Air Force Warns Microsoft/Others to Tighten Security 357
FattyBoeBatty wrote to us with a story
from USA Today about the the Air Force and security concerns. The Microsoft point is the primary point of the article, but the AF CIO has also made the point at industry forums, and evidently with Cisco. Specific companies aside, I think it's a good thing that organizations are beignning to realize the exposure they have on security issues - and maybe will actually start to take steps to close them.
real CIO (Score:2, Funny)
But (Score:2)
Re:My Humble Opinion (Score:5, Interesting)
What really blows your theory apart is that in the past there have been smaller companies with worse records.
MS' problem is that they never seem to consider the security implications when they start tossing on new features. Then when something does break they pass the blame. Or cry about getting more attention for being the leader.
I find it rather sad that they clame to have a server that any monkey can set up and run but then when it breaks they blame the monkey.
The problem does *not* end with the discovered exploit either. Exploits happen and they need to deal with them properly.
This means:
Not treating exploits as a PR problem.
Not rolling bug fixes into feature upgrades.
Not having other software accidentally remove fixes.
Re:My Humble Opinion (Score:2)
Re:My Humble Opinion (Score:4, Interesting)
sPh
Re:My Humble Opinion (Score:3, Informative)
sPh
Re:My Humble Opinion (Score:2)
As to Lanman 1.1: I have been working with NT 4.0 and now Windows 2000 since 1996. I find NT usable if not the best technology in the world. However, I have seen very little in Microsoft Networking that has changed since 3Com 3+Open / Lanman 1.0/1.1. In fact, my Netware-centric coworkers were amazed when I just jumped in and started configuring NT 4 literally without having seen it before my first logon. "How did I know all that stuff?" they wondered.
Active Directory is a bit of a different story, but not entirely if you have worked with NT domains, which are based on MS Networking, which is based on Lanman, which is based on PCLP...
sPh
Then why do they stay? (Score:4, Insightful)
Why hasn't anyone asked this question?
We run Exchange Server, and we get hit by an Exchange Server virii
Quick solution: Don't use exchange server.
Why sit and wait for MS to comply?
It just seems odd to me.
Note: I'm not saying "Y d0nt j00 B 1337 4nd us3 L1NU><?" I'm just asking why stick with MS.
Re: It's not the server, it's the client. (Score:3, Insightful)
Re: It's not the server, it's the client. (Score:2)
Re:Then why do they stay? (Score:3, Insightful)
The costs of retraining and reconfiguring all their hardware far outweighs the kick in the ass scare they can put into Bill to fix up what they're already using.
Just about everyone who has ever come into contact with a computer has experience with windows. From a user-interface point of view, its quick, clean, and easy.
From a security point of view, its a nightmare.
Unfortunately, the people who are deciding what to buy and what to install aren't the security-savvy techs.. they're the corporate middle management suits who see the flashy bells and whistles MS offers and bite so fast it'd make your head spin. MS had advertising, marketers, and a well-known product. Security wasn't as big a concern. All that adds up to a major problem today.
Not only that, but lets face it, back when the USAF were first installing and configuring these services, there weren't many viable options out there. Yes yes, i know
Re:Then why do they stay? (Score:2)
Re:Then why do they stay? (Score:5, Insightful)
It does not cost the Air Force anything to retrain, nor to reconfigure.
The Air Force (and the military in general) is already paying for the training of every person that enters the service. It would be a trivial matter for them to re-tool the courses in their Computer Sciences School, so that the students learned some other product or technology. (Besides, it's not like they teach an "NT Systems Administrator" course... They teach basics, like "Computer Programming," or "Computer Operations." The real training occurs on the job, after the E-2 or E-3 posts to his first duty station. In the Marine Corps, I entered as a "Cobol Programmer," and my fist duty billet was in networking (Banyan Vines, Ethernet and Token Ring environments).)
Likewise, the cost of reconfiguring all of the systems they've already purchased is also free. They have a labor force that they are already paying (that they have to pay, twice monthly, regardless of what they are tasked with), so why not "upgrade" all of the mail systems. It will not affect their costs at all.
This is a luxury that most of Microsoft's customers do not have, but is a very real, very possible option for the Armed Forces.
Re:Then why do they stay? (Score:3, Insightful)
For every hour that an USAF fighter jock, mechanic, paper-pusher, or whatever is in training, that's one less hour they are available to do their real job. And yeah, some people may have enough slack time that this wouldn't be an issue, but I suspect that it's not true for the organization as a whole. You have to look at things like opportunity costs when you're talking about a change over to an entirely new system.
Plus you're assuming that the trainers would be military also. I seriously doubt that. Which means you have to hire civilian consultants, which involves a rather long and expensive bureaucratic process just to get bids, not to mention the actual cost of paying them for services rendered.
And, funny thing, this is exactly the same issues that corporations face. After all, they're already paying people for their time, regardless of what they're tasked with. And they're responsible (osteniably) for all job-related training. But the costs - in both time and money - are not insignificant for any company of any size.
As to the original question - what else are they going to use? There's a great huge gaping whole when it comes to productivity software like Exchange/Outlook. Yes, there's Notes. Yes, there's Netscape/Solaris whatever-its-called-now. And maybe Novell still has a solution (I don't know personally). But none of them match the ease of use, "ease" of administration, and interoperability offered by Exchange/Outlook. They either don't work as well together across various pieces, they cost too much to maintain, or they don't integrate as well into the OS (gee, surprise... anyone? And no... I'm sure being a monopoly had NOTHING to do with that... riiight).
