ken@dali.cc.gatech.edu (Ken Seefried iii) (03/16/91)
------

This is a response to a chain of articles critical of Secureware, and comes from Secureware's CEO, Michael McChesney. I would like to note that Secureware has not been `quiet' on this discussion because of unethical behavior. Secureware has been quiet because we do not get news. There are two or three Secureware employees who read news through other means, and have kept the company apprised of net discussions that relate to us. In the past, we have avoided involving ourselves in threads critical of us, but in this case feel that accusations have been made that warrant an official reply.

------

In response to John F Haugh II's recent diatribe about various security issues:

As Mr. Haugh points out, the issue of whether or not the "auth" or "sysadmin" accounts introduced in our C2-targeted product marketed as an OEM technology under the name "SMP" properly enforces the Least Privilege concept misses a critical point: that is that Least Privilege is not a requirement at the C2 class of trust. SecureWare has never claimed that the SMP enforces Least Privilege. We agree that the breaking up of roles into "auth" and "sysadmin" offers only a marginal gain in overall system security since a malicious user with access to either or both accounts can do great damage to a system. These role programs were added to the SMP product because several large government procurements specified just this functionality. Some of our OEM customers have appreciated the opportunity to win these large procurements. Anyone interested in SecureWare's approach to enforcing Least Privilege should review our CMW+ product, which is built upon the SMP technology base, but includes higher level security features, including Least Privilege.

What I do not understand are Mr. Haugh's accusations that SecureWare is obfuscating the difference between systems that have been "rated" by the NCSC and those that are targeted at a class of trust, and that SecureWare is "=unethical=" because we do not participate as actively as Mr. Haugh would like in the net traffic.

Speaking to the first accusation: SecureWare has always tried very hard to not fall into the habit of referring to "our C2 product" or "our B1 product", but to rather use the terminology suggested by the NCSC and refer to our products as "C2-targeted", "B1-targeted", etc. Despite our advice to the contrary, however, several of our OEM customers have fallen into this trap (although I do not believe any of them have done this intentionally). In any case, I do not believe Mr. Haugh should be too put out by these lapses since the SecureWare technology has indeed been successfully "rated" by the NCSC at the B1 class of trust. In fact, although the Least Privilege mechanism of our CMW+ product is not required by the Orange Book until the B2 level, it has also been successfully accredited by the Defense Intelligence Agency against the Compartmented Mode Workstation requirements.

As to the second accusation: I do not consider it "=unethical=" to occasionally ignore discussions on the net. Sometimes taking care of our business commitments comes first. I do, however, find it "=rude=" and "=irresponsible=" to make such uninformed accusations in a public forum.

If Mr. Haugh is actually interested in learning about our products and/or contributing constructive ideas to our development team, my number is 404-876-4840, ext. 13.

Michael McChesney
Chief Executive Officer
SecureWare, Inc.

--
ken seefried iii
ken@dali.cc.gatech.edu
"If 'ya can't be with the one you love, honey, love the one you're with..."