Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
Security Microsoft United States

Reliance On MS A Danger To National Security 465

An anonymous reader writes "A panel of leading security experts Wednesday blasted Microsoft for vulnerabilities in its software, and warned that reliance on the Redmond, Wash.-based developer's software is a danger to both enterprises and national security." (Even OpenBSD might be bad if it was the only game in town.) M : The report (pdf) makes good reading.
This discussion has been archived. No new comments can be posted.

Reliance On MS A Danger To National Security

Comments Filter:
  • I for one, (Score:5, Funny)

    by tarquin_fim_bim ( 649994 ) on Wednesday September 24, 2003 @05:46PM (#7049671)
    welcome our new security overlords.

    "We always consider security to be our absolute top priority," - Microsoft spokesman Sean Sundwall

    You mean their proclivity to collect the worlds cash is a secondary mission? Wow, Windows must be like the most impregnable fortress ever, and more.
    • by prockcore ( 543967 ) on Wednesday September 24, 2003 @05:49PM (#7049696)
      "We always consider security to be our absolute top priority," - Microsoft spokesman Sean Sundwall

      You mean their proclivity to collect the worlds cash is a secondary mission?

      He was talking about Financial security.
  • It's About Time (Score:5, Interesting)

    by Urantian ( 263132 ) * on Wednesday September 24, 2003 @05:47PM (#7049677)
    I hope the government, in the interest of national security, can clean up MS. All the anti-trust cases don't help the problem, rather they just help companies with posturing.

    Now, putting this kind of pressure on MS may really make them work harder. Imagine the government turning its back on MS, in the interest of national security. Wake up, Microsoft, before it's too late.
    • What pressure? This isn't a government report, it's an industry report, done by a bunch of Microsoft's competitors. MS will dismiss it as sour grapes, and the government will look at the cost of switching to Macs (the only non-Windows platform available, since Dell doesn't sell anything but Windows XP) and conclude that Bill's right, this so-called expert report is just Gates-bashing at it's worst.

      Remember, this is the Bush administration we're talking about. Besides, the CIA and the Army are probably telli

      • by MillionthMonkey ( 240664 ) on Wednesday September 24, 2003 @06:17PM (#7049961)
        In related news...

        Allegations that the new Diebold touch screen voting systems are insecure, because they store votes in an easily modifiable Access .mdb file with no password protection or referential integrity, have been dismissed as sour grapes on the part of the hole punching industry.

        "People love the systems", said a representative for Diebold. "Security and accuracy are guaranteed by pretty flashing lights."

      • Re:It's About Time (Score:4, Insightful)

        by connsmythe96 ( 576445 ) <slashdot&adamkemp,com> on Wednesday September 24, 2003 @06:18PM (#7049968) Homepage
        China doesn't seem to be falling for this. They're probably the closest thing to an enemy I can think of that can actually afford enough computers to make it worth hacking into them.

        How many computers was Iraq's government relying on? (that's a serious question, I really don't know)
      • Re:It's About Time (Score:5, Informative)

        by protogoogoo69 ( 579336 ) <`ten.ximorej' `ta' `todhsals.1m'> on Wednesday September 24, 2003 @06:23PM (#7050010) Homepage Journal
        this so-called expert report is just Gates-bashing

        Umm, if you actually read the article, you'd see that there were seven authors of this "gates-bashing" report. Two of which stand out: Dan Geer and Bruce Schneier. Dan Geer being the chief technology officer of @Stake, a security consulting firm. (Ever heard of L0phtCrack?) And Bruce Schneier is famous for his work with cryptography research (ever heard of twofish? blowfish, maybe?), but works for Counterpane Security Consulting firm.

        These guys probably detest MS, but I'm sure they're not willing to sacrifice their credibility just to produce a stupid report just to bash gates.

        • Re:It's About Time (Score:5, Interesting)

          by hbo ( 62590 ) * on Wednesday September 24, 2003 @09:10PM (#7051271) Homepage
          Thise are the two that stood out for me, too. I have vast respect for both gentlemen. And it's based on years of watching their work product.

          The political angles aside, what they are saying is just common sense. They are talking about the vast majority of computing power being at the periphery of the network. That means at home, on your desk, in your plamtop and cell phone. The number of vulnerable servers, of whatever stripe, is just swamped by the vast numbers of desktop devices. And 90-97% (depending on whose stats you believe) of those systems run Microsoft OSen. When a worm is turned loose targeting those systems, it spreads like wildfire. They call it "cascade failure." These systems then turn around and attack systems at the core of the network. At that point, it doesn't matter what OS those core systems are running. They are very likely to be toast, regardless.

          They also make the point that Microsoft systems are uniquely vulnerable because of the malodorous pile of layered marketing driven technology decisions, and the tight integration of Microsoft's applocations and OS software. That last point should be obvious, too. If your interfaces are loosly coupled, it's easier decouple them when malware hits.
        • Re:It's About Time (Score:3, Informative)

          by Zeinfeld ( 263942 )
          Umm, if you actually read the article, you'd see that there were seven authors of this "gates-bashing" report. Two of which stand out: Dan Geer and Bruce Schneier. Dan Geer being the chief technology officer of @Stake, a security consulting firm.

