
Microsoft to Introduce Faster Security Disclosures

timothy posted more than 9 years ago | from the mistakes-were-made dept.

Security 101

Starwax writes "Here's a very interesting strategy by Microsoft. After years of complaining about irresponsible disclosure of security alerts by grey hats, Microsoft will now confirm and discuss the vulnerabilities in a new pilot project launching on Tuesday. Advisories will be issued within one business day of a publicly reported security hole along with guidance and mitigation."


101 comments

eh0d is my daddy to have faster first posts (1)

eh0d is my daddy (825041) | more than 9 years ago | (#12464067)

is it possible? is it really really true? .. .must bE!

CDBEE still sucks. really bad though.

Business Day? (4, Interesting)

republican gourd (879711) | more than 9 years ago | (#12464069)

Microsoft isn't open on weekends? Is that too much to ask a multi-billion dollar company?

Waiting until Monday (especially as weekend time is usually the best to schedule downtime) strikes me as a silly idea.

Re:Business Day? (4, Insightful)

0x461FAB0BD7D2 (812236) | more than 9 years ago | (#12464117)

Would IT technicians come back on weekends to fix their systems? If not, then making vulnerabilities public at that time only helps script kiddies.

Waiting until Monday ensures that IT guys get a rest too.

Re:Business Day? (3, Insightful)

Gabey (18874) | more than 9 years ago | (#12464208)

Would IT technicians come back on weekends to fix their systems?

A good IT technician would do what it takes to keep their systems secure. Coming in on a weekend isn't asking too much. Too bad good IT technicians are tough to find.

Re:Business Day? (4, Insightful)

0x461FAB0BD7D2 (812236) | more than 9 years ago | (#12464255)

Good IT technicians do what it takes to keep their systems secure, given their resources. But expecting them to slave over their systems, testing and rolling out every new patch as soon as it's out is ludicrous.

If coming in on a weekend isn't asking too much, where do you draw the line?

Re:Business Day? (4, Funny)

SnprBoB86 (576143) | more than 9 years ago | (#12464325)

"where do you draw the line?"

I'm not sure where you draw the line, but I can tell you that if you would take a bullet for a server... you've crossed it, wherever it is...

Re:Business Day? (1)

iordonez (717634) | more than 9 years ago | (#12466815)

Shouldn't matter, MS servers are supposed to be bullet proof... HAR HAR HAR

Re:Business Day? (1)

vsprintf (579676) | more than 9 years ago | (#12464683)

If coming in on a weekend isn't asking too much, where do you draw the line?

Major releases of business-related (not e-business) software are usually done on weekends, and (in my experience) the coders as well as the admins are there to iron out the kinks. It makes for a solid rollout. It's part of being an IT professional, and I've been there a number of times. Would you like some cheese to go with your whine about missing the Saturday morning cartoons?

Depends (2, Insightful)

Craig Ringer (302899) | more than 9 years ago | (#12465020)

I'll head in on a weekend for really critical problems - for example, an OpenSSH vulnerability that I know will affect work's firewall. No way do I want to clean up the mess if I leave that unfixed - it sucks much less to go in on a weekend and fix it.

Most security holes are trivially fixed by remote admin anyway. "apt-get update; apt-get upgrade" and you're done in my case, usually. Windows admins have to use RDP/VNC/ICA and Windows Update, but can still get the job done pretty easily.

Of course, if the patch breaks something you need to go in, but in most cases it's really fuss-free.

Re:Business Day? (1)

Man in Spandex (775950) | more than 9 years ago | (#12465687)

where do you draw the line?

I can tell you where not to draw the line

*thinks of Simpsons* [jahozafat.com]

Homer: I'm drawing a line down the center of the house a la I Love Lucy. You stay on your side and I'll stay on my side.... D'oh!

Re:Business Day? (0)

Anonymous Coward | more than 9 years ago | (#12466164)

So if you have a mission critical system go down on the weekend, one which will bankrupt your employer if it's down for more than a few hours, your opinion is that it should stay down until Monday? Because it occurs on the two magic days each week that you abandon responsibility?

That's the tack you're taking right? Weekends are sacrosanct, damn the result. That's the line you're taking.

Frankly this isn't a matter of an MS engineer coming in on his day off. If the exploit comes out on Friday evening, they're not going to wait until Monday to look at things. That's not how companies like MS work - I have to point that out since you obviously work outside the commercial software industry.

Just because financial institutions encourage a lackadaisical work ethic doesn't mean the rest of the world can operate that way.

