RE: ISA get EAL4+ rating

  • From: "Troy Radtke" <TRadtke@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 5 Oct 2005 13:41:56 -0500

Oh no, I agree with you on that.  It won't verify -functional- integrity
at all.  What I'd need is to verify that the code has not -changed-
since it was released from the vendor.

Heck if it erases the disk drives and installs FreeBSD on the system
that's for QA/QC to catch..... =?)  I just expect to know if someone
slipped me a different version or not.

Ah, but then again, you are referencing internal developed apps vs. a
3rd party application acquired from Microsoft.  I am not strong in the
way of code-fu, so I can not comment on how bank/remittance/saving and
loan auditors do that portion of it.  All I usually have to do is prove
that I knew exactly what and where that executable came from, and a hash
can supply me with the ability to do that.  For instance - Program A has
hash "XYZ" and came from Bob's Computer-Programs-R-Us and matches their
hash of "XYZ" which is version 1.2.3.4.5 which is approved for use.

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
Sent: Wednesday, October 05, 2005 11:42 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA get EAL4+ rating

http://www.ISAserver.org

Read one?  Dude, I can't even *spell* EULA.  Oh, wait... Anyway, I guess we
have different auditors... Before I joined Anchor, I had a private
development company.  My base included financial/banking institutions-- I
designed varied algorithms to calculate finance rates, verify disclosed
rates against "true" rates (as dictated by Appendix J of the FTC's Reg Z
documentation), balloon payments, mid-term rates based on odd-days before
first payment and all kinds of other crap that made my head hurt... I then
wrote the code that integrated said algorithms into various applications as
well as stand alone apps.

Never once was I asked to provide file hashes for my executables, even from
the auditors.  They did, however, require sit-down audits with me and the
source code to verify my math theory, implementation, and exception
handling...

So I guess we just have two different viewpoints- from mine, any audit that
uses a file hash to verify operational integrity is worth about as much as
hen poop on a pump handle. ;)

t

----- Original Message ----- 
From: "Troy Radtke" <TRadtke@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, October 05, 2005 9:12 AM
Subject: [isalist] RE: ISA get EAL4+ rating


True, but have you ever read a EULA?  Basically it says that a bunch of
monkeys could have banged on the keyboard and accidentally had it
compile into a program and that they aren't liable if it makes your
computer start on fire.

The integrity of the bits is all an auditor cares about; since there is
no warranty as to what the software does, if anything at all.  If it can
prove that the software on the disk that I have is what Microsoft says
it should be, then it's good enough. It's the software's fingerprint,
nothing more, nothing less.  Right now, I can't even be sure it's the
correct software that they are referencing.  If I don't know that, then
what it does is a moot point.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, October 05, 2005 10:57 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA get EAL4+ rating

Good point.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Wednesday, October 05, 2005 10:47 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA get EAL4+ rating
>
> I'm not so sure... If the true concern is surviving an audit, a published
> file hash is worthless, really.  I can publish the hash of any of my Hammer
> o' God tools, but unless you have the source code and compile it yourself,
> you have no way of knowing what I'm really doing in my code when you run it.
> The presence (or absence) of a hash has nothing to do with the integrity of
> a tool's operation, purpose, or effect - it's only the integrity of the
> bits.
>
> t
>
>
> ----- Original Message ----- 
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, October 05, 2005 6:58 AM
> Subject: [isalist] RE: ISA get EAL4+ rating
>
>
> Good point.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
>
>
>
>
> ________________________________
>
> From: Troy Radtke [mailto:TRadtke@xxxxxxxxxxxx]
> Sent: Wednesday, October 05, 2005 8:49 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA get EAL4+ rating
>
>
>
> That Integrity Check Tool is a joke.  Where's the published known good
> file hash for me to verify that it has not been tampered with before I
> downloaded it?  Sure as heck isn't on the web page that you can download
> it from.
>
> Using an unverified tool to verify another piece of software would have
> any auditor laughing at you pretty dang quick....  Just like a cashier at
> a store shouldn't be comparing the back of your credit card to your
> signature but to your state/government (hopefully checked and) issued ID,
> since anyone can sign a credit card after it's been mailed out.....
>
>
>
>
> ________________________________
>
>
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Tuesday, October 04, 2005 10:00 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA get EAL4+ rating
>
>
>
> I did ;-P
>
>
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
>
>
>
>
>
>
> ________________________________
>
>
> From: Greg Mulholland
> [mailto:gmulholland@xxxxxxxxxxxxxx]
> Sent: Tuesday, October 04, 2005 9:57 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA get EAL4+ rating
>
> same to you :p
>
>
>
>
> ________________________________
>
>
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, 5 October 2005 12:54 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA get EAL4+ rating
>
> Blog.
>
>
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
>
>
>
>
>
>
> ________________________________
>
>
> From: Greg Mulholland
> [mailto:gmulholland@xxxxxxxxxxxxxx]
> Sent: Tuesday, October 04, 2005 9:51 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA get EAL4+ rating
>
> got a link?
>
>
>
>
> ________________________________
>
>
> From: Thomas W Shinder
> [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, 5 October 2005 12:26 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] ISA get EAL4+ rating
>
> 'nuf said.
>
>
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> <http://www.isaserver.org/>
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
>
>
>
>
> ------------------------------------------------------
> List Archives:
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ:
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
>
> ------------------------------------------------------
> Visit TechGenix.com for more information about
> our other sites:
> http://www.techgenix.com
>
> ------------------------------------------------------
> You are currently subscribed to this
> ISAserver.org Discussion List as: gmulholland@xxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> ------------------------------------------------------


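The check described at the top of this message (a program's hash compared with the vendor's published hash for an approved version), as an added example that is not part of the original thread. SHA-256, the `approved` record layout, the file names and the sample bytes are assumptions constructed for illustration; the vendor name and version string are the ones used in the message.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk=1 << 16):
    """Stream the file so a large installer is never held in memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def audit(path, approved):
    """Classify one file against the approved-software list.

    approved maps a lower-case file name to records holding vendor, version
    and the vendor's published sha256 (obtained separately from the download).
    """
    records = approved.get(os.path.basename(path).lower())
    if not records:
        return ("UNKNOWN", "no approved record for this file name")
    actual = sha256_file(path)
    for rec in records:
        if hmac.compare_digest(actual, rec["sha256"].lower()):
            return ("APPROVED", f"{rec['vendor']} version {rec['version']}")
    return ("MISMATCH", f"sha256 {actual} matches no approved version")

def demo():
    # Constructed sample data: these bytes stand in for the vendor's release.
    released = b"constructed bytes standing in for the released build"
    approved = {"programa.exe": [{
        "vendor": "Bob's Computer-Programs-R-Us",
        "version": "1.2.3.4.5",
        "sha256": hashlib.sha256(released).hexdigest(),
    }]}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ProgramA.exe")
        for label, data in (("released", released), ("swapped", released + b"\0")):
            with open(path, "wb") as f:
                f.write(data)
            results[label] = audit(path, approved)
        other = os.path.join(d, "other.exe")
        open(other, "wb").close()
        results["unlisted"] = audit(other, approved)
    return results

if __name__ == "__main__":
    print(demo())
```

An APPROVED result identifies which released bits are on disk and nothing about what they do, which is the distinction both sides of the thread draw.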