IBM Clinches Security Certification for Linux
Nimey writes "IBM has gotten Linux certified under the Common Criteria specification." What this means is that the government can consider Linux when making purchasing decisions. Linux got the highest rating possible.
Just wondering.. (Score:5, Interesting)
What are the ratings and how do other common OSes score? Anybody know?
Re:Just wondering.. (Score:5, Informative)
Re:Just wondering.. (Score:5, Informative)
Re:Just wondering.. (Score:5, Insightful)
Isn't it odd that a "comprehensive security rating" can overlook something as serious as a complete remote compromise?
Re:Just wondering.. (Score:3, Informative)
Read the certification assumptions: cooperative users in a benign environment, and network connections only to hosts in the same administrative domain. In short: "Don't use this on the Internet, or the certification is completely meaningless."
Furthermore, certification just guarantees that a certain process is followed, and the process itself doesn't guarantee anything about implementation errors (except
Re:Just wondering.. (Score:4, Informative)
This is true at the moment, but it's changing with new product releases.
For example, on Windows Server 2003, IIS is not installed by default, and if you install it, it binds to localhost only by default. I find this rather impressive for Microsoft because it shows that the company sacrifices trivial installation for more security. I wonder where they are heading. IMHO, it's getting more and more likely that Microsoft crushes the free software competition in the security area. Not because of certification, but because of more reliable software, better product management, courage to make decisions which inconvenience users etc. Right now, their advisories are already among the best the market offers (which also says something about the market, but still I wouldn't have predicted this two years ago).
Re:Just wondering.. (Score:5, Insightful)
These lower level security evaluations don't mean much [jhu.edu] in terms of real security out on the big scary internet; i.e. the situation most of us find our machines in all the time. (This has been discussed [slashdot.org] on slashdot before.) Basically, all that is necessary to get one is that you document *everything* and then throw a pile of money into having a government-approved independent organization evaluate your product and make sure that it does what the documentation says it does. If your product behaves as your documentation says it does, you get the certification. It is worth noting that OpenBSD [openbsd.org], who have only had one remote hole in the default installation in seven years, have avoided these types of certifications for a long time. Look at Theo's [sigmasoft.com] comments [sigmasoft.com] on the C2 rating in the Orange Book (the predecessor of the common criteria.) This is the formal description of EAL4 in the official list of evaluation levels [commoncriteria.org] Notice that the goal is to "retrofit" a product line with security, and only to the degree that doing so is "economically feasible". Compare that with Bruce Schneier's comment that "Security isn't easy, nor is it something that you can bolt onto a product after the fact." [counterpane.com] No one should be surprised that feature-rich, general purpose operating systems designed for quick and easy use (i.e. everything turned on by default) are vulnerable.
How then... (Score:3)
It's one thing to say "Operating System A has this security feature while Operating System B does not", but it's a moot point when the way in which System B operates makes such a feature unnecessary anyway, or if there's a better/different way of doing it that isn't written on a sheet of
Re:Just wondering.. (Score:4, Interesting)
Re:Just wondering.. (Score:5, Informative)
Re:Just wondering.. (Score:3, Insightful)
Re:Just wondering.. (Score:2)
Basically, the "scoring" in the Common Criteria is based upon Evaluation Assurance Levels from EAL1 to EAL7. List of the levels here [commoncriteria.org].
After evaluation, products get on the CCPL (Centralised Certified Product List) here [commoncriteria.org]
Apparently this is not a complete list; and Linux via IBM is not listed yet.
It is not on the "Products in Evaluation List" here [commoncriteria.org] either, so I guess they are updating their lists now.
No product has a higher rating than 5 right now. Most products get a 4 or
Re:Just wondering.. (Score:3, Informative)
and the NIST's Validated Products List (Operating Systems) [nist.gov].
AIX 5L for PowerPC V5.2, Program Number 5765-E62
B1/EST-X, V2.0.1 with AIX, V 4.3 (Bull)
HP-UX (11i) Version 11.11
IRIX v 6.5.13, with patches 4354, 4451, 4452
IPSO 3.5 and 3.5.1 (Nokia)
Trusted IRIX
Solaris 8 2/02
Trusted Solaris 8 4/01
Sun Solaris Version 8 with AdminSuite v3.0.1
Windows 2000 Professional, Server, and Advanced Server w
Another link (Score:5, Informative)
Re:Another link (Score:5, Informative)
So it isn't yet certified at the same level as Windows.
