Help! MS Teaches the Air Force about Security

by Preston Gralla

Every once in a while, you read a news story about the tech world that stops you cold.



Here's one that hit me this week: "Air Force turns to Microsoft for network security."



The CNet news story noted that Microsoft has signed a five-year, $500 million deal with the Air Force for 525,000 licenses to Windows and Office, and, in the words of the article, to also "work with the Air Force to define security configurations for the agency's desktop and servers."



Let me get this straight - the company that can't plug holes in its browser, or stop worms from crawling through Outlook, is going to provide security for the U.S. Air Force? The same U.S. Air Force that has all those bombs and missiles and nuclear weapons, and that has enough firepower to destroy the world over who knows how many times?



I recently rented the Cold War classic black comedy "Dr. Strangelove," and I have to admit that the idea of Microsoft providing security for the Air Force is as frightening that movie's Brigadier General Jack D. Ripper, ranting about the Commies desire to taint our "precious bodily fluids," and then sending dozens of bombers on a nuclear strike of Russia.



Let's update the movie with today's news. Imagine this: A technician notices a blip on a Windows-based radar screen that may be an incoming missile heading straight for Washington, D.C.. Where's it coming from? Who fired it? Is it a missile or a flock of geese? He clicks with his mouse to try get more information. Windows freezes.



He has to reboot. So he waits...and...waits...and waits.



I can see the headline now: "System Freeze Leads to Nuclear War."



Kind of gives new meaning to the phrase "Blue Screen of Death," doesn't it?


Does the idea of Microsoft providing security for the U.S. Air Force make you feel all warm and fuzzy? Let me know.


11 Comments

ahockley
2004-11-23 09:17:52
Yawn
Right... because it's the same programmers who wrote buggy insecure MS code that will be doing system administration consulting.


Nothing to see here, please move along...

aristotle
2004-11-23 10:07:48
Please don't be a typical Slashdot troll
The problem is not that Microsoft is incapable of security. That is kind of a silly assumption, don't you think?


The problem is that the market neither provides them with any incentive to write software with security in mind from the beginning nor any disincentive to treat security problems in their operating system and browser and other products as anything other than a marketing problem. It simply isn't profitable. And Microsoft is an enterprise, not a charity or welfare organization. I personally believe that the upshot is that standard software such as operating systems and browsers must not be controlled by any single commercial entity, but that's just my thinking.


However, that commercial entity's capability to do security adequately when it's the core competence of the business unit involved is entirely orthogonal to aforementioned string of arguments. So I don't see how there is a conflict here. I do wonder whether security infrastructure such as the Microsoft unit in question is indubitably going to prescribe is as good a choice as it could be, but not in terms of achievable security. After all, Microsoft themselves run most of their company on Microsoft software, and for all that's been publicised they don't seem to be having any more security trouble than any other Fortune 500 company, even if the choice of a more suitable platform would have avoided a disproportionate amount of administrative effort and hardware horsepower requirements. (Compare how much Google get out of their iron with how much effort to how much Microsoft get out of theirs with their effort.)

tmo9d
2004-11-23 15:51:17
The math is what worries me
$500,000,000 divided by 500,000 works out to roughly $1,000 a machine for Windows and Office. Strikes me as a bit odd that the Air Force would let themselves get such a crappy deal. I would at least expect something of a volume discount, maybe something like 50%. Let's also assume that we are only seeing a portion of the amount of money that will ultimately be spent supporting and maintaining these installations.


BTW, a software glitch destroying civilization is almost a certainty. It just makes too much sense that a stupid programming error would bring evolution to an abrupt halt.


tmo9d
2004-11-23 16:00:56
Wait, he's right.
Thanks Aristotle, but he brings up a valid point. Microsoft's track record on security is terrible. The argument that the "core competence of the business unit involved is entirely orthogonal to aforementioned string of arguments" is both haughty and arbitrary.


Microsoft continues to fail on security in a way that has affected almost every user of its operating system. Outsourcing the network security of the agency the operates our early warning system and missle defense is questionable. Outsourcing it to a biased technology vendor is even worse. Personally, I would opt for a 3rd-party like Neohapsis.


