
Journal joshmccormack's Journal: Department of Homeland Security chooses Microsoft

The Department of Homeland Security had the opportunity, with its recent selection of a provider of desktop and server software, to set an example for choices based on the security of a provider's offerings, and to show the American public that they weren't yet another bureaucratic money pit. With their selection of Microsoft to the tune of $90 million, they failed in both respects.

The poor security of Microsoft products across the board has been shown time and again. Nearly every major exploit, virus and penetration due to software weakness has only affected Microsoft operating systems and software. In the last week alone, the DirectX vulnerability, the MS DCOM buffer overflow vulnerability and the HTML to RTF conversion vulnerability were found, and Swiss researchers found a way to hack Windows passwords in seconds.

In the July 21st, 2003 article in eWeek on this decision, the vice president and chief security counsel at Solutionary, Inc. of Omaha, Nebraska, suggested that now that Microsoft has been given this contract they will improve the security of their software, and that there really was no other choice - "Were they going to go out and buy Linux? I don't think so," Rasch is recorded as saying.

First, the selection of a company widely seen as being deficient in security, possibly with an idea that this will encourage them to be more focused on security, is both ridiculous and offensive. Instead of being encouraged to change, Microsoft will likely use this contract as an endorsement when marketing the security of their products. And is the DHS in the job of selecting unsuitable vendors in the hopes they will take advantage of this opportunity and improve?

And what about Mr. Rasch's question on why the DHS apparently had no other vendors to choose from? I question whether due diligence was done in choosing between vendors, and I would be interested in finding out what the criteria for the selection of those vendors were.

The DHS's needs could most likely have been met in the form of several operating systems, all of them with better security than MS offerings, and many of them at a better price.

Most likely the general software needs of the DHS are a word processor, spreadsheet, presentation software, browser and email client. Solaris or MacOSX could have been selected for both desktop and server needs and satisfied these needs, while having a much better reputation for security. These are commercial offerings and would be available with a comparable set of guarantees, warranties and training programs as whatever MS is offering.

Of course, the DHS could have chosen Linux, or FreeBSD on the desktop and OpenBSD on the server. And while some money would be wisely spent in encouraging development and getting things together in just the right way, I'm sure the bill would be less than a tenth of what MS is being paid. And the security of these options, especially OpenBSD, is without question superior to that of MS. Additionally, the DHS could have looked for help and guidance to another government agency, the NSA, which is sponsoring development of a secure Linux called SELinux.