Re:Business Day? (1)

FidelCatsro (861135) | more than 9 years ago | (#12464214)

I agree partly, however. The weekend is also a peak time for script kiddies, what with no school/work and the servers being perhaps unattended.
A critical vulnerability in a server needs to be seen to as soon as possible. Waiting till Monday may mean that we get a couple of days' rest, but it also means that our server is vulnerable for those days.

Re:Business Day? (2, Insightful)

0x461FAB0BD7D2 (812236) | more than 9 years ago | (#12464268)

Perhaps. However, this is the downside of people making their discoveries public at inappropriate times.

If a system was created where people who discovered the vulnerabilities were credited in the advisories, which would be made public after a solution was found, it would solve pretty much everything.

Then again, Orwell taught me that utopia isn't all it's cracked up to be.

Re:Business Day? (1)

FidelCatsro (861135) | more than 9 years ago | (#12464328)

Indeed, I look at it like this though.
I would rather spend at most a couple of hours at the weekend securing my systems than spend a very stressful Monday (perhaps a few other days as well) restoring a compromised system or systems... then having to deal with the PHBs.

A lot of the time these vulnerabilities are discovered by black hats, so there is no real way of containing the info as it will slip into the community. So immediate disclosure of known vulnerabilities really does help.

Re:Business Day? (0)

Anonymous Coward | more than 9 years ago | (#12464454)

Apparently you are unaware that the "vuln" can come from anywhere and at any time. Maybe from Microsoft or an independent firm or some kid in his basement. Arguing any level of withholding important information is just asking for trouble from Murphy's Law.

Re:Business Day? (1)

Spoing (152917) | more than 9 years ago | (#12464566)

Would IT technicians come back on weekends to fix their systems?

A good sys admin -- properly appreciated by management $$$ -- would or at a minimum lock the systems down so that this isn't an issue.

Re:Business Day? (1)

vsprintf (579676) | more than 9 years ago | (#12464603)

Waiting until Monday ensures that IT guys get a rest too.

Our sysadmins usually schedule upgrades, patches, etc., for the weekends so as not to disrupt normal business. Then, they get to take a day off during the week. What's wrong with your company?

Re:Business Day? (1)

0x461FAB0BD7D2 (812236) | more than 9 years ago | (#12466612)

If they get time off for their work, that's great. However, the question is what if a vulnerability is made public on a day the admins have off?

It's not so much about the weekend itself as it is about time off for admins and techies.

Also, many managers don't like giving admins time off during business days in case business is disrupted. They also have to minimize costs so they can't hire a shift team.

Re:Business Day? (1)

vsprintf (579676) | more than 9 years ago | (#12470103)

However, the question is what if a vulnerability is made public on a day the admins have off?

If it was critical, some or all of our admins, being the professionals they are, would come in (or do the work from home) and take time off another day.

Also, many managers don't like giving admins time off during business days in case business is disrupted.

It sounds like you work for a pretty short-sighted company. They won't get the best results that way. It makes me happier about the place I work at. I hope you find a better employer someday.

Re:Business Day? (1)

rhizome (115711) | more than 9 years ago | (#12464649)

Cracktastic!

I don't know where you live, but around here anybody who admins machines that are exposed to script kiddies tends to have things like cellphones and 24-7 coverage as part of their job description. Your line of reasoning just strikes me as weird, since security problems are one of the main reasons for nighttime visits and weekend upgrades (along with badly coded daemons/services that have to be babysat). I just don't get it.

Re:Business Day? (1)

wdd1040 (640641) | more than 9 years ago | (#12464657)

If you really have to "come back on weekends" to patch your systems then you're not much of an admin.

I can test and roll out a patch from the comfort of my armchair at home. Why can't you?

Re:Business Day? (1)

0x461FAB0BD7D2 (812236) | more than 9 years ago | (#12466604)

If you can, that's fine. The OP was talking about coming back on weekends, i.e. the ability to patch remotely doesn't exist.

It's about hypotheticals here.

Re:Business Day? (1)

dantheman82 (765429) | more than 9 years ago | (#12465272)

Now if we could only implement a policy so that hackers only operate during normal business hours. Also, it would be helpful if they stick to Eastern Daylight time, rather than Russia Standard Time or whatever.

Re:Business Day? (1)

dago (25724) | more than 9 years ago | (#12466565)

When it's the weekend in Seattle, it doesn't mean it's the same everywhere else due to different timezones, religions, working times. IIRC, the normal work week begins on Saturday at 2300 PST.

Moreover, big companies can afford having a 24/7 security team and many actually do it.

Re:Business Day? (1)

conteXXt (249905) | more than 9 years ago | (#12464441)

= all 7 of them.

It's a connected globe.
If they think Mon-Fri is going to work, they will learn some new feelings about the weekends.

