Re: [Fed-Talk] re: OpenSSL on OS X old?
- Subject: Re: [Fed-Talk] re: OpenSSL on OS X old?
- From: David Emery <email@hidden>
- Date: Fri, 08 May 2009 09:10:06 -0400
With the recent leaks in F22/LMCO, I suspect we'll see increasing
attention to IA issues in the contractor base. For most "IT Nazis" that
will probably mean tightly locked down Windows machines (with all those
latent vulnerabilities.)
My perspective back to my sponsors has been, "If the government wants to
issue me a Windows machine, I'll of course use it, but it will be their
responsibility to sustain that machine, and that includes all aspects of
Tech Support. And I'm not responsible for any downtime caused by
problems with that machine."
If Apple is at all serious about the government, it needs to take a
really strong look at the list prepared by Boyd Fletcher. There's stuff
in there I don't agree with, but overall we owe him a big debt for the
effort in making such a list including his rationale.
The three big things that are essential from my perspective are
a. full CAC integration, including Safari, Mail.app, and a means
for 3rd party apps to make appropriate use of CAC Cards.
b. Whole-disk encryption (and that's something so dangerous to get
wrong, that I think the OS vendor is the right vendor to do it.) (And
that encryption needs to be tied to CAC...)
c. Disabling the camera and probably Bluetooth (both computers and
iPhone)
dave
Trent Townsend wrote:
To revisit an old topic, we are again getting questioned about the
OpenSSL on OS X? It hasn't been updated since 2006 and probably
includes a number of IAVA related issues that are not fixed. Is
anyone else having this problem? Is Apple even aware?
Respectfully,
------------
Trent Townsend, CISSP
DoD Supercomputing Resource Center
US Army Engineer R&D Center
Email: email@hidden
Office: 601.634.4051
Cell: 601.631.1879
Fax: 601.634.3266
http://www.erdc.hpc.mil
On Jun 20, 2008, at 11:09 AM, David Emery wrote:
One of the problems we discovered is that OpenSSL is often -built in- to
other applications. So you could go and replace the OpenSSL library
itself, but there's no guarantee that all COTS products (including web
browsers) will use the default system SSL (dynamic) library.
dave
--
David Emery, DSCI, supporting PdM FCS (BCT) SW Integration
703 298 3473 (office/cell), 703 272 7496 (fax)
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
--
David Emery, DSCI, supporting PdM FCS (BCT) SW Integration
703 298 3473 (office/cell), 703 272 7496 (fax)
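
The point quoted above about OpenSSL being built into other applications, as an added example that is not part of the original thread: OpenSSL compiles a version banner of the form "OpenSSL <version> <date>" into its library, and a statically linked copy carries it along, so a sweep for that banner inventories bundled copies that replacing the system library would not touch. The function names and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

# OPENSSL_VERSION_TEXT is compiled into libcrypto, so the same string shows
# up inside any binary that statically links the library.
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*) +(\d{1,2} [A-Z][a-z]{2} \d{4})")

def embedded_openssl_versions(path, chunk_size=1 << 20):
    """Return the sorted (version, date) banners found in one file."""
    found = set()
    tail = b""  # carried over so a banner split across two reads still matches
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            data = tail + chunk
            for m in BANNER.finditer(data):
                found.add((m.group(1).decode(), m.group(2).decode()))
            tail = data[-64:]
    return sorted(found)

def scan_tree(root):
    """Map each regular file under root to the OpenSSL banners embedded in it."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            try:
                versions = embedded_openssl_versions(full)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if versions:
                report[os.path.relpath(full, root)] = versions
    return report

def demo():
    """Constructed sample: one 'app' with a bundled copy, one without."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "vendor_app"), "wb") as fh:
            fh.write(b"\x00" * 100 + b"OpenSSL 0.9.7l 28 Sep 2006\x00" + b"\xff" * 50)
        with open(os.path.join(root, "clean_tool"), "wb") as fh:
            fh.write(b"\x00\x01 no crypto library in this file")
        return scan_tree(root)

if __name__ == "__main__":
    for path, versions in demo().items():
        print(path, versions)
```

A hit means the file carries its own copy and has to be patched by its vendor; a miss is not proof of absence, since a build can strip or alter the banner.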