Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Red Hat Software Software Businesses Linux

Red Hat, Oracle to get Gov't Certification for Linux 171

Mark writes "As this news.com article states, 'Red Hat and Oracle plan to announce on Thursday that the companies have teamed to get Linux evaluated under the Common Criteria, a certification that could open doors for the broader use of open-source software by government agencies.' It looks like this will be an important step in getting Linux to be more widely adopted in governments around the world."
This discussion has been archived. No new comments can be posted.

Red Hat, Oracle to get Gov't Certification for Linux

Comments Filter:
  • Germany (Score:5, Funny)

    by intermodal ( 534361 ) on Thursday February 13, 2003 @11:11PM (#5299609) Homepage Journal
    It's good to know the US Government is catching up technologically with the Germans...again...
    • Your .sig reminds me of the stupid SBC Yahoo DSL commercials I hear on the radio all the time, where they tell you how great Yahoo DSL is because it has a great homepage that will hold your hand as you explore the internet. Every time I hear their tag line ("it's internet that logs on to you!"), I can't help but thinking of all the bad In Soviet Russia jokes.
    • in 1918, and they've hardly bothered us since then. - Tom Lehrer

      KFG
    • Only last year the Dutch goverment made a commitment to use Open Source software.
      http://www.computable.nl/artikels/archi ef2/d50mh2i j.htm (in Dutch)

      Also the goverments of France and Spain funded Open Souce initiatives.
      http://www.osopinion.com/perl/story/ 18157.html

      Altough costs are a one of the big reasons for countries like Spain, the Dutch goverment believes that using Open Source software opposed to properietary software will improve quality, realibility, security and innovation of the software.

    • And politically, too!
  • What a positive (Score:2, Flamebait)

    by amigaluvr ( 644269 )
    Having 2 companies presenting a working solution like this. Not only do we know Linux is a good workable system, but this is a way to present it in its best

    Having a working solution already in place works for business. You can say "we have system X already go, and can set it up for you". It shows you are on the ball.

    Working for a certification like this is similar. Best solutions combine the strengths. What other pre-made solutions do users see as a good thing? perhaps systems such as linux plus apache. That's another well known one

    note: slashdot user 'danamania' is a transsexual. guy's watch out if you are talking to him
  • Frankly... (Score:5, Funny)

    by $$$$$exyGal ( 638164 ) on Thursday February 13, 2003 @11:17PM (#5299637) Homepage Journal
    "Frankly, there is a fair amount of disenchantment with Microsoft products because of security problems."

    Thanks for being frank. This should be a wake-up call for all slashdot users.

    --sex [slashdot.org]

    • Re:Frankly... (Score:5, Insightful)

      by mentin ( 202456 ) on Friday February 14, 2003 @12:22AM (#5299871)
      How would certification for EAL Level 2 would position Linux above Microsoft? Windows 2000 is already certified for EAL Level 4 (supposed to be more secure).

      And where are all those articles that were popular on /. when NT was certified, basically telling us that this Common Criteria is total crap? Is it not a crap anymore?

      • Re:Frankly... (Score:5, Interesting)

        by jeff4747 ( 256583 ) on Friday February 14, 2003 @01:10AM (#5300006)
        The NT crap comments arose because NT only got CC it's certification _without_ a network connection.

        And as for the other point, wouldn't level 2 be a step towards level 4? Ya gotta start somewhere, and level 2 opens a lot of doors.
        • Re:Frankly... (Score:1, Informative)

          by Anonymous Coward
          NT, yes, but all versions of Windows 2000 (from Professional to DataCenter) acheived EAL4 with full networking.
        • The NT crap comments arose because NT only got CC it's certification _without_ a network connection.

          Wake up, and stop spreading FUD. Not only "without a network" was NT4, but it also was completely different certification.

          For Common Criteria EAL 4 Microsoft certified Windows 2000, and with full networking.

  • RHAS again? (Score:3, Insightful)

    by lspd ( 566786 ) on Thursday February 13, 2003 @11:18PM (#5299640) Journal
    The companies plan to first push Red Hat Linux Advanced Server for a modest level of certification: Evaluation Assurance Level (EAL) 2.

    Sheesh... How much pushing does RHAS need? Show me a TCO study where RHAS at $800/server/year beats any free Linux distro. Simply plugging in a $800/server/year cost into most of the TCO studies I've seen makes Windows look like a bargain.
    • Re:RHAS again? (Score:5, Informative)

      by Anonymous Coward on Thursday February 13, 2003 @11:26PM (#5299683)
      RHAS is free...They don't provide an iso for you, but check their website, they do provide step-by-step instructions on how to "create" a RHAS installation for free.

      But for those that want service and don't want the hastle of putting all the pieces together they also provide a nice package.

      As far as windows a bargain, how much does quality node-balancing software cost (~$500), Quality Firewall (~$300), Advanced Server ($750), I could keep going but I think you get the picture. If you don't need HA then RHAS isn't a great deal, but then again if you do, MS doesn't have a competive product...say what you want about 2000&XP (big improvement over NT&9x), you can't call them HA.

      BTBTBT

      scooby
      • I'm not a GPL expert, so, I'll ask. What keeps someone from making a 3rd party iso of RHAS?
        • Re:RHAS again? (Score:3, Informative)

          by Anonymous Coward
          Nothing...except...I sort of fibbed...99% of RHAS is free, a tiny bit of the code is redhat's but not open source. But there are other free options to do these tasks (just not so pretty ones).

          BUT if you read redhat's site, they explicitly say that you can make your own ANYTHING based off their open source code (+ others), are sell it as their own. The only caveat is that you CAN'T use the RH logo or name to endorse your product...it HAS to be in your name, and show no direct affiliation (the most you can say is that it is based on RH, like Mandrake does/did).