          Yeah, yeah, and look at what the panel actually said rather than the slashdot headline interpreting it. The effect is kind of like Fox News commenting on Wes Clark running for president, headlined 'Hilary to run in 2004?', by the end of the piece they were discus

            1. If you think that Unix is such a great security architecture take a look at the C language and the APIs in the standard C runtime. The buffer overun problem was almost non existent before C. Fortran, Algol and even Basic always supported array bounds checking (OK some fortrans made you turn it on). Then along came C with the loosey goosey null terminated strings and array pointers without bounds specifiers.

              The APIs of the standard C runtime are not much better, look at the way that functions like atoi s

        • Bruce Schneier is famous for his work with cryptography research (ever heard of twofish? blowfish, maybe?)

          Was he responsible for Swordfish too? Because if so, I've just lost all professional respect for him.
      • Re:It's About Time (Score:3, Insightful)

        by FuzzyDaddy ( 584528 )
        This isn't a government report, it's an industry report

        With Bush in office, what's the difference?

    • By most general measures what you can buy for the same amount of money doubles every eighteen months (?Moore 's Law?). With a conservative estimate of a four year lifetime for a computer ? in other words, consumers replace computers every four years on average ? the total computing power on the Internet therefore increases by a factor of 2.7 per annum (or doubles every 10 months). If a constant fraction of computers are under threat of misuse, then the force available to misusers will thus double every 10 m

  • by NumLk ( 709027 ) on Wednesday September 24, 2003 @05:48PM (#7049687)
    the most important line in the article:
    "And simply patching the vulnerability--as Microsoft has increasingly had to do on the fly as vulnerabilities are disclosed--only exacerbates the problem."

    Finally someone realizes its not enough to just fix the problem, problems should be avoided in the first place! (I know, I know, easier said than done, {insert OS here} isn't perfect either).
    • by SkArcher ( 676201 ) on Wednesday September 24, 2003 @05:56PM (#7049781) Journal
      The entire strategy of MS (and for that matter closed source software as a whole) makes vulnerabilities more likely, more severe and harder to patch. While Open source DOES have issues, it is easier to fix (or even simply rewrite) things, right down to replacing large portions of the kernel if need be.

      The major difference between something that might go wrong and something that cannot possibly go wrong is that when something that cannot possibly go wrong eventually goes wrong it usually turns out to be almost impossible to get at or repair
      -Douglas Adams, The Hitch Hikers Guide to the Galaxy

      • by NumLk ( 709027 )
        I partially agree. Without starting the world's largest flamefest, there have been very successful closed source OSs. Notably OS390 & 400. Granted, you paid an arm, leg, and reproductive organ for the privledge, and therefore they were never designed for the masses, but for their market they are very well designed, traditionally (although this is changing) closed source software.

        Oranges-to-oranges I do agree though, for the same machine, Open Source OSs do have security advantages.
      • Not necessarily. I've seen lots of instances where a bug fix works for people running a standard installation of an operating system, but breaks horribly for people using some non-standard patches.

        Microsoft has a big advantage here -- it is actually possible for them to test their patches with some sense of completeness. (They don't always do so, but that's a different matter.) With open source software, a security officer can release a patch and say "well, this patch works for me", but it's impossible
        • by fuzzix ( 700457 )
          Microsoft have a "richer" history of patches not working/breaking previously working functions than any Open Source project I employ.
          They seem to test their patches the same way a headless chicken tests for the ground - "It's there, lets go!"
          As well as the ASAP patches, the maintenance patches, which have a greater time-span for testing, have occasionally been disasterous (NT SP 6)...
          My experience with OSS indicates to me a solid development method with a fast, reliable response to bugs/vulns. My experience
  • by Anonym1ty ( 534715 ) on Wednesday September 24, 2003 @05:49PM (#7049703) Homepage Journal
    Reliance On MS A Danger To Rational Security
  • diversity (Score:5, Insightful)

    by endx7 ( 706884 ) on Wednesday September 24, 2003 @05:50PM (#7049707) Homepage Journal
    This article help explains very well why diversity in computers is a good thing.

    (It's harder for virus makers to affect more computers at once if less computers use the same OS)
  • I see no mention that it is the administrators who must share responsibility for the compromises and exploits.
    • by Alien Being ( 18488 ) on Wednesday September 24, 2003 @05:55PM (#7049763)
      "I see no mention that it is the administrators who must share responsibility for the compromises and exploits."

      What would be their fair share? According to MS, it's zero [].
    • by 2nd Post! ( 213333 ) <{ten.llebcap} {ta} {raebdnug}> on Wednesday September 24, 2003 @06:03PM (#7049851) Homepage
      Even with perfect administration the danger of monoculture exists.

