Slashdot Mirror


User: nemaispuke

nemaispuke's activity in the archive.

Stories: 0
Comments: 85

Comments · 85

  1. Re:Very funny... on A Night in the Hotel of the Future · · Score: 1

    Hope that (1) the Biometric safe cannot be defeated with a Gummy Bear and (2) the "pro" you brought up to the room isn't a geek who knows about defeating Biometric devices with Gummy Bears!

  2. Re:I see some problems with this on The Soldier is the Network · · Score: 4, Insightful

    I am a twenty year veteran and I will give you an example of this "they have thought of this". In 1987 a certain aircraft carrier was participating in an operation called Earnest Will (reflagged Kuwaiti tankers). We had people from various Intelligence commands onboard and one of them forgot to mention the film one of these assets was going to be shooting. Since photo intelligence was a critical part of this operation don't you think it would be important to pass on pertinent information to those concerned?! The Photo Labs on an aircraft carrier have certain capabilities, and the people responsible for thinking these things up don't always know everything (or are told everything). That is usually the result of a four star Admiral to Captain conversation "Captain, get this done", response "Yes sir". Don't tell me "they have thought of everything" from personal experience I can tell you they haven't! So it's cool, so what. This isn't no Linux laptop we are talking about. Actual people are going to be using this equipment to stay alive, I sure as Hell hope it works!

  3. I see some problems with this on The Soldier is the Network · · Score: 4, Insightful

    With DARPA and DoD's never ending penchant for technology to solve every problem, I see potential for numerous problems with the "wired soldier". DoD has a bandwidth problem now trying to control and get imagery from airborne Predator UAV's, what happens when you wire the individual soldier? Where is this bandwidth going to come from? Can this be subject to monitoring and how is it going to be secured? For that matter can it withstand an EMP pulse? If I wanted to take out communicating enemy forces using modern comm gear that is not hardened, a small tactical nuke would do just fine. And what about the possibility of interception even if it is secure? What if a unit that has a base unit to receive updates is captured, then parts of the system (or the whole system) is compromised. This will take years of testing before it ever becomes reality, I wouldn't hold my breath.

  4. This is not limited to the CIA on IT at the CIA · · Score: 5, Interesting

    Before I retired from the Navy, I worked in an Intelligence facility at the Top Secret level. The equipment that was available to me was several Macs (to produce PowerPoint slides), a Sun Sparc 10 used as a file and print server, a terminal to connect to PROFS (IBM OfficeVision) to read Top Secret e-mail, another Mac to access the Secret LAN and read Secret e-mail. There were no unclassified PC's, Macs, or Unix workstations to "surf the net" despite reading an article in the same command about "open source intelligence". Part of the problem is compartmenting the information which makes it difficult to search for information since not everyone can access all the information based on the compartments an individual is cleared for. This will not go away soon. And let's not get into the politics of it.

  5. Re:what about N1? on Available To The Right Buyer: Sun Microsystems · · Score: 5, Informative

    Tivoli cannot do the same things as N1, unless IBM has added some amazing tweaks to it that nobody knows about or uses. N1 allows a data center to manage its resources based on business rather than technical requirements. The example that was given to the local Sun User's Group meeting was say your web site was being hammered by requests (Christmas). By using the console and selecting the appropriate options, you could do the following: 1. Reallocate bandwidth 2. Build and deploy new web servers to meet the demand (provided you have the hardware available) This is done with one person, not a team of system, web, and network administrators. Most of the technology to support N1 is already in Solaris (Resource Manager, Live Upgrade, Solaris Flash, JumpStart). I don't know about you, but I can find plenty of uses for N1, and companies wanting to shore up their bottom line can as well. IBM and HP are also working on similar technologies, but Sun is farther ahead and has made purchases of companies that have technology Sun needs (Sun purchased a company to get the "provisioning engine" technology for N1). If N1 actually works (and to me it does), there will be a huge change in how data centers are managed. And a lot of IT people could potentially be out of work!

  6. Re:Cannon on Ink Cartridges with Built-In Self-Destruct Dates · · Score: 1

    Canon might not use active electronics in the cartridges to determine the expiration of the cartridge, but in the past (1998) some Sales droid came up with the idea of having PSR's (Product Support Representatives) sell ink after a support call. Just before I left Canon to get a real IT job they were going to a quota system where each PSR had to sell so much ink a month! I figure it's only a matter of time before Canon follows suit to prop up their profits.

