Forgot your password?
typodupeerror
Government Businesses The Military News Apple

Army Buys Macs to Beef Up Security 342

Posted by Zonk
from the shiny-red-firewall dept.
agent_blue writes "The Army is integrating Macs into their IT network to thwart hack attempts. The Mac platform, they argue, is more secure because there are fewer attacks against OS X than Windows-based systems. 'Military procurement has long been driven by cost and availability of additional software--two measures where Macintosh computers have typically come up short against Windows-based PCs. Then there have been subtle but important barriers: For instance, Macintosh computers have long been incompatible with a security keycard-reading system known as Common Access Cards system, or CAC, which is heavily used by the military. The Army's Apple program, created [in 2005], is working to change that.'"
This discussion has been archived. No new comments can be posted.

Army Buys Macs to Beef Up Security

Comments Filter:
  • but (Score:4, Funny)

    by Anonymous Coward on Friday December 21, 2007 @04:15PM (#21783614)
    i thought they don't allow gays in the military?!?
    • Re:but (Score:5, Funny)

      by Anonymous Coward on Friday December 21, 2007 @04:28PM (#21783826)
      Hey I'm gay you insensitive clod... wait no...!!! That joke backfired horribly!!
    • Re:but (Score:5, Funny)

      by Anonymous Coward on Friday December 21, 2007 @04:53PM (#21784228)
      There's no rule against being a Mac user in the military. You're just not allowed to tell people that you're a Mac user, and they're not allowed to ask if you're a Mac user.
    • but i thought they don't allow gays in the military?!?

      They expect the computer to be running MS Office on an Intel CPU. They are not allowed to ask, and you are not supposed to volunteer, whether you are doing so under Windows or Mac OS X. It is a don't ask, don't tell policy, and it upsets a lot of people in the Bay area.
    • by tsa (15680)
      That's funny, you may have a point there. I wonder how many % of Macs are bought by women...
    • Don't ask, don't Intel?
  • by lixlpixel (747466) on Friday December 21, 2007 @04:16PM (#21783644) Homepage Journal
    http://www.serverwatch.com/news/article.php/201361 [serverwatch.com]

    i always liked the idea...

    from the article: "Until the Army's Web site was hacked in late June by a 19-year old Wisconsin man, the site had been using a Microsoft Windows NT-based Web server..." :)
  • How many times? (Score:4, Insightful)

    by morgan_greywolf (835522) on Friday December 21, 2007 @04:17PM (#21783658) Homepage Journal
    How many times do I have to keep telling people that security is more about the skill of the IT staff than it is about the operating system it runs on?

    Yes, Windows has vulnerabilities. Windows sucks as far as security goes. That goes for Vista, too. But waving around an OS like it was some magic bullet that's going to somehow fix your security problems is, well, insanity.

    • It may not be a magic bullet, but it probably will make life easier - isn't that good enough for you? Or is it all black and white to you...
    • Re:How many times? (Score:5, Insightful)

      by Daniel Dvorkin (106857) on Friday December 21, 2007 @04:30PM (#21783884) Homepage Journal
      How many times do I have to keep telling people that security is more about the skill of the IT staff than it is about the operating system it runs on?

      "More about" is not the same as "entirely about." Sure, a good IT staff with a bad system will be more secure than a bad IT staff with a good system. But a good IT staff with a good system will be more secure than either. And Unix-based systems, including OS X, are demonstrably better in terms of security than Windows-based systems are.

      Do you think the Army should go back to using bolt-action rifles? It's true that a good marksman with an M1903 is more useful on the battlefield than a bad marksman with an M16, but ...
    • by QuietLagoon (813062) on Friday December 21, 2007 @04:31PM (#21783900)
      But waving around an OS like it was some magic bullet that's going to somehow fix your security problems is, well, insanity.

      If you read the article instead of the headline, you'll see that the Army is making the attack target more diversified, so that a single attack will not bring down all computers. What's wrong with that tactic?

