Army Buys Macs to Beef Up Security
agent_blue writes "The Army is integrating Macs into their IT network to thwart hack attempts. The Mac platform, they argue, is more secure because there are fewer attacks against OS X than Windows-based systems. 'Military procurement has long been driven by cost and availability of additional software--two measures where Macintosh computers have typically come up short against Windows-based PCs. Then there have been subtle but important barriers: For instance, Macintosh computers have long been incompatible with a security keycard-reading system known as Common Access Cards system, or CAC, which is heavily used by the military. The Army's Apple program, created [in 2005], is working to change that.'"
How many times? (Score:4, Insightful)
Yes, Windows has vulnerabilities. Windows sucks as far as security goes. That goes for Vista, too. But waving around an OS like it was some magic bullet that's going to somehow fix your security problems is, well, insanity.
Re:How many times? (Score:5, Insightful)
Yeah. Totally not worth it.
Stop perpetuating simple-minded myths.
Re:How many times? (Score:5, Insightful)
"More about" is not the same as "entirely about." Sure, a good IT staff with a bad system will be more secure than a bad IT staff with a good system. But a good IT staff with a good system will be more secure than either. And Unix-based systems, including OS X, are demonstrably better in terms of security than Windows-based systems are.
Do you think the Army should go back to using bolt-action rifles? It's true that a good marksman with an M1903 is more useful on the battlefield than a bad marksman with an M16, but
Re:why not liunx it is free and runs on any x86 ha (Score:4, Insightful)
It's about avoiding a computing monoculture (Score:5, Insightful)
If you read the article instead of the headline, you'll see that the Army is making the attack target more diversified, so that a single attack will not bring down all computers. What's wrong with that tactic?
Re:OpenBSD??? (Score:4, Insightful)
I think they should use tools available cross-architecture for their software, and then have a multi-arch setup. For example:
30% Free/Net/Open BSD
30% Linux
25% Mac
15% Windows
This would alleviate the issues of an entire-network compromise from potentially overlooked vulnerabilities in any one system. Because you can get fairly simple general interaction for the operating systems listed (given modern desktop environments offered on Linux/BSD, Mac would be the most "different" and not terribly so even then), and applications that had cross-platform natures would be all that's used, there would be little difficulty for the end users to go between systems.
Re:It's about avoiding a computing monoculture (Score:5, Insightful)
Sure, it's cute and cheap to run everything on any one platform, but like they always say "spread out or one grenade will get you all".
Re:OpenBSD??? (Score:4, Insightful)
Magic Bullets Kill... sometimes not who you think (Score:5, Insightful)
Not any more.
If the army is using it for that reason then you know the Chinese, Russians, and any other tech savvy nation will now point their hackers at Macs.
Serial, not parallel (Score:4, Insightful)
When protecting data, think "serial" and not "parallel". You won't get extra security by diversifying your OSs because hackers don't need to hack ALL of them, but just ONE of them, to compromise data. This is not a case of "redundant systems", but rather a case of "the weakest link". The more OSs are supported the more chances that AN OS will get hacked (as opposed to ALL OSs), but when it comes to protecting data, hacking that ONE OS is all it takes. Hackers are certainly more agile than the government, and the government should try to minimize its profile, together with hacking avenues, rather than build redundant systems where redundancy is not the solution for the problem at hand.
In other cases when the issue IS parallel, such as protecting a mission-critical system (think Space Shuttle), then yes, multiple OS's increase the chance that any one will survive. But this doesn't apply to data security. They should stick to one OS as well as one of everything else, preferably as secure as possible (NetBSD, some Linux distros, etc). But even JUST Windows is more secure than Windows and OTHER stuff together, because you keep all the risks of Windows while adding the extra (even if relatively smaller) risk of the other system on top of the original risk.
You first. (Score:0, Insightful)
The majority of compromisation attempts happen now in order to set up botnets. There are two huge targets for this. First, Windows. Your average home cable modem has a decent chunk of bandwidth and - let's face it, it's Windows. By default, it's completely insecure. There's not much work at all involved in getting into Joe User's Windows box.
Second is - surprise surprise, Linux. Why Linux? Because Linux is insecure by default as well. Oh, I know, I'm invoking the wrath of the Open Sores Horde here, but it is. "UNIX PERMISSIONS LOL" - my ass, a credit card phishing site can sit in
Botnets are just as easy to run from
And frankly, Linux is as easy to compromise as Windows - once you get on. Install crappy CMS software and never update? You're asking to be hosed. Using passwords instead of SSH keys for user login? You're asking to be hosed.
