Path: utzoo!attcan!uunet!cs.utexas.edu!tut.cis.ohio-state.edu!bloom-beacon!athena.mit.edu!boomer
From: boomer@athena.mit.edu (Don Alvarez)
Newsgroups: comp.unix.wizards
Subject: Re: What kinds of things would you want in the GNU OS?
Summary: about security
Keywords: GNU OS features kernel
Message-ID: <11666@bloom-beacon.MIT.EDU>
Date: 25 May 89 15:28:54 GMT
References: <106326@sun.Eng.Sun.COM> <10317@smoke.BRL.MIL> <106584@sun.Eng.Sun.COM>
Sender: daemon@bloom-beacon.MIT.EDU
Reply-To: boomer@space.mit.edu (Don Alvarez)
Organization: MIT Center for Space Research
Lines: 79

A few observations on security...

(1) Every OS implementation has (or will have) bugs, and some of them are going to be security-related bugs (note I said _implementation_, as distinct from _theory_).

(2) The Internet Virus was able to propagate effectively because almost everybody used one of two different systems with a number of standard bugs.

(3) It generally takes human hackers a few tries to break into your system, and (imho) the best defense against them is good logging of strange behavior. (You have to assume that someone will eventually crack your security, but they will probably have left traces of themselves by the time they do.)

(4) If you have good backups and a logfile entry showing when your security was breached, the amount of damage an intruder can do to your files is severely limited (release of classified/confidential data notwithstanding).

...and a few conclusions based on those observations...

(1+2) GNU's main security advantage will probably be that there is no 'standard' security system. People will (hopefully) hack and code to their heart's content, logging or checking whatever random things they think are significant on their system. The more hacked the systems become, the less likely it is that everyone's fingerd will have the same bug, and without those 'standard' bugs, network viruses will have a much harder time propagating.

(3+4) Assuming you have some threshold amount of security, improving your logging capabilities is probably more effective than improving your defenses. No matter how good your security, if a wizard really wants to get in, he will. If you keep (and read!) good logs, and if you back up every day (don't just talk about it!), then the evil wizard can't trash more than one day's work.

Q: What single thing would I recommend?

A REALLY REALLY REALLY easy way to tell my system to prompt me for a tape every morning, dump all changes since the previous morning, _and_eject_the_tape_ (don't leave your backups where the system can get at them). Once a week/month/ten days/etc. the system would prompt me for several tapes and automatically do a full backup. This has the advantage that it protects you from well-meaning good guys ("rm *.c? aaarghh!") as much as it protects you from ill-meaning bad guys.

If your password is like your toothbrush (use it every day, change it regularly, and don't share it with friends), then doing backups is like flossing (everybody talks about it, nobody does it).

Closing musings:

On the subject of security, you were probably more interested in questions like "what encryption algorithm should we use" (or even the more radical "should we continue to have world-readable password files"), "should we allow rsh-style remote procedure calls", "should we include kerberos hooks", etc. I'd say go ahead and leave /etc/passwd the way it is, but try to come up with a simple password-checker to make sure people don't use password=account-name couplets. rsh is tougher, because it's so common as to be almost mandatory. And yes, I think kerberos is a darn good way to handle inter-host communications.

-Don Alvarez
-- 
+ -------------------------------------------------------------------------- +
| Don Alvarez           M.I.T. Center For Space Research      (617) 253-7457 |
| boomer@SPACE.MIT.EDU  Moving Soon: Princeton University Gravity Lab   8/89 |
+ -------------------------------------------------------------------------- +
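The daily routine the post asks for (dump only what changed since the previous run, with a periodic full dump) in a minimal form, as an added example that is not part of the original post: a marker file records the last run, `find -newer` selects the changed files, and `tar` stands in for the tape drive. The directory layout, the 7-day full-dump interval, and the absence of a tape-eject step are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): incremental daily dump with a
# periodic full dump, driven by the mtime of a marker file. Assumes SRC and
# DEST are separate directories and that file names contain no newlines.

# daily_dump SRC DEST -> writes DEST/dump-<level>-<stamp>.tar and prints
# the level ("full" or "incr") so callers can log which kind of run it was.
daily_dump() {
    src=$1 dest=$2
    marker=$dest/.last_dump
    mkdir -p "$dest"
    stamp=$(date +%Y%m%d-%H%M%S)

    # A full dump is due when there is no previous run, or when the marker
    # is at least 7 days old (assumed interval; find prints it if -mtime +6).
    if [ -f "$marker" ] && [ -z "$(find "$marker" -mtime +6)" ]; then
        level=incr
        # Only regular files modified after the previous run.
        find "$src" -type f -newer "$marker" > "$dest/list-$level-$stamp"
    else
        level=full
        find "$src" -type f > "$dest/list-$level-$stamp"
    fi

    # tar reads the selected paths from the list; an empty list still
    # produces a valid (empty) archive, so a quiet day is not an error.
    tar -cf "$dest/dump-$level-$stamp.tar" -T "$dest/list-$level-$stamp"

    # Record this run; the next incremental dump starts from here.
    touch "$marker"
    echo "$level"
}
```

Here the archive stays on disk; in the post's setup this is the point where the tape would be ejected so that an intruder on the host cannot reach the copy.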