  7. What's the point!? on Hard Drives Instead of Tapes? · · Score: 1

    If I wanted to do something like this I would use a NetworkAppliance Filer which "speaks" both NFS and CIFS natively, and uses snapshot technology. There is nothing like "drag and drop restores" from a read only copy of the data (snapshot reserve) and the ability to back up the snapshot without worrying about open files! And yes I would use tape to back up the Filer! Obviously the software is custom written for this particular use and considering there are any number of commercial alternatives, I just don't see the point other than to say "we built it ourselves". It might be faster, but you had better hope nothing fails!

  8. Re:in other words on Trusted Debian v1.0 Released · · Score: 1

    I agree, the project I am working on "talks the talk" but can't "walk the walk" on security. They base their level of security on a scan and the DISA USTIG, do not care about SSH and allow telnet! And God forbid we don't audit everything, despite the lack of tools to exploit the information. It's just another box to check off saying it's done! What needs to happen is for Government agencies to get slammed in a "real" security audit conducted by "outside" personnel. After a few senior managers get canned the rest will fall in line. I have personally never worked with a "Trusted" OS, despite working on systems up to and including Top Secret. In too many cases security takes a back seat to cost. I like the idea of Trusted operating systems, and I hope Debian gets there.

  9. Re:trusted for what? on Trusted Debian v1.0 Released · · Score: 1

    The problem with the DISA STIG is that it is out of date, and by the time you get done "securing" your machine, you have to be root to do anything! The permissions they want you to set on directories are stupid, and secure nothing! I guess the idea of least privilege falls on a lot of deaf ears at DISA. Unfortunately DISA follows TCSEC a little too closely. I just have a problem with sudo or su to root to read /var/adm/messages, and this is better security?

  10. Re:trusted for what? on Trusted Debian v1.0 Released · · Score: 5, Informative

    If you work for the Government on classified systems they prefer "Trusted" versions of operating systems (Trusted Solaris, AIX, IRIX, etc.). These operating systems are approved for TCSEC B level security (Common Criteria EAL4 and higher). All parts of the OS are tested for Mandatory Access Control, extended auditing and logging, and data protection. Installing any of these on a home system is overkill (and in the case of the ones I just mentioned, expensive). But if you are processing Top Secret information and want full audit trails and complete trust, these are the operating systems that will deliver it. The only thing I do not see with Trusted Debian is the extended auditing and logging. The secure code base is nice, but if they intend to get into the Government with this, I think they have a long way to go.

  11. Enlightenment development cycle on State of the E-nion · · Score: 2, Insightful

    Although I do not use E, I have checked the progress of its development through www.cuddletech.com and their efforts to improve E and port it to Solaris. I actually like the idea of slow, methodical development as opposed to the "let's add every feature under the sun (no pun intended)" effort ending up in a convoluted mess of bad code and incomplete or non working features. My experiences with Gnome and KDE under Solaris attest to the "it's gotta look cool despite the bad code" effort. People complain about CDE's memory footprint, Gnome just sucks up memory like there is no tomorrow and the only "feature" I can see that remotely benefits anyone is the ability to have more than four desktops (Gnome 6, CDE 4). And let's not mention KDE's memory leaks (which I do not know if they have been totally fixed yet). All I want from a graphical interface is the ability to run graphical applications effectively. At least with cuddletech's efforts (being performed by a working system administrator) functionality is not being lost to "cool features". Maybe it is time to take another look at E since (at least for me) I am not satisfied with Gnome and Sun's efforts to bring it to Solaris.

  12. Unix is dead, since when!? on Dell CIO Says "Unix is Dead" · · Score: 1

    As a system administrator who works on a large Government contract, and previously worked for NMCI (where Dell is the prime vendor for Wintel hardware) I can say Unix is alive and well. NMCI's Enterprise Services run for the most part on Solaris (Oracle, Remedy, Tivoli, Veritas NetBackup, etc.). In the 18 months I worked NMCI the Windows guys were pulling their hair out with numerous problems and the Unix team was "chillin"! Maybe Dell's CIO is predicting the death of Unix based on their sales to the Government (where virtually every desktop is a Dell). And the project I am working on now uses Solaris and AIX for SAP R/3 and Oracle, as well as Tivoli. I wouldn't exactly "bet the farm" on this because eventually the Government will figure out that Dell is selling them a "pig in a poke"!

  13. Re:longhorn is a system resource hog???? on Longhorn M4 Build Review · · Score: 1

    What I am waiting for is Microsoft to announce the system requirements for Longhorn only to change them (by a factor of 2 or 4). This happened with Windows 2000 Server where until the launch day the minimum requirement was 128 MB of RAM. On launch day the memory requirement doubled to 256 MB! Not that I advocate installing on minimal hardware but it would have been interesting to see the requirements for this release. If for nothing else than to see how much hardware Microsoft wants us to "toss out and purchase new stuff" in order to get decent performance from Longhorn!