      A single MS RPC exploit would make all machines vulnerable until patched.

      A single WMA buffer overflow makes all machines vulnerable until patched.

      No matter how perfect, the problem isn't the administrators, but the monoculture. If one in 3 machines was Mac, and one in 4 were Linux, you'd have enough diversity that a virus would slow down drastically enough to be contained.
      • by Sxooter ( 29722 ) on Wednesday September 24, 2003 @06:13PM (#7049935)
        Please note that the machines do not suddenly become vulnerable when the vulnerability is first reported. The vulnerability was there from the beginning, and may well have been exploited long before publication.

        I.e. the fact that MS is fairly quick to patch doesn't get them a free right, the fact that they produce an OS with so many vulnerabilities means that someone, somewhere, right now, is being hacked via a vulnerability they don't know they have, and since MS OSes tend to have more than their fair share of remotely expoitable vulnerabilities, AND there are scads of those machines around, it is far more likely than not that the box being hacked as we speak, is a MS box.
  • by Anonymous Coward on Wednesday September 24, 2003 @05:50PM (#7049711)
    Bears shit in the woods and the Pope turns out to be catholic!
  • by airrage ( 514164 ) on Wednesday September 24, 2003 @05:52PM (#7049729) Homepage Journal
    I find the argument against Microsoft as a problem for national security ringing a little hollow. First, The US government is a complete hodge-podge of computer systems, databases, technologies from various epochs; all of which is unfunded. In fact, the latest US CIO is not going to get the funding need to create a central IT.

    So the problem, as I see it, is that the US government has some severe, indemic, structual problems relating to IT policy which makes citizen privacy, national security, and proprietary knowledge at risk.

    Of course, put Microsoft on top of the quagmire and you've simply opened the door to the vault for every hacker in the known universe.

    I have a hard time blaming the problems of US IT policy on an OS; it's hard to fathom.

    • They probably just use the national security angle to get the government to listen. However, the fuzzy math and some of the recommendations in the PDF don't help their argument, in my opinion. Requiring MS to publish the interfaces to its software is what's needed, like they mention, but requiring MS to make "Office for Linux" is kinda useless, especially if it costs $300+, no one buys it, and the interfaces are not published. Both would work fine though, but requiring a compnay to produce a product no o
    • That it doesn't only affect US gov IT. It affects US military IT, US medical IT, US business IT, US service IT...

      Nearly every sector of the US economy suffers from the Microsoft monoculture, and is therefore vulnerable to the same problems every other sector has...

      Once one gets it, all will get it. That's kind of the inherent danger of monoculture.
    • by Rimbo ( 139781 ) <> on Wednesday September 24, 2003 @06:42PM (#7050185) Homepage Journal
      You have a good point here, because the point was ringing in my ears as I read the report.

      On the one hand, it is true that the combination of Windows' lack of interoperability, closed-source nature, tight integration, and near-monopoly status make it uniquely qualified to spread damaging viruses quickly, better than other operating systems. If you don't take great consideration to how you set up your IT infrastructure, you're going to get burned.

      As you say, the problem is ultimately one of policy, not technology. If you know what you're dealing with, if you know what you're doing, you can establish and enforce policies in your IT infrastructure that prevent the spread of viruses. Every time a virus strikes, we hear about it from the ones that don't. We aren't hearing about the places that haven't had problems. They are out there!

      Is Windows adoption by itself a danger to national security? Hardly. Bad IT policy is, regardless of OS. So when a group like this overstates their case, it really damages the valid point that Windows IS more difficult than other OSes, that certain things about Windows DO make it dangerous to adopt by a government.

      I'd rather hear them talking in more moderate and modest terms. Making overblown claims that aren't easily and obviously supported by the evidence is going to make people think that the pro-OSS/anti-Windows folks are a bunch of frickin' loonies when the slightest bit of investigation can find flaws in the claims.
    • They're not blaming the problems on an OS - they're blaming them on a lack of diversity. Bruce talks about this in his latest book, Beyond Fear. The topic of interest is called a "class break". The idea is that anytime you have a bunch of system sharing common security pieces you're increasing the chances that it will be attacked indirectly. For example, no one may be immediately interested in your secrets, but they might be interested in someone else's - and when that other system is attacked, yours is by
  • NMCI (Score:5, Interesting)

    by Anonymous Coward on Wednesday September 24, 2003 @05:52PM (#7049734)
    And the Navy is going to Microsoft in a wholesale way. The new mega contract NMCI is locking the Navy into a MS solution for _all_ IT. Non conforming (ie non-microsoft) are labeled as a legacy systems and all new development will be required to use MS products in order to be on the network. Also, all network storage will be stored in a single facility !.

    This is I believe a very dangerous approach for the reasons discussed in the article.

    In addition to inefficiency of restricting a solution to a small set of tools. How many large organization standard on a single environment for all computing and IT needs?

