Addressed to: Firewalls @
GreatCircle .
COM
Joseph S. D. Yao <jsdy @
cospo .
osis .
gov>
** Reply to note from Joseph S. D. Yao <jsdy @
cospo .
osis .
gov>
= --------------------------------------------------------------------
= PLEASE ... send or Cc: all "COSPO Computer Support" mail to
= sys-adm @
cospo .
osis .
gov
= --------------------------------------------------------------------
= Date: Fri, 9 Aug 1996 12:33:03 -0400
= From: "Joseph S. D. Yao" <jsdy @
cospo .
osis .
gov>
= To: Firewalls @
GreatCircle .
COM
=
= Subject: Re: Info World Firewall Articles
=
= > Date: Thu, 8 Aug 1996 17:30:58 -0400
= > From: Steve Kotsopoulos <steve @
ecf .
toronto .
edu>
= > Subject: Re: Info World Firewall Articles
= >
= > jminie @
earthlink .
net wrote:
= > >We're aware of how insecure UNIX is natively. ...
=
= Let's clarify this. Unix is an operating system that allows you
= great latitude in how you set it up. It is neither secure nor
= insecure "natively" (whatever that means).
=
absolutely; agreed!
the statement "We're aware of how insecure UNIX is natively"
shows a BLATANT lack of intellectual prowess and mouth freedom
reminiscent of Bill Gates' statements and advertising in the 80s
when he was trying to promote what is best described as a boot
sector virus as THE opertaing system of the future --operating
system? well, maybe a program loader, as was CPM.
the point is simple: once *you* are operating on a closed and
unreceptive mind, you're no better than a school child who covers
his ears as he raises his hand to gain attention to talk.
by _today's_ full blown inter/intranet requirements, Ritchie
and Thompson's *_original_* version of UNIX, which like DEC's VMS
is a derivative of Multix, is insecure --BUT THAT WAS ALMOST 30
YEARS AGO!
or are you of the equivalent of Bill Gates, who claims only
Bills' shit don't stink?
ALL SYSTEMS EVOLVE OVER TIME. or, they are not being used...
However, *unlike* Gates who is notorious for never-fixed bugs
and gaping security holes opened by each successive massive
incompatible rewrite, the *_concept_* of unix STILL is the same,
30 YEARS LATER.
and, unlike Gates who guards his precious source code as his
mansion (probably since most of the code is so bad it would be bad
PR for MS for you to see it), unix source code has always been
available; and, 30 years of tweaking have made unix' open and
friendly system even more flexible --AND, hand in hand, more
secure.
UNIX has been expanded with the same conceptual visions
(other than commercial companies who listened to their marketing
sleeze trying to be unique and are mostly history) by generations
of practicioners who *understand* the unix kernel and concepts.
= It can be set up as Ken and Dennis
= did initially, in a "friendly" environment, so that everybody can do
= anything. In these days, probably a very very bad idea. It can also
= be set up quite tightly, so that it's about as secure as any
= operating system NOT SPECIFICALLY DESIGNED FOR HIGH-LEVEL SECURITY
= can get.
=
agreed!
and flavours of UNIX with restricted functions and trust are
_very_secure_ when properly installed. We have almost 30 years
of finding the week spots; and, an updated 20 year old 'routed'
and 'gated' as a two machine master firewall is _very_ secure.
[PAY me enough money and I will show you HOW TO build a REAL
secure system for CHEAP].
and, given enough background, you quickly understand WHY there
is no perfect software, no perfect operating system [except in Bill
Gates' dreams], and _no_ secure kernel in a multi-user,
multi-tasking, multi-machine environment if the user(s) expect
access other than by batched punch cards, &c.
in other words, "security" and "friendly" are diametrically
opposed: the more you improved the client space for friendly
access and sharing of information on a single machine or on a
network, the less the security.
A "perfectly" secure machine is therefore "perfectly"
unusable.
having been extensively involved during the 70s and 80s as a
consultant to both Western Electric and Labs and taught college
level courses on security , I, and others, have traveled through
through these same problems --and, remember, R, T, and K
constructed unix _in their spare time_ --for a DEC 11/45 which
was limited to 64K data and 64K program.
given that unix started out presuming 3 things:
1. unlimited trust
2. perfect disks (no error correction provided)
3. unlimited time
which is fine in a low usage research environment, but
commercially (government) it just was not acceptable. At that
point, the conundrum roars onto the playing field.
So, somebody hacked error management routines into the disk
drivers, and Berkeley contributed 'bad144' and so on. uucp had
security holes; everybody chipped in and they are mostly gone
(knock on wood), shadow password files were added, &c. and, now
we have SSL &c. for secure tcp/ip...
Again, why is unix stable, secure, friendly, and consistent?
SIMPLE: open systems, source code and intelligent, thinking power
users and perfectionists (who live in the dark except for the
glow of a CRT).
= This
= should, preferably, be done by REAL systems professionals, not "I
just
= graduated from college, and have read all of Microsoft's and Sun's
= press releases, and therefore know everything there is to know about
= computer security" types. (To everyone: NO, I am NOT talking about
= YOU; but you do know someone something like that, don't you? ;-))
=
want to swap blacklists? <g>
= This is why the majority of real software security specialists
= started their secure systems and firewall systems on some variant of
= Unix. Please note that I said "the majority", and not "all": this is
= not meant to start a flaming contest or any other sort of contest.
=
does not need to be a contest... it's a fact, and about the
only way to learn, both then and now. there is no source code for
today's proprietary firewalls, anymore than there has ever been.
I, for one, refuse to use either firewall or cryptographic
products I can not see the source. I do not need to have NSA
embedded routines for their pleasure in hardware/software systems
I design.
just remember: talking is $$$ --have your wallet handy.
attila <attila @
primenet .
com>
--
In the interests of a drug-free world it is perhaps time for Britain
and other Western democracies to consider banning President Clinton
from visiting their countries.
--Ambrose Evans-Pritchard
Follow-Ups:
|
|
