Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!elroy.jpl.nasa.gov!decwrl!pa.dec.com!decuac!hussar.dco.dec.com!mjr
From: mjr@hussar.dco.dec.com (Marcus J. Ranum)
Newsgroups: comp.unix.internals
Subject: Re: Unix security additions
Message-ID: <1991Mar19.145012.10940@decuac.dec.com>
Date: 19 Mar 91 14:50:12 GMT
References: <9128@sail.LABS.TEK.COM> <15996.27e4cf9a@levels.sait.edu.au> <19114@rpp386.cactus.org>
Organization: Digital Equipment Corp., Washington Ultrix Resource Center
Lines: 50

jfh@rpp386.cactus.org (John F Haugh II) writes:
>>Presumably one cannot TYPE in a non-secure window either? Can't have that
>>"sensitive" guv`mint data typed by hand, either, can we?

Well, the idea here is that if I open up a TS document in one
window, and a UC document in another, and just manually transcribe the
one to the other, I've broken the law in a manner that is outside of
the scope of the software. (I mean, I could just use my photographic
memory, and go sing the data at a local bar, too) - however, the system
will help the security officers prosecute me, when they point out that
I had both TS and UC documents open at once, and the logs show that the
one I spilled to the [favorite "enemy" here] was one of them.

>At some point in time you ultimately have to trust the people who you
>have given access to this data to. This is why it is permissible to
>type from a higher level window to a lower level window - simply because
>desk blotters and note pads lack MAC labels. As for why you can't have
>cut and paste between windows, hell, seems like a completely arbitrary
>restriction to me - provided the invoker has the authority to downgrade
>information, that is.

The idea of "downgrade" is that when you downgrade information,
the fact gets logged someplace, and remembered. Thus, downgrading a
document is entirely different from cutting a hunk of TS data from one
window and pasting it into an unclassified window.

I believe that my employer's CMW product actually allows cut &
paste, but upgrades the sensitivity of the pasted-into document to that
of the cut-from, if the cut-from is higher. As someone explained it to
me, the goal is somewhat to limit the effective *bandwidth* at which
you can steal stuff. If I could somehow do a software-to-software
"theft" of sensitive information, my chances of being able to grab a
LOT are higher than if I diligently copy to postit notes which I sneak
out of the building secreted in my anus. (I have not ever tried this,
mind you).

The part I really love about all this (haven't experienced it
directly) is that with MAC stuff in your system, there's a degree of
"creeping classification" - which is to say that over time the system
will become more and more "secret" as data is touched, and eventually
it will tend towards being entirely at whatever the highest security
level was.

It's all spook stuff, and it's government spook stuff at that,
so don't expect it to make any sense, and then you'll understand.

mjr.
-- 
The world is just backing store for virtual reality games.
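
The label-floating paste, the logged downgrade and the "creeping classification" effect discussed in this article, as an added Python model that is not part of the original post and not code from any CMW product. The level ordering UC < C < S < TS (the post names only UC and TS), all class and method names, and the audit record written on paste are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed linear ordering of sensitivity levels; the post names only UC and TS.
LEVELS = ["UC", "C", "S", "TS"]
RANK = {name: i for i, name in enumerate(LEVELS)}

@dataclass
class Document:
    name: str
    label: str
    text: str = ""

@dataclass
class Workstation:
    audit: list = field(default_factory=list)  # append-only audit trail (assumed)

    def paste(self, user, src, dst, snippet):
        """Paste from src into dst; dst floats up to src's label if src is higher."""
        old = dst.label
        if RANK[src.label] > RANK[dst.label]:
            dst.label = src.label          # high-water mark: labels never drop here
        dst.text += snippet
        self.audit.append(("paste", user, src.name, dst.name, old, dst.label))
        return dst.label

    def downgrade(self, user, doc, new_label, authorized):
        """Explicit relabel to a lower level: needs authority, and is always logged."""
        if RANK[new_label] >= RANK[doc.label]:
            raise ValueError("not a downgrade")
        outcome = "granted" if authorized else "denied"
        self.audit.append(("downgrade", user, doc.name, doc.label, new_label, outcome))
        if not authorized:
            raise PermissionError(f"{user} may not downgrade {doc.name}")
        doc.label = new_label
        return doc.label

def demo():
    """Constructed session: each document is pasted into the next, twice around."""
    ws = Workstation()
    docs = [Document("memo", "UC"), Document("plan", "C"), Document("intel", "TS")]
    for _ in range(2):
        for i, src in enumerate(docs):
            ws.paste("alice", src, docs[(i + 1) % len(docs)], src.name)
    return ws, docs   # every label has crept up to TS

if __name__ == "__main__":
    ws, docs = demo()
    print([(d.name, d.label) for d in docs], len(ws.audit), "audit records")
```

Only `downgrade` can lower a label, and it leaves a record whether it is granted or denied, which is the distinction the post draws between downgrading a document and pasting TS data into an unclassified window.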