Army working in more Macs to diversify systems, thwart attackers
By Nilay Patel 
posted December 22nd 2007 8:04AM
posted December 22nd 2007 8:04AM
The Army's been poking around with OS X for a while -- Xserves have run army.mil for a couple years now -- but it looks like it's about to deploy even more Apple machines in an effort to diversify its install base and frustrate would-be attackers. The move is partially due to the upcoming release of software that will allow OS X machines to work with the Army's Common Access Card smart card system, but the Army's experience with the Xserves seems like it's really the deciding factor: "[The Army's Xserves] are some of the most attacked computers there are," according to Lt. Col. C.J. Wallington, of the Army's office of enterprise information systems. "But the attacks used against them are designed for Windows-based machines, so they shrug them off." Outside security consultants say that diversity isn't enough, though -- while OS X may be difficult to break, hackers will simply learn to target the Army's Windows machines. "In the story of the three little pigs, did diversifying their defenses help? Not for the pig in the straw house," according to one analyst interviewed by Forbes. That's a good point -- but we're also a little concerned that all that white, aluminum and glass might clash with the Army's color scheme.
CACs work on OS X natively since 10.3, and with the Federal Smart Card package in 10.2. The article is referring to Thursby's ADmitMac for CAC, which completes the picture. ADmitMac supports AD smartcard logon (Kerberos with PKINIT) and allows management of OS X systems via group policy.
Army Reserve just recently got CAC working with OWA. They are so fricking slow with security it's pathetic.
Wow, another way to waste my tax dollars. Thanks, Army.
affirmative action strikes again!
There servers were hacked because they were using an OLD NT server that was not updated. Switching to another OS will not solve this problem. If they stayed up to date and actually set it up correctly they would not have had a problem.
right.... an old NT server.. as in one.. that wasn't updated.. wow.. you must be 744t to the core. Not set up correctly? How do you know? Where are your sources? How about you check out nsa's documents on their common security practices. Or, please inform us where you are getting your 733t information from.
How about you read the news. This happened 3 years ago. They were running NT4.0
i'll play along.. you are saying 1) i need to read the news... 3 years ago. Okay, assuming that I read the news every single day, keeping up with even /just/ technology, coding, security as well as hardware; you want me to recall an instance where the army was running /One/ NT4 server that got hacked because a)it wasn't set up correctly and b)it wasn't patched. Okay, rediculous at best, but still I will play along further. You are also suggesting that if both conditions above were true, then they 'wouldn't have had a problem'... Let me ask you, why do you think they release patches regularly? Because someone comes up with an exploit that no one else has figured out yet (most times.. code red was a good example). If you knew a robber was going to enter your window and steal all your possessions, wouldn't you protect that window? That is why you don't use sh*t products like NT4 and you use something that has proven itself in mission critical situations (or in life systems). I would choose the crappiest linux server over the best microsoft one any day (unless they change their security framework). Anyway, not sure where you get your information and merely recommending that someone read the news from 3 years ago is a little rediculous. Hell, I even googled it to see if I would stumble upon some big security breach where the army's 1 NT server got hacked because it was not setup correctly nor patched... no such luck. Could you point me in the right direction?
I can tell you don't live in the real world. I have a lot of websites running Windows 2003 Server. 0 hacks If you don't keep up with updates on your linux boxes you will get hacked there as well. I have seen several sites taken down, and they were not all running Windows. Several were using Linux and some other were running Unix. The point is, if you don't keep up with updates then switching to another OS or program will not fix that issue. I have used Windows for 10+ years, and have never gotten any virues. Switching to OSX because it is more secure. (200+ security updates in the last year http://secunia.com, and check each issue [each patch containts 10+ updates at a time on a Mac ]) is stupid, when you have users that just install anything.
well my friends any real hacker outhere will tell you that windows security is a joke really, and what makes it even worse is the simple fact that a windows user can't delete the the fuel to it all, Internet explorer, you could disable parts of it but you can't take it out and have windows worked normally. OS X its not perfect but when it gets to viruses and hidden worms they just can't do anything but to sit there and wait for a mac to come in contact with a windows machine and attack it
In any case, the government does lock their computers/servers down pretty good. they're not the run of the mill home user running kazaa and AIM. have you seen the NSA documents on securing an OS? it's some serious stuff.
http://www.nsa.gov/snac/downloads_all.cfm
Aren't the comments getting slightly off topic, from topics about the army to your typical household computer vulnerability?
