Date: Thu, 10 Oct 2002 18:10:21 -0400 (EDT)
From: Robert Watson <rwatson@FreeBSD.ORG>
To: Steve Kudlak <chromexa@ovis.net>
Cc: "Roman V. Mashak" <mrv@tv2.tomsk.ru>, "'hackers@freebsd.org'" <hackers@FreeBSD.ORG>, "Nelson, Trent ." <tnelson@switch.com>
Subject: Re: C-2(Security) blues and the like
Message-ID: <Pine.NEB.3.96L.1021010180927.39392F-100000@fledge.watson.org>
In-Reply-To: <3DA5A764.68AA7199@ovis.net>

On Thu, 10 Oct 2002, Steve Kudlak wrote:

> It has been a long time since I dealt with those arcane security
> matters. At least they are obscure and arcane to most people. Many
> consider me to be babbling when I go on about these things. If I start
> saying "rainbow books" (the NSA's security books are in different
> colors) many people assume that I am crazy. :)
>
> Most of the stuff I did involved C-2 security and all the logging and
> authentication stuff. An assumption seems to have been made that
> "logging in" via ftp was the same as logging in via tty or machine. This
> is not so. The ftp code "establishes a user"; the login code gets the
> user a shell and all that. For a while in some OSes with C-2 security if
> one was going to mount a dictionary attack on some user or even root,
> ftp would have been a way to go. It would allow one a large amount of
> attacks with logging. One would definitely get more than 3 attempts to
> "login". It was a way around C-2 security and was in my opinion a
> pretty serious compromise. Logging ftp "logins" and ftp use were
> proposed fixes. I just had to find the problems not fix them.
>
> Hmmm...maybe I will post this to BSD hackers and if someone says it is
> off topic I will shut up. Perhaps I should as this info is kind of old.
> But it is important to watch for these little back door tricks. Note I
> have not as of late read the FreeBSD ftp code. Perhaps I should.

This would be on topic for trustedbsd-discuss@TrustedBSD.org, but you
should go review current language, documents, and specifications, or
you'll cover a lot of previously covered ground. The first thing you are
probably interested in is the Common Criteria description, which I believe
is available from ISO.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories
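
Added example, not part of either message and not FreeBSD code: the quoted point about ftp being a second authentication path outside the 3-attempt limit, shown as a failure counter that flags a user only when every path is counted together. The log line format, service names and sample entries are constructed for illustration and do not reproduce any real daemon's output.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified format (assumption, not real syslog):
# "<epoch> <service> AUTH_FAIL user=<name> from=<source>"
SAMPLE_LOG = """\
1000 login AUTH_FAIL user=root from=ttyv0
1010 ftpd AUTH_FAIL user=root from=192.0.2.7
1012 ftpd AUTH_FAIL user=root from=192.0.2.7
1015 ftpd AUTH_FAIL user=root from=192.0.2.7
1020 ftpd AUTH_FAIL user=root from=192.0.2.7
1030 login AUTH_FAIL user=alice from=ttyv1
5000 ftpd AUTH_FAIL user=alice from=192.0.2.9
"""

LINE_RE = re.compile(r"^(\d+) (\S+) AUTH_FAIL user=(\S+) from=(\S+)$")

def parse(log):
    """Yield (timestamp, service, user) for each well-formed failure line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)

def flagged_users(log, limit=3, window=300, services=None):
    """Return {user: most failures seen in any `window` seconds} where that
    count exceeds `limit`. services=None counts all authentication paths."""
    times = defaultdict(list)
    for ts, svc, user in parse(log):
        if services is None or svc in services:
            times[user].append(ts)
    result = {}
    for user, stamps in times.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted times
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best > limit:
            result[user] = best
    return result

if __name__ == "__main__":
    print("login only:", flagged_users(SAMPLE_LOG, services={"login"}))
    print("all paths: ", flagged_users(SAMPLE_LOG))
```
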