SUSE Linux Receives EAL3 Certification

prostoalex writes "Reporters from CNet News.com learned that SUSE Linux Enterprise Server received EAL3 certification, which allows it to compete with such certified operating systems as Windows (from Microsoft), Solaris (from Sun), HP-UX (from HP) and AIX (from IBM). Albeit all of the aforementioned OSs have EAL4 certification, Evaluation Assurance Level 3 allows SUSE Linux to be considered for a range of government and military tenders. Red Hat Linux is expected to receive EAL2 certification any time now."

GNAA Announces acquisition of SCO

GNAA Announces acquisition of SCO
By Tim Copperfield
New York, NY - GNAA (Gay Nigger Association of America) today announced acquisition of The SCO Group for $26.9 million in stock and $40 million in gay niggers.

GNAA today announced it has signed a definitive agreement to acquire the intellectual property and technology assets of The SCO Group, a leading provider of Fear, Uncertainty and Doubt, based in Lindon, Utah. GNAA's acquisition of SCO technology will help GNAA sign up more members worldwide. In addition to developing new solutions, GNAA will use SCO engineering expertise and technology to enhance the GNAA member services.

"I'd love to see these GNAA types slowly consumed by millions of swarming microbes and converted into harmless and useful biochemicals." said an anonymous slashdot poster, blinded by the GNAA success in achieving first post on a popular geek news website, slashdot.org.

"This GNAA shit is getting out of hand. Slashdot needs troll filters. Or better yet a crap flood mod that I can exclude from my browsing. Seriously, a good troll is art, what you dumb fucks are doing is just plain stupid." said spacecowboy420.

macewan, on linuxquestions said "Thanks for that link to the SCO quotes page. My guess is that they want to be bought out. Hrm, think they want GNAA to buy them??"

After careful consideration and debate, GNAA board of directors agreed to purchase 6,426,600 preferred shares and 113,102 common shares (the equivalent of 150,803 ADSs) of SCO, for an aggregate consideration of approximately US$26.9 million and approximately $40 million for gay niggers that were working in Lindon, Utah offices of The SCO Group.

If all goes well, the final decision is to be expected shortly, followed by transfer of most SCO niggers from their Lindon, UT offices to the GNAA Headquarters in New York.

About GNAA
GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the first organization which
gathers GAY NIGGERS from all over America and abroad for one common goal - being GAY NIGGERS.

Are you GAY ?
Are you a NIGGER ?
Are you a GAY NIGGER ?

If you answered "Yes" to any of the above questions, then GNAA (GAY NIGGER ASSOCIATION OF AMERICA) might be exactly what you've been looking for!
Join GNAA (GAY NIGGER ASSOCIATION OF AMERICA) today, and enjoy all the benefits of being a full-time GNAA member.
GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the fastest-growing GAY NIGGER community with THOUSANDS of members all over United States of America. You, too, can be a part of GNAA if you join today!

Why not? It's quick and easy - only 3 simple steps!

First, you have to obtain a copy of GAY NIGGERS FROM OUTER SPACE THE MOVIE and watch it.

Second, you need to succeed in posting a GNAA "first post" on slashdot.org, a popular "news for trolls" website

Third, you need to join the official GNAA irc channel #GNAA on EFNet, and apply for membership.
Talk to one of the ops or any of the other members in the channel to sign up today!

If you are having trouble locating #GNAA, the official GAY NIGGER ASSOCIATION OF AMERICA irc channel, you might be on a wrong irc network. The correct network is EFNet, and you can connect to irc.secsup.org or irc.isprime.com as one of the EFNet servers.
If you do not have an IRC client handy, you are free to use the GNAA Java IRC client by clicking here.

About

Re:GNAA Announces acquisition of SCO

GNAA Announces acquisition of SCO

'k, but what about sex?

You have a Schniedelwutz?

Certification

Certification. What's it all about? Is it good, or is it whack?

Re:Certification

If there is anything in this world that is on teh spoke, it is certification.

Re:Certification

Don't sell yourself short, sir. You are also on teh spoke.

certifications

As a well-known expert in the field of cyber-security, I can tell you that certifications are very important.

If SUSE wants to be taken seriously, they need two things - they are going to need a C2 certification, and they need an audit of their source code by experts.

Re:certifications

they need an audit of their source code by experts

Bullshit. Just get 100 dirty gnu hippies in one place, give them access to an unlimited supply of Coke/Jolt and pizza and you'll have your code audited in no time.

Re:certifications

Just get 100 dirty gnu hippies in one place, give them access to an unlimited supply of Coke/Jolt and pizza and you'll have your code audited in no time

No, what you get then is a cum-stained carpet and a lawsuit for hosting homosexual orgies in a public building.

Re:certifications

As a well-known expert in the field of cyber-security, I can tell you that certifications are very important.

And as an utter nobody in the field of cyber-security, I can tell you that you'll have to start dropping the prefix "cyber" in order to be taken seriously.

Re:certifications

Ah yes, is "e-security" or "i-security"(sounds too apple-like) prefered?

I am certifiable

does that count?

SuSE would do better swapping the lizard for...

You just can't take Linux seriously when its fronted by losers like these. Would you buy software from them? I don't think so! You Linux groupies need to find some sexy girls like her! I mean just look at this girl! Doesn't she excite you? I know this little hottie puts me in need of a cold shower! This guy looks like he is about to cream his pants standing next to such a fox. As you can see, no man can resist this sexy little minx. I mean are you telling me you wouldn't like to get your hands on this ass?!

With sexy chicks like the lovely Ceren you could have people queuing up to buy open source products. Could you really refuse to buy a copy of BSD if she told you to? Come on, you must admit she is better than an overweight penguin or a gay looking goat! Don't you wish you could get one of these? Personally I know I would give my right arm to get this close to such a divine beauty!

Join the campaign for more cute open source babes today!

Re:SuSE would do better swapping the lizard for...

Ok, do you guys really think Ceren is hot, or is this some kind of running joke?

Ceren doesn't strike me as hot at all. You can do better.

Re:SuSE would do better swapping the lizard for...

[rob-fu]

Anything with a vagina and a pulse is hot around here. You must be new.

Re:SuSE would do better swapping the lizard for...

Anything with a vagina and a pulse is hot around here. You must be new.

Vagina and pulse optional.

Re:SuSE would do better swapping the lizard for...

[caluml]

I think it's the shiny outfits that do it for them.

Re:SuSE would do better swapping the lizard for...

GET TEH FUCK OFF OUR SITE, YOU MOTHERFUCKING GAY NIGGER FARGOTT!

# Impotent Stiff: Please try to keep poop on toilet.
# Try to suck other people's penis instead of starting new threads.
# Lick other people's anuses before posting your own to avoid simply duplicating what has already been said.
# Use a clear dildo that describes what you are about to do.
# Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments are encouraged

Re:SuSE would do better swapping the lizard for...

Yes, I think she is hot.

Tom

Certifications in current Job market.

[Chris_Stankowitz]

Regardless of what Mr. Bush had to say last night (State of the Union), the current job market is still all that bright for techies. I'd like to know, with the growing list of certs for linux which ones are worth it? Are the RH Certs worth it anymore/or maybe more now becase they dropped desktop solutions. Has anyone seen employers activley asking for these kinds of certs as many do with MCSEs, CCIEs, etc...?

Re:Certifications in current Job market.

[James+Youngman]

I'd like to know, with the growing list of certs for linux which ones are worth it?

But the EAL certifications cover the security of the system itself. Those certifications are applied to computer system products, not to people...

There's a description of the EAL certification levels in the at the NIST site which is linked to from the top-level article. The point about this certification from Linux's point of view is that it allows it to be cinsidered for various sorts of Government deployment, which often require EAL certification to a certain level.

Re:Certifications in current Job market.

which often require EAL certification to a certain level

your comment "to a certain level" is slightly misguided. DoD sales often require certification, but the level is not specified in any case that I am aware of.

