Tuesday, September 07, 2004

Oh Sh!t, CSC & BAE Systems Scupper UK Nuclear Deterrent
From this morning's edition of online news site The Register. Royal Navy's capability neutered by stealth. What is really scary about this is that the political parties have not made any comment. Maybe this has something to do with the millions that Microsoft spends on public affairs and bailing Labour out of the potential white elephant of the Commonwealth Games in Manchester, which at the time threatened to be as big a disaster as the Millennium Dome. Original article here, interesting bits below.

"Almost three years ago the naval systems arm of major UK defence contractor BAE Systems took the decision to standardise future development on Microsoft Windows. An immediate effect was to commit BAE's joint venture CMS subsidiary, AMS, who specialise in naval Combat Management Systems, to implementing a Windows 2000-based CMS system for the new Type 45 Destroyer."

"Acting as spokesman for the concerned engineers Gerald Wilson compiled a 50 page dossier detailing the unsuitability of Windows as a foundation for a naval command system, and arguing that BAE's Unix history and expertise made open source UN*X a logical and viable way forward. The company then made him redundant. In May of this year Wilson reiterated his concerns to the board of BAE Systems at the company's AGM, pointing out that Windows is 'proprietary technology owned by a foreign corporation', has 'many and continuing security flaws', and is not even warranted by Microsoft itself for safety-related use. Why then, he asked, is AMS 'shunning established engineering practice' by developing the Type 45's CMS on Windows?"

"AMS supports this with copious documentation on the AMS approach to open systems, which can be summarised as open, so long as it uses Windows. Earlier AMS had announced the deployment of Windows on submarine HMS Torbay, together with plans to retrofit Windows to Vanguard class and other attack submarines."

Vanguard class boats carry Trident nuclear missiles!

"BAE had undergone several structural changes. One consequence was that computer resources were owned and controlled by BAE’s outsourcing partner (Computer Sciences Corporation). CSC’s published policy was to standardise BAE’s computers to use only Microsoft’s proprietary software."

So this decision was based on the fact that the company outsources its PC helpdesks to CSC!

"In April 2002, Bill Gates, acting as Microsoft’s Chief Software Architect, gave extensive testimony under oath to the US Courts. Gates’s testimony included description of the current structure of Microsoft Windows. Snubbing fifty years of progress in computer science, the current structure of Windows abandoned the accepted principles of modular design and reverted instead to the, much deprecated, entangled monolithic approach. Paragraphs 207 to 223 are particularly revealing about Microsoft’s chosen approach (paragraph 216 is difficult to believe!). Anyone with elementary knowledge of computer science can see that Microsoft Windows, as described here by Gates, is inherently insecure by design."
"These continual problems demonstrate how, in practice, Windows proves inherently insecure by design. There are many public descriptions of this issue: but a succinct summary is found here: (Does open source software enhance security? - The Register) Although partisan, Greene's analysis is accurate. Greene distinguishes how the structure of Windows (entangled, monolithic) necessarily compromises its security when compared with the structure of open source UNIX (modular, scaleable). It is simple to infer which structure is preferable for building a safe and secure foundation for an engineered system, such as a naval command system. A more recent example is this recommendation in a recent security advisory from the Computer Emergency Readiness Team, now part of the US Department of Homeland Security. (US-CERT Vulnerability Note VU#713878, 9th June 2004 Microsoft Internet Explorer does not properly validate source of redirected frame)."

Gives the blue screen of death a whole new meaning.