Slashdot Mirror
IBM Clinches Security Certification for Linux
Nimey writes "IBM has gotten Linux certified under the Common Criteria specification. " What this means is that government can consider Linux when making purchasing decisions. Linux got the highest rating possible.
What are the ratings and how does other common OS's score? Anybody know?
How small a thought it takes to fill a whole life
CNN.com has this story too.
Microsoft set out to get Win2K certified and only completed the process last October according to .
Linux now has the upper hand because MS does not yet have XP certified.
Hey, you really cant go wrong with a open source, GPL'ed operating system where drivers are wrote by guys from NASA (Thanks Mr. Becker), and your security ACL's are wrote by the Spooks (heh, thanks NoSuchAgency ;-).
It REALLY beats closed source OS'es (for govt's) as even our own MS of America wont let us see the code because it's "dangerous". However showing the Chinese is A-OK.
Gotta makes you think: what would our gov't choose if they didnt have their hand in MS'es pocket?
I think what this means is that they can pick Linux and have a piece of paper supporting their choice. Got to cover their own backs I guess.
According to this article, Red Hat and Oracle are working on gaining the same level of certification by the end of the year.
So what I want to know is anything with the Linux kernel good to use, or just SUSE? Call me nuts, but I thought that different distributions using the Linux kernel could be pretty damn different as far as security and stability go.
Please spare me of all the "BSD SUCKS" and "BSD IS DEAD" flames. Kthx.
/.) -- why doesn't it get more corporate love?
Ignoring the fact that IBM markets Linux and not BSD, why haven't corporations made genuine efforts to get it accepted in environments such as the government. The article doesn't make it clear whether or not they're talking about serving or usability.
It seems to me that if they're talking about security and such, there's still a bit to be left desired. Additionally, SuSE is by no means the most standard (IMO, it's the most backward) distribution of Linux.
I'd be interested in learning why more companies don't take a look into BSD environments. The security is there. The license is TOTALLY unrestrictive. It's stable, secure, well documented and well accepted (except on
www.sitetronics.com/wordpress
And you think IBM doesn't know how to handle bureaucrats? They invented the game and probably patented it as well.
I mean, look at all the other level 4 assurance level OSs here . Of course, Windows 2k has had this certification since last year AND Microsoft has prepared a nice guide for ensuring compliance to the common criteria guides for the Windows Sysadmin. I'm very glad that Linux will be able to compete with Windows on a bureaucratic level as well as on technical merit, but perhaps there is a slight overreacction from the part of the /. editors?
Mother is the best bet and don't let Satan draw you too fast.
I'm a sysadmin for a large government data center. We've been using Linux in production for years, and we always purchase boxed distributions, even some preconfigured(!) machines from Dell. Government regulations do, however, prevent me from ordering Windex and Duster. These are considered janitorial supplies, and there is no justification in Information Systems procuring these items. So frankly, I'm not sure what all the fuss is about. Things look a lot different on the ground.
The EAL2+ assurance level achieved is NOT the highest rating possible by a long, long shot - it's actually close to the lowest. But, it's a great start.
IBM and SuSE say they're working on a higher level CAPP evaluation, which roughly equates to the old C2 TCSEC criteria.
Did you seriously think that they would? If so you need to share some of the dope you've been smoking. As has been said numerous times on this board: to IBM, SCO is nothing more than an annoying mosquito. They might be carrying West Nile, but they are still just a mosquito, and can be crushed or captured almost any time.
The cool part about this whole article is that with the security cert, the government could begin switching some of their offices over. It also means that organizations like hospitals (who need to be concerned with privacy due to HIPAA) can be sold on the fact that it is secure and they don't have to worry as much about some hacker stealing confidential information.
Think about it."We don't know what we are doing, but we are doing it very carefully,..." Wherry, R.J. Personnel Psychology (1995)
what kind of items are covered in the Common Criteria?
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Kirby
Don't underestimate how cheap people can be. It goes hand-in-hand with greed. Windows is not precisely free.
