[61] in WWW Security List Archive


Re: GSS API...

daemon@ATHENA.MIT.EDU (hallam@dxal18.cern.ch)
Wed Aug 17 21:11:16 1994

From: hallam@dxal18.cern.ch
To: crow!rik@uunet.uu.net, www-security@ns1.rutgers.edu
Cc: hallam@dxal18.cern.ch
In-Reply-To: Your message of "Tue, 16 Aug 94 15:58:42 MST."
             <9408162258.AA01144@crow.spirit.com> 
Date: Wed, 17 Aug 94 10:41:00 +0200


>Two items.  I raised the specter of DLL's being PC-centric.  Most businesses
>talking about HTTP servers are not talking about PC platforms, but UNIX, VMS,
>and only once that I heard of NT.

I think this is more due to NT being very new rather than being any measure of
importance. The userbase for NT is going to be drawn mainly from the VMS and PC
userbases. The VMS userbase is so conservative that they tend to wait six
months before upgrading to new versions of VMS, let alone change OS entirely.
The PC userbase simply doesn't have the resources to run anything sensible yet.
The sort of resources you get from 16Mb and a 100MHz Pentium is small beans
in the UNIX/VMS workstation world.

Within a year we can expect confidence in NT to have reached the point where
people can use it and the standard machine will be 16Mb with the sort of power
you get from a 100MHz Pentium.

DLLs are only the PC name for a very old VMS idea, sharable images. What is
being suggested is a little more though: it's dynamic linking in of functionally
different modules. This is actually possible under VMS as well
(lib$find_image_symbol) (and no doubt some AWK script for UNIX can be found :-).


>Like Bernhardt of Physik.TU-Muenchen.DE mentioned, I am very concerned
>about the security of DLL, or shared library-like tools.  These have been
>a big problem, especially on Sun systems, where an attack might take the
>form of placing a doctored shared library ahead of the appropriate shared
>library.  It would hardly do to create a security mechanism with inherent
>security problems.

Simple: require the shared image to be owned by root. If root is compromised
then everything is.

One reason for having a base mode protection system guaranteed to be there is
to allow checking of such objects. Additional security systems are most likely
to add convenience, logging etc. The bootstrap problem will always remain of
course but that is simply life.

The first step in developing a plug-in module approach is to get the interfaces
consistent so that a relinking type strategy works. Unless this happens any
dynamic solution is never going to work in any case.

Personally I don't see people dynamically calling up security systems and
linking on the fly. But I do see people wanting to call up image processors,
translators, filters etc. on the fly that have been certified by the security
system. OK, so it may be logically possible to do the security on the fly as
well, but let's learn to walk before we start chartering intergalactic cruises.

>Finally, on copyright protection, Roger Masse mentioned watermarks.  I
>had been thinking of a similar idea.  Material you did not want copied
>would be delivered as bitmaps with some depth (for example 256 colors,
>8 bits).  The recipient's name would be encoded in very small changes in
>the bitmap--changes which would be undetectable to the eye, or software, as
>they would appear to be just a shade of difference in color at locations known
>only to the sender.

Such a system would be very inefficient in bandwidth and render the text
useless for automated search. On top of that it is a classic security through
obscurity scheme. Unless you start from random data it is almost certainly
possible to detect such a watermark and corrupt it. The people who work on
attacking such systems do not use the naked eye, they use computer systems.
Given two copies of a picture the differences can be easily found.

Watermarks in film prints have not acted as a deterrent to video pirates.
Such systems have their place but they are not a security system, they are
a monitoring system.

The fact that protects systems such as Reuters is that once data is out
of date it is useless unless you have very large quantities of archived
data, which are useless unless you have good search and retrieval mechanisms.
What is being sold is not the data but the currency and ease of access of that
data. Online systems do not in general need massive copyright protection
systems.

Copyright protection is about revenue maximisation, not stopping violations.


We can incorporate into the protocol elements to indicate to the browser that
a page is not to be saved/copied etc. We cannot guarantee these instructions
are followed unless the browser or other client is within the security
zone. For set top boxes and machines at commercial sites this can be so. For
the hacker in a garage there is no real solution if the system is open.

In Shen there is a tag for this :-

Prohibit: Copy Cache Print Save

Semantics to be defined.... I think that Copy implies that Print and Save
should be disabled. Cache is orthogonal - often a document should not be cached
for other reasons (e.g. it is dynamic).


Phill H-B