  14. Re:Dave Cutler's "Vision" on Inside The Development of Windows NT · · Score: 3, Informative

    I remember reading an article in 1992 where Bill Gates said "Windows NT will be a better Unix than Unix". So I don't think the vision was limited to Dave Cutler. I am still wondering how Bill could say that when Windows NT/2000 has minimal Posix support (1000.3 System Calls), is single user multitasking (unless you use Terminal Services, another Microsoft product you pay through the nose for), and has the worst scripting language ever! I guess that is why MKS (MKS Toolkit), Interix (OpenNT), and Cygwin are around, to fill the gaping holes in the "vision" of Bill and Dave and bring Unix to Windows because Microsoft can't or won't do it!

  15. It is certainly different (which is a good thing) on Mission Critical Security Planner · · Score: 5, Insightful

    This is the first time I have seen a book since my leadership training in the mid 80's that actually talks about measured improvement! Every job I have held since I retired from the Navy (all IT related), security "success or failure" is based on scanning with Nessus or a similar tool and if the machine passes "It's secure". No measurement of improvement, no training, just run the scan and use a "click through PowerPoint presentation" and you're done! The problem with the Government and security is that it gets tied up too much in "committee" where you have people who have no clue on security weighing in and actually believing that if you are C2, you are secure. This book should be a requirement for IT management, regardless of whether they are in the public or private sector. From what I can see of the worksheets, it is not tied down with details, but straightforward questions of what to do and how to measure the results. Find that in TCSEC or Common Criteria!

  16. Re:RHAS again? on Red Hat, Oracle to get Gov't Certification for Linux · · Score: 1

    The problem in pushing RedHat Advanced Server is that Government agencies that process classified data require an operating system be certified at a particular level (TCSEC or Common Criteria) based on the classification of data being handled on the network. The two key phrases are Discretionary Access Control and Mandatory Access Control, the difference between TCSEC C2/Common Criteria EAL4 (DAC) and TCSEC B2/Common Criteria EAL5 (MAC). Unless RedHat has added features of Security Enhanced Linux (NSA) and LinSec (which uses Mandatory Access Control), they are going to have a hard time selling it to any agency. You have to be able to audit logon/logoff events, object use and reuse amongst other things (I know this because I work on a large Government Contract and deal with security). The best they could hope for without help is EAL2, and I am actually surprised with Oracle jumping in on this since they are attempting to get Oracle 9i EAL4 certified under CC. We use RedHat Linux for our DNS servers and we are in the process of getting rid of them for Solaris machines for this very reason!

  17. Re:Sorry to be a spoilsport, but... on Red Hat Advanced Server Gets DoD COE Certification · · Score: 4, Informative

    You are talking about two different things, Common Criteria is about security and Common Operating Environment is a military standard for mission critical applications (Command and Control, Intelligence, etc). What it means is that if you use applications designed for Motif/CDE and use COE as a standard, they can run on RedHat Linux Advanced Server. This is more about functionality than security.

  18. Java problems not limited to development on Even Sun Can't Use Java · · Score: 1

    Sun has chosen to make graphical tools in Solaris use Java over straight X/Motif binaries. An example is Solaris Management Console, the replacement for AdminTool. If you run AdminTool on Solaris 9 you get a warning (every time you run it) that it will be replaced. So you start SMC (which requires Web Based Enterprise Management to be running) and wait, and wait. SMC is a pig in both performance and memory utilization! Unfortunately for those who prefer a GUI for managing disks (Solstice DiskSuite), it is being replaced by Solaris Volume Manager (Solaris 9), which runs under SMC! Most of Sun's enterprise level management products extensively use Java and you would think somebody would have taken a look at how slow their products perform (unless they tested them on "the latest and greatest" and found the performance OK). I would like to know what their definition of OK is! Java works for some things, but it doesn't work for everything! It almost seems like management said "We created it, let's use it!" without realizing the performance hit, or just simply ignored it.

  19. Yeah, Right! on Instant Concert CDs? · · Score: 1

    Why is it I see this fraught with problems! First who are they going to get to record the concerts and what is the sound quality going to be like, a polished professional product, or sound like it was recorded in a bucket? Are the bands going to even allow this to take place? Some bands are pretty selective as to which concerts they perform are recorded for release. Then comes the money issue, how much does the band get, the recording studio, the RIAA (if they allow this to take place), and how much does ClearChannel expect to make? It is long on promise and short on details.

