Re: For the AdaOS folks

["Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de>]

On Tue, 04 Jan 2005 13:00:04 -0500, Warren W. Gay VE3WWG wrote:

> Dmitry A. Kazakov wrote:
> 
>You're not a practical man.

Nor you are. We both stick to Ada! (:-))

>>>File systems mitigate access to the thousands of objects
>>>that exist within the file system. In a hierarchical system
>>>of directories, you have upper levels of choke points (in
>>>parent directories), as well as the ability to control
>>>access on the object itself.
>> 
>> Yes, that is the point. Files are primitive, but objects. It is much easier
>> to enforce security in a hierarchical system than in a flat sea of
>> unstructured data.
> 
> But a firewall prevents you from accessing any of my files at home ;-)
> and my files at work.
> 
> Sure, there is also an account+password, more networking, and
> more controls behind it. But the one I really count on Dmitry, is
> that firewall.

But the only need in firewall is the policy of trusting behind it. Any
program may read your address book. Why your address book allows that? The
problem of the firewall approach is that the firewall has to know all
possible ways of misusing all possible system resources. Everything in me
cries that this is a wrong design, per definition wrong.

>>>>Do you need a firewall to tunnel open/close/read/write to floppy
>>>>drives? It would be nonsense. 
>>>
>>>Maybe its not your floppy. Maybe it belongs to
>>>another user (perhaps a student/coworker/spouse).
>> 
>> But how a tunnel might help with that? It does not know who is the owner.
> 
> Not a problem. I can determine who accesses the floppy
> when it is mounted (look up the mount command).

Yes, but once mounted it is accessible for all. Actually it is the file
system with its access rights to the files, that makes access safe, not
only the mount command.

>>>>The problem is that network protocols do not
>>>>have safety of a file system. 
>>>
>>>A file system is confined.
>> 
>> Come on, there were multi-user OSes before Windows. Even UNIX pretended to
>> be one.
> 
> So? Who gets an account? (approved folk).
>
> Who is on the internet? (everyone, including hackers, nobody excluded)

Stop, the definition of a true multi-user system is that ideally you should
be unable to observe any effects of actions of other people (if you do not
want to, of course.) If a hacker cannot influence your work, do you care
whether he has an account or not? The real difference is that in the
internet everybody is "root".

>>>Not at all. While it is not the entire answer to network
>>>security, you court disaster without one. You will not find
>>>one network security expert to suggest what you are promoting.
>> 
>> Sure, why should they kill a hen carrying the gold eggs? (:-)) 
> 
> It sounds like the golden egg is on your system(s) - especially
> if you don't believe in firewalls ;-)

One my colleague adamantly refused to replace Windows NT 4.0 with XP on his
box. He argued that though MS does not plan any new service packs for NT,
neither do viruses developers! (:-))

-- 
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de