Forgot your password?
typodupeerror
Security

Air Force Warns Microsoft/Others to Tighten Security 357

Posted by Hemos
from the interesting-point dept.
FattyBoeBatty wrote to us with a story from USA Today about the the Air Force and security concerns. The Microsoft point is the primary point of the article, but the AF CIO has also made the point at industry forums, and evidently with Cisco. Specific companies aside, I think it's a good thing that organizations are beignning to realize the exposure they have on security issues - and maybe will actually start to take steps to close them.
This discussion has been archived. No new comments can be posted.

Air Force Warns Microsoft/Others to Tighten Security

Comments Filter:
  • real CIO (Score:2, Funny)

    by The Iconoclast (24795)
    i guess in the airforce the CIO is a REAL O. ;-)
    • by wiredog (43288)
      If the Air Force is anything like the Army, it's the sergeants who keep things running.
  • by FortKnox (169099) on Tuesday March 12, 2002 @12:19PM (#3150060) Homepage Journal
    Why do they stick with MS if they have security issues?
    Why hasn't anyone asked this question?

    We run Exchange Server, and we get hit by an Exchange Server virii
    Quick solution: Don't use exchange server.

    Why sit and wait for MS to comply?
    It just seems odd to me.

    Note: I'm not saying "Y d0nt j00 B 1337 4nd us3 L1NU><?" I'm just asking why stick with MS.
    • Exchange may have it's faults, but I've seen virii spread with equal rapidity via Sendmail. If you want to blame something, blame Outlook. Or more correctly blame the default settings to which Outlook installs.

    • Because the Air Force doesn't want to retrain all their personnel on software they're not familiar with.
      The costs of retraining and reconfiguring all their hardware far outweighs the kick in the ass scare they can put into Bill to fix up what they're already using.
      Just about everyone who has ever come into contact with a computer has experience with windows. From a user-interface point of view, its quick, clean, and easy.
      From a security point of view, its a nightmare.
      Unfortunately, the people who are deciding what to buy and what to install aren't the security-savvy techs.. they're the corporate middle management suits who see the flashy bells and whistles MS offers and bite so fast it'd make your head spin. MS had advertising, marketers, and a well-known product. Security wasn't as big a concern. All that adds up to a major problem today.
      Not only that, but lets face it, back when the USAF were first installing and configuring these services, there weren't many viable options out there. Yes yes, i know .. sendmail, etc. But who was out there pitching sendmail to the AF?
      • Another issue is that microsoft will come in and setup an entire system for you. One stop shopping. Believe it or not, this sells. IBM is basically the same way. When you want a complex system put in place its often easier to deal with a single large vendor than several smaller but better vendors.
      • by Pii (1955) <jedi AT lightsaber DOT org> on Tuesday March 12, 2002 @01:22PM (#3150656) Journal
        I'm not sure you understand the economics of the military...

        It does not cost the Air Force anything to retrain, nor to reconfigure.

        The Air Force (and the military in general) is already paying for the training of every person that enters the service. It would be a trivial matter for them to re-tool the courses in their Computer Sciences School, so that the students learned some other product or technology. (Besides, it's not like they teach an "NT Systems Administrator" course... They teach basics, like "Computer Programming," or "Computer Operations." The real training occurs on the job, after the E-2 or E-3 posts to his first duty station. In the Marine Corps, I entered as a "Cobol Programmer," and my fist duty billet was in networking (Banyan Vines, Ethernet and Token Ring environments).)

        Likewise, the cost of reconfiguring all of the systems they've already purchased is also free. They have a labor force that they are already paying (that they have to pay, twice monthly, regardless of what they are tasked with), so why not "upgrade" all of the mail systems. It will not affect their costs at all.

        This is a luxury that most of Microsoft's customers do not have, but is a very real, very possible option for the Armed Forces.

        • Sure they're paying for the training of everyone in the military already. But you seem to think that they have nothing better to do with that time than to train them.

          For every hour that an USAF fighter jock, mechanic, paper-pusher, or whatever is in training, that's one less hour they are available to do their real job. And yeah, some people may have enough slack time that this wouldn't be an issue, but I suspect that it's not true for the organization as a whole. You have to look at things like opportunity costs when you're talking about a change over to an entirely new system.

          Plus you're assuming that the trainers would be military also. I seriously doubt that. Which means you have to hire civilian consultants, which involves a rather long and expensive bureaucratic process just to get bids, not to mention the actual cost of paying them for services rendered.

          And, funny thing, this is exactly the same issues that corporations face. After all, they're already paying people for their time, regardless of what they're tasked with. And they're responsible (osteniably) for all job-related training. But the costs - in both time and money - are not insignificant for any company of any size.

          As to the original question - what else are they going to use? There's a great huge gaping whole when it comes to productivity software like Exchange/Outlook. Yes, there's Notes. Yes, there's Netscape/Solaris whatever-its-called-now. And maybe Novell still has a solution (I don't know personally). But none of them match the ease of use, "ease" of administration, and interoperability offered by Exchange/Outlook. They either don't work as well together across various pieces, they cost too much to maintain, or they don't integrate as well into the OS (gee, surprise... anyone? And no... I'm sure being a monopoly had NOTHING to do with that... riiight).

