Slashdot Mirror

← Back to Stories (view on slashdot.org)

IBM Clinches Security Certification for Linux

Posted by CmdrTaco on from the we're-like-secure-or-something dept.

Nimey writes "IBM has gotten Linux certified under the Common Criteria specification. " What this means is that government can consider Linux when making purchasing decisions. Linux got the highest rating possible.

11 of 373 comments (clear)

  1. Re:Can vs. Will by Anonymous Coward · · Score: 5, Insightful

    And you think IBM doesn't know how to handle bureaucrats? They invented the game and probably patented it as well.

  2. Re:Can vs. Will by Liselle · · Score: 5, Insightful

    Don't underestimate how cheap people can be. It goes hand-in-hand with greed. Windows is not precisely free.

    Members of government are also accountable to their constituents. As people become more and more aware of Linux, they will also become more aware of the security problems with Windows. A few years ago, there was no basis for comparison. Now there is, and the more information that gets out there, the better. It's cliche' now to say this, but the days are numbered for stranglehold Microsoft holds, one way or the other.

    --
    Auto-reply to ACs: "Truly, you have a dizzying intellect."
  3. Re:Can vs. Will by keester · · Score: 5, Insightful

    The fact is that developers can now start recommending Linux. Anti-Linux / Pro-Windows people can no longer use the excuse that Linux isn't an "approved" OS.

    Surprisingly, it can be hard to convince most people in government positions, civil service, military, contractors, etc., that _we_ don't want to pay for Window's licenses, and _we_ don't always need to spend waaayyyy too much money on waaayyyy too much hardware.

    This is great news for people that work for the government. Kudos to IBM for footing the bill on this, as it is an expensive process.

    --
    Take it easy? I'll take it anyway I can get it . . .
  4. SuSE, not Linux by perly-king-69 · · Score: 4, Insightful

    Excuse the pedantry, but doesn't this mean SuSE running on IBM boxes got certified, not Linux per se?

    --

    --
    This sig is inoffensive.

  5. CC is just not that simple. by Osrin · · Score: 4, Insightful

    1) CC != Security, CC == Trust. EAL2 is close to the lowest level of evaluation and if my recollection of the eval levels is correct (it's been a while), EAL2 basically says that somebody somewhere might be able to find the documentation behind all the code if they went looking for it. Win 2k got EAL4 which is a full code and documentation review.

    2) When you put a product into CC you define a protection profile, the weight and value of the evaluation is based upon the complexity of that profile. It would be useful to see the profile for this eval. It is possible (in theory at least) to get a product through CC by defining a profile that outlines what happens when you click on the "Red Hat". The more you exclude the more quickly you get through the process, but conversely the less interesting the evaluation is to government.

    3) For those of you that feel this steals a march over WinXP, be aware that WinXP is in evaluation and the protection profiles that it is being evaluated under are public. Microsoft are doing a far more extensive job with XP than IBM did with Linux. When a Government procurement organisation comes to buy product, even for systems classified as SECRET, the fact that a product is in evaluation is generally enough, this is certainly true outside of the US.

    Don't get me wrong, this is a great start and will certainly spread a lot of marketing fud but it does not mean a great deal to the government community. If anything it will raise a series of questions about why Microsoft's so called 'in secure' product can achieve EAL4 when the Open Source Linux offering can only scratch through EAL2.

    Tread carefully.

  6. Re:Just wondering.. by TedCheshireAcad · · Score: 4, Insightful

    If Win2k gets a higher rating than Linux, then why do we have stuff like this happening?

    Isn't it odd that a "comprehensive security rating" can overlook something as serious as a complete remote compromise?

  7. Re:Big win for Linux! by EvilTwinSkippy · · Score: 4, Insightful
    Excuse me? Windows 2003 is an entirely new product and requires an entirely new certification.

