Slashdot Mirror

← Back to Stories (view on slashdot.org)

Reliance On MS A Danger To National Security

Posted by timothy on from the well-duh dept.

An anonymous reader writes "A panel of leading security experts Wednesday blasted Microsoft for vulnerabilities in its software, and warned that reliance on the Redmond, Wash.-based developer's software is a danger to both enterprises and national security." (Even OpenBSD might be bad if it was the only game in town.) M : The report (pdf) makes good reading.

14 of 465 comments (clear)

  1. It's About Time by Urantian · · Score: 5, Interesting

    I hope the government, in the interest of national security, can clean up MS. All the anti-trust cases don't help the problem, rather they just help companies with posturing.

    Now, putting this kind of pressure on MS may really make them work harder. Imagine the government turning its back on MS, in the interest of national security. Wake up, Microsoft, before it's too late.

    --
    Urantian -- and proud of it!
    1. Re:It's About Time by Rick+the+Red · · Score: 3, Interesting
      What pressure? This isn't a government report, it's an industry report, done by a bunch of Microsoft's competitors. MS will dismiss it as sour grapes, and the government will look at the cost of switching to Macs (the only non-Windows platform available, since Dell doesn't sell anything but Windows XP) and conclude that Bill's right, this so-called expert report is just Gates-bashing at it's worst.

      Remember, this is the Bush administration we're talking about. Besides, the CIA and the Army are probably telling Bush that if we promote Windows (i.e., continue to use it for all government desktops) then our enemies are more likely to adopt it as well, leaving them open to attack by us.

      --
      If all this should have a reason, we would be the last to know.
    2. Re:It's About Time by hbo · · Score: 4, Interesting

      Thise are the two that stood out for me, too. I have vast respect for both gentlemen. And it's based on years of watching their work product.

      The political angles aside, what they are saying is just common sense. They are talking about the vast majority of computing power being at the periphery of the network. That means at home, on your desk, in your plamtop and cell phone. The number of vulnerable servers, of whatever stripe, is just swamped by the vast numbers of desktop devices. And 90-97% (depending on whose stats you believe) of those systems run Microsoft OSen. When a worm is turned loose targeting those systems, it spreads like wildfire. They call it "cascade failure." These systems then turn around and attack systems at the core of the network. At that point, it doesn't matter what OS those core systems are running. They are very likely to be toast, regardless.

      They also make the point that Microsoft systems are uniquely vulnerable because of the malodorous pile of layered marketing driven technology decisions, and the tight integration of Microsoft's applocations and OS software. That last point should be obvious, too. If your interfaces are loosly coupled, it's easier decouple them when malware hits.

      --

      "Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers

  2. NMCI by Anonymous Coward · · Score: 5, Interesting

    And the Navy is going to Microsoft in a wholesale way. The new mega contract NMCI is locking the Navy into a MS solution for _all_ IT. Non conforming (ie non-microsoft) are labeled as a legacy systems and all new development will be required to use MS products in order to be on the network. Also, all network storage will be stored in a single facility !.

    This is I believe a very dangerous approach for the reasons discussed in the article.

    In addition to inefficiency of restricting a solution to a small set of tools. How many large organization standard on a single environment for all computing and IT needs?

    1. Re:NMCI by Short+Circuit · · Score: 4, Interesting

      The USS Yorktown had to be towed to port due to NT crashing. I can't find the original news articles, though.

      --
      tasks(723) drafts(105) languages(484) examples(29106)
    2. Re:NMCI by ScrewMaster · · Score: 4, Interesting

      How many large organizations standardize on a single environment for all computing and IT needs?

      Actually, most of them. Standardizing on a single platform makes the Information Technology crowd's life easier, although there is a price to pay for that convenience. Your point is well-taken that no operating system is optimal for every possible application or use: permitting some variety is a good thing in terms of both safety and productivity. The IT folks themselves are generally unaware of the costs incurred by their monomaniacal focus on a single environment, whatever that may be.

      Problems ensue when you are a corporate user with specific needs that don't fit the mainstream. Then exceptions have to be made, IT drones get irritated and unco-operative ... generally it's a mess. I've been through that wringer several times in the past few years: my company sells some fairly sophisticated industrial data-acquisition systems. While they are PC-based, the problems come in when the local IT departments absolutely INSIST that our machines MUST be on their domain (no reason given ... it simply MUST) and we MUST install Service Pack X and we MUST install THIS version {insert required antivirus/utility/monitoring/security package here} etc., etc., etc. ad-nauseam, even if their requirements completely break our equipment. The systems we install are mission-critical to the companies that buy them (downtime simply isn't tolerated.) We may have a few go arounds involving complete plant shutdowns before the IT people get told to back off from someone upstairs. Once they realize the damage they've done (and the trouble they're in!) things run a bit more smoothly.

