Domain: disa.mil
Stories and comments across the archive that link to disa.mil.
Comments · 141
-
I sent an email...
I sent an email to the address at the bottom of the site...
Dear Sir or Madam,
It was with great interest that I perused the materials on the Music Rules website. (On a side note, it doesn't work properly with Firefox 3.0.) I agree that piracy of music is a problem, and some reform of copyright law is needed. However, I believe that your educational materials are misleading and sometimes directly contradict actions of the RIAA in the past.
In the teacher's guide, on page 4, the answer to question #2 (left column) is given:
Caitlin is not a songlifter because personal use is permitted when music fans buy their music. Caitlin can copy her music onto her hard drive and her MP3 player. Caitlin can even burn a CD with her own special mix of music she has purchased.
This however contradicts earlier cases where the RIAA has pursued music pirates for doing this exact same thing. A Washington Post article from 2007:
Now, in an unusual case in which an Arizona recipient of an RIAA letter has fought back in court rather than write a check to avoid hefty legal fees, the industry is taking its argument against music sharing one step further: In legal documents in its federal case against Jeffrey Howell, a Scottsdale, Ariz., man who kept a collection of about 2,000 music recordings on his personal computer, the industry maintains that it is illegal for someone who has legally purchased a CD to transfer that music into his computer.
The industry's lawyer in the case, Ira Schwartz, argues in a brief filed earlier this month that the MP3 files Howell made on his computer from legally bought CDs are "unauthorized copies" of copyrighted recordings.
The teacher's guide also ignores the term, "fair use." While fair use is quite limited in U.S. law, generally being restricted to purposes of research and parody, if the RIAA wants to teach third-graders the term, "DMCA notice," why not "fair use?"
Coverage of alternative forms of copyright appears to be non-existent as well, such as the Creative Commons licenses, which allow the creator to turn over specific rights to others, such as the right to modify, or distribute. Public domain coverage is missing as well. Old recordings from before 1923 (such as Edison's early record player) on the Library of Congress site thus would be public domain, and free to download. The materials would scare kids into thinking that everything is copyrighted, and thus illegal.
The materials also should recommend sites where music can be legally downloaded for free. One example is Musopen.com, which contains recordings of public domain works, but also contemporary works where the composer has expressed willingness for his music to be shared. Warnings should be balanced with alternatives. Also, you could recommend the students to whenever possible purchase music directly from the artist, so that the artist is paid a fair amount.
U.S. federal government training materials ignore this distinction, preferring the "all downloaded music is illegal" mantra. For example, see this training website (it's screen 27 of 48). I can disprove this by visiting this Wikipedia link, where I can download a copy of the W.W.S.S. Wind Ensemble with Dennis Smith playing Arthur Pryor's arrangement of "Blue Bells of Scotland," released under the EFF's Open Audio License (http://en.wikipedia.org/wiki/File:Arthur_Pryor_-_Blue_Bells_of_Scotland,_for_Trombone_and_Band.ogg). Similarly, recordings by U.S. military bands, being created by the U.S. government, are generally also public domain.
Copyright reform does need to be effected in the United States. The clause in the Constitution governing copy
-
no Firefox for the military ?
"Really? You might want to tell that to the military... I can't get Firefox installed much less supported on a military computer"
Really, what exactly is the rule regarding Firefox on military computers?
'Here's an easy way to have Firefox allow popups for our site'
'If you have a CAC card and reader, use Internet Explorer instead of Firefox and follow the previously mentioned CAC installation instructions'
Jump to How to manage certificates in Firefox.:Enter the password for Firefox's certificate database -
Re:Non-Flash Equivalent
Perhaps you missed the "Home" link at the bottom of the page which leads to http://iase.disa.mil/index2.html. Since the page the training course resides on is only one page of a larger website, I would conclude that it is not a website in and of itself.
Furthermore, if you go to the homepage, you will not find one single instance of Flash. So, I would conclude this is not a "Flash-heavy" website, but a Flash presentation that is part of a non-flash-heavy website.
As previously stated, this is no different than a powerpoint presentation or slideshow that is presented as a linked resource. You, and everyone else playing this URL game, think you're being clever but you only come off as an ass. -
Are they drunk??
That site: http://iase.disa.mil/eta/iaav7-3/iaa/index.html (the first link in TFS)
Have you "launched" a new "course"? The eevil hacker destroyed everything. Cash, oil, food, it's the global meltdown! Aaah!
LOL. It really reminds me of this game we used to play as children, where the challenge was to end the story in the destruction of the world, through a chain of cause and effect, in as few steps as possible. And from a totally harmless starting point.
First a tiny drop of rain fell onto the street.
But an insect got stuck in it.
Causing a bird to land and pick it up.
So the car of the president drove into it, causing a crash and his death.
Just while on the phone with the Chinese government.
So the CIA assassinates the Chinese premier, because they think he is the responsible one.
Which causes China to launch all its nukes, which causes the USA to launch all its nukes, which causes special experimental biochemical weapons to be released,
which causes all remaining humans to turn into alienlike raptor-zombies.
So ten thousand years later, some real aliens land, get their ship taken over by the raptor-zombie-humans, which then fly out to enslave and nuke the entire universe!
Yes, it always ends with nukes, and most of the time with monsters too.
Or the short video version: http://www.albinoblacksheep.com/flash/end
-
Re:Non-Flash Equivalent
Let me clarify - it's not a Flash-heavy site, because it's not a site. It's a course. It's an online course entirely written in Flash, not a Flash-heavy web site.
Is it a collection of related content accessible via a URL prefixed by http:/ or https:/ ? In that case, I'd call it a "site" and so, I'd imagine, would most people with more than a passing exposure to the web. The fact that the content on that particular site comprises a training course is irrelevant.
http://iase.disa.mil/eta/iaav7-3/iaa/index.html is a site hosting nothing but that large Flash application and a little boilerplate html, yet you seem to have a problem with it being described as a "Flash-heavy" site. Why?
-
Non-Flash Equivalent
Warning: this site gives a whole new meaning to "Flash heavy."
They have a non-flash site if you need to complete this training and receive your certificate and you can't have flash. Not sure how they are running the audio but that's available as well.
I gotta admit it's not as entertaining as the zoom down into the city flash animation when instead of that you get:
Screen 1 of 48. Screen title, Intro. A block in any city, U S A. The camera zooms into a bank A T M. The A T M screen reads, no funds available. The camera zooms into another A T M, and again, no funds are available. Cut to an office in a building. Camera zooms into computer screen on desk. C N N website is on screen, displaying news headlines that support audio. Camera zooms to P D A on desk. P D A displays news headlines that support audio. Camera zooms to fax machine. Document on machine displays news headlines that support audio.
Also, you might encounter some problems with words and acronyms that are pronounced like IA (Information Assurance)
Screen 4 of 48. Screen title, What is I Ay? Image of worker at desk with computer. The computer monitor displays a warning
... -
Re:ban the man
Civilian contractors can have SIPR.
Here's the process for setting that up:
http://www.disa.mil/connect/classified/nondod_new_siprnet.html -
DISA Auditors
I do IA work for the DoD. I primarily do Certification and Accreditation for the Department of Navy. The DoD 8500.2 controls require your operating systems to be Common Criteria certified. The EAL level is going to depend on your classification. There are several Linux distributions that have gone through the certification process. For specific versions of specific software (Linux Kernel, OpenSSL etc.) you're probably referring to the IAVA (IAV-A, IAV-B, IAV-T) notices. These are specific known vulnerabilities that usually come from CVE or some other repository. They change as often as I change my underwear (insert joke about average slashdotter here). It would be impossible to keep a system up to date without significantly breaking functionality.
The thing I keep seeing is lazy DISA auditors that see the STIG's as black and white. Most of the testers I've run into aren't technical people. They run the automated SRR scripts and ding you for having your kernel version out of spec. If I were to sit them down and ask why a particular control was an open finding they'd tell me "Because the STIG said so" without digging deeper as to why.
The most recent test I was on, the testing team hit the sys admins for an out of date Kernel on a VMWare ESX box. VMWare uses a highly customized version of RHEL. Installing the most recent Kernel would turn the box into a paperweight. The best advice I can give you is to first check with the tester to find out exactly what the vulnerability is and what their recommended fix action is. Depending on your tester you may be wasting your time. I've seen far too many testers leave comments like "Not up to STIG compliance". Check with your vendor to see if they have issued a patch to address that vulnerability. Once you have that information you can place your comments into a POA&M and go back to your DAA and explain why a given open finding isn't really a finding and/or won't be fixed. You can also look into mitigation factors to see if you can reduce the severity. Many controls will state "If you're doing X, Y and Z this finding may be reduced from a CAT I to a CAT II".
Good luck with your C&A and be glad you're not on the documentation side of things
:^) -
Re:trust the vendor
DADMS is DoN-only for a reason; nobody else has the NMCI problem, and it didn't exist prior to NMCI. It's somewhat disconcerting to sit in on a meeting for a joint POR system, and have flag officers wonder WTF the Navy isn't implementing. "Uh, it's not in DADMS, sir." Sparks fly to say the least.
That said, the procedure is pretty simple, and since DITSCAP/DIACAP provide for it, you run specific vendor patches for whatever vendor-supported OS you're running (sorry Gentoo fanboys, roll-your-own isn't allowed in production systems). The Unix SRR script *should* be able to figure out if the backport is applied in a vendor-supplied patch, and pronounce it okay.
(The SRR scripts are publicly-available to everyone; if you're not running a commercial distro, you'll probably get some weird results, but it's still pretty good at picking out possible problems, even on systems that aren't officially-supported. I've run it on everything from Debian, including GNU/Hurd to OS X. http://iase.disa.mil/stigs/SRR/index.html)
If something is revealed that's not accurate, you document:
a) why you can't fix it (i.e. whatever system is running on top ceases to work, the vendor refuses to fix, the vendor is tango uniform, it's Wednesday and you don't feel like it, etc.),
b) why the scanner goofed up and picked out a problem that doesn't exist (yes, this version is different, but the vendor backported the fix [with proper vendor reference] to this, which is applied).
or
c) the fix hasn't been released and fully tested yet.
Cases a and c are what a POA&M is for, which is normally submitted along with the accreditation package, and updated periodically.
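The a/b/c triage above, as an added example that is not the commenter's script and not DISA's SRR: it separates a scanner false positive (vendor backported the fix, case b) from a genuinely open finding that belongs in the POA&M (cases a/c). Package names, versions, changelog text and the CVE ids (CVE-0000-000x) are all constructed placeholders.

```python
"""Triage SRR-style 'version out of spec' findings against vendor package data.

Added example; inputs are constructed and CVE ids are placeholders, not
real identifiers. The changelog text is in the shape of `rpm -q --changelog`.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Finding:
    cve: str              # vulnerability the scanner check is keyed to
    package: str
    fixed_upstream: str   # first upstream version that carries the fix


@dataclass
class InstalledPackage:
    name: str
    version: str          # vendor version-release, e.g. "2.6.9-55.0.12"
    changelog: str        # vendor changelog text


def upstream_tuple(version: str) -> Tuple[int, ...]:
    """Numeric tuple of the upstream part (before the vendor '-release').

    Simplified relative to rpmvercmp: only digit runs are compared, so
    letter suffixes such as 0.9.8a vs 0.9.8e compare equal.
    """
    upstream = version.split("-", 1)[0]
    return tuple(int(t) for t in re.findall(r"\d+", upstream))


def backport_reference(changelog: str, cve: str) -> Optional[str]:
    """Return the first changelog line citing the CVE (the vendor reference), else None."""
    for line in changelog.splitlines():
        if cve.lower() in line.lower():
            return line.strip()
    return None


def triage(finding: Finding, pkg: InstalledPackage) -> Tuple[str, str]:
    """Classify one finding as 'not_a_finding', 'backported' or 'open'.

    not_a_finding: installed upstream version is already at/past the fix.
    backported:    older upstream number, but the vendor changelog cites the CVE (case b).
    open:          no evidence of a fix; document it in the POA&M (cases a/c).
    """
    if pkg.name != finding.package:
        raise ValueError("finding does not apply to this package")
    if upstream_tuple(pkg.version) >= upstream_tuple(finding.fixed_upstream):
        return "not_a_finding", f"{pkg.name} {pkg.version} is at or past {finding.fixed_upstream}"
    ref = backport_reference(pkg.changelog, finding.cve)
    if ref:
        return "backported", f"vendor backport applied; reference: {ref}"
    return "open", f"{finding.cve} not addressed in {pkg.name} {pkg.version}; add to POA&M"


# Constructed sample data (placeholder CVE ids, fictional vendor).
KERNEL = InstalledPackage(
    name="kernel",
    version="2.6.9-55.0.12",
    changelog="""* Tue Mar 20 2007 Vendor Kernel Team <kernel@vendor.invalid> [2.6.9-55.0.12]
- [net] fix fragment handling overflow (CVE-0000-0001)
- [fs] nfs client retry fix
* Mon Jan 08 2007 Vendor Kernel Team <kernel@vendor.invalid> [2.6.9-55.0.9]
- [x86] update microcode loader
""",
)
OPENSSL = InstalledPackage(
    name="openssl",
    version="0.9.8e-5",
    changelog="* Wed Apr 04 2007 Vendor Crypto Team <ssl@vendor.invalid> [0.9.8e-5]\n- rebase to 0.9.8e\n",
)
FINDINGS = [
    Finding("CVE-0000-0001", "kernel", "2.6.20"),   # fixed upstream in 2.6.20, backported by vendor
    Finding("CVE-0000-0002", "kernel", "2.6.20"),   # nothing in the changelog: real open finding
    Finding("CVE-0000-0003", "openssl", "0.9.8e"),  # installed version already carries the fix
]


def run_demo() -> Dict[str, str]:
    """Map each placeholder CVE to its triage status."""
    packages = {KERNEL.name: KERNEL, OPENSSL.name: OPENSSL}
    results = {}
    for f in FINDINGS:
        status, note = triage(f, packages[f.package])
        results[f.cve] = status
        print(f"{f.cve:<14} {status:<14} {note}")
    return results


if __name__ == "__main__":
    run_demo()
```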
-
Re:Military Eggheads did not think put the domain
Works here.
It redirects to http://www.disa.mil/forge/ which is working fine
-
Military Eggheads did not think put the domain up.
Project "forge.mil" is only to be found at the url http://www.disa.mil/forge/
The address forge.mil is unavailable as of now.
Either does not exist, or has been taken over by the Chinese/Russians, or it has been slashdotted, or it runs on Windows.
Any of the above, is not a good sign.
-
Do you own or rent?
Ownership to rent is a business model.
Rent to own is always a foolish proposition. DOD is way ahead for once (I think), I am not sure of the specifics....
DOD DISA RACE http://www.disa.mil/race/ owns their enterprise infrastructure. If you rent service to sustain your core business/products..., then good for the business owners.
If you pay for your core business/products/content... to be available 24/7/365, then your core business/products... are not critical to business profit/survival.
For personal/home your core data/content may not be critical, but when someone has your personal information... who will still carry the liability/trouble for losses.
For some cloud/virtualization infrastructure may be a solution....
For an oldhawk like me, I will always maintain my personal/home/private infrastructure (computers, routers, FW-appliance...), and pay for connect/access.
IOW-IMHO: CoreGiveItUpGetFucked2dCore%~P
-
Re:ORLY?
It's also the most secure OS on the planet
Trusted Solaris would like to have a word with you.
Trusted Solaris is what the US DoD's global command and control environment runs on.
There's also XTS-400.
-
Re:TCO?
They do have their own Root CA. Either AC is talking out of his ass, or the images in use at his base are all kinds of jacked up. Frankly, from my experience with AF IT, it wouldn't surprise me if both were true.
-
Re:Enforcing compliance...
If passed, this could have the effect of a de-facto outlawing of Linux.
Not a chance. Believe it or not, the NSA and the DoD actually know what Linux is. And a lot of their advice for securing Unix and Linux systems is actually quite good.
And this without even considering the larger question of why the government should have any control over the software private users run on their own computers.
They shouldn't.
But they don't need to have that control. All they have to do is say that any system that is owned by the federal government or interoperates with federal government systems has to comply with the security guidelines. They'll get the states to fall in line via the usual mechanism: by withholding federal funding until they agree to implement the federal guidelines at the state level.
And if you're thinking, "Well, that only affects people who are the government, contract with the government, or work with the government," ponder that thanks to Bush and Obama, that combined class of people will shortly be the majority.
-
Re:Enforcing compliance...
3. Inspector then moves on to the server room, where Linux is installed. Inspector can't determine that "latest Microsoft patches are installed", so machines are marked as non-compliant.
The Federal Government uses Linux as well and there are published security standards for it. The NSA and DISA both publish security guides and implementation guidelines for Linux (NSA Secure Configuration Guides, DISA STIGs). This will require training for your typical enforcement droid but is not out of reach. To say that regulation would require Microsoft only is ignoring the fact that *nix is very much in use in the Federal Government.
-
Re:President is already tracked in real time
When I last worked in the White House in the '90s certain senior staff had a little device that constantly updated with the President's location from WHCA.
That's so Snake Plissken can retrieve him if he ever happens to crash-land in Manhattan.
-
President is already tracked in real time
When I last worked in the White House in the '90s certain senior staff had a little device that constantly updated with the President's location from WHCA.
-
https://www.forge.mil
I want to clear up some confusion
.... The real site is at https://www.forge.mil/ not www.forgemil.com. Forgemil.com was a site we were using during the development of forge.mil. Unfortunately, the wrong URL somehow made it in to the article. Right now the site requires a user to authenticate using a DOD PKI certificate (either a Common Access Card or a certificate from one of the DoD external certificate authorities (ECA)). See http://iase.disa.mil/pki/eca/index.html for more information. -
Re:You'll see IPv6 . . .
Everything that is worth buying has been IPv6 compliant for years.
That is not at all true. A great deal of equipment and software still does not support IPv6. That's slowly improving, but you still need to check the DOD and IPv6 Ready certification lists before you make a purchase.
-
Re:Catching up on the competition
There's support and support. The first OS to have certified DOD compliant IPV6 support (what this topic is about) was Vista. Solaris 10 came second. Neither had IKEv2 capability. Then came Novell and RedHat, both with IKEv1 and IKEv2.
So it's not only a neck-and-neck race, but you can also be first, and you can be first (with IKEv2).
You can find the list, with certification dates, here.
-
Re:Catching up on the competition
Well Apple and MS have had some IPv6 support for a while but they are shades to the amount of support. I believe that IPv6 has been available in Linux before MS or Apple (since 1996). However it was deemed "experimental" until 2005 even though it worked well enough for most people and distros. MS has had limited IPv6 starting with Win2K and has had some IPv6 support with XP in 2002. As for DoD compliance, only Vista with SP1 is partially compliant and OS X does not appear to have been tested.
-
Re:SANS Templates
There are other agencies, such as NIST, that may help. They offer checklists and guides for configuring specific systems:
http://checklists.nist.gov/ncp.cfm
Other US Agencies also are concerned with security.
SECURE REMOTE COMPUTING
SECURITY TECHNICAL IMPLEMENTATION GUIDE
http://iase.disa.mil/stigs/stig/src-stig-v1r2.pdf -
DISA Instant Messaging STIG
The US Defense Information Systems Agency (DISA) publishes security guides on many different subjects, including one on instant messaging. It's fairly generic, and applicable to lots of different protocols and products. If you want to deploy an IM solution securely, then you'll want to consider some of the recommendations as a starting point. About half of the recommendations are DoD-centric, but the rest are generally pretty good for everyone. It's publicly available here.
-
Check out DOD STIG as a starting point
Check out the DOD Security Technical Implementation Guides (STIG). They are not the most complete or up-to-date, but are a reasonable baseline for a production server.
Publicly-accessible at:
http://iase.disa.mil/stigs/stig/index.html
The STIG is the human readable form, the corresponding Checklist is the technical details for each finding (and is updated approximately quarterly.)
-
Re:yeah...
I like that when you click on the Privacy notice on the DoD Network Information Site (http://www.nic.mil/), you get a 404 page:
http://www.disa.mil/info/secpriv.html
Ah, the irony of it... I guess there is not a single privacy statement that would protect anybody from just clicking through publicly available pages?
-
Re:Not reasonable
If you want to see how most military systems are locked down just go to http://iase.disa.mil/stigs/index.html and grab the documents describing the lock down procedure. Or you can just download the scripts and programs that do it for you, grab the DISA gold.
-
Re:Home of the "Cybercommand"?
Theoretically, that unifying command is DISA. http://www.disa.mil/
It just doesn't work as well as we'd like. -
Re:Typical government response
um, it is called DISA, try this link http://iase.disa.mil/stigs/stig/index.html
-
Re:Securing your own assets
This was all done by contractors, mind you, and it got done because we liked what we were doing, took pride in doing a good job of it, and we had support from the squadron commander.
Once the MAJCOM started taking control of the security stuff, our defensive posture went to crap.
I have to say that the aggressor squadron teams that'd come in and attack the network knew their stuff. And of course they were able to break in every time.
Most importantly, make it clear that their job is security, and not paper pushing.
Exactly, exactly. I find it hard to believe that Gen. Lord is not aware of this, so I have to assume that the answers are of the 'PR Filtered" variety.
Also, I'm not sure how he can say "Certainly the balance between having access to do our mission and having robust security is an issue where not everyone agrees on just how much to restrict or how much to allow." Someone needs to read up on his regs:
http://iase.disa.mil/stigs/checklist/index.html
http://iase.disa.mil/stigs/stig/index.html
http://www.nsa.gov/snac/
Etc. The issue is not that it's "not everyone agrees on how much to restrict." I think the regs and best practices out there are pretty clear. It's an issue of "how much do we want to comply with restricted access methodologies and regulations." So basically, Cyber Command will be just a repackaged example of base network security that you described above, except this time it's not going to be an AFSPC base, or an AMC/ACC, it's going to be a huge target called 'Cyber Command".... -
Re:Dupe
Defense Information Systems Agency (DISA) is responsible for managing most US Defense IP networks. They are also responsible for managing most of the US DoD's IP address space. Address space with their name on it is used by a wide range of US DoD organisations/sites/activities. There isn't much mystery about who they are or what they do.
-
Re:DoD uses lots of Linux machines
Yes, they do. They even have security tech guidelines for installing and maintaining Linux in a secure production environment... and it's in a Wiki.
-
Not surprised at all...
My last employer was a DoD contractor, and we ran RHEL for the vast majority of the datacenter.
The *nix STIG (Security Technical Implementation Guidelines) has included RHEL for a very long time... they only (very) recently split Linux off to its own separate one: https://www.aiptl.nit.disa.mil/Linux-STIG/wiki/static.php?page=static070124-111906
-
Re:Nice locations
ShaunC said "If you want cheap tracts of land and cheap electricity, you build a data center in Oklahoma or Kansas".
And if you look it up, "Oklahoma, Kansas, Arkansas, Iowa, and Missouri are entirely within Tornado Alley"...
I don't know what's more irritating, the clowns arguing about something that they missed the premise of in the first place or the people who are arguing with someone who has been to the DISA data center in OKC. -
Re:So long Apple
This is simply not true. The NSA, NIST and DISA (DoD) all create guides for the operating systems, network devices and applications that are commonly used within their agencies. The Mac OS X Server Security Configuration Guide and Mac OS X Security Configuration Guide posted on the Apple documentation website were developed in cooperation with the NSA too.
http://www.apple.com/server/documentation/
NIST and DISA publicly distribute their security guidance.
http://checklists.nist.gov/
http://iase.disa.mil/stigs/stig/ -
DITSCAP
I found the response to the DITSCAP question a frigging joke. BTW, DITSCAP has been phased out for http://iase.disa.mil/ditscap/index.html DIACAP, the microsoft guy should have known that! Without going into the details... The DoD should demand microsoft do the DIACAP for their OS. If you've ever gone through the DITSCAP process you would know why... It is a major pain in the ass and was/is crap. Contractors that provide other softwares are or should be required to go through this process, why on earth can the DoD not demand the same from the maker of the primary OS used by them. If the DoD follows their own rules/regs/instructions Vista shouldn't hit the desktop till at least LATE 2008. Bunk I Tell ya!
-
I guess it could be warrantless surveillance
This story sounds a little overreacted.
From the article:
The NSA initiative, code-named ``Pioneer Groundbreaker,'' asked AT&T unit AT&T Solutions to build exclusively for NSA use a network operations center which duplicated AT&T's Bedminster, New Jersey facility, the court papers claimed.
That plan was abandoned in favor of the NSA acquiring the monitoring technology itself, plaintiffs' lawyers Bruce Afran said.
The NSA says on its Web site that in June 2000, the agency was seeking bids for a project to ``modernize and improve its information technology infrastructure.'' The plan, which included the privatization of its ``non-mission related'' systems support, was said to be part of Project Groundbreaker.
Mayer said the Pioneer project is ``a different component'' of that initiative.
The groundbreaker program is well known, in fact it's infamous... in being a really really expensive network upgrade. The kind of thing with rewiring offices and buying lots of bandwidth from the likes of AT&T.
And I mean a lot of bandwidth. A lot of the DoD bandwidth contracts currently up for grabs are of course available online for anyone to see. (But shame on the nytimes, shame shame shame!) How did you think intercepted traffic came from all over the world back (But especially big telco sites) to Maryland? Still wonder why companies like AT&T want to do everything to help the NSA?
And of course groundbreaker is over budget and insecure.
So what is this secret new thing that is being claimed? The hints are:
- Its mentioned on the NSA website
- Its "non mission related"
- Its a component of a network upgrade
- And its called a "network operation center"
It makes sense that the NSA would want a new but ordinary "network operation center" with its new network. You really really need one of those to show politicians around (scroll to "nsa loads nmap" for a good laugh). Especially the ones who know nothing about intelligence except what they have seen on 24. (It would be funny if there weren't so many schools, planes, trains and subways blown up around the world after 9/11)
Guiding them past the movie theater and showing the huge list of languages in which movies are shown isn't glamorous, though it should get the point across of sigint being of no use without humans to read and hear it... It might also show why having computers that can display bidirectional text isn't some fancy feature nobody uses. (It's useful for such obscure languages as say Arabic, just to name something random off the top of my head.) I guess the lack of lighting the 24 set designers came up with for dramatic effect makes these NOC places a little cheaper to run than hiring qualified analysts though.
Sure it could also be a top secret surveillance program advanced beyond anything ever seen before, possibly including extra terrestrial technology and tinfoil hat countermeasures... I mean in theory you could call that a NOC I guess.
This possible hype reminds me of the echelon story. After unspecific press accounts surrounding a big and sloppy EU investigation about "echelon" people assumed the worst and the hype started to build and build.
Now that some time has passed, historians have been able to figure out exactly what component is codenamed echelon, and it looks a little like this. (That's a '70s VAX 11/780, for those who couldn't tell, shame on you) -
Oh, lookie here
Speaking of which, you should probably get a glimpse at what Google .Gov dragged up. -
Re:Old News
If following the DoD Security Technical Implementation Guides doesn't count as a rigorous investigation, then what does? Note that they cover most of the common (and even uncommon) operating systems.
We (the DoD office where I worked as a contractor last year) had random scans on both classified *and* unclassified systems; any that weren't meeting the STIG guidelines were taken off-network and somebody (usually the system admin for that particular system and/or his/her supervisor) got a written reprimand.
-
Re:Wouldn't that be ironic.
If you look down the thread some you will see that bandwidth intensive audio streaming sites are being blocked.
The http://www.disa.mil/main/prodsol/data.html NIPRnet is being filtered. The Soldiers and Marines can go walk over to a government funded non-censored 'Internet Cafe' during off hours and browse the net without restriction. Most Marines/Soldiers have limited access to the NIPRNet anyway; the cafes are put in place for email and browsing purposes. -
Re:Wouldn't that be ironic.
No, they are not being filtered during off hours. There is a completely different non-censored government funded network available in the form of 'Internet Cafes' that are available.
The network we are talking about is the NIPRNET http://www.disa.mil/main/prodsol/data.html and any bandwidth intensive site will be blocked.
No one has mentioned citizens giving up their rights, only deployed Marines/Soldiers. -
The 800lb Gorilla in the room
http://ipv6.disa.mil/docs/State-of-IPv6-Final-7Feb05.pdf Google found this, the US DOD review of IPv6 from Feb 2005. Once the US military switches over, a lot of others will fall in behind them. -
Re:Separate networks
no air gap. http://iase.disa.mil/acronym.html#S
-
Start with Your ISSM and The DOD Guidelines
First, get a network admin who knows something about security and dealing with classified IT systems (someone asking for advice on Slashdot using a Yahoo account doesn't qualify). Seriously - go talk to your ISSM/ISSO/CIO, that's what they are there for. Do you really trust this collection of boobs to give you advice that won't land your ass in jail or get your security clearance yanked for stupidity?
Next, if your ISSM/ISSO/CIO is the usual non-technical pencil pusher and doesn't have the proper resources or knowledge, head over to DISA, specifically DISA STIGS for implementation guides and hardening tools. Also talk to the OADR and project owner to make sure there are no requirements above the DOD minimums such as Tempest or additional physical security requirements.
-
Re:Don't ask Slashdot
I'm a different anonymous coward in the defense industry.
Instructions and checklists are available for common operating systems. Use the ones from DISA. Large companies often have their own methods for doing things that result in the same thing. At the end of the day, the customer (presumably DoD) must approve it. Note that different agencies have their own vagaries (DoE and DoD, for example).
The guidelines provided here are often good for commercial security, also. In that environment, however, I would evaluate the requirements in a cost/benefit framework.
To confirm you're not a script, please type the word in this image: confuse [sweet irony]
-
Sometimes you can ask /.
I work for a DoD agency and purchase computers for secure areas all the time.
I'd strongly recommend you read Defense Information Security Agency's guidelines for computing in a secure environment - you can find security technical implementation guides (STIGs) at https://iase.disa.mil/ but you need to conform to the STIG on both hardware and OS configuration.
You'll find other regulations for making machines that process classified material, but if you're looking for hardware specs it's pretty easy.
I don't believe Windows XP has been certified by NIST, but that doesn't mean you can't use it. If you're looking for a really high security Windows box, the only Microsoft OS that's certified by NIST is Win2k SP3 with the Q326886 patch. You can get the patch by looking up the KB article number (Q326886) at http://support.microsoft.com./
Look here for more NIST information - http://niap.nist.gov/cc-scheme/vpl/vpl_type.html
Don't take my word as gospel, look at the regs - but here it is in a nutshell:
- Unless the box can be secured in a safe (like a laptop) it must have a removable hard drive and that hard drive must be stored in a safe when not in use.
- No wireless. Not any. Not 802.11, not Bluetooth. Do not pass go, do not collect $200. And it can't just be disabled; the hardware cannot have the capability.
- The machine must conform to both DISA STIGs and DoD CERT advisories.
- No Internet connections - you can connect a classified machine to a LAN provided the *entire* LAN is accredited and contained within the security vault. No outside network connections except to SIPRNet.
To answer your other question - machines processing classified material can have removable drives - but removable media may never leave the physical security enclave unless it's properly accounted for.
Hope this helps -
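The "no wireless capability at all, not just disabled" requirement above is the kind of thing worth verifying on delivered hardware rather than trusting the purchase order. The following is an added example, not code from the thread or from DISA: it audits `lspci -nn`, `lsusb` and `lsmod` style output for 802.11/Bluetooth hardware and radio driver modules; the device inventories, the keyword list and the module list are constructed for the demonstration.

```python
import re

# PCI class 0x0280 "Network controller" is what 802.11 adapters report;
# wired NICs use 0x0200 "Ethernet controller".
WIRELESS_PCI_CLASSES = {"0280"}
RADIO_WORDS = re.compile(r"wireless|wi-?fi|802\.11|bluetooth|wlan|wwan", re.I)
# Kernel modules that exist only to drive radios (illustrative subset, an assumption).
RADIO_MODULES = {"iwlwifi", "ath9k", "ath10k_pci", "btusb", "bluetooth",
                 "cfg80211", "mac80211"}
PCI_RE = re.compile(r"^(\S+)\s+.+?\s+\[([0-9a-f]{4})\]:\s+(.+)$")
USB_RE = re.compile(r"^Bus \d+ Device \d+: ID [0-9a-f]{4}:[0-9a-f]{4}\s+(.+)$")

def audit_radios(lspci_text, lsusb_text, lsmod_text):
    """Return a list of findings; an empty list means no radio was seen."""
    findings = []
    for line in lspci_text.splitlines():
        m = PCI_RE.match(line.strip())
        if m and (m.group(2) in WIRELESS_PCI_CLASSES or RADIO_WORDS.search(m.group(3))):
            findings.append(f"pci {m.group(1)}: {m.group(3)}")
    for line in lsusb_text.splitlines():
        m = USB_RE.match(line.strip())
        if m and RADIO_WORDS.search(m.group(1)):
            findings.append(f"usb: {m.group(1)}")
    for line in lsmod_text.splitlines()[1:]:  # skip the "Module Size Used by" header
        fields = line.split()
        if fields and fields[0] in RADIO_MODULES:
            findings.append(f"module loaded: {fields[0]}")
    return findings

# Constructed inventories: a laptop with a Wi-Fi/Bluetooth combo card ...
LAPTOP_PCI = """\
00:1f.6 Ethernet controller [0200]: Intel Corporation Ethernet Connection I219-LM [8086:15fb]
00:14.3 Network controller [0280]: Intel Corporation Wi-Fi 6 AX201 [8086:a0f0]
"""
LAPTOP_USB = "Bus 001 Device 003: ID 8087:0026 Intel Corp. AX201 Bluetooth\n"
LAPTOP_MODULES = "Module  Size  Used by\niwlwifi 389120 0\nbtusb 65536 0\ne1000e 270336 0\n"
# ... and a desktop with only a wired NIC.
DESKTOP_PCI = "00:1f.6 Ethernet controller [0200]: Intel Corporation Ethernet Connection I219-LM [8086:15fb]\n"
DESKTOP_MODULES = "Module  Size  Used by\ne1000e 270336 0\n"

if __name__ == "__main__":
    for name, args in (("laptop", (LAPTOP_PCI, LAPTOP_USB, LAPTOP_MODULES)),
                       ("desktop", (DESKTOP_PCI, "", DESKTOP_MODULES))):
        print(name, "->", audit_radios(*args) or "no radio hardware found")
```

Absence of findings only means nothing matched the constructed lists; a real acceptance check should also cover the BIOS inventory and any M.2/mini-PCIe slot that could take a radio later.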