efficiency versus security

[Don Libes]

It would be nice if customer's could have the option of turning off
certain security options such as the VAX's zero-fill on brk.  No
one at our site is interested in perusing through used memory.  I
am wondering if there are other "features" we could turn off.
(e.g. protecting /dev/*mem)

Perhaps our site is unusual.  I don't know.  On approx.  50
machines (most running UNIX) we have no passwords except our
gateway (to the world) machine.  There are no root passwords.  We
have been running this way for 3 years and have yet to regret it.
(Actually once, someone accidentally ruined /bin/login but it
wasn't that hard to restore.)

I suspect we have the same ratio of wizards to naive users that
everyone else has.  We had a lot of discussions before doing this,
but we finally agreed to do it for a trial period (or until the
first rm *, whichever came first).  Everyone liked it a lot and now
no one wants to go back.

One of the surprising things is the number of programs that don't
work if you don't have a password.  ftp comes to mind.  I wish we
could delete all the password code and anything else that we really
don't use (we already deleted the Fortran compiler :-).  I'm not
confusing this with file protection or kernel vs user mode.  Don't
get me wrong - I'm not asking for an unreliable system.

I could give dozens of reasons why the no password environment
works, but I'm not trying to convince anyone else to switch so I
won't.  I'm only trying to get an answer to the question posed
above (with this explanation as to why I'm asking it) and maybe
some reactions.

Perhaps the only point against lack of security is that some of our
software is proprietary, and we are obliged to protect it.  We had
an incident before we stopped using passwords, where someone
walked out with a whole set of backup tapes (we tend to leave the
machine room door propped open because our AC is flakey).  This
person didn't even have to login to steal the house!  

If I was charged with enforcing system security I would go nuts,
with the current trend in desktop systems and Joe-beginner being
his own root.  In any case, I think I have managed to drive home
the point locally that users shouldn't depend on the computer for
security, only processing power.

Now we are connecting the whole campus on a (logical) ethernet
and some of the other groups are warning us that they don't trust
their users as much as we respect ours.  I think they're going to
be in for a rude shock when they realize their password can be read
by anyone listening promiscuously.  I can't wait.

Don Libes       {seismo,umcp-cs}!nbs-amrf!libes
Password?  Never had it.  Never will.