Date: Mon, 10 Aug 1992 15:51:38 GMT
From: jmcarli@SRV.PACBELL.COM (Jerry M. Carlin)
Subject: File 2--Bell System Policies - in Re CuD 4.35

((MODERATORS' COMMENT: We asked Jerry Carlin and John Higdon to frame their discussion of Bell System/Bellcore policies as a point-counterpoint exchange. We found their discussion exceptionally informative and commend them for putting together a stimulating sequence of posts)).

In CuD 4.35, John Higdon wrote:

>But the policy of "The Bell System" and now Bellcore and the RBOCs
>seems to be to do nothing about any such problems and wait for some
>phreak to get caught with a hand in the cookie jar...

I'm not going to argue history, but John's contention that Bellcore and the RBOCs are doing nothing is incorrect. BTW, I work for PacBell. Some examples:

Bellcore has issued "Technical Advisories" on the subject of security, including FA-NWT-000835 "Generic Framework Requirements for Network Element and Network System Security Administration Messages" and FA-STS-001324 "Framework Generic Requirements for X Window System Security".

They participate in security organizations such as IEEE P1003.6, doing security standards for POSIX (UNIX), and ISO/IEC JTC1/SC27 and ANSI X3T4 (a mouthful :-). I personally voted on the last draft of P1003.6, spending quite a bit of time to try to fathom a very large document.

Also, a set of Bellcore security requirements forms a large part of a draft NIST "Minimum Security Functionality Requirements for Multi-User Operating Systems" (MSFR) document designed to replace the DoD Orange Book.

They are doing work on using Kerberos and exploring OSF/DCE security features to increase the robustness of distributed applications.

We (PacBell) have spent millions of dollars implementing various security measures, including security packages (RACF for MVS) and using Security Dynamics "SecureID" cards for dial access. We have been working on enhancing UNIX security.
Bellcore has developed a UNIX Security Toolkit which added many features to the basic scripts first outlined in the book "UNIX System Security" by Wood & Kochan. They added a one-week course on UNIX security to their curriculum. We and they now have security components to reviews of applications.

Bellcore developed a set of UNIX security requirements and asked all the major vendors to respond. Systems security is now part of the purchasing decisions.

Is all of this enough? Well, that is another argument, but I hope it's clear that Bellcore and PacBell (and the other RBOCs) are "doing something".

++++
Jerry M. Carlin (510) 823-2441 jmcarli@srv.pacbell.com
Alchemical Engineer and Virtual Realist