Re: OpenBSD Volunteer needed today in Los Angeles - Solved!
On 2/22/2010 9:23 AM, Bret S. Lambert wrote:
> Unless some benefactor is willing to come forward and deal with the
> logistical headache of doing the paperwork and keeping it all as
> up to date as it needs to be, it's not going to happen, even if
> getting an EAL meant ponies, rainbows, and money trees for everybody.

To be severely offtopic, if getting an EAL genuinely meant ponies, rainbows and money trees I'd be quitting my job and working on it right now. I doubt I'm alone in that. What other motivation could you possibly want? Moon on an unobtanium stick? ;)

PK
Re: OpenBSD Volunteer needed today in Los Angeles - Solved!
On Mon, Feb 22, 2010 at 03:51:28PM +0200, Aram Hăvărneanu wrote:
> EAL4 is meaningless. The auditor is not required to view the software
> in any way (binary or source).

Wrong. EAL4 is the lowest EAL that includes ADV_IMP.1, which in turn requires checking the actual implementation, i.e. source code in case of software TOEs. It does not, however, require a full code review - a sampling of whether the implementation actually implements the design is sufficient.

> Any vendor with money can get its OS to
> be certified at least at EAL 4 because all that means is that the OS
> has some mechanisms in place for implementing security. It does not
> guarantee that those mechanisms really work

Again wrong. The mechanisms that are *claimed* by the vendor have to be implemented accurately.

> or that the OS is not full of security holes.

Now *that's* where it gets interesting because you're absolutely right on with this one - CC only verifies the claims made by the vendor, nothing more. There is no requirement as such to go looking for security holes that are outside the claimed scope.

As you write in your other mail (and I've written myself before) EALx means zilch without reading the claims (i.e. Security Target). If the vendor does not claim a lot of security and/or lists a lot of environmental restrictions/assumptions (wasn't that the NT4 EAL4 where there was no network and suchlike) he might very well be able to get a reasonably high EAL without too much effort. Hence, whoever is looking at EALs does well to carefully read the corresponding Security Target, *especially* if it's not claiming conformance to a standardised Protection Profile[0]...

Whether this type of evaluation/certification is of any use in "real life" is left as an exercise to the reader...

Cheerio,
Thomas

[0] like e.g. smart cards

--
** PLEASE: NO Cc's to me privately, I do read the list - thanks! **
- Thomas Ribbrock  http://www.ribbrock.org  ICQ#: 15839919
"You have to live on the edge of reality - to make your dreams come true!"
Re: OpenBSD Volunteer needed today in Los Angeles - Solved!
On Mon, Feb 22, 2010 at 04:04:39PM +0200, Aram Hăvărneanu wrote:
> Besides what's written above. EAL is meaningless unless you read the
> Protection Profile. EAL is the assurance level *against* the
> protection profile. If your PP specifies only that in your systems,
> users login using passwords you can easily get EAL7, but that would be
> so meaningless...

ITYM s/Protection Profile/Security Target/

Protection Profiles are optional. Security Targets are mandatory and *can* claim conformance to a PP, but don't need to unless you have e.g. a certain target market.

Cheerio,
Thomas

--
- Thomas Ribbrock  http://www.ribbrock.org/
"You have to live on the edge of reality - to make your dreams come true!"
Re: OpenBSD Volunteer needed today in Los Angeles - Solved!
Steve Shockley wrote:
> On 2/22/2010 9:23 AM, Bret S. Lambert wrote:
>> Unless some benefactor is willing to come forward and deal with the
>> logistical headache of doing the paperwork and keeping it all as
>> up to date as it needs to be, it's not going to happen, even if
>> getting an EAL meant ponies, rainbows, and money trees for everybody.
>
> Can't someone just port it from FreeBSD?

Can't port a process but a group certification may be an option. Note the recent "Re: Is OpenBSD + PF accredited or certified in any way ?" thread. I'll inquire with GeNUA, FreeBSD and the person who asked at the conference.

Do any OpenBSD Foundation people care about EAL?

Michael
Re: OpenBSD Volunteer needed today in Los Angeles - Solved!
On 2/22/2010 9:23 AM, Bret S. Lambert wrote:
> Unless some benefactor is willing to come forward and deal with the
> logistical headache of doing the paperwork and keeping it all as
> up to date as it needs to be, it's not going to happen, even if
> getting an EAL meant ponies, rainbows, and money trees for everybody.