But, I'm sure someone got a call from a senator on this. A $500m decision is usually a result of lobbying.


peter_g_22
2004-11-24 06:17:08
B52
Hmm.. presumably this is the same airforce that tried to overfly the Farnborough International Air Show 2004 in a B52 and
mistakenly overflew Blackbushe Airfield which also doubles as a weekend market, 5 miles away instead.


But wait .. a B52 would surely have an old version of Windows, and XP surely stands for e

    X
act
    P
ositioning.. So that'll be alright then :-)
aristotle
2004-11-24 08:21:14
Wait, he's right.
No, I still disagree.


What's the incentive for MSFT to make IE secure? They don't stand to lose any money due to the bad state it's in. And unlike something like Wordpad vs Word/OOo, IE is "good enough" for a casual user that they won't be likely to make even the trivial effort to switch to Firefox. I predict that a browser shipped with Longhorn that has half the extra features that now distinguish Firefox will likely climb back to taking 95% market share very easily.


Now, MSFT have a company network of their own, and if their own network's security was as bad as their products, they wouldn't possibly have been able to survive, particularly considering what a high-profile target they are. Obviously they don't have a terrible track record with security — where they have a vital interest in it.


Oh, I am certain this is the result of lobbying. I did say I don't want to know how much effort it's going to take to secure a Windows infrastructure. Any competitor would probably have been a vastly more cost effective choice. And maybe they would have been a more secure one, too. But not by much: the idea that MSFT is going to botch this so completely as they've botched IE security overly trivializes matters.

Afantee
2004-11-26 20:39:03
Please don't be a typical Slashdot troll
>> The problem is that the market neither provides them with any incentive to write software with security in mind from the beginning nor any disincentive to treat security problems in their operating system and browser and other products as anything other than a marketing problem. It simply isn't profitable.


That's exactly the problem, don't you think? MS almost always favors short term profit / market share over long term quality and security, and is either incompetent or irresponsible or both, therefore simply not fit to lead the computer industry. But sadly, you and legions of Microsoft apologists often blame the world rather than the perpetrator for the wrongdoing.


You have to realize that most other commercial companies (such as IBM / Apple / Sun) as well as the OSS and Java communities have a much better track record in security. The world doesn't have to put up with MS craps forever, there are plenty viable alternatives.

houseflyarmy
2004-11-29 09:23:02
Go Army
It seems like they are making an effort to help out in some way. houseflyarmy.com
JustthefactsPlease
2005-01-21 11:46:32
Factually I disagree
To date nobody has provided free remedies to fix security vulnerabilites...oh wait accept Microsoft.


To date Microsoft Operating Systems are over 300% more secure than Linux.


Whomever is the biggest boy on the block in software will unfortunately have this issue. So comment with that in mind, so far I don't see much reasoning that give this blog any credibility, but alas this is a problem with a lot of writers or people that just hate Microsoft.


What free Enterprise Software Exist out there other than what Microsoft is trying to do? Plus as far as securiung the USAF, MS has been able to do things nobody else has been able to do in USAF as far as securing the environment.


It goes back to the old saying, you are only as secure as the smartest hacker in the world, a criminal, a terrorist. If someone wants in bad enough they will get in, at least Microsoft is trying and getting there, I don't see anyone else as big as them around as far as systems out there. So when you show me someone that does if there ever is, I bet they will be the prime target as well.
You would be surprised at how many Government Agencies and Military are very secure due to Microsofts involvement.

JustthefactsPlease
2005-01-21 11:50:33
Yawn
Wrong, what a goof.
JustthefactsPlease
2005-01-21 11:58:27
Please don't be a typical Slashdot troll
If this is about profit and that they really don't care, then why do they even fix security holes?
Why has XP Sp2 decreased in the number of vulnerabilites (free service pack), why is Windows 2003 Server like 90% less security flaws than Windows 2000?
Then why has it been such a primary focus of Microsoft over the last 3 years?


As for other companies not having flaws, Thats because they don't have over 90% of the Operating system market and when they ever did, we didn't have anything but 386's. Duh.