Secureware response to C2 issue

Ken Seefried iii ken at dali.cc.gatech.edu
Sat Mar 16 02:10:20 AEST 1991


------

This is a response to a chain of articles critical of Secureware, and
comes from Secureware's CEO, Michael McChesney.  I would like to note
that Secureware has not been `quiet' on this discussion because of
unethical behavior.  Secureware has been quiet because we do not get
news.  There are two or three Secureware employees who read news
through other means, and have kept the company apprised of net
discussions that relate to us.  In the past, we have avoided involving
ourselves in threads critical of us, but in this case feel that
accusations have been made that warrant an official reply.

------

In response to John F Haugh II's recent diatribe about various 
security issues:

As Mr. Haugh points out, the issue of whether or not the "auth" or 
"sysadmin" accounts introduced in our C2-targeted product marketed 
as an OEM technology under the name "SMP" properly enforces the 
Least Privilege concept misses a critical point:  that is that Least 
Privilege is not a requirement at the C2 class of trust.  SecureWare 
has never claimed that the SMP enforces Least Privilege.  

We agree  that the breaking up of roles into "auth" and "sysadmin" 
offers only a marginal gain in overall system security since a 
malicious user with access to either or both accounts can do great 
damage to a system.  These role programs were added to the SMP 
product because several large government procurements specified 
just this functionality.  Some of our OEM customers have appreciated 
the opportunity to win these large procurements.

Anyone interested in SecureWare's approach to enforcing Least 
Privilege should review our CMW+ product, which is built upon the 
SMP technology base, but includes higher level security features, 
including Least Privilege.

What I do not understand are Mr. Haugh's accusations that 
SecureWare is obfuscating the difference between systems that have 
been "rated" by the NCSC and those that are targeted at a class of 
trust, and that SecureWare is "=unethical=" because we do not 
participate as actively as Mr. Haugh would like in the net traffic.  

Speaking to the first accusation:  SecureWare has always tried very 
hard to not fall into the habit of referring to "our C2 product" or "our 
B1 product", but to rather use the terminology suggested by the NCSC 
and refer to our products as "C2-targeted", "B1-targeted", etc.  
Despite our advice to the contrary, however, several of our OEM 
customers have fallen into this trap (although I do not believe any of 
them have done this intentionally).  In any case, I do not believe Mr. 
Haugh should be too put out by these lapses since the SecureWare 
technology has indeed been successfully "rated" by the NCSC at the 
B1 class of trust.  In fact, although the Least Privilege mechanism of 
our CMW+ product is not required by the Orange Book until the B2 
level, it has also been successfully accredited by the Defense 
Intelligence Agency against the Compartmented Mode Workstation 
requirements.

As to the second accusation:  I do not consider it "=unethical=" to 
occasionally ignore discussions on the net.  Sometimes taking care of 
our business commitments comes first.  I do, however, find it 
"=rude=" and "=irresponsible=" to make such uninformed accusations 
in a public forum.  If Mr. Haugh is actually interested in learning 
about our products and/or contributing constructive ideas to our 
development team, my number is 404-876-4840, ext. 13.

Michael McChesney
Chief Executive Officer
SecureWare, Inc.
--
	 ken seefried iii	ken at dali.cc.gatech.edu

	"If 'ya can't be with the one you love, 
		   honey, love the one you're with..."
