Slashdot Mirror
Air Force Warns Microsoft/Others to Tighten Security
FattyBoeBatty wrote to us with a story
from USA Today about the the Air Force and security concerns. The Microsoft point is the primary point of the article, but the AF CIO has also made the point at industry forums, and evidently with Cisco. Specific companies aside, I think it's a good thing that organizations are beignning to realize the exposure they have on security issues - and maybe will actually start to take steps to close them.
Why do they stick with MS if they have security issues?
Why hasn't anyone asked this question?
We run Exchange Server, and we get hit by an Exchange Server virii
Quick solution: Don't use exchange server.
Why sit and wait for MS to comply?
It just seems odd to me.
Note: I'm not saying "Y d0nt j00 B 1337 4nd us3 L1NU><?" I'm just asking why stick with MS.
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
I'm kind of disappointed that the Air Force is using Exchange in the first place. I hope that when they realize that Microsoft is not ever going to be able to meet the somewhat unique requirements of the DoD (For them, lives do hang in the balance), that they are willing to take their business elsewhere.
For those that would die defending it, Freedom
has a sweet taste that the protected will never know.
The canadian air force is also putting a lot of pressure on punch card manufacturers to force them to close a lot a security holes in their software...
Try it! Library of Babel
The Air Force is waving it's $6 Billion annual budget at Microsoft, and saying to them that if their shoddy, unsecure software does not dramatically improve, these dollars will be going to your competitors.
That's called "Economic Pressure," and in the free market, it's the single greatest motivator ever, and it always will be.
To put it in democratic terms, the Air Force has issued fair warning that it intends to "vote with it's feet."
For those that would die defending it, Freedom
has a sweet taste that the protected will never know.
Exchange may have it's faults, but I've seen virii spread with equal rapidity via Sendmail. If you want to blame something, blame Outlook. Or more correctly blame the default settings to which Outlook installs.
You're using her as bait, Master!
I'm not trying to say M$ is inoccent, I just want to point out that no matter how secure the OS is, users need to be educated in computer security, or it's all going to go to shit anwyay. My $0.02 (cha-ching)
This is complete garbage. The government is a customer and a member of the marketplace too. Just as IBM, or DELL, or some other company who does business with Microsoft could put "pressure" on them, so can government agencies, who are customers also. The government harrassment, and Air Force's "threatening posture" are no different than two businesses exchanging fire over their differences. THIS is how free enterprise works. You are free to make a crappy product, but the Air Force is free to complain about it, demand that you fix it, slam you publicly about it, and threaten to take action, including switching to another product. You're forgetting the consumer side of "free enterprise."
Besides, national security is a priority, and they have every right to demand security in the software that's trusted for that use. What happens when NASA buys a crappy booster rocket, and it falls apart? Are they not allowed to put political pressure on the company that produced it, because that would be a bother to free enterpise? Give me a break.
I totaly disbelieve this article.
We are whole heartedly all out sold out to Microsoft.
We (actually, the US military) have recently implimented a MS only messaging solution using Exchange and Outlook called DMS. The solution took well over 6 years to develop secure email (snicker), and still doesn't work right. Even though there is freeware that could have been implimented that we would be able to see the source code for - the PHB lemmings of the AF chose, instead, to go with a MS solution.
We also recently moved to a multi-thousand GAL (global Address list) - the microsoft proprietary solution which has opened us up for years to things like Mellissa and I LOVE YOU and all of that other crap that used MS features to spread itself like wildfire.
Every base has MS license agreemets for support - and by those agreements - like the rest of the world - are either going to continue paying $.50 a hit for our fix each year, or pay $100 each time we buy another computer.
As a young Lt., I spent 6 months replaceing perfectly functional Solaris boxes that performed our web, smtp, DNS, SQL, and other basic network services with NT 4.0 boxes. A week after we recovered from Service Pack 2 - i strongly recommended that we slow our migration - and that it was costing us more time and money supporting Windows machines than the UNIX boxes which never needed any work or upkeep. Some had uptimes of 4 years until I pulled the plugs on them. (don't beat me - i was the lowest ranking puke in the house - and i did what i was told)
After the first virus attack - I stood up in a meeting and demanded to know why the room wanted to spend all its time figureing out how to rip out the functionalities of the Windows boxes that made us vulnerable and didn't look at solutions which were inherently not vulnerable - and was flabbergasted. It was like I was in a room full of guys from Boston and had said that the Bruins sucked. They all became instant apologists for MS and their shit software... how it wasn't that hard to fix the problem and that we had virus software, yada yada yada..
Meanwhile - my home Mac OS 8 server was chugging along just fine, even though I had gotten the viruses from lots of people at work. But it easily could have been a FreeBSD or Linux box too.
