Re: [Full-disclosure] Can ISO15408 evaluated products be trusted?

From: Nora Barrera (nora15408_at_yahoo.com)
Date: 05/21/05

Date: Sat, 21 May 2005 06:36:29 -0700 (PDT)
To: Valdis.Kletnieks@vt.edu

--- Valdis.Kletnieks@vt.edu wrote:

> Ask the vendor for a copy of the evaluation report.

But those reports do not contain any valuable
information for me. What kind of tests were done? How?
It looks like security by obscurity.

> Note that the EAL and PP interact - a CAPP
> (Controlled Access) evaluated at EAL4
> may actually provide less *real* protection than an
> LSPP (Labeled System) evaluated
> to EAL3 - the EAL4 just means they've done more work
> to prove the *provided* security works as
> advertised.

What's the use of security functions if they can be
circumvented?

                    
    Yahoo! Mail
    Stay connected, organized, and protected. Take the tour:
    http://tour.mail.yahoo.com/mailtour.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

