Slashdot Mirror
Windows 2000 Gets Common Criteria Certification
Qnal writes "e-Week is reporting that Microsoft Windows 2000 has been awarded Common Criteria Certification.. Read more of the propaganda here. Basically, according to the article Any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated. The Common Criteria certification is an internationally recognized ISO standard established for evaluating the security of infrastructure technology products. Too bad it takes 3 Service Packs..."
Watch out for the EULA on service pack 3, its a killer.
Read their earlier report as well. CC accredation is a running certification, for a specific configuration.
"Flyin' in just a sweet place,
Never been known to fail..."
Microsoft Windows 2000 has been awarded Common Criteria Certification.
Sounds like Windows 2000 is the lowest common denominator.
"I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
This kind of certification is a great thing for people running Win2K.
But I have to wonder if Microsoft's upgrade cycle will cause those people to lose official support for Win2K unless they upgrade to XP or whatever's next very soon now?
A lot of enterprises do a lot of time-consuming testing before they rollout something like Win2K, which is probably the first reasonable OS from MS.
It'd be a real shame if all that testing and certification gets thrown out the window because MS doesn't feel its customers aren buying upgraded products fast enough.
"Provided by the management for your protection."
Hopefully the amount of hoops common criteria makes you jump through will be enough to 'persuade' microsoft into just keeping win2k around instead of EOLing it.
But linux still doesn't have it, does it? I'd rather have service packs, than have to hand-apply the hundreds of patches that are put out each year. How does linux handle masses of patches? New kernel build's? That's essentially all a service pack is.
Any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated
Which doesn't nearly going into counting all the fun software that finds inconstencies, holes, and breaches in windows, not to mention finding their own. Often, it's the new software or hardware that breaks an OS.
How about a fix to "DLL hell", where windows can obtain online a list of known DLL versions, and can be updated by software manufacturers as to which are compatible. From previously working in a software certification branch, I know that DLL and modular conflicts often cause a lot of the instability between apps or when installing new applicatons.
Ok did the 3 Service Packs statement rub anyone else the wrong way? Or was it just me?
Another article, more in-depth as to the prereqs for certification:
First we critize MS when their securtity fails, now that their security is improving we still critize their efforts. Grow up.
Besides, a more secure Win2K should mean a better Net for everyone. If these boxes can stay locked down and free of trojans, in theory we shoul see a decrease in attack/hack attemps.
Just for the record, there is NO "off the record" record.
Make a record of that.
Too bad it takes 3 service packs...
Yea, because we all know that open source software never needs to be patched. Yep, it's all 100% secure from the start. All open source software is versioned in whole number increments with no point releases for bugs. It's positively magical!
Gag me with an overstuffed penguin doll...
Don't forget how slow SP3 is. I tried it on one computer and bootup time was noticeably longer.
However, it is nice to see Microsoft going for some sort of help here. It would be much worse had they decided to flaunt it instead.
Have you read my journal today?
World Tech Tribune had a rather hilarious FUD article covering this several days ago.
were you expecting to see a sig here? perhaps you'd rather see the inside of an ambulance!
What Linux really needs is the equivalent of Windows Update so you can get a full listing of what needs to be updated.
With the rollout of UnitedLinux due anytime now, I hope they implement something akin to Windows Update so we don't waste valuable time chasing down manually every important software update to your Linux installation.
Propaganda?
I say bollocks.
Win2k with SP3 got an ISO certification for achieving a certain level of security. This is were the news ends. This is also where the person who presented the article behaves as a Linux/OSS groupie, serving FUD.
The MS OS got a certification, which to some means a lot, to others, nothing. But to actually go as far as calling the whole shebang as propaganda is outrageous
Correct me on this, but I don't remember Linux getting an ISO certification about anything.
The way the whole affair was presented, reeks of OSS selfrighteous geekiness, smallmindedness and fantacism.
You're A Debian user, right?
/. Where the truth
" Any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated"
Their test system had two 120Gig HDs full of fansubbed anime and was running at 100 cpu doing divx encodes ?
Well, they said "exactly the same system".
Wait, did they mean my exact system ? How do I sue them for wasting my cpu cycles running benchmarks ?
This post was nearly funny. Blame the cough syrup.
graspee
Most distributions already have this. Red Hat has the Red Hat Network. 3 Service Packs for Windows 2000, but hundreds of hotfixes...
Common criteria does not mean secure. There are multiple levels of the common criteria that mean different things. It doesn't appear that the article states the level achieved.
Common criteria is quite complicated - to understand what common criteria really means, you'll need to read some things that are NOT posted at Microsoft. This may mean that they basically implement what they have documented, or that they implement a specific feature set.
In the last year or so, it's become fashionable to use the word "propaganda" to describe anything one reads or hears that makes one uncomfortable. The word was already so subjective as to lack value, but it's now hit complete worthlessness.
If there's something untrue or illogical with the Microsoft page, say so. Throwing in an unsupported "propaganda" is just chickenshit. Unless you figured there was a certain amount of negative spin that had to be added to a Microsft succcess story to get it posted, which is a forgivable gaming of the system.
What I'm listening to now on Pandora...
oh and if you want win2k to be secure dont allow it to connect to anything outside of your control.
m l
http://www.theregister.co.uk/content/4/27877.ht
For the longest time everyone here has been criticizing Microsoft because they have poor security. So they start fixing it. They release patches. Then everyone criticizes the fact that they release all these patches. They are only being responsive to your criticism. Now an objective panel gives them a reward for their efforts, and everyone here is angry!
You know, I really thought everyone here genuinely wanted Microsoft to improve security. I thought we all were in it for the benefit of all. I thought that was what the Linux community was all about. But clearly the intent here is more religion than technical. Either you are part of my religion, or you are to be destroyed. How's that better than your perceptions of how Microsoft acts?
You know, maybe the .ORG domain name really is more appropriate, since it's a religion and all.
So who is working on certifying Linux? Is anyone going to actually try to improve the net, or are we going to just keep pulling Microsoft down?
Yes, it showed me that whoever wrote the article just had to put the mandatory anti-MS comment to get it submitted.
It could have been 1 service poack or 2, and it still would have been written the same way. Gotta have the obligatory jab at MS(even if they are doing something right).
And I can express my view against it by simply not subscribing to Slashdot.
Hey! I thought about submitting this yesterday...I'm sure lot's of people did. It was all over the news. I refrained cuz I realized that everything I've submitted so far has been M$ bashing... so I'm determined not to submit anything else about M$. (Even if they never use any of my submissions anyway.) Like my Dad always said, "if can't say something nice, don't say anything at all."
