| ActiveMac | Anonymous | Create a User | Reviews | News | Forums | Advertise |
|
|
|
User Controls |
|
New User |
|
Login |
|
Edit/View My Profile |
|
|
|
|
|
|
|
ActiveMac |
|
Articles |
|
Forums |
|
Links |
|
News |
|
News Search |
|
Reviews |
|
|
|
|
|
|
|
News Centers |
|
Windows/Microsoft |
|
DVD |
|
ActiveHardware |
|
Xbox |
|
MaINTosh |
|
News Search |
|
|
|
|
|
|
|
ANet Chats |
|
The Lobby |
|
Special Events Room |
|
Developer's Lounge |
|
XBox Chat |
|
|
|
|
|
|
|
FAQ's |
|
Windows 98/98 SE |
|
Windows 2000 |
|
Windows Me |
|
Windows "Whistler" XP |
|
Windows CE |
|
Internet Explorer 6 |
|
Internet Explorer 5 |
|
Xbox |
|
DirectX |
|
DVD's |
|
|
|
|
|
|
|
TopTechTips |
|
Registry Tips |
|
Windows 95/98 |
|
Windows 2000 |
|
Internet Explorer 4 |
|
Internet Explorer 5 |
|
Windows NT Tips |
|
Program Tips |
|
Easter Eggs |
|
Hardware |
|
DVD |
|
|
|
|
|
|
|
Latest Reviews |
|
Applications |
|
Microsoft Windows XP Professional |
|
Norton SystemWorks 2002 |
|
|
|
Hardware |
|
Intel Personal Audio Player 3000 |
|
Microsoft Wireless IntelliMouse Explorer |
|
|
|
|
|
|
|
Site News/Info |
|
About This Site |
|
Affiliates |
|
ANet Forums |
|
Contact Us |
|
Default Home Page |
|
Link To Us |
|
Links |
|
Member Pages |
|
Site Search |
|
Awards |
|
|
|
|
|
|
|
Credits |
 |
Microsoft Gets DHS Contract | |
|
||
| Time: 08:07 EST/13:07 GMT | News Source: eWeek | Posted By: Robert Stein | ||
|
The federal government last week awarded a $90 million contract to Microsoft Corp. to provide the Department of Homeland Security with desktop and server software. The move could send a signal to enterprises and other software vendors that the government is happy with Microsoft's progress in improving the security of its software. As part of the National Strategy to Secure Cyberspace, which the Bush administration unveiled last year, officials in all agencies of the federal government are supposed to be using their purchasing power to pressure vendors into producing more secure software. | ||
|
Write Comment
Return to News |
Displaying 1 through 25 of 157 Last | Next |
The time now is
4:01:34 AM
ET.
Any comment problems? E-mail us |
| #1 By 442 (65.33.163.218) at 7/22/2003 8:34:00 AM |
| This is a very scary thought. MS has had quite a few gaping security holes (and thankfully patches, too) in the last month alone. Patches do not forgive the sloppy coding though. Some Department of Homeland Security we have. What a joke :-( |
| #2 By 1295 (216.84.210.100) at 7/22/2003 9:58:58 AM |
|
Most of the gaping security holes you refer to have to have a firewall incorrectly configured. Even if on an internal network you can put the servers behind their own firewall keeping even internal client computers from attacking servers.
There is a way to cover your ass in most cases even for buffer overruns etc. If you correctly build your network you can keep alot of things from happening. And of course this has to do with any OS not just Windows. |
| #3 By 6859 (206.156.242.36) at 7/22/2003 10:10:04 AM |
| #2 is right on the money. And the question is how many vulnerabilities has the "competition" had?.... Oh, gee, let's see um... more than what, 20? |
| #4 By 3653 (63.162.177.143) at 7/22/2003 11:21:57 AM |
| wow, it appears the media over-hyped open-sources appeal in the government? |
| #5 By 20 (67.9.179.51) at 7/22/2003 11:29:07 AM |
|
http://www.securityfocus.com/bid/vendor/
Windows 2003 Server shipped in... what? April 2003? I count 46 vulnerabilities involving Red Hat Linux since that time. How many for Windows 2003 Server? 2. Maybe 3. The first one or two were IE 6 vulnerabilities that do not affect Win2K3 by default (since IE is locked in hard administrator mode by default. You have to undo the security policy first, which is not trivial). The last one was an old legacy RPC vulnerability which, admittedly, is a first-class vulnerability, unfortunately, and does affect default installs of Win2K3. So which is more secure? 2-3 vulnerabilities in the last 3-4 months, or 46? (edit: typos) This post was edited by daz on Tuesday, July 22, 2003 at 11:31. |
| #6 By 11888 (64.230.66.108) at 7/22/2003 12:19:05 PM |
|
wait a minute, are you justifying Windows as a secure platform because it has *fewer* exploits than the competition, or are you implying that it's less insecure? I think that severity of exploits is a more intelligent point than quantity, but I don't feel like looking it up. Does anyone have a balanced unbiased answer regarding the severity?
