Slashdot Mirror
Army Buys Macs to Beef Up Security
agent_blue writes "The Army is integrating Macs into their IT network to thwart hack attempts. The Mac platform, they argue, is more secure because there are fewer attacks against OS X than Windows-based systems. 'Military procurement has long been driven by cost and availability of additional software--two measures where Macintosh computers have typically come up short against Windows-based PCs. Then there have been subtle but important barriers: For instance, Macintosh computers have long been incompatible with a security keycard-reading system known as Common Access Cards system, or CAC, which is heavily used by the military. The Army's Apple program, created [in 2005], is working to change that.'"
i thought they don't allow gays in the military?!?
http://www.serverwatch.com/news/article.php/201361
:)
i always liked the idea...
from the article: "Until the Army's Web site was hacked in late June by a 19-year old Wisconsin man, the site had been using a Microsoft Windows NT-based Web server..."
How many times do I have to keep telling people that security is more about the skill of the IT staff than it is about the operating system it runs on?
Yes, Windows has vulnerabilities. Windows sucks as far as security goes. That goes for Vista, too. But waving around an OS like it was some magic bullet that's going to somehow fix your security problems is, well, insanity.
My blog
Well, I'm sure that adopting Macs will ensure that people will continue to leave them alone in their attempts to compromise systems with something valuable enough to make it worth the attempt.
Whatever happened to "Don't ask, Don't tell?"
One small step for Mac one giant leap for Mac kind.
--- If the bible proves the existence of God, then Superman comics prove the existence of Superman.
http://www.google.com/search?client=safari&rls=en&q=cac+on+mac&ie=UTF-8&oe=UTF-8
Support is built into Safari, and it is possible to set it up to log into a Windows domain, I believe.
_sig_ is away
One would think if the 'Military procurement has long been driven by cost and availability of additional software' that Linux would be the better chose. Seems like there is some other factors. Perhaps Ubuntu is to hard to use?
Why, yes it does!
Vonal Declosion
All computers used in the military facilities in the Transformers movie by the teams trying to break the Decepticon's code where Apples. It should also be pointed out that the computer that defeated the martins in Independence Day where macs.
Life imitating "art"?
Ask not what you can do for your country. Ask what your country did to you
Definitely. I love using Macs, but for servers, embedded systems, and field equipment, it would seem that Linux or BSD would be the better choice for the military.
How will they know if the user prefers a Mac or PC with their "Don't ask, don't tell" policy?
Trolling is a art,
... because the total cost of hardware ownership in the military wasn't high enough already.
The Mac platform, they argue, is more secure because there are fewer attacks against OSX than Windows-based systems
Not that it's more secure because it's better, but because there are fewer attacks? Won't adopting give hackers more incentive to attack it? They shouldn't judge the OS based on how many attacks there are now, but on how secure it can be made since one would assume that anything the government runs is interesting to hackers.
I stole this sig from a more creative user.
why not liunx it is free and runs on any x86 hardware?
also the lack of mid-range desktop forces you buy a macpro in places where a imac will not work As the mini is under powered or over priced.
$600 for gma 950, dvd / cdwr, laptop cpu and hdd, and only 1gb of ram. Any other system at the same price will have better hardware and will be a lot easy to open up fix bad parts.
I love using Macs, but for servers, embedded systems, and field equipment, it would seem that Linux or BSD would be the better choice for the military.
MacOSX has chewy unix underpinnings, why would it not be a good choice?
Trolling is a art,
With a runaway defense budget like ours, I'd say the mac is a perfect fit!
One of these days, I'm going to cut you into little pieces.
I met airforce officers at a computer show in maine years ago, who were active developers of OpenBSD for the AF. Also, from what i remember, the navy started using PowerMac's years ago for the same reasons.
It's too bad Apple stopped making iMacs with colours and prints on the cases. Otherwise, they could have made some cool looking computers with camoflogue cases!
Wanting to keep as much of my income as possible, mostly :) Tax $$$, you know. Buying cheap generic parts in bulk and custom designing equipment would be both more flexible and less expensive. Come to think of it, why doesn't the military implement the card reader software themselves? Most of the readers I've see are simple USB devices...
The Army will surely rush to take advice from someone who can't cobble together a complete sentence.
The article points out that only "20,000 of the Army's 700,000 or so desktops and servers are Apple-made". This likely means that they have 20,000 Macs at the Pentagon alone, where the security is needed. Those other hundreds of thousands of computers probably belong to recruiters or low-level contractors, whose data is not too critical to national security. The Army would have no intention to spend money to upgrade systems, such as those belonging to recruiters, that don't have very sensitive data on it. I foresee that this Mac craze will be short lived, although I am not doubting it's impact on security.
"MALLEIS MILITO" (I Soldier With A Hammer) 62ND ENGINEER BATTALION
Now that terrorists know the Army uses Macs expect to see terrorist Mac-Hack attempts go up.
Seriously, out of the box neither Microsoft, MacOS, nor non-hardened Linux is designed to be a secure OS.
For security, either work with Apple or Microsoft to harden the system out of the box, start with SELinux or a hardened BSD, or up the ante and use a mainframe or other system designed from the ground up with military-grade hardening in mind.
Of course, even a partial air gap or strong firewall helps too.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Macs & beef!!! I thought they were all vegans.
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
Maybe because no one would bribe anyone to buy linux, the profit margin is thin.
