Army Buys Macs to Beef Up Security

agent_blue writes "The Army is integrating Macs into their IT network to thwart hack attempts. The Mac platform, they argue, is more secure because there are fewer attacks against OS X than Windows-based systems. 'Military procurement has long been driven by cost and availability of additional software--two measures where Macintosh computers have typically come up short against Windows-based PCs. Then there have been subtle but important barriers: For instance, Macintosh computers have long been incompatible with a security keycard-reading system known as Common Access Cards system, or CAC, which is heavily used by the military. The Army's Apple program, created [in 2005], is working to change that.'"

but

[Anonymous Coward]

i thought they don't allow gays in the military?!?

Re:but

[Anonymous Coward]

Hey I'm gay you insensitive clod... wait no...!!! That joke backfired horribly!!

Re:but

[Anonymous Coward]

There's no rule against being a Mac user in the military. You're just not allowed to tell people that you're a Mac user, and they're not allowed to ask if you're a Mac user.

Don't ask, don't tell ...

[AHumbleOpinion]

but i thought they don't allow gays in the military?!?

They expect the computer to be running MS Office on an Intel CPU. They are not allowed to ask, and you are not supposed to volunteer, whether you are doing so under Windows or Mac OS X. It is a don't ask, don't tell policy, and it upsets a lot of people in the Bay area.

Re:

[tsa]

That's funny, you may have a point there. I wonder how many % of Macs are bought by women...

Don't ask, ...

[AnomaliesAndrew]

Don't ask, don't Intel?

US Army used Macs in/since 1999 for servers

[lixlpixel]

http://www.serverwatch.com/news/article.php/201361 [serverwatch.com]

i always liked the idea...

from the article: "Until the Army's Web site was hacked in late June by a 19-year old Wisconsin man, the site had been using a Microsoft Windows NT-based Web server..." :)

How many times?

[morgan_greywolf]

How many times do I have to keep telling people that security is more about the skill of the IT staff than it is about the operating system it runs on?

Yes, Windows has vulnerabilities. Windows sucks as far as security goes. That goes for Vista, too. But waving around an OS like it was some magic bullet that's going to somehow fix your security problems is, well, insanity.

Re:

[splatterboy]

It may not be a magic bullet, but it probably will make life easier - isn't that good enough for you? Or is it all black and white to you...

Re:How many times?

[Daniel Dvorkin]

How many times do I have to keep telling people that security is more about the skill of the IT staff than it is about the operating system it runs on?

"More about" is not the same as "entirely about." Sure, a good IT staff with a bad system will be more secure than a bad IT staff with a good system. But a good IT staff with a good system will be more secure than either. And Unix-based systems, including OS X, are demonstrably better in terms of security than Windows-based systems are.

Do you think the Army should go back to using bolt-action rifles? It's true that a good marksman with an M1903 is more useful on the battlefield than a bad marksman with an M16, but ...

It's about avoiding a computing monoculture

[QuietLagoon]

But waving around an OS like it was some magic bullet that's going to somehow fix your security problems is, well, insanity.

If you read the article instead of the headline, you'll see that the Army is making the attack target more diversified, so that a single attack will not bring down all computers. What's wrong with that tactic?

Re:It's about avoiding a computing monoculture

[WinterSolstice]

As a long time opponent of homogeneous computing/infrastructure I think this is a great move. Any security conscious shop makes certain to balance the management benefits along with the heterogeneous benefits.

Sure, it's cute and cheap to run everything on any one platform, but like they always say "spread out or one grenade will get you all".

Re:

[cgenman]

I worked somewhere that our network was rather violently infected by a new and nasty worm. Being an all windows-shop at the time, every computer that was tasked with figuring out the problem and fixing it was also infected. Thank goodness for Knoppix.

Serial, not parallel

[SamP2]

The simple thing that's wrong with that tactic is that instead of having to provide security for one OS, they now have to provide security for both.

When protecting data, think "serial" and not "parallel". You won't get extra security by diversifying your OSs because hackers don't need to hack ALL of them, but just ONE of them, to compromise data. This is not a case of "redundant systems", but rather a case of "the weakest link". The more OSs are supported the more chances that AN OS will get hacked (as opposed to ALL OSs), but when it comes to protecting data, hacking that ONE OS is all it takes. Hackers are certainly more agile than the government, and the government should try to minimize its profile, together with hacking avenues, rather than build redundant systems where redundancy is not the solution for the problem at hand.

