IBM Clinches Security Certification for Linux

CmdrTaco posted more than 11 years ago | from the we're-like-secure-or-something dept.

Security 373

Nimey writes "IBM has gotten Linux certified under the Common Criteria specification." What this means is that government can consider Linux when making purchasing decisions. Linux got the highest rating possible.


watch me fail it! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6614465)

furzt poast!!

FP! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6614467)

FIRST POST! again! :)

FAILED (-1)

Anonymous Coward | more than 11 years ago | (#6614513)

FAILED FAILED FAILED FAILED FAILED

You now have to attend summer posting school as you have FAILED.

Alright...? (1, Interesting)

mschoolbus (627182) | more than 11 years ago | (#6614470)

What this means is that government can consider Linux when making purchasing decisions. Linux got the highest rating possible.

So what the hell was going on before?

Re:Alright...? (5, Informative)

azzy (86427) | more than 11 years ago | (#6614511)

I think what this means is that they can pick Linux and have a piece of paper supporting their choice. Got to cover their own backs I guess.

Re:Alright...? (2, Informative)

akadruid (606405) | more than 11 years ago | (#6614581)

Yeah it's like the whole 'No-one ever got fired for choosing Oracle' thing.
In this case 'No-one ever got fired for choosing Common Criteria software'.
The important thing to remember here is that a lot of central government positions and even more local government positions are taken by people who could not support their employment in the private sector.
Another interesting point in this article is the statement that the Linux market is expected to grow from $2 billion to more than $5 billion in 2006. That's a very important increase in a short period of time. Definitely something for Microsoft to be worried about.

Re:Alright...? (1, Insightful)

Cutriss (262920) | more than 11 years ago | (#6614536)

I think Taco screwed up the newspost. It should read "What this means is that government can consider IBM's Linux solutions when making purchasing decisions. IBM got the highest rating possible."

Re:Alright...? (2, Informative)

ComputerSlicer23 (516509) | more than 11 years ago | (#6614563)

No, it was actually Suse's Linux distribution (at least according to the article I read). I know some of the security ratings are a software and hardware combination. That is, it's certified secure on hardware X, and software Y. I know that's what C2 security ratings are all about. However, I'm not sure if the common criteria includes the hardware or not.

Kirby

Re:Alright...? (2, Funny)

Anonymous Coward | more than 11 years ago | (#6614587)

So what the hell was going on before?

The government would have to buy a trusted operating system that meets the common criteria.. for example, Microsoft Windows 2000. Yes, it is certified too. Let's not start sucking each others dicks on this just yet.

Re:Alright...? (4, Informative)

eyegor (148503) | more than 11 years ago | (#6614595)

According to the articles, Win2k got an EAL4 (click here [entmag.com] ) and Linux got an EAL2+ (suse press release [suse.com] )

It's still good to see Linux get this certification though. It's another step towards displacing Windows.

Thank you IBM (1, Insightful)

azzy (86427) | more than 11 years ago | (#6614478)

Glad to see they aren't letting SCO scare them away from giving Linux their support time after time

Re:Thank you IBM (4, Interesting)

DarkSarin (651985) | more than 11 years ago | (#6614542)

Glad to see they aren't letting SCO scare them away from giving Linux their support time after time

Did you seriously think that they would? If so you need to share some of the dope you've been smoking. As has been said numerous times on this board: to IBM, SCO is nothing more than an annoying mosquito. They might be carrying West Nile, but they are still just a mosquito, and can be crushed or captured almost any time.

The cool part about this whole article is that with the security cert, the government could begin switching some of their offices over. It also means that organizations like hospitals (who need to be concerned with privacy due to HIPAA) can be sold on the fact that it is secure and they don't have to worry as much about some hacker stealing confidential information.

Think about it.

Re:Thank you IBM (-1)

Anonymous Coward | more than 11 years ago | (#6614643)

he should share the dope anyway. puh-leeeze???

dont care (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6614480)

I dont care. jfyi

Can vs. Will (1, Insightful)

Acidic_Diarrhea (641390) | more than 11 years ago | (#6614482)

Just because the government can consider buying Linux, doesn't mean it will. After all, Microsoft has got a pretty firm hold on the bureaucrats in charge.

Re:Can vs. Will (5, Insightful)

Anonymous Coward | more than 11 years ago | (#6614529)

And you think IBM doesn't know how to handle bureaucrats? They invented the game and probably patented it as well.

Re:Can vs. Will (5, Insightful)

Liselle (684663) | more than 11 years ago | (#6614567)

Don't underestimate how cheap people can be. It goes hand-in-hand with greed. Windows is not precisely free.

Members of government are also accountable to their constituents. As people become more and more aware of Linux, they will also become more aware of the security problems with Windows. A few years ago, there was no basis for comparison. Now there is, and the more information that gets out there, the better. It's cliché now to say this, but the days are numbered for the stranglehold Microsoft holds, one way or the other.

