[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Hack Microsoft?



Ray scribes:

>   Microsoft recently got C2-security status approved for Windows NT by
>the National Computer Security Center, a division of the NSA. They
>are supposed to put systems through "laborious testing and review" before
>they approve C2.

Not so laborious, the brunt of C1 and C2 testing is accomplished by a test
suites that do topical levels only. The issue is that there is a NCSC
engineer watching it happen. Hence if oit passes it is "blessed".

As per the orange book itself, C2 is about the lowest level of "Secure"
that you can get. In fact if Microsoft had gone to the trouble of a B1 or
B2 rating this would have been impressive but since most systems analysts
have not been familiarized with the levels of system accounting and access
control/logging that represents the various levels of "Orange Book" Rating
it is somewhat superfluous.

>So, if one can find bugs in NT's security, one can
>toss a little more egg on the NSA's face and the sham that part of
>their activies to *help* to secure american computers. A simple
>violation of NT's C2 status would be to demostrate a flaw in it's
>memory protection implementation.



>Personally, I think NT is
>*riddled* with bugs waiting to be discovered. Hell, even the
>NT "service pack" is included in the C2 status, which I bet
>has plenty of holes.

No Doubt;  NT should be easily hacked in the upcomming months by any number
of mortals let alone the gods themselves. What UNIX has that NT doesn't
(which makes it more vuknerable to attack) is 20 more years of evolution,
More copies, everybody knows it (at least in our group)...

As per NT's orange book C2 Rating... C2 is about the lowest level of Secure
that you can get. In fact I personally am unimpressed, rather it is a box
on an RFQ that gets checked Very few people run C anything sites in
reality. If Microsoft had gone to the trouble of a B1 or B2 rating this
would have been cool but since most system's analysts have not been
familiarized with the levels of system accounting and access
control/logging that represents the various levels of "Orange Book" Rating
it is somewhat superfluous.

This is especially true since the Folks at the FRB and FDIC/FSLIC
orgaizations are more likely to require B2 or the like on the National
Standards for "blessed" commerce Engines (I wonder what the FSTC has to say
about this?). Seems to me like the "Evil Empire" is just puffing it's chest
for a very very small market...

IMHO - Military sites passing real classified data usually are not run on
anything as low as C2. If you want a secure os, look at the Harris Computer
Corp's B1-Certified version of ES/MP UNIX (they call it CX/SX). FOUO - For
Official Use Only sites often run C1/C2 based OS's for Audit training but
are usually not part of the Trusted Computing Base and as such not real
threats. Still the most common problem is human not the OS. Not the actual
OS itself,.

>
>  If Cypherpunks can find flaws that the NSA can't, or won't divulge,
>what does that say about their so-called COMSEC ability.


Not necessarily on the NSA, you have to start somewhere and they do a good
job as far as NIST and NCSC efforts are concerned. If you can do better
then you have a good career in commercial cracking or will have lots of
time on your hands (Federal Food is the Pits, and the golf course is gone
from Lompoc!).

>
>-Ray
>
>
>
>

Regards,

T. S. Glassey
Chief Technologist
Looking Glass Technologies
[email protected]


-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQB1AwUBMFu5E6gNRnWhagU5AQHI+gL+Mwpcd3lAWd8FF06qcG6rnLhIYveHW71a
XC7xh1T0uu8qnYX31yMp17OG28jWpKUbWec1IM9/eXOi+gInA7rKICWczV8zo9Z0
0puxjRRN7yO4KfRb3cPpk+r0p6pDg01Y
=bTYb
-----END PGP SIGNATURE-----