by frog
The admission by the head of the SIS Warren Tucker about ten days ago that NZ Government computer systems had been hacked left a number of questions up in the air.
Apart from “was it China, as he may have (kind of) implied?” and “what has the Government said to them in response?”, there is another one concerning the Greens: Why are Parliamentary Services and Ministerial Services so committed to Microsoft, especially the combination of Windows and Internet Explorer?
The pairing of Windows and IE is notoriously prone to security breaches and a number of software products in the open source catalogue have been pretty well demonstrated to be more secure.
Yet my battles with Parliamentary Service just to be allowed (!!) to install Mozilla Firefox on my parliamentary desktop have demonstrated the active hostility towards open source solutions in the parliamentary environment. Despite the fact that IE kept crashing (along with my computer), was totally infested (and apparently irreparably so), it took a great deal of arguing and finally rank pulling further up the hierarchy to get acceptance that I could install Firefox (things installed without authority simply get removed by nameless ones in my experience). Even that was with a promise that I would get no support if I had any problems.
Well the recent attacks should have sharpened the minds of those responsible for these kinds of decisions. I have written to the Speaker (who is in charge of Parliamentary Services) and the Prime Minister (in charge of Ministerial Services) to ask them to have a look at the security benefits of running OS on parliament and government computers – even if that is just a few applications like Mozilla. That’s without even mentioning the cost benefits.
Worth noting that Ministerial Services is still running Windows 2000 and is about due for a change. A good time to try something new, methinks.
I’ll keep ya posted how we get on!
Published in Justice & Democracy | Society & Culture by frog on Fri, September 21st, 2007
Tags: environment
Good luck, it utterly amazed me that government IT not only seem to have chosen the least secure setup they could find, but they seem to be doing their best to prevent anyone from choosing a better option themselves.
Not at all uncommon in NZ though, we’re very happy to believe the first multinational that shows us a shiny brochure.
Also illuminating would be the amount of money going overseas for IT products which could, instead, be going to paying locals to support open source equivalents.
Shows just how hollow the cries of “Knowledge Economy” and “Buy NZ Made” are.
On a related note, the Mozilla Firefox project was originally led by a NZer, and even today much of the work on it happens in NZ. If one is into national pride (and I’m not really), that’d be a shining example of something or other.
- MugginsM
Here’s a list of deployments for Open Office
http://wiki.services.openoffice.org/wiki/Major_OpenOffice.org_Deployments#Europe
Mugginsm,
This is not a specific trait of New Zealand government departments, I have seen the same thing overseas. My personal theory is that IT departments nowadays are often populated by people who have done short courses in computing, and all they know about is Microsoft. My other theory is that managers who know nothing about computing force their personal preferences upon everyone else.
Yeah, I work for a large university, and it’s Microsoft all the way. We academics have to fight just to get Open Source available for *research*, never mind actually using it for day to day work.
The decisions really don’t seem to get made by technical IT staff, only by IT managers who did a short computer course once and take the recommendations of salespeople over their own staff. I assume government is much the same.
- MugginsM
It’s probably that they paid thousands of dollars to get this MS system up and running and they don’t want to look like they have wasted yet more of my tax dollars in allowing you to use a piece of software which is better and free than the one they decided on.
Yet again I am not surprised
It does not matter which OS or web browser you use, all systems are hackable.
Like the smug Mac users used to think they were so much safer than a PC user. That was until hackers started writing code to hack into Macs as easily as PCs.
There is only one way to protect any valuable information and that is to have that information stored on a computer or external hard drive not connected to the web.
Not even on a LAN which is easily hackable as well.
So really smart people have their sensitive information stored on a separate computer. Use a USB flash drive to manually transfer files if you need to email them.
As a software developer I get fed up with Microsoft always changing their standards so that backwards capability is not there (ie Access 2000/XP/2003 programmes do not work in Access 2007).
But on the plus side of that is the fact that I have to do a billable call to each of my customers to update their custom software packages to run on Access 2007 if they upgrade.
A whole industry has evolved from the Microsoft upgrade process. Tap into it and you have a job for life. That is probably a bigger reason why IT professionals use Microsoft. You have unlimited amount of work ahead.
