Microsoft Releases Super-Secure XP to US Air Force
Wired is reporting that Microsoft is releasing the most secure version of Windows XP ever created, but only if you are the US Air Force. "The Air Force persuaded Microsoft CEO Steve Ballmer to provide it with a secure Windows configuration that saved the service about $100 million in contract costs and countless hours of maintenance. At a congressional hearing this week on cybersecurity, Alan Paller, research director of the Sans Institute, shared the story as a template for how the government could use its massive purchasing power to get companies to produce more secure products. And those could eventually be available to the rest of us. Security experts have been arguing for this "trickle-down" model for years. But rather than wield its buying power for the greater good, the government has long wimped out and taken whatever vendors served them. If the Air Force case is a good judge, however, things might be changing."
Microsoft would probably have no problem giving it to the public, but nobody would want to use it. Everyone whines about security, then they get it and they whine about having to click "allow" or "accept" on popup boxes. You can't have your cake and eat it too.
Le sigh.
The "only three programs able to run!!!!one!ZOMG!!!" thing is for "Starter Edition", which has been around for years. Have you ever even SEEN it? I don't think so. It's basically a legitimate alternative to Piracy in low-income countries, and even then it's pretty rare. I still have no clue why people assume it's for netbooks.
The BSOD joke stopped being funny when Windows 2000 was the OS to have (Unless you were subjected to ME. If so, I pity you). XP was solid. 2003 was solid. Vista is slow if you have bad video drivers, but other than that solid. 7 is, so far, solid.
So the Air Force paid MS to "lock down Windows", probably to the STIG... instead of doing what DODIIS does and creating an install disk to be installed and tested against, so if you do have to rebuild, it's there... I thought that MS came up with an affordable PL3 or PL4 system; we have been working with MS for a PL3 system, but it would cost almost a million more than a comparable Trusted Solaris or SELinux solution, and be hell to administer.
In all seriousness, I'd imagine usability is likely the reason this won't see a public release -- "really secure" and "really easy to use" aren't necessarily mutually exclusive, but you can bet they sacrificed the latter for the former in this case. I'd fully expect application compatibility to take a serious hit, and for many Windows features to be cut entirely.
This product is probably unusable for the average consumer. I'm sure there are some enterprise contexts in which it'd make perfect sense, though.
And of course, Microsoft doesn't want to dilute Windows Vista/7 sales with a new edition of XP (which they'd have to support for years) either.
The Air Force and the military in general would do well not to create a monoculture; especially not one based on an arguably insecure operating system that is nearing its end of life. Despite the existence of *nix alternatives that are of comparable ease of use and generally superior security and customization, the military continues to insist that using an old operating system full of flaws and actively exploited by the vast majority of malware is suitable for government use. There is something very wrong here.
Sigs are too short to say anything truly profound so read the above post instead.
"Having the most secure Windows ever" does not equate to having secure Windows.
Rich And Stupid is not so bad as Working For Rich And Stupid.
You're kidding aren't you? "85 percent of attacks were blocked after the configuration was installed". ...and the remaining 15% were not! The concept of a secure computer running Windows XP is a contradiction in terms. The military needs to do better than this, or China is gonna whup their ass.
Because it's probably not the most compatible Windows and might lack some features.
Slashdot anagrams to "Sad Sloth"
Let's see, Windows on hospital equipment recently got Conficker because Microsoft no longer provided security patches for Windows 2000 and NT. I'm now wondering how long the British Navy thinks these subs will last and how they'll deal with unpatched Microsoft operating systems running the show when Microsoft stops feeding them patches?
Hey USAF! If you can't see the source code and see the patches for later versions, you can't have any hope of securing the system in the long run. Your only hope for security dooms you to tearing it all out and replacing it. And you know that is not going to happen and doesn't happen. Good luck with that "Super-Secure XP".
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
Now let's rephrase that: 15% of the attacks were still successful after a complete lock-down configuration was applied and lots of manpower went into burning custom installation disks and procedures. Is it just me or does anyone else see a problem with this?
Next up: Why we don't lock our doors, because thieves might happen to carry lockpicks!
After all, locks are not 100% secure, therefore, that security is totally useless, right?
"It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
If you look closely at the article, this is something that the Air Force did between 2005-2007, so this is actually old news. 'The Air Force began the project in 2005 and finished installing the new configuration on systems in 2007. In contracts with hardware providers it demanded that vendors pre-load the special Windows XP configuration onto systems before delivering them to the Air Force.'
Wrong analogy. Try: "This bucket has 85% fewer holes than Bucket XP."
Literalism isn't a form of humor, it's you being irritating.
Exactly, locks (unless you pay a shitload for them) are not designed to keep people out. Any locksmith will tell you that the only thing a lock will do is make your neighbour's house an easier target.
Computer security is the same way. You *can* crack WPA(1/2) encryption, but if your neighbour has his connection open (or is using WEP), you are not likely to become a target.
The exception, which appears in this situation, is when you are chosen as a target due to a high payoff (military). In this case, simply being harder than your neighbour is NOT going to help you.
Personally... If I'm being forced to patch a rusty old bucket, I'd rather start with the one that has 85% less holes...
Exactly, locks (unless you pay a shitload for them) are not designed to keep people out. Any locksmith will tell you that the only thing a lock will do is make your neighbour's house an easier target.
Arguably, an alarm system is more important in keeping people out than the lock on the door. If they kick down the door and a message goes off that lets them know that you know they are there and that the police are coming shortly, they usually won't stick around that long.
Same thing applies to computer systems. It is more important to know that you have an intrusion as soon as possible than the actual prevention of the intrusion.
Not that you want to leave the door unlocked, but rather you need the ability to lock down and detect when someone is there when they shouldn't be.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
Holding out for absolute perfection, I see. Let me know when you find it. I'm stuck here on planet Earth where nothing is 100% anything.
I disagree. Security is a layered thing, both in implementation and subversion. If I'm running Windows NT with no service packs and no firewall, I'm easily hacked by 90% of people.
If I'm running Windows XP patched and firewalled, I'm easily hacked by 1% of the people. If I'm running OpenBSD fully patched with no open ports aside from SSH, I can be easily hacked by .01% of the people (likely a BSD or SSH developer who slipped in a back door).
Nothing is 100% secure -- HOW secure you are is the important thing. If this super XP lets in 15% of attacks, you need to ask who knows and who would bother to run those attacks, as well as what other layers of security beyond the desktop are available.
If you're running a desktop operating system "in the wild" with no patched firewall software of any kind to block basic traffic, then you should add that layer.
As a former sysadmin for an Army brigade, I can tell you that we would have failed an audit horribly as well, considering we simply installed Windows or Office or whatever on any machine whenever we needed to. In fact, probably the only machines that we could guarantee had licensed software, were the ones that came pre-installed with it from Dell.
Then, IIRC, round about mid '03 the Army made a deal with MS where they forked over ~$400 million for unlimited installations of a long list of MS software on Army computers for a number of years. This was no doubt partly to cover the widespread unlicensed copies.
Fascism should more properly be called corporatism because it is the merger of state and corporate power. -- Mussolini
The best known attack against WPA2 is a bruteforce attack. The basis of WPA2 in PSK mode is a 256 bit AES cipher. The key is based on both the password and the SSID (the SSID acts as a salt).
WPA2 with a good password is a perfect example of a truly secure protocol. If you started to crack my home wireless network you might finish around the time that the sun is running out of fuel and certainly long after humanity has either evolved to something entirely unrecognizable or is extinct.
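An added example, not part of the comment above: the WPA2-PSK key derivation it refers to, as specified in IEEE 802.11i (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output), with a rough estimate of exhaustive-search time. The sample SSIDs, the passphrase and the rate of one million guesses per second are constructed assumptions.

```python
import hashlib


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA2-PSK master key (IEEE 802.11i):
    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def exhaustive_search_years(alphabet_size: int, length: int,
                            guesses_per_second: float) -> float:
    """Years needed to try every passphrase of this shape at an assumed rate."""
    keyspace = alphabet_size ** length
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


def demo() -> dict:
    # Constructed sample inputs; none of these come from the thread.
    passphrase = "correct horse battery"
    key_home = wpa2_pmk(passphrase, "HomeNet")
    key_cafe = wpa2_pmk(passphrase, "CoffeeShop")
    rate = 1e6  # assumed guesses per second, for illustration only
    return {
        "pmk_bits": len(key_home) * 8,
        # Same passphrase, different SSID: the salt yields a different key,
        # so work done against one network name does not carry to another.
        "salt_changes_key": key_home != key_cafe,
        # 8 digits (e.g. a phone number fragment) versus
        # 20 characters drawn from 94 printable ASCII symbols.
        "weak_years": exhaustive_search_years(10, 8, rate),
        "strong_years": exhaustive_search_years(94, 20, rate),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The 4096 iterations slow each guess, but the outcome is dominated by the passphrase: the 8-digit case falls in seconds at the assumed rate, while the 20-character random case is out of reach.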
Nah, doesn't really work that way. With tens of thousands (or is it hundreds of thousands as I read someplace else?) of these exploits out there for Windows XP, being secure against 85% isn't saying much. Compare that to the number of exploits out there for OpenBSD (times) .01% (times) the number of possible attackers (which will give you a fraction of an exploit).
Yes, nothing is secure, but 85%/15% is not a good ratio when compared with the number of exploits times the number of already exploited machines out there that may be attacking said 85/15 machine.
StarTrekPhase2 - The Five Year Mission Continues!