Can't someone just port it from FreeBSD?
Re: OpenBSD Volunteer needed today in Los Angeles - Solved!
On Monday, February 22, 2010, Bret S. Lambert wrote:
> Unless some benefactor is willing to come forward and deal with the
> logistical headache of doing the paperwork and keeping it all as
> up to date as it needs to be, it's not going to happen, even if
> getting an EAL meant ponies, rainbows, and money trees for everybody.
>

Ponies and rainbows? Forget it. Money tree? Drop me an email. I would love to get paid to do something with my CISA...

-N
Re: OpenBSD Volunteer needed today in Los Angeles - Solved!
On Mon, 22 Feb 2010, Aram Hăvărneanu wrote:

SNIP

> *model*, not the *implementation*. I seriously doubt .mil or .gov has
> such requirements for high security networks. I see this kind of
> nonsense in the Enterprise world.

Chuckle, you are living in a fantasy world if you think "this kind of nonsense" only exists "in the Enterprise world".

diana
Re: OpenBSD Volunteer needed today in Los Angeles - Solved!
On Mon, Feb 22, 2010 at 04:04:39PM +0200, Aram Hăvărneanu wrote:
> On Mon, Feb 22, 2010 at 3:51 PM, Aram Hăvărneanu wrote:
> > EAL4 is meaningless. The auditor is not required to view the software
> > in any way (binary or source). Any vendor with money can get its OS to
> > be certified at least at EAL 4 because all that means is that the OS
> > has some mechanisms in place for implementing security. It does not
> > guarantee that those mechanisms really work or that the OS is not full
> > of security holes.
> >
> > Security certifications are futile. At best, they can certify the
> > *model*, not the *implementation*. I seriously doubt .mil or .gov has
> > such requirements for high security networks. I see this kind of
> > nonsense in the Enterprise world.
> >
>
> Besides what's written above. EAL is meaningless unless you read the

Technically meaningless, yes, but managerially meaningful in some cases, as there are organizations which require some level of certification for software to be used "off-the-shelf".

Would it be useful for OpenBSD to get some sort of certification level for this purpose? Possibly. Is it going to happen unless somebody absolutely needs it in order to deploy a solution? No.

Unless some benefactor is willing to come forward and deal with the logistical headache of doing the paperwork and keeping it all as up to date as it needs to be, it's not going to happen, even if getting an EAL meant ponies, rainbows, and money trees for everybody.

> Protection Profile. EAL is the assurance level *against* the
> protection profile. If your PP specifies only that in your systems,
> users login using passwords you can easily get EAL7, but that would be
> so meaningless...
>
> --
> Aram Hăvărneanu
Re: OpenBSD Volunteer needed today in Los Angeles - Solved!
On Mon, Feb 22, 2010 at 3:51 PM, Aram Hăvărneanu wrote:
> EAL4 is meaningless. The auditor is not required to view the software
> in any way (binary or source). Any vendor with money can get its OS to
> be certified at least at EAL 4 because all that means is that the OS
> has some mechanisms in place for implementing security. It does not
> guarantee that those mechanisms really work or that the OS is not full
> of security holes.
>
> Security certifications are futile. At best, they can certify the
> *model*, not the *implementation*. I seriously doubt .mil or .gov has
> such requirements for high security networks. I see this kind of
> nonsense in the Enterprise world.
>

Besides what's written above. EAL is meaningless unless you read the Protection Profile. EAL is the assurance level *against* the protection profile. If your PP specifies only that in your systems, users login using passwords you can easily get EAL7, but that would be so meaningless...

--
Aram Hăvărneanu
Re: OpenBSD Volunteer needed today in Los Angeles - Solved!
EAL4 is meaningless. The auditor is not required to view the software in any way (binary or source). Any vendor with money can get its OS to be certified at least at EAL 4 because all that means is that the OS has some mechanisms in place for implementing security. It does not guarantee that those mechanisms really work or that the OS is not full of security holes.

Security certifications are futile. At best, they can certify the *model*, not the *implementation*. I seriously doubt .mil or .gov has such requirements for high security networks. I see this kind of nonsense in the Enterprise world.