This is a lot of huffing a puffing. Its a farce. It is because there is no one with the nads to make a descision against what everyone knows - that MS 0wn2 J00, stupid Air Force.
guns kill people like spoons make Rosie O'Donnell fat.
I was just thinking back on why this might be a problem for the military in general. Havng had some experience as an admin in the Army, amoungst some other experiences, I feel comfortable with the asertion that from the perspective of a software user, the millitary is no different than any major corporate entity. While they do have hardware and software than most corporations do not have, the same can be said for GM, Sabre, and Citicorp. Yet for most day to day operational stuff, admins, supply people, and more and more mechanics are using off the shelf software to support their job. Part of this is cost savings. Even at inflated dod prices, it costs them less to purchase Office than it does to write their own office suite. For situations that do not require hardened computers, it is cheaper to buy off the shelf than to custom order. That doesn't mean that these systems require any less security than corporate systems do, or even that they need more security, though that is arguable. However the implications of a hacked PC that manages where soldiers are going to be stationed, or what parts are in inventory, or what grade screw belongs on that part of the engine, are a bit different for computers in the military than they are for a corporate office. Likewise for whether that order makes it to the server in a timely manner. For a buisness, it means money. For the Military it also means money, but it can also mean lives, or battles. -Rusty
You never know...
Not about the Air Force or MS, but related.
The Dep't of the Interior's networks & web sites are now just coming back up, after being shut down for over 2 months by court order due to an almost complete lack of security on the network that allowed virtually anyone with a port sniffer to get into the Indian Trust Database -- a terrible failure of their IT, and a wonderful example of how exposed & poorly run many government networks are. CNN has a short summary.
The interesting story here is that my mom (a Nat'l Park Service employee) was recently given a service award for letting the accounting people go to her house & use her computer at home (which I set up, and is secure, running WinXP behind a Linksys BFSR41 routed switch w/ firewall) to install software to make payments to contractors, do office supply, etc.
Interior deserved what they got & should have had their shit together, but the result was over 2 months of torture for almost every DoI employee. It's fearsome, though, that a firewalled home connection could be more secure than government and military networks. I dunno about the military, but Interior is apparently desperate for decent IT support.
The only tool you've got against psychosis is experience.
This "warning" to Microsoft makes me wonder if the Air Force will soon be recieving a letter from MS's Licensing Dept. about whether they have the "correct" number of Windows and Office licenses.
And on a more serious note... A couple of posts have questioned why the AF uses MS products. When I was in the Air Force we were directed to convert our bases' Novell/cc:mail/Linux servers all over to MS products. The reason we were told was that they wanted a standard set of products used at all AF locations. This way, when you went from base to base, you would already be familiar with the software infrastructure. The reason MS was chosen was because it was easier to train people to learn the basics of Windows compared to the others. At the time, the Air Force was also learning that if they spent 4 years teaching someone to be a Linux/Solaris/etc guru, they would opt for a civilian job when their re-enlistment time came(i.e. they rather double or triple their salary and not have to worry about being sent to Bosnia).
That is a complete load of crap. How many apache exploits have we seen in 2 years? How many in IIS? Apache runs 60% of web sites according to netcraft. Yet Apache has had few exploits.
What really blows your theory apart is that in the past there have been smaller companies with worse records.
MS' problem is that they never seem to consider the security implications when they start tossing on new features. Then when something does break they pass the blame. Or cry about getting more attention for being the leader.
I find it rather sad that they clame to have a server that any monkey can set up and run but then when it breaks they blame the monkey.
The problem does *not* end with the discovered exploit either. Exploits happen and they need to deal with them properly.
This means:
Not treating exploits as a PR problem.
Not rolling bug fixes into feature upgrades.
Not having other software accidentally remove fixes.
I think mainstream media may be finally catching on. This is the first article I've seen were they flat-out state that Love-Bug, Melissa, Sir-Cam, and Nimba are Windows/Outlook viruses, not email viruses or internet viruses.
Accuracy is nice, maybe the general public will soon learn who is really at fault here.
www.lucernesys.comHorizon: Calendar-based personal finance
When I was stationed at Langley I was part of a team that implemented the first version of what's now called CTAPS.
One part of the project was to take an existing application, Combat Airspace Deconfliction System (CADS), written in Modula 3 on a PC and re-implement it in C/GKS on a MicroVAX III running Ultrix.
A couple of months after the re-implementation, my team got a call from an Army guy looking to use CADS. We asked him if he wanted to buy a MicroVAX III and learn how to use UNIX. Answer: No. He got the TEMPEST Z-150/Modula 3 version, as did a lot of other people.