Re:Can vs. Will (5, Informative)

idontgno (624372) | more than 11 years ago | (#6614642)

There are a lot of factors, indeed, but in at least one US military IT acquisition that I'm familiar with, the choice of OS platform was driven purely by purchase cost. That's why this contract chose Major-Brand (tm) PCs with some flavor of RedHat (with support contract) to succeed Sun Ultra workstations running Slowlaris(tm), the incumbent system in the field. Customer wanted to drive the acquisition cost down down down.

Even the greediest government agency has to operate within budget, after all. And in the US military, budgets have held mostly constant while obligations associated with things like war-fighting have gone up, so your non-combat line items get shrunk to make up the difference.

Re:Can vs. Will (0)

Anonymous Coward | more than 11 years ago | (#6614604)

M$/Dell/EDS has the Navy and Marine Corps locked in for the next seven years.... Unless there is a congressional mandate, there won't be any changes here for a while...

Re:Can vs. Will (1)

EvilTwinSkippy (112490) | more than 11 years ago | (#6614606)

With ever tightening budgets, and demands to do more with less people the equations naturally point towards Linux.

Capital, like water, flows downhill seeking the softest path at every turn. One can steer a river, over a short stretch. One can even try to place a river where none ever existed with a Canal. But these artificial minglings require work to maintain. They are ever under siege from the elements. Those that seek to build around them always fall into woe when the river itself overflows.

Will is a powerful thing, but the natural order of the Universe is unsurmountable.

Re:Can vs. Will (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6614615)


For the record, Rob Malda has a firm hold on my penis and is showing no signs of letting go.

I kinda like it too ...

Re:Can vs. Will (4, Interesting)

sporty (27564) | more than 11 years ago | (#6614632)

Well, look at it this way. If you couldn't, trying would be futile. Sorta like trying to get water/blood from a stone. But, with linux certified, saying that you will not even have one supporter of linux in gov't just got a little unreasonable.

You have big corps like IBM, HP and Dell saying, "it's ok."
You have many countries saying "It's ok, see?"
You have the US (via certification) saying "it's ok."

Seems more unreasonable to say it will never happen every other day.

Re:Can vs. Will (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#6614641)

Where did the parent say that there wouldn't be a single supporter?

Re:Can vs. Will (2, Insightful)

Anonym0us Cow Herd (231084) | more than 11 years ago | (#6614633)

After all, Microsoft has got a pretty firm hold on the bureaucrats in charge.

When you've got them by the balls, you don't need to hold all that firmly.

Re:Can vs. Will (5, Insightful)

keester (646050) | more than 11 years ago | (#6614657)

The fact is that developers can now start recommending Linux. Anti-Linux / Pro-Windows people can no longer use the excuse that Linux isn't an "approved" OS.

Surprisingly, it can be hard to convince most people in government positions, civil service, military, contractors, etc., that _we_ don't want to pay for Windows licenses, and _we_ don't always need to spend waaayyyy too much money on waaayyyy too much hardware.

This is great news for people that work for the government. Kudos to IBM for footing the bill on this, as it is an expensive process.

Re:Can vs. Will (4, Interesting)

jellomizer (103300) | more than 11 years ago | (#6614683)

Well IBM is a force to be reckoned with as well. In some ways a little more than Microsoft. Especially in New York State, where almost all the agencies use IBM products. But it was IBM who brought Microsoft into the mainstream. And they can probably bring Linux into the mainstream. It will not be an overnight adoption but a gradual one.

Re:Can vs. Will (3, Interesting)

4of12 (97621) | more than 11 years ago | (#6614700)


Just because the government can consider buying Linux, doesn't mean it will.

Correct. And it's true that no one ever got fired for buying Microsoft.

But much of the Linux deployment in government up to this point has been precisely because it can be had for no official government expenditure. It's always harder to get money for projects than it is to get money to keep your existing people. Those people have been doing some testing of Linux.

Shoestring Linux projects have proven themselves to be not only cost-effective, but generally reliable and useful.

Given that prototype testing already in place, authorizing incremental purchases to add on to that base of Linux functionality is an easier decision than if it were made cold, without any evidence to support.

GOODBYE, SLASHDOT (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6614483)

Adequacy.com, here I come.

P.S. I won't miss you.

Just wondering.. (4, Interesting)

CausticWindow (632215) | more than 11 years ago | (#6614484)

What are the ratings and how do other common OSes score? Anybody know?

Re:Just wondering.. (5, Informative)

nakhla (68363) | more than 11 years ago | (#6614528)

I believe Linux received an EAL 2. Windows 2000, however has received an EAL 4. An EAL 4 involves more security checks and requirements.

Re:Just wondering.. (5, Informative)

Anonymous Coward | more than 11 years ago | (#6614658)

You can get an overview at networkcomputing.com [nwc.com] or at the common criteria [commoncriteria.org] web site.

Re:Just wondering.. (5, Informative)

Anonymous Coward | more than 11 years ago | (#6614565)

Check out here: http://www.commoncriteria.org/ [commoncriteria.org]

Re:Just wondering.. (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6614590)

Linux has some catching up to do until it's secure as Windows, given that Linux was put together by a professional company, whereas Windows was just knocked up by amateurs around the world.

Uh, no..wait..I mean...