Re:Certifications in current Job market.

[crmartin]

As one of the people who helped write the navy's book on evaluation, I'm afraid I have to tell you you're wrong. Going back to the old Orange Book (TCSEC), there are certain applications that require certification at particular levels.

Besides, this comment doesn't even make any real sense -- you can be evaluated at EAL 1, which is merely functional testing and offers no assurance at all.

Windows 2000 is EAL4, but...

[quigonn]

...you're only allowed to install a certain version of Windows 2000, with servicepacks up to a certain number, and one hotfix. No other servicepacks or hotfixes are allowed. Extremely ridiculous, especially when you have a look at how much software comes with SuSE (a lot!) and how much comes with Windows 2000 (virtually none!).

But I'm still waiting for a certificate for some SELinux version. Since EAL4 is the highest level where it's still feasible to build the demanded security into it, hardly any normal "customer" operating system will achieve a higher level. But SELinux has been designed for security since the very beginning, and should be able to reach at least EAL5.

Re:Windows 2000 is EAL4, but...

[blowdart]

"you're only allowed to install a certain version of Windows 2000, with servicepacks up to a certain number, and one hotfix. No other servicepacks or hotfixes are allowed"

And it's the same with SuSE. If you look at the SuSE press release you will see that the certidication is limited to "SUSE LINUX Enterprise Server 8 with Service Pack 3". Next service pack arrives it will need recertified.

Also there's no way of knowing (that I can see) what extra software was installed. Sendmail? Apache? Or are we just talking a basic kernel and networking?

Re:Windows 2000 is EAL4, but...

[kmarius]

Also there's no way of knowing (that I can see) what extra software was installed. Sendmail? Apache? Or are we just talking a basic kernel and networking?

I don't know much about the EAL standard, but after a quick look at the previous certification(EAL 2), I think it probably includes all of the software.

Re:Windows 2000 is EAL4, but...

[jcinnamond]

you're only allowed to install a certain version of Windows 2000, with servicepacks up to a certain number, and one hotfix.

The same is true of EAL4 Solaris, and presumably also of SuSE. It wouldn't make sense to certify all versions and configurations of a particular OS, including service packs/patches that haven't yet been written. Take a look at how to set up EAL4 certified solaris [sun.com] to
see how specific the certification is.

But I'm still waiting for a certificate for some SELinux version.

I suspect cost plays a big factor here. I used to work for a hosting company and came across a customer who wanted C2 (kinda EAL3 equivalent) certified Solaris. We could do this, right up to the point at which they plugged it into the internet. To get their particular setup of Solaris certified would have meant involving a third party (CLEF) to audit the solution, and this would have cost quite a bit of money. In the end the customer decided to go with our explicitly uncertified "kinda like an EAL4 (CCAP) Solaris setup" with SSH (logging through BSM) stuck on the side.

The real problem with certification is that it costs money, so it needs to have a business driver. In the case of solaris they needed the certification to sell to banks etc. SELinux is unlikely to have a similar financial incentive to takeup.

Re:Windows 2000 is EAL4, but...

[Otter]

Next service pack arrives it will need recertified.

And, of course, it has to be that way. quigonn, if a product had a certification that claims it's secure no matter what changes you subsequently make, how much faith would you have in that certification?

Re:Windows 2000 is EAL4, but...

That is the nature of C2. You don't certify a product, you certify a very specific configuration of a product. Any change removes the C2 status completely. This is why Microsoft certified Windows 2000 under seven different configurations so that solutions could be tailored to a specific task and still meet guidelines.

Oh, and for comments involving security vulnerabilities automatically reducing C2 EAL, where would that leave Suse?

http://www.suse.com/de/security/announcements/in de x.html

Re:Windows 2000 is EAL4, but...

[blowdart]

Looking at page 16 of the PDF (they've turned cut and paste off) it's a very minimal distribution compared to what you or I would run.

Generally it's a shell, filesystem, a few g* programs (but note no compiler), encryption libs, mailx, curses, openssl & openssl, perl (although no version), sys*, telnet, textutils, vim, vsftpd, w3m, wget and yast stuff.

No apache, no sendmail, nothing fun :)

Re:Windows 2000 is EAL4, but...

Anyone who uses the phrase 'hook up' **MUST** be hanged.

Re:Windows 2000 is EAL4, but...

[moonbender]

No, not all software was tested. Page 15f of the PDF you linked to contains a list of packages that were installed - I can't copy/paste due to the stupid Acrobat Reader security. Let's just say the list isn't very long and does not contain either Sendmail or Apache. There's a guide available which seems to endetail how to set up the evaluated environment on your own server FWIW. (Note: IBM sponsored the SuSE Linux Enterprise Server = SLES evaluation.)

Re:Windows 2000 is EAL4, but...

[jonasmit]

There is security and then there is security features. SELinux is designed with specific security features in mind - the main one is a flexible way to manage access control based on the FLASK architecture. You will be able to implement, at the OS level, RBAC, MAC, & DAC. So, it is security enhanced but some of the enhancements are to facilitate the use of "better" access control mechanisms such as RBAC and DAC not just better code checking or something.

Re:Windows 2000 is EAL4, but...

[moonbender]

Oh and just to be clear, like the guy I replied to said, this all refers to SuSE's previous EAL2 certification - I don't know, but assume that it's similar with the current EAL3.

Re:Windows 2000 is EAL4, but...

First of all, before people guess around, look at the SUSE security websites. All the details are there:

http://www.suse.de/de/security/certification/ind ex .html

As you can see, the certified system does not run a webserver, but it runs SSH, Postfix, and FTP!

Also, the "+" in the EAL3+ certification means that at least minor bugfixes can be applied to the system without losing the certification status, because the processes of how these fixes are developed, distributed and applied have also been certified. At least that is what I understand.

SUSE is actively working on getting the EAL4+ certification.

Re:Windows 2000 is EAL4, but...

[Hektor_Troy]

Completely off topic, but your signature got me wondering.

>My hard drive is just a 5th-level cache between the CPU and the Internet.

5th?

CPU
L1 cache (1st level)
L2 cache (2nd level)
RAM (3rd level)
Harddrive (4th level) ...
Internet

What am I missing?

Re:Windows 2000 is EAL4, but...

"it will need recertified."

Do you live in the South or is this abomination spreading?

What you meant to say was "it will need TO BE recertified."

And the next person who tells me "this needs fixed" is going to get it! BANG! ZOOM!! Or at least a "yeah, and so does your grammar"...

Re:Windows 2000 is EAL4, but...

[PyromanFO]

Hard Drive Cache?

Re:Windows 2000 is EAL4, but...

[moonbender]

I wonder, actually... I think I had originally written 4th, but then another Slashdottee came along and convinced me it was the 5th. Hmm... hard drives come with a cache of their own (8 MB nowadays), figure that in and it works. =)

Re:Windows 2000 is EAL4, but...

[Hektor_Troy]

Well, yeah ... but not quite ...

The harddrive cache is PART of the harddrive. It's not like you can remove it or anything (unless you have some really weird/expensive/exotic/old harddrive).

Re:Windows 2000 is EAL4, but...

[moonbender]

Sure, but then again, that most certainly is also true for the CPU first and second level caches!

(My apologies for continuing this wildly off-topic discussion. ;) )

Re:Windows 2000 is EAL4, but...

Leave it to a yank to lecture someone British on the Queen's English.

http://dictionary.reference.com/search?q=recerti fied

Re:Windows 2000 is EAL4, but...

[plcurechax]

To make any sense of the various Evaluation Assurance Levels (EAL) you need to understand what the Common Criteria is, where it came from (US military InfoSec), and what it is trying to do - a standard for purchasing and implmenting military and government computer systems for classified or sensitive data. You also need the other half of the equation, the Protection Profile, what it is trying to achieve. There is a far greater focus on access control, and auditing than in your typically commercial computing setting. It is about assurance, not security.

