meo@Dixie.Com (Miles ONeal) (03/15/91)
John F Haugh II writes:
>Well, I think it is very important to expose fraud wherever it
>is found. Part of the concept behind the TCSEC and the NCSC is
>that we trust the NCSC to properly apply the criteria described
>in the TCSEC so that the criteria have some meaning. What
>companies such as SecureWare are doing is to take a meaningful
>collection of criteria and announce, without proof, that they
>adhere to these well defined criteria. Naive users do not
>fully understand what the difference between a "rated" and an
>"unrated" system is - there are very real differences and
>SecureWare is clouding them up. Notice how quiet SecureWare is?
>They =are= on the net, and yet they do not get engaged in this
>discussion because their behavior is =unethical=.

Mr Haugh:

Your postings are getting into the area of slander and libel. They are also, at least in part, simply incorrect.

1) SecureWare's being quiet about this

SecureWare is *not* "on the net", per se. SecureWare has email via emory and uunet, and has sometimes ftp access. SecureWare does NOT have a news feed, and was generally unaware of this discussion until I stumbled across it (in alt.sources.d, where ELSE would I expect it?) and started forwarding it to SecureWare.

I have net access by virtue of a paid-for account on a public access system here in Atlanta. I pay for it myself. One or two other SecureWare employees have net access as students at Georgia Tech. As far as I am aware, that's it. But the company itself certainly has no news access.

2) SecureWare's behavior & ethics

In this article at least, you make claims you do not substantiate. Just what is this unethical behavior? One of the things that attracted me to SecureWare was that they seemed far more ethical in many areas than most of the software/systems houses with which I am familiar. I have been there almost a year, and have yet to see evidence to the contrary. Nor am I posting this out of duty or hoping to win brownie points - they don't go in for that sort of bull and neither do I.

Ordinarily I would have responded via email, but felt you had gone too far publicly to respond privately.

I do not claim to speak for SecureWare on these issues.

-Miles O'Neal

(S&SSI is my consulting company on the side. It has nothing whatsoever to do with SecureWare, its products, or its markets.)
jfh@rpp386.cactus.org (John F Haugh II) (03/15/91)
In article <8178@rsiatl.Dixie.Com> meo@Dixie.Com (Miles ONeal) writes:
>They are also, at least in part, simply incorrect.

They are not "simply incorrect". I had parts of this discussion at great length in comp.unix.sysv386 and comp.unix.xenix and a few of the other comp.unix groups.

>2) SecureWare's behavior & ethics
>
>In this article at least, you make claims you do not substantiate.
>Just what is this unethical behavior? One of the things that
>attracted me to SecureWare was that they seemed far more ethical
>in many areas than most of the software/systems houses with
>which I am familiar. I have been there almost a year, and have
>yet to see evidence to the contrary. Nor am I posting this out
>of duty or hoping to win brownie points - they don't go in for
>that sort of bull and neither do I.

SCO and SecureWare developed a product, which is called "SCO UNIX" that is sold by SCO as a "C2" product. SCO relies on SecureWare's name when they sell the product, that is, they freely say the product was developed with SecureWare, and they freely claim that it is a C2 product.

No, SCO does not say they have a blue letter, and they don't say they are "formally evaluated", and I've been very careful not to claim that they do - but they do continue to use "C2" to describe what "SCO UNIX" is. They also continue to use SecureWare's name, and SecureWare continues to point at SCO UNIX as a product it developed.

Based on descriptions of the features of SCO UNIX, and the criteria in the TCSEC, SCO UNIX is not "C2 compliant", for some minimum set of "C2 compliance". It does, and I have stated this previously, contain quite a few B1 and higher features (which, btw is not a "bad" thing in any sense). However, there are areas in which it lacks some "C2" feature.

Of course, the issue is completely moot because the system was never evaluated at the C2 level, nor could it be because the formal evaluation process involves more than just the particular software - it also involves the hardware the system is to be installed on.

There are many things that are "unethical" and still very legal. I am not claiming that SCO or SecureWare has done anything illegal. Just that SCO and SecureWare have clouded a complicated issue for their own gain. You don't just slap a "C2" label on a product and hope people don't know what an "Evaluated Products List" is.

--
John F. Haugh II | Distribution to | UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 832-8832 | GEnie PROHIBITED :-) | Domain: jfh@rpp386.cactus.org
"I've never written a device driver, but I have written a device driver manual" -- Robert Hartman, IDE Corp.
meo@Dixie.Com (Miles ONeal) (03/18/91)
John F Haugh II writes:
|In article <8178@rsiatl.Dixie.Com> meo@Dixie.Com (Miles ONeal) writes:
|>They are also, at least in part, simply incorrect.

|They are not "simply incorrect". I had parts of this discussion at
|great length in comp.unix.sysv386 and comp.unix.xenix and a few of the
|other comp.unix groups.

Well, I suppose if you choose to simply throw out the first point I make, you can blithely ignore any and all facts, eh?

SecureWare is NOT on the net! You BLEW that one. It was incorrect. Can you just not admit this, or are you so busy crusading you don't care about the facts?

-Miles