CCIA Urges Dept. of Homeland Security to Avoid Microsoft
An anonymous reader writes "The Inquirer has posted an article reporting that the Computer and Communications Industry Association (CCIA) has urged the US Department of Homeland Security, in an open letter to Tom Ridge, secretary of the department, to avoid using Microsoft software because Microsoft's software is 'riddled with obvious and easily exploited vulnerabilities.'"
The Department of Homeland Security continues to use Microsoft products despite massive flaws, just like everyone else for whom familiarity is more important than actual security.
Asking what else there is to use. ;>
On a more serious note... blah
Unfortunately, there is ample evidence that for many years economic, marketing, and even anticompetitive goals were far more important considerations than security for Microsoft's software developers, and these broader objectives were often achieved at the cost of adequate security.
Duh...
to use OpenBSD without a windowing environment, or any ethernet interfaces.... "most secure setup in the world" the report claimed. When the department asked about usability and productivity of these other avenues they were told "STFU n00blah and RTFM".....
If Ridge and DHS don't already know this, they've been asleep. I do work for the Defense Department, and we won't consider using Microsoft code for anything that's important.
Government spending is just another way to dump money into the local economy, while rewarding campaign contributions.
Man, if it wasn't for timestamps, I'd swear we were in 15th century Britain. Hello Fiefdom!
You think that I'm crazy, you should see this guy!
And what happens when the DHS begins to use Linux/Solaris/et al and the attackers focus their attention on these products and find numerous and obvious vulnerabilities?
People tend to forget that more holes are found in Microsoft products partly because more people use Microsoft products. As a result, that's where the attackers focus a great deal of their energy. Linux would have the same problem if it had Microsoft's market share.
What happens if SCO goes after the Department of Homeland Security for using something like Linux? Would it be considered terrorism?
Amazing! A company whose tag line is "open markets, open systems, open networks, and full, fair, and open competition" urges the adoption of open source software? And The Inquirer posted this MS bashing news story?
Next thing you know, it will be linked off of slashdot. This is highly irregular behavior, and very newsworthy.
Slow news day?
I'm going to mention this in my class, in front of everyone. I'm also going to tell them how flaky XP and MS products are in general!
This is a lesson to us future PHBs!!!!!
Microsoft isn't that bad. They're getting more attention and anger transferred to them from virus writers because they're the biggest company in the industry. Nothing's perfect & security is the hardest aspect of a software system to test and validate. And frankly, I think their model works better than Red Hat's, where I get 3-5 emails a day notifying me of critical software fixes. I just don't have that kind of time.
Microsoft supports terrorism!
The OMB (Office of Management and Budget?) just added MacOS X and Linux to approved OSes to use for government applications.
With the right push, we might see the tides change in *nix favor.
Seriously, if this guy really wanted to help out the government, he'd be suggesting that they keep their systems patched and stripped down and firewalled, and that they employ an expert security team no matter what OS they use.
The fact is, you can make Windows as secure as any other OS out there, as long as you know what you're doing.
I think it's fishy that they don't back up their "obvious and easily exploited vulnerabilities" claim with any real examples. The only evidence they provide is Blaster and SoBig -- an exploit for a vulnerability patched a month in advance, and a simple dumb-user email worm. Unfortunately all anyone sees is the fact that two worms came out near the same time -- and not the fact that they could have been prevented easily by more competent sysadmins and informed users.
Anyway, I think it would be cool to see the DHS use a less-mainstream OS. But I don't think this open letter makes an argument any more sophisticated than the "Microsoft sucks! You'll get a million viruses dude!" spouted off by any 13-year-old Linux zealot.
ANY software can be compromised to ANY degree. There are just as many exploits lurking in an Open Source distribution (let's face it, it's rare that someone uses ONLY the Operating System), as there are in anything.
Implementing (and adhering to) strong policy, working diligently to keep systems updated, and keeping users informed are essential parts of creating (and maintaining) a "secure" infrastructure.
