Windows 2000 Gets Common Criteria Certification 533
Qnal writes "e-Week is reporting that Microsoft Windows 2000 has been awarded Common Criteria Certification.. Read more of the propaganda here. Basically, according to the article Any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated. The Common Criteria certification is an internationally recognized ISO standard established for evaluating the security of infrastructure technology products. Too bad it takes 3 Service Packs..."
If you want to update (Score:3, Interesting)
Re:If you want to update (Score:2)
Re:If you want to update (Score:4, Informative)
> Basically gives MS the right to access data in you
> computer.
Close. It gives MS the right to access data and install anything it wants to (like a certain distributed network OS called Millenium).
If your business is in the health care, banking, or financial fields, you may not be able to install this service pack (or sp1 for XP) due to the EULA being in conflict with the guidelines and laws your business must operate under. If you are not in those fields, you would still be advised to run the EULA past legal to make sure it won't cause problems.
BTW, 2000 sp 3 and XP (sp1?) will be the minimum requirements for Office 11 due out in 2003. Previous versions either will not be supported, or plain won't run it.
"All our tomorrows, Great Sun, by the Light, are very forgotten.
The Light dies. We pray and it sleeps."
"Oh Peace Oh Light Return" (national song of mourning)
From "Gojira", November 3, 1954
Re:If you want to update (Score:4, Insightful)
Do you honestly want to give them that option?
And if it is just for Windows Update, why don't they reword the EULA then?
Re:If you want to update (Score:3, Interesting)
I see this as the main problem with closed-source software. I work at a university, and all of the professors in the department in which I work run Windows (95% are 2000 Professional). Security is a very big issue, because universities are often targeted by crackers because of our resources (bandwidth and hardware). Keeping computers secure is a difficult job when you're relying on a single vendor to (1) acknowledge security vulnerabilities and (2) provide patches for those vulnerabilities. If Microsoft doesn't want to acknowledge a flaw for fear of having egg on its proverbial face, we're SOL.
So when they do issue patches/service packs, we're usually quick to apply them. But in the case of SP3, in order to secure our computers, we also have to accept an overly-broad EULA. A grad student geek and I were talking about this today while I was installing SP3 on a computer that had not yet had the patch applied.
So do you give up control of your machines to Microsoft or to crackers? Right now we've chosen Microsoft, and I'm not completely convinced that the other alternative wouldn't be better.
Re:If you want to update (Score:3, Funny)
I like this. Time to hire a 16 year old who's only job it will be to click Accept on software installs...
Reg: Proof that Win2K is STILL insecure, by design (Score:5, Informative)
Read their earlier report as well. CC accredation is a running certification, for a specific configuration.
Speaking of The Register... (Score:3, Informative)
Re:Reg: Proof that Win2K is STILL insecure, by des (Score:5, Insightful)
It's sad that it's miles away from the default install, and most sysadmins won't take the effort to implement them.
Also, buffer overflows aren't part of the certification. Although, I would make a strong claim that a buffer overflow in a process running as System violates Protection of the TOE Security Functions
No wonder (Score:4, Funny)
Sounds like Windows 2000 is the lowest common denominator.
Re:No wonder (Score:5, Insightful)
Too bad Linux isn't cerfitied at all.
Re:Comment about 3 service packs and linux (Score:5, Insightful)
Thank you for saying this. No, this is not flamebait nor it is an attempt to bash Linux/MS/OS_whatever. I was quite disgusted by the fact that the editor felt it necessary to throw in that cheap quibble on the front page of the story.
No I am not a MS/Linux/OSX/CowboyNeilOS crusader. It would not have mattered which OS the story was referring to. The comment was cheap and unnecessary, and in my mind it degraded the apparent level of professionalism of the
MS Should be given some credit for the efforts of achieving the level of standards necessary to aquire any type of internationally recognized certification. This goes for any other development team/group achieving similar goals.
/.'s roll should be to report the news in a non-bias way while the
damnedIfIknowHowToUseAn'Or,Merlin.
Re:Comment about 3 service packs and linux (Score:3, Insightful)
The FACT is, that it has taken 3 service packs and a huge amount of public thrashing to get the OS to the point that it can be certified.
As to whether the certification means anything, that's up to each of us to decide for ourselves. My Win 2000 will remain firewalled off from the rest of my network, while I use what I feel to be more secure OS's to get the job done.
