Session recording

Ben Scott dragonhawk at gmail.com
Mon Mar 31 15:50:15 EDT 2008


On Mon, Mar 31, 2008 at 3:35 PM, Dan Coutu <coutu at snowy-owl.com> wrote:
>  Sounds to me like you need the kind of security auditing that is found
>  in DoD administered machines.

  Also banks, insurance companies, and other financial institutions,
hospitals and other health-care institutions, airlines... this really
is not new stuff.  :)

> I recall this from my days at
>  Digital when we were making DEC OSF/1 able to be C2 level secure and B1
>  level secure.

  FWIW and FYI:

  The old NSA rainbow book security levels aren't in vogue anymore,
and tend to be considered obsolete.  These days, it's the Common
Criteria standards, and I seem to recall that some vendor got a flavor
of Linux put on some CC list.

  Ultimately, all those standards are about having a system in which
one can define the protections one needs, and evaluate a given system
configuration to see if it meets those needs.  It's up to the user to
use the standards appropriately.  As I saw one wag put it, "You can
shit in a box and get that accredited, as long as you write your
Protection Profile for it".

  Put another way: Windows 98 could be and often was accredited for
DoD classified use.  You just had to lock the computer up in a safe
when you weren't using it.  :-)

-- Ben

