Re: DoD Security Clearance for cygwin?

Re: DoD Security Clearance for cygwin?

[Keen Wayne A Contr AFRL/MNGG]

Cygwin is not used (at least in this office and lab) in an environment in
which its security
(or lack thereof) is an issue.

Thats about all I can say and be secure.

Your warning was well taken, completely honest, and sincerly appreciated!

Wayne Keen

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: DoD Security Clearance for cygwin? (OT)

[Graeme Merrall]

On Wed, Aug 21, 2002 at 11:06:14AM -0500, Keen Wayne A Contr AFRL/MNGG wrote:
> Cygwin is not used (at least in this office and lab) in an environment in
> which its security
> (or lack thereof) is an issue.
> 
> Thats about all I can say and be secure.

As a non-US, non-military exposed individual I love this security stuff.
I recall a post on another mailing list in which the author had to
include a classified status to all his mails. They all started:
CLASSIFICATION: UNCLASSIFIED

So which one of you guys has got the Roswell bits in his office? :)
Just some Aussie humour there...

Cheers,
 Graeme

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: DoD Security Clearance for cygwin? (OT)

[Shankar Unni]

Graeme Merrall wrote:
> On Wed, Aug 21, 2002 at 11:06:14AM -0500, Keen Wayne A Contr AFRL/MNGG wrote:
> 
>>Cygwin is not used (at least in this office and lab) in an environment in
>>which its security (or lack thereof) is an issue.
>>
>>Thats about all I can say and be secure.

> As a non-US, non-military exposed individual I love this security stuff.

As an aside to an OT aside, the question is important. If you have a 
host OS that has, say, a B1 certification (which I doubt Windows has, 
even disconnected from the Net :-), you don't want to run a system or 
application on it that could theoretically allow you to bypass those 
access checks (say, due to a bug in the authentication and authorization 
code).

I wonder if anyone is sufficiently motivated to perform such a thorough 
security review of the entire Cygwin platform.
--
Shankar.




--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: DoD Security Clearance for cygwin?

[Christopher Faylor]

On Wed, Aug 21, 2002 at 11:06:14AM -0500, Keen Wayne A Contr AFRL/MNGG wrote:
>Cygwin is not used (at least in this office and lab) in an environment
>in which its security (or lack thereof) is an issue.
>
>Thats about all I can say and be secure.
>
>Your warning was well taken, completely honest, and sincerly
>appreciated!

Thank you!  It is gratifying to see that you understood my intent.

cgf

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: DoD Security Clearance for cygwin? (OT)

[Christopher Faylor]

On Thu, Aug 22, 2002 at 11:06:29AM -0700, Shankar Unni wrote:
>I wonder if anyone is sufficiently motivated to perform such a thorough 
>security review of the entire Cygwin platform.

Shudder.

cgf

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

RE: DoD Security Clearance for cygwin?

[Carter Dennis L Civ AFRL/VAAA]

Absolutely, Positively Clear.

We are not in a secure environment, that is not running classified.  But we do run proprietary for several contractors as well as for government only.

If Cygwin is not secure enough for that, I will have to notify some other agencies (non-DoD) that they might want to reconsider its use.

Thanks for your help.

- Dennis


-----Original Message-----
From: Christopher Faylor [mailto:cgf@redhat.com]
Sent: Wednesday, August 21, 2002 11:47 AM
To: cygwin@cygwin.com
Cc: Dennis.Carter@wpafb.af.mil
Subject: Re: DoD Security Clearance for cygwin?


On Wed, Aug 21, 2002 at 08:14:30AM -0500, Keen Wayne A Contr AFRL/MNGG wrote:
>I replied directly to Dennis.  I know Cygwin showed up on an "approved"
>list of open source tools that was circulated here about a year ago.
>What was involved in the approval process I have little insight into.

I SINCERELY hope that no one uses cygwin in a secure environment.  It is
very much not a secure tool.

I'm sure that Red Hat would entertain the option to fix up all of the
myriad security holes in Cygwin but, for now, please PLEASE do not use it
in a secure environment.

I hope this is clear.

cgf

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: DoD Security Clearance for cygwin?

