
IBM Clinches Security Certification for Linux 373

Nimey writes "IBM has gotten Linux certified under the Common Criteria specification. " What this means is that government can consider Linux when making purchasing decisions. Linux got the highest rating possible.
  • Just wondering.. (Score:5, Interesting)

    by CausticWindow ( 632215 ) on Tuesday August 05, 2003 @08:37AM (#6614484)

    What are the ratings and how do other common OSes score? Anybody know?

    • Re:Just wondering.. (Score:5, Informative)

      by nakhla ( 68363 ) on Tuesday August 05, 2003 @08:42AM (#6614528) Homepage
      I believe Linux received an EAL 2. Windows 2000, however has received an EAL 4. An EAL 4 involves more security checks and requirements.
      • Re:Just wondering.. (Score:5, Informative)

        by Anonymous Coward on Tuesday August 05, 2003 @08:57AM (#6614658)
        You can get an overview at networkcomputing.com [nwc.com] or at the Common Criteria [commoncriteria.org] web site.
      • by TedCheshireAcad ( 311748 ) <ted AT fc DOT rit DOT edu> on Tuesday August 05, 2003 @09:18AM (#6614817) Homepage
        If Win2k gets a higher rating than Linux, then why do we have stuff like this [cert.org] happening?

        Isn't it odd that a "comprehensive security rating" can overlook something as serious as a complete remote compromise?
        • If Win2k gets a higher rating than Linux, then why do we have stuff like this [cert.org] happening?

          Read the certification assumptions: cooperative users in a benign environment, and network connections only to hosts in the same administrative domain. In short: "Don't use this on the Internet, or the certification is completely meaningless."

          Furthermore, certification just guarantees that a certain process is followed, and the process itself doesn't guarantee anything about implementation errors (except
        • by evenprime ( 324363 ) on Tuesday August 05, 2003 @10:28AM (#6615357) Homepage Journal
          TedCheshireAcad asked
          If Win2k gets a higher rating than Linux, then why do we have
          stuff like this [cert.org] happening?

          Isn't it odd that a "comprehensive security rating" can overlook something as serious as a complete remote compromise?
          No, it is not odd. It is expected, in fact. Microsoft's rating was for common criteria "CAPP/EAL4". The CAPP part means that the OS provides "a level of protection which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security". I don't consider the internet to be a non-hostile and well-managed user community, so I'm not the least bit surprised that hostile remote attacks are possible. The evaluations didn't say that it was safe to hang the microsoft box - or the linux one - on the internet.

          These lower level security evaluations don't mean much [jhu.edu] in terms of real security out on the big scary internet; i.e. the situation most of us find our machines in all the time. (This has been discussed [slashdot.org] on slashdot before.) Basically, all that is necessary to get one is that you document *everything* and then throw a pile of money into having a government-approved independent organization evaluate your product and make sure that it does what the documentation says it does. If your product behaves as your documentation says it does, you get the certification. It is worth noting that OpenBSD [openbsd.org], who have only had one remote hole in the default installation in seven years, have avoided these types of certifications for a long time. Look at Theo's [sigmasoft.com] comments [sigmasoft.com] on the C2 rating in the Orange Book (the predecessor of the Common Criteria.) This is the formal description of EAL4 in the official list of evaluation levels [commoncriteria.org]:
          EAL4 - methodically designed, tested and reviewed

          EAL4 permits a developer to maximize assurance gained from positive security engineering based on good commercial development practices. Although rigorous, these practices do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. It is applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs, and are prepared to incur additional security-specific engineering costs.

          An EAL4 evaluation provides an analysis supported by the low-level design of the modules of the TOE, and a subset of the implementation. Testing is supported by an independent search for vulnerabilities. Development controls are supported by a life-cycle model, identification of tools, and automated configuration management.
          Notice that the goal is to "retrofit" a product line with security, and only to the degree that doing so is "economically feasible". Compare that with Bruce Schneier's comment that "Security isn't easy, nor is it something that you can bolt onto a product after the fact." [counterpane.com] No one should be surprised that feature-rich, general purpose operating systems designed for quick and easy use (i.e. everything turned on by default) are vulnerable.
      • Re:Just wondering.. (Score:4, Interesting)