      • by WinterSolstice (223271) on Friday December 21, 2007 @04:35PM (#21783974)
        As a long time opponent of homogeneous computing/infrastructure I think this is a great move. Any security conscious shop makes certain to balance the management benefits along with the heterogeneous benefits.

        Sure, it's cute and cheap to run everything on any one platform, but like they always say "spread out or one grenade will get you all".
        • by cgenman (325138)
          I worked somewhere that our network was rather violently infected by a new and nasty worm. Being an all windows-shop at the time, every computer that was tasked with figuring out the problem and fixing it was also infected. Thank goodness for Knoppix.

      • by SamP2 (1097897) on Friday December 21, 2007 @04:41PM (#21784058)
        The simple thing that's wrong with that tactic is that instead of having to provide security for one OS, they now have to provide security for both.

        When protecting data, think "serial" and not "parallel". You won't get extra security by diversifying your OSs because hackers don't need to hack ALL of them, but just ONE of them, to compromise data. This is not a case of "redundant systems", but rather a case of "the weakest link". The more OSs are supported the more chances that AN OS will get hacked (as opposed to ALL OSs), but when it comes to protecting data, hacking that ONE OS is all it takes. Hackers are certainly more agile than the government, and the government should try to minimize its profile, together with hacking avenues, rather than build redundant systems where redundancy is not the solution for the problem at hand.

        In other cases when the issue IS parallel, such as protecting a mission-critical system (think Space Shuttle), then yes, multiple OS's increase the chance that any one will survive. But this doesn't apply to data security. They should stick to one OS as well as one of everything else, preferably as secure as possible (NetBSD, some Linux distros, etc). But even JUST Windows is more secure than Windows and OTHER stuff together, because you keep all the risks of Windows while adding the extra (even if relatively smaller) risk of the other system on top of the original risk.
        • by Foofoobar (318279) on Friday December 21, 2007 @04:55PM (#21784260)
          so whats wrong with supporting more than one OS? Would you prefer one point of failure? A good sys admin can support multiple platforms. The only people I ever hear complain about this are Windows people who can't support anything else. Linux admins can ALWAYS support Windows and Mac platforms so why is it so hard for the vast majority of Windows admins to support the other platforms? Hmmm...? Do you just prefer having a single point of failure?
          • by SamP2 (1097897)
            No, I prefer people who bother to read posts before a kneejerk reaction at replying to them. :-)
            • by Foofoobar (318279)
              and I prefer people who can state facts instead of partial truths but I'll take what I can get this christmas with a republican in the white house. :)
          • Re: (Score:3, Insightful)

            by fermion (181285)
            One side would say that there are benefits to supporting only one system. One can get expertise in supporting, maintaining, and securing the system. There are cost savings in not having to maintain separate inventories. There are cost saving in being able to hire a cheaper labor who must only know the rote procedure for the system, rather than understand the basic principles that will allow the person to work on multiple systems.

            However, predictability poses a significant security risk. If I know exact

        • by QuietLagoon (813062) on Friday December 21, 2007 @05:02PM (#21784350)
          The simple thing that's wrong with that tactic is that instead of having to provide security for one OS, they now have to provide security for both.

          And your point is? That extra security costs money?

          When protecting data, think "serial" and not "parallel". You won't get extra security by diversifying your OSs because hackers don't need to hack ALL of them, but just ONE of them, to compromise data.

          In one instance you may be correct, but in other instances, you are not. Whether or not data are compromised depends upon how that data are partitioned and where the data reside.

          You do get extra security by diversification, because you have the ability to continue to function while one OS's computers are struggling with a malware attack.

          Note that the article is not saying that diversification of OS will make an installation 100% secure, just that it will improve the likelihood of continued operation albeit at reduced levels.