  20. Yeah, right! on Instant Concert CDs? · · Score: 1

    Why is it I see this fraught with problems! Who is going to record the concert, will this sound like a slick, polished product or sound like it was recorded in a bucket? I do not see how they are going to do this without at least some testing not only if they can do this quickly, but is the sound quality "up to speed". Is the band going to even allow this to take place without their "cut" of the money? Some bands are pretty picky about which shows get recorded for live "albums". And of course there is the RIAA and I am sure they are going to have their "hand out" for a chunk of the money if they allow it to happen!

  21. Re:A piece of paper? on First Red Hat Academy for High School · · Score: 1

    I agree! How do kids get into system administration when they are not given the opportunity! I responded to a 16 year old on one of the SecurityFocus mailing lists who wanted to get into IT security and was looking for a means to "cut his teeth". Unfortunately in the area we both live in (Virginia Beach, VA.) there are not a whole lot of options for this. I applaud any effort to teach kids more than how to format a document in Word! My daughter is bored in computer class because they do not have the personnel with the experience to teach advanced topics. As long as the program does not get so vendor specific that the only knowledge they have is RedHat, I think it would be great! Wished I was a teenager again, these opportunities were not available when I was going through school!

  22. Who will benefit if anybody? on OSS Officially On Microsoft's Financial Radar Screen · · Score: 1

    From reading the eWeek article my guess would be that Enterprise customers would be the likely candidates to see a price drop. Microsoft makes their money in Client Access Licenses (CAL) and that is where Open Source comes in. I am sure that Microsoft is beginning to "feel the pinch" of Linux and other Unix variants stomping on their money making juggernaut! I read an article awhile back comparing the costs between an IBM Z Series mainframe running Linux and Microsoft software running on some boxes (probably Dell), but what was shocking was that the CAL's for Exchange for 5000 users was something over $250,000! Somehow I do not think that "Joe Six Pack" is going to benefit from this at all! That is where Microsoft will more than likely make up their losses to big customers.

  23. Enough is enough! on "DVD-Jon" Faces Retrial · · Score: 2

    So the MPAA didn't win the first round, so let's try to nail him for "computer crime". So I wonder what crime he committed, and I also find it curious that the specifics of the Norwegian Computer Crime Division will be "in their offices Monday afternoon". Does that mean they have to "manufacture" something to justify the appeal?

  24. This isn't just about Linux in the schools on Maine School & Linux · · Score: 1

    Here is a case where the school actually employed someone who has the necessary skills to deploy Linux, compile and install applications, and actually had a plan! I have spent some time volunteering in area schools and the problems aren't just getting hardware and finding the money to purchase software and licenses, it's getting the money for the talent necessary to keep the network running and teach something useful! One school in this area (Hampton Roads Virginia) had Cox Communications set them up with a state-of-the-art (for that time) fiber based network. The school administrators show it off in "dog and pony" shows because they cannot afford the staff necessary to make it work! Another school I attempted to work with had the "lofty goal" of teaching eighth graders how to make a web page! The "system administrator" was the English teacher and she was chosen because she knew how to use a couple of programs! Their network was Macintosh based, sold to them by an idiot I used to work for who did not tell them they would need additional software to connect their Macs to Windows machines (MacOS 7.5), and the machines had insufficient memory and nobody on staff that was Mac literate! They ended up getting someone from Apple to get everything working and I am sure that cost them some big bucks that they were not expecting to spend. Educators and administrators have the right idea about putting computers in the schools, the problem is they do not think about what they are going to do with it, or the end result is so lame that the kids get seriously short changed! A 16 year old posted to Bugtraq on SecurityFocus about trying to get an internship to learn system and network security because the school he attended could not (and would not) teach the subject matter! For computers to really work in schools, the school systems of this country have to decide what they are going to teach, and get the necessary talent in to teach it!
    And that is why this particular computer lab actually works!

  25. What about the OS? on Scaling Server Performance · · Score: 2, Insightful

    I have read both articles from Ace's Hardware about how they built their "killer" web server. And in all that talk about the server and the applications that run on it they make no mention of what they did to the OS and the machine itself other than putting faster drives in it. They show an Ultra 30 as a server running a GUI, if I wanted "killer" performance CDE would be the first thing to go! They also don't mention any tweaks to improve system and network performance (and there are a few I can think of). Hell I'm willing to bet they didn't change the jumper setting on the Blade to get the memory to run at 100 MHz over the default 84 MHz as shipped! They also don't do anything like multipath or trunk network adapters (which you could easily do with Solaris). It looks like they took a machine out of the box, did a default install of Solaris, loaded applications and "plugged it into the net"! I wonder how much better their performance would be if they tuned their server like Colin Bitterfield (of Sun Microsystems) did?