Slashdot: News for Nerds

MS To Share Early Flaw Data With Governments

kdawson posted more than 4 years ago | from the for-your-eyes-only dept.

Trailrunner7 writes "Microsoft today announced plans to share pre-patch details on software vulnerabilities with governments around the world under a new program aimed at securing critical infrastructure and government assets from hacker attacks. The program, codenamed Omega, features a 'Defensive Information Sharing Program' that will offer government entities at the national level technical information on vulnerabilities that are being updated in their products." There's a stream the bad guys would dearly love to tap into.

100 comments

The Bad Guys (4, Funny)

Arancaytar (966377) | more than 4 years ago | (#32257858)

with governments

Sounds like they don't need to tap. :P

Re:The Bad Guys (1)

iPhr0stByt3 (1278060) | more than 4 years ago | (#32257922)

My thoughts exactly. Aren't some of the bad people governments? Perhaps Microsoft should only disclose this information to governments with "proper" IP laws [slashdot.org] .

Re:The Bad Guys (1)

DJRumpy (1345787) | more than 4 years ago | (#32260006)

That was my first thought. What about the issue with the Chinese hacking into Google due to inside information on their systems? This sort of plan just seems a bit foolish given how similar data has already been used.

Re:The Bad Guys (1)

Arancaytar (966377) | more than 4 years ago | (#32260278)

Exactly - you're either for DMCA, or you're with the terrorists! :P

Re:The Bad Guys (0)

Anonymous Coward | more than 4 years ago | (#32257934)

It only needs some lobbyist to convince his friend inside the government to give him the secrets. This is harder with China and Russia, but just think about US.

Re:The Bad Guys (3, Informative)

Moblaster (521614) | more than 4 years ago | (#32258062)

Maybe MSFT is still sore about the 3rd NSA key http://bit.ly/avkiLe [bit.ly]

Thank goodness we can still trust Apple because they make a lot of their computers in China.

Re:The Bad Guys (1)

phantomcircuit (938963) | more than 4 years ago | (#32260440)

This man deserves to be modded down for nothing more than the bit.ly link. FOR SHAME.

Um... Hello. The Mob? (2, Insightful)

Anonymous Coward | more than 4 years ago | (#32258524)

There are a lot of countries where the mob either runs the government or has strong ties to it. Letting the government in many countries in on vulnerabilities early also lets the mob in. This could be a bad thing.

Re:Um... Hello. The Mob? (2, Funny)

Zaiff Urgulbunger (591514) | more than 4 years ago | (#32260378)

Nice comment you got there.... shame if someone mod'ed it down!

Re:Um... Hello. The Mob? (1)

psbrogna (611644) | more than 4 years ago | (#32263654)

Some days I wonder if we'd be better off letting the mob run the government, at least then it would be organized crime.

ah its for security (3, Insightful)

pilgrim23 (716938) | more than 4 years ago | (#32257878)

and everyone KNOWS how well governments can keep secrets.

Re:ah its for security (1)

poetmatt (793785) | more than 4 years ago | (#32257950)

oh, you mean my computer isn't compromised?

I thought I was just getting some free vi@gr@?

Re:ah its for security (3, Insightful)

Anonymous Coward | more than 4 years ago | (#32258032)

It's certainly not about security. It's purely a PR scheme. MS wants to make government agencies feel important and special if they use their products. Nothing impresses government officials more than press releases that make every bullshit bing player happy.

Linux does this for everyone. (3, Insightful)

linzeal (197905) | more than 4 years ago | (#32258356)

Doesn't Linux already do this, for everyone? The only people who are going to be fooled by this in the government are elitist pricks.

It is not useful knowing what the vendor does (2, Insightful)

bussdriver (620565) | more than 4 years ago | (#32258760)

Does it really help that much if the vendor gives you early access to security issues? It's not like they discover them all and probably 3rd parties are a large source of insight into their problems.

ONE vendor won't be that great; and MS hasn't done well for a long time. Outside the vendors is probably more useful information and the organized criminals and governments probably know of more than the vendor does. The problem is the vendor is not told or fails to listen etc. Linux on the other hand is not limited by be a specific vendor...

