Wiring the Whitehouse
January 23, 2009 9:16 AM

If you're wondering why whitehouse.gov hasn't been updated since Wednesday, it's because they're still working on bringing the Whitehouse into 2009 technologically. Will it have WiFi? Hopefully they can catch up quickly to what they were used to during the campaign.
posted by yoga (82 comments total) 4 users marked this as a favorite
 
Should the White House have wifi? Nothing says security like only a wired network.

OTOH, at EMC, we had wifi access only to the VPN gateway secured with RSA SecurId tokens.
posted by fatbird at 9:21 AM on January 23, 2009


The incoming President(ial staff) doesn't know anything about the infrastructure of the WH until after they move in? Seems like a major national security risk, to me.
posted by DU at 9:23 AM on January 23, 2009


Well, first they have to remove all the tubes which Ted Stevens insisted should run all over the place...
posted by Spatch at 9:26 AM on January 23, 2009 [1 favorite]


If there was ever a team to handle the Whitehouse refit to teh computer age, we've got it now.
posted by buzzman at 9:33 AM on January 23, 2009 [2 favorites]


If you're wondering why whitehouse.gov hasn't been updated since Wednesday

Um, no.
posted by ZenMasterThis at 9:33 AM on January 23, 2009 [1 favorite]


As good as the new Whitehouse site is, there's no mobile version, or even an iPhone version.

Yet, I guess.
posted by tapeguy at 9:33 AM on January 23, 2009


So, is anyone from Blue State Digital working for the White House now? I know they made it very clear that they didn't want to work for the government as a company, but I figured Obama would try to shark some of them.
posted by roll truck roll at 9:34 AM on January 23, 2009


Within hours of the "White House is in the stone age" story coming out, the right wing had a response. White House Already Well Wired, Bush Staffers Say.
The White House has everything a modern corporate office would — Windows XP, BlackBerrys, Outlook e-mail, plenty of laptops and lots of flatscreen monitors and TVs.
flatscreen monitors.. it's like The Future!
posted by Nelson at 9:39 AM on January 23, 2009


If you're wondering why whitehouse.gov hasn't been updated since Wednesday

Thanks, I actually was, just a few minutes ago.
posted by moss at 9:39 AM on January 23, 2009


Should the White House have wifi? Nothing says security like only a wired network.

Well, it should have a couple. One for reporters and other visitors. Another for just the President and his family to use from bed. There's no need for those to have privileged access to things like file servers and intranets, though.

I've had enough of Presidents out of touch with the news, so let the man surf in bed, is all I'm saying.
posted by rokusan at 9:40 AM on January 23, 2009 [3 favorites]


The White House website needs to get in line behind Perry Bible Fellowship, which hasn't been updated since early 2008.
posted by DU at 9:43 AM on January 23, 2009 [6 favorites]


...disconnected phone lines, outdated computers running old software, a lack of centralized information, and security regulations that are designed to protect, but strangle usage of the most modern technology.... Obama's team was a Mac shop; they arrived in the White House to find six-year-old Windows PCs and a mess of disconnected land-line phones. (Windows! The horror!)

That is just a pitch perfect memento left over from Mr. CEO President himself.

"Nobody ever lost an election by choosing Microsoft!"
posted by rokusan at 9:44 AM on January 23, 2009


I continue to be astounded by what corporate America thinks is the modern world. We're still using faxes while people in Japan are probably beaming documents to each other's brains with their phones.
posted by tinatiga at 9:45 AM on January 23, 2009 [9 favorites]


The Whitehouse sounds like where I work. So while I have some sympathy for them, it might do them some good to see what it's like for most of us lucky enough to still have jobs.
posted by tommasz at 9:46 AM on January 23, 2009 [1 favorite]


Did Perry Bible Fellowship steal those red curtains from Baz Luhrmann or David Lynch? (And for bonus points, which would be more frightening?)
posted by rokusan at 9:46 AM on January 23, 2009


We're still using faxes...

What's your ratio of junk-mail-fax to actual work-related fax? Mine is about 140:1.
posted by rokusan at 9:47 AM on January 23, 2009


As good as the new Whitehouse site is, there's no mobile version, or even an iPhone version.

WTF, are we back to WAP now? The entire point of a mobile browser based on the same codebase as a desktop browser is so that you DO NOT NEED A MOBILE SPECIFIC VERSION.

Gah, do you only eat gruel through a straw as well? iFood!
posted by GuyZero at 9:49 AM on January 23, 2009 [5 favorites]


On a tiny tangent, and in the hopes of NOT having sixteen Obama threads today, how awesome is this for first-week-in-power news: Obama to reverse abortion policy.

Bush must have left some notes on "how to spend political capital" in that #44 folder.
posted by rokusan at 9:55 AM on January 23, 2009 [1 favorite]


It is worth pointing out that the way that Obama is used to working is pretty damn insecure. Security is inconvenient, and extremely difficult to do properly. Many applications blur the distinction between data and code, and Microsoft's own apps are some of the worst in that regard. When a word processing document can format your hard drive, that's a problem. When it can read data off your drive and phone home to China, that's a disaster.

Tradeoffs for usability that we ordinary mortals are willing to make are things that you just can't do at the White House; if ever there was a high-value target, that's it. There are a lot of very bad people and organizations in the world that would LOVE to have a virus running on the White House computers. They're extremely well-funded, and extremely intelligent. They can fund entire teams of people trying to crack just one machine. Getting just one trojan into that system could be worth tens of billions in economic value.

Computing in the White House isn't like anywhere else, and what they're running may be old and outdated, but it's probably pretty sewed up pretty damn tight. The first and foremost function of White House computing: it has to be trusted. And this is more important than the latest whizbang feel-good fun toys that Apple ships.

The writer here likes to paint the government as being hopelessly behind the times, but the reporter has probably never had entire tiger teams in China trying to crack his network. Every day. All day. 24x7x365.

Most of you have probably seen a virus outbreak at work, and how much scrambling and pain that causes. Think for a minute just how bad that could be if it were specifically targeted at the White House network.

THAT is why the White House is using old stuff. It's not stupidity. It's not incompetence. It's having to deal with a threat level that most of us will never see.
posted by Malor at 9:57 AM on January 23, 2009 [20 favorites]


From the 'bush staffers' article: "It was weird to come back into the private sector," said Almacy, "because I was still writing one-word e-mails — 'yup,' 'sounds good,' 'let's talk.' Finally I realized that I no longer had to worry about it all becoming matter of public record."

What I find most irritating about this is the built-in assumption that of course they're trying as much as possible to keep things hidden from the public record. The mindset of secrecy is so ingrained in these guys that they can't even see it's there anymore.
posted by ook at 10:01 AM on January 23, 2009 [11 favorites]


If you're wondering why whitehouse.gov hasn't been updated since Wednesday

The Executive Orders (and Memos) page has been kept up to date. But they aren't updating the blog, which kind of defeats the point of having one.

One notable thing that I can't find is the press briefings. Not even a link to where they would be posted. The old whitehouse.gov always had the live video, and the transcripts were posted very quickly. Bush +1.

(As a side note, I wonder if there are wonky complications with the government using YouTube. Could one of their competitors complain that YouTube is being favored, without any of the proper government contract protocols being followed? Does it matter that it is free? But really the value is to Youtube, giving them more traffic, so is it really free?)
posted by smackfu at 10:09 AM on January 23, 2009 [1 favorite]


THAT is why the White House is using old stuff. It's not stupidity. It's not incompetence. It's having to deal with a threat level that most of us will never see.

Unless Microsoft is giving the White House a special same-day patch deal that they aren't giving their regular consumers, I think it's safe to say that a switch from XP to OS X is favorable from a security standpoint.
posted by explosion at 10:27 AM on January 23, 2009 [3 favorites]


(As a side note, I wonder if there are wonky complications with the government using YouTube. Could one of their competitors complain that YouTube is being favored, without any of the proper government contract protocols being followed? Does it matter that it is free? But really the value is to Youtube, giving them more traffic, so is it really free?)

Well, seeing as Works of the US Government aren't entitled to domestic copyright protection, there's nothing stopping anyone else from grabbing the videos and posting them on other video sites.

Not that your main point doesn't still stand - However, when the videos are freely available for the taking, I'd think there wouldn't be much of a reason for a given video host to complain.
posted by god hates math at 10:29 AM on January 23, 2009


THAT is why the White House is using old stuff. It's not stupidity. It's not incompetence. It's having to deal with a threat level that most of us will never see.

You might want to check that with any of the other high value targets around the world that aren't still running Office 2000. Pentagon, DIA, NSA... Buckingham Palace... I don't care where. Point is it can be done, and I think Obama the pragmatist is very much all about re-using perfectly good wheels despite where they come from.

I think it's far more likely to suggest that the archaic WH tech is not a result of security prescriptions, but rather a lack of concern. The whole point of the Bush Whitehouse was to AVOID communicating. Why keep up with the rest of the world when you are actively trying to shut them out?
posted by butterstick at 10:34 AM on January 23, 2009 [1 favorite]


malor:
I wouldn't trust XP with securing my underwear drawer. There are ways to do this, and do it right. Most major corporations have and continue to do this right. There is no reason the president of the united states can't kick it like the CEO of Super Megacorp with blackberries and wifi, and all that.

also: freebsd is not feelgood whizbang. It's what most banks run.
posted by Freen at 10:35 AM on January 23, 2009


IT people never want to update anything because it would force them to learn something new. It's not about security. I'm sure the IT guys at the White House spent the entirety of the Bush years telling people to restart their computers, and were very happy with those jobs.
posted by Astro Zombie at 10:37 AM on January 23, 2009


> And this is more important than the latest whizbang feel-good fun toys that Apple ships.

Just to point out, it isn't a case of old machines are more secure than new ones. Apple has released a guide to secure their machines to NSA / CERT standards.

While not saying they should throw out their systems, it is not that hard to integrate new clients into a secure network. A good network and firewall infrastructure will allow one to add new systems with it in due time (as in they should already know by now how to secure and integrate a non windows XP machine).

I think this is more of the fact that the prior administration didn't care about doing more with what they had, besides being able to access outside email servers, and route around the internal systems, which unless they carried two laptops to work, means that they were using those supposed 'hardened secure systems' to read outside email. Which defeats the entire purpose of all those security steps, because now you have an unmonitored vector someone could exploit. Since this continued for so long without anyone stopping it, or noticing it, one can go to two assumptions:

1) They did this under the radar without their own security team's knowledge. Which makes the security team's abilities suspect.
2) They did so with the approval of the security team, which means that said team had violated their own policy for political purposes and their abilities are still suspect for not realizing how dangerous that was to do.

In either case, it leaves one with little confidence in the existing IT team. Now they may have been severely curtailed and limited in what they could do by past administration to actually update and secure the systems, but also means anyone who was actually good at their job had probably long since left in disgust. Like most other offices under Bush, there was a brain drain where the folks who could get out did. The system may have been set up by the best and brightest, but I assure you, the folks who survived 8 years under Bush probably aren't.
posted by mrzarquon at 10:38 AM on January 23, 2009 [2 favorites]


First on the tech to-do list: Uninstall Jesux.
posted by Kirklander at 10:40 AM on January 23, 2009


So, there's a reference to the Queen's techno-savvy and wiring Buckingham Palace - anyone have any details? I'd love to think of the Queen as sneaking off to check her email.
posted by grapefruitmoon at 10:45 AM on January 23, 2009


And by secure network I mean 802.1x, RSA ID, crypt card network access, secure vlan, asset tracking, mac authentication, etc. Not "we have a windows group policy to keep people from installing spyware."
posted by mrzarquon at 10:46 AM on January 23, 2009 [1 favorite]


I don't think anyone here knows the specifics of the Bush Whitehouse IT setup. From what I've read of the email controversy a little while back, it's pretty modern. All anti-MS whining aside, I imagine it's pretty secure as the WH can simply call up the best NSA people and be done with it. I wouldn't be surprised if the big issue is all the young corporate types getting their first job in a secure government position and seeing that the security officers just won't let you connect to exchange with your iphone's connector or let you plug in that USB drive.

For instance the issue with the blackberry is an interesting one. Is all their BES traffic going through Waterloo? Is 256-bit AES enough to protect the president's communications from key cracking server farms in China, Europe, Russia? How much do we know about foreign intelligence services' ability to compromise BB traffic? Are there flaws with the implementation?

I don't know the answer to these questions, but someone in the government is working on this. It must really be an interesting time in federal IT and NSA right now. I hope they release some of their findings to the public so we can all benefit.


IT people never want to update anything because it would force them to learn something new.


That's an ugly and ignorant stereotype.
posted by damn dirty ape at 10:50 AM on January 23, 2009 [2 favorites]


Unless Microsoft is giving the White House a special same-day patch deal that they aren't giving their regular consumers, I think it's safe to say that a switch from XP to OS X is favorable from a security standpoint.

Government and big corps have the full source to the OS and perform their own auditing and sometimes roll their own patches. They remove or add whatever they want and all use custom distros. It's a bit more complex than "DUDE SWITCH TO APPLE ITS KEWL!"
posted by damn dirty ape at 10:52 AM on January 23, 2009 [1 favorite]


That's an ugly and ignorant stereotype.

Not ALL IT people. Some IT people. The ones I work with.
posted by Astro Zombie at 10:54 AM on January 23, 2009 [1 favorite]


Oh, and RIM has shown itself to be an untrustworthy partner and willing to give up whatever keys it controls. This makes the BB issue much more thorny. Not to mention it's Canadian owned and resistant to the demands of the US government. I trust them less than I trust MS, and I don't really trust MS.
posted by damn dirty ape at 10:58 AM on January 23, 2009


IT people never want to update anything because it would force them to learn something new.

I'm sure that was only intended to include IT people who primarily choose Windows.
posted by Chuckles at 11:04 AM on January 23, 2009


(As a side note, I wonder if there are wonky complications with the government using YouTube. Could one of their competitors complain that YouTube is being favored, without any of the proper government contract protocols being followed? Does it matter that it is free? But really the value is to Youtube, giving them more traffic, so is it really free?)

There was a (blown out of proportion) slashdot article in the past few days touching on youtube a bit. Apparently the embedded youtube videos set tracking cookies, which legally the government isn't allowed to do. So the administration waived some rule or something to allow those cookies, so that they could continue to use youtube.
posted by inigo2 at 11:06 AM on January 23, 2009


IT people never want to update anything because it would force them to learn something new.
That's an ugly and ignorant stereotype.


Also about 92% accurate, at least in my experience working with about 300 IT people over the years. Generally, the bigger the company, the more likely they fear change.

It's a stereotype that good IT people should be fighting.
posted by rokusan at 11:06 AM on January 23, 2009 [1 favorite]


what they're running may be old and outdated, but it's probably pretty sewed up pretty damn tight.

Right. They can't even find their email.

The first and foremost function of White House computing: it has to be trusted. And this is more important than the latest whizbang feel-good fun toys that Apple ships.

Uh, no. OSX is a BSD variant and it's had the shit audited out of it by the best minds in the industry, for years. There's no OS that is more hardenable. Windows is a hideous barge of kludge that even their own people don't understand.

If I had to secure OSX for the White House there is a vast amount of expertise available to tap, and with Al Gore on the board don't tell me Apple wouldn't send a few people as well. If I had to secure Windows for the White House I'd just commit suicide then and there to save time.
posted by George_Spiggott at 11:09 AM on January 23, 2009 [1 favorite]


When a word processing document can format your hard drive, that's a problem. When it can read data off your drive and phone home to China, that's a disaster.

As has been widely reported, China hacked the President's White House e-mail years ago. Summary here.
posted by rokusan at 11:09 AM on January 23, 2009 [1 favorite]


RIM has shown itself to be an untrustworthy partner...

wha? Untrustworthy because they obey the rule of law in countries where they operate? Would you prefer they flaunt the law and tell the governments of the world to get stuffed? Pretty unlikely and frankly, a lot worse.
posted by GuyZero at 11:13 AM on January 23, 2009


damn dirty ape, the first hit on that search says RIM is not cooperating with the Indian government's intention to spy internally, and the comment there suggests that they've designed the system in such a way that they couldn't cooperate even if they wanted to?!?!
posted by Chuckles at 11:14 AM on January 23, 2009


Also about 92% accurate, at least in my experience working with about 300 IT people over the years. Generally, the bigger the company, the more likely they fear change.

And I think Obama has proven himself exceptionally good at managing change, which is really what this comes down to. In IT in particular, change brings with it very real COST, which is often hard to quantify as you try to weigh it against its benefit. That's where the fear of change comes from. Mix in a couple of changes implemented by inexperienced techs and you breed a sort of permanent gun-shyness about IT.

So yes, good techs can change successfully, but they usually need to prove that over time to the fearful ones. Obama is probably calming down a hyperventilating IT manager at the White House with one hand while dialing the director at NSA with the other.
posted by butterstick at 11:16 AM on January 23, 2009


I have it on good authority that, up until Tuesday, 30 percent of the hits on this site came from the White House.
posted by Astro Zombie at 11:19 AM on January 23, 2009 [1 favorite]


Generally, the bigger the company, the more likely they fear change.

More like the bigger the company, the more disruptive the effects of ill-thought out change can be, and the IT guys know this. There are plenty of bad IT guys but you want the ones who'll push back when asked to do trendy, pointless, disruptive things by managers who don't know what they're talking about. You don't want to be a user on a large, complex network that's run by people who aren't both careful and conservative.
posted by George_Spiggott at 11:23 AM on January 23, 2009 [4 favorites]


I'd fear change too if it caused my help desk volume to go up by 50% and meant I had to work all weekend.
posted by smackfu at 11:26 AM on January 23, 2009


Not ALL IT people. Some IT people

I don't hate all you INSERT_MINORITY, you is one of the good ones!

Also about 92% accurate, at least in my experience working with about 300 IT people over the years. Generally, the bigger the company, the more likely they fear change.

Without going in specifics that's a meaningless whine. You don't want your IT director to be some brand zealot or a "we need the newest greatest right now" kind of person. I've worked under both and they're both terrible. Stability trumps all, as it should. End users see this as "incompetent IT" but that's okay cause they're able to sit down and do work.
posted by damn dirty ape at 11:30 AM on January 23, 2009 [1 favorite]


Oh, come on. IT people aren't a despised minority. Jesus Christ, what's the matter with you?
posted by Astro Zombie at 11:40 AM on January 23, 2009 [1 favorite]


Unless Microsoft is giving the White House a special same-day patch deal that they aren't giving their regular consumers, I think it's safe to say that a switch from XP to OS X is favorable from a security standpoint.

What makes you think they're not?

I wouldn't trust XP with securing my underwear drawer. There are ways to do this, and do it right. Most major corporations have and continue to do this right. There is no reason the president of the united states can't kick it like the CEO of Super Megacorp with blackberries and wifi, and all that.

Ugh, that's ridiculous. Those blackberry emails go across international borders (to Canada, where RIM is) totally unencrypted, through 3rd party servers. "Most Major corporations" are not actively involved in wars and dealing with intelligence on other countries. Do you think the NSA would have much trouble getting at Mr Megacorp CEO's blackberry? So what about the Chinese equivalent of the NSA?

Most people have no idea how vulnerable stuff is. Both the Obama and McCain campaigns had their machines hacked by some foreign government. Rocking the "quick and dirty CEO Style" has already gotten them hacked. It would get them hacked again if they did things the same way.

If you think some thrown together ruby on rails app or quick and dirty network or 3rd party email system is going to be secure against foreign governments you're just an idiot. There is a huge difference between secure against viruses or browser exploits and being secure against individual hackers targeting a network.
posted by delmoi at 11:41 AM on January 23, 2009 [3 favorites]


Will it have WiFi?

I hope not. Wireless networking is great for a cafe or a home but it simply does not belong in an environment that needs security like the White House.
posted by cmonkey at 11:43 AM on January 23, 2009 [1 favorite]


words hurt astrozombie that is why we deleted your email account

no more words

no more hurt

:(
posted by boo_radley at 11:46 AM on January 23, 2009 [1 favorite]


End users see this as "incompetent IT" but that's okay cause they're able to sit down and do work.

No, people say "incompetent IT" because they can't get their work done.
posted by Brandon Blatcher at 11:47 AM on January 23, 2009 [1 favorite]


explosion: Unless Microsoft is giving the White House a special same-day patch deal that they aren't giving their regular consumers, I think it's safe to say that a switch from XP to OS X is favorable from a security standpoint.

Uh, no. OS X is not as widely exploited, which is not at all the same as security. It doesn't pay very well to make OS X trojans, so bad guys don't generally bother. That does not mean OSX is inherently more secure on its own merits.

If enemies know that White House staff are running OS X, they can create custom attack vectors just for that OS. In the case of a target of that value, there is no benefit to a non-mainstream OS, unless it's so far out of the mainstream that there's no knowledge about it at all. In fact, it can be argued that a partially open-source system may be somewhat less secure in that environment. The Unix security model, though relatively simple, is quite strong, but most of the code is available for inspection. Even though it probably has fewer, possibly far fewer, bugs, truly determined attackers are likely to be able to find a much greater percentage.

Plus, many of the underpinnings of OS X were written in the NeXT days, when security was pretty much an afterthought. There were some truly mind-bogglingly stupid security decisions in early versions of OS X, and it's not likely that they've gotten everything yet. Retrofitting security is a lot like trying to use scotch tape to make cheesecloth waterproof. Eventually, it can be done, but it's slow, awkward, and leaks like hell for a long time.

Remember: people aren't going after you specifically, they're going after you as a member of a larger group, "Internet users". The threat model for anonymous internet users is entirely different than the threat model for the White House. Enemy teams are going to know everything about many of the individual staffers, in some cases even more than OUR government knows. This means they can craft specific attacks aimed at specific people. This is called "spear phishing", and it's a hell of a lot more effective than the normal sort.

Obviously, I don't know that they've actually done this yet, but they could, and it should therefore be thought about and mitigated ahead of time.

freen: There is no reason the president of the united states can't kick it like the CEO of Super Megacorp with blackberries and wifi, and all that.

Different threat model. If a corporate network gets hacked, people lose money. If the White House gets hacked, people can die. Possibly a great number of people, depending on how bad the penetration is. When the cost of failure can be so extraordinary, even a small chance of failure is difficult to accept.

mrzarquon: Now they may have been severely curtailed and limited in what they could do by past administration to actually update and secure the systems, but also means anyone who was actually good at their job had probably long since left in disgust.

That's a series of excellent points, which I hadn't considered. They might have air-gapped it, which would be better than nothing, but overall, the fact that outside email was being used means that security was probably pretty bad. That's rather frightening, actually. And you're probably right that anyone good would have bailed. But the good practices are likely to still be KNOWN, even if they aren't understood very well by those who stayed.

George_Spiggott: Uh, no. OSX is a BSD variant and it's had the shit audited out of it by the best minds in the industry, for years. There's no OS that is more hardenable. Windows is a hideous barge of kludge that even their own people don't understand.

True of FreeBSD, but remember that Apple has a whole layer of stuff on top of that, a lot of which was brought over from NeXT. When I was digging around in OS X, back around 10.1 or 10.2, the stupid security decisions were everywhere. Just as an example, the 'nidump' utility, running as the nobody user, would happily spit out every encrypted password on the system. This is exactly equivalent to world-readable /etc/passwd, which is, um... suboptimal.

I don't think they're using that anymore, but I guarantee there's more cruft left over in that OS that you wouldn't see in FreeBSD. And Apple may claim that it's NSA hardened, but they ship an awful lot of security patches every few months.

Also note that there are multiple NSA security specs, and meeting the lowest of those is not very difficult. NT, 2K and XP were all rated to the C2 security level.
posted by Malor at 12:20 PM on January 23, 2009 [3 favorites]


...turns out my browser was just showing me its cached copy of the Executive Orders page from Wednesday, and they have actually added the ones that he's made since then.
posted by moss at 12:26 PM on January 23, 2009


OS X has been out eight years. If its security is as bad as Windows, then we would have seen millions of zombie OS X boxes out there, as we do with Windows. Since we don't, since we're not in the "is Applez bankruptz yet?!" days anymore, we can infer that OS X is relatively secure.
posted by Blazecock Pileon at 12:27 PM on January 23, 2009


"Most Major corporations" are not actively involved in wars and dealing with intelligence on other countries.

KEEP TELLING YERSELF THAT SHEEPLE
posted by ROU_Xenophobe at 12:27 PM on January 23, 2009 [3 favorites]


> I don't think they're using that anymore, but I guarantee there's more cruft left over in that OS that you wouldn't see in FreeBSD. And Apple may claim that it's NSA hardened, but they ship an awful lot of security patches every few months.

Everyone ships security patches every few months. It is just what happens. Almost all of them are local code exploits, that require execution on your machine, and very few have found a way to do a privilege escalation (the ARDAgent being the most recent one that was patched).

My friends write about Apple security as part of their job. It has a very solid security foundation now, but Apple's biggest roadblock to getting more accepted is some of their own attitude towards updates. But they've been called out and shamed a lot for it, and have shown to be much more responsive in a shorter time than Microsoft has. One could argue that they were able to get away with what they have done because they built some proper tools to begin with. Could they be lazy, yes, but they at least have a much more solid foundation than what you get with XP, so you have a better starting off point.

And securing a machine first requires understanding what is the machine's purpose. Is it a glorified terminal, or does the machine have access to launch codes? In one role I would trust an OS X machine (with proper modifications), in another, I would only trust a custom rolled *nix box with a full code audit. The trick is ensuring that one isn't the backdoor to the other.

Remember the TJ Maxx break-in that was brought up again with the Heartland Systems break-in. They compromised a store Wifi network, then a store desktop machine on the wired network, then the router, and then finally, got to the credit card processing system. Remember, a Firewall isn't meant to keep the fire from just getting into your building, it is meant to keep the fire from spreading from room to room.
posted by mrzarquon at 1:00 PM on January 23, 2009


NT, 2K and XP were all rated to the C2 security level.

My recollection was that the C2 certification was only for non-networked NT 3.5 boxes:

In their rush to embrace Windows NT, which is less expensive than similar UNIX-based systems, Curry suggested many government procurement officers may be either ignoring or misunderstanding the product's C2 rating. Microsoft may also be glossing over the fact that the C2 rating only applies to a now-obsolete version of Windows NT, version 3.5, running on a machine that is unplugged from a network. - Wired, 1998

XP may be better but I expect whatever rating it has only applies when it's running off batteries inside a Faraday cage.
posted by GuyZero at 1:53 PM on January 23, 2009 [1 favorite]


I won't be satisfied until Obama is writing his speeches in vi running on OpenBSD.
posted by sonic meat machine at 1:56 PM on January 23, 2009 [1 favorite]


vi? Man, you got suckered. Obama rolls with the emacs crew.

C-x C-O : be so awesome
posted by boo_radley at 2:03 PM on January 23, 2009


Looked through the thread and didn't see this posted so far - looks like Obama might not get a 'blackberry' per se, it's more of a $3,000 phone from General Dynamics.
posted by jourman2 at 2:20 PM on January 23, 2009


A properly configured wireless network is no less secure than a wired network. And in many cases is more secure since there is usually more thought to how a person gains initial access.

Anyone who would say that any medium size to large networked environment could run on OSX is a joke. Regardless of how secure you think it is, the majority of enterprise applications and programs would not operate with it.

I help drive the technology of over 100 different banks, none of them use any OS variation other than Windows.

Newer software, although it can be buggy, is generally built with security in mind and usually has better abilities to be more secure.

"Remember, a Firewall isn't meant to keep the fire from just getting into your building, it is meant to keep the fire from spreading from room to room"

You are confusing a firewall with an intrusion protection system. And they are different. A firewall generally only has capabilities of allowing or disallowing packets, once a packet is allowed it won't go and do anything about it. This is where an IPS system would come into play.
posted by LouieLoco at 2:26 PM on January 23, 2009


No, that's old news - he gets a crackberry for "personal" use (see the update at the bottom), although everything gets logged for presidential records. For official use he'll either have to use that monstrosity but I expect he'll do what most presidents do and simply tell his staff to do stuff and they'll send the messages via whatever.
posted by GuyZero at 2:28 PM on January 23, 2009


I help drive the technology of over 100 different banks, none of them use any OS variation other than Windows.

Oh good grief. I'm a peon at a major internet service you've used and if God himself made Windows vanish tomorrow not one employee would be inconvenienced for more than half a day. And not a single user would notice.

Additionally, Apple themselves run a pretty significant business using Apple boxes almost exclusively. (I'd bet they run Exchange though, unfortunately). It's not that hard.
posted by GuyZero at 2:31 PM on January 23, 2009


A properly configured wireless network is no less secure than a wired network.

What? A wireless network you can join from a car parked across the street is no less secure than one you need physical access to?

Anyone who would say that any medium size to large networked environment could run on OSX is a joke.

Seriously? It's impossible to let, say, the web design department hook up a few Macbooks? This is the kind of crap that makes people talk trash about IT guys.
posted by designbot at 2:46 PM on January 23, 2009


LouieLoco, could you expound on what makes a wireless network "properly configured" and therefore secure? Is it WPA-PSK or similar, strong keys and the like?
posted by boo_radley at 2:55 PM on January 23, 2009


Most likely the wireless interface would just give them internet or edge access and they would get into the network via VPN. Arguably, that's the same as using the VPN anywhere else, except you're not dragging a cable everywhere. A wireless compromise would be the same as someone attacking from the internet. They aren't past the firewalls.
posted by damn dirty ape at 3:01 PM on January 23, 2009


I help drive the technology of over 100 different banks, none of them use any OS variation other than Windows.

I love it when windows-only IT guys reveal the fact that they have zero exposure to the world outside their fishtank.
posted by ook at 3:03 PM on January 23, 2009 [3 favorites]


Anyone who would say that any medium size to large networked environment could run on OSX is a joke.

Would you care to provide a single shred of evidence supporting that claim?

Regardless of how secure you think it is, the majority of enterprise applications and programs would not operate with it.

This has nothing to do with inherent security advantages or disadvantages of OS X, Windows, or any other operating system.

I help drive the technology of over 100 different banks, none of them use any OS variation other than Windows.

This, by itself, says absolutely nothing about the relative security of Windows compared to other operating systems.

Please don't pretend that being able to throw jargon around mostly in the correct context means you have the slightest clue what you're talking about.
posted by oaf at 3:04 PM on January 23, 2009 [1 favorite]


While most bank desktops are running windows, that does not mean the bank runs on windows. Usually it just hosts a terminal session to a *nix server in the background.

Wireless is just a method of connecting two devices. The difference between wireless and wired is that in wireless you have no assumptions of line security (i.e., someone has to physically tap into my fiber to sniff traffic vs know where to point an antenna). You could easily just initiate an IPSec VPN over wireless also, because you just assume wireless is unsafe, even if it is 'internal.'

Many medium sized businesses do run on OS X, some just using windows terminal server to host the one application that they need. Apple does not run on exchange, they actually use meeting maker still, and probably one of the reasons why CalDAV CardDAV and other such technologies are going to see some refinement is they are committing to using them in house.

Regarding firewalls, it was a point to show that you still have internal separation of services. So you have one between servers and clients, and between subnets assigned to floors if you want, replicated physical security in network security. What good is it if your servers are behind locked doors if your waiting room has a network port that allows unfettered access to them. IPS is good tech also, but having clearly defined maps of what machines need what access, and just assuming that because you have a firewall against the outside world does not mean you are invulnerable. You just can't assume that the network will magically tell you when your workstations are being compromised and stop it, most of the time it requires heuristic data to be able to identify an attack anyway, so if it's new, it won't set off any alarms. Segmenting the networks is one way to contain an outbreak when it does happen. It is a balance between functionality and security, and there is never a simple or clear best practice that encompasses every scenario.

And as for OS X security? My friends at defcon this year keep seeing more and more folks with macbooks, and most of them still running os x. However fewer folks running Windows for full time work (instead of code / vulnerability testing).
posted by mrzarquon at 3:57 PM on January 23, 2009
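
The containment point in mrzarquon's two comments above (the store Wifi to card processing chain, and the waiting-room port that reaches the servers), as an added example that is not part of the thread: a small audit over zone-to-zone allow rules that reports whether a foothold in a low-trust zone can reach a protected zone by chaining permitted hops. The zone names and both rule sets are constructed for illustration.

```python
from collections import deque

# Constructed policies (assumptions, not from the thread): each key is a
# source zone, each value the set of zones it may open connections to.
FLAT = {
    "store_wifi": {"workstations"},
    "waiting_room_port": {"workstations", "servers"},
    "workstations": {"servers"},
    "servers": {"card_processing"},
    "card_processing": set(),
}

SEGMENTED = {
    "store_wifi": set(),          # edge access only; staff come in over VPN
    "waiting_room_port": set(),   # port isolated from internal zones
    "workstations": {"servers"},
    "servers": {"card_processing"},
    "card_processing": set(),
}


def pivot_path(policy, entry, target):
    """Shortest chain of permitted zone-to-zone hops, or None if contained."""
    queue = deque([[entry]])
    seen = {entry}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        # sorted() keeps the result deterministic when several hops are allowed
        for nxt in sorted(policy.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def audit(policy, low_trust, protected):
    """Map each (entry zone, protected zone) pair to its pivot path or None."""
    return {(e, a): pivot_path(policy, e, a)
            for e in low_trust for a in protected}


if __name__ == "__main__":
    entries = ["store_wifi", "waiting_room_port", "workstations"]
    for name, policy in (("flat", FLAT), ("segmented", SEGMENTED)):
        for (entry, asset), path in audit(policy, entries, ["card_processing"]).items():
            verdict = " -> ".join(path) if path else "contained"
            print(f"{name:9} {entry:18} to {asset}: {verdict}")
```

Under the segmented rules the two low-trust entry points are contained, while a compromised workstation still has a two-hop path through the servers, which is why each permitted hop needs its own justification.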


There are a few things that aren't available to White House staffers at all. Instant messaging is out, both for security reasons and because the Bush team wasn't able to find a way to archive all IMs, as required under PRA. - from Nelson's FOX News link

Speaking as the guy who implemented the IM archive and audit backend for an investment bank not any more! a bank holding company you all know well, this is pathetic. If you have enough influence, AOL and MSN will help you proxy their traffic and open their protocols. Right here we have a strong indication that the Bush IT team were jokers.
posted by nicwolff at 4:37 PM on January 23, 2009 [1 favorite]


OS X is incredibly secure for the reason that it's kind of expensive or a hassle to get a hackintosh going. For that reason, you will see very very few macs in China, Russia, and Eastern Europe — where many of the viruses/hacks come out of.

But whenever you're talking about mission-critical systems like the Whitehouse, software security should be nothing more than an afterthought (assuming you've locked down the network well enough). The main area of concern is with physical security and the people touching the machines.
posted by amuseDetachment at 5:01 PM on January 23, 2009


Anyone who would say that any medium size to large networked environment could run on OSX is a joke.

I think you've pretty much demonstrated that you don't know anything about OSX. The only difference between OSX and the industrial-grade unixes that run the essential internet infrastructure that we all rely on from one second to the next is that OSX has a nicer UI.
posted by George_Spiggott at 5:56 PM on January 23, 2009 [1 favorite]


But they aren't updating the blog, which kind of defeats the point of having one.

Actually, that's exactly why I have one.
posted by Enema Bag Jones at 6:30 PM on January 23, 2009 [1 favorite]


I think you've pretty much demonstrated that you don't know anything about OSX. The only difference between OSX and the industrial-grade unixes that run the essential internet infrastructure that we all rely on from one second to the next is that OSX has a nicer UI.

Here's the deal: Linux, BSD, and Solaris all have associated projects that do serious code review (look up OpenBSD and Trusted Solaris). MS has started doing similar work on Windows, but only very recently. These projects have found hundreds of bugs, often really crazy interactions between multiple components that would be impossible to predict without auditing the source code. Apple's source code is closed, and it hasn't (apparently) had the inclination to do any serious security review. Since we can't expect Apple programmers to be magically smarter than other programmers, and they are using pretty much the same tools (C programming language), we can infer that there are probably dozens of undiscovered bugs in OS X. Will they ever be found? Maybe they'll be found by your enemy first.

That said, the security of the operating system is not critical. Security people long ago realized that any piece of software longer than a few tens of thousands of lines can't be trusted (especially if it's written in C, like pretty much every major operating system is). That's why we recommend defense in depth: firewalls and VPNs and physical security and intrusion detection and careful human monitoring. I imagine the White House is so well protected, you could plug a Windows 95 box into the wall and never have any worries.
posted by miyabo at 1:11 AM on January 25, 2009


Malor, you make the leap that old secured technology is better than new technology a priori. But the new technology reflects (among many other things) the unfixable security holes in the old stuff. I'd rather have off the shelf latest OS X than the most locked down version of XP.

And don't we have bright guys working for us? What the fuck, Bush administration. Wifi is a no-go, of course (though I like to imagine Obama surfs in bed too). But the machines and software should be bleeding edge *and* secure. It's the fucking white house.

What are we, the US or something?
posted by fourcheesemac at 8:39 AM on January 25, 2009


> we can infer that there are probably dozens of undiscovered bugs in OS X. Will they ever be found?

Well, you are a little off there. OS X's core is open sourced, and a good chunk of the important stuff (kernel, core security model) tends to be released also. I am not saying it is invulnerable, but there are rare cases where you can have a remote code execution and a privilege escalation because of how the system was designed. Security in 10.4+ is not just an afterthought, and there are serious internal partitions to keep things in check. Not on the level of a secure linux or openbsd, but possibly a good deal ahead of Windows in some respects.

But I think we can all agree that: Bush's Whitehouse IT team was probably not the best in the business if they: Couldn't prevent (or allowed) outside email systems to be used, and couldn't implement an IM logging system. Also, with a proper security team, there is no reason why Obama could not have a macbook running OS X on his desk for work and surfing the web.
posted by mrzarquon at 10:23 AM on January 25, 2009


I imagine the White House is so well protected, you could plug a Windows 95 box into the wall and never have any worries.

Yes, given their consistent emphasis on competence over all else in their hiring and appointments¹, and their proactive approach to anticipated dangers², I have no doubt they've been doing a heckuva job.

¹ No ideological litmus test or preference for graduates of a particular bible college, for example
² After all, nobody could have predicted the levees would break, or that Al Qaeda might be "determined to attack targets in the U.S.", or might want to hack the White House...
posted by George_Spiggott at 12:35 PM on January 25, 2009


wow, you mac guys sure are sensitive. Last time I checked mac has about 4 percent market share and probably less than 2 percent in the work place. And a lot of those are virtualizing xp to run applications.

"Please don't pretend that being able to throw jargon around mostly in the correct context means you have the slightest clue what you're talking about."

"I love it when windows-only IT guys reveal the fact that they have zero exposure to the world outside their fishtank."

Considering I'm a Senior Network Engineer working for one of the top five integrations firms in my area that has a client list of 500 plus companies/agencies I would like to disagree with these statements.

Btw, I'm not saying that OSX isn't secure, it has a lot of inherent security features that I appreciate, and the majority of virus' are written to attack microsoft os's and applications. But the majority of business applications are written for Microsoft OS's. If you don't understand that then I can't help you.


With the combination of a NAC, RSA or some type of Key authentication, encrypting traffic with the use of VPN, an IPS in place, a wireless network is as secure as a wired network.

mrzarquon - you're confusing Firewalls and VLan'd switches. You generally won't have a firewall between network segments.

Many medium sized businesses do run on OS X- If what you mean is many medium sized companies have macs running in their environment then I will agree. If you mean that many medium sized companies run on Mac servers and all their desktops are macs then we have a major disagreement about the use of "many".


Whoever keeps bringing up that ISP's could operate no problem without Window's I would like to disagree with you on that. What about your call center? What about the billing department? What about HR, what about every other facet of the business besides the NOC?

Lou
MCITP, CCNA, CCSP, CCISP, Security +
posted by LouieLoco at 3:16 PM on January 25, 2009


the majority of business applications are written for Microsoft OS's

You realize, of course, that this says nothing about how secure an OS Windows is, either absolutely or compared to OS X or Linux.

But go ahead and pretend that your certifications make you correct about everything in your first comment in the thread.
posted by oaf at 8:34 PM on January 25, 2009


The only thing I can add here is my friend used to run Apple federal sales and sold large numbers of OS X and OS X Server boxen to sensitive U.S. government departments. Note that for a long time, Army.MIL was running off NetStar (né WebStar) on Macs.

Do not take this as a suggestion that even U.S. Army security is comparable to White House security. But it is evidence that OS X is adequate for many high- if not highest-level security applications in government.
posted by joeclark at 9:23 PM on January 25, 2009


"Microsoft OS's"

$1 hotdog's - Baker's apostrophe.
posted by jaduncan at 1:14 AM on January 26, 2009


Well, as obnoxious as Mr. Loco is, jaduncan, “OS's” is not technically a "baker's apostrophe." The situation surrounding the pluralization of acronyms is a murky one, and at present is governed by personal preference and house style. Granted, it looks horrible with the apostrophe.
posted by sonic meat machine at 10:04 PM on January 26, 2009




This thread has been archived and is closed to new comments