On January 6, 2022 at 18:12 karl@cavebear.com (Karl Auerbach) wrote:
On 1/6/22 5:05 PM, bzs@theworld.com wrote:
We never designed it to do things which require so much security. ...
The net was designed to share pictures of cats...
Our mileage is varying. There are diverse histories of the net - the history of the net does kinda resemble that fabled elephant and the blind men.
I worked for the US Joint Chiefs of Staff back in the early 1970's and then for various three-letter US agencies in Maryland for much of the rest of that decade. We started with ARPAnet technology and moved forward. Our focus was operating system and network security (for which I designed and built the first verified B-level secure operating system.)
The Orange Book (which defined A/B/C security) was mostly about compartmentalization, how to keep people with different levels of clearance, or just no "need to know", away from each other on shared mainframes. With an eye towards the possibility that some of those people on the inside might be hostile actors. It was obsolesced by computers becoming cheap enough that you just didn't share resources between disjoint departments, and other factors. No doubt when networks were introduced they developed similar concerns on shared networks within secure facilities but these weren't shared with public networks in general (I'm sure there were exceptions, these are huge organizations.) So it wasn't about how to securely take credit card and other information from otherwise unvetted parties across uncontrolled public networks. It was about keeping information marked confidential out of the hands of the people down the hall if they had no clearance.
Anyway... it was always our goal back then to bake security deeply into the net. And by the latter part of the 1970's we had invented a lot of stuff that had to be re-invented later, such as IPsec, key management, virtual networks, and lots and lots of software/hardware that used security tagging and capabilities. We actually implemented most of these things and got them working in production environments.
(Why re-invented? Because we were doing stuff for agencies that were extremely paranoid about national security implications - remember during the 1970's the cold war was running very hot. So we could not publish anything about what we worked on.)
I think the disconnect here is "public networks" and commerce etc on those public networks. Yes computer and network security has long been an active topic, some of it going back before the first ARPAnet projects (e.g., Multics, rings of security, ca 1969.) But securing commerce and connection to an open, public network was a new idea beyond logins, passwords and similar. When was the first RFC regarding anything much beyond logins and passwords? I could go look. Anyhow, Apples vs Orange Books. -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*