Forgot your password?
typodupeerror
Government Microsoft Security IT

MS To Share Early Flaw Data With Governments 100

Posted by kdawson
from the for-your-eyes-only dept.
Trailrunner7 writes "Microsoft today announced plans to share pre-patch details on software vulnerabilities with governments around the world under a new program aimed at securing critical infrastructure and government assets from hacker attacks. The program, codenamed Omega, features a 'Defensive Information Sharing Program' that will offer government entities at the national level technical information on vulnerabilities that are being updated in their products." There's a stream the bad guys would dearly love to tap into.
This discussion has been archived. No new comments can be posted.

MS To Share Early Flaw Data With Governments

Comments Filter:
  • by Arancaytar (966377) <arancaytar.ilyaran@gmail.com> on Tuesday May 18, 2010 @04:49PM (#32257858) Homepage

    with governments

    Sounds like they don't need to tap. :P

    • My thoughts exactly. Aren't some of the bad people governments? Perhaps Microsoft should only disclose this information to governments with "proper" IP laws [slashdot.org].
      • by DJRumpy (1345787)

        That was my first thought. What about the issue with the Chinese hacking into Google due to inside information on their systems? This sort of plan just seems a bit foolish given how similar data has already been used.

      • Exactly - you're either for DMCA, or you're with the terrorists! :P

    • Re: (Score:3, Informative)

      by Moblaster (521614)

      Maybe MSFT is still sore about the 3rd NSA key http://bit.ly/avkiLe [bit.ly]

      Thank goodness we can still trust Apple because they make a lot of their computers in China.

    • by Anonymous Coward

      There are a lot of countries where the mob either runs the government or has strong ties to it. Letting the government in many countries in on vulnerabilities early also lets the mob in. This could be a bad thing.

  • by pilgrim23 (716938) on Tuesday May 18, 2010 @04:50PM (#32257878)
    and everyone KNOWS how well governments can keep secrets.
    • by poetmatt (793785)

      oh, you mean my computer isn't compromised?

      I thought I was just getting some free vi@gr@?

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      It's certainly not about security. It's purely a PR scheme. MS wants to make government agencies feel important and special if they use their products. Nothing impresses government officials more than press releases that make every bullshit bing player happy.

      • by linzeal (197905) on Tuesday May 18, 2010 @05:37PM (#32258356) Homepage Journal
        Doesn't Linux already do this, for everyone? The only people who are going to be fooled by this in the government are elitist pricks.
        • Does it really help that much if the vendor gives you early access to security issues? Its not like they discover them all and probably 3rd parties are a large source of insight into their problems.

          ONE vendor won't be that great; and MS hasn't done well for a long time. Outside the vendors is probably more useful information and the organized criminals and governments probably know of more than the vendor does. The problem is the vendor is not told or fails to listen etc. Linux on the otherhand is not li

        • by _Sprocket_ (42527)

          Doesn't Linux already do this, for everyone? The only people who are going to be fooled by this in the government are elitist pricks.

          Oh. Directors. Well, of course - they're the ones who directly control the budget(s). Of course you want to get them on board.

          • by DrHex (142347)

            Decision makers who understand the Open Source Model will thrive when other's struggle to keep up in the long run.

            Whom do you trust with the keys to the data of your organization? How transparent are they? Maybe know some of what's talked about in non-vendor circles? Who are your competitors? Does competition have a purpose in the Open Source Community?

            How do companies differentiate themselves?

        • by psbrogna (611644)
          Are you saying you think its conceivable there are elitists pricks in the government? That can't be right.
      • by rtb61 (674572)

        Catch with that is, it will really blow up in their face. In dealing direct with governments, rather than in an open forum, the governments in question will no longer know if they get the same information at the same time. Obviously M$ would be in a perfect position to give different governments different information about specific security risks and vulnerabilities. No government will be able to corroborate that the same information was given to each government involved in the security risks and vulnerabi

    • This is great.
      I'll be able to patch my laptop using the government CD, on the train to London Waterloo.

    • by gmuslera (3436)
      I can see it. A top spy infiltrates a government, and steal his most precious secret: "Windows have bugs" The world is in danger after that.
  • WTF? (Score:4, Insightful)

    by Anonymous Coward on Tuesday May 18, 2010 @04:51PM (#32257884)

    Because governments would never help a company in their nation with industial espionage.....

    • Because governments would never help a company in their nation with industial espionage.....

      And also provide the patches to businesses based in their country.

      Who decides if some Senator's web site (hosted on a .gov address) is more important than a hospital's network? And why?

  • You mean governments, right?

    I mean, seriously, the NSA had it easy already. This must have caused more than a few giggles at more than a few government agencies.