So if anybody else wants to be selling Linux to the US government, they have to shell out those hundreds of thousands of dollars themselves.
So maybe not much use for the overall community, but certainly a landmark in the history of Linux, and it shows that it certainly can be done!
Big win for Linux! (Score:5, Informative)
Linux now has the upper hand because MS does not yet have XP certified.
Re:Big win for Linux! (Score:4, Insightful)
Re:Big win for Linux! (Score:5, Insightful)
Linux DOES have an advantage. I can always get support for an old version of a distro. (Worst case, I AM the support.) Now here we are in 2003. It takes M$ 2 years to get Windows certified. They stop shipping the product after 3 years, and pull the plug after 5. That means you have, tops, 3 useful years of a M$ product in a sensitive environment. Less when you consider implementation time.
People gripe about how the space shuttle runs on old equipment, but you have to remember, there are plenty of installations that require computing hardware to be embedded for decades. Think factory equipment, weapon systems, utilities, traffic lights, aircraft.
When engineering those systems you use the most stable installation you can find, strip it down to just what you need, and run it until you can't buy parts for it anymore.
Now how do you do that within a 5 year Window again?
Cool ;-) IBM forked over the few million.... (Score:3, Interesting)
It REALLY beats closed source OS'es (for govt's) as even our own MS of America won't let us see the code because it's "dangerous". However showing the Chinese is A-OK.
Gotta make you think: what would our gov't choose if they didn't have their hand in MS'es pocket?
Re:Cool ;-) IBM forked over the few million.... (Score:3, Informative)
EAL1 = "Whats a computer?" user tested
EAL2 = "What's this button do?" user tested
EAL3 = "What's this linu
Red Hat / Oracle (Score:5, Interesting)
Kernel or distro? (Score:4, Insightful)
Re:Kernel or distro? (Score:2)
Re:Kernel or distro? (Score:2)
Re:Kernel or distro? (Score:2)
ObRMS: The headline and article mention Linux, therefore only the kernel is certified. If they had said GNU/Linux then they are referring to the entire operating system distribution which is comprised mainly of GNU tools. :-)
Distro *and* hardware! (Score:3, Informative)
What about BSD? (Score:2, Interesting)
Ignoring the fact that IBM markets Linux and not BSD, why haven't corporations made genuine efforts to get it accepted in environments such as the government? The article doesn't make it clear whether or not they're talking about serving or usability.
It seems to me that if they're talking about security and such, there's still a bit to be left desired. Additionally, SuSE is by no means the most standard (IMO, it's the most backward) dis
Re:What about BSD? (Score:2, Insightful)
What I'm trying to figure out is, "What's important? The kernel or the glibc?"
Apps written to glibc will run on GNU/HURD, Linux, Lava, and other kernels, too. Technically, that's a better story. But business wise, the brand in people's mind is "Linux".
Re:What about BSD? (Score:2, Insightful)
[wawannem@weswlinux]:/home/wawannem
$ apt-cache dump | wc -l
100543
I think this is what really makes the case for linux. It is sort of a Catch-22, there is more software available
No, I won't spare you those "flames" (Score:3, Informative)
I work at a gov't site. We have plenty of systems in production and dev environments running Linux, in part because the project managers were able to use the Dell fed contract to get those servers with
Re:What about BSD? (Score:2)
Because they just use it. I'd say most of the firewall appliances out there run some form of BSD and not Linux, for example. It's just invisible. The BSD people are out to produce a good OS, so such "successes" are simply business as usual and
It must really be secure then... (Score:5, Interesting)
Secure enough to persuade your PHB. (Score:3, Informative)
This will carry a lot of weight to any argument with a PHB or similar.
J.
Re:It must really be secure then... (Score:5, Funny)
Does it include removing the Ethernet card from the system???
Linux in Government (Score:5, Interesting)
Over-hype - not highest rating possible (Score:5, Informative)
IBM and SuSE say they're working on a higher level CAPP evaluation, which roughly equates to the old C2 TCSEC criteria.
Re:Over-hype - not highest rating possible (Score:3, Insightful)
The EAL2+ assurance level achieved is NOT the highest rating possible by a long, long shot - it's actually close to the lowest
Yep. I wonder if the "highest possible" hyperbole didn't come out of some (clueful) statement about how this may be the highest common criteria rating possible for a Linux system to a (clueless) reporter, who just fixated on the "highest possible" part.
Whichever, it may be true that Linux can't get higher CC ratings because of the nature of the development process. CC ratings
Re:Over-hype - not highest rating possible (Score:3, Insightful)
Of course formal validation is valuable; sorry if I appeared to imply that it's not. The AC's question seemed to be saying that formal methods would eliminate vulnerabilities completely, which they will not.
It's also worth noting that the OSS patch-treadmill approach is completely inapplicable in some environments -- those where patches aren't feasible. I work on smart card systems for a living, and that's the situation for smart card operating system code. You can only patch it by replacing the cards
simple question for someone in the know... (Score:2)
Re:simple question for someone in the know... (Score:2, Interesting)
What, you thought government certifications mean something?
It's just bureaucracy. If it means anything, it means the OS exists. Keeps them from buying too much vaporware.
*Which* Linux is certified, actually? (Score:2)
So does that mean that a specific version of Suse is certified, and nothing else? So what about Red Hat etc? Or future Suse versions? I presume they'd have to get another certification (probably easier after Suse got the 1st one, but anyway).
Re:*Which* Linux is certified, actually? (Score:2)
Wrong. Wrong wrong wrong... (Score:5, Informative)
Correction -- they got SuSE Linux certified. This only applies to SuSE. Incidentally, it cost them $500,000.
Linux got the highest rating possible
No it didn't. FUD. According to this story [philly.com]...
Linux was certified as providing only "low to moderate" security, compared with the same group's certification as "moderate to high" last year of the security of Microsoft's Windows 2000 software. Supporters said Linux software was under testing for better-security ratings.
In fact, I'd suggest people look at the story in the Inquirer linked above -- it gives a little more information as well as some light commentary.
Some more info from SuSE (Score:2)
From that release...
SuSE Linux Enterprise Server 8 has achieved Common Criteria Security running on IBM eServer xSeries.
Re:Wrong. Wrong wrong wrong... (Score:3, Insightful)
FUD = Fear, Uncertainty, and Doubt
Overexaggeration is not FUD. It may be inaccurate or perhaps just plain wrong, but it is not FUD.
NOT highest possible rating sez CNN (Score:4, Informative)
Linux was certified as providing only "low to moderate" security, compared with the same group's certification as "moderate to high" last year of the security of Microsoft's Windows 2000 software. Supporters said Linux software, whose popular mascot is a penguin, was under testing for better-security ratings.
I would guess that IBM wanted to go for the faster, cheaper rating first and wait to get it certified higher. Common Criteria testing is expensive and time-consuming. It isn't a statement on Linux, it says more about how much got spent this time around.
windows certifications (Score:5, Informative)
If you want to know more about the EAL4 certification that Windows 2000 SP3 currently has, click here [jhu.edu].
Playing D.A. here.... (Score:2, Interesting)
At least with proprietary technology there is the promise of accountability [*] in the product.
[*] Yes I know this would mean Microsoft. DA damnit!
Tom
Re:Playing D.A. here.... (Score:3, Insightful)
That isn't accountability. It's accounting. A real man admits he was wrong, and works to fix it. A coward insists the world is at fault, and ducks the problem entirely.
This world was not built by cowards. Though they have done their share of destroying great empires, both political, intellectual, and capital.
Re:Playing D.A. here.... (Score:2)
Won't they need to re-cert constantly ?? (Score:2, Interesting)
Are there any secure Os's out there? (Score:3, Interesting)
Re:Are there any secure Os's out there? (Score:4, Funny)
When was the last time someone made a virus for a mac?
Security By Lack Of Popularity they call it. (:
Re:Are there any secure Os's out there? (Score:5, Insightful)
Linux was tested for "low and moderate" security and passed. It was not tested for anything higher, so we don't know if it would have failed those.
The tests cost lots of money and time, so you start at the bottom and work your way up. It is like, say, a soccer team passing the semi-finals; you don't then say, oh, that means they missed the finals? No, that is yet to come.
High and higher (Score:4, Funny)
The highest rating for linux is Bill Gates using it (secretly at home)!
Re:High and higher (Score:3, Funny)
The obligatory flamebait defending the facts (Score:4, Insightful)
Now as windows advocates were forced to admit, a security rating is about as useful(/useless) as a TPC-C benchmark. It's a test under controlled circumstances and the real world is never this controlled - but it does compare apples to apples. No serious advocate of either would blindly consider the other to be utterly secure or unsecure; but I think the /. editors have jumped the gun both factually (it's not the highest rating possible, it's the lowest rating possible) and enthusiastically. I mean, would this story have made it if the headline read "Linux finally achieves a security rating lower than Windows 2000"?
Windows XP and 2003 are currently under testing but it takes time so please don't reveal your ignorance by announcing that Linux must be more secure than either of those since they haven't been certified yet. XP is every bit as secure and more than Windows 2000 and 2003 is far more secure than any other Windows release. That they'll be certified is not a question but just a matter of time.
Flame away - the karma rating here is meaningless as it's nearly effortless to get "Excellent" and maintain it.
Re:The obligatory flamebait defending the facts (Score:3, Interesting)
Re:The obligatory flamebait defending the facts (Score:3, Informative)
Windows 2000SP3 has a remote root RPC exploit.
SuSE, not Linux (Score:5, Insightful)
Excuse the pedantry, but doesn't this mean SuSE running on IBM boxes got certified, not Linux per se?
Linux got 'highest rating possible'? Maybe not... (Score:2)
Is this right? Because that's not how the Wall Street Journal [wsj.com] (subscription only) reported it today:
SuSE Linux got a Level 2 certification, which he [Jonathan Eunice, principal analyst at market researcher Illuminata] said "isn't particularly detailed." Microsoft Corp. has a Level 4 certification, which involves "substantially more detailed" investigation by testing labs.
The Wall Street Journal gave this big play
Re:Linux got 'highest rating possible'? Maybe not. (Score:3, Informative)
Journalism? (Score:4, Insightful)
WTF does Linux's mascot have to do with being under testing for better ratings? Is the reporter trying to convey the impression that Linux isn't serious business since it has a cute mascot instead of a corporate logo?
Wrong place in the article to put that bit.
Highest rating possible? (Score:2)
CC is just not that simple. (Score:4, Insightful)
2) When you put a product into CC you define a protection profile, the weight and value of the evaluation is based upon the complexity of that profile. It would be useful to see the profile for this eval. It is possible (in theory at least) to get a product through CC by defining a profile that outlines what happens when you click on the "Red Hat". The more you exclude the more quickly you get through the process, but conversely the less interesting the evaluation is to government.
3) For those of you that feel this steals a march over WinXP, be aware that WinXP is in evaluation and the protection profiles that it is being evaluated under are public. Microsoft are doing a far more extensive job with XP than IBM did with Linux. When a Government procurement organisation comes to buy product, even for systems classified as SECRET, the fact that a product is in evaluation is generally enough, this is certainly true outside of the US.
Don't get me wrong, this is a great start and will certainly spread a lot of marketing fud but it does not mean a great deal to the government community. If anything it will raise a series of questions about why Microsoft's so called 'insecure' product can achieve EAL4 when the Open Source Linux offering can only scratch through EAL2.
Tread carefully.
LET'S SLASHDOT! (Score:3, Informative)
There's that "Rate This Message" on the bottom. Just everyone pick "5" and the news will make to the "highest rated" and possibly to top headlines of Yahoo news.
Windows NT 3.5 (Score:3, Funny)
Very true that it got C2 certification, but if I recall correctly only when external drives were removed and the PC was not hooked up to a network.
Highest Rating Possible is misleading! (Score:3, Interesting)
Windows 2K received an EAL4+, according to NIAP's evaluated product list [nist.gov]; which is *supposed* to show it was "methodically designed, tested, and reviewed". This is probably about on par with the old Orange Book (TCSEC) C3 it used to have. EAL4 does "not require substantial specialist knowledge" and is the "highest level in which it is likely to be economically feasible to retrofit in an existing product line." It's intended that an EAL4 system shows "low-level design for the Target of Evaluation (ToE)"; with testing that supports "independent search for obvious vulnerabilities."
