Re: irc summary





On Tue, 4 Aug 1998, Stephan Pfab wrote:

> 
> "Dan Kaminsky" <effugas@best.com> wrote:
> >OK, OFFICIALLY, does *ANYBODY AT ALL* think it's a good idea to have C2 be
> >an abbreviation for Compliance Level 2 for GNOME when in the NT world C2 is
> >a rating that Microsoft cheated to get for itself?
> 
> >Are you guys SURE we should associate ourselves with a cheated rating,
> >especially considering Linux itself will eventually get rated C2 as a whole,
> >for *real*?
> 
> 
> 1: Microsoft did not cheat to get C2.
>    C2 is simply that weak.
>    In other words: C2 does not say much about security

Microsoft got a C2 rating for NT 3.5 with Service Patch 3, in July 1995, 
in a standalone mode.  To quote the NCSC evaluation: "Because the
evaluated configuration does not include a network environment, both
products [NT Server and NT Workstation] are considered stand-alone
workstations.", and later "A network configuration of the Windows NT
platform is currently pending evaluation agreement."

In spite of Microsoft's stated interest in the RAMP program (a program to
make it easier for later versions of an approved system to be approved),
no version of any Windows operating system has received any rating.  Other
RAMP vendors have multiple versions on the Evaluated Products List
<http://www.radium.ncsc.mil/tpep/epl/epl-by-class.html>.

In spite of the fact that only a standalone, obsolete version that is no
longer sold has the security rating, Microsoft persists in advertising NT
as being a C2 system, implying that the security applies to its
networking as well.  I would agree that this is cheating.

-Gleef


