
Re: OpenBSD and C2 certification



Hi Vikram,

On Sat, 4 Dec 1999, Vikram Kulkarni wrote:

> > Consider the fact that C2 compliance means no network connection and no
> > floppy drive and I think you'll be able to draw a reasonable conclusion by
> > yourself... ;-)
> 
> No it doesn't... read below from NTBugTraq:

Oh dear.  I guess I'm a little out of date here...

> - - Server operating as a primary domain controller
[..other 5 snipped..]

Is it just me or does this seem more than a little strange?  

What kind of security certification can validate a networking
implementation (i.e. SMB) that passes around password "hashes" on the wire
that can easily be sniffed and reused?  Or does the C2 update "fix" this?

I guess I'll have to go dig up the C2 compliance specification from
somewhere.  I'll get back in my box now - I don't want to sully a nice,
decent, family-oriented OpenBSD list with too much talk of NT... 

Thanks for the info.

Adrian Close					email: 	adrian_(_at_)_esec_(_dot_)_com_(_dot_)_au
Network Architect	  			phone:	+61 3 8341 2400
eSec Ltd					fax:	+61 3 8341 2499
P.O. Box 302, Carlton, VIC, 3053, Australia	web:  http://www.esec.com.au



