Let me add a little bit to what I was saying before. I think that in the long run you are correct.
Currently, cell phones have penetrated a much larger market space than PDA's have. Also, simple games are mainstream games for the masses. If my cell phone let me play a sports game, I would play it when I was on the toilet, in the bus, etc.. The point being, everyone has them, and they are readily available. People who own cell phones and PDA's tend to leave their PDAs behind before they leave their cell phones behind (I'm sure there are exceptions, I'm only looking at trends).
This is what makes the cell phone an attractive target for these kinds of games. Clearly, the games need to be made for the interfaces that currently exist.
Ok. However, I believe through some recently good conversations with people in the cell business (guys that worked on BlueTooth, and other fun stuff) that cell phones are going to become pure access devices. They are always connected to a global network and when combined with BlueTooth allow all of your other devices to connect as well. For those who don't know BlueTooth is a technology that allows devices to talk to eachother when in close proximity. You can use BlueTooth to have your PDA talk to your cell phone. This means that later, your cell phone will likely just sit in your pocket (maybe as a belt buckle?). Your PDA will talk to it through BlueTooth and be your access device. You could also pull out your laptop and use it on the network for when you needed that kind of hardware.
So, I believe that Cell Phones make a great simple game platform that someone will likely exploit in the short term. However in the long term I think they will be relegated to the task of being your network jack, and other devices will be used to provide the interfaces.
On PitBull for example, the web server typically does not run with any privilege. Rather, another daemon runs in a seperate compartment that executes the cgi programs. Communication between the web server and "cgi daemon" is allowed by a small piece of trusted code called a security gate. The security gate essentially sets up a limited pipe between the two processes. This way if the CGI program is exploited, the attacker will not have any special privileges. In fact, it is pretty trivial to set up the cgi programs compartments such that is has no external network access.
This of course depends on what you want to do with CGI. If you want your CGI programs to communicate out to a back-end network (database perhaps) then you would set up your network rules to allow the CGI program to only communicate out the backend on a specific port. This will allow your CGI program to contact the database but do nothing else. It won't be able to modify any files on the system (except the few that may be in its own running compartment).
I completely agree, that sysadmins are absolutely critical in the security process. If you believe your system is totally secure, then you are just sitting around waiting for something bad to happen. Also, admins can be a critical part in the design of a system (particularly if they have relevant security knowledge).
Unfortunately, VVOS is somewhat limited in its configuration abilities. We are giving away our products for free for non-commercial use if you were interested in taking a look at what we do. Obviously I'm biased, but I believe are product is significantly better and more flexible than VVOS. You can get copies of the software at www.argusrevolution.com and company information is at www.argus-systems.com
Of course, I'd be interested in talking more about your experiences with TOS as its always fun to talk with someone who is actually implementing systems.
Please feel free to drop me a note if you'd like to swap thoughts on trusted os or using them.
Cheers,
Jeff
Jeff Thompson Software Evangelist and Visionary Argus Systems Group, Inc. thompson@argus-systems.com
There is a great solution to a lot of these problems. It's not the be all end all, but it is a good start. I've written what I think is an interesting analysis of the Apache Web site hack paper to illustrate how trusted os can be used. You can find it at http://www.argusrevolution.c om/articles/apachetos.html
There are a lot of interesting things being done with Trusted OS today. A number of people are working on commercial TOS for people. Argus Systems Group is doing commercial versions, and Robert Watson is heading up the TrustedBSD port (www.trustedbsd.com)
Trusted OS does not remove security flaws and holes, but it can cause them to give the attacker no real access to the system. Check out the paper I wrote, as it should illustrate this quite nicely.
Cheers, Jeff
Jeff Thompson Software Evangelist and Visionary http://www.argusrevolution.com/
I suspect that in a very short while we will see a whole list of WAP based games released for cell phones. The limited interface of cell phones lends itself well to older technologies and games.
The singular advantage that a cell phone has over the technology that was present for old text based games is its interconnectivity. Clearly, the cell phone is the ultimate platform for multi-player games.
I believe that we will see fantasy based sports games, gambling, and other basic multi-player games (cards, trivia, etc) start to take off on cell phones. In fact, whoever goes after this market with force could easily dominate it and reap huge rewards (Think $10 a month subscription fees with a global customer base).
I'd be interested to hear what others thought about these ideas.
Jeff
Jeff Thompson Straight Talk - Open, Honest, and Usually Right http://www.advancenet.net/~jwthomp/
I'd love to do an interview on the subject. In honesty, I am new to/. and don't know how to go about doing that. I'll certainly look into it.
In regards to the change a single thing comment.
How evaluations work under the common criteria is that you make a set of claims and the evaluator (in our case CSC), verifies those claims. This means that in theory one could certify anything.