In other cases when the issue IS parallel, such as protecting a mission-critical system (think Space Shuttle), then yes, multiple OS's increase the chance that any one will survive. But this doesn't apply to data security. They should stick to one OS as well as one of everything else, preferably as secure as possible (NetBSD, some Linux distros, etc). But even JUST Windows is more secure than Windows and OTHER stuff together, because you keep all the risks of Windows while adding the extra (even if relatively smaller) risk of the other system on top of the original risk.

one point of failure

[Foofoobar]

so whats wrong with supporting more than one OS? Would you prefer one point of failure? A good sys admin can support multiple platforms. The only people I ever hear complain about this are Windows people who can't support anything else. Linux admins can ALWAYS support Windows and Mac platforms so why is it so hard for the vast majority of Windows admins to support the other platforms? Hmmm...? Do you just prefer having a single point of failure?

Re:

[SamP2]

No, I prefer people who bother to read posts before a kneejerk reaction at replying to them. :-)

Re:

[Foofoobar]

and I prefer people who can state facts instead of partial truths but I'll take what I can get this christmas with a republican in the white house. :)

Re:

[fermion]

One side would say that there are benefits to supporting only one system. One can get expertise in supporting, maintaining, and securing the system. There are cost savings in not having to maintain separate inventories. There are cost saving in being able to hire a cheaper labor who must only know the rote procedure for the system, rather than understand the basic principles that will allow the person to work on multiple systems.

However, predictability poses a significant security risk. If I know exact

Re:

[TeraCo]

You might be a good admin but your comprehension kind of blows. His ENTIRE POINT was that finding 'non sucky' admins (as you put it) is very difficult. People who are skilled to an enterprise level in multiple operating systems are extremely rare. (My previous enterprise that I worked in had about 3 or 4 such people across 40,000 staff total (and about 5,000 IT staff).

Re:Serial, not parallel

[QuietLagoon]

The simple thing that's wrong with that tactic is that instead of having to provide security for one OS, they now have to provide security for both.

And your point is? That extra security costs money?

When protecting data, think "serial" and not "parallel". You won't get extra security by diversifying your OSs because hackers don't need to hack ALL of them, but just ONE of them, to compromise data.

In one instance you may be correct, but in other instances, you are not. Whether or not data are compromised depends upon how that data are partitioned and where the data reside.

You do get extra security by diversification, because you have the ability to continue to function while one OS's computers are struggling with a malware attack.

Note that the article is not saying that diversification of OS will make an installation 100% secure, just that it will improve the likelihood of continued operation albeit at reduced levels.

Re:

[P3NIS_CLEAVER]

You kind of have a chicken-and-egg thing here. If you have competent admins and give them a choice, wouldn't they pick something other than windows?

Re:

[jellomizer]

True but, there is no harm in getting a more secure OS. There are people with different skill levels, of handling security, There are people who follow stupid security and think it is good security... Having a better OS will help reduce Human error. No having Macs won't make you invincible against all problems but it will keep the riff raff out.

It is like securing your house. Having Locks on the door is better then not even though most anyone could with some effort break the door down to get in. A strong

Re:

[eno2001]

Tell that to the OpenVMS guy in the food line down the street. Did I say that out loud?

Magic Bullets Kill... sometimes not who you think

[theshowmecanuck]

... The Mac platform, they argue, is more secure because there are fewer attacks against OSX than Windows-based systems. ...

Not any more.

If the army is using it for that reason then you know the Chinese, Russians, and any other tech savvy nation will now point their hackers at Macs.

Re:Magic Bullets Kill... sometimes not who you thi

[Bo'Bob'O]

Well, isn't that part of the idea? If you can divide your opponent's attention in half with only a small amount of your own resources, that seems like it would be a worthwhile tactic.

Re:

[hey!]

To play devil's advocate here for a moment, having several operating systems in your network makes it more likely that some of the nodes will continue to function when vulnerabilities are found in the platform some of them run.

On the other hand, securing a network means knowing how to secure each kind of host on it, so you don't want to have an unlimited number of platforms. You'd probably have a significant problems with them at any time.

If operating at all times, even under attack by a determined and wel

Re:

[0racle]

Wouldn't the skilled IT staff also know enough to choose the proper platform? Security is a process not a product, what things run on is part of the process.

