Path: utzoo!censor!geac!torsqnt!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!usc!apple!ames!haven!uvaarpa!murdoch!news
From: randall@Virginia.EDU (Ran Atkinson)
Newsgroups: comp.unix.sysv386
Subject: Re: security levels, V.4
Message-ID: <1990Dec3.151344.25821@murdoch.acc.Virginia.EDU>
Date: 3 Dec 90 15:13:44 GMT
References: <1990Nov23.182943.21094@cs.dal.ca> <2389@sixhub.UUCP> <2313@tabbs.UUCP> <1990Nov29.224243.2934@ico.isc.com> <1990Nov30.145545.29792@murdoch.acc.Virginia.EDU> <873@visenix.UUCP>
Sender: news@murdoch.acc.Virginia.EDU
Reply-To: Ran Atkinson
Followup-To: misc.security
Distribution: na
Organization: University of Virginia
Lines: 29

In article <1990Nov30.145545.29792@murdoch.acc.Virginia.EDU>, Ran Atkinson writes:
>>If folks dislike C2, they will be much more unhappy with B2. I on the other
>>hand prefer at least a B1 system because it is much safer from breakins

In article <873@visenix.UUCP> beattie@visenix.UUCP (Brian Beattie) writes:
>B1 is no more resistant to breakins than C2.
>in fact the C2 requirements for I&A (login and password)
>are the same as for B2.
>A properly administered C1 system is
>as safe from _breakin_ as a B2 system.
>The extra requirements for B1 and B2 are for
>labeling of data and are required to prevent
>users with accounts from accessing data improperly
>not for preventing unauthorized access to the machine.
>It is a common misconception that the higher the rating
>the more secure the system is from breakin, this is
>generally not the case.

I consider ANY unauthorised access to data on a system to be a break-in.
Most breakins are from folks who have access to a system, not from outsiders.

My original statement is entirely correct. I avoided using the technical
terminology of the trusted systems world deliberately since the audience
here is primarily not folks in that community.

Ran
randall@Virginia.EDU