Conference gyro::internet_toolss

No - you have always needed a crypto-key and authorization to do PUTs through
the gateway.  If you managed to do it without a key, I'm sure the gateway
admins would like to know about it.

				Steve

    I do remember when I was VMS support a long time ago
    to have transfered patches directly to customer sites.
    
    That may be a few years ago, but I am sure I did it.
    I was using the colorado site, although I do not remember
    the exact details.
    
    But what is the security issue to PUT files to customer site?
    I can understand the customer getting access internaly, but
    fail to see the security issue outbound.
    
    Besides the point... 
    
    Is there any other way to do it?
    
    Will I have to waste 2 hours to go to the office,
    trying to get approval to have access to a system/tape drive
    (add another few hours) copy the file to a $50 tape (add
    an couple hours to find a media), have it sent to the customer 
    fedex ($50).
    
    Can this company still afford to waste that much money?
    
    If anyone has a solution, let me know.
    Mailing it is not feasable as the customer e-mail will not accept
    e-mail more than 6 MB.  The file is over that limit, and very
    hard to break in pieces. 
    
    Thanks,
    
    Vince.

The security issue is that they don't want someone who manages to get into
Digital's network to easily copy Digital's product sources or other
proprietary information outside the company.  If you have a regular need to
"put" files, then apply for a cryptokey and use it.  There is an initial
charge plus a yearly fee.  I have one and use it regularly.

	http://wrl-www.pa.dec.com/wrl/compute/guard/guard.html

				Steve

Vincent -- DTN 632-7908 (v_ledoux@kaofs.enet.dec.com) wrote:
: Title: 530 Operation denied by FTP gateway on outgoing copy

:     Is there a new procedure?

If you are using PA or CRL, the procedure has always required that you
use a cryptokey to authenticate yourself.

Stephen
--
- -----
Stephen Stuart				stuart@pa.dec.com
Network Systems Laboratory
Digital Equipment Corporation
[posted by Notes-News gateway]

    I found the original information I used "when" this was working.
    Below is the mail...
    
    It does say: FTP files "to" and "from" the remote site...
    
    If someone wants to send "internal use only" out, he can
    always e-mail it.   I will have to do that, but I will
    spend hours to break the file in multiple file, and the
    customer will have to reconstruct it at the other end.
    
    I believe it is a waste of time, non-professional for
    a false-security issue.
    
    Thanks for your prompt answer, anyway.
    
    From:   TSC::"mst%whtice.service.digital.com@deccxo" 18-APR-1995
    16:05:12.74
    To:     n_pirollo%kaofs.dnet.digital.com@whtice.service.digital.com
    CC:
    Subj:   How to ftp a file thru colorado.service.digital.com
    
    
            To ftp a file "thru" colorado you need to do the following:
    
            1. From the machine you are on type,
    
            ftp colorado.service.digital.com 1555
    
            It will present a screen asking for username @ hostname,
    
            2. You'll need to supply a username on the host you are
               trying to move the file to, or from.  This would be
               something you get, in advance from the customer.
    
            3. It will then ask for a password, also obtained from the
               customer, to go with the username and hostname. You enter
               this at the password prompt.
    
            4. At this point you are signed onto the customer system via
               FTP.  You can use standard FTP commands like GET and PUT
               to copy from, or copy to, the files your working with.
    
     
                                                    Hope that helps,
    
                                                    Jack Callaghan
                                                    Mike Temkin
                                            Commercial Internet Services
    
    

Vincent -- DTN 632-7908 (v_ledoux@kaofs.enet.dec.com) wrote:
: Title: 530 Operation denied by FTP gateway on outgoing copy
: Reply Title: It did use to work!

:     I believe it is a waste of time, non-professional for
:     a false-security issue.

You are free to believe what you like.

If you want to pursue this with the people who set the policies, send
mail to <ip-exarc@pa.dec.com>. 

Stephen
- -----
Stephen Stuart				stuart@pa.dec.com
Network Systems Laboratory
Digital Equipment Corporation
[posted by Notes-News gateway]

Vincent -- DTN 632-7908 (v_ledoux@kaofs.enet.dec.com) wrote:

>     I believe it is a waste of time, non-professional for
>     a false-security issue.

If Digital were to allow non-authenticated outgoing ftp, it would defeat the
purpose of having a firewall, to protect the intellectual property of the
corporation.  The purpose of the cryptokey is to prove to the
firewall that you have the authority as a Digital employee to export the
intellectual property in question.  The process itself takes less than ten
seconds, so it's hardly a burden or cumbersome.  The keys themselves are 
relatively easy to get, so if there's a chance you'll need one in the future,
you should consider having your organisation request one as a policy.

Should you still believe that this is a false security issue, I'd encourage 
you to read the conviction history of Kevin Mitnick.

-- 
-=Paul Flaherty, N9FZX |     "Just name a hero, and I'll prove he's a bum."
->flaherty@pa.dec.com  |          -- Col. Gregory "Pappy" Boyington
[posted by Notes-News gateway]

    Well, hate to jump on a stump, but...
    
    It is *not* at all convenient or simple to have to order a $250 device
    just to be able to use 50% of the capability of FTP.  If you are of the
    opinion implied by .7, that any legitimate employee has the privilege
    and authority to push files, you are talking about 50,000 * $250 = $12
    million dollars to quote-insure-unquote the "security" that someone has
    to use mail instead of FTP to send out files.
    
    And this doesn't factor in the infrastructure needed to support this
    gateway system.  It took me weeks to finally get a working set-up, and
    the whole time I had the very strong impression that the support for
    this effort is underfunded, understaffed, and at least somewhat casual.
    Every message was certain to mention that each step of the process
    would be taken "in good time" (to paraphrase) with no certainly of
    precise completion times.  There is no way that even a percentage of
    DEC employees could be issued cryptokeys without breaking this process.
    
    But that won't happen, because most cost center managers are going to
    want to see a demonstrated need for a given employee to exercise his
    "privilege", and the idea of everyone in a group having one, or
    everyone getting one by default on their start date is ludicrous.
    
    You can say what you will, but there has always been the tangible
    "impression" that crypto-keys are for the elite few.  And no one has
    been doing anything to dispel that idea.
    
    Requiring every employee to get a $250 device so they can do what
    probably 90% of all the employees at every internet-connected company
    in the world can do is pretty braindead.
    
    BTW, you mention Mitnick.  Well, that name always comes up regarding
    security.  He stole the VMS sources.  If that is the best argument for
    security you can come up with in these days and times, I'm not
    convinced.  
    
    Corporate security is important.  Vital.  I don't question that at all. 
    I seriously question whether limiting push capability has anything
    whatsoever to do with that.
    
    The VMS paranoia days are over.  Its time to join the 20th century.
    
    jeb
    

re Note 4647.8 by PCBUOA::BAYJ:

        Very well put.

        Bob

	One would hope that the days when our badges can become
	Smart Cards are close at hand. With the simple use of a 
	3.5" floppy-to-SmartCard adaptor, we could solve problems 
	like this fairly easily.

							mike

Jim, Portables (bayj@pcbuoa.enet.dec.com) wrote:
: Title: 530 Operation denied by FTP gateway on outgoing copy
: Reply Title: Note: lower case - I'm NOT yelling

I'm not yelling either.

:     Corporate security is important.  Vital.  I don't question that at all. 
:     I seriously question whether limiting push capability has anything
:     whatsoever to do with that.
:     
:     The VMS paranoia days are over.  Its time to join the 20th century.

You can post as elegant a supporting argument for your position as you
like, and you will accomplish nothing of any substance, except
whatever warm feeling you get from having said something. We're all
happy to go down the garden path with you, as a topic or keyword
search or whatever will show you. A lot of us know it quite well.

If you want your commentary to be heard by people who have more to
offer than just a sympathetic ear, then SEND MAIL to the people who
make policy. We maintain an alias for them, <ip-exarc@pa.dec.com>
(although none of them are Palo Alto people).

Stephen
- -----
Stephen Stuart				stuart@pa.dec.com
Network Systems Laboratory
Digital Equipment Corporation
[posted by Notes-News gateway]

What does that mean?  Since VMS is gone and unix doesn't have any security
and it has been reported that NT is worse than unix, we shouldn't even bother
trying?

I keep after the unix people I work with to implement the so called enhanced
security, which is just simply what VMS has had for a decade, even tho, or
perhaps especially because, I know it causes them so much pain with broken
softwarea and degraded performance.

Ultimately, I believe that the pain will pay off in the high marks that the
product reviewer have been giving the security products we're marketing under
the AltaVista brand.

