Microsoft to Offer Patches to U.S. Govt. First
Elitist_Phoenix writes "Reuters reports that 'Microsoft is to give the U.S. government priority in fixing security holes in Windows and other software, The Wall Street Journal reported on Friday. Under a plan to take effect later this year, Microsoft will give the U.S. Air Force versions of software 'patches' to fix serious security vulnerabilities up to a month before they are available to others.' Yet another attempt to fight off impending doom, by trying to keep the government away from open source?"
Haha (Score:5, Funny)
So they're getting the government to beta-test their patches? Sweet.
Re:Haha (Score:5, Insightful)
Re:Haha (Score:2, Insightful)
Re: (Score:3, Informative)
Re:Haha (Score:3, Interesting)
Which is an anti-selling point to governments in the rest of the world. If you were the Japanese government, would you want to know that the US were getting preferential treatment?
So either Microsoft is giving up on fighting OSS for other governments, or this program will shortly be extended to other nations.
And if it's extended to other nations, then all those posters who were worried about the USAF staf
Re:Haha (Score:5, Interesting)
If you were the Chinese government, would you want to know the US is getting free help from Microsoft to spy on you? Probably not.
If you were a concerned person living in another county who happens to find out about an exploit in Windows, would you want the US government getting a month-long head start on hacking/spying on the rest of the world, possibly even including the country you live in?
Microsoft has spent years trying to convince people who find exploits to "do the ethical thing" and tell them about it before letting the rest of the world know. If you happen to be a citizen of another country, this puts a very big question mark on whether giving MS the exploit is "the ethical thing" to do.
My best guess is that otherwise helpful security professionals who happen to live outside our borders will be posting more and more exploits directly to the web because of this policy. Ironically, that will end up making things _less_ secure for the Air Force in the long run.
TW
Re:Haha (Score:2)
My first thought (Score:3, Interesting)
Imagine for example that there is a conflict with China over Taiwan--- say they decide on a naval blockade. The US military could have a full month of inside knowledge regarding Windows vulnerabilities that they could try to use in an electronic warfare environment.
This move
Re:Haha (Score:4, Interesting)
It's also bad on the government's part to be complicit in this withholding of security fixes - it makes the country less secure, not more secure.
Re:Haha (Score:4, Insightful)
Sadly, the majority of people will answer back, "Well, gosh gee. You're right. Microsoft makes me feel special! Microsoft is so great."
Shiny thing catches the sunlight. Bargain. Today only. People are stupid.
Re:Haha (Score:5, Insightful)
Re:Haha (Score:4, Insightful)
a) Not think that.
b) Not think of linux as a substitute for Windows.
Because the average computer user doesn't install security patches anyways!
Re:Haha (Score:2)
Re:Haha (Score:2)
Re:Haha (Score:5, Funny)
1. Don't land the plane
2. Open an audio file.
3. Shoot the base,
"Oh crap."
Re:Haha (Score:3, Funny)
Re:Haha (Score:3, Funny)
Re:Haha (Score:4, Funny)
In this case, maybe a parachute?
Re:Haha (Score:3, Insightful)
The fact that most of their code sits around for like 2 years before actually getting in the download hopper is sickly amusing.
Sure this will push things ahead *just* a touch.
My only worry is: what if this was the plan all along. Slowly just sort of start sending out patches quicker, maybe push all those product releases that have been in the "2yea
Safety First (Score:5, Insightful)
Re:Safety First (Score:5, Interesting)
Re:Safety First (Score:3, Insightful)
I mean, if industry insiders can supply movies to release groups ahead of time, I don't see any reason why government employees can't do the same. There's a decent chance that they'll bring the patches home to use on their own computer and probably also give it to friends.
Security isn't as tight as you would like to believe.
Re:Safety First (Score:2, Informative)
Re:Safety First (Score:2, Insightful)
Re:Safety First (Score:5, Insightful)
So the argument here is that because the USAF is using an NSA-designed build, they can guarantee a pretty stable environment. MS has a known quantity to test against, which lets them test faster (and presumably better), so they can afford to roll those patches out earlier. They then spend the next few weeks trying to make sure their patches work on Everything Else. One of the hopes cited in the article I read is that this will encourage other entities, like banks and such, to adopt the NSA's build (or at least model their own after it). That will, of course, enable Microsoft to expand its "early release" program, making them more money, but it may also lead to better security across the board. As we all know, a good sysadmin can secure anything, even a Windows box. Well, if you aren't a good sysadmin, maybe you can copy one and get similar effects, right?
That's their line. It does make sense, though I personally would rather see MS release all their patches after minimal QA, then a month (or so) later release "improved" versions. That way, if the patch breaks some third-party program, at least the folks who don't use that program can get the benefits. MS does this sometimes already. Of course, my expectation is that if they did this with every patch, that "month" wait would be closer to two or three months, and often the updated patch would never come out at all.
Re:Safety First (Score:5, Insightful)
It makes sense until you realize that the OSS crowds install even more sorts of programs and make even more adjustments to their computers, yet manage to get patches in a timely manner.
Which means that either Microsoft is terminally unable to create stable and clean APIs so everything affects everything else, causing an inordinate amount of breakage, or they're still not very serious about the patching thing.
Re:Safety First (Score:5, Insightful)
Re:Safety First (Score:3, Insightful)
What about firms that host their sites (Score:2, Interesting)
Re:What about firms that host their sites (Score:2)
What if... (Score:5, Interesting)
Also, how would other governments see this? Would they accept being 'second-class customers', no different in Microsoft's eyes to the Average Joe?
Re:What if... (Score:5, Funny)
Some general 'accidentally' orders an airstrike on Redmond and blames it on buggy software.
Re:What if... (Score:2, Insightful)
Re:What if... (Score:2)
Re:What if... (Score:2)
I don't see how delaying security patches to the bulk of their customers will make anyone more secure.
Re:What if... (Score:2)
They can know exactly what computers the government has (most likely bought in bulk to the same company, even if several offices buy them from different places will still be a relatively small target to test on), while they would need to use a LOT more variety to test before they're sure it's safe for most people's computers out there (insert "you mean they test them???" joke here.. :))
I'm
Re:What if... (Score:2)
You shouldn't take any vendor at his word that the patch won't cause any issues.
Smart idea by Microsoft (Score:5, Insightful)
What's more satisfying? The idea of having some small company like Red Hat at your beck and call? Or Microsoft?
This is going to help (Score:2)
I can just imagine it now: "Buy Windows, and get security patches for free, up to a month after they have been released!"
This is obvious... (Score:5, Funny)
That's why the Government is first.
Re:This is obvious... (Score:4, Funny)
First 5 air-strikes a year for FREE!?
USAF endorsement of the Flight Simulator series?
A free G-Suit for Ballmer? (much more effective than that girdle he borrowed from Shatner, I bet).
We should be told...
Great idea. (Score:4, Interesting)
Re:Great idea. (Score:3, Insightful)
Re:Great idea. (Score:5, Insightful)
During your month of testing, your systems are still vulnerable. MS can't make the patches any faster, therefore you having them a month earlier than everyone else can only mean that they are delayed to everyone else who needs them. How could that possibly be a good thing. Banks, powerstations, hospitals - they all can ill-afford downtime.
Finally, "released to the government" means what? They post them on their website? Like they do now...
As far as I can see, this helps no-one.
Please explain.
Re:Great idea. (Score:5, Insightful)
Re:Great idea. (Score:2)
In fact... so awesome I'd like to have the patches a month in advance as well. As I'm sure everybody else would.
Odd... WE don't have a problem :) (Score:4, Insightful)
My government computer runs Debian, and I don't recall having ANY problems like this
Actually, now that I think about it, I *did* need to train my spam filter to discard our security team's "Microsoft virus alert" messages
Re:Great idea. (Score:2)
Crazy, no? (Score:4, Insightful)
Is the airforce more important than say, nuclear power plant operators?
While it's conceivable there could sometimes be some advantage in releasing a beta version of a security fix, there is no advantage whatsoever in merely delaying the general release of a patch, so MS must have agreed to supply early versions of patches to the USAF.
This, I predict, will cause more problems than it will solve.
--
Toby
Re:Crazy, no? (Score:3, Interesting)
Is the airforce more important than say, nuclear power plant operators?
While it's conceivable there could sometimes be some advantage in releasing a beta version of a security fix, there is no advantage whatsoever in merely delaying the general release of a patch, so MS must have agreed to supply early versions of patches to the USAF.
It's not that the USAF needs those early patches more than anyone else, it's that the Air Force has standardized on nothing but Microsoft software for almost everything it
Re:Crazy, no? (Score:2)
> enough to be running Windows are unsafe?
I don't mean this to be rude, I mean this as a serious honest question; do you really mean that question, or are you being ironic?
--
Toby
Re:Crazy, no? (Score:2)
> Energy so utility company or not, I'm sure they'll
> get patches early
This makes no sense to me.
If a patch is ready, what possible advantage is there in delaying the release of the patch to some of the userbase?
--
Toby
Re:Crazy, no? (Score:2)
Well, Microsoft may want to ship a service pack that's been fully integrated and tested, but allow individuals (the government) the opportunity to run integrated systems.
Microsoft doesn't want the nightmare of supporting:
Windows XP-.26.CK-Nitro-7
Windows XP-.12.Redhat+AC USB updates
etc..
When they can support Windows XP SP 3 and tell everyone who's running Windows XP SP 3 to install the latest service pack and see
Re:Crazy, no? (Score:2)
So, who do they upset most? (Score:5, Insightful)
Re:So, who do they upset most? (Score:2)
Article submitter biased? No, not on /. (Score:4, Informative)
Man, people really want Microsoft to become a footnote in history.
Hostile take over attempt. (Score:3, Funny)
Exploits? (Score:3, Insightful)
Not that they probably need much help to find holes in M$ software, but still, this stinks. If the government really was concerned about security, they wouldn't ask to get patches before everyone else; rather, they'd ask that patches be made available to *everyone* as soon as possible.
Meanwhile the rest of the world... (Score:2)
In other words..... (Score:2, Insightful)
Marketspeak (Score:3, Funny)
This is marketspeak. Marketspeak is nonsense. There is no such thing as well thought out marketspeak.
I'm sure that when the programmers heard this idea, they sat in a room and just collectively went "duh?!?" to themselves, then realized that marketing execs get paid more than they do, and laughed about it later around the water cooler.
Great (Score:5, Insightful)
Re:Great (Score:2)
That only leaves the USA which this article is largely about and Antarctica which AFAIK is owned by everyone and doesn't have its own government that may require Microsoft software.
Re:Great (Score:2)
Re:Great (Score:2)
Re:Great (Score:2, Interesting)
Yes, government transition doesn't happen overnight. 2006 - 2007 is a very short time for that, you should increase that to 2007 - 2009 or something like that.
To cite a real case, Brazil started its transition in 2002. Today there has been no significant move to Linux yet. Instead, almost all the public documents have been translated from M$ Office to a more open format. A lot of time was spent discussing what is an 'open format' and generating policies. To make the long story short, 2 years after the decisio
Impending Doom? (Score:3, Insightful)
Machiavelli (Score:5, Insightful)
So, if you're a foreign government, the US government has one month to break into your unpatched systems. Or, if you're anyone the US government doesn't like, the CIA, FBI, HLS, etc., has a month to hack your unpatched systems.
I give Microsoft credit for possessing at least a basic understanding of Machiavelli.
Microsoft Liability ? (Score:5, Insightful)
New Microsoft 'Buddy' called Patches (Score:2, Funny)
'Patches' is a mean son'ova' gun who uses rattle snakes as condoms and pisses napalm. I for one am glad to have this online hero on our side.
Back-handed insult (Score:2)
BWAHAHAHAHAHA!!!! (Score:2, Funny)
The logical conclusions (Score:2, Insightful)
A) They deliver beta-patches to the DoD
or
B) They deliver final patches to the DoD and delay them for a month before public release
Obviously both cases are a disaster:
A) We all know how buggy Microsoft's final software is, I can't imagine how someone can use their beta patches in a critical disaster.
B) Telling the government about security issues first and delaying patches for the general public is bound to cause an uproar. They are already quite slow when it comes to releasing patch
I don't understand what good this will do (Score:2)
If a patch is good, and reliable, send it to everybody. The more people that are patched, the better.
If a patch is bad, do we want military computers testing the fix first?
In other words (Score:2)
Military use of Windows and other OS's (Score:2)
Does the military use OS X? It would seem to me that OS X would be a great alternative to Windows based systems since most of their software is custom anyhow.
Could 0wned admins sue MS? (Score:5, Interesting)
This would likely vary from jurisdiction to jurisdiction. Anyone got an amateur/professional legal opinion?
The US Taxpayer will pay... (Score:2, Insightful)
for doing Microsoft's work of verifying stability...
No small amount at Government charge-out rates, at some factor higher than "normal" contractor rates. Imagine the thousands of Gov. admins spending their time, your dollar, to do MS's work, for what they charge the Gov., us, a premium.
And I happen to be OK with Microsoft...
Could...... (Score:2)
Translate to:
Microsoft confirm that businesses are second rate customers. Seriously, if it was a case of MS revealing details of vulnerabilities to the US Military first I could understand it, but giving them the patches first? When a new virus is released that exploits a hole I suspect the military are the least likely to be the ones who end up DDoS'ing or spamming people as
Another win for Linux (Score:2)
Doesn't that just add to the proof that MS treat their regular users like bitches.
Yet another justification that anyone with a choice should be running Linux.
I Know Why! (Score:2)
The reason they are doing this is really obvious: One of the obvious advantages to most Linux distributions is that they usually come out with patches within a day of vulnerabilities, and the patches are available immediately. Windows, on the other hand, patches once a week or once a month. Obviously, Linux looks better here. By offering the government a faster patch cycle, they are trying to compete with the Linux distributions and make themselves look better again.
Some cat stole my tongue... (Score:2)
Scenario:
- [zerohour] Exploit gains recognition
- [+1 month] Microsoft releases patch to USAF
- [+2 month] Microsoft releases patch to US Consumers
Greeaaaat...
Natural evolution of thought (Score:3, Informative)
First everybody (really, mostly IT professionals trying to balance benefit of patching versus risk and cost of patching) berated Microsoft for releasing patches too often. So, Microsoft responds and releases them once a month. OF COURSE that means they are holding onto patches for up to a month. The number of ignorant posts here that seem to think that this is an announcement that they are going to START delaying patches is just unbelievable. The industry already made them do that.
This is just the natural next step in the social evolution of the situation. Now we've got the users who have a different benefit/risk equation demanding release of patches as soon as they are available. It's just the Air Force now, but it will eventually become a selectable option so that we can all choose our own poison.
Personally, I've never had a problem with applying a Microsoft patch despite having 100s of applications on my machines including several large suites and a large proportion of open source. The problems seem to come mostly to people using low quality drivers or applications from a few companies that have questionable SW design practices like replacing core DLLs. I'd like the Air Force's option and suspect I'll eventually get it.
What about other countries? (Score:2)
Headstart on ZeroDay (Score:2)
I would deduce that what they are thinking is this: Malicious H4x0rBoyz and script-kiddies don't do the real work of discovering vulnerabilities (real security professionals mostly do that), but just wait for MS to issue a patch or advisory and then build an exploit by reverse engineering the patch. Once the patch is announced, a race starts between crackers and admins to see who will test and deploy their respective patches-vs-exploits bef
Holes in open source (Score:2)
Place your bets (Score:2)
1) Honest government employees will upload patches to warez sites; private sysadmins will have to turn to piracy to protect their networks.
2) Dishonest government employees will upload trojaned patches to warez sites; private sysadmins will have no way to compare them to the real MS patches until it's too late.
3) Honest government employees will post exploit information to white-hat security lists; private sysadmins will have to make choic
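The second bet above, a trojaned copy that admins cannot tell from the real patch, is what a pinned-hash check is for. The following is an added example, not code from the thread or from Microsoft: the manifest, file names and patch bytes are constructed stand-ins, and the only assumption is that a trustworthy hash is obtained through a channel separate from the download itself (the real-world analogue on Windows is checking the vendor's code signature on the file). Any file whose name is not pinned, or whose contents differ from the pinned hash, is refused.

```python
"""Verify a downloaded patch against a pinned SHA-256 manifest before installing it."""
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for the bytes of a genuine vendor patch. The matching
# SHA-256 below plays the role of the value a vendor would publish out of band
# (for example in a signed advisory); the manifest must never come from the
# same untrusted mirror the file itself was fetched from.
GENUINE_PATCH_BYTES = b"constructed stand-in for a genuine patch binary\n"
PINNED_MANIFEST = {
    "KB000000-example-x86.exe": hashlib.sha256(GENUINE_PATCH_BYTES).hexdigest(),
}


def sha256_of_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large patch binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_patch(path, manifest=PINNED_MANIFEST):
    """Return (ok, reason) for a downloaded file.

    A file whose name is not pinned is rejected without being opened, and a
    pinned name with different contents (a repackaged or trojaned copy) is
    rejected too: the file name never counts as evidence, only the hash does.
    """
    name = os.path.basename(path)
    expected = manifest.get(name)
    if expected is None:
        return False, f"{name}: no pinned hash, refusing to install"
    actual = sha256_of_file(path)
    # Constant-time comparison of the two hex digests.
    if not hmac.compare_digest(actual, expected):
        return False, (f"{name}: hash mismatch (expected {expected[:16]}..., "
                       f"got {actual[:16]}...)")
    return True, f"{name}: matches pinned hash"


def demo():
    """Write three constructed files to a temp dir and verify each; return label -> ok."""
    cases = {
        "genuine": ("KB000000-example-x86.exe", GENUINE_PATCH_BYTES),
        # Same file name as the genuine patch, two bytes appended: a "trojaned" copy.
        "tampered": ("KB000000-example-x86.exe", GENUINE_PATCH_BYTES + b"\x90\x90"),
        # A file nobody pinned at all.
        "unknown": ("KB999999-unlisted.exe", b"some other bytes"),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, (name, content) in cases.items():
            sub = os.path.join(tmp, label)
            os.mkdir(sub)
            path = os.path.join(sub, name)
            with open(path, "wb") as fh:
                fh.write(content)
            ok, reason = verify_patch(path)
            results[label] = ok
            print(f"{label:9s} -> {'OK    ' if ok else 'REJECT'}  {reason}")
    return results


if __name__ == "__main__":
    demo()
```

Only the genuine file passes; the tampered copy is rejected despite carrying the right name, and the unlisted file is rejected before it is even read. A signed-advisory or Authenticode check adds origin to this integrity check, but the hash comparison is the part that stops a relabelled file from warez sites from being installed as a real patch.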
Banks, etc (Score:2)
And anyways, the important patches nowadays relate to keeping out Internet intruders. Hopefully the military systems aren't on the public net!
delays (Score:4, Insightful)
This makes no sense, since a patch is a patch. Sure M$ might earn some brownie points from the government entities that get this priority, but the resulting backlash from everyone else will be worse.
Two possibilities... (Score:2)
So which is it, Bill? And will you offer the same treatment to other governments worldwide? Or will you tell them that you are deliberately leaving them twisting in the wind with the rest of us, while the US Govt gets preferential treatment?
Doublethink (Score:3, Insightful)
This means either one of two things (Score:3, Interesting)
If you get audited this year, blame Microsoft.
Re:Yet another attempt to fight off impending doom (Score:3, Insightful)
In the US, we are government. It is "by the people, for the people".
Re:Yet another attempt to fight off impending doom (Score:2)
1: The patches are complete and tested (as well as can be expected from MS, anyway) before being deployed to Air Force systems.
2: The patches are untested when they go to the Air Force.
Assuming the second case is true for a moment, I don't think the powers-that-be in the Air Force will be so happy about this. As noted earlier in this thread, Air Force systems will be used by MS for what is, essentially, beta testing. We're also ignoring the fact that the *really* criti
Re:Yet another attempt to fight off impending doom (Score:2)
Cute wording too; nobody is getting it "early" - they're delivering it late to the majority
Re:Yet another attempt to fight off impending doom (Score:2)
Granted the servers are running some version of Unix (I think I have seen Solaris). But I know some of the US client machines are running Windows on a couple of their classified networks. At that level the client machines are considered critical as well, as if the user cannot get onto a client machine it doesn't matter if the server is up.
Re:Yet another attempt to fight off impending doom (Score:5, Insightful)
You're assuming that anyone is going to enjoy greater security by delaying patches to most other users. I have to question this. And never mind about "entertainment centers"; what about the systems that process your credit cards or medical records?
Re:Yet another attempt to fight off impending doom (Score:2)
Deciding unilaterally that US military forces deserve a better service than other customers (read European govt agencies) can actually be labelled as "bad". It can. I wonder what the genial theoreticians from the WTO think about that? This is free-market US style. Anyway. Nothing surprising.
--
Go Debian!
Re:Yet another attempt to fight off impending doom (Score:2)
I see a bribe and lock in!