          So if you follow their directions, build your own ISO, you could sell it as yourDistroLinux, the only problem is support, etc. Most companies that really have HA requirements also have the money (and need) for large full service support contracts. And if they are going to pay for it, they might as well pay RedHat (the industry standard).

          I think is would be a great OSS project, and in fact there are several like it out there. http://linux-ha.org/ (I've counted 8 "developer groups" that looked like they already had a decent HA solution).

          BTBTBT

          snoopy
      • Can you post a link to the "step-by-step instructions"? I searched RedHat's site for 5 or 10 minutes, I couldn't find it.
    • Re:RHAS again? (Score:5, Insightful)

      by Herkum01 ( 592704 ) on Thursday February 13, 2003 @11:29PM (#5299698)

      The companies plan to first push Red Hat Linux Advanced Server for a modest level of certification: Evaluation Assurance Level (EAL) 2.

      Sheesh... How much pushing does RHAS need?

      Sometimes that all a company look's at is certification levels. I have a friend that runs a software development company. They cannot get any big jobs because they lack a software process certification. It does not say that they are great programmer's or effective, it just says, "Hey we went through this process and this is the type of service that we provide."

      It is is the same thing with certain types of software. If you don't have the correct certification, certain agencies and businesses cannot even consider doing business with you. They would not go through these hoops if they don't not believe that they would get somewhere

      • Re:RHAS again? (Score:5, Informative)

        by Afrosheen ( 42464 ) on Friday February 14, 2003 @05:17AM (#5300609)
        I worked for an ISO9002 certified company before (York International) and my boss told me the crap behind the cert with ISO also. Basically companies won't do business with you if you're in manufacturing and don't have your ISO cert. The only thing ISO really requires is that your processes are fully documented in specific ways. You could build a product that doesn't fuckin' work and still be ISO certified as long as the docs are there.
      • The problem in pushing RedHat Advanced Server is that Government agencies that process classified data require an operating system be certified at a particular level (TCSEC or Common Criteria) based on the classification of data being handled on the network. The two key phrases is Discretionary Access Control and Mandatory Access Control, the difference between TCSEC C2/Common Criteria EAL4 (DAC) and TCSEC B2/Common Criteria EAL5 (MAC). Unless RedHat has added features of Security Enhanced Linux (NSA) and LinSec (which uses Mandatory Access Control), they are going to have a hard time selling it to any agency. You have to be able to audit logon/logoff events, object use and reuse amongst other things (I know this because I work on a large Government Contract and deal with security). The best they could hope for without help is EAL2, and I am actually surprised with Oracle jumping in on this since they are attempting to get Oracle 9i EAL4 certified under CC. We use RedHat Linux for our DNS servers and we are in the process of getting rid of them for Solaris machines for this very reason!
    • Re:RHAS again? (Score:4, Interesting)

      by nathanh ( 1214 ) on Friday February 14, 2003 @02:11AM (#5300149) Homepage
      Simply plugging in a $800/server/year cost into most of the TCO studies I've seen makes Windows look like a bargain.

      Huh?

      1. RHAS is free. The added professional services cost $800 but the whole CD is GPL. Read this (http://www.redhat.com/software/whichlinux.html):

      Advanced Server is sold through a one-year subscription and it does have a licensing agreement. But before you mention the "p"-word ("proprietary"), understand that the code is open and protected by the GPL license. It's not proprietary. We're licensing the services, not the software. The source code files can be downloaded by anyone, and you still have the right to use the software after the license and services expire.

      2. A Windows Cluster with SiteServer and SQL Server can cost upwards of $20,000. I don't see how this is a "bargain" compared to $800.

    • Anyone who needs EAL certifications doesn't really CARE about $800. That's still cheaper than the hardware for a serious server. And that is also list price. Can you tell me the last time you paid list price for software?
  • by mj01nir ( 153067 ) on Thursday February 13, 2003 @11:18PM (#5299641)
    "We are going to use Unix and Linux as the evaluation platforms for our products in the future, and not Windows, because the customer demand for Windows is not there," she said. "Frankly, there is a fair amount of disenchantment with Microsoft products because of security problems." ... said Mary-Ann Davidson, chief security officer for Oracle.

    Wow. I knew Larry hated Bill and MS, but I sure wouldn't have expected this! Or is he just conceding the Windows server database market to Bill and trying to grow the Linux market on the low end + the UNIX market at the higher end?

    Hmm...
    • by speeding_cat ( 631744 ) on Thursday February 13, 2003 @11:42PM (#5299743)
      "We are going to use Unix and Linux as the evaluation platforms for our products in the future, and not Windows, because the customer demand for Windows is not there," she said. "Frankly, there is a fair amount of disenchantment with Microsoft products because of security problems." ... said Mary-Ann Davidson, chief security officer for Oracle.

      Wow. I knew Larry hated Bill and MS, but I sure wouldn't have expected this! Or is he just conceding the Windows server database market to Bill and trying to grow the Linux market on the low end + the UNIX market at the higher end?


      Smart companies try to transform complementary products of other companies into commodity items. OS for Oracle nicely fits into this picture. Since they need it anyway, might as well be inexpensive Linux. Also, one more Linux system - one less Windows system that could run MSSQL instead of Oracle. The choice to support Linux is really no brainer for Larry the Nut.

