Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!rphroy!caen!hellgate.utah.edu!dog.ee.lbl.gov!elf.ee.lbl.gov!torek
From: torek@elf.ee.lbl.gov (Chris Torek)
Newsgroups: comp.unix.admin
Subject: Re: Project Athena ( was Re: Non Destructive Version of rm)
Message-ID: <13043@dog.ee.lbl.gov>
Date: 10 May 91 12:24:57 GMT
References: <12049@mentor.cc.purdue.edu> <1991May8.174603.26309@athena.mit.edu> <12067@mentor.cc.purdue.edu> <1991May9.001907.13024@athena.mit.edu> <12112@mentor.cc.purdue.edu>
Reply-To: torek@elf.ee.lbl.gov (Chris Torek)
Distribution: na
Organization: Lawrence Berkeley Laboratory, Berkeley
Lines: 49
X-Local-Date: Fri, 10 May 91 05:24:57 PDT

In article <12112@mentor.cc.purdue.edu> asg@sage.cc.purdue.edu (The Grand Master) writes:
>Just answer one quick question. I assume that each workstation has a
>disk of its own mounted on / right? If so, can I not log into one of
>your workstations and rm -rf /, thus making it useless? Can I not do
>this for EACH AND EVERY WORKSTATION YOU HAVE?

I have no idea whether these workstations are `diskless' and use a
remote disk or have a local disk, but the principle is the same. The
answer is `yes'. You can also, of course, walk in with a sledgehammer
and bust each and every workstation into a million pieces. Either one
will get you some kind of disciplining, if you are caught. Both actions
are semantically (if not monetarily) equivalent: in both cases you cost
the support staff some time/money to fix/replace the equipment, and
nothing else.

As to networks and trust:

>You have another choice. To trust only those computers to which the
>user does not have physical access.

The basic problem here is that the network itself is physically
accessible as well, and such access can be nearly untraceable. Your
average Ethernet or fiber optic cable can be `wiretapped' without too
much difficulty and with little chance of detection. If this is done,
sessions can be recorded and/or played back, and the `tapping' machine
can stand in the stead of another, previously existing machine.

The Athena security system provides a variable amount of defense
against this sort of intrusion. If you wiretap and collect someone's
tickets, you can use playback methods to gain access for the duration
of the ticket. If sessions themselves are encrypted (this is quite
expensive in terms of CPU time, hence is rarely done, at least outside
Athena---probably inside as well) the windows are narrow and security
is relatively high. If the sessions are not encrypted you can, of
course, get quite a bit more information.

>I NEVER said anything about trusting every machine on the internet. Is there
>no way of telling a system to "trust" only a select few others?

Unfortunately, the answer is a qualified `no', because any machine can
(within various limitations) impersonate any other. The limitations
are largely to do with routing issues.

There are schemes galore for improving this sort of security; the
Athena Kerberos software has the advantage of being relatively simple,
`known largely to work' and, not least, free.
-- 
In-Real-Life: Chris Torek, Lawrence Berkeley Lab CSE/EE (+1 415 486 5427)
Berkeley, CA		Domain:	torek@ee.lbl.gov
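The playback exposure Torek describes (a captured ticket reused for its lifetime) is what a Kerberos-style authenticator plus a server-side replay cache narrows. The following is an added illustration, not Torek's or Athena's code: a constructed application-server check with a 300-second clock-skew window, an HMAC standing in for the session-key encryption of the authenticator, and a constructed key, principal name and timeline.

```python
import hashlib
import hmac
import json

CLOCK_SKEW = 300  # seconds; the usual Kerberos tolerance for clock drift

def make_authenticator(session_key: bytes, client: str, now: int) -> bytes:
    """Client side: fresh authenticator; an HMAC stands in for session-key encryption."""
    body = json.dumps({"client": client, "ts": now}).encode()
    mac = hmac.new(session_key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + mac

class AppServer:
    """Server side: checks ticket lifetime, authenticator freshness and a replay cache."""
    def __init__(self, session_key: bytes, ticket_expiry: int):
        self.key = session_key              # session key recovered from the ticket
        self.ticket_expiry = ticket_expiry  # end time carried in the ticket
        self.seen = set()                   # (client, ts) pairs already accepted

    def accept(self, authenticator: bytes, now: int) -> str:
        body, _, mac = authenticator.rpartition(b"|")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, mac):
            return "rejected: authenticator not under session key"
        if now > self.ticket_expiry:
            return "rejected: ticket expired"
        fields = json.loads(body)
        if abs(now - fields["ts"]) > CLOCK_SKEW:
            return "rejected: authenticator timestamp outside clock skew"
        # Entries older than the skew window can no longer pass the check above.
        self.seen = {k for k in self.seen if now - k[1] <= CLOCK_SKEW}
        key = (fields["client"], fields["ts"])
        if key in self.seen:
            return "rejected: replayed authenticator"
        self.seen.add(key)
        return "accepted"

def run_scenario() -> list:
    """Constructed timeline: one legitimate use, then the same captured bytes replayed."""
    session_key = b"constructed-session-key"
    t0 = 1_000_000
    server = AppServer(session_key, ticket_expiry=t0 + 8 * 3600)  # constructed 8h ticket
    captured = make_authenticator(session_key, "user@EXAMPLE.REALM", t0)
    return [
        server.accept(captured, t0),             # legitimate use
        server.accept(captured, t0 + 5),         # replay inside the skew window
        server.accept(captured, t0 + 600),       # replay after the skew window
        server.accept(captured, t0 + 9 * 3600),  # replay after the ticket expired
    ]
```

The replay inside the skew window is caught only by the cache; the later replays fail on freshness or ticket lifetime, which is why the window stays narrow even though the ticket itself is still in the attacker's hands.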