Air Force Warns Microsoft/Others to Tighten Security 357
FattyBoeBatty wrote to us with a story
from USA Today about the the Air Force and security concerns. The Microsoft point is the primary point of the article, but the AF CIO has also made the point at industry forums, and evidently with Cisco. Specific companies aside, I think it's a good thing that organizations are beignning to realize the exposure they have on security issues - and maybe will actually start to take steps to close them.
Then why do they stay? (Score:4, Insightful)
Why hasn't anyone asked this question?
We run Exchange Server, and we get hit by an Exchange Server virii
Quick solution: Don't use exchange server.
Why sit and wait for MS to comply?
It just seems odd to me.
Note: I'm not saying "Y d0nt j00 B 1337 4nd us3 L1NU><?" I'm just asking why stick with MS.
Re: It's not the server, it's the client. (Score:3, Insightful)
Re:Then why do they stay? (Score:3, Insightful)
The costs of retraining and reconfiguring all their hardware far outweighs the kick in the ass scare they can put into Bill to fix up what they're already using.
Just about everyone who has ever come into contact with a computer has experience with windows. From a user-interface point of view, its quick, clean, and easy.
From a security point of view, its a nightmare.
Unfortunately, the people who are deciding what to buy and what to install aren't the security-savvy techs.. they're the corporate middle management suits who see the flashy bells and whistles MS offers and bite so fast it'd make your head spin. MS had advertising, marketers, and a well-known product. Security wasn't as big a concern. All that adds up to a major problem today.
Not only that, but lets face it, back when the USAF were first installing and configuring these services, there weren't many viable options out there. Yes yes, i know
Responsibility (Score:5, Insightful)
I'm not trying to say M$ is inoccent, I just want to point out that no matter how secure the OS is, users need to be educated in computer security, or it's all going to go to shit anwyay. My $0.02 (cha-ching)
Re:Then why do they stay? (Score:3, Insightful)
Being a Communications/Computer officer in the AF (Score:5, Insightful)
We are whole heartedly all out sold out to Microsoft.
We (actually, the US military) have recently implimented a MS only messaging solution using Exchange and Outlook called DMS. The solution took well over 6 years to develop secure email (snicker), and still doesn't work right. Even though there is freeware that could have been implimented that we would be able to see the source code for - the PHB lemmings of the AF chose, instead, to go with a MS solution.
We also recently moved to a multi-thousand GAL (global Address list) - the microsoft proprietary solution which has opened us up for years to things like Mellissa and I LOVE YOU and all of that other crap that used MS features to spread itself like wildfire.
Every base has MS license agreemets for support - and by those agreements - like the rest of the world - are either going to continue paying $.50 a hit for our fix each year, or pay $100 each time we buy another computer.
As a young Lt., I spent 6 months replaceing perfectly functional Solaris boxes that performed our web, smtp, DNS, SQL, and other basic network services with NT 4.0 boxes. A week after we recovered from Service Pack 2 - i strongly recommended that we slow our migration - and that it was costing us more time and money supporting Windows machines than the UNIX boxes which never needed any work or upkeep. Some had uptimes of 4 years until I pulled the plugs on them. (don't beat me - i was the lowest ranking puke in the house - and i did what i was told)
After the first virus attack - I stood up in a meeting and demanded to know why the room wanted to spend all its time figureing out how to rip out the functionalities of the Windows boxes that made us vulnerable and didn't look at solutions which were inherently not vulnerable - and was flabbergasted. It was like I was in a room full of guys from Boston and had said that the Bruins sucked. They all became instant apologists for MS and their shit software... how it wasn't that hard to fix the problem and that we had virus software, yada yada yada..
Meanwhile - my home Mac OS 8 server was chugging along just fine, even though I had gotten the viruses from lots of people at work. But it easily could have been a FreeBSD or Linux box too.
This is a lot of huffing a puffing. Its a farce. It is because there is no one with the nads to make a descision against what everyone knows - that MS 0wn2 J00, stupid Air Force.
mistaken perceptions.... (Score:5, Insightful)
Security Upgrade (Score:2, Insightful)
The costs that many are concerned with are new applications checkout and user education.
When a local church was considering upgrading their Windows 3.1 system to 95, 98 or NT, I suggested that it would be just as easy to upgrade to a Mac. The secretary didn't know how to use anything other than WordPerfect, and the new Pastor already knew how to use a Mac. That left teaching the secretary how to boot and shut down the Mac - which you'd have to do with 95, 98 or NT. Naturally, the Air Force would have more work to do.
When the DOJ case came out, at least one comment circulating was that the US should simply stop buying MS products - as that would cost MS more. As I understand it, this is the China solution.
The Media is getting a clue (Score:3, Insightful)
Accuracy is nice, maybe the general public will soon learn who is really at fault here.
Re:Being a Communications/Computer officer in the (Score:3, Insightful)
Trying to lay the catch-up game with Microsoft products is not a positive thing to do; the positive thing to do would be to get non-Microsoft solutions so that these problems don't occur. Positive solutions fix the problem, not patch the symptoms. Incessant, needless patching and worrying is what builds up the negative energy.
Re:Then why do they stay? (Score:5, Insightful)
It does not cost the Air Force anything to retrain, nor to reconfigure.
The Air Force (and the military in general) is already paying for the training of every person that enters the service. It would be a trivial matter for them to re-tool the courses in their Computer Sciences School, so that the students learned some other product or technology. (Besides, it's not like they teach an "NT Systems Administrator" course... They teach basics, like "Computer Programming," or "Computer Operations." The real training occurs on the job, after the E-2 or E-3 posts to his first duty station. In the Marine Corps, I entered as a "Cobol Programmer," and my fist duty billet was in networking (Banyan Vines, Ethernet and Token Ring environments).)
Likewise, the cost of reconfiguring all of the systems they've already purchased is also free. They have a labor force that they are already paying (that they have to pay, twice monthly, regardless of what they are tasked with), so why not "upgrade" all of the mail systems. It will not affect their costs at all.
This is a luxury that most of Microsoft's customers do not have, but is a very real, very possible option for the Armed Forces.
Re:Being a Communications/Computer officer in the (Score:3, Insightful)
I hope you were saying that as a joke. I am a systems maintainer in the USAF. Every day, I get a call about one or more "vital" telecom lines that have dropped.
The customers that I service are given a single, anemic line running through an overtasked proxy server connected to an abominal firewall mapped with infuriating rules. I am not talking about a single base either either. It seems that most bases are this way. The backbones are generally good, if you happen to work at a base with a NIPRNET/SIPRNET gateway router. If you work at a smaller base, you will understand the constant plague of IDNX system reroutes and satalites that "just dissappear" for hours.
And how do the customers react when they cannot access afpubs.af.mil? Do they use an alternate system? Is their 80% redundancy there? No, it isn't.
The customer gets screwed and no one cares. NO ONE! Why? Because the motto of DISA is "Hey, what choice do you have?" Meanwhile, me and my co-workers dry out "wet cable", querry call paths, and wait for FedEx to bring in replacement line drivers.
Sorry for the rant, I'm just wondering where the 80% redundancy is. I have been in for a while, and I have never seen it.
Re:Responsibility (Score:3, Insightful)
The Air Force shouldn't be using Outlook. How did the worst possible email client get deployed in the Air Force? It's a platform for launching viruses and worms. (You can also read your email with it.) Users should be able to click on an email attachment- hell, they should be able to view the email in a preview pane- without having to worry that it might propagate a worm. Period. Anyone who thinks otherwise shouldn't be let anywhere near a compiler.
