Security

Windows 2000 Gets Common Criteria Certification

Qnal writes "e-Week is reporting that Microsoft Windows 2000 has been awarded Common Criteria Certification. Read more of the propaganda here. Basically, according to the article Any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated. The Common Criteria certification is an internationally recognized ISO standard established for evaluating the security of infrastructure technology products. Too bad it takes 3 Service Packs..."
  • OK (Score:5, Insightful)

    by 4of12 ( 97621 ) on Thursday October 31, 2002 @02:02PM (#4572350) Homepage Journal

    This kind of certification is a great thing for people running Win2K.

    But I have to wonder if Microsoft's upgrade cycle will cause those people to lose official support for Win2K unless they upgrade to XP or whatever's next very soon now?

    A lot of enterprises do a lot of time-consuming testing before they rollout something like Win2K, which is probably the first reasonable OS from MS.

    It'd be a real shame if all that testing and certification gets thrown out the window because MS doesn't feel its customers aren't buying upgraded products fast enough.

  • 3 Service packs (Score:3, Insightful)

    by CounterZer0 ( 199086 ) on Thursday October 31, 2002 @02:03PM (#4572358) Homepage
    But linux still doesn't have it, does it? I'd rather have service packs, than have to hand-apply the hundreds of patches that are put out each year. How does linux handle masses of patches? New kernel builds? That's essentially all a service pack is.
  • by FortKnox ( 169099 ) on Thursday October 31, 2002 @02:04PM (#4572362) Homepage Journal
    Positive or negative?
    ...Read more of the propaganda here...Too bad it takes 3 Service Packs...

    A classic case of a narrow minded zealot.
    Does Linux try for this certification? If so, how did they do? Is anything being done to ensure this? Does it matter?

    Those are questions that SHOULD be answered in the article, if you don't like MS.

    How about we just show that Linux is better instead of trying to whine about MS throwing out propaganda.
    After all, would you rather be someone that says "Hey, look at what linux can do with the same thing", or a kid whining and crying that MS is horrible without any backup or info (for this particular certification).

    You guys fight the battle in the wrong way. That's why people roll their eyes when you mention linux. You give the real supporters a bad name.
  • by Anonymous Coward on Thursday October 31, 2002 @02:05PM (#4572368)
    ...bug fixes? Who can write software without bugs in them? Linus can't.
  • by phorm ( 591458 ) on Thursday October 31, 2002 @02:06PM (#4572369) Journal
    Any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated

    Which doesn't nearly go into counting all the fun software that finds inconsistencies, holes, and breaches in windows, not to mention finding their own. Often, it's the new software or hardware that breaks an OS.

    How about a fix to "DLL hell", where windows can obtain online a list of known DLL versions, and can be updated by software manufacturers as to which are compatible. From previously working in a software certification branch, I know that DLL and modular conflicts often cause a lot of the instability between apps or when installing new applications.
  • Service Pack (Score:5, Insightful)

    by Quill_28 ( 553921 ) on Thursday October 31, 2002 @02:07PM (#4572380) Journal
    Ok did the 3 Service Packs statement rub anyone else the wrong way? Or was it just me?
  • by mehip2001 ( 600856 ) on Thursday October 31, 2002 @02:08PM (#4572384)
    I don't get the cynical comments in the post.

    First we criticize MS when their security fails, now that their security is improving we still criticize their efforts. Grow up.

    Besides, a more secure Win2K should mean a better Net for everyone. If these boxes can stay locked down and free of trojans, in theory we should see a decrease in attack/hack attempts.

  • Re:3 Service packs (Score:5, Insightful)

    by garcia ( 6573 ) on Thursday October 31, 2002 @02:11PM (#4572407)
    Plus his statement that it has only taken 3 SPs? Who the hell cares how many it has taken? As long as it is getting closer to being secure. People run Windows. People who use Windows are less likely to know-how, or care-to-know-how to install patches for their OS.

    Be thankful that MS does SOMETHING to repair SOME holes.

