Slashdot Mirror
Windows 2000 Gets Common Criteria Certification
Qnal writes "e-Week is reporting that Microsoft Windows 2000 has been awarded Common Criteria Certification.. Read more of the propaganda here. Basically, according to the article Any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated. The Common Criteria certification is an internationally recognized ISO standard established for evaluating the security of infrastructure technology products. Too bad it takes 3 Service Packs..."
Watch out for the EULA on service pack 3, its a killer.
Read their earlier report as well. CC accredation is a running certification, for a specific configuration.
"Flyin' in just a sweet place,
Never been known to fail..."
Microsoft Windows 2000 has been awarded Common Criteria Certification.
Sounds like Windows 2000 is the lowest common denominator.
"I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
This kind of certification is a great thing for people running Win2K.
But I have to wonder if Microsoft's upgrade cycle will cause those people to lose official support for Win2K unless they upgrade to XP or whatever's next very soon now?
A lot of enterprises do a lot of time-consuming testing before they rollout something like Win2K, which is probably the first reasonable OS from MS.
It'd be a real shame if all that testing and certification gets thrown out the window because MS doesn't feel its customers aren buying upgraded products fast enough.
"Provided by the management for your protection."
Hopefully the amount of hoops common criteria makes you jump through will be enough to 'persuade' microsoft into just keeping win2k around instead of EOLing it.
But linux still doesn't have it, does it? I'd rather have service packs, than have to hand-apply the hundreds of patches that are put out each year. How does linux handle masses of patches? New kernel build's? That's essentially all a service pack is.
Any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated
Which doesn't nearly going into counting all the fun software that finds inconstencies, holes, and breaches in windows, not to mention finding their own. Often, it's the new software or hardware that breaks an OS.
How about a fix to "DLL hell", where windows can obtain online a list of known DLL versions, and can be updated by software manufacturers as to which are compatible. From previously working in a software certification branch, I know that DLL and modular conflicts often cause a lot of the instability between apps or when installing new applicatons.
Ok did the 3 Service Packs statement rub anyone else the wrong way? Or was it just me?
Another article, more in-depth as to the prereqs for certification:
First we critize MS when their securtity fails, now that their security is improving we still critize their efforts. Grow up.
Besides, a more secure Win2K should mean a better Net for everyone. If these boxes can stay locked down and free of trojans, in theory we shoul see a decrease in attack/hack attemps.
Just for the record, there is NO "off the record" record.
Make a record of that.
Too bad it takes 3 service packs...
Yea, because we all know that open source software never needs to be patched. Yep, it's all 100% secure from the start. All open source software is versioned in whole number increments with no point releases for bugs. It's positively magical!
Gag me with an overstuffed penguin doll...
World Tech Tribune had a rather hilarious FUD article covering this several days ago.
were you expecting to see a sig here? perhaps you'd rather see the inside of an ambulance!
What Linux really needs is the equivalent of Windows Update so you can get a full listing of what needs to be updated.
With the rollout of UnitedLinux due anytime now, I hope they implement something akin to Windows Update so we don't waste valuable time chasing down manually every important software update to your Linux installation.
Propaganda?
I say bollocks.
Win2k with SP3 got an ISO certification for achieving a certain level of security. This is were the news ends. This is also where the person who presented the article behaves as a Linux/OSS groupie, serving FUD.
The MS OS got a certification, which to some means a lot, to others, nothing. But to actually go as far as calling the whole shebang as propaganda is outrageous
Correct me on this, but I don't remember Linux getting an ISO certification about anything.
The way the whole affair was presented, reeks of OSS selfrighteous geekiness, smallmindedness and fantacism.
You're A Debian user, right?
/. Where the truth
" Any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated"
Their test system had two 120Gig HDs full of fansubbed anime and was running at 100 cpu doing divx encodes ?
Well, they said "exactly the same system".
Wait, did they mean my exact system ? How do I sue them for wasting my cpu cycles running benchmarks ?
This post was nearly funny. Blame the cough syrup.
graspee
Common criteria does not mean secure. There are multiple levels of the common criteria that mean different things. It doesn't appear that the article states the level achieved.
Common criteria is quite complicated - to understand what common criteria really means, you'll need to read some things that are NOT posted at Microsoft. This may mean that they basically implement what they have documented, or that they implement a specific feature set.
In the last year or so, it's become fashionable to use the word "propaganda" to describe anything one reads or hears that makes one uncomfortable. The word was already so subjective as to lack value, but it's now hit complete worthlessness.