      Linux port should also be relatively cheap for Oracle, since it is very much like standard Unix and Oracle tends to use basic OS facilities anyway.
    • by earlytime ( 15364 ) on Thursday February 13, 2003 @11:50PM (#5299771) Homepage
      FYI,

      larry & co have been pushing oracle on linux for years. after all, if you run oracle on a stable and cheap OS, there's more licensing and support $$$ left over for larry.

      larry's support for linux is not a big deal for sun (at least it wasn't when he started), since 99.999% of linux runs on x86, and (almost)nobody uses solaris on x86.

      larry has always hated bill. he's a simple man. he wants, power money and women(in that order), and bill is after the first two. linus is a hippie who's already married, so there's more for larry with linux.
      • by josh crawley ( 537561 ) on Friday February 14, 2003 @12:53AM (#5299947)
        Why do I keep thinking "Leisure Suit Larry" whenever you mention Larry in this post? ;-P
      • At Oracle AppWorld, one person asked Larry Ellison if Oracle plans to provide solutions to cutting edge science research such as Molecular Dymics Simulation. His answer was No, though Oracle plans to support science research in some other way (he puts a lot of money in medical research personally).

        Hearing this Q&A, I get the impression that Oracle is an enterprise software developer and they continue to be that way, but the stuff that they do is not kind of computing that requires 1024 64bit processors running simultaneously. Linux is good enough; Linux has matured enough so that it can handle enterprise software level computing, though it might not do Molecular Dynamics Simulation (yet).

        So, sure, this all makes sense. Linux does what it needs to do to run an enterprise software, and certainly cheaper than Sun UltraSparc+Solaris and IBM mainframes. One thing that Linux supposedly lacks is Label, Certificate, an official Statement that says "Linux is a good OS". Oracle wants it to push Linux to corporate gulf players because these gulf players want to see "Linux Approved" stamp. Once Oracle accomplishes it, they've got all the tools to conquer the world of Enterprise Software.
    • by Malcontent ( 40834 ) on Friday February 14, 2003 @01:09AM (#5300002)
      "Or is he just conceding the Windows server database market to Bill and trying to grow the Linux market on the low end + the UNIX market at the higher end?"

      He seems to be saying that there is no windows database server market. I think that probably is pretty correct as far as Oracle is concerned. I don't know too many people who would run oracle on windows espcially for large operations where oracle really shines. If you need oracle and can pay for it there is ZERO reason to put it on windows.
      • No doubt. Oracle really is a great product. Expensive as shit, but worth it if you need it. My previous employer ran it on Windows for some reason, but why is totally beyond me. Windows is such a secretary's OS. If MS had kept Xenix then they would be a contender, but the very fact that they dropped it years ago shows that they are clueless.

        I'm not a MS basher by nature, but rather from experience. I have endured over 10 years of crashy shitty programs that were developed for their sucky OS and I just can't deal with it anymore.

        At work, I probably know more about MS Windows than anybody else, but if anybody asks me for help I shut them down and tell them to call the IT department. I simply do not have the time or inclination to help a company which has caused me so much grief. Ask me a Linux question and I will help you all day, ask me a Windows question and I will tell you to call MS Tech support.

      • I don't know too many people who would run oracle on windows espcially for large operations where oracle really shines.

        My company runs the intranet portal on the Portal-Server, on a NT4 BOX. We have about 2000 employees.
        At the beginning, they had such huge problems, that it almost wouldn't run and they escalated the issue up to Oracle HQ (we're an important company for Oracle).
        Now, it runs more or less, but don't ask about TCO ;-)
        The reason some people run it on Windoze is, that they don't know anything else and thus have a Windozw-only infrastructure. This is OK, as long as you can pay for it....

      • He seems to be saying that there is no windows database server market.

        If that were true, then MSSQL Server would not exist, and I bet that is what you would run on a Windows box.

        Plus, unless things have changed recently, Oracle's primary OS target is Solaris, and all of the other builds are ports from the Solaris build.
        • "If that were true, then MSSQL Server would not exist"

          MSSQL server only runs on windows. It's the only database that I am aware of that only runs on one platform. People who run Oracle need big databases and for that windows is inadequate. Yes there is a market for windows databases but not if you are Larry Ellison.

          "and I bet that is what you would run on a Windows box."

          Most likely not. Interbase, Sapdb, Mysql, and Postgres all run on windows and are free and open source. If I wanted a commercial database product I could choose from informix, db/2, sybase, sql anywhere, mimer, frontbase, and openbase. Most of these cost significantly less then MS-SQL server and perform wonderfully on windows as an added bonus I could migrate to another operating system if I ever needed to.

          Honestly I don't see any real advantages to MS-SQL server. If my needs are small to modest open source products are great. If I need more power I can buy cheaper products, If I need enterprise level stuff I wouldn't use windows anyway.

    • I knew Larry hated Bill and MS, but I sure wouldn't have expected this! Or is he just conceding the Windows server database market to Bill?

      Didn't Oracle dump Windows as a strategic platform back in '95? Linux is a completely natural development path for Oracle.

  • This is what I love about open source, different companies (who are competitors in a sense) working together for the furtherment of the community. Although I would think that after all the lasest internet issues with M$ swiss cheese, the gov. would be looking at open src at least from a security standpoint.
    • Not quite... (Score:4, Interesting)

      by LordZardoz ( 155141 ) on Thursday February 13, 2003 @11:28PM (#5299691)
      They are working together to convince a potential customer that their collective product is worth buying.

      Getting the US Government to start buying Linux based solutions gives them more potential customers. I would guess that is a given that if it is certified for government use at the federal level, that it becomes a legitimate product for the state governments as well.

      Besides, how is this different from say, IBM and Sun working together to promote Java?

