Air Force Warns Microsoft/Others to Tighten Security

FattyBoeBatty wrote to us with a story from USA Today about the the Air Force and security concerns. The Microsoft point is the primary point of the article, but the AF CIO has also made the point at industry forums, and evidently with Cisco. Specific companies aside, I think it's a good thing that organizations are beignning to realize the exposure they have on security issues - and maybe will actually start to take steps to close them.

Great

It's good to know that the people we're relying on for air defense of our nation are smart enough to NOT open the Love Bug email. I think I'm moving now.

real CIO

[The+Iconoclast]

i guess in the airforce the CIO is a REAL O. ;-)

Try as they will..

[psycht]

The government has been trying to get M$ to do what they want for a while now in the US Courts.. you think the Military is going to get any progress??

Re:Try as they will..

[jmb-d]

you think the Military is going to get any progress??

Sure -- the military has weapons that go *boom*, as opposed the government as a whole, which has a Justice Department that just goes bust.

Re:Try as they will..

[fireweaver]

ob Linux plug:

Air Force could always look into Linux. Actually being able to have the source code handy and being able to fool around with it would be a benefit to them. Same goes for the other branches of the armed forces as well. Perhaps the NSA could help them there with hier "Security Enhanced Linux".

Also be a great way for geeks to serve thier country as well.

Re:Try as they will..

[BLAMM!]

Tis true. But the sad fact is that the AF has a terrible time holding onto the technically savvy people needed to make this happen. Once trained, they get out to make 2 or 3 times the money in the civilian world. I know I was one of them.

Speaking from experience, the typical geek simply isn't cut out for the military life. And to make matters worse, advancing in the military means spending more time being a pointy-haired boss and less time being a geek. That's the way it is.

I'd love to see linux adopted by the AF, but 1) I've had the suggestion shot down too many times myself to expect it to actually happen and 2) they will have a tough time gathering the experience to do it.

Then why do they stay?

[FortKnox]

Why do they stick with MS if they have security issues?
Why hasn't anyone asked this question?

We run Exchange Server, and we get hit by an Exchange Server virii
Quick solution: Don't use exchange server.

Why sit and wait for MS to comply?
It just seems odd to me.

Note: I'm not saying "Y d0nt j00 B 1337 4nd us3 L1NU><?" I'm just asking why stick with MS.

Re:Then why do they stay?

[ari{Dal}]

Because the Air Force doesn't want to retrain all their personnel on software they're not familiar with.
The costs of retraining and reconfiguring all their hardware far outweighs the kick in the ass scare they can put into Bill to fix up what they're already using.
Just about everyone who has ever come into contact with a computer has experience with windows. From a user-interface point of view, its quick, clean, and easy.
From a security point of view, its a nightmare.
Unfortunately, the people who are deciding what to buy and what to install aren't the security-savvy techs.. they're the corporate middle management suits who see the flashy bells and whistles MS offers and bite so fast it'd make your head spin. MS had advertising, marketers, and a well-known product. Security wasn't as big a concern. All that adds up to a major problem today.
Not only that, but lets face it, back when the USAF were first installing and configuring these services, there weren't many viable options out there. Yes yes, i know .. sendmail, etc. But who was out there pitching sendmail to the AF?

Re:Then why do they stay?

[alen]

It's easier to train users not to open up certain attachments. And with the right software you can block certain attachments all together. With it's faults I still think Exchange is the best corporate messaging/groupware solution. It's fully integrated and you don't have to worry about trying to make a bunch of different products work together to give you the same functionality as Exchange.

Re: Re:Then why do they stay?

[FortKnox]

Sorry. Went from singular to plural on the fly. My apologies.

Re:Then why do they stay?

[!ramirez]

When you spend $6 billion a year, it's kinda hard to make a jump from one platform to another just because of security fixes. Sometimes, it's easier to fix the problems that exist than spend the overhead to jump to a new system. It takes an awful lot for a customer *that* large to drop a vendor that they do *that* much business with. Maybe my understanding of business processes is wrong, but it just seems that it would be easier for them to ask Microsoft, politely, to change their ways. After all, the only thing MS seems to understand (or most big companies) is the bottom line.

Robbie.

Re:Then why do they stay?

[regen]

Another issue is that microsoft will come in and setup an entire system for you. One stop shopping. Believe it or not, this sells. IBM is basically the same way. When you want a complex system put in place its often easier to deal with a single large vendor than several smaller but better vendors.

Re:Then why do they stay?

[jsse]

Why do they stick with MS if they have security issues?

Who is going to get back the BSOD-submarines when the contract with MS is being terminated?

Re:Then why do they stay?

[jalewis]

When I worked for the Navy as a contractor, the Admiral in charge of deciding what software we used asked Bill Gates to lower the license fees. We were buying Exchange 5.5 for all of Naval Sea Systems Command. Bill said no.

Microsoft looks at the military as a business, it doesn't get any special treatment. MS knows they have them by the balls and they treat them as such.

Re:Then why do they stay?

[linzeal]

You know the military has plenty of hardware that soldiers become intimately familar with through boot camp and various training methods. I mean the interface to a howitzer is not exactly the same as a aegis cruisers but they still seem to get by.

Re:Then why do they stay?

[Pii]

I'm not sure you understand the economics of the military...

It does not cost the Air Force anything to retrain, nor to reconfigure.

The Air Force (and the military in general) is already paying for the training of every person that enters the service. It would be a trivial matter for them to re-tool the courses in their Computer Sciences School, so that the students learned some other product or technology. (Besides, it's not like they teach an "NT Systems Administrator" course... They teach basics, like "Computer Programming," or "Computer Operations." The real training occurs on the job, after the E-2 or E-3 posts to his first duty station. In the Marine Corps, I entered as a "Cobol Programmer," and my fist duty billet was in networking (Banyan Vines, Ethernet and Token Ring environments).)

Likewise, the cost of reconfiguring all of the systems they've already purchased is also free. They have a labor force that they are already paying (that they have to pay, twice monthly, regardless of what they are tasked with), so why not "upgrade" all of the mail systems. It will not affect their costs at all.

This is a luxury that most of Microsoft's customers do not have, but is a very real, very possible option for the Armed Forces.

Re:Then why do they stay?

[Amazing+Quantum+Man]

The interface to Howitzers ran on Solaris (AFATDS), SCO Openserver (IFSAS), or proprietary systems (Paladin, LTACFIRE).

Re:Then why do they stay?

[Zathrus]

Sure they're paying for the training of everyone in the military already. But you seem to think that they have nothing better to do with that time than to train them.

For every hour that an USAF fighter jock, mechanic, paper-pusher, or whatever is in training, that's one less hour they are available to do their real job. And yeah, some people may have enough slack time that this wouldn't be an issue, but I suspect that it's not true for the organization as a whole. You have to look at things like opportunity costs when you're talking about a change over to an entirely new system.

Plus you're assuming that the trainers would be military also. I seriously doubt that. Which means you have to hire civilian consultants, which involves a rather long and expensive bureaucratic process just to get bids, not to mention the actual cost of paying them for services rendered.

And, funny thing, this is exactly the same issues that corporations face. After all, they're already paying people for their time, regardless of what they're tasked with. And they're responsible (osteniably) for all job-related training. But the costs - in both time and money - are not insignificant for any company of any size.

As to the original question - what else are they going to use? There's a great huge gaping whole when it comes to productivity software like Exchange/Outlook. Yes, there's Notes. Yes, there's Netscape/Solaris whatever-its-called-now. And maybe Novell still has a solution (I don't know personally). But none of them match the ease of use, "ease" of administration, and interoperability offered by Exchange/Outlook. They either don't work as well together across various pieces, they cost too much to maintain, or they don't integrate as well into the OS (gee, surprise... anyone? And no... I'm sure being a monopoly had NOTHING to do with that... riiight).

Yes, the lies about the low cost of administration on Exchange are starting to be revealed now. But only after MS has beaten most of the competition into pulp. Within a release or two Exchange will be considerably better than what it is now. This is how MS operates.

Re:Then why do they stay?

[GooberToo]

The costs of retraining and reconfiguring...

That's not correct. The cost is the same if they brush their teeth or learn a new system. With the military, it's a fixed cost...for the most part...most military people just do busy work when not at war.

Re:Then why do they stay?

[flatrock]

Because security is only one of the issues they have to deal with.

I worked as a contractor in computer support for the Air Force years ago. This was before they used Exchange. They were using DEC Teamlinks where I was at. Teamlinks wasn't very easy to use. The client interface was cludgey and didn't have all the nice integrated features you get with Outlook today. The server which was a DEC Alpha crashed a lot. I think the server was simply a very expensive lemmon. The DEC staff on site, as well as outside support people spent a lot of time replacing parts and tweaking software, but couldn't get it to remain stable.

Exchange and Outlook were a much better choice even with the risk of a virus taking down the system because the system they had was taking itself down on a regular basis.

Training is also a serious issue. There was a full time person who's job was to train users to use Teamlinks. One thing many people don't realize is that the majority of the people using this software on an Air Force base aren't military. They're civil servants and contractors. Military people follow orders pretty well, and contractors do as their told, or find themselves without a job. Civil servants are a different story. Contractors come and go, militry people get transferred after about 4 years or so, but the civil servants will still be there when the others are gone. If they aren't interested in learning something, they just make a few excuses and put it off until there's a new Deputy DIrector, or whoever's making the decisions. We had a chief scientist that refused to use the email or calandar software. He had his secretary print all his email and put it in his inbox. She would respond to his email as he directed her to, and handle all the scheduling in the calander software. She had been around for a very long time, and wasn't very computer friendly herself. Every time she got confused or made a mistake, it was the computer's fault, and whoever got the support call was in for a bad day. One contractor didn't seem to realize that she was always right and got himself banned from her office which led to his eventual dismissal. These people don't like to learn new things. If it isn't easy to learn, they pretty much have the ability to make everyone's life a living hell, and sooner or later the people making the decisions realize that any solution has to take that into account.

While email is a security issue in that poor security can result in lost productivity, it shouldn't be an issue of national security. Confidential and secret information should never end up on the email system.

In my experience with the AIr Force, the people making the decisions were not technically incompetent. They also requested and received input from many different highly skilled technical people, and they had a lot of experienced people with backgrounds in Unix, VMS, and NT to draw upon. They were trying to get a product that best met all their needs. Security was obviously a consideration in their decision, but it didn't outweigh their need for a usable system.

The real issue is that the ease of use that they desire is somewhat in opposition to a high level of security. This means that an alternative to Exchange/Outlook may not provide them with greatly increased security. For them to change and eat the rather high costs or retraining their employees, there needs to be a product that does a considerably better better job of meeting their needs, with security only being part of those needs.

Re:Then why do they stay?

[elandal]

We run Exchange Server, and we get hit by an Exchange Server virii
Quick solution: Don't use exchange server.

A solution allowing internal use of Exchange is also possible.

Don't expose Exchange servers to the internet. Have internet email come to a secure MTA (no, not sendmail, something more simple and more easily secured). The internet-MTA can then spool email for virusscanning and whatever other mangling needs to be done (remove every attachment with filename ending with .vbs (and a hundred others) and so on). After mangling, forward to internal Exchange servers.

Easy, doesn't require powerful machines even for a large amount of email (OK, depends on the amount of mangling done), easily replicated to several sites, and likely to be near-zero administration.

Re:Then why do they stay?

[Pii]

For every hour that an USAF fighter jock, mechanic, paper-pusher, or whatever is in training, that's one less hour they are available to do their real job. And yeah, some people may have enough slack time that this wouldn't be an issue, but I suspect that it's not true for the organization as a whole. You have to look at things like opportunity costs when you're talking about a change over to an entirely new system.

We are talking about changing the back end, not necessarily the client side. The only people that need retraining would be the IT folk, not every Pilot, Mechanic, or Clerk.

Plus you're assuming that the trainers would be military also. I seriously doubt that.

I have no first hand experience with the Air Force in this regard, but I do have first hand experience with the way the Marine Corps does this. Every single instructor at the Marine Corps' Computer Science School is a Marine. Every non-instructor position that made up the rest of the school was either a Marine, or a Purple person (Civilian employees of the Department of Defense). I would be surprised if the same did not hold true for the other branches of Service. (Not terribly surprised... The Marine Corps does a number of things differently than the other branches...)

And, funny thing, this is exactly the same issues that corporations face. After all, they're already paying people for their time, regardless of what they're tasked with. And they're responsible (osteniably) for all job-related training. But the costs - in both time and money - are not insignificant for any company of any size.

And this is what people seem to be misunderstanding about the Military... This is nowhere near the same issue that corporations face. Every decision a corporation makes reflects the bottom line, as corporations exist to turn a profit. The Military is not encumbered by this guiding principle. Sure, they have a budget to work within, but if their requirements change, or the need is great, they get additional funds, and they do what must be done to satisfy requirements that no corporation has to consider.

The purpose of the military is to win wars, and when they make a decision, lives hang in the balance .

Few corporations can make that boast, defense contractors being the most likely exceptions.

If the solution carries a higher pricetag, but saves lives, and better enables the military to communicate effectively and securely, putting the ultimate goal (winning wars) within reach, the cost or effort does not matter. For them, bottom line is not the single most important factor in arriving at a solution, and the profit-motive is non-existant.

Re:Then why do they stay?

[Znork]

Retraining isnt an argument. People learn to navigate websites, people easily learn to use games, and those are the most UI-divergent 'applications' in existence today, far more different than Windows-vs-GNOME/KDE. Not to mention you have to 'retrain' all those people every time you upgrade MS software anyway.

If they can handle all that, they can *easily* handle doing their basic job with Linux rather than Windows.

People arent *quite* as stupid as some UI experts would have us believe (well, most people at least. The helpdesk hoggers are another matter, but they call even if their desktop looks the same as it did yesterday). Most people can easily move from one piece of software to another. They do it every day.

Re:Then why do they stay?