If there's something untrue or illogical with the Microsoft page, say so. Throwing in an unsupported "propaganda" is just chickenshit. Unless you figured there was a certain amount of negative spin that had to be added to a Microsft succcess story to get it posted, which is a forgivable gaming of the system.
What I'm listening to now on Pandora...
For the longest time everyone here has been criticizing Microsoft because they have poor security. So they start fixing it. They release patches. Then everyone criticizes the fact that they release all these patches. They are only being responsive to your criticism. Now an objective panel gives them a reward for their efforts, and everyone here is angry!
You know, I really thought everyone here genuinely wanted Microsoft to improve security. I thought we all were in it for the benefit of all. I thought that was what the Linux community was all about. But clearly the intent here is more religion than technical. Either you are part of my religion, or you are to be destroyed. How's that better than your perceptions of how Microsoft acts?
You know, maybe the .ORG domain name really is more appropriate, since it's a religion and all.
So who is working on certifying Linux? Is anyone going to actually try to improve the net, or are we going to just keep pulling Microsoft down?
Yes, it showed me that whoever wrote the article just had to put the mandatory anti-MS comment to get it submitted.
It could have been 1 service poack or 2, and it still would have been written the same way. Gotta have the obligatory jab at MS(even if they are doing something right).
And I can express my view against it by simply not subscribing to Slashdot.
Comment removed based on user account deletion
I can't remember the last time I ever had dll problems. It was probably back with Windows 95 or something. W2K and XP have dll version management built in. I hear people on /. talk about DLL Hell, but I mainly get the impression that they haven't used Windows since 3.11 or something...
Compare that to the pain you often have to go through to install an RPM on Linux...
Read the description on the CC web site, and you'll see that the evaluation was for the development process, and that only part of the impementation was tested at all. (I wonder which part?)
All of which, while interesting to some, is in the 'so what' category. Security is not a cert, or a product. Security is what you do.
For example, Windows NT 3.5 was certified to the NIST 'C2' level (basically, C2 means you have separated the users and require a login). But there was no problem building a 'B2' level (mandatory access control) system with NT3.5; you just had to add some software and hardware to plug the holes.
So these certs are of no use except to PR flaks. And trolls.
Comment removed based on user account deletion
Too bad it takes 3 Service Packs..."
/. wants to maintain any level of credibility as a technology site (not a blind MS-bashing site) then it shouldn't post comments like this.
Name any OS that hasn't gone through hundreds of patches before it's reached certain levels of security, stability, or predictability. Quite frankly, if
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
every modern distribution comes with an application that tells you which packages need to be updated and why they need to be updated.
select, download, install - there are really equivalent tools.
in Mandrake it's called "Mandrake Update" - even the naming convention is similar..
The set of features is (I think) the protection profile (PP). Not sure exactly what the PP is here - the press releases were rather vague, but it may be the commercial adaptation of the old military C2 (discretionary access control).
Before passing judgement, we need to know what the evaluated configuration looked like - what other software was included, what networking features were enabled, etc.
I suspect the reason Linux (or OpenBSD or FreeBSD...) have not applied for this is that it costs money. I'm sure MS paid SAIC a nice bundle for this work. A BIG difference between the Common Criteria and the old Orange Book evals. Under the Orange Book (the old C2), the gov't paid, the trade-off being that they took their sweet time doing the eval. Now we have private labs doing the work - more quickly, but there is always the issue of whether the payment biases the results.
FYI, here is what the Common Criteria says about EAL4:
EAL4 - methodically designed, tested and reviewed EAL4 permits a developer to maximize assurance gained from positive security engineering based on good commercial development practices. Although rigorous, these practices do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. It is applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs, and are prepared to incur additional security-specific engineering costs. An EAL4 evaluation provides an analysis supported by the low-level design of the modules of the TOE, and a subset of the implementation. Testing is supported by an independent search for vulnerabilities. Development controls are supported by a life-cycle model, identification of tools, and automated configuration management.
"dope will get you through times of no money better than money will get you through times of no dope"
All well and good but you cannot run W2K with macines with personal data on them, since that macine would then be violating the Federal HIPPA.
All your base!
Got Code?
Common Criteria Certificate basically replaced the rainbow series of certificate. The more familiar one that we know are C2 of Orange book which NT 4 had.
I think the rainbow series was replaced sometime in year 2000. The significance of the common criteria is that it is developed by ISO and is internationally recognized and it not only replace the rainbow series but also the ITSEC (European standard) as well.
To put this in perspective: PIX v5.2 and Checkpoint NG are both certified to EAL 4. However, I still can't tell my PIX to not bother logging dropped packets to port 137 without telling it to not log _any_ drops at all! On checkpoint I can log based specifically on the rule, not just service or action. Both are "certified" but there is only one I would prefer to use.
