Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!cs.utexas.edu!longway!std-unix
From: pkr@sgi.com (Phil Ronzone)
Newsgroups: comp.std.unix
Subject: Re: Standards Update, IEEE 1003.6: Security
Message-ID: <802@longway.TIC.COM>
Date: 9 Jul 90 06:22:37 GMT
References: <780@longway.TIC.COM> <786@longway.TIC.COM> <790@longway.TIC.COM>
Sender: std-unix@longway.TIC.COM
Reply-To: std-unix@uunet.uu.net
Organization: Silicon Graphics, Inc., Mountain View, CA
Lines: 48
Approved: jsq@longway.tic.com (Moderator, John S. Quarterman)

From: pkr@sgi.com (Phil Ronzone)

In article <790@longway.TIC.COM> sms@WLV.IMSD.CONTEL.COM (Steven M. Schultz) writes:
> short of soldiers with M16s at a computer facility door i do not
> believe that software is any substitute for physical security.
> it's just one more password that has to be spread around (in
> case the SSO or whoever) goes on vacation, etc...

Argument of two different fruits here.

As an example, we purchased an AT&T 630 (386 PC type machine) to run
AT&T SV/MLS (B1 UNIX). We had AT&T put the software on, and they set,
as is required, the passwords. But they forgot to tell us what the
passwords were.

Although we had physical possession of the machine, in a company that
also makes computers, it would have taken us a while to "boot" the
system (i.e., insecurely). And we would have been able to do that ONLY
because of the fact that the machine used standard disks with
"standard" UNIX filesystems and so on.

Whereas the same hardware with normal UNIX would have been very
vulnerable.

A safe protects your money, but if a huge helicopter steals the safe
and you have weeks to work on it, you can open it.

>>I disagree again -- I think the recent Internet worm is an example of why.
>
> now it's my turn to disagree. sheesh, why does the worm have to
> be brought up every time security is discussed? it was a BUG that
> was exploited, and i for one do not think that adding security
> will do away with BUGs in software. on the contrary, as the

Eh? That's the WHOLE point of Orange book security and the TCB concept.
Those programs would have never made it into the TCB and been able to
propagate like they did.

Although it is not the best example. The answer was more to WHY would
someone want security. Answer is, to control what you have your system
do.

--
<---------------------------------------------------------------------------->
Philip K. Ronzone                S e c u r e U N I X         pkr@sgi.com
Silicon Graphics, Inc. MS 9U-500                       work (415) 335-1511
2011 N. Shoreline Blvd., Mountain View, CA 94039        fax (415) 965-2658

Volume-Number: Volume 20, Number 116