Yes, the lies about the low cost of administration on Exchange are starting to be revealed now. But only after MS has beaten most of the competition into pulp. Within a release or two Exchange will be considerably better than what it is now. This is how MS operates.
Re:Then why do they stay? (Score:3, Informative)
The purpose of the military is to win wars, and when they make a decision, lives hang in the balance .
Few corporations can make that boast, defense contractors being the most likely exceptions.
If the solution carries a higher pricetag, but saves lives, and better enables the military to communicate effectively and securely, putting the ultimate goal (winning wars) within reach, the cost or effort does not matter. For them, bottom line is not the single most important factor in arriving at a solution, and the profit-motive is non-existant.
Re:Then why do they stay? (Score:2)
That's not correct. The cost is the same if they brush their teeth or learn a new system. With the military, it's a fixed cost...for the most part...most military people just do busy work when not at war.
Re:Then why do they stay? (Score:2)
If they can handle all that, they can *easily* handle doing their basic job with Linux rather than Windows.
People arent *quite* as stupid as some UI experts would have us believe (well, most people at least. The helpdesk hoggers are another matter, but they call even if their desktop looks the same as it did yesterday). Most people can easily move from one piece of software to another. They do it every day.
Re:Then why do they stay? (Score:2)
Re:Then why do they stay? (Score:3, Insightful)
A few reasons (Score:2)
You don't simply up and abandon your entire email structure on a whim. First you threaten the manufacturer to improve or else, and that's what the AF has done.
I work on an AF base, and in my building alone we have about a half-dozen Exchange servers. (One alone can't handle the load.) What do you recommend as the "quick solution" here? What suite of programs are we going to use on all the desktops now that Exchange is gone? Remember that it doesn't just do email; it does tasks and meetings and all that crap.
What "quick solution" do you recommend for thousands of people at a time?
Re:A few reasons (Score:2)
I've tried it and it does what they say it does.
Exchange does NOT do tasks and meetings. Outlook does. Two Outlook users on separate ISP pop accounts can schedule meetings and send tasks back and forth. The only thing Exchange adds to the mix is handling free/busy times and Outlook has the capability to publish these to something other than an Exchange server.
Exchange is a proprietary IMAP server with window dressing, and marketed to make PHB's think they can't use Outlook's features without it. Obviously you bought into that.
Re:A few reasons (Score:2)
What "quick solution" do you recommend for thousands of people at a time?
Lotus Domino. Preferably on an IBM iSeries. Consolidate your six Exchange crap-boxes into one Model 820 with six server LPARs. All of the calendaring and better searching than MSX, with NO viruses (as of yet). I can't believe that the military is so stupid as to think that MS is the only groupware supplier out there.
Re:Then why do they stay? (Score:2)
Who is going to get back the BSOD-submarines [microsoft.com] when the contract with MS is being terminated?
Re:Then why do they stay? (Score:4, Informative)
I worked as a contractor in computer support for the Air Force years ago. This was before they used Exchange. They were using DEC Teamlinks where I was at. Teamlinks wasn't very easy to use. The client interface was cludgey and didn't have all the nice integrated features you get with Outlook today. The server which was a DEC Alpha crashed a lot. I think the server was simply a very expensive lemmon. The DEC staff on site, as well as outside support people spent a lot of time replacing parts and tweaking software, but couldn't get it to remain stable.
Exchange and Outlook were a much better choice even with the risk of a virus taking down the system because the system they had was taking itself down on a regular basis.
Training is also a serious issue. There was a full time person who's job was to train users to use Teamlinks. One thing many people don't realize is that the majority of the people using this software on an Air Force base aren't military. They're civil servants and contractors. Military people follow orders pretty well, and contractors do as their told, or find themselves without a job. Civil servants are a different story. Contractors come and go, militry people get transferred after about 4 years or so, but the civil servants will still be there when the others are gone. If they aren't interested in learning something, they just make a few excuses and put it off until there's a new Deputy DIrector, or whoever's making the decisions. We had a chief scientist that refused to use the email or calandar software. He had his secretary print all his email and put it in his inbox. She would respond to his email as he directed her to, and handle all the scheduling in the calander software. She had been around for a very long time, and wasn't very computer friendly herself. Every time she got confused or made a mistake, it was the computer's fault, and whoever got the support call was in for a bad day. One contractor didn't seem to realize that she was always right and got himself banned from her office which led to his eventual dismissal. These people don't like to learn new things. If it isn't easy to learn, they pretty much have the ability to make everyone's life a living hell, and sooner or later the people making the decisions realize that any solution has to take that into account.
While email is a security issue in that poor security can result in lost productivity, it shouldn't be an issue of national security. Confidential and secret information should never end up on the email system.
In my experience with the AIr Force, the people making the decisions were not technically incompetent. They also requested and received input from many different highly skilled technical people, and they had a lot of experienced people with backgrounds in Unix, VMS, and NT to draw upon. They were trying to get a product that best met all their needs. Security was obviously a consideration in their decision, but it didn't outweigh their need for a usable system.
The real issue is that the ease of use that they desire is somewhat in opposition to a high level of security. This means that an alternative to Exchange/Outlook may not provide them with greatly increased security. For them to change and eat the rather high costs or retraining their employees, there needs to be a product that does a considerably better better job of meeting their needs, with security only being part of those needs.
Re:Then why do they stay? (Score:4, Insightful)
A solution allowing internal use of Exchange is also possible.
