By Linux News Desk
May 5, 2004 12:00 AM EDT
"There is a widespread misconception that open source software inherently provides better security than proprietary software. But, according to the U.S. Government's database of computer security vulnerabilities maintained by the National Institute of Standards and Technology (NIST), there have been more vulnerabilities of the highest severity in the Linux operating system than in Microsoft Windows in every one of the last ten years!" warns O'Dowd.
O'Dowd is concerned that the license governing Linux requires defense contractors to publish the source code of the operating system for any critical defense system using Linux. "There is a widespread misconception that this disclosure improves security by allowing anyone to review the source code for potential vulnerabilities. However, the source code of a defense system's operating system provides a blueprint for its security. Disclosure of the source code makes it possible for our enemies to ascertain the performance, timing, capabilities, and vulnerabilities of the system, including the existence and design of secret devices and encryption chips. This is analogous to publishing the wiring diagrams of our military bases. Our enemies will be able to study our vulnerabilities at their leisure. When it comes to defense systems, secrecy is a critical component of security. Open source code is sure to reduce security for defense systems."
O'Dowd claims that a thorough security evaluation of Linux's use by the military will cost over $1,000 per source code line. "A thorough evaluation of Linux for subversions would cost billions of dollars," O'Dowd holds. He also believes that "Linux has been selected for use in defense systems with insufficient analysis, review, or vulnerability assessment, because the cost of this analysis would be prohibitive."
He warns, "Every principle of security is being violated to enable Linux to spread through our defense systems. This must not be allowed to continue."
The next Linux Security white paper in the series, "Linux in Defense: Free Software is Just Too Expensive," will be published next week, and will attempt to show that Linux is not the lowest cost operating system for defense systems and that Linux does not offer the long-term support model that defense systems need. Prior white papers and articles are archived at http://www.ghs.com/linux.html. LinuxWorld Magazine invites the Linux community to continue to engage in discussion about O'Dowd's series of white papers.
Copyright © 2004 SYS-CON Media, Inc. — All Rights Reserved.
David Tomlinson 05/11/04 02:02:49 PM EDT
> EAL2 is hardly a top security certification. BTW - Windows has had EAL4 for years now.
Well, I wouldn't characterize October of 2002 as 'years'; perhaps in about 6 months you can make that statement. BTW, only Windows 2000 Professional, Server and Advanced Server SP3 with patch Q326886 applied are EAL 4 certified. David
David Tomlinson 05/11/04 01:54:44 PM EDT
It is interesting that O'Dowd quotes Common Criteria, ISO 15408, EAL level 7, etc. Yet the company and product for whom he has been advertising in these white papers, Green Hills Integrity, is conspicuously absent from the list of certified products on the NIST website: http://niap.nist.gov/cc-scheme/vpl/vpl_vendor.html Prior to ISO 15408 was the Orange Book, or DoD Trusted Computer System Evaluation Criteria (TCSEC), reissued in 1985 as DoD Standard (DOD 5200.28-STD). Green Hills' product is also not on this list: http://www.radium.ncsc.mil/tpep/epl/index.html O'Dowd talks about EAL7, but they are not even in the process of being certified! I, however, note that Redhat Linux 3 is certified at EAL 2, and SuSe Linux Enterprise Server v8, SP3 is certified at EAL 3+. O'Dowd is just shilling for Green Hills; I wonder how many hits their web site has gotten this month as opposed to the last three years?! I sent O'Dowd a letter with the above information; I wonder if he will reply? David Tomlinson
jps 05/11/04 12:59:13 PM EDT
Even Bill must be astonished with this crap.
Andy D 05/11/04 05:05:41 AM EDT
Interesting how EAL4, or "Common Criteria", is promoted as certifying an OS as being safe. Yes, Windows 2000 has EAL4; but if you were to install this "Safe OS" today, you would probably be hit by the vulnerability in LSASS before you could download all the patches from Microsoft. And LSASS is an absolutely fundamental part of the OS' security system. Just given this information, surely EAL4 should be withdrawn for Windows 2000? Furthermore, EAL4 only has any meaning if the OS is configured in a particular way (e.g. auditing must be enabled). IT professionals know that any OS *can* be made secure, if sufficient effort and skill is put into it. But does this mean that a software company can tell anyone who cares to listen that they have EAL4?