Businesses run their Windows machines on weekends? (1)

bayerwerke (513829) | more than 9 years ago | (#12464889)

I think the easiest way to deal with this would be to just put one of those lamp timers on your Windows box to cut AC power on Friday 5 pm and switch it back on Monday at 9 am, saves on unnecessary tape usage too.

Re:Business Day? (1)

jpickett (877858) | more than 9 years ago | (#12477156)

If you're an IT admin and are actually vulnerable to most of the security holes in their OSes, I would have a hard time sleeping ANY weekend. Make users just that, USERS, and you remove several attack vectors and might, just might, be able to wait until Monday. Or Tuesday... Or sometime else down the road.

OMG I DID NOT FAIL IT FIRST P0ST (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12464070)

I AM IN CHARGE

i hate to sound like a total dunce (1)

Neitokun (882224) | more than 9 years ago | (#12464071)

but what is a grey hat?

Re:i hate to sound like a total dunce (5, Funny)

filtur (724994) | more than 9 years ago | (#12464096)

but what is a grey hat?

Someone who can't decide on whether to be a black hat or a white hat. Kinda like Michael Jackson

Re:i hate to sound like a total dunce (0)

Anonymous Coward | more than 9 years ago | (#12464316)

but what is a grey hat?

Someone who breaks into your Windows box and prints out a step-by-step guide to setting up a firewall on your Epson.

Re:i hate to sound like a total dunce (1)

Prof.Phreak (584152) | more than 9 years ago | (#12464432)

but what is a grey hat?

A color blind RedHat user?

Re:i hate to sound like a total dunce (0)

Anonymous Coward | more than 9 years ago | (#12466284)

<Insert joke about MJ and script kiddies here>

Re:i hate to sound like a total dunce (1)

Anonamused Cow-herd (614126) | more than 9 years ago | (#12466704)

Someone who can't decide on whether to be a black hat or a white hat. Kinda like Michael Jackson

I believe the color you are looking for there is a nice shade of ass for that hat.

Re:i hate to sound like a total dunce (0)

Anonymous Coward | more than 9 years ago | (#12467139)

Unlike you, he just ain't into slavery.

Jackson is more Man than you'll ever be.

Re:i hate to sound like a total dunce (4, Informative)

YouCanCallMeAl (773817) | more than 9 years ago | (#12464097)

Gray Hat [wikipedia.org] Somewhere between a "good guy" and a "bad guy" in terms of computer security.

Re:i hate to sound like a total dunce (3, Funny)

commodoresloat (172735) | more than 9 years ago | (#12464113)

It's a big cone shaped hat you have to put on before you sit in the corner.

Re:i hate to sound like a total dunce (2, Insightful)

vsprintf (579676) | more than 9 years ago | (#12464736)

It's a big cone shaped hat you have to put on before you sit in the corner.

Okay, can we get the PC police over here? That is no longer allowed because it might damage the self-esteem of people who have no reason to have any. Take the poster away, and book him.

Re:i hate to sound like a total dunce (4, Informative)

m50d (797211) | more than 9 years ago | (#12464118)

A hacker/cracker who does illegal stuff but not unethical things.

Re:i hate to sound like a total dunce (1)

AstroDrabb (534369) | more than 9 years ago | (#12464172)

What "illegal" things can a Grey Hat do that is not unethical? From what I have read, a Grey Hat is neutral, and doesn't care about corporate profits. So generally, a Grey Hat will not withhold a vulnerability just so some corp can spin it how they want.

What exactly can a Grey Hat do that is illegal? Is disclosing a vulnerability without getting the consent of some big corp "illegal"?

Re:i hate to sound like a total dunce (1)

m50d (797211) | more than 9 years ago | (#12464236)

Break into an interesting system to take a look around?

Re:i hate to sound like a total dunce (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12464260)

What "illegal" things can a Grey Hat do that is not unethical?

A greyhat just turned eighteen. His seventeen year old boyfriend will turn eighteen in two weeks. So the greyhat offers up his asshole for a ravaging and it is illegal but it is not unethical.

It happens everyday.

Re:i hate to sound like a total dunce (2, Interesting)

DeityAvatar (804062) | more than 9 years ago | (#12464125)

Like a True-Neutral alignment in D&D terminology. They're a kit of the Hacker class, focused on searching out and exposing security vulnerabilities in software, and releasing that information to the public at large. Lawful-Good White Hats would be more likely to send in the information to the company without public exposure. Chaotic-Evil Black Hats (crackers) are the types more likely to exploit the vulnerabilities for their own nefarious purposes. Grey Hats are quite cool.