        by molarmass192 ( 608071 ) on Tuesday August 05, 2003 @09:33AM (#6614925) Homepage Journal
        I found this link [com.com] which has more details, looks like it is EAL2 after all. I also found that Red Hat and Oracle are planning [redhat.com] on going after EAL4 for the latest RHAS so the W2K advantage might be short lived.
    • Re:Just wondering.. (Score:5, Informative)

      by Anonymous Coward on Tuesday August 05, 2003 @08:45AM (#6614565)
      Check out here: http://www.commoncriteria.org/ [commoncriteria.org]
    • by gurisees ( 315528 )
      Try the CCEVS home page... Here [nist.gov] you can find the Validated Products List.
    • I was looking into this yesterday.
      Basically, the "scoring" in the Common Criteria is based upon Evaluation Assurance Levels from EAL1 to EAL7. List of the levels here [commoncriteria.org].

      After evaluation, products get on the CCPL (Centralised Certified Product List) here [commoncriteria.org].
      Apparently this is not a complete list; and Linux via IBM is not listed yet.
      It is not on the "Products in Evaluation List" here [commoncriteria.org] either, so I guess they are updating their lists now.

      No product has a higher rating than 5 right now. Most products get a 4 or

    • Re:Just wondering.. (Score:3, Informative)

      by plcurechax ( 247883 )
      Common Criteria's CCPL (Centralised Certified Product List)- OS [commoncriteria.org]
      and the NIST's Validated Products List (Operating Systems) [nist.gov].

      AIX 5L for PowerPC V5.2, Program Number 5765-E62
      B1/EST-X, V2.0.1 with AIX, V 4.3 (Bull)
      HP-UX (11i) Version 11.11
      IRIX v 6.5.13, with patches 4354, 4451, 4452
      IPSO 3.5 and 3.5.1 (Nokia)
      Trusted IRIX /CMW v 6.5.13, with patches 4354, 4451, 4452, 4373, 4473
      Solaris 8 2/02
      Trusted Solaris 8 4/01
      Sun Solaris Version 8 with AdminSuite v3.0.1
      Windows 2000 Professional, Server, and Advanced Server w
  • Another link (Score:5, Informative)

    by manduwok ( 610836 ) on Tuesday August 05, 2003 @08:38AM (#6614487)
    CNN.com [cnn.com] has this story too.
    • Re:Another link (Score:5, Informative)

      by plaa ( 29967 ) <sampo.niskanen@ik i . fi> on Tuesday August 05, 2003 @08:53AM (#6614628) Homepage
      The CNN article (as some others I found using Google News) points out a few important facts that were omitted from the Yahoo story. A few important quotes:

      Linux was certified as providing only "low to moderate" security, compared with the same group's certification as "moderate to high" last year of the security of Microsoft's Windows 2000 software. Supporters said Linux software, whose popular mascot is a penguin, was under testing for better-security ratings.


      So it isn't yet certified at the same level as Windows.

      The approval, being announced Tuesday, involves only one version of Linux, from SuSE Linux AG, a vendor based in Nuremberg, Germany, when the software is installed on a particular line of IBM's server computers. IBM, which paid roughly $500,000 for the testing, and SuSE were announcing the certification jointly.


      So if anybody else wants to be selling Linux to the US government, they have to shell out those hundreds of thousands of dollars themselves.

      So maybe not much use for the overall community, but certainly a landmark in the history of Linux, and it shows that it certainly can be done!
  • Big win for Linux! (Score:5, Informative)

    by Anonymous Coward on Tuesday August 05, 2003 @08:38AM (#6614501)
    Microsoft set out to get Win2K certified and only completed the process last October according to . [entmag.com]

    Linux now has the upper hand because MS does not yet have XP certified.
    • by Dot.Com.CEO ( 624226 ) * on Tuesday August 05, 2003 @08:45AM (#6614555)
      XP is a desktop OS, and hardly needs security certification of that level. Windows 2003 server just came out a few months ago. Give it time. I bet the Linux configuration that was certified was not exactly 2.5 kernel material running debian unstable.
      • by EvilTwinSkippy ( 112490 ) <yoda@nOSpAM.etoyoc.com> on Tuesday August 05, 2003 @09:21AM (#6614847) Homepage Journal
        Excuse me? Windows 2003 is an entirely new product and requires an entirely new certification.

