Re: [Fed-Talk] Question on Mac approval
- Subject: Re: [Fed-Talk] Question on Mac approval
- From: JEFFREY COMPTON <email@hidden>
- Date: Fri, 30 Aug 2013 18:01:28 -0400
Careful Joel,
Look carefully - not ALL vulnerabilities in 10.6 are being patched.
Best I can tell - Apple has focused 10.6 patches on server-centric components.
Historically - Apple has only provided patches for current OS minus 1. But I can't for the life of me get an honest answer from my reps, or anyone from Apple about the CURRENT policy.
Sent from my iPhone
On Aug 30, 2013, at 1:45 PM, Joel Peterson <email@hidden> wrote:
> 10.6 is still receiving security updates as recently as last month:
> http://support.apple.com/kb/HT1222
>
> Joel Peterson
> email@hidden
>
>
> On 8/30/13 10:22 AM, "Mike Bainter" <email@hidden> wrote:
>
>> Could you please provide a link or source regarding your statement that
>> 10.6 is EOL?
>>
>> Thanks!
>>
>> Mike
>>
>> On Aug 29, 2013, at 4:36 PM, Joel Esler wrote:
>>
>>> 10.6 is eol. No patches. So is 10.5 obviously.
>>>
>>> --
>>> Joel Esler
>>>
>>>> On Aug 29, 2013, at 7:21 PM, "Beatty, Daniel D CIV NAVAIR, 474300D"
>>>> <email@hidden> wrote:
>>>>
>>>> Hi Peter,
>>>> First, I should say take it easy. I am not against you. That said,
>>>> you kind of proved my point. Apple has buy in with NIST, and from the
>>>> point of view of having a good product. It is just as much a matter
>>>> of our relevance as a customer as it is their relevance as a provider.
>>>>
>>>>
>>>> The point I made about OSI is very relevant. The USG also mandated
>>>> that OSI be used throughout its networks. In other words, OSI was
>>>> supposed to be the network. Just when did OSI work? IBM had a few
>>>> prototypes that did not live up to its own standards. If we played
>>>> by that rule, the internet would never have been. However, the
>>>> President mandated use of the internet in 1994. What do you think the
>>>> people were doing in between the two mandates? A lot of people were
>>>> using the internet, even in the USG, before the President's mandate.
>>>> Were they in violation of mandates? Or did they choose to comply with
>>>> their mission, which is also a mandate? There is always someone who has
>>>> the ability to get our customers what they need to do their job, even
>>>> if it removes us from relevance. It happened in the case of OSI.
>>>>
>>>> In any case, you are right in the fact we should encourage Apple on
>>>> higher standards. We should check both with Apple and their third
>>>> party supporters. There is always some incentive to encourage mutual
>>>> goals.
>>>>
>>>> V/R,
>>>>
>>>> Daniel Beatty, Ph.D.
>>>> Computer Scientist
>>>> Code 474300D
>>>> 1 Administration Circle. M/S 1109
>>>> China Lake, CA 93555
>>>> email@hidden
>>>> (760)939-7097
>>>>
>>>> -----Original Message-----
>>>> From: Peter Thoenen - NOAA Federal [mailto:email@hidden]
>>>> Sent: Thursday, August 29, 2013 2:57 PM
>>>> To: Beatty, Daniel D CIV NAVAIR, 474300D; Fed Talk
>>>> Subject: RE: [Fed-Talk] Question on Mac approval
>>>>
>>>> True but irrelevant IMHO. Regardless of the private sector we have a
>>>> statutory requirement within the Federal IT space to follow NIST
>>>> SP800-70 via 800-53 CM-2 via FIPS200.
>>>>
>>>> If a commercial vendor can't meet hard requirements, then we simply
>>>> shouldn't be using that vendor. We seem to understand that in all
>>>> procurements EXCEPT IT procurements, i.e. we don't use construction
>>>> contractors that can't meet code (and history of such) nor do we
>>>> purchase various other widgets that can't meet our requirements. In IT
>>>> (because we hate to imagine ourselves as a boring commodity/utility
>>>> instead of a sexy sales/rockstar/engineer/creative class) we have a
>>>> distinct inability to simply follow the rules as written.
>>>>
>>>> If the requirement is 10.6, then you use 10.6. If you can't use 10.6,
>>>> then buy something else.