Members of government are also accountable to their constituents. As people become more and more aware of Linux, they will also become more aware of the security problems with Windows. A few years ago, there was no basis for comparison. Now there is, and the more information that gets out there, the better. It's cliche' now to say this, but the days are numbered for stranglehold Microsoft holds, one way or the other.
Auto-reply to ACs: "Truly, you have a dizzying intellect."
Yeah it's like the whole 'No-one ever got fired for choosing Oracle' thing.
In this case 'No-one ever got fired for choosing Common Criteria software'.
The important thing to remember here is that a lot of central government positions and even more local government positions are taken by people who could not support their employment in the private sector.
Another interesting point in this article is that statement that the Linux market is expected to grow from $2 billion to more than $5 billion in 2006. That's a very important increase in a short period of time. Definitly something for Microsoft to be worried about.
"Those who cast the votes decide nothing; those who count the votes decide everything." (attrib. Joseph Stalin)
IBM has gotten Linux certified
Correction -- they got SuSE Linux certified. This only applies to SuSE. Incidentally, it cost them $500,000.
Linux got the highest rating possible
No it didn't. FUD. According to this story...
Linux was certified as providing only "low to moderate" security, compared with the same group's certification as "moderate to high" last year of the security of Microsoft's Windows 2000 software. Supporters said Linux software was under testing for better-security ratings.
In fact, I'd suggest people look at the story in the Inquirer linked above -- it gives a little more information as well as some light commentary.
The government would have to buy a trusted operating system that meets the common criteria.. for example, Microsoft Windows 2000. Yes, it is certified too. Let's not start sucking each others dicks on this just yet.
It's still good to see Linux get this certification though. It's another step towards displacing Windows.
Don't anthropomorphize computers, they don't like it.
Linux was certified as providing only "low to moderate" security, compared with the same group's certification as "moderate to high" last year of the security of Microsoft's Windows 2000 software. Supporters said Linux software, whose popular mascot is a penguin, was under testing for better-security ratings.
I would guess that IBM wanted to go for the faster, cheaper rating first and wait to get it certified higher. Common Criteria testing is expensive and time-consuming. It isn't a statement on Linux, it says more about how much got spent this time around.
if you're curious about some of the history of microsoft and the certication of windows for government work, click here, and look elsewhere for the story of ed curry. its been linked to here on slashdot before.
if you want to know more about what the eal4 certification that windows 2000 sp3 currently has, click here.
...vividly encapsulates that post-Watergate/pre-punk/coked-up moment when you could trust no one, least of all yourself.
I'm not sure that the government adopting OSS is such a good idea. I mean when something doesn't work who is held accountable? Linus? Alan? ...?
At least with proprietary technology there is the promise of accoutability [*] in the product.
[*] Yes I know this would mean Microsoft. DA damnit!
Tom
Someday, I'll have a real sig.
Well, look at it this way. If you couldn't, trying would be futile. Sorta like trying to get water/blood from a stone. But, with linux certified, saying that you will not even have one supporter of linux in gov't just got a little unreasonable.
You have big corps like IBM, HP and Dell saying, "it's ok."
You have many countries saying "It's ok, see?"
You have the US (via certification) saying "it's ok."
Seems more unreasonable to say it will never happen every other day.
-
ping -f 255.255.255.255 # if only
After all, Microsoft has got a pretty firm hold on the burecrats in charge.
When you've got them by the balls, you don't need to hold all that firmly.
The price of freedom is eternal litigation.
Even the greediest government agency has to operate within budget, after all. And in the US military, budgets have held mostly constant while obligations associated with things like war-fighting have gone up, so your non-combat line items get shrunk to make up the difference.
Welcome to the Panopticon. Used to be a prison, now it's your home.
This will carry a lot of weight to any argument with a PHB or similar.
J.
You're only jealous cos the little penguins are talking to me.
The fact is that developers can now start recommending Linux. Anti-Linux / Pro-Windows people can no longer use the excuse that Linux isn't an "approved" OS.
Surprisingly, it can be hard to convince most people in government positions, civil service, military, contractors, etc., that _we_ don't want to pay for Window's licenses, and _we_ don't always need to spend waaayyyy too much money on waaayyyy too much hardware.
