[55439] in North American Network Operators' Group


Re: Bell Labs or Microsoft security?

daemon@ATHENA.MIT.EDU (Leo Bicknell)
Wed Jan 29 09:44:15 2003

Date: Wed, 29 Jan 2003 09:41:02 -0500
From: Leo Bicknell <bicknell@ufp.org>
To: nanog@merit.edu
Mail-Followup-To: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.44.0301290256580.26281-100000@clifden.donelan.com>
Errors-To: owner-nanog-outgoing@merit.edu




In a message written on Wed, Jan 29, 2003 at 03:32:41AM -0500, Sean Donelan wrote:
> Multics security. Bell Labs answer: Unix. Who needs all that "extra"
> security junk in Multics.  We don't need to protect /etc/passwd because
> we use DES crypt and users always choose strong passwords.  We'll make
> the passwd file world readable so we can translate uid's to usernames.
> Multi-level security? Naw, it's simpler just to make everything Superuser.

A choice made what, 20 years ago?  Almost every major form of unix
moved to shadow password files and/or stronger password protection
years ago.

> FORTRAN/COBOL array bounds checking.  Bell Labs answer: C. Who wants
> the computer to check array lengths or pointers.  Programmers know what
> they are doing, and don't need to be "constrained" by the programming
> language. Everyone knows programmers are better at arithmetic than
> computers.  A programmer would never make an off-by-one error. The
> standard C run-time library.  gets(char *buffer), strcpy(char *dest, char
> *src), what were they thinking?

Again, a choice made perhaps 20 years ago?  New libraries and
languages make solving this problem much easier.  New tools are
available to catch it when it does happen, even in traditional C.

We can't expect people to never make mistakes.  Rather, the bar
must be set that once a mistake is made and understood we strive
never to make it again.  The choices you cite were made at a very
different time, and for very different reasons.  I highly doubt
if Bell Labs had to make choices today that they would choose the
same outcome.

-- 
       Leo Bicknell - bicknell@ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
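Added example (editor's code, not Leo Bicknell's or Sean Donelan's): the bounded replacements for gets() and strcpy() that the reply alludes to when it says newer libraries and tools make the problem easier, written in C. NAME_LEN, LINE_MAX_LEN, the record layout and the sample input lines are assumptions made for the illustration. The unchecked strcpy() form is shown beside the checked one, and the line reader handles the case fgets() alone gets wrong: an over-long line whose remainder would otherwise be read back as the "next" line.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN     16   /* record field size: chosen for this example */
#define LINE_MAX_LEN 64   /* input line buffer size: chosen for this example */

struct user_rec {
    char name[NAME_LEN];
    int  is_admin;        /* right after name: an overflow of name lands here */
};

/* The pattern the post complains about: strcpy() stops at the source's NUL,
 * never at the destination's end. Shown for contrast; never called below. */
void set_name_unchecked(struct user_rec *u, const char *src)
{
    strcpy(u->name, src);
}

/* Bounded replacement: the destination size drives the copy, and a source
 * that does not fit is rejected (-1, dest untouched) rather than silently
 * truncated. memchr() limits the search, so src is never read past NAME_LEN. */
static int set_name_checked(struct user_rec *u, const char *src)
{
    const char *nul = memchr(src, '\0', NAME_LEN);
    if (nul == NULL)
        return -1;
    memcpy(u->name, src, (size_t)(nul - src) + 1);
    return 0;
}

/* gets() replacement. fgets() alone stops after size-1 bytes and leaves the
 * rest of an over-long line in the stream for the next call. Returns 1 for a
 * complete line (newline stripped), 0 at end of input, -1 if it did not fit. */
static int read_line_bounded(char *buf, size_t size, FILE *fp)
{
    size_t len;
    int c;
    if (size == 0 || fgets(buf, (int)size, fp) == NULL)
        return 0;
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    c = fgetc(fp);
    if (c == '\n' || c == EOF)      /* exactly size-1 bytes, or the last line */
        return 1;
    while (c != EOF && c != '\n')   /* drain the rest of the over-long line */
        c = fgetc(fp);
    buf[0] = '\0';
    return -1;
}

/* Does s fit in a record field? 0 if yes, -1 if not. */
static int name_fits(const char *s)
{
    struct user_rec tmp = { "", 0 };
    return set_name_checked(&tmp, s);
}

struct counts { int accepted; int rejected; int overlong; };

/* Feeds text through a real stdio stream (tmpfile() is standard C), reads it
 * line by line and tallies the outcomes; returned so they can be checked. */
static struct counts process_text(const char *text)
{
    struct counts c = { 0, 0, 0 };
    struct user_rec rec = { "", 0 };
    char line[LINE_MAX_LEN];
    FILE *fp = tmpfile();
    int rc;
    if (fp == NULL)
        return c;
    fputs(text, fp);
    rewind(fp);
    while ((rc = read_line_bounded(line, sizeof line, fp)) != 0) {
        if (rc < 0)
            c.overlong++;
        else if (set_name_checked(&rec, line) == 0)
            c.accepted++;
        else
            c.rejected++;
    }
    fclose(fp);
    return c;
}

/* Constructed input: a name that fits, one too long for the field, a line
 * too long for the buffer (80 bytes), and a final name with no newline. */
static const char SAMPLE_INPUT[] =
    "alice\n"
    "this-name-is-longer-than-the-field\n"
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n"
    "bob";

int main(void)
{
    struct counts c = process_text(SAMPLE_INPUT);
    printf("accepted=%d rejected=%d overlong=%d\n", c.accepted, c.rejected, c.overlong);
    return 0;
}
```

Build with `cc -Wall -Wextra` and run; on the sample it reports accepted=2 rejected=1 overlong=1. The rejection instead of truncation in set_name_checked is deliberate: a copy that quietly drops the tail of an identifier produces a different name than the one the caller asked for, which is its own class of bug.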

