LinuxQuestions.org
Old 11-07-2002, 11:10 PM   #1
aaronluke
Member
 
Registered: Aug 2002
Posts: 58

Rep: Reputation: 15
Oh Linux, Where Art Thou?


Yesterday, the very first day, Microsoft announced that Windows 2000 has passed all required tests for certification under the Common Criteria (CC) at Evaluated Assurance Level 4 (EAL4) to demonstrate their “commitment to security.” Unlike the Windows® NT 4.0 TCSEC (Trusted Computer Security Evaluation Criteria, a.k.a. “Orange Book”) C2 certification which was on a non-networked machine without a floppy drive, the Windows 2000 CC EAL4 tests included among others the Active Directory Service, Virtual Private Networking (VPN), the Kerberos implementation, and the Encrypted File System. Where was Linux™ when Microsoft dropped this bombshell? Linux™ was nowhere to be found. There was no one from Red Hat, no one from Mandrakesoft (makers of Mandrake Linux), and no one from SuSE. Linus wasn’t there. Not even the self-appointed patron saint of open source, Richard Stallman, bothered to show up.

Oh Linux™, oh Linux™. Where art thou, Linux™? Why dist thou not showst up? The answer lies in a small, little excerpt from John Pescatore, Director of Internet Security for Gartner. He said, “Not all but some of versions of Linux could meet this level [CC EAL4] as well.”

That’s right. Not all versions of Linux could meet CC EAL4. In other words, not all versions of Linux could meet the same minimum security requirements as Microsoft Windows 2000.

“Well,” you ask, “exactly which versions of Linux can and cannot meet CC EAL4 requirements?” It stands to reason that the core Linux™ kernel, the version distributed by Linus at http://www.kernel.org, cannot meet these minimum requirements, because if it did, all versions of Linux™ would meet these minimum requirements. After all, other Linux distributions are not going to be made less secure. I also know for a fact that this is true. The reason that only some of the Linux™ versions would pass CC EAL4 is that those versions patch the main Linux™ distribution. In other words, those more secure versions are forks, alternative versions of Linux™ that were not accepted into the main distribution.

This means that Linux™, as released by saint Linus, the same Linux™ that all these so-called “experts” have been touting as the more stable, more secure alternative to Windows, is actually less secure than Windows 2000. Now I don’t want to get any email from you Linux™ naysayers asking me that if Microsoft Windows 2000 is so secure why does Microsoft® Windows 2000 have so many more security bugs, or security bulletins, than Linux™. Measuring the security of an operating system by the number of security bulletins is like measuring the security of a bank by the number of robberies. By that standard, my small town bank out here in the sticks with 2 tellers, 3 security cameras, and never more than US$1,000 cash on-hand is the most secure bank in the world.

The “theory of a thousand eyes” (the theory that open source is more secure because everybody can see the code and instantly discover a problem) doesn't make an operating system any more secure either. While the potential for more security exists, this doesn't ensure that the “thousand eyes” are actually looking. To the contrary, Red Hat has discovered bugs in the Linux kernel in sections that went unchanged for years. For example, not only did the Teardrop vulnerability in TCP/IP exist for decades, but the Teardrop vulnerability was ported to other operating systems, even though “thousands of eyes” had to be looking at the code in order to port it to another operating system. Peer review, an extension of this theory, doesn't provide any assurance either, because the reviewing peer may not be well versed in security and hence not fully understand or appreciate the implications of a given piece of code.

I’ve said it before, and I’ll say it again. The only way to fully evaluate operating system security, and to compare one operating system's security to another operating system's security, is to have that operating system evaluated under TCSEC or CC. These are comprehensive methods of fully and exhaustively evaluating security, and the fact that they are common standards allows operating systems evaluated by the same criteria to be compared in terms of total security assurance. Until Linus and his open source goons get their act together, get their kernel up to snuff, and get their kernel certified, Linux™ will remain less secure than its arch-nemesis, Microsoft Windows 2000.

full story: http://www.worldtechtribune.com/worl...sv10302002.asp
 
Old 11-08-2002, 12:07 AM   #2
jdc2048
Member
 
Registered: Jul 2002
Distribution: Redhat, Gentoo, Solaris, HP-UX, etc...
Posts: 391

Rep: Reputation: 30
Quote:
Based on a set of Department of Defense specifications for trusted systems known as the Orange Book, the Common Criteria certification doesn't guarantee that an operating system or software application is bug-free, but that the development and support processes that created and maintain the product meet a certain level of standards.
and
Quote:
Microsoft paid the Common Criteria testing lab at Science Applications International Corp (SAIC) to perform the evaluation of Windows 2000.
and
Quote:
"Only one company (Red Hat) has enough money to get certified," he said. "I don't think even United Linux has enough money to get Linux-certified."
 
Old 11-08-2002, 04:51 AM   #3
Bert
Senior Member
 
Registered: Jul 2001
Location: 406292E 290755N
Distribution: GNU/Linux Slackware 8.1, Redhat 8.0, LFS 4.0
Posts: 1,004

Rep: Reputation: 46
Also, have a look at:

http://worldtechtribune.com/worldtec...bz06282002.asp

and

http://www.worldtechtribune.com/worldtechtribune/

to find out which side their bread is buttered on. In fact, looking at those articles, there appears little to offer them credibility. Those articles are full of value judgements and opinion dressed up as fact.
 
