Slashdot Mirror


CCIA Urges Dept. of Homeland Security to Avoid Microsoft

An anonymous reader writes "The Inquirer has posted an article reporting that the Computer and Communications Industry Association (CCIA) has urged the US Department of Homeland Security, in an open letter to Tom Ridge, secretary of the department, to avoid using Microsoft software because Microsoft's software is 'riddled with obvious and easily exploited vulnerabilities.'"

15 of 413 comments

  1. and in other news... by Anonymous Coward · Score: 5, Insightful

    The Department of Homeland Security continues to use Microsoft products despite massive flaws, just like everyone else for whom familiarity is more important than actual security.

  2. Then what? by nakhla · Score: 4, Insightful

    And what happens when the DHS begins to use Linux/Solaris/et al and the attackers focus their attention on these products and find numerous and obvious vulnerabilities?

    People tend to forget that more holes are found in Microsoft products partly because more people use Microsoft products. As a result, that's where the attackers focus a great deal of their energy. Linux would have the same problem if it had Microsoft's market share.

    1. Re:Then what? by gregfortune · Score: 4, Insightful

      That argument lost its punch some time ago. Large, commercial entities are using Linux so the interest is certainly there. Google is one really good example.

    2. Re:Then what? by Enry · Score: 4, Insightful

      Besides, if anyone truly believes that more security-related bugs are found in Windows than in Linux, they must not be subscribed to the debian-security mailing list. 23 new announcements in August alone.

      For 8710 packages across 11 different architectures, only 23 announcements isn't bad at all. That's 1 out of every 355 packages.

      If you wanted to extrapolate from there, MSFT has what, maybe 100 or 200 software packages? Let's say 250 and be fair. According to Windows update, I've had 4 security related updates this month. If Microsoft distributed as many packages as Debian does, that would equate to 128 patches over the same time period.

      I'll stick with Debian, thanks.

    3. Re:Then what? by bob670 · Score: 4, Insightful

      I always enjoy it when rhetoric that sprung from the MS public relations machine becomes a fact. MS product vulnerabilities are discovered in higher numbers because they exist in legion. MS operating systems are inherently insecure, period. XP was supposed to bring real security, but I spend much of my clients' time and money applying MS security patches, updating A/V software and tightening firewalls. Between the draconian licensing policies, the vicious upgrade cycle and the total lack of security, I pray homeland security gets off of MS ASAP.

  3. Re:Pretty obvious by Anonymous Coward · Score: 4, Insightful

    If Slammer has taught us anything, it is that a Microsoft operating system should not even be on the same network as any critical systems. Nor should it be used for any "less critical" systems, such as fault or load monitoring systems.

  4. Re:Pretty obvious by ch-chuck · Score: 5, Insightful

    So ships are not important. I see.

    Favorite line: "Although Unix is more reliable, Redman said, NT may become more reliable with time"

    I live in that area, and there are a LOT of Msft job openings requiring security clearance these days.

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }

  5. Something more helpful would be... by djrisk · Score: 4, Insightful

    ... to suggest that the DHS implement a strong policy structure to ensure high integrity computing; because in all practicality, "don't use this" never works.

    ANY software can be compromised to ANY degree. There are just as many exploits lurking in an Open Source distribution (let's face it, it's rare that someone uses ONLY the Operating System), as there are in anything.

    Implementing (and adhering to) strong policy, working diligently to keep systems updated, and keeping users informed: these are essential parts of creating (and maintaining) a "secure" infrastructure.

    Granted, it's easier said than done; but it's possible. There are FAR MORE corporations/entities that DID NOT get affected by blaster/sobig/melissa/codered/etc. than there are corps/entities that did.

  6. What are the Impartial Objectives? by cait56 · Score: 5, Insightful

    It would be totally inappropriate for a government agency to blacklist a specific vendor without going through extensive hearings. That does not mean that they should not consider the vendor's history when evaluating each purchase. For the anti-MS crowd that means that they should reject each MS product individually.

    More seriously, they need to evaluate what their software requirements are. I strongly suspect that they need software which will:

    • Not expire: We are going to reach a point where terrorism is not a "hot button" item, and the spending will slack off. Eventually there will be another attack. The software purchased now has to work four years from now, even if the individual participating agencies have upgraded their hardware in the meantime.
    • Platform independent: The federal government should not be telling local police departments what type of equipment they need. If they do, we'll end up with some equivalent of having to keep an old 286 running in the corner to deal with Homeland Security. Or on the flip side, some police department that relies on donated leftovers won't be able to run the latest software.
    • Auditable: The code used for this software must be reviewable, preferably by the widest audience possible. Escrow is the absolute minimum for all source code involved. Open Source certainly qualifies, but technically the department does not need to have the right to modify the software itself. And in fact might need to keep any modifications that it keeps confidential. (Not that I really think that the GPL would deter anyone in the Bush Administration from doing something for "national security" -- I mean the Constitution doesn't.)

  7. Re:Pretty obvious by HBI · Score: 3, Insightful

    Bad news dude, you're full of it. The DoD is riddled with Microsoft products. Not only desktop - a lot of military sites I have seen are running on IIS. SQL Server 2k is used also.

    I don't think anyone in an IT capacity in the DoD could possibly say that there are 'no Microsoft products here' - that's just ludicrous. At least the boss's laptop has Win2k on it or something.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.

