Muppets, loonies or what?

Found this posted on a forum I frequent.

Thought the railways thing was bad? They're talking about nuclear subs


OSS torpedoed: Royal Navy will run on Windows for Warships
By John Lettice
Published Monday 6th September 2004 13:15 GMT

Almost three years ago the naval systems arm of major UK defence contractor
BAE Systems took the decision to standardise future development on Microsoft
Windows. An immediate effect was to commit BAE's joint venture CMS subsidiary,
AMS, who specialise in naval Combat Management Systems, to implementing a
Windows 2000-based CMS system for the new Type 45 Destroyer. But this prompted
strong internal opposition from some of AMS' engineers, who had a sound
background in Unix and who had, despite resource starvation and a companywide
policy to standardise on Windows, been investigating open source alternatives
as a foundation for future combat systems.

They lost. Acting as spokesman for the concerned engineers Gerald Wilson
compiled a 50 page dossier detailing the unsuitability of Windows as a
foundation for a naval command system, and arguing that BAE's Unix history
and expertise made open source UN*X a logical and viable way forward. The 
company then made him redundant. In May of this year Wilson reiterated his
concerns to the board of BAE Systems at the company's AGM, pointing out
that Windows is "proprietary technology owned by a foreign corporation",
has "many and continuing security flaws", and is not even warranted by
Microsoft itself for safety-related use. Why then, he asked, is AMS "shunning
established engineering practice" by developing the Type 45's CMS on Windows.

But in July of this year AMS announced, claiming as it did to be 'encouraging'
open systems development, that Windows 2000 was "the current baseline console"
for Type 45 development. AMS supports this with copious documentation on the
AMS approach to open systems, which can be summarised as open, so long as it
uses Windows. Earlier AMS had announced the deployment of Windows on submarine
HMS Torbay, together with plans to retrofit Windows to Vanguard class and
other attack submarines.

And in case you're wondering, the Vanguard class boats carry the UK's Trident
thermo-nuclear intercontinental ballistic missiles. So some people think that's
a heap of responsibility for Windows to carry.

As The Register has noted in previous pieces on BAE's interesting Windows plans,
this is no trivial matter. Whereas most previous naval deployments of Microsoft
Windows worldwide have been overhyped, and have dealt largely with non
mission-critical, non-lethal installations, AMS really is committing the Royal
Navy to Windows-based command, control and combat management systems. Having
spoken up and lost his job for his pains, Gerald Wilson has now contacted The
Register. What follows is his story, in his own words.

Gerald Wilson writes: I used to work for BAE Systems, within the division which
developed Command Systems for naval warships. Four years ago, I spurred active
debate about the future software foundations for these systems. As a long-time
assessor of innovative technology, I advocated investigation of, and adoption
of, open source UNIX foundations, such as BSD and GNU/Linux. Given that the
company's command system products had already been successfully migrated to run
on proprietary UNIX, I viewed this as a natural strategic evolution, expected
to be low in cost and risk. However, BAE had undergone several structural
changes. One consequence was that computer resources were owned and controlled
by BAE's outsourcing partner (Computer Sciences Corporation). CSC's published
policy was to standardise BAE's computers to use only Microsoft's proprietary

Deprived of equipment, it was difficult to investigate open source UNIX as an 
alternative technology, despite BAE touting "Innovation and Technology" as one
of the company's core business values; ultimately, the only recourse was to buy
equipment from private funds. The enforced conformance to Microsoft Windows
influenced Engineering. In New Year 2002, it was decided that the Combat Management
System, for the new Type 45 destroyer, would run on Microsoft Windows. Many of us
raised in the discipline of software engineering were alarmed, even shocked, to
learn this, but lacked strong grounds for speaking against it; that is, until
April. In April 2002, Bill Gates, acting as Microsoft's Chief Software Architect,
gave extensive testimony under oath to the US Courts. Gates's testimony included 
description of the current structure of Microsoft Windows. Snubbing fifty years of
progress in computer science, the current structure of Windows abandoned the
accepted principles of modular design and reverted instead to the, much deprecated,
entangled monolithic approach. Paragraphs 207 to 223 are particularly revealing
about Microsoft's chosen approach (paragraph 216 is difficult to believe!).

* Anyone with elementary knowledge of computer science can see that Microsoft
Windows, as described here by Gates, is inherently insecure by design. If this
is a flagship Operating System, then Dijkstra's life was in vain.

Professional responsibility now took hold. Those of us who understood the 
implications of trying to use Windows as a foundation for a command system saw
the risk. As loyal officers of the company, we were obliged to attempt to convince
management about the risk. Acting as spokesman for a phalanx of concerned engineers,
I compiled a dossier to document the problem. The dossier provided a management
summary, reinforced by some fifty pages of detailed analysis and rigorous argument.
The dossier explained why Microsoft Windows could not form a safe and secure
foundation for a naval command system; and why, given BAE's established use of
proprietary UNIX for this purpose, open source UNIX was a sound successor. The
dossier was circulated within the division (now part of BAE's joint venture AMS) in
summer 2002, and more widely within BAE Systems. [For the public record: the dossier
was stored under the references JSWT/MRX/379 and JSWT/MRX/471 within the standard
electronic filing system used by command system developers. Hence it would be
impossible for the company to lose these documents without calling into question
its ability to manage project documents of any kind.]

