Vulnerability Development mailing list archives

Re: Win2K Local DoS?


From: "Timothy J. Miller" <cerebus () SACKHEADS ORG>
Date: Wed, 9 Aug 2000 13:32:19 -0500

bfiero () BINARY MENTALFLOSS NET writes:

The system specified for testing was not on a network. As soon as
you hook a M$ box to a network, all security certifications are
invalid. NT, and now Win2k, are and never will be network worthy
systems.

That was true previously (NT351), but the latest C2 certification
(NT4, SP6a, C2 pack, finished Nov 99) was actually specified as being
on a network.  I haven't read the NCSC FER yet (they tend to be
rather dry) so I'm not familiar with the particulars.

And to be pedantic, once you install on *any other platform than the
evaluated one* you invalidate the rating.  Oh, and don't update any
drivers either.  A C2 rating is a combination of hardware and
software, a fact usually glossed over by most vendors.

Of course, Win2K will be evaluated against Common Criteria, not the
Rainbow books, should it ever get that far.  But since it makes
extensive use of RC4 which isn't on the FIPS algorithm list, used in
the DoD is *supposed* to be moot...

In other words, none of it means anything.  Not a bit.  Not in any
practical sense.