          Yes, the lies about the low cost of administration on Exchange are starting to be revealed now. But only after MS has beaten most of the competition into pulp. Within a release or two Exchange will be considerably better than what it is now. This is how MS operates.
          • by Pii (1955)
            For every hour that an USAF fighter jock, mechanic, paper-pusher, or whatever is in training, that's one less hour they are available to do their real job. And yeah, some people may have enough slack time that this wouldn't be an issue, but I suspect that it's not true for the organization as a whole. You have to look at things like opportunity costs when you're talking about a change over to an entirely new system.
            We are talking about changing the back end, not necessarily the client side. The only people that need retraining would be the IT folk, not every Pilot, Mechanic, or Clerk.
            Plus you're assuming that the trainers would be military also. I seriously doubt that.
            I have no first hand experience with the Air Force in this regard, but I do have first hand experience with the way the Marine Corps does this. Every single instructor at the Marine Corps' Computer Science School is a Marine. Every non-instructor position that made up the rest of the school was either a Marine, or a Purple person (Civilian employees of the Department of Defense). I would be surprised if the same did not hold true for the other branches of Service. (Not terribly surprised... The Marine Corps does a number of things differently than the other branches...)
            And, funny thing, this is exactly the same issues that corporations face. After all, they're already paying people for their time, regardless of what they're tasked with. And they're responsible (osteniably) for all job-related training. But the costs - in both time and money - are not insignificant for any company of any size.
            And this is what people seem to be misunderstanding about the Military... This is nowhere near the same issue that corporations face. Every decision a corporation makes reflects the bottom line, as corporations exist to turn a profit. The Military is not encumbered by this guiding principle. Sure, they have a budget to work within, but if their requirements change, or the need is great, they get additional funds, and they do what must be done to satisfy requirements that no corporation has to consider.

            The purpose of the military is to win wars, and when they make a decision, lives hang in the balance .

            Few corporations can make that boast, defense contractors being the most likely exceptions.

            If the solution carries a higher pricetag, but saves lives, and better enables the military to communicate effectively and securely, putting the ultimate goal (winning wars) within reach, the cost or effort does not matter. For them, bottom line is not the single most important factor in arriving at a solution, and the profit-motive is non-existant.

      • The costs of retraining and reconfiguring...

        That's not correct. The cost is the same if they brush their teeth or learn a new system. With the military, it's a fixed cost...for the most part...most military people just do busy work when not at war.
      • Retraining isnt an argument. People learn to navigate websites, people easily learn to use games, and those are the most UI-divergent 'applications' in existence today, far more different than Windows-vs-GNOME/KDE. Not to mention you have to 'retrain' all those people every time you upgrade MS software anyway.

        If they can handle all that, they can *easily* handle doing their basic job with Linux rather than Windows.

        People arent *quite* as stupid as some UI experts would have us believe (well, most people at least. The helpdesk hoggers are another matter, but they call even if their desktop looks the same as it did yesterday). Most people can easily move from one piece of software to another. They do it every day.
    • by alen (225700)
      It's easier to train users not to open up certain attachments. And with the right software you can block certain attachments all together. With it's faults I still think Exchange is the best corporate messaging/groupware solution. It's fully integrated and you don't have to worry about trying to make a bunch of different products work together to give you the same functionality as Exchange.

    • You don't simply up and abandon your entire email structure on a whim. First you threaten the manufacturer to improve or else, and that's what the AF has done.

      I work on an AF base, and in my building alone we have about a half-dozen Exchange servers. (One alone can't handle the load.) What do you recommend as the "quick solution" here? What suite of programs are we going to use on all the desktops now that Exchange is gone? Remember that it doesn't just do email; it does tasks and meetings and all that crap.

      What "quick solution" do you recommend for thousands of people at a time?

      • One possible quick solution would be an IMAP server(s) and the Bynari Insight Connector.

        I've tried it and it does what they say it does.

        Exchange does NOT do tasks and meetings. Outlook does. Two Outlook users on separate ISP pop accounts can schedule meetings and send tasks back and forth. The only thing Exchange adds to the mix is handling free/busy times and Outlook has the capability to publish these to something other than an Exchange server.

        Exchange is a proprietary IMAP server with window dressing, and marketed to make PHB's think they can't use Outlook's features without it. Obviously you bought into that.
      • What suite of programs are we going to use on all the desktops now that Exchange is gone? Remember that it doesn't just do email; it does tasks and meetings and all that crap.

        What "quick solution" do you recommend for thousands of people at a time?

        Lotus Domino. Preferably on an IBM iSeries. Consolidate your six Exchange crap-boxes into one Model 820 with six server LPARs. All of the calendaring and better searching than MSX, with NO viruses (as of yet). I can't believe that the military is so stupid as to think that MS is the only groupware supplier out there.

    • Why do they stick with MS if they have security issues?

      Who is going to get back the BSOD-submarines [microsoft.com] when the contract with MS is being terminated?
    • by flatrock (79357) on Tuesday March 12, 2002 @02:23PM (#3151161)
      Because security is only one of the issues they have to deal with.

      I worked as a contractor in computer support for the Air Force years ago. This was before they used Exchange. They were using DEC Teamlinks where I was at. Teamlinks wasn't very easy to use. The client interface was cludgey and didn't have all the nice integrated features you get with Outlook today. The server which was a DEC Alpha crashed a lot. I think the server was simply a very expensive lemmon. The DEC staff on site, as well as outside support people spent a lot of time replacing parts and tweaking software, but couldn't get it to remain stable.

