IBM Clinches Security Certification for Linux
Nimey writes "IBM has gotten Linux certified under the Common Criteria specification." What this means is that government can consider Linux when making purchasing decisions. Linux got the highest rating possible.
Thank you IBM (Score:1, Insightful)
Can vs. Will (Score:1, Insightful)
Kernel or distro? (Score:4, Insightful)
Re:Can vs. Will (Score:5, Insightful)
Re:Alright...? (Score:2, Insightful)
Re:Big win for Linux! (Score:4, Insightful)
Re:Can vs. Will (Score:5, Insightful)
Members of government are also accountable to their constituents. As people become more and more aware of Linux, they will also become more aware of the security problems with Windows. A few years ago, there was no basis for comparison. Now there is, and the more information that gets out there, the better. It's cliché now to say this, but the days are numbered for the stranglehold Microsoft holds, one way or the other.
Re:What about BSD? (Score:2, Insightful)
What I'm trying to figure out is, "What's important? The kernel or the glibc?"
Apps written to glibc will run on GNU/HURD, Linux, Lava, and other kernels, too. Technically, that's a better story. But business wise, the brand in people's mind is "Linux".
Re:Just wondering.. (Score:3, Insightful)
Re:Can vs. Will (Score:2, Insightful)
When you've got them by the balls, you don't need to hold all that firmly.
Re:Can vs. Will (Score:5, Insightful)
The fact is that developers can now start recommending Linux. Anti-Linux / Pro-Windows people can no longer use the excuse that Linux isn't an "approved" OS.
Surprisingly, it can be hard to convince most people in government positions, civil service, military, contractors, etc., that _we_ don't want to pay for Windows licenses, and _we_ don't always need to spend waaayyyy too much money on waaayyyy too much hardware.
This is great news for people that work for the government. Kudos to IBM for footing the bill on this, as it is an expensive process.
Re:What about BSD? (Score:2, Insightful)
[wawannem@weswlinux]:/home/wawannem
$ apt-cache dump | wc -l
100543
I think this is what really makes the case for linux. It is sort of a Catch-22, there is more software available for linux, so more software is created for linux.
The obligatory flamebait defending the facts (Score:4, Insightful)
Now as Windows advocates were forced to admit, a security rating is about as useful(/useless) as a TPC-C benchmark. It's a test under controlled circumstances and the real world is never this controlled - but it does compare apples to apples. No serious advocate of either would blindly consider the other to be utterly secure or unsecure; but I think the /. editors have jumped the gun both factually (it's not the highest rating possible, it's the lowest rating possible) and enthusiastically. I mean, would this story have made it if the headline read "Linux finally achieves a security rating lower than Windows 2000"?
Windows XP and 2003 are currently under testing but it takes time so please don't reveal your ignorance by announcing that Linux must be more secure than either of those since they haven't been certified yet. XP is every bit as secure and more than Windows 2000 and 2003 is far more secure than any other Windows release. That they'll be certified is not a question but just a matter of time.
Flame away - the karma rating here is meaningless as it's nearly effortless to get "Excellent" and maintain it.
Re:Playing D.A. here.... (Score:3, Insightful)
That isn't accountability. It's accounting. A real man admits he was wrong, and works to fix it. A coward insists the world is at fault, and ducks the problem entirely.
This world was not built by cowards. Though they have done their share of destroying great empires, both political, intellectual, and capital.
SuSE, not Linux (Score:5, Insightful)
Excuse the pedantry, but doesn't this mean SuSE running on IBM boxes got certified, not Linux per se?
Journalism? (Score:4, Insightful)
WTF does Linux's mascot have to do with being under testing for better ratings? Is the reporter trying to convey the impression that Linux isn't serious business since it has a cute mascot instead of a corporate logo?
Wrong place in the article to put that bit.
CC is just not that simple. (Score:4, Insightful)
2) When you put a product into CC you define a protection profile, the weight and value of the evaluation is based upon the complexity of that profile. It would be useful to see the profile for this eval. It is possible (in theory at least) to get a product through CC by defining a profile that outlines what happens when you click on the "Red Hat". The more you exclude the more quickly you get through the process, but conversely the less interesting the evaluation is to government.
3) For those of you that feel this steals a march over WinXP, be aware that WinXP is in evaluation and the protection profiles that it is being evaluated under are public. Microsoft are doing a far more extensive job with XP than IBM did with Linux. When a Government procurement organisation comes to buy product, even for systems classified as SECRET, the fact that a product is in evaluation is generally enough, this is certainly true outside of the US.
