Richard Clarke on Microsoft security
hizzo writes "Richard Clarke, former White House cybersecurity and counterterrorism adviser, harshly criticized Microsoft's security track record. 'Given their record in the security area, I don't know why anybody would buy from them.' He also called for some regulation of security for ISPs in addition to better industry self-regulation, such as disclosing QA practices and becoming more accountable for secure code. I wonder if anyone will finally start listening to him?"
Clarke has talked about cyber security before. To the IEEE, in fact. Read it here.
Karma: Can there be a void?
.. -. - . .-. .-. --- -...
Richard Clark is a smart guy, and his book, "Against All Enemies," is a very good read. Highly recommended by the HouseOfMisterE.
He's not a politician, he's a civil servant. There is a huge difference there.
Why these people put up with it most likely can be put into two categories: 1) ignorance, and 2) laziness. Either they don't know there are viable options, or they are too lazy to actually pursue said options.
:-)
My excuse for running Windows?
Half Life 2
Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
But people really are stupid and/or lazy
I work hard, and I'm not (very) stupid. The disruption in daily operations for me to cut 40 live web and db servers, along with all of the code, over to Linux from Win2003/SQL/IIS/ASP/VB would be: total budget killer.
Just changing my group's desktops (including the dev tools, custom apps, storage, file structures, user environments, etc) and ignoring the desktops: total budget killer.
Much better off to talk about the suitability of the Linux stack for new business units, operations, or totally-clean-slate start-up companies. Of course, many new business units are spun off by too-busy growing companies, using people that are already hip-deep in their existing IT framework. This is NOT like deciding that, at home, this weekend, maybe it's time to switch. Any real change would occupy a typical department's people for man-months at least. Very few operations of any kind have that kind of slop in their budgets, as we're coming out of a recession and an only just now loosening IT cost clamp down.
I'd be organizing class-action suits, writing letters, storming Redmond with torches in hand
Maybe I would, but... I've had a busy day doing things for which I collect money, and which help my customers to make money. And I spent that whole day using MS products, none of which crashed, none of which picked up any worms, and none of which required a busy team of people to totally grok a new operating system or try to guess where they'd ever come up with time to do that.
Why these people put up with it most likely can be put into two categories: 1) ignorance, and 2) laziness. Either they don't know there are viable options, or they are too lazy to actually pursue said options.
Don't work in a very competitive, time-stressed, low-margin business environment, do you? Or are you 1) too ignorant or 2) too intellectually lazy to imagine that there might be actual, practical barriers to the quick adoption of something that's completely different and which would require hiring, consultants, and substantial risks? It's called inertia, and in tight economic circumstances, bosses and investors don't like to hear: "It's OK, it's completely different, and no one that works here has ever needed to compile code in order to patch something, but we'll figure it out before anything bad happens! Plus, it's free, other than the huge disruption, support costs, and unknown impact on all of our software! Relax, boss - don't be ignorant and lazy. Certain people on Slashdot have a magic Linux wand that they can wave to make this totally painless, instant, and more or less free."
Don't disappoint your bird dog. Go to the range.
What are your credentials? Must lie in something other than computers and internet, since all of the nerds here can answer questions such as yours by doing a Google search. If you had bothered to do so, you'd have read that Clarke was chairman of Bush's Critical Infrastructure Protection (CIP) Board when he retired in 2003. He was also the first counter-terrorism coordinator. His office also released the US National Strategy to Secure Cyberspace, and he seems to be enough of an authority in the field to be interviewed by IEEE Security & Privacy. There is a lot more to his background, if one really cares to investigate.
So, I'd say that he's pretty well credentialed to comment on threats to US cybersecurity. Perhaps not from the perspective as a bits-and-bytes technologist, but certainly as someone who has expertise in assessing systemic strengths/weaknesses from the perspective of counter-terrorism.
---anactofgod---
"Equal opportunity swindling - *that* is the true test of a sustainable democracy."
Did you read the article?
It was Redhat vs. Windows, as a web server, default installation. It was considered more secure because it took longer for redhat to issue specific patches than microsoft. If they would have simply compiled apache from source, like most competent administrators do, the patch would have been available in hours/days instead of weeks.
Please troll elsewhere.
My knowledge of Clarke isn't very good, did he politicise himself or was he politicised by the Bush administration?
Clarke was a civil servant/bureaucrat during his time working in the US government. He never ran for office and his service was never a sinecure in exchange for political contributions. He served in various capacities under three Presidents (Bush the Elder, Clinton and Bush the Younger). It wasn't until he had spent time working for Bush the Younger that he began publicly criticizing anybody in the US government. He did so after resigning from government service.