1 service pack (Score:3, Insightful)
OK (Score:5, Insightful)
This kind of certification is a great thing for people running Win2K.
But I have to wonder if Microsoft's upgrade cycle will cause those people to lose official support for Win2K unless they upgrade to XP or whatever's next very soon now?
A lot of enterprises do a lot of time-consuming testing before they rollout something like Win2K, which is probably the first reasonable OS from MS.
It'd be a real shame if all that testing and certification gets thrown out the window because MS doesn't feel its customers aren buying upgraded products fast enough.
Re:OK (Score:2)
Comment removed (Score:5, Informative)
Re:OK (Score:2)
An upgrade cycle won't and can't take that away.
That being said, XP and
Re:OK (Score:2)
Re:OK (Score:2)
Does this mean it won't be discontinued? (Score:3, Interesting)
3 Service packs (Score:3, Insightful)
Re:3 Service packs (Score:5, Insightful)
Be thankful that MS does SOMETHING to repair SOME holes.
Stop w/the little jabs at the end of every fucking Microsoft related article, I really can't stand it.
Re:3 Service packs (Score:2, Insightful)
I agree - the post would have been just fine without that misguided last sentence. It's the editor's job to take that stuff out. Who was the editor on that last one?
Nevermind, it was Timothy. There's a 50/50 chance he added the comment and forgot to add the </I> after the submission.
Re:3 Service packs (Score:2)
Re:3 Service packs (Score:2)
"it's primarily available and supported with an expensive connection to the Internet"
How do you get Windows? Go out and spend >$100 bucks for it? ($100 for the upgrade to Home edition; add a hundred more for each of the professional and full version.) I got an 1100-page book with Linux for $35, no broadband required. Simple visit to Amazon or B&N or probably several other places. (You'll pay more at a real store.)
UnitedLinux should implement this! (Score:3, Interesting)
With the rollout of UnitedLinux due anytime now, I hope they implement something akin to Windows Update so we don't waste valuable time chasing down manually every important software update to your Linux installation.
Re:UnitedLinux should implement this! (Score:5, Informative)
Re:UnitedLinux should implement this! (Score:2)
Re:UnitedLinux should implement this! (Score:2)
apt-get update ; apt-get upgrade works fine for me.
no problem (Score:2, Informative)
select, download, install - there are really equivalent tools.
in Mandrake it's called "Mandrake Update" - even the naming convention is similar..
Re:UnitedLinux should implement this! (Score:2)
It all hinges on cvsup. There aren't any nice GUI frontends to the process (some are being written as we speak), but it's trivial to put the process in a weekly cron job.
Re:UnitedLinux should implement this! (Score:2)
Re:3 Service packs (Score:5, Insightful)
As you note, if Linux releases a new patch, bug fix, etc, it is a triumph of the platform! See how they fix the problem? See how they respond?
It is, at best, frustrating. It is also, IMHO, a bit hypocritial. There are tons of rationalizations (timing, the fact that it is closed, the fact there was the bug in the first place), but, at the end of the day, patching is part of any software product.
Ultimately, I think that the "MS patch bad" propoganda lowers the overall credibility if it comes from the same source as "we produce fast patches, and you can even write the patches yourself!" Decide: either patches are bad, or they are good!
(The relative merits of closed vs. open source cna be debated at length--I personnally don't feel that one method is inherently better than the other.)
Re:3 Service packs (Score:3, Funny)
Re:3 Service packs (Score:3, Interesting)
1. A vulnerability is discovered in Microsoft software
2. Microsoft acknowledges the vulnerability
3. Microsoft issues a patch
4. Administrators apply the patch based on Microsoft's terms
Ask yourself, who's in control of that entire process? Is it one entity? An entity that has an interest in profit and corporate image? Do you think those two things come before "what's best for the computing world?"
Ideally, OSS eliminates the problems with this process. Anybody can discover a vulnerability, make it public, and issue a patch. Likewise, anybody can apply that patch in any way they see fit.
Re:3 Service packs (Score:3, Insightful)
Re:3 Service packs (Score:4, Interesting)
RagManX
Re:3 Service packs (Score:5, Insightful)
I still hate that snide comment about the three service packs though. It's just childish and moronic.