Do really dense people warp space more than others?
First of all, CC certification was achieved with Service Pack 3 plus Hotfix Q326886, not just SP3. The author's statement is incorrect.
Second, Common Criteria isn't a panacea or a magical certificate saying that Win2k is uber-secure. It is an assurance that it meets a specific level of security and reliability on failure (ie, will STOP instead of going into an insecure mode on a kernel exception).
Its predecessor was called Orange Book, which WinNT scored a C2 rating. That's about as good as you are going to get with an "off the shelf" operating system. A Level 3 really doesn't mean it's better than other OSs, just certified that it will operate in a predictable and reliable fashion, has DACLs and user-based security, etc... Big whoop.
Why Service Pack 3? Gee, it takes a bit of time for certification. IIRC, NT took 2 years to get C2 certified. Remember, this is the government.
By the way, I don't see Linux listed anywhere on the CC list. Check your pots, I think they're talking to your kettles.
Finally, I take exception to the author's use of "propaganda". Is it becoming the thing to call anything propaganda that paints Microsoft as something other than the Evil Empire?
To get a common criteria certification, in addition to the thousands of dollars (>$40,000) you have to spend, you have to specify what your system does and then prove that it does it.
So, as I have not seen the specifics of Microsoft's CC case (which I doubt we'll see the full report), a certain company could say "Product X is a workstation operating system that does not allow UserA to see UserB's documents" and then Product X would be certified as having accomplished that.
There are different guidelines for different products, including firewalls and network management equipment and software.
You get a CC cert when your product DOES WHAT YOU CLAIMED IT WOULD DO IN THE APPLICATION.
There is NO third-party security guidelines for the products, as in the SANS guidelines or anything else.
You write up the application, make your security-related feature claims, and pay your fee. The product is given to a lab for testing.
The point of the CC is to get gov't and contractors to look at products based on what jobs and specific requirements those products can fill in their IT solutions. It's not really a security cert in the way "Windows is secure" would make you think. It's "Here's the list of security-related requirements you can fill with this product".
--mandi
Now back to your carrying on. Yes, I worked on a product that was to be CC'd.
This certification isn't much different, in that is has no real meaning or value to end users. All it does is allow M$ to sell into markets, primarily government, where CC certification is a requirement.
If a vulnerability is discovered in this certified version, there is nothing which forces M$ to make a correction. Further, if M$ issues Patches, HotFixes, Services Packs or whatever subsequent to this evaluation, they will NOT be certified, or even examined.
Marcus' Full QuoteMarcus Ranum (father of the Internet Firewall, speaking on CC evaluation of Firewalls) said it best:
This reminds me of when my current employer went through UL certification. It was truly eye opening experience for what those little stickers mean.
To begin with, the UL techs had very little clue about what it was they were certifying, they spent more time ensuring that all of the hardware we used had UL certifications. After that, they bascially re-wrote the spec's around our system. In the end we passed, of course. It would have been kinda tough to fail when the spec was being modified to fit our system, not the other way around.
After that wonderful experience, I came to realize just how big of a con the UL is pulling on all of us. Its bunk, it doesn't even prove that there is a decent level of quality behind a product. As an example, one of our system configurations requires an ethernet serial provider (ESP), for use with a modem and remote managment software. Easy enough, we've done this for years. But, the ESP we used was not UL listed, so we had to change manufacturers. When we finally found one we discovered that it would not work with a modem and the remote managment software, even had the manufacturer tell us as much! So now we are scrambling, trying to find another supplier. All because of some stupid little UL sticker.
I can say with confidence, the UL certification is a con. Also, I've dealt with ISO certification, its a con as well (yes, we have documentation on all of our procedures, just ignore that it is very loose and only ensures that we do roughly the same thing every time, and gets universally ignored, we're a custom shop after all, doing the same thing every time is impossible). And I would bet that this common criteria cert is a con, you pay them, play around for a few days to make the inspectors happy, and they sign off on your system.
Necessity is the mother of invention.
Laziness is the father.
My god, I've just had it. I submitted this news, but with an unbiased, informative write-up. That took a whole 4 minutes to get rejected.
0 2/10-29CommonCriteriaPR.asp 0 2/1029CommonCriteriaFAQ.asp
.Net server should be relatively quick to certify. They are from the same code base as Windows 2000 with mostly cosmetic changes and relatively minor system tweaks.
n /news/bulletins/cccert.asp for more info.
