Slashdot Mirror


User: mikefocke

mikefocke's activity in the archive.

Stories: 0
Comments: 82

Comments · 82

  1. Read the definition of EAL4 recently? on Dealing with Corporate FUD About Linux? · · Score: 1

    Doesn't sound to me like I'd want to trust my precious financial or personal data to such a "pretty good" level of trust.

    Look at why Linux can't get a higher rating....

    But then neither can any other OS except one designed for security first and foremost.

    Is it possible to get a higher rating? Yes. At an enormous cost. But yes it is.
    What is the cost? Years and millions. And a commitment to do security right from the beginning ... design being the beginning.

  2. Developing software to a higher standard on BBC Commentator Goes After Software Licensing · · Score: 1

    It all comes down to a business proposition.

    On the part of the developer ... is it good enough to ship.

    On the part of the buyer ... is it good enough to use.

    Both have some risk. Both are imprecise judgements (said as one who makes the call in the first case weekly and in the second, occasionally).

    To take 95% of the risk out, multiply the cost and time by 5.

    You'll never take all the bugs out of a complex product.

    Those safety in flight and NASA programs that are cited are often very small in terms of lines of code, don't have people pressing any of 50 buttons in any combinations, very single function and took 5 years and millions to develop.

    If you were to develop and test to that degree of quality, just maybe someone else would come out with a product that people felt was good enough and, by the time your product was ready, there would be no market because people would already be attached to rev 3 of the good-enough program.

    Think about it, how many of us buy the absolutely most reliable car? Or music player? Why should our buying software programs be different?

  3. Does the format make an impact if 80% can't read i on Tim Bray on Implications of OpenDocument Format · · Score: 3, Insightful

    The practicality of my world as a businessman is I exchange documents every day in Microsoft Office formats with other businesses, government agencies and internally within my company. I never ask what format we are going to exchange documents in (unlike the early days of PCs). It just works.

    The cost of Microsoft Office is trivial to me compared to the benefits it brings by its providing me de-facto standards that allow my productivity. If I waste 4 hours of my time fiddling with files that won't convert, I've more than paid for the Office license. My mantra: PCs and Software are cheap compared to the business value of the time of talented people.

    When another format can provide the same ease of exchange, edit, return edit, return, etc then it will become the de-facto standard.

    This can happen several ways. A big gorilla called the US Government can mandate it (but look how long it is taking them to implement the already mandated IPv6). A collection of smaller entities can mandate it and ultimately achieve critical mass. Microsoft can adopt it. But in any of these cases, it will take 5 years at least before the same trivial exchange can be achieved.

    Until that time, any attempt by a single small entity to adopt a standard the rest of us can't use without change, training, hassle is a major problem.

    We have developed much of our product documentation in HTML format for its ease of use as well as its portability across platforms. One set of documents has thousands of links within and between documents rather than massive indexes. We find no negatives in using that format for exchange because everyone can use it (if the feature set is somewhat restricted). But even that format would be a problem if it had to be shared with a Microsoft Office user as the returned document would be a nightmare to compare due to the differences in HTML formatting. And HTML has been out there for years.

    My conclusion:

    This isn't going to happen overnight.

    It is going to take some serious players saying things like "I won't buy your next office product if it doesn't support xyz open standard."

    There better be some darn good converters.

    In the best case, it will cost business billions to convert not in $ to M$ but in upgrades, training, lost productivity, etc.

  4. Recall the definition of EAL 4 on Red Hat Seeks to Deliver Most Secure Linux · · Score: 1

    "EAL4 permits a developer to gain maximum assurance from positive security engineering based on good commercial development practices which, though rigorous, do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit an existing product line."

    "EAL4 is applicable to those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity (OSs) and are prepared to incur additional security-specific engineering costs."

    Compare that with EAL5's description:

    "EAL5 permits a developer to gain maximum assurance from security engineering based on rigorous commercial development practices supported by moderate application of specialist security engineering techniques. Such a (OS) will likely be designed and developed with the intent of achieving EAL5 assurance."

    "EAL5 is ... applicable in those circumstances where developers or users require a high level of independently assured security in a planned development and require a rigorous development".

