IBM Clinches Security Certification for Linux
Nimey writes "IBM has gotten Linux certified under the Common Criteria specification." What this means is that government can consider Linux when making purchasing decisions. Linux got the highest rating possible.
So what I want to know is anything with the Linux kernel good to use, or just SUSE? Call me nuts, but I thought that different distributions using the Linux kernel could be pretty damn different as far as security and stability go.
And you think IBM doesn't know how to handle bureaucrats? They invented the game and probably patented it as well.
XP is a desktop OS, and hardly needs security certification of that level. Windows 2003 server just came out a few months ago. Give it time. I bet the Linux configuration that was certified was not exactly 2.5 kernel material running debian unstable.
Mother is the best bet and don't let Satan draw you too fast.
Don't underestimate how cheap people can be. It goes hand-in-hand with greed. Windows is not precisely free.
Members of government are also accountable to their constituents. As people become more and more aware of Linux, they will also become more aware of the security problems with Windows. A few years ago, there was no basis for comparison. Now there is, and the more information that gets out there, the better. It's cliché now to say this, but the days are numbered for the stranglehold Microsoft holds, one way or the other.
Auto-reply to ACs: "Truly, you have a dizzying intellect."
Try the CCEVS home page... Here you can find the Validated Products List.
... information wants to be forwarded
The fact is that developers can now start recommending Linux. Anti-Linux / Pro-Windows people can no longer use the excuse that Linux isn't an "approved" OS.
Surprisingly, it can be hard to convince most people in government positions, civil service, military, contractors, etc., that _we_ don't want to pay for Windows licenses, and _we_ don't always need to spend waaayyyy too much money on waaayyyy too much hardware.
This is great news for people that work for the government. Kudos to IBM for footing the bill on this, as it is an expensive process.
Take it easy? I'll take it anyway I can get it . . .
Now as Windows advocates were forced to admit, a security rating is about as useful(/useless) as a TPC-C benchmark. It's a test under controlled circumstances and the real world is never this controlled - but it does compare apples to apples. No serious advocate of either would blindly consider the other to be utterly secure or insecure; but I think the /. editors have jumped the gun both factually (it's not the highest rating possible, it's the lowest rating possible) and enthusiastically. I mean, would this story have made it if the headline read "Linux finally achieves a security rating lower than Windows 2000"?
Windows XP and 2003 are currently under testing, but it takes time, so please don't reveal your ignorance by announcing that Linux must be more secure than either of those since they haven't been certified yet. XP is every bit as secure as Windows 2000, and more, and 2003 is far more secure than any other Windows release. That they'll be certified is not a question but just a matter of time.
Flame away - the karma rating here is meaningless as it's nearly effortless to get "Excellent" and maintain it.
Excuse the pedantry, but doesn't this mean SuSE running on IBM boxes got certified, not Linux per se?
--
This sig is inoffensive.
Supporters said Linux software, whose popular mascot is a penguin, was under testing for better-security ratings.
WTF does Linux's mascot have to do with being under testing for better ratings? Is the reporter trying to convey the impression that Linux isn't serious business since it has a cute mascot instead of a corporate logo?
Wrong place in the article to put that bit.
1) CC != Security, CC == Trust. EAL2 is close to the lowest level of evaluation and if my recollection of the eval levels is correct (it's been a while), EAL2 basically says that somebody somewhere might be able to find the documentation behind all the code if they went looking for it. Win 2k got EAL4 which is a full code and documentation review.
2) When you put a product into CC you define a protection profile, the weight and value of the evaluation is based upon the complexity of that profile. It would be useful to see the profile for this eval. It is possible (in theory at least) to get a product through CC by defining a profile that outlines what happens when you click on the "Red Hat". The more you exclude the more quickly you get through the process, but conversely the less interesting the evaluation is to government.
3) For those of you that feel this steals a march over WinXP, be aware that WinXP is in evaluation and the protection profiles that it is being evaluated under are public. Microsoft are doing a far more extensive job with XP than IBM did with Linux. When a Government procurement organisation comes to buy product, even for systems classified as SECRET, the fact that a product is in evaluation is generally enough, this is certainly true outside of the US.
Don't get me wrong, this is a great start and will certainly spread a lot of marketing fud, but it does not mean a great deal to the government community. If anything it will raise a series of questions about why Microsoft's so-called 'insecure' product can achieve EAL4 when the Open Source Linux offering can only scratch through EAL2.