Re:Just wondering.. (3, Insightful)

gurisees (315528) | more than 11 years ago | (#6614599)

Try the CCEVS home page... Here [nist.gov] you can find the Validated Products List.

Re:Just wondering.. (1)

WARM3CH (662028) | more than 11 years ago | (#6614655)

Check this [commoncriteria.org] list. As you can see there are mostly *nix based systems and also Win2K listed as EAL4 and no, XP is not there!

Another link (5, Informative)

manduwok (610836) | more than 11 years ago | (#6614487)

CNN.com [cnn.com] has this story too.

Re:Another link (4, Informative)

plaa (29967) | more than 11 years ago | (#6614628)

The CNN article (as some others I found using Google News) points out a few important facts that were omitted from the Yahoo story. A few important quotes:

Linux was certified as providing only "low to moderate" security, compared with the same group's certification as "moderate to high" last year of the security of Microsoft's Windows 2000 software. Supporters said Linux software, whose popular mascot is a penguin, was under testing for better-security ratings.


So it isn't yet certified at the same level as Windows.

The approval, being announced Tuesday, involves only one version of Linux, from SuSE Linux AG, a vendor based in Nuremberg, Germany, when the software is installed on a particular line of IBM's server computers. IBM, which paid roughly $500,000 for the testing, and SuSE were announcing the certification jointly.


So if anybody else wants to be selling Linux to the US government, they have to shell out those hundreds of thousands of dollars themselves.

So maybe not much use for the overall community, but certainly a landmark in the history of Linux, and it shows that it certainly can be done!

as they say ... (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6614488)

Locked and loaded !!

Finally confirming it (1)

AndyFewt (694753) | more than 11 years ago | (#6614498)

What this means is that government can consider Linux when making purchasing decisions.
I thought they already could and have in most cases. Now they have the extra bit of paper which says it's ok to use it though.

Linux got the highest rating possible.
Would you expect anything less?

Big win for Linux! (5, Informative)

Anonymous Coward | more than 11 years ago | (#6614501)

Microsoft set out to get Win2K certified and only completed the process last October according to . [entmag.com]

Linux now has the upper hand because MS does not yet have XP certified.

Re:Big win for Linux! (3, Insightful)

Dot.Com.CEO (624226) | more than 11 years ago | (#6614555)

XP is a desktop OS, and hardly needs security certification of that level. Windows 2003 server just came out a few months ago. Give it time. I bet the Linux configuration that was certified was not exactly 2.5 kernel material running debian unstable.

Re:Big win for Linux! (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6614572)

uhhh.... XP Server Edition?

Cool ;-) IBM forked over the few million.... (3, Interesting)

Creepy Crawler (680178) | more than 11 years ago | (#6614505)

Hey, you really can't go wrong with an open source, GPL'ed operating system where drivers are written by guys from NASA (Thanks Mr. Becker), and your security ACL's are written by the Spooks (heh, thanks NoSuchAgency ;-).

It REALLY beats closed source OS'es (for govt's) as even our own MS of America won't let us see the code because it's "dangerous". However showing the Chinese is A-OK.

Gotta make you think: what would our gov't choose if they didn't have their hand in MS'es pocket?

Re:Cool ;-) IBM forked over the few million.... (1)

trg83 (555416) | more than 11 years ago | (#6614616)

I don't want to nitpick about your subject line, but one of the articles I read said IBM spent $500,000 to obtain the certification.

Let's hope Microsoft follows (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#6614509)

Oh nos! BSOD!
lololololololol I made a M$ funny!

PS: SCQ sux.

Red Hat / Oracle (4, Interesting)

jmkaza (173878) | more than 11 years ago | (#6614515)

According to this [com.com] article, Red Hat and Oracle are working on gaining the same level of certification by the end of the year.

Kernel or distro? (3, Insightful)

NineNine (235196) | more than 11 years ago | (#6614522)

So what I want to know is anything with the Linux kernel good to use, or just SUSE? Call me nuts, but I thought that different distributions using the Linux kernel could be pretty damn different as far as security and stability go.

Re:Kernel or distro? (1)

DarkAurora (324657) | more than 11 years ago | (#6614550)

Probably just the SuSE distro with a specified set of settings. To make NT 4.0 "C2 secure" (what the Common Criteria specification used to be called) you had to install something that would set things up properly. I don't believe you have to do this with W2K, but there still is a specified setup that is "secure" not the OS itself.

Re:Kernel or distro? (1)

jpc (33615) | more than 11 years ago | (#6614553)

It will be for a specific version. That's partly why it is a pain to get, as by the time you do the shipped version might be obsolete. Presumably IBM and Suse will sell this specific version labelled as such, with an installer that only installs the right parts.

Re:Kernel or distro? (1)

azzy (86427) | more than 11 years ago | (#6614564)

Well if you put together a wide open distro using linux, that can be cracked by 1yr old babies, no, it won't be secure. To say a system is secure or not requires an analysis of more than just the kernel. Hence a secure label needs to be obtained on a per distro basis I suppose.

Re:Kernel or distro? (1)

afidel (530433) | more than 11 years ago | (#6614597)

Only that exact config of Suse on that hardware if it is like the C2 security certifications.