    • Re:NMCI (Score:4, Interesting)

      by Short Circuit ( 52384 ) <> on Wednesday September 24, 2003 @06:29PM (#7050057) Homepage Journal
      The USS Yorktown had to be towed to port due to NT crashing. I can't find the original news articles, though.
    • Re:NMCI (Score:5, Interesting)

      by ScrewMaster ( 602015 ) on Wednesday September 24, 2003 @07:56PM (#7050757)
      How many large organizations standardize on a single environment for all computing and IT needs?

      Actually, most of them. Standardizing on a single platform makes the Information Technology crowd's life easier, although there is a price to pay for that convenience. Your point is well-taken that no operating system is optimal for every possible application or use: permitting some variety is a good thing in terms of both safety and productivity. The IT folks themselves are generally unaware of the costs incurred by their monomaniacal focus on a single environment, whatever that may be.

      Problems ensue when you are a corporate user with specific needs that don't fit the mainstream. Then exceptions have to be made, IT drones get irritated and unco-operative ... generally it's a mess. I've been through that wringer several times in the past few years: my company sells some fairly sophisticated industrial data-acquisition systems. While they are PC-based, the problems come in when the local IT departments absolutely INSIST that our machines MUST be on their domain (no reason given ... it simply MUST) and we MUST install Service Pack X and we MUST install THIS version {insert required antivirus/utility/monitoring/security package here} etc., etc., etc. ad-nauseam, even if their requirements completely break our equipment. The systems we install are mission-critical to the companies that buy them (downtime simply isn't tolerated.) We may have a few go arounds involving complete plant shutdowns before the IT people get told to back off from someone upstairs. Once they realize the damage they've done (and the trouble they're in!) things run a bit more smoothly.
  • by overshoot ( 39700 ) on Wednesday September 24, 2003 @05:53PM (#7049745)
    The report really doesn't add anything new. Everyone and his cousin's dog have already commented on how "monoculture" is a Bad Thing and Mircrosoft's (in)security is legendary.

    Prediction: most of the counters to this will come from the observation that it was sponsored by the CCIA, which contains many of Microsoft's would-be competition. Of course, the CCIA contains just about everyone -- but then I repeat myself.

  • by banky ( 9941 ) <gregg AT neurobashing DOT com> on Wednesday September 24, 2003 @05:54PM (#7049750) Homepage Journal
    (trying desperately to remember the quote from Ghost In The Shell)

    It's not Microsoft, specifically. The problem is monoculture. No matter what the dominant OS - Windows, Linux, Mac OS, BeOS - the number one guy gets picked on the most, and exploited the most. That creates weakness all the "trustworthy computing" in the world can't fix.

    What I fear is some kind of mathematical "reduction" of the problem. "OK," they'll say, "we'll mandate that 30% of stuff move to Linux". OK, great idea: which 30%? "Hmm, you're right. We'll say 10% of web servers, 10% of desktops, and 10% of back-end (DB, etc) stuff." Getting warmer: which 10% of the web servers? Which 10% of the DB servers? Can you get rid of some of your MSSQL on W2k and replace it with Sybase on Linux (easily, with not serious cost and porting problems)? Etcetera, etcetera. I call that "going nowhere fast".

    I guess what I'm trying to say here is, I don't really see how to undo the monoculture, when it is backed by 1)such amazing industry power and 2)such entrenched mindset. Figure out how to get people to seriously believe they can run Linux, or Mac, or whatever, and you've gone a long way to solving the problem; but isn't that what people like Microsoft are working just as hard to undo?
    • "OK," they'll say, "we'll mandate that 30% of stuff move to Linux". OK, great idea: which 30%? "Hmm, you're right. We'll say 10% of web servers, 10% of desktops, and 10% of back-end (DB, etc) stuff." Getting warmer: which 10% of the web servers? Which 10% of the DB servers?

      Doesn't having different parts of your infrastructure spread over a smorgasbord of different operating systems just increase your exposure? All it takes is a single unpatched exploit on any one of your operating systems, and suddenly

    • "I don't really see how to undo the monoculture,"

      Force MS to pay for their crimes. If they had played fairly, they could never have grown like they did. We should hit MS with fines equivalent to about 2/3 of their market cap. Most of the money should be used pay back people who were forced to pay too much for sw and stockholders of companies that were illegaly eaten by the beast. The rest of it should be given as grants to develop free sw.

      Alas, this could only happen over dubya's dead body.
    • by Isomer ( 48061 ) on Wednesday September 24, 2003 @06:29PM (#7050052) Homepage
      While doing this within one organisational unit completely screws with your TCO (now instead of sitting smugly every time there is a Linux exploit, you now have to patch servers every time there is an exploit on Windows/Linux/FreeBSD/OpenBSD/....), having different departments or different companies have different distros.

      If you really need fault tolerance, having two redundant systems running different software is an excellent idea if you're willing to pay for that level of support.