The EAL has become a media sound bite, it is quick and easy to mention in 30 seconds, but does not tell you much on its own.

So you really need two bits of information, the Evaluation Assurance Level, 3+ in this case, which implies that they producted a lot of documentation about how SuSE Linux Enterprise Server version 8 with Service Pack 3 on IBM eServers (entire line from x86 and PowerPC series to zSeries mainframes) and in the end it meets the Controlled Access Protection Profile.

Common Criteria does not focus on failure, or how things breaks, but looks at how things are designed to operate. It does NOT look for implementation flaws in most EAL levels actually acheived.

If you do any reading on Common Criteria (CC) you will quickly realise that it has little to do with secure computing, but more with assurance that if you use a given certified system you will not be blamed for any security breaches because you choose the supposely correctly labelled systems.

If CC was more popular, maybe more software programmers would focus on good software design, because their designs have to be documented, and at high enough level, they must be independently reviewed. Good design, as well as using the available resources to eliminate classes of flaws would reduce security risks by several orders of magnitude.

Re:Windows 2000 is EAL4, but...

This is an American site. We don't speak the Queen's English. We speak American English.

Fuck the British, fuck the Queen and fuck you.

This is probably redundant, as you are likely to be British, and a queen.

Re:Windows 2000 is EAL4, but...

and yet you're using a Brit protocol to access said site.

You = owned

Re:Windows 2000 is EAL4, but...

[phoenix_rizzen]

Just like any other cache, you can disable the harddrive's write cache (except on those drives that only pretend to disable it). Depending on your filesystem, this can actually improve your data integrity.

Re:Windows 2000 is EAL4, but...

[inode_buddha]

IMHO it won't take too long to get an SElinux version because its in the 2.6 kernel.

Re:Windows 2000 is EAL4, but...

[Hektor_Troy]

yeah, I came to that conclusion myself about ten seconds after I posted it ...

didn't bother to correct myself, though, this being da intarwaep and all :-)

Re:Windows 2000 is EAL4, but...

No need to apologize friend. This thread was as interesting as the original "my dick's bigger - it's got EAL X cert." discussion. (I've actually wondered about your "5" once or twice myself - without piping up of course, being a karma whore and all ;) ).

Re:Windows 2000 is EAL4, but...

[Bishop923]

Depending on his processor, he might have L3 Cache, which would bump the HDD to level 5.

Yeah, right.

[Sarojin]

SuSE/Novell couldn't have pulled this off without technology stolen from SCO. It's a known fact that SCO owns IP on everything that makes linux useful.

Re:Yeah, right.

[fred87]

Wasn't this SLES version released before novell bough SUSE?

Re:Yeah, right.

[red+floyd]

Well SCO OpenDesktop 2, OpenDesktop 3 and OpenServer 5 were C2 certified. Maybe Darl actually will use Sarojin's argument?

Re:Yeah, right.

[Mr.+Slippery]

Well SCO OpenDesktop 2, OpenDesktop 3 and OpenServer 5 were C2 certified.

SCO also had a B3 certified product (called "SCO CMW+", IIRC). It sucked rocks, rather unstable, but at the lime I beleive it was the only B-level system available on x86 hardware.

Re:Yeah, right.

[red+floyd]

Forgot about that one! Thanks.

See, Darl *OWNS* all secure Linux. Maybe he'll sue the NSA over SELinux?

wic.....wic....

wack!

Chris cuevassy wack!!!!!

I'm not very impressed

If windows too can have this certification, it is clearly not very high standard. So, actually, this means *nothing*

I'm not impressed...

[mikkado]

If windows too can have this certification, it is clearly not very high standard. So, actually, this means *nothing*.

Re:I'm not impressed...

[citadelgrad]

Windows is only secure if you don't have any services installed or it is unplugged. ~WeRD~

Re:I'm not impressed...

[hendridm]

I know it's humor, but some services you can't turn off like the RPC service. :P

But, I guess it should be firewalled anyway...

Re:I'm not impressed...

[coopaq]

If windows too can have this certification, it is clearly not very high standard. So, actually, this means *nothing*.

Actually it means SUSE is getting better at handshakes and butt kissing business dealings. Something the Linux community is soarly lacking.

Reputation is everything for people and products!

Re:I'm not impressed...

[citadelgrad]

Slammer!!!!! Viruses are fun!

Klerck is teh whack! [n/t]

n/t

EAL 1-4 Descriptions

[peterdaly]

Evaluation assurance level 1 (EAL1) - functionally tested
EAL1 provides a basic level of assurance by an analysis of the security functions using a functional and interface specification and guidance documentation, to understand the security behaviour.

Evaluation assurance level 2 (EAL2) - structurally tested
EAL2 provides assurance by an analysis of the security functions, using a functional and interface specification, guidance documentation and the high-level design of the TOE, to understand the security behaviour.

Evaluation assurance level 3 (EAL3) - methodically tested and checked

EAL3 provides assurance by an analysis of the security functions, using a functional and interface specification, guidance documentation, and the high-level design of the TOE, to understand the security behaviour.

Evaluation assurance level 4 (EAL4) - methodically designed, tested, and reviewed
EAL4 provides assurance by an analysis of the security functions, using a functional and complete interface specification, guidance documentation, the high-level and low-level design of the TOE, and a subset of the implementation, to understand the security behaviour. Assurance is additionally gained through an informal model of the TOE security policy.

Re:EAL 1-4 Descriptions

The great thing about EAL is that it doesn't require any actual security/bug check review of the code, only that the project was fully documented in its design. So they evaluated the security functions. Great, I bet everyone else did, too, when they were developing them. But how many root holes are actually in the security functions? When I first heard of the EAL, I was hoping at least one level would be equivalent to the old common criteria of system design with formal proofs for ALL parts of the operating system. I imagine the bourocrats didn't like having a certification that no system could attain without dedicated hardware and such, but it provided a clear upper bound for security.

Re:EAL 1-4 Descriptions

[tiger99]

That being the case, I don't see how any Microtrash product would ever get even level 1. It would fail on the undisclosed or badly documented APIs for a start. But, reading these definitions, the whole thing is worthless because there is no INDEPENDENT review and only a subset of the junk is tested, even at level 4.

Best to stick to something where the security model is open to inspection, such as OpenBSD.

In any case, was the particular Win 2000 configuration which was tested not subsequently found to have serious deficiencies, hence the constant service packs, which you can't actually install?

This stupid certification does far more harm than good as it makes users think they are secure when as a matter of proven fact they are not.

Re:EAL 1-4 Descriptions

[winchester]

The EAL description levels in itself are interesting, but you should take the protection profile in account with the evaluated operating system. If you look at all evaluated operating systems, you will see that they all use the Controlled Access Protection Profile (CAPP). This PP assumes certain things about threat levels, for instance no malicious administrator and no malicious users. Therefore, the PP is quite weak. This is the PP that has been used to evaluate WIndows 2000, for instance, but other operating systems as well. I haven't seen the ToE (Target of Evaluation) for SuSE, but i expect it to be close to the CAPP as well.

A totally different PP is the Mandatory Access Protection Profile. This PP is based on mandatory access controls, of which the SELinux kernel extentions are an implementation. (Reality is far more complicated, but for now this explanation will do). The MAPP is a far more stringent PP, therefore the number of evaluated operating systems is far lower.

These PP's, along with specialized PP's for firewalls, databases, crypto devices et cetera can be found on the NIST website, if anyone would care to read them.

As noticed already by several people, a certain EAL is for a certain version of the operating system, with certain services installed, on a certain hardware configuration, thus its real life value is limited. However, given the fact that several organisations only procure ICT products that have undergone Common Criteria evaluation, this is an important step for the deployment of Linux in that type of organisation.

The Open Source Problem

[Ianoo]

Certificates like this are going to become a real problem for open source software. There's no way a small distribution could get a certificate that costs many thousands of dollars to buy. There's certainly no way a single user who makes changes to his or her kernel could ever hope to achieve this kind of certification.

