Windows 2000 declared secure

Jonathan S. Shapiro shap at eros-os.org
Sat Nov 2 20:36:04 EST 2002


On Sat, 2002-11-02 at 17:48, Adam Shostack wrote:
> On Sat, Nov 02, 2002 at 03:12:51PM -0500, Jonathan S. Shapiro wrote:
>
> | Given that an EAL4 certification can fairly be characterized as "nowhere
> | near good enough for serious commercial use today", I think it is fair
> | to harshly criticize these rationales as rather thin rationalizations.
> 
> Here I'd like to disagree.  Unfortunately, EAL4 level stuff is
> considered good enough for serious deployment today.

Yes, but that's not what I said. You are right that people running
businesses consider EAL4 systems good enough to deploy. However, there
is ample empirical evidence that they are wrong. These systems are
routinely hacked by script kiddies. My statement concerned objective
reality, not the wishful thinking of the people doing the deployment.

> Witness the US Navy's choice of OS.

This needs to be looked at carefully to understand what is going on.
First, the Navy has many applications that aren't the least bit
sensitive. For these, Win/NT may be a fine solution.

In addition, the Navy has also deployed Win/NT into some potentially
sensitive tactical applications. In these cases, Win/NT has *always*
been deployed onto a secure network that is physically isolated from the
rest of the ship systems. This has the effect of rendering the
environment non-hostile. In a non-hostile environment, Win/NT may be a
fine solution.

> Perhaps this is because people haven't learned
> to tally up cost of ownerships properly.  Perhaps its because security
> is not yet a requirement for commercial use.  But, as you
> point out, there is no one agitating in the commercial space to fix
> the issues that make EAL4 all we get.

This is inaccurate. There are *lots* of people demanding that security
be fixed. The problem is that all of them are customers, and in a
monopoly environment the customers don't carry any great amount of
weight. Until there is a viable commercial alternative to Windows
(preferably several), secure or otherwise, this is a commercial
non-issue. While I understand the basis for the ruling and reluctantly
agree that it was a legally sound decision, security will be a casualty
of Colleen Kollar-Kotelly's decision in the near term.

> | ... I would
> | argue that EAL4 is not a barrier to any current commodity operating
> | system, and the US national interest is not served so long as the best
> 
> Actually, I think it is.  I don't think that Linux would pass EAL4; as
> you've pointed out, that requires a documented and followed QA
> process.

True, but the documentation can be generated retroactively. The fact is
that several UNIX systems *have* passed EAL4. With sufficient work,
Linux could do so too.

> How does SELinux stack up here?

I haven't looked at SELinux in detail, but evaluation of SELinux wasn't
a design goal, and I have heard skepticism about whether it could
evaluate successfully from within NSA. In any case, any evaluation of
SELinux would have to begin by cleaning up the baseline Linux system for
evaluation.

> Do you think that the buyers of these higher EALs actually know what
> they're getting?  My reading of the commentary on Win2k getting
> certified is that most people don't know what an assurance level is,
> nor do they know that there are other ones.

I think you are probably right. At the level of "higher is better"
people understand it. Since nothing higher than EAL4 is widely
available, that's not a very useful level of differentiation in
practice.

> I think that there is an incentive for someone (Sun?  IBM?) to go get
> a EAL5 certification, if only to tweak MSFT's nose.

Since the cost of the EAL4->EAL5 jump is O($1M) and several years, and
since Linux/UNIX probably can't actually get there, do you really think
so?


> Here I strongly agree with you; however, I'm not sure that the CC are
> the incentive structure; I think the problem is more fundamental,
> which is that costs for insecure software are mis-allocated.  The
> benefit of being able to sell a little secure software is pretty low,
> and will remain low as long as someone can simply certify that there's
> nothing secure that meets the requirement of running win32 code, so
> let's just install Windows.

I disagree. The problem is even more fundamental than that. The problem
today is the absence of liability for the consequences of bad software.
Once liability goes into place, CC becomes the industry-accepted
standard of diligent practice. Until then it's just a way of killing
trees.


shap


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com