MS To Share Early Flaw Data With Governments 100
Trailrunner7 writes "Microsoft today announced plans to share pre-patch details on software vulnerabilities with governments around the world under a new program aimed at securing critical infrastructure and government assets from hacker attacks. The program, codenamed Omega, features a 'Defensive Information Sharing Program' that will offer government entities at the national level technical information on vulnerabilities that are being updated in their products." There's a stream the bad guys would dearly love to tap into.
The Bad Guys (Score:5, Funny)
Sounds like they don't need to tap. :P
Re: (Score:1)
Re: (Score:2)
That was my first thought. What about the issue with the Chinese hacking into Google due to inside information on their systems? This sort of plan just seems a bit foolish given how similar data has already been used.
Re: (Score:2)
Exactly - you're either for DMCA, or you're with the terrorists! :P
Re: (Score:3, Informative)
Maybe MSFT is still sore about the 3rd NSA key http://bit.ly/avkiLe [bit.ly]
Thank goodness we can still trust Apple because they make a lot of their computers in China.
Re: (Score:2)
This man deserves to be modded down for nothing more than the bit.ly link. FOR SHAME.
Um... Hello. The Mob? (Score:2, Insightful)
There are a lot of countries where the mob either runs the government or has strong ties to it. Letting the government in many countries in on vulnerabilities early also lets the mob in. This could be a bad thing.
Re: (Score:3, Funny)
Re: (Score:2)
ah its for security (Score:4, Insightful)
Re: (Score:2)
oh, you mean my computer isn't compromised?
I thought I was just getting some free vi@gr@?
Re: (Score:3, Insightful)
It's certainly not about security. It's purely a PR scheme. MS wants to make government agencies feel important and special if they use their products. Nothing impresses government officials more than press releases that make every bullshit bing player happy.
Linux does this for everyone. (Score:4, Insightful)
It is not useful knowing what the vendor does (Score:3, Insightful)
Does it really help that much if the vendor gives you early access to security issues? Its not like they discover them all and probably 3rd parties are a large source of insight into their problems.
ONE vendor won't be that great; and MS hasn't done well for a long time. Outside the vendors is probably more useful information and the organized criminals and governments probably know of more than the vendor does. The problem is the vendor is not told or fails to listen etc. Linux on the otherhand is not li
Re: (Score:2)
Doesn't Linux already do this, for everyone? The only people who are going to be fooled by this in the government are elitist pricks.
Oh. Directors. Well, of course - they're the ones who directly control the budget(s). Of course you want to get them on board.
Re: (Score:1)
Decision makers who understand the Open Source Model will thrive when other's struggle to keep up in the long run.
Whom do you trust with the keys to the data of your organization? How transparent are they? Maybe know some of what's talked about in non-vendor circles? Who are your competitors? Does competition have a purpose in the Open Source Community?
How do companies differentiate themselves?
Re: (Score:2)
Re: (Score:2)
Catch with that is, it will really blow up in their face. In dealing direct with governments, rather than in an open forum, the governments in question will no longer know if they get the same information at the same time. Obviously M$ would be in a perfect position to give different governments different information about specific security risks and vulnerabilities. No government will be able to corroborate that the same information was given to each government involved in the security risks and vulnerabi
Re: (Score:2)
This is great.
I'll be able to patch my laptop using the government CD, on the train to London Waterloo.
Re: (Score:2)
WTF? (Score:4, Insightful)
Because governments would never help a company in their nation with industial espionage.....
Mod parent up. (Score:2)
And also provide the patches to businesses based in their country.
Who decides if some Senator's web site (hosted on a .gov address) is more important than a hospital's network? And why?
That bad guys would love to tap into? (Score:2)
You mean governments, right?
I mean, seriously, the NSA had it easy already. This must have caused more than a few giggles at more than a few government agencies.
Unfortunately... (Score:4, Funny)
Re:Unfortunately... (Score:5, Funny)
Re: (Score:3, Funny)
Unfortunately for the government, the Omega program is only in alpha release.