      END COMMUNICATION
      • I was just saying that it's a good thing there isn't fierce competition between the distros. And I'm not saying this type of thing is uncommon, just that this is another good example of a good thing.
    • I'm not really sure how they're "competitors", since they make different products. Red Hat develop Linux distros, and Oracle develop database servers. While Red Hat distros do include free database servers, big business (read "Government") is already invested in Oracle. Either company getting more business is gonna benefit the other.
  • by marko123 ( 131635 ) on Thursday February 13, 2003 @11:19PM (#5299646) Homepage
    And the world can see what the DoD are using. I'd love to submit patches to the armed forces.
  • by anto ( 41846 ) <ajw@poboxBALDWIN.com minus author> on Thursday February 13, 2003 @11:19PM (#5299647) Homepage Journal
    It is good to see that the requests for the certifications arn't coming from a vendor or the developers but the end users who will be deploying the product. You really can't get a better advertisment than that.
    Having Oracle on side will help as well, as the article mentions they have tones of experience getting their product (and thus the OS) certified. It is massivly in Oracle's interest to do so - less $'s on the OS means the purchaser can spend more on the hardware / DB.
  • Comment removed based on user account deletion
  • Again? (Score:2, Funny)

    by Niten ( 201835 )

    I think Slashdot just got certified by the Department of Redundancy Department.

  • Hypocritical? (Score:3, Insightful)

    by m00nun1t ( 588082 ) on Thursday February 13, 2003 @11:21PM (#5299660) Homepage
    Isn't this the same thing we criticised [slashdot.org] when Microsoft was certified and said that if they made it through, it must be hopelessly inadequate certification process? Now the Linux is involved, it's suddenly a good thing?

    A bit of MS bashing is fine, but this is taking it a bit far for me.
    • Re:Hypocritical? (Score:5, Informative)

      by Mandi Walls ( 6721 ) on Thursday February 13, 2003 @11:45PM (#5299756) Homepage Journal
      Ah, here we go again.

      The Common Criteria is of the fashion:

      "I have this product. I am going to tell you what it does in a security-related context. You can take this checklist, test my product, and certify that it does in fact do these things."

      There is no security implied by the certification. It is a recommendation from the vendor of what the product is best used for when the customer is shopping for products to do certain security-related tasks. The vendor makes the checklist, a third party says "yay" or "nay", the customer says "i need a product that does X, Y, and Z. Windows does X, HP-UX does X and Y, and this one all three, plus it will help my sex life". Or something similar, anyway.

      These things can be as simple as "userA cannot access userB's files" to "enforces complex passwords" to "has the biggest crazy ass firewall known to man". Well, maybe not that last one...

      Now y'all can go back to shootin' your mouths off.

      --mandi

    • Re:Hypocritical? (Score:3, Interesting)

      by Roofus ( 15591 )
      Isn't this the same thing we criticised [slashdot.org] when Microsoft was certified and ...

      Isn't this practically the same post that got modded up the first time [slashdot.org] we saw this article?
    • Re:Hypocritical? (Score:2, Interesting)

      Isn't this the same thing
      we criticised [slashdot.org] when Microsoft was certified and said that if they made it through, it must be hopelessly inadequate certification process? Now the Linux is involved, it's suddenly a good thing?

      Isn't this the same question [slashdot.org] that someone asked when the same story [slashdot.org] was posted yesterday?

      The answer remains unchanged 24 hours later. No, it's not the same certification.

      A bit of MS bashing is fine, but this is taking it a bit far for me.

      Hmmmm...duped question for a duped article from someone thinking that there's such a thing as "taking it a bit too far" when it comes to MS bashing on SlashDot.

      Dude, stop drinking that decaf stuff -- it's obviously slowing your cognitive processes down. Take two expressos and try again in the morning. (If you're lucky, this article'll be posted for the third time by then. :-)

    • > Now the Linux is involved, it's suddenly a good > thing? Exactly. ;)
    • Re:Hypocritical? (Score:5, Insightful)

      by zmooc ( 33175 ) <zmooc@zmooc.DEGASnet minus painter> on Friday February 14, 2003 @12:03AM (#5299818) Homepage
      The quality of the test doesn't matter at all - if MS passed, it could have been better. But that doesn't make it any less interesting to have Linux pass the test to show those who really (have to) use such certifications in decision-making that Linux is an option.

      People that have to make such decisions are also a lot safer by choosing certified products; if something goes terribly wrong, you can always say that the product you choose was has some "official" certification upon which you based your decision and you're pretty safe. If it goes wrong and you don't have any such paperwork to fall back on, you're definately in a much weaker position explaining why you didn't choose the "safer" product to someone that doesn't know the difference between product A and product B and only sees "product A is certified, product B isn't". It's just that maybe you and I know that Linux is often a better choice but an incredible lot of other people don't.
  • by Herkum01 ( 592704 ) on Thursday February 13, 2003 @11:21PM (#5299661)

    Sometimes it takes something that has a drastic economic impact to for people to seriously look at alternatives. Linux is gather momentum at just the right time, I believe. Everyone has financial problems, and is looking for cheaper alternatives. Linux packages are hitting that point which say "We're professional software." These sort of certifications which add reinforce to that reputation.

    Linux has a bright future ahead.

    • How are Linux packagaes hitting that point which say "We're professional software"??

      I agree that Linux, and UNIX systems, have merit and are powerful tools.

      I don't see how a certification process, which will 'certify' one binary distribution of Linux, validates Linux. It validates one binary distribution of Linux. You don't seriously believe that said certification will mean anything more than a single binary snapshot is certified, I hope.
      • I don't see how a certification process, which will 'certify' one binary distribution of Linux, validates Linux.

        Think like a marketer, and you'll get the point of all this. Remember, the folks at your local government agency who actually run the IT systems are seldom the folks who determine which systems enter the selection process.