Patents Drive Free Software as Hurricanes Drive Construction Industry
Perhaps juicy military contracts will encourage Apple to expand their product offerings to fill that gap?
If you read the article instead of the headline, you'll see that the Army is making the attack target more diversified, so that a single attack will not bring down all computers. What's wrong with that tactic?
The clear majority of the really high end computer security people I know are driving Macs. On the military side Army and Marines seem to be tinkering more with Linux. The Marines less so because of NMCI, but there was a demo of battlefield information system that was Linux based. Navy and Marines have pretty much locked themselves into Windows desktops managed by EDS on the administrative side. A move I believe will go down as one of the great defeats in Naval history, with casualties of 250 million American taxpayers.
Don't know about the Air Force but the few AF people I've met at conferences seemed pretty on the ball and struck me as Linux curious if not outright supporters.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Because they are Army.
Gimme 20,000 big Macs and double the beef!
Nic
Very clever! Bottom level hardware that with software written by college undergrads. That's sure to move them up the security totem.
If they were clever, they'd be running their workstations with a solid defense-level OS, such as GHS INTEGRITY or one of Boeing's internal systems, while running Linux or Windows through a hypervisor for UI and usability.
The MS systems might be cheaper, since they'd save on the unix admin budget.
HThe Army's push to use Macs to help protect its computing corps got its start in August 2005, when General Steve Boutelle, the Army's chief information officer, gave a speech calling for more diversity in the Army's computer vendors. He argued the approach would both increase competition among military contractors and strengthen its IT defenses.
"Sir, I have the DOJ on line 2."
"Tell them to get Bill Gates in here."
"Yes sir."
(door opens an hour later)
"Bill Gates, you told us Windows Vista would be more secure!"
"It IS more secure, over five million...(BLAM)"
Mac: Hi I'm a Mac
PC: and I'm a PC
Military Intelligence: And I'm no longer an oxymoron
This is my sig. There are many like it but this one is mine.
Yes, and no.
I think they should use tools available cross-architecture for their software, and then have a multi-arch setup. For example:
30% Free/Net/Open BSD
30% Linux
25% Mac
15% Windows
This would alleviate the issues of an entire-network compromise from potentially overlooked vulnerabilities in any one system. Because you can get fairly simple general interaction for the operating systems listed (given modern desktop environments offered on Linux/BSD, Mac would be the most "different" and not terribly so even then), and applications That had cross-platform natures would be all that's used, there would be little difficulty for the end users to go between systems.
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
Probably afraid to make Microsoft mad.
History lesson
NSA worked on SElinux Made improvements to security and gave the changes away (paid for by the public after all)
Microsoft got there tame Senators to come down hard on them and it stopped (Microsoft shouldn't have to compete with the government
it's not fair waaaa).
Microsoft no longer considers the Mac a threat so they will let this slide.
Yeah, spend money on Macs and not on bullet proofing the Hummers.
Apple may have unix roots, but openBSD it is not. There is no comparison security-wise, openBSD wins hands down. If you need user-friendliness and usability, then that significantly changes the equation. My guess is they are looking for improved security with the happy clickiness that Macs provide.
I didn't think I'd see this "security through obscurity" myth repeated on Slashdot.
Not any more.
If the army is using it for that reason then you know the Chinese, Russians, and any other tech savvy nation will now point their hackers at Macs.
-- I ignore anonymous replies to my comments and postings.
Mac's have CAC support. Try /usr/sbin/cac_setup
I'm not trivializing the work that would need to be done to work in a DOD environment where most of the CAC-enabled apps need a osX port. The low-level strong authentication portion is done.
In true government contracting fashion, the bulk of the work is done by Axalto, with some DC-based project management middleman cashing the Fed's checks. Axalto is probably barely breaking even on the project despite the huge volume of cards in the field.
Got Trader Joe's? friendwich.com RSS feeds work now!
Back in the late 90s the Army switched its us.army.mil stuff to Mac based servers based on the input of a low ranking enlisted guy (whom I knew, and I myself was in the same unit when he made the suggestion). They publicity at the time was that the Windows servers were getting hacked on a daily basis, so they switched to the Mac OS server stuff and the problem was solved...the hackers no longer were able to hack the front page of the US Army on a daily basis. I wonder why they are just now realizing this and going back to an old solution?
Why? Because the government knows accountability (when it matters to them, anyway). Macs have a large corporation backing them. With the partial exception of Red Hat, any given flavor of *nix doesn't. Despite all the "it's good enough for government work" jokes, the government requires a well-known model of support for times when stuff breaks down. A large corporation backing their products fits the bill nicely. The community-driven open-source model doesn't.
... nobody in Washington gives a rat's ass about sticking it to a corporation, especially when said corporation is still relied upon heavily for products and services.
And as to your Redmond comment
The simple thing that's wrong with that tactic is that instead of having to provide security for one OS, they now have to provide security for both.
When protecting data, think "serial" and not "parallel". You won't get extra security by diversifying your OSs because hackers don't need to hack ALL of them, but just ONE of them, to compromise data. This is not a case of "redundant systems", but rather a case of "the weakest link". The more OSs are supported the more chances that AN OS will get hacked (as opposed to ALL OSs), but when it comes to protecting data, hacking that ONE OS is all it takes. Hackers are certainly more agile than the government, and the government should try to minimize its profile, together with hacking avenues, rather than build redundant systems where redundancy is not the solution for the problem at hand.