Re:3 Service packs (Score:5, Insightful)
Personally... I think that both windows and Linux should have some sort of hotfix/patch scheme, AND a service pack scheme. After all... if a problem comes out with a piece of software be it a security hole, or a bug, or whatever.... system admins should be allowed to patch their systems right away without having to wait for a service pack. This goes for both windows and Linux systems. I like being able to keep up to date on patches and similar... but I also know that there are people out there who are less technical than the average geek. And while they aren't informed enough to install every patch, they have enough know how to install a single service pack. Which is in reality, better than nothing.
But seriously, I wouldn't put down patches and hotfixes because they ARE good for people who keep their system up to date. They ARE a necessity for quick fixes of small (relatively speaking) problems. But I do agree that we could use service packs as a catch-all for people who don't know exactly how to apply all the patches, or even where to look when they do come out.
Re:3 Service packs (Score:2)
Re:3 Service packs (Score:2, Informative)
Re:3 Service packs (Score:2, Interesting)
Which propaganda is worse? (Score:5, Insightful)
A classic case of a narrow minded zealot.
Does Linux try for this certification? If so, how did they do? Is anything being done to ensure this? Does it matter?
Those are questions that SHOULD be answered in the article, if you don't like MS.
How about we just show that Linux is better instead of trying to whine about MS throwing out propaganda.
After all, would you rather be someone that says "Hey, look at what linux can do with the same thing", or a kid whining and crying that MS is horrible without any backup or info (for this particular certification).
You guys fight the battle in the wrong way. That's why people roll their eyes when you mention linux. You give the real supporters a bad name.
Re:Which propaganda is worse? (Score:5, Insightful)
This kind of whining is getting downright silly. First a loud group whines about Windows and its applications being insecure, the source of tons of problems, and that MS should get better security. Since Windows is widely accepted and used by many businesses you'd think these people would be happy that there's a certified Windows that should keep your data safe.
Instead we get more whiners saying that its a shame it took 3 Service Packs to do and that a security certificate is merely propaganda. No pleasing some people I suppose.
Really, instead of criticism, why don't we be happy that it's getting harder to get at everybody's files? I love linux as much as the next person here, but come on, we as a community need to drop the double standards and be a little more mature in our criticism. And when a step is taken in the right direction, well, give credit where it's due.
But it isn't (Score:3, Insightful)
If that were the case, maybe we'd be happy. But because the EULA of SP3 requires you to open your entire system to Microsoft for them to do with it as they will, at their discretion, I think most people would hesitate to describe that as making it harder to get at everybody's files.
As for the Certification, since it in no way provides any guarantees about the usefulness/applicability of the security components present, it will give users a false and misleading sense of their security.
Re:Which propaganda is worse? (Score:2)
Re:Which propaganda is worse? (Score:2, Interesting)
First and foremost, yes, it does matter. New government directives require the DoD, as well as other government agencies, to use common criteria products if they are available. Thus, if Linux doesn't have a CC evaluation, Win2K or Solaris will be used instead (or Irix, or Apple (in evaluation, check out niap.nist.gov, or any of the other unixes).
The problem is: one has to pay for evaluation. Will any of the Linux shops do this? I don't know. I sure hope so.
Daniel
Re:Which propaganda is worse? (Score:2, Insightful)
Microsoft software is sold, partly, on the basis that it is secure
Linux and *BSD are used, mostly, on the basis that it is secure.
Lemmie ask you? Have you ever released software and it break on something afterward? Mr. Torvalds hasn't. Something as complex as an OS is bound to have an error that is found after release. Especially security errors that people try hacking into every day.
Part of their reason for selling it at such high prices is the security supposedly offered.
And they release those patches for free. They even made it so that it will download the patches when they are available automatically, and just prompt you to install them. No need to even KNOW about windowsupdate.microsoft.com.
Now, we've got a "user friendly way" of keeping something more secure than understanding apt-get and knowing when to do it, vs money.
Now, am I such a scary person that you have to reply anonymously to me?
Re:Editors are trolls (Score:5, Insightful)
Slashdot is a never-never land where there is a ubiquitous source of evil (Microsoft) and a benevolent force that is accepting of all (GNU/Linux).
