Windows 2000 Gets Common Criteria Certification

Qnal writes "e-Week is reporting that Microsoft Windows 2000 has been awarded Common Criteria Certification. Read more of the propaganda here. Basically, according to the article, any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated. The Common Criteria certification is an internationally recognized ISO standard established for evaluating the security of infrastructure technology products. Too bad it takes 3 Service Packs..."

  • by I_am_Rambi ( 536614 ) on Thursday October 31, 2002 @02:00PM (#4572343) Homepage
    Watch out for the EULA on service pack 3, it's a killer.
  • by Telastyn ( 206146 ) on Thursday October 31, 2002 @02:02PM (#4572352)
    Hopefully the amount of hoops common criteria makes you jump through will be enough to 'persuade' microsoft into just keeping win2k around instead of EOLing it.
  • by MtViewGuy ( 197597 ) on Thursday October 31, 2002 @02:14PM (#4572421)
    What Linux really needs is the equivalent of Windows Update so you can get a full listing of what needs to be updated.

    With the rollout of UnitedLinux due anytime now, I hope they implement something akin to Windows Update so we don't waste valuable time chasing down manually every important software update to your Linux installation.
  • by Jim Norton ( 453484 ) on Thursday October 31, 2002 @02:15PM (#4572429)
    Just out of curiosity, but ... how does IIS run on Solaris?
  • Re:3 Service packs (Score:4, Interesting)

    by RagManX ( 258563 ) <ragmanx@@@gamerdemos...com> on Thursday October 31, 2002 @02:19PM (#4572468) Homepage Journal
    emerge rsync
    emerge -u world
    Or, if that doesn't cover everything well enough:
    emerge rsync
    emerge -u --deep world
    And I'm all up to date. Might occasionally have to rebuild the kernel, but other than that, emerge handles all my updates, and much more easily than M$ auto-crash installer. I love Gentoo.

    RagManX
  • What the CC means (Score:5, Interesting)

    by PotatoMan ( 130809 ) on Thursday October 31, 2002 @02:35PM (#4572601)
    OK. Enough with the childish flames. MS got a security rating. Good for them. Now, what does it mean?


    Read the description on the CC web site, and you'll see that the evaluation was for the development process, and that only part of the implementation was tested at all. (I wonder which part?)


    All of which, while interesting to some, is in the 'so what' category. Security is not a cert, or a product. Security is what you do.


    For example, Windows NT 3.5 was certified to the NIST 'C2' level (basically, C2 means you have separated the users and require a login). But there was no problem building a 'B2' level (mandatory access control) system with NT3.5; you just had to add some software and hardware to plug the holes.


    So these certs are of no use except to PR flaks. And trolls.

  • Re:3 Service packs (Score:2, Interesting)

    by CableModemSniper ( 556285 ) <.moc.liamg. .ta. .odlapacnagol.> on Thursday October 31, 2002 @02:43PM (#4572671) Homepage Journal
    I don't know about you, but I had to explicitly set up and install the windows update notification gizmo to automatically d/l the patches. Same difference as making a cron job, if a little prettier.
  • by hwyguy2 ( 174368 ) <cahwyguy AT cahighways DOT org> on Thursday October 31, 2002 @02:47PM (#4572707)
    Does Linux try for this certification? If so, how did they do? Is anything being done to ensure this? Does it matter?

    First and foremost, yes, it does matter. New government directives require the DoD, as well as other government agencies, to use common criteria products if they are available. Thus, if Linux doesn't have a CC evaluation, Win2K or Solaris will be used instead (or Irix, or Apple (in evaluation, check out niap.nist.gov), or any of the other unixes).

    The problem is: one has to pay for evaluation. Will any of the Linux shops do this? I don't know. I sure hope so.

    Daniel
  • by RedLeg ( 22564 ) on Thursday October 31, 2002 @02:53PM (#4572754) Journal
    Does anyone remember when Windows NT achieved C2 certification? It was:
    • An older version (3.5 or 3.51)
    • Without removable media (floppy or CDROM)
    • Without a network connection
    • Bound to the specific PC it was tested on
    • Of no real use to real users


    This certification isn't much different, in that it has no real meaning or value to end users. All it does is allow M$ to sell into markets, primarily government, where CC certification is a requirement.


    If a vulnerability is discovered in this certified version, there is nothing which forces M$ to make a correction. Further, if M$ issues Patches, HotFixes, Service Packs or whatever subsequent to this evaluation, they will NOT be certified, or even examined.


    Marcus Ranum (father of the Internet Firewall, speaking on CC evaluation of Firewalls) said it best:

    I once thought about trying to get a 10baseT hub ITSEC evaluated
    as a firewall (albeit a very permissive one) but the mountains of
    paperwork and the huge amount of time and money necessary are daunting.

    I'm sure that many on this list will be shocked to hear me say this, but the ICSA
    firewall product certification is orders of magnitude more valuable to real
    customers than ITSEC evaluation.
    Marcus' Full Quote [nfr.com]
  • by dboyles ( 65512 ) on Thursday October 31, 2002 @03:09PM (#4572902) Homepage
    Watch out for the EULA on service pack 3, it's a killer.

    I see this as the main problem with closed-source software. I work at a university, and all of the professors in the department in which I work run Windows (95% are 2000 Professional). Security is a very big issue, because universities are often targeted by crackers because of our resources (bandwidth and hardware). Keeping computers secure is a difficult job when you're relying on a single vendor to (1) acknowledge security vulnerabilities and (2) provide patches for those vulnerabilities. If Microsoft doesn't want to acknowledge a flaw for fear of having egg on its proverbial face, we're SOL.

    So when they do issue patches/service packs, we're usually quick to apply them. But in the case of SP3, in order to secure our computers, we also have to accept an overly-broad EULA. A grad student geek and I were talking about this today while I was installing SP3 on a computer that had not yet had the patch applied.

    So do you give up control of your machines to Microsoft or to crackers? Right now we've chosen Microsoft, and I'm not completely convinced that the other alternative wouldn't be better.
  • Re:3 Service packs (Score:3, Interesting)

    by dboyles ( 65512 ) on Thursday October 31, 2002 @03:16PM (#4572971) Homepage
    I don't know any rational person who thinks that a patch is "bad." The problem with patches from Microsoft is that there are essentially four steps to them materializing:

    1. A vulnerability is discovered in Microsoft software
    2. Microsoft acknowledges the vulnerability
    3. Microsoft issues a patch
    4. Administrators apply the patch based on Microsoft's terms

    Ask yourself, who's in control of that entire process? Is it one entity? An entity that has an interest in profit and corporate image? Do you think those two things come before "what's best for the computing world?"

    Ideally, OSS eliminates the problems with this process. Anybody can discover a vulnerability, make it public, and issue a patch. Likewise, anybody can apply that patch in any way they see fit.