Comment removed based on user account deletion
I can't remember the last time I ever had dll problems. It was probably back with Windows 95 or something. W2K and XP have dll version management built in. I hear people on /. talk about DLL Hell, but I mainly get the impression that they haven't used Windows since 3.11 or something...
Compare that to the pain you often have to go through to install an RPM on Linux...
I think most people who read Slashodt are at least half-intelligent sentient beings. Most can tell FUD from truth. When criticism of Microsoft is called for and valid, fine. But this sort of thing is starting to get tiresome: bashing the Evil Empire for the sake of bashing. No more, no less. And on the fucking front page, with the tacit approval and blessing of the "editors".
A "news organization", if nothing else, has to maintain a modicum of impartiality. At the very least, please keep the garbage in the comments where it belongs, right next to the goatse and fecal trolls.
And I'll repeat something I read here once: The twig can only bend so much before breaking. Keep this up and Slashdot will be reduced to nothing more than a quivering hysterical mass of negative trolls whose only purpose in life is to attack someone else instead of celebrating what's good about the culture that spawned it.
When is Red Hat going to start this process? Anyone from Red Hat have a comment?
http://www.linkedin.com/in/dougneedham
Read the description on the CC web site, and you'll see that the evaluation was for the development process, and that only part of the impementation was tested at all. (I wonder which part?)
All of which, while interesting to some, is in the 'so what' category. Security is not a cert, or a product. Security is what you do.
For example, Windows NT 3.5 was certified to the NIST 'C2' level (basically, C2 means you have separated the users and require a login). But there was no problem building a 'B2' level (mandatory access control) system with NT3.5; you just had to add some software and hardware to plug the holes.
So these certs are of no use except to PR flaks. And trolls.
Comment removed based on user account deletion
Interviewee: "I'm an MCSE!!!"
Me: "That'll be all thank you, and there's the door!"
"I'm just here to regulate funkiness."
Those hot fixes are included in subsequent service packs. Install SP3 on a new system and there are few patches, if any, left to install. --gary
Too bad it takes 3 Service Packs..."
/. wants to maintain any level of credibility as a technology site (not a blind MS-bashing site) then it shouldn't post comments like this.
Name any OS that hasn't gone through hundreds of patches before it's reached certain levels of security, stability, or predictability. Quite frankly, if
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
...or does the author of the descriptive post for this article sound like the guy in this strip
If I were him, I'd be more thankful that MicroSoft patches holes, since they still do have a rather large presence, after all.
every modern distribution comes with an application that tells you which packages need to be updated and why they need to be updated.
select, download, install - there are really equivalent tools.
in Mandrake it's called "Mandrake Update" - even the naming convention is similar..
The set of features is (I think) the protection profile (PP). Not sure exactly what the PP is here - the press releases were rather vague, but it may be the commercial adaptation of the old military C2 (discretionary access control).
Before passing judgement, we need to know what the evaluated configuration looked like - what other software was included, what networking features were enabled, etc.
I suspect the reason Linux (or OpenBSD or FreeBSD...) have not applied for this is that it costs money. I'm sure MS paid SAIC a nice bundle for this work. A BIG difference between the Common Criteria and the old Orange Book evals. Under the Orange Book (the old C2), the gov't paid, the trade-off being that they took their sweet time doing the eval. Now we have private labs doing the work - more quickly, but there is always the issue of whether the payment biases the results.
FYI, here is what the Common Criteria says about EAL4:
EAL4 - methodically designed, tested and reviewed EAL4 permits a developer to maximize assurance gained from positive security engineering based on good commercial development practices. Although rigorous, these practices do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. It is applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs, and are prepared to incur additional security-specific engineering costs. An EAL4 evaluation provides an analysis supported by the low-level design of the modules of the TOE, and a subset of the implementation. Testing is supported by an independent search for vulnerabilities. Development controls are supported by a life-cycle model, identification of tools, and automated configuration management.
"dope will get you through times of no money better than money will get you through times of no dope"
All well and good but you cannot run W2K with macines with personal data on them, since that macine would then be violating the Federal HIPPA.
All your base!
Got Code?
Shoudn't this be filed in the humour section?
Common Criteria Certificate basically replaced the rainbow series of certificate. The more familiar one that we know are C2 of Orange book which NT 4 had.
I think the rainbow series was replaced sometime in year 2000. The significance of the common criteria is that it is developed by ISO and is internationally recognized and it not only replace the rainbow series but also the ITSEC (European standard) as well.
To put this in perspective: PIX v5.2 and Checkpoint NG are both certified to EAL 4. However, I still can't tell my PIX to not bother logging dropped packets to port 137 without telling it to not log _any_ drops at all! On checkpoint I can log based specifically on the rule, not just service or action. Both are "certified" but there is only one I would prefer to use.
Do really dense people warp space more than others?
First of all, CC certification was achieved with Service Pack 3 plus Hotfix Q326886, not just SP3. The author's statement is incorrect.
Second, Common Criteria isn't a panacea or a magical certificate saying that Win2k is uber-secure. It is an assurance that it meets a specific level of security and reliability on failure (ie, will STOP instead of going into an insecure mode on a kernel exception).
Its predecessor was called Orange Book, which WinNT scored a C2 rating. That's about as good as you are going to get with an "off the shelf" operating system. A Level 3 really doesn't mean it's better than other OSs, just certified that it will operate in a predictable and reliable fashion, has DACLs and user-based security, etc... Big whoop.
Why Service Pack 3? Gee, it takes a bit of time for certification. IIRC, NT took 2 years to get C2 certified. Remember, this is the government.
By the way, I don't see Linux listed anywhere on the CC list. Check your pots, I think they're talking to your kettles.
Finally, I take exception to the author's use of "propaganda". Is it becoming the thing to call anything propaganda that paints Microsoft as something other than the Evil Empire?
To get a common criteria certification, in addition to the thousands of dollars (>$40,000) you have to spend, you have to specify what your system does and then prove that it does it.
So, as I have not seen the specifics of Microsoft's CC case (which I doubt we'll see the full report), a certain company could say "Product X is a workstation operating system that does not allow UserA to see UserB's documents" and then Product X would be certified as having accomplished that.
There are different guidelines for different products, including firewalls and network management equipment and software.
You get a CC cert when your product DOES WHAT YOU CLAIMED IT WOULD DO IN THE APPLICATION.
There is NO third-party security guidelines for the products, as in the SANS guidelines or anything else.
You write up the application, make your security-related feature claims, and pay your fee. The product is given to a lab for testing.