Tread carefully.
If Win2k gets a higher rating than Linux, then why do we have stuff like this happening?
Isn't it odd that a "comprehensive security rating" can overlook something as serious as a complete remote compromise?
Linux DOES have an advantage. I can always get support for an old version of a distro. (Worst case, I AM the support.) Now here we are in 2003. It takes M$ 2 years to get Windows certified. They stop shipping the product after 3 years, and pull the plug after 5. That means you have, tops, 3 useful years of a M$ product in a sensitive environment. Less when you consider implementation time.
People gripe about how the space shuttle runs on old equipment, but you have to remember, there are plenty of installations that require computing hardware to be embedded for decades. Think factory equipment, weapon systems, utilities, traffic lights, aircraft.
When engineering those systems you use the most stable installation you can find, strip it down to just what you need, and run it until you can't buy parts for it anymore.
Now how do you do that within a 5 year Window again?
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
This announcement means only one thing. IBM would not have gone through this trouble unless there were a few large contracts (DARPA/DOD) that will underwrite the expense in the future. Think I'll buy a few more shares of IBM stock today.
"Curiosity killed the cat, but for a while I was a suspect."- Steven Wright
Linux was tested for "low and moderate" security and passed. It was not tested for anything higher, so we don't know if it would have failed those.
The tests cost lots of money and time, so you start at the bottom and work your way up. It is like, say, a soccer team passing the semi-finals; you don't then say, oh, that means they missed the finals? No, that is yet to come.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
No it didn't. FUD. According to
FUD = Fear, Uncertainty, and Doubt
Overexaggeration is not FUD. It may be inaccurate or perhaps just plain wrong, but it is not FUD.
I agree with you on that. As the requirements for EAL4 certification stand right now, it's quite true that Linux would not be able to qualify. However, the reason Linux doesn't qualify shows exactly what the problem is with his argument that Linux is less secure somehow because it doesn't have this certification: Linux is not unable to achieve EAL4 because of a lack of technical merit or actual real-world security, it's because of a *technicality*. While documentation of the development process is, I suppose, necessary for closed source operating systems to prove certain standards of programming, the fact that you can actually *look* at the source code in OSS projects lessens the necessity of this aspect for that type of project. If I can look at the code and actually see that, for example, the password authentication routines are secure, then does it matter if the actual programming was done by a highly regimented team of programmers using a compartmentalized programming methodology, or a lone college student working from his parents' basement while munching Cheetos? The resulting code and its security is what matters, not so much the development process used to arrive at this code.
:) So here's hoping that the talk of changing the CC process to take OSS principles into account more moves from beyond mere talk to some action.
At least, that's *my* humble opinion.
"Two things are infinite: the universe, and human stupidity. And I'm not sure about the first one." - Albert Einstein
The terms CC and "security" should never be used in the same sentence, CC is not about security it is about trust.
All this rating does is open the door a little. It's up to the marketing boys at IBM to bludgeon the pencil-pushers into submission.
Claiming some sort of "victory" for GNU/Linux as a whole is silly. This is another step in the right direction.
As GNU/Linux has become more utilized, it has attracted the attention of powerful (and some incompetent) enemies. Be careful what you wish for! GNU/Linux, by its nature, will never present a unified front to defend itself. By binding the interests of users to the interests of parties with power, we improve the chances that things will go our way.
"Reality is that which, when you stop believing in it, it doesn't go away." - Philip K. Dick
These lower-level security evaluations don't mean much in terms of real security out on the big scary internet, i.e. the situation most of us find our machines in all the time. (This has been discussed on Slashdot before.) Basically, all that is necessary to get one is that you document *everything* and then throw a pile of money into having a government-approved independent organization evaluate your product and make sure that it does what the documentation says it does. If your product behaves as your documentation says it does, you get the certification. It is worth noting that OpenBSD, who have only had one remote hole in the default installation in seven years, have avoided these types of certifications for a long time. Look at Theo's comments on the C2 rating in the Orange Book (the predecessor of the Common Criteria). This is the formal description of EAL4 in the official list of evaluation levels. Notice that the goal is to "retrofit" a product line with security, and only to the degree that doing so is "economically feasible". Compare that with Bruce Schneier's comment that "Security isn't easy, nor is it something that you can bolt onto a product after the fact." No one should be surprised that feature-rich, general-purpose operating systems designed for quick and easy use (i.e. everything turned on by default) are vulnerable.
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OSes too.