Slashdot Mirror
IBM Clinches Security Certification for Linux
Nimey writes "IBM has gotten Linux certified under the Common Criteria specification. " What this means is that government can consider Linux when making purchasing decisions. Linux got the highest rating possible.
CNN.com has this story too.
Microsoft set out to get Win2K certified and only completed the process last October according to .
Linux now has the upper hand because MS does not yet have XP certified.
I think what this means is that they can pick Linux and have a piece of paper supporting their choice. Got to cover their own backs I guess.
I believe Linux received an EAL 2. Windows 2000, however has received an EAL 4. An EAL 4 involves more security checks and requirements.
The EAL2+ assurance level achieved is NOT the highest rating possible by a long, long shot - it's actually close to the lowest. But, it's a great start.
IBM and SuSE say they're working on a higher level CAPP evaluation, which roughly equates to the old C2 TCSEC criteria.
Check out here: http://www.commoncriteria.org/
IBM has gotten Linux certified
Correction -- they got SuSE Linux certified. This only applies to SuSE. Incidentally, it cost them $500,000.
Linux got the highest rating possible
No it didn't. FUD. According to this story...
Linux was certified as providing only "low to moderate" security, compared with the same group's certification as "moderate to high" last year of the security of Microsoft's Windows 2000 software. Supporters said Linux software was under testing for better-security ratings.
In fact, I'd suggest people look at the story in the Inquirer linked above -- it gives a little more information as well as some light commentary.
It's still good to see Linux get this certification though. It's another step towards displacing Windows.
Don't anthropomorphize computers, they don't like it.
Linux was certified as providing only "low to moderate" security, compared with the same group's certification as "moderate to high" last year of the security of Microsoft's Windows 2000 software. Supporters said Linux software, whose popular mascot is a penguin, was under testing for better-security ratings.
I would guess that IBM wanted to go for the faster, cheaper rating first and wait to get it certified higher. Common Criteria testing is expensive and time-consuming. It isn't a statement on Linux, it says more about how much got spent this time around.
if you're curious about some of the history of microsoft and the certication of windows for government work, click here, and look elsewhere for the story of ed curry. its been linked to here on slashdot before.
if you want to know more about what the eal4 certification that windows 2000 sp3 currently has, click here.
...vividly encapsulates that post-Watergate/pre-punk/coked-up moment when you could trust no one, least of all yourself.
Even the greediest government agency has to operate within budget, after all. And in the US military, budgets have held mostly constant while obligations associated with things like war-fighting have gone up, so your non-combat line items get shrunk to make up the difference.
Welcome to the Panopticon. Used to be a prison, now it's your home.
You can get an overview at networkcomputing.com or at the common citeria web site.
According to the press release the certification covers the `SuSE Linux Enterprise Server 8 on IBM eServer xSeries', i.e. a specific SuSE product running on a specific family of servers. And nothing else. Read also this bit.
Nope, we won't slashdot Yahoo. But we may slashdot their rating system :)
There's that "Rate This Message" on the bottom. Just everyone pick "5" and the news will make to the "highest rated" and possibly to top headlines of Yahoo news.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
First of all in case you missed it: SuSE Linux running on specific IBM hardware is certified at EAL2. Win2000 was certified at the much higher EAL4, but only under some fairly restrictive circumstances.
Now realistically, EAL4 IS a restrictive certification! Trusted Solaris8 is EAL4 certified. Most default Unix installs might barely pass EAL2. What good is it then?
Read the C|Net article and you'll find that IBM is pursuing EAL3 and EAL4 for SuSE Linux next. That's a Good Thing, for any number of reasons, not the least of which is being able to sell to defense contractors for secure (but not secret or top-secret) level requirements.
Practically speaking though, the different levels, while increasingly restrictive, aren't a scale of security goodness. They serve different effective purposes. Do you WANT an EAL4 system on your desktop? Probably not. Do you want it in your server room? There's a good chance, yeah. Do you want an EAL7 system for anything at all? Unless you're the NSA, probably not. This is an OS designed from the ground up with peer review at every stage (architecture, design, implementation) and independent verification on top of that. It is utterly restrictive--you wouldn't be able to put a web browser on an EAL7 system (or more to the point, you wouldn't be allowed to write and install one for the system without breaking the certification). This is the software that runs the shuttle and nuclear bases.
So basically, let's quit this damned pissing match. EAL2 is good for some things, EAL4 for others, and so forth.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
Jonathan Shapiro wrote a great article analyzing the Windows Common Criteria certification; much of it applies to Linux as well. Among other things, it explains why Windows can get certified even with its remote root exploits: "An EAL4 rating means that you did a lot of paperwork related to the software process, but says absolutely nothing about the quality of the software itself. There are no quantifiable measurements made of the software, and essentially none of the code is inspected."
Most linux/bsd distros default config are quite secure, whereas the default in Windows (which most people use) is extremely open and very vulnerable.
This is true at the moment, but it's changing with new product releases.
For example, on Windows Server 2003, IIS is not installed by default, and if you install it, it binds to localhost only by default. I find this rather impressive for Microsoft because it shows that the company sacrifices trivial installation for more security. I wonder where they are heading. IMHO, it's getting more and more likely that Microsoft crushes the free software competition in the security area. Not because of certification, but because of more reliable software, better product management, courage to make decisions which inconvenience users etc. Right now, their advisories are already among the best the market offers (which also says something about the market, but still I wouldn't have predicted this two years ago).