Using Outlook is inherently risky. Our company has standardized on it for some reason (it comes with Office is why, I guess) and our network admin is resisting whiny requests from management for an Exchange server. Just last week someone using Outlook clicked on an
If I were a four star general and that happened to me, I'd want to drop a daisy cutter on the Microsoft campus.
Re:Then why do they stay? (Score:3, Insightful)
For every hour that an USAF fighter jock, mechanic, paper-pusher, or whatever is in training, that's one less hour they are available to do their real job. And yeah, some people may have enough slack time that this wouldn't be an issue, but I suspect that it's not true for the organization as a whole. You have to look at things like opportunity costs when you're talking about a change over to an entirely new system.
Plus you're assuming that the trainers would be military also. I seriously doubt that. Which means you have to hire civilian consultants, which involves a rather long and expensive bureaucratic process just to get bids, not to mention the actual cost of paying them for services rendered.
And, funny thing, this is exactly the same issues that corporations face. After all, they're already paying people for their time, regardless of what they're tasked with. And they're responsible (osteniably) for all job-related training. But the costs - in both time and money - are not insignificant for any company of any size.
As to the original question - what else are they going to use? There's a great huge gaping whole when it comes to productivity software like Exchange/Outlook. Yes, there's Notes. Yes, there's Netscape/Solaris whatever-its-called-now. And maybe Novell still has a solution (I don't know personally). But none of them match the ease of use, "ease" of administration, and interoperability offered by Exchange/Outlook. They either don't work as well together across various pieces, they cost too much to maintain, or they don't integrate as well into the OS (gee, surprise... anyone? And no... I'm sure being a monopoly had NOTHING to do with that... riiight).
Yes, the lies about the low cost of administration on Exchange are starting to be revealed now. But only after MS has beaten most of the competition into pulp. Within a release or two Exchange will be considerably better than what it is now. This is how MS operates.
Re:Then why do they stay? (Score:4, Insightful)
A solution allowing internal use of Exchange is also possible.
Don't expose Exchange servers to the internet. Have internet email come to a secure MTA (no, not sendmail, something more simple and more easily secured). The internet-MTA can then spool email for virusscanning and whatever other mangling needs to be done (remove every attachment with filename ending with
Easy, doesn't require powerful machines even for a large amount of email (OK, depends on the amount of mangling done), easily replicated to several sites, and likely to be near-zero administration.
Re:No Security without Liability (Score:3, Insightful)
That's a good distinction to make because it allows free speech. It seems like a small thing, but all the software I use at home falls under this catagory.
In some ways, it's reasonable for vendors to be held responsible for their products, but the idea is still problematic. Liability hurts small vendors more than large vendors. How do you measure the harm done? How do you assign blame to products that were developed by more than one company? Is every Linux company liable for a problem in the Linux kernel? What about software that costs money but is downloaded from another country? What about free products such as Internet Explorer or Outlook?
Some of common security problems are really user interface problems. For example, most users misconfigure windows network neighborhood. Is Microsoft liable for that?
In your first post you stated: "My guess is, this letter was an attempt to secure a cheaper license from MS. They're not going to simply switch over to something else."
I agree with you, and I suspect no new laws are going to change this. There may be some consumers that may need protection from vendor laziness, but the airforce knew about the problems with Microsoft products and chose to use them anyways. I don't think they should be able to sue Microsoft for something they knew was going to be a problem all along.
consumer choice (Score:3, Insightful)
No, the consumer (the government here) can buy software that is certifiably secure and not pay for any that does not meet security requirements.
The Air Force can buy Sun hardware and software, for example, instead of Microsoft. It can set requirements in contracts that are not slanted toward Microsoft but which demand software that the consumer can fix rather than waiting for a new version.
Yes, if the government won't do this then it has to live with the consequences of caving in to the antitrust suit and plead with Microsoft to be nice to them.
Re:Responsibility (Score:2, Insightful)
Some Generals were probably conned by M$ sales reps like usually. Except when Generals give orders you have to obey.