On Sat, 2002-11-02 at 17:48, Adam Shostack wrote:
> On Sat, Nov 02, 2002 at 03:12:51PM -0500, Jonathan S. Shapiro wrote:
>
> | Given that an EAL4 certification can fairly be characterized as "nowhere
> | near good enough for serious commercial use today", I think it is fair
> | to harshly criticize these rationales as rather thin rationalizations.
>
> Here I'd like to disagree. Unfortunately, EAL4 level stuff is
> considered good enough for serious deployment today.

Yes, but that's not what I said. You are right that people running
businesses consider EAL4 systems good enough to deploy. However, there is
ample empirical evidence that they are wrong. These systems are routinely
hacked by script kiddies. My statement concerned objective reality, not
the wishful thinking of the people doing the deployment.

> Witness the US Navy's choice of OS.

This needs to be looked at carefully to understand what is going on.
First, the Navy has many applications that aren't the least bit
sensitive. For these, Win/NT may be a fine solution. In addition, the Navy
has also deployed Win/NT into some potentially sensitive tactical
applications. In these cases, Win/NT has *always* been deployed onto a
secure network that is physically isolated from the rest of the ship
systems. This has the effect of rendering the environment non-hostile. In
a non-hostile environment, Win/NT may be a fine solution.

> Perhaps this is because people haven't learned
> to tally up cost of ownership properly. Perhaps it's because security
> is not yet a requirement for commercial use. But, as you
> point out, there is no one agitating in the commercial space to fix
> the issues that make EAL4 all we get.

This is inaccurate. There are *lots* of people demanding that security be
fixed. The problem is that all of them are customers, and in a monopoly
environment the customers don't carry any great amount of weight. Until
there is a viable commercial alternative to Windows (preferably several),
secure or otherwise, this is a commercial non-issue. While I understand
the basis for the ruling and reluctantly agree that it was a legally
sound decision, security will be a casualty of Colleen Kollar-Kotelly's
decision in the near term.

> | ... I would
> | argue that EAL4 is not a barrier to any current commodity operating
> | system, and the US national interest is not served so long as the best
>
> Actually, I think it is. I don't think that Linux would pass EAL4; as
> you've pointed out, that requires a documented and followed QA
> process.

True, but the documentation can be generated retroactively. The fact is
that several UNIX systems *have* passed EAL4. With sufficient work, Linux
could do so too.

> How does SELinux stack up here?

I haven't looked at SELinux in detail, but evaluation of SELinux wasn't a
design goal, and I have heard skepticism about whether it could evaluate
successfully from within NSA. In any case, any evaluation of SELinux
would have to begin by cleaning up the baseline Linux system for
evaluation.

> Do you think that the buyers of these higher EALs actually know what
> they're getting? My reading of the commentary on Win2k getting
> certified is that most people don't know what an assurance level is,
> nor do they know that there are other ones.

I think you are probably right. At the level of "higher is better" people
understand it. Since nothing higher than EAL4 is widely available, that's
not a very useful level of differentiation in practice.

> I think that there is an incentive for someone (Sun? IBM?) to go get
> an EAL5 certification, if only to tweak MSFT's nose.

Since the cost of the EAL4->EAL5 jump is O($1M) and several years, and
since Linux/UNIX probably can't actually get there, do you really think
so?

> Here I strongly agree with you, however, I'm not sure that the CC are
> the incentive structure; I think the problem is more fundamental,
> which is that costs for insecure software are mis-allocated. The
> benefit of being able to sell a little secure software is pretty low,
> and will remain low as long as someone can simply certify that there's
> nothing secure that meets the requirement of running win32 code, so
> let's just install Windows.

I disagree. The problem is even more fundamental than that. The problem
today is the absence of liability for the consequences of bad software.
Once liability goes into place, CC becomes the industry-accepted standard
of diligent practice. Until then it's just a way of killing trees.

shap

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
