At 09:35 PM 11/14/98 -0500, John Young <jya@pipeline.com> wrote:
An NSA team presented at NISSC98 in October "The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments:"
...
Not that NSA would ever exploit OS weaknesses not warned about.
Part of the context for this: NSA is trying to encourage their new testing program for security products. My feeling is that program, in turn, is intended to preserve the spaces for all the employees involved in the failed TCSEC/Rainbow testing program. I say "failed" because it hasn't caught on in the private sector, it's expensive and, of course, the laughable "C2 in '92." If you can't trust your OS, Dum-dum-Dah! NSA to the rescue with testing! The new Common Criteria is to replace TCSEC/Rainbow next year, but if it walks like a duck....