Alexander wrote:
> When was SGI going to let the rest of the world in on this info? :)
--- We have been letting folks know -- we are active in other security project lists, my manager has been on the speaking tour and mentioned more than once on slashdot -- the whole giving away the B1 on OSS has been mentioned more than once. I spoke in Florida last week and have 2 European speaking engagements in June, another one in August, and another unconfirmed possibility in July. Most of these talks (SGI "Linux" University) are open to the public, the others are at public conferences. Meanwhile we are trying to move while the movin' is good. :-)> That sounds a lot like it should be in the realm of a customized distribution that someone would > sell/support while making all of their changes open. --- For the user level programs we are looking at distro industry partnering. We've already partnered w/RH in an earlier release to add in some I/O enhancements or something (I'm not sure of the exact details, 6.0 I think) for Oracle. We are partnering in the Trillian project for ia64 Linux and want to see Linux be a fully commercial player -- hopefully scaling up to the number of processors IRIX supports (currently 256P). My and my group's work on 'trusted' Linux is just another aspect of our desire to contribute and enhance Linux.
> > Why wasn't "SMP released as a working "add-on"? Auditing and MAC need to be integrated > > into the kernel -- they can be build-time configurable, but they can't exist as separately developed > > modules. > > Hrm. I'd say that was because SMP was more important to people than DOD-supported trust certification. :) --- SMP would not be *able* to be modularized into a module. It's not just a US DoD thing, it's international.
> Look at pcmcia-cs, it was used by everyone and their brother, and it wasn't included into the main kernel > distribution until recently. And it was included, IIRC, because it actually provided functionality that > people wanted/needed, AND it had a proven track record. --- That was a driver to support specific devices (which I use as well - I was surprised when I had to rebuild pcmcia separately from the kernel the first time I redid my laptop kernel) this is a kernel feature like
> Hah, I have one word: Fahrenheit. Where is it now? --- I dunno. What was it? Wasn't it some graphics thing? :-o Dod requirements have been around since 1985 and in 97 they merged their requirements with the European ITSec and came up with the Common Criteria standard. Whether you believe we (SGI) will finish/meet CAPP or LSPP, is only partially relevant since we are doing our work and giving it to the community (or at least trying to) as fast as they will take it. The requirements are spelled out in exhausting detail. We've open-sourced all the security code we created for TRIX out on OSS. If you think we won't finish -- take a snapshot of the B1 code, grab the spec and go for it. Give us input as to what you'd like to see. I only implemented the "session id" because of input I got here on the kernel list -- I didn't dictate that my way was the only way -- I'm all "let's see how everyone can win". I think I'm making myself sick...where's my cynicism...my bad-attitude. Oh well... sorry, I'm just minorly enthused in this ... just an itty bitty bit...:-)
> Well, good luck. You have my best wishes. --- Thanks, please support us with insight and feedback and help getting stuff in. If something doesn't work, lets work to make it work. (I'm gonna have to adjust my medication...I'm far too enthused about this...)...
Ya know, while the Dod's directives only mandate its own compliance it is also recommending use of evaluated systems, only, to the rest of the government as well. I don't want to see NT get chosen over Linux just because of, as Rik puts it, this piece of paper. This isn't just about "real security". It's *evaluated* security -- "assured levels" of security that count in the Trust industry. Common Criteria has functional specs for Crypto, non-deducibility, data integrity -- a whole range of features that *isn't* addressed by LSPP/CAPP. I haven't seen any other Protection Profiles, official or otherwise, so for now, those are the only "official" measures out there.
The DoD is enthused about the possibilities in Linux. They don't want to have to pay 2-20K more for a system they are dependent on a private vendor to fix and maintain. They don't know *all* the backdoors that have been left in closed source products (just probably alot of them). Imagine asking an NSA director if they'd like a trusted, open source Linux and hearing back "The wonder and joy of this is not in dispute". Dunno about you, but I think that is serious coolness.
-l
-- Linda A Walsh | Trust Technology, Core Linux, SGI law@sgi.com | Voice: (650) 933-5338
- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sun May 07 2000 - 21:00:11 EST