It's cool. Google's competing product (google search for "MS vulnerabilities"), has been in beta for 8 years now.
Re: (Score:2)
Luckily a third-party group started to automate the process and bring it closer to release.
http://lmgtfy.com/?q=MS+vulnerabilities [lmgtfy.com]
Remember folks (Score:3, Funny)
Every person you tell makes the information that much less secured. That's why I advocate any sensitive data being destroyed upon inception or realization. Support your local Thought Police! Donate Today!
Re: (Score:1, Funny)
By raising Thought Police awareness you have created new ideas and are therefore guilty of Thought Crime, judgement will be dispatched in your area soon.
What a Waste (Score:2, Interesting)
Re: (Score:3, Funny)
Microsoft Omega destroys internets, a chain reaction involving a handful of machines could devastate internet throughout an entire Class A. If that were to happen, p0rn browsing would become impossible. Fapping as we know it would cease to exist.
Not to worry (Score:3, Interesting)
The government never reads the documents that cross their desk. They just see what their constiucorps want and vote yea or ney.
Re: (Score:2)
Hey now, there are a large number of hardworking individuals in the government who are not elected and don't cast a vote. They have to work a lot harder for their bribes, and third party security information would make their lives much easier.
I don't know whats better (Score:2, Insightful)
So what's the purpose? (Score:2, Redundant)
Is this so the government can more easily infiltrate vulnerable systems or so it can protect itself if it's using MS products?
Re: (Score:2)
Is this so the government can more easily infiltrate vulnerable systems or so it can protect itself if it's using MS products?
They're just replicating what's already going on in the private sector - from industry to counter-culture.
Secret decoder ring explodes... (Score:2)
Aweful idea (Score:2, Insightful)
Thats just a terrible way to go about things in my opinion.
We all know that between the massive list of "government entities" there are bound to be some (perhaps even many) bad apples (be it in official capacity or just a sole individual). The implementation of this program would mean these individuals would get notification ahead of time that allows them to do the usual shenanigans of reverse engineering the solution (or just analysing the problem the patch supposedly fixes), and then build&release an
I'd be worried ... (Score:1)
Omega seems to share too much (Score:1, Offtopic)
By Governments, I read this as all Government that use the product. How about only sharing with the governments that protect your home?
Perhaps it be better to only use products that you can read and write the code your self. Should we keep the code under government control? would we be safer if We stoped the black box types of software.
Re: (Score:2)
> By Governments, I read this as all Government that use the product.
No. All governments that pay the (no doubt substantial) fees to "join the program". And that's the upside: this makes finding "vulnerabilities" a revenue center.
Re: (Score:2)
this makes finding "vulnerabilities" a revenue center.
Finding? Sounds like it makes not fixing vulnerabilities before release a revenue center...
Re: (Score:2)
No. All governments that pay the (no doubt substantial) fees to "join the program". And that's the upside: this makes finding "vulnerabilities" a revenue center.
Finding new vulnerabilities is too expensive. They could reduce costs by developing them directly. This would keep the marginal cost of vulnerabilities stable by patching new vulnerabilities in as you patch old ones out!
National Cybersecurity Undermined (Score:1, Flamebait)
Time to move .gov off of Microsoft entirely. This negates some of the protection afforded by our nation in the event of a cyberwar.
Not like anyone can really win a cyberwar, it will be decided by who owns more bots......
Re: (Score:1, Offtopic)
A nation of illiterate mud farmers wouldn't even know that a cyberwar had been declared. A nation that has been chasing automation, efficiency, and optimization for some decades would(barring truly incredible security) be completely fucked
Re: (Score:1)
Time to move .gov off of Microsoft entirely. This negates some of the protection afforded by our nation in the event of a cyberwar.