The reason Microsoft has gotten around is that it offered a reasonably simple-to-use product on a reasonably cheap hardware platform. Things may have changed since then, but there is a reason Microsoft is everywhere, and it's not all to do with a lack of military intelligence.
668: Neighbour of the Beast
sPh
Yeah, keep parroting this...then you should mention that at the same time the vulnerability was announced, a fix was available: download zlib-1.1.4. Sheesh. You NEVER get this responsiveness from M$. Also, the vulnerability wasn't a root exploit, you couldn't trash a system with it, couldn't use it to gain root.
In Bushworld, they struggle to keep church and state separate in Iraq as they increasingly merge the two in America.
Trying to lay the catch-up game with Microsoft products is not a positive thing to do; the positive thing to do would be to get non-Microsoft solutions so that these problems don't occur. Positive solutions fix the problem, not patch the symptoms. Incessant, needless patching and worrying is what builds up the negative energy.
Dude, remember that the DoD has a rather different idea of "Secure" than the average website (.com OR .gov).
When they say "secure", they're talking Orange Book. They're talking about lives in the balance. "Secure" means, "If you fucked up, somebody died."
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
The military do genuinely have a number of requirements that are not shared by the general public, such as the ability to continue functioning after the loss of 80% or more of the infrastructure in a particular locality.
I hope you were saying that as a joke. I am a systems maintainer in the USAF. Every day, I get a call about one or more "vital" telecom lines that have dropped.
The customers that I service are given a single, anemic line running through an overtasked proxy server connected to an abominal firewall mapped with infuriating rules. I am not talking about a single base either either. It seems that most bases are this way. The backbones are generally good, if you happen to work at a base with a NIPRNET/SIPRNET gateway router. If you work at a smaller base, you will understand the constant plague of IDNX system reroutes and satalites that "just dissappear" for hours.
And how do the customers react when they cannot access afpubs.af.mil? Do they use an alternate system? Is their 80% redundancy there? No, it isn't.
The customer gets screwed and no one cares. NO ONE! Why? Because the motto of DISA is "Hey, what choice do you have?" Meanwhile, me and my co-workers dry out "wet cable", querry call paths, and wait for FedEx to bring in replacement line drivers.
Sorry for the rant, I'm just wondering where the 80% redundancy is. I have been in for a while, and I have never seen it.
I'd rather you do it wrong, than for me to have to do it at all.
sPh
That's a good distinction to make because it allows free speech. It seems like a small thing, but all the software I use at home falls under this catagory.
In some ways, it's reasonable for vendors to be held responsible for their products, but the idea is still problematic. Liability hurts small vendors more than large vendors. How do you measure the harm done? How do you assign blame to products that were developed by more than one company? Is every Linux company liable for a problem in the Linux kernel? What about software that costs money but is downloaded from another country? What about free products such as Internet Explorer or Outlook?
Some of common security problems are really user interface problems. For example, most users misconfigure windows network neighborhood. Is Microsoft liable for that?
In your first post you stated: "My guess is, this letter was an attempt to secure a cheaper license from MS. They're not going to simply switch over to something else."
I agree with you, and I suspect no new laws are going to change this. There may be some consumers that may need protection from vendor laziness, but the airforce knew about the problems with Microsoft products and chose to use them anyways. I don't think they should be able to sue Microsoft for something they knew was going to be a problem all along.
"The military and the government don't really have too much choice at this point except to start to put pressure on Microsoft and others to improve software security," Erbschloe says.
No, the consumer (the government here) can buy software that is certifiably secure and not pay for any that does not meet security requirements.
The Air Force can buy Sun hardware and software, for example, instead of Microsoft. It can set requirements in contracts that are not slanted toward Microsoft but which demand software that the consumer can fix rather than waiting for a new version.
Yes, if the government won't do this then it has to live with the consequences of caving in to the antitrust suit and plead with Microsoft to be nice to them.
First of all, if you were a smart unix user, you would not be using Sendmail. You talk about 'understanding', but do not understand that you have a nice choice of alternatives that are much more proactively secure than Sendmail, such as Postfix or Qmail. Same goes for Bind (we have djbdns and such). What do you get from Microsoft? Their one product. Big choice there.
I do so fully well how and why things work. That's why I say to choose free unixes. They are not blackboxes. You can easily poke in, and figure out what's wrong. You can fix the problems yourself, even more proactively than your proprietary provider. All this and more you cannot do with proprietary, closed products.
Furthermore, you aren't being proactive by simply applying vendor-supplied patches when they say to; that's reactive. Being proactive means learning how your software security works, especially internally, and performing appropriate actions.