Slashdot Mirror
Army Buys Macs to Beef Up Security
agent_blue writes "The Army is integrating Macs into their IT network to thwart hack attempts. The Mac platform, they argue, is more secure because there are fewer attacks against OS X than Windows-based systems. 'Military procurement has long been driven by cost and availability of additional software--two measures where Macintosh computers have typically come up short against Windows-based PCs. Then there have been subtle but important barriers: For instance, Macintosh computers have long been incompatible with a security keycard-reading system known as Common Access Cards system, or CAC, which is heavily used by the military. The Army's Apple program, created [in 2005], is working to change that.'"
i thought they don't allow gays in the military?!?
http://www.serverwatch.com/news/article.php/201361
:)
i always liked the idea...
from the article: "Until the Army's Web site was hacked in late June by a 19-year old Wisconsin man, the site had been using a Microsoft Windows NT-based Web server..."
How many times do I have to keep telling people that security is more about the skill of the IT staff than it is about the operating system it runs on?
Yes, Windows has vulnerabilities. Windows sucks as far as security goes. That goes for Vista, too. But waving around an OS like it was some magic bullet that's going to somehow fix your security problems is, well, insanity.
My blog
One small step for Mac one giant leap for Mac kind.
--- If the bible proves the existence of God, then Superman comics prove the existence of Superman.
http://www.google.com/search?client=safari&rls=en&q=cac+on+mac&ie=UTF-8&oe=UTF-8
Support is built into Safari, and it is possible to set it up to log into a Windows domain, I believe.
_sig_ is away
All computers used in the military facilities in the Transformers movie by the teams trying to break the Decepticon's code where Apples. It should also be pointed out that the computer that defeated the martins in Independence Day where macs.
Life imitating "art"?
Ask not what you can do for your country. Ask what your country did to you
How will they know if the user prefers a Mac or PC with their "Don't ask, don't tell" policy?
Trolling is a art,
With a runaway defense budget like ours, I'd say the mac is a perfect fit!
One of these days, I'm going to cut you into little pieces.
Maybe because no one would bribe anyone to buy linux, the profit margin is thin.
Patents Drive Free Software as Hurricanes Drive Construction Industry
If you read the article instead of the headline, you'll see that the Army is making the attack target more diversified, so that a single attack will not bring down all computers. What's wrong with that tactic?
The clear majority of the really high end computer security people I know are driving Macs. On the military side Army and Marines seem to be tinkering more with Linux. The Marines less so because of NMCI, but there was a demo of battlefield information system that was Linux based. Navy and Marines have pretty much locked themselves into Windows desktops managed by EDS on the administrative side. A move I believe will go down as one of the great defeats in Naval history, with casualties of 250 million American taxpayers.
Don't know about the Air Force but the few AF people I've met at conferences seemed pretty on the ball and struck me as Linux curious if not outright supporters.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
HThe Army's push to use Macs to help protect its computing corps got its start in August 2005, when General Steve Boutelle, the Army's chief information officer, gave a speech calling for more diversity in the Army's computer vendors. He argued the approach would both increase competition among military contractors and strengthen its IT defenses.
"Sir, I have the DOJ on line 2."
"Tell them to get Bill Gates in here."
"Yes sir."
(door opens an hour later)
"Bill Gates, you told us Windows Vista would be more secure!"
"It IS more secure, over five million...(BLAM)"
Mac: Hi I'm a Mac
PC: and I'm a PC
Military Intelligence: And I'm no longer an oxymoron
This is my sig. There are many like it but this one is mine.
Yes, and no.
I think they should use tools available cross-architecture for their software, and then have a multi-arch setup. For example:
30% Free/Net/Open BSD
30% Linux
25% Mac
15% Windows
This would alleviate the issues of an entire-network compromise from potentially overlooked vulnerabilities in any one system. Because you can get fairly simple general interaction for the operating systems listed (given modern desktop environments offered on Linux/BSD, Mac would be the most "different" and not terribly so even then), and applications That had cross-platform natures would be all that's used, there would be little difficulty for the end users to go between systems.
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
Apple may have unix roots, but openBSD it is not. There is no comparison security-wise, openBSD wins hands down. If you need user-friendliness and usability, then that significantly changes the equation. My guess is they are looking for improved security with the happy clickiness that Macs provide.
Not any more.
If the army is using it for that reason then you know the Chinese, Russians, and any other tech savvy nation will now point their hackers at Macs.
-- I ignore anonymous replies to my comments and postings.
The simple thing that's wrong with that tactic is that instead of having to provide security for one OS, they now have to provide security for both.
