GNU, security, and RMS

hznx at vax5.CIT.CORNELL.EDU
Fri Jun 9 08:42:12 AEST 1989


In article <19930 at adm.BRL.MIL> bzs at bu-cs.bu.edu (Barry Shein) writes:
>
>Will someone explain to me exactly how usernames and passwords and
>file protections (a not unknown form of security) will protect against
>computer viruses?? These are often introduced into the system by
>unwitting bona-fide users, hiding in a useful looking program picked
>up somewhere.

Exactly.  Let's take the analogy to an office with a single-user PC a step
further.  If your office is in America, you have a door with a lock on it,
to keep unauthorized persons out.  You may have a burglar alarm, to alert
you when an unauthorized person gets in.  Thanks to this control that YOU
have over YOUR personal machine, you can keep all nincompoops and other
negligent computer users away.

Look at all the "free" security you get with this arrangement!  The lock
works because only authorized users have keys, picking the lock is difficult,
and the chance of getting caught is significant (if low).  The burglar alarm
works because it is not able to be compromised by the burglar; furthermore,
it brings the police to the scene.  As far as nonmalicious users go, you
simply keep them away.

Yet even this is not enough.  Single-user machines run by all types of users
fall victim to accidental reformats, accidental file deletion, and system
crashes due to incorrect software installation.  Viruses propagate because
programs perform actions they should not be doing (modifying executable files,
parts of the OS in memory, etc.).

So the single user takes precautions:  lots of backups, format recovery
programs, antivirus software.  And when the system goes down, the single
user might spend a few hours restoring from the backup and a few more
recovering his data.  No big deal.

Remote-access multiuser machines do not have any of these luxuries.  The
chance of getting caught while "picking the lock" is extremely low. 
Unsocial youths turn to cracking instead of picking high-security locks,
partly because of the unlikelihood of getting caught.  Burglar alarms
(audit trails) are useless if they can be changed by the burglar, if they
are hard to read, or if the end result is not some punishment.  And without
*strict* login security, you never can know whether your best friend replaced
version 2.1 with version 1.3 or whether a cracker faked his account.  Can you?

Accidental problems grow exponentially without security, since there are more
users who can make mistakes and more users who must restart their work whenever
any one user screws up.  Viruses damage everyone's work, not only the hapless
soul who contracted it.

Security reduces (does not eliminate) these problems.  Access vandalism can
be no more common than physical vandalism iff access restrictions are used.
The damage of viruses and Trojans can be limited to a much smaller amount of
data and their frequency can be reduced: if the virus can't scramble my
program's or the system's data, it has been killed.  File protections
(coupled, of course, with login restrictions) are the only means to do this
on a multi-user system.  And protection is needed to secure an audit trail;
someone must maintain it and make it available to *some* other people.

Sure, not all systems need security.  UNIX-like systems, because they are
used in environments where the above problems are/can be commonplace, do need
security.  To claim that high security should not be available as an integral,
unhacked part of the OS (because not everyone needs it) is similar to tossing
out "awk."

The default issue is moot.  If the sysadmin is incapable of changing defaults,
he'll have far more serious problems than security.  If he's just lazy, he'll
have problems with both security and free exchange of information.

Remember.  I grew up in a small, homogeneous, moral community in the farming
state of South Dakota.  None of our neighbors would ever commit a crime.
But we locked our doors every night.  Did it impair our sense of community?
No, because we had a doorbell: if someone wanted to come in, they would
ring it.  It's a small price to pay when compared to the benefits.  All the
sysadmins I know keep a mailbox for those who wish access to protected stuff.

In the real world, there are some things I do not tell anyone else; there are
some things I tell only my close friends; there are some things that *must*
be protected from my business competitors.  Until competition (not just
capitalism) ceases, I let stated enemies read not only my diary but my mind,
and I leave the door to my office (or home) unlocked when the police are on
vacation, I want security.  It can be abused.  But that's a personal issue.

>	-Barry Shein

Dan Dulitz
hznx at vax5.cit.cornell.edu
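As an added illustration of the post's point that file protections decide whether a program can modify executables it should not touch (this is an editor's example, not part of the original post or thread): a small Python audit that applies the standard Unix owner/group/other write bits to find executables an unprivileged user could overwrite. The directory, file names, and the uid/gid values 12345 are constructed for the demo.

```python
import os
import stat
import tempfile

def user_can_write(mode, file_uid, file_gid, uid, gids):
    """Unix DAC write check: root always may; the owner is judged by the owner
    bit only, a group member by the group bit only, everyone else by 'other'."""
    if uid == 0:
        return True
    if file_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def writable_executables(directories, uid, gids):
    """Sorted paths of regular executable files in `directories` that a process
    running as `uid` (member of `gids`) could overwrite: the places where a
    program that modifies executables, as the post describes, could persist."""
    hits = []
    for d in directories:
        try:
            names = os.listdir(d)
        except OSError:
            continue  # unreadable or missing directory: nothing to audit
        for name in names:
            path = os.path.join(d, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            is_exec = st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
            if (stat.S_ISREG(st.st_mode) and is_exec
                    and user_can_write(st.st_mode, st.st_uid, st.st_gid, uid, gids)):
                hits.append(path)
    return sorted(hits)

def demo():
    """Constructed example: a bin directory with one correctly protected tool
    (mode 755) and one world-writable tool (mode 777), audited as an unrelated
    unprivileged user (assumed uid 12345, sole group 12345)."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("safe-tool", 0o755), ("loose-tool", 0o777)):
            path = os.path.join(d, name)
            with open(path, "w") as f:
                f.write("#!/bin/sh\necho hello\n")
            os.chmod(path, mode)
        found = writable_executables([d], uid=12345, gids={12345})
        return [os.path.basename(p) for p in found]  # expected: ['loose-tool']
```

Run `demo()` on a Unix host; pointing `writable_executables` at real PATH directories with the calling user's own uid and groups gives the same audit for a live system.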



More information about the Comp.unix.wizards mailing list