      You can also avoid the monoculture effect by making your "strain" subtly different, for instance prelink lets you randomise the addresses in memory of dynamically loaded libraries making automated exploits harder (since all the addresses changed), or using something like gentoo where you compile everything from scratch with subtly different USE lines, or optimisations.

      Even recompiling your kernel with certain options can change the machine enough that common automated exploits won't work.

      This is why the proliferation of Linux distros are a good thing, you can have some level of diversity by installing different distros without getting so much diversity that you your support costs go through the roof.

      Portability of Linux means you can run Linux on intel and powerpc chips causing almost all automated exploits to fail, but only requiring a recompile as far as software is concerned. This can be a good solution for having two servers in a load balanced, failover cluster by having each server running on a different architecture.

      In general, Windows doesn't have these advantages, Windows isn't portable across platforms. Windows doesn't let you recompile large chunks of the OS with different options, Windows only has a limited range of "Editions" and different editions are usually unsuitable for running the same task. Windows is often lacking equivilent software (How many replacements for exchange are there? How many Linux MTA/MDA/MAA's are there?)
    • No matter what the dominant OS - Windows, Linux, Mac OS, BeOS - the number one guy gets picked on the most, and exploited the most.

      If only this applied to IIS. Not even nearly the dominant player and still defaced/cracked/prised open ten times more often than all the others put together. Defacement sites eventually stopped keeping mirrors of IIS hacks because there were so many.
    • the number one guy gets picked on the most, and exploited the most

      I think that's arguably not true in the web server market, in which Apache pretty clearly dominates. I've been curious for a while to see if anyone would do a study between Apache and IIS comparing rates of security hole discovery, average time to patch/update release, and average time between release and install. My suspicion is that despite being the clear market leader, Apache's stats in this regard are competetive with IIS.

      I think Micr
  • No shit, Sherlock (Score:2, Insightful)

    by Bistronaut ( 267467 ) *
    Reports like this frighten me deeply. The possibility that people exist who don't already know that "operating system monoculture = bad" just boggles my mind. Of course, there are the people who do know this, and pretetnd not to (read "Microsoft, MCSEs, maybe government kick-back-takers"). Those people make me angry, but I think that we are in more danger from the first group (idiots) than the second (the willfully evil). OK - that was some good spleen-venting.
  • by daeley ( 126313 ) * on Wednesday September 24, 2003 @05:56PM (#7049779) Homepage
    While the report's authors note the seriousness of their recommendations, they stood by them. "When the government uses a product whose monopoly position undermines its security, anti-trust becomes a national security issue..."

    That's it! Get the National Guard surrounding Redmond immediately! Shut 'er down!
  • Not that bad on MS (Score:5, Interesting)

    by JoeCommodore ( 567479 ) <> on Wednesday September 24, 2003 @05:57PM (#7049786) Homepage
    The article stated that having SO many computers on one OS was a threat (makes it easier to bring down a whole lot of systems in one fail swoop instead of say a cluster of one type of OS.), also the person mentioned that that one OS has been having some security issues.

    Not that I like MS, but this situation would pertain to any other OS if 90% of machines were using the same OS. Even it it was an OS you liked or felt was secure it is a big issue.

    • Bad enough on MS (Score:3, Insightful)

      by AJWM ( 19027 )
      this situation would pertain to any other OS if 90% of machines were using the same OS

      Yes and no. For example, I'm running the same OS (SuSE Linux) on several of my machines, but they're not a monoculture: one's a Sparc, one's a PPC, the rest are x86s. Of the latter, no two are running the same set of services, nor necessarily the same executable for the same service on different machines.

      The former (different architectures) isn't even possible with MS (not since NT4, anyway), and the latter (differen
  • by Zhe Mappel ( 607548 ) on Wednesday September 24, 2003 @05:57PM (#7049787)
    The choice of Microsoft has a kind of nice symmetry, though, you must admit.

    We rely upon half-baked right wing Dr. Strangeloves to choose the foreign countries that will welcome our invasions...

    We rely upon deregulated billionaires to keep our stock market and investment firms honest...

    We rely upon greedy employers not to send our jobs overseas in order to ratchet up the stock value and buy themselves extra homes and diamonds...

    So why shouldn't we rely on a convicted monopolist with a track record of utter failure behind it to keep our national computer infrastructure secure, too?

  • by Anonymous Coward
    This is just Ed Black--a consultant for Sun and Oracle with a history of slamming Microsoft on behalf of his clients--using a forum to once again go after Microsoft. Ed Black ain't no security expert. He's a lobbyist. And what the heck has @stake done to be deemed a leading security firm? Ooh. They're consultants for IBM. ( i gest05.shtml) Imagine that! IBM, Oracle and Sun bashing Microsoft.

    This "analysis" is just a load of crap from Microsoft's competitors l
    • Re:bogus report (Score:4, Informative)

      by RealAlaskan ( 576404 ) on Wednesday September 24, 2003 @07:14PM (#7050470) Homepage Journal
      Ed Black ain't no security expert. He's a lobbyist.

