*BSD News Article 43618



Xref: sserve comp.sys.powerpc:38338 comp.os.linux.misc:42657 comp.unix.bsd.386bsd.misc:52 comp.unix.bsd.freebsd.misc:1019 comp.unix.bsd.netbsd.misc:295 comp.unix.misc:16911 comp.security.misc:14550 comp.os.ms-windows.nt.misc:44420
Path: sserve!newshost.anu.edu.au!harbinger.cc.monash.edu.au!msunews!uwm.edu!lll-winken.llnl.gov!hookup!news.mathworks.com!bigboote.WPI.EDU!news3.near.net!eisner!kilgallen
From: kilgallen@eisner.decus.org (Larry Kilgallen)
Newsgroups: comp.sys.powerpc,comp.os.linux.misc,comp.unix.bsd.386bsd.misc,comp.unix.bsd.freebsd.misc,comp.unix.bsd.netbsd.misc,comp.unix.misc,comp.security.misc,comp.os.ms-windows.nt.misc
Subject: Re: WNT security problems (was: Best platform to learn Unix on ?)
Message-ID: <1995May11.090105.9912@eisner>
Date: 11 May 95 09:01:04 -0400
References: <ABB885FB96683E495@vader.demon.co.uk> <3n8tjr$h1t@nz12.rz.uni-karlsruhe.de>   <3o8r01$287@park.uvsc.edu>
Organization: LJK Software
Lines: 56

In article <3o8r01$287@park.uvsc.edu>, Terry Lambert <terry@cs.weber.edu> writes:
> kilgallen@eisner.decus.org (Larry Kilgallen) wrote:
> ] For those who will settle for unevaluated software "designed-to-meet"
> ] particular standards, consider that a major difference between B1 and
> ] B2 is that the latter requires covert channel analysis.  The very idea
> ] that someone claims something meets a standard of analysis and yet is
> ] unwilling to have that analysis evaluated seems fatuous.
> 
> I'd be perfectly happy to see a C2 or better evaluation of FreeBSD,
> with a couple of minor configuration changes away from the defaults
> as it is distributed that will probably be in the 2.1 release.
> 
> Feel free to evaluate to your heart's content.
> 
> Since the software is provided on a volunteer basis, I assume the
> evaluation will be provided on the same basis?

No, "evaluation" as used in the industry means formal evaluation by an
authority or their proxy.  In Europe you pay an independent testing lab.
In the US (where the C2/B1/B2 names are used) you may not pay directly
to the NCSC (I am not sure) but you pay lots to have your employees work
through the process with the NCSC.

Neither of these settings can handle a freeware case, since there is no
legal entity standing behind the software.

> This is, of course, the problem with non-commercial projects: they
> are intrinsically non-commercial (which is probably why they are
> called "non-commercial projects").

It is not a problem, only a "difference".  Software with an informal
distribution model will use an informal trust model.  People will say
"Linux (is/is not) pretty secure.", and that will be good enough for
that market.

> The other issue is that an evaluation is only useful for a fairly
> stagnant system; changes to the system invalidate the conclusions
> of an evaluation, then require another evaluation.
> 
> On the other hand, systems whose bugs haven't been fixed for years
> are perfect candidates for evaluation: they are unlikely to be
> fixed *ever* and so the evaluation will remain valid for a long
> time.
> 
> Generally, a company offering an evaluated product will have it
> frozen at several revs lower than their current main-stream
> release to keep the certification valid for as long as possible.

In the US, there is a "RAMP" program to allow vendors to maintain
ratings for subsequent versions.  DEC is trying that now to get
VAX VMS/SEVMS V6.1 evaluated at C2/B1 (V6.0 was evaluated the hard
way).  They are even trying to use RAMP to get Alpha VMS evaluated
as a cross-architecture port (which I don't think has ever been done
before, but is at least theoretically possible).

Larry Kilgallen