CCIA Urges Dept. of Homeland Security to Avoid Microsoft
An anonymous reader writes "The Inquirer has posted an article reporting that the Computer and Communications Industry Association (CCIA) has urged the US Department of Homeland Security, in an open letter to Tom Ridge, secretary of the department, to avoid using Microsoft software because Microsoft's software is 'riddled with obvious and easily exploited vulnerabilities.'"
The Department of Homeland Security continues to use Microsoft products despite massive flaws, just like everyone else for whom familiarity is more important than actual security.
Asking what else there is to use. ;>
On a more serious note... blah
Mod me down, I'm a newf (wiki)
Unfortunately, there is ample evidence that for many years economic, marketing, and even anticompetitive goals were far more important considerations than security for Microsoft's software developers, and these broader objectives were often achieved at the cost of adequate security.
Duh...
to use OpenBSD without a windowing environment, or any ethernet interfaces.... "most secure setup in the world" the report claimed. When the department asked about usability and productivity of these other avenues they were told "STFU n00blah and RTFM".....
If Ridge and DHS don't already know this, they've been asleep. I do work for the Defense Department, and we won't consider using Microsoft code for anything that's important.
Government spending is just another way to dump money into the local economy, while rewarding campaign contributions.
Man, if it wasn't for timestamps, I'd swear we were in 15th century Britain. Hello Fifedom!
You think that I'm crazy, you should see this guy!
a few security adm templates, patches, service packs, reg hacks, etc. etc.
and you're fine.
And what happens when the DHS begins to use Linux/Solaris/et al and the attackers focus their attention on these products and find numerous and obvious vulnerabilities?
People tend to forget that more holes are found in Microsoft products partly because more people use Microsoft products. As a result, that's where the attackers focus a great deal of their energy. Linux would have the same problem if it had Microsoft's market share.
What happens if SCO goes after the Department of Homeland security for using something like linux? Would it be considering terrorism?
I've left to find myself. If you happen to see me, please, keep me there until I return.
"Now you tell me!"
Amazing! A company whose tag line is "open markets, open systems, open networks, and full, fair, and open competition" urges the adoption of open source software? And The Inquirer posted this MS bashing news story?
Next thing you know, it will be linked off of slashdot. This is highly irregular behavior, and very newsworthy.
Slow news day?
Take cover people - penguins at 12 o'clock.
Now if only we could mod lead stories as flamebait.
I'm going to mention this in my class, in front of everyone. I'm also going to tell them how flaky XP and MS products are in general!
This is a lesson to us future PHBs!!!!!
There is no spoon or sig.
Microsoft isn't that bad. They're getting more attention and anger transferred to them from virus writers because they're the biggest company in the industry. Nothing's perfect & security is the hardest aspect of a software system to test and validate. And frankly, I think their model works better than Red Hat's, where I get 3-5 emails a day notifying me of critical software fixes. I just don't have that kind of time.
Microsoft supports terrorism!
The OMB (Office of Management and Budget?) just added MacOS X and Linux to approved OS's to use for government applications.
With the right push, we might see the tides change in *nix favor.
Seriously, if this guy really wanted to help out the government, he'd be suggesting that they keep their systems patched and stripped down and firewalled, and that they employ and expert security team no matter what OS they are.
The fact is, you can make windows as secure as any other OS out there, as long as you know what you're doing.
I think it's fishy that they don't back up their "obvious and easily exploited vulnerabilities" claim with any real examples. The only evidence they provide is Blaster and SoBig -- an exploit for a vulnerability patched a month in advance, and a simple dumb-user email worm. Unfortunately all anyone sees is the fact that two worms came out near the same time -- and not the fact that they could have been prevented easily by more competent sysadmins and informed users.
Anyway, I think it would be cool to see the DHS use a less-mainstream OS. But I don't think this open letter makes an argument any more sophisticated than the "microsoft sucks! You'll get a million viruses dude!" spouted off by any 13-year-old linux zealot.
The following sentence is true. The preceding sentence was false.
dpvtank@hotmail.com
ANY software can be compromised to ANY degree. There are just as many exploits lurking in an Open Source distribution (let's face it, it's rare that someone uses ONLY the Operating System), as there are in anything.
Implementing (and adhering to) strong policy, working diligently to keep systems updated, and keeping users informed: these are essential parts to creating (and maintaining) a "secure" infrastructure.
Granted, it's easier said than done; but it's possible. There are FAR MORE corporations/entities that DID NOT get affected by blaster/sobig/melissa/codered/etc. than there are corps/entities that did.
It would be totally inappropriate for a government agency to blacklist a specific vendor without going through extensive hearings. That does not mean that they should not consider the vendor's history when evaluating each purchase. For the anti-MS crowd that means that they should reject each MS product individually.
More seriously, they need to evaluate what their software requirements are. I strongly suspect that they need software which will:
The best way to convince Tom Ridge and the DHS to do anything, is to scream your lungs out at them /not/ to do something.
Good Lord, what a steaming pile... You're even worse than the *nix zealots.
Everything's got flaws, but Microsoft is documented as demonstrating a disproportionally high frequency of them. Inside and outside their dominant markets.
Reading through the article, I'm concerned by the severity of some of the failure examples cited. In particular, that relating to the disabling of a nuclear power plant's monitoring system. Maybe I should wait until after I have had my coffee but, at risk of embarrassing myself, I have to ask. Why in the world is an energy company's critical system attached to its common network? Why would they configure their network topology in such a way that would permit an email-borne virus to infiltrate such a critical system? What are they achieving via NetBEUI that cannot otherwise be accomplished via SSL-based socket communications? (I'm assuming the NetBEUI part but, other than file-sharing, I can't imagine any other purpose.)
Ryosen
One man's "Troll, +1" is another man's "Insightful, +1".
Come on, people, take a look at the membership of this organization and ask yourself if they would EVER take a position which was NOT anti-microsoft. This is not some middle-of-the-road computer science organization, it's a lobbying organization with an axe to grind. That MS software has security flaws is a given, and their position in this case may well be correct, but the CCIA's opposition to MS software is NOT news.
I suppose for a really secure server they could use OpenBSD. I am working on setting one up at home to play around on, but I've been reading that there hasn't been a remote exploit in many years. While usability is somewhat... lacking, it's not impossible to configure and evidently very secure.
Hooray for Fear, Uncertainty and Doubt!
Is that really the case? Are there really that many more vulnerabilities in MS operating systems than any other?
Or, is it just that since there are so many machines running Microsoft OS's, it is just easier to find and exploit these bugs?
I have yet to be convinced that the open source model truly leads to fewer bugs and vulnerabilities. Yes, more eyes can see the code, but still these many pairs of eyes miss things. Look at sendmail for crying out loud.
Check out our infosecurity industry blog: http://securitymusings.com/
Parent is obviously a troll. Don't bite.
Well, this may be all well and good for government applications, as when dealing with resources of the government, security is obviously of the utmost importance. Let's be realistic, though. More damage is done to government and commercial sites by infected HOME user machines than probably any number of virii/worms that have slipped through some lazy sysadmin's email filters. A network is only as secure as the nodes remotely connected to it.
Too bad Linux-philes are running in too many (bleeping) directions to unite and make an operating system worthy of the Ma and Pa test. Tons of free software, very few general domain standards, and too many zealots who will see that it stays that way forever.
Pa: What the hell is a shell, and why do I want to make in it? That sounds like a Destruction Man reference. This thing is filthy and too complicated.
They came, they saw, they left, disgusted.
So can Open Source developers do a better job of building secure software? Is this an area in which Open Source software can compete with Microsoft?
Yuioup
Anyone else happen to catch the CCIA's street address?
There's a joke in there somewhere..
A quick look at About CCIA lists the following:
Our member companies range from Sun Microsystems, Fujitsu, Nokia, Nortel Networks, Tantivy, Time Domain, and Vion to AT&T, Verizon, NTT USA, Oracle, Intuit, Yahoo!, Sabre, and AOL
It's the who's who of MS competition.
The only way this will change is if the homeland computers are compromised, and used to launch an attack that scores some moderate success, e.g., taking down an airline reservation system, or DDoS'ing some government computer system. Only then will homeland get the message that Microsoft's insecure code is a liability.
Perhaps some hackers will see this as the challenge.
Well, let's certainly hope that if DHS does decide to switch to open source, that it's not because CCIA advised them to. Making security decisions based on the allegations of some lobbying group, be they valid or otherwise, is pure idiocy. Do some independent research for Christ's sake.
Maybe this letter is a step in the right direction in this regard, but I have to believe that DHS already knew all of this. They are, after all, a government department DEDICATED to security.
... Tom Ridge's mother sent him an open letter reminding him to "brush your teeth dear, make your bed, and please wear your galoshes. I think it might rain this afternoon."
Ridge declined comment, but it was noted that no one stood too close to him as he spoke.
It's not considered polite to insult open source operating systems and their user interfaces in mixed company.
There are no karma whores, only moderation johns
"Race condition in app may enable a local DoS of said app in pre-2.4.18 kernels. Problem located and fixed by app developer one week after introduction in a previous patch."
Just doesn't cause quite the same exhilarating sense of alarm as:
"Critical flaw in OS DCOM service allows a remote attacker to completely hijack machine. Problem located by hackers and known/used for an unknown length of time before vendor alerted. Fixed by vendor, but flaw in vendor's update system causes many failed patches to register as complete."
Actually, it's common sense. What was I doing while everyone else was scrambling to remove Blaster from their PC and updating their patches to prevent more attacks? Nothing... I run Linux, and although yes, it does contain security flaws, the source is open for peer review, which results in exploits/flaws being found and patched quickly, as opposed to being forced to wait for MS to release patches.
And no, this isn't because of the recent attacks... Windows has proven to be, by nature, riddled with security flaws that go unpatched for months at a time... meanwhile the system is just sitting there like an unlocked car with the keys in the ignition.
Nice place to store sensitive data.
More than you realize. MS has made it easy for terrorists to break into our systems AND steal a large amount of credit cards/money. This is not about just disrupting us, but more about funding themselves.
This example is pure FUD. The power plant mentioned has not been in operation since Feb of 2002 and it also had backup systems in place that were not affected.
The reason the plant was not in operation? There was a 5 inch+ hole forming in one of the reactor heads! Much scarier than a worm disabling the monitoring system which went to a backup system as designed. I recall reading about them discovering this bulge/hole and how there was a flaw in how safety inspections are carried out within nuclear power plants. It should be simple to find archives of the incident via Google.
Finally, the "critical system" was not attached to a public (common) network. It came in through a contractor's WAN line where an affected computer was introduced to the network.
Please check your facts before spewing this info to folks. The only thing it was missing was a plea of "think about the *children*!".
The fact is, you can make windows as secure as any other OS out there, as long as you know what you're doing.
Can you?
Can an NT administrator, using user level tools, perform the equivalent of a chroot jail? Can he make specific apps suid or sgid?
While Windows technically does not imply use of other Microsoft products, it does tend to be correlated with it. Outlook has had numerous poor security decisions that a mail admin simply cannot fix. IIS has also had poor architectural decisions. Remember MS swearing that they'd rewrite the thing from the ground up for the next release? The design of IE -- permeating the entire OS, providing many services to applications, and with no internal security model in place -- makes for all kinds of nasty problems. It's a great way for spyware to slip past personal firewalls, it's used in places like Outlook where a full-blown HTML renderer with the huge variety of features it has is a pretty bad idea from a security standpoint, and it provides a high degree of control to remote websites over the local computer -- much higher than Mozilla's.
The MS Blaster issue wasn't actually all that egregious, AFAIK. It's not like UNIX systems haven't had RPC flaws in the past, either. The real problem was the number of unmaintained machines that were vulnerable. I'd call something like Melissa, that relies on phenomenally stupid security decisions from Microsoft ("let's have an automatic execution environment in our documents, which are intended for wide interchange!"), much worse.
May we never see th
2002
Microsoft Yearly Earnings $6.16 billion.
Microsoft Cash Reserves $46 billion
Microsoft Market Share 92% of the Desktop
Watching Ed Black poke Microsoft with the sword of its own making - Priceless
No, it just happens that these particular moderators didn't know about "Duh", so they got information from that post.
I'm as much of a Linux advocate as the next guy, but it would be a HUGE task to migrate all of the United States Federal government Microsoft-based systems to Linux, especially if there was some sort of mandated short timeline.
The relatively easy part would be replacing simple desktop functionality. The not-so-easy part would be identifying and analyzing all of the custom software used by the US Federal government that is deployed using Microsoft-specific technology (e.g. Visual Basic).
Even if there IS a shift from Microsoft to Linux (or any other platform), out of necessity it will need to be a slow and careful process.
They're getting more attention and anger transferred to them from virus writers because they're the biggest company in the industry.
That statement is definitely correct, but even if Windows can be set up to provide the same level of security as Linux, the fact that MS is being targeted to a much higher degree than Linux makes MS systems much more vulnerable.
So an organization whose tagline is, OPEN MARKETS, OPEN SYSTEMS, OPEN NETWORKS, AND FULL, FAIR AND OPEN COMPETITION, is asking that the department of homeland security not use Windows based on security concerns. For crying out loud, their mission statement is the following:
CCIA's mission is to further our members' business interests by being the leading industry advocate in promoting open, barrier-free competition in the offering of computer and communications products and services worldwide.
Maybe I'm missing something, but this seems like nothing more than a high powered Washington based lobbying group whose business constituents are diametrically opposed to Microsoft. How is this even news?
" because Microsoft's software is 'riddled with obvious and easily exploited vulnerabilities.'"
and so is everything else. AND? Why is this news?
You can hear faint laughter from a basement in Iraq, perhaps echoed from some remote cave near the Afghan-Pak border.
My rights don't need management.
I think their model works better than Red Hat's, where I get 3-5 emails a day notifying me of critical software fixes
If you took a few minutes to read those fixes you would realize almost all of them are "proactive", that is, they are fixing vulnerabilities, before an exploit is made against them. This is intrinsic in the OSS model, where experts worldwide examine the source code all the time, for instance in university classes and research centers. Commercial, closed-source software, on the other hand, usually is examined only by crackers who throw anything they can at the software until it breaks.
Personally, the system I prefer is Conectiva's, where apt-get is combined with rpm packages. Running "apt-get update; apt-get dist-upgrade" each time I get a vulnerability warning takes much less time than deleting spam, even in my relatively well protected email account.
If I had gone and said the North American power grid should be replaced in the wake of the outages [ . . . ], I would have been accused of countless acts of civil disobedience.
My first question is what is wrong with Slashdot? I mean someone saw fit to give the parent coward "Insightful" for what she or he wrote? Someone wind the clock back before 2000 when Slashdot wasn't frequented by Microsoft apologists.
I'm not sure what makes you think your exercising your 1st Amendment right to speak freely (assuming you're a US citizen) would be branded civil disobedience, but in case you're really worried (and not just ranting) know you're in good company: first, the outage of August 2003 has produced a US-Canadian task force to investigate problems with the aging power grid. In fact, the power grid is so important that it is the subject of dozens of assessments conducted by the North American Electric Reliability Council. Let's just say that NERC is not sanguine about the reliability of the North American power grid. The problem is so widespread that even US lawmakers anticipate a massive political dispute.
Regarding your comparison of the power grid to the Internet, network events such as MSBlaster and Sobig.F highlight the fragility of an information network built of insecure nodes. At present, the overwhelming majority of the nodes of the Internet are powered by Microsoft software. For better or for worse, "press releases and open letters right at the wake [sic] of major worms" draw attention to the real effects of maintaining so insecure an information network. MSBlaster and Sobig.F are not theories but facts and so prove the unreliability of an Internet composed mainly of Microsoft-powered nodes. The timely discussion of network events such as MSBlaster, Nimda, Code Red, Sobig.X, etc. in the press should, in my opinion, be an obligation of network administrators.
Given your post, you'd probably have us ignore the problem in the hopes that the next worm/virus/trojan does not damage our shared information network even more spectacularly. Thanks, but I would rather disseminate information and share data about such network events rather than stop my eyes, ears, and mouth with sand.
blog
If it's a costly and drawn out project I'm sure they'll be on the short-list.
I didn't see or hear anything about the Blaster worm for several days or anything, until the trickle down hit people I knew and then I had to find out how to fix it. Why? 'Cause I'm a cave dweller, but not my machines: as they were sitting behind my OpenBSD firewall they were totally unaffected, so troll all day about OBSD, but the fact is it beats the fuck out of Wintendos for security any day. That's what you get with regular code audits instead of adding extra witty Clippy sayings...
but my guess is with a troll based around no windowing system you're an apple fanboi
to write a Linux virus, M$ will be releasing hundreds of them every month.....
PEÑAROL: You will be eternal like time and you will bloom every spring.
...the terrorists will be able to shut down the whole department-- they just need someone to pose as a "disgruntled former employee" and call the BSA tipline. The resulting software license audit will tie up DHS resources, and for a while the terrorists will have carte blanche to prepare their next attack.
Windows identifies a file as an executable by its extension (.exe, .com, .pif). If you download an executable from the Internet, you just need to click on it to run it.
Unix/Linux identify a file as an executable by its permissions. By default all files are created as rw- (read, write, no execute).
If you download an executable from Internet, you need to explicitly give it execute permission before being able to run it.
That doesn't mean that a virus for Linux is impossible to create, but it will be much more difficult to get a user to run it and it's impossible to execute it by mistake.
So, regarding viruses, yes, Linux/Unix is far more secure than M$.
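The two models described in this comment, as an added example that is not part of the original post: a small Python script that creates a few constructed "downloaded" files in a temporary directory and asks, for each, whether Windows would treat it as runnable (by extension alone) and whether a Unix system would (by mode bits alone). The extension list beyond .exe, .com and .pif is an assumption of this example, and the POSIX results assume the script runs on a Unix host.

```python
import os
import stat
import tempfile

# Constructed list for this demonstration: the extensions Windows treats as
# runnable on click. The comment names .exe, .com and .pif; the rest are an
# assumption of this example, not something the page states.
WINDOWS_EXEC_EXTENSIONS = {".exe", ".com", ".pif", ".bat", ".cmd", ".scr"}


def windows_treats_as_executable(name):
    """Windows model: the file name's extension alone decides."""
    return os.path.splitext(name)[1].lower() in WINDOWS_EXEC_EXTENSIONS


def posix_treats_as_executable(path):
    """Unix model: the mode bits alone decide; the name is irrelevant."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def simulate_download(directory, name, data=b"#!/bin/sh\necho hello\n"):
    """Write a file the way a download lands on disk: rw-r--r--, no execute bit."""
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, 0o644)  # rw- for the owner, read-only for everyone else
    return path


def make_executable(path):
    """The explicit step the comment describes: the user grants execute permission."""
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)


def classify(directory, names):
    """Return {name: (windows_view, posix_view)} for freshly downloaded files."""
    result = {}
    for name in names:
        path = simulate_download(directory, name)
        result[name] = (windows_treats_as_executable(name),
                        posix_treats_as_executable(path))
    return result


def demo():
    """Create constructed downloads in a temp dir and compare the two models.

    Returns the per-file views before any chmod, and the Unix view of
    script.sh after the user deliberately marks it executable.
    """
    with tempfile.TemporaryDirectory() as d:
        before = classify(d, ["setup.exe", "notes.txt", "script.sh"])
        script = os.path.join(d, "script.sh")
        make_executable(script)  # the deliberate chmod u+x
        after = posix_treats_as_executable(script)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for name, (win, posix) in before.items():
        print(f"{name:12} windows={win!s:5} posix={posix!s:5}")
    print("script.sh after chmod u+x: posix =", after)
```

The point the script makes visible is that setup.exe is runnable on click under the extension model the moment it lands on disk, while under the permission model nothing in the directory runs until someone issues the chmod, regardless of what the file is called.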
PEÑAROL: You will be eternal like time and you will bloom every spring.
"Well, two organizations support Microsoft, only one against" said Tom Ridge. "I guess that means we'll stick with Microsoft!"
Ahh, I love the words Homeland Security. That "War on Terror", it's gonna be just like that "War on Drugs". You know, it's great that people can't buy drugs anymore.....
Finally: a reality TV show for the rest of us!!
Truth isn't Truth - Giuliani
Open letter to Tom Riddle, Microsoft: your software is riddled with vulnerabilities!
Reminds me of something...
I would watch *this* show.. (with popcorn!)
"Yea, but if we use Linux we have to pony up megabucks to those SCOBozos. Not fine for the bottom line.." :)
The reason it has been unpatched for months at a time is because IT guys aren't doing their jobs. I have all of the computers in my department set to download any new Windows Update patches, then install them at 3:00am. Was I affected by the MSBlaster worm? Well, I had two machines out of 150 infected, and only because I missed them when I set up automatic Windows Update. However, it didn't spread to the other machines in my network.
Substitute "leading desktop operating system provider" for Microsoft and you will get something more credible. If Linux were to ever take over the desktop market just as many bugs could be found, because it would be "the thing" to exploit, just as Windows is right now.
Just to save anyone the time, I will ridicule myself for posting as an Anonymous Coward, but I don't feel like putting up with an angry mob of elitist geeks right now.
FYI
The inquirer article incorrectly states 300 billion. The PDF states 200 billion.
Being off by 100 billion dollars is slightly significant.
- Zav - Imagine a Beowulf cluster of insensitive clods...
I have started doing that where I work. Whatever has no equivalent in Linux, I run under Wine, temporarily, until I find a better way. Nowadays, I'm about 99% MSwindows-free, and about 80% Microsoft-free, that is, I boot under MSwindows less than 1% of the time and only one out of five programs I use regularly comes from MS.
Look, in place of "Microsoft" in your post insert the word "government." How different is it? This is not to say Microsoft _is_ going to be our government (although billg might like that), but that, for a very long time now, domestic and foreign political issues have been examined and dealt with almost exclusively as economic issues.
Economics is the New Way, and the hell with true security and the constitution. The US continues to prop up monster governments not because they believe in what this country ostensibly stands for under the constitution, but solely because they provide us with something we need; usually oil.
There's nothing wrong with needing oil, it's useful and plentiful (if it's not plentiful google "DeBeers.") We're living through the last throes of 1) The countless proxy wars we and the Soviets fought from the late 40s to the 90s. We (the US), have created most of the monsters that so hate us now because we tend to abandon our allies once they no longer serve our purposes. And, 2) The death of religion. I think it's becoming increasingly difficult to postulate a supreme creator in the face of the murder of people, especially children, one sees in the world today. All there is is tautologies, circular logic and appeals to ancient scriptures that always, always, go back to, not a god, but a human being who says they have the Word directly.
If there was a God, anybody's God, all of this sorrow could and would be cleaned up in an instant. But what do you see? Planes crashed into buildings for nought, Irish school buses blown to bits for "noble beliefs" while the Pontiff sits on his ass. Children's arms chopped off to pleasure forgotten tribal dictates.
You may not like what Science has given the world, but it's the only thing that has delivered the goods; Good and Bad. End of rant.
As said way above, people want to use something first, then they want to make it secure. Microsoft wants to make money, and expand their market, so they create new technologies that only work on MS systems.
If MS would stop for a bit, and stop thinking of themselves as the pioneers, then perhaps they can think of the more important things, like security. Until then, people will keep buying MS because it's easier to use, and MS will keep creating more functionalities, as the letter put it.
Microsoft continues because it made computers easier to use. We're in a world where people don't want to learn new stuff, just do. They don't care how or why it works, just that it works. Microsoft will still be insecure unless they reconsider their goals and their purpose (currently it appears to be making money). And, Microsoft will still be used until *nix develops ease of use.
--<Mike>--
As this article just came out. Pretty interesting.
Basically, it says patching and patch management has gotten out of control, but 99% of the verbiage in the article seems to be referring to Windows (ha, I typed Sindows by accident. Or maybe it wasn't an accident? Bum bum bum BUUUUUUUUM!)
And the best thing is, all the above is absolutely true.
You know a product is seriously flawed when an enumeration of its most recent flaws and disruptions sounds like the scenario of one of these movies where a computer takes over the world, but it turns out it's evil, oops.
I dunno about the robustness of MS products. But kudos to the thickness of their skin. I, as a developer, would have died of embarrassment and remorse long ago. But do I see an epidemic of seppuku in Redmond? Nope.
Anyway, thanks to Bill Gates for providing thousands of $10/hr helpdesk jobs to students who are right now scrambling in dorms and labs and applying patches to infected machines.
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
Agreed, capitalism is great, but we're arriving at the point of extremism. Common sense should regain some terrain or we'll become victim of ourselves.
You, sir, are an idiot! for two reasons:
1. for automatically rolling out M$ patches without testing them first. One day you will come in to find the entire company down! Let the fun begin!
2. For actually believing that this is sufficient to guarantee that you are up to date on patches. The M$ patch procedure has well-documented flaws in their auto-update procedure that will say the patch is installed when it really isn't. There were people posting here on Slashdot that got burnt even though their systems said they were updated with the correct patches.
> Microsoft supports terrorism!
So by the PATRIOT Act, Microsoft must be detained without trial in Guantanamo Bay for an indefinite period of time.
Cool.
I don't want to make any comment on the issue itself, but I do want to ask, why does the CCIA rep feel the need to quote a Washington Post editorial in his open letter?
Quoting someone to add weight to your argument, whether it's a philosopher, pop star or journalist, generally removes credibility from what you're saying because it suggests that you don't feel your argument is strong enough on its own.
If I were posting a comment on Slashdot about security, for example, and I quoted a security expert, then that would be fair enough because the intention would be to reference knowledge that I couldn't personally have.
But the CCIA published their open letter because, supposedly, their opinion is important and should be taken seriously. Quoting a journalist, especially at the conclusion of the letter, seems inappropriate and even a little desperate.
In fairness, the article you cite is based on six-year-old policy, well before both the recent world-wide "killer" worms/viruses and before the wave of many actual exploits kicked in. It's quite possible the policy has changed in that time.
And of course, the quote was right. Windows 2000 was much more stable than any previous Windows OS, maybe even comparable to a Unix platform if both were set up by a reasonably competent sysadmin. Such a shame about XP... ;-)
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
You can't be an administrator because if you were, you'd know that Microsoft patches are notorious for causing other unrelated problems. Even Microsoft engineers don't fully patch their systems because of this. (any google search will confirm this)
Any administrator worth his salt would test out any system patch with current system configurations to measure the impact of how useful the patch is, since sometimes the cure is worse than the disease.
This is especially true if something that you're not using gets patched and causes problems with something that you are. In the past, you could get individual patches (like you can with up2date in RedHat) and choose which to install. These days, Microsoft has decided that they want everyone to use service packs so it's all or nothing. And to install service packs, you have to click on a EULA with more and more invasive terms each release.
If I had mod points, I'd give you +1 funnah for the security guard analogy.
If anyone managed to get the pdf, please mirror it for the rest of us....
Thanks!
One reason people don't like to patch MS software is that the patches or other changes often change unrelated settings without warning. So, Microsoft products have insecurity on a psychological level, too. You never know what new software problem will sneak into your life.
Maybe MS software is not only fundamentally insecure, but also fundamentally sloppy, and gets part of its insecurity through sloppiness.
The CCIA letter implies that there was intelligence behind the insecurity, that Microsoft was seeking higher profits: "Unfortunately, there is ample evidence that for many years economic, marketing, and even anticompetitive goals were far more important considerations than security for Microsoft's software developers, and these broader objectives were often achieved at the cost of adequate security."
However, more and more it appears to me that a lot of the problems with Microsoft software occur because the programmers have not been allowed to finish their work. The product is shipped and the programmer re-assigned rather than cleaning up the first draft.
If this was the first security incident involving Microsoft products, then yes, such comments may be inflammatory. But Microsoft has established a history of gross security failures in their operating systems and applications. With security problems plaguing Microsoft, encouraging the Department of Homeland SECURITY to migrate to non-MS products is not inflammatory, but prudent.
I would also encourage you to review the definition of "civil disobedience".
but the entire Navy/MC WAN is NT4
What is that I'm hearing? Oh, seems like it's just a bunch of Chinese generals laughing their ass off. Gee, I wonder why.
United States of America, good ol' backers of world peace.
And I sold out at $110. Course, I bought $15 grand's worth in 1986. Nice view from my lakefront home, go Microsoft!
Wish I had bought twice that.
The United States Air Force is Microsoft's largest customer. ... The Air Force is readying the system for combat
Pronounced feefdumb. Long e, the second syllable was recommended by the resume police. I know, I omitted the diacritical mark from resume, stupid Windows OS.
It's French, look it up cheese eating surrender monkey who doesn't look in on his elderly neighbor in 90 degree heat.
Can you back your claims up with data? How do you know MS publicly announces only a small fraction of known bugs unless you have some kind of detailed knowledge of those that are kept secret? And how do you derive your figure of 8 new announcements?
Isn't that because they went to War ON Drugs? There was probably no intention of completely getting rid of them. Too useful as population control...
The real threat is that when you have a closed system, you have a central point of failure (Microsoft) and you don't have the flexibility to change and modify things when you need to. Anyone who's read the "Art of War" knows that real defense is about how flexible you are, and that you are able to deal with the exceptions, not the rules - or how easy it is to change your stripes and adapt to changing situations and threats. You simply can't do that through a closed one-vendor system, no matter how much you plan. You simply can't do that when you can't access the source code, change it, and share those changes freely; you simply can't do that if you have to pay a subscription or royalty and keep tabs on every nook and cranny application and license - you can never decentralize, never regroup, never deal with unpredicted failures, when you're attached to a BSA dog-leash.
Just like freedom in the USA is the only real reason why it's so much better than the enemies, the freedom offered by Linux and the GPL has an internal value that makes it so much better than the alternatives. Only that is the end game, and only that is what will make us truly secure.
reads LIEk an armIE of phonIE ?pr? bots posting the defenses of the evile wons. LIEk the BugWear(tm) works just fine, & these guise are complaining because they're not billyonerrors? ms0k eye gas. is there ANY real fans of the felonious kingdumb of softwar gangsters? we think not.--
August 27, 2003

The Honorable Tom Ridge
Secretary
U.S. Department of Homeland Security
Washington, D.C. 20528
Dear Secretary Ridge:
In light of last week's events revealing additional serious flaws in the Windows software bundle, I am writing concerning the Department of Homeland Security's choice of Microsoft as the preferred supplier of desktop and server software for its computing needs. I strongly urge you to reconsider this decision.

The Computer & Communications Industry Association (CCIA) is an association of computer, communications, Internet and technology companies that range from small entrepreneurial firms to some of the largest members of the industry. CCIA was founded over 30 years ago and our members include equipment manufacturers, software developers, providers of electronic commerce, networking, telecommunications and online services, resellers, systems integrators, and third-party vendors. Our member companies employ nearly one million people and generate annual revenues exceeding $200 billion. Although we have always supported open, industry-wide fair and efficient procurement policies, we do not represent companies in the bidding and procurement process.

CCIA also has a long history of advocacy and expertise in the area of cybersecurity. We recently pointed out in submissions sent to the Administration and the Congress the importance of security testing, the dangers of relying on single suppliers for information technology, the inherent risks associated with homogenous systems, and the need for biodiversity among software components and applications.

We believe that for software to be truly secure it must be well written from the outset with security considerations given a high priority. Unfortunately, there is ample evidence that for many years economic, marketing, and even anticompetitive goals were far more important considerations than security for Microsoft's software developers, and these broader objectives were often achieved at the cost of adequate security.

Also, from a security standpoint, the lack of diversity within a networked system amplifies the risk emanating from any vulnerabilities that do exist. But diversity is difficult without interoperability, and the benefits of interoperating with more robust systems can be blocked if any dominant player does not cooperate in fostering interoperability. Unfortunately, numerous courts and government enforcement bodies, including the United States Department of Justice, have formally found that Microsoft has used technical barriers to inhibit interoperability with, and competition from, other software platforms and applications.

We are currently engaged in extensive security research in this area and our preliminary findings indicate the severity of the security problems relating to some Microsoft software is substantial. The news from the last few weeks demonstrates that this problem is not just theoretical, but real and immediate and one that imperils homeland security. In just the last two weeks, Microsoft products have been attacked by a virus and worm -- Sobig.F and Blaster -- but these are only the most recent examples of major security failure created by vulnerabilities in Microsoft's dominant software portfolio. The damage caused by these attacks is significant and has caused millions of dollars of harm to our economy, but security experts agree the damage could easily have been much worse. According to the Washington Post, Blaster and its associated counter-measures were responsible for the temporary closure of Maryland's Department of Motor Vehicles offices, failure of the passenger check-in system at Air Canada, an intrusion on the Navy-Marine intranet, and cancellations and suspensions of service on the CSX railroad.
What we need is a very large corporation to adopt 100% Linux (reference Guinea Pig in wikipedia) so that apps become more compatible and patches are more easily recognized.
Yeah. SCO, for example :-P Are you sure about that? What GNU/Linux needs is not a company as we know in the real way, but more developers to be able to offer the best product to the users through Open Source.
You have a lot of proprietary Unixes out there.
If the Department of Homeland Security were to be highly concerned about security, they wouldn't even have workstations with off-the-shelf distributions on them. They'd download the source code themselves, inspect it, and compile the distribution as an internal thing. And even according to the GPL, if it remains internal, i.e. no distribution to other parties, then they don't even have to say what their changes are.
In fact, they would be able to use a framework for distribution through their computer network modelled after Debian's or Slackware's or RedHat's, but with only their own versions of software in the update tree. This way, they can hire staff with existing administrative knowledge of the flavour of distribution that they choose, and the person will not really have much of a learning curve. Or, if they're really paranoid, they can write it themselves.
I'd personally recommend against having any personal computer on the user's desk. Give them an X Term that uses some kind of high-encryption tunnelling scheme to deliver the applications to the X Server, and have departmental-sized or building-sized computers for the users to work on. This ensures much better physical security for the equipment, with a fraction of the physical assets to watch, and better data integrity since it would be stored on some fault-tolerant medium like RAID5. With a properly implemented security scheme for user login, either with some kind of biometric ID or an actually decent password scheme, it would be relatively difficult to break in compared to normal corporate environments.
As for local security on the application servers, it would require a fairly decent file security model, but big computers have been done before. The implementers would have to work to ensure no local root exploits, but that would be good for the community as a whole.
Do not look into laser with remaining eye.
I would love to live in a foreign country. Why not move to India? The Indians that get paid less than us to do IT work still live around the same way we do because the cost of living is (MUCH) lower, yes? So just take all your shit with you and hang out over there for a while.
+++ATH0
We want Homeland Security to use Microsoft. This way when they inevitably overstep their bounds, we can shut off their Nazi wanna-be ass.
The Kruger Dunning explains most post on
Gay, Michigan zip code 49945 (Lake Linden) is north of Mohawk (49950), on the way to Little Betsy and Lac la Belle.
It has the Gay Bar as its only business. It would be filmed here. Too bad the snooty +2 surfers won't see this.
...help nothing when Joe Sixpack gets his "funny little program of the day" from one of his friends, and realizes he has to go through all those steps just to run it. Then he'll demand that it can be done by just double-clicking, and there you are. Not to mention, he'll be running as root as default anyway, because "he knows what he's doing" or thinks he does, anyway.
In the "going to have to try a lot harder to trick users into executing their code!" bit, it'll never be over until "trick" is the hard part, not "execute".
Kjella
Live today, because you never know what tomorrow brings
I'm sure they get the similar amount of lobbying from MS. If only one side does the lobbying, they'll never go against "all expert advice", unless they feel particularly omnipotent that morning.
If both sides quarrel, you can have your own independent research and go with what makes the most sense. However, OSS have never had any real lobbying group, I'd say this is just leveling the playing field. It'll still have to win on merits.
Dick Cheney, as we all know, is head of the Ministry of Silly Walks.
you all go on about all the flaws in linux and shit, well see, the difference is that linux's flaws aren't with linux itself, it's the apps that are used, the linux kernel itself is damn stable, the only really major flaw I've seen with it was back with 2.2 and the DoS bug. windows, down to the core, is flawed and riddled with security holes and other problems. it's not set up correctly, nor is it feasible for any kind of major government security, that's like basically showing your information off. use linux for backend, or if you're daring and don't wanna pay shit, use linux. but still, when it comes to ease of use, use windows as the frame of the machine, and use linux as the engine. linux has the security and power, and besides, I looked back on those linux worms, the worst of them all only hit 45 people, people who don't keep up on security, or lazy linux admins. and one more difference is that when a virus/worm hits windows, it ruins the system, a worm hits linux, first, it's a rare occasion, second, if you secure the permissions, etc and don't run anything but init and non-server related programs as root (all the net services have their own user accounts and groups) the worm won't spread very far. and its attack will be very weak and it'll get discarded right off (as simple as deleting a /tmp/ entry.)
anyways, that's where linux has the power, even the most secure of systems still can get exploited, but what makes the system truly secure is how well it can handle such worms after they've entered the system. Microsoft's idea of security is to make a strong ass wall that will stop all attacks right there, but that's a highly stupid way to go, because once the worm finds a hole or tunnels under the wall, the system is fucked, because there's nothing in the system that will save it. linux has this, so it's not the matter of who creates the bigger wall, it's how the enemy is responded to after it enters in. aka, trapped and destroyed, then the hole is mended.
that's true security right there.
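The point the post above makes about running every network service under its own unprivileged account is the privilege-separation pattern shown below. This is an added example for this page, not code from the commenter or from any Linux project: a C routine a daemon would call right after binding its privileged port, which drops to a service account and then verifies that root cannot be regained. The account name "nobody" and the fallback id 65534 are assumptions for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to an unprivileged uid/gid.
 * Returns 0 on success, -1 on failure (errno set by the failing call).
 * A target uid of 0 is rejected: that would not be a drop at all. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) {
        errno = EINVAL;
        return -1;
    }
    /* setgid() does not touch supplementary groups; clear them while we
     * still have the privilege to do so (only root may call setgroups()). */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* gid first: once the uid is unprivileged, setgid() to a foreign gid fails. */
    if (setgid(gid) != 0)
        return -1;
    /* setuid() from root sets real, effective and saved uid, so the drop is permanent. */
    if (setuid(uid) != 0)
        return -1;
    /* Verify the drop really is permanent: regaining root must now fail. */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    if (geteuid() != uid || getegid() != gid)
        return -1;
    return 0;
}

/* Choose the service account (assumption: "nobody", 65534 as fallback) when
 * started as root; otherwise keep the caller's own ids, so the routine runs
 * the same way whether or not the process started privileged. */
int demo_drop(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (geteuid() == 0) {
        struct passwd *pw = getpwnam("nobody");
        uid = pw ? pw->pw_uid : (uid_t)65534;
        gid = pw ? pw->pw_gid : (gid_t)65534;
    }
    return drop_privileges(uid, gid);
}

int main(void)
{
    /* A real daemon would bind its privileged listening port here, before the drop. */
    if (demo_drop() != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now running as uid=%u gid=%u; setuid(0) -> %s\n",
           (unsigned)geteuid(), (unsigned)getegid(),
           setuid(0) == 0 ? "succeeded (BAD)" : "refused (good)");
    return 0;
}
```

The order matters: supplementary groups and the gid must be changed while the process is still root, because after setuid() to an unprivileged user those calls are no longer permitted, and the final setuid(0) probe catches the common mistake of changing only the effective uid (seteuid), which leaves the saved uid at 0 and lets a compromised service switch back.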
That place seems to have an anti-Microsoft hardon... I wonder who's paying the bills?
This looks like just another lobbying attempt by MS' competitors. They do it, MS does it, everyone does it, so move along - nothing to see here.
Weird, I had the same experience.
Let's see, I get a Linux security update notification every day. I get a Microsoft security notification maybe every 2-3 weeks.
Let's see them get into my fully patched XP box. Really. All the recent viruses, etc haven't affected me. Security is as much dependent on the user as the software. Sure, it's fun to blame MS for the Windows security problems, but when the users don't apply the patches how can MS be on the hook? Off the cuff I'd say the average Linux user is much more technically savvy than the average Windows user. That certainly plays a big part in the security of the box.
Hmm... you managed to turn a discussion of Microsoft security issues into an atheistic rant... and got modded insightful. What the fuck? I normally don't respond to trolls but I don't have mod points to mod you off topic.
Damn right!!
BTW, I'm Canadian...
Oh well, what the hell...
If the Department of Defense is in charge of unprovoked attacks on countries that pose no threat, I don't see why the Department of Homeland Security shouldn't be doing everything in its power to make the U.S. less secure.
We all know that the MSBlaster came from Linux.
Have they no shame!
Help fight continental drift.
Your comment was very informative; while I was aware that the power plant was off-line, I did know the reasons. However, the fact still remains that too many companies integrate their critical systems with their common networks. It is not FUD (what was it that I was trying to create FUD over, anyway) but an observation based on my professional experiences. Not with this power company, mind you, but with a host of corporations that I have worked with in the past. Other examples cited by the media also indicate that this is a prevalent problem.
It's a shame that you did not stand behind your comment convincingly, however. Perhaps, next time, you won't be an AC when you flame people and, instead, will "think about the children."
Ryosen
One man's "Troll, +1" is another man's "Insightful, +1".
Lead by example. Think about it.
What are they doing?
Publically they say one thing, then go out and buy/install insecure systems.
They are supposed to be the best and the brightest, but it seems the crew there are too mentally feeble to learn something a bit different.
If you turn around and say we got MS for 'productivity' reasons, the Joe public and big business, can say 'for productivity reasons, we did not patch - and you failed to protect us'.
Time to set a good example fellas - and that includes checking your own for shonk qualifications.
The few critical flaws Linux has had have been truly catastrophic. The Apache and SSH ones were particularly bad, because these (especially SSH) often operate on even stripped down secured systems.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
I'm not denying that there is an OS that's gone for the past 15 years without a single remote root exploit, but I can't think of any offhand (even OpenBSD has had one).
And if you look at the membership list, it seems quite obvious that what they hope to push for is the adoption of their proprietary software.
The only code that is provably audited is code that has acquired an A1 rating from the US DoD. Absolutely no software you are ever likely to see will be A1-rated. The best OSes out there (e.g. Trusted Irix) are only B1-rated.
The difference is significant. The A* ratings require actual proof of security. They require that the code not only be looked at, but that the examination demonstrably have shown zero flaws in the code.
B* ratings were much easier to obtain. So long as you had the necessary features, and had done some decent quality control, you had a good chance of getting a B* rating.
If you want absolutely 100% watertight, proven code, with absolutely no defects of any kind, you are unlikely to be using any computer in the near future. Either that, or you're in charge of the NSA and can afford a computer that meets those kinds of standards.
I estimated, in a post elsewhere, that to do this for Linux would cost in the upper billions, lower trillions, per year. (This allows for continued development and addition of new code, along with the necessary checks to make sure that the new code isn't buggy, and that it doesn't interfere unexpectedly with what already existed.)
While I believe that it would be worth the money, nobody has the money to spend, or the manpower to allocate, to such a project.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)