That being said, having an EAL2 or EAL4 will probably not get you into a job that involves holding classified data.
All of this is accessible from the CC website [commoncriteria.org].
Smell those contracts (Score:5, Insightful)
Nobody ever got fired for buying IBM (Score:4, Insightful)
All this rating does is open the door a little. It's up to the marketing boys at IBM to bludgeon the pencil-pushers into submission.
Claiming some sort of "victory" for GNU/Linux as a whole is silly. This is another step in the right direction.
As GNU/Linux has become more utilized, it has attracted the attention of powerful (and some incompetent) enemies. Be careful what you wish for! GNU/Linux, by its nature, will never present a unified front to defend itself. By binding the interests of users to the interests of parties with power, we improve the chances that things will go our way.
The significance of EAL2,3,4, etc. (Score:5, Informative)
Now realistically, EAL4 IS a restrictive certification! Trusted Solaris8 is EAL4 certified. Most default Unix installs might barely pass EAL2. What good is it then?
Read the C|Net article [com.com] and you'll find that IBM is pursuing EAL3 and EAL4 for SuSE Linux next. That's a Good Thing, for any number of reasons, not the least of which is being able to sell to defense contractors for secure (but not secret or top-secret) level requirements.
Practically speaking though, the different levels, while increasingly restrictive, aren't a scale of security goodness. They serve different effective purposes. Do you WANT an EAL4 system on your desktop? Probably not. Do you want it in your server room? There's a good chance, yeah. Do you want an EAL7 system for anything at all? Unless you're the NSA, probably not. This is an OS designed from the ground up with peer review at every stage (architecture, design, implementation) and independent verification on top of that. It is utterly restrictive--you wouldn't be able to put a web browser on an EAL7 system (or more to the point, you wouldn't be allowed to write and install one for the system without breaking the certification). This is the software that runs the shuttle and nuclear bases.
So basically, let's quit this damned pissing match. EAL2 is good for some things, EAL4 for others, and so forth.
What Common Criteria really means (Score:4, Informative)
This is incorrect maybe (Score:3, Interesting)
In an article [cnn.com] on CNN it is reported that the Common Criteria organization, an international technology standards body, certified Linux for the first time on "mission critical" computers, including those in America's top-secret spy agencies and those used to deliver ammunition, food and fuel to soldiers.
While only certified for Low to Moderate security, Linux is still under testing for higher security ratings. IBM says this is good since it gives them a footing in an area that has been dominated by Windows sales. Of note is the fact that IBM paid over $500,000 for testing and was also supported and jointly by SuSE
You need to know the CC to know what this means. (Score:3, Interesting)
The biggest thing to remember about the CC is that the level rating is relatively meaningless without considering the protection profile. The problem is vendors don't readily tell you the protection profile they use.
Re:Alright...? (Score:5, Informative)
Re:Alright...? (Score:3, Informative)
In this case 'No-one ever got fired for choosing Common Criteria software'.
The important thing to remember here is that a lot of central government positions and even more local government positions are taken by people who could not support their employment in the private sector.
Another interesting point in this article is that statement that the Linux market is expected to grow from $2 billion to more than $5 billion in 2006. That's
Government requiring LSB distribution too! (Score:4, Interesting)
Better still the Defense Information Systems Agency is recommending that any Linux purchase support the LSB [gcn.com] and that apps be written to the LSB.
So, not only is it now easier for government agencies to support Linux deployments, but they are going to force any Linux distributor doing business with the government into interoperability.
Re:Alright...? (Score:2, Insightful)
Re:Alright...? (Score:3, Informative)
Kirby
Re:Alright...? (Score:3, Funny)
Isn't X [xfree.org] software though?
(cue rim-shot)
Re:Alright...? (Score:2, Funny)
The government would have to buy a trusted operating system that meets the common criteria.. for example, Microsoft Windows 2000. Yes, it is certified too. Let's not start sucking each others dicks on this just yet.
Re:Alright...? (Score:5, Informative)
It's still good to see Linux get this certification though. It's another step towards displacing Windows.
