Windows 2000 Gets Common Criteria Certification
Qnal writes "e-Week is reporting that Microsoft Windows 2000 has been awarded Common Criteria Certification. Read more of the propaganda here. Basically, according to the article, Any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated. The Common Criteria certification is an internationally recognized ISO standard established for evaluating the security of infrastructure technology products. Too bad it takes 3 Service Packs..."
Except when running slashcode, on which you can't even update the number of comments on a static page.
Sad, really...
Watch out for the EULA on Service Pack 3, it's a killer.
Read their earlier report as well. CC accreditation is a running certification, for a specific configuration.
"Flyin' in just a sweet place,
Never been known to fail..."
Microsoft Windows 2000 has been awarded Common Criteria Certification.
Sounds like Windows 2000 is the lowest common denominator.
"I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
This kind of certification is a great thing for people running Win2K.
But I have to wonder if Microsoft's upgrade cycle will cause those people to lose official support for Win2K unless they upgrade to XP or whatever's next very soon now?
A lot of enterprises do a lot of time-consuming testing before they roll out something like Win2K, which is probably the first reasonable OS from MS.
It'd be a real shame if all that testing and certification gets thrown out the window because MS doesn't feel its customers aren't buying upgraded products fast enough.
"Provided by the management for your protection."
Hopefully the amount of hoops Common Criteria makes you jump through will be enough to 'persuade' Microsoft into just keeping Win2k around instead of EOLing it.
At least it got there...
So, we wait for 2-3 updates on any MS product before considering it "stable"...
But Linux still doesn't have it, does it? I'd rather have service packs than have to hand-apply the hundreds of patches that are put out each year. How does Linux handle masses of patches? New kernel builds? That's essentially all a service pack is.
Any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated
Which doesn't even go into counting all the fun software that finds inconsistencies, holes, and breaches in Windows, not to mention finding their own. Often, it's the new software or hardware that breaks an OS.
How about a fix to "DLL hell", where Windows can obtain online a list of known DLL versions, which can be updated by software manufacturers as to which are compatible. From previously working in a software certification branch, I know that DLL and modular conflicts often cause a lot of the instability between apps or when installing new applications.
What the hell? I guess his summary is better than mine, since I was delirious with the flu. But, regardless: HEY! That's not fair.
-- "You can lead a yak to water, but you can't teach an old dog to make a silk purse out of a pig in a poke" - Opus
Ok did the 3 Service Packs statement rub anyone else the wrong way? Or was it just me?
Another article, more in-depth as to the prereqs for certification:
First we criticize MS when their security fails; now that their security is improving we still criticize their efforts. Grow up.
Besides, a more secure Win2K should mean a better Net for everyone. If these boxes can stay locked down and free of trojans, in theory we should see a decrease in attack/hack attempts.
Just for the record, there is NO "off the record" record.
Make a record of that.
Too bad it takes 3 service packs...
Yea, because we all know that open source software never needs to be patched. Yep, it's all 100% secure from the start. All open source software is versioned in whole number increments with no point releases for bugs. It's positively magical!
Gag me with an overstuffed penguin doll...
Don't forget how slow SP3 is. I tried it on one computer and bootup time was noticeably longer.
However, it is nice to see Microsoft going for some sort of help here. It would be much worse had they decided to flaunt it instead.
Have you read my journal today?
World Tech Tribune had a rather hilarious FUD article covering this several days ago.
were you expecting to see a sig here? perhaps you'd rather see the inside of an ambulance!
I wonder if the "complex challenge" she speaks of is referring to cashing that big cheque (or 'check', for those who spell American)...
It's funny. Laugh.
What Linux really needs is the equivalent of Windows Update so you can get a full listing of what needs to be updated.
With the rollout of UnitedLinux due anytime now, I hope they implement something akin to Windows Update so we don't waste valuable time chasing down manually every important software update to your Linux installation.
Propaganda?
I say bollocks.
Win2k with SP3 got an ISO certification for achieving a certain level of security. This is where the news ends. This is also where the person who presented the article behaves as a Linux/OSS groupie, serving FUD.
The MS OS got a certification, which to some means a lot, to others, nothing. But to actually go as far as calling the whole shebang propaganda is outrageous.
Correct me on this, but I don't remember Linux getting an ISO certification about anything.
The way the whole affair was presented reeks of OSS self-righteous geekiness, small-mindedness and fanaticism.
You're A Debian user, right?
/. Where the truth
" Any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated"
Their test system had two 120 GB HDs full of fansubbed anime and was running at 100% CPU doing DivX encodes?
Well, they said "exactly the same system".
Wait, did they mean my exact system ? How do I sue them for wasting my cpu cycles running benchmarks ?
This post was nearly funny. Blame the cough syrup.
graspee
Too bad a little slashbitch had to throw in his comment. Too bad Linux doesn't even try to call anything a release. Upgraded to 2.2.19 yet? Mwahahaha!
wanta Fanta?
Slow Down Cowboy!
I got a 1600 on the SATs.
YOU suck.
Most distributions already have this. Red Hat has the Red Hat Network. 3 Service Packs for Windows 2000, but hundreds of hotfixes...
...and make misguided comments about "DLL Hell". I've never had a problem with incompatible DLLs, but I've had a fuckload of issues fighting with package managers like RPM to get dependencies correct. Yes, I know you can --force rpms (before the zealots point that out).
Common criteria does not mean secure. There are multiple levels of the common criteria that mean different things. It doesn't appear that the article states the level achieved.
Common criteria is quite complicated - to understand what common criteria really means, you'll need to read some things that are NOT posted at Microsoft. This may mean that they basically implement what they have documented, or that they implement a specific feature set.
In the last year or so, it's become fashionable to use the word "propaganda" to describe anything one reads or hears that makes one uncomfortable. The word was already so subjective as to lack value, but it's now hit complete worthlessness.
If there's something untrue or illogical with the Microsoft page, say so. Throwing in an unsupported "propaganda" is just chickenshit. Unless you figured there was a certain amount of negative spin that had to be added to a Microsoft success story to get it posted, which is a forgivable gaming of the system.
What I'm listening to now on Pandora...
Oh, and if you want Win2k to be secure, don't allow it to connect to anything outside of your control.
http://www.theregister.co.uk/content/4/27877.html
For the longest time everyone here has been criticizing Microsoft because they have poor security. So they start fixing it. They release patches. Then everyone criticizes the fact that they release all these patches. They are only being responsive to your criticism. Now an objective panel gives them a reward for their efforts, and everyone here is angry!
You know, I really thought everyone here genuinely wanted Microsoft to improve security. I thought we all were in it for the benefit of all. I thought that was what the Linux community was all about. But clearly the intent here is more religion than technical. Either you are part of my religion, or you are to be destroyed. How's that better than your perceptions of how Microsoft acts?
You know, maybe the .ORG domain name really is more appropriate, since it's a religion and all.
So who is working on certifying Linux? Is anyone going to actually try to improve the net, or are we going to just keep pulling Microsoft down?
Yes, it showed me that whoever wrote the article just had to put the mandatory anti-MS comment to get it submitted.
It could have been 1 service pack or 2, and it still would have been written the same way. Gotta have the obligatory jab at MS (even if they are doing something right).
And I can express my view against it by simply not subscribing to Slashdot.
