| ActiveMac | Anonymous | Create a User | Reviews | News | Forums | Advertise |
|
|
|
User Controls |
|
New User |
|
Login |
|
Edit/View My Profile |
|
|
|
|
|
|
|
ActiveMac |
|
Articles |
|
Forums |
|
Links |
|
News |
|
News Search |
|
Reviews |
|
|
|
|
|
|
|
News Centers |
|
Windows/Microsoft |
|
DVD |
|
ActiveHardware |
|
Xbox |
|
MaINTosh |
|
News Search |
|
|
|
|
|
|
|
ANet Chats |
|
The Lobby |
|
Special Events Room |
|
Developer's Lounge |
|
XBox Chat |
|
|
|
|
|
|
|
FAQ's |
|
Windows 98/98 SE |
|
Windows 2000 |
|
Windows Me |
|
Windows "Whistler" XP |
|
Windows CE |
|
Internet Explorer 6 |
|
Internet Explorer 5 |
|
Xbox |
|
DirectX |
|
DVD's |
|
|
|
|
|
|
|
TopTechTips |
|
Registry Tips |
|
Windows 95/98 |
|
Windows 2000 |
|
Internet Explorer 4 |
|
Internet Explorer 5 |
|
Windows NT Tips |
|
Program Tips |
|
Easter Eggs |
|
Hardware |
|
DVD |
|
|
|
|
|
|
|
Latest Reviews |
|
Applications |
|
Microsoft Windows XP Professional |
|
Norton SystemWorks 2002 |
|
|
|
Hardware |
|
Intel Personal Audio Player 3000 |
|
Microsoft Wireless IntelliMouse Explorer |
|
|
|
|
|
|
|
Site News/Info |
|
About This Site |
|
Affiliates |
|
ANet Forums |
|
Contact Us |
|
Default Home Page |
|
Link To Us |
|
Links |
|
Member Pages |
|
Site Search |
|
Awards |
|
|
|
|
|
|
|
Credits |
 |
Linux Rated Less Secure than Windows | |
|
||
| Time: 00:00 EST/05:00 GMT | News Source: WinInformant | Posted By: Todd Richardson | ||
|
Thanks RMD. When Microsoft announced that its Windows 2000 operating system had been awarded the highest possible grade in the Common Criteria (CC) security certification last fall, open source advocates downplayed the honor as insignificant and unrelated to real-world security analysis. This week, however, Linux was also awarded with CC security certification, and as one might expect, this announcement greeted with cheers from the open source community. There's just one catch: Linux got a lower security rating than Windows 2000 did last year. Linux was certified as providing "low to moderate" security, while Windows 2000 received a "moderate to high" security rating last year. According to people close to the certification, Linux was being tested for better security ratings, but only achieved the "low to moderate" rating. | ||
|
Write Comment
Return to News |
Displaying 1 through 25 of 156 Last | Next |
The time now is
9:50:23 PM
ET.
Any comment problems? E-mail us |
| #1 By 10896 (24.25.182.11) at 8/6/2003 7:08:58 AM |
|
This was even a special version of SUSE Linux on IBM hardware.
It was trying to get the higher rating and failed so only the low to moderate was achieved. Any company with security in mind should be very careful in deploying other versions of Linux. If you dont have the high rating like Windows 2000, you cant compete for many contracts that require CC certification. |
| #2 By 6859 (206.156.242.36) at 8/6/2003 9:04:58 AM |
| SomeDork has a valid question. I, too, would like to know how 2003 did, if they even tested it yet... |
| #3 By 20 (67.9.179.51) at 8/6/2003 10:42:53 AM |
|
The process is arduous and I'm sure it takes at least 1-2 years. There are reams of documentation necessary and probably even some code audits for critical security processes.
I don't know how Linux even got low to moderate because it doesn't even have DAC (Discretionary Access Control -- basically full access control lists (with deny capability) to sensitive resources like files and network resources)). DAC is generally considered a basic requirement for any serious security implementation. Most commercial Unixes have it now and have gone away from the kindergarten User/Group/Everyone model that Unix used to use and Linux still uses. There are ACL implementations for Linux but they're unstable and don't provide full DAC across the OS, just ACLs for files. |
| #4 By 20 (67.9.179.51) at 8/6/2003 11:51:35 AM |
|
I don't think it's something you decide to add one day. DAC is a mindset and a design choice and Linux was not designed with that in mind. It's a major effort to overhaul the entire security infrastructure of the OS and it took most Unix vendors several years to get it to the point where they could get certified.
Linux is lost in this regard and it'll take a monumental effort by some large corporate entity to bring it up to the level of HP-UX and longer for Windows 2003 |
| #5 By 16451 (63.227.226.13) at 8/6/2003 2:43:08 PM |
| PAM |
| #6 By 20 (67.9.179.51) at 8/6/2003 7:19:39 PM |
|
#12: So far Red Hat has released 46 vulnerabilities for it's Linux 9.0 product this year.
