Microsoft Security

Microsoft to Offer Patches to U.S. Govt. First 344

Elitist_Phoenix writes "Reuters reports that 'Microsoft is to give the U.S. government priority in fixing security holes in Windows and other software, The Wall Street Journal reported on Friday. Under a plan to take effect later this year, Microsoft will give the U.S. Air Force versions of software 'patches' to fix serious security vulnerabilities up to a month before they are available to others.' Yet another attempt to fight off impending doom, by trying to keep the government away from open source?"
  • Haha (Score:5, Funny)

    by 26199 ( 577806 ) on Saturday March 12, 2005 @09:07AM (#11918927) Homepage

    So they're getting the government to beta-test their patches? Sweet.

    • Re:Haha (Score:5, Insightful)

      by danormsby ( 529805 ) on Saturday March 12, 2005 @09:43AM (#11919081) Homepage
      What I find weird about this is that Microsoft write a patch to fix "serious security vulnerabilities", release to the US military but hold it back from the rest of the world for a month. Will this make the world a safer place?
      • Re:Haha (Score:2, Insightful)

        by TheSHAD0W ( 258774 )
        If anything, it'll give the NSA a chance to write their own worms before the exploit is fixed.
        • Re: (Score:3, Informative)

          Comment removed based on user account deletion
        • Re:Haha (Score:3, Interesting)

          by h4rm0ny ( 722443 )
          If anything, it'll give the NSA a chance to write their own worms before the exploit is fixed.

          Which is an anti-selling point to governments in the rest of the world. If you were the Japanese government, would you want to know that the US were getting preferential treatment?

          So either Microsoft is giving up on fighting OSS for other governments, or this program will shortly be extended to other nations.

          And if it's extended to other nations, then all those posters who were worried about the USAF staf
          • Re:Haha (Score:5, Interesting)

            by Total_Wimp ( 564548 ) on Saturday March 12, 2005 @01:33PM (#11920295)
            If you were the Japanese government, would you want to know that the US were getting preferential treatment?

            If you were the Chinese government, would you want to know the US is getting free help from Microsoft to spy on you? Probably not.

            If you were a concerned person living in another country who happens to find out about an exploit in Windows, would you want the US government getting a month-long head start on hacking/spying on the rest of the world, possibly even including the country you live in?

            Microsoft has spent years trying to convince people who find exploits to "do the ethical thing" and tell them about it before letting the rest of the world know. If you happen to be a citizen of another country, this puts a very big question mark on whether giving MS the exploit is "the ethical thing" to do.

            My best guess is that otherwise helpful security professionals who happen to live outside our borders will be posting more and more exploits directly to the web because of this policy. Ironically, that will end up making things _less_ secure for the Air Force in the long run.

            TW
      • by mikael ( 484 )
        It will stop the US military computers from being used as a 'botnet' but it won't stop the rest of the world from being used to launch DoS attacks.
      • My first thought (Score:3, Interesting)

        by einhverfr ( 238914 )
        My initial reaction to this was that it must have something to do with electronic warfare concerns. I.e. this is not about making the public safer, but rather about making the US military more competitive in the event of a conflict.

        Imagine for example that there is a conflict with China over Taiwan--- say they decide on a naval blockade. The US military could have a full month of inside knowledge regarding Windows vulnerabilities that they could try to use in an electronic warfare environment.

        This move
      • Re:Haha (Score:4, Interesting)

        by Fat Cow ( 13247 ) on Saturday March 12, 2005 @03:34PM (#11921164)
        exactly. since the patch is new software, the only way the government is getting it early is if everyone else is getting it late.

        it's also bad on the government's part to be complicit in this withholding of security fixes - it makes the country less secure, not more secure.
    • Re:Haha (Score:4, Insightful)

      by smchris ( 464899 ) on Saturday March 12, 2005 @10:03AM (#11919171)
      It isn't bad business psychology. You can just hear the salesmen saying, "Who's your daddy! Does linux offer priority access to security patches? I don't think so."

      Sadly, the majority of people will answer back, "Well, gosh gee. You're right. Microsoft makes me feel special! Microsoft is so great."

      Shiny thing catches the sunlight. Bargain. Today only. People are stupid.

