In the mid-90s I requested a copy of all the books in the Rainbow Series. It took a while, and I forgot about it. One day my roommate says "You have a package from Satan". I saw the return address was Ft Meade, and assumed he meant because of that. But no, it was because the postage was $6.66. What are the chances.
I went through that era and worked on one of the high-security systems mentioned.
We never got it to run fast enough on a PDP-11, partly because we ran out of 16-bit address space and had to remove functionality to get it to fit. The OS was written in Modula I.
The Orange Book / NSA approach to evaluation upset many vendors. The original policy, borrowed from safe and lock evaluation, was that vendors got two tries at security evaluation. For the first try, the evaluators told the vendor what problems they'd found. The second try was pass/fail, and failure meant rejection of the product. Published, public rejection as defective. A few systems did pass, but they were well out of the mainstream. Prime Computer had a secure operating system for their minicomputers. Most failed. Computer vendors hated that.
This resulted in demands that evaluation be outsourced to "third party labs" paid by vendors, instead of NSA employees. The third party labs could be paid to retest and retest until the thing passed. This was pretty worthless. There was even a demand from vendors that NSA stop promoting the higher levels of assurance as inappropriate to the commercial market.
Computer security was not a big issue within NSA at the time. They were still all about radio interception and analysis, and focused on the USSR. NSA's main facility is at Fort Meade, MD. There was (and still is) an auxiliary facility called Friendship Annex or FANX, near Friendship Airport, now Baltimore Washington International. FANX handled low-priority NSA functions, such as personnel and training. Being assigned to FANX was low-status within NSA. Computer security was at FANX. The location alone made it something of a career backwater. This had a non-trivial effect on the effort.
If anybody has an original copy of the Orange Book (and/or the rest of the rainbow series), I'd love to pick them up! Just about impossible to find these days (and no, you can't get them on amazon - that's just someone making cash re-printing public domain data).
I just found I have the whole rainbow series that I've stored in a box since the mid-90s. They're a kind of relic of hacker memorobilia, and were in a box with a bunch of old blackhat presentation materials and swag. I'm sure there is an O'Reilly animal book t-shirt titled "practical unix terrorism," down there somewhere as well.
12 comments
[ 578 ms ] story [ 322 ms ] threadMy conclusion from all of this: people need to stop naming books after rainbow colors.
https://www.martinfowler.com/bliki/TwoHardThings.html
The Orange Book / NSA approach to evaluation upset many vendors. The original policy, borrowed from safe and lock evaluation, was that vendors got two tries at security evaluation. For the first try, the evaluators told the vendor what problems they'd found. The second try was pass/fail, and failure meant rejection of the product. Published, public rejection as defective. A few systems did pass, but they were well out of the mainstream. Prime Computer had a secure operating system for their minicomputers. Most failed. Computer vendors hated that.
This resulted in demands that evaluation be outsourced to "third party labs" paid by vendors, instead of NSA employees. The third party labs could be paid to retest and retest until the thing passed. This was pretty worthless. There was even a demand from vendors that NSA stop promoting the higher levels of assurance as inappropriate to the commercial market.
Computer security was not a big issue within NSA at the time. They were still all about radio interception and analysis, and focused on the USSR. NSA's main facility is at Fort Meade, MD. There was (and still is) an auxiliary facility called Friendship Annex or FANX, near Friendship Airport, now Baltimore Washington International. FANX handled low-priority NSA functions, such as personnel and training. Being assigned to FANX was low-status within NSA. Computer security was at FANX. The location alone made it something of a career backwater. This had a non-trivial effect on the effort.