Aren't service packs... (Score:3, Insightful)
Fine until you install something. (Score:5, Insightful)
Which doesn't nearly going into counting all the fun software that finds inconstencies, holes, and breaches in windows, not to mention finding their own. Often, it's the new software or hardware that breaks an OS.
How about a fix to "DLL hell", where windows can obtain online a list of known DLL versions, and can be updated by software manufacturers as to which are compatible. From previously working in a software certification branch, I know that DLL and modular conflicts often cause a lot of the instability between apps or when installing new applicatons.
What is this 'dll hell' of which you speak? (Score:2)
Compare that to the pain you often have to go through to install an RPM on Linux...
Re:Fine until you install something. (Score:3, Informative)
1) The NT5.x kernal has built in dll version management. From the end-user perspective DLL Hell is a thing of the past. There are still, however, some (very) small headaches for developers.
2)
Service Pack (Score:5, Insightful)
give me a freakin' break. (Score:2)
It could have been 1 service poack or 2, and it still would have been written the same way. Gotta have the obligatory jab at MS(even if they are doing something right).
And I can express my view against it by simply not subscribing to Slashdot.
This should be cheered not jeered (Score:5, Insightful)
First we critize MS when their securtity fails, now that their security is improving we still critize their efforts. Grow up.
Besides, a more secure Win2K should mean a better Net for everyone. If these boxes can stay locked down and free of trojans, in theory we shoul see a decrease in attack/hack attemps.
Re:This should be cheered not jeered (Score:2)
Is the entire net under the control of a single management domain? No, thus any Win2K box connected to the "entire net" doesn't meet the requirements for certification and is just as problematic in regards to trojans/viruses/etc.
In other words: No change. Nothing to see, move along.
Re:This should be cheered not jeered (Score:2)
Why stop when it seems to be working?
Re: (Score:2)
Here We Go Again (Score:5, Funny)
Yea, because we all know that open source software never needs to be patched. Yep, it's all 100% secure from the start. All open source software is versioned in whole number increments with no point releases for bugs. It's positively magical!
Gag me with an overstuffed penguin doll...
Re:Here We Go Again (Score:2, Insightful)
But with Open Source, the patches get applied to a product with a quick release turnover. I can go buy Redhat, Mandrake, SuSE, FreeBSD, etc, *NOW* and have a current system. Or I can choose to buy a three year old system knowing that I need three service packs just to get it up to par.
Releases every six to nine months are better than releases every three years. In addition, I can get patches for Open Source Software the day they are created, instead of several months down the road when Microsoft decides a issue the next service pack.
hilarious fud (Score:2)
Re:hilarious fud (Score:2)
Until I see someone explain why Win2000 can pass the certification and Linux cannot, you can't really call it FUD.
It's FUD because (Score:2)
That's right. Not all versions of Linux could meet CC EAL4. In other words, not all versions of Linux could meet the same minimum security requirements as Microsoft Windows 2000.
"Well," you ask, "exactly which versions of Linux can and cannot meet CC EAL4 requirements?" It stands to reason that the core Linux(TM) kernel, the version distributed by Linus at http://www.kernel.org, cannot meet these minimum requirements, because if it did, all versions of Linux(TM) would meet these minimum requirements.
Kernel.org does not release an operating system, they release a kernel.
His article is FUD because he blasts the core kernel in much the same way I could say:
"Windows sucks, Bill sucks, and the MS goons suck, because while Windows 2000 SP3 can meet the cert the Windows XP kernel.exe file can't."
He himself admits that many Linux distributions can meet this cert. But it's as if he doesn't understand that there's a different between a Linux distribution and a Linux kernel.
In fact, the follow quote refering to kernel.org
After all, other Linux distributions are not going to be made less secure. I also know for a fact that this is true.
Really shows his lack of knowledge, because
1> kernel.org isn't a distribution, it's a kernel.
2> A full distibution with services(ftp, nntp, http) is totally less secure than a kernel without a distribution(ie. you can't even log into the machine).
Re:hilarious fud (Score:2)
World Tech Tribune had a rather hilarious FUD article [worldtechtribune.com] covering this several days ago.
Wow, that... is.... incredible. 'Hilarious' doesn't even come close to describing it.
The article you mention does, however illustrate the salient point we should all be taking away from this, which is that 'security' is a multidimensional word with orthogonal meanings: when MS says 'it's secure' you have to consider whether they are talking about Palladium/DRM (others get to decide how your PC works) or Filesystem ACLs (you get to decide who can access what inside your box) or PKI algorithms (you get to decide whether someone else's identity can be verified and how to exchange data in a manner that is difficult for third-parties intercept.) This is what the newbies and PHBs need to understand.
Now, the CC certification means *something* (read the specs to find out exactly what) but there is no "SECURITY = ON/OFF" button you can go push to lock everything down. (Yeah yeah, I know: "power button", ha-ha, very funny.) Anyway, with the machine turned ON, security is only the end result of a process of auditing, testing, fixing and policy enforcement.
Stupidity (Score:5, Insightful)
I say bollocks.
Win2k with SP3 got an ISO certification for achieving a certain level of security. This is were the news ends. This is also where the person who presented the article behaves as a Linux/OSS groupie, serving FUD.
The MS OS got a certification, which to some means a lot, to others, nothing. But to actually go as far as calling the whole shebang as propaganda is outrageous
Correct me on this, but I don't remember Linux getting an ISO certification about anything.
The way the whole affair was presented, reeks of OSS selfrighteous geekiness, smallmindedness and fantacism.
You're A Debian user, right?
Re:Stupidity (Score:4, Funny)
You're A Debian user, right?"
Now who's being outrageous and attacking with a blanket statement.
exact same system? (Score:5, Funny)
Their test system had two 120Gig HDs full of fansubbed anime and was running at 100 cpu doing divx encodes ?
Well, they said "exactly the same system".
Wait, did they mean my exact system ? How do I sue them for wasting my cpu cycles running benchmarks ?
This post was nearly funny. Blame the cough syrup.
graspee
Re:exact same system? (Score:2, Funny)
(mutters)Fucking cough syrup(/mutters)
BE MORE FUNNY!
Huh? (Score:2, Insightful)
But the 2.4 kernel has had 19 service packs. Three is hardly bad at all.
Solaris 8 has been for two years now! (Score:3, Informative)
Same system? (Score:2)
Umm, no!?!
EULA (Score:2, Insightful)
Sounds a bit hard to me. Besides, we all know Microsoft has its campaign for 'secure Windows'. It doesn't strike me as a surprise that as part of this program they come up with a certificate.
I'm not trying to state here that this is all a bad thing, it is good that they finally are focussing on security, but I have some real big question marks on this certificate.
And to the obvious posters stating Linux doesn't have this: Linux cannot buy such a certificate, but not having it, doesn't mean you don't deserver it.
Common criteria website (Score:5, Informative)
common criteria (Score:3, Insightful)
Common criteria is quite complicated - to understand what common criteria really means, you'll need to read some things that are NOT posted at Microsoft. This may mean that they basically implement what they have documented, or that they implement a specific feature set.
Re:common criteria (Score:3, Informative)
"Propaganda" (Score:5, Insightful)
In the last year or so, it's become fashionable to use the word "propaganda" to describe anything one reads or hears that makes one uncomfortable. The word was already so subjective as to lack value, but it's now hit complete worthlessness.
If there's something untrue or illogical with the Microsoft page, say so. Throwing in an unsupported "propaganda" is just chickenshit. Unless you figured there was a certain amount of negative spin that had to be added to a Microsft succcess story to get it posted, which is a forgivable gaming of the system.
Re:"Propaganda" (Score:2)
ex: "The terrorists terrorized the people who were terrorized by the terrorists. Everything the terrorists said to claim they weren't terrorists was just terrorist propaganda, because they are in fact terrorists." ( -- this was just an example, but it actually describes current US, Chinese, Russian, and Israeli foreign policy)
Slanderdot? (Score:2, Insightful)
For the longest time everyone here has been criticizing Microsoft because they have poor security. So they start fixing it. They release patches. Then everyone criticizes the fact that they release all these patches. They are only being responsive to your criticism. Now an objective panel gives them a reward for their efforts, and everyone here is angry!
You know, I really thought everyone here genuinely wanted Microsoft to improve security. I thought we all were in it for the benefit of all. I thought that was what the Linux community was all about. But clearly the intent here is more religion than technical. Either you are part of my religion, or you are to be destroyed. How's that better than your perceptions of how Microsoft acts?
You know, maybe the .ORG domain name really is more appropriate, since it's a religion and all.