Re:Linux does this for everyone. (1)

_Sprocket_ (42527) | more than 4 years ago | (#32259054)

Doesn't Linux already do this, for everyone? The only people who are going to be fooled by this in the government are elitist pricks.

Oh. Directors. Well, of course - they're the ones who directly control the budget(s). Of course you want to get them on board.

Re:Linux does this for everyone. (1)

DrHex (142347) | more than 4 years ago | (#32261418)

Decision makers who understand the Open Source Model will thrive when others struggle to keep up in the long run.

Whom do you trust with the keys to the data of your organization? How transparent are they? Maybe know some of what's talked about in non-vendor circles? Who are your competitors? Does competition have a purpose in the Open Source Community?

How do companies differentiate themselves?

Re:Linux does this for everyone. (1)

psbrogna (611644) | more than 4 years ago | (#32263676)

Are you saying you think it's conceivable there are elitist pricks in the government? That can't be right.

Re:ah its for security (1)

rtb61 (674572) | more than 4 years ago | (#32264886)

Catch with that is, it will really blow up in their face. In dealing direct with governments, rather than in an open forum, the governments in question will no longer know if they get the same information at the same time. Obviously M$ would be in a perfect position to give different governments different information about specific security risks and vulnerabilities. No government will be able to corroborate that the same information was given to each government involved in the security risks and vulnerabilities or dare we say espionage and counter espionage 'er' software features.

Of course competitors can also rightfully complain, as a new government branch would need to be set up to create a joint office with M$ for M$ products to the exclusion of all other products. So M$ is working to force another lock in, government staff only trained to deal with M$ product lines along M$ software security communications lines.

Meh, stupid is as stupid does, there are real definitive reasons why product fault information is given to all customers at the same time, least of which is the spy vs spy crap, there are also competitive advantage disputes, purposeful misinformation and withholding of information to damage competitors and of course from M$ the inevitable product marketing lies about the number of, the nature of and, the age of all too frequent faults.

Re:ah its for security (1)

sakdoctor (1087155) | more than 4 years ago | (#32258642)

This is great.
I'll be able to patch my laptop using the government CD, on the train to London Waterloo.

Re:ah its for security (1)

gmuslera (3436) | more than 4 years ago | (#32260110)

I can see it. A top spy infiltrates a government, and steal his most precious secret: "Windows have bugs" The world is in danger after that.

WTF? (4, Insightful)

Anonymous Coward | more than 4 years ago | (#32257884)

Because governments would never help a company in their nation with industrial espionage.....

Mod parent up. (1)

khasim (1285) | more than 4 years ago | (#32258716)

Because governments would never help a company in their nation with industrial espionage.....

And also provide the patches to businesses based in their country.

Who decides if some Senator's web site (hosted on a .gov address) is more important than a hospital's network? And why?

That bad guys would love to tap into? (1)

chaboud (231590) | more than 4 years ago | (#32257892)

You mean governments, right?

I mean, seriously, the NSA had it easy already. This must have caused more than a few giggles at more than a few government agencies.

Unfortunately... (3, Funny)

brian0918 (638904) | more than 4 years ago | (#32257898)

Unfortunately for the government, the Omega program is only in alpha release.

Re:Unfortunately... (5, Funny)

Ethanol-fueled (1125189) | more than 4 years ago | (#32257920)

It's no surprise that they named it after Omega, the big gaping Goatse of Greek letters.

Re:Unfortunately... (2, Funny)

interkin3tic (1469267) | more than 4 years ago | (#32258010)

Unfortunately for the government, the Omega program is only in alpha release.

It's cool. Google's competing product (google search for "MS vulnerabilities"), has been in beta for 8 years now.

Re:Unfortunately... (1)

besalope (1186101) | more than 4 years ago | (#32258276)

Luckily a third-party group started to automate the process and bring it closer to release.

http://lmgtfy.com/?q=MS+vulnerabilities [lmgtfy.com]

Remember folks (2, Funny)

Pojut (1027544) | more than 4 years ago | (#32257900)

Every person you tell makes the information that much less secured. That's why I advocate any sensitive data being destroyed upon inception or realization. Support your local Thought Police! Donate Today!