    EAL 5 (and 6 and 7) provide more assurance but achieving those levels is only done at significant cost both in the design requirements they impose on the OS, as well as the cost in $ and time to develop the additional documentation necessary to achieve these levels.

    EAL5 requires "semiformal design descriptions, the entire implementation, a more structured (and hence analyzable) architecture, covert channel analysis, and improved mechanisms that provide confidence that the (OS) will not be tampered with during development."

    EAL5 begins the series of levels which require the OS developer to design for security first. They also require tests and documentation to be written to exacting standards.

    Quotes are from CC documents themselves.

  5. Just because you can doesn't mean you should on Bruce Perens Tells Linus Torvalds To Cool It · · Score: 3, Insightful

    I'd be disappointed too if a person who had cooperated and facilitated my efforts over a many year period was being taken advantage of by my allies.

    Let's posit that BitKeeper contributed to the success of the Linux movement/project by providing a superior free capability that wasn't there before and did it at some expense charging nothing (but gaining some good karma/publicity).

    Now you can reverse engineer legally. But should you?

    Or should you allow that deviation from OSS purity because that person/company tried to be helpful to your efforts?

    Would you be upset that something so bound up in your way of doing your work (which many consider vital to the OSS) is attacked in such a way as to cause you to have to change the way you do your work? At a cost of disruption and productivity...how many fixes aren't going to get reviewed as thoroughly because Linus has to switch the way he works (and even go off and develop an application like SCM)? Kernel guys are precious. Linus is especially vital and any distraction from his efforts to produce the best kernel possible is bad.

  6. Why deal with sellers who require returned drives? on Secure Hard Drive Deletion Appliance? · · Score: 1

    I'm an OEM and I buy drives from suppliers (IBM/Hitachi) who accept my company's written word who accepts my customer's written word that a drive has been destroyed or who accept a Xerox of the drive case and a written statement (Seagate). Since my drives go into 3 letter agencies, I anticipate the possible repair need in selecting a supplier.

    Doesn't help you in your "transfer a working drive to another person" scenario but does solve the RMA need (I never did figure out why I'd trust an overwrite performed by a drive that was known to be failing).

    And since the "transfer" case affects working systems, what you want there is a software product loaded from a floppy that deals with the drive on a physical level. Takes a long time given today's size drives.

  7. Not true though almost on SUSE Awarded EAL4 Certification · · Score: 1

    There is at least one product that has been Evaluated at the EAL5 or higher level. I forget whether it was in the US or UK. I didn't check all the signatories when I was looking. Recall that EAL5 or higher Evaluations are given by specific countries and are not recognized generally by other countries.

    And EAL4 is a significant achievement. Now try for EAL5 and that is something absolutely huge. There is only one OS in evaluation at that level right now and its Evaluation has stretched years. And millions.

  8. There are companies looking in NoVa... on Massive Layoffs At AOL · · Score: 1

    The newspapers have nothing, it is all online or word of mouth.

    My group is looking for about 10 UNIX programmer types. Actually finding it hard to find good ones even though no security clearance required for some positions, just US Citizenship. Applications and OS programmers.

    Part of that I attribute to the holidays, no one looks around this time.

    After New Years then people start looking again.

  9. Re:Not DoD .. NSA on Open Source a National Security Threat · · Score: 1

    If SELinux is so secure, how come it isn't evaluated at a high enough level to matter?

    SELinux is the product of one group in NSA and a bunch of talented contractors. They don't speak for the whole of the agency nor has the group that evaluates the security of products blessed SELinux.

    The answer to why no evaluation (assuming the issues of where the source code comes from can be ignored or "solved") is about 5 years and $12M (my estimate) and you have to freeze in place and forgo any improvements that happen while the Evaluation is in progress. Better to have the security it does add while migrating to the latest code base? Yes, for many uses.

  10. OSS Office first has to just work on Open Source Software Serves Niche Markets · · Score: 1

    I'm not sure it matters that much what languages and character sets work, the basic program logic has to work first.

    I work in a Windows document format world. So does every other company or government agency I seem to interact with.

    I have Linux devotees working for me. I love what they can do. Smart people.

    But there are some things they can't do, it seems.

