CCIA Urges Dept. of Homeland Security to Avoid Microsoft
An anonymous reader writes "The Inquirer has posted an article reporting that the Computer and Communications Industry Association (CCIA) has urged the US Department of Homeland Security, in an open letter to Tom Ridge, secretary of the department, to avoid using Microsoft software because Microsoft's software is 'riddled with obvious and easily exploited vulnerabilities.'"
The Department of Homeland Security continues to use Microsoft products despite massive flaws, just like everyone else for whom familiarity is more important than actual security.
Asking what else there is to use. ;>
On a more serious note... blah
Mod me down im a newf (wiki)
And what happens when the DHS begins to use Linux/Solaris/et al and the attackers focus their attention on these products and find numerous and obvious vulnerabilities?
People tend to forget that more holes are found in Microsoft products partly because more people use Microsoft products. As a result, that's where the attackers focus a great deal of their energy. Linux would have the same problem if it had Microsoft's market share.
If Slammer has taught us anything, it is that a Microsoft operating system should not even be on the same network as any critical systems. Nor should it be used for any "less critical" systems, such as fault or load monitoring systems.
So ships are not important. I see.
Favorite line: "Although Unix is more reliable, Redman said, NT may become more reliable with time"
I live in that area, and there are a LOT of Msft job openings requiring security clearance these days.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
ANY software can be compromised to ANY degree. There are just as many exploits lurking in an Open Source distribution (let's face it, it's rare that someone uses ONLY the Operating System), as there are in anything.
Implementing (and adhering to) strong policy, working diligently to keep systems updated, and keeping users informed. These are essential parts to creating (and maintaining) a "secure" infrastructure.
Granted, it's easier said than done; but it's possible. There are FAR MORE corporations/entities that DID NOT get affected by blaster/sobig/melissa/codered/etc. than there are corps/entities that did.
It would be totally inappropriate for a government agency to blacklist a specific vendor without going through extensive hearings. That does not mean that they should not consider the vendor's history when evaluating each purchase. For the anti-MS crowd that means that they should reject each MS product individually.
More seriously, they need to evaluate what their software requirements are. I strongly suspect that they need software which will:
I doubt that you do work for the DOD or anything in a secured area.
If so, then you would not be commenting here about what you do and do not run at work.
Remember Big brother watches more closely now.
Bad news dude, you're full of it. The DoD is riddled with Microsoft products. Not only desktop - a lot of military sites I have seen are running on IIS. SQL Server 2k is used also.
I don't think anyone in an IT capacity in the DoD could possibly say that there are 'no microsoft products here' - that's just ludicrous. At least the boss's laptop has Win2k on it or something.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Well, this may be all well and good for government applications, as when dealing with resources of the government, security is obviously of the utmost importance. Let's be realistic, though. More damage is done to government and commercial sites by infected HOME user machines than probably any number of virii/worms that have slipped through some lazy sysadmin's email filters. A network is only as secure as the nodes remotely connected to it.
Too bad Linux-philes are running in too many (bleeping) directions to unite and make an operating system worthy of the Ma and Pa test. Tons of free software, very few general domain standards, and too many zealots who will see that it stays that way forever.
Pa: What the hell is a shell, and why do I want to make in it? That sounds like a Destruction Man reference. This thing is filthy and too complicated.
They came, they saw, they left, disgusted.
So can Open Source developers do a better job of building secure software? Is this an area in which Open Source software can compete with Microsoft?
Yuioup
And add to that Microsoft's own security patches that reenabled closed ports and disabled other protections that sysadmins put into place so the SQL worm could infect the system.
Does an internet web site qualify as important or is it weapons control?
Greetings to you, EX anarchist punk turned new conformist sheep...
The fact is, you can make windows as secure as any other OS out there, as long as you know what you're doing.
What turns that glib claim into a lie is, with closed source it's impossible to know what you're doing.
Never mind that security has never been an overriding concern in Windows' basic design. The end result speaks for itself, as any 13 year old can see.
Have you got your LWN subscription yet?
I'm as much of a Linux advocate as the next guy, but it would be a HUGE task to migrate all of the United States Federal government Microsoft-based systems to Linux, especially if there was some sort of mandated short timeline.
The relatively easy part would be replacing simple desktop functionality. The not-so-easy part would be identifying and analyzing all of the custom software used by the US Federal government that is deployed using Microsoft-specific technology (e.g. Visual Basic).
Even if there IS a shift from Microsoft to Linux (or any other platform), out of necessity it will need to be a slow and careful process.