        Politics and marketing trump technical merits, as our friends and Microsoft know so well.

        • When Linux advocates start 'thinking like a marketer' the revolution is over. It's just that plain and simple.
          • I'm not sure how using marketing to trumpet the value of Linux means that the "revolution" is over. Hasn't Red Hat been marking the crap out of Linux? Haven't VA and IBM? Would Linux be as popular, would the "revolution" have spread as far as it has without organizations out in front making decisionmakers aware of Linux?

            Marketing may be a distasteful exercise to you, but I'd be willing to bet that that without the marketing that Linux has received so far, the great explosion of Linux distros, books about Linux, software tools, Linux-optimized hardware, Linux drivers, and so on would simply not exist.

            If the "revolution" means Linux as a hobbyist's OS, or as a geeks-only OS, then you're right. The revolution IS over. But isn't the point of a revolution to bring your ideas into the mainstream?

            • The drivers would exist without 'the hype.' Because they're mostly user created, and let's face it, people who buy a shrink-wrap boxed Red Hat are not the same people who hack driver code.

              The 'great explosion of distros' could also be called 'the rising tower of babel'. So damned many distros out there. I prefer the same old Slackware I was using in 1994.

              'Books about Linux.' Hmmm. I like the O'Reilly books, and the ones I like the best aren't even specifically about Linux. They're UNIX books.

              Almost nothing I like about Linux wouldn't exist without marketing. A lot of it would probably be actually more focused and powerful without all the marketing hype and the way it distracts people off to 'oooooh pretty' features.
  • Even Micro$oft is now admitting [eweek.com] that open source has a bright future.
  • This is not a Dupe! (Score:5, Informative)

    by MrByte420 ( 554317 ) on Thursday February 13, 2003 @11:48PM (#5299760) Journal
    This is not a dupe. The story from yesterday is about how the DoD has certified RedHat server as a common operating environment. This story talks about how IBM and Oracle are attempting to get Linux certified on a wider federal level so that agencies can be permitted to use it. They are two different certifications and two different issues and hence two different stories.

    I'm always amazed by the number of clarivoyant slashdot users we have around here who don't need to read a story before posting...
  • Can someone please post a mirror of this article or a full copy of text. For some reason my employers firewalling software is barfing at news.com.com pages. Thanks!
    • here ya go:

      Red Hat and Oracle plan to announce on Thursday that the companies have teamed to get Linux evaluated under the Common Criteria, a certification that could open doors for the broader use of open-source software by government agencies.

      The effort is expected to take nine to 10 months and cost up to $1 million. But if successful, it could pay off handsomely for Red Hat and Oracle, as well as for Linux.

      "The government has been deploying Linux in smaller settings quite broadly, but it's still done by exception, by and large," said Mark De Visser, vice president of marketing for Red Hat. "What happens with these certifications is that they will push Linux into the mainstream."

      The United States government is among 14 nations that recognize the Common Criteria evaluation. A certification from one country is recognized in the others. With countries from Germany to Peru considering using open-source software, having a certified version of Linux will help break down barriers.

      The companies plan to first push Red Hat Linux Advanced Server for a modest level of certification: Evaluation Assurance Level (EAL) 2. In total, there are seven levels of certification attesting to varying grades of security, reliability and developmental process control. The highest level that a commercial software laboratory can certify is EAL 4, which Microsoft received for Windows 2000 last fall.

      The EAL level needed by a government customer depends largely on the agency and the application in which the software will be used. On Tuesday, the Department of Defense (DOD) gave Red Hat a Common Operating Environment certification, which attests to a certain level of interoperability with other operating systems.

      Oracle 9i has already been certified at EAL 4 on both Windows NT and Solaris, but has to be recertified for each operating system on which it runs. And Oracle thinks that there is a large market among government customers for the company's database running on Linux. In fact, some government clients have been clamoring for Linux, said Mary-Ann Davidson, chief security officer for Oracle.

      "One of our large DOD customers asked us if we could foster a Linux evaluation," she said. "The customers truly care about getting Linux evaluated and want Oracle running on it."

      There hasn't been much interest in running Oracle on Microsoft's Windows platform because of past security problems with Microsoft products, despite the company's major security push, Davidson said.

      "We are going to use Unix and Linux as the evaluation platforms for our products in the future, and not Windows, because the customer demand for Windows is not there," she said. "Frankly, there is a fair amount of disenchantment with Microsoft products because of security problems."

      After Red Hat earns the EAL 2 certification, Oracle plans to work toward getting its Oracle 9i Release 2 database running on the evaluated Red Hat Linux Advanced Server certified at the highest commercial rating, EAL 4. Oracle currently ships Oracle 9i Release 2 on Red Hat Linux Advanced Server as part of its Unbreakable campaign.

      The final goal for both companies is to have both Red Hat's software and Oracle's software certified under the Common Criteria at EAL 4.

      Oracle has tackled the process 15 times on a variety of operating systems.

      The Common Criteria, an international standard administered by the National Institute of Standards and Technology in the United States, grades products based not only on their security and reliability, but also on the development and support processes that ensure quick responses to problems.

      Other nations that have signed the Arrangement on the Mutual Recognition of Common Criteria Certificates in the Field of IT Security are Canada, France, Germany, the United Kingdom, Australia, New Zealand, Italy, Spain, the Netherlands, Norway, Finland, Greece and Israel.

      The benefits of Common Criteria certification for Red Hat's Linux products should trickled down to the rest of the Linux community as well, said Dave Dargo, vice president of Oracle's Linux program office.

