DEVELOPER CAMP

Trapped in A Time Warp

Simson L. Garfinkel

With all the talk about the nation's growing information superhighway, those of us who have the privilege of sitting in front of networked computers are increasingly concerned about computer security. And as NEXTSTEP developers deploy mission-critical custom applications into trading floors, banks, and hospitals, computer security has become a concern for all NeXT customers.

So it's somewhat surprising that NEXTSTEP's model for computer security seems to be trapped in a time warp that dates back to NeXT's founding in 1985. NeXT still offers standard Berkeley UNIX 4.2 tools: Pick a good password, don't put anybody in your .rhosts file whom you don't trust, and don't use NFS to export a file system to untrustworthy hosts.

Unfortunately, state-of-the-art security in 1985 just isn't good enough for 1994. Customers should be able to put their workstations on the Internet without giving away the keys to their business.

NeXT did make one foray into the wacky world of computer security two years ago, when, at the 1992 NeXTWORLD Expo, Steve Jobs demonstrated new encryption facilities that had been developed for NeXTmail and the workspace. Computer security, or at least encryption, would be part of NEXTSTEP 3.0, Jobs told a rapt crowd. Unfortunately, he spoke too soon. But it wasn't a question of whether NeXT's so-called "Fast Elliptic Encryption" violated existing patents on public-key encryption; the real problem was Ð and remains Ð U.S. export restrictions on cryptographic technology. NeXT can't embed encryption algorithms inside its operating system and sell it overseas.

Encryption aside, there have been a lot of significant advances in computer security since 1985. Applications based upon these developments are now finding their way into the operating systems of NeXT's competitors. Plain and simple, NeXT has some catching up to do:

NeXT should adopt MIT's Kerberos system for network security as the basis for its security model. (The Open Software Foundation has already made a Kerberos-based system a fundamental part of its DCE.) Kerberos could provide badly needed security for NeXT's NFS network file system, distributed objects, Display PostScript, and access to the workspace.
NeXT should license the Andrew File System (AFS) from Transarc and bundle it into the kernel or make it available as a reasonably priced add-on.
NeXT should update its NFS to incorporate TCP-based NFS, which provides better security and, as an added benefit, better performance over SLIP and PPP links.
NeXT should create an authentication API for its log-in panel or, better yet, embed provisions for token-based security systems such as Security Dynamics' SecurID card.

Perhaps the new partnership with Sun will nudge NeXT into improving NEXTSTEP security. While Sun is no standard-bearer in offering secure systems (it was laziness on the part of Sun's programmers that made possible the 1988 Internet Worm), it has a reputation of taking security more seriously than the folks in Redwood City.

One thing, however, is certain: Implementing security is hard, thankless work. It takes expensive, high-powered programmers who are skilled in the art. And if everything works as planned, you'll never know if your security measures are effective or not. Indeed, most companies discover problems with system security only when it's too late.

Simson L. Garfinkel is a senior contributing editor to NeXTWORLD.