However, from my point of view, both operating systems are still vulnerable. Whether the percentage of viruses in a Windows is higher than a Mac, or not, it doesn't mean that you won't get a virus on your Mac.
So when it comes down to it, I think that what is most important is for users to simply be cautious with what they do, and have sufficient, updated anti-virus on their computers. With a rational mindset whilst using the computers, and judgment of what websites/downloads to get, and the ability to quickly conquer whatever bad comes at their way, I think that everyone can stay safe.
Why dont they just go to solaris if they want to be safe
Trusted Solaris is in heavy use where appropriate. The article is discussing unclassified networks.
Seems only reasonable that the percentage of Macs in regular society should reflect in the army.
If a mac user enlist he should not be forced into going windows I think.
As for linux, I'm sure they use that already.
And remember: better macs than computers running vista, and I fear MS will trick them into putting that on their systems :o
Nevertheless, I don't want a mac, thanks.
Well, Imo. in the short term, the macs would mean that if the Windows systems go down the OSX systems will still be running.. which is good.
But in the long run, I cant help feeling that it might spur someone to start creating mac based exploits.
The comments about security are always funny. I can't help but laugh at stuff like 'you can't delete the fuel to everything: internet explorer (snitch)"... oooh ooh i know! How about trying a different browser like... err.. firefox? Like carbonize and several others, I am OS independent.. it comes down to taste ultimately, but there /is/ an objective rating system that one can apply to computers. Personally i run duel boot with windows and fc 7. Personally I think windows is a better user-based computer. However, I doubt anything beats a linux/unix based server. Thats the catch 22 in all of this, macs are obviously unix based so that does make xserver a good option.. however, if I was the army (more than the army of one), I would say to myself.. 'what is linux/unix based, gives me /complete/ control over security and allows me to obfuscate my presence (e.g. completely reduce/eliminate 99% of the script kiddie exploits out there), and costs me the lowest amount of money?' Again, I think I may know this answer.. linux? Doesn't it come with full source code? Doesn't it cost 0 dollars/euros/pounds (however i think $0==20 pesos). Now while I realize money may not be the issue at hand, I would rather allocate resources in favor of the people. Kevin Mitnick could make windows 3.1 more secure than my idiot neighbor running OSX. Wouldn't the ultimate answer to this whole equation be: design an army-linux flavor (milux? military-linux/unix) in-house? Theres nothing worse than depending on a company to issue bug fixes for an OS that has the source code locked away. Get a couple bright people on ground zero to take equipment down, make fixes, and then you have what essentially becomes a living OS. While true A.I. is off in the distance, humans offer the ultimate ability to conform to new situations and make an O.S. close to impossible to break (yes, i said close.. not completely).
Reason why military intelligence is an oxymoron, "But the attacks used against them are designed for Windows-based machines, so they shrug them off."
How long before hackers switch their tactics after this proclamation.
LOL do they even realize that OSX doesint need drivers for the CAC card cuz I just pluged mine it and it worked without any middlewhere it was awsome!
maybe there talking about a cliant that can switch and edit the profiles inside the chips witch the windows softwhere they are useing does. (ActiveCliant)
That's exactly what they are using. (ActiveClient) Just plugging in a CAC card into a computer without it won't get you anywhere.