For the record, here's Microsoft's remarkably FUD-free press release: http://www.microsoft.com/presspass/press/2002/Oct
The FAQ tells all about the CC and what it really means: http://www.microsoft.com/presspass/press/2002/Oct
This is huge:
1) The CC certification is a globally accepted ISO standard (ISO-IEC 15408) established for evaluating the security features and capabilities of information technology products. 14 countries accept it as the method for evaluating the security claims of IT products and systems.
2) Just "running service pack 3" does not mean you are running a system that is at the same level of security as those evaluated. Microsoft has several documents (enumerated below) that describe how to set up, use, and administer a CC evaluation ready system.
3) Yes, Windows 2000 is on Service Pack 3 with a few post-service pack hot fixes. My Red Hat installation has at least as many fixes applied to it, and it's not even DoD "Orange Book" certified, let alone evaluated to any international standard of security.
4) There are three very helpful checklists Microsoft released with this announcement:
I) Common Criteria Evaluated Configuration User's Guide describes how to use a secured system in a secure way. All organizations should be sharing this information with their users. Anyone running Windows 2000 or later should read and follow this.
II) Common Criteria Evaluated Configuration Administrator's Guide tells administrators how to run their system once it's been securely configured. If all Windows 2000 admins read this and the next document there'd be fewer security incidents out there.
III) Common Criteria Security Configuration Guide tells you what steps need to be taken to properly configure a CC evaluation worthy system. It is very simple, especially with the templates Microsoft provides, but it is more complex than "apply service pack 3 then drink a beer".
These checklists will hopefully alleviate the problem of clueless admins incorrectly configuring and administering Windows 2000 systems.
5) Windows XP and Windows
The baseling is this: no other company has certified such a detailed procedure for assuring the ongoing security of their operating system products. Not linux, not BSD, no one. Windows 2000 is the first.
This isn't just a locked box in a closet with no net connection certification. Several Dell and Compaq systems were evaluated in real world situations. From an interview with Microsoft's Security and Server executives: "...directory service, Kerberos, single sign on, file system encryption, VPN functionality, policy-based network management, desktop management, and more. To our knowledge, Linux has not been evaluated for any protection profiles under Common Criteria."
For the record: I run Redhat-based LAMP servers and OpenBSD-based border-gateways. I wish they'd get their acts together and get evaluated; it'd be nice to have an honest-to-god standards-based evaluation of their security.
I guess I'm done.
See http://microsoft.com/windows2000/server/evaluatio
obviously no deficiencies vs. no obvious deficiencies
FOR IMMEDIATE RELEASE
October 29, 2002
SAIC Awarded Common Criteria Certificate for Microsoft Windows 2000 Operating System Evaluation
(MCLEAN, VA) Science Applications International Corporation (SAIC) today announced that it has received a National Information Assurance Partnership (NIAP) Common Criteria certificate for successfully performing the evaluation of the Microsoft Windows 2000 operating system. SAIC's Common Criteria Testing Laboratory (CCTL) performed the evaluation and received the certificate at the Federal Information Assurance Conference (FIAC) 2002 in College Park, Md.
"SAIC is proud to have contributed to this Common Criteria milestone event and congratulates Microsoft for attaining this significant achievement in computer security," said Duane Andrews, SAIC corporate executive vice president.
The Windows 2000 operating system evaluation was conducted in accordance with ISO 15048 Common Criteria Evaluation Assurance Level (EAL) Level 4 Augmented requirements and was evaluated against the Common Criteria Controlled Access Protection Profile, which is consistent with the commercial-level information security requirements for the Department of Defense (DoD). An EAL4 is the highest evaluation rating that a commercial CCTL can perform and Windows 2000 is the first operating system to achieve an EAL4 rating under the United States Common Criteria Evaluation and Validation Scheme (CCEVS).
"The SAIC CCTL took on a complex challenge, and we were successful in completing the evaluation of the Windows 2000 operation system," said Tammy Compton, co-director of the SAIC CCTL, and the leader of the evaluation team. "The common criteria evaluation methodologies we used were applied to Windows 2000 without using evidence from any previous evaluations. This led to the completion of one of the more challenging projects we have conducted, and we are confident of more successful evaluations in the near future."
"We have embraced the Common Criteria evaluation process from its inception, because we saw the high quality bar for security we could provide to customers," said Bill Veghte, corporate vice president, Windows Server Group, Microsoft Corp. "With CC certification and the support resources we are releasing today, customers now have an internationally-recognized template for Windows 2000 that enables them to build an IT system for secure computing beyond that of any other commercially-available platform today."