Windows 2003 has had one vulnerability so far (well, ok, 3 if you count the IE vulnerabilities that don't affect Win2K3 by default, you have to TRY to get the vulnerability) How many times have you tried to connect to a Windows ahred folder and had it forget to ask for a password? Never. Either passwords are required or not. It never "forgets" to ask you. Each time you try to connect it sends your username and password for authentication... Bzz. Wrong. Either you're a liar or ignorant (probably a mix of both). NTLMv2 authentication never sends the password across the wire. It only sends a response to the challenge (which includes an irreversible hash of your password combined with the challenge and some "magic" info to prevent against replay attacks, Kerberos uses a similar model) In fact, if you're on a domain, it doesn't even do that. You are issued an authentication ticket from the domain controller and that ticket serves as your authentication to Domain-trusting computers. What kind of crappy security is that? Well, since you based it on false premise, that question isn't valid. Maybe you should look at Linux security. Sending passwords in plain-text over Telnet connections. What about NIS authentication for remote mount points? Ever seen the traffic that thing puts out? What about storing hashed passwords on the disk without any type of protection other than basic file permissions? And speaking of basic file permissions, what about the 1st-grade level User/Group/Everyone permissionbits model of Linux for file security? What a joke. Not to mention numerous holes in the kernel that help allow you to get around these (yes, most are patched as long as you keep up on your patching). Security was not a priority in the development of Linux. It only got what little security, and full of holes security it is, from it's Unix ancestors. Windows 2000 and 2003 were designed from the ground up based on the NSA-certified security of NT4 SP3 and later and expanded on those trusted and certified security designs and practices. I suggest you go back to the festering pool of ignorance that is Slashdot, #12. |
| #7 By 9589 (68.17.52.2) at 8/7/2003 12:36:31 AM |
|
According to this article, http://news.com.com/2100-1001-984383.html, written in February 2003, Red Hat and Oracle were trying to do the same thing as IBM with SUSE, but apparently knew better than to try for anything higher than EAL 2 certification. Nevertheless, all the companies concerned went ahead with the certification process because without it most of the industrialized countries' governments are not able to use it in many contexts. EAL 2 certification will give Linux certain in roads, but certainly not full acceptance in the lucrative government realm. To quote CCEVS, "in general, the U.S. Department of Defense views EALs 1 and 2 as Basic Level Assurance, Levels 3 and 4 as Medium Level Assurance and Levels 5 through 7 as High Level Assurance." And, "Some Departments (e.g., U.S. Department of Defense) offer guidance as to appropriate assurance levels for given threat environments."
For a list of operating systems that have already achieved EAL 3 or 4, go to: http://niap.nist.gov/cc-scheme/ValidatedProducts.html#operatingsystem For a list of CCRA participants, go to: http://niap.nist.gov/cc-scheme/ccra-participants.html By the way, crapple has OS X and XServer in testing for EAL 3 certification, http://niap.nist.gov/cc-scheme/InEvaluation.html. There is apparently no mention of any Linux OS in evaluation or having passed any EAL level, for that matter, on the CCEVS web site. |
| #8 By 20 (67.9.179.51) at 8/7/2003 1:36:25 PM |
|
#18: *sigh*... you guys never get its. Permission bits do not offer even a fraction of the security or functionality that DACLs provide.
And no, not every *nix uses it today. Most major Unix implementations have completely overhauled their security infrastructure to support ACLs and you can install it in that mode, or install it in that mode and allow "legacy" permissions so chmod still works. As far as that acl.bestbits, like I said, there are several ACL implementations for Linux which are just hacks on top of the frail security already present. There is no comprehensive, complete overhaul of Linux security. Mainly because that would break many legacy application and require complete overhauls of other systems and applications who depend on the weak U/G/E permissions. With permission bits you cannot: - Set explicit deny (a requirement for higher security certifications including the Redbook TSEC certification) - Set automatic permission inheritence (so a change at the top level automatically affects all children) - Configure multiple groups with different security to the same resource - And several other things that I can't think of right now But DAC is more than just DACLs, it's a comprehensive security mindset throughout the OS which Linux does not have. As far as real world performance, Windows smokes everyone. Check out www.tpc.org, Look at all the companies switching their old Unix mainframes for Windows Datacenter Servers. It seems you can buy single or clustered Windows boxes, or an army of cheap-o Linux boxes to replace your Unix system and the choice is obvious, unless you're an ABMer and you HAVE to use Linux. |
|
Write Comment
Return to News |
Displaying 1 through 25 of 156 Last | Next |
The time now is
9:50:23 PM
ET.
Any comment problems? E-mail us |
