From:	presotto@plan9.att.com
To:	9fans@cse.psu.edu
Date:	Fri, 18 Aug 1995 16:48:37 -0400
Subject: religious wars
Message-Id: <95Aug18.170312edt.46305@colossus.cse.psu.edu>
Sender: owner-9fans@cse.psu.edu
Precedence: bulk
Reply-To: 9fans@cse.psu.edu

We want to make clear why we fear clear passwords
entering the telnet/ftp/etc code.

If one takes Vadim's argument to the extreme, he
should eliminate passwords internally since he
has adequate protection, trusts everyone
internally, and Plan 9 is just a toy system.
We ran that way ourselves for years
(till management started using Plan 9 and wanted
something better to keep us from seeing
their secret stuff).

Replacing ARP entries, changing MAC addresses, and
taking over active sessions cause denial or
interruption of service to people and are more
likely to be detected.  The first two don't even work
unless you are on the same side of a gateway.

Just stealing passwords is much harder to detect
since it is entirely passive.  It works an arbitrary
number of hops away.  Once acquired,
the passwords are usable to set up new connections
at any time as compared to the above attacks that
are once only.  These are hardly similar.

In AT&T we are protected by a firewall similar to
what you describe, one of the first in fact and
built by our group.  However, we still have people
constantly creating backdoors to the internet all
over the company, sometimes because we merge with
(or buy out) someone that already has a less protected
gateway, sometimes because someone finds the current
firewalls confining and gets their own links.  Creating
crappy internal security just allows others to take
advantage of these lapses.

Also, we use multiple networks, not just broadcast
media like ethernet.  Our ATM and Datakit networks aren't
susceptible to spoofing though they can be snooped.
In these, our security is infinitely better than
clear passwords.

In short, passwords in the clear are a worse mechanism
than what we have.  As Vadim points out, it could be better.

The main reason for wanting passwords
is that they make access from Unix or DOS easier.
Our biggest fear is that this pressure will make
passwords a default mechanism.  We'd rather see
people working on getting Unix and DOS to use
better security or making Plan 9 security
tighter like adding exponential key exchange than
to add options to Plan 9 to make it less secure.
Just the ability to do passwords in the clear is
the first step down a very steep slope.  Climbing
back up again is real hard.  We have a chance for
a system that never goes that route, why blow it?
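The contrast the message draws, a passively sniffed password that is reusable on every later connection versus an exponential (Diffie-Hellman style) key exchange whose sniffed values are useless for a new connection, worked through as an added Python example. This is not Plan 9 code or anything from the 9fans thread; the toy group parameters and the key-proof format are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group parameters, constructed for this example only. A real deployment
# uses a standardized safe-prime group of 2048 bits or more.
P = (1 << 127) - 1  # the Mersenne prime 2^127 - 1
G = 3

def dh_keypair():
    """Fresh per-connection private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def session_proof(key):
    """What the client sends to show it holds the session key (hypothetical
    proof format: a hash of the key, not any real protocol's message)."""
    return hashlib.sha256(key.to_bytes(16, "big")).hexdigest()

def run_connection():
    """One login. Returns both sides' keys plus everything a passive sniffer
    any number of hops away could record: the two public values and the
    proof. The private exponents never leave their hosts."""
    a, A = dh_keypair()          # client side
    b, B = dh_keypair()          # server side
    k_client = pow(B, a, P)
    k_server = pow(A, b, P)
    sniffed = {"A": A, "B": B, "proof": session_proof(k_client)}
    return k_client, k_server, sniffed

def server_accepts(server_priv, client_pub, proof):
    """Server-side check of a client's proof against its own derived key."""
    return proof == session_proof(pow(client_pub, server_priv, P))

def replay_sniffed_exchange(sniffed):
    """Someone holding only the sniffed values opens a new connection and
    replays them. The server picks a fresh exponent, so the old proof no
    longer matches: the capture is single-use, unlike a password."""
    b2, _ = dh_keypair()
    return server_accepts(b2, sniffed["A"], sniffed["proof"])

def replay_sniffed_password(stored, sniffed_password):
    """The cleartext-password case the message warns about: the capture is
    exactly the credential, so it works on every later connection."""
    return stored == sniffed_password
```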