        Linux DOES have an advantage. I can always get support for an old version of a distro. (Worst case, I AM the support.) Now here we are in 2003. It takes M$ 2 years to get Windows certified. They stop shipping the product after 3 years, and pull the plug after 5. That means you have, tops, 3 useful years of a M$ product in a sensitive environment. Less when you consider implementation time.

        People gripe about how the space shuttle runs on old equipment, but you have to remember, there are plenty of installations that require computing hardware to be embedded for decades. Think factory equipment, weapon systems, utilities, traffic lights, aircraft.

        When engineering those systems you use the most stable installation you can find, strip it down to just what you need, and run it until you can't buy parts for it anymore.

        Now how do you do that within a 5 year Window again?

  • by Creepy Crawler ( 680178 ) on Tuesday August 05, 2003 @08:39AM (#6614505)
    Hey, you really can't go wrong with an open source, GPL'ed operating system where drivers are written by guys from NASA (Thanks Mr. Becker), and your security ACLs are written by the Spooks (heh, thanks NoSuchAgency ;-).

    It REALLY beats closed source OSes (for govt's) as even our own MS of America won't let us see the code because it's "dangerous". However showing the Chinese is A-OK.

    Gotta make you think: what would our gov't choose if they didn't have their hand in MS's pocket?
  • Red Hat / Oracle (Score:5, Interesting)

    by jmkaza ( 173878 ) on Tuesday August 05, 2003 @08:41AM (#6614515)
    According to this [com.com] article, Red Hat and Oracle are working on gaining the same level of certification by the end of the year.
  • Kernel or distro? (Score:4, Insightful)

    by NineNine ( 235196 ) on Tuesday August 05, 2003 @08:41AM (#6614522)
    So what I want to know is anything with the Linux kernel good to use, or just SUSE? Call me nuts, but I thought that different distributions using the Linux kernel could be pretty damn different as far as security and stability go.
    • It will be for a specific version. That's partly why it is a pain to get, as by the time you do, the shipped version might be obsolete. Presumably IBM and SuSE will sell this specific version labelled as such, with an installer that only installs the right parts.
    • Only that exact config of Suse on that hardware if it is like the C2 security certifications.
    • So what I want to know is anything with the Linux kernel good to use, or just SUSE? Call me nuts, but I thought that different distributions using the Linux kernel could be pretty damn different as far as security and stability go.

      ObRMS: The headline and article mention Linux, therefore only the kernel is certified. If they had said GNU/Linux then they are referring to the entire operating system distribution which is comprised mainly of GNU tools. :-)

    • According to the press release [suse.com] the certification covers the `SuSE Linux Enterprise Server 8 on IBM eServer xSeries', i.e. a specific SuSE product running on a specific family of servers. And nothing else. Read also this bit [suse.com].
  • What about BSD? (Score:2, Interesting)

    by dodell ( 83471 )
    Please spare me of all the "BSD SUCKS" and "BSD IS DEAD" flames. Kthx.

    Ignoring the fact that IBM markets Linux and not BSD, why haven't corporations made genuine efforts to get it accepted in environments such as the government? The article doesn't make it clear whether or not they're talking about serving or usability.

    It seems to me that if they're talking about security and such, there's still a bit to be left desired. Additionally, SuSE is by no means the most standard (IMO, it's the most backward) dis
    • Re:What about BSD? (Score:2, Insightful)

      by eer ( 526805 )
      Because it lacks the corporate hype that Red Hat, et al, gave to Linux.

      What I'm trying to figure out is, "What's important? The kernel or the glibc?"

      Apps written to glibc will run on GNU/HURD, Linux, Lava, and other kernels, too. Technically, that's a better story. But business wise, the brand in people's mind is "Linux".
    • Re:What about BSD? (Score:2, Insightful)

      by wawannem ( 591061 )
      There are many reasons why BSD should be ahead of the game, but unfortunately it is not. I wish I had some real numbers, but I remember having one of my BSD zealot friends run a command and pipe it to wc to see how many packages were available in the BSD ports tree. At that time there was about 2,000. I was impressed, until:

      [wawannem@weswlinux]:/home/wawannem
      $ apt-cache dump | wc -l
      100543

      I think this is what really makes the case for linux. It is sort of a Catch-22, there is more software available
    • *BSD might as well be dead to the commercial and government enterprises. Until you see the likes of Dell and IBM slapping FreeBSD on their shiny metal systems, your run-of-the-mill IT buyer will still regard the OS as something whose name simply rings a bell or is the answer to an IT-related trivia question.