I don't see the Military switching to OS X for everything then wiping their hands and saying "we're done, it's secure now."

security by obscurity and evolution

[wikinerd]

waving around an OS like it was some magic bullet

The security partly comes from using an uncommon OS, not just a more secure one. It's a security by obscurity thing... and although obscurity may not be a perfect measure, it's good when it's coupled with a truly more secure OS.

This implies that the perfect obscurity would come from a homebrew computer system, designed and built in its entirety in one's home. And if it were designed to be secure by default and its creator was a perfect mathematician and engineer, then it would probably be the most sec

Re:

[raddan]

But waving around an OS like it was some magic bullet that's going to somehow fix your security problems is, well, insanity.

Google "sane defaults". Windows fails miserably in this regard, as does much commercial and free software. Apple usually gets sane defaults right, at least from a UI perspective, but the only group of people (as far as I am aware) who have put a lot of thought into sane defaults from a security perspective is the OpenBSD group. Making sure that things work securely, out-of-the-box is important, because IT shops are often in need of something quick-and-dirty. Often those quick-and-dirty implementations

Re:

[99BottlesOfBeerInMyF]

How many times do I have to keep telling people that security is more about the skill of the IT staff than it is about the operating system it runs on?

I'd argue the skill of the IT staff includes choosing appropriately secure and securable OS's for your purpose. For example, in a university setting, choosing to supply all students with an laptop running OS X or Ubuntu, may well solve 90% of your security problems, whereas choosing laptops loaded with Windows to distribute, may well make securing your network with the resources available impossible.

But waving around an OS like it was some magic bullet that's going to somehow fix your security problems is, well, insanity.

In some cases, choosing the OS does solve most security problems, and that is just the way the malware

Re:How many times?

[VirusEqualsVeryYes]

Psh, yeah. That 8% of Macs -- only a few tens of millions? All with no anti-virus software whatsoever? And the fame/infamy of being the first to write a self-replicating virus for Macs?

Yeah. Totally not worth it.

Stop perpetuating simple-minded myths.

Re:

[stewbacca]

100 million plus, the last figures I saw. So yeah, you are right, a "few tens of millions".

Re:

[Anonymous Coward]

Because Linux is insecure by default as well.

Linux is secure - sure, until you install a CMS on it and never update said CMS software.

I'm sensing some cognitive dissonance here...

"Security through obscurity"

[theurge14]

I didn't think I'd see this "security through obscurity" myth repeated on Slashdot.

Re:

[rob1980]

You must be new here. Welcome!

Re:

[runningduck]

Even if the market was split evenly there is still an advantage to utilizing two different platforms which the article clearly points out; a single attack is unlikely to take down all systems. This falls in line with the principal of using different platforms between a DMZ and an internal server when providing a service to the Internet. The difference, mathematically speaking, greatly reduces the probability of a successful internal compromise.

Re:How many times?

[mi]

If the military starts using them, it's only a matter of time until attackers hone their Mac skills and then the Army is right back to where it started, possibly even worse off because they evidently wouldn't see it coming.

Well, if they mix the OS-vendors like they (finally) mix aircraft-engine suppliers [aviation.com], it will be harder for an adversary to knock out all computers with the same (cyber-)attack. If a flow is found and/or exploited in some of the systems, they can be shut down and the same tasks performed on systems of (an)other type(s).

This argument — strength of diversity — floated here before...

Re:

[mi]

Once you can lose [windows or *nix or Mac] systems, for all intents & purposes, the IT infrastructure in question is near useless.

This presumes, the systems are always used in sequence (links in a chain), rather than in parallel (say, like a fishing net). This presumption is false.

For example, if half of a unit's desktops have to be shut down due to a particular flaw (in design or in implementation — does not matter) in their OS getting exploited by the enemy (or for some other reason, such as

Re:

[dave562]

It isn't because Macs are in the minority that they aren't vulnerable to exploits. There simply aren't as many vectors for infection/compromise on a crapintosh. If you want to spread some more educated sounding FUD, focus on how now that Apples are using the x86 Intel architecture, the real hackers who have been writing x86 based assembly code since the late 1980s can now port their knowledge over to the Apple platform.

By the time the knowledge is ported over the Army will have seen it coming. The fact t

Re:How many times?

[jackpot777]

Let's put this in a language we can all understand.

Money.

According to one of these links, a press release, on Google [google.com], ID thieving alone "costs more than $56 billion, or $6383 per victim, annually". That's US, obviously.