Bush the Younger's entourage began to politicize Clarke and his work in an attempt to discredit him. It didn't work particularly well, although for some reason, US voters chose not to punish their President for his lousy track record on terror.
Anybody who has read Clarke's book can see for themselves that he is not some raving madman. He's a professional who has made a career out of imagining the worst, figuring out who's likely to do bad things, and then trying to get others to do what's necessary to prevent the bad things or capture/arrest/kill the bad people. His failure, if you can call it that, is that he was unable to get the current US President to take al Qaeda and the threat of International Terror seriously until after 9/11, and even then, the President was more worried about Saddam Hussein and Iraq than he was about Mullah Omar and Osama bin Laden.
And the ex Counter-Terrorism boss of the administration speaking against the war, or at least against how it was carried out, was Richard Clark. This Richard Clark. Sorry buddy.
Here's an interesting interview with Clarke which discusses some of this history. It's part of the background material for the Frontline documentary "The Man Who Knew" which is also viewable online.
"Most of the time when someone on the left starts getting a lot of publicity like that, it is really part of a media campaign to sell a book."
Richard Clark is a registered Republican.
The U.S. needs more people like Clarke in public service. Not because he spins a good yarn, but because he has consistently offered lucid and nonpartisan analysis of the terrorist threat throughout his career. It is shameful that rather than responding to his arguments the Bush Administration went into attack mode, and even more shameful that the Democrats were unwilling to make Bush's failure in the war on terrorism a bigger campaign issue.
Yesterday, in a Manhattan Chamber of Commerce presentation, Microsoft's CIO Ron Markezich came out to take a Q&A. Most questions were softballs, but two really stuck out, showing Microsoft really is at least as out of touch as it is "evil".
Markezich had detailed how his IT department did more than just support 90K desktops worldwide. They were the first consumers of MS software - MS "eats its own dogfood", as Markezich said, and nothing gets released without Markezich's department signing off, after supporting it for months, if not years. A question from the audience asked "I've been using Internet Explorer for 4 or 5 years. It has so many issues, new ones all the time. So much so that when something like Firefox comes along, it knocks IE out of the leadership. What good is all your testing, if it can produce something as bad as IE?" While there are few good answers to that question, Markezich offered probably the worst possible: "I don't know, it works for me". He said he doesn't have IE problems, that they were surprised that it had all the problems in the field, that he doesn't have to install all the patches MS releases, because he doesn't have the problems they address. Astonishing. Remember, this is the CIO of Microsoft, responsible for all their IT globally, including release of their software "when it's ready".
Another question described, anecdotally, getting a black desktop and mysterious prompt warning that the computer had a security compromise, and the user should click to install important MS security updates. But the user wasn't sure the prompt was from Microsoft, though it claimed to be, and the next click could completely trash a compromised computer. Their question was "how can I tell that a warning and recommendation is from Microsoft, and trust it", considering scams like trojan horses and phishing messages. But Markezich laughed it off, treating it like a weird request for personal tech support - saying "call MS for tech support". I'd have thought that his IT department would be familiar with the scenario, and the issue, and that the question would easily trigger whatever was Markezich's stock response, like "Longhorn will make sure that if a window says 'Microsoft' in the title bar, that it's a message only from MS software", or some other lie he made up on the spot. Instead, it's obvious that that kind of social engineering security hole is news to him, though it's been addressed in, say, Java, since day 1.
There is no Microsoft security. There is only spin control. The marketers, and their lawyer "quality control" agents, control the whole company. Even their CIO just takes their marching orders. Without their monopoly, they'd be a joke, game over. As it is, such performances as we got in midtown yesterday have the smell of a dying beast.
--
make install -not war
Viruses are a serious problem for all computers.
No, just some OSs. Never had a Linux virus.
Spyware is a serious problem for all computers.
Same thing here. What is this Spyware you talk about? Never seen it on Linux.
Crashing is a serious problem for all computers.
Okay, yes, my computers crash too. Sometimes more than once a year.
Constant headaches with system failures, bit rot, and software/hardware installation is a serious problem for all computers.
Bits can rot? System failures? Is that like crashes? Software/hardware installation is not a problem for my Linux systems. I once replaced a motherboard with a whole different motherboard in my RAID server and the system automatically detected and configured my software RAID when I put the drives on different controllers and in a different order without me needing to edit a single file. It simply works. I plug in a new firewire card or whatever, chances are I have drivers for it already. Except those open source DRI drivers for some video equipment. But 2D always seems to work, sometimes with minor tweaks.
