Red Hat Pushes For CC Certification By Year's End
Ridgelift writes "This article indicates Red Hat Linux is about to receive certification under the Common Criteria (CC) Scheme worldwide. This has been a long road for Red Hat, and 'once successfully certified in the UK, Red Hat products will be recognised as certified and approved by information security agencies from all 19 countries participating in the Common Criteria program.' This means Red Hat will sit alongside Sun Solaris, HP-UX and IBM's AIX."
This means Red Hat will sit alongside Sun Solaris, HP-UX and IBM's AIX
Red Hat will also sit alongside Windows 2000, which also has Common Criteria certification. See the press release:
http://www.microsoft.com/presspass/press/2002/oct02/10-29CommonCriteriaPR.asp
Remember... ZG9uJ3QgZm9yZ2V0IHRvIGRyaW5rIHlvdXIgb3ZhbHRpbmU=
we will never see Debian get this
meridian at tha.net
Does anyone know if SuSE/Novell is pursuing this same certification?
We're looking to use it in some places, but weren't able to think of it until we found out it was going through certification.
It mightn't mean much to some places, but for government organisations, it's a big step to getting it in more places than just using it for "development toys".
This is another way of legitimizing Linux in the corporate world. Despite Red Hat's recent business decisions, overall this is a very strong/smart move for all Linux users.
you can read about the Common Criteria here.
Unfortunately, the other site has been shut down.
I want to drag this out as long as possible. Bring me my protractor.
I know I ramble on about a lot of things here so here is another rant. Is it me or are certs like so blown out of proportion it's not even funny? Don't get me wrong, I think they have their place somewhere, but as for counting on someone certified to actually have a clue is an altogether different case.
For those on mailing lists (I'm on isp-lists*, sec*focus*, nanog, sunmanagers, etc), how many times do you see someone with a sig with all their grewvy certs asking dumb assed questions that any good sysadmin/secadmin/network admin could answer? Come on I know I'm not the only one. I've seen plenty of people in the industry with certs galore who didn't know squat, I've read about CCIE's who didn't even know the command line syntax to null route.
Maybe I should pick up the books and just take my certs for the hell of it, but I see no need to. I make money, and haven't had problems with anything. If I need something done and I don't know, then I'm learning it for my own sake immediately. I've never felt the need to get a cert, so am I rambling on... Or... Are certs like soooooo yesterday?
MoFscker
at least linux-inclined sysadmins working for companies (who require too much of a product) will be able to select a linux variant without too-much-persuading their bosses. that is a biggie, i think, for a considerable number.
Red Hat couldn't have pulled this off without technology stolen from SCO. It's a known fact that SCO owns IP on everything that makes linux useful.
drip...drip...
Excuse me, I've got sarcasm dripping from my chin...
One more useless qualification-paid-for-sign-dotted-line.
;-)
People should really get it through their skulls that this is not going to help and that talent may not be in their brokerage system already when looking for it (and so they miss out).
One more example of commodifying the _wrong_ thing. Can pay in the short term but ughugh the longer term....
When something happens, formalizing it usually means restricting it from "just" happening further. Mkay
From the original February discussion. This has even more relevance now. ...
"The Common Criteria, ..., grades products based not only on their security and reliability, but also on the development and support processes that ensure quick responses to problems."
Does that mean that the US Gov. will be officially saying that the Kernel development model is OK ?
RHEL is getting certified at EAL2, which is really weak.
Even the Windows 2000 EAL4 certification only protects against "inadvertent or casual attempts to breach the system security." No real security here. For more info, read Jonathan Shapiro's article.
KungFUnix proudly introduces CUP, Certified Unix Pimp certification. Now you too can study and memorize 50 common criteria books we select and get kickbacks from in order to achieve your goal of adding the word CUP to your signature.
NO EXPERIENCE NEEDED!
That's right act now and send us 2,000.00 (US), and we'll gladly present you with information on obtaining this new and exciting certification. So what can you do with a CUP certification:
- Impress your clueless CTO
- Impress friends
- Add the word CUP to CCNA, MCSE, or CISSP
- Use the cert for a dustrag
- Smoke a doob with the cert
*shrugs* Certs, who needs 'em.
MoFscker
I was just wondering whether or not other distributions can use the work that RH is doing to get a "common Common Criteria" effect. After all, they are all using the same Ring 0 piece, being the Linux kernel. After that, it should just become a matter of configuration verification...