    Stop w/the little jabs at the end of every fucking Microsoft related article, I really can't stand it.
  • Stupidity (Score:5, Insightful)

    by Czernobog ( 588687 ) on Thursday October 31, 2002 @02:14PM (#4572422) Journal
    Propaganda?
    I say bollocks.
    Win2k with SP3 got an ISO certification for achieving a certain level of security. This is where the news ends. This is also where the person who presented the article behaves as a Linux/OSS groupie, serving FUD.
    The MS OS got a certification, which to some means a lot, to others, nothing. But to actually go as far as calling the whole shebang as propaganda is outrageous.
    Correct me on this, but I don't remember Linux getting an ISO certification about anything.
    The way the whole affair was presented, reeks of OSS self-righteous geekiness, small-mindedness and fanaticism.
    You're A Debian user, right?

  • Huh? (Score:2, Insightful)

    by Anonymous Coward on Thursday October 31, 2002 @02:16PM (#4572434)
    Too bad it takes 3 Service Packs...

    But the 2.4 kernel has had 19 service packs. Three is hardly bad at all.
  • Re:3 Service packs (Score:5, Insightful)

    by iCharles ( 242580 ) on Thursday October 31, 2002 @02:17PM (#4572442) Homepage
    Quite common on this board. If a patch, service pack, or fix is put out for a Microsoft product, it is a sign of weakness. At best, it is said to come out on too slow a cycle, and it is "closed."


    As you note, if Linux releases a new patch, bug fix, etc, it is a triumph of the platform! See how they fix the problem? See how they respond?


    It is, at best, frustrating. It is also, IMHO, a bit hypocritical. There are tons of rationalizations (timing, the fact that it is closed, the fact there was the bug in the first place), but, at the end of the day, patching is part of any software product.

    Ultimately, I think that the "MS patch bad" propaganda lowers the overall credibility if it comes from the same source as "we produce fast patches, and you can even write the patches yourself!" Decide: either patches are bad, or they are good!

    (The relative merits of closed vs. open source can be debated at length--I personally don't feel that one method is inherently better than the other.)

  • EULA (Score:2, Insightful)

    by triptolemeus ( 538604 ) on Thursday October 31, 2002 @02:17PM (#4572443)
    Might be a bit redundant, but I'm wondering how can a system be secure when MS actually has the right to access your box when you install the latest servicepack?

    Sounds a bit hard to me. Besides, we all know Microsoft has its campaign for 'secure Windows'. It doesn't strike me as a surprise that as part of this program they come up with a certificate.

    I'm not trying to state here that this is all a bad thing, it is good that they finally are focussing on security, but I have some real big question marks on this certificate.

    And to the obvious posters stating Linux doesn't have this: Linux cannot buy such a certificate, but not having it, doesn't mean you don't deserve it.
  • by FortKnox ( 169099 ) on Thursday October 31, 2002 @02:20PM (#4572480) Homepage Journal
    Ok, lemmie nitpick you, now.

    Microsoft software is sold, partly, on the basis that it is secure

    Linux and *BSD are used, mostly, on the basis that it is secure.
    Lemmie ask you? Have you ever released software and it break on something afterward? Mr. Torvalds hasn't. Something as complex as an OS is bound to have an error that is found after release. Especially security errors that people try hacking into every day.

    Part of their reason for selling it at such high prices is the security supposedly offered.

    And they release those patches for free. They even made it so that it will download the patches when they are available automatically, and just prompt you to install them. No need to even KNOW about windowsupdate.microsoft.com.

    Now, we've got a "user friendly way" of keeping something more secure than understanding apt-get and knowing when to do it, vs money.

    Now, am I such a scary person that you have to reply anonymously to me?
  • by dead sun ( 104217 ) <aranachNO@SPAMgmail.com> on Thursday October 31, 2002 @02:21PM (#4572487) Homepage Journal
    I've taken notice to a lot of flamebait article write-ups recently. Even if it took time, I'd say it is a good thing that Win2k has a certification.

    This kind of whining is getting downright silly. First a loud group whines about Windows and its applications being insecure, the source of tons of problems, and that MS should get better security. Since Windows is widely accepted and used by many businesses you'd think these people would be happy that there's a certified Windows that should keep your data safe.

