Re: OpenBSD Volunteer needed today in Los Angeles - Solved!

2010-02-23 Thread Peter Kay (Syllopsium)

On 2/22/2010 9:23 AM, Bret S. Lambert wrote:

> Unless some benefactor is willing to come forward and deal with the
> logistical headache of doing the paperwork and keeping it all as
> up to date as it needs to be, it's not going to happen, even if
> getting an EAL meant ponies, rainbows, and money trees for everybody.


To be severely offtopic, if getting an EAL genuinely meant ponies, rainbows
and money trees I'd be quitting my job and working on it right now... I doubt
I'm alone in that.


What other motivation could you possibly want? Moon on an unobtanium stick? ;)


PK 



Re: OpenBSD Volunteer needed today in Los Angeles - Solved!

2010-02-23 Thread T. Ribbrock
On Mon, Feb 22, 2010 at 03:51:28PM +0200, Aram Hăvărneanu wrote:
> EAL4 is meaningless. The auditor is not required to view the software
> in any way (binary or source).

Wrong. EAL4 is the lowest EAL that includes ADV_IMP.1, which in turn
requires checking the actual implementation, i.e. source code in case of
software TOEs. It does not, however, require a full code review - a
sampling of whether the implementation actually implements the design is
sufficient.


> Any vendor with money can get its OS to
> be certified at least at EAL 4 because all that means is that the OS
> has some mechanisms in place for implementing security. It does not
> guarantee that those mechanisms really work

Again wrong. The mechanisms that are *claimed* by the vendor have to be
implemented accurately.


> or that the OS is not full of security holes.

Now *that's* where it gets interesting because you're absolutely right
on with this one - CC only verifies the claims made by the vendor,
nothing more. There is no requirement as such to go looking for security
holes that are outside the claimed scope. As you write in your other
mail (and I've written myself before) EALx means zilch without reading
the claims (i.e. Security Target). If the vendor does not claim a lot of
security and/or lists a lot of environmental restrictions/assumptions
(wasn't that the NT4 EAL4 where there was no network and suchlike) he
might very well be able to get a reasonably high EAL without too much
effort. Hence, whoever is looking at EALs does well to carefully read
the corresponding Security Target, *especially* if it's not claiming
conformance to a standardised Protection Profile[0]...

Whether this type of evaluation/certification is of any use in "real
life" is left as an exercise to the reader...

Cheerio,

Thomas

[0] like e.g. smart cards
-- 
 ** PLEASE: NO Cc's to me privately, I do read the list - thanks! **
-
Thomas Ribbrock   http://www.ribbrock.org   ICQ#: 15839919
   "You have to live on the edge of reality - to make your dreams come true!"



Re: OpenBSD Volunteer needed today in Los Angeles - Solved!

2010-02-23 Thread T. Ribbrock
On Mon, Feb 22, 2010 at 04:04:39PM +0200, Aram Hăvărneanu wrote:
> Besides what's written above. EAL is meaningless unless you read the
> Protection Profile. EAL is the assurance level *against* the
> protection profile. If your PP specifies only that in your systems,
> users login using passwords you can easily get EAL7, but that would be
> so meaningless...

ITYM s/Protection Profile/Security Target/

Protection Profiles are optional. Security Targets are mandatory and *can*
claim conformance to a PP, but don't need to unless you have a e.g. certain
target market.

Cheerio,

Thomas
-- 
-
Thomas Ribbrock   http://www.ribbrock.org/
   "You have to live on the edge of reality - to make your dreams come true!"



Re: OpenBSD Volunteer needed today in Los Angeles - Solved!

2010-02-22 Thread Michael Dexter
Steve Shockley wrote:
> On 2/22/2010 9:23 AM, Bret S. Lambert wrote:
>> Unless some benefactor is willing to come forward and deal with the
>> logistical headache of doing the paperwork and keeping it all as
>> up to date as it needs to be, it's not going to happen, even if
>> getting an EAL meant ponies, rainbows, and money trees for everybody.
> 
> Can't someone just port it from FreeBSD?

Can't port a process but a group certification may be an option.

Note the recent "Re: Is OpenBSD + PF accredited or certified in any way
?" thread.

I'll inquire with GeNUA, FreeBSD and the person who asked at the conference.

Do any OpenBSD Foundation people care about EAL?

Michael



Re: OpenBSD Volunteer needed today in Los Angeles - Solved!

