Return to BSD News archive
Xref: sserve comp.sys.powerpc:38338 comp.os.linux.misc:42657 comp.unix.bsd.386bsd.misc:52 comp.unix.bsd.freebsd.misc:1019 comp.unix.bsd.netbsd.misc:295 comp.unix.misc:16911 comp.security.misc:14550 comp.os.ms-windows.nt.misc:44420 Path: sserve!newshost.anu.edu.au!harbinger.cc.monash.edu.au!msunews!uwm.edu!lll-winken.llnl.gov!hookup!news.mathworks.com!bigboote.WPI.EDU!news3.near.net!eisner!kilgallen From: kilgallen@eisner.decus.org (Larry Kilgallen) Newsgroups: comp.sys.powerpc,comp.os.linux.misc,comp.unix.bsd.386bsd.misc,comp.unix.bsd.freebsd.misc,comp.unix.bsd.netbsd.misc,comp.unix.misc,comp.security.misc,comp.os.ms-windows.nt.misc Subject: Re: WNT security problems (was: Best platform to learn Unix on ?) Message-ID: <1995May11.090105.9912@eisner> Date: 11 May 95 09:01:04 -0400 References: <ABB885FB96683E495@vader.demon.co.uk> <3n8tjr$h1t@nz12.rz.uni-karlsruhe.de> <3o8r01$287@park.uvsc.edu> Organization: LJK Software Lines: 56 In article <3o8r01$287@park.uvsc.edu>, Terry Lambert <terry@cs.weber.edu> writes: > kilgallen@eisner.decus.org (Larry Kilgallen) wrote: > ] For those who will settle for unevaluated software "designed-to-meet" > ] particular standards, consider that a major difference between B1 and > ] B2 is that the latter requires covert channel analysis. The very idea > ] that someone claims something meets a standard of analysis and yet is > ] unwilling to have that analysis evaluated seems fatuous. > > I'd be perfectly happy to see a C2 or better evaluation of FreeBSD, > with a couple of minor configuration changes away from the defaults > as it is distributed that will probably be in the 2.1 release. > > Feel free to evaluate to your hearts content. > > Since the software is provided on a volunteer basis, I assume the > evaluation will be provided on the same basis? No, "evaluation" as used in the industry means formal evaluation by an authority or their proxy. In Europe you pay an independent testing lab. In the US (where the C2/B1/B2 names are used) you may not pay directly to the NCSC (I am not sure) but you pay lots to have your employees work through the process with the NCSC. Neither of these settings can handle a freeware case, since there is no legal entity standing behind the software. > This is, of course, the problem with non-commercial projects: they > are intrinsically non-commercial (which is probably why they are > calle "non-commercial projects"). It is not a problem, only a "difference". Software with an informal distribution model will use an informal trust model. People will say "Linux (is/is not) pretty secure.", and that will be good enough for that market. > The other issue is that an exaluation is only useful for a fairly > stagnant system; changes to the system invalidate the conclusions > of an evaluation, then require another evaluation. > > On the other hand, systems whose bugs haven't been fixed for years > are perfect candidates for evaluation: they are unlikely to be > fixed *ever* and so the evaluation will remain valid for a long > time. > > Generally, a company offering an evaluated product will have it > frozen at several revs lower than their current main-stream > release to keep the certification valid for as long as possible. In the US, there is a "RAMP" program to allow vendors to maintain ratings for subsequent versions. DEC is trying that now to get VAX VMS/SEVMS V6.1 evaluated at C2/B1 (V6.0 was evaluated the hard way). They are even trying to use RAMP to get Alpha VMS evaluated as a cross-architecture port (which I don't think has ever been done before, but is at least theoretically possible). Larry Kilgallen