Hi everyone, Ed Amoroso, and I want to talk to you in this video about some more history in cyber security. I always couch that, because when I think, historically, we didn't use the word cyber. I have no idea where that came in. I've been writing books for years; in the 80s and 90s, I wrote books on cyber security. But I was calling them computer security. And I remember an editor in maybe 1998 or 99 suggesting that I call a book that I wrote in 2000 Intro to Cyber Security. And I went, sure. I wasn't quite sure about that; it seemed a little odd. Now we use the term all the time. But anyway, we're talking back and I want to tell you about a couple guys that I know from a place called MITRE, M-I-T-R-E; it's MIT Research and Engineering. They were working in the 70s and, admittedly, I was still in high school then. But these guys were working in computing at a time when the military, the US Department of Defense, was starting to use computers for pretty critical, pretty sensitive military applications. And they asked these guys to look at how we might start protecting sensitive data from, you know, prying eyes, from leaks, from disclosure, from confidentiality issues, as they find their way onto the computers that we had in the 1970s, which were probably big monster mainframes; you've probably seen images on old TV shows or old movies of what a big monster mainframe looks like. So these two guys, David Bell and Len LaPadula, good friends of mine. In fact, Len LaPadula wrote the nice liner notes for the first book I ever wrote, 1993, so he is a friend of mine. They came up with this idea where they said, look, here's the way the military does it, and we'll see if we can do this on the computer. They said, first off, everybody in the military has this thing called the clearance, which means how trusted are you to have access to sensitive information. Or you might be very trusted, but if you're the janitor cleaning the bathrooms.
Well, you're trusted, but you don't really need that information. And setting need to know aside, clearances are things that are provided to people based on trustworthiness and kind of their position. So they looked and they said it sort of starts with unclassified, which means they have no clearance. But you can get, for example, something called a confidential clearance. You could get something a little higher called the secret clearance. And then, if you're a big shot, you can get this thing called the top secret clearance. Whoa, you could read all this fancy, important, sensitive stuff. They saw that, and they said we have to start with that. The idea that active entities, people, and again, on a computer, that's going to be a process, it's going to be something running on behalf of the user and application, they could have clearances, so that's the first thing. They have good clearances for everything. Then the second thing they said is all these files and documents we have, they have classifications, but the same scale. Like an unclassified document, confidential document, secret, top secret, and so on. So, we've got these two things: we've got people that have these clearances, and we've got objects and classifications. And they went, let's just call them labels, because they're the same name. So, I have a label on a person, top secret; I have a label on the file, let's say it's secret. And they went, how does the military do this? They looked and they went, hey, let's take some use cases. First off, is it fair for someone with a top secret clearance to read something that's top secret? Duh, of course you can, and that's the whole idea, you read it. But they said, what if, though, I have no clearance, can I read that top secret document? And they went, no, you can't, so hm, that's interesting. I can sort of read at the same level, but I can't be reading up, so to speak.
And they said, similarly, someone with a top secret clearance can certainly read something unclassified. So they went, it's okay to read down. And they came up with this model, so let's call it no read up. Interesting model, right? The second thing that they noticed was when you're putting information into a repository, into a file, a directory, a document. They said if you're top secret, and you're taking top secret information, you can certainly write it to a top secret document. That's the whole idea, but they said, what if you're at unclassified, and you've got unclassified information, you want to put that in the top secret document? And they thought, that's actually okay. Like it's all right to put unclassified in top secret, but flipping it, they said, can you take top secret information and write it down to an unclassified receptacle? They went, no. So they scratched their heads and said, you know what? It is no write down, and they went, wow, we've got it. No write up, no write down, and that was the whole idea. Now I gotta tell you a funny story. The document they wrote around this is really hard to read. They wrote these two volumes using like field theory or something. They're big, fat, hard-to-read documents; I'm not sure if anybody ever really read them. But a friend of mine, John Rushby, a very good researcher, wrote a paper that explained it in a kind of reasonable way. Everybody read that, and then I came up with the notation that I put in my first book that I think a lot of people have been using. I call them level diagrams. You see on the screen here, the level diagram shows, yes, you can read down; yes, you can write up. But you can't, no read down, no write up, I'm sorry, no read up or write down, for Bell-LaPadula. It can be explained with a simple diagram, and you gotta be real careful about these big documents and so on. One time, the federal government asked me to review this big document. And I won't tell you which one it is; you may have heard of it.
But it was a really fat document, big long thing like this. And I didn't have a lot of time to review it. So I wrote back to them and I said I don't have a lot of time. They said just do whatever you can. I was teaching, I was giving a midterm. And I said to myself, during this midterm, I'm going to read this big document, send them my comments. That's all I have time to do. Through a two-and-a-half-hour midterm, I read maybe this much of a document this fat. And I generated about 100 comments. And I sent it back to them and I said I did the best I could, 100 comments, whatever, I don't have time. So take my name off the reviewers list, because I didn't read the thing. I read a little bit. And they go, that's fine, thank you, we appreciate your comments. So months pass, the document gets released. And as part of the release, they sent a thank you to everybody. And I got a nice thank you note, because I did put two hours of time into it. And they sent a big long list of reviewers; there must have been 50 fancy reviewers of this thing. And they said, and by the way, we're attaching a file here with everybody's comments on this. And I thought, wow, I'm going to go look at this. And I saw they made a mistake, they just sent me the file that had my comments. So I sent them back a note, and I said, you sent me the file with my comments. Well, I'd like the one with everybody's comments, and their answer was, that is the file with everybody's comments. They were all my comments, I read this much of it. I think there's a lesson there: as you are developing ideas as a computer scientist or as a researcher, or whatever you do, when you write these big giant monster things, people tend not to read them. Now, a reference guide is a different story; I think it's all right to build a reference guide that people can look up. But when you develop something, it's gotta be simple.
And you can see in a level diagram very quickly, you can see immediately, how Bell-LaPadula works, versus trying to read 1,000 pages. So keep that in mind: no read up, no write down. In a subsequent video, we'll look at how the integrity threat is dealt with using a very different scale, but with a somewhat ironic conclusion with respect to level diagrams. So we'll see you in the next one.
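
The no read up, no write down rules described in this video, as an added Python example that is not part of the original transcript: it encodes the four labels, prints one subject's column of a level diagram, and checks by exhaustive search that no chain of permitted reads and writes moves data to a lower label. The names `can_read`, `can_write`, `level_diagram` and `can_flow` are illustrative assumptions, not taken from the Bell-LaPadula documents.

```python
from enum import IntEnum
from itertools import product

class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

def can_read(subject: Level, obj: Level) -> bool:
    """No read up: the subject's label must be at or above the object's."""
    return subject >= obj

def can_write(subject: Level, obj: Level) -> bool:
    """No write down: the subject's label must be at or below the object's."""
    return subject <= obj

def level_diagram(subject: Level) -> dict:
    """Per object label, the access one subject label gets ('r', 'w', '-')."""
    return {obj.name: ("r" if can_read(subject, obj) else "-")
                      + ("w" if can_write(subject, obj) else "-")
            for obj in sorted(Level, reverse=True)}

def can_flow(start: Level, sink: Level, write_rule=can_write) -> bool:
    """True if data held at label `start` can reach an object labelled `sink`
    through any chain of permitted read-then-write steps by any subjects."""
    reached = {start}
    changed = True
    while changed:
        changed = False
        for subj, src, dst in product(Level, repeat=3):
            if (src in reached and dst not in reached
                    and can_read(subj, src) and write_rule(subj, dst)):
                reached.add(dst)
                changed = True
    return sink in reached

if __name__ == "__main__":
    for name, access in level_diagram(Level.SECRET).items():
        print(f"{name:<13}{access}")
    # With both rules enforced, top secret data never reaches unclassified.
    print(can_flow(Level.TOP_SECRET, Level.UNCLASSIFIED))
    # Dropping the write rule (constructed weak policy) opens a downward leak.
    print(can_flow(Level.TOP_SECRET, Level.UNCLASSIFIED,
                   write_rule=lambda s, o: True))
```
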