  • by brian0918 (638904) <brian0918&gmail,com> on Tuesday May 18, 2010 @04:52PM (#32257898)
    Unfortunately for the government, the Omega program is only in alpha release.
  • by Pojut (1027544) on Tuesday May 18, 2010 @04:53PM (#32257900) Homepage

    Every person you tell makes the information that much less secured. That's why I advocate any sensitive data being destroyed upon inception or realization. Support your local Thought Police! Donate Today!

    • Re: (Score:1, Funny)

      by Anonymous Coward

      By raising Thought Police awareness you have created new ideas and are therefore guilty of Thought Crime, judgement will be dispatched in your area soon.

  • What a Waste (Score:2, Interesting)

    by thegdorf (1222548)
    This initiative is much too lame to warrant being called Omega.
    • Re: (Score:3, Funny)

      by sakdoctor (1087155)

      Microsoft Omega destroys internets, a chain reaction involving a handful of machines could devastate internet throughout an entire Class A. If that were to happen, p0rn browsing would become impossible. Fapping as we know it would cease to exist.

  • Not to worry (Score:3, Interesting)

    by ArhcAngel (247594) on Tuesday May 18, 2010 @04:54PM (#32257914)

    The government never reads the documents that cross their desk. They just see what their constiucorps want and vote yea or ney.

    • by pavon (30274)

      Hey now, there are a large number of hardworking individuals in the government who are not elected and don't cast a vote. They have to work a lot harder for their bribes, and third party security information would make their lives much easier.

  • The projects codename.. which means "the end" or the fact that now the gov't can rely on IMHO the absolute last people to know about the problem,and are at fault.. to give them early warning.
  • Is this so the government can more easily infiltrate vulnerable systems or so it can protect itself if it's using MS products?

    • by _Sprocket_ (42527)

      Is this so the government can more easily infiltrate vulnerable systems or so it can protect itself if it's using MS products?

      They're just replicating what's already going on in the private sector - from industry to counter-culture.

  • The program, codenamed Omega, ... /blockquote So, a program about being the first to know is named "Omega" (meaning "last")?

  • Aweful idea (Score:2, Insightful)

    by Anonymous Coward

    Thats just a terrible way to go about things in my opinion.

    We all know that between the massive list of "government entities" there are bound to be some (perhaps even many) bad apples (be it in official capacity or just a sole individual). The implementation of this program would mean these individuals would get notification ahead of time that allows them to do the usual shenanigans of reverse engineering the solution (or just analysing the problem the patch supposedly fixes), and then build&release an

  • Does this not give the gov't another way (with a limited time window) to peer into our personal affairs?
  • By Governments, I read this as all Government that use the product. How about only sharing with the governments that protect your home?

    Perhaps it be better to only use products that you can read and write the code your self. Should we keep the code under government control? would we be safer if We stoped the black box types of software.

    • > By Governments, I read this as all Government that use the product.

      No. All governments that pay the (no doubt substantial) fees to "join the program". And that's the upside: this makes finding "vulnerabilities" a revenue center.

      • this makes finding "vulnerabilities" a revenue center.

        Finding? Sounds like it makes not fixing vulnerabilities before release a revenue center...

      • by Stray7Xi (698337)

        No. All governments that pay the (no doubt substantial) fees to "join the program". And that's the upside: this makes finding "vulnerabilities" a revenue center.

        Finding new vulnerabilities is too expensive. They could reduce costs by developing them directly. This would keep the marginal cost of vulnerabilities stable by patching new vulnerabilities in as you patch old ones out!

  • Time to move .gov off of Microsoft entirely. This negates some of the protection afforded by our nation in the event of a cyberwar.

    Not like anyone can really win a cyberwar, it will be decided by who owns more bots......

    • Re: (Score:1, Offtopic)

      Arguably, the real factor in a cyberwar has less to do with exactly how many bots you own, and more to do with how good your "passive defense" is. "Passive defense" being the defensive value of those activities that make up your way of life, the stuff you do by default.

      A nation of illiterate mud farmers wouldn't even know that a cyberwar had been declared. A nation that has been chasing automation, efficiency, and optimization for some decades would(barring truly incredible security) be completely fucked
    • by Culture20 (968837)

      Time to move .gov off of Microsoft entirely. This negates some of the protection afforded by our nation in the event of a cyberwar.

      Actually, it's more an indication that everyone except .gov needs to ditch MS entirely. As this Anon-coward has pointed out, ordinary folk are made more vulnerable by this program. Just imagine if country X got a hold of the specifics of a wormable exploit with the assurance that ordinary folk in the U.S. won't get the patch until later. The U.S. govt would be potentially protected, but .coms, .nets, .edus ...
      http://it.slashdot.org/comments.pl?sid=1656658&cid=32257956 [slashdot.org]

  • "Bad Guys" (Score:2, Redundant)

    by John Hasler (414242)

    > There's a stream the bad guys would dearly love to tap into.