Granted, it's easier said than done; but it's possible. There are FAR MORE corporations/entities that DID NOT get affected by blaster/sobig/melissa/codered/etc. than there are corps/entities that did.
It would be totally inappropriate for a government agency to blacklist a specific vendor without going through extensive hearings. That does not mean that they should not consider the vendor's history when evaluating each purchase. For the anti-MS crowd that means that they should reject each MS product individually.
More seriously, they need to evaluate what their software requirements are. I strongly suspect that they need software which will:
Come on, people, take a look at the membership of this organization and ask yourself if they would EVER take a position which was NOT anti-Microsoft. This is not some middle-of-the-road computer science organization, it's a lobbying organization with an axe to grind. That MS software has security flaws is a given, and their position in this case may well be correct, but the CCIA's opposition to MS software is NOT news.
Is that really the case? Are there really that many more vulnerabilities in MS operating systems than any other?
Or, is it just that since there are so many machines running Microsoft OSes, it is just easier to find and exploit these bugs?
I have yet to be convinced that the open source model truly leads to fewer bugs and vulnerabilities. Yes, more eyes can see the code, but still these many pairs of eyes miss things. Look at sendmail for crying out loud.
Well, this may be all well and good for government applications, as when dealing with resources of the government, security is obviously of the utmost importance. Let's be realistic, though. More damage is done to government and commercial sites by infected HOME user machines than probably any number of virii/worms that have slipped through some lazy sysadmin's email filters. A network is only as secure as the nodes remotely connected to it.
Too bad Linux-philes are running in too many (bleeping) directions to unite and make an operating system worthy of the Ma and Pa test. Tons of free software, very few general domain standards, and too many zealots who will see that it stays that way forever.
Pa: What the hell is a shell, and why do I want to make in it? That sounds like a Destruction Man reference. This thing is filthy and too complicated.
They came, they saw, they left, disgusted.
So can Open Source developers do a better job of building secure software? Is this an area in which Open Source software can compete with Microsoft?
A quick look at About CCIA lists the following:
Our member companies range from Sun Microsystems, Fujitsu, Nokia, Nortel Networks, Tantivy, Time Domain, and Vion to AT&T, Verizon, NTT USA, Oracle, Intuit, Yahoo!, Sabre, and AOL
It's the who's who of MS competition.
Well let's certainly hope that if DHS does decide to switch to open source, that it's not because CCIA advised them to. Making security decisions based on the allegations of some lobbying group, be they valid or otherwise, is pure idiocy. Do some independent research for Christ's sake.
Maybe this letter is a step in the right direction in this regard, but I have to believe that DHS already knew all of this. They are, after all, a government department DEDICATED to security.
It's not considered polite to insult open source operating systems and their user interfaces in mixed company.
The fact is, you can make Windows as secure as any other OS out there, as long as you know what you're doing.
Can you?
Can an NT administrator, using user level tools, perform the equivalent of a chroot jail? Can he make specific apps suid or sgid?
While Windows technically does not imply use of other Microsoft products, it does tend to be correlated with it. Outlook has had numerous poor security decisions that a mail admin simply cannot fix. IIS has also had poor architectural decisions. Remember MS swearing that they'd rewrite the thing from the ground up for the next release? The design of IE -- permeating the entire OS, providing many services to applications, and with no internal security model in place -- makes for all kinds of nasty problems. It's a great way for spyware to slip past personal firewalls, it's used in places like Outlook where a full-blown HTML renderer with the huge variety of features it has is a pretty bad idea from a security standpoint, and it provides a high degree of control to remote websites over the local computer -- much higher than Mozilla's.
The MS Blaster issue wasn't actually all that egregious, AFAIK. It's not like UNIX systems haven't had RPC flaws in the past, either. The real problem was the number of unmaintained machines that were vulnerable. I'd call something like Melissa, which relies on phenomenally stupid security decisions from Microsoft ("let's have an automatic execution environment in our documents, which are intended for wide interchange!"), much worse.
May we never see th
2002
Microsoft Yearly Earnings: $6.16 billion.