      Imagine for a moment that you were right[1] about the author's credentials. That would make him the IDEAL spokesman for a very valid idea: that a software monoculture (even if it were a good one, rather than a MS monoculture) is BAD.

      Think about this: who listens to lobbyists? Why, Senators and Congresscritters do! The very people we're going to have to convince on this issue, to have a prayer of overcoming the bureaucrat's resistance to change. If the authors include some lobbyists, that would be a great thing.

      Imagine that! IBM, Oracle and Sun bashing Microsoft.

      The idea that software monocultures are bad, and MS's products are insecure, is correct. It's true, even if SCO, or Satan say it. You should avoid ad hominem attacks; they make the attacker look silly.

      [1] The authors, by the way, were (from the pdf):

      Daniel Geer, Sc.D - Chief Technical Officer, @Stake

      Charles P. Pfleeger, Ph.D - Master Security Architect, Exodus Communications, Inc.
      Bruce Schneier - Founder, Chief Technical Officer, Counterpane Internet Security
      John S. Quarterman - Founder, InternetPerils, Matrix NetSystems, Inc.
      Perry Metzger - Independent Consultant
      Rebecca Bace - CEO, Infidel
      Peter Gutmann - Researcher, Department of Computer Science, University of Auckland
      Some of these people know what they're talking about. Some are respectable in political circles. That's all good.
  • This really is nothing more than common sense. As is pointed out, a monoculture of anything is asking for trouble, be it in computers or in agriculture. When there's only one type of target to attack, it's much more vulnerable than a diverse population is. This is a basic concept that extends all the way from basic genetics to the high tech of today - it's just that we occassionally need to be reminded of it, evidently.
  • Moncropping (Score:5, Insightful)

    by phoneyman ( 706381 ) on Wednesday September 24, 2003 @05:59PM (#7049805)
    I agree with the report authors that the monoculture of Microsoft is dangerous. Any one of us can see that, particularly after this exceedingly expensive summer, the MS monoculture we're enduring is costing us billions.

    However, I cannot agree with the recommendations that require MS to do this, that, and the other thing. Recommendations such as releasing Office for other platforms at the same time as for Linux and MacOS for example. The only recommendations I could see supporting would be those that explicitly break up the company into OS and application divisions - in order to shatter their monopoly.

    The recommendation that they must release their apps onto different platforms is, IMO, dangerous. It means that they will then unleash their "user friendly" nonsense on OSes such as Linux, and we'll end up with the absurdity of the Windows platform paradigm trying to seed its ugly crop of security problems in a new field instead.

    For National Security purposes Governments should insist on only using applications that they can also purchase the source code to. They should insist on using applications that are proven to be secure, not just popular. And they should insist that software companies be held liable for flaws that cost them security.

  • I'll probably get moded down to troll or flaimbait but really, how much better are any other OS? On the heels of the two OpenSSH and the sendmail exploit, this comes out. Arn't OpenSSH and sendmail both *nix based programs? Yes, the actual OS itself isnt to blame in this circumstance but don't these tools come stock with most *nix distros?

    Don't get me wrong, I'm not saying that M$ shouldn't be held liable for the craptastic OS that it spews out all the time but really, how much worse is it security wise
    • To think that problems won't be found in any large software project at some point is, I think niave. The point however is one of culture and scale
      1) Microsoft's OS is ubiquitous.
      2) Its a user-friendly desktop OS which people plug straight into the Internet
      3) You have no choice but to wait for Windows Update to supply you with a patch for any holes
      4) Everything is intigrated to such an extent that a hole in one part can lead to exploits system wide and patches can just as easily break one thing as they
    • by JimmytheGeek ( 180805 ) <jamesaffeld@yahoo.cCOUGARom minus cat> on Wednesday September 24, 2003 @07:35PM (#7050633) Journal
      SSH is amazing. Sure, I have to block it at the router at the moment, pending updates, but are you really considering it a net disadvantage? I'd say the presence of OpenSSH in the *nix world (and it's fine port Putty for win32) is a huge plus.

      The equivalent in win32 is to throw a bunch of poorly implemented and largely documented controls at the world and let the kiddies run wild. A big piece of the evolution of windows is the increase in ways for strangers to do stuff to your machine. Dcom? What the hell is that? Why is it running? Why does it take a registry hack to eliminate it?
  • I can't see companies suddenly rushing out to switch to Linux from this alone. The recent virii, worms, and trojans have had a cumulative effect, and this will add to it, but I can't see it making a difference on its own.
  • by RT Alec ( 608475 ) * <`alec' `at' `'> on Wednesday September 24, 2003 @06:01PM (#7049830) Homepage Journal
    I agree with the article's conclusions, but I am not sure I agree with their proposed remedies. I think the most appropriate thing to do (for a government) is to require the use of open protocols.