    The last two documents I received from them (one began life as a Word document you filled in to create a draft of your performance appraisal and the other was a spreadsheet expense account) had to be returned to them with the request "I don't care what you do them in but they must print correctly from Word/Excel because that is the corporate standard". It took them each 2 to 4 hours to work through all the differences, convert the text to Word, etc. That is just not acceptable, we pay them to write good tough code, not work out compatibility differences. It drives our overhead through the roof because when they are doing that, it just isn't billable to the client or productive to the product.

    Such an experience speaks to me of the current state of 2 of the widely used desktop applications available from the OSS world.

    I didn't go looking for negative examples, they were just there.

    I wish it weren't so.

    When OSS products can:
    - install trivially on 98% of the hardware
    - use a consistent user interface that allows 98% of the keystroke shortcuts and menus and commands to be relied on to be common between applications
    - and can exchange the 4 most common file formats from the dominant player in a reliable manner
    only then can we convert our corporate desktops.

    Until then, we in business who just have to get things done by interacting with dozens of other companies, can't convert.

    I exchange documents with people I'm working with for the first time every day and I depend on everyone using a de-facto standard that all of us can use trivially, not an "almost the same and you can get it to sorta work if you are really smart ... and it is free" program. File format is never even discussed, it is assumed.

    The first time my CEO/CIO/CFO wants to send a proposal/statement/etc and it printed askew at the other end, the OSS advocate would be explaining and listening to "I am worried about a $20M proposal and you are worried about saving $500 a desktop ...I'm getting someone new with judgment around here."

    I think the OSS world of forking and emphasizing diversity really hurts it in the desktop world. Because all those things that are strengths in the kernel world are weaknesses in the desktop world.

    If we spent less time inventing new interfaces and more time getting the one we have working....

    If we spent more time adapting a single interface .... and abandoning our own because sometimes better is not important ... standard is.

    And if there were an interface certification body so that a stamp meant we could trust the thing to a user without weeks of training or handholding.

    And if we tested and tested against millions of documents so that we could be sure that they would exchange trivially....

    And documented ....

    But those things sound like the things Microsoft does every release .... and I'm not sure how (or if) OSS can organize to duplicate them.

    I want a choice .... but now I have to go get some work done.

  11. AMIdiag from AMI on Good, Affordable PC Diagnostic Software? · · Score: 1

    I build several hundred servers a year and use AMIdiag to burn them in and test them. I actually ship a legal copy of the product with every server I ship.

    As others have said, there are 2 versions, one runs under Windows. One under DOS. I use the floppy or CD loading version. It does a fairly comprehensive test of the hardware and devices.

  12. It all depends .... on Modifying Employment Agreements? · · Score: 1

    On the attitude of the employer.

    Of the tone you use.

    Do we modify or exempt, sure, all the time if we want the person. But if they show in their negotiations that they have a know-it-all attitude and want to run the company (as opposed to having a problem we can jointly solve so they can start contributing), then I might turn suddenly rigid and not want to make changes and maybe I'll get to learn something about the potential employee in the process. You are a new person still trying to make an impression; if you go in with the attitude that you have an apparent conflict that you want to resolve because you are excited about the opportunity and just know you can work something out so there is no conflict, then you have a chance, IMHO. You don't want to lose by winning. You want to create a long term win-win.

  13. Open Source = good ... but on How to Misunderstand Open Source · · Score: 2, Insightful

    Professional means:
    Coding to a standard; does open source have a reviewer who can compel every project/fix to adhere to the coding standards
    UI to a standard; ditto
    Documentation to a standard; ditto
    Providing tests which go into a test suite that is used to assure no regression; ditto
    Release management that assures that standard functionality, load, longevity, security and stress tests are run before the product goes out; ditto

    The wonderful anarchy that is the open source movement is one of its strengths, but is the source of some significant weaknesses IMHO.

    Proprietary development has its down side but at least there is someone who can enforce the standards and make sure that those things that are necessary for total product quality are there.

    We use OSS a lot and it is wonderful for CS types who work full time in software development. But can I deploy it to an entire company or give it to my wife?

  14. Yea but ..... on Japan's TV Broadcasts To Be All-Digital By 2011 · · Score: 1

    I have HDTV over an outside antenna, digital satellite and over the air analog. All it has to do is rain or snow or the wind blow strong and guess which is the only service working ... good old analog.