In other cases when the issue IS parallel, such as protecting a mission-critical system (think Space Shuttle), then yes, multiple OS's increase the chance that any one will survive. But this doesn't apply to data security. They should stick to one OS as well as one of everything else, preferably as secure as possible (NetBSD, some Linux distros, etc). But even JUST Windows is more secure than Windows and OTHER stuff together, because you keep all the risks of Windows while adding the extra (even if relatively smaller) risk of the other system on top of the original risk.
Macs are nothing in the eyes of malicious hosers out there.
/home/moron just as easily as /var/www/html. Linux is secure - sure, until you install a CMS on it and never update said CMS software. Once that happens, you might as well be using Windows.
/home/moron.
The majority of compromisation attempts happen now in order to set up botnets. There are two huge targets for this. First, Windows. Your average home cable modem has a decent chunk of bandwidth and - let's face it, it's Windows. By default, it's completely insecure. There's not much work at all involved in getting into Joe User's Windows box.
Second is - surprise surprise, Linux. Why Linux? Because Linux is insecure by default as well. Oh, I know, I'm invoking the wrath of the Open Sores Horde here, but it is. "UNIX PERMISSIONS LOL" - my ass, a credit card phishing site can sit in
Botnets are just as easy to run from
And frankly, Linux is as easy to compromise as Windows - once you get on. Install crappy CMS software and never update? You're asking to be hosed. Using passwords instead of SSH keys for user login? You're asking to be hosed.
And compromisation of Linux systems happens far more often than the frothing Linux zealots would have you believe. By default - sure, Linux is 'more secure'. Nobody using Linux leaves the system in a default state. That's the problem.
Now, where's Mac in all this?
Nowhere. Mac isn't popular enough to warrant the attention of script-kiddy like prepackaged exploit tools. Nine times out of ten, if you hit up a residential IP, you'll find Windows boxes at the other end. Why bother wasting time with Mac-related crap?
Conversely, you're more likely to hit Linux and Windows if you hit up boxes sitting in a datacenter.
For the two high-priority targets of malicious idiots - Mac is nowhere to be found. That's the reason your Mac is safe. Sure, you can go on about e-mail worms and other exploits of twelve year olds, but we're talking systems being hacked, not ill-trained users who click on WICKEDSCREENSAVER.zip.exe.
Brings a whole new meaning to BootCamp, doesn't it?
In some ways that would be an improvement, but it wouldn't address the largest issue. That being the people using the computers. If memory serves that British "cracker" managed to get into a huge number of systems which had weak or non-existent security. Most OSes need to be hardened before they are deployed, and if you're not going to bother doing that alone with educating you're users, you may as well just hand over the info on the computers on a nice CD.
Diversifying the set ups would help, in the sense that any OS that is widespread in the US military will be focused on for exploits. There's just too much of an incentive to terrorists, foreign nations and wannabe code crackers to pass up. If you combine that with sensible passwords, multiple layers of security, segmenting of network, regular security audits and obscuring from the public exactly what you've got, that will get you quite far in terms of maintaining the integrity of you're network. There will always be a couple of bugs somewhere in the system, a good security plan makes them as difficult to exploit as possible, but in the end anybody that can access a machine on the network can potentially break it all.
I keep hoping that something as important as military computer systems would be protected by a more robust system than obscurity.
They are switching to Macs because fewer attacks are designed for them? What do they imagine will happen to the number of attacks directed against Macs when tanks, silos, and aircraft carriers are running it?
While Apple systems have always been slightly higher priced (when compared to equal pc systems not home made random part systems) I figured this was mostly do to higher manufacturing costs. I could be totally wrong, and probably am, but I'm hoping that with the Army switching out all their systems to Apple machines that the manufacturing costs over all will go down and maybe we'll start to see some cheaper Apple systems coming out. Yeah yeah it's a lot to ask for but I like to hope for the best I guess.
Ave Molech Setting
so whats wrong with supporting more than one OS? Would you prefer one point of failure? A good sys admin can support multiple platforms. The only people I ever hear complain about this are Windows people who can't support anything else. Linux admins can ALWAYS support Windows and Mac platforms so why is it so hard for the vast majority of Windows admins to support the other platforms? Hmmm...? Do you just prefer having a single point of failure?
This is my sig. There are many like it but this one is mine.
Why not split up the Linux category just for the heck of it?
5% Gentoo
5% Slackware 5% !Suse 5% Red Hat 5% Ubuntu 5% SELinux
The security partly comes from using an uncommon OS, not just a more secure one. It's a security by obscurity thing... and although obscurity may not be a perfect measure, it's good when it's coupled with a truly more secure OS.
This implies that the perfect obscurity would come from a homebrew computer system, designed and built in its entirety in one's home. And if it were designed to be secure by default and its creator was a perfect mathematician and engineer, then it would probably be the most secure system in the world.
Or maybe not. If we maintain that no one is perfect and that bugs will creep in anywhere, then we can only hope to solve security holes with the "when there are enough eyeballs" law.
But then again why not try an open-source homebrew system...
And if we think for a while about it, modern free OSes as such homebrews that just became more popular after some years in existence. So, perhaps the best security can be found in free OSes that are popular enough to attract many bug fixers but unknown enough to not attract a lot of crackers (yet).