Actually, it's more an indication that everyone except .gov needs to ditch MS entirely. As this Anon-coward has pointed out, ordinary folk are made more vulnerable by this program. Just imagine if country X got a hold of the specifics of a wormable exploit with the assurance that ordinary folk in the U.S. won't get the patch until later. The U.S. govt would be potentially protected, but .coms, .nets, .edus ...
http://it.slashdot.org/comments.pl?sid=1656658&cid=32257956 [slashdot.org]
"Bad Guys" (Score:2, Redundant)
> There's a stream the bad guys would dearly love to tap into.
RTFA. They already said they are sending it to governments.
Re: (Score:1)
What? You think they weren't already sharing the info with select multi-national conglomerates whose CEOs say "exxxxcellent!" while tenting their fingertips?
"Securing critical infrastructure?" (Score:1, Flamebait)
Because the best place for a secure critical infrastructure is on windows platforms. How else are you going to protect against Word Macro viruses?
Re: (Score:2)
Well you know what they say - The only true secure computer, is one encased in cement with no cables to the outside.
I guess a blue screened server is as close as one can get using software ;}
Pretty sneaky there Microsoft, one-uping Linux on security!
people (Score:4, Interesting)
Re: (Score:2)
You just have to compromise one of the people working for the government
You don't even need to do that.
Economic espionnage, someone ?
Re: (Score:2)
As opposed to having to compromise one of the people working for the company in question (Microsoft)?
Anyway, I thought we didn't believe in security by obscurity?
WIKILEAKS (Score:1)
Re: (Score:3, Funny)
Actually an early information about security patches from Microsoft looks like that:
Product Affected: all versions of windows
Risk: Remote code execution
Rating: Critical
Reboot required: You betcha
Description: This vulnerability is even more serious than the previous 10 000 other Critical software updates, if 0 were the highest priority on a scale 1 to 10, this one would rate -10 000, see that's like super duper uber hyper critical times 3.
Re: (Score:2)
Corrected that for you!
Bad Guys (Score:1, Redundant)
And giving the information to which governments will guarantee the "bad guys" don't get it? Does no one recognize that all these entities play for keeps and telling them about a vulnerability before anyone else is like throwing a bloodied sheep into a tank full of sharks? The sharks may get scratched up a bit, but they're used to it; the sheep will just get slaughtered.
Re: (Score:1, Insightful)
Oxymorons abound (Score:2, Insightful)
Critical infrastructure / Windows
Seems like it's long overdue to realize that those two concepts are mutually exclusive.
Sounds like kind of a rip-off (Score:5, Informative)
Then, "disclosure will happen just prior to our security update release cycles."
So the disclosure amounts to this:
"Tomorrow's MS Windows Update contains a security patch that fixes a serious vulnerability in your system. Oh, by the way, you have a serious vulnerability in your system."
"There's a stream the bad guys would dearly love" (Score:2)
Shoring up the defenses (Score:1)
Looking at this situation I see Microsoft warding off yet another assault on their software stack. European governments have been making some high profile conversions off of the Microsoft stack (Germany comes to mind). One of the many reasons offered for those transitions has been the transparency of OSS, especially in relation to security issues. The creation of Omega looks like another acknowledgement from Microsoft that their competitors have better offerings, and Microsoft seems to be playing catchup
What is the nature of the data being shared? (Score:2, Interesting)
A flawed perspective... (Score:3, Insightful)
So Microsoft has the flaws, the governments have the flaws, but we, the purchasers of windows software do not have the flaws. What is wrong with this model? Could it (cough) perhaps be that the software isn't open source (in which environments the flaws tend to be published openly on an extremely short time scale)?
IMO the last bastions of the purveyors of a flawed model would tend to recruit those in power to perpetuate said model. (Oh its OK that there is a flaw because the powers that be know about it and we are going to fix it... eventually...)
Please please somebody, study the serious flaw correction rate in closed source vs. open source software (i.e. time from flaw discovery until flaw correction availability). I would hope that if this has not already been done someone is attempting to do it.