Re:Remember folks (1, Funny)

Anonymous Coward | more than 4 years ago | (#32258022)

By raising Thought Police awareness you have created new ideas and are therefore guilty of Thought Crime, judgement will be dispatched in your area soon.

What a Waste (2, Interesting)

thegdorf (1222548) | more than 4 years ago | (#32257912)

This initiative is much too lame to warrant being called Omega.

Re:What a Waste (0)

Anonymous Coward | more than 4 years ago | (#32258354)

No, this is Microsoft's final step in their plan to destroy all governments, and to supplant them. Before Google does.

Re:What a Waste (2, Funny)

sakdoctor (1087155) | more than 4 years ago | (#32258574)

Microsoft Omega destroys internets, a chain reaction involving a handful of machines could devastate internet throughout an entire Class A. If that were to happen, p0rn browsing would become impossible. Fapping as we know it would cease to exist.

Not to worry (2, Interesting)

ArhcAngel (247594) | more than 4 years ago | (#32257914)

The government never reads the documents that cross their desk. They just see what their constiucorps want and vote yea or nay.

Re:Not to worry (1)

pavon (30274) | more than 4 years ago | (#32258694)

Hey now, there are a large number of hardworking individuals in the government who are not elected and don't cast a vote. They have to work a lot harder for their bribes, and third party security information would make their lives much easier.

I don't know what's better (2, Insightful)

retardpicnic (1762292) | more than 4 years ago | (#32257926)

The project's codename.. which means "the end" or the fact that now the gov't can rely on IMHO the absolute last people to know about the problem, and are at fault.. to give them early warning.

So what's the purpose? (1, Redundant)

calmofthestorm (1344385) | more than 4 years ago | (#32257930)

Is this so the government can more easily infiltrate vulnerable systems or so it can protect itself if it's using MS products?

Re:So what's the purpose? (1)

_Sprocket_ (42527) | more than 4 years ago | (#32259076)

Is this so the government can more easily infiltrate vulnerable systems or so it can protect itself if it's using MS products?

They're just replicating what's already going on in the private sector - from industry to counter-culture.

Secret decoder ring explodes... (1)

fahrbot-bot (874524) | more than 4 years ago | (#32257936)

The program, codenamed Omega, ...

So, a program about being the first to know is named "Omega" (meaning "last")?

Gar! They (some of them) R the bad guys (0)

Anonymous Coward | more than 4 years ago | (#32257948)

How are some governments not the bad guy? Thanks for doing me the consumer another disservice...

Awful idea (2, Insightful)

Anonymous Coward | more than 4 years ago | (#32257956)

That's just a terrible way to go about things in my opinion.

We all know that between the massive list of "government entities" there are bound to be some (perhaps even many) bad apples (be it in official capacity or just a sole individual). The implementation of this program would mean these individuals would get notification ahead of time that allows them to do the usual shenanigans of reverse engineering the solution (or just analysing the problem the patch supposedly fixes), and then build&release an exploit before Microsoft releases the patch to the general public.

I'd say a program like this will not make its participants (the government agencies) much more secure than they are now (some might even argue not at all), but will severely compromise the security of everyone else (the general public).

That's a good step 1... (0)

Anonymous Coward | more than 4 years ago | (#32257968)

Step 2: National firewalls around participating countries to firewall off those potential attacks (and any other undesirable material)

Just wait...

I'd be worried ... (1)

mrcubehead (693754) | more than 4 years ago | (#32257974)

Does this not give the gov't another way (with a limited time window) to peer into our personal affairs?

Omega seems to share too much (0, Offtopic)

bobs666 (146801) | more than 4 years ago | (#32257996)

By Governments, I read this as all Government that use the product. How about only sharing with the governments that protect your home?

Perhaps it would be better to only use products that you can read and write the code yourself. Should we keep the code under government control? Would we be safer if we stopped the black box types of software?

Re:Omega seems to share too much (1)

John Hasler (414242) | more than 4 years ago | (#32258052)

> By Governments, I read this as all Government that use the product.

No. All governments that pay the (no doubt substantial) fees to "join the program". And that's the upside: this makes finding "vulnerabilities" a revenue center.

Re:Omega seems to share too much (1)

KronosReaver (932860) | more than 4 years ago | (#32258352)

this makes finding "vulnerabilities" a revenue center.