When will the hardest attacks start? This is just the start of attacks on Win2k, trying to find a nice feature to see if it's really as proof as is suggested.
Just waiting.........
"He went to the refrigerator and grabbed a jug of what he thought was water. It wasn't until after he had emptied the contents of the jug that he discovered that it was kerosene."
Gee, I know I always look forward to a nice ice-cold jug o' kerosene in the morning.....
Dumbass trolls.....try harder....
I can't remember the last time I ever had dll problems. It was probably back with Windows 95 or something. W2K and XP have dll version management built in. I hear people on /. talk about DLL Hell, but I mainly get the impression that they haven't used Windows since 3.11 or something...
Compare that to the pain you often have to go through to install an RPM on Linux...
I think most people who read Slashdot are at least half-intelligent sentient beings. Most can tell FUD from truth. When criticism of Microsoft is called for and valid, fine. But this sort of thing is starting to get tiresome: bashing the Evil Empire for the sake of bashing. No more, no less. And on the fucking front page, with the tacit approval and blessing of the "editors".
A "news organization", if nothing else, has to maintain a modicum of impartiality. At the very least, please keep the garbage in the comments where it belongs, right next to the goatse and fecal trolls.
And I'll repeat something I read here once: The twig can only bend so much before breaking. Keep this up and Slashdot will be reduced to nothing more than a quivering hysterical mass of negative trolls whose only purpose in life is to attack someone else instead of celebrating what's good about the culture that spawned it.
When is Red Hat going to start this process? Anyone from Red Hat have a comment?
http://www.linkedin.com/in/dougneedham
Read the description on the CC web site, and you'll see that the evaluation was for the development process, and that only part of the implementation was tested at all. (I wonder which part?)
All of which, while interesting to some, is in the 'so what' category. Security is not a cert, or a product. Security is what you do.
For example, Windows NT 3.5 was certified to the NIST 'C2' level (basically, C2 means you have separated the users and require a login). But there was no problem building a 'B2' level (mandatory access control) system with NT3.5; you just had to add some software and hardware to plug the holes.
So these certs are of no use except to PR flaks. And trolls.
The SP3 thing sounds fishy. I wonder if they've got extra tricks up their sleeves regarding W2k. It just seems too much of a coincidence that to be Common Criteria Certified or to run the next Office release you'll need SP3. Something is brewing in the seedy minds of Microsoft's lawyers, methinks...
Interviewee: "I'm an MCSE!!!"
Me: "That'll be all thank you, and there's the door!"
"I'm just here to regulate funkiness."
Those hot fixes are included in subsequent service packs. Install SP3 on a new system and there are few patches, if any, left to install. --gary
Too bad it takes 3 Service Packs..."
Name any OS that hasn't gone through hundreds of patches before it's reached certain levels of security, stability, or predictability. Quite frankly, if /. wants to maintain any level of credibility as a technology site (not a blind MS-bashing site) then it shouldn't post comments like this.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
Face it, historically Microsoft's security is pretty pathetic and the only reason it has improved at all is due to the constant criticism and market pressure.
You are a traitor to Computer Scientists, Software Engineers and John Q. Publics everywhere if you let Microsoft slide on their shoddy security.
...or does the author of the descriptive post for this article sound like the guy in this strip
If I were him, I'd be more thankful that MicroSoft patches holes, since they still do have a rather large presence, after all.
Every modern distribution comes with an application that tells you which packages need to be updated and why they need to be updated.
Select, download, install - there really are equivalent tools.
In Mandrake it's called "Mandrake Update" - even the naming convention is similar.
The set of features is (I think) the protection profile (PP). Not sure exactly what the PP is here - the press releases were rather vague, but it may be the commercial adaptation of the old military C2 (discretionary access control).
Before passing judgement, we need to know what the evaluated configuration looked like - what other software was included, what networking features were enabled, etc.
I suspect the reason Linux (or OpenBSD or FreeBSD...) have not applied for this is that it costs money. I'm sure MS paid SAIC a nice bundle for this work. A BIG difference between the Common Criteria and the old Orange Book evals. Under the Orange Book (the old C2), the gov't paid, the trade-off being that they took their sweet time doing the eval. Now we have private labs doing the work - more quickly, but there is always the issue of whether the payment biases the results.
FYI, here is what the Common Criteria says about EAL4:
EAL4 - methodically designed, tested and reviewed. EAL4 permits a developer to maximize assurance gained from positive security engineering based on good commercial development practices. Although rigorous, these practices do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. It is applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs, and are prepared to incur additional security-specific engineering costs. An EAL4 evaluation provides an analysis supported by the low-level design of the modules of the TOE, and a subset of the implementation. Testing is supported by an independent search for vulnerabilities. Development controls are supported by a life-cycle model, identification of tools, and automated configuration management.
"dope will get you through times of no money better than money will get you through times of no dope"
All well and good, but you cannot run W2K on machines with personal data on them, since that machine would then be violating the Federal HIPAA.
All your base!
Got Code?
Shouldn't this be filed in the humour section?
Imagine a Beowulf Cluster of THESE!!!
Common Criteria Certification basically replaced the Rainbow Series of certificates. The more familiar one that we know is C2 of the Orange Book, which NT 4 had.
I think the Rainbow Series was replaced sometime in the year 2000. The significance of the Common Criteria is that it is developed by ISO and is internationally recognized, and it not only replaces the Rainbow Series but also the ITSEC (European standard) as well.
To put this in perspective: PIX v5.2 and Checkpoint NG are both certified to EAL 4. However, I still can't tell my PIX to not bother logging dropped packets to port 137 without telling it to not log _any_ drops at all! On checkpoint I can log based specifically on the rule, not just service or action. Both are "certified" but there is only one I would prefer to use.
Do really dense people warp space more than others?
First of all, CC certification was achieved with Service Pack 3 plus Hotfix Q326886, not just SP3. The author's statement is incorrect.
Second, Common Criteria isn't a panacea or a magical certificate saying that Win2k is uber-secure. It is an assurance that it meets a specific level of security and reliability on failure (ie, will STOP instead of going into an insecure mode on a kernel exception).
Its predecessor was called the Orange Book, under which WinNT scored a C2 rating. That's about as good as you are going to get with an "off the shelf" operating system. A Level 3 really doesn't mean it's better than other OSs, just certified that it will operate in a predictable and reliable fashion, has DACLs and user-based security, etc... Big whoop.
Why Service Pack 3? Gee, it takes a bit of time for certification. IIRC, NT took 2 years to get C2 certified. Remember, this is the government.
By the way, I don't see Linux listed anywhere on the CC list. Check your pots, I think they're talking to your kettles.
Finally, I take exception to the author's use of "propaganda". Is it becoming the thing to call anything propaganda that paints Microsoft as something other than the Evil Empire?
yayyy.. i can post
To get a common criteria certification, in addition to the thousands of dollars (>$40,000) you have to spend, you have to specify what your system does and then prove that it does it.
So, as I have not seen the specifics of Microsoft's CC case (which I doubt we'll see the full report), a certain company could say "Product X is a workstation operating system that does not allow UserA to see UserB's documents" and then Product X would be certified as having accomplished that.
There are different guidelines for different products, including firewalls and network management equipment and software.
You get a CC cert when your product DOES WHAT YOU CLAIMED IT WOULD DO IN THE APPLICATION.