    • You kind of have a chicken-and-egg thing here. If you have competent admins and give them a choice, wouldn't they pick something other than windows?
    • True but, there is no harm in getting a more secure OS. There are people with different skill levels, of handling security, There are people who follow stupid security and think it is good security... Having a better OS will help reduce Human error. No having Macs won't make you invincible against all problems but it will keep the riff raff out.

      It is like securing your house. Having Locks on the door is better then not even though most anyone could with some effort break the door down to get in. A strong
    • Re: (Score:3, Funny)

      by eno2001 (527078)
      Tell that to the OpenVMS guy in the food line down the street. Did I say that out loud?
    • by theshowmecanuck (703852) on Friday December 21, 2007 @04:38PM (#21784022) Journal

      ... The Mac platform, they argue, is more secure because there are fewer attacks against OSX than Windows-based systems. ...

      Not any more.

      If the army is using it for that reason then you know the Chinese, Russians, and any other tech savvy nation will now point their hackers at Macs.
    • by hey! (33014)
      To play devil's advocate here for a moment, having several operating systems in your network makes it more likely that some of the nodes will continue to function when vulnerabilities are found in the platform some of them run.

      On the other hand, securing a network means knowing how to secure each kind of host on it, so you don't want to have an unlimited number of platforms. You'd probably have a significant problems with them at any time.

      If operating at all times, even under attack by a determined and wel
    • by 0racle (667029)
      Wouldn't the skilled IT staff also know enough to choose the proper platform? Security is a process not a product, what things run on is part of the process.

      I don't see the Military switching to OS X for everything then wiping their hands and saying "we're done, it's secure now."
    • waving around an OS like it was some magic bullet

      The security partly comes from using an uncommon OS, not just a more secure one. It's a security by obscurity thing... and although obscurity may not be a perfect measure, it's good when it's coupled with a truly more secure OS.

      This implies that the perfect obscurity would come from a homebrew computer system, designed and built in its entirety in one's home. And if it were designed to be secure by default and its creator was a perfect mathematician and engineer, then it would probably be the most sec

    • by raddan (519638)

      But waving around an OS like it was some magic bullet that's going to somehow fix your security problems is, well, insanity.

      Google "sane defaults". Windows fails miserably in this regard, as does much commercial and free software. Apple usually gets sane defaults right, at least from a UI perspective, but the only group of people (as far as I am aware) who have put a lot of thought into sane defaults from a security perspective is the OpenBSD group. Making sure that things work securely, out-of-the-box is important, because IT shops are often in need of something quick-and-dirty. Often those quick-and-dirty implementations

    • How many times do I have to keep telling people that security is more about the skill of the IT staff than it is about the operating system it runs on?

      I'd argue the skill of the IT staff includes choosing appropriately secure and securable OS's for your purpose. For example, in a university setting, choosing to supply all students with an laptop running OS X or Ubuntu, may well solve 90% of your security problems, whereas choosing laptops loaded with Windows to distribute, may well make securing your network with the resources available impossible.

      But waving around an OS like it was some magic bullet that's going to somehow fix your security problems is, well, insanity.

      In some cases, choosing the OS does solve most security problems, and that is just the way the malware

  • by kryliss (72493) on Friday December 21, 2007 @04:18PM (#21783674)
    One small step for Mac one giant leap for Mac kind.
  • by Eagle7 (111475) on Friday December 21, 2007 @04:20PM (#21783700) Homepage
    http://www.google.com/search?client=safari&rls=en&q=cac+on+mac&ie=UTF-8&oe=UTF-8 [google.com]

    Support is built into Safari, and it is possible to set it up to log into a Windows domain, I believe.
    • by Kadin2048 (468275) *
      Glad you pointed that out; I was going to say the same thing. CACs work very well on recent versions of OS X, the trick is just getting IT departments to realize this and allow them, and of course ensuring that you don't need any software that's PC-only.