Finding? Sounds like it makes not fixing vulnerabilities before release a revenue center...

Re:Omega seems to share too much (1)

Stray7Xi (698337) | more than 4 years ago | (#32258936)

No. All governments that pay the (no doubt substantial) fees to "join the program". And that's the upside: this makes finding "vulnerabilities" a revenue center.

Finding new vulnerabilities is too expensive. They could reduce costs by developing them directly. This would keep the marginal cost of vulnerabilities stable by patching new vulnerabilities in as you patch old ones out!

National Cybersecurity Undermined (1, Flamebait)

birukun (145245) | more than 4 years ago | (#32258000)

Time to move .gov off of Microsoft entirely. This negates some of the protection afforded by our nation in the event of a cyberwar.

Not like anyone can really win a cyberwar, it will be decided by who owns more bots......

Re:National Cybersecurity Undermined (0, Offtopic)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#32258300)

Arguably, the real factor in a cyberwar has less to do with exactly how many bots you own, and more to do with how good your "passive defense" is. "Passive defense" being the defensive value of those activities that make up your way of life, the stuff you do by default.

A nation of illiterate mud farmers wouldn't even know that a cyberwar had been declared. A nation that has been chasing automation, efficiency, and optimization for some decades would(barring truly incredible security) be completely fucked.

Re:National Cybersecurity Undermined (0)

Culture20 (968837) | more than 4 years ago | (#32258486)

Time to move .gov off of Microsoft entirely. This negates some of the protection afforded by our nation in the event of a cyberwar.

Actually, it's more an indication that everyone except .gov needs to ditch MS entirely. As this Anon-coward has pointed out, ordinary folk are made more vulnerable by this program. Just imagine if country X got a hold of the specifics of a wormable exploit with the assurance that ordinary folk in the U.S. won't get the patch until later. The U.S. govt would be potentially protected, but .coms, .nets, .edus ...
http://it.slashdot.org/comments.pl?sid=1656658&cid=32257956 [slashdot.org]

"Bad Guys" (1, Redundant)

John Hasler (414242) | more than 4 years ago | (#32258002)

> There's a stream the bad guys would dearly love to tap into.

RTFA. They already said they are sending it to governments.

Re:"Bad Guys" (0)

natophonic (103088) | more than 4 years ago | (#32258106)

What? You think they weren't already sharing the info with select multi-national conglomerates whose CEOs say "exxxxcellent!" while tenting their fingertips?

"Securing critical infrastructure?" (0, Flamebait)

cgenman (325138) | more than 4 years ago | (#32258024)

Because the best place for a secure critical infrastructure is on windows platforms. How else are you going to protect against Word Macro viruses?

Re:"Securing critical infrastructure?" (1)

dissy (172727) | more than 4 years ago | (#32259354)

Well you know what they say - The only true secure computer, is one encased in cement with no cables to the outside.

I guess a blue screened server is as close as one can get using software ;}

Pretty sneaky there Microsoft, one-upping Linux on security!

Microsoft SECURITY is an (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32258028)

( for the benefit of those who don't know):

OXYMORON [wikipedia.org] .

Anyone who believes Microslops crap about security needs serious medical attention.

Yours In Smolensk,
Kilgore Trout, C.E.O.

people (4, Interesting)

crsuperman34 (1599537) | more than 4 years ago | (#32258044)

As every black hat knows: you will not need to compromise the software. You just have to compromise one of the people working for the government in question.

Re:people (1)

alexhs (877055) | more than 4 years ago | (#32258800)

You just have to compromise one of the people working for the government

You don't even need to do that.
Economic espionage, someone?

Re:people (0)

Anonymous Coward | more than 4 years ago | (#32259974)

I'm hoping for recognition as Dictator of teh Interwebz. Wonder if they'll share the stream with me?

Re:people (1)

tehcyder (746570) | more than 4 years ago | (#32265898)

As every black hat knows: you will not need to compromise the software. You just have to compromise one of the people working for the government in question.

As opposed to having to compromise one of the people working for the company in question (Microsoft)?

Anyway, I thought we didn't believe in security by obscurity?

number of desks times security risk = (0)

Anonymous Coward | more than 4 years ago | (#32258056)

This information is going to cross a lot of government desks before someone can action it. Will every desk be secure?

