Red Hat gains security certification (News.com)

Posted Apr 29, 2004 23:04 UTC (Thu) by Soruk (guest, #2722)
Parent article: Red Hat gains security certification (News.com)

I can only assume that for Windows to get EAL4 certification, they offered a machine with no networking ability and the PSU removed.
:-)


Red Hat gains security certification (News.com)

Posted Apr 30, 2004 4:35 UTC (Fri) by flewellyn (subscriber, #5047) [Link]

That wouldn't be sufficient; you also have to bury it in concrete two miles down, and surround
the area with full-scale military deterrents, such as a tank battalion, armed guards, and
loudspeakers blaring the complete works of Barry Manilow 24/7. Only then would a Windows
machine be considered fully secure.

Alternatively, you could just pay lots of money to the certifying body.

Red Hat gains security certification (News.com)

Posted Apr 30, 2004 6:21 UTC (Fri) by anselm (subscriber, #2796) [Link]

Remember that at these levels EAL certification mostly means that somebody has checked that the documentation is complete. It does not involve looking at the actual system in any detail, let alone doing so from the point of view of a dedicated attacker.

Even the Windows EAL4 certification doesn't say much more than that the system may be reasonably secure if nobody on it is misbehaving (and that includes the programmers of third-party applications). If I remember right, the Windows machine in question was one with no networking and no software installed beyond the actual operating system.

Red Hat gains security certification (News.com)

Posted Apr 30, 2004 11:23 UTC (Fri) by crankysysadmin (guest, #19449) [Link]

Does anyone take these certifications seriously anyway? (with the exception of marketing people and managers who must show something to non-techs who have power over them in order to make them feel good)

Red Hat gains security certification (News.com)

Posted May 8, 2004 9:31 UTC (Sat) by apollock (subscriber, #14629) [Link]

Remember that at these levels EAL certification mostly means that somebody has checked that the documentation is complete. It does not involve looking at the actual system in any detail, let alone doing so from the point of view of a dedicated attacker.

That's not strictly correct. When a product is evaluated under the Common Criteria, it's done so under specific Terms of Evaluation (TOE). In the case of Windows, I do believe the TOE included not having it plugged into a network (or at least it used to for NT4). I'm yet to read the TOE for Red Hat, but it'll be under a certain configuration, and if you deviate from that one inch, it's no longer certified to EAL2. End of story. And they do take into consideration the software, the source code etc. I remember once, Firewall-1 fell off an Evaluated Products List because they didn't get source code in by a deadline...

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds