Slashdot Mirror


Air Force Warns Microsoft/Others to Tighten Security

FattyBoeBatty wrote to us with a story from USA Today about the Air Force and security concerns. The Microsoft point is the primary point of the article, but the AF CIO has also made the point at industry forums, and evidently with Cisco. Specific companies aside, I think it's a good thing that organizations are beginning to realize the exposure they have on security issues - and maybe will actually start to take steps to close them.

4 of 336 comments

  1. Re:My Humble Opinion by sphealey · · Score: 3, Informative
    Yes, I do remember when my Commodore 64 worked to specification, I also distinctly remember it not doing too much of anything compared to the computer systems of today.
    Um, I was thinking more like a DECSystem-10 (3 years uptime with a typical load of 50 simultaneous users), HP 3000 (50 users, at age 10 we dropped the maintenance contract and it ran for 5 more years with no outages or unscheduled downtime), VAX 780, IBM System/1 => AS/400 (2 years uptime on that one after our sysadmin resigned), that sort of thing.
    Have you ever had Novell run stable for any length of time?
    1250 user 3.11 network, 3 years with no significant unscheduled outages and no excessive maintenance time; 12500 user 4.x network, 4 years with no unscheduled outages. Some others as well.
    Have you ever had Netware lock up for no reason whatsoever?
    Yes, of course. I have had my car quit on me unexpectedly too. Once every 5 years or so. Not every 48 hours as with MS-LANMan 1.1.
    How long have you been involved in IT, long enough to become sour and bitter against anything new?
    Sorry dude: "new" != "better".

    sPh

  2. Re:Then why do they stay? by flatrock · · Score: 4, Informative

    Because security is only one of the issues they have to deal with.

    I worked as a contractor in computer support for the Air Force years ago. This was before they used Exchange. They were using DEC Teamlinks where I was at. Teamlinks wasn't very easy to use. The client interface was kludgey and didn't have all the nice integrated features you get with Outlook today. The server, which was a DEC Alpha, crashed a lot. I think the server was simply a very expensive lemon. The DEC staff on site, as well as outside support people, spent a lot of time replacing parts and tweaking software, but couldn't get it to remain stable.

    Exchange and Outlook were a much better choice even with the risk of a virus taking down the system because the system they had was taking itself down on a regular basis.

    Training is also a serious issue. There was a full-time person whose job was to train users to use Teamlinks. One thing many people don't realize is that the majority of the people using this software on an Air Force base aren't military. They're civil servants and contractors. Military people follow orders pretty well, and contractors do as they're told, or find themselves without a job. Civil servants are a different story. Contractors come and go, military people get transferred after about 4 years or so, but the civil servants will still be there when the others are gone. If they aren't interested in learning something, they just make a few excuses and put it off until there's a new Deputy Director, or whoever's making the decisions. We had a chief scientist that refused to use the email or calendar software. He had his secretary print all his email and put it in his inbox. She would respond to his email as he directed her to, and handle all the scheduling in the calendar software. She had been around for a very long time, and wasn't very computer friendly herself. Every time she got confused or made a mistake, it was the computer's fault, and whoever got the support call was in for a bad day. One contractor didn't seem to realize that she was always right and got himself banned from her office, which led to his eventual dismissal. These people don't like to learn new things. If it isn't easy to learn, they pretty much have the ability to make everyone's life a living hell, and sooner or later the people making the decisions realize that any solution has to take that into account.

    While email is a security issue in that poor security can result in lost productivity, it shouldn't be an issue of national security. Confidential and secret information should never end up on the email system.

    In my experience with the Air Force, the people making the decisions were not technically incompetent. They also requested and received input from many different highly skilled technical people, and they had a lot of experienced people with backgrounds in Unix, VMS, and NT to draw upon. They were trying to get a product that best met all their needs. Security was obviously a consideration in their decision, but it didn't outweigh their need for a usable system.

    The real issue is that the ease of use that they desire is somewhat in opposition to a high level of security. This means that an alternative to Exchange/Outlook may not provide them with greatly increased security. For them to change and eat the rather high costs of retraining their employees, there needs to be a product that does a considerably better job of meeting their needs, with security only being part of those needs.

  3. Re:Then why do they stay? by Pii · · Score: 3, Informative
    For every hour that a USAF fighter jock, mechanic, paper-pusher, or whatever is in training, that's one less hour they are available to do their real job. And yeah, some people may have enough slack time that this wouldn't be an issue, but I suspect that it's not true for the organization as a whole. You have to look at things like opportunity costs when you're talking about a change over to an entirely new system.
    We are talking about changing the back end, not necessarily the client side. The only people that need retraining would be the IT folk, not every Pilot, Mechanic, or Clerk.
    Plus you're assuming that the trainers would be military also. I seriously doubt that.
    I have no first hand experience with the Air Force in this regard, but I do have first hand experience with the way the Marine Corps does this. Every single instructor at the Marine Corps' Computer Science School is a Marine. Every non-instructor position that made up the rest of the school was either a Marine, or a Purple person (Civilian employees of the Department of Defense). I would be surprised if the same did not hold true for the other branches of Service. (Not terribly surprised... The Marine Corps does a number of things differently than the other branches...)
    And, funny thing, these are exactly the same issues that corporations face. After all, they're already paying people for their time, regardless of what they're tasked with. And they're responsible (ostensibly) for all job-related training. But the costs - in both time and money - are not insignificant for any company of any size.
    And this is what people seem to be misunderstanding about the Military... This is nowhere near the same issue that corporations face. Every decision a corporation makes reflects the bottom line, as corporations exist to turn a profit. The Military is not encumbered by this guiding principle. Sure, they have a budget to work within, but if their requirements change, or the need is great, they get additional funds, and they do what must be done to satisfy requirements that no corporation has to consider.

    The purpose of the military is to win wars, and when they make a decision, lives hang in the balance.

    Few corporations can make that boast, defense contractors being the most likely exceptions.

    If the solution carries a higher price tag, but saves lives, and better enables the military to communicate effectively and securely, putting the ultimate goal (winning wars) within reach, the cost or effort does not matter. For them, bottom line is not the single most important factor in arriving at a solution, and the profit-motive is non-existent.

    --
    For those that would die defending it, Freedom
    has a sweet taste that the protected will never know.

  4. Re:Responsibility by frank_adrian314159 · · Score: 3, Informative
    You definitely don't like Outlook, but what do you recommend? What do you think is a good replacement for the functionality that Outlook provides, including features such as calendar software and such?

    Lotus Domino. Preferably on an IBM iSeries, but on a PC if you have to. All of the calendaring, none of the viruses...

    --
    That is all.