Go MS foot gun!!!! GNU/Linux FTW (0)

Anonymous Coward | more than 4 years ago | (#32258072)

Gives them a bit of advanced notice to more effectively spy on their (and other countries') citizens. Any guesses on which countries' gov't will get first crack/juiciest? BTW MS trolls I haven't had to use the CLI to use Linux in like ages and the latest Ubuntu has worked with all the hardware I've thrown at it.

Early (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#32258094)

Is that early Washington state time or early Washington DC time?

WIKILEAKS (1)

aarenz (1009365) | more than 4 years ago | (#32258102)

WIKILEAKS!!! Here is your next big thing to publish. If anyone can get that info out to the public to protect our rights, they can do it.

Re:WIKILEAKS (3, Funny)

fredc97 (963879) | more than 4 years ago | (#32258252)

Actually an early information about security patches from Microsoft looks like that:

Product Affected: all versions of windows
Risk: Remote code execution
Rating: Critical
Reboot required: You betcha

Description: This vulnerability is even more serious than the previous 10 000 other Critical software updates, if 0 were the highest priority on a scale 1 to 10, this one would rate -10 000, see that's like super duper uber hyper critical times 3.

Re:WIKILEAKS (1)

whoever57 (658626) | more than 4 years ago | (#32258620)

Product Affected: all versions of windows
Risk: Remote code execution
Rating: Minimal
Reboot required: You betcha

Corrected that for you!

Bad Guys (0, Redundant)

devnullkac (223246) | more than 4 years ago | (#32258184)

There's a stream the bad guys would dearly love to tap into.

And giving the information to which governments will guarantee the "bad guys" don't get it? Does no one recognize that all these entities play for keeps and telling them about a vulnerability before anyone else is like throwing a bloodied sheep into a tank full of sharks? The sharks may get scratched up a bit, but they're used to it; the sheep will just get slaughtered.

This will not end good. (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#32258202)

I am so glad I use a non-MS operating system and by extension, non-MS everything else. This is going to get ugly.

Re:This will not end good. (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32259122)

I see the Redmond hordes have mod points today. Go ahead and waste them on AC's, jackasses.

Oxymorons abound (1, Insightful)

oDDmON oUT (231200) | more than 4 years ago | (#32258264)

Critical infrastructure / Windows

Seems like it's long overdue to realize that those two concepts are mutually exclusive.

Sounds like kind of a rip-off (5, Informative)

ivandavidoff (969036) | more than 4 years ago | (#32258266)

MS will provide information only "after our investigative and remediation cycle is completed..." In other words, after the vulnerability is discovered and fixed, and the patch is ready to roll out.

Then, "disclosure will happen just prior to our security update release cycles."

So the disclosure amounts to this:

"Tomorrow's MS Windows Update contains a security patch that fixes a serious vulnerability in your system. Oh, by the way, you have a serious vulnerability in your system."

"There's a stream the bad guys would dearly love" (1)

Culture20 (968837) | more than 4 years ago | (#32258302)

Bad guys like China? Aren't they a government of some sort in South America or Australia?

Shoring up the defenses (0)

dave562 (969951) | more than 4 years ago | (#32258394)

Looking at this situation I see Microsoft warding off yet another assault on their software stack. European governments have been making some high profile conversions off of the Microsoft stack (Germany comes to mind). One of the many reasons offered for those transitions has been the transparency of OSS, especially in relation to security issues. The creation of Omega looks like another acknowledgement from Microsoft that their competitors have better offerings, and Microsoft seems to be playing catchup. It wouldn't surprise me if their sales people are getting hammered during negotiations and Omega was conceived simply to address the complaints of customers.

Given the sheer size of Microsoft, incremental changes like this are the best that anybody can hope for. Pressure from end users (when those end users are large enough) will force the organization to change. The nonstop onslaught of security issues for the last decade has finally worn down people who previously never really cared about such things. An organization smaller than Microsoft would probably crumble as people searched for and found alternatives. Microsoft benefits from their size and locked in user base. They can leverage that forced patience to change more gradually.

