“This week, however, Linux was also awarded with CC security certification, and as one might expect, this announcement greeted with cheers from the open source community. There’s just one catch: Linux got a lower security rating than Windows 2000 did last year.” Read it at WinInformant. Update: The WinInformant article is a little slanted in its reporting, since the ratings discussed have little to do with how secure either OS is in real-world use. Keep in mind that to achieve the higher rating, the computer is not allowed to be connected to any network, since network-connected computers are inherently vulnerable. A CNN article shoots a little straighter on the subject. The certification is not a contest to see which is more secure, simply a test to see if the OS matches a certain objective set of criteria. You have to severely cripple a modern OS to make it meet government high security certification.
Linux Rated Less Secure than Windows
About The Author
Eugenia Loli
Ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.
Follow me on Twitter @EugeniaLoli
Linux got a lower security rating because that’s all that IBM cared to have it certified for. It’s not like this was a qualitative comparison between Windows 2000 and Linux, and Windows 2000 qualified whilst Linux did not. Linux *applied* for the lower rating, and got it. Note that even this cost hundreds of thousands of dollars, and even then only the SuSE distribution is covered and only on IBM hardware.
“greeted with cheers from the open source community”? No-one’s going to care except for IBM, and, to a lesser extent, SuSE. The certification’s way overpriced for what it is, and as a result of achieving it Linux is no better or worse than it was before, except for a nice shiny seal of approval which benefits no-one but the parties who paid for the testing in the first place.
it would of course be useful to know on which points exactly the linux systems failed to achieve a higher security rating.
http://www.cnn.com/2003/TECH/industry/08/05/linux.software.ap/index…
Here is the full story and it bypasses the usual Windows zealotry commentary by Paul
That’s a pretty weak argument given that Linux is such a fractured entity (and by fractured I mean numerous distros and endless setups).
In any case how “secure” an OS is often comes down to whomever admins the box anyways and what software runs on top of the OS.
This kind of certification tests the design of an OS. Does the OS have ACLs? Can I prevent a user from seeing the processes of other users? Is there a special key for entering password without trojan horses that intercept them (that’s why WinNT required you to press ctrl-alt-del before entering a password!). Things like that
They do not measure the number of security flaws…
It’s amazing that crap like this gets posted. The title is biased and misleading in itself, nevermind the content. As it has been stated already, Linux was tested for C2 certification while Win2000 has been tested for C4 certification, both received the certification that they were testing for. XP is not certified at all. Besides that, it has no real meaning to the average user because it is also dependent on hardware and configuration. This is just a nice piece of paper to show off to governmnet agencies. No need to celebrate or to worry.
Are you incapable of writing your own headlines and filler text? Of all the sites carrying the story, you have to link to what must be the most innacurate, hyperbole filled fanboi drivel. Why not link to the CNN or ZDNet stories, which actually contain some facts?
Linux was only submitted for L2+ certification; it was not submitted for higher certification. It does not mean that Linux is less secure than Windows, or indeed that it was “rated less secure than Windows2. For that to have been the case, Linux would have had to have been entered for and failed to recieve CC4 certification.
Why didn’t Eugina post the title of this article “red hot flame bait”.
Come on this article is dumb and is once that takes facts and portrays them in a way help bias. Articles like this are only going to start massive flamewars.
Post some real news.
Agreed.
Let’s see if they pull it like they pulled that “Introduction to Linux” piece which was similarly bad.
IBM and SuSE requested (and paid for) level 2. They got it, now they intend to get evaluation assurance level 3 (and later 4) which takes only more time and money.
“read the article. post something intelligent. don’t just sit around and wait for something to be pissed at. cuz thats what you are doing.”
Obviously you like telling people what to do, because I note that you yourself only added to the fire rather than posting something on-topic.
Why don’t you go back and read comment number one again, for instance. There are a few others like it, as well. What more remains to be said? There’s no substance *to* the article that we can discuss beyond what has already been covered.
IT’s not like it’s new that Linux isn’t secure, to high uncontrolled developmed rate without any management is just what makes flaws. That will allways be the story of Linux
I’d love to see how FreeBSD would manage a test like this, not to mention openBSD…
There are several implemantations in linuxfor limiting what rights of users including the root user (including which process they can se and acls) both in the form of Rules(www.rsbac.org)/Roles based Access Control Systems like Security-enhanced Linux by nsa(www.nsa.gov/selinux/) and Mandatory Access Control systems like lids (www.lids.org). There are also plenty of implemenations of systems to protect against various kinds of overflowattacks.
No it don’t have special keyshortcut for entering passwords but it has ways for programs that need to enter passwords to lookout trojans (mainly by not allowing just anybody to read the keyboard at anytime). I must say i wonder what pressing ctrl-alt-delete does to prevent passwordsnooping. Running in kernelmode is the only possible protection i can think of short of reinstalling keyboardhandlingroutines.
Besides the article writer “forgets” that windows 2000 in all shapes is not certified no matter what microsoft says but “Windows 2000 Professional, Server, and Advanced Server with SP3 and Q326886 Hotfix (OS) (http://www.commoncriteria.org/ccc/epl/productType/epldetail.jsp?id=…) is.
I have no idea which of these tools ibm brought to the table if any.
The article says..
[[According to people close to the certification, Linux was being tested for better security ratings, but only achieved the “low to moderate” rating.]]
Now I don’t know whether this guy is right or wrong, but that paragraph implies that they tried to go for a high rating but only managed to score a low one. If you guys know the REAL facts, rather post links to them so that at least you have something to back up your bashing of the author. You’re probably right, but the articles implication is pretty clear.
“IBM and SuSE requested (and paid for) level 2. They got it, now they intend to get evaluation assurance level 3 (and later 4) which takes only more time and money.”
EXACTLY – the title of the article is utterly misleading. Eugenia, looks like this time YOU did not bother to read the article.
How about the CNN article which someone posted earlier? http://www.cnn.com/2003/TECH/industry/08/05/linux.software.ap/index…
Again and again another FUD against de Free software.
An interesting observation:
How can windows more secure with thousands and thousands
of virus infecting user files a causing a traffic overhead
in the internet ??
My GNU/Linux box works fine lots of weeks and i dont need to
care about viruses and no bluescreens.
Free software and Linux RULEZZZZZZ
I would like to thank to P. Turrot for this unbiased, very objective review of linux system security.
I think can said that Mr. Turrot’s comments were and always be considered by the IT industry.
Jokes aside, the guy is just a troll paid by MS for propaganda and OSNews only looses in quality posting things like these.
Again and again another FUD against de Free software.
Please stop referring to Linux as free software!!!!!
Linux is NOT free software, and that has nothing to do with the SCO thingie going on. Linux is GPL, which is anything but free!!!!
Did you ever take your time to read the license???? Well if you had, then read BSD or MIT license and you tell me what’s free!!!
What people don’t understand and CJ got partially right is that in order for Linux to match and pass Windows 2000 in a Common Criteria evaluation, it has to do the same things as Windows 2000. One of the requirements of the obsolete TCSEC C2 evaluation (and CC for EAL4) process is auditing of various events:
1. Logon and logoff events for all users
2. File and object access (including copy, move, and delete)
3. File and object reuse
This is a requirement for US Government use with classified data, that the operating system supports C2/EAL4 auditing. Linux out of the box does not have the auditing capabilities of Windows NT/2000/XP or commerical Unix. If a Linux box won’t pass C2, it won’t pass EAL4 either. Oracle and RedHat are also going for EAL2 for RedHat Advanced Server.
“Linux is GPL, which is anything but free!!!!”
The term “Free Software” was coined by the Free Software Foundation (http://www.fsf.org), the definition of which can be found at http://www.fsf.org/philosophy/free-sw.html if you care to read it.