Located in Columbia, Md., the SAIC CCTL is a division of SAIC's Secure Business Solutions and was accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) in August 2000. SAIC CCTL was one of the first commercial laboratories to be listed in the NIAP's CCEVS. SAIC's Secure Business Solutions provides security solutions for networks and business systems. Its 500 engineers can assess, test, design, certify, deploy, and manage solutions for information and physical security, and train organizations to be a core part of overall security solutions.
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
- Audit
- Cryptographic Support
- Communications
- User Data Protection
- Identification and Authentication
- Security Management
- Privacy
- Protection of the TOE Security Functions
- Resource Utilisation
- TOE Access
- Trusted Path/Channels
Is all that's required for the certification. Does the OS have the right features with a configuration policy that sets those features properly.It's sad that it's miles away from the default install, and most sysadmins won't take the effort to implement them.
Also, buffer overflows aren't part of the certification. Although, I would make a strong claim that a buffer overflow in a process running as System violates Protection of the TOE Security Functions
This is a boring sig
To an explaination
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
Just to clarify, I didn't mean to imply that NT3.5 ever received a B1; just that it could be configured to meet that level. The main point being that while a specific cert might be nice in the PR wars, how you apply the system is what's important. For example, just as soon as a W2K user loads MS Office onto that machine, the cert is no longer valid.
The CC cert is less revealing than a NIST cert, because the CC evaluate the design of the system, and only a part of the implementation. So it is better suited to show that a developer has good security processes, rather than secure products.
And let's not slight MS here. From what I've seen, they are making an honest effort to secure their products. I think they've finally reached the point at which they have to in order to stay in business.
Why is this story presented as 'propaganda'? I mean, I disklike windows as much as the next person, but lets at least acknowledge they they have made a serious effort and spent a lot of money to improve security and that that effort has paid off. At least give them props for that.
From the article:
That's right. Not all versions of Linux could meet CC EAL4. In other words, not all versions of Linux could meet the same minimum security requirements as Microsoft Windows 2000.
"Well," you ask, "exactly which versions of Linux can and cannot meet CC EAL4 requirements?" It stands to reason that the core Linux(TM) kernel, the version distributed by Linus at http://www.kernel.org, cannot meet these minimum requirements, because if it did, all versions of Linux(TM) would meet these minimum requirements.
Kernel.org does not release an operating system, they release a kernel.
His article is FUD because he blasts the core kernel in much the same way I could say:
"Windows sucks, Bill sucks, and the MS goons suck, because while Windows 2000 SP3 can meet the cert the Windows XP kernel.exe file can't."
He himself admits that many Linux distributions can meet this cert. But it's as if he doesn't understand that there's a different between a Linux distribution and a Linux kernel.
In fact, the follow quote refering to kernel.org
After all, other Linux distributions are not going to be made less secure. I also know for a fact that this is true.
Really shows his lack of knowledge, because
1> kernel.org isn't a distribution, it's a kernel.
2> A full distibution with services(ftp, nntp, http) is totally less secure than a kernel without a distribution(ie. you can't even log into the machine).
"Too bad it takes 3 Service Packs..." So what? Nt4 had what.. 7 service packs? Up to 6a or something wasn't it?
In response to all those posters who've said our negative remarks against Microsoft are uncalled for, I have only two words....
Steve Ballmer.
Too bad it takes 3 Service Packs...
Better 3 Service Packs then ignoring issues all together. Not the best service record but at least realize it could be worse.
What is music when you despise all sound?
Too bad it takes 3 Service Packs...
Right, and as we all know Sendmail, NFS/RPC and BIND have been pinnacles of bulletproof security. I won't even go into the concept of UNIX security.
Also, you might want to actually read what the certification means, instead of just pulling some meaning out of your ass. It's the least you could do before submitting a story on it...
Would be nice to see what we are agreeing too, and send a copy to our lawyer.
Though, personally i dont care what they say. I will do as i please anyway.
---- Booth was a patriot ----
Propaganda from MS's Press Release link:
Intoductory paragraph:
"The dramatic increase in Internet and computer use has generated tremendous benefits for people around the world. Unfortunately, consumers' online activities can also be the target of criminal activity such as intrusion and theft. As a result, security is a primary concern for information technology (IT) consumers."
The usual target is the web site that the consumer goes to not the individual consumer.
Further down:
"Microsoft supports CC certification because the standards are recognized by over 14 countries, and because its evaluation and certification process helps consumers make informed security decisions. As part of it's commitment to provide customers with a secure platform for Trustworthy Computing, Microsoft submitted the Windows® 2000 operating system for CC certification. By enabling a complete, transparent analysis of Windows 2000 via the Common Criteria's independent government auditors, Microsoft is taking an important step toward building trust in the security of its products."