      • Re:Haha (Score:5, Insightful)

        by marvin2k ( 685952 ) on Saturday March 12, 2005 @10:17AM (#11919240)
        Sadly, the majority of people will answer back, "Well, gosh gee. You're right. Microsoft makes me feel special! Microsoft is so great."
        No, the majority of people will say, "Well, gosh gee. You just handed out a security fix for a vulnerability to the government but you don't give it to me for another month so my machines are now in grave danger even though they don't have to be. I think I'll try linux for a change, they don't have a "leave your customers hanging in the air" policy."
        • Re:Haha (Score:4, Insightful)

          by canwaf ( 240401 ) on Saturday March 12, 2005 @10:38AM (#11919346) Homepage Journal
          The average computer user would:

          a) Not think that.
          b) Not think of linux as a substitute for Windows.

          Because the average computer user doesn't install security patches anyways!
          • The average computer user doesn't buy software for the US military either. What was your point?
    • Re:Haha (Score:5, Funny)

      by The-Bus ( 138060 ) on Saturday March 12, 2005 @11:09AM (#11919478)
      It looks like you want to: Land the Plane
      1. Don't land the plane
      2. Open an audio file.
      3. Shoot the base,


      "Oh crap."
  • Safety First (Score:5, Insightful)

    by DogDaySunrise ( 829682 ) on Saturday March 12, 2005 @09:10AM (#11918942)
    Sounds a lot more like "Microsoft will delay patches for a month after availability, except to the US Govt". Surely it'd be a lot safer for the US Govt Ltd. for M$ to supply patches to *everyone*, governments included, instead of allowing vulnerabilities to lie unpatched for a few weeks...?!?
    • Re:Safety First (Score:5, Interesting)

      by Rangataua ( 820853 ) on Saturday March 12, 2005 @09:13AM (#11918959)
      I wonder how long it will be before someone creates a virus based on knowledge found in a patch that has only been released to the government.
    • Re:Safety First (Score:2, Informative)

      That was my first thought. Now my network is going to be exposed for a month after Microsoft tells a select class of customers about a vulnerability. Oh, well, not to worry: I'm sure they'll all be trustworthy types, and that's 30 days of bliss before I have to do anything about it...
    • Re:Safety First (Score:2, Insightful)

      by thecwin ( 867144 )
      Maybe it's so that the US Govt can patch their systems before hackers get their hands on the patch and reverse engineer it to exploit others.
    • Re:Safety First (Score:5, Insightful)

      by ctr2sprt ( 574731 ) on Saturday March 12, 2005 @10:08AM (#11919195)
      Well, remember that MS's products are used on hundreds of millions of computers worldwide, and after the OS leaves the box Microsoft has no control over it. People install all sorts of programs and make all sorts of "adjustments" to their computers. This makes QA for patches hideously difficult, since MS has to test against such a wide array of third-party apps.

      So the argument here is that because the USAF is using an NSA-designed build, they can guarantee a pretty stable environment. MS has a known quantity to test against, which lets them test faster (and presumably better), so they can afford to roll those patches out earlier. They then spend the next few weeks trying to make sure their patches work on Everything Else. One of the hopes cited in the article I read is that this will encourage other entities, like banks and such, to adopt the NSA's build (or at least model their own after it). That will, of course, enable Microsoft to expand its "early release" program, making them more money, but it may also lead to better security across the board. As we all know, a good sysadmin can secure anything, even a Windows box. Well, if you aren't a good sysadmin, maybe you can copy one and get similar effects, right?

      That's their line. It does make sense, though I personally would rather see MS release all their patches after minimal QA, then a month (or so) later release "improved" versions. That way, if the patch breaks some third-party program, at least the folks who don't use that program can get the benefits. MS does this sometimes already. Of course, my expectation is that if they did this with every patch, that "month" wait would be closer to two or three months, and often the updated patch would never come out at all.

      • Re:Safety First (Score:5, Insightful)

        by Znork ( 31774 ) on Saturday March 12, 2005 @10:57AM (#11919429)
        "It does make sense"

        It makes sense until you realize that the OSS crowds install even more sorts of programs and make even more adjustments to their computers, yet manage to get patches in a timely manner.

