[comp.protocols.appletalk] Watch, peeking, and security threats

kovar@ECLECTIC.COM (David C. Kovar) (05/16/91)

  We went through this whole thing when I was back at Dartmouth when
the Macs first came out. The school paper went nuts when they found out
that 15 of us had Peek. They only quieted when it was pointed out
that since we were in a networking course, we could probably
rewrite Peek given a few days and the incentive to do so.

  The problem isn't in the tools that let you see the wire, it's
in the applications that are stupid enough to transmit important
data in the clear. Telnet/ftp have been doing this since they
were first written, and people have been complaining for nearly
as long. It's a shame that it may take security violations to get
this sort of thing fixed, but that's what it looks like.

  If you want to know about some real security horror shows,
ask me about CE Software's QuickMail when I get back from the
Macintosh Developer's Conference next week. If you want to learn
a bit more about this stuff, and read more about the Peek stuff
at Dartmouth and what they've done about it, get ahold of the
next issue of ISPNews (Information Security Product News).
I wrote an article that'll be appearing in there. I can send
email copies of it out next week if anyone's interested.

  Also, if you're interested in such things, System 7.0
is going to make Mac security much more interesting. Apple Events,
PPC, and the like, really open up your Mac to just about anyone
if you're not careful. Apple seems to be taking some interest in building
security tools into the system, but I'm not exactly sure what's there,
yet.

-David Kovar

P.S.
  If you're REALLY interested in authentication systems for the Mac,
feel free to send me mail on that as well. We're developing a pretty
neat two factor authentication system....

kludge@grissom.larc.nasa.gov ( Scott Dorsey) (05/16/91)

In article <9105160430.AA04272@eclectic.com> kovar@ECLECTIC.COM (David C. Kovar) writes:
>  The problem isn't in the tools that let you see the wire, it's
>in the applications that are stupid enough to transmit important
>data in the clear. Telnet/ftp have been doing this since they
>were first written, and people have been complaining for nearly
>as long. It's a shame that it may take security violations to get
>this sort of thing fixed, but that's what it looks like.

   While much of it is indeed the fault of the protocol, a good deal of blame
should be laid on an operating system which permits any user running any
program to access any device in any way.  The operating system should provide
user authentication and not permit untrusted users to put the ethernet card
in promiscuous mode.  For any installation with multiple machines and 
networks, this is the case.
--scott

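Scott's point is that being able to put an interface into promiscuous mode is a privilege the operating system should control. On a modern Linux host the kernel both records the flag and logs the transition, so an administrator can at least detect it. The script below is an added example written for this thread, not code posted by anyone in it; it parses the flag list that `ip link show` prints (`<BROADCAST,MULTICAST,PROMISC,...>`) and the classic kernel log lines `device eth0 entered promiscuous mode` / `left promiscuous mode`. Both inputs are constructed sample text here; the interface names, MAC addresses and timestamps are made up, and the kernel log wording is assumed to match the older message format, so check your own kernel's phrasing before deploying it.

```python
"""Flag network interfaces that are in promiscuous mode.

Added example, not from the thread. Two data sources, both embedded below as
constructed sample text rather than read live:
  * the flag list that `ip link show` prints on Linux
  * kernel log lines "device X entered/left promiscuous mode" (assumed format)
To run it for real, replace SAMPLE_IP_LINK with the output of
subprocess.check_output(["ip", "link", "show"], text=True) and
SAMPLE_KERNEL_LOG with your kernel log.
"""
import re

# Constructed sample: eth0 is promiscuous, lo and eth1 are not.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
"""

# Constructed sample: eth1 entered and then left, so only eth0 is still promiscuous.
SAMPLE_KERNEL_LOG = """\
[  120.441] device eth0 entered promiscuous mode
[  300.002] device eth1 entered promiscuous mode
[  305.118] device eth1 left promiscuous mode
"""

# "2: eth0: <FLAGS> ..." and also "5: veth0@if6: <FLAGS> ..." for paired interfaces.
IP_LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>", re.M)
KLOG_RE = re.compile(r"device (?P<name>\S+) (?P<event>entered|left) promiscuous mode")


def promiscuous_from_ip_link(text):
    """Return the sorted names of interfaces whose flag list contains PROMISC."""
    found = []
    for m in IP_LINK_RE.finditer(text):
        flags = set(m.group("flags").split(","))
        if "PROMISC" in flags:
            found.append(m.group("name"))
    return sorted(found)


def promiscuous_from_kernel_log(text):
    """Replay entered/left events in order; return interfaces still promiscuous at the end."""
    state = {}
    for line in text.splitlines():
        m = KLOG_RE.search(line)
        if m:
            state[m.group("name")] = m.group("event") == "entered"
    return sorted(name for name, on in state.items() if on)


def report(ip_link_text, kernel_log_text):
    """Combine both views: what each source says, whether they agree (a mismatch
    is itself worth a look, e.g. a truncated log), and the union to investigate."""
    from_flags = promiscuous_from_ip_link(ip_link_text)
    from_log = promiscuous_from_kernel_log(kernel_log_text)
    return {
        "ip_link": from_flags,
        "kernel_log": from_log,
        "agree": from_flags == from_log,
        "promiscuous": sorted(set(from_flags) | set(from_log)),
    }


if __name__ == "__main__":
    print(report(SAMPLE_IP_LINK, SAMPLE_KERNEL_LOG))
```

The flag check answers "is it promiscuous right now"; the log replay answers "did it ever go promiscuous and is it still", which catches a sniffer that was started and stopped between polls only if you keep the log. On the 1991 Macs in the thread neither source existed, which is exactly Scott's complaint.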
amanda@visix.com (Amanda Walker) (05/21/91)

kludge@grissom.larc.nasa.gov ( Scott Dorsey) writes:

   While much of it is indeed the fault of the protocol, a good deal of blame
   should be laid on an operating system which permits any user running any
   program to access any device in any way.

I think that this is still misplacing "the blame."  In my opinion (which
stems from having managed networks of hundreds of Macs & workstations), the 
central problem is assuming that it is *possible* to secure the machines
at all.  It is impossible to guarantee any level of security when your
network has Macs, PCs, or workstations available for use by the public;
neither is it possible if you do not secure the actual connectors & cables
on your network.

On both Macs and PCs, anyone can write or run programs which talk to
the hardware.  On Suns and most other workstations, anyone who wants
to badly enough can break into UNIX as root, and proceed to talk to
the hardware.  In fact, most UNIX machines are quite insecure even
*without* physical access to the machine.

One approach is to use security systems (such as Kerberos) which do not
depend on the physical security of the machines or the network.  If this
is infeasible, the best you can probably do is punish people you can catch,
and live with the reality that anyone who wants to badly enough will
compromise your security.
--
Amanda Walker						      amanda@visix.com
Visix Software Inc.					...!uunet!visix!amanda
-- 
UNIX: The only operating system that can be destroyed by mail.

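David's original point (applications that send important data in the clear) and Amanda's answer (use an authentication system that does not depend on the wire being private) are two halves of the same argument, and a small simulation makes it concrete. The script below is an added example written for this thread, not code from any poster; it models the network as a list that both parties append to, and an observer who reads only that list stands in for a Peek-style sniffer. The user name, password and the HMAC-SHA256 challenge-response construction are this example's own choices, not any real protocol (Kerberos uses tickets and a key distribution service, not this bare exchange), and the `nonce` parameter exists only so a test can inject a fixed challenge.

```python
"""Cleartext login versus challenge-response, as seen by a passive observer.

Added example, not code from the thread. The "wire" is a list of
(sender, bytes) frames; the observer functions look only at that list.
"""
import hashlib
import hmac
import secrets

# Constructed server-side secret store: one user, one shared secret.
USERS = {"alice": b"correct horse battery staple"}


def server_verify(user, nonce, proof):
    """Server side of challenge-response: recompute HMAC(secret, nonce) and compare."""
    expected = hmac.new(USERS.get(user, b""), nonce, hashlib.sha256).digest()
    return user in USERS and hmac.compare_digest(expected, proof)


# ---- protocol 1: telnet/ftp style, the password itself crosses the wire ----
def cleartext_login(wire, user, password):
    wire.append(("client", b"USER " + user.encode()))
    wire.append(("client", b"PASS " + password))
    ok = USERS.get(user) == password
    wire.append(("server", b"OK" if ok else b"FAIL"))
    return ok


# ---- protocol 2: only a fresh nonce and an HMAC over it cross the wire ----
def challenge_response_login(wire, user, password, nonce=None):
    nonce = secrets.token_bytes(16) if nonce is None else nonce   # server picks the challenge
    wire.append(("server", b"CHALLENGE " + nonce))
    proof = hmac.new(password, nonce, hashlib.sha256).digest()    # client never sends the secret
    wire.append(("client", b"PROOF " + user.encode() + b" " + proof))
    ok = server_verify(user, nonce, proof)
    wire.append(("server", b"OK" if ok else b"FAIL"))
    return ok


# ---- the observer: every byte on the wire, nothing more ----
def observer_sees_password(wire, password):
    """True if the secret appears verbatim in any captured frame."""
    return any(password in payload for _, payload in wire)


def captured_proof(wire):
    """Pull the client's proof out of a captured challenge-response session."""
    for _, payload in wire:
        if payload.startswith(b"PROOF "):
            return payload.split(b" ", 2)[2]
    return None


def replay_captured_proof(wire, user, next_nonce):
    """Submit a proof captured earlier against a later challenge. This only
    succeeds if the server reuses the nonce, which is why challenge freshness
    is the property the server must guarantee."""
    proof = captured_proof(wire)
    return proof is not None and server_verify(user, next_nonce, proof)


if __name__ == "__main__":
    w1, w2 = [], []
    cleartext_login(w1, "alice", USERS["alice"])
    challenge_response_login(w2, "alice", USERS["alice"])
    print("cleartext: observer has the password ->", observer_sees_password(w1, USERS["alice"]))
    print("challenge-response: observer has the password ->", observer_sees_password(w2, USERS["alice"]))
    print("captured proof reusable against a fresh challenge ->",
          replay_captured_proof(w2, "alice", secrets.token_bytes(16)))
```

The second protocol keeps the secret off the wire, so Peek gets a nonce and a digest that are useless against the next session; the last function shows the one way it degrades, a server that hands out the same challenge twice. It does not give confidentiality for anything sent after login, which is the other half of David's complaint about telnet and ftp.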
chip@tct.com (Chip Salzenberg) (05/21/91)

According to kludge@grissom.larc.nasa.gov ( Scott Dorsey):
>   While much of it is indeed the fault of the protocol, a good deal of blame
>should be laid on an operating system which permits any user running any
>program to access any device in any way.

This objection is naive.  If the authentication is in the OS, then I
walk up to a Mac with my own hacked OS on a floppy, and boot from the
floppy.  Presto.

Besides, who says that all machines on an AppleTalk network shall be
Macintoshes running System N?
-- 
Brand X Industries Custodial, Refurbishing and Containment Service:
         When You Never, Ever Want To See It Again [tm]
     Chip Salzenberg   <chip@tct.com>, <uunet!pdn!tct!chip>

kludge@grissom.larc.nasa.gov ( Scott Dorsey) (05/21/91)

In article <2838265E.2EE6@tct.com> chip@tct.com (Chip Salzenberg) writes:
>According to kludge@grissom.larc.nasa.gov ( Scott Dorsey):
>>   While much of it is indeed the fault of the protocol, a good deal of blame
>>should be laid on an operating system which permits any user running any
>>program to access any device in any way.
>
>This objection is naive.  If the authentication is in the OS, then I
>walk up to a Mac with my own hacked OS on a floppy, and boot from the
>floppy.  Presto.

   Yes, but without authentication in the OS it's perfectly possible for
you to walk up to a Mac and install your (subtly altered to do evil things)
copy of the OS on it.  Both an improved authentication protocol and 
improved operating system protections are required.
--scott

kenw@skyler.arc.ab.ca (Ken Wallewein) (05/22/91)

In article <1991May20.173119.4279@visix.com> amanda@visix.com (Amanda Walker) writes:

   ...
   One approach is to use security systems (such as Kerberos) which do not
   depend on the physical security of the machines or the network.  If this
   is infeasible, the best you can probably do is punish people you can catch,
   and live with the reality that anyone who wants to badly enough will
                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   compromise your security.
   ^^^^^^^^^^^^^^^^^^^^^^^^
   --
   Amanda Walker					      amanda@visix.com
   Visix Software Inc.					...!uunet!visix!amanda
   -- 
   UNIX: The only operating system that can be destroyed by mail.

Aw, come on.  Let's get realistic.

There's a big difference between professional spooks and idle curiosity.  How
serious you get depends on your situation.  There ain't no such thing as
100% secure.

As long as messages cross a network in cleartext, and that network is 
accessible by computers which do not support security in hardware and
software, it's going to be pretty hard to prevent snooping.

Now, a constructive idea: how about network interface hardware
manufacturers designing the circuit boards so that promiscuous mode is not
implemented on some boards, or could require hardware changes to activate,
or a password, or something like that?

Someone earlier posted an idea along the line that packet sniffers should
first broadcast a message saying "I'm gonna start sniffin' now!".  That
would be a nice, easy thing to help suppress casual sniffing by the wrong
people.  Sure, it wouldn't stop anybody who was serious and/or
knowledgeable, but it would be polite, and would solve 95% of the problem.

And make no mistake -- this IS a game of percentages.
--
/kenw

Ken Wallewein                                                     A L B E R T A
kenw@noah.arc.ab.ca  <-- replies (if mailed) here, please       R E S E A R C H
(403)297-2660                                                     C O U N C I L

amanda@visix.com (Amanda Walker) (05/22/91)

In article <KENW.91May21105153@skyler.arc.ab.ca> kenw@skyler.arc.ab.ca
(Ken Wallewein) writes:

   There's a big difference between professional spooks and idle curiosity.

Yes and no.  At a university, "idle curiosity" can be pretty persistent.
I've seen students wander around the Internet and routinely bypass normal
security precautions "out of idle curiosity."

   As long as messages cross a network in cleartext, and that network is 
   accessible by computers which do not support security in hardware and
   software, it's going to be pretty hard to prevent snooping.

Exactly.

   Now, a constructive idea: how about network interface hardware
   manufacturers designing the circuit boards so that promiscuous mode is not
   implemented on some boards, or could require hardware changes to activate,
   or a password, or something like that?

This is more or less the current case for Macintosh Ethernet boards, since
anything that uses promiscuous mode has to talk directly to the hardware,
a task about as complex as writing a .ENET driver for the board.  On the
other hand, LocalTalk hardware is the same on every Mac, and there are
programs (and source code) wandering around to do snooping.  The only
effective response is to either change the software, or offer a big
disincentive for the activity.  At a university, the phrase "academic
misconduct" comes to mind--the same kind of penalty you'd use for someone
peeking at exams or someone else's files on a UNIX machine.

--
Amanda Walker						      amanda@visix.com
Visix Software Inc.					...!uunet!visix!amanda
-- 
"The beauty of the truth is that it need not be proclaimed or believed. It
 skips from soul to soul, changing form each time it touches, but it is 
 what it is...."	--Mark Helprin, Winter's Tale