In the end, I think Microsoft will continue to improve and become more customer centric. They simply have to. As more and more of the population becomes tech savvy, they will lean on Microsoft. Across the entire computing landscape, from Grandma Jane who gets tired of getting her Windows machine owned and ends up switching to OSX, to Fortune 500 companies looking to cut costs and improve their operations, there will always be people looking for a better way to get things done.

Slashdot Correction Alert: +5, Jalapeno Special (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32258416)

"There's a stream the bad guys would dearly love to tap into."

should read "There's a stream the bad guys HAVE tapped into.".

Now go ahead. Mod this post DOWN, lamerz !

Yours In Odessa,
Kilgore T., C.I.O.

NSA already has the list? (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#32258428)

I thought Microsoft already issued the list of deliberately inserted "software vulnerabilities" to the NSA as soon as they were made?

Oh wait, I get it! Now they are warning them in advance before plugging those backdoors.

Re:NSA already has the list? (0)

Anonymous Coward | more than 4 years ago | (#32259412)

I thought Microsoft already issued the list of deliberately inserted "software vulnerabilities" to the NSA as soon as they were made?

Oh wait, I get it! Now they are warning them in advance before plugging those backdoors.

Yeah, like the NSA encryption key they found in windows years ago. Scary stuff.

http://www.darkgovernment.com/news/remembering-the-nsakey/

speculating who's "first"... (0)

Anonymous Coward | more than 4 years ago | (#32258440)

CIA, NSA, or whatever you have in the US (or MS loses its tax cuts).
some parties close to MS.
governments (or they will go FLOSS).
some other parties less close to MS.
technet subscribers (they need some incentive to buy MSDN, since on the FLOSS side that stuff is free).
the general public. ...and that is only after MS noticed the flaw was found in the wild!

What is the nature of the data being shared? (2, Interesting)

WaveMotion (1810322) | more than 4 years ago | (#32258562)

If it's 3 days advance notice on patches like Microsoft's biggest customers get this is no big deal. If it's "Here are details on a vulnerability that we might patch next year with service pack 16", I'm afraid, very afraid.

A flawed perspective... (2, Insightful)

bradbury (33372) | more than 4 years ago | (#32258636)

So Microsoft has the flaws, the governments have the flaws, but we, the purchasers of windows software do not have the flaws. What is wrong with this model? Could it (cough) perhaps be that the software isn't open source (in which environments the flaws tend to be published openly on an extremely short time scale)?

IMO the last bastions of the purveyors of a flawed model would tend to recruit those in power to perpetuate said model. (Oh it's OK that there is a flaw because the powers that be know about it and we are going to fix it... eventually...)

Please please somebody, study the serious flaw correction rate in closed source vs. open source software (i.e. time from flaw discovery until flaw correction availability). I would hope that if this has not already been done someone is attempting to do it.

And shame on a majority of city, state and U.S. governments for operating on closed source software and not having concrete data with respect to flaws and vulnerabilities. If you worked for a corporation (at least one which knew the value of open source perspectives) your head would be on a "silver platter" for allowing the corporation to be open to the vulnerabilities of closed source software.

Simple. Ask Microsoft to warranty its products to be free of defects. And if it does not do so you are most probably utilizing products which probably contain defects. And that is a sad situation -- we are running reality with no more knowledge than we have of that of a "can-o-worms" [1].

1. To the best of my knowledge the genome sequence of the common garden worm is not known and even if it were there are probably few if any systems biologists who could explain in detail how it really works. Programs that have worked for hundreds of millions of years (e.g. worms) are probably fairly safe (even if we cannot explain how they work). Programs which have operated for less than 30 years and are driven by monetary criteria (profit margins, ROI, etc.) are probably an open source for concern.

Re:A flawed perspective... (0)

Anonymous Coward | more than 4 years ago | (#32260210)

Simple. Ask Microsoft to warranty its products to be free of defects.

I know as an AC I'll probably be ignored, but to the best of my knowledge no open source project gives me a warranty either. Does 'free' mean that they need not give a warranty? Can any shop give out 'harmful' samples?

Programs which have operated for less than 30 years and are driven by monetary criteria (profit margins, ROI, etc.) are probably an open source for concern.