Gerrit
They are all hackable, yes… but as you know they aren’t all equally vulnerable.
Hack into the MS model and the monolithic nature of the beast means it is ALL yours. Hack a linux or Solaris system and for the most part you can get the user’s files, and in all likelihood can’t open a service port. The underlying models are very different and the flaw is fundamental to the model.
Not everyone can afford to run security the way they do on a stealth project out at Edwards AFB. Which is entirely NOT connected. The balance between usability and security has to be struck and MS chose its point of balance quite far towards “usability” and now anyone can use your computer… whether you like it or not
I prefer the more loosely coupled applications with the tighter security of the various +ix implementations. Most security conscious folks do, and not because there’s fewer hacks for the beasts but because the underlying model permits better security.
In defense of the IT guys, until the last 2-3 years (which is a short short time in terms of major IT investments in things like OS and Office suites) the Linux *way* was not a path everyone could choose. The improvements in OO and the new support coming from IBM (adding to RH and Sun) means that they can get support guarantees. The new level of installability provided by Ubuntu and RH mean that it is no harder and usually easier, to set up a user on a +ix box with OO than it is to set him/her up on windows.
The problem is that that is a very recent thing. It will start to bite over the next decade. It was not true in the last decade. Tech-savvy folk may decry the lack of adoption but the question is, could your Mom use it? With Ubuntu and RH where they are now she could. Even 5 years ago I’d have to say no-way.
Nandor – If you want some help in this I may have some ability to contribute.
Gerrit is correct though. The SIS has to apply standards very similar to the ones used at my former place of employment on its critical systems.
JPL used to run a lot of Solaris and +ix boxes… and DID NOT HAVE an institutional firewall until 2001 or 2002… every single machine there was protected simply by virtue of the user/administrator’s competence and the fact that it was usually running solaris or some other +ix. Maybe 10 thousand machines and JPL is a favored target. An unprotected machine on the lab net would last less than 15 minutes. It is NOT safe out there. Visit the SANS Storm Center http://isc.sans.org/
NASA tried to stuff MS down the throats of the labs and the labs fought back. They still have and use the +ix services. The administration secretaries now however, are able to use Windows as they’ve put in the firewalls and cut off the free and easy access that used to enable us to share things easily.
respectfully
BJ
[[ Former US Naval Officer. Former System Administrator at Edwards AFB (B2 project) and the NASA Jet Propulsion Laboratory. Currently Identity Management Specialist with Hyro Ltd. ]]
Totally agree BJ,
Just pointing out that there is only one perfect system (not connecting – as you point out) and even that system is fallible to physical intrusion and hard drive theft or copy.
Agree that MS is retail orientated but point out that as such meets the needs of 90% (?) of users.
I suggest that the security Nandor is talking and worrying about is contained in the user files (information stored on the computer)
This information is susceptible under either model of OS.
It is difficult to “hijack” a linux computer on line agreed.
As my customers are 100% MS users I haven’t had the need to look at the Open Source Software options available.
However as I need to protect my code (so I can put bread on the table) I tend to work in closed sourced software options. Knowing full well that with a great deal of effort someone could crack my MDE files of the Access software (getting the forms and tables is easy, the underlying VBA code and SQL statements much more difficult) I sell.
However the cost of the cracking would be considerably higher than the selling price of the specialist applications (Time Clock, Job + Time Sheet, Project Tracking, Strategic Planning, etc software) I market.
I guess that is why developers of software ( as opposed to system admins) prefer closed software option.
The Open office suite works well for users but not for developers. If you have to make money out of selling software, open source is no good.
I don’t fully disagree with the views expressed here, but it is worth pointing out the other side of the coin – allowing users to install anything they like can create huge support, stability and security issues for the IT team.
If users expect zero support when they install software that causes conflicts or crashes with other software (although the employer would no doubt agree that having them spend hours resolving the issue was not what they were hired for), that would almost be fine – but users can also introduce security threats and software conflicts as well.
It isn’t always a case of ‘just install the software’ and it all works, because there are dependencies on certificates being installed, firewall configuration, common macros and templates being used, records standards to be respected, automated software updates to be applied safely and the right of the business unit to manage the information to maximize sharing and re-use.
