CCIA Urges Dept. of Homeland Security to Avoid Microsoft 413

An anonymous reader writes "The Inquirer has posted an article reporting that the Computer and Communications Industry Association (CCIA) has urged the US Department of Homeland Security, in an open letter to Tom Ridge, secretary of the department, to avoid using Microsoft software because Microsoft's software is 'riddled with obvious and easily exploited vulnerabilities.'"
  • by Anonymous Coward on Saturday August 30, 2003 @09:37AM (#6832723)
    The Department of Homeland Security continues to use Microsoft products despite massive flaws, just like everyone else for whom familiarity is more important than actual security.
    • There is nothing massively flawed about a buttload of MSFT shares in your portfolio.
      Money. It boils down to money.
    • by Angry White Guy ( 521337 ) <CaptainBurly[AT]goodbadmovies.com> on Saturday August 30, 2003 @09:40AM (#6832738)
      Government spending is just another way to dump money into the local economy, while rewarding campaign contributions.

      Man if it wasn't for timestamps, I'd swear we were in 15th century Britain. Hello Fiefdom!
    • by argoff ( 142580 ) on Saturday August 30, 2003 @01:48PM (#6834159)
      The real threat is that when you have a closed system, you have a central point of failure (Microsoft) and you don't have the flexibility to change and modify things when you need to. Anyone who's read the "art of war" knows that real defense is about how flexible you are, and that you are able to deal with the exceptions, not the rules. - or how easy it is to change your stripes and adapt to changing situations and threats. You simply can't do that through a closed one vendor system, no matter how much you plan. You simply can't do that when you can't access the source code, change it, and share those changes freely, you simply can't do that if you have to pay a subscription or royalty and keep tabs on every nook and cranny application and license - you can never decentralize, never regroup, never deal with unpredicted failures, when you're attached to a BSA dog-leash.

      Just like freedom in the USA is the only real reason why it's so much better than the enemies, the freedom offered by Linux and the GPL has an internal value that makes it so much better than the alternatives. Only that is the end game, and only that is what will make us truly secure.

  • Asking what else there is to use.
    On a more serious note... blah ;>
    • by shokk ( 187512 ) <ernieoporto AT yahoo DOT com> on Saturday August 30, 2003 @11:20AM (#6833236) Homepage Journal
      Let's see, spend lots of $$$ to deal with patching MS security holes (lots of centralized and automated Software Install packages out there for Win32), or deal with user-unfriendly Linux suites that do not scale or integrate with others no matter how well patchable the platform is. Personally, I never trust third-party RPMs and they're never compiled the way I want them anyway.

      I believe in MS on the front-end, linux on the back-end, running a virus gateway at the mailservers, antivirus software at the desktop, and centralized patching to fire off new patches on all desktops at once. That said, I would only put MS on the back-end at gunpoint. Linux may not need any of that protection at the desktop, but the lack of apps keeps it from being as usable; the apps that are available are not very compatible with what everyone else is using. In these days of limited sysadmin resources, I would rather the users have a very intuitive package in front of them to minimize calls like "how do I start using this? I have to source what and do what to my environment?" The sysadmin resources should be left to take care of the valuable back end.

      Linux is far from 100% secure...take a look at various security bulletins each week and you'll see all sorts of apps that are being patched. Have we forgotten past Linux worms? How many recently patched phpBB2 or Nuke for recent problems according to those advisories? Where is the mantra of "the hole shouldn't be there in the first place?" that is constantly fired off at MS when those holes are found in open source software? Is it because many Linux apps are like that and the blame is distributed across a multitude of developers rather than a single monolithic software company that simple minds can more easily divert their attention to? Sorry, but "they patched it within 8 hours" is not an excuse. For both platforms, "the hole should not have been there! where is the code auditing that should have prevented that problem from being there in the first place?" As complex as software is becoming, I do not think that this is going to go away without radically altering current coding practices.

      What we need is a very large corporation to adopt 100% Linux (reference Guinea Pig in wikipedia) so that apps become more compatible and patches are more easily recognized. We've seen smaller companies like Ernie Ball do this, but we need bigger testbeds. Then, we can complain in 10 years about the Linux juggernaut and how Putrix is better.
      • If the Department of Homeland Security were to be highly concerned about security, they wouldn't even have workstations with off-the-shelf distributions on them. They'd download the source code themselves, inspect it, and compile the distribution as an internal thing. And even according to the GPL, if it remains internal, i.e. no distribution to other parties, then they don't even have to say what their changes are.

        In fact, they would be able to use a framework for distribution through their computer n
  • Duh... (Score:2, Informative)

    by Manic Ken ( 678260 )
    Unfortunately, there is ample evidence that for many years economic, marketing, and even anticompetitive goals were far more important considerations than security for Microsoft's software developers, and these broader objectives were often achieved at the cost of adequate security.
    Duh...
    • Re:Duh... (Score:3, Insightful)

      by jackb_guppy ( 204733 )
      And add to that Microsoft's own security patches that re-enabled closed ports and disabled other protections that sysadmins put into place so the SQL worm could infect the system.
  • by Anonymous Coward on Saturday August 30, 2003 @09:39AM (#6832731)
    to use OpenBSD without a windowing environment, or any ethernet interfaces.... "most secure setup in the world" the report claimed. When the department asked about usability and productivity of these other avenues they were told "STFU n00blah and RTFM".....
  • Pretty obvious (Score:5, Interesting)

    by John Jorsett ( 171560 ) on Saturday August 30, 2003 @09:39AM (#6832732)
    If Ridge and DHS doesn't already know this, they've been asleep. I do work for the Defense Department, and we won't consider using Microsoft code for anything that's important.
    • Re:Pretty obvious (Score:4, Insightful)

      by Anonymous Coward on Saturday August 30, 2003 @09:46AM (#6832774)
      If Slammer has taught us anything, it is that a Microsoft operating system should not even be on the same network as any critical systems. Nor should it be used for any "less critical" systems, such as fault or load monitoring systems.
    • Re:Pretty obvious (Score:5, Insightful)

      by ch-chuck ( 9622 ) on Saturday August 30, 2003 @09:46AM (#6832779) Homepage
      So ships [gcn.com] are not important. I see.

      Favorite line: "Although Unix is more reliable, Redman said, NT may become more reliable with time"

      I live in that area, and there are a LOT of Msft job openings requiring security clearance these days.

    • Comment removed (Score:4, Insightful)

      by account_deleted ( 4530225 ) on Saturday August 30, 2003 @10:03AM (#6832854)
      Comment removed based on user account deletion
      • "Not only desktop - a lot of military sites I have seen are running on IIS. SQL Server 2k is used also."

        Yeah, but are those used for *important* things? Bear in mind that what the DOD counts as "important" may be more life-and-death stuff.
      • Re:Pretty obvious (Score:2, Insightful)

        by Pegasuce ( 455700 )
        Does an internet web site qualify as important or is it weapons control?
      • Re:Pretty obvious (Score:3, Interesting)

        I don't think anyone in an IT capacity in the DoD could possibly say that there are 'no microsoft products here' - that's just ludicrous.

        Indeed it is, which is why nobody is saying it here. I'm not Dick Cheney, so I can't speak for all of DoD. The group I work with doesn't use Microsoft products in anything that has to be a) secure and/or b) reliable.

    • Re:Pretty obvious (Score:3, Informative)

      by SuperBanana ( 662181 )
      I do work for the Defense Department, and we won't consider using Microsoft code for anything that's important.

      How typical of someone who works in defense- you haven't the slightest idea what goes on anywhere except in your little world.

      Remember the destroyer that had to be towed into port because its Windows network crashed and it was dead in the water, because someone entered a 'zero' into a database field, and windows shit the bed? Yeah, the mission-critical functions of a nuclear powered destroyer

      • Re:Pretty obvious (Score:3, Insightful)

        by nvrrobx ( 71970 )

        Remember the destroyer that had to be towed into port because its Windows network crashed and it was dead in the water, because someone entered a 'zero' into a database field, and windows shit the bed? Yeah, the mission-critical functions of a nuclear powered destroyer aren't very important.

        If entering a zero into a database field causes Windows to crash, it's because a badly written device driver (more than likely NOT provided / approved by Microsoft!) was the cause. Next question: Why is your code bl

        • Re:Pretty obvious (Score:3, Insightful)

          by Tony-A ( 29931 )
          If entering a zero into a database field causes Windows to crash, it's because a badly written device driver

          If that is true, Microsoft is in even worse shape that I think it is.

    • Re:Pretty obvious (Score:5, Interesting)

      by jd ( 1658 ) <imipak AT yahoo DOT com> on Saturday August 30, 2003 @10:49AM (#6833064) Homepage Journal
      The US Navy recently moved a lot of developers from Unix platforms onto Windows plus CITRIX, as part of the NMCI contract.


      (The machines running the actual applications were also Windows boxes.)


      The Windows boxes were considered "safe enough" to put on the public network. If it wasn't Windows, even if it had an A1 rating, Gibson's "Black Ice", and half of Fort Knox guarding it, it was considered unfit for use on a public network.


      From what I've been told, by people working in the US Navy, Windows computers on ships are often riddled with viruses and other nasties. Protection is minimal to non-existent. I've no reason to doubt these first-hand accounts.


      The use of Windows, alone, is not the problem. Windows can be made reasonably secure, and proper counter-measures do exist for dealing with intrusions and viruses.


      The problem is in the sheer reckless stupidity of key personnel who are high enough up the chain of command to enforce their stupidity on others. You cannot afford to have such people in any key organization, much less an organization whose role is national and international security.


      I don't want to imagine what would happen if critical RADAR stations or missile systems were ordered to switch to Windows. The Department of Homeland Security is all fretting about "sleeper cells", while the DoD seems to be spending its time asleep.


      I can say, from practical experience, that Windows is used in situations for which it is not authorized or certified. I can also say that the use of Windows in potentially vulnerable situations is on the rise. Sure, there's nothing I can do about it, but that doesn't mean I like it.


      Would I work in such situations? Already have, and I would again. Why? Because Government jobs pay better than any company I might be able to talk into using a secure environment.


      That's the sad part of it. I could very easily build you a computing environment that had rock-solid security, combined with phenomenal ease-of-use, combined with amazing performance, for less than it is costing companies to install and maintain Windows, plus pay for outage caused by viruses and crackers. I'd say that probably 30-40% of all regular Slashdot readers could.


      As Megadeth noted on one of their albums: ...but who's buying?

    • Re:Pretty obvious (Score:5, Interesting)

      by Theatetus ( 521747 ) on Saturday August 30, 2003 @11:36AM (#6833317) Journal
      I do work for the Defense Department, and we won't consider using Microsoft code for anything that's important.

      Funny... I'm in the Marine Corps (part of the DoD last time I checked), where we and the Navy have a mandated Microsoft-only procurement requirement. Not just "you have to justify buying non-Microsoft software" but "you have to prove that a Windows NT platform absolutely cannot do what you need to do". The usmc.mil website runs Domino (and doesn't properly sign its certificates... grrr....), but the entire Navy/MC WAN is NT4.

      Maybe our WAN is not what you are calling "important". It's true, we don't put Windows on fighter jets or in tanks, but we don't put UNIX in them either. So maybe the medical and service records of all the men and women in the Navy and Marine Corps aren't "important" to you, but they're damn sure "important" to me, and I'm outraged that the network seems to have been compromised over the past few weeks.

  • Then what? (Score:4, Insightful)

    by nakhla ( 68363 ) on Saturday August 30, 2003 @09:42AM (#6832749) Homepage
    And what happens when the DHS begins to use Linux/Solaris/et al and the attackers focus their attention on these products and find numerous and obvious vulnerabilities?

    People tend to forget that more holes are found in Microsoft products partly because more people use Microsoft products. As a result, that's where the attackers focus a great deal of their energy. Linux would have the same problem if it had Microsoft's market share.
    • Re:Then what? (Score:5, Informative)

      by Anonymous Coward on Saturday August 30, 2003 @09:45AM (#6832763)
      Things are never that cut and dry.

      Linux has more market share than Windows in the server market, yet Windows has a disproportionally higher frequency of reported critical OS flaws.
      • Re:Then what? (Score:2, Insightful)

        by Anonymous Coward
        And that's even without source code available for the bad guys to scrutinize for flaws.
      • really?

        What's your source of the number of "reported critical OS flaws" in linux?
    • by DASHSL0T ( 634167 ) on Saturday August 30, 2003 @09:49AM (#6832788) Homepage
      That must be why Apache has so many more security problems than IIS, since it is twice as widely used.
      • Re:Then what? (Score:3, Insightful)

        by PenguiN42 ( 86863 )
        This argument is spouted off so much that it's getting tiring.

        Obviously popularity isn't the *only* reason that vulnerabilities are found. IIS is just a suck-ass product, and a lot of people use it as it comes with the OS -- in unpatched and default configuration. That's why it has more holes than the pretty robust Apache.

        But the argument it responds to is saying that The windows OS does have decent security, but more bugs are exploited due to its popularity. In this context, talking about IIS vs Apache i
        • Re:Then what? (Score:5, Insightful)

          by Enry ( 630 ) <enry AT wayga DOT net> on Saturday August 30, 2003 @10:33AM (#6832987) Journal
          Besides, if anyone truly believes that more security-related bugs are found in windows than in linux, they must not be subscribed to the debian-security mailing list. 23 new announcements in august alone.

          For 8710 [debian.org] packages across 11 different architectures, only 23 announcements isn't bad at all. That's 1 out of every 355 packages.

          If you wanted to extrapolate from there, MSFT has what, maybe 100 or 200 software packages? Let's say 250 and be fair. According to Windows update, I've had 4 security related updates this month. If Microsoft distributed as many packages as Debian does, that would equate to 128 patches over the same time period.

          I'll stick with Debian, thanks.
        • Re:Then what? (Score:5, Informative)

          by StormReaver ( 59959 ) on Saturday August 30, 2003 @10:53AM (#6833089)
          "Besides, if anyone truly believes that more security-related bugs are found in windows than in linux, they must not be subscribed to the debian-security mailing list. 23 new announcements in august alone."

          All bugs in Linux, whether exploitable or not, whether severe or merely cosmetic, whether dangerous or merely annoying (or just plain non-optimal), are publicly announced and fixed at the time they are found.

          Microsoft publicly announces only a small fraction of the known bugs and security problems found in its products. If Microsoft were to be as thorough in its security announcements and fixes, you would be inundated with 8 new announcements, if not more, per hour, every day, for the rest of your life.
        • Re:Then what? (Score:4, Informative)

          by moncyb ( 456490 ) on Saturday August 30, 2003 @11:46AM (#6833387) Journal

          and a lot of people use it as it comes with the OS -- in unpatched and default configuration. That's why it has more holes than the pretty robust Apache.

          Ummm...yeah. I guess the fact all Linux distros which I've seen have Apache "in unpatched and default configuration" (unless the user chooses to not install the web server) doesn't matter?

          Besides, if anyone truly believes that more security-related bugs are found in windows than in linux, they must not be subscribed to the debian-security mailing list. 23 new announcements in august alone.

          Yay! Another idiot who just counts the number of vulnerabilities instead of paying attention to what they are. Somehow things like: "Steve Kemp discovered a buffer overflow in zblast-svgalib, when saving the high score file. This vulnerability could be exploited by a local user to gain gid 'games', if they can achieve a high score." don't scare me. Lots of this is obscure stuff in the first place--who uses the atari800 emulator? Who uses LinuxNode--some sort of amateur radio networking(?) program? I've never even heard of it.

          Many of these are local compromises--something MS has just barely started looking at. Many of these are programs which wouldn't be included with a Windows disk. Linux distros often come with hundreds (or thousands) of different programs, and would not normally be installed. Debian comes with over 8710 packages.

          What about multiple programs which do the same thing? One of the vulnerabilities was a program which uses qmail. I believe Debian also has sendmail and postfix. So we're counting problems with all three? And programs which attach to them as well? Is someone going to install all of these mail servers on their box? How many mail server programs does MS make? About wu-ftp, there also appear to be multiple ftp server programs. Do we count them all? Wu-ftp is well known to be insecure. Does this mean "Linux" is more insecure than Windows if someone chooses an insecure ftp server when their distro gives them the choice of several?

          Very few of these vulnerabilities would even touch the default install, and the video games? Well, maybe we should include all the video games you can buy for Windows. Oh no! What if GTA: Vice City will allow people to cheat by changing the high scores file??? That's a major vulnerability! We'd better notify the security team and get all our Windows boxes patched! Even the ones which don't have GTA installed!!!

          Just counting the number of vulnerabilities is the red herring. Most of those MS wouldn't even pay attention to and insist they aren't even security related. Linux and developers of other systems such as FreeBSD and OpenBSD are far more paranoid than MS could ever dream. That is why you see more security announcements for them. It means they are MORE secure, not less. Would you say a security guard who sleeps on the job is more secure than a guard who reports every little incident??? The sleepyhead only reported three problems last month! He must be doing his job! Never mind the fact half our inventory disappeared on his watch. That could've happened to anyone.

    • Re:Then what? (Score:5, Insightful)

      by gregfortune ( 313889 ) on Saturday August 30, 2003 @09:50AM (#6832790)
      That argument lost its punch some time ago. Large, commercial entities are using Linux so the interest is certainly there. Google [netcraft.com] is one really good example.
    • by _Pablo ( 126574 )
      The Department of Homeland Security can use any *nix they like (if SCO allows) safe in the knowledge that according to 100% of Microsoft competitors, anti-Microsoft zealots, Mac Zealots, survivalists, conspiracy theorists and many teenage elitist OSS users:

      1) There has never, at any time, anywhere on the face of the planet been any security problems in any software produced by any company, other than Microsoft.

      2) The only reason for the multitude of releases of all other software, is to add features and f
    • Re:Then what? (Score:5, Interesting)

      by Daniel Phillips ( 238627 ) on Saturday August 30, 2003 @10:09AM (#6832880)
      And what happens when the DHS begins to use Linux/Solaris/et al and the attackers focus their attention on these products and find numerous and obvious vulnerabilities?

      If they are obvious, then we already found them. Numerous... I don't think so, not in the core system. When a new Linux vulnerability comes out, it's big news and dozens of hackers descend on it immediately. Then when the fixes go out, they are *easy* to apply and highly unlikely to break anything unrelated in your system.

      Any new features that go into core systems get heavily peer-reviewed for security impact. That's *proactive* security. This process has been going on for 30 years (long before Linux appeared) and you might say, it's reached a state of comparative maturity.

      This is the difference between security as an afterthought and security as a process. Besides that, Linux 2.6 has a gleaming new plug-in security harness. This allows the user to tailor their own security system. For example, mandatory access controls allow the administrator to limit the actions of any process, even root. The impetus for this originally came from the NSA [nsa.gov]. You can bet that's interesting to government departments across the board.
      • Re:Then what? (Score:5, Interesting)

        by pjrc ( 134994 ) <paul@pjrc.com> on Saturday August 30, 2003 @11:12AM (#6833201) Homepage Journal
        what happens when the DHS begins to use Linux/Solaris/et al

        A few days ago, I did a simple test using Mozilla's email client, where I emailed a copy of /bin/ls to myself, to see what Mozilla would do when it received a linux binary executable.

        I'm happy to report that I was offered the choice to save it to disk, or to open the data with an application (which I had to choose without a default, and apps handle the binary data as data, not executable code).

        When I saved the file to /tmp, the resulting binary was of course byte-for-byte identical to the copy in /bin, but Mozilla did not set the execute permission bit by default. Since I knew the file was ok, I typed "chmod 755 /tmp/ls", and then I was able to run the executable.

        I had to save the file, then locate the file using another application (I used a shell, but many people might prefer a file manager like Konq), and I had to explicitly change the permissions to allow the internet-received data to be able to run and have (non-root) control over my computer.

        So, getting back to the original question.... it's safe to say that until linux systems are populated with dangerous email clients, email-virus writers are going to have to try a lot harder to trick users into executing their code!
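The behaviour pjrc describes, an attachment landing on disk without the execute bit so that running it takes a deliberate chmod, is shown below as an added example (not code from the original comment or from Mozilla). It saves a constructed fake ELF payload the way a cautious mail client should (new file, mode 0600, never executable), checks the mode bits, and then performs the same explicit `chmod 755` step the commenter did by hand. The `save_untrusted_bytes`, `is_executable` and `looks_like_elf` helpers are this example's own names.

```python
"""Added example: saving an untrusted attachment without the execute bit.

Mirrors the behaviour described in the comment above: the file lands on disk
without +x, and running it requires an explicit chmod. All data is constructed
inline; no real mail or real binary is used.
"""
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"  # first four bytes of every Linux ELF binary


def looks_like_elf(data: bytes) -> bool:
    """True when the received bytes start with the ELF magic (a native executable)."""
    return data[:4] == ELF_MAGIC


def save_untrusted_bytes(directory: str, name: str, data: bytes) -> str:
    """Write received data to a new file with mode 0600 and no execute bit.

    O_EXCL refuses to overwrite an existing file, and the explicit 0o600 mode
    is only ever narrowed by the process umask, so the file cannot be created
    executable whatever the umask happens to be.
    """
    path = os.path.join(directory, os.path.basename(name))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def is_executable(path: str) -> bool:
    """Report whether any execute bit (user, group or other) is set on the file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def demo() -> dict:
    """Save a constructed fake 'ls' binary and record what the user would observe."""
    # Constructed stand-in for /bin/ls: ELF magic followed by filler bytes.
    fake_binary = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 13 + b"rest-of-binary"
    with tempfile.TemporaryDirectory() as tmp:
        path = save_untrusted_bytes(tmp, "ls", fake_binary)
        before = is_executable(path)          # expected False: saved without +x
        os.chmod(path, 0o755)                 # the deliberate step the user must take
        after = is_executable(path)           # expected True: now runnable
        return {
            "elf": looks_like_elf(fake_binary),
            "exec_before_chmod": before,
            "exec_after_chmod": after,
        }


if __name__ == "__main__":
    print(demo())
```

The interesting property is the gap between `exec_before_chmod` and `exec_after_chmod`: nothing the sender controls can close it, because the mode comes from the receiving program's `os.open` call, not from the attachment. The ELF check is a cheap extra signal a client can use to warn before saving at all.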

    • Re:Then what? (Score:5, Informative)

      by bruce_the_moose ( 621423 ) on Saturday August 30, 2003 @10:14AM (#6832897)

      This line--that Windows has the largest market share in worms and viruses because Windows has the largest market share--was trotted out in the last few weeks during the peak of the Sobig and Blaster activity, and routinely shot down. The problem is inherent design flaws, not market share. Many have pointed out that unix-type OSes run the majority of critical Internet services, and by the market-share argument, these services should be the subject of continual attack. And yet they are not.

      In short, this argument that greater adoption of unix-type OSes by the masses will result in more unix-type worms and viruses is nothing short of FUD.

      Have a look at Mac's Immunity to Recent Virus Attacks [slashdot.org] which came about in response to an article posted on MacCentral [macworld.com] on this topic. In sum, some columnist repeated the assertion that "Macs have "no more inherent security" than their PC counterparts, it's just that they've failed "to capture interest" among the creators of these viruses." This post [maccentral.com] is fairly representative of many, and makes clear the vulnerabilities of Windows are real, stem from technical reasons, and not just market share.

      Mac OS X is the subject of the links above because that is where my interests lie, but the gist of the arguments could apply to any unix-type OS.

    • Re:Then what? (Score:3, Interesting)

      by MarvinMouse ( 323641 ) *
      Well, you have the million monkey effect. The thing about Linux over Windows is that if a major bug is found, there are hundreds of quality programmers ready to fix and able to fix it very quickly. Anyone who wants to fix the bug is allowed to.

      So you end up with, sure if bugs are found for Linux, they'll probably get fixed faster, and from past experience with Linux and bugs this is very very true.
      • And furthermore, if you ask 12 Linux developers to fix one problem, you'll end up with something like 18 different fixes. Many of these will be mutually exclusive, many will be really stupid ("No matter how bad the nosebleed, a tourniquet round the neck is a bad idea"), and some will be just plain unsuitable for what you want. But, you *do* have the choice, and you can fix it in the way that suits you best. Hopefully, without breaking something else.
        • and in spite of this situation, it works well.
          The best solution will percolate to the top rather than having the top dictate what you will use.
    • Re:Then what? (Score:2, Insightful)

      by Morosoph ( 693565 )

      People tend to forget that more holes are found in Microsoft products partly because more people use Microsoft products. As a result, that's where the attackers focus a great deal of their energy. Linux would have the same problem if it had Microsoft's market share.

      Hardly. Consider this: Linux programmers increase in number with the penetration of Linux. As Linux penetration grows, so does the number of people able to fix security flaws. Whilst the number of crackers may increase, both sides of the

    • Then why are my Apache logs full of IIS exploit attempts, even though Apache runs on over twice as many servers [netcraft.com]?

    • Re:Then what? (Score:2, Interesting)

      I always like being the devil's advocate, and will probably get modded to flamebait for this, but here's something to put in your pipe and think about....

      The lead story says "'riddled with obvious and easily exploited vulnerabilities.'"...How many people found the exploit that the blaster worm uses? Maybe a couple dozen at most? That doesn't seem like an obvious exploit to me. Heck, any exploit (*nix or Windows) that requires a buffer overflow of a certain amount of characters, or a specifically formed p
    • Re:Then what? (Score:4, Insightful)

      by bob670 ( 645306 ) on Saturday August 30, 2003 @11:30AM (#6833294)
      I always enjoy it when rhetoric that sprung from MS public relations machine becomes a fact. MS product vulnerabilities are discovered in higher numbers because they exist in legion. MS operating systems are inherently insecure, period. XP was supposed to bring real security, but I spend much of my clients' time and money applying MS security patches, updating A/V software and tightening firewalls. Between the draconian licensing policies, the vicious upgrade cycle and the total lack of security, I pray homeland security gets off of MS ASAP.
  • by DaLiNKz ( 557579 ) on Saturday August 30, 2003 @09:42AM (#6832751) Homepage Journal
    What happens if SCO goes after the Department of Homeland security for using something like linux? Would it be considered terrorism?
  • by Anonymous Coward on Saturday August 30, 2003 @09:43AM (#6832759)
    Amazing! A company [ccianet.org] whose tag line is "open markets, open systems, open networks, and full, fair, and open competition" urges the adoption of open source software? And The Inquirer posted this MS bashing news story?

    Next thing you know, it will be linked off of slashdot. This is highly irregular behavior, and very newsworthy.

    Slow news day?
  • by MisanthropicProggram ( 597526 ) on Saturday August 30, 2003 @09:45AM (#6832766)
    Unfortunately, I have to use MS crap. I'm taking a graduate CIS class and we're doing .NET shit. Anyway, here I am logging in this morning and a weight loss ad comes across their instant messenger program. I've tried to remove the program, but XP WON'T LET ME BECAUSE IT SAYS THAT IT NEEDS IT FOR SYSTEM FUNCTIONS! So, anyone can push shit onto my machine! Can you imagine Winduhs at the Dept. of Homeland security? All a terrorist has to do is send a bunch of weight loss ads as a DOS against them... arrrrggggg!

    I'm going to mention this in my class, in front of everyone. I'm also going to tell them how flaky XP and MS products are in general!

    This is a lesson to us future PHBs!!!!!
    If the ad is a plain text "Messenger Service" pop-up, you have a network service enabled that was intended to push out urgent messages from system administrators. It has legitimate purposes, so ask first before acting.

      To disable Messenger in XP Pro:

      Click Start->Settings ->Control Panel
      Click Administrative Tools
      Click Services
      Double click Services
      Scroll down and highlight "Messenger"
      Right-click the highlighted line and choose Properties.
      Click the STOP button.
      Select Disable or Manual in the S
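The same stop-and-disable procedure, done from PowerShell rather than by clicking through the Services console, as an added example that is not part of the comment above. It assumes the service's internal name is `Messenger` (the name the Windows XP Services list shows) and that the shell is running with administrator rights; it records the startup mode before and after so the change can be verified or reverted.

```powershell
# Added example: stop and disable the Windows XP "Messenger" service.
# Assumes the service name is 'Messenger' and an elevated shell.
# Reporting uses WMI (Win32_Service.StartMode) so it works on older
# PowerShell versions that lack the StartType property on Get-Service.

$name = 'Messenger'

function Get-ServiceState {
    param([string]$ServiceName)
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
    if ($null -eq $svc) { return $null }
    return [pscustomobject]@{ State = $svc.State; StartMode = $svc.StartMode }
}

$before = Get-ServiceState -ServiceName $name
if ($null -eq $before) {
    Write-Output "Service '$name' is not present on this system; nothing to do."
}
else {
    Write-Output ("Before: state={0} startmode={1}" -f $before.State, $before.StartMode)

    if ($before.State -eq 'Running') {
        # Equivalent of the STOP button in the Properties dialog.
        Stop-Service -Name $name -Force
    }

    # 'Disabled' blocks any restart at boot or on demand; use 'Manual' instead
    # if administrators still need to start it deliberately for broadcasts.
    Set-Service -Name $name -StartupType Disabled

    $after = Get-ServiceState -ServiceName $name
    Write-Output ("After:  state={0} startmode={1}" -f $after.State, $after.StartMode)
}
```

Checking the state before changing anything matters here for the reason the reply gives: the service has legitimate administrative uses, so on a managed machine the "before" line is what you show whoever owns the policy before you disable it.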

  • Actual Security (Score:2, Interesting)

    by mhotas ( 680248 )
    Microsoft isn't that bad. They're getting more attention and anger transferred to them from virus writers because they're the biggest company in the industry. Nothing's perfect & security is the hardest aspect of a software system to test and validate. And frankly, I think their model works better than Red Hat's, where I get 3-5 emails a day notifying me of critical software fixes. I just don't have that kind of time.
    • They're getting more attention and anger transferred to them from virus writers because they're the biggest company in the industry.

      That statement is definitely correct, but even if Windows can be set up to provide the same level of security as Linux, the fact that MS is being targeted to a much higher degree than Linux makes MS systems much more vulnerable.
    • Redundant (Score:5, Interesting)

      by mangu ( 126918 ) on Saturday August 30, 2003 @10:54AM (#6833095)
      This "they are the biggest, so crackers go after them" line has been debunked so many times by so many people... But, anyway, here we go again:

      I think their model works better than Red Hat's, where I get 3-5 emails a day notifying me of critical software fixes

      If you took a few minutes to read those fixes you would realize almost all of them are "proactive", that is, they are fixing vulnerabilities before an exploit is made against them. This is intrinsic in the OSS model, where experts worldwide examine the source code all the time, for instance in university classes and research centers. Commercial, closed-source software, on the other hand, is usually examined only by crackers who throw anything they can at the software until it breaks.

      Personally, the system I prefer is Conectiva's, where apt-get is combined with rpm packages. Running "apt-get update; apt-get dist-upgrade" each time I get a vulnerability warning takes much less time than deleting spam, even in my relatively well protected email account.

  • I knew it! (Score:5, Funny)

    by Anonymous Coward on Saturday August 30, 2003 @09:48AM (#6832785)
    Microsoft supports terrorism!
  • In a similar note... (Score:5, Interesting)

    by Anonymous Coward on Saturday August 30, 2003 @09:48AM (#6832787)
    The OMB (Office of Management and Budget?) just added MacOS X and Linux to approved OS's to use for government applications.

    With the right push, we might see the tides change in *nix favor.
  • by PenguiN42 ( 86863 ) <taylork@alum.mit . e du> on Saturday August 30, 2003 @09:51AM (#6832795) Journal
    Seriously, if this guy really wanted to help out the government, he'd be suggesting that they keep their systems patched and stripped down and firewalled, and that they employ an expert security team no matter what OS they are on.

    The fact is, you can make Windows as secure as any other OS out there, as long as you know what you're doing.

    I think it's fishy that they don't back up their "obvious and easily exploited vulnerabilities" claim with any real examples. The only evidence they provide is Blaster and SoBig -- an exploit for a vulnerability patched a month in advance, and a simple dumb-user email worm. Unfortunately all anyone sees is the fact that two worms came out near the same time -- and not the fact that they could have been prevented easily by more competent sysadmins and informed users.

    Anyway, I think it would be cool to see the DHS use a less-mainstream OS. But I don't think this open letter makes an argument any more sophisticated than the "microsoft sucks! You'll get a million viruses dude!" spouted off by any 13-year-old linux zealot.
    • "...an exploit for a vulnerability patched a month in advance..."

      For a hole that was in the system for years, which is similar to many other major in-the-news exploits. The fact that the patch was available for months is little consolation if there were nefarious groups who were aware of these holes for years, which is something that no one can conclusively answer.

      I think the simplistic "all other systems are secure, but MS systems are weak" zealotry often repeated by the puppets is incredibly weak, but a
    • by Daniel Phillips ( 238627 ) on Saturday August 30, 2003 @10:25AM (#6832955)
      The fact is, you can make windows as secure as any other OS out there, as long as you know what you're doing.

      What turns that glib claim into a lie is, with closed source it's impossible to know what you're doing.

      Never mind that security has never been an overriding concern in Windows' basic design. The end result speaks for itself, as any 13 year old can see.
    • by 0x0d0a ( 568518 ) on Saturday August 30, 2003 @10:29AM (#6832971) Journal
      The fact is, you can make windows as secure as any other OS out there, as long as you know what you're doing.

      Can you?

      Can an NT administrator, using user level tools, perform the equivalent of a chroot jail? Can he make specific apps suid or sgid?

      While Windows technically does not imply use of other Microsoft products, it does tend to be correlated with it. Outlook has had numerous poor security decisions that a mail admin simply cannot fix. IIS has also had poor architectural decisions. Remember MS swearing that they'd rewrite the thing from the ground up for the next release? The design of IE -- permeating the entire OS, providing many services to applications, and with no internal security model in place -- makes for all kinds of nasty problems. It's a great way for spyware to slip past personal firewalls, it's used in places like Outlook where a full-blown HTML renderer with the huge variety of features it has is a pretty bad idea from a security standpoint, and it provides a high degree of control to remote websites over the local computer -- much higher than Mozilla's.

      The MS Blaster issue wasn't actually all that egregious, AFAIK. It's not like UNIX systems haven't had RPC flaws in the past, either. The real problem was the number of unmaintained machines that were vulnerable. I'd call something like Melissa, that relies on phenomenally stupid security decisions from Microsoft ("let's have an automatic execution environment in our documents, which are intended for wide interchange!"), much worse.
    • The only evidence they provide is Blaster and SoBig ...[snip]... they could have been prevented easily by more competent sysadmins and informed users.

      Well designed systems do not expose RPC control intended only for LANs to internet accessible interfaces, and they do not enable by default these services that very few users will ever need.

      Well designed email clients do not allow users to easily execute code. For example, mozilla in linux will only allow you to save an attachment that appears to be code

  • by djrisk ( 689742 ) on Saturday August 30, 2003 @09:56AM (#6832817)
    ... to suggest that the DHS implement a strong policy structure to ensure high integrity computing; because in all practicality, "don't use this" never works.

    ANY software can be compromised to ANY degree. There are just as many exploits lurking in an Open Source distribution (let's face it, it's rare that someone uses ONLY the Operating System), as there are in anything.

    Implementing (and adhering to) strong policy, working diligently to keep systems updated, and keeping users informed: these are essential parts of creating (and maintaining) a "secure" infrastructure.

    Granted, it's easier said than done; but it's possible. There are FAR MORE corporations/entities that DID NOT get affected by blaster/sobig/melissa/codered/etc. than there are corps/entities that did.

  • by cait56 ( 677299 ) on Saturday August 30, 2003 @09:58AM (#6832826) Homepage

    It would be totally inappropriate for a government agency to blacklist a specific vendor without going through extensive hearings. That does not mean that they should not consider the vendor's history when evaluating each purchase. For the anti-MS crowd that means that they should reject each MS product individually.

    More seriously, they need to evaluate what their software requirements are. I strongly suspect that they need software which will:

    • Not expire: We are going to reach a point where terrorism is not a "hot button" item, and the spending will slack off. Eventually there will be another attack. The software purchased now has to work four years from now, even if the individual participating agencies have upgraded their hardware in the meantime.
    • Platform independent: The federal government should not be telling local police departments what type of equipment they need. If they do, we'll end up with some equivalent of having to keep an old 286 running in the corner to deal with Homeland Security. Or on the flip side, some police department that relies on donated leftovers won't be able to run the latest software.
    • Auditable: The code used for this software must be reviewable, preferably by the widest audience possible. Escrow is the absolute minimum for all source code involved. Open Source certainly qualifies, but technically the department does not need to have the right to modify the software itself. And in fact might need to keep any modifications that it keeps confidential. (Not that I really think that the GPL would deter anyone in the Bush Administration from doing something for "national security" -- I mean the Constitution doesn't.)
    • What are the Impartial Objectives?

      That is an oxymoron.

      Only empty, vague generalities are impartial. Everything else is quite flexible. The appearance of objectivity is a red flag, especially when we're talking about politicians (or your job).

      Good list though :-)

    • Overrated. Here's why:

      "And in fact might need to keep any modifications that it keeps confidential. (Not that I really think that the GPL would deter anyone in the Bush Administration from doing something for "national security" -- I mean the Constitution doesn't.)"

      The GPL does not restrict the US (or any other) government (or any company, for that matter) from keeping modifications confidential. As long as the government does not distribute the software outside of itself, it can do whatever it wants. T

  • Reading through the article, I'm concerned by the severity of some of the failure examples cited. In particular, that relating to the disabling of a nuclear power plant's monitoring system. Maybe I should wait until after I have had my coffee but, at risk of embarrassing myself, I have to ask. Why in the world is an energy company's critical system attached to its common network? Why would they configure their network topology in such a way that would permit an email-borne virus to infiltrate such a critica
  • by TardBoy ( 69070 ) on Saturday August 30, 2003 @10:01AM (#6832847)
    Come on, people, take a look at the membership of this organization and ask yourself if they would EVER take a position which was NOT anti-microsoft. This is not some middle-of-the-road computer science organization, it's a lobbying organization with an axe to grind. That MS software has security flaws is a given, and their position in this case may well be correct, but the CCIA's opposition to MS software is NOT news.
    • Yep, this report is just as biased as something from Microsoft saying that the Government should use their products. Consider the sources once in a while...
    • Yep. Here are some headlines from their home page:

      "CCIA Unsuprised By New Evidence in European Commission Microsoft Case, Stresses Importance of Effective Remedies"

      "Attorney General Tom Reilly is right to continue fighting a settlement with the Microsoft Corporation that fails to protect consumers."

      "CCIA Welcomes Microsoft "Netscape Fine"

      "CCIA Condemns Microsoft Predatory Pricing Scheme "

      "CCIA, SIIA Filing Brief Appealing U.S. v. Microsoft Decision"

  • FUD!!! (Score:3, Interesting)

    by DangerTenor ( 104151 ) <pmhesse2@gem i n i s e c urity.com> on Saturday August 30, 2003 @10:05AM (#6832866) Homepage
    Is that really the case? Are there really that many more vulnerabilities in MS operating systems than any other?

    Or, is it just that since there are so many machines running Microsoft OS's, it is just easier to find and exploit these bugs?

    I have yet to be convinced that the open source model truly leads to fewer bugs and vulnerabilities. Yes, more eyes can see the code, but still these many pairs of eyes miss things. Look at sendmail for crying out loud.
  • Well, this may be all well and good for government applications, as when dealing with resources of the government, security is obviously of the utmost importance. Let's be realistic, though. More damage is done to government and commercial sites by infected HOME user machines than probably any number of virii/worms that have slipped through some lazy sysadmin's email filters. A network is only as secure as the nodes remotely connected to it.

    Too bad Linux-philes are running in too many (bleeping) directi
  • OSS more secure? (Score:2, Insightful)

    by Yuioup ( 452151 )

    So can Open Source developers do a better job of building secure software? Is this an area in which Open Source software can compete with Microsoft?

    Yuioup

  • Anyone else happen to catch the CCIA's street address?

    There's a joke in there somewhere..
  • About CCIA (Score:5, Informative)

    by Anonymous Coward on Saturday August 30, 2003 @10:11AM (#6832886)
    A quick look at About CCIA lists the following:

    Our member companies range from Sun Microsystems, Fujitsu, Nokia, Nortel Networks, Tantivy, Time Domain, and Vion to AT&T, Verizon, NTT USA, Oracle, Intuit, Yahoo!, Sabre, and AOL

    It's the who's who of MS competition.
  • Idiotic (Score:3, Interesting)

    by Bueller_007 ( 535588 ) on Saturday August 30, 2003 @10:16AM (#6832906)
    Well let's certainly hope that if DHS does decide to switch to open source, that it's not because CCIA advised them to. Making security decisions based on the allegations of some lobbying group, be they valid or otherwise, is pure idiocy. Do some independent research for Christ's sake.

    Maybe this letter is a step in the right direction in this regard, but I have to believe that DHS already knew all of this. They are, after all, a government department DEDICATED to security.
  • by defishguy ( 649645 ) on Saturday August 30, 2003 @10:30AM (#6832975) Journal
    2002

    Microsoft Yearly Earnings $6.16 billion.
    Microsoft Cash Reserves $46 billion
    Microsoft Market Share 92% of the Desktop

    Watching Ed Black poke Microsoft with the sword of its own making - Priceless

  • I'm as much of a Linux advocate as the next guy, but it would be a HUGE task to migrate all of the United States Federal government Microsoft-based systems to Linux, especially if there was some sort of mandated short timeline.

    The relatively easy part would be replacing simple desktop functionality. The not-so-easy part would be identifying and analyzing all of the custom software used by the US Federal government that is deployed using Microsoft-specific technology (e.g. Visual Basic).

    Even if there IS
    • by mangu ( 126918 ) on Saturday August 30, 2003 @11:31AM (#6833300)
      I have started doing that where I work. Whatever has no equivalent in Linux, I run under Wine, temporarily, until I find a better way. Nowadays, I'm about 99% MSwindows-free, and about 80% Microsoft free, that is, I boot under MSwindows less than 1% of the time and only one out of five programs I use regularly comes from MS.
  • Not news (Score:4, Insightful)

    by Darth_Burrito ( 227272 ) on Saturday August 30, 2003 @10:35AM (#6833000)
    So an organization whose tagline is, OPEN MARKETS, OPEN SYSTEMS, OPEN NETWORKS, AND FULL, FAIR AND OPEN COMPETITION, is asking that the department of homeland security not use Windows based on security concerns. For crying out loud, their mission statement is the following:

    CCIA's mission is to further our members' business interests by being the leading industry advocate in promoting open, barrier-free competition in the offering of computer and communications products and services worldwide.

    Maybe I'm missing something, but this seems like nothing more than a high powered Washington based lobbying group whose business constituents are diametrically opposed to Microsoft. How is this even news?

  • You can hear faint laughter from a basement in Iraq, perhaps echoed from some remote cave near the Afghan-Pak border.
  • by One Louder ( 595430 ) on Saturday August 30, 2003 @11:08AM (#6833184)
    ...the International Axis of Evil and the Coalition of Rogue States announced their enthusiastic support for the continued use of Microsoft products by the US Department of Homeland Security.

    "Well, two organizations support Microsoft, only one against" said Tom Ridge. "I guess that means we'll stick with Microsoft!"

  • by Andy Smith ( 55346 ) on Saturday August 30, 2003 @12:08PM (#6833561)
    I don't want to make any comment on the issue itself, but I do want to ask, why does the CCIA rep feel the need to quote a Washington Post editorial in his open letter?

    Quoting someone to add weight to your argument, whether it's a philosopher, pop star or journalist, generally removes credibility from what you're saying because it suggests that you don't feel your argument is strong enough on its own.

    If I were posting a comment on Slashdot about security, for example, and I quoted a security expert, then that would be fair enough because the intention would be to reference knowledge that I couldn't personally have.

    But the CCIA published their open letter because, supposedly, their opinion is important and should be taken seriously. Quoting a journalist, especially at the conclusion of the letter, seems inappropriate and even a little desperate.
  • Oh yeah? (Score:3, Insightful)

    by Call Me Black Cloud ( 616282 ) on Saturday August 30, 2003 @04:16PM (#6834932)
    Let's see them get into my fully patched XP box. Really. All the recent viruses, etc. haven't affected me. Security is as much dependent on the user as the software. Sure, it's fun to blame MS for the Windows security problems, but when the users don't apply the patches how can MS be on the hook? Off the cuff I'd say the average Linux user is much more technically savvy than the average Windows user. That certainly plays a big part in the security of the box.
