I thought about developing a community based open (CC0 licensed) hardening standard and tool which allows giving more details about the system to be hardened to cover even more hardening options. I'm working as an Information Security Auditor and most companies I have audited are using CIS standards for this. While they are free, they are proprietary and you are not allowed to build products on top of these standards. Additionally these standards are relatively generic and I don't know anybody who knows the decision process on their standards. Also, the Windows standards doesn't even recommend using Windows application allowlisting functionalities such as AppLocker or WDAC.
I've tested Qubes OS for about half a year as a primary OS and ended up switching to another OS. The concept and ideas behind it are great, but battery management and support of my Thunderbolt dock was awful. I switched to Fedora and with regards to graphics it's even more buggy.
It's a matter of whether someone is using HN as intended or not (as far as we can tell). For accounts that repeatedly go against the intended use of the site, we don't have much choice but to ban them, or else the site won't survive for its purpose. We do warn them first, often quite a few times and over a long period before banning—it depends on how much history the account has here. For accounts without much history, we sometimes ban straightaway, if the violation is egregious.
That doesn't seem excessively authoritarian to me and I don't see how we could do it differently without giving up on the site's mandate, which is not an option.
You're certainly welcome to disagree. I'd never claim we get all of this right; but we still have to moderate the site, decide which accounts to ban and when, which comments to mod-reply to, and so on. It's better to have some principles for this than not, and it's better to explain what they are than not. Then (at least some) people (hopefully) won't be (as) surprised if they get moderated or banned.
EAL is not a measure of security but a measure of the depth of analysis. Looking at the complexity of monolithic-kernel-based operating systems, I don't much can be derived from certifications with an EAL < 5.
Evaluated assurance levels (EAL) are a bundle of security assurance requirements (SAR) that reasonably trace to varying levels of assurance that the target of evaluation (TOE) enforces the Security Functional Requirements (SFR) of the product. One of the core SARs being AVA (vulnerability assessment) which evaluates resistance to penetration attackers and the presence of vulnerabilities. It is only at EAL5 that you are required to demonstrate AVA_VAN.4 which is resistance to penetration attackers with a moderate attack potential.
What we derive from companies only able to achieve EAL < 5 is that their systems are not designed, nor capable of protecting against moderate attackers. This has been borne out by decades of experience where the security properties of these systems have been routinely defeated by attackers with moderate or lower attack potential. The certification process is both effective and accurate at identifying that these consumer operating systems are inadequate against attackers of moderate ability as an upper bound.
We further know from decades of experience that any system that attempts EAL5 certification and then fails has structural deficiencies that make it practically impossible for any configuration to ever be certified without a total redesign. As far as I know, nobody has ever achieved that despite decades of attempts and billions of dollars spent attempting to retrofit inherently insecure designs such as Windows, Linux, or macOS.
So, what we know is that macOS, iOS, Linux, Windows, BSDs, etc. are structurally insecure against moderate attacks such as those employed by commercial hackers and organized crime, let alone state-level actors, and that it is hopeless for them to ever be improved to reach such a level. Anything less than EAL5 is inadequate for the modern threat landscape of established commercial hackers and state actors as experienced by consumers, businesses, and governments. Therefore, the systems currently deployed are universally unfit for their usage in these connected systems and we have the certifications and continuous examples to prove it.
How do you define "penetration attackers with a moderate attack potential"?
No EAL>4 certification does not imply that something is insecure.
Judging something as "insecure" or "structurally insecure" is highly opinionated. Not everyone has the same tolerance of risk. For most users the common operating system is secure enough. Besides that security is not only depending on the kernel. Smartphone operating systems which are based on Linux practically provide more security through app isolation than most desktop-oriented Linux-based distributions.
Besides that a CC certification does not necessary certify the product as a whole which finally means you cannot even derive a state of security statement for the end user.
Another example was the genugate firewall which has been certified on EAL4+ (including ALC_FLR.2, ALC_PAM.1, ASE_TSS.2, AVA_VAN.5), so in the end it was certified against attack with a high attack potential. Yet, the product was vulnerable to a simple authentication bypass of the management interface resulting in a CVSS score of 9.8:
https://nvd.nist.gov/vuln/detail/CVE-2021-27215
“Moderate potential” is defined in the standard [1]. As we are generally discussing blackbox attacks on publicly accessible remote endpoints, basically the only relevant factors are “Elapsed Time”, “Expertise”. So, a “moderate attack potential” is: expert proficiency attacking team over four months. A “high attack potential” is expert proficiency attacking team over six months.
I know, the standard is embarrassingly low by modern attack standards. It really should be much stricter these days, but even at these embarrassingly low levels the standard commercial vendors such as Apple can not achieve them.
No, my statement on structural insecurity is quite objective. I said they are structurally insecure against commercial hackers and organized crime. That is a statement relative to a threat model and can be objectively verified.
Our objective verification is that their security properties get routinely invalidated by such attackers thousands of times a year. You would be hard pressed to find a professional hacker who would say something like: “Oh no, they are using a Mac, my plans are foiled.”
Commercial hackers and organized crime are expected threat actors. If you are running a commercial enterprise, you will be attacked by commercial hackers these days. If your systems are useless against them, then your security is objectively inadequate for your use case. Using systems certified to be inadequate for your use case is just engineering malpractice.
Yes, a Common Criteria certification does not mean the entire product is certified in much the same way that a nail certification does not mean your airplane is certified. You need to certify the entire product for the entire product to be certified. That should be obvious.
I do not know why you bring up uncertified composed products having problems in uncertified components. Yes, those components suck, we already know that. That in no way supports using composed products consisting entirely of inadequate components.
You seem to be confused about how you should use a Common Criteria certification to evaluate a product. EAL5 does not mean you are guaranteed to be protected against moderate attackers. It just provides some reasonable confidence that might be the case. What it really tells you is that you should have minimal or no confidence in systems not certified (or even worse failed certification) to EAL5.
A AVA_VAN.5 component might be vulnerable to moderate attacks. But a component that failed certification to AVA_VAN.3 is certainly vulnerable to moderate attacks.
The genugate firewall is EAL4. I do not see how this bolsters your point. There is a reason why we use EAL instead of just reporting the AVA_VAN requirement.
I do not have any particular insights into their product or that vulnerability. It is certainly possible they were over certified.
Looking at the PoC, it seems to indicate a administrator login authentication bypass. In the genugate firewall TOE [2] it indicates that the administrator network is assumed to be isolated and trusted. If an administrator login page is only meant to be accessible from the administrator network then the CVE would be out of scope of their certification. Though the CVE indicates other logins that might be affected, so I can not speculate any further. Certainly could be over-certified. But again, certification does not mean confidently secure, it is non-certification which means confidently insecure.
Yeah, uhh, having seen some of the hearings in recent state legislatures regarding abortion, that’s some flawed thinking. Lawmakers are intentionally vague throughout the entire process sometimes.
Regarding to the struct packing:
That's why I love Ada, there are so called representation clauses which can define the size of struct-alike types called records. In C you have to rely on compiler options or features like __attribute__ which are not compliant to the ISO C standard. It looks like there is a ISO-C compliant version for that since C11 but it just doesn't look nice and like a first class citizen of the language.