Hence all the hard work of the kernel developers, who provide their services for free in many cases, cannot be directly recognised. Instead some huge corperation has to come along and sponsor such certification. This just isn't right, IMO.

There's a much bigger issue here though, a threat from the future called Digital Rights Management and NGSCB. Who wants an operating system that will be unable to access secure web services because Microsoft introduces a protocol that requires a DRM-aware application running on a DRM-booted computer? Open source GPL'd Linux will never be able to obtain such certificates without massive corperate sponsorship from IBM, Novell, Redhat or whoever.

Even if it does, changing one line in my kernel and recompiling would invalidate it, locking me out of my legally purchased music and movies, and even things like my e-mail eventually (we're already seeing this with the restrictions that a sender can put on an e-mail in Office 2003. Imagine when this is part of the operating system and not easily circumvented).

Bullshit efforts certification efforts like EAL and NGSCB undermine and threaten open source and play right in to the hands of the major corperations. In today's world, the most important corperation producing operating systems is, you've guessed it: Microsoft!

This sort of thing plays right in to their hands. They're undermining the free work of all the thousands of Linux and BSD developers effectively through the back door: by making open source software an unviable solution under the guise of security. Fuck them.

Re:The Open Source Problem

[imsabbel]

anyone who is able to support an installation that needs such a certificates should be able to spend that few tousand $.

Re:The Open Source Problem

[Ianoo]

You're missing the point. Not all of us want to buy Enterprise Linux to run DRM applications on our machines.

Re:The Open Source Problem

[Short+Circuit]

Well, that sort of support is part of the OSDL's charter.

Re:The Open Source Problem

[vsprintf]

Certificates like this are going to become a real problem for open source software. There's no way a small distribution could get a certificate that costs many thousands of dollars to buy.

So perhaps the powers that be in OSS should come up with their own certification (secure software?), with their own test regimen. It would be just as meaningful as any other cert.

Re:The Open Source Problem

[jombee]

I disagree. I do not believe commercial software security certifications are a threat to OSS as you suggest.

A valuable result of the certification process is assurance. The software security certification process is capable of providing a reasonable, varying degree of assurance to a software platform snapshot. The OSS community is capable of creating and performing security evaluations of OSS targets. It's a matter of motivation I suppose.

= jombee

Re:The Open Source Problem

[Thing+1]

Bullshit efforts certification efforts like EAL and NGSCB undermine and threaten open source and play right in to the hands of the major corperations. In today's world, the most important corperation producing operating systems is, you've guessed it: Microsoft!

There's gotta be some sort of certification guidelines for these certifications. I mean, companies aren't just going to fly in there blind and see what's wrong with their products -- that's wasteful. They'll likely get tons of documentation on what things are checked and why, giving them opportunity to improve their product prior to spending money on the certifications.

So if the requirements are spelled out for us, why not make a community-based effort to create a testbed for each level of certification? Then every developer could set up a spare system and have it run tests after they make changes. Yes, the complete testbed would probably take days or weeks to complete, but after having been completed once it could (dreaming, here?) scan the code and see which parts changed, and based on that, determine which tests need to be re-run.

The testing could also be distributed somewhat, using VMs in multiple hosts. Whether this be a single lab (OSDL?) or distributed across the Internet like SETI@home et al, it would decrease the time required to run through all the tests. (And of course there would have to be some sort of verification of the results, as well, so we don't have attackers corrupting the results like distributed.net saw a few years ago.)

Does This mean anything to anybody?

Am I corrent in assuming that this certificate has nothing to do with real security in a OS, but more to do with following some set guidlines created by some agency years ago about stuff like code review?

Re:Does This mean anything to anybody?

[Iorek]

It means something to me (I work with the Common Criteria daily), but you do have a point: the certificates don't mean much to the general public beyond being a license to sell to the U.S. government.

I'd just like to point out that, while the Common Criteria (CC) is based on the U.S. Trusted Computer System Evaluation Criteria - the TCSEC, a.k.a. the Orange Book - it's also based on the European ITSEC and the Canadian CTCPEC... It's an international standard, and a common language for the world's security professionals.

Similarly, the Common Evaluation Methodology (CEM), a companion document to the CC, is an internationally-recognized methodology for conducting these evaluations, so that a gov't dept. in France knows exactly what was done in this SUSE evaluation (after they read the security target, anyway) and can make informed decisions based on that. Don't discount this international market: the list of countries that recognize these certificates is growing every year.

Now, on the subject of real security, again I hear what you're saying. These products get certified up to EAL4 (the highest level recognized internationally... We haven't developed the CEM beyond it yet) and you see flaws published every week. I think a big part of this problem is discretionary security versus mandatory (or real, you could say) security. Yes, you can evaluate a set of security funcitonal requirements (e.g., identification and authentication, stored data integrity, etc.), but at the end of the day, if we're trusting the process that's acting on behalf of the user, things are going to go awry. If we can't set an overall policy, regardless of whose in control of the individual processes, are we really secure? In certain environments, yes. That's where the CC is helping today. On the Internet? It could! Really! Mandatory access control and other necessary components are there, in the CC, but no products are claiming them. So where does that leaves us? These products that are getting certified are not secure in the Internet environment, that's where. And forums like this one scoff at the standard, when it's not the problem. It can, and will, in the future, certify SELinux, which does implement real security.

Finally, I just want to mention that the CEM covers more than code reviews. That's certainly part of the development class (ADV), but there's also configuration management requirements, delivery and operational requirements, installation, generation and start-up requirements, guidance document requirements, life-cycle support requirements, testing requirements and vulnerability assessment requirements (that, admittedly, only cover threats of a low attack potential at EAL4... as I said, we've got a ways to go with the methodology before we can certify Internet-secure operating systems).

Do security holes reduce EAL levels?

[G4from128k]

It would seem that documented flaws in an OS should automatically reduce the EAL rating of that OS. Otherwise the EAL process is just a paper-pushing exercise.

Re:Do security holes reduce EAL levels?

[tjansen]

Actually it is even funnier: you can not update/patch your installation without losing the certification. So if an exploit becomes known for your OS you have the choice between either running an uncertified OS or running an OS with known exploits until the patch has been certified (which can take many months).

So in reality certified OSes are less secure than an up-to-date system. But whatever, it's certified.

Re:Do security holes reduce EAL levels?

[awkScooby]

I don't think that security holes reduce the EAL rating. If they were to do so, only holes that existed in the certified configuration should be considered. A security certification can't possibly tell you that a system is secure in every concievable configuration.

Any moron of a sysadmin can take a very secure system and turn it into one full of holes. Conversely, the best sysadmin in the world can't make a poorly designed system secure. A certification gives you, a non-moron of a sysadmin, some hope that you can lock a system down to a point where it's "secure".

As much fun as it is to slam Microsoft (hey, I do it all day long), it is possible to configure Windows so that it is pretty secure. You have to disable most all of the network services, but it can be locked down... The NT kernel itself was designed with a lot of good security features. Those DEC guys did a great job. Now if only the rest of Microsoft could learn how to design software with security in mind from the outset, and stop introducing "improvements" which make the OS less secure (tying everthing in the world to Internet Explorer, for example)...

Re:Do security holes reduce EAL levels?

[wkitchen]

That's a good point. But I wonder if the process of getting the certification, with whatever scrutiny and preparation that entails, might make the later uncertified patched versions better than they might otherwise have been simply by having been built upon a well-tested foundation. So, while religiously maintaining a system's certification is probably counterproductive, obtaining that certification in the first place might not be.

That's great

[Eric+S+Rayrnond]

It's good to see SUSE increasing security. It's even better seeing Linux become more viable for government and military uses.

