Slashdot Mirror


CCIA Urges Dept. of Homeland Security to Avoid Microsoft

An anonymous reader writes "The Inquirer has posted an article reporting that the Computer and Communications Industry Association (CCIA) has urged the US Department of Homeland Security, in an open letter to Tom Ridge, secretary of the department, to avoid using Microsoft software because Microsoft's software is 'riddled with obvious and easily exploited vulnerabilities.'"

7 of 413 comments

  1. Re:Then what? by Anonymous Coward · Score: 5, Informative

    Things are never that cut and dried.

    Linux has more market share than Windows in the server market, yet Windows has a disproportionately higher frequency of reported critical OS flaws.

  2. Re:obvious and easily exploited and easily patched by ergo98 · Score: 3, Informative

    "...an exploit for a vulnerability patched a month in advance..."

    For a hole that was in the system for years, which is similar to many other major in-the-news exploits. The fact that the patch was available for months is little consolation if there were nefarious groups who were aware of these holes for years, which is something that no one can conclusively answer.

    I think the simplistic "all other systems are secure, but MS systems are weak" zealotry often repeated by the puppets is incredibly weak, but at the same time let's face the fact that there are likely hundreds (or thousands) more exploits on every Windows machine out there, silently waiting to be exploited. (Linux may have as many or more, but I'm not talking about that here.) It disturbs me to think that there are very likely countries and groups doing the same research that companies like eEye do, but perhaps they don't have a business model that relies upon publishing exploits for media PR... instead they keep them under their belts for selective and intelligent use when necessary (rather than the Ebola-like high school student worm).

    Perhaps the month-long security audit at Microsoft was a good step forward; however, there is no doubt that it will be a massive undertaking to basically give the entire codebase an enema, removing ridiculously trivial exploits like buffer overflows. The security issues in Microsoft code are much more than a month-long effort: Microsoft must put a massive, concerted, effective effort into securing their code, because each time another buffer overflow exploit comes out, or an exploit for a trivial service that absolutely no one uses (internet printer service, home automation plug & play), it makes them look like a completely amateur shop that can't be trusted.

  3. About CCIA by Anonymous Coward · Score: 5, Informative

    A quick look at About CCIA lists the following:

    "Our member companies range from Sun Microsystems, Fujitsu, Nokia, Nortel Networks, Tantivy, Time Domain, and Vion to AT&T, Verizon, NTT USA, Oracle, Intuit, Yahoo!, Sabre, and AOL."

    It's the who's who of MS competition.

  4. Re:Then what? by bruce_the_moose · Score: 5, Informative

    This line, that Windows has the largest market share in worms and viruses because Windows has the largest market share, was trotted out in the last few weeks during the peak of the Sobig and Blaster activity, and routinely shot down. The problem is inherent design flaws, not market share. Many have pointed out that unix-type OSes run the majority of critical Internet services, and by the market-share argument, these services should be the subject of continual attack. And yet they are not.

    In short, this argument that greater adoption of unix-type OSes by the masses will result in more unix-type worms and viruses is nothing short of FUD.

    Have a look at "Mac's Immunity to Recent Virus Attacks", which came about in response to an article posted on MacCentral on this topic. In sum, some columnist repeated the assertion that Macs have "no more inherent security" than their PC counterparts; it's just that they've failed "to capture interest" among the creators of these viruses. This post is fairly representative of many, and makes clear that the vulnerabilities of Windows are real, stem from technical reasons, and are not just a matter of market share.

    Mac OS X is the subject of the links above because that is where my interests lie, but the gist of the arguments could apply to any unix-type OS.

    --
    To reduce crime, make fewer things against the law.

  5. Re:Pretty obvious by SuperBanana · Score: 3, Informative

    "I do work for the Defense Department, and we won't consider using Microsoft code for anything that's important."

    How typical of someone who works in defense: you haven't the slightest idea what goes on anywhere except in your little world.

    Remember the destroyer that had to be towed into port because its Windows network crashed and it was dead in the water, because someone entered a 'zero' into a database field, and Windows shit the bed? Yeah, the mission-critical functions of a nuclear-powered destroyer aren't very important.

