[Fwd: Linux is More Secure than NT- Lets Prove It.]

Mike Rambo mrambo@lsd.k12.mi.us
Fri, 15 Sep 2000 16:37:56 -0400


I certainly don't want to spam but thought you all might find this
interesting.

"Wagner, Joseph" wrote:
> 
> A recent osOpinion article piqued my interest about the Navy's recent
> decision to use the Microsoft Windows operating system in its next
> generation aircraft carrier
> (http://www.fcw.com/fcw/articles/2000/0807/news-navy-08-07-00.asp). Two
> years earlier, a divide by zero error on a Microsoft Windows NT machine left
> the USS Yorktown dead in the water for over two hours
> (http://www.gcn.com/archives/gcn/1998/july13/cov2.htm). The sequence of
> these events forces one to ask the question: why would the government choose
> the Microsoft Windows operating system despite the known defects and
> problems? The answer is really quite simple - they do not have a choice in
> the matter.
> 
> The Department of Defense has a little known rule that all computer products
> (hardware and software) containing classified or unclassified sensitive
> information must be evaluated and rated. The National Computer Security
> Center (NCSC), a branch of the NSA, is responsible for evaluating and rating
> commercial security products. These products fall into one of four
> divisions: D - Minimal Security, C - Discretionary Protection, B - Mandatory
> Protection, and A - Verified Protection. Divisions C, B, and A are divided
> into classes: C1 - Discretionary Security Protection (no longer in use), C2
> - Controlled Access Protection, B1 - Labeled Security Protection, B2 -
> Structured Protection, B3 - Security Domains, and A1 - Verified Design (see
> Orange Book, http://www.radium.ncsc.mil/tpep/library/rainbow/index.html).
> The ratings, in order from least secure to most secure, are D, C1, C2, B1,
> B2, B3, and A1.
> 
> To make the rating system a little clearer, I'll draw an analogy. Microsoft
> DOS with the equivalent security of a Speedo - not very secure - would have
> a D rating. Microsoft Windows 95/98/ME with the equivalent security of a
> wooden barrel - stops rotten vegetables thrown by novice users but not
> bullets from professional hackers/crackers - would have a C1 rating.
> Microsoft Windows NT/2000 with the equivalent security of a bulletproof vest
> - able to stop professional hackers/crackers - has a C2 rating.
> 
> Microsoft was very cunning in obtaining this rating. Microsoft Windows NT
> 4.0 is the only general-purpose operating system rated by the NCSC
> (http://www.radium.ncsc.mil/tpep/epl/historical.html). Other operating
> systems are rated, but those operating systems are designed for specific
> machines like mainframes and supercomputers, not general-purpose personal
> computers. Since all computer products containing classified or unclassified
> sensitive information must be rated for the government to use them,
> Microsoft Windows is the only general-purpose operating system the
> government can use. Hence, Microsoft has a monopoly on all general-purpose
> operating systems sold to the government.
> 
> If you really want to break Microsoft's monopoly, you need to get
> alternative operating systems, like Linux, rated by the NCSC. Many
> companies, like Red Hat, do not want to invest the time or money to have
> their products evaluated and rated, but I believe that the potential for
> government contracts (and the knowledge that our nuclear secrets are a
> little bit safer) is well worth the investment. In addition, Microsoft will
> no longer be able to beat the Linux crowd over the head with the "No
> Security Rating" argument
> (http://www.microsoft.com/NTServer/nts/news/msnw/LinuxMyths.asp).
> 
> I believe Linux is capable of much more than just meeting the C2 rating
> Microsoft Windows NT holds. Since Linux can do everything that Microsoft
> Windows NT can do (and then some), one can reasonably assume that Linux can
> achieve a minimum C2 rating. In order to meet the B1 requirements, the
> operating system must be able to append security information to objects
> after they leave the system. Microsoft Windows NT could not achieve this
> rating because it supported only the FAT file system for floppy disks,
> which cannot track security information. Linux supports the EXT2 file system
> for floppy disks, and the kernel can be compiled to remove support for the
> less secure FAT, forcing users to use a file system that contains security
> information, hence mandatory protection. However, requirements for B3 and A1
> require that the operating systems be stripped of all components not vital
> to system security (http://www.radium.ncsc.mil/tpep/epl/epl-by-class.html).
> While this is theoretically possible given the Open Source nature of Linux,
> stripping away all non-security components would change the nature of Linux,
> and the stripped down version of Linux would no longer be a general-purpose
> operating system. I believe Linux is capable of at least a B1 or perhaps a
> B2 rating.
> 
> I believe companies of alternative operating systems should buckle down and
> have their products rated by the NCSC to better compete with Microsoft and
> make us feel proud (and more secure) in using alternative operating systems,
> like Linux. Please email companies of alternative operating systems, like
> Red Hat, and tell them to get their products rated by the National Computer
> Security Center.
> 
> That's my two-cents worth. For more information on Commercial Product
> Evaluations, check out the website of the NCSC at
> http://www.radium.ncsc.mil/tpep/.
> 

-- 
Mike Rambo
mrambo@lsd.k12.mi.us