And with the support that Linux has gotten from the NSA, through SE-Linux, I would think a lot of the in-depth work on Linux has been covered.
--Storm
Since the discussion so far was so boring, let's instead wonder why RH is so eager to walk the "established commerce" path.
I'll tell you what their problem is: they're the first. The first always loses. They get to fight the hardest their own community, they get all the surprises boomeranged back to them, they just get everything first. Even if they don't really innovate. And _that_ is going to kill them. They don't know how to react any more (heck no one does) and so they jump back into corporate logic... which they were seen as being a counter to.
I don't know I don't have much love for them but neither do I have any hate towards them. But I feel that the 5th or so is going to be the one that matters 5 years from now. Heck it may be a BeOS clone or a BSD even so. IMHO, we're now at a point where armies die, believe it or not.
Footnotes are recorded right now.
Why are all these moronic offtopic cert bashing posts getting modded up?
The CC cert has nothing to do with CCIE, MCSE OR ANY OTHER OF THOSE!
Mod those tards OFFTOPIC. GET A GOD DAMN CLUE.
Yes, the MCSE is a joke and we're all so much smarter than those MCSE losers blah blah usual slashshit crapfest...EXCEPT ITS ALL OFFTOPIC.
A profile for the evaluation, and the assurance level to which you achieve that profile.
So if your profile is essentially "can boot" you can probably achieve that with a high level of confidence. All this talk of EAL4 is pointless unless you are told what the profile is.
In the best case, this only means that RH (and Windows, for that matter) could be used in a system carrying information classified at a single level, say, "secret".
In no (normal) circumstance would either RH or Windows be used to handle information classified at two different levels, such as secret and unclassified. If you want to do that, you need to use Trusted Solaris or some other evaluated "Trusted" operating system. Getting an evaluation for a system that can label information and keep different types of information apart (B1 or B2 in DOD Orange Book parlance) is a whole different ball of wax than what RH and Windows received (C2).
SuSE already have it.
Next question, will someone fund a community owned distro to get this certification?
(i.e. Debian etc.)
Expert in software patents or patent law? Contribute to the ESP wiki!
Speaking as someone who works for the government and knows exactly what a Common Criteria Certification is worth, why the hell do the Red Hat people think they're going to be major players by getting certified to EAL-2? I mean, seriously, *anyone* can get EAL-1, so they put just a tiny bit more effort (and dough) into it to get EAL-2, when competing operating systems like Windows and Solaris are EAL-4. No one is going to take them seriously with just an EAL-2. And that explains why it'll be done by the end of the year. And by the way, the CCC is a bunch of BS that tells you absolutely nothing about how secure a system is. For the government, it just dictates what you can and can't buy.
If you're talking about 'Longhorn,' then it's Windows 2007(/+).
...
I think I should add a 'You insensitive Clod!' here for the sake of 'fitting in.'
Edward@Tomato - /home/Edward/ man woman
man: no entry for woman in the manual.
"Qua!?"
Now that's distinguished company.
the main distinguishing characteristic being that almost no-one uses them any more...
Note that EAL2 is something that provides essentially no assurance of security. You can find details of this in Google's cache (www.commoncriteria.org is no longer alive).
What gets me is, if it's so expensive and time consuming to do this, why not go straight for level 4 certification? Unless it was unachievable... Vendors know ahead of time if they'll pass or not; all the criteria are there for the public to review. You don't submit until you are already sure you'll pass. Obviously Linux is not EAL 4 ready. Windows 2000 is not only EAL 4 but also augmented with ALC FLR 3.
Who is going to notice an effortless to achieve EAL 2?
No that was only released on punchcards and not updated after. It doesn't count anymore.
just kidding
Look, for the love of all that is holy, it's spelled HOBBYIST. Jesus Christ!
remember,it's yellow in the front, brown in the back.
dupe of this.
>> EAL 2 costs about $200-300k, and EAL 4 can cost around $1mil
Is this your next frontier? It certainly does not look very freedom-free to me...
> it isn't 'the Kernel development model' rather, the open
> source development model that they would be giving the ok for.
Actually, it's the "open development model". The term "OpenSource" was created in 1998. Before this, many Free Software projects used the open development model. Linux was the first big one, and its use of this model really took off in 1992.
(and anyway, they're not certifying a development model, they're certifying a specific box set.)
