Slashdot Mirror
Reliance On MS A Danger To National Security
An anonymous reader writes "A panel of leading security experts Wednesday blasted Microsoft for vulnerabilities in its software, and warned that reliance on the Redmond, Wash.-based developer's software is a danger to both enterprises and national security." (Even OpenBSD might be bad if it was the only game in town.) M : The report (pdf) makes good reading.
the most important line in the article:
"And simply patching the vulnerability--as Microsoft has increasingly had to do on the fly as vulnerabilities are disclosed--only exacerbates the problem."
Finally someone realizes its not enough to just fix the problem, problems should be avoided in the first place! (I know, I know, easier said than done, {insert OS here} isn't perfect either).
Children in the backseats don't cause accidents. Accidents in the back seats cause children.
This article help explains very well why diversity in computers is a good thing.
(It's harder for virus makers to affect more computers at once if less computers use the same OS)
I find the argument against Microsoft as a problem for national security ringing a little hollow. First, The US government is a complete hodge-podge of computer systems, databases, technologies from various epochs; all of which is unfunded. In fact, the latest US CIO is not going to get the funding need to create a central IT.
So the problem, as I see it, is that the US government has some severe, indemic, structual problems relating to IT policy which makes citizen privacy, national security, and proprietary knowledge at risk.
Of course, put Microsoft on top of the quagmire and you've simply opened the door to the vault for every hacker in the known universe.
I have a hard time blaming the problems of US IT policy on an OS; it's hard to fathom.
"This isn't a study in computer science, its a study in human behavior"
(trying desperately to remember the quote from Ghost In The Shell)
It's not Microsoft, specifically. The problem is monoculture. No matter what the dominant OS - Windows, Linux, Mac OS, BeOS - the number one guy gets picked on the most, and exploited the most. That creates weakness all the "trustworthy computing" in the world can't fix.
What I fear is some kind of mathematical "reduction" of the problem. "OK," they'll say, "we'll mandate that 30% of stuff move to Linux". OK, great idea: which 30%? "Hmm, you're right. We'll say 10% of web servers, 10% of desktops, and 10% of back-end (DB, etc) stuff." Getting warmer: which 10% of the web servers? Which 10% of the DB servers? Can you get rid of some of your MSSQL on W2k and replace it with Sybase on Linux (easily, with not serious cost and porting problems)? Etcetera, etcetera. I call that "going nowhere fast".
I guess what I'm trying to say here is, I don't really see how to undo the monoculture, when it is backed by 1)such amazing industry power and 2)such entrenched mindset. Figure out how to get people to seriously believe they can run Linux, or Mac, or whatever, and you've gone a long way to solving the problem; but isn't that what people like Microsoft are working just as hard to undo?
ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
I agree with the report authors that the monoculture of Microsoft is dangerous. Any one of us can see that, particularly after this exceedingly expensive summer, the MS monoculture we're enduring is costing us billions.
However, I cannot agree with the recommendations that require MS to do this, that, and the other thing. Recommendations such as releasing Office for other platforms at the same time as for Linux and MacOS for example. The only recommendations I could see supporting would be those that explicitly break up the company into OS and application divisions - in order to shatter their monopoly.
The recommendation that they must release their apps onto different platforms is, IMO, dangerous. It means that they will then unleash their "user friendly" nonsense on OSes such as Linux, and we'll end up with the absurdity of the Windows platform paradigm trying to seed its ugly crop of security problems in a new field instead.
For National Security purposes Governments should insist on only using applications that they can also purchase the source code to. They should insist on using applications that are proven to be secure, not just popular. And they should insist that software companies be held liable for flaws that cost them security.
Pierre
I agree with the article's conclusions, but I am not sure I agree with their proposed remedies. I think the most appropriate thing to do (for a government) is to require the use of open protocols.
For example, if the various departments and branches of the U.S. government would stop exclusively using MS Word as their ubiquitous document exchange format, that would make a big difference. Right now, if you want to do business with the U.S. government, you pretty much have to purchase and use MS Word. Then your office needs to purchase and use MS Word. Well, as long as your Washington office is using MS Word, I guess that field office that decided to save some money by using Word Perfect ought to "upgrade" to MS Word as well. Seems the import filters for Word Perfect don't quite get the latest version of MS Word just right.
