shwake@raysnec.UUCP (Ray Shwake) (12/06/90)
tim@delluk.uucp (Tim Wright) writes:
>As has been pointed out, MOST people running unix do NOT want any higher
>level security than is already provided. It only gets in the way. I get the
>distinct feeling that if you want "high" levels of security, you shouldn't
>be running unix in the first place. Any comments ?

Sorry, Tim, can't agree. Despite all the references to UNIX' "inherent
lack of security", even plain-vanilla UNIX supports a higher security
potential than many OS alternatives, even those of "commercial quality".
How one exploits that potential, however, is another matter. Of course, one
must distinguish between security weaknesses inherent in the operating system
from those associated with add-ons (e.g. sendmail).

Yes, many people do NOT want a higher level of security than is
already provided, since security costs in both human and system resources
without obvious benefit - at least, not until you need it!

I do find it telling that the first C2 certified system (Gould) and
the first B1 certified system (System V/MLS) were UNIX systems.
dhesi%cirrusl@oliveb.ATC.olivetti.com (Rahul Dhesi) (12/07/90)
I suspect that even in C2, B2, etc. systems, system or group administrator
carelessness or carefulness will remain a significant factor in determining
how secure real systems are. For example, how does a B2 secure system prevent
a password being taped to a terminal?
--
Rahul Dhesi <dhesi%cirrusl@oliveb.ATC.olivetti.com>
UUCP: oliveb!cirrusl!dhesi
palowoda@fiver (Bob Palowoda) (12/08/90)
From article <168@raysnec.UUCP>, by shwake@raysnec.UUCP (Ray Shwake):
> tim@delluk.uucp (Tim Wright) writes:
>
>>As has been pointed out, MOST people running unix do NOT want any higher
>>level security than is already provided. It only gets in the way. I get the
>>distinct feeling that if you want "high" levels of security, you shouldn't
>>be running unix in the first place. Any comments ?
>
> Sorry, Tim, can't agree. Despite all the references to UNIX' "inherent
> lack of security", even plain-vanilla UNIX supports a higher security
> potential than many OS alternatives, even those of "commercial quality".
> How one exploits that potential, however, is another matter. Of course, one
> must distinguish between security weaknesses inherent in the operating system
> from those associated with add-ons (e.g. sendmail).
>
> Yes, many people do NOT want a higher level of security than is
> already provided, since security costs in both human and system resources
> without obvious benefit - at least, not until you need it!

I was under the impression that (at least with SCO's UNIX) you have
to buy C2. Or am I wrong here? If this is the case, how can one measure
the cost benefit? How much does the Secureware add-in cost in other versions?
How do you know how much it costs? What's the average price difference
between SysV/MLS and SysV?

---Bob
--
Bob Palowoda palowoda@fiver                  | *Home of Fiver BBS*
Home {sun}!ys2!fiver!palowoda                 | 415-623-8809 1200/2400
{pacbell}!indetech!fiver!palowoda             | An XBBS System
Work {sun,pyramid,decwrl}!megatest!palowoda   | 415-623-8806 1200/2400/19.2k TB+
tim@delluk.uucp (Tim Wright) (12/10/90)
In <168@raysnec.UUCP> shwake@raysnec.UUCP (Ray Shwake) writes:
>tim@delluk.uucp (Tim Wright) writes:
>>As has been pointed out, MOST people running unix do NOT want any higher
>>level security than is already provided. It only gets in the way. I get the
>>distinct feeling that if you want "high" levels of security, you shouldn't
>>be running unix in the first place. Any comments ?
> Sorry, Tim, can't agree. Despite all the references to UNIX' "inherent
>lack of security", even plain-vanilla UNIX supports a higher security
>potential than many OS alternatives, even those of "commercial quality".

Sorry Ray, I didn't make myself clear. I didn't mean to imply "Vanilla UNIX"
was insecure. Far from it. I said that a well set up system probably gave as
much security as most people wanted. Having thought about it and discussed it
with those who know considerably more about the subject than myself, I have
changed my mind slightly. I'm not convinced that a vanilla system provides as
much security as people need, but that the implementations of more secure
versions have in general been so appalling (?sp) and detrimental to normal
(i.e. familiar UNIX) system use as to render them unusable/not-used.

I suppose I'd better shut up here and redirect follow-ups to alt.security.