    RTFA. They already said they are sending it to governments.

    • What? You think they weren't already sharing the info with select multi-national conglomerates whose CEOs say "exxxxcellent!" while tenting their fingertips?

  • Because the best place for a secure critical infrastructure is on windows platforms. How else are you going to protect against Word Macro viruses?

    • by dissy (172727)

      Well you know what they say - The only true secure computer, is one encased in cement with no cables to the outside.

      I guess a blue screened server is as close as one can get using software ;}

      Pretty sneaky there Microsoft, one-uping Linux on security!

  • people (Score:4, Interesting)

    by crsuperman34 (1599537) on Tuesday May 18, 2010 @05:05PM (#32258044)
    As every black hat knows: you will not need to compromise the software. You just have to compromise one of the people working for the government in question.
    • by alexhs (877055)

      You just have to compromise one of the people working for the government

      You don't even need to do that.
      Economic espionnage, someone ?

    • by tehcyder (746570)

      As every black hat knows: you will not need to compromise the software. You just have to compromise one of the people working for the government in question.

      As opposed to having to compromise one of the people working for the company in question (Microsoft)?

      Anyway, I thought we didn't believe in security by obscurity?

  • WIKILEAKS!!! Here is your next big thing to publish. If anyone can get that info out to the public to protect our rights, they can do it.
    • Re: (Score:3, Funny)

      by fredc97 (963879)

      Actually an early information about security patches from Microsoft looks like that:

      Product Affected: all versions of windows
      Risk: Remote code execution
      Rating: Critical
      Reboot required: You betcha

      Description: This vulnerability is even more serious than the previous 10 000 other Critical software updates, if 0 were the highest priority on a scale 1 to 10, this one would rate -10 000, see that's like super duper uber hyper critical times 3.

      • by whoever57 (658626)

        Product Affected: all versions of windows
        Risk: Remote code execution
        Rating: Minimal
        Reboot required: You betcha

        Corrected that for you!

  • Bad Guys (Score:1, Redundant)

    by devnullkac (223246)

    There's a stream the bad guys would dearly love to tap into.

    And giving the information to which governments will guarantee the "bad guys" don't get it? Does no one recognize that all these entities play for keeps and telling them about a vulnerability before anyone else is like throwing a bloodied sheep into a tank full of sharks? The sharks may get scratched up a bit, but they're used to it; the sheep will just get slaughtered.

  • Oxymorons abound (Score:2, Insightful)

    by oDDmON oUT (231200)

    Critical infrastructure / Windows

    Seems like it's long overdue to realize that those two concepts are mutually exclusive.

  • by ivandavidoff (969036) on Tuesday May 18, 2010 @05:29PM (#32258266)
    MS will provide information only "after our investigative and remediation cycle is completed..." In other words, after the vulnerability is discovered and fixed, and the patch is ready to roll out.

    Then, "disclosure will happen just prior to our security update release cycles."

    So the disclosure amounts to this:

    "Tomorrow's MS Windows Update contains a security patch that fixes a serious vulnerability in your system. Oh, by the way, you have a serious vulnerability in your system."
  • Bad guys like China? Aren't they a government of some sort in South America or Australia?
  • Looking at this situation I see Microsoft warding off yet another assault on their software stack. European governments have been making some high profile conversions off of the Microsoft stack (Germany comes to mind). One of the many reasons offered for those transitions has been the transparency of OSS, especially in relation to security issues. The creation of Omega looks like another acknowledgement from Microsoft that their competitors have better offerings, and Microsoft seems to be playing catchup

  • If it's 3 days advance notice on patches like Microsoft's biggest customers get this is no big deal. If it's "Here are details on a vulnerability that we might patch next year with service pack 16", I'm afraid, very afraid.
  • by bradbury (33372) <(Robert.Bradbury) (at) (gmail.com)> on Tuesday May 18, 2010 @06:08PM (#32258636) Homepage

    So Microsoft has the flaws, the governments have the flaws, but we, the purchasers of windows software do not have the flaws. What is wrong with this model? Could it (cough) perhaps be that the software isn't open source (in which environments the flaws tend to be published openly on an extremely short time scale)?

    IMO the last bastions of the purveyors of a flawed model would tend to recruit those in power to perpetuate said model. (Oh its OK that there is a flaw because the powers that be know about it and we are going to fix it... eventually...)

    Please please somebody, study the serious flaw correction rate in closed source vs. open source software (i.e. time from flaw discovery until flaw correction availability). I would hope that if this has not already been done someone is attempting to do it.

    And shame on a majority of city, state and U.S. governments for operating on closed source software and not having concrete data with respect to flaws and vulnerabilities. If you worked for a corporation (at least one which knew the value of open source perspectives) your head would be on on a "silver platter" for allowing the corporation to be open to be open to the vulnerabilities of closed source software.

