Air Force Warns Microsoft/Others to Tighten Security 357
FattyBoeBatty wrote to us with a story
from USA Today about the the Air Force and security concerns. The Microsoft point is the primary point of the article, but the AF CIO has also made the point at industry forums, and evidently with Cisco. Specific companies aside, I think it's a good thing that organizations are beignning to realize the exposure they have on security issues - and maybe will actually start to take steps to close them.
Nice to see... (Score:4, Interesting)
I'm kind of disappointed that the Air Force is using Exchange in the first place. I hope that when they realize that Microsoft is not ever going to be able to meet the somewhat unique requirements of the DoD (For them, lives do hang in the balance), that they are willing to take their business elsewhere.
Re:Is this government's role? (Score:5, Interesting)
The Air Force is waving it's $6 Billion annual budget at Microsoft, and saying to them that if their shoddy, unsecure software does not dramatically improve, these dollars will be going to your competitors.
That's called "Economic Pressure," and in the free market, it's the single greatest motivator ever, and it always will be.
To put it in democratic terms, the Air Force has issued fair warning that it intends to "vote with it's feet."
Re:Is this government's role? (Score:5, Interesting)
This is complete garbage. The government is a customer and a member of the marketplace too. Just as IBM, or DELL, or some other company who does business with Microsoft could put "pressure" on them, so can government agencies, who are customers also. The government harrassment, and Air Force's "threatening posture" are no different than two businesses exchanging fire over their differences. THIS is how free enterprise works. You are free to make a crappy product, but the Air Force is free to complain about it, demand that you fix it, slam you publicly about it, and threaten to take action, including switching to another product. You're forgetting the consumer side of "free enterprise."
Besides, national security is a priority, and they have every right to demand security in the software that's trusted for that use. What happens when NASA buys a crappy booster rocket, and it falls apart? Are they not allowed to put political pressure on the company that produced it, because that would be a bother to free enterpise? Give me a break.
Re:Not a matter of warning (Score:2, Interesting)
NSA Secure Linux (Score:4, Interesting)
Dept of Interior's Network - An Interesting Story (Score:5, Interesting)
Not about the Air Force or MS, but related.
The Dep't of the Interior's networks & web sites are now just coming back up, after being shut down for over 2 months by court order due to an almost complete lack of security on the network that allowed virtually anyone with a port sniffer to get into the Indian Trust Database -- a terrible failure of their IT, and a wonderful example of how exposed & poorly run many government networks are. CNN has a short summary [cnn.com].
The interesting story here is that my mom (a Nat'l Park Service employee) was recently given a service award for letting the accounting people go to her house & use her computer at home (which I set up, and is secure, running WinXP behind a Linksys BFSR41 routed switch w/ firewall) to install software to make payments to contractors, do office supply, etc.
Interior deserved what they got & should have had their shit together, but the result was over 2 months of torture for almost every DoI employee. It's fearsome, though, that a firewalled home connection could be more secure than government and military networks. I dunno about the military, but Interior is apparently desperate for decent IT support.
Isn't the AF due a letter from the MS or BSA? (Score:5, Interesting)
And on a more serious note... A couple of posts have questioned why the AF uses MS products. When I was in the Air Force we were directed to convert our bases' Novell/cc:mail/Linux servers all over to MS products. The reason we were told was that they wanted a standard set of products used at all AF locations. This way, when you went from base to base, you would already be familiar with the software infrastructure. The reason MS was chosen was because it was easier to train people to learn the basics of Windows compared to the others. At the time, the Air Force was also learning that if they spent 4 years teaching someone to be a Linux/Solaris/etc guru, they would opt for a civilian job when their re-enlistment time came(i.e. they rather double or triple their salary and not have to worry about being sent to Bosnia).
Re:My Humble Opinion (Score:5, Interesting)
What really blows your theory apart is that in the past there have been smaller companies with worse records.
MS' problem is that they never seem to consider the security implications when they start tossing on new features. Then when something does break they pass the blame. Or cry about getting more attention for being the leader.
I find it rather sad that they clame to have a server that any monkey can set up and run but then when it breaks they blame the monkey.
The problem does *not* end with the discovered exploit either. Exploits happen and they need to deal with them properly.
This means:
Not treating exploits as a PR problem.
Not rolling bug fixes into feature upgrades.
Not having other software accidentally remove fixes.
Re:Not a matter of warning (Score:2, Interesting)
And still some admire them for releasing timely patches. Well if were Microsoft I'd thank the white hats for warning them of a security flaw weeks before the public.
I agree with you. Their view of security is a marketed approach to security. Just read what Bruce Schneier has to say [counterpane.com] about Microsoft's "sense".
Still on the practical side of things, not going into OS wars, just subscribe to bugtraq and do a little statistics on daily microsoft bugs and holes discovered. I find it amazing that anyone out there on mission critical environments, specifically official government and defense agencies, are still using this stuff.
I apologize if I am offending some Microsoft fans out there but to me Microsoft security, reliability and credibility have ceased to exist long ago.
Tale from the trenches... (Score:3, Interesting)
One part of the project was to take an existing application, Combat Airspace Deconfliction System (CADS), written in Modula 3 on a PC and re-implement it in C/GKS on a MicroVAX III running Ultrix.
A couple of months after the re-implementation, my team got a call from an Army guy looking to use CADS. We asked him if he wanted to buy a MicroVAX III and learn how to use UNIX. Answer: No. He got the TEMPEST Z-150/Modula 3 version, as did a lot of other people.
The reason Microsoft has gotten around is that it offered a reasonably simple-to-use product on a reasonably cheap hardware platform. Things may have changed since then, but there is a reason Microsoft is everywhere, and it's not all to do with a lack of military intelligence.
Air force warns MS (Score:1, Interesting)
Re:Try as they will.. (Score:2, Interesting)
Speaking from experience, the typical geek simply isn't cut out for the military life. And to make matters worse, advancing in the military means spending more time being a pointy-haired boss and less time being a geek. That's the way it is.
I'd love to see linux adopted by the AF, but 1) I've had the suggestion shot down too many times myself to expect it to actually happen and 2) they will have a tough time gathering the experience to do it.
Re:My Humble Opinion (Score:4, Interesting)
sPh
Re:Not a matter of warning: Really? (Score:3, Interesting)
Yeah, keep parroting this...then you should mention that at the same time the vulnerability was announced, a fix was available: download zlib-1.1.4. Sheesh. You NEVER get this responsiveness from M$. Also, the vulnerability wasn't a root exploit, you couldn't trash a system with it, couldn't use it to gain root.
Re:Dept of Interior's Network - An Interesting Sto (Score:5, Interesting)
When they say "secure", they're talking Orange Book. They're talking about lives in the balance. "Secure" means, "If you fucked up, somebody died."
Re:Being a Communications/Computer officer in the (Score:3, Interesting)
First of all, if you were a smart unix user, you would not be using Sendmail. You talk about 'understanding', but do not understand that you have a nice choice of alternatives that are much more proactively secure than Sendmail, such as Postfix or Qmail. Same goes for Bind (we have djbdns and such). What do you get from Microsoft? Their one product. Big choice there.
I do so fully well how and why things work. That's why I say to choose free unixes. They are not blackboxes. You can easily poke in, and figure out what's wrong. You can fix the problems yourself, even more proactively than your proprietary provider. All this and more you cannot do with proprietary, closed products.
Furthermore, you aren't being proactive by simply applying vendor-supplied patches when they say to; that's reactive. Being proactive means learning how your software security works, especially internally, and performing appropriate actions.