What I find intriguing is how similar security is to life and evolution. The whole security field can be modelled with positive and negative feedback. Crackers come to eat your lunch, just like predators in nature do, and you try to protect against them, just like all life does... Then whitehats and researchers come to help fix the security holes, just like animals in symbiosis (you get fixed software, they get jobs or recognition or a warm fuzzy feeling). Software that adapts to its environment (crackers) lives on and on (GNU/Linux and *BSD), and software that is stubborn and refuses to adapt dies (Win9x anyone?). Of course there is nothing special that makes security similar to life, because both are just examples of dynamic systems and all such systems have this behaviour.
Therefore, using a biology example, we can say that a computer running a mainstream popular OS is in a mainstream ecology which has already attracted many predators (and if the OS is an insecure one, the ecology does not offer any natural hiding places... it's kinda like an open field where you have nowhere to hide, and it would be really stupid to live in such an open field filled with predators if you had choices). But a computer running an alternative less-known OS like GNU/Linux is in an ecological niche which has not attracted many predators yet. And since the OS is more secure as well, this ecological niche offers you lots of places to hide when a predator finally comes, eg you can go underwater or hide among bushes.
So, start seeing OSes like ecological niches... If one ecology is filled with predators and does not offer any hiding opportunities, it would be dumb to choose it. Choose an ecological niche that is free of predators and it works in such a way that even when predators come you can defend.. That's the most intelligent choice..
I don't disagree with you, but I was talking from a completely systems perspective.
Actually, given that it is military and should have very fine grained security, nobody should have the rights to install a program, not even on their own space, except administrators. Such a system should be fairly user proof, except for the data the user can access, and at that point, password rule constraints in the software can get rid of the biggest problem for the standard user.
It's not something I would put on a home system, because a home user wouldn't want a system that restrictive, but for business/government systems, the software should be set up to the point the user can't cause an issue except with they data that user is allowed to access (and even that can be fairly well made to be a limited risk through UI solutions.
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
That's more along the lines of, like, your ASCII art suX0rs.
Anyway, who else has a hard time imagining an army without right clicks?
A World in a Grain of Sand / Heaven in a Wild Flower,
Infinity in the Palm of your Hand / And Eternity in an Hour.
$10 says the army unwittingly installs Windows on these new macs... ...
I wish I were old enough to put "Computer" on my resume.
Sorry had to ask...
So I guess AIX, HP-UX and Solaris don't have large corporations backing them.
Always best to be careful what you say about who does back those three, they all seem to have blood thirsty ninja vampire lawyers to hand...
The best is the enemy of the good
It's not directly related, but this reminded me of a story I heard about the "Black Mac", a tempest shielded Macintosh SE 30 1891 T that some guy found at a second hand shop. Nobody is sure where it came from, or why it was built, but it seems to have been made by Apple (as opposed to being some weird aftermarket mod). Presumably it was built for the military, or some intelligence agency...
Some bring out the best in others, some the worst. Some bring out far more.
Buying Macs is going to stop or slow down hack attempts of the US military? I doesn't matter what OS they use, someone is always going to try and hack the military. That may work for normal users sence Macs are such a small target market wise,but i dont see it changing anything for the military.
Jack of all trades,master of none
Actually on a properly designed system not even the Administrator's should be able to install applications alone. And no one should be able to open every file.
Files should be locked, So while the Admin's can see them, move/copy them, they can't actually open the file itself. security should extend to more than just the file system, but to the files themselves. Of course being open to all should also be a manual changed possibility.
I wonder how long it will take for someone who makes more money than I will ever see to figure that out.
i thought once I was found, but it was only a dream.
Having spent time in Iraq (as a Marine) dealing with systems marked with all kinds of stickers telling you what they were for, I can tell you that even on "Secret" computers, tech security is a joke militarily. Why?, because information on the battlespace is key, and when your in the middle of nowhere with a bunch of POGs (People Other than Grunts) in some air conditioned tent controlling your username/password access to a SIPR machine, and you need access to SIPR, it causes all kinds of trouble. In Iraq/Afghanistan the systems are run by the undertrained overworked IT POG, and CONUS things are run by NMCI which takes its time and doesn't give a shit about your issues. Basically, the military is all about a balance between usability and security, and MACs, except for the IT guys, are going to be as useful as a brick to the people that actually use and need the system, aka Sgt. Grunt.(remember that especially during times of war, if your not a ground pounder, then your are there to support the groundpounder) /end infantry soapbox
"It's ok, I'm completely secure as long as my iron is off"
I met airforce officers at a computer show in maine years ago, who were active developers of OpenBSD for the AF. Also, from what i remember, the navy started using PowerMac's years ago for the same reasons.
Are you thinking of the onboard sonar processing software used in submarines? Mac hardware was chosen because it was PowerPC based and PowerPC had a big computation advantage over Intel for this particular application. The PowerMacs were running Yellow Dog Linux not Max OS X, they were replacing Suns. Mac OS X vs Windows security issues were not relevant.
Seems to me that because the Mac is largely secure through obscurity (as this was already tagged), the military is just increasing the incentive to crack the Mac for the Bad Guys. Three years from now (or who am I kidding, three DAYS from now) when then exploits begin to be released into the wild, I think their reasoning will be found to be faulty. While there still won't be as many Macs out there, there will be a select few with wildly valuable data, and therefore it will become more lucrative to crack them.
It is pitch black. You are likely to be eaten by a grue.
but i thought they don't allow gays in the military?!?