It appears that your options are one OS will several minor exploits, or another OS will a few major exploits. How can anyone pick a winner there? This post was edited by MrRoper on Tuesday, July 22, 2003 at 12:21. |
| #7 By 135 (209.180.28.6) at 7/22/2003 12:24:42 PM |
|
#9 - "Anyone has a balanced unbiased answer regarding the severity? "
Yeah, all the platforms suck, but Microsoft is the only one making a serious commitment to improvement. This DHS thing should send a message to those advocating Linux that Windows is here to stay, it isn't going away and either update your knowledge of the platform or leave the IT industry. |
| #8 By 10896 (65.213.122.66) at 7/22/2003 3:51:13 PM |
|
#12
No wonder NSA has to rewrite RedHat Linux to make it more secure. 34 security fixes in a little over three months for RedHat 9.0. Can anybody explain why RedHat has so many security fixes compared to other Linux distributions. |
| #9 By 135 (209.180.28.6) at 7/22/2003 3:57:38 PM |
|
linuxhippie - "This NSA thing should send a message to those advocating Windows that Linux is here to stay, it isn't going away and either update your knowledge of the platform or leave the IT industry."
Fair enough. But I already know how to use Linux. I'm not the one with his head stuck in the sand, afraid to learn new skills and advocating the use of old technology. |
| #10 By 135 (209.180.28.6) at 7/22/2003 4:04:38 PM |
|
#12 - "Can anybody explain why RedHat has so many security fixes compared to other Linux distributions. "
It's largely because Redhat is the only Linux distribution with anything resembling a professional organization behind it. It's not that the other distros aren't affected by these issues, it's just that Redhat is the only one providing information and patches to their customers. One of the things that linuxhippie doesn't address is that SELinux from the NSA is not considered a usable product, it's not certified for Govt use nor is there any plans for it to be. Rather it is research work. They're experimenting with different security techniques. So they aren't looking into vulnerabilities, but rather addressing ways to make sure vulnerabilities have less of an impact. The goals of the SELinux project is to come up with techniques that can be adopted by other people... possibly in conjunction with Linux, but most likely in conjunction with Windows, Solaris, etc. |
| #11 By 10896 (65.213.122.66) at 7/22/2003 4:13:58 PM |
|
#15
Well maybe but I think there is an excellent technical staff with SUSE, and they dont have anywhere near the security vulnerabilities as Redhat with essentialily the same software packages. I thought RedHat was rushing out the packages to get people on their RHN and make money. This is GPL code and I am assuming that RedHat modifies without much security checking. |
| #12 By 135 (209.180.28.6) at 7/22/2003 4:20:52 PM |
|
billmac - Yes, the GPL works counter to the best interests of the customer. In order for Redhat to make money, they need to behave in a way that encourages adoption of their service organization, i.e. subscribe to the RHN. Which is why patches are not available for download off their website for their enterprise linux product.
But I have also tracked a number of these vulnerabilities, and SuSe simply doesn't address them. The vulnerabilities still exist. SuSe isn't doing value-added code reviews of packages from KDE, etc. Later tonight I'll provide some examples. |
| #13 By 20 (67.9.179.51) at 7/22/2003 6:46:36 PM |
|
wait a minute, are you justifying Windows as a secure platform because it has *fewer* exploits than the competition, or are you implying that it's less insecure?
