Reliance On MS A Danger To National Security
An anonymous reader writes "A panel of leading security experts Wednesday blasted Microsoft for vulnerabilities in its software, and warned that reliance on the Redmond, Wash.-based developer's software is a danger to both enterprises and national security." (Even OpenBSD might be bad if it was the only game in town.) M : The report (pdf) makes good reading.
welcome our new security overlords.
"We always consider security to be our absolute top priority," - Microsoft spokesman Sean Sundwall
You mean their proclivity to collect the world's cash is a secondary mission? Wow, Windows must be like the most impregnable fortress ever, and more.
I hope the government, in the interest of national security, can clean up MS. All the anti-trust cases don't help the problem, rather they just help companies with posturing.
Now, putting this kind of pressure on MS may really make them work harder. Imagine the government turning its back on MS, in the interest of national security. Wake up, Microsoft, before it's too late.
Urantian -- and proud of it!
the most important line in the article:
"And simply patching the vulnerability--as Microsoft has increasingly had to do on the fly as vulnerabilities are disclosed--only exacerbates the problem."
Finally someone realizes it's not enough to just fix the problem; problems should be avoided in the first place! (I know, I know, easier said than done, {insert OS here} isn't perfect either).
Children in the backseats don't cause accidents. Accidents in the back seats cause children.
Remember adequacy.org? The internet became less fun the day that site died.
Reliance On MS A Danger To Rational Security
See the Pictures of the Flood of '08
This article help explains very well why diversity in computers is a good thing.
(It's harder for virus makers to affect more computers at once if fewer computers use the same OS)
I see no mention that it is the administrators who must share responsibility for the compromises and exploits.
Feed the need: Digitaladdiction.net
Bears shit in the woods and the Pope turns out to be catholic!
Now lets all unanimously stand up and give a long, groaning "duuhhhh"
If I had a dime for each time someone wrote a report stating that the MS monopoly was dangerous to _____, I would probably have enough money to pay my parking tickets.
IMHO, the government should take notice of all the warnings, and act before it's too late.
I also appreciate the report comparing all PCs running MS to a farmer only harvesting one crop (and having the risk of infestation ruining everything).
Celebrate Steak and a Blowjob Day!
Uhm, you're kinda new around here, aren't you?
I find the argument against Microsoft as a problem for national security ringing a little hollow. First, the US government is a complete hodge-podge of computer systems, databases, and technologies from various epochs, all of which is unfunded. In fact, the latest US CIO is not going to get the funding needed to create a central IT.
So the problem, as I see it, is that the US government has some severe, endemic, structural problems relating to IT policy which put citizen privacy, national security, and proprietary knowledge at risk.
Of course, put Microsoft on top of the quagmire and you've simply opened the door to the vault for every hacker in the known universe.
I have a hard time blaming the problems of US IT policy on an OS; it's hard to fathom.
"This isn't a study in computer science, its a study in human behavior"
And the Navy is going to Microsoft in a wholesale way. The new mega-contract NMCI is locking the Navy into an MS solution for _all_ IT. Non-conforming (i.e. non-Microsoft) systems are labeled as legacy systems and all new development will be required to use MS products in order to be on the network. Also, all network storage will be stored in a single facility!
This is, I believe, a very dangerous approach for the reasons discussed in the article.
In addition, there is the inefficiency of restricting a solution to a small set of tools. How many large organizations standardize on a single environment for all computing and IT needs?
Hell no! Kill Gates, he's gonna get us killed with a national security disaster! AND he's big business... and he's abusive of his power. DOWN WITH GATES (they hold you back) and UP WITH TUX (freely permits anything you need). And... I just forgot the constructive comment I had... :/
Karma: Good, or bust!
Ho hum...windows security sucks....what else is new.... Though quite honestly, Microsoft should stick more to what it's good at, being a user-friendly operating system where security isn't a concern for the end user. Let the *nix geeks create the ultra-powerful, ultra-robust, secure-as-can-be solutions anyway...
...in bed
From the pdf properties....
Application: Acrobat PDFMaker 5.0 for Word
PDF Producer: Acrobat Distiller 5.9 (Windows)
As much as I have great respect for the authors, why does the word Hypocrisy spring to mind....
"Microsoft's monopoly threatens consumers in a number of ways, it's clear it is now also a threat to our security, our safety, and even our national security." Well spoken
You can get more with a kind word and a gun than you can with a kind word alone. - Al Capone (1899-1947)
Prediction: most of the counters to this will come from the observation that it was sponsored by the CCIA, which contains many of Microsoft's would-be competition. Of course, the CCIA contains just about everyone -- but then I repeat myself.
Lacking <sarcasm> tags,
(trying desperately to remember the quote from Ghost In The Shell)
It's not Microsoft, specifically. The problem is monoculture. No matter what the dominant OS - Windows, Linux, Mac OS, BeOS - the number one guy gets picked on the most, and exploited the most. That creates weakness all the "trustworthy computing" in the world can't fix.
What I fear is some kind of mathematical "reduction" of the problem. "OK," they'll say, "we'll mandate that 30% of stuff move to Linux". OK, great idea: which 30%? "Hmm, you're right. We'll say 10% of web servers, 10% of desktops, and 10% of back-end (DB, etc) stuff." Getting warmer: which 10% of the web servers? Which 10% of the DB servers? Can you get rid of some of your MSSQL on W2k and replace it with Sybase on Linux (easily, with no serious cost and porting problems)? Etcetera, etcetera. I call that "going nowhere fast".
I guess what I'm trying to say here is, I don't really see how to undo the monoculture, when it is backed by 1)such amazing industry power and 2)such entrenched mindset. Figure out how to get people to seriously believe they can run Linux, or Mac, or whatever, and you've gone a long way to solving the problem; but isn't that what people like Microsoft are working just as hard to undo?
ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
dos=high,umb
files=8192
Good luck!
To Hell with compromising US security. They use Windows??? Ha ha! We've got them covered.
Red Eagle, Red Eagle, that's a positive. Strike co-ordinates confirmed.
Reports like this frighten me deeply. The possibility that people exist who don't already know that "operating system monoculture = bad" just boggles my mind. Of course, there are the people who do know this, and pretend not to (read "Microsoft, MCSEs, maybe government kick-back-takers"). Those people make me angry, but I think that we are in more danger from the first group (idiots) than the second (the willfully evil). OK - that was some good spleen-venting.
While the report's authors note the seriousness of their recommendations, they stood by them. "When the government uses a product whose monopoly position undermines its security, anti-trust becomes a national security issue..."
That's it! Get the National Guard surrounding Redmond immediately! Shut 'er down!
I watched C-beams glitter in the dark near the Tannhauser gate.
"Microsoft's attempts to tightly integrate myriad applications with its operating system have significantly contributed to excessive complexity and vulnerability. This deterioration of security compounds when nearly all computers rely on a single operating system subject to the same vulnerabilities the world over," Geer added.
My computer has a first name, its M-i-c-r-o-s-o-f-t, and my computer has a second name its M-o-n-o-p-o-l-y....
Racist asshole! Even though you're just trolling, you're still an asshole who should go to hell because he's so ignorant he can't realize that sort of shit's not funny. Fucktard.
In Soviet russia, only old Koreans profit from pictures of Natalie Portman stored on Beowulf Clusters.
Not that I like MS, but this situation would pertain to any other OS if 90% of machines were using the same OS. Even it it was an OS you liked or felt was secure it is a big issue.
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
We rely upon half-baked right wing Dr. Strangeloves to choose the foreign countries that will welcome our invasions...
We rely upon deregulated billionaires to keep our stock market and investment firms honest...
We rely upon greedy employers not to send our jobs overseas in order to ratchet up the stock value and buy themselves extra homes and diamonds...
So why shouldn't we rely on a convicted monopolist with a track record of utter failure behind it to keep our national computer infrastructure secure, too?
This is just Ed Black--a consultant for Sun and Oracle with a history of slamming Microsoft on behalf of his clients--using a forum to once again go after Microsoft. Ed Black ain't no security expert. He's a lobbyist. And what the heck has @stake done to be deemed a leading security firm? Ooh. They're consultants for IBM. (http://infosecuritymag.techtarget.com/2003/jun/digest05.shtml) Imagine that! IBM, Oracle and Sun bashing Microsoft.
This "analysis" is just a load of crap from Microsoft's competitors looking to get a piece of the defense-contracting pie.
This really is nothing more than common sense. As is pointed out, a monoculture of anything is asking for trouble, be it in computers or in agriculture. When there's only one type of target to attack, it's much more vulnerable than a diverse population is. This is a basic concept that extends all the way from basic genetics to the high tech of today - it's just that we occasionally need to be reminded of it, evidently.
No, not new. Maybe I'm just suffering from MS/SCO overload. I should stop reading slashdot for a while and get to work.
What wonders come from the labs of the troll scientists...
This new form of passive troll isn't as shocking as the other ones, but it does show a slight glimmer of creativity.
For those not convinced, look for the acronym in bold letters.
I agree with the report authors that the monoculture of Microsoft is dangerous. Any one of us can see that, particularly after this exceedingly expensive summer, the MS monoculture we're enduring is costing us billions.
However, I cannot agree with the recommendations that require MS to do this, that, and the other thing, such as releasing Office for other platforms at the same time as for Linux and MacOS. The only recommendations I could see supporting would be those that explicitly break up the company into OS and application divisions, in order to shatter their monopoly.
The recommendation that they must release their apps onto different platforms is, IMO, dangerous. It means that they will then unleash their "user friendly" nonsense on OSes such as Linux, and we'll end up with the absurdity of the Windows platform paradigm trying to seed its ugly crop of security problems in a new field instead.
For National Security purposes Governments should insist on only using applications that they can also purchase the source code to. They should insist on using applications that are proven to be secure, not just popular. And they should insist that software companies be held liable for flaws that cost them security.
Pierre
heh, and you probably wonder why your Karma is at "Bad"
real men don't reply to trolls, dumbass
I'll probably get modded down to troll or flamebait but really, how much better are any other OSes? On the heels of the two OpenSSH and the sendmail exploits, this comes out. Aren't OpenSSH and sendmail both *nix-based programs? Yes, the actual OS itself isn't to blame in this circumstance, but don't these tools come stock with most *nix distros?
Don't get me wrong, I'm not saying that M$ shouldn't be held liable for the craptastic OS that it spews out all the time, but really, how much worse is it security-wise, vanilla, compared to a vanilla install of any other OS? If I remember correctly, after installing Red Hat 9 the other day, 2 hrs of downloading patches commenced to update all the packages on it.
But everyone keeps saying "OpenBSD is dying"?!
I should stop reading slashdot for a while and get to work.
GOOD GOD, MAN! Get a hold of yourself! Do you HEAR what you're saying?
I can't see companies suddenly rushing out to switch to Linux from this alone. The recent virii, worms, and trojans have had a cumulative effect, and this will add to it, but I can't see it making a difference on its own.
Nothing - well thats something.
I agree with the article's conclusions, but I am not sure I agree with their proposed remedies. I think the most appropriate thing to do (for a government) is to require the use of open protocols.
For example, if the various departments and branches of the U.S. government would stop exclusively using MS Word as their ubiquitous document exchange format, that would make a big difference. Right now, if you want to do business with the U.S. government, you pretty much have to purchase and use MS Word. Then your office needs to purchase and use MS Word. Well, as long as your Washington office is using MS Word, I guess that field office that decided to save some money by using Word Perfect ought to "upgrade" to MS Word as well. Seems the import filters for Word Perfect don't quite get the latest version of MS Word just right.
OK, you can use Open Office or Word Perfect to create your documents, but will the pagination, headers, footers, and other tidbits come out right? No. These software products cannot make a "perfect" MS Word file because they don't know how. Microsoft has not published the specs for such a file. When the import filters get close, the MS Word format (the default format that the latest version saves to) changes ever so slightly.
How about the U.S. standardize on an open document format (egads-- not SGML but maybe even Microsoft's own RTF... anything!). Then, make sure their e-mail systems, VPN protocols, encryption formats, etc. remain based on open standards. Where Microsoft (and to be fair, others) "embrace and extend"... don't allow such non-standard extensions for dealings with the government.
Any false property right is a danger to society's security. Just look at how slavery led to the Civil War. Today many are betting trillions of dollars on a false premise, that works of knowledge can or should be owned, without any understanding of what that implies. Because information is becoming so easy to copy, change, and manipulate, the "middle" ground is quickly evaporating: either all information will have to be controlled or none of it.
Even with perfect administration the danger of monoculture exists.
A single MS RPC exploit would make all machines vulnerable until patched.
A single WMA buffer overflow makes all machines vulnerable until patched.
No matter how perfect, the problem isn't the administrators, but the monoculture. If one in 3 machines was Mac, and one in 4 were Linux, you'd have enough diversity that a virus would slow down drastically enough to be contained.
GPL Deconstructed
Is relying on one vendor even that bad of an idea? The really bad idea is relying on computers for national security.
Think of the locks that are used for locking the doors of government buildings. Are they all from one vendor? What happens when it is discovered that locks from that vendor are more vulnerable to being kicked in? I don't imagine a bunch of engineers get together to design better locks in their spare time, however there is the chance that might happen if the most popular lock company was constantly making locks that were more vulnerable than necessary.
However there is still a key difference between locks and computer security that must be considered: location. A locked building in Washington, DC isn't going to be compromised by someone in China. Anything that is so important that obtaining it can be considered compromising national security should not be stored on a computer accessible to the internet.
The government should realise this (they probably do) because this isn't the first time this has been an issue. Long distance communications during wars before the internet used various means of encryption to keep national secrets secure. Why can't they do the same for electronic communications? Create the electronic message on a machine that isn't connected to the internet, encrypt it, and burn it to a CD. Either mail the CD or send it using a computer connected to the internet. Then destroy the CD.
The government likely knows this and almost certainly has national secrets under more heavy protection than a sneakernet. When they complain about insecurity, whether it be from terrorists flying planes or Chinese youths, what they really want is money and laws. They're not actually so clueless as to leave valuables lying around, but it's useful to let citizens think they do.
That's pretty mean-spirited, but if you really want it to be effective, provide the full path to rm (usually /bin/rm) because some shells have rm aliased to rm -i
No-- not fair.
OpenBSD does *not* have a variety of mostly unused ports open by default. Windows does.
OpenBSD does *not* release "features" that few people need (or even use), that later are exploited by worms or viri. Windows does (e.g. messenger service, RPC, etc.).
OpenBSD does *not* come with a built in mail client that will execute any random code sent to an inbox. Windows does.
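The comparison above turns on what a host exposes by default. Rather than take either vendor's word for it, a practitioner audits the live socket table of each machine. The script below is an added example, not code from the thread or from any vendor: it parses `netstat -ano` output in the Windows column layout (the sample text is constructed, not a capture from a real system) and reports every socket bound to a non-loopback address whose protocol/port pair is not on an allowlist. The allowlist contents and the PIDs in the sample are assumptions.

```python
"""Audit what is actually listening on a host, from netstat output.

Added example, not code from the thread or from any vendor.  Parses the
Windows `netstat -ano` column layout and flags sockets bound to a
non-loopback address that are not on an explicit allowlist.  The input
below is constructed sample output, not a real capture.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample in the layout of `netstat -ano` on Windows.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING       3316
  TCP    10.0.0.5:49200         10.0.0.9:443           ESTABLISHED     2100
  TCP    [::]:135               [::]:0                 LISTENING       880
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:1900           *:*                                    1500
  UDP    127.0.0.1:1900         *:*                                    1500
"""

LOOPBACK_PREFIXES = ("127.", "::1")


@dataclass(frozen=True)
class Socket:
    proto: str   # "tcp" or "udp"
    host: str    # bound address, IPv6 brackets stripped
    port: int
    state: str   # "LISTENING", "ESTABLISHED", ... or "" for UDP rows
    pid: int


def split_endpoint(text: str) -> Tuple[str, int]:
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '[::]:135' -> ('::', 135)."""
    host, port = text.rsplit(":", 1)
    return host.strip("[]"), int(port)


def parse_netstat(output: str) -> List[Socket]:
    """Parse the data rows of `netstat -ano`, skipping headers and blanks."""
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        if not fields or fields[0].upper() not in ("TCP", "UDP"):
            continue
        proto = fields[0].lower()
        host, port = split_endpoint(fields[1])
        # TCP rows carry a State column; UDP rows do not, so their PID
        # is the fourth field rather than the fifth.
        if proto == "tcp":
            state, pid = fields[3], fields[4]
        else:
            state, pid = "", fields[3]
        sockets.append(Socket(proto, host, port, state, int(pid)))
    return sockets


def is_network_reachable(sock: Socket) -> bool:
    """True when other hosts can reach the socket.

    A wildcard bind (0.0.0.0 or ::) or a bind to a specific non-loopback
    interface is reachable from the network; 127.x / ::1 is not.
    Established TCP connections are not listeners and are ignored.
    """
    if sock.proto == "tcp" and sock.state != "LISTENING":
        return False
    return not sock.host.startswith(LOOPBACK_PREFIXES)


def unexpected_exposure(sockets: List[Socket], allow: Set[Tuple[str, int]]):
    """Reachable sockets whose (proto, port) is not in the allowlist.

    Returns sorted (proto, port, pid) tuples, de-duplicated so that a
    service bound on both IPv4 and IPv6 is reported once.
    """
    findings = {
        (s.proto, s.port, s.pid)
        for s in sockets
        if is_network_reachable(s) and (s.proto, s.port) not in allow
    }
    return sorted(findings)


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    # Assumption for the demo: only RDP is supposed to be reachable here.
    for proto, port, pid in unexpected_exposure(socks, {("tcp", 3389)}):
        print(f"unexpected {proto}/{port} exposed by pid {pid}")
```

On a real host, feed the actual `netstat -ano` output to `parse_netstat`; the same parser handles the IPv6 `[::]:port` form. The wildcard bind is the signal that matters: a service on 127.0.0.1 is reachable only from the machine itself, while 0.0.0.0 or :: answers the whole network, which is the exposure that let RPC-borne worms in.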
http://www.iht.com/articles/111195.html
WASHINGTON A virus seriously disrupted computer systems at the State Department this week, including the database for checking every visa applicant for terrorist or criminal history. The failure left the government unable to issue visas worldwide for nine hours.
The virus, which struck Tuesday, crippled the department's Consular Lookout and Support System, which contains more than 15 million records from the FBI, the State Department and immigration, drug enforcement and intelligence agencies. Among the names are those of at least 78,000 terror suspects.
A State Department spokesman said the virus, known as Welchia, did not affect any data on the name-checking system, and the agency's classified computer network - used to send its most sensitive messages and files - was not affected.
$cat
No system is 100% safe. There are some things one can do, like making sure everything is patched; another is to use odd systems. I worked for an architecture firm that used several Alpha servers for rendering projects. Several of these boxes had Tru64 UNIX. When a couple were retired from rendering duty, we reconfigured those boxes as our router and firewall in the office. Why? Well, Tru64 UNIX is an odd platform and not many know much about the system. It's an added measure against script kiddies. Is it foolproof? No, I am sure, but as one admin put it, "If they know the exploits of Tru64 UNIX, they're a pro and probably not much we can do to stop those types". One of our boxes was attacked with the OpenSSH bug. If the attack would have been about 6 hours later, it probably would have been patched. Our other 17 boxes were patched without a problem and someone has tried to attack our OpenBSD boxes several times (hell, I try once a month just to see how they react) with no luck. But hey, some bug with an FTP daemon or some PHP code and we're SOL. Bottom line: keep patches up to date, use odd and unusual systems on the in/outbound traffic if you can, and keep lots of backups...
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
Gates is a Bilderberger. The Bilderberger group is a transatlantic neofascist organisation that was started in response to Hitler's defeat in WWII. They have infiltrated the highest echelons of Western countries.
Remember always that the upper classes in the USA, Britain and Ireland were largely pro-fascism.
Keep your rent for when people say "OpenBSD is good". Today Timothy said "OpenBSD is bad". You can't have it both ways.
Haha. For god's sake don't listen to that.
Ad logicam: claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
It's better to spend taxpayer money and make one company rich (which helps the stock market) than save taxpayer money and make nobody rich. Duh.
How is this logic different from that of a pyramid scheme?
S
YOU FAIL IT AGAIN.
I believe you forgot the tags.
I hear ya.
.. :)
Of course, I'm *at* work
--- There isn't any problem that can't be solved by a small, low yield nuclear device, is there??
First, the use of Acrobat files should be discouraged in most cases due to readability issues. Second, this really does demonstrate the fact that Joe User likes his Word. Third, a couple of guys asked about making PDFs w/o Acrobat on the desktop. - Adobe used to have a page where you could make them for free on their website.
OR - you could get a Mac where any print job can be directed as Acrobat output if you like to torture others gratuitously - I like to make mine out of a plain text editor or BBEdit Lite. Muah ha ha - Yo ho ho and a bottle of Trolls.
Bloody Jack's sig.
Any preoccupation with ideas of what is right or wrong in conduct shows an arrested intellectual development. (Wilde)
Its kind of a shame that we aren't still in the days when this was all a game and nothing serious was in the way...
An infinite number of monkeys will eventually come up with the complete works of
That it doesn't only affect US gov IT. It affects US military IT, US medical IT, US business IT, US service IT...
Nearly every sector of the US economy suffers from the Microsoft monoculture, and is therefore vulnerable to the same problems every other sector has...
Once one gets it, all will get it. That's kind of the inherent danger of monoculture.
GPL Deconstructed
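Two comments above make the same quantitative claim: the one saying a 1-in-3 Mac, 1-in-4 Linux split would slow a virus down enough to contain it, and the one saying that in a monoculture once one host gets it, all will get it. The following is an added example, not code from the thread: a toy propagation model in which every infected host scans a few random peers per time step and compromises only those running the one OS the hypothetical worm exploits. Fleet size, scan rate, the single-exploit assumption and the random seed are constructed assumptions, chosen to make the effect of composition visible, not to predict real worm speed.

```python
"""Worm spread across a homogeneous fleet versus a mixed one.

Added example, not code from the thread.  Toy model: each infected host
probes PROBES_PER_STEP randomly chosen hosts per time step and compromises
any that run the one OS the hypothetical worm exploits.  Only the OS mix
differs between the two runs; fleet size, probe rate and seed are
constructed assumptions.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional

N_HOSTS = 1200
PROBES_PER_STEP = 3
TARGET_OS = "windows"            # the only OS the worm can exploit

MONOCULTURE = {"windows": 1.0}
# the 1-in-3 Mac, 1-in-4 Linux split from the comment above
MIXED = {"windows": 5 / 12, "mac": 1 / 3, "linux": 1 / 4}


@dataclass
class Outcome:
    vulnerable: int                        # hosts running TARGET_OS
    compromised: int                       # hosts the worm reached
    steps_to_90pct_vulnerable: Optional[int]
    steps_to_half_fleet: Optional[int]     # None if half the fleet never fell
    timeline: List[float]                  # fraction of the whole fleet owned, per step


def build_fleet(mix: Dict[str, float], n: int = N_HOSTS, seed: int = 1) -> List[str]:
    """One OS label per host, with exact shares, in shuffled order."""
    fleet: List[str] = []
    for name, share in mix.items():
        fleet += [name] * round(share * n)
    random.Random(seed).shuffle(fleet)
    return fleet


def simulate(mix: Dict[str, float], probes: int = PROBES_PER_STEP,
             seed: int = 7, max_steps: int = 5000) -> Outcome:
    """Run the worm until every exploitable host is owned (or max_steps)."""
    fleet = build_fleet(mix, seed=seed)
    n = len(fleet)
    vulnerable = fleet.count(TARGET_OS)
    if vulnerable == 0:
        # nothing to exploit: the worm never gets a foothold
        return Outcome(0, 0, None, None, [0.0])

    rng = random.Random(seed)
    infected = {fleet.index(TARGET_OS)}            # patient zero
    timeline = [len(infected) / n]
    steps_90 = 0 if len(infected) >= 0.9 * vulnerable else None
    steps_half = 0 if len(infected) >= n / 2 else None

    step = 0
    while len(infected) < vulnerable and step < max_steps:
        step += 1
        newly = set()
        for _ in infected:
            for _ in range(probes):
                victim = rng.randrange(n)
                # a probe only matters if it lands on an exploitable,
                # not-yet-owned host; everything else is wasted scanning
                if fleet[victim] == TARGET_OS and victim not in infected:
                    newly.add(victim)
        infected |= newly
        timeline.append(len(infected) / n)
        if steps_90 is None and len(infected) >= 0.9 * vulnerable:
            steps_90 = step
        if steps_half is None and len(infected) >= n / 2:
            steps_half = step
    return Outcome(vulnerable, len(infected), steps_90, steps_half, timeline)


if __name__ == "__main__":
    for label, mix in (("monoculture", MONOCULTURE), ("mixed", MIXED)):
        r = simulate(mix)
        print(f"{label:12s} vulnerable={r.vulnerable:4d} compromised={r.compromised:4d} "
              f"90% of vulnerable at step {r.steps_to_90pct_vulnerable}, "
              f"half the fleet at step {r.steps_to_half_fleet}, "
              f"final fleet share {r.timeline[-1]:.2f}")
```

Two things follow from the model's construction, and the comments it illustrates get both. Total damage is capped by the share of the vulnerable OS (`compromised` never exceeds `vulnerable`, so half the mixed fleet is never reached), and growth per step scales with that share because most probes in a mixed fleet land on hosts the exploit cannot touch. The caveat raised elsewhere in the thread also shows up in the model: it assumes one exploit per OS, so shared components such as OpenSSH or Sendmail running on several platforms, or a worm carrying several exploits, collapse the supposed diversity back toward a monoculture.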
Quite so - the monoculture argument is a red herring.
But Longhorn will ship with a secure code environment (.NET), where, as with Java, potential security flaws such as the use of pointers or unchecked code have been eliminated.
Meanwhile, Linux will be staggering on with C/C++. There's good reason to fear that then the shoe will be firmly on the other foot.
The Diebold crap is written in Visual Basic....
exploited by worms or viri
viri means men. Did you mean that?
I know it's OT, but OpenBSD is probably running all of the services in the default install that you'll ever use.
It's already running a hardened Apache, Sendmail, and OpenSSH and has PF installed and ready to go. What else would you plan on using an OpenBSD box for?
Personally, I'd guess that those programs probably perform 90% of the functions that people use OpenBSD for.
And the muscular cyborg German dudes dance with sexy French Canadians
Some people persist in saying that Windows isn't less secure, it's just a bigger target! Just today someone forwarded this to me from a David Pogue column in the New York Times. Sorry I don't have a link.
g gedin /bal-mac082803,0,1353478.column
***
I also wrote that Mac OS X and Linux are virus-free because they offer virus writers a much smaller "audience" than Windows -- a notion that's been much repeated in the press, most recently last week's BusinessWeek cover story.

That, as it turns out, is a myth, no matter who repeats it. There's a much bigger reason virus writers don't like Mac OS X and Linux.

"Unix [which underlies Mac OS X] and Linux ARE more secure," wrote one reader. "They have been developed, open-source style, by people who know exactly what they are doing. Unix and Linux have had at least 10 years of battling hackers to better themselves. This leads to an extremely secure environment."

Many of you also pointed out simple design decisions that make Mac OS X and Linux much more secure than Windows XP. For example:

* Windows comes with five of its ports open; Mac OS X comes with all of them shut and locked. (Ports are back-door channels to the Internet: one for instant-messaging, one for Windows XP's remote-control feature and so on.) These ports are precisely what permitted viruses like Blaster to infiltrate millions of PC's. Microsoft says that it won't have an opportunity to close these ports until the next version of Windows, which is a couple of years away.

* When a program tries to install itself in Mac OS X or Linux, a dialog box interrupts your work and asks you permission for that installation -- in fact, requires your account password. Windows XP goes ahead and installs it, potentially without your awareness.

* Administrator accounts in Windows (and therefore viruses that exploit it) have access to all areas of the operating system. In Mac OS X, even an administrator can't touch the files that drive the operating system itself. A Mac OS X virus (if there were such a thing) could theoretically wipe out all of your files, but wouldn't be able to access anyone else's stuff -- and couldn't touch the operating system itself.

* No Macintosh e-mail program automatically runs scripts that come attached to incoming messages, as Microsoft Outlook does.

Evidently, I'm not the only columnist to have fallen for this old myth; see http://www.sunspot.net/technology/custom/plu for another writer's more technical apology. But the conclusion is clear: Linux and Mac OS X aren't just more secure because fewer people use them. They're also much harder to crack right out of the box.
***
You like your Macintosh better than me, don't you Dave? Dave? Can you hear me Dave?
In a post from last week.
Somebody should hire me to predict the future of various aspects of I.T. ;-)
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety" - BF
...it would cost less for the government to rent all that juicy unused fibre all across America and build a large private intranet. You want security? Well, disconnecting from the internet would be a good start.
JaredSyn.
I find it a little suspicious that the story refers to an anonymous group of "leading" security experts with no credentials listed. One needs to be skeptical of these things, especially when it appears that much of it is backed by Microsoft's competitors. Could they be an objective panel? Possibly. Could it be FUD? Possibly.
Slashdot: Playing Favorites Since 1997
Windows XP Professional
Windows XP Home Edition
Windows XP Tablet PC Edition
Windows XP Media Center Edition
Windows Server 2003, Standard Edition
Windows Server 2003, Enterprise Edition
Windows Server 2003, Datacenter Edition
Windows Server 2003, Web Edition
Windows Small Business Server 2003
Windows 2000 Professional
Windows 2000 Server
Windows 2000 Advanced Server
Windows 2000 Datacenter Server
Windows Me
Windows 98
Windows 95
Windows NT Workstation
Windows NT Server
I find the whole thing very strange considering Slashdot itself posted the study about how Linux is the most breached OS on the net.
But every day is I-hate-Microsoft day at Slashdot.
"Sufferin' succotash."
No mention of the identities of the so called security experts either.
Alcohol may be bad for your liver. Film at 11.
For reference, look at the recent discussion here about all ATMs moving to a hacked-down version of Windows because it would be compatible with the rest of the banks' networks.
Microsoft is a company. Its reason to be is profits... as much profit as possible. Just like every other company.
The problem is that they are too good at corralling all the business. (Someone somewhere is going to blow a gasket at the idea that could be a bad thing -- "Free Marketeers, unite!")
We sometimes look at this as though Microsoft's goal is to make the best operating system. That's only true as long as you define that in terms of whatever will get the most only marginally clueful management folk to swing the business in Microsoft's direction.
I think Microsoft feels that it's only in their best interests to provide the most security in their OS that they can as long as it contributes to the bottom line. If it comes to a choice between making things "easy" to sway the business, and making things more "secure", the choice has always gone with the money. They don't really have to make a truly secure operating system because they get the business through marketing tricks without going to the extra trouble.
And of course, once they have an iron grip on one market, they look for any way they can to use it to drop a hammer on competition in the next market they set their sights on.
This is why we have anti-trust laws. They are the check-and-balance of capitalism. There *is* such a thing as being too good at creating a profit. There's a point where you haven't *explicitly* broken any laws but you've driven the competition out and there's no incentive for you to produce good products because you're now in a position to create barriers to entry so high that no one can challenge you.
Unless the newborn competition can wish on a genie's magic lamp and instantly have equivalent marketing muscle to the company that already has a monopoly. Uh... yeah... right... that's going to happen. At that point, the market doesn't fix things anymore. A new set of rules apply.
Writing papers to point out the fact that a monopoly is bad hasn't worked so well for anyone so far. This isn't the first one published.
Quoth he
"It's all academic anyway..."
10% of the webservers, 10% of the desktops, 10% of the back-end-stuff, makes 10% of (webservers+desktops+back-end-stuff ...)
Evert
Just don't let Microsoft Computers connect to the internet directly With properly placed firewalls there shouldn't be a problem
"Ironically, Microsoft's efforts to deny interoperability of Windows with legitimate non-Microsoft applications have created an environment in which Microsoft's programs interoperate efficiently only with Internet viruses," said Geer.
Gotta love it.
"Suppose you were an idiot..... And suppose you were a member of Congress... But I repeat myself."
Face it, if Linux had the 97% computer marketshare that Windows has, those recent strings of ssh vulnerabilities would have been remote code worms making the rounds. And everything would be reversed, and probably most of the people posting here would hate Linux and be using some other "alternative" OS.
"Sufferin' succotash."
You have a good point here, because the point was ringing in my ears as I read the report.
On the one hand, it is true that the combination of Windows' lack of interoperability, closed-source nature, tight integration, and near-monopoly status make it uniquely qualified to spread damaging viruses quickly, better than other operating systems. If you don't take great consideration to how you set up your IT infrastructure, you're going to get burned.
As you say, the problem is ultimately one of policy, not technology. If you know what you're dealing with, if you know what you're doing, you can establish and enforce policies in your IT infrastructure that prevent the spread of viruses. Every time a virus strikes, we hear about it from the ones that don't. We aren't hearing about the places that haven't had problems. They are out there!
Is Windows adoption by itself a danger to national security? Hardly. Bad IT policy is, regardless of OS. So when a group like this overstates their case, it really damages the valid point that Windows IS more difficult than other OSes, that certain things about Windows DO make it dangerous to adopt by a government.
I'd rather hear them talking in more moderate and modest terms. Making overblown claims that aren't easily and obviously supported by the evidence is going to make people think that the pro-OSS/anti-Windows folks are a bunch of frickin' loonies when the slightest bit of investigation can find flaws in the claims.
First of all, welcome to Slashdot, where prejudices are as regular as the sunrise (or more so). If you want a prejudice-free environment, go elsewhere.
As to the security of OpenBSD (and I suppose everyone should take my comment with a grain of salt, since I run it on my servers), show me another OS with privilege separation, practically no suid programs, a chroot()'ed Apache, integrated ProPolice support, etc., ad nauseam. For heaven's sake, with 3.4 they're switching i386 from a.out to ELF -- forcing all of us i386 users to install from scratch -- simply because it's harder to crack. Show me any other OS that will go to such extremes for security, and maybe I'll quit glorifying OpenBSD.
How To Get Humans To Mars
Check the author field in the pdf document summary.
Seriously.
I read a lot of folks saying that "any OS will have problems". Sure, that's true to some extent.
However think about this: Microsoft code is on 90+% of all the systems out there. Your doctor. Your lawyer. Homeland security. The bank. Your friends. Everybody that does anything important with your life is probably using Windows to do it. That means Microsoft has a HUGE responsibility to society. It goes beyond the responsibility that Apple or IBM or anybody else has.
And think about this: Microsoft has vast capital. Imagine it: one billion dollars (barely a scratch in microsoft's bank account) could pay ONE THOUSAND developers ONE MILLION dollars apiece to find security holes. That's just one example.
And finally this: there IS software that is more secure. OpenBSD and qmail are two examples.
Put these things together and you'll realize just how ashamed Microsoft should be. How on earth can a company with so many resources, so many PhDs and billions of dollars, and so many customers fall so short on security? Why do people say with a straight face that this enormous company is "just the same as Linux/BSD/Mac" in terms of security?
Microsoft should be FAR AHEAD of all these other companies in terms of security and quality code. The best they can do is Palladium, which locks everything down completely?
There are several possible explanations:
1) microsoft is incompetent. (I don't believe this one.)
2) paying through the nose for software doesn't buy you anything. Infinite resources can't improve software. You might as well use free software. (I kinda believe this one myself).
3) Microsoft is playing a game, knowing exactly what they are doing at every step. They know not to give their customers any more than the bare minimum to keep them as customers, and not one feature more. They know that if software quality legislation is passed, only they have the resources to survive. So they hang tight and hide behind the EULAs. (This is probably the real reason).
So what do we do?? We better do something FAST before the government steps in.
I tend to disagree.
...
Reliance on open-source means keeping at least some level of control, instead of giving the control away.
The company I work for is another nice example of a Mickey-shop.
It's mind-boggling how much they are the slaves of the imposed upgrades, and how they even accept it, or worse, choose to do so.
Choosing open-source should not be merely based on financial arguments, but more on trying to safeguard the ability to do what you want/need to do with the software, and when, and how.
Evert
A little off subject, but Dell does sell linux-based workstations....they just don't advertise them.
Yeah, I read the stories about that also. And, since most web and e-mail servers and most small ISPs are running Linux, it could stand to reason.
However, even though Linux servers are the most attacked/breached or whatever, when mom and pop ISP #1231 gets '0WNZORD', it doesn't cause the gigantic ripple effect of every server on the 'net falling over, unlike a Windows box. When a Windows box gets '0WNZORD', entire countries get swamped off the 'net. You know, a la the Slammer worm, which knocked South Korea off the 'net, and swamped damn near everyone, no matter what their box was running.
This is what true computer security personnel take into consideration. Not just how many systems are attacked, but what the effects of those attacks are. You know, if one Linux box gets taken over, does it automatically take over more? Very unlikely. Each box usually needs the individual attention of the cracker, and then, when successful, it is usually only with the permissions of the logged in user, i.e. not root. Compare this with most Windows boxes, which, when one is cracked, automatically turn and attack more, and way more Windows boxes run as Administrator, either by default, or because some shit-ass program requires it.
So, yes, more Linux boxes are attacked, but the overall effect of these attacks is orders of magnitude less than the overall effect of the attacks on Windows boxes.
For those who describe their systems as 'boxen', do you order multiple 'boxen' of corn flakes also?
MS's focus is on making computers easy for the everyman to use, and thus sell beaucoup licenses - unfortunately that includes the criminals / terrorists / spammers / worm authors / etc.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
I would usually be the first to jump on the bandwagon here, especially since the US Govt/Bureaucracy is notoriously stupid/slow/inefficient. However, I do know a few things.
1. Information which has military and security significance is not kept on Microsoft based computers. And before you go off and say that this VISA system contains top secret information, or whatever....first, this system isn't internet connected. Second, this worm was probably introduced via poor security practices. Third... BIG F*CKIN DEAL...so your cousin can't get his visa issued for a few days. Like I said, this is not a critical system, and they just send everyone back home, and new visas are able to be issued in a few days. If nothing else, we should be happy this happened, as it reiterates the security problems in Microsoft's OS. The high level thinkers here aren't idiots, far from it. Remember, the government employees you interact with on a daily basis aren't necessarily representative of the intellect on high.
2. There is a good general practice of not connecting these networks together. Not only that, but anyone slightly familiar with places like the NSA and CIA will tell you that there are separate networks for classified, secret, and top secret. Even when these computers all sit on the same desk, they are not allowed to move information between them, since there is theoretical possibility of data leakage.
3. Anything deemed secret or higher is run on things like virtual vault, trusted HPUX or Solaris. NSA has some stuff with Linux, but this isn't widespread yet.
Remember, the big thinkers in the Govt aren't in the fucking post office, VA, IRS, etc...
Geez people, do you think we got this far by being a nation of morons. Why do most wealthy foreign nationals send their kids here to the US to be educated?
Since we've started to address the issue of HOW to change, and WHAT to change, people who read may begin to realize it's not as simple as IT administrators and MCSEs saying, "OH! What was I thinking? I'll convert this all right now." It gets far more complex than that. While monoculture itself certainly can and does lead to an environment where one vulnerability hits everyone, it is nevertheless true that every OS has its vulnerabilities, and aside from the OS vulnerabilities, every application running on the OSes has its vulnerabilities. If you get rid of OS monoculture, what do you do about application monoculture? If you force Microsoft to interoperate with various Unix flavors, why wouldn't the newest Sendmail exploit affect everyone, especially if they use the same source? It's not a simple answer. Also, while not everyone who picks Microsoft as a target to bash is indulging in sour grapes complaining, the quote "Microsoft should not be allowed to release Office for any one platform, such as Windows, until it releases comparable Linux and Mac OS versions." certainly tends to make one think that in this case, they are. After all, what industry in the US is required, *required!* to make components that work with their competitors?
now really, is this news? must be a slow day in the world. Those schmart cookies from Redmond are at it again.
http://www.geocities.com/baddsectorr
In Mac OS X, even an administrator can't touch the files that drive the operating system itself. A Mac OS X virus (if there were such a thing) could theoretically wipe out all of your files, but wouldn't be able to access anyone else's stuff -- and couldn't touch the operating system itself.
I don't know where he gets that notion. If you have root access on *any* Unix, you can do whatever you like to any file, period.
And on Mac OS X's default installation, httpd, sshd and inetd all run as root. Granted, they're not all switched on, but as with Windows, a buffer overrun in any one of them will give you complete control over the system.
It's possible to protect yourself by running Apache as nobody, iff you can live with only one user having access to it. It's not possible to run sshd as anything less than root because it has to be able to setuid.
This is a problem relating to the user-based security system that all commercially viable modern OS's use. There has to be a root user who can impersonate any other user, but it also means that once an attacker gets root, checkmate.
man, that's a 5 if I ever saw one
Consider breathing. Everytime you take a big breath, you are killing yourself. Now, I doubt you'll consider *not* breathing anytime soon.
"It's simple, overspecialize and you breed in weakness."
Always liked that line.
There is no excellent beauty that hath not some strangeness in the proportion. -- Francis Bacon
SSH is amazing. Sure, I have to block it at the router at the moment, pending updates, but are you really considering it a net disadvantage? I'd say the presence of OpenSSH in the *nix world (and it's fine port Putty for win32) is a huge plus.
The equivalent in win32 is to throw a bunch of poorly implemented and largely documented controls at the world and let the kiddies run wild. A big piece of the evolution of windows is the increase in ways for strangers to do stuff to your machine. Dcom? What the hell is that? Why is it running? Why does it take a registry hack to eliminate it?
Lets look at your points.
You don't think that Mac and Linux are less of a target? If 90% of the world uses something, regardless of its inherent security, it will be attacked more. You disagree with that?
Another important reason that Windows systems are more often compromised is the general skill of the user base: Linux and Mac users tend to be more skilled at security than Windows users - not an absolute, just a trend.
Windows comes with 5 ports open...
Ok? What's the problem? If you don't want those services running...stop them! It's not a problem, just something in the default install you don't like.
Your next point, about software installation, is basically complaining that most Windows users log on as Administrator, or root. Again, if you are worried about this, DO NOT RUN THINGS AS ADMIN! Not a problem.
About protected OS files: Many people WANT to screw around with the OS. I don't see you complaining about Linux users being able to mess with OS files. Also, if someone roots your box, and can delete all your data files, what good, really, does having the OS still there do? You can just reinstall it, while you cannot get back your data.
Also, Outlook is not windows. I'm fairly sure that one can change some Outlook settings to make it not automatically run scripts. If not, nothing prevents you from, say, using Mozilla Mail.
Those sand niggers stink so bad I can spell them from here. Hell, I think that stench permeates their code even. With all the money they make you think they could afford some fucking deodorant or something, instead of rubbing curry on their nuts or sand in their pits or whatever they do to "bathe."
Worse, they wear cologne.
They fucking smell like a dead fucking horse, and add cologne to that.
What the fuck?!
You're closer to the truth than you think.
The President of the richest sport in the World, Formula 1 (no, not fucking CART or NASCAR) is Max Mosely, son of Oswald Mosely, leader of the British fascist "Black Shirts" during WWII!
Granted, Outlook is not Windows - but Windows has Outlook and the outlook engine deeply integrated into the core of the OS. You may be able to hide it from yourself, but not from a virus.
But we are talking about the computer that your Aunt Tilly buys to chat on the interweb-thingie!
And Guess what?
Your Aunt Tilly uses the default login from the OEM, which has full admin rights!
Your Aunt Tilly does not know what ports to close!
Your Aunt Tilly does not want to be bothered with firewall rules, IDS or security patches - She just wants to play Swedish Bingo at www.slingo.com!
Your Aunt Tilly can't de-install or permanently disable Active X, Outlook, or Internet Explorer, or the VBS scripting in MS Office 9x through XP-Pro!
I doubt that you can either.
But if you hack at it long enough, maybe you can disable all the OLE that makes Windows insecure, but then you would just have a crippled GUI on an OS that is not able to connect to a network.
And Aunt Tilly would not like that!
I know this for a fact, I have an Aunt Tilly!
We hear about this kind of thing constantly, from around the world (remember those two mainframes stolen from that Australian airport a couple weeks ago.) And every time they say something like "... while the computers involved were important, no confidential information was exposed or affected by the attack." Baloney. If they were so important then something valuable was stolen. Tip of the iceberg time, my friends. I think that information theft on a Biblical scale is going on all around us, from stealing actual computers to remote exploits ... we just hear about the ones that the media happens to cotton onto, and that only because the people doing it were clumsy enough to leave traces. The bulk of this theft goes unmentioned (and probably unnoticed as well ... the best system compromise is one that flies under the radar, leaving the victims blissfully unaware that it ever happened.)
The higher the technology, the sharper that two-edged sword.
"Ironically, Microsoft's efforts to deny interoperability of Windows with legitimate non-Microsoft applications have created an environment in which Microsoft's program interoperate efficiently only with Internet viruses," said Geer.
My karma is not a Chameleon.
47 billion dollars Cash
Greater than 95% of the desktop market
A greater monopoly than Al Capone
Security is their number one priority
BULLSHIT!
What a bunch o losers LOL
Why don't you just buy this one and use it on your forehead?
This is old news. In May 2000, infowarrior.org carried an article "Microsoft - A Proven Danger to National Security". I can't find the article on infowarrior but it was very popular and controversial for a while -- even here on /. The sad thing is this article was a warning that nobody in the government ever listened to. Microsoft sure didn't read this document. If they did, they've spent 3 years doing absolutely nothing.
Banjo - The more I know about Windoze, the more I love *nix
Actually, historically most illegal monopolies got to where they were by explicitly breaking laws, with malice aforethought. It's hard to prosecute a company that took over a market by producing quality products that customers love and buy over everything else. I'll use Intuit, for example. They took over the personal/small business accounting market because they were, well, just good at what they do. So, a monopoly in that context isn't intrinsically bad. Furthermore, such legitimate monopolies are inherently unstable as they will eventually screw up somehow, be superseded by a competitor, or just become obsolete. In those cases there is little need for government intervention along the lines of the Sherman Antitrust Act, because they will eventually fall from favor when they fail to meet the needs of their customers.
However, the problem comes in when monopolies use their market leadership to maintain their monopoly. That invariably involves stretching the law or outright breaking it, and is what got Microsoft in hot water, antitrust-wise. Many companies over the years have achieved market dominance at one time or another, and were eventually toppled from that position by their competition. And that's the key: competition. Microsoft has broken the law in order to suppress competition, and that's what makes them a "bad" monopoly.
The higher the technology, the sharper that two-edged sword.
Windows NT code volume rose 35% per year (implying that its complexity rose 80%/year) while Internet Explorer code volume rose 220%/year (implying that its complexity rose 380%/year). Consensus estimates of accumulated code volume peg Microsoft operating systems at 4-6x competitor systems and hence at 15-35x competitor systems in the complexity-based costs in quality. Microsoft's accumulated code volume and rate of code volume growth are indisputably industry outliers that concentrate complexity in the periphery of the computing infrastructure. Because it is the complexity that drives the creation of security flaws, the default assumption must be that Microsoft's products would have 15-35x as many flaws as the other operating systems.
First, the footnote to this paragraph says nothing about where this square of code volume stuff comes from, and there is a later reference to Lehman & Belady at IBM, but anyway...
I have a hard time taking this at face value. What is the rate of code growth in competitors? I thought all of Mozilla is new code from the last few years; that's pretty rapid. Maybe they're comparing it to Lynx.
Overall the report makes lots of specific claims about Microsoft and declares them to be bad, few or no specific comparisons to the competition, and it's written in part by Microsoft's competitors.
1. Information which has military and security significance is not kept on Microsoft based computers.
You my friend are totally full of shit. I am not going to say where I saw it or what I saw but there are tons of MS systems, even connected to networks, that were holding sensitive data. At least this was the case 5+ years ago and I would assume it is even worse now. It scares me to no end when I even think about the vulnerabilities.
these people are now JUST finding this out?
gotta love bureaucracy.
I predict that by 2013, two things will happen.
Spammers are going to discover that just like if you tell a billion people to send you ten dollars, at least 1% of 1% of them will listen to you and you'll make $10,000,000, if you annoy a billion people sufficiently enough, at least 1% of 1% of them will also kill you without thinking twice. The only reason the spammers are still alive is because the people who would kill them if they saw them on the street don't know that they're spammers. That will change. Spammers will start being killed. Spamming will become a very dirty business and it will be abandoned by all. And that's when the mob will get into spamming.
God help us all.
this situation would pertain to any other OS if 90% of machines were using the same OS
Yes and no. For example, I'm running the same OS (SuSE Linux) on several of my machines, but they're not a monoculture: one's a Sparc, one's a PPC, the rest are x86s. Of the latter, no two are running the same set of services, nor necessarily the same executable for the same service on different machines.
The former (different architectures) isn't even possible with MS (not since NT4, anyway), and the latter (different apps for the same service) is discouraged by the OS vendor. (Sure, some folks are probably running Apache on Windows instead of IIS -- but why not just swap out the OS while you're at it.)
The fact is that no other OS is likely to be the sort of monoculture that Windows presents even with a 90% share, for the reasons outlined above (not to mention the differences introduced by the different distro vendors). It'll be close enough for applications that the user wants to install, but tough for viruses and worms that have to be tweaked to target different holes in each's armor.
-- Alastair
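The spread-versus-share argument in the ripple-effect post above and in Alastair's diversity post, as an added toy simulation that is not from the report or from any poster in the thread; the configuration labels, probe rate and patch delay are constructed assumptions, chosen so that the worm's basic reproduction number depends only on the share of hosts running the targeted configuration.

```python
"""Toy worm-spread simulation: software monoculture versus diversity.

Added example, not from the report or any poster in the thread.  The
model is deliberately simple: a worm can only infect hosts running the
one configuration it targets, every infected host probes a few random
hosts per round, and infected hosts are patched after a fixed delay.
All labels, rates and delays below are constructed assumptions.
"""
import random


def build_population(n, share, rng):
    """Return n host configuration labels.  A fraction `share` of hosts
    run the configuration the worm targets ("target"); the remainder are
    spread evenly over four other (constructed) configurations."""
    others = ["alt-a", "alt-b", "alt-c", "alt-d"]
    return ["target" if rng.random() < share else rng.choice(others)
            for _ in range(n)]


def expected_r0(share, probes=2, patch_after=2):
    """Basic reproduction number of the toy model: each infected host makes
    probes * patch_after probes before it is patched, and a probe lands on
    a host of the targeted configuration with probability `share`
    (ignoring depletion).  Below 1.0 the worm dies out by itself; above it,
    an outbreak is likely."""
    return probes * patch_after * share


def simulate(hosts, probes=2, patch_after=2, seeds=3, rng=None, max_rounds=1000):
    """Run the discrete-round model and return how many hosts were ever
    infected.  States: S = susceptible, I = infected and probing,
    R = patched (cannot be reinfected)."""
    rng = rng or random.Random(0)
    n = len(hosts)
    targets = [i for i, h in enumerate(hosts) if h == "target"]
    if len(targets) < seeds:
        return 0                      # nothing to seed the worm on
    state = ["S"] * n
    age = [0] * n                     # rounds spent in state I
    for i in rng.sample(targets, seeds):
        state[i] = "I"
    ever_infected = seeds
    for _ in range(max_rounds):
        active = [i for i in range(n) if state[i] == "I"]
        if not active:
            break                     # worm has died out
        for i in active:
            for _ in range(probes):
                j = rng.randrange(n)
                # Only a still-susceptible host of the targeted
                # configuration can be infected; in a diverse population
                # most probes miss.
                if state[j] == "S" and hosts[j] == "target":
                    state[j] = "I"
                    ever_infected += 1
            age[i] += 1
            if age[i] >= patch_after:
                state[i] = "R"        # patched: stops probing for good
    return ever_infected


def attack_rate(share, n=5000, seed=1):
    """Fraction of the whole population ever infected for a given market
    share of the targeted configuration (deterministic for a fixed seed)."""
    rng = random.Random(seed)
    hosts = build_population(n, share, rng)
    return simulate(hosts, rng=rng) / n


if __name__ == "__main__":
    # Same worm, same probing rate, same patch delay; only the share of
    # hosts running the targeted configuration changes.
    for share in (0.9, 0.5, 0.25, 0.1):
        print(f"share={share:.2f}  R0={expected_r0(share):.1f}  "
              f"ever infected={attack_rate(share):.1%}")
```

With a 90% share the outbreak reaches most of the population; at a 10% share the same worm, probing at the same rate, infects only a handful of hosts before every infected host is patched.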
I agree that the default install of Windows isn't amazingly secure. However, I don't feel that that represents a fundamental flaw in an OS.
The NT project was our last, best hope for secure computing. It failed. But in the year of the DoS war, it became something greater. Our last best hope for more overtime due to endless patching. The version is 5.1. The name: Windows XP.
If Windows is, in essence, a default OS for most people and "computing" for lack of a better all inclusive term, has become vital as part of our national infrastructure along the lines of power grids, interstate highways etc. why is it a bad idea to nationalize Windows, at some drastically unfair rate of compensation to MS and open source it? For the good of the masses if you will. Isn't 40 odd billion enough with no more threat of litigation? By having Windows source picked over by the open source community wouldn't we be having the cake and eating it too?
Flame away...
...that NMCI is contractually obligated to be no more than one revision behind the "current" Microsoft OS. Ergo, once the new Windows comes out, everybody is getting shuffled to XP.
Our site is in the middle of NMCI rollout right now. It's a horrid horrid nightmare...
the number one guy gets picked on the most, and exploited the most
I think that's arguably not true in the web server market, in which Apache pretty clearly dominates. I've been curious for a while to see if anyone would do a study between Apache and IIS comparing rates of security hole discovery, average time to patch/update release, and average time between release and install. My suspicion is that despite being the clear market leader, Apache's stats in this regard are competitive with IIS.
I think Microsoft's spin "we're picked on because we're number one, it's a terrible burden to carry but we do it" is brilliant, but there are few mass markets in which to test that theory. The Apache vs IIS comparison is a great one.
Tweet, tweet.
Confucius say:
Open Source is like Bit Torrent, the more people that use it the better it gets.
So I think it's incorrect to think that if OpenBSD or Linux had 95% market share they'd be as flawed and bloated as Macro$haft's software products.
Show me one of their products that doesn't look like a cow that's been dead for a week: bloated to the point of bursting.
If DOS were still in production it would be a 3.6 GB install...
You say that the key is competition, however if you have a monopoly there is no competition. That's the definition of a monopoly.
In the case of a monopoly of a national or international scale there's no way for a true competitor to appear. The monopolist has the ability to crush a competitor through means that have nothing to do with the relative merits of the products in question. Any company with the instincts to successfully become a monopolist on a national or international scale has to have done so by being willing to squash the competition by any means it thinks it can get away with.
If a company can squash the competition by leveraging an existing monopoly, why would they compete on the merits? There's no incentive. Competition is inherently risky. It's a surer road to profit to make sure that the competition cannot reach a level playing field.
Not many companies can reach the place where they have the ability to leverage a monopoly to quash their competition. When a company reaches that position and begins to do so, we *DO* need the intervention along the lines of the Sherman Antitrust Act.
To quote your message, Can anyone think of any monopolies that have *NOT* tried to "use their market leadership to maintain their monopoly"?
Quoth he
"It's all academic anyway..."
my fault, i forgot to visually note my sarcasm.
Stupid people make stupid things profitable.
Right on, Bro. If you're going to point out the real downside to monoculture, do that instead of bashing such an easy target as MS installations. Grand-parent had a good point that folks who know what they're doing can stem the evil tide a bit with good implementation & policy. The only caveat to that is alot of them get to the level of knowing what's what by getting burned enough times ;!{
Can I bum a sig? I left mine at the office.
windoze has no security risk and it is bug free.
If you don't believe let me send you a check
I bought off homeland security. (Bill Gates snickers)
Let me see if I've got the timeline right: 1) US military uses MS software, 2) China is concerned about MS security, asks to see MS source code. 3) MS agrees, shows China MS source code 4) China decides MS is not the way to go, commits all government agencies to using locally developed version of Linux 5) WWIII starts and US military built around 'network centric warfare' finds all its computers crashing, US chaos and death on the battlefield ensues. War ends, MS announces major new patch that should have been installed... Wow MS, just another good reason not to start WWIII...
I dont do meaning of life questions.
I'm so tempted, but I would rather not burn my karma down on another MS (I didn't even use the $ !!) story...
(But, I'm so, so tempted to sing Tra la la, tra la la, oh what a happy day that I don't use MS!)
But I didn't say that, did I??
Oh fuck it! I do it, AC!!
Back when MS was actually in court and actually in danger, I suggested a simple solution to the whole monopoly problem:
1. The government is the biggest single consumer of computers.
2. The government mostly runs on Windows, which is only exacerbating the problem.
3. We recognise that there are many situations where Windows is, in fact, the best choice for a particular computer or task (no, really! Like solitaire! You played solitaire on Linux? It sucks.)
4. The government (meaning the US gov't, though any other can do the same) should do a complete audit of all computers in use and the OS they run.
5. They should also audit exactly what these computers are used FOR.
6. The results of these two audits should be cross-referenced, and every gov't computer that CAN use an alternative OS to do its business should be FORCED to do so.
7. Problem solved.
geez, I really enjoyed the extra dark subliminals.
Yes, and even worse, on a WinNT system, the administrator has fewer rights than the System user. It means that Unix root is more powerful than Admin on NT.
The main problem with NT is that they don't respect the rule for the services or GUI:
* On WinNT, for performance reasons, the GUI is in the kernel. Compared to the X Window system, it is in my opinion a bad choice.
* Worse, IIS 6 is running in kernel mode !!!!
Apache runs as a user with no rights because it is safer, but since MS engineers think it can increase performance, let's put IIS in the Kernel !!!
It seems Code Red and other worms did not change anything in their security policy.
Microsoft makes safe software, for all of us. Persons of common sense know that to want something else is to be an odd-minded hacker. Do you want your neighbors doing their own thing however dangerous? There has got be a way to keep things in line. What about you, Mr. Smith? You know what we offer is for you. Everyone knows that if we are going there today you want to be there tomorrow, with a nice new machine and lots of Gigaram and the fast bus and we're going to include the new features that you really need. You can't just expect these things to come from nowhere. We work hard and we can help you think. We think of it and your machine does it, what you want, what we want. You are too busy to know every bit that flips and we could show you a few if you want so here they are now eat and enjoy. Fish and snake and spider and fly all live in the same soil and wetness and air scented carefully to meet their needs by our caring staff. Achieve joy by finding your place on our desktop and evolving into our beautiful environment.
It was only after being repeatedly beat over the head with the proverbial lead pipe by the hacker community that good ole Bill Gates sent out a memo stating that Security is becoming Microsoft's #1 priority. Do you really think he would have done that if we didn't have Full Disclosure in place? We should not rely on 'security by obscurity' by keeping the exploits secret, or keeping the information reserved for the security elite.
M$ must start writing secure code. They haven't in the past because there's no money in it. I have said it many times; Requiring patches to achieve security is fundamentally flawed. Coders need to write secure code. The onus is on them to keep the net secure. Don't blame the hackers/crackers for airing their dirty laundry / wiping their collective arses with the M$ flag. If M$ loses market share because they consistently release insecure code that is repeatedly being compromised then that is their fault.
If it weren't for FD, we'd have more 0day exploits because companies would not feel the pressure to release timely updates. It chews up development cycles to go back and put an emergency fix in place for insecure code, test it, and release it. Do you think companies would do this voluntarily? I think not. Too expensive. They'll include it with their next major update and charge for the upgrade or some crap like that. Meanwhile, the news of the exploit gets into the wrong hands where some 1337 h4x0r develops code and releases it to a world of completely unpatched machines...
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
Maybe they are -now- getting into security,
but I don't think they have been doing so,
ie in the -past-
Like your grammar teacher once told you:
Tense is very important...
Popes shit in the wood and the Bear turns out to be catholic!
"Our products just aren't engineered for security."
- Brian Valentine, Senior Vice President of Microsoft's Windows Department
What's this all about, eh? Make your mind up, etc, etc.
http://www.totallyfuckingobvious.com
pr0n - keeping monitor glass spotless since 1981.
some of your points are valid, some less so and some plain wrong
.. Even this did not always work. Installed Warcraft3 (as admin of course, not possible otherwise), logged out, logged in as user, and it wouldn't run - you have to play it as the user who installed it. This is only a sample of the troubles I ran into. Your solution is only possible in a corporate environment where the users do not install anything and only use the computers for limited things.
#1: Mac and Linux less of a target. yes, but would they be as vulnerable as windows? probably not.
#2: general skill. yes. and the 'standard OS' will always have this problem. --One exception - Mac users are not much if any more skilled than windows users. ( less true now than earlier I think)
#3: open ports. mostly true, except windows tends to depend on various 'services' that need those ports open.
#4: do not run things as admin. wrong. or more precisely, not practical. I tried this with win2k. home user. every time I wanted to do something I had to log out, log in as Admin, change it, log out
#5: protected OS files. yes. - except for the points from #4
#6: Outlook is not windows. true - it is more like windows is outlook! Even if you do not run outlook itself, and do everything that M$ approves of to disable/uninstall outlook, there are still pieces of outlook installed, and they are used by other programs, including things installed with the OS. This is even more true with IE, IIS, and MediaPlayer. Running Mozilla Mail does not even come close to solving the problem.
This is coming from someone who really does not know that much; I am not a developer, etc., just a slashdot lurker.
Am I the only one who feels that the corporations who choose to use Microsoft's "solutions" for their technology needs deserve what they get?
Ahem... that is... hoping that said corporation doesn't just so happen to have some sort of public service function in some sort of critical applications such as energy management or some sort of life-supporting systems. (I know Microsoft doesn't endorse that...)
Oh, really? When was that Welchia worm most active? I've never experienced any such slowdowns on the internet, no matter what worm has been ravaging the net...
Perhaps it's just the awesome Swedish communications infrastructure. =)
This is a conversation I've had with people in businesses and the UK government, using genetic diversity and the dangers of inbreeding as examples. Reason? Simple - it's bloody obvious to anyone with half a brain, particularly when genetics gives such a strong and proven example.
As long as people make decisions based on bulk purchase price and only needing lower waged mono-system trained IT staff it will be a problem.
It was good to see that the UK government put their stationery ordering system on Linux. At least when the Gov web services, NHS, Inland Revenue etc. computers go tits up through some evil virus they'll still be able to order paperclips.
-- If accountants were capable of making engineering decisions they'd be engineers --
Hmmmmmm..... Deep fried and look like Squirrel.
You have to think about it from their M$ perspective. The OS is their weapon to dominate the computer industry. When you're building weapons, you don't want them to be small and safe. You want the biggest, hairiest, and most devastating gun your enemies have ever been on the wrong end of.
Of course the problem is that you can also blow your own leg off--or the customers' legs these days.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
The letter points out a more severe, general problem:
And he also forgot "... of Microsoft ...".
So to clarify everything, I'm quite sure prockcore wanted to write:
He was talking about Financial security of Microsoft, you insensitive clod!
:)
hany
I wonder if GWB is a Bilderberger. I'm sure his daddy is a member.
welcome our new MS/SCO overlords
In an age where the world is becoming ever increasingly dependent on computers, we must take a step back and formulate a strategy to make sure history does not repeat itself in the most disastrous way.
It was not too long ago that Ireland suffered its infamous "potato famine" that devastated its population, which was, in its day, dependent on the crop.
One of the key reasons why the famine was so intense was the fact that the Irish were repeatedly planting the same type of potato throughout the country. By doing this, and not realizing that nature provided diversification in the form of hundreds of varieties of potatoes to make sure that one set of circumstances could never decimate the potato population, the Irish learned a very valuable, if not painful, lesson indeed.
In the land of computers, this form of "biodiversity" only makes sense. If 90% of all nodes on the network are of one kind of "potato" (namely Microsoft) then it's very easy for one plague (or virus) to have incredibly devastating results.
We have already seen the damage caused by recent Windows viruses. Each of these has been a relatively small and harmless annoyance compared to what a committed and intelligent person could create should such a someone be so inclined and motivated.
However, if the world's computers were not so heavily tilted towards a single OS, such attacks wouldn't stand nearly as much of a chance of succeeding in harming a large section of the world's network population.
In conclusion, not only do operating systems such as Mac and Linux (as well as Solaris, Unix, etc) represent an excellent freedom of choice for consumers, they represent an enlightened strategy to prevent a cataclysmic disaster to the networks that we've become so dependent on.
Sugapablo
one day we will have different 'admin' levels with proper ACL and apps with access to only what they need.
start shooting now- i am a relative newbie.
The open-source "only game" er, "scenario", is actually composed of "billions and billions" (thank you Carl) of distros, hacks, and whatnot. Most of which are much safer than any microsquish.
The fact is that refuse-brained management (and up), ladle-fed economic drivel - echoed by sycophantic "consultants" - ever since they could say "BMW", will, through (adjective) cost-cutting, ensure that they always choose the worst best-hyped systems and cheapest coders and "grunt" admins.
microgoo will probably survive among them (their "natural" environment - they really love each other) by becoming a "business distro solution provider". Or some similar insanity. Better not go into details.
There is no such thing as an open-source "only game". They can't stop being silly, can they ?
The only solution to the patching problem is an automatic patch system trusted by the vast majority of users.
But with the diversity in hardware out there, it is more or less certain that any patch will nix a certain proportion of machines (however small), so unconditional trust of such a system is not possible.
Look at the current situation - even clueful admins of Microsoft systems typically wait and watch NTBUGTRAQ whenever a new patch is released, only patching after they are satisfied that they can trust the patch not to hose their systems.
This would be the case no matter what system has dominance, and with non-technical consumers connected to the Net, it doesn't matter what system they run - they just aren't up to patching every hole that appears.
Now OpenBSD / Linux with a default 'safe as possible' configuration will ameliorate the problems, but it won't make them go away.
Never.
oh brave new world, that has such people in it!
It just thinks about it for a few minutes and then prints out page 2 and only page 2.
It seems to me that the security of a computer is proportional to the computer literacy of the person using it. Linux is an OS that only a computer expert would use and so it becomes more secure since it has mostly experts using it.
Don't even bother reading it. You learn nothing and it's filled with assumptions rather than hard coded facts. Their assumption that MS products (specifically Windows) are filled to the brim with vulnerabilities to the tune of ~10x to ~35x the other operating systems is insane. That would mean that *nix(es) would have no more than 1 full vulnerability per year--clearly not true. A vulnerability only exists once it's discovered. And once discovered, if a patch exists then it becomes the user's fault for not applying the patch, not the OS vendor's. To apply a reverse logic makes every OS vendor equally guilty of this "crime."
The only way to correctly interpret this document is to accept that reliance on any OS is a mistake with regard to security. Be it MS, Linux, or otherwise.
If you read the entire article (fat chance), you'll see they do blame it partly on NT's lack of error handling.
Daniel Geer, Sc.D-- What is Sc.D? Is that supposed to be doctor of science? Nice to make up new honorifics...
passively relying on any technology vendor is a danger to national security.
-relying- on OSS would similarly be a danger to security.
you will always have to have people who keep up with digital security just as you have people who continually keep up with meatspace security. You don't just 'trust' a vendor that their electric razor-wire fence is impregnable - you patrol and monitor as well.
Blindly relying on anything is dangerous.
Yes government machines should definitely not be uniformly Windows. Neither should they be uniformly connected to the internet.
But they should also be running the best anti-virus, firewalls, and 3rd party security/authentication packages out there.
Most importantly they need a proper quantity of skilled security analysts and administrators no matter what environment they're running.
// "Can't clowns and pirates just -try- to get along?"
Do you have any verifiable source besides some radio mouth? I live in Maine and there is nothing about this anywhere, nor on any of the numerous websites I've checked. Put up or quit trolling!
Connect all the computers together says Guvenator Arnold.
payper liesenese stock markup FraUDs, &/or the Godless murdering/thieving georgewellian fuddite southern baptist freemason execrable, etc..., would not be good thinking, & would be a risky bet for all of US, except for a handful of felonious billyonerrors, even if the pateNTdead BugWear(tm) did work as advertised, & was not whoreabully infactdead.
lookout bulllow.
consult with/trust in yOUR creator. vote with yOUR wallet. that's the spirit. the planet/population will become self-cleaning.
Requoting: "Unix [which underlies Mac OS X] and Linux ARE more secure," wrote one reader. "They have been developed, open-source
style, by people who know exactly what they are doing. Unix and Linux have had at least 10 years of battling hackers to better themselves. This leads to an extremely secure environment."
Too bad this person obviously doesn't know what he's talking about.
1) Unix wasn't developed as open source from the start.
2) it hasn't had 10 years of battling hackers, but thirty, the first 15 of which were such a disaster on the security plane that MS's efforts after 10 years of Win32 look like a darn good job in comparison.
OTOH, MS should have been able to do better than they did, but they were too stubborn in their belief they could do it all by themselves. They only had to look at the first half of unix's life to see how not to approach security, but instead they made the same errors all over again (like storing password hashes somewhere where a hacker can get at them, long after unix had been bitten and stopped doing that).
I wonder if leaders in the DHS, Army, and Navy are concerned about their billion-dollar POs to Microsoft resellers. I wonder if military strategists who understand what vulnerability to attack really is have provided any input into the purchasing decisions of these organizations.
It almost seems these purchasing decisions must have been purely "orders from the clouds," where the rank-n-file workers disagree but have dealing with it or quitting as their only options.
Healthcare article at Kuro5hin
it's silly to make microsoft port, and only allows for their app monopoly to continue, even if that does take care of the OS one. if the browser *is* ie, then it's easier for microsoft to make the server have to be IIS. they could easily make a "mistake" in the spec and drag their feet about fixing it. instead there are two things to do.
the first would be to support a well documented format that they did not write (since we obviously can't trust them), and is open for anyone to use and/or develop with. (not "reasonable licencing" since that leaves out free (as in open source) software). openoffice.org comes to mind, or OASIS, which will probably be the same thing.
the other is forcing microsoft to open their protocols for free as the paper mentioned. what's important is that the protocols and formats really are free (again, instead of "reasonably licenced"). if they have to hide behind the "security" defence, then that software could simply be declared unfit for use. open source software has already proved itself viable.
this way, we don't have the same software on different platforms, we have both different software and different platforms, reducing the monoculture and allowing for more competition. having multiple platforms and apps has the side effect of making the whole more adaptable to changing conditions.
For those who describe their systems as 'boxen', do you order multiple 'boxen' of corn flakes also?
No, but I was the happy recepient of some mighty fine blowjobben last weekend.
The "recent string of ssh vulnerabilities", while troubling, were only remotely exploitable when privilege separation is turned OFF - a non-standard setting.
Which goes back to the whole issue of whether Windows is less secure - RPC communications run as a system or root account, NO privilege separation by default.
Everyone will start to cheer when you put on your sailin' shoes.
After all, what industry in the US is required, *required!* to make components that work with their competitors?
Car bumpers have to be at a certain height, so if you smash a Ford head on into a Chevy, the driver of one doesn't get the bumper of the other in the face.
Cars all have to run on the same gasoline, and meet pollution requirements while doing so.
Cars have to meet certain limits as far as size goes, so that one car can't take up three lanes on the freeway. (Although the way some SUV's are going, you have to wonder about this one...)
Cars have to have mounts for licence plates that are standard across all makes.
Cars have to have headlights at a certain height, so that you don't blind oncoming drivers in other makes of cars.
Although there's no regulation for it (I think), cars have to use similar tires/light bulbs/etc, or nobody would buy the car with the 15.38 inch tires, because BF Goodrich and GoodYear wouldn't make replacements for them. You'd have to get tires directly from your manufacturer, probably at several times the cost of anybody else's tires.
It's this last point where Microsoft doesn't follow the rules of any other industry. Because they've got an abusive monopoly, attained through unethical and illegal means, they can make the tires for their cars whatever the fsck size they want, and BF Goodrich and GoodYear have to start making tires that size, or they'll never sell any tires themselves, because everybody has to buy Microsoft tires. Then there's the problem that the measurement of the tires is copyrighted and patented by Microsoft, so even if BFG and GY do start making tires to fit Microsoft cars, they have to pay a royalty to MS to make them that exact size.
"City hall" in German is "Rathaus" Kinda explains a few things......
Ah HA! This paper was, in fact, NOT written by the esteemed group of security experts that are listed - the true author is the famed author Umberto Eco as is evidenced by the document information in the PDF file.
Few people know that the author of The Name of the Rose and Foucault's Pendulum is also a secret info-sec expert.
Also amazing is that, for all of the insecurities brought on by Microsoft's products, the authors still used it to write this paper (or at least to create the PDF). Based on that, I would assume that this paper has been hacked, and not believe anything it says.
Fight Back!
</humor>
Power corrupts. PowerPoint corrupts absolutely. E. Tufte
How'd ya like them apples... Who says being critical of Microsoft can't put an end to your career?
Quoth he
"It's all academic anyway..."
The result is that simple hybridity does very little for security. There are already examples of viruses that have been designed to exploit multiple vulnerabilities on different platforms - the Morris worm itself was intended to exploit multiple vulnerabilities on the same platform.
The latter sentence contradicts the first, so the point is lost, and instead supports what the @stake authors are saying, that, like 'mono' agriculture, when there is an environment in which one company has a monopoly, it makes it very easy for a virus to cause a lot of damage.
If you think that Unix is such a great security architecture, take a look at the C language. Certainly OSs could be written in other languages, but C is the language of choice for many reasons. Perhaps Java? VB? Ever wonder what NT is written in? Yep - a few versions of DOS were in assembler, then they went to C.
I don't see much evidence of defensive programming or security engineering methodology when looking at UNIX code.
Perhaps to the untrained eye, but not to any CS student taking an operating system class since it would probably cover the details of the Unix security system. The Unix security system is actually quite sophisticated, and probably has its roots in Multics (since the authors also worked on Multics), which goes even farther back.
The flaw in the biological analogy that he uses is that biological viruses evolve through Darwinian processes, survival of the fittest. Computer viruses evolve through a Lamarckian process: their creators do analyse the environmental challenges they face and adapt in direct and planned responses to those changes.
Exactly. And that's why Unix security keeps getting better and better.
Windows CE (otherwise known as Wince!)
The Confederate States were strong advocates of states' rights, the principle that all rights not explicitly granted to the federal government by the Constitution were bestowed to the individual governing states. Congressional action and rhetoric violated their principles, so they felt that they didn't need to be part of the United States.
It's actually a fascinating study to see how the Civil War history classes vary from region to region and over time. I went to high school in Vicksburg, Mississippi and studied US history under a national Teacher of the Year award winner (you may have seen Mr. Wong on a stay-in-school commercial). Given our location, we spent a long time talking about the Civil War. He took his job very seriously and didn't cut corners, telling a fairly unadulterated view of our (the United States of America's, not the South's) history.
I don't want to brow-beat your comment, but that's just one of those statements that I feel necessitates clarification. Call it a pet peeve from a Southerner living in Indiana.
Go ahead and mod me off-topic. :)
There are two types of people: those prepared for the zombie apocalypse and those who will be eaten.
I am no expert at administration, but my experience on a W2K box that my kids use for games is that trying to run the games as user causes much grief.
Isn't that more of the Game's fault than it is windows' fault?
Windows only reveals their security holes when they've produced a patch, not when it's found. Linux on the other hand, is open-source, and crackers can just look and find holes. With Windows, they just try to figure it out. I feel that that might be the reason.
Isn't that more of the Game's fault than it is windows' fault?
Agreed, but it still means that my kids wind up running as administrator.
Hmmm, all nice points, but:
Ford's bumpers, while at the same height for safety reasons don't interoperate with Chevy... e.g., you can't simply take the bumper off the Ford and put it on the Chevy without modifying it.
All computers run on the same electricity, the fuel type makes no nevermind.
Limits as far as size goes are *somewhat* analogous to being limited by the available resources on the computers you're working with. As those resources grow, the size of the software (cars) running on it increases; only legislation keeps cars and trucks from getting bigger, as well as practicality.
License plates are not generated by Ford to be put on Chevies and Toyotas. The Government makes them, and that would be closer to a processor serial number than a product feature.
Headlights at a certain height... and yet they still vary widely. Seen a jeep lately? In any case, AGAIN, Ford ain't makin headlights for Chevy, we count ourselves lucky when one kind of headlight fits in multiple different vendor types.
Similar tires? Like you said, they don't HAVE to, and the manufacturers are STILL not makin tires for other manufacturer's cars.
And to address your last point: While I agree Microsoft may be abusive (based on all the hearsay I have), unless you are talking about a regulated industry (software is not) there is no such thing as an illegal monopoly in the U.S. People don't understand that antitrust refers to existing monopolies using their power to unfairly create ANOTHER monopoly. Which I would also agree that they have done. But there are no "rules of the industry" they are violating. They may be violating civil or criminal law though. As to the BF Goodrich and GY HAVING to make tires of a certain size to work with a particular car; well this is a different ball of wax, they are COMPONENT companies, not car manufacturers themselves. Kind of a silly example, really.
What you did not give was an answer to the question you quoted.
your colloquial cliche crap is - crap.
more saynothingness from the master of saying nothing and knowing nothing, "crappersys"
that's a good nick for you, "crappersys."