1998-11-02 - NOT the Orange Book

Header Data

From: John Young <jya@pipeline.com>
To: cypherpunks@toad.com
Message Hash: da21ab99bf7c4dd97e0c3c55d2d893acc189a70bb80dae6f89b682ae74f95be5
Message ID: <199811020104.UAA18004@camel8.mindspring.com>
Reply To: N/A
UTC Datetime: 1998-11-02 01:52:15 UTC
Raw Date: Mon, 2 Nov 1998 09:52:15 +0800

Raw message

From: John Young <jya@pipeline.com>
Date: Mon, 2 Nov 1998 09:52:15 +0800
To: cypherpunks@toad.com
Subject: NOT the Orange Book
Message-ID: <199811020104.UAA18004@camel8.mindspring.com>
MIME-Version: 1.0
Content-Type: text/plain

Paul Merrill, the author of "NOT the Orange Book," has
provided a digital version of his "Guide to the Definition, 
Specification, Tasking, and Documentation for the 
Development of Secure Computer Systems -- Including 
Condensations of the Members of the Rainbow Series 
and Related Documents:" 

   http://jya.com/ntob.htm  (385K)

   http://jya.com/ntob.zip  (92K)

This is Paul's 1992 manual prepared while working for 
DoD to evaluate and purchase secure computer systems,
for ADP, C4I and weapons, and to compensate for the 
shortcomings of the official regulations. 

It's still widely used, Paul says, for the unending conflict 
between DoD, NSA, DIA and defense contractors about
how to develop and assure computer security from lab rat
pipedream to the warfighter's "wha's this piece of shit."

Section IV, Case Studies, is a wonder at describing what
to do when perfect design goes to hell in the field, and a 
pissed warrior who's comm's been compromised got a 
K-Bar sawing your apple, roaring "tech support, now!"