But just 1 year ago, weren't we criticizing Windows for achieving EAL 4:

Microsoft has just received a Common Criteria certification for Windows 2000 at Evaluation Assurance Level (EAL) 4. Security experts have been saying for years that the the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this. What does it all mean? This paper suggests that Microsoft spent millions of dollars producing documentation that shows that Windows 2000 meets an inadequate set of requirements, and that you can have reasonably strong confidence that this is the case.

So which is it, Slashdot? I'm confused.

Is EAL worthwhile or is it an "inadequate set of requirements"? Is EAL 4 worse than EAL 3?

Personally, I'm suspicious of most certifications, from business to security. Usually, they're just a way for the certifying company (in this case Common Criteria) to make easy money.

Anyway, maybe we should just wait for Eros, which is supposed to achieve EAL 7 when it is fully implemented, due to it's powerful and secure design, better than both Unix and Windows.

Re:That's great

I guess it's flattering to be greeted by your own words when you click on a story, but it doesn't change the fact that this person, Eric S Raymond, completely plagiarized what I wrote a few months back on another desktop Linux story. He did go through the effort of changing my "Windows NT 4" to his "Windows 2000", but I'm not sure why he bothered ...

I wish I could prove this, but I can't list any comments beyond my last 24. Honestly, why would I accuse someone I don't know of plagiarism if it weren't true?

Shame on you, Mr. Eric S Raymond ...

Re:That's great

Well, _all_ Mr Raymond's comments are here: http://slashdot.org/~Eric%20S%20Rayrnond

I don't see any plagiarism, particularly about desktop linux. He hasn't posted much, maybe because people seem to have an axe to grind, probably due to his libertarian beliefs.

Re:That's great

[gowen]

But just 1 year ago, weren't we criticizing Windows for achieving EAL 4:

We? No. Follow that link. See at the beginning where it says "lewko writes". That means the section you quoted is the opinion of lewko. Not mine, and probably not yours, either.

Re:That's great

[peterdaly]

I just got a similar reply to my +5 post which lists definitions directly from the government spec. (I litterally added nothing to my post other than text from the spec.) I would expect Anonymous Coward didn't write the government spec. There are probably more of these posts from the same person or script.

Mods...please mod this (my) post down...I just wanted to point out this "plagerism!" guy is not only doing this to Eric's post.

Move along...nothing more to see here. :-)

Re:That's great

I realize you are probably a troll, and I'm posting anonymously because I will surely get flamed for this, but the problem is the "Slashdot double standard." See, if Linux gets an EAL3 certification, thereby decreeing it can be used in high-security government agencies, then Slashdot goes "WHOO HOO! YIPPIE! GO OPEN SOURCE! YAY TUX THE PENGIUN!" and whatnot. However, if the _same thing_ happens to Microsoft Windows (remember, all of Slashdot _hates_ Microsoft Windows because of Bill Gates' success in the business world) and Windows 2000 achieves an even _higher_ level of certification, an EAL4, then that's a real kick in the nuts to the Linux zealots on Slashdot, and they're all like "BOO BILL GATES! WINDOWS SUCKS! DON'T SUPPORT THE EVIL EMPIRE!" and whatnot. Personally, I run network security in a government research building, and the certifications _are_ useful, especially when presenting a new idea to the higher ups, be it Windows, Linux, Solaris, AIX or HP-UX (and we have all kinds here). So remember that next time, it's the "Slashdot double standard". Thank you.

Re:That's great

[Lochin+Rabbar]

It's a person a script wouldn't have misread RayRNond as RayMond. Trolls trolling trolls and idiot moderators sucking up to an imposter, isn't Slashdot great.

Re:That's great

[NotAnotherReboot]

I don't really see anyone on here saying that these specs made SuSE any more secure. The gist of it is that by having this certification, they can now compete for government contracts previously unavailable to them.

Companies have to jump through hoops to get some of these contracts; the requirements may be rediculous, but achieving the requirements to compete for contracts is still important none-the-less.

Re:That's great

[$ASANY]

EAL is certainly not the ultimate determination of a system's actual security, but right now it's the U.S. Government's (and a few other governments) standard. That standard really doesn't mean much outside of contracting with the feds. As far as indicating to non-government entities whether a product is secure or not, it's slightly better than worthless.

My company does a lot of professional services with DOD and some other agencies, and it's been a huge pain for me that linux wasn't certified under Common Criteria. If I set up something to demo to DOD that was running on a linux box, because it's easier and works better, it was immediately shot down because it didn't meet their standards. End of discussion. Once you get the certification you can play ball, but until that time you can't do squat. So now that we are in the game, you better believe the introduction of linux in the federal government is going to be a flood. I know of a couple of civillian agencies ready to take the plunge (more often than not replacing Solaris with linux, but some dumping of MS as well), and some DOD R&D has been with linux but not much production stuff is in place -- yet. The three letter agencies are interested, and EAL3 is going to make a big difference there.

SuSE probably hasn't "increased" security to make this happen at all, but simply paid the money and took the time to have one of the evaluating companies perform the certification tests. It described the installation method, the packages to be installed and the way the system would be managed, and the evaluating company ran the battery of tests for level 3 and certified that it passed those tests. Heck, given enough time and money SLES will comply with level 5, and the only thing keeping this from happening is the amount of investment SuSE, Novell and IBM are willing to make for this.

EAL really says nothing about the security of linux based systems, but is says a ton about how receptive governments will be to employing it. This is indeed good news.

Re:That's great

[shadowpuppy]

I'd say it's a semi worth while set of requirements. It serves it's purpose as a cover your ass by making the proper motions to proctect our military secrets. That means there are a bunch of paperwork requirements in addition to the actual requirements. Since it's easier for Microsoft to generate the needed paperwork, they have an EAL 4 while SuSE has an EAL3.

In a way comparing military security requirements to corprate security requirements is like comparing Apples to Oranges. They have much more control over how the computer interacts with the world than we do. They also consider having it guarded 27/7 feasible.

Re:That's great

You're speling si rediculous.

Re:That's great

Shapiro's claim that 'Eros achieves EAL7' is, without a PP or ST to define the security functionality to be checked, an empty claim.
And even with PPs relevant for OSes, it is still very dubious that the Eros development team can show the needed formal specifications, proofs and documentation, to say nothing of the high requirements on the development process and environment.
In other words: put up or shut up.

Re:That's great

[hackstraw]

I never busted on Windows for being EALed. I will say that Windows and other OSes have much more robust auditing than Linux, and that has been a big deterant from government certifications with the Linux OS.

One thing that I think is interesting to note is that a _company_ providing a specific _distro_ of Linux is being certified here, not Linux proper. The company and specific distro thing is important because it shows the viability of making $$ off of open source software. Anyone can get all of the same source, etc off of the net and have their own Linux distro, but currently larger companies like RedHat and Suse are the most embrased distros out there by government, companies, education, and very importantly 3rd party hardware providers. I started using Linux when there was only Slackware and Yggdrasil. Maybe there were others at the time, but those are the only 2 that I remember. Anyway, I think that it is amazing that a bunch of hackers on the net were able to throw together (with SCO's IP of course!) an OS and all of the userland tools to be packaged together by a German company with the help of an American company (IBM) and able to achieve a decent certification level.

I don't bear too much weight in certs by themselves. Afterall, AIX, Solaris, Windows2000, and HPUX would all be the same if EAL4 was the only category of review. But a cert (like a college degree) opens up new doors that were otherwise not possible without them.

I am so grateful that I was able to freely download and view the source of Linux. My "certification" from college is in Psychology, and I have never had a computer course or any formal training or certification. But because of the openness of Linux, I was able to learn inside and out about the OS, how to program, etc (and get a real job :). And to see this go from something that I played with on my 486 in my dorm to almost a brand name that is commonplace on TV ads and whatnot.

Keep up the good work guys! This is where the important stuff and the fun of Linux lives, not trying to get "Joe Six Pack" to use Linux on his PC at home.

Re:That's great

[Fyndo]

Is EAL worthwhile or is it an "inadequate set of requirements"? Is EAL 4 worse than EAL 3?