Social hacks (phishing) can be done to anyone clever enough to hold a conversation but stupid enough not to be even slightly cynical when strangers start asking certain questions. But many phishing techniques ask the hapless victim to download an attachment, or get access to the victim's computer using online foot-in-the-door tricks like eCards that are more than they appear [hexus.net].

What's the level of Mac penetration? 5%? 8%? Let's say it's the lowest number. Five percent of $56 billion is still $2.8 billion a year. If anyone manages to write malware that could spread in the way PC malware can multiply, especially with the average Mac user's attitude ("virus protection? Why should I save a PC user's arse when I send them Word documents? My iBook's fine..."), imagine the draw for crime syndicates. A guaranteed first shot at nearly three billion EVERY YEAR.

And yet it hasn't happened. An illegal industry that pays better than drugs, without the inherent violence on the streets, and Mac users steadfastly refuse to get fleeced.

Which means either the criminals either aren't really that hungry for this potential sector, or there's an easier way to get the money.

Just having the standard feature in a Mac that asks for your password for any new program being installed means you're put on guard. "Hey, I went to see this funny ReindeerYourself card and it's asking for my passowrd? No way..." and the keylogger software remains off your computer. It wouldn't matter if Mac penetration was 12%, 15%. If it's so much easier to hack the PC system for financial gain, it's not financially viable for anyone to write the keylogger software and then wait for enough Mac owners to be stupid enough to install the software to recopu their costs. Just let Windows users visit the page you mass-maile and enough will click the link with high speed connections. Ker-ching.

So this is finally put-up-or-shut-up for the Windows fanboyz. If the US Army puts its weight behind it, this shifts the whole landscape for writing malware. You see: before this announcement, any jihadist that wanted death to America would just do what all the other fanboys did: learn Visual Basic and send away. But now? Now they'll need to try and sneak through the Mac architecture. And unlike the Russian Mafia, cost isn't an issue. The 'enemy' will throw everything they have to bring the Army system down. Cost isn't an issue if money is not what you're after.

So if it turns out that a world full of hate-filled terrorists that care nowt for money can't hack their way in, what then for the Apple bashers?

Re:How many times?

[gnasher719]

The worst part about this all is that there are usually just about as many vulnerabilities affecting Apple's platform as there are vulnerabilities affecting Microsoft's platform for any period of time. I invite you to review a few pages and look at the volume by date range.

On the other hand, when you compare the number of Macs that have actually fallen victim to any vulnerabilities with the number of PCs, then the Macs are outnumbered more than one to a million.

One small step

[kryliss]

One small step for Mac one giant leap for Mac kind.

Re:

[calebt3]

even *i* think this is a really, really stupid idea.

That makes you an "enthusiast".

CAC on OS X has been working for a while...

[Eagle7]

http://www.google.com/search?client=safari&rls=en&q=cac+on+mac&ie=UTF-8&oe=UTF-8 [google.com]

Support is built into Safari, and it is possible to set it up to log into a Windows domain, I believe.

Re:

[Kadin2048]

Glad you pointed that out; I was going to say the same thing. CACs work very well on recent versions of OS X, the trick is just getting IT departments to realize this and allow them, and of course ensuring that you don't need any software that's PC-only.

But you can use any number of a bunch of commodity USB smartcard readers and do just fine on the Mac. The drivers are all there; once enabled [apple.com], it's pretty slick actually. At least as of a while ago, Apple actually had at least one full-time employee working

According to Hollywood

[techpawn]

All computers used in the military facilities in the Transformers movie by the teams trying to break the Decepticon's code where Apples. It should also be pointed out that the computer that defeated the martins in Independence Day where macs.

Life imitating "art"?

Re:

[techpawn]

The good guys all used macs. The bad guys, something else.

That's far deeper and more profound than I think you meant it to be...

I'm stumped.

[grub]

How will they know if the user prefers a Mac or PC with their "Don't ask, don't tell" policy?

Re:

[geekoid]

Very good. I about sprayed salad all over my monitor when I read that.

Like flies to honey

[jtroutman]

The Mac platform, they argue, is more secure because there are fewer attacks against OSX than Windows-based systems

Not that it's more secure because it's better, but because there are fewer attacks? Won't adopting give hackers more incentive to attack it? They shouldn't judge the OS based on how many attacks there are now, but on how secure it can be made since one would assume that anything the government runs is interesting to hackers.

