Subject: RE:
From: Larry Paul (lpaul asus.net)
Date: Wed Nov 29 2000 - 18:02:48 CST
- In reply to: Marcus J. Ranum: "(no subject)"
I counted 60 acronyms in the first 2 pages of the functional
requirements. (TOC) A short sample:
FIA_AFL, TSF(FMT_MOF), FPR_ANO, FPT_ITC, TOE TSF, FRU_RSA, FTA_MCS, FAU_GEN,
FCO_NRR, FCS_CKM, FDP_ACF, etc. etc. Someone up there must LOVE
abbreviations.
*-----Original Message-----
*From: firewalls-owner Lists.GNAC.NET
*[mailto:firewalls-owner Lists.GNAC.NET] On Behalf Of Marcus J. Ranum
*Sent: Tuesday, November 28, 2000 4:43 PM
*To: Firewalls Lists.GNAC.NET
*Subject: Re:
*
*
*Frederick M Avolio <fred avolio.com> writes:
*>Yes I encourage anyone who thinks that the Common Criteria sounds like a
*>wonderful invention to skim at least a few of the documents
*
*That's cruel, Fred. That stuff's completely unreadable
*gibberish and you know it. The only reason anyone should
*read it is if they:
* a) want an example of how _not_ to convey information effectively
* b) are suffering from sleep disorder and wish to become unconscious
*
*Here's a fun common criteria story. ;) The names have been
*left out, but the story is true <dum-dah-dum-dum> - about
*a year after I stopped writing firewalls for a living ('95+)
*I got a call from someone who'd been working on common criteria
*profiles for firewalls. They worked for one of the agencies
*that helped perpetuate the whole common criteria thing, and
*were very seriously into the whole concept. The guy invited
*me to review and comment on the profile for firewalls (I may
*have some of the terminology wrong) and offered to send it.
*At that time, I had been sharpening my fangs on ICSA's ankles,
*and so the whole topic of certifying firewalls was "interesting"
*to me. So I agreed. Then I got this - thing - that appeared
*to have been written in its own language. As I studied it
*more closely, I realized that it was written entirely in
*code - every term that was in common use had been redefined
*into another term. In fact, the whole document appeared to
*be the output of an extended game of gnomic. It was the most
*amazing pile of unreadable bureaucratese - for unreadability
*it beat Rijndael ciphertext quite easily. So I get on the
*phone with the guy, not wanting to commit my comments to
*E-mail and posterity:
* M: "Hi, this is Marcus. I've been reviewing the stuff you
* sent and I have a couple of questions about it."
* ?: "OK, sure!"
* M: "Alright: where's the executive summary?"
* ?: "Huh?"
* M: "You know, the 1 page summary that tells a manager
* what it _means_ so they don't have to read the rest?"
* ?: "We don't have those. That's not what this program
* is about!"
* M: "Ok, then, who do you expect to use these documents?"
* ?: "Security officers who are seeing if products meet the
* profile for deployment."
* M: "Oh, so you mean this is written in the language of
* a mysterious priesthood that nobody listens to, so that
* other members of the mysterious priesthood will nod
* sagely? Meanwhile everyone will base their product
* deployments on what they read in 'Data Communications'?"*
* ...
* and it went downhill from there. I fear I lost a friend.
*
* The DOD-oids who are working on this formal security
*stuff and common criteria are the most out-of-touch people
*on earth, as far as I can tell. What good is a spec that
*nobody can or will read? You can't even use it as a paperweight
*because it's also paper!
*
*(* a great and sorely-missed journal that had some top-notch
*product reviews that had real teeth)
*
*mjr.
*-----
*
*Marcus J. Ranum
*Chief Technology Officer, NFR Security, Inc.
*Work: http://www.nfr.com
*Personal: http://www.ranum.com
*
*-
*[To unsubscribe, send mail to majordomo lists.gnac.net with
*"unsubscribe firewalls" in the body of the message.]
*