      But you can use any number of a bunch of commodity USB smartcard readers and do just fine on the Mac. The drivers are all there; once enabled [apple.com], it's pretty slick actually. At least as of a while ago, Apple actually had at least one full-time employee working
  • by techpawn (969834) on Friday December 21, 2007 @04:21PM (#21783722) Journal
    All computers used in the military facilities in the Transformers movie by the teams trying to break the Decepticon's code where Apples. It should also be pointed out that the computer that defeated the martins in Independence Day where macs.

    Life imitating "art"?
  • by grub (11606) <slashdot@grub.net> on Friday December 21, 2007 @04:22PM (#21783746) Homepage Journal

    How will they know if the user prefers a Mac or PC with their "Don't ask, don't tell" policy?

  • The Mac platform, they argue, is more secure because there are fewer attacks against OSX than Windows-based systems

    Not that it's more secure because it's better, but because there are fewer attacks? Won't adopting give hackers more incentive to attack it? They shouldn't judge the OS based on how many attacks there are now, but on how secure it can be made since one would assume that anything the government runs is interesting to hackers.
    • The Army is a "bottom-line" organization. They don't care WHY something happens, only that it does. In this case, it might be short-sighted, but for the short-term, I think it's a fairly decent plan, considering how many years and how much money they've wasted trying to make Windows secure for the military environment. By the time a hacking threat becomes real on OS X (if ever), the military will have moved on to the next threat.
    • by SirGarlon (845873)

      Not that it's more secure because it's better, but because there are fewer attacks? Won't adopting give hackers more incentive to attack it?

      Yes. But.

      Attacks most often propagate from machine to machine via worms or botnets or whatever. The more homogeneous the network, the greater the transmission probability from one node to the next (if you have an all-Windows network, then something that penetrates one machine will penetrate the next one). Attackers generally have to choose an OS which they want

    • by Danathar (267989)
      Yes. It is better. Not by virtue that people who program are any less prone to mistakes like buffer overflows, but because (in my opinion of course) the UNIX design for OS security is better than the Windows design for security.

      Ask just about any security expert which design philosophy they like better and I'll bet hands down UNIX wins over Windows.
  • No surprise (Score:3, Funny)

    by L4m3rthanyou (1015323) on Friday December 21, 2007 @04:25PM (#21783786)
    With a runaway defense budget like ours, I'd say the mac is a perfect fit!
  • Macs & beef!!! I thought they were all vegans.
  • by HangingChad (677530) on Friday December 21, 2007 @04:32PM (#21783922) Homepage

    The clear majority of the really high end computer security people I know are driving Macs. On the military side Army and Marines seem to be tinkering more with Linux. The Marines less so because of NMCI, but there was a demo of battlefield information system that was Linux based. Navy and Marines have pretty much locked themselves into Windows desktops managed by EDS on the administrative side. A move I believe will go down as one of the great defeats in Naval history, with casualties of 250 million American taxpayers.

    Don't know about the Air Force but the few AF people I've met at conferences seemed pretty on the ball and struck me as Linux curious if not outright supporters.

    • The Air Force has had a long standing, strict, commercial-off-the-shelf policy when it comes to IT standards. In other words, they are 99% Windows based.
      • and that other 1% is used on the star gate program where they us a custom os and hardware that is based in part of tech found off world.
  • by theurge14 (820596) on Friday December 21, 2007 @04:33PM (#21783942)
    HThe Army's push to use Macs to help protect its computing corps got its start in August 2005, when General Steve Boutelle, the Army's chief information officer, gave a speech calling for more diversity in the Army's computer vendors. He argued the approach would both increase competition among military contractors and strengthen its IT defenses.

    "Sir, I have the DOJ on line 2."
    "Tell them to get Bill Gates in here."
    "Yes sir."
    (door opens an hour later)
    "Bill Gates, you told us Windows Vista would be more secure!"
    "It IS more secure, over five million...(BLAM)"
  • by Foofoobar (318279) on Friday December 21, 2007 @04:34PM (#21783958)
    Mac: Hi I'm a Mac
    PC: and I'm a PC
    Military Intelligence: And I'm no longer an oxymoron
  • Mac's have CAC support. Try /usr/sbin/cac_setup

    I'm not trivializing the work that would need to be done to work in a DOD environment where most of the CAC-enabled apps need a osX port. The low-level strong authentication portion is done.

    In true government contracting fashion, the bulk of the work is done by Axalto, with some DC-based project management middleman cashing the Fed's checks. Axalto is probably barely breaking even on the project despite the huge volume of cards in the field.
  • Back in the late 90s the Army switched its us.army.mil stuff to Mac based servers based on the input of a low ranking enlisted guy (whom I knew, and I myself was in the same unit when he made the suggestion). They publicity at the time was that the Windows servers were getting hacked on a daily basis, so they switched to the Mac OS server stuff and the problem was solved...the hackers no longer were able to hack the front page of the US Army on a daily basis. I wonder why they are just now realizing this
    • Mac OS based servers, like MS-DOS based servers, were pretty damn secure because they had little to no remote access. Mac OS X is a completely different story. Other than name it has nearly nothing in common with Mac OS, it is a descendent of NextStep, a known Unix-based platform.
  • Bootcamp (Score:5, Funny)

    by corychristison (951993) on Friday December 21, 2007 @04:43PM (#21784096)
    Brings a whole new meaning to BootCamp, doesn't it?
  • While Apple systems have always been slightly higher priced (when compared to equal pc systems not home made random part systems) I figured this was mostly do to higher manufacturing costs. I could be totally wrong, and probably am, but I'm hoping that with the Army switching out all their systems to Apple machines that the manufacturing costs over all will go down and maybe we'll start to see some cheaper Apple systems coming out. Yeah yeah it's a lot to ask for but I like to hope for the best I guess.
    • While Apple systems have always been slightly higher priced (when compared to equal pc systems not home made random part systems) I figured this was mostly do to higher manufacturing costs.

      Actually if you compare just hardware, from other vendors with similar reliability ratings, Macs are about the same price as other PC hardware. The last study I saw put them at about 20% above average in price, which is about the same as Sony (who also sells mostly mid and high end machines with top end reliability ratings). Apple systems are about the same cost as any other PC, assuming you're looking at all the hardware criteria, not just bullet points. And by all the criteria i.e. a system with a 120 G

  • It's not directly related, but this reminded me of a story [wired.com] I heard about the "Black Mac", a tempest shielded Macintosh SE 30 1891 T that some guy found at a second hand shop. Nobody is sure where it came from, or why it was built, but it seems to have been made by Apple (as opposed to being some weird aftermarket mod). Presumably it was built for the military, or some intelligence agency...
  • Seems to me that because the Mac is largely secure through obscurity (as this was already tagged), the military is just increasing the incentive to crack the Mac for the Bad Guys. Three years from now (or who am I kidding, three DAYS from now) when then exploits begin to be released into the wild, I think their reasoning will be found to be faulty. While there still won't be as many Macs out there, there will be a select few with wildly valuable data, and therefore it will become more lucrative to crack the
  • by eyebits (649032) on Friday December 21, 2007 @05:24PM (#21784658)
    About five years ago I was doing a training session/presentation for IT staff at an Army base where I was told that the Army would never use anything other than Windows. I made the mistake of referring to Linux, Mac OSX and open source software during the presentation which caused some folks in the room to get upset with me. I remember a comment about hell freezing over first. I guess hell is a bit colder today.
  • by ducomputergeek (595742) on Friday December 21, 2007 @05:44PM (#21784900)
    http://www.imdb.com/title/tt0160904/ [imdb.com]

    But on the more serious note:

    Why not Linux?

    A: http://www.openbsd.org/ [openbsd.org]

    Which at one time was a DARPA funded project.

There's a whole WORLD in a mud puddle! -- Doug Clifford

Working...