Think of it this way: lots of tech people get certifications such as CCNA, MCSE, etc. in order to get through the hiring process. The actual certifications may be meaningless in any number of ways, but the hiring people insist on them.
Now, think of this: RH, as a fictitious person (a corporation) needs to get this cert so it can get that cool job. They want to get hired for that big enterprise thing, since they've been saying, "Enterprise" a lot lately. The hiring manager(s) want to see that cert on their CV.
My conclusion? This is a very smart move for RH, and they should pursue similar avenues as the market dictates.
C|N>K
XP / 2003 are even more secure?
ha ha ha.
effortless? As I recall, ms struggled for years to get some sort of certification, and though they did manage to buy the cert, it really means nothing, as anyone who is plagued by the endless parade of microsoft worms & virii can attest.
and xp "even more secure" - that's hilarious - have you been living under a rock? I guess to be a good microsoft fanboy, you must ignore the nonstop microsoft security disasters that plague us all, and focus on the assurances of the ms pr campaign.
Good lord, where do they find these idiots?
What gets me is, if it's so expensive and time consuming to do this, why not go straight for level 4 certification?
It costs time and money to do this, and what for? All the 'trusted OS' systems have to be rigorously certified on specific hardware and with a specific version of driver, etc. This limits their usefulness. They lag the technology curve by a considerable amount of time. (For example, certification occurs on a 2.4.21 kernel, but if your newest network card requires 2.4.23, too bad.)
NSA has worked on securing Linux, but it is not to the trusted OS level. My personal opinion is that the only way to have a trusted network is to not connect it to other stuff; don't rely on 'trusted OS's' etc.
Another thing to consider is that a lot of these certification requirements by groups like the 'EU' are really just forms of protectionism. They raise the bar to competition. In many instances these organizations exempt themselves from the standards. Take ISO-9000 for example.
will someone please *off* the AC troll that's going on about the cert types? Yes, I *know* the diff, without even RTFA, and I *own* an original Orange Book. FWIW, the anti-troll ammo is on me for the next 12 Z
Security cannot be determined from simply doing a suite of tests, and determining that it must be secure if the tester was unable to break in. The biggest variable that affects security is the administration of the machines ... and this applies to all systems, BSD, Linux, Solaris ... and yes, even MS Windows. Even OpenBSD clearly states their history of security (note, they never claim that it is secure, only that it has been to a certain degree) is based on the default install. Change it in any way, and all bets are off.
Security is not a thing you can just buy. Likewise it cannot be an attribute or property of a thing you can buy (or download). Security is in how you go about every aspect of the way you work, and not just in computers and networks. Social engineering is still a very workable way to access what you are not authorized to access. Poor passwords are incredibly common, for example (spammers are now using password guessing successfully to log into SMTP AUTH and MSA mail ports to submit their garbage ... they already have your userid). People are the weak link.
So ... IMHO ... the Common Criteria Scheme is nothing more than a bunch of feel-good paperwork for PHBs. Unfortunately, it's what PHBs want to see, so vendors like Red Hat do need to play into this BS just to get some sales. But it doesn't tell you squat about real security.
now we need to go OSS in diesel cars
...here, look at the column under "Criteria". Be careful not to slashdot it - note the .mil domain ;)
fo shizzle
Now I have finally realized this. Red Hat is successful. How do I know this? Any company that gets bashed by Militant Nerds is successful in my book :)
i'm guessing that you can't. many certs and classifications the government doles out must be met in sequence. kind of like the SEI levels. this is only a guess, though.
for example, MS may have had EAL 1, 2, 3 on other systems and as such "qualified" to attempt a level 4 compliance.
The CC label is REQUIRED for some government computer work for which linux is perfectly suited, but until recently had to be passed up. We could use Trusted Solaris (yawn) or Win2K (barf). Then came SuSe, but we liked RedHat better. Now we will be able to have RedHat in the mix, which should keep things interesting.
It's not so much that the people who actually check the security care what OS it is... it's the people who approve the classification of information systems, etc. you know, pencil pushers, that give a shit about the Common Criteria cert on XYZ software.
I'm glad RedHat finally scrounged up some money from under the couch to remove this roadblock.
Fuck Beta. Fuck Dice
In the real world we keep score. Benchmarks are a way of keeping score. Market share is a way of keeping score. And CC certification is a way of keeping score. It helps separate the winners from the losers. That is the way things are. Always has been that way, and always will. Except of course in PC kindergarten.
