Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!newstop!eastapps!playroom!gaffa.East.Sun.COM!cliffs From: cliffs@gaffa.East.Sun.COM (Clifford C. Skolnick) Newsgroups: comp.unix.internals Subject: Re: Unix security additions Message-ID: <536@playroom.UUCP> Date: 18 Apr 91 18:12:41 GMT References: <1092@mwtech.UUCP> <19208@rpp386.cactus.org> <6783@awdprime.UUCP> <1991Apr18.042212.11738@Think.COM> Sender: news@playroom.UUCP Organization: Sun Microsystems, Inc. Rochester, NY Lines: 47 In article <1991Apr18.042212.11738@Think.COM> barmar@think.com (Barry Margolin) writes: >In article <6783@awdprime.UUCP> Tony Sanders writes: >>What if the backup/restore utilities on the "secure" system used an >>encryption scheme before writting to tape (like dump|crypt|dd of=/dev/mt, > >If the people you're trying to protect against are the operators, this >isn't much of a solution, since they have to know the password in order to >do the backups and restores. >-- >Barry Margolin, Thinking Machines Corp. > >barmar@think.com >{uunet,harvard}!think!barmar If you wrote your own crypt "like" program this would not be true. Basically you could have a "mycrypt" and "myuncrypt" function. You would just have to protect the "myuncrypt" program and you will be all set. Optionally you could put the encryption in the device driver so that only that driver could read the tapes again. This is a bit overboard unless you are really paranoid. Either of these schemes would also help the problem of keeping backups both off-site and secure. Even if the "ememy" gets the tapes, he will need to decrypt them first. I guess this is not such a bad idea. Hmm, psuedo tape device driver with encyption. Set the password via and ioctl(). Encrypt all data in or out. It would not even be that hard. Of course the real enemy is reading all packets of the ethernet and saving the good stuff. Some idiot left a set of OS tapes which he booted from and got root access to his workstation. He also knew enought to build himself a new kernel and add in NIT or whatever support he needed to create his own version of a sniffer. If it ain't one thing it's another. UNIX and security is a fine art, of which few people have a true understanding. Cliff -- Cliff Skolnick | "When routine life's hard, and inhibitions are low, and cliffs@sun.com | resentment lies hide, but emotions run through, and we're (716) 385-5049 | changing our ways, taking different roads. Love, love I think. I am. | will tear us apart, again." -- Joy Division