Slashdot Mirror


Justifying the Common Criteria Security Evaluation

lewko writes "Microsoft has just received a Common Criteria certification for Windows 2000 at Evaluation Assurance Level (EAL) 4. Security experts have been saying for years that the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this. What does it all mean? This paper suggests that Microsoft spent millions of dollars producing documentation that shows that Windows 2000 meets an inadequate set of requirements, and that you can have reasonably strong confidence that this is the case. Microsoft bashing aside, the process in evaluating a security product is relevant to anyone considering the deployment of technology into their environment." The EROS operating system he mentions looks interesting - of course, it also looked interesting three years ago.

18 of 168 comments

  1. Im at the karma cap... by packeteer · · Score: 3, Insightful

    ... so i will be the one to say what everyone is thinking... "duh?"... we know it's insecure but what do we do? Should we try to work to get windows secure somehow or do our own open source thing? honestly what good are we going to do with this new info?

    --
    unzip; strip; touch; finger; mount; fsck; more; yes; unmount; sleep
  2. Re:Well by packeteer · · Score: 3, Insightful

    They are willing to throw out win98 and winME but i doubt they will get rid of 2k. They know 2k is better than XP for a lot of things and it would be like shooting themselves in the foot to piss off the current installed base of win2k.

    --
    unzip; strip; touch; finger; mount; fsck; more; yes; unmount; sleep
  3. EROS: The Extremely Reliable Operating System by ball-lightning · · Score: 3, Insightful

    While it sounds interesting, you have to wonder how useful it will be. Microsoft has said itself that windows wasn't designed to be secure (because they opted for higher functionality, albeit less secure functionality). According to the website, EROS should be completely virus free, because there won't be any way for a virus to work. That sounds a bit like Palladium to me (only certified code runs). Personally, I think that if you expect to install any OS and expect it to be secure off the bat, then you're in for a surprise. Even Linux has vulnerabilities. A properly configured Windows Box can be just as secure as any OS, you just have to know the system.

  4. Shooting at the Wind by divide+overflow · · Score: 4, Insightful

    Given that Microsoft constantly modifies shared portions of its Operating Systems via Service Packs, Windows Update, and while installing new applications...well, precisely how meaningful is any declaration of the security of a given Microsoft OS? Just tracking WHAT you have on a given Windows box is enough to make most sysadmins break out in hives.

    If you have any software configuration that strays more than trivially from the one tested for security, then the certification isn't really relevant.
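    The point in this post, that the evaluation only speaks for the exact configuration that was tested, is easy to show with a baseline diff. The following is an added example, not code from the thread or from any evaluation report: `EVALUATED_BASELINE` and `HOST_INVENTORY` are constructed key/value pairs standing in for the evaluated configuration and for what a host really has after updates and application installs; the keys, values and the hotfix id are placeholders, not the real Windows 2000 evaluated configuration.

```python
"""Evaluated-configuration drift check.

Added example, not code from the Slashdot thread or from any evaluation
report. EVALUATED_BASELINE and HOST_INVENTORY are constructed key/value
pairs standing in for an evaluated configuration and for what a host
actually has installed; keys and values are illustrative placeholders.
"""
from dataclasses import dataclass, field

# Constructed stand-in for the configuration the evaluators actually tested.
EVALUATED_BASELINE = {
    "os.build": "2195",
    "os.service_pack": "SP3",
    "service.telnet": "disabled",
    "service.web": "absent",
    "policy.audit.logon": "success,failure",
    "component.hotfix.PLACEHOLDER-1": "installed",  # placeholder id, not a real hotfix
    "ui.wallpaper": "default",
}

# Keys whose drift matters for the security claim; anything else is cosmetic.
SECURITY_RELEVANT_PREFIXES = ("os.", "service.", "policy.", "component.")


@dataclass
class DriftReport:
    changed: dict = field(default_factory=dict)  # key -> (expected, actual)
    missing: list = field(default_factory=list)  # in baseline, absent on host
    extra: list = field(default_factory=list)    # on host, absent from baseline

    def drifted_keys(self):
        return sorted(list(self.changed) + self.missing + self.extra)

    def security_drift(self):
        """Only the non-trivial deviations: those touching security-relevant keys."""
        return [k for k in self.drifted_keys() if k.startswith(SECURITY_RELEVANT_PREFIXES)]

    @property
    def certification_applies(self):
        """The evaluation describes one configuration; once a security-relevant
        key differs, the host is no longer the configuration that was evaluated."""
        return not self.security_drift()


def compare(baseline, inventory):
    """Diff a host inventory against the evaluated baseline."""
    report = DriftReport()
    for key, expected in baseline.items():
        if key not in inventory:
            report.missing.append(key)
        elif inventory[key] != expected:
            report.changed[key] = (expected, inventory[key])
    report.extra = [k for k in inventory if k not in baseline]
    report.missing.sort()
    report.extra.sort()
    return report


# Constructed inventory of a host after updates and a few application installs
# have run: a service was switched on, a hotfix is gone, an extra component
# and a wallpaper change appeared.
HOST_INVENTORY = {
    "os.build": "2195",
    "os.service_pack": "SP3",
    "service.telnet": "enabled",
    "service.web": "absent",
    "policy.audit.logon": "success,failure",
    "component.thirdparty.agent": "installed",
    "ui.wallpaper": "custom",
}

if __name__ == "__main__":
    r = compare(EVALUATED_BASELINE, HOST_INVENTORY)
    for k in r.drifted_keys():
        print(k, r.changed.get(k, "(added/removed)"))
    print("certification still describes this host:", r.certification_applies)
```

    Cosmetic keys are reported but do not disqualify the host; the telnet service, the missing hotfix and the third-party agent do, which is why the sample host comes out as outside the evaluated configuration while the same inventory with only a wallpaper change does not.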

  5. I've noticed an interesting concept... by C0LDFusion · · Score: 4, Insightful

    ...that Microsoft is more concerned with protecting its software from the "evil pirates" who made Windows and Linux big, than they are about keeping our critical information secure. Great, they can lock you in jail for 20 years because you gave your friend a copy of Word XP, but they won't lift a finger to keep REAL CRIMINALS from hijacking your identity.

    Microsoft more than anything has pissed me off over their threat ads in certain areas. If you haven't heard them, I'd encourage people to find a way to hear them. They are shocking in their brazen "Stop being a criminal or we'll make you our woman and you'll like it." attitude.

    Microsoft has been proven to be the sham it is, even by the government. When the US Government, the most incompetent bureaucracy in existence, says that you suck...man, you have to seriously do some soul-searching...if Gates even has one.

    --
    Only in slashdot are posts of solidarity modded at -1 Redundant, while posts of antagonism are modded as -1 Flamebait.
  6. Where do you draw the line? by SlashChick · · Score: 5, Insightful

    "...[Windows 2000] has no real firewall built into it!"

    Where do you draw the line? Microsoft is stuck between a rock and a hard place here. On one hand, if they don't put in a firewall, people will complain that they have to buy additional software or hardware to secure the OS (which is true.) On the other hand, if Microsoft does add a firewall, Norton, Symantec, and 50 other "personal firewall" software makers would scream bloody murder: "Microsoft is leveraging their OS monopoly to put us out of business!"

    I'd guess the crappy firewall built into XP is a sort of compromise. On one hand, you don't want millions of unsecured Windows boxes running around on the Internet. So Microsoft surreptitiously adds an incoming-packets-only firewall to XP. Sure, it's a crappy firewall, and it doesn't offer real protection. But it keeps the firewall software makers at bay, and it keeps Microsoft out of the Justice Dept. gray area.

    Most sysadmins would buy a hardware firewall or dedicated NAT device with firewall anyway... so at least in corporate settings, that problem is solved. Really, it's going to be tough for Microsoft to add any decent programs to the OS at this point, since they've already been found guilty of illegally bundling Internet Explorer. I'd watch for more stuff to be attached to Office or offered as a free download instead.

  7. Get the Govt. to Upgrade to Win2k by T4D · · Score: 5, Insightful

    There is really only one reason why MS went through all the trouble to get Win2k certified at CC-EAL4 (Equivalent to Orange book c2). MS wants the government to upgrade to Win2k. Until now, many government sites would only use NT4.0 SP6a because that was the latest MS OS with the C2 certification. But now that Win2k SP3+ has received the C2-equivalent EAL4 certification, the government will be free to use Win2k on many of their systems without violating any security regulations.

    The CC certification does not prove that Win2K is free from security related bugs, nor does it realistically prove that Win2k is secure. All it does is prove that Win2k, in certain configurations, adheres to the requirements of an EAL4 rated protection profile.

  8. There are no sufficient conditions in security by Squeamish+Ossifrage · · Score: 5, Insightful

    You're right, but...

    There is nothing which *would* constitute a sufficient condition for security. You can't check any particular property, of the product or process, and say "Yup, it's secure." We should all know that by now. In general, the closest we come is to haul out a long list of known mistakes (the absence of which is a necessary but not sufficient condition) and hope not to find them.

    It's also helpful to remember that the Common Criteria don't try to define a reasonable security certification. What they do provide is a list of things which might be interesting and ways of measuring those things. It's up to the "end user" to choose which things are important to them (define a protection profile).

  9. Re:There are real, secure, systems out there. by Animats · · Score: 3, Insightful

    Rings come from Multics. 1960s technology. IA-32 machines have ring hardware, but few operating systems use it.

  10. Re:only secure when it's powered down by WhiteKnight07 · · Score: 3, Insightful

    While I see the humor in your comment, and you are right, he does have a point. Win2k/XP boxes are quite secure once you configure them properly as long as you don't use certain software on them. *cough*ISS*cough* The problem is that compared to *nix relatively few users know how to secure their systems. Windows falls victim to its own design in the respect that it is designed so that people can use it without much knowledge of the internal workings of the system. So you get lots of people who know just enough to use it but nowhere near enough to secure it properly who promptly run around the net with unsecured boxes by the thousands. Linux requires the user to learn more about the inner workings of the system and as such that user is better equipped to secure his or her box. Linux's steeper learning curve makes it inherently more secure by creating a more knowledgeable user base. While windows's ease of use creates an inherently more ignorant, and thus less secure, user base. Sure IE's integration into explorer doesn't help, and neither does Outlook's idiotic attachment handling but it's actually the primary goal of the windows design team, ease of use, that is windows's greatest flaw. Without a knowledgeable user, no OS is really all that secure. Although the security minded way that *nix is designed does help it quite a bit.

    --
    We're going to make information free Mr. Anderson, whether you like it, or not.
  11. Re:Security comes thru process not via a program by Inexile2002 · · Score: 3, Insightful

    Sorry, auditing specific terminology there is going to sink me. An audit program is usually a 2 to 20 page document (average 5-ish pages) that consists of a series of questions to ask, things to check and what documentation to request. You follow the audit program and you can prove your audit opinions.

    So, if I find shitty security (doesn't matter what OS) I report on it. If I'm satisfied, I report on it.

    The problem I encounter is that for Win2K I haven't found a good audit document (program) yet. So even if there is great Win2K security (which ALWAYS means it's bundled in with other security, and ALWAYS means they have a good security policy), I have a hard time proving it. Similarly, when I find bad Win2k security and am called on to prove it (proof in an audit opinion sense, not the same as trying to explain active directories to senior management) I have a hard time.

  12. Re:one basic reason why windows security sucks by Anonymous Coward · · Score: 1, Insightful

    he mentioned browsers as a quintessential example of closed vs. open source patching. though that's really another issue.

    secondly, i'd hardly call bind "bulletproof", given its legendary legacy of remote root exploits. there are other free alternatives, and after this last discovered vulnerability, people are switching in droves.

    unfortunately, iis too has a legendary legacy, prompting this whole stupid discussion.

    i think the real issue here is when you have a homogeneous, ms-only setup (xp on iis, on x86), you're far more likely to be bitten, sooner, than on a heterogeneous system (some random bsd on some crazy big-endian cpu). no, i'm not invulnerable, just less susceptible to nuisance worms if i happen to miss an advisory.

    also take into consideration that all those daemon vulnerabilities you may encounter probably affect a very small portion of the open source population. how many are remote? how many are root? how many are even installed by default? how many would work on big-endian platforms? taken to an extreme, how many would work on a headless netbsd dreamcast running all-chrooted daemons on a read-only filesystem?

    i will agree, however, that if you take the proper precautions and vigilantly harden your machine, you probably won't have any problems regardless of the platform. however i also think that open source software makes that job much, much easier.
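    The questions in the post above (is the flaw remote, does it give root, is the component installed and reachable, does the exploit work on this CPU, does a chroot on a read-only filesystem contain it) are the triage a defender runs on every advisory. This is an added example, not code from the thread: the advisories, the `ADV-*` identifiers, the component names and the NetBSD/PowerPC host are all constructed placeholders, and the rules are a deliberately simple encoding of those questions rather than any published scoring scheme.

```python
"""Advisory applicability triage for a heterogeneous host.

Added example, not code from the thread. The advisories and the host below
are constructed for illustration: the identifiers are placeholders, not real
advisory numbers, and the components are generic names.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    ident: str           # placeholder label, not a real advisory id
    component: str       # affected daemon or package
    remote: bool         # triggerable over the network?
    gains_root: bool     # does success yield root, or just the daemon's uid?
    arches: frozenset    # architectures the published exploit is known to work on


@dataclass
class Host:
    arch: str
    installed: frozenset   # packages present
    listening: frozenset   # daemons actually exposed on the network
    chrooted: frozenset    # daemons confined to a chroot
    readonly_fs: bool      # root filesystem mounted read-only


def exposure(adv, host):
    """Classify one advisory against one host.

    Returns (level, reason) with level in {"none", "mitigated", "exposed"}.
    The checks follow the questions in the post: installed at all, reachable
    at all, does the exploit work here, and if so what does the confinement
    actually contain.
    """
    if adv.component not in host.installed:
        return "none", "component not installed"
    if adv.remote and adv.component not in host.listening:
        return "mitigated", "remote flaw but daemon is not network-reachable"
    if host.arch not in adv.arches:
        return "mitigated", f"no exploit known to work on {host.arch}"
    if adv.component in host.chrooted and host.readonly_fs and not adv.gains_root:
        # chroot + read-only fs contains a non-root daemon compromise;
        # it does not contain a root compromise, so that case falls through.
        return "mitigated", "non-root compromise confined by chroot on read-only fs"
    return "exposed", "exploit works here and nothing confines it"


def triage(advisories, host):
    """Group advisory ids by exposure level; the 'exposed' bucket is the
    patch-first list."""
    buckets = {"none": [], "mitigated": [], "exposed": []}
    for adv in advisories:
        level, _ = exposure(adv, host)
        buckets[level].append(adv.ident)
    return buckets


# Constructed host: the post's "headless NetBSD on a big-endian CPU with
# chrooted daemons on a read-only filesystem".
NETBSD_HOST = Host(
    arch="powerpc",
    installed=frozenset({"dns", "httpd", "ftpd"}),
    listening=frozenset({"dns", "httpd"}),
    chrooted=frozenset({"dns", "httpd"}),
    readonly_fs=True,
)

# Constructed advisories; ADV-* are placeholders, not real identifiers.
ADVISORIES = [
    Advisory("ADV-1", "dns", remote=True, gains_root=True,
             arches=frozenset({"i386", "powerpc"})),
    Advisory("ADV-2", "httpd", remote=True, gains_root=False,
             arches=frozenset({"i386", "powerpc"})),
    Advisory("ADV-3", "ftpd", remote=True, gains_root=True,
             arches=frozenset({"i386"})),
    Advisory("ADV-4", "mailer", remote=True, gains_root=True,
             arches=frozenset({"i386", "powerpc"})),
    Advisory("ADV-5", "dns", remote=True, gains_root=False,
             arches=frozenset({"i386"})),
]

if __name__ == "__main__":
    for level, ids in triage(ADVISORIES, NETBSD_HOST).items():
        print(f"{level:9s} {ids}")
```

    Of the five constructed advisories only the root-level DNS flaw ends up "exposed": the chroot does not contain a root compromise, whereas the non-root httpd flaw, the unreachable ftpd and the i386-only exploits are all downgraded. "Mitigated" still means patch, just not at the head of the queue.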

  13. Legitimate negative comments are not "bashing". by Futurepower(R) · · Score: 3, Insightful

    From the Slashdot story: "Microsoft bashing aside..."

    This kind of talk is nonsense! When someone says "Microsoft bashing", they are in effect apologizing for saying something negative about Microsoft. Apologizing is ridiculous. There are many negative things that can be honestly said about Microsoft. Apologizing by using the word "bashing" in the same paragraph as a legitimate complaint weakens the complaint, especially with people who are not technically knowledgeable.

    In his November 15, 2002 Crypto-Gram newsletter, Bruce Schneier says "A well-written analysis of the major security/privacy/stability concerns of Windows XP" about this article: Windows XP Shows the Direction Microsoft is Going.

    (Bruce Schneier wrote major books about computer security: Applied Cryptography and Secrets and Lies: Digital Security in a Networked World.)

    The article contains only a small number of the legitimate complaints about Microsoft. I know because I wrote the article in my spare time, and there are many, many issues I have not had time to document.

    Who kept Kevin Mitnick in prison? Who allows Microsoft to be abusive? It's us. It is technically knowledgeable people who allow these abuses. We could be effective in our complaints. Instead, we accept a double standard in which illogical people are allowed to be illogical, but we must be completely logical or we would lose our jobs.

    If you are sure of a problem, be effective in talking about it! Get your thoughts in order. Make your communication clear. Get the job done! Write an advisory letter to a government leader. Mention your ideas everywhere a lot of people are listening.

    If you prevent Microsoft from being abusive, you are being charitable toward Microsoft. The company has a self-destructive side; preventing Microsoft from being abusive helps you and me personally, helps the world, and helps Microsoft. Remember, Microsoft's abusiveness causes all technically knowledgeable people to look bad to those who are not technically knowledgeable. Those with no technical knowledge are not qualified to sort out the details. We all suffer.

    If you know better than the people around you, that makes you the leader! Don't accept foolishness. Don't accept implied criticism; make the speaker state his or her opinions openly. Don't accept the terms "nerd" or "geek". Those terms are used by illogical people to weaken the power of the people who are knowledgeable.

  14. Re:There are real, secure, systems out there. by Oggust · · Score: 2, Insightful

    C2 is about the same as CAPP/EAL4, except in the old TCSEC system instead of the new common criteria.

    B1 systems have mandatory access control, and are a lot like the new LSPP profile in CC. B2 introduces covert channel control, which IMHO is overkill, mostly. (Not to mention practically unsolvable.)

    Higher would be nice, of course, but I'd settle for an LSPP system with really good assurance!

    /August

    --
    "An object declared as type _Bool is large enough to store the values 0 and 1." -- 6.1.2.5, C99 standard.
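    What the post above means by "mandatory access control" (the thing B1 and LSPP add over the discretionary, C2/CAPP-style model) is worth seeing as code. This is an added example, not from the thread: the level names, categories, subjects and objects are constructed, and the rules are the classic Bell-LaPadula simple-security ("no read up") and *-property ("no write down") checks over a level-and-categories label lattice, with a discretionary grant alongside to show that the owner's decision cannot override the label check.

```python
"""Mandatory access control with labels (what B1 / LSPP add over C2-style DAC).

Added example, not code from the thread. Level names, categories and the
sample subjects and objects are constructed; the rules are the classic
Bell-LaPadula simple-security ("no read up") and *-property ("no write down")
checks over a level-and-categories label lattice.
"""
from dataclasses import dataclass

# Constructed hierarchical levels, low to high.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset  # non-hierarchical compartments

    def dominates(self, other):
        """a dominates b when a's level is at least b's and a's categories
        include all of b's: the partial order every MAC decision uses."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def mac_allows(subject, obj, op):
    """Label check alone. read: subject must dominate object (no read up).
    write: object must dominate subject (no write down)."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown op {op!r}")


def access_allowed(subject, obj, op, dac_grant):
    """Both policies must agree. dac_grant is the discretionary decision an
    owner could make (the C2-style part); MAC is consulted regardless and the
    owner cannot override it, which is what makes the control 'mandatory'."""
    return dac_grant and mac_allows(subject, obj, op)


# Constructed labels.
ANALYST = Label("secret", frozenset({"crypto"}))
PUBLIC_DOC = Label("unclassified", frozenset())
CRYPTO_MEMO = Label("secret", frozenset({"crypto"}))
NUCLEAR_MEMO = Label("secret", frozenset({"nuclear"}))
TS_REPORT = Label("top_secret", frozenset({"crypto"}))

if __name__ == "__main__":
    cases = [
        ("read", PUBLIC_DOC), ("read", CRYPTO_MEMO), ("read", NUCLEAR_MEMO),
        ("read", TS_REPORT), ("write", PUBLIC_DOC), ("write", TS_REPORT),
    ]
    for op, obj in cases:
        print(f"{op:5s} {obj.level:13s} {sorted(obj.categories)} -> "
              f"{access_allowed(ANALYST, obj, op, dac_grant=True)}")
```

    The two denials that matter are the same-level read of the nuclear memo (level equal, category missing, so no dominance) and the write to the unclassified document (no write down); both are denied even with `dac_grant=True`, which is the difference between a B1-style system and a C2-style one where the owner's grant would have been the last word.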
  15. Re:What's secure? by Anonymous Coward · · Score: 1, Insightful

    You really start to notice the vulnerabilities if you install a fresh copy of win2k and have to patch it up. Takes about 30 minutes and 7-8 reboots.

    You know, after just having to do that this weekend I can second that. I don't want to sound like a Linux fanboy, but I only had to reboot my Debian GNU/Linux system twice when I installed it this weekend, and that was to get it to boot off the hard drive instead of the CD install media. Initial bootup to install media, reboot to complete install with apt-get, reboot the final time to load all the daemons and start X. I could've eliminated the final reboot by just starting the daemons by hand but I decided not to.

    With the Win2k install I had to reboot after the CD was done copying things, reboot again after the initial install was done, reboot again after I installed the SVGA driver for my video card, reboot again after I installed a sound driver, reboot 2 times to get my USB hub recognized, reboot another time after that before it recognized and installed a driver for my USB keyboard and mouse (this is a laptop), reboot again after installing SP3, reboot again to install the IE 6.0 cumulative patch for IE 6.0, reboot again to install DirectX 8.1, reboot again to install Windows Media Player and some other patches that weren't covered by the previous software updates and finally had to reboot again to install a Windows Media Player update to the version I just installed! Then I needed to reboot when I installed the USB scanner drivers to get it to recognize the device. Oh, I forgot I needed to reboot to install the D-link network card drivers for the DWL-650 pcmcia 802.11b adapter. I don't think I needed to reboot to install the USB printer though so that's a plus. Amazing how complicated it is to do a Windows 2000 install and don't get me started on telling me I could've done this in 3 easy steps because you can't. The shit forces you to reboot to "complete installation" and your only option is a reboot button usually.

    Hell, even my Mac running OS X only rebooted one time to install OS X 10.2.2 and another time to install VirtualPC (why it needs to reboot for that is beyond me.. probably some legacy app that is braindead and living in the OS 9 world of rebooting to apply system changes). Since then I've just been closing the lid (laptop) and putting it in standby for weeks.

  16. Re:What's secure? by richie2000 · · Score: 3, Insightful

    Apart from the fact that IE is *not* integrated into the kernel

    He never wrote that either. The OS is not the kernel, as Stallman would be more than happy to tell you. You yourself call Win2k an "OS", would you not agree that IE is integrated into Win2k?

    can you tell me you can install a linux build from 3 years ago

    As soon as you can find me a three-year-old Linux distro STILL BEING SOLD AS NEW.

    Microsoft could easily have patched their master disc and manufactured new Win2k Server CDs at any time during these three years since the initial release but they have not done so. They are still making and selling software that they know is defective without even a token attempt at fixing the most glaring security holes in their product. In my book, this not only borders on criminal negligence, it's a fucking full-scale invasion over said border.

    Would you take kindly to Ford opening up an old warehouse and selling three-year-old Explorers with three-year-old Firestone tires labeled as "NEW FROM THE FACTORY"? No? Why not?

    Win2k is a pretty young OS. It's bound to have patch requirements.

    Three years is not young in the OS business (even if you take the time to read the years cited in the copyright notice when it boots). Considering the time and effort that Microsoft spent making it, they should have done a better job.

    --
    Money for nothing, pix for free
  17. Importance of Certification by Zebra_X · · Score: 2, Insightful

    This is a rather interesting turn of events in the Linux vs. Microsoft battle. The ramifications of such a certification could possibly be far reaching. Linux support in government offices has been expanding, for example: my uncle works for the FAA and their office is moving from NT 4 to linux (for desktops). However this certification turns the tables of linux proliferation a bit. Since there are not many (or any?) Linux distros that are rated at such a level it will be easier for MS to make a case against Linux from a "trustworthiness" standpoint. Whether this is true or not, the rating gives MS a foot to stand on when dealing with the government and/or military. Also, it makes W2K a more "valuable" product since it has something that only the l33t of the OS world possess.

  18. OS != kernel by yerricde · · Score: 2, Insightful

    IE is embedded into Explorer, NOT the OS (i.e. the kernel).

    Grandparent said "OS" not "kernel". An operating system is more than a kernel.

    You can easily run Windows with a different shell (why?).

    Why? Easy. Explorer is a RAM hog compared to alternatives such as litestep.

    --
    Will I retire or break 10K?