Spare some thought for the people required to work towards a 100% uptime target that also ensures information is properly tracked, stored, shared and secured across the entire organisation.
Yet my battles with Parliamentary Service just to be allowed (!!) to install Mozilla Firefox on my parliamentary desktop have demonstrated the active hostility towards open source solutions in the parliamentary environment.
Are you sure it isn’t an active hostility towards allowing people to add new applications to the mix and not be sure of the effects? I’m all in favour of FireFox use, and in this particular instance Parliamentary Service appear to be a little heavy handed – but maybe there are internal applications dependent on ActiveX controls?
Even if you went open source over microsoft, an organisation would still be better off standardising the choice, rather than allowing “any” open source products to be used.
There are training, support, compatibility with other organisations, maturity of the product, the range of applications, etc and a whole raft of issues that need to be addressed – so going to open source just because it seems good isn’t in itself a great business decision basis for an organisation.
As an MP you should well be aware of the huge number of laws you pass that you require departments like Parliamentary Service to respect. The Public Records Act 2005, specifically the Electronic Recordkeeping Standard (just to name one example) requires a fair amount of effort to adhere to, that impacts on user responsibilities and software usage decisions.
Maybe you need to be aware of the consequences of the continual process of adding legislative requirements to organisations and businesses, and take your experience as a sign that the impact is on the freedom of individuals
On the other hand, if Internet Explorer was indeed crashing for you and IT could not provide a well tested SOE machine, then installing FireFox as a workaround would seem prudent if it helped you do your work with less interruption.
In general, I know a lot of Govt Departments are mindful of open standards and doing their best to choose products that can ‘run anywhere’. The company I work for has also made the decision to ensure all current and future development is standards based and os neutral, so choices will expand over time, and Firefox will no doubt be welcomed in more organisations over time. Stay strong!
*sigh*
Hi Bj,
your post was a welcome ray of light here.
I know I’ve said this before, but what the hell, here goes again:
MS is evil, and deserves to be burned, thoroughly, by OSS forms such as linux, ubuntu, and mozilla Firefox; it is a marketing exec’s product, which as Gerrit says, is a guaranteed 6-monthly recall for installers, who are constantly on look-up to get their customers upgraded with the latest patches.
It is not a coder’s product, it is not a *researcher’s* product.
It is certainly not the choice of intelligent IT users, anywhere.
But the marketing gurus had a field day in the late 90s, and turned it into the product of choice to mass-market to non-industry PC-users, thus locking the global market into a shoddy system with constant upgrades, open to hacking and prone to service failures.
Emperor’s new clothes, anybody? Time to see Bill Gates as he really is.
And no, I’m not championing Steve Jobs, by return.
Mac has its own client service issues, and its own global arrogance.
I just regard MacOS as slightly more secure than MS, and I won’t install MS on my own hardware. That’s what internet cafés are for!
Who does the largest spying institution in the world use to provide software?
Well, I’ve never signed the contract, but IBM and MS between them supply most of the spy geekfest; it’s to the US advantage if the ROTW use a product with known security holes, which the CIA, NSA, and FBI can exploit.
Just look at Telco software providers. Black Birch and Waihopai have no problem getting telco signals for sigint analysis by US intelligence.
Err, guess we’re never gonna catch up for that coffee now, eh BJ???
Zen
The likelihood of installing software on a linux or solaris box that crashes other software on that box is, in my experience as near nil as one can responsibly hope to see. That only seems to happen in Windows, and for reasons very much related to the same monolithic security and integration model that makes all of windows so accessible once any part of it is penetrated.
+++
On Windows boxes it takes only moments of consideration to recognize that the combination of Open Office and Firefox is just as stable as IE and Word and more secure in the bargain.
Your point about “open slather” is well enough taken and no IT department I know of allows that – on windows. On Solaris and +ix boxes however, I know that the lab permitted users anything that didn’t violate the lab’s usage policy… basically no porn, no hosting your own business site… no malware.
