Until I see someone explain why Win2000 can pass the certification and Linux cannot, you can't really call it FUD.
I don't think it is one can pass and one cannot.
One has corporate bucks to pay for the evaluation. The other does not.
The features required for CAPP are certainly achievable in Linux -- even the enhanced audit. The bigger problem is meeting the assurance requirement. EAL3 and EAL4 require High Level, and to some extent, low-level documentation. Does this exist for the Linux kernel, or is it just code? How is configuration control done? THe ACM requirements call for configuration control. What about Life Cycle Controls? What's there for Linux?
The assurance requierments augure against an open source project. This doesn't mean it is impossible, just that an open source vendor would need to do extra work.
Windows 2000 (all versions) are covered until 2005.
Are you sure? Normally, a CC evaluation is for a specific version of a specific product. Given that the maintenance of assurance process isn't defined yet, that's it.
Of course, NIAP and the Common Criteria folks are working on what the AMA process will be, so there is the possibility that once it is established, Microsoft will sign up for it and maintain the rating. They didn't do that with NT 3.5, but then again, the process was in transition at that point.
For example, Windows NT 3.5 was certified to the NIST 'C2' level (basically, C2 means you have separated the users and require a login). But there was no problem building a 'B2' level (mandatory access control) system with NT3.5; you just had to add some software and hardware to plug the holes.
Wrong. B1 maybe. B2 required modularity in the design of the code, including all included applications that were part of the TCB. It is unclear whether NT 3.5 could have met that requirement.
Boeing's MLS LAN Network Component MDIA,
Version 2
Gemini's Gemini Trusted Network Processor
Honeywell's SCOMP Version STOP Release 2.1
The BLACKER system also made A1, but wasn't a commercial product. The VMS varient was designed for A1, but I"m not sure if it ever completed evaluation (I don't see it on the EPL).
Yes, a mathematical proof of security was required, at least for the mandatory access control policy (folks typically didn't model DAC).
The papers may be posted, but you should still come and attend that session at the conference, for there you can get the full give and take.
[I'll also note the full program is up for the conference, so you can see what other papers, sessions, and tutorials we'll be having. The conference web page is www.acsac.org]
Actually, it was my program he broke (only one user), and as we were carpooling together at the time, and close family friends, I long ago forgave him.
Conferences choose hotels for many reasons other than their website.
For example, from our research into hotels in Las Vegas, if a hotel has both a bar and gaming, then there are legal restrictions on the ability for someone under 21 to make their own reservations their, even on their own credit card (yes, unbelievable isn't it). By staying at a non-gaming hotel, such as the Alexis Park, one can get around those restrictions. I would imagine this might be a concern for Defcon.
If one is trying to negotiate lower rates, and find a hotel that is less smokey, then the field is also much more limited. The newer hotels are often pricier; the older hotels are smokier. These are also factors.
Other factors that come into play are available meeting space, connectivity in the rooms, the willingness of the hotel to negotiate (some hotels do have an attitude). These also influence the decision.
Truthfully, in my experience, the web page of the hotel is usually the lowest concern. It is used for initial fact finding about the hotel, but once the negotiation is done, is not a significant factor.
I just thought I would let folks know there will be another computer security conference at the Alexis Park later this year, of a nature pretty different than Defcon. For those working in the industry, it would be well worth checking out.
The 18th Annual Computer Security Applications Conference will be held the week of December 9-13, 2002 at the Alexis Park. We're still in the process of finalizing the technical program, but I can tell you there will be two days of tutorials, followed by 2.5 days of technical programs. Tutorials will include Information System Security Basics, Understanding Biometric Technology, Denial Of Service Attacks-Background Diagnosis and Mitigation, XML Security, Cryptography and PKI Basics, Mobile and Wireless Security Issues, Risk Assessment, and Survivable Systems Analysis. Invited Speakers include Earl Boebert and Dan Geer. (and you read it on Slashdot first!)
Look for Advance Program information to be going up on www.acsac.org around September 1. If you have questions before then, feel free to visit the site, and contact one of the members of the conference committee.
Daniel (Conference Chair, Tutorial Chair, ACSAC 18)
Actually, the date is for Perl 1
on
Happy Birthday Perl!
·
· Score: 2, Interesting
If you read the history section closely, the date is when Perl 1 was released. I don't think that was the day Larry completed it (he was over in R&D by that time), but it certainly isn't the original birthday of Perl. I should know. I was there.