The point of the CC is to get gov't and contractors to look at products based on what jobs and specific requirements those products can fill in their IT solutions. It's not really a security cert in the way "Windows is secure" would make you think. It's "Here's the list of security-related requirements you can fill with this product".
--mandi
Now back to your carrying on. Yes, I worked on a product that was to be CC'd.
If you check out: http://www.microsoft.com/technet/treeview/default. asp?url=/technet/security/issues/W2kCCUG/default.a sp and specifically the section 3.3; you'll see that its only a tad better than NT's orange book scam (which was certified as secure but only if not connected and in a locked room). This time - all the machines on the LAN need to be under the same security constraints; and that LAN of course stays in a locked down building. Or, since the days of NT, we've now gone from a locked room with one PC to a slightly larger locked room of PC's. Geez. Progress.
Comment removed based on user account deletion
This certification isn't much different, in that is has no real meaning or value to end users. All it does is allow M$ to sell into markets, primarily government, where CC certification is a requirement.
If a vulnerability is discovered in this certified version, there is nothing which forces M$ to make a correction. Further, if M$ issues Patches, HotFixes, Services Packs or whatever subsequent to this evaluation, they will NOT be certified, or even examined.
Marcus' Full QuoteMarcus Ranum (father of the Internet Firewall, speaking on CC evaluation of Firewalls) said it best:
This reminds me of when my current employer went through UL certification. It was truly eye opening experience for what those little stickers mean.
To begin with, the UL techs had very little clue about what it was they were certifying, they spent more time ensuring that all of the hardware we used had UL certifications. After that, they bascially re-wrote the spec's around our system. In the end we passed, of course. It would have been kinda tough to fail when the spec was being modified to fit our system, not the other way around.
After that wonderful experience, I came to realize just how big of a con the UL is pulling on all of us. Its bunk, it doesn't even prove that there is a decent level of quality behind a product. As an example, one of our system configurations requires an ethernet serial provider (ESP), for use with a modem and remote managment software. Easy enough, we've done this for years. But, the ESP we used was not UL listed, so we had to change manufacturers. When we finally found one we discovered that it would not work with a modem and the remote managment software, even had the manufacturer tell us as much! So now we are scrambling, trying to find another supplier. All because of some stupid little UL sticker.
I can say with confidence, the UL certification is a con. Also, I've dealt with ISO certification, its a con as well (yes, we have documentation on all of our procedures, just ignore that it is very loose and only ensures that we do roughly the same thing every time, and gets universally ignored, we're a custom shop after all, doing the same thing every time is impossible). And I would bet that this common criteria cert is a con, you pay them, play around for a few days to make the inspectors happy, and they sign off on your system.
Necessity is the mother of invention.
Laziness is the father.
My god, I've just had it. I submitted this news, but with an unbiased, informative write-up. That took a whole 4 minutes to get rejected.
0 2/10-29CommonCriteriaPR.asp 0 2/1029CommonCriteriaFAQ.asp
.Net server should be relatively quick to certify. They are from the same code base as Windows 2000 with mostly cosmetic changes and relatively minor system tweaks.
n /news/bulletins/cccert.asp for more info.
For the record, here's Microsoft's remarkably FUD-free press release: http://www.microsoft.com/presspass/press/2002/Oct
The FAQ tells all about the CC and what it really means: http://www.microsoft.com/presspass/press/2002/Oct
This is huge:
1) The CC certification is a globally accepted ISO standard (ISO-IEC 15408) established for evaluating the security features and capabilities of information technology products. 14 countries accept it as the method for evaluating the security claims of IT products and systems.
2) Just "running service pack 3" does not mean you are running a system that is at the same level of security as those evaluated. Microsoft has several documents (enumerated below) that describe how to set up, use, and administer a CC evaluation ready system.
3) Yes, Windows 2000 is on Service Pack 3 with a few post-service pack hot fixes. My Red Hat installation has at least as many fixes applied to it, and it's not even DoD "Orange Book" certified, let alone evaluated to any international standard of security.
4) There are three very helpful checklists Microsoft released with this announcement:
I) Common Criteria Evaluated Configuration User's Guide describes how to use a secured system in a secure way. All organizations should be sharing this information with their users. Anyone running Windows 2000 or later should read and follow this.
II) Common Criteria Evaluated Configuration Administrator's Guide tells administrators how to run their system once it's been securely configured. If all Windows 2000 admins read this and the next document there'd be fewer security incidents out there.
III) Common Criteria Security Configuration Guide tells you what steps need to be taken to properly configure a CC evaluation worthy system. It is very simple, especially with the templates Microsoft provides, but it is more complex than "apply service pack 3 then drink a beer".
These checklists will hopefully alleviate the problem of clueless admins incorrectly configuring and administering Windows 2000 systems.
5) Windows XP and Windows
The baseling is this: no other company has certified such a detailed procedure for assuring the ongoing security of their operating system products. Not linux, not BSD, no one. Windows 2000 is the first.
This isn't just a locked box in a closet with no net connection certification. Several Dell and Compaq systems were evaluated in real world situations. From an interview with Microsoft's Security and Server executives: "...directory service, Kerberos, single sign on, file system encryption, VPN functionality, policy-based network management, desktop management, and more. To our knowledge, Linux has not been evaluated for any protection profiles under Common Criteria."
For the record: I run Redhat-based LAMP servers and OpenBSD-based border-gateways. I wish they'd get their acts together and get evaluated; it'd be nice to have an honest-to-god standards-based evaluation of their security.
I guess I'm done.
See http://microsoft.com/windows2000/server/evaluatio
obviously no deficiencies vs. no obvious deficiencies
"The CC defines the Protection Profile (PP) construct which allows prospective consumers or developers to create standardised sets of security requirements which will meet their needs."
"The Target of Evalution (TOE) is that part of the product or system which is subject to evalution. The TOE security threats, objectives, requirements and summary specification of security focuntions and assurance measyers together form the primary inputs to the Security Targets (ST), which is used by the evalutators as basis for evaluation"
"Evaluation
... EAL7 ("good"), see above reference.
The principal inputs to evalutation are the Security Target, the set of evidence about the TOE and the TOE itself. The expected result of the evalution proecess is a conformation that the ST is satisfied for the TOE, with one or more reports documenting the evalution findings"
In short the Protection Profile defines the implementation independent set of security requirements and objectives. I think the PP used for Win2000 is "Controlled Access Protection Profile (Version 1.d)", downloadable here
"The TOE (Target of Evaluation) is the product under evaluation (Win2000+VPN?+?) and the ST (security target) contains the security objectives and requirments of a specific identified TOE and defines the functional and assurance measures offered by that TOE to meet stated requirements. The ST may claim conformance to one or more PPs and forms the basis for an evalution."
