Project Athena ( was Re: Non Destructive Version of rm)

Jonathan I. Kamens jik at athena.mit.edu
Fri May 10 06:13:46 AEST 1991 

  (I am omitting responses to points which have already been dealt with in
previous postings.)

In article <12112 at mentor.cc.purdue.edu>, asg at sage.cc.purdue.edu (The Grand Master) writes:
|> I understand this. But if you only trust computers that won't be broken into,
|> then you are safer. What would happen if someone broke into one of your 
|> servers. Could they not delete all the files on all the filesystems for which
|> that machine is the server?

  What would happen if someone broke into one of your Symmetries?  Could they
not delete all of the files on all the filesystems for which that machine is
the server?

  Project Athena's service machines (e.g. file servers, authentication
servers, mail servers, etc.) are secured just as your machines are.

|> }  Security that depends on the good graces of every admin on your network is
|> }no security at all.  Furthermore, it DOES NOT SCALE.  The more machines you
|> }have on a network, the more people you need to run them, and the more people
|> }there are running them, the more possibility there is that someone will start
|> }playing around with root access.  Kerberos avoids this problem.
|> 
|> There still must be SOME people that have a top level of access. What is
|> to stop them from doing whatever they want?

  There are less than five people at Project Athena with access to the
authentication server.  That number can stay constant no matter how many
machines are added to our network.  The number of admins of individual systems
may grow as systems are added, but that does not decrease our security since
we do not trust those individual systems.

  On the other hand, the setup you are advocating trusts systems that are
added.  That means that every admin is trusted.  How many people have root
access to any of your machines, Bruce?

  There must always be some level of trust, because you've got to have someone
running things.  The point is to minimize the amount of trust required.  As I
said, trusting every admin does not scale, while trusting a very small,
constant number of people no matter what the size of the network does.

|>   But Jon conveniently failed to respond to my major gripe with
|> distributed computing. Resources go unused more often. 

  The paper I referenced in my last point addresses this "major gripe," which
is why I referenced it.  Did you bother to read it?  It's only a few pages
long.

|> If I am doing something CPU intensive on a workstation, I gain no
|> added benifit from the fact that only 1/10 of the workstations 
|> are in use. I also will see a significant reduction in the speed of
|> my window operations, since the same CPU is handling them and the
|> intensive task.

  If you are doing something so CPU intensive that your workstation slows
down, then either (a) get a better workstation, or (b) use a compute server
such as a Cray or DEC 9000.  As I pointed out in a previous posting, Project
Athena users *do* have access to those resources if they need them, which
means that we have the best of both worlds.

-- 
Jonathan Kamens			              USnail:
MIT Project Athena				11 Ashford Terrace
jik at Athena.MIT.EDU				Allston, MA  02134
Office: 617-253-8085			      Home: 617-782-0710

More information about the Comp.unix.admin mailing list