Slashdot Mirror
Justifying the Common Criteria Security Evaluation
lewko writes "Microsoft has just received a Common Criteria certification for Windows 2000 at Evaluation Assurance Level (EAL) 4. Security experts have been saying for years that the the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this. What does it all mean? This paper suggests that Microsoft spent millions of dollars producing documentation that shows that Windows 2000 meets an inadequate set of requirements, and that you can have reasonably strong confidence that this is the case. Microsoft bashing aside, the process in evaluating a security product is relevant to anyone considering the deployment of technology into their environment." The EROS operating systems he mentions looks interesting - of course, it also looked interesting three years ago.
Well how much of what is secure? It seems to me that MOST of the security bugs one associates with Microsoft are problems with two programs in particular--IIS and Outlook (Express version only).
... so i will be the one to say what everyone is thinking... "duh?"... we know its insecure but what do we do? Should we try to work to get windows secure somehow or do our own open source thing? honestly what good are we going to do with this new info?
unzip; strip; touch; finger; mount; fsck; more; yes; unmount; sleep
I know some commercial Unixes are certified to C2 if you have it configured right. What about the Linuxes?
Why would anyone want to use a text editor that is not vi?
Bueller?
This kind of certification is a great thing for people running Win2K. But I have to wonder if Microsoft's upgrade cycle will cause those people to lose official support for Win2K unless they upgrade to XP or whatever's next very soon now? A lot of enterprises do a lot of time-consuming testing before they rollout something like Win2K, which is probably the first reasonable OS from MS. It'd be a real shame if all that testing and certification gets thrown out the window because MS doesn't feel its customers are buying upgraded products fast enough.
While it sounds interesting, you have to wonder how useful it will be. Microsoft has said itself that windows wasn't designed to be secure (because they opted for higher functionality, albeit less secure funtionality). According to the website, EROS should be completely virus free, because there won't be any way for a virus to work. That sounds a bit like Palladium to me (only certified code runs). Personally, I think that if you expect to install any OS and expect it to be secure off the bat, then your in for a surprise. Even Linux has vulnerabilities. A properly configured Windows Box can be just as secure as any OS, you just have to know the system
The Common Criteria security standards deal with the design of operating systems, not the implementation. It has been certified that the security system used in Windows 2000 is "well designed"; but this says nothing about how many bugs there might be in the code.
Tarsnap: Online backups for the truly paranoid
""Microsoft has just received a Common Criteria certification for Windows 2000 at Evaluation Assurance Level (EAL) 4. Security experts have been saying for years that the the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this. What does it all mean? "
The computer was off during the test.
Jonathan S. Shapiro, Ph.D.
Johns Hopkins University Information Security Institute
By now, you may have heard that Microsoft has received a Common Criteria certification for Windows 2000 (with service pack 3) at Evaluation Assurance Level (EAL) 4. Since a bunch of people know that I work on operating system security and on security assurance, I've received lots of notes asking "What does this mean?" On this page I will try to answer the question. For the impatient the answer is:
Security experts have been saying for years that the the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this.
Since that's a pretty strong statement, bear with me while I try to explain it in plain English.
How a Security Purchase Should Work (In Abstract)At the risk of telling you something you already know, here is how a purchaser ought to proceed when buying a security product:
Assess your needs. Determine what your requirements are.
Decide which product you are most confident will meet those needs.
Buy and deploy it.
Each of these is potentially an involved process, and most customers don't have the expertise to do them effectively. Even if you did, Microsoft (or any other vendor) isn't likely to let you examine their code and design documents in order to evaluate their product.
The purpose of the Common Criteria process is to develop standard packages of commonly found requirements (called Protection Profiles) and have a standard process of independent evaluation by which an expert evaluation team arrives at a level of confidence for some particular software product.
As a customer, this makes your life simpler, because you can compare your needs against existing requirements constructed by experts and then see how well the software you are buying meets those requirements. Security requirements are fairly hard to write down correctly, but if the resulting document is annotated properly they aren't all that hard to understand.
Obviously, if you don't know your needs (requirements) you don't stand much of a chance of getting them met. Likewise, if you don't know what requirements a software product was evaluated against, the evaluation result isn't terribly useful to you in practical terms.
How Common Criteria WorksFrom the customer perspective, a Common Criteria evaluation has two parts:
A standardized requirements specification called a Protection Profile that says what the system is supposed to do. Sometimes there will be more than one of these -- usually a general baseline protection profile and then some others describing additional, specialized requirements.
