Security of the internet

[David Farber <farber () central cis upenn edu>]

[ "Users of the net must understand that it is an "open" net.  They may not rely
upon the security of such a network.  They may not rely upon the apparent
origin or destination of the messages.  They may not rely upon the behavior of
privileged users (system managers et. al.) within the net.  They not rely upon
the polite behavior of users of the net." so says the below author. I
wonder if most users and even companies understand this. I DOUBT it. Wonder
how far the telephone system would have gotten with such an attitude? We
are building a new world wide coimmunications system NOT a toy!!! (I
hope).. djf]






Date:  Thu, 4 Nov 93 06:50 EST
From: WHMurray () DOCKMASTER NCSC MIL
Subject:  Security of the internet


Our esteemed moderator complains as follows (aside, but in normal voice from a
high pulpit):


> ....which is that system and network security stinks in most
> systems, particularly those on the Internet.


Not true, Peter.  System security stinks on one system in five in the
internet.  This is not "most."  However, it is sufficient to put the whole net
at risk.


The level of security in the internet is.  That is to say it is a given; the
laws associated with large numbers make it resistant to change.


It is sufficient for most of the applications or uses of the net.  Otherwise,
by definition, the uses would not take place.  At the same time it is
insufficient for many of the applications.


Users of the net must understand that it is an "open" net.  They may not rely
upon the security of such a network.  They may not rely upon the apparent
origin or destination of the messages.  They may not rely upon the behavior of
privileged users (system managers et. al.) within the net.  They not rely upon
the polite behavior of users of the net.


This is not because the origin and destination of many messages are forged,
that many privileged users are malicious, or that most users are rude.  If
this were the case, the net would simply disintegrate.  Rather, it is simply
in the nature of an open network that some will be.


If it is important to your application that a message came from where it
appears to have come from, then you had better have sufficient evidence,
independent of that which the net provides you, that that is where it came
from.  If it is important to you that your message not be seen by anyone other
than its addressee, you had better talk in a code that only you and he
understand.


It is now relatively simple to automate such protection for your traffic at
the application layer.  Once automated its use will be simple and transparent.
You will be able to enjoy both the wide connectivity and economy provided by
the net and the security required for your application.


It is unrealistic to expect to get both, by default, from the same mechanism.
The real world does not work that way.


William Hugh Murray, Executive Consultant, 49 Locust Avenue, Suite 104; New
Canaan, Connecticut 06840 1-0-ATT-0-700-WMURRAY; WHMurray () DOCKMASTER NCSC MIL


------------------------------


Date: Fri, 5 Nov 93 16:40:18 PST
From: RISKS Forum <risks () csl sri com>
Subject: Re: Security of the internet


Bill, Consider the network as a system in the large.  If almost all of those
systems use passwords, their security stinks.  [Only a few systems today use
token authenticators.]


If a Trojan horse in my system captures a password on your system as a result
of an FTP or TELNET from my system to yours, then YOUR system is now
vulnerable to an attack that might permit me to Trojan horse your system,
which in turn can compromise all of the systems that you FTP or TELNET to.  It
is as simple as that.  By induction, virtually the entire net is at risk
sooner or later, by iterative closure [cloture?].


Peter