Re:

[stewbacca]

The Army is a "bottom-line" organization. They don't care WHY something happens, only that it does. In this case, it might be short-sighted, but for the short-term, I think it's a fairly decent plan, considering how many years and how much money they've wasted trying to make Windows secure for the military environment. By the time a hacking threat becomes real on OS X (if ever), the military will have moved on to the next threat.

Re:

[SirGarlon]

Not that it's more secure because it's better, but because there are fewer attacks? Won't adopting give hackers more incentive to attack it?

Yes. But.

Attacks most often propagate from machine to machine via worms or botnets or whatever. The more homogeneous the network, the greater the transmission probability from one node to the next (if you have an all-Windows network, then something that penetrates one machine will penetrate the next one). Attackers generally have to choose an OS which they want

Re:

[Danathar]

Yes. It is better. Not by virtue that people who program are any less prone to mistakes like buffer overflows, but because (in my opinion of course) the UNIX design for OS security is better than the Windows design for security.

Ask just about any security expert which design philosophy they like better and I'll bet hands down UNIX wins over Windows.

No surprise

[L4m3rthanyou]

With a runaway defense budget like ours, I'd say the mac is a perfect fit!

Wait a minute

[$RANDOMLUSER]

Macs & beef!!! I thought they were all vegans.

Computer security specialists

[HangingChad]

The clear majority of the really high end computer security people I know are driving Macs. On the military side Army and Marines seem to be tinkering more with Linux. The Marines less so because of NMCI, but there was a demo of battlefield information system that was Linux based. Navy and Marines have pretty much locked themselves into Windows desktops managed by EDS on the administrative side. A move I believe will go down as one of the great defeats in Naval history, with casualties of 250 million American taxpayers.

Don't know about the Air Force but the few AF people I've met at conferences seemed pretty on the ball and struck me as Linux curious if not outright supporters.

Re:

[stewbacca]

The Air Force has had a long standing, strict, commercial-off-the-shelf policy when it comes to IT standards. In other words, they are 99% Windows based.

Re:

[Joe The Dragon]

and that other 1% is used on the star gate program where they us a custom os and hardware that is based in part of tech found off world.

I've seen this before...

[theurge14]

HThe Army's push to use Macs to help protect its computing corps got its start in August 2005, when General Steve Boutelle, the Army's chief information officer, gave a speech calling for more diversity in the Army's computer vendors. He argued the approach would both increase competition among military contractors and strengthen its IT defenses.

"Sir, I have the DOJ on line 2."
"Tell them to get Bill Gates in here."
"Yes sir."
(door opens an hour later)
"Bill Gates, you told us Windows Vista would be more secure!"
"It IS more secure, over five million...(BLAM)"

Military Intelligence

[Foofoobar]

Mac: Hi I'm a Mac
PC: and I'm a PC
Military Intelligence: And I'm no longer an oxymoron

Summary is Totally Misleading

[asphaltjesus]

Mac's have CAC support. Try /usr/sbin/cac_setup

I'm not trivializing the work that would need to be done to work in a DOD environment where most of the CAC-enabled apps need a osX port. The low-level strong authentication portion is done.

In true government contracting fashion, the bulk of the work is done by Axalto, with some DC-based project management middleman cashing the Fed's checks. Axalto is probably barely breaking even on the project despite the huge volume of cards in the field.

Story is a bit late

[stewbacca]

Back in the late 90s the Army switched its us.army.mil stuff to Mac based servers based on the input of a low ranking enlisted guy (whom I knew, and I myself was in the same unit when he made the suggestion). They publicity at the time was that the Windows servers were getting hacked on a daily basis, so they switched to the Mac OS server stuff and the problem was solved...the hackers no longer were able to hack the front page of the US Army on a daily basis. I wonder why they are just now realizing this

Can't compare Mac OS and Mac OS X

[AHumbleOpinion]

Mac OS based servers, like MS-DOS based servers, were pretty damn secure because they had little to no remote access. Mac OS X is a completely different story. Other than name it has nearly nothing in common with Mac OS, it is a descendent of NextStep, a known Unix-based platform.

Bootcamp

[corychristison]

Brings a whole new meaning to BootCamp, doesn't it?

So does that mean they will be cheaper soon?