There are NO third-party security guidelines for the products, as in the SANS guidelines or anything else.
You write up the application, make your security-related feature claims, and pay your fee. The product is given to a lab for testing.
The point of the CC is to get gov't and contractors to look at products based on what jobs and specific requirements those products can fill in their IT solutions. It's not really a security cert in the way "Windows is secure" would make you think. It's "Here's the list of security-related requirements you can fill with this product".
--mandi
Now back to your carrying on. Yes, I worked on a product that was to be CC'd.
Slow news day or what - posting crap like this really helps me kick my /. habit.
If you are going to put a troll on the front page please make it a halfway decent one.
It's sad that in general linux zealot == ms hater. What a waste of energy.
W2K with a Common Criteria evaluation ... finally. In the time that it took MS to get this one evaluation completed, Oracle has performed FOURTEEN (14) evaluations of its database software!
PLEASE NOTE: Unless you use the software in Microsoft's evaluated configuration, it is not considered "using" the evaluated product. Their NT4.0 evaluation required removal of the floppy disk drive in order to use it in an evaluated configuration.
If you check out: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/issues/W2kCCUG/default.asp and specifically section 3.3, you'll see that it's only a tad better than NT's Orange Book scam (which was certified as secure but only if not connected and in a locked room). This time, all the machines on the LAN need to be under the same security constraints, and that LAN of course stays in a locked-down building. Or, since the days of NT, we've now gone from a locked room with one PC to a slightly larger locked room of PCs. Geez. Progress.
Ok, putting aside all the microshit, here's an honest question relating to everyones fear of the SP3 EULA:
Does anyone know how MS remote access is going to work, and what firewalls/routers/etc would be able to block it? After all, they say they get to do it, not that we have to make it easy for them.
And no, "upgrade to SuSe" is not a firewall, "format c:" is not a router, and any references to "Stephen King dead", beowulf clusters, or 3: Profit! will necessitate me hunting you down and plucking your eyeballs out with rusty spoons.
Slowly.
If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moment's pause.
This certification isn't much different, in that is has no real meaning or value to end users. All it does is allow M$ to sell into markets, primarily government, where CC certification is a requirement.
If a vulnerability is discovered in this certified version, there is nothing which forces M$ to make a correction. Further, if M$ issues Patches, HotFixes, Services Packs or whatever subsequent to this evaluation, they will NOT be certified, or even examined.
Marcus Ranum (father of the Internet Firewall, speaking on CC evaluation of firewalls) said it best:
This reminds me of when my current employer went through UL certification. It was a truly eye-opening experience for what those little stickers mean.
To begin with, the UL techs had very little clue about what it was they were certifying; they spent more time ensuring that all of the hardware we used had UL certifications. After that, they basically re-wrote the specs around our system. In the end we passed, of course. It would have been kinda tough to fail when the spec was being modified to fit our system, not the other way around.
After that wonderful experience, I came to realize just how big of a con the UL is pulling on all of us. It's bunk; it doesn't even prove that there is a decent level of quality behind a product. As an example, one of our system configurations requires an ethernet serial provider (ESP), for use with a modem and remote management software. Easy enough, we've done this for years. But, the ESP we used was not UL listed, so we had to change manufacturers. When we finally found one we discovered that it would not work with a modem and the remote management software, and even had the manufacturer tell us as much! So now we are scrambling, trying to find another supplier. All because of some stupid little UL sticker.
I can say with confidence, the UL certification is a con. Also, I've dealt with ISO certification; it's a con as well (yes, we have documentation on all of our procedures, just ignore that it is very loose and only ensures that we do roughly the same thing every time, and gets universally ignored; we're a custom shop after all, doing the same thing every time is impossible). And I would bet that this Common Criteria cert is a con: you pay them, play around for a few days to make the inspectors happy, and they sign off on your system.
Necessity is the mother of invention.
Laziness is the father.
The underlying hardware doesn't meet any real "sameness" criteria - so the OS will act differently on different boxes.
PS for all the Microsoftistas out there: don't you find it infuriating that everyone knows what BSOD means? Is there any other computer product with such a well-known and pervasive failure mode that it's been used in TV commercials?
My god, I've just had it. I submitted this news, but with an unbiased, informative write-up. That took a whole 4 minutes to get rejected.
For the record, here's Microsoft's remarkably FUD-free press release: http://www.microsoft.com/presspass/press/2002/Oct02/10-29CommonCriteriaPR.asp
The FAQ tells all about the CC and what it really means: http://www.microsoft.com/presspass/press/2002/Oct02/1029CommonCriteriaFAQ.asp
This is huge:
1) The CC certification is a globally accepted ISO standard (ISO-IEC 15408) established for evaluating the security features and capabilities of information technology products. 14 countries accept it as the method for evaluating the security claims of IT products and systems.
2) Just "running service pack 3" does not mean you are running a system that is at the same level of security as those evaluated. Microsoft has several documents (enumerated below) that describe how to set up, use, and administer a CC evaluation ready system.
3) Yes, Windows 2000 is on Service Pack 3 with a few post-service pack hot fixes. My Red Hat installation has at least as many fixes applied to it, and it's not even DoD "Orange Book" certified, let alone evaluated to any international standard of security.
4) There are three very helpful checklists Microsoft released with this announcement:
I) Common Criteria Evaluated Configuration User's Guide describes how to use a secured system in a secure way. All organizations should be sharing this information with their users. Anyone running Windows 2000 or later should read and follow this.
II) Common Criteria Evaluated Configuration Administrator's Guide tells administrators how to run their system once it's been securely configured. If all Windows 2000 admins read this and the next document there'd be fewer security incidents out there.
III) Common Criteria Security Configuration Guide tells you what steps need to be taken to properly configure a CC evaluation worthy system. It is very simple, especially with the templates Microsoft provides, but it is more complex than "apply service pack 3 then drink a beer".
These checklists will hopefully alleviate the problem of clueless admins incorrectly configuring and administering Windows 2000 systems.
5) Windows XP and Windows .Net server should be relatively quick to certify. They are from the same code base as Windows 2000 with mostly cosmetic changes and relatively minor system tweaks.
The baseline is this: no other company has certified such a detailed procedure for assuring the ongoing security of their operating system products. Not Linux, not BSD, no one. Windows 2000 is the first.
This isn't just a locked box in a closet with no net connection certification. Several Dell and Compaq systems were evaluated in real world situations. From an interview with Microsoft's Security and Server executives: "...directory service, Kerberos, single sign on, file system encryption, VPN functionality, policy-based network management, desktop management, and more. To our knowledge, Linux has not been evaluated for any protection profiles under Common Criteria."
For the record: I run Redhat-based LAMP servers and OpenBSD-based border-gateways. I wish they'd get their acts together and get evaluated; it'd be nice to have an honest-to-god standards-based evaluation of their security.
I guess I'm done.
See http://microsoft.com/windows2000/server/evaluation/news/bulletins/cccert.asp for more info.
obviously no deficiencies vs. no obvious deficiencies
It's sad that a company gets praised for barely attaining a level of quality that, for any other product besides software, would get them sued out of existence. Let's see, how does it go again? Install the software, add dozens of security fixes, add firewall, anti-virus, disable every feature you don't absolutely need, and then it "kinda works." If cars were that fragile, I don't think we'd be handing out any awards. Of course, it's not just MS (although they are one of the worst offenders), the whole software industry is fundamentally broken.