Tim
--
Tim Wright, Dell Computer Corp. (UK)    | Email address
Bracknell, Berkshire, RG12 1RW          | Domain: tim@dell.co.uk
Tel: +44-344-860456                     | Uucp: ...!ukc!delluk!tim
"What's the problem? You've got an IQ of six thousand, haven't you?"
richard@pegasus.com (Richard Foulk) (12/10/90)
> Sorry, Tim, can't agree. Despite all the references to UNIX' "inherent
>lack of security", even plain-vanilla UNIX supports a higher security
>potential than many OS alternatives, even those of "commercial quality".
>
> [...]
>
> I do find it telling that the first C2 certified system (Gould) and
>the first B1 certified system (System V/MLS) were UNIX systems.

What's so telling about Unix having something added to it before other
operating systems? Name another OS where source code is available.
--
Richard Foulk richard@pegasus.com
paul@frcs.UUCP (Paul Nash) (12/12/90)
Thus spake richard@pegasus.com (Richard Foulk):
> > I do find it telling that the first C2 certified system (Gould) and
> >the first B1 certified system (System V/MLS) were UNIX systems.
>
> What's so telling about Unix having something added to it before other
> operating systems? Name another OS where source code is available.

Try IBM's VM/SP. This is (was last time I saw it) _distributed_ as source
code (/370 assembler, but it is source). It is also _far_ less secure (in
terms of ease of break-in) and far more difficult to administer than _any_
*nix that I have encountered (including early Xenix's).

Spake lance@unigold.UUCP (Lance Ellinghouse):
> I am sick and tired of hearing everyone say SCO's C2
> is not worth anything... Here is an example of someplace
> it *DID* help...
>
> Over the next week or two, we had the line locked/disabled
> by C2 every couple days... Finally it stopped for no reason.

The last VM I worked on (VM/SP 4, circa 1988) also had this charming
feature, and it didn't have C2 security! Maybe you should rather buy an IBM
lameframe, and you can have dead dial-ups most of the time :->.

---=---=---=---=---=---=---=---=---=---=---=---=---=---=---=---=---=---
Paul Nash                      Flagship Wide Area Networks (Pty) Ltd
paul@frcs.UUCP                 ...!uunet!ddsw1!proxima!frcs!paul
lws@comm.wang.com (Lyle Seaman) (12/27/90)
palowoda@fiver (Bob Palowoda) writes:
>From article <168@raysnec.UUCP>, by shwake@raysnec.UUCP (Ray Shwake):
>> Yes, many people do NOT want a higher level of security than is
>> already provided, since security costs in both human and system resources
>> without obvious benefit - at least, not until you need it!
> I was under the impression that (at least with SCO's UNIX) you have
>to buy C2. Or am I wrong here. If this is the case how can one measure
>the cost benefit? How much does Secureware addin cost in other versions?
>How do you know how much it costs?

Ray wasn't speaking of dollars, Bob. He was speaking of the more nebulous
"lost time" and "wasted CPU cycles". I don't know how you establish
exactly what values those have in order to measure the cost benefit, I
guess you'll have to ask Southwestern Bell that.

But you don't have to know exactly what the dollar cost is to know that
the human cost (my time, yours, etc) is too much.
--
Lyle Wang lws@capybara.comm.wang.com 508 967 2322 Lowell, MA, USA
Source code: the _ultimate_ documentation.
palowoda@fiver (Bob Palowoda) (12/27/90)
From article <1990Dec26.223213.2988@comm.wang.com>, by lws@comm.wang.com (Lyle Seaman):
[Questions about how much SecureWare is worth deleted]
> Ray wasn't speaking of dollars, Bob. He was speaking of the more nebulous
> "lost time" and "wasted CPU cycles". I don't know how you establish
> exactly what values those have in order to measure the cost benefit, I
> guess you'll have to ask Southwestern Bell that.

Well ok, Ray may not have been relating it to any dollar value. But I'm
sure the cost of the SecureWare addition could be determined somehow.
That's all I was looking for. At least this may be a start into tracking
how much security is costing. Something like buying a burglar alarm for a car.

> But you don't have to know exactly what the dollar cost is to know that
> the human cost (my time, yours, etc) is too much.

It's like selling insurance.