      --
      The higher the technology, the sharper that two-edged sword.
  3. Not that bad on MS by JoeCommodore · · Score: 4, Interesting
    The article stated that having SO many computers on one OS was a threat (makes it easier to bring down a whole lot of systems in one fail swoop instead of say a cluster of one type of OS.), also the person mentioned that that one OS has been having some security issues.

    Not that I like MS, but this situation would pertain to any other OS if 90% of machines were using the same OS. Even it it was an OS you liked or felt was secure it is a big issue.

    --
    "Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
  4. National security 'R us! by Zhe+Mappel · · Score: 4, Interesting
    The choice of Microsoft has a kind of nice symmetry, though, you must admit.

    We rely upon half-baked right wing Dr. Strangeloves to choose the foreign countries that will welcome our invasions...

    We rely upon deregulated billionaires to keep our stock market and investment firms honest...

    We rely upon greedy employers not to send our jobs overseas in order to ratchet up the stock value and buy themselves extra homes and diamonds...

    So why shouldn't we rely on a convicted monopolist with a track record of utter failure behind it to keep our national computer infrastructure secure, too?

  5. Is it really even that bad? by SpamJunkie · · Score: 5, Interesting

    Is relying on one vendor even that bad of an idea? The really bad idea is relying on computers for national security.

    Think of the locks that are used for locking the doors of government buildings. Are they all from one vendor? What happens when it is discovered that locks form that vendor are more vulnerable to being kicked in? I don't imagine a bunch of engineers get together to design better locks in their spare time, however there is the chance that might happen if the most popular lock company was constantly making locks that were more vulnerable than neccessary.

    However there is still a key difference between locks and computer security that must be considered: location. A locked building in Washington, DC isn't going to be compromised by someone in China. Anything that is so important that obtaining it can be considered compromising national security should not be stored on a computer accessible to the internet.

    The government should realise this (they probably do) because this isn't the first time this has been an issue. Long distance communications during wars before the internet used various means of encryption to keep national secrets secure. Why can't they do the same for electronic communications? Create the electronic message on a machine that isn't connected to the internet, encrypt it, and burn it to a CD. Either mail the CD or send it using a computer connected to the internet. Then destroy the CD.

    The government likely knows this and almost certainly has national secrets under more heavy protection than a sneakernet. When they complain about insecurity, whether it be from terrorists flying planes or chinese youths, what they really want is money and laws. They're not actually so clueless as to leave valuable lying around, but it's useful to let citizens think they do.

  6. Only so much one can do... by ducomputergeek · · Score: 5, Interesting

    No system is 100% safe. There are some things one can do, like making sure everything is patched and another is to use odd systems. I worked for an architecture firm that used several ALPHA server for rendering projects. Several of these boxes had True64 Unix. When a couple were retired from rendering duty, we reconfigured those boxes as our router and firewall in the office. Why? Well, True64Unix is an odd platform and not many know much about the system. Its an added measure against script kiddies. Is it fool proof, no I am sure, but as one admin put it, "If they know the exploits of True64 Unix, they're a pro and proably not much we can do to stop those types". One of our boxes was attacked with the OpenSSH bug. If the attack would have been about 6 hours later, it proably would have been patched. Our other 17 boxes were patched without a problem and someone has tried to attack our OpenBSD boxes several times (hell I try once a month just to see how they react) with no luck. But hey, some bug with an FTP daemon or some PHP code and we're SOL. Bottom line: Keep patches up to date, use odd and unusual systems on the in/outbound traffic if you can, and keep lots of backups...

    --
    "The problem with socialism is eventually you run out of other people's money" - Thatcher.
  7. Re:Copyrights - a danger to national security by jdunlevy · · Score: 3, Interesting
    Any false property right is a danger to societies security. Just look at how slavery led to the civil war.

    How would you define a false property right? In your view, are there any property rights that are not false? If some property rights are false, and others true (or legitimate) what criteria are we to use to distinguish between the two? Clearly, there is no right to have slaves, so any claim of that as a right is a false claim; but what is it about copyright that is similar to slavery that makes it also a false property right -- especially if there is such thing as a true property right?