Re:Kernel or distro? (1)

AKnightCowboy (608632) | more than 11 years ago | (#6614611)

So what I want to know is anything with the Linux kernel good to use, or just SUSE? Call me nuts, but I thought that different distributions using the Linux kernel could be pretty damn different as far as security and stability go.

ObRMS: The headline and article mention Linux, therefore only the kernel is certified. If they had said GNU/Linux then they are referring to the entire operating system distribution which is comprised mainly of GNU tools. :-)

More importantly..... (-1)

TheScienceKid (611371) | more than 11 years ago | (#6614526)

....will this rating increase the value of my property and save me money on my home insurance? :D

(note for the humour impaired - this was a joke)

What about BSD? (2, Interesting)

dodell (83471) | more than 11 years ago | (#6614527)

Please spare me of all the "BSD SUCKS" and "BSD IS DEAD" flames. Kthx.

Ignoring the fact that IBM markets Linux and not BSD, why haven't corporations made genuine efforts to get it accepted in environments such as the government. The article doesn't make it clear whether or not they're talking about serving or usability.

It seems to me that if they're talking about security and such, there's still a bit left to be desired. Additionally, SuSE is by no means the most standard (IMO, it's the most backward) distribution of Linux.

I'd be interested in learning why more companies don't take a look into BSD environments. The security is there. The license is TOTALLY unrestrictive. It's stable, secure, well documented and well accepted (except on /.) -- why doesn't it get more corporate love?

Re:What about BSD? (2, Insightful)

eer (526805) | more than 11 years ago | (#6614582)

Because it lacks the corporate hype that Red Hat, et al, gave to Linux.

What I'm trying to figure out is, "What's important? The kernel or the glibc?"

Apps written to glibc will run on GNU/HURD, Linux, Lava, and other kernels, too. Technically, that's a better story. But business wise, the brand in people's mind is "Linux".

Re:What about BSD? (-1)

Anonymous Coward | more than 11 years ago | (#6614603)

The End of FreeBSD

[ed. note: in the following text, former FreeBSD developer Mike Smith gives his reasons for abandoning FreeBSD]

When I stood for election to the FreeBSD core team nearly two years ago, many of you will recall that it was after a long series of debates during which I maintained that too much organisation, too many rules and too much formality would be a bad thing for the project.

Today, as I read the latest discussions on the future of the FreeBSD project, I see the same problem; a few new faces and many of the old going over the same tired arguments and suggesting variations on the same worthless schemes. Frankly I'm sick of it.

FreeBSD used to be fun. It used to be about doing things the right way. It used to be something that you could sink your teeth into when the mundane chores of programming for a living got you down. It was something cool and exciting; a way to spend your spare time on an endeavour you loved that was at the same time wholesome and worthwhile.

It's not anymore. It's about bylaws and committees and reports and milestones, telling others what to do and doing what you're told. It's about who can rant the longest or shout the loudest or mislead the most people into a bloc in order to legitimise doing what they think is best. Individuals notwithstanding, the project as a whole has lost track of where it's going, and has instead become obsessed with process and mechanics.

So I'm leaving core. I don't want to feel like I should be "doing something" about a project that has lost interest in having something done for it. I don't have the energy to fight what has clearly become a losing battle; I have a life to live and a job to keep, and I won't achieve any of the goals I personally consider worthwhile if I remain obligated to care for the project.

Discussion

I'm sure that I've offended some people already; I'm sure that by the time I'm done here, I'll have offended more. If you feel a need to play to the crowd in your replies rather than make a sincere effort to address the problems I'm discussing here, please do us the courtesy of playing your politics openly.

From a technical perspective, the project faces a set of challenges that significantly outstrips our ability to deliver. Some of the resources that we need to address these challenges are tied up in the fruitless metadiscussions that have raged since we made the mistake of electing officers. Others have left in disgust, or been driven out by the culture of abuse and distraction that has grown up since then. More may well remain available to recruitment, but while the project is busy infighting our chances for successful outreach are sorely diminished.

There's no simple solution to this. For the project to move forward, one or the other of the warring philosophies must win out; either the project returns to its laid-back roots and gets on with the work, or it transforms into a super-organised engineering project and executes a brilliant plan to deliver what, ultimately, we all know we want.

Whatever path is chosen, whatever balance is struck, the choosing and the striking are the important parts. The current indecision and endless conflict are incompatible with any sort of progress.

Trying to dissect the above is far beyond the scope of any parting shot, no matter how distended. All I can really ask of you all is to let go of the minutiae for a moment and take a look at the big picture. What is the ultimate goal here? How can we get there with as little overhead as possible? How would you like to be treated by your fellow travellers?

Shouts

To the Slashdot "BSD is dying" crowd - big deal. Death is part of the cycle; take a look at your soft, pallid bodies and consider that right this very moment, parts of you are dying. See? It's not so bad.

To the bulk of the FreeBSD committerbase and the developer community at large - keep your eyes on the real goals. It's when you get distracted by the politickers that they sideline you. The tireless work that you perform keeping the system clean and building is what provides the platform for the obsessives and the prima donnas to have their moments in the sun. In the end, we need you all; in order to go forwards we must first avoid going backwards.