And shame on a majority of city, state and U.S. governments for operating on closed source software and not having concrete data with respect to flaws and vulnerabilities. If you worked for a corporation (at least one which knew the value of open source perspectives) your head would be on on a "silver platter" for allowing the corporation to be open to be open to the vulnerabilities of closed source software.
Simple. Ask Microsoft to warranty its products to be free of defects. And if it does not do so you are most probably utilizing products which probably contain defects. And that is a sad situation -- we are running reality with no more knowledge than we have of that of a "can-o-worms" [1].
1. To the best of my knowledge the genome sequence of the common garden worm is not known and even if it were there are probably few if any systems biologists who could explain in detail how it really works. Programs that have worked for hundreds of millions of years (e.g. worms) are probably fairly safe (even if we cannot explain how they work). Programs which have operated for less than 30 years and are driven by monetary criteria (profit margins, ROI, etc.) are probably an open source for concern.
Comment removed (Score:4, Insightful)
License to hack! (Score:5, Insightful)
This is insanity! So the government of US, UK, Israel, China, etc. will get information on vulnerabilities before the general public? The obvious outcome isn't a more secure government server, it is that the intelligence agencies will get a headstart on exploiting public and private systems the world over. It is a license to hack, for either industrial espionage or government espionage purposes.
What is a system administrator to do? There is no way to prepare for this kind of thing, the attack vectors will be unknowable by the general public. My only thought is to switch as many systems away from Microsoft as fast as possible. This is a total security nightmare.
-molo
Re: (Score:2)
What is a system administrator to do? There is no way to prepare for this kind of thing, the attack vectors will be unknowable by the general public. My only thought is to switch as many systems away from Microsoft as fast as possible. This is a total security nightmare.
And how is any of this different today? You think the whole malware-as-a-service industry just popped up out of nowhere? There are already knowledgeable entities out there working to compromise your environment. Some of them may already be Governments. Waiting for input from Microsoft on what's a viable attack vector is coming late to the party.
Re: (Score:2)
This is insanity! So the government of US, UK, Israel, China, etc. will get information on vulnerabilities before the general public?
That's all you're worried about? The heck with vulnerabilities, Microsoft already shared their source code with China, Russia, and some NATO members... all to open markets of course, not for virus/rootkit writers. ;)
http://www.microsoft.com/presspass/press/2003/feb03/02-28gspchinapr.mspx [microsoft.com]
You know you've been reading /. too much... (Score:4, Funny)
The first time I read that headline, my brain completely omitted the word "data" without skipping a beat.
It sounded par for the course, I guess.
Re: (Score:3, Funny)
In my case, I though that "Flaw Data" was a new product from Microsoft.
Alphabetical contact list (Score:2)
Nice. Chinese hackers are cracking their knuckles in anticipation.
Using Microsoft's alphabetical contact list in Outlook, the information will reach the People's Republic of China, before it will reach the USA government.
One More Demonstration of Microsoft's Total Idiocy (Score:2)
Back when Vista was being developed, they shared the code with the NSA in order to detect vulnerabilities.
So obviously what did NSA do? They found X vulnerabilities - and told Microsoft about X minus Y vulnerabilities.
Now Microsoft wants Mossad, an organization known for conducting massive espionage - both political, military and economic - against the US to have the same capability.
Dumbest mofo's in industry.
I love my country, most of us do, but... (Score:2)
Step Back (Score:2)
Legality & Liability of Failure to Disclose (Score:2)
Re: (Score:2)
Not if they disclaimed all liability in the shrink wrap EULA. Which they do. Read one sometime, it'll be enlightening. Your windows based home control program could die due to a windows update, shutting off the power to grandma's iron lung, and MSFT would be free of claim. So, you'd be exactly in the same place as if you used Linux.
To the general point, for this crowd, MSFT can truly do nothing good. Giving the authorities a heads up once bad news is know is a bad thing? It sounds reasonable to me, an