Slashdot is powered by your submissions, so send in your scoop
Comment Re:Encryption (Score 1) 127

Yeah, I work in the security industry and I don't really agree. I hear what you're saying about considering each application and you're not wrong, but I think the potential benefits of this easily outweigh the negatives. It will apply pressure to companies who really do need to encrypt their data and just cannot get the will from the business to do it.

It's not a magic bullet, but especially in the absence of any legitimate way to wipe data from databases in a secure manner it's a reasonable compensating control to put in place. It really depends on the actual implementation whether or not the encryption will help if the server is compromised while it's running. If companies encrypt at the database or table level and implement things decently then at least it's not just a matter of compromising the server and copying the entire database off to get the information. Web-based attacks are probably going to compromise the database's security, but at least information secured in this way would be safe(er) from network-based worms and other malware. That is not a trivial or uncommon attack vector, and I think it's worth serious consideration.

The other aspect of this is that it would force a lot of companies to implement real key management procedures in order to not lose access to their data. Once they need to do that to maintain the business, they'll be much more receptive to rotating and expiring keys, etc. because it's low-hanging fruit. Right now key management is kind of a nightmare and not something I see a lot of companies handling effectively. If you have to deal with key management in order not to take down your entire business, being more selective about who has access to those keys, split knowledge, etc. become a much more realistic proposition. That will demonstrably increase security as well as compliance with other regs/standards.

I'm both a Libertarian and a security professional... I am suspicious of government regs but I think they are needed in this case. The industry is not keeping up with the security landscape well enough, and this stuff is far enough out of the public's line of view that it has the potential to negatively impact their lives out of nowhere, and there is no ability for them to audit or verify a company's security measures before engaging with them. I think that is a threat to the public welfare, and something that does fall within the role of government. Implementing encryption in this way is not going to be that onerous, and it will have a tremendous impact on people who really REALLY do need to encrypt their data at the price of a bit of a hassle for those who don't. As this becomes more widespread key management and implementation of encryption will also become easier, making it less onerous for people who don't necessarily need extremely tight security.
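Added example, not part of the comment above or any project it mentions: the table-level encryption with real key management that the commenter is arguing for, in the envelope form most KMS/HSM products use. Each record gets its own data-encryption key (DEK); the DEK is wrapped under a key-encryption key (KEK) that lives outside the database; rotating the KEK re-wraps only the DEKs, never the bulk ciphertext, which is what makes rotation and expiry cheap enough to actually do. The `KeyStore` map standing in for an HSM/KMS, the `Record` layout, the KEK IDs and the sample plaintext are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is one encrypted field as stored in a table: the bulk ciphertext plus
// its own data-encryption key (DEK), wrapped under a key-encryption key (KEK).
type Record struct {
	KEKID      string // which KEK wrapped the DEK
	WrappedDEK []byte // nonce || AES-GCM(DEK) under the KEK
	Ciphertext []byte // nonce || AES-GCM(data) under the DEK
}

// KeyStore stands in for an HSM/KMS holding KEKs by ID, off the DB server (assumed).
type KeyStore map[string][]byte

func randomBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // never returns an error in Go 1.24+; the process aborts instead
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // every key here is a locally generated 32-byte key
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal returns nonce || ciphertext; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to nonce, ciphertext or aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := aead(key)
	if ns := gcm.NonceSize(); len(sealed) >= ns {
		return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
	}
	return nil, fmt.Errorf("sealed value too short")
}

// wrap seals the DEK under the named KEK with the KEK ID bound in as AAD, so a
// wrapped DEK cannot be quietly re-labelled to a different KEK.
func wrap(ks KeyStore, kekID string, dek, ct []byte) (Record, error) {
	kek, ok := ks[kekID]
	if !ok {
		return Record{}, fmt.Errorf("KEK %q not available", kekID)
	}
	return Record{KEKID: kekID, WrappedDEK: seal(kek, dek, []byte(kekID)), Ciphertext: ct}, nil
}

// unwrap recovers the DEK; it fails closed once the KEK has been retired.
func unwrap(ks KeyStore, r Record) ([]byte, error) {
	kek, ok := ks[r.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %q not available", r.KEKID)
	}
	return open(kek, r.WrappedDEK, []byte(r.KEKID))
}

// Encrypt uses a fresh AES-256 DEK per record, then wraps it under the KEK.
func Encrypt(ks KeyStore, kekID string, plaintext []byte) (Record, error) {
	dek := randomBytes(32)
	return wrap(ks, kekID, dek, seal(dek, plaintext, nil))
}

// Decrypt needs the key store, so a copied table alone is useless.
func Decrypt(ks KeyStore, r Record) ([]byte, error) {
	dek, err := unwrap(ks, r)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, nil)
}

// RotateKEK re-wraps only the DEK; the bulk ciphertext is untouched.
func RotateKEK(ks KeyStore, r Record, newID string) (Record, error) {
	dek, err := unwrap(ks, r)
	if err != nil {
		return Record{}, err
	}
	return wrap(ks, newID, dek, r.Ciphertext)
}

func main() {
	ks := KeyStore{"kek-2013": randomBytes(32), "kek-2014": randomBytes(32)}
	rec, _ := Encrypt(ks, "kek-2013", []byte("ssn=123-45-6789"))
	rec, _ = RotateKEK(ks, rec, "kek-2014")
	delete(ks, "kek-2013") // retire the old KEK; the rotated record still opens
	pt, err := Decrypt(ks, rec)
	fmt.Printf("%s %v\n", pt, err)
}
```

Two points match the comment's caveats. Nothing here protects against an attacker who compromises the application path while it holds an unwrapped DEK; the gain is that copying the database files or dumping the tables yields nothing without the key store. And split knowledge applies to the KEKs in that store, not to this code: the KEK material would be held as shares by separate custodians (XOR or Shamir shares) and only reconstructed inside the HSM/KMS.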

Comment US Infosec Incompetence summed up in one sentence! (Score 4, Funny) 209

'Even following the general principle of secret-keeping, it should not have been linked to the Internet.'

You think so??? Really? This is a novel concept to our American Information Security Industry, please, tell us more! Surely you don't mean that power plants and water treatment facilities and power grids and other sensitive facilities should not be linked to the internet...HOW THE FUCK ARE THE OPERATORS GOING TO GET TO FACEBOOK IF WE DISCONNECT THEM!?!?!?!?

Comment Re: Obama lied, Chris Stevens Died (Score 1) 457

These are essentially the same people who had solid intel that could have prevented the 9/11/2001 attacks, but did nothing with it.

At best, their excuse for this is that they just had too much information to process and could not sift out the relevant information.

And yet they continue to delve further and further into sources of information which wouldn't have identified any attack on us that's ever taken place. They just keep increasing their surveillance powers with no concrete justification and, in fact, most likely to the detriment of their ability to predict attacks.

At first, this was due to the culture of "doing something about something" which pervades politics now. An invisible solution that solves the problem doesn't get politicians reelected. A solution which is visible, controversial, and inconvenient allows pols to send the message that they're, "getting tough on _______". Most people in America are pretty stupid, shortsighted, and fearful so they go right along with this.

Now surveillance has become an end in and of itself. The legal framework for collecting basically any communications at all times has been laid and there's no more political capital to be gained from it. Now the paranoid, the statists, the contractors who need contracts have taken over the fight. They have the legislative framework already, so it's best to keep their operations as quiet as possible to avoid scrutiny of both the obvious unconstitutionality of their actions, and the immense budgets they are getting with no real justification or goals at all. The politicians benefit from the campaign contributions paid for by the tax dollars they funnel in to these companies, and so they keep toeing the line.

I work in infosec, and you can even see this mentality at a corporate level when you have poor security management. More tools! More information! More money! Never mind that the quality of information keeps declining, the need for additional analysts to handle that information keeps increasing and that the incidents these systems are identifying are almost entirely the most trivial and inconsequential events which the organization experiences. Meanwhile, the tools fail to identify really serious issues because they're too immature to do so, and all the analysts are too busy chasing nonsense to have the time to look at the big picture. Policy and product-impacting security measures which would make a real difference are never implemented, because they're too much of a pain in the ass for the people holding the purse strings who, by the way, know absolutely nothing about security or even the regulatory framework in which they operate.

It's a failing of humans in general. You can see it pretty clearly in US foreign policy since WWII. We escalate conflicts we're ostensibly trying to avoid. We arm and fund people who will eventually become our enemies and cost us even more lives and money to eradicate.

Comment Why does this surprise anyone? (Score 1) 457

The government has been wrangling this legislation since (at least) the first iteration of the Patriot Act. There are no 4th amendment protections on electronic communications. None. People need to realize that. Since phone calls all traverse digital networks now, even those are subject to eavesdropping without a warrant.

The 4th amendment doesn't apply to communications, and barely applies to your personal spaces. This is the world we live in, the world which we have allowed to come about through our own laziness, ignorance, and fear. This should surprise no one.

Comment Re:Whats the alternative? (none for business) (Score 5, Interesting) 863

Absolutely right.

Windows also incorporates centralized management features that either don't exist or are not as easy to use in other operating systems. It's all standardized, easy to implement, and relatively seamless. These traits allow relatively low-skilled people to support Windows.

I was having some authentication issues and didn't have the permissions to remove and re-add my computer to the domain (pretty sure the machine password was out of sync). The tech that came to my computer didn't know how to run a command in DOS, but she did know how to remove my computer from the domain, rename it, and re-add it. Is this a good thing for the computing environment? Definitely not. But it's definitely good for companies' bottom line because they don't have to pay people who really know what they're doing and are highly educated.

Unfortunately the ability for low-skilled people to keep the lights on extends to servers too. No doubt Windows can develop some REALLY complex problems, but by and large getting services up and running isn't that big of a deal.

Software support is definitely critical too. Legacy applications are the bane of my security-focused existence. They cause all sorts of problems, but they keep the work going.

There are just no realistic alternatives at this point. You can point to one OS or another as having some of the desirable traits needed in an enterprise OS, but the point is that none of them have ALL of those desirable traits. Application support goes way way beyond a word processor, spreadsheet, and PowerPoint... there are thousands of specialized applications that are critical for businesses to run. Companies like hospitals have made HUGE investments in software to manage EMRs and issues with the user interface of one version of Windows are not going to cause them to abandon that investment overnight.

Comment Re:minority report (Score 1) 318

So don't use the product.

I am very big on privacy, but we're developing this culture of "inevitable consumerism" where we view these devices as something we MUST have, MUST use, and MUST take advantage of all the features of, rather than something we can choose to use.

It's true that for many professions having a smartphone or other similar technology is more or less mandatory, but there are other ways to earn a living and you can always "vote" by choosing employers which are not so stringent about connectedness. I just don't like this paradigm we're developing where all technological advancement is mandatory to continue to exist. We have the power to resist these devices, but we choose not to. Sacrificing privacy for convenience/features is a trade off that most people are obviously willing to make, so they are getting the technology they deserve.

There's nothing stopping anyone from going out and making devices which do support real privacy. I'm sure it would be well received by the market. The only problem is that it has to be a product which recognizes the market's desire for ease of use, simplicity and features. These are not typically goals which privacy advocates are willing to submit to, but these goals and privacy are hardly mutually exclusive. The trick is finding a simple way to give people choices about how their information is used.

Either way, we should focus our efforts on preventing the *government* from gaining access to and misusing our personal information.

Comment Re:decade long op!? (Score 1) 69

And you don't understand the concept of monopoly abuse. There were few "better products" because Microsoft used its monopoly power to suppress them. Microsoft did not make products that were better than the competition, instead, they used illegal means to prevent the competition from developing and releasing competing products.

So, go make a better product then.

I saw a fair number of products in process that may have provided a better experience in particular areas, but none that seemed to have the same goals as Windows had in mind. OS X is a pretty good example on the desktop. In some contexts it is a better product, but it's not enterprise focused.

We can cry foul all day, but that's the way life goes. Move forward.

Comment Re:decade long op!? (Score 1) 69

You're obviously very young or have worked for smaller companies, which is why you think that their status as "convicted monopolist" makes any difference to anyone. If their products didn't fill a need for which there was no better product available, trust me, they wouldn't retain the business they do.

No one cares about ideology or even ethics. What they care about is making money. Windows fits into some big but very specific niches, and it performs that role extremely well. That's why it's still around.

That's also why it's been pushed out of certain segments of the market: because it *doesn't* do certain things very well. The key is the evaluation of the requirements of the project to determine what is the best fit.

Working in security, I deal with it all, all the time. I would say that operating system is probably the least important factor in judging the success of an implementation. One company I worked for had a network that was divided in half. Half the network was the officially supported infrastructure and included both windows and linux. Windows was 100% of the desktop infrastructure, and a mixture of OSes powered the server infrastructure. It worked amazingly. It accommodated extreme-novice users, who had way more important things to worry about than what OS was on their desktop, extremely well. Once they got their patching routine down, it was surprisingly resistant to worms and viruses. It was actually extremely impressive.

Then there was the other side of the network which ran from datacenters in closets and servers under people's desks. It was a mixture of Windows and Linux and I would say a solid 60% of it was dismally run. Constant compromises and virus infections. Extreme resistance to common sense security precautions. Blatant outrage when servers were taken offline because they were affecting other life-and-death critical machines, etc. No patching at all. A complete lack of understanding of what they were even running, much less what version. I could go on and on.

The point is, shitty administrators make for shitty implementations regardless of OS. Good administrators make for good implementations, regardless of OS. Good administrators choose the best tool for the job and use it. Shitty administrators are ideologues who will force a tool to do a job that it's not that good at.

Comment Re:decade long op!? (Score 1) 69

My response is that of an engineer who has run into multiple instances where open source software was tried in enterprise scale implementations and there were serious issues which we were not able to get a resolution for. Posting a message about performance problems with an agent running on domain controllers for an 80,000 node network and hoping that someone will eventually get around to fixing it is not what most companies consider "support". They are looking for someone's feet to hold to the fire. Not that that model works 100% of the time, either (I'm looking at you Cisco!), but for the most part it does. It also provides a company with (some) assurance that the project isn't going to just die and leave them in the lurch.

Meanwhile, I continue to see heavy use of open source operating systems which are supported by various vendors in areas where it makes sense to use them. Sometimes commercial closed source products work better, sometimes they don't.

There has been a failure (in some areas, but not others) to respond to what the market has asked for with open source products. In many cases this is probably because the originators of the project really aren't seeking worldwide market domination, which is an extremely laudable way of going about things. In others, it's because the community doesn't acknowledge what is important, or isn't aiming to accommodate certain levels of implementations. Writing products for small to medium businesses is a lot easier than writing them for titanic enterprises. There's nothing wrong with making that distinction, and there's nothing wrong with leaving those markets for closed source projects to jump on.

What there is something wrong with is making the decision an ideological black and white choice and ignoring the requirements of the project completely.

Comment Re:decade long op!? (Score 1) 69

Not really. Your implication is that your opinion on the matter trumps what companies spending millions and millions of dollars believe is valuable.

Most enterprises run both Windows and open source operating systems these days. They do this because each is better suited to different tasks, not because of some ideological crusade.

Comment Re:decade long op!? (Score 1) 69

1.) You aren't allowed to use open source software because there's often no support or "community" support for it. With closed source products you can also require the company selling the software to have an independent code review done and (depending on your clout) provide some version of the results to you for review. If you could use open source, it would cost an enormous amount of money doing code review on someone else's code. No one wants to spend the money to do this, because it would only prevent a tiny minority of compromises.

If you "trust" all the software you install, whether it's open or closed source, you have already lost the battle.

2.) The symptoms of this malware would be readily apparent. TeamViewer traffic was picked up and flagged by default in the last signature-based IDS I had access to. Why do you think it's impossible to install malware on open source products? Are you going to do a complete code review every time a new version or patch comes out? Are you running HIDS software on every single machine in your organization to prevent modification of the binary after it's installed? What are you doing to prevent phishing and spear-phishing attacks which are the means that most attackers use to get a foothold in an organization and have been for more than 40 years now?

Your notion of "trust" is wide eyed and unrealistic. Security must be layered and standardized. It also must be practical, effective, financially reasonable, and comprehensive. This notion of open source software as the magic bullet that would have prevented this is incredibly silly.

Comment Re:A strong push for open source in government (Score 1) 69

Most companies don't have the resources to do really good code review on their own software, much less on every piece of software that comes in the door. The government has (unfortunately) many more resources, and they also have the clout to get source code or request independent code reviews on software which they buy. Actually, independent code reviews and penetration testing are becoming a part of most customer contracts now anyway, even between two regular businesses.

Support. That's why companies and government agencies choose closed source. Open source products which you can get support for can usually get a decent foothold. Open source products for which there is no support or "community" support won't be able to become as widely adopted. It's really not this complex ideological war.

I have no idea why the comments in this article are so focused on open source. Well, yes I do, it's Slashdot... but this breach could have been prevented or detected any number of ways. I've seen suspicious TeamViewer traffic in IDS consoles before. Why were these agencies not implementing basic security controls?

Using open source software isn't the magic bullet to prevent compromises. Even in closed source environments phishing and spearphishing are widely used to gain a foothold on a network. This technique is suddenly impossible because of a financially impractical code review procedure for every piece of software that comes in the door? C'mon.

The answer to these compromises is the same as it's always been. Layered security, standardized procedures, visibility into network traffic and systems, preventing employees from installing non-supported non-auditable remote access software, monitoring and auditing, etc. If these agencies somehow have the resources to do code review on every piece of software in their environment then, sure, that's an awesome layer to add to the process...but it's an expensive layer and one that addresses a problem that isn't a big risk in the grand scheme of things.
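Added example, not from the comments above or from any IDS product they mention: the kind of "basic control" the commenter says flagged TeamViewer for free, written as detection logic over connection and DNS records. TeamViewer's clients connect outbound on TCP/UDP 5938 and fall back to 443 (then 80) when that is blocked, and they resolve names under teamviewer.com, so the logic flags the primary port directly, flags the DNS lookups, and only treats a large outbound 443 session as suspicious when the same host just resolved a remote-access name (otherwise it is indistinguishable from ordinary HTTPS). The two-line log format, the sample lines and the addresses are constructed for this example; the domain list is an assumption to extend per policy.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Alert is one finding: the internal host involved and why it was flagged.
type Alert struct {
	Host   string
	Reason string
}

// sampleLog is a constructed sample, not captured traffic. One event per line:
//
//	<ts> dns  <src> <queried name>
//	<ts> conn <src> <dst> <dport> <proto> <bytes_out>
const sampleLog = `2013-06-18T09:14:02Z dns  10.1.4.22 master12.teamviewer.com
2013-06-18T09:14:03Z conn 10.1.4.22 198.51.100.10 5938 tcp 48213
2013-06-18T09:20:11Z dns  10.1.4.22 www.example.com
2013-06-18T09:20:12Z conn 10.1.4.22 192.0.2.80 443 tcp 1290
2013-06-18T10:01:45Z dns  10.1.7.9 router7.teamviewer.com
2013-06-18T10:01:46Z conn 10.1.7.9 192.0.2.45 443 tcp 3100422
2013-06-18T10:30:00Z conn 10.1.9.3 10.1.0.5 445 tcp 88120
2013-06-18T11:02:00Z conn 10.1.2.8 203.0.113.7 5938 udp 90`

// TeamViewer's primary port; 443 and then 80 are its fallbacks when 5938 is blocked.
const teamViewerPort = 5938

// Registrable domains of remote-access services to flag (assumed list; extend per policy).
var remoteAccessDomains = []string{"teamviewer.com"}

// underDomain is a suffix match on DNS labels, so notteamviewer.com does not match.
func underDomain(name, domain string) bool {
	name = strings.TrimSuffix(strings.ToLower(name), ".")
	return name == domain || strings.HasSuffix(name, "."+domain)
}

func isInternal(ip string) bool {
	return net.ParseIP(ip).IsPrivate() // RFC 1918 / fc00::/7; nil IP is simply not private
}

// Detect returns one alert per (host, reason), in first-seen order.
func Detect(text string) []Alert {
	var alerts []Alert
	seen := map[Alert]bool{}
	lookedUp := map[string]string{} // host -> remote-access name it resolved
	add := func(host, reason string) {
		a := Alert{Host: host, Reason: reason}
		if !seen[a] {
			seen[a] = true
			alerts = append(alerts, a)
		}
	}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 4 {
			continue // malformed line: skip rather than crash the detector
		}
		switch f[1] {
		case "dns":
			for _, d := range remoteAccessDomains {
				if underDomain(f[3], d) {
					lookedUp[f[2]] = f[3]
					add(f[2], "resolved remote-access service name "+f[3])
				}
			}
		case "conn":
			if len(f) < 7 {
				continue
			}
			src, dst := f[2], f[3]
			port, _ := strconv.Atoi(f[4])
			bytesOut, _ := strconv.ParseInt(f[6], 10, 64)
			if port == teamViewerPort && !isInternal(dst) {
				add(src, fmt.Sprintf("outbound %s/%d to %s (TeamViewer primary port)", f[5], port, dst))
			}
			// Port-443 fallback: only meaningful when the same host just resolved a
			// remote-access name; a bulk transfer threshold cuts ordinary browsing.
			if name, ok := lookedUp[src]; ok && port == 443 && bytesOut > 1<<20 {
				add(src, fmt.Sprintf("%d bytes out on 443 to %s after resolving %s (port-443 fallback)", bytesOut, dst, name))
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range Detect(sampleLog) {
		fmt.Printf("%-10s %s\n", a.Host, a.Reason)
	}
}
```

On the sample this yields five alerts across three hosts (10.1.4.22 on DNS and port 5938, 10.1.7.9 on DNS and the 443 fallback, 10.1.2.8 on UDP 5938) and stays silent on the internal SMB session. The same three checks are what a network signature set and an egress policy give you in production: block 5938 outbound, sinkhole or alert on the DNS names, and keep enough flow visibility that the 443 fallback is not invisible.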