An evaluation rating. This is basically an investigation by well-trained experts to determine whether the system actually meets the requirements specified in the protection profile(s). The result of the evaluation is an "Evaluation Assurance Level" which can be between 1 and 7. This number expresses the degree of confidence that you can place in the system.
In order to understand the result of an evaluation, you need to know both the evaluation result, which will be a level between EAL1 and EAL7, and the protection profile (the requirements that were tested). Given two systems evaluated against the same protection profile, a higher EAL rating is a better rating provided the requirements meet your needs.
Knowing that a product has met an EAL4 evaluation -- or even an EAL7 evaluation -- tells you absolutely nothing useful. It means that you can have some amount of confidence that the product meets an unknown set of requirements. To give a contrived example, you might need a piece of software that always paints the screen black. I might build a piece of software that paints the screen red with very high reliability, and get it evaluated at EAL4. Obviously my software isn't going to solve your problem.
The Windows 2000 EvaluationMicrosoft sponsored an evaluation of Windows 2000 (with Service Pack 3 and one patch) against the Controlled Access Protection Profile (plus some enhancements) and obtained an EAL4 evaluation rating. This is most accurately written as "CAPP/EAL4".
Problem 1: The Protection ProfileThe Controlled Access Protection Profile (CAPP) standard document can be found at the Common Criteria website.Here is a description of the CAPP requirements taken from the document itself (from page 9):
The CAPP provides for a level of protection which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security. The profile is not intended to be applicable to circumstances in which protection is required against determined attempts by hostile and well funded attackers to breach system security. The CAPP does not fully address the threats posed by malicious system development or administrative personnel.
Translating that into colloquial English:
Don't hook this to the internet, don't run email, don't install software unless you can 100% trust the developer, and if anybody who works for you turns out to be out to get you you are toast.
In fairness to Microsoft, CAPP is the most complete operating system protection profile that is presently standardized. This may be the best that Microsoft can do, but it is very important for you as a user to understand that These requirements are not good enough to make the system secure. It also needs to be acknowledged that commercial UNIX-based systems like Linux aren't any better (though they are more resistant to penetration).
Note that the "Don't install software" part means that you probably shouldn't install a word processor. On several occasions Microsoft has unintentionally shipped CD's with viruses on them. A CD with a virus qualified as "malicious system development."
Problem 2: The Evaluation Assurance LevelHaving described the requirements problem, I now need to describe the problem of the EAL4 evaluation assurance level that Windows 2000 received.
As I mentioned before, EAL levels run from 1 to 7. EAL1 basically means that the vendor showed up for the meeting. EAL7 means that key parts of the system have been rigorously verified in a mathematical way. EAL4 means that the design documents were reviewed using non-challenging criteria. This is sort of like having an accounting audit where the auditor checks that all of your paperwork is there and your business practice standards are appropriate, but never actually checks that any of your numbers are correct. An EAL4 evaluation is not required to examine the software at all.
An EAL4 rating means that you did a lot of paperwork related to the software process, but says absolutely nothing about the quality of the software itself. There are no quantifiable measurements made of the software, and essentially none of the code is inspected. Buying software with an EAL4 rating is kind of like buying a home without a home inspection, only more risky.
The Bottom Line for Windows 2000In the case of the CAPP protection profile, there actually isn't much point to doing anything better than a low-confidence evaluation, because the requirements set itself is very weak. In effect, you would be saying "My results are inadequate, but the good news is that I've done a lot of work so that I can be really sure that the results are inadequate.
In the case of CAPP, an EAL4 evaluation tells you everything you need to know. It tells you that Microsoft spent millions of dollars producing documentation that shows that Windows 2000 meets an inadequate set of requirements, and that you can have reasonably strong confidence that this is the case.
ConclusionSecurity isn't something that a large group can do well. It is something achieved by small groups of experts. Adding more programmers and more features makes things worse rather than better. Microsoft has been adding features demanded by their customers for a very long time.
It is possible to do much better. EROS, a research operating system that we are working on here in the Systems Research Laboratory at Johns Hopkins University, should eventually achieve an EAL7 evaluation rating, and is expected to provide total defense against viruses and malicious code. It won't be compatible, because the most important security problems in Windows and UNIX are design problems rather than implementation problems. In fact, none of the viable research efforts toward secure operating systems are compatible with existing systems.
It remains to be seen whether EROS or one of the other attempts to build secure operating systems will prevail, but better solutions are coming.