The assurance level (EALx) is the measure of "how much" assurance there exists that a TOE meets its security claims. EAL1 ("bad")
So the real interesting parts are the Security Target and the Evaluation-report. (Then you know what you're talking about).
(Yes, my native tongue is not English)
Anyone remember the rainbow books? The DOD and NCSA had all their standards for computer security. It was all found in a huge multivolume set of books that presented the most rediculous guidelines on security. When using bureaucratic guidelines for computer security it seems most people miss the point. You can't secure a server by following a bunch of formal and abstract rules. If you want to secure a system you need to use a person that understands how the system works and where the vulnerable points would be. Setting a bunch of standards just gives a false sense of security. I enjoyed the rainbow books because their highest classifications of security can still allow for simple services/daemons that could have holes and be running as a root user. This becomes very evident when you look realize military systems usually have terrible security. You find unpatched daemons, unpassworded accounts, etc. It's too bad that most people out there can't understand what is wrong with the bureaucratic method.
FOR IMMEDIATE RELEASE
October 29, 2002
SAIC Awarded Common Criteria Certificate for Microsoft Windows 2000 Operating System Evaluation
(MCLEAN, VA) Science Applications International Corporation (SAIC) today announced that it has received a National Information Assurance Partnership (NIAP) Common Criteria certificate for successfully performing the evaluation of the Microsoft Windows 2000 operating system. SAIC's Common Criteria Testing Laboratory (CCTL) performed the evaluation and received the certificate at the Federal Information Assurance Conference (FIAC) 2002 in College Park, Md.
"SAIC is proud to have contributed to this Common Criteria milestone event and congratulates Microsoft for attaining this significant achievement in computer security," said Duane Andrews, SAIC corporate executive vice president.
The Windows 2000 operating system evaluation was conducted in accordance with ISO 15048 Common Criteria Evaluation Assurance Level (EAL) Level 4 Augmented requirements and was evaluated against the Common Criteria Controlled Access Protection Profile, which is consistent with the commercial-level information security requirements for the Department of Defense (DoD). An EAL4 is the highest evaluation rating that a commercial CCTL can perform and Windows 2000 is the first operating system to achieve an EAL4 rating under the United States Common Criteria Evaluation and Validation Scheme (CCEVS).
"The SAIC CCTL took on a complex challenge, and we were successful in completing the evaluation of the Windows 2000 operation system," said Tammy Compton, co-director of the SAIC CCTL, and the leader of the evaluation team. "The common criteria evaluation methodologies we used were applied to Windows 2000 without using evidence from any previous evaluations. This led to the completion of one of the more challenging projects we have conducted, and we are confident of more successful evaluations in the near future."
"We have embraced the Common Criteria evaluation process from its inception, because we saw the high quality bar for security we could provide to customers," said Bill Veghte, corporate vice president, Windows Server Group, Microsoft Corp. "With CC certification and the support resources we are releasing today, customers now have an internationally-recognized template for Windows 2000 that enables them to build an IT system for secure computing beyond that of any other commercially-available platform today."
Located in Columbia, Md., the SAIC CCTL is a division of SAIC's Secure Business Solutions and was accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) in August 2000. SAIC CCTL was one of the first commercial laboratories to be listed in the NIAP's CCEVS. SAIC's Secure Business Solutions provides security solutions for networks and business systems. Its 500 engineers can assess, test, design, certify, deploy, and manage solutions for information and physical security, and train organizations to be a core part of overall security solutions.
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
Except Linux doesn't have a claim to this level of Security. I love Linux, but it loses this round.
apt-get dist-upgrade
- Audit
- Cryptographic Support
- Communications
- User Data Protection
- Identification and Authentication
- Security Management
- Privacy
- Protection of the TOE Security Functions
- Resource Utilisation
- TOE Access
- Trusted Path/Channels
Is all that's required for the certification. Does the OS have the right features with a configuration policy that sets those features properly.It's sad that it's miles away from the default install, and most sysadmins won't take the effort to implement them.
Also, buffer overflows aren't part of the certification. Although, I would make a strong claim that a buffer overflow in a process running as System violates Protection of the TOE Security Functions
This is a boring sig
To an explaination
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
Just to clarify, I didn't mean to imply that NT3.5 ever received a B1; just that it could be configured to meet that level. The main point being that while a specific cert might be nice in the PR wars, how you apply the system is what's important. For example, just as soon as a W2K user loads MS Office onto that machine, the cert is no longer valid.
The CC cert is less revealing than a NIST cert, because the CC evaluate the design of the system, and only a part of the implementation. So it is better suited to show that a developer has good security processes, rather than secure products.
And let's not slight MS here. From what I've seen, they are making an honest effort to secure their products. I think they've finally reached the point at which they have to in order to stay in business.
Why is this story presented as 'propaganda'? I mean, I disklike windows as much as the next person, but lets at least acknowledge they they have made a serious effort and spent a lot of money to improve security and that that effort has paid off. At least give them props for that.
From the article:
That's right. Not all versions of Linux could meet CC EAL4. In other words, not all versions of Linux could meet the same minimum security requirements as Microsoft Windows 2000.
"Well," you ask, "exactly which versions of Linux can and cannot meet CC EAL4 requirements?" It stands to reason that the core Linux(TM) kernel, the version distributed by Linus at http://www.kernel.org, cannot meet these minimum requirements, because if it did, all versions of Linux(TM) would meet these minimum requirements.
Kernel.org does not release an operating system, they release a kernel.
His article is FUD because he blasts the core kernel in much the same way I could say:
"Windows sucks, Bill sucks, and the MS goons suck, because while Windows 2000 SP3 can meet the cert the Windows XP kernel.exe file can't."
He himself admits that many Linux distributions can meet this cert. But it's as if he doesn't understand that there's a different between a Linux distribution and a Linux kernel.
In fact, the follow quote refering to kernel.org
After all, other Linux distributions are not going to be made less secure. I also know for a fact that this is true.
Really shows his lack of knowledge, because
1> kernel.org isn't a distribution, it's a kernel.
2> A full distibution with services(ftp, nntp, http) is totally less secure than a kernel without a distribution(ie. you can't even log into the machine).
Yesterday they passed for security certification, congrats.
Today 2 new venerabilities, oops.
So is this where I stick a witty comment?
"Too bad it takes 3 Service Packs..." So what? Nt4 had what.. 7 service packs? Up to 6a or something wasn't it?
In response to all those posters who've said our negative remarks against Microsoft are uncalled for, I have only two words....
Steve Ballmer.
Too bad it takes 3 Service Packs...