Congrats on the Computer Resellers picking AltaVista firewall as their
Editor's Choice.

    I refer to paranoia over the VMS sources being stolen, which oftentimes
    seems to be the driving mentality to many of our security efforts.
    
    The reason I take issue with the policy is that 99% of the employees
    are restricted from using a commonly available capability in the very
    remote chance that someone might break into a Digital system, and for
    some reason find that the only way they have of transporting
    proprietary information off the intranet is using FTP (i.e., for some
    reason, mail, Kermit, Z-modem, etc. are not available).
    
    In other words, we don't protect against someone breaking in and
    *mailing* themselves information.  Why?  Because to disable outgoing
    mail would impact business.
    
    Well, my point is that not having FTP impacts business.  More and more
    each day.  Before the WWW surge, FTP was largely unknown, and rarely
    needed.  Since the WWW, FTP has become as common as email for
    transport, and is becoming much more widely known.  Not to mention it
    is FAR faster and more reliable.  I finally had a business case to
    justify a crypto-key because we simply couldn't continue to do business
    using mail for transporting large binary files.
    
    I believe the only reason FTP is so zealously guarded is strictly
    historical, and that the need to protect it so is now past.
    
    Think about it:  We seek to protect our network by making sure that if
    someone breaks into it, they will find its unusable????  
    
    Whats wrong with THAT picture?  Lets focus our security efforts where
    it makes sense, and permit our employees access to the tools that all
    our competitors have access to.
    
    jeb
    
    (BTW, I haven't even mentioned having inbound FTP sites available
    outside the firewall.  Our competitors have those as well, easily
    accessible)
    

Jim, Portables (bayj@pcbuoa.enet.dec.com) wrote:
: Title: 530 Operation denied by FTP gateway on outgoing copy
: Reply Title: (none)

:     Whats wrong with THAT picture?  Lets focus our security efforts where
:     it makes sense, and permit our employees access to the tools that all
:     our competitors have access to.

Your opinion is not new. If you search this conference you will find
that others have expressed the exact same feelings. Note the dates. 
Through all the years that feelings identical to yours have been
expressed, not one word has been mailed to <ip-exarc@pa.dec.com>.

There is a group of people who would love nothing more than to focus
our security efforts where it makes sense. Until you, the people
affected by these policies, make your feelings known, nothing will
change.

Posting here doesn't count. You, Jim, are just the next in a long line
of people whose opinions have not mattered because they were not heard.

Stephen
- -----
Stephen Stuart				stuart@pa.dec.com
Network Systems Laboratory
Digital Equipment Corporation
[posted by Notes-News gateway]

re Note 4647.14 by QUABBI::"stuart@nsl-too.pa.dec.com":

> Posting here doesn't count. You, Jim, are just the next in a long line
> of people whose opinions have not mattered because they were not heard.
  
        This is certainly true.

        However, it can be very helpful for a person who wishes to
        change things to sound out their ideas and their arguments
        first with a more open and (presumably) more sympathetic
        audience.

        Of course, as you point out, you then need to take the next
        step and make the presentation to the official body.

        Bob

    So, who exactly are these mysterious folks at <ip-exarc@pa.dec.com>
    that don't read notesfiles, and obviously are completely out of touch
    with their "customers", the employees of this company?
    
    And, along the lines of .15, does my opinion represent a vocal
    minority, or the silent majority?  Is this a real issue, or an
    occasional inconvenience with numerous alternatives?  Or did I call it
    right that demand is growing with cognizance of the internet?
    
    jeb
    

Jim, Portables (bayj@pcbuoa.enet.dec.com) wrote:
: Title: 530 Operation denied by FTP gateway on outgoing copy
: Reply Title: (none)

:     So, who exactly are these mysterious folks at <ip-exarc@pa.dec.com>
:     that don't read notesfiles, and obviously are completely out of touch
:     with their "customers", the employees of this company?

The current list is:

Randy Brown <brownr@mail.dec.com>
Paul Doucette <doucette@das.dec.com>
Chuck Noble <noble@mail.dec.com>
Jean-Paul Rambeau <rambeau@mail.dec.com>
Stephen Webber <webber@akocoa.enet.dec.com>
Bob Yost <yost@ics.enet.dec.com>

Notes is not an official communications medium of the Corporation (MTS
mail is the only officially blessed medium, by the way). You need to
adjust your expectations accordingly, starting with your "these people
are completely out of touch" attitude. You probably wouldn't like it
if I said, "you obviously are completely out of touch with the way
that change is accomplished," would you? I haven't said that because
I'm trying to inform you, rather than belittle you. The people on the
<ip-exarc@pa.dec.com> list deserve the same courtesy from you that you
are getting from me.

