Air Force Warns Microsoft/Others to Tighten Security
FattyBoeBatty wrote to us with a story
from USA Today about the Air Force and security concerns. The Microsoft point is the primary point of the article, but the AF CIO has also made the point at industry forums, and evidently with Cisco. Specific companies aside, I think it's a good thing that organizations are beginning to realize the exposure they have on security issues - and maybe will actually start to take steps to close them.
It's good to know that the people we're relying on for air defense of our nation are smart enough to NOT open the Love Bug email. I think I'm moving now.
I guess in the Air Force the CIO is a REAL O. ;-)
Quando Omni Flunkus Moritati
I guess 28 days haven't been enough for MS to fix their trash :)
...if they have to give up features for security. The crap features and reinvented "new features" are why you buy the OS in the first place.
The government has been trying to get M$ to do what they want for a while now in the US Courts. You think the Military is going to get any progress??
thelikesofwhich.com
Why do they stick with MS if they have security issues?
Why hasn't anyone asked this question?
We run Exchange Server, and we get hit by an Exchange Server virii
Quick solution: Don't use exchange server.
Why sit and wait for MS to comply?
It just seems odd to me.
Note: I'm not saying "Y d0nt j00 B 1337 4nd us3 L1NU><?" I'm just asking why stick with MS.
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
Air Force seeks better security from Microsoft, by Byron Acohido, USA Today, Seattle. The top United States Air Force official warned Microsoft to sharply improve its software security or risk losing the Air Force as a customer. In interviews, Air Force Chief Information Officer John Gilligan revealed that he has told senior Microsoft executives that the Air Force "is raising the bar in our level of expectation" for secure software.
I'm kind of disappointed that the Air Force is using Exchange in the first place. I hope that when they realize that Microsoft is not ever going to be able to meet the somewhat unique requirements of the DoD (For them, lives do hang in the balance), that they are willing to take their business elsewhere.
For those that would die defending it, Freedom
has a sweet taste that the protected will never know.
The Air Force is free to buy a better operating system, if they can find one. And, yes, it's right and proper for a customer to make requests known to vendors. However, the threatening posture of the Air Force in this matter, in the context of ongoing government harassment of the vendor, is very ominous. The federal government is in the habit of enforcing its "preferences" with deadly force at times, and their reservations about the worth of free competition are well known.
Let's let free enterprise do its job. Political pressure has no role here. The private sector must remain free and independent so that it can provide the solutions that the marketplace wants.
"Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive" -- hey, that's me!
The Canadian air force is also putting a lot of pressure on punch card manufacturers to force them to close a lot of security holes in their software...
Try it! Library of Babel
... a 12 year old taliban-boy hacked their win2k servers? *ouch*
Life sucks.
It doesn't matter who warns Microsoft and when. Security isn't something you suddenly do, it is built from architecture to deployment, and Microsoft is nowhere close to engineering any secure products.
Windows is insecure in its conception, and unfortunately I see very little that can be done to reverse this.
Broken Hearts are for Assholes. - Frank Zappa
This is a large customer threatening (sorta) to take their business elsewhere. When large high profile customers raise a stink vendors take notice. This is exactly how the security problem will get fixed. Hopefully other large clients will follow suit.
Ever heard the saying "The squeaky wheel gets the grease"?
Exchange may have its faults, but I've seen virii spread with equal rapidity via Sendmail. If you want to blame something, blame Outlook. Or more correctly blame the default settings to which Outlook installs.
You're using her as bait, Master!
In my humble opinion, the only reason all the security holes are being found in Microsoft's software is by virtue of the fact that it is, like it or not, running the majority of the world's computers, something like 95%. I am sure that if any other OS was as widely used, more breaches would be found in its security, and don't say that *nix does not have any security holes, because we all know that it has had its share, although not quite as numerous. So I believe that Popularity=Exploitation
I hate sigs.
Why doesn't the Air Force look at itself? When choosing their systems they must have been aware of the major security risks Microsoft products have a history of having. They must have known that there exist tens of thousands of viruses targeted at the Windows operating system. They must also have known that in the war against the viruses the crackers have got the element of surprise. They must also have known that Microsoft products are - by crackers - looked at as unreasonably easy systems to break into. Is this information I'm sitting on some kind of secret or is there another reason the US Air Force chose to base their framework on Microsoft?
I would dare to say that the Air Force has been misled. Maybe they overlooked alternatives - like Linux - because there wasn't a big organization behind them, or maybe they were swayed by something else. Is it now too late for them to change their systems or is there still hope for their security? How can they ever be sure that Microsoft has secured their systems?
Look a monkey!
Microsoft must provide a secure OS. And it has to be more than words. Businesses and government agencies are recognizing the cost of an insecure OS. Right now I wonder if Microsoft truly realizes that they are in a precarious place. They need to spend big bucks to make their OS secure. Talking the talk will not do it. Adding on security to their OS will not do it. They need a major rewrite of the OS to fix it. That will cost, but Microsoft has the money. Do they have the will to do it?
I'm not trying to say M$ is innocent, I just want to point out that no matter how secure the OS is, users need to be educated in computer security, or it's all going to go to shit anyway. My $0.02 (cha-ching)
That impenetrable fortress of electronic communication?
Hence the Army's move 2 years ago to a more secure system. Who's the jarhead now?
(is there a '-1 Mactroll' option?)
You know what?
Instead of the military spending billions on operating systems, why don't they just use Linux and use the money to hire programmers that will maintain security??
I totally disbelieve this article.
We are wholeheartedly all out sold out to Microsoft.
We (actually, the US military) have recently implemented a MS only messaging solution using Exchange and Outlook called DMS. The solution took well over 6 years to develop secure email (snicker), and still doesn't work right. Even though there is freeware that could have been implemented that we would be able to see the source code for - the PHB lemmings of the AF chose, instead, to go with a MS solution.
We also recently moved to a multi-thousand GAL (Global Address List) - the Microsoft proprietary solution which has opened us up for years to things like Melissa and I LOVE YOU and all of that other crap that used MS features to spread itself like wildfire.
Every base has MS license agreements for support - and by those agreements - like the rest of the world - we are either going to continue paying $.50 a hit for our fix each year, or pay $100 each time we buy another computer.
As a young Lt., I spent 6 months replacing perfectly functional Solaris boxes that performed our web, SMTP, DNS, SQL, and other basic network services with NT 4.0 boxes. A week after we recovered from Service Pack 2 - I strongly recommended that we slow our migration - and that it was costing us more time and money supporting Windows machines than the UNIX boxes which never needed any work or upkeep. Some had uptimes of 4 years until I pulled the plugs on them. (Don't beat me - I was the lowest ranking puke in the house - and I did what I was told.)
After the first virus attack - I stood up in a meeting and demanded to know why the room wanted to spend all its time figuring out how to rip out the functionalities of the Windows boxes that made us vulnerable and didn't look at solutions which were inherently not vulnerable - and was flabbergasted. It was like I was in a room full of guys from Boston and had said that the Bruins sucked. They all became instant apologists for MS and their shit software... how it wasn't that hard to fix the problem and that we had virus software, yada yada yada..
Meanwhile - my home Mac OS 8 server was chugging along just fine, even though I had gotten the viruses from lots of people at work. But it easily could have been a FreeBSD or Linux box too.
This is a lot of huffing and puffing. It's a farce. It is because there is no one with the nads to make a decision against what everyone knows - that MS 0wn2 J00, stupid Air Force.
guns kill people like spoons make Rosie O'Donnell fat.
That's great, Steve. Except how long ago was this message sent - two years? four years? six years? You guys have had lousy security ever since you happened upon the 'net, and you're just now figuring out that it's important? Exactly how slow are your nervous systems, anyway?
Pretty much everything said from the Mouth of Microsoft these days is in CYA-mode, it seems to me.
I was just thinking back on why this might be a problem for the military in general. Having had some experience as an admin in the Army, amongst some other experiences, I feel comfortable with the assertion that from the perspective of a software user, the military is no different than any major corporate entity. While they do have hardware and software that most corporations do not have, the same can be said for GM, Sabre, and Citicorp. Yet for most day to day operational stuff, admins, supply people, and more and more mechanics are using off the shelf software to support their job. Part of this is cost savings. Even at inflated DoD prices, it costs them less to purchase Office than it does to write their own office suite. For situations that do not require hardened computers, it is cheaper to buy off the shelf than to custom order. That doesn't mean that these systems require any less security than corporate systems do, or even that they need more security, though that is arguable. However the implications of a hacked PC that manages where soldiers are going to be stationed, or what parts are in inventory, or what grade screw belongs on that part of the engine, are a bit different for computers in the military than they are for a corporate office. Likewise for whether that order makes it to the server in a timely manner. For a business, it means money. For the Military it also means money, but it can also mean lives, or battles. -Rusty
You never know...
"The military and the government don't really have too much choice at this point except to start to put pressure on Microsoft and others to improve software security," Erbschloe says.
Let this be the thread for the Free Software zealots to reply saying, "and therein lies the problem with proprietary software".
...to wait for a full settlement in the case against Microsoft, rather than to wait for them to fix security issues.
Can't help but feel that running an operating system that loads of people all have to play with and hack into at will is a strange thing for the Air Force to do.
If I have a car, and I don't like its security features, I sell it and buy another car.
The Microsoft strategy has been, since day one, to marry Windows and the Home PC such that this kind of consumer choice is not possible... but people KEEP buying Windows licences.
Go figure.
Conversion Rate Optimisation French / English consultant
This is a step in the right direction, but it won't be enough to make MS and other big vendors make their products secure. If technology users want security, they must demand it. The Air Force, while possibly a big customer, is most likely not the biggest that MS must deal with. If OEMs and large corporations demanded secure products, then we'd get somewhere. As it stands, MS doesn't really have to do much for the Air Force. If the AF wants to interact with much of the rest of the world, they have to use MS, secure or not.
From: the office of B.Gates:
To: AFCIO
I'd like to remind you I own 10% of General Dynamics.
Thank you for your time.
EOF.
Man this is going to be some interesting politics.
This is what happens when military specs say things like "Must run windows"
Instead of
"Must have GUI front end"
If the Air Force is anything like the Army, it's the sergeants who keep things running.
We'll never see (more) secure products until the manufacturers become legally liable for losses due to the software. There's simply no financial incentive to improve security, especially if you're the biggest player.
My guess is, this letter was an attempt to secure a cheaper license from MS. They're not going to simply switch over to something else.
Not about the Air Force or MS, but related.
The Dep't of the Interior's networks & web sites are now just coming back up, after being shut down for over 2 months by court order due to an almost complete lack of security on the network that allowed virtually anyone with a port sniffer to get into the Indian Trust Database -- a terrible failure of their IT, and a wonderful example of how exposed & poorly run many government networks are. CNN has a short summary.
The interesting story here is that my mom (a Nat'l Park Service employee) was recently given a service award for letting the accounting people go to her house & use her computer at home (which I set up, and is secure, running WinXP behind a Linksys BFSR41 routed switch w/ firewall) to install software to make payments to contractors, do office supply, etc.
Interior deserved what they got & should have had their shit together, but the result was over 2 months of torture for almost every DoI employee. It's fearsome, though, that a firewalled home connection could be more secure than government and military networks. I dunno about the military, but Interior is apparently desperate for decent IT support.
The only tool you've got against psychosis is experience.
This "warning" to Microsoft makes me wonder if the Air Force will soon be receiving a letter from MS's Licensing Dept. about whether they have the "correct" number of Windows and Office licenses.
And on a more serious note... A couple of posts have questioned why the AF uses MS products. When I was in the Air Force we were directed to convert our bases' Novell/cc:mail/Linux servers all over to MS products. The reason we were told was that they wanted a standard set of products used at all AF locations. This way, when you went from base to base, you would already be familiar with the software infrastructure. The reason MS was chosen was because it was easier to train people to learn the basics of Windows compared to the others. At the time, the Air Force was also learning that if they spent 4 years teaching someone to be a Linux/Solaris/etc guru, they would opt for a civilian job when their re-enlistment time came (i.e. they'd rather double or triple their salary and not have to worry about being sent to Bosnia).
Why doesn't the air force get an anti-virus solution for the server/clients? Block attachment types (obvious ones, .pif, .scr, .com, .bat, .exe, etc), filter for virii, and have it update automagically.
SEVERAL vendors make a product like this (i.e. Trend Micro).
-----
Hint: It doesn't go boom, more like cha-ching.
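The gateway filter the post above suggests, as an added example that is not part of the original thread and not any vendor's product: it walks a MIME message, looks at each attachment's real (last) extension against a blocklist, and so catches the double-extension trick the ILOVEYOU worm used ("LOVE-LETTER-FOR-YOU.TXT.vbs"), which a naive check on the first dot would wave through. The blocklist and the sample message are constructed for the example; the list is a representative set of Windows-executable types, not an official one.

```python
"""
Added example (not from the original thread): a minimal mail-gateway
attachment filter. Uses only the Python standard library.
"""
import email
from email import policy
from email.message import EmailMessage

# Assumption: a representative set of executable/script types that a
# gateway would block outright. Real deployments tune this list.
BLOCKED_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "reg", "lnk", "shs",
}


def risky_extension(filename):
    """Return the blocked extension found in filename, or None.

    Only the token after the LAST dot decides how Windows opens the file,
    so "LOVE-LETTER-FOR-YOU.TXT.vbs" is a .vbs, not a .txt. Trailing
    spaces are stripped because the shell ignores them too.
    """
    if not filename:
        return None
    name = filename.strip().lower()
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[1].strip()
    return ext if ext in BLOCKED_EXTENSIONS else None


def scan_message(raw):
    """Parse a raw RFC 5322 message (bytes); return [(filename, ext), ...]
    for every attachment whose extension is blocked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not a leaf body part
        fname = part.get_filename()
        ext = risky_extension(fname)
        if ext:
            hits.append((fname, ext))
    return hits


def should_quarantine(raw):
    """Policy decision: any blocked attachment means the whole message
    is held rather than delivered."""
    return bool(scan_message(raw))


def build_sample():
    """Constructed sample message mimicking the ILOVEYOU attachment name
    (the payload is a harmless placeholder, not the worm)."""
    m = EmailMessage()
    m["From"] = "someone@example.test"
    m["To"] = "you@example.test"
    m["Subject"] = "ILOVEYOU"
    m.set_content("kindly check the attached LOVELETTER coming from me.")
    m.add_attachment(b'MsgBox "placeholder"', maintype="application",
                     subtype="octet-stream",
                     filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    m.add_attachment("just some notes", filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    raw = build_sample()
    for fname, ext in scan_message(raw):
        print(f"blocked attachment: {fname} (.{ext})")
    print("quarantine:", should_quarantine(raw))
```

Blocking by extension is the cheap first layer; it does nothing for macro-bearing documents or for an archive wrapping the executable, which is why the post pairs it with a virus scanner that updates on its own.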
the PHB lemmings of the AF chose, instead, to go with a MS solution.
It's a lot deeper than that.
Bill Gates owns a large chunk of almost every major military supplier, including General Dynamics.
Sometimes, when I lie awake at night, I think that if I didn't have a wife and children, I'd kill Bill Gates and lay waste to Redmond with some disease. Sure lots of people there are just 'doing their job', but the redcoats were just doing their job, and so were the Nazis.
But then I realize that would be wrong, or maybe I'm justifying my own cowardice by thinking it's wrong.
Are you a coward?
You don't simply up and abandon your entire email structure on a whim. First you threaten the manufacturer to improve or else, and that's what the AF has done.
I work on an AF base, and in my building alone we have about a half-dozen Exchange servers. (One alone can't handle the load.) What do you recommend as the "quick solution" here? What suite of programs are we going to use on all the desktops now that Exchange is gone? Remember that it doesn't just do email; it does tasks and meetings and all that crap.
What "quick solution" do you recommend for thousands of people at a time?
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
WTF? Erbschloe (try saying that ten times fast) is saying that the United States Air Force is dependent entirely on Microsoft for its IT systems? Couple this with the fear that the USAF infrastructure controls enough stuff that a successful attack could shut down vital systems, and you've basically got the whole Air Force relying on Micros~1.
The USAF is Microsoft's bitch. Go fig.
From the article:
Gilligan, former Energy Department CIO, has discussed security most often with executives at Microsoft. "They are the biggest supplier to the Air Force, and my attempt has been to encourage them to set an example," he says.
I am guessing if M$ is a major supplier of software to the Air Force, it is probably the same for the other branches of service as well.
Now I see why all of our helicopters and planes have been crashing without being shot down. Brings a whole new meaning to "Fatal Exception"
--Jon
The costs that many are concerned with are new applications checkout and user education.
When a local church was considering upgrading their Windows 3.1 system to 95, 98 or NT, I suggested that it would be just as easy to upgrade to a Mac. The secretary didn't know how to use anything other than WordPerfect, and the new Pastor already knew how to use a Mac. That left teaching the secretary how to boot and shut down the Mac - which you'd have to do with 95, 98 or NT. Naturally, the Air Force would have more work to do.
When the DOJ case came out, at least one comment circulating was that the US should simply stop buying MS products - as that would cost MS more. As I understand it, this is the China solution.
-- Stephen.
Since 9/11 and the new attention paid to security, more people are willing to make good on their threat to take their business elsewhere if the security of a product is poor. The excuse of comfort with Win products will no longer be an excuse to let Bill off the hook.
M$ being a marketing firm will respond to market pressures way before they'd give up in court.
/.
Given the history of inept system administration in the US Armed Services, I have to laugh.
If M$oft actually delivers a secure system, it will immediately be compromised by some knucklehead who wants to play Everquest without his superior officer finding out.
--Charlie
The problem with Microsoft security isn't the bugs and the loopholes.
It's the fact that their basic software architecture is fundamentally insecure.
One virus. Two VIRUSES. (Yeah, it's been explained before).
Think, write, think, edit, think...then post.
I think mainstream media may be finally catching on. This is the first article I've seen where they flat-out state that Love-Bug, Melissa, SirCam, and Nimda are Windows/Outlook viruses, not email viruses or internet viruses.
Accuracy is nice, maybe the general public will soon learn who is really at fault here.
www.lucernesys.com Horizon: Calendar-based personal finance
A flaw in a software-compression library used in all versions of Linux could leave the lion's share of systems based on the open-source operating system open to attack, said sources in the security community on Monday.
Several other operating systems that use open-source components are vulnerable to varying degrees as well.
The software bug, known as a double-free vulnerability, causes key memory-management functions in the zlib compression library to fail, a condition that could allow a smart attacker to compromise computers over the Internet, said Dave Wreski, director for open-source security company Guardian Digital.
"It is just a matter of time before an exploit is developed," Wreski said.
The flaw, discovered by Linux user Matthias Clasen and Owen Taylor, an engineer at Linux-software company Red Hat, affects any Linux program that uses the zlib library for decompression, including the core software of the operating system, the kernel.
Time for organizations to realize the importance of security?
Anything that leads to a more secure product is great, obviously, but it saddens me that the pressure must always come from the gov't and industry, rather than the community of individual consumers. I suppose this is because I see the individual as having more to lose when it comes to lacking awareness of security and cryptography issues. It is with these large organizations, gov't, military and industry, that we're fighting for our right to completely private and secure systems.
Aside from that, i'm with everyone else in this thread. Let them turn to BSD if they care about security.
I work in IT for the AF. *nix any day.
:-(
Too bad the app I support is Windows only.
sine puella vita suget
The difference is that Outlook server gives you the ability to create huge, expanding mail lists outside your control. Thus, one user can send a thousand emails because he has access to those thousand email addresses via the Outlook server.
There are more secure alternatives than sendmail. For example qmail and postfix. And sendmail has reportedly improved lately too. Personally I'd take any of them over exchange any day.
When I was stationed at Langley I was part of a team that implemented the first version of what's now called CTAPS.
One part of the project was to take an existing application, Combat Airspace Deconfliction System (CADS), written in Modula 3 on a PC and re-implement it in C/GKS on a MicroVAX III running Ultrix.
A couple of months after the re-implementation, my team got a call from an Army guy looking to use CADS. We asked him if he wanted to buy a MicroVAX III and learn how to use UNIX. Answer: No. He got the TEMPEST Z-150/Modula 3 version, as did a lot of other people.
The reason Microsoft has gotten around is that it offered a reasonably simple-to-use product on a reasonably cheap hardware platform. Things may have changed since then, but there is a reason Microsoft is everywhere, and it's not all to do with a lack of military intelligence.
668: Neighbour of the Beast
I don't know why the Gov't just doesn't teach them a hard lesson and start switching to Linux. I think it's frightening to think the Gov't relies so heavily on a closed OS with a very poor track record on security. Instead of telling MS "Please, make your software more secure" and then wait a few years for that more secure OS when they can have it now and many other benefits by using linux for instance.
And what public domain software is there out there that supports S/MIME security labels as mandated by the DoD?
PGP is simply not up to the task of providing a military messaging system. In fact the principal insight that Phil Z. had was that PEM was being designed with the assumption that the rest of the world ran according to the strict hierarchical principles of the military.
What the posters on this whole story don't understand is that they have a radically different approach to security than the Air Force. In the real world you increase security by removing features. In the military you increase security by adding security features.
DMS was designed in the days before 'Commercial Off the Shelf' (COTS) became a US govt buzzword. The military do genuinely have a number of requirements that are not shared by the general public, such as the ability to continue functioning after the loss of 80% or more of the infrastructure in a particular locality. But there is no reason why they need their own message formats and there is no reason why DMS can't use COTS to provide at least a core.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
I have a suggestion...
Why don't you take all this negative energy and hate and direct it to something positive. Like, learning how to administer your Windows systems so that they aren't vulnerable to issues.
The company I work for has not had any issues with email-borne viruses since ILOVEYOU. It took one lesson, we learned from it, we corrected the problems and we moved on. If you don't learn then you are too stupid to be in IT.
"running the majority of the world's computers"
And Winders runs on exactly what big iron?!!
Maybe you should more properly phrase that as "Windows runs the majority of the world's PeeCees -- and none of the real computers.
Sheesh. Kids these days with their internet.
You forget that Outlook+Exchange is more than an email client. Yes, we could mandate Eudora (or whatever) as an email client. What then do we mandate for a meeting scheduler and a remote task assigner and all the other crap that Outlook+Exchange does?
And then who are you going to get to train people in all these new programs?
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
Yeah, keep parroting this...then you should mention that at the same time the vulnerability was announced, a fix was available: download zlib-1.1.4. Sheesh. You NEVER get this responsiveness from M$. Also, the vulnerability wasn't a root exploit, you couldn't trash a system with it, couldn't use it to gain root.
In Bushworld, they struggle to keep church and state separate in Iraq as they increasingly merge the two in America.
They could very well have used a non-proprietary core, as the original poster suggested.
I think in hindsight, that would have been a very sensible decision, don't you?
Matt
>>> The company I work for has not had any issues with email born viruses since ILOVEYOU.
Did you connect it back to the Internet? Sounds like you probably didn't.
It's not up to the taxpayers to pay for Microsoft's shortcomings, which are well documented and well understood. Many of the fatal flaws in the design of Microsoft's products, especially those in its so-called "operating systems", can be laid at the feet of its Chief Architect. Maybe if he'd stayed in college and really learned something about computer and software engineering, we wouldn't be suffering from these kinds of problems.
I'm also wondering what role, if any, the NSA had in this situation; I'd have thought they'd have tapped the USAF on the shoulder and told them what to watch out for... More taxpayers' money wasted, apparently.
BTW, other systems vendors, such as Sun (as mentioned in another post), IBM, HP, Compaq/DEC/Tandem, et al., have always had their feet held to the fire by NSA and the various DOD branches. Why not Microsoft? This smacks of a double-standard. Either that, or the COTS concept was taken to an extreme, and the USAF got what it paid for, which was a crappy so-called "operating system" at a severely discounted price from a vendor who laughed all the way to the bank. Sounds like the proverbial $400 hammer to me!
Trying to lay the catch-up game with Microsoft products is not a positive thing to do; the positive thing to do would be to get non-Microsoft solutions so that these problems don't occur. Positive solutions fix the problem, not patch the symptoms. Incessant, needless patching and worrying is what builds up the negative energy.
and is secure, running WinXP
Does this strike anyone else as oxymoronic? (Firewall or not.)
-- Alastair
As a young Lt., I spent 6 months replacing perfectly functional Solaris boxes that performed our web, SMTP, DNS, SQL, and other basic network services with NT 4.0 boxes. A week after we recovered from Service Pack 2 - I strongly recommended that we slow our migration - and that it was costing us more time and money supporting Windows machines than the UNIX boxes which never needed any work or upkeep. Some had uptimes of 4 years until I pulled the plugs on them. (Don't beat me - I was the lowest ranking puke in the house - and I did what I was told.)
Man.. that work must have sucked majorly... Sounds like the typical case of the suits believing glossy MS brochures instead of their own techs and other people with actual experience. Or in this case, s/suits/guys-with-more-funny-looking-shiny-metal-
What to do? Just wait, time is on our side. No reason to get yourself fired by going against individuals with more power but less understanding than you. Quietly improve your understanding of the alternatives (I highly recommend Linux), and when "Microsoft" is no longer a safe scape-goat for inefficiency (and the inefficient decision makers start getting blamed), it will be your turn to step up to the plate with an alternative that is now like second nature to you.
Soon the powers_that_be will understand that it is not the software but the IT managers, themselves, that determine the success of a given project. However, software _is_ a tool and _can_ tell you a lot about the user. Windows is to Linux what a "Big-Wheel" is to a mountain bike. Enjoy this time in history, when those with the most power are the most clueless (trying to gracefully climb a mountain on one of those "nightrider" edition Big-wheels with streamers, oblivious to the existence of the mountain bike;). It's a funny image . . . It will make you smile at times (perhaps during meetings). Yep . . . good times, my friend . . . good times.
First you learn; then you wait; then you laugh; then you wait some more; then you really laugh; then you learn some more; then you win;)
So basically it is the user's fault they used the software simply because software is free speech? That is a silly argument.
... with their careers.
Not really. He's saying that the consumer has a responsibility to make an informed purchase, and that creating liability and a pork barrel for lawyers is not a good solution. He's right.
All of the information to warn a would-be purchaser that Microsoft Exchange Server is probably the worst possible choice one could make for a mail server if security is any concern whatsoever was widely and publicly available. Clearly the person or persons who made the decision to go with Microsoft, when demonstrably more secure (by orders of magnitude) options were available at little or no cost, either grossly neglected their duty and did no research, or were in a sweetheart agreement of some kind with Microsoft's salespeople, or Microsoft itself. That, or they opted for the product when it was still in the vaporware stage, which is even doubly incompetent.
Either way, the person or persons who made this incompetent, and very possibly corrupt, decision should indeed be the ones to pay for it.
The Future of Human Evolution: Autonomy
I thought Enron securities were in last place.
So the next time a DNS exploit is found, dump your *nix boxes.
I think our military needs to think about microsoft's army of evil monkeys before they start pushing them around.
Hacker Media
I can't tell you how many times I've been at meetings with Microsoft where their own employees complain of email problems.
Of course we have to hold off on the snickering until after we leave, but this has happened many times.
You've definitely got a point, but how many times do you have to learn a lesson before you figure out that Microsoft's security really sucks?
Let's say that you get hit with ILOVEYOU and start to filter out attachments. Good job.
Now you get hit with Code Red. You decide to check daily for security fixes at Windows Update. Good job there, too.
Next, you get hit with a nasty virus because one of your employees couldn't live without his favorite screensaver. You install up-to-date virus definitions on all your PCs and check daily for new virus definitions. Also, you lock down all your PCs, so that nobody can install/remove programs without MIS approval. The employees grumble and complain, but it's obviously necessary.
And after that, a disgruntled employee (perhaps the same one that caused the virus outbreak) decides to sabotage a few of the servers after he gets fired. You disable all remote manageability and literally lock the servers away in a secure room. MIS begins to grumble and complain now, too, but it's necessary...
At what point do you finally switch over to something different? When no work can be done, because you're trying to patch the millions of holes Microsoft themselves refuse to patch?
UNIX has a whole slew of problems, too, but at least it isn't designed to be insecure.
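The "filter out attachments" step in the post above is the one that can be shown in code. This is an added example, not code from the thread or from any of the products discussed: a small inbound-mail attachment filter built on Python's standard `email` package. The deny-list of extensions and the sample messages are constructed here for illustration; the filter checks the final suffix of each attachment name so that double extensions of the `SOMETHING.TXT.vbs` kind are caught, and flags parts whose declared content type is executable even when the name looks harmless.

```python
"""Inbound-mail attachment filter (added example; the deny-list and the
sample messages below are constructed for illustration, not taken from
any real mail system)."""
import email
import posixpath
from email import policy
from email.message import EmailMessage

# Extensions that a Windows client will execute on double-click.
# Assumed deny-list; a real deployment tunes this to its own policy.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".lnk",
}

# Declared MIME types that mean "executable" regardless of the filename.
EXECUTABLE_CONTENT_TYPES = {"application/x-msdownload", "application/hta"}


def attachment_verdicts(raw_message: bytes):
    """Return a list of (filename, reason) for every attachment to block.

    Walks all MIME parts (so nested multiparts are covered), takes the
    basename of the filename to ignore any smuggled path, and looks only
    at the final suffix so 'README.TXT.vbs' is judged by '.vbs'.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    verdicts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue  # body text, not an attachment
        base = posixpath.basename(name.replace("\\", "/"))
        ext = posixpath.splitext(base)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            verdicts.append((name, f"blocked extension {ext}"))
        elif part.get_content_type() in EXECUTABLE_CONTENT_TYPES:
            verdicts.append((name, "executable content type"))
    return verdicts


def build_sample(filename: str, payload: bytes,
                 ctype: str = "application/octet-stream") -> bytes:
    """Construct a one-attachment test message (constructed sample data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "kindly check the attached"
    msg.set_content("Please see the attachment.")
    maintype, subtype = ctype.split("/", 1)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype,
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("LOVE-LETTER-FOR-YOU.TXT.vbs", b"WScript.Echo 1"),
        build_sample("report.pdf", b"%PDF-1.4", "application/pdf"),
        build_sample("setup.bin", b"MZ", "application/x-msdownload"),
    ]
    for raw in samples:
        print(attachment_verdicts(raw) or "clean")
```

The point the filter makes is that the extension check must look at the last suffix only, and that the content type is a second, independent signal; a mail gateway that keys on the first dot, or on the filename alone, misses exactly the cases the post describes.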
Gates directed 7,000 programmers to spend February scouring the Windows operating system for openings hackers might exploit to steal data or shut down systems.
Wow, 7000 programmers! I bet they figure out how to close the barn door.
I get my story put on the front page of slashdot AND it's my birthday! Rock'n'Roll!!!
Happy Birthday to Me
-FattyBoeBatty
Dude, remember that the DoD has a rather different idea of "Secure" than the average website (.com OR .gov).
When they say "secure", they're talking Orange Book. They're talking about lives in the balance. "Secure" means, "If you fucked up, somebody died."
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
The military do genuinely have a number of requirements that are not shared by the general public, such as the ability to continue functioning after the loss of 80% or more of the infrastructure in a particular locality.
I hope you were saying that as a joke. I am a systems maintainer in the USAF. Every day, I get a call about one or more "vital" telecom lines that have dropped.
The customers that I service are given a single, anemic line running through an overtasked proxy server connected to an abominable firewall mapped with infuriating rules. I am not talking about a single base either. It seems that most bases are this way. The backbones are generally good, if you happen to work at a base with a NIPRNET/SIPRNET gateway router. If you work at a smaller base, you will understand the constant plague of IDNX system reroutes and satellites that "just disappear" for hours.
And how do the customers react when they cannot access afpubs.af.mil? Do they use an alternate system? Is their 80% redundancy there? No, it isn't.
The customer gets screwed and no one cares. NO ONE! Why? Because the motto of DISA is "Hey, what choice do you have?" Meanwhile, me and my co-workers dry out "wet cable", query call paths, and wait for FedEx to bring in replacement line drivers.
Sorry for the rant, I'm just wondering where the 80% redundancy is. I have been in for a while, and I have never seen it.
I'd rather you do it wrong, than for me to have to do it at all.
I'm not a computer guy...I'm a satellite guy. But I'm forced to use DMS daily and it's been nothing but problems. From my standpoint I blame the first slew of problems on our lame excuses for "IT People". I consider myself very well versed in computers.....but these people suck. So once DMS got to us...we had two months worth of "install problems". I just sit back and laugh at these wanna be IT morons. Now the Air Force decided to merge admit with IT. This is becoming fun! Oh and of course...they don't let me crosstrain into computers.
Oh did I mention the sparc in the back of my shop's been on for over 4 years monitoring all of my circuits without a hitch!
The software compression library known as zLib was found dead in its cardboard box domicile in the Bowery district early Wednesday morning. Once a workhorse of the internet, it had fallen on hard times recently after a botched operation to repair a double double free free condition.
Let's look at the statistics. The fact that a company that's been going out of business for twenty-five years steals an obsolete Unix variant is no basis for a system for creating theft!
Take off every zig!
Exchange is a 'non-proprietary core' (at least in the DMS usage). Exchange 5.5 is an X.400 MTA. There is nothing proprietary about X.400, it is just that Microsoft is the only vendor that still sells that junk.
Exchange 2000 removes the X.400 junk from the core. It is not an OSI MTA that also does Internet, it is an Internet MTA that also does OSI. Don't judge Exchange by the horrors of 5.5, those horrors are mostly intrinsic to the OSI junk it is based on (plus the MAPI horrors).
The problem with DMS is not that they chose proprietary software, they simply chose the wrong open standard. Even today we have DMS folk coming to the IETF with drafts proposing some form of X.400 interop for S/MIME.
What it comes down to is that the military defined a mail system that was so complex that Microsoft was the only company around with the resources to provide client support.
I think in hindsight, that would have been a very sensible decision, don't you?
It isn't a matter of hindsight, there are plenty of reasons why DMS and the Federal govt. PKI are problematic. Most of those were known at the start.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Do you know how long it will take to fill in each of the holes in those punch cards?
The Air Force could, I suppose, blame the former CinCPACFlt for the decision. Anyone have a link to the infamous directive sent out ordering the use of MS products, including Exchange, as though they were DII/COE compliant?
Basically, the Admiral took the lead on "consolidating" on Windows because that's what the kids in the ranks all knew how to do.
That resulted in ships being towed back into port (twice!) because their NT Domain servers corrupted their database, couldn't reboot, and the navigation systems (IIRC) wouldn't function (trying out the "fly-by-wire" concept using NT computers!).
It also resulted in a server OS consolidation that has only recently started to be reversed.
And in email messages getting sent to the wrong recipients (an old exchange address book problem).
Which is a problem when we're talking about ship movement orders in the China Sea.
After lots of "get togethers" between admirals, generals, and Billy Boy at his cottage in Seattle, it just seemed the right thing to do for the country, I guess. Shame none of those windows OSes have EVER survived even a C2 evaluation - not even the NT 3.51 they tried to evaluate.
So now, there's no evaluation system left, even! Why bother when the brass know what they want to buy, even if it can't be made secure!
But boy, have they gotten good with PowerPoint!
As an officer in the Air Force, perhaps you have some insight.
Back in the 1980's, I was at the Supercomputer Computations Research Institute, a DOE-funded site. Although ours was the designated unclassified site, we dealt with a lot of groups (Oak Ridge, Lawrence Livermore, etc.) who weren't exactly unconcerned with security. The operating systems they used in house were very tight and had to pass fairly stringent security requirements just to be considered. This was one of the reasons that VMS was so popular; DEC had worked very hard on the security.
If you had asked me then whether this would have happened, I would have laughed.
I can see why the business and consumer cultures played the lemming. But the military has a reputation for getting things that work, even if they cost, and dammit, Mil Spec used to mean something.
So, what happened?
Since you and Bill are obviously both geeks, you should hack his server and lay waste to his systems instead.
Or maybe you could just act the drama out with your Star Wars dolls? He could be Darth Vader, you could be Luke.
You know, Luke Skywalker was a terrorist too...
Maybe the DoJ is laying off of Microsoft because of the DoD's dependency on them?
...are belong to Microsoft!
Army Protection Racket
The entire sketch is at http://www.montypython.net/scripts/armyprot.php
Did anyone else instantly think of this when they read the item?
Okay, so you're a Mac OS 8 and a Solaris user yet you come here and tell us that you're somehow qualified to administer NT servers? And you also expect us to believe that your judgment is not biased?
Btw, how many holes does sendmail have? Have you forgotten about zlib, how about wu-ftpd?
See Windows NT Cripples US Navy Cruiser for a story from 1998 on the Yorktown
"Blame it on the OS"
"But according to DiGiorgio, who in an interview said he has serviced automated control systems on Navy ships for the past 26 years, the NT operating system is the source of the Yorktown's computer problems. NT applications aboard the Yorktown provide damage control, run the ship's control center on the bridge, monitor the engines and navigate the ship when under way."
"Using Windows NT, which is known to have some failure modes, on a warship is similar to hoping that luck will be in our favor," DiGiorgio said.
"Pacific and Atlantic fleets in March 1997 selected NT 4.0 as the standard OS for both networks and PCs as part of the Navy's Information Technology for the 21st Century initiative. Current guidance approved by the Navy's chief information officer calls for all new applications to run under NT."
[snip]
"Although Unix is more reliable, Redman said, NT may become more reliable with time."
"The Navy is moving the service's command and control applications from Unix to NT as part of IT-21. Under IT-21, the Navy also plans to modernize ships in the Atlantic and Pacific fleets with asynchronous transfer mode LANs. Large ATM networks running NT have already been installed on the USS Abraham Lincoln and USS Essex."
And please don't forget that most of the enlisted folk in the AF are the ones using the computers! And how many do you think can use a computer, except for the ones reading this? You have high ranking officials in the brass and stripe sectors that panic when E-mail is down, or when they can't use their PDA on a "secure" mail server. /hr, throwing them in a uniform, strict haircuts, and plenty of bogus rules. These specialists will do the same as every hired Computer Specialist-they get trained, even certified for FREE, get four years exper. and leave a crusty Military job @ 15K a year for entry to a $60+K job!
The military needs to keep this simple for the workers in it. Try recruiting Linux specialists at $12
I wish the military would change to Linux BUT so much money has been invested in M$...
This SIG pulled due to lack of funding. (This damn war is costing too much!)
"We now hold MS responsible for all mishaps that occur due to problems in their operating system. Every time something bad happens to a soldier on the field, the same thing will happen to a MS executive. Gates is going to love taking the punishment of the guy who just got captured and tortured..."
I wonder if that would speed up their security fixes.
"Never, never suspect the dreams within the dreams of dreaming children." ~The Amazon Quartet
Why don't you take all this negative energy and hate and direct it to something positive. Like, learning how to administer your Windows systems so that they aren't vulnerable to issues.
That's a really good idea.
Let's start with one of the most basic defenses: audit the source, look for bugs. Get rid of the buffer-overflow exploits, double-freed pointers, etc.
Oops, can't do that. Chose wrong tool for job.
Fortunately, it can be fixed: use a better tool.
You can learn a lot from reading Sheldon's posts. For example, we have learned that Gates and Ballmer really like rimjobs.
Because of the cost of switching all of the PCs they have and training the networking and desktop staff. I work for a .gov right now and they won't even consider it because,
A) The cost of retraining all the desktop staff who NEVER learned any OSes other than MS or hiring more
B) Cost of retraining the networking staff or hiring more staff
C) The amount of users that would need retraining and or call the help desk 24/7
They have looked into switching but the initial cost is too high for now. If MS keeps up its current bad pricing & security it may make them switch but I don't imagine anytime soon. My bosses need to have a red flag waved in front of them that flat out proves something before they do it. Until then it's easier to complain to the M$ rep than think about switching.
Vote early. Vote often. Vote CowboyNeal.
Seems to me that after 9/11, the government is blaming plenty of people for the incident yet it should be blaming itself.
While this is partially true, you also are forgetting that the DOI is composed of several agencies. Not all of these agencies have as poor security as BIA was found to have. So first off, saying it's DOI as a whole is incorrect. Plus, as I'm sure someone will say that the DOI should have kept a better eye on things, this is only partially true. The way a government department is set up is that the upper level (ie, the top level DOI staff) have different concerns than the individual agencies. The individual agencies are themselves responsible for day to day operations while Fed department level staff are more concerned with strategic planning. Thus, with the BIA as an example, a part isn't exactly the whole.
See, the thing to keep in mind is that we the people are responsible for how screwed up things get in the government. Contrary to popular belief, WE are the ones in charge. No amount of cynicism can deny the fact that bad officials get into office because the voters put them there. These same officials then strangle budgets so that there's no one left to take care of anything. Many of these agencies also don't have the money to upgrade things. Ask your mom about how much things have gotten cut over the years. Then ask yourself, especially if you're of voting age, how things can get this bad. WE the people have to take the responsibility for OUR government sometime you know.
The airforce, like any other agency that gets money from the govt has to show how and why it spends money. if they go and get some free software thing their budget will be cut. Now not only do they have to go and find the knowledgeable few to operate the free software, but incur additional costs upgrading to a new system all because they want to save a few million dollars (which they won't get to use anyways) by running the free software. Contrary to the slashdot belief, government spending money is a *GOOD* thing. It stimulates the economy and helps us in the software business make ridiculous amounts of cash so we can buy nice American cars which stimulates the auto-industry and helps the economy. it's all about stimulation man
did you forget to take your meds?
No I'm not trolling.
That resulted in ships being towed back into port (twice!) because their NT Domain servers corrupted their database, couldn't reboot, and the navigation systems (IIRC) wouldn't function (trying out the "fly-by-wire" concept using NT computers!).
.mil insists there is no grand over-arching security schema
In the MIDDLE of a combat op, this gives new meaning to Blue-Screen-of-Death
more seriously, as i work in security consulting, the entire concept of Orange Book/C2 security was never applied to the military as a whole...
it originally started to be applied to some individual units and locations where it was thought to be needed, but regardless of what the
strangely enough (or not), executives in the mil are no different from their civilian counterparts, most of them are focused on their main missions and don't pay attention to the services and technologies that they don't believe are vital to accomplishing their mission
a few years back MS paid some outside firms to get NT a C2 cert (can't remember if it was NT 3.51 or 4), eventually between ripping things out and turning things off, they were able to get one firm to certify NT C2 AS A STAND-ALONE OS (non-networked), but by then the Navy had announced its MS migration strategy and the rest of the services "Me Too-ed" the Navy's announcement
sounds like we have some "Buyers' Remorse" with the AirForce...the services have a real tendency to take a vendor messing them around real seriously...
...if this Flag Rank reflects the service's opinion, rather than his own, this is a "warning shot" over MS' bows...
they'd better take it seriously, the military have driven any number of vendors into court and bankruptcy, once they're pissed they stay that way for a long while
"The military and the government don't really have too much choice at this point except to start to put pressure on Microsoft and others to improve software security," Erbschloe says.
No, the consumer (the government here) can buy software that is certifiably secure and not pay for any that does not meet security requirements.
The Air Force can buy Sun hardware and software, for example, instead of Microsoft. It can set requirements in contracts that are not slanted toward Microsoft but which demand software that the consumer can fix rather than waiting for a new version.
Yes, if the government won't do this then it has to live with the consequences of caving in to the antitrust suit and plead with Microsoft to be nice to them.
PRECISELY. I was struck by that phrase that went..
"UNIX boxes that don't need upgrading or maintenance..."
Frankly, I'm fighting this same battle at my company. We've got a multiplatform network, and while the UNIX boxes require LESS maintenance, they'll still go to hell in a handbasket if someone doesn't feed/care for them every so often.
Admittedly, the down side of UNIX isn't as brutal as that of NT (the server stays up), but people seem to miss the fact that the no maintenance *nix box is just as absurd a notion as the no maintenance NT box.
The competition here isn't NT/*nix, but securing boxes, and the skript kiddiez using the cracks probably don't care WHAT they're breaking into, just THAT they're breaking into something.
ceci n'est pas un sig.
If you are smart enough to setup email filters, etc, then you are smart enough not to use microsoft server products.
After all MS does billet its warez as "easy to use", so it puts people in the mindset that they shouldn't have to do anything intelligent.
(I worked at defense contractor where the Air Force's security demands amounted to: "all traffic must go through port 80, because that makes it secure")...
Really. Please take a look at the length of the interval between a black hat creating an exploit, and a working patch being available for your platform. How many days a year is your computer exposed?
With the "we don't tell you 'till we got a patch" information policy, you can be exposed for months without knowing it. With the "we tell you, and then we release the patch" information policy, you can react according to your relevant security policy.
Microsoft has a long history of the former. Linux is generally rather quick on releasing comments and patches, and I believe almost all the major Linux distributions have automated security patch services now. I know Mandrake, Debian and Red Hat do.
Until recently, windows update was used for pushing new versions of software. They rarely released security fixes, and then usually clogged together. If you wanted to stay secure in windows-land, you needed to look around for the patches. They appear to be using windows update for pushing security now, but remember that one of the worms of fall 2001 infected a windows update server. Do you trust these guys? Really?
Oh - btw - the fact that they let a mac/solaris guy administer NT boxes could be yet another sign of brassy incompetence. And judgement is always biased. That is what judgement is. If it is purely based upon facts and clear rules, it is not "judgement" but a fact.
Stop the brainwash
Um, that would be the point in having all those open sockets behind a firewall.
The only tool you've got against psychosis is experience.
it's in the command structure, of course. How many people do you have telling you how to wait for fedex?
About 2 years ago I went to Moffet AFB in Northern Calif, they had old Macintoshes in the admin offices.
At the same time I took a cert class from Sun and met a woman who told me their mail servers were Lotus based.
Pardon me for saying so, but I loved the fact that I run a Linux box for corporate email here (and I'm being forced to switch to Exchange) that has crashed 2 times in 2 years for about an hour of total downtime.
It would seem to me that the most plausible solution would be to have Linux running their servers, have a massive secure intranet and MacOS X at the desktop. Unfortunately, IMO, MacOS X is about 6 months - 1 year away from being user friendly enough for your average joe.
How about something 'unbreakable'? Hmm...Larry can go pound salt as far as I'm concerned - his licensing is AFU and WAY too expensive...last thing we need is for Oracle to think they can charge even more when they have a government customer. (Hey then, it might actually be up Uncle Sam and the AF's alley! w00t! Gimmie a five thousand dollar matching cockring to go with my flight suit!)
eharmonic
Yes, I'm aware of that. Just thought I'd throw out another problem in another part of the government to show that security issues tend to be systemic across the gov't.
And with the DoI being in charge of federal agencies like the Natl Park Service, the Forest Service, Fish & Wildlands, federal payroll & accounting, farm issues, etc etc etc, it's silly to argue that the preservation of the integrity of our country's internal assets is more or less important than the military's responsibilities. Wildfires, hurricanes, crop failures - lives are in the balance in those situations too, no?
And on another subject, I'm right in the middle of getting Linux approved for use within the DoD and, by extension, the Air Force.
No, I kid you not. Linux is getting the COE suite ported to it, elements of DISA are gung-ho about bringing it in, and some elements of AF/SC are doing their best to help. The specifics of who is doing what in what time frame are not things that can be discussed here.
And how is this justified? What military program is forging the way for this OS (which is getting so big, commercially speaking, that every high tech company EXCEPT Microsoft and most of the gaming industry has a strategy on how to get in on the action) to be brought into the fold? Who had to put their [appropriate genitals] on the line in a military manner to get this going forward?
The weather men.
I kid you not. And you know what the biggest stumbling block is, besides office-internal politics? AF Communications. Capt. gsfprez (I'm guessing here) is right: Comm sold the Air Force infrastructure to Microsoft, and most of the old clever Sergeants and Airmen and young LTs who knew their UNIX during the dot-com times said, "Good-bye, sir! Patriotism and service warms the heart, but six figures will warm a whole house, and provide the house, too." So now the Comm field is whining "We can't have Linux! We don't have anyone who can administer it! We structured our entire training cycle around Windows! We're lucky to have two Unix-savvy people left in the whole squadron, and they're the overworked Master Sergeants." (Conjecture: I'm not in Comm. But I do get email from them.)
Yep, Linux is coming to the DoD. The smug excuse of "Linux isn't an AF-approved operating system" will soon be susceptible to the rebuttal of "Wanna bet?" Soon it will be time for stalwart young LTs and Captains to make Powerpoint presentations to the Majors and Lt Cols of the Comm squadron explaining why they should move vital network services to a Linux box. They're probably going to get slapped down; bureaucratic inertia is like that. But LTs and Captains become Majors and Lt Cols, some day.
Oh, and by the way, the weather system that runs on Linux works so well that profanity is usually used as a magnifying adjective to words like "incredible" and "outstanding". [Any active duty guys who wants some details, email is welcome.]
#include std.disclaimer: None of these statements are made on behalf of the AF. All opinions are my own. My perceptions may not take into account facts that have not been available to me. I may be wrong about any number of things. If you're going to get flustered by something you read on Slashdot, you seriously need to re-examine your priorities.
I don't know about the DoI, but if it's anything like applying for civilian IT positions in the military or the FBI, they're going to need a lot of luck in getting good IT people who aren't just Windows monkeys in there to make a buck.
Before landing the commercial job I spent months trying to get into an FBI or civilian military position, but the application process is incredibly depressing. Position opening descriptions are incredibly verbose, but contain absolutely no useful information. They all tend to just say things along the lines of "Will work with computer systems to support the required needs." Just take a look at the first Computer Specialist opening I found at the FBI jobs site. Armed Forces position openings are the same. Furthermore, the application process itself tends to be burdensome and unclear, requiring lots of documentation up-front, often dead-tree-style; there is seemingly no process of escalating back-and-forth information exchange which the commercial world tends to prefer.
They are definitely trying to improve the application process, but they definitely need to clear up the red tape.
Personally I'd like to work for a social institution like the federal government, even though the pay scale is significantly lower. However, they really need to streamline their application process if they want good people.
Isn't the NSA releasing a version of security enhanced linux? You'd figure that would be backing enough for the Air Force.
Kewl - I'm gonna use that!
Think, write, think, edit, think...then post.
wow dude, you really stirred up a few m$ trolls there! i read a [slashdot?] story a while back about how m$ was paying trolls to post pro-m$ responses. i think you just proved that to be correct!
i agree with the other poster that says linux is coming to the af at some point. it's true. you'll see pro-*nix lt's etc. get promoted, and then there'll be a change.
As much as it satisfies me to see the corps take a battering for loose security and while I'd like to see them do something about it, one thing that concerns me is that the solution could pose a serious problem for Free Software.
I have a feeling that as the consumers demand tighter security control, that will mean independent security testing and certification. That testing will undoubtedly cost the software manufacturers money to pass their products through which will be fine for the corps but a huge problem for Free Software projects.
The result could be a certified, albeit more secure IIS, but an uncertified Apache because the Free Software community didn't have any pockets to fund it.
After all, the department of commerce probably would have a hissy if microsoft put out secure code.
I'm sure this is all very impressive looking to the digital masses, but the last time I looked John Gilligan doesn't have a $6B budget he can lord over Microsoft or Cisco. Nor does he have veto authority over any of the Air Force four-stars who do. As Tigger might say, this whole federal CIO thing is stuff and nonsense.
... ?? The Air Force is not a corporation. Nor are the State Department or the Bureau of Land Management
The first rule of government -- and any large organization -- is the Golden Rule: He who has the gold, rules.
Has it ever occurred to anyone that it doesn't make much sense to have a CIO if you don't have a CEO, COO, CFO,
Stuff and nonsense.
Now, his father was a terrorist. His and his emperor's reign was one of terror.
Luke brought hope and justice, and faith.
"Terrorist" comes from "terror", not from "few ppl" vs "big empire"
who not only use Linux but have their own distro?
If it is good enough for the spooks it should be
good enough for the flyboys.
"At what point do you finally switch over to something different? "
At what point do you finally realize that switching to something different doesn't solve problems, it just creates new ones?
The answer is still... education... Learn how to admin what you have now, and save yourself a whole lot of hassle!
"UNIX has a whole slew of problems, too, but at least it isn't designed to be insecure."
No more so than Windows 2000. The point is that if you know what you are doing and set things up properly, you don't have issues.
Our company was not hit by Code Red. We did have issues with Nimda, but only on development machines which were not well managed; production were fine. We have not had any issues with production systems as a result of windows vulnerabilities in 3 years because we have smart Admins.
Christ I have the GIAC Windows Security administration cert and don't know half what my company's admins know. But I would still recommend to those bitching, especially that air force Lt., that he attend the SANS annual and take Track 5.
So I should dump Unix for SMTP and DNS because of the problems with BIND and sendmail?
Yeah, that's intelligent.
Learn how things work, why things work, and then implement the solutions.
The vast majority of currently known IIS attacks (Code Red, Nimda, and so forth) could have been prevented proactively by implementing the steps in the IIS security checklists from Microsoft, SANS, and so forth. It's not that hard, and all I see in your response is a knee jerk reaction against Microsoft without proper understanding of the issues.
Now I know why you post as an Anonymous Coward. I wouldn't want to take credit for your writings either.
First of all, if you were a smart unix user, you would not be using Sendmail. You talk about 'understanding', but do not understand that you have a nice choice of alternatives that are much more proactively secure than Sendmail, such as Postfix or Qmail. Same goes for Bind (we have djbdns and such). What do you get from Microsoft? Their one product. Big choice there.
I do know full well how and why things work. That's why I say to choose free Unixes. They are not black boxes. You can easily poke in and figure out what's wrong. You can fix the problems yourself, even more proactively than your proprietary provider. All this and more you cannot do with proprietary, closed products.
Furthermore, you aren't being proactive by simply applying vendor-supplied patches when they say to; that's reactive. Being proactive means learning how your software security works, especially internally, and performing appropriate actions.
"First of all, if you were a smart unix user, you would not be using Sendmail. "
Well DUH.
"you aren't being proactive by simply applying vendor-supplied patches when they say to"
Who said anything about vendor-supplied patches?
"Being proactive means learning how your software security works, especially internally, and performing appropriate actions. "
That's what I said.
I'm sorry but your post helps reinforce my point that you don't know what you are talking about.
I hope you are not deceiving yourself believing that the AFL CIO cares about software security.
They are only pissed because Microsoft products are made by non-union people.
How about the cost of information, if classified documents wind up in Al-Qaeda's hands? This is the military we are talking about, and they are using Windows?! Hell, I'd be surprised if they would even consider Linux and not go straight for BSD, just to make sure that it's secure.
So, just now, the USAF wakes up and says "Hey, I think security is a pretty good idea." Huh? Since when has the military branch of the government not been keen on security? (And why does "military intelligence" sound like an oxymoron? I guess this is yet another indication of how ass-backwards our govt is.)
Zodiac Survey
Having only one software supplier or only one network equipment supplier is not only bad for the Air Force but for any other organization.
Losing support, update capabilities, ... on a closed source product because of a company failure could be very bad.
If the business can't afford to get decent exchange admins, then they pretty much deserve what they get.
In our company of 30-odd thousand staff, we have about 10 people dedicated to running our 150-odd servers, and we haven't had an outbreak of any of those 'Outlook viruses', mainly because our admins are on the ball, and are willing to come in at 2am to ensure that we have the latest virus patterns, etc.
Not Meta-modding due to apathy.
Contrary to the slashdot belief, government spending money is a *GOOD* thing. It stimulates the economy...
The government can't spend money unless they take it from me. Thus, government spending = taxation.
So to paraphrase you...
"Taxation stimulates the economy."
An economic model that implies that the taking and spending of my money stimulates the economy is fundamentally flawed because it assumes that I won't spend that money myself.
This is not to say that government spending is always bad; I merely want to point out that your reasoning is flawed. Government spending is GOOD when it allows a democratically selected government to concentrate monies in a needed sector - propping up an industry vital to national security, for example. The problem is when we don't have a democratically selected government...but I digress from my off-topicness.
Wildfires, hurricanes, crop failures - lives are in the balance in those situations too, no?
The point of the military is not preservation of life. I went through basic training with a hillbilly who, when first issued an M-16, gazed at it and reverently stated "This is a gun that was made to kill...people." The military infrastructure is in place to prevent the overthrow of the US government (i.e. implementation of non-Constitutional rule). No hurricane, forest fire, or regional crop failure can cause this.
This does not alter your point that preservation of human life is essential.
The military doesn't take crap from anybody and they have all the guns.
You start selling shoddy goods to your defenders and you may find out what the Romans found out about their Praetorian guards. And find it out in the same way too. At the point of a "glaive."
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
The point is, you need to tell us your company wasn't hurt by the many viruses, worms, trojans and plain bad engineering built into the Microsoft system. That in itself says enough.
The point is, if you need to make the claim that everything Microsoft is good, you need to restate it over and over again, precisely because, as a satisfied customer, you are the exception. If there were more who were not harmed by stupid engineering, there wouldn't be the need to tell us all how great your production machines have worked.
Sure, there's a place for a Windows OS computer, but it isn't where mission critical data is, it sure isn't where lives are at stake and it isn't where public dollars get spent.
As a recent USAF retiree and programmer, I have a coupla comments.
The AF has been using MS stuff since long before Win3.0. Changing all the desktops and Exchange/NT/2000 servers to *nix would be a *tough* row to hoe. The decision to use M$ was made long before *nix was a viable option. And long before the various holes and security concerns were publicised.
As in any huge organization, there are thousands of small, medium, and large custom apps that handle a lot of the daily business. I wrote some of 'em. Obviously, it couldn't be done all at once. Training, rewriting all those apps, etc, etc... It would literally take years.
Going to Linux on the desktop is probably not a viable option. Too much momentum.
Up until a coupla years ago, the AF was Uncle Bill's biggest single customer. Still may be. So yes, they can put some pressure on M$.
They use a lot of Oracle, too. Even though Larry says it is unbreakable (ha), 9i has already broken. *No* connected software is truly secure.
Bug fixes? The mil really needs to have a POC to talk to about a particular problem or hole, not just a disconnected group of eyeballs fixing it. Yes, bugs and holes in Linux do get fixed, probably faster. But for national defense, I would not want to rely on that. I need to buttonhole a particular office or person, and say "You fix this."
The Army's solution (Apple) is worse. Sole source for hardware AND OS. When/if Apple changes focus, or goes under, or simply stops making desktop PCs, the Army is up the creek. The holes there are yet to be found. But they are there.
M$ stuff can be made as secure as anything else. A lot is in the admin. But no software that needs to talk to some other software is truly secure, so far.
There was a schedule to coordinate releases. That was a mistake. The knowledge of the exploit should have been released as soon as someone became aware of it. If there was no patch, I would turn off the service until there was a patch - or I would look for a more secure alternative, say, a Java version unless I needed really high performance.
Oh. Virus free? And you give Microsoft credit for that?
Stop the brainwash
sir, and especially 'sir yes sir' do not strike a chord on the harp of the chAir Farce. it is more like... [Sgt to airman] Mr. Smith... if you are feeling up to it, and it does not offend or intrude upon you, could you make a PowerPoint presentation explaining what that is that you are playing, and why it is not MS Hearts or surfing the internet like the SOP says you are supposed to be doing? [airman] Huh? yeah, I guess so. Hey, you still got my golf clubs or does our buddy Joe, our Captain, have them still? [sgt] Hmmm, probably my wife has them, or maybe I left them in the Middle East inside one of those nice air conditioned 'tents' with cable, broadband, DVD and big screen TV. [airman] yeah, it sucks the way we are treated in the military. Making us watch from a meager list of 100 DVDs on a tiny 40" Trinitron. Those catered meals are pissing me off too. Hell, next they will want us to fire weapons and actually have to clean and service them ourselves like some stupid ground pounder. [sgt] now Billy... remember that those human guard dogs keep our supply lines open and let us sit on our asses and absorb tax dollars in jobs that should be civilian jobs anyway. Although, I do think that technology will make people obsolete... as technology goes up, vigilance and training go down, Billy. [airman] I have heard, but never partaken in, discussions on the net that relate how 6000 years of warfare tell us different... but what did Sun Tzu and other idiots like him know? Oh, look at the time! It's five o'clock... time to hit the racquetball court then the jacuzzi. Hey! I think we both deserve another medal for surfing the web! [sgt] I believe you are right... let's ask one of our empty suit husk officers for some. [airman] Great! Boy, I sure do look pretty in my uniform? HEY EVERYBODY! NOTICE ME! hehe [sgt] that's right, Billy, the REAL reason to join is for self service, college money, job training and networking for future career advancement... I fail to understand ideas like 'duty, honor, country'. [airman] me either... I heard them, but they were applied even less than our actual warrior training in weapons, hand to hand and tactical thinking. Well, guess I will have another latte and hit the court.
Like anything Gilligan could say will impact anything MS does?! The USAF has ignored strategic relationships with vendors because they are not permitted to show any favoritism. So the hope of convincing Bill that this is a meaningful threat?... beneath ZERO.
The USAF idea of influencing technotrends is to threaten and bluster... Gilligan is famous for it. They (the USAF) spec MS products, and use the crap out of them. But only because they have no strategic vision of their own, and no ability to create an internal infrastructure of people (other than losers like Gilligan) with blue uniforms to support IS/IT beyond the garrison. Unfortunately it's a new world, and the USAF is spending more time deployed than in garrison (at US bases, read: at home).
First they (the USAF culture) do not consider communications/computers a strategic imperative because it takes someone who cannot necessarily fly a plane to lead these folks. And... in the USAF if you do not have flying wings on your uniform, you are NOT SQUAT!
When they did have a Major Command, the corporate culture dictated that the commander, to get his next star, had to make a choice: get promoted by empire building AND neglecting the strategic infrastructure, OR build a service-wide, service-oriented culture which promotes and supports technogeeks and technology in uniform (and miss promotion). He (the commander) chose to neglect his customers, and now AF Communications Agency (AFCA) is an O6 position vs. an O8 (Major General).
Finally when they do invest in training, they can't, or choose not to keep the people due to pay and benefits, and other care and feeding issues.
Now how does Gilligan fit in? He is a career civil servant with the supposed long term corporate memory. He has been largely around the USAF for a long time (notwithstanding a move to DOE to get himself up a notch or two). He has no real experience in managing technology outside the acquisition space, and most technology programs he managed wound up as failures (or at least in the view of his operator customers). And although he has some clout to influence what goes on, the bottom line is, the USAF CIO is a title with no real $$, no staff to speak of, and a fancy Pentagon office with a 6 figure salary (not even a political appointee I don't think, just an SES). Threatening Bill Gates is the equivalent of screaming at the bus driver as he drives away. But what's new with this guy, he clearly does not get it.