So an organization whose tagline is, OPEN MARKETS, OPEN SYSTEMS, OPEN NETWORKS, AND FULL, FAIR AND OPEN COMPETITION, is asking that the department of homeland security not use Windows based on security concerns. For crying out loud, their mission statement is the following:
CCIA's mission is to further our members' business interests by being the leading industry advocate in promoting open, barrier-free competition in the offering of computer and communications products and services worldwide.
Maybe I'm missing something, but this seems like nothing more than a high powered Washington based lobbying group whose business constituents are diametrically opposed to Microsoft. How is this even news?
If we could look at M$ source code, you'd be getting THOUSANDS of emails a day notifying you of critical software fixes! :-)
"Unfortunately all anyone sees is the fact that two worms came out near the same time -- and not the fact that they could have been prevented easily by more competent sysadmins and informed users."
Couple of problems with this...
We obviously are not going to get more competent sysadmins and informed users any time soon. If we were, we would have had them already.
MS promotes its products as being "easy" and therefore (implied) not needing more competent sysadmins and informed users to use properly, and people buy it.
Wouldn't "competent" people design their systems better if they know they are going to be setup and used by "incompetent" people?
all the best,
drew
If I had gone and said the north american power grid should be replaced at the wake of the outages [ . . . ], I would have been accused of countless acts of civil disobedience.
My first question is what is wrong with Slashdot? I mean someone saw fit to give the parent coward "Insightful" for what she or he wrote? Someone wind the clock back before 2000 when Slashdot wasn't frequented by Microsoft apologists.
I'm not sure what makes you think your exercising your 1st Amendment right to speak freely (assuming you're a US citizen) would be branded civil disobedience, but in case you're really worried (and not just ranting) know you're in good company: first, the outage of August 2003 has produced a US-Canadian task force to investigate problems with the aging power grid. In fact, the power grid is so important that it is the subject of dozens of assessments conducted by the North American Electric Reliability Council. Let's just say that NERC is not sanguine about the reliability of the North-American power grid. The problem is so widespread that even US lawmakers anticipate a massive political dispute.
Regarding your comparison of the power grid to the Internet, network events such as MSBlaster and Sobig.F highlight the fragility of an information network built of insecure nodes. At present, the overwhelming majority of the nodes of the Internet are powered by Microsoft software. For better or for worse, "press releases and open letters right at the wake [sic] of major worms" draw attention to the real effects of maintaining so insecure an information network. MSBlaster and Sobig.F are not theories but facts and so prove the unreliability of an Internet composed mainly of Microsoft-powered nodes. The timely discussion of network events such as MSBlaster, Nimda, Code Red, Sobig.X, etc. in the press should, in my opinion, be an obligation of network administrators.
Given your post, you'd probably have us ignore the problem in the hopes that the next worm/virus/trojan does not damage our shared information network even more spectacularly. Thanks, but I would rather disseminate information and share data about such network events rather than stop my eyes, ears, and mouth with sand.
Well designed systems do not expose RPC control intended only for LANs to internet accessible interfaces, and they do not enable by default these services that very few users will ever need.
Well designed email clients do not allow users to easily execute code. For example, mozilla in linux will only allow you to save an attachment that appears to be code (not run it directly), and attachments are never saved with execute permission set.
So yes, you are correct, that nothing bad would have occurred had many millions of end users been aware of these risky capabilities in their software, and actively chosen to not follow the default settings.
Also, had one company not made the incredibly stupid decision to allow any email attachment ending in .exe, .com, .pif, .vbs (and many others) to obtain control over the end user's computer when the user clicks on it and accepts the default choice, then SoBig would have never managed to spread. The sad truth is that they made this stupid design decision many years ago, and time and time again they've refused to disallow executable attachments, despite a many years long history of email-based viruses.
Likewise, there is really no compelling reason to have port 135 listening by default. Smart design is to leave these things off by default, and require the user to enable them if needed..... especially very seldom used services like RPC.
It does appear that Microsoft might finally be learning from their long history of stupid design. But I doubt it's because of the infections. They are finally starting to wake up because of letters like this one, which make a well reasoned argument that Microsoft's systems just aren't safe for widespread deployment.
Sure, you may disagree. That is your (silly) choice.... but experience has shown that any system will by and large be deployed with its default configuration. Your argument that it's perfectly fine to have a horribly dangerous default setting, and expect the burden to be on millions of end users to consciously change the settings and consciously select non-default choices on every potentially malicious piece of network-arrived data they handle is, well, simply an absurd argument that blindly ignores many years of experience that default settings and choices are the norm.
PJRC: Electronic Projects, 8051 Microcontroller Tools
Substitute "leading desktop operating system provider" for Microsoft and you will get something more credible. If Linux were to ever take over the desktop market just as many bugs could be found, because it would be "the thing" to exploit, just as Windows is right now.