So who is working on certifying Linux? Is anyone going to actually try to improve the net, or are we going to just keep pulling Microsoft down?
What the CC means (Score:5, Interesting)
Read the description on the CC web site, and you'll see that the evaluation was for the development process, and that only part of the impementation was tested at all. (I wonder which part?)
All of which, while interesting to some, is in the 'so what' category. Security is not a cert, or a product. Security is what you do.
For example, Windows NT 3.5 was certified to the NIST 'C2' level (basically, C2 means you have separated the users and require a login). But there was no problem building a 'B2' level (mandatory access control) system with NT3.5; you just had to add some software and hardware to plug the holes.
So these certs are of no use except to PR flaks. And trolls.
You're Right (Score:2)
Just to clarify, I didn't mean to imply that NT3.5 ever received a B1; just that it could be configured to meet that level. The main point being that while a specific cert might be nice in the PR wars, how you apply the system is what's important. For example, just as soon as a W2K user loads MS Office onto that machine, the cert is no longer valid.
The CC cert is less revealing than a NIST cert, because the CC evaluate the design of the system, and only a part of the implementation. So it is better suited to show that a developer has good security processes, rather than secure products.
And let's not slight MS here. From what I've seen, they are making an honest effort to secure their products. I think they've finally reached the point at which they have to in order to stay in business.
/. Should stop trolling in it's articles... (Score:5, Insightful)
Name any OS that hasn't gone through hundreds of patches before it's reached certain levels of security, stability, or predictability. Quite frankly, if
EAL4 Not so bad really (Score:3, Informative)
The set of features is (I think) the protection profile (PP). Not sure exactly what the PP is here - the press releases were rather vague, but it may be the commercial adaptation of the old military C2 (discretionary access control).
Before passing judgement, we need to know what the evaluated configuration looked like - what other software was included, what networking features were enabled, etc.
I suspect the reason Linux (or OpenBSD or FreeBSD...) have not applied for this is that it costs money. I'm sure MS paid SAIC a nice bundle for this work. A BIG difference between the Common Criteria and the old Orange Book evals. Under the Orange Book (the old C2), the gov't paid, the trade-off being that they took their sweet time doing the eval. Now we have private labs doing the work - more quickly, but there is always the issue of whether the payment biases the results.
FYI, here is what the Common Criteria [commoncriteria.org] says about EAL4:
EAL4 - methodically designed, tested and reviewed EAL4 permits a developer to maximize assurance gained from positive security engineering based on good commercial development practices. Although rigorous, these practices do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. It is applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs, and are prepared to incur additional security-specific engineering costs. An EAL4 evaluation provides an analysis supported by the low-level design of the modules of the TOE, and a subset of the implementation. Testing is supported by an independent search for vulnerabilities. Development controls are supported by a life-cycle model, identification of tools, and automated configuration management.
HIPPA (Score:2)
All your base!
Common Criteria Certificate (Score:2)
I think the rainbow series was replaced sometime in year 2000. The significance of the common criteria is that it is developed by ISO and is internationally recognized and it not only replace the rainbow series but also the ITSEC (European standard) as well.
Meaningless context (Score:2)
Try again (Score:2, Insightful)
Second, Common Criteria isn't a panacea or a magical certificate saying that Win2k is uber-secure. It is an assurance that it meets a specific level of security and reliability on failure (ie, will STOP instead of going into an insecure mode on a kernel exception).
Its predecessor was called Orange Book, which WinNT scored a C2 rating. That's about as good as you are going to get with an "off the shelf" operating system. A Level 3 really doesn't mean it's better than other OSs, just certified that it will operate in a predictable and reliable fashion, has DACLs and user-based security, etc... Big whoop.
Why Service Pack 3? Gee, it takes a bit of time for certification. IIRC, NT took 2 years to get C2 certified. Remember, this is the government.
By the way, I don't see Linux listed anywhere on the CC list. Check your pots, I think they're talking to your kettles.
Finally, I take exception to the author's use of "propaganda". Is it becoming the thing to call anything propaganda that paints Microsoft as something other than the Evil Empire?
Common Criteria - Getting It (Score:5, Informative)
To get a common criteria certification, in addition to the thousands of dollars (>$40,000) you have to spend, you have to specify what your system does and then prove that it does it.
