of an internal node 
will not be allowed. I agree that it is important that the policy not be 
confusing. We will be getting a copy of the CIC statement prior to publication, 
which I will forward for comments.
    

    
    re .125;
    
    Agreed that once you penetrate, ELF provides all that information
    and more. The issue is the initial penetration - I believe that public
    nodename/username pairs make that much easier.
    
    And yes, taking off the persons name and address would reduce risks
    even more. However, there's the law of diminishing returns. What
    you'd lose doing that is somewhat more than what you'd lose removing
    nodenames. And you gain more by losing less - seems like a win to
    me!
    
    -Ray
    

  If knowledge of a node name is that great a security threat, then
  shouldn't node names of the form <site-code>Vnn be forbidden?  Or
  we should forbid users of such systems to put their mailstops (which
  of course include the site code) on business cards...

  JP

       RE: .126
       
       	If "an external address which also requires the use of an internal
       node" is verboten then WHAT do we put on our cards?  Nothing that I
       know of anyways.. 
       
       	Sigh...
       
       RE: facVxx nodenames.
       
       	Good point.. All you need is the GIA naming scheme and you're
       chock full of nodenames..
       
       	Myself, with a name like FOLEY, anyone who has half an imagination
       would and has seen Beverly Hills Cop would attempt to look for
       AXEL::FOLEY.
       
        Security IS a big issue. I just wonder who paranoid things are
       gonna get?? (lock up your systems in concrete bunkers with NO 
       access in or out unless you pass a retinal exam)
       
       							mike

    Re: .129
    
    Telex, FAX, MCI Mail(R), etc., would be suitable, not that they're
    particularly useful.
    
    The point is that we now know what the policy is (will be), so that
    much is clear.  

I spent two years working at MCC, which (at the time) was run by Admiral Bobby
Inman (ex NSA, CIA, and Naval security). We weren't even allowed to have our
individual phone numbers on our business cards, just the corporate phone number
from which the operators would transfer you to the right extension. Even there
we could give an internet address, because MCC spent the time and money to build
a gateway, which had the internal address of every single employee, and
re-routed the mail to the correct node. The mailer even stripped off local node
identification when sending to the outside, so that I wasn't
"hetrick%bubba@mcc", but simply "hetrick@mcc.arpa". It's feasible to do this at
DEC, if we really want to be that security-concious, but the corporation has to
make the committment to spend the money, including the problem of dealing with
multiple employees with identical names (MCC actually had two James Miller's --
they solved it by having a Jim Miller and a James Miller, as I recall, but with
a VP named Jack Smith, I don't think we want to depend on other JSmiths
rerouting his mail). 

If the corporation is serious about security, the problem can be solved. If not,
all that is accomplished is to make us look foolish in front of customers to
whom security is important -- the current policy simply announces our lack of
ability as a company. As an employee, I resent that, since I know we can do it. 

       RE: .130
       
       	To quote your personal name "There are no temporary
       workarounds..."  This is so true in this case. What we have here is
       a temporary workaround done policy style. It says "You can do it
       but you can't".. This satisfies (sort of) the people who want the
       addresses by formaly recognizing them but offers NO way to comply 
       (technically and feasibly) with the policy!
       
       	Similar to what .131 said, unless DEC provides the bucks to do a
       proper gateway then we look foolish to those customers who think
       (thought?) DEC had its sh_t together when it comes to networks.
       This is embarrassing...
       
       
       							mike

    Well, if it's becoming clear that CIC meant what they said, then
    shouldn't we point out to Sims, Cross, and Humphrey, who stuck to
    their guns on the security issue, that to be consistent with the 
    intent of the "no external disclosure of node names" policy, some 
    things ought to be done about the gateways?

    1.  Mail going out through the gateways must hide the node name.
    2.  To facilitate replies and mail originating from outside our
    	network, there must be a way to send mail into the network 
    	without using internal node names.

    At the end of Mike Carter's memo quoted in .0, it was stated that
    "Gateway addresses are allowed and recommended because of business
    reasons."  Latest memos seem to indicate that gateway addresses
    must not have internal node names embedded.  In order to make this
    reasonable, we must have gateways that can handle mail in both
    directions without use of internal node names in gateway addresses.
    If the corporation is serious about the CIC policy, somebody had
    better fund the development of a gateway that can do this.
    
    The technical implications are non-trivial.
    
  --Simon
    

    [I was hoping that, someday, someone would realize the subtle truth
    behind my personal name.  Now I'll have to change it.  :-)] 
    
    Somebody about fifty notes back mentioned that all of the arguments had
    been argued in this conference, so I'm falling back on sending polite
    messages for more explanation.   I sent the following last night.
    Perhaps it will be answered. (Perhaps others could do the same?) 
    
    Mike,

    Thanks for taking the time to clarify your memo.   Unfortunately,
    I confess that it leaves me somewhat confused.
                                                                   
    Based on your clarification, I'd like to convey my further concern
    that the CIC communication be clearer on the nature of the
    sensitivity of internal node names and the threat to our legal
    rights to protect our intellectual property.   This can only aid in
    understanding the policy, especially by a highly technical and, 
    unfortunately, skeptical audience.
    
    Further, it appears to me that these related concerns must be
    addressed in light of the upcoming policy communication. I suspect
    that these issues weren't addressed by the CIC, however, it seems
    likely that this is the further responsibilty of your department in
    consistently applying the philosophy behind the CIC policy decision. 
    
    - It is common practice to include external electronic mailing
      addresses when posting messages to the relatively public USEnet 
      electronic bulletin boards--I just did this myself a few moments ago. 
      Further, the internal node name can be extracted from the message
      whether it is supplied or not.
    
      Is it possible to limit this practice and/or behavior without
      impacting employees whose jobs depend on this method of business
      communication?
                                               
    - In many of our recent non-internal technical publications (the
      most recent Digital Technical Journal is an example) a number
      of ARPAnet addresses are given, which contain internal node names.

      Should this practice be stopped?  If so, what equivalent
      electronic address can be put in its stead, today?
    
    - In your memo you stated, "until our Internal Electronic Mail
      Address becomes our External Electronic Mail Address, Node
      Names are sensitive information." 
    
      What resources are being directed toward meeting this goal
      to eliminate the risks?
    
    I look forward to a clear communication from the CIC, and answers to
    the above additional concerns. 
    
    Thank you for your time.
    
    Timothy Lasko
    DSG Terminals Architecture
    

    [Re: .134]:  Troublemaker.   8^)
    
    If just knowledge of node names is sensitive, are we not already in
    trouble?  With over 25,000 Easynet nodes, it has become very difficult
    simply to think of an English word of 1-6 characters that someone
    hasn't already used.  I know--we wanted to name all our workstations
    after typefaces, only to discover that many of the good ones were
    already taken.  
    
    Last I checked, STEVEN was available; I read about someone with a
    vanity license plate of STUPID (the man was a longtime MENSA member,
    you see), and saw that STUPID was available (though GENIUS is taken).
    But the namespace is filling up, as I'm sure you know.  In fact, I
    challenge anyone to come up with a list of ten English words of 1-6
    characters, none of which are already Easynet nodes.  Unless you
    check each one out first, I'll bet you'll hit three or four real
    nodenames.
    
    Does this imply we should rename all our nodes to meaningless codes?
    Gee--sounds like I*M.... 8^( 
    

    25,000 is nothing compared to the 300-plus million combinations
    of A through Z.  You just have to apply some imagination:
    
    THORN ETH TIMING DENTAL RUDE STIGMA SCHWA VOICED VELAR TRILL 
    (not to mention, LASKO)

     Well, if the  Nodenames  are  "TOP  SECRET  DEC  PROPRIETARY  INFO",
     someone should tell the  CIC  that  all  numbers >1024 **>MUST<** be
     similiarly classified!
     