[ari{Dal}]

I wasn't talking about the training of new people coming in... you'll notice in my post i said "REtrain". Anyone who's going to switch software systems to something they've never used before is going to need retraining.. and that's going to be just about everyone from the top down. The initial training isn't the problem, its the repitition of that week of training or so that's going to cause headaches.

Re:Then why do they stay?

[jtosburn]

Quoth Zathrus:
As to the original question - what else are they going to use? There's a great huge gaping whole when it comes to productivity software like Exchange/Outlook. Yes, there's Notes. Yes, there's Netscape/Solaris whatever-its-called-now. And maybe Novell still has a solution (I don't know personally). But none of them match the ease of use, "ease" of administration, and interoperability offered by Exchange/Outlook. They either don't work as well together across various pieces, they cost too much to maintain, or they don't integrate as well into the OS (gee, surprise... anyone? And no... I'm sure being a monopoly had NOTHING to do with that... riiight).

If you aren't familiar with the alternatives, how can you assess their attributes in any remotely meaningful way? I won't try to provide the answers, though I'm evaluating everything I can find to fill this gap at my company, but for the record, the main possibilities that I see, so far are:

* MS Exchange
* Lotus Domino / Notes (can use Outlook as client if you wish)
* Novell Groupwise
* Samsung SDS Contact, the next version of HP's OpenMail, which no one appears to have seen yet.
* Sun's iPlanet Calendar Server, maybe can use Outlook as client, but intends web client access
* Steltor Corporate Time Server, can use Outlook as client
* Bynari Insight, also can use Outlook as a client (can you tell that this a (unfortunate) requirement for me ? )

This is taking the definition of groupware rather loosely...providing email is no big deal, so providing calendar / resource scheduling services is the priority for me. Others may be just as interested in the various collaboration tools and archiving stuff found in Notes & Groupwise.

Re:Then why do they stay?

[Caraig]

The purpose of the military is to win wars,

Exactly. The purpose of the military is to win wars. The trouble with implementing any new computer system in the military, however, is that, while you have people who know their jobs very well, they don't usually know more than their jobs, nor can they be expected to.

A good example is in the Coast Guard, and I know this applies to other services. The USCG was using an old Unisys BTOS/CTOS systems running over an X.25 network, approximately five-six years ago. We were making the transition to a Windows NT system.

Now, contrary to what one might think, every person in the Coast Guard has a job to do, and in order to even break even, the Coast Guard has to get at least eight hours of that person's work out of them a day (less weekends, usually, but not always; let's not even go into duty aboard cutters!)

Let's look into how implementing that new system works: you start with your TTs, the Telecom Techs, who tend to already be understaffed. You need to send them to training for *administrating* the new system even before you have them installing the new boxen. If nobody else in the service knows how to teach others how to run that system, your TTs/SysOps need to be sent to a civilian training center, or you need to somehow compensate them for taking a training course. Microsoft or Novell courses can run upwards of a couple thousand, easilly.
(Keep in mind, that knowing how to administer a system is much, much different from knowing how to TEACH someone to administer a system.)

Now that you have taken a few weeks to send all your TTs to MCSA or MCSE courses and gotten them certified, and meanwhile the systems back at their commands going to hell and back, you can then make the big decision: implement the new system, or train your people in the new system? This is not an easy question, and just saying 'do both at the same time!' doesn't cut it, kemo sabe. Let's say you take some people off their current duties and send them to training before the new system comes in. You just lost the work of those people in their assigned specialty, and in some understaffed commands that is painful.

Now, say they come back and will help out the other users while the new system gets thrown in hurriedly. First off, your TTs are going to be working 24-hour days to get that new system in, they won't be able to help the users. The 'core group' of people you trained before the turnover will not only have to do their work on (very likely) a system experiencing teething pains, they'll have to nursemaid all the rest of the users in using the new system before they can be sent off to training as well. Now, this second batch of training can be spread out over the course of several months, and by then you might have people in the service who can teach them, so you don't have to go out to civilian agencies. However, chances are, these instructors will be full time instructors: they are more people on the service's payroll, either uniformed or DoD employee. Granted, their duties are to train, train, and train some more, but they are another expense, especially if you had to send them off into civilian world get trained as instructors, and even more so if you have to train someone to take over the work they were doing before becoming instructors.

Now, let's go back to your point about just changing the back end. In this case, that's not really an option. Sure, you could transfer all the servers to Linux boxen running some version of sendmail, but you still have to deal with Outlook and it's miserable foibles. And you still have to train your TTs in administrating *nixie-boxen and sendmail servers. Oh, and you might have to train them to be programmers too, because unless you shell out the bucks for a commercial sendmail implementation, there won't be any reliable support they can fall back on. (Insert off-topic rant about problems with open-source, non-commercial solutions HERE.) =) Or you could train up some TTs or hire some consultants to do your programming for you, which is MORE cost, MORE training, MORE mouths to feed. Maybe not as much as if the whole system was shifted over entirely to a new system, but still very much non-trivial. And then you'll have to do the rollover to the new system, which will mean more 24-hour days for your already haggard TTs. For The Good Of The Country notwithstanding, you have just made your TTs both very highly trained and very highly miserable, which means they will be very highly inclined to trade in their fatigues for business suits and a very stable and comfortable life for their families which doesn't mean moving to some new and exotic hellhole every four years.

The military does not have some magic source of funds that renews itself every pay cycle. That money has to come from somewhere. The growing trend these days is to do "more with less:" more work with less personnel. "More with less" means, actually, "more work with less trained personnel." These are people who have to be trained for their job; I would not expect a bosun's mate fresh out of BM school to be able to run the armory at a base, neither would I expect a gunny's mate to do the deckwork aboard a CG cutter. And that training is also a non-trivial expense, since you have dedicated training facilities, dedicated material, and dedicated instructors, PLUS you're still paying the student his regular wages, AND feeding everyone involved!

I don't know how it is for the combat arms, but for us REMFs and other non-combat personnel (marine inspector, in my case) you start kissing away any semblance of a stable life. Which is all well and good if you're risking your life for your country and achieving something that is worthwhile, but crawling through a double-bottomed tanker at 2AM with a 'Dear John' letter waiting for you at home just so the tanker inspection can be done that night, and so you can do the same thing but *twice* the next day.... Well, let's just say that it wears on you. I'm sure those TT's whom you have just consigned to Military Server Room Hell for a couple of weeks are going to start thinking that "more with less" sucks rocks. =)

This is why you will not see a turn-over to a new system more than maybe once a decade or two: that is, enough time for the people in charge to forget how expensive, time-consuming, problem-ridden the last one was, and for the newer technology to be glitzy and sparkly enough. The Air Force (and the other services) have already devoted gobs of manpower, time, and money into moving over to the new Windows systems. They're not going to say 'This was a bad idea,' and adopt penguin-boxen all around, or any other kindof system. They're going to tough throuh with what they have as best as they can, because they've already put in a lot of effort into training and hardware (and software, too, considering MS's pricing schemes.)

Re:Then why do they stay?

[guisar]

Nonsense- complete and total nonsense. I hear this sort of stuff all the time and yet do I see any specific examples other than a list of meaningless features none of which actually work as advertised? NO! I say this as a field grade (aka relatively senior) officer in the military who is force to use exchange at work. At home I use the KDE and Mozilla. I don't feel hampered at all using the system at home- can't say the same regarding Exchange/Outlook. they are a heavy duty (in terms of resources), slow and awkward "system". They offer no real functional advantages I have ever seen over Mozilla and KDE.

Justin

Re:Then why do they stay?

[YrWrstNtmr]

"most military people just do busy work when not at war."

Not even close, Sunshine. In the USAF, the daily mission is the same in combat or peacetime. Support the flying mission.
Basically, only the pilots job is different. Drop training bombs or real bombs.

Re:Then why do they stay?

[GooberToo]

Hmmm...the half dozen people I know that are in the service tell a completely different story.

Re:Then why do they stay?

[farsighed]

Except that the USAF is phasing out it's programmer types- the 3C0 (used to be 491) career field is now Information Management- in other words, programmers and operators are having to compete with secretaries, er, administrative assistants for promotions, career advancement, etc. Which is unfair to both the computer guys and the secretaries; I couldn't care less what shelf the regulation for keeping my hair cut right is on, and they couldn't tell the difference between a function and a procedure. Nor should they. (I got out in '97.)

All development (and i get the feeling operations) are moving towards contracting... and so did I. :)

-- F.S.

Re:Then why do they stay?

[argel]

We are talking about changing the back end, not necessarily the client side. The only people that need retraining would be the IT folk, not every Pilot, Mechanic, or Clerk.

But what is the point of running Exchange without using the Outlook client??? You cannot always sperate the backend from the client!

Nice to see...

[Pii]

You know, when a customer that has $6B dollars a year to spend on technology say jump, Microsoft had better damn well be asking "How High?"

I'm kind of disappointed that the Air Force is using Exchange in the first place. I hope that when they realize that Microsoft is not ever going to be able to meet the somewhat unique requirements of the DoD (For them, lives do hang in the balance), that they are willing to take their business elsewhere.

Re:Nice to see...

[Budgreen]

. "We just can't afford the exposures, and so those who give us better solutions,that's where we're going to put our business," Sounds Like a call for USAF-linux eh? eh?

Re:Nice to see...

[Pii]

Well actually, as a veteran (see my Bio) with an IT Specialty, I do actually have some insight as to the requirements for Information Technology in the military. Since I left the service, I've supported myself as a consultant it this industry, so yes, I do have a good grasp of why Microsoft is a bad choice.

Great post though, really. Keep 'em coming.

Re:Nice to see...

[Martin+S.]

You know, when a customer that has $6B dollars a year to spend on technology say jump, Microsoft had better damn well be asking "How High?"

EXCEPT it appears that Microsoft have been giving the Air Force the run around for two years. If they can do that, what hope do morals have ?

Re:Nice to see...

[BlueboyX]

I am afraid I agree. I would think that the DoD would want to use their own version of Linux or an OS totally their own. The military historically has made alot of their own stuff using their own programming languages. Why would this be different?

I think that I can answer my question myself though. With spending cutbacks + computers in every military building, they need something that they can easily and cheaply contract new software for. Windows has VB, VC++ etc so that the same app can be more cheaply than for other OS's (well, whether that is true or not is not as important as the fact that the BELIEVE that it is true). Like many corporations nowdays, they just want to point to a problem, throw some money at someone and say 'fix it' without having worrying about it anymore. This would be as opposed to having teams of their own computer scientists writing programs for and supporting Linux/DoDix/whatever.

I am thinking that their current use of windows is a transitional state, but a transition to what is the quesiton.

Is this government's role?

[theonomist]

The Air Force is free to buy a better operating system, if they can find one. And, yes, it's right and proper for a customer to make requests known to vendors. However, the threatening posture of the Air Force in this matter, in the context of ongoing government harrassment of the vendor, is very ominous. The federal government is in the habit of enforcing its "preferences" with deadly force at times, and their reservations about the worth of free competition are well known.

Let's let free enterprise do its job. Political pressure has no role here. The private sector must remain free and independent so that it can provide the solutions that the marketplace wants.

Re:Is this government's role?

[Pii]

Political pressure? Hogwash...

The Air Force is waving it's $6 Billion annual budget at Microsoft, and saying to them that if their shoddy, unsecure software does not dramatically improve, these dollars will be going to your competitors.

That's called "Economic Pressure," and in the free market, it's the single greatest motivator ever, and it always will be.

To put it in democratic terms, the Air Force has issued fair warning that it intends to "vote with it's feet."

Re:Is this government's role?

[sharkey]

government harrassment of the vendor

I think you misspelled "government bending over for the vendor".

Re:Is this government's role?

[coltrane99]

Air force is part of the public sector. Any pressure they apply can be construed as 'political'. In this case, such a view is unfounded.

Re:Is this government's role?

[BasharTeg]

Let's let free enterprise do its job. Political pressure has no role here. The private sector must remain free and independent so that it can provide the solutions that the marketplace wants.

This is complete garbage. The government is a customer and a member of the marketplace too. Just as IBM, or DELL, or some other company who does business with Microsoft could put "pressure" on them, so can government agencies, who are customers also. The government harrassment, and Air Force's "threatening posture" are no different than two businesses exchanging fire over their differences. THIS is how free enterprise works. You are free to make a crappy product, but the Air Force is free to complain about it, demand that you fix it, slam you publicly about it, and threaten to take action, including switching to another product. You're forgetting the consumer side of "free enterprise."

Besides, national security is a priority, and they have every right to demand security in the software that's trusted for that use. What happens when NASA buys a crappy booster rocket, and it falls apart? Are they not allowed to put political pressure on the company that produced it, because that would be a bother to free enterpise? Give me a break.

Re:Is this government's role?

[Cirrocco]

This doesn't amount to political pressure as I see it. This seems to me to be a case of, "Your product isn't meeting our specifications. You need to change your ways or else you will be replaced." I believe that the free market should be "Darwinic" (that's supposed to be an adjective) but when lives are in the balance there is little room for error and putting pressure on Microsoft to change their ways is a GOOD thing. I wouldn't mind using Microsoft products if they were stable.

Re:Is this government's role?

[chuckr11]

I think you're misunderstanding. The USAF CIO is
making no political statement, they're only trying to use their fairly large budget to coerce MS. This often backfires on them, because while they *do* have a large budget, it's not so large as to wield irrestible economic force. If they ask for too much (and they do that more than once a year, usually) then they just get ignored, except in the press.

Re:Is this government's role?

[the_consumer]

From the article:

A top U.S. Air Force official has warned Microsoft to dramatically improve the security of its software or risk losing the Air Force as a customer.

This is harrasment? This is political pressure? Did you read the article? Are you a MS shill?

Re:Is this government's role?

[praedor]

Huh? The MILITARY has national security interests in this. Of COURSE they have say. They are NOT threatening to attack Redmond with B-52s if security issues aren't better dealt with, they are implying that M$ may lose a major customer if they don't clean up their crap. That is absolutely valid and correct.

Feel free to remove your aluminum foil hat and catch some sunshine.

