Forgot your password?
typodupeerror
Security

Windows 2000 Gets Common Criteria Certification 533

Posted by timothy
from the endorsement dept.
Qnal writes "e-Week is reporting that Microsoft Windows 2000 has been awarded Common Criteria Certification.. Read more of the propaganda here. Basically, according to the article Any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated. The Common Criteria certification is an internationally recognized ISO standard established for evaluating the security of infrastructure technology products. Too bad it takes 3 Service Packs..."
This discussion has been archived. No new comments can be posted.

Windows 2000 Gets Common Criteria Certification

Comments Filter:
  • by I_am_Rambi (536614) on Thursday October 31, 2002 @02:00PM (#4572343) Homepage
    Watch out for the EULA on service pack 3, its a killer.
    • what, exactly, about the EULA is a killer?
    • by dboyles (65512)
      Watch out for the EULA on service pack 3, its a killer.

      I see this as the main problem with closed-source software. I work at a university, and all of the professors in the department in which I work run Windows (95% are 2000 Professional). Security is a very big issue, because universities are often targeted by crackers because of our resources (bandwidth and hardware). Keeping computers secure is a difficult job when you're relying on a single vendor to (1) acknowledge security vulnerabilities and (2) provide patches for those vulnerabilities. If Microsoft doesn't want to acknowledge a flaw for fear of having egg on its proverbial face, we're SOL.

      So when they do issue patches/service packs, we're usually quick to apply them. But in the case of SP3, in order to secure our computers, we also have to accept an overly-broad EULA. A grad student geek and I were talking about this today while I was installing SP3 on a computer that had not yet had the patch applied.

      So do you give up control of your machines to Microsoft or to crackers? Right now we've chosen Microsoft, and I'm not completely convinced that the other alternative wouldn't be better.
  • by Jeremiah Cornelius (137) on Thursday October 31, 2002 @02:01PM (#4572346) Homepage Journal
    From the Reg: http://www.theregister.co.uk/content/55/27874.html [theregister.co.uk]

    Read their earlier report as well. CC accredation is a running certification, for a specific configuration.

    • Another article [theregister.co.uk], more in-depth as to the prereqs for certification:

    • by Marillion (33728) <ericbardes@gmail. c o m> on Thursday October 31, 2002 @03:04PM (#4572854)
      The certification is just documenting that your security model. The fact that Microsoft can demonstrate the following features:
      • Audit
      • Cryptographic Support
      • Communications
      • User Data Protection
      • Identification and Authentication
      • Security Management
      • Privacy
      • Protection of the TOE Security Functions
      • Resource Utilisation
      • TOE Access
      • Trusted Path/Channels
      Is all that's required for the certification. Does the OS have the right features with a configuration policy that sets those features properly.
      It's sad that it's miles away from the default install, and most sysadmins won't take the effort to implement them.
      Also, buffer overflows aren't part of the certification. Although, I would make a strong claim that a buffer overflow in a process running as System violates Protection of the TOE Security Functions
  • No wonder (Score:4, Funny)

    by Subcarrier (262294) on Thursday October 31, 2002 @02:01PM (#4572349)
    Microsoft Windows 2000 has been awarded Common Criteria Certification.

    Sounds like Windows 2000 is the lowest common denominator.
    • Re:No wonder (Score:5, Insightful)

      by User 956 (568564) on Thursday October 31, 2002 @02:46PM (#4572692) Homepage
      The Common Criteria certification is an internationally recognized ISO standard established for evaluating the security of infrastructure technology products. Too bad it takes 3 Service Packs...

      Too bad Linux isn't cerfitied at all.
      • by WasteOfAmmo (526018) on Thursday October 31, 2002 @03:49PM (#4573282) Journal
        Too bad Linux isn't cerfitied at all.

        Thank you for saying this. No, this is not flamebait nor it is an attempt to bash Linux/MS/OS_whatever. I was quite disgusted by the fact that the editor felt it necessary to throw in that cheap quibble on the front page of the story.

        No I am not a MS/Linux/OSX/CowboyNeilOS crusader. It would not have mattered which OS the story was referring to. The comment was cheap and unnecessary, and in my mind it degraded the apparent level of professionalism of the /. editors. If I had wanted mud slinging news I would have checked out the local political race, or any one of the national tabloids. It would also be different if /. put a satirical flavor on every headline then the "Too bad it takes 3 Service Packs..." sort of comment would have been humourous. Instead I find it tiring and all to common.

        MS Should be given some credit for the efforts of achieving the level of standards necessary to aquire any type of internationally recognized certification. This goes for any other development team/group achieving similar goals.

        /.'s roll should be to report the news in a non-bias way while the /.'s readers' roll is to review, evaluate, and comment on the story thereby giving other readers some insite, food for thought, background information, and/or research needed for them to make informed decisions. If the /. editors feel it necessary to throw in such comments then they should keep them off the headlines and post their feelings like the rest of us do.... in the comments.

        damnedIfIknowHowToUseAn'Or,Merlin.
        • Interesting thing is, /. was never set up to be a definitive news source, from what I understand. It was (and still is) a few guys throwing stuff that interests them up on the web. By spending a lot of time on the site, you're in essence buying in to their [sometimes twisted] take on things. If you want a different flavor of propoganda, you either go somewhere else or create your own.

          The FACT is, that it has taken 3 service packs and a huge amount of public thrashing to get the OS to the point that it can be certified.