Macs are too expensive. - cf.) "I need a fast CPU"
Macs are too expensive. I need a fast CPU, too. I need a dual-core 3+ Ghz CPU today for under $200. *sigh*
But I think it all boils down to laziness for most people. I mean, who really wants to learn how these things work, besides me? But at least I offer my services for free to early Linux adopters.
Clarke said he would want to see government regulation of ISPs to ensure that they offer adequate levels of security to their customers.
He gave a speech at a Global Tech Summit back when he was the President's Cyber Security Advisor. Here's a link to it.
And let me give you a few select comments from that speech:
I think we need to decide that from now on IT security functionality will be built in to what we do, to the products that we bring to market.
TCPA, the Trusted Computing Platform Alliance, is an example of bringing hardware and software manufacturers together. But TCPA is not enough.
It is not beyond the wit of this industry to figure out a way of forcing down patches
ISPs and carriers can insist that when cable modems and DSL hookups are made, firewalls are installed. It is not enough for an ISP or carrier to say, oh, and by the way, you might want to think about a firewall.
A law to require ISPs to impose security on their customers. The security he means is TCPA, also known as Trusted Computing, TCG, Palladium, NEXUS, Longhorn and about 42 other names. And using this system they can "force down" operating system patches, whether you want them or not. Of course you can't get online in the first place without an approved operating system (Trusted Linux is in the works, but you'd be screwed trying to use it). It can also scan what software you are running, in order to insist that you are running an approved firewall and/or virus scanner. And any other software they feel like making mandatory.
Of course it will be a few years before ISPs could do this, almost no one has a Trusted Computer yet. But as Clarke said, the system is to be built into all the products brought to market. Samsung announced a few months ago that they are now manufacturing nothing but Trusted systems. IBM, Dell, and pretty much any PC maker is already selling Trusted systems and that will only increase. Microsoft has announced that only Trusted hardware will be properly compatible with the next Windows release, Longhorn. If Longhorn runs on non-Trusted hardware at all, it will only run in a crippled reduced graphics mode. So once Longhorn comes out you can be sure all new PCs will be sold Trusted compliant only. Give it a couple of years after that for the normal PC replacement cycle and *poof*, the majority of PCs out there will be Trusted compliant. And at that point ISPs could very well impose such a security system. And anyone with a non-Trusted computer would be unable to get on the internet. Anyone who did have a Trusted computer but who wanted to control his own computer and software would also be unable to get on the internet.
Clarke is no longer the President's Cyber Security Advisor, but there are still draft proposals in the government for forcing this through. There's really not much point in them doing anything publicly until more Trusted PCs ship. They'll probably wait for Longhorn to come out and start getting established.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
I work hard, and I'm not (very) stupid. The disruption in daily operations for me to cut 40 live web and db servers, along with all of the code, over to Linux from Win2003/SQL/IIS/ASP/VB would be: total budget killer.
;-)
Ok, lesson in best practices:
1) Migrate gradually and without downtime. Start by migrating the applications to PHP or Perl with a database abstraction layer. This may be slow. Then you can switch out the OS for Linux with no downtime if you already have load balancing (and very little downtime if you don't). Then you can work on moving to PostgreSQL. Expect that this will take 5 years on average
Ok, so your company doesn't want to hire a full-time employee to do that? Push out the deadlines and migrate app by app and server by server over a longer time. I.e. migrate code first then servers.
Just changing my group's desktops (including the dev tools, custom apps, storage, file structures, user environments, etc) and ignoring the desktops: total budget killer.
Migrate tool by tool. Then you can switch the rest of the OS with little shock.
Note: My first thought about IBM's Linux desktop migration was "it is going to take much longer than the 2 years they are targetting." Again, this is not something you just switch. It is something that takes years.
LedgerSMB: Open source Accounting/ERP
I support everything he's saying, but he's leaking credibility at an alarming rate.
Blanket statements like that don't help your credibility either. I've read his book, and he's a darling of the left wing media because he has by far heaped the most criticism on the Bush II administration. However, his praise and criticism of others did come off as fair and even-handed, and he names names everywhere. For example, praise for George HW Bush for the delicate diplomatic balancing act of holding together a coalition (a real one) containing many Arab countries in Gulf War I, and jeers to former FBI director Louis Freeh for incompetent micromanagement particularly in the '96 Atlanta Olympics bombing investigation. No way you'd ever see any right wing pundit criticize one of their own. Never.