No software is completely insecure, so the best you can do is get the most secure that's currently available. This is the same argument Linux folks used against Windows, but now that the tables are turned, they're crying foul. Standard operating procedure for the Linux crowd. One slightly-less-than-scientific measure of software security is the vulnerabilities discovered as a function of it's popularity. It stands to reason that more vulnerabilities would be found in software that's used more often. Windows has historically had many vulnerabilities as a result of a.) increased public scrutiny b.) sheer number of attackers c.) poor coding and management techniques at Microsoft. a.) and b.) still remain, but c.) has been drastically improved by MS' adoption of a new Security Czar and the adoption of the new S3+C methodology of secure code development, vulnerability recognition and correction, and communication with the community. This open, honest, and pro-active approach to security puts MS on a different footing than its competitors. Linux is in a slightly different position because a.) is medium-high, b.) is pretty low (because most hackers like Linux, so they incestuously protect it's reputation as much as possible by keeping vulnerabilities secret or low-key). c.) is very poor for Linux. So the (#users * #attackers)/vulnerabilities ratio for Windows means that many more vulnerabilities should be found as compared with Linux which has a much different (#users * #attackers)/vulnerabilities ratio. So the fact that major Linux distros have such a high rate of vulnerabilities despite having such a low user and attacker base suggest that the c.) code quality is extremely low (which, of course, we all know). As a matter of logic, it stands to reason that Windows 2003 is several orders of magnitude more secure than current Linux distros including Red Hat and SuSE. Aside from all the other major business reasons to go with Windows over Linux, this is a HUGE reason. I think that severity of exploits is a more intelligent point than quantity, but I don't feel like looking it up. Does anyone have a balanced unbiased answer regarding the severity? I was going to add a comment to my post. Of those 46 vulnerabilities, I'm not sure of the severity. I can say that at least 20 of them were remote exploits which are VERY severe and extremely dangerous. At any rate, the number of VERY SEVERE linux exploits is far greater than the 1 for Windows 2003. It appears that your options are one OS will several minor exploits, or another OS will a few major exploits. How can anyone pick a winner there? No, that's not correct. It's something like (estimate): Windows 2003 Server: 1 major, 2 minors Red Hat Linux: 20 major, 26 minor (estimate) But you must also factor in the development, review, and public scrutiny arguments as well which puts Windows 2003 as the clear winner. |
| #14 By 20 (67.9.179.51) at 7/22/2003 7:09:25 PM |
|
Rough estimate (world-wide):
Let RH Linux 9 users = 250,000 Let Linux attackers = 60,000 (estimate of all Linux attackers) Let RH Linux 9 vuln's = 20 Let Win2K3 users = 5 million Let Win2K3 attackers = 200,000 (estimate of all Windows attackers) Let Win2K3 vuln's = 3 Linux Security Factor: (250,000 * 60,000) / 20 = 750,000,000 Win2K3 Security Factor: (5,000,000 * 200,000) / 3 = 333,333,333,333.33_ So you see, Windows 2003 Server is more secure than Linux by 444.4_ Security Factors(TM)(C)(R)(SM) (about 2 orders of magnitude, something like that) :) Now that's something you can take to the bank! |
| #15 By 135 (208.186.90.91) at 7/22/2003 8:20:42 PM |
|
Ok, this is just random sampling, looking at major packages I suspect both have.
I guess the most interesting discrepancy is how many kernel updates Redhat has announced that Suse has not. Another one is a mySQL vulnerability announced on 5/2/03 by Redhat, which apparently affects all versions prior to 3.23.55, whereas the last mention of mySQL by Suse is January 2nd with an upgrade to 3.23.52. Redhat announced a problem on 1/15/03, but recommended an upgrade to 2.23.54a.. Hmm, Redhat has a bulletin for unzip, I see nothing on Suse's site but I would suspect they include that common utility. There's also a PHP vulnerability on Redhat's site announced in early July that I don't see on Suse, yet they both have the February announcement. BTW, it's interesting. Now redhat is listing the CVE, so you can go in and pull up the original date the vulnerability was admitted to and then follow thru with the fix date. For instance a CUPS vulnerability was first identified on 4/1/03, but redhat didn't release patches until 5/27/03. That would make for an interesting study to see whether the Linux zealot claim that pathces are released faster is true. |
| #16 By 135 (209.180.28.6) at 7/23/2003 12:31:49 PM |
|
linuxhippie - Fascinating. So Suse makes the updates available, they just don't provide a security bulletin to warn their customers. As I said, their processes are a bit immature.
"Not considered by whom?" The NSA. Read the FAQ on the SELinux page you linked to. |
|
Write Comment
Return to News |
Displaying 1 through 25 of 157 Last | Next |
The time now is
4:01:34 AM
ET.
Any comment problems? E-mail us |
