Ray scribes:

Microsoft recently got C2-security status approved for Windows NT by the National Computer Security Center, a division of the NSA. They are supposed to put systems through "laborious testing and review" before they approve C2.

Not so laborious, the brunt of C1 and C2 testing is accomplished by a test suites that do topical levels only. The issue is that there is a NCSC engineer watching it happen. Hence if oit passes it is "blessed". As per the orange book itself, C2 is about the lowest level of "Secure" that you can get. In fact if Microsoft had gone to the trouble of a B1 or B2 rating this would have been impressive but since most systems analysts have not been familiarized with the levels of system accounting and access control/logging that represents the various levels of "Orange Book" Rating it is somewhat superfluous.

So, if one can find bugs in NT's security, one can toss a little more egg on the NSA's face and the sham that part of their activies to *help* to secure american computers. A simple violation of NT's C2 status would be to demostrate a flaw in it's memory protection implementation.

Personally, I think NT is *riddled* with bugs waiting to be discovered. Hell, even the NT "service pack" is included in the C2 status, which I bet has plenty of holes.

No Doubt; NT should be easily hacked in the upcomming months by any number of mortals let alone the gods themselves. What UNIX has that NT doesn't (which makes it more vuknerable to attack) is 20 more years of evolution, More copies, everybody knows it (at least in our group)... As per NT's orange book C2 Rating... C2 is about the lowest level of Secure that you can get. In fact I personally am unimpressed, rather it is a box on an RFQ that gets checked Very few people run C anything sites in reality. If Microsoft had gone to the trouble of a B1 or B2 rating this would have been cool but since most system's analysts have not been familiarized with the levels of system accounting and access control/logging that represents the various levels of "Orange Book" Rating it is somewhat superfluous. This is especially true since the Folks at the FRB and FDIC/FSLIC orgaizations are more likely to require B2 or the like on the National Standards for "blessed" commerce Engines (I wonder what the FSTC has to say about this?). Seems to me like the "Evil Empire" is just puffing it's chest for a very very small market... IMHO - Military sites passing real classified data usually are not run on anything as low as C2. If you want a secure os, look at the Harris Computer Corp's B1-Certified version of ES/MP UNIX (they call it CX/SX). FOUO - For Official Use Only sites often run C1/C2 based OS's for Audit training but are usually not part of the Trusted Computing Base and as such not real threats. Still the most common problem is human not the OS. Not the actual OS itself,.

If Cypherpunks can find flaws that the NSA can't, or won't divulge, what does that say about their so-called COMSEC ability.

Not necessarily on the NSA, you have to start somewhere and they do a good job as far as NIST and NCSC efforts are concerned. If you can do better then you have a good career in commercial cracking or will have lots of time on your hands (Federal Food is the Pits, and the golf course is gone from Lompoc!).

-Ray

Regards, T. S. Glassey Chief Technologist Looking Glass Technologies todd@lgt.com -----BEGIN PGP SIGNATURE----- Version: 2.6 iQB1AwUBMFu5E6gNRnWhagU5AQHI+gL+Mwpcd3lAWd8FF06qcG6rnLhIYveHW71a XC7xh1T0uu8qnYX31yMp17OG28jWpKUbWec1IM9/eXOi+gInA7rKICWczV8zo9Z0 0puxjRRN7yO4KfRb3cPpk+r0p6pDg01Y =bTYb -----END PGP SIGNATURE-----