Don't get me wrong, this is a great start and will certainly spread a lot of marketing fud but it does not mean a great deal to the government community. If anything it will raise a series of questions about why Microsoft's so called 'insecure' product can achieve EAL4 when the Open Source Linux offering can only scratch through EAL2.
Tread carefully.
Re:Just wondering.. (Score:5, Insightful)
Isn't it odd that a "comprehensive security rating" can overlook something as serious as a complete remote compromise?
Re:Big win for Linux! (Score:5, Insightful)
Linux DOES have an advantage. I can always get support for an old version of a distro. (Worst case, I AM the support.) Now here we are in 2003. It takes M$ 2 years to get Windows certified. They stop shipping the product after 3 years, and pull the plug after 5. That means you have, tops, 3 useful years of a M$ product in a sensitive environment. Less when you consider implementation time.
People gripe about how the space shuttle runs on old equipment, but you have to remember, there are plenty of installations that require computing hardware to be embedded for decades. Think factory equipment, weapon systems, utilities, traffic lights, aircraft.
When engineering those systems you use the most stable installation you can find, strip it down to just what you need, and run it until you can't buy parts for it anymore.
Now how do you do that within a 5 year Window again?
Smell those contracts (Score:5, Insightful)
Re:Are there any secure Os's out there? (Score:5, Insightful)
Linux was tested for "low and moderate" security and passed. It was not tested for anything higher so we don't know if it would have failed those.
The tests cost lots of money and time, so you start at the bottom and work your way up. It is like, say, a soccer team passing the semi-finals: you don't then say, oh that means they missed the finals? No, that is yet to come.
Re:Wrong. Wrong wrong wrong... (Score:3, Insightful)
FUD = Fear, Uncertainty, and Doubt
Overexaggeration is not FUD. It may be inaccurate or perhaps just plain wrong, but it is not FUD.
Re:Over-hype - not highest rating possible (Score:3, Insightful)
The EAL2+ assurance level achieved is NOT the highest rating possible by a long, long shot - it's actually close to the lowest
Yep. I wonder if the "highest possible" hyperbole didn't come out of some (clueful) statement about how this may be the highest common criteria rating possible for a Linux system to a (clueless) reporter, who just fixated on the "highest possible" part.
Whichever, it may be true that Linux can't get higher CC ratings because of the nature of the development process. CC ratings beyond level 2 demand more and more tightly controlled and regimented design and development processes. At the highest level (EAL7), you basically have to apply formal proofs of correctness to a very thoroughly vetted design, as well as to perform extremely careful management of all of the design documentation and code so that you can be sure it's not tampered with.
It *might* be possible for Linux to get a level 3 rating, but it would be very, very expensive, since that would require analysis and documentation of much more of the system design (CC doesn't believe in "the code is the documentation"), so that the implementation can be methodically verified.
This doesn't mean that Linux can't be or isn't secure, it just means that its development process is incompatible with the assumptions underlying Common Criteria. Basically, CC assumes that security can only be achieved through very methodical, formal, controlled development processes, with intense security-focused scrutiny applied at each step. The OSS world believes there's another way, the "many eyes make all bugs shallow" approach.
The underlying assumptions of the two approaches are interesting to me. CC presumes that it's possible to close all of the security holes during design and development, ensuring that the resulting system is airtight. The OSS approach presumes that bugs happen, that security is an arms race between the white hats and the black hats, and that the way to win it is to make sure that you recruit as many white hats as possible and give them complete access.
In both cases, the software will inevitably contain exploitable security flaws. CC aims to make them rare and hard to find (particularly since the source will probably not be published), OSS aims to fix them faster than they can be exploited. The result is that EAL7 software probably contains a few hard-to-exploit but very long-lived defects, whereas OSS contains many more defects with much shorter lifespans.
The common criteria specifications were defined before the security benefits of open source were understood, and therefore don't consider them at all. I think that after a few more years of experience CC needs to be revisited and revised in light of this new information. The very highest security rating should probably only go to software that utilizes both approaches.
Re:In your face! (Score:3, Insightful)
At least, that's *my* humble opinion.
Re:In your face! (Score:4, Insightful)
Nobody ever got fired for buying IBM (Score:4, Insightful)
All this rating does is open the door a little. It's up to the marketing boys at IBM to bludgeon the pencil-pushers into submission.
Claiming some sort of "victory" for GNU/Linux as a whole is silly. This is another step in the right direction.
As GNU/Linux has become more utilized, it has attracted the attention of powerful (and some incompetent) enemies. Be careful what you wish for! GNU/Linux, by its nature, will never present a unified front to defend itself. By binding the interests of users to the interests of parties with power, we improve the chances that things will go our way.
Re:Just wondering.. (Score:5, Insightful)
These lower level security evaluations don't mean much [jhu.edu] in terms of real security out on the big scary internet; i.e. the situation most of us find our machines in all the time. (This has been discussed [slashdot.org] on slashdot before.) Basically, all that is necessary to get one is that you document *everything* and then throw a pile of money into having a government-approved independent organization evaluate your product and make sure that it does what the documentation says it does. If your product behaves as your documentation says it does, you get the certification.
It is worth noting that OpenBSD [openbsd.org], who have only had one remote hole in the default installation in seven years, have avoided these types of certifications for a long time. Look at Theo's [sigmasoft.com] comments [sigmasoft.com] on the C2 rating in the Orange Book (the predecessor of the Common Criteria).
This is the formal description of EAL4 in the official list of evaluation levels [commoncriteria.org]. Notice that the goal is to "retrofit" a product line with security, and only to the degree that doing so is "economically feasible". Compare that with Bruce Schneier's comment that "Security isn't easy, nor is it something that you can bolt onto a product after the fact." [counterpane.com] No one should be surprised that feature-rich, general purpose operating systems designed for quick and easy use (i.e. everything turned on by default) are vulnerable.
Re:Can vs. Will (Score:3, Insightful)
Dunno. I've met MCSEs that would never be able to navigate an Xterm, and Unix zealots that think Win2K is equivalent with W95.
Running a large Windows network properly does require knowledge and experience, and I'm not convinced that most *nix admins would be able to do the same without at least half a year of training (but a typical *nix admin would probably learn the Win fundamentals faster than the other way around).
Gads...an informed post on security and the CC (Score:2, Insightful)
EAL7 is the highest defined Common Criteria Evaluation Assurance Level. EAL2 is one of the lower ones and can be achieved by minimal documentation efforts. If one looks at the chart on page 54 of the Common Criteria Part 3 Security Assurance Requirements document, one sees that an EAL7 system would be analyzed in 25 areas where an EAL2 one would be analyzed in only 13. And even in the 13 areas that are common, there are requirements at the EAL7 level to do each thing much better that don't appear at the EAL2. What may seem like a minor wording difference between 2 requirements may take millions to achieve.
EAL2 does not require an exhaustive vulnerability analysis or penetration testing or a covert channel analysis as do those levels above EAL4.
I'm aware of only one OS aspiring to a greater than EAL5 level for a general purpose operating system, DigitalNet's STOP which is currently in evaluation, has been for 8 months and will be for several more months.
Acquiring that EAL5+ rating even for an operating system that previously received NSA's highest rating ever for a general purpose operating system takes several years and multiple million $, not the $500K quoted in another post.
The Govt procuring agency is responsible for assuring that the protection profile or security target that the OS was evaluated against is appropriate for the value of the data they are trying to protect and that the assurance level is also appropriate.
All an EAL2 does is allow the government to buy and to use Linux in the most insensitive areas. Surely three letter agencies would require much more than an EAL2.
For the original post to say "highest" is to say the writer misunderstood the significance of the IBM announcement.
Re:Over-hype - not highest rating possible (Score:3, Insightful)
Of course formal validation is valuable; sorry if I appeared to imply that it's not. The AC's question seemed to be saying that formal methods would eliminate vulnerabilities completely, which they will not.
It's also worth noting that the OSS patch-treadmill approach is completely inapplicable in some environments -- those where patches aren't feasible. I work on smart card systems for a living, and that's the situation for smart card operating system code. You can only patch it by replacing the cards, and that is often cost-prohibitive. In those environments, as well as the very high-security environments that you mention, rapid discovery and patching doesn't work, so formal methods and extreme attention to detail are the only option. They only take you so far (*everything* only takes you so far) but the name of the game is "mitigate what risks you can, bound the rest and build backup plans".
The patch treadmill approach is somewhat more resilient from a security standpoint, because in a formal system, when you find a defect the process of fixing it has to be similarly formal, which means complex and time-consuming, and it's likely that there isn't a good mechanism in place for delivering updates. However, the patch treadmill approach is also more likely to see successful penetrations in the short term.
At the end of the day, there are places for both approaches, and places for a combined approach as well.
at least with some sort of certification system, you can be sure that what you have is better than the choices...
I wouldn't go quite that far. With the certification system, you can be sure that the software has passed the required verification tests. That tells you something valuable about the system, but it doesn't really tell you anything about the alternatives, unless they've also been tested. Still, as long as you understand what it is and is not, certification is definitely worthwhile.