What kinds of things would you want in the GNU OS?
Don Alvarez
boomer at athena.mit.edu
Fri May 26 01:28:54 AEST 1989
A few observations on security...
(1) Every OS implementation has (or will have) bugs, and some of them
are going to be security related bugs (note I said _implementation_,
as distinct from _theory_).
(2) The Internet Virus was able to propagate effectively because
almost everybody used one of two different systems with a number
of standard bugs.
(3) It generally takes human hackers a few tries to break into your
system, and (imho) the best defense against them is good logging
of strange behavior. (you have to assume that someone will
eventually crack your security, but they will probably have left
traces of themselves by the time they do).
(4) If you have good backups and a logfile entry showing when your
security was breached, the amount of damage an intruder can do to
your files is severely limited (release of classified/confidential
data notwithstanding).
...and a few conclusions based on those observations...
(1+2) GNU's main security advantage will probably be that there is no
'standard' security system. People will (hopefully) hack and
code to their heart's content, logging or checking whatever
random things they think are significant on their system. The
more hacked the systems become, the less likely it is that
everyone's fingerd will have the same bug, and without those
'standard' bugs, network viruses will have a much harder time
propagating.
(3+4) Assuming you have some threshold amount of security, improving
your logging capabilities is probably more effective than
improving your defenses. No matter how good your security, if
a wizard really wants to get in, he will. If you keep (and
read!) good logs, and if you back up every day (don't just
talk about it!), then the evil wizard can't trash more than
one day's work.
Q: What single thing would I recommend?
A REALLY REALLY REALLY easy way to tell my system to prompt me for a
tape every morning, dump all changes since the previous morning,
_and_eject_the_tape (don't leave your backups where the system can get
at them). Once a week/month/ten days/etc the system would prompt me
for several tapes and automatically do a full backup. This has the
advantage that it protects you from well-meaning good guys ("rm *.c?
aaarghh!") as much as it protects you from ill-meaning bad guys. If
your password is like your toothbrush (use it every day, change it
regularly, and don't share it with friends), then doing backups is like
flossing (everybody talks about it, nobody does it).
Closing musings:
On the subject of security, you were probably more interested in
questions like "what encryption algorithm should we use" (or even the
more radical "should we continue to have world-readable password
files"), "should we allow rsh-style remote procedure calls", "should
we include kerberos hooks", etc. I'd say go ahead and leave
/etc/passwd the way it is, but try to come up with a simple password-
checker to make sure people don't use password=account-name couplets.
rsh is tougher, because it's so common as to be almost mandatory. And
yes, I think kerberos is a darn good way to handle inter-host
communications.
-Don Alvarez
--
+ -------------------------------------------------------------------------- +
| Don Alvarez M.I.T. Center For Space Research (617) 253-7457 |
| boomer at SPACE.MIT.EDU Moving Soon: Princeton University Gravity Lab 8/89 |
+ -------------------------------------------------------------------------- +
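The simple password checker the post asks for, as an added example (not Don's code and not part of the original message): it refuses a password equal to the account name and, going a little beyond the post, also one that merely contains the login name or a word from the GECOS (full name) field, forwards or reversed. The /etc/passwd entry and the minimum length are constructed assumptions.

```python
import re

MIN_LENGTH = 6  # assumption: a floor below which no password is accepted

def names_from_passwd_line(line: str) -> set[str]:
    """Collect the words a guesser would try first from one /etc/passwd
    line: the login name and every word of the GECOS (full name) field.
    Field layout: name:passwd:uid:gid:gecos:dir:shell."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("malformed passwd line: %r" % line)
    login, gecos = fields[0], fields[4]
    words = {login}
    # GECOS may hold "Full Name,office,phone"; keep only alphabetic words
    words.update(re.findall(r"[A-Za-z]+", gecos))
    # one- or two-letter fragments (initials, "Rm") would flag almost anything
    return {w for w in words if len(w) >= 3}

def check_password(passwd_line: str, candidate: str) -> list[str]:
    """Return the reasons a candidate password is rejected (empty list = accepted).
    The comparison is case-insensitive and also catches each name reversed,
    so 'Boomer1' and 'remoob' are both refused for login 'boomer'."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    lowered = candidate.lower()
    for word in sorted(names_from_passwd_line(passwd_line)):
        w = word.lower()
        if w in lowered:
            reasons.append("contains %r from the account's passwd entry" % word)
        elif w[::-1] in lowered:
            reasons.append("contains %r reversed" % word)
    return reasons

if __name__ == "__main__":
    # constructed sample entry, not a real account
    entry = "boomer:*:1001:100:Don Alvarez,Rm 37-500:/home/boomer:/bin/sh"
    for pw in ("boomer", "Boomer1", "remoob", "alvarez99", "kx7!Pq2m"):
        verdict = check_password(entry, pw)
        print("%-10s %s" % (pw, "OK" if not verdict else "; ".join(verdict)))
```

Run with a real /etc/passwd line and the proposed password at password-change time; an empty list means the password passed.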