Slashdot Mirror


User: plcurechax

plcurechax's activity in the archive.

Stories: 0 · Comments: 606

Comments · 606

  1. Re:What good is Censored Communication? on During Blackout, Ham Radio Shined · · Score: 1

    Yes, hams get to play with cool toys. But ham radio is censored - it's self-censorship by the users, under the threat of license revocation and social pressure from other hams, but it's still censored, and that makes it much less useful. That's why unlicensed spectrum like the 2.4GHz band used by 802.11b and 5GHz used by 802.11a are *so* critical. We could do so much more if the ham bands weren't censored.

    As a licensed amateur I am glad in a way. It limits the demand for those amateur frequencies. If it was a free-for-all like CB (GRS) then I would have a harder time using amateur radio for what I enjoy using it for, experimenting.

    If I want Internet access I use either my cable modem or my own 802.11b access.

    I don't have a problem with spam on packet, I don't get popup ads on the BBSes, and I don't need to upgrade my PC every other year to keep up with the Joneses, I don't need to install Internet Explorer because some web site only works with IE. It is a smaller, friendly (mostly), simpler, but still a nice place to visit. Sure I wouldn't want it to be my only digital communications access, but it is a very nice way to do some things.

    The ARPANET had its Acceptable Use Policies against non-official use, and its unofficial very flexible policies that you could talk about anything you want _except_ business

    ARPANET (and NSFNET)'s AUPs didn't kill the Internet, and in fact perhaps were necessary to allow the breakage to do things like the Usenet reorg, the switch from NCP to TCP/IP, the upgrade to DNS, the isolation to tame the Morris worm. If all the big hubs were ISPs with SLAs to worry about, and e-commerce that could be affected, would all those upgrades happen as easily? Is that why IPv6, DNSSEC, and IPsec still have not been rolled out globally after how many years of talking about it?

  2. Re:Right ON! on Hams Complain about Powerline Broadband · · Score: 1

    If, by sacrificing the entire HF radio spectrum, we could actually wire every home in the USA for economical broadband Internet access, I honestly wouldn't oppose it.

    While this might be sensible if all that was affected was amateur radio hobbyists I might agree too. But since HF is still an important backup and emergency communications infrastructure I do not agree with such an idea. Sure it has lots of downsides compared to other high-tech solutions. But those high-tech solutions are expensive and require extensive infrastructure to work. But you start cutting trans-Atlantic or trans-Pacific cables, how quickly and how well can satellite communications scale to handle the increased traffic load? Space weather affects satellite communications, or did you forget about the Galaxy IV malfunction as well as countless other satellite problems (e.g. AO-40).

    I will say that I don't believe that power-line distribution makes sense for broadband Internet.

    I think you are right, this will be more important than HF users' (especially amateur radio operators') complaints. I doubt there is little to no advantage of BPL over other broadband methods, such as various DSL technologies (such as G.lite), cable modems, and DSS like DirecPC.

  3. Re:Right ON! on Hams Complain about Powerline Broadband · · Score: 1

    start shooting down satellites

    You mean like Ronald Reagan's failed "Star Wars", the National Missile Defense (NMD) that planned to put weapons, and start the arms race, in space.

    Or maybe George W Bush's "Son of Star Wars?" Which is the same thing only scaled down.

  4. 12 in the last half an hour or so on Microsoft Virus Spam: SoBig.F · · Score: 1

    I've had about a dozen in the last half an hour.

    At least now I know why I am getting so many, and why there seemed to be some new variety to the messages (and the attachment file names).

  5. Managers, ARM, and such on Ph.Ds in IT - Good or Bad for a Career? · · Score: 2, Interesting

    Most average or mediocre managers don't like "really smart" people under them. They worry that you may make them look bad (be vindictive), or be a snob and put other team members down.

    Ph.D.s have a reputation of not being good team players. This comes from working alone on your thesis for a number of years, often independently and not in a close-knit research group. All real world companies need team players, because no one person can (or should) do everything.