    Instead we get more whiners saying that it's a shame it took 3 Service Packs to do and that a security certificate is merely propaganda. No pleasing some people I suppose.

    Really, instead of criticism, why don't we be happy that it's getting harder to get at everybody's files? I love linux as much as the next person here, but come on, we as a community need to drop the double standards and be a little more mature in our criticism. And when a step is taken in the right direction, well, give credit where it's due.

  • common criteria (Score:3, Insightful)

    by matman ( 71405 ) on Thursday October 31, 2002 @02:22PM (#4572492)
    Common criteria does not mean secure. There are multiple levels of the common criteria that mean different things. It doesn't appear that the article states the level achieved.

    Common criteria is quite complicated - to understand what common criteria really means, you'll need to read some things that are NOT posted at Microsoft. This may mean that they basically implement what they have documented, or that they implement a specific feature set.
  • "Propaganda" (Score:5, Insightful)

    by Otter ( 3800 ) on Thursday October 31, 2002 @02:22PM (#4572495) Journal
    Read more of the propaganda here.

    In the last year or so, it's become fashionable to use the word "propaganda" to describe anything one reads or hears that makes one uncomfortable. The word was already so subjective as to lack value, but it's now hit complete worthlessness.

    If there's something untrue or illogical with the Microsoft page, say so. Throwing in an unsupported "propaganda" is just chickenshit. Unless you figured there was a certain amount of negative spin that had to be added to a Microsoft success story to get it posted, which is a forgivable gaming of the system.

  • Slanderdot? (Score:2, Insightful)

    by jmulvey ( 233344 ) on Thursday October 31, 2002 @02:27PM (#4572535)
    Along with the physical space change, maybe slashdot should move its domain name space... to "slanderdot.com", or "org" (ha, yeah right VA Software Corporation is a not-for-profit).

    For the longest time everyone here has been criticizing Microsoft because they have poor security. So they start fixing it. They release patches. Then everyone criticizes the fact that they release all these patches. They are only being responsive to your criticism. Now an objective panel gives them a reward for their efforts, and everyone here is angry!

    You know, I really thought everyone here genuinely wanted Microsoft to improve security. I thought we all were in it for the benefit of all. I thought that was what the Linux community was all about. But clearly the intent here is more religion than technical. Either you are part of my religion, or you are to be destroyed. How's that better than your perceptions of how Microsoft acts?

    You know, maybe the .ORG domain name really is more appropriate, since it's a religion and all.

    So who is working on certifying Linux? Is anyone going to actually try to improve the net, or are we going to just keep pulling Microsoft down?

  • Re:3 Service packs (Score:5, Insightful)

    by GauteL ( 29207 ) on Thursday October 31, 2002 @02:33PM (#4572588)
    Please... almost all distributions have a sane way of doing security upgrades.. at least the common ones. I'm not talking about Linux From Scratch here.

    I still hate that snide comment about the three service packs though. It's just childish and moronic.
  • Re:3 Service packs (Score:5, Insightful)

    by EvilOpie ( 534946 ) on Thursday October 31, 2002 @02:38PM (#4572629) Homepage
    I think that service packs are a mixed blessing.

    Personally... I think that both windows and Linux should have some sort of hotfix/patch scheme, AND a service pack scheme. After all... if a problem comes out with a piece of software be it a security hole, or a bug, or whatever.... system admins should be allowed to patch their systems right away without having to wait for a service pack. This goes for both windows and Linux systems. I like being able to keep up to date on patches and similar... but I also know that there are people out there who are less technical than the average geek. And while they aren't informed enough to install every patch, they have enough know how to install a single service pack. Which is in reality, better than nothing.

    But seriously, I wouldn't put down patches and hotfixes because they ARE good for people who keep their system up to date. They ARE a necessity for quick fixes of small (relatively speaking) problems. But I do agree that we could use service packs as a catch-all for people who don't know exactly how to apply all the patches, or even where to look when they do come out.
  • by tshak ( 173364 ) on Thursday October 31, 2002 @02:39PM (#4572636) Homepage
    Too bad it takes 3 Service Packs...