To tell the story yet again. Larry and I were sharing an office at SDC. Larry needed a program to support a configuration management system he was developing for the BLACKER program. Awk wouldn't do the job of marching through the news directories. And so he developed perl (version 0). I know; for I was the first user, using a combination of perl and other programs to support a data dictionary for the ACC portion of BLACKER, where we would maintain the data dictionary in nroff, and the pascal source would be automatically derived.
So, celebrate if you will, but remember exactly what you are celebrating. And drink and drive responsibly:-)
Orange book security don't just consider the hardware. It includes the installation, location, and all physical access and environments of the machine.
No. Product evaluations do not consider the location, physical access and environments, although certification and accreditation does. There may be assumptions in the documentation about the environment, however.
Nope. An unplugged computer would not meet A1. It lacks the requisite functionality (no audit, no enforcement by the operating system, etc), and likely doesn't have all the assurance evidence (design documentation, test documentation, formal models, etc.)
You would have to do a fair amount of work to make the brick secure.
True, Linux can never be B1 (or any level) certified itself... It can, however be B1 ready, with all the features needed to produce a B1-rated system.
Often, vendors refer to this as having "B1 functionality
Before I go on, note that references to B1 are becoming outdated. The TCSEC is being superseded by the Common Criteria (see commoncriteria.org for details). In this criteria, there are protection profiles (generic statements of requirements), that are crafted into Security Targets for specific Targets of Evaluation. The TCSEC B1 rating is being replaced by the Labeled Security Protection Profile (see http://www.r adium.ncsc.mil/tpep/library/protection_profiles/in dex.html). However, as with the TCSEC, a rating involves not only an evaluation of function, but an evaluation of assurance. This assurance includes design documentation, user documentation, installation instructions, and testing. These factors make it difficult to evaluate a generic Linux installation. The features could also complicate matters. For example, if FPT_SEP (in B1 parlance, System Architecture) is included, there is a requirement that the domain for the policy-enforcing portion of the OS must be protected. This is typically done by using kernel mode, and putting users in user mode. This is typically done on a specific hardware platform, so the platform must be known in order to perform the evaluation.
As for A1, I don't think any modern operating system can reach that level. The proof requirements for A1 certification would be prohibitively expensive for anything but the most scaled down system.
There are few A1 systems, but some do exist. Usually, they are not full OSs, but narrower products such as network guards. You are correct in that they are prohibitively expensive to develop.
One of the subtle points about MACs is that they are required to be persistent *in all media*. This means that MACs should be preserved (and enforced) when a file is copied to removable media,...
Actually, this is only true for multilevel devices. There can be single-level devices that are labelled externally (with paper labels). These require procedural controls to ensure that the labels are proper; the operating system enforces the restriction that only data whose label is dominated (i.e., less-than-or-equal to) may be copied to the device (some systems choose to enforce an "equal" policy, which is stricter).
Slashdot Mirror
Until I see someone explain why Win2000 can pass the certification and Linux cannot, you can't really call it FUD.
I don't think it is one can pass and one cannot.
One has corporate bucks to pay for the evaluation. The other does not.
The features required for CAPP are certainly achievable in Linux -- even the enhanced audit. The bigger problem is meeting the assurance requirement. EAL3 and EAL4 require High Level, and to some extent, low-level documentation. Does this exist for the Linux kernel, or is it just code? How is configuration control done? THe ACM requirements call for configuration control. What about Life Cycle Controls? What's there for Linux?
The assurance requierments augure against an open source project. This doesn't mean it is impossible, just that an open source vendor would need to do extra work.
Daniel
Windows 2000 (all versions) are covered until 2005.
Are you sure? Normally, a CC evaluation is for a specific version of a specific product. Given that the maintenance of assurance process isn't defined yet, that's it.
Of course, NIAP and the Common Criteria folks are working on what the AMA process will be, so there is the possibility that once it is established, Microsoft will sign up for it and maintain the rating. They didn't do that with NT 3.5, but then again, the process was in transition at that point.
Daniel
For example, Windows NT 3.5 was certified to the NIST 'C2' level (basically, C2 means you have separated the users and require a login). But there was no problem building a 'B2' level (mandatory access control) system with NT3.5; you just had to add some software and hardware to plug the holes.
Wrong. B1 maybe. B2 required modularity in the design of the code, including all included applications that were part of the TCB. It is unclear whether NT 3.5 could have met that requirement.
Daniel
The BLACKER system also made A1, but wasn't a commercial product. The VMS varient was designed for A1, but I"m not sure if it ever completed evaluation (I don't see it on the EPL).
Yes, a mathematical proof of security was required, at least for the mandatory access control policy (folks typically didn't model DAC).