This is great news for people that work for the government. Kudos to IBM for footing the bill on this, as it is an expensive process.
Take it easy? I'll take it anyway I can get it . . .
Being that Linux is ever evolving and in a constant state of change, wouldn't that mean constant recertification ?
Well IBM is a force to be reckoned with as well. In some ways a little more then Microsoft. Especially in New York State, where almost all the agencies use IBM products. But it was IBM who brought Microsoft into the mainstream. And they can probably bring Linux into the mainstream. It will not be an overnight adoption but a gradual one.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
If Linux only got Low2Moderate - and Windows2k got Moderate2High. Are there any off the shelf OS's that rank equal or better to win2k or is Windows2k the only one out there? Thinking of all the security breaches in Windows2k a Low2Moderate score does not impress me nor does Microsoft when it comes to Security.
Just because the government can consider buying Linux, doesn't mean it will.
Correct. And it's true that no one ever got fired for buying Microsoft.
But much of the Linux deployment in government up to this point has been precisely because it can be had for no official government expenditure. It's always harder to get money for projects than it is to get money to keep your existing people. Those people have been doing some testing of Linux.
Shoestring Linux projects have proven themselves to be not only cost-effective, but generally reliable and useful.
Given that prototype testing already in place, authorizing incremental purchases to add on to that base of Linux functionality is an easier decision than if were made cold, without any evidence to support.
"Provided by the management for your protection."
Linux got the highest rating possible
The highest rating for linux is Bill Gates using it (secretly at home)!
I want my karma, and I want it now!
Now as windows advocates were forced to admit, a security rating is about as useful(/useless) as a TPC-C benchmark. It's a test under controlled circumstances and the real world is never this controlled - but it does compare apples to apples. No serious advocate of either would blindly consider the other to be utterly secure or unsecure; but I think the /. editors have jumped the gun both factually (it's not the highest rating possible, it's the lowest rating possible) and enthusiastically. I mean, would this story have made it if the headline read "Linux finally achieves a security rating lower than Windows 2000"?
Windows XP and 2003 are currently under testing but it takes time so please don't reveal your ignorance by announcing that Linux must be more secure than either of those since they haven't been certified yet. XP is every bit as secure and more than Windows 2000 and 2003 is far more secure than any other Windows release. That they'll be certified is not a question but just a matter of time.
Flame away - the karma rating here is meaningless as it's nearly effortless to get "Excellent" and maintain it.
Excuse the pedantry, but doesn't this mean SuSE running on IBM boxes got certified, not Linux per se?
--
This sig is inoffensive.
*BSD might as well be dead to the commercial and government enterprises. Until you see the likes of Dell and IBM slapping FreeBSD on their shiny metal systems, your run-of-the-mill IT buyer will still regard the OS as something whose name simply rings a bell or is the answer to an IT-related trivia question.
I work at a gov't site. We have plenty of systems in production and dev environments running Linux, in part because the project managers were able to use the Dell fed contract to get those servers with Linux. So, Linux is recognized by those buyers as a legitimate OS for business use. I can certainly slap SomeBSD on those machines, but whoops, the Oracle vendor said Linux was good, but not this SomeBSD.
When BSD is embraced by top-level vendors, companies will consider it.
So long, michael. Don't let the door hit you...
Supporters said Linux software, whose popular mascot is a penguin, was under testing for better-security ratings.
WTF does Linux's mascot have to do with being under testing for better ratings? Is the reporter trying to convey the impression that Linux is isn't serious business since it has a cute mascot instead of a corporate logo?
Wrong place in the article to put that bit.
According to the press release the certification covers the `SuSE Linux Enterprise Server 8 on IBM eServer xSeries', i.e. a specific SuSE product running on a specific family of servers. And nothing else. Read also this bit.
No one gets fired, true. The powers that be simply move in a Unix admin and eliminate the Windows guy's position.
I speak from experience, on the good end of the shotgun. Unix guys can do Windows, and oh so much more.