Don't expose Exchange servers to the internet. Have internet email come to a secure MTA (no, not sendmail, something more simple and more easily secured). The internet-MTA can then spool email for virusscanning and whatever other mangling needs to be done (remove every attachment with filename ending with
Easy, doesn't require powerful machines even for a large amount of email (OK, depends on the amount of mangling done), easily replicated to several sites, and likely to be near-zero administration.
Nice to see... (Score:4, Interesting)
I'm kind of disappointed that the Air Force is using Exchange in the first place. I hope that when they realize that Microsoft is not ever going to be able to meet the somewhat unique requirements of the DoD (For them, lives do hang in the balance), that they are willing to take their business elsewhere.
Re:Nice to see... (Score:2)
EXCEPT it appears that Microsoft have been giving the Air Force the run around for two years. If they can do that, what hope do morals have ?
Re:Nice to see... (Score:2)
I think that I can answer my question myself though. With spending cutbacks + computers in every military building, they need something that they can easily and cheaply contract new software for. Windows has VB, VC++ etc so that the same app can be more cheaply than for other OS's (well, whether that is true or not is not as important as the fact that the BELIEVE that it is true). Like many corporations nowdays, they just want to point to a problem, throw some money at someone and say 'fix it' without having worrying about it anymore. This would be as opposed to having teams of their own computer scientists writing programs for and supporting Linux/DoDix/whatever.
I am thinking that their current use of windows is a transitional state, but a transition to what is the quesiton.
Re:Nice to see... (Score:2)
Great post though, really. Keep 'em coming.
canadian air force (Score:4, Funny)
Thousands of Holes In There Too! (Score:2)
Not a matter of warning (Score:2, Informative)
Windows is insecure in its conception, and unfortunately I see very little that can be done to reverse this.
Re:Not a matter of warning (Score:2, Interesting)
Re:Not a matter of warning (Score:2, Interesting)
And still some admire them for releasing timely patches. Well if were Microsoft I'd thank the white hats for warning them of a security flaw weeks before the public.
I agree with you. Their view of security is a marketed approach to security. Just read what Bruce Schneier has to say [counterpane.com] about Microsoft's "sense".
Still on the practical side of things, not going into OS wars, just subscribe to bugtraq and do a little statistics on daily microsoft bugs and holes discovered. I find it amazing that anyone out there on mission critical environments, specifically official government and defense agencies, are still using this stuff.
I apologize if I am offending some Microsoft fans out there but to me Microsoft security, reliability and credibility have ceased to exist long ago.
Re:Not a matter of warning: Really? (Score:3, Interesting)
Yeah, keep parroting this...then you should mention that at the same time the vulnerability was announced, a fix was available: download zlib-1.1.4. Sheesh. You NEVER get this responsiveness from M$. Also, the vulnerability wasn't a root exploit, you couldn't trash a system with it, couldn't use it to gain root.
Re:Not a matter of warning (Score:2)
You have adequately defined what the Internet was designed for, but you have mislabelled it.
The Internet was not designes to be secure. It was designed to be redundant, or fault tolerant, and the protocols it uses are designed to ensure standards based interoperability.
I whole-hearedly agree with your sentiments regarding Postel and company, though.
Too High? (troll) (Score:3, Funny)
When the Air Force says "Aim High", I didn't think they meant impossibly high.
Re:Too High? (troll) (Score:2)
Late Edition Follow-up (Score:5, Funny)
haha!!! (Score:2, Funny)
Admiral C to Bill Gates.
Bill,
As part of our special deal, the Air Force has been actively using and promoting Microsoft products for the past few months. We've also suffered the greatest percentage of fatal losses to date. If this goes on, there won't be an air force to promote you.
So, please, I'm begging you, tighten the security just a little or risk losing yet another customer.
Responsibility (Score:5, Insightful)
I'm not trying to say M$ is inoccent, I just want to point out that no matter how secure the OS is, users need to be educated in computer security, or it's all going to go to shit anwyay. My $0.02 (cha-ching)
Eudora wouldn't help (Score:2)
You forget that Outlook+Exchange is more than an email client. Yes, we could mandate Eudora (or whatever) as an email client. What then do we mandate for a meeting scheduler and a remote task assigner and all the other crap that Outlook+Exchange does?
And then who are you going to get to train people in all these new programs?
Re:Responsibility (Score:3, Insightful)
The Air Force shouldn't be using Outlook. How did the worst possible email client get deployed in the Air Force? It's a platform for launching viruses and worms. (You can also read your email with it.) Users should be able to click on an email attachment- hell, they should be able to view the email in a preview pane- without having to worry that it might propagate a worm. Period. Anyone who thinks otherwise shouldn't be let anywhere near a compiler.
Using Outlook is inherently risky. Our company has standardized on it for some reason (it comes with Office is why, I guess) and our network admin is resisting whiny requests from management for an Exchange server. Just last week someone using Outlook clicked on an
If I were a four star general and that happened to me, I'd want to drop a daisy cutter on the Microsoft campus.
Re:Responsibility (Score:2)
Your company has probably standardized on Outlook because they need Calander and a Mail CLient, and Outlook is a powerful, integrated tool for these tasks,
You definately don't like Outlook, but what do you reccomend? What do you think is a good replacement for the functionality that Outlook provides, including features such as calander software and such?
Re:Responsibility (Score:3, Informative)
Lotus Domino. Preferably on an IBM iSeries, but on a PC if you have to. All of the calendaring, none of the viruses...