Re:Is this government's role?

[Grishnakh]

They are NOT threatening to attack Redmond with B-52s if security issues aren't better dealt with...

Now that's something I'd like to see.

canadian air force

[Toshito]

The canadian air force is also putting a lot of pressure on punch card manufacturers to force them to close a lot a security holes in their software...

Re:canadian air force

[TheTomcat]

Nice pun. (-;

S

Re:canadian air force

[Pope]

Only cuz you guys took our Arrows away! :)

Re:canadian air force

[Toshito]

I'm a canadian... and yes they took our Arrows!!!

Is this because ...

[NWT]

... a 12 year old taliban-boy hacked their win2k servers? *outch*

Re:Is this because ...

[ethereal]

Was this after he got done watching DivX movies on his Commodore?

Not a matter of warning

[jfonseca]

It doesn't matter who warns Microsoft and when. Security isn't something you suddenly do, it is built from architecture to deployment, and Microsoft is nowhere close to engineering any secure products.

Windows is insecure in its conception, and unfortunately I see very little that can be done to reverse this.

Re:Not a matter of warning

[fireweaver]

Actually, it could be done, but -only- at the expence of tossing out everything they have done so far and starting with a blank slate. Somehow, I think M$ is not willing to do that.

Re:Not a matter of warning

[rhizome]

You probably have a different sense of "security" than Microsoft does. The edict from billg was only the first step in Microsoft's embracing and extending the public's perception of computer security. It's not that MS will re-engineer their software to meet security standards derived from decades of experience, because Microsoft has never done anything like that. The closest example to this process would be the focus on Internet Explorer throughout the late '90s, where MS made strides in browser engine design, but at the expense of standards and other browser companies. Microsoft has never played nice in the sandbox (only "concessions", like today's MSKerberos story from the EU), they simply use advertising and PR to redefine "security" as "that which Microsoft provides".

Re:Not a matter of warning

[Waffle+Iron]

Security isn't something you suddenly do, it is built from architecture to deployment

This is very true. Lately, however, I've been thinking that Microsoft and Unix/Linux/*BSD are all pretty much in the same boat. The update treadmills for both OS families have been spinning faster and faster. I need to run Windows Update half a dozen times in series to attempt to secure a fresh Windows install. The update RPMs since RedHat 7.2 came out are something like 800MB.

For a different perspective, check out the EROS OS website. This is an OS "capabilities" based security model. They claim that in an age of interconnected machines and portable code, the ACL-style security model of NT and Posix is woefully inadequate.

(If resources are like doors, then an ACL is like a security badge reader. You give your badge to your programs, and they are free to try to open any door they find with your badge. In a capability system, OTOH, resources have keyed locks, and no two locks are the same. You hand your programs only the keys they need for the resources they should use. They have no other way to open any other doors. In fact, they can't even see doors they don't have keys for.)

I'm not an expert, I don't know how much I should buy into their arguments, but it's opened my mind to the possibility that there could be better security models out there than what most people have always assumed. Security probably should be built into the system even deeper than it is done on current popular OSes.

Re:Not a matter of warning

[ClosedSource]

"Security isn't something you suddenly do, it is built from architecture to deployment"

Of course, the Internet itself wasn't designed to be secure, so by your standard we should throw it out and come up with something else.

Re:Not a matter of warning

[jfonseca]

Microsoft's sense of security is not only different from mine, it is different from reality. Like a PhD thesis, these types of things are only proven in practice, and practice shows, time and time again, that their approach to software construction is insecure.

And still some admire them for releasing timely patches. Well if were Microsoft I'd thank the white hats for warning them of a security flaw weeks before the public.

I agree with you. Their view of security is a marketed approach to security. Just read what Bruce Schneier has to say about Microsoft's "sense".

Still on the practical side of things, not going into OS wars, just subscribe to bugtraq and do a little statistics on daily microsoft bugs and holes discovered. I find it amazing that anyone out there on mission critical environments, specifically official government and defense agencies, are still using this stuff.

I apologize if I am offending some Microsoft fans out there but to me Microsoft security, reliability and credibility have ceased to exist long ago.

Re:Not a matter of warning

[jfonseca]

The Internet was designed with the sole purpose of being secure, to stand through a massive nuclear attack on US soil and still communicate through alternate routes.

Go back to 101 kid, you have no clue what the internet is. And you completely lack the respect that the late Jon Postel and the original creators of the first Internet protocols deserve.

Re:Not a matter of warning

[Pii]

Ummm... No.

You have adequately defined what the Internet was designed for, but you have mislabelled it.

The Internet was not designes to be secure. It was designed to be redundant, or fault tolerant, and the protocols it uses are designed to ensure standards based interoperability.

I whole-hearedly agree with your sentiments regarding Postel and company, though.

Re:Not a matter of warning

[ClosedSource]

"The Internet was designed with the sole purpose of being secure, to stand through a massive nuclear attack on US soil and still communicate through alternate routes."

I think you're confusing robustness with security.

"Go back to 101 kid, you have no clue what the internet is."

Ah, the ad hominem argument. If you believe that internet protocols are so secure why don't you give the details instead of insulting me?

Re:Not a matter of warning

[jfonseca]

Redundancy is a form of physical security.

Logical security includes what you are probably thinking of as the whole deal. But your concept is incomplete, since fault tolerance is also vital to a system, there is no use in having a very logically secure network that is not tolerant to mass physical failure. Am I saying something absurd here, or have you seen what I meant?

Indeed I made a final nervous comment, but read back through your reply to my post, you totally discarded my argument as childish and unfundamented.

The details? Well the internet is insecure huh? Right now, drop what you are doing, and take the internet down. Hack it, make yourself untraceable, isn't the internet insecure? I'll see you on 8 PM news, you have a few hours to do it.

You can't. The internet is secure, the protocols are good, and so far the brightest minds out there have not come up with something better.

I am not saying you can't revolutionize it all, in fact I encourage you to.

When I was criticizing an obviously flawed and mediocre operating system, you came and compared it to the internet. The world can't do without the internet, it can do without Windows.

Sorry if I offended you, didn't mean to. My argument is sound, and I dare not compare the Internet to Windows.

Re:Not a matter of warning

[jfonseca]

Please take a look at my reply below, fault tolerance is a form of security, since the system will not respond in case of physical failure - remember the security concept the chain is only as strong as its weakest link? You might have thought of logical security only, which is ok, but incomplete. Without physical security a system is worthless.

The internet was designed do be a defense project, if you still want to argue it was not made to be secure I'd please ask you to read some more on DARPA and why congress spends so much tax payer money there.

I guarantee you it is not for making insecure though fault tolerant systems.

Re:Not a matter of warning

[ClosedSource]

"Redundancy is a form of physical security."

I can accept that. But obviously the point of your original post on MS had nothing to do with physical security, so you might have changed the definition to avoid having to meet my argument head-on.

"Indeed I made a final nervous comment, but read back through your reply to my post, you totally discarded my argument as childish and unfundamented."

That was not my intent. But if you're going to make a general argument and then use it against someone or something, you should be prepared to have that argument applied in ways that you might not like. Thus it seems like a great argument when applied to MS, but you're not so comfortable with it when it is applied to the Internet.

"Hack it, make yourself untraceable, isn't the internet insecure? I'll see you on 8 PM news, you have a few hours to do it."

I have no desire to do so, but are you suggesting that all Internet hackers have been caught?

Anyway, thanks for the informative conversation.

Re:Not a matter of warning

[Pii]

I understand how you can include redundant capabilities into a comprehensive view of security, but I don't think that's what the original poster meant when he referred to "security," nor is it what most people would categorize as "security" today.

Aside from that, your view falls apart for other reasons. If, as you seem to believe, the protocols commonly referred to as TCP/IP were "designed to be secure," or to "provide security," then why was packet-level payload encryption only recently (in the 30 years of TCP/IP) added? How did usernames/passwords transmitted across the network in clear-text become the norm, rather than the exception? Why was source routing ever included?

The TCP/IP protocol suite is not, nor has it ever been, about security. It has always been about redundancy, fault-tolerance, and interoperability.

"Security" has until recently been left to the applications themselves. Security has always been an afterthought. If that were not the case, how would the man-in-the-middle attacks, and packet sniffers, ever have posed a security risk?

Our favorite little DARPA project did indeed begin as a defense project, and was primarily to increase our level of national security, but that end was served by providing the mechanisms to route around failures in the network, not in keeping the network traffic safe from prying eyes.

Re:Not a matter of warning

[jfonseca]

Your argument is wrong once again. TCP/IP includes what we call the applicaton layer which is free to encrypt the payload or not. The protocol is secure because it allows the encapsulation of secure data within it's payload transparently. You may even encapsulate TCP/IP within TCP/IP, encrypt it, etc

This discussion is going nowhere, we're obviously talking at two different perspectives, I think the application is responsible for the logical security and the protocol is responsible for the physical security. You think the protocol should handle it all....

In the end TCP/IP is a masterpiece, it is secure alright. Not that there won't be many future improvements to it, but it is one heck of an engineering craft.

This is free enterprise.

[glrotate]

This is a large customer threatening (sorta) to take their buisness elsewhere. When large high profile customers raise a stink vendors take notice. This is exactly how the security problem will get fixed. Hopefully other large clients will follow suit.

Ever heard the saying "The sqeeky wheel gets the grease"?

Re: It's not the server, it's the client.

[Robber+Baron]

Exchange may have it's faults, but I've seen virii spread with equal rapidity via Sendmail. If you want to blame something, blame Outlook. Or more correctly blame the default settings to which Outlook installs.

It's their own fault

[halftrack]

Why don't the airforce look at the self. When choosing their systems they must have been aware about the major security riscs Microsoft products hav a history of having. They must have known that their excists ten's-of-thousands viruses targeted at the Windows operating system. They must also have known that in the war against the viruses the crackers have got the element of suprise. They must also have known that Microsoft products are - by crackers - looked at as unreasonable easy systems to break into. Is this information I'm sitting on some kind of secret or is there another reason the US Air Force did choose to base their framework on Microsoft.

I would dare to say that the airforce has been misleaded. Maybe they overlooked alternatives - like Linux - because there wasn't a big organization behind or maybe they were swayed by something else. Is it now too late for them to change their systems or is there still hope for their security? How can they ever be sure that Microsoft has secured their systems?

Re:It's their own fault

[tongue]

Government organizations more so than anyone else need a scapegoat to point a finger at when something doesn't go right. Free software is starting to make inroads into these types of organizations, but the root of the problem is the level of bureaucracy that has to be dealt with in order to actually DO anything in government. In the name of protecting taxpayer "investment", there is all sorts of documentation, testing, and basic criteria that have to be met, and while Linux and BSD are completely capable of meeting those criteria, they require someone like RedHat to actually do the legwork to get them in the door. Up until very recently nobody has been interested because of the level of nastiness that has to be dealt with; with the advent of the NSA's secure linux, however, this may be apt to change in the near and not-terribly-distant future.

Security is a Must

[PineHall]

Microsoft must provide a secure OS. And it has to be more than words. Businesses and government agencies are recognizing the cost of an insecure OS. Right now I wonder if Microsoft truely realizes that they are in a precarious place. They need to spend big bucks to make their OS secure. Talking the talk will not do it. Adding on security to their OS will not do it. They need a major rewrite of the OS to fix it. That will cost, but Microsoft has the money. Do they have the will to do it?

Responsibility

[ksw2]

As much as I enjoy seeing Microsoft get negative publicity, maybe the Airforce should evaluate their own security practices... I mean, wasn't the Lovebug an email attachment virus? Couldn't a relevant security policy have changed this? I'm not fluent in Windows holes, but it seems to me if they have a huge problem with Outlook in particular, USAF could mandate Eudora as their official email client rather easily.

I'm not trying to say M$ is inoccent, I just want to point out that no matter how secure the OS is, users need to be educated in computer security, or it's all going to go to shit anwyay. My $0.02 (cha-ching)

Re:Responsibility

[sheldon]

There are add-on's to exchange that prevent the spread of these viruses thru filtering.

There are patches to Outlook that prevent the spread of these viruses.

There is anti-virus software with links into Outlook that prevents the spread of these viruses.

Your right, with a proper security policy in place this isn't an issue.

Re:Responsibility

[MillionthMonkey]

As much as I enjoy seeing Microsoft get negative publicity, maybe the Airforce should evaluate their own security practices... I mean, wasn't the Lovebug an email attachment virus? Couldn't a relevant security policy have changed this?

The Air Force shouldn't be using Outlook. How did the worst possible email client get deployed in the Air Force? It's a platform for launching viruses and worms. (You can also read your email with it.) Users should be able to click on an email attachment- hell, they should be able to view the email in a preview pane- without having to worry that it might propagate a worm. Period. Anyone who thinks otherwise shouldn't be let anywhere near a compiler.

Using Outlook is inherently risky. Our company has standardized on it for some reason (it comes with Office is why, I guess) and our network admin is resisting whiny requests from management for an Exchange server. Just last week someone using Outlook clicked on an .scr attachment he got from a guy he exchanged business cards with at a conference. Well, as soon as he did that, the .scr went out to every single one of our customers. ("Hey, c'mere, what's an .scr file supposed to do?") Serves us right, I guess.

If I were a four star general and that happened to me, I'd want to drop a daisy cutter on the Microsoft campus.

Re:Responsibility

[WildBeast]

Look, if I, a Junior sysadmin was able to protect my company from the ILOVU virus (we use Exchange and Outlook btw); I have to wonder how the government fails to protect itself. Maybe the sysadmins in there are ignorant or maybe they just don't have much time on there hands.

Re:Responsibility

[flatrock]

You can make it so Outlook won't run .scr files. I agree that this should be the default case, but this is something you can fix.

Your company has probably standardized on Outlook because they need Calander and a Mail CLient, and Outlook is a powerful, integrated tool for these tasks, ..... and it comes with Office. Outlook is very insecure in it's default install, but if can be made much better with a little effort. You trade sume functionality for the increased security, but that's uaually a tradeoff you have to make for increased security.