        Which means that either Microsoft is terminally unable to create stable and clean APIs so everything affects everything else, causing an inordinate amount of breakage, or they're still not very serious about the patching thing.
    • Re:Safety First (Score:3, Insightful)

      by Zocalo ( 252965 )
      Actually, since the article says "up to a month" I guess that all it *really* means is that the US Government will get patches as soon as they are ready while everyone else gets to wait for Patch Tuesday. The wording is also vague enough that this does not preclude a particularly critical patch being released to the world at large out of cycle either. I suspect selected other parties might be afforded a similar arrangement too such as large companies, those responsible for critical national infrastructur
  • We host many Gubmint sites. I wonder if we'll get special treatment. Somehow I think not.
  • What if... (Score:5, Interesting)

    by 0x461FAB0BD7D2 ( 812236 ) on Saturday March 12, 2005 @09:10AM (#11918947) Journal
    the patches screw up the systems, as has happened in the past?

    Also, how would other governments see this? Would they accept being 'second-class customers', no different in Microsoft's eyes to the Average Joe?
    • by lxs ( 131946 ) on Saturday March 12, 2005 @09:17AM (#11918971)
      What if the patches screw up the systems

      Some general 'accidentally' orders an airstrike on Redmond and blames it on buggy software.
    • Re:What if... (Score:2, Insightful)

      by Misroi ( 834266 )
      You're right, a big part of testing a patch is releasing the beta version to the public. This might not seem as important for a small security leak, but I can't imagine them releasing big patches that haven't been fully tested. I also fail to see how they can "get the patch up to a month before they are available to other". A month is more than enough time for a security leak to exploit many many Windows users. If the patch is done, why don't they release it to the general public? Only so the Government
      • They only have to test against known government configurations. The next month is testing against as many of the near infinite number of possible configurations as they can.
    • Would they accept being 'second-class customers'

      I don't see how delaying security patches to the bulk of their customers will make anyone more secure.

      • To be fair (yeah, I know, fair to Microsoft, must be new here.. :)) it may be related to the testing of the patches.

        They can know exactly what computers the government has (most likely bought in bulk to the same company, even if several offices buy them from different places will still be a relatively small target to test on), while they would need to use a LOT more variety to test before they're sure it's safe for most people's computers out there (insert "you mean they test them???" joke here.. :))

        I'm

    • Then fire the admin who didn't take due diligence in testing against known configurations. I worked for Canadian Forces for a couple years until my contract got cut due to the project being on time, under budget and a major success, and prior to any hotfix thorough testing was done by the Testing center as well as us prior to push to the site's servers.

      You shouldn't take any vendor at his word that the patch won't cause any issues.
  • by aendeuryu ( 844048 ) on Saturday March 12, 2005 @09:11AM (#11918948)
    People in power love the idea of others sucking up to them. Even if they can get security fixes quicker via open source, the idea that Microsoft is effectively prioritizing them ought to be incentive enough. You could give them good practical and logical reasons for going open source anyway, and they'd MAKE UP their own reasons for not doing it, because they'd LIKE the idea of having a position like this over Microsoft, and would go along with whatever rationalizing they'd have to do to accept it.

    What's more satisfying? The idea of having some small company like Red Hat at your beck and call? Or Microsoft?
  • After this announcement, I bet their marketshare will go up!

    I can just imagine it now: "Buy Windows, and get security patches for free, up to a month after they have been released!"
  • by sgant ( 178166 ) on Saturday March 12, 2005 @09:13AM (#11918956) Homepage Journal
    Prof. Frink: It's because the Government has the troops and the guns and the tanks and the fire falling from the sky with the burning people running amok in an orgy of blood and kicking and the biting with the metal teeth and the hurting and shoving...

    That's why the Government is first.
    • by displaced80 ( 660282 ) on Saturday March 12, 2005 @10:12AM (#11919210)
      But what's Microsoft getting in return, that's what I'd like to know...

      First 5 air-strikes a year for FREE!?

      USAF endorsement of the Flight Simulator series?

      A free G-Suit for Ballmer? (much more effective than that girdle he borrowed from Shatner, I bet).

      We should be told...

  • Great idea. (Score:4, Interesting)

    by Mz6 ( 741941 ) * on Saturday March 12, 2005 @09:14AM (#11918961) Journal
    As a DoD Defense Contractor working on these systems, I think this will help tremendously. Currently, we only get patches when Microsoft posts them on their website. From there it needs to be thoroughly tested to ensure the patch will still allow critical software to continue functioning (the government can ill-afford downtime on some of these systems). Beyond that, it then needs to be applied to thousands of other machines on several different networks. Of course, we only have a small window to get this all completed. With an extra month to have this completed, we have a small advantage to have these systems patched.
    • Re:Great idea. (Score:3, Insightful)

      by jacksonj04 ( 800021 )
      Sorry, but just because you're a DoD contractor doesn't mean that there aren't hundreds of thousands of other businesses needing to test patches before deployment.
    • Re:Great idea. (Score:5, Insightful)

      by martinX ( 672498 ) on Saturday March 12, 2005 @09:34AM (#11919038)
      A small advantage over whom?

      During your month of testing, your systems are still vulnerable. MS can't make the patches any faster, therefore you having them a month earlier than everyone else can only mean that they are delayed to everyone else who needs them. How could that possibly be a good thing? Banks, power stations, hospitals - they all can ill-afford downtime.

      Finally, "released to the government" means what? They post them on their website? Like they do now...

      As far as I can see, this helps no-one.

      Please explain.
    • Re:Great idea. (Score:5, Insightful)

      by CdBee ( 742846 ) on Saturday March 12, 2005 @09:35AM (#11919042)
      I find it a little disquieting that the USAF's primary systems may be running Windows. Windows is good for a lot of jobs, but the frontline defence of the world's most - well - controversial nation possibly ought to be on something a bit more resilient.
    • Awesome idea.

      In fact... so Awesome I'd like to have the patches a month in advance as well. As I'm sure everybody else would.

    • by DoofusOfDeath ( 636671 ) on Saturday March 12, 2005 @10:22AM (#11919269)
      Hmmm...

      My government computer runs Debian, and I don't recall having ANY problems like this :)

      Actually, now that I think about it, I *did* need to train my spam filter to discard our security team's "Microsoft virus alert" messages ;)
    • as another DoD defense employee, I would say that this is a mechanism for trying to get back some of the lag in patches. There is nominally a month delay in patches getting pushed to our user computers due to testing, somesuch... This brings the USAF up to the same point as the rest of the civilian world! Gov't bureaucracy at work
  • Crazy, no? (Score:4, Insightful)

    by Toby The Economist ( 811138 ) on Saturday March 12, 2005 @09:14AM (#11918962)
    This seems crazy on a number of levels.

    Is the airforce more important than say, nuclear power plant operators?

    While it's conceivable there could sometimes be some advantage in releasing a beta version of a security fix, there is no advantage whatsoever in merely delaying the general release of a patch, so MS must have agreed to supply early versions of patches to the USAF.

    This, I predict, will cause more problems than it will solve.

    --
    Toby
    • Re:Crazy, no? (Score:3, Interesting)

      by Eil ( 82413 )

      Is the airforce more important than say, nuclear power plant operators?

      While it's conceivable there could sometimes be some advantage in releasing a beta version of a security fix, there is no advantage whatsoever in merely delaying the general release of a patch, so MS must have agreed to supply early versions of patches to the USAF.


      It's not that the USAF needs those early patches more than anyone else, it's that the Air Force has standardized on nothing but Microsoft software for almost everything it
  • by malkavian ( 9512 ) on Saturday March 12, 2005 @09:15AM (#11918966)
    The Military for having to Beta test MS' latest patches (they'll be the one whose systems crash most by having patches applied that haven't met the real world before), or Commerce, who suddenly realise that they're going to be getting cracked hard, by something MS knows about, has a fix, and just can't be bothered to give them a cure for..
  • by 3770 ( 560838 ) on Saturday March 12, 2005 @09:15AM (#11918968) Homepage

    Yet another attempt to fight off impending doom, by trying to keep the government away from open source?


    Man, people really want Microsoft to become a footnote in history.

  • by jwcorder ( 776512 ) on Saturday March 12, 2005 @09:16AM (#11918969)
    They are giving them the patches first, so when all their systems are down from a bad update, they have the ability to TAKE OVER THE WORLD!!

  • Exploits? (Score:3, Insightful)

    by slavemowgli ( 585321 ) * on Saturday March 12, 2005 @09:18AM (#11918974) Homepage
    So... the government will get an entire month where they can analyse the patches, see what vulnerabilities they fix, and develop exploits to use against those who haven't received the updates yet?

    Not that they probably need much help to find holes in M$ software, but still, this stinks. If the government really was concerned about security, they wouldn't ask to get patches before everyone else; rather, they'd ask that patches be made available to *everyone* as soon as possible.
  • The US government gets to know all about the vulnerabilities in Microsoft's operating system before the rest of the world does; anyone think that'll make the other governments in the world trust Microsoft software more?
  • by galdur ( 829400 )
    Microsoft announces officially that all security holes will be UNPATCHED FOR A MONTH (except for the U.S. Gov. systems)
  • Marketspeak (Score:3, Funny)

    by NitsujTPU ( 19263 ) on Saturday March 12, 2005 @09:23AM (#11918997)
    Ok, before /. gets all in an uproar. Let's go ahead and explain this.

    This is marketspeak. Marketspeak is nonsense. There is no such thing as well thought out marketspeak.

    I'm sure that when the programmers heard this idea, they sat in a room and just collectively went "duh?!?" to themselves, then realized that marketing execs get paid more than they do, and laughed about it later around the water cooler.
  • Great (Score:5, Insightful)

    by Pan T. Hose ( 707794 ) on Saturday March 12, 2005 @09:24AM (#11918999) Homepage Journal
    Another reason for the EU, China and Korea to finally abandon Micro$oft software altogether. Now it is not only a risk of ordinary corporate lock-in but actually a threat to national security and sovereignty of Asian and European States (excluding Middle East states which are hardly sovereign to begin with) because it means that the US government (CIA, NSA and other *AA) will be able to easily reverse engineer Micro$oft patches and exploit the patched vulnerabilities in the parts of the world where there are no patches available so not only stupid people will have vulnerable systems but actually everyone. We can only hope that our European and Asian brothers and sisters are wiser than their American counterparts who will hopefully jump on the bandwagon as well and stop using Micro$oft software. That should mean a great increase in Linux market share during the first quarters of 2006, 2007 (such a serious transition is never done overnight, there are no miracles, we have to be patient). So paradoxically this is actually good news because it will inevitably hurt Micro$oft in the long run. Instead of overreacting we should stay calm, discuss its implications maturely, and see what it means and how the rest of the world reacts. The most important parts of the world to focus on are: Europe, Asia, Australia, Africa, South America and Canada. Only time will tell what that decision really means and which F/OSS O/S will benefit the most where the national security is the top priority.
    • Parent: "The most important parts of the world to focus on are: Europe, Asia, Australia, Africa, South America and Canada."

      That only leaves the USA which this article is largely about and Antarctica which AFAIK is owned by everyone and doesn't have its own government that may require Microsoft software.
    • We can only hope that our European and Asian brothers and sisters...
      ...care about our interests as much as you care about theirs. :-P
    • Re:Great (Score:2, Interesting)

      by marcosdumay ( 620877 )

      Yes, government transition doesn't happen overnight. 2006 - 2007 is a very short time for that, you should increase that to 2007 - 2009 or something like that.

      To cite a real case, Brazil started its transition in 2002. Today there has been no significant move to Linux yet. Instead, almost all the public documents have been translated from M$ Office to a more open format. A lot of time was spent discussing what is an 'open format' and generating policies. To make the long story short, 2 years after the decisio

  • Impending Doom? (Score:3, Insightful)

    by PepeGSay ( 847429 ) on Saturday March 12, 2005 @09:27AM (#11919005)
    Let's have a modicum of sense here. We are all going to die sometime... Microsoft has all the earmarks of a company that will live to a ripe old age though.
  • Machiavelli (Score:5, Insightful)

    by bitswapper ( 805265 ) * on Saturday March 12, 2005 @09:29AM (#11919013)

    So, if you're a foreign government, the US government has one month to break into your unpatched systems. Or, if you're anyone the US government doesn't like, the CIA, FBI, HLS, etc., has a month to hack your unpatched systems.

