Frankly, damnit, this security hole is a consequence of the military's preference for COTS (Commercial Off-the-Shelf)... I see a lot of stuff go out "on the cheap" that has not been sufficiently secured or sufficiently integrated on the basis of "the marketplace will provide."

And no cyberczar can fix the procurement system; it's doubtful any cyberczar will even get a vote in DoD/Intel Community policies and acquisitions.

But in some respects it's appropriate to have a former employee of Microsoft as cyberczar, given how -much- Microsoft has contributed to our current state of insecurity.

Microsoft has always been a crutch for the insecurity of software systems. The reality is that they all suck...for example, the only real reason why Apple is better (this is separate from usability, simplicity, and overall integration) is that it has a lower market share, and malware makers are businesses too! Why make a piece of badware for only 7% of the market when you can screw 88%?

But some of the insecurity is incredible. When I first got cable internet back in 1999, Windows had "easy networking" that was so easy that if you clicked two checkmarks in a setting in Windows 98...basically all your files were accessible on the net like a server...and some police departments made this mistake...I called TCI (cable company) at the time and they yelled at ME! No good deed goes unpunished...The context is that all consumer Windows before Windows 2000 was designed for closed networks, not the internet...sometimes it is by design and not by goof!

Personally, I find this all a bit weird... after all it was the DoD who pushed many technologies such as spread spectrum for communications, and being obsessed with cyber-security. I remember reading about this in the 1980's, for example. Perhaps it's an example of how big bureaucracies work (or don't). I wouldn't blame COTS equipment, as I'm sure that COTS helps reduce the costs a lot. And it's not as if security isn't a concern for us mere mortal non-military types. After all, I use SSH2, TLS, and WPA2 as part of my daily cyber-life. And their video feeds had *nothing*??? My kids are better protected downloading Jonas Bros episodes from YouTube! The technology is there and available off-the-shelf. Perhaps the procurement process is so slow and convoluted that people designing this stuff can't just grab what they need and use it. I know some aspects of military software can be extremely conservative --- I met some people a few years ago who were still programming avionics in the JOVIAL programming language which was designed in 1959, which I had thought had died a perfectly natural death several decades ago. After all, this old software needs to be maintained, I guess....

Considering today's consumer electronics (IC driven) are obsolete when you open the box, to create a system that flies and commands drone aircraft on the other side of the planet from the pilot, almost guarantees newer technologies that will be available to all who desire to play in the game . .

Quantum jumps in technology are in the marketplace in less than six months from discovery today. Just a few years ago, it took "a few years" . . to get to the same marketplace . . And the time it takes to take a military application from plan to dispersal is horrendously slow, still . .

The "Apples don't get viruses because of market share" is an old canard that has been well challenged elsewhere, but I'll just add this thought: If most of the high-end laptops are Macs, aren't these a similar target for cyber-theves as Mercedes, etc. are for carjackers?

On the procurement business, I see a lot of schizophrenia on the part of the procurement world. Half the time they set requirements that can't be met, and the other half they just say "go buy COTS; we have no unique requirements." But the big enemy of big systems, COTS or custom, is schedule pressure. More than anything else, that's what causes our problems on the acquisition side. We don't allow the time to do it right the first time (including tech maturation), and when the overly compressed program fails, we jump the other direction and just buy a bunch of stuff and throw at Soldiers, etc, to integrate. In the end, it takes more time and money to fix that approach, than it would to have spent a bit more time and money to get it right the first time.

The bad guys have geeks in their ranks too.To tempting a hack to not at least try it and they have nothing to lose.

All you need to do to compare the security (not the most rigorous way, since advisories severity differ, but a good way) advisories on Secunia, a private Danish Company that tracks security holes on ALL software.So here is my challenge in the defense of the "old canard!"Vista all time: 79 advisories, 145 vulnerabilitiesOSX all time: 137 advisories, 1101 vulnerabilities

http://secunia.com/advisories/product/96/?task=advisorieshttp://secunia.com/advisories/product/13223/?task=advisories