Better 3 Service Packs then ignoring issues all together. Not the best service record but at least realize it could be worse.
What is music when you despise all sound?
that we give microsoft credit for actually doing something right. service pack whatever. how many security updates have you had to do to keep your linux box up-to-speed with the security issues? i run primarily linux, and i'm not a big fan of the microsoft way. but dammit, if they deserve credit, give it to em!
Time to get out the old buffer overflow toolbox.
Too bad it takes 3 Service Packs...
Right, and as we all know Sendmail, NFS/RPC and BIND have been pinnacles of bulletproof security. I won't even go into the concept of UNIX security.
Also, you might want to actually read what the certification means, instead of just pulling some meaning out of your ass. It's the least you could do before submitting a story on it...
Would be nice to see what we are agreeing too, and send a copy to our lawyer.
Though, personally i dont care what they say. I will do as i please anyway.
---- Booth was a patriot ----
M$ will continue to support w2k thru 2005. But .... the next version of Office will not - which means that next year when people start passing around those .doc files you can't read you'll have to upgrade Office and as a result upgrade to XP
Propaganda from MS's Press Release link:
Intoductory paragraph:
"The dramatic increase in Internet and computer use has generated tremendous benefits for people around the world. Unfortunately, consumers' online activities can also be the target of criminal activity such as intrusion and theft. As a result, security is a primary concern for information technology (IT) consumers."
The usual target is the web site that the consumer goes to not the individual consumer.
Further down:
"Microsoft supports CC certification because the standards are recognized by over 14 countries, and because its evaluation and certification process helps consumers make informed security decisions. As part of it's commitment to provide customers with a secure platform for Trustworthy Computing, Microsoft submitted the Windows® 2000 operating system for CC certification. By enabling a complete, transparent analysis of Windows 2000 via the Common Criteria's independent government auditors, Microsoft is taking an important step toward building trust in the security of its products."
EAL4 only addresses the procedures and documentation processes in the creation of the software. It doesn't address the actual software security itself. Considering both the large number of priviledge elevation attacks and the recently announced vulnerability in PPTP.
An interesting note from their evaluation document under Personnel Assumptions:
"Authorized users possess the necessary authorization to access at least some of the information management by the TOE and are expected to act in a cooperating manner in a benign environment." (emphasis added)
So, here you have a press release talking about how W2K's CC Certification means that you'll be more secure when working on the Internet and then you have a note that says users MUST be cooperative and in a benign environment. Well the Internet is neither so that pretty much cancels out the whole press release.
--- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
Perhaps it should.
--- Tao
This tool lists ALL available security patches for Windows 2000 and IE. Most of them go through more stability testing before being released to the unwashed masses on windowsupdate.microsoft.com.
Maybe it's still not 'as fast' as some linux patches, but it's relatively automated and easy to use, and centralized.
Actually, Microsoft was evaluated against the CAPP. Unless they added stuff in the target, this would exclude Cryptographic Support (FCS), Privacy (FPR), Resource Utilization (FRU), TOE Access (FTE), and Trusted Path (FTP).
You need to read the Win2K target to see what the functional requirements were.
Daniel
People remember the big viruses and worms that have affected Windows systems more than anything else.
For some of these, you can say that it was really Office products that are at fault (Word, Outlook, etc.), but that is not the whole story. Installing Office products on the Mac does not open you up to these kinds of security problems.
Windows seems to be set-up to allow execution of WSH scripts and lets Word macros do too many things in too many places. Why not sand-box it? And Outlook is horrible.
When you set-up Win2000 as a server, why should you have to leave Internet Explorer and Outlook on there anyway? Oh, they are "part of the OS". Right. . . I really can't pick and choose too much of what the OS decides to install for me (custom install or not).
Well, I still have SP2 on my W2K machines *because* of the EULA. The problem with the EULA is that you do not *know* if it is legal or not. Nobody ever has upheld a EULA in court, and until there is a precedent (means, a judge has decided on the legality of a EULA) the EULA is just a very gray area in juridical terms. That is why they are dangerous and should be read very very carefully.
It is enough that a company gets sued over a reasonable EULA (if there is such a thing), and a judge deems that EULA legal, in order to make all EULA's legal. That would open a whole can of worms...
I'm pretty sure EULA's are not legal in Europe, but I am not sure at all.
Too bad Linux isn't cerfitied at all.
/. editors. If I had wanted mud slinging news I would have checked out the local political race, or any one of the national tabloids. It would also be different if /. put a satirical flavor on every headline then the "Too bad it takes 3 Service Packs..." sort of comment would have been humourous. Instead I find it tiring and all to common.
/.'s readers' roll is to review, evaluate, and comment on the story thereby giving other readers some insite, food for thought, background information, and/or research needed for them to make informed decisions. If the /. editors feel it necessary to throw in such comments then they should keep them off the headlines and post their feelings like the rest of us do.... in the comments.
Thank you for saying this. No, this is not flamebait nor it is an attempt to bash Linux/MS/OS_whatever. I was quite disgusted by the fact that the editor felt it necessary to throw in that cheap quibble on the front page of the story.
No I am not a MS/Linux/OSX/CowboyNeilOS crusader. It would not have mattered which OS the story was referring to. The comment was cheap and unnecessary, and in my mind it degraded the apparent level of professionalism of the
MS Should be given some credit for the efforts of achieving the level of standards necessary to aquire any type of internationally recognized certification. This goes for any other development team/group achieving similar goals.
/.'s roll should be to report the news in a non-bias way while the
damnedIfIknowHowToUseAn'Or,Merlin.
Agreed, especially concerning security, and we don't need some paid-for piece of paper to say so.
RPM?
I use RedHat, but I still use a mantra of:
Configure... bum bum... Make... la la... Make Install..
and whatever steps in between. But then I'm a linux control freak, so I've never liked RPM's very much
It's about maturity both on the part of the product and the posters. Using a trite analogy, like a good wine, any product needs time to mature and so do many Linux zealots. Geeks by their nature like to fiddle with things ;) so applying endless patches isn't necessarily a bad thing. Every Linux luser wants to be a kernel hacker but without the time and resources applying endless patches and reading the arcanum is a vicarious kernel hacker's high. MS needs to get product to the market and stay ahead of the competition, they're in a race and too often the product is left to mature in the market place. But the people who use windoze use it mainly because they want a one click answer even if that answer is shrouded in equivocation. It's a different mind set. And when Linux does grow to take larger and larger market share the users will want pat SP like resolutions to problems while here we will nitpick and complain that back in the day things were better without the concerns of too many lusers being addressed over the real requirements of the OS.