My, you do like typing 'open' whenever you can don't you ;)
Also, monetary criteria aren't the only dangerous ones. So is a program by someone doing it as a hobby. Sure they care about it today, but just wait till they decide that fishing is their new hobby. Just because I have the source doesn't mean I have the inclination or abilities to read through the source code and fix things myself, or the resources to hire someone to do it for me (as an individual - since you use your argument to all 'purchasers of windows'). Open source doesn't really matter to most people. The source code is useless to me, as a consumer. I don't think you'd care for my Matlab code for a real-time controller that goes onto embedded systems for a sensor - at least most of my company's clients don't. They pay for a solution and don't care about the insides.

take a page out of (3, Insightful)

nimbius (983462) | more than 4 years ago | (#32258702)

the book of FLOSS guys. all your customers need to promptly know when you find flaws, not just the governments with the ability to restrict your sales and service. I'm talking about banks, schools, hospitals, and power plants.

License to hack! (0)

Anonymous Coward | more than 4 years ago | (#32258782)

This is insanity! So the government of US, UK, Israel, China, etc. will get information on vulnerabilities before the general public? The obvious outcome isn't a more secure government server, it is that the intelligence agencies will get a headstart on exploiting public and private systems the world over. It is a license to hack, for either industrial espionage or government espionage purposes.

What is a system administrator to do? There is no way to prepare for this kind of thing, the attack vectors will be unknowable by the general public. My only thought is to switch as many systems away from Microsoft as fast as possible. This is a total security nightmare.

-molo

Fixing the wrong problem. (0)

Anonymous Coward | more than 4 years ago | (#32258796)

Maybe it's just me, but it occurs to me that the hackers governments are worried about are pretty darn likely to be working for another government.

Isn't this just giving government-sponsored hackers the edge?

License to hack! (5, Insightful)

molo (94384) | more than 4 years ago | (#32258818)

This is insanity! So the government of US, UK, Israel, China, etc. will get information on vulnerabilities before the general public? The obvious outcome isn't a more secure government server, it is that the intelligence agencies will get a headstart on exploiting public and private systems the world over. It is a license to hack, for either industrial espionage or government espionage purposes.

What is a system administrator to do? There is no way to prepare for this kind of thing, the attack vectors will be unknowable by the general public. My only thought is to switch as many systems away from Microsoft as fast as possible. This is a total security nightmare.

-molo

Re:License to hack! (1)

_Sprocket_ (42527) | more than 4 years ago | (#32259128)

What is a system administrator to do? There is no way to prepare for this kind of thing, the attack vectors will be unknowable by the general public. My only thought is to switch as many systems away from Microsoft as fast as possible. This is a total security nightmare.

And how is any of this different today? You think the whole malware-as-a-service industry just popped up out of nowhere? There are already knowledgeable entities out there working to compromise your environment. Some of them may already be Governments. Waiting for input from Microsoft on what's a viable attack vector is coming late to the party.

Re:License to hack! (1)

thoth (7907) | more than 4 years ago | (#32259448)

This is insanity! So the government of US, UK, Israel, China, etc. will get information on vulnerabilities before the general public?

That's all you're worried about? The heck with vulnerabilities, Microsoft already shared their source code with China, Russia, and some NATO members... all to open markets of course, not for virus/rootkit writers. ;)
http://www.microsoft.com/presspass/press/2003/feb03/02-28gspchinapr.mspx [microsoft.com]

XML feed (0)

Anonymous Coward | more than 4 years ago | (#32259006)

XML Feed of Security Vulnerabilities now available at microsoft.com.

Feed does not pass validation.

You know you've been reading /. too much... (3, Funny)

Anachragnome (1008495) | more than 4 years ago | (#32259224)

The first time I read that headline, my brain completely omitted the word "data" without skipping a beat.

It sounded par for the course, I guess.

Re:You know you've been reading /. too much... (2, Funny)

eulernet (1132389) | more than 4 years ago | (#32263870)

In my case, I thought that "Flaw Data" was a new product from Microsoft.

Omega? give me a fucking break (0)

Anonymous Coward | more than 4 years ago | (#32259398)

Presidents, Prime Ministers, Your Excellencies:

Welcome! We call this our Omega Stronghold. From here, we conduct Omega operations around the globe ....