Jonathan Shapiro is an Assistant Professor in the Department of Computer Science of Johns Hopkins University. He has been working on operating system security and assurance since 1991. His past research has yielded both formally verified security properties and dramatically improved performance results in secure operating systems. His current research focuses on tying these results together into a complete, usable system, and on evaluating and testing the correctness and reliability of the resulting system.
Dr. Shapiro is also member of JHUISI, the Hopkins Information Security Institute.
Get a clue. We recognize the win2k common criteria certification was announced before. This post directs us to a paper with an analysis on what the certification means.
I was also interested in EROS; unfortunately, at the time, it had a non-commercial-use license, and so I never did anything more than grab it and get it up and running on a single system.
Now that he's going with an MPL-style license, I guess he might be able to get more people interested. Unfortunately, like the GPL, there only room for one product in that ecological niche at a time, and Linux is already there.
While capabilities are an interesting approach, I don't think this really has any bearing on the Microsoft certification, unless the intent of mentioning EROS was to make fun of the certification?
-- Terry
The trouble I find is that I'm able to evaluate the level diligence the IT staff at any given company has taken, I'm able to audit the level of (attempted) compliance to any documented security policy and I'm even able to assess internal security configuration and controls.
Ultimately though, I'm signing off on audit opinions that ALWAYS says and feeling a little sick about it. If we got sued, I could provide documentation proving that I diligently checked security and based on "accepted" business standards the security was implement at a reasonable level. Basically, I could cover my ass.
Is there anyone out there that has an audit program for Win2k that they would feel comfortable using to tell the auditors that they can rely on the numbers? Just curious.
Oh, BTW, the auditors could care less about Common Criteria and even though they're thick as pudding about IT, they're still smart enough o bring in outside people when they need to rely on any computer's numbers.
It was followed by a short lived, but lengthy discussion with regular readers of worldtechtribune (including the editor-in-chief apparently) and some other newsforge readers.
You may or may not find some interesting thoughts, or just more (mis)information.
Before you mod me down, I am a network admin that works with both windows 2000 and linux on a daily basis. I am also a certified MCSA (though we all know what we think of certs :) ). Anyways, my #1 reason why i think windows security SUCKS, is that the damn OS has no real firewall built into it! I mean, come on, with win2k you gotta either buy a hardware firewall (cisco pix, etc), or throw a unix box in front of it. And yes, i know XP does have a basic firewall built in, but do any of you want to run a server on XP ? People always bitch at MS for bundling software into their OS, but there's no excuse to not include reasonable packet filter ability in the OS. Thats why I believe the only time you EVER put a MS box on the net is if its behind a NAT or something else that totally hides the box from outsiders.
Lawyers, MBA's, RIAA? A jedi fears not these things!
Given that Microsoft constantly modifies shared portions of its Operating Systems via Service Packs, Windows Update, and while installing new applications...well, precisely how meaningful is any declaration of the security of a given Microsoft OS? Just tracking WHAT you have on a given Windows box is enough to make most sysadmins break out in hives.
If you have any software configuration that strays more than trivially from the one tested for security than the certification isn't really relevant.
is CAPP/EAL4.
It protects me against threats of inadvertent or casual attempts to breach the system security, like people walking in while I'm, uhh, ya know.
Of course it does nothing when someone disables the lock or tries to kick the door in.
He painted a unicorn in outer space. I'm askin' ya, what's it breathin'?
...that Microsoft is more concerned with protecting its software from the "evil pirates" who made Windows and Linux big, than they are about keeping our critical information secure. Great, they can lock you in jail for 20 years because you gave your friend a copy of Word XP, but they won't lift a finger to keep REAL CRIMINALS from hijacking your identity.
Microsoft more than anything has pissed me off over their threat ads in certain areas. If you haven't heard them, I'd encourage people to find a way to hear them. They are shocking in their brazen "Stop being a criminal or we'll make you our woman and you'll like it." attitude.
Microsoft has been proven to be the sham it is, even by the government. When the US Government, the most incompetant bureacracy in existence says that you suck...man, you have to seriously do some soul-searching...if Gates even has one.
Only in slashdot are posts of solidarity modded at -1 Redundant, while posts of antagonism are modded as -1 Flamebait.
"...[Windows 2000] has no real firewall built into it!"
Where do you draw the line? Microsoft is stuck between a rock and a hard place here. On one hand, if they don't put in a firewall, people will complain that they have to buy additional software or hardware to secure the OS (which is true.) On the other hand, if Microsoft does add a firewall, Norton, Symantec, and 50 other "personal firewall" software makers would scream bloody murder: "Microsoft is leveraging their OS monopoly to put us out of business!"