This guy is a career Fed (I mean it in a positive way) who started in the State Dept. He's no liberal hippie. Given his background, some of his ideas on security may seem too authoritarian to many Slashdotters, but at least he's able to make reasonable arguments for their necessity. From his writing style he sounds like a reasonable, no-nonsense kind of guy who values competence over loyalty. These kinds of people tend to piss off other people who have the opposite priorities (loyalty over competence).
The only thing that Richard Clark [sic] ever did was approve flights for members of Osama bin Laden's family in the US out of the US and into Saudi Arabia shortly after the attacks.
Clarke's memo to Condoleezza Rice dated January 25, 2001 shows quite plainly that Clarke was urgently asking the White House to start moving on al Qaeda eight months before 9/11. Now that it has been declassified, you can see the actual memo here. [PDF link]
That doesn't look like "BS" to me. In fact, it suggests that "his record" shows a true concern in getting the Bush administration up to speed on what he felt was a huge threat. In the memo, he says "We urgently need such a Principals level review..." Rice finally held his requested meeting on September 4, 2001.
So what's the "only thing" he ever did, again?
this bio suggests that he worked for a total of five administrations, four at the cabinet level: http://www.americanpresident.org/action/orgchart/administration_units/officeofcyberspacesecurity/specialassistanttothepresidentandchairpresidentscriticalinfrastructureboard/richardaclarke/a_index.shtml
Now before I get modded down, I beg to remind whoever might read this that what I am saying is FACT. - bogaboga
he quickly jumped on the "not me" wagon by trying to control the discussion
Saying 'not me'? Quite the opposite I think. Perhaps you saw his testimony to Congress, when he apologized to the country for not preventing 9/11 and said among other things ".. I failed you ..".
Wow. Saying that out loud for the grieving 9/11 family members and the rest of the country took incredible courage. Contrast Clarke's plain speaking with the circumlocutions spouted by the Bush inner circle.
By the way, I read his book. It was excellent. Clarke's a straight talker who gives a clear idea of life in government. (You might want to save the first chapter till the end though, it's easier to follow once you've digested the rest of the book.)
"Just like I lobby the government every time I write my Congressman a letter. It's called "representative democracy."
Yeah, but chances are your letter is read by a co-op and filed in obscurity unless you are on the Congressman's campaign contribution list or he otherwise knows who you are.
Large corporations, or their K Street lobbyists, on the other hand will routinely meet your congressmen face to face, offer campaign contributions to the full extent of the law, and other assorted favors to ensure their clients get what they want from legislation and contracts.
You should have watched the House and Senate during the Medicare "Reform" Act. The lobby of the Capitol building was swarming with lobbyists for the drug, insurance and healthcare corporations, all circling like the sharks they are, smelling blood(money) in the water. The bill was such a horrible piece of legislation it couldn't pass on its own so House and Senate leadership had to arm twist all night to get the votes they needed and they held the vote open for hours which is against the rules until they got just enough votes to pass it.
During this same time the lobbyists were also hard at work outright buying votes because they desperately wanted that bill to pass. It's a bonanza for the drug and healthcare corporations, and in fact does frighteningly little for seniors for the price tag.
As I recall one congressman was retiring from politics and dead set against it. The lobbyists couldn't buy him because he was fed up and quitting, so they tried buying his vote by promising to get his son elected. As I recall it was in fact probably illegal vote buying though not sure what came of it.
Another example of how corporations lobby and you don't is Billy Tauzin. He is the relatively corrupt politician who led the charge to ram the Medicare reform bill through Congress. He did this at a time when he had a million dollar plus job offer waiting for him from an industry group representing, you guessed it, the drug companies. The unspoken deal: pass Medicare "reform" and we make you rich when you retire.
Another fascinating aspect of the Medicare Reform, it really is a case study in how deeply corrupted our government has become, is that the Medicare administrator, Thomas Scully, was also job shopping with corporations he dealt with during the run up to passing the "reform bill". It was a blatant conflict of interest but the White House approved his job shopping anyway. This same administrator intentionally and blatantly suppressed the true cost estimates for the bill. If the true cost had come out before the vote it never would have passed. Scully needed the estimate to be not over $400 billion over ten years to get it passed so, he lied and told everyone that's what it was. He was no doubt assured a high paying job in the private sector in return for being corrupt. One of the people who worked for him had some ethics and started demanding the true numbers, which were $551 billion, be released and Scully threatened him with ruination. The true figure was suppressed until the bill passed and then about a month later the Bush administration admitted it was really at least $551 billion, which would have never passed. A few weeks ago new estimates came out and it's ballooned to $700 billion dollars and it really hasn't even started yet.
