[ISN] Linux looks to pass government standards

From: InfoSec News (isnat_private)
Date: Mon Aug 19 2002 - 05:40:44 PDT

    http://zdnet.com.com/2100-1104-950083.html
    
    By Robert Lemos 
    Special to ZDNet News
    August 16, 2002, 4:00 AM PT
    
    SAN FRANCISCO -- A technology think tank is campaigning to win Linux a
    greater role in government by offering to act as a central repository
    for a federally certified version of the open-source operating system.
    
    The Cyberspace Policy Institute, a decade-old technology policy think
    tank established at George Washington University, plans to push for
    Linux to be certified under the Common Criteria, a standard grading of
    technology required by the United States and other countries before
    products can be sold into sensitive government applications.
    
    If successful, the initiative would lead to a single, standard version
    of Linux acceptable to the government, and hence make it easier for
    Linux companies to compete against Microsoft and other large software
    makers. Certification costs anywhere from $100,000 to millions of
    dollars and takes up to five years--Microsoft is just finishing the
    certification of Windows 2000--but the effort could be a boon for
    Linux companies.
    
    "The government wants to get open-source certified, but they don't
    want to certify for any specific vendor," Tony Stanco, senior policy
    analyst for open-source and e-government at the Cyberspace Policy
    Institute, said at a panel discussion on promoting Linux to the
    government.
    
    A single agency administering the certification process for Linux is a
    must, Stanco said. Otherwise, only a few companies will be able to
    offer products and the entire community wouldn't benefit from the
    effort.
    
    "Only one company (Red Hat) has enough money to get certified," he
    said. "I don't think even United Linux has enough money to get Linux
    certified."
    
    The initiative would also add the United States to the list of
    national governments that are supporting open-source efforts to add a
    second choice to Microsoft within federal agencies. On Monday, the
    British government confirmed that it would consider open-source
    software alternatives to buying Microsoft software. And, in June, the
    German government signed a deal with IBM and Linux vendor SuSE to
    provide an open-source alternative to Microsoft operating systems.
    China and Taiwan, two nations that rarely agree, have also dipped
    their toes into Linux.
    
    A better Linux
    
    Strong support for the open-source operating system within the
    government came from a surprising quarter in early 2001 with the
    release of Security-Enhanced Linux from the National Security Agency,
    which for decades stymied researchers' and technology companies'
    efforts to create broadly available strong encryption.
    
    SE Linux adds military-strength architecture improvements to Linux,
    the most obvious security improvement being mandatory access controls,
    or MACs, based on technology developed by Secure Computing Corp. The
    Cyberspace Policy Institute plans to also add authentication and key
    management features to the operating system.
    
    Such technologies make computers much less susceptible to attacks.  
    Mark Westerman, managing partner with network consultant Westcam,
    installed the SE Linux access controls on a critical server for one of
    his customers after a common security flaw, known as a buffer
    overflow, allowed a hacker to take control of the company's server.  
    Westerman configured the access rules but left the buffer overflow
    unpatched on the server as a test.
    
    When the hacker came back a second time to the server and attempted to
    gain control of the process, the access controls limited what the
    attacker could do. Instead of taking control of the computer, the
    hacker could only crash the service that had the buffer overflow, but
    do no other damage.
    
    "With the access controls, the customer doesn't have to worry about
    the next buffer overflow that comes along," said Westerman at a panel
    discussion at this week's LinuxWorld Conference and Expo. "SE Linux
    gives you military grade security at open-source cost."
    
    Microsoft vs. the NSA
    
    SE Linux may be the NSA's last direct contribution to open-source
    security, however. Because of the loud criticism, the NSA will have a
    far less direct role in the creation of more secure versions of
    open-source software.
    
    "We didn't fully understand the consequences of releasing software
    under the GPL (General Public License)," said Dick Schafer, deputy
    director of the NSA. "We received a lot of loud complaints regarding
    our efforts with SE Linux."
    
    Many complaints criticized the agency for providing the fruits of
    research to everyone, not just U.S. companies, and thus hurting
    American business.
    