      "The benefits of this evaluation extend beyond Red Hat in the long term," Dargo said, adding that the enterprise-level changes Red Hat and Oracle have made to the Linux kernel have made their way into Linux 2.5, the newest version of the kernel under development.

      Moreover, the evaluation process, while expensive, should result in a more secure version of Linux being generally available, added Davidson.

      "Fixing a major security hole costs a lot," she said. "And while certification won't prevent those holes, it helps to have a stricter development process. Finding one security hole that you otherwise would have missed, easily pays for evaluation."
  • by Anonymous Coward
    drm is an important [dlib.org] technology that will save the world from Communism and crackers. The DOD needs security and according to world software maker Microsoft, drm is needed to provide better multimedia and security.

    Someone please think about our children.

  • Is there any reason why RH needs to be government-certified? If M$ is gov-cert, what does this say about RH and Oracle?
    • Because being government certified means that they are eligible for use on government systems. Which equals money. 1. Build a distro. 2. Get certified. 3. ... 4. Profit!
    • Because most big organisations don't trust anything that is open source or related to it. Sometimes they won't even consider open source as an alternative. This kind of certification can take away much of their "objections", and at least can be an argument for considering RH as an alternative for Windows.
      • Wow...so people actually prefer a closed-source, less-secure OS over one that is open-source and significantly more secure? Hmm...something doesn't seem to be working out correctly here...
    • NSTISSP #11 and its various interpretations requires those of us working in much of US Gov IT to use either CC certified or FIPS products and we need more things in our toolkits other than MS 2000 or Solaris. There are tons of software and hardware items we cannot use because they are not certified.
  • Red Hat and Oracle plan to announce on Thursday that the companies have teamed to get Linux evaluated under the Common Criteria, a certification that could open doors for the broader use of open-source software by government agencies.

    The effort is expected to take nine to 10 months and cost up to $1 million. But if successful, it could pay off handsomely for Red Hat and Oracle, as well as for Linux.

    "The government has been deploying Linux in smaller settings quite broadly, but it's still done by exception, by and large," said Mark De Visser, vice president of marketing for Red Hat. "What happens with these certifications is that they will push Linux into the mainstream."

    The United States government is among 14 nations that recognize the Common Criteria evaluation. A certification from one country is recognized in the others. With countries from Germany to Peru considering using open-source software, having a certified version of Linux will help break down barriers.

    The companies plan to first push Red Hat Linux Advanced Server for a modest level of certification: Evaluation Assurance Level (EAL) 2. In total, there are seven levels of certification attesting to varying grades of security, reliability and developmental process control. The highest level that a commercial software laboratory can certify is EAL 4, which Microsoft received for Windows 2000 last fall.

    The EAL level needed by a government customer depends largely on the agency and the application in which the software will be used. On Tuesday, the Department of Defense (DOD) gave Red Hat a Common Operating Environment certification, which attests to a certain level of interoperability with other operating systems.

    Oracle 9i has already been certified at EAL 4 on both Windows NT and Solaris, but has to be recertified for each operating system on which it runs. And Oracle thinks that there is a large market among government customers for the company's database running on Linux. In fact, some government clients have been clamoring for Linux, said Mary-Ann Davidson, chief security officer for Oracle.

    "One of our large DOD customers asked us if we could foster a Linux evaluation," she said. "The customers truly care about getting Linux evaluated and want Oracle running on it."

    There hasn't been much interest in running Oracle on Microsoft's Windows platform because of past security problems with Microsoft products, despite the company's major security push, Davidson said.

    "We are going to use Unix and Linux as the evaluation platforms for our products in the future, and not Windows, because the customer demand for Windows is not there," she said. "Frankly, there is a fair amount of disenchantment with Microsoft products because of security problems."

    After Red Hat earns the EAL 2 certification, Oracle plans to work toward getting its Oracle 9i Release 2 database running on the evaluated Red Hat Linux Advanced Server certified at the highest commercial rating, EAL 4. Oracle currently ships Oracle 9i Release 2 on Red Hat Linux Advanced Server as part of its Unbreakable campaign.

    The final goal for both companies is to have both Red Hat's software and Oracle's software certified under the Common Criteria at EAL 4.

    Oracle has tackled the process 15 times on a variety of operating systems.

    The Common Criteria, an international standard administered by the National Institute of Standards and Technology in the United States, grades products based not only on their security and reliability, but also on the development and support processes that ensure quick responses to problems.

    Other nations that have signed the Arrangement on the Mutual Recognition of Common Criteria Certificates in the Field of IT Security are Canada, France, Germany, the United Kingdom, Australia, New Zealand, Italy, Spain, the Netherlands, Norway, Finland, Greece and Israel.

    The benefits of Common Criteria certification for Red Hat's Linux products should trickled down to the rest of the Linux community as well, said Dave Dargo, vice president of Oracle's Linux program office.

    "The benefits of this evaluation extend beyond Red Hat in the long term," Dargo said, adding that the enterprise-level changes Red Hat and Oracle have made to the Linux kernel have made their way into Linux 2.5, the newest version of the kernel under development.

    Moreover, the evaluation process, while expensive, should result in a more secure version of Linux being generally available, added Davidson.

    "Fixing a major security hole costs a lot," she said. "And while certification won't prevent those holes, it helps to have a stricter development process. Finding one security hole that you otherwise would have missed, easily pays for evaluation."
  • Windows is certified at EAL4 [jhu.edu], and that doesn't provide much assurance of security. The article says RH and Oracle are working on EAL2, which is much weaker.