Re:Responsibility (Score:2)
Re:Responsibility (Score:2)
Its a catch 22 (Score:2)
If you are smart enough to setup email filers, etc, then you are smart enough not to use microsoft server products.
After all MS does billet its warez as "easy to use", so it puts people in the mindset that they shouldnt have to do anything intelligent.
(I worked at defense contractor where the Air Force's security demands amounted to: "all traffic must go through port 80, because that makes it secure")...
Re:Responsibility (Score:2)
If thpse updates actually prevented the spread of viruses, there would only need to be one such update. But they keep having to come out with new ones, for some reason - oh yeah, because the previous ones didn't catch everything.
Being a Communications/Computer officer in the AF (Score:5, Insightful)
We are whole heartedly all out sold out to Microsoft.
We (actually, the US military) have recently implimented a MS only messaging solution using Exchange and Outlook called DMS. The solution took well over 6 years to develop secure email (snicker), and still doesn't work right. Even though there is freeware that could have been implimented that we would be able to see the source code for - the PHB lemmings of the AF chose, instead, to go with a MS solution.
We also recently moved to a multi-thousand GAL (global Address list) - the microsoft proprietary solution which has opened us up for years to things like Mellissa and I LOVE YOU and all of that other crap that used MS features to spread itself like wildfire.
Every base has MS license agreemets for support - and by those agreements - like the rest of the world - are either going to continue paying $.50 a hit for our fix each year, or pay $100 each time we buy another computer.
As a young Lt., I spent 6 months replaceing perfectly functional Solaris boxes that performed our web, smtp, DNS, SQL, and other basic network services with NT 4.0 boxes. A week after we recovered from Service Pack 2 - i strongly recommended that we slow our migration - and that it was costing us more time and money supporting Windows machines than the UNIX boxes which never needed any work or upkeep. Some had uptimes of 4 years until I pulled the plugs on them. (don't beat me - i was the lowest ranking puke in the house - and i did what i was told)
After the first virus attack - I stood up in a meeting and demanded to know why the room wanted to spend all its time figureing out how to rip out the functionalities of the Windows boxes that made us vulnerable and didn't look at solutions which were inherently not vulnerable - and was flabbergasted. It was like I was in a room full of guys from Boston and had said that the Bruins sucked. They all became instant apologists for MS and their shit software... how it wasn't that hard to fix the problem and that we had virus software, yada yada yada..
Meanwhile - my home Mac OS 8 server was chugging along just fine, even though I had gotten the viruses from lots of people at work. But it easily could have been a FreeBSD or Linux box too.
This is a lot of huffing a puffing. Its a farce. It is because there is no one with the nads to make a descision against what everyone knows - that MS 0wn2 J00, stupid Air Force.
Re:Being a Communications/Computer officer in the (Score:2)
And what public domain software is there out there that suports S/MIME security labels as mandated by the DoD?
PGP is simply not up to the task of providing a military messaging system. In fact the principle insight that Phil Z. had was that PEM was being designed with the assumption that the rest of the world ran according to the strict hierarchical principles of the military.
What the posters on this whole story don't understand is that they have a radically different approach to security than the Air Force. In the real world you increase security by removing features. In the military you increase security by adding security features.
DMS was designed in the days before 'Commercial Off the Shelf' (COTS) became a US govt buzword. The military do genuinely have a number of requirements that are not shared by the general public, such as the ability to continue functioning after the loss of 80% or more of the infrastructure in a particular locality. But there is no reason why they need their own message formats and there is no reason why DMS can't use COTS to provide at least a core.
Re:Being a Communications/Computer officer in the (Score:3, Insightful)
I hope you were saying that as a joke. I am a systems maintainer in the USAF. Every day, I get a call about one or more "vital" telecom lines that have dropped.
The customers that I service are given a single, anemic line running through an overtasked proxy server connected to an abominal firewall mapped with infuriating rules. I am not talking about a single base either either. It seems that most bases are this way. The backbones are generally good, if you happen to work at a base with a NIPRNET/SIPRNET gateway router. If you work at a smaller base, you will understand the constant plague of IDNX system reroutes and satalites that "just dissappear" for hours.
And how do the customers react when they cannot access afpubs.af.mil? Do they use an alternate system? Is their 80% redundancy there? No, it isn't.
The customer gets screwed and no one cares. NO ONE! Why? Because the motto of DISA is "Hey, what choice do you have?" Meanwhile, me and my co-workers dry out "wet cable", querry call paths, and wait for FedEx to bring in replacement line drivers.
Sorry for the rant, I'm just wondering where the 80% redundancy is. I have been in for a while, and I have never seen it.
Re:Being a Communications/Computer officer in the (Score:2)
Exchange is a 'non-proprietary core' (at least in the DMS usage). Exchange 5.5 is an X.400 MTA. The is nothing proprietary about X.400, it is just that Microsoft is the only vendor that still sells that junk.
Exchange 2000 removes the X.400 junk from the core. It is not an OSI MTA that also does Internet, it is an Internet MTA that also does OSI. Don't judge Exchange by the horrors of 5.5, those horrors are mostly intrinsic to the OSI junk it is based on (plus the MAPI horrors).
The problem with DMS is not that they chose prorpietary software, they simply chose the wrong open standard. Even today we have DMS folk comming to the IETF with drafts proposing some form of X.400 interop for S/MIME.
What it comes down to is that the military defined a mail system that was so complex that Microsoft was the only company arround with the resources to provide client support.