      I work at a gov't site. We have plenty of systems in production and dev environments running Linux, in part because the project managers were able to use the Dell fed contract to get those servers with
    • I'd be interested in learning why more companies don't take a look into BSD environments. The security is there. The license is TOTALLY unrestrictive. It's stable, secure, well documented and well accepted (except on /.) -- why doesn't it get more corporate love?

      Because they just use it. I'd say most of the firewall appliances out there run some form of BSD and not Linux, for example. It's just invisible. The BSD people are out to produce a good OS, so such "successes" are simply business as usual and
  • by Dot.Com.CEO ( 624226 ) * on Tuesday August 05, 2003 @08:42AM (#6614530)
    I mean, look at all the other level 4 assurance level OSs here [commoncriteria.org]. Of course, Windows 2k has had this certification since last year AND Microsoft has prepared a nice guide for ensuring compliance to the common criteria guides for the Windows Sysadmin. I'm very glad that Linux will be able to compete with Windows on a bureaucratic level as well as on technical merit, but perhaps there is a slight overreaction from the part of the /. editors?
  • Linux in Government (Score:5, Interesting)

    by Sogol ( 43574 ) on Tuesday August 05, 2003 @08:42AM (#6614532) Journal
    I'm a sysadmin for a large government data center. We've been using Linux in production for years, and we always purchase boxed distributions, even some preconfigured(!) machines from Dell. Government regulations do, however, prevent me from ordering Windex and Duster. These are considered janitorial supplies, and there is no justification in Information Systems procuring these items. So frankly, I'm not sure what all the fuss is about. Things look a lot different on the ground.
  • by eer ( 526805 ) on Tuesday August 05, 2003 @08:43AM (#6614539)
    The EAL2+ assurance level achieved is NOT the highest rating possible by a long, long shot - it's actually close to the lowest [commoncriteria.org]. But, it's a great start.

    IBM and SuSE say they're working on a higher level CAPP evaluation, which roughly equates to the old C2 TCSEC criteria.
    • The EAL2+ assurance level achieved is NOT the highest rating possible by a long, long shot - it's actually close to the lowest

      Yep. I wonder if the "highest possible" hyperbole didn't come out of some (clueful) statement about how this may be the highest common criteria rating possible for a Linux system to a (clueless) reporter, who just fixated on the "highest possible" part.

      Whichever, it may be true that Linux can't get higher CC ratings because of the nature of the development process. CC ratings

  • what kind of items are covered in the Common Criteria?
  • Article quote: "International Business Machines Corp. and Linux distributor SuSE said on Tuesday that they received the highest level of security evaluation used by governments when deciding to use software in their organizations."

    So does that mean that a specific version of Suse is certified, and nothing else? So what about Red Hat etc? Or future Suse versions? I presume they'd have to get another certification (probably easier after Suse got the 1st one, but anyway).

  • by kiwimate ( 458274 ) on Tuesday August 05, 2003 @08:48AM (#6614584) Journal
    IBM has gotten Linux certified

    Correction -- they got SuSE Linux certified. This only applies to SuSE. Incidentally, it cost them $500,000.

    Linux got the highest rating possible

    No it didn't. FUD. According to this story [philly.com]...

    Linux was certified as providing only "low to moderate" security, compared with the same group's certification as "moderate to high" last year of the security of Microsoft's Windows 2000 software. Supporters said Linux software was under testing for better-security ratings.

    In fact, I'd suggest people look at the story in the Inquirer linked above -- it gives a little more information as well as some light commentary.
  • by bourne ( 539955 ) on Tuesday August 05, 2003 @08:50AM (#6614602)
    CNN has a different version [cnn.com] of the story:

    Linux was certified as providing only "low to moderate" security, compared with the same group's certification as "moderate to high" last year of the security of Microsoft's Windows 2000 software. Supporters said Linux software, whose popular mascot is a penguin, was under testing for better-security ratings.

    I would guess that IBM wanted to go for the faster, cheaper rating first and wait to get it certified higher. Common Criteria testing is expensive and time-consuming. It isn't a statement on Linux, it says more about how much got spent this time around.

  • by non ( 130182 ) on Tuesday August 05, 2003 @08:51AM (#6614608) Homepage Journal
    If you're curious about some of the history of Microsoft and the certification of Windows for government work, click here [gcn.com], and look elsewhere for the story of Ed Curry. It's been linked to here on Slashdot before.