      Exchange and Outlook were a much better choice even with the risk of a virus taking down the system because the system they had was taking itself down on a regular basis.

      Training is also a serious issue. There was a full time person who's job was to train users to use Teamlinks. One thing many people don't realize is that the majority of the people using this software on an Air Force base aren't military. They're civil servants and contractors. Military people follow orders pretty well, and contractors do as their told, or find themselves without a job. Civil servants are a different story. Contractors come and go, militry people get transferred after about 4 years or so, but the civil servants will still be there when the others are gone. If they aren't interested in learning something, they just make a few excuses and put it off until there's a new Deputy DIrector, or whoever's making the decisions. We had a chief scientist that refused to use the email or calandar software. He had his secretary print all his email and put it in his inbox. She would respond to his email as he directed her to, and handle all the scheduling in the calander software. She had been around for a very long time, and wasn't very computer friendly herself. Every time she got confused or made a mistake, it was the computer's fault, and whoever got the support call was in for a bad day. One contractor didn't seem to realize that she was always right and got himself banned from her office which led to his eventual dismissal. These people don't like to learn new things. If it isn't easy to learn, they pretty much have the ability to make everyone's life a living hell, and sooner or later the people making the decisions realize that any solution has to take that into account.

      While email is a security issue in that poor security can result in lost productivity, it shouldn't be an issue of national security. Confidential and secret information should never end up on the email system.

      In my experience with the AIr Force, the people making the decisions were not technically incompetent. They also requested and received input from many different highly skilled technical people, and they had a lot of experienced people with backgrounds in Unix, VMS, and NT to draw upon. They were trying to get a product that best met all their needs. Security was obviously a consideration in their decision, but it didn't outweigh their need for a usable system.

      The real issue is that the ease of use that they desire is somewhat in opposition to a high level of security. This means that an alternative to Exchange/Outlook may not provide them with greatly increased security. For them to change and eat the rather high costs or retraining their employees, there needs to be a product that does a considerably better better job of meeting their needs, with security only being part of those needs.
    • by elandal (9242) on Tuesday March 12, 2002 @02:26PM (#3151201) Homepage
      We run Exchange Server, and we get hit by an Exchange Server virii
      Quick solution: Don't use exchange server.

      A solution allowing internal use of Exchange is also possible.

      Don't expose Exchange servers to the internet. Have internet email come to a secure MTA (no, not sendmail, something more simple and more easily secured). The internet-MTA can then spool email for virusscanning and whatever other mangling needs to be done (remove every attachment with filename ending with .vbs (and a hundred others) and so on). After mangling, forward to internal Exchange servers.

      Easy, doesn't require powerful machines even for a large amount of email (OK, depends on the amount of mangling done), easily replicated to several sites, and likely to be near-zero administration.
  • Nice to see... (Score:4, Interesting)

    by Pii (1955) <jedi AT lightsaber DOT org> on Tuesday March 12, 2002 @12:20PM (#3150070) Journal
    You know, when a customer that has $6B dollars a year to spend on technology say jump, Microsoft had better damn well be asking "How High?"

    I'm kind of disappointed that the Air Force is using Exchange in the first place. I hope that when they realize that Microsoft is not ever going to be able to meet the somewhat unique requirements of the DoD (For them, lives do hang in the balance), that they are willing to take their business elsewhere.

    • You know, when a customer that has $6B dollars a year to spend on technology say jump, Microsoft had better damn well be asking "How High?"

      EXCEPT it appears that Microsoft have been giving the Air Force the run around for two years. If they can do that, what hope do morals have ?
    • I am afraid I agree. I would think that the DoD would want to use their own version of Linux or an OS totally their own. The military historically has made alot of their own stuff using their own programming languages. Why would this be different?

      I think that I can answer my question myself though. With spending cutbacks + computers in every military building, they need something that they can easily and cheaply contract new software for. Windows has VB, VC++ etc so that the same app can be more cheaply than for other OS's (well, whether that is true or not is not as important as the fact that the BELIEVE that it is true). Like many corporations nowdays, they just want to point to a problem, throw some money at someone and say 'fix it' without having worrying about it anymore. This would be as opposed to having teams of their own computer scientists writing programs for and supporting Linux/DoDix/whatever.

      I am thinking that their current use of windows is a transitional state, but a transition to what is the quesiton.

  • by Toshito (452851) on Tuesday March 12, 2002 @12:21PM (#3150073)
    The canadian air force is also putting a lot of pressure on punch card manufacturers to force them to close a lot a security holes in their software...
  • by jfonseca (203760)
    It doesn't matter who warns Microsoft and when. Security isn't something you suddenly do, it is built from architecture to deployment, and Microsoft is nowhere close to engineering any secure products.

    Windows is insecure in its conception, and unfortunately I see very little that can be done to reverse this.

    • You probably have a different sense of "security" than Microsoft does. The edict from billg was only the first step in Microsoft's embracing and extending the public's perception of computer security. It's not that MS will re-engineer their software to meet security standards derived from decades of experience, because Microsoft has never done anything like that. The closest example to this process would be the focus on Internet Explorer throughout the late '90s, where MS made strides in browser engine design, but at the expense of standards and other browser companies. Microsoft has never played nice in the sandbox (only "concessions", like today's MSKerberos story from the EU), they simply use advertising and PR to redefine "security" as "that which Microsoft provides".
      • Microsoft's sense of security is not only different from mine, it is different from reality. Like a PhD thesis, these types of things are only proven in practice, and practice shows, time and time again, that their approach to software construction is insecure.

