At 09:35 PM 11/14/98 -0500, John Young <jya@pipeline.com> wrote:
An NSA team presented at NISSC98 in October "The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments:"
...
Not that NSA would ever exploit OS weaknesses not warned about.
Part of the context for this: NSA is trying to encourage their new testing program for security products. My feeling is that program, in turn, is intended to preserve the spaces for all the employees involved in the failed TCSEC/Rainbow testing program. I say "failed" because it hasn't caught on in the private sector, it's expensive and, of course, the laughable "C2 in '92." If you can't trust your OS, Dum-dum-Dah! NSA to the rescue with testing! The new Common Criteria is to replace TCSEC/Rainbow next year, but if it walks like a duck....
Anonymous wrote: <<snip>>
failed TCSEC/Rainbow testing program. I say "failed" because it hasn't caught on in the private sector, it's expensive and, of course, the laughable "C2 in '92."
While I was never a great fan of the Rainbow Series, to say that it failed because it hasn't caught on in the private sector is not holding very close to the point of it all. The "typical" private sector approach to security is to do nothing 'til the hackers come over the Internet and wreak havoc, then throw up a proxy server/firewall and go back to normal practices until the next "event" and try to plug That Hole. C2 by 92 was an effort on the part of the government/military to stop those practices on their own parts. True, not completely successful, but hey what the Hell, how many of the efforts by them folk are?
PHM
Amen. In my experience, no network I've _ever_ been associated with (private, public, military, or whatever) has ever proactively pursued a security model. Security has always been defined as preventing a well-defined (and well-experienced) exploit from being repeatedly used. Rainbow series, feh! Even the folks who should know better call NT4 C2 compliant. CYA is the TLA of the day.
On Sat, 14 Nov 1998, Paul H. Merrill wrote:
Anonymous wrote: <<snip>>
failed TCSEC/Rainbow testing program. I say "failed" because it hasn't caught on in the private sector, it's expensive and, of course, the laughable "C2 in '92."
While I was never a great fan of the Rainbow Series, to say that it failed because it hasn't caught on in the private sector is not holding very close to the point of it all. The "typical" private sector approach to security is to do nothing 'til the hackers come over the Internet and wreak havoc, then throw up a proxy server/firewall and go back to normal practices until the next "event" and try to plug That Hole.
C2 by 92 was an effort on the part of the government/military to stop those practices on their own parts. True, not completely successful, but hey what the Hell, how many of the efforts by them folk are?
PHM
Participants (3): Anonymous, BMM, Paul H. Merrill