    If you want to know more about the EAL4 certification that Windows 2000 SP3 currently has, click here [jhu.edu].

  • I'm not sure that the government adopting OSS is such a good idea. I mean when something doesn't work who is held accountable? Linus? Alan? ...?

    At least with proprietary technology there is the promise of accountability [*] in the product.

    [*] Yes I know this would mean Microsoft. DA damnit!

    Tom
    • Accountability? Bullshit. Try "wall tossing". Most EULAs indemnify the vendor from legal action. All you end up with is the ability to blame someone else.

      That isn't accountability. It's accounting. A real man admits he was wrong, and works to fix it. A coward insists the world is at fault, and ducks the problem entirely.

      This world was not built by cowards. Though they have done their share of destroying great empires, both political, intellectual, and capital.

    • The only accountability you have with most commercial EULAs is the market. If the market decides the feature needs to be fixed, it'll be fixed. Of course, key players often define the market--I'm sure the government would fit in this category.
  • by Anonymous Coward
    Being that Linux is ever evolving and in a constant state of change, wouldn't that mean constant recertification ?
  • by sirrube ( 622137 ) on Tuesday August 05, 2003 @09:01AM (#6614688) Homepage
    If Linux only got Low2Moderate and Windows2k got Moderate2High, are there any off the shelf OSes that rank equal or better to Win2k, or is Windows2k the only one out there? Thinking of all the security breaches in Windows2k, a Low2Moderate score does not impress me, nor does Microsoft when it comes to security.
  • by Rutje ( 606635 ) on Tuesday August 05, 2003 @09:03AM (#6614706)
    Linux got the highest rating possible

    The highest rating for linux is Bill Gates using it (secretly at home)!
  • by Drestin ( 82768 ) on Tuesday August 05, 2003 @09:06AM (#6614722)
    Windows has had a higher level rating for over a year now. There are nice Word DOCs available to tell you exactly how to obtain the same (or higher) level of security as tested.

    Linux was certified as providing only "low to moderate" security, compared with the same group's certification as "moderate to high" last year of the security of Microsoft's Windows 2000 software.

    Now as windows advocates were forced to admit, a security rating is about as useful(/useless) as a TPC-C benchmark. It's a test under controlled circumstances and the real world is never this controlled - but it does compare apples to apples. No serious advocate of either would blindly consider the other to be utterly secure or unsecure; but I think the /. editors have jumped the gun both factually (it's not the highest rating possible, it's the lowest rating possible) and enthusiastically. I mean, would this story have made it if the headline read "Linux finally achieves a security rating lower than Windows 2000"?

    Windows XP and 2003 are currently under testing but it takes time so please don't reveal your ignorance by announcing that Linux must be more secure than either of those since they haven't been certified yet. XP is every bit as secure and more than Windows 2000 and 2003 is far more secure than any other Windows release. That they'll be certified is not a question but just a matter of time.

    Flame away - the karma rating here is meaningless as it's nearly effortless to get "Excellent" and maintain it.

    • Well since you're being factual, why do you start with a lie? Windows does not have a security rating; Windows 2000 Service Pack 3 has a rating. As for it already having it for a year, that is meaningless. Linux started out as a free OS, meaning that it simply could not buy the testing. Half a million is of course peanuts to MS and for that matter IBM, but to the loose group of coders it is a lot of money that would be next to impossible to collect, and why would they want to? What you are saying is that a train le
  • SuSE, not Linux (Score:5, Insightful)

    by perly-king-69 ( 580000 ) on Tuesday August 05, 2003 @09:08AM (#6614736)

    Excuse the pedantry, but doesn't this mean SuSE running on IBM boxes got certified, not Linux per se?

  • Linux got the highest rating possible.

    Is this right? Because that's not how the Wall Street Journal [wsj.com] (subscription only) reported it today:
    SuSE Linux got a Level 2 certification, which he [Jonathan Eunice, principal analyst at market researcher Illuminata] said "isn't particularly detailed." Microsoft Corp. has a Level 4 certification, which involves "substantially more detailed" investigation by testing labs.