...And this, too, shall fail (0)

Anonymous Coward | more than 4 years ago | (#32259532)

Omega?????

Isn't OMEGA one of those names given to dangerous science fiction "black ops program" gadgets that malfunctions and destroys the earth?

Isn't OMEGA the operation that ends the world in spy novels????

...and MICROSOFT (secured computing at its finest) is doing this???

This can't end well.

No change to the release strategy (0)

Anonymous Coward | more than 4 years ago | (#32260168)

There's no change to the release strategy, e.g. properly penetration testing their software before it's released. Which seems to be the obvious first step.

I guess they just can't afford the costs of the extra layer of testing...

Alphabetical contact list (1)

flyingfsck (986395) | more than 4 years ago | (#32260376)

Nice. Chinese hackers are cracking their knuckles in anticipation.

Using Microsoft's alphabetical contact list in Outlook, the information will reach the People's Republic of China, before it will reach the USA government.

One More Demonstration of Microsoft's Total Idiocy (1)

Master of Transhuman (597628) | more than 4 years ago | (#32260542)

Back when Vista was being developed, they shared the code with the NSA in order to detect vulnerabilities.

So obviously what did NSA do? They found X vulnerabilities - and told Microsoft about X minus Y vulnerabilities.

Now Microsoft wants Mossad, an organization known for conducting massive espionage - both political, military and economic - against the US to have the same capability.

Dumbest mofo's in industry.

MS - security..... (0)

Anonymous Coward | more than 4 years ago | (#32261290)

Proprietary humbug with no backward compatibility.

In 5 years time no one except Linux geeks will be able to access anything Microsoft.

Office Mark 13: In Armageddon file Format.

It nukes itself to stop forward compatibility.

I love my country, most of us do, but... (1)

Douglas Goodall (992917) | more than 4 years ago | (#32261960)

In the light that our computers are completely out of control, one might ask, "Can we live without these things?". Well no. Not if you want to do business. UPS requires you to have Windows if you expect to ship... In 1984 (the book), big brother watched you using a television with a camera. Many people said, "Oh that would never happen". Well most new computers have webcams, are generally attached to the Internet all the time. The only thing that stands between this ugly fictional reality and our real-world situation is the security of the software we run on our computers. Now the company whose operating system seems to be entirely woven out of vulnerabilities has a program wherein they give the information about these vulnerabilities, not the public, which includes computer scientists capable of writing defensive code, but rather to the governments of the world, most of which don't like us. Given that the US government uses Windows, I would think this would be treason. If we didn't have a reason before, I think we have a reason now to consider getting off Windows and on to almost anything else, except maybe RedFlag.

around the world? (0)

Anonymous Coward | more than 4 years ago | (#32261970)

with governments around the world

You mean like Chinese government? Well, it is certainly going to appreciate your help, Microsoft, with hacking Google...

Step Back (1)

psbrogna (611644) | more than 4 years ago | (#32263734)

Why is any gov't willing to settle for an arrangement where a vendor agrees to provide specifics regarding the nature of a product's flaws rather than questioning why to use the product at all? And mind you, this is after two decades of a lot of knowledgeable people saying said product is flawed by design, by implementation & both to such a degree that it can never be safe.

Legality & Liability of Failure to Disclose (1)

psbrogna (611644) | more than 4 years ago | (#32263856)

[IANAL] If a company is compromised due to a flaw in a MS product that MS was aware of but had not disclosed to the company (and gov't would have proof of the failure to disclose via Omega), isn't MS liable for the cost of the incident because they had the knowledge to prevent the compromise but failed to alert the company?

Re:Legality & Liability of Failure to Disclose (1)

Alpha830RulZ (939527) | more than 4 years ago | (#32274746)

Not if they disclaimed all liability in the shrink wrap EULA. Which they do. Read one sometime, it'll be enlightening. Your windows based home control program could die due to a windows update, shutting off the power to grandma's iron lung, and MSFT would be free of claim. So, you'd be exactly in the same place as if you used Linux.

To the general point, for this crowd, MSFT can truly do nothing good. Giving the authorities a heads up once bad news is known is a bad thing? It sounds reasonable to me, and a prudent strategy for the company. I wonder if they give the US guys a little extra notice on the QT.
