Slashdot Mirror


Air Force Warns Microsoft/Others to Tighten Security

FattyBoeBatty wrote to us with a story from USA Today about the Air Force and security concerns. The Microsoft point is the primary point of the article, but the AF CIO has also made the point at industry forums, and evidently with Cisco. Specific companies aside, I think it's a good thing that organizations are beginning to realize the exposure they have on security issues - and maybe will actually start to take steps to close them.

16 of 336 comments

  1. Then why do they stay? by FortKnox · · Score: 4, Insightful

    Why do they stick with MS if they have security issues?
    Why hasn't anyone asked this question?

    We run Exchange Server, and we get hit by an Exchange Server virus.
    Quick solution: Don't use Exchange Server.

    Why sit and wait for MS to comply?
    It just seems odd to me.

    Note: I'm not saying "Y d0nt j00 B 1337 4nd us3 L1NU><?" I'm just asking why stick with MS.

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
    1. Re:Then why do they stay? by Pii · · Score: 5, Insightful
      I'm not sure you understand the economics of the military...

      It does not cost the Air Force anything to retrain, nor to reconfigure.

      The Air Force (and the military in general) is already paying for the training of every person that enters the service. It would be a trivial matter for them to re-tool the courses in their Computer Sciences School, so that the students learned some other product or technology. (Besides, it's not like they teach an "NT Systems Administrator" course... They teach basics, like "Computer Programming," or "Computer Operations." The real training occurs on the job, after the E-2 or E-3 posts to his first duty station. In the Marine Corps, I entered as a "Cobol Programmer," and my first duty billet was in networking (Banyan Vines, Ethernet and Token Ring environments).)

      Likewise, the cost of reconfiguring all of the systems they've already purchased is also free. They have a labor force that they are already paying (that they have to pay, twice monthly, regardless of what they are tasked with), so why not "upgrade" all of the mail systems. It will not affect their costs at all.

      This is a luxury that most of Microsoft's customers do not have, but is a very real, very possible option for the Armed Forces.

      --
      For those that would die defending it, Freedom
      has a sweet taste that the protected will never know.
    2. Re:Then why do they stay? by flatrock · · Score: 4, Informative

      Because security is only one of the issues they have to deal with.

      I worked as a contractor in computer support for the Air Force years ago. This was before they used Exchange. They were using DEC Teamlinks where I was at. Teamlinks wasn't very easy to use. The client interface was kludgy and didn't have all the nice integrated features you get with Outlook today. The server, which was a DEC Alpha, crashed a lot. I think the server was simply a very expensive lemon. The DEC staff on site, as well as outside support people, spent a lot of time replacing parts and tweaking software, but couldn't get it to remain stable.

      Exchange and Outlook were a much better choice even with the risk of a virus taking down the system because the system they had was taking itself down on a regular basis.

      Training is also a serious issue. There was a full-time person whose job was to train users to use Teamlinks. One thing many people don't realize is that the majority of the people using this software on an Air Force base aren't military. They're civil servants and contractors. Military people follow orders pretty well, and contractors do as they're told, or find themselves without a job. Civil servants are a different story. Contractors come and go, military people get transferred after about 4 years or so, but the civil servants will still be there when the others are gone. If they aren't interested in learning something, they just make a few excuses and put it off until there's a new Deputy Director, or whoever's making the decisions. We had a chief scientist that refused to use the email or calendar software. He had his secretary print all his email and put it in his inbox. She would respond to his email as he directed her to, and handle all the scheduling in the calendar software. She had been around for a very long time, and wasn't very computer friendly herself. Every time she got confused or made a mistake, it was the computer's fault, and whoever got the support call was in for a bad day. One contractor didn't seem to realize that she was always right and got himself banned from her office, which led to his eventual dismissal. These people don't like to learn new things. If it isn't easy to learn, they pretty much have the ability to make everyone's life a living hell, and sooner or later the people making the decisions realize that any solution has to take that into account.

      While email is a security issue in that poor security can result in lost productivity, it shouldn't be an issue of national security. Confidential and secret information should never end up on the email system.

      In my experience with the Air Force, the people making the decisions were not technically incompetent. They also requested and received input from many different highly skilled technical people, and they had a lot of experienced people with backgrounds in Unix, VMS, and NT to draw upon. They were trying to get a product that best met all their needs. Security was obviously a consideration in their decision, but it didn't outweigh their need for a usable system.

      The real issue is that the ease of use that they desire is somewhat in opposition to a high level of security. This means that an alternative to Exchange/Outlook may not provide them with greatly increased security. For them to change and eat the rather high costs of retraining their employees, there needs to be a product that does a considerably better job of meeting their needs, with security only being part of those needs.

    3. Re:Then why do they stay? by elandal · · Score: 4, Insightful
      We run Exchange Server, and we get hit by an Exchange Server virus.
      Quick solution: Don't use Exchange Server.

      A solution allowing internal use of Exchange is also possible.

      Don't expose Exchange servers to the internet. Have internet email come to a secure MTA (no, not sendmail, something more simple and more easily secured). The internet-MTA can then spool email for virus scanning and whatever other mangling needs to be done (remove every attachment with filename ending with .vbs (and a hundred others) and so on). After mangling, forward to internal Exchange servers.

      Easy, doesn't require powerful machines even for a large amount of email (OK, depends on the amount of mangling done), easily replicated to several sites, and likely to be near-zero administration.
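      The attachment-mangling step of the gateway described in this post, as an added example that is not code from the thread or from any product it names. It assumes the internet-facing MTA hands each spooled message to a function (here called filter_message) as raw bytes before forwarding it inward; the function names and the short extension list are illustrative choices, and the inbound message is constructed inline.

```python
"""Attachment-stripping step for an internet-facing mail gateway.

Added example, not code from the thread or from any product it names.
Assumes the gateway hands each spooled message to filter_message() as
raw bytes before forwarding it to the internal Exchange servers. The
function names and the short extension list are illustrative choices.
"""
import email
from email import policy
from email.message import EmailMessage

# Final extensions to strip, lower-cased. A short constructed list for
# the example; the post notes a real deployment needs "a hundred others".
BLOCKED_EXTENSIONS = frozenset({
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".exe", ".scr", ".pif",
    ".bat", ".cmd", ".com",
})


def is_blocked_filename(name):
    """True if the attachment name ends in a blocked extension.

    The check is case-insensitive and looks only at the final extension,
    so "report.txt.vbs" is caught (the client would treat it as a script)
    while "notes.vbs.txt" is not (it opens as plain text).
    """
    if not name:
        return False
    lowered = name.strip().lower()
    dot = lowered.rfind(".")
    if dot == -1:
        return False
    return lowered[dot:] in BLOCKED_EXTENSIONS


def _scrub(part, removed):
    """Recursively replace blocked attachment parts with a text notice."""
    if not part.is_multipart():
        return part
    new_parts = []
    for sub in part.get_payload():
        name = sub.get_filename()
        if is_blocked_filename(name):
            removed.append(name)
            notice = EmailMessage()
            notice.set_content(f"[attachment {name!r} removed by mail gateway]")
            new_parts.append(notice)
        else:
            new_parts.append(_scrub(sub, removed))
    part.set_payload(new_parts)
    return part


def filter_message(raw):
    """Parse raw message bytes and strip blocked attachments.

    Returns (sanitized_bytes, removed_filenames). Stripped parts are
    replaced by a short text/plain notice so the recipient can see that
    something was removed rather than silently losing it.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    _scrub(msg, removed)
    return msg.as_bytes(), removed


def attachment_names(raw):
    """Filenames of every part carrying a filename, in message order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def build_sample():
    """Constructed inbound message: a body, a PDF and a double-extension script name."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.mil"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Report attached.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder",
                       maintype="application", subtype="pdf",
                       filename="report.pdf")
    # Harmless placeholder bytes; only the name matters to the filter.
    msg.add_attachment(b"' constructed placeholder, not a script",
                       maintype="application", subtype="octet-stream",
                       filename="REPORT.TXT.VBS")
    return msg.as_bytes()


if __name__ == "__main__":
    inbound = build_sample()
    outbound, stripped = filter_message(inbound)
    print("before:  ", attachment_names(inbound))
    print("after:   ", attachment_names(outbound))
    print("stripped:", stripped)
```

      The filter keys on the final extension only and replaces each stripped part with a visible notice; both are deliberate choices so that a user who expected a file knows the gateway removed it, and so that a scanned message never reaches the internal Exchange servers with the original part still present.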
  2. Nice to see... by Pii · · Score: 4, Interesting
    You know, when a customer that has $6B dollars a year to spend on technology says jump, Microsoft had better damn well be asking "How High?"

    I'm kind of disappointed that the Air Force is using Exchange in the first place. I hope that when they realize that Microsoft is not ever going to be able to meet the somewhat unique requirements of the DoD (For them, lives do hang in the balance), that they are willing to take their business elsewhere.

    --
    For those that would die defending it, Freedom
    has a sweet taste that the protected will never know.
  3. canadian air force by Toshito · · Score: 4, Funny

    The Canadian air force is also putting a lot of pressure on punch card manufacturers to force them to close a lot of security holes in their software...

    --
    Try it! Library of Babel
  4. Re:Is this government's role? by Pii · · Score: 5, Interesting
    Political pressure? Hogwash...

    The Air Force is waving its $6 billion annual budget at Microsoft, and saying to them that if their shoddy, insecure software does not dramatically improve, these dollars will be going to your competitors.

    That's called "Economic Pressure," and in the free market, it's the single greatest motivator ever, and it always will be.

    To put it in democratic terms, the Air Force has issued fair warning that it intends to "vote with its feet."

    --
    For those that would die defending it, Freedom
    has a sweet taste that the protected will never know.
  5. Responsibility by ksw2 · · Score: 5, Insightful
    As much as I enjoy seeing Microsoft get negative publicity, maybe the Air Force should evaluate their own security practices... I mean, wasn't the Lovebug an email attachment virus? Couldn't a relevant security policy have changed this? I'm not fluent in Windows holes, but it seems to me if they have a huge problem with Outlook in particular, USAF could mandate Eudora as their official email client rather easily.

    I'm not trying to say M$ is innocent, I just want to point out that no matter how secure the OS is, users need to be educated in computer security, or it's all going to go to shit anyway. My $0.02 (cha-ching)

  6. Re:Is this government's role? by BasharTeg · · Score: 5, Interesting
    Let's let free enterprise do its job. Political pressure has no role here. The private sector must remain free and independent so that it can provide the solutions that the marketplace wants.


    This is complete garbage. The government is a customer and a member of the marketplace too. Just as IBM, or DELL, or some other company who does business with Microsoft could put "pressure" on them, so can government agencies, who are customers also. The government harassment, and Air Force's "threatening posture" are no different than two businesses exchanging fire over their differences. THIS is how free enterprise works. You are free to make a crappy product, but the Air Force is free to complain about it, demand that you fix it, slam you publicly about it, and threaten to take action, including switching to another product. You're forgetting the consumer side of "free enterprise."


    Besides, national security is a priority, and they have every right to demand security in the software that's trusted for that use. What happens when NASA buys a crappy booster rocket, and it falls apart? Are they not allowed to put political pressure on the company that produced it, because that would be a bother to free enterprise? Give me a break.

  7. Being a Communications/Computer officer in the AF by gsfprez · · Score: 5, Insightful

    I totally disbelieve this article.

    We are wholeheartedly, all out, sold out to Microsoft.

    We (actually, the US military) have recently implemented an MS-only messaging solution using Exchange and Outlook called DMS. The solution took well over 6 years to develop secure email (snicker), and still doesn't work right. Even though there is freeware that could have been implemented that we would be able to see the source code for - the PHB lemmings of the AF chose, instead, to go with an MS solution.

    We also recently moved to a multi-thousand GAL (Global Address List) - the Microsoft proprietary solution which has opened us up for years to things like Melissa and I LOVE YOU and all of that other crap that used MS features to spread itself like wildfire.

    Every base has MS license agreements for support - and by those agreements - like the rest of the world - are either going to continue paying $.50 a hit for our fix each year, or pay $100 each time we buy another computer.

    As a young Lt., I spent 6 months replacing perfectly functional Solaris boxes that performed our web, SMTP, DNS, SQL, and other basic network services with NT 4.0 boxes. A week after we recovered from Service Pack 2 - I strongly recommended that we slow our migration - and that it was costing us more time and money supporting Windows machines than the UNIX boxes which never needed any work or upkeep. Some had uptimes of 4 years until I pulled the plugs on them. (don't beat me - I was the lowest ranking puke in the house - and I did what I was told)

    After the first virus attack - I stood up in a meeting and demanded to know why the room wanted to spend all its time figuring out how to rip out the functionalities of the Windows boxes that made us vulnerable and didn't look at solutions which were inherently not vulnerable - and was flabbergasted. It was like I was in a room full of guys from Boston and had said that the Bruins sucked. They all became instant apologists for MS and their shit software... how it wasn't that hard to fix the problem and that we had virus software, yada yada yada..

    Meanwhile - my home Mac OS 8 server was chugging along just fine, even though I had gotten the viruses from lots of people at work. But it easily could have been a FreeBSD or Linux box too.

    This is a lot of huffing and puffing. It's a farce. It is because there is no one with the nads to make a decision against what everyone knows - that MS 0wn2 J00, stupid Air Force.

    --
    guns kill people like spoons make Rosie O'Donnell fat.
  8. mistaken perceptions.... by rusty0101 · · Score: 5, Insightful

    I was just thinking back on why this might be a problem for the military in general. Having had some experience as an admin in the Army, amongst some other experiences, I feel comfortable with the assertion that from the perspective of a software user, the military is no different than any major corporate entity. While they do have hardware and software that most corporations do not have, the same can be said for GM, Sabre, and Citicorp. Yet for most day to day operational stuff, admins, supply people, and more and more mechanics are using off the shelf software to support their job. Part of this is cost savings. Even at inflated DoD prices, it costs them less to purchase Office than it does to write their own office suite. For situations that do not require hardened computers, it is cheaper to buy off the shelf than to custom order. That doesn't mean that these systems require any less security than corporate systems do, or even that they need more security, though that is arguable. However the implications of a hacked PC that manages where soldiers are going to be stationed, or what parts are in inventory, or what grade screw belongs on that part of the engine, are a bit different for computers in the military than they are for a corporate office. Likewise for whether that order makes it to the server in a timely manner. For a business, it means money. For the Military it also means money, but it can also mean lives, or battles. -Rusty

    --
    You never know...
  9. Dept of Interior's Network - An Interesting Story by gdyas · · Score: 5, Interesting

    Not about the Air Force or MS, but related.

    The Dep't of the Interior's networks & web sites are now just coming back up, after being shut down for over 2 months by court order due to an almost complete lack of security on the network that allowed virtually anyone with a port sniffer to get into the Indian Trust Database -- a terrible failure of their IT, and a wonderful example of how exposed & poorly run many government networks are. CNN has a short summary.

    The interesting story here is that my mom (a Nat'l Park Service employee) was recently given a service award for letting the accounting people go to her house & use her computer at home (which I set up, and is secure, running WinXP behind a Linksys BFSR41 routed switch w/ firewall) to install software to make payments to contractors, do office supply, etc.

    Interior deserved what they got & should have had their shit together, but the result was over 2 months of torture for almost every DoI employee. It's fearsome, though, that a firewalled home connection could be more secure than government and military networks. I dunno about the military, but Interior is apparently desperate for decent IT support.

    --
    The only tool you've got against psychosis is experience.

  10. Isn't the AF due a letter from the MS or BSA? by theinfobox · · Score: 5, Interesting

    This "warning" to Microsoft makes me wonder if the Air Force will soon be receiving a letter from MS's Licensing Dept. about whether they have the "correct" number of Windows and Office licenses.

    And on a more serious note... A couple of posts have questioned why the AF uses MS products. When I was in the Air Force we were directed to convert our bases' Novell/cc:mail/Linux servers all over to MS products. The reason we were told was that they wanted a standard set of products used at all AF locations. This way, when you went from base to base, you would already be familiar with the software infrastructure. The reason MS was chosen was because it was easier to train people to learn the basics of Windows compared to the others. At the time, the Air Force was also learning that if they spent 4 years teaching someone to be a Linux/Solaris/etc guru, they would opt for a civilian job when their re-enlistment time came (i.e., they would rather double or triple their salary and not have to worry about being sent to Bosnia).

  11. Re:My Humble Opinion by gmack · · Score: 5, Interesting

    That is a complete load of crap. How many Apache exploits have we seen in 2 years? How many in IIS? Apache runs 60% of web sites according to Netcraft. Yet Apache has had few exploits.

    What really blows your theory apart is that in the past there have been smaller companies with worse records.

    MS' problem is that they never seem to consider the security implications when they start tossing on new features. Then when something does break they pass the blame. Or cry about getting more attention for being the leader.

    I find it rather sad that they claim to have a server that any monkey can set up and run but then when it breaks they blame the monkey.

    The problem does *not* end with the discovered exploit either. Exploits happen and they need to deal with them properly.

    This means:
    Not treating exploits as a PR problem.
    Not rolling bug fixes into feature upgrades.
    Not having other software accidentally remove fixes.

  12. Re:My Humble Opinion by sphealey · · Score: 4, Interesting
    In my humble opinion, the only reason all the security holes are being found in Microsoft's software, is by virtue of the fact that it is, like it or not, running the majority of the world's computers, something like 95%. I am sure that if any other OS was as widely used, more breaches would be found.
    How long have you been involved with information technology? Do you remember the days when computer systems actually worked according to specification? And when their suppliers could understand and fix things that were broken? To pick a very recent example, were you around when Microsoft marketing and monopoly clout started pushing Netware out of the NOS arena, despite the fact that Microsoft's offering had 20% of the features and 5% of the stability of Netware? Have you ever compared MS Active Directory to Novell eDirectory on a point-by-point basis, including features, manageability, and stability?

    sPh

  13. Re:Dept of Interior's Network - An Interesting Sto by Amazing+Quantum+Man · · Score: 5, Interesting

    Dude, remember that the DoD has a rather different idea of "Secure" than the average website (.com OR .gov).

    When they say "secure", they're talking Orange Book. They're talking about lives in the balance. "Secure" means, "If you fucked up, somebody died."

    --
    Fascism starts when the efficiency of the government becomes more important than the rights of the people.