Re: Basic Flaws in Internet Security and Commerce

[todd@lgt.com (Todd Glassey)]

>A fine piece of work.  The ideas expressed in this paper should scare
>the hell out of everyone who uses NFS for any serious applications,
>which for a fact includes most banks and all investment banks and
>brokage houses.  In this particular area I KNOW what is at risk.
>Again, I congratulate the authors on a first-class effort.
>
>

The real issue is not NFS itself but RPC and the interface layer between
the system and these layered services. In fact holes also exist in RLOGIN,
REXEC, and RSH (ports 512,513, and 514).

Cant tell you how many secure systems we have broken because of these
little goodies.

The real issue is that by itself TCP/IP has no security to speak of, and
more importantly the concept of secure messaging goes much farther than
just keeping prying eye's off the data contained within. For instance
Commerce Models require synchonization of process events in order to manage
OLTP properly. TCP/IP in and of itself is really unusable for these tasks
without something like the ISIS messageing protocol and process control
1interface above the protocol stack.

All in all it's a complex nut to crack.

Todd

cheers,
>    paul
>
>> From owner-cypherpunks@toad.com Tue Oct 10 03:15:15 1995
>> From: gauthier@espresso.CS.Berkeley.EDU (Paul_A Gauthier)
>> To: cypherpunks@toad.com, bugtraq@crimelab.com
>> Cc: gauthier@cs.Berkeley.EDU, brewer@cs.Berkeley.EDU, iang@cs.Berkeley.EDU,
>>         daw@cs.Berkeley.EDU, fur@netscape.com
>> Subject: Basic Flaws in Internet Security and Commerce
>> Date: Mon, 09 Oct 1995 14:26:06 -0700
>> Sender: owner-cypherpunks@toad.com
>> Content-Length: 10235
>>

Regards,

T. S. Glassey
Chief Technologist
Looking Glass Technologies
todd@lgt.com


-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQB1AwUBMFu5E6gNRnWhagU5AQHI+gL+Mwpcd3lAWd8FF06qcG6rnLhIYveHW71a
XC7xh1T0uu8qnYX31yMp17OG28jWpKUbWec1IM9/eXOi+gInA7rKICWczV8zo9Z0
0puxjRRN7yO4KfRb3cPpk+r0p6pDg01Y
=bTYb
-----END PGP SIGNATURE-----