Old 11-08-2002, 07:39 AM   #4
Bert
Senior Member
 
Registered: Jul 2001
Location: 406292E 290755N
Distribution: GNU/Linux Slackware 8.1, Redhat 8.0, LFS 4.0
Posts: 1,004

Rep: Reputation: 46
In fact according to Microsoft's latest missive from the November meeting in Berlin, the Anti OSS jihad is finished, and it never worked:

http://www.opensource.org/halloween/halloween7.php

Looks like worldtechtribune's editorial team will need to have a rethink.
 
Old 11-08-2002, 08:06 AM   #5
CragStar
Senior Member
 
Registered: Oct 2000
Location: UK - Frome
Distribution: Ubuntu
Posts: 1,081

Rep: Reputation: 47
In the words of porky pig: "B-B-B-B-B-B-Bull$hit".

Whoever wrote that article is obviously saying that because my well-respected friend (who I paid) has checked out my OS and has found no more flaws in it that haven't been discovered yet anyway, it must be secure, and because my next door neighbour didn't turn up to this pointless, costly ceremony, his OS is very insecure.

And who knows, maybe his bank in his home town is actually the most secure bank in the world if it hasn't had any robberies?!?
 
Old 11-09-2002, 01:23 PM   #6
masinick
Member
 
Registered: Apr 2002
Location: Greenville, SC
Distribution: Debian, antiX, MX Linux
Posts: 636
Blog Entries: 16

Rep: Reputation: 104
Re: Oh Linux, Where Art Thou?

Quote:
Originally posted by aaronluke

I’ve said it before, and I’ll say it again. The only way to fully evaluate operating system security, and to compare one operating system's security to another operating system's security, is to have that operating system evaluated under TCSEC or CC. These are comprehensive methods of fully and exhaustively evaluating security, and the fact that they are common standards allows operating systems evaluated by the same criteria to be compared in terms of total security assurance. Until Linus and his open source goons get their act together, get their kernel up to snuff, and get their kernel certified, Linux™ will remain less secure than its arch-nemesis, Microsoft Windows 2000.

full story: http://www.worldtechtribune.com/worl...sv10302002.asp
Linux is not the most secure operating system out of the box, you're right about that. I'd suggest that award would probably go to OpenBSD, or possibly to the long reigning mainframe operating system, OS/MVS (in whatever incantation or name it's given today).

Linux software, and the UNIX systems upon which it was based, were not originally designed with security in mind at all, so you're right about that much. Both UNIX and Linux designs, however, are extremely flexible and extensible, so that they can be easily made to be reasonably, or even extremely, secure.

The OpenBSD project focuses on security, so it is, by definition and intent, secure, whereas that is a secondary (but important) goal for Linux systems. The SE Linux project is specifically aimed at security, and that effort brings sound security principles to Linux software.

The Windows 9x series OS are inherently insecure; the Windows NT series OS (which includes NT, 2000, and XP) have more built-in security. I think that the security vulnerabilities in the NT family come mostly from applications, not the system per se, so I'd agree with you that NT family OSs have decent built-in security, possibly more default security than a plain, unaltered Linux system.

The good news (or maybe it is the sad news) is that most modern OS are taking security more seriously. Linux vulnerabilities seem to come mostly from buffer overflow issues, and those are being rapidly located and fixed. Windows vulnerabilities seem to come mostly from the convenience of being able to execute macros and embedded executables without sufficient safeguards in place. It's really too bad that we have to tighten down security; the openness of communication between processes and applications has been really convenient.

I get the distinct sense, though, that you're interested in taking shots at Linux software wherever you can. I think this forum is mainly designed to deal with Linux questions rather than Linux rants. I think there is room for constructive criticism, but let's leave it to that, and be careful about turning constructive criticisms into rants. The former are worthwhile, the latter are more annoying than they are useful. So I'll leave it at this: NT-based OS have some nice access control features that are not found by default in Linux systems, unless they happen to have the Secure Linux (SE Linux) features.

Where Art Linux? In the same open, flexible, extensible place it's always been, right where I like it!
 
Old 11-09-2002, 03:01 PM   #7
Bert
Senior Member
 
Registered: Jul 2001
Location: 406292E 290755N
Distribution: GNU/Linux Slackware 8.1, Redhat 8.0, LFS 4.0
Posts: 1,004

Rep: Reputation: 46
The article is copied verbatim though, it's not necessarily aaronluke's opinion. It's still a heap of dumpy.
 
Old 11-09-2002, 06:48 PM   #8
masinick
Member
 
Registered: Apr 2002
Location: Greenville, SC
Distribution: Debian, antiX, MX Linux
Posts: 636
Blog Entries: 16

Rep: Reputation: 104
Quote:
Originally posted by Bert
The article is copied verbatim though, it's not necessarily aaronluke's opinion. It's still a heap of dumpy.
I hope it's not Aaronluke's opinion. I wasn't looking for that kind of dialog in LinuxQuestions.org. Ziff Davis did post some links over the past 24 hours that showed, on one hand, studies that linked people moving over to Red Hat Linux to a seriousness about security, and another article that showed Windows 2000 meets high security standards (and not all Linux distros could meet the same standards). I think it was a reference to the second set of resources (which were probably the originals) from which the comments emanated. There is certainly some truth to each of the statements. In the end, security is a function of due diligence on the part of those using the system. Some systems include better tools than others, but it is users and administrators that are the weakest link, not always the systems themselves.
 