Get APLawrence.com by RSSRemember C2?
Mon Jul 5 11:55:15 2004 Remember
C2?
Search Keys: C2 secure, c2 security
Referencing: http://theosos.sourceforge.net/
I happened to Stumble across the
reference link above. Looks to me like this is trying to reinvent
C2. That set me thinking about what ever happened to all the C2
buzz: a few years back, everyone was talking about C2 security, but
now, a Google search turns up only mostly very old links. Why?
Well, for one thing C2 security has absolutely nothing to do with
the computer security most of us worry about today. Windows NT 3.51
is "C2 Secure" :
http://www.microsoft.com/technet/prodtechnol/winntas/plan/security.mspx
Amusing, but true. That's because C2 security has nothing to do with buffer overflows, worms and the like. It's concern is control of data - whether or not person X can give file A to person B, and how you know it is person X to start with. See C2 Microsoft Windows NT Administrator's and User's Security Guide
There's some amusing stuff in there too. For example, one of the items NOT included in the NT 4.0 systems submitted for C2 security evaluation was:
Other services which must run as part of the system such as Internet Information Server
So I guess they knew that was a problem ahead of time ?
What about Linux? Well, again, most of the links I find are old. There's http://secureaudit.sourceforge.net/index.html, but it hasn't been updated in more than a year. There's plenty of "C2-like" mentioned:
C2 security Note that SNARE uses C2-level auditing and event logging. C2 is a high security standard created by the National Computer Security Center (NCSC), a division of the U.S. National Security Administration.
but "like" isn't certified.
Do we care anymore? Well, probably not. I think most folks have realized that they need C2 security about as much as they need an ICBM missile. Those who do need ICBM's or are otherwise involved in the design or manufacture of similar things need to worry about it, but for most of us, C2 security simply gets in the way of things we need to do. The original design of Unix wasn't for protecting files, it was for sharing them in a cooperative environment, and to a greater or lesser extent, that's what most of our computer activities are about still: sharing, not protecting. Sure, we protect our passwords to our bank accounts and other important things, but those are the exceptions: most of what we do with computers is sharing. Yes, we may have users in groups that restrict their access here and there, but it seems to me that the ability to share is the more important paradigm.
So the buzz of C2 security seems to have faded away. Part of that is due to the understanding of how unimportant it is to most of us. Another part might be simple embarassment: can you imagine Microsoft making a big deal about their C2 qualification today? The jeers and catcalls would be immediate - perhaps undeserved, because C2 isn't necessarily related to the other security problems Microsoft has. But this wouldn't seem to be the time to be blowing that trumpet again, would it?
If for some reason you are concerned about Microsoft and C2, see http://www.microsoft.com/technet/security/news/c2eval.mspx
Have you tried Searching this site?
Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates
This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.
Many of the products and books I review are things I purchased for my own use. Some were given to me specifically for the purpose of reviewing them. I resell or can earn commissions from the sale of some of these items. Links within these pages may be affiliate links that pay me for referring you to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain. I also may own stock in companies mentioned here. If you have any question, please do feel free to contact me.
Specific links that take you to pages that allow you to purchase the item I reviewed are very likely to pay me a commission. Many of the books I review were given to me by the publishers specifically for the purpose of writing a review. These gifts and referral fees do not affect my opinions; I often give bad reviews anyway.
We use Google third-party advertising companies to serve ads when you visit our website. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, click here.
I sell and support
Kerio Mail server
Click here to add your comments
"ICBM missile"
Ah, I see you are a member of the Department of Redundancy Department.
"If for some reason you are concerned about Microsoft and C2, see http://www.microsoft.com/technet/security/news/c2eval.mspx"
I can't imagine anyone in their right mind running any Microsoft system with any expectations of real security. There's an old adage in manufacturing that says quality cannot be inspected into a product, it must be built in. The same principle applies to operating system security.
--BigDumbDinosaur
"ICBM missile"
Ah, I see you are a member of the Department of Redundancy Department.
"If for some reason you are concerned about Microsoft and C2, see http://www.microsoft.com/technet/security/news/c2eval.mspx"
I can't imagine anyone in their right mind running any Microsoft system with any expectations of real security. There's an old adage in manufacturing that says quality cannot be inspected into a product, it must be built in. The same principle applies to operating system security.
--BigDumbDinosaur
Well, with so man acronym's today, ICBM might mean something else too :-)
Anyway, with reagrf to the adage, you are sure to get a grin from this quote from that page:
"Every customer's security needs are different, and not all customers will deploy Windows NT in the C2 configuration. However, the evaluation is significant even for customers who don't need to deploy the C2 configuration. The fact that third-party security experts have examined Windows NT 4.0 and awarded it a C2 evaluation confirms what customers already know -- that Windows NT 4.0 provides a strong, flexible security architecture."
Cough..cough..cough :-)
"ICBM missile"
Ah, I see you are a member of the Department of Redundancy Department.
"If for some reason you are concerned about Microsoft and C2, see http://www.microsoft.com/technet/security/news/c2eval.mspx"
I can't imagine anyone in their right mind running any Microsoft system with any expectations of real security. There's an old adage in manufacturing that says quality cannot be inspected into a product, it must be built in. The same principle applies to operating system security.