OK, you can use Open Office or Word Perfect to create your documents, but will the pagination, headers, footers, and other tid bits come out right? No. These software products cannot make a "perfect" MS Word file because they don't know how. Microsoft has not published the specs for such a file. When the import filters get close, the MS Word format (the default format that the latest version saves to) changes ever so slightly.
How about the U.S. standardize on an open document format (egads-- not SGML but maybe even Microsoft's own RTF... anything!). Then, make sure their e-mail systems, VPN protocols, encryption formats, etc. remain based on open standards. Where Microsoft (and to be fair, others) "embrace and extend"... don't allow such non-standard extensions for dealings with the government.
Any false property right is a danger to societies security. Just look at how slavery led to the civil war. Today many are betting trillions of dollars on a false premise, that works of knowledge can or should be owned without any understanding of what that implies. Because information is becomming so easy to copy, change, and manipulate - the "middle" gound is quickly evaporating, either all information will half to be controlled or none of it.
Even with perfect administration the danger of monoculture exists.
A single MS RPC exploit would make all machines vulnerable until patched.
A single WMA buffer overflow makes all machines vulnerable until patched.
No matter how perfect, the problem isn't the administrators, but the monoculture. If one in 3 machines was Mac, and one in 4 were Linux, you'd have enough diversity that a virus would slow down drastically enough to be contained.
GPL Deconstructed
http://www.iht.com/articles/111195.html
WASHINGTON A virus seriously disrupted computer systems at the State Department this week, including the database for checking every visa applicant for terrorist or criminal history. The failure left the government unable to issue visas worldwide for nine hours.
The virus, which struck Tuesday, crippled the department's Consular Lookout and Support System, which contains more than 15 million records from the FBI, the State Department and immigration, drug enforcement and intelligence agencies. Among the names are those of at least 78,000 terror suspects.
A State Department spokesman said the virus, known as Welchia, did not affect any data on the name-checking system, and the agency's classified computer network - used to send its most sensitive messages and files - was not affected.
$cat
China doesn't seem to be falling for this. They're probably the closest thing to an enemy I can think of that can actually afford enough computers to make it worth hacking into them.
How many computers was Iraq's government relying on? (that's a serious question, I really don't know)
if(!cool) exit(-1);
Some people persist in saying that Windows isn't less secure, it's just a bigger target! Just today someone forwarded this to me from a David Pogue column in the New York Times. Sorry I don't have a link.
g gedin /bal-mac082803,0,1353478.column
***
I also wrote that Mac OS X and Linux are virus-free because
they offer virus writers a much smaller "audience" than
Windows -- a notion that's been much repeated in the press,
most recently last week's BusinessWeek cover story.
That, as it turns out, is a myth, no matter who repeats it.
There's a much bigger reason virus writers don't like Mac OS
X and Linux.
"Unix [which underlies Mac OS X] and Linux ARE more secure,"
wrote one reader. "They have been developed, open-source
style, by people who know exactly what they are doing. Unix
and Linux have had at least 10 years of battling hackers to
better themselves. This leads to an extremely secure
environment."
Many of you also pointed out simple design decisions that
make Mac OS X and Linux much more secure than Windows XP.
For example:
* Windows comes with five of its ports open; Mac OS X comes
with all of them shut and locked. (Ports are back-door
channels to the Internet: one for instant-messaging, one for
Windows XP's remote-control feature and so on.) These ports
are precisely what permitted viruses like Blaster to
infiltrate millions of PC's. Microsoft says that it won't
have an opportunity to close these ports until the next
version of Windows, which is a couple of years away.
* When a program tries to install itself in Mac OS X or
Linux, a dialog box interrupts your work and asks you
permission for that installation -- in fact, requires your
account password. Windows XP goes ahead and installs it,
potentially without your awareness.
* Administrator accounts in Windows (and therefore viruses
that exploit it) have access to all areas of the operating
system. In Mac OS X, even an administrator can't touch the
files that drive the operating system itself. A Mac OS X
virus (if there were such a thing) could theoretically wipe
out all of your files, but wouldn't be able to access anyone
else's stuff -- and couldn't touch the operating system
itself.
* No Macintosh e-mail program automatically runs scripts
that come attached to incoming messages, as Microsoft
Outlook does.
Evidently, I'm not the only columnist to have fallen for
this old myth; see
http://www.sunspot.net/technology/custom/plu
for another writer's more technical apology. But the
conclusion is clear: Linux and Mac OS X aren't just more
secure because fewer people use them. They're also much
harder to crack right out of the box
***
You like your Macintosh better than me, don't you Dave? Dave? Can you hear me Dave?
...it would cost less for the government to rent all that juicy unused fibre all-across america and build a large private intranet.You want security?Well disconnecting from the internet would be a good start.
JaredSyn.
With Bush in office, what's the difference?
It's not wasting time, I'm educating myself.
Just don't let Microsoft Computers connect to the internet directly With properly placed firewalls there shouldn't be a problem
You have a good point here, because the point was ringing in my ears as I read the report.
On the one hand, it is true that the combination of Windows' lack of interoperability, closed-source nature, tight integration, and near-monopoly status make it uniquely qualified to spread damaging viruses quickly, better than other operating systems. If you don't take great consideration to how you set up your IT infrastructure, you're going to get burned.
As you say, the problem is ultimately one of policy, not technology. If you know what you're dealing with, if you know what you're doing, you can establish and enforce policies in your IT infrastructure that prevent the spread of viruses. Every time a virus strikes, we hear about it from the ones that don't. We aren't hearing about the places that haven't had problems. They are out there!
Is Windows adoption by itself a danger to national security? Hardly. Bad IT policy is, regardless of OS. So when a group like this overstates their case, it really damages the valid point that Windows IS more difficult than other OSes, that certain things about Windows DO make it dangerous to adopt by a government.
I'd rather hear them talking in more moderate and modest terms. Making overblown claims that aren't easily and obviously supported by the evidence is going to make people think that the pro-OSS/anti-Windows folks are a bunch of frickin' loonies when the slightest bit of investigation can find flaws in the claims.
I would usually be the first to jump on the bandwagon here, especially since the US Govt/Bureaucracy is notoriously stupid/slow/inefficient. However, I do know a few things.
1. Information which has military and security significance is not kept on Microsoft based computers. And before you go off and say that this VISA system contains top secret information, or whatever....first, this system isnt internet connected. Second, this worm was probably introduced via poor security practices. Third... BIG F*CKIN DEAL...so your cousin cant get his visa issued for a few days. Like I said, this is not a critical system, and they just send everyone back home, and new visas are able to be issued in a few days. If nothing else, we should be happy this happened, as it reiterates the security problems in Microsoft's OS. The high level thinkers here aren't idiots, far from it. Remember, the government employees you interact with on a daily basis aren't necessarily representative of the intellect on high.
2. There is a good general practice of not connecting these networks together. Not only that, but anyone slightly familiar with places like the NSA and CIA will tell you that there are separate networks for classified, secret, and top secret. Even when these computers all sit on the same desk, they are not allowed to move information between them, since there is theoretical possibility of data leakage.
3. Anything deemed secret or higher is run on things like virtual vault, trusted HPUX or Solaris. NSA has some stuff with Linux, but this isnt widespread yet.
Remember, the big thinkers in the Govt, arent in the fucking post office, VA, IRS, etc...
Geez people, do you think we got this far by being a nation of morons. Why do most wealthy foreign nationals send their kids here to the US to be educated?
SSH is amazing. Sure, I have to block it at the router at the moment, pending updates, but are you really considering it a net disadvantage? I'd say the presence of OpenSSH in the *nix world (and it's fine port Putty for win32) is a huge plus.
The equivalent in win32 is to throw a bunch of poorly implemented and largely documented controls at the world and let the kiddies run wild. A big piece of the evolution of windows is the increase in ways for strangers to do stuff to your machine. Dcom? What the hell is that? Why is it running? Why does it take a registry hack to eliminate it?
I think you're accurate on most of your points, but which incarnation of windows are you talking about? 95/98 both have multi-user capabilites kludged on, meaning everyone is admin. I'm not sure about 2000, but on XP, when new users are created, they default to admin status. Microsoft's got some responsibility there. Maybe not all, but that is still a problem.
"The government of the United States is not, in any sense, founded on the Christian religion."