    (Why does Common Criteria start to remind me of Dilbert strips about ISO 9000?)
  • I just read , maybe 4 days ago, that they had it. The army uses it pretty extensively too, and has been for quite some time.
  • Well... (Score:2, Interesting)

    by ackthpt ( 218170 )
    the companies have teamed to get Linux evaluated under the Common Criteria

    If Outlook, SQL Server, IIS or any other Microsoft product which has been riddled with holes have been certified, I'd say this isn't much of an endorsement. If Microsoft hasn't achieved any such ceritification, for products listed above, than you have a point about it opening doors.

    For good and for bad (for Microsoft in particular) they are the benchmark for software as a commodity. Expect some writhing in the vicinity of Redmond.

  • Encouraging step. (Score:4, Interesting)

    by dwheeler ( 321049 ) on Friday February 14, 2003 @12:52AM (#5299943) Homepage Journal
    I take this as an encouraging step, especially since they note that the final goal is to certify both Oracle and the underlying GNU/Linux system at EAL 4. This sort of thing makes it much easier to deploy GNU/Linux widely in governments; it will be much easier for governments to base operating system acquisition decisions based on factors like functionality, cost, flexibility, and lock-in.

    The article is very short on details, though. Starting small (EAL 2) is probably a good idea - especially since I know of no open source software / Free Software that's gone through a full, normal Common Criteria evaluation (so it would be a first test case). EAL 4 only measures the evaluation effort - it doesn't specify what security functions will be evaluated (nor what threats, assumptions, organizational security policies, configuration, etc. will be used). Hopefully Oracle and Red Hat will include security functions based on a widely-accepted "Protection Profile" (a document that specifies what the users want, including the threats to be countered and the security functions that need to be provided). Currently, the U.S. DoD strongly encourages only purchasing products that have been evaluated to meet not just an EAL level, but meet a "government-approved" PP.

    Evaluations are specific to a particular configuration, so this would mean that those who need the evaluated version would need to get the Red Hat distribution named here - not the inexpensive version used by many. That's a side-effect worth noting.

  • Why complain about the $800/yr/liscense? Do you realize that the government has to spend so much money on businesses to also help the economy out? Besides most of the people making the money/OS decision don't get to involved with computers, and I'm sure they have a stipulation of "free software" not being so secure, besides you can't blame anyone if you use it ;-) . Atop of that I'm sure RH could probably charge less to nothing for this BUT I look at it more as a weeding out process. Think about it, if you streamline your customer base, you narrow down the people you have to build for, because of the price, not too many businesses or people will buy for the heck of it. You should see the type of contracts the government get bought into by some lobbyists or committee members, I'm glad that the money is going to Red Hat!
  • by frozencesium ( 591780 ) on Friday February 14, 2003 @01:24AM (#5300047) Journal
    um, the NSA has already modified linux (the kernel) so that it will meet their standards. redhat is named as a tested distro...see this [nsa.gov] for details. The biggest problem is that the US government seems to think that they must rely on M$ software (in the unclassified environment at least) for things like exchange and ease of use for the "typical" user.

    this is simple posturing at it's finest. of course...the government's high performance systems (read clusters) aren't running windows anyway. this won't change anything.

    -frozen
  • Where is PostgreSQL? (Score:3, Interesting)

    by axxackall ( 579006 ) on Friday February 14, 2003 @06:51AM (#5300834) Homepage Journal
    Why Oracle? What's happened to so-called RedHat Database? RedHat Database was actually PostgreSQL, just renamed for marketing purposes. What's happened to it? Was it dropped by RedHat? Or now RedHat Database is Oracle, just renamed for marketing purpuses? Or should we soon expect Oracle Linux - RedHat Linux just renamed for marketing purposes?

    Many questions, no answers.

    • Postgres is a nifty mid-weight database. Oracle has many more of the features to scale (think parallelism and other features), be safe (various backup mechanisms) and be secure. Granted, no software achieves the secure part perfectly, Oracle is making leaps and bounsd in the DB sector where mysql and postgresql are slowly following.

      Postgres has its uses. Hell, Berkley DB has its uses. I think that in terms of Gov't, support contracts, extreme usage, Oracle and RedHat have come a long way. I'm not surprised that Postgresql isn't being pushed.
    • Simple: Oracle is a recognized database engine with a long track record and a boatload of experienced developers.

      It would be like trying to market "EvilTwinSkippy Brand(tm)" cars instead of Daimler Benz.

      • I have no problem with Oracle as long as they agree to make it open source under a BSD license.

        Otherwise, Why is this such great news?
        • Well because open source or not, there are a ton of VERY expensive and extensive database projects written for Oracle, ESPECIALLY for government.

          Have Oracle (again open source or no) means that you can tell a PHB that the software you already have will run under Linux, and if that wasn't enought, it is CERTIFIED.

  • "The Common Criteria, ..., grades products based not only on their security and reliability, but also on the development and support processes that ensure quick responses to problems."
    Does that mean that the US Gov. will be officially saying that the Kernel development model is OK ?
  • This has to do with the way the VM is saved. We have tried very hard to get a true CC Linux for our contracts but the "Secure" OS needs the following:

    A page of memory when freed must be cleared. This includes Virtual memory saved to disk or even laying around in memory.

    Linux current does not have this. Sorry folks.

    Because I like you guys, here is Alan Cox's response to an email concerning this very issue:

    -------------
    > 1. When a process removes itself/crashes: is the memory blocks zeroed out
    > and then free'd, or does the data still remain in memory just marked free?

    It remains in memory, but it will be cleared before being given to another
    process if it was private memory. Much of a process of course is shared
    pages in read only format (eg the binary). These pages are simply shared
    and reused. If a process wrote to a copy of such a page it got a private
    copy which will not be given back to someone else.

    > 2. When swapping to disk and you read the block into memory and clean it
    > (Zero it out), does the block on disk get immediatly updated or is it just
    > marked "free" and still has the data on disk?