     My NODE is **>NOT<** SAFETY, but  it  REALLY  is  5167!!  [SAFETY is
     5.47. 5 * 1024 + 47 = 5167.]
     
     Computers  don't  really  understand   our  Nodenames,  but  have  a
     translation database to a numbering  scheme which tells it WHERE and
     WHICH Node it really is.
     
     One  could probably try any Node #  above  1024  as  xxxx::SMITH  or
     xxxx::JONES and get a "hit" the majority of times!
     
     The only thing that this policy proves is  that  the CIC has no idea
     how computers operate or how our network operates!
     
     This is sheer idiocy.  I am all for  security,  but  we  are  in the
     typical  government  mode  of  classifying  "blank pages" with these
     types of policies.   The  CIC's explanation of how we could lose our
     patent/copyright rights by listing a  NODE::NAME  on a business card
     should be quite amusing.  The  NODE::NAME  is  {probably  - standard
     caveat,  I am not an attorney} the  legal  equivalent  of  Name  and
     Street/City Address or Name and Phone Number!  
     
     The  CIC  is  taking  the    usual  government  approach,  when  the
     issue/answer might be politically embarrasing, just "classify" it as
     a "National Security" issue.

    I think it's important to be careful who we criticize: from what I
    understand, the CIC believes that internal addresses look
    unprofessional on business cards.  It may be that they wouldn't
    normally have a problem with external mailing addresses - in fact, I
    recall an earlier note stating that. 
    
    I don't think that this is particularly unreasonable policy; after all,
    an external address is sufficient to give information and "impress"
    our customers, and we certainly don't need to impress each other. 
    (If you disagree with that, we can start another note about what
    impresses customers - I don't think that is the real issue here.)
    
    However, it appears to me that it is only the information security
    people who are claiming that there is a threat in an internal node name
    being present on a business card, even in an otherwise professional
    context.  The CIC is no doubt going to take the word of the IS people,
    it's these people who we would like to explain their position, and/or
    take action to enforce it uniformly. 

        Correct me if I am wrong, but doesn't the header information
        of all of the software products that we ship to customers,
        give information. As to the node, device and directorys, person
        etc. I may be wrong, I dont have an SDC Kit handy to check...
        I thought all products are built by the engineering groups
        and then sent to SDC. So we publish network details in our
        software kits.
        
        q
        
ie.
        Listing of save set(s)
	
	Save set:          SECPACK030.A
who>>	Written by:        SEC_KO      
	UIC:               [000012,000031]
	Date:               4-FEB-1987 18:03:01.69
	Command:           BACKUP *.*.0/EXCLUDE=(*.C,*.H,*.RNO,*.A,*.LIS,*.DIR) SECPACK030.A/SAVE_SET
	Operating system:  VAX/VMS version V4.5
	BACKUP version:    V4.5
	CPU ID register:   01843810
node>>	Node name:         _DRAGON::
dev>>	Written on:        _$1$DUA12:
	Block size:        32256
	Group size:        10
	Buffer count:      3

dir>>	[SEC_KO.SECURPACK.V30.BUILD]BUILD_DELETE_ALARM.COM;1        2  28-AUG-1986 14:34

    Re: .139
    
    You are 100% correct.
    
    			Steve

.137 actually has the solution:  The policy forbids the use of node NAMES.
I'm perfectly happy to have:

		LEICHTERJ%24799.DEC@DECWRL.DEC.COM

on my card.  See!  No node name!
							-- Jerry

PS:  re .139.  BACKUP savesets provide a LOT of information about internal
nodes, internal accounts, devices, and so on.  I reported this - I think I
may even have QAR'ed it - quite a while back.

    re .133:
    
    The correct "external" address should be via the routers. For example,
    the most reliable way to send me mail is (internally) to
    	MTS$"PKO::Peter Conklin"
    
    I am not sure what the external equivalent of this is. But that should
    appear on my business card. Then no security information is revealed.
    
    We do need to get the gateways or MAIL and A1Mail to use my site code
    for MTS returns rather than the node I happen to be mailing from.

    Re: .141   Jerry, that's inspired.  I wonder if it would pass muster....
    
    Re: .142   I tried for about fifteen minutes to get an external address
    that would eat mts$"PKO::Timothy Lasko" (and what it expands to), but
    I end up either putting VIDEO into the path (which is a no-no) or
    getting something that can't be parsed by VMS Mail. 
    
    Until someone can demonstrate a way to do this - this isn't a solution
    for people who would like to give out external mail addresses. 
    Until the resources are directed towards making it work, the
    current policy is, at best, annoying.
    
    I'll repeat my question from .95, since the subject was again brought
    up... 

< Note 174.95 by VIDEO::LASKO "There are no temporary workarounds..." >
                         -< rebut to .93; a question >-
    
    ...   
         
    In the meantime, I'd like to know whether the compromise solution
    being proposed would work for me.  But I don't know a number of
    things on how MTS works.
    
    A question for anyone that does know: it's been asserted that should
    MTS addresses be allowed on business cards, it would be sufficent for
    internal use. Assuming for the moment that TIM LASKO@PKO will always
    find me on VIDEO--which is not today the case--would someone sending
    mail to TIM LASKO@PKO find me six [three-TL] months later, when our entire
    group moves to Westford (DSG)?   Would some kind of intervention on my part
    need to occur? 

        Re: .142,.143
        
        	The point is moot because the Message Router product
        cannot deal with address strings with "@" signs in them since
        it uses this character to separate its own routing information.
        
        Message router will take the address "u1@nd1.ARPA"@DECWRL@MRGATE
        and change it to DECWRL::nd1.ARPA"::"u1 or some such nonsense.
        Too bad it doesn't know how to ignore strings in quotes.
        
       _Mike

    Face it, folks.  The safe, approved way for a customer to communicate
    with a Digital employee is through the U.S. Mail or via the telephone.
    It works for millions of people every day, and exposes no secrets.
    Perhaps our only problem is that we're spoiled. 

    	re .145  Spoiled ? Because we use the latest in communication
    technology ?
    
    I think that if we want to be perceived as being in the forefront,
    we have to look like we're used to being there. E-mail adresses
    on business cards tell outsiders "We use this stuff so often
    it's like another phone number to us. No big deal."
    
    And isn't that a confidence-builder ?

    re .145
    
    the world is a changing thing and if we want our computers to be
    a part of it, we have to show the world how they are used.  If not
    we can keep using outdated technologies until someone else comes
    along.
    
    Rob

>< Note 174.145 by DELNI::JONG "Steve Jong/NaC Pubs" >
>                           -< Solutions: USPS, AT&T >-
>
>    Face it, folks.  The safe, approved way for a customer to communicate
>    with a Digital employee is through the U.S. Mail or via the telephone.
>    It works for millions of people every day, and exposes no secrets.
>    Perhaps our only problem is that we're spoiled. 

     Face it, folks.  The safe, approved way for a customer to compute is
     with paper and pencil or maybe with a Japanese pocket calculator.
     It works for millions of people every fay, and exposes no secrets
     unless you press really hard when you write.  Perhaps our only
     problem is that we're spoiled.

                                   Atlant

        The way we should communicate with customers is the way they
        wish to communicate.  If they use the phone or mail, fine.
        If the have MCI Mail, they should be able to send to Digital
        addresses addressed through our MCI Mail Gateway to Message
        Router and our MTS network.  If they are technical enough to
        be on Internet/ARPAnet/Bitnet/USENET/whatever, we should give
        them the appropriate address by which to contact us.
        
        Since MANY of our (non-technical) customers have MCI mail accounts
        and we already have the software to bridge to MCI mail IN A
        WAY WHICH FOLLOWS THE NO NODENAMES RULE, we should do it.
        