    Hiring staff (HR or the technical manager) avoid PhDs for low/entry level positions because of the boredom and leaving factors. They worry that you will leave at the first better job offer. The best way to fight this is, if you really are excited about the job, show your excitement, and try to only take interviews with jobs you plan to stay at.

    Once upon a time I had an interview at ARM the microprocessor design company, they were looking for a couple of IT positions (security and development) and my CV interested them. When I got into the interview, the fact that almost got me hired was that I was a licensed amateur radio (ham) operator. Since hams tend to have a boat-load of practical hands-on experience with building and fixing things, they were very keen on this. I wasn't going to touch an MPU design, or even work on embedded systems, but it was this practical experience that they looked for.

    If you want to work for AMD, Intel, ARM, IBM Research, Microsoft Research, or AT&T Research, then get your Ph.D. If you want to muck with designing systems to be built, get your Masters and get experience.

    Education is important, but experience is golden.

  6. Law, insurance, and your life on Solving a Wiring Mess? · · Score: 1

    How much do you value your life? Seriously. Untrained people working on AC mains, whether a mere 120 Volts or 220 V, can be risking their lives. Since you do not appear to be a trained and licensed electrician, hire someone who is, preferably a good one.

    You may have broken the law by removing the mains panel. This varies from state to state or province to province so I can't say for sure in your case, but there are always provincial or state laws you need to abide by. They exist to prevent fatal accidents and to reduce risk of fire.

    I suspect it will also be cheaper and quicker to hire a professional firm than attempt some random upgrades which, if they do not result in sudden death or injury, may increase your chances of electrical fires.

    Finally, the insurance at your workplace is void if work that requires a licensed electrician is done by someone who is not licensed in your state or province.

    So, in my opinion, the only lawful and sensible solution is to hire a licensed electrician to rewire your distribution panel to replace the inadequate wiring, and do your new wiring.

    Some cost savings aren't worth it.

  7. Cryptographic Strong Random Number Generators on LavaRnd: A Open Source Project for Truly Random Numbers · · Score: 2, Informative

    When designing and building a physical cryptographically strong random number generator (CSRNG, not CSPRNG) you are looking for many things including:

    * a uniform or near uniform distribution of the output.
    * it must be unpredictable
    * it should be very hard / impossible for an attacker to influence the output of the CSRNG.

    The first two are reasonably easy with a physical RNG, but the last one is the kicker when it comes to actually implementing the CSRNG.

    The attacker shouldn't be able to influence it by poking a pin-hole in the case (of a light sealed chamber around the CCD), or putting a heat source next to a lava lamp (so the goo stays at the top).

  8. Re:Not wanting to put a downer on things... on Better Power Supply Roundup · · Score: 1


    After all, not every Zalman ZM400A-APF is going to have a 12V min/max fluctuation of only 0.005V, and not every Enermax EG651P-VE FMA 550W is going to have a fluctuation of 0.65V.


    If the fluctuations are due to the switching power supply and regulator design, then yes these measurements are going to be similar on other samples of these models (assuming no revision changes).

    Modern electronics components are amazingly reliable and consistent as long as you don't use surplus parts (or capacitors made from incorrect stolen information) and operate them within their specifications. Most components are either DOA, and thus found before they leave the factory, or die from common but well understood semiconductor failures (thermal breakdown, static discharge, etc.)

    Though I agree, for the most accurate testing, multiple samples should be used. That's just standard scientific method.

  9. Re:External supplies on Better Power Supply Roundup · · Score: 2, Insightful


    When wiring up electrical systems, it is important to remember that your long runs should always be done with high voltage cable. For instance, from the wall to the power supply is 120V AC. Once the voltage is reduced, the runs need to be kept as short as possible, since every foot of cable loses substantially more power at the increased current required.


    Well, you have to also factor in that AC travels much better than DC. That debate goes back to Edison and Tesla, and Tesla got it right. That's why your mains power (that comes out of your wall socket) is high voltage AC and not DC.