When protecting data, think "serial" and not "parallel". You won't get extra security by diversifying your OSs because hackers don't need to hack ALL of them, but just ONE of them, to compromise data. This is not a case of "redundant systems", but rather a case of "the weakest link". The more OSs are supported the more chances that AN OS will get hacked (as opposed to ALL OSs), but when it comes to protecting data, hacking that ONE OS is all it takes. Hackers are certainly more agile than the government, and the government should try to minimize its profile, together with hacking avenues, rather than build redundant systems where redundancy is not the solution for the problem at hand.
In other cases when the issue IS parallel, such as protecting a mission-critical system (think Space Shuttle), then yes, multiple OS's increase the chance that any one will survive. But this doesn't apply to data security. They should stick to one OS as well as one of everything else, preferably as secure as possible (NetBSD, some Linux distros, etc). But even JUST Windows is more secure than Windows and OTHER stuff together, because you keep all the risks of Windows while adding the extra (even if relatively smaller) risk of the other system on top of the original risk.
Brings a whole new meaning to BootCamp, doesn't it?
The NSA have an OS X hardening guide you may be interested in: http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/applemac/I731-006R-2007.pdf
so whats wrong with supporting more than one OS? Would you prefer one point of failure? A good sys admin can support multiple platforms. The only people I ever hear complain about this are Windows people who can't support anything else. Linux admins can ALWAYS support Windows and Mac platforms so why is it so hard for the vast majority of Windows admins to support the other platforms? Hmmm...? Do you just prefer having a single point of failure?
This is my sig. There are many like it but this one is mine.
Actually on a properly designed system not even the Administrator's should be able to install applications alone. And no one should be able to open every file.
Files should be locked, So while the Admin's can see them, move/copy them, they can't actually open the file itself. security should extend to more than just the file system, but to the files themselves. Of course being open to all should also be a manual changed possibility.
I wonder how long it will take for someone who makes more money than I will ever see to figure that out.
i thought once I was found, but it was only a dream.
About five years ago I was doing a training session/presentation for IT staff at an Army base where I was told that the Army would never use anything other than Windows. I made the mistake of referring to Linux, Mac OSX and open source software during the presentation which caused some folks in the room to get upset with me. I remember a comment about hell freezing over first. I guess hell is a bit colder today.
1) Out of the box, you don't have services running you can exploit.
2) On install, OS X makes you chose a username so you have to log in to use the system.
3) OS X by default is suspicious of all content coming in from the web.
OS X already starts out with a high level of security, and doesn't do anything that would lead a user to weaken that without need (say opening a port for printer sharing).
"There is more worth loving than we have strength to love." - Brian Jay Stanley
One of the biggest security problems is when security reduces usability to the point where users bypass the security for convenience, or simply because it is easier. I've even seen situations where no one had rights to install any software because of security policies, and the admins were then ordered to look the other way for security violations in general because a company still needed to get work done and make money. Good security does not reduce usability. If users don't have the ability to run the software they want to, you've greatly reduced usability and should not be surprised when users start rebooting from a flash drive or working on their home PCs with basically no security.
I just read Slashdot for the articles.
While openBSD may be more secure, remember the Army is about procedures. Leopard has been certified as Unix like AIX and Solaris. Leopard has gone through the time and expense to be certified, and it has a better UI whereas openBSD has not.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Don't ask, don't Intel?
Move all sig!
Of course, even restricted to these choices, Solaris might have been a better choice. OSX is the sort of vendor lock in I would hope my taxpayer dollars wouldn't go toward supporting. Windows is bad enough, but with OSX you get lock-in of hardware and software. Recalling how skiddish the US government got about Thinkpads and the like when Lenovo bought those bits, I wonder what the contingency plan would be if Apple sold off their computing bits to an offshore company. Even in and of the software platform itself, despite the Darwin base, OSX software tends to require the proprietary Quartz/Cocoa underpinnings, so supporting third party software with new hardware without Apple's blessing would be challenging. Windows is a little better in terms of hardware support, but the software portion is bad enough, though at least there is an excuse of the market situation as to why they haven't thrown it out completely.
Meanwhile, Solaris has an equally reputable backer, doesn't implement many proprietary APIs that common applications would make use of (AIX goes this far as well), has an unlocked x86 implementation (no hardware vendor ties, unlike any other officially certified UNIX), and is also under an open source license. In terms of an official UNIX with options for contingency plans, it doesn't get better than that.
*BSD, Linux, et. al. may or may not be even better choices, but this was sticking strictly to the assumed criteria of being able to officially declare it a Unix system.
BTW: The Aqua interface is no more special or better than KDE. Which may well be true, but wanted to emphasize the converse is not true. KDE/Gnome/Motif/Xaw/raw Xlib all have full stacks in terms of implementation available as truly open-source. If serious about security, the potential to audit your running stack as resources permit would be great. Also, goes back to the futureproofing mentioned earlier, if ultimately the organization can fork a private copy and do whatever the hell they want, they can avoid vendor lock in.
XML is like violence. If it doesn't solve the problem, use more.