Slashdot Mirror
Army Buys Macs to Beef Up Security
agent_blue writes "The Army is integrating Macs into their IT network to thwart hack attempts. The Mac platform, they argue, is more secure because there are fewer attacks against OS X than Windows-based systems. 'Military procurement has long been driven by cost and availability of additional software--two measures where Macintosh computers have typically come up short against Windows-based PCs. Then there have been subtle but important barriers: For instance, Macintosh computers have long been incompatible with a security keycard-reading system known as Common Access Cards system, or CAC, which is heavily used by the military. The Army's Apple program, created [in 2005], is working to change that.'"
How many times do I have to keep telling people that security is more about the skill of the IT staff than it is about the operating system it runs on?
Yes, Windows has vulnerabilities. Windows sucks as far as security goes. That goes for Vista, too. But waving around an OS like it was some magic bullet that's going to somehow fix your security problems is, well, insanity.
My blog
Maybe because no one would bribe anyone to buy linux, the profit margin is thin.
Patents Drive Free Software as Hurricanes Drive Construction Industry
If you read the article instead of the headline, you'll see that the Army is making the attack target more diversified, so that a single attack will not bring down all computers. What's wrong with that tactic?
Yes, and no.
I think they should use tools available cross-architecture for their software, and then have a multi-arch setup. For example:
30% Free/Net/Open BSD
30% Linux
25% Mac
15% Windows
This would alleviate the issues of an entire-network compromise from potentially overlooked vulnerabilities in any one system. Because you can get fairly simple general interaction for the operating systems listed (given modern desktop environments offered on Linux/BSD, Mac would be the most "different" and not terribly so even then), and applications That had cross-platform natures would be all that's used, there would be little difficulty for the end users to go between systems.
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
Apple may have unix roots, but openBSD it is not. There is no comparison security-wise, openBSD wins hands down. If you need user-friendliness and usability, then that significantly changes the equation. My guess is they are looking for improved security with the happy clickiness that Macs provide.
Not any more.
If the army is using it for that reason then you know the Chinese, Russians, and any other tech savvy nation will now point their hackers at Macs.
-- I ignore anonymous replies to my comments and postings.
The simple thing that's wrong with that tactic is that instead of having to provide security for one OS, they now have to provide security for both.
When protecting data, think "serial" and not "parallel". You won't get extra security by diversifying your OSs because hackers don't need to hack ALL of them, but just ONE of them, to compromise data. This is not a case of "redundant systems", but rather a case of "the weakest link". The more OSs are supported the more chances that AN OS will get hacked (as opposed to ALL OSs), but when it comes to protecting data, hacking that ONE OS is all it takes. Hackers are certainly more agile than the government, and the government should try to minimize its profile, together with hacking avenues, rather than build redundant systems where redundancy is not the solution for the problem at hand.
In other cases when the issue IS parallel, such as protecting a mission-critical system (think Space Shuttle), then yes, multiple OS's increase the chance that any one will survive. But this doesn't apply to data security. They should stick to one OS as well as one of everything else, preferably as secure as possible (NetBSD, some Linux distros, etc). But even JUST Windows is more secure than Windows and OTHER stuff together, because you keep all the risks of Windows while adding the extra (even if relatively smaller) risk of the other system on top of the original risk.
Macs are nothing in the eyes of malicious hosers out there.
/home/moron just as easily as /var/www/html. Linux is secure - sure, until you install a CMS on it and never update said CMS software. Once that happens, you might as well be using Windows.
/home/moron.
The majority of compromisation attempts happen now in order to set up botnets. There are two huge targets for this. First, Windows. Your average home cable modem has a decent chunk of bandwidth and - let's face it, it's Windows. By default, it's completely insecure. There's not much work at all involved in getting into Joe User's Windows box.
Second is - surprise surprise, Linux. Why Linux? Because Linux is insecure by default as well. Oh, I know, I'm invoking the wrath of the Open Sores Horde here, but it is. "UNIX PERMISSIONS LOL" - my ass, a credit card phishing site can sit in
Botnets are just as easy to run from
And frankly, Linux is as easy to compromise as Windows - once you get on. Install crappy CMS software and never update? You're asking to be hosed. Using passwords instead of SSH keys for user login? You're asking to be hosed.
And compromisation of Linux systems happens far more often than the frothing Linux zealots would have you believe. By default - sure, Linux is 'more secure'. Nobody using Linux leaves the system in a default state. That's the problem.
Now, where's Mac in all this?
Nowhere. Mac isn't popular enough to warrant the attention of script-kiddy like prepackaged exploit tools. Nine times out of ten, if you hit up a residential IP, you'll find Windows boxes at the other end. Why bother wasting time with Mac-related crap?