Microsoft Cash Reserves: $46 billion.
Microsoft Market Share: 92% of the Desktop.
Watching Ed Black poke Microsoft with the sword of its own making: Priceless.
I'm as much of a Linux advocate as the next guy, but it would be a HUGE task to migrate all of the United States Federal government Microsoft-based systems to Linux, especially if there was some sort of mandated short timeline.
The relatively easy part would be replacing simple desktop functionality. The not-so-easy part would be identifying and analyzing all of the custom software used by the US Federal government that is deployed using Microsoft-specific technology (e.g. Visual Basic).
Even if there IS a shift from Microsoft to Linux (or any other platform), out of necessity it will need to be a slow and careful process.
So an organization whose tagline is, OPEN MARKETS, OPEN SYSTEMS, OPEN NETWORKS, AND FULL, FAIR AND OPEN COMPETITION, is asking that the department of homeland security not use Windows based on security concerns. For crying out loud, their mission statement is the following:
CCIA's mission is to further our members' business interests by being the leading industry advocate in promoting open, barrier-free competition in the offering of computer and communications products and services worldwide.
Maybe I'm missing something, but this seems like nothing more than a high powered Washington based lobbying group whose business constituents are diametrically opposed to Microsoft. How is this even news?
I think their model works better than Red Hat's, where I get 3-5 emails a day notifying me of critical software fixes
If you took a few minutes to read those fixes you would realize almost all of them are "proactive", that is, they are fixing vulnerabilities, before an exploit is made against them. This is intrinsic in the OSS model, where experts worldwide examine the source code all the time, for instance in university classes and research centers. Commercial, closed-source software, on the other hand, usually is examined only by crackers who throw anything they can at the software until it breaks.
Personally, the system I prefer is Conectiva's, where apt-get is combined with rpm packages. Running "apt-get update; apt-get dist-upgrade" each time I get a vulnerability warning takes much less time than deleting spam, even in my relatively well protected email account.
If I had gone and said the North American power grid should be replaced at the wake of the outages [ . . . ], I would have been accused of countless acts of civil disobedience.
My first question is what is wrong with Slashdot? I mean someone saw fit to give the parent coward "Insightful" for what she or he wrote? Someone wind the clock back before 2000 when Slashdot wasn't frequented by Microsoft apologists.
I'm not sure what makes you think your exercising your 1st Amendment right to speak freely (assuming you're a US citizen) would be branded civil disobedience, but in case you're really worried (and not just ranting) know you're in good company: first, the outage of August 2003 has produced a US-Canadian task force to investigate problems with the aging power grid. In fact, the power grid is so important that it is the subject of dozens of assessments conducted by the North American Electric Reliability Council. Let's just say that NERC is not sanguine about the reliability of the North American power grid. The problem is so widespread that even US lawmakers anticipate a massive political dispute.
Regarding your comparison of the power grid to the Internet, network events such as MSBlaster and Sobig.F highlight the fragility of an information network built of insecure nodes. At present, the overwhelming majority of the nodes of the Internet are powered by Microsoft software. For better or for worse, "press releases and open letters right at the wake [sic] of major worms" draw attention to the real effects of maintaining so insecure an information network. MSBlaster and Sobig.F are not theories but facts and so prove the unreliability of an Internet composed mainly of Microsoft-powered nodes. The timely discussion of network events such as MSBlaster, Nimda, Code Red, Sobig.X, etc. in the press should, in my opinion, be an obligation of network administrators.
Given your post, you'd probably have us ignore the problem in the hopes that the next worm/virus/trojan does not damage our shared information network even more spectacularly. Thanks, but I would rather disseminate information and share data about such network events rather than stop my eyes, ears, and mouth with sand.
...the terrorists will be able to shut down the whole department-- they just need someone to pose as a "disgruntled former employee" and call the BSA tipline. The resulting software license audit will tie up DHS resources, and for a while the terrorists will have carte blanche to prepare their next attack.
"Well, two organizations support Microsoft, only one against" said Tom Ridge. "I guess that means we'll stick with Microsoft!"