[greymond]

While Apple systems have always been slightly higher priced (when compared to equal pc systems not home made random part systems) I figured this was mostly do to higher manufacturing costs. I could be totally wrong, and probably am, but I'm hoping that with the Army switching out all their systems to Apple machines that the manufacturing costs over all will go down and maybe we'll start to see some cheaper Apple systems coming out. Yeah yeah it's a lot to ask for but I like to hope for the best I guess.

Re:

[99BottlesOfBeerInMyF]

While Apple systems have always been slightly higher priced (when compared to equal pc systems not home made random part systems) I figured this was mostly do to higher manufacturing costs.

Actually if you compare just hardware, from other vendors with similar reliability ratings, Macs are about the same price as other PC hardware. The last study I saw put them at about 20% above average in price, which is about the same as Sony (who also sells mostly mid and high end machines with top end reliability ratings). Apple systems are about the same cost as any other PC, assuming you're looking at all the hardware criteria, not just bullet points. And by all the criteria i.e. a system with a 120 G

The Black Mac

[NiteShaed]

It's not directly related, but this reminded me of a story [wired.com] I heard about the "Black Mac", a tempest shielded Macintosh SE 30 1891 T that some guy found at a second hand shop. Nobody is sure where it came from, or why it was built, but it seems to have been made by Apple (as opposed to being some weird aftermarket mod). Presumably it was built for the military, or some intelligence agency...

very short-term solution

[eck011219]

Seems to me that because the Mac is largely secure through obscurity (as this was already tagged), the military is just increasing the incentive to crack the Mac for the Bad Guys. Three years from now (or who am I kidding, three DAYS from now) when then exploits begin to be released into the wild, I think their reasoning will be found to be faulty. While there still won't be as many Macs out there, there will be a select few with wildly valuable data, and therefore it will become more lucrative to crack the

No open ports

[SuperKendall]

1) No Bonjour services listen on open ports by default, even if the Bonjour handler itself may be running somewhere on the system.

2) Bonjour is ZeroConf is Open Source. And included in Darwin...

You don't have to assume anything, you can see it right there on a stock install.

Aqua really is a lot more of a window manager, it's not there to handle things like Bonjour.

Hell is a bit colder today

[eyebits]

About five years ago I was doing a training session/presentation for IT staff at an Army base where I was told that the Army would never use anything other than Windows. I made the mistake of referring to Linux, Mac OSX and open source software during the presentation which caused some folks in the room to get upset with me. I remember a comment about hell freezing over first. I guess hell is a bit colder today.

Bah, MI-5's been doing this for years

[ducomputergeek]

http://www.imdb.com/title/tt0160904/ [imdb.com]

But on the more serious note:

Why not Linux?

A: http://www.openbsd.org/ [openbsd.org]

Which at one time was a DARPA funded project.

Re:

[CptChipJew]

Why, yes it does! [terrasoftsolutions.com]

Re:

[Nerrd]

I met airforce officers at a computer show in maine years ago, who were active developers of OpenBSD for the AF. Also, from what i remember, the navy started using PowerMac's years ago for the same reasons.

Navy Macs ran Yellow Dog Linux not Mac OS X

[AHumbleOpinion]

I met airforce officers at a computer show in maine years ago, who were active developers of OpenBSD for the AF. Also, from what i remember, the navy started using PowerMac's years ago for the same reasons.

Are you thinking of the onboard sonar processing software used in submarines? Mac hardware was chosen because it was PowerPC based and PowerPC had a big computation advantage over Intel for this particular application. The PowerMacs were running Yellow Dog Linux not Max OS X, they were replacing Suns.

Re:OpenBSD???

[ByOhTek]

Yes, and no.

I think they should use tools available cross-architecture for their software, and then have a multi-arch setup. For example:

30% Free/Net/Open BSD
30% Linux
25% Mac
15% Windows

This would alleviate the issues of an entire-network compromise from potentially overlooked vulnerabilities in any one system. Because you can get fairly simple general interaction for the operating systems listed (given modern desktop environments offered on Linux/BSD, Mac would be the most "different" and not terribly so even then), and applications That had cross-platform natures would be all that's used, there would be little difficulty for the end users to go between systems.

Re:

[hedwards]

In some ways that would be an improvement, but it wouldn't address the largest issue. That being the people using the computers. If memory serves that British "cracker" managed to get into a huge number of systems which had weak or non-existent security. Most OSes need to be hardened before they are deployed, and if you're not going to bother doing that alone with educating you're users, you may as well just hand over the info on the computers on a nice CD.