        And still some admire them for releasing timely patches. Well if were Microsoft I'd thank the white hats for warning them of a security flaw weeks before the public.

        I agree with you. Their view of security is a marketed approach to security. Just read what Bruce Schneier has to say [counterpane.com] about Microsoft's "sense".

        Still on the practical side of things, not going into OS wars, just subscribe to bugtraq and do a little statistics on daily microsoft bugs and holes discovered. I find it amazing that anyone out there on mission critical environments, specifically official government and defense agencies, are still using this stuff.

        I apologize if I am offending some Microsoft fans out there but to me Microsoft security, reliability and credibility have ceased to exist long ago.
  • by ctp (29513) <.slashdot. .at. .ctpdesign.com.> on Tuesday March 12, 2002 @12:22PM (#3150082)
    The Air Force wants M$ to fix their swiss cheez security?

    When the Air Force says "Aim High", I didn't think they meant impossibly high.
  • by sharkey (16670) on Tuesday March 12, 2002 @12:25PM (#3150120)
    MS President Steve Ballmer has responded to statements made by Air Force CIO Gilligan today. Ballmer paid a visit to Gilligan, whacked him with his hat and stated, "You'll do as we say, Little Buddy!"
  • haha!!! (Score:2, Funny)

    by Anonymous Coward
    "Air Force official has warned Microsoft to dramatically improve the security of its software or risk losing the Air Force as a customer"
    Admiral C to Bill Gates.

    Bill,
    As part of our special deal, the Air Force has been actively using and promoting Microsoft products for the past few months. We've also suffered the greatest percentage of fatal losses to date. If this goes on, there won't be an air force to promote you.
    So, please, I'm begging you, tighten the security just a little or risk losing yet another customer.
  • Responsibility (Score:5, Insightful)

    by ksw2 (520093) <obeyeater@gmaiBLUEl.com minus berry> on Tuesday March 12, 2002 @12:30PM (#3150174) Homepage
    As much as I enjoy seeing Microsoft get negative publicity, maybe the Airforce should evaluate their own security practices... I mean, wasn't the Lovebug an email attachment virus? Couldn't a relevant security policy have changed this? I'm not fluent in Windows holes, but it seems to me if they have a huge problem with Outlook in particular, USAF could mandate Eudora as their official email client rather easily.

    I'm not trying to say M$ is inoccent, I just want to point out that no matter how secure the OS is, users need to be educated in computer security, or it's all going to go to shit anwyay. My $0.02 (cha-ching)


    • You forget that Outlook+Exchange is more than an email client. Yes, we could mandate Eudora (or whatever) as an email client. What then do we mandate for a meeting scheduler and a remote task assigner and all the other crap that Outlook+Exchange does?

      And then who are you going to get to train people in all these new programs?

    • As much as I enjoy seeing Microsoft get negative publicity, maybe the Airforce should evaluate their own security practices... I mean, wasn't the Lovebug an email attachment virus? Couldn't a relevant security policy have changed this?

      The Air Force shouldn't be using Outlook. How did the worst possible email client get deployed in the Air Force? It's a platform for launching viruses and worms. (You can also read your email with it.) Users should be able to click on an email attachment- hell, they should be able to view the email in a preview pane- without having to worry that it might propagate a worm. Period. Anyone who thinks otherwise shouldn't be let anywhere near a compiler.

      Using Outlook is inherently risky. Our company has standardized on it for some reason (it comes with Office is why, I guess) and our network admin is resisting whiny requests from management for an Exchange server. Just last week someone using Outlook clicked on an .scr attachment he got from a guy he exchanged business cards with at a conference. Well, as soon as he did that, the .scr went out to every single one of our customers. ("Hey, c'mere, what's an .scr file supposed to do?") Serves us right, I guess.

      If I were a four star general and that happened to me, I'd want to drop a daisy cutter on the Microsoft campus.
      • You can make it so Outlook won't run .scr files. I agree that this should be the default case, but this is something you can fix.

        Your company has probably standardized on Outlook because they need Calander and a Mail CLient, and Outlook is a powerful, integrated tool for these tasks, ..... and it comes with Office. Outlook is very insecure in it's default install, but if can be made much better with a little effort. You trade sume functionality for the increased security, but that's uaually a tradeoff you have to make for increased security.

        You definately don't like Outlook, but what do you reccomend? What do you think is a good replacement for the functionality that Outlook provides, including features such as calander software and such?
        • You definately don't like Outlook, but what do you reccomend? What do you think is a good replacement for the functionality that Outlook provides, including features such as calander software and such?

          Lotus Domino. Preferably on an IBM iSeries, but on a PC if you have to. All of the calendaring, none of the viruses...

    • Look, if I, a Junior sysadmin was able to protect my company from the ILOVU virus (we use Exchange and Outlook btw); I have to wonder how the government fails to protect itself. Maybe the sysadmins in there are ignorant or maybe they just don't have much time on there hands.
      • They like everyone else always have more to do than time to do it, but they deal with a tremendous amount of email volume from all over the world. This means that they often get these viruses before the security alerts go out, and don't get the advanced warning that many small companies get the benefit of.

    • If you are smart enough to setup email filers, etc, then you are smart enough not to use microsoft server products.