          As to whether the certification means anything, that's up to each of us to decide for ourselves. My Win 2000 will remain firewalled off from the rest of my network, while I use what I feel to be more secure OS's to get the job done.
      • 1 service pack (Score:3, Insightful)

        by Nailer (69468)
        And too bad it only takes 1 service pack: they're cumulative in nature. Install Win2k, and if your install media wasn't updated to SP3 already, apply SP3 yourself.
  • OK (Score:5, Insightful)

    by 4of12 (97621) on Thursday October 31, 2002 @02:02PM (#4572350) Homepage Journal

    This kind of certification is a great thing for people running Win2K.

    But I have to wonder if Microsoft's upgrade cycle will cause those people to lose official support for Win2K unless they upgrade to XP or whatever's next very soon now?

    A lot of enterprises do a lot of time-consuming testing before they rollout something like Win2K, which is probably the first reasonable OS from MS.

    It'd be a real shame if all that testing and certification gets thrown out the window because MS doesn't feel its customers aren buying upgraded products fast enough.

    • Windows 2000 (all versions) are covered until 2005.

    • Re:OK (Score:5, Informative)

      by danheskett (178529) <danheskett@@@gmail...com> on Thursday October 31, 2002 @02:31PM (#4572567)
      It'd be a real shame if all that testing and certification gets thrown out the window because MS doesn't feel its customers aren buying upgraded products fast enough.

      MS has just changed thier support policy.

      Win2k Server/Workstation is available/fully supported (as far as anything Microsoft is) until 31-Mar-2005. Additionally it is supported in an "extended" capacity (security bugfixes, web-based support, per-hour billed support) until 31-Mar-2007.

      That means if you were in on the beginning, your lifecycle is 7 yrs for Win2k - 5 years of fully supported and 2 yrs for migration. If you get in now its like 2.5 yrs for fully supported and 2 yrs for migration.

      Its a pretty good lifecycle policy, really. A bit better than some, a bit worse than some. It will depend really on how well it is implemented.
    • Win2k is CC evaluated/certified now.

      An upgrade cycle won't and can't take that away.

      That being said, XP and .Net server are currently being CC evaluated. Their evaluations shouldn't take as long because they are both from 2K's code base with mostly cosmetic and relatively minor system changes.
      • Actually the CC certifaation will take every bit as long as the certification for 2k. That's the whole point, they test it from head to foot, balls to bone.
    • Ah hell, this certifation expires with Windows 2000 service pack 4. The Certification is only valid on the product as installed, configured, and tested.
  • by Telastyn (206146) on Thursday October 31, 2002 @02:02PM (#4572352)
    Hopefully the amount of hoops common criteria makes you jump through will be enough to 'persuade' microsoft into just keeping win2k around instead of EOLing it.
  • 3 Service packs (Score:3, Insightful)

    by CounterZer0 (199086) on Thursday October 31, 2002 @02:03PM (#4572358) Homepage
    But linux still doesn't have it, does it? I'd rather have service packs, than have to hand-apply the hundreds of patches that are put out each year. How does linux handle masses of patches? New kernel build's? That's essentially all a service pack is.
    • Re:3 Service packs (Score:5, Insightful)

      by garcia (6573) on Thursday October 31, 2002 @02:11PM (#4572407) Homepage
      Plus his statement that it has only taken 3 SPs? Who the hell cares how many it has taken? As long as it is getting closer to being secure. People run Windows. People who use Windows are less likely to know-how, or care-to-know-how to install patches for their OS.

      Be thankful that MS does SOMETHING to repair SOME holes.

      Stop w/the little jabs at the end of every fucking Microsoft related article, I really can't stand it.
      • Re:3 Service packs (Score:2, Insightful)

        by JWhitlock (201845)
        Stop w/the little jabs at the end of every fucking Microsoft related article, I really can't stand it.

        I agree - the post would have been just fine without that misguided last sentence. It's the editor's job to take that stuff out. Who was the editor on that last one?

        ...

        Nevermind, it was Timothy. There's a 50/50 chance he added the comment and forgot to add the </I> after the submission.

      • So what happens if an enormous hole is discovered in Windows 2000 SP3 tomorrow?
    • What Linux really needs is the equivalent of Windows Update so you can get a full listing of what needs to be updated.

      With the rollout of UnitedLinux due anytime now, I hope they implement something akin to Windows Update so we don't waste valuable time chasing down manually every important software update to your Linux installation.
    • Re:3 Service packs (Score:5, Insightful)

      by iCharles (242580) on Thursday October 31, 2002 @02:17PM (#4572442) Homepage
      Quite common on this board. If a patch, service pack, or fix is put out for a Microsoft product, it is a sign of weakness. At best, it is said to come out on too slow a cycle, and it is "closed."


      As you note, if Linux releases a new patch, bug fix, etc, it is a triumph of the platform! See how they fix the problem? See how they respond?


      It is, at best, frustrating. It is also, IMHO, a bit hypocritial. There are tons of rationalizations (timing, the fact that it is closed, the fact there was the bug in the first place), but, at the end of the day, patching is part of any software product.


      Ultimately, I think that the "MS patch bad" propoganda lowers the overall credibility if it comes from the same source as "we produce fast patches, and you can even write the patches yourself!" Decide: either patches are bad, or they are good!


      (The relative merits of closed vs. open source cna be debated at length--I personnally don't feel that one method is inherently better than the other.)

