Date: Mon, 10 Aug 1992 15:51:38 GMT
From: jmcarli@SRV.PACBELL.COM (Jerry M. Carlin)
Subject: File 2--Bell System Policies - in Re CuD 4.35

((MODERATORS' COMMENT: We asked Jerry Carlin and John Higdon to frame
their discussion of Bell System/Bellcore policies as a
point-counterpoint exchange. We found their discussion exceptionally
informative and commend them for putting together a stimulating
sequence of posts)).

In CuD 4.35, John Higdon wrote:

>But the policy of "The Bell System" and now Bellcore and the RBOCs
>seems to be to do nothing about any such problems and wait for some
>phreak to get caught with a hand in the cookie jar...

I'm not going to argue history but John's contention that Bellcore and
the RBOCs are doing nothing is incorrect. BTW, I work for PacBell.

Some examples:

Bellcore has issued "Technical Advisories" on the subject of
security including FA-NWT-000835 "Generic Framework
Requirements for Network Element and Network System Security
Administration Messages" and FA-STS-001324 "Framework Generic
Requirements for X Window System Security".

They participate in security organizations such as IEEE P1003.6
doing security standards for POSIX (UNIX) and ISO/IEC JTC1/SC27
and ANSI X3T4 (a mouthful :-). I personally voted on the last
draft of P1003.6, spending quite a bit of time to try to fathom
a very large document. Also, a set of Bellcore security
requirements forms a large part of a draft NIST "Minimum
Security Functionality Requirements for Multi-User Operating
Systems" (MSFR) document designed to replace the DoD Orange
Book.

They are doing work on using Kerberos and exploring OSF/DCE
security features to increase the robustness of distributed
applications.

We (Pacbell) have spent millions of dollars implementing
various security measures including security packages (RACF for
MVS) and in using Security Dynamics "SecurID" cards for dial
access.

We have been working on enhancing UNIX security. Bellcore has
developed a UNIX Security Toolkit which added many features to
the basic scripts first outlined in the book "UNIX System
Security" by Wood & Kochan. They added a one-week course on
UNIX security to their curriculum. We and they now have
security components to reviews of applications. Bellcore
developed a set of UNIX security requirements and asked all the
major vendors to respond. Systems security is now part of the
purchasing decisions.

Is all of this enough? Well, that is another argument but I hope it's
clear that Bellcore and Pacbell (and the other RBOCs) are "doing
something".

++++
Jerry M. Carlin (510) 823-2441 jmcarli@srv.pacbell.com
Alchemical Engineer and Virtual Realist