Crypto 101 05/10/04 07:55:44 PM EDT
Any secure algorithm or program must maintain its security even if the source is leaked, because it will be. The only rational solution is to open source the code and publish it ad nauseam. How many mature SSL packages are there out there? Right, 1: OpenSSL. It is one of the most studied and scrutinized codes by amateur and professional cryptanalysts out there. We all trust it since its security is in the mathematics and keys, not in the source. How long until all of the basic libraries are "perfected" by accumulation of experience? Then the work of the code becomes the central focus, not the low-level manipulations, which are where a huge majority of security holes are found. Mr. O'Dowd is fighting for the viability of his company, not for rational security.
Sancho Pansa 05/10/04 02:38:03 PM EDT
The GPL open source license only requires the vendor of a software to provide the customer with the source ON REQUEST. It specifically does not require publication of the source on a large scale. So this whole article is a load of bullshit.
Oh my 05/10/04 10:48:29 AM EDT
> Also, Redhat recently got a top security certification:
EAL2 is hardly a top security certification. BTW - Windows has had EAL4 for years now.
exsfguy 05/08/04 03:55:21 PM EDT
Personally, I have a great deal of experience with military comms and IT. I think Dan should consider a new career in entertainment - O'Dowd the CLOWN!
-=Solaris.M.K.A=- 05/07/04 10:28:07 PM EDT
O'Dowd is just one of those people that wishes the world was flat. Unfortunately for him, fortunately for us, Linux has already proven to be secure, stable and easy to use! But in O'Dowd's world there was no 'blaster32' and other virii. I agree with the above comments. He's the farthest from the definition of a 'security expert'.
Falcon^Crest 05/07/04 09:18:31 PM EDT
If O'Dowd thinks that Linux is not secure since it's open source, what makes him think that Microsoft is more secure? Think about this, Mr. O'Dowd: Microsoft's sites have been terribly penetrated most of the time, and most of the time they used a Linux appliance to continue its service. Now, think about it! How secure is Microsoft if you don't see their source code? Eh? Now take the Linux source code, re-design it, and make a public announcement that your defense system is run by Linux which has been re-designed for your defense system, give thanks to the people who worked primarily on Linux and make the code disappear from the eyes of the many.. that's it! You'll make the Linux community proud! CAN YOU DIG IT! SUCKA!
DaveI 05/07/04 02:00:19 PM EDT
$1000 per line of code? Holy crap! I am in the wrong line of work! Sure, maybe the procurement bureaucracy within the US military would pay such a price, but that is only because the procurement bureaucracy there is absolutely hopeless. How does this guy know that they won't completely outsource this to a code audit company? It's hard to imagine a single such company that would not consider a measly $500 per LINE. Hell, I bet some would go down as low as $400 per single line of code. Actually, can any of us think of a company that wouldn't do it for $10 per line of code? A 2000 line program would be vetted at a price of $20,000 in cold hard cash. I think I'd take that. What an asshat. :)
Paul Wolfson 05/06/04 06:00:45 PM EDT
Dan O'Dowd does reference SE Linux in his article. But while he critiques SE Linux, he misses the point of using off-the-shelf software, particularly in the DoD world. There are open standards for software which are in common military use, e.g. DES and AES cryptography. I would much rather a GS-2 secretary use a vanilla Linux release than attempt to secure a Windows 98 workstation. The Green Hills folks are correct about generic Linux being a universal plugin to DoD problems. Real-time control systems are not candidates for Linux or any other general purpose operating system; radar scheduling, flight controls and navigation are but a few processes which need an RTOS. I don't think that any disclosure of sensitive hardware has much to do with the operating system used; software layers, drivers and Red-Black interfaces are there for that purpose.
Penguinista 05/06/04 04:37:11 PM EDT
This guy is smoking crack.
Layton 05/06/04 09:17:11 AM EDT
Compare this with the article posted 2 days earlier that indicates Red Hat has already gotten level 2 security certification with RHEL v.3, and that they intend to get levels 3 and 4 with RHEL v.4. My observation has been that anything beyond level 4 or 5 doesn't really do anything but eat CPU cycles and development time, and is very seldom actually a requirement.
Neil Penman 05/06/04 03:00:11 AM EDT
At least one security principle not being broken by open source is that security by obscurity should be avoided. So the paper's title appears to be false. If my understanding of the GPL is correct he is also wrong that it compels defense contractors to publish the source code. I believe it would compel them to provide source with any Linux system they sold. However if they only sell to the US government then it need go no further.
S. Lauer 05/05/04 07:36:51 PM EDT
Is it my imagination, or is this guy just trying to sell his product? Something tells me he just feels threatened...by Linux