      • Nah, you can only have service packs when you actually get around to releasing something. Pehaps that's why so many open source apps seem to be at 0.0.9997 release? Going to 1.0 would mean that those were bugs being fixed rather than just incremental development...
      • Re:3 Service packs (Score:3, Interesting)

        by dboyles (65512)
        I don't know any rational person who thinks that a patch is "bad." The problem with patches from Microsoft is that there are essentially four steps to them materializing:

        1. A vulnerability is discovered in Microsoft software
        2. Microsoft acknowledges the vulnerability
        3. Microsoft issues a patch
        4. Administrators apply the patch based on Microsoft's terms

        Ask yourself, who's in control of that entire process? Is it one entity? An entity that has an interest in profit and corporate image? Do you think those two things come before "what's best for the computing world?"

        Ideally, OSS eliminates the problems with this process. Anybody can discover a vulnerability, make it public, and issue a patch. Likewise, anybody can apply that patch in any way they see fit.
      • Re:3 Service packs (Score:3, Insightful)

        by N3WBI3 (595976)
        Because I have yet to get a patch that changed my eula..
    • Re:3 Service packs (Score:4, Interesting)

      by RagManX (258563) <ragmanx AT gamerdemos DOT com> on Thursday October 31, 2002 @02:19PM (#4572468) Homepage Journal
      emerge rsync
      emerge -u world
      Or, if that doesn't cover everything well enough:
      emerge rsync
      emerge -u --deep world
      And I'm all up to date. Might occasionally have to rebuild the kernel, but other than that, emerge handles all my updates, and much more easily than M$ auto-crash installer. I love Gentoo.

      RagManX
    • Re:3 Service packs (Score:5, Insightful)

      by GauteL (29207) on Thursday October 31, 2002 @02:33PM (#4572588)
      Please... almost all distributions have a sane way of doing security upgrades.. at least the common ones. I'm not talking about Linux From Scratch here.

      I still hate that snide comment about the three service packs though. It's just childish and moronic.
    • Re:3 Service packs (Score:5, Insightful)

      by EvilOpie (534946) on Thursday October 31, 2002 @02:38PM (#4572629) Homepage
      I think that service packs are a mixed blessing.

      Personally... I think that both windows and Linux should have some sort of hotfix/patch scheme, AND a service pack scheme. After all... if a problem comes out with a piece of software be it a security hole, or a bug, or whatever.... system admins should be allowed to patch their systems right away without having to wait for a service pack. This goes for both windows and Linux systems. I like being able to keep up to date on patches and similar... but I also know that there are people out there who are less technical than the average geek. And while they aren't informed enough to install every patch, they have enough know how to install a single service pack. Which is in reality, better than nothing.

      But seriously, I wouldn't put down patches and hotfixes because they ARE good for people who keep their system up to date. They ARE a necessity for quick fixes of small (relatively speaking) problems. But I do agree that we could use service packs as a catch-all for people who don't know exactly how to apply all the patches, or even where to look when they do come out.
      • I would not be too surprised if the service packs had more regression testing than individual fixes, as well -- the latter might be a bit pressed for time (e.g. security fix), but there's seldom real reason to rush the former.
  • by FortKnox (169099) on Thursday October 31, 2002 @02:04PM (#4572362) Homepage Journal
    Positive or negative?
    ...Read more of the propaganda here...Too bad it takes 3 Service Packs...

    A classic case of a narrow minded zealot.
    Does Linux try for this certification? If so, how did they do? Is anything being done to ensure this? Does it matter?

    Those are questions that SHOULD be answered in the article, if you don't like MS.

    How about we just show that Linux is better instead of trying to whine about MS throwing out propaganda.
    After all, would you rather be someone that says "Hey, look at what linux can do with the same thing", or a kid whining and crying that MS is horrible without any backup or info (for this particular certification).

    You guys fight the battle in the wrong way. That's why people roll their eyes when you mention linux. You give the real supporters a bad name.
    • by dead sun (104217) <aranach&gmail,com> on Thursday October 31, 2002 @02:21PM (#4572487) Homepage Journal
      I've taken notice to a lot of flaimbait article write-ups recently. Even if it took time, I'd say it is a good thing that Win2k has a certification.

      This kind of whining is getting downright silly. First a loud group whines about Windows and its applications being insecure, the source of tons of problems, and that MS should get better security. Since Windows is widely accepted and used by many businesses you'd think these people would be happy that there's a certified Windows that should keep your data safe.

      Instead we get more whiners saying that its a shame it took 3 Service Packs to do and that a security certificate is merely propaganda. No pleasing some people I suppose.

      Really, instead of criticism, why don't we be happy that it's getting harder to get at everybody's files? I love linux as much as the next person here, but come on, we as a community need to drop the double standards and be a little more mature in our criticism. And when a step is taken in the right direction, well, give credit where it's due.

      • But it isn't (Score:3, Insightful)

        by burgburgburg (574866)
        why don't we be happy that it's getting harder to get at everybody's files?

        If that were the case, maybe we'd be happy. But because the EULA of SP3 requires you to open your entire system to Microsoft for them to do with it as they will, at their discretion, I think most people would hesitate to describe that as making it harder to get at everybody's files.

        As for the Certification, since it in no way provides any guarantees about the usefulness/applicability of the security components present, it will give users a false and misleading sense of their security.

    • According to this thread [commoncriteria.org] on the Common Criteria forum, Linux has not been evaluated. The answering post also mentions that an OS is evaluated, not certified, so I'm not sure how Win2k got 'certified'.
    • Does Linux try for this certification? If so, how did they do? Is anything being done to ensure this? Does it matter?

