[At-Large] ICANN Blog : Relying on ICANN Community-Developed Processes for a Safe, Secure Interne

bzs at theworld.com bzs at theworld.com
Fri Jan 7 05:54:45 UTC 2022 

On January 6, 2022 at 18:12 karl at cavebear.com (Karl Auerbach) wrote:
 > 
 > On 1/6/22 5:05 PM, bzs at theworld.com wrote:
 > > We never designed it to do things which require so much security.
 > > ...
 > >
 > > The net was designed to share pictures of cats...
 > 
 > Our mileage is varying.  There are diverse histories of the net - the 
 > history of the net does kinda resemble that fabled elephant and the 
 > blind men.
 > 
 > I worked for the US Joint Chiefs of Staff back in the early 1970's and 
 > then for various three-letter US agencies in Maryland for much of the 
 > rest of that decade.  We started with ARPAnet technology and moved 
 > forward.  Our focus was operating system and network security (for which 
 > I designed and built the first verified B-level secure operating system.)

The Orange Book (which defined A/B/C security) was mostly about
compartmentalization, how to keep people with different levels of
clearance, or just no "need to know", away from each other on shared
mainframes. With an eye towards the possibility that some of those
people on the inside might be hostile actors.

It was obsolesced by computers becoming cheap enough that you just
didn't share resources between disjoint departments, and other
factors.

No doubt when networks were introduced they developed similar concerns
on shared networks within secure facilities but these weren't shared
with public networks in general (I'm sure there were exceptions, these
are huge organizations.)

So it wasn't about how to securely take credit card and other
information from otherwise unvetted parties across uncontrolled public
networks.

It was about keeping information marked confidential out of the hands
of the people down the hall if they had no clearance.

 > 
 > Anyway... it was always our goal back then to bake security deeply into 
 > the net.  And by the latter part of the 1970's we had invented a lot of 
 > stuff that had to be re-invented later, such as IPsec, key management, 
 > virtual networks, and lots and lots of software/hardware that used 
 > security tagging and capabilities.  We actually implemented most of 
 > these things and got them working in production environments.
 > 
 > (Why re-invented?  Because we were doing stuff for agencies that were 
 > extremely paranoid about national security implications - remember 
 > during the 1970's the cold war was running very hot.  So we could not 
 > publish anything about what we worked on.)

I think the disconnect here is "public networks" and commerce etc on
those public networks.

Yes computer and network security has long been an active topic, some
of it going back before the first ARPAnet projects (e.g., Multics,
rings of security, ca 1969.)

But securing commerce and connection to an open, public network was a
new idea beyond logins, passwords and similar.

When was the first RFC regarding anything much beyond logins and
passwords? I could go look.

Anyhow, Apples vs Orange Books.

-- 
        -Barry Shein

Software Tool & Die    | bzs at TheWorld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*

More information about the At-Large mailing list