What kinds of things would you want in the GNU OS?

Don Alvarez boomer at athena.mit.edu
Fri May 26 01:28:54 AEST 1989


A few observations on security...

(1) Every OS implementation has (or will have) bugs, and some of them
    are going to be security related bugs (note I said _implementation_,
    as distinct from _theory_).

(2) The Internet Virus was able to propagate effectively because
    almost everybody used one of two different systems with a number
    of standard bugs.

(3) It generally takes human hackers a few tries to break into your
    system, and (imho) the best defense against them is good logging
    of strange behavior.  (you have to assume that someone will
    eventually crack your security, but they will probably have left
    traces of themselves by the time they do).

(4) If you have good backups and a logfile entry showing when your
    security was breached, the amount of damage an intruder can do to
    your files is severely limited (release of classified/confidential
    data notwithstanding).


...and a few conclusions based on those observations...

(1+2) GNU's main security advantage will probably be that there is no
      'standard' security system.  People will (hopefully) hack and
      code to their heart's content, logging or checking whatever
      random things they think are significant on their system.  The
      more hacked the systems become, the less likely it is that
      everyone's fingerd will have the same bug, and without those
      'standard' bugs, network viruses will have a much harder time
      propagating.  

(3+4) Assuming you have some threshold amount of security, improving
      your logging capabilities is probably more effective than
      improving your defenses.  No matter how good your security, if
      a wizard really wants to get in, he will.  If you keep (and
      read!) good logs, and if you back up every day (don't just
      talk about it!), then the evil wizard can't trash more than
      one day's work. 


Q: What single thing would I recommend?

A REALLY REALLY REALLY easy way to tell my system to prompt me for a
tape every morning, dump all changes since the previous morning,
_and_eject_the_tape (don't leave your backups where the system can get
at them).  Once a week/month/ten days/etc the system would prompt me
for several tapes and automatically do a full backup.  This has the
advantage that it protects you from well-meaning good guys ("rm *.c?
aaarghh!") as much as it protects you from ill-meaning bad guys. If
your password is like your toothbrush (use it everyday, change it
regularly, and don't share it with friends), then doing backups is like
flossing (everybody talks about it, nobody does it).


Closing musings:

On the subject of security, you were probably more interested in
questions like "what encryption algorithm should we use" (or even the
more radical "should we continue to have world-readable password
files"), "should we allow rsh-style remote procedure calls", "should
we include kerberos hooks", etc.  I'd say go ahead and leave
/etc/passwd the way it is, but try to come up with a simple password-
checker to make sure people don't use password=account-name couplets.
rsh is tougher, because it's so common as to be almost mandatory.  And
yes, I think kerberos is a darn good way to handle inter-host
communications.  


-Don Alvarez


--
+ -------------------------------------------------------------------------- +
|  Don Alvarez           M.I.T. Center For Space Research    (617) 253-7457  |
|  boomer at SPACE.MIT.EDU  Moving Soon: Princeton University Gravity Lab 8/89  |
+ -------------------------------------------------------------------------- +
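The "dump all changes since the previous morning, then eject the tape" routine
the post asks for, sketched as a shell script. This is an added example, not
code from the original post: it uses POSIX find(1) to pick files newer than a
marker file whose mtime records the last run, and tar's -T list option (GNU tar
and bsdtar). ARCHIVE may be a plain file or a tape device; EJECT_CMD is assumed
to be whatever takes your drive offline (for example "mt -f /dev/nst0 offline",
a hypothetical setting) and defaults to a no-op so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not from the original post. Daily incremental dump with a
# marker file recording the last backup time, plus an eject step afterwards.
# EJECT_CMD is an assumed hook: set it to your drive's eject/offline command
# (e.g. "mt -f /dev/nst0 offline"); the default ":" does nothing.
EJECT_CMD=${EJECT_CMD:-:}

# full_backup SRC ARCHIVE
#   Archive every regular file under SRC into ARCHIVE.
full_backup() {
    src=$1; archive=$2
    list=$(mktemp) || return 1
    find "$src" -type f > "$list"
    tar -cf "$archive" -T "$list"
    rc=$?
    rm -f "$list"
    return $rc
}

# incremental_backup SRC MARKER ARCHIVE
#   Archive files under SRC modified after MARKER's mtime, then move MARKER
#   forward so tomorrow's run starts where today's left off. A first run
#   (no marker yet) takes a full backup. Prints the number of files dumped.
incremental_backup() {
    src=$1; marker=$2; archive=$3
    # Take the new timestamp *before* scanning: anything modified while the
    # dump is running is then picked up by the next run rather than lost.
    stamp=$(mktemp) || return 1
    if [ ! -e "$marker" ]; then
        full_backup "$src" "$archive" || { rm -f "$stamp"; return 1; }
        count=$(( $(tar -tf "$archive" | wc -l) ))
    else
        list=$(mktemp) || { rm -f "$stamp"; return 1; }
        find "$src" -type f -newer "$marker" > "$list"
        count=$(( $(wc -l < "$list") ))
        if [ "$count" -gt 0 ]; then
            tar -cf "$archive" -T "$list" || { rm -f "$list" "$stamp"; return 1; }
        fi
        rm -f "$list"
    fi
    mv "$stamp" "$marker"
    # Don't leave the backup where the system (or an intruder on it) can
    # reach it: take the medium offline once the dump has succeeded.
    $EJECT_CMD || echo "warning: eject command failed" >&2
    echo "$count"
}
```

Run it from cron each morning, e.g. incremental_backup /home /var/backup/last-dump /dev/nst0,
and a weekly full_backup to a second set of tapes; because the marker is only
advanced after tar succeeds, a failed dump is simply retried next time.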

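The "simple password-checker" from the closing musings, as an added example
rather than anything from the post: a function run at password-change time on
the plaintext candidate (checking the stored crypt(3) hash afterwards would need
a guessing pass, which is the wrong place to catch this). It rejects the
password=account-name couplet the post names and, going slightly beyond it, the
trivial variants of the same idea: case changes, the login name reversed, and
the login name with one or two digits tacked on. Function and variable names
are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Reject a candidate password that
# is the login name or a trivial variant of it. Returns 0 when acceptable,
# 1 when rejected, and prints the reason either way.

# lower STRING: fold to lower case so "Boomer" is treated like "boomer".
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# reverse_string STRING: reversed copy, using awk since rev(1) is not POSIX.
reverse_string() {
    printf '%s' "$1" | awk '{ s = ""; for (i = length($0); i > 0; i--) s = s substr($0, i, 1); print s }'
}

# check_password LOGIN CANDIDATE
check_password() {
    login=$(lower "$1")
    cand=$(lower "$2")
    if [ -z "$cand" ]; then
        echo "empty password"; return 1
    fi
    # Quoted variables inside case patterns match literally, so a login name
    # containing glob characters cannot widen the match.
    case "$cand" in
        "$login")                          echo "password equals login name"; return 1 ;;
        "$(reverse_string "$login")")      echo "login name reversed"; return 1 ;;
        "$login"[0-9] | "$login"[0-9][0-9]) echo "login name plus digits"; return 1 ;;
    esac
    echo "ok"
    return 0
}
```

Hook it into whatever sets passwords on your system and refuse the change when
it returns non-zero; the same three rules are a sensible floor for any site
that keeps world-readable password files, since those are exactly the guesses
tried first against them.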


More information about the Comp.unix.wizards mailing list