:     And, along the lines of .15, does my opinion represent a vocal
:     minority, or the silent majority?  Is this a real issue, or an
:     occasional inconvenience with numerous alternatives?  Or did I call it
:     right that demand is growing with cognizance of the internet?

My opinion is there are mechanisms to accomplish the majority of the
communications needs of the corporation. There are obvious problems,
and those of us who implement gateways are working hard to overcome
them in a manner consistent with the policy that we are directed to
follow.

This is an over-simplification, but the world is divided into two
camps: people who can't do what they need to do because the mechanisms
don't exist, and people who are dissatisfied with the existing
mechanisms. The latter group seems to consist mostly of people either
do not understand that the purpose of a cryptokey is authentication,
or who are unwilling or unable to justify the expense of a cryptokey
to their cost center managers.  This despite the fact that the
objections are always phrased in terms of "convenience."

Stephen
- -----
Stephen Stuart				stuart@pa.dec.com
Network Systems Laboratory
Digital Equipment Corporation
[posted by Notes-News gateway]

> Notes is not an official communications medium of the Corporation (MTS
> mail is the only officially blessed medium, by the way).

	Actually, you must be out of touch! :-)  Exchange Mail is now officially
  blessed as the replacement for MTS.  Three out of those 6 mail addresses
  are to an Exchange Mail server.

> This is an over-simplification, but the world is divided into two
> camps: people who can't do what they need to do because the mechanisms
> don't exist, and people who are dissatisfied with the existing
> mechanisms. The latter group seems to consist mostly of people either
> do not understand that the purpose of a cryptokey is authentication,
> or who are unwilling or unable to justify the expense of a cryptokey
> to their cost center managers.  This despite the fact that the
> objections are always phrased in terms of "convenience."
> 

	I agree.  If you can't justify a cyptokey to your cost center manager
  you probably should not be sending files to an outside company.  It's not
  just a matter of convenience, it's a matter of security.  I doubt that you
  will get ANYONE in EXARC to listen to you based on convenience as opposed to
  need.  I expect their response will be: why can't you get a cryptokey?

		Danny

If the purpose is just to deliver some file to a customer, there are
Delivery Tools: DDIA, DSNlink, WIS ... that allow routinely files to
be transferred outside the firewall. 

The situation is very common: Development groups who need to install 
their code on a customer's system, Customers who need a copy of their
contracts, and of course regular support and delivery of patches, using
the transport you prefer: Modems: ISDN or PSTN, TCP/IP, X.25 or DECnet.
All this with the blessing of ExArc, because the solution has been 
technically reviewed. 

So instead of re-inventing the wheel, just ask you nearest MCS Service
Infrastructure Engineering team in CXO or VBO.

Jean-Pierre @VBO

    So how about Compuserve? I can't telnet out either. On the other hand,
    I can use WinCim to connect to Compuserve via our proxy, and WinCim
    does allow telnet (and ftp, including put). Granted, it's probably
    terribly slow.

I'm also impacted by not having a crypto-key. It's not that i couldn't get one 
it's just that i don't see why our cost center should be charged for multiple 
keys when most of our group needs to FTP files to the ISV's we support on a 
regular basis. For small files, i uunecode a tar file and email pieces of it. 
For large files i have someone here who has ftp access out to push the files.

The point is you don't need a costly "key" get to get binary files out of the 
company if you are so inclined-proprietary or not. This crypto balogna just 
adds overhead to the bottom line as far as i can see.

------------------------------------------------------------------------------
 James C. Mikelis                               Software Partners Engineering
 Phone: +1.508.467.9073 (FAX) 1.508.467.1468	Digital Equipment Corporation
 EMAIL: Mikelis@mail.dec.com                    200 Forest St. [MR01-3/F26]
 http://www.digital.com/www-swdev/              Marlboro, MA 01752
------------------------------------------------------------------------------

Re: .21

Ok, so you have found a compromise which works for you.  Good.  Note that your
e-mail is logged, so there is a "trace" available should the need arise.

