Arpanet's first access control

In September 2003, University College London (UCL) had had their Arpanet terminal interface processor (TIP) for only six weeks. There was a major networks meeting in Brighton, which was the first public demonstration of international usage.

Immediately after the meeting, I had an Arpanet project meeting at UCL and then invited all the attendees to my house for dinner. There were at least a dozen attendees, including most of the developers of the TIP software from BBN. Of course, all of them were suffering withdrawal symptoms because they had not been onto the net for a whole week, so they lined up to get on my home system. Although they could dial in easily, they could not get any further because the TIP requested a password. The BBN developers were particularly astounded; their software did not at the time have any access control, so they could not understand this request.

At UCL, we were very concerned about security. I had a DEC PDP-9 host and had found a security hole in their software. For a fraction of a second, after users connected in but before they had time to do anything else, it was possible to seize the session and force it to go through our host. We had used this to request that the user put in a password, before we released the connection and let the normal software continue. I believe that this was the first network-level access control on the Arpanet!