    Name any OS that hasn't gone through hundreds of patches before it's reached certain levels of security, stability, or predictability. Quite frankly, if /. wants to maintain any level of credibility as a technology site (not a blind MS-bashing site) then it shouldn't post comments like this.
  • by rnd() ( 118781 ) on Thursday October 31, 2002 @02:43PM (#4572676) Homepage
    The parent isn't a troll. While not all of the /. editors do this, many do. I think they do it because it is kindling for the flame war that they hope to start. This immaturity keeps slashdot entertaining in the same way that MTV's popular reality series "The Real World" is entertaining: It's a pseudo-adult world where the rules of kindergarten are still alive and well.

    Slashdot is a never-never land where there is a ubiquitous source of evil (Microsoft) and a benevolent force that is accepting of all (GNU/Linux).

  • Try again (Score:2, Insightful)

    by TheCabal ( 215908 ) on Thursday October 31, 2002 @02:45PM (#4572684) Journal
    First of all, CC certification was achieved with Service Pack 3 plus Hotfix Q326886, not just SP3. The author's statement is incorrect.

    Second, Common Criteria isn't a panacea or a magical certificate saying that Win2k is uber-secure. It is an assurance that it meets a specific level of security and reliability on failure (ie, will STOP instead of going into an insecure mode on a kernel exception).

    Its predecessor was called Orange Book, which WinNT scored a C2 rating. That's about as good as you are going to get with an "off the shelf" operating system. A Level 3 really doesn't mean it's better than other OSs, just certified that it will operate in a predictable and reliable fashion, has DACLs and user-based security, etc... Big whoop.

    Why Service Pack 3? Gee, it takes a bit of time for certification. IIRC, NT took 2 years to get C2 certified. Remember, this is the government.

    By the way, I don't see Linux listed anywhere on the CC list. Check your pots, I think they're talking to your kettles.

    Finally, I take exception to the author's use of "propaganda". Is it becoming the thing to call anything propaganda that paints Microsoft as something other than the Evil Empire?
  • Re:No wonder (Score:5, Insightful)

    by User 956 ( 568564 ) on Thursday October 31, 2002 @02:46PM (#4572692) Homepage
    The Common Criteria certification is an internationally recognized ISO standard established for evaluating the security of infrastructure technology products. Too bad it takes 3 Service Packs...

    Too bad Linux isn't certified at all.
  • Re:3 Service packs (Score:2, Insightful)

    by JWhitlock ( 201845 ) <John-Whitlock@noSPaM.ieee.org> on Thursday October 31, 2002 @02:46PM (#4572696)
    Stop w/the little jabs at the end of every fucking Microsoft related article, I really can't stand it.

    I agree - the post would have been just fine without that misguided last sentence. It's the editor's job to take that stuff out. Who was the editor on that last one?

    ...

    Never mind, it was Timothy. There's a 50/50 chance he added the comment and forgot to add the </I> after the submission.

  • SAIC Press Release (Score:3, Insightful)

    by N8F8 ( 4562 ) on Thursday October 31, 2002 @03:01PM (#4572832)
    From SAIC News [saic.com]

    FOR IMMEDIATE RELEASE
    October 29, 2002

    SAIC Awarded Common Criteria Certificate for Microsoft Windows 2000 Operating System Evaluation

    (MCLEAN, VA) Science Applications International Corporation (SAIC) today announced that it has received a National Information Assurance Partnership (NIAP) Common Criteria certificate for successfully performing the evaluation of the Microsoft Windows 2000 operating system. SAIC's Common Criteria Testing Laboratory (CCTL) performed the evaluation and received the certificate at the Federal Information Assurance Conference (FIAC) 2002 in College Park, Md.

    "SAIC is proud to have contributed to this Common Criteria milestone event and congratulates Microsoft for attaining this significant achievement in computer security," said Duane Andrews, SAIC corporate executive vice president.

    The Windows 2000 operating system evaluation was conducted in accordance with ISO 15048 Common Criteria Evaluation Assurance Level (EAL) Level 4 Augmented requirements and was evaluated against the Common Criteria Controlled Access Protection Profile, which is consistent with the commercial-level information security requirements for the Department of Defense (DoD). An EAL4 is the highest evaluation rating that a commercial CCTL can perform and Windows 2000 is the first operating system to achieve an EAL4 rating under the United States Common Criteria Evaluation and Validation Scheme (CCEVS).

    "The SAIC CCTL took on a complex challenge, and we were successful in completing the evaluation of the Windows 2000 operation system," said Tammy Compton, co-director of the SAIC CCTL, and the leader of the evaluation team. "The common criteria evaluation methodologies we used were applied to Windows 2000 without using evidence from any previous evaluations. This led to the completion of one of the more challenging projects we have conducted, and we are confident of more successful evaluations in the near future."

    "We have embraced the Common Criteria evaluation process from its inception, because we saw the high quality bar for security we could provide to customers," said Bill Veghte, corporate vice president, Windows Server Group, Microsoft Corp. "With CC certification and the support resources we are releasing today, customers now have an internationally-recognized template for Windows 2000 that enables them to build an IT system for secure computing beyond that of any other commercially-available platform today."

    Located in Columbia, Md., the SAIC CCTL is a division of SAIC's Secure Business Solutions and was accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) in August 2000. SAIC CCTL was one of the first commercial laboratories to be listed in the NIAP's CCEVS. SAIC's Secure Business Solutions provides security solutions for networks and business systems. Its 500 engineers can assess, test, design, certify, deploy, and manage solutions for information and physical security, and train organizations to be a core part of overall security solutions.

  • The certification is just documenting that your security model. The fact that Microsoft can demonstrate the following features:
    • Audit
    • Cryptographic Support
    • Communications
    • User Data Protection
    • Identification and Authentication
    • Security Management
    • Privacy
    • Protection of the TOE Security Functions
    • Resource Utilisation
    • TOE Access
    • Trusted Path/Channels
    Is all that's required for the certification. Does the OS have the right features with a configuration policy that sets those features properly.
    It's sad that it's miles away from the default install, and most sysadmins won't take the effort to implement them.
    Also, buffer overflows aren't part of the certification. Although, I would make a strong claim that a buffer overflow in a process running as System violates Protection of the TOE Security Functions
  • by Arandir ( 19206 ) on Thursday October 31, 2002 @03:17PM (#4572986) Homepage Journal
    All software needs to be patched. It's a given.

    But with Open Source, the patches get applied to a product with a quick release turnover. I can go buy Redhat, Mandrake, SuSE, FreeBSD, etc, *NOW* and have a current system. Or I can choose to buy a three year old system knowing that I need three service packs just to get it up to par.

    Releases every six to nine months are better than releases every three years. In addition, I can get patches for Open Source Software the day they are created, instead of several months down the road when Microsoft decides to issue the next service pack.
  • by Cuthalion ( 65550 ) on Thursday October 31, 2002 @03:18PM (#4572988) Homepage
    The funny thing about that is that you seem to think that if they stole some personal or business (ie, private) data from your computer, and you tried to sue them, this EULA would make a whit of difference. It wouldn't.
  • But it isn't (Score:3, Insightful)

    by burgburgburg ( 574866 ) <splisken06NO@SPAMemail.com> on Thursday October 31, 2002 @03:24PM (#4573047)
    why don't we be happy that it's getting harder to get at everybody's files?

    If that were the case, maybe we'd be happy. But because the EULA of SP3 requires you to open your entire system to Microsoft for them to do with it as they will, at their discretion, I think most people would hesitate to describe that as making it harder to get at everybody's files.

    As for the Certification, since it in no way provides any guarantees about the usefulness/applicability of the security components present, it will give users a false and misleading sense of their security.

  • Re:3 Service packs (Score:3, Insightful)

    by N3WBI3 ( 595976 ) on Thursday October 31, 2002 @03:32PM (#4573126) Homepage
    Because I have yet to get a patch that changed my eula..
  • by Greedo ( 304385 ) on Thursday October 31, 2002 @03:43PM (#4573221) Homepage Journal
    Do you honestly think that MS would access data on your computer?

