Hi Craig,
At 01:34 -0700 2004-06-23, Craig Lant wrote:
>As to the idea that "no network-accessible vulnerabilities requiring
>patches are likely" for <such and such>, so we should give a blanket
>exception to <such and such>, I don't see that as valid.
That's not what I was advocating; my apologies for any ambiguities
in my wording of my previous messages that led you to believe that.
The first item in the policy section of the campus minimum security
standards implies - at least to me - that any software for which
vendors have stopped providing patches cannot run on the campus
network.
If that is indeed what that item means, this would prevent users
from running Mac OS 8.x and 9.x and compel them to upgrade to Mac
OS X, another Unix-based OS, Linux, or Windows XP. That would likely
be counterproductive from a network security standpoint, to put it
bluntly.
There may be many good reasons to try to migrate users of Mac OS 8
and 9 to newer OSes, but compelling them to do so in the name of
network security is not one of these.
(Here's a simple question: in the years since the founding of
IST-SNS, how many times has SNS had a security issue affecting a
host running Mac OS 8 or 9 called to its attention?) :-)
Now I understand that the first item in the implementation section
of the standards appears to qualify the corresponding item in the
policy. Based on the implementation section's wording, it may
instead be the case that only hosts with unpatched security
vulnerabilities may see enforcement action, rather than hosts for
which patches are no longer available from their OS vendors.
Moreover, various comments that you, as well as others participating
in the setting and enforcement of these standards, have made in
various campus user group mailing lists would seem to confirm this.
For this reason, it might be good to clarify this: would the
standards -- as interpreted by you and other authors and enforcers
today -- prevent users from running Mac OS 8 and 9 on and after May
1, 2005 ... assuming that no new significant security vulnerabilities
are found in that OS between then and now?
Aron Roberts
Workstation Software Support Group
--
Mac OS 8 and 9 are arguably much more secure than any of the other
current OSes in reasonably widespread use on campus, at least from
the perspective of network attacks and risks posed to other hosts on
the campus network and beyond. (At the console, these OSes are
basically wide open, which may or may not be cause for concern,
vis-à-vis the minimum security standards.)
In these operating systems, 'out of the box':
- No network ports are open.
- Few if any interesting services are offered, and none are
  enabled by default.
- No systemwide command processor is available.
  For instance, Mac OS 8 and 9 offer no command shells and no
  cross-platform scripting languages such as Perl.
  AppleScript, a systemwide scripting language, could be used in
  exploits, but such exploits would need to be specific to the Mac OS
  (limiting their scope) and would typically rely on social engineering
  for execution under Mac OS 8 and 9; there are few if any programmatic
  means of getting AppleScript scripts to run automatically.
- Very few viruses or worms, most of these ancient, with
  an extremely low rate of infection in recent years.
and, most notably:
- A long operating history with:
  o Few reported vulnerabilities, generally minor in impact.
  o A nearly clean slate regarding the hosting and spread of
    malicious code with impacts on other hosts on the network.
  o Few network-accessible vulnerabilities identified.
    As one example, in sharp contrast with IIS and, to a lesser
    extent, Apache, the truly minimal Web Server bundled with
    Mac OS 9 has had no security vulnerabilities identified.
In contrast, we all know the checkered security history of Windows
XP and other Windows OSes, and to a lesser degree, of a number of
Linux and Unix OSes. In addition, Mac OS X, over its relatively
brief history, has had significantly more - and more serious -
security vulnerabilities than Mac OS 8 and 9.
Received on Wed Jun 23 10:33:13 2004