Dailydave mailing list archives

Re: Media Excitement!


From: pageexec () freemail hu
Date: Sat, 23 Apr 2005 03:02:18 +0100

On 22 Apr 2005 at 10:09, robert () dyadsecurity com wrote:
> The goal here wasn't to say "This one is more secure than that one".
> It's to say "We have this level of sensitivity and require these
> particular security mechanisms, and need this assurance level as to the
> effectiveness of the security mechanisms".  Basically, choose the right
> technology for your environment.

i understood this much ;-), the real question is, which of the solutions
in the mentioned URL gives *appropriate assurance* against exploitation
(remember the original question about alternatives to patching)? based
on my experience and instinct, none of them does (EAL 4 is little more
than a joke), but i'd like to be *proven* wrong.

>> side question, which one of those didn't have security patches since
>> their evaluation?
>
> I believe every product listed has had patches since their evaluation.
> As I pointed out though in an earlier post, the containment of the
> compromise, or rather the inherent ability to limit intrusion should
> be designed into the TCB, not bolted on afterwards.

does any of the mentioned products at that URL contain a compromise
(thinking of kernel bugs)? or to be more precise, does any real-life
policy (since any deployed MAC system implements one) exclude the
compromise of the TCB? if not (which would match my experience), then
what's the real point (of getting certified at EAL<7)?