      First and foremost, yes, it does matter. New government directives require the DoD, as well as other government agencies, to use common criteria products if they are available. Thus, if Linux doesn't have a CC evaluation, Win2K or Solaris will be used instead (or Irix, or Apple (in evaluation, check out niap.nist.gov, or any of the other unixes).

      The problem is: one has to pay for evaluation. Will any of the Linux shops do this? I don't know. I sure hope so.

      Daniel
  • by Anonymous Coward on Thursday October 31, 2002 @02:05PM (#4572368)
    ...bug fixes? Who can write software without bugs in them? Linus can't.
  • by phorm (591458) on Thursday October 31, 2002 @02:06PM (#4572369) Journal
    Any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated

    Which doesn't nearly going into counting all the fun software that finds inconstencies, holes, and breaches in windows, not to mention finding their own. Often, it's the new software or hardware that breaks an OS.

    How about a fix to "DLL hell", where windows can obtain online a list of known DLL versions, and can be updated by software manufacturers as to which are compatible. From previously working in a software certification branch, I know that DLL and modular conflicts often cause a lot of the instability between apps or when installing new applicatons.
    • I can't remember the last time I ever had dll problems. It was probably back with Windows 95 or something. W2K and XP have dll version management built in. I hear people on /. talk about DLL Hell, but I mainly get the impression that they haven't used Windows since 3.11 or something...

      Compare that to the pain you often have to go through to install an RPM on Linux...
    • As already posted by others it seems that you haven't been actively using a recent version of Windows. DLL Hell is a thing of the past for two reasons:

      1) The NT5.x kernal has built in dll version management. From the end-user perspective DLL Hell is a thing of the past. There are still, however, some (very) small headaches for developers.

      2) .NET has not only completely eliminated DLL Hell, it has one upped the issue by not locking the DLL while in use, so that the DLL's can be dynamically updated w/o reboot.
  • Service Pack (Score:5, Insightful)

    by Quill_28 (553921) on Thursday October 31, 2002 @02:07PM (#4572380) Journal
    Ok did the 3 Service Packs statement rub anyone else the wrong way? Or was it just me?
    • Yes, it showed me that whoever wrote the article just had to put the mandatory anti-MS comment to get it submitted.

      It could have been 1 service poack or 2, and it still would have been written the same way. Gotta have the obligatory jab at MS(even if they are doing something right).

      And I can express my view against it by simply not subscribing to Slashdot.
  • by mehip2001 (600856) on Thursday October 31, 2002 @02:08PM (#4572384)
    I don't get the cynical comments in the post.

    First we critize MS when their securtity fails, now that their security is improving we still critize their efforts. Grow up.

    Besides, a more secure Win2K should mean a better Net for everyone. If these boxes can stay locked down and free of trojans, in theory we shoul see a decrease in attack/hack attemps.

    • Besides, a more secure Win2K should mean a better Net for everyone.

      Is the entire net under the control of a single management domain? No, thus any Win2K box connected to the "entire net" doesn't meet the requirements for certification and is just as problematic in regards to trojans/viruses/etc.

      In other words: No change. Nothing to see, move along.
    • First we critize MS when their securtity fails, now that their security is improving we still critize their efforts. Grow up.

      Why stop when it seems to be working?
  • by _Neurotic (39687) on Thursday October 31, 2002 @02:08PM (#4572385) Journal
    Too bad it takes 3 service packs...

    Yea, because we all know that open source software never needs to be patched. Yep, it's all 100% secure from the start. All open source software is versioned in whole number increments with no point releases for bugs. It's positively magical!

    Gag me with an overstuffed penguin doll...
    • by Arandir (19206)
      All software needs to be patched. It's a given.

      But with Open Source, the patches get applied to a product with a quick release turnover. I can go buy Redhat, Mandrake, SuSE, FreeBSD, etc, *NOW* and have a current system. Or I can choose to buy a three year old system knowing that I need three service packs just to get it up to par.

      Releases every six to nine months are better than releases every three years. In addition, I can get patches for Open Source Software the day they are created, instead of several months down the road when Microsoft decides a issue the next service pack.
  • World Tech Tribune had a rather hilarious FUD article [worldtechtribune.com] covering this several days ago.
    • Can you counter the points?

      Until I see someone explain why Win2000 can pass the certification and Linux cannot, you can't really call it FUD.
      • From the article:

        That's right. Not all versions of Linux could meet CC EAL4. In other words, not all versions of Linux could meet the same minimum security requirements as Microsoft Windows 2000.

        "Well," you ask, "exactly which versions of Linux can and cannot meet CC EAL4 requirements?" It stands to reason that the core Linux(TM) kernel, the version distributed by Linus at http://www.kernel.org, cannot meet these minimum requirements, because if it did, all versions of Linux(TM) would meet these minimum requirements.


        Kernel.org does not release an operating system, they release a kernel.

        His article is FUD because he blasts the core kernel in much the same way I could say:

        "Windows sucks, Bill sucks, and the MS goons suck, because while Windows 2000 SP3 can meet the cert the Windows XP kernel.exe file can't."

        He himself admits that many Linux distributions can meet this cert. But it's as if he doesn't understand that there's a different between a Linux distribution and a Linux kernel.

        In fact, the follow quote refering to kernel.org

        After all, other Linux distributions are not going to be made less secure. I also know for a fact that this is true.