And compromisation of Linux systems happens far more often than the frothing Linux zealots would have you believe. By default - sure, Linux is 'more secure'. Nobody using Linux leaves the system in a default state. That's the problem.
Now, where's Mac in all this?
Nowhere. Mac isn't popular enough to warrant the attention of script-kiddy like prepackaged exploit tools. Nine times out of ten, if you hit up a residential IP, you'll find Windows boxes at the other end. Why bother wasting time with Mac-related crap?
Conversely, you're more likely to hit Linux and Windows if you hit up boxes sitting in a datacenter.
For the two high-priority targets of malicious idiots - Mac is nowhere to be found. That's the reason your Mac is safe. Sure, you can go on about e-mail worms and other exploits of twelve year olds, but we're talking systems being hacked, not ill-trained users who click on WICKEDSCREENSAVER.zip.exe.
Re:How many times? (Score:2, Insightful)
Re:How many times? (Score:4, Insightful)
Well, if they mix the OS-vendors like they (finally) mix aircraft-engine suppliers [aviation.com], it will be harder for an adversary to knock out all computers with the same (cyber-)attack. If a flaw is found and/or exploited in some of the systems, they can be shut down and the same tasks performed on systems of (an)other type(s).
This argument — strength of diversity — floated here before...
one point of failure (Score:5, Insightful)
Re:You first. (Score:2, Insightful)
Re:Serial, not parallel (Score:4, Insightful)
And your point is? That extra security costs money?
"When protecting data, think "serial" and not "parallel". You won't get extra security by diversifying your OSs because hackers don't need to hack ALL of them, but just ONE of them, to compromise data."
In one instance you may be correct, but in other instances, you are not. Whether or not data are compromised depends upon how that data are partitioned and where the data reside.
You do get extra security by diversification, because you have the ability to continue to function while one OS's computers are struggling with a malware attack.
Note that the article is not saying that diversification of OS will make an installation 100% secure, just that it will improve the likelihood of continued operation albeit at reduced levels.
Re:Ubuntu? (Score:3, Insightful)
Because Linux is for European communist queers who pirate music. Macs are all-american and manly (sort of).
Seriously though, it's probably to do with letting Apple join in at the endless corporate trough that is the US military, in order to expand their domestic support. Geeks will be more likely to be in favour of an idiotic war if it generates tech jobs.
Also, the international, share-everything ethos associated with Linux is unlikely to be popular with the people who came up with ITAR.
Re:OpenBSD??? (Score:3, Insightful)
So I guess AIX [ibm.com], HP-UX [hp.com] and Solaris [sun.com] don't have large corporations backing them.
Always best to be careful what you say about who does back those three, they all seem to have bloodthirsty ninja vampire lawyers to hand...
Re:How many times? (Score:4, Insightful)
Money.
According to one of these links, a press release, on Google [google.com], ID thieving alone "costs more than $56 billion, or $6383 per victim, annually". That's US, obviously.
Social hacks (phishing) can be done to anyone clever enough to hold a conversation but stupid enough not to be even slightly cynical when strangers start asking certain questions. But many phishing techniques ask the hapless victim to download an attachment, or get access to the victim's computer using online foot-in-the-door tricks like eCards that are more than they appear [hexus.net].
What's the level of Mac penetration? 5%? 8%? Let's say it's the lowest number. Five percent of $56 billion is still $2.8 billion a year. If anyone manages to write malware that could spread in the way PC malware can multiply, especially with the average Mac user's attitude ("virus protection? Why should I save a PC user's arse when I send them Word documents? My iBook's fine..."), imagine the draw for crime syndicates. A guaranteed first shot at nearly three billion EVERY YEAR.
And yet it hasn't happened. An illegal industry that pays better than drugs, without the inherent violence on the streets, and Mac users steadfastly refuse to get fleeced.
Which means either the criminals aren't really that hungry for this potential sector, or there's an easier way to get the money.
Just having the standard feature in a Mac that asks for your password for any new program being installed means you're put on guard. "Hey, I went to see this funny ReindeerYourself card and it's asking for my password? No way..." and the keylogger software remains off your computer. It wouldn't matter if Mac penetration was 12%, 15%. If it's so much easier to hack the PC system for financial gain, it's not financially viable for anyone to write the keylogger software and then wait for enough Mac owners to be stupid enough to install the software to recoup their costs. Just let Windows users visit the page you mass-mailed and enough will click the link with high speed connections. Ker-ching.