On Mon, Feb 22, 2010 at 7:03 AM, Lori Barfield wrote:
> On Sun, Feb 21, 2010 at 8:39 PM, Darrin Chandler
> wrote:
>
>> On Sun, Feb 21, 2010 at 03:35:32PM -0800, Michael Dexter wrote:
>> > Thank you Seth and Brooke for materializing and putting on a great
>> > OpenBSD booth at SCaLE in Los Angeles.
>>
>> Seth and Brooke? I know those two! Good people.
>>
>
> i volunteer for SCaLE and worked with a lot of the exhibitors this year, and
> would like to say you guys did a nice job.
>
> ...lori
>
>

--
Aram Hăvărneanu
Re: OpenBSD Volunteer needed today in Los Angeles - Solved!
On Sun, Feb 21, 2010 at 8:39 PM, Darrin Chandler wrote:
> On Sun, Feb 21, 2010 at 03:35:32PM -0800, Michael Dexter wrote:
> > Thank you Seth and Brooke for materializing and putting on a great
> > OpenBSD booth at SCaLE in Los Angeles.
>
> Seth and Brooke? I know those two! Good people.
>

I volunteer for SCaLE and worked with a lot of the exhibitors this year, and would like to say you guys did a nice job.

...lori
Re: OpenBSD Volunteer needed today in Los Angeles - Solved!
On Sun, Feb 21, 2010 at 03:35:32PM -0800, Michael Dexter wrote:
> Thank you Seth and Brooke for materializing and putting on a great
> OpenBSD booth at SCaLE in Los Angeles.

Seth and Brooke? I know those two! Good people.

--
Darrin Chandler            | Phoenix BSD User Group | MetaBUG
dwchand...@stilyagin.com   | http://phxbug.org/     | http://metabug.org/
http://www.stilyagin.com/  | Daemons in the Desert  | Global BUG Federation
Re: OpenBSD Volunteer needed today in Los Angeles - Solved!
> In my own opinion EAL level 4 cert has some serious issues. A lot of
> what you get is Process and Procedure done by some large corporate
> entity. What you find is code revs rarely go through certification.
> For example Cisco ASA / Pix have to run pretty old code to get EAL 4
> cert.
>
> my US$.02 worth

If the EAL level X rubber stamp with travel cost only $.02, how far would OpenBSD be from compliance?

Michael
Re: OpenBSD Volunteer needed today in Los Angeles - Solved!
On Sun, 21 Feb 2010, Michael Dexter wrote:
> Thank you Seth and Brooke for materializing and putting on a great
> OpenBSD booth at SCaLE in Los Angeles.
>
> Overheard question of the day: Could you please get EAL level 4
> certification so I can use you in the US Air Force? (Milaero country...)
>
> Michael

OpenBSD is already used in the .mil sector, just not in high security networks because of what you stated. However I'm pretty sure some entity outside regular OpenBSD developers would have to pursue that costly process.

In my own opinion EAL level 4 cert has some serious issues. A lot of what you get is Process and Procedure done by some large corporate entity. What you find is code revs rarely go through certification. For example Cisco ASA / Pix have to run pretty old code to get EAL 4 cert.

my US$.02 worth

diana
Re: OpenBSD Volunteer needed today in Los Angeles - Solved!
On Sun, 21 Feb 2010 15:35 -0800, "Michael Dexter" wrote:
> Thank you Seth and Brooke for materializing and putting on a great
> OpenBSD booth at SCaLE in Los Angeles.
>
> Overheard question of the day: Could you please get EAL level 4
> certification so I can use you in the US Air Force? (Milaero country...)

Glad the booth was manned... however, with time, money and the right scenario, anyone can get a rubber stamp:

http://web.archive.org/web/20060527063317/http://eros.cs.jhu.edu/~shap/NT-EAL4.html

> Michael
Re: OpenBSD Volunteer needed today in Los Angeles - Solved!
Thank you Seth and Brooke for materializing and putting on a great OpenBSD booth at SCaLE in Los Angeles.

Overheard question of the day: Could you please get EAL level 4 certification so I can use you in the US Air Force? (Milaero country...)

Michael