Hey MS, if your products are so great, when are you planning to drop the "we're not responsible for anything" clause from your EULA? For that matter, when are you going to stop using bogus, unenforceable contracts to intimidate your customers?
"The CC defines the Protection Profile (PP) construct which allows prospective consumers or developers to create standardised sets of security requirements which will meet their needs."
"The Target of Evaluation (TOE) is that part of the product or system which is subject to evaluation. The TOE security threats, objectives, requirements and summary specification of security functions and assurance measures together form the primary inputs to the Security Target (ST), which is used by the evaluators as the basis for evaluation."
"Evaluation
The principal inputs to evaluation are the Security Target, the set of evidence about the TOE and the TOE itself. The expected result of the evaluation process is a confirmation that the ST is satisfied for the TOE, with one or more reports documenting the evaluation findings."
In short, the Protection Profile defines the implementation-independent set of security requirements and objectives. I think the PP used for Win2000 is "Controlled Access Protection Profile (Version 1.d)", downloadable here
"The TOE (Target of Evaluation) is the product under evaluation (Win2000+VPN?+?) and the ST (security target) contains the security objectives and requirements of a specific identified TOE and defines the functional and assurance measures offered by that TOE to meet stated requirements. The ST may claim conformance to one or more PPs and forms the basis for an evaluation."
The assurance level (EALx) is the measure of "how much" assurance there exists that a TOE meets its security claims. EAL1 ("bad") ... EAL7 ("good"), see above reference.
So the really interesting parts are the Security Target and the Evaluation report. (Then you know what you're talking about.)
(Yes, my native tongue is not English)
Anyone remember the Rainbow Books? The DOD and NCSA had all their standards for computer security. It was all found in a huge multivolume set of books that presented the most ridiculous guidelines on security. When using bureaucratic guidelines for computer security it seems most people miss the point. You can't secure a server by following a bunch of formal and abstract rules. If you want to secure a system you need to use a person that understands how the system works and where the vulnerable points would be. Setting a bunch of standards just gives a false sense of security. I enjoyed the Rainbow Books because their highest classifications of security can still allow for simple services/daemons that could have holes and be running as a root user. This becomes very evident when you look and realize military systems usually have terrible security. You find unpatched daemons, unpassworded accounts, etc. It's too bad that most people out there can't understand what is wrong with the bureaucratic method.
FOR IMMEDIATE RELEASE
October 29, 2002
SAIC Awarded Common Criteria Certificate for Microsoft Windows 2000 Operating System Evaluation
(MCLEAN, VA) Science Applications International Corporation (SAIC) today announced that it has received a National Information Assurance Partnership (NIAP) Common Criteria certificate for successfully performing the evaluation of the Microsoft Windows 2000 operating system. SAIC's Common Criteria Testing Laboratory (CCTL) performed the evaluation and received the certificate at the Federal Information Assurance Conference (FIAC) 2002 in College Park, Md.
"SAIC is proud to have contributed to this Common Criteria milestone event and congratulates Microsoft for attaining this significant achievement in computer security," said Duane Andrews, SAIC corporate executive vice president.
The Windows 2000 operating system evaluation was conducted in accordance with ISO 15048 Common Criteria Evaluation Assurance Level (EAL) Level 4 Augmented requirements and was evaluated against the Common Criteria Controlled Access Protection Profile, which is consistent with the commercial-level information security requirements for the Department of Defense (DoD). An EAL4 is the highest evaluation rating that a commercial CCTL can perform and Windows 2000 is the first operating system to achieve an EAL4 rating under the United States Common Criteria Evaluation and Validation Scheme (CCEVS).
"The SAIC CCTL took on a complex challenge, and we were successful in completing the evaluation of the Windows 2000 operating system," said Tammy Compton, co-director of the SAIC CCTL, and the leader of the evaluation team. "The common criteria evaluation methodologies we used were applied to Windows 2000 without using evidence from any previous evaluations. This led to the completion of one of the more challenging projects we have conducted, and we are confident of more successful evaluations in the near future."
"We have embraced the Common Criteria evaluation process from its inception, because we saw the high quality bar for security we could provide to customers," said Bill Veghte, corporate vice president, Windows Server Group, Microsoft Corp. "With CC certification and the support resources we are releasing today, customers now have an internationally-recognized template for Windows 2000 that enables them to build an IT system for secure computing beyond that of any other commercially-available platform today."
Located in Columbia, Md., the SAIC CCTL is a division of SAIC's Secure Business Solutions and was accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) in August 2000. SAIC CCTL was one of the first commercial laboratories to be listed in the NIAP's CCEVS. SAIC's Secure Business Solutions provides security solutions for networks and business systems. Its 500 engineers can assess, test, design, certify, deploy, and manage solutions for information and physical security, and train organizations to be a core part of overall security solutions.
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
Except Linux doesn't have a claim to this level of Security. I love Linux, but it loses this round.
apt-get dist-upgrade
- Audit
- Cryptographic Support
- Communications
- User Data Protection
- Identification and Authentication
- Security Management
- Privacy
- Protection of the TOE Security Functions
- Resource Utilisation
- TOE Access
- Trusted Path/Channels
Is all that's required for the certification. Does the OS have the right features with a configuration policy that sets those features properly? It's sad that it's miles away from the default install, and most sysadmins won't take the effort to implement them.
Also, buffer overflows aren't part of the certification. Although, I would make a strong claim that a buffer overflow in a process running as System violates Protection of the TOE Security Functions.
This is a boring sig
To an explanation
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
Just to clarify, I didn't mean to imply that NT3.5 ever received a B1; just that it could be configured to meet that level. The main point being that while a specific cert might be nice in the PR wars, how you apply the system is what's important. For example, just as soon as a W2K user loads MS Office onto that machine, the cert is no longer valid.
The CC cert is less revealing than a NIST cert, because the CC evaluate the design of the system, and only a part of the implementation. So it is better suited to show that a developer has good security processes, rather than secure products.
And let's not slight MS here. From what I've seen, they are making an honest effort to secure their products. I think they've finally reached the point at which they have to in order to stay in business.
Really now, without being able to browse the source who knows how secure it is. Be a fair witness and say "Unfortunately that is true...".
Why is this story presented as 'propaganda'? I mean, I dislike Windows as much as the next person, but let's at least acknowledge that they have made a serious effort and spent a lot of money to improve security and that that effort has paid off. At least give them props for that.
From the article:
That's right. Not all versions of Linux could meet CC EAL4. In other words, not all versions of Linux could meet the same minimum security requirements as Microsoft Windows 2000.
"Well," you ask, "exactly which versions of Linux can and cannot meet CC EAL4 requirements?" It stands to reason that the core Linux(TM) kernel, the version distributed by Linus at http://www.kernel.org, cannot meet these minimum requirements, because if it did, all versions of Linux(TM) would meet these minimum requirements.
Kernel.org does not release an operating system, they release a kernel.
His article is FUD because he blasts the core kernel in much the same way I could say:
"Windows sucks, Bill sucks, and the MS goons suck, because while Windows 2000 SP3 can meet the cert the Windows XP kernel.exe file can't."
