Return to BSD News archive
Path: euryale.cc.adfa.oz.au!olive.mil.adfa.oz.au!navmat.navy.gov.au!posgate.acis.com.au!warrane.connect.com.au!news.syd.connect.com.au!news.mel.connect.com.au!munnari.OZ.AU!spool.mu.edu!agate!howland.reston.ans.net!newsfeed.internetmci.com!news.mathworks.com!uunet!in2.uu.net!news2.interlog.com!news1.io.org!not-for-mail
From: cbbrown@zip.io.org (Christopher B. Browne)
Newsgroups: comp.os.linux.development.system,comp.os.linux.misc,comp.os.linux.networking,comp.unix.bsd.freebsd.misc,comp.unix.bsd.netbsd.misc,comp.unix.bsd.bsdi.misc,comp.security.misc
Subject: Re: need secure OS to entrust millions to
Date: 25 Feb 1996 15:25:09 -0500
Organization: Internex Online (io.org) Data: 416-363-4151 Voice: 416-363-8676
Lines: 47
Message-ID: <4gqgj5$r1g@zip.io.org>
References: <4gi6t6$3h9@lace.colorado.edu> <nc0453Dn96w6.93F@netcom.com> <y5ad974s4v4.fsf@graphics.cs.nyu.edu> <4gqf17$1lr@cynic.portal.ca>
NNTP-Posting-Host: zip.io.org
Xref: euryale.cc.adfa.oz.au comp.os.linux.development.system:18065 comp.os.linux.misc:88640 comp.os.linux.networking:29760 comp.unix.bsd.freebsd.misc:14390 comp.unix.bsd.netbsd.misc:2330 comp.unix.bsd.bsdi.misc:2472 comp.security.misc:22681
In article <4gqf17$1lr@cynic.portal.ca>,
Curt Sampson <curt@cynic.portal.ca> wrote:
>In article <y5ad974s4v4.fsf@graphics.cs.nyu.edu>,
>David Fox <fox@graphics.cs.nyu.edu> wrote:
>>
>>Of course, so that you know there is someone standing behind the
>>system who is competent enough that they have the confidence to take
>>legal responsibility for the security of the software.
>
>Am I out to lunch, or does every single agreement I've ever seen
>on a shrink-wrap box specifically state that the company makes no
>respresentations the the software will even boot, much less work
>or be secure?
a) We're not talking about shrink-wrapped software.
b) If you're paying the extra bucks for a B-1 or B-2 secured OS
environment, then you certainly *do* get a representation from the
manufacturer that the software has that level of security.
I find it remarkable that only one person so far has mentioned the
infamous "coloured books" from the DOD.
The solution for a high security banking application is *not* to
run with free software that has relatively little in the way of
security features designed into it. I doubt that the banks need
a Boeing SCOMP (rated B-3, if I remember correctly), but they *do*
need more than what the "free" UNIXes offer. They also need more
than anything Microsoft offers; security is certainly not the prime
design factor of Windows NT which is the only *faintly* secure OS
product that Redmond offers.
Gentle readers should consult the following sources, particularly the
Rainbow books, before suggesting rash opinions about what's supposed to
be pretty secure.
<LI><a
href="http://www.yahoo.com/Science/Mathematics/Security_and_Encryption/">
Security and Encryption</a>
<LI><a href="http://hightop.nrl.navy.mil/rainbow.html">Rainbow Books
- US DOD</a>
<LI><a href="http://hightop.nrl.navy.mil/docs/greenbook.txt">Green
Book </a>
--
Christopher Browne - Email:<cbbrown@io.org>, WWW:<http://www.io.org/~cbbrown/>
SAP Basis Consultant/Systems Engineer -------- Certified SAP ABAP/4 Consultant
PGP key available - check my .plan, Web Page Share and Enjoy