    Linux like most OS's does a lazy rewrite when swapping. When you
    swap something back into memory it is left on disk as if we have to swap
    it out again it saves writing it back to disk once more. Again when we
    allocate new memory to a process we erase the data so a new task always
    sees empty disk blocks and empty memory (subject to there being no bugs
    as is always the case).

    The disk case is more complex. There are situations that ext2/ext3 like the
    BSD UFS may expose data after a crash/restart. The ext3 file system supports
    a slightly slower performing mode that guarantees this won't happen.

    Alan Cox
    ---------------

    What does this mean? It means Linux needs a lot of work before it has CC.

    LordMage - Working to better yourself.
    • What if you had a compatible with Linux OS that was EAL5+ CC targeted and in evaluation?

      Such a thing does exist. See http://www.entrust.com/entrustcygnacom/labs/pfSEL0 181xts400.htm
    • You said that "We have tried very hard to get a true CC Linux for our contracts but the "Secure" OS needs the following: A page of memory when freed must be cleared. This includes Virtual memory saved to disk or even laying around in memory." But that's not true in general, and indeed, even those who require clearing generally only require it before or when it's allocated - which is what GNU/Linux provides.

      First, a few clarifications about the CC itself. The CC lets users pick the requirements that they want, and vendors to state the requirements they happen to meet. The CC by itself doesn't require you to have this particular requirement. Instead, what's happening is that the CC defines a standard set of security requirements, and users are supposed to then identify the requirements they believe they need (using something called a "Protection Profile" (PP)). Then vendors can show whether or not they meet them. Now, it may be true that your customers are imposing this requirement for their needs, but that's different than claiming anything general about the CC.

      More specifically, I suspect you're talking about the CC requirements in FDP_RIP (Residual Information Protection). But the CC is like a Chinese Menu; whether or not users want it is determined by users, and whether or not a vendor provides it (and someone is willing to pay to evaluate the function) is another. And in the CC, even if you select FDP_RIP as a requirement, there's a choice about WHEN you erase information (it may be set by the user, or stated by the vendor).

      For example, the Controlled Access Protection Profile (CAPP) [ncsc.mil] corresponds more-or-less to the old "Orange Book" C2 level. There are other PPs that apply to operating systems, too. But the CAPP was used to evaluate other operating systems, so it's fair to use it as an example. The CAPP does select the CC function FDP_RIP.2, "Object Residual Information Protection" requirement, so users who are requiring CAPP will require it. But its text simply says that "The TSF shall ensure that any previous information content of a resource is made unavailable upon the allocation of the resource to all objects." There's a clarifying note in the CAPP that "Clearing the information content of resources on deallocation from objects is sufficient to satisfy this requirement, if unallocated resources will not accumulate new information until they are allocated again." It also includes a similar "Subject Residual Information Protection" requirement, stating that "The TSF shall ensure that any previous information content of a resource is made unavailable upon the allocation of the resource to all subjects." See CAPP sections 5.2.3 and 5.2.4.

      (Oh, a few quick definitions first for those who don't know. Oversimplifying things, think of "subject" as Linux thread/process, and "object" as data such as filesystem objects, network packets, or memory. A "TOE" is the Target of Evaluation (think "this particular version of GNU/Linux configured a particular way"), and a "TSF" is the TOE security functions (it's the subset of the system responsible for security, including the Linux kernel, processes that run as root, and setuid root programs). Go look at the CC for more official definitions; I'm just trying to give the jist.)

      In the CC, users can determine if they want to require clearing data when it's deallocated, or when it's allocated. It appears that the CAPP (and probably many other PPs) only require it by the time it's allocated (the clarifying text hopefully makes it clear that you can clear it earlier, as long as you don't seep data back into it later).

      Thus, even if you mean CC requirements like FDP_RIP.2, it appears that GNU/Linux may meet it as long as the PP specifies that it's just when it's allocated - a common user choice. There's no requirement in the CAPP that the erasure happen when the object/subject is freed - merely that the erasure happen some time before it's reused.

      Alan Cox's response actually sounds like evidence that GNU/Linux might meet this requirement! Pages are cleared before being handed to another process - that handles one issue. Disk blocks are retrieved as empty disk blocks. And, for crashing, there's a slower mode that would probably be required for use in a secured situation - but that's okay, you just specify that for this kind of use, you have to turn on that configuration option.

      There is a known bug in older Linux kernels - many network drivers don't clear out their data, so you can get some information leakage via network packets. That's already been patched (I forget when). It's worth noting that many other operating systems over the years have had that problem too, it's a standard thing to look for in an evaluation.

      Of course, intentions are great, but the real test is if it really happens. An evaluation would look over the evidence to determine if it's reasonable to believe that all residual information really is getting cleared. How much effort would be expended to do this examination depends on the EAL level.

  • This is great, if i get some money then I will create a team to secure a slackware based system, make a distribution of it and get it to pass this test. Im sure its possible.
  • I remember something like. . .
    1. Oracle says, people are upset at Windows' instability, say they are coming out with Oracle on Linux.
    2. Linux businesses rub their hands together, tool up, and start selling
    3. Larry Ellison says in some sort of press conferance that you'd be nuts to run Oracle on Linux (or words to that effect)
    4. VA Linux, which apparently had been telling customers that it was a good idea, gets miffed
    5. (Customers panic?)
    6. VA Linux isn't selling systems any more
    7. Oracle says, customers are upset at Windows' insecurity, promote running on Linux
    What did I miss?

"An idealist is one who, on noticing that a rose smells better than a cabbage, concludes that it will also make better soup." - H.L. Mencken

Working...