       _Mike

    Re. 143
    
    For sites using the MTS Toolkit, all nodes containing ALL-IN-1 are
    polled and all accounts are then matched to an extract of the employee
    masterfile for the site (in the US).  This ties you to your ALL-IN-1
    account.  Those names on the emf extract which are not matched up
    with an ALL-IN-1 account get listed in the router to send mail to
    a facility printer where mail is manually routed via mailroom. 
    This is called print mail.
    
    The MTS administrator can manually add names or add alternate routing
    for employees at the site which do not have an ALL-IN-1 account.
    An example is to send MTS messages to the VMSmail user agent.
                                                                
    When you leave a facility, you drop off the weekly emf feed and
    therefore don't get an automatically generated router listing. 
    If you have been manually entered, the site administrator must manually
    delete you.  A reminder is sent as part of the weekly processing
    as to the names of all employees who departed a facility during
    the current week.
    
    If for any reason an MTS message cannot be delivered, a postmaster
    message is generated telling the sender why the message was not
    delivered.
    
    For MTS specific questions, you may check with the MTS notesfile on
    IAMOK::MTSNOTES.  Add it to your notebook by touching KP7 while reading
    this note. 

        Note 174.149 gives  the  impression  that  there  is a production
        gateway currently available between  MCI  Mail  and Digital's MTS
        mail network.  While testing  has  been  conducted  for  nearly a
        year, we have determined that this configuration doesn't meet the
        needs of our employees.  We will  instead  plan  to  offer  X.400
        messaging, described below.
        
        It  was  also  mentioned  in 174.149 that we  could  contact  our
        business  partners  if  they  had connections through "Internet/-
        ARPA/Bitnet/USENET/whatever".   However,  the  policies  of these
        networks generally prohibit  formal  business  correspondence  of
        for-profit organizations.  In  addition,  since many of the relay
        nodes donate their service, the  relibility and timliness of such
        channels for mail is insufficient for our internal needs.
        
        The  solution  which Digital Telecommunications (the organization
        which  runs  MTS) recommends is to implement X.400  messaging  to
        connect the Digital MTS domain to the outside world.    Mail will
        be  addressed and processed according to standard rules.  In  the
        US,  public carriers are just now planning to offer this service.
        It  is  already being offered in Europe where MTS in each country
        is implementing  a gateway to the country PTT (Postal Telephone &
        Telegraph administration).   In  the US, we are planning to begin
        testing the service with  one  or  more  public  carriers.   This
        service will operate similarly to  telephone  service in that the
        sender  will  bear the cost of  initiating  the  message.    Many
        administrative procedures have to be worked out.
        
        This technology is relatively new.    It was made possible by the
        CCITT  X.400 recommendations of 1984.   Software  has  only  been
        available in the last year.  And  public  carriers  are  just now
        making their announcements and signing people up.  Information is
        being  passed  down  to  the  MTS  organization  in  the   field.
        Questions    about   this  will  be  best  answered  by  the  MTS
        organization at  your  facility    or    through   the  notesfile
        IAMOK::MTSNOTES.

    

    Re: .150
    
    Thanks, Paul for a complete reply.  It appears then that for internal
    electronuic mail, our site administrator has to manually change our
    entries when we move, so there's no problem there.
    
    Unfortunately, according to .144 (Thanks, Mike), external electronic
    addressing with MTS addresses won't work.
                                               
    Now, X.400 addressing may be nice--by the way, how soon is "coming": a
    year, five years?--but that's a whole new networking world other than
    the one which exists and is functioning today, and may not be one with
    which I particularly need to communicate. (Feel free to correct me if
    I'm wrong.) 
    
    Therefore, we are still without a real solution to the problem of
    "officially" not being able to give out ARPA/Internet addresses with
    node names, and we still have neither a reason, nor a consistent policy. 
    
    For the record, Mike Connor still hasn't answered my follow-up letter.

re .145
    
        >>>    , and exposes no secrets.

        Now does it, personally I think that it would be more likely
        for someone to accidentally pick up hard copy and slip it into
        an envelope, without even realizing that they had done so,
        then to send confidential electronic mail.
        
        q
        

Re .153:

If you had used a mailer with the command:

SET DEFAULT REPLY (TO) {ALL|SENDER-ONLY}

you wouldn't say that.
				/AHM

Re .153:

P. S.  I wonder if everyone who sprays out-of-context secrets to the VMSTEAM
mailing list realizes that it goes to a lot more than just people who work on
VMS?

    re:.151
    X.400 will right now connect a handful of internal users with gateway
    arrangements to the handful of external users of X.400-compliant
    mail systems with gateways.  Expressed as a fraction of the total
    E-mail community reached through non-X.400 gateways, you probably
    need scientific notation with a negative "E".
    
    Not to mention that public X.400 networks tend to charge per message
    while our other gateways are ad-hoc and cheaper.
    
    Gateways are only useful when two can tango.  Right now the outside
    world uses UUCP and SMTP, with a handul migrating to X.400.

    Hmm, it's been just over two weeks--
    
    Has anyone seen the official CIC communication?  
    Has anyone heard anything from the Information Security Program? 
    Has anyone seen funding of an external mail gateway project?
    Has anyone seen consistent enforcement of the internal node name
     secrecy act?

    Looks like we can all remove the electrinic mail addresses when
    we redo our business cards to change the area code.
   

        Heck, I just got new business cards (a side effect of a move
        from MKO1 to MKO2), and not only do the new ones not have an
        address by which I can be reached through the gateways (you
        pick the gateway), but they DON'T EVEN HAVE MY MAILSTOP!
        
        This is ridiculous.
        
        Tom

    We're working our way towards a blank (DEC-color) card with a badge
    number in the middle of it.
    
John

       
       	RE: .160
       
       	Oh NO John, we CAN'T put the badge number!!! THAT'S ANOTHER
       breach of "security"...
       
       	RE: .159
       
       	That IS ridiculous.. Mailstops not allowed now?  FWIW, I purposely
       	left mine off cuz I knew I was moving but disallowing it is
       	crazy..
       
       	Next thing you know we'll get a DEC color card with our initials
       	and maybe a digital logo and a comment "Ask me for details...
       Security reasons forbids me from having them printed"
       
       							mike

Have two sets of cards made up... One for internal contacts, and one for 
customers!   8^)

        On the one hand, I never said I was not allowed to have my
        mailstop on my card.  On the other hand, it was on the form
        that was submitted to get the cards printed -- I did not ask
        that it be left off the cards.  Who knows?
        
        Tom

    I just got my new cards and they do have my mailstop on them. Should
    I keep quiet about this ? :-))
    
    Jon

    Re: .164
    
    Jon, I heard that.  I'm reporting you to the Business Card Police!
    You can't keep secrets around here, don't you know that yet?
    
    BTW, just as a general comment (not towards you, Jon), I think having
    the mailstop makes sense.  I always indicate it as part of my address,
    just makes life easier for the mailrooms.  I *do* think that DTNs
    and E-net information is inappropriate, but a mailstop is just another
    identifier for people sending mail.
    
    Bearly,
    

    
    Of course, considering the amount of moving Digital employees/groups
    do...
    
    However, I guess the outside address changes just as often so it's
    a wash if most of the moves are between facilities.
    
    -Ray
    

          <<< HUMAN::DISK$HUMAN_WRKD:[NOTES$LIBRARY]DIGITAL.NOTE;1 >>>
                          -< The DEC way of working >-
================================================================================
Note XXX                    New business cards                      No replies
IAMOK::DEVIVO "Paul DeVivo @VRO, DTN 273-3166"       27 lines   1-JUN-1988 08:29
--------------------------------------------------------------------------------

    I know bits and pieces of this have been discussed elsewhere in
    this notesfile and in other notesfiles, but think it needs some
    more airing now.
    