So this is finally put-up-or-shut-up for the Windows fanboyz. If the US Army puts its weight behind it, this shifts the whole landscape for writing malware. You see: before this announcement, any jihadist that wanted death to America would just do what all the other fanboys did: learn Visual Basic and send away. But now? Now they'll need to try and sneak through the Mac architecture. And unlike the Russian Mafia, cost isn't an issue. The 'enemy' will throw everything they have to bring the Army system down. Cost isn't an issue if money is not what you're after.
So if it turns out that a world full of hate-filled terrorists that care nowt for money can't hack their way in, what then for the Apple bashers?
Re:OpenBSD??? (Score:5, Insightful)
Files should be locked, so while the admins can see them, move/copy them, they can't actually open the file itself. Security should extend to more than just the file system, but to the files themselves. Of course being open to all should also be a manual changed possibility.
I wonder how long it will take for someone who makes more money than I will ever see to figure that out.
More "security through obscurity from military (Score:0, Insightful)
But hey, when you let kids under 20 with no experience make decisions like this, don't be surprised when they start making poor decisions. You can't blame them, they have been hearing anti-MS FUD for most of their lives, and don't have any real IT experience under their belt (yet) to know how many lies the FOSSies and Leoptards have been telling.
Re:OpenBSD??? (Score:4, Insightful)
One of the biggest security problems is when security reduces usability to the point where users bypass the security for convenience, or simply because it is easier. I've even seen situations where no one had rights to install any software because of security policies, and the admins were then ordered to look the other way for security violations in general because a company still needed to get work done and make money. Good security does not reduce usability. If users don't have the ability to run the software they want to, you've greatly reduced usability and should not be surprised when users start rebooting from a flash drive or working on their home PCs with basically no security.
Re:why not liunx it is free and runs on any x86 ha (Score:3, Insightful)
Re:OpenBSD??? (Score:5, Insightful)
Re:one point of failure (Score:3, Insightful)
However, predictability poses a significant security risk. If I know the exact schedule of a patrol, I know exactly when to attack. If I know exactly how a system functions, I know exactly how to disable that system. Though security through obscurity is not a valid primary means of defense, no one said that publishing every fact and inflexibility is a valid defense either. The military, of all people, should be able to see the value of unpredictability, for instance a surprise attack.
In my opinion the issue is one you touched on. Like all arguments involving hardware platform, at some point the reality is that people are just scared for their jobs. If Windows goes away, how can they feed their family? In private industry one can justify maintaining inefficiencies, as long as a profit is made. The government, however, does not have the freedom to waste public money, and entitlements cannot be continued to infinity. As much as it pains us, if at some point these Windows support personnel have to be let go, I am sure they can all be retrained so as to become productive members of society.
Re:How many times? (Score:4, Insightful)
Re:Magic Bullets Kill... sometimes not who you thi (Score:3, Insightful)
Re:OpenBSD??? (Score:4, Insightful)
Of course, even restricted to these choices, Solaris might have been a better choice. OSX is the sort of vendor lock-in I would hope my taxpayer dollars wouldn't go toward supporting. Windows is bad enough, but with OSX you get lock-in of hardware and software. Recalling how skittish the US government got about Thinkpads and the like when Lenovo bought those bits, I wonder what the contingency plan would be if Apple sold off their computing bits to an offshore company. Even in and of the software platform itself, despite the Darwin base, OSX software tends to require the proprietary Quartz/Cocoa underpinnings, so supporting third party software with new hardware without Apple's blessing would be challenging. Windows is a little better in terms of hardware support, but the software portion is bad enough, though at least there is an excuse of the market situation as to why they haven't thrown it out completely.
Meanwhile, Solaris has an equally reputable backer, doesn't implement many proprietary APIs that common applications would make use of (AIX goes this far as well), has an unlocked x86 implementation (no hardware vendor ties, unlike any other officially certified UNIX), and is also under an open source license. In terms of an official UNIX with options for contingency plans, it doesn't get better than that.
*BSD, Linux, et al. may or may not be even better choices, but this was sticking strictly to the assumed criteria of being able to officially declare it a Unix system.
BTW: