Slashdot Mirror


Air Force Warns Microsoft/Others to Tighten Security

FattyBoeBatty wrote to us with a story from USA Today about the Air Force and security concerns. The Microsoft point is the primary point of the article, but the AF CIO has also made the point at industry forums, and evidently with Cisco. Specific companies aside, I think it's a good thing that organizations are beginning to realize the exposure they have on security issues - and maybe will actually start to take steps to close them.

115 of 336 comments

  1. real CIO by The+Iconoclast · · Score: 2, Funny

    I guess in the Air Force the CIO is a REAL O. ;-)

    --
    Quando Omni Flunkus Moritati
  2. Then why do they stay? by FortKnox · · Score: 4, Insightful

    Why do they stick with MS if they have security issues?
    Why hasn't anyone asked this question?

    We run Exchange Server, and we get hit by an Exchange Server virus
    Quick solution: Don't use exchange server.

    Why sit and wait for MS to comply?
    It just seems odd to me.

    Note: I'm not saying "Y d0nt j00 B 1337 4nd us3 L1NU><?" I'm just asking why stick with MS.

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
    1. Re:Then why do they stay? by ari{Dal} · · Score: 3, Insightful

      Because the Air Force doesn't want to retrain all their personnel on software they're not familiar with.
      The costs of retraining and reconfiguring all their hardware far outweigh the kick in the ass scare they can put into Bill to fix up what they're already using.
      Just about everyone who has ever come into contact with a computer has experience with Windows. From a user-interface point of view, it's quick, clean, and easy.
      From a security point of view, it's a nightmare.
      Unfortunately, the people who are deciding what to buy and what to install aren't the security-savvy techs.. they're the corporate middle management suits who see the flashy bells and whistles MS offers and bite so fast it'd make your head spin. MS had advertising, marketers, and a well-known product. Security wasn't as big a concern. All that adds up to a major problem today.
      Not only that, but let's face it, back when the USAF were first installing and configuring these services, there weren't many viable options out there. Yes yes, I know .. sendmail, etc. But who was out there pitching sendmail to the AF?

      --
      Moral indignation is jealousy with a halo - H. G. Wells
    2. Re:Then why do they stay? by alen · · Score: 3, Insightful

      It's easier to train users not to open up certain attachments. And with the right software you can block certain attachments altogether. With its faults I still think Exchange is the best corporate messaging/groupware solution. It's fully integrated and you don't have to worry about trying to make a bunch of different products work together to give you the same functionality as Exchange.

    3. Re:Then why do they stay? by regen · · Score: 2

      Another issue is that Microsoft will come in and set up an entire system for you. One stop shopping. Believe it or not, this sells. IBM is basically the same way. When you want a complex system put in place it's often easier to deal with a single large vendor than several smaller but better vendors.

    4. Re:Then why do they stay? by jsse · · Score: 2

      Why do they stick with MS if they have security issues?

      Who is going to get back the BSOD-submarines when the contract with MS is being terminated?

    5. Re:Then why do they stay? by Pii · · Score: 5, Insightful
      I'm not sure you understand the economics of the military...

      It does not cost the Air Force anything to retrain, nor to reconfigure.

      The Air Force (and the military in general) is already paying for the training of every person that enters the service. It would be a trivial matter for them to re-tool the courses in their Computer Sciences School, so that the students learned some other product or technology. (Besides, it's not like they teach an "NT Systems Administrator" course... They teach basics, like "Computer Programming," or "Computer Operations." The real training occurs on the job, after the E-2 or E-3 posts to his first duty station. In the Marine Corps, I entered as a "Cobol Programmer," and my first duty billet was in networking (Banyan Vines, Ethernet and Token Ring environments).)

      Likewise, the cost of reconfiguring all of the systems they've already purchased is also free. They have a labor force that they are already paying (that they have to pay, twice monthly, regardless of what they are tasked with), so why not "upgrade" all of the mail systems. It will not affect their costs at all.

      This is a luxury that most of Microsoft's customers do not have, but is a very real, very possible option for the Armed Forces.

      --
      For those that would die defending it, Freedom
      has a sweet taste that the protected will never know.
    6. Re:Then why do they stay? by Amazing+Quantum+Man · · Score: 2

      The interface to Howitzers ran on Solaris (AFATDS), SCO Openserver (IFSAS), or proprietary systems (Paladin, LTACFIRE).

      --
      Fascism starts when the efficiency of the government becomes more important than the rights of the people.
    7. Re:Then why do they stay? by Zathrus · · Score: 3, Insightful

      Sure they're paying for the training of everyone in the military already. But you seem to think that they have nothing better to do with that time than to train them.

      For every hour that a USAF fighter jock, mechanic, paper-pusher, or whatever is in training, that's one less hour they are available to do their real job. And yeah, some people may have enough slack time that this wouldn't be an issue, but I suspect that it's not true for the organization as a whole. You have to look at things like opportunity costs when you're talking about a change over to an entirely new system.

      Plus you're assuming that the trainers would be military also. I seriously doubt that. Which means you have to hire civilian consultants, which involves a rather long and expensive bureaucratic process just to get bids, not to mention the actual cost of paying them for services rendered.

      And, funny thing, these are exactly the same issues that corporations face. After all, they're already paying people for their time, regardless of what they're tasked with. And they're responsible (ostensibly) for all job-related training. But the costs - in both time and money - are not insignificant for any company of any size.

      As to the original question - what else are they going to use? There's a great huge gaping hole when it comes to productivity software like Exchange/Outlook. Yes, there's Notes. Yes, there's Netscape/Solaris whatever-it's-called-now. And maybe Novell still has a solution (I don't know personally). But none of them match the ease of use, "ease" of administration, and interoperability offered by Exchange/Outlook. They either don't work as well together across various pieces, they cost too much to maintain, or they don't integrate as well into the OS (gee, surprise... anyone? And no... I'm sure being a monopoly had NOTHING to do with that... riiight).

      Yes, the lies about the low cost of administration on Exchange are starting to be revealed now. But only after MS has beaten most of the competition into pulp. Within a release or two Exchange will be considerably better than what it is now. This is how MS operates.

    8. Re:Then why do they stay? by GooberToo · · Score: 2

      The costs of retraining and reconfiguring...

      That's not correct. The cost is the same if they brush their teeth or learn a new system. With the military, it's a fixed cost...for the most part...most military people just do busy work when not at war.

    9. Re:Then why do they stay? by flatrock · · Score: 4, Informative

      Because security is only one of the issues they have to deal with.

      I worked as a contractor in computer support for the Air Force years ago. This was before they used Exchange. They were using DEC Teamlinks where I was at. Teamlinks wasn't very easy to use. The client interface was kludgy and didn't have all the nice integrated features you get with Outlook today. The server, which was a DEC Alpha, crashed a lot. I think the server was simply a very expensive lemon. The DEC staff on site, as well as outside support people, spent a lot of time replacing parts and tweaking software, but couldn't get it to remain stable.

      Exchange and Outlook were a much better choice even with the risk of a virus taking down the system because the system they had was taking itself down on a regular basis.

      Training is also a serious issue. There was a full time person whose job was to train users to use Teamlinks. One thing many people don't realize is that the majority of the people using this software on an Air Force base aren't military. They're civil servants and contractors. Military people follow orders pretty well, and contractors do as they're told, or find themselves without a job. Civil servants are a different story. Contractors come and go, military people get transferred after about 4 years or so, but the civil servants will still be there when the others are gone. If they aren't interested in learning something, they just make a few excuses and put it off until there's a new Deputy Director, or whoever's making the decisions. We had a chief scientist that refused to use the email or calendar software. He had his secretary print all his email and put it in his inbox. She would respond to his email as he directed her to, and handle all the scheduling in the calendar software. She had been around for a very long time, and wasn't very computer friendly herself. Every time she got confused or made a mistake, it was the computer's fault, and whoever got the support call was in for a bad day. One contractor didn't seem to realize that she was always right and got himself banned from her office, which led to his eventual dismissal. These people don't like to learn new things. If it isn't easy to learn, they pretty much have the ability to make everyone's life a living hell, and sooner or later the people making the decisions realize that any solution has to take that into account.

      While email is a security issue in that poor security can result in lost productivity, it shouldn't be an issue of national security. Confidential and secret information should never end up on the email system.

      In my experience with the Air Force, the people making the decisions were not technically incompetent. They also requested and received input from many different highly skilled technical people, and they had a lot of experienced people with backgrounds in Unix, VMS, and NT to draw upon. They were trying to get a product that best met all their needs. Security was obviously a consideration in their decision, but it didn't outweigh their need for a usable system.

      The real issue is that the ease of use that they desire is somewhat in opposition to a high level of security. This means that an alternative to Exchange/Outlook may not provide them with greatly increased security. For them to change and eat the rather high costs of retraining their employees, there needs to be a product that does a considerably better job of meeting their needs, with security only being part of those needs.

    10. Re:Then why do they stay? by elandal · · Score: 4, Insightful
      We run Exchange Server, and we get hit by an Exchange Server virus
      Quick solution: Don't use exchange server.

      A solution allowing internal use of Exchange is also possible.

      Don't expose Exchange servers to the internet. Have internet email come to a secure MTA (no, not sendmail, something more simple and more easily secured). The internet-MTA can then spool email for virusscanning and whatever other mangling needs to be done (remove every attachment with filename ending with .vbs (and a hundred others) and so on). After mangling, forward to internal Exchange servers.

      Easy, doesn't require powerful machines even for a large amount of email (OK, depends on the amount of mangling done), easily replicated to several sites, and likely to be near-zero administration.
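
      The filtering step elandal describes, as an added example (this is not code from the original post, nor from any product named in this thread): a gateway-side MIME filter that walks an inbound message, removes every attachment whose filename ends in a blocked extension, and replaces it with a short text notice before the message is relayed to the internal mail servers. The block list, the sample message and the notice text are assumptions made for the example; virus scanning is a separate step that this code does not perform. The filename check normalises the way Windows does (case-insensitive, trailing dots and spaces ignored, only the last extension counts), so "readme.txt.VBS" and "payload.vbs ." are both caught.

```python
"""Attachment-stripping filter for an inbound mail gateway.

Example code written for this thread, not part of the original post.
Assumed policy: drop any attachment whose final filename extension is in
BLOCKED_EXTENSIONS (a representative list; a real gateway carries far more).
"""
import os
import email
from email import policy
from email.message import EmailMessage, MIMEPart

# Assumed block list: script and executable types a mail client of the
# period would run on a click. Extend to taste.
BLOCKED_EXTENSIONS = frozenset({
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".scr", ".pif",
    ".exe", ".com", ".bat", ".cmd", ".hta", ".shs", ".lnk", ".reg", ".chm",
})

NOTICE = "Attachment {name!r} removed by gateway policy (blocked file type)."


def is_blocked_filename(name, blocked=BLOCKED_EXTENSIONS):
    """True if the *last* extension of the filename is on the block list.

    Windows ignores case and trailing dots/spaces when resolving a file type,
    so normalise the same way before looking at the extension.
    """
    if not name:
        return False
    cleaned = name.strip().rstrip(" .").lower()
    return os.path.splitext(cleaned)[1] in blocked


def _strip_blocked_parts(msg, removed, blocked):
    """Recursively replace blocked attachments inside a (nested) multipart."""
    if not msg.is_multipart():
        return
    parts = msg.get_payload()  # the live list of subparts; edits stick
    for i, part in enumerate(parts):
        if part.is_multipart():  # multipart/* or message/rfc822 wrapper
            _strip_blocked_parts(part, removed, blocked)
            continue
        name = part.get_filename()  # handles RFC 2231 / encoded names
        if is_blocked_filename(name, blocked):
            removed.append(name)
            notice = MIMEPart()
            # inline, not attachment, so the notice is never mistaken for a file
            notice.set_content(NOTICE.format(name=name), disposition="inline")
            parts[i] = notice


def sanitize_message(raw, blocked=BLOCKED_EXTENSIONS):
    """Parse a raw RFC 5322 message and strip blocked attachments.

    Returns (sanitized_bytes, list_of_removed_filenames). The caller relays
    sanitized_bytes to the internal server.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    _strip_blocked_parts(msg, removed, blocked)
    return msg.as_bytes(), removed


def attachment_names(raw):
    """Filenames of every part marked Content-Disposition: attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.is_attachment()]


def build_sample_message():
    """Constructed test input: a body, one blocked and one benign attachment."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "user@exchange.internal.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("Please see the attached files.")
    # Double extension: shows as a .TXT in a client that hides known extensions.
    msg.add_attachment(b"constructed placeholder bytes\r\n",
                       maintype="application", subtype="octet-stream",
                       filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder",
                       maintype="application", subtype="pdf",
                       filename="report.pdf")
    return bytes(msg)


if __name__ == "__main__":
    clean, removed = sanitize_message(build_sample_message())
    print("removed:", removed)
    print("remaining attachments:", attachment_names(clean))
```

      In a real deployment this function sits behind the gateway MTA's content-filter hook and the result is handed back to the MTA for delivery; the block list lives in a config file rather than in code, and the virus scanner runs over the same spooled message before this filter sees it.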
    11. Re:Then why do they stay? by Pii · · Score: 3, Informative
      For every hour that an USAF fighter jock, mechanic, paper-pusher, or whatever is in training, that's one less hour they are available to do their real job. And yeah, some people may have enough slack time that this wouldn't be an issue, but I suspect that it's not true for the organization as a whole. You have to look at things like opportunity costs when you're talking about a change over to an entirely new system.
      We are talking about changing the back end, not necessarily the client side. The only people that need retraining would be the IT folk, not every Pilot, Mechanic, or Clerk.
      Plus you're assuming that the trainers would be military also. I seriously doubt that.
      I have no first hand experience with the Air Force in this regard, but I do have first hand experience with the way the Marine Corps does this. Every single instructor at the Marine Corps' Computer Science School is a Marine. Every non-instructor position that made up the rest of the school was either a Marine, or a Purple person (Civilian employees of the Department of Defense). I would be surprised if the same did not hold true for the other branches of Service. (Not terribly surprised... The Marine Corps does a number of things differently than the other branches...)
      And, funny thing, this is exactly the same issues that corporations face. After all, they're already paying people for their time, regardless of what they're tasked with. And they're responsible (osteniably) for all job-related training. But the costs - in both time and money - are not insignificant for any company of any size.
      And this is what people seem to be misunderstanding about the Military... This is nowhere near the same issue that corporations face. Every decision a corporation makes reflects the bottom line, as corporations exist to turn a profit. The Military is not encumbered by this guiding principle. Sure, they have a budget to work within, but if their requirements change, or the need is great, they get additional funds, and they do what must be done to satisfy requirements that no corporation has to consider.

      The purpose of the military is to win wars, and when they make a decision, lives hang in the balance.

      Few corporations can make that boast, defense contractors being the most likely exceptions.

      If the solution carries a higher price tag, but saves lives, and better enables the military to communicate effectively and securely, putting the ultimate goal (winning wars) within reach, the cost or effort does not matter. For them, bottom line is not the single most important factor in arriving at a solution, and the profit motive is non-existent.

      --
      For those that would die defending it, Freedom
      has a sweet taste that the protected will never know.
    12. Re:Then why do they stay? by Znork · · Score: 2

      Retraining isn't an argument. People learn to navigate websites, people easily learn to use games, and those are the most UI-divergent 'applications' in existence today, far more different than Windows-vs-GNOME/KDE. Not to mention you have to 'retrain' all those people every time you upgrade MS software anyway.

      If they can handle all that, they can *easily* handle doing their basic job with Linux rather than Windows.

      People aren't *quite* as stupid as some UI experts would have us believe (well, most people at least. The helpdesk hoggers are another matter, but they call even if their desktop looks the same as it did yesterday). Most people can easily move from one piece of software to another. They do it every day.

    13. Re:Then why do they stay? by ari{Dal} · · Score: 2

      I wasn't talking about the training of new people coming in... you'll notice in my post I said "REtrain". Anyone who's going to switch software systems to something they've never used before is going to need retraining.. and that's going to be just about everyone from the top down. The initial training isn't the problem, it's the repetition of that week of training or so that's going to cause headaches.

      --
      Moral indignation is jealousy with a halo - H. G. Wells
    14. Re:Then why do they stay? by jtosburn · · Score: 2, Informative

      Quoth Zathrus:
      As to the original question - what else are they going to use? There's a great huge gaping hole when it comes to productivity software like Exchange/Outlook. Yes, there's Notes. Yes, there's Netscape/Solaris whatever-it's-called-now. And maybe Novell still has a solution (I don't know personally). But none of them match the ease of use, "ease" of administration, and interoperability offered by Exchange/Outlook. They either don't work as well together across various pieces, they cost too much to maintain, or they don't integrate as well into the OS (gee, surprise... anyone? And no... I'm sure being a monopoly had NOTHING to do with that... riiight).

      If you aren't familiar with the alternatives, how can you assess their attributes in any remotely meaningful way? I won't try to provide the answers, though I'm evaluating everything I can find to fill this gap at my company, but for the record, the main possibilities that I see, so far are:

      * MS Exchange
      * Lotus Domino / Notes (can use Outlook as client if you wish)
      * Novell Groupwise
      * Samsung SDS Contact, the next version of HP's OpenMail, which no one appears to have seen yet.
      * Sun's iPlanet Calendar Server, maybe can use Outlook as client, but intends web client access
      * Steltor Corporate Time Server, can use Outlook as client
      * Bynari Insight, also can use Outlook as a client (can you tell that this is an (unfortunate) requirement for me?)

      This is taking the definition of groupware rather loosely...providing email is no big deal, so providing calendar / resource scheduling services is the priority for me. Others may be just as interested in the various collaboration tools and archiving stuff found in Notes & Groupwise.

    15. Re:Then why do they stay? by GooberToo · · Score: 2

      Hmmm...the half dozen people I know that are in the service tell a completely different story.

  3. Nice to see... by Pii · · Score: 4, Interesting
    You know, when a customer that has $6B dollars a year to spend on technology says jump, Microsoft had better damn well be asking "How High?"

    I'm kind of disappointed that the Air Force is using Exchange in the first place. I hope that when they realize that Microsoft is not ever going to be able to meet the somewhat unique requirements of the DoD (For them, lives do hang in the balance), that they are willing to take their business elsewhere.

    --
    For those that would die defending it, Freedom
    has a sweet taste that the protected will never know.
    1. Re:Nice to see... by Pii · · Score: 2
      Well actually, as a veteran (see my Bio) with an IT Specialty, I do actually have some insight as to the requirements for Information Technology in the military. Since I left the service, I've supported myself as a consultant in this industry, so yes, I do have a good grasp of why Microsoft is a bad choice.

      Great post though, really. Keep 'em coming.

      --
      For those that would die defending it, Freedom
      has a sweet taste that the protected will never know.
    2. Re:Nice to see... by Martin+S. · · Score: 2

      You know, when a customer that has $6B dollars a year to spend on technology says jump, Microsoft had better damn well be asking "How High?"

      EXCEPT it appears that Microsoft have been giving the Air Force the run around for two years. If they can do that, what hope do morals have ?

    3. Re:Nice to see... by BlueboyX · · Score: 2

      I am afraid I agree. I would think that the DoD would want to use their own version of Linux or an OS totally their own. The military historically has made a lot of their own stuff using their own programming languages. Why would this be different?

      I think that I can answer my question myself though. With spending cutbacks + computers in every military building, they need something that they can easily and cheaply contract new software for. Windows has VB, VC++ etc so that the same app can be written more cheaply than for other OS's (well, whether that is true or not is not as important as the fact that they BELIEVE that it is true). Like many corporations nowadays, they just want to point to a problem, throw some money at someone and say 'fix it' without having to worry about it anymore. This would be as opposed to having teams of their own computer scientists writing programs for and supporting Linux/DoDix/whatever.

      I am thinking that their current use of Windows is a transitional state, but a transition to what is the question.

      --
      "Never, never suspect the dreams within the dreams of dreaming children." ~The Amazon Quartet
  4. canadian air force by Toshito · · Score: 4, Funny

    The Canadian air force is also putting a lot of pressure on punch card manufacturers to force them to close a lot of security holes in their software...

    --
    Try it! Library of Babel
  5. Not a matter of warning by jfonseca · · Score: 2, Informative

    It doesn't matter who warns Microsoft and when. Security isn't something you suddenly do, it is built from architecture to deployment, and Microsoft is nowhere close to engineering any secure products.

    Windows is insecure in its conception, and unfortunately I see very little that can be done to reverse this.

    --
    Broken Hearts are for Assholes. - Frank Zappa
    1. Re:Not a matter of warning by rhizome · · Score: 2, Interesting

      You probably have a different sense of "security" than Microsoft does. The edict from billg was only the first step in Microsoft's embracing and extending the public's perception of computer security. It's not that MS will re-engineer their software to meet security standards derived from decades of experience, because Microsoft has never done anything like that. The closest example to this process would be the focus on Internet Explorer throughout the late '90s, where MS made strides in browser engine design, but at the expense of standards and other browser companies. Microsoft has never played nice in the sandbox (only "concessions", like today's MSKerberos story from the EU), they simply use advertising and PR to redefine "security" as "that which Microsoft provides".

      --
      When I was a kid, we only had one Darth.
    2. Re:Not a matter of warning by jfonseca · · Score: 2, Interesting

      Microsoft's sense of security is not only different from mine, it is different from reality. Like a PhD thesis, these types of things are only proven in practice, and practice shows, time and time again, that their approach to software construction is insecure.

      And still some admire them for releasing timely patches. Well, if I were Microsoft I'd thank the white hats for warning them of a security flaw weeks before the public.

      I agree with you. Their view of security is a marketed approach to security. Just read what Bruce Schneier has to say about Microsoft's "sense".

      Still on the practical side of things, not going into OS wars, just subscribe to bugtraq and do a little statistics on daily microsoft bugs and holes discovered. I find it amazing that anyone out there on mission critical environments, specifically official government and defense agencies, are still using this stuff.

      I apologize if I am offending some Microsoft fans out there but to me Microsoft security, reliability and credibility have ceased to exist long ago.

      --
      Broken Hearts are for Assholes. - Frank Zappa
    3. Re:Not a matter of warning by Pii · · Score: 2
      Ummm... No.

      You have adequately defined what the Internet was designed for, but you have mislabelled it.

      The Internet was not designed to be secure. It was designed to be redundant, or fault tolerant, and the protocols it uses are designed to ensure standards based interoperability.

      I whole-heartedly agree with your sentiments regarding Postel and company, though.

      --
      For those that would die defending it, Freedom
      has a sweet taste that the protected will never know.
    4. Re:Not a matter of warning by Pii · · Score: 2
      I understand how you can include redundant capabilities into a comprehensive view of security, but I don't think that's what the original poster meant when he referred to "security," nor is it what most people would categorize as "security" today.

      Aside from that, your view falls apart for other reasons. If, as you seem to believe, the protocols commonly referred to as TCP/IP were "designed to be secure," or to "provide security," then why was packet-level payload encryption only recently (in the 30 years of TCP/IP) added? How did usernames/passwords transmitted across the network in clear-text become the norm, rather than the exception? Why was source routing ever included?

      The TCP/IP protocol suite is not, nor has it ever been, about security. It has always been about redundancy, fault-tolerance, and interoperability.

      "Security" has until recently been left to the applications themselves. Security has always been an afterthought. If that were not the case, how would the man-in-the-middle attacks, and packet sniffers, ever have posed a security risk?

      Our favorite little DARPA project did indeed begin as a defense project, and was primarily to increase our level of national security, but that end was served by providing the mechanisms to route around failures in the network, not in keeping the network traffic safe from prying eyes.

      --
      For those that would die defending it, Freedom
      has a sweet taste that the protected will never know.
  6. Re:Try as they will.. by jmb-d · · Score: 2, Funny

    you think the Military is going to get any progress??

    Sure -- the military has weapons that go *boom*, as opposed to the government as a whole, which has a Justice Department that just goes bust.

    --
    In walking, just walk. In sitting, just sit. Above all, don't wobble.
    -- Yun-Men
  7. Re:Is this government's role? by Pii · · Score: 5, Interesting
    Political pressure? Hogwash...

    The Air Force is waving its $6 Billion annual budget at Microsoft, and saying to them that if their shoddy, insecure software does not dramatically improve, these dollars will be going to your competitors.

    That's called "Economic Pressure," and in the free market, it's the single greatest motivator ever, and it always will be.

    To put it in democratic terms, the Air Force has issued fair warning that it intends to "vote with its feet."

    --
    For those that would die defending it, Freedom
    has a sweet taste that the protected will never know.
  8. Re: It's not the server, it's the client. by Robber+Baron · · Score: 3, Insightful

    Exchange may have its faults, but I've seen viruses spread with equal rapidity via Sendmail. If you want to blame something, blame Outlook. Or more correctly blame the default settings to which Outlook installs.

    --

    You're using her as bait, Master!

  9. Re:Is this government's role? by sharkey · · Score: 2

    government harrassment of the vendor

    I think you misspelled "government bending over for the vendor".

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  10. Responsibility by ksw2 · · Score: 5, Insightful
    As much as I enjoy seeing Microsoft get negative publicity, maybe the Air Force should evaluate their own security practices... I mean, wasn't the Lovebug an email attachment virus? Couldn't a relevant security policy have changed this? I'm not fluent in Windows holes, but it seems to me if they have a huge problem with Outlook in particular, USAF could mandate Eudora as their official email client rather easily.

    I'm not trying to say M$ is innocent, I just want to point out that no matter how secure the OS is, users need to be educated in computer security, or it's all going to go to shit anyway. My $0.02 (cha-ching)

    1. Re:Responsibility by MillionthMonkey · · Score: 3, Insightful

      As much as I enjoy seeing Microsoft get negative publicity, maybe the Air Force should evaluate their own security practices... I mean, wasn't the Lovebug an email attachment virus? Couldn't a relevant security policy have changed this?

      The Air Force shouldn't be using Outlook. How did the worst possible email client get deployed in the Air Force? It's a platform for launching viruses and worms. (You can also read your email with it.) Users should be able to click on an email attachment- hell, they should be able to view the email in a preview pane- without having to worry that it might propagate a worm. Period. Anyone who thinks otherwise shouldn't be let anywhere near a compiler.

      Using Outlook is inherently risky. Our company has standardized on it for some reason (it comes with Office is why, I guess) and our network admin is resisting whiny requests from management for an Exchange server. Just last week someone using Outlook clicked on an .scr attachment he got from a guy he exchanged business cards with at a conference. Well, as soon as he did that, the .scr went out to every single one of our customers. ("Hey, c'mere, what's an .scr file supposed to do?") Serves us right, I guess.

      If I were a four star general and that happened to me, I'd want to drop a daisy cutter on the Microsoft campus.

    2. Re:Responsibility by WildBeast · · Score: 2

      Look, if I, a junior sysadmin, was able to protect my company from the ILOVEYOU virus (we use Exchange and Outlook btw), I have to wonder how the government fails to protect itself. Maybe the sysadmins in there are ignorant or maybe they just don't have much time on their hands.

    3. Re:Responsibility by flatrock · · Score: 2

      You can make it so Outlook won't run .scr files. I agree that this should be the default case, but this is something you can fix.

      Your company has probably standardized on Outlook because they need a Calendar and a Mail Client, and Outlook is a powerful, integrated tool for these tasks, ..... and it comes with Office. Outlook is very insecure in its default install, but it can be made much better with a little effort. You trade some functionality for the increased security, but that's usually a tradeoff you have to make for increased security.

      You definitely don't like Outlook, but what do you recommend? What do you think is a good replacement for the functionality that Outlook provides, including features such as calendar software and such?

    4. Re:Responsibility by flatrock · · Score: 2

      They like everyone else always have more to do than time to do it, but they deal with a tremendous amount of email volume from all over the world. This means that they often get these viruses before the security alerts go out, and don't get the advanced warning that many small companies get the benefit of.

    5. Re:Responsibility by DunbarTheInept · · Score: 2

      You bandy about the word "prevent" too easily.
      If those updates actually prevented the spread of viruses, there would only need to be one such update. But they keep having to come out with new ones, for some reason - oh yeah, because the previous ones didn't catch everything.

      --

      Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

    6. Re:Responsibility by frank_adrian314159 · · Score: 3, Informative
      You definitely don't like Outlook, but what do you recommend? What do you think is a good replacement for the functionality that Outlook provides, including features such as calendar software and such?

      Lotus Domino. Preferably on an IBM iSeries, but on a PC if you have to. All of the calendaring, none of the viruses...

      --
      That is all.
    7. Re:Responsibility by sheldon · · Score: 2

      If you do not understand the issues, please don't bother to respond.

      The updates I spoke of are only re-released when new versions of the applications come out, for compatibility reasons. Yes, the virus definition files do have weekly updates, but that is all.

      Are you even aware of the Outlook 2000 update and what it does?

    8. Re:Responsibility by zeda · · Score: 2, Insightful

      How do you think Outlook got deployed.

      Some Generals were probably conned by M$ sales reps, as usual. Except when Generals give orders you have to obey.

    9. Re:Responsibility by DunbarTheInept · · Score: 2

      It doesn't matter what the Outlook 2000 update does. ALL software has the following common problem: FIRST the exploit is discovered, THEN LATER it gets patched. Thus to claim that a patch "prevents" the security holes is a claim that cannot possibly be true. There will always be a window of time between discovery and patch during which the system is vulnerable. It cannot be any other way.

      --

      Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

  11. Re:Is this government's role? by BasharTeg · · Score: 5, Interesting
    Let's let free enterprise do its job. Political pressure has no role here. The private sector must remain free and independent so that it can provide the solutions that the marketplace wants.


    This is complete garbage. The government is a customer and a member of the marketplace too. Just as IBM, or DELL, or some other company who does business with Microsoft could put "pressure" on them, so can government agencies, who are customers also. The government harassment, and Air Force's "threatening posture" are no different than two businesses exchanging fire over their differences. THIS is how free enterprise works. You are free to make a crappy product, but the Air Force is free to complain about it, demand that you fix it, slam you publicly about it, and threaten to take action, including switching to another product. You're forgetting the consumer side of "free enterprise."


    Besides, national security is a priority, and they have every right to demand security in the software that's trusted for that use. What happens when NASA buys a crappy booster rocket, and it falls apart? Are they not allowed to put political pressure on the company that produced it, because that would be a bother to free enterprise? Give me a break.

  12. Being a Communications/Computer officer in the AF by gsfprez · · Score: 5, Insightful

    I totally disbelieve this article.

    We are whole heartedly all out sold out to Microsoft.

    We (actually, the US military) have recently implemented a MS only messaging solution using Exchange and Outlook called DMS. The solution took well over 6 years to develop secure email (snicker), and still doesn't work right. Even though there is freeware that could have been implemented that we would be able to see the source code for - the PHB lemmings of the AF chose, instead, to go with a MS solution.

    We also recently moved to a multi-thousand GAL (global Address list) - the microsoft proprietary solution which has opened us up for years to things like Melissa and I LOVE YOU and all of that other crap that used MS features to spread itself like wildfire.

    Every base has MS license agreements for support - and by those agreements - like the rest of the world - are either going to continue paying $.50 a hit for our fix each year, or pay $100 each time we buy another computer.

    As a young Lt., I spent 6 months replacing perfectly functional Solaris boxes that performed our web, smtp, DNS, SQL, and other basic network services with NT 4.0 boxes. A week after we recovered from Service Pack 2 - I strongly recommended that we slow our migration - and that it was costing us more time and money supporting Windows machines than the UNIX boxes which never needed any work or upkeep. Some had uptimes of 4 years until I pulled the plugs on them. (don't beat me - I was the lowest ranking puke in the house - and I did what I was told)

    After the first virus attack - I stood up in a meeting and demanded to know why the room wanted to spend all its time figuring out how to rip out the functionalities of the Windows boxes that made us vulnerable and didn't look at solutions which were inherently not vulnerable - and was flabbergasted. It was like I was in a room full of guys from Boston and had said that the Bruins sucked. They all became instant apologists for MS and their shit software... how it wasn't that hard to fix the problem and that we had virus software, yada yada yada..

    Meanwhile - my home Mac OS 8 server was chugging along just fine, even though I had gotten the viruses from lots of people at work. But it easily could have been a FreeBSD or Linux box too.

    This is a lot of huffing and puffing. It's a farce. It is because there is no one with the nads to make a decision against what everyone knows - that MS 0wn2 J00, stupid Air Force.

    --
    guns kill people like spoons make Rosie O'Donnell fat.
  13. mistaken perceptions.... by rusty0101 · · Score: 5, Insightful

    I was just thinking back on why this might be a problem for the military in general. Having had some experience as an admin in the Army, amongst some other experiences, I feel comfortable with the assertion that from the perspective of a software user, the military is no different than any major corporate entity. While they do have hardware and software that most corporations do not have, the same can be said for GM, Sabre, and Citicorp. Yet for most day to day operational stuff, admins, supply people, and more and more mechanics are using off the shelf software to support their job. Part of this is cost savings. Even at inflated DoD prices, it costs them less to purchase Office than it does to write their own office suite. For situations that do not require hardened computers, it is cheaper to buy off the shelf than to custom order. That doesn't mean that these systems require any less security than corporate systems do, or even that they need more security, though that is arguable. However the implications of a hacked PC that manages where soldiers are going to be stationed, or what parts are in inventory, or what grade screw belongs on that part of the engine, are a bit different for computers in the military than they are for a corporate office. Likewise for whether that order makes it to the server in a timely manner. For a business, it means money. For the Military it also means money, but it can also mean lives, or battles. -Rusty

    --
    You never know...
    1. Re:mistaken perceptions.... by Pfhreakaz0id · · Score: 2

      if the military is anything like the gov. agency I contract for, money is allocated in fiscal year budgets, period. That's better than public companies, which only look a quarter ahead.

    2. Re:mistaken perceptions.... by dillon_rinker · · Score: 2

      It's not just the military or your government agency...it's the whole government. NO monies are allocated on anything more than an annual basis...thus the yearly budget fiasco. It would be VERY difficult to extend this to much more than two years, since the House originates all appropriations bills, and they have 100% turnover every two years (though some of the reps get rehired).

      My sister-in-law worked on a ten year project, and every year was a nail-biter as she waited to find out if the last 4-5-6 years of work had been wasted or not.

  14. Re:It's their own fault by tongue · · Score: 2

    Government organizations more so than anyone else need a scapegoat to point a finger at when something doesn't go right. Free software is starting to make inroads into these types of organizations, but the root of the problem is the level of bureaucracy that has to be dealt with in order to actually DO anything in government. In the name of protecting taxpayer "investment", there is all sorts of documentation, testing, and basic criteria that have to be met, and while Linux and BSD are completely capable of meeting those criteria, they require someone like RedHat to actually do the legwork to get them in the door. Up until very recently nobody has been interested because of the level of nastiness that has to be dealt with; with the advent of the NSA's secure linux, however, this may be apt to change in the near and not-terribly-distant future.

  15. But by wiredog · · Score: 2

    If the Air Force is anything like the Army, it's the sergeants who keep things running.

  16. No Security without Liability by Lysander+Luddite · · Score: 2

    We'll never see (more) secure products until the manufacturers become legally liable for losses due to the software. There's simply no financial incentive to improve security, especially if you're the biggest player.

    My guess is, this letter was an attempt to secure a cheaper license from MS. They're not going to simply switch over to something else.

    1. Re:No Security without Liability by Error27 · · Score: 2
      Liability is a bad idea. It is a right of free speech and free thinking for people to be able to create any type of software and distribute it so long as it isn't malicious. They shouldn't have to have a legal department.

      If you ask me, the Air Force can't complain. Everyone smart enough to watch TV can tell you Microsoft does not make secure products.

      It's stupid to pretend to be shocked by this. If anyone should have to pay for Microsoft's security problems it's the people who bought the software with known security problems... Oh wait, they already do.

    2. Re:No Security without Liability by Lysander+Luddite · · Score: 2

      So basically it is the user's fault they used the software simply because software is free speech? That is a silly argument.

      Under your argument the customer should have been liable for any problems caused from Y2K bugs. Instead what happened was laws were passed that created a financial incentive for IT pros to certify everything was Y2K compliant.

      If you want to write software that absolves you of any kind of product liability then you should not be charging for it. You can then hide your product up in the free speech argument all you want. Name me any other industry where a manufacturer can pawn off ALL (not just gross negligence or improper use of the product) but ALL responsibilities for product defects onto the customer.

    3. Re:No Security without Liability by Error27 · · Score: 3, Insightful
      "If you want to write software that absolves you of any kind of product liability then you should not be charging for it."

      That's a good distinction to make because it allows free speech. It seems like a small thing, but all the software I use at home falls under this category.

      In some ways, it's reasonable for vendors to be held responsible for their products, but the idea is still problematic. Liability hurts small vendors more than large vendors. How do you measure the harm done? How do you assign blame to products that were developed by more than one company? Is every Linux company liable for a problem in the Linux kernel? What about software that costs money but is downloaded from another country? What about free products such as Internet Explorer or Outlook?

      Some common security problems are really user interface problems. For example, most users misconfigure Windows Network Neighborhood. Is Microsoft liable for that?

      In your first post you stated: "My guess is, this letter was an attempt to secure a cheaper license from MS. They're not going to simply switch over to something else."

      I agree with you, and I suspect no new laws are going to change this. There may be some consumers that may need protection from vendor laziness, but the Air Force knew about the problems with Microsoft products and chose to use them anyway. I don't think they should be able to sue Microsoft for something they knew was going to be a problem all along.

    4. Re:No Security without Liability by Lysander+Luddite · · Score: 2

      My whole problem with the free-speech protects me from liability argument is the fact that all benefits flow to the programmer/seller and none to the consumer.

      Now if you don't charge for a product then I can see how liability wouldn't be an issue. However, if you sell me a product you have engaged in a market contract. I am buying the product assuming it will perform as advertised.

      Take the iPod/iTunes fiasco. When the iPod was released there was an update to iTunes which, in some circumstances, erased the user's hard drive. Since iTunes was a free download the responsibility is on the owner. But if Apple sold that piece of software they should be liable because I obviously didn't pay for software that would delete my hard drive upon installation.

      Yes, small software developers would be hit the most. That is regrettable. OTOH, I have found software written by smaller companies to have, in general, fewer bugs.

      I'm not asking for perfect software, but users should have a reasonable expectation that software they willingly have purchased will not cause losses. If I buy a car I just assume the tires will not blow if I take a corner fast. Likewise, if a software bug is known and nothing is done to resolve it in a timely manner, then I should be able to collect damages commensurate with my losses.

      There is no easy answer. Saying people should just move to Open Source or do more shopping is not operating within the business realities of contemporary America.

      Thank you for the chance for discussion.

    5. Re:No Security without Liability by Error27 · · Score: 2
      >>My whole problem with the free-speech protects me from liability argument is the fact that all benefits flow to the programmer/seller and none to the consumer.

      I completely agree with you that the free-speech argument can only affect authors and distributors, not vendors. In my mind saying "Vendors should be held responsible" is entirely different than saying "Programmers should be held liable."

      You may be entirely correct when you say that vendors should have some level of responsibility. It opens a whole can of worms, but it's something to potentially consider.

  17. Dept of Interior's Network - An Interesting Story by gdyas · · Score: 5, Interesting

    Not about the Air Force or MS, but related.

    The Dep't of the Interior's networks & web sites are now just coming back up, after being shut down for over 2 months by court order due to an almost complete lack of security on the network that allowed virtually anyone with a port sniffer to get into the Indian Trust Database -- a terrible failure of their IT, and a wonderful example of how exposed & poorly run many government networks are. CNN has a short summary.

    The interesting story here is that my mom (a Nat'l Park Service employee) was recently given a service award for letting the accounting people go to her house & use her computer at home (which I set up, and is secure, running WinXP behind a Linksys BFSR41 routed switch w/ firewall) to install software to make payments to contractors, do office supply, etc.

    Interior deserved what they got & should have had their shit together, but the result was over 2 months of torture for almost every DoI employee. It's fearsome, though, that a firewalled home connection could be more secure than government and military networks. I dunno about the military, but Interior is apparently desperate for decent IT support.

    --

    The only tool you've got against psychosis is experience.

  18. Re:A step in the right direction... by praedor · · Score: 2

    It might make a dent in M$ if the Air Force follows the Army's lead and switches to Apple. Pretty damn secure is Apple, love Macs or hate 'em.

    --
    In Bushworld, they struggle to keep church and state separate in Iraq as they increasingly merge the two in America.
  19. Isn't the AF due a letter from the MS or BSA? by theinfobox · · Score: 5, Interesting

    This "warning" to Microsoft makes me wonder if the Air Force will soon be receiving a letter from MS's Licensing Dept. about whether they have the "correct" number of Windows and Office licenses.

    And on a more serious note... A couple of posts have questioned why the AF uses MS products. When I was in the Air Force we were directed to convert our bases' Novell/cc:mail/Linux servers all over to MS products. The reason we were told was that they wanted a standard set of products used at all AF locations. This way, when you went from base to base, you would already be familiar with the software infrastructure. The reason MS was chosen was because it was easier to train people to learn the basics of Windows compared to the others. At the time, the Air Force was also learning that if they spent 4 years teaching someone to be a Linux/Solaris/etc guru, they would opt for a civilian job when their re-enlistment time came (i.e. they'd rather double or triple their salary and not have to worry about being sent to Bosnia).

  20. A few reasons by devphil · · Score: 2


    You don't simply up and abandon your entire email structure on a whim. First you threaten the manufacturer to improve or else, and that's what the AF has done.

    I work on an AF base, and in my building alone we have about a half-dozen Exchange servers. (One alone can't handle the load.) What do you recommend as the "quick solution" here? What suite of programs are we going to use on all the desktops now that Exchange is gone? Remember that it doesn't just do email; it does tasks and meetings and all that crap.

    What "quick solution" do you recommend for thousands of people at a time?

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
    1. Re:A few reasons by Chang · · Score: 2

      One possible quick solution would be an IMAP server(s) and the Bynari Insight Connector.

      I've tried it and it does what they say it does.

      Exchange does NOT do tasks and meetings. Outlook does. Two Outlook users on separate ISP pop accounts can schedule meetings and send tasks back and forth. The only thing Exchange adds to the mix is handling free/busy times and Outlook has the capability to publish these to something other than an Exchange server.

      Exchange is a proprietary IMAP server with window dressing, and marketed to make PHB's think they can't use Outlook's features without it. Obviously you bought into that.

    2. Re:A few reasons by frank_adrian314159 · · Score: 2
      What suite of programs are we going to use on all the desktops now that Exchange is gone? Remember that it doesn't just do email; it does tasks and meetings and all that crap.

      What "quick solution" do you recommend for thousands of people at a time?

      Lotus Domino. Preferably on an IBM iSeries. Consolidate your six Exchange crap-boxes into one Model 820 with six server LPARs. All of the calendaring and better searching than MSX, with NO viruses (as of yet). I can't believe that the military is so stupid as to think that MS is the only groupware supplier out there.

      --
      That is all.
    3. Re:A few reasons by devphil · · Score: 2


      Exchange is a proprietary IMAP server with window dressing, and marketed to make PHB's think they can't use Outlook's features without it. Obviously you bought into that.

      Well yeah, because it's true.

      --
      You cannot apply a technological solution to a sociological problem. (Edwards' Law)
  21. Re:My Humble Opinion by gmack · · Score: 5, Interesting

    That is a complete load of crap. How many apache exploits have we seen in 2 years? How many in IIS? Apache runs 60% of web sites according to netcraft. Yet Apache has had few exploits.

    What really blows your theory apart is that in the past there have been smaller companies with worse records.

    MS' problem is that they never seem to consider the security implications when they start tossing on new features. Then when something does break they pass the blame. Or cry about getting more attention for being the leader.

    I find it rather sad that they claim to have a server that any monkey can set up and run but then when it breaks they blame the monkey.

    The problem does *not* end with the discovered exploit either. Exploits happen and they need to deal with them properly.

    This means:
    Not treating exploits as a PR problem.
    Not rolling bug fixes into feature upgrades.
    Not having other software accidentally remove fixes.

  22. This makes sense now... by niola · · Score: 2

    From the article:
    Gilligan, former Energy Department CIO, has discussed security most often with executives at Microsoft. "They are the biggest supplier to the Air Force, and my attempt has been to encourage them to set an example," he says.

    I am guessing if M$ is a major supplier of software to the Air Force, it is probably the same for the other branches of service as well.

    Now I see why all of our helicopters and planes have been crashing without being shot down. Brings a whole new meaning to "Fatal Exception"

    --Jon

    1. Re:This makes sense now... by praedor · · Score: 2

      Except that the Army has switched to Macs because of security headaches.

      --
      In Bushworld, they struggle to keep church and state separate in Iraq as they increasingly merge the two in America.
    2. Re:This makes sense now... by niola · · Score: 2

      Except that the Army has switched to Macs because of security headaches.

      Seriously? Where did you hear that? I find that interesting.

      I have never been much of a Mac fan and as user-friendly as their OS was, before OS X it performed like a pig and lacked such common features as preemptive multitasking, etc.

      Good for Apple. It would be nice to see them gain some market share. Now only if their hardware was more affordable...

      --Jon

    3. Re:This makes sense now... by Spencerian · · Score: 2

      Here's a link to this change, from the makers of the WebStar web server software for Mac OS. This was a couple of years ago.

      http://www.webstar.com/army/

      This was based on Mac OS 9 technology, which is pretty unhackable. Mac OS X is just another UNIX in the Web world (uses Apache) but WebStar is making a OS X version of its web server that doesn't sound like they're putting a GUI on Apache but using their own code.

      --
      Vos teneo officium eram periculosus ut vos recipero is.
  23. Security Upgrade by suitti · · Score: 2, Insightful
    Upgrades are painful. When the vendor makes big changes, upgrading to another vendor reduces the differences in costs. If the Air Force wants better security, they'll need to upgrade. The cost of upgrading to, say, Linux, may be cheaper than the cost of upgrading to the next MS product. And, the security implications may be well understood by then.

    The costs that many are concerned with are new applications checkout and user education.

    When a local church was considering upgrading their Windows 3.1 system to 95, 98 or NT, I suggested that it would be just as easy to upgrade to a Mac. The secretary didn't know how to use anything other than WordPerfect, and the new Pastor already knew how to use a Mac. That left teaching the secretary how to boot and shut down the Mac - which you'd have to do with 95, 98 or NT. Naturally, the Air Force would have more work to do.

    When the DOJ case came out, at least one comment circulating was that the US should simply stop buying MS products - as that would cost MS more. As I understand it, this is the China solution.

    --
    -- Stephen.
  24. Absolutely by GedLandsEnd · · Score: 2
    The Air Force is displaying what we can only hope is a shifting in the mind-set of M$ customers - not litigants. Hopefully, other big-budget customers of M$ will follow suit.

    Since 9/11 and the new attention paid to security, more people are willing to make good on their threat to take their business elsewhere if the security of a product is poor. The excuse of comfort with Win products will no longer be an excuse to let Bill off the hook.

    M$ being a marketing firm will respond to market pressures way before they'd give up in court.

  25. Pot Calls Kettle Black - news at 11:00! by Medievalist · · Score: 2

    /.
    Given the history of inept system administration in the US Armed Services, I have to laugh.
    If M$oft actually delivers a secure system, it will immediately be compromised by some knucklehead who wants to play Everquest without his superior officer finding out.
    --Charlie

  26. The Media is getting a clue by tb3 · · Score: 3, Insightful

    I think mainstream media may be finally catching on. This is the first article I've seen where they flat-out state that Love-Bug, Melissa, SirCam, and Nimda are Windows/Outlook viruses, not email viruses or internet viruses.

    Accuracy is nice, maybe the general public will soon learn who is really at fault here.

    --

    www.lucernesys.com
    Horizon: Calendar-based personal finance

  27. Re: It's not the server, it's the client. by Steveftoth · · Score: 2

    The difference is that Outlook server gives you the ability to create huge mail lists that expand without your control. Thus, one user can send a thousand emails because he has access to those thousand email addresses via the Outlook server.

  28. Not necessarily by joib · · Score: 2

    There are more secure alternatives than sendmail. For example qmail and postfix. And sendmail has reportedly improved lately too. Personally I'd take any of them over exchange any day.

  29. Tale from the trenches... by PHAEDRU5 · · Score: 3, Interesting

    When I was stationed at Langley I was part of a team that implemented the first version of what's now called CTAPS.

    One part of the project was to take an existing application, Combat Airspace Deconfliction System (CADS), written in Modula 3 on a PC and re-implement it in C/GKS on a MicroVAX III running Ultrix.

    A couple of months after the re-implementation, my team got a call from an Army guy looking to use CADS. We asked him if he wanted to buy a MicroVAX III and learn how to use UNIX. Answer: No. He got the TEMPEST Z-150/Modula 3 version, as did a lot of other people.

    The reason Microsoft has gotten around is that it offered a reasonably simple-to-use product on a reasonably cheap hardware platform. Things may have changed since then, but there is a reason Microsoft is everywhere, and it's not all to do with a lack of military intelligence.

    --
    668: Neighbour of the Beast
  30. Re:Being a Communications/Computer officer in the by Zeinfeld · · Score: 2
    We (actually, the US military) have recently implimented a MS only messaging solution using Exchange and Outlook called DMS. The solution took well over 6 years to develop secure email (snicker), and still doesn't work right. Even though there is freeware that could have been implimented that we would be able to see the source code for - the PHB lemmings of the AF chose, instead, to go with a MS solution.

    And what public domain software is there out there that supports S/MIME security labels as mandated by the DoD?

    PGP is simply not up to the task of providing a military messaging system. In fact the principal insight that Phil Z. had was that PEM was being designed with the assumption that the rest of the world ran according to the strict hierarchical principles of the military.

    What the posters on this whole story don't understand is that they have a radically different approach to security than the Air Force. In the real world you increase security by removing features. In the military you increase security by adding security features.

    DMS was designed in the days before 'Commercial Off the Shelf' (COTS) became a US govt buzzword. The military do genuinely have a number of requirements that are not shared by the general public, such as the ability to continue functioning after the loss of 80% or more of the infrastructure in a particular locality. But there is no reason why they need their own message formats and there is no reason why DMS can't use COTS to provide at least a core.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  31. Re:Try as they will.. by BLAMM! · · Score: 2, Interesting

    'Tis true. But the sad fact is that the AF has a terrible time holding onto the technically savvy people needed to make this happen. Once trained, they get out to make 2 or 3 times the money in the civilian world. I know I was one of them.

    Speaking from experience, the typical geek simply isn't cut out for the military life. And to make matters worse, advancing in the military means spending more time being a pointy-haired boss and less time being a geek. That's the way it is.

    I'd love to see linux adopted by the AF, but 1) I've had the suggestion shot down too many times myself to expect it to actually happen and 2) they will have a tough time gathering the experience to do it.

  32. Eudora wouldn't help by devphil · · Score: 2


    You forget that Outlook+Exchange is more than an email client. Yes, we could mandate Eudora (or whatever) as an email client. What then do we mandate for a meeting scheduler and a remote task assigner and all the other crap that Outlook+Exchange does?

    And then who are you going to get to train people in all these new programs?

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
  33. Re:My Humble Opinion by sphealey · · Score: 4, Interesting
    In my humble opinion, the only reason all the security holes are being found in Microsoft's software, is by virtue of the fact that it is, like it or not, running the majority of the world's computers, something like 95%. I am sure that if any other OS was as widely used, more breaches would be found
    How long have you been involved with information technology? Do you remember the days when computer systems actually worked according to specification? And when their suppliers could understand and fix things that were broken? To pick a very recent example, were you around when Microsoft marketing and monopoly clout started pushing Netware out of the NOS arena, despite the fact that Microsoft's offering had 20% of the features and 5% of the stability of Netware? Have you ever compared MS Active Directory to Novell eDirectory on a point-by-point basis, including features, manageability, and stability?

    sPh

  34. Re:Not a matter of warning: Really? by praedor · · Score: 3, Interesting

    Yeah, keep parroting this...then you should mention that at the same time the vulnerability was announced, a fix was available: download zlib-1.1.4. Sheesh. You NEVER get this responsiveness from M$. Also, the vulnerability wasn't a root exploit, you couldn't trash a system with it, couldn't use it to gain root.

    --
    In Bushworld, they struggle to keep church and state separate in Iraq as they increasingly merge the two in America.
  35. Re:Is this government's role? by praedor · · Score: 2

    Huh? The MILITARY has national security interests in this. Of COURSE they have say. They are NOT threatening to attack Redmond with B-52s if security issues aren't better dealt with, they are implying that M$ may lose a major customer if they don't clean up their crap. That is absolutely valid and correct.
    Feel free to remove your aluminum foil hat and catch some sunshine.

    --
    In Bushworld, they struggle to keep church and state separate in Iraq as they increasingly merge the two in America.
  36. Re:Being a Communications/Computer officer in the by ftobin · · Score: 3, Insightful

    Trying to play the catch-up game with Microsoft products is not a positive thing to do; the positive thing to do would be to get non-Microsoft solutions so that these problems don't occur. Positive solutions fix the problem, not patch the symptoms. Incessant, needless patching and worrying is what builds up the negative energy.

  37. Re:Dept of Interior's Network - An Interesting Sto by AJWM · · Score: 2

    and is secure, running WinXP

    Does this strike anyone else as oxymoronic? (Firewall or not.)

    --
    -- Alastair
  38. Re:Being a Communications/Computer officer in the by joib · · Score: 2

    As a young Lt., I spent 6 months replacing perfectly functional Solaris boxes that performed our web, smtp, DNS, SQL, and other basic network services with NT 4.0 boxes. A week after we recovered from Service Pack 2 - I strongly recommended that we slow our migration - and that it was costing us more time and money supporting Windows machines than the UNIX boxes which never needed any work or upkeep. Some had uptimes of 4 years until I pulled the plugs on them. (don't beat me - I was the lowest ranking puke in the house - and I did what I was told)

    Man.. that work must have sucked majorly... Sounds like the typical case of the suits believing glossy MS brochures instead of their own techs and other people with actual experience. Or in this case, s/suits/guys-with-more-funny-looking-shiny-metal-thingies-on-their-collars-than-you/g :)

  39. Your Proposed Cure is Worse Than the Disease by FreeUser · · Score: 2

    So basically it is the user's fault they used the software simply because software is free speech? That is a silly argument.

    Not really. He's saying that the consumer has a responsibility to make an informed purchase, and that creating liability and a pork barrel for lawyers is not a good solution. He's right.

    All of the information to warn a would-be purchaser that Microsoft Exchange Server is probably the worst possible choice one could make for a mail server if security is any concern whatsoever was widely and publicly available. Clearly the person or persons who made the decision to go with Microsoft, when demonstrably more secure (by orders of magnitude) options were available at little or no cost, either grossly neglected their duty and did no research, or were in a sweetheart agreement of some kind with Microsoft's salespeople, or Microsoft itself. That, or they opted for the product when it was still in the vaporware stage, which is even doubly incompetent.

    Either way, the person or persons who made this incompetent, and very possibly corrupt, decision should indeed be the ones to pay for it ... with their careers.

    --
    The Future of Human Evolution: Autonomy
  40. Re:My Humble Opinion by Stonehand · · Score: 2

    From a cracker's POV, I doubt they care that much about *all* web sites. If I were on that side of the fence, I'd be focusing on the ones with juicy credit card databases and so forth -- in other words, the big e-commerce sites, like online vendors, transaction processors and so forth. How many of those run Apache? 60%? More? Less?

    --
    Only the dead have seen the end of war.
  41. Re:Being a Communications/Computer officer in the by Elbereth · · Score: 2

    You've definitely got a point, but how many times do you have to learn a lesson before you figure out that Microsoft's security really sucks?

    Let's say that you get hit with ILOVEYOU and start to filter out attachments. Good job.

    Now you get hit with Code Red. You decide to check daily for security fixes at Windows Update. Good job there, too.

    Next, you get hit with a nasty virus because one of your employees couldn't live without his favorite screensaver. You install up-to-date virus definitions on all your PCs and check daily for new virus definitions. Also, you lock down all your PCs, so that nobody can install/remove programs without MIS approval. The employees grumble and complain, but it's obviously necessary.

    And after that, a disgruntled employee (perhaps the same one that caused the virus outbreak) decides to sabotage a few of the servers after he gets fired. You disable all remote manageability and literally lock the servers away in a secure room. MIS begins to grumble and complain now, too, but it's necessary...

    At what point do you finally switch over to something different? When no work can be done, because you're trying to patch the millions of holes Microsoft themselves refuse to patch?

    UNIX has a whole slew of problems, too, but at least it isn't designed to be insecure.

  42. 7000 programmers by Rice-Pudding · · Score: 2, Funny

    Gates directed 7,000 programmers to spend February scouring the Windows operating system for openings hackers might exploit to steal data or shut down systems.

    Wow, 7000 programmers! I bet they figure out how to close the barn door.

  43. Re:Dept of Interior's Network - An Interesting Sto by Amazing+Quantum+Man · · Score: 5, Interesting

    Dude, remember that the DoD has a rather different idea of "Secure" than the average website (.com OR .gov).

    When they say "secure", they're talking Orange Book. They're talking about lives in the balance. "Secure" means, "If you fucked up, somebody died."

    --
    Fascism starts when the efficiency of the government becomes more important than the rights of the people.
  44. Re:Being a Communications/Computer officer in the by Bios_Hakr · · Score: 3, Insightful

    The military do genuinely have a number of requirements that are not shared by the general public, such as the ability to continue functioning after the loss of 80% or more of the infrastructure in a particular locality.

    I hope you were saying that as a joke. I am a systems maintainer in the USAF. Every day, I get a call about one or more "vital" telecom lines that have dropped.

    The customers that I service are given a single, anemic line running through an overtasked proxy server connected to an abominable firewall mapped with infuriating rules. I am not talking about a single base either. It seems that most bases are this way. The backbones are generally good, if you happen to work at a base with a NIPRNET/SIPRNET gateway router. If you work at a smaller base, you will understand the constant plague of IDNX system reroutes and satellites that "just disappear" for hours.

    And how do the customers react when they cannot access afpubs.af.mil? Do they use an alternate system? Is their 80% redundancy there? No, it isn't.

    The customer gets screwed and no one cares. NO ONE! Why? Because the motto of DISA is "Hey, what choice do you have?" Meanwhile, me and my co-workers dry out "wet cable", query call paths, and wait for FedEx to bring in replacement line drivers.

    Sorry for the rant, I'm just wondering where the 80% redundancy is. I have been in for a while, and I have never seen it.

    --
    I'd rather you do it wrong, than for me to have to do it at all.
  45. Re:Being a Communications/Computer officer in the by Zeinfeld · · Score: 2
    They could very well have used a non-proprietary core, as the original poster suggested.

    Exchange is a 'non-proprietary core' (at least in the DMS usage). Exchange 5.5 is an X.400 MTA. There is nothing proprietary about X.400, it is just that Microsoft is the only vendor that still sells that junk.

    Exchange 2000 removes the X.400 junk from the core. It is not an OSI MTA that also does Internet, it is an Internet MTA that also does OSI. Don't judge Exchange by the horrors of 5.5, those horrors are mostly intrinsic to the OSI junk it is based on (plus the MAPI horrors).

    The problem with DMS is not that they chose proprietary software, they simply chose the wrong open standard. Even today we have DMS folk coming to the IETF with drafts proposing some form of X.400 interop for S/MIME.

    What it comes down to is that the military defined a mail system that was so complex that Microsoft was the only company around with the resources to provide client support.

    I think in hindsight, that would have been a very sensible decision, don't you?

    It isn't a matter of hindsight, there are plenty of reasons why DMS and the Federal govt. PKI are problematic. Most of those were known at the start.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  46. Thousands of Holes In There Too! by EXTomar · · Score: 2

    Do you know how long it will take to fill in each of the holes in those punch cards?

  47. Re:My Humble Opinion by sphealey · · Score: 3, Informative
    Yes, I do remember when my Commodore 64 worked to specification, I also distinctly remember it not doing too much of anything compared to the computer systems of today.
    Um, I was thinking more like a DECSystem-10 (3 years uptime with a typical load of 50 simultaneous users), HP 3000 (50 users, at age 10 we dropped the maintenance contract and it ran for 5 more years with no outages or unscheduled downtime), VAX 780, IBM System/1 => AS/400 (2 years uptime on that one after our sysadmin resigned), that sort of thing.
    Have you ever had Novell run stable for any length of time?
    1250 user 3.11 network, 3 years with no significant unscheduled outages and no excessive maintenance time; 12500 user 4.x network, 4 years with no unscheduled outages. Some others as well.
    Have you ever had Netware lock up for no reason whatsoever?
    Yes, of course. I have had my car quit on me unexpectedly too. Once every 5 years or so. Not every 48 hours as with MS-LANMan 1.1.
    How long have you been involved in IT, long enough to become sour and bitter against anything new?
    Sorry dude: "new" != "better".

    sPh

  48. Why did this happen? by epepke · · Score: 2

    As an officer in the Air Force, perhaps you have some insight.

    Back in the 1980's, I was at the Supercomputer Computations Research Institute, a DOE-funded site. Although ours was the designated unclassified site, we dealt with a lot of groups (Oak Ridge, Lawrence Livermore, etc.) who weren't exactly unconcerned with security. The operating systems they used in house were very tight and had to pass fairly stringent security requirements just to be considered. This was one of the reasons that VMS was so popular; DEC had worked very hard on the security.

    If you had asked me then whether this would have happened, I would have laughed.

    I can see why the business and consumer cultures played the lemming. But the military has a reputation for getting things that work, even if they cost, and dammit, Mil Spec used to mean something.

    So, what happened?

    1. Re:Why did this happen? by frank_adrian314159 · · Score: 2
      So, what happened?

      COTS initiatives.

      Congress, over the last 25 years has gotten tired of paying for specialized military development unless absolutely necessary. You can't go down to your local Office Depot and get a B-2 bomber, but you can get a copy of MS Exchange. If the military DID develop a specialized E-Mail solution, it WOULD have been much more expensive. Unfortunately, they didn't seem to look at the commercial (and free) alternatives very well...

      --
      That is all.
    2. Re:Why did this happen? by dillon_rinker · · Score: 2

      So, what happened?
      The end of the cold war. Budget cuts.

      The end of the Cold War coincided nicely with the entry of MS into the server market. As the budget cuts of the early 90s began, MS began marketing their server solutions to the military.

      Another poster mentions COTS (Commercial Off The Shelf) initiatives as a cause for the MS ascendancy in the military. Granted, but it's only a proximate cause. The COTS initiative was a cost-cutting move.

      Remember: Good, fast, cheap: pick any two. You can't have all three.

  49. Re:I Love (Bug) the Air Force! by Amazing+Quantum+Man · · Score: 2

    Hence the Army's move 2 years ago [appleturns.com] to a more secure system. Who's the jarhead now?

    Uh, the Marines? No offense intended to any leathernecks out there. But when I dealt with the Army and the USMC, the Marines were the jarheads.

    --
    Fascism starts when the efficiency of the government becomes more important than the rights of the people.
  50. that's a good one by BlueboyX · · Score: 2

    "We now hold MS responsible for all mishaps that occur due to problems in their operating system. Every time something bad happens to a soldier on the field, the same thing will happen to a MS executive. Gates is going to love taking the punishment of the guy who just got captured and tortured..."

    I wonder if that would speed up their security fixes.

    --
    "Never, never suspect the dreams within the dreams of dreaming children." ~The Amazon Quartet
  51. consumer choice by EricEldred · · Score: 3, Insightful

    "The military and the government don't really have too much choice at this point except to start to put pressure on Microsoft and others to improve software security," Erbschloe says.

    No, the consumer (the government here) can buy software that is certifiably secure and not pay for any that does not meet security requirements.

    The Air Force can buy Sun hardware and software, for example, instead of Microsoft. It can set requirements in contracts that are not slanted toward Microsoft but which demand software that the consumer can fix rather than waiting for a new version.

    Yes, if the government won't do this then it has to live with the consequences of caving in to the antitrust suit and plead with Microsoft to be nice to them.

  52. Re:Being a Communications/Computer officer in the by mckwant · · Score: 2

    PRECISELY. I was struck by that phrase that went..

    "UNIX boxes that don't need upgrading or maintenance..."

    Frankly, I'm fighting this same battle at my company. We've got a multiplatform network, and while the UNIX boxes require LESS maintenance, they'll still go to hell in a handbasket if someone doesn't feed/care for them every so often.

    Admittedly, the down side of UNIX isn't as brutal as that of NT (the server stays up), but people seem to miss the fact that the no maintenance *nix box is just as absurd a notion as the no maintenance NT box.

    The competition here isn't NT/*nix, but securing boxes, and the skript kiddiez using the cracks probably don't care WHAT they're breaking into, just THAT they're breaking into something.

    --
    ceci n'est pas un sig.
  53. Its a catch 22 by Srin+Tuar · · Score: 2

    If you are smart enough to set up email filters, etc, then you are smart enough not to use microsoft server products.

    After all MS does billet its warez as "easy to use", so it puts people in the mindset that they shouldn't have to do anything intelligent.

    (I worked at a defense contractor where the Air Force's security demands amounted to: "all traffic must go through port 80, because that makes it secure")...

  54. Timediff between exploit and patch by Jeppe+Salvesen · · Score: 2

    Really. Please take a look at the length of the interval between a black hat creates an exploit, and a working patch is available for your platform. How many days a year is your computer exposed?

    With the "we don't tell you 'till we got a patch" information policy, you can be exposed for months without knowing it. With the "we tell you, and then we release the patch" information policy, you can react according to your relevant security policy.

    Microsoft has a long history of the former. Linux is generally rather quick on releasing comments and patches, and I believe almost all the major Linux distributions have automated security patch services now. I know Mandrake, Debian and Red Hat do.

    Until recently, windows update was used for pushing new versions of software. They rarely released security fixes, and then usually clogged together. If you wanted to stay secure in windows-land, you needed to look around for the patches. They appear to be using windows update for pushing security now, but remember that one of the worms of fall 2001 infected a windows update server. Do you trust these guys? Really?

    Oh - btw - the fact that they let a mac/solaris guy administer NT boxes could be yet another sign of brassy incompetence. And judgement is always biased. That is what judgement is. If it is purely based upon facts and clear rules, it is not "judgement" but a fact.

    --
    Stop the brainwash

    1. Re:Timediff between exploit and patch by WildBeast · · Score: 2

      "we don't tell you 'till we got a patch"

      But isn't that exactly what they did with wu-ftpd?

      "Do you trust these guys? Really?"

      I've been Virus free since 1995, so yeah I trust them.

  55. Re:Dept of Interior's Network - An Interesting Sto by gdyas · · Score: 2

    Um, that would be the point in having all those open sockets behind a firewall.

    --
    The only tool you've got against psychosis is experience.

  56. Re:Dept of Interior's Network - An Interesting Sto by gdyas · · Score: 2

    Yes, I'm aware of that. Just thought I'd throw out another problem in another part of the government to show that security issues tend to be systemic across the gov't.

    And with the DoI being in charge of federal agencies like the Natl Park Service, the Forest Service, Fish & Wildlands, federal payroll & accounting, farm issues, etc etc etc, it's silly to argue that the preservation of the integrity of our country's internal assets is more or less important than the military's responsibilities. Wildfires, hurricanes, crop failures - lives are in the balance in those situations too, no?

    --
    The only tool you've got against psychosis is experience.

  57. Re:My Humble Opinion by sphealey · · Score: 2
    MS-LANMan 1.1.
    Dude, if that's your most recent experience with Microsoft's networking..... wow, man, wow....
    First, I should clarify that I do try to be vendor agnostic when selecting vendors and technologies. Let the problem dictate the solution and all that. If I sound bitter about M$, it is simply due to the number of bad experiences I have had with that particular vendor.

    As to Lanman 1.1: I have been working with NT 4.0 and now Windows 2000 since 1996. I find NT usable if not the best technology in the world. However, I have seen very little in Microsoft Networking that has changed since 3Com 3+Open / Lanman 1.0/1.1. In fact, my Netware-centric coworkers were amazed when I just jumped in and started configuring NT 4 literally without having seen it before my first logon. "How did I know all that stuff?" they wondered.

    Active Directory is a bit of a different story, but not entirely if you have worked with NT domains, which are based on MS Networking, which is based on Lanman, which is based on PCLP...

    sPh

  58. Re:Being a Communications/Computer officer in the by gmcraff · · Score: 2, Informative

    And on another subject, I'm right in the middle of getting Linux approved for use within the DoD and, by extension, the Air Force.

    No, I kid you not. Linux is getting the COE suite ported to it, elements of DISA are gung-ho about bringing it in, and some elements of AF/SC are doing their best to help. The specifics of who is doing what in what time frame are not things that can be discussed here.

    And how is this justified? What military program is forging the way for this OS (which is getting so big, commercially speaking, that every high tech company EXCEPT Microsoft and most of the gaming industry has a strategy on how to get in on the action) to be brought into the fold? Who had to put their [appropriate genitals] on the line in a military manner to get this going forward?

    The weather men.

    I kid you not. And you know what the biggest stumbling block is, besides office-internal politics? AF Communications. Capt. gsfprez (I'm guessing here) is right: Comm sold the Air Force infrastructure to Microsoft, and most of the old clever Sergeants and Airmen and young LTs who knew their UNIX during the dot-com times said, "Good-bye, sir! Patriotism and service warms the heart, but six figures will warm a whole house, and provide the house, too." So now the Comm field is whining "We can't have Linux! We don't have anyone who can administer it! We structured our entire training cycle around Windows! We're lucky to have two Unix-savvy people left in the whole squadron, and they're the overworked Master Sergeants." (Conjecture: I'm not in Comm. But I do get email from them.)

    Yep, Linux is coming to the DoD. The smug excuse of "Linux isn't an AF-approved operating system" will soon be susceptible to the rebuttal of "Wanna bet?" Soon it will be time for stalwart young LTs and Captains to make Powerpoint presentations to the Majors and Lt Cols of the Comm squadron explaining why they should move vital network services to a Linux box. They're probably going to get slapped down; bureaucratic inertia is like that. But LTs and Captains become Majors and Lt Cols, some day.

    Oh, and by the way, the weather system that runs on Linux works so well that profanity is usually used as a magnifying adjective to words like "incredible" and "outstanding". [Any active duty guys who wants some details, email is welcome.]

    #include std.disclaimer: None of these statements are made on behalf of the AF. All opinions are my own. My perceptions may not take into account facts that have not been available to me. I may be wrong about any number of things. If you're going to get flustered by something you read on Slashdot, you seriously need to re-examine your priorities.

  59. Re:Dept of Interior's Network - An Interesting Sto by ftobin · · Score: 2

    I dunno about the military, but Interior is apparently desperate for decent IT support.

    I don't know about the DoI, but if it's anything like applying for civilian IT positions in the military or the FBI, they're going to need a lot of luck in getting good IT people who aren't just Windows monkeys in there to make a buck.

    Before landing the commercial job I spent months trying to get into an FBI or civilian military position, but the application process is incredibly depressing. Position opening descriptions are incredibly verbose, but contain absolutely no useful information. They all tend to just say things along the lines of "Will work with computer systems to support the required needs." Just take a look at the first Computer Specialist opening I found at the FBI jobs site. Armed Forces position openings are the same. Furthermore, the application process itself tends to be burdensome and unclear, requiring lots of documentation up-front, often dead-tree-style; there is seemingly no process of escalating back-and-forth information exchange which the commercial world tends to prefer.

    They are definitely trying to improve the application process, but they definitely need to clear up the red tape.

    Personally I'd like to work for a social institution like the federal government, even though the pay scale is significantly lower. However, they really need to streamline their application process if they want good people.

  60. Re:Being a Communications/Computer officer in the by sheldon · · Score: 2

    "At what point do you finally switch over to something different? "

    At what point do you finally realize that switching to something different doesn't solve problems, it just creates new ones?

    The answer is still... education... Learn how to admin what you have now, and save yourself a whole lot of hassle!

    "UNIX has a whole slew of problems, too, but at least it isn't designed to be insecure."

    No more so than Windows 2000. The point is that if you know what you are doing and set things up properly, you don't have issues.

    Our company was not hit by Code Red. We did have issues with Nimda, but only on development machines which were not well managed; production were fine. We have not had any issues with production systems as a result of windows vulnerabilities in 3 years because we have smart Admins.

    Christ, I have the GIAC Windows Security administration cert and don't know half what my company's admins know. But I would still recommend to those bitching, especially that air force Lt., that he attend the SANS annual and take Track 5.

  61. Re:Being a Communications/Computer officer in the by sheldon · · Score: 2

    So I should dump Unix for SMTP and DNS because of the problems with BIND and sendmail?

    Yeah, that's intelligent.

    Learn how things work, why things work, and then implement the solutions.

    The vast majority of currently known IIS attacks (Code Red, Nimda, and so forth) could have been prevented proactively by implementing the steps in the IIS security checklists from Microsoft, SANS, and so forth. It's not that hard, and all I see in your response is a knee jerk reaction against Microsoft without proper understanding of the issues.

  62. Re:My Humble Opinion by ahde · · Score: 2

    You're right. Most of the script kiddies target Microsoft, since most of them, until a couple years ago, didn't know of any other platform. But the real clever hackers target unix and other complex systems. Why don't the smart guys spend their time on MS? Because you don't have to be smart to do it. Even if you were a super hacker, why would you go to all the extra effort of being devious when all you really need to do is pick an input and type a bunch of aaaaaaaaaaaa's?

  63. Re:Being a Communications/Computer officer in the by ftobin · · Score: 3, Interesting

    First of all, if you were a smart unix user, you would not be using Sendmail. You talk about 'understanding', but do not understand that you have a nice choice of alternatives that are much more proactively secure than Sendmail, such as Postfix or Qmail. Same goes for Bind (we have djbdns and such). What do you get from Microsoft? Their one product. Big choice there.

    I do know full well how and why things work. That's why I say to choose free unixes. They are not blackboxes. You can easily poke in, and figure out what's wrong. You can fix the problems yourself, even more proactively than your proprietary provider. All this and more you cannot do with proprietary, closed products.

    Furthermore, you aren't being proactive by simply applying vendor-supplied patches when they say to; that's reactive. Being proactive means learning how your software security works, especially internally, and performing appropriate actions.

  64. Re:Being a Communications/Computer officer in the by sheldon · · Score: 2

    "First of all, if you were a smart unix user, you would not be using Sendmail. "

    Well DUH.

    "you aren't being proactive by simply applying vendor-supplied patches when they say to"

    Who said anything about vendor-supplied patches?

    "Being proactive means learning how your software security works, especially internally, and performing appropriate actions. "

    That's what I said.

    I'm sorry but your post helps reinforce my point that you don't know what you are talking about.

  65. Costs and balances... by Brendan+Byrd · · Score: 2

    How about the cost of information, if classified documents wind up in Al-Queda hands? This is the military we are talking about, and they are using Windows?! Hell, I'd be surprised that they would even consider Linux and not go straight for BSD, just to make sure that it's secure.

    So, just now, the USAF wakes up and says "Hey, I think security is a pretty good idea." Huh? Since when has the military branch of the government not been keen on security? (And why does "military intelligence" sound like an oxymoron? I guess this is yet another indication of how ass-backwards our govt is.)

  66. WAY OT - you're missing the point... by dillon_rinker · · Score: 2

    Contrary to the slashdot belief, government spending money is a *GOOD* thing. It stimulates the economy...
    The government can't spend money unless they take it from me. Thus, government spending = taxation.

    So to paraphrase you...
    "Taxation stimulates the economy."

    An economic model that implies that the taking and spending of my money stimulates the economy is fundamentally flawed because it assumes that I won't spend that money myself.

    This is not to say that government spending is always bad; I merely want to point out that your reasoning is flawed. Government spending is GOOD when it allows a democratically selected government to concentrate monies in a needed sector - propping up an industry vital to national security, for example. The problem is when we don't have a democratically selected government...but I digress from my off-topicness.

  67. Re:Dept of Interior's Network - An Interesting Sto by dillon_rinker · · Score: 2

    Wildfires, hurricanes, crop failures - lives are in the balance in those situations too, no?
    The point of the military is not preservation of life. I went through basic training with a hillbilly who, when first issued an M-16, gazed at it and reverently stated "This is a gun that was made to kill...people." The military infrastructure is in place to prevent the overthrow of the US government (ie implementation of non-Constitutional rule). No hurricane, forest fire, or regional crop failure can cause this.

    This does not alter your point that preservation of human life is essential.

  68. Joe McCarthy found out when HE fucked with 'em. by crovira · · Score: 2

    The military doesn't take crap from anybody and they have all the guns.

    You start selling shoddy goods to your defenders and you may find out what the Romans found out about their Praetorian guards. And find it out in the same way too. At the point of a "glaive."

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.