Standards Update, IEEE 1003.6: Security

Phil Ronzone pkr at sgi.com
Mon Jul 9 16:22:37 AEST 1990


From:  pkr at sgi.com (Phil Ronzone)

In article <790 at longway.TIC.COM> sms at WLV.IMSD.CONTEL.COM (Steven M. Schultz) writes:
>	short of soldiers with M16s at a computer facility door i do not
>	believe that software is any substitute for physical security.
>	it's just one more password that has to be spread around (in
>	case the SSO or whoever) goes on vacation, etc...

Argument of two different fruits here.

As an example, we purchased an AT&T 630 (386 PC type machine) to run
AT&T SV/MLS (B1 UNIX). We had AT&T put the software on, and they set,
as is required, the passwords.

But they forgot to tell us what the passwords were. Although we had
physical possession of the machine, in a company that also makes computers,
it would have taken us a while to "boot" the system (i.e., insecurely).

And we would have been able to do that ONLY because of the fact that the
machine used standard disks with "standard" UNIX filesystems and so on.

Whereas the same hardware with normal UNIX would have been very vulnerable.

A safe protects your money, but if a huge helicopter steals the safe
and you have weeks to work on it, you can open it.



>>I disagree again -- I think the recent Internet worm is an example of why.
>
>	now it's my turn to disagree.  sheesh, why does the worm have to
>	be brought up every time security is discussed?  it was a BUG that
>	was exploited, and i for one do not think that adding security
>	will do away with BUGs in software.  on the contrary, as the

Eh? That's the WHOLE point of Orange book security and the TCB concept.
Those programs would have never made it into the TCB and been able to
propagate like they did. Although it is not the best example.

The answer was more to WHY would someone want security. Answer is, to
control what you have your system do.
--
<---------------------------------------------------------------------------->
Philip K. Ronzone                  S e c u r e   U N I X           pkr at sgi.com
Silicon Graphics, Inc. MS 9U-500                           work (415) 335-1511
2011 N. Shoreline Blvd., Mountain View, CA 94039            fax (415) 965-2658

Volume-Number: Volume 20, Number 116