They expect the computer to be running MS Office on an Intel CPU. They are not allowed to ask, and you are not supposed to volunteer, whether you are doing so under Windows or Mac OS X. It is a don't ask, don't tell policy, and it upsets a lot of people in the Bay area.
About five years ago I was doing a training session/presentation for IT staff at an Army base where I was told that the Army would never use anything other than Windows. I made the mistake of referring to Linux, Mac OSX and open source software during the presentation which caused some folks in the room to get upset with me. I remember a comment about hell freezing over first. I guess hell is a bit colder today.
*(even their 'patent protection' program allows them to say 'stop using that software/feature',, with impunity.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
The opposite of a self-fulfilling prophecy. The army is now using Macs? Time to start cracking Macs...
This doesn't seem like the answer.
because there's a lot of Linux, and aside from the default apps/versions, they share a very similar core. I think any two of the three main BSDs are a bit more variant than any two distros of Linux from a similar time frame.
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
Mac OS based servers, like MS-DOS based servers, were pretty damn secure because they had little to no remote access. Mac OS X is a completely different story. Other than name it has nearly nothing in common with Mac OS, it is a descendent of NextStep, a known Unix-based platform.
I disagree. There are always cases that the software needs to be updated or new versions installed, and thus an administrator should be able to install new software. Arguably the constraints for such should be high (i.e. only with passes/keys etc. available at only certain locations, to prevent it from being done on a live system). There may be "maintainer" types of administrators that keep the system up and working, occasionally performing necessary tasks the users cant, and these need not be given the right to install applications.
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
My blog
GO ARMY!
(If they were reported for buying more windoze boxes, I'd say, in Navy football fashion, "BEAT ARMY!")
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
They hand over an IQ test, and if they can sign their name without a giant "X" they give 'em a Mac.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
$10 says the army unwittingly installs Windows on these new macs...
I bet it is entirely intentional, but most likely in a dual boot or parallels scenario.
Its happened before. Linux advocates have successfully gotten university departments to replace Sun and SGI boxes with PCs running Linux, for general purpose use, and of course these boxes ended up dual booting to Windows or Linux.
It's hardly surprising that the military is buying Macs. Security through obscurity has ALWAYS been their security model. That's why they are getting hacked by China all the time.
But hey, when you let kids under 20 with no experience make decisions like this, don't be surprised when they start making poor decisions. You can't blame them, they have been hearing anti-MS FUD for most of their lives, and don't have any real IT experience under their belt (yet) to know how many lies the FOSSies and Leoptards have been telling.
But on the more serious note:
Why not Linux?
A: http://www.openbsd.org/
Which at one time was a DARPA funded project.
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
I still think a good chunk of the military should use an entirely new OS, kernal and even framework, releasing to the public only after they move on from that.
Ginga no Rekshiya Mata Each page.
You can get the source for the bits of OS X that you'd break into if in fact ports weren't all locked down by default, in Darwin.
You can get the source for the only remaining logical entry point into the system by an attacker - a user using Safari - through WebKit.
You can get the source for the webserver that a Mac would stand up, Apache, from anywhere.
So where's the obscurity again? Nothing is obscure about the components you'd actually attack were you attempting to do so. If you want to write a window manager the system looks pretty closed, otherwise not so much.
Seems to me Macs simply have a very good security model in place, with quick response in patching and a patching system that doesn't really seem to break things. That an it adds more diversity to your computer ecosystem which is always a good thing.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Since when is SELinux a distro?
"Earth provides enough to satisfy every man's need, but not every man's greed." -- Mahatma Gandhi
1) Out of the box, you don't have services running you can exploit.
2) On install, OS X makes you chose a username so you have to log in to use the system.
3) OS X by default is suspicious of all content coming in from the web.
OS X already starts out with a high level of security, and doesn't do anything that would lead a user to weaken that without need (say opening a port for printer sharing).
"There is more worth loving than we have strength to love." - Brian Jay Stanley
One of the biggest security problems is when security reduces usability to the point where users bypass the security for convenience, or simply because it is easier. I've even seen situations where no one had rights to install any software because of security policies, and the admins were then ordered to look the other way for security violations in general because a company still needed to get work done and make money. Good security does not reduce usability. If users don't have the ability to run the software they want to, you've greatly reduced usability and should not be surprised when users start rebooting from a flash drive or working on their home PCs with basically no security.
revelation, or an apple-ation?
http://dict.die.net/appellation/
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
Obligatory Military Security Joke
"Hello, I'm a Mac."
"And I'm an MP!"
Those who believe the Internet is private,
find their privates are on the Internet.
When I read the headline, I interpreted "Macs" as being "Big Macs" (from McD's) and was like "oh, hmm 'beef up' security, I get it...." It took me a couple of seconds to realize what it actually meant.
I like basketball!!1!
I would guess that the Army probably doesn't need mid-range for most of their tasks. I don't see the average Mac in the Army being used to edit video or sound. I would also guess that the Army would remove applications like internet browsers from machines that don't need them. For high end serving applications, they are probably going to use the XServe which the article mentions.
I agree that Linux is probably a good fit for the military but I think the CAC issues affects Linux too.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Probably because they already use Linux. It's hard to start using something you already use.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
The corporate agreements to set up a business (or in this case, base or warship, etc) with all MS products is much more extensive and useful than what you get when you go out and buy vista.
There is more to science than physics!
www.iomalfunction.blogspot.com
The only reason why Macs are safer is because no one is bothering to write viruses and the link for the OS X platform. Macs are ignored, not safer.
