Frederick M Avolio <[EMAIL PROTECTED]> writes:
>Yes I encourage anyone who thinks that the Common Criteria sounds like a
>wonderful invention to skim at least a few of the documents
That's cruel, Fred. That stuff's completely unreadable
gibberish and you know it. The only reason anyone should
read it is if they:
a) want an example of how _not_ to convey information effectively
b) are suffering from sleep disorder and wish to become unconscious
Here's a fun common criteria story. ;) The names have been
left out, but the story is true <dum-dah-dum-dum> - about
a year after I stopped writing firewalls for a living ('95+)
I got a call from someone who'd been working on common criteria
profiles for firewalls. They worked for one of the agencies
that helped perpetuate the whole common criteria thing, and
were very seriously into the whole concept. The guy invited
me to review and comment on the profile for firewalls (I may
have some of the terminology wrong) and offered to send it.
At that time, I had been sharpening my fangs on ICSA's ankles,
and so the whole topic of certifying firewalls was "interesting"
to me. So I agreed. Then I got this - thing - that appeared
to have been written in its own language. As I studied it
more closely, I realized that it was written entirely in
code - every term that was in common use had been redefined
into another term. In fact, the whole document appeared to
be the output of an extended game of gnomic. It was the most
amazing pile of unreadable bureaucratese - for unreadability
it beat Rijndael ciphertext quite easily. So I get on the
phone with the guy, not wanting to commit my comments to
E-mail and posterity:
M: "Hi, this is Marcus. I've been reviewing the stuff you
sent and I have a couple of questions about it."
?: "OK, sure!"
M: "Alright: where's the executive summary?"
?: "Huh?"
M: "You know, the 1 page summary that tells a manager
what it _means_ so they don't have to read the rest?"
?: "We don't have those. That's not what this program
is about!"
M: "OK, then, who do you expect to use these documents?"
?: "Security officers who are seeing if products meet the
profile for deployment."
M: "Oh, so you mean this is written in the language of
a mysterious priesthood that nobody listens to, so that
other members of the mysterious priesthood will nod
sagely? Meanwhile everyone will base their product
deployments on what they read in 'Data Communications'?"*
...
and it went downhill from there. I fear I lost a friend.
The DOD-oids who are working on this formal security
stuff and common criteria are the most out-of-touch people
on earth, as far as I can tell. What good is a spec that
nobody can or will read? You can't even use it as a paperweight
because it's also paper!
(* a great and sorely-missed journal that had some top-notch
product reviews that had real teeth)
mjr.
-----
Marcus J. Ranum
Chief Technology Officer, NFR Security, Inc.
Work: http://www.nfr.com
Personal: http://www.ranum.com
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]