    It has been announced that with the split in the Eastern Massachusetts
    617 telephone area code the business cards of 30,000 DEC employees
    will become obsolete overnight (mid-July).
    
    Based on experience of someone in my department, the printer(s?)
    have a directive that there will be no
    
    	a. DTNs
    	b. Electronic mail addresses
    
    allowed on business cards.  The printer simply ignores what you
    type on the ordering coupon.
    
    You all should know this.
    
    Now, there needs to be a work around for special cases.  How is
    that accomplished?  Does anyone know how to instruct the printer
    that it's OK?  Whose approval is required?
    
    I can't speak about justifying the DTN, but I am interested in the
    case of an external electronic mail address which does *NOT* include
    a node name or number.  I'm speaking of either an MCI Mail number
    or an X.400 electronic mail address.

    re: .167 "how" - Have your own printed.
    

        That would be real easy if our laser printers could handle
        adequate card stock (and heaven forbid) we had a color postscript
        engine... 
        
        Back over to you, Print Engineering person... :-)
        
        q

    I do print my own BUT they're black and white and have to be chopped!
    
    I ment, "go to your own printer" and ask your Cost Center for
    petty cash reimbursement.
    
    	:-)
    
    

re: .169

LN03s will quite happily handle card of a suitable thickness.

The best way though is to go directly to a printer as mentioned in .170

jb

The following business card sample was taken from the X.400 Gateway Registration
Application Form -- apparently once you start paying $26/month to be registered
in the directory, you can put your X.400 gateway address on your card:

            +---------------------------------------------------+
            |                                                   |
            |                     Paul DeVivo                   |
            |                     New Products Service Manager  |
            |                     DT/Network Applications Group |
            |                                                   |
            |                                                   |
            |                                                   |
            |   +-+-+-+-+-+-+-+                                 |
            |   |d|i|g|i|t|a|l|   Digital Equipment Corporation |
            |   +-+-+-+-+-+-+-+   555 Virginia Road VRO5-2/D6   |
            |                     Concord, MA 01742-2727        |
            |                     508.371.5166                  |
            |                     X.400: C=us;A=mci;P=digital   |
            |                     O=digital;OU=admin;OU=dt      |
            |                                                   |
            +---------------------------------------------------+

Mine is G=John;S=Covert;C=us;A=mci;P=digital;O=digital;OU=eng;OU=segcad.

I'd still like to have covert@covert.dec.com on my card, too.  The back, maybe.

/john

Suppose the following scenario:
       
I order my business cards through office services and get the standard
business cards which meet with corporate guidelines.

I then take these cards to a friend who can do "letterpress" printing
and he prints on either the front or back of the card my ENET and DTN.

I then give these cards out to DEC employees as I travel through the
company. (I do not give these cards to folks on the outside.)

Have I just committed an action which can cause my employment to be
terminated? Some folks around me think that this might happen...

Rich (who hasn't actually done this yet)

    If a *good reason* for something can be explained/shown/justified,
    I can accept almost anything.  In reading this note and other related
    notes, I have yet to see anything even remotely resembling a "good
    reason" for this policy?
    
    Jon

    Not saying it's necessarily a "good" reason, but it helps to keep
    the easynet from attack if people do not have a node name at least
    to begin with.  Not saying employees would do this (although I'm
    sure it's happened), but you don't know where your cards you pass
    out end up.

    How does having a node name make the easynet more vulnerable to attack.
    I've not heard of any worm/virus/vandal programs that depended on
    knowing nodenames.  As others have pointed out, it's pretty easy to
    make up node names that are already in use.  I was sure I'd be able to
    get DUMMER, but no, someone had it, and I had to be satisfied with DUM.
    And, at that, the node names aren't "real" anyway, the numbers are, and
    numbers are dead easy to make up.  
                                       
    Leaving easynet-format addresses off business cards affords about
    as much protection as whistling Dan Tucker to a harricane, as my
    grandmother used to say.
    

    I've been following this subject (off and on again) for sometime...
    
    IMHO, having the Enet address on the Biz cards is really a good
    thing to do!  When I was working up at China Lake Naval Weapons
    Station, I instructed the sales folk on how they could send mail
    to their gov'ment customers through the gateway.  They didn't know
    we could do that, and really liked it (especially when playing tele
    tag...).  If our Enet address was on the card then it would certainly
    present an opportunity for better servicing the needs of our
    customers...
    
    As far as the security issue of not giving out node names, look
    in some of the documentation that is sent to customers...you'll
    find nodenames in them - so what's the issue then??
    
    Befuddled,
    
    Jp

Uh, could we get back to my question...

Could I get fired for doing this???	thanks

Of course not.  It takes a lot more than ignoring the Corporate Identity Manual
to get fired.

And besides, the answer I always got when I complained that people I met would
like to send mail via the gateway was "then write your gateway address on the
back."

/john

    It's my belief, Rich, that you would not be.  If Digital allows
    a X400 address to be used on bizcards, allows us to communicate 
    with the USENET community, allows us to put our site location on
    bizcards, sometimes publishes Enet node names in documentation
    subject to World distribution, ad infinum...; then I can't see
    how you would be violating _any_ trust!  
    
    Of course this is one voice in the Notes$wilderness, but it seems
    to me that "...if it's right, then do it!"  
    
    This policy needs review. While it may have been justified in
    some earlier time period, with today's ability to communicate to
    anyone who has a "mail link", it's not now.
    
    Cheers,
    
    Jp

>                    <<< Note 174.175 by VLNVAX::TSTARLING >>>

>    Not saying it's necessarily a "good" reason, but it helps to keep
>    the easynet from attack if people do not have a node name at least
>    to begin with.  Not saying employees would do this (although I'm
>    sure it's happened), but you don't know where your cards you pass
>    out end up.

This simply doesn't make sense. Digital employees are completely free
to publish their Nodename AND Username in a number of public, external 
places where they are read by an audience of tens of thousands.

USENET groups and RISKs digest are two places that immediately 
spring to mind.

If revealing a nodename is a risk of hacking, what's the risk of
revealing a username on that node too, and to a much wider audience.

Granted, USENET postings are justifyable and work related, here's a
few:
	comp.org.decus,	comp.sys.dec, comp.unix.ultrix, comp.os.vms

But it only takes a hacker to look in one of these public conferences
to get the nodename and username of someone within DEC who has posted
a note there.

How you can justify openly distributing this information in a
public place read by tens of thousands of people and you can't
justify putting it on a piece of card which has far less circulation
is a complete mystery to me.

In my opinion, this regulation has no sense in reality and does
little to promote security and detracts from our networking image.
How convenient it would be for customers to send in problems by
electronic mail, keep in touch with account managers by mail and
so on. Maybe that was expecting a bit much after all.

	Craig.

    re: .178 "getting fired"
    
    Let's put it this way:  If you get fired, you can take at least
    two Area Managers and four whole Corporate Account Teams with 
    you.  (this just by glancing through my card file)
    
    Geoff

    re .178;
    
    Just a further thought.  Would you really wnat to work for a company
    that would fire you over something this trivial?
    
    -dave

    Some of us deal with 95% internal people.  I always end up writing
    my node name and DTN on the card when I give it to other employees.
    Employees who need to call me hate trying to translate 603-881 into
    the appropriate DTN!  Especially if they are not at a terminal to
    access ELF at the moment they need to call.
                                                     
    I think we should have 2 sets of cards, perhaps in 2 different colors.
    (One for outside people, one for other employees.)  I would order
    about 450 internal ones, and 50 outside ones.
    