>>>>
>>>> And once again I'm saying that from a high horse, I live in the same
>>>> reality as the rest of you where in practice our supervisors and senior
>>>> organizational managers say "Don't care, want to sexy widget" :)
>>>>
>>>>> -----Original Message-----
>>>>> From: fed-talk-bounces+peter.thoenen=email@hidden
>>>>> [mailto:fed-talk-
>>>>> bounces+peter.thoenen=email@hidden] On Behalf Of Beatty,
>>>>> Daniel D CIV NAVAIR, 474300D
>>>>> Sent: Thursday, August 29, 2013 10:08
>>>>> To: Fed Talk (email@hidden)
>>>>> Subject: Re: [Fed-Talk] Question on Mac approval
>>>>>
>>>>> Hi Paul,
>>>>> That is kind of the point. When the Federal government is not the
>>>>> only customer, those other customers may have a greater influence.
>>>>> Hence, the notion of standards is kind of a requirement.
>>>>> However, for such a thing to have value there has to be buy-in by all
>>>>> parties, including the manufacturers. If a manufacturer can say, my
>>>>> customers don't need it, then it is hard to influence an outcome that
>>>>> has the feature desired.
>>>>>
>>>>> On the flip side, the OSI veterans can fill an ear about how they had
>>>>> the "right people" on their committees. OSI talked a good
>>>>> scheme, but TCP-IP walked the walk much more effectively. The irony
>>>>> was that TCP-IP was built into every BSD variant, and thus the
>>>>> internet was born. OSI wanted the credit, but in the end their
>>>>> vendors' buy-in looked like "sunk cash."
>>>>>
>>>>> What will happen with NIST/DISA standards for security? They have
>>>>> the buy-in, just like OSI. However, Apple looks like the TCP-IP
>>>>> cowboy. So is there a pattern?
>>>>>
>>>>> V/R,
>>>>>
>>>>> Daniel Beatty, Ph.D.
>>>>> Computer Scientist
>>>>> Code 474300D
>>>>> 1 Administration Circle. M/S 1109
>>>>> China Lake, CA 93555
>>>>> email@hidden
>>>>> (760)939-7097
>>>>>
>>>>> -----Original Message-----
>>>>> From: fed-talk-bounces+daniel.beatty=email@hidden
>>>>> [mailto:fed-talk-bounces+daniel.beatty=email@hidden]
>>>>> On Behalf Of Robinson, Paul, DVI/DMA-Fort Meade
>>>>> Sent: Thursday, August 29, 2013 12:33 PM
>>>>> To: Disiena, Ridley (GRC-VG00)[DB Consulting Group, Inc.]; Moore,
>>>>> Dallas
>>>>> Cc: Apple Fed-Talk List
>>>>> Subject: Re: [Fed-Talk] Question on Mac approval
>>>>>
>>>>> This point Ridley makes (see below) is illustrated by the 10.8
>>>>> release. Apple's disk encryption capability changed in 10.8. In 10.7
>>>>> the CAC could be used to provide the encryption key making it possible
>>>>> to boot up the computer with a CAC. 10.8 dropped this support, so
>>>>> encryption is via username/password. Once set it is not possible to
>>>>> enable CAC login.
>>>>>
>>>>> The only solution is to procure a third-party disk encryption tool
>>>>> for DAR compliance. I expressed this to an Apple rep yesterday and he
>>>>> says their focus is small groups' use of the workstations, despite the
>>>>> enterprise use of the Apple OS across the Apple enterprise.
>>>>> Sad really.
>>>>>
>>>>> Paul Robinson, CISSP
>>>>> Defense Media Activity
>>>>>
>>>>> From: "Disiena, Ridley (GRC-VG00)[DB Consulting Group, Inc.]"
>>>>> <email@hidden<mailto:email@hidden>>
>>>>> Date: Thursday, August 29, 2013 12:31 PM
>>>>> To: "Moore, Dallas"
>>>>> <email@hidden<mailto:email@hidden>>
>>>>> Cc: Apple Fed-Talk List
>>>>> <email@hidden<mailto:email@hidden>>
>>>>> Subject: Re: [Fed-Talk] Question on Mac approval
>>>>>
>>>>> Another reason, in my opinion, is the rapid release cycle from Apple
>>>>> which is only compounded by the veil of secrecy and lack of
>>>>> confidence the federal space has in the future releases. Most if not
>>>>> all Federal agencies have no assurance in what security features will
>>>>> remain in Apple provided operating systems from one version to the
>>>>> next, year after year, what will be deprecated / left limping with
>>>>> lack of adequate support, or what will be removed entirely and cease
>>>>> to be a feature.
>>>>>
>>>>> _______________________________________________
>>>>> Do not post admin requests to the list. They will be ignored.
>>>>> Fed-talk mailing list (email@hidden)
>>>>> Help/Unsubscribe/Update your Subscription:
>>>>> mil
>>>>>
>>>>> This email sent to email@hidden