Diversifying the set ups would help, in the sense t

Re:

[ByOhTek]

I don't disagree with you, but I was talking from a completely systems perspective.

Actually, given that it is military and should have very fine grained security, nobody should have the rights to install a program, not even on their own space, except administrators. Such a system should be fairly user proof, except for the data the user can access, and at that point, password rule constraints in the software can get rid of the biggest problem for the standard user.

It's not something I would put on a home sy

Re:OpenBSD???

[peragrin]

Actually on a properly designed system not even the Administrator's should be able to install applications alone. And no one should be able to open every file.

Files should be locked, So while the Admin's can see them, move/copy them, they can't actually open the file itself. security should extend to more than just the file system, but to the files themselves. Of course being open to all should also be a manual changed possibility.

I wonder how long it will take for someone who makes more money than I will ever see to figure that out.

Re:OpenBSD???

[99BottlesOfBeerInMyF]

Actually, given that it is military and should have very fine grained security, nobody should have the rights to install a program, not even on their own space, except administrators.

One of the biggest security problems is when security reduces usability to the point where users bypass the security for convenience, or simply because it is easier. I've even seen situations where no one had rights to install any software because of security policies, and the admins were then ordered to look the other way for security violations in general because a company still needed to get work done and make money. Good security does not reduce usability. If users don't have the ability to run the software they want to, you've greatly reduced usability and should not be surprised when users start rebooting from a flash drive or working on their home PCs with basically no security.

Re:

[calebt3]

Why not split up the Linux category just for the heck of it?
5% Gentoo
5% Slackware 5% !Suse 5% Red Hat 5% Ubuntu 5% SELinux

Re:

[ByOhTek]

because there's a lot of Linux, and aside from the default apps/versions, they share a very similar core. I think any two of the three main BSDs are a bit more variant than any two distros of Linux from a similar time frame.

Re:

[VirusEqualsVeryYes]

Why? Because the government knows accountability (when it matters to them, anyway). Macs have a large corporation backing them. With the partial exception of Red Hat, any given flavor of *nix doesn't. Despite all the "it's good enough for government work" jokes, the government requires a well-known model of support for times when stuff breaks down. A large corporation backing their products fits the bill nicely. The community-driven open-source model doesn't.

And as to your Redmond comment ... nobody in Wash

Re:

[nightgeometry]

Macs have a large corporation backing them. With the partial exception of Red Hat, any given flavor of *nix doesn't.

So I guess AIX [ibm.com], HP-UX [hp.com] and Solaris [sun.com] don't have large corporations backing them.

Always best to be careful what you say about who does back those three, they all seem to have blood thirsty ninja vampire lawyers to hand...

Corporate Backing? *Windows*?! Ha! ha!

[darkonc]

Have you read Microsoft's EULAs recently? They pretty much take no responsibility for anything* -- If they don't want to fix it, you're toast! You don't even have the right (or the tools) to fix it yourself.

*(even their 'patent protection' program allows them to say 'stop using that software/feature',, with impunity.

Re:

[cromar]

Wanting to keep as much of my income as possible, mostly :) Tax $$$, you know. Buying cheap generic parts in bulk and custom designing equipment would be both more flexible and less expensive. Come to think of it, why doesn't the military implement the card reader software themselves? Most of the readers I've see are simple USB devices...

Re:OpenBSD???

[eli pabst]

Apple may have unix roots, but openBSD it is not. There is no comparison security-wise, openBSD wins hands down. If you need user-friendliness and usability, then that significantly changes the equation. My guess is they are looking for improved security with the happy clickiness that Macs provide.

Re:OpenBSD???

[UnknowingFool]

While openBSD may be more secure, remember the Army is about procedures. Leopard has been certified as Unix like AIX and Solaris. Leopard has gone through the time and expense to be certified, and it has a better UI whereas openBSD has not.

Re:OpenBSD???

[Junta]

Being certified a Unix doesn't mean but one thing, your organization was willing to throw a pile of money at another organization, nothing more and nothing less.

Which was implicitly his point, perhaps you missed the part...

While openBSD may be more secure, remember the Army is about procedures

Essentially declaring that perhaps one bullet point on a requirement to address this problem somewhere was 'UNIX platform'. Technical reality be damned, per the grandparent post, it could be the Army had that criteria and was therefore limited to Solaris, AIX, or OSX in terms of actively released/maintained platforms.

