A fundamental constituent of Microsoft’s Trustworthy Computing initiative is “Reliability. The customer can depend on the product to fulfil its functions.” No-one wants to be a guinea pig and, after all, Microsoft hardly have a track record of designing secure platforms. Not entirely true. Recent accreditation to CM-EAL4 puts Windows 2000 on a security par with most hardened versions of Unix.
Has Microsoft Delivered Trustworthy Computing in Server 2003?
About The Author
Eugenia Loli
Ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.
Follow me on Twitter @EugeniaLoli
This article is crap. This is just marketing (look at all those ads for updating your windows 2k server).
EAL4 doesn’t means nothing without a profil. And they do not spoke about the profil it this article.
I had a look with the crypto team at work at the profil when MS claims EAL4. The conclusion was that it does not bring any interresting security value for a TCP/IP server. With enough money for funding, any OS can target this profil. You barely need the source code for this !
Microsoft hardly have a track record of designing secure platforms.
What is wrong with this guys grammer? Anyway that statement does have truth to it. You remember how many security patches they released for hmmm was it win2000 or xp? Both probaly.
Until they accept full disclosure bug reporting as necessary then they will continue not to trust them. The current keep everyone quite and hope it goes away way of doing things is not helping them.
hmmmm…
Interesting that this article mentions Kerberos, as, if I remember right, the MS implementaion is inconpatable with non MS ticket issuers becouse an extra field they added to there version of the Kerberos Ticket.
This is similar to what the article says they are doing to the Liberty Alliance federated identity scheme. Until they stop trying to embrace and extend everyone out of existence by changing security standards to suit themselves they will not gain any trust.
Whenever you change anything you open the door to bugs, when you change security protocols this is expecially problematic (expecially if you are not changing them to try and increase security).
The .NET CLR will help security cirtainly, but as you can still access raw pointers you can still create buffer overflows. Something that is the core of so many security threats, and so many of MS’ own security threats. Java not being able to access raw pointers is a little better in this area.
With a title of “Has Microsoft Delivered Trustworthy Computing in Server 2003?”, who gives a crap about “Recent accreditation to CM-EAL4 puts Windows 2000 on a security par with most hardened versions of Unix.”???
We’re we going to talk about Server 2003? What does 2000 server getting CM-EAL4 have to do with anything? as Sch posted above, this doesn’t mean jack (or jill).
Great! Microsoft’s spyware is certified by the government now, part of the DOJ antitrust settlement.
Whenever your computer is running a little bit slow… don’t worry, it’s Microsoft’s Remote Desktop Monitoring working in the background, keeping the government safe from free people!
Didn’t MS get w95 certified by some agency that it was also
secure? Which even MS has said (now) in so many words is
ludicrous.
In a technical sense, of course, one day, MS will be secure. After all, they always get it right the nth time
aftert they say they already have achieved something.
In the larger sense of the word they can never be trustworthy? Isn’t this the company that switched computers
midway in a video that was supposed to demo that IE couldn’t be removed from Windows w/o breaking it?
How many chances do you get at redemption when you are
a chronic liar?
Someone may take their spouse back even though they have
been caught cheating, but they will never trust fully
again.
MS makes Hanks Williams ( your cheatin heart) out of all
us.
Michael, do you really think you are so important that Microsoft and the government wants to spy on your computer? Get a freaken life.
So, tell me how Linux is any different? By the way, Linux is full of backdoors for hackers (made by whoelse? hackers). Linux is the most insecure OS ever unleashed on to the public. I can say confidently, that Linux is a certified virus.
Bill Gates rules! Long live Windows!
This is the biggest lie i have ever heard.
Maybe they wont spy on your computer, but that doesn’t matter.
The problem is, if they WANT to spy on you, they ARE ALREADY able to do this without any hassle…
It may not matter to you, as long as they don’t use it against you, but I hate that any of my personal info is always available to M$ or any US agency…
you forgot the <sarcasm> tags
“Until they accept full disclosure bug reporting as necessary then they will continue not to trust them. The current keep everyone quite and hope it goes away way of doing things is not helping them.”
Did it ever occur to you that they could very well be legally obligated NOT to disclose bugs for fear of liability issues? At least until they can work out a patch and/or workaround solutions for the problem.
Back in the mid to late 90’s, Windows NT systems had been evaluated at a C2 security level under the US gov’t’s evaluation process, or at a C2-equivalent level under the British Gov’t’s ITSEC process. MS made a big noise about this, but they failed to say that the C2 security level they got only applied to NT systems that were NOT connected to a network (what does that say for a Network OS??). And it only applied to a specific hardware/software configuration, any changes and the cert was void! MS’s security has been BS, is BS and will continue to be BS.
Here’s a link… http://www.osopinion.com/Opinions/ConZymaris/ConZymaris2-2.html
It’s my in uderstanding that to obtain a C2 level of security that you cannot have the computer attached to a public network anyway. This goes for ANY OS. Not ot mention that the C2 security process requires an established set of hardware and software. Again this goes for ANY OS wishing to obtain C2 certification.
These certificates are ridiculous and totally useless, since any company willing to throw a lot of cash at it can get one.
Free operating systems can’t, because they haven’t got the money.
All that these certificates say is how much money a company wants to spend in order to be able to claim that their product is secure.
I’d rather trust the security of an OS that has proven itself in this area, like OpenBSD, instead of an OS that has a bug-ridden past and that somehow got a little meaningless certificate.
If you take a look at the recent passport hole for example, you can do just one thing: laugh at the total incompetence of the people who wrote that piece of software. I still don’t understand how such a blatant mistake could’ve ever been made. Let’s hope the people that are working on win2k3 are more competent
Imho, every time Microsoft mentions something about security, it’s just hollow marketing speak. But hey, it seems to work time after time, as they keep on selling their products, so we can’t blame them from running their business the easy way, can we?
Did Hell Freeze Over Last Night????????
Thank you for the link..it seems a lot of people have forgot about Microsofts history. No matter how many times you change the name and/or box of a product it stays crap! For god sake its Microsoft! Bla bla bla and product X is becoming even better, really!, Really?
Here is a link to a pdf showing that in 1997 Novell had been C2 rated FOR A NETWORK. http://developer.novell.com/research/appnotes/1997/july/05/a970705_….
Here is the html link to the Google cache for the above pdf link… http://www.google.ca/search?q=cache:-PDBstDYn2sC:developer.novell.c…
Enjoy
The words Microsoft and trust should never be used in the same sentence.
Have you read the EULA? In fact ANY software licence? They are NOT liable for bugs. If a MS bug stole your credit card detatils and mass mailed them to everybody you have ever met the wiped your hard drive then you couldn’t sue them. This has nothing to do with getting sued. As they can’t be.
At least if they put details of what went wrong in there people could get a workaround in place while waiting for afix to come. It would also actually fix the bugs in question, tell MS privately and they will not do anything, publise it and out comes a patch. This is why full disclosure is needed. Trying to force an end to full disclosure is about the bad PR that the stream of bugs against them generates, whilst saing them the programmer hours (therefore money) of having to make a patch.
If you look at other articles from the it-directory.com site, you’ll see things like Windows Server vs. Linux TCO, Upcoming ‘exciting’ features of things like W. Server 2003 and successful Unix-W. Server migrations.
Is this narrow minded or what!
The words Microsoft and trust should never be used in the same sentence.
“I don’t trust Microsoft.”
That was easy.
GMFTatsujin
From what it looks like the author may have gone to the George W Bush school for advanced English.
Thank you for the link..it seems a lot of people have forgot about Microsofts history. No matter how many times you change the name and/or box of a product it stays crap! For god sake its Microsoft! Bla bla bla and product X is becoming even better, really!, Really?
My beef with Microsoft is this. They’re a large company with thousands of programmers, billions of dollars in profit and a mile high pile of cash in their garden yet they can’t even do something as basic as having an operating system designed to be secure and stable from the ground up.
Lets start with the first issue. Had Microsoft stuck with the openstandards, namely UNIX 98, POSIX, LDAP, Kerbos, and numerous other openstandards, would they be in the pickle they are in today? probably not.
Lets move onto the second issue. Microsoft NT never is, never has and never was a superior solution to *NIX. True, people changed as in many cases using UNIX for a small business was comparable to killing a flea with a cannon. However, as people have slowly realised, NT doesn’t deliver. All NT is, is yet another product developed by Microsoft out of a zealot hatred of anything that isn’t developed by them.
Just look at Network Computing. Ellison and Scott both promoted it 6-7 years ago. Microsoft claimed that this was a so-called “return to the dark days of computing”, yet, they gradually slided out the door Windows NT terminal servern and semi-promoted the idea of thin client computing.
