Slashdot Mirror


Reliance On MS A Danger To National Security

An anonymous reader writes "A panel of leading security experts Wednesday blasted Microsoft for vulnerabilities in its software, and warned that reliance on the Redmond, Wash.-based developer's software is a danger to both enterprises and national security." (Even OpenBSD might be bad if it was the only game in town.) M : The report (pdf) makes good reading.

17 of 465 comments

  1. I for one, by tarquin_fim_bim · Score: 5, Funny

    welcome our new security overlords.

    "We always consider security to be our absolute top priority," - Microsoft spokesman Sean Sundwall

    You mean their proclivity to collect the world's cash is a secondary mission? Wow, Windows must be like the most impregnable fortress ever, and more.

    1. Re:I for one, by prockcore · Score: 5, Funny

      "We always consider security to be our absolute top priority," - Microsoft spokesman Sean Sundwall

      You mean their proclivity to collect the world's cash is a secondary mission?

      He was talking about financial security.

  2. It's About Time by Urantian · Score: 5, Interesting

    I hope the government, in the interest of national security, can clean up MS. All the anti-trust cases don't help the problem, rather they just help companies with posturing.

    Now, putting this kind of pressure on MS may really make them work harder. Imagine the government turning its back on MS, in the interest of national security. Wake up, Microsoft, before it's too late.

    --
    Urantian -- and proud of it!
    1. Re:It's About Time by protogoogoo69 · Score: 5, Informative

      this so-called expert report is just Gates-bashing

      Umm, if you actually read the article, you'd see that there were seven authors of this "Gates-bashing" report. Two of them stand out: Dan Geer and Bruce Schneier. Dan Geer is the chief technology officer of @Stake, a security consulting firm. (Ever heard of L0phtCrack?) And Bruce Schneier is famous for his work in cryptography research (ever heard of Twofish? Blowfish, maybe?), but works for Counterpane, a security consulting firm.

      These guys probably detest MS, but I'm sure they're not willing to sacrifice their credibility just to produce a stupid report to bash Gates.

      --
      ...small furry creatures from Alpha Centauri...
  3. forget the fluff... by NumLk · Score: 5, Insightful

    the most important line in the article:
    "And simply patching the vulnerability--as Microsoft has increasingly had to do on the fly as vulnerabilities are disclosed--only exacerbates the problem."

    Finally someone realizes it's not enough to just fix the problem; problems should be avoided in the first place! (I know, I know, easier said than done, {insert OS here} isn't perfect either.)

    --
    Children in the backseats don't cause accidents. Accidents in the back seats cause children.
  4. diversity by endx7 · Score: 5, Insightful

    This article helps explain very well why diversity in computers is a good thing.

    (It's harder for virus makers to affect more computers at once if fewer computers use the same OS.)

  5. NMCI by Anonymous Coward · Score: 5, Interesting

    And the Navy is going to Microsoft in a wholesale way. The new mega contract NMCI is locking the Navy into an MS solution for _all_ IT. Non-conforming (i.e. non-Microsoft) systems are labeled as legacy systems, and all new development will be required to use MS products in order to be on the network. Also, all network storage will be stored in a single facility!

    This is, I believe, a very dangerous approach for the reasons discussed in the article.

    That's in addition to the inefficiency of restricting a solution to a small set of tools. How many large organizations standardize on a single environment for all computing and IT needs?

  6. Re:It's easy to blame the product by Alien+Being · Score: 5, Funny

    "I see no mention that it is the administrators who must share responsibility for the compromises and exploits."

    What would be their fair share? According to MS, it's zero.

  7. Monocropping by phoneyman · Score: 5, Insightful

    I agree with the report authors that the monoculture of Microsoft is dangerous. Any one of us can see that, particularly after this exceedingly expensive summer, the MS monoculture we're enduring is costing us billions.

    However, I cannot agree with the recommendations that require MS to do this, that, and the other thing; recommendations such as releasing Office for other platforms at the same time as for Linux and MacOS, for example. The only recommendations I could see supporting would be those that explicitly break up the company into OS and application divisions, in order to shatter their monopoly.

    The recommendation that they must release their apps onto different platforms is, IMO, dangerous. It means that they will then unleash their "user friendly" nonsense on OSes such as Linux, and we'll end up with the absurdity of the Windows platform paradigm trying to seed its ugly crop of security problems in a new field instead.

    For National Security purposes Governments should insist on only using applications that they can also purchase the source code to. They should insist on using applications that are proven to be secure, not just popular. And they should insist that software companies be held liable for flaws that cost them security.

    Pierre

  8. Re:Hmmm.... by jbottero · Score: 5, Funny

    I should stop reading slashdot for a while and get to work.

    GOOD GOD, MAN! Get a hold of yourself! Do you HEAR what you're saying?

  9. Is it really even that bad? by SpamJunkie · Score: 5, Interesting

    Is relying on one vendor even that bad of an idea? The really bad idea is relying on computers for national security.

    Think of the locks that are used for locking the doors of government buildings. Are they all from one vendor? What happens when it is discovered that locks from that vendor are more vulnerable to being kicked in? I don't imagine a bunch of engineers get together to design better locks in their spare time; however, there is the chance that might happen if the most popular lock company was constantly making locks that were more vulnerable than necessary.

    However there is still a key difference between locks and computer security that must be considered: location. A locked building in Washington, DC isn't going to be compromised by someone in China. Anything that is so important that obtaining it can be considered compromising national security should not be stored on a computer accessible to the internet.

    The government should realise this (they probably do), because this isn't the first time this has been an issue. Long-distance communications during wars before the internet used various means of encryption to keep national secrets secure. Why can't they do the same for electronic communications? Create the electronic message on a machine that isn't connected to the internet, encrypt it, and burn it to a CD. Either mail the CD or send it using a computer connected to the internet. Then destroy the CD.

    The government likely knows this and almost certainly has national secrets under heavier protection than a sneakernet. When they complain about insecurity, whether it be from terrorists flying planes or Chinese youths, what they really want is money and laws. They're not actually so clueless as to leave valuables lying around, but it's useful to let citizens think they do.

  10. Only so much one can do... by ducomputergeek · Score: 5, Interesting

    No system is 100% safe. There are some things one can do, like making sure everything is patched, and another is to use odd systems. I worked for an architecture firm that used several Alpha servers for rendering projects. Several of these boxes had Tru64 Unix. When a couple were retired from rendering duty, we reconfigured those boxes as our router and firewall in the office. Why? Well, Tru64 Unix is an odd platform and not many know much about the system. It's an added measure against script kiddies. Is it foolproof? No, I am sure, but as one admin put it, "If they know the exploits of Tru64 Unix, they're a pro and there's probably not much we can do to stop those types." One of our boxes was attacked with the OpenSSH bug. If the attack had been about 6 hours later, it probably would have been patched. Our other 17 boxes were patched without a problem, and someone has tried to attack our OpenBSD boxes several times (hell, I try once a month just to see how they react) with no luck. But hey, some bug with an FTP daemon or some PHP code and we're SOL. Bottom line: keep patches up to date, use odd and unusual systems on the in/outbound traffic if you can, and keep lots of backups...

    --
    "The problem with socialism is eventually you run out of other people's money" - Thatcher.
  11. My favorite quote from the article: by marian · Score: 5, Funny

    "Ironically, Microsoft's efforts to deny interoperability of Windows with legitimate non-Microsoft applications have created an environment in which Microsoft's programs interoperate efficiently only with Internet viruses," said Geer.
    Gotta love it.

    --
    "Suppose you were an idiot..... And suppose you were a member of Congress... But I repeat myself."
  12. Computer Security 101 by bninja_penguin · Score: 5, Interesting

    Yeah, I read the stories about that also. And, since most web and e-mail servers and most small ISPs are running Linux, it could stand to reason.
    However, even though Linux servers are the most attacked/breached or whatever, when mom-and-pop ISP #1231 gets '0WNZORD', it doesn't cause the gigantic ripple effect of every server on the 'net falling over, unlike a Windows box. When a Windows box gets '0WNZORD', entire countries get swamped off the 'net. You know, à la the Slammer worm, which knocked South Korea off the 'net and swamped damn near everyone, no matter what their box was running.

    This is what true computer security personnel take into consideration. Not just how many systems are attacked, but what the effects of those attacks are. You know, if one Linux box gets taken over, does it automatically take over more? Very unlikely. Each box usually needs the individual attention of the cracker, and then, when successful, it is usually only with the permissions of the logged-in user, i.e. not root. Compare this with most Windows boxes, which, when one is cracked, automatically turn and attack more, and way more Windows boxes run as Administrator, either by default or because some shit-ass program requires it.

    So, yes, more Linux boxes are attacked, but the overall effect of these attacks is orders of magnitude less than the overall effect of the attacks on Windows boxes.

    --
    For those who describe their systems as 'boxen', do you order multiple 'boxen' of corn flakes also?
    1. Re:Computer Security 101 by tuba_dude · Score: 5, Insightful

      I think you're accurate on most of your points, but which incarnation of Windows are you talking about? 95/98 both have multi-user capabilities kludged on, meaning everyone is admin. I'm not sure about 2000, but on XP, when new users are created, they default to admin status. Microsoft's got some responsibility there. Maybe not all, but that is still a problem.

      --
      "The government of the United States is not, in any sense, founded on the Christian religion."
    2. Re:Computer Security 101 by bninja_penguin · Score: 5, Interesting

      Swen, SoBig, Klez, Mimail, Yaha, Dumaru, SirCam.
      Just a few of Message Labs "Top Ten" Viruses they've determined as the most active for the last 28 days. Klez and SirCam?!?! Man, those are old! WTF are they still doing on the "Top Ten"? Should I be concerned, and patch my Linux box against the Morris Worm?!?

      1. No, I do remember the Morris worm, and the Lion. So, to be fair, I'm mentioning them now.

      2. Actually, with Windows 2000, it is not normal to run as 'admin'. I work on customers' PCs all day long, and, with the advent of Windows XP, it is. Even if they have set up individual accounts, they have given 'admin' privileges to each user, as Windows XP is a bitch to install, modify, or network, etc. as a normal user. The workarounds for this (right-click and "run as", or logout/login as admin) are not intuitive at all. Mandrake will pop a window asking for the root password as needed; no need to even run chown anymore. And yes, it is the default to run the user accounts with admin privileges on Windows XP.

      3. I realize your point, and yes, I do blame the programmers, for that is a very poor implementation to use to get a program to run.

      4. Yes, the main way to crack any system is by attacking Internet-accessible services/daemons, and Microsoft claims Internet Explorer, Media Player, MS Messenger and Outlook Express (all Internet-accessible 'services') are an integral part of the underlying OS and cannot be removed without destroying the entire OS. Google for "Microsoft Anti-Trust" if you don't believe me.
      Now, search for "top ten viruses", and peruse the lists you find. The Klez worm, well over a year old, is still up around 5 on most lists. Most of the others are old viruses/worms, or just new revisions of prior ones. The thing about this is, these viruses (some of which were in the wild before Windows XP was even released) are still alive and well. There is a patch or a fix for all of them, but still they persist. How the FUCK does a virus written for Windows 98 infect Windows XP? The number one reason you said yourself: "Internet accessible services...". Now tell me, why, why, why is Media Player, IE, OE, and a god-forsaken chat program embedded into an OS?? Why, why, why does a mail program execute code, blindly, and by default? Why, why, why does a server OS (2000 Server) have a Media Player embedded into it, with full access to the Internet?

      Okay, before I start frothing at the mouth, suffice it to say, yes, Linux does get hit by worms occasionally, and cracked often, but rarely due to MONUMENTALLY STUPID designs of an OS that is developed by the marketing department, instead of the programmers.

      --
      For those who describe their systems as 'boxen', do you order multiple 'boxen' of corn flakes also?
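The monoculture argument made in comment 4 ("harder for virus makers to affect more computers at once if fewer computers use the same OS") and in comment 12 (one cracked Windows box automatically attacks more, Slammer-style) can be made concrete with a small simulation. The block below is an added example written for this page, not code from the Slashdot posters or from the Geer et al. report: it models a random-scanning worm that can only compromise hosts running one OS, runs it against a monoculture and against a mixed population, and reports the fraction of all hosts infected. The population sizes, OS mix, scan rate and round count are illustrative assumptions, not measurements of any real worm.

```python
import random

# Constructed example: a population of hosts with an assumed OS mix, and a
# scanning worm that can only compromise one OS. The round and scan counts
# are illustrative assumptions, not the behaviour of any real worm.


def build_population(n, os_shares, seed=1):
    """Assign an OS to each of n hosts, drawing from os_shares ({name: fraction})."""
    rng = random.Random(seed)
    names = list(os_shares)
    weights = [os_shares[name] for name in names]
    return rng.choices(names, weights=weights, k=n)


def vulnerable_share(hosts, vulnerable_os):
    """Fraction of hosts running the OS the worm exploits: a hard ceiling on damage."""
    return sum(1 for h in hosts if h == vulnerable_os) / len(hosts)


def simulate_worm(hosts, vulnerable_os, scans_per_round=3, rounds=20, seed=1):
    """Random-scanning worm (the Slammer pattern) spreading from a single host.

    Every infected host probes scans_per_round randomly chosen hosts per round;
    a probe succeeds only if the target runs vulnerable_os and is not yet
    infected. Returns the fraction of the whole population infected at the end.
    """
    rng = random.Random(seed)
    n = len(hosts)
    infected = [False] * n
    if vulnerable_os not in hosts:
        return 0.0  # nothing to exploit: the worm never gets a foothold
    infected[hosts.index(vulnerable_os)] = True  # patient zero
    for _ in range(rounds):
        new_victims = []
        for i, is_infected in enumerate(infected):
            if not is_infected:
                continue
            for _ in range(scans_per_round):
                target = rng.randrange(n)
                if hosts[target] == vulnerable_os and not infected[target]:
                    new_victims.append(target)
        for t in new_victims:
            infected[t] = True
    return sum(infected) / n


def compare(n=2000):
    """Run the same worm against a monoculture and a mixed population."""
    mono = build_population(n, {"win": 1.0})
    mixed = build_population(n, {"win": 0.5, "linux": 0.3, "bsd": 0.2})
    return {
        "monoculture": simulate_worm(mono, "win"),
        "mixed": simulate_worm(mixed, "win"),
        "mixed_ceiling": vulnerable_share(mixed, "win"),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:14s} {value:.3f}")
```

In the monoculture run the worm reaches essentially every host within a handful of rounds; in the mixed run it still saturates the vulnerable population, but the damage is capped at that population's share, because the other hosts are not exploitable and act as dead ends for the scan. That cap, not the worm's scan rate, is what OS diversity buys.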
  13. Re:"Linux most attacked server" by Tony-A · Score: 5, Funny

    But every day is I-hate-Microsoft day at Slashdot.
    That's why I'm here.
    Why are you here?