You definately don't like Outlook, but what do you reccomend? What do you think is a good replacement for the functionality that Outlook provides, including features such as calander software and such?

Re:Responsibility

[flatrock]

They like everyone else always have more to do than time to do it, but they deal with a tremendous amount of email volume from all over the world. This means that they often get these viruses before the security alerts go out, and don't get the advanced warning that many small companies get the benefit of.

Re:Responsibility

[DunbarTheInept]

You bandy about the word "prevent" too easily.
If thpse updates actually prevented the spread of viruses, there would only need to be one such update. But they keep having to come out with new ones, for some reason - oh yeah, because the previous ones didn't catch everything.

Re:Responsibility

[frank_adrian314159]

You definately don't like Outlook, but what do you reccomend? What do you think is a good replacement for the functionality that Outlook provides, including features such as calander software and such?

Lotus Domino. Preferably on an IBM iSeries, but on a PC if you have to. All of the calendaring, none of the viruses...

Re:Responsibility

[Shadarr]

"Our company has standardized on it for some reason..."

Our company standardized on Outlook/Exchange (and got taken down by Code Red because of it). The reason I heard that actually makes sense is that investors (who are completely clueless about technology but invest in tech companies) think Outlook is what "serious" companies use. So even though the people at our company making the decision know it's stupid, they did it anyway because otherwise people who know nothing won't give them money. It's sick, but it's better than having a CIO who actually thinks Outlook is a good product.

Re:Responsibility

[sheldon]

If you do not understand the issues, please don't bother to respond.

The updates I spoke of are only re-released when new versions of the applications come out, for compatibility reasons. Yes, the virus definition files do have weekly updates, but that is all.

Are you even aware of the Outlook 2000 update and what it does?

Re:Responsibility

[zeda]

How do you think Outlook got deployed.

Some Generals were probably conned by M$ sales reps like usually. Except when Generals give orders you have to obey.

Re:Responsibility

[DunbarTheInept]

It doesn't matter what the Outlook 2000 update does. ALL software has the following common problem: FIRST the exploit is discovered, THEN LATER it gets patched. Thus to claim that a patch "prevents" the security holes is a claim that cannot possibly be true. There will always be a window of time between discovery and patch during which the system is vulnerable. It cannot be any other way.

And they should have used Sendmail?

[glrotate]

That impenetrable fortress of electronic communication?

I Love (Bug) the Air Force!

[switcha]

Two years ago, the Love Bug virus "ran rampant" through the Air Force's e-mail system, which runs on Microsoft Exchange software, says Michael Erbschloe, vice president of research at Computer Economics and author of two books on computer security.

Hence the Army's move 2 years ago to a more secure system. Who's the jarhead now?

(is there a '-1 Mactroll' option?)

Re:I Love (Bug) the Air Force!

[switcha]

Ouch. Busted. +1 Calling Me Out.

Re:I Love (Bug) the Air Force!

[Amazing+Quantum+Man]

Hence the Army's move 2 years ago [appleturns.com] to a more secure system. Who's the jarhead now?

Uh, the Marines? No offense intended to any leathernecks out there. But when I dealt with the Army and the USMC, the Marines were the jarheads.

ummm....just hire better programmers

[v0id_nine]

Instead of the military spending billions on operating systems, why don't they just use Linux and use the money to hire programmers that will maintain security??

Re:ummm....just hire better programmers

[RangerBob]

Umm.... could it be because private citizens and companies looking for governmental corporate welfare would start screaming about this magical "Big Government" bit?

See, any government organization is prone to the "damned if you do, damned if you don't" mantra. In the US case, it's because politicians have been laying out lines of bull for so long that people believe it. Yes, using OSS in some cases and keeping some programmers around would probably be cheaper. If you don't believe me, first go look at how much some governmental contracts cost and then look at what services are provided. Yes, in most cases they're bilking the taxpayers. The problem is that Congressmen get their money from big businesses that want these cash cow contracts and the general public is too lazy to figure out that most of these contracts cost far more than it would to just keep some Federal employees around.

Re:ummm....just hire better programmers

[behanna]

There's a reason that DARPA is funding the Trusted BSD project, not the TrustedLinux project.

Being a Communications/Computer officer in the AF

[gsfprez]

I totaly disbelieve this article.

We are whole heartedly all out sold out to Microsoft.

We (actually, the US military) have recently implimented a MS only messaging solution using Exchange and Outlook called DMS. The solution took well over 6 years to develop secure email (snicker), and still doesn't work right. Even though there is freeware that could have been implimented that we would be able to see the source code for - the PHB lemmings of the AF chose, instead, to go with a MS solution.

We also recently moved to a multi-thousand GAL (global Address list) - the microsoft proprietary solution which has opened us up for years to things like Mellissa and I LOVE YOU and all of that other crap that used MS features to spread itself like wildfire.

Every base has MS license agreemets for support - and by those agreements - like the rest of the world - are either going to continue paying $.50 a hit for our fix each year, or pay $100 each time we buy another computer.

As a young Lt., I spent 6 months replaceing perfectly functional Solaris boxes that performed our web, smtp, DNS, SQL, and other basic network services with NT 4.0 boxes. A week after we recovered from Service Pack 2 - i strongly recommended that we slow our migration - and that it was costing us more time and money supporting Windows machines than the UNIX boxes which never needed any work or upkeep. Some had uptimes of 4 years until I pulled the plugs on them. (don't beat me - i was the lowest ranking puke in the house - and i did what i was told)

After the first virus attack - I stood up in a meeting and demanded to know why the room wanted to spend all its time figureing out how to rip out the functionalities of the Windows boxes that made us vulnerable and didn't look at solutions which were inherently not vulnerable - and was flabbergasted. It was like I was in a room full of guys from Boston and had said that the Bruins sucked. They all became instant apologists for MS and their shit software... how it wasn't that hard to fix the problem and that we had virus software, yada yada yada..

Meanwhile - my home Mac OS 8 server was chugging along just fine, even though I had gotten the viruses from lots of people at work. But it easily could have been a FreeBSD or Linux box too.

This is a lot of huffing a puffing. Its a farce. It is because there is no one with the nads to make a descision against what everyone knows - that MS 0wn2 J00, stupid Air Force.

message received?

[ethereal]

"This is what our customers expect and demand," says Steve Lipner, Microsoft's director of security assurance. "Message received. We're working night and day on security."

That's great, Steve. Except how long ago was this message sent - two years? four years? six years? You guys have had lousy security ever since you happened upon the 'net, and you're just now figuring out that it's important? Exactly how slow are your nervous systems, anyway?

Pretty much everything said from the Mouth of Microsoft these days is in CYA-mode, it seems to me.

mistaken perceptions....

[rusty0101]

I was just thinking back on why this might be a problem for the military in general. Havng had some experience as an admin in the Army, amoungst some other experiences, I feel comfortable with the asertion that from the perspective of a software user, the millitary is no different than any major corporate entity. While they do have hardware and software than most corporations do not have, the same can be said for GM, Sabre, and Citicorp. Yet for most day to day operational stuff, admins, supply people, and more and more mechanics are using off the shelf software to support their job. Part of this is cost savings. Even at inflated dod prices, it costs them less to purchase Office than it does to write their own office suite. For situations that do not require hardened computers, it is cheaper to buy off the shelf than to custom order. That doesn't mean that these systems require any less security than corporate systems do, or even that they need more security, though that is arguable. However the implications of a hacked PC that manages where soldiers are going to be stationed, or what parts are in inventory, or what grade screw belongs on that part of the engine, are a bit different for computers in the military than they are for a corporate office. Likewise for whether that order makes it to the server in a timely manner. For a buisness, it means money. For the Military it also means money, but it can also mean lives, or battles. -Rusty

Re:mistaken perceptions....

[mgkimsal2]

Even at inflated dod prices, it costs them less to purchase Office than it does to write their own office suite.

Fair enough, but ...

How much does the Air Force spend on MS Office? Could we say $1 million per year? For that million, they could dedicate 8-10 programmers to open office, helping to add in missing features and special things the Air Force would like to see, all the while being able to audit the security of it.

Most corps can't do that. The military/government *could*. Instead of constantly saying 'but it's cheaper to buy' run some numbers. What's it cheaper for in 1-3 years, not just next quarter.

If there were more dedicated people working on larger projects like openoffice, perhaps the quality and features would increase to the point where MS Office wouldn't be the defacto standard. And as for support - well, hey, you have people on staff who actually wrote the code. That helps for starters. And training? Again, take some of the money saved and invest it in training for people.

I don't want to sound like a raving anti-MS bigot. I'm far from it. But some long term benefits to computing as a whole could be achieved if organizations could look beyond the short term.

Re:mistaken perceptions....

[Pfhreakaz0id]

if the military is anything like the gov. agency I contract for, money is allocated in fiscal year budgets, period. That's better than public companies, which only look a quarter ahead.

Re:mistaken perceptions....

[dillon_rinker]

It's not just the military or your government agency...it's the whole government. NO monies are allocated on anything more than an annual basis...thus the yearly budget fiasco. It would be VERY difficult to extend this to much more than two years, since the House originates all appropriations bills, and they have 100% turnover every two years (though some of the reps get rehired).

My sister-in-law worked on a ten year project, and every year was a nail-biter as she waited to find out if the last 4-5-6 years of work had been wasted or not.

Re:mistaken perceptions....

[rusty0101]

I am not advocating, defending, or arguing against the decisions that people in the military make. I never was in a position to really advise anyone in what software should be used. My experience was as one of the people using the software.8-10 years ago.

From a user perspective, I have a job that has to be done now. Not when you get around to writing software to support my job. The decisions about what software to start putting on systems were made several years before OpenOffice was even considered as a project.

Considering the interest the NSA has taken in Linux, I would honestly be surprised if there was not several dozen hackers in the military looking through the source code for OpenOffice and providing contributions. They may even be doing so as part of their occupational specialty, though I would be more inclined to suspect that it was being done after hours.

As there is major awareness of problems with the Microsoft Software, and others including Cisco, I am further inclined to suspect that ther are several people in reasonably high positions who are willing to advocate moving to open source. They may even be doing that right now.

At the same time, they are going to be fighting the same arguments from non-open source advocates that any open source advocate faces in the buisness world. In some cases they will have a harder time of it as well. That is because the military likes a single look and feel to things. So, will they standardize on KDE, or Gnome? Or something else?

If handled properly, this could be the entry point for Linux on the desktop to gain market share. If the military uses it, you are probably going to see more businesses convert to it as reservists see it's capabilities. As more businesses convert because of the reservists, you will see more companies selling computers with Linux and Open Office as standard builds.

Then again I'm probably dreaming.

-Rusty

Karma whoring at its finest

[DebtAngel]

"The military and the government don't really have too much choice at this point except to start to put pressure on Microsoft and others to improve software security," Erbschloe says.

Let this be the thread for the Free Software zealots to reply saying, "and therein lies the problem with proprietary software".

It would be quicker...

[fruey]

...to wait for a full settlement in the case against Microsoft, rather than to wait for them to fix security issues.

Can't help but feel that running an operating system that loads of people all have to play with and hack into at will is a strange thing for the Air Force to do.

If I have a car, and I don't like its security features, I sell it and buy another car.

The Microsoft strategy has been, since day one, to marry Windows and the Home PC such that this kind of consumer choice is not possible... but people KEEP buying Windows licences.

Go figure.

A step in the right direction...

[BlueFall]

This is a step in the right direction, but it won't be enough to make MS and other big vendors make their products secure. If technology users want security, they must demand it. The Air Force, while possibly a big customer, is most likely not the biggest that MS must deal with. If OEMs and large corporations demanded secure products, then we'd get somewhere. As it stands, MS doesn't really have to do much for the Air Force. If the AF wants to interact with much of the rest of the world, they have to use MS, secure or not.

Re:A step in the right direction...

[praedor]

It might make a dent in M$ is the Air Force follows the Army's lead and switches to Apple. Pretty damn secure is Apple, love Macs or hate 'em.

oh boy...

[geekoid]

From: the office of B.Gates:
To: AFCIO

I'd like to remind you I own 10% of General Dynamics.
Thank you for your time.

EOF.

Man this is going to be some ineresting politics.
This is what happens when military specs say things like "Must run windows"
Instead of
"Must have GUI front end"

But

[wiredog]

If the Air Force is anything like the Army, it's the sergeants who keep things running.

Re:But

[HeyZuess]

nah... in the army, it's more like us contractors.

Re:But

[jlower]

If they were like the Army, they would have dumped IIS in favor of WebStar running on Mac OS9 which (AFAIK) has never been compromised by an external attack.

No Security without Liability

[Lysander+Luddite]

We'll never see (more) secure products until the manufacturers become legally liable for losses due to the software. There's simply no financial incentive to improve security, especially if you're the biggest player.

My guess is, this letter was an attempt to secure a cheaper license from MS. They're not going to simply switch over to something else.

Re:No Security without Liability

[Error27]

Liability is a bad idea. It is a right of free speech and free thinking for people to be able to create any type of software and distribute it so long as it isn't malicious. They shouldn't have to have a legal department.

If you ask me, the airforce can't complain. Everyone smart enough to watch TV can tell you Microsoft does not make secure products.

It's stupid to pretend to be shocked by this. If anyone should be have to pay for Microsoft's security problems it's the people who bought the software with known security problems... Oh wait, they already do.

Re:No Security without Liability

[Lysander+Luddite]

So basically it is the user's fault they used the software simply because software is free speech? That is a silly argument.

Under your argument the customer should have been liable for any problems caused from Y2K bugs. Instead what happened was laws were passed that created a financial incentive for IT pros to certify everything was y2K compliant.

If you want to write software that absolves you of any kind of product liability then you should not be charging for it. You can then hide your product up in the free speech argument all you want. Name me any other industry where a manufacturer can pawn off ALL (not just gross negligence or imporoper use of the product) but ALL responsibilities for product defects onto the customer.

Re:No Security without Liability

[Xannor]

Liability is a bad idea... Who would be liable if a company used Linux and they got hacked....?

But I do think that companys that release software should "warrenty" it. Basicaly like with UPSs and surge protectord, they should bakc up their software with some kind of damages package when when it fails.

of course there would probably be so many restrictions on how you could claim damages that it would not be worth it.

Re:No Security without Liability

[Error27]

"If you want to write software that absolves you of any kind of product liability then you should not be charging for it."

That's a good distinction to make because it allows free speech. It seems like a small thing, but all the software I use at home falls under this catagory.

In some ways, it's reasonable for vendors to be held responsible for their products, but the idea is still problematic. Liability hurts small vendors more than large vendors. How do you measure the harm done? How do you assign blame to products that were developed by more than one company? Is every Linux company liable for a problem in the Linux kernel? What about software that costs money but is downloaded from another country? What about free products such as Internet Explorer or Outlook?

Some of common security problems are really user interface problems. For example, most users misconfigure windows network neighborhood. Is Microsoft liable for that?

In your first post you stated: "My guess is, this letter was an attempt to secure a cheaper license from MS. They're not going to simply switch over to something else."

I agree with you, and I suspect no new laws are going to change this. There may be some consumers that may need protection from vendor laziness, but the airforce knew about the problems with Microsoft products and chose to use them anyways. I don't think they should be able to sue Microsoft for something they knew was going to be a problem all along.

Re:No Security without Liability

[Lysander+Luddite]

My whole problem with the free-speech protects me from liability argument is the fact that all benefits flow to the programmer/seller and none to the consumer.

Now if you don't charge for a product then I can see how liability wouldn't be an issue. However, if you sell me a product you have engaged in a market contract. I am buying the product assuming it will perform as advertised.

Take the iPod/iTunes fiasco. When i-Pod was released there was an update to iTunes which, in some circumstances, erased the user's hard drive. Since iTunes was a free download the responsibility is on the owner. But if Apple sold that piece of sftware they should be liable because I obviously didn't pay for software that would delete my harddrive upon installation.

Yes, small software developers would be hit the most. That is regrettable. OTOH, I have found software written by smaller companies to have, in general, fewer bugs.

I'm not asking for perfect software, but users should have a reasonable expectation that software they willingly have purchased will not cause losses. If I buy a car I just assume the tires will not blow if I take a corner fast. Likewise, if a software bug is known and nothing done to resolve it in a timely manner, then I should be able to collect damages commiserate with my losses.

There is no easy answer. Saying people should just move to Open Source or do more shopping are not operating within the business realities of contemporary America.

Thank you for the chance for discussion.

Re:No Security without Liability

[Error27]

>>My whole problem with the free-speech protects me from liability argument is the fact that all benefits flow to the programmer/seller and none to the consumer.

I completely agree with you that the free-speech argument can only affect authors and distributors, not vendors. In my mind saying "Vendors should be held responsible" is entirely different than saying "Programmers should be held liable."

You may be entirely correct when you say that vendors should have some level of responsibility. It opens a whole can of worms, but it's something to potentially consider.

Dept of Interior's Network - An Interesting Story

[gdyas]

Not about the Air Force or MS, but related.

The Dep't of the Interior's networks & web sites are now just coming back up, after being shut down for over 2 months by court order due to an almost complete lack of security on the network that allowed virtually anyone with a port sniffer to get into the Indian Trust Database -- a terrible failure of their IT, and a wonderful example of how exposed & poorly run many government networks are. CNN has a short summary.

The interesting story here is that my mom (a Nat'l Park Service employee) was recently given a service award for letting the accounting people go to her house & use her computer at home (which I set up, and is secure, running WinXP behind a Linksys BFSR41 routed switch w/ firewall) to install software to make payments to contractors, do office supply, etc.

Interior deserved what they got & should have had their shit together, but the result was over 2 months of torture for almost every DoI employee. It's fearsome, though, that a firewalled home connection could be more secure than government and military networks. I dunno about the military, but Interior is apparently desperate for decent IT support.

Isn't the AF due a letter from the MS or BSA?

[theinfobox]

This "warning" to Microsoft makes me wonder if the Air Force will soon be recieving a letter from MS's Licensing Dept. about whether they have the "correct" number of Windows and Office licenses.

And on a more serious note... A couple of posts have questioned why the AF uses MS products. When I was in the Air Force we were directed to convert our bases' Novell/cc:mail/Linux servers all over to MS products. The reason we were told was that they wanted a standard set of products used at all AF locations. This way, when you went from base to base, you would already be familiar with the software infrastructure. The reason MS was chosen was because it was easier to train people to learn the basics of Windows compared to the others. At the time, the Air Force was also learning that if they spent 4 years teaching someone to be a Linux/Solaris/etc guru, they would opt for a civilian job when their re-enlistment time came(i.e. they rather double or triple their salary and not have to worry about being sent to Bosnia).

Re:Isn't the AF due a letter from the MS or BSA?

[qurob]

Very good point. But, wouldn't people take MS jobs as a civillian?

Re:Isn't the AF due a letter from the MS or BSA?

[prockcore]

God I'd love to see that.

We open at the gates of some airforce base, somewhere.

The armed guard at the gate stops a car that tried to slip passed the checkpoint without the proper stickers.

"Let me in! I need to see your computers"

"Which computers? and let's see some identification."

"All of your computers."

"I don't see you on our list.. you can turn around right here"

"I'm not on your list, this is a suprise audit"

"We don't do suprises here. What are you looking for on our computers?"

"We're looking for ...uh.. illegal software"

"Step over here please. *picks up radio* Colonel, we have detained a possible threat to national security. He was trying to sneak in and look at our computers... yeah, something about illegal software..."

Anti-virus package?

[Magus311X]

Why doesn't the air force get an anti-virus solution for the server/clients? Block attachment types (obvious ones, .pif, .scr, .com, .bat, .exe, etc), filter for virii, and have it update automagically.

SERVERAL vendors make a product like this (i.e. Trend Micro).

-----

A few reasons

[devphil]

You don't simply up and abandon your entire email structure on a whim. First you threaten the manufacturer to improve or else, and that's what the AF has done.

I work on an AF base, and in my building alone we have about a half-dozen Exchange servers. (One alone can't handle the load.) What do you recommend as the "quick solution" here? What suite of programs are we going to use on all the desktops now that Exchange is gone? Remember that it doesn't just do email; it does tasks and meetings and all that crap.

What "quick solution" do you recommend for thousands of people at a time?

Re:A few reasons

[Chang]

One possible quick solution would be an IMAP server(s) and the Bynari Insight Connector.

I've tried it and it does what they say it does.

Exchange does NOT do tasks and meetings. Outlook does. Two Outlook users on separate ISP pop accounts can schedule meetings and send tasks back and forth. The only thing Exchange adds to the mix is handling free/busy times and Outlook has the capability to publish these to something other than an Exchange server.

Exchange is a proprietary IMAP server with window dressing, and marketed to make PHB's think they can't use Outlook's features without it. Obviously you bought into that.

Re:A few reasons

[wo1verin3]

I can't remember seeing a recent security vulnerability for Lotus Notes.

Lotus Domino Server for you.

Re:A few reasons

[phil+reed]

What "quick solution" do you recommend for thousands of people at a time?

Novell Groupwise.

Re:A few reasons

[Kenneth+Stephen]

The Domino SNMP agent was vulnerable to the recent SNMP problem.

Re:A few reasons

[frank_adrian314159]

What suite of programs are we going to use on all the desktops now that Exchange is gone? Remember that it doesn't just do email; it does tasks and meetings and all that crap.

What "quick solution" do you recommend for thousands of people at a time?

Lotus Domino. Preferably on an IBM iSeries. Consolidate your six Exchange crap-boxes into one Model 820 with six server LPARs. All of the calendaring and better searching than MSX, with NO viruses (as of yet). I can't believe that the military is so stupid as to think that MS is the only groupware supplier out there.

Re:A few reasons

[devphil]

Exchange is a proprietary IMAP server with window dressing, and marketed to make PHB's think they can't use Outlook's features without it. Obviously you bought into that.

Well yeah, because it' true.

Re:My Humble Opinion

[gmack]

That is a complete load of crap. How many apache exploits have we seen in 2 years? How many in IIS? Apache runs 60% of web sites according to netcraft. Yet Apache has had few exploits.

What really blows your theory apart is that in the past there have been smaller companies with worse records.

MS' problem is that they never seem to consider the security implications when they start tossing on new features. Then when something does break they pass the blame. Or cry about getting more attention for being the leader.

I find it rather sad that they clame to have a server that any monkey can set up and run but then when it breaks they blame the monkey.

The problem does *not* end with the discovered exploit either. Exploits happen and they need to deal with them properly.

This means:
Not treating exploits as a PR problem.
Not rolling bug fixes into feature upgrades.
Not having other software accidentally remove fixes.

USAF == MS's bitch?

[Aaron_Pike]

"The military and the government don't really have too much choice at this point except to start to put pressure on Microsoft and others to improve software security," Erbschloe says.

WTF? Erbschloe (try saying that ten times fast) is saying that the United States Air Force is dependent entirely on Microsoft for its IT systems? Couple this with the fear that the USAF infrastructure controls enough stuff that a successful attack could shut down vital systems, and you've basically got the whole Air Force relying on Micros~1.

The USAF is Microsoft's bitch. Go fig.

This makes sense now...

[niola]

From the article:
Gilligan, former Energy Department CIO, has discussed security most often with executives at Microsoft. "They are the biggest supplier to the Air Force, and my attempt has been to encourage them to set an example," he says.

I am guessing if M$ is a major supplier of software to the Air Force, it is probably the same for the other branches of service as well.

Now I see why all of our helicopters and planes have been crashing without being shot down. Brings a whole new meaning to "Fatal Exception"

--Jon

Re:This makes sense now...

[praedor]

Except that the Army has switched to Macs because of security headaches.

Re:This makes sense now...

[GSloop]

Hey, is that what's wrong with the Taliban too?

They "performed an illegal operation"?
Damn - I KNEW there was an exlaination!

Well, if they'd just start operation Remo-M-Softo we'd have those EVIL ones in Redmond under control!

Cheers!

Re:This makes sense now...

[niola]

Except that the Army has switched to Macs because of security headaches.

Seriously? Where did you hear that? I find that interesting.

I have never been much of a Mac fan and as user-friendly their OS was, before OS X it performed like a pig and lacked such common features as preemptive multitasking, etc.

Good for Apple. It would be nice to see them gain some market share. Now only if their hardware was more affordable...

--Jon

Re:This makes sense now...

[Spencerian]

Here's a link to this change, from the makers of the WebStar web server software for Mac OS. This was a couple of years ago.

http://www.webstar.com/army/

This was based on Mac OS 9 technology, which is pretty unhackable. Mac OS X is just another UNIX in the Web world (uses Apache) but WebStar is making a OS X version of its web server that doesn't sound like they're putting a GUI on Apache but using their own code.

Security Upgrade

[suitti]

Upgrades are painful. When the vendor makes big changes, upgrading to another vendor reduces the differences in costs. If the Air Force wants better security, they'll need to upgrade. The cost of upgrading to, say, Linux, may be cheaper than the cost of upgrading to the next MS product. And, the security implications may be well understood by then.

The costs that many are concerned with are new applications checkout and user education.

When a local church was considering upgrading their Windows 3.1 system to 95, 98 or NT, I suggested that it would be just as easy to upgrade to a Mac. The secretary didn't know how to use anything other than WordPerfect, and the new Pastor already knew how to use a Mac. That left teaching the secretary how to boot and shut down the Mac - which you'd have to do with 95, 98 or NT. Naturally, the Air Force would have more work to do.

When the DOJ case came out, at least one comment circulating was that the US should simply stop buying MS products - as that would cost MS more. As I understand it, this is the China solution.

Absolutely

[GedLandsEnd]

The Air Force is displaying what we can only hope is a shifting in the mind-set of M$ customers - not litigants. Hopefully, other big-budget customers of M$ will follow suit.

Since 9/11 and the new attention paid to security, more people are willing to make good on their threat to take their business elsewhere if the security of a product is poor. The excuse of comfort with Win products will no longer be an excuse to let Bill off the hook.

M$ being a marketing firm will respond to market pressures way before they'd give up in court.

Pot Calls Kettle Black - news at 11:00!

[Medievalist]

/.
Given the history of inept system administration in the US Armed Services, I have to laugh.
If M$oft actually delivers a secure system, it will immediately be compromised by some knucklehead who wants to play Everquest without his superior officer finding out.
--Charlie

The Media is getting a clue

[tb3]

I think mainstream media may be finally catching on. This is the first article I've seen were they flat-out state that Love-Bug, Melissa, Sir-Cam, and Nimba are Windows/Outlook viruses, not email viruses or internet viruses.

Accuracy is nice, maybe the general public will soon learn who is really at fault here.

Re:My Humble Opinion

[jlower]

I disagree. No other OS ships with the kind of brain-dead defaults and features that make cracking it this easy.

Organizations vs individuals

[ciole]

Time for organizations to realize the importance of security?

Anything that leads to a more secure product is great, obviously, but it saddens me that the pressure must always come from thegov't and industry, rather than the community of individual consumers. i suppose this is because i see the individual as having more to lose when it comes to lacking awareness of security and cryptography issues. It is with these large organizations, gov't, military and industry, that we're fighting for our right to completely private and secure systems.

Aside from that, i'm with everyone else in this thread. Let them turn to BSD if they care about security.

BOUT FREAKIN TIME for the USAF

[kk5wa]

I work in IT for the AF. *nix any day.

Too bad the app I support is Windows only. :-(

Re: It's not the server, it's the client.

[Steveftoth]

The difference is that Outlook server gives you the ability to create huge expanding without your control mail lists. Thus, one user can send a thousand emails because he has access to those thousand email addresses via the outlook server.

Not necessarily

[joib]

There are more secure alternatives than sendmail. For example qmail and postfix. And sendmail has reportedly improved lately too. Personally I'd take any of them over exchange any day.

Re:My Humble Opinion

[Raven42rac]

Actually Apache runs way more than 60 percent of web sites. Also, software writing is a tad more difficult to do than you would have us believe. In a perfect world every software company would be able to account for every variable from every other piece of software ever written for every platform that may or may not interfere with one of their millions and millions of lines of code, but it just does not work that way my friend.

Tale from the trenches...

[PHAEDRU5]

When I was stationed at Langley I was part of a team that implemented the first version of what's now called CTAPS.

One part of the project was to take an existing application, Combat Airspace Deconfliction System (CADS), written in Modula 3 on a PC and re-implement it in C/GKS on a MicroVAX III running Ultrix.

A couple of months after the re-implementation, my team got a call from an Army guy looking to use CADS. We asked him if he wanted to buy a MicroVAX III and learn how to use UNIX. Answer: No. He got the TEMPEST Z-150/Modula 3 version, as did a lot of other people.

The reason Microsoft has gotten around is that it offered a reasonably simple-to-use product on a reasonably cheap hardware platform. Things may have changed since then, but there is a reason Microsoft is everywhere, and it's not all to do with a lack of military intelligence.

Air force warns MS

I don't know why the Gov't just doesn't teach them a hard lesson and start switching to Linux. I think it's frightening to think the Gov't relies so heavily on a closed OS with a very poor track record on security. Instead of telling MS "Please, make your software more secure" and then wait a few years for that more secure OS when they can have it now and many other benefits by using linux for instance.

Re:Being a Communications/Computer officer in the

[Zeinfeld]

We (actually, the US military) have recently implimented a MS only messaging solution using Exchange and Outlook called DMS. The solution took well over 6 years to develop secure email (snicker), and still doesn't work right. Even though there is freeware that could have been implimented that we would be able to see the source code for - the PHB lemmings of the AF chose, instead, to go with a MS solution.

And what public domain software is there out there that suports S/MIME security labels as mandated by the DoD?

PGP is simply not up to the task of providing a military messaging system. In fact the principle insight that Phil Z. had was that PEM was being designed with the assumption that the rest of the world ran according to the strict hierarchical principles of the military.

What the posters on this whole story don't understand is that they have a radically different approach to security than the Air Force. In the real world you increase security by removing features. In the military you increase security by adding security features.

DMS was designed in the days before 'Commercial Off the Shelf' (COTS) became a US govt buzword. The military do genuinely have a number of requirements that are not shared by the general public, such as the ability to continue functioning after the loss of 80% or more of the infrastructure in a particular locality. But there is no reason why they need their own message formats and there is no reason why DMS can't use COTS to provide at least a core.

Re:Being a Communications/Computer officer in the

[sheldon]

I have a suggestion...

Why don't you take all this negative energy and hate and direct it to something positive. Like, learning how to administer your Windows systems so that they aren't vulnerable to issues.

The company I work for has not had any issues with email born viruses since ILOVEYOU. It took one lesson, we learned from it, we corrected the problems and we moved on. If you don't learn then you are too stupid to be in IT.

Eudora wouldn't help

[devphil]

You forget that Outlook+Exchange is more than an email client. Yes, we could mandate Eudora (or whatever) as an email client. What then do we mandate for a meeting scheduler and a remote task assigner and all the other crap that Outlook+Exchange does?

And then who are you going to get to train people in all these new programs?

Re:My Humble Opinion

[sphealey]

In my humble opinion, the only reason all the security holes are being found in Microsoft's software, is by virtue of the fact that it is, like it or not, running the majority of the world's computers, something like 95%. I am sure that if any other OS was as widely used, more breaches would be found

How long have you been involved with information technology? Do you remember the days when computer systems actually worked according to specification? And when their suppliers could understand and fix things that were broken? To pick a very recent example, were you around when Microsoft marketing and monopoly clout started pushing Netware out of the NOS arena, despite the fact that Microsoft's offering had 20% of the features and 5% of the stability of Netware? Have you ever compared MS Active Directory to Novell eDirectory on a point-by-point basis, including features, managability, and stability?

sPh

Re:Not a matter of warning: Really?

[praedor]

Yeah, keep parroting this...then you should mention that at the same time the vulnerability was announced, a fix was available: download zlib-1.1.4. Sheesh. You NEVER get this responsiveness from M$. Also, the vulnerability wasn't a root exploit, you couldn't trash a system with it, couldn't use it to gain root.

Re:Being a Communications/Computer officer in the

[Monkius]

They could very well have used a non-proprietary core, as the original poster suggested.

I think in hindsight, that would have been a very sensible decision, don't you?

Re:My Humble Opinion

[Liquid(TJ)]

I think that this is partially true. Miscreants probibally spend most of thier time working on exploits for MS based stuff. But I suspect that they did spent more time on open source tools, they wouldn't be able to find as many things in them as in MS programs (just more than they do now).

Re:Being a Communications/Computer officer in the

[ftobin]

Trying to lay the catch-up game with Microsoft products is not a positive thing to do; the positive thing to do would be to get non-Microsoft solutions so that these problems don't occur. Positive solutions fix the problem, not patch the symptoms. Incessant, needless patching and worrying is what builds up the negative energy.

Re:Dept of Interior's Network - An Interesting Sto

[AJWM]

and is secure, running WinXP

Does this strike anyone else as oxymoronic? (Firewall or not.)

Re:Being a Communications/Computer officer in the

[joib]

As a young Lt., I spent 6 months replaceing perfectly functional Solaris boxes that performed our web, smtp, DNS, SQL, and other basic network services with NT 4.0 boxes. A week after we recovered from Service Pack 2 - i strongly recommended that we slow our migration - and that it was costing us more time and money supporting Windows machines than the UNIX boxes which never needed any work or upkeep. Some had uptimes of 4 years until I pulled the plugs on them. (don't beat me - i was the lowest ranking puke in the house - and i did what i was told)

Man.. that work must have sucked majorly... Sounds like the typical case of the suits believing glossy MS brochures instead of their own techs and other people with actual experience. Or in this case, s/suits/guys-with-more-funny-looking-shiny-metal-t hingies-on-their-collars-than-you/g :)

Your Proposed Cure is Worse Than the Disease

[FreeUser]

So basically it is the user's fault they used the software simply because software is free speech? That is a silly argument.

Not really. He's saying that the consumer has a responsibility to make an informed purchase, and that creating liability and a pork barrel for lawyers is not a good solution. He's right.

All of the information to warn a would-be purchaser that Microsoft Exchange Server is probably the worst possible choice one could make for a mail server if security is any concern whatsoever was widely and publicly available. Clearly the person or persons who made the decision to go with Microsoft, when demonstrably more secure (by orders of magnitude) options were available at little or no cost, either grossly neglected their duty and did no research, or were in a sweatheart agreement of some kind with Microsoft's salespeople, or Microsoft itself. That, or they opted for the product when it was still in the vaporware stage, which is even doubly incompetent.

Either way, the person or persons who made this incompetent, and very possibly corrupt, decision should indeed be the ones to pay for it ... with their careers.

Re:My Humble Opinion

[Stonehand]

From a cracker's POV, I doubt they care that much about *all* web sites. If I were on that side of the fence, I'd be focusing on the ones with juicy credit card databases and so forth -- in other words, the big e-commerce sites, like online vendors, transaction processors and so forth. How many of those run Apache? 60%? More? Less?

Evil monkeys!

[Kizzle]

I think our military needs to think about microsoft's army of evil monkeys before they start pushing them around.

Re:My Humble Opinion

[shoelock]

I agree that it's hard to think of every variable when writing software.

While we're on the topic of software problems, I read this article this morning about a flaw that was found in Linux. I guess it not just a Microsoft thing. Here's the URL: http://zdnet.com.com/2100-1104-857031.html

Re:Being a Communications/Computer officer in the

[Elbereth]

You've definitely got a point, but how many times do you have to learn a lesson before you figure out that Microsoft's security really sucks?

Let's say that you get hit with ILOVEYOU and start to filter out attachments. Good job.

Now you get hit with Code Red. You decide to check daily for security fixes at Windows Update. Good job there, too.

Next, you get hit with a nasty virus because one of your employees couldn't live without his favorite screensaver. You install up-to-date virus definitions on all your PCs and check daily for new virus definitions. Also, you lock down all your PCs, so that nobody can install/remove programs without MIS approval. The employees grumble and complain, but it's obviously necessary.

And after that, a disgruntled employee (perhaps the same one that caused the virus outbreak) decides to sabotage a few of the servers after he gets fired. You disable all remote manageability and literally lock the servers away in a secure room. MIS begins to grumble and complain now, too, but it's necessary...

At what point do you finally switch over to something different? When no work can be done, because you're trying to patch the millions of holes Microsoft themself refuses to patch?

UNIX has a whole slew of problems, too, but at least it isn't designed to be insecure.

Re:My Humble Opinion

[gmack]

If 1 variable affects a million lines of code than you have one very badly designed program.

7000 programmers

[Rice-Pudding]

Gates directed 7,000 programmers to spend February scouring the Windows operating system for openings hackers might exploit to steal data or shut down systems.

Wow, 7000 programmers! I bet they figure out how to close the barn door.

What a great day!!!

[FattyBoeBatty]

I get my story put on the front page of slashdot AND it's my birthday! Rock'n'Roll!!!

Happy Birthday to Me
-FattyBoeBatty

Re:Dept of Interior's Network - An Interesting Sto

[Amazing+Quantum+Man]

Dude, remember that the DoD has a rather different idea of "Secure" than the average website (.com OR .gov).

When they say "secure", they're talking Orange Book. They're talking about lives in the balance. "Secure" means, "If you fucked up, somebody died."

Re:Being a Communications/Computer officer in the

[Bios_Hakr]

The military do genuinely have a number of requirements that are not shared by the general public, such as the ability to continue functioning after the loss of 80% or more of the infrastructure in a particular locality.

I hope you were saying that as a joke. I am a systems maintainer in the USAF. Every day, I get a call about one or more "vital" telecom lines that have dropped.

The customers that I service are given a single, anemic line running through an overtasked proxy server connected to an abominal firewall mapped with infuriating rules. I am not talking about a single base either either. It seems that most bases are this way. The backbones are generally good, if you happen to work at a base with a NIPRNET/SIPRNET gateway router. If you work at a smaller base, you will understand the constant plague of IDNX system reroutes and satalites that "just dissappear" for hours.

And how do the customers react when they cannot access afpubs.af.mil? Do they use an alternate system? Is their 80% redundancy there? No, it isn't.

The customer gets screwed and no one cares. NO ONE! Why? Because the motto of DISA is "Hey, what choice do you have?" Meanwhile, me and my co-workers dry out "wet cable", querry call paths, and wait for FedEx to bring in replacement line drivers.

Sorry for the rant, I'm just wondering where the 80% redundancy is. I have been in for a while, and I have never seen it.

DMS sucks ass...

[Seabass55]

I'm not a computer guy...I'm a satellite guy. But I'm forced to use DMS daily and it's been nothing but problems. From my standpoint I blame the first slew of problems on our lame excuses for "IT People". I consider myself very well versed in computers.....but these people suck. So once DMS got to us...we had two months worth of "install problems". I just sit back and laugh at these wanna be IT morons. Now the Air Force decided to merge admit with IT. This is becoming fun! Oh and ofcourse...they don't let me crosstrain into computers.
Oh did I mention teh sparc in the back of my shop's been on for over 4 years monitoring all of my circuits without a hitch!

Re:My Humble Opinion

[gmack]

Yea but look at the turnaround time. Same day day as the advisory and we have bugfixes for the zlib itself and mozilla. Next day for the kernel and most of the static apps on my system.

And nothing was broken by the fix.

Re:Being a Communications/Computer officer in the

[Zeinfeld]

They could very well have used a non-proprietary core, as the original poster suggested.

Exchange is a 'non-proprietary core' (at least in the DMS usage). Exchange 5.5 is an X.400 MTA. The is nothing proprietary about X.400, it is just that Microsoft is the only vendor that still sells that junk.

Exchange 2000 removes the X.400 junk from the core. It is not an OSI MTA that also does Internet, it is an Internet MTA that also does OSI. Don't judge Exchange by the horrors of 5.5, those horrors are mostly intrinsic to the OSI junk it is based on (plus the MAPI horrors).

The problem with DMS is not that they chose prorpietary software, they simply chose the wrong open standard. Even today we have DMS folk comming to the IETF with drafts proposing some form of X.400 interop for S/MIME.

What it comes down to is that the military defined a mail system that was so complex that Microsoft was the only company arround with the resources to provide client support.

I think in hindsight, that would have been a very sensible decision, don't you?

It isn't a matter of hindsight, there are plenty of reasons why DMS and the Federal govt. PKI are problematic. Most of those were known at the start.

Re:My Humble Opinion

[Raven42rac]

Yes, I do remember when my Commodore 64 worked to specification, I also distincly remember it not doing too much of anything compared to the computer systems of today. How long have you been involved in IT, long enough to become sour and bitter against anything new? Is it not impractical to have an OS and NOS seperate? Even *nix OSs have the NOS well integrated. Have you ever had Novell run stable for any length of time? Have you ever had Netware lock up for no reason whatsoever? I know quite a few Novell engineers who will tell you how much of a nightmare it is to use Netware. Lets be fair here, no amount of marketing can sell a crappy product. You are using the old "monopoly" argument that has no merit.

Re:My Humble Opinion

[Raven42rac]

Read my post again, you obviously did not understand. I said that "In a perfect world every software company would be able to account for every variable from every other piece of software ever written for every platform that may or may not interfere with one of their millions and millions of lines of code." Notice I said one line, not millions, please, before you respond, understand the original post completely.

Thousands of Holes In There Too!

[EXTomar]

Do you know how long it will take to fill in each of the holes in those punch cards?

Re:My Humble Opinion

[sphealey]

Yes, I do remember when my Commodore 64 worked to specification, I also distincly remember it not doing too much of anything compared to the computer systems of today.