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
1) CC != Security, CC == Trust. EAL2 is close to the lowest level of evaluation and if my recollection of the eval levels is correct (it's been a while), EAL2 basically says that somebody somewhere might be able to find the documentation behind all the code if they went looking for it. Win 2k got EAL4 which is a full code and documentation review.
2) When you put a product into CC you define a protection profile, the weight and value of the evaluation is based upon the complexity of that profile. It would be useful to see the profile for this eval. It is possible (in theory at least) to get a product through CC by defining a profile that outlines what happens when you click on the "Red Hat". The more you exclude the more quickly you get through the process, but conversely the less interesting the evaluation is to government.
3) For those of you that feel this steals a march over WinXP, be aware that WinXP is in evaluation and the protection profiles that it is being evaluated under are public. Microsoft are doing a far more extensive job with XP than IBM did with Linux. When a Government procurement organisation comes to buy product, even for systems classified as SECRET, the fact that a product is in evaluation is generally enough, this is certainly true outside of the US.
Don't get me wrong, this is a great start and will certainly spread a lot of marketing fud but it does not mean a great deal to the government community. If anything it will raise a series of questions about why Microsoft's so called 'in secure' product can achieve EAL4 when the Open Source Linux offering can only scratch through EAL2.
Tread carefully.
Nope, we won't slashdot Yahoo. But we may slashdot their rating system :)
There's that "Rate This Message" on the bottom. Just everyone pick "5" and the news will make to the "highest rated" and possibly to top headlines of Yahoo news.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Very true that it got C2 certification, but if I recall correctly only when external drives where removed and the PC was not hooked up to a network.
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
"They invented the game and probably patented it as well."
Yeah? Well, Amazon patented Patenting...
I'm not sure what it means by the "higest rating possible," but I do know that Level 2 security clearance is what you need in order to take orders and be a real DoD contracter. This is the level that I believe Raytheon's ICCC division (the ones that program the missiles) and other companies such as Boeing work on. The divisons themselves have to be certified in order to work on projects, and since about last year the gov't has started to push their contracters to do this, it makes sense that this finally happened.
This doesn't really open the way for other companies to use Linux, I don't think, but perhaps this will get other compeanies to do this as well. More competition can't hurt, right?
"Time is long and life is short, so begin to live while you still can." -EV
Principally he is right though... Linux will never and can never get EAL4, with a decent protection profile, as it currently stands. You would have to go back and document the development process for each and every component in the OS. Accounting for the activity of all the contributing developers. On the brighter side... there is talk of changing the CC process to better suit the OSS world.
Linux received it's evaluation at a level of EAL2; according to the CC guidelines, this is "structurally tested" and means that it should "not demand more effort on the part of the developer that is consistent with good commercial practice"; applicable where "a low to moderate level of independently assured security" is required.
Windows 2K received an EAL4+, according to NIAP's evaluated product list; which is *supposed* to show it was "methodically designed, tested, and reviewed". This is probably about on par with the old Orange Book (TCSEC) C3 it used to have. EAL4 does "not require substantial specialist knowledge" and is the "highest level in which it is likely to be economically feasible to retrofit in an existing product line." It's intended that an EAL4 system shows "low-level design for the Target of Evaluation (ToE)"; with testing that supports "independent search for obvious vulnerabilities."
That being said, having an EAL2 or EAL4 will probably not get you into a job that involves holding classified data.
All of this is accessible from , the CC website.
This announcement means only one thing. IBM would not have gone through this trouble unless there were a few large contracts (DARPA/DOD) that will underwrite the expense in the future. Think I'll buy a few more shares of IBM stock today.
"Curiosity killed the cat, but for a while I was a suspect."- Steven Wright
secure on hardware X, and software Y
Isn't X software though?
(cue rim-shot)
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
IBM probably started the process years ago. Note that it's only the IBM/SuSE distro that's certified (I'm guessing). Other companies should probably look into it. The article doesn't say how much it cost IBM, but I bet it wasn't cheap!
One line blog. I hear that they're called Twitters now.