EAL4 only addresses the procedures and documentation processes in the creation of the software. It doesn't address the actual software security itself. Considering both the large number of priviledge elevation attacks and the recently announced vulnerability in PPTP.
An interesting note from their evaluation document under Personnel Assumptions:
"Authorized users possess the necessary authorization to access at least some of the information management by the TOE and are expected to act in a cooperating manner in a benign environment." (emphasis added)
So, here you have a press release talking about how W2K's CC Certification means that you'll be more secure when working on the Internet and then you have a note that says users MUST be cooperative and in a benign environment. Well the Internet is neither so that pretty much cancels out the whole press release.
--- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
Actually, Microsoft was evaluated against the CAPP. Unless they added stuff in the target, this would exclude Cryptographic Support (FCS), Privacy (FPR), Resource Utilization (FRU), TOE Access (FTE), and Trusted Path (FTP).
You need to read the Win2K target to see what the functional requirements were.
Daniel
Well, I still have SP2 on my W2K machines *because* of the EULA. The problem with the EULA is that you do not *know* if it is legal or not. Nobody ever has upheld a EULA in court, and until there is a precedent (means, a judge has decided on the legality of a EULA) the EULA is just a very gray area in juridical terms. That is why they are dangerous and should be read very very carefully.
It is enough that a company gets sued over a reasonable EULA (if there is such a thing), and a judge deems that EULA legal, in order to make all EULA's legal. That would open a whole can of worms...
I'm pretty sure EULA's are not legal in Europe, but I am not sure at all.
Too bad Linux isn't cerfitied at all.
/. editors. If I had wanted mud slinging news I would have checked out the local political race, or any one of the national tabloids. It would also be different if /. put a satirical flavor on every headline then the "Too bad it takes 3 Service Packs..." sort of comment would have been humourous. Instead I find it tiring and all to common.
/.'s readers' roll is to review, evaluate, and comment on the story thereby giving other readers some insite, food for thought, background information, and/or research needed for them to make informed decisions. If the /. editors feel it necessary to throw in such comments then they should keep them off the headlines and post their feelings like the rest of us do.... in the comments.
Thank you for saying this. No, this is not flamebait nor it is an attempt to bash Linux/MS/OS_whatever. I was quite disgusted by the fact that the editor felt it necessary to throw in that cheap quibble on the front page of the story.
No I am not a MS/Linux/OSX/CowboyNeilOS crusader. It would not have mattered which OS the story was referring to. The comment was cheap and unnecessary, and in my mind it degraded the apparent level of professionalism of the
MS Should be given some credit for the efforts of achieving the level of standards necessary to aquire any type of internationally recognized certification. This goes for any other development team/group achieving similar goals.
/.'s roll should be to report the news in a non-bias way while the
damnedIfIknowHowToUseAn'Or,Merlin.
It's about maturity both on the part of the product and the posters. Using a trite analogy, like a good wine, any product needs time to mature and so do many Linux zealots. Geeks by their nature like to fiddle with things ;) so applying endless patches isn't necessarily a bad thing. Every Linux luser wants to be a kernel hacker but without the time and resources applying endless patches and reading the arcanum is a vicarious kernel hacker's high. MS needs to get product to the market and stay ahead of the competition, they're in a race and too often the product is left to mature in the market place. But the people who use windoze use it mainly because they want a one click answer even if that answer is shrouded in equivocation. It's a different mind set. And when Linux does grow to take larger and larger market share the users will want pat SP like resolutions to problems while here we will nitpick and complain that back in the day things were better without the concerns of too many lusers being addressed over the real requirements of the OS.
"Academicians are more likely to share each other's toothbrush than each other's nomenclature."
Cohen
I know this may sound self-defeating, but people should stop complaining about the commentaries placed by the article's submitter.
It's been too often that readers quip "*cough* Zealot *cough*", or "wish you were a little unbiased" ....
Well people, you should understand that commentaries are ... well, commentaries. Since, when are commentaries supposed to be unbiased??? They are exactly supposed to be subjective, for God's sake. So what if he's a zealot. That's his opinion. Read the article itself, and don't complain that the submitter's views are not the same as yours.
The interesting thing in the replies to your message is not the number of systems quoted that DO have the equivalent of System Update, but that there are so many other computer-literate people, such as yourself, who think that there is no such thing for linux and all other *nixes. Even Cygwin does. How do we get that idea across to more people?
