
Re: Congress Voices Support for Free Software

  • Subject: Re: Congress Voices Support for Free Software
  • From: Rex Ballard <rex.ballard@xxxxxxxxx>
  • Date: Wed, 17 Sep 2008 07:25:37 -0700 (PDT)
  • Bytes: 8735
  • Complaints-to: groups-abuse@xxxxxxxxxx
  • Injection-info: 34g2000hsh.googlegroups.com; posting-host=67.80.109.118; posting-account=-EkKmgkAAAAxynpkobsxB1sKy9YeqcqI
  • Newsgroups: comp.os.linux.advocacy
  • Organization: http://groups.google.com
  • References: <2456395.0tr0tQGt0O@xxxxxxxxxxxxxxx>
  • User-agent: G2/1.0
  • Xref: ellandroad.demon.co.uk comp.os.linux.advocacy:690508
On Sep 17, 9:10 am, Roy Schestowitz <newsgro...@xxxxxxxxxxxxxxx>
wrote:

> Open-source software gets a plug from Congress

> ,----[ Quote ]
> | “The committee is concerned by the rising costs and decreasing security
> | associated with software development for information technology systems.

Microsoft's "back doors" have finally been noticed.  Actually, they've
been noticed for years.  The DOD, FBI, NSA, and CIA have all been
reviewing Linux because of known vulnerabilities in Windows that were
NOT fixed in Vista.

All Microsoft did with Vista was attempt to extend its monopoly into
the antivirus and anti-malware market, and they didn't do a very good
job of that, because Microsoft does not treat digitally signed malware
as malware.  In effect, they have paid Microsoft not to be purged as
malware.

In addition, Microsoft has added ADDITIONAL back doors for "piracy
monitoring", including the additional "holes" in Office 2007 OOXML.

> | These rising costs are linked to the increasing complexity of software, which
> | has also resulted in increasing numbers of system vulnerabilities that might
> | be exploited by malicious hackers and potential adversaries,” the report
> | states, “The committee encourages the department to rely more broadly on
> | [open-source software] and establish it as a standard for intra-department
> | software development.”

This is a very accurate assessment.  One of the big advantages of Open
Source Software, especially Linux/Unix software, is that most of the
applications are built from simple combinations of simple
applications, which reduces the risk of introducing new defects and
vulnerabilities in core level applications.

Second, Open Source Software guarantees that Open Standards, as
implemented by Open Source Software will actually be compliant with
the standard and that the full standard will be implementable without
relying on mysterious or unpredictable proprietary components.

It is also becoming more and more obvious that most of Microsoft's
"enhancements" to public industry standard protocols have turned out
to be security problems.

It's not like this is even news.  The problem has existed for almost
20 years now, even back in the days when DOD PCs were being infected
with malware hidden in the boot tracks and hidden files on the
floppies passed between office workers.

Since the introduction of Windows, the Military has been acutely aware
of security problems with Windows, ranging from the ease of cracking
into FAT and FAT32, to the ease of infecting Outlook/IE users with
trivial ActiveX calling HTML with embedded ActiveScript.

The problem is that the crackers who used to be proud of their ability
to hack into a system and let everybody know the infamous pseudonym of
the hacker, have grown up.  Today, these people routinely create
customized viruses, worms, and trojans, designed to target specific
organizations, and even specific people, which keeps them out of the
sights of the Antivirus companies.  They collect insider trading
information, bidding, and competitive marketing information, and even
politically damaging information.  The damage can be $billions, and
can even alter the outcome of political elections.  It can even impact
the outcome of military campaigns.  It can even cost lives.

So after repeated calls for switching to Open Source Software (most of
which have been quashed by the Bush administration), the most
sensitive agencies are now putting their foot down and demanding that
Open Source be given a preference over Proprietary software.  If they
could, without getting quashed by the Bush administration, they would
probably recommend that ONLY Open Source Software be used for most
desktop and "appliance" applications.

> http://www.gcn.com/print/27_23/47157-1.html

> So they reject non-Free software for being insecure. It's also about quality,
> not cost.

Ultimately it's the bigger cost they are considering.  Imagine if a
hacker could gain control of an armed predator, and use it to attack
our own troops.

Imagine if a hacker could use a family ActiveX embedded e-mail to
plant a virus that gave the opposition the exact location of troops,
and even the commands being sent to those troops.  Even worse, what if
they could paint targets where they aren't, and hide the real targets -
as they ambush the troops.

Imagine a predator dropping a cluster-bomb on a US deployment where
their only shelter is tents.  Since it wasn't identified as a threat,
everyone would still be sitting next to the tanks as the entire area
started exploding.

> Recent:

> With Vista breached, Linux unbeaten in hacking contest

> ,----[ Quote ]
> | The MacBook Air went first; a tiny Fujitsu laptop running Vista was hacked on
> | the last day of the contest; but it was Linux, running on a Sony Vaio, that
> | remained undefeated as conference organizers ended a three-way computer
> | hacking challenge Friday at the CanSecWest conference.
> `----

I'm surprised it took that long to crack Vista.
But then, the Vista box was not actually doing anything.

> http://www.linuxworld.com/news/2008/032908-with-vista-breached-linux-...
>
> Vista Called as Vulnerable as Predecessors

Actually more vulnerable - especially with Office 2007 installed.

> http://www.pcworld.com/businesscenter/article/146281/vista_called_as_...


> Vista security credentials tarnished in malware survey

The problem was that Vista killed the competition for Vista anti-virus
and anti-malware.  The result is that Microsoft's monopoly-ware isn't
being as aggressively managed as the more competitive Norton vs
Symantec vs McAfee vs others market.

There are over 250,000 known forms of Malware and probably about
500,000 variants that have not been detected due to target scoping
(instead of infecting all computers, they only spread when the
computer is in a particular domain or subnet).

Microsoft has very little skin in the game.  If a virus gets past
McAfee or Symantec, they risk losing market to their competitor.

Microsoft's claim that Vista is the most secure version ever, is based
on comparison with other versions of Windows "As Shipped".  This would
mean that XP would have no antivirus at all.  It would mean that
Windows 2000 would have no firewall capability.

> http://www.theregister.co.uk/2008/05/09/win_malware_survey/
>
> Vista as Insecure as Windows 2000

If you have Windows 2000 with an I-Zone firewall, McAfee or Symantec
antivirus, and 3rd party anti-spyware, this would be more secure than
a Vista machine with Microsoft's "turn it off because it's a pain"
firewall, "kill only malware that isn't signed" antivirus, and "turn
it off because it's stopping you from installing software you want"
anti-Spyware.

The biggest problem is that Vista with all the security features
turned on becomes unusable, and a usable version of Vista becomes
inherently insecure.  The biggest problem being that Microsoft doesn't
provide enough information about the application and vendor or
"intruder" to allow the user to make an informed decision.  Worse,
Microsoft doesn't block ActiveX controls being pulled in by IE and
Outlook previews, and doesn't block viruses embedded in OOXML
documents.

> http://www.pcworld.com/businesscenter/article/145681/vista_as_insecur...
