
White House Specifies And Mandates Secure Windows

Zonk posted more than 7 years ago | from the on-the-up-and-up dept.

Windows 242

twitter writes "The Register is reporting on an effort to bring order to the wild world of Windows patching, at least in the US Federal Government. The White House has issued a directive to federal CIOs throughout the country, issuing a call for all new PCs to use a 'common secure configuration.' 'Registry settings and which services would be turned on or off by default [are specified and] the directive calls for suppliers (integrators and software vendors) to certify that the products they supply operate effectively using these more secure configurations. "No Vista application will be able to be sold to federal agencies if the application does not run on the secure version of Vista," explained Alan Paller, director of research at The SANS Institute.'"


242 comments


Heh (4, Insightful)

Ethelred Unraed (32954) | more than 7 years ago | (#18455939)

The phrase "don't put all your eggs into one basket" comes to mind...

Cheers,

Ethelred

Re:Heh (4, Interesting)

UPZ (947916) | more than 7 years ago | (#18458669)

The phrase "don't put all your eggs into one basket" comes to mind... Cheers, Ethelred

If all MS baskets have holes, does it really matter?

Re:Heh (4, Funny)

jac89 (979421) | more than 7 years ago | (#18459353)

Get bigger eggs, then they won't be able to fit through the holes. Goose eggs would do, or maybe ostrich.

Re:Heh (3, Insightful)

jimstapleton (999106) | more than 7 years ago | (#18458695)

I would have added "All applications must run in Wine under BSD or Linux", or have a version in BSD or Linux, to the requirements to prevent lock-in

Re:Heh (4, Insightful)

Anonymous Coward | more than 7 years ago | (#18458745)

To be fair they are mandating specific Windows configurations for systems running Windows. They are not mandating the use of Windows (of course a lot of gov systems do for other reasons...).

Monoculture Worries. (4, Insightful)

twitter (104583) | more than 7 years ago | (#18458863)

The phrase "don't put all your eggs into one basket" comes to mind...

The net result will be identically configured computers with fewer applications, a bot maker's paradise. The comply/no-comply label gives M$ more veto power over applications and that will reduce the number of applications that can be used. Everything must now be done the M$ way on Windoze, so the worst practices with the worst track record have been mandated. The identical settings are only more "secure" until someone breaks them and then they are all equally hosed.

Re:Monoculture Worries. (1)

Anonymous Coward | more than 7 years ago | (#18458945)

I mean, it's your journal and you couldn't even interpret the summary properly.

The comply/no-comply label give M$ more veto power over applications and that will reduce the number of applications that can be used

Everything must now be done the M$ way on Windoze

It's the government mandating this version of Windows, not Microsoft. Reading comprehension much?

Ultimate Control. (3, Interesting)

twitter (104583) | more than 7 years ago | (#18459173)

A very Silly AC taunts:

It's the government mandating this version of Windows, not Microsoft. Reading comprehension much?

Once the settings are specified, M$ can make the system do as they please. What, do you think Uncle Sam is going to give up patch Tuesday? The whole point is to make it easier to apply patches. It won't really work, of course, because M$ and others will keep playing the same anti-competitive tricks. When an application does not work with the settings, it, not Windoze, is rejected.

The net result is contrary to commodity computing. The whole reason for using M$ is to gain access to cheap hardware and a universe of software. Reducing your choice in software goes a long way toward making your hardware worthless. A fancy computer that does not do the task you want it to is not doing you any good. The proposed flexibility will inevitably sink to Dell software install options and people who want to get work done with specialized programs will be forced off Windoze or suffer with second rate software on expensive hardware.

The same kind of program would not be such a disaster in the free world. First, it's easy to tell what works and upgrades are already painless. Second, if something does not work, it will be fixed quickly. Third, and most importantly, the software does not have "owners" who want to mess with other software "owners".

Re:Ultimate Control. (1)

Afecks (899057) | more than 7 years ago | (#18459685)

A fancy computer that does not do the task you want it to is not doing you any good.

But it is doing what the customer wants. They want a baseline configuration and any programs that don't work with their configuration aren't allowed.

You're trying so hard to turn this around and make it about Microsoft but they have little to do with it. This is the federal government making up these rules. If they don't want to allow program X because program X doesn't support feature Y then that's nobody's problem but the authors of program X.

The proposed flexibility will inevitably sink to Dell software install options and people who want to get work done with specialized programs will be forced off Windoze or suffer with second rate software on expensive hardware.

Oh please, don't act like open source doesn't exist in Win32. If you think program X is "second rate" then make a better version. I know of several free compilers if you'd like me to point you to them.

--
Every time someone buys a Windows PC, a twitter dies.

Re:Ultimate Control. (0)

Anonymous Coward | more than 7 years ago | (#18460085)

For someone who accuses me of being 'silly' (what are you, twelve?), you completely avoided my point: this is still a government-mandated change. I couldn't even begin to predict how much damage Microsoft would do to their relationship with the government if they acted the way you're 'predicting'. It is not Microsoft saying how a computer should operate, as pointed out in the article it is the current administration who wants limits on what will run and what won't.

As for your 'advantages of free software': Too easy.

First, it's easy to tell what works and upgrades are already painless.

Ubuntu and nVidia drivers. Not all upgrades are painless, because you can't foresee everything. Developers are human, not robots. There are plenty of instances where upgrades [kryogenix.org] break [litech.org] something [sladen.org] important. [dcglug.org.uk]

Second, if something does not work, it will be fixed quickly.

From linked article: [internetnews.com]

RHEL Linux average time to fix any class of vulnerability: 58 days.
Microsoft windows average time to fix any class of vulnerability: 13 days.

Third, and most importantly, the software does not have "owners" who want to mess with other software "owners".

Tell that to Gentoo users that have had several developers quit over the last few months due to differences of opinion. A lack of ownership can actually negatively impact development when there are conflicts that can't be resolved due to a lack of a resolution path.

That's one way to look at it. (5, Insightful)

khasim (1285) | more than 7 years ago | (#18459183)

The net result will be identically configured computers with fewer applications, a bot maker's paradise.

Yep. That's one way to look at it.

A different way to look at it is that a known, reduced configuration allows vulnerabilities to be patched (government-wide) at the lowest level possible with minimum code necessary.

I for one fucking HATE the 500MB "service packs" that are released. It is far easier to test frequent, minor changes than infrequent MASSIVE changes. And it looks as if the Federal Government is finally catching on to that fact.

#1. There is no security without physical security.
#2. Run only what you absolutely need.
#3. Run it with the minimum possible rights.

Re:That's one way to look at it. (1)

twitter (104583) | more than 7 years ago | (#18459255)

A different way to look at it is that a known, reduced configuration allows vulnerabilities to be patched (government-wide) at the lowest level possible with minimum code necessary.

You may also minimize the work your users can do, on Windoze at least.

Re:That's one way to look at it. (4, Funny)

ColdWetDog (752185) | more than 7 years ago | (#18459307)

You may also minimize the work your users can do, on Windoze at least.

You're talking about the Federal Government here, I'm not sure that is at all a relevant concern. At worst, it's a feature, not a bug.

Re:That's one way to look at it. (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18459999)

And it looks as if the Federal Government is finally catching on to that fact. ...
#3. Run it with the minimum possible rights.


Too bad they think that applies to people too.

Re:Monoculture Worries. (2, Insightful)

mabhatter654 (561290) | more than 7 years ago | (#18459483)

This is a very good thing!! The feds are simply stating they will be using a particular configuration of windows their experts have determined increases security and removes the gaping holes the default WinTel box at the store ships with. They're mandating that all their vendors get with the program and MAKE their software work with the new increased security settings already built into Windows. It's what Microsoft keeps promising to do when they say "most secure ever" but then the first thing vendors do is require IT to "turn down" security settings because highly paid programmers can't be bothered to make their software work properly under security settings.

We see this all the time on home PCs where you have to be Admin to run simple games... the feds are saying NO MORE to that. This is a VERY good thing!!

Re:Monoculture Worries. (4, Funny)

FlopEJoe (784551) | more than 7 years ago | (#18459717)

The net result will be identically configured computers with fewer applications

That's a Mac, right?

Security (5, Funny)

Mateo_LeFou (859634) | more than 7 years ago | (#18458671)

Well, if there's one White House that I think might be experts on Security, it's this one

Re:Security (4, Insightful)

eln (21727) | more than 7 years ago | (#18458765)

Actually, this White House seems to champion the idea of "security through obscurity," which puts them right in line with Microsoft's idea of security. This should work out well.

Security and Liberty. (3, Insightful)

twitter (104583) | more than 7 years ago | (#18458947)

Well, if there's one White House that I think might be experts on Security, it's this one.

I'm not very impressed with most of the "security" people have traded their liberty for. The failure [slashdot.org] is nowhere more apparent than the non free computing world [slashdot.org].

Re:Security and Liberty. (1)

Macthorpe (960048) | more than 7 years ago | (#18459007)

nowhere more apparent than the non free computing world [slashdot.org].

Read that article again. 1 in 4 computers, not 1 in 4 Windows computers.

I was so happy you managed to keep your bias out of the summary, but then you had to go and ruin it, didn't you?

Calculation... (1)

Mateo_LeFou (859634) | more than 7 years ago | (#18459377)

Don't you have to finish the math before making judgment positive or negative, i.e.

25% of computers are bots -- let's say 500 million computers. What % of those run windows? Is it higher or lower than the % of *all computers that are running windows?

Re:Calculation... (1)

Macthorpe (960048) | more than 7 years ago | (#18459847)

Let's be honest, I wasn't the one misrepresenting the situation in the first place. What I'm saying is that the number given isn't indicative of anything at all in the context of what he was saying - he says 1 in 4 computers being in a botnet shows inherent insecurity in non-free OSes, and that is not the case at all.

I absolutely agree with you that there needs to be more facts before we can make a decision either way - hence my point.

If I Have Learned One Thing... (5, Insightful)

Anonymous Coward | more than 7 years ago | (#18458705)

If I have learned one thing when dealing with the federal government, it is where there is a regulation there is always a way to get an exception to that regulation.

Yikes! (3, Insightful)

martyb (196687) | more than 7 years ago | (#18458729)

One word: Monoculture.

Yes, this might be a darn sight better than what currently exists, but having all the systems have the same configuration is just ASKING for trouble. I predict that within two years, some virus or the like which would have attacked just a department or two is going to hit a huge swath across multiple departments, instead.

Unless, of course, the federal government has figured out how to configure their systems to be entirely secure. In which case, I'd suggest they share it with Microsoft and the rest of the systems on the internet.

Re:Yikes! (1)

Mateo_LeFou (859634) | more than 7 years ago | (#18458755)

Are you suggesting that Bruce Schneier [schneier.com] knows more about security than W and friends?

I'm looking forward to color-coded "Vista Alert Level" updates and thousands of other goodies.

Re:Yikes! (1)

gEvil (beta) (945888) | more than 7 years ago | (#18458965)

I'm looking forward to color-coded "Vista Alert Level" updates

Why do I suspect that the highest level will be blue?

Re:Yikes! (4, Funny)

Trona Andy (983314) | more than 7 years ago | (#18458897)

You have it all wrong. This is going to work because the Decider has said it has to work. Case closed, just like the wonderful success we're having making Baghdad a bastion of stability and tolerance for political, religious and cultural difference. You go, George!

Re:Yikes! (1)

RingDev (879105) | more than 7 years ago | (#18459375)

I wouldn't go so far as to say Monoculture... All jokes aside, there are a lot of highly skilled IT professionals in the government sector, there just also happens to be a large number of incompetent ones as well. The competent ones will continue to run tight ships with secure and functional networks, and the incompetent will continue to run crap piles, although with this regulation they would at least be given "less smelly" crap to add to their respective piles.

-Rick

Re:Yikes! (3, Insightful)

afidel (530433) | more than 7 years ago | (#18459379)

Since the current monoculture for Windows PCs in government is probably the default windows install, a more secure default configuration can't possibly be a worse situation.

That's strange.. (0)

Anonymous Coward | more than 7 years ago | (#18458739)

Re:That's strange.. (1)

morgan_greywolf (835522) | more than 7 years ago | (#18459125)

Because, if you read the article you linked to, you'd know that Windows has had more severe vulnerabilities than both OS X and Red Hat, really making Windows the least secure.

Re:That's strange.. (0)

Anonymous Coward | more than 7 years ago | (#18459305)

Your sarcasm detection abilities are top-notch.

Re:That's strange.. (1)

mabhatter654 (561290) | more than 7 years ago | (#18459551)

I'd bet the Feds over all, through all the departments spend HUNDREDS of millions of dollars on Windows desktops per year!! If the feds would even offer Apple or Red Hat 1/10 of that business they'd comply automatically without being asked.

From TFA... (5, Funny)

Steve--Balllmer (1070854) | more than 7 years ago | (#18458751)

"No Vista application will be able to be sold to federal agencies if the application does not run on the secure version of Vista,"

I just wanted to let you know all of those people who purchased "Unsecured Version" of Vista can upgrade to the "Secure Version" for a fee, when it is released (probably in late 2009-early 2010).

Sincerely,
Steve "Monkeyman" Ballmer

Re:From TFA... (2, Insightful)

wizzahd (995765) | more than 7 years ago | (#18459347)

I was unaware that there is a "secure" version.

Re:From TFA... (1)

alexandreracine (859693) | more than 7 years ago | (#18459711)

You misspelled "for free"...

Re:From TFA... (1)

mgblst (80109) | more than 7 years ago | (#18460005)

Wow, that is going to piss off about a dozen people, way to go Steve.

So long Apple (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18458767)

Good to know the Feds are doing this for PCs.

Say goodbye to Apple in the Federal workspace, Vista is getting the 'required' stamp.

Re:So long Apple (1)

geoffrobinson (109879) | more than 7 years ago | (#18459295)

When was the last time someone saw an Apple in a federal work area? I'm not being snarky. Seriously, when?

Quoting myself (4, Insightful)

starglider29a (719559) | more than 7 years ago | (#18458773)

http://slashdot.org/comments.pl?sid=152118&cid=12764232 [slashdot.org]

Has anyone considered if [Apple adopting Intel] is *** INTEL's *** way of diversifying, as an "off world colony of Planet Wintel"? In other words, is this a backup location in the seemingly increasingly likely implosion of the "Win Wing" of WinTel? Nothing is "unthinkable", merely improbable.

Blustery pundits have used the phrase "national security risk" when referring to Windows. What if it were outlawed in government facilities? I have worked with LARGE corporations that 'forbade' IE on the computers. What if something unthinkable, as unthinkable as an asteroid strike is on Planet Earth, happened to Windows?

---
Don't put all yer x86's in one basket
------
And myself in 1998

The day will come when WinPlanet implodes. It happened to IBM. Hell, it happened to Apple. On that day, you will ask the reflection in your blank monitor the question, "Where do you want to go today?" [made with Mac logo]

Re:Quoting myself (0)

Anonymous Coward | more than 7 years ago | (#18459241)

Has anyone considered if [Apple adopting Intel] is *** INTEL's *** way of diversifying, as an "off world colony of Planet Wintel"?

"A new life awaits you in the Off-World Colonies. The chance to begin again in a golden land of opportunity and adventure, new climate, recreational facilities ..."

Re:Quoting myself (1)

Magada (741361) | more than 7 years ago | (#18459459)

Thanks for the laugh.

Re:Quoting myself (0)

Anonymous Coward | more than 7 years ago | (#18459479)

> What if something unthinkable, as unthinkable as an asteroid strike is on Planet Earth, happened to Windows?

Windows would be shattered?

Re:Quoting myself (0)

Anonymous Coward | more than 7 years ago | (#18459497)

The day will come when WinPlanet implodes. It happened to IBM. Hell, it happened to Apple. On that day, you will ask the reflection in your blank monitor the question, "Where do you want to go today?" [made with Mac logo]


Linux. No single company to "implode". I'm already there, in fact. [made with Gimp logo]

And this is unusual why? (3, Funny)

Itninja (937614) | more than 7 years ago | (#18458779)

No Vista application will be able to be sold to federal agencies

What!!?? You mean that my local Social Security office will not be upgrading?

I was there a few weeks ago and they all were using what looked like Windows 98 still. I don't think 'Vista' and 'federal agency' will be in the same sentence again for many, many years.

Re:And this is unusual why? (2, Interesting)

jfengel (409917) | more than 7 years ago | (#18459117)

And ya know, that's not necessarily a bad thing.

I don't know exactly what goes on in that office, but I suspect it hasn't changed radically in 10 years. They're probably running identical software, perhaps with occasional upgrades. Probably some custom application providing access to their database. Why replace all the hardware just to stay in place?

Sure, the security of 98 is a nightmare. They definitely need to keep these computers behind a firewall, and in fact preferably with absolutely no access at all. Buy different computers if they need to do email or web surfing; these computers are a complete loss from a security standpoint. But if all they need to do is run some set of applications that haven't changed in years, don't fix what ain't broke.

Re:And this is unusual why? (1)

Itninja (937614) | more than 7 years ago | (#18459539)

"Microsoft. Reinventing the wheel since 1989" That's why!

Re:And this is unusual why? (1)

xealot (96947) | more than 7 years ago | (#18459841)

They're probably running identical software, perhaps with occasional upgrades. Probably some custom application providing access to their database

I work for Sacramento county mental health services. Our computers here run Win2k, and the most important software we use is apparently located on a couple IBM mainframes which serve the entire county/state, which we access through telnet. I can't imagine any single area where my productivity would improve by "upgrading" to Vista. However, considering we deal with Private Health Information, which includes SS#, Medi-Cal ID, etc.. I'd feel much more comfortable running linux using ssh. I'm surprised there isn't a huge botnet running out of every county office in the state.. in fact, there probably is for all I know.

Re:And this is unusual why? (0)

Anonymous Coward | more than 7 years ago | (#18459231)

You sure it wasn't Windows 2000?

Secure Vista... (5, Insightful)

Anonymous Coward | more than 7 years ago | (#18458789)

...is like Unbreakable Oracle. A nice name for a marketing campaign. Something it would be nice to have. But probably a pipe dream. And it's a naming that's almost DARING people to try to break it. Not the best idea in that regard.

That said, it must be acknowledged that the federal government is actually showing some real intelligent thinking here for a change, and we should support that. "Just use whatever configuration Microsoft shipped it with" is dangerous thinking. They're looking at what services should be running, how things should be configured, etc., with a mindset of security (and not, mercifully, "ease of use"). This is a Very Good Thing.

Yeah, we can rail at "defective by design" ideas in Windows all we want, but one of the big security complaints about Microsoft OS'es is that they are NOT "Secure by default." Changing defaults doesn't get you home for security, but let's applaud a positive step, and hope Microsoft takes some note of this.

HAHAAH (0, Flamebait)

Anon-Admin (443764) | more than 7 years ago | (#18458857)

HAHAHAHAHAHAHAHAH,,,,HAHAHAHAHAHAHAAHA Secure Windows, HAHAHAHAHAHAHAHAHAHAHAHAHA

I wonder if the spyware/Viruses/Trojans will run on it?

HAHAHAHAHAHAHAHAHAHAHAHAHAHAAHHAAHAHAHAH,,,,,HAHAH AHAHAHA

Sorry I can't help myself.... The government wants to secure windows.... HAHAHAHAHAHAHAHAHAHAHAHAHAAHA

The only way I know to truly secure windows is to turn it off and unplug it from the network!

HAAHAHAHAHAHAHAAH

Re:HAHAAH (3, Funny)

AP2k (991160) | more than 7 years ago | (#18458921)

Where is the "Beyond Overrated" or "Stupid" mod tags when you need them?

You might need this:

#include <stdio.h>
int main(void) {
    while(1){ printf("HA"); }
}

Re:HAHAAH (1)

loafing_oaf (1054200) | more than 7 years ago | (#18459043)

Networking in Vista is easier than ever. Now, you'll always have access to the latest and greatest new viruses.

Madness (-1, Troll)

voice_of_all_reason (926702) | more than 7 years ago | (#18458887)

All along, the answer to virii, malware, hacking, and botnets was right at our fingertips. Just have the government "mandate" Windows be secure!

Let's just follow King Canute instead. At least he was kidding around when he told the sea to obey him.

Re:Madness (0)

Anonymous Coward | more than 7 years ago | (#18459639)

Your point would be taken more seriously if you could pluralise "virus" correctly

Will make problems for R&D/scientific applicat (1)

a_timid_mouse (607237) | more than 7 years ago | (#18458935)

There's a lot of talk around NASA how this will cause huge headaches for scientists and R&D folks. There are very determined efforts afoot to homogenize Windows support and configuration at all NASA centers. Will make for a great bot target, and will most likely stifle development of new technologies to support NASA missions and objectives.

If apps can run without admin accounts... (2, Interesting)

denis-The-menace (471988) | more than 7 years ago | (#18458955)

If this makes most apps able to run without admin accounts it will be a step in the right direction.
Where I work, I waste half my time tweaking and prodding half-assed, government-mandated, useless POS apps just for them to work without being an administrator.

It seems Windows developers will always trade end-users' security to prevent permissions-issue support calls. And *ALL* of them develop and test as administrators. QA'ing with a user account is too much work.

BTW: Yes, the other half of my time is paperwork.(close to TPS reports)

Re:If apps can run without admin accounts... (1)

mabhatter654 (561290) | more than 7 years ago | (#18459659)

Bonus points if they made this an open spec to follow. Then state govts could benefit as well for their depts and schools. Hopefully it will be an "evolving" standard, perhaps on a yearly basis, then the industry could pick it apart and help make it better!!!! (I'm hungry for pie in the sky now) The one thing Microsoft hasn't been able to fix is their developers!developers!developers! refusing to adopt the new security features and dragging the ship down.

Something they should've done 10 years ago (0)

Anonymous Coward | more than 7 years ago | (#18458959)

Maybe now we'll start to see a decrease of .gov and .mil boxen in the botnets...

It's a step in the right direction. A bold baby step.

Where did March go? (0, Funny)

Anonymous Coward | more than 7 years ago | (#18458979)

Is it April 1st already?

Re:Where did March go? (1)

Anon-Admin (443764) | more than 7 years ago | (#18459443)

Thanks, You got me.

I actually looked at my calendar to see if it was April 1st. :)

Stamp out diversity! (1)

PingSpike (947548) | more than 7 years ago | (#18458987)

Yes...I think the security problems caused by the monoculture can definitely be solved by making the various installs of this operating system as close to identical as possible. Furthermore, we should post all of these assumed similarities somewhere that all can see.

Heh, that's not to say any other OS would do great as the de facto standard either. I'm no big fan of windows these days, but if linux or macOS were top dog they'd be the target too. I just have to question the wisdom of this logic: This isn't working, so let's do it even harder!

Re:Stamp out diversity! (0)

Anonymous Coward | more than 7 years ago | (#18459423)

You are, with due respect, an idiot. Whether you're a DANGEROUS idiot depends on whether you work in a position that requires you to deal with machine configuration, which I kind of doubt, but I'm open minded.

Before you get into the "rail against monoculture!" Slashdot groupthink, consider the following.

Which of the following sets of desktop firewall rules for a 1000 desktop environment do you consider more secure?
* All 1000 have a single set of firewall rules. These rules drop all externally generated connection requests. They allow outgoing connections only from a set of approved applications, and only on specified ports.
* All 1000 have potentially different firewall rules, ranging from the configuration above to "Wide open!" to (what I usually find) whatever you get when someone tries to "make the popups go away by telling them everything is OK" and is potentially different on each machine.

If you think the first group is less secure because it's an evil monoculture, well, I'm glad I don't have to work with you.
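An added example, written for this page and not code from the post above or from any Slashdot contributor: a small Python script that expresses the first option (drop all inbound, allow outbound only for approved programs on specified ports) as a single baseline policy and checks constructed rule sets from four desktops against it, reporting which hosts match the baseline, which have merely drifted, and which have been clicked into the "wide open" state. The one-line rule format, the host names and every rule are invented for the example.

```python
"""Check per-host firewall rule sets against a single baseline policy (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str       # "in" or "out"
    action: str          # "allow" or "drop"
    app: str             # executable name, or "*" for any program
    port: Optional[int]  # None means any port


def parse_rule(line: str) -> Rule:
    """Parse one rule written as '<in|out> <allow|drop> <app|*> <port|any>'.
    This text format is invented for the example, not any real firewall's syntax."""
    direction, action, app, port = line.split()
    if direction not in ("in", "out") or action not in ("allow", "drop"):
        raise ValueError(f"bad rule: {line!r}")
    return Rule(direction, action, app, None if port == "any" else int(port))


def parse_ruleset(text: str) -> FrozenSet[Rule]:
    """Parse a block of rule lines, skipping blanks and '#' comments."""
    return frozenset(
        parse_rule(line) for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    )


# The uniform policy the post describes: every inbound request dropped,
# outbound allowed only for approved programs on specified ports.
BASELINE = parse_ruleset("""
in  drop  *            any
out allow outlook.exe  443
out allow iexplore.exe 80
out allow iexplore.exe 443
""")

DROP_ALL_INBOUND = parse_rule("in drop * any")


def diff_against_baseline(host_rules: FrozenSet[Rule], baseline: FrozenSet[Rule] = BASELINE
                          ) -> Tuple[FrozenSet[Rule], FrozenSet[Rule]]:
    """Return (rules the host lacks, rules the host has that the baseline does not)."""
    return baseline - host_rules, host_rules - baseline


def classify_host(host_rules: FrozenSet[Rule], baseline: FrozenSet[Rule] = BASELINE) -> str:
    """'compliant' if identical to the baseline; 'wide-open' if the inbound drop is gone
    or an inbound / wildcard-outbound allow was added; otherwise 'drift'."""
    missing, extra = diff_against_baseline(host_rules, baseline)
    if not missing and not extra:
        return "compliant"
    opened_up = any(
        r.action == "allow" and (r.direction == "in" or r.app == "*") for r in extra
    )
    if DROP_ALL_INBOUND in missing or opened_up:
        return "wide-open"
    return "drift"


def audit(fleet: Dict[str, FrozenSet[Rule]], baseline: FrozenSet[Rule] = BASELINE) -> Dict[str, str]:
    """Classify every host in the fleet."""
    return {host: classify_host(rules, baseline) for host, rules in fleet.items()}


# Constructed rule sets for four desktops (invented data, not from any real network).
FLEET = {
    "desk-001": BASELINE,                      # matches the baseline exactly
    "desk-002": parse_ruleset("""              # one extra narrow outbound allow
        in  drop  *            any
        out allow outlook.exe  443
        out allow iexplore.exe 80
        out allow iexplore.exe 443
        out allow updater.exe  8530
    """),
    "desk-003": parse_ruleset("""              # the 'make the popups go away' machine
        in  allow game.exe     27015
        in  drop  *            any
        out allow *            any
    """),
    "desk-004": parse_ruleset("""              # inbound drop rule removed entirely
        out allow outlook.exe  443
        out allow iexplore.exe 80
        out allow iexplore.exe 443
    """),
}


def summary(fleet: Dict[str, FrozenSet[Rule]] = FLEET, baseline: FrozenSet[Rule] = BASELINE) -> Dict[str, int]:
    """Count hosts per state; with one baseline the answer is a set difference per host."""
    counts = {"compliant": 0, "drift": 0, "wide-open": 0}
    for state in audit(fleet, baseline).values():
        counts[state] += 1
    return counts


if __name__ == "__main__":
    for host, state in audit(FLEET).items():
        print(f"{host}: {state}")
    print(summary())
```

The point the post makes shows up in the code: because there is exactly one baseline, checking a host is a set difference, and the two "wide open" machines are distinguishable from harmless drift by asking only whether the inbound drop survived and whether any inbound or wildcard allow was added. With a different policy per machine there is nothing to difference against.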

Re:Stamp out diversity! (1)

B3ryllium (571199) | more than 7 years ago | (#18459487)

The obvious answer is to run everything through a single LinkSys home office router, and then not have any firewalls on individual machines. :)

I hate the US (0, Troll)

stratjakt (596332) | more than 7 years ago | (#18458997)

They are so racist, and hate muslims.

I'm going to move to germany, who are progressive enough to allow muslims to beat their wives [foxnews.com], because the Koran says it's OkEeDokee.

What a bunch of cowards. That's how afraid they are of the islamic world, a judge will rule it's OK for a muslim man to abuse his wife - rather than offend the muslims.

Just like the cowards in Minnesota, who won't revoke the licenses of muslim cab drivers who refuse to pick up the blind, in blatant opposition to the ADA.

Cowardice disguised as PC. Terrorism is real, and has worked.

Quit blaming Bush for all of the country's problems, because you're too cowardly to point at the real problem.

great moments in the bush administration (0, Flamebait)

circletimessquare (444983) | more than 7 years ago | (#18459031)

"We shall topple Saddam and Iraq will be a bulwark of^W against terror"

(waves magic wand)

"We shall put our best men (cough) in charge and New Orleans will be spared the worst from Hurricane Katrina"

(waves magic wand)

"We shall mandate that Windows be secure and it shall, simply because we say it should be so"

(waves magic wand)

National Operating Systems Commission! (0)

Anonymous Coward | more than 7 years ago | (#18459067)

Several years ago at the anti-trust trial they ridiculed the idea of someone else determining what should and shouldn't be in their Operating System. They twisted what the Intuit CEO said, saying it would result in a National Operating System Commission. Some of us thought that idea would come back to bite them some day - and this appears to be the day. It IS a good idea for the Feds to standardize on a minimum set of functions, saying what they think should be the operating system functionality (and by default, what not). Surely it is somewhat arguable, but it is a good start, with a CUSTOMER saying what their idea of an OS is.

[Search Google for >> Microsoft antitrust "national operating system commission" ]

Re:National Operating Systems Commission! (2)

AP2k (991160) | more than 7 years ago | (#18459201)

Shouldn't this apply to OSes that are commercially sold? At some point I may write my own OS and release it under GPL. Should I be forced to write in functions for security, even though I am operating a car? What about embedded Linux OSes? What about FreeRTOS?

I don't think forcing OS makers to include specific functions is a step in the right direction. I think that suggesting the same is a good idea, however.

Standard Best Practice (0)

Anonymous Coward | more than 7 years ago | (#18459081)

And this differs from standard practices in most large corporations...how?

Yes, monocultures are "infect one, infect all." However, not knowing what's running on machines, having nonstandard installed apps, allowing users to override security settings, etc. is a terrible idea for security as well. Not only does it usually lead to MORE possible exploit vectors, it also makes support a nightmare.

Every company of more than 500 employees I've dealt with has had a "standard" desktop image for its software, and restrictions about what you can do with company equipment. I'd suggest anyone suggesting this is a bad idea has no idea what supporting a large number of user machines is like. Locking down to a standard, reviewed, "secure by default" configuration is CONSIDERABLY BETTER than any plausible alternative.

It's too darn easy to say "monocultures bad!" Which is, in the abstract, true. But not when the difference between the pre-existing polyculture and the new monoculture is by removing exploit vectors present in the original polyculture. This is bad...how?

Also, at the very least, with a limited and common set of vulnerabilities, the IT staff can focus on guarding the doors they know are open, without worrying about someone coming in through the now-bricked-up window.

I'm a bit confused here.... (1)

zappepcs (820751) | more than 7 years ago | (#18459091)

Not that I don't like a good MS bashing, but the government should be getting the bashing right now, not MS. The government branches/organizations should have been doing this all along, that is making every effort to ensure that their computing platforms are secure, AND comparing one vendor against another. That is how smart businesses are run. The fact that they are just now doing this is fscking scary! What compromises have already been exploited and not discovered as yet?

That it has been mandated to secure Windows installations and applications that run on it is in fact a step in the right direction. Now they just have to do the same with ALL other computing platforms. The NSA has a few hints on that http://it.slashdot.org/article.pl?sid=07/01/09/1356222 [slashdot.org] and there is also help for Linux? http://books.slashdot.org/article.pl?sid=07/03/14/1534241 [slashdot.org]

To me, this is something that should have ALREADY been done several years ago. If they manage to get through all the virus/malware attacks without suffering loss of information I'll be amazed since they are just now mandating secure computing environments??? WTF?

Honesty (5, Funny)

DoofusOfDeath (636671) | more than 7 years ago | (#18459107)

White House Specifies And Mandates Secure Windows

Look, if they just don't want to use Windows why can't they say so???

What, no "haha" tag? (0, Troll)

Scareduck (177470) | more than 7 years ago | (#18459131)

Seriously, can Windows — any version — be made secure?

Re:What, no "haha" tag? (1)

i.r.id10t (595143) | more than 7 years ago | (#18459281)

Yup. Just unplug the network cable (and don't go wireless) and post a physical guard for the physical security.

Re:What, no "haha" tag? (1)

rolfwind (528248) | more than 7 years ago | (#18459749)

I still don't trust that. How about unplugging the electric cord?

Re:What, no "haha" tag? (1)

allscan (1030606) | more than 7 years ago | (#18459381)

Of course, just don't hook it up to any tubes.

Re:What, no "haha" tag? (1)

Rohan427 (521859) | more than 7 years ago | (#18459741)

Sure, here's the instructions:

1. If you have a Windows installation CD, get it and set it aside. You will need it for a later step.
2. Boot the computer.
3. Make a Windows Boot Floppy.
4. Restart the computer with the floppy and boot it to the command line.
5. Type fdisk at the command prompt and hit Enter.
6. Follow the on-screen instructions for deleting all partitions on all hard drives.
7. Remove the floppy and set it aside for the moment.
8. Reboot the computer and install any operating system that is not made by Microsoft.
9. Take the installation CD (from step 1) and the floppy and burn them both.

PGA


Regulated businesses already have this (5, Insightful)

zerofoo (262795) | more than 7 years ago | (#18459147)

I was the network manager for a bank a while back, and during our audits we were given a list of registry/active directory policies required to get a good rating by those auditors. They also had a list of services that needed to be disabled as well (unless there was a compelling business case for those services).

I have to admit, the federal regulators did not ask us to do anything that I did not agree with. The only exception was changing our default SQL server port. I think that was around the slammer virus time and that was the quick fix. Unfortunately their "quick fix" turned into months of application research trying to figure out what we were going to break by changing the SQL port. I told the auditors that a quick nmap scan would reveal the new port easily.....and future worms would have that ability built-in. They made us change it anyway.

Beyond that, they also looked at our audit trail, monitoring and alerting, and our network/firewall architecture. You pretty much had to do everything they asked or you lost your FDIC insurance.

You should be glad the feds care about bank security....after all, it is your money they are protecting.

-ted

Hmmm.... (0, Troll)

RobertM1968 (951074) | more than 7 years ago | (#18459165)

"No Vista application will be able to be sold to federal agencies if the application does not run on the secure version of Vista," explained Alan Paller, director of research at The SANS Institute.'"

I didnt know there was such a thing... :-)

Laugh, it was supposed to be funny!

we can't disclose the settings (0)

Anonymous Coward | more than 7 years ago | (#18459233)

GWB and Co. live by and love security by obscurity. So, while it's mandated that software run in the most secure setup, they a) won't tell you what the settings are,
b) will slap a gag order on if you ask what the settings are because:
1) if the public were to know you asked then it could be dangerous
2) if the public were to know about yet another about which the public is not allowed to know it could be dangerous
3) if the public were to know that someone knows about yet another about which the public is not allowed to know it could be dangerous
4) if a vendor asks about the settings then they might talk with Karl Rove or Dicky C and everybody knows those blabber mouths can't keep a secret what with Karl admitting the vote fixing last fall by claiming that he had "the math", and Dick can't keep his mouth shut about CIA operatives.

and c) and get Bert to sue you if you point out that it's readily apparent that they left the most commonly hijacked ports wide open.

Vista only? Who are you foolin'? (1)

idiosynchronic (582249) | more than 7 years ago | (#18459235)

Never mind that most researchers are ambivalent that Vista is actually more secure than the previous Windows XP. Never mind that most large organizations take YEARS to adopt new operating systems - Principal Financial Services, headquartered in my town as a major employer, adopted XP 3 years after it was released! TFA is not necessarily "White House says use our secure Vista or You're Fired!" It's about standardizing the security settings on both existing XP and future Vista systems. Vista is promoted in the article because all federal databases and applications will have to run on it someday. I'll let the better geeks argue about homogeneity of systems, Vista's general health and superior security still being evaluated - and not mention the value of using MS vs the OS 'nixes. But the summary is specious. (But what else is new?)

That's great, but... (1)

evil_Tak (964978) | more than 7 years ago | (#18459243)

This won't really make much difference when Manager Bill at the Social Security Administration takes a bunch of people's personal data home, to work over the weekend, and copies it over to the spyware-infested botnet zombie sitting in his home office.

But my application requires admin rights! (1)

zerofoo (262795) | more than 7 years ago | (#18459247)

How many times have you heard this from your users?

The government is now putting developers on notice. If your application needs something strange.....like administrative / root access for all who use the app, then guess what - you can't sell that application to the US government.

I'm actually happy to hear this. All users on our network run as a standard user. No one outside of our IT department gets administrative or root access....if their application requires it.....too bad.

-ted

Why don't they roll their own? (2, Interesting)

Peter Trepan (572016) | more than 7 years ago | (#18459251)

Why don't they have a DARPA-BSD or something, so they can secure the code themselves? Can the government not afford any CS majors?

Re:Why don't they roll their own? (4, Informative)

evil_Tak (964978) | more than 7 years ago | (#18459417)

Or perhaps some kind of security-enhanced Linux [wikipedia.org] variant...the NSA [nsa.gov] could even help develop it!

Mandates secure windows.... (3, Funny)

gmuslera (3436) | more than 7 years ago | (#18459273)

what next in the agenda? Mandate water to flow upwards? Ice to burn things? Pigs to fly?

There are rumors that such things exist, in very special cases, but it is easier to see pigs fly than to see a secure Windows machine.

Re:Mandates secure windows.... (1, Flamebait)

abb3w (696381) | more than 7 years ago | (#18460067)

what next in the agenda? Mandate water to flow upwards? Ice to burn things? Pigs to fly?

Trying to set "pi" equal to three [bible.cc] is a traditional pastime of Bible thumpers, and about on my expectation level for this White House.

There are rumors that such things exist, in very special cases, but is easier to see pigs fly than to see a secure windows machine.

This is because most geeks who try it find building a trebuchet simple and fun, with clear documentation readily available. It also usually involves less shit being thrown at your efforts to make the project blow up.

Shocking (0)

Anonymous Coward | more than 7 years ago | (#18459301)

After six years of idiocy and incompetence, it's actually amazing an intelligent, well thought out decision was made.

It must have accidentally slipped through the cracks. Now that Slashdot pointed it out, they will probably decide to "standardize" on Lunix. I'm sure their rollout would go as swimmingly as Munich's Linux rollout... or Bush's wars in Afghanistan or Iraq.

Their real problem is (0, Flamebait)

JustNiz (692889) | more than 7 years ago | (#18459303)

this incorrect but nevertheless pervasive presumption that the only PC OS in the world is a Microsoft product.

Why don't they just switch to Linux? end of security problem.

Re:Their real problem is (1)

inviolet (797804) | more than 7 years ago | (#18459689)

Why don't they just switch to Linux? end of security problem.

Linux would not be so secure if it became mainstream, or if it became the dominant OS in use at a valuable target (US government computers). Presently, Linux doesn't receive near the same blackhat attention that Windows does.

As well, Linux is no more secure than its administrators are competent. There is not a lot of Linux expertise out there right now. If the feds switched to Linux tomorrow, it would be quite a while (and truckloads of money) before we reached critical mass of Linux administration skills. Until that time, there would be a lot of broken, misconfigured, and unpatched Linux installations.

Right Hand. Meet Left Hand. (1)

asphaltjesus (978804) | more than 7 years ago | (#18459433)

NIST does a very nice job specifying _how_ to harden a windows PC.

I have a feeling whomever is issuing directives at the white house hasn't bothered to check with NIST. http://csrc.nist.gov/itsec/guidance_WinXP.html [nist.gov]

I just noticed they've got a Vista document going.

I've hardened PCs the NIST way. Most applications do very unexpected things when you least expect it.

This, by the way, is clearly the result of strenuous lobbying on Microsoft's part so early in the Vista game.

A word on federal security mandates (2, Insightful)

192939495969798999 (58312) | more than 7 years ago | (#18459453)

In terms of making "unbreakable" anything, this will be as successful as the stripe in money. Within a week of the Mint putting a plastic stripe in money, there were guys in bars demonstrating how to take said stripe back out. While that is a fairly victimless crime, demonstrating how to hack and debilitate the "government standard" vista configuration will just lead to a massive botnet as everyone (except the appropriate govt bodies, of course) has already figured out.

Dumb question, maybe. (1)

seandiggity (992657) | more than 7 years ago | (#18459473)

Maybe this is a dumb question but it seems too obvious not to mention: If a Vista app requires one of the services the White House's "secure" Vista has turned off by default, does that mean it can't be installed (or at least shouldn't be installed if the mandate is actually followed)? How about if the application installs a new service?

Switch? (1)

HalAtWork (926717) | more than 7 years ago | (#18459511)

If it's not secure and doesn't work the way they want, shouldn't they find another product, and shouldn't Microsoft be responsible for identifying and fixing these problems and not the government with our tax dollars?

The actual OMB memo (3, Informative)

beetle496 (677137) | more than 7 years ago | (#18459527)

The actual OMB memo (pdf, sorry) can be found at URL:
http://www.whitehouse.gov/omb/memoranda/fy2007/m07-11.pdf [whitehouse.gov]

The text follows:

EXECUTIVE OFFICE OF THE PRESIDENT
OFFICE OF MANAGEMENT AND BUDGET
WASHINGTON, D.C. 20503
DEPUTY DIRECTOR FOR MANAGEMENT
March 22, 2007

M-07-11 / MEMORANDUM FOR THE HEADS OF DEPARTMENTS AND AGENCIES

FROM: Clay Johnson / Deputy Director for Management

SUBJECT: Implementation of Commonly Accepted Security Configurations for Windows Operating Systems

To improve information security and reduce overall IT operating costs, agencies who have Windows XP™ deployed and plan to upgrade to the Vista™ operating system, are directed to adopt the security configurations developed by the National Institute of Standards and Technology (NIST), the Department of Defense (DoD) and the Department of Homeland Security (DHS).

The recent release of the Vista™ operating system provides a unique opportunity for agencies to deploy secure configurations for the first time when an operating system is released. Therefore, it is critical for all Federal agencies to put in place the proper governance structure with appropriate policies to ensure a very small number of secure configurations are allowed to be used.

DoD has worked with NIST and DHS to reach a consensus agreement on secure configurations of the Vista™ operating system, and to deploy standard secure desktops for Windows XP™. Information is more secure, overall network performance is improved, and overall operating costs are lower.

Agencies with these operating systems and/or plans to upgrade to these operating systems must adopt these standard security configurations by February 1, 2008. Agencies are requested to submit their draft implementation plans by May 1, 2007 at fisma@omb.eop.gov. With your endorsement we will work with your CIOs on this effort to improve our security for government information. If you have questions about this requirement, please contact Karen Evans, Administrator, E-Government and Information Technology at (202)395-1181 or at fisma@omb.eop.gov.

Re:The actual OMB memo (0)

Anonymous Coward | more than 7 years ago | (#18460043)

net stop Netman

Hrm ... (3, Insightful)

B3ryllium (571199) | more than 7 years ago | (#18459587)

While this sounds like a good thing on the surface (the mere fact that they're paying attention to OS security is nice), I think it's bad for two reasons.

1) It ties the entire government into Windows - and on top of that, the most expensive and resource-consuming version thereof. Think of the thousands of PCs that would have to be upgraded for Vista? Now ... what happens to all the old ones? (I sincerely hope that they get donated to schools or something)

2) It may prevent opensource applications from achieving any traction in the US government. Unless, of course, Microsoft is willing to give them the keys to be declared "Secure/Vista Friendly" or whatever the latest gimmick certification is. Granted, the big guns like OpenOffice and Mozilla might be able to make inroads, but smaller opensource applications might be S.O.L.

So it's nice that the issue has received consideration, but it may be a rather insidious form of consideration. And that's not a good thing.

very good (1)

Nex6 (471172) | more than 7 years ago | (#18459617)

The government has a lot of different OSes, I am sure, with Windows having the biggest footprint. I am also sure this is an attempt to secure the Windows footprint. They should have mandated patching and security settings / levels a long time ago, and once more they should do it with all OSes in use within the government, not just Microsoft OSes. All software used by the government should have to conform to a standard, and that should apply across the board, whether it runs on a 'nix or Win.

-Nex6

What if Office or IE or Lookout won't run (0)

Anonymous Coward | more than 7 years ago | (#18459831)

What if Office or IE or Lookout won't run under Secure Vista but Open Office and Firefox etc. will ? Could be an opportunity, or at the worst ( ;-) ) more secure MS apps

Wow, no one on here RTFA (3, Interesting)

Raleel (30913) | more than 7 years ago | (#18459857)

GEEEZ

let's start with the second goddamn line of the article

"A White House directive to federal chief information officers issued this week calls for all new Windows PC acquisitions, beginning 30 June, to use a common "secure configuration"."

You'll notice that there is no mention of Macs or Linux. That's because this only affects "new Windows PC acquisitions". That means it only affects the box when you have Windows on it.

"Applications (such as anti-virus, email etc) loaded onto systems remain flexible but what will be specified in the registry settings and which services would be turned on or off by default."

Look here... configuration management mandated. How about that??!

"Even more importantly, the directive calls for suppliers (integrators and software vendors) to certify that the products they supply operate effectively using these more secure configurations."

OMFG, vendors actually have to put out products that work in secure configurations. holy crap!!! end of the goddamn world. heaven forbid we make them code securely and force them to make it work in something other than the Administrator account.

"The federal government scheme builds on the "comply or don't connect" program of the US Air Force. The principal targets are Windows XP and Vista client systems but the same ideas might be applied in Unix and Windows Servers environments over time."

Lookie there, it only applies to windows again. later on, it'll apply to windows Desktops! Not even servers. wtf is this call of monoculture I keep seeing.

Every consumer should be happy to see this, because a huge client (the biggest?) of computer hardware and software says "that's quite enough. If you can't work in our secure environment, you are going to lose a lot of business. Fix it already".
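The directive quoted above (and the bank audit zerofoo describes further up, plus seandiggity's question about applications that need a disabled service or install a new one) boils down to one operational task: compare a live Windows box against a list of required registry values and service start modes and report every deviation. The script below is an added example of that check, written for this thread; it is not code from the article, the OMB memo or any of the posters, and it does not contain the actual NIST/DoD/DHS settings. The registry values, the services marked Disabled and the list of expected auto-start services are illustrative assumptions; in practice the baseline would be exported from the agency's reference image and read in from a file.

```powershell
# Added example: check a Windows host against a small configuration baseline.
# All values below are illustrative placeholders, NOT the federal baseline.

# Registry rules: path, value name, required data. (Assumed sample entries.)
$RegistryBaseline = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'EnableLUA';                Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LimitBlankPasswordUse';    Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'RequireSecuritySignature'; Expected = 1 }
)

# Services that must not start. A service that is not installed at all also
# satisfies a 'Disabled' rule. (Assumed sample entries.)
$ServiceBaseline = @{
    'RemoteRegistry' = 'Disabled'
    'TlntSvr'        = 'Disabled'
    'SNMPTRAP'       = 'Disabled'
}

# Auto-start services present on the reference image. In real use this list is
# exported from the golden image; this short list is a placeholder assumption.
$KnownAutoStartServices = @('Dhcp', 'Dnscache', 'EventLog', 'LanmanWorkstation',
                            'Schedule', 'Winmgmt', 'wuauserv')

function Test-RegistryBaseline {
    param([array]$Baseline)
    foreach ($rule in $Baseline) {
        # Missing key or missing value name both come back as $null.
        $item   = Get-ItemProperty -Path $rule.Path -Name $rule.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($rule.Name) } else { $null }
        [pscustomobject]@{
            Kind      = 'Registry'
            Target    = "$($rule.Path)\$($rule.Name)"
            Expected  = $rule.Expected
            Actual    = $actual
            Compliant = ($null -ne $actual) -and ($actual -eq $rule.Expected)
        }
    }
}

function Test-ServiceBaseline {
    param([hashtable]$Required, [string[]]$KnownAutoStart)
    # Win32_Service.StartMode is one of Boot, System, Auto, Manual, Disabled.
    $installed = Get-CimInstance -ClassName Win32_Service
    $byName = @{}
    foreach ($svc in $installed) { $byName[$svc.Name] = $svc }

    # Rule 1: every service the baseline names must be Disabled (or absent).
    foreach ($name in $Required.Keys) {
        $svc    = $byName[$name]
        $actual = if ($null -ne $svc) { $svc.StartMode } else { 'NotInstalled' }
        [pscustomobject]@{
            Kind      = 'Service'
            Target    = $name
            Expected  = $Required[$name]
            Actual    = $actual
            Compliant = ($actual -eq $Required[$name]) -or ($actual -eq 'NotInstalled')
        }
    }

    # Rule 2: anything set to start automatically that the reference image did
    # not have is reported, so a service dropped in by an application installer
    # is noticed instead of silently accepted.
    foreach ($svc in $installed) {
        if ($svc.StartMode -eq 'Auto' -and $KnownAutoStart -notcontains $svc.Name) {
            [pscustomobject]@{
                Kind      = 'Service'
                Target    = $svc.Name
                Expected  = 'not auto-start on reference image'
                Actual    = "Auto ($($svc.State))"
                Compliant = $false
            }
        }
    }
}

$findings = @(Test-RegistryBaseline -Baseline $RegistryBaseline) +
            @(Test-ServiceBaseline -Required $ServiceBaseline -KnownAutoStart $KnownAutoStartServices)

$findings | Format-Table Kind, Target, Expected, Actual, Compliant -AutoSize
$failed = @($findings | Where-Object { -not $_.Compliant })
Write-Host "$($failed.Count) deviation(s) from baseline on $env:COMPUTERNAME"

# Non-zero exit lets a scheduled task, SCCM job or login script flag the host.
exit ([int]($failed.Count -gt 0))
```

Run it from an elevated PowerShell prompt (reading HKLM and Win32_Service does not strictly need elevation, but a compliance job normally has it). The two service rules are deliberately separate: the first answers "is the thing we turned off still off", the second answers seandiggity's "what if the application installs a new service", which a pure must-be-disabled list can never catch because the new service is not on it.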