Slashdot Mirror


Reliance On MS A Danger To National Security

An anonymous reader writes "A panel of leading security experts Wednesday blasted Microsoft for vulnerabilities in its software, and warned that reliance on the Redmond, Wash.-based developer's software is a danger to both enterprises and national security." (Even OpenBSD might be bad if it was the only game in town.) M : The report (pdf) makes good reading.

24 of 465 comments

  1. It's About Time by Urantian · · Score: 5, Interesting

    I hope the government, in the interest of national security, can clean up MS. All the anti-trust cases don't help the problem, rather they just help companies with posturing.

    Now, putting this kind of pressure on MS may really make them work harder. Imagine the government turning its back on MS, in the interest of national security. Wake up, Microsoft, before it's too late.

    --
    Urantian -- and proud of it!
    1. Re:It's About Time by Rick+the+Red · · Score: 3, Interesting
      What pressure? This isn't a government report, it's an industry report, done by a bunch of Microsoft's competitors. MS will dismiss it as sour grapes, and the government will look at the cost of switching to Macs (the only non-Windows platform available, since Dell doesn't sell anything but Windows XP) and conclude that Bill's right, this so-called expert report is just Gates-bashing at its worst.

      Remember, this is the Bush administration we're talking about. Besides, the CIA and the Army are probably telling Bush that if we promote Windows (i.e., continue to use it for all government desktops) then our enemies are more likely to adopt it as well, leaving them open to attack by us.

      --
      If all this should have a reason, we would be the last to know.
    2. Re:It's About Time by hbo · · Score: 4, Interesting

      These are the two that stood out for me, too. I have vast respect for both gentlemen. And it's based on years of watching their work product.

      The political angles aside, what they are saying is just common sense. They are talking about the vast majority of computing power being at the periphery of the network. That means at home, on your desk, in your palmtop and cell phone. The number of vulnerable servers, of whatever stripe, is just swamped by the vast numbers of desktop devices. And 90-97% (depending on whose stats you believe) of those systems run Microsoft OSen. When a worm is turned loose targeting those systems, it spreads like wildfire. They call it "cascade failure." These systems then turn around and attack systems at the core of the network. At that point, it doesn't matter what OS those core systems are running. They are very likely to be toast, regardless.

      They also make the point that Microsoft systems are uniquely vulnerable because of the malodorous pile of layered marketing-driven technology decisions, and the tight integration of Microsoft's applications and OS software. That last point should be obvious, too. If your interfaces are loosely coupled, it's easier to decouple them when malware hits.

      --

      "Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers
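The "spreads like wildfire" argument above is a statement about population share, not about any particular bug, and it is easy to see in a toy model. The simulation below is an added example, not part of the comment or the report: it assumes a fixed population of hosts, assigns each one the targeted OS with a given probability, lets every infected host scan a few random hosts per tick (the random-scanning behaviour of worms like Slammer), and records what fraction of the whole population is infected after each tick. The host count, scan rate, tick count and the "patched" knob are all constructed parameters; the model has no notion of network topology, so it shows the share effect only.

```python
import random


def simulate_worm(n_hosts, target_share, patched_share=0.0,
                  scans_per_tick=3, ticks=20, seed=1):
    """Discrete-time worm spread through a mixed population of hosts.

    Each host runs the targeted OS with probability target_share and is
    otherwise immune. A targeted-OS host is vulnerable unless it was
    patched (probability patched_share). Every infected host scans
    scans_per_tick uniformly random hosts per tick and infects any
    vulnerable, not-yet-infected host it reaches. Returns the fraction of
    ALL hosts infected after each tick (constructed toy model, seeded so
    runs are repeatable).
    """
    rng = random.Random(seed)
    vulnerable = []
    for _ in range(n_hosts):
        runs_target = rng.random() < target_share
        patched = rng.random() < patched_share
        vulnerable.append(runs_target and not patched)

    infected = [False] * n_hosts
    # Patient zero is the first vulnerable host; no vulnerable host, no outbreak.
    try:
        infected[vulnerable.index(True)] = True
    except ValueError:
        return [0.0] * ticks

    history = []
    for _ in range(ticks):
        newly_hit = set()
        for i, is_infected in enumerate(infected):
            if not is_infected:
                continue
            for _ in range(scans_per_tick):
                j = rng.randrange(n_hosts)
                if vulnerable[j] and not infected[j]:
                    newly_hit.add(j)
        for j in newly_hit:
            infected[j] = True
        history.append(sum(infected) / n_hosts)
    return history


def ticks_to_reach(history, fraction):
    """First tick (1-based) at which the infected fraction reaches `fraction`, or None."""
    for t, f in enumerate(history, start=1):
        if f >= fraction:
            return t
    return None


if __name__ == "__main__":
    # Constructed scenarios: a 95% monoculture, the same monoculture with half
    # of it patched, and a population split evenly between two platforms.
    for share, patched in ((0.95, 0.0), (0.95, 0.5), (0.50, 0.0)):
        h = simulate_worm(2000, share, patched)
        print(f"target OS share {share:.2f}, patched {patched:.2f}: "
              f"final infected {h[-1]:.2f}, "
              f"ticks until 25% of all hosts infected: {ticks_to_reach(h, 0.25)}")
```

The ceiling on the outbreak is simply the vulnerable share of the population, and the growth rate per tick scales with that share too, which is why the monoculture run saturates faster and higher than the split run. The patched case makes the comment's other implicit point: patching the dominant platform buys the same protection as diversifying it, as far as this model can tell.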

  2. It's easy to blame the product by Jailbrekr · · Score: 2, Interesting

    I see no mention that it is the administrators who must share responsibility for the compromises and exploits.

    --
    Feed the need: Digitaladdiction.net
  3. NMCI by Anonymous Coward · · Score: 5, Interesting

    And the Navy is going to Microsoft in a wholesale way. The new mega contract NMCI is locking the Navy into a MS solution for _all_ IT. Non-conforming (i.e. non-Microsoft) systems are labeled as legacy systems and all new development will be required to use MS products in order to be on the network. Also, all network storage will be stored in a single facility!

    This is I believe a very dangerous approach for the reasons discussed in the article.

    In addition to the inefficiency of restricting a solution to a small set of tools: how many large organizations standardize on a single environment for all computing and IT needs?

    1. Re:NMCI by Short+Circuit · · Score: 4, Interesting

      The USS Yorktown had to be towed to port due to NT crashing. I can't find the original news articles, though.

    2. Re:NMCI by ScrewMaster · · Score: 4, Interesting

      How many large organizations standardize on a single environment for all computing and IT needs?

      Actually, most of them. Standardizing on a single platform makes the Information Technology crowd's life easier, although there is a price to pay for that convenience. Your point is well-taken that no operating system is optimal for every possible application or use: permitting some variety is a good thing in terms of both safety and productivity. The IT folks themselves are generally unaware of the costs incurred by their monomaniacal focus on a single environment, whatever that may be.

      Problems ensue when you are a corporate user with specific needs that don't fit the mainstream. Then exceptions have to be made, IT drones get irritated and uncooperative ... generally it's a mess. I've been through that wringer several times in the past few years: my company sells some fairly sophisticated industrial data-acquisition systems. While they are PC-based, the problems come in when the local IT departments absolutely INSIST that our machines MUST be on their domain (no reason given ... it simply MUST) and we MUST install Service Pack X and we MUST install THIS version {insert required antivirus/utility/monitoring/security package here} etc., etc., etc. ad nauseam, even if their requirements completely break our equipment. The systems we install are mission-critical to the companies that buy them (downtime simply isn't tolerated.) We may have a few go-arounds involving complete plant shutdowns before the IT people get told to back off from someone upstairs. Once they realize the damage they've done (and the trouble they're in!) things run a bit more smoothly.

      --
      The higher the technology, the sharper that two-edged sword.
  4. Not that bad on MS by JoeCommodore · · Score: 4, Interesting
    The article stated that having SO many computers on one OS was a threat (makes it easier to bring down a whole lot of systems in one fell swoop instead of, say, a cluster of one type of OS.), also the person mentioned that one OS has been having some security issues.

    Not that I like MS, but this situation would pertain to any other OS if 90% of machines were using the same OS. Even if it was an OS you liked or felt was secure it is a big issue.

    --
    "Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
  5. National security 'R us! by Zhe+Mappel · · Score: 4, Interesting
    The choice of Microsoft has a kind of nice symmetry, though, you must admit.

    We rely upon half-baked right wing Dr. Strangeloves to choose the foreign countries that will welcome our invasions...

    We rely upon deregulated billionaires to keep our stock market and investment firms honest...

    We rely upon greedy employers not to send our jobs overseas in order to ratchet up the stock value and buy themselves extra homes and diamonds...

    So why shouldn't we rely on a convicted monopolist with a track record of utter failure behind it to keep our national computer infrastructure secure, too?

  6. Is it really even that bad? by SpamJunkie · · Score: 5, Interesting

    Is relying on one vendor even that bad of an idea? The really bad idea is relying on computers for national security.

    Think of the locks that are used for locking the doors of government buildings. Are they all from one vendor? What happens when it is discovered that locks from that vendor are more vulnerable to being kicked in? I don't imagine a bunch of engineers get together to design better locks in their spare time, however there is the chance that might happen if the most popular lock company was constantly making locks that were more vulnerable than necessary.

    However there is still a key difference between locks and computer security that must be considered: location. A locked building in Washington, DC isn't going to be compromised by someone in China. Anything that is so important that obtaining it can be considered compromising national security should not be stored on a computer accessible to the internet.

    The government should realise this (they probably do) because this isn't the first time this has been an issue. Long distance communications during wars before the internet used various means of encryption to keep national secrets secure. Why can't they do the same for electronic communications? Create the electronic message on a machine that isn't connected to the internet, encrypt it, and burn it to a CD. Either mail the CD or send it using a computer connected to the internet. Then destroy the CD.

    The government likely knows this and almost certainly has national secrets under more heavy protection than a sneakernet. When they complain about insecurity, whether it be from terrorists flying planes or Chinese youths, what they really want is money and laws. They're not actually so clueless as to leave valuables lying around, but it's useful to let citizens think they do.

  7. Only so much one can do... by ducomputergeek · · Score: 5, Interesting

    No system is 100% safe. There are some things one can do, like making sure everything is patched, and another is to use odd systems. I worked for an architecture firm that used several Alpha servers for rendering projects. Several of these boxes had Tru64 Unix. When a couple were retired from rendering duty, we reconfigured those boxes as our router and firewall in the office. Why? Well, Tru64 Unix is an odd platform and not many know much about the system. It's an added measure against script kiddies. Is it foolproof? No, I am sure, but as one admin put it, "If they know the exploits of Tru64 Unix, they're a pro and probably not much we can do to stop those types". One of our boxes was attacked with the OpenSSH bug. If the attack would have been about 6 hours later, it probably would have been patched. Our other 17 boxes were patched without a problem and someone has tried to attack our OpenBSD boxes several times (hell, I try once a month just to see how they react) with no luck. But hey, some bug with an FTP daemon or some PHP code and we're SOL. Bottom line: Keep patches up to date, use odd and unusual systems on the in/outbound traffic if you can, and keep lots of backups...

    --
    "The problem with socialism is eventually you run out of other people's money" - Thatcher.
  8. Re:The problem with monoculture by Alien+Being · · Score: 2, Interesting

    "I don't really see how to undo the monoculture,"

    Force MS to pay for their crimes. If they had played fairly, they could never have grown like they did. We should hit MS with fines equivalent to about 2/3 of their market cap. Most of the money should be used to pay back people who were forced to pay too much for sw and stockholders of companies that were illegally eaten by the beast. The rest of it should be given as grants to develop free sw.

    Alas, this could only happen over dubya's dead body.

  9. Re:Copyrights - a danger to national security by jdunlevy · · Score: 3, Interesting
    Any false property right is a danger to society's security. Just look at how slavery led to the civil war.

    How would you define a false property right? In your view, are there any property rights that are not false? If some property rights are false, and others true (or legitimate) what criteria are we to use to distinguish between the two? Clearly, there is no right to have slaves, so any claim of that as a right is a false claim; but what is it about copyright that is similar to slavery that makes it also a false property right -- especially if there is such thing as a true property right?

  10. Computer Security 101 by bninja_penguin · · Score: 5, Interesting

    Yeah, I read the stories about that also. And, since most web and e-mail servers and most small ISPs are running Linux, it could stand to reason.
    However, even though Linux servers are the most attacked/breached or whatever, when mom and pop ISP #1231 gets '0WNZORD', it doesn't cause the gigantic ripple effect of every server on the 'net falling over, unlike a Windows box. When a Windows box gets '0WNZORD', entire countries get swamped off the 'net. You know, à la the Slammer worm, which knocked South Korea off the 'net, and swamped damn near everyone, no matter what their box was running.

    This is what true computer security personnel take into consideration. Not just how many systems are attacked, but what the effects of those attacks are. You know, if one Linux box gets taken over, does it automatically take over more? Very unlikely. Each box usually needs the individual attention of the cracker, and then, when successful, it is usually only with the permissions of the logged in user, i.e. not root. Compare this with most Windows boxes, which, when one is cracked, it automatically turns and attacks more, and way more Windows boxes run as Administrator, either by default, or because some shit-ass program requires it.

    So, yes, more Linux boxes are attacked, but the overall effect of these attacks is orders of magnitude less than the overall effect of the attacks on Windows boxes.

    --
    For those who describe their systems as 'boxen', do you order multiple 'boxen' of corn flakes also?
    1. Re:Computer Security 101 by coyote-san · · Score: 2, Interesting

      (begin old fart mode)

      I don't know if you're old enough to remember it, but "boxen" comes from "vaxen," plural of DEC VAX minicomputers. The size of your closet, with the computing power of your palm pilot, and we were damn glad to have them.

      I don't remember if it was Digital or somebody else who started "vaxen" instead of the more awkward and easily mispronounced "vaxes."

      --
      For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
    2. Re:Computer Security 101 by bninja_penguin · · Score: 5, Interesting

      Swen, SoBig, Klez, Mimail, Yaha, Dumaru, SirCam.
      Just a few of Message Labs "Top Ten" Viruses they've determined as the most active for the last 28 days. Klez and SirCam?!?! Man, those are old! WTF are they still doing on the "Top Ten"? Should I be concerned, and patch my Linux box against the Morris Worm?!?

      1. No, I do remember the Morris worm, and the Lion. So, to be fair, I'm mentioning them now.

      2. Actually, with Windows 2000, it is not normal to run as 'admin'. I work on customers' PCs all day long, and, with the advent of Windows XP it is. Even if they have set up individual accounts, they have given 'admin' privileges to each user, as Windows XP is a bitch to install, modify, or network, etc. as a normal user. The workarounds for this (right-click and run as, or logout/in as admin) are not intuitive at all. Mandrake will pop a window asking for the root password as needed, no need to even run chown anymore. And yes, it is default to run the user accounts with admin privileges on Windows XP.

      3. I realize your point, and yes, I do blame the programmers, for that is a very poor implementation to use to get a program to run.

      4. Yes, the main way to crack any system is by attacking Internet accessible services/daemons, and Microsoft claims Internet Explorer, Media Player, MS Messenger and Outlook Express (all Internet accessible 'services') are an integral part of the underlying OS, and cannot be removed without destroying the entire OS. Google for "Microsoft Anti-Trust" if you don't believe me.
      Now, search for "top ten viruses", and peruse the lists you find. The Klez worm, well over a year old, is still up around 5 on most lists. Most of the others are old viruses/worms, or just new revisions of prior ones. The thing about this is, these viruses (some of which were in the wild before Windows XP was even released) are still alive and well. There is a patch or a fix for all of them, but still they persist. How the FUCK does a virus written for Windows 98 infect Windows XP? The number one reason you said yourself, "Internet accessible services...". Now tell me, why, why, why is Media Player, IE, OE, and a god forsaken chat program embedded into an OS?? Why, why, why does a mail program execute code, blindly, and by default? Why, why, why does a server OS (2000 Server) have a Media Player embedded into it, with full access to the Internet?

      Okay, before I start frothing at the mouth, suffice it to say, yes, Linux does get hit by worms occasionally, and cracked often, but rarely due to MONUMENTALLY STUPID designs of an OS that is developed by the marketing department, instead of the programmers.

      --
      For those who describe their systems as 'boxen', do you order multiple 'boxen' of corn flakes also?
  11. Re:Here we go again! by Avihson · · Score: 2, Interesting

    Granted, Outlook is not Windows - but Windows has Outlook and the outlook engine deeply integrated into the core of the OS. You may be able to hide it from yourself, but not from a virus.

    But we are talking about the computer that your Aunt Tilly buys to chat on the interweb-thingie!

    And Guess what?
    Your Aunt Tilly uses the default login from the OEM, which has full admin rights!
    Your Aunt Tilly does not know what ports to close!
    Your Aunt Tilly does not want to be bothered with firewall rules, IDS or security patches - She just wants to play Swedish Bingo at www.slingo.com!
    Your Aunt Tilly can't de-install or permanently disable ActiveX, Outlook, or Internet Explorer, or the VBS scripting in MS Office 9x through XP-Pro!

    I doubt that you can either.

    But if you hack at it long enough, maybe you can disable all the OLE that makes Windows insecure, but then you would just have a crippled GUI on an OS that is not able to connect to a network.

    And Aunt Tilly would not like that!

    I know this for a fact, I have an Aunt Tilly!

  12. Re:This is easy to fix by gyratedotorg · · Score: 2, Interesting

    With properly placed firewalls there shouldn't be a problem

    not true. it's not uncommon for a mobile user to get infected through their (unfirewalled) internet connection at home, and unknowingly bring something bad into the corporate network.

    --
    Gyrate Dot Org - "Where high-tech meets low-life"
  13. Microsoft - A Proven Danger to National Security by BanjoBob · · Score: 2, Interesting

    This is old news. In May 2000, infowarrior.org carried an article "Microsoft - A Proven Danger to National Security". I can't find the article on infowarrior but it was very popular and controversial for a while -- even here on /. The sad thing is this article, was a warning that nobody in the government ever listened to. Microsoft sure didn't read this document. If they did, they've spent 3 years doing absolutely nothing.

    --
    Banjo - The more I know about Windoze, the more I love *nix
  14. Re:"Linux most attacked server" by shaitand · · Score: 4, Interesting

    Perhaps his would, but mine certainly wouldn't be, as I'm sure you've figured out since I pointed out the exact argument he is using with some numbers at the time (actually I think it was you I pointed it out to). It's called bias when you ignore one side of the issue in favor of another. Considering all the facts and comparing ALL the numbers is not bias. Even if you only mention it when it suits your overall conclusions it's not bias so long as you HAVE considered all the facts.

    There is a difference between being biased and shooting yourself in the foot. The truth is that when you look at the numbers from real web reporting engines and any firm that is not funded by Microsoft (pretty sure Apache funds NONE, how about you?), the numbers show Microsoft is something on par to Apache in web servers what Apple is to Microsoft in the desktop market; I'm referring to share gap of course.

  15. Re:This is easy to fix by Anonymous Coward · · Score: 1, Interesting

    not true. it's not uncommon for a mobile user to get infected through their (unfirewalled) internet connection at home, and unknowingly bring something bad into the corporate network.

    You notice how they said "properly placed". I don't think having a machine go between work and home, while not having a firewall at home, would be considered "proper". Although parent made a very obvious statement, it is very true.

  16. Re:An interesting factor highlighted by the report by westlake · · Score: 2, Interesting

    So why not a license for computer programmers ? You know, the only guys who know how to write and distribute a virus, hack into an on-line game, etc. Keep them off the roads until they grow up.

  17. Re:Here we go again! by gothicpoet · · Score: 2, Interesting
    I think the argument might be made that Microsoft didn't produce quality products that customers love and buy over everything else.

    You say that the key is competition, however if you have a monopoly there is no competition. That's the definition of a monopoly.

    In the case of a monopoly of a national or international scale there's no way for a true competitor to appear. The monopolist has the ability to crush a competitor through means that have nothing to do with the relative merits of the products in question. Any company with the instincts to successfully become a monopolist on a national or international scale has to have done so by being willing to squash the competition by any means it thinks it can get away with.

    If a company can squash the competition by leveraging an existing monopoly, why would they compete on the merits? There's no incentive. Competition is inherently risky. It's a surer road to profit to make sure that the competition cannot reach a level playing field.

    Not many companies can reach the place where they have the ability to leverage a monopoly to quash their competition. When a company reaches that position and begins to do so, we *DO* need the intervention along the lines of the Sherman Antitrust Act.

    To quote your message, Can anyone think of any monopolies that have *NOT* tried to "use their market leadership to maintain their monopoly"?

    --
    Quoth he ::
    "It's all academic anyway..."
  18. Well, DUH. by Anonymous Coward · · Score: 1, Interesting
    Well, DUH.

    Back when MS was actually in court and actually in danger, I suggested a simple solution to the whole monopoly problem:

    1. The government is the biggest single consumer of computers.

    2. The government mostly runs on Windows, which is only exacerbating the problem.

    3. We recognise that there are many situations where Windows is, in fact, the best choice for a particular computer or task (no, really! Like solitaire! You played solitaire on Linux? It sucks.)

    4. The government (meaning the US gov't, though any other can do the same) should do a complete audit of all computers in use and the OS they run.

    5. They should also audit exactly what these computers are used FOR.

    6. The results of these two audits should be cross-referenced, and every gov't computer that CAN use an alternative OS to do its business should be FORCED to do so.

    7. Problem solved.