He himself admits that many Linux distributions can meet this cert. But it's as if he doesn't understand that there's a difference between a Linux distribution and a Linux kernel.
In fact, the following quote referring to kernel.org
After all, other Linux distributions are not going to be made less secure. I also know for a fact that this is true.
Really shows his lack of knowledge, because
1> kernel.org isn't a distribution, it's a kernel.
2> A full distribution with services (ftp, nntp, http) is totally less secure than a kernel without a distribution (i.e. you can't even log into the machine).
Could it possibly be as slow as WinXP Prof? It makes my P4 1.6 at work feel like a P233 would in NT 4.
Yesterday they passed for security certification, congrats.
Today 2 new vulnerabilities, oops.
So is this where I stick a witty comment?
not trying to be a GNU/linux zealot, but i recall that NT3.51 got something like this before. (a C2 rating) It lost the security rating once you added a NIC though.
W2k SP3 without a wired (or wireless) connection to the outside world would be secure against MS remote rooting it (as per the SP3 EULA)
but then so is that harddrive i have in a shoebox buried in the back yard (it died).
PS: i'm too lazy to read the article, and too lazy to google the nt3.51 cert
"Too bad it takes 3 Service Packs..." So what? Nt4 had what.. 7 service packs? Up to 6a or something wasn't it?
In response to all those posters who've said our negative remarks against Microsoft are uncalled for, I have only two words....
Steve Ballmer.
Too bad it takes 3 Service Packs...
Better 3 Service Packs than ignoring issues altogether. Not the best service record but at least realize it could be worse.
What is music when you despise all sound?
Jeeze...every post to this article seemed to assume that there was ONE Common Criteria certification. Windows got *A* CC Certification, and not a terribly high one. The one the SE Linux project is going for isn't terribly high, either. Think they're going for the same level.
that we give microsoft credit for actually doing something right. service pack whatever. how many security updates have you had to do to keep your linux box up-to-speed with the security issues? i run primarily linux, and i'm not a big fan of the microsoft way. but dammit, if they deserve credit, give it to em!
Time to get out the old buffer overflow toolbox.
How many man-hours did it take?
It's hard to comment on the validity of the Win2K CC without these specifics. If it only takes two man-hours to do a process that can be scripted across a whole network of boxes that's one thing. If it takes 50 man-hours of hacking while directly logged onto the console that's completely useless.
Too bad it takes 3 Service Packs...
Right, and as we all know Sendmail, NFS/RPC and BIND have been pinnacles of bulletproof security. I won't even go into the concept of UNIX security.
Also, you might want to actually read what the certification means, instead of just pulling some meaning out of your ass. It's the least you could do before submitting a story on it...
Would be nice to see what we are agreeing to, and send a copy to our lawyer.
Though, personally I don't care what they say. I will do as I please anyway.
---- Booth was a patriot ----
M$ will continue to support w2k thru 2005. But .... the next version of Office will not - which means that next year when people start passing around those .doc files you can't read you'll have to upgrade Office and as a result upgrade to XP
Propaganda from MS's Press Release link:
Introductory paragraph:
"The dramatic increase in Internet and computer use has generated tremendous benefits for people around the world. Unfortunately, consumers' online activities can also be the target of criminal activity such as intrusion and theft. As a result, security is a primary concern for information technology (IT) consumers."
The usual target is the web site that the consumer goes to not the individual consumer.
Further down:
"Microsoft supports CC certification because the standards are recognized by over 14 countries, and because its evaluation and certification process helps consumers make informed security decisions. As part of its commitment to provide customers with a secure platform for Trustworthy Computing, Microsoft submitted the Windows® 2000 operating system for CC certification. By enabling a complete, transparent analysis of Windows 2000 via the Common Criteria's independent government auditors, Microsoft is taking an important step toward building trust in the security of its products."
EAL4 only addresses the procedures and documentation processes in the creation of the software. It doesn't address the actual software security itself. Considering both the large number of privilege elevation attacks and the recently announced vulnerability in PPTP.
An interesting note from their evaluation document under Personnel Assumptions:
"Authorized users possess the necessary authorization to access at least some of the information management by the TOE and are expected to act in a cooperating manner in a benign environment." (emphasis added)
So, here you have a press release talking about how W2K's CC Certification means that you'll be more secure when working on the Internet and then you have a note that says users MUST be cooperative and in a benign environment. Well the Internet is neither so that pretty much cancels out the whole press release.
--- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
Perhaps it should.
--- Tao
This tool lists ALL available security patches for Windows 2000 and IE. Most of them go through more stability testing before being released to the unwashed masses on windowsupdate.microsoft.com.
Maybe it's still not 'as fast' as some linux patches, but it's relatively automated and easy to use, and centralized.
Actually, Microsoft was evaluated against the CAPP. Unless they added stuff in the target, this would exclude Cryptographic Support (FCS), Privacy (FPR), Resource Utilization (FRU), TOE Access (FTE), and Trusted Path (FTP).
You need to read the Win2K target to see what the functional requirements were.
Daniel
People remember the big viruses and worms that have affected Windows systems more than anything else.
For some of these, you can say that it was really Office products that are at fault (Word, Outlook, etc.), but that is not the whole story. Installing Office products on the Mac does not open you up to these kinds of security problems.
Windows seems to be set-up to allow execution of WSH scripts and lets Word macros do too many things in too many places. Why not sand-box it? And Outlook is horrible.
When you set-up Win2000 as a server, why should you have to leave Internet Explorer and Outlook on there anyway? Oh, they are "part of the OS". Right. . . I really can't pick and choose too much of what the OS decides to install for me (custom install or not).
security is not common.
Well, I still have SP2 on my W2K machines *because* of the EULA. The problem with the EULA is that you do not *know* if it is legal or not. Nobody ever has upheld a EULA in court, and until there is a precedent (means, a judge has decided on the legality of a EULA) the EULA is just a very gray area in juridical terms. That is why they are dangerous and should be read very very carefully.
It is enough that a company gets sued over a reasonable EULA (if there is such a thing), and a judge deems that EULA legal, in order to make all EULA's legal. That would open a whole can of worms...
I'm pretty sure EULA's are not legal in Europe, but I am not sure at all.
Too bad Linux isn't certified at all.
/. editors. If I had wanted mud slinging news I would have checked out the local political race, or any one of the national tabloids. It would also be different if /. put a satirical flavor on every headline; then the "Too bad it takes 3 Service Packs..." sort of comment would have been humourous. Instead I find it tiring and all too common.
/.'s readers' role is to review, evaluate, and comment on the story, thereby giving other readers some insight, food for thought, background information, and/or research needed for them to make informed decisions. If the /. editors feel it necessary to throw in such comments then they should keep them off the headlines and post their feelings like the rest of us do.... in the comments.
Thank you for saying this. No, this is not flamebait nor it is an attempt to bash Linux/MS/OS_whatever. I was quite disgusted by the fact that the editor felt it necessary to throw in that cheap quibble on the front page of the story.
No I am not a MS/Linux/OSX/CowboyNeilOS crusader. It would not have mattered which OS the story was referring to. The comment was cheap and unnecessary, and in my mind it degraded the apparent level of professionalism of the
MS should be given some credit for the efforts of achieving the level of standards necessary to acquire any type of internationally recognized certification. This goes for any other development team/group achieving similar goals.