So, as I have not seen the specifics of Microsoft's CC case (which I doubt we'll see the full report), a certain company could say "Product X is a workstation operating system that does not allow UserA to see UserB's documents" and then Product X would be certified as having accomplished that.
There are different guidelines for different products, including firewalls and network management equipment and software.
You get a CC cert when your product DOES WHAT YOU CLAIMED IT WOULD DO IN THE APPLICATION.
There is NO third-party security guidelines for the products, as in the SANS guidelines or anything else.
You write up the application, make your security-related feature claims, and pay your fee. The product is given to a lab for testing.
The point of the CC is to get gov't and contractors to look at products based on what jobs and specific requirements those products can fill in their IT solutions. It's not really a security cert in the way "Windows is secure" would make you think. It's "Here's the list of security-related requirements you can fill with this product".
--mandi
Now back to your carrying on. Yes, I worked on a product that was to be CC'd.
Remember the Last Time? (Score:2, Interesting)
This certification isn't much different, in that is has no real meaning or value to end users. All it does is allow M$ to sell into markets, primarily government, where CC certification is a requirement.
If a vulnerability is discovered in this certified version, there is nothing which forces M$ to make a correction. Further, if M$ issues Patches, HotFixes, Services Packs or whatever subsequent to this evaluation, they will NOT be certified, or even examined.
Marcus Ranum (father of the Internet Firewall, speaking on CC evaluation of Firewalls) said it best:
And what exactly was the test? (Score:2)
To begin with, the UL techs had very little clue about what it was they were certifying, they spent more time ensuring that all of the hardware we used had UL certifications. After that, they bascially re-wrote the spec's around our system. In the end we passed, of course. It would have been kinda tough to fail when the spec was being modified to fit our system, not the other way around.
After that wonderful experience, I came to realize just how big of a con the UL is pulling on all of us. Its bunk, it doesn't even prove that there is a decent level of quality behind a product. As an example, one of our system configurations requires an ethernet serial provider (ESP), for use with a modem and remote managment software. Easy enough, we've done this for years. But, the ESP we used was not UL listed, so we had to change manufacturers. When we finally found one we discovered that it would not work with a modem and the remote managment software, even had the manufacturer tell us as much! So now we are scrambling, trying to find another supplier. All because of some stupid little UL sticker.
I can say with confidence, the UL certification is a con. Also, I've dealt with ISO certification, its a con as well (yes, we have documentation on all of our procedures, just ignore that it is very loose and only ensures that we do roughly the same thing every time, and gets universally ignored, we're a custom shop after all, doing the same thing every time is impossible). And I would bet that this common criteria cert is a con, you pay them, play around for a few days to make the inspectors happy, and they sign off on your system.
Linky (Score:2)
Here's the real news: (Score:5, Informative)
For the record, here's Microsoft's remarkably FUD-free press release: http://www.microsoft.com/presspass/press/2002/Oct
The FAQ tells all about the CC and what it really means: http://www.microsoft.com/presspass/press/2002/Oct
This is huge:
1) The CC certification is a globally accepted ISO standard (ISO-IEC 15408) established for evaluating the security features and capabilities of information technology products. 14 countries accept it as the method for evaluating the security claims of IT products and systems.
2) Just "running service pack 3" does not mean you are running a system that is at the same level of security as those evaluated. Microsoft has several documents (enumerated below) that describe how to set up, use, and administer a CC evaluation ready system.
3) Yes, Windows 2000 is on Service Pack 3 with a few post-service pack hot fixes. My Red Hat installation has at least as many fixes applied to it, and it's not even DoD "Orange Book" certified, let alone evaluated to any international standard of security.
4) There are three very helpful checklists Microsoft released with this announcement:
I) Common Criteria Evaluated Configuration User's Guide [microsoft.com] describes how to use a secured system in a secure way. All organizations should be sharing this information with their users. Anyone running Windows 2000 or later should read and follow this.
II) Common Criteria Evaluated Configuration Administrator's Guide [microsoft.com] tells administrators how to run their system once it's been securely configured. If all Windows 2000 admins read this and the next document there'd be fewer security incidents out there.
III) Common Criteria Security Configuration Guide [microsoft.com] tells you what steps need to be taken to properly configure a CC evaluation worthy system. It is very simple, especially with the templates Microsoft provides, but it is more complex than "apply service pack 3 then drink a beer".