[Christopher Faylor]

On Wed, Aug 21, 2002 at 08:14:30AM -0500, Keen Wayne A Contr AFRL/MNGG wrote:
>I replied directly to Dennis.  I know Cygwin showed up on an "approved"
>list of open source tools that was circulated here about a year ago.
>What was involved in the approval process I have little insight into.

I SINCERELY hope that no one uses cygwin in a secure environment.  It is
very much not a secure tool.

I'm sure that Red Hat would entertain the option to fix up all of the
myriad security holes in Cygwin but, for now, please PLEASE do not use it
in a secure environment.

I hope this is clear.

cgf

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

RE: DoD Security Clearance for Cygwin?

[Keen Wayne A Contr AFRL/MNGG]

I replied directly to Dennis. I know Cygwin showed up on an
"approved" list of open source tools that was circulated here
about a year ago.  What was involved in the approval process
I have little insight into.

In a bit of irony / humor, I remember Cygwin being on the
list, but GNAT was not.  Humor of a formerly DOD mandated language
not appearing on the list aside, the additional layer of 
humor was that apparently noone had asked for it.

Sorry, my child go me up early crouping, and I have a weird 
sense of humor anyway.

Wayne

-----Original Message-----
From: Nicholas Wourms [mailto:nwourms@yahoo.com]
Sent: Wednesday, August 21, 2002 8:09 AM
To: Carter Dennis L Civ AFRL/VAAA; 'cygwin@cygwin.com'
Cc: Keen Wayne A Contr AFRL/MNGG
Subject: Re: DoD Security Clearance for Cygwin?



--- Carter Dennis L Civ AFRL/VAAA <Dennis.Carter@wpafb.af.mil> wrote:
> While I have heard good reviews on the capabilities of Cygwin, my
> security people are requiring an extensive analysis of the code
> before permitting it to be used on our machines.
> 
> Has any DoD center already completed this security review so we
> don't have to reaccomplish it?

Perhaps Wayne would have an idea of this since he also works for the
DoD.  Wayne, do you know what the word is on this?

Cheers,
Nicholas

__________________________________________________
Do You Yahoo!?
HotJobs - Search Thousands of New Jobs
http://www.hotjobs.com

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: DoD Security Clearance for Cygwin?

[Nicholas Wourms]

--- Carter Dennis L Civ AFRL/VAAA <Dennis.Carter@wpafb.af.mil> wrote:
> While I have heard good reviews on the capabilities of Cygwin, my
> security people are requiring an extensive analysis of the code
> before permitting it to be used on our machines.
> 
> Has any DoD center already completed this security review so we
> don't have to reaccomplish it?

Perhaps Wayne would have an idea of this since he also works for the
DoD.  Wayne, do you know what the word is on this?

Cheers,
Nicholas

__________________________________________________
Do You Yahoo!?
HotJobs - Search Thousands of New Jobs
http://www.hotjobs.com

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: DoD Security Clearance for Cygwin?

[Larry Hall (RFK Partners, Inc)]

At 07:52 AM 8/21/2002, Carter Dennis L Civ AFRL/VAAA wrote:
>While I have heard good reviews on the capabilities of Cygwin, my security people are requiring an extensive analysis of the code before permitting it to be used on our machines.


Good to hear the "press" likes Cygwin. ;-)


>Has any DoD center already completed this security review so we don't have to reaccomplish it?



If they have, we haven't heard about it.  Still, I expect the review would
be pointless.  Cygwin is not a secure multi-user environment locally.  It
can be used as a secure environment remotely via SSH.



Larry Hall                              lhall@rfk.com
RFK Partners, Inc.                      http://www.rfk.com
838 Washington Street                   (508) 893-9779 - RFK Office
Holliston, MA 01746                     (508) 893-9889 - FAX


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

DoD Security Clearance for Cygwin?

[Carter Dennis L Civ AFRL/VAAA]

While I have heard good reviews on the capabilities of Cygwin, my security people are requiring an extensive analysis of the code before permitting it to be used on our machines.

Has any DoD center already completed this security review so we don't have to reaccomplish it?

- Dennis


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/