  8. Re:obvious and easily exploited and easily patched by Daniel+Phillips · Score: 3, Insightful

    The fact is, you can make Windows as secure as any other OS out there, as long as you know what you're doing.

    What turns that glib claim into a lie is, with closed source it's impossible to know what you're doing.

    Never mind that security has never been an overriding concern in Windows' basic design. The end result speaks for itself, as any 13 year old can see.

    --
    Have you got your LWN subscription yet?

  9. Not news by Darth_Burrito · Score: 3, Insightful

    So an organization whose tagline is, OPEN MARKETS, OPEN SYSTEMS, OPEN NETWORKS, AND FULL, FAIR AND OPEN COMPETITION, is asking that the department of homeland security not use Windows based on security concerns. For crying out loud, their mission statement is the following:

    CCIA's mission is to further our members' business interests by being the leading industry advocate in promoting open, barrier-free competition in the offering of computer and communications products and services worldwide.

    Maybe I'm missing something, but this seems like nothing more than a high powered Washington based lobbying group whose business constituents are diametrically opposed to Microsoft. How is this even news?

  10. The bullshit is yours. by MisterSquid · Score: 4, Insightful

    If I had gone and said the north american power grid should be replaced at the wake of the outages [ . . . ], I would have been accused of countless acts of civil disobedience.

    My first question is what is wrong with Slashdot? I mean someone saw fit to give the parent coward "Insightful" for what she or he wrote? Someone wind the clock back before 2000 when Slashdot wasn't frequented by Microsoft apologists.

    I'm not sure what makes you think your exercising your 1st Amendment right to speak freely (assuming you're a US citizen) would be branded civil disobedience, but in case you're really worried (and not just ranting) know you're in good company: first, the outage of August 2003 has produced a US-Canadian task force to investigate problems with the aging power grid. In fact, the power grid is so important that it is the subject of dozens of assessments conducted by the North American Electric Reliability Council. Let's just say that NERC is not sanguine about the reliability of the North-American power grid. The problem is so widespread that even US lawmakers anticipate a massive political dispute.

    Regarding your comparison of the power grid to the Internet, network events such as MSBlaster and Sobig.F highlight the fragility of an information network built of insecure nodes. At present, the overwhelming majority of the nodes of the Internet are powered by Microsoft software. For better or for worse, "press releases and open letters right at the wake [sic] of major worms" draw attention to the real effects of maintaining so insecure an information network. MSBlaster and Sobig.F are not theories but facts and so prove the unreliability of an Internet composed mainly of Microsoft-powered nodes. The timely discussion of network events such as MSBlaster, Nimda, Code Red, Sobig.X, etc. in the press should, in my opinion, be an obligation of network administrators.

    Given your post, you'd probably have us ignore the problem in the hopes that the next worm/virus/trojan does not damage our shared information network even more spectacularly. Thanks, but I would rather disseminate information and share data about such network events rather than stop my eyes, ears, and mouth with sand.

    --
    blog

  11. The real threat isn't the flaws!!! by argoff · Score: 3, Insightful

    The real threat is that when you have a closed system, you have a central point of failure (Microsoft) and you don't have the flexibility to change and modify things when you need to. Anyone who's read the "art of war" knows that real defense is about how flexible you are, and that you are able to deal with the exceptions, not the rules. - or how easy it is to change your stripes and adapt to changing situations and threats. You simply can't do that thru a closed one vendor system, no matter how much you plan. You simply can't do that when you can't access the source code, change it, and share those changes freely, you simply can't do that if you have to pay a subscription or royalty and keep tabs on every nook and cranny application and license - you can never decentralize, never regroup, never deal with unpredicted failures, when you're attached to a BSA dog-leash.

    Just like freedom in the USA is the only real reason why it's so much better than the enemies, the freedom offered by Linux and the GPL has an internal value that makes it so much better than the alternatives. Only that is the end game, and only that is what will make us truly secure.

  12. It's all about the approach by TWX · Score: 3, Insightful

    If the Department of Homeland Security were to be highly concerned about security, they wouldn't even have workstations with off-the-shelf distributions on them. They'd download the source code themselves, inspect it, and compile the distribution as an internal thing. And even according to the GPL, if it remains internal, i.e. no distribution to other parties, then they don't even have to say what their changes are.

    In fact, they would be able to use a framework for distribution through their computer network modelled after Debian's or Slackware's or RedHat's, but with only their own versions of software in the update tree. This way, they can hire staff with existing administrative knowledge of the flavour of distribution that they choose, and the person will not really have much of a learning curve. Or, if they're really paranoid, they can write it themselves.

    I'd personally recommend against having any personal computer on the user's desk. Give them an X Term that uses some kind of high-encryption tunnelling scheme to deliver the applications to the X Server, and have departmental-sized or building-sized computers for the users to work on. This ensures much better physical security for the equipment, with a fraction of the physical assets to watch, and better data integrity since it would be stored on some fault-tolerant medium like RAID5. With a properly implemented security scheme for user login, either with some kind of biometric ID or an actually decent password scheme, it would be relatively difficult to break in compared to normal corporate environments.

    As for local security on the application servers, it would require a fairly decent file security model, but big computers have been done before. The implementers would have to work to ensure no local root exploits, but that would be good for the community as a whole.

    --
    Do not look into laser with remaining eye.