Windows 2000 Gets Common Criteria Certification 533
Qnal writes "e-Week is reporting that Microsoft Windows 2000 has been awarded Common Criteria Certification. Read more of the propaganda here. Basically, according to the article, any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated. The Common Criteria certification is an internationally recognized ISO standard established for evaluating the security of infrastructure technology products. Too bad it takes 3 Service Packs..."
If you want to update (Score:3, Interesting)
Does this mean it won't be discontinued? (Score:3, Interesting)
UnitedLinux should implement this! (Score:3, Interesting)
With the rollout of UnitedLinux due anytime now, I hope they implement something akin to Windows Update so we don't waste valuable time chasing down manually every important software update to your Linux installation.
Re:Of course SAIC would say that... (Score:3, Interesting)
Re:3 Service packs (Score:4, Interesting)
RagManX
What the CC means (Score:5, Interesting)
Read the description on the CC web site, and you'll see that the evaluation was for the development process, and that only part of the implementation was tested at all. (I wonder which part?)
All of which, while interesting to some, is in the 'so what' category. Security is not a cert, or a product. Security is what you do.
For example, Windows NT 3.5 was certified to the NIST 'C2' level (basically, C2 means you have separated the users and require a login). But there was no problem building a 'B2' level (mandatory access control) system with NT3.5; you just had to add some software and hardware to plug the holes.
So these certs are of no use except to PR flaks. And trolls.
Re:3 Service packs (Score:2, Interesting)
Re:Which propaganda is worse? (Score:2, Interesting)
First and foremost, yes, it does matter. New government directives require the DoD, as well as other government agencies, to use Common Criteria products if they are available. Thus, if Linux doesn't have a CC evaluation, Win2K or Solaris will be used instead (or Irix, or Apple (in evaluation, check out niap.nist.gov), or any of the other unixes).
The problem is: one has to pay for evaluation. Will any of the Linux shops do this? I don't know. I sure hope so.
Daniel
Remember the Last Time? (Score:2, Interesting)
This certification isn't much different, in that it has no real meaning or value to end users. All it does is allow M$ to sell into markets, primarily government, where CC certification is a requirement.
If a vulnerability is discovered in this certified version, there is nothing which forces M$ to make a correction. Further, if M$ issues Patches, HotFixes, Services Packs or whatever subsequent to this evaluation, they will NOT be certified, or even examined.
Marcus Ranum (father of the Internet Firewall, speaking on CC evaluation of Firewalls) said it best:
Re:If you want to update (Score:3, Interesting)
I see this as the main problem with closed-source software. I work at a university, and all of the professors in the department in which I work run Windows (95% are 2000 Professional). Security is a very big issue, because universities are often targeted by crackers because of our resources (bandwidth and hardware). Keeping computers secure is a difficult job when you're relying on a single vendor to (1) acknowledge security vulnerabilities and (2) provide patches for those vulnerabilities. If Microsoft doesn't want to acknowledge a flaw for fear of having egg on its proverbial face, we're SOL.
So when they do issue patches/service packs, we're usually quick to apply them. But in the case of SP3, in order to secure our computers, we also have to accept an overly-broad EULA. A grad student geek and I were talking about this today while I was installing SP3 on a computer that had not yet had the patch applied.
So do you give up control of your machines to Microsoft or to crackers? Right now we've chosen Microsoft, and I'm not completely convinced that the other alternative wouldn't be better.
Re:3 Service packs (Score:3, Interesting)
1. A vulnerability is discovered in Microsoft software
2. Microsoft acknowledges the vulnerability
3. Microsoft issues a patch
4. Administrators apply the patch based on Microsoft's terms
Ask yourself, who's in control of that entire process? Is it one entity? An entity that has an interest in profit and corporate image? Do you think those two things come before "what's best for the computing world?"
Ideally, OSS eliminates the problems with this process. Anybody can discover a vulnerability, make it public, and issue a patch. Likewise, anybody can apply that patch in any way they see fit.