---Bob
--
Bob Palowoda palowoda@fiver.uucp             | *Home of Fiver BBS*
Home {sun}!ys2!fiver!palowoda                 | 415-623-8809 1200/2400
{pacbell}!indetech!fiver!palowoda             |
Work {sun,pyramid,decwrl}!megatest!palowoda   | 415-623-8806 1200/2400/19.2k TB+
allbery@NCoast.ORG (Brandon S. Allbery KB8JRR) (12/29/90)
As quoted from <1990Dec27.051728.12035@fiver> by palowoda@fiver (Bob Palowoda):
+---------------
| > But you don't have to know exactly what the dollar cost is to know that
| > the human cost (my time, yours, etc) is too much.
|
| It's like selling insurance.
+---------------

Insurance policies don't jump out and prevent you from walking near
construction sites on the grounds that someone might drop something from the
top of the building under construction and it might hit you. SCO "UNIX" (or,
more precisely, SecureWare) does. Why is this a problem? What happens when I
*work* at the construction site?

++Brandon
--
Me: Brandon S. Allbery                    VHF/UHF: KB8JRR on 220, 2m, 440
Internet: allbery@NCoast.ORG              Packet: KB8JRR @ WA8BXN
America OnLine: KB8JRR                    AMPR: KB8JRR.AmPR.ORG [44.70.4.88]
uunet!usenet.ins.cwru.edu!ncoast!allbery  Delphi: ALLBERY
fmiller@dobie.UUCP (Fred Miller) (12/30/90)
In article <1990Dec29.044954.2167@NCoast.ORG>, allbery@NCoast.ORG (Brandon S. Allbery KB8JRR) writes:
> As quoted from <1990Dec27.051728.12035@fiver> by palowoda@fiver (Bob Palowoda):
> +---------------
> | > But you don't have to know exactly what the dollar cost is to know that
> | > the human cost (my time, yours, etc) is too much.
> |
> | It's like selling insurance.
> +---------------
>
> Insurance policies don't jump out and prevent you from walking near
> construction sites on the grounds that someone might drop something from the
> top of the building under construction and it might hit you. SCO "UNIX" (or,
> more precisely, SecureWare) does. Why is this a problem? What happens when I
> *work* at the construction site?
>
> ++Brandon

I couldn't help but add the following humor, since it fits in so well with
your comments! I hope you enjoy it!

Fred

LOST PRESENCE OF MIND

Dear Sir:

I am writing in response to your request for additional information. In
block #3 of the accident reporting form, I put "Lost presence of mind" as
the cause of my accident. You said in your letter, that I should explain
more fully, and I trust that the following details will be sufficient.

I am a bricklayer by trade. On the day of the accident, I was working alone
on the roof of a six story building. When I completed my work, I discovered
that I had about 500 lbs. of brick left over. Rather than carrying the
bricks down by hand, I decided to lower them in a barrel by using a pulley
which fortunately was attached to the side of the building at the sixth
floor.

Securing the rope at ground level, I went up to the roof, swung the barrel
out, and loaded the brick into it. Then I went back to the ground and untied
the rope, holding it tightly to insure a slow descent of the 500 lbs. of
bricks. You will note in block #11 of the accident reporting form, that I
weigh 135 lbs.

Due to my surprise at being jerked off the ground so suddenly, I "lost my
presence of mind", and forgot to let go of the rope. Needless to say, I
proceeded at a rather rapid rate up the side of the building.

In the vicinity of the third floor, I met the barrel coming down. This
explains the fractured skull and broken collarbone.

Slowed only slightly, I continued my rapid ascent, not stopping until the
fingers of my right hand were two-knuckles deep into the pulley.
Fortunately, by this time I had regained my "presence of mind" and was able
to hold tightly to the rope in spite of the pain.

At approximately the same time, however, the barrel of bricks hit the
ground with such force, that the bottom fell out. Devoid of the weight of
the bricks, the barrel now weighed approximately 50 lbs.

I refer you again to my weight in block #11. As you might imagine, I began a
rapid descent down the side of the building. In the vicinity of the third
floor, I met the barrel coming up. This accounts for the two fractured
ankles and the lacerations of my legs and lower body.

This encounter with the barrel slowed me enough to lessen my injuries when I
fell into the pile of bricks, and fortunately, only three vertebrae were
cracked.

I am sorry to report, however, that as I lay there on the bricks, in pain
and unable to stand, and watching the empty barrel six stories above me, I
again "lost presence of mind".....I let go of the rope.