    

    
    	   If I may be so bold as to point out the obvious... if knowing
    	a nodename, in and of itself, constituted a threat, then we are
    	in very big trouble to begin with.  What network known to DECkind
    	has not included at least one (and probably more) of the following:
    
    		VAXA (and the inevitable, VAXB, VAXC, etc.)
    		HEUY (and the inevitable, DEWEY, and LEWEY)
    		HARPO (and the inevitable, CHICO, ZEPPO, and KARL)
    		CURLY (and the inevitable, MOE, LARRY, and SHEMP)
    		
    	   Our network contains ALL of these (a silent testimony
    	to the real creative spirit lurking in the hearts of those
    	who name our nodes).  
    
    	   Mind you, we doo have some good node names (SYZYGY is
    	one of my personal favorites), but that`s beside the point.
    	If all it takes is a known node name to compromise the E-net,
    	then it is already compromised.
    
    	   However, knowing a nodename and username pair is significantly
    	more risky.  All that remains for some n'er-do-well to break in
    	is a phone number and a couple of passwords... or a network
    	path and a single password (usually). 
    
    	   Still, given that we now have 12-character passwords, the 
    	odds against breakins are pretty good... unless we still have
    	some people around using their spouse's name or twelve X's 
    	as a password.
    
    	- Greg

    re:  last several
    
    I thought I prefaced my statement by saying it was not necessarily
    a "good" reason not to have a node name on business cards.  I'm not
    sure what the real reason for the policy is, but was only giving
    what I perceived as the most likely one...It could be to keep costs
    down due to people moving around so much.  I know of several hundred
    people whose cards are out of date due to mail stop changes over the
    last six months or so, including mine.  What hasn't changed over the
    last several years is my enet address and my DTN, so I guess that is
    a weak excuse, too.  Oh well, better I stop guessing.

    If I can't put the name of my Easynet node on my card, I'm in
    trouble...
    
    :-)

    I (and my collegues) have also heard the "Well, just scribble your
    network address on the back."  It does slow you down a bit;  if I
    handed out cards on a daily basis, a rubber stamp would be useful to
    have.
    
    But I've finally used up a whole box of cards (500?), after three
    years.  The people who see them the most, though, are
    
    the waiters at local Sichuan restaurants:  they make excellent notepads
    for organizing a Chinese dinner for 6 or 8.
    
    Dick

>        <<< Note 174.188 by LYCEUM::CURTIS "Dick "Aristotle" Curtis" >>>
>                      -< Don't leave home without them! >-

>    I (and my collegues) have also heard the "Well, just scribble your
>    network address on the back."  It does slow you down a bit;  if I

Doesn't this look a bit unprofessional?
Er, excuse me a second while I write my nodename on my business card.
The company won't print it for me this way, I have to write it on myself.
They don't mind that.

I thought the whole point of a business card was a quick way of leaving
your name and contact details with someone.  An easynet address is just
another contact address. As I say, nodenames are regularly broadcast to
the world via usenet. There is no reduction in risk by not putting them
on business cards.

>  <<< Note 174.187 by LESLIE::LESLIE "Old light, through New Windows"  >>>

>    If I can't put the name of my Easynet node on my card, I'm in
>    trouble...
 
 I guess you're not the only one either ....

	Craig.

You don't understand.

The corporate view is that the decwrl gateway is a clever hack, not a business
tool.  The *FACT* that commercial use is prohibited enforces the corporate view.

Hacks do not belong on business cards.

The official corporate X.400 gateway is now operating.  You can put your
official, approved, $26/month address on your business cards.

No amount of griping in this conference is going to change the situation, a
situation approved by the Executive Committee.

/john

    I have been reading the replies here for a while and suddenly I
    saw an official business card yesterday that HAD THE NODE NAME and
    the DTN. The person's name shall remain unmentioned but I did a 
    double take.  Will continue to investigate.
    
    ......... Suchindran

>             <<< Note 174.190 by COVERT::COVERT "John R. Covert" >>>

It might have been more organised to do the following if mail addresses
were going to be banned.

1) Tell everyone what's going to happen and why
2) Ban email addresses on cards one day
3) Introduce X.400 addresses the next
4) Publicise how people can get an X.400 address if they want one.

The current situation leaves everyone in confusion, as is plain from
reading this topic.

	Craig.

    re: < Note 174.192 by MARVIN::COCKBURN "Craig, PhaseV & FCNS" >

>   3) Introduce X.400 addresses the next
>   4) Publicise how people can get an X.400 address if they want one.

    I can see a certain number of CC managers shuddering in their boots
    over this one.  $26/month * X employees starts adding up *real* fast!
    It sounds like MCI might be getting a few windfall checks from DEC
    when the word finally gets out to the field ...
    
    Geoff

    The X.400 gateway is the right way to go.  I predict however that
    it will take so long to squeeze "decwrl" shut that it may be "fixed"
    someday.
    
    No one has mentioned that you are free to pay for your OWN business
    cards, and "deduct" it from your income taxes.		:-)
    
    re: .193 "CC managers shuddering in their boots..." - I've seen
    some who wear boots, and some who shudder at a $26,000 workstation,
    but never one who wears boots AND shudders at a mere $26. charge!
    
    	Rick
    	Merrill

    re: .193
    
>    It sounds like MCI might be getting a few windfall checks from DEC
>    when the word finally gets out to the field ...
    
    Is the $26/mo going to MCI or to DIS?  (Actually, the cost is $26/mo
    plus traffic charges.)
    
    My understanding is that DEC is using a gateway; user's won't have
    individual MCI-Mail (or whatever it's called) accounts.  If this is
    the case, I would expect MCI to be concerned with the number of bytes
    transferred through the gateway rather than with how many users
    generate or receive those bytes.

>    Is the $26/mo going to MCI or to DIS?  (Actually, the cost is $26/mo
>    plus traffic charges.)

Part to each.
    
>    My understanding is that DEC is using a gateway; user's won't have
>    individual MCI-Mail (or whatever it's called) accounts.

Wrong.  Because X.400 addressing isn't "real" yet, you need to have an MCI
Mail "Off-Net-Record".  Users on, for example, CompuServe, don't use the
X.400 address on your card at all, you still have to tell them your MCI
Mail ID number; they send to that and MCI forwards it to your X.400 address.

/john

RE:< Note 174.175 by VLNVAX::TSTARLING >
                                 -< security >-

>    Not saying it's necessarily a "good" reason, but it helps to keep
>    the easynet from attack if people do not have a node name at least
>    to begin with.  Not saying employees would do this (although I'm
>    sure it's happened), but you don't know where your cards you pass
>    out end up.

Most of the time, I write my email address by hand anyway. Many companies like 
HP, Sun, Apollo etc list their Email address. IBM on the other hand does not 
even allow internal machines to be connected to the outside world!

Dileep

re: 174.9

>    RE: "confidential gateway"?? - I have not met a DEC customer yet
>    who did not know that DECWRL! was the e-net gateway.  Really!

October 1987 issue of Communications of the ACM had our gateway address in it.

re: 174.139

OK, you've convinced me, if our software products have node::username, then,
as far as I am concerned, there are no restrictions on revealing our node and 
username in the context of an ARPAnet, INTERNet, etc. address.

re: 174.184

>    Some of us deal with 95% internal people.

Some of us deal with 99 44/100% external people.

re: 174.197

>IBM on the other hand does not 
>even allow internal machines to be connected to the outside world!

Not true. I send electronic mail to IBM.

re: 174.198

>        -< One can't receive X.400 mail if the customer can't send it >-

        -< One can't send X.400 mail if the addressee can't receive it >-

From:	CHESS::KAIKOW       "Howard Kaikow ZKO3-4/Z09 381-1122"  4-NOV-1989 13:44
To:	
Subj:	Glorioski! (or beating a dead horse)

Regarding the issue of revealing one's electronic mail address to the outside 
world, I have just reviewed an extensive discussion of this in the 
human::DIGITAL conference (topic 174).