2010-02-22 Thread Steve Shockley

On 2/22/2010 9:23 AM, Bret S. Lambert wrote:

> Unless some benefactor is willing to come forward and deal with the
> logistical headache of doing the paperwork and keeping it all as
> up to date as it needs to be, it's not going to happen, even if
> getting an EAL meant ponies, rainbows, and money trees for everybody.


Can't someone just port it from FreeBSD?



Re: OpenBSD Volunteer needed today in Los Angeles - Solved!

2010-02-22 Thread Nick Bender
On Monday, February 22, 2010, Bret S. Lambert  wrote:
> Unless some benefactor is willing to come forward and deal with the
> logistical headache of doing the paperwork and keeping it all as
> up to date as it needs to be, it's not going to happen, even if
> getting an EAL meant ponies, rainbows, and money trees for everybody.
>

Ponies and rainbows? Forget it.

Money tree? Drop me an email. I would love to get paid to do something
with my CISA...

-N



Re: OpenBSD Volunteer needed today in Los Angeles - Solved!

2010-02-22 Thread Diana Eichert
On Mon, 22 Feb 2010, Aram Hăvărneanu wrote:
SNIP
> *model*, not the *implementation*. I seriously doubt .mil or .gov has
> such requirements for high security networks. I see this kind of
> nonsense in the Enterprise world.

Chuckle, you are living in a fantasy world if you think "this kind of
nonsense" only exists "in the Enterprise world".

diana



Re: OpenBSD Volunteer needed today in Los Angeles - Solved!

2010-02-22 Thread Bret S. Lambert
On Mon, Feb 22, 2010 at 04:04:39PM +0200, Aram Hăvărneanu wrote:
> On Mon, Feb 22, 2010 at 3:51 PM, Aram Hăvărneanu  wrote:
> > EAL4 is meaningless. The auditor is not required to view the software
> > in any way (binary or source). Any vendor with money can get its OS to
> > be certified at least at EAL 4 because all that means is that the OS
> > has some mechanisms in place for implementing security. It does not
> > guarantee that those mechanisms really work or that the OS is not full
> > of security holes.
> >
> > Security certifications are futile. At best, they can certify the
> > *model*, not the *implementation*. I seriously doubt .mil or .gov has
> > such requirements for high security networks. I see this kind of
> > nonsense in the Enterprise world.
> >
>
> Besides what's written above. EAL is meaningless unless you read the

Technically meaningless, yes, but managerially meaningful in some
cases, as there are organizations which require some level of
certification for software to be used "off-the-shelf".

Would it be useful for OpenBSD to get some sort of certification
level for this purpose? Possibly.

Is it going to happen unless somebody absolutely needs it in order
to deploy a solution? No.

Unless some benefactor is willing to come forward and deal with the
logistical headache of doing the paperwork and keeping it all as
up to date as it needs to be, it's not going to happen, even if
getting an EAL meant ponies, rainbows, and money trees for everybody.

> Protection Profile. EAL is the assurance level *against* the
> protection profile. If your PP specifies only that in your systems,
> users login using passwords you can easily get EAL7, but that would be
> so meaningless...
>
> --
> Aram Hăvărneanu



Re: OpenBSD Volunteer needed today in Los Angeles - Solved!

2010-02-22 Thread Aram Hăvărneanu
On Mon, Feb 22, 2010 at 3:51 PM, Aram Hăvărneanu  wrote:
> EAL4 is meaningless. The auditor is not required to view the software
> in any way (binary or source). Any vendor with money can get its OS to
> be certified at least at EAL 4 because all that means is that the OS
> has some mechanisms in place for implementing security. It does not
> guarantee that those mechanisms really work or that the OS is not full
> of security holes.
>
> Security certifications are futile. At best, they can certify the
> *model*, not the *implementation*. I seriously doubt .mil or .gov has
> such requirements for high security networks. I see this kind of
> nonsense in the Enterprise world.
>

Besides what's written above. EAL is meaningless unless you read the
Protection Profile. EAL is the assurance level *against* the
protection profile. If your PP specifies only that in your systems,
users login using passwords you can easily get EAL7, but that would be
so meaningless...

--
Aram Hăvărneanu



Re: OpenBSD Volunteer needed today in Los Angeles - Solved!

2010-02-22 Thread Aram Hăvărneanu
EAL4 is meaningless. The auditor is not required to view the software
in any way (binary or source). Any vendor with money can get its OS to
be certified at least at EAL 4 because all that means is that the OS
has some mechanisms in place for implementing security. It does not
guarantee that those mechanisms really work or that the OS is not full
of security holes.

