Air Force Warns Microsoft/Others to Tighten Security

FattyBoeBatty wrote to us with a story from USA Today about the the Air Force and security concerns. The Microsoft point is the primary point of the article, but the AF CIO has also made the point at industry forums, and evidently with Cisco. Specific companies aside, I think it's a good thing that organizations are beignning to realize the exposure they have on security issues - and maybe will actually start to take steps to close them.

Re:Is this government's role?

[Pii]

Political pressure? Hogwash...

The Air Force is waving it's $6 Billion annual budget at Microsoft, and saying to them that if their shoddy, unsecure software does not dramatically improve, these dollars will be going to your competitors.

That's called "Economic Pressure," and in the free market, it's the single greatest motivator ever, and it always will be.

To put it in democratic terms, the Air Force has issued fair warning that it intends to "vote with it's feet."

Responsibility

[ksw2]

As much as I enjoy seeing Microsoft get negative publicity, maybe the Airforce should evaluate their own security practices... I mean, wasn't the Lovebug an email attachment virus? Couldn't a relevant security policy have changed this? I'm not fluent in Windows holes, but it seems to me if they have a huge problem with Outlook in particular, USAF could mandate Eudora as their official email client rather easily.

I'm not trying to say M$ is inoccent, I just want to point out that no matter how secure the OS is, users need to be educated in computer security, or it's all going to go to shit anwyay. My $0.02 (cha-ching)

Re:Is this government's role?

[BasharTeg]

Let's let free enterprise do its job. Political pressure has no role here. The private sector must remain free and independent so that it can provide the solutions that the marketplace wants.

This is complete garbage. The government is a customer and a member of the marketplace too. Just as IBM, or DELL, or some other company who does business with Microsoft could put "pressure" on them, so can government agencies, who are customers also. The government harrassment, and Air Force's "threatening posture" are no different than two businesses exchanging fire over their differences. THIS is how free enterprise works. You are free to make a crappy product, but the Air Force is free to complain about it, demand that you fix it, slam you publicly about it, and threaten to take action, including switching to another product. You're forgetting the consumer side of "free enterprise."

Besides, national security is a priority, and they have every right to demand security in the software that's trusted for that use. What happens when NASA buys a crappy booster rocket, and it falls apart? Are they not allowed to put political pressure on the company that produced it, because that would be a bother to free enterpise? Give me a break.

Being a Communications/Computer officer in the AF

[gsfprez]

I totaly disbelieve this article.

We are whole heartedly all out sold out to Microsoft.

We (actually, the US military) have recently implimented a MS only messaging solution using Exchange and Outlook called DMS. The solution took well over 6 years to develop secure email (snicker), and still doesn't work right. Even though there is freeware that could have been implimented that we would be able to see the source code for - the PHB lemmings of the AF chose, instead, to go with a MS solution.

We also recently moved to a multi-thousand GAL (global Address list) - the microsoft proprietary solution which has opened us up for years to things like Mellissa and I LOVE YOU and all of that other crap that used MS features to spread itself like wildfire.

Every base has MS license agreemets for support - and by those agreements - like the rest of the world - are either going to continue paying $.50 a hit for our fix each year, or pay $100 each time we buy another computer.

As a young Lt., I spent 6 months replaceing perfectly functional Solaris boxes that performed our web, smtp, DNS, SQL, and other basic network services with NT 4.0 boxes. A week after we recovered from Service Pack 2 - i strongly recommended that we slow our migration - and that it was costing us more time and money supporting Windows machines than the UNIX boxes which never needed any work or upkeep. Some had uptimes of 4 years until I pulled the plugs on them. (don't beat me - i was the lowest ranking puke in the house - and i did what i was told)

After the first virus attack - I stood up in a meeting and demanded to know why the room wanted to spend all its time figureing out how to rip out the functionalities of the Windows boxes that made us vulnerable and didn't look at solutions which were inherently not vulnerable - and was flabbergasted. It was like I was in a room full of guys from Boston and had said that the Bruins sucked. They all became instant apologists for MS and their shit software... how it wasn't that hard to fix the problem and that we had virus software, yada yada yada..

Meanwhile - my home Mac OS 8 server was chugging along just fine, even though I had gotten the viruses from lots of people at work. But it easily could have been a FreeBSD or Linux box too.

This is a lot of huffing a puffing. Its a farce. It is because there is no one with the nads to make a descision against what everyone knows - that MS 0wn2 J00, stupid Air Force.

mistaken perceptions....