However, just getting evaluated to meet certain requirements does not mean anything unless people know what those requirements mean. This is why under the Common Criteria there are predefined descriptions of claims that vendors can try to meet. B1 under the Common Criteria is known as the "Labeled Protection Profile". This is what we are certifying to. One part of the evaluation is what hardware and configuration you are setting up on.
This is specified under the TOE or Target of Evaluation. So yes, we are in fact being evaluated on specific equipment (you have to pick something to run your systems on for testing!). In the past you were essentially limited by what you are running on. However, because of this there has been a lot pressure to loosen up this restriction as it really does not make a lot of sense. We are in fact trying to put into our claims, a more flexible hardware claim.
Now with that said, what you have to understand is how certifications are used. In the government and military they are used as tools to help "accreditors" determine if a specific architecture meets the security requirements of the information it will be handling. B1 helps an accreditor determine that a system is sufficient. Being B1 obviously does not guarantee accreditation.
So, in reality even if you run a B1 system on different hardware or with modifications you still have a B1 system. For example, if the system you are using was evaluated with networking using a 10BaseT card, and you switch to a 100BaseT, your system is still B1. It is still functionally B1 and would still very likely be accredited by an accreditor.
If you add a piece of software to the system that is not evaluated to B1, then that software is not considered B1, but your underlying system still is. Now you can certainly do things to create an insecure B1 system, just as you can muck up permission bits on UNIX, the real strength of B1 is not in its name, in its certification, but in its functionality.
B1 systems (and I'm really referring to ours as this is the one I know the best!, though much of this applies to others) break up root powers into a least privilege system. This allows applications to only run with the specific abilities that they need to run. B1 systems use mandatory access controls that allow applications to be isolated from eachother completely. Administrative tools can be isolated, web pages can be made read-only to web servers (not based on UID, but only on security level). Finally, good B1 systems implement mandatory controls in the networking. A web admin that comes in from an internal network can be marked with a label that allows him to read/write web pages. The same user coming in from a public network (internet) can be marked with another level that will not allow them to access the pages at all.
To sum this up: Certification tells you that a vendor has created a B1 functional system, and had that fact independently verified by a highly scrutiness team of people. B1 is not about protecting "military secrets" (though it can be), but about providing security functionality that allows secure architectures to be built.
As always, I'm happy to answer more questions.
If anyone can give me insite on doing an interview, I'd really like to talk about how people can use B1 systems to solve real security problems (not military problems).
You can obtain a free Trusted OS that sits on top of Solaris 7 (x86 and sparc) from the Argus Revolution. ISO CDROM images are available for download as well as an online store to order the media from if you like.
The Trusted OS is called PitBull and is made by Argus Systems Group. We are currently porting to Linux (IA64 and 32bit kernels), AIX, and UnixWare.
To address issues of certification. An OS can in fact go through certification and receive a "B1" rating. Argus is currently doing this under the Common Criteria scheme which has replaced both the old US TCSEC and European ITSEC methods of certification. This also includes networking as part of the evaluation.
There is a lot of misinformation being spread around about what "B1" is and how certifications work. I am more than happy to answer any questions in this regard (and am considering writing a FAQ to cover this often misunderstood issue).
As to whether you need B1? If you are running a system that is connected to a public network and you don't want an application exploit to lead to system wide penetration, then you should be running B1. B1 is not just for the overly paranoid crazy person, millitary, and banks.
The whole point of the aforementioned Revolution is to raise awareness in trusted os technology and get people talking about it. If you would like to be involved in these discussions please get involved on the site. I'd love to have people running PitBull, but we are happy to engage everyone that is using trusted os's! The most important thing is to get people to use platforms that actually let them secure their systems. Trusted OS technology lets you do this!
I suspect there may at least be a kernel of truth in this post. And I concur, best wishes to Mr. Garriot. I can still remember how excited I was to buy Ultima 4 from the local Egghead store. Jeff
Actually the first cert was done through the ITSEC process in Europe. I can testify to this as I was personally involved in the procss, and yet it is not cheap. We are currently involved in a common criteria evaluation under the labeled protection profile (B1) to EAL4. This is the highest level of cert underway with the CC. This includes networking. By the way, it is MLS not BLS. All of our documentation is available online for your review, and the results of the CC evaluation will be in the public as well. I am curious why you seem so surprised? Do you have past experience with the evaluation process (TPEP, ITSEC, or otherwise)? I guess I should stress again, this is the real things. Cheers, Jeff Jeff Thompson Software Evangelist and Visionary Argus Systems Group, Inc. e: thompson@argus-systems.com w: www.argus-systems.com
Slashdot Mirror
Interesting comments.
