[ntp:hackers] Findinterface

Brad Knowles brad at stop.mail-abuse.org
Mon Jun 13 13:31:27 PDT 2005


At 11:09 AM -0700 2005-06-13, todd glassey wrote:

>>  NSA wasn't smoking anything when I saw the first edition of the orange
>>  book in 1983.
>
>  Ah, I liked the Red Book myself - the damn thing never fit on a shelf
>  properly.

	When talking about computer security, none of those books are 
valid anymore.  You need to be talking about the TCSEC.


	If you did want to talk about Orange book security, I'll start 
digging up old stories I got while working at the Pentagon about 
different problems that occurred after a particular box got a certain 
level of certification, only to be demonstrated to be insecure once 
put into a more operational-style test.

	Certifications like A-1, A-2, B-1, B-2, C-1, C-2, etc... really 
don't mean anything, except as an upper limit on the level of 
security that you could possibly achieve in a non-networked 
environment.  The moment you throw those things on a network, all 
Orange book security ratings go out the window.

>  I would beg to differ, and we will in our test and release plan build the
>  certification matrix - this will have to get some input from various
>  parties - we will also get those parties shipping NTP who are going to want
>  to use the secured version to participate more formally.

	Given the extreme variations in the ability of different OSes to 
drop interrupts and to give good timing information to the 
applications running on the machine, I would be very curious how 
anyone can make any claims about NTP and time performance that are 
going to be independent of the hardware and OS platform.

	You're going to have a very hard time proving that one to me.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