    For example, if the various departments and branches of the U.S. government would stop exclusively using MS Word as their ubiquitous document exchange format, that would make a big difference. Right now, if you want to do business with the U.S. government, you pretty much have to purchase and use MS Word. Then your office needs to purchase and use MS Word. Well, as long as your Washington office is using MS Word, I guess that field office that decided to save some money by using Word Perfect ought to "upgrade" to MS Word as well. Seems the import filters for Word Perfect don't quite get the latest version of MS Word just right.

    OK, you can use Open Office or Word Perfect to create your documents, but will the pagination, headers, footers, and other tid bits come out right? No. These software products cannot make a "perfect" MS Word file because they don't know how. Microsoft has not published the specs for such a file. When the import filters get close, the MS Word format (the default format that the latest version saves to) changes ever so slightly.

    How about the U.S. standardize on an open document format (egads-- not SGML but maybe even Microsoft's own RTF... anything!). Then, make sure their e-mail systems, VPN protocols, encryption formats, etc. remain based on open standards. Where Microsoft (and to be fair, others) "embrace and extend"... don't allow such non-standard extensions for dealings with the government.
  • by argoff ( 142580 ) on Wednesday September 24, 2003 @06:01PM (#7049835)

    Any false property right is a danger to societies security. Just look at how slavery led to the civil war. Today many are betting trillions of dollars on a false premise, that works of knowledge can or should be owned without any understanding of what that implies. Because information is becomming so easy to copy, change, and manipulate - the "middle" gound is quickly evaporating, either all information will half to be controlled or none of it.
    • by jdunlevy ( 187745 ) on Wednesday September 24, 2003 @06:28PM (#7050049) Homepage
      Any false property right is a danger to societies security. Just look at how slavery led to the civil war.

      How would you define a false property right? In your view, are there any property rights that are not false? If some property rights are false, and others true (or legitimate) what criteria are we to use to distinguish between the two? Clearly, there is no right to have slaves, so any claim of that as a right is a false claim; but what is it about copyright that is similar to slavery that makes it also a false property right -- especially if there is such thing as a true property right?

  • by SpamJunkie ( 557825 ) on Wednesday September 24, 2003 @06:04PM (#7049861)
    Is relying on one vendor even that bad of an idea? The really bad idea is relying on computers for national security.

    Think of the locks that are used for locking the doors of government buildings. Are they all from one vendor? What happens when it is discovered that locks form that vendor are more vulnerable to being kicked in? I don't imagine a bunch of engineers get together to design better locks in their spare time, however there is the chance that might happen if the most popular lock company was constantly making locks that were more vulnerable than neccessary.

    However there is still a key difference between locks and computer security that must be considered: location. A locked building in Washington, DC isn't going to be compromised by someone in China. Anything that is so important that obtaining it can be considered compromising national security should not be stored on a computer accessible to the internet.

    The government should realise this (they probably do) because this isn't the first time this has been an issue. Long distance communications during wars before the internet used various means of encryption to keep national secrets secure. Why can't they do the same for electronic communications? Create the electronic message on a machine that isn't connected to the internet, encrypt it, and burn it to a CD. Either mail the CD or send it using a computer connected to the internet. Then destroy the CD.

    The government likely knows this and almost certainly has national secrets under more heavy protection than a sneakernet. When they complain about insecurity, whether it be from terrorists flying planes or chinese youths, what they really want is money and laws. They're not actually so clueless as to leave valuable lying around, but it's useful to let citizens think they do.
    • Long distance communications during wars before the internet used various means of encryption to keep national secrets secure. Why can't they do the same for electronic communications?

      And there is no way to prosecute modern warfare with a sneakernet.

      Real-time imagery, intel, decisions, and targeting cannot happen without real-time communications.
      The ability of the Chiefs in the Pentagon to see exactly what a tank commanders sees is invaluable. And for them to tell him that there are in fact enemy tank
  • by ejaw5 ( 570071 ) on Wednesday September 24, 2003 @06:07PM (#7049892)

    WASHINGTON A virus seriously disrupted computer systems at the State Department this week, including the database for checking every visa applicant for terrorist or criminal history. The failure left the government unable to issue visas worldwide for nine hours.

    The virus, which struck Tuesday, crippled the department's Consular Lookout and Support System, which contains more than 15 million records from the FBI, the State Department and immigration, drug enforcement and intelligence agencies. Among the names are those of at least 78,000 terror suspects.