As has been said earlier, MCS Colorado offers a service to groups who need
frequent access to FTP PUT.  I don't know what the relative costs are.

					Steve

    >I doubt that you will get ANYONE in EXARC to listen to you based on
    >convenience as opposed to need.  I expect their response will be: why
    >can't you get a cryptokey?
    
    Perhaps this is the attitude that keeps people from bothering to try
    and change a broken system.  If you know in advance that attitudes are
    against you, and not open to suggestions or change, it makes it less
    likely that you'll mount your sturdy steed.
    
    I've had many occasions when I had a business need for the ability to
    FTP push.  It would have been extremely helpful, timesaving, and
    therefore cost saving for the company.  However, these were mostly
    short duration requirements that couldn't wait for the 1-2 month cycle
    for securing a crypto-key to complete.  For want of a nail...
    
    As I mentioned, I now have a justifying business purpose, and a manager
    that doesn't suffer from penny-wise/dollar-foolish syndrome, unlike
    many Digital managers.  
    
    In fairness though, note that in the name of security, we have
    purposely prevented employees from using a capability that has been
    built in to the network since the day it was turned on.  This is not
    the case of it being expensive to PROVIDE a capability, but rather its
    expensive to DENY the capability.  We are paying money to lose money.
    
    Realize also that the person who said they use someone else's
    crypto-key technically violates the rules for using a crypto-key. 
    Theoretically, anyone who ever pushes a file needs a key, and we've
    already discussed the less than hospitable atmosphere that surrounds
    the process of getting a key.
    
    Ideally, it would be nice if the corporate infrastructure people were
    more interested in providing people the tools needed to do their job in
    a convenient, friendly way that would encourage doing things in a
    manner that is convenient and inexpensive.  
    
    But if that happened naturally, we might still be a 125,000 person
    company.
    
    jeb
    

>    >I doubt that you will get ANYONE in EXARC to listen to you based on
>    >convenience as opposed to need.  I expect their response will be: why
>    >can't you get a cryptokey?
>    
>    Perhaps this is the attitude that keeps people from bothering to try
>    and change a broken system.  If you know in advance that attitudes are
>    against you, and not open to suggestions or change, it makes it less
>    likely that you'll mount your sturdy steed.
>    
>    I've had many occasions when I had a business need for the ability to
>    FTP push.  It would have been extremely helpful, timesaving, and
>    therefore cost saving for the company.  However, these were mostly
>    short duration requirements that couldn't wait for the 1-2 month cycle
>    for securing a crypto-key to complete.  For want of a nail...
>    
>    As I mentioned, I now have a justifying business purpose, and a manager
>    that doesn't suffer from penny-wise/dollar-foolish syndrome, unlike
>    many Digital managers.  
>    
>    In fairness though, note that in the name of security, we have
>    purposely prevented employees from using a capability that has been
>    built in to the network since the day it was turned on.  This is not
>    the case of it being expensive to PROVIDE a capability, but rather its
>    expensive to DENY the capability.  We are paying money to lose money.

	You're totally missing the point.  There's a reason that this corporation
  has firewalls around its corporate network.  We could save millions of dollars
  by doing away with the firewalls and infrastructure needed to support them.
  Why do you think so many companies are ADDING firewalls?  Just to burden down
  those employees needing to get something out to the customer?  Or is it because
  they want to protect the corporate assets and trade secrets?  You're complaining
  about something costing $100 per year per cryptokey to ensure that the
  person sending something out is an authorized employee.  At least that can be
  tracked.  Are you objecting to people being identified when they send something
  out?
>    
>    Realize also that the person who said they use someone else's
>    crypto-key technically violates the rules for using a crypto-key. 
>    Theoretically, anyone who ever pushes a file needs a key, and we've
>    already discussed the less than hospitable atmosphere that surrounds
>    the process of getting a key.
>    
	The person loaning a cryptokey to someone else is ultimately responsible
  for what that person does with the key.  

>    Ideally, it would be nice if the corporate infrastructure people were
>    more interested in providing people the tools needed to do their job in
>    a convenient, friendly way that would encourage doing things in a
>    manner that is convenient and inexpensive.  
>    
	They do.  It's called a cryptokey.

		Danny

    >At least that can be tracked. 
    
    How are those tracked who (potentially) push files out using the
    Compuserve proxy?
    

