[mdlug] The new "surface" computer

G Balaji gopinathan.balaji at gmail.com
Wed Jul 18 13:24:22 EDT 2007


I don't recall everything, nor do I recall it correctly, but I think:

1. One of the initial reasons for the introduction of ADS was security.

2. Windows 2000 Professional edition was the only commercial OS (does
this exclude *BSD/Linux?) to be certified by the US Military as
compliant with one of their (top) INFOSEC standards, and I think
ADS played a big part in it.

3. ADS, in secure environments, is used to increase security by
placing additional file attributes - say, a document can be marked as
non-printable, even if it is readable and writable. It can also be
used to embed file-application attributes - say, a document can be
opened only with Application X. It can also be used to embed
file-application-user attributes - say, a document can be printable
only by user X and only by using application Y. If these features of
ADS are used in the right secure environments, a file cannot be
compromised (modified/copied/sent over the network, etc.) as long as
the (securely hardened) operating system is running. These are in
addition to the security restrictions (ownership, group rights, disk
quota restrictions, etc.) that are handled by, and stored in, the file
system manager.

Also, ADS is programmer-extensible - any programmer can enhance their
security system by embedding their own dreamt-up custom rights using
ADS.

Of course, this customizable aspect of it was what was used by malware writers.

Apologies for not providing references; some of what I'd read was on
real paper (the description of the referred INFOSEC standard was part
of a graduate-level Network Security course curriculum*), but most if
not all of the above can be looked into and either rejected or
accepted.

[*: somebody else might recognize the actual standard from what I
thought was one of its salient features: a user with a certain
clearance-level security can read a document at his security clearance
level and all lower levels, but can author/write a document only at
his clearance level or higher]

-B.


On 7/18/07, Robert Adkins <radkins at impelind.com> wrote:
> Curious.
>
> Does anyone know how Windows (NT/2K/XP) legitimately received a
> government security clearance with this gigantic glaring hole in its
> file system?
>
> Does anyone know if that was even disclosed in the testing for that
> certification?
>
> If not, anyone interested in working towards organizing/raising a
> massive shit storm over this "feature"?
>
> -Rob
>
> -------- Original Message  --------
> Subject: Re:[mdlug] The new "surface" computer
> From: Ingles, Raymond <Raymond.Ingles at compuware.com>
> To: MDLUG's Main discussion list <mdlug at mdlug.org>
> Date: Wednesday, July 18, 2007 9:32:20 AM
> >> From: Joseph Vartanian
> >>
> >
> >
> >>>  MS put the capacity in NTFS, but never really came up with a use for it.
> >>>
> >
> >
> >> Actually, they do have uses for this feature.  MS SQL Server 2005 uses
> >> ADS (alternative data streams), as does MS Exchange Server 2003.
> >>
> >
> >  But, so far as I can see, there's nothing about ADS that can't be done with
> > regular files. I'd be willing to believe that they did that just to make those
> > products *less* portable... :->
> >
> >  Sincerely,
> >
> >  Ray Ingles                                              (313) 227-2317
> >
> >  "Indeed, the one group that would almost certainly oppose the views of
> >      21st-century evangelicals are the 18th-century evangelicals."
> >                             Steven Waldman
> >      http://www.washingtonmonthly.com/features/2006/0604.waldman.html
> > _______________________________________________
> > mdlug mailing list
> > mdlug at mdlug.org
> > http://mdlug.org/mailman/listinfo/mdlug
> >
>
>
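Since the thread discusses ADS as a place to hang hidden per-file attributes and notes that malware writers use the same feature, here is an added PowerShell example (not written by any poster in the thread) that writes a stream to a constructed scratch file, enumerates every stream on it, and then scans a folder for files carrying anything beyond the default stream. It assumes PowerShell 3 or later running against an NTFS volume; the folder and file names are made up for the demo.

```powershell
# Added example, not from the mdlug thread. Requires PowerShell 3+ on NTFS.
# Shows why a directory listing alone does not reveal ADS content, and how a
# defender can enumerate streams that ordinary file tools never display.

$root = Join-Path $env:TEMP 'ads-demo'      # scratch folder, constructed for the demo
New-Item -ItemType Directory -Path $root -Force | Out-Null
$file = Join-Path $root 'report.txt'

# The visible content: what Explorer, dir and most tools show.
Set-Content -Path $file -Value 'Quarterly report body'

# A second, named stream on the same file. The size reported by dir does not
# change, because dir only reports the primary stream.
Set-Content -Path $file -Stream 'hidden.note' -Value 'text stored in an alternate stream'

# Enumerate every stream on the file. The primary stream is always ':$DATA'.
Get-Item -Path $file -Stream * |
    Select-Object FileName, Stream, Length |
    Format-Table -AutoSize

# Read the alternate stream directly by name.
Get-Content -Path $file -Stream 'hidden.note'

# Defender view: list every file under a path that carries a non-default stream.
# Expect some legitimate hits in real scans, e.g. the 'Zone.Identifier' stream
# that Windows adds to downloaded files; anything else deserves a closer look.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } |
        Select-Object FileName, Stream, Length
}

Find-AlternateStreams -Path $root

# Remove the extra stream; the primary content is untouched.
Remove-Item -Path $file -Stream 'hidden.note'
```

Run `Find-AlternateStreams` against a user profile or a download folder to see how common legitimate streams are before treating any unexpected one as suspicious.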