Let me add a little bit to what I was saying before. I think that in the long run you are correct.
Currently, cell phones have penetrated a much larger market space than PDA's have. Also, simple games are mainstream games for the masses. If my cell phone let me play a sports game, I would play it when I was on the toilet, in the bus, etc.. The point being, everyone has them, and they are readily available. People who own cell phones and PDA's tend to leave their PDAs behind before they leave their cell phones behind (I'm sure there are exceptions, I'm only looking at trends).
This is what makes the cell phone an attractive target for these kinds of games. Clearly, the games need to be made for the interfaces that currently exist.
Ok. However, I believe through some recently good conversations with people in the cell business (guys that worked on BlueTooth, and other fun stuff) that cell phones are going to become pure access devices. They are always connected to a global network and when combined with BlueTooth allow all of your other devices to connect as well. For those who don't know BlueTooth is a technology that allows devices to talk to eachother when in close proximity. You can use BlueTooth to have your PDA talk to your cell phone. This means that later, your cell phone will likely just sit in your pocket (maybe as a belt buckle?). Your PDA will talk to it through BlueTooth and be your access device. You could also pull out your laptop and use it on the network for when you needed that kind of hardware.
So, I believe that Cell Phones make a great simple game platform that someone will likely exploit in the short term. However in the long term I think they will be relegated to the task of being your network jack, and other devices will be used to provide the interfaces.
Just some more thoughts,
Jeff
Absolutely! This is why I used the word "can".
On PitBull for example, the web server typically does not run with any privilege. Rather, another daemon runs in a seperate compartment that executes the cgi programs. Communication between the web server and "cgi daemon" is allowed by a small piece of trusted code called a security gate. The security gate essentially sets up a limited pipe between the two processes. This way if the CGI program is exploited, the attacker will not have any special privileges. In fact, it is pretty trivial to set up the cgi programs compartments such that is has no external network access.
This of course depends on what you want to do with CGI. If you want your CGI programs to communicate out to a back-end network (database perhaps) then you would set up your network rules to allow the CGI program to only communicate out the backend on a specific port. This will allow your CGI program to contact the database but do nothing else. It won't be able to modify any files on the system (except the few that may be in its own running compartment).
I completely agree, that sysadmins are absolutely critical in the security process. If you believe your system is totally secure, then you are just sitting around waiting for something bad to happen. Also, admins can be a critical part in the design of a system (particularly if they have relevant security knowledge).
Unfortunately, VVOS is somewhat limited in its configuration abilities. We are giving away our products for free for non-commercial use if you were interested in taking a look at what we do. Obviously I'm biased, but I believe are product is significantly better and more flexible than VVOS.
You can get copies of the software at www.argusrevolution.com and company information is at www.argus-systems.com
Of course, I'd be interested in talking more about your experiences with TOS as its always fun to talk with someone who is actually implementing systems.
Please feel free to drop me a note if you'd like to swap thoughts on trusted os or using them.
Cheers,
Jeff
Jeff Thompson
Software Evangelist and Visionary
Argus Systems Group, Inc.
thompson@argus-systems.com
There are a lot of interesting things being done with Trusted OS today. A number of people are working on commercial TOS for people. Argus Systems Group is doing commercial versions, and Robert Watson is heading up the TrustedBSD port (www.trustedbsd.com)
Trusted OS does not remove security flaws and holes, but it can cause them to give the attacker no real access to the system. Check out the paper I wrote, as it should illustrate this quite nicely.
Cheers,
Jeff
Jeff Thompson
Software Evangelist and Visionary
http://www.argusrevolution.com/
I suspect that in a very short while we will see a whole list of WAP based games released for cell phones. The limited interface of cell phones lends itself well to older technologies and games.
The singular advantage that a cell phone has over the technology that was present for old text based games is its interconnectivity. Clearly, the cell phone is the ultimate platform for multi-player games.
I believe that we will see fantasy based sports games, gambling, and other basic multi-player games (cards, trivia, etc) start to take off on cell phones. In fact, whoever goes after this market with force could easily dominate it and reap huge rewards (Think $10 a month subscription fees with a global customer base).
I'd be interested to hear what others thought about these ideas.
Jeff
Jeff Thompson
Straight Talk - Open, Honest, and Usually Right
http://www.advancenet.net/~jwthomp/
In regards to the change a single thing comment.
How evaluations work under the common criteria is that you make a set of claims and the evaluator (in our case CSC), verifies those claims. This means that in theory one could certify anything.
However, just getting evaluated to meet certain requirements does not mean anything unless people know what those requirements mean. This is why under the Common Criteria there are predefined descriptions of claims that vendors can try to meet. B1 under the Common Criteria is known as the "Labeled Protection Profile". This is what we are certifying to. One part of the evaluation is what hardware and configuration you are setting up on.