Daniel
[I'll also note the full program is up for the conference, so you can see what other papers, sessions, and tutorials we'll be having. The conference web page is www.acsac.org]
Daniel
Actually, it was my program he broke (only one user), and as we were carpooling together at the time, and close family friends, I long ago forgave him.
Daniel
Perl's Paternal Godparent
Conferences choose hotels for many reasons other than their website.
For example, from our research into hotels in Las Vegas, if a hotel has both a bar and gaming, then there are legal restrictions on the ability for someone under 21 to make their own reservations their, even on their own credit card (yes, unbelievable isn't it). By staying at a non-gaming hotel, such as the Alexis Park, one can get around those restrictions. I would imagine this might be a concern for Defcon.
If one is trying to negotiate lower rates, and find a hotel that is less smokey, then the field is also much more limited. The newer hotels are often pricier; the older hotels are smokier. These are also factors.
Other factors that come into play are available meeting space, connectivity in the rooms, the willingness of the hotel to negotiate (some hotels do have an attitude). These also influence the decision.
Truthfully, in my experience, the web page of the hotel is usually the lowest concern. It is used for initial fact finding about the hotel, but once the negotiation is done, is not a significant factor.
D
I just thought I would let folks know there will be another computer security conference at the Alexis Park later this year, of a nature pretty different than Defcon. For those working in the industry, it would be well worth checking out.
The 18th Annual Computer Security Applications Conference will be held the week of December 9-13, 2002 at the Alexis Park. We're still in the process of finalizing the technical program, but I can tell you there will be two days of tutorials, followed by 2.5 days of technical programs. Tutorials will include Information System Security Basics, Understanding Biometric Technology, Denial Of Service Attacks-Background Diagnosis and Mitigation, XML Security, Cryptography and PKI Basics, Mobile and Wireless Security Issues, Risk Assessment, and Survivable Systems Analysis. Invited Speakers include Earl Boebert and Dan Geer.
(and you read it on Slashdot first!)
Look for Advance Program information to be going up on www.acsac.org around September 1. If you have questions before then, feel free to visit the site, and contact one of the members of the conference committee.
Daniel (Conference Chair, Tutorial Chair, ACSAC 18)
If you read the history section closely, the date is when Perl 1 was released. I don't think that was the day Larry completed it (he was over in R&D by that time), but it certainly isn't the original birthday of Perl. I should know. I was there.
:-)
To tell the story yet again. Larry and I were sharing an office at SDC. Larry needed a program to support a configuration management system he was developing for the BLACKER program. Awk wouldn't do the job of marching through the news directories. And so he developed perl (version 0). I know; for I was the first user, using a combination of perl and other programs to support a data dictionary for the ACC portion of BLACKER, where we would maintain the data dictionary in nroff, and the pascal source would be automatically derived.
So, celebrate if you will, but remember exactly what you are celebrating. And drink and drive responsibly
Daniel
Perl's Maternal Godparent.
No. Product evaluations do not consider the location, physical access and environments, although certification and accreditation does. There may be assumptions in the documentation about the environment, however.
You would have to do a fair amount of work to make the brick secure.
Often, vendors refer to this as having "B1 functionality
Before I go on, note that references to B1 are becoming outdated. The TCSEC is being superseded by the Common Criteria (see commoncriteria.org for details). In this criteria, there are protection profiles (generic statements of requirements), that are crafted into Security Targets for specific Targets of Evaluation. The TCSEC B1 rating is being replaced by the Labeled Security Protection Profile (see http://www.r adium.ncsc.mil/tpep/library/protection_profiles/in dex.html). However, as with the TCSEC, a rating involves not only an evaluation of function, but an evaluation of assurance. This assurance includes design documentation, user documentation, installation instructions, and testing. These factors make it difficult to evaluate a generic Linux installation. The features could also complicate matters. For example, if FPT_SEP (in B1 parlance, System Architecture) is included, there is a requirement that the domain for the policy-enforcing portion of the OS must be protected. This is typically done by using kernel mode, and putting users in user mode. This is typically done on a specific hardware platform, so the platform must be known in order to perform the evaluation.
As for A1, I don't think any modern operating system can reach that level. The proof requirements for A1 certification would be prohibitively expensive for anything but the most scaled down system.
There are few A1 systems, but some do exist. Usually, they are not full OSs, but narrower products such as network guards. You are correct in that they are prohibitively expensive to develop.
Actually, this is only true for multilevel devices. There can be single-level devices that are labelled externally (with paper labels). These require procedural controls to ensure that the labels are proper; the operating system enforces the restriction that only data whose label is dominated (i.e., less-than-or-equal to) may be copied to the device (some systems choose to enforce an "equal" policy, which is stricter).