    I give Microsoft credit for possessing at least a basic understanding of Machiavelli.

  • by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Saturday March 12, 2005 @09:31AM (#11919025) Homepage
    Does this not open M$ to the charge of willfully withholding security patches from everyone else by a month ?
  • Whoah slow down there people I think when Microsoft mean 'Patches' I think they mean their new cyber buddy aka 'Rambo-Clippy' but with new and improved PTBSD (Post Traumatic Blue Screen Disorder). Patches is gonna open up a whole lotta online whoop-ass on hackers and other terrorists.

    'Patches' is a mean son'ova' gun who uses rattle snakes as condoms and pisses napalm. I for one am glad to have this online hero on our side.

  • This merely insults everyone else... perhaps adding to the incentive to look elsewhere for their computing needs.
  • I feel sorry for Uncle Sam. They get to experience the bugs of Microsoft's patches first and we'll probably get less screwed up patches. Brilliant.
  • So how will they or it?
    A) They deliver beta-patches to the DoD
    or
    B) They deliver final patches to the DoD and delay them for a month before public release

    Obviously both cases are a disaster:
    A) We all know how buggy Microsoft's final software is, I can't imagine how someone can use their beta patches in a critical disaster.

    B) Telling the government about security issues first and delaying patches for the general public is bound to cause an uproar. They are already quite slow when it comes to releasing patch
  • Other than stroking some Air Force egos, what does this accomplish?

    If a patch is good, and reliable, send it to everybody. The more people that are patched, the better.

    If a patch is bad, do we want military computers testing the fix first?

  • The US Military will beta test Microsoft security patches.
  • A bit off topic...we know the military uses Linux and all sorts of UNIX.

    Does the military use OS X? It would seem to me that OS X would be a great alternative to Windows based systems since most of their software is custom anyhow.
  • by fuzzy12345 ( 745891 ) on Saturday March 12, 2005 @09:47AM (#11919101)
    I've wondered about the legality of such behaviour. At the point where a company knows its product has a vulnerability, has a fix for that vulnerability, and deliberately withholds the fix from customers, knowing that some of them are likely to be hacked and suffer losses, is it not negligent?

    This would likely vary from jurisdiction to jurisdiction. Anyone got an amateur/professional legal opinion?

  • for patches that don't work, work properly, or goes "boing."

    for doing Microsoft's work of verifying stability...

    No small amount at Government charge-out rates, at some factor higher than "normal" contractor rates. Imagine the thousands of Gov. admins spending their time, your dollar, to do MS's work, for what they charge the Gov., us, a premium.

    And I happen to be OK with Microsoft...
  • Reuters reports that 'Microsoft is to give the U.S. government priority in fixing security holes in Windows and other software

    Translate to:

    Microsoft confirm that businesses are second rate customers. Seriously, if it was a case of MS to reveal details of vulnerabilities to US Military first I could understand it but giving them the patches first? When a new virus is released that exploits a hole I suspect the military are the least likely to be the ones who end up DDoS'ing or spamming people as
  • But that means Microsoft won't release perfectly good patches to anyone else for a whole month.

    Doesn't that just add to the proof that MS treat their regular users like bitches.

    Yet another justification that anyone with a choice should be running Linux.
  • The reason they are doing this is really obvious: One of the obvious advantages to most Linux distributions is that they usually come out with patches within a day of vulnerabilities, and the patches are available immediately. Windows, on the other hand, patches once a week or once a month. Obviously, Linux looks better here. By offering the government a faster patch cycle, they are trying to compete with the Linux distributions and make themselves look better again.

  • So does this mean there'll be another month delay in getting patches to consumers?

    Scenario:
    - [zerohour] Exploit gains recognition
    - [+1 month] Microsoft releases patch to USAF
    - [+2 month] Microsoft releases patch to US Consumers

    Greeaaaat...
  • by RhettLivingston ( 544140 ) on Saturday March 12, 2005 @10:15AM (#11919225) Journal

    First everybody (really, mostly IT professionals trying to balance benefit of patching versus risk and cost of patching) berated Microsoft for releasing patches too often. So, Microsoft responds and releases them once a month. OF COURSE that means they are holding onto patches for up to a month. The number of ignorant posts here that seem to think that this is an announcement that they are going to START delaying patches is just unbelievable. The industry already made them do that.