Since the GPL was created by the Free Software Foundation, who coined the term “Free Software”, and maintain the Free Software definition at the link I posted above, it is fairly clear that the GPL is indeed a Free license.
Define Free Software and learn the meanings of the words free and freedom. And explain to me why only BSD and BSD-like licenses should be allowed to use the term Free Software.
But lets start another f*g license flamewar. What is it all you BSD-zealots hang up on with GPL that makes it unfree or i should say more unfree than BSD. Last time i looked the BSD license put demand on the user of the code too. Sure GPL have harder restrictions to keep the code open for everyone while with BSD it is okay for a commercial company to take the code add a couple of lines and sell it.
Where is Brett Glass he usually loves these “GPL is hostile to capatalism and freedom of proprietary software developer”-disscusions so much he crash lists where he doesn’t really belong with promises that if the project stays away from GPL he might develop code for it.
<sarcasm>
And we all know how meaningful certifications are.
Someone with an RHCE is definitely more qualified to admin a Linux server than I am
</sarcasm>
This is all inconsequential, because these security certification levels don’t mean either one is more or less secure. However, it is easier to sell Linux to the higher-ups now because you can say…look Linux has XXX certification!!!
To be honest, neither is all that secure in implementation, while both are very secure in terms of design.
If security is crucially important, you have to go with something like OpenBSD http://www.openbsd.org/ even FreeBSD http://www.freebsd.org/ has a better security track record than Linux or Windows.
All that the Common Criteria standards up to level 4 really signifies is how much paperwork you have filled out, in addition to lab testing, to “certify” your product. It’s only if you get past level 4 that it really makes any difference on how secure a system really is. Neither Windows nor Linux have gone there yet. Oh, and it also depends on whether IBM is willing to put up the money to get it certified to level 4. As for security in the real world, I’ll place my bets on open source products over Windows any day– I know I have a community of people who can be relied upon to respond when there is a problem, instead of deny and stall on rolling out a patch. Oh, and they don’t rely on APIs that are inherently flawed, as Windows is.
What is it all you BSD-zealots hang up on with GPL that makes it unfree or i should say more unfree than BSD.
I’ll bite on this, even though it’s OT.
This is basically all about different interpretations of the meaning of the word “free”
There is the common sense meaning of the word, which means “no restrictions” and then there is the FSF’s definition of it, which means “freedom to view the underlying source code”
To a certain degree, both definitions are “correct”.
Personally, I believe that the BSD is a less demanding license, and it is MUCH easier to understand for the layman. (You tell me that you honestly understand EVERY single line of the GPL?)
I’m afraid that much of the software that is under the GPL has been placed under that license because it’s “KEWL” to do so. That’s about as good a reason to choose a license as it is a good reason to start smoking crack.
I would estimate that as many as half the authors of GPLed software have never read the GPL in its entirety. While I would also say that at least 80% of BSD licensed software is released under that license because the author has read and is in full understanding of that license.
I want my software to be used, by anyone, in any way that they see fit. I don’t have a vendetta against corporations, and if WidgetTech Systems wants to use my code in their new WidgetXP software, well all the more power to them.
In fact, if it weren’t so legally dangerous to do so, I’d put all of my OpenSource software in the public domain. Well, enough OT ranting.
The term “Free Software” was coined by the Free Software Foundation (http://www.fsf.org), the definition of which can be found at http://www.fsf.org/philosophy/free-sw.html if you care to read it.
Since the GPL was created by the Free Software Foundation, who coined the term “Free Software”, and maintain the Free Software definition at the link I posted above, it is fairly clear that the GPL is indeed a Free license.
I’ve read it all! Just because it says it’s free there doesn’t mean it’s free. If you read that the world will end tomorrow on some site would you believe it? If you think for yourself and read the license you would come up with something like CJ has come up with.
However, the difference is a lot bigger than small restrictions.
