Path: utzoo!utgpu!news-server.csri.toronto.edu!clyde.concordia.ca!uunet!mcsun!unido!mikros!mwtech!martin
From: martin@mwtech.UUCP (Martin Weitzel)
Newsgroups: comp.unix.i386
Subject: Re: SCO Unix security features
Message-ID: <881@mwtech.UUCP>
Date: 15 Aug 90 12:41:46 GMT
References: <135@happym.wa.com> <9023@scorn.sco.COM> <1990Aug11.183525.19524@NCoast.ORG> <1990Aug13.101924.20284@robobar.co.uk> <1990Aug13.
Reply-To: martin@mwtech.UUCP (Martin Weitzel)
Organization: MIKROS Systemware, Darmstadt/W-Germany
Lines: 39

In article <165@edat.UUCP> root@edat.UUCP (Superuser) writes:
>In article <1990Aug13.143157.12682@specialix.co.uk> jpp@specialix.co.uk (John Pettitt) writes:
>>Some comments on the C2 debate:
>
>[deleted criticisms]
>
>SCO has stated that a whole new version of the C2 system is being
>released in the next update.  I beleive this update is due out
>next week.  In particular the management of C2 is expected to be
>much better.

To throw in another $ 0.02:

Isn't one of the key principles of C2 security the following:

	SECURITY MUST NOT BE ACHIEVED BY OBSCURITY

or in other words: Isn't any C2-secure system obliged to describe
each and any method *how* their (until then only claimed) security
is implemented?

If I'm right with the above, I can not understand the whole discussion
and the many complaints about SCO UNIX security features:

	1) SCO does NOT document how C2 security is achieved.
	2) The ones who complain haven't RTFM.

If 1) is true, SCO shouldn't speak of their "C2-secure-UNIX", but
of their "we-try-but-haven't-quite-managed-to-make-C2-secure-UNIX".

If 2) is true, there's no reason to post any more complaints. (To
those who didn't notice the sarcasm in my article until now: Of
course you should continue to post your complaints, as a C2-secure
system which documents its implementation in such a way that you can
not find easily what you are looking for, may well be considered as
one which trys to achieve security by obscurity and hence is *NOT*
C2.)
-- 
Martin Weitzel, email: martin@mwtech.UUCP, voice: 49-(0)6151-6 56 83