    Register article about land-attack destroyer
    Carrier with Windows network (including a joke prediction about how the USS Ronald Reagan will be running SP2).
    Report about the USS Yorktown

    They insist Windows NT wasn't the cause of the problems, but the funny thing is, no non-Windows-NT/2k-powered 'smart' ship has these problems. If it looks like a duck, quacks like a duck, and crashes like a duck... :-)

    While NT may not have been the direct cause, the problem propagated (which is typical of Windows systems), and never should have happened in the first place. Even with crappy programming by an application developer, the DB and OS should not shit the bed because you have a zero in a field.

    According to the Register articles, Microsoft Federal Systems is now actively engaged in weapons systems integration, not just propulsion and shipboard operations. That is truly frightening...

  6. Re:Then what? by StormReaver · Score: 4, Informative

    "Besides, if anyone truly believes that more security-related bugs are found in Windows than in Linux, they must not be subscribed to the debian-security mailing list. 23 new announcements in August alone."

    All bugs in Linux, whether exploitable or not, whether severe or merely cosmetic, whether dangerous or merely annoying (or just plain non-optimal), are publicly announced and fixed at the time they are found.

    Microsoft publicly announces only a small fraction of the known bugs and security problems found in its products. If Microsoft were to be as thorough in its security announcements and fixes, you would be inundated with 8 new announcements, if not more, per hour, every day, for the rest of your life.

  7. Re:Then what? by moncyb · Score: 3, Informative

    "...and a lot of people use it as it comes with the OS -- in unpatched and default configuration. That's why it has more holes than the pretty robust Apache."

    Ummm... yeah. I guess the fact that all Linux distros which I've seen have Apache "in unpatched and default configuration" (unless the user chooses to not install the web server) doesn't matter?

    "Besides, if anyone truly believes that more security-related bugs are found in Windows than in Linux, they must not be subscribed to the debian-security mailing list. 23 new announcements in August alone."

    Yay! Another idiot who just counts the number of vulnerabilities instead of paying attention to what they are. Somehow things like "Steve Kemp discovered a buffer overflow in zblast-svgalib, when saving the high score file. This vulnerability could be exploited by a local user to gain gid 'games', if they can achieve a high score." don't scare me. Lots of this is obscure stuff in the first place. Who uses the atari800 emulator? Who uses LinuxNode, some sort of amateur radio networking (?) program? I've never even heard of it.

    Many of these are local compromises, something MS has just barely started looking at. Many of these are programs which wouldn't be included with a Windows disk. Linux distros often come with hundreds (or thousands) of different programs, which would not normally be installed. Debian comes with over 8710 packages.

    What about multiple programs which do the same thing? One of the vulnerabilities was in a program which uses qmail. I believe Debian also has sendmail and postfix. So we're counting problems with all three? And programs which attach to them as well? Is someone going to install all of these mail servers on their box? How many mail server programs does MS make? As for wu-ftp, there also appear to be multiple FTP server programs. Do we count them all? Wu-ftp is well known to be insecure. Does this mean "Linux" is more insecure than Windows if someone chooses an insecure FTP server when their distro gives them the choice of several?

    Very few of these vulnerabilities would even touch the default install, and the video games? Well, maybe we should include all the video games you can buy for Windows. Oh no! What if GTA: Vice City will allow people to cheat by changing the high scores file??? That's a major vulnerability! We'd better notify the security team and get all our Windows boxes patched! Even the ones which don't have GTA installed!!!

    Just counting the number of vulnerabilities is the red herring. Most of those MS wouldn't even pay attention to, and would insist they aren't even security related. Linux and developers of other systems such as FreeBSD and OpenBSD are far more paranoid than MS could ever dream. That is why you see more security announcements for them. It means they are MORE secure, not less. Would you say a security guard who sleeps on the job is more secure than a guard who reports every little incident??? The sleepyhead only reported three problems last month! He must be doing his job! Never mind the fact that half our inventory disappeared on his watch. That could've happened to anyone.