I think in hindsight, that would have been a very sensible decision, don't you?
It isn't a matter of hindsight, there are plenty of reasons why DMS and the Federal govt. PKI are problematic. Most of those were known at the start.
Re:Being a Communications/Computer officer in the (Score:2)
As a young Lt., I spent 6 months replaceing perfectly functional Solaris boxes that performed our web, smtp, DNS, SQL, and other basic network services with NT 4.0 boxes. A week after we recovered from Service Pack 2 - i strongly recommended that we slow our migration - and that it was costing us more time and money supporting Windows machines than the UNIX boxes which never needed any work or upkeep. Some had uptimes of 4 years until I pulled the plugs on them. (don't beat me - i was the lowest ranking puke in the house - and i did what i was told)
Man.. that work must have sucked majorly... Sounds like the typical case of the suits believing glossy MS brochures instead of their own techs and other people with actual experience. Or in this case, s/suits/guys-with-more-funny-looking-shiny-metal-
Why did this happen? (Score:2)
As an officer in the Air Force, perhaps you have some insight.
Back in the 1980's, I was at the Supercomputer Computations Research Institute, a DOE-funded site. Although ours was the designated unclassified site, we dealt with a lot of groups (Oak Ridge, Lawrence Livermore, etc.) who weren't exactly unconcerned with security. The operating systems they used in house very very tight and had to pass fairly stringent security requirements just to be considered. This was one of the reasons that VMS was so popular; DEC had worked very hard on the security.
If you had asked me then whether this would have happened, I would have laughed.
I can see why the business and consumer cultures played the lemming. But the military has a reputation for getting thing that work, even if they cost, and dammit, Mil Spec used to mean something.
So, what happened?
Re:Being a Communications/Computer officer in the (Score:2, Informative)
No, I kid you not. Linux is getting the COE suite ported to it, elements of DISA are gung-ho about bringing it in, and some elements of AF/SC are doing their best to help. The specifics of who is doing what in what time frame are not things that can be discussed here.
And how is this justified? What military program is forging the way for this OS (which is getting so big, commercially speaking, that every high tech company EXCEPT Microsoft and most of the gaming industry has a strategy on how to get in on the action) to be brought into the fold? Who had to put their [appropriate genitals] on the line in a military manner to get this going forward?
The weather men.
I kid you not. And you know what the biggest stumbling block is, besides office-internal politics? AF Communications. Capt. gsfprez (I'm guessing here) is right: Comm sold the Air Force infrastructure to Microsoft, and most of the old clever Sergeants and Airmen and young LTs who knew their UNIX during the dot-com times said, "Good-bye, sir! Patriotism and service warms the heart, but six figures will warm a whole house, and provide the house, too." So now the Comm field is whining "We can't have Linux! We don't have anyone who can administer it! We structured our entire training cycle around Windows! We're lucky to have two Unix-savvy people left in the whole squadron, and they're the overworked Master Sergeants." (Conjecture: I'm not in Comm. But I do get email from them.)
Yep, Linux is coming the the DoD. The smug excuse of "Linux isn't an AF-approved operating system" will soon be susceptable to the rebutal of "Wanna bet?" Soon it will be time for stalwart young LTs and Captains to make Powerpoint presentations to the Majors and Lt Cols of the Comm squadron explaining why they should move vital network services to a Linux box. They're probably going to get slapped down; bureaucratic intertia is like that. But LTs and Captains become Majors and Lt Cols, some day.
Oh, and by the way, the weather system that runs on Linux works so well that profanity is usually used as a magnifying adjective to words like "incredible" and "outstanding". [Any active duty guys who wants some details, email is welcome.]
#include std.disclaimer: None of these statements are made on behalf of the AF. All opinions are my own. My perceptions may not take into account facts that have not been available to me. I may be wrong about any number of things. If you're going to get flustered by something you read on Slashdot, you seriously need to re-examine your priorities.
Re:Being a Communications/Computer officer in the (Score:3, Insightful)
Trying to lay the catch-up game with Microsoft products is not a positive thing to do; the positive thing to do would be to get non-Microsoft solutions so that these problems don't occur. Positive solutions fix the problem, not patch the symptoms. Incessant, needless patching and worrying is what builds up the negative energy.
Re:Being a Communications/Computer officer in the (Score:3, Interesting)
First of all, if you were a smart unix user, you would not be using Sendmail. You talk about 'understanding', but do not understand that you have a nice choice of alternatives that are much more proactively secure than Sendmail, such as Postfix or Qmail. Same goes for Bind (we have djbdns and such). What do you get from Microsoft? Their one product. Big choice there.
I do so fully well how and why things work. That's why I say to choose free unixes. They are not blackboxes. You can easily poke in, and figure out what's wrong. You can fix the problems yourself, even more proactively than your proprietary provider. All this and more you cannot do with proprietary, closed products.
Furthermore, you aren't being proactive by simply applying vendor-supplied patches when they say to; that's reactive. Being proactive means learning how your software security works, especially internally, and performing appropriate actions.
Re:Being a Communications/Computer officer in the (Score:2)
Let's say that you get hit with ILOVEYOU and start to filter out attachments. Good job.
Now you get hit with Code Red. You decide to check daily for security fixes at Windows Update. Good job there, too.
Next, you get hit with a nasty virus because one of your employees couldn't live without his favorite screensaver. You install up-to-date virus definitions on all your PCs and check daily for new virus definitions. Also, you lock down all your PCs, so that nobody can install/remove programs without MIS approval. The employees grumble and complain, but it's obviously necessary.