To the paranoid conspiracy theorists - yes, I work for Apple too. No, my resignation wasn't on Steve's direct orders, or in any way related to work I'm doing, may do, may not do, or indeed what was in the tea I had at lunchtime today. It's about real problems that the project faces, real problems that the project has brought upon itself. You can't escape them by inventing excuses about outside influence, the problem stems from within.

To the politically obsessed - give it a break, if you can. No, the project isn't a lemonade stand anymore, but it's not a world-spanning corporate juggernaut either and some of the more grandiose visions going around are in need of a solid dose of reality. Keep it simple, stupid.

To the grandstanders, the prima donnas, and anyone that thinks that they can hold the project to ransom for their own agenda - give it a break, if you can. When the current core were elected, we took a conscious stand against vigorous sanctions, and some of you have exploited that. A new core is going to have to decide whether to repeat this mistake or get tough. I hope they learn from our errors.

Future

I started work on FreeBSD because it was fun. If I'm going to continue, it has to be fun again. There are things I still feel obligated to do, and with any luck I'll find the time to meet those obligations.

However I don't feel an obligation to get involved in the political mess the project is in right now. I tried, I burnt out. I don't feel that my efforts were worthwhile. So I won't be standing for election, I won't be shouting from the sidelines, and I probably won't vote in the next round of ballots.

You could say I'm packing up my toys. I'm not going home just yet, but I'm not going to play unless you can work out how to make the project somewhere fun to be again.

= Mike

--

To announce that there must be no criticism of the president, or that we are to stand by the president, right or wrong, is not only unpatriotic and servile, but is morally treasonable to the American public. -- Theodore Roosevelt

Re:What about BSD? (0)

Anonymous Coward | more than 11 years ago | (#6614685)

The "TOTALLY unrestrictive" license might be part of the problem.

If the business is trying to leverage the community to outsource part of its development work, the GPL makes more sense because any competitor that extends the code has to give it back to you too.

The BSD license only makes sense if your business model is to add closed extensions to free software and sell it.

If, however, your business model is to commoditize, say, operating systems and sell services, hardware, and large business applications on top of it, the GPL rules. You can donate code to the OS and not worry about proprietary forks.

The GPL enforces a common code base to build upon. That's why with Linux, we don't have to worry about yet another iteration of the Unix wars.

omg BSD sux lol (0, Troll)

Ralp (541345) | more than 11 years ago | (#6614692)

more liek BSOD am i rite??

P.S. a/s/l?

Re:What about BSD? (0)

Anonymous Coward | more than 11 years ago | (#6614701)

Because it's old. Not that there is anything wrong with being a well established and time tested operating system, but we are the ADD society. Linux is the shiny new operating system that caught the press's and management's attention only just recently. BSD started to go there years ago but was overwhelmed with FUD. It survived, but it has lost its "shiny new" status. The best ideas or ways of doing things rarely win out over the ones with the most momentum/hype. Not that I'm saying BSD is inherently better than Linux - just that it doesn't have the wave of shiny newness pushing it up the executive elevator shaft.

Re:What about BSD? (2, Insightful)

wawannem (591061) | more than 11 years ago | (#6614707)

There are many reasons why BSD should be ahead of the game, but unfortunately it is not. I wish I had some real numbers, but I remember having one of my BSD zealot friends run a command and pipe it to wc to see how many packages were available in the BSD ports tree. At that time there were about 2,000. I was impressed, until:

[wawannem@weswlinux]:/home/wawannem
$ apt-cache dump | wc -l
100543

I think this is what really makes the case for linux. It is sort of a Catch-22, there is more software available for linux, so more software is created for linux.

Re:What about BSD? (0)

Anonymous Coward | more than 11 years ago | (#6614727)

It is official; Netcraft now confirms: *BSD is dying

One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last [samag.com] in the recent Sys Admin comprehensive networking test.

You don't need to be a Kreskin [amazingkreskin.com] to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood.

FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying.

Let's keep to the facts and look at the numbers.

OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.

All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.

Fact: *BSD is dying

It must really be secure then... (4, Interesting)

Dot.Com.CEO (624226) | more than 11 years ago | (#6614530)

I mean, look at all the other level 4 assurance level OSs here [commoncriteria.org] . Of course, Windows 2k has had this certification since last year AND Microsoft has prepared a nice guide for ensuring compliance to the common criteria guides for the Windows Sysadmin. I'm very glad that Linux will be able to compete with Windows on a bureaucratic level as well as on technical merit, but perhaps there is a slight overreaction from the part of the /. editors?

Secure enough to persuade your PHB. (2, Informative)

aug24 (38229) | more than 11 years ago | (#6614649)

I think the biggest aspect of this news is not that Linux is especially secure, but that it is good enough to get a security classification.

This will carry a lot of weight to any argument with a PHB or similar.

J.

Re:It must really be secure then... (5, Funny)

Mr Bill (21249) | more than 11 years ago | (#6614676)

Microsoft has prepared a nice guide for ensuring compliance to the common criteria guides for the Windows Sysadmin

Does it include removing the Ethernet card from the system???

