Russell Coker wrote:

> Do some research about C2, then do some research into what's needed to
> implement secure systems in the real world. Talk to someone who has worked
> as a network administrator at a large ISP or another site involving security
> and real-world requirements. Then you will know how little relevance C2 had
> unless you were trying to sell software to the US military.
>
> Then do some research into the amount of time that it used to require
> (mandated not through bureaucracy) to get a C2 and compare it to the way that
> Linux software is developed. It's really not a good match.

As one of the few remaining experts on the implementation, evaluation, and productization of Trusted Systems, I can authoritatively say that none of these arguments are new, and they are no more convincing now than they were when they were applied to UNIX in 1987. "Real World" requirements haven't changed that much, save perhaps that all the world is now your terminal room.

Yes, the evaluation process is a royal pain in the bum, but that's mostly because so much software is developed without any thought to either "Real World" or "Contrived Circumstances" security. No documentation, no thought to how it will work with other software, no consideration of context. But that hasn't changed from the UNIX world.

So, I personally don't care much for most of what passes for "security" today. That's okay. Security is all about how you feel about your system. If rigorous inspection of your system's security policy and its implementation doesn't give you warm fuzzies, that's not my issue. But for some of us, that's what security is all about.

--
Casey Schaufler Manager, Trust Technology, SGI
caseyat_private voice: 650.933.1634
casey_pat_private Pager: 888.220.0607

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Mon Mar 25 2002 - 16:22:58 PST