And after that, a disgruntled employee (perhaps the same one that caused the virus outbreak) decides to sabotage a few of the servers after he gets fired. You disable all remote manageability and literally lock the servers away in a secure room. MIS begins to grumble and complain now, too, but it's necessary...
At what point do you finally switch over to something different? When no work can be done, because you're trying to patch the millions of holes Microsoft themself refuses to patch?
UNIX has a whole slew of problems, too, but at least it isn't designed to be insecure.
Re:Being a Communications/Computer officer in the (Score:2)
"UNIX boxes that don't need upgrading or maintenance..."
Frankly, I'm fighting this same battle at my company. We've got a multiplatform network, and while the UNIX boxes require LESS maintenance, they'll still go to hell in a handbasket if someone doesn't feed/care for them every so often.
Admittedly, the down side of UNIX isn't as brutal as that of NT (the server stays up), but people seem to miss the fact that the no maintenance *nix box is just as absurd a notion as the no maintenance NT box.
The competition here isn't NT/*nix, but securing boxes, and the skript kiddiez using the cracks probably don't care WHAT they're breaking into, just THAT they're breaking into something.
Timediff between exploit and patch (Score:2)
With the "we don't tell you 'till we got a patch" information policy, you can be exposed for months without knowing it. With the "we tell you, and then we release the patch" information policy, you can react according to your relevant security policy.
Microsoft has a long history of the former. Linux is generally rather quick on releasing comments and patches, and I believe almost all the major Linux distributions have automated security patch services now. I know Mandrake, Debian and Red Hat do.
Until recently, windows update was used for pushing new versions of software. They rarely released security fixes, and then usually clogged together. If you wanted to stay secure in windows-land, you needed to look around for the patches. They appear to be using windows update for pushing security now, but remember that one of the worms of fall 2001 infected a windows update server. Do you trust these guys? Really?
Oh - btw - the fact that they let a mac/solaris guy administer NT boxes could be yet another sign of brassy incompetence. And judgement is always biased. That is what judgement is. If it is purely bases upon facts and clear rules, it is not "judgement" but a fact.
Re:Timediff between exploit and patch (Score:2)
But isn't that exactly what they did with wu-ftpd?
"Do you trust these guys? Really?"
I've been Virus free since 1995, so yeah I trust them.
mistaken perceptions.... (Score:5, Insightful)
No Security without Liability (Score:2)
My guess is, this letter was an attempt to secure a cheaper license from MS. They're not going to simply switch over to something else.
Re:No Security without Liability (Score:2)
If you ask me, the airforce can't complain. Everyone smart enough to watch TV can tell you Microsoft does not make secure products.
It's stupid to pretend to be shocked by this. If anyone should be have to pay for Microsoft's security problems it's the people who bought the software with known security problems... Oh wait, they already do.
Re:No Security without Liability (Score:2)
Under your argument the customer should have been liable for any problems caused from Y2K bugs. Instead what happened was laws were passed that created a financial incentive for IT pros to certify everything was y2K compliant.
If you want to write software that absolves you of any kind of product liability then you should not be charging for it. You can then hide your product up in the free speech argument all you want. Name me any other industry where a manufacturer can pawn off ALL (not just gross negligence or imporoper use of the product) but ALL responsibilities for product defects onto the customer.
Your Proposed Cure is Worse Than the Disease (Score:2)
Not really. He's saying that the consumer has a responsibility to make an informed purchase, and that creating liability and a pork barrel for lawyers is not a good solution. He's right.
All of the information to warn a would-be purchaser that Microsoft Exchange Server is probably the worst possible choice one could make for a mail server if security is any concern whatsoever was widely and publicly available. Clearly the person or persons who made the decision to go with Microsoft, when demonstrably more secure (by orders of magnitude) options were available at little or no cost, either grossly neglected their duty and did no research, or were in a sweatheart agreement of some kind with Microsoft's salespeople, or Microsoft itself. That, or they opted for the product when it was still in the vaporware stage, which is even doubly incompetent.
Either way, the person or persons who made this incompetent, and very possibly corrupt, decision should indeed be the ones to pay for it
Re:No Security without Liability (Score:3, Insightful)
That's a good distinction to make because it allows free speech. It seems like a small thing, but all the software I use at home falls under this catagory.
In some ways, it's reasonable for vendors to be held responsible for their products, but the idea is still problematic. Liability hurts small vendors more than large vendors. How do you measure the harm done? How do you assign blame to products that were developed by more than one company? Is every Linux company liable for a problem in the Linux kernel? What about software that costs money but is downloaded from another country? What about free products such as Internet Explorer or Outlook?
Some of common security problems are really user interface problems. For example, most users misconfigure windows network neighborhood. Is Microsoft liable for that?
In your first post you stated: "My guess is, this letter was an attempt to secure a cheaper license from MS. They're not going to simply switch over to something else."
I agree with you, and I suspect no new laws are going to change this. There may be some consumers that may need protection from vendor laziness, but the airforce knew about the problems with Microsoft products and chose to use them anyways. I don't think they should be able to sue Microsoft for something they knew was going to be a problem all along.
that's a good one (Score:2)
I wonder if that would speed up their security fixes.
NSA Secure Linux (Score:4, Interesting)
Dept of Interior's Network - An Interesting Story (Score:5, Interesting)
Not about the Air Force or MS, but related.