I'd guess the crappy firewall built into XP is a sort of compromise. On one hand, you don't want millions of unsecured Windows boxes running around on the Internet. So Microsoft surreptitiously adds an incoming-packets-only firewall to XP. Sure, it's a crappy firewall, and it doesn't offer real protection. But it keeps the firewall software makers at bay, and it keeps Microsoft out of the Justice Dept. gray area.
Most sysadmins would buy a hardware firewall or dedicated NAT device with firewall anyway... so at least in corporate settings, that problem is solved. Really, it's going to be tough for Microsoft to add any decent programs to the OS at this point, since they've already been found guilty of illegally bundling Internet Explorer. I'd watch for more stuff to be attached to Office or offered as a free download instead.
Simpli - Your source for San Jose dedicated servers and colocation!
A properly configured Windows Box can be just as secure as any OS, you just have to know the system
yeah, right. only when both systems are turned off
I dont know why you are feeling uncomfortable with your methodology. What you are doing is exactly what needs to be done. There is no one program or set of programs that can be run to assess the security level of any organization. The best that can be achieved is to take a snapshot in time of the currently known security exposures and then check to see whether there are defenses against the exposures. However, this doesnt guarantee that new exposures are covered. The only way one can have an assurance that future exposures will be covered is by examining the process that the organization has and the level to which the process is being followed.
Now, why exactly do you think that this only results in "adequate" security measures? Strike out Win2000 in your post above and replace it with Linux / Solaris / whatever you think is secure. What could you do when auditing installations of those operating systems that you arent already doing for Win2000?
There is no such thing as luck. Luck is nothing but an absence of bad luck.
Vendors hated NSA's old rating process. The standards were tough, NSA did the evaluations themselves, and you only got two tries to pass. After the first evaluation, NSA told you what was wrong. If you failed on the second try, that was it - you flunked. Worst case, NSA listed your product as "Class D - This class is reserved for those systems that have been evaluated but that fail to meet the requirements for a higher evaluation class."
Later, the process became much more "vendor friendly". Evaluations are performed by outside contractors, and vendors can submit their software over and over and over again until it passes. Microsoft used this process to push NT 4 through. It took years. The evaluation process is controlled by the vendor, and there are no public reports of failure.
The "common criteria" are rather weak, down near the bottom of the old NSA criteria. And the evaluation process is almost totally under vendor control, although it does have to be performed by an outside contractor acceptable to the Government.
There's better stuff out there. Currently, the most secure OS certified is the Wang XTS-300. This is certified to level B3 of the old Red Book criteria, which is about four notches above the level Windows 2000 just reached. Various FBI and DoD systems use Wang XTS-300, which is on Wang-built Pentium II and III systems. Wang is gone, but the product has been taken over by Getronics, which keeps a low profile.
Read the data sheet for the XTS-300. It's UNIX-like, but very different inside.
Coming soon, the XTS-400, which runs Linux apps.
These secure systems enforce a "mandatory security" model. Data has a security level, an integrity level, and a list of compartments to which it belongs. Movement downward in security level or upward in integrity level is prohibited, as is movement out of a security compartment or into an integrity compartment. This is very restrictive, but it's the only approach known to have any chance of really working.
There is really only one reason why MS went through all the trouble to get Win2k certified at CC-EAL4 (Equivalent to Orange book c2). MS wants the governemnt to upgrade to Win2k. Until now, many government sites would only use NT4.0 SP6a because that was the lates MS OS with the C2 certification. But now that Win2k SP3+ has recieved the, C2 equivalent, EAL4 certification, the government will be free to use Win2k on many of their systems without violating any secirity regulations.
The CC certification does not prove that Win2K is free from security related bugs, nor does it realisticaly prove that Win2k is secure. All it does is prove that Win2k, in certain configurations, adhears to the requirements of a EAL4 rated protection profile.
You're right, but...
There is nothing which *would* constitute a sufficient condition for security. You can't check any particular property, of the product or process, and say "Yup, it's secure." We should all know that by now. In general, the closest we come is to haul out a long list of known mistakes (the absence of which is a necessary but not sufficient condition) and hope not to find them.
It's also helpful to remember that the Common Criteria don't define try to define a reasonable security certification. What they do provide is a list of things which might be interesting and ways of measuring those things. It's up to the "end user" to choose which things are important to them (define a protection profile).
they quite obviously had to support everything that were documenting with proof, they probably factored that in.
