Schneier on Security
A blog covering security and security technology.
January 7, 2008
U.S. Army Installing Apple Computers
Because they're harder to hack:
Though Apple machines are still pricier than their Windows counterparts, the added security they offer might be worth the cost, says Wallington. He points out that Apple's X Serve servers, which are gradually becoming more commonplace in Army data centers, are proving their mettle. "Those are some of the most attacked computers there are. But the attacks used against them are designed for Windows-based machines, so they shrug them off," he says.
Posted on January 7, 2008 at 6:21 AM
Oh dear, what can you say to the reasoning:
"Those are some of the most attacked computers there are. But the attacks used against them are designed for Windows-based machines, so they shrug them off,"
Buying a machine with a two or more year life should not be based on such requirements.
I suspect that in many ways the Apple Macs are no more secure than many, many other OS's. It is only that they have not yet been put under the hackers' spotlight.
It's "Security by Obscurity"...
I don't think this is security by obscurity, rather security by diversification. A monoculture is always easier to attack than a mixed environment.
Security by obscurity would be: "we bought new servers, but for security reasons we can't tell you what they are."
This is protection only from the general independent hacker or script kiddie who is just roaming for targets. So this makes some sense.
However, in the real cyber war theater, I am sure that China and several other countries' militaries have already engineered and developed cyber weapons to attack these computers. I expect they have been developing this attack on the same model of computers.
This is a false sense of security at best.
They are much harder to hack, until the hackers have a good reason to turn their attention to them.
Oh, a good reason like this one?
It's just like crops. If you plant a field with nothing but one crop, the pests (which attack that specific crop) will have a "field" day. If you have a field with 19 different plants all intermingled, the pests are less able to cope with them (as are modern agricultural harvesting methods).
It's good to see the US armed forces moving away from the Windows servers that have embarrassed them so many times over the years.
Apple has its own security problems, and hasn't shown itself to be very responsive to resolving security issues - but I suspect (and seriously hope) that is something that was addressed during negotiations.
As a market pressure, I think this sends a signal of sorts, although I'm sure there will be numerous interpretations of it, some with more spin than others.
At the very least, it's a sign that at least portions of the US army are taking security more seriously than they used to. It's been an ongoing source of embarrassment.
I don't see this as security by obscurity either.
If someone is blindly shooting dozens of rounds a minute down an alley, and you can't really stop them, it only makes sense to go down the next alley over if you need to travel that way. If the gunman is too stupid to realize that he should shift his attack, who are we to argue?
Apple is BSD based, which means it is inherently better (by design) than Windows of any kind or configuration.
What's so hard to understand about that? It may be hard to comprehend for people who think "90% can't be wrong". They can, and they are. It takes some time, but once people (100%!) thought Earth is flat. They were wrong, too.
There are a few reasons why this is actually pretty good logic:
1) As already stated, mixed environments are more secure
2) Large sections of OSX are open source. This doesn't make it _more_ secure, but gives us a better idea of how insecure it is.
That said- the rep is obviously not an IT guy. Security isn't an inherent property of a software system. A more realistic claim would be, "OSX is _easier to secure_ than Windows", not that it "is more secure".
That's a really important difference.
"A monoculture is always easier to attack than a mixed environment."
Is that really so? Where I work, we have a lot of different OSes, patch levels, etc. I would say it would be a lot easier to keep our systems patched if they all ran like Redhat 4 update 3.
@Yosi: "They can, and they are. It takes some time, but once people (100%!) thought Earth is flat. They were wrong, too."
Your conclusion is correct, but your supporting evidence is wrong. Only very small (and usually ignorant) sections of the population ever believed the world was flat. Considering the ancient Greeks measured the circumference with incredible accuracy, the vast swath of recorded history tells us that anyone vaguely educated (or living near a coastline) knew the world was round.
Why go out of your way to announce what hardware and OS you'll be using?
Sure the pros would find out quickly enough anyway but now every skiddy in town knows to go get some Apple apps.
Why make life difficult for yourself?
"Is that really so?"
Yes, it is really so. Diversity is more robust. That it may be more difficult to maintain is a cost, but it hardly comes close to the benefit.
Security by obscurity, thanks us.mil! How long do they think it will take for crackers to wise up and start creating attacks custom-designed to take down a Mac?
"I am sure that China and several other countries military already have engineered and developed cyber weapons to attack these computers."
You say you are sure. Where, then, is the evidence? Or am I just allowed to categorically state that "I am sure that the DOD have engineered and developed cyber-weapons to defend these computers."? Or is FUD only something you are allowed to fling around?
I love the guy in the article who says: "In the story of the three little pigs, did diversifying their defenses help? Not for the pig in the straw house,"
He has completely missed the point... if they hadn't diversified, and they'd all chosen straw houses, then all three would have been eaten. Diversifying doesn't make you invulnerable; it makes sure that the same attack won't work on all targets.
Even worse is that the story of the three pigs is not one of diversification, but simply using one's head and hands. The first two pigs were lazy, and got eaten as a result. The third pig made better use of his time, thought more deeply, and, because of all that, prevailed.
In addition to the particular details of whether this new OS really is inherently easier to secure, the general decision to use a less common system seems to be, to use Bruce's favorite phrase, a trade-off.
The benefits are that there isn't an established expertise in attacking this system, so attackers have to invest a lot more effort up front. The drawback is that there isn't an established expertise in defending it, so there's a much bigger risk that big unknown vulnerabilities exist, and the defenders will have to invest more effort in patching holes that are found.
As mentioned, mixing systems has its own trade-offs: no single attack can compromise everything, but more than twice the effort is required to maintain everything.
It's not security through obscurity. If the Army was counting on obscurity as a defense, it would not be telling the world it's installing more Apple computers.
Diversifying and using a less popular system are sound, rational decisions. For commercial hackers, the effort invested in developing an attack needs to be justified by the payoff, which is related to the number of systems the attack is able to compromise/commandeer. Economy of scale generally favors attacking the more popular systems, if developing an attack is no more difficult than developing one for less popular systems. Adopting a less popular system can be viewed as a way of reducing the budget justifiable to the attacker. That seems rational.
Diversity can both strengthen and weaken security, depending on how it is done. However, in the case of firewalls and IDSes, you don't want them to be susceptible to the same attacks as the systems they are protecting.
I think another issue is the fact that there are several crossplatform attacks that could make OS X as vulnerable as windows. Look at all the quicktime and flash vulnerabilities that have come out in the past year. Exploits that rely on the attacker manipulating the victim into clicking something or running a malicious program or providing information also could be successful.
This will only increase the footprint for an attacker. With all the vulnerabilities reported in the Mac this year, instead of having only Windows vulnerabilities to attack, an attacker has 3 times more doors. Diversifying and layering the perimeter defenses makes sense; however, this does not. Unless the Army moves toward a Linux approach, this is a wasted effort.
While there's little doubt that OSX has many structural security advantages over Windows, by virtue of its UNIX heritage, we should not forget that UNIX systems have a long and painful history of exploitable weaknesses in network software. The relative hardness of UNIX-esque systems is in part due to the shocking awakening to security issues that occurred during the '80s and '90s, when people who write kernel and network software suddenly realized that security could not be bolted onto the side of existing software, but had to be designed in and implemented from the ground up.
These issues have not gone away, however much they may have been abated by heightened awareness. Network software continues to be the avenue by which determined attackers continue to compromise UNIX/Linux servers, and we would be foolish to expect that situation to end any time soon. Which means that relying on Macs simply because "They are more secure" is asking for trouble.
The point is, software security is more of a vendor attitude issue than a software perfection issue. If a vendor has effective security design processes, if they respond rapidly to vulnerabilities as they are alerted to them, if their in-house security design people have the authority to override their marketing people, if they make security upgrades quick and painless, with few or no side-effects, their customers will lead more secure existences.
The above conditions apply, to greater or lesser extents, to the main commercial UNIX vendors and Linux distributors, as well as to the various BSDs. They apply only very modestly, if at all, to Microsoft. It is not clear to me that Apple scores very high here either. I get the impression that they have a lot to learn, although perhaps they are capable of learning. However, if they are counting on their UNIX heritage alone to protect them, they are heading for a nasty surprise.
A straw house is a straw house. Diversifying isn't going to make it better, and hard work isn't going to make it better.
There may be an initial benefit to switching to Apple in the sense that the 'easiest target' (less secure systems) will still draw more attacks, but some of that ground will be lost as the aggressors develop/obtain tools effective against Apple's architecture.
@ Clive Robinson
"I suspect that in many ways the Aple [sic] Macs are nomore [sic] secure than many many other OS's [sic]"
The U.S. military can't base its requirements on Mr. Clive Robinson's "suspicions".
And, in any case, the spokesman did *not* say that OS X is more secure than Windows; he said that "attacks used against [the military's machines] are designed for Windows-based machines".
That being so, not using Windows-based machines would seem, at least on the face of it, to be a sensible decision.
Maybe the strategy is not well-conceived, but it would be nice to have a genuine critique with some reasons given, *not* thinly-disguised pro-Microsoft trolling.
I wrote about this kind of thing some years ago, here:
I had once commented on comp.virus, about 13 years ago, that biological viruses only evolve to attack an organism when a large enough "population of opportunity" is available. Same for any single/multi-cell parasites... of which some evolve enough to be symbiotic.
Here's one for you: Why are there no real attacks against Lotus Notes? Simple. No one wants to admit that they spent time learning enough LotusScript.
Now, because malware is (hopefully) written by human beings, rather than evolving from something else, it is no longer the size of the population but the value of the data behind the wall that matters.
The main advantage I see w/ the use of Mac OS X-- and other deviants of Unix-- is that the system was originally written to be multi-user, and, so, has the concept of isolation between accounts built into the very kernel itself, rather than patched onto a bit of jell-o that is being held together with rubber bands, which makes most exploits... limited. It is NOT a given that you get root authority as soon as you crack a web-server, though you might be able to do so with a few extra steps in an exploit.
Probably one of the greatest problems using Apple's Intel-based Xserves is that the CPU instruction set is the same as windows and so a lot of the same limitations on the defending software are in play. Having multiple CPU types running multiple OSes and Network stacks and applications would provide better resiliency.
"There may be an initial benefit to switching to Apple in the sense that the 'easiest target' (less secure systems) will still draw more attacks, but some of that ground will be lost as the aggressors develop/obtain tools effective against Apple's architecture."
This has been the pro-Microsoft FUD mantra for years. And yet despite the obvious bragging rights - and probably more - for just sitting down and doing the job, so far no one has actually shown BSD, Linux, OSX, etc, are in fact just as vulnerable as Windoze has demonstrated itself to be.
That is to say, low hanging fruit is low hanging fruit. A rational predator doesn't care what species of tree is at issue.
Anyone remember the "One to One" initiative to put laptop computers in the hands of students, pre-loaded with all of their textbooks? The iBook-based programs had few, if any, virus or spyware problems, mostly because most spyware targets IE and Windows. The biggest problem I heard about was bullies tossing other students' computers into ponds, etc... and the infamous hinge problem (which the clamshells DID NOT have) along with the fragile DC input connector. (The MacBooks may not have solved the former, but they finally did something about the latter.)
The "Apple is more secure" marketing seems to have worked. Try integrating Macs into your enterprise security policies. Apple simply can not provide the granularity and control that you get with Windows.
A default install of OSX or Linux IS more secure than a default install of any Microsoft OS. With no Active-X, IE, Windows Media Player, or Outlook Express, any non-Microsoft OS is more secure than any Windows.
'The "Apple is more secure" marketing seems to have worked.'
Who the heck cares what the marketing says if the machinery is in fact more secure? Who the heck cares if Windoze is more flexible, if it is far more prone to attack?
Why not diversify with Linux (ASLR), OpenBSD (W^X), and NetBSD (ASLR) for servers? If you need/want Windows servers, try Windows Server 2003, 64-bit Edition (make sure you're using NX or XD-bit with hardware DEP and have an OVAL-Compatible vulnerability management solution).
Linux, unlike most of other server operating systems, also has some easy ways of moving to MAC/LSPP with default-installed SELinux. Some distributions of Linux even come with GRSecurity installed by default.
I prefer standardizing on 64-bit, that way you know you're getting NX or XD-bit support. No need to diversify there (well, diversification of Intel and AMD and other competitors is left as an exercise for the reader).
If Mac OS X provided a working ASLR, I might "think differently". Mac OS X also leaves a lot to be desired for patch/vulnerability management, rootkit detection, integrity monitoring, and other basic server security criteria (e.g. I don't think there is any OVAL-Compatible software for Mac OS X). I haven't recently gone through the NSA, NIST, or DoD guides for "hardening" Mac OS X servers, but somehow I doubt that anything more advanced than sudo (especially any non-DAC/CAPP based access control system), chroot (or any working sandboxes that reduce attack surface), disk options (e.g. nodev,noexec,nosuid), systrace, and SSP/ProPolice (only available in Leopard) are mentioned or thoroughly explored. Even these are not on or correctly configured by default.
The best way to reduce attack surface isn't hardening; it's reduction of number of systems, applications, and network paths. OS security is not quite as important as application security (which in turn, isn't as important as software security / assurance). By "adding" new servers, this is clearly a mistake. Maybe if the Army is retiring old servers to make way for these new ones, that makes more sense.
Hardware virtualization, which requires PAE and either Intel VT or AMD-V (64-bit ring a bell here?), is best accomplished under Linux or NetBSD, where Xen is available. Windows Server 2003 could use VirtualIron, but the free version is only available for single socket processors (Microsoft requires cost through licenses anyways and VirtualIron is more affordable than, say, VMWare or other options). There are vulnerabilities to be found in these products (Xen had one exposed 6 months ago), but other hardening techniques preclude the criticality compared to the benefit of reducing attack surface.
Desktops/endpoints are different. Personally, I think desktops, laptops, PDAs, PDA phones, and UMPC's do not belong in an Enterprise setting (or more importantly, a government/military IT infrastructure) because of attack surface. These should be replaced with safer alternatives, such as thin clients. HP makes an affordable array of thin clients (not sure if they're TEMPEST safe, however - but TEMPEST is usually the keyboards, mice, monitors and power cords). Safebook.net provides thin client laptops. Using a strong access control system becomes even more important in thin client computing, where SELinux has made available domain and type enforcement to best suit this sort of situation.
I also don't think very highly of Mac OS X software assurance programs, nor do I think highly of any applications that run under Mac OS X and their subsequent software assurance programs. In order to maintain a growing lack of vulnerabilities due to software weaknesses -- software assurance programs and metrics need to become available to the public in the form of a five-star rating system, in addition to official consumer reports. The military should already have these measurements, which surprises me that they would choose Mac OS X. Part of the problem is that parts of Mac OS X are closed-source, in addition to having no formalized or announced secure coding practices (e.g. Microsoft SDL, Cigital Touchpoints, et al).
Getting access to some of Apple's source code (e.g. via WebKit) along with code coverage metrics has proven to provide reliable vulnerability research in the form of common software weaknesses based on integer overflows and signedness errors (as well as other issues). These are signs that Mac OS X has no formal secure coding practices, nor understanding of how software weaknesses work. Personally, I would direct Apple developers to MITRE CWE, as well as multiple CWE-Compatible software weakness solutions (use all of them, if possible!).
When Apple has announced exploitation countermeasures or "default hardening", they have typically failed to provide workable solutions in the end (I would be curious as to where they have succeeded -- I know that they did recently add support for SSP/ProPolice and compiled system binaries using it). Their response to vulnerability researchers has been abysmal, and no improvements have yet been realized. If every reported vulnerability stays in regression testing until Apple hears about the bugs being exploited in the wild, this creates two problems. First of all, it sends a message to malicious insiders interested in fraud/embezzlement/etc -- in addition to online organized crime for use in phishing, fraud, active exploitation, etc. Secondly, it prevents users from knowing about a fix until several years after the bug is privately known -- increasing the vulnerability and exploit lifetimes.
In the case of the US Army, this situation worsens significantly. Author David Rice of Geekonomics covers the concept of "Broken Windows" as it applies to vulnerabilities. If this theory is correct (as stated in the paragraph above), the threat landscape will change to directly attack the military where they are exposing weakness most.
If the Army is simply going to use Apple infrastructure as honeypots, they must be familiar with mature technology that I am not. Argos, the premier honeypot system for instantly analyzing zero-day exploits -- is not even available for the Mac OS X platform, while being available for most other Unix-based and Windows-based platforms. Integrity monitoring solutions such as DigSig/DSI, Samhain, The99lb, Zeppoo, chrootkit, and rkhunter (as well as St. Jude and St. Michael for kernel integrity monitoring) are not available for Mac OS X -- nor are immature or aspiring alternatives.
Even web application integrity monitoring solutions such as SpyBye probably don't port well to Mac OS X -- and Mac OS X is not well-protected from parameter tampering or form-field manipulation based attacks if Mac OS X servers run web applications accessible on a remote port. In other words, countermeasures such as the ones already mentioned (e.g. chroot, W^X, SELinux, GRSecurity/PaX, disk mount options, et al) are not well provided in Mac OS X -- which directly affects web application attacks that utilize path traversal, predictable resource locations (i.e. random files and directories lying around), OS command injections (this is certainly the scariest of the bunch listed here), or file upload "web application backdoors (e.g. Applescript/Perl/Ruby/Python/PHP/ASP/JSP shells)".
Mac OS X includes locally-installed proprietary scripting languages, databases, and API's that worsen this situation even more (e.g. FileMaker) by providing an enormous attack surface. Mac OS X Server is filled with software that is un-documented, un-tested, un-reliable, and lacking general quality or software assurance "basics". Apple software isn't even 2 or 3Sigma on a generous maturity model.
Monoculture is one thing; completely backwards software assurance is another. Here's another resource for both Apple and Microsoft developers: Dan Bernstein's paper on "Some thoughts on security after ten years of qmail 1.0". Special notes: eliminate bugs, eliminate code, and eliminate trusted code.
Look deep into the work Charlie Miller and ISE has done on the Apple platforms. Just read or view the recent Toorcon or DEFCON/Blackhat talks/videos. If the military strategy is to run "software update" and to rely on Apple and their extended community to "tighten Unix programs", then they obviously have never heard of the advancements available via MITRE OVAL-Compatible solutions or SELinux's use of MAC/LSPP, both of which are unavailable/lacking for Mac OS X.
Uh... Macs were less vulnerable (due to obscurity) up through OS 9 because the operating system was unique, proprietary, and closed. Not a good foundation for security of course, but there was at least a reason it was not as thoroughly hacked as Windows.
As of OS/X Macs are running some bastardized form of BSD Unix and/or NeXT OS, with a Mac GUI slapped on the top.
This isn't REMOTELY as obscure as OS9 was. It's Just Unix fergoodness sakes, customizations notwithstanding. Is the military even using Apple's Common Criteria tools? I'd think SELinux would serve as well or better.
It's been over twenty years since the Rainbow Series were published - hasn't that been time enough for the well-funded U.S. military to produce a secure operating system of its own?
@John R. Campbell -
I'm not sure we're talking about the same thing. My comment was to suggest that any perceived gain in security from a 'less vulnerable' system is illusory/temporary at best. While the majority of hackers will seek the 'easy target,' it's inevitable that someone will turn their efforts to Apple, or whatever platform becomes the standard. It's assuming that computer security is just another flavor of physical security (i.e., a locked door, once installed, solves the problem), and not an environment where the threats keep evolving.
Like I said, a straw house is a straw house.
Okay, I know I'm piling on to a huge thread here, but -- OS X: not that much more inherently secure than Windows. Avoiding monoculture good, can see how there might in practice be fewer Mac attacks 'cause it's less widely used. But few exploits circulating today doesn't mean the OS is invulnerable.
And your choice of OS is a pretty small piece of security policy. Is there a restrictive firewall? What's allowed behind it? Are you trusting insecure laptops or BlackBerries with copies of that troop-deployment order? Yada yada.
"Uh... Macs were less vulnerable (due to obscurity) up through OS 9 because the operating system was unique, proprietary, and closed"
This statement makes no sense. MacOS classic was no more proprietary or closed than Windows. Reference materials about the OS internals have been around for two decades.
Unique...what do you mean by that? You're saying that Windows was not unique because of how much internal stuff it inherited from VMS? Or do you just mean "less popular"?
As for pejorative, disdainful descriptions like "a Mac GUI slapped on top" - there are significant features present in the Mac OS which go much deeper into the OS than this "slapped on top" description you give. For example, the Spotlight system searching facility actually hooks into the OS at the file system level, automatically modifying the file system index whenever a file is changed. Time Machine system backups use a similar facility.
The GUI also is heavily involved at the graphics card device driver level - Apple does some pretty unique stuff with graphics acceleration and using 3D acceleration techniques to speed up 2D rendering.
"Slapped on top" sounds like it implies that the GUI only uses very standard interfaces to communicate with the OS and hardware. I'm sure that *some* of the interfaces are standard and boring, but clearly there are a reasonable number that are not. Which OS isn't "slapped on top" using your definition?
My point is that, in biology, viruses evolve to infect a population primarily when there's enough of a population to get an advantage on.
In cybology (sorry, I could not resist coining an analogue to biology) malware is evolved (albeit through not-very-intelligent design) to attack targets of greatest profit, and, if you hearken back to Clifford Stoll's "Egg", that is what is going to happen.
Cyberdiversity alone won't protect the data, but it can protect the organization from a complete loss of service.
I can't wait for the commercials.
> 1) As already stated, mixed environments are more secure.
This is highly debatable. There are a number of benefits to running a homogeneous environment, not the least of which is that configuration management and patch management are easier, and interoperability problems are an order of magnitude smaller in number than in a heterogeneous environment. Monitoring solutions, audit solutions, backup solutions, etcetera will all be easier to design and implement and are less likely to suffer from asynchronous updating of underlying OSes.
Yes, it is true that a heterogeneous environment is more difficult to attack catastrophically, because there is a very small likelihood of multiple class breaks, but (barring outright cyberwarfare), full onslaught attacks aren't really that common.
On the whole, the greater danger is the targeted attack, which is going to exploit the weak point in the security process anyway. In a heterogeneous environment, there are going to be a very, very large number of these weak points, because the system is going to be suffering from low cohesion.
I would argue that given competent security personnel and well designed auditing, a homogeneous environment ought (in practice) to be much more secure than a heterogeneous environment, due to a much better understanding of your vulnerability surface.
I think we're saying the same thing with slightly different analogies - that we're dealing with an evolving threat as opposed to a static one, so there's still a need to protect the data regardless of past attempts/successes vs. a given platform.
Installing a shiny lock doesn't mean the criminal is no longer interested in what you keep behind that lock - it just means they have to figure out a way around the lock. Or, using your low-hanging fruit example, the fruit on higher branches is secure until someone brings in a ladder, or finds a method to make the fruit drop and become accessible.
A minor OS X security detail that I came across recently while configuring an OS X 10.4/intel (Tiger) server in a mostly GNU/Linux environment:
When editing sshd_config to prevent plaintext password based logins, in addition to the usual:
One also needs to add:
This appears to be due to an interaction between OpenSSH and PAM on OS X that does not occur on, e.g. RHEL or a typical Debian box.
It may or may not be related to the divergence of OS X's OpenSSH code from the upstream source:
As with the divergence and slow patching time for OS X's Java source:
this may lend some support to @dre 's comment re: Apple's software assurance programs.
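The comment above leaves out the two lines it refers to. As an added example that is not the commenter's configuration, the check below assumes they were the usual `PasswordAuthentication no` and the extra `ChallengeResponseAuthentication no`, and shows why the second one matters on a host whose stock file has `UsePAM yes`: it reads an sshd_config the way sshd does (the first value of each keyword wins, Match blocks are conditional) and reports which password-style login paths the global policy still leaves open. The sample configs are constructed.

```python
import re

# Upstream OpenSSH defaults for the keywords we care about (assumption: the
# values documented in sshd_config(5) for that era). Vendors such as Apple
# ship UsePAM yes in their stock file, which is what the sample below mimics.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
}

# sshd_config keywords are alphanumeric; keyword and value may be separated
# by whitespace or by optional whitespace around a single '='.
_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*=?\s*(.*)$")


def parse_sshd_config(text):
    """Map lowercase keyword -> effective global value.

    sshd uses the *first* value it reads for a keyword, so the first
    occurrence wins here too. Lines after a Match header apply only to
    matching connections and are skipped: this check is about the global
    policy that applies to everyone.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)        # first occurrence wins
    return settings


def password_login_paths(settings, defaults=DEFAULTS):
    """Return the password-style authentication paths the global config leaves open."""
    def get(key):
        return settings.get(key, defaults[key]).lower()

    open_paths = []
    if get("passwordauthentication") != "no":
        open_paths.append("PasswordAuthentication")
    # With UsePAM yes, keyboard-interactive is handed to PAM, whose password
    # module prompts for the account password even though PasswordAuthentication
    # is off. That is the OpenSSH/PAM interaction the comment describes.
    if get("usepam") == "yes" and get("challengeresponseauthentication") != "no":
        open_paths.append("ChallengeResponseAuthentication via PAM")
    return open_paths


# Constructed sshd_config fragments, not taken from any real host.
USUAL_ONLY = """\
# Hardened the way one would on RHEL or Debian (constructed sample)
Protocol 2
UsePAM yes
PermitRootLogin no
PasswordAuthentication no
"""

WITH_EXTRA = USUAL_ONLY + "ChallengeResponseAuthentication no\n"

FIRST_WINS = """\
PasswordAuthentication yes
PasswordAuthentication no   # ignored: sshd keeps the first value it read
"""

if __name__ == "__main__":
    for name, cfg in [("usual only", USUAL_ONLY),
                      ("with extra line", WITH_EXTRA),
                      ("first wins", FIRST_WINS)]:
        paths = password_login_paths(parse_sshd_config(cfg))
        print(f"{name:16s} still open: {paths or 'none'}")
```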
"I suspect that in many ways the Apple Macs are no more secure than many, many other OS's. It is only that they have not yet been put under the hackers' spotlight."
I have heard this bogus reasoning for as long as I can remember -- said about Macs and Linux. Surely by now there has been plenty of time and incentive to attack these platforms. And in addition, they are more prevalent in the back server room and on the user's desk than they ever have been. So come on -- let's finally admit there are certain basic design principles that Macs and Linux (Unix) use that clearly make them too difficult to attack in the same way Windows has been.
Like this thread needs more opinion, but I'll toss mine in anyway.
This is a classic tradeoff, no more, no less. More complexity by diversifying *can* cause more problems, but it can also make the overall system able to resist a systemic attack and compartmentalize it. The deploying organization needs to determine which risk they can better manage and go the way that suits them.
"my OS is better than your OS":
Yeah, old news, and largely *nix is architecturally more secure (at least IMO) but the true overall security isn't really stemming from that layer. Again here the security decision is a bit more subtle than OS religion and gets into broad system design, security requirements, and the capacity of the org to manage those.
Honestly, this might have nothing to do with security in the long run, but rather a way to ensure MSFT doesn't try to "adjust licensing" and price the US Army into a corner. Just by demonstrating they have options and will use them, the Military could be pushing back on MSFT on cost and license alone.
"I would argue that given competent security personnel and well designed auditing, a homogeneous environment ought (in practice) to be much more secure than a heterogeneous environment, due to a much better understanding of your vulnerability surface."
And I would argue that better understanding of the attack surface isn't going to help you when your entire environment is pwned by a single 0day against an essential service. Monocultures promote brittleness (in the Schneier sense).
Would you rather have all your systems go down, or only a subset? Take it out of the OS X vs. Windows crap that's dominated the thread-- how do you propose that understanding the attack surface and auditing is going to mitigate the risk for a service/application that you must offer, either because it's business or system critical?
I'm aware of at least two DoD installations that shifted to Apple servers as far back as 1999. They did so expressly for better security following foreign hacks of the existing Windows-based system. OpSec suggests not listing which two, but both were key East Coast facilities.
I'm sure this is pretty naive of me but ...
Apple Mac OS X v10.3.6 and Apple Mac OS X Server v10.3.6 have EAL3 and Windows has EAL4+; furthermore, there are more accredited products (e.g. full disk encryption) for Windows than for Apple.
I know the CC has its faults but does at least try to formalise the process of evaluating security claims.
"Not hacked as prolifically" is not the same as "harder to hack" (just ask HD Moore). And sometimes all it takes is a hubristic comment like that guy's to garner the hacking community's complete and undivided attention.
The crop field analogy is largely dependent on pests spreading among neighboring plants. If the only connection between computer A and the internet is through computer B, then it may help if they're different. But if everything is connected to the internet, diversity doesn't keep computer viruses from spreading. Then the only reason to add a less-secure computer would be as a redundant backup.
> And I would argue that better understanding of the attack surface isn't going to
> help you when your entire environment is pwned by a single 0day against an
> essential service. Monocultures promote brittleness (in the Schneier sense).
Er, your *entire* environment isn't going to be running the same essential service that is going to be vulnerable to a zero-day exploit. That's crazy talk.
Sure, if all your web servers run "apache-foo", you're vulnerable when a zero-day exploit comes out that can nail "apache-foo". This doesn't mean that your mail servers or file servers or directory servers or whatever are also vulnerable.
But let's say, for the sake of argument, that you're just talking web servers. If you standardize on "apache-foo", yes, you're correct, you're vulnerable to a zero-day exploit in "apache-foo", whereas if you diversify and run half your web servers on apache-foo and the other half on IIS, only half of your machines are vulnerable to a zero-day exploit in one of the web services.
Look at what you're actually talking about here. Think of all the dependencies and bugs you're going to have in any moderately complex web services environment if you're trying to deploy the same services on two different underlying web server platforms. Think of how difficult it is to keep this all up and working when you have OS specific bugs interacting with whatever scripting language or database back-end you're running. Oh, and since you don't believe in homogeneous environments, you'll now have to build not only a web service with a MySQL database backend and PHP and apache, but another one with Oracle and Perl and IIS, and one with MySQL and Perl and IIS, and one with Oracle and PHP and apache... because by God a zero day exploit in any service can't affect your uptime, and so you need to have heterogeneous database environments and scripting languages.
Think about your change management process when you have a bug in Perl-foo that requires you to run Perl-foo-prime on your apache servers but you still have to run Perl-foo on your IIS servers. Think about the insane backup strategy you're developing to back all this stuff up. Think about all the development costs you're paying for when your web service dev team needs to do their work four times over, and how much crazy code this will inject into your production environment.
This is just plain insane.
Now assume all your web services are running with the same backend, the same frontend, and the same underlying OS. Yes, a zero day exploit means you *may* have to down your web presence until you can fix it (note - zero day exploits aren't egregiously uncommon, but those that allow complete remote takeover of the machine are rare, and oftentimes don't apply if you've taken adequate security steps anyway). But you have a snowball's chance in hell of actually making the thing work the way it is supposed to on an ongoing basis, monitoring it effectively, backing it up robustly, and restoring it to an operational state quickly.
Axiom: You can't build a secure system.
Corollary: The next best thing is one you can manage, backup, upgrade, and restore in a scalable fashion.
> So come on -- let's finally admit there are certain basic design principles that
> Macs and Linux (Unix) use that clearly make it too difficult to attack in the same way
> Windows has been.
I would argue that this has very little to do with underlying system design principles and everything to do with default configurations.
I would also argue that the *vast* majority of vulnerabilities in Windows exist in the userspace environment, where the user hits the system.
Most Linux systems aren't desktop systems. Generally speaking, you don't have to worry about Firefox vulnerabilities on your mail server unless you're an idiot and you use your mail server as a console. Similarly, you don't have to worry about IE vulnerabilities on your domain controller, unless you're an idiot and web surf at the console.
Windows has some pretty bad design considerations when it comes to security, but this is largely due to tradeoffs to make the system easier for end-users to use and vendors to create software. Bad security design in device driver installation and interaction with the kernel really doesn't apply in the server environment if your systems administrator knows what they're doing. All of the "default-allow" bad behavior in Windows is largely irrelevant when it comes to server/service design, as you're accounting for that in a production environment anyway.
In my experience, there is little difference in security between a cluster that runs Windows and a cluster that runs Linux when they're both designed and rolled out by a systems administrator who is competent in the OS. There are, however, generally many more lesser-skilled Windows "administrators" than there are Linux "administrators".
Everybody is hacking everybody.
OpenBSD would be the obvious solution for a secure operating system; unfortunately they fell foul of DARPA a while back.
This is nearly the most biased, rhetorical, crazy ass opinionated bunch of nonsense I've heard.
Ditch the "*nix vs. M$" debate kids. The fact of the matter is that both operating systems (and their underlying hardware, more and more similar every year) have plenty of separate security issues, and at the moment, out-of-box or not, neither seems to be taking the lead in the effort to lock down their systems. It's a trade off. It's a free market. They are big business. Think about it. Does coke 'healthy up' their products because they dissolve nails and melt teeth? No. Why? Because we drink it and we love it.
The only advantage I see, OF THE TWO, is that OS X is *vastly* more open source on the OS side than Windows. *That* is a good thing. It is *not* a security feature (we're not idiots), but it certainly doesn't require nearly as much faith in Apple's abilities to secure its OS as it does in terms of a Windows OS.
They are different, the attacks and methodologies behind them are different. If someone has a decent set of benchmarks measuring a specific, malicious, and effective exploitation of each system, the time it took to develop, and the gravity of the negative effects, by all means speak up. Other than that, this is just biased, bigoted nonsense with some Address Space Layout Randomization and other fancy buzzphrases thrown in for optimal pretension. IT nerds are the worst. I must be the only IT nerd in the country that *doesn't 'know everything'.
The way I see it is this: if the mother@%#$ing US Army is using commercially available hardware, with a commercially available OS and applications, it would be an asinine assumption that they hadn't performed an insane review of the vulnerabilities, as well as doing everything in their power to harden the living hell out of said systems. If they didn't, if they don't know what they're doing and they're just installing shit with out-of-box configurations, etc... if they are vulnerable to *common* (for fuck's sake, *common* attacks, like the Army isn't going to attempt at prepping themselves for *common* and *known* attacks and vulnerabilities), if they're sending battle plans over unencrypted AIM, then fuck them. It's their loss.
If they want to use rubber bullets and nerf guns instead of their standard issue MK's or whatever the hell, well... I guess it's their loss there too.
If you smarty-pants buzzword spewing security nerds are really incensed by the idea that the Army is using OS X instead of some obscure and crazily configured linux distro on some whacked out 64-bit architecture that sounds new and fancy (as though they don't have their own set of vulnerabilities, it's not like they've been around to stand the test of time), then why don't you get off of your fat, WoW playing asses, finish your 128oz Dr. Pepper Big Gulp, and submit a damn proposal with your resume c/o The US Army.
Better yet, try to break into the Army's infrastructure.
Better yet, leave it to the Army to deal with their own security. If a branch of the US government (funny to note someone talking about NSA, NIST, or DoD guides security guidelines, as though the Army wouldn't take them into account like he would) can't deal with their own security, then we're fucked. Whining about which OS is more secure is a ridiculous thing to do in light of a post like this.
You have no idea what the Army does to those machines prior to their usage, so nearly every word of every one of these comments is moot.
If the Army gets screwed over, they'll adapt. Remember the Revolutionary War, kids? Who was diving out of bushes killing at will while the jolly redcoats followed protocol and stood in neat rows for the taking? Us. I don't say trust the government to be the smartest of us all, quite the contrary (the FDA used to treat morphine addicts with heroin, I mean c'mon), but I do say that one area the government doesn't seem to f@ck around in is the military... I know because 95% of my tax dollars pay for their toys.
If you wanna help them out, it's *real easy to join. I guarantee it. Other than that, I say take your Apple vs. Windows debate back to the incestuous IT message boards of who-gives-a-shit.com circa 1997.
"You have no idea what the Army does to those machines prior to their usage, so nearly every word of every one of these comments is moot."
I'm pretty agnostic about operating systems but I'd hate to be a Windows admin working alongside the Apple admins. Just the thought of all the 'told you so' smirks and jibes from the smug 'Unix rules' crowd would drive me around the bend.
When Windows is no longer mainstream and Apple's OS has taken over, then we will start hearing jokes like "a worm in your apple" and "that's organic." I wonder whether that "worm" would be from overseas or local.
I would like the US Army to stay competitive globally, instead of choosing the easy way out.
You don't seem to know any more about government procurement than you know about the Revolutionary War. Selling stuff to any government agency is difficult, and selling it to the Army is probably more so. Whether or not by coincidence, government procurement procedures are really onerous for small businesses, and strongly favor large companies.
The single biggest difference I've seen between Windows and Unix, for security purposes, is common practice. In Windows, it has been normal to run in administrator mode. Whenever I've been given administrator access on a Windows box, it's been done by making my account an administrator, rather than giving me a special admin account. Up through XP, the expectation has been to run in administrator mode, although Microsoft's trying to discourage this for Vista.
On Unix systems, I get my user account, and perhaps access to the root account. On the Unix and Unix-like OSes in this house, none comes with a root account by default; they use sudo (sometimes disguised by a GUI) to do system administration.
This means that, at the very least, an escalation attack through the user requires the user to type in his or her password, which is not usual, and therefore should alert a minimally aware user that something might be going on. If the user is running Windows, there's either no notification or yet another one of those blasted permission dialogs that the user is long since used to just clicking through.
teehee...buying 20k with a 700k existing base...yes, they sure are diverse now that only 97% of their systems are Windows.
It occurred to me that this might just be an exercise in getting a bigger stick to threaten Microsoft with.
When there is a known hole in Linux, the Army could patch it themselves. When there is a known hole in Windows, the Army have to wait for Microsoft to patch it. The situation isn't much better with Apple but at least the Army can now tell Microsoft "If you don't patch this in the next month, we'll have to move all of our X-type servers over to Apple." and it would seem believable.
I wonder what percentage 20,000 is of their total new purchases for the year...
Given the technical prowess of most soldiers, does this mean the new servers will have a single, round button thing as the user input?
"You have no idea what the Army does to those machines prior to their usage, so nearly every word of every one of these comments is moot."
Unfortunately, we do have quite a good idea of the constraints put on them due to COTS initiatives and manpower training.
To put it bluntly, most mil procurement has moved away from proprietary hardware / software due to the cost and life cycle issues. This has been going on since the late 1970s.
So commercial off-the-shelf component parts and software make just as much sense to the Mil as they do to any Fortune 500 company. Likewise, Admin and Operator personnel are going to be using largely commercial software in their ordinary day to day operations, so it makes sense for the Mil to follow that route (due to training and other cutbacks).
As for "what the Army does to those machines", they need interoperability just like any Fortune 500 company, so you can very much bet that it is actually no more than a Fortune 500...
So I suspect a lot of the more sensible comments made here are very far from moot.
Still stands to reason that if they are using off the shelf configurations, they deserve whatever successful, malicious onslaughts come their way... if for nothing more than to point out their poor judgement.
This is the US military, they should not be using off the shelf configurations for anything, unless it's straight off the shelf of the NSA or the DoD. I wouldn't even think of it in terms of security through obscurity either, I would *hope* that the US military is at least moderately aware of the threats posed against them, and I would also hope that they have a mighty insightful play book of how to counter or prevent those threatening scenarios.
As far as the meaningful nature of many of these comments is concerned, I stand by my original statement, because the way I see it, *if* the Government is using COTS configurations, then it really doesn't matter one way or another what OS they are using, or the inherent vulnerabilities, because either way it's a disaster waiting to happen. Anything else is a Windows vs. *Nix jagoff debate. Albeit, I simply couldn't imagine the idiocy involved in allowing something so vulnerable to house incredibly sensitive military data, but that's just me. On the other hand, if I'm right in assuming that the government isn't 100% public in terms of how it uses its yearly budget (to the tune of something like 1,200 billion dollars), and that they certainly couldn't be dumb enough to use a COTS X-serve for an extremely sensitive, publicly connected data warehouse, it also serves to attach a certain level of irrelevance to much of what's been said here.
If joe blow IT nerd playing some MMORPG in his mom's basement all day can come up with a technical and pretentious list of vulnerabilities pitting *nix against *doze, well, I'm not entirely convinced that the Army isn't able to figure that much out themselves. I could be wrong though. I really could.
Either way, if the military can't secure their data with the money they're raking in, well I suppose that's just too damn bad for them, and likely the rest of us as well.
I wouldn't be surprised though... considering they've even started outsourcing their killing squads using corporately owned rednecks instead of trained military personnel, haha.
Wow. Your smug attitudes about the military are amazing. Stereotypes are so funny, especially if they're totally false, right?
"Er, your *entire* environment isn't going to be running the same essential service that is going to be vulnerable to a zero-day exploit. That's crazy talk."
ummm... DNS? NTP? Internet Explorer?
I fully realize that I'm using service in a loose context, but the point remains.
You can even use MS08-001 as a possible example of an essential service (TCP/IP stack). How confident are you that Microsoft has found *all* the bugs in the network stack?
I agree that there are advantages to standardization as well, but it doesn't come for free.
"Better yet, try to break into the Army's infrastructure."
is ur crazey
dem has gunz
> ummm... DNS? NTP? Internet Explorer?
You'll have to differentiate between the possible security threats to a chunk of client software vs. server software to really explore this fully. Yes, all machines (in most clusters) rely upon the DNS service in order to run properly, but a vulnerability in a DNS *client* usually requires the client to be pointing at a compromised DNS server; this sort of threat can be mitigated by other steps. Besides, it's a pretty bad example because you can't have two different DNS clients on the same computer. From a server standpoint, I suppose you could decide to set up two sets of DNS servers (one running BIND and one running Windows DNS, for example), but I'm not sure what sort of attack you'd really be helping defend against - or to be more accurate, I can see what sort of attack you'd be trying to defend yourself against, but I don't think running two different DNS services is going to help you defend against it very much. I've also seen sites that have done exactly this sort of differentiation in the name of making themselves "more secure", and the resulting mess of maintaining proper zone files (not to mention trying to troubleshoot lookup problems when client machines are pointed at two different servers) was way more trouble than it was worth.
> How confident are you that Microsoft has found *all* the bugs in
> the network stack?
Not confident at all. In fact, it would be more accurate to say I'm confident that Microsoft has *not* found all the bugs in the network stack. So? I'm not confident that the Linux or Mac network stack software is bulletproof either. Assume your machines are insecure, because you can't make hosts secure (if for no other reason, because people use them). Build your organizational cluster with layered defenses involving physical security, OS security, software security, network security, and most importantly a real audit policy and review.
Mixing up your client base because you want to try and protect yourself against this sort of vulnerability is nuts - this particular example is rendered trivial by having a real network security policy.
There are lots of good reasons to have multiple types of clients in your domain. Virtually all of them have to do with software and end users.
From a management standpoint, however, homogeneous clusters have a number of staggering advantages over heterogeneous clusters.
Yes, it's bad when everybody in the world runs one operating system (or one anything), generally, for the reasons Bruce pointed out in his monoculture paper. But most of those reasons apply to the common domain, not subset domains. You can run a cluster of all-Windows machines and be many many times more secure than the entire population of Windows machines. You can run a cluster of all-Linux machines and be many many times less secure than the entire population of Linux machines.
This has way more to do with how well you set up your cluster and the steps you take to monitor, audit, manage, and deploy those machines than it does what software you're running on them specifically.
Hey Anonymous. No, not YOU, Anonymous, that other Anonymous over there, the one with the attitude. Yeah you. Do us a favor and think up a handle, willya? I mean, I appreciate you're practicing security by obscurity and all, but conversations among several people called "Anonymous" get too confusing. Thanks.
I still think given more than twenty years to do so, the military could have developed its own secure operating system by now...
And sorry if I offended your sensibilities, gopi at, but Mac OS/X still looks like Amiga to me...
I'm with the poster who stated that Wallington should not announce what type of computers the Army will use to defend itself. To me, if you announce what computer or software product you use to defend against cyber attacks, that is similar to a US Marine telling an Al Qaeda operative how to effectively destroy that Marine's platoon. While diversifying your IT vendors is a good strategy for defending your IT structure, telling them what you are using is just plain damn stupid. The DOD should use better judgement in giving information when a military branch talks about IT security. Interesting story though.
I design military networks, and most so called security experts have no idea at all what real security is all about. I was a certified security consultant with 20 years IT experience, and like my colleagues around me, I found when I moved to military networks that in reality I knew nothing of security.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.