The Dep't of the Interior's networks & web sites are now just coming back up, after being shut down for over 2 months by court order due to an almost complete lack of security on the network that allowed virtually anyone with a port sniffer to get into the Indian Trust Database -- a terrible failure of their IT, and a wonderful example of how exposed & poorly run many government networks are. CNN has a short summary [cnn.com].
The interesting story here is that my mom (a Nat'l Park Service employee) was recently given a service award for letting the accounting people go to her house & use her computer at home (which I set up, and is secure, running WinXP behind a Linksys BFSR41 routed switch w/ firewall) to install software to make payments to contractors, do office supply, etc.
Interior deserved what they got & should have had their shit together, but the result was over 2 months of torture for almost every DoI employee. It's fearsome, though, that a firewalled home connection could be more secure than government and military networks. I dunno about the military, but Interior is apparently desperate for decent IT support.
Re:Dept of Interior's Network - An Interesting Sto (Score:2)
Does this strike anyone else as oxymoronic? (Firewall or not.)
Re:Dept of Interior's Network - An Interesting Sto (Score:2)
Um, that would be the point in having all those open sockets behind a firewall.
Re:Dept of Interior's Network - An Interesting Sto (Score:5, Interesting)
When they say "secure", they're talking Orange Book. They're talking about lives in the balance. "Secure" means, "If you fucked up, somebody died."
Re:Dept of Interior's Network - An Interesting Sto (Score:2)
Yes, I'm aware of that. Just thought I'd throw out another problem in another part of the government to show that security issues tend to be systemic across the gov't.
And with the DoI being in charge of federal agencies like the Natl Park Service, the Forest Service, Fish & Wildlands, federal payroll & accounting, farm issues, etc etc etc, it's silly to argue that the preservation of the integrity of our country's internal assets is more or less important than the military's responsibilities. Wildfires, hurricanes, crop failures - lives are in the balance in those situations too, no?
Re:Dept of Interior's Network - An Interesting Sto (Score:2)
I don't know about the DoI, but if it's anything like applying for civilian IT positions in the military or the FBI, they're going to need a lot of luck in getting good IT people who aren't just Windows monkeys in there to make a buck.
Before landing the commercial job I spent months trying to get into an FBI or civiliant military position, but the application process is incredibly depressing. Position opening descriptions are incredibly verbose, but contain absolutely no useful information. They all tend to just say things along the lines of "Will work with computer systems to support the required needs." Just take a look at the first Computer Specialist opening [fbijobs.com] I found at the FBI jobs site [fbijobs.com]. Armed Forces position openings the same. Furthermore, the application process itself tends to be burdensome and unclear, requiring lots of documentation up-front, often dead-tree-style; there is seemingly no process of escalating back-and-forth information exchange which the commercial world tends to prefer.
They are definitely trying to improve the application process, but they definitely need to clear up the red tape.
Personally I'd like to work for a social institution like the federal government, even though the pay scale is significantly lower. However, they really need to streamline their application process if they want good people.
Isn't the AF due a letter from the MS or BSA? (Score:5, Interesting)
And on a more serious note... A couple of posts have questioned why the AF uses MS products. When I was in the Air Force we were directed to convert our bases' Novell/cc:mail/Linux servers all over to MS products. The reason we were told was that they wanted a standard set of products used at all AF locations. This way, when you went from base to base, you would already be familiar with the software infrastructure. The reason MS was chosen was because it was easier to train people to learn the basics of Windows compared to the others. At the time, the Air Force was also learning that if they spent 4 years teaching someone to be a Linux/Solaris/etc guru, they would opt for a civilian job when their re-enlistment time came(i.e. they rather double or triple their salary and not have to worry about being sent to Bosnia).
This makes sense now... (Score:2)
Gilligan, former Energy Department CIO, has discussed security most often with executives at Microsoft. "They are the biggest supplier to the Air Force, and my attempt has been to encourage them to set an example," he says.
I am guessing if M$ is a major supplier of software to the Air Force, it is probably the same for the other branches of service as well.
Now I see why all of our helicopters and planes have been crashing without being shot down. Brings a whole new meaning to "Fatal Exception"
--Jon
Re:This makes sense now... (Score:2)
Except that the Army has switched to Macs because of security headaches.
Re:This makes sense now... (Score:2)
Seriously? Where did you hear that? I find that interesting.
I have never been much of a Mac fan and as user-friendly their OS was, before OS X it performed like a pig and lacked such common features as preemptive multitasking, etc.
Good for Apple. It would be nice to see them gain some market share. Now only if their hardware was more affordable...
--Jon
Security Upgrade (Score:2, Insightful)
The costs that many are concerned with are new applications checkout and user education.
When a local church was considering upgrading their Windows 3.1 system to 95, 98 or NT, I suggested that it would be just as easy to upgrade to a Mac. The secretary didn't know how to use anything other than WordPerfect, and the new Pastor already knew how to use a Mac. That left teaching the secretary how to boot and shut down the Mac - which you'd have to do with 95, 98 or NT. Naturally, the Air Force would have more work to do.
When the DOJ case came out, at least one comment circulating was that the US should simply stop buying MS products - as that would cost MS more. As I understand it, this is the China solution.
Pot Calls Kettle Black - news at 11:00! (Score:2)
Given the history of inept system administration in the US Armed Services, I have to laugh.
If M$oft actually delivers a secure system, it will immediately be compromised by some knucklehead who wants to play Everquest without his superior officer finding out.
--Charlie
The Media is getting a clue (Score:3, Insightful)
Accuracy is nice, maybe the general public will soon learn who is really at fault here.
