Slashdot Mirror


USDOI Goes 100% Microsoft

SatanIsHere writes: "A memo (here, here, here, and here) dated September 19th, 2002 from the Department of the Interior's Acting CIO notes the new policy of a "Department-wide standard for computer operating systems (desktop and server)". Of course the good news is that this will herald a new era in government transparency for the Department of the Interior. SatanIsHere continues: "On September 13, 2002, the Assistant Secretary for Policy, Management and Budget signed the attached Findings and Determination establishing Microsoft Corporation's enterprise desktop and server software as the Department-wide standard for computer operating systems (desktop and server), office automation, and asset management software.... Benefits of establishing this new Department-wide standard include:
  • Lower Total Cost of Ownership for the desktop, including lower user training costs.
  • Centralized and efficient security policy administration
  • Greater flexibility and management functionality from products that offer a broader range of management solutions that integrate with non-Microsoft environments
  • Greater productivity and reliability attributed to less downtime.
  • Extended support for a large base of software applications.

Business specific application software requirements (such as Sun/Solaris, IBM, AIX, etc.) outside the established Microsoft standard may be addressed through the OCIO waiver process."

This looks to freeze out an entire Federal Department (70,000+ employees) from non-Microsoft solutions, requiring a "waiver" to use anything non-MS. One more step to complete Microsoft World Domination. This is particularly ironic considering the problems DOI has had recently regarding IT security. If this isn't leveraging a desktop monopoly into other areas I don't know what is. :-P"

172 of 380 comments

  1. Brilliant tactic! by aborchers · · Score: 4, Funny

    Now they can blame MS for their abysmal performance!

    --
    Trouble making decisions? Just flip for it.
    1. Re:Brilliant tactic! by aborchers · · Score: 5, Interesting

      OK, since my earlier attempt at taut humor met with a troll mod, I will attempt to elaborate what I meant by "Brilliant Tactic: Now they can blame MS for their abysmal performance".

      DOI has cultivated a reputation for being total mongos for decades, and since Gale Norton came on board, all pretenses of their mandate to protect US natural and cultural resources have been pretty much dropped. Their handling of Native American and environmental issues have been atrocious (so much so that they were recently called to task by a federal judge for their incompetence) and their recently publicized network security problems are just icing.

      I would post links, but why /. the sites. Just google for some combination of: Department of Interior, Native American, Environment, Pollution, Oil, and - if you really want to loose the gates of heck - throw in Gale Norton by name.

      In short, the DOI is largely derided as an incompetent bunch of bumbling boobs, hence my weak attempt at humor noting that installing a uniform MS environment would be an excellent diversion and scapegoat.

      --
      Trouble making decisions? Just flip for it.
    2. Re:Brilliant tactic! by Scratch-O-Matic · · Score: 2

      > Their handling of Native American and environmental issues have been atrocious (so much so that they were recently called to task by a federal judge for their incompetence)

      Just to be clear, Gale Norton was named by the judge ALONG WITH at least two of her immediate predecessors.

      --


      Evil is the money of root.
    3. Re:Brilliant tactic! by Alsee · · Score: 2

      For anyone not familiar with the DOI Indian trust fiasco, here are some quotes from various news stories.

      the third Cabinet-level officer to be held in contempt

      10 to 40 billion in missing funds

      Some of the money was stolen or used for other federal programs... Thousands of the accounts have money but no names attached.

      the government had no idea where to send the Indians' money, billions had just gone into the federal treasury, reducing the national debt

      stop the government from shredding documents

      agency officials failed to carry out court orders or covered up failures

      The ruling ... found the two officials had "committed a fraud upon the court"

      accounts have been mismanaged, the government acknowledges

      Federal Judge Royce Lamberth has decried the government's "egregious misconduct

      Department of Interior once hired the accounting firm of Arthur Andersen

      Sue Ellen Wooldridge, deputy chief of staff for Interior Secretary Gale A. Norton, discussed her qualifications for the job... she was uniquely qualified in one respect: She was the only appointee who had ever castrated a sheep -- with her teeth.


      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  2. This page is currently unavailable... by Zakabog · · Score: 3, Funny

    We're sorry, but this page is currently unavailable for viewing.
    If this site belongs to you, you owe us big time, one of our racks just melted from this fatal slashdotting.

    1. Re:This page is currently unavailable... by Publicus · · Score: 2

      I just got amazing deja-vu reading your post. Do you or someone else say something like this every time this happens?

      It's totally weird. I'm bidding on a server on ebay too, that is tying into it. I wonder if my gf put something into this coffee.

      Oh yeah, to be on topic, I wanted to say that I work for gov't, and our department's CIO has declared that only MS is going to be "supported software." It doesn't mean anything. People are going to use what they want. There are plenty of Unix boxen on our network.

      Of course our CIO is a joke, the DOI CIO isn't necessarily...

      --

      My Karma was at 49, then they switched to words. All that work for nothing!

    2. Re:This page is currently unavailable... by haplo21112 · · Score: 2

      Yeah right! If you haven't noticed changing anything that is not in the interest of the business world in the US has become impossible...we are governed by the lobbyists...it's impossible to get my congressmen, who are supposed to represent me....to even listen to my opinions....

      --
      Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
  3. Re:gone by rasjani · · Score: 3, Informative

    Geocities/Yahoo have "Bandwidthquota" that has been used up. That quota is quite strict so it's not that unfamiliar.

    --
    yush
  4. So? by nuggz · · Score: 2, Insightful

    Software is cheap, a few hundred bucks, much less than paying the employee for a few days.

    I use linux at home, but at work I gladly use windows & MS Office, it is the best solution, or at least a decent one for many situations.

    Hopefully the waiver process isn't so difficult that people can still select the best tool for the job.

    1. Re:So? by abase · · Score: 2, Insightful

      You use the right tool for the right job. Linux is not the end-all be-all for everything, nothing is. I enjoy using Linux at home (Mandrake 8.1 on a K6-2/350 with a GeForce 2 card) and I also enjoy using XP at work and at home on another computer. I won't give up my Dreamweaver ;-) Enjoy and 73 -Pat

      --
      73 KC2BQZ
    2. Re:So? by DustMagnet · · Score: 2
      > Does the phrase "waiver process" in the context of US Govt. bring forth visions of simplicity dancing in your head?

      Actually it did. I work for a state government. Sure the rules we get to "save money" cost us a fortune, but some waivers are easy to get and some hard. You can't tell from this memo, but I guessed this one would be easy.

      I still think it's lame, especially after the NSA was told not to help Linux security in the name of a free market.

      --
      'SBEMAIL!' is better than a goat!!
    3. Re:So? by ryepup · · Score: 2, Funny


      <td>
      <font><font></font><font>Y ou us</font>e
      <font></font></font><font>Dreamwea<fon t>v er
      </font></font>
      </td>
      </tr>
      <tr><td></td></t r>
      <tr><td></td></tr>
      <tr><td></td></tr>
      <tr><t d></td></tr>

  5. era of transparency by EkiM+in+De · · Score: 3, Funny
    > Of course the good news is that this will herald a new era in government transparency for the Department of the Interior.
    With the security in Microsoft products transparency comes as an unwanted standard feature.
    --
    Patriotism is the opium of the masses
  6. Benefits?? by struppi · · Score: 2, Troll

    > [...]
    > Centralized and efficient security policy administration
    > [...]
    > Greater productivity and reliability attributed to less downtime.
    That are the Benefits of using M$? Funny, I never knew that widooze provides these features...

    1. Re:Benefits?? by rde · · Score: 4, Funny

      > Centralized and efficient security policy administration
      > [...]
      > Greater productivity and reliability attributed to less downtime.
      > That are the Benefits of using M$? Funny, I never knew that widooze provides these features...

      You've got to pay attention.
      > Centralized and efficient security policy administration
      This says nothing about security; just a security policy (apply patches and hope for the best)

      > Greater productivity and reliability attributed to less downtime
      'greater productivity' means that Spider Solitaire isn't as easy as freecell, so users will give up in disgust and do some work.
      'reliability' is a truncation in the memo of "re: liability"
      'less downtime' refers to the microsoft helpdesk

    2. Re:Benefits?? by dbrutus · · Score: 2

      Group policies date back to at least NT 4 (and probably 3.5.1). I know I had to study them for my MCSE.

      The problem is that MS is so arrogant, so slapdash, and so powerful, that you just can't trust them. When a company spends an appreciable amount of effort at suppressing security flaw reports, it's time to find another company to rely on for your IT infrastructure.

  7. Re:why is this news? by baldass_newbie · · Score: 3, Insightful

    I think the two things that stick out are:
    1. This applies not just to desktop but to ALL servers as well. and...
    2. In order to use non-MicroSoft stuff, you need a waiver (which, based on the way government works, I'm sure is easy to get.)
    Sorry to state the obvious, but this seems rather closed-minded on the DOI's part. Especially when you consider MicroSoft's track record for security.

    Did you even read any of the above? Or did you just go into 'Troll' mode?

    --
    The opposite of progress is congress
  8. Been there, done that.. by lurvdrum · · Score: 3, Interesting

    This is more or less exactly the policy implemented in my organisation five or six years ago, justified on TCO grounds. Since then, the TCO for all IT systems has increased by around a factor of ten while the amount of useful IT systems being run has perhaps doubled. Go figure. Perhaps the original TCO arguments were flawed. Smoke, mirrors, and marketing...

    1. Re:Been there, done that.. by kevin+lyda · · Score: 2

      > it is just these stupid managers with their multibillion enterprises ... They just don't know how to run their businesses.

      actually, if you've been watching the economy lately you'll note that they're multimillion dollar enterprises...

      --
      US Citizen living abroad? Register to vote!
  9. Re:why is this news? by nathanh · · Score: 2
    > what is is that you are implying here? that running a solution that fits their needs is bad?

    Which part of "everybody will use this single piece of proprietary software" allows people to choose a solution which fits their needs?

    > should they suddenly switch to Linux or some other system that doesn't fulfill their requirements just to satisfy some zealots?

    It's more likely that they are running Linux or some other system and this decision is forcing them to change to something that doesn't suit their requirements.

    NB: taking this all with a grain of salt. A geocities page with some "leaked documents" that slashdots within 5 minutes might just be a hoax.

  10. One by One by e8johan · · Score: 4, Interesting

    Ok, lets cover them one by one:

    * Lower Total Cost of Ownership for the desktop, including lower user training costs.

    We've got problems at my work with people thinking that they are fully fledged programmers since they can record two macros and cut'n'paste the results into a super-macro. Of course users need to be educated, otherwise they will not be able to use the applications properly. (One example is people insisting on using spaces when they try to indent text, then go to the IT department and complain about the lines not being properly aligned...)

    * Centralized and efficient security policy administration.

    Oh, what? Surely one can pull the TP-cable out of *nix boxes too. Even the 'central' one in the basement... Security can not be a reason to use M$ software.

    * Greater flexibility and management functionality from products that offer a broader range of management solutions that integrate with non-Microsoft environments.

    This is M$ key to new markets. Take a standard, implement it, expand it in your solution in order to make your app 'integrate' with others, but not the other way around. A good application should be able both to import and export data properly. (M$ Word RTFs crash my FrameMaker... portable format - not).

    * Greater productivity and reliability attributed to less downtime.

    Again, you do not get less downtime by buying an expensive system with big flaws. They probably pay loads of $$$ to get a guaranteed time to support arrives and press the 'reset' button. *nix usually do not fail as often as Win*, thus no need to advertise that support will arrive in 2.3ms. The lack of service can be because it is not needed, not because it is an ignored flaw.

    * Extended support for a large base of software applications.

    Since most advertised software is commercial, and they probably do not look for software themselves (just ask for it in a formal way and have companies make offers). Just use KDE as the German government intends to do. This does not only give a better quality of the software, but also save loads of license $$$.

    But since Bill paid Bush's campaign, Bush has to give the money back to Bill. As he doesn't fancy paying up at few $$$, he just takes the $$$ from the tax payers. Bomb the hell out of a few arabs and the software sums looks small in the contents.

    1. Re:One by One by Anonymous Coward · · Score: 4, Informative

      > Centralized and efficient security policy administration.

      > Oh, what? Surely one can pull the TP-cable out of *nix boxes too. Even the 'central' one in the basement... Security can not be a reason to use M$ software


      As much as I loathe to defend any decision to choose Microsoft, I still need to point out that the sentence you quote talks about policy administration. WindowsNT security model is based on ACL's. Combine that with LDAP and you have a system which is ideal for centralized and efficient security policy administration. Currently, that's something that Unix just can't do, at least not on the same level as Windows can do it.

    2. Re:One by One by micromoog · · Score: 2
      > M$ Word RTFs crash my FrameMaker... portable format - not

      I don't suppose you've considered that this might be a FrameMaker problem?

    3. Re:One by One by Anonymous Coward · · Score: 2, Interesting

      "that's something that Unix just can't do, at least not on the same level as Windows can do it"

      It just depends on what you want to implement. There are good options out there, including ldap, kerberos, etc.

      On the other hand, Windows won't show you file permissions by default. And most users don't even know they can (and should) set those permissions (I guess lots of Windows sysadmins don't).

      I never had any problems editing other people's files in my company. I used that in a productive way and with permission from the owners, but it is a security risk.

      You can make your system secure either way (even using Windows). It just depends on you. This advocacy for MS products stems from fear. Windows sysadmins go for the easy road (where decisions are made in Redmond) instead of taking responsibility for developing a security policy of their own.

      Just like my company: 90% of the Internet has been blocked out. For security reasons. Everybody afraid of the killer ActiveX control. But if you go to the web site, they post dozens of Excel spreadsheets and Word documents. Talk about security risk (and liability, since those documents can spread virus)!

    4. Re:One by One by duffbeer703 · · Score: 5, Interesting

      Please just make it stop!

      "We've got problems at my work with people thinking that they are fully fledged programmers since they can record two macros and cut'n'paste the results into a super-macro"

      That's a problem anywhere. When I was a junior sysadmin at a university Unix shop we'd have PhD candidates dropping fork bombs and other stupid Unix programmer tricks.

      "Oh, what? Surely one can pull the TP-cable out of *nix boxes too. Even the 'central' one in the basement... Security can not be a reason to use M$ software."

      Microsoft Security is pretty decent and granular in an all Windows 2000 / Active Directory environment. Try implementing group policy and acls in Linux or Solaris.... it can be done, but you do not know anyone who can.

      IIS vulnerabilities do not count -- Apache has its share of exploits and doesn't belong in an LDAP or NIS server. Similarly, you keep IIS where it belongs.

      "Take a standard, implement it, expand it in your solution in order to make your app 'integrate' with others, but not the other way around. A good application should be able both to import and export data properly. (M$ Word RTFs crash my FrameMaker... portable format - not)."

      No disagreement with you there.

      "Again, you do not get less downtime by buying an expensive system with big flaws. They probably pay loads of $$$ to get a guaranteed time to support arrives and press the 'reset' button. *nix usually do not fail as often as Win*, thus no need to advertise that support will arrive in 2.3ms. The lack of service can be because it is not needed, not because it is an ignored flaw."

      That's really not true anymore -- busy Windows servers are nearly as reliable as Unix these days. The only real disadvantage of Windows (and Linux) vs. Commercial Unix are mass-deployment and backup tools. Comparing your Windows XP desktop computer's uptime to your Linux boxes' is not a valid comparison.

      As far as your delusions about support go, you need to think a little. Our datacenter pays about $1.2M annually for 4-hour support contracts for Unix machines. (For our most important machines only) Similar contracts from Dell or Compaq for Intel hardware cost about 1/2 of a similar Unix contract.

      "Since most advertised software is commercial, and they probably do not look for software themselves (just ask for it in a formal way and have companies make offers). Just use KDE as the German government intends to do. This does not only give a better quality of the software, but also save loads of license $$$."

      If you have ever worked in a large IT shop with lots of custom applications, you will know that custom software sucks and costs about 5x an off-the-shelf solution. Plus, who has the budget for full-time developers to make software that is already on the market for 1/5 the cost??

      --
      Conformity is the jailer of freedom and enemy of growth. -JFK
    5. Re:One by One by Enry · · Score: 4, Interesting
      I'll bite....

      > Microsoft Security is pretty decent and granular in an all Windows 2000 / Active Directory environment. Try implementing group policy and acls in Linux or Solaris.... it can be done, but you do not know anyone who can.

      Why would you want to? If I need to, I can fire up man pages and search google. I administer about 10 fileservers across three departments totaling a good 15-20TB and hundreds of users and have never run into a situation where ACLs are needed.

      > Comparing your Windows XP desktop computer's uptime to your Linux boxes' is not a valid comparison.

      Why not? I use Linux on the desktop as well. The problem with Windows boxes is that mgmt. often thinks that trained monkeys can administer a box. And it's probably true. Until something fails. Then "Monkey Boy" does you no good.

      > Similar contracts from Dell or Compaq for Intel hardware cost about 1/2 of a similar Unix contract.

      Probably. Better reason to use Linux on Intel.

      > If you have ever worked in a large IT shop with lots of custom applications, you will know that custom software sucks and costs about 5x an off-the-shelf solution. Plus, who has the budget for full-time developers to make software that is already on the market for 1/5 the cost??

      Now you're confusing "custom software" with "non-shrinkwrapped software". There's plenty of software floating around here running everything from the web server to our ticketing system to databases, and none of it is written in house. The cost to replace them with shrinkwrapped equivalents far exceeds the cost of a few highly trained system administrators . Oh, did I mention we're often times in contact with the authors of said software, and they're usually pretty responsive to bug patches and feature requests.

    6. Re:One by One by Gaetano · · Score: 2

      Can you explain to me how you keep your windows servers up as long as unix servers?

      What I can't understand is when windows server security patch comes out and requires you to REBOOT your server how do you keep it up?

      And after you install several "hot fixes" and "roll up patches" how do you keep the windows server stable? How do you experience strange errors that require some more installation of "hot fixes" and reboots which generally follow the installation of said "hot fixes" and "roll up patches".

      You do patch your windows servers and keep them secure don't you?

      See we have this problem where I work. Our windows admins are pretty good but they are constantly playing whack-a-mole with the windows servers keeping them patched and secure.

      The unix/linux servers however don't need a reboot unless the kernel needs to be patched.

    7. Re:One by One by pmz · · Score: 4, Informative

      > Currently, that's something that Unix just can't do, at least not on the same level as Windows can do it.

      Since when? Did NIS, LDAP, Kerberos, and ACLs suddenly disappear from Solaris? UNIX vendors have been selling centralized policy administration tools for years. With a little thought and planning, they can even be efficient. Many of them have very nice GUIs, too.

      There are even "trusted" versions of UNIX if you want to go crazy with military-style need-to-know setups.

      Basically, Microsoft is delivering nothing new, here, except more marketing spin.

    8. Re:One by One by Dark+Fire · · Score: 3, Interesting

      ACLs have been proven to be considerably less secure and harder to audit than UNIX permissions.

      http://www.wikipedia.com/wiki/Computer_Security

      There have been several papers examining the subject. See the above article and the confused deputy problem for details.

      ACLs are certainly more flexible in certain cases than UNIX permissions. But flexibility usually has a cost, as aforementioned.

      I agree with you on LDAP, it is a great way to centralize security. UNIX would certainly benefit from a clean way of tying the two together (PAM is only part of the puzzle and is certainly not simple to setup in my opinion).

      Kerberos? It was never designed to resist attacks in which a listener can capture packets. That pretty much means how secure active directory is depends on the physical security of your network. If someone can get onto your network you're out of luck. Why? Well, because your domain controller encrypts an ascii timestamp with your password when a request is sent to it to logon as a certain user. An RC4 cipher is used and given that RC4 has been torn apart cryptographically, that you know at least a 80% part of the ascii timestamp because the dc will happily tell you the time, you have plenty of info to crack the password.

      Since MCSE's like defaults, I would imagine and as far as I have seen, most admins use the out of the box kerberos authentication as is. In their defense, Microsoft does offer the use of PKI in place of RC4 which is resistant to these particular attacks, but it generally requires a smart card reader and smart cards to deploy. There is an additional substitution option, but I cannot vouch for the strength of it either. Hopefully, microsoft will use a strong authentication protocol like SRP in the future in place of the weak mechanism included in their kerberos implementation.
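
An added example, not part of the original thread or any commenter's code: a simplified Python model of the audit question raised in the comment above, contrasting a Unix mode-bit check (one inode) with an ACL check that has to walk inherited entries. The directory tree, principals and the permissive `Everyone` entry on the root are constructed sample data, and the evaluation order (explicit before inherited, deny before allow at each level) is a simplification of real ACL semantics.

```python
from dataclasses import dataclass, field
from typing import Optional

READ, WRITE = 4, 2  # same bit values as Unix r and w


@dataclass
class Ace:
    principal: str        # user or group the entry applies to
    allow: bool           # True = allow entry, False = deny entry
    mask: int             # READ | WRITE
    inherit: bool = True  # entry propagates to children


@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    aces: list = field(default_factory=list)
    block_inheritance: bool = False
    owner: str = "root"   # Unix-style metadata for the comparison
    group: str = "root"
    mode: int = 0o770


def path(node):
    parts = []
    while node is not None:
        parts.append(node.name)
        node = node.parent
    return "/".join(reversed(parts))


def ordered_aces(node):
    """Explicit entries first, then each ancestor's inheritable entries,
    nearest first; deny before allow within a level."""
    out, cur = [], node
    while cur is not None:
        level = [a for a in cur.aces if cur is node or a.inherit]
        level.sort(key=lambda a: a.allow)  # False (deny) sorts first
        out += [(a, cur) for a in level]
        if cur.block_inheritance:
            break
        cur = cur.parent
    return out


def acl_allows(node, user, groups, want):
    """Return (granted, node whose entry decided it)."""
    ids = {user, "Everyone"} | set(groups)
    remaining = want
    for ace, source in ordered_aces(node):
        if ace.principal not in ids:
            continue
        if not ace.allow and ace.mask & remaining:
            return False, source
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True, source
    return False, None


def unix_allows(node, user, groups, want):
    """Mode-bit check on this one inode (parent traversal and uid 0 not modelled)."""
    if user == node.owner:
        bits = (node.mode >> 6) & 7
    elif node.group in groups:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want


def audit_everyone_write(nodes):
    """List (path, granting path) where a principal in no group can write."""
    findings = []
    for n in nodes:
        ok, src = acl_allows(n, "unlisted-user", [], WRITE)
        if ok:
            findings.append((path(n), path(src)))
    return findings


def build_sample():
    """Constructed tree: permissive root entry, 'restricted' subfolders."""
    root = Node("D:", aces=[Ace("Everyone", True, READ | WRITE)])
    finance = Node("finance", root, [Ace("finance-staff", True, READ | WRITE)],
                   group="finance-staff")
    payroll = Node("payroll", finance, [Ace("contractors", False, WRITE)])
    hr = Node("hr", root, [Ace("hr-staff", True, READ | WRITE)],
              block_inheritance=True)
    return {"root": root, "finance": finance, "payroll": payroll, "hr": hr}


if __name__ == "__main__":
    tree = build_sample()
    for where, granted_by in audit_everyone_write(tree.values()):
        print(f"{where}: writable by Everyone via entry on {granted_by}")
    print("unix check on finance:",
          unix_allows(tree["finance"], "unlisted-user", [], WRITE))
```

In the sample, `finance` looks restricted if only its explicit entry is read, yet the audit reports it writable through the root entry; `hr`, which blocks inheritance, is not reported.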

    9. Re:One by One by mcrbids · · Score: 2

      Linux has tcpwrappers (ACLs) and inherent permissions at the file level. Linux also works smoothly with LDAP (using a PAM module) thus granting everything on your (short) list.

      If you don't know it, don't say it!

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    10. Re:One by One by pmz · · Score: 5, Funny

      > The only real disadvantage of Windows (and Linux) vs. Commercial Unix are mass-deployment and backup tools.

      Don't forget the Registry, DLL Hell, Office File Format Lock-In, EULA-of-the-Month Club, DRM, the Upgrade Treadmill, the GUI Frontal Lobotomy, BSA Audits, Drive Letters, IE Everywhere, Competitor Acquire and Crush, False Advertising, Not Engineered for Security, Automatic Updates, #1 Virus Host, Tax Evasion, 3rd World Corruption, Congress Payroll, Embrace and Extend, and the Microsoft "we got you where we want you" XPerience.

    11. Re:One by One by ftobin · · Score: 2

      What utter BS. At the NCSA, they use centralized, efficient security policy administration using Kerberos + AFS.

      Jeez I hate Windows people who think they know stuff about the unix world.

    12. Re:One by One by duffbeer703 · · Score: 2

      Pretty simple, actually.

      You schedule downtime windows. We do up to 6 hours every 3 months or so.

      Then you READ the patch documentation. If you don't need the patch, don't install it. As an example, we do not allow IIS on any server that does not explicitly require it. We do not patch disabled services that are not in use.

      The few servers that we run that have IIS and require frequent patching are clustered. We then upgrade the cluster one machine at a time, resulting in no downtime for our customers.

      Unix needs to be rebooted for security patches as well. If you install AIX or Solaris rollup patches, they require a reboot. Plenty of Linux security problems and critical bugs (ex. memory subsystem in 2.4 anyone) require kernel upgrades as well.

      --
      Conformity is the jailer of freedom and enemy of growth. -JFK
    13. Re:One by One by duffbeer703 · · Score: 2

      "Why would you want to? If I need to, I can fire up man pages and search google. I administer about 10 fileservers across three departments totaling a good 15-20TB and hundreds of users and have never run into a situation where ACLs are needed."

      You have never worked with a secure application, or with a company which protects client data properly.

      DoD requires that information access be compartmentalized. That means that your system admin can't read the data, either.

      HIPAA requires that all patient healthcare data be secure and compartmentalized -- even among business units of the same company who need access to data. How do you do that without ACL's?

      There's a lot out there besides file servers.
      Windows is hardly perfect -- but is a great choice for small to medium-sized applications.

      --
      Conformity is the jailer of freedom and enemy of growth. -JFK
    14. Re:One by One by HiThere · · Score: 2

      > I'm sorry, I cannot trust anything with companies who do things as MS does it. Do you read the licenses? Do you know what you sign away? Do you really know what is going on in your spare CPU cycles. Sorry, maybe if you are a company and can afford it and need the solutions now ms might be the way to go. But it seems to me it's never really any less work, just more familiar to the masses

      Sorry. Have you read any of the recent EULAs? From the ones I've seen, a company, even more than an individual, can't afford to be that exposed. (The license(s) is(are) my original and major problem with MS.)

      Then again, IANAL.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    15. Re:One by One by poot_rootbeer · · Score: 2


      I agree with this bozo, the DOI should have put Solaris on every office schlep's desktop!

      Homogenous systems are easier to maintain than diverse ones. If they determined that Microsoft solutions best met their needs, then the Unix community still has a lot of work to do -- either in implementation, or in public opinion, or both.

    16. Re:One by One by cscx · · Score: 2

      I'll pull one thing out of your spew of lies and damn lies:

      > Drive Letters

      They're irrelevant in NTFS as you can mount anywhere as under Unix, in addition to drive letters.

      HAND

    17. Re:One by One by pmz · · Score: 2

      > I'll pull one thing out of your spew of lies and damn lies:
      >
      > Drive Letters
      >
      > They're irrelevant in NTFS as you can mount anywhere as under Unix, in addition to drive letters.


      Actually, they aren't lies but my personal list of things that annoy me about Windows and Microsoft, in general. For things like "3rd World Corruption", think Peru. For things like "Not Engineered for Security", think recent comments by Microsoft VPs. For things like "False Advertising", think about MS ads spouting "Low TCO this" or "scalability that". None of this is stretching the truth.

      As for drive letters, take a look in the Registry and other config files. The drive letters are everywhere. Whoever decided what went into the Registry for software like MS Office obviously had no experience with data modeling. Most likely, the Office development team abuses the Registry out of laziness. Simple operations like moving a software application from one filesystem to another can be nearly impossible without a painful cycle of edit, see things break, edit, ad nauseam. It really is unsettling whenever I see such glimpses of Windows' underpinnings.

    18. Re:One by One by pmz · · Score: 2

      > I agree with this bozo, the DOI should have put Solaris on every office schlep's desktop!

      I read your sarcasm. However, Solaris 8 and Solaris 9 would be very suitable for office desktops. CDE and Gnome can be site-customized by the sysadmin, and software like Mozilla, StarOffice, Evolution, etc. are really a formidable set of applications that are available for Solaris. On top of that, the Solaris kernel is bulletproof and was designed with networking and distributed management in mind from nearly the beginning.

      I think picking among Solaris, Linux, and Mac OS X would be very hard to do, since each is an excellent platform trading various strengths and weaknesses. Fortunately, due to standards, these systems could exist very well in a heterogenous environment even with common logins, shared filesystems, and network printers. Uniformity is just not a strong argument to make when choosing Microsoft.

    19. Re:One by One by cascadefx · · Score: 2
      Give me a piece... I'll bite too.

      Microsoft Security is pretty decent and granular in an all Windows 2000 / Active Directory environment. Try implementing group policy and acls in Linux or Solaris.... it can be done, but you do not know anyone who can.

      Why would you want to? If I need to, I can fire up man pages and search google. I administer about 10 fileservers across three departments totaling a good 15-20TB and hundreds of users and have never run into a situation where ACLs are needed.

      It's funny (I agree), I have seen ACLs in practice on a number of systems and you just have to find the right combination that gives you the least restrictive clause to jump out of them. The rules of inheritance on a Windows box (the default is that Everyone can see and do everything on the root account... not changed and inheritance bites you in the ass), when not understood by the user and/or admin lead to trouble. Let's not even get into the wonderful mixture that is shared AND local permission interaction.

      File permissions are a lot easier for people to understand and therefore easier for them to get right.

      Comparing your Windows XP desktop computer's uptime to your Linux boxes' is not a valid comparison.

      Why not? I use Linux on the desktop as well. The problem with Windows boxes is that mgmt. often thinks that trained monkeys can administer a box. And it's probably true. Until something fails. Then "Monkey Boy" does you no good.

      I would agree with the original post if uptime of workstations is not an issue as well. Have you worked client support? Workstations being down raises the TCO because productivity goes in the crapper and you still have to hire someone to get, and keep, the damn things running. If it takes 1 support person per 200 Linux/Unix/Mac OS X workstations to do the job versus conservative estimates of 1 support person per 50 (ok, I'll give you 100) XP machines, your price for simply running a more stable desktop like Linux/Unix/Mac OS X has halved your support cost (a big part of TCO).

    20. Re:One by One by Zeinfeld · · Score: 2
      ACLs have been proven to be considerably less secure and harder to audit than UNIX permissions.

      You cite one paper, hardly convincing. You also quote it out of context. What the paper actually says is:

      Within computer systems, the two fundamental means of enforcing privilege separation are access control lists (ACLs) and capabilities. The semantics of ACLs have been proven to be insecure in many situations (e.g., Confused Deputy Problem). It has also been shown that ACL's promise of giving access to an object to only one person can never be guaranteed in practice. Both of these problems are resolved by capabilities.

      Rather different eh? For the record UNIX does not support capabilities. Nor does NT, in fact capabilities are not supported for some very good reasons, in particular the difficulty of managing them. BTW Windows actually supports the UNIX permissions model in addition to ACLs.

      Your comments on Kerberos are completely off base. In the first place Kerberos does not use RC4, parts of Windows use RC4 but not the Kerberos system. What you appear to be describing is the scheme that allows a legacy Windows box that does not support the domain login to access files. This is well known to be a bad idea.

      Finally, although RC4 has been 'broken' by Adi and co nobody has broken the cipher in the specific modes of use recommended by RSA labs. Burt et al knew that the principal weaknesses in a stream cipher were inducing the initial state of the stream generator from the initial portion of the cipher stream and related key attacks. That is why they recommended steps like throwing away the first 256 bytes of the stream and processing the key values through a one way function to minimize the probability of a related key attack.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
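
The mitigation described in the comment above (discard the start of the keystream, pass the key material through a one-way function), as an added example that is not part of the original thread. SHA-256 as the one-way function, the random 16-byte test keys and all function names are assumptions made here; the second-byte statistic it measures is the well-known bias in RC4's initial output and goes slightly beyond what the comment states.

```python
import hashlib
import random


def rc4_keystream(key: bytes, length: int, drop: int = 0) -> bytes:
    """Return `length` RC4 keystream bytes after discarding the first `drop`."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    # Key-scheduling algorithm (KSA): permute S under control of the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA); the first `drop` outputs
    # are generated but thrown away, which is the "discard" step.
    out = bytearray()
    i = j = 0
    for n in range(drop + length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        if n >= drop:
            out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(secret: bytes, nonce: bytes) -> bytes:
    """Hash secret and nonce so per-message RC4 keys are not simply related.

    Assumption: SHA-256 stands in for "a one way function". The length
    prefix keeps (secret, nonce) pairs from colliding by concatenation.
    """
    prefix = len(secret).to_bytes(2, "big")
    return hashlib.sha256(prefix + secret + nonce).digest()


def crypt(secret: bytes, nonce: bytes, data: bytes, drop: int = 256) -> bytes:
    """Encrypt or decrypt (same operation) with hashed key and discarded prefix."""
    ks = rc4_keystream(derive_key(secret, nonce), len(data), drop)
    return bytes(a ^ b for a, b in zip(data, ks))


def second_byte_zero_count(trials: int, drop: int, seed: int = 2002) -> int:
    """Count how often the 2nd emitted keystream byte is 0 over random keys.

    A uniform stream gives about trials/256 hits. With drop=0 RC4 gives
    roughly twice that; with drop=256 the count falls back to about uniform.
    Keys are constructed test data from a seeded PRNG, not real key material.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = rng.getrandbits(128).to_bytes(16, "big")
        if rc4_keystream(key, 2, drop)[1] == 0:
            hits += 1
    return hits


if __name__ == "__main__":
    trials = 12000
    print("expected if uniform:", round(trials / 256))
    print("no discard         :", second_byte_zero_count(trials, 0))
    print("discard 256 bytes  :", second_byte_zero_count(trials, 256))

    secret = b"constructed shared secret"
    msg = b"same plaintext"
    c1 = crypt(secret, b"nonce-0001", msg)
    c2 = crypt(secret, b"nonce-0002", msg)
    print(c1.hex(), c2.hex(), sep="\n")
    assert crypt(secret, b"nonce-0001", c1) == msg
```
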
    21. Re:One by One by Zeinfeld · · Score: 2
      The comment below explains RC4-HMAC's role in the Kerberos authentication process

      What comment? Ah let's try google - from the internet draft:

      The Microsoft Windows 2000 implementation of Kerberos contains new encryption and checksum types for two reasons: for export reasons early in the development process, 56 bit DES encryption could not be exported, and because upon upgrade from Windows NT 4.0 to Windows 2000, accounts will not have the appropriate DES keying material to do the standard DES encryption. Furthermore, 3DES is not available for export, and there was a desire to use a single flavor of encryption in the product for both US and international products. As a result, there are two new encryption types and one new checksum type introduced in Microsoft Windows 2000.

      In other words they were proposing to use RC4 for crypto export reasons.

      Given the time the decision must have been made RC4 was not subject at that time to a known weakness and certainly looked better than the DES based password encryption used in UNIX.

      In fact given that most UNIX systems ship today with applications that send passwords in the clear I don't think that the comparison is in favor of UNIX.

      As for your other comments on ACLS, the problem was not the number of references you gave; it was the fact that the reference you gave did not support your case. Even if it did one paper does not constitute 'proof' on an issue of that sort, particularly when it is not backed by any empirical studies.

      The one contribution made by Ann Coulter to the world is that she has demonstrated the importance of following up references to see if they actually support the case put forward. Yours do not support your case either.

      It sounds to me as if this is not your argument but an argument made by someone else that you are repeating and misconstruing.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    22. Re:One by One by Gaetano · · Score: 2

      You can't explain to me how 6 hours every 3 months works on systems that need to stay secure when a security patch is released once a month, unless every system is clustered.

      I have unix boxes that have been up for 450 days. Many more have been up for 300 days. They are all up to date on their security patches and are working well. We have about 26 unix/linux boxes in operation.

      We are a 24hour/7day shop.

      We have 50 windows boxes with security patches that need to be installed once every month. These windows servers require about 4 times as much administration as the unix servers while they perform about the same amount of services for our customers as the 26 unix/linux boxes.

  11. Re:All-Microsoft? by 1010011010 · · Score: 4, Informative

    Okay, I expect all those people complaining about the "open source must be considered" laws to start complaining about this "nothing but Windows is allowed to be considered" administrative policy.


    Troll? Maybe. But I would expect those principled people who go on about the "freedom to innovate" to object to a strict Microsoft-only policy -- simply because they objected to other, less stringent policies, such as the "open source software must be considered" policies. These policies didn't rule out the use of commercial software. This policy rules out the use of anything but Microsoft software. Where's the "freedom to innovate?"

    --
    Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
  12. Re:All-Microsoft? by nathanh · · Score: 3, Insightful
    Okay, I expect all those people complaining about the "open source must be considered" laws to start complaining about this "nothing but Windows is allowed to be considered" administrative policy.

    I'd complain just as bitterly if some naive bureaucrat declared "nothing but open source is allowed to be considered". So what's your point?

  13. How it all works. by Anonymous Coward · · Score: 5, Interesting

    Sure, Go 100% Microsoft. It'll make the drooling MCSEs on the site titter with glee at the thought of "unifying" everything in the Microsoft way.

    But you know what 100% Microsoft translates to? 100% downtime when the next "melissa" or "nimda" hits. I've BEEN there. I've worked at companies like this. Just wait--they'll get tagged by the next Outlook script and the entire site will be down for a day or two while ONE MCSE pokes at the keyboard, surrounded by one or two other MCSEs standing and staring at the guy typing--all the while pulling in huge $$$ in overtime, on top of the huge $$$ they get just for having a 4-letter Microsoft-approved title. Everything is on hold until the next virus update to "fix" the problem, since goodness knows there isn't much in terms of diagnostics and repair you can do in WinNT by itself.

    There's a reason why I gave up being a sysadmin--100% Microsoft is mostly why. Can anyone else stuck in 100% Microsoft/MCSE land corroborate the above story? I'd be surprised if the exact same song-and-dance didn't happen at every Microsoft site.

    1. Re:How it all works. by technix4beos · · Score: 2, Insightful

      I hear ya brother! Amen.

      At work, we have a win2k server which shares our internet connection, provides a domain controller for the windows boxen, and basically serves files all day. Big deal...

      Problem. DNS entries and ISP continue to be flaky. Solution? Reboot the win2k server..

      How is that a diagnostic solution? It isn't... Which is why I am steering people to the linux world, and other alternatives.

      Microsoft has been a joke in security, configuration and ease of use for YEARS. I think the masses are finally starting to sense something wrong with the herd, and moving on to a better pasture.

      Hopefully.

      Your comment is totally on the money, even though you ARE an AC, but I'll let that slide. ;)

      --
      user@host$ diff /dev/urandom /dev/uspto
    2. Re:How it all works. by Your_Mom · · Score: 4, Insightful
      But you know what 100% Microsoft translates to? 100% downtime when the next "melissa" or "nimda" hits.
      No. No, No, No, and No again. It's not about 100% homogenous networks, it's not about MSFT or Linux, and it's not about what certifications you have. It's about competent administration. I am a NT admin, I enjoy Linux, I use it at home regularly, but NT pays the bills. We got hit by Nimda, but, we only lost 2 computers. One of which was a Developer's box who decided to be running IIS and told no one about it (Patient Zero, I think he was rooted within 5 minutes of the first onslaught of IIS exploits), the other one ran an attachment 5 minutes before we pushed out the AntiVirus updates ("But I only previewed it!" LART - Hard). I think we had spare boxes swapped out in about 1 hour and had files salvaged off the old PCs in about 3h. Did we do mop up duty for the next 2 days due to infected boxes from "trusted" people spewing .eml files onto our file server? [1] Indeedy do. Did we put in some overtime? I think all of IT did about 2 hours per person the night after the initial infection, and I put in about 2 hours watching snort logs scroll by the first night the sh*t hit the fan. Under $200 OT, probably cost my department $300-$400 tops. Did my 2 IIS servers (*shudder* Yes, I hate them too) get rooted? No way. I patch those things like there is no tomorrow. Did we lose the entire network to the thing? Not on your life.

      Also, when everything calmed down, we all sat down over a nice glass of Guinness and figured out "What can we do better next time?" there is always room for improvement. (We initiated policies of port scanning computers in the NT domain for unauthorized services, as we were proved once again that some people can't be trusted)

      That is how it all works. Thank you.

      Wow, that was a nice rant

      [1]"Why is $luser's account disabled?"
      "Because she was spewing nimda into our file server"
      "But she needs to access $important_file"
      "When she gets fixed and I can inspect her computer, I will re-enable the account"

      --
      Objects in the blog are closer then they ap
    3. Re:How it all works. by dpilot · · Score: 3, Insightful

      You're obviously better than the average MCSE.

      Part of the problem is the attitude apparently shipped with MS products that MCSE==competent sysadmin for those systems.

      I don't have the numbers on my fingertips, but I suspect that none of the major Win-exploits of the past few years used a new hole. They spread so badly because of poor administration. By that token, it would seem that a competent sysadmin could indeed run a secure Win-based business.

      But a few weeks back there was a new kid in town, and this time it hit Linux - slapper. From what I understand, this was a newly discovered hole that was made into a worm in record time. Still the infection rate turned out to be minor, mostly because of competent sysadmins and the **rapid release** of a security fix.

      Slapper broke new ground in several respects, between hole-to-worm time and its use of peer-to-peer. Now try running this combination against the more common (not yours obviously, though you can only deploy released patches) Windows security environment. Add to this the chilling effect of the DMCA on grey-hat activities, especially in the closed-source security arena.

      --
      The living have better things to do than to continue hating the dead.
    4. Re:How it all works. by Bake · · Score: 3, Funny

      Oh, that's ok.
      The US Government has that part covered.
      They'll just declare virus writing/deploying as a terrorist act and use it as an excuse to invade the Philippines or other Asian countries.

    5. Re:How it all works. by haggar · · Score: 3, Informative

      You are correct: a 100% Microsoft network is very vulnerable. I, let's say, am closely affiliated with this famous company that makes mobile phones, and it's a 100% pure Microsoft shop, including IIS, Exchange, Outlook and Office - Microsoft end to end. Well, when these mail viruses attack our IM people look like idiots. They perhaps are not idiots, but they look so helpless and inefficient, and network services just don't work.

      And we're punished every time some schmuck writes one of these macrovirii, because of this uniform, Microsoft infrastructure.

      --
      Sigged!
  14. Microsoft *is* the choice for Dept of Interior by tshoppa · · Score: 5, Insightful

    What the head article fails to mention is that a Federal judge ordered the Department of the Interior to shut down all internet connections last year. With no from-the-outside network attacks, the Microsoft systems might stay up for days, even.

    1. Re:Microsoft *is* the choice for Dept of Interior by Sycraft-fu · · Score: 2

      "the Microsoft systems might stay up for days, even."

      Interesting, so you're saying that MS systems connected to the internet CAN'T stay up for days? Hmm, well then I'd better check my server again because I could SWEAR it's running Windows 2000 Server.... Yep, it is. It's also been up for about 40 days straight now. Yes, that DOES mean that there are critical patches, including the NetBIOS vulnerability, that haven't been applied. It's not affected though. Why? I took the time to secure it in the first place. None of the vulnerabilities are relevant since none of the services they affect are turned on or allowed through the firewall.

      Of course far more important than uptime, which is something that many Linux users seem inordinately obsessed with, is unscheduled downtime. It is acceptable and expected that a non-critical system like a webserver will go down for scheduled maintenance. Hell, most systems do. I'm a night person and from time to time when I try and do something like pay my phone bill on the web at 3am it tells me that their financial system is down for maintenance. eBay goes down every week for maintenance at a certain time in the morning. Downtime is only a problem if it is unscheduled, ie happening because of a failure.

      In the case of my 2k server it has been down precisely once: when the power failed. It has never been hacked, or crashed.

      Really, the incessant ragging on MS is just unwarranted. If people would bother to take the time to learn a little about Windows server and secure them, and then keep current with patches, there wouldn't be near so many problems. The patch for code red came out long before it hit the fan and none of the servers I admin were affected. Hell, if you do a good job with securing the server, many patches you don't even have to worry about and can put off until your next scheduled maintenance since the services they affect are either turned off or protected by firewall.

      As the recent Linux worm showed, it's bad administrators that are the real problem, not the OS.

    2. Re:Microsoft *is* the choice for Dept of Interior by Red+Rocket · · Score: 5, Funny


      It's also been up for about 40 days straight now.

      Only a friend of Bill would brag about 40 days of uptime.

      --
      - Hail to our fearless misleader! Fool speed ahead!
    3. Re:Microsoft *is* the choice for Dept of Interior by kin_korn_karn · · Score: 2

      "you're either with the Linux Revolucion or You Are Against It! Viva Torvalds! Ay ay ay!"

    4. Re:Microsoft *is* the choice for Dept of Interior by SquadBoy · · Score: 2

      You sir are the exception and you just prove the rule. But you do have a point. But my point, and I suspect many others will make this same point, is that it is *much* easier for a good admin to admin a *nix box well. For example my Debian servers. I can patch everything I need to except for the kernel with no reboots. But you are right. It just happens that *nix has better technology and in general better admins.

      --

      Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
    5. Re:Microsoft *is* the choice for Dept of Interior by megaduck · · Score: 2

      As the recent Linux worm showed, it's bad administrators that are the real problem, not the OS.


      Bullshit. That's a straw man argument. Just because Linux isn't invulnerable doesn't mean that Windows isn't a steaming pile. Here's a little experiment for you: Take two boxes, one Windows and one Linux (or OS X or BSD or...). Give them the latest and greatest patches. Run everything you can out of the box using default settings (webservers, mail, filesharing, etc.). Put them on a network like the DOI, with no further administration.

      I'll bet you a shiny new nickel that the windows box gets rooted six ways to Sunday first. In fact, I would be shocked if it wasn't a crap-spewing zombie within a few months. Your *nix box, though, has a fair chance of coming through unscathed.

      What's the point? The point is that Windows requires excellent administrators to be reliable and secure. The *nix OSes are a lot more forgiving of lazy administration. I run a lot of OS X, and I am an awful administrator when it comes to my personal boxes. All services are on, patches don't get installed for a month or two, etc. Hell, I run a totally open wireless network too. I've never had a security problem either, and I'll take the Pepsi challenge against any of your uptimes.

      A good administrator can make any box secure. In a massive organization like the DOI, you're going to get some not-so-good administrators. Running Windows, constant security problems will eat those people alive.

      --
      This .sig for rent.
    6. Re:Microsoft *is* the choice for Dept of Interior by kijiki · · Score: 2

      "None of the vulnerabilities are relevant since none of the services they affect are turned on or allowed through the firewall."

      You have an unpleasant surprise in store when the next virus (like nimda) comes right through your firewall in an email attachment and then starts exploiting your vulnerable "firewalled" systems right and left.

      I've seen that exact scenario TWICE now.

      Pride, the fall, etc, etc. Be careful. It's a dangerous internet out there, and firewalls are just one layer in effective security.

  15. /. Editors should know the safety tips. by Bocaj · · Score: 5, Funny

    Offtopic example.
    Peter: "Why not cross the streams?"
    Egon: "It would be bad."
    Peter: "Define bad."
    Egon: "Imagine all life as you know it stopping instantaneously, and every molecule in your body exploding at the speed of light."
    Peter: "Ok that's bad. Important safety tip."

    Ontopic example.
    Hemos: "Don't post links to That server!"
    chrisd: "Why?"
    Hemos: "It would be bad."
    chrisd: "Define bad."
    Hemos: "Imagine all internet traffic as you know it stopping instantaneously, and every packet on the network bombarding the server at the speed of light."
    chrisd: "Ok, that's bad. Important safety tip."

  16. Re:why is this news? by dup_account · · Score: 2, Insightful

    The problem with a bid process is that, for the government, this means ONLY commercial entities. Getting Open Source into this process would be very difficult.

    From my experience with the bidding process there was probably a requirement in the RFP that any software be able to 100% read MS word/excel documents. Again, very difficult to prove.

    The Government RFP process makes it very difficult to factor in TCO for a purchase. They generally can only look at the lowest initial cost (that meets the requirements).

  17. Re:why is this news? by N3WBI3 · · Score: 2
    This has nothing to do with being a zealot, They can do what they like on the desktop (windows), but when it comes to my tax dollars windows does not belong on a server with information that is not to be public knowledge.

    They should use *nix because it's far more secure than windows (on the servers). If you lock down windows on the desktop so that all files are stored on a NFS/Samba server then use windows on the desktop..

    The crap about a learning curve is just that, crap.

    --
  18. Can someone explain to me... by Per+Abrahamsen · · Score: 2

    why is it such a terrible thing if a government office standardizes on some license requirements (e.g. only buy free software) allowing any vendor to compete, but not a problem when a government office standardizes on a single vendor, and accepts whatever license that vendor provides?

    Somehow the idea of a government office being unwilling to accept any license is so evil that even some traditional free software advocates are against it, yet standardizing on a single vendor is so common that it rarely gets mentioned.

    1. Re:Can someone explain to me... by Tikiman · · Score: 4, Insightful

      I don't know about what others think, but the fact that they are standardizing on the single most expensive solution bothers me. I am also bothered by the fact that they have either subscribed to microsoft FUD or just don't care. The vast majority of those 70,000 need word processing, web browsing, and email for which MS is a stupidly expensive solution. I would rather see them all using 5 year old hardware running a stripped down, custom Linux distro with Mozilla and an office suite.

      The effectiveness of a MS solution is not justified by its cost period - and as a taxpayer, I say it's a problem.

    2. Re:Can someone explain to me... by Pig+Hogger · · Score: 2
      why is it such a terrible thing if a government office standardize on some license requirements (e.g. only buy free software) allowing any vendor to compete, but not a problem when a government office standardize on a single vendor, and accept whatever license that vendor provides?
      Think biologically: compare the evolutionary performance of organisms issued through sexual reproduction (by screwing), versus organisms issued through asexual reproduction (by budding/cloning).

      Or, for you hick types, look at the general health status of normal people versus inbreds (the O'Higgins living across the tracks, or the britshit royal family).

    3. Re:Can someone explain to me... by mmol_6453 · · Score: 2

      Gov't spending my tax dollars on the most expensive software available.

      Maybe the EFF should do an awareness campaign to government departments?? Not bombard the poor department heads like most lobbyists. Just fax them (god, not all you slashdot people, though. <shudder!>) some Ph.D's recent report on the advantages of using open source software. Let them recognize the benefits for themselves, so we can let them argue with congress.

      Don't send anything to Congress. There aren't enough of us for a grass-roots operation, and we don't have enough money to lobby them "properly."

      Sending it to the department head has two advantages: First, you don't have to get through the Senators' and congressmen's screeners. Second, the legislative person will receive a copy of the report, directly, from people they respect more than your average 16-year-old writing a letter.

      I'll probably make a link to this post for my sig.

      --
      What's this Submit thingy do?
  19. waiver process?!? by Ender+Ryan · · Score: 3, Informative
    Why the hell should there be a waiver process at all to use the best tool for the job, just because it's not an *M$ Solution(TM).

    That's the kind of sh*t that pisses me off, I don't pay taxes to have the government simply hand that money to a corp. I am morally opposed to. I wouldn't mind if they simply chose the best tool for the job and the tools they needed happened to be MS software, but this just reeks.

    There is absolutely NO REASON why a waiver should be needed to use something other than M$ software, that's ludicrous and stinks of corporate pandering.

    * i usually stay away from using $'s in M$, but in this case i thought it was appropriate

    --
    Sticking feathers up your butt does not make you a chicken - Tyler Durden
    1. Re:waiver process?!? by jspaleta · · Score: 4, Insightful

      There is a strong case to be made for conformance of systems

      And I'd say take that one step further and have conformance of systems...but conformance to a published open standard...so you can have competition without conformance degradation.

      Once you start down the MS road and start using software that does not conform to a published standard you are locked in and the cost of switching over to anything else becomes extremely high..and higher after every release cycle.

      It's hard to talk about conformance when the issues at hand are vendor specific since the vendor can force change on you via updates. You can get conformance and competition if you limit yourself to an open specification that all vendors can compete for. Once you let the vendor dictate to you what features are worth using and what features you are going to get...you're stuck...without paying a huge penalty to get out. But if you don't pay the huge penalty in the short term you pay a gigantic penalty in the long term after several upgrade cycles, where you have lost the power to make decisions as to what you really need and who can provide the software and the systems.

      Honestly, sometimes, it makes sense to standardize

      It sure does...so stop using MS...because MS software does not conform to OPEN standards. How standard is a standard if there isn't a neutral 3rd body overseeing conformance to that standard.
      If we used a standard of length measurement only sold to us by MS, we'd have to upgrade our rulers every 2 years because the standard would surely change.

      -jef

    2. Re:waiver process?!? by Darby · · Score: 2

      But don't fret. It's your government. You should feel blessed in that you can change it if you want to.

      This argument is dead now.
      It was once true, but the last election showed absolutely that we can no longer select our own leaders.

    3. Re:waiver process?!? by frank_adrian314159 · · Score: 2
      From a SysAdmin standpoint, I want every desktop to have the precise same hardware, software, settings, and packages regardless of location or job function.

      And this is why, from a user standpoint, we want SysAdmins to die, die, die. The fact is that different job functions need different tools. SysAdmins too often are like industrial engineers who recommend adjustable wrenches on assembly line to "lower the costs of training and replacement" while not noticing that productivity has gone down by 20% because line workers are spending all of their time fiddling with the tools.

      The bottom line is that one needs to take a multi-dimensional look at any policy before deciding to implement it and failure to do so can come around and bite you in the butt.

      --
      That is all.
    4. Re:waiver process?!? by jspaleta · · Score: 2

      From a SysAdmin standpoint, I want every desktop to have the precise same hardware, software, settings, and packages regardless of location or job function


      It's nice to want things. Everyone wants to be lazy..but the example is very much a fantasy. As companies get larger and the reasons for using a computer inside the companies get more varied...you need to have some room to balance the sysadmins' desire to be lazy and the users' need for the right tool. It might make sense to have an all MS shop if everyone has the NEED for the MS tools specifically. And I'm not saying every sysadmin wannabe geek in the department should be allowed or encouraged to run linux to be different. But if someone feels a work related NEED to use a specific tool...it shouldn't be an uphill battle to get that tool. I think the sysadmin should be the one who needs to make a case for not supporting a specific set of software...since I really doubt in most circumstances sysadmins really understand the work to be performed and are just looking to narrow the software support for convenience and not on any really technical argument.

      Let me assure you that having sysadmins or managers in general dictate what tools should be used is a great way to hamper how much work gets done by those people who have a real need for a specific tool especially when the work from employee to employee is highly specialized.

      Having a sysadmin tell accounting which accounting software they should be using is just plain silly. A sysadmin typically does not know enough about accounting to really make a case for any specific application based on the work being done with the application.

      Now let's talk about how diverse a workspace the DOI is really. How specialized is the workforce? How diverse is the range of computer work that must be overseen by the whole DOI. If they want to standardize....standardize and give people open published guidelines for their software to meet. Dictating MS(or any vendor solution) as the one true way is only going to hamper work when it's most critical that it be performed well. Asking for permission to get the job done with the best toolset is the wrong way to set things up. Instead establish vendor neutral guidelines that software needs to meet and do a waiver system based on those vendor neutral guidelines. Locking yourself into one supplier of anything is really bad especially for governments.

      -jef

    5. Re:waiver process?!? by jspaleta · · Score: 2

      Just imagine the nightmare of supporting five different WPs, three different SS, and six different Presentation packages that all shared formats but nothing else. The help desk and IT staff would be swamped.

      There is an argument here about how varied an application set can be and still be officially supported. But maybe not all applications need to be officially supported by a help desk or IT staff to be useful...and usable. There should be some open guideline as to what can be used and there needs to be some leeway to allow unsupported applications to be used to meet a specific need. But as things progress there needs to be a way for the helpdesk to get feedback from users as to what applications are in most need of support. So if an application becomes popular then support for that application can be added while support for an unused application can be dropped. Helpdesks aren't particularly useful to most users who would know enough to NEED a specific piece of software to begin with...so in a lot of cases where you would want a waiver the point is moot.

      And on the size of an organization as big and dispersed as the DOI...there isn't just one set of IT professionals...there are prob several different helpdesk staffs supporting small segments of the whole department. I see no reason why the entire DOI needs to use vendor specific solutions...when open standard file formats and protocols would work well with each small IT staff could service the specific application needs for the chunk of DOI staff they are there to support. What does it matter if someone in an office in California is using a different word processor than the person in a New York office...as long as they are using the official file format that both word processors handle. The IT staffs on either coast can support the applications needed locally.

      -jef

    6. Re:waiver process?!? by Darby · · Score: 2

      Fair enough.

      I vote for who I believe is the best person running.
      The person I voted for in the last election wasn't even close by any way of counting.

      The person who was legally elected president was not allowed to take the office after the last election. That was my point.
      Saying, "if you don't like it vote to change it", is no longer a valid option since you can vote all you want and it won't help at all any more.

  20. Re:why is this news? by isorox · · Score: 2

    (which, based on the way government works, I'm sure is easy to get.)

    Then there's no problem is there.

  21. So..... by tanveer1979 · · Score: 3, Insightful
    How will it help? Geocities has been slashdotted, memo's been approved, the harm's been done.

    And this time they didn't boil the frog, they put it in hot water first!

    On the other hand, all there is is something by satanishere, geocities is trashed. So no proof. Is this story true? And Mr. Editors you know too well not to post links to geocities.. don't you. Better approach would have been to download the images and then put them on slashdot.

    Nobody here knows what that memo contains, what is there in it, so before this post goes to the HALL OF FAME maybe we can see the images please.

    Another thing, apparently DOI has 70000 employees, are any of them on slashdot.. I really want to hear what they say about it. Or if none of them are there on /. I would presume that it's very good for them to be on M$. Come to think of it.... it's about improving productivity. If a 70000 workforce says that they wanna work on M$ why should anyone stop them.... But I guess this won't be true, there will be numerous who are opposing this.... and in this case slashdotters can't do anything except slashdot the DOI site every second day.... It's up to those employees to get together and raise a ruckus.
    --
    My Aurora : http://www.youtube.com/watch?v=o91ZsGwJYyg
    FB : https://www.facebook.com/TanveersPhotography
  22. Mirror by mraymer · · Score: 2, Informative
    Seeing as how the article was fresh, I thought I'd do everyone here a favor and mirror the images before the inevitable Slashdotting began. I'm such a nice guy.

    Much to my surprise, though, all I was able to mirror for you guys is this: http://home.centurytel.net/mraymer/sorry.gif

    Never underestimate the power of a Slashdotting, I guess. ;)

    --

    "To confine our attention to terrestrial matters would be to limit the human spirit." -Stephen Hawking

    1. Re:Mirror by Darby · · Score: 2

      And be sure to substitute 'A' with 'a' and 'HREF' with 'href' since lowercase tags have been established as the standard for some years now.

  23. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  24. lets not get emotional by Anonymous Coward · · Score: 3, Interesting
    If you look at the stated reasons, I think that most from past experience will see the majority of them as not just flaky but bass ackwards. However, the question begs if now it is the same. Is 2000 server more reliable than NT, absolutely. Is the centralized domain control 'better' than NT, well sure. However, is it better than a *nix system as far as domain reliability and efficiency of management? Well, that is what needs to be proven here.

    The biggest joke is perhaps the part about lower costs from more reliable services. Sorry, but I don't know of anyone who has knowledge of Unix and Windows systems that can attest to better MS reliability, ever. It would seem that it would have been just as valid for the report (when naming reasons) to say, "MS has cool commercials" and "The trees around Redmond are really pretty this time of year."

    Windows is definitely the solution in the case of desktops, especially with users already used to Windows. However, for backend reliability Windows has proven that it is only reliable in attracting exploiters and malicious code. This is just another example of blind bureaucracy in action. The licensing costs alone will put the budget to a point that the equivalent agency that runs Linux backends would be able to buy 100's of more computers. I would like to see some detailed studies by the DOI to back up their financial claims. However, they do have one point that is valid. If starting from scratch, it is indeed easier and cheaper to train administrators (at least to a partially competent technician level) in Windows than in any *nix. Call everyone monkeys if you wish, but the fact that a well organized GUI can be quickly adapted to by many will produce much more technicians than the unorganized mess (usually the fault of app/package and distro producers admittedly) that is *nix. Too many times, people trying to simply get the damn thing to work will ask, "where do I find out all the details on how to make X happen?" Often the answer is not there, or buried deep within a chaotic cavern of unorganized information and references. When asked about the silly redundancy (good example is Apache, where in writing to the httpd.conf you must often put certain definitions and features in multiple places) I can't answer except to say, "Well I think someone just wanted it that way." (don't get me wrong, I love Apache... but that is an oft repeated question by many)

  25. DOI ? by __aahlyu4518 · · Score: 3, Funny

    Department Of Injustice

  26. Re:why is this news? by MaxVlast · · Score: 2

    Well, that's 'cause Salon has a little credibility, being an actual news site with actual authors who have to actually defend their journalism.

    --
    There should be a moratorium on the use of the apostrophe.
    Max V.
    NeXTMail/MIME Mail welcome
  27. Notice it's the ACTING cio by ch-chuck · · Score: 2

    Not the real thing, and of course, the easiest solution to any computing problem is "Buy what Msft has" - and if they don't use any Win9X/ME it'll be good enough. But they're sure to run into 'issues and limitations' that'll require regular payments to Msft in the future, but by then the ACTING CIO will likely be outta there. Remember that when you go to your favorite national park and have to pay $22 to get in, a fraction of that is guaranteed Msft income, and they own the digital rights to the sunset too.

    My favorite stand in govt official is "Acting Assistant Deputy Secretary" - that actually exists!

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  28. Re:All-Microsoft? by Quixote · · Score: 5, Insightful
    As a taxpayer (I assume), I sure hope your interest in this issue is more than just in making snide remarks.

    As a taxpayer, I don't like the idea of my tax dollars being used to get locked into some monopoly; and I'm not talking about MS' business monopoly here. For example: all the documents created in Office2K or whatever will not be readable (faithfully) by any other software, including OpenOffice.

    If USDOI wants to go with MS exclusively, then they should have a plan in place to be able to use replacement software in an emergency situation. In other words, make MS release the specs for the documents created using MSOffice before finalising this deal.

    I urge all the readers to contact your local congressperson and state Senator about this. Here's a list of the senators in the Interior subcommittee (the department comes under Appropriations):
    Senators Byrd, Leahy, Hollings, Reid, Dorgan, Feinstein, Murray, Inouye, Burns, Stevens, Cochran, Domenici, Bennett, Gregg, Campbell.
    Of these, Sen Feinstein may be the one who can be most influenced by the geeks here.

    If possible, write (deadtree letter) or FAX them; an email just doesn't cut it.

  29. Not that strange that they do this. by miffo.swe · · Score: 3, Interesting

    Since Linux and open source in general is a ground-up movement it's hard to fight for Microsoft. They target the big players instead. When the snowball starts and some big agency adopts linux and it falls out well there will be no way in h'll to stop it. Microsoft needs to fight general adoption of linux. The day linux gets widespread is the day when all the other players currently developing for windows only will throw an eye onto linux too.

    One thing I find hard to understand is how they can prize interoperability on one hand and not demand open standards at the same time.

    --
    HTTP/1.1 400
  30. Bidding process? by Anonymous+Custard · · Score: 2, Insightful

    Did they go through the appropriate bidding process that is needed whenever a substantial government contract is offered?

    If you used all Sun, Linux, or Apple software/hardware, you'd have the same compatibility bonuses as you do with Microsoft. Compatibility is not unique, or even native, to Microsoft. Hell, they removed from Office XP the ability to open other office suites' documents with the default install; isn't that a step BACKWARDS for compatibility?

  31. Waiver allows other tools by micromoog · · Score: 2
    This policy, by providing a waiver process, is actually less restrictive than the "100% Open Source" public policies that people have been cheerleading for here on Slashdot.

    This means a Linux box will be allowed in the DOI if it's really necessary. All this really does is prevent the l337 h4x0r downstairs from running a Linux box he doesn't understand and can't make secure.

    The "100% Open Source" policies would not allow anything Microsoft, even if it is the best tool (gasp!), based purely on ideological (read: impractical) reasoning.

    1. Re:Waiver allows other tools by micromoog · · Score: 2
      That makes more sense to me.

      Maybe so, but it's not true. A 100% Open Source policy categorically excludes all closed source software. The DOI's policy is not strictly "100%" Microsoft, despite chrisd's propaganda.

  32. Ten Year Ban by NumberSyx · · Score: 5, Interesting

    I personally believe the Federal Government should be banned for ten years from buying any NEW products or services from any company which has been found guilty of being an illegal monopoly, when there are alternatives available from other companies.

    --

    "Our products just aren't engineered for security,"
    -Brian Valentine,VP in charge of MS Windows Development

    1. Re:Ten Year Ban by dpilot · · Score: 2

      Monopoly status can kick in well below 100% market share. It's more a matter of what the monopolist is capable of doing to a given market than the absolute share. Once you're big enough to twist the arms of competitors and customers, monopoly concerns begin.

      --
      The living have better things to do than to continue hating the dead.
  33. we knew MS would win by rppp01 · · Score: 3, Insightful

    I mean, think about it, we have a president, who doesn't give a rat's ass about anything except corporations and the military. Look at the economy, it has to be every one else's fault but the administration's. Yell at Congress to lower spending, so we can raise military spending, and then keep pointing to Iraq as doing what they do, drawing attention away from the economy and from Israel basically doing what Bush moans that Iraq might do in the future. What utter nonsense!
    But we knew this would happen. With a pro-corp prez in place, MS would get off, and now it is being espoused by the government. Nice going, morons. We don't want to punish MS for being a monopoly, no, we want to have them continue to publish wonderless software, and we'll even use them!

    If I could convince my gf and my ex (for the kids), I'd move to Canada already, or even Europe. Sure, freedoms and technology are not the same, but so what. These areas of the world are getting it (except Blair, what's he gonna get for his support?). Some Superpower....what's that saying? Power corrupts, and absolute power corrupts absolutely. Thanks Bushki!

    --
    They stuck me in an institution, said it was the only solution, to...protect me from the enemy, myself
    1. Re:we knew MS would win by bnenning · · Score: 2
      Look at the economy, it has to be every one else's fault but the administration's.

      You mean the economy that started tanking well before the 2000 election and which was further damaged by revelations of criminal acts which occurred during the previous administration? Yes, that's clearly Bush's fault. Come on.

      Israel basically doing what Bush moans that Iraq might do in the future

      I must have missed the stories about Israel using weapons of mass destruction on civilians. Or for that matter, the stories of Israeli suicide bombers deliberately targeting Palestinian women and children.

      --
      How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
  34. as a DOI employee by briancnorton · · Score: 5, Insightful
    I work first hand with DOI IT, and I can tell you that there will be waivers flying every direction. Everything is UNIX now, and there are not enough qualified people to migrate. They spent MILLIONS replacing 3000 mail servers with 32 Domino servers, and they aren't changing that anytime soon.

    All specialized applications are UNIX, and will be waived.

    The major problem is with administrators. There aren't enough qualified people here to run a multimode environment. They can't pay enough to get qualified Americans to work for them, and they can't contract out to H1Bs.

    In short, I don't think this will have much of an effect.

    --

    People who think they know everything really piss off those of us that actually do.

    1. Re:as a DOI employee by Remus+Shepherd · · Score: 2

      I'll second this. I'm a DOI subcontractor, and all our systems are DOI-owned. We have Linux, Unix, Irix, and SunOs all over the place, plus a Mac here and there. Most of these systems are running custom applications and their OS cannot be replaced by Windows. This will have little if any effect.

      --
      Genocide Man -- Life is funny. Death is funnier. Mass murder can be hilarious.
    2. Re:as a DOI employee by Andrew+Gilmore · · Score: 2, Interesting

      And as a fellow DOI employee, my take on this is they did no scoping or internal comment or ANYTHING to base this decision on. I do not think it is going to fly, in the long term.

      My entire IT office is up in arms about this. With NO comments from the rank and file, many people are upset.

      --
      ------ Nope, Not me, you can't prove I said that!
    3. Re:as a DOI employee by killmenow · · Score: 3, Interesting
      I don't think this will have much of an effect.
      It may not have much effect in the DoI, but I submit it will have the following effect:
      • New (note I said NEW) contractors looking to work with the DoI will see this as an indicator that NEW stuff will be done on a Microsoft platform.
      • MILLIONS will be spent by vendors, contractors, etc. in training and otherwise getting up to speed on said Microsoft platforms
      • A lot of CIOs will take their cue from this and do the same thing
      • Microsoft will market the S%*t out of this, using it as an argument against other government departments (not just US ones) who are pro-OSS
      • Other US departments will follow suit...and it will all repeat
      Now, I'm not saying OSS is dead in the DoI. But I am betting OSS will be slowly phased out if this policy stands, as any NEW projects will be hard pressed to justify those waivers.

      But I admit: I could be wrong.
    4. Re:as a DOI employee by Skapare · · Score: 3, Funny

      There are currently thousands of highly qualified people available now who will work for half or even a third of the salary as average. This is why the government conspired with wall street to bust the big bubble, because no one would work for the government anymore (no stock options). And unlike H-1Bs, who have to be paid what the average person makes, you can legally pay Americans way under average. So now there are plenty of admins available ... and programmers, too. Just post the openings here and watch the geeks' resumes come flooding in.

      --
      now we need to go OSS in diesel cars
    5. Re:as a DOI employee by spencerogden · · Score: 2

      And how exactly does one conspire with the non-existing entity called wall street? I'm sure that a huge bear market is just what all of the brokers on Wall Street wanted...

    6. Re:as a DOI employee by scoove · · Score: 2

      MILLIONS will be spent by vendors, contractors, etc. in training and otherwise getting up to speed on said Microsoft platforms

      Isn't it interesting that in an era of budget cutbacks, lack of funds, etc., the DoI has millions to blow buying new toys?

      Oh wait a second, here's a few spare billion lying around in a DoI file cabinet. Might as well spend it - hell, as Bruce Babbitt would say, you give it back to the Indians and they'll just blow it on booze.

      *sigh*

      scoove

    7. Re:as a DOI employee by greenrd · · Score: 2
      Your post is a bit hard to make sense out of. Government/market conspiracy to burst the bubble, to raise unemployment? Now that's a bit way out there. I'm well aware that interest rates etc. are used as a tool to increase unemployment - but I don't think they would intentionally set out to create a recession, which is what you seem to be implying. Anyways, downturns are part of the business cycle, and no matter what any arrogant politician says (like the UK's chancellor Gordon Brown in the late '90s) the business cycle ain't going away anytime soon.

      And your link is encouraging people to spam Slashdot - I'm sure you just forgot to fill in the href.

    8. Re:as a DOI employee by greenrd · · Score: 2
      Hmmm... I can't help suspecting something dodgy here. If there was no consultation done, on what grounds is this being done? Believing MS's flashy marketing efforts? Those in charge of IT being clueless? Or some kind of dodgy deal in a smoke-filled room?

      MS has a lot to gain by snagging an entire department (it does have real effects in terms of future projects, no matter how many waivers existing projects get), and I wouldn't put it past Microsoft to use unethical inducements.

    9. Re:as a DOI employee by Darby · · Score: 2

      I'm a DOI subcontractor, and all our systems are DOI-owned. We have Linux, Unix, Irix, and SunOs all over the place, ....This will have little if any effect.

      Well, except that we (the taxpayers) will be paying MS every year for licenses for their complete software library for each and every one of those Sun, SGI, Apple etc. machines even though they can't run any of it. Don't forget, that's how MS licensing works.

    10. Re:as a DOI employee by Darby · · Score: 2

      So, you'd rather have a murderous coward who takes civilian life as a standard operating procedure instead of reasoned debate and diplomacy?

      Well, I'm not him, but I would rather have someone who you at least know where he stands.
      9/11 happened because Bush allowed it to happen.
      That's why the Deputy Director of the FBI resigned in protest *BEFORE* the attacks complaining that Bush *ordered* the FBI to stop investigating the bin Laden family.

      So we have a murderous coward in office who is only there because he cheated.

      That's quite possibly the most disgusting thing I've ever seen on screen.

      What about your blatant ignorance of the most basic facts about the Bush administration? That's pretty disgusting to see in a citizen of a democracy. If you can't be bothered to inform yourself, then your ignorance affects me too. Please stop it.

    11. Re:as a DOI employee by ewhac · · Score: 2

      There aren't enough qualified people here to run a multimode environment. They can't pay enough to get qualified Americans to work for them, [ ... ]

      Really? I'm an American out of work right now. What are they paying?

      Schwab

    12. Re:as a DOI employee by Darby · · Score: 2

      Bush allowed it to happen? Interesting mix of abject leftism and conspiracy theory.

      It is, in fact, neither leftist nor a conspiracy theory.
      It is something that you would know as well if you could be bothered to take an active role in informing yourself. You completely ignored the well-documented fact I stated about the deputy director of the FBI. Couple this with the fact that many foreign governments informed our government about the attacks, including names, dates and places beforehand, and it is perfectly clear that Bush knew about the attacks beforehand.
      Now, it is a fact and a matter of public record that he knew what was being planned, and that he ordered the FBI to stop investigating the people responsible.
      Just because CNN or Fox news, or whoever you get your news from doesn't see a way to increase profits by telling you this, doesn't absolve you of your responsibility as a citizen of a democracy to inform yourself.

      Hmm, interesting theory you have there. I hardly support everything President Bush does (and I did, in fact, vote for Harry Browne). However, I see little reason to belittle him, even when I do disagree with his policies, and I certainly don't cry sour grapes about the outcome of a political fiasco that neither side deserved to win.

      Again, you clearly haven't bothered to inform yourself about what happened.
      In the first place, Bush lost the election. That is a well documented fact. When they recounted the entire state of Florida, it was determined absolutely, with no doubt whatsoever in the mind of anybody involved with the process. This is not under any dispute by anybody.
      Now, this did come out after Bush was already sworn in, and far be it from me to argue that Gore wasn't a complete fuckwad about the whole issue.
      But the fact remains that if Bush had a shred of integrity he would have stepped down when this became public.

      This isn't even the important part of the issue though. The important part is that the election would not have even been close enough for this to have mattered if Bush hadn't cheated beforehand.
      The manner in which it was done shows quite clearly that Bush has nothing but hatred and contempt for everything this country stands for.
      You do know that Jeb Bush, George's brother is the governor of Florida don't you? You do also know that he had his secretary of state throw about 80,000 citizens of Florida off of the voter rolls don't you? You also know that these people were all registered democrats, and mostly black don't you? You are also aware that they are being sued for this aren't you?

      If any of these things are news to you, which they clearly are otherwise you wouldn't have made that post proclaiming your ignorance, then you are ignorant (look it up) of this issue

      Now, this is not an ad hominem attack, nor was the "blatant ignorance" comment previously.

      If you are a white man and I call you a white man, that is a statement of fact, not an attack on your person.
      Similarly if I call you left-handed and you are.

      So when you demonstrate quite clearly and publicly that you are ignorant of an issue which it is your duty to be informed of, then you are in fact blatantly ignorant of that issue.
      This isn't an insult. It is a simple statement of fact. Ignorance is a state of mind which you can change. I am ignorant of many things such as the current temperature in Somalia, the price of tea in China, and many other things.

      If you would actually do some research, you would no longer be ignorant on these issues, but it seems that you would rather blame me for pointing it out than actually fix the problem.

      That, my friend, is the way too prevalent attitude in this country that allows fiascos like this to go on.

      .

  35. Sometimes a standard just is a standard... by Anonymous Coward · · Score: 5, Interesting

    I contracted for the Texas Dept of Human Services, they, like most government shops, had a policy standardizing on MS products. What the higher ups quietly ignore is their critical WAN infrastructure is mostly linux. A small insular group of network guys set it up (the DNS server had a 9 month uptime and was still running a 2.0 kernel). Most of them were not experts, just guys who had set up Linux early and then kicked back and relaxed (not an ideal system from a security standpoint).

    Email went down for three days while they blamed the Exchange box, I had to explain MX records to them and prove that it was disk overload on their primary MX (sendmail + Redhat 5.2). They couldn't even remember who had the root password.

    What I discovered was that government is still the last big company around. The place where no one ever gets fired, or laid off. Where the new technology approval board is run entirely by people whose only IT training is in Cobol and Unisys 2200. The few really smart people are full of great ideas, but they are rendered inert by the great mass of "lifers".

    In Texas, most of the real IT work gets done by big name consulting firms, at extraordinary costs and questionable quality.

  36. Requirements are the loophole in bids... by zerofoo · · Score: 4, Informative

    I'm a sys-admin for a small school, and I'm familiar with the restrictions of a bidding process. Most likely the DOI will go through the appropriate bidding process by producing an RFP specifying a Microsoft solution, and then various vendors will bid on a systems solution centered on a Microsoft product.

    By narrowing the systems specifications right down to the software vendor, a CIO can pretty much get what he/she wants. Sure, there are lots of MCSE's selling MS solutions, but if the RFP specifically requests a Microsoft product, that effectively excludes all other systems vendors.

    -ted

  37. Re:why is this news? by dbrutus · · Score: 2

    But if they did it that way, Mac would be on the approved list of vendors (as you can get MS Office for the platform). Xserves, with their unlimited license capabilities, generally blow Windows solutions out of the water for file and print (which is a large proportion of what a govt. server does). Since it can fairly easily integrate into an Active Directory infrastructure there's no reason not to include them.

  38. Purchasing policy by pubjames · · Score: 2


    I find it amazing that a government department should have an official policy of only purchasing from one particular vendor. I would have thought a fundamental factor in defining a purchasing policy in any large organisation would be making sure that there is competition amongst your suppliers. It's basic business sense, isn't it?

  39. win2k/xp doesn't fix reboot problem by alienmole · · Score: 5, Interesting
    yes kids, Win2k and XP can stay on for months without a reboot..

    That's true if the machines aren't connected to the Internet, and if they're not heavily utilized workstations, etc.

    In practice, a connected server needs to be rebooted more often than that, if only to apply the latest security patches.

    Heavily utilized WinNT/2K/XP workstations need to be rebooted regularly to overcome kernel memory leaks and the like.

    If you'd like to see this for yourself, try this test: load enough copies of IE that you run out of kernel memory or other resources. You'll know you've reached that point because it will silently refuse to open another window. Now close all the windows you've just opened. Carry on using the machine and see how long it is before you find that new applications can't be run, that menus don't drop down, etc. To get some sense of what's happening, monitor the numbers on the performance tab of the task manager while you're doing all this, particularly kernel memory - it goes up, but mostly doesn't come down. That might be fine if it was reusing the allocated memory, except that it doesn't - it ultimately cripples the machine.

    The bottom line is that Win2K/XP is fine for light-duty use and applications not connected to the Internet. For serious computing, though, you need a real operating system.

    1. Re:win2k/xp doesn't fix reboot problem by alienmole · · Score: 2
      What bullshit. ...

      Did they run as well as the BSD machines? no, of course not, but they ran at around 87% as well.

      You're contradicting yourself, and making my case. Maybe you're happy with 87% (and I would push that percentage down a bit once you factor in the various TCO-type issues), but what is the point of compromising? Let me see, Microsoft is more expensive, lower quality, less secure, less stable... I must be missing something here. Oh yeah, it's got a point and click GUI for amateur administrators.

    2. Re:win2k/xp doesn't fix reboot problem by Telastyn · · Score: 2

      wtf? they *aren't* less stable, that was the entire point of the message, and since when does cost of ownership have anything to do with performance benchmarks?!?

      Is it more expensive? yes.
      Is it lower quality? debatable. In some places yes, in some places no.
      Is it less secure? depends on the situation, but usually.
      Is it less stable? no. In my experience win2k has been just as stable and reliable as solaris and bsd machines.
      Does it have a lameass point and click gui for lameass MCSE's? unfortunately...

      win2k has disadvantages aplenty over bsd or linux or solaris or osx or pretty much anything, but to say it isn't stable and can't do "real" computing is just a fallacy.

    3. Re:win2k/xp doesn't fix reboot problem by alienmole · · Score: 2
      wtf? they *aren't* less stable

      Having to do the kills and restarts of explorer, which you mentioned, based on normal, but long-term use, doesn't qualify as "stable" in my book. Besides, killing explorer doesn't fix the issue I'm talking about, which has to do with kernel memory. There's an MS KB related to this, which I'll dig up if you like.

      Cost of ownership has nothing to do with performance benchmarks, but I was talking about reliability, stability, and the need to reboot. A big part of the cost of ownership is the amount of time that has to be put into maintaining a machine. Rebooting, patching, and dealing with problems all adds to that time. In that sense, reliability and TCO are very closely related.

      it isn't stable and can't do "real" computing is just a fallacy.

      No, it's a matter of opinion. You can make excuses for Microsoft all you want, but in the end they're just excuses. My experience, based on supporting clients running all kinds of boxes, is that the Windows boxes are regularly and conspicuously a bigger PITA, and call attention to themselves in one way or another, much more often. The original issue I responded on, that they require reboots more often, is still true in practice and could probably be demonstrated via Netcraft etc.

  40. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion

  41. Re:why is this news? by NumberSyx · · Score: 2

    (which, based on the way government works, I'm sure is easy to get.)

    Then there's no problem is there.

    Then why make the policy at all?

    --

    "Our products just aren't engineered for security,"
    -Brian Valentine, VP in charge of MS Windows Development

  42. Re:why is this news? by pantropik · · Score: 5, Funny

    1) Microsoft does really really bad things.

    2) Microsoft gets called to task for doing really really bad things by the United States Government.

    3) Microsoft is told sternly to stop being such a big meanie, given an affectionate pat on its cute lil corporate head, and sent to think about how really really bad it had been. Monopolies will be monopolies, after all.

    4) Microsoft promises it isn't really really bad anymore, Scout's Honor.

    5) Significant portion of United States Government mandates the use of Microsoft Software.

    Does this mean I can go down to the local bar, beat the crap out of the proprietor, steal everything he owns, drive him out of business, and take over the place? Then when I get caught, I'll promise to be a good boy from now on, keep all my ill-gotten gains, and turn the place into a cop bar. Then I'll have enough money to hire some muscle and really move up in the world.

    In all seriousness, however, Microsoft has made sincere strides toward policing its own actions (someone has to, right?). For example, from a recent press release:

    "SEATTLE -- Microsoft Corporation is pleased to unveil, over the coming weeks, a series of strategic alliances designed to further the goals of our Trusted Computing Initiative.

    Beginning next month, to ease customer transition to and acceptance of Licensing 6.0, all Microsoft End User License Agreements will be accompanied by a single-use packet of high-quality non-petroleum-based personal lubricant. In line with our Software Choice Program, we have partnered with both AstroGlide and Wet* to provide this service to our Valued Customers.

    In response to continuing customer concerns regarding the clarity of our various End User License Agreements, we have elected to move to a Unified EULA structure (patent pending) that we feel will more clearly outline the agreements attached to our Software Products. Beginning November 1, 2002, the following EULA will apply to all newly licensed Microsoft Products. Please note that present Microsoft Customers will still be able to benefit from the new EULA scheme, as we will be attaching it to all vital Software Security Updates and Hotfixes for previous Microsoft Products.

    '[Product Name]

    END-USER LICENSE AGREEMENT

    IMPORTANT-READ CAREFULLY: This End-User License Agreement ("EULA") is a legal agreement between you (either an individual or a single entity) and Microsoft Corporation for the Microsoft software product identified above, which includes computer software and may include associated media, printed materials, "online" or electronic documentation, and Internet-based services ("Product"). An amendment or addendum to this EULA may accompany the Product.

    YOU AGREE TO BE BOUND BY THE TERMS OF THIS EULA BY INSTALLING, COPYING, OR OTHERWISE USING THE PRODUCT (THIS INCLUDES THE ACT OF PLACING THE PRODUCT MEDIA INTO YOUR CD/DVD-ROM DRIVE).

    1) ALL YOUR COMPUTER ARE BELONG TO US!'

    We hope that the new Unified EULA (patent pending) system will clear up any lingering customer concerns regarding our Product Licensing.

    *This promotion applies to Wet Light only. Wet Platinum is currently unavailable. Offer good in the United States and Canada only, subject to availability."

  43. not too surprising... by budalite · · Score: 5, Interesting

    Actually, the announcement is probably going to be blatantly ignored by all the DOI Bureaus/Empires. They are all their own little fiefdoms. I retired from the DOI Office of the Secretary IT network/web team about 3 years ago. At that time, the DOI "Webmaster" did not know HTML, much less CGI or anything else; he used Front Page to build a little office home-page. It had animation bouncy things on it. He had no *nix nor any web experience of any kind when he was hired. ?? The Office of the Secretary Webmaster (my boss) needed to spend most of his day developing and maintaining a COBOL-based personnel administration application. He did not know any *nix nor did he care to learn it. (To be fair, he didn't have the time.) Each of the Bureaus headquartered in the DOI Headquarters building in DC had (has?) a separate LAN/WAN system and separate Internet access points. The DOI web site was funded by the Public Affairs office, which was/is not really sure what to do with the web. After working at GSA and FEMA, two orgs. with outstanding IT teams, the DOI lack of interest in IT, lack of qualified IT leadership, and the resulting mediocrity was very disappointing. However, the idea to "invest" in M$ is not very surprising. They had already begun to move that way, years ago. It's what the contractors use. It's what the contractors told them to use. Their lack of IT expertise means they must trust the contractors to provide their IT leadership. Apparently, they picked the wrong contractors and are just getting ate up. I could go on and on (and probably already have). Don't place too much emphasis on this "announcement". The Bureaus won't. It's just a way for that office to get its name in lights for a little while. Sad, but true.

    pfS.

    [Ironically, when the DOI web site was heavily attacked by the Chinese after we accidentally blew up their embassy in Bosnia, our Unix-based Apache web site, a left-over from a previous webmaster (bless his unix-loving butt), administered by a new-to-unix admin (me), fared pretty well while the Park Service's M$ IIS4-based web site was hammered through an anonymous ftp account and was down for weeks. (Everything was secure but the gifs. I thought I had everything buttoned up, but for some reason, when I uploaded files to the server via Hummingbird, the gifs (& only the gifs) permissions were set to 'w' for everyone. So we had little Chinese flags all over DOI Home page for about 12 hours. Coulda been worse. Oddly, the Chinese sent tons of XXX-rated mail to the webmaster email address. Ow, ow.]

  44. Linux/Solaris using DOI employee says... by Andrew+Gilmore · · Score: 4, Interesting

    The rumor is that this was actually caused by someone blaming lack of standard email servers (Lotus Domino and Groupwise) for screwing up an email greeting/distribution from the Secretary. This problem was probably actually caused by network connectivity problems, rather than standardization issues. I got it fine from my Groupwise POP server.

    Thus this unfunded mandate to move to some standard platform.

    Given that there is no money behind it, and we're talking 40+ mill in LICENCES ALONE!!!

    I don't see this happening anytime soon.

    On the other hand, it is almost easier for Linux to interoperate with MS stuff than Novell, except Exchange/Outlook, which does have a non-free solution (Evolution).

    Further, we have several pieces of Unix only software, and I don't see those being ported soon.

    --
    ------ Nope, Not me, you can't prove I said that!
  45. Re:All-Microsoft? by 1010011010 · · Score: 4, Insightful


    I'm sure Hollings will be really receptive to my concerns about locking in the DOI to Microsoft-only systems. Not.

    But, as you pointed out, my interest does run deeper than making "snide remarks." I am a taxpayer. I live in Raleigh, N.C. I plan to call Senator Jesse Helms' office and ask him to review the DOI's decision to lock out non-Microsoft products in favor of those made by Microsoft -- a monopoly currently being prosecuted by the federal government. I'll point out that there are other U.S. software companies that make fine products, and it's in the government's interest to avoid single sources for their systems. I'll mention RedHat -- based in Raleigh, just like Senator Helms. I'll mention Sun and Apple. I'll mention IBM and Oracle.

    --
    Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
  46. Not surprised, don't care, sucks to be them. by mesozoic · · Score: 2

    "Centralized security control"? Sure, Microsoft can do that. Until one of your domain servers gets 0wned.

    Frankly, this doesn't come as a shock. Government agencies like the USDOI have always been of the attitude that if they pay more, and do less, it's better in the long run. But if they plan on running their entire networks on Microsoft servers, I plan on watching the news for hack reports.

  47. DOI turned off web in 2001 by peter303 · · Score: 2

    The DOI is the same agency that was forced off the web by a court ruling in 2001 because it was easy to hack Indian royalty accounts. This turned off National Park Web site, earthquake data sites, etc. also in the DOI. What a mess at the time.

  48. This is Great News!!! by sdjunky · · Score: 2


    We don't need the Freedom of Information Act anymore... and I was worrying about our rights being taken away ... whew

  49. But what about Palladium and DRM? by Quixadhal · · Score: 3, Interesting

    What happens when a government organization decides to use Microsoft products and has to shut down all operations for N days because:

    a) The authentication server at MS crashes or screws up so all the Windows XP desktops can't phone home to get Bill's permission to run?

    b) One of those lovely IIS virii starts sending sensitive documents out to every pr0n vendor in anyone's mail spool?

    c) The DRM system determines that a critical bit of multimedia presentation, which might decide the creation of a policy, can't be shown since it hasn't been authorized and therefore MIGHT be a violation of someone's copyright?

    If you thought your Government was lazy before... man!

  50. Re:The real story ... by Melantha_Bacchae · · Score: 2

    An AC wrote:

    > The real story is about how government agencies
    > are shooting themselves in the foot by NOT going
    > with Microsoft, especially .Net. A good article on
    > this can be found at AngryCoder [angrycoder.com].

    Read the link you posted. The waste of millions was because they changed platforms half way through the development effort. If they had started in Java and then moved to .Net, a similar waste would have occurred.

    The waste would not have occurred if they decided at the *start* of the project that vendor lock in was an issue and had gone with Java.

    Loathe as I am to recommend Microsoft, yes, it is better to make decisions at the start of projects, on what is best for that project and stick to your decision. Arbitrary department and company wide decisions to go with one vendor and chuck out all the existing work is a massive waste of time and money that no good manager should allow.

    That being said, Microsoft's various problems with security and reliability should put it on the bottom of the list of consideration. Their ambitions and repeated breaking of anti-trust laws should give any government agency serious concerns about doing business with them.

    BTW, does anyone know if Microsoft has had the cheek to try to audit a federal government agency? I know they have gone after city governments and poor schools...

    "At this moment, it has control of systems all over the world.
    And...we can't do a damn thing to stop it."
    Miyasaka, "Godzilla 2000 Millennium" (Japanese version)

    Don't worry, Godzilla is coming to stomp it!

  51. Netcraft Link ? by Martin+S. · · Score: 2


    > Interesting, so you're saying that MS systems connected to the internet CAN'T stay up for days?

    In the interests of transparency and to prove you are not just another MS Astroturfer perhaps you could prove this rather than just claiming it by supplying a Netcraft link.

  52. Open Source as a requirement not unfair... by bubbha · · Score: 2, Interesting

    When I was a young SW Engineer working on military systems, I frequently had "great" ideas involving hardware "shot-down" (pun intended) because the system requirements from the gvt. demanded components that had a "second source." This prevented the system from being dependent upon a sole provider of a component. So even if more technically advanced hardware was available, that did not matter because a single supplier placed the whole system at risk... the risk that we may not be able to replace that component in the future - rendering the whole system useless based upon the unavailability of one component.

    I believe open source needs to be looked at the same way...and, in fact, many gvt's around the world are doing just that.

    Stop saying that requiring open source EXCLUDES MS. It does NOT. The problem is that MS does not have any products which meet the customer's system requirement for multiple sources for system components.

    MS (the company) is not excluded, their closed-source products are. If they wish to compete for systems that require multiply-sourced components, they should make products for that market.

    --
    I want to be alone with the sandwich
  53. Conformance != All Microsoft by TheConfusedOne · · Score: 3, Interesting

    There is a strong case to be made for conformance of systems.

    One problem, conformance of systems usually means that you have to use older systems to ensure conformance. To get conformance right now you'd have to throw out most of your current PC's and buy/upgrade all of the desktops to the latest version of Windows XP. Additionally, you'd have to migrate all of your servers to Windows 2000. With that accomplished you would now have a conformant layout.

    Then, you'd have to avoid making any upgrades to the systems. All you could do is patch and make sure every box had all the patches. Sounds great. So, this whole process gets completed somewhere around Q3 2003 (being generous time-wise).

    Windows .NET Server 2003 comes out then. What do you do? You either have to upgrade all of your servers (and probably patch your desktops) or stay with a now old server OS.

    BTW, this part hasn't even started to go into the actual applications being run on the desktops and servers let alone the hardware being used by them.

    Basically, "conformance" is impossible. Hardware changes too quickly. Software changes too quickly. You'll either need to freeze everyone in time or just deal with the fact that everyone will be running different OS's.

    Finally, considering the DoI's current track record with security (couldn't even put the Indian records into a DB) I find it very hard to believe they would be able to stay up with the patch-wave that is MS.

    --
    --- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
    1. Re:Conformance != All Microsoft by TheConfusedOne · · Score: 3, Insightful

      So, first you still have to get all of your machines up to Win 2K/XP. Then you have to have a sufficient number of test machines to test those patches against. (2K SP 3 breaks Office 2000 install. NT 4 SP 6 disabled Notes. NT 4 SP 2 completely hosed NTFS machines when installed over the network.)

      Now, let's look at a modern WAN. You've got regional offices scattered all across the US. Do you need local servers to redistribute those patches down to? Maybe you want the 5 XP machines in the little RI office to completely flood their 128K frame relay connection back to the main office pulling down the latest Microsoft VM patch? How about that travelling guy with a laptop and a dial-in connection?

      Now, how about provisioning that new box in the RI office? Are you going to be constantly updating a stream-lining patch set so that they don't have to download 20 separate patches and reboot after many of them?

      It takes a hell of a lot more time than your 5-10 minutes *per week*.

      --
      --- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
    2. Re:Conformance != All Microsoft by TheConfusedOne · · Score: 2

      1.5 hrs to test and deploy SP3?!?

      Wow, what did you test? How many different software configurations did you test against? What problems did you encounter? Did you hit that Office 2000 issue?

      Again, I continue to find your time estimates unbelievable.

      --
      --- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
    3. Re:Conformance != All Microsoft by TheConfusedOne · · Score: 2

      First off, I'll point out that your list of steps is much longer than that 1.5 hours figure you threw out to begin with.

      Second, how many boxes are you running on this setup? How long did it take to get all of the boxes up to Win 2K and convert all of your servers to Win 2K and get Active Directory going?

      Sure once you get your entire infrastructure up to a level like this it becomes much easier to administer (and you could even do it easier using something like Novell's ZenWorks). The problem is getting to a point like that. Given the DoI's current track record with technology I don't see them ever reaching this point.

      --
      --- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
  54. Re:why is this news? by rseuhs · · Score: 3, Insightful
    > what is it that you are implying here? that running a solution that fits their needs is bad?

    A policy like this is PREVENTING them from running a solution that fits their needs best. If you think that "run whatever Microsoft gives us" is running the best solution, you are either pretty gullible or have Microsoft-stock (or both as being gullible is a prerequisite for having Microsoft-stock, just look at their P/E).

    It also illustrates the incredible Microsoft double-standard. A Microsoft-only policy is great, but an open-source-only policy (which is much less restricting because it is multi-vendor) is evil, evil, evil.

    I personally don't like either policy, BTW.

  55. Why should we stop them by Gerry+Gleason · · Score: 3, Insightful
    > If a 70000 workforce says that wanna work on M$ why should anyone stop them.... But I guess this won't be true, there will be numerous who are opposing this.... and in this case slashdotters can't do anything except slashdot the DOI site every second day.... It's up to those employees to get together and raise a ruckus.

    Beside the fact that the employees probably had almost nothing to do with the decision, it is objectively bad for the government to lock up our information in a proprietary format.

    The real tragedy of this will come down the road, when not even current MS crap (if they survive) will be able to read the obsolete Word2002 formats stored in the archive. Even today, I expect that you would have some problems reading at least some old windows document formats in the most current editions.

    MS development processes are so ad-hoc and market driven that they cannot even keep track of all the external representation formats that they have created. They just don't get it. The reason that experienced and skilled software architects and designers insist on supporting mature standards is because otherwise it turns into an unmanageable mess. Stability is way more important than wiz bang features. Note that this is also the source of many of their security problems, at least the ones that aren't due to allowing program fragments to run from untrusted sources, but I digress.

    This is also why the Linux platform is so much better. Even though it is not yet at a maturity and stability level that satisfies us, it is still completely usable because it doesn't just abandon standards in an attempt to gain market dominance. Once a standard is established and has become stable, you can be certain that it will be widely adopted. In this environment, any number of projects can implement that standard, and users have a choice to stay with the old reliable tool, or upgrade to get more features and functionality. Or even use both situationally.

  56. Can't upgrade a kernel w/o rebooting - So? by Andy+Dodd · · Score: 2

    Go to Windows Update for a freshly installed Win2k box... How many of those updates say, "This update must be installed separately from all others"? At least 3-4, even after installing SP3.

    How many of those aforementioned updates require a reboot?

    All of 'em.

    When a *web browser* patch requires a reboot, there is something fundamentally WRONG WITH THE SYSTEM.

    At worst case under Linux, a web browser patch to Tux will require unloading and reloading a kernel module. If you're using any other web server, you can do an upgrade, and restart the webserver. Total downtime? Restarting Apache takes a fraction of a second.

    This is the difference between Unix and Windows - Unix requires a reboot only for the most major upgrade of all, the kernel. Anything else doesn't require a reboot. Windows, on the other hand, needs an update for damn near any system update you'd like to make, and a significant number of system changes require an update too. You need to reboot to change *font scaling* for chrissakes. (Let's not get into the fact that there is no need whatsoever for any server machine to be running a GUI at all times because it's an unnecessary waste of resources - A true server should be 100% administratable without even a video card and just a serial console for worst-case scenarios when the network goes wonky.)

    --
    retrorocket.o not found, launch anyway?
    1. Re:Can't upgrade a kernel w/o rebooting - So? by NineNine · · Score: 2

      What's wrong with rebooting a web server? Very rarely are web servers mission critical. Hell, the biggest web servers go down for longer than an occasional reboot takes to do. Hell, Slashdot probably only has like 95% uptime, and that's supposedly managed by the super-ultra-mega Apache gurus. A web server reboot takes like a minute. The chances of that being a serious problem are slim. If it is a problem, don't use W2K. IF you can live with it, W2K works just fine.

    2. Re:Can't upgrade a kernel w/o rebooting - So? by TFloore · · Score: 2
      Blockquoteth the poster
      > What's wrong with rebooting a web server?

      Absolutely nothing.

      If service availability (*not* uptime) is a serious concern, you don't use a single machine anyway.

      You can get systems with 99.999% availability guarantees from various major manufacturers. IBM loves these things, they price them so only major corps can afford them.

      The interesting thing... These aren't single computers. Read more about them. Every system sold as "99.999% availability guarantee" is a system cluster with failover. One goes down, the other picks up within some specified timeout period.

      If your web server needs a good uptime, use a server farm and a load-balancing switch. Even just 2 web servers behind a round-robin switch. When a web server needs a reboot, take it out of the pool at the switch, reboot it, put it back in the pool.

      This has been common practice for years with systems that need service availability guarantees.

      Uptime is for bragging. Service availability is for people that actually need to get work done.
      --
      This is my sig. There are many like it but this one is... Oops. Frank, I've got your sig again! Where's mine?
  57. DOI? by vogon+jeltz · · Score: 2, Funny

    So MS equips The Department of InFeriors with its Software?
    Good match if you ask me.
    Oh well, couldn't resist ...

  58. Fraud, waste and abuse hotline 1 (800) 647-8733 by SgtChaireBourne · · Score: 2
    The management at the previous place I worked made the Microsoft Mistake (tm). Their IT dept. put in probably 1000-2000 man-hours per month with Exchange Win2000 and other experimental products and still couldn't manage a week of uptime nor go two months without getting "0wn3d". Their solution was to buy extra licenses, hire extra consultants, and repeat the mantra "it'll work after the next upgrade/servicepack", pay for an upgrade, rinse, repeat.

    Contrast that with the high availability for non-experimental products like Netware for file sharing or Exim, Postfix, or Sendmail for mail.

    Sounds like the government's Fraud, Waste, and Abuse hotline, 1 (800) 647-8733 is going to be ringing off the hook.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  59. I'm a DOI contractor .. by cje · · Score: 5, Informative

    .. and this whole thing is basically nonsense. As briancnorton said in his post, expect waivers to fly like snowflakes in a blizzard (if they even bother to try to enforce this at all.)

    At the installation where I work, we've got dozens of legacy systems running on UNIX boxes as far as the eye can see. Some of these are processor-hungry image processing applications that run on high-end boxes from SGI and Sun. These systems are not going away anytime soon, regardless of what some tech-clueless bureaucrat at the top of the chain would like to think.

    I'm posting this from an SGI O2, sitting on my desk next to a PC that dual boots Win2K and Linux. All of the developers in the cube farm outside my office door are doing UNIX development on Linux PCs. In the past couple of years, we have started to shun more expensive solutions in favor of software like Apache, PHP, PostgreSQL/MySQL. There are currently several efforts underway to port existing systems from proprietary UNIX (i.e., IRIX or Solaris) to Linux so that we can leverage inexpensive, commodity hardware platforms and get away from paying exorbitant maintenance fees.

    We're moving pretty aggressively towards open standards and free software, and I would guess that this memo will have exactly zilch effect on that.

    --
    We're going down, in a spiral to the ground
    1. Re:I'm a DOI contractor .. by cje · · Score: 3, Interesting

      > What you will find is that if there is a M$ solution regardless of cost or functionality, you will be required to use that. I have run into this before and logic does not play a role.

      Doubtful. The relationship between contractors and many government agencies is changing. We're moving away from old models where government personnel were actively involved in technical aspects of day-to-day work and into a new model called PBC (Performance-Based Contracting.) In that model, the government serves more of an oversight role (in terms of things like budget and schedule) and assumes a more hands-off role when it comes to how the work is actually done.

      This is, of course, how it should be.

      --
      We're going down, in a spiral to the ground
  60. Like I said, light loads and low uptime by alienmole · · Score: 2
    Your experiences are based on having low traffic, and running Apache instead of IIS, and still you give examples of the exact problems I was referring to:

    > It has now been up for 4 and a half months and the last reboot was to install SP2.

    Contrast that with the most recently rebooted Linux server I deal with - 300 days uptime, rebooted because of a power failure due to storms, which outlasted backup power.

    You say you installed SP2 - what about the post-SP2 hotfixes, or SP3? The countdown to your next reboot has begun... Luckily, you may not have to worry about those as much in your case, because some of the security problems affect IIS, and you're running Apache. So yes, by staying away from Microsoft server products, you do achieve greater uptimes, which is my whole point.

    Your 410,000 hits a month is very low traffic. Some of the servers I work with routinely serve that much in a day, and they're not the busiest by any means. But ability to handle load is not really the issue at this point - since about Win2K, Windows has done much better at this (NT4/IIS4 was pretty pathetic at that, also due to memory leaks).

    I'm not saying longer uptimes can't possibly be done, but compared to real operating systems, Windows requires more reboots in practice, because of the number of mainly Internet-related security problems it's had over the past few years.

    I work with both Windows and Unix machines doing software development and consulting on administration issues, so I have plenty of direct experience with administering Windows boxes. I've worked with WindowsNT/2K/XP since the betas of NT 3.1 in around '91. In my experience, there's just no comparison between the two in terms of security, stability, and ability to run for truly long periods without reboots. If you think otherwise, my guess is it's just because you haven't had much experience with Unix.

  61. Conformance of systems by dachshund · · Score: 2
    > There is a strong case to be made for conformance of systems. Using a "standard" tool, even if it's not the absolute best for the job, often saves money in the long run, simply by its conformance.

    If the gov't had created a policy requiring the department to settle on the most widely used and standardized systems available, that would have achieved the desired end.

    As I understand this policy (and I really don't, because all of the links are dead), I'm required to purchase a Microsoft product even if it a) doesn't integrate well with other Microsoft products, b) is completely non-standard, and c) is not the package generally used for that purpose.

    One policy is at least vaguely justifiable. The one they've chosen is just a blank check to Microsoft.

  62. Now someone might find that $40B by haapi · · Score: 2, Funny

    Well, good! Now perhaps some altruistic hackers can take a peek inside and find the $40 Billion of Indian land trust money this department has lost.

    --
    Well, apparently, you only have to fool the majority of people for a little while.
  63. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  64. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  65. The admin, not the OS by TFloore · · Score: 2

    A good sysadmin, who is familiar with the OS being run, using proper security procedures, and working in a reasonable corporate environment, can keep a system stable and working properly for reasonable periods of time.

    A bad sysadmin, who is not familiar with the OS being run, and does not follow proper security procedures, will not have a stable secure system, regardless of the system being run.

    This is much more an issue of having good people following proper guidelines. I might accept that some OSes require fewer patches than others. Maybe.

    But most of this "my system is better than yours" is coming from people who know one OS and not the other. This is not informed comparisons. This is trying to validate your personal choice by saying any other choice is stupid.

    Doesn't matter if you are a Windows admin trying out Linux, or a Linux admin trying out Windows. How much time did you invest in the OS you know now? Spend that long working on the competition, and then you can make an informed comparison.

    --
    This is my sig. There are many like it but this one is... Oops. Frank, I've got your sig again! Where's mine?
  66. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  67. Re:why is this news? by cscx · · Score: 2

    That is uninformed bullcrap. NT has ACLs. Unix doesn't (by default, and in most installations). Any OS is as secure as you make it. In fact, I'd bet a double-latte from Starbucks that I could set up an NT box that was more secure than a unix box you could set up any day. Want to take me up on the offer?

    Of course you work for the DOI so you know what's best for them...

  68. Wasting Money by BitGeek · · Score: 2


    Ok, I'm going to ignore the justifications given (as I'm sure everyone here knows they are false.)

    Am I the only one here that sees this, especially given Microsoft's current licensing practices, as a huge waste of money?

    And whose money is being wasted? Taxpayers. If our government is flippantly blowing out cash in even the Department of the Interior then clearly they are getting too much money. It's time to cut taxes and stop letting the leeches live high on the hog.

    MS Windows? Office? My god. What obscene spending!

    We must cut taxes until our money is spent responsibly.

    --
    Yeah, and you guys panned the ipod too: http://apple.slashdot.org/article.pl?sid=01/10/23/1816257
  69. What what what! by hendridm · · Score: 2, Funny

    > They spent MILLIONS replacing 3000 mail servers with 32 Domino servers

    Seems to me their biggest problem isn't switching to 100% Windows, it's running Domino as their mail server (for all your database needs! w00t!). Whoever thought of that brilliant idea should be shot. Then again, IBM seems to have some good salesmen and women. GOD HOW I MISS NOTES' INTUITIVE USER-FRIENDLY INTERFACE.

    -- ex-Lotus Admin and Flamebait since 1978

  70. Huh? by PotatoMan · · Score: 3, Funny

    The meaning of 'transparancy' is completely opaque to me. Your 'parants' should be ashamed.

  71. Had to spend all that Indian money by egg+troll · · Score: 3, Insightful

    Apparently Gale Norton decided she'd better spend all the money the DoI has kept from Native American tribes. Ah, free software: damned if you're free, damned if you're not....

    --

    C - A language that combines the speed of assembly with the ease of use of assembly.
  72. 40 Days uptime...Wow! by Brendan+Byrd · · Score: 2

    Seriously, what's up with people who are amazed at uptimes over a month? I've only seen the Windows side of things do that, as my Linux box has been up for over six months. I've seen boxes up for as much as a year, and it was only down to upgrade the kernel.

    1. Re:40 Days uptime...Wow! by Sycraft-fu · · Score: 2

      It never ceases to amaze me how people on /. can so totally miss the point. I am not amazed about 40 days uptime, it's nothing remarkable, just a point that indeed Windows boxes can and do stay up more than a couple days just fine.

      My other real point was that uptime is just NOT RELEVANT when discussing system stability. The real issue is, of the time a system is down, how much is scheduled and how much is unscheduled. Hell, the BSD box where I have some of my web stuff has only been up for 19 days currently. Does this mean that BSD is less stable than Windows? No, they took it down for maintenance 19 days ago, it was planned and announced. I don't measure the quality of their service based on them trying to have huge uptime numbers (something I have never understood the obsession with), I measure it based on their ability to keep their servers up except for when they specifically announce, and plan for, downtime.

      I fail to understand this hard-on that some people get from huge uptime numbers. So what? I have routers with years of uptime, it doesn't mean anything. The question is, is your service available when it is supposed to be?

  73. The Ultimate NT Lie by Loundry · · Score: 3, Insightful

    It's about competent administration.

    Your story is yet another of the scores of examples which contradict the long-touted "feature" of (NT|2k|XP) that it is "easy to administer." If it was truly easy to administer, then the administration would not need to be done by competent administration; i.e., anyone should be able to do it.

    I maintain that (NT|2k|XP) is equally difficult to administer as *nix and has always been. One may be better than the other for certain tasks, but effective administration for both has been and still is difficult and requires highly skilled professionals to do it right.

    I think that my biggest problem with NT systems was the outright deceit which pervaded the marketing surrounding said systems. (See also: "NT Workstation and NT Server are completely different operating systems. Really. I mean it. Pay no attention to the identical kernels.")

    --
    I don't make the rules. I just make fun of them.
    1. Re:The Ultimate NT Lie by bmajik · · Score: 2

      The differentiation that started in NT4 between Workstation and Server SKUs continued with W2k and continues with XP and the XP-based server SKUs.

      While the binaries may be the same, the run time operation is not. Several scheduler and worker thread defaults are sku-specific.

      In the XP server timeframe, the server will be a differentiated enough offering that the average warez kid that always runs whatever the "most expensive sku" pirated copy of windows is, will NOT want to run it on their home machine. It simply won't be any fun for them to use as a desktop machine (unless they just want to look at logs and perf counters from their server-class apps)

      You're right though. It's currently too difficult to be a good NT administrator. That is an ongoing goal for MS - to lower the bar to proper administration for being an NT admin.

      The reality of the situation is this. IT is a cost center. Lowering that cost by making the software "run itself" or easier to manage when intervention is required is the entire goal of MS. Paying any sum of money for a windows server license is a paltry sum compared to paying $40k for a junior unix admin to run a free OS. If windows could self administer, ask yourself how many windows boxes you could afford with what you're paying for that one junior admin?

      Slashdot is perhaps a skewed market segment, but ask yourself - of all the businesses that use computers, and have an IT department, is that business's primary focus IT, or something else?
      Should my insurance company be spending money supporting their email system, or should they be lowering my premiums because they can afford to do so and still cover their costs and be profitable?

      Naturally, the IT and system administrator "guilds" abhor the idea that they'll be replaced by a click-through Wizard at some point in the future.

      The Guilds have got it coming. Evolve or drown. That's how it works in the job market, and the tech sector is not ${DEITY}'s chosen profession - the .com crash showed us all that.

      --
      My opinions are my own, and do not necessarily represent those of my employer.
  74. DOI IT - IDIOT by starling · · Score: 3, Funny

    'Nuff said.

  76. MS KB on kernel memory limitations by alienmole · · Score: 2

    I mentioned kernel memory problems with Win2K. For anyone interested, here's a Microsoft KB which relates to this issue: "Windows Reports Out of Resources Error When Memory Is Available"

    What the KB doesn't say is that you can trigger this out-of-resources situation in a long-running session, just by running and exiting many applications over time, with IE being particularly guilty. Once you hit the limit, even quitting everything and yes, killing the desktop-controlling Windows Explorer process doesn't completely resolve the problem - it returns much quicker, once a few applications have been loaded. Because of this, there's a limit to how long a Win2K workstation can remain running before needing a reboot.

    Since many people turn their machines off daily, it isn't a problem for them in practice. Others have experienced this without knowing the cause - since it usually silently prevents new applications from being loaded, or may prevent e.g. menus from being selected or dropped down, people simply shrug and reboot.

    The KB claims that this essentially arises as a consequence of 32-bit addressing, but you can run the same test side by side on a 32-bit Linux box without a problem.

  78. Microsoft is no standard at all by ebyrob · · Score: 2

    Not even de facto. Things might be reasonable when it comes to SQL server, but have you ever tried supporting version 5-6 of IE or versions 97/2000/XP of Office all for one website or set of documents? The hot fixes and bug patches alone can throw everything you've got into chaos, even when everyone's on the same revision!

  79. Apache has its share of exploits by ebyrob · · Score: 2

    Give me a break. You go count the number of "root" exploits in Apache, then you go count the number of exploits in IIS that allow "arbitrary code execution". (Especially the number of days versions with such exploits remained current after disclosure)

    When you're done come back and try to say that again with a straight face!

    Not putting Apache on an LDAP server is simply a good practice that is easy and "default" so it's generally done that way. IIS on the other hand comes default installed and fully exploitable on MS server OS. Why should I have to be un-installing/disabling IIS on every new server install (or sometimes system update)??!!

    1. Re:Apache has its share of exploits by duffbeer703 · · Score: 2

      Why are you manually installing Windows 2000 Server?

      Don't you have a sysprep image of a default server base for your site?

      Who has 1-2 hours to spare fiddling with server installs?

      --
      Conformity is the jailer of freedom and enemy of growth. -JFK
    2. Re:Apache has its share of exploits by ebyrob · · Score: 2

      Being a programmer rather than a sys admin I don't install a new system more than about one or two times a month, and that's at busy times. Also, the systems I do install are often on very different hardware, especially when provided by the customer.

      Guess I could give sysprep a try, but I'm not sure how it'll handle the variances in hardware.

      Course I'm not sure how sysprep is going to help when installing SP3 on existing machines and IIS (and who knows what else) gets re-enabled...

  80. yes, I can explain that. by Erris · · Score: 2

    why is it such a terrible thing if a government office standardize on some license requirements (e.g. only buy free software) allowing any vendor to compete, but not a problem when a government office standardize on a single vendor, and accept whatever license that vendor provides?

    That is the scandal, the sole source requirement. There's only one company that makes M$ OS, and it's proven inferior. So, my government is spending my money to purchase inferior software without bids. There are many providers of free software and the lowest bidder mandate that government is supposed to live by would always pick one of them.

    Single vendor bids ordinarily are seen as a sign of fraud. Here, it looks like incompetence.

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
  81. pfS. ? by solferino · · Score: 2


    post facto scriptum ?

    i like it

  82. Re:Gross Distortion of the Public record by Alsee · · Score: 2

    The Indian Trust fiasco dates back to the turn of the century but the recent court action those quotes came from was from a lawsuit against the previous Interior Department run by Clinton. Please get your facts straight...

    My post intended to give a quick general idea of the situation. I didn't think an 18 page post running back to 1887 was appropriate.

    Most of those quotes WERE from stories about the lawsuit against the current Interior Department under Bush. Many of my snippets happened to come from parts where they discussed the relevant recent history demonstrating it as a big, ongoing problem. My apologies if too many of my quotes referenced the Clinton era. Perhaps these quotes will help, all restricted to the Interior Department run by Bush:

    "After seven months of deliberations, a federal judge this week finally delivered his decision on the Bush administration's trust fund contempt trial.
    It was a big one.
    U.S. District Judge Royce Lamberth held Secretary of Interior Gale Norton and Indian affairs aide Neal McCaleb in civil contempt for providing misleading information about efforts to fix the broken Indian trust. A 267-page ruling blasted the pair for committing a fraud on the court for actions that occurred under their watch and that of their predecessors. The decision found misconduct on behalf of attorneys handling the case too."

    Bush officials made "fraudulent" claims of progress, the ruling noted

    In a scathing decision largely directed at the controversial Bush appointee, U.S. District Judge Royce Lamberth recited a laundry list of behaviors that bordered on misconduct. Griles omitted key facts, stretched the truth and violated legal ethics principles by going public with the Bush administration's disdain for court oversight, the 18-page ruling stated.

    there's no indication that the Bush administration is backing down. "The government is going to fight this no matter what, even if it's morally, legally or ethically in the wrong,"


    Better?

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  83. Re:Gross Distortion of the Public record by Alsee · · Score: 2

    The problems with DOI were ongoing.

    Yes, ongoing for around 115 years, but the topic was the current situation.

    Norton was lambasted by a frustrated ass of a judge

    Calling the judge a "frustrated ass" without any statements to support it is not +1 informative, +1 insightful, or +1 interesting. It is -1 flamebait or -1 troll, though if you're lucky a 12 year old moderator might give you +1 funny.

    The judge's ruling clearly places Norton's and the other officials' current behavior in the wrong, and every story I've come across has apparently agreed with the judge. Inheriting a bad situation does not excuse current misconduct.

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  84. You keep missing the point by TheConfusedOne · · Score: 2

    The issue isn't whether maintaining a nice homogenous system is easier. Of course it is.

    The issue is that you can never get to that homogenous system. Tell me how long you think it would take to upgrade 50,000 machines so that they're all running 2K or XP? Additionally, you have to upgrade all of the servers as well.

    Throw in migrating the domain and user structure (if you have that) to Active Directory. Also, any applications currently running on non-MS platforms that won't get a waiver...

    If you're starting from square one then standardizing on one OS might be useful. As for a retrofit of a country-wide organization? It'll never happen.

    --
    --- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
    1. Re:You keep missing the point by TheConfusedOne · · Score: 2

      And it's not that hard. I can install 50,000 Win2k machines in about 10% more time than I can install 10

      Bull! Unless you take a REAL long time to install 10 machines. Just getting those other 49,990 machines out of boxes and set up on people's desks takes a huge amount of time. Not to mention ordering them in the first place, receiving them, inventorying them...

      How about those servers? Migrating the user's data from the old box to the new one?

      --
      --- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
    2. Re:You keep missing the point by TheConfusedOne · · Score: 2

      Yeah! You now have 50,000 machines (assuming you have approximately 50,000 network connections and appropriate electrical supply) configured and ready to go.

      So the whole reboxing them, shipping them, getting them unboxed, and users migrated to them is merely a "worker drones" task to you?

      Well guess what, those tasks take time. Significant amounts of time. That's the problem. You need to get all of the resources together to buy, receive, configure, ship, AND deploy those boxes before you'll get ANY benefits from "conformance".

      That was my whole point. The time involved to get to that point is too prohibitive for a going concern. By mindlessly standardizing on one OS and claiming the benefits of "conformance" they're making a justification that just won't pan out in the real world.

      In other words, the claimed benefit will not materialize and they will have accepted the cost anyway.

      --
      --- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
  88. Then I guess you'd better whip up the DoI a quote. by TheConfusedOne · · Score: 2

    Here's some information from the DoI site concerning physical resources/inventory: http://www.doiu.nbc.gov/orientation/physical.cfm

    Give that a good read over. Then tell me how you would go about creating a "conformance system" for a group that widely varied.

    Interesting points to know:
    1) The DoI includes the US Geological Survey. They'll be a fun group to migrate. (The U.S. Geological Survey rents 4.4 million square feet of space in about 220 GSA buildings nationwide; owns 35 installations with 1.2 million square feet of space in 287 buildings. In addition, the USGS maintains and operates an earthquake monitoring network comprising a global seismographic network of 120 stations located worldwide and national and regional networks located throughout states and territories, 14 geomagnetic observatories, one landslide network, one volcano hazards network to monitor 44 U.S. volcanoes, 17 science centers and associated field stations, a center for biological informatics, and 7,000 streamgauges.)
    2) The Bureau of Reclamation administers or operates 348 reservoirs, 58 hydroelectric power plants, and more than 308 recreation sites. Don't forget all those control and monitoring systems at the reservoirs.

    So, where's the cost savings in this project?

    --
    --- I wish I could hear the soundtrack to my life. That way I'd know when to duck.