Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!olivea!uunet!wang!lee
From: lee@wang.com (Lee Story)
Newsgroups: comp.unix.sysv386
Subject: Re: Unix & X-Windows on 386SX
Message-ID:
Date: 13 Dec 90 17:54:40 GMT
References: <2389@sixhub.UUCP> <1990Nov26.010554.574@fiver> <156@raysnec.UUCP>
Organization: Wang Labs, Lowell MA, USA
Lines: 45

---------------------

This is specifically in response to Mr. Schwake's comment that C2 security isn't "part of the government", but rather "a certain level of security". (Perhaps the general discussion belongs in another group, but...)

I must agree with the former poster (Davidsen?). The "orange book" DoD security mandates certain technical ways of achieving a secure system, to wit, compartmentalization, access control lists, etc. (not all of which come into play at the C2 level); while this *determines* "a certain level of security", it is more than that. For example, encryption is not considered acceptable for most purposes: if it's too weak, the "enemy" can break it; if too strong, the National Security Agency can't. The same people who determine these standards want to try to make it a crime to send public domain information (e.g., DES implementations) to other countries. (I'm planning to send everyone I know in Europe and Latin America a copy of the requisite pages of Tanenbaum's book for Christmas.)

Now I admit that a very few commercial users may have the same sort of concerns as DoD (for example, funds transfer systems), but the majority of us would have to be wholly irrational to take on the additional complexity of DoD-style security in exchange for the marginal improvement offered.

The favorite ploys of vendors are: (1) to imply "if it's good enough for the Department of Defense, it's good enough for you"; (2) to offer "C2 (or higher) -certifiable" systems without actually having (any intention to) certify them, thus leaving the way open for any number of breaches, especially from below (in old system software -- it's still basically the AT&T System V code base, with "hooks" and "fixes" here and there).

My company sells SCO Unix and ODT. I think they are good products. We use and sell it not only on PCs but on i486-based timesharing systems. I don't know ANY developer who wouldn't pay a few bucks out of their own pockets to have the additional security "feature" completely removed.

------------------------------------------------------------------------
Please don't hold Wang Labs or Rick Miller or for that matter anyone else except me responsible for these damfool opinions.
------------------------------------------------------------------------
Lee Story (lee@wang.com)
Wang Laboratories, Inc.
Lowell Massachusetts 01851