Open Source and information security mailing list archives
Message-ID: <200405180232.i4I2WaDC002719@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Support the Sasser-author fund started 

On Tue, 18 May 2004 12:39:46 +1200, Nick FitzGerald <nick@...us-l.demon.co.uk>  said:
> "Shane C. Hage" to Bill Royds:
> 
> > I agree with most of your statements below.  
> 
> Well, actually, he was wrong if you consider the NT family of OSes 
> starting in about 1993-4 (true, OOTB they were configured to be "fully 
> Win 3.x compatible" -- that is, with all security disabled/dumbed down
> -- but the underlying architecture design at least met most of the 
> minimum criteria for C2...).

Actually reading what C2 *required* is quite enlightening.

Code identified as a 'Trusted Computing Base'. Identification of specific
users.. discretionary access controls.. an audit trail.. object clearing before
reuse.. Testing for *obvious* flaws..

Yep, that's about it.  Userid/password, some sort of user-settable file
permissions, don't let the next user snarf blocks off the disk by allocating
a big file, and keep an audit trail.  *real* stringent. Even when NT came out, C2
wasn't considered much security at all...  Most of this stuff was already
well understood when Multics was done in the mid-60s.

Security labels? MAC? Those are B1.

"A team of individuals who thoroughly understand the specific implementation
of the TCB shall subject its design documentation, source code, and object code
to thorough analysis and testing".  That's not a requirement till B1 either.
(Yeah.. ponder THAT one - you don't have to do a thorough test to get C2 ;)

"Trusted Path" for login?  That's in B2, as is covert channel analysis.

You get the idea... ;)