Siggy Say, Siggy Do
but who the hell are the CommonCriteria folks, and why must I give a shit what they think of whatever OS?
The above is an honest question, if you can't elaborate clearly, please don't even bother to reply.
Thank you.
Welley Corporation - SLM Scammers
The sort-of-precursor to the CC, the DOD-5200.28-STD (Orange Book) specified exactly who needed to be in the testing team. For "Division C" (Windows NT 4.0 is rated C2):
For higher security classifications, the qualifications of the testing team get higher. For Division A you need at least one individual with a bachelor's degree in Computer Science or the equivalent and at least two individuals with masters' degrees in Computer Science or equivalent.So, Safety Cap's point is well made - the method of testing and the personnel carrying it out is just as important as the technical criteria.
Never email donotemail@WeAreSpammers.com
In essence, like the author stated, many people are substituting education about security issues with Common Criteria certification. However, if the customer doesn't know what they want, or if they don't understand what Common Criteria does and DOES NOT check, then the customer still has no idea what they are getting. And like the author, I sometimes wonder if Common Criteria certification short cuts the basic security background required to write an RFP and replaces it with a check box for an EAL.
In particular, if you work on or sell a security product and want to sell to government or the European Union, it must be Common Criteria certified. What the certification proves, however, is up to the interpretation of the person implementing the product.
Buying software with an EAL4 rating is kind of like buying a home without a home inspection, only more risky.
He has obviously never bought anything from Fernwilter and Associates.
From the Slashdot story: "Microsoft bashing aside..."
This kind of talk is nonsense! When someone says "Microsoft bashing", they are in effect apologizing for saying something negative about Microsoft. Apologizing is ridiculous. There are many negative things that can be honestly said about Microsoft. Apologizing by using the word "bashing" in the same paragraph as a legitimate complaint weakens the complaint, especially with people who are not technically knowledgeable.
In his November 15, 2002 Crypto-Gram newsletter, Bruce Schneier says "A well-written analysis of the major security/privacy/stability concerns of Windows XP" about this article: Windows XP Shows the Direction Microsoft is Going.
(Bruce Schneier wrote major books about computer security: Applied Cryptography and Secrets and Lies: Digital Security in a Networked World.)
The article contains only a small number of the legitimate complaints about Microsoft. I know because I wrote the article in my spare time, and there are many, many issues I have not had time to document.
Who kept Kevin Mitnick in prison? Who allows Microsoft to be abusive? It's us. It is technically knowledgeable people who allow these abuses. We could be effective in our complaints. Instead, we accept a double standard in which illogical people are allowed to be illogical, but we must be completely logical or we would lose our jobs.
If you are sure of a problem, be effective in talking about it! Get your thoughts in order. Make your communication clear. Get the job done! Write an advisory letter to a government leader. Mention your ideas everywhere a lot of people are listening.
If you prevent Microsoft from being abusive, you are being charitable toward Microsoft. The company has a self-destructive side; preventing Microsoft from being abusive helps you and I personally, helps the world, and helps Microsoft. Remember, Microsoft's abusiveness causes all technically knowledgeable people to look bad to those who are not technically knowledgeable. Those with no technical knowledge are not qualified to sort out the details. We all suffer.
If you know better than the people around you, that makes you the leader! Don't accept foolishness. Don't accept implied criticism; make the speaker state his or her opinions openly. Don't accept the terms "nerd" or "geek". Those terms are used by illogical people to weaken the power of the people who are knowledgeable.
You mean have MS pay Theo and everyone connected with the OpenBSD project enouh to persuade them that taking it proprietary and rebranding it Windows XX is A GOOD IDEA, right? Continuously checking Windows OS and applications for security fuckups is too big a job for one person, and probably too big a job for 1,000 persons.
Would the OpenBSD team sell out for $10 billion and the right to oversee future development?
Note that this would actually be an intelligent and cost-effective thing for MS to do, even if various code libraries have to be rewritten to avoid the use of GNU code of any sort, so we can take for granted that they'll never think of it for themselves.
While this is a lot more than MS paid for the rights to what later became MSDOS ($30K, IIRC), times have changed.
While this breaks compatibility with all MS applications, does anyone actually think anything less has the remotest chance of doing the job? Assuming the job is building a reasonably secure OS that can be made to work with a wide range of applications.
Tech Public Policy stuff
I bumped into this several years ago, in the antivirus field. "Get the product certified", said the marketing department. "Some big corporates want to see an official certification" said our sales people.
So I looked into it. At the time, it was called "Itsec", now it's "Common Criteria". It was run, in those days, by the electro-spooks, based in Cheltenham.
When I found what it was, I was absolutely ROFL.
I, the vendor, was expected to state the functionality of the product, what it was supposed to do, security-wise. They call this the TOE, "Target of Evaluation"
They, the evaluators, would check that it met that functionality, and give me a certificate if it did.
So far, so good. But what's the right functionality? In my case, what functionality should an antivirus have (rhetorical question, please don't tell me, except it isn't as simple as you might think).
So, I said to the people who ran the scheme, Suppose I define my functionality as "Comes in a blue box". Could I get an Itsec certification for that? The answer boiled down to "Yes, but that isn't a security issue". "Yes it is," I said.
Um. Who defines what is a security issue and what isn't? I was saying that the lack of a blue box, was a security issue. How do you say it isn't? Anyway, that's my TOE, please certify it. Well, it never got that far, that was just my way of telling them that their scheme was a joke.
So I went to a pal of mine who ran the security department at a university, suggested that he set up a certification scheme, and got the product certified under that instead. That made our marketing people happy, also our sales people. Customers had a certification to pin on the wall, everything was tickety-boo.
Except the government people, who knew they were being made monkeys out of, because I threw that "Comes in a blue box" thing at them at every conference and seminar I went to, and I heard that it started to seriously embarrass them, because people started asking questions about the value of their certifications. There's more in that thread - things did start to change, but the change didn't happen in the end.
Now, I'm not suggesting that the Microsoft certification says "Comes in a blue box." But until you've read the TOE, you don't actually know what security functions have been certified.
... is one that is never plugged in, never turned on, and never used.
As soon as you turn it on and plug it in to a network, or let someone log in and use it, all kinds of evil things can happen.
So, with the above being the most secure system, we have to make compromises. Take passwords/phrases for instance. We could specify a pass phrase of at least 60 characters with mixed case, numbers, and special characters. That might take a cracking program a little longer to break. But the odds that the casual user will remember it and not write it down someplace increases as the difficulty of the password increases.
Or, we could install smart card devices and require their usage, along with pass phrases and biometrics. But that increases costs and complexity. Not only do I need smart card readers and software at my desk, but also every system that I will use to VPN in with.
Or, we could remove all floppy disks and CD drives from our user's machines, and prevent them from downloading from the internet, but then we have to listen to them gripe all the time.
Or, we could remove Windows 2000 and use some as-yet-to-be-named totally secure, non-breakable software that provides 90% of the same functionality. But then the users would lose access to Outlook and Word and whine again because they don't want to learn something new.
Instead, we do the best with what we have, and move on. Fix the security leaks as they come up, and hope we get to them before the crackers do. Yes, I would love for MS to do a better security job, and I would also love to install Linux on the desktop. But since neither is going to happen anytime soon, we deal with it. (Although XP has finally made our CIO sit up and consider replacing MS.)
I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
This a rather interesting turn of events in the Linux vs. Microsoft battle. The ramifications of such are certification could possibly be far reaching. Linux support in governement offices has been expanding for example, My uncle works works for the FAA and their office is moving from NT 4 to linux (for desktops). However this certification turns the tables of linux proliferation a bit. Since there are not many (or any?) Linux distros that are rated at such a level it will be easier for MS to make a case against Linux from a "trust worthyness" standpoint. Whether this is true or not, the rating gives MS a foot to stand on when dealing with the government and/or military. Also, it makes more W2K a more "valueable" product since it has something that only the l33t of the OS world posses.
IE is embedded into Explorer, NOT the OS (i.e. the kernel).
Grandparent said "OS" not "kernel". An operating system is more than a kernel.
You can easiliy run Windows with a different shell (why?).
Why? Easy. Explorer is a RAM hog compared to alternatives such as litestep.
Will I retire or break 10K?
Tester #1: OK, attempting to buffer overflow attack on the NetBEUI Protocol.
Tester #2: No response, good.
Tester #1: Attempting buffer overflow attack on the Messenger Service.
Tester #2: No response, good.
Tester #1: Attempting to ping the box.
Tester #2: No response, this thing is a rock.
Tester #1: Well I think it passes with flying colors then!
Tester #2: Yep, lets go to lunch.
MS Representative(wanders in after Techs have left): Hey where did those guys go? I better turn this box before they begin...