This is the kind of company people are competiting against. A company lead by two men who have a zealot hatred of anything that is innovative or openstandards based.
Windows 2000 has been certified at the highest level in Common Criteria, and so can wave a piece of paper with the same title as the one owned by Trusted Solaris, AIX, etc. What this means is that when someone wants to develop a secure platform, Windows 2000 is one of the few platforms that they can choose, and get a copy of that piece of paper to show to their customers, regulators, PHBs and lawyers.
Does this mean that Win2k is more secure than OpenBSD? No. Would I use Win2k as the basis of a secure platform? No. Would my customers, regulators, PHBs and lawyers accept my personal judgment as a substitute for the Common Criteria certificate? Sadly, no.
OpenBSD was developing a friendly relationship with the DoD, which might eventually have led to funding for CC evaluation. Tragically, Theo blew it by exercising his freedom to criticise the war in Iraq. The DoD exercised its freedom to terminate his funding. End of story.
The most important comment on this story is the first one: what profile is the certification of Win2k for? We can safely assume that the certification only applies when services such as IIS are switched off.
You know why OpenBSD, Trustix and other secure Linuxes are not
a lot around? Its because the people who make the discisions
are not qualified and/or have the knowledge the merely follow the ads and the product managers. Also a lot of so called it-specialist are know to setup.exe, click me and whatever wizards. Microsoft is delivering them that, easy installs, easy setups etc. If those so called it-specialist would, please, really question themselfs what they were doing, why and how i think they would rather choose OpenBSd or Linux to get the job done. I am not looking for a wizard webserver setup etc. with ugly plastic organic buttons to show to my girlfriend i can really setup a webserver. I am looking for a decent piece of software that i can control, rewrite, rebuild and reconfig any time at any place.
Microsft is not only bad desktop software it is very bad server software.
Yes!
Keep up the good work.
Do you have proof of this? And no, conspiracy theories do NOT count as proof.
Windows is POSIX compliant, that has nothing to do with security, it just means it can run POSIX apps.
name one POSIX app that ms can run that will run a Unix box???
I waiting….
http://www.berenddeboer.net/eposix/
http://msdn.microsoft.com/archive/default.asp?url=/archive/en-us/dn…
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/…
http://www.microsoft.com/windows/sfu/productinfo/overview/default.a…
1) POSIX implementation wasn’t even close to 1/2 complete. The only reason why they implemented it in such a small portion was so they can get it through the criteria required when bidding for government contracts.
2) POSIX was ripped out of Windows in XP and 2003. Why should I now pay extra for a API I consider a basic part of an operating system? I want an operating system that is UNIX like, POSIX compliant, and unfortunately Microsoft fails to deliver.
3) Why didn’t you reply to my statement regarding UNIX 98? would it be that I’ve struck a factural cord and you don’t want to reply? How many UNIX 98 compliant operating systems out there are built like a strainer with millions of holes?
4) Unlike Win32 api, the unified UNIX api set is mature, fully documented and tested vs the mess, Win32, which Microsoft claims is “superior to *NIX”. An operating system is like a fine wine, it gets better with age. With the right conditions, it can get even better. Microsoft is like a cheap $3.99 bottle of wine matured in a aluminium barrell. The masses will drink it as the majority don’t have any functional taste buds, however, those with class with prefer paying the extra amount for a mature wine.
2) No, it was NOT pulled out of WinXP, and certainly not 2003. (If you look around the net, there are registry hacks to disable POSIX in XP).
3) I didn’t reply because I simply have nothing to say to that.
4) You are truely a zealot. Zealots, in my mind, are truely pathetic. Perhaps you should try opening up your mind… not everything Micrsoft does is bad, and they do make decent products.
Have you even touched 2003 yet?
Here is a link to a pdf showing that in 1997 Novell had been C2 rated FOR A NETWORK.
Although the link (from 1997) says that they were nearing completion of a C2 rating for a network (with all systems on the network being rated C2 for a network or the whole thing is no longer valid), they’re not listed as having achieved that rating, for a network or otherwise, you can check here:
http://niap.nist.gov/cc-scheme/ValidatedProducts.html
and here:
http://www.commoncriteria.org/ccc/epl/productType/eplinfo.jsp?id=99
Windows 2000’s rating, for a network, is based on a Windows 2000 network (ie clients and servers are all running Win2k Pro, Server, or Advanced Server and properly configured), as Novell’s network would’ve been (for Novell products).