"Microsoft writes some damn good code."
So, why do I simply have a .doc screwed up like 20 years ago when I pass it from one machine to another? More than with Open Documents? How damn complicated would you make it to preserve a layout? Or, while you have no concurrence because of the 040 1234567 magic activation code of Office 97 that let you conquer the monopoly in Office suites, will you continue responding that I should not expect a document editor to preserve the layout on another machine, even with the same version/patch level of the same damned application???
Why is XP's DNS so damn flawed that if I don't specify the DNS server an XP machine would thrash for 5 minutes before logging into a 2K server domain?
Why should a Windows server running Terminal Server be rebooted weekly or more to be stable?
Why did MS for years use Vigenère crypto (xor with "Netscape programmers are weenies"), which was considered outdated since the beginning of the 20th century (Vernam's studies are of 1911)?
Why are some passwords in Office formats saved in the clear in the document, so that they can be trivially recovered with a hex editor or a silly recovery program?
Why was IE development frozen for years, making it the most flawed browser in the world? (Same thing for Outlook and OE.)
Why in 20 years can I not have a decent command line comparable to x* under Windows?
Why in 20 years haven't you released a decent bundled IDE for Windows like XCode for OSX and KDevelop for Linux?
Why in 20 years haven't you released a decent image editor?
Why was the old Media Player of the 98-NT4 era capable of saving videoclips, and now with the new DRM features of the newer Media Player I'm no longer able to take even screenshots??? Not to mention the lack of features comparing your MP to a free product, Videolan VLC!
Why can I easily connect machines with VNC without caring about the OS, and your remote desktop is so shy?
I won't call it "great code"
Never seen this issue.
Also, never seen this issue.
I never have to reboot my server (which runs terminal clients 24/7, amongst many other things). But I am on Server 2003.
Can't honestly say I know what you are talking about here so I'll move on.
Because it's just a simple password system. They do have a more fully functional system, with a server and such to track the documents, DRM them, etc...
IE development froze because 1) Nobody was anywhere near where IE was for quite some time, and 2) Because they got lazy. Outlook development was never frozen, though OE was, as it is considered part of IE.
No IDE because they would probably get in trouble with the DOJ. BUT, they do now offer a VS Express, which is pretty nice.
What do you mean by decent image editor? Paint is for basic functionality and not really meant for image editing. There are other things (available for free from MS), but they would also get in trouble for shipping these with the OS.
You can actually take screenshots of movies; you have to disable the hardware acceleration feature though. This is in no way, shape or form DRM.
Because remote desktop uses the RDP protocol, which is only available on Mac (client only) and Windows.
There are maybe 2 good points here (not really points either). The rest is because you didn't know how to go about doing these things.







Okay, I'll bite...
I was one of the engineers who worked on the CC eval for W2K3 and XP. What a lot of people don't understand is what the CC is really intended to do. It's designed to evaluate the security DESIGN of an application, not necessarily the implementation. (At least, at this EAL. At higher EALs there are requirements for vulnerability assessments, etc.) This involves security checking when performing security-related actions, and then audit logging these actions appropriately. However, if a buffer overflow vulnerability exists 2 lines before this security check, that is not within the scope of this particular evaluation.
To all the open-source fanatics out there who criticize Microsoft code, let me tell you: Microsoft writes some damn good code. Not only that, it is FAR more complex than you would think. In addition, it's relatively well architected, so the pieces fit together quite well. Are there security holes? Of course. Any application or OS of that size is going to have security holes. Is Linux more secure just because it's open source? No. Linux is generally more secure because it lacks the complexity and many of the features of W2K3.
Now, some discussion has been made regarding the scope of the evaluation itself. It is true that Red Hat et al. have/will have their products certified at EAL 4 as well. However, it's important to note the difference in what the eval covers. With Red Hat, I don't believe it included any sort of centralized authentication. W2K3's eval included Active Directory. Smartcard authentication? Not in Red Hat. So, it's important to note that just because 2 products are evaluated at the same EAL, they're not necessarily equal.