    This is just the natural next step in the social evolution of the situation. Now we've got the users who have a different benefit/risk equation demanding release of patches as soon as they are available. It's just the Air Force now, but it will eventually become a selectable option so that we can all choose our own poison.

    Personally, I've never had a problem with applying a Microsoft patch despite having 100s of applications on my machines including several large suites and a large proportion of open source. The problems seem to come mostly to people using low quality drivers or applications from a few companies that have questionable SW design practices like replacing core DLLs. I'd like the Air Force's option and suspect I'll eventually get it.

  • What about the government and people of other countries? They are not giving early patches to the "Government of The World", they are giving it only to USA. So now, all the US military system will be secure while the non-US military systems will be vulnerable. Although unintentional (or who knows), Microsoft is giving military advantage to USA and militarily deceiving (if that's a valid term) all other countries. I would want my country's government to consider Microsoft to be a military ally of USA giving U
  • OK.. I can see what they are thinking, I just don't know if it is right.

    I would deduce that what they are thinking is this: Malicious H4x0rBoyz and script-kiddies don't do the real work of discovering vulnerabilities (real security professionals mostly do that), but just wait for MS to issue a patch or advisory and then build an exploit by reverse engineering the patch. Once the patch is announced, a race starts between crackers and admins to see who will test and deploy their respective patches-vs-exploits bef
  • I've heard some company (I think some embedded software company) spread FUD that the enemies of USA might purposefully introduce security holes in Linux to gain advantage over USA, so using Linux is not good for USA. But what's actually happening is almost the opposite. MS is giving patches early to USA so the systems of US enemies will still be vulnerable (but US government systems will be secure) and now USA will have the knowledge of how to exploit those systems. A reason for most countries not to use MS
  • How will the Law of Unintended Consequences manifest itself first?

    1) Honest government employees will upload patches to warez sites; private sysadmins will have to turn to piracy to protect their networks.

    2) Dishonest government employees will upload trojaned patches to warez sites; private sysadmins will have no way to compare them to the real MS patches until it's too late.

    3) Honest government employees will post exploit information to white-hat security lists; private sysadmins will have to make choic
  • There are lots of non-US-government systems that are critical: hospitals, banks, air traffic control, etc.
    And anyways, the important patches nowadays relate to keeping out Internet intruders. Hopefully the military systems aren't on the public net!
  • delays (Score:4, Insightful)

    by Jesus IS the Devil ( 317662 ) on Saturday March 12, 2005 @11:12AM (#11919493)
    The real deal isn't that they're offering these updates to the government first, but rather, that they're DELAYING it from everyone else.

    This makes no sense, since a patch is a patch. Sure M$ might earn some brownie points from the government entities that get this priority, but the resulting backlash from everyone else will be worse.
  • ...either M$ will give patches to the govt. before they are fully tested and finished, or they will delay finished patches to the rest of the world despite a known vulnerability

    So which is it, Bill? And will you offer the same treatment to other governments worldwide? or will you tell them that you are deliberately leaving them twisting in the wind with the rest of us, while the US Govt gets preferential treatment?
  • Doublethink (Score:3, Insightful)

    by Doc Ruby ( 173196 ) on Saturday March 12, 2005 @11:41AM (#11919647) Homepage Journal
    How can MS possibly justify holding back the patches to anyone? What does letting the rest of the world twist in the wind gain them, or even the government? This is obviously a ploy to gain favor with some stupid bureaucrats who can't tell that this adds absolutely no security to anyone. Because its realities have no other possible redeeming value, and a great deal of cost.
  • by JeffTL ( 667728 ) on Saturday March 12, 2005 @01:05PM (#11920094)
    Either Microsoft has been withholding patches from their paying customers and has decided to let a small segment (the federal government) go ahead and have them once they're ready, or they're foisting incomplete and buggy code onto the government, including the IRS.

    If you get audited this year, blame Microsoft.