  8. Computer Security 101 by bninja_penguin · · Score: 5, Interesting

    Yeah, I read the stories about that also. And, since most web and e-mail servers and most small ISPs are running Linux, it could stand to reason.
    However, even though Linux servers are the most attacked/breached or whatever, when mom and pop ISP #1231 gets '0WNZORD', it doesn't cause the gigantic ripple effect of every server on the 'net falling over, unlike a Windows box. When a Windows box gets '0WNZORD', entire countries get swamped off the 'net. You know, ala the Slammer worm, which knocked South Korea off the 'net, and swamped damn near everyone, no matter what their box was running.

    This is what true computer security personnel take into consideration. Not just how many systems are attacked, but what the effects of those attacks are. You know, if one Linux box gets taken over, does it automatically take over more? Very unlikely. Each box usually needs the individual attention of the cracker, and then, when successful, it is usually only with the permissions of the logged in user, i.e. not root. Compare this with most Windows boxes, which, when one is cracked, it automatically turns and attacks more, and way more Windows boxes run as Administrator, either by default, or because some shit-ass program requires it.

    So, yes, more Linux boxes are attacked, but the overall effect of these attacks are orders of magnitude less than the overall effects of the attacks on Windows boxes.

    --
    For those who describe their systems as 'boxen', do you order multiple 'boxen' of corn flakes also?
    1. Re:Computer Security 101 by bninja_penguin · · Score: 5, Interesting

      Swen, SoBig, Klez, Mimail, Yaha, Dumaru, SirCam.
      Just a few of Message Labs "Top Ten" Viruses they've determined as the most active for the last 28 days. Klez and SirCam?!?! Man, those are old! WTF are they still doing on the "Top Ten"? Should I be concerned, and patch my Linux box against the Morris Worm?!?

      1. No, I do remember the Morris worm, and the Lion. So, to be fair, I'm mentioning them now.

      2. Actually, with Windows 2000, it is not normal to run as 'admin'. I work on customers PCs all day long, and, with the advent of Windows XP it is. Even if they have setup individual accounts, they have given 'admin' privledges to each user, as Windows XP is a bitch to install, modify, or network, etc. as a normal user. The workarounds for this (right-click and run as, or logout/in as admin) are not intuitive at all. Mandrake will pop a window asking for the root password as needed, no need to even run chown anymore. And yes, it is default to run the user accounts with admin privledges on Windows XP.

      3. I realize your point, and yes, I do blame the programmers, for that is a very poor implementation to use to get a program to run.

      4. Yes, the main way to crack any system is by attacking Internet accessible services/daemons, and Microsoft claims Internet Explorer, Media Player, MS Messenger and Outlook Express (all Internet accessable 'services') are an integral part of the underlying OS, and cannot be removed without destroying the enitre OS. Google for "Microsoft Anti-Trust" if you don't believe me.
      Now, search for "top ten viruses", and peruse the lists you find. The Klez worm, well over a year old, is still up around 5 on most lists. Most of the others are old viruses/worms, or just new revisions of prior ones. The thing about this is, these viruses (some of which were in the wild before Windows XP was even released) are still alive and well. There is a patch or a fix for all of them, but still they persist. How the FUCK does a virus written for Windows 98 infect Windows XP? The number one reason you said yourself, "Internet accessible services...". Now tell me, why, why, why is Media player, IE, OE, and a god forsaken chat program imbedded into an OS?? Why, why, why does a mail program execute code, blindly, and by default? Why, why, why does a server OS (2000 Server) have a Media Player embedded into it, with full access to the Internet?

      Okay, before I start frothing at the mouth, suffice it to say, yes, Linux does get hit by worms occasionally, and cracked often, but rarely due to MONUMENTALLY STUPID designs of an OS that is developed by the marketing department, instead of the programmers.

      --
      For those who describe their systems as 'boxen', do you order multiple 'boxen' of corn flakes also?
  9. Re:"Linux most attacked server" by shaitand · · Score: 4, Interesting

    Perhaps his would, but mine certainly wouldn't be, as I'm sure you've figured out since I pointed out the exact argument he is using with some numbers at the time (actually I think it was you I pointed it out to). It's called bias when you ignore one side of the issue in favor of another. Considering all the facts and comparing ALL the numbers is not bias. Even if you only mention it when it suits your overall conclusions it's not bias so long as you HAVE considered all the facts.

    There is a difference between being biased and shooting yourself in the foot. The truth is that when you look at the numbers from real web reporting engines and any firm that is not funded by microsoft (pretty sure apache funds NONE how about you?), the numbers show microsoft is something on par to apache in web servers what apple is to microsoft in the desktop market, I'm refering to share gap of course.