"Academicians are more likely to share each other's toothbrush than each other's nomenclature."
Cohen
I know this may sound self-defeating, but people should stop complaining about the commentaries placed by the article's submitter.
It's been too often that readers quip "*cough* Zealot *cough*", or "wish you were a little unbiased" ....
Well people, you should understand that commentaries are ... well, commentaries. Since, when are commentaries supposed to be unbiased??? They are exactly supposed to be subjective, for God's sake. So what if he's a zealot. That's his opinion. Read the article itself, and don't complain that the submitter's views are not the same as yours.
Firstly, SP3 is buggy as hell, really, more than most other serivce packs.
Secondly, saying "too bad it takes 3 service packs" is absurd... how many patches have their been since, say, linux 2.4.1? Gee, LOTS.
Thirdly, this is a security certification, yes, but it doesn't have ANYTHING to do with how bug-free the code is (or not). IT only has to do with the security model in use, and the features it has (acl's, permissions, audit trails, etc). Again.. it has NOTHING to do with how secure the system is... only with what features it has for enforcing security (yes, it has more than unix)
Except for that open source commie pinko faggot beardie part, I agree. Is this what it takes to get a article submitted here? Just flame MS for no reason at all? Get your fscking act together, and try to fix Linux problems before whining about MS. Give me a reason to switch, before I save enough for a Mac!
Grumpingly yours,
J.
It meant plenty; poeple just misundrestood what C2 meant.
People thought it meant "you can't break in". That's not what it means at all.
It has to do with access controls and audit trails and whatnot.. the overall security model and how it is enforced. IT does not have anything to do with whether or not there are bugs.
C2 certified means, when your government agency or whatever company needs to build a system to C2 specs, they need to use a system that is certified to do so.
You CAN build a C2 system with NT.... that was the point. You CAN'T build one with Linux.
One thing that you must consider is that it takes a lot of money to get certified. When I say a lot I'm talking 20 to 30 million a lot. For linux, as an open source OS, who would pay this. I assume that anyone that does would expect some type of benefit, read ownership. Additionally, don't read too much into a CC certification. Remember that windown NT was also certified, as long as it was not plugged into a network.
And if Linux was perfect at it's 1.0 release, you'd have a leg to stand on.
"Ask not what your country can do for you." --John F. Kennedy
The interesting thing in the replies to your message is not the number of systems quoted that DO have the equivalent of System Update, but that there are so many other computer-literate people, such as yourself, who think that there is no such thing for linux and all other *nixes. Even Cygwin does. How do we get that idea across to more people?
:{)||
You know, when I was growing up, people always said to each other, "Nothing is this world is free". Maybe the FSF is fighting in-grained cultural beliefs. The only way to fix this is to make people pay for it. Pay us. A lot. They will thank us. (Hello?) Thank you, thank you very much.
HAHAHAHAHAHAHAHAHAHAHA!
I've used linux since High School (~7 years ago) and no one really had broadband then (though I remember when ISDN came out and I really wanted it).
Just because you don't spend enough time on the internet for you to justify the cost of broadband doesn't make us rich that we can just throw our money away on broadband. I certainly didn't have UNIX in college when I first started using linux because I was still in High School. In fact UNIX classes at my college was a joke when I took it. (For some reason we spend 1/2 the term doing java)
Most linux users have broadband because they use the internet a lot. Imagine that... you can actually buy linux distributions on cd for very little... let's see... Debian (my fav. distro) on linuxcentral.com... 7 discs... $14.95 and you don't need to download anything. Then you can set up a PPP connection (which I did in High School) to an ISP and set up to download upgrades before you go to sleep. You don't need broadband for linux, you need broadband if you want to download mp3's, download movies, check your e-mail every minute, check slashdot constantly, play any online game... shall I go on?
Because of the fact that many computer junkies like myself need the internet to get all this information, sources become available to download Linux this way or install linux over a network, but you don't have to.
I still firmly believe the reason that Linux hasn't taken off in the office desktop is because M$ office is not available and M$ users have a hard enough time figuring out excel that they need to have special classes.
and I wouldn't classify Windows 2000 as an average users desktop... I don't know too many "average users" who use it... that would be more like ME or XP.
-Chris
If you want inbiased news go to....
um I think you're gonna have to make your own news site if you want that. This site is news for nerds and because of that you will have some bias towards certain things (such as linux).
Go to cnn and tell them to stop being so negative when some nutcase kills a bunch of people and they call it a tradgedy... that's bias. If you don't like it go to MSNBC to get more of a M$ slant on things.
-Chris
Comment removed based on user account deletion
Well lets see... red hat has one, debian has one... I'm sure others do as well, they just happen to be the ones I'm familiar with. Do some research next time before you shoot your mouth off.
-Chris
All I can find are XP boxes! A lot of good it does me getting an older product certified.
-- Many men would appreciate a woman's mind more if they could fondle it
"Too bad it takes 3 Service Packs..."
forget "3 'service packs"...try 3 YEARS! The service packs wouldnt be such a big deal if it didnt take fuckin 3 YEARS to get 'secure!'
Intelligence is like four wheel drive, having it just means you'll get stuck in more remote places.
Interesting thing is, /. was never set up to be a definitive news source, from what I understand. It was (and still is) a few guys throwing stuff that interests them up on the web. By spending a lot of time on the site, you're in essence buying in to their [sometimes twisted] take on things. If you want a different flavor of propoganda, you either go somewhere else or create your own.
The FACT is, that it has taken 3 service packs and a huge amount of public thrashing to get the OS to the point that it can be certified.
As to whether the certification means anything, that's up to each of us to decide for ourselves. My Win 2000 will remain firewalled off from the rest of my network, while I use what I feel to be more secure OS's to get the job done.
So, its really hard to compare Linux to Windows in a case like this, because Windows consists of an OS AND a desktop environment (well you could say the desktop environment is part of the OS, but you know what I mean...)
Linux is not that. Linux is only a kernel.
So, Linux probably would not gain this certification because that is a lot of security stuff to add into the mainline kernel (though they did just add crypto routines and are almost done with ACLs). Most of the security holes in Linux are a result of other programs and not a fault of the kernel. (Hence RMS' contention it should be called GNU/Linux -- because there is the Linux kernel and a bunch of GNU and other 3rd party programs that actually make it useful).
As an example, the desktop environment in Linux is X, which is not considered part of Linux.
...in my mind it degraded the apparent level of professionalism of the /. editors.
That's quite impressive.
May we never see th
Wrong, saic.om and microsoft.com are reporting this. e-week had a completely unrelated article, dated 5 months ago, about SP3.
Read more of the propaganda here.
So now press releases are 'propaganda'?
Basically, according to the article Any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated.
Which article? The e-week article is the only one talking about SP3, and it says nothing about 'running exactly the same system'.
The Common Criteria certification is an internationally recognized ISO standard established for evaluating the security of infrastructure technology products. Too bad it takes 3 Service Packs..."
Troll, troll, troll. You are obviously unaware of all the point releases linux distributions make that SUCK. (redhat 7.0 comes to mind)
Allow me to put you on my 'foe' list, mr qnal.
<grub> Reading
And too bad it only takes 1 service pack: they're cumulative in nature. Install Win2k, and if your install media wasn't updated to SP3 already, apply SP3 yourself.
Great day to post this. Only three Windows 2000 Security bullitens posted today!
/ te chnet/security/current.asp?frame=true
http://www.microsoft.com/technet/treeview/?url=
Does the certification include the two security patches downloaded this morning? More IIS roll up patches and an Unchecked buffer in PPTP implementation.
You're only as secure as the next patch...
-ted
Too bad it takes 3 Service Packs...
and how many "updates" does linux need to be secure? Far more than 3. Especially when you need to get them from all the "eyes peering at the code".
I would rather have all the updates lumped into one large service pack, than 50 or 100 separate ones.
I have two Linux boxes and one Windows box, and I happen to see the virtues of both - which is why I find so many of the comments here troubling. First of all, to imply that Microsoft bought this certification is childish at best. Secondly, in the original post, it says "too bad it takes three service packs." Are you telling me you haven't updated your Linux box three times because of vulnerabilities? Linux systems can be insecure too, and to fix them, you need updates. Plain and simple. Don't be stupid.
A day after boasting that Windows 2000 has won Common Criteria security certification, Microsoft was yesterday obliged to warn of two nasty vulnerability affecting, er, Windows 2000. The timing couldn't be more embarrassing for Redmond but, let's face it, the appearance of more bugs in Win2K (or IE, WinXP etc.) is hardly much of a surprise.
Read more here
As Opposed to a Linux kernel that is constantly under development?
'nuff said.
~.Evanrude
Whilst everyone on here seems to be getting tired at the jokes to M$, I get increasing annoyed by the comments posted by everyone telling the guy to grow up. OK, M$ might be doing something good for once, but can you please leave it off with the lame whines everytime someone makes a joke at M$ because its becoming tiring. You'd almost think the audience of /. was pro-M$.
/. readers to comment on the CONTENT of the news, not some comment the poster added.
As for the certificate, it is propaganda since all such certificates are meaningless. Three service packs is also meaningless. Who knows, SP2 could probably have got the certificate. Who cares if it's just propaganda? Stop arguing over pointless things. If someone makes a small comment about M$ products everyone jumps and defends M$. If someone makes a pro-M$ comment everyone jumps and slags off M$! I'd prefer
Lastly, Windows has huge problems. But so does Linux. Every OS has its downfalls, and the skill in the user/admin is knowing where the problems are and how to best deal with them. IMO Windows sys admins need to be a lot more skilled than Linux ones...
Quite correct but in many cases beside the point.
Often to purchase a product in a CC enviornment, it must be available in a CC configuration. The logic goes something along the lines of if a product can be sufficently secured to achieve EAL level X, we can reasonably expect to be able to meet future security requirements we may have.
The logic starts to unravel fast when you look at some of the configurations tested. Many of them are highly stripped down versions of the original product. That said, it carries a lot of weight in some purchasing circles and is a decent sized downturn proof market.
~~ What's stopping you?
Last I checked a fresh install of most Linux distros didn't yield an airtight box.
This comment was generated by a squadron of trained super elite albino ninja chickens for you.
I am not a robot. I am a unicorn.
I haven't been following the seucrity certification for Win2K story, but was it tested with SP1, SP2, etc? Or are you just assuming it would fail without SP3?
Too bad they couldn't stay at 2.4.0 ...
Either you are bitching at M$ because they are not releasing enough bug fixes, then because they do release them (think of the service packs as just the next version, free software constantly get new versions...). Make up your mind, this is silly. Dumb comments doesn't make you neither l33t, nor cool, nor taken seriously.
Your comment very much needed to be said. I wish I could mod you up.
Unless mankind redesigns itself
Take a look at Microsoft's own documentation for the Service Packs. Most of the "service" in "Service Pack" is security fixes.
Until earlier this year when Microsoft declared that security was really, really important to them, certification probably wasn't even on their radar.
Hi. What software companies are getting sued out of existence for providing a GUI that crashes way less than KDE/GNOME/any other UI I've used on Linux, including really stupid, simple ones like BlackBox?
What is shitty about MS software? MS makes BY FAR the most stable software, whether you look at application-space or kernel space. MS's kernel never crashes. Drivers developed for MS's kernel do. That's what happens when one single person doesn't decide what goes into the kernel and what doesn't.
And what a surprise, Windows supports more hardware and software than Linux! Sure, you might actually see a BSOD where I have to reboot and lose all my applications. But the same thing happens in Linux when X crashes and I have to restart it, losing all of my X sessions. Who cares if the kernel didn't crash?
Unless mankind redesigns itself
MS Should be given some credit for the efforts of achieving the level of standards necessary to aquire any type of internationally recognized certification.
MS SHOULD surpass any of the certification standards more easily with each new OS release. Frustratingly they don't seem to want to (or can't) fix some of the more fundamental security issues with their operating systems.
http://jesus.everdense.com/
The more relevant point to bring up is the fact that WinDOS applications have a tendency to muck about with the entire system. It seems extremely absurd to associate any sort of ISO standard with OS where such practices are standard.
Nevermind service packs and security fixes, what about actually installing and running applications?
Considering this permissive attitutude regarding updates to system files, it is not all unreasonable to question this certification process.
A Pirate and a Puritan look the same on a balance sheet.
No, it is you that is sadly deluded. Unix machines chug along silently, dependably long enough for those that installed them to forget how to maintain them. Meanwhile, it is NT that is getting exploited by multiple worms and buffer overflow exploits.
Unix simply gets the work done. It gets the work done faster and in larger scale enviroments than any PC based toy running NT can handle.
If you wish to compare Unix to the real VMS (rather than that wannabe NT), you might have a point.
Otherwise, you're just sadly deluded.
A Pirate and a Puritan look the same on a balance sheet.
Microsofts Expiry Cycle states that you get 5 years mainstream support, 2 years extended, 8+ years online self help. That probably means 2 and a bit more years for win2k.
I think, however, that MS announced this was probably the last service pack for win2k. Which is a shame.
Yay me!