      After all MS does billet its warez as "easy to use", so it puts people in the mindset that they shouldnt have to do anything intelligent.


      (I worked at defense contractor where the Air Force's security demands amounted to: "all traffic must go through port 80, because that makes it secure")...

  • by gsfprez (27403) on Tuesday March 12, 2002 @12:34PM (#3150211)
    I totaly disbelieve this article.

    We are whole heartedly all out sold out to Microsoft.

    We (actually, the US military) have recently implimented a MS only messaging solution using Exchange and Outlook called DMS. The solution took well over 6 years to develop secure email (snicker), and still doesn't work right. Even though there is freeware that could have been implimented that we would be able to see the source code for - the PHB lemmings of the AF chose, instead, to go with a MS solution.

    We also recently moved to a multi-thousand GAL (global Address list) - the microsoft proprietary solution which has opened us up for years to things like Mellissa and I LOVE YOU and all of that other crap that used MS features to spread itself like wildfire.

    Every base has MS license agreemets for support - and by those agreements - like the rest of the world - are either going to continue paying $.50 a hit for our fix each year, or pay $100 each time we buy another computer.

    As a young Lt., I spent 6 months replaceing perfectly functional Solaris boxes that performed our web, smtp, DNS, SQL, and other basic network services with NT 4.0 boxes. A week after we recovered from Service Pack 2 - i strongly recommended that we slow our migration - and that it was costing us more time and money supporting Windows machines than the UNIX boxes which never needed any work or upkeep. Some had uptimes of 4 years until I pulled the plugs on them. (don't beat me - i was the lowest ranking puke in the house - and i did what i was told)

    After the first virus attack - I stood up in a meeting and demanded to know why the room wanted to spend all its time figureing out how to rip out the functionalities of the Windows boxes that made us vulnerable and didn't look at solutions which were inherently not vulnerable - and was flabbergasted. It was like I was in a room full of guys from Boston and had said that the Bruins sucked. They all became instant apologists for MS and their shit software... how it wasn't that hard to fix the problem and that we had virus software, yada yada yada..

    Meanwhile - my home Mac OS 8 server was chugging along just fine, even though I had gotten the viruses from lots of people at work. But it easily could have been a FreeBSD or Linux box too.

    This is a lot of huffing a puffing. Its a farce. It is because there is no one with the nads to make a descision against what everyone knows - that MS 0wn2 J00, stupid Air Force.
    • We (actually, the US military) have recently implimented a MS only messaging solution using Exchange and Outlook called DMS. The solution took well over 6 years to develop secure email (snicker), and still doesn't work right. Even though there is freeware that could have been implimented that we would be able to see the source code for - the PHB lemmings of the AF chose, instead, to go with a MS solution.

      And what public domain software is there out there that suports S/MIME security labels as mandated by the DoD?

      PGP is simply not up to the task of providing a military messaging system. In fact the principle insight that Phil Z. had was that PEM was being designed with the assumption that the rest of the world ran according to the strict hierarchical principles of the military.

      What the posters on this whole story don't understand is that they have a radically different approach to security than the Air Force. In the real world you increase security by removing features. In the military you increase security by adding security features.

      DMS was designed in the days before 'Commercial Off the Shelf' (COTS) became a US govt buzword. The military do genuinely have a number of requirements that are not shared by the general public, such as the ability to continue functioning after the loss of 80% or more of the infrastructure in a particular locality. But there is no reason why they need their own message formats and there is no reason why DMS can't use COTS to provide at least a core.

      • The military do genuinely have a number of requirements that are not shared by the general public, such as the ability to continue functioning after the loss of 80% or more of the infrastructure in a particular locality.

        I hope you were saying that as a joke. I am a systems maintainer in the USAF. Every day, I get a call about one or more "vital" telecom lines that have dropped.

        The customers that I service are given a single, anemic line running through an overtasked proxy server connected to an abominal firewall mapped with infuriating rules. I am not talking about a single base either either. It seems that most bases are this way. The backbones are generally good, if you happen to work at a base with a NIPRNET/SIPRNET gateway router. If you work at a smaller base, you will understand the constant plague of IDNX system reroutes and satalites that "just dissappear" for hours.

        And how do the customers react when they cannot access afpubs.af.mil? Do they use an alternate system? Is their 80% redundancy there? No, it isn't.

        The customer gets screwed and no one cares. NO ONE! Why? Because the motto of DISA is "Hey, what choice do you have?" Meanwhile, me and my co-workers dry out "wet cable", querry call paths, and wait for FedEx to bring in replacement line drivers.

        Sorry for the rant, I'm just wondering where the 80% redundancy is. I have been in for a while, and I have never seen it.


    • As a young Lt., I spent 6 months replaceing perfectly functional Solaris boxes that performed our web, smtp, DNS, SQL, and other basic network services with NT 4.0 boxes. A week after we recovered from Service Pack 2 - i strongly recommended that we slow our migration - and that it was costing us more time and money supporting Windows machines than the UNIX boxes which never needed any work or upkeep. Some had uptimes of 4 years until I pulled the plugs on them. (don't beat me - i was the lowest ranking puke in the house - and i did what i was told)

      Man.. that work must have sucked majorly... Sounds like the typical case of the suits believing glossy MS brochures instead of their own techs and other people with actual experience. Or in this case, s/suits/guys-with-more-funny-looking-shiny-metal-t hingies-on-their-collars-than-you/g :)
    • As an officer in the Air Force, perhaps you have some insight.