/.'s role should be to report the news in a non-biased way while the
damnedIfIknowHowToUseAn'Or,Merlin.
...with you open source commie pinko faggot beardie weirdies, can it? they finally get a secure operating system, and all you have to say is "Too bad it takes 3 Service Packs"?
RPM?
I use RedHat, but I still use a mantra of:
Configure... bum bum... Make... la la... Make Install..
and whatever steps in between. But then I'm a linux control freak, so I've never liked RPM's very much
It's about maturity both on the part of the product and the posters. Using a trite analogy, like a good wine, any product needs time to mature and so do many Linux zealots. Geeks by their nature like to fiddle with things ;) so applying endless patches isn't necessarily a bad thing. Every Linux luser wants to be a kernel hacker but without the time and resources applying endless patches and reading the arcanum is a vicarious kernel hacker's high. MS needs to get product to the market and stay ahead of the competition, they're in a race and too often the product is left to mature in the market place. But the people who use windoze use it mainly because they want a one click answer even if that answer is shrouded in equivocation. It's a different mind set. And when Linux does grow to take larger and larger market share the users will want pat SP like resolutions to problems while here we will nitpick and complain that back in the day things were better without the concerns of too many lusers being addressed over the real requirements of the OS.
"Academicians are more likely to share each other's toothbrush than each other's nomenclature."
Cohen
I know this may sound self-defeating, but people should stop complaining about the commentaries placed by the article's submitter.
It's been too often that readers quip "*cough* Zealot *cough*", or "wish you were a little unbiased" ....
Well people, you should understand that commentaries are ... well, commentaries. Since, when are commentaries supposed to be unbiased??? They are exactly supposed to be subjective, for God's sake. So what if he's a zealot. That's his opinion. Read the article itself, and don't complain that the submitter's views are not the same as yours.
Firstly, SP3 is buggy as hell, really, more than most other service packs.
Secondly, saying "too bad it takes 3 service packs" is absurd... how many patches have there been since, say, linux 2.4.1? Gee, LOTS.
Thirdly, this is a security certification, yes, but it doesn't have ANYTHING to do with how bug-free the code is (or not). It only has to do with the security model in use, and the features it has (acl's, permissions, audit trails, etc). Again.. it has NOTHING to do with how secure the system is... only with what features it has for enforcing security (yes, it has more than unix)
It meant plenty; people just misunderstood what C2 meant.
People thought it meant "you can't break in". That's not what it means at all.
It has to do with access controls and audit trails and whatnot.. the overall security model and how it is enforced. It does not have anything to do with whether or not there are bugs.
C2 certified means, when your government agency or whatever company needs to build a system to C2 specs, they need to use a system that is certified to do so.
You CAN build a C2 system with NT.... that was the point. You CAN'T build one with Linux.
One thing that you must consider is that it takes a lot of money to get certified. When I say a lot I'm talking 20 to 30 million a lot. For linux, as an open source OS, who would pay this? I assume that anyone that does would expect some type of benefit, read ownership. Additionally, don't read too much into a CC certification. Remember that Windows NT was also certified, as long as it was not plugged into a network.
And if Linux was perfect at its 1.0 release, you'd have a leg to stand on.
"Ask not what your country can do for you." --John F. Kennedy
The interesting thing in the replies to your message is not the number of systems quoted that DO have the equivalent of System Update, but that there are so many other computer-literate people, such as yourself, who think that there is no such thing for linux and all other *nixes. Even Cygwin does. How do we get that idea across to more people?
:{)||
You know, when I was growing up, people always said to each other, "Nothing is this world is free". Maybe the FSF is fighting in-grained cultural beliefs. The only way to fix this is to make people pay for it. Pay us. A lot. They will thank us. (Hello?) Thank you, thank you very much.
HAHAHAHAHAHAHAHAHAHAHA!
I've used linux since High School (~7 years ago) and no one really had broadband then (though I remember when ISDN came out and I really wanted it).
Just because you don't spend enough time on the internet for you to justify the cost of broadband doesn't make us rich that we can just throw our money away on broadband. I certainly didn't have UNIX in college when I first started using linux because I was still in High School. In fact the UNIX classes at my college were a joke when I took them. (For some reason we spent 1/2 the term doing java)
Most linux users have broadband because they use the internet a lot. Imagine that... you can actually buy linux distributions on cd for very little... let's see... Debian (my fav. distro) on linuxcentral.com... 7 discs... $14.95 and you don't need to download anything. Then you can set up a PPP connection (which I did in High School) to an ISP and set up to download upgrades before you go to sleep. You don't need broadband for linux, you need broadband if you want to download mp3's, download movies, check your e-mail every minute, check slashdot constantly, play any online game... shall I go on?
Because of the fact that many computer junkies like myself need the internet to get all this information, sources become available to download Linux this way or install linux over a network, but you don't have to.
I still firmly believe the reason that Linux hasn't taken off in the office desktop is because M$ office is not available and M$ users have a hard enough time figuring out excel that they need to have special classes.
and I wouldn't classify Windows 2000 as an average users desktop... I don't know too many "average users" who use it... that would be more like ME or XP.
-Chris
If you want unbiased news go to....
um I think you're gonna have to make your own news site if you want that. This site is news for nerds and because of that you will have some bias towards certain things (such as linux).
Go to cnn and tell them to stop being so negative when some nutcase kills a bunch of people and they call it a tragedy... that's bias. If you don't like it go to MSNBC to get more of a M$ slant on things.
-Chris
Well lets see... red hat has one, debian has one... I'm sure others do as well, they just happen to be the ones I'm familiar with. Do some research next time before you shoot your mouth off.
-Chris
All I can find are XP boxes! A lot of good it does me getting an older product certified.
-- Many men would appreciate a woman's mind more if they could fondle it
"Too bad it takes 3 Service Packs..."
forget "3 'service packs"...try 3 YEARS! The service packs wouldnt be such a big deal if it didnt take fuckin 3 YEARS to get 'secure!'
Intelligence is like four wheel drive, having it just means you'll get stuck in more remote places.
Interesting thing is, /. was never set up to be a definitive news source, from what I understand. It was (and still is) a few guys throwing stuff that interests them up on the web. By spending a lot of time on the site, you're in essence buying in to their [sometimes twisted] take on things. If you want a different flavor of propaganda, you either go somewhere else or create your own.
The FACT is, that it has taken 3 service packs and a huge amount of public thrashing to get the OS to the point that it can be certified.
As to whether the certification means anything, that's up to each of us to decide for ourselves. My Win 2000 will remain firewalled off from the rest of my network, while I use what I feel to be more secure OS's to get the job done.
So, its really hard to compare Linux to Windows in a case like this, because Windows consists of an OS AND a desktop environment (well you could say the desktop environment is part of the OS, but you know what I mean...)
Linux is not that. Linux is only a kernel.
So, Linux probably would not gain this certification because that is a lot of security stuff to add into the mainline kernel (though they did just add crypto routines and are almost done with ACLs). Most of the security holes in Linux are a result of other programs and not a fault of the kernel. (Hence RMS' contention it should be called GNU/Linux -- because there is the Linux kernel and a bunch of GNU and other 3rd party programs that actually make it useful).
As an example, the desktop environment in Linux is X, which is not considered part of Linux.