--BigDumbDinosaur
Well, with so many acronym's today, ICBM might mean something else too :-)
Anyway, with reagrf to the adage, you are sure to get a grin from this quote from that page:
"Every customer's security needs are different, and not all customers will deploy Windows NT in the C2 configuration. However, the evaluation is significant even for customers who don't need to deploy the C2 configuration. The fact that third-party security experts have examined Windows NT 4.0 and awarded it a C2 evaluation confirms what customers already know -- that Windows NT 4.0 provides a strong, flexible security architecture."
Cough..cough..cough :-)
"ICBM missile"
Ah, I see you are a member of the Department of Redundancy Department.
"If for some reason you are concerned about Microsoft and C2, see http://www.microsoft.com/technet/security/news/c2eval.mspx"
I can't imagine anyone in their right mind running any Microsoft system with any expectations of real security. There's an old adage in manufacturing that says quality cannot be inspected into a product, it must be built in. The same principle applies to operating system security.
--BigDumbDinosaur
Well, with so many acronym's today, ICBM might mean something else too :-)
Anyway, with regard to the adage, you are sure to get a grin from this quote from that page:
"Every customer's security needs are different, and not all customers will deploy Windows NT in the C2 configuration. However, the evaluation is significant even for customers who don't need to deploy the C2 configuration. The fact that third-party security experts have examined Windows NT 4.0 and awarded it a C2 evaluation confirms what customers already know -- that Windows NT 4.0 provides a strong, flexible security architecture."
Cough..cough..cough :-)
"ICBM missile"
Ah, I see you are a member of the Department of Redundancy Department.
"If for some reason you are concerned about Microsoft and C2, see http://www.microsoft.com/technet/security/news/c2eval.mspx"
I can't imagine anyone in their right mind running any Microsoft system with any expectations of real security. There's an old adage in manufacturing that says quality cannot be inspected into a product, it must be built in. The same principle applies to operating system security.
--BigDumbDinosaur
Well, with so many acronym's today, ICBM might mean something else too :-)
Anyway, with regard to the adage, you are sure to get a grin from this quote from that page:
"Every customer's security needs are different, and not all customers will deploy Windows NT in the C2 configuration. However, the evaluation is significant even for customers who don't need to deploy the C2 configuration. The fact that third-party security experts have examined Windows NT 4.0 and awarded it a C2 evaluation confirms what customers already know -- that Windows NT 4.0 provides a strong, flexible security architecture."
Cough..cough..cough :-)
--TonyLawrence
"ICBM missile"
Ah, I see you are a member of the Department of Redundancy Department.
"If for some reason you are concerned about Microsoft and C2, see http://www.microsoft.com/technet/security/news/c2eval.mspx"
I can't imagine anyone in their right mind running any Microsoft system with any expectations of real security. There's an old adage in manufacturing that says quality cannot be inspected into a product, it must be built in. The same principle applies to operating system security.
--BigDumbDinosaur
Well, with so many acronym's today, ICBM might mean something else too :-)
Anyway, with regard to the adage, you are sure to get a grin from this quote from that page:
"Every customer's security needs are different, and not all customers will deploy Windows NT in the C2 configuration. However, the evaluation is significant even for customers who don't need to deploy the C2 configuration. The fact that third-party security experts have examined Windows NT 4.0 and awarded it a C2 evaluation confirms what customers already know -- that Windows NT 4.0 provides a strong, flexible security architecture."
Cough..cough..cough :-)
--TonyLawrence
Yes, I do remember that quote, which demonstrates just how wide the gap is between what the engineering department can do and what the sales department says can be done. In any case, how would the "customers already know?"
--BigDumbDinosaur
"ICBM missile"
Ah, I see you are a member of the Department of Redundancy Department.
"If for some reason you are concerned about Microsoft and C2, see http://www.microsoft.com/technet/security/news/c2eval.mspx"
I can't imagine anyone in their right mind running any Microsoft system with any expectations of real security. There's an old adage in manufacturing that says quality cannot be inspected into a product, it must be built in. The same principle applies to operating system security.
--BigDumbDinosaur
Well, with so many acronym's today, ICBM might mean something else too :-)
Anyway, with regard to the adage, you are sure to get a grin from this quote from that page:
"Every customer's security needs are different, and not all customers will deploy Windows NT in the C2 configuration. However, the evaluation is significant even for customers who don't need to deploy the C2 configuration. The fact that third-party security experts have examined Windows NT 4.0 and awarded it a C2 evaluation confirms what customers already know -- that Windows NT 4.0 provides a strong, flexible security architecture."
Cough..cough..cough :-)
--TonyLawrence
Yes, I do remember that quote, which demonstrates just how wide the gap is between what the Microsoft software engineering department can do and what the sales department says can be done. In any case, how would the "customers already know?"
--BigDumbDinosaur
Don't miss responses! Subscribe to Comments by RSS or by Email
Click here to add your comments
If you want a picture to show with your comment, go get a Gravatar