I can just imagine some major going "... but will it do PowerPoint?"
Not to mention that the Linux workstations have to be spread across i686, AMD64, SPARC64, MIPS and ARM. While we're at it, let's also split up between 2.2, 2.4 and 2.6 boxen. That would give us a cool 90 combinations. One of them is bound to survive most given attacks!
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
While openBSD may be more secure, remember the Army is about procedures. Leopard has been certified as Unix like AIX and Solaris. Leopard has gone through the time and expense to be certified, and it has a better UI whereas openBSD has not.
Well, there's spam egg sausage and spam, that's not got much spam in it.
I can't wait to see the next ad with PC and Mac...
The army has battalions of guys that do nothing else. In my quite narrow experience with the military, they generally buy the top of the line of whatever's available, even if it means the guy running the point-of-sale in the mess gets an Intellistation or a Mac Pro.
Don't blame me, I voted for Baltar.
Don't ask, don't Intel?
Move all sig!
The soldiers were wasting too much time playing video games on the PCs...
Now it won't be a problem.
Leaving aside the recent news that OS X Leopard potentially has more exploits and security holes than Vista, why would they switch to Macs for security? Am I the only one who wants to scream linux? It's more secure and the best part, it's free! Maybe they can cut down on the billions of dollars deficits that they keep running up.
Fear the penguin.
In response to the tag "whynotopenbsd," I, for one, would love to see *BSD or Linux make some big inroads to the US government like this. Yes, us slashgeeks know that Open Office, GIMP, etc., can replace big name software.
But in the end, it's a lot easier sell to a different operating system that runs the big name software already. First, let's reduce the reliance on M$ software, then work towards getting F/OSS into big time use. OS X is a nice middleman in between the Evil Empire and software freedom.
:q!
"Lips like sugar (sugar, sugar)
Sugar Kisses..."
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
Ah, the new US Army motto:
"Security through obscurity."
Seriously... Macs have fewer attacks and viruses than PCs because they only have a 5-10% userbase. Most malevolent virus writers are aiming for damage, or botnets, so of course they're written for the dominant platform. Lets wait until Macs become the dominant hardware, and then we can all complain about how all the viruses are for them and PCs are pretty secure.
If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moments pause.
1) No Bonjour services listen on open ports by default, even if the Bonjour handler itself may be running somewhere on the system.
2) Bonjour is ZeroConf is Open Source. And included in Darwin...
You don't have to assume anything, you can see it right there on a stock install.
Aqua really is a lot more of a window manager, it's not there to handle things like Bonjour.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
if the news had said, 'Army moves to UN*X based Computing on Intel hardware, for security', it would never have even made it into /. but as soon as you say Mac, the fight is on. It's now a certified UN*X platform, you can run Windoze on it if you really need to.
There was an unknown error in the submission.
They DO run linux. All over the place. It just doesn't make headlines.
... Mac OS is about to get a whole lot less secure.
Macs have fewer attacks and viruses than PCs because they only have a 5-10% userbase.
Macs never had a huge market share, but they used to have a flourishing viral ecosystem. Even oddballs like the Amiga had their share of viruses. If it was just market share you'd still have hundreds of OS X viruses to Windows thousands.
The surface area exposed to attacks is increased by market share, but Windows has a huge surface area independent of its market share, caused by their desktop/browser integration and their complex binary formats and configuration files.
Apple was already systematically eliminating their virus problem even before OS X, removing rather than trying to protect avenues for automatic code execution. Microsoft declared that sandboxes were too slow, that automatic native code execution "protected" by certificates and security zones, was the only way to go. What we see now is the result of that.
Considering what has been going on in the realm of hacking, I expect this will cause many Chinese hackers that are supported by their government to shift their focus to hacking and exploiting vulnerabilities in MacOS X.
Of course there are. Just because they are less well known /unpublished does not mean they don't exist. Undocumented holes exist in practically everything, possibly even OpenBSD kernels. Why do you think those exploits cost hundreds of thousands of $$?
I didn't say holes. I said services. As in network services.
If a port is not open for listening, it doesn't matter what vulnerabilities that service has - you can't exploit it if it's not listening. Not from the outside. Something running ON THE BOX ITSELF may be able to do so, but that's why I mention Safari as the next possible vector of attack, and you have to get through that first.
Again, network port not open? External attack not possible through said port. End of story.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Today the military, in an effort to bolster it's defensive capabilities, has begun to upgrade to BB Guns. As quoted from the general "Although rubber-bands shot from the thumb has served us well in the past, we must employ newer more powerful technologies to keep up with an ever-changing and resourceful enemy".
The new BB Guns will shoot much farther than the rubber-bands did, and they sting a lot more, deterring enemy intrusion.
There were talks of using "guns"--a powerful device popular among those we are trying to combat. These guns are aparently more powerful than ruber-bands or bb-guns, but they require maintenance--regular cleanings and we would have to train soldiers to properly maintain them, a feat the military considers too difficult--apparently these complicated devices can only be understood by our enemies.
We are also considering an upgrade offered by our current vendor called "Sling Shots". These are said to be better than the BB Guns offered by their competitor, but a design flaw causes a soldier to be vulnerable during a critical period--when you go to release your payload, the sling-shot asks "You look like you are trying to defend your country, would you like some help with this?"
in a couple of years to see who's right. a) macs are more secure because they run on unix OR b) security through obscurity. My personal opinion? I'll wait to until I know the answer, then I can be a fanboy who actually knows something.