    The Wall Street Journal gave this big play ... it's subscription only, but here's some details:
    • I'm not sure what it means by the "highest rating possible," but I do know that Level 2 security clearance is what you need in order to take orders and be a real DoD contractor. This is the level that I believe Raytheon's ICCC division (the ones that program the missiles) and other companies such as Boeing work on. The divisions themselves have to be certified in order to work on projects, and since about last year the gov't has started to push their contractors to do this, it makes sense that this finally ha
  • Journalism? (Score:4, Insightful)

    by Quila ( 201335 ) on Tuesday August 05, 2003 @09:12AM (#6614767)
    Supporters said Linux software, whose popular mascot is a penguin, was under testing for better-security ratings.

    WTF does Linux's mascot have to do with being under testing for better ratings? Is the reporter trying to convey the impression that Linux isn't serious business since it has a cute mascot instead of a corporate logo?

    Wrong place in the article to put that bit.
  • What would BSD get then? This rating goes to 11?
  • by Osrin ( 599427 ) on Tuesday August 05, 2003 @09:15AM (#6614787) Homepage
    1) CC != Security, CC == Trust. EAL2 is close to the lowest level of evaluation and if my recollection of the eval levels is correct (it's been a while), EAL2 basically says that somebody somewhere might be able to find the documentation behind all the code if they went looking for it. Win 2k got EAL4 which is a full code and documentation review.

    2) When you put a product into CC you define a protection profile, the weight and value of the evaluation is based upon the complexity of that profile. It would be useful to see the profile for this eval. It is possible (in theory at least) to get a product through CC by defining a profile that outlines what happens when you click on the "Red Hat". The more you exclude the more quickly you get through the process, but conversely the less interesting the evaluation is to government.

    3) For those of you that feel this steals a march over WinXP, be aware that WinXP is in evaluation and the protection profiles that it is being evaluated under are public. Microsoft are doing a far more extensive job with XP than IBM did with Linux. When a Government procurement organisation comes to buy product, even for systems classified as SECRET, the fact that a product is in evaluation is generally enough, this is certainly true outside of the US.

    Don't get me wrong, this is a great start and will certainly spread a lot of marketing fud but it does not mean a great deal to the government community. If anything it will raise a series of questions about why Microsoft's so called 'insecure' product can achieve EAL4 when the Open Source Linux offering can only scratch through EAL2.

    Tread carefully.
  • LET'S SLASHDOT! (Score:3, Informative)

    by SharpFang ( 651121 ) on Tuesday August 05, 2003 @09:16AM (#6614805) Homepage Journal
    Nope, we won't slashdot Yahoo. But we may slashdot their rating system :)

    There's that "Rate This Message" on the bottom. Just everyone pick "5" and the news will make to the "highest rated" and possibly to top headlines of Yahoo news.
  • by CaptainZapp ( 182233 ) * on Tuesday August 05, 2003 @09:18AM (#6614818) Homepage
    Anybody remember the Windows NT 3.5 certification fiasco?

    Very true that it got C2 certification, but if I recall correctly only when external drives were removed and the PC was not hooked up to a network.

  • by sh4d0wb0x3r ( 601377 ) on Tuesday August 05, 2003 @09:30AM (#6614904)
    Linux received its evaluation at a level of EAL2; according to the CC guidelines, this is "structurally tested" and means that it should "not demand more effort on the part of the developer than is consistent with good commercial practice"; applicable where "a low to moderate level of independently assured security" is required.
    Windows 2K received an EAL4+, according to NIAP's evaluated product list [nist.gov]; which is *supposed* to show it was "methodically designed, tested, and reviewed". This is probably about on par with the old Orange Book (TCSEC) C3 it used to have. EAL4 does "not require substantial specialist knowledge" and is the "highest level in which it is likely to be economically feasible to retrofit in an existing product line." It's intended that an EAL4 system shows "low-level design for the Target of Evaluation (ToE)"; with testing that supports "independent search for obvious vulnerabilities."
    That being said, having an EAL2 or EAL4 will probably not get you into a job that involves holding classified data.
    All of this is accessible from the CC website [commoncriteria.org].
  • by Teahouse ( 267087 ) on Tuesday August 05, 2003 @09:31AM (#6614908)
    This announcement means only one thing. IBM would not have gone through this trouble unless there were a few large contracts (DARPA/DOD) that will underwrite the expense in the future. Think I'll buy a few more shares of IBM stock today.

