Slashdot Mirror


CCIA Urges Dept. of Homeland Security to Avoid Microsoft

An anonymous reader writes "The Inquirer has posted an article reporting that the Computer and Communications Industry Association (CCIA) has urged the US Department of Homeland Security, in an open letter to Tom Ridge, secretary of the department, to avoid using Microsoft software because Microsoft's software is 'riddled with obvious and easily exploited vulnerabilities.'"

18 of 413 comments (clear)

  1. Duh... by Manic+Ken · · Score: 2, Informative

    Unfortunately, there is ample evidence that for many years economic, marketing, and even anticompetitive goals were far more important considerations than security for Microsoft's software developers, and these broader objectives were often achieved at the cost of adequate security.
    Duh...

  2. Re:Then what? by Anonymous Coward · · Score: 5, Informative

    Things are never that cut&dry.

    Linux has more market share than Windows in the server market, yet Windows has a disproportionally higher frequency of reported critical OS flaws.

  3. Re:Then what? by tomstdenis · · Score: 1, Informative

    True dat. Actually the security of OSS comes under false pretenses. Major differences:

    1. Types of users that use windows.
    2. Number of users that use windows.
    3. Speed of fixes.

    Typically in OSS security bugs are fixed within hours of the report. And OSS software is not bug free. If windows users transfer wholesale to Linux we'll just see the same problems over again.

    While OSS is great and should be used over proprietary technology so far as public service is concerned [at the least] it isn't going to solve the security problems that plague windows.

    Tom

    --
    Someday, I'll have a real sig.
  4. Re:and in other news... by nfg05 · · Score: 2, Informative

    Where is this 90% drop you are talking about??

    It took around a year to drop from a high of around $60 to a low of about $20, and that's a 66% drop.

  5. Re:obvious and easily exploited and easily patched by ergo98 · · Score: 3, Informative

    "...an exploit for a vulnerability patched a month in advance..."

    For a hole that was in the system for years, which is similar to many other major in-the-news exploits. The fact that the patch was available for months is little consolation if there were nefarious groups who were aware of these holes for years, which is something that no one can conclusively answer.

    I think the simplistic "all other systems are secure, but MS systems are weak" zealotry often repeated by the puppets is incredibly weak, but at the same time let's face the fact that there are likely hundreds (or thousands) more exploits on every Windows machine out there, silently waiting to be exploited. (Linux may have as many or more, but I'm not talking about that here). It disturbs me to think that there are very likely countries and groups doing the same research that companies like eEye do, but perhaps they don't have a business model that relies upon publishing exploits for media PR...instead they keep them under their belts for selective and intelligent use when necessary (rather than the Ebola-like high school student worm).

    Perhaps the month-long security audit at Microsoft was a good step forward, however there is no doubt that it will be a massive undertaking to basically give the entire codebase an enema, removing ridiculously trivial exploits like buffer overflows. The security issues in Microsoft code are much more than a month-long effort: Microsoft must put a massive, concerted, effective effort at securing their code, because each time another buffer overflow exploit comes out, or an exploit for a trivial service that absolutely no one uses (internet printer service, home automation plug & play), it makes them look like a completely amateur shop that can't be trusted.

  6. About CCIA by Anonymous Coward · · Score: 5, Informative

    A quick look at About CCIA lists the following:

    Our member companies range from Sun Microsystems, Fujitsu, Nokia, Nortel Networks, Tantivy, Time Domain, and Vion to AT&T, Verizon, NTT USA, Oracle, Intuit, Yahoo!, Sabre, and AOL

    It's the who's who of MS competition.

  7. Re:Then what? by bruce_the_moose · · Score: 5, Informative

    This line--that Windows has the largest market share in worms and viruses because Windows has the largest market share--was trotted out in the last few weeks during the peak of the Sobig and Blaster activity, and routinely shot down. The problem is inherent design flaws, not market share. Many have pointed out that unix-type OSes run the majority of critical Internet services, and by the market-share argument, these services should be the subject of continual attack. And yet they are not.

    In short, this argument that greater adoption of unix-type OSes by the masses will result in more unix-type worms and viruses is nothing short of FUD.

    Have a look at Mac's Immunity to Recent Virus Attacks which came about in response to an article posted on MacCentral on this topic. In sum, some columnist repeated the assertion that "Macs have "no more inherent security" than their PC counterparts, it's just that they've failed "to capture interest" among the creators of these viruses." This post is fairly representative of many, and makes clear the vulnerabilities of Windows are real, stem from technical reasons, and not just market share.

    Mac OS X is the subject of the links above because that is where my interests lie, but the gist of the arguments could apply to any unix-type OS.

    --
    To reduce crime, make fewer things against the law.
  8. Re:Pretty obvious by SuperBanana · · Score: 3, Informative
    I do work for the Defense Department, and we won't consider using Microsoft code for anything that's important.

    How typical of someone who works in defense: you haven't the slightest idea what goes on anywhere except in your little world.

    Remember the destroyer that had to be towed into port because its Windows network crashed and it was dead in the water, because someone entered a 'zero' into a database field, and windows shit the bed? Yeah, the mission-critical functions of a nuclear powered destroyer aren't very important.

    Register article about land-attack destroyer
    Carrier with Windows network (including a joke prediction about how the USS Ronald Reagan will be running SP2).
    Report about the USS Yorktown

    They insist Windows NT wasn't the cause of the problems, but the funny thing is, no non-Windows-NT/2k powered 'smart' ship has these problems. If it looks like a duck, quacks like a duck, and crashes like a duck...:-)

    While NT may not have been the direct cause, the problem propagated (which is typical of Windows systems), and never should have happened in the first place; even with crappy programming by an application developer, the DB and OS should not shit the bed because you have a zero in a field.

    According to the Register articles, Microsoft Federal Systems is now actively engaged in weapons systems integration, not just propulsion and shipboard operations. That is truly frightening...

  9. Re:What are the Impartial Objectives? by dschl · · Score: 2, Informative
    Overrated. Here's why:

    "And in fact might need to keep any modifications that it keeps confidential. (Not that I really think that the GPL would deter anyone in the Bush Administration from doing something for "national security" -- I mean the Constitution doesn't.)"

    The GPL does not restrict the US (or any other) government (or any company, for that matter) from keeping modifications confidential. As long as the government does not distribute the software outside of itself, it can do whatever it wants. The GPL only requires source distribution to those who receive a binary - if the binary is kept in-house, the GPL does not require that the source be distributed to anyone else.

    --
    Slashdot - the place where you can look like a genius by restating the obvious
  10. Re:What are the Impartial Objectives? by Anonymous Coward · · Score: 1, Informative

    The GPL does not require you to give away modifications you make. You only have to provide source to the public if you provide binaries to the public.

  11. Re:666 Eleventh St? by Anonymous Coward · · Score: 1, Informative
    I consulted a numerology friend and if you subtract 11 from 666 you get 655 (didn't even use my xcalc programs!) which is the year that Pope Martin I died a martyr and Eugene I succeeded him in the papacy. See http://www.factmonster.com/ce6/people/A0831997.html for more info.

    "Martin" is obviously a veiled reference to Lockheed-Martin, maker of the Littoral Combat Ship which is slated to be introduced into the Navy arsenal in 2010. I would go on more about this ship but you can get a better overview at http://www.lockheedmartin.com/news/articles/071703_4.html.

    There is a push to have this ship's operations be controlled via *nix-based operating systems and I would not be surprised to find that the CCIA has its nose in that whole fiasco as well. Finally, while I've heard vague rumors of CCIA/Freemason connections, these are mostly unsubstantiated.

  12. Re:Then what? by StormReaver · · Score: 4, Informative

    "Besides, if anyone truly believes that more security-related bugs are found in windows than in linux, they must not be subscribed to the debian-security mailing list. 23 new announcements in august alone."

    All bugs in Linux, whether exploitable or not, whether severe or merely cosmetic, whether dangerous or merely annoying (or just plain non-optimal), are publicly announced and fixed at the time they are found.

    Microsoft publicly announces only a small fraction of the known bugs and security problems found in its products. If Microsoft were to be as thorough in its security announcements and fixes, you would be inundated with 8 new announcements, if not more, per hour, every day, for the rest of your life.

  13. Re:In a similar note... by Anonymous Coward · · Score: 1, Informative

    the www.army.mil webserver runs on OSX

    "Server: 4D_WebSTAR_S/5.3.0 (MacOS X)"

  14. Re:bullshit not worth even reading... by aardwolf64 · · Score: 2, Informative

    The reason it has been unpatched for months at a time is because IT guys aren't doing their jobs. I have all of the computers in my department set to download any new Windows Update patches, then install them at 3:00am. Was I affected by the MSBlaster worm? Well, I had two machines out of 150 infected, and only because I missed them when I set up automatic Windows Update. However, it didn't spread to the other machines in my network.

  15. Re:Then what? by moncyb · · Score: 3, Informative

    and a lot of people use it as it comes with the OS -- in unpatched and default configuration. That's why it has more holes than the pretty robust Apache.

    Ummm...yeah. I guess the fact all Linux distros which I've seen have Apache "in unpatched and default configuration" (unless the user chooses to not install the web server) doesn't matter?

    Besides, if anyone truly believes that more security-related bugs are found in windows than in linux, they must not be subscribed to the debian-security mailing list. 23 new announcements in august alone.

    Yay! Another idiot who just counts the number of vulnerabilities instead of paying attention to what they are. Somehow things like: "Steve Kemp discovered a buffer overflow in zblast-svgalib, when saving the high score file. This vulnerability could be exploited by a local user to gain gid 'games', if they can achieve a high score." don't scare me. Lots of this is obscure stuff in the first place--who uses the atari800 emulator? Who uses LinuxNode--some sort of amateur radio networking (?) program? I've never even heard of it.

    Many of these are local compromises--something MS has just barely started looking at. Many of these are programs which wouldn't be included with a Windows disk. Linux distros often come with hundreds (or thousands) of different programs, and would not normally be installed. Debian comes with over 8710 packages.

    What about multiple programs which do the same thing? One of the vulnerabilities was a program which uses qmail. I believe Debian also has sendmail and postfix. So we're counting problems with all three? And programs which attach to them as well? Is someone going to install all of these mail servers on their box? How many mail server programs does MS make? About wu-ftp, there also appear to be multiple ftp server programs. Do we count them all? Wu-ftp is well known to be insecure. Does this mean "Linux" is more insecure than Windows if someone chooses an insecure ftp server when their distro gives them the choice of several?

    Very few of these vulnerabilities would even touch the default install, and the video games? Well, maybe we should include all the video games you can buy for Windows. Oh no! What if GTA: Vice City will allow people to cheat by changing the high scores file??? That's a major vulnerability! We'd better notify the security team and get all our Windows boxes patched! Even the ones which don't have GTA installed!!!

    Just counting the number of vulnerabilities is the red herring. Most of those MS wouldn't even pay attention to and insist they aren't even security related. Linux and developers of other systems such as FreeBSD and OpenBSD are far more paranoid than MS could ever dream. That is why you see more security announcements for them. It means they are MORE secure, not less. Would you say a security guard who sleeps on the job is more secure than a guard who reports every little incident??? The sleepyhead only reported three problems last month! He must be doing his job! Never mind the fact half our inventory disappeared on his watch. That could've happened to anyone.

  16. Re:I'm so pissed off with MS by westlake · · Score: 2, Informative
    If you are not using MSN Messenger, the simplest solution is not to turn it on:

    1. Open MSN Messenger
    2. Click on Tools>Options
    3. Click on General
    4. Uncheck "Automatically run Messenger when I log onto Windows"
    5. Uncheck "Open Messenger main window when Messenger starts"
    6. Uncheck "Allow automatic sign on when connected to the Internet"

    Programs like threedegrees, Microsoft's XP-only and broadband-only P2P networking client, will need MSN Messenger services.

    bruceb consulting has a solution which should anchor your status bar in all instances of Internet Explorer and Windows Explorer:

    1. Open just one window of Internet Explorer.
    2. Click the "View" menu, then "Status Bar."
    3. Hold down Ctrl while clicking the X to close the window.
    4. Open My Computer.
    5. Click the "View" menu, then "Status Bar."
    6. Click the "Tools" menu, then "Folder Options."
    7. Click the "View" tab.
    8. Click "Apply to all folders."
    9. Click "OK."
    10. Close Windows Explorer.

    bruceb consulting also offers a reminder to XP home users that the backup program for XP Pro can be installed from the VALUEADD folder on their XP Home installation (or "restore") disk.

  17. Re:Windows not as securable as UNIX by Vinnster · · Score: 2, Informative

    I find this all so amusing. In the current conditions, you *can* make Windows as secure as any other OS out there, because there are counter-measures to the _known_ exploits in Windows. Because Windows is closed source, there are *probably* hundreds of vulnerabilities that are _unknown_ and that the current worm/virus writers are simply not aware of. Through time, it stands to reason that some of these bugs will be discovered, and that they will be exploited, patched, and re-exploited again. The real concern that I have, is that somehow, and this could happen, the entire source, or a major portion of the source of Windows could be discovered/leaked and give all the hidden holes broad visibility. With all of those eyes in the world (and probably not all with the best of intentions) looking at the code at the same time, I am sure that we would see not just one hole being exploited at any given time, and I'm sure that the programmers at Microsoft, and other interested parties would find it very difficult to keep up with all of the vermin that would show up in all the various forms of virii. This is only theoretical, but just imagine for a moment... if just 1 or 2 worms exploiting the same vulnerability can bring down the number of systems we've seen Blaster and Sobig.F doing, when all the vulnerabilities are shown at once.... Ouch. We'll be in a world of hurt. Not a pretty picture, and granted, not the most likely scenario, but _what if_??

    How does that old saying with the eggs, and the basket go?

    --
    It's not the fall that kills you, it's the sudden stop at the end.
  18. Re:Windows not as securable as UNIX by 0x0d0a · · Score: 2, Informative

    The Unix chroot kludge doesn't really translate to NT, but there are NT kludges for making sandboxes, usually involving ACLs.

    I've never seen or heard of a NT sandbox.

    Fortunately not. setuid is the door to so many Unix exploits it isn't even funny. For NT, you would use services to do this.

    Setuid improperly used, sure. To say that suid is flawed is ridiculous, though. It's an interface for giving privilege escalation with an application-defined interface. You cannot say that something that basic is flawed. You *can* run something under NT as a service. It's a small, limited subset of exactly what can be done with suid/sgid. It gives zero security benefits over suid/sgid, and doesn't work for apps that can't run as a service.
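The thread's "setuid improperly used" point comes down to one discipline: a setuid-root helper does its single privileged operation and then drops to the caller's ids permanently, checking every return value. The routine below is an added example (not code from the thread or any poster) showing that drop and a check that it cannot be undone. It assumes Linux/glibc, where setresuid/setresgid set the real, effective and saved ids together; on other Unixes the equivalent calls differ.

```c
/* Added example (not from the thread): permanent privilege drop for a setuid
 * helper, plus a self-check that the drop cannot be reversed.
 * Assumes Linux/glibc (setresuid/setresgid/setgroups). */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to target_uid/target_gid. Returns 0 on success, -1 on
 * failure. Order matters: supplementary groups and the gid are changed while
 * still root, because a non-root uid may no longer be allowed to change them.
 * All three ids (real, effective, saved) are set so nothing is left behind
 * that a later seteuid() could switch back to. */
int drop_privileges(uid_t target_uid, gid_t target_gid)
{
    if (geteuid() == 0) {
        /* Clearing supplementary groups needs CAP_SETGID; when the process
         * is already unprivileged the call would fail with EPERM, so skip it. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    if (setresgid(target_gid, target_gid, target_gid) != 0)
        return -1;
    if (setresuid(target_uid, target_uid, target_uid) != 0)
        return -1;
    return 0;
}

/* Returns 1 if real, effective and saved ids all equal the expected values
 * and, for a non-root target, an attempt to become root again is refused. */
int drop_is_permanent(uid_t expected_uid, gid_t expected_gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    if (ru != expected_uid || eu != expected_uid || su != expected_uid)
        return 0;
    if (rg != expected_gid || eg != expected_gid || sg != expected_gid)
        return 0;
    /* The decisive check: with the saved uid gone, regaining root must fail. */
    if (expected_uid != 0 && setuid(0) == 0)
        return 0;
    return 1;
}

int main(void)
{
    /* A real setuid helper would perform its one privileged operation here,
     * then drop to the invoking user's ids for the rest of its run. */
    uid_t uid = getuid();
    gid_t gid = getgid();

    printf("before: real uid %u, effective uid %u\n",
           (unsigned)uid, (unsigned)geteuid());
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("after:  real uid %u, effective uid %u, permanent=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           drop_is_permanent(uid, gid));
    return 0;
}
```

Run as an ordinary user the program drops to its own ids (a no-op that still exercises every call) and reports `permanent=1`; installed setuid root it would drop from effective uid 0 to the invoker. The two details that separate a sound suid helper from a broken one are both visible here: the gid is changed before the uid, and every setresuid/setresgid return value is checked, since a silently failed drop leaves the process running as root.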