[rusty0101]

I was just thinking back on why this might be a problem for the military in general. Havng had some experience as an admin in the Army, amoungst some other experiences, I feel comfortable with the asertion that from the perspective of a software user, the millitary is no different than any major corporate entity. While they do have hardware and software than most corporations do not have, the same can be said for GM, Sabre, and Citicorp. Yet for most day to day operational stuff, admins, supply people, and more and more mechanics are using off the shelf software to support their job. Part of this is cost savings. Even at inflated dod prices, it costs them less to purchase Office than it does to write their own office suite. For situations that do not require hardened computers, it is cheaper to buy off the shelf than to custom order. That doesn't mean that these systems require any less security than corporate systems do, or even that they need more security, though that is arguable. However the implications of a hacked PC that manages where soldiers are going to be stationed, or what parts are in inventory, or what grade screw belongs on that part of the engine, are a bit different for computers in the military than they are for a corporate office. Likewise for whether that order makes it to the server in a timely manner. For a buisness, it means money. For the Military it also means money, but it can also mean lives, or battles. -Rusty

Dept of Interior's Network - An Interesting Story

[gdyas]

Not about the Air Force or MS, but related.

The Dep't of the Interior's networks & web sites are now just coming back up, after being shut down for over 2 months by court order due to an almost complete lack of security on the network that allowed virtually anyone with a port sniffer to get into the Indian Trust Database -- a terrible failure of their IT, and a wonderful example of how exposed & poorly run many government networks are. CNN has a short summary.

The interesting story here is that my mom (a Nat'l Park Service employee) was recently given a service award for letting the accounting people go to her house & use her computer at home (which I set up, and is secure, running WinXP behind a Linksys BFSR41 routed switch w/ firewall) to install software to make payments to contractors, do office supply, etc.

Interior deserved what they got & should have had their shit together, but the result was over 2 months of torture for almost every DoI employee. It's fearsome, though, that a firewalled home connection could be more secure than government and military networks. I dunno about the military, but Interior is apparently desperate for decent IT support.

Isn't the AF due a letter from the MS or BSA?

[theinfobox]

This "warning" to Microsoft makes me wonder if the Air Force will soon be recieving a letter from MS's Licensing Dept. about whether they have the "correct" number of Windows and Office licenses.

And on a more serious note... A couple of posts have questioned why the AF uses MS products. When I was in the Air Force we were directed to convert our bases' Novell/cc:mail/Linux servers all over to MS products. The reason we were told was that they wanted a standard set of products used at all AF locations. This way, when you went from base to base, you would already be familiar with the software infrastructure. The reason MS was chosen was because it was easier to train people to learn the basics of Windows compared to the others. At the time, the Air Force was also learning that if they spent 4 years teaching someone to be a Linux/Solaris/etc guru, they would opt for a civilian job when their re-enlistment time came(i.e. they rather double or triple their salary and not have to worry about being sent to Bosnia).

Re:My Humble Opinion

[gmack]

That is a complete load of crap. How many apache exploits have we seen in 2 years? How many in IIS? Apache runs 60% of web sites according to netcraft. Yet Apache has had few exploits.

What really blows your theory apart is that in the past there have been smaller companies with worse records.

MS' problem is that they never seem to consider the security implications when they start tossing on new features. Then when something does break they pass the blame. Or cry about getting more attention for being the leader.

I find it rather sad that they clame to have a server that any monkey can set up and run but then when it breaks they blame the monkey.

The problem does *not* end with the discovered exploit either. Exploits happen and they need to deal with them properly.

This means:
Not treating exploits as a PR problem.
Not rolling bug fixes into feature upgrades.
Not having other software accidentally remove fixes.

Re:Then why do they stay?

[Pii]

I'm not sure you understand the economics of the military...

It does not cost the Air Force anything to retrain, nor to reconfigure.

The Air Force (and the military in general) is already paying for the training of every person that enters the service. It would be a trivial matter for them to re-tool the courses in their Computer Sciences School, so that the students learned some other product or technology. (Besides, it's not like they teach an "NT Systems Administrator" course... They teach basics, like "Computer Programming," or "Computer Operations." The real training occurs on the job, after the E-2 or E-3 posts to his first duty station. In the Marine Corps, I entered as a "Cobol Programmer," and my fist duty billet was in networking (Banyan Vines, Ethernet and Token Ring environments).)

Likewise, the cost of reconfiguring all of the systems they've already purchased is also free. They have a labor force that they are already paying (that they have to pay, twice monthly, regardless of what they are tasked with), so why not "upgrade" all of the mail systems. It will not affect their costs at all.

This is a luxury that most of Microsoft's customers do not have, but is a very real, very possible option for the Armed Forces.

Re:Dept of Interior's Network - An Interesting Sto

[Amazing+Quantum+Man]

Dude, remember that the DoD has a rather different idea of "Secure" than the average website (.com OR .gov).

When they say "secure", they're talking Orange Book. They're talking about lives in the balance. "Secure" means, "If you fucked up, somebody died."