    Do you honestly want to give them that option?

    And if it is just for Windows Update, why don't they reword the EULA then?
  • Legality of EULA (Score:2, Insightful)

    by Corporate Troll ( 537873 ) on Thursday October 31, 2002 @03:49PM (#4573278) Homepage Journal
    Well, I still have SP2 on my W2K machines *because* of the EULA. The problem with the EULA is that you do not *know* if it is legal or not. Nobody ever has upheld a EULA in court, and until there is a precedent (means, a judge has decided on the legality of a EULA) the EULA is just a very gray area in juridical terms. That is why they are dangerous and should be read very very carefully.
    It is enough that a company gets sued over a reasonable EULA (if there is such a thing), and a judge deems that EULA legal, in order to make all EULA's legal. That would open a whole can of worms...
    I'm pretty sure EULA's are not legal in Europe, but I am not sure at all.
  • by WasteOfAmmo ( 526018 ) on Thursday October 31, 2002 @03:49PM (#4573282) Journal
    Too bad Linux isn't certified at all.

    Thank you for saying this. No, this is not flamebait nor it is an attempt to bash Linux/MS/OS_whatever. I was quite disgusted by the fact that the editor felt it necessary to throw in that cheap quibble on the front page of the story.

    No I am not a MS/Linux/OSX/CowboyNeilOS crusader. It would not have mattered which OS the story was referring to. The comment was cheap and unnecessary, and in my mind it degraded the apparent level of professionalism of the /. editors. If I had wanted mud slinging news I would have checked out the local political race, or any one of the national tabloids. It would also be different if /. put a satirical flavor on every headline then the "Too bad it takes 3 Service Packs..." sort of comment would have been humorous. Instead I find it tiring and all too common.

    MS Should be given some credit for the efforts of achieving the level of standards necessary to acquire any type of internationally recognized certification. This goes for any other development team/group achieving similar goals.

    /.'s role should be to report the news in a non-biased way while the /.'s readers' role is to review, evaluate, and comment on the story thereby giving other readers some insight, food for thought, background information, and/or research needed for them to make informed decisions. If the /. editors feel it necessary to throw in such comments then they should keep them off the headlines and post their feelings like the rest of us do.... in the comments.

    damnedIfIknowHowToUseAn'Or,Merlin.
  • Re:3 Service packs (Score:2, Insightful)

    by rsax ( 603351 ) on Thursday October 31, 2002 @03:55PM (#4573330)
    Be thankful that MS does SOMETHING to repair SOME holes.

    Now I have to be thankful to a software company to provide me with security fixes for a product that I'm forking out big $$ for? I guess it's kinda silly of me, I always thought it was said company's obligation to its customers to make sure they're informed and protected. Especially in Microsoft's case considering organizations like the DoD and banks will be using their products.

  • by SourKAT ( 589785 ) on Thursday October 31, 2002 @04:00PM (#4573396)

    I know this may sound self-defeating, but people should stop complaining about the commentaries placed by the article's submitter.

    It's been too often that readers quip "*cough* Zealot *cough*", or "wish you were a little unbiased" ....

    Well people, you should understand that commentaries are ... well, commentaries. Since when are commentaries supposed to be unbiased??? They are exactly supposed to be subjective, for God's sake. So what if he's a zealot. That's his opinion. Read the article itself, and don't complain that the submitter's views are not the same as yours.

  • by Lumpy ( 12016 ) on Thursday October 31, 2002 @04:14PM (#4573569) Homepage
    I would also agree, but I doubt that RedHat can afford the nearly 1/2 of a million dollars for the certification. and secondly redhat needs to build an install function in setup to make such a system currently there is WAY too much included with redhat to actually have a chance in passing... Microsoft certified W2K with Sp3 that's it... NOTHING ELSE INSTALLED. redhat comes with 95,354,323,121.5 other programs which is great for you and me but very very VERY bad for any type of secure certification..

