Slashdot Mirror


Reliance On MS A Danger To National Security

An anonymous reader writes "A panel of leading security experts Wednesday blasted Microsoft for vulnerabilities in its software, and warned that reliance on the Redmond, Wash.-based developer's software is a danger to both enterprises and national security." (Even OpenBSD might be bad if it was the only game in town.) M : The report (pdf) makes good reading.

4 of 465 comments

  1. Re:It's About Time by protogoogoo69 · · Score: 5, Informative

    this so-called expert report is just Gates-bashing

    Umm, if you actually read the article, you'd see that there were seven authors of this "gates-bashing" report, two of whom stand out: Dan Geer and Bruce Schneier. Dan Geer is the chief technology officer of @Stake, a security consulting firm. (Ever heard of L0phtCrack?) And Bruce Schneier is famous for his work in cryptography research (ever heard of Twofish? Blowfish, maybe?), but works for the Counterpane security consulting firm.

    These guys probably detest MS, but I'm sure they're not willing to sacrifice their credibility just to produce a stupid report just to bash gates.

    --
    ...small furry creatures from Alpha Centauri...
  2. Re:Here we go again! by schnarff · · Score: 3, Informative
    And I'm sick of slashdot glorifying OpenBSD!

    First of all, welcome to Slashdot, where prejudices are as regular as the sunrise (or more so). If you want a prejudice-free environment, go elsewhere.

    As to the security of OpenBSD (and I suppose everyone should take my comment with a grain of salt, since I run it on my servers), show me another OS with privilege separation, practically no suid programs, a chroot()'ed Apache, integrated ProPolice support, etc., ad nauseam. For heaven's sake, with 3.4 they're switching i386 from a.out to ELF -- forcing all of us i386 users to install from scratch -- simply because it's harder to crack. Show me any other OS that will go to such extremes for security, and maybe I'll quit glorifying OpenBSD.
  3. Re:bogus report by RealAlaskan · · Score: 3, Informative
    Ed Black ain't no security expert. He's a lobbyist.

    Imagine for a moment that you were right[1] about the author's credentials. That would make him the IDEAL spokesman for a very valid idea: that a software monoculture (even if it were a good one, rather than a MS monoculture) is BAD.

    Think about this: who listens to lobbyists? Why, Senators and Congresscritters do! The very people we're going to have to convince on this issue, to have a prayer of overcoming the bureaucrat's resistance to change. If the authors include some lobbyists, that would be a great thing.

    Imagine that! IBM, Oracle and Sun bashing Microsoft.

    The idea that software monocultures are bad, and MS's products are insecure, is correct. It's true even if SCO or Satan says it. You should avoid ad hominem attacks; they make the attacker look silly.

    [1] The authors, by the way, were (from the pdf):

    Daniel Geer, Sc.D - Chief Technical Officer, @Stake
    Charles P. Pfleeger, Ph.D - Master Security Architect, Exodus Communications, Inc.
    Bruce Schneier - Founder, Chief Technical Officer, Counterpane Internet Security
    John S. Quarterman - Founder, InternetPerils, Matrix NetSystems, Inc.
    Perry Metzger - Independent Consultant
    Rebecca Bace - CEO, Infidel
    Peter Gutmann - Researcher, Department of Computer Science, University of Auckland

    Some of these people know what they're talking about. Some are respectable in political circles. That's all good.
  4. Re:Computer Security 101 by Karn · · Score: 3, Informative

    Worms like the Ramen and Lion worm are a good example of what happens when a company doesn't take security into consideration.

    That said, it's nice that companies like Redhat have learned from their past mistakes, and now disable network services by default, and really push a personal firewall onto you.

    There is no need to listen on network ports by default. If someone needs to share something, make them take the conscious effort of turning it on themselves.

    Anyway, Microsoft is most certainly guilty of not paying enough attention to security issues, and they deserve to be blasted for it, just as Redhat deserved to be blasted for enabling ftp servers and such by default in the pre-Redhat 7.1(2?) days.

    --
    Why do I keep typing pythong?
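The point Karn makes about not listening on network ports by default is one an administrator can check rather than take on faith. The script below is an added example, not code from the thread or from any of the projects mentioned: it reads listener lines in the `netstat -tln` column layout and reports every TCP service bound to a non-loopback address, i.e. every service a fresh install exposes to the network. The input here is a constructed sample so it runs offline; in practice you would pipe in the output of `netstat -tln` (or `ss -ltn`) from the host being audited.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): audit which TCP services a
# host exposes on non-loopback addresses. The sample below is CONSTRUCTED
# in the `netstat -tln` column layout so the script runs without a network;
# replace it with real `netstat -tln` output to audit an actual machine.

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::111                  :::*                    LISTEN
tcp6       0      0 ::1:6010                :::*                    LISTEN'

# Print "port host" for every listener reachable from another machine,
# i.e. bound to anything other than the IPv4 or IPv6 loopback address.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4
            # The port is everything after the last ":"; the host is the rest.
            # This also handles IPv6 forms such as ":::111" and "::1:6010".
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host != "127.0.0.1" && host != "::1")
                print port, host
        }'
}

# Number of exposed listeners. A default install ideally reports 0, or only
# the remote-administration service the operator deliberately enabled.
count_exposed() {
    exposed_listeners "$1" | wc -l | tr -d ' '
}

# Report on the constructed sample: ports 21, 22 and 111 are exposed,
# while 25, 631 and 6010 are loopback-only and therefore not listed.
exposed_listeners "$SAMPLE_NETSTAT"
echo "exposed listeners: $(count_exposed "$SAMPLE_NETSTAT")"
```

Anything the script lists that the host's owner cannot name a reason for is a service that was turned on for them rather than by them, which is exactly the default Karn objects to.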