    The new fancy stuff is great when it works ... maybe more than great. But I'd guess 5% of the time, I'm back to the stone age.

    Now fast forward a few years to where there are no analog signals in the air ...

    Is this an advance? Are we sure?

  15. Re:Windows 2000 is certified as well on Red Hat Pushes For CC Certification By Year's End · · Score: 1

    Anyone who wants a product certified/evaluated according to the Common Criteria rules has to pay the lab that does the evidence evaluation. Those are just the CC rules. MS is just doing things the way the CC set them up to be done.

    Now you could quibble about the Protection Profile that was used or the Security Target and how much functionality they contained. You could also ask how rigorous the examination of evidence by the lab was. You could ask why they couldn't achieve a higher EAL level.

    But to complain because MS paid the lab is unfair because there are no options. In some countries, you also have to pay the government body who is overseeing the lab for their labor!

    (said as one who is also paying a lab a lot of $ to evaluate an OS ... see http://www.digitalnet.com/solutions/info_sec_sol/xts400_trusted_sys.htm).

  16. Re:For all this 'talk' of community on SCO Volleys to Red Hat · · Score: 5, Insightful

    Anytime you want to fund the lawsuit.....

    OSS developers are liable to not be the best positioned to afford lawyers.

    Now if OSS only paid their developers (and we were willing to pay for it to fund those payments !!!) maybe they would/could.

  17. Re:This is going to be pretty useless, most likely on IEEE to Standardize OS Security Components · · Score: 1

    TCSEC was the spec and yes WindowsNT met it only at some low level and then only when not plugged into a network.

    But there is an OS that did meet the spec and a higher spec at that, that was repeatedly OK'ed when connected to a network, in fact multiple networks of different levels. DigitalNet's STOP.

    BTW, STOP in its newest version is currently being evaluated under the Common Criteria at the highest level ever attempted for a general purpose OS. http://www.entrust.com/entrustcygnacom/labs/pfSEL0181xts400.htm

  18. Re:Psychology plays a role on Is Linux as Secure as We'd Like to Think? · · Score: 1

    While you assert: "... all O/S are written as independent modules. The issue is whether those modules interact in a coherent manner or an incoherent one. Unix regrettably flunks that test, although propagandists will try to deny it."

    You are lumping all UNIX or UNIX-like OSs together. There are UNIX API/ABI compatible OSs designed with security as the foremost consideration with formal provable security policies enforced over all object accesses. Written as multiple modules, yes. Designed and proven to interface correctly so as to permit correct user interface while preventing "illegal" ones, yes. Does it take a rigor unknown in most commercial OS shops? Yes. But it can and has been done. See STOP.

  19. Gads...an informed post on security and the CC on IBM Clinches Security Certification for Linux · · Score: 2, Insightful

    My compliments.

    EAL7 is the highest defined Common Criteria Evaluation Assurance Level. EAL2 is one of the lower ones and can be achieved by minimal documentation efforts. If one looks at the chart on page 54 of the Common Criteria Part 3 Security Assurance Requirements document, one sees that an EAL7 system would be analyzed in 25 areas where an EAL2 one would be analyzed in only 13. And even in the 13 areas that are common, there are requirements at the EAL7 level to do each thing much better that don't appear at the EAL2. What may seem like a minor wording difference between 2 requirements may take millions to achieve.

    EAL2 does not require an exhaustive vulnerability analysis or penetration testing or a covert channel analysis as do those levels above EAL4.

    I'm aware of only one OS aspiring to a greater than EAL5 level for a general purpose operating system, DigitalNet's STOP which is currently in evaluation, has been for 8 months and will be for several more months.

    Acquiring that EAL5+ rating even for an operating system that previously received NSA's highest rating ever for a general purpose operating system takes several years and multiple million $, not the $500K quoted in another post.

    The Govt procuring agency is responsible for assuring that the protection profile or security target that the OS was evaluated against is appropriate for the value of the data they are trying to protect and that the assurance level is also appropriate.

    All an EAL2 does is allow the government to buy and to use Linux in the most insensitive areas. Surely three letter agencies would require much more than an EAL2.