CC certification is a good thing.
footnote: see Aesop's fable of the fox and the grapes for further insight.
OTOH, I guess it would not be a major problem for another vendor to go down this same path with Linux, as long as they can demonstrate a similar implementation process.
See my journal, I write things there
The biggest drawback is that they're getting certified in the UK! Even if they were to change and go for an EAL3 or better it would be illegal to use in the US for classified processing until it is tested by a US sponsored evaluator. Talk about your Catch-22's.
Are you some kind of retard?
as anyone who is plagued by the endless parade of microsoft worms & virii can attest
I want to lodge a complaint with Microsoft. I've used Windows XP since it went to release candidate and I've never had an endless parade of Microsoft worms and virii, and frankly, I'm pissed about it. I love parades! Especially when the virii get dressed up as cartoon characters. But all I got was one shitty worm that didn't even bother painting its face. Ripped off!
If you've been plagued by the "Microsoft" virii going around then I've got a hint for you: don't execute those files called "SomethingInteresting.doc.exe" that RonaldMcDonald55832@yahoo.coxlkkk sends you. That bastard is so dishonest!
You dont really work on servers, do you?
Manipulate the moderator system! Mod someone as "overrated" today.
The KDE.org folks can leverage this to get Kommon Kriteria certification...
For an OS like Linux, that's always changing and evolving, how relevant is a Cert of this nature? In an OS like Windoze, where there are very little (or far and few) feature updates between fairly long drawn out release cycles, one can understand that each version being certified can mean something.
It is extremely time consuming. The main problem for Linux will be the requirements of documentation and development.
For example, EAL4 requires a "Developer defined life-cycle model". That just doesn't merge well with Linus' approach of "when it's done".
Assorted stuff I do sometimes: Lemuria.org
You hit the nail on the head there - unfortunately it seems no media has even attempted to understand the basics of CC, when reporting on this...
A CC certification consists of two parts:
An "assurance level", and either a "security target" or a "protection profile".
A protection profile is a sort of a "standardized security target". A description of a number of requirements that you evaluate your system against. Whereas, a "security target" is something you yourself write, if you do not want to certify your system against an existing protection profile.
NSA has submitted protection profiles that are roughly equivalent to TCSEC C2 and TCSEC B2; the CAPP and LSPP protection profiles, respectively.
SuSE got an EAL-2 certification against some security target that they themselves wrote. This means, they are "fairly" sure that their system does roughly what's in the security target (that they wrote). Had they gotten an EAL-7, it would only mean that they were "very confident" that their system did what was in their security target. It would say nothing about the completeness or even relevance of their security target.
Some newer versions of windows got an EAL-4 against the CAPP. This can be seen roughly as equivalent of the old C2 certification.
Trusted Solaris also has an EAL-4. However, they have an EAL-4 against the LSPP, which means something roughly equivalent to the TCSEC B2 certification.
People, there is a world of difference between those two EAL-4 certifications!
One should note though, that NSA writes in the LSPP that it is not intended for systems that should be used in 'hostile' environments or even with malicious users. The internet, for example, can hardly be classified as a 'friendly' environment.
This is interesting, as virtually no systems that are connected to the internet today have anything even remotely resembling the functionalities mandated by the LSPP, not to speak about assurance levels...
Certification is not a question of technical merit; it's also based on a lot of paperwork as well as a lot of money that needs to be "given" to a certification laboratory that validates all that paperwork.
I've been pushing for a Debian CC certification myself, but it's not probable that this will come to pass unless it's sponsored.
You do have a Debian-derived product that is currently CC certified EAL4: Stonesoft's Stonegate (security target available at NIST's NIAP, the Common Criteria site seems to have been discontinued unfortunately). It is certified versus a firewall-specific Protection Profile, though, so it should not be used as a comparison metric against others that are certified against an operating system PP.
It is actually very relevant, if Linus is to achieve penetration into the DoD market. New govt policies (8500.1/8500.2) mandate the use of evaluated products if they exist in a category. In order to use Linux, an evaluated product is required (not to mention other hoops, such as JTA).
Daniel
Anyway, if you weren't totally ignorant, you would know that it is very painful to install any edition of Windows that currently ships without bug infested IE. You obviously failed even your Minesweeper Consultant and Solitaire Expert exam.