Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!yale!cmcl2!kramden.acf.nyu.edu!brnstnd
From: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)
Newsgroups: comp.unix.large
Subject: Re: security for large sites
Message-ID: <15609:Sep2620:06:3790@kramden.acf.nyu.edu>
Date: 26 Sep 90 20:06:37 GMT
References: <8611@fy.sei.cmu.edu> <1990Sep26.180538.9484@crl.dec.com>
Organization: IR
Lines: 21

In article <1990Sep26.180538.9484@crl.dec.com> wojcik@crl.dec.com writes:
> I think that
> in the same way you cannot test for the absence of bugs, (only the presence)
> you cannot test for a secure system.

That isn't always true. I can, for example, inspect a directory tree,
observe that the directory tree has no setuid files, and be sure that a
chroot()ed process with one uid will not be able to affect files with a
different uid unless kernel security is flawed.

> Security isn't something you add on, it has to be designed into the
> organizational and computational systems we use.

Not necessarily. The system with the simplest security rules has the
best chance of obeying those rules to the letter, and is easiest to test
for a particular security policy.

I don't disagree with the point you're making, but some of your
arguments are a little weak.

---Dan
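The directory-tree inspection Dan describes, as an added example that is not part of the original post: a small Python audit that walks a tree (for instance the root of a chroot jail), reports every regular file carrying the setuid or setgid bit, and can clear those bits. The sample tree it builds in a temporary directory is constructed for illustration; the file names and modes in it are made up.

```python
import os
import stat
import tempfile

# The check behind the post's argument: a chroot tree with no setuid/setgid
# files gives a process no file-based path to another uid, so the audit is a
# decidable test of that one property (kernel flaws are, as the post says,
# outside its scope).  os.lstat is used so symlinks are inspected as
# themselves and never followed out of the tree.

def find_privileged(root):
    """Return sorted (relative_path, permission_bits, flags) for every regular
    file under root whose mode carries S_ISUID and/or S_ISGID."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, device nodes: not executable images
            flags = []
            if st.st_mode & stat.S_ISUID:
                flags.append("setuid")
            if st.st_mode & stat.S_ISGID:
                flags.append("setgid")
            if flags:
                hits.append((os.path.relpath(path, root),
                             stat.S_IMODE(st.st_mode),   # keeps the 04000/02000 bits
                             "+".join(flags)))
    return sorted(hits)


def strip_privileged_bits(root):
    """Remediation: clear setuid/setgid on every hit; returns the number fixed."""
    fixed = 0
    for rel, mode, _flags in find_privileged(root):
        os.chmod(os.path.join(root, rel), mode & ~(stat.S_ISUID | stat.S_ISGID))
        fixed += 1
    return fixed


def build_demo_tree():
    """Constructed sample tree (hypothetical names, not from the post): two
    ordinary files and one setuid binary.  Returns the temp root path."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "etc"))
    for rel, mode in (("bin/sh", 0o755), ("etc/passwd", 0o644), ("bin/helper", 0o4755)):
        path = os.path.join(root, rel)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for rel, mode, flags in find_privileged(root):
        print(f"{rel}: {mode:04o} ({flags})")
    print(f"cleared {strip_privileged_bits(root)} file(s); remaining: {find_privileged(root)}")
```

To audit a real jail, call `find_privileged("/path/to/chroot")` as a user that can read the whole tree; an empty result is the condition the post relies on. Mounting the jail `nosuid` makes the same guarantee at the kernel level regardless of the file bits, but the file-level check is the one you can re-run after every change to the tree.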