Re: [Fed-Talk] Question on Mac approval
- Subject: Re: [Fed-Talk] Question on Mac approval
- From: Joel Esler <email@hidden>
- Date: Fri, 30 Aug 2013 20:24:00 -0400
Bingo.
--
Joel Esler
> On Aug 30, 2013, at 6:01 PM, JEFFREY COMPTON <email@hidden> wrote:
>
> Careful Joel,
>
> Look carefully - not ALL vulnerabilities in 10.6 are being patched.
>
> Best I can tell - Apple has focused 10.6 patches on server-centric components
>
> Historically - Apple has only provided patches for current OS minus 1. But I can't for the life of me get an honest answer from my reps, or anyone from Apple about the CURRENT policy.
>
>
> Sent from my iPhone
>
>> On Aug 30, 2013, at 1:45 PM, Joel Peterson <email@hidden> wrote:
>>
>> 10.6 is still receiving security updates as recently as last month:
>> http://support.apple.com/kb/HT1222
>>
>> Joel Peterson
>> email@hidden
>>
>>
>>> On 8/30/13 10:22 AM, "Mike Bainter" <email@hidden> wrote:
>>>
>>> Could you please provide a link or source regarding your statement that
>>> 10.6 is EOL?
>>>
>>> Thanks!
>>>
>>> Mike
>>>
>>>> On Aug 29, 2013, at 4:36 PM, Joel Esler wrote:
>>>>
>>>> 10.6 is eol. No patches. So is 10.5 obviously.
>>>>
>>>> --
>>>> Joel Esler
>>>>
>>>>> On Aug 29, 2013, at 7:21 PM, "Beatty, Daniel D CIV NAVAIR, 474300D"
>>>>> <email@hidden> wrote:
>>>>>
>>>>> Hi Peter,
>>>>> First, I should say take it easy. I am not against you. That said,
>>>>> you kind of proved my point. Apple has buy in with NIST, and from the
>>>>> point of view of having a good product. It is just as much a matter
>>>>> of our relevance as a customer as it is their relevance as a provider.
>>>>>
>>>>>
>>>>> The point I made about OSI is very relevant. The USG also mandated
>>>>> that OSI be used throughout its networks. In other words, OSI was
>>>>> supposed to be the network. Just when did OSI work? IBM had a few
>>>>> prototypes that did not live up to its own standards. If we played
>>>>> by that rule, the internet would never have been. However, the
>>>>> President mandated use of the internet in 1994. What do you think the
>>>>> people were doing in between the two mandates? A lot of people were
>>>>> using the internet, even in the USG, before the President's mandate.
>>>>> Were they in violation of mandates? Or did they choose to comply with
>>>>> their mission, which is also a mandate? There is always someone who has
>>>>> the ability to get our customers what they need to do their job, even
>>>>> if it removes us from relevance. It happened in the case of OSI.
>>>>>
>>>>> In any case, you are right in the fact we should encourage Apple on
>>>>> higher standards. We should check both with Apple and their third
>>>>> party supporters. There is always some incentive to encourage mutual
>>>>> goals.
>>>>>
>>>>> V/R,
>>>>>
>>>>> Daniel Beatty, Ph.D.
>>>>> Computer Scientist
>>>>> Code 474300D
>>>>> 1 Administration Circle. M/S 1109
>>>>> China Lake, CA 93555
>>>>> email@hidden
>>>>> (760)939-7097
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: Peter Thoenen - NOAA Federal [mailto:email@hidden]
>>>>> Sent: Thursday, August 29, 2013 2:57 PM
>>>>> To: Beatty, Daniel D CIV NAVAIR, 474300D; Fed Talk
>>>>> Subject: RE: [Fed-Talk] Question on Mac approval
>>>>>
>>>>> True but irrelevant IMHO. Regardless of the private sector we have a
>>>>> statutory requirement within the Federal IT space to follow NIST
>>>>> SP800-70 via 800-53 CM-2 via FIPS200.
>>>>>
>>>>> If a commercial vendor can't meet hard requirements, then we simply
>>>>> shouldn't be using that vendor. We seem to understand that in all
>>>>> procurements EXCEPT IT procurements, i.e. we don't use construction
>>>>> contractors that can't meet code (and history of such) nor do we
>>>>> purchase various other widgets that can't meet our requirements. In IT
>>>>> (because we hate to imagine ourselves as a boring commodity/utility
>>>>> instead of a sexy sales/rockstar/engineer/creative class) we have a
>>>>> distinct inability to simply follow the rules as written.
>>>>>
>>>>> If the requirement is 10.6, then you use 10.6. If you can't use 10.6,
>>>>> then buy something else.
