Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!stanford.edu!ATHENA.MIT.EDU!tytso
From: tytso@ATHENA.MIT.EDU (Theodore Ts'o)
Newsgroups: comp.protocols.kerberos
Subject: Re: Integrity of MIT source
Message-ID: <9103081552.AA29115@tsx-11.MIT.EDU>
Date: 8 Mar 91 15:52:40 GMT
References: <9103072250.AA26791@snow-white.lanl.gov>
Sender: news@shelby.stanford.edu (USENET News System)
Reply-To: tytso@ATHENA.MIT.EDU
Organization: Internet-USENET Gateway at Stanford University
Lines: 38

   From: jrc@snow-white.Lanl.GOV (James R. Clifford)

   What measures have been taken to protect MIT's Kerberos software
   source?

   We are investigating using Kerberos for our network authentication
   system. For some clients and servers, building the code from the
   MIT source is the only available/timely alternative. On the other
   hand, there are those who contend basing a large part of the campus
   security on software obtained from an electronic bulletin board is
   crazy. "Bulletin boards are where you go to pick up viruses, Trojan
   horses, and other nasty social diseases", they say.

I tend to make a distinction between "electronic bulletin boards" and
FTP sites. You can obtain Kerberos by ftp'ing to ATHENA-DIST.MIT.EDU
(IP address 18.71.0.38). Only certain Project Athena staff members have
access to that machine; only authorized software releases go there. In
contrast, I tend to think of "electronic bulletin boards" as privately
run systems which you access by modem; where the average age of users is
under 21; and where random people deposit software which is picked up by
other users who use that software at their own risk.

I do, however, find it touching that you are only concerned that "what
you ftp" is unchanged from "what the authors released". Allow me to ask
this question: Why are you so convinced that software will be free of
"back doors" and "wizard passwords" just because it came from MIT
Project Athena? After all, other software packages have come released
from equally prestigious institutions with "wizard passwords".

We encourage people to at least look over the source code of what they
FTP over; and if they want to, they're perfectly welcome to perform a
security audit over the code. In this respect, vendor releases of
Kerberos are likely to be worse, since you don't get the source code,
and so you have to take the vendor's word that there are no back doors.
I, personally, would rather take a look at the source code myself, and
assure myself that a piece of security-related code is free of holes,
accidental or otherwise.

						- Ted