Linux in Government (5, Interesting)

Sogol (43574) | more than 11 years ago | (#6614532)

I'm a sysadmin for a large government data center. We've been using Linux in production for years, and we always purchase boxed distributions, even some preconfigured(!) machines from Dell. Government regulations do, however, prevent me from ordering Windex and Duster. These are considered janitorial supplies, and there is no justification in Information Systems procuring these items. So frankly, I'm not sure what all the fuss is about. Things look a lot different on the ground.

Great! Now... (-1, Offtopic)

csoto (220540) | more than 11 years ago | (#6614533)

can they do anything about the choices of toilet paper available at most federal offices? My rhoids can't take much more of this rough Homeland Security teepee...

Safe for medical storage info ? (1, Interesting)

Anonymous Coward | more than 11 years ago | (#6614535)

Does this mean that it is safe/legal to use linux on a machine used to store medical information, in compliance with HIPAA and other mandated privacy policies?

Re:Safe for medical storage info ? (0)

Anonymous Coward | more than 11 years ago | (#6614648)

Nope.

HIPAA mandates that only certain groups (doctors, medicaid) can view such data, and sets up a ton of hoops for other people to view or know it, even with your approval. It says virtually nothing about how they must store it.

It's a ridiculous law. I work with software for EMTs, fire stations and cops, and basically, if you have a heart attack and call an ambulance, they cannot keep any record of it.

They also cannot know if you're allergic to penicillin, this is your third heart attack, have AIDS, etc. If they remember you from your last heart attack, they're in violation of the law.

Over-hype - not highest rating possible (5, Informative)

eer (526805) | more than 11 years ago | (#6614539)

The EAL2+ assurance level achieved is NOT the highest rating possible by a long, long shot - it's actually close to the lowest [commoncriteria.org] . But, it's a great start.

IBM and SuSE say they're working on a higher level CAPP evaluation, which roughly equates to the old C2 TCSEC criteria.

Very good news... (1)

IWorkForMorons (679120) | more than 11 years ago | (#6614543)

...but what does it mean in the end? Nothing at all, since MS is branded onto the forearms and foreheads of most politicians? Or will Linux become the next tool for monitoring its citizens? Hopefully neither. Hopefully, instead, big businesses like Red Hat and Suse (through IBM) will begin lobbying the government with the same strength and voracity that MS and others have been for years. Then we can begin to see some real change, even if we have to use some of the same slimy tactics.

SEP! (-1)

Anonymous Coward | more than 11 years ago | (#6614547)

Somewhat Early Post for Me!

simple question for someone in the know... (2)

jeffy124 (453342) | more than 11 years ago | (#6614548)

what kind of items are covered in the Common Criteria?

Re:simple question for someone in the know... (2, Interesting)

stratjakt (596332) | more than 11 years ago | (#6614717)

Why, just a bunch of bullshit rhetoric. [commoncriteria.org]

What, you thought government certifications mean something?

It's just bureaucracy. If it means anything, it means the OS exists. Keeps them from buying too much vaporware.

In Mother Russia ... (-1)

Anonymous Coward | more than 11 years ago | (#6614552)

You don't clinch security,
Security clinches YOU.

Re:In Mother Russia ... (-1)

Anonymous Coward | more than 11 years ago | (#6614638)

OK, firstly, it's SOVIET RUSSIA. Secondly, it's a one liner. Capitalization is important, as are appropriate exclamation points.

Eg:

In Soviet Russia... (Score:0)

SECURITY clinches YOU!!

Please don't troll if you don't know what you are doing. Somebody might get hurt.

Re:In Mother Russia ... (0)

Anonymous Coward | more than 11 years ago | (#6614716)

More like....

In Soviet Russia... (Score: -100, Tired old joke that none likes)

SECURITY clinches YOU!!

<3 IBM (1)

mcgroarty (633843) | more than 11 years ago | (#6614561)

Suddenly I'm just starting to love IBM more and more these days :-)

Re:<3 IBM (1)

LucidityZero (602202) | more than 11 years ago | (#6614698)

Suddenly I'm just starting to love IBM more and more these days :-)

Isn't it interesting how in slightly over a decade, IBM has gone from being sworn enemy of geeks all over the world, to best ally?

What will we be thinking about Microsoft in 10 or 15 years?

*Which* Linux is certified, actually? (1)

Urkki (668283) | more than 11 years ago | (#6614570)

Article quote: "International Business Machines Corp. and Linux distributor SuSE said on Tuesday that they received the highest level of security evaluation used by governments when deciding to use software in their organizations."

So does that mean that a specific version of Suse is certified, and nothing else? So what about Red Hat etc? Or future Suse versions? I presume they'd have to get another certification (probably easier after Suse got the 1st one, but anyway).

Re:*Which* Linux is certified, actually? (1)

arivanov (12034) | more than 11 years ago | (#6614610)

Specific version of SuSe at a specific patch level with specific software running on specific hardware with a specific network configuration.

gov't applications (1)

avageek (537035) | more than 11 years ago | (#6614577)

first off, the certification validates that they can consider this specific distro of linux on certain IBM machines for *secret* uses. They certainly could have (and most likely have) used linux on other types of applications and such, but they couldn't, say, set up a linux box on a secret LAN or mission critical applications.

