Return to BSD News archive
Path: euryale.cc.adfa.oz.au!olive.mil.adfa.oz.au!navmat.navy.gov.au!posgate.acis.com.au!warrane.connect.com.au!news.syd.connect.com.au!news.mel.connect.com.au!munnari.OZ.AU!spool.mu.edu!agate!howland.reston.ans.net!newsfeed.internetmci.com!news.mathworks.com!uunet!in2.uu.net!news2.interlog.com!news1.io.org!not-for-mail From: cbbrown@zip.io.org (Christopher B. Browne) Newsgroups: comp.os.linux.development.system,comp.os.linux.misc,comp.os.linux.networking,comp.unix.bsd.freebsd.misc,comp.unix.bsd.netbsd.misc,comp.unix.bsd.bsdi.misc,comp.security.misc Subject: Re: need secure OS to entrust millions to Date: 25 Feb 1996 15:25:09 -0500 Organization: Internex Online (io.org) Data: 416-363-4151 Voice: 416-363-8676 Lines: 47 Message-ID: <4gqgj5$r1g@zip.io.org> References: <4gi6t6$3h9@lace.colorado.edu> <nc0453Dn96w6.93F@netcom.com> <y5ad974s4v4.fsf@graphics.cs.nyu.edu> <4gqf17$1lr@cynic.portal.ca> NNTP-Posting-Host: zip.io.org Xref: euryale.cc.adfa.oz.au comp.os.linux.development.system:18065 comp.os.linux.misc:88640 comp.os.linux.networking:29760 comp.unix.bsd.freebsd.misc:14390 comp.unix.bsd.netbsd.misc:2330 comp.unix.bsd.bsdi.misc:2472 comp.security.misc:22681 In article <4gqf17$1lr@cynic.portal.ca>, Curt Sampson <curt@cynic.portal.ca> wrote: >In article <y5ad974s4v4.fsf@graphics.cs.nyu.edu>, >David Fox <fox@graphics.cs.nyu.edu> wrote: >> >>Of course, so that you know there is someone standing behind the >>system who is competent enough that they have the confidence to take >>legal responsibility for the security of the software. > >Am I out to lunch, or does every single agreement I've ever seen >on a shrink-wrap box specifically state that the company makes no >respresentations the the software will even boot, much less work >or be secure? a) We're not talking about shrink-wrapped software. b) If you're paying the extra bucks for a B-1 or B-2 secured OS environment, then you certainly *do* get a representation from the manufacturer that the software has that level of security. I find it remarkable that only one person so far has mentioned the infamous "coloured books" from the DOD. The solution for a high security banking application is *not* to run with free software that has relatively little in the way of security features designed into it. I doubt that the banks need a Boeing SCOMP (rated B-3, if I remember correctly), but they *do* need more than what the "free" UNIXes offer. They also need more than anything Microsoft offers; security is certainly not the prime design factor of Windows NT which is the only *faintly* secure OS product that Redmond offers. Gentle readers should consult the following sources, particularly the Rainbow books, before suggesting rash opinions about what's supposed to be pretty secure. <LI><a href="http://www.yahoo.com/Science/Mathematics/Security_and_Encryption/"> Security and Encryption</a> <LI><a href="http://hightop.nrl.navy.mil/rainbow.html">Rainbow Books - US DOD</a> <LI><a href="http://hightop.nrl.navy.mil/docs/greenbook.txt">Green Book </a> -- Christopher Browne - Email:<cbbrown@io.org>, WWW:<http://www.io.org/~cbbrown/> SAP Basis Consultant/Systems Engineer -------- Certified SAP ABAP/4 Consultant PGP key available - check my .plan, Web Page Share and Enjoy