Most importantly, the EAL tells only half the story. There are 2 components, the PP (Protection Profile), which specifies what security features you're trying to provide, and the EAL (Evaluation Assurance Level) which tells you how certain the people evaluating it are that it meets the profile. Windows 2000 was certified against CAPP (the Controlled Access Protection Profile) to EAL4, The CAPP is, well, hopelessly inadequate. Now Suse is certified to EAL3 also against CAPP. So we now know that we can be almost as certain that Suse provides at least the same inadequate security as Windows is certified to provide. Either or both may provide some security beyond that in CAPP, which is not evaluated. So while this is probably a good thing for Suse (makes paperwork in selling to the government easier) it's hardly a ringing endorsement of anything. now, for example, Trusted Solaris is also certified to EAL4, but against the LSPP (which is a superset of the CAPP profile) and RBAC profiles, and is therefore somewhat more meaningful (however the PP still assumes that the system is not hooked up to a public network :).

Re:That's great

[4of12]

So I'm curious if, after the demos of EAL'd systems to government buyers, they allow the system to be modified - upgraded kernels, adding apache, etc.?

I'm just wondering if the bureaucratic hurdle is a "one time, just to prove you can be certified" or whether it's an ongoing PITA?

Re:That's great

[$ASANY]

The certification covers a specific install, and depending on the circumstances under which a certification is granted, you might have a lot of flexibility, or very little. Back in the early days of Common Criteria, Windows was certified under the provision of no floopy drive or network card, but somehow waivers were granted, exceptions allowed and the like.

Now I'm not all that involved in this, but my take is that EAL3 will make a difference in being able to get your foot in the door. Once it's in, it's a minor bureaucratic hassle to modify the configuration, but if that modification is necessary in order to perform some government function, a waiver isn't that hard to get.

I have a fair amount of experience with Sybase SQL Anywhere in DOD installations, which has certifications that require a certain configuration. I've never encountered that configuration at any DOD installation, I've seen versions used that are more recent than the certification specifies, and I've never seen anyone question these departures. The variances make sense though, and I think they're good decisions, but for a real cross-the-t-and-dot-the-i type, this would probably be a major no-no. The only impact I've ever actually encountered is in bidding and sales efforts.

JUSTIFY or DELETE!!!!

H3RES UR JUSTIFICATION U LOUSY PEICE OF TROL SHIT!1!! WTF MAH DSL CONACTION AT HOMA SUKS AND TAHTS WHAR3 TEH BTA SERVER IS RUNNG1!!1!1 I GAEV OUT TEH SIET 2 125 P3OPLE WHO AMALEED ME ASKED ME FOR DA SIET SO TAHT IT DIDNT DEI11!!!!1
NOW U D3CIEDD 2 B A FUKNG FLMNG ASHOLA AND POST DA SIET 3VERYWH3R3 CAUSNG SIGNIFACNT PROBLAMS WIT MAH DSL AT HOME B/C UR A PEIC3 OF SHIT WIT NOTHNG BTAR 2 DO!11!1 LOL

IVA WASTED 5 HOURS THIS MORNNG DELETNG UR TROLS AND IN DA MEANTIEM HAEV GOT3N NO OTH3R WORK DONE B/C OF U!11!!1 OMG WTF LOL IMM TRYNG 2 DO SOM3THNG NIEC FOR MACSLASH COMUNITY AND UPGRAED OUR SARV3R SO ITS BT3R!1!! LOL U INSIST ON WASTNG MAH TIEM WIT THIS SHIT AND KEPNG ME FROM BNG ABLE 2 WORK ON DA NU SERVER11!!1

IV3 WORKAD ON THIS SIET FOR OVER 3 YEARS WITHOUT 3V3RY MAKNG A PANY OF OF IT B/C I LIEK DA INTERACTION WIT OTHER MAC USERS!!!1!! OMG U JUST SPOIELD TAHT!111!!1 OMG I NOW DR3AD LOADNG TEH SIET 3VARY MORNNG B/C OF TROLS LIEK U111111! OMG I SPEND MOST OF MAH TIEM NOW DAALNG WIT UR PATY BULSHIT INSTAAD MAKNG THIS A BT3R PLAEC!1!1 WTF LOL AND IMM ABOUT R3ADY 2 JUST SHUT DA WHOLE DMN THNG DOWN INST3AD OF DEALNG WIT U ANYMOR3!11!!!!1 LOL

SO THEYRE UR FUKNG JUSTIFICATION!!11!1 OMG NOW S2P POSTNG DA ADRAS OF DA NU SIET
-!1111 OMG WTF BN STANFEILD
EXACUTIEV EDI2R @ MACSLASH

MOD PARENT DOWN! Stole my comment!!

I guess it's flattering to be greeted by your own words when you click on a story, but it doesn't change the fact that this person, quigonn, completely plagiarized what I wrote a few months back on another desktop Linux story. He did go through the effort of changing my "Windows NT 4" to his "Windows 2000", but I'm not sure why he bothered ...

I wish I could prove this, but I can't list any comments beyond my last 24. Honestly, why would I accuse someone I don't know of plagiarism if it weren't true?

Shame on you, Mr. quigonn ...

OT, but funny

Photoshop contest with Linus Torvalds

Moderators, no need to mark this offtopic, it already says so in the title...

Wow, great news

[Rogerborg]

For SCO, I mean, given that they claim to own or claim to already be receiving payments for all of the above!

Money?

Reading this article... it costs money? WTF? You pay for higher levels or something?

Re:Money?

[Lehk228]

sound alot like scientology doesnt it....
"you pay us money and the ghosts will leave your body"/"you pay us money and you are considered secure

...except scientology doesnt make you pay again if you get your hair cut or clip your toenails

Re:Money?

[ortcutt]

Last I heard, SuSE had made Operating Thetans Level 3, while Red Hat was still in the Purification Rundown.

MOD PARENT DOWN! Stole my comment!!

I guess it's flattering to be greeted by your own words when you click on a story, but it doesn't change the fact that this person, peterdaly, completely plagiarized what I wrote a few months back on another Linux security certification story

I wish I could prove this, but I can't list any comments beyond my last 24. Honestly, why would I accuse someone I don't know of plagiarism if it weren't true?

Shame on you, Peter Daly ...

HE'S LYING, PAY NO ATTENTION.

IT's just some stupid AC! Ignore him!!

Re:HE'S LYING, PAY NO ATTENTION.

Oh how desparately I must retain my /. karma! It's all I've got!

novell

[SinaSa]

Does this have anything to do with Novell entering the SuSE scene? Or has this certification been a long time coming? Either way, this is another scratch on the wall of achievements Linux has attained. Most pre Linux UNIX admins have a disdain for Linux zealots, etc who believe that Linux can solve any problem any time, and I'm in the same camp, but with distributions getting certifications like this, Linux continues to progress in promising ways in many fields.

Re:novell

[Albanach]

SuSE got it's EAL 2 certification on IBM hardware and as far as I know that was funded by IBM - I don't know if Novel had anything to do with this EAL 3 certification, but given the time certification takes I suspect that's unlikely.

More likely would be further IBM involvement as a company well placed to benefit from being able to sell more hardware deeper into government.

EAL4 evaluation tells you nothing

It tells you that Microsoft spent millions of dollars producing documentation that shows that Windows 2000 meets an inadequate set of requirements, and that you can have reasonably strong confidence that this is the case.

Intersting Document on EL

Things will really get heated up

[emo+boy]

when OS/2 Warp gets EAL5 next month.

Rule of thumb:

[Phekko]

If it's Microsoft the article is about, it's bad. No exceptions.

If it's about Linux, it's good. Also no exceptions.

I feel sorry for you

because you apparantly got modslapped to -1 for going against the Open Source grain. You have my sympathies.