CC4Linux (1)

eb676324be5598948888 (684612) | more than 11 years ago | (#6614578)

EAL2 != Security
CC EAL<n> [commoncriteria.org]
I would like to have EAL5 or better...

Wrong. Wrong wrong wrong... (4, Informative)

kiwimate (458274) | more than 11 years ago | (#6614584)

IBM has gotten Linux certified

Correction -- they got SuSE Linux certified. This only applies to SuSE. Incidentally, it cost them $500,000.

Linux got the highest rating possible

No it didn't. FUD. According to this story [philly.com] ...

Linux was certified as providing only "low to moderate" security, compared with the same group's certification as "moderate to high" last year of the security of Microsoft's Windows 2000 software. Supporters said Linux software was under testing for better-security ratings.

In fact, I'd suggest people look at the story in the Inquirer linked above -- it gives a little more information as well as some light commentary.

Re:Wrong. Wrong wrong wrong... (-1)

Anonymous Coward | more than 11 years ago | (#6614640)

Mod parent down.

-999999999999999, Inconvenient Fact.

Some more info from SuSE (1)

kiwimate (458274) | more than 11 years ago | (#6614702)

Their press release [suse.com] .

From that release...

SuSE Linux Enterprise Server 8 has achieved Common Criteria Security running on IBM eServer xSeries.

Suse running on IBM (0)

aplank (678451) | more than 11 years ago | (#6614601)

The article seems to imply that only Linux running on IBM computers and SuSE Linux have been certified. Is the certification *any* distro running on IBM and SuSE running on *any* computer or is it just SuSE running on IBM?

NOT highest possible rating sez CNN (3, Informative)

bourne (539955) | more than 11 years ago | (#6614602)

CNN has a different version [cnn.com] of the story:

Linux was certified as providing only "low to moderate" security, compared with the same group's certification as "moderate to high" last year of the security of Microsoft's Windows 2000 software. Supporters said Linux software, whose popular mascot is a penguin, was under testing for better-security ratings.

I would guess that IBM wanted to go for the faster, cheaper rating first and wait to get it certified higher. Common Criteria testing is expensive and time-consuming. It isn't a statement on Linux, it says more about how much got spent this time around.

windows certifications (4, Informative)

non (130182) | more than 11 years ago | (#6614608)

if you're curious about some of the history of microsoft and the certification of windows for government work, click here [gcn.com], and look elsewhere for the story of ed curry. it's been linked to here on slashdot before.

if you want to know more about the eal4 certification that windows 2000 sp3 currently has, click here [jhu.edu].

Playing D.A. here.... (2, Interesting)

tomstdenis (446163) | more than 11 years ago | (#6614614)

I'm not sure that the government adopting OSS is such a good idea. I mean when something doesn't work who is held accountable? Linus? Alan? ...?

At least with proprietary technology there is the promise of accountability [*] in the product.

[*] Yes I know this would mean Microsoft. DA damnit!

Tom

In other news... (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6614617)

From USAToday [usatoday.com] :

EFF urges RIAA to change legal tune
By Jefferson Graham USA TODAY
The Recording Industry Association of America just hired a new CEO, at a salary of $1 million a year.
Meanwhile, the Electronic Frontier Foundation, its legal nemesis, exists on a total annual budget of $2 million, doled out in small checks to fight government and industry opponents in battles over online song swapping, privacy, computer hacking and other Internet related issues.

"We are defending the constitution," says John Perry Barlow, 55, a former Grateful Dead lyricist, cattle rancher and writer, who co-founded the EFF in 1990. "The desire to share information is second only to sex and basic survival in terms of human motivation. The record labels and movie studios are convinced they have the means to control this, and we can't allow that to happen."

EFF, located on a rundown street in San Francisco's Mission district, is the leading advocate for consumer rights in the RIAA's plans to sue hundreds of song swappers. The non-profit EFF, which has 23 staffers, recently put up a database on its eff.org Web site to let worried users of pirate file-sharing services check to see if their screen names are listed on the over 1,000 subpoenas that have been filed by the RIAA for possible lawsuits. EFF has also launched a "Let the Music Play" ad campaign promoting alternatives to litigation.

Even while sounding the alarm, executive director Shari Steele admits the RIAA's stance towards music fans is the best thing that ever happened to the EFF.

"In the past, we were getting five to 10 new members per day," she says. "Now we're up to 60 to 70. Our site almost went down the other day due to its popularity. This is the busiest we've ever been, by far."

Sarah Deutsch, associate general counsel for Internet provider Verizon, assumed at first that the EFF was some scrappy, "radical," San Francisco fringe group. But as she got to know them, she saw that "they know the law inside and out. They make very compelling arguments."

EFF filed a brief in support of Verizon in its battle with the RIAA over the Internet provider's refusal to reveal names of subscribers accused of swapping music, a case Verizon lost but is appealing.