Just to save anyone the time, I will ridicule myself for posting as an Anonymous Coward, but I don't feel like putting up with an angry mob of elitist geeks right now.
Look, in place of "Microsoft" in your post insert the word "government." How different is it? This is not to say Microsoft _is_ going to be our government (although billg might like that), but that, for a very long time now, domestic and foreign political issues have been examined and dealt with almost exclusively as economic issues.
Economics is the New Way, and the hell with true security and the constitution. The US continues to prop up monster governments not because they believe in what this country ostensibly stands for under the constitution, but solely because they provide us with something we need; usually oil.
There's nothing wrong with needing oil, it's useful and plentiful (if it's not plentiful google "DeBeers.") We're living through the last throes of 1) The countless proxy wars we and the Soviets fought from the late 40s to the 90s. We (the US), have created most of the monsters that so hate us now because we tend to abandon our allies once they no longer serve our purposes. And, 2) The death of religion. I think it's becoming increasingly difficult to postulate a supreme creator in the face of the murder of people, especially children, one sees in the world today. All there is is tautologies, circular logic and appeals to ancient scriptures that always, always, go back to, not a god, but a human being who says they have the Word directly.
If there was a God, anybody's God, all of this sorrow could and would be cleaned up in an instant. But what do you see? Planes crashed into buildings for nought, Irish school buses blown to bits for "noble beliefs" while the Pontiff sits on his ass. Children's arms chopped off to pleasure forgotten tribal dictates.
You may not like what Science has given the world, but it's the only thing that has delivered the goods; Good and Bad. End of rant.
The NMCI (nmci-isf.com) situation is just going to make this so much worse. At least the individual sections of the WAN used to be heterogeneous, as they had individual IT officers and chiefs at the local end.
Now there will be one contractor providing all support for the entire (homogenized) network, and a single vulnerability could conceivably down the whole system.
Agreed, capitalism is great, but we're arriving at the point of extremism. Common sense should regain some terrain or we'll become victim of ourselves.
I don't want to make any comment on the issue itself, but I do want to ask, why does the CCIA rep feel the need to quote a Washington Post editorial in his open letter?
Quoting someone to add weight to your argument, whether it's a philosopher, pop star or journalist, generally removes credibility from what you're saying because it suggests that you don't feel your argument is strong enough on its own.
If I were posting a comment on Slashdot about security, for example, and I quoted a security expert, then that would be fair enough because the intention would be to reference knowledge that I couldn't personally have.
But the CCIA published their open letter because, supposedly, their opinion is important and should be taken seriously. Quoting a journalist, especially at the conclusion of the letter, seems inappropriate and even a little desperate.
Let's consider, then, how the issue can be addressed. So-called "Trusted" Operating Systems (ie: OS' that have a B2 rating or better) have certain capabilities that address the human element.
A "Trusted" OS, for example, isolates everything. Memory, disk space, network bandwidth. I mean everything. You can move information from one compartment to another if and only if you explicitly have the necessary permissions to do so. This is called "Mandatory Access Control".
In such an environment, damage can be contained. If person X gets a virus in their e-mail, then the permissions the virus has are the subset of permissions granted both that specific user AND the e-mail system. Even if the person wanted to, they couldn't grant the virus more permissions than that.
In consequence, damage is isolated. Only that user is affected. No other user can be infected, and the system as a whole cannot be compromised.
In such an environment, the individuals cannot affect the security, accidentally or intentionally. Negligent or reckless bosses cannot impose working conditions which compromise security, as the system will prohibit it. MAC, when designed to operate universally, is a very powerful tool.
Windows has no concept of MAC. The architecture isn't designed for such a notion. Everything is done centrally. MAC doesn't work well, if you centralize everything, because you then have a single entity to work with. How do you compartmentalize a single entity?
Linux is developing the concept of MAC, through the work of the SE-Linux coders and the Linux Security Module folk. The modular nature of Linux makes the work slightly easier than it could have been. The work on distributed architectures probably helps some, too, as - when you get right down to it - compartmentalization is really the special case where you distribute all functions over a single node.
Besides MAC, what else is significant about the architecture, that reduces the risk of human error?
Windows' time-slicing is still poor. If an application locks up, it can freeze or even take down the OS. Without a true upper limit to time-slices, it would be easy for an attacker to essentially freeze-out any counter-measures, by grabbing all the CPU time.
Linux now has a pre-emptive kernel. Even kernel-level operations can be paused, when needed, making it impossible for any piece of software to seize effective control over the machine.
Real-Time OS' have had similar features for some time, as they are designed to guarantee a certain amount of time to each program.
In the end, not all architectures are the same. You pick an OS by whether or not it is strong in the areas you want it to be strong in. You do not pick it because the box cover looks pretty.