Thanks to BSD licensed stuff we see something new creative like OS X. As if that is ever gonna happen with GPL stuff, yyah right!
It’s a huge difference to free software and free software, even though I admit MIT is probably the most free license out there.
http://wwws.sun.com/software/star/gnome/documentation/index.html
http://www.novell.com/news/leadstories/inthenews.html
http://www.lindows.com/
http://www.redhat.com/
http://www.microsoft.com/windows/sfu/productinfo/overview/default.a…
http://www.linksys.com/support/gpl.asp
http://developer.apple.com/cgi-bin/search.pl?&q=gpl&num=10&ie=utf8&…
Riight, nothing creative will EVER happen with GPL based software.
Add-ons due to ignorant peoples popularity.
Solaris is hardly GPL…
Microsoft? GPL? Ehrrr….
Apple? Based on BSD.
Redhat hardly a creative company neither is Lindows.
It’s jsut cloning…. and I think OSX is a brilliant proof of this. That’s the potential of having a software licensed in a way which makes it useful to place R&D money on it.
The Sun link was Gnome and the Microsoft link was Services for Unix, both of which can be read from the URLs without even clicking the links.
Not that I think either involves a great deal of creativity (in fact, none as far as sfu goes).
Try reading. You may actually like it.
This just in:
OpenBSD is much less secure than Windows 2000, since it has no security clearing at all.
//Thanks to BSD licensed stuff we see something new creative like OS X. As if that is ever gonna happen with GPL stuff, yyah right!//
I hope you know that the BSD licensed portion of Mac OSX is a pretty standard BSD interface (horribley paired with the Mach microkernel), nothing new or exciting. The desktop, which is the most innovative part of OSX, is entirely propietary. Linux could also have an entirely propietary desktop if someone cared to make one.
It is true that BSD has less restrictions, in the sense that it can be made non-free. GPL, on the other hand, cannot be made non-free.
So this is all a philosophical debate: which is freer? Something free that can be made non-free, or something free that must remain free?
Also, whose freedom are we talking about? End-users or proprietary corporations?
Those who see the GPL as non-free are just clinging to an particular model of software production…unfortunately, industries evolve through disruptive technologies, and the GPL is one such technology. We should not try to “engineer” the evolution of software development, but rather follow its evolution and adapt to it.
He’s so biased it’s nauseating……….good case in point was the article regarding how fast Windows passwords can be hacked……..the exact same article with the exact same source was on Macweek and in part the person being interviewed stated that OSX was less susceptible to that kind of attack. But on Paul’s site that part of it was conveniently left out – yet he delights in posting Apple news that puts it in a bad light.
If you want useful Windows info go to either http://www.winbeta.org or winxp.bink.nu
J.
FreeBSD is freer, because it allows you to do anything with the code… Code that is already FREE will remain FREE, but whatever you do with the modified or extra code is up to you…
Microsoft can (and probably has) placed some BSD code (which is available to everyone else) into their Windows kernel, but they don’t have to now open up parts of Windows for the public to see.
Reason why some consider GPL a virus.
So this is all a philosophical debate: which is freer? Something free that can be made non-free, or something free that must remain free?
How about from a more pragmatic point of view:
Something that imposes no future licensing restrictions (except source code credit), compared to something that requires a license that places restrictions on redistribution.
I know it’s a little more complicated than that, but that’s how it basically boils down.
SuSE Linux Passes EAL2+ Security Test ; EAL3 on the Horizon
http://www.secadministrator.com/Articles/Index.cfm?ArticleID=39803
Sorry, this is horribly off topic, but it seems that licensing for free software is a bit of a mess…
Would it not be easier to have a license based on three core criteria? For every criteria there are two types of exclusive restrictions – it MUST do this “xor” it CAN’T do this.
