Unix & X-Windows on 386SX

Lee Story lee at wang.com
Fri Dec 14 04:54:40 AEST 1990


---------------------
This is specifically in response to Mr. Schwake's comment that C2 security
isn't "part of the government", but rather "a certain level of security".
(Perhaps the general discussion belongs in another group, but......)

I must agree with the former poster (Davidsen?).  The "orange book" DoD
security mandates certain technical ways of achieving a secure system, to
wit, compartmentalization, access control lists, etc. (not all of which
come into play at the C2 level); while this *determines* "a certain level
of security", it is more than that.  For example, encryption is not
considered acceptable for most purposes:  if it's too weak, the "enemy"
can break it; if too strong, the National Security Agency can't.  The
same people who determine these standards want to try to make it a crime
to send public domain information (e.g., DES implementations) to other
countries.  (I'm planning to send everyone I know in Europe and Latin
America a copy of the requisite pages of Tanenbaum's book for Christmas.)

Now I admit that a very few commercial users may have the same sort of
concerns as DoD (for example, funds transfer systems), but the majority
of us would have to be wholly irrational to take on the additional
complexity of DoD-style security in exchange for the marginal improvement
offered.  The favorite ploys of vendors are:

(1)  to imply "if it's good enough for the Department of Defense, it's
     good enough for you";

(2)  to offer "C2 (or higher) -certifiable" systems without actually
     having (any intention to) certify them, thus leaving the way open
     for any number of breaches, especially from below (in old system
     software -- it's still basically the AT&T System V code base, with
     "hooks" and "fixes" here and there).

My company sells SCO Unix and ODT.  I think they are good products.
We use and sell it not only on PCs but on i486-based timesharing systems.
I don't know ANY developer who wouldn't pay a few bucks out of their
own pockets to have the additional security "feature" completely removed.

------------------------------------------------------------------------
Please don't hold Wang Labs or Rick Miller or for that matter
anyone else except me responsible for these damfool opinions.
------------------------------------------------------------------------
Lee Story (lee at wang.com)
Wang Laboratories, Inc.
Lowell Massachusetts 01851



More information about the Comp.unix.sysv386 mailing list