These checklists will hopefully alleviate the problem of clueless admins incorrectly configuring and administering Windows 2000 systems.
5) Windows XP and Windows
The baseling is this: no other company has certified such a detailed procedure for assuring the ongoing security of their operating system products. Not linux, not BSD, no one. Windows 2000 is the first.
This isn't just a locked box in a closet with no net connection certification. Several Dell and Compaq systems were evaluated in real world situations. From an interview with Microsoft's Security and Server executives: "...directory service, Kerberos, single sign on, file system encryption, VPN functionality, policy-based network management, desktop management, and more. To our knowledge, Linux has not been evaluated for any protection profiles under Common Criteria."
For the record: I run Redhat-based LAMP servers and OpenBSD-based border-gateways. I wish they'd get their acts together and get evaluated; it'd be nice to have an honest-to-god standards-based evaluation of their security.
I guess I'm done.
See http://microsoft.com/windows2000/server/evaluatio
Re:Here's the real news: (Score:3, Insightful)
It can be done, but why waste the large sum of money just to satisfy a very tiny segment of the populace and also risk getting sued when you dont own over 1/2 the lawyers in the western hemisphere if that certified setup get's hacked.
microsoft can get whatever claims they present certified... and they really cant get sued as they have a goon squad that can even take down the US government (as they demonstrated already) little ol'e redhat.... cant.
SAIC Press Release (Score:3, Insightful)
FOR IMMEDIATE RELEASE
October 29, 2002
SAIC Awarded Common Criteria Certificate for Microsoft Windows 2000 Operating System Evaluation
(MCLEAN, VA) Science Applications International Corporation (SAIC) today announced that it has received a National Information Assurance Partnership (NIAP) Common Criteria certificate for successfully performing the evaluation of the Microsoft Windows 2000 operating system. SAIC's Common Criteria Testing Laboratory (CCTL) performed the evaluation and received the certificate at the Federal Information Assurance Conference (FIAC) 2002 in College Park, Md.
"SAIC is proud to have contributed to this Common Criteria milestone event and congratulates Microsoft for attaining this significant achievement in computer security," said Duane Andrews, SAIC corporate executive vice president.
The Windows 2000 operating system evaluation was conducted in accordance with ISO 15048 Common Criteria Evaluation Assurance Level (EAL) Level 4 Augmented requirements and was evaluated against the Common Criteria Controlled Access Protection Profile, which is consistent with the commercial-level information security requirements for the Department of Defense (DoD). An EAL4 is the highest evaluation rating that a commercial CCTL can perform and Windows 2000 is the first operating system to achieve an EAL4 rating under the United States Common Criteria Evaluation and Validation Scheme (CCEVS).
"The SAIC CCTL took on a complex challenge, and we were successful in completing the evaluation of the Windows 2000 operation system," said Tammy Compton, co-director of the SAIC CCTL, and the leader of the evaluation team. "The common criteria evaluation methodologies we used were applied to Windows 2000 without using evidence from any previous evaluations. This led to the completion of one of the more challenging projects we have conducted, and we are confident of more successful evaluations in the near future."
"We have embraced the Common Criteria evaluation process from its inception, because we saw the high quality bar for security we could provide to customers," said Bill Veghte, corporate vice president, Windows Server Group, Microsoft Corp. "With CC certification and the support resources we are releasing today, customers now have an internationally-recognized template for Windows 2000 that enables them to build an IT system for secure computing beyond that of any other commercially-available platform today."
Located in Columbia, Md., the SAIC CCTL is a division of SAIC's Secure Business Solutions and was accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) in August 2000. SAIC CCTL was one of the first commercial laboratories to be listed in the NIAP's CCEVS. SAIC's Secure Business Solutions provides security solutions for networks and business systems. Its 500 engineers can assess, test, design, certify, deploy, and manage solutions for information and physical security, and train organizations to be a core part of overall security solutions.
Why the sarcastic tone? (Score:2)
Boy, what a zing. (Score:2)
Two words.... (Score:2)
Steve Ballmer.
Re:Of course SAIC would say that... (Score:3, Interesting)
Re:Of course SAIC would say that... (Score:2)
The same as it runs on Windows: crashed.