The problem is more subtle than a casual reading of Thompson's classic paper suggests. He explained how to create a trojan horse in the compiler with nothing showing in the source code, but that is not the only tool you need to worry about. Every step between source code file and program image loaded and running is a potential place where a trojan horse could be inserted.
The linker could do some subtle patching of the object files as it links.
A shared library loader would be a neat place to splice in some extra behaviour; more fun than just subverting the basic program loading system.
It would be fun to subvert the virtual memory system to spot where certain code is loaded, and add some interesting side effects.
The truly paranoid will wonder if the microcode in the processor has anything strange in it as they insert the hand-assembled binary code into the memory as the first step of bootstrapping their system into a state they can trust. (They will, of course, have built the tool that is inserting the code, and be worrying about any non-trivial components it contains.)
Any tools - diff, debuggers, etc. - that you use to inspect the system will, of course, hide the exploit code and show the 'clean' version, and the necessary features will propagate by the same mechanism as everything else.
Perhaps you should research the existing patent fee structure. I am not an IP lawyer, but one I see regularly tells me that fees have to be paid every year, and they increase in later years. If you fail to pay, the patent lapses, and the idea becomes unprotected prior art that anyone can use. Exact figures vary between jurisdictions, but the basic idea seems common everywhere. Under the existing scheme, you get only so many repeats, and I think that this is better than having no set limit to how long a really rich company can prevent others using an idea.
For all the things Microsoft say they will do, and which should have been done before, they just don't have the necessary level of paranoia guiding the design.
I haven't tried Win2000 yet, but under NT4 if you can gain access to the PC I use, and you can steal my NT domain password then you can use my digital identity. I selected high security when installing it in browser and mailer, but those applications can just use my private key without so much as a dialog to warn me. It is as if they had decided that dialling in the combination of the safe is too inconvenient so they provide a robot that will do it for anyone who can walk into my office.
There needs to be a fundamental change of attitude, not just some fixing of holes (although that is necessary).
You may be thinking of "Top Gun Wingman", developed at UCB and presented at Middleware 98 as an example of an adaptive middleware proxy. It is wonderful what happens when students want to look up the Internet Movie DataBase from a wireless PDA while watching a film.
Does anyone ever read old stuff here? Here is some more anyway.
Evaluations against TCSEC, ITSEC and Common Criteria may well be working to an obsolete model of the environment, but if anyone can point to something better I would be glad to see it.
I just searched BUGTRAQ for SCO CMW+ - the one I mentioned - and it said "No matching vulnerability found." There were vulnerabilities for other SCO offerings.
I also just checked the TCSEC EPL as well as ITSEC and I can't find any DGUX rated B1 or equivalent (highest is C2).
On the subject of 'xploits' it is not until B2 that "The TCB shall be found relatively resistant to penetration", and B3 that "The TCB shall be found resistant to penetration".
One side effect of the search was that I found that NT4 (with SP6a and C2 update) is "... rated C2 by NSA ...[read the caveat for yourself]..." dated November 1999.
Having people who can speak "suit language" working as consultants with people who understand security technology looks like an important step to getting security taken seriously. For too long, security has been the "top priority" until it comes time to pay in [money,time to market,performance,usability] when the acceptable price turns out to be [some,nothing,nothing,nothing].
Let us hope that this company has the credibility, both business and technical, to make decision makers realise that it is possible to do better than is common with current offerings.
Pity about the @Stake web site - they seem to have had the "web is art" or "my browser is the only browser" designers in (or perhaps the black on black I got is an 'underground' thing).
It seems that in the UK, those who contribute may be liable for the costs of the other side. See the BBC news article about the backers of Hamilton being pursued for costs by Al-Fayed after the recent libel case. The danger is that funds that balance the resources available to the richer party end up pushing up the total cost so lawyers get much richer, and everyone else loses. I would much prefer some way to limit permitted expenditure to what the poorer party can afford, but I doubt if that can be made to happen (too many politicians are/were lawyers for a start).
I don't know what the situation is in the US, or elsewhere, but the international nature of the net means that people will try to fight their legal battles in the most favourable jurisdiction.
Microsoft Windows NT 4.0 SP3 was certified in March 1999 at assurance level E3 and functionality class F-C2 under the UK ITSEC scheme - see the UK ITSEC scheme site for details. This is essentially C2 functionality, but with a higher assurance level (ITSEC E2/F-C2 is approximately TCSEC C2). I have not found any version of Linux certified under any scheme.
The UK ITSEC scheme is jointly managed by CESG and DTI, and is based in Cheltenham - which is also where you will find CESG and GCHQ. So we have NT passing ITSEC at the same level as conventional versions of Unix (i.e. the ones without MLS) under a scheme managed by CESG, and an expert from CESG reported as saying that Linux is more secure because the source is open to scrutiny. Note that the article does not say in what forum the remarks were made, so we are dependent on a journalist reporting accurately here.
There are various things you can take from this. One is that ITSEC E3/F-C2 (and also TCSEC C2) is not much of a hurdle to jump in terms of real security - Linux could probably jump that hurdle, but has not been put to the test. The second is that CESG has at least one person who is aware of the value of openness - but is reported as having the strange view that "Linux is as secure as you can make a computer," and also "Unix [on which Linux is based] is the paradigm that the computer is the network".
Linux as available today is certainly not as secure as a computer could be made. It could be made very secure, and the openness means that anyone can have a go at verifying and improving the security, but that is not the only option. I would expect SCO CMW+ (certified at E3/F-B1) to be more secure than the average Linux without the benefit of open source.
The important thing is for designers and implementers who really care about security, and who have enough experience to know what they are doing, to have real input into the process.
It sounds like the other driver is at fault...
he has requested that his (and the name of his, er, "female companion") not be released.
The wrath of geeks aside, that is not the action of an innocent man.
In these days when so many people seem to think it acceptable to vent their feelings without any attempt to discover the facts, any sane person who is in any way connected with the death of a celebrity will want their identity withheld from the masses. When you have been in a serious road accident, the last thing you need is to be inundated with hate mail. Considering the weather conditions in the UK this weekend, I would wait for some real evidence before pointing any fingers.
Desmond Llewelyn will be missed by many, but perhaps we should also think of the other people who died in road accidents in the UK this weekend (BBC report).
SOAP (or XML-RPC) will not scale as well as the IIOP used by CORBA, simply because it's human readable. It consumes more bandwidth and is much more difficult to parse. I agree that it's nice for toy applications.
It may be true that human readable protocols and data formats are less efficient, but this has not been a problem in the past. The major advantage of HTML (and XML) over document formats with control characters or other binary stuff is that it is human readable, or, more importantly, editable with simple easily available tools. The human readable internet protocols - SMTP, FTP, HTTP - have been a success, I am not sure I could name a protocol with binary control information that has spread in the same way.
The trouble with SOAP is that, despite its name, it is not an Object access protocol. One of the 'non-goals' is 'Objects-by-reference'; this means you cannot pass the ability to interact with a specific object instance (except perhaps by some application invented add-on). This was the feature that made CORBA so much more than just another RPC. It is also the feature that is responsible for most of the problems with firewalls.
The argument that port 80 is already open on most firewalls is really silly. If everybody does some kind of RPC over it, soon it will be closed so as not to allow arbitrary calls.
I just don't believe that port 80 is open on most firewalls. In low risk environments it may be permitted to make direct outgoing connections (I used to work for a company that had its packet filters set up like that - it is probably too dangerous now). Anyone who allows direct outgoing connections is probably allowing more than just port 80. It is much more usual to have to go via a SOCKS proxy or an application level web proxy - these are not at all like having port 80 open.
Every firewall configuration I have seen is much more restrictive in incoming connections. The textbook examples allow incoming connections only to specific bastion hosts, and these are often on a perimeter net separate from the main internal network. Having port 80 open to the host that runs the external web server is usually all you get. Anyone doing something dynamic involving live data that is on the internal network has some kind of proxy on the bastion host, perhaps integrated with the web server. If you can put the proxy in place, you are the one who can open up some other port if there is any benefit in doing so; using port 80 in this context is just irrelevant.
I fear that SOAP will succeed by being buzzword compliant. I fear because it is as short-sighted as adopting an OS that has 8.3 filenames, with directories as an afterthought so you have to use '\' because you have already used '/' for something else. It may be adequate for now, but we will regret it when we move on to the harder problems.
The saddest thing is that several of the ORB vendors deserve this problem. Their customers told them to get out of the immature proprietary phase but they chose not to.
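The firewall layout described in the post above (incoming from the Internet only to a bastion host on a perimeter net, internal hosts reaching the outside only through a proxy on that bastion) is sketched below as an added nftables ruleset. It is illustrative and not part of the original post; every address, interface name and proxy port in it is an assumed value constructed for the example.

```nft
# Added illustrative nftables ruleset, not from the original post.
# Assumed (constructed) layout: outside interface eth0, perimeter net
# 192.0.2.0/24 on eth1 with bastion host 192.0.2.10 running the external
# web server and the application proxy, internal net 10.0.0.0/8 on eth2.
table inet fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows that were already allowed continue; anything else
        # has to match one of the explicit rules below or is dropped.
        ct state established,related accept

        # From the Internet: only TCP/80 to the bastion's web server. Nothing
        # else reaches the perimeter net, and nothing reaches the internal net.
        iifname "eth0" oifname "eth1" ip daddr 192.0.2.10 tcp dport 80 ct state new accept

        # Internal hosts get no direct outgoing connections; they may only talk
        # to the proxies on the bastion (assumed SOCKS on 1080, HTTP on 3128).
        iifname "eth2" oifname "eth1" ip saddr 10.0.0.0/8 ip daddr 192.0.2.10 tcp dport { 1080, 3128 } ct state new accept

        # The bastion's proxy is the only thing allowed to open connections outward.
        iifname "eth1" oifname "eth0" ip saddr 192.0.2.10 tcp dport { 80, 443 } ct state new accept

        # The bastion's proxy may fetch live data from one assumed internal
        # application server (10.1.2.3:8080); it cannot reach the internal net in general.
        iifname "eth1" oifname "eth2" ip saddr 192.0.2.10 ip daddr 10.1.2.3 tcp dport 8080 ct state new accept
    }
}
```

The point the ruleset makes is the one the post makes: an internal host never has "port 80 open" in either direction, and the only party that can add a new path (say, a different port for the proxy's fetch from the application server) is whoever administers the bastion and this filter, so tunnelling RPC over port 80 buys nothing here.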
It was not one of Paxman's probing inquisitions. I think the comment about Paxman not having the technical background to probe beyond the initial question is right. For example, there was a question about people having to upgrade when Microsoft release a new version; Gates responded by saying that Microsoft have to make the new version much better so that people choose to upgrade, and users can carry on using the old version if they want to. Paxman did not raise the issue of compatibility that forces everyone in a group that exchanges documents to upgrade when one does. This may have been Paxman's lack of background information, or it may have been considered too difficult for the audience, but it was a missed opportunity to probe in a place where users are affected.
The other problem, of course, is that, unlike a politician, Gates does not need to convince the public to vote for him. The kind of searching interview Paxman inflicts on politicians would not really make any difference to anything. Making Gates uncomfortable for a few minutes would not magically break up Microsoft or force them to publish their internal APIs or file formats, or give people some other products they could buy instead.
On the whole, I think the interview was a waste of time.
This reminds me of the time when Intel introduced the 8086. Back then, ZiLOG with the Z80 was a real force in the market competing with Intel's 8080, Motorola's 6800 and Rockwell's 6502.
Then came the 16 bit revolution (when we really needed more - the 16-bit minicomputers running out of space should have been the clue.)
The competitors were:
Intel with the 8086
ZiLOG with the Z8000
Motorola with the 68000
National Semiconductor with the 16032 (later called 32016)
In technical terms, the order of merit was 16032, 68000, Z8000, 8086. In marketing the 8086 was way ahead, but I think the 68000 was next.
Only two of these gained any substantial market share, and the 68000 had the advantage of being really a 32 bit processor. The 16032 was a better 32 bit processor, but it was just too late arriving.
If AMD have some technical feature of the scale of 32 vs 16 bits back then, and they are also far enough along with the development that they can ship at most a few months behind Intel, they have a chance of competing in this space. The more likely outcome of developing an incompatible processor is that we will see them reinvent themselves in some niche market in a few years time as ZiLOG have now done.
The Open Source community may well be able to use SledgeHammer when it arrives, but the software shipped as binary will ship for Itanium first (or only), and that will be what counts.
I noticed the page was not at the Oracle site. A little probe shows that this is one of several statements by various companies.
The directory listing reveals the date:
oracle.html 30-May-1994 02:36
and the IBM (and others) testimony reveals more:
Public Hearing on Use of the Patent System to Protect Software Related Inventions
Transcript of Proceedings Wednesday, January 26, 1994 San Jose Convention Center
The statement itself is old news but does anyone know if anything was done about more and better trained patent examiners?
Anyone who does not like patents has a simple solution. Think of the idea, write it up in enough detail and publish before a patent application is filed. If you don't think you can have enough ideas yourself, put up the money to support people who can think of the ideas and publish them.
This isn't such a simple solution for copyright, but why copy when you can create?
I will be more convinced when someone who has put in all the hard work to write something worth reading more than once and given it away suggests doing away with copyright. Similarly, for patents, if you have had a valuable idea and published without patenting I will be more inclined to listen to your opinion.
To get you started, let me give you two symbols, call them 'zero' and 'one'. Let me tell you that you can create a sequence of these symbols. I have now given you every patent application, book, film, TV show, outtake etc. that has ever been or will ever be written, performed or thought of, and to whatever level of detail you want. Choosing the one you want out of this infinite library is left as an exercise for the writer.
Microsoft's announcement says: "E3/F-C2 is widely acknowledged to be the highest ITSEC evaluation rating that can be achieved by a general-purpose operating system."
Says who?
I doubt if the vendors with E3/F-B1 evaluations would agree; Trusted Solaris from Sun for example. There have even been B3 (under TCSEC) rated systems that can reasonably be described as 'general purpose'.
Microsoft may think E3/F-C2 is hard - after all, Windows 95/98 do not have the required functionality.
NT passed, Microsoft have a right to say it did. That Microsoft thinks this is the highest NT can go is the interesting point - most versions of Unix don't go any higher, but there are several examples to show that they can if the vendor is prepared to put in the effort (and pay for an evaluation).
All the evaluations against TCSEC (Orange Book) are explicitly stated to be "when installed as prescribed" in the Evaluated Products List. Just because typical use of NT is less secure than typical use of Unix, this does not mean that NT cannot be configured and used securely enough to pass. I don't usually work as root on Unix, but I usually (on my workstation always) work with Administrator rights on NT - this is crazy, but that's just how you get your work done.
Note also that for NT they went for E3/F-C2 rather than the E2/F-C2 that the ITSEC says is intended to correspond to TCSEC class C2, and this brings in things like having to provide the evaluator with "Source code or hardware drawings for all security enforcing and security relevant components".
Under the TCSEC you did not have to show that a system was "relatively resistant to penetration" until B2 (corresponds to E4/F-B2) and ITSEC does not seem to have anything like this phrase - perhaps because it is meaningless and there is no way to test for something so vague. Passing the E3/F-C2 level of evaluation does not mean there are no ways to break in, and this is just as true of the Unixes that have been evaluated as it is for NT.
Another thing to note is that at least one version of Unix has been evaluated at the less stringent E2/F-C2, and many have not been evaluated at all.
Passing the evaluation is not really anything to boast about, but failure would have been embarrassing.