Being certified a Unix doesn't mean but one thing, your organization was willing to throw a pile of money at another organization, nothing more and nothing less.
The user interface of any Unix is whatever the user wants, KDE, GNOME, WM, CDE, they don't matter and are immaterial. The Aqua interface is no more special or better than KDE. OpenBSD has security, Mac OS X doesn't. Mac OS X has Aqua, OpenBSD does not. That what it is, the illusion of security which Mac OS X currently hold will be blown even more wide in the near future as this Mac OS X intake continues, security through obscurity is no security, and that's what Mac OS X has - many of it's bugs to date come from completely out of date FreeBSD code that the lazy-ass Mac OS X developers should have never let get so dated.
I think Wendy's triple burgers, and BK Whoppers have more beef than Big Macs.
Well, isn't that part of the idea? If you can divide your opponent's attention in half with only a small amount of your own resources, that seems like it would be a worthwhile tactic.
Apple's enterprise support is awful.
If you want to support a network with 100k seats then you don't go to Apple, you go to IBM Global. Even when they sub it out to a cut-rate body shop like EDS, it's still better than Apple.
Apple has some great products. I love the XSAN. I would NEVER deploy the XSAN for any customer. I would rather homebrew a SAN solution, because even if it meant I would lose sleep for the next year, at least the solution would get SOME support.
...was to control sunbathing farters. Don't bask. don't smell.
...Lorenzo / I'm into kinky crustaceans. I just discovered internet praWn.
Except that Solaris is popular in the army.
Really the Army uses about every major OS. It's all a matter of the machines purpose. Certain machines are designed for people to do basic administrative work, those will be windows. Some machines are mission critical, those won't be windows. Most mission critical machines are designed to do only one thing and if thats the case you don't need an OS with a GUI all you need is an App with a GUI.
Dude. If they really want to beef up security, what they need to do is switch to OpenBSD and hire a gazillion programmers to audit the darn thing all day long. Only two remote holes in the default install in over ten years! Now all they need to do is invent condoms that work as well. Heh heh.
Go to the way back machine, or hit netcraft and you will see that the US Army has been using OSX server since it became a viable product. Several years now, back to at least 2000.
"My immediate reaction is "WTF? What kind of moron doesn't make things 64-bit safe to begin with?" Linus
Of course, even restricted to these choices, Solaris might have been a better choice. OSX is the sort of vendor lock in I would hope my taxpayer dollars wouldn't go toward supporting. Windows is bad enough, but with OSX you get lock-in of hardware and software. Recalling how skiddish the US government got about Thinkpads and the like when Lenovo bought those bits, I wonder what the contingency plan would be if Apple sold off their computing bits to an offshore company. Even in and of the software platform itself, despite the Darwin base, OSX software tends to require the proprietary Quartz/Cocoa underpinnings, so supporting third party software with new hardware without Apple's blessing would be challenging. Windows is a little better in terms of hardware support, but the software portion is bad enough, though at least there is an excuse of the market situation as to why they haven't thrown it out completely.
Meanwhile, Solaris has an equally reputable backer, doesn't implement many proprietary APIs that common applications would make use of (AIX goes this far as well), has an unlocked x86 implementation (no hardware vendor ties, unlike any other officially certified UNIX), and is also under an open source license. In terms of an official UNIX with options for contingency plans, it doesn't get better than that.
*BSD, Linux, et. al. may or may not be even better choices, but this was sticking strictly to the assumed criteria of being able to officially declare it a Unix system.
BTW: The Aqua interface is no more special or better than KDE. Which may well be true, but wanted to emphasize the converse is not true. KDE/Gnome/Motif/Xaw/raw Xlib all have full stacks in terms of implementation available as truly open-source. If serious about security, the potential to audit your running stack as resources permit would be great. Also, goes back to the futureproofing mentioned earlier, if ultimately the organization can fork a private copy and do whatever the hell they want, they can avoid vendor lock in.
XML is like violence. If it doesn't solve the problem, use more.
True, but that doesn't mean it does not affect purchasing by the military. I've worked on getting software certified in various ways for government use. It is absurd and illogical. The conversation went like this;
Them: "Sure we'll buy your device so long as it is built on this really outdated version of Linux or on Windows XP SP1, since those are the only ones certified for security."
Me: "Umm, both of those have more security problems than the recent version of Linux we're using."
Them: "Yeah but those are certified, and we can't buy unless it is certified."
Me: "How did WinXP SP1 get certified? It is missing half the criteria in your request for purchase."
Them: "Oh, it isn't certified for this project, just certified."
Me: "What is it certified to do."
Them: "It's just certified to meet the criteria for whatever they certified it for, but since it was certified for something we can use it."
Me: "So you can just certify something saying it will boot most of the time and then you can buy it even if it won't do what you need, but you can't use something that does what you need, unless we pay thousands of dollars and spend months getting it 'certified' for something, and then we can't update it ever again without doing it all over again?"
Them: "Yes, that's it exactly. It's stupid, but those are the rules."
Me: "Okay who do we pay to get it certified?"
Simple fact of the matter is that Apple is a more expensive brand that enjoys wider margins and they love it that way. They could probably drop prices to increase volume, but I'm sure their interpretation of the marketing data in front of them is that staying a boutique brand is the appropriate strategy as a business (i.e., brand acceptance won't go up enough to offset the profit margin drop).