Security certifications are futile. At best, they can certify the
*model*, not the *implementation*. I seriously doubt .mil or .gov has
such requirements for high security networks. I see this kind of
nonsense in the Enterprise world.

On Mon, Feb 22, 2010 at 7:03 AM, Lori Barfield  wrote:
> On Sun, Feb 21, 2010 at 8:39 PM, Darrin Chandler
> wrote:
>
>> On Sun, Feb 21, 2010 at 03:35:32PM -0800, Michael Dexter wrote:
>> > Thank you Seth and Brooke for materializing and putting on a great
>> > OpenBSD booth at SCaLE in Los Angeles.
>>
>> Seth and Brooke? I know those two! Good people.
>>
>
> I volunteer for SCaLE and worked with a lot of the exhibitors this year, and
> would like to say you guys did a nice job.
>
> ...lori
>
>



--
Aram Hăvărneanu



Re: OpenBSD Volunteer needed today in Los Angeles - Solved!

2010-02-21 Thread Lori Barfield
On Sun, Feb 21, 2010 at 8:39 PM, Darrin Chandler
wrote:

> On Sun, Feb 21, 2010 at 03:35:32PM -0800, Michael Dexter wrote:
> > Thank you Seth and Brooke for materializing and putting on a great
> > OpenBSD booth at SCaLE in Los Angeles.
>
> Seth and Brooke? I know those two! Good people.
>

I volunteer for SCaLE and worked with a lot of the exhibitors this year, and
would like to say you guys did a nice job.

...lori



Re: OpenBSD Volunteer needed today in Los Angeles - Solved!

2010-02-21 Thread Darrin Chandler
On Sun, Feb 21, 2010 at 03:35:32PM -0800, Michael Dexter wrote:
> Thank you Seth and Brooke for materializing and putting on a great
> OpenBSD booth at SCaLE in Los Angeles.

Seth and Brooke? I know those two! Good people.

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
dwchand...@stilyagin.com   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation



Re: OpenBSD Volunteer needed today in Los Angeles - Solved!

2010-02-21 Thread Michael Dexter
> In my own opinion EAL level 4 cert has some serious issues.  A lot of
> what you get is Process and Procedure done by some large corporate
> entity.  What you find is code revs rarely go through certification.
> For example Cisco ASA / Pix have to run pretty old code to get EAL 4
> cert.
> 
> my US$.02 worth

If the EAL level X rubber stamp with travel cost only $.02, how far
would OpenBSD be from compliance?

Michael



Re: OpenBSD Volunteer needed today in Los Angeles - Solved!

2010-02-21 Thread Diana Eichert

On Sun, 21 Feb 2010, Michael Dexter wrote:

> Thank you Seth and Brooke for materializing and putting on a great
> OpenBSD booth at SCaLE in Los Angeles.
>
> Overheard question of the day: Could you please get EAL level 4
> certification so I can use you in the US Air Force? (Milaero country...)
>
> Michael


OpenBSD is already used in the .mil sector, just not in high security
networks because of what you stated.  However I'm pretty sure some
entity outside regular OpenBSD developers would have to pursue that
costly process.

In my own opinion EAL level 4 cert has some serious issues.  A lot of
what you get is Process and Procedure done by some large corporate
entity.  What you find is code revs rarely go through certification.
For example Cisco ASA / Pix have to run pretty old code to get EAL 4
cert.

my US$.02 worth

diana



Re: OpenBSD Volunteer needed today in Los Angeles - Solved!

2010-02-21 Thread Brad Tilley
On Sun, 21 Feb 2010 15:35 -0800, "Michael Dexter" 
wrote:
> Thank you Seth and Brooke for materializing and putting on a great
> OpenBSD booth at SCaLE in Los Angeles.
> 
> Overheard question of the day: Could you please get EAL level 4
> certification so I can use you in the US Air Force? (Milaero country...)

Glad the booth was manned... however, with time, money and the right
scenario, anyone can get a rubber stamp: 

http://web.archive.org/web/20060527063317/http://eros.cs.jhu.edu/~shap/NT-EAL4.html

> Michael



Re: OpenBSD Volunteer needed today in Los Angeles - Solved!

2010-02-21 Thread Michael Dexter
Thank you Seth and Brooke for materializing and putting on a great
OpenBSD booth at SCaLE in Los Angeles.

Overheard question of the day: Could you please get EAL level 4
certification so I can use you in the US Air Force? (Milaero country...)

Michael