Tale from the trenches... (Score:3, Interesting)
One part of the project was to take an existing application, Combat Airspace Deconfliction System (CADS), written in Modula 3 on a PC and re-implement it in C/GKS on a MicroVAX III running Ultrix.
A couple of months after the re-implementation, my team got a call from an Army guy looking to use CADS. We asked him if he wanted to buy a MicroVAX III and learn how to use UNIX. Answer: No. He got the TEMPEST Z-150/Modula 3 version, as did a lot of other people.
The reason Microsoft has gotten around is that it offered a reasonably simple-to-use product on a reasonably cheap hardware platform. Things may have changed since then, but there is a reason Microsoft is everywhere, and it's not all to do with a lack of military intelligence.
7000 programmers (Score:2, Funny)
Wow, 7000 programmers! I bet they figure out how to close the barn door.
consumer choice (Score:3, Insightful)
No, the consumer (the government here) can buy software that is certifiably secure and not pay for any that does not meet security requirements.
The Air Force can buy Sun hardware and software, for example, instead of Microsoft. It can set requirements in contracts that are not slanted toward Microsoft but which demand software that the consumer can fix rather than waiting for a new version.
Yes, if the government won't do this then it has to live with the consequences of caving in to the antitrust suit and plead with Microsoft to be nice to them.
Re:Try as they will.. (Score:2, Funny)
Sure -- the military has weapons that go *boom*, as opposed the government as a whole, which has a Justice Department that just goes bust.
Absolutely (Score:2)
Since 9/11 and the new attention paid to security, more people are willing to make good on their threat to take their business elsewhere if the security of a product is poor. The excuse of comfort with Win products will no longer be an excuse to let Bill off the hook.
M$ being a marketing firm will respond to market pressures way before they'd give up in court.
Re:Try as they will.. (Score:2, Interesting)
Speaking from experience, the typical geek simply isn't cut out for the military life. And to make matters worse, advancing in the military means spending more time being a pointy-haired boss and less time being a geek. That's the way it is.
I'd love to see linux adopted by the AF, but 1) I've had the suggestion shot down too many times myself to expect it to actually happen and 2) they will have a tough time gathering the experience to do it.
Re:Is this government's role? (Score:5, Interesting)
The Air Force is waving it's $6 Billion annual budget at Microsoft, and saying to them that if their shoddy, unsecure software does not dramatically improve, these dollars will be going to your competitors.
That's called "Economic Pressure," and in the free market, it's the single greatest motivator ever, and it always will be.
To put it in democratic terms, the Air Force has issued fair warning that it intends to "vote with it's feet."
Re:Is this government's role? (Score:2)
I think you misspelled "government bending over for the vendor".
Re:Is this government's role? (Score:5, Interesting)
This is complete garbage. The government is a customer and a member of the marketplace too. Just as IBM, or DELL, or some other company who does business with Microsoft could put "pressure" on them, so can government agencies, who are customers also. The government harrassment, and Air Force's "threatening posture" are no different than two businesses exchanging fire over their differences. THIS is how free enterprise works. You are free to make a crappy product, but the Air Force is free to complain about it, demand that you fix it, slam you publicly about it, and threaten to take action, including switching to another product. You're forgetting the consumer side of "free enterprise."
Besides, national security is a priority, and they have every right to demand security in the software that's trusted for that use. What happens when NASA buys a crappy booster rocket, and it falls apart? Are they not allowed to put political pressure on the company that produced it, because that would be a bother to free enterpise? Give me a break.
Re:Is this government's role? (Score:2)
Huh? The MILITARY has national security interests in this. Of COURSE they have say. They are NOT threatening to attack Redmond with B-52s if security issues aren't better dealt with, they are implying that M$ may lose a major customer if they don't clean up their crap. That is absolutely valid and correct.
Feel free to remove your aluminum foil hat and catch some sunshine.
Re:It's their own fault (Score:2)
Not necessarily (Score:2)
Re:A good bluff? (Score:2)
It doesn't cost the Air Force anything to switch to Linux. It will simply alter the cirriculum of it's Computer Science School, and those fresh-faced E-2 and E-3s will become proficient in something other than NT and Exchange.
They already have the hardware, and the alternative software is free of charge. When you don't have to worry about the costs associated with training, or labor (both of which are already part of the budget), where is the risk?
Re:A step in the right direction... (Score:2)
It might make a dent in M$ is the Air Force follows the Army's lead and switches to Apple. Pretty damn secure is Apple, love Macs or hate 'em.
I have wondered (Score:2)
Well, I dont see current day terrorists (cyber or otherwise) achieving a vast, multi-system simultaneous attack. However, I CAN imagine a small country being able to pull something like that. A gov can afford tons of computer and computer scientists. When you get a couple thousand evil nerds >:) working together, each armed with new, broadband enabled computers problems just melt away...
Re:I have wondered (Score:2)
Fortunately, the failure for competitive vendors to band together to make their systems interoperate has worked to our advantage on this one. The systems you mention are on so many disparate platforms, OSes, programming languages, etc, that it takes an "army" of programmers just to maintain them. That army?: the IT workforce. Whatever country that wants to attack these systems would make quite a splash hiring the 100,000 or so programmers that built these systems.
Plus, each system is likely only statewide.
Re:I Love (Bug) the Air Force! (Score:2)
Uh, the Marines? No offense intended to any leathernecks out there. But when I dealt with the Army and the USMC, the Marines were the jarheads.