Um, I was thinking more like a DECSystem-10 (3 years uptime with a typical load of 50 simultaneous users), HP 3000 (50 users, at age 10 we dropped the maintenance contract and it ran for 5 more years with no outages or unscheduled downtime), VAX 780, IBM System/1 => AS/400 (2 years uptime on that one after our sysadmin resigned), that sort of thing.

Have you ever had Novell run stable for any length of time?

1250 user 3.11 network, 3 years with no significant unscheduled outages and no excessive maintenance time; 12500 user 4.x network, 4 years with no unscheduled outages. Some others as well.

Have you ever had Netware lock up for no reason whatsoever?

Yes, of course. I have had my car quit on me unexpectedly too. Once every 5 years or so. Not every 48 hours as with MS-LANMan 1.1.

How long have you been involved in IT, long enough to become sour and bitter against anything new?

Sorry dude: "new" != "better".

sPh

Re:My Humble Opinion

[reflective+recursion]

Are you ignorant of the flaws of bind and sendmail? It really does not take much searching to find flaws in *ix software.

Remember that flaw in many *ix setups that had a CGI which allowed remote access to _any_ command? This was not that long ago either. It was still being exploited in 1997.

MS' problem is that they never seem to consider the security implications when they start tossing on new features.

Oh, come on. Sure, qmail and Apache are designed (nowadays) with security in mind. You are forgetting that *ix has _decades_ of security flaws from piling on features before thinking about those very features.

Comparing Microsoft software to *ix is like apples to oranges. Windows was not designed for use in a networked environment, yet it has adapted. *ix was _always_ networked and multi-user. It has 3 decades of support and is still exploited to this very day. If you really want to talk about Microsoft's security track record, then I would say they are _kicking *ix's ass_. They are admitting they have flaws and are fixing them. Sure beats mouthing off about superior security while looking the other way when real security concerns are given.

The point is moot, though. All software will have bugs and no one can design for future security problems. Many break-ins are caused, not by software flaws, but by social exploitation. How many people do you know tape their password to their monitor?

Why did this happen?

[epepke]

As an officer in the Air Force, perhaps you have some insight.

Back in the 1980's, I was at the Supercomputer Computations Research Institute, a DOE-funded site. Although ours was the designated unclassified site, we dealt with a lot of groups (Oak Ridge, Lawrence Livermore, etc.) who weren't exactly unconcerned with security. The operating systems they used in house very very tight and had to pass fairly stringent security requirements just to be considered. This was one of the reasons that VMS was so popular; DEC had worked very hard on the security.

If you had asked me then whether this would have happened, I would have laughed.

I can see why the business and consumer cultures played the lemming. But the military has a reputation for getting thing that work, even if they cost, and dammit, Mil Spec used to mean something.

So, what happened?

Re:Why did this happen?

[frank_adrian314159]

So, what happened?

COTS initiatives.

Congress, over the last 25 years has gotten tired of paying for specialized military development unless absolutely necessary. You can't go down to your local Office Depot and get a B-2 bomber, but you can get a copy of MS Exchange. If the military DID develop a specialized E-Mail solution, it WOULD have been much more expensive. Unfortunately, they didn't seem to look at the commercial (and free) alternatives very well...

Re:Why did this happen?

[dillon_rinker]

So, what happened?
The end of the cold war. Budget cuts.

The end of the Cold War coincided nicely with the entry of MS into the server market. As the budget cuts of the early 90s began, MS began marketing their server solutions to the military.

Another poster mentions COTS (Commercial Off The Shelf) initiatives as a cause for the MS ascendancy in the military. Granted, but it's only a proximate cause. The COTS initiative was a cost-cutting move.

Remember: Good, fast, cheap: pick any two. You can't have all three.

conspiracy theory

[wbajzek]

Maybe the DoJ is laying off of Microsoft because of the DoD's dependency on them?

The Microsoft Negotiation Team

[Mister_IQ]

Army Protection Racket



The entire sketch is at http://www.montypython.net/scripts/armyprot.php

Did anyone else instantly think of this when they read the item?

Re:Being a Communications/Computer officer in the

[WildBeast]

Okay, so you're a Mac OS 8 and a Solaris user yet you come here and tell us that you're somehow qualified to administer NT servers? And you also expect us to believe that your judgment is not biased?

Btw, how many holes does sendmail have? Have you forgotten about zlib, how about wu-ftpd?

Re:Being a Communications/Computer officer in the

[Martigan80]

And please don't forget that most of the enlisted folk in the AF are the ones using the computers! And how many do you think can use a computer, except for the ones reading this? You have high ranking officials in the brass and stripe sectors that panic when E-mail is down, or when they can't use thier PDA on a "secure" mail server.
The military needs to keep this simple for the workers in it. Try recruiting Linux specialits at $12 /hr, throwing them in a uniform, strict haircuts, and plenty of bogus rules. These specialists will do the same as every highered Computer Specialist-they get trained, even certified for FREE, get four years exper. and leave a crusty Military job @ 15K a year for entry to a $60+K job!
I wish the military would change to Linux BUT so much money has been invested in M$...

that's a good one

[BlueboyX]

"We now hold MS responsable for all mishaps that occur due to problems in their operating system. Every time something bad happens to a soldier on the field, the same thing will happen to a MS executive. Gates is going to love taking the punisment of the guy who just got captured and tortured..."

I wonder if that would speed up their security fixes.

Re:Then why do they stay?=Cost

[MrWinkey]

Because of the cost of switching all of the PC's they have and training the networking and desktop staff. I work for a .gov right now and they wont even consider it because,

A)The cost of retraining all the desktop staff who NEVER learned any OS'es other than MS or hiring more
B)Cost of retraining the networking staff or hiring more staff
C)The ammount of users that would need retraining and or call the help desk 24/7

They have looked into switching but the inital cost is too high for now. If MS keeps up it's current bad pricing & security it may make them switch but I dont imagine anytime soon. My bosses need to have a red flag waved in front of them that flat out proves something before they do it. Untill then it's easier to compalin to the M$ rep than think about switching.

After 9/11

[WildBeast]

Seems to me that after 9/11, the government is blaming plenty of people for the incident yet it should be blaming itself.

Re:Dept of Interior's Network - An Interesting Sto

[RangerBob]

While this is partially true, you also are forgetting that the DOI is composed of several agencies. Not all of these agencies have as poor security as BIA would found to have. So first off, saying it's DOI as a whole is incorrect. Plus, as I'm sure someone will say that the DOI should have kept a better eye on things, this is only partially true. The way a government department is set up is that the upper level (ie, the top level DOI staff) have different concerns than the individual agencies. The individual agencies are themselves responsible for day to day operations while Fed department level staff are more concerned with strategic planning. Thus, with the BIA as an example, a part isn't exactly the whole.

See, the thing to keep in mind is that we the people are responsible for how screwed up things get in the government. Contrary to popular belief, WE are the ones in charge. No amount of cynicism can deny the fact that bad officials get into office because the voters put them there. These same officials then strangle budgets so that there's no one left to take care of anything. Many of these agencies also don't have the money to upgrade things. Ask your mom about how much things have gotten cut over the years. Then ask yourself, especially if you're of voting age, how things can get this bad. WE the people have to take the responsibility for OUR government sometime you know.

Re:My Humble Opinion

[El+Prebso]

Your right. Windows is used on most of the worlds computers. But then you should execpt a higher level of security in Windows. You would think windows would be more secure then Linux, simply because of the larger numbers users. Being the most widly used OS it is your obligation to be the most secure.

Microsoft doesn't seems to feal any obligation to protect the secrets or privacy of their costumers. To bad, they would avoid a lot of criticism if they did. Then again why should I care, I don't use their products.

They have to spend the 6 billion on something

[js3]

The airforce, like any other agency that gets money from the govt has to show how and why it spends money. if they go and get some free software thing their budget will be cut. Now not only do they have to go and find the knowledgable few to operate the free software, but incur additional costs upgrading to a new system all because they want to save a few million dollars (which they won't get to use anyways) by running the free software. Contrary to the slashdot belief, government spending money is a *GOOD* thing. It stimulates the economy and helps us in the software business make ridicelous amounts of cash so we can buy nice american cars which stimlates the auto-industry and helps the economy. it's all about stimulation man

Energy Department & security?!

[Rocko+Bonaparte]

Gilligan, former Energy Department CIO, has discussed security most often with executives at Microsoft. "They are the biggest supplier to the Air Force, and my attempt has been to encourage them to set an example," he says.

Woah woah woah... it is quite obvious he never discussed security while at the Energy Department! And it sure isn't Microsoft's fault a hard drive containing nuclear secrets magically appeared behind a mainframe after everybody started looking for it. Why the sudden change of heart? ;)

consumer choice

[EricEldred]

"The military and the government don't really have too much choice at this point except to start to put pressure on Microsoft and others to improve software security," Erbschloe says.

No, the consumer (the government here) can buy software that is certifiably secure and not pay for any that does not meet security requirements.

The Air Force can buy Sun hardware and software, for example, instead of Microsoft. It can set requirements in contracts that are not slanted toward Microsoft but which demand software that the consumer can fix rather than waiting for a new version.

Yes, if the government won't do this then it has to live with the consequences of caving in to the antitrust suit and plead with Microsoft to be nice to them.

Re:Being a Communications/Computer officer in the

[mckwant]

PRECISELY. I was struck by that phrase that went..

"UNIX boxes that don't need upgrading or maintenance..."

Frankly, I'm fighting this same battle at my company. We've got a multiplatform network, and while the UNIX boxes require LESS maintenance, they'll still go to hell in a handbasket if someone doesn't feed/care for them every so often.

Admittedly, the down side of UNIX isn't as brutal as that of NT (the server stays up), but people seem to miss the fact that the no maintenance *nix box is just as absurd a notion as the no maintenance NT box.

The competition here isn't NT/*nix, but securing boxes, and the skript kiddiez using the cracks probably don't care WHAT they're breaking into, just THAT they're breaking into something.

Its a catch 22

[Srin+Tuar]

If you are smart enough to setup email filers, etc, then you are smart enough not to use microsoft server products.

After all MS does billet its warez as "easy to use", so it puts people in the mindset that they shouldnt have to do anything intelligent.

(I worked at defense contractor where the Air Force's security demands amounted to: "all traffic must go through port 80, because that makes it secure")...

Timediff between exploit and patch

[Jeppe+Salvesen]

Really. Please take a look at the length of the interval between a black hat creates an exploit, and a working patch is available for your platform. How many days a year is your computer exposed?

With the "we don't tell you 'till we got a patch" information policy, you can be exposed for months without knowing it. With the "we tell you, and then we release the patch" information policy, you can react according to your relevant security policy.

Microsoft has a long history of the former. Linux is generally rather quick on releasing comments and patches, and I believe almost all the major Linux distributions have automated security patch services now. I know Mandrake, Debian and Red Hat do.

Until recently, windows update was used for pushing new versions of software. They rarely released security fixes, and then usually clogged together. If you wanted to stay secure in windows-land, you needed to look around for the patches. They appear to be using windows update for pushing security now, but remember that one of the worms of fall 2001 infected a windows update server. Do you trust these guys? Really?

Oh - btw - the fact that they let a mac/solaris guy administer NT boxes could be yet another sign of brassy incompetence. And judgement is always biased. That is what judgement is. If it is purely bases upon facts and clear rules, it is not "judgement" but a fact.

Re:Timediff between exploit and patch

[WildBeast]

"we don't tell you 'till we got a patch"

But isn't that exactly what they did with wu-ftpd?

"Do you trust these guys? Really?"

I've been Virus free since 1995, so yeah I trust them.

Re:Dept of Interior's Network - An Interesting Sto

[gdyas]

Um, that would be the point in having all those open sockets behind a firewall.

80% redundancy?

its in the command structure, of course. How many people do you have telling you how to wait for fedex?

Re:Dept of Interior's Network - An Interesting Sto

[gdyas]

Yes, I'm aware of that. Just thought I'd throw out another problem in another part of the government to show that security issues tend to be systemic across the gov't.

And with the DoI being in charge of federal agencies like the Natl Park Service, the Forest Service, Fish & Wildlands, federal payroll & accounting, farm issues, etc etc etc, it's silly to argue that the preservation of the integrity of our country's internal assets is more or less important than the military's responsibilities. Wildfires, hurricanes, crop failures - lives are in the balance in those situations too, no?

Re:My Humble Opinion

[sphealey]

MS-LANMan 1.1.

Dude, if that's your most recent experience with Microsoft's networking..... wow, man, wow....

First, I should clarify that I do try to be vendor agnostic when selecting vendors and technologies. Let the problem dictate the solution and all that. If I sound bitter about M$, it is simply due to the number of bad experiences I have had with that particular vendor.

As to Lanman 1.1: I have been working with NT 4.0 and now Windows 2000 since 1996. I find NT usable if not the best technology in the world. However, I have seen very little in Microsoft Networking that has changed since 3Com 3+Open / Lanman 1.0/1.1. In fact, my Netware-centric coworkers were amazed when I just jumped in and started configuring NT 4 literally without having seen it before my first logon. "How did I know all that stuff?" they wondered.

Active Directory is a bit of a different story, but not entirely if you have worked with NT domains, which are based on MS Networking, which is based on Lanman, which is based on PCLP...

sPh

Re:Being a Communications/Computer officer in the

[gmcraff]

And on another subject, I'm right in the middle of getting Linux approved for use within the DoD and, by extension, the Air Force.

No, I kid you not. Linux is getting the COE suite ported to it, elements of DISA are gung-ho about bringing it in, and some elements of AF/SC are doing their best to help. The specifics of who is doing what in what time frame are not things that can be discussed here.

And how is this justified? What military program is forging the way for this OS (which is getting so big, commercially speaking, that every high tech company EXCEPT Microsoft and most of the gaming industry has a strategy on how to get in on the action) to be brought into the fold? Who had to put their [appropriate genitals] on the line in a military manner to get this going forward?

The weather men.

