Slashdot Mirror


Justifying the Common Criteria Security Evaluation

lewko writes "Microsoft has just received a Common Criteria certification for Windows 2000 at Evaluation Assurance Level (EAL) 4. Security experts have been saying for years that the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this. What does it all mean? This paper suggests that Microsoft spent millions of dollars producing documentation that shows that Windows 2000 meets an inadequate set of requirements, and that you can have reasonably strong confidence that this is the case. Microsoft bashing aside, the process of evaluating a security product is relevant to anyone considering the deployment of technology into their environment." The EROS operating system he mentions looks interesting - of course, it also looked interesting three years ago.

168 comments

  1. What's secure? by Moridineas · · Score: 4, Interesting

    Well how much of what is secure? It seems to me that MOST of the security bugs one associates with Microsoft are problems with two programs in particular--IIS and Outlook (Express version only).

    1. Re:What's secure? by bkontr · · Score: 1, Interesting

      I agree that the "secure" definition seems very unclear. It also seems to me that security ratings are very subjective. Is a web server being run, is there a firewall installed, do I have virus protection, and are service packs installed are typical questions that are part of a security program. If properly configured, Windows or most any OS can be secure. In the same vein, if improperly or not well configured, any OS can have a security problem waiting to be exploited.

      --
      "You helped our nation celebrate its bicentennial in 17 -- 1976." --George W. Bush, to Queen Elizabeth, Wash
    2. Re:What's secure? by ender81b · · Score: 2

      Actually, quite a bit more are the result of IE which, since it is embedded into the OS, makes the entire OS not secure. Therefore you can't just say 'Windows 2000 is secure except for IIS and OE' because it isn't. IIRC there have been 9 security patches for IE *this year*, and that doesn't count the individual fixes of vulnerabilities that were taken care of in Service Pack 3, IE Service Pack 1, or the 'cumulative patch for IE 6.0'.

      You really start to notice the vulnerabilities if you install a fresh copy of Win2k and have to patch it up. Takes about 30 minutes and 7-8 reboots. You are partially correct though: the actual Win2k system itself has had very few vulnerabilities; most are due to the add-ons such as IE, OE, and IIS.

    3. Re:What's secure? by ceeam · · Score: 1

      Add to this SQLServer, Office programs and that leaves you with... what?

    4. Re:What's secure? by cscx · · Score: 4, Informative

      since it is embedded into the os

      IE is embedded into Explorer, NOT the OS (i.e. the kernel). You can easily run Windows with a different shell (why?).

    5. Re:What's secure? by Stauf · · Score: 2, Informative

      Well how much of what is secure? It seems to me that MOST of the security bugs one associates with Microsoft are problems with two programs in particular--IIS and Outlook (Express version only).

      Or, y'know, the version of Outlook that was spreading all those nasty worms.... it probably had some holes too.

    6. Re:What's secure? by capnjack41 · · Score: 2, Funny
      problems with two programs in particular--IIS and Outlook (Express version only).

      So is that why I get script monkeys flooding my webserver with crap like this?

      146.83.216.249 - ... "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1003
      146.83.216.249 - ... "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1003

      Didn't need no millions-of-dollars report to convince me!
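      Those two log lines are the classic probes for the IIS command-shell paths, and they are easy to pick out of a web log automatically. The scanner below is an added example, not code from the post or from any project it mentions. The sample log is constructed: the two request paths quoted above are reused as-is, while the timestamps, the third (double-encoded traversal) probe and the benign request are made up, and the marker list is an assumed set of indicators rather than anything the post specifies. It goes slightly beyond the two lines shown by collapsing repeated percent-encoding, so variants such as `..%255c..` are caught as well.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in NCSA common log format. The first two request paths
# are the ones quoted in the post; everything else on these lines is made up.
SAMPLE_LOG = """\
146.83.216.249 - - [20/Nov/2002:10:01:02 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1003
146.83.216.249 - - [20/Nov/2002:10:01:03 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1003
203.0.113.7 - - [20/Nov/2002:10:02:00 -0500] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1003
198.51.100.5 - - [20/Nov/2002:10:03:00 -0500] "GET /index.html HTTP/1.1" 200 2326
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed indicator strings: a request for any of these is an attempt to reach
# a command shell through the web server, whatever status the server returned.
PROBE_MARKERS = ("cmd.exe", "root.exe", "/msadc/")


def normalize(path: str) -> str:
    """Percent-decode until stable (bounded) and fold backslashes/case so that
    ..%255c.. and ../ compare equal."""
    cur = path
    for _ in range(3):
        decoded = unquote(cur)
        if decoded == cur:
            break
        cur = decoded
    return cur.replace("\\", "/").lower()


def classify(path: str):
    """Return the list of reasons a request path looks like a probe (empty if clean)."""
    norm = normalize(path)
    reasons = [m for m in PROBE_MARKERS if m in norm]
    if "../" in norm:
        reasons.append("traversal")
    return reasons


def scan_log(text: str):
    """Parse each log line and keep the ones that match a probe pattern."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a well-formed NCSA line
        reasons = classify(m["path"])
        if reasons:
            findings.append({
                "ip": m["ip"],
                "path": m["path"],
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return findings


def noisy_sources(findings, threshold=2):
    """Source addresses that sent at least `threshold` probe requests."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]:15} {h["status"]} {h["path"]}  <- {", ".join(h["reasons"])}')
    print("repeat offenders:", noisy_sources(hits))
```

      Note that the 404 in the quoted lines does not mean the probe was harmless to everyone: the scanner flags on the request, not on the response, because the same source is usually spraying the request at every host it can reach.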

    7. Re:What's secure? by pVoid · · Score: 1
      Apart from the fact that IE is *not* integrated into the kernel (please stop spreading FUD btw, it makes you look small), can you tell me you can install a Linux build from 3 years ago and run it a-ok without any code updates?

      Win2k is a pretty young OS. It's bound to have patch requirements.

    8. Re:What's secure? by Anonymous Coward · · Score: 0

      IE is integrated into the OS. Microsoft has testified this in court. Are you claiming that they are lying to make themselves look worse than they really are?

    9. Re:What's secure? by jez9999 · · Score: 2, Funny

      Photoshop?

    10. Re:What's secure? by Anonymous Coward · · Score: 0

      Kernel != OS. Internet Explorer (or rather the HTML renderer) is implemented in a userspace DLL which is also used by Windows Explorer, HTML Help, etc.

    11. Re:What's secure? by Anonymous Coward · · Score: 1, Insightful
      You really start to notice the vulnerabilities if you install a fresh copy of win2k and have to patch it up. Takes about 30 minutes and 7-8 reboots.

      You know, after just having to do that this weekend I can second that. I don't want to sound like a Linux fanboy, but I only had to reboot my Debian GNU/Linux system twice when I installed it this weekend, and that was to get it to boot off the hard drive instead of the CD install media. Initial bootup to install media, reboot to complete install with apt-get, reboot the final time to load all the daemons and start X. I could've eliminated the final reboot by just starting the daemons by hand but I decided not to.

      With the Win2k install I had to reboot after the CD was done copying things, reboot again after the initial install was done, reboot again after I installed the SVGA driver for my video card, reboot again after I installed a sound driver, reboot 2 times to get my USB hub recognized, reboot another time after that before it recognized and installed a driver for my USB keyboard and mouse (this is a laptop), reboot again after installing SP3, reboot again to install the IE 6.0 cumulative patch for IE 6.0, reboot again to install DirectX 8.1, reboot again to install Windows Media Player and some other patches that weren't covered by the previous software updates and finally had to reboot again to install a Windows Media Player update to the version I just installed! Then I needed to reboot when I installed the USB scanner drivers to get it to recognize the device. Oh, I forgot I needed to reboot to install the D-link network card drivers for the DWL-650 pcmcia 802.11b adapter. I don't think I needed to reboot to install the USB printer though so that's a plus. Amazing how complicated it is to do a Windows 2000 install and don't get me started on telling me I could've done this in 3 easy steps because you can't. The shit forces you to reboot to "complete installation" and your only option is a reboot button usually.

      Hell, even my Mac running OS X only rebooted one time to install OS X 10.2.2 and another time to install VirtualPC (why it needs to reboot for that is beyond me.. probably some legacy app that is braindead and living in the OS 9 world of rebooting to apply system changes). Since then I've just been closing the lid (laptop) and putting it in standby for weeks.

    12. Re:What's secure? by Ben+Hutchings · · Score: 3, Informative

      What's more concerning than the need to install the security patches is the large number of known and unpatched vulnerabilities, which are still exploitable on most up-to-date Windows desktops.

      I think you shouldn't need to reboot more than twice to install those patches, as the hotfixes can be combined using QCHAIN.EXE.

    13. Re:What's secure? by Anonymous Coward · · Score: 0

      Didn't Microsoft testify in court that IE is part of the OS?

    14. Re:What's secure? by richie2000 · · Score: 3, Insightful
      Apart from the fact that IE is *not* integrated into the kernel

      He never wrote that either. The OS is not the kernel, as Stallman would be more than happy to tell you. You yourself call Win2k an "OS", would you not agree that IE is integrated into Win2k?

      can you tell me you can install a linux build from 3 years ago

      As soon as you can find me a three-year old Linux distro STILL BEING SOLD AS NEW.

      Microsoft could easily have patched their master disc and manufactured new Win2k Server CDs at any time during these three years since the initial release but they have not done so. They are still making and selling software that they know is defective without even a token attempt at fixing the most glaring security holes in their product. In my book, this not only borders on criminal negligence, it's a fucking full-scale invasion over said border.

      Would you take kindly to Ford opening up an old warehouse and selling three-year old Explorers with three-year old Firestone tires labeled as "NEW FROM THE FACTORY"? No? Why not?

      Win2k is a pretty young OS. It's bound to have patch requirements.

      Three years is not young in the OS business (even if you take the time to read the years cited in the copyright notice when it boots). Considering the time and effort that Microsoft spent making it, they should have done a better job.

      --
      Money for nothing, pix for free
    15. Re:What's secure? by Anonymous Coward · · Score: 0

      That would be an acceptable explanation if Microsoft defined an "OS" as "the kernel".

      They don't, and therefore it's not.

    16. Re:What's secure? by Richard_at_work · · Score: 3, Informative

      As soon as you can find me a three-year old Linux distro STILL BEING SOLD AS NEW. Microsoft could easily have patched their master disc and manufactured new Win2k Server CDs at any time during these three years since the initial release but they have not done so. They are still making and selling software that they know is defective without even a token attempt at fixing the most glaring security holes in their product. In my book, this not only borders on criminal negligence, it's a fucking full-scale invasion over said border.

      Hrm, that's funny. I have Win2k Pro CDs here that are naked, or have SP1 already integrated, or have SP1 and 2 integrated. I can choose which CD to use, and I usually go for the latest one. This is also the case with Win2k Server; the ones we have here have SP1 integrated. So you're wrong: buy Win2k (either version) and MS will have done what you are saying they haven't, and upgraded the base OS installed.

    17. Re:What's secure? by Moridineas · · Score: 2

      So is that why I get script monkeys flooding my webserver with crap like this?

      ....yes. If apache has a hole that allows root access, is it the OS's fault?

    18. Re:What's secure? by richie2000 · · Score: 2
      So you're wrong, buy Win2k (either version) and MS will have done what you are saying they haven't,

      OK, I'll admit my copies of Win2k Server are almost a year old now, but both were buck nekkid when I got them from the store. Hm, maybe the cheap, slimy bastards kept old copies on the shelves and sold them off? I wouldn't put it past them - they were bought in Microsoft's personnel shop in Redmond...

      Are your copies regular retail copies or MSDN? If they're retail, I'll happily retract my statements and applaud Microsoft's efforts on this.

      --
      Money for nothing, pix for free
  2. Im at the karma cap... by packeteer · · Score: 3, Insightful

    ... so I will be the one to say what everyone is thinking... "duh?"... We know it's insecure, but what do we do? Should we try to work to get Windows secure somehow or do our own open source thing? Honestly, what good are we going to do with this new info?

    --
    unzip; strip; touch; finger; mount; fsck; more; yes; unmount; sleep
    1. Re:Im at the karma cap... by AftanGustur · · Score: 2
      honestly what good are we going to do with this new info?

      Huh? Like, use it to educate upper management in a civilized manner??

      Sometimes it's like trying to stone them to death with popcorn, but I believe sooner or later there will be enough reasons to "just say no to Microsoft". And when that time comes, they will need as correct information as possible to evaluate the possibilities.

      --
      echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
    2. Re:Im at the karma cap... by Anonymous Coward · · Score: 0

      If only your parents had used a cap we wouldn't have to put up with your bs

  3. What did Linux get? by mferrare · · Score: 2, Interesting

    I know some commercial Unixes are certified to C2 if you have it configured right. What about the Linuxes?

    --
    Why would anyone want to use a text editor that is not vi?
    1. Re:What did Linux get? by tuxlove · · Score: 5, Interesting

      Having helped develop C2 Unix OSes, I can tell you that Linux does not come close. There may be patches for all I know, but for sure stock Linux doesn't cut it. It's not a matter of Linux being buggy or broken; it's just not built to be that secure. I don't recall all of the criteria, but they are quite intrusive and the vast majority of Linux users would find them more than burdensome.

      One example that immediately comes to mind is that "ps" listings can't show other users' processes. Many of the C2 requirements are kind of like that.

    2. Re:What did Linux get? by AftanGustur · · Score: 5, Interesting


      I know some commercial Unixes are certified to C2 if you have it configured right. What about the Linuxes?

      Glad you asked. Some people might look at the fact that Linux doesn't have an XYZ 'certification' as an indication that it is not secure enough to get it.

      In reality, such certifications cost a lot of money and small companies like Red Hat simply can't afford it (they don't make enough money off release X.Y during its market life to justify such an operation).

      What is interesting about this new Windows 2000 certification is that it's for a system that operates in a "safe" environment (i.e. not on the Internet) and Microsoft specifically asked, and paid, for grading at this level.

      Now, you can interpret that as you want, but most of us are probably understanding it as "This is how secure Microsoft thinks Windows 2000 actually is". (Such gradings take a long time (a few years) and I doubt that Microsoft will have another go at a higher grading before the EOPL (end-of-product-life) of Windows 2000.)

      --
      echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
    3. Re:What did Linux get? by debrain · · Score: 3, Interesting

      ISO/IEC 15408 (supersedes the rainbow series, to which CCITA belongs): ACLs, sudo (or equiv.), auditing, non-root'ing (i.e. linux single) boot params, non-transferable FS. All are available for Linux, but more likely you will use or want to use a BSD.

      I don't consider ISO/IEC 15408 machines a burden, especially in lieu of the alternatives; most user-level programs may never tell they are there. As Linux is source, it is trivial (well, insofar as kernel hacking is trivial; maybe 'possible' is a better word) to acquire the necessary options for ISO/IEC 15408. It seems easier to do this with BSDs because they tend to be simpler in design.

    4. Re:What did Linux get? by Zeinfeld · · Score: 5, Interesting
      Glad you asked. Some people might look at the fact that Linux doesn't have an XYZ 'certification' as an indication that it is not secure enough to get it.

      In reality, such certifications cost a lot of money and small companies like Red Hat simply can't afford it (they don't make enough money off release X.Y during its market life to justify such an operation)

      No, Linux would fail evaluation because it does not meet many of the important security requirements. In particular there is no system security guide that describes how to securely configure the O/S in a single place.

      Documentation is a large part of the C2 criteria. Linux simply fails that test. You cannot get certification for a third party guide for good reason, the document has not been reviewed by the engineers who wrote the code.

      It is interesting to note how the Fox News style bias of Slashdot on the security topic gets more hysterical by the month. Could it be because analyst firms like Aberdeen are predicting that Linux will become the poster child for security, and no, they don't think it is more secure.

      So Microsoft get a security evaluation, the slashdot response is to publish the story three times to date, each time claiming that it is further proof that Microsoft's products are insecure. At what point do people ask whether the Slashdot editorial style has more to do with the commercial interests of their employer than an interest in honest journalism?

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    5. Re:What did Linux get? by yomamasbooty · · Score: 1

      Keep in mind that C2 systems are not networked.

    6. Re:What did Linux get? by Oggust · · Score: 2, Informative
      One example that immediately comes to mind is that "ps" listings can't show other users' processes. Many of the C2 requirements are kind of like that.

      I can't see how that would be required for C2 (CAPP in the CC). The old B2 (Structured Protection) was the first level that required covert channel analysis. Granted, that's a pretty obvious covert channel, and you might see it as a kind of quasi-legitimate IPC. In that case the B1 (LSPP) level would require it to follow its normal rules of compartments and levels.

      /August.

      --
      "An object declared as type _Bool is large enough to store the values 0 and 1." -- 6.1.2.5, C99 standard.
    7. Re:What did Linux get? by Anonymous Coward · · Score: 0

      ACLs', sudo, non-rooting boot params, non transferable FS are not C2/CAPP requirements.

      Thorough auditing is. Linux doesn't come close to the level of auditing necessary. While such auditing can be implemented in the kernel at between 0-3% overhead depending on how much you want to audit, the LSM project never intended to implement Linus's idea of a completely configurable security module system that allowed users the choice of any security policy. It was suggested by TLA* to put all of the current security code into a module that would be 'just another LSM module' that would be plugged in as the default. However, major political poopoo stopped that nonsense. Funny thing was, TLA had most of it written when the political powers that be told them to go fly a kite -- it was 'too late' to put such broad changes into LSM (this was summer 2001).

      As was presented at the USENIX Security Symposium this summer, LSM doesn't support Common Criteria CAPP. It was never a design goal of the LSM chiefs to actually support the lowest level of Common Criteria, CAPP with auditing -- the claim was that 'auditing' wasn't a "real security model" since it doesn't actually provide security -- it only provides "trust" -- which is substantially different than security.

      Funny thing was -- they convinced Linus that this LSM thing was 'the bomb'. Like it did everything he chartered it to do. They totally pulled the wool over his eyes because he doesn't know enough about security to recognize a con job. It boiled down to 'if we put in all the changes needed for audit, we'll never get sufficient buy-in from the "kernel developers" (there's that cabal again), so please TLA, will you keep your people quiet.' The TLA team, worried about where they'd find their next job after TLA went under (still in freefall), decided that political schmoozing was the right way to go. After all -- they got their pay either way. Who cares if it wasn't what was best for the company in the long run -- it wasn't likely there would be a company in the long run anyway.

      BSD would be easier to do this with since the person tasked with integrating security is fairly level headed and sane. Linux has a great number of 'egos' running the show that have something to prove. Security takes second place to that -- which may end up being Linux's biggest Achilles' heel when it comes to critical infrastructure machines. So much time was wasted on a "security enhanced" policy that is too critically encumbered by patents to be of any commercial use. People were invited and disinvited to kernel conferences based on personal likes/dislikes rather than technical merit, but like Bill Gates said when told ms-dos was technically inferior to Apple's product: "You don't seem to understand: It doesn't matter".

      TLA* = Three Letter Acronym

    8. Re:What did Linux get? by debrain · · Score: 2

      ACLs', sudo, non-rooting boot params, non transferable FS are not C2/CAPP requirements.

      You are correct in the auditing claim. I suggest you read select sections 4 through 12 of version 2.1 of the CCITA part 2, available at:
      http://www.commoncriteria.org/cc/cc.html

      Most pertinent of these, section 6 "User data protection", will qualify, upon investigation, the statement I have made regarding the necessity of ACLs, sudo, non-rooting boot params, non-transferable FS. (see: FDP_{ACC,ACF,SDI}, and FTP_FLS in S.10.2) Make note that I specified these as sufficient, not necessary.

      I do not understand the relevance of the remainder of your comments, except perhaps the BSD references, which are partly agreeable, but I suspect your perspective is biased. Of all the free software developers I have met, Theo de Raadt of OpenBSD fame is among the more finicky. Thankfully his skill and knowledge compensates more than adequately.
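      What "thorough auditing" in the CAPP sense actually means is easier to see in code than in the argument above. The following Python example is added here and is not from either poster: it models the minimum content that Common Criteria part 2 FAU_GEN.1.2 requires of every audit record (date and time, type of event, subject identity, outcome), FAU_SEL.1-style selection of what to record by event type and by user, and adds a hash chain over stored records so that after-the-fact modification is detectable. The field names, the chain construction, the genesis value and the sample events are this example's own assumptions, not anything taken from the standard or from any real audit subsystem.

```python
import hashlib
import json
from datetime import datetime, timezone

# FAU_GEN.1.2 (CC part 2) requires at least: date and time, type of event,
# subject identity, outcome. The key names below are this example's choice.
REQUIRED_FIELDS = ("time", "event_type", "subject", "outcome")

# Chain value that precedes the first record (assumed convention).
GENESIS = "0" * 64


def _link(prev_hash, record):
    """SHA-256 over the previous link and the canonical record body (minus the link)."""
    body = json.dumps({k: v for k, v in record.items() if k != "chain"}, sort_keys=True)
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class AuditTrail:
    def __init__(self, audited_event_types, audited_subjects=None):
        # FAU_SEL.1-style selection: which event types to keep, and optionally
        # which users (None means every user is audited).
        self.audited_event_types = set(audited_event_types)
        self.audited_subjects = None if audited_subjects is None else set(audited_subjects)
        self.records = []
        self.suppressed = 0

    def selects(self, record):
        if record["event_type"] not in self.audited_event_types:
            return False
        if self.audited_subjects is not None and record["subject"] not in self.audited_subjects:
            return False
        return True

    def emit(self, event_type, subject, outcome, when=None, **details):
        """Record one event. Returns True if stored, False if deselected by policy.
        Raises ValueError if a mandatory field is empty: an incomplete record is a
        defect, not something to store quietly."""
        record = {
            "time": when or datetime.now(timezone.utc).isoformat(),
            "event_type": event_type,
            "subject": subject,
            "outcome": outcome,
            **details,
        }
        missing = [k for k in REQUIRED_FIELDS if not record.get(k)]
        if missing:
            raise ValueError(f"audit record missing mandatory field(s): {missing}")
        if not self.selects(record):
            self.suppressed += 1
            return False
        prev = self.records[-1]["chain"] if self.records else GENESIS
        record["chain"] = _link(prev, record)
        self.records.append(record)
        return True


def verify_chain(records):
    """Return -1 if every link checks out, else the index of the first record
    whose body or link no longer matches what was stored."""
    prev = GENESIS
    for i, record in enumerate(records):
        if record.get("chain") != _link(prev, record):
            return i
        prev = record["chain"]
    return -1


def failed_events(records, event_type):
    """The reviewer's usual first query: every failed event of one type."""
    return [r for r in records if r["event_type"] == event_type and r["outcome"] == "failure"]


if __name__ == "__main__":
    # Constructed sample events.
    trail = AuditTrail(audited_event_types={"login", "object_access"})
    trail.emit("login", "alice", "failure", when="2002-11-20T09:00:00+00:00")
    trail.emit("login", "alice", "success", when="2002-11-20T09:00:05+00:00")
    trail.emit("object_access", "bob", "failure", when="2002-11-20T09:01:00+00:00",
               object="HKLM\\SOFTWARE", requested="write")
    trail.emit("file_read", "bob", "success", when="2002-11-20T09:02:00+00:00")  # not selected
    print("stored:", len(trail.records), "suppressed:", trail.suppressed)
    print("failed logins:", [r["subject"] for r in failed_events(trail.records, "login")])
    print("chain intact:", verify_chain(trail.records) == -1)
```

      The chain only makes tampering visible; it does not stop it, which is why the standard's storage requirements are about protecting the trail from the users being audited rather than about detection alone.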

  4. Any Linux distros EAL4 or higher? by joshua404 · · Score: 4, Funny

    Bueller?

  5. Well by BrianGa · · Score: 4, Interesting

    This kind of certification is a great thing for people running Win2K. But I have to wonder if Microsoft's upgrade cycle will cause those people to lose official support for Win2K unless they upgrade to XP or whatever's next very soon now? A lot of enterprises do a lot of time-consuming testing before they rollout something like Win2K, which is probably the first reasonable OS from MS. It'd be a real shame if all that testing and certification gets thrown out the window because MS doesn't feel its customers are buying upgraded products fast enough.

    1. Re:Well by packeteer · · Score: 3, Insightful

      They are willing to throw out Win98 and WinME but I doubt they will get rid of 2k. They know 2k is better than XP for a lot of things and it would be like shooting themselves in the foot to piss off the current installed base of Win2k.

      --
      unzip; strip; touch; finger; mount; fsck; more; yes; unmount; sleep
    2. Re:Well by Tyreth · · Score: 4, Informative
      It appears that Windows 2000 has mainstream support expiring 31 March 2005, and extended support finally ending 31 March 2007.

      This seems to me longer than the time for which Windows 98 was allocated, but not for server releases. I heard or read somewhere that the lifecycle had been extended, but I could be mistaken. Either way, this gives it another 2-4 years of usage. I'm not sure whether that's useful or not. Product Lifecycles

    3. Re:Well by pVoid · · Score: 1
      You know, I wonder if they'll drop 2k way before XP. The thing is that WinXP is NT 5.1 kernel, (and 2k is obviously NT 5).

      I know there actually are additions to the NT 5.1 kernel (so new Native calls), but I'm wondering if it wouldn't be backward compatible with NT 5.

  6. Millions of Dollars on documentation?! by Kip+Winger · · Score: 1, Interesting

    Even after reading the article, it seems doubtful to me that millions of dollars were spent on creating documents to say that Windows 2000 meets the security criteria. Personally, even though this is Microsoft we're talking about, this seems a bit outrageous.

    --
    - - - - - Fear not the reaper, but my shiny white teeth.
    1. Re:Millions of Dollars on documentation?! by ramzak2k · · Score: 2, Informative

      They quite obviously had to support everything that they were documenting with proof; they probably factored that in.

      --

      Siggy Say, Siggy Do
    2. Re:Millions of Dollars on documentation?! by Anonymous Coward · · Score: 0

      Actually, they admit this themselves... if you read MS's own articles, you would have seen: "Through a multiyear, multimillion-dollar commitment, the Windows 2000 Platform has earned CC certification for Evaluation Assurance Level 4 (EAL4)... blah blah, FUD, blah blah..." There is nothing but documentation to the certification. No actual penetration testing is done.

  7. EROS: The Extremely Reliable Operating System by ball-lightning · · Score: 3, Insightful

    While it sounds interesting, you have to wonder how useful it will be. Microsoft has said itself that Windows wasn't designed to be secure (because they opted for higher functionality, albeit less secure functionality). According to the website, EROS should be completely virus free, because there won't be any way for a virus to work. That sounds a bit like Palladium to me (only certified code runs). Personally, I think that if you install any OS and expect it to be secure off the bat, then you're in for a surprise. Even Linux has vulnerabilities. A properly configured Windows box can be just as secure as any OS, you just have to know the system.

    1. Re:EROS: The Extremely Reliable Operating System by pVoid · · Score: 3, Interesting
      A properly configured Windows Box can be just as secure as any OS, you just have to know the system

      Thank you for saying that out... there is nothing more valuable than a sysadmin who knows his platform.

      I've been hearing a lot of moft-is-not-secure 'proofs' lately... I'm just wondering: has anyone actually proven that the OS is structurally (i.e. by design) flawed?

      A structural flaw for example would be that files have ACLs, but pipes don't. Or something of the sort... *not* that the default out of the box configuration leaves a NULL ACL on the \system32\cmd.exe (that is not a structural problem, it's configuration).

      So long as someone doesn't show real facts when they claim to 'prove' something, it's FUD pure and simple AFAIConcerned.

    2. Re:EROS: The Extremely Reliable Operating System by TheFranz · · Score: 1

      This story ran a while back on /. I thought it is a design flaw like the kind you mentioned.

      http://slashdot.org/article.pl?sid=02/08/06/1828256&mode=nested&tid=172

      so windows is flawed by design, in my opinion at least.

    3. Re:EROS: The Extremely Reliable Operating System by vadim_t · · Score: 1

      It is *very* flawed. This is how you can destroy a Win2K system as a normal user:

      1. Boot Windows 98
      2. Export HKEY_LOCAL_MACHINE to a .reg file
      3. Boot Win2K
      4. Log in as a normal user
      5. Import the .reg file
      6. Reboot

      I did that, and Win2K was never able to finish booting. It got stuck at the blue desktop background and complained about missing entry points in DLLs. If that's not a structural flaw I don't know what it is.

    4. Re:EROS: The Extremely Reliable Operating System by RedGuard · · Score: 1

      It's a bug in the application which runs a privileged process on an unprivileged user's desktop - a properly written application would be unprivileged and use an IPC mechanism to communicate with the service it controls.

    5. Re:EROS: The Extremely Reliable Operating System by RedGuard · · Score: 1

      If you want, you can set a more restrictive ACL on that registry tree. However, I doubt most users need to be prevented from intentionally destroying their systems.

    6. Re:EROS: The Extremely Reliable Operating System by vadim_t · · Score: 2, Interesting

      Users? You need no users for that.

      This means that any program can screw my registry enough to leave the system unbootable. What's the point in running as normal user, then? Just try to rm -rf /etc on Linux. I'm pretty sure that unless you're root it'll still work fine afterwards. And that's how it should be.

      On Linux, if I want to try a suspicious program I can create a new user account and try it there. If I want to be more paranoid I can chroot it and use strace to find what exactly it's doing.

      Now, if in Win2K it's possible to break the whole system as a normal user, where's all that security it's supposed to have?

      Also, what registry tree? I've seen no detailed help files explaining every key of the Windows registry, what it's used for, and what would happen if it had too restrictive permissions. If those permissions are so badly set from the beginning it makes me think the reason is that many programs will break when they're unable to write to some places. If changing those ACLs would give me better security at the cost of breaking half of my programs, thanks, I don't want it. Linux works much better.

    7. Re:EROS: The Extremely Reliable Operating System by ergo98 · · Score: 2, Interesting

      It is *very* flawed. This is how you can destroy a Win2K system as a normal user

      Despite your probable pleas to the contrary, you were not a regular user when you carried that out. Windows has ACLs on virtually everything in the OS (contrary to Linux, for example, with its incredibly large granularity security), and the registry is no exception. The HKLM registry branch has only READ access for anyone but System and Administrators (in some cases also Power Users, which much like Administrators is not an account that you should regularly run under). The registry applications abide by these permissions quite simply because they can't fail not to. I see two possible scenarios here: one, that you were in an account as Power User or Administrator, or two, that there is a complex fault that somehow bypassed the ACLs. I suspect the former as being dramatically more likely.

      Having said that, you weren't actually trying to do that in a serious way, were you? (copying the tree from 98 to 2K) As a sidenote, virtually all Windows variants keep one or more backups of the registry tree, and choosing "last known good configuration" would have fixed it for you immediately.

    8. Re:EROS: The Extremely Reliable Operating System by RedGuard · · Score: 1

      If you run any old crap off the internet then you ought to be more worried about it deleting your personal files than system files which can be restored by reinstalling in 30 minutes.

      Moreover I was wrong to suggest in my earlier
      post that the default ACL would allow full access to HKLM: a clean installation of Windows 2000
      gives the group Users only read access to
      so you must have been either a Power User or an Administrator.

      It is true that there is legacy software that requires running in a more privileged context than is necessary - but by the same token there are Unix programs that require suid root when they don't need it. This doesn't have any bearing on the underlying security of the system, only that users have the choice in both cases to forego some security to run more software.

    9. Re:EROS: The Extremely Reliable Operating System by vadim_t · · Score: 1

      No, I imported it accidentally. Clicked the wrong .reg in the folder.
      The "last known good configuration" didn't help, apparently because I had rebooted several times, because I didn't realize at first what had happened.

    10. Re:EROS: The Extremely Reliable Operating System by vadim_t · · Score: 1

      So how do I know if some of my software is how you call it, "old crap"? Can I chroot it, strace or ltrace it, look in /proc to see what files it has open?

      I do have backups, but restoring data that doesn't change often is much faster and easier than spending a whole day on installing Win2K, then applying all the patches and rebooting 8 times at least, and then reinstalling everything else because every program wants its settings to be in the registry.

      I guess I may have been a power user, definitely not administrator, although I don't know because obviously I had to reinstall it, but I don't remember seeing Win2K warn about power users. I think it said they can install programs, but I never saw a detailed explanation of what security settings are used for them.

      Anyway, it's quite odd. Somehow Linux lets me install programs in my own folder without any problems, and Win2K with all the money MS has still can't handle it properly.

    11. Re:EROS: The Extremely Reliable Operating System by Anonymous Coward · · Score: 1, Informative

      That sounds a bit like Palladium to me (only certified code runs).

      EROS has nothing to do with certified code. The idea of EROS is that you can be handed a program and run it without any fear that it will hurt you, because you will be able to restrict, in very specific ways, how it interacts with the rest of the system. For example, some game you got as an attachment should be able to open up a window and write things to it, and that's about it. It should not be able to, say, read your mail folders, or open up network connections, and with EROS you can be pretty sure this is the case.

  8. Repost by cscx · · Score: 0, Offtopic

    Original available here, but last time we didn't get the privilege of reading Michael's snippy comments at the end.

    1. Re:Repost by silvaran · · Score: 2

      Get a clue. We recognize the win2k common criteria certification was announced before. This post directs us to a paper with an analysis on what the certification means.

    2. Re:Repost by Anonymous Coward · · Score: 0

      Well, it was a whole 18 days ago. When you don't wake up until 3:00 pm, hours seem like days.

  9. Re:The Art of Cunniligus by RealityThreek · · Score: 0, Offtopic

    Umm. I'm pretty sure you are about as off-topic as you can get. Lucky I don't have mod points right now. :P

    --
    :wq
  10. Theo de Raadt by strateego · · Score: 1

    The only way Microsoft(C) can get a secure OS is to throw a ton of money at Theo de Raadt or somebody with his mind set to run a team to continually check Windows code for security problems.

    1. Re:Theo de Raadt by alizard · · Score: 3, Interesting
      The only way Microsoft(C) can get a secure OS is to throw a ton of money at Theo de Raadt or somebody with his mind set to run a team to continually check Windows code for security problems.

      You mean have MS pay Theo and everyone connected with the OpenBSD project enough to persuade them that taking it proprietary and rebranding it Windows XX is A GOOD IDEA, right? Continuously checking Windows OS and applications for security fuckups is too big a job for one person, and probably too big a job for 1,000 persons.

      Would the OpenBSD team sell out for $10 billion and the right to oversee future development?

      Note that this would actually be an intelligent and cost-effective thing for MS to do, even if various code libraries have to be rewritten to avoid the use of GNU code of any sort, so we can take for granted that they'll never think of it for themselves.

      While this is a lot more than MS paid for the rights to what later became MSDOS ($30K, IIRC), times have changed.

      While this breaks compatibility with all MS applications, does anyone actually think anything less has the remotest chance of doing the job? Assuming the job is building a reasonably secure OS that can be made to work with a wide range of applications.

    2. Re:Theo de Raadt by Anonymous Coward · · Score: 0

      This will probably never be an option. Not to be a troll but every modern OS has SMP support, except OpenBSD/NetBSD. They are missing a lot that FreeBSD already has in terms of support, don't even support ACPI and have a horrible threading implementation. Personally I believe OpenBSD just doesn't scale.

  11. Umm... by cperciva · · Score: 4, Informative

    The Common Criteria security standards deal with the design of operating systems, not the implementation. It has been certified that the security system used in Windows 2000 is "well designed"; but this says nothing about how many bugs there might be in the code.

    1. Re:Umm... by miu · · Score: 1

      Patches and upgrades for bugs are much easier to apply than hotfixes that require you to change the way you use the product.

      --

      [Set Cain on fire and steal his lute.]
  12. Breaking "off". by Anonymous Coward · · Score: 3, Funny

    ""Microsoft has just received a Common Criteria certification for Windows 2000 at Evaluation Assurance Level (EAL) 4. Security experts have been saying for years that the the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this. What does it all mean? "

    The computer was off during the test.

  13. Utter nonsense by Safety+Cap · · Score: 1, Interesting
    From the website...
    Although rigorous, these practices do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line.

    An EAL4 evaluation provides an analysis supported by the low-level design of the modules of the TOE, and a subset of the implementation. Testing is supported by an independent search for vulnerabilities. Development controls are supported by a life-cycle model, identification of tools, and automated configuration management.

    In other words, it is paper certification with no substance. "Search for vulnerabilities"? What method do they use? Pound on the keyboard and see if it breaks? I seriously doubt they are looking at the code and verifying that the developers avoided overflow-vulnerable functions. What are the qualifications/skills of the "independent" verifier? MCSE? Code monkey? Nick the Pig?

    Oh and if you use Visual SourceSafe, then you're covered. "Automated configuration management." Hogwash. This no more ensures you have a secure system than Suzi the Secretary checking to make sure you badged in the main door instead of surfing in behind Bob. Sure, it is tough to have a secure system without some kind of ConfigMan, but having one is not sufficient to ensure a secure system.

    Oh, are all your tools identified (shades of ISO-9000!)? Golly, gee that's nice. So, we gonna check to see if all the old Lan Man code (which authenticates without credentials) is out of the current build? No? Oh, not a requirement.

    What a load of tripe. I wonder how much they paid to have this cert. Probably more than an MCSE, and just as worthless.

    --
    Yeah, right.
    1. Re:Utter nonsense by Anonymous Coward · · Score: 0

      Well Microsoft have just been certified as part of the THE INTERNATIONAL JEWISH CONSPIRACY, so this should blend nicely for them.

    2. Re:Utter nonsense by Anonymous Coward · · Score: 1, Interesting

      Concrete lifejackets could get certified under ISO2002, and EAL4 is little better - meaningless numbers, worthless after the first patch applied, and you would be a fool to run windows less 12 months of patches, even negligent.
      Logging and C2, ahem - logging can be turned off.
      BUGTRAQ clearly identifies that the experts are bringing shame and disrepute to the profession, where reasonably skilled 12 year olds perform their basic inspections/tests.

      If 4 out of 7 is supposed to imply 4/7 or 57% - as a manager , I would not fly on a plane 57% reliable, or a car or something a business depends upon.

      Asking Theo or Bruce S, or AC to pick a number has more credibility. The rootkit and COTDCow BO proved a point, that these certification people can't read.

  14. In case of slashdotting, full text, IANAKW, etc by Anonymous Coward · · Score: 3, Informative
    Understanding the Windows EAL4 Evaluation

    Jonathan S. Shapiro, Ph.D.
    Johns Hopkins University Information Security Institute

    By now, you may have heard that Microsoft has received a Common Criteria certification for Windows 2000 (with service pack 3) at Evaluation Assurance Level (EAL) 4. Since a bunch of people know that I work on operating system security and on security assurance, I've received lots of notes asking "What does this mean?" On this page I will try to answer the question. For the impatient the answer is:

    • Security experts have been saying for years that the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this.

    Since that's a pretty strong statement, bear with me while I try to explain it in plain English.

    How a Security Purchase Should Work (In Abstract)

    At the risk of telling you something you already know, here is how a purchaser ought to proceed when buying a security product:

    1. Assess your needs. Determine what your requirements are.

    2. Decide which product you are most confident will meet those needs.

    3. Buy and deploy it.

    Each of these is potentially an involved process, and most customers don't have the expertise to do them effectively. Even if you did, Microsoft (or any other vendor) isn't likely to let you examine their code and design documents in order to evaluate their product.

    The purpose of the Common Criteria process is to develop standard packages of commonly found requirements (called Protection Profiles) and have a standard process of independent evaluation by which an expert evaluation team arrives at a level of confidence for some particular software product.

    As a customer, this makes your life simpler, because you can compare your needs against existing requirements constructed by experts and then see how well the software you are buying meets those requirements. Security requirements are fairly hard to write down correctly, but if the resulting document is annotated properly they aren't all that hard to understand.

    Obviously, if you don't know your needs (requirements) you don't stand much of a chance of getting them met. Likewise, if you don't know what requirements a software product was evaluated against, the evaluation result isn't terribly useful to you in practical terms.

    How Common Criteria Works

    From the customer perspective, a Common Criteria evaluation has two parts:

    1. A standardized requirements specification called a Protection Profile that says what the system is supposed to do. Sometimes there will be more than one of these -- usually a general baseline protection profile and then some others describing additional, specialized requirements.

    2. An evaluation rating. This is basically an investigation by well-trained experts to determine whether the system actually meets the requirements specified in the protection profile(s). The result of the evaluation is an "Evaluation Assurance Level" which can be between 1 and 7. This number expresses the degree of confidence that you can place in the system.

    In order to understand the result of an evaluation, you need to know both the evaluation result, which will be a level between EAL1 and EAL7, and the protection profile (the requirements that were tested). Given two systems evaluated against the same protection profile, a higher EAL rating is a better rating provided the requirements meet your needs.

    Knowing that a product has met an EAL4 evaluation -- or even an EAL7 evaluation -- tells you absolutely nothing useful. It means that you can have some amount of confidence that the product meets an unknown set of requirements. To give a contrived example, you might need a piece of software that always paints the screen black. I might build a piece of software that paints the screen red with very high reliability, and get it evaluated at EAL4. Obviously my software isn't going to solve your problem.

    The Windows 2000 Evaluation

    Microsoft sponsored an evaluation of Windows 2000 (with Service Pack 3 and one patch) against the Controlled Access Protection Profile (plus some enhancements) and obtained an EAL4 evaluation rating. This is most accurately written as "CAPP/EAL4".

    Problem 1: The Protection Profile

    The Controlled Access Protection Profile (CAPP) standard document can be found at the Common Criteria website. Here is a description of the CAPP requirements taken from the document itself (from page 9):

    • The CAPP provides for a level of protection which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security. The profile is not intended to be applicable to circumstances in which protection is required against determined attempts by hostile and well funded attackers to breach system security. The CAPP does not fully address the threats posed by malicious system development or administrative personnel.

    Translating that into colloquial English:

    • Don't hook this to the internet, don't run email, don't install software unless you can 100% trust the developer, and if anybody who works for you turns out to be out to get you you are toast.

    In fairness to Microsoft, CAPP is the most complete operating system protection profile that is presently standardized. This may be the best that Microsoft can do, but it is very important for you as a user to understand that these requirements are not good enough to make the system secure. It also needs to be acknowledged that commercial UNIX-based systems like Linux aren't any better (though they are more resistant to penetration).

    Note that the "Don't install software" part means that you probably shouldn't install a word processor. On several occasions Microsoft has unintentionally shipped CD's with viruses on them. A CD with a virus qualified as "malicious system development."

    Problem 2: The Evaluation Assurance Level

    Having described the requirements problem, I now need to describe the problem of the EAL4 evaluation assurance level that Windows 2000 received.

    As I mentioned before, EAL levels run from 1 to 7. EAL1 basically means that the vendor showed up for the meeting. EAL7 means that key parts of the system have been rigorously verified in a mathematical way. EAL4 means that the design documents were reviewed using non-challenging criteria. This is sort of like having an accounting audit where the auditor checks that all of your paperwork is there and your business practice standards are appropriate, but never actually checks that any of your numbers are correct. An EAL4 evaluation is not required to examine the software at all.

    An EAL4 rating means that you did a lot of paperwork related to the software process, but says absolutely nothing about the quality of the software itself. There are no quantifiable measurements made of the software, and essentially none of the code is inspected. Buying software with an EAL4 rating is kind of like buying a home without a home inspection, only more risky.

    The Bottom Line for Windows 2000

    In the case of the CAPP protection profile, there actually isn't much point to doing anything better than a low-confidence evaluation, because the requirements set itself is very weak. In effect, you would be saying "My results are inadequate, but the good news is that I've done a lot of work so that I can be really sure that the results are inadequate."

    In the case of CAPP, an EAL4 evaluation tells you everything you need to know. It tells you that Microsoft spent millions of dollars producing documentation that shows that Windows 2000 meets an inadequate set of requirements, and that you can have reasonably strong confidence that this is the case.

    Conclusion

    Security isn't something that a large group can do well. It is something achieved by small groups of experts. Adding more programmers and more features makes things worse rather than better. Microsoft has been adding features demanded by their customers for a very long time.

    It is possible to do much better. EROS, a research operating system that we are working on here in the Systems Research Laboratory at Johns Hopkins University, should eventually achieve an EAL7 evaluation rating, and is expected to provide total defense against viruses and malicious code. It won't be compatible, because the most important security problems in Windows and UNIX are design problems rather than implementation problems. In fact, none of the viable research efforts toward secure operating systems are compatible with existing systems.

    It remains to be seen whether EROS or one of the other attempts to build secure operating systems will prevail, but better solutions are coming.

    Jonathan Shapiro is an Assistant Professor in the Department of Computer Science of Johns Hopkins University. He has been working on operating system security and assurance since 1991. His past research has yielded both formally verified security properties and dramatically improved performance results in secure operating systems. His current research focuses on tying these results together into a complete, usable system, and on evaluating and testing the correctness and reliability of the resulting system.

    Dr. Shapiro is also member of JHUISI, the Hopkins Information Security Institute.

  15. Wait.. by dethl · · Score: 0, Redundant

    M$ wasted money to prove their OS has crappy security?!

    --
    "Some fight for law. Some fight for justice. What will you fight for? One day, you will see."
    1. Re:Wait.. by Anonymous Coward · · Score: 0

      What's ridiculous is that Solaris 8 also has an EAL of 4, and some IRIX EALs are at 3.

      This means absolutely nothing.

    2. Re:Wait.. by Anonymous Coward · · Score: 0

      Yeah, maybe if IRIX was more secure, more people would buy SGI's--

      *shakes head*

  16. I was also interested in EROS... by tlambert · · Score: 2

    I was also interested in EROS; unfortunately, at the time, it had a non-commercial-use license, and so I never did anything more than grab it and get it up and running on a single system.

    Now that he's going with an MPL-style license, I guess he might be able to get more people interested. Unfortunately, like the GPL, there is only room for one product in that ecological niche at a time, and Linux is already there.

    While capabilities are an interesting approach, I don't think this really has any bearing on the Microsoft certification, unless the intent of mentioning EROS was to make fun of the certification?

    -- Terry

  17. Auditing Win2k Security by Inexile2002 · · Score: 4, Informative
    Recently I've been working as an IT auditor for an accounting firm, and I've found myself completely at loggerheads for finding a good Win2k audit program for security. (Here I mean program as in a sequence of checks that I follow, not compiled program.)

    The trouble I find is that I'm able to evaluate the level of diligence the IT staff at any given company has taken, I'm able to audit the level of (attempted) compliance to any documented security policy and I'm even able to assess internal security configuration and controls.

    Ultimately though, I'm signing off on audit opinions that ALWAYS say
    "name of firm" has observed adequate Windows 2000 security..."
    and feeling a little sick about it. If we got sued, I could provide documentation proving that I diligently checked security and based on "accepted" business standards the security was implemented at a reasonable level. Basically, I could cover my ass.

    Is there anyone out there that has an audit program for Win2k that they would feel comfortable using to tell the auditors that they can rely on the numbers? Just curious.

    Oh, BTW, the auditors could care less about Common Criteria and even though they're thick as pudding about IT, they're still smart enough to bring in outside people when they need to rely on any computer's numbers.
    1. Re:Auditing Win2k Security by damu · · Score: 1

      A bit offtopic, but this is how I do security around here:

      In my case, I worry about the outside in, not really the inside out.

      1) I run all machines through port scans, and ensure that none of them have the ability to run web/ftp/game servers, ensuring that the machines are not giving out information to the world through open ports, makes me sleep a little better at night.

      2) Scare the living crap out of my users, train them to hell, and constantly remind them of what they can and can't do, let them know about the new virus, the new hack, and how THEY can prevent this from happening to them. Change their passwords often, do not let them leave their computers logged in. And if they are bad, I have permission to strike them down, by removing internet surfing, or other "goodies". etc, etc.

      It is not much of an "audit" but that's the way I do my workstation security around here.

      --


      Useless sig.
    2. Re:Auditing Win2k Security by Anonymous Coward · · Score: 1, Informative

      Have a look at the Win2k Gold Standard. It's a benchmark developed by a number of organisations including the NSA, SANS and the Center for Internet Security. See http://www.cisecurity.org/bench_win2000.html

    3. Re:Auditing Win2k Security by ostiguy · · Score: 2

      Yeah, they have some good stuff. The NSA's guides are more stringent tho - IIRC, the CIS folks recommend 90 day max password lifetime, while NSA sez 42.

      I think for a cleanly wrapped up tool, you need to look at the high end market. There are some free tools that MS provides (MBSA, which is a GUI hfnetchk), and also tools in the resource kits, but no point-and-click tool.

      ostiguy

    4. Re:Auditing Win2k Security by alanjstr · · Score: 2

      Did you try the Center for Internet Security? They have a tool (or manual checklist if you print out the documentation) for Win2k, Linux, Solaris, WinNT, and HP-UX. You can use it to audit your policies as well as instructions on how to lock down your computer. There is also documentation from the NSA (upon which this is partly based) on how to lock down a box a lot better than the default policies.
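
      An added example for the audit question above, not from the thread, from CIS or from the NSA guides: a repeatable Windows 2000 audit pass built only from tools in the base OS (secedit, net, netstat), so the "sequence of checks" leaves files an auditor can attach to the working papers instead of an opinion. The template path, the output directory and the choice of hisecws.inf as the baseline are assumptions; substitute whichever CIS or NSA template you actually adopt.

```batch
@echo off
REM Added example, not from the thread or from CIS/NSA: a repeatable Windows 2000
REM audit pass using tools shipped with the OS. The template, output directory
REM and file names are assumptions; align them with your own baseline.
setlocal
set TEMPLATE=%SystemRoot%\security\templates\hisecws.inf
set OUT=%TEMP%\w2k-audit

if not exist "%OUT%" mkdir "%OUT%"

REM 1. Compare the live configuration against a security template: account
REM    policy, audit policy, user rights, registry and file ACLs, services.
REM    /analyze only reports mismatches in the log; it changes nothing.
secedit /analyze /db "%OUT%\audit.sdb" /cfg "%TEMPLATE%" /log "%OUT%\secedit.log" /verbose

REM 2. Snapshot the local account policy. The thread notes CIS recommends a
REM    90-day maximum password age where the NSA guide says 42; the number
REM    is in this output, so the reviewer can check it against either.
net accounts > "%OUT%\accounts.txt"

REM 3. Record what is listening, which is what an outside port scan would see.
netstat -an | find "LISTENING" > "%OUT%\listening.txt"

REM 4. Record membership of the two privileged local groups. The EROS
REM    subthread above notes that Power Users, unlike Users, can write
REM    under HKLM, so an unexpected member here is a finding.
net localgroup Administrators > "%OUT%\admins.txt"
net localgroup "Power Users" > "%OUT%\powerusers.txt"

echo Results in %OUT%; look for "Mismatch" entries in secedit.log.
endlocal
```

      secedit /analyze compares and reports only; nothing on the box changes. The same template can later be applied with secedit /configure, which is the "instructions on how to lock down your computer" half of the checklist mentioned above. As the thread also points out, this audits the OS configuration and says nothing about holes in IIS or SQL Server running on top of it.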

  18. Other discussions by Tyreth · · Score: 5, Informative
    This was written about on newsforge a few weeks ago. It was a link to the thoughts of Joe Wagner who wrote a rather agitating article about how Windows must be more secure than Linux, because Linux had not obtained this certification, and potentially could not possibly attain it.

    It was followed by a short lived, but lengthy discussion with regular readers of worldtechtribune (including the editor-in-chief apparently) and some other newsforge readers.

    You may or may not find some interesting thoughts, or just more (mis)information.

  19. one basic reason why windows security sucks by Indy1 · · Score: 4, Interesting

    Before you mod me down, I am a network admin that works with both windows 2000 and linux on a daily basis. I am also a certified MCSA (though we all know what we think of certs :) ). Anyways, my #1 reason why i think windows security SUCKS, is that the damn OS has no real firewall built into it! I mean, come on, with win2k you gotta either buy a hardware firewall (cisco pix, etc), or throw a unix box in front of it. And yes, i know XP does have a basic firewall built in, but do any of you want to run a server on XP ? People always bitch at MS for bundling software into their OS, but there's no excuse to not include reasonable packet filter ability in the OS. That's why I believe the only time you EVER put a MS box on the net is if it's behind a NAT or something else that totally hides the box from outsiders.

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
    1. Re:one basic reason why windows security sucks by jonnythan · · Score: 0, Flamebait

      Windows 2000 does have basic packet filtering. It's MCSE, and I don't think MCSA was a typo. You obviously have no idea what it is. I am forced to run our webserver on Win2k at work, and there's no firewall between it and the outside (not my choice). All ports except 21 and 80 are blocked.

    2. Re:one basic reason why windows security sucks by MrBlack · · Score: 3, Informative

      I'm not quite sure what to make of this comment


      It's MCSE, and I don't think MCSA was a typo.


      but there is a microsoft certification called MCSA (like MCSE but harder apparently...).

    3. Re:one basic reason why windows security sucks by Anonymous Coward · · Score: 0

      Unfortunately, it's like MCSE only easier....

    4. Re:one basic reason why windows security sucks by cscx · · Score: 1

      I think you're full of shit. Here's why:

      1. Win2k has packet filtering built into TCP/IP.
      2. ISA server is a proxy/firewall. You can always *buy* it.
      3. Your suggestion of using XP as a server totally broke your credibility.
      4. You can always download a free firewall if you're worried (Tiny Personal Firewall comes to mind).
      5. What gives you the right to claim that you would never put a Win2k box straight on the net, but you would a *nix box? According to CERT, there were three times as many security holes in open source OSes this year than MS. So, personally I'd be more leery of putting a Linux box right on the net than I would an MS box. Nuff said.

    5. Re:one basic reason why windows security sucks by MrBlack · · Score: 2

      I know it's bad form to reply to your own post but....I check microsoft's site after posting my previous comment just to make sure. I had previously thought that MCSA was a super-set of MCSE (like MCSD is a super-set of MCAD) but now I am not so sure....here is a link for anyone that cares to check...
      http://www.microsoft.com/traincert/mcp/mcsa/mcsa_mcse.asp

    6. Re:one basic reason why windows security sucks by Anonymous Coward · · Score: 0, Troll

      You sir are an idiot. He said using XP as a server is a dumb idea. And i refuse to believe you have any credibility yourself as far as that CERT claim. Lets compare severity here, and the fact that windows is only one OS. Adding up all the advisories from every OS and comparing to one doesn't count.

    7. Re:one basic reason why windows security sucks by sheldon · · Score: 3, Interesting

      "I am also a certified MCSA"

      and then later on...

      "People always bitch at MS for bundling software into their OS, but there's no excuse to not include reasonable packet filter ability in the OS."

      Well you've certainly proved one thing. People with certifications can often oversell themselves as experts when they really know very little about the products.

      Psst... I share the bounty of a simple google search.

    8. Re:one basic reason why windows security sucks by b17bmbr · · Score: 1

      I'd be more leery of putting a Linux box right on the net than I would an MS box.

      are you serious? the slapper thing required gcc on the server. what the hell is gcc doing on a server, anyways? also, it affected a tiny percentage of the servers out there, compared to every windows server when a windows hole arises.

      taken as a whole, *nix, and even just linux, security is far better.

      i wouldn't put just any box right on the net. but the difference is this: when you use windows, you roll the dice and hope that microsoft has fixed all the holes, and when a new one arises, they jump to it.

      when you use an open source OS, you can be assured that fixes will come faster and better. i think the SSL hole in IE and konqueror point this out. a fix was out in less than a day for konqueror. m$ wouldn't even acknowledge the hole, then took forever getting around to fixing it.

      it's not so much the OS, but who ya gonna put your faith in...

      --
      My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
    9. Re:one basic reason why windows security sucks by cscx · · Score: 2

      First of all, you shouldn't be using a web browser on a production server.

      Second, it's not the slapper worm that worries me -- it's those constant buffer overflows in this daemon and that daemon, shoot, even the bulletproof BIND just had a vulnerability. I actually trust IIS; I for one always disabled all the script mappings (I didn't need anything beyond ASP support).

      There are ways to properly secure a Windows box, you just need to know what you're doing. (There *are* ways of hotfixing the server w/o browsing to Windows update). And regardless of the OS, you need to keep up on your security updates.

    10. Re:one basic reason why windows security sucks by Florian+Weimer · · Score: 2

      You can use IPsec policies to filter incoming IP packets. IPsec policies apply to normal IP traffic as well. No reboot is required when you change the filter. Works on Windows 2000 and XP.

      (I don't do Windows, but these things are quite well-known, I guess.)

    11. Re:one basic reason why windows security sucks by Anonymous Coward · · Score: 0

      No, there were three times as many CLOSED security-holes in open source OSes.

    12. Re:one basic reason why windows security sucks by Anonymous Coward · · Score: 1, Insightful

      he mentioned browsers as a quintessential example of closed vs. open source patching. though that's really another issue.

      secondly, i'd hardly call bind "bulletproof", given its legendary legacy of remote root exploits. there are other free alternatives, and after this last discovered vulnerability, people are switching in droves.

      unfortunately, iis too has a legendary legacy, prompting this whole stupid discussion.

      i think the real issue here is when you have a homogeneous, ms-only setup (xp on iis, on x86), you're far more likely to be bitten, sooner, than on a heterogeneous system (some random bsd on some crazy big-endian cpu). no, i'm not invulnerable, just less susceptible to nuisance worms if i happen to miss an advisory.

      also take into consideration that all those daemon vulnerabilities you may encounter probably affect a very small portion of the open source population. how many are remote? how many are root? how many are even installed by default? how many would work on a big endian platforms? taken to an extreme, how many would work on a headless netbsd dreamcast running all-chrooted daemons on a read-only filesystem?

      i will agree, however, that if you take the proper precautions and vigilantly harden your machine, you probably won't have any problems regardless of the platform. however i also think that open source software makes that job much, much easier.

    13. Re:one basic reason why windows security sucks by siliconjunkie02 · · Score: 1
      pssst.... IPSec isn't a packet filter. And if anyone wants to bring up the fact that you can restrict certain ports in the TCP/IP properties: it applies to all interfaces, so if you make your webserver accessible only via port 80 you just killed all your remote manageability. The easy answer is a true hardware firewall if you are running lots of servers, or even something as simple as a $59 nat router if it's just one.

      The point is that out of the box you can't say to only allow port 80 connections on a particular interface.

    14. Re:one basic reason why windows security sucks by droyad · · Score: 2

      U hu, and you don't call ISA a firewall? It comes bundled with SBS 2000.

    15. Re:one basic reason why windows security sucks by AKnightCowboy · · Score: 1
      Anyways, my #1 reason why i think windows security SUCKS, is that the damn OS has no real firewall built into it!

      So turn on Win2k's packet filtering or get Tiny Personal Firewall. Plenty of our Win2000 admins use that as a host firewall. It still doesn't fix the real problem though since most attacks against Windows are application layer attacks these days. It doesn't help to have a firewall on the system when you root the box through IIS holes (been there, done that, wiped and reinstalled for the trouble). All the firewalls in the world are not going to help you unless the applications and servers you're exposing to the world are secure. Win2k can get the most stringent security certification in the world for all I care but if it is all nullified by turning on IIS or SQL server (which is usually the only reason the clueless admins use it as a server) then it doesn't mean much.

    16. Re:one basic reason why windows security sucks by ostiguy · · Score: 2

      The IPSec filtering is pretty lame. There is no logging capability, and when I tried bulk loading enormous rule sets, it choked. It is an interesting hack, and might be used for odd scenarios, but as a general production tool, nope.

      ostiguy

    17. Re:one basic reason why windows security sucks by Permission+Denied · · Score: 2
      "...there's no excuse to not include reasonable packet filter ability in the OS."

      Psst... I share the bounty of a simple google search.

      The little IPSec hack does indeed allow you to do firewall-type stuff (ooh, you can filter based on IP addresses!), but by no means can it be considered "a reasonable packet filter ability." It is not a stateful firewall. It's not even close to a stateful firewall because you can't filter based on various headers. FWIW, it won't filter based on device (although I've never seen a multi-homed Windows box). It won't filter broadcast or multicast traffic. Also, it won't filter based on the originating program on the local machine (something very popular in Windows host-based firewalls but which I've never used as I work primarily with Unix machines and network devices). I don't have a windows box handy at the moment so I can't verify this, but I don't think it will even log blocked packets, not to mention allow you to specify what to log.

      The little IPSec hack basically sucks as a firewall. However, it's better than nothing - you can restrict all the MS networking stuff to originate only from within your organization, which means many fewer boxes are rooted by the irc kiddies (various political reasons why we can't implement such a policy at the organizational level, which is what I'd like to do). Not something to rely upon, but it does slow down the rate of compromises to a manageable rate.

    18. Re:one basic reason why windows security sucks by yomamasbooty · · Score: 1

      What chu talkin bout Willis?

      w2k does have a packet filter. It's located under the "security profile." I am using it right now and it is configured to only accept sshd (Cygwin of course), and blocks all netbios. I also use it for creating IPSEC tunnels to other servers. The only part I don't like is that there is no good logging for it. In other words I can't track the traffic that I have blocked. It's no iptables, but it does a good job in helping secure a networked device.

      How did you get MCSA certified without knowing this? RTFM

    19. Re:one basic reason why windows security sucks by sheldon · · Score: 2

      If you want a firewall then buy Firewall-1 from Checkpoint and install it on your Win2k server.

      Again, something the original poster claimed didn't exist.

    20. Re:one basic reason why windows security sucks by mr17hz · · Score: 1

      I'm having a hard time following what's being argued here. Windows 2000 is an OS - they don't claim that it comes with a firewall. I don't see how you can judge a software product based off the statement "They are not doing what they never said they would do". So Linux and various other operating systems come with a firewall; we're not arguing price, we're arguing security. Any security expert knows not to implement a Windows 2000 server that's not behind a firewall. Purchase the one you like best, or use one that's available at no cost. You get what you pay for; it's up to you to take into consideration a solution's cost before deploying it.

  20. Shooting at the Wind by divide+overflow · · Score: 4, Insightful

    Given that Microsoft constantly modifies shared portions of its Operating Systems via Service Packs, Windows Update, and while installing new applications...well, precisely how meaningful is any declaration of the security of a given Microsoft OS? Just tracking WHAT you have on a given Windows box is enough to make most sysadmins break out in hives.

    If you have any software configuration that strays more than trivially from the one tested for security, then the certification isn't really relevant.

    1. Re:Shooting at the Wind by Anonymous Coward · · Score: 0

      In a world where M$ has given itself the right to update your Windoze installation this security evaluation is instantly worthless.

  21. Firewall by Whibla · · Score: 1

    Sorry?

    What is ISA server?

    (Other than a misleading - Acceleration?)

    1. Re:Firewall by Anonymous Coward · · Score: 0

      Internet Security & Acceleration. Sequel to Proxy Server.

    2. Re:Firewall by Whibla · · Score: 1

      Hmm!

      I guess I should be a little more careful with what I consider humour / sarcasm.

      I do actually know what ISA stands for, and what it does, and how to configure it, and how to break it too...

      Not that anyone here needs to know this, but this clarification makes me feel better at least.

  22. My Bathroom Door . . . by D+iz+a+n+k+Meister · · Score: 4, Funny

    is CAPP/EAL4.

    It protects me against threats of inadvertent or casual attempts to breach the system security, like people walking in while I'm, uhh, ya know.

    Of course it does nothing when someone disables the lock or tries to kick the door in.

    --

    He painted a unicorn in outer space. I'm askin' ya, what's it breathin'?
    1. Re:My Bathroom Door . . . by Grail · · Score: 2

      Either of those actions void the basic assumptions of the CAPP (pdf) - in particular, A.NO_EVIL_ADM and A.COOP.

      A.NO_EVIL_ADM is the assumption that noone is trying to break the system.

      A.COOP is the assumption that everyone using the system is working in harmony to support the aims of the system.

    2. Re:My Bathroom Door . . . by Sri+Lumpa · · Score: 4, Funny

      " like people walking in while I'm, uhh, ya know."

      Masturbating?

      For this kind of use you may want more security like that provided by a combination of bedroom_door and blanket. This combination both prevent accidental security breach (when bedroom_door is secured) and allows you to secure your assets when security is breached by providing a camouflaging apparatus (blanket or similar) while you securely hide your data.

      --
      "The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers." Bill Gates,
    3. Re:My Bathroom Door . . . by FurryFeet · · Score: 2

      To increase functionality, I'd also include a honeypot. Implementation is left as an exercise to the reader.

  23. I've noticed an interesting concept... by C0LDFusion · · Score: 4, Insightful

    ...that Microsoft is more concerned with protecting its software from the "evil pirates" who made Windows and Linux big, than they are about keeping our critical information secure. Great, they can lock you in jail for 20 years because you gave your friend a copy of Word XP, but they won't lift a finger to keep REAL CRIMINALS from hijacking your identity.

    Microsoft more than anything has pissed me off over their threat ads in certain areas. If you haven't heard them, I'd encourage people to find a way to hear them. They are shocking in their brazen "Stop being a criminal or we'll make you our woman and you'll like it." attitude.

    Microsoft has been proven to be the sham it is, even by the government. When the US Government, the most incompetent bureaucracy in existence, says that you suck...man, you have to seriously do some soul-searching...if Gates even has one.

    --
    Only in slashdot are posts of solidarity modded at -1 Redundant, while posts of antagonism are modded as -1 Flamebait.
    1. Re:I've noticed an interesting concept... by Anonymous Coward · · Score: 0

      Guess Solaris is responsible for the same attitude towards security. Solaris 8 is EAL 4 as well.

  24. Where do you draw the line? by SlashChick · · Score: 5, Insightful

    "...[Windows 2000] has no real firewall built into it!"

    Where do you draw the line? Microsoft is stuck between a rock and a hard place here. On one hand, if they don't put in a firewall, people will complain that they have to buy additional software or hardware to secure the OS (which is true.) On the other hand, if Microsoft does add a firewall, Norton, Symantec, and 50 other "personal firewall" software makers would scream bloody murder: "Microsoft is leveraging their OS monopoly to put us out of business!"

    I'd guess the crappy firewall built into XP is a sort of compromise. On one hand, you don't want millions of unsecured Windows boxes running around on the Internet. So Microsoft surreptitiously adds an incoming-packets-only firewall to XP. Sure, it's a crappy firewall, and it doesn't offer real protection. But it keeps the firewall software makers at bay, and it keeps Microsoft out of the Justice Dept. gray area.

    Most sysadmins would buy a hardware firewall or dedicated NAT device with firewall anyway... so at least in corporate settings, that problem is solved. Really, it's going to be tough for Microsoft to add any decent programs to the OS at this point, since they've already been found guilty of illegally bundling Internet Explorer. I'd watch for more stuff to be attached to Office or offered as a free download instead.

    1. Re:Where do you draw the line? by PSUdaemon · · Score: 1

      A packet filter should be considered part of the OS. In Linux it's part of the kernel, I'm not sure if it's userland or not in BSD, but regardless, a packet filter is much more a core OS component than a browser...

      They can even steal BSD's if they wish!

  25. Linux has had more security flaws this year by Anonymous Coward · · Score: 0

    This should be taken with a grain of salt, but Linux has had more security holes than Windows in 2002.

    Fact is, if you want the most security, you have to go OpenBSD AND know how to configure it. Then again, knowing how to configure any of those operating systems properly might help.

    1. Re:Linux has had more security flaws this year by Anonymous Coward · · Score: 0

      it's sad that you had to post that as an AC.

  26. only secure when it's powered down by zrodney · · Score: 2, Funny

    A properly configured Windows Box can be just as secure as any OS, you just have to know the system

    yeah, right. only when both systems are turned off

    1. Re:only secure when it's powered down by WhiteKnight07 · · Score: 3, Insightful

      While I see the humor in your comment, and you are right, he does have a point. Win2k/XP boxes are quite secure once you configure them properly as long as you don't use certain software on them. *cough*ISS*cough* The problem is that compared to *nix relatively few users know how to secure their systems. Windows falls victim to its own design in the respect that it is designed so that people can use it without much knowledge of the internal workings of the system. So you get lots of people who know just enough to use it but nowhere near enough to secure it properly, who promptly run around the net with unsecured boxes by the thousands. Linux requires the user to learn more about the inner workings of the system and as such that user is better equipped to secure his or her box. Linux's steeper learning curve makes it inherently more secure by creating a more knowledgeable user base, while Windows's ease of use creates an inherently more ignorant, and thus less secure, user base. Sure IE's integration into explorer doesn't help, and neither does Outlook's idiotic attachment handling, but it's actually the primary goal of the Windows design team, ease of use, that is Windows's greatest flaw. Without a knowledgeable user, no OS is really all that secure. Although the security-minded way that *nix is designed does help it quite a bit.

      --

      We're going to make information free Mr. Anderson, whether you like it, or not.
    2. Re:only secure when it's powered down by mencik · · Score: 1

      Turning them off would be a "denial of service".

  27. Security comes thru process not via a program by Kenneth+Stephen · · Score: 2

    I don't know why you are feeling uncomfortable with your methodology. What you are doing is exactly what needs to be done. There is no one program or set of programs that can be run to assess the security level of any organization. The best that can be achieved is to take a snapshot in time of the currently known security exposures and then check to see whether there are defenses against the exposures. However, this doesn't guarantee that new exposures are covered. The only way one can have an assurance that future exposures will be covered is by examining the process that the organization has and the level to which the process is being followed.

    Now, why exactly do you think that this only results in "adequate" security measures? Strike out Win2000 in your post above and replace it with Linux / Solaris / whatever you think is secure. What could you do when auditing installations of those operating systems that you aren't already doing for Win2000?

    --

    There is no such thing as luck. Luck is nothing but an absence of bad luck.

    1. Re:Security comes thru process not via a program by Inexile2002 · · Score: 3, Insightful

      Sorry, auditing-specific terminology there is going to sink me. An audit program is usually a 2 to 20 page document (average 5-ish pages) that consists of a series of questions to ask, things to check and what documentation to request. You follow the audit program and you can prove your audit opinions.

      So, if I find shitty security (doesn't matter what OS) I report on it. If I'm satisfied, I report on it.

      Problem I encounter is that for Win2K, I haven't found a good audit document (program) yet. So even if there is great Win2K security (which ALWAYS means it's bundled in with other security, and ALWAYS means they have a good security policy), I have a hard time proving it. Similarly, when I find bad Win2k security and am called on to prove it (proof in an audit opinion sense, not the same as trying to explain active directories to senior management) I have a hard time.

    2. Re:Security comes thru process not via a program by flonker · · Score: 3, Informative

      If you're looking for checklists, Microsoft has some available. But if you've been looking, you're probably aware of them. Nevertheless, I used them when securing my network.

  28. There are real, secure, systems out there. by Animats · · Score: 5, Informative
    Check out the NSA-approved secure systems list. Operating systems have been built in the past that met reasonably stringent criteria, but few current mainstream systems are on that list.

    Vendors hated NSA's old rating process. The standards were tough, NSA did the evaluations themselves, and you only got two tries to pass. After the first evaluation, NSA told you what was wrong. If you failed on the second try, that was it - you flunked. Worst case, NSA listed your product as "Class D - This class is reserved for those systems that have been evaluated but that fail to meet the requirements for a higher evaluation class."

    Later, the process became much more "vendor friendly". Evaluations are performed by outside contractors, and vendors can submit their software over and over and over again until it passes. Microsoft used this process to push NT 4 through. It took years. The evaluation process is controlled by the vendor, and there are no public reports of failure.

    The "common criteria" are rather weak, down near the bottom of the old NSA criteria. And the evaluation process is almost totally under vendor control, although it does have to be performed by an outside contractor acceptable to the Government.

    There's better stuff out there. Currently, the most secure OS certified is the Wang XTS-300. This is certified to level B3 of the old Red Book criteria, which is about four notches above the level Windows 2000 just reached. Various FBI and DoD systems use Wang XTS-300, which is on Wang-built Pentium II and III systems. Wang is gone, but the product has been taken over by Getronics, which keeps a low profile.

    Read the data sheet for the XTS-300. It's UNIX-like, but very different inside.

    Coming soon, the XTS-400, which runs Linux apps.

    These secure systems enforce a "mandatory security" model. Data has a security level, an integrity level, and a list of compartments to which it belongs. Movement downward in security level or upward in integrity level is prohibited, as is movement out of a security compartment or into an integrity compartment. This is very restrictive, but it's the only approach known to have any chance of really working.
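
    The lattice rules in this post (no move down in secrecy level, no move up in integrity level, no move out of a secrecy compartment, no move into an integrity compartment), as an added Python illustration that is not code from the XTS-300 or from the post; the level names, compartment names and sample labels are constructed for the example.

```python
"""Added illustration of the lattice-based mandatory security model
described above. Not code from the XTS-300 or any product; the level
names, compartment names and sample labels below are constructed."""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Iterable, List, Set


class Secrecy(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class Integrity(IntEnum):
    UNTRUSTED = 0
    USER = 1
    SYSTEM = 2


@dataclass(frozen=True)
class Label:
    """Security label carried by every subject (process) and object (data)."""
    secrecy: Secrecy
    integrity: Integrity
    compartments: FrozenSet[str] = frozenset()            # secrecy compartments
    integrity_compartments: FrozenSet[str] = frozenset()  # integrity compartments


def flow_violations(src: Label, dst: Label) -> List[str]:
    """Rules an information flow src -> dst would break; empty means allowed."""
    problems: List[str] = []
    if dst.secrecy < src.secrecy:            # data may not move down in secrecy
        problems.append(f"secrecy write-down: {src.secrecy.name} -> {dst.secrecy.name}")
    leaked = src.compartments - dst.compartments   # may not leave a secrecy compartment
    if leaked:
        problems.append("leaves secrecy compartment(s): " + ", ".join(sorted(leaked)))
    if dst.integrity > src.integrity:        # data may not move up in integrity
        problems.append(f"integrity write-up: {src.integrity.name} -> {dst.integrity.name}")
    entered = dst.integrity_compartments - src.integrity_compartments  # may not enter one
    if entered:
        problems.append("enters integrity compartment(s): " + ", ".join(sorted(entered)))
    return problems


def flow_allowed(src: Label, dst: Label) -> bool:
    return not flow_violations(src, dst)


def can_read(subject: Label, obj: Label) -> bool:
    # Reading moves data from the object into the subject.
    return flow_allowed(obj, subject)


def can_write(subject: Label, obj: Label) -> bool:
    # Writing moves data from the subject into the object.
    return flow_allowed(subject, obj)


def reachable(start: Label, labels: Iterable[Label]) -> Set[Label]:
    """Labels that data at `start` can reach through any chain of permitted
    flows. The rules form a lattice, so chaining flows through intermediate
    labels cannot launder data to a place a direct flow would forbid."""
    labels = list(labels)
    seen = {start}
    frontier = [start]
    while frontier:
        cur = frontier.pop()
        for lab in labels:
            if lab not in seen and flow_allowed(cur, lab):
                seen.add(lab)
                frontier.append(lab)
    return seen


# Constructed sample labels.
ANALYST = Label(Secrecy.SECRET, Integrity.USER, frozenset({"NUCLEAR"}))
TS_DOC = Label(Secrecy.TOP_SECRET, Integrity.USER, frozenset({"NUCLEAR"}))
PUBLIC_LOG = Label(Secrecy.UNCLASSIFIED, Integrity.USER)
DOWNLOAD = Label(Secrecy.UNCLASSIFIED, Integrity.UNTRUSTED)    # untrusted input
BOOT_CONFIG = Label(Secrecy.UNCLASSIFIED, Integrity.SYSTEM,
                    integrity_compartments=frozenset({"BOOT"}))
INSTALLER = Label(Secrecy.UNCLASSIFIED, Integrity.SYSTEM)      # SYSTEM, but not in BOOT
ALL_LABELS = [ANALYST, TS_DOC, PUBLIC_LOG, DOWNLOAD, BOOT_CONFIG, INSTALLER]

if __name__ == "__main__":
    checks = [
        ("analyst reads TOP SECRET doc", can_read(ANALYST, TS_DOC)),
        ("analyst writes TOP SECRET doc", can_write(ANALYST, TS_DOC)),
        ("analyst writes public log", can_write(ANALYST, PUBLIC_LOG)),
        ("analyst reads untrusted download", can_read(ANALYST, DOWNLOAD)),
        ("installer writes BOOT config", can_write(INSTALLER, BOOT_CONFIG)),
    ]
    for name, ok in checks:
        print(f"{name:35s} {'allowed' if ok else 'DENIED'}")
    print("labels untrusted data can reach:", len(reachable(DOWNLOAD, ALL_LABELS)))
```

    Note that the analyst may write upward into the TOP SECRET document but not read it, and that untrusted data cannot reach any other label at all; that asymmetry is the restrictiveness the post describes.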

    1. Re:There are real, secure, systems out there. by Student_Tech · · Score: 2, Interesting

      It is interesting to read about the concept of rings, with the main kernel sitting in the innermost ring. I know that some of the computers my dad worked on out at Hanford were Primes that had some concepts of rings, with the innermost being the highest up on the privilege levels. Not exactly the same I don't think, but this was many years ago.
      (Hey, just went looking, looks as if Primos Revision 21.0.1DODC2A got to the C2 level, so maybe this is more similar than I think)

    2. Re:There are real, secure, systems out there. by Animats · · Score: 3, Insightful

      Rings come from Multics. 1960s technology. IA-32 machines have ring hardware, but few operating systems use it.

    3. Re:There are real, secure, systems out there. by Oggust · · Score: 2, Insightful
      C2 is about the same as CAPP/EAL4, except in the old TCSEC system instead of the new common criteria.

      B1 systems have mandatory access control, and is a lot like the new LSPP profile in CC. B2 introduces covert channel control, which IMHO is overkill, mostly. (Not to mention practically unsolvable.)

      Higher would be nice, of course, but I'd settle for an LSPP system with really good assurance!

      /August

      --
      "An object declared as type _Bool is large enough to store the values 0 and 1." -- 6.1.2.5, C99 standard.
    4. Re:There are real, secure, systems out there. by karlm · · Score: 3, Informative
      Linux, *BSD, and the NT branch of Windows use rings. (The Windows 95 branch may have also used rings, I'm not familiar at all with Win 95 internals.) I'm not aware of any *NIX whose kernel doesn't run in ring 0. User apps run in ring 3. You can't make a function call (or other jump or branch) into a lower ring, but instead you need to use an interrupt. Some instructions are also unavailable in certain rings.

      Without hardware enforcement of the abstraction barrier, your user space code could jump into the kernel at spots right after privilege checks, or could manipulate the MMU and get raw access to every device and every memory location. This would make privilege escalation trivial.

      As long as you have 2 (properly designed) rings supported by hardware, you can emulate as many rings as you want, but you'll pay a performance hit.

      One important note is that all XBox code runs in ring 0 and in a single address space (unless a developer goes WAAYYY out of their way). This is for performance reasons, but if there's an exploitable buffer overflow in a game, it's more than a "root" exploit, it's a kernel exploit. (Yes, both Linux and WinXP allow superusers to modify the running kernel, so the distinction is moot in these cases.) This would allow for a software "mod chip".

      --
      Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
  29. Any OS can be secure... by screamingelectron · · Score: 0

    Any OS can be secure, just unplug it from any external connection. Problem solved...

  30. Get the Govt. to Upgrade to Win2k by T4D · · Score: 5, Insightful

    There is really only one reason why MS went through all the trouble to get Win2k certified at CC-EAL4 (equivalent to Orange Book C2). MS wants the government to upgrade to Win2k. Until now, many government sites would only use NT4.0 SP6a because that was the latest MS OS with the C2 certification. But now that Win2k SP3+ has received the C2-equivalent EAL4 certification, the government will be free to use Win2k on many of their systems without violating any security regulations.

    The CC certification does not prove that Win2K is free from security related bugs, nor does it realistically prove that Win2k is secure. All it does is prove that Win2k, in certain configurations, adheres to the requirements of an EAL4 rated protection profile.

    1. Re:Get the Govt. to Upgrade to Win2k by Anonymous Coward · · Score: 0

      Wasn't the NT4 certification contingent on the PC not being connected to a network? Doesn't sound like something modern government offices could find useful ;)

  31. There are no sufficient conditions in security by Squeamish+Ossifrage · · Score: 5, Insightful

    You're right, but...

    There is nothing which *would* constitute a sufficient condition for security. You can't check any particular property, of the product or process, and say "Yup, it's secure." We should all know that by now. In general, the closest we come is to haul out a long list of known mistakes (the absence of which is a necessary but not sufficient condition) and hope not to find them.

    It's also helpful to remember that the Common Criteria don't try to define a reasonable security certification. What they do provide is a list of things which might be interesting and ways of measuring those things. It's up to the "end user" to choose which things are important to them (define a protection profile).

  32. EROS / EAL4 by Crasoum · · Score: 1

    On one hand it seems interesting that one can potentially have something that "can be built to do exactly what it should and no more", but with that comes the problem (headache perhaps?) of the reauthorization of every new executable/binary/process etc. that was not initially thought up during the install process. Now with persistent processes, what if one "allows" a program that is initially thought of as secure, then it is discovered that it has a horrible bug that compromises the system? Does it stop the unwanted processes, or does it allow them because the permission is already set to, with the idea in mind that if you think something is secure, it is.

    Although a good idea, it can also stop one from doing some interesting things, for instance, using your web browser to look at pictures. You can easily use a Picture editing program like Gimp to view it, or you can use an image previewing device, which both are made to look at pictures, or your web browser, which is made to look at information in general that is online, but not necessarily used to preview pictures.

    Now with EAL4, that is equal to Symantec Enterprise Firewall (Which of course means crap if you know the flaws that are within the coding structure)

    But it means EAL4 requires more thorough design description, a subset of implementation, and improved mechanisms and/or procedures that provide confidence that the TOE will not be tampered with during development or delivery

    That leaves the impression that as long as only the developers and the beta testers have it, it could be rated EAL to the highest power... even after all the flaws are discovered.

    Moot point..

    Of course I am probably not seeing the whole picture, and am totally wrong...
  33. Forgive my ignorance... by MoThugz · · Score: 4, Interesting

    but who the hell are the CommonCriteria folks, and why must I give a shit what they think of whatever OS?

    The above is an honest question, if you can't elaborate clearly, please don't even bother to reply.

    Thank you.

    1. Re:Forgive my ignorance... by scarpa · · Score: 1

      Common criteria = I have a set of requirements, same as a lot of others.

      In this case, the requirements were themselves inadequate for a net connected system, and MS did a half assed job of meeting them.

      The news is not really about MS, but about a method of evaluating complex software products.

    2. Re:Forgive my ignorance... by Ektanoor · · Score: 2

      Hmmm... Good statements you made here about them... Don't be admired that they'll be ringing your bell soon...

      Common Criteria is a set of security standards sponsored by such kind organisations as the NSA and its cousins from UK, Germany, France, Netherlands and maybe more.

      So pack the bags, kiss the cat goodbye and run...

    3. Re:Forgive my ignorance... by karlm · · Score: 4, Informative
      I had an internship at a startup that originally planned on getting CC certification for a product of theirs.

      The Common Criteria replace the old NIST "Orange Book" specifications.

      The CC is a certification standard set up by the NSA, NIST, and some European counterparts. It has an ISO number, too. It can be applied to any computer system (an OS, a browser, a PCI card) as long as you can clearly define the system boundary. The criteria keep talking about the target of evaluation (TOE) instead of calling it an OS, although most commonly you hear about CC being applied to OSes.

      When you submit something for CC evaluation, you submit a very specific system with very specific configurations. Anything outside this narrow set of configurations isn't certified. The CC primarily look at design and documentation, so things like buffer overflows don't enter into the equation. At the highest level (EAL 7), you need all kinds of (mathematical) demonstrations and proofs of sound design (probably mostly involving graph theory). At the lower levels, they require less rigorous proofs and demonstrations. Basically there are a bunch of feature lists in the criteria and you need to convince the certifier that you have the required features. Good admin/user documentation and configuration tools are a big part of the CC. If it's secure, but not well documented how to keep it secure, you can forget it.

      It's expensive to submit a system for certification, so even if the SELinux documentation and config tools were up to par, it'd be unlikely anyone would pony up the cash to get it evaluated. In terms of software features, I think SELinux could conceivably be EAL 4 or quite possibly higher.

      --
      Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
  34. Compare with the Orange Book by Dynamoo · · Score: 3, Informative
    What are the qualifications/skills of the "independent" verifier? MCSE? Code monkey? Nick the Pig?

    The sort-of-precursor to the CC, the DOD-5200.28-STD (Orange Book) specified exactly who needed to be in the testing team. For "Division C" (Windows NT 4.0 is rated C2):

    10.1.1 Personnel
    The security testing team shall consist of at least two individuals with bachelor degrees in Computer Science or the equivalent. Team members shall be able to follow test plans prepared by the system developer and suggest additions, shall be familiar with the "flaw hypothesis" or equivalent security testing methodology, and shall have assembly level programming experience. Before testing begins, the team members shall have functional knowledge of, and shall have completed the system developer's internals course for, the system being evaluated.

    10.1.2 Testing
    The team shall have "hands-on" involvement in an independent run of the tests used by the system developer. The team shall independently design and implement at least five system-specific tests in an attempt to circumvent the security mechanisms of the system. The elapsed time devoted to testing shall be at least one month and need not exceed three months. There shall be no fewer than twenty hands-on hours spent carrying out system developer-defined tests and test team-defined tests.

    For higher security classifications, the qualifications of the testing team get higher. For Division A you need at least one individual with a bachelor's degree in Computer Science or the equivalent and at least two individuals with masters' degrees in Computer Science or equivalent.

    So, Safety Cap's point is well made - the method of testing and the personnel carrying it out is just as important as the technical criteria.

    --
    Never email donotemail@WeAreSpammers.com
  35. Why you should care by joeflies · · Score: 5, Informative
    Common Criteria, in layman's terms, is a group of security requirements that state a given security product has a given set of features. It is not an easy process to get Common Criteria certified (and it isn't cheap for the vendor).

    In essence, like the author stated, many people are substituting education about security issues with Common Criteria certification. However, if the customer doesn't know what they want, or if they don't understand what Common Criteria does and DOES NOT check, then the customer still has no idea what they are getting. And like the author, I sometimes wonder if Common Criteria certification short cuts the basic security background required to write an RFP and replaces it with a check box for an EAL.

    In particular, if you work on or sell a security product and want to sell to government or the European Union, it must be Common Criteria certified. What the certification proves, however, is up to the interpretation of the person implementing the product.

  36. The problem with your argument by D+iz+a+n+k+Meister · · Score: 1

    is that you assume, in the form of (anecdotal) history, exactly what you set out to prove.

    --

    He painted a unicorn in outer space. I'm askin' ya, what's it breathin'?
  37. I posted as AC because... by Anonymous Coward · · Score: 0

    ...it will get modded down anyway. Everyone knows this, it's been submitted as a story and rejected summarily, and /. editorial staff will bury it in their zealousy.

  38. More risky? by Dog+and+Pony · · Score: 2

    Buying software with an EAL4 rating is kind of like buying a home without a home inspection, only more risky.

    He has obviously never bought anything from Fernwilter and Associates.

  39. Huh? by D+iz+a+n+k+Meister · · Score: 1

    Are you trying to make a point or explain my joke?

    Basically Windows 2k security is "certified" as secure as closing the bathroom door while, well you know, making a deposit. But not "certified" secure if someone, anyone, is *trying* to do something bad, other than make a deposit.

    ((Windows Security == closing door) + bathroom humor + on topic ==> funny)

    --

    He painted a unicorn in outer space. I'm askin' ya, what's it breathin'?
  40. marketing tactics ... by MenAtWork · · Score: 1

    Can it be a M$ marketing strategy to force people to upgrade to WinXP? I recently read about Univ. of California, Irvine making it compulsory for every user on its residential network to upgrade to XP. Even though some concession was provided, I don't see a reason for migrating since all my applications run well enough and most of the security problems can be taken care of by running a firewall. (At least taken care of as well as in XP.)

  41. Funny by triptolemeus · · Score: 1

    From the article: It also needs to be acknowledged that commercial UNIX-based systems like Linux

    Okay, I know there is a lot of commercial Linux out there, but to call Linux a commercial system...

    --
    The site where: "I'm right, as long as you ignore the things that prove me wrong", became a valid method of debate.
  42. Legitimate negative comments are not "bashing". by Futurepower(R) · · Score: 3, Insightful

    From the Slashdot story: "Microsoft bashing aside..."

    This kind of talk is nonsense! When someone says "Microsoft bashing", they are in effect apologizing for saying something negative about Microsoft. Apologizing is ridiculous. There are many negative things that can be honestly said about Microsoft. Apologizing by using the word "bashing" in the same paragraph as a legitimate complaint weakens the complaint, especially with people who are not technically knowledgeable.

    In his November 15, 2002 Crypto-Gram newsletter, Bruce Schneier says "A well-written analysis of the major security/privacy/stability concerns of Windows XP" about this article: Windows XP Shows the Direction Microsoft is Going.

    (Bruce Schneier wrote major books about computer security: Applied Cryptography and Secrets and Lies: Digital Security in a Networked World.)

    The article contains only a small number of the legitimate complaints about Microsoft. I know because I wrote the article in my spare time, and there are many, many issues I have not had time to document.

    Who kept Kevin Mitnick in prison? Who allows Microsoft to be abusive? It's us. It is technically knowledgeable people who allow these abuses. We could be effective in our complaints. Instead, we accept a double standard in which illogical people are allowed to be illogical, but we must be completely logical or we would lose our jobs.

    If you are sure of a problem, be effective in talking about it! Get your thoughts in order. Make your communication clear. Get the job done! Write an advisory letter to a government leader. Mention your ideas everywhere a lot of people are listening.

    If you prevent Microsoft from being abusive, you are being charitable toward Microsoft. The company has a self-destructive side; preventing Microsoft from being abusive helps you and me personally, helps the world, and helps Microsoft. Remember, Microsoft's abusiveness causes all technically knowledgeable people to look bad to those who are not technically knowledgeable. Those with no technical knowledge are not qualified to sort out the details. We all suffer.

    If you know better than the people around you, that makes you the leader! Don't accept foolishness. Don't accept implied criticism; make the speaker state his or her opinions openly. Don't accept the terms "nerd" or "geek". Those terms are used by illogical people to weaken the power of the people who are knowledgeable.

  43. Your .sig by Galvatron · · Score: 1

    Isn't that BSOD?

    --
    "The question of whether a computer can think is no more interesting than that of whether a submarine can swim" -EWD
  44. Awwk! You both retard! by Anonymous Coward · · Score: 0

    Me too. I retard!

  45. Common Criteria by drsolly · · Score: 5, Interesting

    I bumped into this several years ago, in the antivirus field. "Get the product certified", said the marketing department. "Some big corporates want to see an official certification" said our sales people.

    So I looked into it. At the time, it was called "Itsec", now it's "Common Criteria". It was run, in those days, by the electro-spooks, based in Cheltenham.

    When I found what it was, I was absolutely ROFL.

    I, the vendor, was expected to state the functionality of the product, what it was supposed to do, security-wise. They call this the TOE, "Target of Evaluation".

    They, the evaluators, would check that it met that functionality, and give me a certificate if it did.

    So far, so good. But what's the right functionality? In my case, what functionality should an antivirus have (rhetorical question, please don't tell me, except it isn't as simple as you might think).

    So, I said to the people who ran the scheme, Suppose I define my functionality as "Comes in a blue box". Could I get an Itsec certification for that? The answer boiled down to "Yes, but that isn't a security issue". "Yes it is," I said.

    Um. Who defines what is a security issue and what isn't? I was saying that the lack of a blue box, was a security issue. How do you say it isn't? Anyway, that's my TOE, please certify it. Well, it never got that far, that was just my way of telling them that their scheme was a joke.

    So I went to a pal of mine who ran the security department at a university, suggested that he set up a certification scheme, and got the product certified under that instead. That made our marketing people happy, also our sales people. Customers had a certification to pin on the wall, everything was tickety-boo.

    Except the government people, who knew they were being made monkeys out of, because I threw that "Comes in a blue box" thing at them at every conference and seminar I went to, and I heard that it started to seriously embarrass them, because people started asking questions about the value of their certifications. There's more in that thread - things did start to change, but the change didn't happen in the end.

    Now, I'm not suggesting that the Microsoft certification says "Comes in a blue box." But until you've read the TOE, you don't actually know what security functions have been certified.

  46. The only truly secure computer .... by johnlcallaway · · Score: 2

    ... is one that is never plugged in, never turned on, and never used.

    As soon as you turn it on and plug it in to a network, or let someone log in and use it, all kinds of evil things can happen.

    So, with the above being the most secure system, we have to make compromises. Take passwords/phrases for instance. We could specify a pass phrase of at least 60 characters with mixed case, numbers, and special characters. That might take a cracking program a little longer to break. But the odds that the casual user will remember it and not write it down someplace increase as the difficulty of the password increases.

    Or, we could install smart card devices and require their usage, along with pass phrases and biometrics. But that increases costs and complexity. Not only do I need smart card readers and software at my desk, but also every system that I will use to VPN in with.

    Or, we could remove all floppy disks and CD drives from our users' machines, and prevent them from downloading from the internet, but then we have to listen to them gripe all the time.

    Or, we could remove Windows 2000 and use some as-yet-to-be-named totally secure, non-breakable software that provides 90% of the same functionality. But then the users would lose access to Outlook and Word and whine again because they don't want to learn something new.

    Instead, we do the best with what we have, and move on. Fix the security leaks as they come up, and hope we get to them before the crackers do. Yes, I would love for MS to do a better security job, and I would also love to install Linux on the desktop. But since neither is going to happen anytime soon, we deal with it. (Although XP has finally made our CIO sit up and consider replacing MS.)

    --
    I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
    1. Re:The only truly secure computer .... by SuiteSisterMary · · Score: 2

      With the old Orange Book series, at least, as I haven't looked at the CCSE, as you increased in 'security' level, the emphasis shifted away from keeping people out, to being able to tell what they did.

      The fact of the matter is that if your service can be used for legitimate purposes, it can be used for illegitimate purposes. Period.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  47. Importance of Certification by Zebra_X · · Score: 2, Insightful

    This is a rather interesting turn of events in the Linux vs. Microsoft battle. The ramifications of such a certification could possibly be far reaching. Linux support in government offices has been expanding, for example. My uncle works for the FAA and their office is moving from NT 4 to Linux (for desktops). However this certification turns the tables of Linux proliferation a bit. Since there are not many (or any?) Linux distros that are rated at such a level it will be easier for MS to make a case against Linux from a "trustworthiness" standpoint. Whether this is true or not, the rating gives MS a foot to stand on when dealing with the government and/or military. Also, it makes W2K a more "valuable" product since it has something that only the l33t of the OS world possess.

  48. Already Reported awhile ago by JTMON · · Score: 0

    They didn't just get the OS certified but individual apps also such as IE and Outlook. Be Very scared.....

  49. OS != kernel by yerricde · · Score: 2, Insightful

    IE is embedded into Explorer, NOT the OS (i.e. the kernel).

    Grandparent said "OS" not "kernel". An operating system is more than a kernel.

    You can easily run Windows with a different shell (why?).

    Why? Easy. Explorer is a RAM hog compared to alternatives such as litestep.

    --
    Will I retire or break 10K?
  50. when does Microsoft pay you, weekly? by Anonymous Coward · · Score: 1, Funny

    Do you get your Microsoft check weekly, monthly or by the word? Because if you get it for new ideas: post anti-Linux anywhere there is an honest discussion about an important Microsoft topic, then you get NO PAYMENT.

    1. Re:when does Microsoft pay you, weekly? by IDStewart · · Score: 1
      Do you get your Microsoft check weekly, monthly or by the word

      Just because somebody says something you don't like about Linux doesn't automatically make them a Microsoft flunky. I'm no C2 expert, but I do know enough about InfoSec to know that when it comes to industry-grade security, your standard Linux distro doesn't make the cut.

      But that's Ok. It's not supposed to.

      Like Windows and OS X, Linux is a consumer product. As such its primary strengths lie in its stability, usability and inter-operability, not necessarily in its security.

  51. Don't know what you're talking about. by Anonymous Coward · · Score: 0

    MS has shown little to no aggressiveness in anti-piracy. Sure, they could lock you up for sharing their software, but they've never done anything of the sort. In fact I think they are somewhat famous for looking the other way in regards to individual piracy.

  52. How do we define Security? by Bill_EEE · · Score: 1

    If we define security as financial security, it is clear that running the dominant operating system, no matter how spoof-proof and bug free it is, contributes to a LACK of SECURITY.

    If we define security as a system where we know what is going on and how it does what it does and who has open sockets and who is listening, then the most secure computer is one that is TURNED OFF, no matter what the operating system would be if turned on. Obviously that is ridiculous and meant to be humorous.

    Throwing money down the IT rathole is not the answer if people feel insecure. No appliance can ever give one a total feeling of security.

    Until I can run the Windows 'System Information' utility and know what every 16-bit, 32-bit driver and every Exe program listed is and who makes it and how to verify it, then I will never feel that Windows is secure. But that won't stop me from using it. I simply won't hook it onto my other machines if it is exposed to the internet.

    The Microsoft operating system allows for hooking up new drivers and processes far too easily. And there is no way to know what all of the crap is that gets loaded on.

    And so, my advice is. . . if you need to feel secure, then go to the lonely place of meditation and turn off your computer. Because if you are looking for a government certification for security, then you are a fool.

    But if you want to sell software and you need that piece of paper that claims that your stuff is secure, then by all means vainly chase after the wind of a government certification.

    Here is a question: is there a website or database somewhere that has lists of various modules that get loaded by Windoze and what their checksums should be? Does any database of DLL's and drivers exist where I can look up the processes that show up in the 'Windows Information' utility? Doesn't it seem that if people load these drivers and modules, that they should have to register and provide a way of verifying them? Doesn't it seem that the UNDO or UNINSTALL feature should provide a better way of knowing what modules are legitimate and which are viruses?

    Until Windows makes things clearer and not less clear, then I will always think of it as a toy operating system. It is not secure in the sense that you can really know what processes are running and what should and shouldn't be there. I rate it a good toy, and fun to surf with, but I wouldn't bet my government or my company on it.
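
    The "database of checksums" the post asks for did not exist in general form, but the check it wants (know what modules are on the box, and notice when one changes or a new one appears) can be done locally by recording a baseline of file hashes and diffing against it later. The script below is an added example written for this thread, not code from the original post or from Microsoft; it assumes only a directory to scan (the Windows drivers folder, or any path you care about) and builds a constructed sample directory in demo() so it runs offline.

```python
"""Baseline-and-verify integrity check for a directory of modules.

Added example, not part of the original thread. It assumes nothing about
Windows: point it at any directory (e.g. the drivers folder on a Windows box,
or /lib/modules on Linux) to record the SHA-256 of every module-like file,
then run it again later to see what was added, removed or changed.
The sample directory built in demo() is constructed for this example.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so a large driver is not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, suffixes=(".sys", ".dll", ".exe")) -> dict:
    """Map each module path (relative to root, POSIX separators) to its digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            baseline[path.relative_to(root).as_posix()] = sha256_of_file(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report paths that appeared, disappeared, or whose content changed."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def save_baseline(baseline: dict, path: Path) -> None:
    """Persist the snapshot; keep this file somewhere the scanned host cannot rewrite."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: snapshot, then one driver is replaced and one appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "drivers").mkdir()
        (root / "drivers" / "ntfs.sys").write_bytes(b"ntfs driver v1")
        (root / "drivers" / "tcpip.sys").write_bytes(b"tcpip driver v1")
        (root / "kernel32.dll").write_bytes(b"kernel32 v1")
        (root / "readme.txt").write_bytes(b"not a module, ignored by the filter")

        baseline_file = root / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Later: an existing driver is overwritten and an unknown one shows up.
        (root / "drivers" / "tcpip.sys").write_bytes(b"tcpip driver (modified)")
        (root / "drivers" / "rootkit.sys").write_bytes(b"unknown driver")

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    The caveat a practitioner would add: a hash baseline only tells you that something changed, not whether the new file is legitimate, and it is only as trustworthy as the first snapshot (baseline a freshly installed, patched machine, and store the JSON off-box). On Windows you would pair it with a signature check of each module, which is what the "who makes it and how to verify it" part of the question needs.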

    1. Re:How do we define Security? by Anonymous Coward · · Score: 0

      This topic comes up so often that it's almost predictable ... and not just with respect to MS.

      To my mind the big problem is that there are so many disparate computer security ratings, there's no standardisation of criteria, there's no weighting of different security aspects/scores and there's absolutely no attempt to establish criteria that can be used by all the different bodies that purport to assess computer security.

      CERT and SANS for example basically report on network and network applications security. Various third party 'consultants' have made an industry of reporting on other aspects - which can look good or bad depending on what criteria they assess and how they measure it. There are numerous certifications from the government, UN, ISO and others that make a mockery of the topic ... that are only accessible by those with the time and money to meet their documentation and other specifications ... and that in the final analysis mean absolutely nothing.

      What I'd really like to see is some widely adopted security assessment methodology that considered the following weighted aspects ... and was applied rigorously across systems:

      1. Incidence (of the affected code on the network, in the distribution system etc)
      2. Damage quotient (based on the extent to which it damages hardware, OS, software or whatever components of a given system)
      3. Economic cost (individual system basis - for damage, data loss and the like)
      4. Network effect (purely based on the effect it can/could have on network performance/security)
      5. Contagiousness (estimated number of vulnerable systems)
      6. Distribution (number of individuals with affected systems)
      7. Preventative Costs (of third party software and hardware necessary to secure whatever OS or System from whatever vulnerability)

      The above criteria would at least give you something you could apply to most security violation incidences and would be something you could apply across platforms and applications in a relatively unbiased way ... and would be a hell of a lot more useful in threat analysis than the crappy systems we currently have.

      They could be applied equally with respect to network, trojan, virus, internal and other security violations - and give Joe Public some measure of information on which he could base his own threat profile using whatever bloody products he used.

      Of course, that would not serve the interests of the security industry and many product vendors ... but bugger them. :)

      At the moment what we have is crap, with little rigorousness and usefulness to the consumer ... and capable of serious 'Spin Doctor' manipulation when it comes to marketing and other uses.

      We need something better.

      Regards,

  53. Secure Communications by Bill_EEE · · Score: 1

    I remember when the US determined that the embassy in Moscow was bugged. . . they went to a very secure way to transfer ideas between employees: one of those pads with a sticky black tablet and a clear piece of plastic over the top. When you use a pointed device on it, you can draw whatever you want. And when you are done, you pull the plastic up and the message is erased. These things are very secure and cost only a few dollars. Imagine that, and it doesn't even have a plug.

    Here is another point (because I used to be in government procurement for computer purchases): Most computers in use in offices do not need to be of a high security type. They are not used for things that are classified. And most users are not doing this kind of work. Thus, for the ones that do, you can provide a single place where they go to get their secure stuff. The best type of security is in process. I have always felt that if you snow-storm the information and provide a way for the user to know which is the correct information, then the enemy doesn't know what message is the right message. And then they are lost in a blizzard of mis-information.

    But, in the world of 'secure computing' no one wants someone who says that we need less and not more. And someone like me who is thrifty and not foolish in my spending on government computers was not popular. They had a budget, damn it, and they needed to spend it as fast as they could. It wasn't wise. For example there is the story of the guy who "HAD TO HAVE" the 4 thousand dollar CD burner (in the early 1990s) because he HAD TO record his voice for his presentations (thus he could sleep during the meeting after he started his slide show). My suggestion of purchasing a $40.00 tape recorder with a $5.00 microphone didn't make him like me. He was important, damn it, and needed that $4000.00 CD burner.

    And while I am on the topic of war stories: There was the division of a gov lab where they had a HUGE budget (was it an SDIO office?) and they went out and bought the newest and best of everything. They had wax based color printers and they did all of their transparencies in color at the cost of at least 5 dollars a print. When a certain general sat through their pretty color presentation his comment at the end of it all was that they seemed to have too much budget and that they waste their money on appearance. I was very happy to know that a general would understand the difference of form over function and want the thrift of function versus the waste of form. I have a lot of these kinds of war stories. I am off topic.

  54. Sour Grapes by TheCabal · · Score: 0, Flamebait

    I find it interesting that little or no attention to the Common Criteria has been paid by Slashdot or its readers until Win2k was EAL4 certified. All of a sudden there is a flurry of activity concerning whether the Common Criteria is relevant or any good, or whether Microsoft bought their certificate. How come Linux can't get EAL4 certified, hmmm? With all the effort put into bellyaching about Win2k and the CC, I'm certain that at least one flavor of Linux could have been whipped into shape.

  55. It all depends on the PP used by Anonymous Coward · · Score: 1, Interesting

    As +/- mentioned in the article, the Common Criteria is based on a protection profile (PP) that says what the system is supposed to do. The given system is supposed then to meet that profile. Depending how well it meets the profile, it will be given a certification. Then again, the certification is based on any profile that the given vendor wants to follow. The key here is making sure, as a customer, that the profile used is one that meet your requirements. So the very fact that Win2k is CC certified means nothing, regardless of the level. Note that to minimize problems NSA, who oversees CC, from the start developed a few protection profiles for certification labs to use. I personally don't know which PP was used.

  56. Quoted Profile is EAL 3, not EAL 4 by redtail · · Score: 1

    The author should have observed that the profile from which he drew the damning summary of "what it is good for" includes assurance of EAL3. I'm not suggesting that an EAL4 system would materially change "what it is good for", but a review of the protection profiles at http://www.iatf.net/protection_profiles/operating_systems.cfm suggests that our gov't thinks EAL4 is good enough to protect SECRET data from uncleared users. I think that is plain nuts, but it does differ from the quoted summary.

    --
    Redtail
  57. Understand the certification by Anonymous Coward · · Score: 1, Interesting

    Actually, these certified versions of NT are only impressive to civilians.

    From what I remember - NT4 was certified as c2 only without a network card. Which means that adding a network card invalidates the certification.

    And the documentation I've seen on the Common Criteria levels tells me that EAL4 means that XP passed a design review. The interesting part of the CC cert is the CAPP - it means that XP is safe to use in an environment where you trust the employees, network and programs.

    Essentially, CAPP EAL4 is good stuff to put in a press release and not much else.

  58. Actual MS Certification Test by Herkum01 · · Score: 2

    Tester #1: OK, attempting to buffer overflow attack on the NetBEUI Protocol.

    Tester #2: No response, good.

    Tester #1: Attempting buffer overflow attack on the Messenger Service.

    Tester #2: No response, good.

    Tester #1: Attempting to ping the box.

    Tester #2: No response, this thing is a rock.

    Tester #1: Well I think it passes with flying colors then!

    Tester #2: Yep, lets go to lunch.

    MS Representative (wanders in after Techs have left): Hey where did those guys go? I better turn this box on before they begin...

  59. Last Post! by alpg · · Score: 1

    A large spider in an old house built a beautiful web in which to catch flies.
    Every time a fly landed on the web and was entangled in it the spider devoured
    him, so that when another fly came along he would think the web was a safe and
    quiet place in which to rest. One day a fairly intelligent fly buzzed around
    above the web so long without lighting that the spider appeared and said,
    "Come on down." But the fly was too clever for him and said, "I never light
    where I don't see other flies and I don't see any other flies in your house."
    So he flew away until he came to a place where there were a great many other
    flies. He was about to settle down among them when a bee buzzed up and said,
    "Hold it, stupid, that's flypaper. All those flies are trapped." "Don't be
    silly," said the fly, "they're dancing." So he settled down and became stuck
    to the flypaper with all the other flies.

    Moral: There is no safety in numbers, or in anything else.
    -- James Thurber, "The Fairly Intelligent Fly"

    - this post brought to you by the Automated Last Post Generator...