From: BMM <bmm@minder.net>
Date: Sun, 15 Nov 1998 15:55:07 +0800
To: "Paul H. Merrill" <PaulMerrill@acm.org>
Subject: Re: rainbow series
In-Reply-To: <364E789E.850EA9CD@ACM.Org>
Message-ID: <Pine.LNX.3.96.981115022427.24394A-100000@waste.minder.net>
MIME-Version: 1.0
Content-Type: text/plain



Amen.  In my experience, no network I've _ever_ been associated with
(private, public, miltary, or whatever) has ever proactively pursued a
security model.  Security has always been defined as preventing a
well-defined (and well-experienced) exploit from being repeatedly used.

Rainbow series, feh!  Even the folks who should know better call NT4 C2
compliant.  CYA is the TLA of the day.

On Sat, 14 Nov 1998, Paul H. Merrill wrote:

> Anonymous wrote:
> <<snip>>
> > failed TCSEC/Rainbow testing program.  I say "failed"
> > because it hasn't caught on in the private sector, it's expensive and,
> > of course, the laughable "C2 in '92."
> 
> While I was never a great fan of the Rainbow Series, to say that it
> failed because it hasn't caught on in the private sector is not holding
> very close to the point of it all. The "typical" private sector approach
> to security is to do nothing 'til the hackers come over the iInternet
> and wreak havoc the throw up a proxie server/firewall and go back to
> normal practices until the next "event" and try to plug That Hole.
> 
> C2 by 92 was an effort on the part of the govenment/military to stop
> those practices on their own parts.  True, not ompletely succesful, but
> hey what the Hell, how many of the efforts by them folk are?
> 
> PHM
>