XML is like violence. If it doesn't solve the problem, use more.
i\hbar\dot{\psi}=\hat{H}\psi
While I won't disagree that Macs have fewer reported vulnerabilities than Windows this whole thing stinks of a cargo cult mentality. No magic OS is going to get rid of all of your security problems. We should also consider the fundamentals of security, not just a magic bullet.
It took me studying mathematics through MSc to see how horribly blinkered the hard science academic types can be. I have since moved to studying the history of mathematics at research level. Maths itself just requires a skilled pattern matching ability in the brain and a limited imagination, whereas having to combine that with understanding personalities and motivations, individuals and cultures, is not only a greater challenge, but prepares me to make a far more valuable contribution to humanity.
And while, a short while ago, I was preparing to enter the realtime software industry via contacts at Raytheon, today I'd sooner jump off a bridge than strike such a heavy blow to my moral integrity.
And, to bring this on topic, I also recently got a Mac. Its design reflects a thought process that goes beyond the technical detail and concentrates on the whole experience.
Building your own often works out more difficult - you have to divert resources into building and maintaining your hardware rather than solving the core business problem. If you have a cap on the number of staff that you can have (like many government depts) this will hurt you - buying off-the-shelf systems from Dell/HP/IBM/Sun/Apple wont.
Well, isn't that part of the idea? If you can divide your opponent's attention in half with only a small amount of your own resources, that seems like it would be a worthwhile tactic.
Exactly. Its kind of like building a fortified bunker in a strategic position. Either the enemy will have to put more resources to attack it directly which will delay and hold them up or they will have to go around and attack other areas no so strong.
Of course this leaves them open for attack from behind if they bypass it.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
I mean the average person won't know were to look in the system, or won't care about the number of MRE's being sent to Zimbabwai. For the most part isn't the real threat that information will get to the people that will know how to interpret it and care? In that case won't the foreign governments/terrorists just learn how to exploit Mac's rather than Windows? This seems a lot like security by obscurity, except, well Macs aren't that obscure.
What a waste of money.
Why don't they install linux instead?
Assuming that the Army didn't just dump their entire current system, it means that they just had to double their own efforts (they now have to secure OSes/networks instead of one), and the enemy only has to hack into one of them to get in. Doesn't sound worthwhile to me.
Please elaborate on Apple screwing its users. I have been using Apple since the 80s. I would be a long time users if Apple was screwing us.
Installing new applications shouldn't mean that the administrator should have unconditional access to the data.
Applications are one thing, and overall useless. the Data is what is worth money. Photoshop is worthless. The artwork that is produced because of Photoshop is worth $700 a licensed copy.
autoCad is worthless, the building blueprints produced by it is worth millions. The Social Security Database is worth far more than the database server.
Admins should be able to have access to applications without data mattering.
i thought once I was found, but it was only a dream.
Answer: Yes.
End of Line.
Swiss tanks are the best in the world because nobody ever invaded Switzerland.
I am government man, come from the government. The government has sent me. -- G.I.R.
"There is no comparison security-wise, openBSD wins hands down." And this is based on what metrics? I agree with the article on one point and that is diversity is essential to survivability. This does not mean that it is good for improving security against penetration unless one uses shell within shell within shell,,, firewalling.
Be as you would have the world become.
The NSA wrote security patches, but are not accountable for terrible architectural decisions that represent base security problems. Minix (Or linus's implementation, linux) was far better as an example OS- it does not belong in businesses and definitely does not belong in the military.
The NSA did not write Unix, it was tossed together by a group of AT&T engineers- and they certainly did not kludge linux together.
A ramshackle hut is not superior to a brick house, even if they had professionals around to hand-patch the holes- it's still a mound of mud and sticks.
NMCI is the devil, as evidenced by their phone number. 1-866-THE-NMCI. That spells THE-6624. Simple math reveals the beasts number THE-666 or "The Devil", if you prefer. I've had way too much time to think about this while waiting for their tech support on the phone. And let me tell you, they can't even get Windows right. (Some have a twinkle of life you cant detect in their voice, but not many) And not that I'm saying any OS is easier or harder to administrate on a grand scale, but better to perfect one before moving on to another... Personally I prefer my Mac laptop, and Linux home server, but I'd take even a good working Windows desktop if I could get my hands on it...
On another note, their definition of Legacy applications still escapes the laws of reality. It is actively developed by and used by the Marine Corps; but it's "Legacy"... Hmmmm....
But, it is still worth pointing out a few things. In TFA i read, which might be different the army guys referred to the macs running on unix. It's disconcerting to me because you know, there was a big problem with the word unix itself, which is why FreeBSD was named FreeBSD.
Aside from that, i truly think it's bad for those who are dabbling with nix systems. Because they think linux is more secure because it's not windows, and its less used which "means hackers target it less." Thats stupid! Also, those who use BSD systems might think that (i doubt it).
Security through obscurity is the opposite of what we're (*nix's) all about. I was really happy that apple is using BSD as their base because of so many lame mac fans i personally know. They aren't lame because they're mac fans, they're lame because they think apple products are safer than windows or bsds/linux's because it's apple. They are the dummies who will fall victim to "well hardly anyone uses it so hackers can't hurt it." They also believe that there are no viruses for that platform as well.
Anyways^&!*@^#*&!^# Merry xmas, happy new year and Go BSD!
My abilities are only limited by my imagination