    Simple. Ask Microsoft to warranty its products to be free of defects. And if it does not do so you are most probably utilizing products which probably contain defects. And that is a sad situation -- we are running reality with no more knowledge than we have of that of a "can-o-worms" [1].

    1. To the best of my knowledge the genome sequence of the common garden worm is not known and even if it were there are probably few if any systems biologists who could explain in detail how it really works. Programs that have worked for hundreds of millions of years (e.g. worms) are probably fairly safe (even if we cannot explain how they work). Programs which have operated for less than 30 years and are driven by monetary criteria (profit margins, ROI, etc.) are probably an open source for concern.

  • by nimbius (983462) on Tuesday May 18, 2010 @06:18PM (#32258702) Homepage
    the book of FLOSS guys. all your customers need to promptly know when you find flaws, not just the governments with the ability to restrict your sales and service. Im talking about banks, schools, hospitals, and power plants.
  • License to hack! (Score:5, Insightful)

    by molo (94384) on Tuesday May 18, 2010 @06:29PM (#32258818) Journal

    This is insanity! So the government of US, UK, Israel, China, etc. will get information on vulnerabilities before the general public? The obvious outcome isn't a more secure government server, it is that the intelligence agencies will get a headstart on exploiting public and private systems the world over. It is a license to hack, for either industrial espionage or government espionage purposes.

    What is a system administrator to do? There is no way to prepare for this kind of thing, the attack vectors will be unknowable by the general public. My only thought is to switch as many systems away from Microsoft as fast as possible. This is a total security nightmare.

    -molo

    • by _Sprocket_ (42527)

      What is a system administrator to do? There is no way to prepare for this kind of thing, the attack vectors will be unknowable by the general public. My only thought is to switch as many systems away from Microsoft as fast as possible. This is a total security nightmare.

      And how is any of this different today? You think the whole malware-as-a-service industry just popped up out of nowhere? There are already knowledgeable entities out there working to compromise your environment. Some of them may already be Governments. Waiting for input from Microsoft on what's a viable attack vector is coming late to the party.

    • by thoth (7907)

      This is insanity! So the government of US, UK, Israel, China, etc. will get information on vulnerabilities before the general public?

      That's all you're worried about? The heck with vulnerabilities, Microsoft already shared their source code with China, Russia, and some NATO members... all to open markets of course, not for virus/rootkit writers. ;)
      http://www.microsoft.com/presspass/press/2003/feb03/02-28gspchinapr.mspx [microsoft.com]

  • by Anachragnome (1008495) on Tuesday May 18, 2010 @07:21PM (#32259224)

    The first time I read that headline, my brain completely omitted the word "data" without skipping a beat.

    It sounded par for the course, I guess.

  • Nice. Chinese hackers are cracking their knuckles in anticipation.

    Using Microsoft's alphabetical contact list in Outlook, the information will reach the People's Republic of China, before it will reach the USA government.

  • Back when Vista was being developed, they shared the code with the NSA in order to detect vulnerabilities.

    So obviously what did NSA do? They found X vulnerabilities - and told Microsoft about X minus Y vulnerabilities.

    Now Microsoft wants Mossad, an organization known for conducting massive espionage - both political, military and economic - against the US to have the same capability.

    Dumbest mofo's in industry.

  • In the light that our computers are completely out of control, one might ask, "Can we live without these things?". Well no. Not if you want to do business. UPS requires you to have Windows if you expect to ship............ In 1984,(the book), big brother watched you using a television with a camera. Many people said, "Oh that would never happen". Well most new computers have webcams, are generally attached to the Internet all the time. The only thing that stands between this ugly fictional reality and o
  • Why is any gov't willing to settle for an arrangement where a vendor agrees to provide specifics regarding the nature of a product's flaws rather than questioning why to use the product at all? And mind you, this is after two decades of a lot of knowledgable people saying said product is flawed by design, by implementation & both to such a degree that it can never be safe.
  • [IANAL] If a company is compromised due to a flaw in a MS product that MS was aware of but had not disclosed to the company (and gov't would have proof of the failure to disclose via Omega), isn't MS liable for the cost of the incident because they had the knowledge to prevent the compromise but failed to alert the company?
    • Not if they disclaimed all liability in the shrink wrap EULA. Which they do. Read one sometime, it'll be enlightening. Your windows based home control program could die due to a windows update, shutting off the power to grandma's iron lung, and MSFT would be free of claim. So, you'd be exactly in the same place as if you used Linux.

      To the general point, for this crowd, MSFT can truly do nothing good. Giving the authorities a heads up once bad news is know is a bad thing? It sounds reasonable to me, an

Optimism is the content of small men in high places. -- F. Scott Fitzgerald, "The Crack Up"

Working...