Of course, even restricted to these choices, Solaris might have been a better choice. OSX is the sort of vendor lock in I would hope my taxpayer dollars wouldn't go toward supporting. Windows is bad enough, but with OSX you get lock-in of hardware and software. Recalling how skiddish the US government got about Thinkpads and the like when Lenovo bought those bits, I wonder what the contingency plan would be if Apple sold off their computing bits to an offshore company. Even in and of the software platform itself, despite the Darwin base, OSX software tends to require the proprietary Quartz/Cocoa underpinnings, so supporting third party software with new hardware without Apple's blessing would be challenging. Windows is a little better in terms of hardware support, but the software portion is bad enough, though at least there is an excuse of the market situation as to why they haven't thrown it out completely.

Meanwhile, Solaris has an equally reputable backer, doesn't implement many proprietary APIs that common applications would make use of (AIX goes this far as well), has an unlocked x86 implementation (no hardware vendor ties, unlike any other officially certified UNIX), and is also under an open source license. In terms of an official UNIX with options for contingency plans, it doesn't get better than that.

*BSD, Linux, et. al. may or may not be even better choices, but this was sticking strictly to the assumed criteria of being able to officially declare it a Unix system.

BTW:

The Aqua interface is no more special or better than KDE.

Which may well be true, but wanted to emphasize the converse is not true. KDE/Gnome/Motif/Xaw/raw Xlib all have full stacks in terms of implementation available as truly open-source. If serious about security, the potential to audit your running stack as resources permit would be great. Also, goes back to the futureproofing mentioned earlier, if ultimately the organization can fork a private copy and do whatever the hell they want, they can avoid vendor lock in.

Re:

[M. Baranczak]

Just be glad they've never heard of Sun hardware.

Re:

[eno2001]

I'll second that... (Kicking those grey and purple monstrosities down the hall to the rubbish bin as I ditch iPlanet for Zimbra)

Re:why not liunx it is free and runs on any x86 ha

[someone1234]

Maybe because no one would bribe anyone to buy linux, the profit margin is thin.

Re:

[C0rinthian]

Perhaps juicy military contracts will encourage Apple to expand their product offerings to fill that gap?

Re:why not liunx it is free and runs on any x86 ha

[Jesus_666]

Probably because they already use Linux [slashdot.org]. It's hard to start using something you already use.

Re:

[everphilski]

Back when I worked for the Army we used Red Hat and Windows XP. I had more Red Hat boxes than Windows machines, and all of my Windows machines dual-booted Red Hat or Fedora. You have to remember, Linux is not free, you have to pay for someone to support it. And a good Linux admin commands a good price. Regardless, I always felt the Army was pretty progressive with respect to having a diverse field of operating systems (and an iron curtain of a firewall) and relatively strong network and physical security.

Re:

[damburger]

Because Linux is for European communist queers who pirate music. Macs are all-american and manly (sort of).

Seriously though, its probably to do with letting Apple join in at the endless corporate trough that is the US military, in order to expand their domestic support. Geeks will be more likely to be in favour of an idiotic war if it generates tech jobs.

Also, the international, share-everything ethos associated with Linux is unlikely to be popular with the people who came up with ITAR.

Re:OMG Terrorists will attack Macs!

[abigor]

The NSA have an OS X hardening guide you may be interested in: http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/applemac/I731-006R-2007.pdf [nsa.gov]

Beg to differ, OS X at install pretty secure

[SuperKendall]

1) Out of the box, you don't have services running you can exploit.

2) On install, OS X makes you chose a username so you have to log in to use the system.

3) OS X by default is suspicious of all content coming in from the web.

OS X already starts out with a high level of security, and doesn't do anything that would lead a user to weaken that without need (say opening a port for printer sharing).

Army buys BigMacs to Beef Up

[antek9]

That's more along the lines of, like, your ASCII art suX0rs.

Anyway, who else has a hard time imagining an army without right clicks?

Re:Army buys BigMacs to Beef Up

[Nullav]

Anyway, who else has a hard time imagining an army without right clicks?

Not me! How do they plan to assign orders after selecting units? It's like these people have never been on the field!

Re:

[Epsillon]

Surely you mean iMissiles, iTanks, iFighters and iWarships, all available as a generously discounted bundle package, iConquer?

You're right, though. I sincerely hope they know about Leopard's "firewall" issues and can read man pages.