[1248] in linux-security and linux-alert archive

[linux-security] certifications, etc.

daemon@ATHENA.MIT.EDU (Yuri Volobuev)
Sun Oct 20 07:31:10 1996

Date: Sun, 20 Oct 1996 00:30:44 -0500 (CDT)
From: Yuri Volobuev <volobuev@t1.chem.umn.edu>
To: linux-security@tarsier.cv.nrao.edu

Hi

I guess I didn't make myself clear.

Yes, I know that NT isn't C2 if it's on the net, it wasn't my point.
The point is: Linux has no certification at all, not even C3, and
probably never will, by its very nature. [REW: (*)] I personally don't
regret it, but people who have bosses do.  If you are a
corporate IS, you have to look at things differently.  Even if such a
person knows Linux is better, he/she still has to prove it to the
Boss, and in such an argument NT certainly sounds better than Linux.
It's not only security, it's everything.  Open any PC Mag and you'll
see what I mean.  If Linux ever gets mentioned, it's only like an
interesting phenomenon, not like a trustworthy OS.  It pisses me off
each time, but unfortunately it's true -- Linux isn't a corporate
user's choice.  There are exceptions, but... And security is one of the
points.  While Linux (IMHO) is better, NT is safer. [REW: (#)] "No
one ever got fired for buying IBM" - Micro$oft plays the same game.
It's not an advocacy group, so...

On the other hand, NT has existed for a few years now, without many serious
security problems discovered, while Unices have dozens of them, some
inherently difficult to fix (just looking at sendmail history can make one
think NT), because Unix architecture is better known and many utilities
share common parts of source code available to public, so finding holes is
easier. Linux holes are known better than holes in any other OS (see CERT
advisories). So even though C2 is an empty buzzword, it does reflect the
reality in some sense -- and that's what I originally meant.

yuri

[REW: (*) I don't think that that is true. Eventually someone will 
simply go out and ask for C2 certification, just like it was done
with Posix. (Yes, we're not even close yet....)

I think that the Microsoft policy of "try to prevent CERT warnings
about NT" is paying off. The Unix vendors have been blackmailed into
allowing CERT warnings. This way everyone is informed that there is
an occasional security hole discovered, and that it's been fixed.
In the Windows NT arena, you call Microsoft, they tell you to disable
the service, and maybe they'll fix it the next release a few years from 
now.....

(#) I prefer to read this in the light of the following statement....
"NT is safer if you want to keep your job..... " :-)

I'd like to close this discussion. I'll (always) make an exception for
arguments that can help convince management to take a Linux system in
favor of an NT system.]