        Really shows his lack of knowledge, because

        1> kernel.org isn't a distribution, it's a kernel.
        2> A full distibution with services(ftp, nntp, http) is totally less secure than a kernel without a distribution(ie. you can't even log into the machine).


    • World Tech Tribune had a rather hilarious FUD article [worldtechtribune.com] covering this several days ago.


      Wow, that... is.... incredible. 'Hilarious' doesn't even come close to describing it.

      The article you mention does, however illustrate the salient point we should all be taking away from this, which is that 'security' is a multidimensional word with orthogonal meanings: when MS says 'it's secure' you have to consider whether they are talking about Palladium/DRM (others get to decide how your PC works) or Filesystem ACLs (you get to decide who can access what inside your box) or PKI algorithms (you get to decide whether someone else's identity can be verified and how to exchange data in a manner that is difficult for third-parties intercept.) This is what the newbies and PHBs need to understand.

      Now, the CC certification means *something* (read the specs to find out exactly what) but there is no "SECURITY = ON/OFF" button you can go push to lock everything down. (Yeah yeah, I know: "power button", ha-ha, very funny.) Anyway, with the machine turned ON, security is only the end result of a process of auditing, testing, fixing and policy enforcement.

  • Stupidity (Score:5, Insightful)

    by Czernobog (588687) on Thursday October 31, 2002 @02:14PM (#4572422) Journal
    Propaganda?
    I say bollocks.
    Win2k with SP3 got an ISO certification for achieving a certain level of security. This is were the news ends. This is also where the person who presented the article behaves as a Linux/OSS groupie, serving FUD.
    The MS OS got a certification, which to some means a lot, to others, nothing. But to actually go as far as calling the whole shebang as propaganda is outrageous
    Correct me on this, but I don't remember Linux getting an ISO certification about anything.
    The way the whole affair was presented, reeks of OSS selfrighteous geekiness, smallmindedness and fantacism.
    You're A Debian user, right?

  • by Graspee_Leemoor (302316) on Thursday October 31, 2002 @02:14PM (#4572424) Homepage Journal
    " Any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated"

    Their test system had two 120Gig HDs full of fansubbed anime and was running at 100 cpu doing divx encodes ?

    Well, they said "exactly the same system".

    Wait, did they mean my exact system ? How do I sue them for wasting my cpu cycles running benchmarks ?

    This post was nearly funny. Blame the cough syrup.

    graspee

  • Huh? (Score:2, Insightful)

    by Anonymous Coward
    Too bad it takes 3 Service Packs...

    But the 2.4 kernel has had 19 service packs. Three is hardly bad at all.
  • by mdeslaur (530851) on Thursday October 31, 2002 @02:17PM (#4572440)
    Solaris 8 got Common Criteria Certified two years ago...how come it took so long for Windows? :)
  • "Any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated."

    Umm, no!?!
  • EULA (Score:2, Insightful)

    by triptolemeus (538604)
    Might be a bit redundant, but I'm wondering how can a system be secure when MS actually has the right to access your box when you install the latest servicepack?

    Sounds a bit hard to me. Besides, we all know Microsoft has its campaign for 'secure Windows'. It doesn't strike me as a surprise that as part of this program they come up with a certificate.

    I'm not trying to state here that this is all a bad thing, it is good that they finally are focussing on security, but I have some real big question marks on this certificate.

    And to the obvious posters stating Linux doesn't have this: Linux cannot buy such a certificate, but not having it, doesn't mean you don't deserver it.
  • by Quikah (14419) on Thursday October 31, 2002 @02:22PM (#4572489)
    In case you were wondering what this is all about. http://www.commoncriteria.org/ [commoncriteria.org]
  • common criteria (Score:3, Insightful)

    by matman (71405) on Thursday October 31, 2002 @02:22PM (#4572492)
    Common criteria does not mean secure. There are multiple levels of the common criteria that mean different things. It doesn't appear that the article states the level achieved.

    Common criteria is quite complicated - to understand what common criteria really means, you'll need to read some things that are NOT posted at Microsoft. This may mean that they basically implement what they have documented, or that they implement a specific feature set.
    • Re:common criteria (Score:3, Informative)

      by NineNine (235196)
      They got a level 4 [com.com]. The agency that did it can't give them a higher rating because they're not gov't. But, there's no way to know if they won't get a higher one after more reviews.
  • "Propaganda" (Score:5, Insightful)

    by Otter (3800) on Thursday October 31, 2002 @02:22PM (#4572495) Journal
    Read more of the propaganda here.

    In the last year or so, it's become fashionable to use the word "propaganda" to describe anything one reads or hears that makes one uncomfortable. The word was already so subjective as to lack value, but it's now hit complete worthlessness.

    If there's something untrue or illogical with the Microsoft page, say so. Throwing in an unsupported "propaganda" is just chickenshit. Unless you figured there was a certain amount of negative spin that had to be added to a Microsft succcess story to get it posted, which is a forgivable gaming of the system.

    • You're a bit confused I think. To describe something that people don't like, use the word "terrorist". The word "propaganda" is used to describe anything written or said which does not support your position. (not you, the previous poster, personally)

      ex: "The terrorists terrorized the people who were terrorized by the terrorists. Everything the terrorists said to claim they weren't terrorists was just terrorist propaganda, because they are in fact terrorists." ( -- this was just an example, but it actually describes current US, Chinese, Russian, and Israeli foreign policy)

  • Slanderdot? (Score:2, Insightful)

    by jmulvey (233344)
    Along with the physical space change, maybe slashdot should move it's domain name space... to "slanderdot.com", or "org" (ha, yeah right VA Software Corporation is a not-for-profit).

    For the longest time everyone here has been criticizing Microsoft because they have poor security. So they start fixing it. They release patches. Then everyone criticizes the fact that they release all these patches. They are only being responsive to your criticism. Now an objective panel gives them a reward for their efforts, and everyone here is angry!

    You know, I really thought everyone here genuinely wanted Microsoft to improve security. I thought we all were in it for the benefit of all. I thought that was what the Linux community was all about. But clearly the intent here is more religion than technical. Either you are part of my religion, or you are to be destroyed. How's that better than your perceptions of how Microsoft acts?

    You know, maybe the .ORG domain name really is more appropriate, since it's a religion and all.

    So who is working on certifying Linux? Is anyone going to actually try to improve the net, or are we going to just keep pulling Microsoft down?

  • What the CC means (Score:5, Interesting)

    by PotatoMan (130809) on Thursday October 31, 2002 @02:35PM (#4572601)
    OK. Enough with the childish flames. MS got a security rating. Good for them. Now, what does it mean?


    Read the description on the CC web site, and you'll see that the evaluation was for the development process, and that only part of the impementation was tested at all. (I wonder which part?)


    All of which, while interesting to some, is in the 'so what' category. Security is not a cert, or a product. Security is what you do.


    For example, Windows NT 3.5 was certified to the NIST 'C2' level (basically, C2 means you have separated the users and require a login). But there was no problem building a 'B2' level (mandatory access control) system with NT3.5; you just had to add some software and hardware to plug the holes.


    So these certs are of no use except to PR flaks. And trolls.

  • by tshak (173364) on Thursday October 31, 2002 @02:39PM (#4572636) Homepage
    Too bad it takes 3 Service Packs..."

    Name any OS that hasn't gone through hundreds of patches before it's reached certain levels of security, stability, or predictability. Quite frankly, if /. wants to maintain any level of credibility as a technology site (not a blind MS-bashing site) then it shouldn't post comments like this.
  • by dogfart (601976) on Thursday October 31, 2002 @02:42PM (#4572664) Homepage Journal
    EAL4 is the level of assurance - how well the product implements the set of security features. Looks like this is a pretty decent level.

    The set of features is (I think) the protection profile (PP). Not sure exactly what the PP is here - the press releases were rather vague, but it may be the commercial adaptation of the old military C2 (discretionary access control).

    Before passing judgement, we need to know what the evaluated configuration looked like - what other software was included, what networking features were enabled, etc.

    I suspect the reason Linux (or OpenBSD or FreeBSD...) have not applied for this is that it costs money. I'm sure MS paid SAIC a nice bundle for this work. A BIG difference between the Common Criteria and the old Orange Book evals. Under the Orange Book (the old C2), the gov't paid, the trade-off being that they took their sweet time doing the eval. Now we have private labs doing the work - more quickly, but there is always the issue of whether the payment biases the results.

    FYI, here is what the Common Criteria [commoncriteria.org] says about EAL4:

    EAL4 - methodically designed, tested and reviewed EAL4 permits a developer to maximize assurance gained from positive security engineering based on good commercial development practices. Although rigorous, these practices do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. It is applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs, and are prepared to incur additional security-specific engineering costs. An EAL4 evaluation provides an analysis supported by the low-level design of the modules of the TOE, and a subset of the implementation. Testing is supported by an independent search for vulnerabilities. Development controls are supported by a life-cycle model, identification of tools, and automated configuration management.

  • All well and good but you cannot run W2K with macines with personal data on them, since that macine would then be violating the Federal HIPPA.

    All your base!

  • Common Criteria Certificate basically replaced the rainbow series of certificate. The more familiar one that we know are C2 of Orange book which NT 4 had.

    I think the rainbow series was replaced sometime in year 2000. The significance of the common criteria is that it is developed by ISO and is internationally recognized and it not only replace the rainbow series but also the ITSEC (European standard) as well.
  • To put this in perspective: PIX v5.2 and Checkpoint NG are both certified to EAL 4. However, I still can't tell my PIX to not bother logging dropped packets to port 137 without telling it to not log _any_ drops at all! On checkpoint I can log based specifically on the rule, not just service or action. Both are "certified" but there is only one I would prefer to use.
  • Try again (Score:2, Insightful)

    by TheCabal (215908)
    First of all, CC certification was achieved with Service Pack 3 plus Hotfix Q326886, not just SP3. The author's statement is incorrect.

    Second, Common Criteria isn't a panacea or a magical certificate saying that Win2k is uber-secure. It is an assurance that it meets a specific level of security and reliability on failure (ie, will STOP instead of going into an insecure mode on a kernel exception).

    Its predecessor was called Orange Book, which WinNT scored a C2 rating. That's about as good as you are going to get with an "off the shelf" operating system. A Level 3 really doesn't mean it's better than other OSs, just certified that it will operate in a predictable and reliable fashion, has DACLs and user-based security, etc... Big whoop.

    Why Service Pack 3? Gee, it takes a bit of time for certification. IIRC, NT took 2 years to get C2 certified. Remember, this is the government.

    By the way, I don't see Linux listed anywhere on the CC list. Check your pots, I think they're talking to your kettles.