One key reason the cost is ballooning is the drug industry lobbyists managed to add a clause in the legislation that forbids Medicare from negotiating the prices for the drugs its buying for seniors. The drug companies can charge as much as they feel like and raise the prices at their whim. They invested a few million on lobbyists and they will reap hundreds of billions of dollars in profits at the expense of tax payers. The only cap on how much this bill will cost taxpayers is how blatant the drug companies want to be in jacking up the prices of the drugs they sell to Medicare.
You really have no clue if you think your silly little letter is even remotely the
@de_machina
Yeah, Clinton was occupied by Congress trying to impeach him for a blowjob, stopping him from doing more to stop al Qaeda. When he tried to do more, like target bin Laden's mobile phone with a drone, the CIA and the Pentagon fought over passing the buck until it was too late. Behind the Republican-controlled Congressional Intelligence Committees smokescreens. The Cole was proven by Clinton's team to be al Qaeda after the 2000 election was over, and presented promptly to Bush as hard proof, but Bush did nothing. As usual, rightwing partisanship has twisted the blame exactly backwards.
During the Frontline show you'll see Clarke using a slick PowerBook G4. It's nice to know I'm in good company, using a platform that represents a small yet prominent minority. These days unless my users have a specific application(s) that only runs on Windows, my usual recommendation because of all my frustration with Windows is for them to get a Mac. If they can't afford to upgrade their hardware to Apple yet, I point them to the most popular Linux distro sites (except Red Hat) or BSD flavors, but I do warn them that there is a little bit of work involved to get their environment set up right. For those people who like to argue that Windows has more security issues because it's more popular, I say that's baloney. Five to six years ago it was my SGI Irix machines that kept getting hacked into once or twice a year, SGIs representing the smallest Unix flavor we had at the time and significantly smaller than the Mac population. Over the past 3 years the number of Windows security issues has exploded exponentially to where I can't in good conscience recommend it to most folks.
A Visit from the FBI Seems like FBI prefers Mac OSX as well.
MINNEAPOLIS & ST. L. R. CO. v. BECKWITH, January 7, 1889
"we admit the soundness of his position, that corporations are persons within the meaning of the clause in question."
This gave corporations privileges like freedom of speech and due process.
From Timeline of Personhood Rights and Powers "Of the 14th Amendment cases brought before the Supreme Court between 1890 and 1910, 19 dealt with African Americans, 288 dealt with corporations." America - home of the free.
Yes, it's totally off topic.
It is illegal to give outright bribes to politicians and civil servants but the laws are easy to skirt.
In particular, there isn't anything really illegal about taking lucrative payoffs to politicians after they retire from government service, which is the payoff of choice at the moment. It's called the revolving door from government to the private sector and in some cases, like Dick Cheney, back in to government and then in 2008 back to the private sector.
I vaguely recall in the late 80's, it might have been illegal for civil servants, not sure about politicians, to take jobs in the private sector with companies they dealt with when in government service. I'm pretty sure it was overturned shortly after it was passed because it ended the gravy train of working in government for a relatively low wage, throwing business to the private sector and then taking a lucrative job in that same private sector. Not sure but I think Dick Cheney in fact led the charge to reopen the revolving door, at least in defense contracting, and he of course took advantage of that very revolving door to go from Defense Secretary to Halliburton CEO, which made him a multimillionaire. Halliburton's KBR wins billions and billions of dollars of sole source contracts for the army and has since Vietnam. Dick Cheney also led the push to contract out vast amounts of work from the military to contractors, like food service, fuel supply and transport, etc. It's just a coinkydink all the work he outsourced to contractors went to KBR, the company he took over as soon as he left office. It stinks, he stinks. Halliburton was caught engaged in blatant profiteering in Iraq in both fuel contracts and catering to the military.
Darlene Druyun is another case study in the revolving door. As the Air Force's lead procurement officer she steered a 20+ billion contract to Boeing for 767 tankers and then took a lucrative position as a Boeing exec right after. It was so blatant people in Congress like John McCain screamed bloody murder and Boeing was pressured to fire her and the CEO who presided over the massive corruption, but this punishment was the exception not the rule. Lockheed and Boeing's executive ranks are loaded with retired Generals, civil servants and politicians.
@de_machina