    A minor reason is that I suspect that switching power supplies with long DC leads would act as unintentional radiators (i.e. accidental antennas) at LF, 20-40kHz typically I believe in most computer power supplies. Thus they would be unable to get FCC approval due to the RF noise.

  10. For anyone who thinks PS don't matter on Better Power Supply Roundup · · Score: 4, Informative

    I just built a new Athlon XP (2600+) based system, and the power supply was the most frustrating part to get working correctly. I bought a generic case with a 300W Pro-Power ATX power supply. It had useless regulation, the 12V rail measured at 12.8V with the system on and idle, and jumped to 13.2V when running some math calculations that I use for stress testing (www.mersenne.org).

    So I spent a Saturday trying to find a local computer dealer open that had any power supplies in stock. Most were sold out because of recent lightning storms (note: most didn't fail right away), anyhow about 2 hours of looking and driving I found a Codegen 300W ATX supply. It didn't set off the SilentPC power alarms, but it failed the stress testing, with errors in about 1 hour of testing. The CPU temperature was fine (40-42 C) but I suspect the power wasn't clean which introduced memory or logic glitches.

    Finally after a week, I got a ThermalTake 360W power supply and my system works fine.

    So anyone who has an unstable system, it may not be all the fault of the OS, but a poor or underpowered power supply.

  11. Re:disclosure to technical people on Disclosure of Major Software Exploits by Students? · · Score: 1

    Are you NUTS? ADMIT to someone in authority that he broke into the system?

    Nuts, no. I was once invited to the computer centre to explain some login anomalies with my own account. When I admitted to sharing my account with another user. They ended up hiring me for 6 years on a steadily increasing salary.

    Depending on the university's attitude, that could lead to anything from expulsion to a few years in a pound-you-in-the-ass prison.

    Doubt that. Universities strongly prefer to quietly deal with any and all incidents of security, from computers to rape, in private with their own university judicial system if possible. If there is nothing in the media to embarrass them, the computer centre has no interest in making it a public issue. Common discipline would be losing your account until end of the semester.

    If you absolutely feel the need to confess, do NOT confess to the IT people. They have a duty to the University and to the integrity of their systems, and no duty at all to you.

    Or you could act like a responsible adult, and take responsibility for your actions.

    All computing service staff I have been employed with, or had help me as a student, have always been nice and helpful to me if I tried to make their life easier. And the converse, if you make their life hard, they will return the favour.

    Like in court, penalties for admitting wrongdoing are lower than having to have a full investigation. The expense if they hire outside experts may be passed on you as part of a fine.

    Making an example out of you is a perfect way of covering their embarrassment.

    Most university staff have more important and interesting things to do than to make (paper) work and attend meetings (of university judicials) for themselves. If you don't embarrass them, they will act in a rational and reasonable fashion.

  12. disclosure to technical people on Disclosure of Major Software Exploits by Students? · · Score: 1

    I have written and -selftested proof-of-concept exploit code.

    This part bothers me, but I am not clear on whether you tested this on your university's live system. If so, you have committed a crime.

    If this is the case, I would recommend you turn yourself in, find the university computing services staff member who is responsible for the system, and talk to them in person. Tell them you have found a security problem, and that you have altered data on their system. Specify what data you have changed (i.e. your grades, or whatever).

    You are in the role of damage control, if you have made unauthorized access to a system you do not have the authorization to modify. You may have broken the law. If this is the case, cooperate in an attempt to get no charges laid, and get the problem fixed.

    If you have not attacked the university's systems, find a technical contact with the software manufacturer, and inform them you believe there are security problems with ___. Do not mention any exploit code in early conversations.

    If the company does not respond to you informing them of security flaws, follow the full disclosure policy as outlined by RainForestPuppy's RFPolicy.
    Strongly avoid releasing exploit code while there is no fix. That should be a last ditch attempt at forcing them to admit there is a problem. Also give them lots of time to get their fix out, once they do acknowledge there is a problem and want to fix it.

