Path: utzoo!attcan!uunet!tut.cis.ohio-state.edu!cs.utexas.edu!sdd.hp.com!uakari.primate.wisc.edu!samsung!umich!terminator!dabo.ifs.umich.edu!rees
From: rees@dabo.ifs.umich.edu (Jim Rees)
Newsgroups: comp.sys.apollo
Subject: Re: security problems
Message-ID: <1990Jul5.162324.171@terminator.cc.umich.edu>
Date: 5 Jul 90 16:23:24 GMT
References: <9006281344.AA00445@cc2.cc.umr.edu> <2032@cernvax.UUCP> <1646@tuvie>
Sender: usenet@terminator.cc.umich.edu (usenet news)
Reply-To: rees@citi.umich.edu (Jim Rees)
Organization: University of Michigan IFS Project
Lines: 48

In article <1646@tuvie>, mike@tuvie (Inst.f.Techn.Informatik) writes:

> Also, if HP/Apollo think they can handle Apollo security problem by
> saying Apollos were never intended to be secure, then we should try to
> force them to enhance security by posting *ALL* problems to the net

Warning: Crufty personal opinion ahead.

I think there has been a lot of confusion (even within Apollo) about the Apollo model of security. I think the basic question you need to ask is, "where is the boundary between the trusted side of the system and the untrusted side?"

The traditional boundary has always been between the user and the computer. Computers trust each other but not their users. Berkeley and Sun still adhere to this model. I claim that this model is no longer valid, because computers are now under the control of untrusted users.

A perfect example of this wrong-headed thinking is so-called "trusted ports" in TCP. Trusted by whom? Any user with half a brain can make a TCP connection appear to come from any port they want, and can make a connection to any port they want. At Apollo we resisted for years implementing trusted ports, because we knew it was a complete sham, and that anyone who depended on trusted ports was just asking for trouble.

In today's world, you have to put the boundary not between the user and his computer, but between computers. This is the exact opposite of the Berkeley/Sun model.
Computers must trust their users, because the user can always hit the reset button or write his own kernel. These are extreme examples, but the point is that the computer is no longer in a locked room, it's on someone's desk, and anyone who has physical access to a computer can (in theory) do whatever they like with it.

Computers can no longer trust each other, because each one is under the control of a (potentially hostile) user. This means that you can't trust anything that comes down the ethernet. If you carry this argument to its logical conclusion, you need to implement some kind of authentication/encryption scheme, like Kerberos (which has its own flaws but at least is trying to solve the right problem).

IBM systems don't trust anyone. Sun systems trust each other and pretend they don't trust their users. In fact, they do trust their users, because when you trust a workstation, you are trusting its user. Apollo systems trust each other and didn't use to pretend that they don't trust their users (got that?). Now that customers have bullied the company into providing various abominations like the Berkeley 'r' commands, they pretend to trust their users too.

JLRU.