I love Linux, don't get me wrong here. But I also love Microsoft products, just not their business practices. But I could say, it takes 3 Service Packs for Microsoft where it takes hundreds of Linux programmers releasing patches every day to achieve the same damn results. You're all zealots and you know it! Soon you'll all hate Red Hat because they made some money!
...in my mind it degraded the apparent level of professionalism of the /. editors.
That's quite impressive.
May we never see th
it degraded the apparent level of professionalism of the /. editors
Score 5, Funny.
Wrong, saic.om and microsoft.com are reporting this. e-week had a completely unrelated article, dated 5 months ago, about SP3.
Read more of the propaganda here.
So now press releases are 'propaganda'?
Basically, according to the article Any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated.
Which article? The e-week article is the only one talking about SP3, and it says nothing about 'running exactly the same system'.
The Common Criteria certification is an internationally recognized ISO standard established for evaluating the security of infrastructure technology products. Too bad it takes 3 Service Packs..."
Troll, troll, troll. You are obviously unaware of all the point releases linux distributions make that SUCK. (redhat 7.0 comes to mind)
Allow me to put you on my 'foe' list, mr qnal.
<grub> Reading
And too bad it only takes 1 service pack: they're cumulative in nature. Install Win2k, and if your install media wasn't updated to SP3 already, apply SP3 yourself.
Great day to post this. Only three Windows 2000 Security bulletins posted today!
http://www.microsoft.com/technet/treeview/?url=/technet/security/current.asp?frame=true
Does the certification include the two security patches downloaded this morning? More IIS roll up patches and an Unchecked buffer in PPTP implementation.
You're only as secure as the next patch...
-ted
I half expected people to be in here bashing M$ for this and that, billgates=devil linux=heaven, etc. etc. I'm glad that I see others stating what I was going to post, that people who use Linux or any open source system, are patching bugs, errors, recompiling kernels, fixing dependencies, changing symlinks but keeping old ones (just in case), ad nauseum. Perhaps there's hope for geeks after all, we're not all Linux groupies that hate microsoft just to hate microsoft. :-)
Wouldn't you like to be a pepper, too?
Ever get the feeling that Slashdot is to Microsoft as CNN is to the Republicans?
Too bad it takes 3 Service Packs...
and how many "updates" does linux need to be secure? Far more than 3. Especially when you need to get them from all the "eyes peering at the code".
I would rather have all the updates lumped into one large service pack, than 50 or 100 separate ones.
A day after boasting that Windows 2000 has won Common Criteria security certification, Microsoft was yesterday obliged to warn of two nasty vulnerabilities affecting, er, Windows 2000. The timing couldn't be more embarrassing for Redmond but, let's face it, the appearance of more bugs in Win2K (or IE, WinXP etc.) is hardly much of a surprise.
Read more here
As Opposed to a Linux kernel that is constantly under development?
'nuff said.
~.Evanrude
Whilst everyone on here seems to be getting tired of the jokes at M$, I get increasingly annoyed by the comments posted by everyone telling the guy to grow up. OK, M$ might be doing something good for once, but can you please leave off with the lame whines every time someone makes a joke at M$ because it's becoming tiring. You'd almost think the audience of /. was pro-M$.
/. readers to comment on the CONTENT of the news, not some comment the poster added.
As for the certificate, it is propaganda since all such certificates are meaningless. Three service packs is also meaningless. Who knows, SP2 could probably have got the certificate. Who cares if it's just propaganda? Stop arguing over pointless things. If someone makes a small comment about M$ products everyone jumps and defends M$. If someone makes a pro-M$ comment everyone jumps and slags off M$! I'd prefer
Lastly, Windows has huge problems. But so does Linux. Every OS has its downfalls, and the skill in the user/admin is knowing where the problems are and how to best deal with them. IMO Windows sys admins need to be a lot more skilled than Linux ones...
Quite correct but in many cases beside the point.
Often to purchase a product in a CC environment, it must be available in a CC configuration. The logic goes something along the lines of: if a product can be sufficiently secured to achieve EAL level X, we can reasonably expect to be able to meet future security requirements we may have.
The logic starts to unravel fast when you look at some of the configurations tested. Many of them are highly stripped down versions of the original product. That said, it carries a lot of weight in some purchasing circles and is a decent sized downturn proof market.
~~ What's stopping you?
Last I checked a fresh install of most Linux distros didn't yield an airtight box.
This comment was generated by a squadron of trained super elite albino ninja chickens for you.
I am not a robot. I am a unicorn.
I haven't been following the security certification for Win2K story, but was it tested with SP1, SP2, etc? Or are you just assuming it would fail without SP3?
Too bad they couldn't stay at 2.4.0 ...
Either you are bitching at M$ because they are not releasing enough bug fixes, or because they do release them (think of the service packs as just the next version; free software constantly gets new versions...). Make up your mind, this is silly. Dumb comments don't make you l33t, cool, or taken seriously.
As if any Unix system never had exploits or bugs that needed patching. The only difference between UNIX and Windows is that Microsoft charges for the software that it developed, and bundles patches into one large install every now and then. I think UNIX is a great tool and all but stupid ass remarks like this discredit the Unix community.
Take a look at Microsoft's own documentation for the Service Packs. Most of the "service" in "Service Pack" is security fixes.
Until earlier this year when Microsoft declared that security was really, really important to them, certification probably wasn't even on their radar.
MS should be given some credit for the efforts of achieving the level of standards necessary to acquire any type of internationally recognized certification.
MS SHOULD surpass any of the certification standards more easily with each new OS release. Frustratingly they don't seem to want to (or can't) fix some of the more fundamental security issues with their operating systems.
http://jesus.everdense.com/
You can find them here:
http://www.commoncriteria.org/stRpt/ST_solaris8.pdf
I'm sure that if you review the other OS cert's, you'll find that all of them require physically securing the computers and the hardware.
Common sense really. It's hard to imagine how a machine can be immune to hacking if the hacker has physical access to it.
Read it here:
http://www.commoncriteria.org/stRpt/ST_solaris8.pdf
In fact, all of the OS vendors require you to lock the computers and network into a secure enclosure.
It's common sense really.
You can't protect a system if the bad guys can walk up to your machine, pull out its disk drive, stick it into their machine, twiddle the bits, and then stick it back into your machine.
Microsoft's Expiry Cycle states that you get 5 years mainstream support, 2 years extended, 8+ years online self help. That probably means 2 and a bit more years for win2k.
I think, however, that MS announced this was probably the last service pack for win2k. Which is a shame.
Yay me!
There really isn't anything magic about CommonCriteria Certification or its older brother the NIST certification process. All it takes is money to pay the various fees and the time and effort necessary to guide whatever product you are trying to certify through the process.
Unfortunately this means open source products such as various Linux distributions, OpenBSD, FreeBSD, and NetBSD probably need to find someone to sponsor certification. For commercial Linux distributions like RedHat, SuSE, etc. this sponsorship is likely to come from the vendor or from a partner like IBM, or HP. For free distributions like Debian and the xBSD projects this means they would either have to collect donations or find a sponsor like Google or Yahoo.
It is possible to have open source based projects certified under CommonCriteria and the NIST standards. Several Linux and BSD based firewalls and security appliances such as the WatchGuard Firebox have been certified.
Happy Fun Ball is for external use only.
when the system is turned off....