:{)||
You know, when I was growing up, people always said to each other, "Nothing is this world is free". Maybe the FSF is fighting in-grained cultural beliefs. The only way to fix this is to make people pay for it. Pay us. A lot. They will thank us. (Hello?) Thank you, thank you very much.
Comment removed based on user account deletion
Interesting thing is, /. was never set up to be a definitive news source, from what I understand. It was (and still is) a few guys throwing stuff that interests them up on the web. By spending a lot of time on the site, you're in essence buying in to their [sometimes twisted] take on things. If you want a different flavor of propoganda, you either go somewhere else or create your own.
The FACT is, that it has taken 3 service packs and a huge amount of public thrashing to get the OS to the point that it can be certified.
As to whether the certification means anything, that's up to each of us to decide for ourselves. My Win 2000 will remain firewalled off from the rest of my network, while I use what I feel to be more secure OS's to get the job done.
...in my mind it degraded the apparent level of professionalism of the /. editors.
That's quite impressive.
May we never see th
Wrong, saic.om and microsoft.com are reporting this. e-week had a completely unrelated article, dated 5 months ago, about SP3.
Read more of the propaganda here.
So now press releases are 'propaganda'?
Basically, according to the article Any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated.
Which article? The e-week article is the only one talking about SP3, and it says nothing about 'running exactly the same system'.
The Common Criteria certification is an internationally recognized ISO standard established for evaluating the security of infrastructure technology products. Too bad it takes 3 Service Packs..."
Troll, troll, troll. You are obviously unaware of all the point releases linux distributions make that SUCK. (redhat 7.0 comes to mind)
Allow me to put you on my 'foe' list, mr qnal.
<grub> Reading
And too bad it only takes 1 service pack: they're cumulative in nature. Install Win2k, and if your install media wasn't updated to SP3 already, apply SP3 yourself.
Great day to post this. Only three Windows 2000 Security bullitens posted today!
/ te chnet/security/current.asp?frame=true
http://www.microsoft.com/technet/treeview/?url=
Does the certification include the two security patches downloaded this morning? More IIS roll up patches and an Unchecked buffer in PPTP implementation.
You're only as secure as the next patch...
-ted
I have two Linux boxes and one Windows box, and I happen to see the virtues of both - which is why I find so many of the comments here troubling. First of all, to imply that Microsoft bought this certification is childish at best. Secondly, in the original post, it says "too bad it takes three service packs." Are you telling me you haven't updated your Linux box three times because of vulnerabilities? Linux systems can be insecure too, and to fix them, you need updates. Plain and simple. Don't be stupid.
'nuff said.
~.Evanrude
I haven't been following the seucrity certification for Win2K story, but was it tested with SP1, SP2, etc? Or are you just assuming it would fail without SP3?
Too bad they couldn't stay at 2.4.0 ...
Either you are bitching at M$ because they are not releasing enough bug fixes, then because they do release them (think of the service packs as just the next version, free software constantly get new versions...). Make up your mind, this is silly. Dumb comments doesn't make you neither l33t, nor cool, nor taken seriously.
Just to piggyback, if you use HFNetchk, get thyself QChain which eliminates multiple reboots when installing multiple hotfixes, and Hotfix Reporter, a nice GUI to HFNetChk.
The more relevant point to bring up is the fact that WinDOS applications have a tendency to muck about with the entire system. It seems extremely absurd to associate any sort of ISO standard with OS where such practices are standard.
Nevermind service packs and security fixes, what about actually installing and running applications?
Considering this permissive attitutude regarding updates to system files, it is not all unreasonable to question this certification process.
A Pirate and a Puritan look the same on a balance sheet.
No, it is you that is sadly deluded. Unix machines chug along silently, dependably long enough for those that installed them to forget how to maintain them. Meanwhile, it is NT that is getting exploited by multiple worms and buffer overflow exploits.
Unix simply gets the work done. It gets the work done faster and in larger scale enviroments than any PC based toy running NT can handle.
If you wish to compare Unix to the real VMS (rather than that wannabe NT), you might have a point.
Otherwise, you're just sadly deluded.
A Pirate and a Puritan look the same on a balance sheet.
SE Linux is going for a level 2 and they believe this is even aiming a bit high.
There really isn't anything magic about CommonCriteria Certification or its older brother the NIST certification process. All it takes is money to pay the various fees and the time and effort necessary to guide whatever product you are trying to certify through the process.
Unfortunately this means open source products such as various Linux distributions, OpenBSD, FreeBSD, and NetBSD probably need to find someone to sponsor certification. For commercial Linux distributions like RedHat, SuSE, etc. this sponsorship is likely to come from the vendor or from a partner like IBM, or HP. For free distributions like Debian and the xBSD projects this means they would either have to collect donations or find a sponsor like Google or Yahoo.
