Slashdot Mirror


CCIA Urges Dept. of Homeland Security to Avoid Microsoft

An anonymous reader writes "The Inquirer has posted an article reporting that the Computer and Communications Industry Association (CCIA) has urged the US Department of Homeland Security, in an open letter to Tom Ridge, secretary of the department, to avoid using Microsoft software because Microsoft's software is 'riddled with obvious and easily exploited vulnerabilities.'"

29 of 413 comments

  1. Pretty obvious by John Jorsett · · Score: 4, Interesting

    If Ridge and DHS don't already know this, they've been asleep. I do work for the Defense Department, and we won't consider using Microsoft code for anything that's important.

    1. Re:Pretty obvious by jd · · Score: 4, Interesting
      The US Navy recently moved a lot of developers from Unix platforms onto Windows plus CITRIX, as part of the NMCI contract.

      (The machines running the actual applications were also Windows boxes.)

      The Windows boxes were considered "safe enough" to put on the public network. If it wasn't Windows, even if it had an A1 rating, Gibson's "Black Ice", and half of Fort Knox guarding it, it was considered unfit for use on a public network.

      From what I've been told, by people working in the US Navy, Windows computers on ships are often riddled with viruses and other nasties. Protection is minimal to non-existent. I've no reason to doubt these first-hand accounts.

      The use of Windows, alone, is not the problem. Windows can be made reasonably secure, and proper counter-measures do exist for dealing with intrusions and viruses.

      The problem is in the sheer reckless stupidity of key personnel who are high enough up the chain of command to enforce their stupidity on others. You cannot afford to have such people in any key organization, much less an organization whose role is national and international security.

      I don't want to imagine what would happen if critical RADAR stations or missile systems were ordered to switch to Windows. The Department of Homeland Security is all fretting about "sleeper cells", while the DoD seems to be spending its time asleep.

      I can say, from practical experience, that Windows is used in situations for which it is not authorized or certified. I can also say that the use of Windows in potentially vulnerable situations is on the rise. Sure, there's nothing I can do about it, but that doesn't mean I like it.

      Would I work in such situations? Already have, and I would again. Why? Because Government jobs pay better than any company I might be able to talk into using a secure environment.

      That's the sad part of it. I could very easily build you a computing environment that had rock-solid security, combined with phenomenal ease-of-use, combined with amazing performance, for less than it is costing companies to install and maintain Windows, plus pay for outage caused by viruses and crackers. I'd say that probably 30-40% of all regular Slashdot readers could.

      As Megadeth noted on one of their albums: ...but who's buying?

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    2. Re:Pretty obvious by gte910h · · Score: 2, Interesting

      WindowsNT runs the system on these ships that shoots incoming aircraft and missiles. Your son will be killed by these missiles and bombed by these aircraft.

      --
      Want to see every step I took to start my company? http://www.rowdylabs.com/blogs/pitchtothegods
    3. Re:Pretty obvious by Theatetus · · Score: 4, Interesting
      I do work for the Defense Department, and we won't consider using Microsoft code for anything that's important.

      Funny... I'm in the Marine Corps (part of the DoD last time I checked), where we and the Navy have a mandated Microsoft-only procurement requirement. Not just "you have to justify buying non-Microsoft software" but "you have to prove that a Windows NT platform absolutely cannot do what you need to do". The usmc.mil website runs Domino (and doesn't properly sign its certificates... grrr....), but the entire Navy/MC WAN is NT4.

      Maybe our WAN is not what you are calling "important". It's true, we don't put Windows on fighter jets or in tanks, but we don't put UNIX in them either. So maybe the medical and service records of all the men and women in the Navy and Marine Corps aren't "important" to you, but they're damn sure "important" to me, and I'm outraged that the network seems to have been compromised over the past few weeks.

      --
      All's true that is mistrusted
    4. Re:Pretty obvious by Theatetus · · Score: 2, Interesting
      Most of the systems on most aircraft are embedded Unix.

      Hmm... makes me wonder what the V-22 Deathtra^H^H^H^H^H^H^H^H Osprey was running

      --
      All's true that is mistrusted
    5. Re:Pretty obvious by John Jorsett · · Score: 2, Interesting
      I don't think anyone in an IT capacity in the DoD could possibly say that there are 'no microsoft products here' - that's just ludicrous.

      Indeed it is, which is why nobody is saying it here. I'm not Dick Cheney, so I can't speak for all of DoD. The group I work with doesn't use Microsoft products in anything that has to be a) secure and/or b) reliable.

  2. and in other news still... by Angry White Guy · · Score: 5, Interesting

    Government spending is just another way to dump money into the local economy, while rewarding campaign contributions.

    Man, if it wasn't for timestamps, I'd swear we were in 15th century Britain. Hello Fiefdom!

    --
    You think that I'm crazy, you should see this guy!
  3. Actual Security by mhotas · · Score: 2, Interesting

    Microsoft isn't that bad. They're getting more attention and anger transferred to them from virus writers because they're the biggest company in the industry. Nothing's perfect & security is the hardest aspect of a software system to test and validate. And frankly, I think their model works better than Red Hat's, where I get 3-5 emails a day notifying me of critical software fixes. I just don't have that kind of time.

  4. In a similar note... by Anonymous Coward · · Score: 5, Interesting

    The OMB (Office of Management and Budget?) just added MacOS X and Linux to approved OS's to use for government applications.

    With the right push, we might see the tides change in *nix favor.

  5. obvious and easily exploited and easily patched by PenguiN42 · · Score: 4, Interesting

    Seriously, if this guy really wanted to help out the government, he'd be suggesting that they keep their systems patched and stripped down and firewalled, and that they employ an expert security team no matter what OS they use.

    The fact is, you can make windows as secure as any other OS out there, as long as you know what you're doing.

    I think it's fishy that they don't back up their "obvious and easily exploited vulnerabilities" claim with any real examples. The only evidence they provide is Blaster and SoBig -- an exploit for a vulnerability patched a month in advance, and a simple dumb-user email worm. Unfortunately all anyone sees is the fact that two worms came out near the same time -- and not the fact that they could have been prevented easily by more competent sysadmins and informed users.

    Anyway, I think it would be cool to see the DHS use a less-mainstream OS. But I don't think this open letter makes an argument any more sophisticated than the "microsoft sucks! You'll get a million viruses dude!" spouted off by any 13-year-old linux zealot.

    --
    The following sentence is true. The preceding sentence was false.
  6. Huge, HUGE surprise here...NOT! by TardBoy · · Score: 5, Interesting

    Come on, people, take a look at the membership of this organization and ask yourself if they would EVER take a position which was NOT anti-microsoft. This is not some middle-of-the-road computer science organization, it's a lobbying organization with an axe to grind. That MS software has security flaws is a given, and their position in this case may well be correct, but the CCIA's opposition to MS software is NOT news.

    1. Re:Huge, HUGE surprise here...NOT! by smallpaul · · Score: 2, Interesting

      Yep. Here are some headlines from their home page:

      "CCIA Unsurprised By New Evidence in European Commission Microsoft Case, Stresses Importance of Effective Remedies"

      "Attorney General Tom Reilly is right to continue fighting a settlement with the Microsoft Corporation that fails to protect consumers."

      "CCIA Welcomes Microsoft "Netscape Fine""

      "CCIA Condemns Microsoft Predatory Pricing Scheme"

      "CCIA, SIIA Filing Brief Appealing U.S. v. Microsoft Decision"

  7. Re:Then what? by swdunlop · · Score: 2, Interesting

    Oddly, I don't think many OSS developers are trying to solve the security problems that plague windows. That's Microsoft's job.

  8. FUD!!! by DangerTenor · · Score: 3, Interesting

    Is that really the case? Are there really that many more vulnerabilities in MS operating systems than any other?

    Or, is it just that since there are so many machines running Microsoft OS's, it is just easier to find and exploit these bugs?

    I have yet to be convinced that the open source model truly leads to fewer bugs and vulnerabilities. Yes, more eyes can see the code, but still these many pairs of eyes miss things. Look at sendmail for crying out loud.

    --
    Check out our infosecurity industry blog: http://securitymusings.com/
    1. Re:FUD!!! by Anonymous Coward · · Score: 1, Interesting

      Is that really the case? Are there really that many more vulnerabilities in MS operating systems than any other?

      Well, let's find out these answers to your simple questions. Just convince M$ to GPL their source, then we'll be able to compare, won't we? :-)

  9. Re:Then what? by Daniel Phillips · · Score: 4, Interesting

    And what happens when the DHS begins to use Linux/Solaris/et al and the attackers focus their attention on these products and find numerous and obvious vulnerabilities?

    If they are obvious, then we already found them. Numerous... I don't think so, not in the core system. When a new Linux vulnerability comes out, it's big news and dozens of hackers descend on it immediately. Then when the fixes go out, they are *easy* to apply and highly unlikely to break anything unrelated in your system.

    Any new features that go into core systems get heavily peer-reviewed for security impact. That's *proactive* security. This process has been going on for 30 years (long before Linux appeared) and you might say, it's reached a state of comparative maturity.

    This is the difference between security as an afterthought and security as a process. Besides that, Linux 2.6 has a gleaming new plug-in security harness. This allows the user to tailor their own security system. For example, mandatory access controls allow the administrator to limit the actions of any process, even root. The impetus for this originally came from the NSA. You can bet that's interesting to government departments across the board.

    --
    Have you got your LWN subscription yet?
  10. Re:Then what? by MarvinMouse · · Score: 2, Interesting

    Well, you have the million monkey effect. The thing about Linux over Windows is that if a major bug is found, there are hundreds of quality programmers ready to fix it and able to fix it very quickly. Anyone who wants to fix the bug is allowed to.

    So you end up with, sure if bugs are found for Linux, they'll probably get fixed faster, and from past experience with Linux and bugs this is very very true.

    --
    ~ kjrose
  11. Idiotic by Bueller_007 · · Score: 3, Interesting

    Well let's certainly hope that if DHS does decide to switch to open source, that it's not because CCIA advised them to. Making security decisions based on the allegations of some lobbying group, be they valid or otherwise, is pure idiocy. Do some independent research for christsake.

    Maybe this letter is a step in the right direction in this regard, but I have to believe that DHS already knew all of this. They are, after all, a government department DEDICATED to security.

  12. Re:Then what? by Anonymous Coward · · Score: 1, Interesting

    http://www.securityfocus.com

    Note: Flaws like "Race condition allows local user to DoS emacs" are akin to notepad running unusually slowly. Which is to say, not critical. But they fully disclose and fix them anyway because they don't have a stock value to keep inflated.

  13. Windows not as securable as UNIX by 0x0d0a · · Score: 4, Interesting

    The fact is, you can make windows as secure as any other OS out there, as long as you know what you're doing.

    Can you?

    Can an NT administrator, using user level tools, perform the equivalent of a chroot jail? Can he make specific apps suid or sgid?

    While Windows technically does not imply use of other Microsoft products, it does tend to be correlated with it. Outlook has had numerous poor security decisions that a mail admin simply cannot fix. IIS has also had poor architectural decisions. Remember MS swearing that they'd rewrite the thing from the ground up for the next release? The design of IE -- permeating the entire OS, providing many services to applications, and with no internal security model in place -- makes for all kinds of nasty problems. It's a great way for spyware to slip past personal firewalls, it's used in places like Outlook where a full-blown HTML renderer with the huge variety of features it has is a pretty bad idea from a security standpoint, and it provides a high degree of control to remote websites over the local computer -- much higher than Mozilla's.

    The MS Blaster issue wasn't actually all that egregious, AFAIK. It's not like UNIX systems haven't had RPC flaws in the past, either. The real problem was the number of unmaintained machines that were vulnerable. I'd call something like Melissa, that relies on phenomenally stupid security decisions from Microsoft ("let's have an automatic execution environment in our documents, which are intended for wide interchange!") much worse.

  14. Re:I'm so pissed off with MS by westlake · · Score: 2, Interesting
    If the ad is a plain text "Messenger Service" pop-up, you have a network service enabled that was intended to push out urgent messages from system administrators. It has legitimate purposes, so ask first before acting.

    To disable Messenger in XP Pro:

    Click Start->Settings ->Control Panel
    Click Administrative Tools
    Click Services
    Double click Services
    Scroll down and highlight "Messenger"
    Right-click the highlighted line and choose Properties.
    Click the STOP button.
    Select Disable or Manual in the Startup Type scroll bar
    Click OK

    How to Disable Windows Messenger Service
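    The GUI steps above, as an added example that is not part of the original post: the same stop-and-disable done from an elevated PowerShell prompt, with the checks the clicks skip. It assumes the service's short name is Messenger (the net-send pop-up service, not the Windows Messenger chat client) and reads Win32_Service through Get-WmiObject so it also works on the PowerShell 2.0 that XP supports; on Vista and later the service no longer exists, which the first check handles instead of letting Stop-Service throw.

```powershell
# Added example (not from the original post). Stop and disable the XP-era
# "Messenger" service (the network pop-up service, not the Windows Messenger
# IM client). Run from an elevated PowerShell prompt.
$svcName = 'Messenger'   # assumed short service name

# Vista and later removed this service entirely, so look it up first.
$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "Service '$svcName' is not present on this system; nothing to do."
    return
}

# Win32_Service exposes the startup mode on old PowerShell versions where
# Get-Service has no StartType property.
$before = Get-WmiObject Win32_Service -Filter "Name='$svcName'"
Write-Output ("Before: State={0} StartMode={1}" -f $before.State, $before.StartMode)

# Stop it if it is running (the "STOP" button in the GUI steps).
if ($svc.Status -eq 'Running') {
    Stop-Service -Name $svcName -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
}

# Disable it so it does not come back on the next boot ("Startup Type").
Set-Service -Name $svcName -StartupType Disabled

# Verify rather than assume that both changes took.
$after = Get-WmiObject Win32_Service -Filter "Name='$svcName'"
if ($after.State -ne 'Stopped' -or $after.StartMode -ne 'Disabled') {
    throw "Service '$svcName' still State=$($after.State) StartMode=$($after.StartMode)"
}
Write-Output "After:  State=$($after.State) StartMode=$($after.StartMode)"
```

    Disabling the service only covers this one host; the pop-ups arrive over the RPC and NetBIOS ports the service listens on, so blocking those inbound at the perimeter firewall is the other half of the fix, as the poster's "stripped down and firewalled" advice elsewhere in this thread suggests.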

  15. Re:Then what? by Zro Point Two · · Score: 2, Interesting

    I always like being the devils advocate, and will probably get modded to flamebait for this, but here's something to put in your pipe and think about....

    The lead story says "'riddled with obvious and easily exploited vulnerabilities.'"...How many people found the exploit that the blaster worm uses? Maybe a couple dozen at most? That doesn't seem like an obvious exploit to me. Heck, any exploit (*nix or Windows) that requires a buffer overflow of a certain amount of characters, or a specifically formed packet, is not that obvious to me.

    --
    Zro . two

    "I come from Canada...they say I'm slow....eh?"
  16. Redundant by mangu · · Score: 4, Interesting
    This "they are the biggest, so crackers go after them" line has been debunked so many times by so many people... But, anyway, here we go again:

    I think their model works better than Red Hat's, where I get 3-5 emails a day notifying me of critical software fixes

    If you took a few minutes to read those fixes you would realize almost all of them are "proactive", that is, they are fixing vulnerabilities before an exploit is made against them. This is intrinsic in the OSS model, where experts worldwide examine the source code all the time, for instance in university classes and research centers. Commercial, closed-source software, on the other hand, usually is examined only by crackers who throw anything they can at the software until it breaks.

    Personally, the system I prefer is Conectiva's, where apt-get is combined with rpm packages. Running "apt-get update; apt-get dist-upgrade" each time I get a vulnerability warning takes much less time than deleting spam, even in my relatively well protected email account.

  17. Sounds like a job for Haliburton by Androgynous Coward · · Score: 0, Interesting

    If it's a costly and drawn out project I'm sure they'll be on the short-list.

  18. I hate hearing about the Dept of Homeland Security by Anonymous Coward · · Score: 1, Interesting

    Ahh, I love the words Homeland Security. That "War on Terror", it's gonna be just like that "War on Drugs". You know, it's great that people can't buy drugs anymore.....

  19. Re:Then what? by pjrc · · Score: 4, Interesting
    what happens when the DHS begins to use Linux/Solaris/et al

    A few days ago, I did a simple test using Mozilla's email client, where I emailed a copy of /bin/ls to myself, to see what Mozilla would do when it received a linux binary executable.

    I'm happy to report that I was offered the choice to save it to disk, or to open the data with an application (which I had to choose without a default, and apps handle the binary data as data, not executable code).

    When I saved the file to /tmp, the resulting binary was of course byte-for-byte identical to the copy in /bin, but Mozilla did not set the execute permission bit by default. Since I knew the file was ok, I typed "chmod 755 /tmp/ls", and then I was able to run the executable.

    I had to save the file, then locate the file using another application (I used a shell, but many people might prefer a file manager like Konq), and I had to explicitly change the permissions to allow the internet-received data to be able to run and have (non-root) control over my computer.

    So, getting back to the original question.... it's safe to say the until linux systems are populated with dangerous email clients, email-virus writers are going to have to try a lot harder to trick users into executing their code!

  20. Re:I Can See Them Now.... by shokk · · Score: 4, Interesting

    Let's see, spend lots of $$$ to deal with patching MS security holes (lots of centralized and automated Software Install packages out there for Win32), or deal with user-unfriendly Linux suites that do not scale or integrate with others no matter how well patchable the platform is. Personally, I never trust third-party RPMs and they're never compiled the way I want them anyway.

    I believe in MS on the front-end, linux on the back-end, running a virus gateway at the mailservers, antivirus software at the desktop, and centralized patching to fire off new patches on all desktops at once. That said, I would only put MS on the back-end at gunpoint. Linux may not need any of that protection at the desktop, but the lack of apps keeps it from being as usable; the apps that are available are not very compatible with what everyone else is using. In these days of limited sysadmin resources, I would rather the users have a very intuitive package in front of them to minimize calls like "how do I start using this? I have to source what and do what to my environment?" The sysadmin resources should be left to take care of the valuable back end.

    Linux is far from 100% secure...take a look at various security bulletins each week and you'll see all sorts of apps that are being patched. Have we forgotten past Linux worms? How many recently patched phpBB2 or Nuke for recent problems according to those advisories? Where is the mantra of "the hole shouldn't be there in the first place?" that is constantly fired off at MS when those holes are found in open source software? Is it because many Linux apps are like that and the blame is distributed across a multitude of developers rather than a single monolithic software company that simple minds can more easily divert their attention to? Sorry, but "they patched it within 8 hours" is not an excuse. For both platforms, "the hole should not have been there! where is the code auditing that should have prevented that problem from being there in the first place?" As complex as software is becoming, I do not think that this is going to go away without radically altering current coding practices.

    What we need is a very large corporation to adopt 100% Linux (reference Guinea Pig in wikipedia) so that apps become more compatible and patches are more easily recognized. We've seen smaller companies like Ernie Ball do this, but we need bigger testbeds. Then, we can complain in 10 years about the Linux juggernaut and how Putrix is better.

    --
    "Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
  21. It can be done step-by-step by mangu · · Score: 3, Interesting

    I have started doing that where I work. Whatever has no equivalent in Linux, I run under Wine, temporarily, until I find a better way. Nowadays, I'm about 99% MSwindows-free, and about 80% Microsoft free, that is, I boot under MSwindows less than 1% of the time and only one out of five programs I use regularly comes from MS.

  22. Re:and in other news... by Anonymous Brave Guy · · Score: 2, Interesting

    There was nothing wrong with a load of Enron shares in your portfolio a few years ago, either...

    Yes, Microsoft is about money, but I wouldn't want to risk my investment money in a company with the medium term business issues Microsoft currently face, or in a company that engages in the same sorts of dubious accounting practices as Enron (don't ask, Google) and just hasn't been caught yet.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.