PENAROL: Seras eterno como el tiempo y floreceras en cada primavera.
IMHO this brings EAL4 into disrepute.
History shows validation labs do a poor job testing assertions, or that insecurity is inadequately tested for - certificate revocation testing being a sore point.
Box ticking is a start, but the service packs show that prior assertions have been discovered hopelessly incorrect, many times.
These CC labs need only browse CERT to get a clue.
As no MS applications are certified, you still do not have a certified solution that can be rolled out. I agree with the above, buffer overflows must be asserted.
BTW the CC means oodles of timestamps, everywhere. If your faster machine appears slower, remember IBM invented special timestamp instructions for speed - and MS design issues mean secure throughput won't happen, even with multiple CPUs.
I used to run classified Government systems, and at this point in time I wouldn't be able to recommend anything other than FULLY AUDITABLE CODE (read: Open Source). Even if I paid $$$$$ to have source access, how would I ever know that the OS binaries I was running were really from the source I had access to? With Linux/xxxBSD, that's such a no-brainer.
Now, back in the day, we were using VMS and then a specially patched version called OpenVMS. True, we didn't pay for source access, but then again, back then, DEC wasn't using VMS as a tool to control/monitor users, nor were they going way out of their way to achieve non-interoperability with other systems (ok, ok, they were late to the party with TCP/IP, but at least 3rd parties supplied that piece). DEC also wasn't operating as criminals like they now are.
The common criteria evaluation methodologies we used were applied to Windows 2000 without using evidence from any previous evaluations.
Yes, it's obvious that they did not actually look at the systems performance.
"We have embraced the Common Criteria evaluation process from its inception..." said Bill Veghte, corporate vice president, Windows Server Group, Microsoft Corp.
We all know what happens to things M$ embraces, wink.
I would not use Win2k to run a dog house and SP3 on win2k is no better than anything they've ever made. Woo-hoo, forced screen savers and other cosmetics on top of a system that still has no real users and is more and more owned directly by M$. Why should anyone believe SP3 is any better than any other closed binary junk M$ has been putting out?
What is SAIC's deal? SAIC has a huge infrastructure of hard working and competent techs. Well, as competent as they can be running around the worthless web of product familiarization M$ weaves. Why their management is willing to prostitute them all for M$ is beyond explanation.
Trusted Path, what's that? Give me a break.
Friends don't help friends install M$ junk.
Cast of characters:
Gargamel - Bill Gates
Azriel - Steve Ballmer
Papa Smurf - Richard Stallman
Vanity Smurf - John Katz
Brainy Smurf - CowboyNeal (whoever the fuck he is)
Smurfette - Natalie Portman
I hate everything about Microsoft and use Gentoo Linux as my main desktop OS. However, when I need Windows I need Windows, so I've had to install Windows 2000 on one of my computers.
Upgrading from a fresh install to SP3 wasn't very difficult at all for me. I downloaded and ran the installer, rebooted, and then promptly turned off the stupid auto-update thingy. It didn't take long at all, and compared to the trouble of repartitioning my drives to make room for a new OS, tracking down ethernet and video drivers, and actually installing the OS, applying SP3 was trivial. Of course, not being an NT guru, there's a good chance that I'm missing something important, but it does seem that people are too quick to badmouth Microsoft.
In fact, as far as Windows goes, Windows 2000 isn't that bad. After installing Mozilla, OpenOffice, and some other goodies, I've got a pretty decent setup. I still think Linux is much, much better for many, many reasons, but not giving Microsoft credit when it's due doesn't do anyone any good.
Steve
I wish you would do that instead of posting pointless uninformative and offtopic crap.
All that boils down to the usual "blame the user". At my company we were forced to sign an "agreement" that said employees were accountable for all things done with our login. I objected as it would make me responsible for the actions of others, viruses and any real breach which, of course, I had no ability to avoid. I was told there was no option, sign or be denied computer usage, and not to worry, I'd be treated fairly. The implementing officer told me that they could in no way guarantee that any of the bad things I was able to think of would not happen, but that they had no choice but to do as my company wished. Yes, the implementing officer worked for SAIC which told my company what to do then told me they had to do what they were told.
Any OS with real users can follow those requirements, duh, M$ discovers the multiuser environment. It's too bad M$ has yet to implement real user accounts and other standard good practices and instead beats around with elaborate workarounds. Any reasonable company would know better than to blame the user when their software vendor fails them.
Friends don't help friends install M$ junk.
Would a EULA even stand up in court? And if microshaft took you on in court, would it want people to find out what is in one?
It *ONLY* took 3 service packs?
That's phenomenal.
SGI's IRIX was eval'ed at CAPP at release 6.5.16 -- that's 16 service packs on top of 6.5, which is the 6th incarnation of 6.0 (some were hardware specific). Their last OS to be certified was back at 4.something.
Now how many revisions has RH, Linux Kernel, SuSE, whoever gone through to get to their first Cert? It's no wonder Linux diehards proclaim certification is crap.
They can't even grok simple auditing of their silly kernel (oh my gosh mommy, it will slow me down by 3 cycles -- even when it is compiled out -- just seeing audit code will slow my brain down too much). But it really has to run on 486's or it isn't a useful feature!!!
I know -- let's pretend to come up with a general security module system that serves the needs of the designers -- "no no, we can't make it *truly* general, (*shiver*) the secret cabal of the L won't approve it", "yes, they'll complain that someone might actually write a non-open source security module -- just allowing that will guarantee its failure". "let's be sure to edit out all functionality we can't justify with current security policies", "but what about it being general"; "hush, we have to look unified -- and if we don't go along with crap it won't be accepted by the cabal!". Meanwhile: "yes, let's feed them a state of the art security system that will be totally unprovable or certifiable for any commercial product -- maybe Lin02SE?"; "cool name, sorta catchy but I don't think LinME is gonna make it". But back to dial-a-sec -- we can allow users to dial up their security module at run-time -- like a phone number -- think of the ad campaigns for security policies "dial 1-800-SECUREME".
Linux diehards like to talk big about security, but ask them for certified _proof_ to a given level? Hem and haw and oh that's not important -- let's throw in a new filesystem, that'll show 'em.
I'll bet the w2ksp3 cert system *doesn't* include IIS -- very likely can't be hooked up to the internet -- I think CAPP, like its successor is for use in a non-hostile environment (i.e. internet wouldn't be considered non-hostile), but we all have to live within our limitations or the walls of our boxes.
Uhoh...my keeper is coming...
See How to get certified security for Win2k, by Microsoft
"For linux, as an open source OS, who would pay this?"
The distribution creators, say Red Hat or United Linux. It is not the kernel that is certified, but a certain installation.
Are we sure that this is true? I would have thought that something like Trustix or Immunix might be certified. Are they not?
When it comes down to it a system is only as secure as its system administrator - installing, implementing, updating, setting user guidelines and making sure these are followed. Never mind the OS... My 0,02
- Kenzai, Master of the Little Penguin. "Long Live BeOS...ehhh, where is everybody going!?"
Important letters which contain no errors will develop errors in the mail.
Corresponding errors will show up in the duplicate while the Boss is reading
it. Vital papers will demonstrate their vitality by spontaneously moving
from where you left them to where you can't find them.
- this post brought to you by the Automated Last Post Generator...