Conversely, you're more likely to hit Linux and Windows if you hit up boxes sitting in a datacenter.
For the two high-priority targets of malicious idiots - Mac is nowhere to be found. That's the reason your Mac is safe. Sure, you can go on about e-mail worms and other exploits of twelve year olds, but we're talking systems being hacked, not ill-trained users who click on WICKEDSCREENSAVER.zip.exe.
so whats wrong with supporting more than one OS? Would you prefer one point of failure? A good sys admin can support multiple platforms. The only people I ever hear complain about this are Windows people who can't support anything else. Linux admins can ALWAYS support Windows and Mac platforms so why is it so hard for the vast majority of Windows admins to support the other platforms? Hmmm...? Do you just prefer having a single point of failure?
This is my sig. There are many like it but this one is mine.
Because Linux is for European communist queers who pirate music. Macs are all-american and manly (sort of).
Seriously though, its probably to do with letting Apple join in at the endless corporate trough that is the US military, in order to expand their domestic support. Geeks will be more likely to be in favour of an idiotic war if it generates tech jobs.
Also, the international, share-everything ethos associated with Linux is unlikely to be popular with the people who came up with ITAR.
If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
So I guess AIX, HP-UX and Solaris don't have large corporations backing them.
Always best to be careful what you say about who does back those three, they all seem to have blood thirsty ninja vampire lawyers to hand...
The best is the enemy of the good
Actually on a properly designed system not even the Administrator's should be able to install applications alone. And no one should be able to open every file.
Files should be locked, So while the Admin's can see them, move/copy them, they can't actually open the file itself. security should extend to more than just the file system, but to the files themselves. Of course being open to all should also be a manual changed possibility.
I wonder how long it will take for someone who makes more money than I will ever see to figure that out.
i thought once I was found, but it was only a dream.
It's hardly surprising that the military is buying Macs. Security through obscurity has ALWAYS been their security model. That's why they are getting hacked by China all the time.
But hey, when you let kids under 20 with no experience make decisions like this, don't be surprised when they start making poor decisions. You can't blame them, they have been hearing anti-MS FUD for most of their lives, and don't have any real IT experience under their belt (yet) to know how many lies the FOSSies and Leoptards have been telling.
One of the biggest security problems is when security reduces usability to the point where users bypass the security for convenience, or simply because it is easier. I've even seen situations where no one had rights to install any software because of security policies, and the admins were then ordered to look the other way for security violations in general because a company still needed to get work done and make money. Good security does not reduce usability. If users don't have the ability to run the software they want to, you've greatly reduced usability and should not be surprised when users start rebooting from a flash drive or working on their home PCs with basically no security.
Probably because they already use Linux. It's hard to start using something you already use.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
While openBSD may be more secure, remember the Army is about procedures. Leopard has been certified as Unix like AIX and Solaris. Leopard has gone through the time and expense to be certified, and it has a better UI whereas openBSD has not.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Well, isn't that part of the idea? If you can divide your opponent's attention in half with only a small amount of your own resources, that seems like it would be a worthwhile tactic.
Of course, even restricted to these choices, Solaris might have been a better choice. OSX is the sort of vendor lock in I would hope my taxpayer dollars wouldn't go toward supporting. Windows is bad enough, but with OSX you get lock-in of hardware and software. Recalling how skiddish the US government got about Thinkpads and the like when Lenovo bought those bits, I wonder what the contingency plan would be if Apple sold off their computing bits to an offshore company. Even in and of the software platform itself, despite the Darwin base, OSX software tends to require the proprietary Quartz/Cocoa underpinnings, so supporting third party software with new hardware without Apple's blessing would be challenging. Windows is a little better in terms of hardware support, but the software portion is bad enough, though at least there is an excuse of the market situation as to why they haven't thrown it out completely.
Meanwhile, Solaris has an equally reputable backer, doesn't implement many proprietary APIs that common applications would make use of (AIX goes this far as well), has an unlocked x86 implementation (no hardware vendor ties, unlike any other officially certified UNIX), and is also under an open source license. In terms of an official UNIX with options for contingency plans, it doesn't get better than that.
*BSD, Linux, et. al. may or may not be even better choices, but this was sticking strictly to the assumed criteria of being able to officially declare it a Unix system.
BTW: The Aqua interface is no more special or better than KDE. Which may well be true, but wanted to emphasize the converse is not true. KDE/Gnome/Motif/Xaw/raw Xlib all have full stacks in terms of implementation available as truly open-source. If serious about security, the potential to audit your running stack as resources permit would be great. Also, goes back to the futureproofing mentioned earlier, if ultimately the organization can fork a private copy and do whatever the hell they want, they can avoid vendor lock in.
XML is like violence. If it doesn't solve the problem, use more.