    Linux DOES have an advantage. I can always get support for a old version of a distro. (Worst case, I AM the support.) Now here we are in 2003. It takes M$ 2 years to get Windows certified. They stop shipping the product after 3 years, and pull the plug after 5. That means you have, tops, 3 useful years of a M$ product in a sensitive environment. Less when you consider implementation time.

    People gripe about how the space shuttle runs on old equipment, but you have to remember, there are plenty of installations that require computing hardware to be embedded for decades. Think factory equipment, weapon systems, utilities, traffic lights, aircraft.

    When engineering those systems you use the most stable installation you can find, strip it down to just what you need, and run it until you can't buy parts for it anymore.

    Now how do you do that within a 5 year Window again?

    --
    "Learning is not compulsory... neither is survival."
    --Dr.W.Edwards Deming
  8. Smell those contracts by Teahouse · · Score: 5, Insightful

    This announcement means only one thing. IBM would not have gone through this trouble unless there were a few large contracts (DARPA/DOD) that will underwrite the expense in the future. Think I'll buy a few more shares of IBM stock today.

    --
    "Curiosity killed the cat, but for a while I was a suspect."- Steven Wright
  9. Re:Are there any secure Os's out there? by SmallFurryCreature · · Score: 4, Insightful
    ehm slight failure on youre part of understanding how it was tested.

    Linux was tested for test "low and moderate" security and passed. It was not tested for anything higher so we don't now if it would have failed those.

    The tests costs lots of money and time, so you start at the bottom and work youre way up. It is like say a soccer team passing the semi-finals, you don't then say, oh that means they missed the finals? No that is yet to come.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  10. Re:In your face! by Osrin · · Score: 4, Insightful

    The terms CC and "security" should never be used in the same sentence, CC is not about security it is about trust.

  11. Re:Just wondering.. by evenprime · · Score: 4, Insightful
    TedCheshireAcad asked
    If Win2k gets a higher rating than Linux, then why do we have stuff like this happening?

    Isn't it odd that a "comprehensive security rating" can overlook something as serious as a complete remote compromise?
    No, it is not odd. It is expected, in fact. Microsoft's rating was for common criteria "CAPP/EAL4". The CAPP part means that the OS provides "a level of protection which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security". I don't consider the internet to be a non-hostile and well-managed user community, so I'm not the least bit surprised that hostile remote attacks are possible. The evaluations didn't say that it was safe to hang the microsoft box - or the linux one - on the internet.

    These lower level security evaluations don't mean much in terms of real security out on the big scarey internet; i.e. the situation most of us find our machines in all the time. (This has been discussed on slashdot before.) Basically, all that is necessary to get one is that you document *everything* and then throw a pile of money into having a government-approved independent organization evaluate your product and make sure that it does what the documentation says it does. If your product behaves as your documentation says it does, you get the certification. It is worth noting that OpenBSD, who have only had one remote hole in the default installation in seven years, have avoided these types of certifications for a long time. Look at Theo's comments on the C2 rating in the Orange Book (the predicessor of the common criteria.) This is the formal description of EAL4 in the official list of evaluation levels
    EAL4 - methodically designed, tested and reviewed

    EAL4 permits a developer to maximize assurance gained from positive security engineering based on good commercial development practices. Although rigorous, these practices do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. It is applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs, and are prepared to incur additional security-specific engineering costs.

    An EAL4 evaluation provides an analysis supported by the low-level design of the modules of the TOE, and a subset of the implementation. Testing is supported by an independent search for vulnerabilities. Development controls are supported by a life-cycle model, identification of tools, and automated configuration management.
    Notice that the goal is to "retrofit" a product line with security, and only to the degree that doing so is "economically feasible". Compare that with Bruce Schneier's comment that "Security isn't easy, nor is it something that you can bolt onto a product after the fact." No one should be surprised that feature-rich, general purpose operating systems designed for quick and easy use (i.e. everything turned on by default) are vulnerable.
    --

    "Weapons should be hardy rather than decorative" - Miyamoto Musashi
    I think that goes for OS's too