      Back in the 1980's, I was at the Supercomputer Computations Research Institute, a DOE-funded site. Although ours was the designated unclassified site, we dealt with a lot of groups (Oak Ridge, Lawrence Livermore, etc.) who weren't exactly unconcerned with security. The operating systems they used in house very very tight and had to pass fairly stringent security requirements just to be considered. This was one of the reasons that VMS was so popular; DEC had worked very hard on the security.

      If you had asked me then whether this would have happened, I would have laughed.

      I can see why the business and consumer cultures played the lemming. But the military has a reputation for getting thing that work, even if they cost, and dammit, Mil Spec used to mean something.

      So, what happened?

    • And on another subject, I'm right in the middle of getting Linux approved for use within the DoD and, by extension, the Air Force.

      No, I kid you not. Linux is getting the COE suite ported to it, elements of DISA are gung-ho about bringing it in, and some elements of AF/SC are doing their best to help. The specifics of who is doing what in what time frame are not things that can be discussed here.

      And how is this justified? What military program is forging the way for this OS (which is getting so big, commercially speaking, that every high tech company EXCEPT Microsoft and most of the gaming industry has a strategy on how to get in on the action) to be brought into the fold? Who had to put their [appropriate genitals] on the line in a military manner to get this going forward?

      The weather men.

      I kid you not. And you know what the biggest stumbling block is, besides office-internal politics? AF Communications. Capt. gsfprez (I'm guessing here) is right: Comm sold the Air Force infrastructure to Microsoft, and most of the old clever Sergeants and Airmen and young LTs who knew their UNIX during the dot-com times said, "Good-bye, sir! Patriotism and service warms the heart, but six figures will warm a whole house, and provide the house, too." So now the Comm field is whining "We can't have Linux! We don't have anyone who can administer it! We structured our entire training cycle around Windows! We're lucky to have two Unix-savvy people left in the whole squadron, and they're the overworked Master Sergeants." (Conjecture: I'm not in Comm. But I do get email from them.)

      Yep, Linux is coming the the DoD. The smug excuse of "Linux isn't an AF-approved operating system" will soon be susceptable to the rebutal of "Wanna bet?" Soon it will be time for stalwart young LTs and Captains to make Powerpoint presentations to the Majors and Lt Cols of the Comm squadron explaining why they should move vital network services to a Linux box. They're probably going to get slapped down; bureaucratic intertia is like that. But LTs and Captains become Majors and Lt Cols, some day.

      Oh, and by the way, the weather system that runs on Linux works so well that profanity is usually used as a magnifying adjective to words like "incredible" and "outstanding". [Any active duty guys who wants some details, email is welcome.]

      #include std.disclaimer: None of these statements are made on behalf of the AF. All opinions are my own. My perceptions may not take into account facts that have not been available to me. I may be wrong about any number of things. If you're going to get flustered by something you read on Slashdot, you seriously need to re-examine your priorities.
  • by rusty0101 (565565) on Tuesday March 12, 2002 @12:35PM (#3150225) Homepage Journal
    I was just thinking back on why this might be a problem for the military in general. Havng had some experience as an admin in the Army, amoungst some other experiences, I feel comfortable with the asertion that from the perspective of a software user, the millitary is no different than any major corporate entity. While they do have hardware and software than most corporations do not have, the same can be said for GM, Sabre, and Citicorp. Yet for most day to day operational stuff, admins, supply people, and more and more mechanics are using off the shelf software to support their job. Part of this is cost savings. Even at inflated dod prices, it costs them less to purchase Office than it does to write their own office suite. For situations that do not require hardened computers, it is cheaper to buy off the shelf than to custom order. That doesn't mean that these systems require any less security than corporate systems do, or even that they need more security, though that is arguable. However the implications of a hacked PC that manages where soldiers are going to be stationed, or what parts are in inventory, or what grade screw belongs on that part of the engine, are a bit different for computers in the military than they are for a corporate office. Likewise for whether that order makes it to the server in a timely manner. For a buisness, it means money. For the Military it also means money, but it can also mean lives, or battles. -Rusty
  • We'll never see (more) secure products until the manufacturers become legally liable for losses due to the software. There's simply no financial incentive to improve security, especially if you're the biggest player.

    My guess is, this letter was an attempt to secure a cheaper license from MS. They're not going to simply switch over to something else.
    • Liability is a bad idea. It is a right of free speech and free thinking for people to be able to create any type of software and distribute it so long as it isn't malicious. They shouldn't have to have a legal department.

      If you ask me, the airforce can't complain. Everyone smart enough to watch TV can tell you Microsoft does not make secure products.

      It's stupid to pretend to be shocked by this. If anyone should be have to pay for Microsoft's security problems it's the people who bought the software with known security problems... Oh wait, they already do.

      • So basically it is the user's fault they used the software simply because software is free speech? That is a silly argument.

        Under your argument the customer should have been liable for any problems caused from Y2K bugs. Instead what happened was laws were passed that created a financial incentive for IT pros to certify everything was y2K compliant.

        If you want to write software that absolves you of any kind of product liability then you should not be charging for it. You can then hide your product up in the free speech argument all you want. Name me any other industry where a manufacturer can pawn off ALL (not just gross negligence or imporoper use of the product) but ALL responsibilities for product defects onto the customer.
        • So basically it is the user's fault they used the software simply because software is free speech? That is a silly argument.