As for most topics in conferences, lots of opnions get stated, however, 
little is finalized as those discussions are not binding on anyone. However, it 
was pointed out that when the SDC distributes software, a BACKUP/LIST of the 
released save sets wil reveal the internal DEC node::username that created the 
save set.

VMS still does this 5.3 so I am assuming that VMS does not consider it a NONO to
reveal such information, therefore, I no longer feel compelled to pretend to 
hide my node and username.

Those of us whose jobs involve dealing with the outside world 99 44/100% of the
time must reveal our electronic mail addresses.

This may sound like a very simple answer to this problem, but here goes.

I can send mail outside Digital. This reveals a nodename and username.
I can also post notes in USENET. Ditto.

If such information is 'secret' then why are we allowed to post them in
external public forums? 

For incoming mail, which is the issue at stake here then consider the
following:
1) I can receive and send mail via to the external world via an easynet
   gateway.
2) I can receive and send mail within Digital via Message Router.

3) If we built products which talk to one another, then put 1 and 2 together.

If the issue is that we can't reveal Nodename/Username pairs (ignoring
the hundreds of thousands who read usenet!) then why cany we use 3) to
receive external mail via the message router?

I have been told the syntax for doing this from the outside world is:

"firstname surname@loc.feed@gateway"

Where loc is your three digit location code, and feed is the name of an
easynet node running message router and connected to the gateway node.

As there is no username as such revealed here, just a surname, and it
isn't necessarily on the FEED node then surely this is acceptable for
printing on business cards?

	Comments?
			Craig

The issue is not that the information is considered "secret."  It isn't.

The issue is that the Corporate Identity Committee doesn't want names like
IBM, WANKER, FARTER, and so on appearing on business cards.

Specific names are approved where groups have applied to the identity
committee stating that they have a need to communicate with the outside.

/john

    Is the Corporate Identity Committee part of the sam organization that
    did ELF V2?

	It's been just over 2 years that this note was last written to.

	Any changes in the Corporate Policy about not putting e-mail
	addresses on business cards?

	-amitabh (who needs to get new cards printed and is tired of scribbling
	his fax and e-mail information on the cards)

    good questions, either way, one can ask outside card-making co. to
    make your own cards, with same digital logo on it, but you can write
    your own address on it as you want, should be ok to do? cost not much.

    According to topic 3 in LOOKUP::COMPANY_IDENTITY, certain
    addresses/formats are approved for use on cards. One such is:-
    
    	firstname.lastname@site.mts.dec.com
    
    [Press KP7 or Select to add conf to Notebook]

Well I have my internet mail address and my fax number on my cards.  I just 
filled out the standard form with all the info on it.  I did not note that the 
mail address was for e-mail, and the cards showed up a few days later just fine.
I did do them on a rush as I had to get new ones for a show when my address,
title, and phone changed.  I don't know if that anything to do with it.  Also, 
they capitalized incorrectly, but I just tell people to use all lower case 
letters and everything is fine.

Matt

    Make sure that the person doing the order knows that the
     
        firstname.lastname@site.mts.dec.com
    
    *is* legal.  I just got 500 cards w/o my mail address.  Our secratary
    was told that mail addresses are for special circumstances only.
    
    --- Gavin
    
    P.S. - anyone want one (of 50) of my cards??? :-)

    "legal" by what government statute?
    
    Your secretary was "told" what by whom, and what authority do they have
    to make such decisions?  What are the "special circumstances"?

    	I have personally never used the MTS routing styled address
    mentioned a couple of notes back.  I just tried it out of curiousity
    (by sending mail to myself via DECPA::"firstname.lastname@lkg.mts.dec.com")
    and it does indeed seem to work.

    	In the past however, I have always had people send me internet
    mail directly as follows:

*	username@nodename.enet.dec.com

    or even:

*	username@nodename.sitename.dec.com

    	I can only assume that the added use of MTS is to allow for one
    standard mailing address format for all DECies (as it is needed for
    those among us who are graced with ALL-IN-1 accounts and who must go
    through MTS to reach the rest of us peons).  I assume that this was
    the main reason that the mysterious source specified an implicit mts
    routing for internet mail, and if so, I wouldn't recommend using it
    unless it is absolutely necessary.  Why add yet another unnecessary 
    internet mail bottleneck to an otherwise perfectly precise internet
    address?

				   -davo

* where username, nodename, and sitename are substituted for appropriately.

    I think it's something to do with the notion that it's
    a "security risk" to tell someone your node name, but it's
    ok to tell them your site code.
    
    

DECPA::"firstname.lastname@lkg.mts.dec.com"

Ok, if this is 'accepted' what happens for me?  There when there are two people
with the same firstname.lastname (ie mccarthy.brian@zko.......)  I am sure
there have to be a few John Smith's at the same site throughout the company.

I agree with .214
username@nodename.enet.dec.com
works for me and avoids Brian S. getting any of my mail.
But that gives a 'nodename' to the outside world.

Brian J.

    The "official" answer is in ICS::COMPANY_IDENTITY note 15.2.  Here it
    is.  It works okay for serious Internet users, but we have to go to our
    site Internet managers to get the appropriate MX entry.  For instance,
    I can put myself on the card as "goldstein@tay2.dec.com", which
    implicitly routes to a node that I specified in the MX data base.
    
       GUIDELINES FOR INTERNET ELECTRONIC MAIL ADDRESSES ON BUSINESS CARDS
                              Revised 01 March 1991
    
    Corporate policy prohibits the printing on business cards of electronic
    mail addresses containing the user's host/node name.
    
    There are currently two forms for an Internet electronic mail address
    which do not include a host/node name and therefore may be printed on
    Digital business cards.
    
    Form 1 - the MTS format: firstname.lastname@sitecode.mts.dec.com.
    An actual example is: paul.devivo@tay.mts.dec.com.
    
    This form works only if the MTS cluster sorter for the sitecode has an
    entry for the employee which correctly routes their mail to them.
    
    Form 2 - the tcp/ip format: user@subnet.domain.  An actual example is:
    reid@pa.dec.com.
    
    
    This form works only when the tcp/ip subnet manager places a mail alias
    entry at the subnet which correctly routes mail to the employee.
    
    
    Form 2 Address Characteristics:
    
    1.  Form 2 only applies to tcp/ip addresses.  It does not apply to
    DECnet addresses (used by VMSmail) nearly all of which include the
    subnet.enet.dec.com.  Addresses for the .enet.dec.com subnet always
    include the node name and therefore are not permitted.
    
    2.  Form 2 addresses currently contain only one "word", a registered
    subnet of the .dec.com domain, between the @-sign and the .dec.com. 
    This subnet name is usually two to four characters in length; it is
    most commonly three characters in length representing the Digital
    sitecode. Examples include:
    
       jones@pa.dec.com     pa = Palo Alto
       jones@lkg.dec.com    lkg = sitecode for King Street, Littleton
       jones@tay2.dec.com   tay2 = sitecode for Taylor St, Littleton, Bldg 2
    
    
    How to distinguish between permitted and non-permitted Internet
    addresses
    for purposes of printing on Digital business cards:
    
    
            PERMITTED - Form 1 MTS address
    
                    tom.jones@tay.mts.dec.com
                                  ^^^
    
            PERMITTED - Form 2 with one "word" between @-sign and .dec.com
    
                    jones@pa.dec.com
                    jones@lkg.dec.com
                    jones@tay2.dec.com
    
    
            NOT PERMITTED - more than one "word" between the @-sign and
            .dec.com, and one "word" is a node or host name which may not
            appear on the business card.
    
                    jones@jove.pa.dec.com
                          ^^^^^^^
                    jones@delni.enet.dec.com
                          ^^^^^^^^^^
    
    
                                 IMPORTANT NOTE
    
    Having a tcp/ip account does not automatically give a user a Form 2
    Internet address.  The subnet manager must properly configure the
    directory/alias information for this to work for you.  Do not order
    business cards with an Internet address until you have tested the
    address and are sure it works for you!
    