TYPE – RESTRICTION
COST – MUST BE FREE / NONE / CAN’T BE FREE
SOURCE – MUST PROVIDE / NONE / CAN’T PROVIDE
DISTRIBUTE – MUST BE DISTRIBUTABLE / NONE / CAN’T DISTRIBUTE
(if source is distributed, it can be inherently modified, their could be a 4th criteria – I guess – for modify rights to the program – that way source could be seen but not used… this seems like a dangerous option though…once the source is available the cat is out of the bag)
Their, done… now a license has only three criteria to choose from. If it is NONE, then it can either become a MUST or a CAN’T – but it can’t go back to NONE once it has changed to either restrictive form. So you can have licensing change over time, and totally open licenses can be adapted as needed according to the needs of the person writing the software.
Maybe some techie lawyer type can draft something up… then again I am sure I am missing some obvious point, or some explicit guarantee that is required by someone… seems to me that it would be easier to understand right off the bat what type of license you are agreeing to.
Something that imposes no future licensing restrictions
Well, if MS takes some BSD code and integrates it into Windows, then there definitely is a license restriction put on it!
Microsoft can (and probably has) placed some BSD code (which is available to everyone else) into their Windows kernel, but they don’t have to now open up parts of Windows for the public to see.
In other words, they’re profiting from someone else’s work without giving anything in return…
Anyway, ultimately it’s up to the developer. If he/she wants other to profit from his work without giving something back, that’s fine. If he/she wants to publish it under the GPL, that’s fine as well. If he/she wants to publish it under a proprietary license, it’s still fine. There is room for all of these licenses – saying that one is “freer” than another is trying to say that one license is inherently “better” than another. In the end, the best license depends on what the developer wants…
Probably because she knows her readers are probably already skewed towards Linux and hate Microsoft. In an attempt to be entirely judicious, she is being prejudicial towards Microsoft precisely because she is scared she will look pro Linux =)
Wow, Eugenia accused of being prejudicial towards Microsoft! Last week it was being prejudicial towards Apple, before that it was Amiga, the week before blah blah blah,etc….
I’ve been reading OSnews for quite a long time and I think OSnews has been pretty balanced in presenting information on ALL kinds of different operating systems, some of which I have only heard of here.
The Common Criteria is a documentation only certification. All it means is that someone wrote a document and it got approved. It has no basis on turning on a computer and performing any testing on it.
Depending on the amount of documentation you provide is what certification you receive.
Some food for thought (insert standard disclaimer about proof-by-analogy):
Which society would the average person find more free?
A medieval society, in which the law establishes few restrictions on people, and thus the strength of the few overrules the will of the many,
— or —
A republic, in which a few well-chosen restrictions on freedom ensure continued freedom for everyone?
Both the BSD license and the GPL are free.
The GPL goes further to protect the freedom of users, BSD tilts a bit more towards developers. One or the other may be more appropriate in certain circumstances. Even Richard Stallman has endorsed use of the BSD license instead of the GPL when it makes more sense.
If the availability of free software is obscured by non-free derivatives of the same software, potential users lose a bit of freedom. The GPL is designed to prevent this, and it clearly works. For example, gcc is widely available and incredibly popular. If gcc had been under the BSD license, I suspect that it would have splintered into a multitude of commercial derivatives, each obscuring their free origins.
A BSD reference imnplementation of a standard protocol makes a great deal of sense, though. Encouraging widespread adoption of conforming implementations preserves more important freedoms than the ability to fix a closed derivative of the open reference code. Derivatives which deliberately break conformance, however, demonstrate the weak points of the BSD license which the GPL was designed to address.
Both licenses are good. Both are free. If you don’t like the license that some code is under, write your own. The GPL is not a plot to contaminate your code, and the BSD license isn’t a plot to commercialize other people’s code. The author chooses the license, and we should respect that choice. Some pick the BSD because they want to give the code away with the minimum restrictions. Others pick the GPL because they want all derivatives to be given away, too. Both seem fair and reasonable to me.
