XMarks on Firefox started acting up as soon as Firefox did the "Legacy" S**t. The behavior has forced me over to Chrome. Xmarks is still useful if you want to have some disjoint and some synced bookmarks: I used to have different bookmark toolbars at work and at home, but a shared subset of bookmarks that allowed me to bookmark something at work, and see the bookmark and write about it on my blog from home. It also lets me sync the bookmarks between different browsers (well, it did), so that there was a standard set of bookmarks no matter which browser I used.
That's right. The SR-52 (and its non-programmable close cousin, which could also use the PC-100A printer, the SR-56). Up until just a few years ago, I had the SR-52, loads of cards and manuals. I sold it on eBay once I confirmed the card reader was dead as a parrot. But I did miraculous things with it when it worked... back in high school and college in the mid-1970s.
My understanding also is that configuration management comes into play, in that the DoD is unsure that the open source software has been developed with appropriate CM. Remember that CM is more than a simple CVS type system: it is also a system where the changes are reviewed before they are incorporated for impact and for security.
There are also assurance issues, as was noted above. There are some attempts to assess the quality of open source software; I'm aware the DHS has an initiative with Coverity; see http://scan.coverity.com/.
I've read through the article, and I've read through the discussions here. The article really doesn't say that much.
Red Hat is talking about working with NIAP. This means they are going for a Common Criteria rating, which simply means it will be easier for the government to purchase the product for DoD acquisitions.
Does it mean the product is more secure? Only in press releases.
Security consists of two aspects: the functions provided to address threats in the environment (functional), and the confidence that those functions are correctly implemented (assurance). For a given product, the functional and assurance requirements are defined in the Security Target. As the article never mentioned the target, we have no idea what functions are claimed (although we can presume it is likely the set of C2 functions from TCSEC days, but that's unclear). This is important: I've seen products with really useless functions get evaluated, and I've seen ones with a reasonable function set.
Next is the assurance question. EAL4 was mentioned, which is simply the highest level that can get mutual recognition. It is only moderate security... and again, only provides assurance relative to the functions that are claimed. Assurance is also related to the environment. If this product is for a "benign" environment, then it won't be subjected to strong testing.
This all comes together in the testing, which is relative to the functions and assurance. If there isn't strong vulnerability testing, then you only have relatively simple functional testing. If there is vulnerability testing, this is more in relation to the claimed functions. For example, if the product doesn't claim that it protects against denial of service attacks, then the vulnerability testers don't have the obligation to see if they can create a denial of service condition.
In short, this is a long way of saying: this is a press release, and needs the usual grain of salt. Get the Security Target. Read it. Understand the claimed security. This is true for ANY evaluated product.
Actually, if I recall Brad's recent articles (which, alas, are up on LiveJournal), they've moved away from MySQL. If you read earlier, Brad noted they've moved to InnoDB. He also noted "We have clusters of 2 identical databases in separate cabinets, separate switches, separate Internap power feeds... so normally losing one database in each cluster doesn't matter: the other one gets used. But when we lose every single database, in all clusters, all at once... that's the time to be paranoid and double check stuff."
I've been very impressed with their network infrastructure. In fact, I'm so impressed I (ummm) study it quite a bit every day.
What those who believe the site is slashdotted don't realize is that they have put in load balancers that give preference to paid subscribers. Brad posted a blog entry on that yesterday, showing under 1 sec response time for paid subscribers, but up to 15 sec (they are waiting for new servers to be delivered) for unpaid subscribers.
It is actually very relevant, if Linux is to achieve penetration into the DoD market. New govt policies (8500.1/8500.2) mandate the use of evaluated products if they exist in a category. In order to use Linux, an evaluated product is required (not to mention other hoops, such as JTA).
Who is using it? I work with people in the federal government (NIST/NSA) who don't know anything about the CC or PPs or STs, and they authored the @#!&$ thing. My military clients know nothing about it either. It hasn't caught on in five years or however long it's been out.
Just because they aren't using it now doesn't mean they won't be. The latest DoD Security Policies (DoD 8500.1/8500.2), as well as the emerging DIACAP, will require its use.
So this cert is basically just a bunch of bribing shit? Just buy their little logo to put on your website?
There is no bribing; that I can assuredly say (at least for the US, where I'm involved with the process). I don't believe it is happening elsewhere either.
The evaluation labs do an honest evaluation of the product, and there is scheme oversight to ensure that they do. Schemes monitor themselves to ensure that there is consistency across the schemes.
So, don't go blaming evaluation labs or oversight. The usual problem is a bad security target, or people reading the certifications without reading the targets.
It's pretty well common knowledge in the security community that Microsoft paid for that certification.
Actually, in today's model, ALL VENDORS pay for their certification. All the government provides is oversight to the commercial labs that do the actual evaluation.
It is the vendor's responsibility to (a) pick a scheme (i.e., in which country will evaluations be done: US, UK, France, Germany, etc.) -- differing countries have different forms of oversight, but supposedly the same level of rigour; (b) pick an evaluation facility in that country (for the US, you can see the list by visiting the CCEVS webpage). The vendor also gets to develop the claim of what security features are present (i.e., the security target).
This is VERY different from the older "Orange Book" evaluation paradigm, where the government wrote the criteria (TCSEC), and the government evaluated against the criteria (TPEP).
It would be useful if folks took some time to learn whereof what they speak.
As has been noted in other comments, a statement of an EAL with respect to an evaluation, in isolation, is MEANINGLESS. EAL4 refers to a particular level of confidence that the claimed functions are implemented correctly. ONLY those claimed functions.
How are those claimed functions determined? Look at CC Part 1. They are based either on a specific set of organizational policies (such as the DoD) or determined in response to specific threats. There is also a specific set of assumptions. You must read these to determine what your actual security is; they are contained in the Security Target.
In the case of Windows 2000, a claim was made against the Controlled Access Protection Profile. This is roughly C2 functionality, but what is more important: it is for a BENIGN environment. Thus, there wasn't extensive penetration testing done. This is great for many DoD applications, as the systems are used in a closed environment, with trusted people, and no internet connections.
However, most people deal with hostile environments -- the internet. The evaluation didn't occur against that threat; thus, there were no functions added (nor the requisite assurance) against that threat. I'm sure there is something similar for Red Hat.
Folks, don't take the easy approach of looking at a rating. It is as useless as looking at Thumbs Up or Thumbs Down to see a movie. Take the time, read the specification, and read the reviews.
and the testers assign an assurance rating depending on how probable it is you actually got it right.
Actually, the testers don't assign the EAL. It, too, must be claimed in the target, and determines how much work the evaluators do. (And the evaluators must follow a specific procedure, called the Common Evaluation Methodology, that is overseen by an approved government organization. See the NIAP Web Page for more information.)
I didn't know you guys were doing that. It looks like [digitalnet.com] you guys have built a ground up proprietary security OS with XTS-400
Actually, they've been doing it much longer. XTS-400 is the grandchild of the B3-rated XTS-200, the first B3 rated system (XTS-300 was also B3 rated). The XTS-200 evaluation was in the early 1990s (at least that's when I was on the team). And XTS, of course, is the "Son of SCOMP", the first A1 semi-commercial operating system.
do the tests themselves work. Unfortunately, a lot of stuff in the computing world revolves around Windows - so it could be a matter of adding criteria to the test based on what Windows does or "is supposed to do."
It's one thing to say "Operating System A has this security feature while Operating System B does not", but it's a moot point when the way in which System B operates makes such a feature unnecessary anyway, or if there's a better/different way of doing it that isn't written on a sheet of paper.
This is where understanding the Common Criteria and how it works is critical. So take your seats, boys and girls, for a little primer.
The Common Criteria is not a criteria, per se, but a catalog of potential ways to address threats. When one writes a security target, one begins by enumerating the environment in which the product works: the assumptions, the threats the product will address, the threats the environment will address, and the policy. One then creates objectives for both the product and the environment to address those threats. To implement each of the objectives, one selects components from the CC.
In a security target (ST), this is a statement of "This is what I do". A Protection Profile (PP) is a statement of "This is what I want". One can build a target that is compliant with the PP; this is "You want this; here's how I give it to you".
But the key thing is that the target details the functionality the product claims. The evaluation process provides confidence that what is claimed is what is implemented.
Confidence, or in CC speak, assurance, comes in a variety of areas: how the design was documented and developed, what guidance is given to users, how thoroughly the product was tested, whether configuration management was in place, etc. These assurance areas are arranged into a set of 7 EALs, where EAL1 is "I ran a test and it worked", and EAL7 is formally specified and verified with penetration testing, etc.
Well, that's a quick introduction. Hopefully, this helped.
Daniel
(Want to learn more about security? Attend the Applied Computer Security Applications Conference (ACSAC).)
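As an added illustration of the primer above and of the functional-versus-assurance point made earlier in the thread (this is example code written for this page, not anything from the thread or from any real product's Security Target): a small checker that models the ST chain, environment (assumptions, threats, policies) to objectives to CC Part 2 components, and reports where the rationale has holes and which functional classes the claimed components never touch. The two STs below are constructed; the component and class identifiers are real CC Part 2 names.

```python
"""Trace checker for a Common Criteria Security Target (ST).

Added example, not from the original thread or any real product's ST.
It models the chain the primer describes: environment (assumptions,
threats, policies) -> security objectives -> CC Part 2 components, and
reports gaps in the rationale plus the functional classes for which the
evaluation gives no assurance at all. All ST contents are constructed.
"""
from dataclasses import dataclass

# CC Part 2 functional class identifiers (real), abbreviated names.
FUNCTIONAL_CLASSES = {
    "FAU": "Security audit",
    "FCS": "Cryptographic support",
    "FDP": "User data protection",
    "FIA": "Identification and authentication",
    "FMT": "Security management",
    "FPR": "Privacy",
    "FPT": "Protection of the TSF",
    "FRU": "Resource utilisation",
    "FTA": "TOE access",
    "FTP": "Trusted path/channels",
}


@dataclass
class SecurityTarget:
    name: str
    eal: int
    assumptions: dict   # "A.x" -> what the environment is trusted to provide
    threats: dict       # "T.x" -> threat the TOE or environment must counter
    policies: dict      # "P.x" -> organisational policy to uphold
    objectives: dict    # "O.x" (TOE) / "OE.x" (environment) -> set of A./T./P. ids
    components: dict    # "FIA_UAU.2" etc. -> set of O. ids the component implements


def unaddressed_environment_items(st):
    """Assumptions, threats or policies that no objective traces back to."""
    covered = set().union(*st.objectives.values())
    wanted = set(st.assumptions) | set(st.threats) | set(st.policies)
    return sorted(wanted - covered)


def unimplemented_objectives(st):
    """TOE objectives (O.*) that no claimed component implements.
    OE.* objectives are met by the environment, so they need no component."""
    implemented = set().union(*st.components.values())
    toe_objectives = {o for o in st.objectives if o.startswith("O.")}
    return sorted(toe_objectives - implemented)


def claimed_classes(st):
    """Functional classes touched by the claimed components (FIA_UAU.2 -> FIA)."""
    return sorted({c.split("_")[0] for c in st.components})


def unclaimed_classes(st):
    """Classes the evaluation says nothing about, whatever the EAL."""
    return sorted(set(FUNCTIONAL_CLASSES) - set(claimed_classes(st)))


def report(st):
    """Everything a reader of the certificate alone would not see."""
    return {
        "name": st.name,
        "eal": st.eal,
        "unaddressed": unaddressed_environment_items(st),
        "unimplemented_objectives": unimplemented_objectives(st),
        "unclaimed_classes": unclaimed_classes(st),
    }


# Constructed CAPP-like ST: the network threat is assumed away (A.CONNECT),
# so nothing in the trace asks for trusted path, crypto, privacy, etc.
BENIGN_ST = SecurityTarget(
    name="Constructed OS (benign environment)",
    eal=4,
    assumptions={"A.CONNECT": "No untrusted network connections"},
    threats={"T.UAUSER": "Unauthorised user gains access",
             "T.UAACCESS": "User reads data they are not authorised for"},
    policies={"P.AUDIT": "Security-relevant events are recorded"},
    objectives={
        "O.AUTH": {"T.UAUSER"},
        "O.DAC": {"T.UAACCESS"},
        "O.AUDIT": {"P.AUDIT"},
        "OE.PHYSICAL": {"A.CONNECT"},
    },
    components={
        "FIA_UID.2": {"O.AUTH"}, "FIA_UAU.2": {"O.AUTH"},
        "FDP_ACC.1": {"O.DAC"}, "FDP_ACF.1": {"O.DAC"},
        "FAU_GEN.1": {"O.AUDIT"}, "FMT_MSA.1": {"O.DAC"},
    },
)

# Same product, same EAL, but the author now claims an internet threat and an
# objective for it without claiming any component: the trace has a hole.
HOSTILE_ST = SecurityTarget(
    name="Constructed OS (hostile network claimed)",
    eal=4,
    assumptions={},
    threats={**BENIGN_ST.threats,
             "T.NETWORK": "Remote attacker tampers with user sessions"},
    policies=BENIGN_ST.policies,
    objectives={"O.AUTH": {"T.UAUSER"}, "O.DAC": {"T.UAACCESS"},
                "O.AUDIT": {"P.AUDIT"}, "O.TRUSTED_PATH": {"T.NETWORK"}},
    components=dict(BENIGN_ST.components),
)

if __name__ == "__main__":
    for st in (BENIGN_ST, HOSTILE_ST):
        print(report(st))
```

Both STs carry EAL4, yet only the report shows that the benign one says nothing about FCS, FPR, FRU, FTA or FTP and that the hostile one claims an objective it never implements.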
That is, it's certified secure on hardware X, and software Y. I know that's what C2 security ratings are all about. However, I'm not sure if the common criteria includes the hardware or not.
This is a big difference between the CC and the TCSEC, and why you need to read the Security Target.
In the Common Criteria, certain requirements can be levied on the IT environment. Thus, it is possible to evaluate a software only product. But this must be made clear in the Security Target.
Correct...but, this could be a first step towards the C2 certification
C2 refers to ratings under the TCSEC. For government use, the TCSEC has officially been cancelled. Thus, no one is going for C2 anymore. The closest equivalent are products that are compliant with the Controlled Access Protection Profile (CAPP), or soon, the Operating System Profile for Basic Robustness. You can learn more about these profiles at the IATF website.
I see the problem. You're confusing two things. I was talking about how long the Common Criteria rating is good for. That rating applies only to SP3, unless MS applies a maintenance of assurance process to the product.
You are talking about how long Microsoft will support the product.
Actually, Microsoft was evaluated against the CAPP. Unless they added stuff in the target, this would exclude Cryptographic Support (FCS), Privacy (FPR), Resource Utilization (FRU), TOE Access (FTE), and Trusted Path (FTP).
You need to read the Win2K target to see what the functional requirements were.
Sorry about that. I somehow had the idea that the highest levels were '1'.
In the TCSEC, the digraphs went from D to A, and within each, from 1 up. C was discretionary access control, B added mandatory access control, and A was formally modeled. The full order was D
Just to clarify, I didn't mean to imply that NT3.5 ever received a B1; just that it could be configured to meet that level.
Configured, no. NT 3.5 had no facility for putting security labels on files (Unclass, Secret, etc.), or for using those labels for access decisions. It probably could have been added, but wasn't part of the standard product.
The main point being that while a specific cert might be nice in the PR wars, how you apply the system is what's important. For example, just as soon as a W2K user loads MS Office onto that machine, the cert is no longer valid.
I'd have to read the report, but Office might be viewed as just an application not affecting the kernel (again, I need to read the report). However, the ratings are more than just PR--they are of critical importance to government agencies who must buy rated products.
The CC cert is less revealing than a NIST cert, because the CC evaluate the design of the system, and only a part of the implementation.
This comment doesn't make sense. The CC certification *is* a NIST cert, so to speak, as it is awarded by NIAP, a joint NSA-NIST program.
So it is better suited to show that a developer has good security processes, rather than secure products.
Again wrong. The CAPP includes both functional requirements as well as assurance requirements. You can find more information on evaluations at niap.nist.gov.
And let's not slight MS here. From what I've seen, they are making an honest effort to secure their products. I think they've finally reached the point at which they have to in order to stay in business.
It does appear they are endeavoring to add security features to their products, yes. My problems with Microsoft are less in the features they add, but the thought they put into them, and that they don't fully think out the ramifications or take the time to appropriately test them. With a product so complicated, it is difficult to do so.
Common Criteria does not mean secure. There are multiple levels of the Common Criteria that mean different things. It doesn't appear that the article states the level achieved.
This implies the CC is like the old TCSEC, with multiple digraphs. Wrong.
The CC is more of a Chinese menu. One from column A, one from column B.
In the CC paradigm, one determines the threats, assumptions, etc, for the system, and then builds a set of requirements, both functional and assurance, to address these threats. The requirements used are drawn from the CC, and expressed in a security target.
To simplify things, one can use a protection profile as the basis for their target.
But the CC itself does not provide leveled bundlings of functional and assurance requirements as the TCSEC did.
Alt-F3 brings up reveal codes in WordPerfect, something that Word doesn't have.
Oh. Nevermind.
Pay no attention to that man behind the curtain
(Quickly he scurries off to bed. It's been a long day)
Why did they discontinue the portal? It seemed like a good idea to provide a centralized list of evaluated profiles and products.
While the site had its share of problems, I agree that discontinuing it was bad, especially with no notice.
I have my guesses as to why it was discontinued, the primary one being funding for the CC Project as its own entity.
Daniel