csua.org/u/9px -> www.theregister.co.uk/2004/09/06/ams_goes_windows_for_warships/
John Lettice. Published Monday 6th September 2004 13:15 GMT

Almost three years ago the naval systems arm of major UK defence contractor BAE Systems took the decision to standardise future development on Microsoft Windows. An immediate effect was to commit BAE's joint venture CMS subsidiary, AMS, who specialise in naval Combat Management Systems, to implementing a Windows 2000-based CMS system for the new Type 45 Destroyer. But this prompted strong internal opposition from some of AMS' engineers, who had a sound background in Unix and who had, despite resource starvation and a companywide policy to standardise on Windows, been investigating open source alternatives as a foundation for future combat systems. Acting as spokesman for the concerned engineers, Gerald W Wilson compiled a 50 page dossier detailing the unsuitability of Windows as a foundation for a naval command system, and arguing that BAE's Unix history and expertise made open source UN*X a logical and viable way forward.

In May of this year Wilson reiterated his concerns to the board of BAE Systems at the company's AGM, pointing out that Windows is "proprietary technology owned by a foreign corporation", has "many and continuing security flaws", and is not even warranted by Microsoft itself for safety-related use. Why then, he asked, is AMS "shunning established engineering practice" by developing the Type 45's CMS on Windows?

announced, claiming as it did to be 'encouraging' open systems development, that Windows 2000 was "the current baseline console" for Type 45 development. AMS supports this with copious documentation on the AMS approach to open systems, which can be summarised as open, so long as it uses Windows.
on submarine HMS Torbay, together with plans to retrofit Windows to Vanguard class and other attack submarines. And in case you're wondering, the Vanguard class boats carry the UK's Trident thermo-nuclear intercontinental ballistic missiles. So some people think that's a heap of responsibility for Windows to carry.

As The Register has noted in previous pieces on BAE's interesting Windows plans, this is no trivial matter. Whereas most previous naval deployments of Microsoft Windows worldwide have been overhyped, and have dealt largely with non mission-critical, non-lethal installations, AMS really is committing the Royal Navy to Windows-based command, control and combat management systems. Having spoken up and lost his job for his pains, Gerald Wilson has now contacted The Register.

Gerald Wilson writes:

I used to work for BAE Systems, within the division which developed Command Systems for naval warships. Four years ago, I spurred active debate about the future software foundations for these systems. As a long-time assessor of innovative technology, I advocated investigation of, and adoption of, open source UNIX foundations, such as BSD and GNU/Linux. Given that the company's command system products had already been successfully migrated to run on proprietary UNIX, I viewed this as a natural strategic evolution, expected to be low in cost and risk.

One consequence was that computer resources were owned and controlled by BAE's outsourcing partner (Computer Sciences Corporation). CSC's published policy was to standardise BAE's computers to use only Microsoft's proprietary software. Deprived of equipment, it was difficult to investigate open source UNIX as an alternative technology, despite BAE touting "Innovation and Technology" as one of the company's core business values; ultimately, the only recourse was to buy equipment from private funds. The enforced conformance to Microsoft Windows influenced Engineering.

In New Year 2002, it was decided that the Combat Management System, for the new Type 45 destroyer, would run on Microsoft Windows. Many of us raised in the discipline of software engineering were alarmed, even shocked, to learn this, but lacked strong grounds for speaking against it. In April 2002, Bill Gates, acting as Microsoft's Chief Software Architect, gave extensive testimony under oath to the US Courts. Gates's testimony included description of the current structure of Microsoft Windows. Snubbing fifty years of progress in computer science, the current structure of Windows abandoned the accepted principles of modular design and reverted instead to the, much deprecated, entangled monolithic approach. If this is a flagship Operating System, then Dijkstra's life was in vain.

Those of us who understood the implications of trying to use Windows as a foundation for a command system saw the risk. As loyal officers of the company, we were obliged to attempt to convince management about the risk. Acting as spokesman for a phalanx of concerned engineers, I compiled a dossier to document the problem. The dossier provided a management summary, reinforced by some fifty pages of detailed analysis and rigorous argument. The dossier explained why Microsoft Windows could not form a safe and secure foundation for a naval command system, and why, given BAE's established use of proprietary UNIX for this purpose, open source UNIX was a sound successor. The dossier was circulated within the division (now part of BAE's joint venture AMS) in summer 2002, and more widely within BAE Systems. For the public record: the dossier was stored under the references JSWT/MRX/379 and JSWT/MRX/471 within the standard electronic filing system used by command system developers. Hence it would be impossible for the company to lose these documents without calling into question its ability to manage project documents of any kind.

Rather than respond to the concerns I had raised, the company terminated my employment. Whatever my failings, sloppiness of thought is not one of them. I felt that I had applied my mind to this issue on behalf of my employer, but that my concerns had - echoing Mr Justice Sheen - been treated with derision. Although not (when written) protectively marked, these documents are, obviously, commercially sensitive, and remain the property of the company. Consequently I would not be able to publish them even supposing I had copies available. They can only come under public scrutiny if released by the company; although, realistically, I would expect the company to be reluctant to do that.

Since leaving the company, I have repeated my concerns to various parties: to the management of AMS, to MoD officials, to the heads of professional bodies (the BCS and the IEE), and to the board of BAE. So far, I have been unable to convince anyone to agree with my view. As far as I can tell, BAE remains wedded to "Windows for Warships", and ignorant about open source alternatives.

Despite BAE's wishful thinking, this issue will not go away. In the two years since I compiled the dossier, numerous security problems have been discovered in Microsoft Windows and its ancillary programs. Many of these have arisen precisely because of its non-modular structure, and in particular because of the complex entanglement between Internet Explorer and the rest of Windows. These continual problems demonstrate how, in practice, Windows proves inherently insecure by design.

Greene distinguishes how the structure of Windows (entangled, monolithic) necessarily compromises its security when compared with the structure of open source UNIX (modular, scalable). It is simple to infer which structure is preferable for building a safe and secure foundation for an engineered system, such as a naval command system. A more recent example is this recommendation in a recent security advisory from the Computer Emergency Readiness Team, now part of the US Department of Homeland Security.

One solution recommended here is to use a different web browser: "There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, the graphical user interface (GUI), and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites..."