| Date: Fri, 27 Jul 2007 08:55:01 +0100
| From: Michael Watterson <watty at eircom.net>
| Are these complete?
I've no idea if that's complete (I haven't been involved
in this area for at least a decade), but Yes, those are
the books being talked about.
| It's an information overload. Effective security
| design & systems are simple and easy to folllow
| but hard to defeat.
Back when I was involved, the problem was thought to be
that most systems — which in this context means software
AND hardware AND the policies/procedures — were poorly
designed, if they existed at all. At that time, part of
the rationale was to kick everybody's arse and treat the
issues more seriously. Whether or not that was happened
is unclear; to take just one example, the rampant problem
of ID theft suggests the principles laid out are not being
followed very well, if at all.
| Who has time to read & learn all this?
Back then, when (and why) I was involved, if you wanted
to sell to the USA Federal Government (not just NSA/DoD,
but any government bid) your package was supposed to be
certified as meeting one of the defined security levels.
So many system designers and so on, back then, had to
get to grips with it.
Software-wise, Unix had a big advantage, since it was
thought to be _almost_ C2, lacking (technically) mostly
an acceptable audit system (i.e., means to log who did
what when). (There was also a lack of suitable design
documentation.) Everything else was thought to be D
(no useful security (pedantically, has or would fail
the certification process)), excepting a few specialist
(expensive/classified) and research systems.
It all came more-or-less to naught, however. There were
multiple problems, including, but not limited to: The
NSA was involved (so everything proceeded very slowly
if there was any movement at all); the focus of the
certification was ensuring the system kept things secret
(which is not quite what is needed outside the limited
NSA/DoD-land); the process(es) the NSA tended to assume
(e.g., waterfall) were both obsolete and generally not
used (in the Unix community); even the most minor of
upgrades or changes would invalid the certification
(so certified software was effective frozen solid); and
the preferred systems were so-called “mixed-level”(? or
something like that). Mixed-level systems could be used
for BOTH classified and un-classified work without any
danger of the classified material leaking. Mixed-level
is an interesting theorical problem — and is why the
original Orange Book was so heavy on theory — but in
practice, separated independent systems work rather
Upshot is whilst you can(? could?) get exotic products
like CMW and B2, there wasn't any compelling reason
(unless you are inside NSA/DoD-land). And it's fairly
clear that policies and procedures are still, generally,
It's been too long since I was involved to know if any
of the books are useful for day-to-day administration;
I suspect not. I recall that there was, back then, an
attempt at a pamphlet for end-users, but again it was
(as I recall) heavily infused with NSA/DoD-land concerns
(e.g., shoot yerself rather than say anything ;-) ).
Apologies in advance for errors and over-simplifications.
(I have simplified (cynicalified?) several points.)
▶ ▶ I AM CURRENTLY LOOKING FOR A JOB! ◀ ◀ | Brian Foster
Experienced (>25 yrs) software engineer: | Montpellier, FRANCE
• Unix, Linux, embedded, design-for-test; | Stop E$$o (ExxonMobile)!
• Software/hardware co-design, debugging; | http:/www.stopesso.com
• Kernels, drivers, filesystems, &tc; Résumé (CV) & contact details:
• IDL, automated testing, process, &tc. http://www.blf.utvinternet.ie
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!