I agree with you on that. As the requirements for EAL4 certification stand right now, it's quite true that Linux would not be able to qualify. However, the reason Linux doesn't qualify shows exactly what the problem is with his argument that Linux is less secure somehow because it doesn't have this certification: Linux is not unable to achieve EAL4 because of a lack of technical merit or actual real world security, it's because of a *technicality*. While documentation of the development process is, I suppose, necesary for closed source operating systems to prove certain standards of programming, the fact that you can actually *look* at the source code in OSS projects lessens the neccesity of this aspect for that type of projects. If I can look at the code and actually see that, for example, the password authentication routines are secure, then does it matter if the actual programming was done by a highly regimented team of programmers using a compartmentalized programming methodology, or a lone college student working from his parents basement while munching cheetos? The resulting code and its security is what matters, not so much the development process used to arrive at this code.
:) So here's hoping that the talk of changing the CC process to take OSS principles into account more moves from beyond mere talk to some action.
At least, that's *my* humble opinion.
"Two things are infinite: the universe, and human stupidity. And I'm not sure about the first one." - Albert Einstein
The terms CC and "security" should never be used in the same sentence, CC is not about security it is about trust.
I think what this means is that they can pick Linux and have a piece of paper supporting their choice. Got to cover their own backs I guess.
Better still the Defense Information Systems Agency is recommending that any Linux purchase support the LSB and that apps be written to the LSB.
So, not only is it now easier for government agencies to support Linux deployments, but they are going to force any Linux distributor doing business with the government into interoperability.
do the tests themselves work. Unfortunately, a lot of stuff in the computing world revolves around windows - so it could be a matter of adding criterium to the test based on what windows does or "is supposed to do."
It's one thing to say "Operating System A this this security feature while Operating System B does not", but it's a moot point when the way in which System B operates makes such a feature unnecessessary anyways, or if there's a better/different way of doing it that isn't written on a sheet of paper.
It is great that Linux has been evaluated using Common Criteria, unfortunately there will not be a whole lot of Government agencies lining up to buy it. The standard for classified material is C2/EAL4 regardless of classification. Since Linux does not have the extended auditing that commerical Unix and Windows NT/2000/XP has, it will never get above EAL3. What I would like to see is the the Hardened Gentoo box evaluated under CC (www.gentoo.org/proj/en/hardened). I logged into this box and could basically do nothing (as root)! It uses NSA's Security Enhanced Linux and a variation of Role Based Access Control. This machine will pass muster! I can't wait for the day Linux gets EAL4, but I don't think that is coming too soon.
All this rating does is open the door a little. It's up to the marketing boys at IBM to bludgeon the pencil-pushers into submission.
Claiming some sort of "victory" for GNU/Linux as a whole is silly. This is another step in the right direction.
As GNU/Linux has become more utilized, it has attracted the attention of powerful (and some incompetent) enemies. Be careful what you wish for! GNU/Linux, by its nature will never present a unified front to defend itself. By binding the interestes of users to the interests of parties with power, we improve the chances that things will go our way.
"Reality is that which, when you stop believing in it, it doesn't go away." - Philip K. Dick
First of all in case you missed it: SuSE Linux running on specific IBM hardware is certified at EAL2. Win2000 was certified at the much higher EAL4, but only under some fairly restrictive circumstances.
Now realistically, EAL4 IS a restrictive certification! Trusted Solaris8 is EAL4 certified. Most default Unix installs might barely pass EAL2. What good is it then?
Read the C|Net article and you'll find that IBM is pursuing EAL3 and EAL4 for SuSE Linux next. That's a Good Thing, for any number of reasons, not the least of which is being able to sell to defense contractors for secure (but not secret or top-secret) level requirements.
Practically speaking though, the different levels, while increasingly restrictive, aren't a scale of security goodness. They serve different effective purposes. Do you WANT an EAL4 system on your desktop? Probably not. Do you want it in your server room? There's a good chance, yeah. Do you want an EAL7 system for anything at all? Unless you're the NSA, probably not. This is an OS designed from the ground up with peer review at every stage (architecture, design, implementation) and independent verification on top of that. It is utterly restrictive--you wouldn't be able to put a web browser on an EAL7 system (or more to the point, you wouldn't be allowed to write and install one for the system without breaking the certification). This is the software that runs the shuttle and nuclear bases.