It’s quite obvious that many do not understand the purpose of the Common Criteria Evaluation. This is not a line by line code audit, ala OpenBSD. This is simply a validation of a design. If you eliminated the possibility of any programming errors in either Windows 2000 or Linux, Windows 2000 would score higher as it has a more comprehensive set of security mechanisms. Linux, to the best of my knowledge, could not be certified at any higher level due to missing required features. Again, this does not take into account the possibility that the system can be tricked into doing something it’s not designed to do. It is simply and evaluation to ensure that the system does the things it is supposed to do to achieve the level of certification attempted. I am a die hard Linux fan and have been an outspoken Slackware bigot since September of 1993. I believe that Linux is more secure than Windows 2000, but that does not mean that it should achieve the same level of certification as Windows 2000 under these circumstances. This is really not a big deal. If you visit http://niap.nist.gov/cc-scheme/ValidatedProducts.html you will see the list of products that have completed evaluations.
The only analogy I can come up with is what I call a McNealy’ism. From the automotive world…
The car must exceed 150 mph in order to achieve level 17 certification. It does not matter that the car can only do this for 1 nanosecond before being towed o the garage for repairs. It does not matter that another car can travel at a sustained 149.999999 mph for 3459834555 hours without a hiccup. The criteria calls for 150 mph.
These tests prove nothing, be they for Windows or Linux. Read http://www.theage.com.au/articles/2002/11/18/1037490106637.html for the evaluation of an expert and then see the tests for the smokescreen they are.
Well, if MS takes some BSD code and integrates it into Windows, then there definitely is a license restriction put on it!
The point was that the license did not stipulate anything regarding the license. The very fact that Microsoft, Joe Developer, or anyone can use it for whatever they want (including closing the source, some of us not are not company-phobic), just goes to further show how free it is.
Free to use, copy, change, relicense.
CC isn’t a scale on how secure something are. The numbers in CC describes how well the documentation is documented. To know how secure the thing is you have to read the security profile and the requirements for how it is secure. The 4+ that windows 2K got doesn’t say that if you implement it with those criterieas you can’t use the W2K to anything like it is at out of the shelf.
People should read the security targets to say how secure the SW are. Not the number in CC.
Man, a genuinely intelligent and informative comment on OSNews… are you sure you didn’t come to the wrong site by mistake?
“IBM and SuSE requested (and paid for) level 2. They got it, now they intend to get evaluation assurance level 3 (and later 4) which takes only more time and money.”
…in regards to the comment about hiding processes, and ubiquitous ACL’s.
Windows has ubiquitous ACL’s for years. So, why was it possible to get C2 security on NT 4 only with a disconnected computer?
I’d venture to say that the big problem with Microsoft security is application developers who can’t seem to writhe apps that install <I)and run[/i] unless Everyone has Full Control.
Maybe, once Linux has ubiquitous ACL’s, this won’t happen there because application developers for the UNIX world are used to tightly-controlled environments?
Microsoft can (and probably has) placed some BSD code (which is available to everyone else) into their Windows kernel, but they don’t have to now open up parts of Windows for the public to see.
I heard a while ago that Microsoft took the Kerberos (?) code from BSD, changed it or added to it so it was incompatible with the original and incorporated it into Windows. This is the problem I have with the BSD license, it can be abused.
I’m also not convinced that the GPL is as viral as some people make it out to be. I have used the SN systems development tools which are based upon GCC, Sony released Linux for PS/2 without revealing certain proprietary information, and isn’t TiVO running on Linux?
I must say i wonder what pressing ctrl-alt-delete does to prevent passwordsnooping. Running in kernelmode is the only possible protection i can think of short of reinstalling keyboardhandlingroutines.
<p>That’s pretty much it. Ctrl+Alt+Del triggers a hardware trap that must be handled by the kernel. Hence, user space applications can’t intercept it and present a fake login screen.
..I finally got modded down. What took you so long, Eugenia?