          Not really. He's saying that the consumer has a responsibility to make an informed purchase, and that creating liability and a pork barrel for lawyers is not a good solution. He's right.

          All of the information to warn a would-be purchaser that Microsoft Exchange Server is probably the worst possible choice one could make for a mail server if security is any concern whatsoever was widely and publicly available. Clearly the person or persons who made the decision to go with Microsoft, when demonstrably more secure (by orders of magnitude) options were available at little or no cost, either grossly neglected their duty and did no research, or were in a sweatheart agreement of some kind with Microsoft's salespeople, or Microsoft itself. That, or they opted for the product when it was still in the vaporware stage, which is even doubly incompetent.

          Either way, the person or persons who made this incompetent, and very possibly corrupt, decision should indeed be the ones to pay for it ... with their careers.
        • "If you want to write software that absolves you of any kind of product liability then you should not be charging for it."

          That's a good distinction to make because it allows free speech. It seems like a small thing, but all the software I use at home falls under this catagory.

          In some ways, it's reasonable for vendors to be held responsible for their products, but the idea is still problematic. Liability hurts small vendors more than large vendors. How do you measure the harm done? How do you assign blame to products that were developed by more than one company? Is every Linux company liable for a problem in the Linux kernel? What about software that costs money but is downloaded from another country? What about free products such as Internet Explorer or Outlook?

          Some of common security problems are really user interface problems. For example, most users misconfigure windows network neighborhood. Is Microsoft liable for that?

          In your first post you stated: "My guess is, this letter was an attempt to secure a cheaper license from MS. They're not going to simply switch over to something else."

          I agree with you, and I suspect no new laws are going to change this. There may be some consumers that may need protection from vendor laziness, but the airforce knew about the problems with Microsoft products and chose to use them anyways. I don't think they should be able to sue Microsoft for something they knew was going to be a problem all along.

    • "We now hold MS responsable for all mishaps that occur due to problems in their operating system. Every time something bad happens to a soldier on the field, the same thing will happen to a MS executive. Gates is going to love taking the punisment of the guy who just got captured and tortured..."

      I wonder if that would speed up their security fixes.
  • NSA Secure Linux (Score:4, Interesting)

    by PineHall (206441) on Tuesday March 12, 2002 @12:42PM (#3150286)
    Maybe the Air Force should look at NSA's secure Linux [nsa.gov]? It can install over Red Hat. (Is there a distribution out there that uses NSA's stuff?)
  • by gdyas (240438) on Tuesday March 12, 2002 @12:42PM (#3150287) Homepage

    Not about the Air Force or MS, but related.

    The Dep't of the Interior's networks & web sites are now just coming back up, after being shut down for over 2 months by court order due to an almost complete lack of security on the network that allowed virtually anyone with a port sniffer to get into the Indian Trust Database -- a terrible failure of their IT, and a wonderful example of how exposed & poorly run many government networks are. CNN has a short summary [cnn.com].

    The interesting story here is that my mom (a Nat'l Park Service employee) was recently given a service award for letting the accounting people go to her house & use her computer at home (which I set up, and is secure, running WinXP behind a Linksys BFSR41 routed switch w/ firewall) to install software to make payments to contractors, do office supply, etc.

    Interior deserved what they got & should have had their shit together, but the result was over 2 months of torture for almost every DoI employee. It's fearsome, though, that a firewalled home connection could be more secure than government and military networks. I dunno about the military, but Interior is apparently desperate for decent IT support.

    • and is secure, running WinXP

      Does this strike anyone else as oxymoronic? (Firewall or not.)
    • by Amazing Quantum Man (458715) on Tuesday March 12, 2002 @01:37PM (#3150799) Homepage
      Dude, remember that the DoD has a rather different idea of "Secure" than the average website (.com OR .gov).

      When they say "secure", they're talking Orange Book. They're talking about lives in the balance. "Secure" means, "If you fucked up, somebody died."
      • Yes, I'm aware of that. Just thought I'd throw out another problem in another part of the government to show that security issues tend to be systemic across the gov't.

        And with the DoI being in charge of federal agencies like the Natl Park Service, the Forest Service, Fish & Wildlands, federal payroll & accounting, farm issues, etc etc etc, it's silly to argue that the preservation of the integrity of our country's internal assets is more or less important than the military's responsibilities. Wildfires, hurricanes, crop failures - lives are in the balance in those situations too, no?

    • I dunno about the military, but Interior is apparently desperate for decent IT support.

      I don't know about the DoI, but if it's anything like applying for civilian IT positions in the military or the FBI, they're going to need a lot of luck in getting good IT people who aren't just Windows monkeys in there to make a buck.

      Before landing the commercial job I spent months trying to get into an FBI or civiliant military position, but the application process is incredibly depressing. Position opening descriptions are incredibly verbose, but contain absolutely no useful information. They all tend to just say things along the lines of "Will work with computer systems to support the required needs." Just take a look at the first Computer Specialist opening [fbijobs.com] I found at the FBI jobs site [fbijobs.com]. Armed Forces position openings the same. Furthermore, the application process itself tends to be burdensome and unclear, requiring lots of documentation up-front, often dead-tree-style; there is seemingly no process of escalating back-and-forth information exchange which the commercial world tends to prefer.

      They are definitely trying to improve the application process, but they definitely need to clear up the red tape.