I kid you not. And you know what the biggest stumbling block is, besides office-internal politics? AF Communications. Capt. gsfprez (I'm guessing here) is right: Comm sold the Air Force infrastructure to Microsoft, and most of the old clever Sergeants and Airmen and young LTs who knew their UNIX during the dot-com times said, "Good-bye, sir! Patriotism and service warms the heart, but six figures will warm a whole house, and provide the house, too." So now the Comm field is whining "We can't have Linux! We don't have anyone who can administer it! We structured our entire training cycle around Windows! We're lucky to have two Unix-savvy people left in the whole squadron, and they're the overworked Master Sergeants." (Conjecture: I'm not in Comm. But I do get email from them.)

Yep, Linux is coming the the DoD. The smug excuse of "Linux isn't an AF-approved operating system" will soon be susceptable to the rebutal of "Wanna bet?" Soon it will be time for stalwart young LTs and Captains to make Powerpoint presentations to the Majors and Lt Cols of the Comm squadron explaining why they should move vital network services to a Linux box. They're probably going to get slapped down; bureaucratic intertia is like that. But LTs and Captains become Majors and Lt Cols, some day.

Oh, and by the way, the weather system that runs on Linux works so well that profanity is usually used as a magnifying adjective to words like "incredible" and "outstanding". [Any active duty guys who wants some details, email is welcome.]

#include std.disclaimer: None of these statements are made on behalf of the AF. All opinions are my own. My perceptions may not take into account facts that have not been available to me. I may be wrong about any number of things. If you're going to get flustered by something you read on Slashdot, you seriously need to re-examine your priorities.

Re:Dept of Interior's Network - An Interesting Sto

[ftobin]

I dunno about the military, but Interior is apparently desperate for decent IT support.

I don't know about the DoI, but if it's anything like applying for civilian IT positions in the military or the FBI, they're going to need a lot of luck in getting good IT people who aren't just Windows monkeys in there to make a buck.

Before landing the commercial job I spent months trying to get into an FBI or civiliant military position, but the application process is incredibly depressing. Position opening descriptions are incredibly verbose, but contain absolutely no useful information. They all tend to just say things along the lines of "Will work with computer systems to support the required needs." Just take a look at the first Computer Specialist opening I found at the FBI jobs site. Armed Forces position openings the same. Furthermore, the application process itself tends to be burdensome and unclear, requiring lots of documentation up-front, often dead-tree-style; there is seemingly no process of escalating back-and-forth information exchange which the commercial world tends to prefer.

They are definitely trying to improve the application process, but they definitely need to clear up the red tape.

Personally I'd like to work for a social institution like the federal government, even though the pay scale is significantly lower. However, they really need to streamline their application process if they want good people.

Re:Thank you ...

[TheRealSlimShady]

That resulted in ships being towed back into port (twice!) because their NT Domain servers corrupted their database, couldn't reboot,

umm, no. If you do a bt of research, you'll find that it was caused by a divide by zero error in their database app (i.e. sloppy coding). Nice try though.

Ramifications for Free Software

[0w3n]

As much as it satisfies me to see the corps take a battering for loose security and while I'd like to see them do something about it, one thing that concerns me is that the solution could pose a serious problem for Free Software.

I have a feeling that as the consumers demand tighter security control, that will mean independent security testing and certification. That testing will undoubtedly cost the software manufacturers money to pass their products through which will be fine for the corps but a huge problem for Free Software projects.

The result could be a certified, albeit more secure IIS, but an uncertified Apache because the Free Software community didn't have any pockets to fund it.

Toothless Tigger

[kaaona]

I'm sure this is all very impressive looking to the digital masses, but the last time I looked John Gilligan doesn't have a $6B budget he can lord over Microsoft or Cisco. Nor does he have veto authority over any of the Air Force four-stars who do. As Tigger might say, this whole federal CIO thing is stuff and nonsense.

The first rule of government -- and any large organization -- is the Golden Rule: He who has the gold, rules.

Has it ever occured to anyone that it doesn't make much sense to have a CIO if you don't have a CEO, COO, CFO, ... ?? The Air Force is not a corporation. Nor are the State Department or the Bureau of Land Management

Stuff and nonsense.

Re:Thank you ...

[Altus]

ya know.

Ive never tried it but I dont think that a divide by zero error should result in being unable to reboot your system.

I can see taking down an app... I can even imagine taking out the computer, but not so badly that you cant reboot

Re:Being a Communications/Computer officer in the

[sheldon]

"At what point do you finally switch over to something different? "

At what point do you finally realize that switching to something different doesn't solve problems, it just creates new ones?

The answer is still... education... Learn how to admin what you have now, and save yourself a whole lot of hassle!

"UNIX has a whole slew of problems, too, but at least it isn't designed to be insecure."

No moreso than Windows 2000. The point is that if you know what you are doing and set things up properly, you don't have issues.

Our company was not hit by Code Red. We did have issues with Nimda, but only on development machines which were not well managed; production were fine. We have not had any issues with production systems as a result of windows vulnerabilities in 3 years because we have smart Admins.

Christ I have the GIAC Windows Security administration cert and don't know half what my companies admins know. But I would still recommend to those bitching, especially that air force Lt. that he attend the SANS annual and take Track 5.

Re:Being a Communications/Computer officer in the

[sheldon]

So I should dump Unix for SMTP and DNS because of the problems with BIND and sendmail?

Yeah, that's intelligent.

Learn how things work, why things work, and then implement the solutions.

The vast majority of currently known IIS attacks(Code Red, Nimda, and so forth) could have been prevented proactively by implementing the steps in the IIS security checklists from Microsoft, SANS, and so forth. It's not that hard, and all I see in your response is a knee jerk reaction against Microsoft without proper understanding of the issues.

Re:My Humble Opinion

[gmack]

I am well aware of the flaws in bind and sendmail and that is why the former never runs as root on my servers and I almost never use the later.

And if you go back to look at the original post you will see what I was annoyed about was the constant crying about how MS only gets exploited because they are the most popular. That and the fact that they are too busy blaming the administor while selling their system as something any idiot can run.

And as for windows kicking *nix ass I disagree. There are still fewer *nix vulerabilities and I can expect fixes in a much shorter timeframe.

I don't want vendors who try and downplay the damage I want a patch. And I want that patch to fix the hole and only the hole. Not add more features and I *don't* want said patch uninstalled by any applications.

As someone who has to deal with both Linux and Windows on a day to day basis I can tell you that the number of exploits are in fact my smallest complaints with MS. And I don't see them dealing with it, There have been several vulnerabillities reported since that "leaked" memo and still no improvement in their reaction.

I also don't give a damn about internal breakins and social engineering. These days those are a minority of what bothers me. I care about the consant kiddy scanning (5 or 6 times a day lately) Those are the kids I need to outrun. The rest can and is dealt with directly where I work.

Re:My Humble Opinion

[ahde]

You're right. Most of the script kiddies target Microsoft, since most of them, until a couple years ago, didn't know of any other platform. But the real clever hackers target unix and other complex systems. Why don't the smart guys spend their time on MS? Because you don't have to be smart to do it. Even if you were a super hacker, why would go to all the extra effort of being devious when all you really need to do is pick an input and type a bunch of aaaaaaaaaaaa's

Re:Being a Communications/Computer officer in the

[ftobin]

First of all, if you were a smart unix user, you would not be using Sendmail. You talk about 'understanding', but do not understand that you have a nice choice of alternatives that are much more proactively secure than Sendmail, such as Postfix or Qmail. Same goes for Bind (we have djbdns and such). What do you get from Microsoft? Their one product. Big choice there.

I do so fully well how and why things work. That's why I say to choose free unixes. They are not blackboxes. You can easily poke in, and figure out what's wrong. You can fix the problems yourself, even more proactively than your proprietary provider. All this and more you cannot do with proprietary, closed products.

Furthermore, you aren't being proactive by simply applying vendor-supplied patches when they say to; that's reactive. Being proactive means learning how your software security works, especially internally, and performing appropriate actions.

Re:Being a Communications/Computer officer in the

[sheldon]

"First of all, if you were a smart unix user, you would not be using Sendmail. "

Well DUH.

"you aren't being proactive by simply applying vendor-supplied patches when they say to"

Who said anything about vendor-supplied patches?

"Being proactive means learning how your software security works, especially internally, and performing appropriate actions. "

That's what I said.

I'm sorry but your post helps reinforce my point that you don't know what you are talking about.

Costs and balances...

[Brendan+Byrd]

How about the cost of information, if classified documents wind up into Al-Queda hands? This is the military we are talking about, and they are using Windows?! Hell, I'd be suprised that they would even consider Linux and go straight for BSD, just to make sure that it's secure.

So, just now, the USAF wakes up and says "Hey, I think security is a pretty good idea." Huh? Since when has the military branch of the government not been keen on security? (And why does "military intelligence" sound like an oxymoron. I guess this is yet another indictation of how ass-backwards our govt is.)

Redundant support

[ehiris]

Having only one software supplier or only one network equipment supplier is not only bad for the Air Force but for any other organization.

Losing support, update capabilities, ... on a closed source product because of a company failure could be very bad.

Re: It's not the server, it's the client.

[TeraCo]

Yes, because businesses demand that level of integration.

If the business can't afford to get decent exchange admins, then they pretty much deserve what they get.

In our company of 30 odd thousand staff, we have about 10 people dedicated to running our 150 odd servers, and we haven't had an outbreak of any of those 'outlook viruses', mainly because our admins are on the ball, and are willing to come in at 2am to ensure that we have the latest virus patterns and etc.

WAY OT - you're missing the point...

[dillon_rinker]

Contrary to the slashdot belief, government spending money is a *GOOD* thing. It stimulates the economy...
The government can't spend money unless they take it from me. Thus, government spending = taxation.

So to paraphrase you...
"Taxation stimulates the economy."

An economic model that implies that the taking and spending of my money stimulates the economy is fundamentally flawed because it asssumes that I won't spend that money myself.

This is not to say that government spending is always bad; I merely want to point out that your reasoning is flawed. Government spending is GOOD when it allows a democratically selected government to concentrate monies in a needed sector - propping up an industry vital to national security, for example. The problem is when we don't have a democratically selected government...but I digress from my off-topicness.

Re:Dept of Interior's Network - An Interesting Sto

[dillon_rinker]

Wildfires, hurricanes, crop failures - lives are in the balance in those situations too, no?
The point of the military is not preservation of life. I went through basic training with a hillbilly who, when first issued an M-16, gazed at it and reverently stated "This is a gun that was made to kill...people." The military infrastructure is in place to prevent the overthrow of the US government (ie implementation of non-Constitutional rule). No hurricane, forest fire, or regional crop failure can cause this.

This does not alter your point that preservation of human life is essential.

Re:Being a Communications/Computer officer in the

[wankomatic2000]

That's what I said.

Sorry Sheldon, I think the poster is referring to the fact that you simply can't learn how your software security works when all you've got is a big, nasty black box full of holes you can't possibly know about.

Learn how things work, why things work, and then implement the solutions.

Your solution is the right one in either case, but there's a world of difference in understanding how things work, and understanding why things work the way they do.

Joe McCarthy found out when HE fucked with 'em.

[crovira]

The military doesn't take crap from anybody and they have all the guns.

You start selling shoddy goods to your defendors and you may find out what the Romans found out about their Preatorian guards. And find it out in the same way too. St the point of a "glaive."

Re:Being a Communications/Computer officer in the

[wankomatic2000]

The point is that if you know what you are doing and set things up properly, you don't have issues.

The point is that even if you "set things up properly" you wind up with scores of vulnerabilities still clinging on to the most fundamental parts of the system. Patching one set of vulnerabilities to open up another.

The point is, you need to tell us your company wasn't hurt by the many viruses, worms, trojans and plain bad engineering built into the Microsoft system. That in itself says enough.

The point is, you need to make the claim that everything Microsoft is good, you need to restate it over and over again precisely because as a satisfied customer, you are the exception. If there were more who were not harmed by stupid engineering, there wouldn't be the need to tell us all how great your production machines have worked.

Sure, there's a place for a Windows OS computer, but it isn't where mission critical data is, it sure isn't where lives are at stake and it isn't where public dollars get spent.

USAF from the inside (kinda)

[YrWrstNtmr]

As a recent USAF retiree and programmer, I have a coupla comments.
The AF has been using MS stuff since long before Win3.0. Changing all the desktops and Exchange/NT/2000 servers to *nix would be a *tough* row to hoe. The decision to use M$ was made long before *nix was a viable option. And long before the various holes and security concerns were publicised.
As in any huge organization, there are thousands of small, medium, large custom apps that handle a lot of the daily business. I wrote some of em. Obviously, it couldn't be done all at once. Training, rewriting all those apps, etc, etc...It would literally take years.
Going to Linux on the desktop is probably not a viable option. Too much momentum.
Up until a coupla years ago, the AF was Uncle Bills biggest single customer. Still may be. So yes, they can put some pressure on M$.
They use a lot of Oracle, too. Even though Larry says it is unbreakable (ha), 9i has already broken. *No* connected software is truly secure.
Bug fixes? The mil really needs to have a POC to talk to about a particular problem or hole, not just a disconnected group of eyeballs fixing it. Yes, bug and holes in Linux do get fixed, probably faster. But for national defense, I would not want to rely on that. I need to buttonhole a particular office or person, and say "You fix this"
The Army's solution (Apple) is worse. Sole source for hardware AND OS. When/if Apple changes focus, or goes under, or simply stops making desktop PC's, the Army is up the creek. The holes there are yet to be found. But they are there.
M$ stuff can be made as secure as anything else. A lot is in the admin. But no software that needs to talk to some other software is truly secure, so far.

wu-ftpd was a mistake

[Jeppe+Salvesen]

There was a schedule to coordinate releases. That was a mistake. The knowledge of the exploit should have been released as soon as someone became aware of it. If there was no patch, I would turn off the service until there was a patch - or I would look for a more secure alternative, say, a Java version unless I needed really high performance.

Oh. Virus free? And you give Microsoft credit for that?