[Bloat] [Cerowrt-devel] wired article about bleed and, bloat and underfunded critical infrastructure
David Collier-Brown
davec-b at rogers.com
Mon Apr 14 18:16:49 PDT 2014
> Dave Taht <dave.taht at gmail.com> wrote...
>
> On Mon, Apr 14, 2014 at 4:22 PM, <dpreed at reed.com> wrote:
>> All great points.
>>
>> Regarding the Orange Book for distributed/network systems - the saddest part
>> of that effort was that it was declared "done" when the standards were
>> published, even though the challenges of decentralized networks of
>> autonomously managed computers were already upon us. The Orange Book was for
>> individual computer systems that talked directly to end users and sat in
>> physically secured locations, and did not apply to larger scale compositions
>> of same. It did not apply to PCs in users' hands, either (even if not
>> connected to a network). It did lay out its assumptions; but the temptation
>> to believe its specifics applied when those assumptions weren't met clearly
>> overrode engineering and managerial sense.
> I worked on C2 level stuff in the early 90s, and on a db that tried to get B2
> certification - it was difficult, slow, painful, hard, and ultimately
> just a checkbox

Going far off-topic, I wrote a tongue-in-cheek article that was actually
a suggestion we use labelling and crypto to create severely simplified
orange-book compartments, in turn to protect confidentiality...
http://www.slaw.ca/2014/01/02/thank-goodness-for-the-nsa-a-fable, with a
more technical expansion at
http://broadcast.oreilly.com/2013/12/where-were-ye-orange-book-in-w.html
In part, this was to see if I could reduce the problem space to
something a startup would find possible to fund...
--dave
--
David Collier-Brown, | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
davecb at spamcop.net | -- Mark Twain