    A State Department spokesman said the virus, known as Welchia, did not affect any data on the name-checking system, and the agency's classified computer network - used to send its most sensitive messages and files - was not affected.
    • We hear about this kind of thing constantly, from around the world (remember those two mainframes stolen from that Australian airport a couple weeks ago.) And every time they say something like "... while the computers involved were important, no confidential information was exposed or affected by the attack." Baloney. If they were so important then something valuable was stolen. Tip of the iceberg time, my friends. I think that information theft on a Biblical scale is going on all around us, from stea
  • by ducomputergeek ( 595742 ) on Wednesday September 24, 2003 @06:10PM (#7049911)
    No system is 100% safe. There are some things one can do, like making sure everything is patched and another is to use odd systems. I worked for an architecture firm that used several ALPHA server for rendering projects. Several of these boxes had True64 Unix. When a couple were retired from rendering duty, we reconfigured those boxes as our router and firewall in the office. Why? Well, True64Unix is an odd platform and not many know much about the system. Its an added measure against script kiddies. Is it fool proof, no I am sure, but as one admin put it, "If they know the exploits of True64 Unix, they're a pro and proably not much we can do to stop those types". One of our boxes was attacked with the OpenSSH bug. If the attack would have been about 6 hours later, it proably would have been patched. Our other 17 boxes were patched without a problem and someone has tried to attack our OpenBSD boxes several times (hell I try once a month just to see how they react) with no luck. But hey, some bug with an FTP daemon or some PHP code and we're SOL. Bottom line: Keep patches up to date, use odd and unusual systems on the in/outbound traffic if you can, and keep lots of backups...
  • In a post [] from last week.

    Somebody should hire me to predict the future of various aspects of I.T. ;-)

  • I wonder if... (Score:4, Insightful)

    by Anonymous Coward on Wednesday September 24, 2003 @06:25PM (#7050032) would cost less for the government to rent all that juicy unused fibre all-across america and build a large private intranet.You want security?Well disconnecting from the internet would be a good start.


  • "A panel of leading security experts..."

    I find it a little suspicious that the story refers to an anonymous group of "leading" security experts with no credentials listed. One needs to be skeptical of these things, especially when it appears that much of it is backed by Microsoft's competitors. Could they be an objective panel? Possibly. Could it be FUD? Possibly.

  • by product byproduct ( 628318 ) on Wednesday September 24, 2003 @06:31PM (#7050064)
    Windows XP Professional
    Windows XP Home Edition
    Windows XP Tablet PC Edition
    Windows XP Media Center Edition
    Windows Server 2003, Standard Edition
    Windows Server 2003, Enterprise Edition
    Windows Server 2003, Datacenter Edition
    Windows Server 2003, Web Edition
    Windows Small Business Server 2003
    Windows 2000 Professional
    Windows 2000 Server
    Windows 2000 Advanced Server
    Windows 2000 Datacenter Server
    Windows Me
    Windows 98
    Windows 95
    Windows NT Workstation
    Windows NT Server
  • Alcohol may be bad for your liver. Film at 11.
  • by silconous ( 636675 ) on Wednesday September 24, 2003 @06:37PM (#7050141) Journal
    Just don't let Microsoft Computers connect to the internet directly With properly placed firewalls there shouldn't be a problem
    • With properly placed firewalls there shouldn't be a problem

      not true. it's not uncommon for a mobile user to get infected through their (unfirewalled) internet connection at home, and unknowingy bring something bad into the corporate network.

  • by marian ( 127443 ) on Wednesday September 24, 2003 @06:38PM (#7050151)

    "Ironically, Microsoft's efforts to deny interoperability of Windows with legitimate non-Microsoft applications have created an environment in which Microsoft's program interoperate efficiently only with Internet viruses," said Geer.
    Gotta love it.

  • by nomad_monster ( 703212 ) on Wednesday September 24, 2003 @06:55PM (#7050318)
    I would usually be the first to jump on the bandwagon here, especially since the US Govt/Bureaucracy is notoriously stupid/slow/inefficient. However, I do know a few things.

    1. Information which has military and security significance is not kept on Microsoft based computers. And before you go off and say that this VISA system contains top secret information, or whatever....first, this system isnt internet connected. Second, this worm was probably introduced via poor security practices. Third... BIG F*CKIN your cousin cant get his visa issued for a few days. Like I said, this is not a critical system, and they just send everyone back home, and new visas are able to be issued in a few days. If nothing else, we should be happy this happened, as it reiterates the security problems in Microsoft's OS. The high level thinkers here aren't idiots, far from it. Remember, the government employees you interact with on a daily basis aren't necessarily representative of the intellect on high.

    2. There is a good general practice of not connecting these networks together. Not only that, but anyone slightly familiar with places like the NSA and CIA will tell you that there are separate networks for classified, secret, and top secret. Even when these computers all sit on the same desk, they are not allowed to move information between them, since there is theoretical possibility of data leakage.

    3. Anything deemed secret or higher is run on things like virtual vault, trusted HPUX or Solaris. NSA has some stuff with Linux, but this isnt widespread yet.

    Remember, the big thinkers in the Govt, arent in the fucking post office, VA, IRS, etc...

    Geez people, do you think we got this far by being a nation of morons. Why do most wealthy foreign nationals send their kids here to the US to be educated?

"I have just one word for you, my boy...plastics." - from "The Graduate"