There’s an aspect of this that needs to be laid out clearly. The +ix users on the lab basically have ALWAYS run their own boxes. If a project had enough users and requirements it’d hire its own sysadmin to maintain the larger servers, but the box on your desk, if it was linux or solaris, belonged to you and you needed to do the maintenance or find someone to do it. That level of self-support is not something that the average user of Windows in the Beehive or anywhere else, is capable of doing. It has to be something you can hand your Mom and expect her to be OK with it…. and that ability has only recently arrived in some Linux distros. Not everyone can cope with gentoo. Not everyone is interested in what is actually happening under the hood.
The flip side of Zen’s point is that they’ve established a “monoculture” and it is as vulnerable as any other monoculture. That was always the other part of the lab defense in depth approach. If something attacked a particular program or variant it could not bring down the lab net. The worst virus attacks in computer history did little more than register as a sort of denial of service from the rest of the world.
But the point Zen brings up is a valid consideration and the balance that is required is not something that can be casually decided. It has to be considered quite carefully.
The problem here is that someone or several someones in the parliamentary service are apparently using this as an excuse for establishing a dictatorship. They don’t want to consider anything carefully. They don’t want to know about it.
That makes them fools or worse, because Open Office and Firefox and Linux could save them quite a lot of money and time… and could (with a little retraining on the part of users) give everyone FAR more security.
One wonders if there is someone at SIS who might be persuaded to make this point more clear. I have to believe that they DO have competent people in their computer group and no competent software engineer is going to tell you that Windows is the most secure system.
respectfully
BJ
Katie is right in that commercially MS have scored a king hit.
Going back to Nandor’s problem of IE crashing on a regular basis is a mystery to me (not having had a single IE crash on my home network or the separate factory network).
However the biggest cause of software program crashes is the operator’s use of the red X in the top right hand corner instead of the file close command.
Most programs require a bit of code to run to close correctly and using the dreaded red X bypasses this. If Microsoft got rid of the red X a lot of crashes would not occur. (which is why all my software at start up runs code to immobilise the red X)
So while we worry about network security (which is easily overcome by not being on a network) the real problem of application crashes is one of software design that enables users to close applications incorrectly.
And the lack of training to tell people that the red x is a last resort close before trying the even worse application shut down procedure of control alt delete (which should have been programmed with an automatic reboot procedure).
Gerrit, are you serious? I’d have a little more difficulty getting off the Parliamentary Services network than even installing Firefox!
“So while we worry about network security (which is easily overcome by not being on a network)”
Zen Tiger, I’m sure there is something in your comment “Are you sure it isn’t an active hostility towards allowing people to add new applications to the mix and not be sure of the effects?” However, having made numerous complaints to computer services and having them even bring me up a new CPU cos they couldn’t get rid of the problem, I would expect that if they are not prepared to allow me a functioning, more secure browser that they should provide a functioning alternative.
In any case, my main point is that Mozilla shouldn’t be an add on for people with malfunctioning computers. It should BE the standard issue browser.
Hey BJ,
“One wonders if there is someone at SIS who might be persuaded to make this point more clear. I have to believe that they DO have competent people in their computer group and no competent software engineer is going to tell you that Windows is the most secure system.”
Err, my ex-husband used to be in that team as a contractor (ICL/Fujitsu, then Solnet.)
On the basis of what-I-shouldn’t-know, and the fact that my ex was a total sell-out to MS in that time, I’ll go;
No, they really aren’t going to facilitate anything that stops the higher powers from being able to surveil/hack our systems. Kinda ANZUS-friendly?
Just enough security to stop the average NZ-based hacker from gaining access to any useful information about our lives here, though.
As you say, the big server-sets in the US run Solaris, and have far more power and database analysis capability than anything we have here can fend off.
Nandor -
Yes! Mozilla is the best browser, it’s what I installed when I first took my laptop up to uni 2 years ago, and it has securely navigated the wireless network up there without issues for all that time.
And that’s in comparison to the very reasonable Safari browser shipped with my little iBook, which is also a fairly nice piece of software.
I like being able to choose to run both, as MacOSX allows me to.
Try working that on a Dell PC running MS…. the default sale to most students, due to over-marketing by Edu computers on campus.
I worked in an NZ Govt. Dept. for a wee while way back when. Our ‘standard’ was Netscape Navigator 4.7 and Windows IIS servers.
Say what you want about IE, but Navigator deserved to lose the browser wars. IIS deserve to lose the server wars. So why not use them together? Must have been a committee.