    While stressing that the agency received a loud chorus of support as
    well, the chagrined Schafer said that the issue was contentious enough
    that "we won't be doing anything like that again."
    
    Sources familiar with events said that aggressive Microsoft lobbying
    efforts have contributed to a halt on any further work. "Microsoft was
    worried that the NSA's releasing open-source software would compete
    with American proprietary software," said a source familiar with the
    complaints against the NSA who asked not to be identified.
    
    Microsoft would not comment directly on its lobbying efforts, but did
    stress that it wanted to ensure the government continued to fund
    commercial ventures. "The federal government plays an important role
    in funding basic software research," said a Microsoft representative.  
    "Our interest is in helping to ensure that the government licenses its
    research in ways that take into account a stated goal of the U.S.  
    government: to promote commercialization of public research."
    
    The debate over whether the government should fund open source
    projects has been raging for some time. In July, the MITRE Corp., a
    defense contractor and think tank, released a much-awaited report
    sponsored by the Department of Defense endorsing the use of
    open-source software in the government.
    
    "Open source methods and products are well worth considering seriously
    in a wide range of government applications," concluded the report.
    
    After news of the favorable report leaked out in May, a second report
    appeared in early June from the Alexis de Tocqueville Institution, a
    newcomer to the open-source debate, calling such software insecure. A
    press release preceding the report breathlessly announced "open-source
    software may offer target for terrorists."
    
    Many critics have claimed that Microsoft funded the report, but a
    Microsoft representative denied that charge, saying that while the
    software giant does fund the institution, it doesn't fund any specific
    research.
    
    Despite the intense battle surrounding open source, the NSA will
    still fund research on secure operating systems based on Linux as well
    as work with U.S. companies to create better security in their own
    operating systems.
    
    Both Red Hat's CEO Matthew Szulik and Chief Technology Officer Michael
    Tiemann said the company is working with the NSA on security projects,
    but neither would give details about the initiatives. On Tuesday
    morning, Tiemann and other technologists from companies including
    Intel, IBM and Oracle met to discuss the future of Linux in the
    government, said a source familiar with the meeting.
    
    Through the Composable High Assurance Trusted Systems (CHATS) fund,
    the Defense Advanced Research Projects Agency, an arm of the
    Department of Defense, funds open-source initiatives that improve
    security. A year ago, Network Associates received $1.2 million from
    the CHATS program to create a common set of security features for
    open-source operating systems.
    
    Apple also will push its own operating system, the Mac OS X, which is
    based on the open-source Unix variant, FreeBSD, for government
    certification. Apple and a coalition of 40 government agencies have
    formed the Secure Trusted Operating System (STOS) consortium to create
    security features for the base OpenBSD operating system known as
    Darwin.
    
    Welcome to certification
    
    The road to certification will not be easy, however.
    
    For one, the co-developer of SE Linux, Secure Computing, has indicated
    that it plans to enforce patent claims on part of the access control
    technology based on its research and development.
    
    In addition, the Common Criteria process, run jointly by the NSA and
    the National Institute of Standards and Technology under the National
    Information Assurance Partnership (NIAP), is better suited to certify
    proprietary software coming from a single company. It's ill suited to
    deal with the myriad updates that the open-source community produces
    on a regular basis.
    
    "The big issue is how you fit this wild community into all the
    little boxes that the government bureaucracy wants," said CPI's
    Stanco.
    
    NIAP Common Criteria certifications run from Evaluation Assurance
    Level (EAL) 1, the lowest level, to EAL 7, the highest. The first four
    levels can be obtained through commercial labs, but levels 5
    through 7 require certification from the NSA itself.
    
    Because it is Linux's first time through the process, the Cyberspace
    Policy Institute has modest aims: EAL 2.
    
    "That way we get some validation of open-source security," said
    Stanco. "Going straight to EAL 4 would be tough."
    
    Shooting for a modest target gives the open-source community time to
    work out some kinks--not in Linux, but in the government's
    certification process.
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    
    This archive was generated by hypermail 2b30 : Mon Aug 19 2002 - 08:20:31 PDT