9fans - fans of the OS Plan 9 from Bell Labs
* religious wars
From: Rich @ 1995-08-19 18:24 UTC


It is perhaps not unreasonable to allow site administrators to set up
their own security model.  It is stupid to have both a locked front door
and an open back door on the same system.

To the extent that Plan9 provides a practical demonstration that non-weak
security isn't onerous in a distributed environment, that's a great thing.
Viewed this way, adding cleartext network passwords is as useful as
peeing in the petri dish.
	/r$, pike wannabe

* religious wars
From: Paul @ 1995-08-19  1:27 UTC


On Fri, 18 Aug 1995, Berry Kercheval wrote:

> Indeed.  The only time I know that PARC got seriously hacked, the intruders 
> didn't come in through *our* firewall -- they got into Xerox somewhere else 
> and just rode the corporate net over here.
> 
> We keep talking about a firewall between PARC and the rest of Xerox, but 
> managers frown on it for some reason :-)
>

I've been selling it as zoned security, and explaining that the multiple 
zones are to protect in layers.  It's looking like a probable buy-in from
my management.  If I just said "I don't trust other operating units", they'd
probably react like yours.  

Well, back to outer space.... 
>   --berry
> 
> Berry Kercheval :: Xerox Palo Alto Research Center
> 
> 
> 


-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
                                                                     PSB#9280

* religious wars
From: Scott @ 1995-08-18 22:51 UTC


I agree with most of what Dave wrote; here's my 2¢.

| If one takes Vadim's argument to the extreme, he
| should eliminate passwords internally since he
| has adequate protection, trusts everyone
| internally, and plan 9 is just a toy system.
| We ran that way ourselves for years
| (till management started using Plan 9 and wanted
| something better to keep us from seeing
| their secret stuff).

Lots of things about the system, and unix before it, reflect this mode
of development.  Consider file permissions: user/group/other is
adequate in uncomplicated circumstances, but in the typical university
setting access control lists would make life much easier,
particularly because the people you trust with particular files or
directories vary so much and so dynamically.

Also, there's a difference between any-user and unauthenticated-person
that user none doesn't seem to capture.  Shipping the system with
telnetd allowing "none" to log in from anywhere strikes me as a
mistake.  Allowing anonymous 9p connections is worrisome too.  AFS does
better, since it lets you restrict what unauthenticated users are
allowed to look at (easy with ACLs).

| Our biggest fear is that this pressure will make
| passwords a default mechanism.  We'd rather see
| people working on getting Unix and DOS to use 
| better security or making Plan 9 security
| tighter like adding exponential key exchange than
| to add options to Plan 9 to make it less secure.
| Just the ability to do passwords in the clear is
| the first step down a very steep slope.  Climbing
| back up again is real hard.  We have a chance for
| a system that never goes that route, why blow it.

I very strongly agree with this.  In the unix world most people (and
vendors) aggressively avoid kerberos, s/key, and other things that
would improve our lives.  Plan 9 is a rare and valuable example of
doing things better and easier.  When I show it off to visitors I
always point that out.

* religious wars
From: Berry @ 1995-08-18 21:35 UTC


>>>presotto@plan9.att.com said:
 >  However, we still have people
 > constantly creating backdoors to the internet all
 > over the company

Indeed.  The only time I know that PARC got seriously hacked, the intruders 
didn't come in through *our* firewall -- they got into Xerox somewhere else 
and just rode the corporate net over here.

We keep talking about a firewall between PARC and the rest of Xerox, but 
managers frown on it for some reason :-)

  --berry

Berry Kercheval :: Xerox Palo Alto Research Center

* religious wars
From: presotto @ 1995-08-18 20:48 UTC


We want to make clear why we fear clear passwords
entering the telnet/ftp/etc code.

If one takes Vadim's argument to the extreme, he
should eliminate passwords internally since he
has adequate protection, trusts everyone
internally, and plan 9 is just a toy system.
We ran that way ourselves for years
(till management started using Plan 9 and wanted
something better to keep us from seeing
their secret stuff).

Replacing ARP entries, changing MAC addresses, and
taking over active sessions cause denial or
interruption of service to people and are more
likely to be detected.  The first two don't even work
unless you are on the same side of a gateway.

Just stealing passwords is much harder to detect
since it is entirely passive.  It works an arbitrary
number of hops away.  Once acquired,
the passwords are useable to set up new connections
at any time as compared to the above attacks that
are once only.  These are hardly similar.

In AT&T we are protected by a firewall similar to
what you describe, one of the first in fact and
built by our group.  However, we still have people
constantly creating backdoors to the internet all
over the company, sometimes because we merge with
(or buy out) someone that already has a less protected
gateway, sometimes because someone finds the current
firewalls confining and gets their own links.  Creating
crappy internal security just allows others to take
advantage of these lapses.

Also, we use multiple networks, not just broadcast
media like ethernet.  Our ATM and Datakit networks aren't
susceptible to spoofing though they can be snooped.
In these, our security is infinitely better than
clear passwords.

In short, passwords in the clear are a worse mechanism
than what we have.  As Vadim points out, it could be better.

The main reason for wanting passwords
is that they make access from Unix or DOS easier.
Our biggest fear is that this pressure will make
passwords a default mechanism.  We'd rather see
people working on getting Unix and DOS to use 
better security or making Plan 9 security
tighter like adding exponential key exchange than
to add options to Plan 9 to make it less secure.
Just the ability to do passwords in the clear is
the first step down a very steep slope.  Climbing
back up again is real hard.  We have a chance for
a system that never goes that route, why blow it.
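
An added illustration of the replay argument in the message above; it is not part of the original message and is not Plan 9's actual authentication protocol. HMAC-SHA-256 over a server nonce is an assumed stand-in for a challenge-response scheme, and every name and the sample secret are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample secret shared by the user and the server.
SECRET = b"constructed-sample-secret"


class CleartextServer:
    """Accepts the secret itself, exactly as it crossed the wire."""

    def login(self, wire_bytes: bytes) -> bool:
        return hmac.compare_digest(wire_bytes, SECRET)


class ChallengeServer:
    """Issues a fresh nonce per login; each nonce is accepted once."""

    def __init__(self) -> None:
        self.pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def login(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.pending:
            return False  # unknown or already used challenge
        self.pending.discard(nonce)
        expected = hmac.new(SECRET, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def client_response(nonce: bytes) -> bytes:
    """What the legitimate client sends back for a given challenge."""
    return hmac.new(SECRET, nonce, hashlib.sha256).digest()


def replay_results():
    """Returns (legit, cleartext_replay, same_nonce_replay, new_nonce_replay)."""
    # Cleartext: the bytes a passive listener records ARE the credential.
    recorded_password = SECRET
    cleartext_replay = CleartextServer().login(recorded_password)

    # Challenge-response: the listener records one (nonce, response) pair.
    server = ChallengeServer()
    nonce = server.challenge()
    recorded_response = client_response(nonce)
    legit = server.login(nonce, recorded_response)
    same_nonce_replay = server.login(nonce, recorded_response)
    new_nonce_replay = server.login(server.challenge(), recorded_response)
    return legit, cleartext_replay, same_nonce_replay, new_nonce_replay
```

A recorded challenge and response can still be tested offline against guessed secrets, so the scheme depends on the shared secret being hard to guess.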







* religious wars
From: Vadim @ 1995-08-18  8:51 UTC


Well, i'm not against better security -- as long
as it can be tuned to fit the requirements.

Note that the option i added *is not on by default*.

Let me reiterate that the security level should be
adequate in regard to the value of information.
By not providing the low security you effectively
eliminate the whole class of applications for the
system.

"What?  Give securenet keys to all people who want
to log into the xxx account?  I don't even know
them!"

BTW, i appreciated the joke about management not
wanting you (designers of the system) to see their
information :)

The session stealing attacks do not have to be
easily identifiable, and in fact they are already
happening, as the knowledge is becoming more common.
Also, while the "passive snooper" is a nice theoretical
model in data world all passive snoopers have
capability for active interference by definition.
One-time passwords are a mere deterrent, not the system
a determined hacker can't break.  Cleartext passwords
are also a deterrent.  I may choose not to protect the
system at all and use the police as a deterrent.

Please don't force the choice of security level down
the system administrators' throats.  They know the
local circumstances better.  In our village doors are
left open more often than in yours :)

It is not a "religion", it is common sense.  I saw
too many misguided efforts to improve security by
making it hard to use, to the net result that everybody
simply ignores the procedures.  Ah, those proverbial
holes in fences of top-secret installations.

--vadim