Re:Can vs. Will (Score:5, Insightful)
Re:Can vs. Will (Score:5, Insightful)
Members of government are also accountable to their constituents. As people become more and more aware of Linux, they will also become more aware of the security problems with Windows. A few years ago, there was no basis for comparison. Now there is, and the more information that gets out there, the better. It's cliché now to say this, but the days are numbered for the stranglehold Microsoft holds, one way or the other.
Re:Can vs. Will (Score:5, Informative)
Even the greediest government agency has to operate within budget, after all. And in the US military, budgets have held mostly constant while obligations associated with things like war-fighting have gone up, so your non-combat line items get shrunk to make up the difference.
Re:Can vs. Will (Score:2)
Capital, like water, flows downhill seeking the softest path at every turn. One can steer a river, over a short stretch. One can even try to place a river where none ever existed with a canal. But these artificial minglings require work to maintain. They are ever under siege from the elements. Those that seek to build around them always fall into woe when the river itself overflows.
Will is a
Re:Can vs. Will (Score:5, Interesting)
You have big corps like IBM, HP and Dell saying, "it's ok."
You have many countries saying "It's ok, see?"
You have the US (via certification) saying "it's ok."
Seems more unreasonable to say it will never happen every other day.
Re:Can vs. Will (Score:2, Insightful)
When you've got them by the balls, you don't need to hold all that firmly.
Re:Can vs. Will (Score:5, Insightful)
The fact is that developers can now start recommending Linux. Anti-Linux / Pro-Windows people can no longer use the excuse that Linux isn't an "approved" OS.
Surprisingly, it can be hard to convince most people in government positions, civil service, military, contractors, etc., that _we_ don't want to pay for Windows licenses, and _we_ don't always need to spend waaayyyy too much money on waaayyyy too much hardware.
This is great news for people that work for the government. Kudos to IBM for footing the bill on this, as it is an expensive process.
Re:Can vs. Will (Score:5, Interesting)
Re:Can vs. Will (Score:4, Interesting)
Just because the government can consider buying Linux, doesn't mean it will.
Correct. And it's true that no one ever got fired for buying Microsoft.
But much of the Linux deployment in government up to this point has been precisely because it can be had for no official government expenditure. It's always harder to get money for projects than it is to get money to keep your existing people. Those people have been doing some testing of Linux.
Shoestring Linux projects have proven themselves to be not only cost-effective, but generally reliable and useful.
Given that prototype testing already in place, authorizing incremental purchases to add on to that base of Linux functionality is an easier decision than if it were made cold, without any evidence to support it.
Re:Can vs. Will (Score:3, Interesting)
No one gets fired, true. The powers that be simply move in a Unix admin and eliminate the Windows guy's position.
I speak from experience, on the good end of the shotgun. Unix guys can do Windows, and oh so much more.
Re:Can vs. Will (Score:3, Insightful)
Dunno. I've met MCSEs that would never be able to navigate an Xterm, and Unix zealots that think Win2K is equivalent with W95.
Running a large Windows network properly does require knowledge and experience, and I'm not convinced that most *nix admins would be able to do the same without at least half a year of training (but a typical *nix admin would probably learn the Win fundamentals faster than the ot
Re:Can vs. Will (Score:4, Interesting)
Nope. [google.com]
Re:Can vs. Will (Score:2)
Re:Thank you IBM (Score:4, Interesting)
Did you seriously think that they would? If so you need to share some of the dope you've been smoking. As has been said numerous times on this board: to IBM, SCO is nothing more than an annoying mosquito. They might be carrying West Nile, but they are still just a mosquito, and can be crushed or captured almost any time.
The cool part about this whole article is that with the security cert, the government could begin switching some of their offices over. It also means that organizations like hospitals (who need to be concerned with privacy due to HIPAA) can be sold on the fact that it is secure and they don't have to worry as much about some hacker stealing confidential information.
Think about it.
Re:Thank you IBM (Score:3, Interesting)
IBM probably started the process years ago. Note that it's only the IBM/SuSE distro that's certified (I'm guessing). Ot
Re:3 IBM (Score:2)
Isn't it interesting how in slightly over a decade, IBM has gone from being sworn enemy of geeks all over the world, to best ally?
What will we be thinking about Microsoft in 10 or 15 years?
Re:In your face! (Score:3, Insightful)
Re:In your face! (Score:4, Insightful)