You can tell Evan's from the Army, just look at his spelling =^_^=
@Dustoman:
Get as CCID-compliant card reader (any of the newer SCM readers like the SCR3310 or 3311), plug it in, insert your CAC, launch Keychain Access and click Show Keychains. You'll see your CAC show up in the keychain. You can now use it with Safari.
At our local recruiting station, it is ALL Dells. Down to the last keyboard, printer and laptop, everything in that office is a Dell.
As it should be, from looking at the choices I have on brands of computers that are available to the Army. Dell is the only brand I want to work it because of the support I get.
Obviously its possible to create an exploit for the Mac, but the Windows fanboys are hilarious. They all hate OS X so much, you'd think just one of them would have been able to create a Mac exploit in the past 6+ years of whining about how terrible Macs are. They'd be a hero in their own sad little club.
Meanwhile, they remain unable to explain why NOBODY I know using OS X runs any kind of antivirus or third-party security software, and yet we have zero problems. They just keep saying "but there are hacks out there in the wild, I promise!!!!"
Of course, the Army making a big deal out of this move, and the increasing userbase means it will become a more and more attractive target. It'll be a sad day when I have to start wasting computing cycles on security software on my Macs.
In any event, 5+ years of never having to deal with the nightmare security/spyware/virus world of Windows is priceless, here's to as many more as we can manage....
Probably a result of buying the Mac. But then again, I knew Windows was a pain in the ass before I had ever used anything else, and I also knew it was a pain in the ass when I switched to Linux. The difference was, I didn't realize how powerful and polished an OS could be until that fateful day in '02 when I bought my first Mac.
I'll have to get back to you on the homosexuality, though. Lance needs my help in the other room.
reid.. funny retort. I do like mac os. I think the way it works is beautiful (i like beryl a /lot/ more, but that is just me). I just hate the cultures that come along with mac/windows/linux.. each one thumbs their nose at the other one.. Lets face facts, each one is driven by silicoln, copper, lead, and little light switches. From there it is a matter of which one offers the most benefit for the user (most often based on a price/performance/demand scale). Windows just so happens to have a cheap, reliable, and very available base of products that is used throughout the world. I love open office, but i have to face the facts that open office has to (at the core) support most microsoft office product formats.
Hmmm I've been on Windows for 8 years now and never had a virus nor any spyware. Guess it's not only Mac's that can be run without the need for an anti virus or third party security app. The only third party app I find Windows needs is common sense but that applies to all operating systems.
I love how most Mac users think their system is ultra secure because their are no serious viruses/worms/exploits known for it. But, as I stated earlier, this is because the people who look for exploits and write worms/viruses want publicity and you get this by attacking the the largest userbase. What's the point in writing a worm for the Mac when only 1 in every 100 IPs it connects to are Macs if that. This is not a slight on the Mac but a statement of how things are and the mentality of the script kiddies out there.
@Liam09 - Hopefully the .doc domination is coming to an end. The Dutch government is switching to Open Office and has said all documents must now be saved in the open source document format.
Carbonize,
I agree that I've never had spyware on my Windows machines, though it is nice to be able to browse less-than-upstanding content (wink) without worrying about what might happen if you click on X link. You are exaggerating by saying 1 in 100 IPs though. I'd say its more like 5 in 100 IPs which is not insignificant, especially in the world of the hacking underground, where fame, if not fortune, comes from doing something nobody else can do. You must admit that major notoriety would be bestowed upon the first dude who released a terribly destructive worm upon the Mac community.
Then again, I think we all wonder why the worms and viruses that are out there aren't more destructive. If you can program a Melissa, what's to prevent you from programming something that would propagate to an entire addressbook (like Melissa does), then trash the entire system 30 minutes later? Yeah, there's much more to be gained from running a botnet than from destroying many systems, but so many malware authors care more about being famous than about making money on the Russian botnet market :)
I, too, read the bit about the Dutch government switching to OpenOffice and PDF and it is very encouraging. I am happy to see any major government wake up and switch to open formats. Avoiding vendor lock-in of any sort is important when tax dollars are stake, and I am not one to say that Apple's any better than Microsoft in this regard. Just because I happen to think that Apple's vendor lock-in is better than Microsoft's, does not mean that we're not better off in the long run without either. I am fortunate enough (!) to get MS Office for $20 for home usage so I run it on my Macs out of simplicity's sake rather than running OOO. I have not used another Office suite since StarOffice 5 or 6 years ago under Linux. I'll have to take another look. .docx must die, I hate how the default documents in 2007 are unreadable under 2004. Grr.