SE Linux is going for a level 2 and they believe this is even aiming a bit high.
There really isn't anything magic about CommonCriteria Certification or its older brother the NIST certification process. All it takes is money to pay the various fees and the time and effort necessary to guide whatever product you are trying to certify through the process.
Unfortunately this means open source products such as various Linux distributions, OpenBSD, FreeBSD, and NetBSD probably need to find someone to sponsor certification. For commercial Linux distributions like RedHat, SuSE, etc. this sponsorship is likely to come from the vendor or from a partner like IBM, or HP. For free distributions like Debian and the xBSD projects this means they would either have to collect donations or find a sponsor like Google or Yahoo.
It is possible to have opensource based projects certified under CommonCriteria and the NIST standards. Several Linux and BSD based firewalls and security appliances such as the WatchGuard Firebox have been ceritfied.
Happy Fun Ball is for external use only.
Actually, as another response indicated, they got a level 4, which is pretty high. However, they were only certifying, "the Active directory service, Windows 2000's virtual private network (VPN) capability, the single sign-on function, its implementation of network security standard Kerberos, and the Windows 2000 encrypted file system". This means that a whole bunch of other stuff in the OS was left out. This is still good though; it is fairly hard for a company to get a common criteria cert.
when the system is turned off....
PENAROL: Seras eterno como el tiempo y floreceras en cada primavera.
The common criteria evaluation methodologies we used were applied to Windows 2000 without using evidence from any previous evaluations.
Yes, it's obvious that they did not actually look at the systems performance.
"We have embraced the Common Criteria evaluation process from its inception..." said Bill Veghte, corporate vice president, Windows Server Group, Microsoft Corp.
We all know what happens to things M$ embraces, wink.
I would not use Win2k to run a dog house and SP3 on win2k is no better than anything they've ever made. Woo-hoo, forced screen savers and other cosmetics on top of system that still has no real users and is more and more owned directly by M$. Why should anyone believe SP3 is any better than any other closed binary junk M$ has been putting out?
What is SAIC's deal? SAIC has a huge infrastructure of hard working and competent techs. Well, as competent as they can be running aroung the worthless web of product famililiarization M$ weaves. Why their management is willing to prostitute them all for M$ is beyond explaination.
Trusted Path, what's that? Give me a break.
Friends don't help friends install M$ junk.
Cast of characters:
Gargamel - Bill Gates
Azriel - Steve Ballmer
Papa Smurf - Richard Stallman
Vanity Smurf - John Katz
Brainy Smurf - CowboyNeal (whoever the fuck he is)
Smurfette - Natalie Portman
I hate everything about Microsoft and use Gentoo Linux as my main desktop OS. However, when I need Windows I need Windows, so I've had to install Windows 2000 on one of my computers.
Upgrading from a fresh install to SP3 wasn't very difficult at all for me. I downloaded and ran the installer, rebooted, and then promptly turned off the stupid auto-update thingy. It didn't take long at all, and compared to the trouble of repartitioning my drives to make room for a new OS, tracking down ethernet and video drivers, and actually installing the OS, applying SP3 was trivial. Of course, not being an NT guru, there's a good chance that I'm missing something important, but it does seem that people are too quick to badmouth Microsoft.
In fact, as far as Windows goes, Windows 2000 isn't that bad. After installing Mozilla, OpenOffice, and some other goodies, I've got a pretty decent setup. I still think Linux is much, much better for many, many reasons, but not giving Microsoft credit when it's due doesn't do anyone any good.
Steve
Comment removed based on user account deletion
All that boils down to the usual "blame the user". At my company we were forced to sign an "agreement" that said employees were accontable for all things done with our login. I objected as it would make me responsible for the actions of others, viruses and any real breach which, of course, I had no ability to avoid. I was told there was no option, sign or be denied computer usage, and not to worry, I'd be treated fairly. The implementing officer told me that they could in no way garuntee that any of the bad things I was able to think of would not happen, but that they had no choice but to do as my company wished. Yes, the implementing officer worked for SAIC which told my company what to do then told me they had to do what they were told.
Any OS with real users can follow those requirements, duh, M$ discovers the multiuser environment. It's too bad M$ has yet to implement real user accounts and other standard good practices and instead beats around with elaborate work arounds. Any reasonable company would know better than to blame the user when their software vendor fails them.
Friends don't help friends install M$ junk.
This brings EAL4 into dis-repute.
not really. You can certify a brick to EAL7. You just have to be choosey about the features you certify. This is the core of CC and the biggest misunderstanding. A rating of EAL4 is meaningless without understanding what was tested. The whole program was not tested and does not need to be for the CC certification.
Under the CC program a vendor supplies the security target to the customer. The customer matches that target against the customer's own target (requirements).
That is what has happened with win2k. MS set out a list of features which were certified to EAL4. The CC is very objective, testing only things which are specified. The number of bugs is irrelevant. The history or poorly written code is irrelevant. These were not features specified in the CC security target for Win2k.
CC does not require "oodles of timestamps, everywhere." Timestamps are only required if certain parts of audit are included in the security target. Although as auditing is a current marketing check box item, audit is usually included in the CC certification.
After reading (and experiencing) all these RPM problems I remember why I love the FreeBSD ports so much...
Yes gentoo's portage system is nice too but it isn't mature enough imho.
Debian's apt is also nice but I much rather have everything on my sys freshly compiled instead of using binary packages...
But yeah RPM is terrible and I don't get how it ever got so popular in the linux world, I mean it is starting to look as messy as say... the windows registry.
Before you ask, I use linux (gentoo) for my desktop needs but I won't use anything else than *BSD for my server needs. And I don't run windows because I don't want to run illegal software and plain out refuse paying too much for my OS, for the rest, windows is looking nice compared to its standard of quality over the years...
The way to corrupt a youth is to teach him to hold in higher value them who think alike than those who think differently
[i]For linux, as an open source OS, who would pay this[/i]?
The distribution creators, say red hat or united linux. it is not the kernel that is certified, but a certain installation.
Are we sure that this is true? I would have thought that something like Trustix or Immunix might be certified. Are they not?
When it comes down to it a system is only as secure as its system administrator - installing, implementing, updating, setting user guidelines and making sure these are followed. Never mind the OS... My 0,02
- Kenzai, Master of the Little Penguin. "Long Live BeOS...ehhh, where is everybody going!?"
Important letters which contain no errors will develop errors in the mail.
Corresponding errors will show up in the duplicate while the Boss is reading
it. Vital papers will demonstrate their vitality by spontaneously moving
from where you left them to where you can't find them.
- this post brought to you by the Automated Last Post Generator...