
Linux not quite right for government

LinuxWorld

(IDG) -- The biggest threat to Linux becoming the software of choice in government circles is that there is no third-party verification, certification or evaluation of it, according to Linda Walsh, a speaker at the UKUUG Linux 2000 Developers' Conference held July 7-9 in London.

Walsh, a member of Silicon Graphics' Trust Technology group, told LinuxWorld that the OS also fails to meet the Common Criteria (CC) requirements. The CC is an international agreement and protocol regarding security criteria. It is the result of a 1993 agreement among the governments of France, Germany, the Netherlands, the United Kingdom, Canada, and the United States that specifies both functional and assurance requirements. Its authors say CC is needed to develop trusted IT products that can be used to "help protect important information of the government and private sectors. IT security criteria common to Europe and North America will help broaden the market for these products and further lead to economies of scale."

"Functionally, Linux lacks the ability to audit the necessary events [all security-relevant events] to meet the functional requirements of the Common Criteria Controlled Access Protection Profile (CAPP)," said Walsh. Linux lacks security procedures -- called Mandatory Access Control (MAC) or Labeled Security Protection Profile (LSPP) -- to specify which users are allowed to send or receive information from others, she said.

On the assurance end, "Linux lacks trust and assurance. The assurance requirements are fairly rigorous and tedious -- not something most kernel hackers want to get involved in to any great depth," Walsh added.

The CC requires "source control, production control [guarantees about what sources made what binaries and how they were built] and reproducibility," she said. "Also needed is a definition of what programs and modules are included in the Trusted Computing Base and some security analysis of those components."

To make Linux secure enough for government agencies and major multinationals, Walsh said the US Department of Defense has demanded evaluated systems only by Jan. 1, 2002. It has also recommended the same for other government agencies. "Specifically, they want systems meeting the CAPP and LSPP," she said. "Assurance Levels [measured on a scale from a low of 1 to a high of 7] up to Evaluated Assurance Level (EAL) 4 are commonly recognized between member nations of the Common Criteria agreement. Governments require assurance and third party evaluation of trusted systems before they will consider them safe to store or process government data."

When reminded that the French government is reportedly close to passing a law making open source code (and specifically Linux) obligatory for applications used by all its computer systems, Walsh told LinuxWorld, "My impression is the US government shares some of those feelings about Microsoft. The fact that it is closed source and they are at the mercy of such a large and dominant vendor such as Microsoft would seem to be a national security risk."