    When completing the business card order coupon, enter the Internet
    electronic mail address on the Address Line 4 preceded by the word
    "Internet:" as follows:
    
                    Internet: rjones@mko.dec.com
    
    

It might help if IBM teaches customers to ask their Digital sales rep "my
business card has my *real* Internet address, but yours doesn't.  Is there
some problem I should know about?"  After all, if the networking and security
products and services we sell are excellent, our internal policies should
reflect this.  We do claim to use what we sell, don't we?

Of course, there may be a rational justification for the policy which has
managed to escape our attention in the past 5 years.  Maybe it isn't one that
the corporation wants generally known to employees (let alone customers).
				/AHM

    re: a few back
    
    Printing your own business cards, at your own expense, with "Digital" on
    them may be an inappropriate use of Digital's logo.  May require
    company permission....                                                
    
    If anyone would catch on is unlikely...

    re: .213
    
    > "legal"
    
    Doesn't have a EasyNet node name in the address.
    
    > special circumstances
    
    Who knows?  Since I'm at my customer site 5x8, all of my "Digital"
    related stuff is done via phone or e-mail--I don't get the full story. 
    I assume "special circumstances" include people working shows &
    conventions, sales-type people whos accounts are on the Internet,
    etc.
    
    Personally, whenever I need to correspond, the first thing I ask for is
    an e-mail address.  It just makes it so much easier if I don't have to
    scribble my address on my business cards.
    
    --- Gavin

How does this policy

(a) Make it easier for us to sell/support things to our customer.

(b) Make it harder for weenies to break into our systems.

Security through obscurity has never worked in the past; why do we
persist in believing it will work in the future?

Martin.

If your site has IP connectivity, then enabling user@xxx.dec.com is fairly
easy.  Currenty there are only 9 folks in LKG who take advantage of the fact
that lkg.dec.com is setup and operating.

The following domains (sites) support the user@xxx.dec.com:

alf aqo bst cbm crl cxo dco del det dfe dvo gao gsf ilo jit jrd lkg ltn mko
mro1 nyo osa ozy pa pko prl rdg sbp shr shr3 tay1 tay2 tops20 ucs unx ush vbo 

If your site has IP and is not listed, then bang on your site admin person.
Otherwise, send mail to DECWRL::"postmaster@xxx.dec.com" and ask to have an
alias added for you.

    A scary fairy tale for our times:
    
    Once upon a time there were two people who said to each other "if only
    we could get hold of the source code for some unreleased version of
    VMS, we could figure out how to insert a small, nearly invisible
    routine that would allow us to gain privileged access to any VAX
    anywhere in the world merely by logging onto the system...."
    
    But they had no idea of where to begin looking for the source code. 
    They knew a little about EASYnet and felt that *SOMEWHERE* on the net
    there had to be a machine where the working copy of the source code was
    stored, but they had no idea where to begin to look.  Then they
    attended DECUS and collected a business card from an engineer in VMS
    development.  This card had a cluster alias on it.  Being reasonably
    intelligent people, they decided that if this person were in VMS
    development, then there was a good chance that if they started by
    trying to get into that system they could find out where the source
    code was.
    
    Now there were a number of other holes in security that were necesary
    for them to get into the system, mostly human ones, that they exploited
    very well.....
    
    Less than six months elapsed from the time they decided to try until
    they had tapes in their hands with the source code on it.  Fortunately,
    they did not accomplish their goal of modifying the code primarily
    because one of them "chickened out" and notified us what they had done. 
    One of them spent a year in jail; the other is on probation and making
    "restitution" to DEC.
    
    Now, maybe they could have done all of this without the first clue of a
    node name, but their testimony was that having that single bit of
    information made their task infinitely easier.  In fact, having the
    node name allowed them to sound like DEC employees when talking with
    other DEC employees who unwittingly helped them through the door.
    
    I am not a security type, but I did get a chance to sit in a meeting
    where one of these guys explained how they had accomplished this and
    was not surprised at how easy it was for them (I was surprised about a
    few other things he said, but that's another story).  Now, at one time
    or another, I have been on the side of the people who wanted to have
    internet addresses on their cards.  Perhaps even violently so.  No
    longer.  As a previous note pointed out, there is a way to be addressed
    from the internet without using your node name, and this is allowed on
    business cards.  What's wrong with using this?  Why make life easier
    for people who wish to do DEC harm?
    
    The first rule of system security:  Make it easy to do the right thing
    and difficult-to-impossible to do the wrong thing.

	I find it hard to believe that there is anyone that knowledgeable
	about VMS who doesn't also know what cluster VMS lives on without
	a business card. And anyone who can get on any node on the net could
	findout in a matter of minutes. To blame this on a business card is
	the height of absurdity.

			Alfred

    I seem to recall that STAR is all over the sources we publish.

Won't this all be solved when everyone has X.400/X.500 addresses?

re: .225

As many of the previous replies have indicated you can have an internet address
without a node name.  I have this on my card and do much of my customer 
communicaton through the net.  I find it very difficult to do business in a rapid
way through regular mail and telephone.  I can send postscript files, written 
questions and get detailed responses all in the same day.  Voice mail is great, 
but still will not carry the same amount of information as a mail message.

At the risk of starting a rat hole, I see this as one more small but insidious
example of allowing the old and slow ways to continue.  You may recognize the
"lets get together again next week..." or "let me get back to you with the 
answer to that...".  There is little reason not to get back with the answer in
a couple hours at worst, often with the written answer as given to you, not
a personal interpretation.  The more easily we can communicate with our customers
the better.  In all cases, at all times, without execption.

    
    Re: .225
    
    Can we have a source for this information?  I followed that case fairly
    closely and this is the first time I heard about any testimony to the
    effect that a node name made Mitnick's task easier.
    
    Other replies are quite right -- security by obscurity is no security
    at all.
    
    Furthermore, nodes are just as accessible by number as by name.  And
    when you set host to a node with either method, the node normally tells
    you its name.
    
    So unless DEC is planning on placing a top secret classification on the
    set of positive integers, this measure won't prevent anyone from
    reaching any node.  It will just make it more difficult for people with
    a legitimate reason for doing so.
    
    JP

    E-mail addresses on business cards have also been discussed in
    HUMAN::SECURITY_POLICY note 72.  Of particular interest is a reply by
    Chuck Noble which states that Security has no problems with "real"
    addresses.
    
    The people in charge of the policy, the Corporate Identity Committee,
    are the ones who must be educated.
    
    Wes

        Re: .225

>    Then they
>    attended DECUS and collected a business card from an engineer in VMS
>    development.  This card had a cluster alias on it.  Being reasonably
>    intelligent people, they decided that if this person were in VMS
>    development, then there was a good chance that if they started by
>    trying to get into that system they could find out where the source
>    code was.

        O.K.  Let's assume that the business card didn't have a node
        name on it, but did have an MTS style address.  The two
        individuals would only have to send a message to the address and
        await a reply.  The message could be simple--`Are you the Joe Blow
        I went to Fubar High School with in 1975?'.  The From: address
        in the reply would contain a node name.

>    Less than six months elapsed from the time they decided to try until
>    they had tapes in their hands with the source code on it.  

        Your `solution' (trying to hide node names) would add maybe
        twelve hours to the elapsed time of six months.  Probably
        less--many people use MAILWATCH when they go off to DECUS.

