>Now realistically, EAL4 IS a restrictive
>certification! Trusted Solaris8 is EAL4 certified.
>Most default Unix installs might barely pass EAL2.
I'm not disagreeing, but I'd like to add this point: what's important is the Protection Profile the evaluation is against. The w2k EAL4 certification is against the CSPP, vaguely equal to C2 in the Orange Book. The Trusted Solaris EAL4 cert was against a Security Target that conforms with the CSPP, the LSPP (=~ the B1 or B2 cert in the Orange Book, I forget), AND the RBAC (role based access control) protection profile.
>Most companies claiming that their encryption is
>``unbreakable'' are using one-time pads;
and most of these snake oil salesmen are using algorithmic "random" number generation. There are two delicate parts of one time pads: distributing the pad, and your pad generation.
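Added example, not code from the thread: the two delicate parts the post names, pad generation and pad handling, in working Python. `otp_xor`, `algorithmic_pad`, `recover_seed` and `reuse_leak` are hypothetical names, and the sample messages are constructed.

```python
import os
import random
from typing import Optional

# Added example, not from the thread: pad generation and pad handling of a one-time pad.

def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt by XOR; a genuine OTP needs pad >= message length."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message; a real OTP never stretches the pad")
    return bytes(d ^ p for d, p in zip(data, pad))

def true_random_pad(n: int) -> bytes:
    """Pad from the OS CSPRNG: every byte independent, nothing to reconstruct."""
    return os.urandom(n)

def algorithmic_pad(seed: int, n: int) -> bytes:
    """The snake-oil variant: a deterministic PRNG stretched from a short seed.
    Sharing the seed 'distributes' the pad, but then the seed is the real key
    and the scheme is a stream cipher with a tiny key space."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

def recover_seed(ciphertext: bytes, known_prefix: bytes, max_seed: int) -> Optional[int]:
    """If the opening bytes are predictable (a header, a greeting), the seed
    that reproduces them under XOR is found by trying every seed."""
    head = ciphertext[:len(known_prefix)]
    for seed in range(max_seed):
        if otp_xor(head, algorithmic_pad(seed, len(head))) == known_prefix:
            return seed
    return None

def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Distribution failure: two messages under one pad. The pad cancels and
    p1 XOR p2 remains, which is why a pad is used exactly once."""
    return bytes(a ^ b for a, b in zip(c1, c2))

if __name__ == "__main__":
    msg = b"REPORT: all quiet on the western front"    # constructed sample, 38 bytes
    pad = true_random_pad(len(msg))
    assert otp_xor(otp_xor(msg, pad), pad) == msg
    # Generation failure: a 16-bit seed falls to eight known plaintext bytes.
    weak = otp_xor(msg, algorithmic_pad(31337, len(msg)))
    print("recovered seed:", recover_seed(weak, b"REPORT: ", 1 << 16))
    # Distribution failure: the same pad twice leaks the XOR of the plaintexts.
    m2 = b"REPORT: heavy shelling, need support!!"     # constructed sample, 38 bytes
    leak = reuse_leak(otp_xor(msg, pad), otp_xor(m2, pad))
    print(leak == bytes(a ^ b for a, b in zip(msg, m2)))
```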
DoDD 8500.1, *the* authoritative overarching DoD document concerning Computer Security contains this paragraph:
Public domain software products, and other software products with limited or no warranty, such as those commonly known as freeware or shareware, shall only be used in DoD information systems to meet compelling operational requirements. Such products shall be thoroughly assessed for risk and accepted for use by the responsible DAA.
The part that I wonder about is "other software products with limited or no warranty, such as those commonly known as freeware or shareware". I wonder if this was meant to indicate Open Source Software? IANAL, but I've never seen a EULA for software that didn't indicate a limited warranty. In fact, from my layman's point of view, all the standard EULAs seem to indicate that the software has no warranty, since they seem to claim that the software doesn't have to do anything at all...
There is some documented use of open source in the DoD (probably the least likely to use open source IMHO) right now. See: This Study from NAVOCEANO (Naval Oceanographic Office).
This program was produced in conjunction with the Open Source Software Institute, a non-profit to encourage open source usage in government.
Now that IBM is rebuilding their federal services groups, does IBM have any plans to work with Red Hat for a NIAP Common Criteria evaluation (making it hunky-dory, from a security perspective, to use Linux)? How about FIPS 140-2 for the IBM-Linux crypto cards?
jht wrote:
"without Linux there would be no GNU system, either."
hrm. actually, when I first started running linux, it was for hobby stuff, but I was using gcc on a sun box in a production environment, because sun charged an arm and a leg for a simple c compiler...
You forgot the step: looking through all of your files to make sure you've got every extension, finding .ah when you figure out you're missing it, doing the MD5 sum, realizing that you're missing 1 meg of .ad, getting .ad again, etc. etc. Monkeywork like this is what computers are *for*.
I'm going to go against the grain and say that if you're not sure you want to go to college, don't. I hit college right out of high school, and didn't really want to go. I did horribly after a couple of semesters, dropped out, and spent around 2 years having a *really* good time. I bummed around at minimum wage jobs, played in bands, and generally had fun. After a while of that, I was ready for college, went back and did well. Just relax for a while. If you can pick up some sysadmin work that isn't full time, do so. If you're not sure, college can be a costly mistake.
"And it's hard to get one of those without being a US citizen, let alone a permanent resident.
A lot of my fellow coworkers are H1-B holders and are thus shut out from government jobs due to a lack of security clearance or the unwillingness to hire anything but US citizens."
Well, if the person is a foreign national, they can still get a NAC (National Agency Check) to work with sensitive information. For classified information, I think it's appropriate that only US citizens should be dealing with it. (Note that naturalized citizens can get clearances.)
Haven't seen a link to this yet. The CIA is funding new search technologies via In-Q-Tel. From their page:
In-Q-Tel is an independent, private, non-profit company funded by the U.S. government with one objective: to identify and deliver next generation information technologies to support CIA's critical intelligence missions.
Of course, if you're using their intellectual input to develop your product, they should get a piece. Come to think of it, you're using my intellectual input too. Gimmie! Matter of fact, I had a drunken conversation with a L0pht person about 4 years ago. I want part of @Stake too..
I'm almost hesitant to say this, considering the libertarian bent of /., but one employer that doesn't follow these practices is the U.S. government.
disclaimer - While I haven't worked for the fed personally, I've worked with them a good bit as a contractor, and feel competent to comment. No, I'm not a secret plant of the mythical secret controllers (who I feel are some sort of parental-wish-fulfillment urge to have a 'greater power,' and who are somehow super efficient in contrast to the rest of the fed.)
The pay for the fed is crap. No doubt about it. But, the job security and benefits are nutty. It is, sometimes unfortunately, impossible to get fired. Federal workers get lots of vacation time (I don't remember exactly how much, but I remember being surprised when I heard.)
But what about the insane bureaucracy? This is, unfortunately, quite true. But, I believe a lot of this arises from the lack of quality employees. Much like teaching, there are many fine people who work out of a sense of personal responsibility, but there are placeholders too.
There is a large demand for qualified techs there, mainly due to the rigidity of the workplace (ties and cubes) and the low pay (which *is* more than 0, what many people are making now). And hell, if more techs work there, maybe the inherent freakiness of techs will help loosen up some of the trivial things and tighten up some of the crappy ones.
Are we going to outlaw the import/export of random data also? I'm no cryptography expert, but I could whip up one-time pad encryption/decryption in about 5 minutes. If Carnivore were deployed at every US ISP, how would this help? The interviews I've seen from feds and from counter-terrorism experts have indicated that the main problem has been the lack of human intelligence rather than electronic.
Hey, why didn't we think of that before? Forbidding something to adolescents will surely make it less appealing. While we're at it, let's forbid smoking, drinking, and premarital sex, and the whole world will be a big, happy Disneyland.
Although the tone's a bit confrontational, I'd agree about reading the contract and talking to the employer about it. Companies tend to have their standard contract for a position, but when I voiced my concerns, they've been willing to modify them (once about a non-compete I thought was a bit too broad, and once about open-source side work specifically).
>Want some more hardcore oldschool goodness? Check out this review of the Pentium 200 at Glide Underground.
P200? hardcore oldschool goodness? Please, god, let this be a troll for "when I was young" stories. oy.
This solar-powered drink cooler could probably be modified to fit personal electronics better. I would test it for condensation first, though..
If you have a Nintendo DS Lite, you can pick up the Nintendo DS Lite Browser cartridge that runs Opera for about $70.
But how long before the world's salmon supply gets depleted? More short-sighted NASA tomfoolery.
"The really fascinating thing about this robot/experiment is that making the robot react to simple cues from the human makes the robot act much more intelligent than it actually is"
Sounds like management material to me..
I wonder if they like soda? (Hi Cory!)
The OSSI has a mailing list for discussing Open Source and federal projects.
Subscribe: opengovtprojects mailing list
or email: opengovtprojects-request@oss-institute.org with the word "subscribe" as the subject.
mmmm...atari pants
I've always felt that the punishment for such behavior should be 2 yrs tech support at a poorly secured ISP.
Yep, it's being replaced by the Common Criteria, a joint product of Europe, Canada and the US. It has just recently been standardized as an ISO standard. These sites should be public:
Common Criteria Project at NIST
Trusted Product Evaluation Program