  • by karlandtanya ( 601084 ) on Tuesday August 05, 2003 @10:14AM (#6615219)
    True or not, the point is that (at least the SuSE distribution of) GNU/Linux now has a serious backer with right to sell to the gubmit.

    All this rating does is open the door a little. It's up to the marketing boys at IBM to bludgeon the pencil-pushers into submission.

    Claiming some sort of "victory" for GNU/Linux as a whole is silly. This is another step in the right direction.

    As GNU/Linux has become more utilized, it has attracted the attention of powerful (and some incompetent) enemies. Be careful what you wish for! GNU/Linux, by its nature, will never present a unified front to defend itself. By binding the interests of users to the interests of parties with power, we improve the chances that things will go our way.

  • by swordgeek ( 112599 ) on Tuesday August 05, 2003 @10:19AM (#6615254) Journal
    First of all in case you missed it: SuSE Linux running on specific IBM hardware is certified at EAL2. Win2000 was certified at the much higher EAL4, but only under some fairly restrictive circumstances.

    Now realistically, EAL4 IS a restrictive certification! Trusted Solaris8 is EAL4 certified. Most default Unix installs might barely pass EAL2. What good is it then?

    Read the C|Net article [com.com] and you'll find that IBM is pursuing EAL3 and EAL4 for SuSE Linux next. That's a Good Thing, for any number of reasons, not the least of which is being able to sell to defense contractors for secure (but not secret or top-secret) level requirements.

    Practically speaking though, the different levels, while increasingly restrictive, aren't a scale of security goodness. They serve different effective purposes. Do you WANT an EAL4 system on your desktop? Probably not. Do you want it in your server room? There's a good chance, yeah. Do you want an EAL7 system for anything at all? Unless you're the NSA, probably not. This is an OS designed from the ground up with peer review at every stage (architecture, design, implementation) and independent verification on top of that. It is utterly restrictive--you wouldn't be able to put a web browser on an EAL7 system (or more to the point, you wouldn't be allowed to write and install one for the system without breaking the certification). This is the software that runs the shuttle and nuclear bases.

    So basically, let's quit this damned pissing match. EAL2 is good for some things, EAL4 for others, and so forth.
  • by Wesley Felter ( 138342 ) <wesley@felter.org> on Tuesday August 05, 2003 @10:20AM (#6615262) Homepage
    Jonathan Shapiro wrote a great article analyzing the Windows Common Criteria certification [jhu.edu]; much of it applies to Linux as well. Among other things, it explains why Windows can get certified even with its remote root exploits: "An EAL4 rating means that you did a lot of paperwork related to the software process, but says absolutely nothing about the quality of the software itself. There are no quantifiable measurements made of the software, and essentially none of the code is inspected."
  • by Bruha ( 412869 ) on Tuesday August 05, 2003 @10:51AM (#6615628) Homepage Journal
    Haha, what I submitted was still in my paste buffer 12 hours later (Yeah, nerds do sleep).. This story according to CNN contradicts what the main story says. Linux only got a rating for low to moderate security, not the highest security.

    In an article [cnn.com] on CNN it is reported that the Common Criteria organization, an international technology standards body, certified Linux for the first time on "mission critical" computers, including those in America's top-secret spy agencies and those used to deliver ammunition, food and fuel to soldiers.

    While only certified for Low to Moderate security, Linux is still under testing for higher security ratings. IBM says this is good since it gives them a footing in an area that has been dominated by Windows sales. Of note is the fact that IBM paid over $500,000 for testing and was also supported and jointly by SuSE
  • by ibex42 ( 135204 ) on Tuesday August 05, 2003 @04:40PM (#6620250)
    These articles all are very vague and do not provide nearly enough information to allow anyone to form a reasonable opinion. First, EAL2 is nowhere near the highest level of evaluation. More importantly, even if it was evaluated to EAL7, we have no idea what that means without looking at the protection profile (PP). The PP defines the features that are looked at for the evaluation. Without knowing the PP, they could be evaluating Linux or any OS only for its ability to control access with a username and password. So in theory, that could mean that once a username and password are provided, the user has unlimited access to all files on the system. As long as that feature is documented, mathematically modeled, and tested correctly it could get a high EAL rating.


    The biggest thing to remember about the CC is that the level rating is relatively meaningless without considering the protection profile. The problem is vendors don't readily tell you the protection profile they use.