>>>>>
>>>>> And once again I'm saying that from a high horse, I live in the same
>>>>> reality as the rest of you where in practice our supervisors and senior
>>>>> organizational managers say "Don't care, want to sexy widget" :)
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: fed-talk-bounces+peter.thoenen=email@hidden
>>>>>> [mailto:fed-talk-
>>>>>> bounces+peter.thoenen=email@hidden] On Behalf Of Beatty,
>>>>>> Daniel D CIV NAVAIR, 474300D
>>>>>> Sent: Thursday, August 29, 2013 10:08
>>>>>> To: Fed Talk (email@hidden)
>>>>>> Subject: Re: [Fed-Talk] Question on Mac approval
>>>>>>
>>>>>> Hi Paul,
>>>>>> That is kind of the point. When the Federal government is not the
>>>>>> only customer, those other customers may have a greater influence.
>>>>>> Hence, the notion of standards is kind of a requirement.
>>>>>> However, for such a thing to have value there has to be buy-in by all
>>>>>> parties, including the manufacturers. If a manufacturer can say, my
>>>>>> customers don't need it, then it is hard to influence an outcome that
>>>>>> has the feature desired.
>>>>>>
>>>>>> On the flip side, the OSI veterans can fill an ear about how they had
>>>>>> the "right people" on their committees. OSI talked a good
>>>>>> scheme, but TCP-IP walked the walk much more effectively. The irony
>>>>>> was that TCP-IP was built into every BSD variant, and thus the
>>>>>> internet was born. OSI wanted the credit, but in the end their
>>>>>> vendors' buy-in looked like "sunk cash."
>>>>>>
>>>>>> What will happen with NIST/DISA standards for security? They have
>>>>>> the buy-in, just like OSI. However, Apple looks like the TCP-IP
>>>>>> cowboy. So is there a pattern?
>>>>>>
>>>>>> V/R,
>>>>>>
>>>>>> Daniel Beatty, Ph.D.
>>>>>> Computer Scientist
>>>>>> Code 474300D
>>>>>> 1 Administration Circle. M/S 1109
>>>>>> China Lake, CA 93555
>>>>>> email@hidden
>>>>>> (760)939-7097
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: fed-talk-bounces+daniel.beatty=email@hidden
>>>>>> [mailto:fed-talk-bounces+daniel.beatty=email@hidden]
>>>>>> On Behalf Of Robinson, Paul, DVI/DMA-Fort Meade
>>>>>> Sent: Thursday, August 29, 2013 12:33 PM
>>>>>> To: Disiena, Ridley (GRC-VG00)[DB Consulting Group, Inc.]; Moore,
>>>>>> Dallas
>>>>>> Cc: Apple Fed-Talk List
>>>>>> Subject: Re: [Fed-Talk] Question on Mac approval
>>>>>>
>>>>>> This point Ridley makes (see below) is illustrated by the 10.8
>>>>>> release. Apple's disk encryption capability changed in 10.8. In 10.7
>>>>>> the CAC could be used to provide the encryption key making it possible
>>>>>> to boot up the computer with a CAC. 10.8 dropped this support, so
>>>>>> encryption is via username/password. Once set it is not possible to
>>>>>> enable CAC login.
>>>>>>
>>>>>> The only solution is to procure a third-party disk encryption tool
>>>>>> for DAR compliance. I expressed this to an Apple rep yesterday and he
>>>>>> says their focus is small groups use of the workstations, despite the
>>>>>> enterprise use of the Apple OS across the Apple enterprise.
>>>>>> Sad really.
>>>>>>
>>>>>> Paul Robinson, CISSP
>>>>>> Defense Media Activity
>>>>>>
>>>>>> From: "Disiena, Ridley (GRC-VG00)[DB Consulting Group, Inc.]"
>>>>>> <email@hidden>
>>>>>> Date: Thursday, August 29, 2013 12:31 PM
>>>>>> To: "Moore, Dallas" <email@hidden>
>>>>>> Cc: Apple Fed-Talk List <email@hidden>
>>>>>> Subject: Re: [Fed-Talk] Question on Mac approval
>>>>>>
>>>>>> Another reason in my opinion, is the rapid release cycle from Apple
>>>>>> which is only compounded by the veil of secrecy and lack of
>>>>>> confidence the federal space has in the future releases. Most if not
>>>>>> all Federal agencies have no assurance in what security features will
>>>>>> remain in Apple provided operating systems from one version to the
>>>>>> next, year after year, what will be deprecated / left limping with
>>>>>> lack of adequate support, or what will be removed entirely and cease
>>>>>> to be a feature.
>>>>>>
>>>>>> _______________________________________________
>>>>>> Do not post admin requests to the list. They will be ignored.
>>>>>> Fed-talk mailing list (email@hidden)
>>>>>> Help/Unsubscribe/Update your Subscription:
>>>>>> mil
>>>>>>
>>>>>> This email sent to email@hidden
>>>>
>>>
>>>
>>
>>