I am easily satisfied with the very best - Winston Churchill
Rumor has it that Red Hat's Common Criteria (CC) certification effort is stalled, held up indefinitely by the UK-based testing laboratory Red Hat selected to do the work. The UK lab's certification board reportedly has not yet even met to review and approve Red Hat's CC EAL2 evaluation proposal and plan, incurring several months of all-too-typical bureaucratic delay.
Compounding the situation, Red Hat Advanced Server was granted Common Operating Environment (COE) certification this year by the US Department of Defense (DoD), but SuSE Linux Enterprise Server isn't expected to gain equivalent COE certification from the DoD for several months.
Both Common Criteria and COE certifications are formally required for platforms used within US DoD IT infrastructure, we are led to understand (for Common Criteria, via the NSTISSP No. 11 acquisition policy covering IA and IA-enabled products). That Linux systems are already widely deployed in DoD organizations is due to numerous administrative exceptions that have been quietly granted in recent years, exceptions that look more and more awkward as Microsoft and EDS deploy lobbyists at high levels.
Microsoft obtained Common Criteria EAL4+ certification for the Windows 2000 editions last year, and Windows 2000 is COE certified as well.
As we've seen in the past week, these certifications don't guarantee that a platform is secure. An Evaluation Assurance Level measures how rigorously one specific evaluated configuration was examined against its own Security Target; it is not a statement that the code actually running in the field is free of exploitable bugs. These "certified" Microsoft operating systems have just been compromised on a massive international scale by the "Lovsan" / "MSBlast" (Blaster) worm, which exploits the RPC DCOM buffer overflow patched in Microsoft security bulletin MS03-026. Microsoft has had to front-end its Windows Update site with about 15,000 Akamai servers this weekend (and, very ironically, those Akamai servers all run Linux). The same vulnerability is even suspected, in this SecurityFocus posting, as a root cause of Thursday's extensive power blackout across the Northeast and Upper Midwest US and into Canada, though that remains speculation at this point. At this juncture, one might really wonder how much the DoD's formal certifications are actually worth in terms of effective IT infrastructure security.
For Microsoft, which can easily afford the estimated $1 million price tag of each major DoD certification effort, emphasizing software certification is an attractive, and innocently responsible-seeming, line of attack against its Free / Open Source Software (FOSS) competitors.
Electronic Data Systems (EDS) is currently Microsoft's ally, since it is struggling with its multi-year, billion-dollar contract for the Navy Marine Corps Intranet (NMCI) rollout. EDS apparently bid the contract on the assumption that it could standardize on commodity Microsoft platforms throughout most Navy and Marine Corps organizations, then discovered that many systems run Linux instead. EDS is widely thought to have lost hundreds of millions of dollars on NMCI work last year, which may have had something to do with the EDS chairman's rather sudden departure (internalmemos.com) last March. Between Microsoft and EDS, Linux is under attack at DoD.
But this places DoD organizations in an extremely difficult position. As a US Army-funded study by the Mitre Corporation revealed last year, many DoD organizations already depend heavily on Linux-based systems throughout their infrastructures. Simply ripping all those "non-compliant" Linux systems out of the US defense establishment would probably cause severe disruption, so that is not likely to happen.
Meanwhile, because of the heightened emphasis on standards compliance emanating from Washington, DC in recent months (orchestrated remotely from Redmond, WA and Plano, TX), DoD organizations are under orders not to start new projects unless they use software that is certified, or at least officially listed as under evaluation, which effectively prevents DoD CIOs from starting new Linux installations.
So DoD organizations can just switch to SuSE to meet the Common Criteria requirement, right? Not likely, because, as one DoD CIO is reported to have said, "We don't use that German ****!" As one might imagine, the US Department of Defense is an extremely top-down environment, and US Secretary of Defense Donald Rumsfeld's grudge against the so-called "Old Europe" countries Germany and France is reflected at all levels.
It's stupid, of course, because SuSE is quite scrupulous in observing the GNU General Public License (GPL), as are Red Hat, Mandrake, Debian and the other Linux distributions. But jingoism reigns in the US military.
At the risk of somewhat disappointing SuSE, but also as a way to cut in on its database rival Oracle, perhaps IBM might offer to help Red Hat out? µ