Unlike Verizon, which makes its money from subscriber fees, or the RIAA, whose dues are paid by the five major record labels, EFF's annual budget comes mostly from computer users, in membership fees averaging $65. Corporate money is rare. None of EFF's well-financed neighbors -- Apple, Intel, Palm, Google, Hewlett-Packard -- has pitched in a cent. Neither have friends such as Verizon.

"Corporations don't like us, because we can't guarantee that we'll be on their side," says Steele. "We take positions early, and that makes people uncomfortable."

The "Let the Music Play" ad campaign, kicked off this month in Rolling Stone, "was a huge gamble," says legal director Cindy Cohn. "For the money we spent in Rolling Stone alone, that was the yearly salary of two employees." Ads also are planned in Spin and other music magazines.

EFF chose to do it because "we can either save this thing or it will drown," says Cohn. "Congress needs to hear from the people, not the corporations and their big campaign contributions. Look at what happened with the FCC," she says. New regulations easing radio and TV station ownership touched off a public backlash so intense the House voted 400 to 21 to overturn the rules, despite the threat of a presidential veto.

"It proved that when people make their voice heard, lawmakers listen," Cohn says.

The RIAA declined comment for this story, but James DeLong, a senior fellow with D.C. advocacy group the Freedom and Progress Foundation, says, "The EFF's basic stance on most issues is plain wrong."

Unlike the EFF, the FPF, which supports the RIAA and the new FCC rules, lists corporate sponsors such as Microsoft, AOL Time Warner and Amazon. DeLong says the RIAA has no other choice but to sue song swappers. "They have to enforce their copyrights. I don't see how you can compensate the artist any other way."

For now, with the RIAA readying hundreds of lawsuits against swappers, "we're trying to gear up," says Steele. "We can't take them all on. We'll pick and choose, and try and support the ones who are the worst victims of the RIAA's greed."

The EFF is online at eff.org.

Linux got the highest rating possible. (1)

514x0r (691137) | more than 11 years ago | (#6614627)

is it too late for the dept. of homeland surveillance to switch or are they satisfied with the security that can be broken by a midi file?

what did m$ get on this anyways?

Like this made any difference before? (1, Informative)

Anonymous Coward | more than 11 years ago | (#6614646)

I know the agency I work at follows these ridiculous regulations only when they fall in line with what they were planning on purchasing anyway. For example, most of the security products we use are not FIPS 140-1 compliant anyway. Who cares?

Won't they need to re-cert constantly ?? (2, Interesting)

Anonymous Coward | more than 11 years ago | (#6614669)

Being that Linux is ever evolving and in a constant state of change, wouldn't that mean constant recertification ?

CmdrTaco's real name is Jayson Blair (1, Interesting)

Anonymous Coward | more than 11 years ago | (#6614672)

SuSE got the lowest possible passing rating, not the highest.

As someone else mentioned, IBM probably went for the cheapest testing first.

But that does not change the fact that you deliberately told an untruth.

Are there any secure Os's out there? (3, Interesting)

sirrube (622137) | more than 11 years ago | (#6614688)

If Linux only got Low2Moderate - and Windows2k got Moderate2High. Are there any off the shelf OS's that rank equal or better to win2k or is Windows2k the only one out there? Thinking of all the security breaches in Windows2k a Low2Moderate score does not impress me nor does Microsoft when it comes to Security.

Re:Are there any secure Os's out there? (4, Funny)

dema (103780) | more than 11 years ago | (#6614720)

Mac OS X.....duh!

When was the last time someone made a virus for a mac?

Security By Lack Of Popularity they call it. (:

Alone on Earth (1)

i-neo (176120) | more than 11 years ago | (#6614695)

government can consider Linux

As often, article writers are a bit egocentric. Did you know there are several governments in here?

To the article author: I give you 1 troll point :)

High and higher (4, Funny)

Rutje (606635) | more than 11 years ago | (#6614706)

Linux got the highest rating possible

The highest rating for linux is Bill Gates using it (secretly at home)!

The obligatory flamebait defending the facts (3, Insightful)

Drestin (82768) | more than 11 years ago | (#6614722)

Windows has had a higher level rating for over a year now. There are nice Word DOCs available to tell you exactly how to obtain the same (or higher) level of security as tested.

Linux was certified as providing only "low to moderate" security, compared with the same group's certification as "moderate to high" last year of the security of Microsoft's Windows 2000 software.

Now as windows advocates were forced to admit, a security rating is about as useful(/useless) as a TPC-C benchmark. It's a test under controlled circumstances and the real world is never this controlled - but it does compare apples to apples. No serious advocate of either would blindly consider the other to be utterly secure or unsecure; but I think the /. editors have jumped the gun both factually (it's not the highest rating possible, it's the lowest rating possible) and enthusiastically. I mean, would this story have made it if the headline read "Linux finally achieves a security rating lower than Windows 2000"?

Windows XP and 2003 are currently under testing but it takes time so please don't reveal your ignorance by announcing that Linux must be more secure than either of those since they haven't been certified yet. XP is every bit as secure and more than Windows 2000 and 2003 is far more secure than any other Windows release. That they'll be certified is not a question but just a matter of time.

Flame away - the karma rating here is meaningless as it's nearly effortless to get "Excellent" and maintain it.