Summary Misleading

[Mork29]

I'm a sys-admin in the US Army right now. Simply getting this new EAL accredation does not allow the military to install an OS (I don't know about the other agencies). The US military develops a set of security standards (baseline) for any OS that they use on a large scale. With these standards, we use it, without them, we don't. Certain *nix's including Solaris, and Red Hat are used on small scales for specific applications in the military, but this EAL will not allow the US Military any more options until senior leadership determines it neccessary and spends the money to adopt the standards of use and baselines for the operating system. I personally have been begging our head IASO to allow us to use Linux in a few instances, but have been shot down on every attempt for this one reason. I know I would love being able to avoid the weekly windows patches that have to be pushed down to the computers on our network though. The US Military does take InfoSec very seriously though. Although several US depertments have been criticized for a lack of InfoSec (Including Homeland Security), I've never heard of the DoD receiving any such negative rating.

Re:Summary Misleading

[dedeman]

I work for Conus CERT, as a reservist, and have also been pushing the Linux envelope. I believe there is a basic reluctance (similar to any business) to switch to a platform which very few current admins (as far as I know) have much experience with. Many I know are still die hard Microcert specialists. Much of the *nix that I've found is used only in the CERTs, dealing with network security/intrusion detection, and the end users are all stuck on/with Win2k. I'm sure that DOD acquisition is an intricate process, made moreso by the level of military spending on computer/IT assets. I mean, where would Sun be without the DOD? I'm still researching as much as possible to provide information to the CERT brass, to get someone to take a look at RedHat or Suse, as they seem to be the only contenders in the high end server market. I've even provided a copy of Knoppix as a system recovery tool. But all in all, this "certification level" will be more helpful, no matter what the criteria consists of, for my efforts. But from a DOD point of view, would admins be happier with a more widespread usage of Linux of some sort? I'm sure that you work with at least some folks like the ones I mentioned earlier.

Goatsex Mirror

We, the RBI (Really Bad Internetusers) have opened a new goatse.cx mirror on www.internetweber.de [internetweber.de]. Just click on the 'Gastebuch' link and enjoy!

0MG

S0ME0NE MAKE 0NE W1TH B1LL GATES THR0WING THE BALL!!`~!~! OMG ROFLF

What protection profile?

[xmath]

EAL3.... what protection profile?

EAL-rating only indicates how sure you are the product meets the profile (a set of security requirements). Saying it gets "EAL3 Certification" is like saying "We're now quite sure it does... eh... something"

For example, the Win2000 EAL4 certification was CAPP/EAL4 (Controlled Access Protection Profile). Its description:

The CAPP provides for a level of protection which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security. The profile is not intended to be applicable to circumstances in which protection is required against determined attempts by hostile and well funded attackers to breach system security. The CAPP does not fully address the threats posed by malicious system development or administrative personnel.

It should be obvious that while CAPP is nice to have, it does not mean the system is "secure", even if you'd get EAL7. :-)

I guess this is just one of those "they have - we need it too!" things.

Re:What protection profile?

[Iorek]

It doesn't have to conform to a protection profile; that's just an option. The SUSE security target will list all the security functional and assurance requirements (the EAL3 assurance package in this case) that scope the evaluation (the "something," as you say).

Re:What protection profile?

[xmath]

you're right of course.. I meant security target when I said protection profile.

terminology slip-up :-)

indeed, SuSE's certification (EAL2) of July last year was for a "Product specific Security Target", no protection profile. Assuming it's still the case this year, it means comparing its EAL-rating to Common Criteria certifications of other products (with different security targets) is completely bogus.

The problem is people seem to think "EAL3" is the certification by itself, while the security target is actually more important, but not even mentioned or summarized in the article.

Re:What protection profile?

[Iorek]

Agreed. I've seen comments like "which is better? EAL3 or EAL4?" But I'm still confident that I (and like-minded people like yourself) can get the word out, so long as we keep commenting on these CC articles. :-)

Re:What protection profile?

[hackstraw]

EAL-rating only indicates how sure you are the product meets the profile (a set of security requirements). Saying it gets "EAL3 Certification" is like saying "We're now quite sure it does... eh... something"

A college degree only indicates how sure you are the person meets the profile (a set of learning and skill requirements). Saying it gets "A college degree" is like saying "We're now quite sure the person is... eh... able to learn something".

Trust me, there are many a bozo out there with a college degree, and there are, ahem, less than secure and robust OSes with EAL certification, but try to get a job where it says "College degree required" or install an OS where it says "EAL3 or higher required" and there is not that level of certification.

On an aside, college degrees are pretty worthless nowadays. At least a generic 4 year degree. I often see on job listings something like "College degree in XXX required or equivalent work experience". This is not as true with higher degrees or professional degrees. Sometimes I think about how much money I would be making now if I had _worked_ instead of going to school and racking up about $30,000 in college loans. Actually, I have seen data that says that the "Stay in school" programs are completly irrational. Supposedly, a HS dropout that goes to work will be making much more $$ immediately and in the future (because of experience and seniority) than a HS graduate. Kinda makes me wonder what the governmental/societal push is for going to school.

Re:What protection profile?

[xmath]

For the benefit of other readers, a short summary of how the Common Criteria work - as far as I can remember (if any inaccuracies slip in, I'm sure someone will point them out :-)

The common criteria are a framework for specifying and evaluating security properties of a product.

They provide a big list of "security functional requirements" that a product might adhere to. Examples:

" FAU_GEN.2.1 The TSF shall be able to associate each auditable event with the identity of the user that caused the event."

"FDP_ACC.2.1 The TSF shall enforce the [assignment: access control SFP] on [assignment: list of subjects and objects] and all operations among subjects and objects covered by the SFP."

(yes, they just love TLAs)

So there's a nice set of standard security requirements from which you can select the ones you think your product adheres to (or should adhere to).

A second list contains the "security assurance requirements" which is a big list of means by which the development and evaluator can provide assurance of your product's security features.

For example, ATE_COV.2 Analysis of coverage specifies things the developer and evaluator must do to "establish that the TSF has been tested against its functional specification in a systematic manner. This is to be achieved through an examination of developer analysis of correspondence."

The security functional requirements and security assurance requirements are then packed together into the "security target" and evaluation can commence.

The Evaluation Assurance Levels are simply standard packages of security assurance requirements. (for example, ATE_COV.2 given above is part of EAL3 and higher)

ok, hope this helps

Re:What protection profile?

[xmath]

The analogy is kinda flawed, since a college degree should - regardless of the subject - at least indicate a certain level of education in some area.

EAL just indicates how sure you are... you could get something EAL3-certified to be totally insecure.

(note that I don't mean to say the certification is meaningless, just that its presentation in the article is. also, that comparisons like "but Win2000 has EAL4!" are bogus)

A company that knows how the Common Criteria work won't require "EAL3", but actually pay attention to the security target.

Re:What protection profile?

[mrball_cb]

Everybody is missing the (lack of) importance here. Read the description of the rating:

...a level of protection which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security.

This specifically precludes internet usage (unless you consider connecting to the internet to be non-hostile, in which case your paranoia badge is revoked).

It DOES however open a door to let competitors into a controlled market and it does provide a measuring stick, although the things it measures aren't relevant. It's like recording a live rock show by putting mikes on the roadies instead of the band.

Johnny Cash once told me that Jesus wrote a song and it was called "Why Me Kris." -- Kris Kristofferson

Re:What protection profile?

[Feztaa]

Actually, I have seen data that says that the "Stay in school" programs are completly irrational. Supposedly, a HS dropout that goes to work will be making much more $$ immediately and in the future (because of experience and seniority) than a HS graduate.

I agree with that completely. I'm a university dropout, and I work at a gas station. The Lead Hand at my gas station (basically, she's one step down from being the boss) is a Highschool dropout. The only reason she's ahead of me, is because she has a few years headstart on me (she was busy working my current job while I was busy sleeping through classes).

