From: Dave Thompson
Newsgroups: comp.lang.ada
Subject: Re: Improving Ada's image - Was: 7E7 Flight Controls Electronics
Date: Thu, 01 Jul 2004 04:08:17 GMT
Organization: AT&T Worldnet

On Tue, 15 Jun 2004 05:21:12 +0400 (MSD), "Alexander E. Kopilovich" wrote:

> I don't know any good definition for "reliable and secure OS", and I don't
> think that there is such a definition. Is QNX (probably written in C) reliable
> and secure? Perhaps yes, but one can say that it has not enough users or that
> it isn't a general-purpose OS. Was Multics reliable and secure? Perhaps yes,
> but one can say that it was not tested in an environment comparable with that
> in which Windows lives - millions of users, many of them almost illiterate and
> some of them wicked.

Multics was consciously designed to be used primarily by people who were not computer experts and some (though hopefully not many) malicious experts. (I assume you don't really mean illiterate, as user interfaces = terminals then were nearly all character/textual.)
No system on hardware of the time supported more than hundreds or maybe a thousand users, and I'm not sure how well it would have scaled; but it definitely did provide security -- modulo bugs of course, and there were some -- in those cases, including I believe on the mil sites "tiger" teams, and on my edu site definitely quite clever hackers (in the original/true meaning) who were certainly sometimes mischievous though not truly wicked. (That is, they would try to break security, but motivated only to demonstrate their ability and perhaps play jokes, not to actually steal, interfere, deceive, or damage.)

Besides the design -- which as already noted does depend, critically, on hardware support and thus couldn't use, then and probably now, "standard" or commodity hardware -- the key was/is that it not be *administered* by incompetents; system managers and group/project managers do need to know quite a bit to set up policies and defaults that suitably secure (and restrict) ordinary users.

For example, active content in email (or the Web) hadn't been dreamt of then, but if it were/is desired, it should have been/be possible to put say mail in a highish ring like 2 or 3 protected against even unintentional weakening by users, and able to force the untrustworthy content to say ring 7 with access as limited as desired.

The one new problem that I believe Multics never tackled is secure sharing of a graphics/windowing display; even ignoring blatantly dangerous designs like MSWindows, X for example has had issues with covert channels. I think this should be doable but don't know that anyone has.

It was also designed to be reliable, even in the face of component failures, although I didn't really experience that because we were in effect an experimental site who *deliberately* shut down fairly often.

- David.Thompson1 at worldnet.att.net
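The ring arrangement the post sketches (mail kept in a low-numbered, more privileged ring that ordinary users cannot weaken, untrusted content pushed out to ring 7) can be made concrete with a small model of Multics-style ring brackets. The following is an added example, not code from the post or from Multics; it follows the published Multics rule that each segment carries a bracket (r1, r2, r3) with r1 <= r2 <= r3, where rings 0..r1 may write, rings 0..r2 may read or execute, and rings r2+1..r3 may only enter through a gate. The segment names, ring assignments and the simplified call rule are constructed for illustration.

```python
"""Toy model of Multics-style hierarchical protection rings.

Added illustration, not the original post's or Multics' own code. Ring 0 is
most privileged and ring 7 least. Segment names, ring numbers and subjects
below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    name: str
    r1: int          # write bracket: rings 0..r1 may write
    r2: int          # read/execute bracket: rings 0..r2 may read (r1 <= r2)
    r3: int          # call bracket: rings r2+1..r3 may call, via a gate only
    gate: bool = False  # does the segment export gate entry points?

    def __post_init__(self):
        # A malformed bracket would silently widen access, so reject it.
        if not (0 <= self.r1 <= self.r2 <= self.r3 <= 7):
            raise ValueError(f"invalid ring bracket for {self.name}")


def can_write(ring: int, seg: Segment) -> bool:
    """Only rings at or below r1 may modify the segment."""
    return 0 <= ring <= seg.r1


def can_read(ring: int, seg: Segment) -> bool:
    """Rings at or below r2 may read; more privileged rings see less-trusted data."""
    return 0 <= ring <= seg.r2


def can_call(ring: int, seg: Segment) -> bool:
    """Simplified call rule (assumption for this model):
    direct execution inside [r1, r2]; from (r2, r3] only through a gate;
    outside the brackets the call is refused."""
    if seg.r1 <= ring <= seg.r2:
        return True
    if seg.r2 < ring <= seg.r3:
        return seg.gate
    return False


# Constructed scenario matching the post's sketch.
MAIL_STORE = Segment("mail_store", r1=2, r2=2, r3=5, gate=True)   # mail lives in ring 2
USER_HOME = Segment("user_home", r1=4, r2=4, r3=4)                # ordinary user data, ring 4
UNTRUSTED_SCRATCH = Segment("untrusted_scratch", r1=7, r2=7, r3=7)  # active content, ring 7

MAIL_RING = 2        # the mail subsystem itself
USER_RING = 4        # an ordinary interactive user
UNTRUSTED_RING = 7   # executable content arriving by mail


def access(ring: int, seg: Segment) -> dict:
    """Summarise what a subject in `ring` may do to `seg`."""
    return {
        "read": can_read(ring, seg),
        "write": can_write(ring, seg),
        "call": can_call(ring, seg),
    }


def scenario() -> dict:
    """Access each subject has to each segment, keyed by (subject, segment)."""
    subjects = {"mail": MAIL_RING, "user": USER_RING, "untrusted": UNTRUSTED_RING}
    segments = [MAIL_STORE, USER_HOME, UNTRUSTED_SCRATCH]
    return {(who, seg.name): access(ring, seg)
            for who, ring in subjects.items() for seg in segments}


if __name__ == "__main__":
    for (who, seg_name), rights in scenario().items():
        granted = ", ".join(k for k, v in rights.items() if v) or "nothing"
        print(f"{who:>9} (ring) -> {seg_name:<18}: {granted}")
```

Running the block prints the access matrix: the user can reach the mail store only by calling through its gate, cannot write it, and the ring-7 content cannot read or write the user's data at all, while every lower ring can still inspect the ring-7 scratch area. That is the shape of policy the post describes: the ring brackets, not user discipline, decide what the untrusted content can touch.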