This is specified under the TOE or Target of Evaluation. So yes, we are in fact being evaluated on specific equipment (you have to pick something to run your systems on for testing!). In the past you were essentially limited by what you are running on. However, because of this there has been a lot pressure to loosen up this restriction as it really does not make a lot of sense. We are in fact trying to put into our claims, a more flexible hardware claim.
Now with that said, what you have to understand is how certifications are used. In the government and military they are used as tools to help "accreditors" determine if a specific architecture meets the security requirements of the information it will be handling. B1 helps an accreditor determine that a system is sufficient. Being B1 obviously does not guarantee accreditation.
So, in reality even if you run a B1 system on different hardware or with modifications you still have a B1 system. For example, if the system you are using was evaluated with networking using a 10BaseT card, and you switch to a 100BaseT, your system is still B1. It is still functionally B1 and would still very likely be accredited by an accreditor.
If you add a piece of software to the system that is not evaluated to B1, then that software is not considered B1, but your underlying system still is. Now you can certainly do things to create an insecure B1 system, just as you can muck up permission bits on UNIX, the real strength of B1 is not in its name, in its certification, but in its functionality.
B1 systems (and I'm really referring to ours as this is the one I know the best!, though much of this applies to others) break up root powers into a least privilege system. This allows applications to only run with the specific abilities that they need to run. B1 systems use mandatory access controls that allow applications to be isolated from eachother completely. Administrative tools can be isolated, web pages can be made read-only to web servers (not based on UID, but only on security level). Finally, good B1 systems implement mandatory controls in the networking. A web admin that comes in from an internal network can be marked with a label that allows him to read/write web pages. The same user coming in from a public network (internet) can be marked with another level that will not allow them to access the pages at all.
To sum this up: Certification tells you that a vendor has created a B1 functional system, and had that fact independently verified by a highly scrutiness team of people. B1 is not about protecting "military secrets" (though it can be), but about providing security functionality that allows secure architectures to be built.
As always, I'm happy to answer more questions.
If anyone can give me insite on doing an interview, I'd really like to talk about how people can use B1 systems to solve real security problems (not military problems).
Cheers,
Jeff
Jeff Thompson
Software Evangelist and Visionary
Argus Systems Group, Inc.
The Trusted OS is called PitBull and is made by Argus Systems Group. We are currently porting to Linux (IA64 and 32bit kernels), AIX, and UnixWare.
To address issues of certification. An OS can in fact go through certification and receive a "B1" rating. Argus is currently doing this under the Common Criteria scheme which has replaced both the old US TCSEC and European ITSEC methods of certification. This also includes networking as part of the evaluation.
There is a lot of misinformation being spread around about what "B1" is and how certifications work. I am more than happy to answer any questions in this regard (and am considering writing a FAQ to cover this often misunderstood issue).
As to whether you need B1? If you are running a system that is connected to a public network and you don't want an application exploit to lead to system wide penetration, then you should be running B1. B1 is not just for the overly paranoid crazy person, millitary, and banks.
The whole point of the aforementioned Revolution is to raise awareness in trusted os technology and get people talking about it. If you would like to be involved in these discussions please get involved on the site. I'd love to have people running PitBull, but we are happy to engage everyone that is using trusted os's! The most important thing is to get people to use platforms that actually let them secure their systems. Trusted OS technology lets you do this!
Cheers,
Jeff
Jeff Thompson
Software Evangelist and Visionary
Argus Systems Group, Inc.
thompson@argus-systems.com
I suspect there may at least be a kernel of truth in this post. And I concur, best wishes to Mr. Garriot. I can still remember how excited I was to buy Ultima 4 from the local Egghead store. Jeff
Actually the first cert was done through the ITSEC process in Europe. I can testify to this as I was personally involved in the procss, and yet it is not cheap. We are currently involved in a common criteria evaluation under the labeled protection profile (B1) to EAL4. This is the highest level of cert underway with the CC. This includes networking. By the way, it is MLS not BLS. All of our documentation is available online for your review, and the results of the CC evaluation will be in the public as well. I am curious why you seem so surprised? Do you have past experience with the evaluation process (TPEP, ITSEC, or otherwise)? I guess I should stress again, this is the real things. Cheers, Jeff Jeff Thompson Software Evangelist and Visionary Argus Systems Group, Inc. e: thompson@argus-systems.com w: www.argus-systems.com
Argus has ports under way to AIX, UnixWare, and Linux.
Argus Revolution is the online portal where it is being made available from. Free B1 OS, free T-Shirt. What could be better? :)