    Finally, I take exception to the author's use of "propaganda". Is it becoming the thing to call anything propaganda that paints Microsoft as something other than the Evil Empire?
  • by Mandi Walls (6721) on Thursday October 31, 2002 @02:47PM (#4572706) Homepage Journal
    Okay. So. Common Criteria.

    To get a common criteria certification, in addition to the thousands of dollars (>$40,000) you have to spend, you have to specify what your system does and then prove that it does it.

    So, as I have not seen the specifics of Microsoft's CC case (which I doubt we'll see the full report), a certain company could say "Product X is a workstation operating system that does not allow UserA to see UserB's documents" and then Product X would be certified as having accomplished that.

    There are different guidelines for different products, including firewalls and network management equipment and software.

    You get a CC cert when your product DOES WHAT YOU CLAIMED IT WOULD DO IN THE APPLICATION.

    There is NO third-party security guidelines for the products, as in the SANS guidelines or anything else.

    You write up the application, make your security-related feature claims, and pay your fee. The product is given to a lab for testing.

    The point of the CC is to get gov't and contractors to look at products based on what jobs and specific requirements those products can fill in their IT solutions. It's not really a security cert in the way "Windows is secure" would make you think. It's "Here's the list of security-related requirements you can fill with this product".

    --mandi
    Now back to your carrying on. Yes, I worked on a product that was to be CC'd.

  • by RedLeg (22564)
    Does anyone remember when Windows NT achieved C2 certification? It was:
    • An older version (3.5 or 3.51)
    • Without removable media (floppy or CDROM)
    • Without a network connection
    • Bound to the specific PC it was tested on
    • Of no real use to real users


    This certification isn't much different, in that is has no real meaning or value to end users. All it does is allow M$ to sell into markets, primarily government, where CC certification is a requirement.


    If a vulnerability is discovered in this certified version, there is nothing which forces M$ to make a correction. Further, if M$ issues Patches, HotFixes, Services Packs or whatever subsequent to this evaluation, they will NOT be certified, or even examined.


    Marcus Ranum (father of the Internet Firewall, speaking on CC evaluation of Firewalls) said it best:

    I once thought about trying to get a 10baseT hub ITSEC evaluated
    as a firewall (albeit a very permissive one) but the mountains of
    paperwork and the huge amount of time and money necessary are daunting.

    I'm sure that many on this list will be shocked to hear me say this, but the ICSA
    firewall product certification is orders of magnitude more valuable to real
    customers than ITSEC evaluation.
    Marcus' Full Quote [nfr.com]
  • This reminds me of when my current employer went through UL certification. It was truly eye opening experience for what those little stickers mean.
    To begin with, the UL techs had very little clue about what it was they were certifying, they spent more time ensuring that all of the hardware we used had UL certifications. After that, they bascially re-wrote the spec's around our system. In the end we passed, of course. It would have been kinda tough to fail when the spec was being modified to fit our system, not the other way around.
    After that wonderful experience, I came to realize just how big of a con the UL is pulling on all of us. Its bunk, it doesn't even prove that there is a decent level of quality behind a product. As an example, one of our system configurations requires an ethernet serial provider (ESP), for use with a modem and remote managment software. Easy enough, we've done this for years. But, the ESP we used was not UL listed, so we had to change manufacturers. When we finally found one we discovered that it would not work with a modem and the remote managment software, even had the manufacturer tell us as much! So now we are scrambling, trying to find another supplier. All because of some stupid little UL sticker.
    I can say with confidence, the UL certification is a con. Also, I've dealt with ISO certification, its a con as well (yes, we have documentation on all of our procedures, just ignore that it is very loose and only ensures that we do roughly the same thing every time, and gets universally ignored, we're a custom shop after all, doing the same thing every time is impossible). And I would bet that this common criteria cert is a con, you pay them, play around for a few days to make the inspectors happy, and they sign off on your system.
  • by foo fighter (151863) on Thursday October 31, 2002 @02:55PM (#4572772) Homepage
    My god, I've just had it. I submitted this news, but with an unbiased, informative write-up. That took a whole 4 minutes to get rejected.

    For the record, here's Microsoft's remarkably FUD-free press release: http://www.microsoft.com/presspass/press/2002/Oct0 2/10-29CommonCriteriaPR.asp [microsoft.com]
    The FAQ tells all about the CC and what it really means: http://www.microsoft.com/presspass/press/2002/Oct0 2/1029CommonCriteriaFAQ.asp [microsoft.com]

    This is huge:
    1) The CC certification is a globally accepted ISO standard (ISO-IEC 15408) established for evaluating the security features and capabilities of information technology products. 14 countries accept it as the method for evaluating the security claims of IT products and systems.

    2) Just "running service pack 3" does not mean you are running a system that is at the same level of security as those evaluated. Microsoft has several documents (enumerated below) that describe how to set up, use, and administer a CC evaluation ready system.

    3) Yes, Windows 2000 is on Service Pack 3 with a few post-service pack hot fixes. My Red Hat installation has at least as many fixes applied to it, and it's not even DoD "Orange Book" certified, let alone evaluated to any international standard of security.

    4) There are three very helpful checklists Microsoft released with this announcement:
    I) Common Criteria Evaluated Configuration User's Guide [microsoft.com] describes how to use a secured system in a secure way. All organizations should be sharing this information with their users. Anyone running Windows 2000 or later should read and follow this.
    II) Common Criteria Evaluated Configuration Administrator's Guide [microsoft.com] tells administrators how to run their system once it's been securely configured. If all Windows 2000 admins read this and the next document there'd be fewer security incidents out there.
    III) Common Criteria Security Configuration Guide [microsoft.com] tells you what steps need to be taken to properly configure a CC evaluation worthy system. It is very simple, especially with the templates Microsoft provides, but it is more complex than "apply service pack 3 then drink a beer".
    These checklists will hopefully alleviate the problem of clueless admins incorrectly configuring and administering Windows 2000 systems.

