1998-11-02 - Re: NOT the Orange Book

Header Data

From: "Paul H. Merrill" <PHM@sprynet.com>
To: John Young <jya@pipeline.com>
Message Hash: 23028843f8d5eba1ac382122e8e7ef6b788346153911f4cce4123e51559995e3
Message ID: <363D3654.AA1AF05E@sprynet.com>
Reply To: <199811020104.UAA18004@camel8.mindspring.com>
UTC Datetime: 1998-11-02 02:13:33 UTC
Raw Date: Mon, 2 Nov 1998 10:13:33 +0800

Raw message

From: "Paul H. Merrill" <PHM@sprynet.com>
Date: Mon, 2 Nov 1998 10:13:33 +0800
To: John Young <jya@pipeline.com>
Subject: Re: NOT the Orange Book
In-Reply-To: <199811020104.UAA18004@camel8.mindspring.com>
Message-ID: <363D3654.AA1AF05E@sprynet.com>
MIME-Version: 1.0
Content-Type: text/plain

While I perhaps would not have phrased things in quite the same colorful
manner, John Young's commentary here is substantially correct.  The
intent however was to help the developers develop systems that would
preclude the need for K-Bars.


John Young wrote:
> Paul Merrill, the author of "NOT the Orange Book," has
> provided a digital version of his "Guide to the Definition,
> Specification, Tasking, and Documentation for the
> Development of Secure Computer Systems -- Including
> Condensations of the Members of the Rainbow Series
> and Related Documents:"
>    http://jya.com/ntob.htm  (385K)
> Zipped:
>    http://jya.com/ntob.zip  (92K)
> This is Paul's 1992 manual prepared while working for
> DoD to evaluate and purchase secure computer systems,
> for ADP, C4I and weapons, and to compensate for the
> shortcomings of the official regulations.
> It's still widely used, Paul says, for the unending conflict
> between DoD, NSA, DIA and defense contractors about
> how to develop and assure computer security from lab rat
> pipedream to the warfighter's "wha's this piece of shit."
> Section IV, Case Studies, is a wonder at describing what
> to do when perfect design goes to hell in the field, and a
> pissed warrior who's comm's been compromised got a
> K-Bar sawing your apple, roaring "tech support, now!"