    For the original post to say "highest" is to say the writer misunderstood the significance of the IBM announcement.

  20. Re:Here at the office... on OpenOffice.org Resource Kit · · Score: 1

    Ever use Crosseyes? It is a Word Perfect show codes for Word. Enables you to do lots of repairs.
    http://www.levitjames.com/crosseyes/CrossEyes.html

  21. Re:Quit with the silly generalisations, OK? on Opensource Code More Refined Than Closed? · · Score: 1

    It is quite possible to have rigorous coding standards, standardized development tools, rigorous design reviews before the code is written, rigorous reviews of all written code by multiple people (each with the power to stop the shipment!), rigorous documentation standards, independent individual code-chunk/fix testing, independent release testing ...all in a closed source environment. Plus, when I know my three lead architects have signed off, I know the quality of the reviewers as nationally acknowledged authorities in their specialties.

    The number of eyes is important, but so is the knowledge, skill as reviewer and diligence of the reviewer.

    So are the management controls to assure that all these things are done to all code all the time in exactly the same way.

    But it costs !!!!

  22. Turbo Tax and my convenience on Intuit Drops DRM from Future Products · · Score: 1

    Not only did I get bit by a hard disk crash and have to go through Intuit's nightmare of tech support but that wasn't, to me, the worst. Their "file 2 paper rebates" program has me thoroughly ticked. I buy their product to make my paperwork easier, not to do some silly paperwork for them. And to do it twice only shows they just don't have my convenience at the forefront of their planning conferences.

    Unfortunately, the alternative packages have the same rebate plans.

  23. Re:Sad. So very sad... on Calling Software Reliability Into Question · · Score: 1

    To build a truly secure Operating System takes about twice as many resources as to build one with equivalent functionality. And it runs slower.

    To audit such an Operating System for security takes a two+ year multi-million dollar effort to prepare for audit/evaluation and a ~million dollar one year audit/evaluation.

    How many people are willing to pay for this level of assurance which must be reflected in the price? Suffer this delay? Run slower? The installed base of all such operating systems is less than 2,000.

    An operating system product I work with is in the middle of just such a rigorous security evaluation.

    For business or security critical use, you need that evaluated product (http://www.entrust.com/entrustcygnacom/labs/ and look at the XTS-400 entry). But be aware: it costs many times as much as the "good enough for desktop use" one from Microsoft. And is always going to be behind in features because that evaluation takes so many resources away from pure development. And to do all that security checking takes CPU cycles.

  24. The terms open/proprietary don't help you tell ... on Ask About Proprietary vs. Open Source Code Quality · · Score: 3, Insightful

    It is possible to have a proprietary model and to have code reviews required (and documented) done by competent system architects and security experts. It is also possible for proprietary developers to do no reviews and to lack the skill and experience and coding standards and automation to produce reliable code.

    It is possible to have an open source model and have the code reviewed by no one but the original coder. Or to have 15 reviewers of varying competence looking at every line and debating it vigorously.

    It is possible in the same OS to have source files or code fragments from various sources with various development and review methodologies. Some can be as extreme as using/requiring automated tools to find potential errors and requiring skilled reviewers. Some as lax as no review by anybody or anything.

    Given this diversity, how can the terms open and proprietary be used to usefully describe software quality? Doesn't it depend not on the open/closed but on the amount of skill of the coder, automation of the review and experience of the reviewers? And isn't that independent of open/proprietary?

  25. What about off campus impacts? on Windows vs. Unix Revisited · · Score: 2, Insightful

    Of course the dumb terminal model is going to be cheaper, especially when combined with free software.

    But what happens when you have to support 200 people living off campus? What happens when you have to explain to Dad who just bought his kid a $2000 portable that he can't use all that software? What happens when you have to explain to the professors that they have to convert all their files?

    The knowledge people have of how to use the tools they have is extraordinarily valuable. I've had people tell me "tell me to use Windows" and I quit. I've had people tell me "Linux and I quit". They have extraordinary loyalty to the tools. Sure it is emotional and not rational, but you sure better understand the politics when you advocate change. And figure in the education and lost productivity costs while people regain their comfort level.