    It can be done, but why waste the large sum of money just to satisfy a very tiny segment of the populace and also risk getting sued when you don't own over 1/2 the lawyers in the western hemisphere if that certified setup gets hacked.

    microsoft can get whatever claims they present certified... and they really can't get sued as they have a goon squad that can even take down the US government (as they demonstrated already) little ol' redhat.... can't.
  • by jbrownc1 ( 589652 ) on Thursday October 31, 2002 @04:33PM (#4573736)
    Interesting thing is, /. was never set up to be a definitive news source, from what I understand. It was (and still is) a few guys throwing stuff that interests them up on the web. By spending a lot of time on the site, you're in essence buying in to their [sometimes twisted] take on things. If you want a different flavor of propaganda, you either go somewhere else or create your own.

    The FACT is, that it has taken 3 service packs and a huge amount of public thrashing to get the OS to the point that it can be certified.

    As to whether the certification means anything, that's up to each of us to decide for ourselves. My Win 2000 will remain firewalled off from the rest of my network, while I use what I feel to be more secure OS's to get the job done.
  • by Yohimbe ( 17439 ) on Thursday October 31, 2002 @05:01PM (#4573983) Homepage
    > Microsoft took a long time to become serious about
    > security. I do not see the open source community
    >as being anything other than complacent. Too often
    >the open source elitist response is security by
    >assertion rather than resting on any actual facts.

    Um, as a systems professional, one of the reasons why I use GNU and Linux software is that they have years of public scrutiny. The CERT reports show long lists of linux vulnerabilities, partly because of reporting the same bug in $randomfreesoftware in every distro known to man.
    There are other advantages. Like being able to fix something that the closed source types have not acknowledged.

    As far as complacency goes, most free software coders I know personally are deathly afraid of releasing insecure and/or buggy software because of the damage it does to their reputation. This seems to cause the many sub version releases.

    That being said, yes, there have been a few eggs on a few faces. But the quality of the years old BSD and GNU utilities is quite good. Part of the "unix philosophy" dictates tools that do one thing and one thing only. It's easier to audit such a tool. That's sort of the source of the "complacency". Lots of these pieces are too small to have significant holes. Bigger pieces are harder to audit.

    There is no way I can believe that 6 month old code from MS with no public scrutiny has a better chance of being secure than 15 year old public code.
  • 1 service pack (Score:3, Insightful)

    by Nailer ( 69468 ) on Thursday October 31, 2002 @05:07PM (#4574044)
    And too bad it only takes 1 service pack: they're cumulative in nature. Install Win2k, and if your install media wasn't updated to SP3 already, apply SP3 yourself.
  • by titoj ( 614455 ) on Thursday October 31, 2002 @05:33PM (#4574232)
    I have two Linux boxes and one Windows box, and I happen to see the virtues of both - which is why I find so many of the comments here troubling. First of all, to imply that Microsoft bought this certification is childish at best. Secondly, in the original post, it says "too bad it takes three service packs." Are you telling me you haven't updated your Linux box three times because of vulnerabilities? Linux systems can be insecure too, and to fix them, you need updates. Plain and simple. Don't be stupid.
  • by Oliver Defacszio ( 550941 ) on Thursday October 31, 2002 @06:52PM (#4574827)
    The problem is that it's so one sided. If someone were to submit a pro-Microsoft article that included some little stab at Linux, there is no way it would be met with any less than 50,000 screaming Linux zealots (that is, in the unlikely event that it ever made front page on Slashdot).

    I am well aware that Slashdot is a Linux-biased web site and that such hypocrisy probably isn't unexpected or even unjustified as a result, but it's the zealots who pretend they aren't zealots who make it so satisfying to point out the contradictions. It's like an orthodox Catholic calling someone else hypocritical.

    I, personally, don't like zealots of any kind who ignore reality in the eternal quest to show everyone else how right (and clever) they are at all times, despite the fact that it's often completely undeserved. Pointing those things out is, frankly, fun and is probably why so many of us "MS-trolls" (in reality, just people who aren't solidly on board the S.S. Linuxfanboy) stick around this place.