The company's action was swift, but disappointing. Rather than respond to the
concerns I had raised, the company terminated my employment. I was dismayed. 
Whatever my failings, sloppiness of thought is not one of them. I felt that I
had applied my mind to this issue on behalf of my employer, but that my concerns
had - echoing Mr Justice Sheen - been treated with derision. Although not (when 
written) protectively marked, these documents are, obviously, commercially 
sensitive, and remain the property of the company. Consequently I would not be
able to publish them even supposing I had copies available. They can only come
under public scrutiny if released by the company; although, realistically, I 
would expect the company to be reluctant to do that.

Since leaving the company, I have repeated my concerns to various parties: to
the management of AMS, to MoD officials, to the heads of professional bodies
(the BCS and the IEE), and to the board of BAE. So far, I have been unable to
convince anyone to agree with my view. As far as I can tell, BAE remains wedded
to "Windows for Warships", and ignorant about open source alternatives. Despite
BAE's wishful thinking, this issue will not go away. In the two years since I
compiled the dossier, numerous security problems have been discovered in Microsoft
Windows and its ancillary programs. Many of these have arisen precisely because of
its non-modular structure, and in particular because of the complex entanglement 
between Internet Explorer and the rest of Windows. These continual problems
demonstrate how, in practice, Windows proves inherently insecure by design.
There are many public descriptions of this issue: but a succinct summary is
found here: (Does open source software enhance security? - The Register). Although
partisan, Greene's analysis is accurate. Greene distinguishes how the structure of
Windows (entangled, monolithic) necessarily compromises its security when compared
with the structure of open source UNIX (modular, scaleable). It is simple to infer
which structure is preferable for building a safe and secure foundation for an
engineered system, such as a naval command system. A more recent example is this
recommendation in a recent security advisory from the Computer Emergency Readiness
Team, now part of the US Department of Homeland Security. (US-CERT Vulnerability
Note VU#713878, 9th June 2004: Microsoft Internet Explorer does not properly
validate source of redirected frame).

One solution recommended here is to use a different web browser:

"There are a number of significant vulnerabilities in technologies relating to
the IE domain/zone security model, the DHTML object model, MIME type determination,
the graphical user interface (GUI), and ActiveX. It is possible to reduce exposure
to these vulnerabilities by using a different web browser, especially when browsing
untrusted sites. Such a decision may, however, reduce the functionality of sites
that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that
using a different web browser will not remove IE from a Windows system, and other
programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering
engine (MSHTML)." (italics are mine)

CERT's analysis explains why this is a chronic problem. For the time being, CERT
limits its advice to that of avoiding use of Internet Explorer, rather than
avoiding Windows as a whole. However: CERT confirms that, as others have already
found, IE cannot be removed from Windows, and its presence can still leave
vulnerabilities in the system even if IE is never used as an application, showing
again how Windows remains inherently insecure by design. In an operating system,
the combination of closed source and entangled structure makes for a deadly
cocktail. I am pleased that the US DHS is now recognising and warning about the
risks which I and others have highlighted for more than two years. However, I
shall only sleep soundly once I know that Windows has been banned from the
command systems of the Royal Navy's warships for good.

* We've had several requests for the location of transcripts of Gates' testimony,
links from the period now being largely broken. It isn't where it used to be at 
microsoft.com, but is still in the company's legal archive, here. It should be 
somewhere on the DoJ site, but the Microsoft section of the watchdog's 
operations now seems a wreck of broken links (moral here somewhere), and we
can't readily find it. It's Exhibit 1507, should anybody want to try to hunt
it down, but there's a copy here, and a Google of Gates, testimony, 1507 and
PDF may net you a couple of other hosts.

As regards the offending paragraph 216, it goes like this, and is indeed
breathtaking: "In a purely theoretical world, one could imagine developing
modest software programs in such a way that any module could be swapped out
in favor of a similar module developed by a third party. The replacement module
would need to conform identically to the interfaces expected by all of the
modules with which it interacts. In the commercial world, it is hard to see
what value such replace-ability would provide even if it could be achieved.
For Netscape Navigator to suffice as a replacement for Internet Explorer, for
example, developers at Netscape would have to devote enormous effort to
matching the functions of Internet Explorer and enabling those functions to
perform in precisely the same way as Internet Explorer. When they were done,
they would have software that is nearly identical to Internet Explorer (a 
'clone'), providing little or nothing in the way of new value." - John 


Be kind to pigeons
Get my GPG key here: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x21C61F7F