One might argue that the appropriate place to implement the necessary controls
is within the specific functional units that hold the critical business data.

However, as anyone who has tried to interact with engineers in VMS knows,
they found it necessary to implement a firewall around VMS to protect themselves
from external access to VMS systems from intruders making use of insecure
access points elsewhere within Digital.

On the other hand, unix engineering does not have a firewall protecting them
from intruders who gain access to our network from any source.  Furhtermore,
most of the unix technical people seriously object to implementing what
is called "enhanced security" because it makes everything much more complicated.
One particular area of complication is in the use of NIS.

Given, for example, the recently publicized news server bug which allows a
clever user to issue commands on virtually any unix system running a news
server, intruders were at least limited to using mail to send back results
rather than being able to ftp back the results of their scavaging.  While
the intruders how exploited this hole in the news servers in use inside and
outside of Digital used mail for simplicity, its not inconceivable that
someone who was sufficiently motivated, and informed, would make use of Digitals
network if there were no other restrictions.

And here's how you do it.

By use of the news server bug you issue a command that accesses the ftp gateway
to copy into Digital a special program.  This program is then executed by
the same means on the news server machine.

What this program does is connect to the ftp gateway twice.  The first
connection is to "get" a special file on the intruder's system.  This special
file is the incoming telnet stream.  And in truth, this can be done today.
However, it is seldom useful to type blindly into a system without getting any
output.  That is where the second connection to the ftp gateway comes in.  The
second connection issues a "put" to a special file that is the outgoing telnet
stream.

The reason that this works is that the gateway has no way to interpret the
data stream because it is a pure octet stream.  It would be impossible to
differentiate between the log of an interactive session and the actual data
stream involved.

You might argue that this is so complicated that no one would make use of
this capability.  However, the same technique was effectively used with DAP
to create remote terminal sessions on VMS.  In part this was easy because of
the tight integration of networking and VMS; the entire program transferred
and executed was written in DCL, but it also demonstrates how simple the
the idea is.  I'm sure that someone who was sufficiently proficient in shell
commands would figure out the "one line command" what would implement the
above in less than a day given access to a system and a two way ftp gateway.

So, what we have is a conflict between culture and technology, security,
including auditing, on unix systems conflicts with the the users desired
ease of use and the unix model of doing as much as possible with simple
tools that are activated by issuing commands that pipe the data from one
tool to another making adding security checks and auditing difficult, (but
not impossible - the news server security hole has been plugged assuming
everyone has patched their news server).

Since its difficult, and sometimes impossible, to force everyone to follow
strict security standards, simple blunt objects are used to close the most
inviting holes.

One simple solution would be to put a CI VMScluster on the firewall.  With one
node of the cluster outside the firewall and the rest inside the firewall,
the cluster would be rather easy to manage.  The intracluster communication
would be done over CI.  The data could be copied to a staging area on the
cluster which was accessible over the network from either side.  Alternately,
I suspect that it would be easy to create a web interface that allowed
FTSV jobs to be create that first transferred the file to the cluster and
then back off the cluster on the other side of the firewall.

And to further confound the hackers, the file transfers could be done on the
internet side using ISO OSI protocols and RFC1006.  One of the arguments as
I understand it for IPv6 is that the OSI protocols can't be implemented so
that means that such transfers would be limited to people using Digital
computers.  At a minimum, hackers would at least have to buy a computer that
is capable of running VMS or Digital UNIX.  ;-)

ExArc has often refused access to a certain types of internet data for security 
reasons.  

Eventually, somebody outside control of ExArc, sets up and maintains their own 
"rebel" internet gateways and proxys.  Recent examples include Secure HTTP proxy 
and RealAudio proxy.  How long before somebody sets up their own FTP PUT proxy or 
gateway?

Yet, people are screaming for blocking of spam mail, but ExArc does nothing.

IMHO, ExArc control over corporate internet security is only an illusion of 
management.


							-Paul

Have people screamed to ExArc, or just to this Notes conference?

Is ExArc's function security related, or network management related? What does 
corporate internet security have to do with spam?

PJDM

re Note 4647.28 by BIGUN::nessus.cao.dec.com::Mayne:

> Is ExArc's function security related, or network management related? What does 
> corporate internet security have to do with spam?
  
        If you get enough spam it's a denial-of-service attack.

        Bob