It is possible to have opensource based projects certified under CommonCriteria and the NIST standards. Several Linux and BSD based firewalls and security appliances such as the WatchGuard Firebox have been ceritfied.
Happy Fun Ball is for external use only.
Actually, as another response indicated, they got a level 4, which is pretty high. However, they were only certifying, "the Active directory service, Windows 2000's virtual private network (VPN) capability, the single sign-on function, its implementation of network security standard Kerberos, and the Windows 2000 encrypted file system". This means that a whole bunch of other stuff in the OS was left out. This is still good though; it is fairly hard for a company to get a common criteria cert.
The common criteria evaluation methodologies we used were applied to Windows 2000 without using evidence from any previous evaluations.
Yes, it's obvious that they did not actually look at the systems performance.
"We have embraced the Common Criteria evaluation process from its inception..." said Bill Veghte, corporate vice president, Windows Server Group, Microsoft Corp.
We all know what happens to things M$ embraces, wink.
I would not use Win2k to run a dog house and SP3 on win2k is no better than anything they've ever made. Woo-hoo, forced screen savers and other cosmetics on top of system that still has no real users and is more and more owned directly by M$. Why should anyone believe SP3 is any better than any other closed binary junk M$ has been putting out?
What is SAIC's deal? SAIC has a huge infrastructure of hard working and competent techs. Well, as competent as they can be running aroung the worthless web of product famililiarization M$ weaves. Why their management is willing to prostitute them all for M$ is beyond explaination.
Trusted Path, what's that? Give me a break.
Friends don't help friends install M$ junk.
I hate everything about Microsoft and use Gentoo Linux as my main desktop OS. However, when I need Windows I need Windows, so I've had to install Windows 2000 on one of my computers.
Upgrading from a fresh install to SP3 wasn't very difficult at all for me. I downloaded and ran the installer, rebooted, and then promptly turned off the stupid auto-update thingy. It didn't take long at all, and compared to the trouble of repartitioning my drives to make room for a new OS, tracking down ethernet and video drivers, and actually installing the OS, applying SP3 was trivial. Of course, not being an NT guru, there's a good chance that I'm missing something important, but it does seem that people are too quick to badmouth Microsoft.
In fact, as far as Windows goes, Windows 2000 isn't that bad. After installing Mozilla, OpenOffice, and some other goodies, I've got a pretty decent setup. I still think Linux is much, much better for many, many reasons, but not giving Microsoft credit when it's due doesn't do anyone any good.
Steve
All that boils down to the usual "blame the user". At my company we were forced to sign an "agreement" that said employees were accontable for all things done with our login. I objected as it would make me responsible for the actions of others, viruses and any real breach which, of course, I had no ability to avoid. I was told there was no option, sign or be denied computer usage, and not to worry, I'd be treated fairly. The implementing officer told me that they could in no way garuntee that any of the bad things I was able to think of would not happen, but that they had no choice but to do as my company wished. Yes, the implementing officer worked for SAIC which told my company what to do then told me they had to do what they were told.
Any OS with real users can follow those requirements, duh, M$ discovers the multiuser environment. It's too bad M$ has yet to implement real user accounts and other standard good practices and instead beats around with elaborate work arounds. Any reasonable company would know better than to blame the user when their software vendor fails them.
Friends don't help friends install M$ junk.
This brings EAL4 into dis-repute.
not really. You can certify a brick to EAL7. You just have to be choosey about the features you certify. This is the core of CC and the biggest misunderstanding. A rating of EAL4 is meaningless without understanding what was tested. The whole program was not tested and does not need to be for the CC certification.
Under the CC program a vendor supplies the security target to the customer. The customer matches that target against the customer's own target (requirements).
That is what has happened with win2k. MS set out a list of features which were certified to EAL4. The CC is very objective, testing only things which are specified. The number of bugs is irrelevant. The history or poorly written code is irrelevant. These were not features specified in the CC security target for Win2k.
CC does not require "oodles of timestamps, everywhere." Timestamps are only required if certain parts of audit are included in the security target. Although as auditing is a current marketing check box item, audit is usually included in the CC certification.
[i]For linux, as an open source OS, who would pay this[/i]?
The distribution creators, say red hat or united linux. it is not the kernel that is certified, but a certain installation.
Microsoft's marketing department and their press releases sure didn't help. They were all too happy to misrepresent it to mean that NT was somehow "military strength" security (whatever that means).
PJRC: Electronic Projects, 8051 Microcontroller Tools