    The ethical thing to do is to take responsibility for your own actions, then to help serve the public good by reducing the security risk to all those vulnerable systems by attempting to get a security fix released.

  13. Re:It makes sense on Maryland Plans Code Review for Voting Software · · Score: 1

    It makes sense that they don't want their code to be open source, because then ALL the bugs will be found.

    Care to back that claim up? According to this paper by Dr. Ross Anderson, Cambridge University Computer Lab, not all flaws will be found by the good guys (i.e. the honest public) and fixed. Even with many times the resources of a single enemy.

  14. Re:Small companies too? on The Career Programmer · · Score: 2, Interesting

    Is it better in small companies? non-profits?

    I had a wonderful time working for a small university, except the work was as boring as dirt. All I was doing was report programming.

    A small software house that wasn't doing too well, staying alive, but not as profitable as the owners wished it was, things weren't great. Little politics, but there was no standardization, and you end up managed by whims or the most recent trendy manager's magazine article. In 11 months we went through C, Delphi, VB, DCOM, TCP/IP, Corba, Java, JavaBeans -- not much ever got actually done. There was also no internal procedure when management pulled dirty tricks, from pressuring workers into unpaid overtime, to harassment and (violent) intimidation.

    Watching a friend not get his paycheque, because his employer was cash-strapped that month, wasn't very pretty. It was also the beginning of the end of that small company.

    Best job: small development team within a federal government department. There are issues or concerns, but no death marches, there is a harassment policy, a contract that specifies how overtime is to be paid, and a corporate credit card for business / travel expenses so my own credit rating isn't screwed when I don't receive my expense claims.

    There is good and bad in all sizes.

  15. Re:"Linux Rated Less Secure than Windows" on IBM Clinches Security Certification for Linux · · Score: 1


    It is a REQUIREMENT for C2 Certification for the system to NOT HAVE EXTERNAL or NETWORK interfaces.


    Which is why this document at MSFT describes leaving the floppy driver in the NT4 configuration, and how to restrict NetBIOS....

    My previous post was wrong, it appears that the NT4 C2 eval had networking and a floppy. I blame old age for my faulty memory. Sorry.

  16. Re:"Linux Rated Less Secure than Windows" on IBM Clinches Security Certification for Linux · · Score: 1


    It is a REQUIREMENT for C2 Certification for the system to NOT HAVE EXTERNAL or NETWORK interfaces.


    Err. Nope.

    The Trusted Computing (Orange Book) C2 dealt with computer systems, not networks. The Orange Book didn't cover networking.

    Or are you going to tell me that all C2 systems did not have a network interface or removable media?

  17. Re:"Linux Rated Less Secure than Windows" on IBM Clinches Security Certification for Linux · · Score: 1

    I guess what I was getting at was "Is this a valid comparison?"

    Bingo! Right question.

    No, you cannot directly compare EAL ratings blindly. You need to weight them based upon the protection profile, that details things like the configuration, and how they are being rated.

    Remember, it's Trusted Computing not Secure Computing. Most of the low-level ratings are about documentation, a paper trail, and establishing basic things like change control (e.g. CVS) and responsibilities (i.e. who, within Suse, maintains mm.c?).

  18. Re:What did they alter? on IBM Clinches Security Certification for Linux · · Score: 1

    How did IBM configure the box? What patches were applied to the kernel?

    This will be documented in the Common Criteria protection plan, which will be available on the CC (and NIST) website.

  19. Re:"Linux Rated Less Secure than Windows" on IBM Clinches Security Certification for Linux · · Score: 1

    Somebody wanna explain to me how this works?

    You need to read the Protection Profile/plan, which explains how they define it will handle various events and under what conditions.

    For example I haven't checked but the Windows 2000 Professional, Server, and Advanced Server with SP3 and Q326886 Hotfix (OS) EAL4+ certification may only be for systems without floppy drives and no networking, like the earlier NT4 C2 rating.