Wow intelligent debate on Engadget. Who would ever of thought it. Specially in this thread given some of the previous comments.
I'm not sure about for Mac but I did read the MS has released a patch that lets you view and save 2007 docs in older versions of office although I believe the saving was dodgy.
ALL HAIL OPEN OFFICE.
Back to the debate. Yup you're right. Most of the nasty things out there are not programmed to be destructive but instead to silently infect your system so it can be used to post spam on forums/blogs or to send spam emails. Thing is because these things are done silently it's hard to know they even exist so it's quite possible there are infected Macs out there.
Opera used to go on about how it was superior and more secure than the other browsers and that it had no known exploits but a look at the current changelog shows that's gone out the window. Exploits exist in most software and the bigger the program the more chance of finding one. Operating systems being the biggest program you can get (yeah ok they aer not technically programs). But at the same time the more popular a program the more likely someone will try and find exploits in it.
Going back to the late 80s & early 90s- PCs were cheaper than macs, and you could build your own, so even if you couldn't afford a MAC or PC, at least you could start piece-mealing them together. So you had more hackers on PCS than MACs. Then came the fall of the wall.
Most former east-block (communist) programmers, couldn't find jobs that paid them well, and they worked on older OSs and such. Many of them turned to work where they were paid at least somewhat decent and immigrated, while others began working for small Russian mafiya outfits. Trying to buy a MAC was impossible over there, especially for the prices. Many used discarded pieces and built their own- PCs. Result- more PC hackers.
Don't go thinking you're safe though. Today there are viruses for the MAC- I've had to help repair many MACs that had been damaged by exploits and viruses- and each of them claimed there were no viruses for the MAC. To each I've said "whatever" and continued working on their machine.
------------------------------------------------------------------------------------------------------
Really? what Virus are you speaking of? Which OS version?
The whole MAC vs PC thing used to really be:
MAC vs Intel (because they would argue over performance and speed, even though since the mid 90s if you spent the same amount on a PC as you did on a MAC, the PC often won)
So did the Mac. It has always gone back & forth.
However, as we all know- Apple lost that war, and now they use Intel Inside. :) But the Apple fan bois don't like to lose, so now it's:
MAC OS vs Microsoft Windows- which is a matter of taste, so there is no winner. However price/performance wise- PCs still come out on top, and all the latest benchmark figures show that
--------------------------------------------------------------------------------------------
Wrong again. Unless of course you build your own (less expensive). Seriously, I think you are just making shit up.
As for security- the basic built in MAC security blows- pure and simple. Regardless of if there are less people who know how to/bother to pick the lock- it's still a crappy lock.
---------------------------------------------
Now you're really just making shit up....please explain oh wise one. Unix has been around for thirty years. That's what OSX is.
The underlying code is open. How exactly is there a crappy lock on OSX? Please explain. Maybe you got confused & wanted to say windows.
Nothings perfect OSX is not invulnerable....but you are just talking out of your ass. Maybe you're a MS waterboy?
You will find that if you want to actually have a go at someone it helps if you click the reply button on either their post or the post that started the thread they are commenting in.
As to your last comment. Building a sandcastle on concrete foundations would not make the sandcastle secure. In most operating systems it's not the core that is exploitable but the outer lying stuff such as the file manager, the programs such as media players and pretty much anything that connects to the net.
Sorry about the location of the post...Maybe you ( or the person I was actually was responding to) could explain exactly what the problems are.
