From: David Loysen <dwl@hnc.com>
Date: Fri, 22 Mar 1996 05:49:23 +0800
To: cypherpunks@toad.com
Subject: Re: NT's C2 rating
Message-ID: <199603211813.KAA15750@spike.hnc.com>
MIME-Version: 1.0
Content-Type: text/plain


At 04:53 AM 3/21/96 -0800, you wrote:
>> Basically, I'm now questioning the C2 rating of Windows NT.  The 
>> entire security layer is  modular to the Kernel.  As a modular 
>> driver, it can be removed, rewritten, and replaced.   
>
>Good questioning.
> 
>> So, what makes it secure?  What gives it the C2 Rating?  How would 
>> one go about getting a C2 rating?
>
>The fine print says its insecure as soon as its connected to a network. 

Ain't nothing fine about that print. An operating system or piece of
hardware may be C2 certifiable. But only a complete system in a specific
configuration can be certified as C2 compliant. The way I read the orange
book, no system with a network connection can ever be C2. For that matter a
system can't get C2 unless it is in an area where you can control and
monitor physical access to the system.

So if you can't hack it over the wire, and you can't remove, rewrite and
replace the kernel because you can't get near the keyboard what's the problem?

dwl@hnc.com		
David Loysen		
619-546-8877 x245