    The EAL rating itself is meaningless, except to sales people.

  20. Re:What about BSD? on IBM Clinches Security Certification for Linux · · Score: 1


    Ignoring the fact that IBM markets Linux and not BSD, why haven't corporations made genuine efforts to get it accepted in environments such as the government. The article doesn't make it clear whether or not they're talking about serving or usability.


    Because no one (e.g. BSDi) has spent the money to prepare the documentation, and pay for the independent evaluation from an approved lab.

  21. Re:Cool ;-) IBM forked over the few milllion.... on IBM Clinches Security Certification for Linux · · Score: 1

    IIRC, it's about 9 million for EAL7 test as it has the NSA certify all the source, compiled binaries, default configuration, and configurability. The hardware is also certified the same way, so that the OS is joined to the exact brand of chip. And EAL7 takes about 1-3 years of rigorous testing.

    Well considering no OS has ever been evaluated to EAL7, I think you're wrong. Especially since you apparently have no clue what is entailed at that level. Hint: formal proofs of security.

    I think the largest system certified to this level was a reimplementation of the first Intel 4004 based calculator (add, subtract, multiply, divide).

    None are "user-tested." They have to be all evaluated at an approved independent testing lab.

    The highest level completed is EAL4+ for an Operating System.

  22. Re:Just wondering.. on IBM Clinches Security Certification for Linux · · Score: 2, Informative

    Common Criteria's CCPL (Centralised Certified Product List) - OS and the NIST's Validated Products List (Operating Systems).

    AIX 5L for PowerPC V5.2, Program Number 5765-E62
    B1/EST-X, V2.0.1 with AIX, V 4.3 (Bull)
    HP-UX (11i) Version 11.11
    IRIX v 6.5.13, with patches 4354, 4451, 4452
    IPSO 3.5 and 3.5.1 (Nokia)
    Trusted IRIX /CMW v 6.5.13, with patches 4354, 4451, 4452, 4373, 4473
    Solaris 8 2/02
    Trusted Solaris 8 4/01
    Sun Solaris Version 8 with AdminSuite v3.0.1
    Windows 2000 Professional, Server, and Advanced Server with SP3 and Q326886

  23. CC certification for that exact setup on IBM Clinches Security Certification for Linux · · Score: 1

    The common criteria is about a standardized approach to security. The CC itself is not about the system security, just the general approach to the security. CC is also more about information security and information assurance, it is not focused on system vulnerabilities.

    What does this mean?

    It is basically just a bunch of paperwork to cover the a** of the civil servant who approves the computer system purchases.

    You need to read the actual NIST docs about exactly what hardware the system had. The old NT4 C2 was a specific Compaq with no networking and no floppy drive, IIRC.

    Then you need to look at what they claim to protect against. You can use a standard form letter like protection plan which says it won't get viruses or hacked as long as the system has no networking and no removable media or you can use a protection plan which is useful.

    This doesn't mean much in general, other than the usual misunderstanding and misquoting by sales people to management. It doesn't make any difference to Linux itself.

  24. BlackNet? Assassination Politics? on Pentagon Lets You Bid on Terrorism? · · Score: 2, Interesting

    This sounds like it could be abused to become a BlackNet

    an experiment in information markets, using anonymous message pools for exchange of instructions and items. Tim May's experiment in guerilla ontology.


    Or actually a bit more like Jim Bell's Assassination Politics, which is a scheme that allows murder for hire under the pretext of a lottery.

  25. Re:Interesting plan. on U.S. Biometric Passports By Late 2004 · · Score: 1

    biometric scanners that are capable of detecting whether the subject is alive.

    a) freshly cut meat is still warm, and cools to room temperature over time - the warmth is the most common "alive" test for fingerprints, though there are a few other advanced methods, like checking for a pulse and testing conductivity of the skin AFAIK.

    b) Imagine being the poor guard trying to convince the prisoners of this...