      Personally I'd like to work for a social institution like the federal government, even though the pay scale is significantly lower. However, they really need to streamline their application process if they want good people.

  • by theinfobox (188897) on Tuesday March 12, 2002 @12:43PM (#3150291) Homepage Journal
    This "warning" to Microsoft makes me wonder if the Air Force will soon be recieving a letter from MS's Licensing Dept. about whether they have the "correct" number of Windows and Office licenses.

    And on a more serious note... A couple of posts have questioned why the AF uses MS products. When I was in the Air Force we were directed to convert our bases' Novell/cc:mail/Linux servers all over to MS products. The reason we were told was that they wanted a standard set of products used at all AF locations. This way, when you went from base to base, you would already be familiar with the software infrastructure. The reason MS was chosen was because it was easier to train people to learn the basics of Windows compared to the others. At the time, the Air Force was also learning that if they spent 4 years teaching someone to be a Linux/Solaris/etc guru, they would opt for a civilian job when their re-enlistment time came(i.e. they rather double or triple their salary and not have to worry about being sent to Bosnia).
  • From the article:
    Gilligan, former Energy Department CIO, has discussed security most often with executives at Microsoft. "They are the biggest supplier to the Air Force, and my attempt has been to encourage them to set an example," he says.

    I am guessing if M$ is a major supplier of software to the Air Force, it is probably the same for the other branches of service as well.

    Now I see why all of our helicopters and planes have been crashing without being shot down. Brings a whole new meaning to "Fatal Exception"

    --Jon
    • Except that the Army has switched to Macs because of security headaches.

      • Except that the Army has switched to Macs because of security headaches.

        Seriously? Where did you hear that? I find that interesting.

        I have never been much of a Mac fan and as user-friendly their OS was, before OS X it performed like a pig and lacked such common features as preemptive multitasking, etc.

        Good for Apple. It would be nice to see them gain some market share. Now only if their hardware was more affordable...

        --Jon
  • Security Upgrade (Score:2, Insightful)

    by suitti (447395)
    Upgrades are painful. When the vendor makes big changes, upgrading to another vendor reduces the differences in costs. If the Air Force wants better security, they'll need to upgrade. The cost of upgrading to, say, Linux, may be cheaper than the cost of upgrading to the next MS product. And, the security implications may be well understood by then.

    The costs that many are concerned with are new applications checkout and user education.

    When a local church was considering upgrading their Windows 3.1 system to 95, 98 or NT, I suggested that it would be just as easy to upgrade to a Mac. The secretary didn't know how to use anything other than WordPerfect, and the new Pastor already knew how to use a Mac. That left teaching the secretary how to boot and shut down the Mac - which you'd have to do with 95, 98 or NT. Naturally, the Air Force would have more work to do.

    When the DOJ case came out, at least one comment circulating was that the US should simply stop buying MS products - as that would cost MS more. As I understand it, this is the China solution.

  • /.
    Given the history of inept system administration in the US Armed Services, I have to laugh.
    If M$oft actually delivers a secure system, it will immediately be compromised by some knucklehead who wants to play Everquest without his superior officer finding out.
    --Charlie
  • by tb3 (313150) on Tuesday March 12, 2002 @12:48PM (#3150352) Homepage
    I think mainstream media may be finally catching on. This is the first article I've seen were they flat-out state that Love-Bug, Melissa, Sir-Cam, and Nimba are Windows/Outlook viruses, not email viruses or internet viruses.

    Accuracy is nice, maybe the general public will soon learn who is really at fault here.
  • by PHAEDRU5 (213667) <instascreed.gmail@com> on Tuesday March 12, 2002 @01:05PM (#3150518) Homepage
    When I was stationed at Langley I was part of a team that implemented the first version of what's now called CTAPS.

    One part of the project was to take an existing application, Combat Airspace Deconfliction System (CADS), written in Modula 3 on a PC and re-implement it in C/GKS on a MicroVAX III running Ultrix.

    A couple of months after the re-implementation, my team got a call from an Army guy looking to use CADS. We asked him if he wanted to buy a MicroVAX III and learn how to use UNIX. Answer: No. He got the TEMPEST Z-150/Modula 3 version, as did a lot of other people.

    The reason Microsoft has gotten around is that it offered a reasonably simple-to-use product on a reasonably cheap hardware platform. Things may have changed since then, but there is a reason Microsoft is everywhere, and it's not all to do with a lack of military intelligence.
  • Gates directed 7,000 programmers to spend February scouring the Windows operating system for openings hackers might exploit to steal data or shut down systems.

    Wow, 7000 programmers! I bet they figure out how to close the barn door.
  • consumer choice (Score:3, Insightful)

    by EricEldred (175470) on Tuesday March 12, 2002 @02:38PM (#3151306) Homepage
    "The military and the government don't really have too much choice at this point except to start to put pressure on Microsoft and others to improve software security," Erbschloe says.

    No, the consumer (the government here) can buy software that is certifiably secure and not pay for any that does not meet security requirements.

    The Air Force can buy Sun hardware and software, for example, instead of Microsoft. It can set requirements in contracts that are not slanted toward Microsoft but which demand software that the consumer can fix rather than waiting for a new version.

    Yes, if the government won't do this then it has to live with the consequences of caving in to the antitrust suit and plead with Microsoft to be nice to them.

The sooner all the animals are extinct, the sooner we'll find their money. - Ed Bluestone

Working...