The reason it has been unpatched for months at a time is because IT guys aren't doing their jobs. I have all of the computers in my department set to download any new Windows Update patches, then install them at 3:00am. Was I affected by the MSBlaster worm? Well, I had two machines out of 150 infected, and only because I missed them when I set up automatic Windows Update. However, it didn't spread to the other machines in my network.
I have started doing that where I work. Whatever has no equivalent in Linux, I run under Wine, temporarily, until I find a better way. Nowadays, I'm about 99% MSwindows-free, and about 80% Microsoft-free, that is, I boot under MSwindows less than 1% of the time and only one out of five programs I use regularly comes from MS.
I don't want to make any comment on the issue itself, but I do want to ask, why does the CCIA rep feel the need to quote a Washington Post editorial in his open letter?
Quoting someone to add weight to your argument, whether it's a philosopher, pop star or journalist, generally removes credibility from what you're saying because it suggests that you don't feel your argument is strong enough on its own.
If I were posting a comment on Slashdot about security, for example, and I quoted a security expert, then that would be fair enough because the intention would be to reference knowledge that I couldn't personally have.
But the CCIA published their open letter because, supposedly, their opinion is important and should be taken seriously. Quoting a journalist, especially at the conclusion of the letter, seems inappropriate and even a little desperate.
Yeah, there really needs to be "-1 Has no sense of humour."
(and no one better say anything about the spelling.)
// file: mice.h
#include "frickin_lasers.h"
The real threat is that when you have a closed system, you have a central point of failure (Microsoft) and you don't have the flexibility to change and modify things when you need to. Anyone who's read "The Art of War" knows that real defense is about how flexible you are, and that you are able to deal with the exceptions, not the rules - or how easy it is to change your stripes and adapt to changing situations and threats. You simply can't do that through a closed one-vendor system, no matter how much you plan. You simply can't do that when you can't access the source code, change it, and share those changes freely; you simply can't do that if you have to pay a subscription or royalty and keep tabs on every nook and cranny application and license - you can never decentralize, never regroup, never deal with unpredicted failures, when you're attached to a BSA dog-leash.
Just like freedom in the USA is the only real reason why it's so much better than the enemies, the freedom offered by Linux and the GPL has an internal value that makes it so much better than the alternatives. Only that is the end game, and only that is what will make us truly secure.
If the Department of Homeland Security were to be highly concerned about security, they wouldn't even have workstations with off-the-shelf distributions on them. They'd download the source code themselves, inspect it, and compile the distribution as an internal thing. And even according to the GPL, if it remains internal, i.e. no distribution to other parties, then they don't even have to say what their changes are.
In fact, they would be able to use a framework for distribution through their computer network modelled after Debian's or Slackware's or RedHat's, but with only their own versions of the software in the update tree. This way, they can hire staff with existing administrative knowledge of the flavour of distribution that they choose, and the person will not really have much of a learning curve. Or, if they're really paranoid, they can write it themselves.
I'd personally recommend against having any personal computer on the user's desk. Give them an X Term that uses some kind of high-encryption tunnelling scheme to deliver the applications to the X Server, and have departmental-sized or building-sized computers for the users to work on. This ensures much better physical security for the equipment, with a fraction of the physical assets to watch, and better data integrity since it would be stored on some fault-tolerant medium like RAID5. With a properly implemented security scheme for user login, either with some kind of biometric ID or an actually decent password scheme, it would be relatively difficult to break in compared to normal corporate environments.
As for local security on the application servers, it would require a fairly decent file security model, but big computers have been done before. The implementers would have to work to ensure no local root exploits, but that would be good for the community as a whole.
Let's see them get into my fully patched XP box. Really. All the recent viruses, etc. haven't affected me. Security is as much dependent on the user as the software. Sure, it's fun to blame MS for the Windows security problems, but when the users don't apply the patches how can MS be on the hook? Off the cuff I'd say the average Linux user is much more technically savvy than the average Windows user. That certainly plays a big part in the security of the box.