Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!cs.utexas.edu!chinacat!sequoia!rpp386!jfh
From: jfh@rpp386.cactus.org (John F Haugh II)
Newsgroups: comp.unix.internals
Subject: Re: Unix security additions
Message-ID: <19117@rpp386.cactus.org>
Date: 21 Mar 91 13:38:17 GMT
References: <9128@sail.LABS.TEK.COM> <15996.27e4cf9a@levels.sait.edu.au> <19114@rpp386.cactus.org> <1991Mar19.145012.10940@decuac.dec.com>
Reply-To: jfh@rpp386.cactus.org (John F Haugh II)
Organization: Lone Star Cafe and BBS Service
Lines: 56
X-Clever-Slogan: Recycle or Die.

In article <1991Mar19.145012.10940@decuac.dec.com> mjr@hussar.dco.dec.com (Marcus J. Ranum) writes:
>	The idea of "downgrade" is that when you downgrade information,
>the fact gets logged someplace, and remembered. Thus, downgrading a
>document is entirely different from cutting a hunk of TS data from
>one window and pasting it into an unclassified window. I believe that
>my employer's CMW product actually allows cut & paste, but upgrades the
>sensitivity of the pasted-into document to that of the cut-from, if
>the cut-from is higher.

I've not seen any restriction against downgrading a part of the document versus the entire document. For example, why can't I select some option which says "downgrade this paste buffer"? My motivation for this is wanting to reduce the degree to which MAC labels float up every time a file or window is touched. You point to this in your later comments - allowing cut and paste with some mechanism for not floating up would avoid the "creeping classification" problem.

>	As someone explained it to me, the goal is somewhat to limit the
>effective *bandwidth* at which you can steal stuff. If I could somehow
>do a software-to-software "theft" of sensitive information, my chances
>of being able to grab a LOT are higher than if I diligently copy to
>postit notes which I sneak out of the building secreted in my anus. (I
>have not ever tried this, mind you).
Agreed - but the hypothesis is that you already have been granted the appropriate authority to "downgrade" some collection of data, so bandwidth isn't an issue. This is simply "usability", which is something I feel the spook community is opposed to. Obviously the cut/paste needs to be audited. But, given that I can type 30 or 40 wpm and given that desk blotters and computer printouts don't enforce sensitivity labels (to say nothing of postit notes secreted in your anus ;-), why is cut and paste between different MAC level windows completely forbidden? Covert channels are permitted at the .1 bit/second level or so - I can type about 30 bits per second, so 8,640 bits via a covert channel per day is "a lot", but 10 minutes of manual typing comes out to 14,000 bits or so - and the latter is unauditable!?

>	The part I really love about all this (haven't experienced it
>directly) is that with MAC stuff in your system, there's a degree of
>"creeping classification" - which is to say that over time the system
>will become more and more "secret" as data is touched, and eventually
>it will tend towards being entirely at whatever the highest security
>level was.

Yes, and this is a very serious problem. Overclassification of data is a serious expense. You either have to pay to downgrade or declassify, or pay to dispose of the data.
-- 
John F. Haugh II        | Distribution to       | UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 832-8832 | GEnie PROHIBITED :-)  | Domain: jfh@rpp386.cactus.org
"I've never written a device driver, but I have written a device driver manual"
                -- Robert Hartman, IDE Corp.
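The two mechanisms argued over in this thread, the float-up rule for pasting between windows of different MAC levels (which Ranum describes) and an audited "downgrade this paste buffer" option (which Haugh asks for), in a small simulation. This is an added example, not code from either poster or from any CMW product; the four-level linear lattice, the `Principal` class with its per-level downgrade authority, and the document and buffer names are all assumptions made for the illustration. The `creep` function runs the same sequence of pastes with and without the downgrade option, so the label history shows the "creeping classification" effect directly.

```python
from dataclasses import dataclass, field

# Assumed linear sensitivity lattice (constructed for this example).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def dominates(a, b):
    """True if label a is at least as sensitive as label b."""
    return RANK[a] >= RANK[b]


def lub(a, b):
    """Least upper bound of two labels: the level a pasted-into document floats to."""
    return a if dominates(a, b) else b


@dataclass
class Document:
    name: str
    label: str
    text: str = ""


@dataclass
class PasteBuffer:
    text: str
    label: str  # carries the label of the window the text was cut from


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, event, **fields):
        self.entries.append({"event": event, **fields})


class Principal:
    """Hypothetical user; downgrade_authority is the set of levels they may downgrade to."""

    def __init__(self, name, downgrade_authority=None):
        self.name = name
        self.downgrade_authority = set(downgrade_authority or ())


def cut(doc, snippet):
    """Cutting keeps the source window's label on the buffer."""
    assert snippet in doc.text
    return PasteBuffer(snippet, doc.label)


def paste(buf, target, audit):
    """Float-up rule: the pasted-into document rises to the buffer's label if that is higher."""
    old = target.label
    target.label = lub(buf.label, target.label)
    target.text += buf.text
    audit.record("paste", target=target.name, from_label=buf.label,
                 old_label=old, new_label=target.label)
    return target


def downgrade_buffer(buf, new_label, who, audit):
    """Explicit, audited downgrade of a paste buffer by an authorised principal.

    The audit record notes who did it, the labels involved and how much data
    moved, so the 'bandwidth' of downgrades is reviewable after the fact.
    """
    if not dominates(buf.label, new_label):
        raise ValueError("downgrade must lower the label, not raise it")
    if new_label not in who.downgrade_authority:
        raise PermissionError("%s may not downgrade to %s" % (who.name, new_label))
    audit.record("downgrade", who=who.name, old_label=buf.label,
                 new_label=new_label, bytes=len(buf.text))
    return PasteBuffer(buf.text, new_label)


def creep(n_pastes, downgrade_to, who, audit):
    """Paste n snippets from a TOP SECRET window into an UNCLASSIFIED notes file.

    With downgrade_to=None the float-up rule alone applies; otherwise each buffer
    is downgraded to that level first. Returns the notes file's label after each step.
    """
    src = Document("ts-window", "TOP SECRET", "x" * n_pastes)
    notes = Document("notes", "UNCLASSIFIED")
    history = [notes.label]
    for _ in range(n_pastes):
        buf = cut(src, "x")
        if downgrade_to is not None:
            buf = downgrade_buffer(buf, downgrade_to, who, audit)
        paste(buf, notes, audit)
        history.append(notes.label)
    return history


if __name__ == "__main__":
    log = AuditLog()
    alice = Principal("alice", downgrade_authority={"UNCLASSIFIED"})
    print("float-up only:  ", creep(3, None, alice, log))
    print("with downgrade: ", creep(3, "UNCLASSIFIED", alice, log))
    for entry in log.entries:
        print(entry)
```

The first run shows the notes file jumping to TOP SECRET on the very first paste and staying there, which is the "creeping classification" both posters describe; the second run keeps it UNCLASSIFIED, but every paste is preceded by a downgrade record naming the principal and the byte count, which is the audit trail Ranum says distinguishes a downgrade from an unlogged paste.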