If you want something that's resistant to attacks, you pick a B-class OS. If you want something that guarantees evenly-distributed performance, you pick a RTOS.
Now, if you want something that is designed to be trivial to use, then Windows is probably a good choice. The interface is about as simple as you can get, and that is the primary strength of Windows.
Using Windows in a public library or an Internet cafe is probably a reasonable choice. Simplicity is a greater priority, because users can't be expected to be savvy in technology. Everybody should have equal access to the resources in a library, no matter what their knowledge.
When you're talking about specialized machines in a professional workplace, especially when it is supposedly secure, ease-of-use is not an issue. If you don't like the GUI, pay someone to
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Yeah, and funnier still, how many open source products do those same companies produce?
The real threat is that when you have a closed system, you have a central point of failure (Microsoft) and you don't have the flexibility to change and modify things when you need to. Anyone who's read the "art of war" knows that real defense is about how flexible you are, and that you are able to deal with the exceptions, not the rules. - or how easy it is to change your stripes and adapt to changing situations and threats. You simply can't do that thru a closed one vendor system, no matter how much you plan. You simply can't do that when you can't access the source code, change it, and share those changes freely, you simply can't do that if you have to pay a subscription or royalty and keep tabs on every nook and cranny application and license - you can never decentralize, never regroup, never deal with unpredicted failures, when you're attached to a BSA dog-leash.
Just like freedom in the USA is the only real reason why it's so much better than the enemies, the freedom offered by Linux and the GPL has an internal value that makes it so much better than the alternatives. Only that is the end game, and only that is what will make us truly secure.
Remember the destroyer that had to be towed into port because its Windows network crashed and it was dead in the water, because someone entered a 'zero' into a database field, and windows shit the bed? Yeah, the mission-critical functions of a nuclear powered destroyer aren't very important.
If entering a zero into a database field causes Windows to crash, it's because a badly written device driver (more than likely NOT provided / approved by Microsoft!) was the cause. Next question: Why is your code blindly accepting input parameters without validating them?
Since Windows itself does not rely on MSDE or SQL Server, why don't you try blaming the right components?
You should be modded down as flamebait.
If the Department of Homeland Security were to be highly concerned about security, they wouldn't even have workstations with off-the-shelf distributions on them. They'd download the source code themselves, inspect it, and compile the distribution as an internal thing. And even according to the GPL, if it remains internal, i.e. no distribution to other parties, then they don't even have to say what their changes are.
In fact, they would be able to use a framework for distribution through their computer network modelled after Debian's or Slackware's or RedHat's, but with only their own versions of software in the update tree. This way, they can hire staff with existing administrative knowledge of the flavour of distribution that they choose, and the person will not really have much of a learning curve. Or, if they're really paranoid, they can write it themselves.
I'd personally recommend against having any personal computer on the user's desk. Give them an X Term that uses some kind of high-encryption tunnelling scheme to deliver the applications to the X Server, and have departmental-sized or building-sized computers for the users to work on. This ensures much better physical security for the equipment, with a fraction of the physical assets to watch, better data integrity since it would be stored on some fault-tolerant medium like RAID5. With a properly implemented security scheme for user login, either with some kind of biometric ID or an actually decent password scheme, it would be relatively difficult to break in compared to normal corporate environments.
As for local security on the application servers, it would require a fairly decent file security model, but big computers have been done before. The implementers would have to work to ensure no local root exploits, but that would be good for the community as a whole.
Do not look into laser with remaining eye.
You *can* make Windows as secure as any other OS out there, because there are counter-measures to the _known_ exploits in Windows.
Known exploits are not the problem. I have protected myself from many *unknown* exploits on my UNIX systems (layers of stateful ingress *and* egress filtering, chroot jails, system-level IDS, etc...). There is a lot of research taking that even further.
Besides, I wouldn't say something's securable just because fixes to previous problems have been easy with filtering or provided in a timely manner. Luck is not security.
-- The world is watching America, and America is watching TV.
Let's see them get into my fully patched XP box. Really. All the recent viruses, etc haven't affected me. Security is as much dependent on the user as the software. Sure, it's fun to blame MS for the Windows security problems, but when the users don't apply the patches how can MS be on the hook? Off the cuff I'd say the average Linux user is much more technically savvy than the average Windows user. That certainly plays a big part in the security of the box.
If entering a zero into a database field causes Windows to crash, it's because a badly written device driver
If that is true, Microsoft is in even worse shape than I think it is.
"Since Windows itself does not rely on MSDE or SQL Server, why don't you try blaming the right components?"
Aren't MSDE and SQL Server also Microsoft products? Aren't robust software packages NOT supposed to blindly crash in a chain reaction that takes them all down?