Should the DoD be used as the metric by which to judge security?

I'm in a browser security debate with someone who works in the DoD. He seems to be of the mind that the DoD is right by default.
Here's a breakdown of what he's said:
IE8 is far more secure than Firefox, Opera or Chrome. ActiveX is a security concern, but Firefox has existing problems that make it worse than ActiveX.

The DoD runs Windows, not OpenBSD. This is because Windows is more secure.
Windows and IE are more secure than OpenBSD and Firefox which are both open source.

Microsoft is under contract to fix security flaws as they come out, and open source just fix problems whenever they feel like it, making MS's updates more timely and robust.


So, I'm about _ this close to calling this guy a buffoon.
Am I perhaps wildly wrong, and he is in fact correct that IE and Windows trounce Firefox and OpenBSD?

 

Well i'd be careful about

ActiveX is a security nightmare, not just a concern

I've read that DoD/NSA etc have contracts with MS, whereby MS ships them with the OS and IE specially preconfigured in a much safer way than the public receives them.

Also -

Guides when securing Windows http://www.nsa.gov/applications/search/index.cfm?q=windows

Also MS has a close working relationship with them. In fact MS and the NSA worked together on parts of Vista and W7

NSA Helps Microsoft with Windows Vista http://www.schneier.com/blog/archives/2007/01/nsa_helps_micro_1.html

NSA Helping with Windows 7 Security http://www.tomshardware.com/news/NSA-Windows-Microsoft-Security-OS,9118.html

Not sure about DOD, but the NSA do use a version of Linux

Securing The X Window System With SELinux http://www.nsa.gov/research/_files/publications/securing_xwindow.pdf

 

he is not correct simply for claiming superiority of one over the other. Both combinations can be and often are made as secure as each other.

 

I call absolute bull. Windows is a general purpose OS. OpenBSD is a veryspecialized OS designed for servers, firewalls, and geeks with a security obsession. OpenBSD developers do a crazy level of code auditing, and have implemented exploit protection (for a long time!) that makes DEP and the like look pathetic.

The big problem with OpenBSD is that it does not have half the functionality Windows has as a workstation OS. Tons of software simply can't work on it - software that the DoD might happen to need. Also it has no dynamic device nodes; until recently had no support for WPA (though I sure hope the DoD doesn't need that )... Basically it's still rather primitive.

IE8 on Windows Vista/7 probably is more secure than Firefox (sandboxing and all), but I think that's all your friend got right.

BTW, if you think OpenBSD is secure check out OpenVMS, which is entirely immune to buffer overflow bugs. Again, it's largely unused due to lack of modern features and software support.

It could very well be that hardened Windows is the best fit for the DoD (though I find it hard to convince myself of that). But the idea that it's the most secure, especially compared to OSes designed from the ground up for security, is ludicrous.

 

LOL

double LOL

ROFL

Double ROFL

Please God don't let your friend be someone within the DoD tasked with protecting computer systems. If so, we are in big trouble. The guy knows nothing about security.

 

NSA invented SELinux! And it is not a "version" of Linux -- it is a kernel patch the NSA developed to provide Mandatory Access Controls (MAC) and a Multilevel Security (MLS) framework. It is now a part of the Linux kernel and can be used with almost any distro.

The difference in this and what NSA did with M$ is that SELinux is 100% open-source and can be inspected for any funny business. Windows cannot be (unless you are the government and sign an NDA).

 

@chronomatic

They did, right thanks

 

IE8 is more secure than Firefox, even inside of Sandboxie?? I had never heard that IE8 was more secure. I had always heard that Firefox was far superior to IE.

 

Not my friend
I should ask him what his job is.
He's actually saying that because DoD uses IE8 and Windows, all end users concerned about security should do so as well. Using Firefox is opening yourself up to more viruses and various other problems.

This is great, lol. You wouldn't happen to know if that's the primary OS for them? And if they use Firefox too(I have to assume), that would be perfect.
NSA > DoD on security measures.

 

Sandboxie is a whole other matter. I'd guess that most browsers are pretty equal when sandboxed that way. But IE has sandboxing by default on Windows and Firefox doesn't. Disable the sandboxing on IE and Firefox is probably more secure, but that's not the point.

(Likewise, Firefox on Ubuntu with the AppArmor sandbox activated is probably at least as secure as sandboxed IE on Windows 7.)

Re the NSA, SELinux (as chronomatic said) is something they contributed to the FOSS community, not necessarily what they use. And no, I've no idea what they use. It might be some kind of super-hardened Linux or BSD, it might be a custom OS they contracted someone to design for them... I've no idea, and at any rate it's probably classified.

 

The DoD probably uses Windows in certain workstation scenarios because that's all their workers know how to use. It doesn't mean it's the best solution. And I am pretty sure the DoD gets full source code access to Windows and has their own specialized hacked, stripped down version. What they use is not what you'd get in a retail version.