    5) Windows XP and Windows .Net server should be relatively quick to certify. They are from the same code base as Windows 2000 with mostly cosmetic changes and relatively minor system tweaks.

    The baseling is this: no other company has certified such a detailed procedure for assuring the ongoing security of their operating system products. Not linux, not BSD, no one. Windows 2000 is the first.

    This isn't just a locked box in a closet with no net connection certification. Several Dell and Compaq systems were evaluated in real world situations. From an interview with Microsoft's Security and Server executives: "...directory service, Kerberos, single sign on, file system encryption, VPN functionality, policy-based network management, desktop management, and more. To our knowledge, Linux has not been evaluated for any protection profiles under Common Criteria."

    For the record: I run Redhat-based LAMP servers and OpenBSD-based border-gateways. I wish they'd get their acts together and get evaluated; it'd be nice to have an honest-to-god standards-based evaluation of their security.

    I guess I'm done.

    See http://microsoft.com/windows2000/server/evaluation /news/bulletins/cccert.asp [microsoft.com] for more info.
    • by Lumpy (12016)
      I would also agree, but I doubt that RedHat can afford the nearly 1/2 of a million dollars for the certification. and secondly redhat needs to build a install function in setup to make such a system currently there is WAY to much included with redhat to actually have a chance in passing... Microsoft certified W2K with Sp3 that's it... NOTHING ELSE INSTALLED. redhat comes with 95,354,323,121.5 other programs which is great for you and me but very very VERY bad for any type of secure certification..

      It can be done, but why waste the large sum of money just to satisfy a very tiny segment of the populace and also risk getting sued when you dont own over 1/2 the lawyers in the western hemisphere if that certified setup get's hacked.

      microsoft can get whatever claims they present certified... and they really cant get sued as they have a goon squad that can even take down the US government (as they demonstrated already) little ol'e redhat.... cant.
  • SAIC Press Release (Score:3, Insightful)

    by N8F8 (4562) on Thursday October 31, 2002 @03:01PM (#4572832)
    From SAIC News [saic.com]

    FOR IMMEDIATE RELEASE
    October 29, 2002

    SAIC Awarded Common Criteria Certificate for Microsoft Windows 2000 Operating System Evaluation

    (MCLEAN, VA) Science Applications International Corporation (SAIC) today announced that it has received a National Information Assurance Partnership (NIAP) Common Criteria certificate for successfully performing the evaluation of the Microsoft Windows 2000 operating system. SAIC's Common Criteria Testing Laboratory (CCTL) performed the evaluation and received the certificate at the Federal Information Assurance Conference (FIAC) 2002 in College Park, Md.

    "SAIC is proud to have contributed to this Common Criteria milestone event and congratulates Microsoft for attaining this significant achievement in computer security," said Duane Andrews, SAIC corporate executive vice president.

    The Windows 2000 operating system evaluation was conducted in accordance with ISO 15048 Common Criteria Evaluation Assurance Level (EAL) Level 4 Augmented requirements and was evaluated against the Common Criteria Controlled Access Protection Profile, which is consistent with the commercial-level information security requirements for the Department of Defense (DoD). An EAL4 is the highest evaluation rating that a commercial CCTL can perform and Windows 2000 is the first operating system to achieve an EAL4 rating under the United States Common Criteria Evaluation and Validation Scheme (CCEVS).

    "The SAIC CCTL took on a complex challenge, and we were successful in completing the evaluation of the Windows 2000 operation system," said Tammy Compton, co-director of the SAIC CCTL, and the leader of the evaluation team. "The common criteria evaluation methodologies we used were applied to Windows 2000 without using evidence from any previous evaluations. This led to the completion of one of the more challenging projects we have conducted, and we are confident of more successful evaluations in the near future."

    "We have embraced the Common Criteria evaluation process from its inception, because we saw the high quality bar for security we could provide to customers," said Bill Veghte, corporate vice president, Windows Server Group, Microsoft Corp. "With CC certification and the support resources we are releasing today, customers now have an internationally-recognized template for Windows 2000 that enables them to build an IT system for secure computing beyond that of any other commercially-available platform today."

    Located in Columbia, Md., the SAIC CCTL is a division of SAIC's Secure Business Solutions and was accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) in August 2000. SAIC CCTL was one of the first commercial laboratories to be listed in the NIAP's CCEVS. SAIC's Secure Business Solutions provides security solutions for networks and business systems. Its 500 engineers can assess, test, design, certify, deploy, and manage solutions for information and physical security, and train organizations to be a core part of overall security solutions.

  • Why is this story presented as 'propaganda'? I mean, I disklike windows as much as the next person, but lets at least acknowledge they they have made a serious effort and spent a lot of money to improve security and that that effort has paid off. At least give them props for that.
  • "Too bad it takes 3 Service Packs..." So what? Nt4 had what.. 7 service packs? Up to 6a or something wasn't it?
  • In response to all those posters who've said our negative remarks against Microsoft are uncalled for, I have only two words....

    Steve Ballmer.

Arithmetic is being able to count up to twenty without taking off your shoes. -- Mickey Mouse

Working...