        As other replies have said, security through obscurity doesn't
        work and you can't hide node names with our current software.

        					B.J.

    Well, FWIW, my card says BHAJEE::JAERVINEN on it.
    
    Unfortunately, I forgot to add the Internet address last when our cards
    were reprinted anyway ( ebause the phone number changed).
    

The problem is not and never has been security.

It has been company identity.

The company doesn't want node names like DIEVMS and IBM and COORS on its
business cards.

You will not get in trouble if you have your cards printed in accordance
with the company identity standard (where to get it has been mentioned
many times in this topic) but you slip a non-controversial nodename in.

Of course, the definition of "non-controversial" may change without any
action on your or DEC's part due to something some other company does.

/john

    So, we de-register those nodes...
    q

    re .-1
    
    Yeah, let's have a Corporate Standard For Acceptable Node
    Names!   That's what we need to make this company great
    again.

>             <<< Note 174.235 by COVERT::COVERT "John R. Covert" >>>


>The company doesn't want node names like DIEVMS and IBM and COORS on its
>business cards.

Such nodenames can be passed into public forums via external mail and
usenet newsgroups. Usenet is read by a lot more people than the number
of people likely to see your business card. But of course the beaurocrats
in Corporate Identity don't have much control over what DECWRL passes do
they? Allowing the nodenames to be seen on usenet and not on business
cards seems like a pointless waste of company resources.

Craig

Don't forget that personal names also go out into the real world.

Not only do p-names go outside, they often get turned into mail addresses by 
Unix systems.

Can we put our p-names on our business cards?

Radio Ga-Ga

    It's a hopeless mess, let's admit it. The beareaucrats cannot hit
    USENET, so they hit what they can see: business cards.
    
    BTW Dave, there already IS a policy on acceptable node names: to wit
    the stuff about 3-character nodenames and swearwords....
    
    	- andy

    Re .-1
    
    ANd the story is the restriction on three character nodenames is
    because the message router sw in use around the corporation,  isn't
    smart enough to tell the difference between a nodename and a location
    code....
    
    sigh..
    
    q
    

    Yup. Gawd help us if we ever graduate to SIX character location codes.
    
    	- andy

No problem in the brave new world.  My machine should unambiguously
be identified as 

	DEC:.lkg.mu

(What?  We haven't yet got fullname support in a single VMS 
 application?  Well....)

re: .242,

>    ANd the story is the restriction on three character nodenames is
>    because the message router sw in use around the corporation,  isn't
>    smart enough to tell the difference between a nodename and a location
>    code....

    	Sounds to me like all the more reason *not* to use MTS addresses
    on business cards, and instead to use real internet addresses.

				   -davo

    ... there was a recent discussion on whether to use 
    vaxmail_account_name@fac.enet.dec.com
    or
    vaxmail_account_name@fac.mts.dec.com
    or somesuch...
    
    ?
    
    

No, that's

	username@node.enet.dec.com

or

	yourname@fac.mts.dec.com

I think.

    in <<< Note 174.248 by MU::PORTER "just drive, she said" >>>
    
    >No, that's
    
    >        username@node.enet.dec.com
    
    No, thats only for a DECnet node.  One of those blad danged U*ix
    machines with a tcp/ip address will be addressed as:
    
    user@node.subdomain.dec.com
    
    Or to make it even more confusing, the same address from uucp would be
    something like (I'm not that familiar with uunet addresses):
    
    path!node.subdomain.dec.com!user                                    
    
    Confused yet?

    I just returned from an X.400 mail class put on by the MCI reps who are
    stationed in Stow.
    
    They suggested putting the X.400 address on the business card.
    
    Bo

And let's not forget those nifty looking X.400 addresses.

I saw a card once which had 4 or 5 different address's on it - a very well
connected individual (or possibly very confused).

--Scott

    re    <<< Note 174.250 by OAXCEL::KAUFMANN "Dignity with causality" >>>
                           -< Use an X.400 address >-

>    I just returned from an X.400 mail class put on by the MCI reps who are
>    stationed in Stow.
>    
>    They suggested putting the X.400 address on the business card.
    
    As I recall of the verbosity of X.400 routing information, this will
    mean we need 3" x 5" business cards. and of course, it will do no good
    until a) All of Digital has a consistent X.400 service across the
    corporation, and b) Customers  and counterparts in outher corporations
    have access to X.400.
    
    q
    

    re  .252
    
    One of my customers has his X.400 address on the back of his business
    card - standard size card.
    
    	-Barry-
    

    So what is my X.400 address? Who do I ask? 
    
    			Alfred

Believe it ot not, if you do a  $ VTX X.400
you'll get started in the right direction.

This was the example from VTX:

X.400:  C=US; A=MCI; P=Digital; O=Digital; OU=loc; S=surname; G=firstname

    BUT - you have to register for X.400
    
    	-Barry_who_uses_it_to_communicate_with_clients-
    

    RE: X.400 account
    
    You can check out VTX X.400, as the previous relpy states.  The MCI
    group in Stow handles the registration.  Andrea Leboss @OGO is the MCI 
    rep who did the training and handles the registration.
    
    X.400 can be accessed through ALL-IN-1, ALL-IN-1 MAIL, and VMSmail.
    Recipients can be e-mail, fax, telex, or postal (paper) mail.
    
    Additional software can (must?) be used for addressing X.400 (for
    example, additional menu forms in ALL-IN-1).
    
    Bo

    Remember, if you put your X.400 address on back of t  he business card,
    it'll fill the back. Obviously no good with bilingual English-
    Japanese card flippers.
    
    I once tried to use the VTX X.400 and it simply refused to allow a
    valid address to be computed.  I gave up and found an internet address
    for my correspondent.  That works well.
    
    X.400 was not designed for humans to type (nor were Phase V NSAPs);
    they're designed for directories to create.  Of course the directories
    got ratholed into X.500 oblivion.
    
    I'm of course growing rather cynical about the whole OSI programme.

It is acceptable to have an Internet address on business cards as long as
it uses the .mts.dec.com syntax.  For example, mine would be:

	Steven.Lionel@zko.mts.dec.com

You have to check to see that your site's MTS server knows how to get mail
to you - easiest way is to just send yourself a message using the MTS form
of the Internet address.

The supposed rationale behind this is that publishing the names of Easynet
nodes is a security risk.  Of course, the first time you respond to any
mail someone sends you, or you post to an Internet newsgroup, your node
name is revealed for all to see, but this is considered acceptable.

I was successful at getting my Internet address on my business cards, and
didn't even have to argue about it.

				Steve

    Big DIGITAL ad in this Sunday's Boston GLOBE -- full page, first page
    in the help-wanted section...  Positions at HLO... complete with an
    "unkosher" EMail address -- employment@obsess.enet.dec.com
    
    :-)
    

    
    
      I hear that the price of those ads is around $40,000...
    
    

    If you are unsure about using the Electronic Mail addresses on business
    cards, this is an excerpt from a PRESS RELEASE [not a solicitation] tha
    arrived in my mail today.....
    
    Personalized Internet Licence Plate Frames are a
    very safe and cool way to meet new people.
    
                             ----------INTERNET----------
                             |                          |
                             |                          |
                             |                          |
                             |                          |
                             |                          |
                             ---yourname@yourhost.here---
    
    The licence plate frames are black with white lettering. The top says
    INTERNET and the bottom contains a person's e-mail address.
                                     
    Pricing and contacts were included, but it was a press release.
    
    Howard
    
    Imagine, the next time someone cuts you off in traffic, you just write
    down their INTERNET address.

RE: .263

	Where do you order and how much?

						mike

>    Imagine, the next time someone cuts you off in traffic, you just write

	heck, why not just flame them like always! ;-)