If I wait long enough, eventually she'll be promoted away to be manager at some other gas station, and then I'll become Lead Hand, and then I'll get to be manager at some other gas station. We're talking over the next five or ten years here, assuming I don't go back to school in september, which I am planning on doing.

If I felt like it, I could probably work my way right up the corporate ladder and work in upper management for the rest of my life, but that's not really where I see myself in 10 years. The only thing standing in my way is that I'm not actually making enough money to live on, and my mom is generously providing me food and shelter until I can get an education and a real job...

MOD PARENT DOWN! Stole my comment!!

I guess it's flattering to be greeted by your own words when you click on a story, but it doesn't change the fact that this person, peterdaly, completely plagiarized what I wrote a few months back on another Linux security certification story

I wish I could prove this, but I can't list any comments beyond my last 24. Honestly, why would I accuse someone I don't know of plagiarism if it weren't true?

Shame on you, Anonymous Coward ...

Nerds unite!

[HighFlyer]

What kind of geek site is this if you have to mention that Solaris is from Sun etc.???

Every decent computer nerd should have those words flowing through their veins...

Re:Nerds unite!

[McNihil]

dude give they n00b a chance he is obviously from the Microsoft camp and want's to fit in by showing off...

Re:Nerds unite!

> What kind of geek site is this if you have to mention that Solaris is from Sun etc.???

You must be new here. It's a geek site with a healthy mix of "wanna-be's" and "micro$oft hater$". I can only presume it was added to save the topic from dozens of comments about how that d4mned Micro$oft has introduced security bugs into their new Linux knockoff called Solaris.

USELESS

[calebtucker]

...you're only allowed to install a certain version of Windows 2000, with servicepacks up to a certain number, and one hotfix.

This should tell you how extremely useless the common criteria is for actually verifying the security of a product for real world use. Sure it might have some merit in high security government use, but that's about it.

Also, you know how much it costs to get your product evaluated at EAL2 (yes, you have to pay for it) -- about $250k. EAL4 is about $1mil+.

We had someone who works at NIST on the CC come to my school last semester. He said there were less than 100 products that have been evaluated under the CC (can't remember exact number, but around 80).

It boils down to this: if you want to sell your software to the U.S. government, you gotta get it certified at EAL2 at least. Other than that, your EAL level X means nothing.

Re:USELESS

No, this does not show how useless the CC is, but how hard it is for the developers to show that the service packs do not impact the security as evaluated.

The EAL is only the measure of how much assurance you have that the products meets is security target, not that 'it is more secure'. Just what is 'secure' is defined in the ST (often derived from a PP). That is what you should be checking.

Red Hat Cert

Comming soon? I am taking Red Hat Cert classes right now in NC. See Red Hat Academy

Windows *from Microsoft*, huh?

[johannesg]

I'm sure glad they mentioned that. I might have gotten confused with all the other kinds of Windows currently on the market.

MOD DOWN --- TROLL

Obviously this guy is talking out of his ass.

Troll.

Other OS'S?

[Ham+and+Egger]

Does anyone know where a complete list of how each OS is rated? I'm curious about BSD, and OS X primarily...

Microsoft & Novell

Many I know are still die hard Microcert specialists. Much of the *nix that I've found is used only in the CERTs, dealing with network security/intrusion detection, and the end users are all stuck on/with Win2k.

First off, hate Redmond all you want, but Win2K [properly locked down] is one damned adequate [dare I say "fine"?] desktop operating system [and it's four year old technology at this point, which is saying something in and of itself]. If you want to bitch about desktop operating systems, try WinME or Mac9.x [possibly the worst desktop operating system ever conceived by the mind of man, to include Win3.1x] or that hideous Solaris abomination.

Second: Novell 0wnz security. When Novell integrates SuSE with Novell Directory Services [or eDirectory, or iChain, or nSure, or what-the-hell-ever buzzword the idiots in Novell marketing are calling it this week], you'll have all the Red Book/Blue Book/Purple Book/Green Eggs and Ham Book certifications your little heart could possibly desire.

Just be patient; it's coming...

PS: The really, really difficult choice for systems architects is gonna be between a Novell/SuSE/Novell Directory Services backbone, and a Microsoft/.NET-C#/Active Directory backbone. Within the developer community, the buzz on C# is hot, Hot, HOT [think Java circa 1997, or XML circa 2000], and if Novell doesn't figure out a response [Ximian/Mono/whatever], they're gonna be in trouble.

You mean like Lindows?

You mean like Lindows? HHmmm, maybe there is a reason for that lawsuit after-all...

Re:You mean like Lindows?

[sik0fewl]

No, I think he's talking about these ones

WTF!!!

Above,
If windows too can have this certification, it is clearly not very high standard. So, actually, this means *nothing*
Troll.

Below,
If windows too can have this certification, it is clearly not very high standard. So, actually, this means *nothing*
Funny.

Same comment!?!?!?

See

[Cyno]

...which allows it to compete with such certified operating systems as Windows (from Microsoft), Solaris (from Sun), HP-UX (from HP) and AIX (from IBM).

This is why I don't like certifications. They don't actually say anything about how Linux can compete with any other operating system, but they make people like you think they do.

If the church gives you a piece of paper that says you are going to heaven do you actually believe that you will go to heaven?

If a University gives you a degree does that degree say you know anything about anything?

How many MCSEs does it take to change a lightbulb?

How many certs make you valuable?

None of them change your value or affect your knowledge in any way. So stop placing any value in them. Or I will think you a fool.

CC and the DoD

The worst part about it, is if you start investigating you'll find it was certified by a company in Germany. Since the US doesn't play nice with Common Criteria this means exactly diddly squat to anyone in the Department of Defense. Past DOD/CIO's have regulated that only Certifications approved by US Contractors on US Dollars are to be used for classified. Basically they're saying that they don't trust anyone else. So, even though SuSE has recieved an EAL3, legally it can't be used for anything more than EAL2 within the Defense Dept.

automated certification

[tuxdude]

It would be great if the EAL software package and test methodologies are available for free(similar to Microsoft HCT). This way everybody can make sure that their linux distribuition passes the criteria. Enterprise distribution can spend the required amounts to get the official certification.

Huh?

[Quantum-Sci]

You've gotta be kidding. Mandrake deserves this more than Suse.

Re:Windows 2000 is EAL4 "Augmented" not EAL 4

[SkewlD00d]

EAL4 is bullshit... it doesnt include white-box code auditing and it's a standard developed in a vacuum (ISO and NIST are vacuums). I wouldn't trust any standard not evaluated by hackers. I mean, if Windoze can get their highest rating when it has known and unpatched exploits, what does that say about their testing and standards? This test was done using SP3 which doesnt include the RPC fixes; any system based on this will get Blastered almost immediately if it were attached to a public or infected network. Any user process on Win2k can gain Admin using SEH blasting shell code. Win2k and the Win32 API are too complicated to be provably secure. Since it's closed source and not open-source payware (if the source were included on the media), it's possible that bug that could be found (and fixed) by the public are hidden away in an ivory castle. Win2k is so full of redundant, legacy, incongruent, broken and incomplete features, there's no way to ever secure it w/o removing every unnecessary file, doing an extensive audit and unit testing, redoing some of the fundamental mistakes, and adding some security enhancements (remove RPC dependance, NTLM support, netbios; add encrypted memory spaces). Basically, it'd be better off to start from scratch, making an OS bootstrapped from .NET (no C/C++ compiled code). C/C++ coded operating systems are very difficult to make provably secure, no one has done it yet. A pure object-oriented OS (devoid of pointers, compartmentalized kernel, trusted hardware drivers) w/ real security features (much like Java VM) combined w/ hardware locking / keying of memory/disk pages would definitely be much better than the current state of OSes. Additionally, email programs should be REQUIRED to use gpg/pgp. A solid PKI infrastructure based on LDAP w/ Kerberos CA (which has a valid X.509 cert from thawte or verisign) is a DEFINITE must. In the future, P2P shared authentication MIGHT be a possibility.