Forwarded from: matthew patton <pattonme@private>

--- InfoSec News <isn@private> wrote:
> http://www.nwfusion.com/news/2004/1119airforce.html
>
> By Ellen Messmer
> Network World Fusion
> 11/19/04
>
> The U.S. Air Force early next year will require its 525,000 personnel
> and civilian support staff to use a single and specially configured
> version of Microsoft's operating system and applications, said the
> military department's CIO.

Right, so if "configured with security in mind" is defined the same way DISA/USAF/USNAVY have defined "secured windows OS configuration" then I seriously doubt they've accomplished anything really productive. I'd settle for Office2004 fitting inside 50MB. That would kill 90+% of the features that are unneeded cruft anyway and which cause most of the problems. And then I wouldn't have to worry about arcane voodoo to "secure" something that is as out of control as MS NT, let alone Office.

But from an attacker's standpoint I couldn't be more DELIGHTED at the prospect of taking down all 525,000 users with one hole. After all, instead of an ecosystem of varying configurations, I can come up with one hole to rule them all. (Lord of the Rings reference)

WHEN OH WHEN will they learn that a single image is a lousy idea? I don't mean to imply that we shouldn't have guidelines and group policy objects that have a modicum of teeth to them, but this is just begging for disaster IMO. For some reason whenever I design a GPO or strip an NT system (win2K etc. are just NT) my users bellyache about stuff not working like it used to. I like to respond with, "well, you have no business doing that as your normal user account. And if some piece of software is so poorly written that it doesn't work now, go beat the vendor's door down and demand they fix their bleeping product!" Hasn't been an entirely popular stance for some reason. Can't imagine why...

Instead of negotiating 30+ contracts down to 2, I have a much more useful bargaining chip.

"The US Air Force (nay, the entire DoD) will forthwith refuse to use windows in any form until you, Microsoft, can fit it inside 100MB and strip it of every service and feature not absolutely inseparable from the core functions of an OS as defined as filesystem storage, memory allocation, process control, and basic UI. The list of immediate rejection criteria includes even the smallest vestiges of Internet Explorer."

Ok, maybe 100MB is too small, but a fully fledged Linux box runs on 60MB or less. Barebones X11 adds a bit more.

> "We're spending more money patching and fixing than buying
> software,"

Yo USAF, in case you missed the memo, the rest of the IT World has the same issue.

> "We want Microsoft focused not on selling us products but to enhance
> the Air Force in our mission," said Gilligan, adding that he hoped
> the new effort would lead to the kind of support Microsoft could
> provide other organizations in the future.

"Hope"? That's all you guys got out of Ballmer? Why don't we spring for DEMAND and HOLD FEET TO THE FIRE instead?

> determined the transition costs would simply be too high.

Probably true. Windoze admins who grace the ranks of gov't help desks are more often than not, not exactly of superior quality. And many have the utmost fear of anything CLI.

_________________________________________
Open Source Vulnerability Database (OSVDB)
Everything is Vulnerable - http://www.osvdb.org/
This archive was generated by hypermail 2.1.3 : Thu Nov 25 2004 - 22:40:53 PST