Re: Basic Flaws in Internet Security and Commerce

>A fine piece of work.  The ideas expressed in this paper should scare
>the hell out of everyone who uses NFS for any serious applications,
>which for a fact includes most banks and all investment banks and
>brokerage houses.  In this particular area I KNOW what is at risk.
>Again, I congratulate the authors on a first-class effort.

The real issue is not NFS itself but RPC and the interface layer between
the system and these layered services. In fact holes also exist in RLOGIN,
REXEC, and RSH (ports 512, 513, and 514).

Can't tell you how many secure systems we have broken because of these
little goodies.

The real issue is that by itself TCP/IP has no security to speak of, and
more importantly the concept of secure messaging goes much farther than
just keeping prying eyes off the data contained within. For instance,
Commerce Models require synchronization of process events in order to manage
OLTP properly. TCP/IP in and of itself is really unusable for these tasks
without something like the ISIS messaging protocol and process control
interface above the protocol stack.

All in all it's a complex nut to crack.


>    paul
>> From [email protected] Tue Oct 10 03:15:15 1995
>> From: [email protected] (Paul_A Gauthier)
>> To: [email protected], [email protected]
>> Cc: [email protected], [email protected], [email protected],
>>         [email protected], [email protected]
>> Subject: Basic Flaws in Internet Security and Commerce
>> Date: Mon, 09 Oct 1995 14:26:06 -0700
>> Sender: [email protected]
>> Content-Length: 10235


T. S. Glassey
Chief Technologist
Looking Glass Technologies
[email protected]
