Information Technology Reference
In-Depth Information
Aharoni
: This does not comply with the open source advantage; the fact that when
you a have a real, a true open source device, then this is exposed to a very large
community of users that actually have the ability to monitor all the weaknesses and
suggest corrections. If Cisco sells a device to a US government agency, I am sure that
they do allow the source inspection of the product itself. I think that this is exactly where
we stand today.
Handy
: The NATO secret network is a closed network. What is the most probable and
likely vulnerability given that it is a closed network?
Stanley
: The NATO secret network by and large runs Windows operating systems:
Windows NT, Windows 2000. So every time there is a vulnerability, and now it is in
Windows, it exists on the NATO secret network. There are things in place to try to stop
files from being carried on to there; there are software restrictions, floppy restrictions,
CD ROM restrictions. We are looking at the moment at the USB tokens restrictions
because Windows 2000 will install the drivers automatically; Windows NT4 protects us
at the moment because it does not have USB drivers. So, the threat at the end of the day
is the insider because you need someone, by malice or by accident, to actually install the
attack tools. But as you can carry on a USB token of this size or a CD ROM or every
useful hacking tool that is available, you really have to have trusted users. NATO at the
moment operates in a lot of combined joint task forces. I have been down to Sarajevo and
we have NATO people sitting next to non-NATO people on the same mission. They are
on a separate physical network but there is not much separating them as far as physically
getting access to these machines. We are as vulnerable as the rest of the Internet The
NATO secret network I am involved in is the internet exchange gateway, connecting
NATO to nineteen member nations at the moment, twenty-six from next year. Each one
of those nations signs a piece of paper saying that they are not connecting to anything
else. But can you stand there with hand on heart and say that the sister net has no
connections to certain non-secret networks with appropriate guards in place; certified
guards, evaluation, source code checked? Yes I can. We are also working on a one way
dial to allow CNN type things into the secret network, so that they work on the problem
of stopping things leaving the network but they do not solve the problem of things getting
into the network.
Uneri
: The Turkish military has signed an agreement with Microsoft to look at the
code. Three officers from the Turkish army went to Seattle to look at the code but
Microsoft showed them into an isolated room and only gave access to a part of the code
with hundreds of pages that you would not use anywhere. So, I personally believe that
Microsoft is trying to convince people that its operating system is secure. But I cannot
see any academic proof. Looking at the Microsoft code, Microsoft Windows 2000,
which contains more than forty million lines of code, just looking at it, analysing it and
compiling it and saying that this code is secure is impossible. This is my opinion. In
evaluation, I have to tell you that all the source code is not examined. There are several
levels of evaluation insurance, common criteria, etc., but Microsoft is at the level where
only the source code is examined very carefully. At level four, only part of the code is
examined. So when a product is certified it does not mean that every line of code is
examined carefully, so there is a problem with this approach. I cannot say that achieving
secure operating systems is not done properly in the Microsoft way, and also for Cisco's.
Search WWH ::
Custom Search