So basically, let's quit this damned pissing match. EAL2 is good for some things, EAL4 for others, and so forth.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
Jonathan Shapiro wrote a great article analyzing the Windows Common Criteria certification; much of it applies to Linux as well. Among other things, it explains why Windows can get certified even with its remote root exploits: "An EAL4 rating means that you did a lot of paperwork related to the software process, but says absolutely nothing about the quality of the software itself. There are no quantifiable measurements made of the software, and essentially none of the code is inspected."
I speak from experience, on the good end of the shotgun. Unix guys can do Windows, and oh so much more.
Dunno. I've met MCSEs that would never be able to navigate an Xterm, and Unix zealots that think Win2K is equivalent with W95.
Running a large Windows network properly does require knowledge and experience, and I'm not convinced that most *nix admins would be able to do the same without at least half a year of training (but a typical *nix admin would probably learn the Win fundamentals faster than the other way around).
If J.K.R wrote Windows: Puteulanus fenestra mortalis!
Nope.
Litigious bastards
US military, budgets have held mostly constant
Which US are you talking about? In the United States, we're spending $48 Billion more this year than last. That's the "largest rise in US military spending in 20 years". Don't be fooled, the Pentagon has plenty of money.
Haha, what I submitted was still in my paste buffer 12 hours later (Yeah nerds do sleep).. This story according to CNN counterdicts what the main story says. Linux only got a rating for low to moderate security not the highest security.
In a article on CNN it is reported that the Common Criteria organization, an international technology standards body, certified Linux for the first time on "mission critical" computers, including those in America's top-secret spy agencies and those used to deliver ammunition, food and fuel to soldiers.
While only certified for Low to Moderate security Linux is still under testing for higher security ratings. IBM says this is good since it gives them a footing in a area that has been dominated by Windows sales. Of note is the fact that IBM paid over $500,000 for testing and was also supported and jointly by SuSE
This isn't strictly correct.
Windows 2000 has a "CAPP/EAL4" certification, not "EAL4". The CAPP part means that the OS provides "a level of protection which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security". That means the certification becomes meaningless the moment you connect a W2K box to the Internet. It is not certified at all while connected to the net.
By contrast, Linux is non-CAPP "EAL2+" certified, even when connected to the Internet.
My complements.
EAL7 is the highest defined Common Criteria Evaluation Assurance Level. EAL2 is one of the lower ones and can be achieved by minimal documentation efforts. If one looks at the chart on page 54 of the Common Criteria Part 3 Security Assurance Requirements document, one sees that an EAL7 system would be analyzed in 25 areas where a EAL2 one would be analyzed in only 13. And even in the 13 areas that are common, there are requirements at the EAL7 level to do each thing much better that don't appear at the EAL2. What may seem like a minor wording difference between 2 requiremnets may take millions to achieve.
EAL2 does not require an exhaustive vulnerability analysis or penetration testing or a covert channel analysis as do those levels above EAL4.
I'm aware of only one OS aspiring to a greater than EAL5 level for a general purpose operating system, DigitalNet's STOP which is currently in evaluation, has been for 8 months and will be for several more months.
Acquiring that EAL5+ rating even for a operating system that previously received NSA's highest rating ever for a general purpose operating system takes several years and multiple million $, not the $500K quoted in another post.
The Govt procuring agency is responsible for assuring that the protection profile or security target that the OS was evaluated against is appropriate for the value of the data they are trying to protect and that the assurance level is also appropriate.
All an EAL2 does is allows the government to buy and to use Linux in the most insensitive areas. Surely three letter agencies would require much more than an EAL2.
For the original post to say "highest" is to say the writer misunderstood the significance of the IBM announcement.
The biggest thing to remember about the CC is that the level rating is relatively meaningless without considering the protection profile. The problem is vendors don't readily tell you the protection profile they use.