Right now all I hear is theory & conjecture. Like I said nothings perfect but, that's a far cry from making the hyperbolic statements that the original post made.
You have done nothing to clear them up. Like I said he is just making things up. A virus on OSX (maybe someday, of course) but show me an actual in the wild virus. There were maybe 50 Viruses in existence for the classic Mac OS & most of them had to be transfered by floppy & were dead years ago. His statements on the security of the OS are absurd & he has nothing to back them up.
I do agree that much of the debate is conjecture, but then again, how many posters here actually know /anything/ more than theory about hacking. How many people actually have successfully owned a box, or a service, much less root?
People like joem can think they know what they are talking about, but in the end, all they know is a topical amount of information about hardware and security. How many have actually (and successfully) pulled off a man in the middle attack? The reason why I am even asking these questions is because of the fact that debating security in a forum like this, is like debating politics on a blogging site. Everyone is a pro at political science, siting amazingly accurate sources like wikipedia (sighh..). The point of this forum is to discuss the military's move to xserver and more mac based products... is it a good move? In my opinion.. sure. But then again just get Unix, modify it to the nsa standards, put the massive amount of money you saved towards competent personnel, and you have yourself a pretty impenetrable server farm.
I don't have to site /any/ source for virus infected macs. What is the point of a virus or trojan? Why are most of them considered exploits? Because it is a way for other people (most of the time) to exploit something from someone else (bandwidth, aggregate DoS attacks, remote zombies etc..) I own macs all the time; they are by /far/ the easiest targets mostly because of their users. While i am not sitting their stealing credit card numbers, I am proving that viruses or trojans are almost irrelevant. If macs are so amazing, why is there a website called macfixitforums.com?.. Curtisoy of 'the best page in the universe', maddox sites one thing pc users can do that mac users can't... 'shut the fuck up'. Its an OS; if it were superior to everything else then what does that make unix?
My favorite thing in the whole world, is when large corporations take free ideas, labor, and theory; bundle it up into their own 'product', create a pompous niche in the market, and then urinate into that niche until it is filled with cry baby know-it alls that thumb their nose at the rest of the lowly OS world. We bow down to you all mighty mac user.
Well you had me at the beginning then it turned into some irrational name calling episode. If you check the posts here you will find that it is usually the comments are just as negative, usually more so from windows users. Is the Mac less secure than Windows? Are you saying that the typical Windows user is better at securing their systems? Most people have lives to lead. They are not security experts on either side. PC users that shut the fuck up? Since when. Both communities are a mixed bag. Except most PC users have never used a Mac for any long period of time. That's fine...I could care less. Again read the posts or any other story on the net that is a positive story about Apple. See where the negative comments start. Like I said nothing is perfect. What denotes the quality of a product is the amount of imperfections. Read your own comments:
"My favorite thing in the whole world, is when large corporations take free ideas, labor, and theory; bundle it up into their own 'product', create a pompous niche in the market, and then urinate into that niche until it is filled with cry baby know-it alls that thumb their nose at the rest of the lowly OS world. We bow down to you all mighty mac user."
Ah...Okay.
BTW.. Everyone should read this. It is in the spirit of this whole debate.. By far the best web site out there:
http://www.thebestpageintheuniverse.net/c.cgi?u=macs_cant
OSX is the best OS now because it drives tanks.
No.1 baby, OSX.
Will the army be able to play Doom now?
Oh, please, please! I am so sick of working with/against/around Microsoft. They obsess about security to the point where we can't even change our own computer settings, yet they use software that has holes an elephant can walk through. So blind.
It's grammar nazi time! Some of you have been referring to Macs as MACs. Here's why that is wrong:
1. MAC is an acronym for Media Access Control.
2. Mac is a proper name, which is a noun. It's an abbreviation of Macintosh.
Slow the destruction of the English language by learning the difference between an acronym and a proper name, and we will all be better for it.
Carry on.