Re:i hate to sound like a total dunce (0)

Anonymous Coward | more than 9 years ago | (#12464503)

Wow!

That was quite the nerdiest answer I've read in some time - even on Slashdot :)

Re:i hate to sound like a total dunce (0)

Anonymous Coward | more than 9 years ago | (#12465562)

perhaps. but you know you understood everything he said. =P

Re:i hate to sound like a total dunce (0)

Anonymous Coward | more than 9 years ago | (#12465581)

here are my greyhat hacker stats:

name: thor0n
sex: male
age: 25
class: hacker
alignment: chaotic neutral

str: 9
dex: 10
int: 16
wis: 17
cha: 13

equipment
*********
ibm thinkpad G
linux global domination shirt
cargo pants
sandals
tcp/ip illustrated vol. 3

Re:i hate to sound like a total dunce (1)

anandpur (303114) | more than 9 years ago | (#12464184)

"Gray hat" is a skilled hacker who sometimes acts legally and in good will and sometimes not.

http://en.wikipedia.org/wiki/Gray_hat [wikipedia.org]

Re:i hate to sound like a total dunce (1)

Abreu (173023) | more than 9 years ago | (#12464250)

...but what is a grey hat?

It's an aluminum foil cover for your thoughts... You should never leave home without it in today's insecure world.

Microsoft will surely start selling them soon, although, like most of their security measures, it is released almost too late.

Re:i hate to sound like a total dunce (1)

fbjon (692006) | more than 9 years ago | (#12464804)

Don't forget the large security holes.

From wikipedia... (2, Informative)

gahzinia (816336) | more than 9 years ago | (#12464475)

http://en.wikipedia.org/wiki/Gray_hat [wikipedia.org]

In the computer security community, a "Gray hat" is a skilled hacker who sometimes acts legally and in good will and sometimes not. They are a hybrid between white and black hat hackers. They hack for no personal gain, and do not have malicious intentions, but commit crimes. For example, attacking corporate businesses with unethical practices could be regarded as highly ethical and yet would normally be tagged with the title of Blackhat activity. However, to a Gray hat, it may not appear bad even though it is against that local law. So instead of tagging it Black hat, it is a Gray hat hack.

First Post?! (-1, Troll)

orionware (575549) | more than 9 years ago | (#12464072)

First Post!

No. (0, Redundant)

dejavudeux (855613) | more than 9 years ago | (#12464077)

(See subject)

Good! (0)

Anonymous Coward | more than 9 years ago | (#12464073)

It's about time MS did something like this. Hopefully they will keep honest about it.

Ask Slashdot: does getting sucked count? (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12464078)

I've got this gay friend-of-a-friend who says he wants to suck me off. I told him that I am not gay and he says he knows that - but he also says that getting sucked off by another man is not really gay sex so I don't have to worry. I'm not going to turn into a fag or something.

I still don't know about it. I mean I know it shouldn't feel any different if I get sucked by a guy or a girl, but having a dude fondling my wiener still kind of creeps me out.

What do you think?

Re:Ask Slashdot: does getting sucked count? (0, Offtopic)

orionware (575549) | more than 9 years ago | (#12464087)

If you need to consider it, then you are already gay :)

Re:Ask Slashdot: does getting sucked count? (0)

Anonymous Coward | more than 9 years ago | (#12466867)

It doesn't count as gay if you make him wear a nice hat and some ladies shoes.

Security Through Selective Publicity (3, Funny)

Doc Ruby (173196) | more than 9 years ago | (#12464093)

Microsoft will now announce that Microsoft will announce security alerts within one business day of their reporting to Microsoft. Microsoft announces that any security holes not announced by Microsoft must therefore not exist. It's the industry standard: "We [wired.com] have a policy that we are not being hacked."

Re:Security Through Selective Publicity (3, Insightful)

AstroDrabb (534369) | more than 9 years ago | (#12464239)

While a lot of mods modded you up Funny, this is exactly what will happen. MS will just announce the exploits they want. Those exploits will be the ones they have a quick-fix for. MS is all about marketing. MS wants to be able to say, "See, we fixed XXX number of bugs/holes this past year and we fixed each one in 24 hours of 'notification' or less."

MS will just overlook any 'exploit' they can't fix in a timely fashion and say that those exploits/bugs were never reported to them "correctly".

Give me a call when MS becomes a _real_ company and just owns up to the fact that there will always be bugs in code. As a Senior Programmer for a Fortune 500, I can back up that statement. Bugs/exploits happen and there is nothing anyone including MS can do about it. The best/only thing MS should do is just have a mailing list that notifies any subscriber about any reported possible bug/exploit. These notifications shouldn't have to go through a bunch of bean-counters.

nice try! (1)

Erris (531066) | more than 9 years ago | (#12466388)

... the fact that there will always be bugs in code. As a Senior Programmer for a Fortune 500, I can back up that statement. Bugs/exploits happen and there is nothing anyone including MS can do about it.

Very subtle. Admit that M$ junk is full of holes. Admit that M$ will never be able to fix them and that this announcement is just another PR stunt from the kings of marketing BS. Then, slip - o - change - o, spout that other M$ company line, "no software is better than ours."

Not all bugs are created equal. Give me a call when you find a few holes in OpenBSD. You might find one in the next decade. Give me a call when Linux boxes are responsible for 1/100th the spam, extortion and other malice that floods out of broken M$ members of the Botnet. I don't think so, ever, not even when M$ is driven down to the legacy 10% of the market they deserve. It's not that people are not trying to break high profile free software run sites, it's that they can't. Fortune 500 companies, such as yours, lavish more money per function on Winblows boxes than they do on *nix, so it's not because Winblows is not as well maintained. Desktop linux users are all over the place, where are the automated worms? It's not happening.

The best/only thing MS should do is just have a mailing list that notifies any subscriber about any reported possible bug/exploit.

I think they should just give up and go away.

Re:Security Through Selective Publicity (1)

Pollardito (781263) | more than 9 years ago | (#12464480)

The alternative is that they'd just issue a weekly announcement that a buffer overflow was found, and then within hours they'd be proven correct. Disclosures don't come faster than that.

Re:Security Through Selective Publicity (1)

failedlogic (627314) | more than 9 years ago | (#12465303)

I think it is a PR move. With a Paul Thurrott review of the most recent Longhorn build leaving him unimpressed and saying that OS X Tiger is far superior, what better way for MS to rebuild its image than to announce faster security responses.

It is true, in fairness, that MS left a lot out of the most recent public Longhorn build. Still, it must have struck a chord for more PR.

Re:Security Through Selective Publicity (2, Interesting)

Doc Ruby (173196) | more than 9 years ago | (#12465363)

It's interesting that MS has been unable to address so many longstanding, and critically serious, problems with Windows. Big ones like security holes/notices/patches, and little ones like "DB filesystem". And all manner between. With their huge financial and labor resources, so comfortably insulated from really compelling competitive pressure, they'd probably solve (or at least meaningfully address) those problems with real action by now, rather than mere marketing prattle, if they could. If they haven't, they probably can't - organizationally, not technically prohibited. Which is the death knell for a large corporation. The bigger they are, the harder they fall. Though with so much of our economy, industry, and even national security dependent on them, it's hard to feel good about them finally getting out of the way sometime, in such a style.

Re:Security Through Favored Customers (0)

Anonymous Coward | more than 9 years ago | (#12466559)

Wonder how this fits in with their policy that Governments get the patches before businesses [informationweek.com]

Oh great (0)

Anonymous Coward | more than 9 years ago | (#12464130)

And I bet a lot of their answers will include either "disconnect the computer from the network" or "stop using the computer"

Interesting Strategy? (4, Insightful)

lecithin (745575) | more than 9 years ago | (#12464135)

"Advisories will be issued within one business day of a publicly reported security hole"

If it is already public, does it matter? So, does this mean that if they know of something, they are going to wait until somebody else finds the problem and makes it public before letting their customers (and the rest of the world) know?

I'm missing the interesting strategy on this one. Just sounds like they want us to think that they are being proactive. I dunno. Perhaps I am the only one that thinks that Microsoft is evil.

Re:Interesting Strategy? (2, Interesting)

Eberlin (570874) | more than 9 years ago | (#12464191)

Here's the general idea: first be adamantly pissed off when people release bug information publicly (not telling the story that the same folks notified MS about it eons ago only to find Microsoft ignoring them)

Then once enough people catch on to this, create a press-release saying "we're on the ball, we're looking into this, and we're doing all of this because that's what customers want and we do what our customers ask for."

Sounds like standard "Trustworthy Computing" practice to me.

Re:Interesting Strategy? (0)

Anonymous Coward | more than 9 years ago | (#12464240)

Yes... you are the only one who thinks they are evil. Now stop it.

Re:Interesting Strategy? (1)

MooseByte (751829) | more than 9 years ago | (#12464263)

"I'm missing the interesting strategy on this one. Just sounds like they want us to think that they are being proactive."

Exactly. Hasn't MS in the past tried to get people to sign NDAs re: bugs that a person has discovered? If they can succeed in keeping the knowledge out of the public eye, then by this policy they could bottle it up, avoid announcing it, and still claim they're being proactive.

"Perhaps I am the only one that thinks that Microsoft is evil."

Not by a long shot.

Re:Interesting Strategy? (1)

gahzinia (816336) | more than 9 years ago | (#12464522)

If it is already public, does it matter?

Yes, for people that don't read the article that publishes the problem. Granted, news of the problem will be spread all over the net very rapidly, but Microsoft admitting that it is a flaw and not a feature carries a little more weight than joe hacker posting on some blog.

Re:Interesting Strategy? (1)

vsprintf (579676) | more than 9 years ago | (#12464833)

Perhaps I am the only one that thinks that Microsoft is evil.

You've got to be kidding. New poll topic:
Microsoft is:

  • The best thing since white bread (pablum is good also)
  • The only way to protect our IP (hand over heart)
  • The capitalist software of choice (no dirty pinkos allowed)
  • The only secure way to use a computer (obscurity is very good)
  • Evil incarnate (The courts have to be right occasionally)

Re:Interesting Strategy? (1)

scruffyMark (115082) | more than 9 years ago | (#12466261)

Microsoft would of course prefer people who find vulns to contact them directly, then they can work on a patch, and people can release the information after the patch is out. Read full-disclosure the week after Microsoft's monthly patch-release day, and you'll see that a great deal of that happens.

For a vulnerability to be "public" it needn't be all that public - most admins don't read bugtraq and FD on a daily basis, so they don't find out about the vulnerabilities when they become "public". They hear about them when Microsoft issues a patch and advisory. Mostly that's shortly before the posting with the exploit code hits the mailing lists.

I guess until now they weren't acknowledging that a vulnerability existed until the Appointed Day. I'm not sure when they introduced this monthly pill business, but it seems they're backing off somewhat. The "There are no 0days. All exploits are coded by reverse-engineering our patches" routine was getting ridiculous.

Re:Interesting Strategy? (2, Interesting)

DaedalusHKX (660194) | more than 9 years ago | (#12466270)

No, I have the same issue, and I've worked for a Microsoft partner recently. They do way too much PR and lie entirely too much. I hate M$ and their lies with a passion, even if, beforehand, I had thought people were unjustly hateful of Microsoft. Now I know why, firsthand.

And no, you did not misread my statement. I "hate" them. Passionately. And I feel entirely justified. If you dealt with some of the internal mail I've dealt with, any of you with a conscience would never get another hour of sleep. I am fortunate my conscience was on hold for a few months before I woke up and made up my mind to leave that place. What disgusts me more than anything is the way they tell people that IE, or Exchange or Server 2003 is such a pearl. Heh. Oh yes... it *really* cuts down on the costs. Right. I've sent some hefty bills out in recent months. I cannot read those "lower TCO" "facts" any longer without feeling my stomach tighten painfully. I've seen that "lower TCO". Unless someone does work outside of billable hours, Windows and Microsoft cannot stand on their own. If one reads the content of their filings in the antitrust case they've somehow been acquitted of, one can see that they never could. (I am too lazy to seek out the links, but I've read through it all once before to "disprove" to a customer that MS had lied in court.)

Re:Interesting Strategy? (1)

taboo959 (651104) | more than 9 years ago | (#12468745)

Ummm....why do you say acquitted?

The impression I had was that they were found guilty, but ninjas came in the night and removed the spines of the entire Justice Department....so MS was never properly punished.

There is still a problem ... (3, Interesting)

El Cubano (631386) | more than 9 years ago | (#12464146)

Advisories will be issued within one business day of a publicly reported security hole along with guidance and mitigation.

So, Microsoft only will do something if inaction stands to bring them negative attention. What I would like to see from Microsoft (and other commercial and/or closed source vendors) is a commitment to treat the security holes their own developers discover in the same way.

I just don't think it is right to withhold the information, especially if admins can use it to secure their sites, until the threat of public disclosure by a third party is imminent or past.

Re:There is still a problem ... (1)

sourabhkothari (847285) | more than 9 years ago | (#12464206)

Once a security flaw is detected you never know how much time it'll take to address it, that is, to release the necessary patch for it. So if a threat is detected by MS's own engineers it makes sense to not make it public, because it might not be possible to counter that flaw without a patch, rather than making it public and falling prey to the hackers who might try to abuse that flaw.

Re:There is still a problem ... (2, Insightful)

innocent_white_lamb (151825) | more than 9 years ago | (#12466496)

So if a threat is detected by MS's own engineers it makes sense to not make it public

I couldn't disagree more.

Who's to say that a flaw discovered by MS employees wasn't discovered months ago by the bad guys who have been running rampant over MS-powered sites lo these many months?

If there is a flaw, tell me about it. Then I can make an informed decision to deal with it, which could include shutting down some services, installing patches, doing stuff in a different way that is less exposed to the flaw, or you-name-it. Even pulling the plug.

But if I'm kept in the dark and don't even know that a flaw exists, how am I to deal with it?

Re:There is still a problem ... (1)

badriram (699489) | more than 9 years ago | (#12464379)

Why not treat opensource the same way too. Most opensource projects have similar rules like closed source vendors.
Information cuts both ways: it protects those who know how to secure, and sacrifices those who do not know how to secure.

There is no one good way to release vulnerability information, no matter what you will sacrifice someones needs. The best you can do is to keep the majority in mind.

Re:There is still a problem ... (1)

Spoing (152917) | more than 9 years ago | (#12464762)

Why not treat opensource the same way too. Most opensource projects have similar rules like closed source vendors. Information cuts both ways: it protects those who know how to secure, and sacrifices those who do not know how to secure.

Can you give an example? I can't think of one OSS project that handles security issues like Microsoft -- either in the past or if there is any meat to this new proposal.

oh fuck (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#12464157)

In short this is Microsoft's way of going "oh fuck!" because OSS is starting to take away a large percent of its market or will soon.

MS are pulling loads of "innovative projects" out of their arses and going "look, we're doing new stuff! just hold on we'll fix it!"

My favorite line (5, Insightful)

portwojc (201398) | more than 9 years ago | (#12464197)

when researchers jump the gun and release vulnerability details before a patch is available.

Jump the gun? Oh that's right telling Microsoft there's a security flaw and waiting months before going public is jumping the gun after all.

Gotta love these articles. Nice spin make the researchers look like the bad guys...

At least now we'll get to hear about flaws quicker and that they don't have a patch or a work around.

no, they're completely right... (0)

Anonymous Coward | more than 9 years ago | (#12464323)

I forgot who, but a couple months ago, a company gave MS details about an exploit. They then kept quiet for months, but then inexplicably released exploit info two days before MS released the fix.

It is well known that MS releases the fixes on certain days of the month, and they would have known MS was about to release the fix, since they work with MS to fix it.

So in this case, there is no other explanation other than this company figured they'd get a ton of press by releasing the exploit info before it was fixed instead of after.

I searched for the link, but I can't find the story, I'm sorry.

But I posted about it at the time (sadly, I don't have /. account so I can't search for my post) and if I were Microsoft I would have been very angry that a security company had clearly released security hole information strictly for the PR value.

Re:no, they're completely right... (1)

10101001 10101001 (732688) | more than 9 years ago | (#12464690)

if I were Microsoft I would have been very angry that a security company had clearly released security hole information strictly for the PR value

But that's precisely because the good PR for the security company is bad PR for MS, since MS PR has constantly been pushing the belief that the time between exploits being public and patching is really small. The fact is, the security company not releasing the exploit information earlier was a favor to MS. The actual exploit was MS's fault and existed regardless of if the security company had said anything. The fact is, MS should have released an advisory and patch as soon as possible to mitigate damage for users (in your example the advisory would have made the security company's announcement moot).

If MS and MS PR worked harder to do what was best for the user, there'd likely be a lot less bitching by /. geeks, including me. Stats look good to the PHB, and that's all MS PR really seems to care about. Is it any wonder why /. geeks might be a little upset about how little truth the stats really convey or have little sympathy when MS complains as if someone else is to blame for them not stepping up and dealing with problems as soon as possible, be-damned how bad the stats might look.

good PR isn't worth people getting hacked... (0)

Anonymous Coward | more than 9 years ago | (#12465231)

You actually think it's okay for a company to release exploit info if they're going to get sufficient PR for it?

The issue here is a company didn't release the info until just BEFORE MS released the fix. They knew MS already had fixed it, just hadn't rolled it out yet (was going to happen in two days). By releasing this info early, they didn't spur MS to fix anything, they had already fixed it. Instead, they just got more glory for themselves. And at what risk? Only everyone who has a computer running MS software...

This is just plain greed by this company, not some kind of social service.

And no, the advisory wouldn't have made this security company's announcement moot. Their announcement contained specifics MS doesn't put in their advisories, like explicit steps to exploit.

I believe MS is doing what they can, it takes time to fix software and release it, and be sure you didn't do more harm than good. MS in general (not always) is responsive to reports of exploits.

And the company not releasing the exploit info earlier wasn't a favor to MS, it was a favor to us all. A big favor to those who use MS machines and smaller favor to others who would have been affected by a worm circulating the internet or more spam from owned machines.

Either way, keeping silent two days before the fix is just greedy. It's a PR grab, get the thunder before it goes away. This kind of "I'll get mine, others be damned" hurts us all.

Maybe they could do better, but releasing info that will allow the script kiddies to create havoc isn't the right way to go about improving the situation.

Re:good PR isn't worth people getting hacked... (2, Interesting)

10101001 10101001 (732688) | more than 9 years ago | (#12466468)

You actually think it's okay for a company to release exploit info if they're going to get sufficient PR for it?

If by okay you mean it should be legal, yes. If by okay you mean it should be encouraged, sure. I'd appreciate it if a proper advisory was published at least a day before the exploit was released. But like I said, it's okay legally to print it anytime.

And no, the advisory wouldn't have made this security company's announcement moot. Their announcement contained specifics MS doesn't put in their advisories, like explicit steps to exploit.

You obviously don't understand what an advisory is. A proper advisory lists steps to avoid being exploited. This might be as simple as blocking a port or as deep as disabling a service which one needs. As such, a proper advisory by MS would mean that those who took steps to avoid being exploited would not be exploited even if the security company released details about the exploit. Of course, for those unwilling to disable services the release of the exploit doesn't help them, though it might not hurt them any if the exploit is already well known by black hats or other exploits exist which are more convenient to use.

And the company not releasing the exploit info earlier wasn't a favor to MS, it was a favor to us all. A big favor to those who use MS machines and smaller favor to others who would have been affected by a worm circulating the internet or more spam from owned machines.

Just because it was a big favor to everyone doesn't mean it wasn't a favor to MS. MS PR uses the public exploit to patch time as a statistic to try to make their software look better. At the same time, if the company hadn't released the exploit ever there's nothing to have kept MS from silently patching the exploit (like I'm sure it silently patches exploits it finds) without ever making it known there was ever a problem.

Either way, keeping silent two days before the fix is just greedy. It's a PR grab, get the thunder before it goes away. This kind of "I'll get mine, others be damned" hurts us all.

No doubt it's a PR grab, just as sleazy as MS PR. You don't see me calling for an end to MS PR, do you? That doesn't mean I don't criticize MS and MS PR for not doing a better job in the first place to mitigate risk for people. Having stated that, I would love to see the security company releasing a proper advisory and possibly advise replacement software such that the exploit would be moot. If you have any other suggestions on ways the security company could have maximized the security of users, I'm all ears. Obscurity, in this situation, doesn't maximize security.

99% marketing, 1% useful, I'm sure (2, Insightful)

devitto (230479) | more than 9 years ago | (#12464292)

I discussed this with the MS Head of UK security (during an MS/ISSA conference) and he nearly bit my head off. Mostly because I wouldn't back down, saying "You only confirm a problem, and release a fix, when you know bad press is on the way." and followed up with "What is the point of announcing 'There is a big Windows bug out on Tuesday' without enough information to judge impact - either before or after the announcement..."

I seriously doubt that this will make any difference, except to CTOs who are getting pressure to go to Linux...

MS is a sales and marketing machine, with massive numbers of legal eagles, and a few software engineers.

Re:99% marketing, 1% useful, I'm sure (0)

Anonymous Coward | more than 9 years ago | (#12466888)

Well I recently went on a training course which was run by someone with a connection to MS (no details etc. to protect identities). And he made the most telling point I've heard about MS.

"What you've got to realise is that Microsoft aren't primarily a software company. They're actually a marketing company who happen to market software".

Too fucking true and explains why Windows is such a piece of unstable, insecure, badly programmed shit.

Wow! (2, Funny)

Primal_theory (859040) | more than 9 years ago | (#12464399)

So we'll have them in under 5 years?!?! NO WAY!

Faster than they currently do? (1, Interesting)

Anonymous Coward | more than 9 years ago | (#12464588)

That could be nothing more than moving up from snail races to tortoise races. It's not like Microsoft is fast about these things to begin with anyway.

Woo hoo.

I can hardly contain my excitement.

Getting better (0)

Anonymous Coward | more than 9 years ago | (#12464768)

Much better than their current process. Still a ways to go in my opinion. Mitigation advice should be given as soon as it's available - even if they don't give details about what is being protected against. Just a simple "turn off 'x'", or "change the value of a to b".

I should not be left at the mercy of black hats while MS sits on information that could have protected me.

But as much as I dislike MS this is a positive move.

Dateline: Redmond, Washington 2010 AD (2, Funny)

craXORjack (726120) | more than 9 years ago | (#12464946)

At a Microsoft press conference today, aging software tycoon William Gates III touted his company's new "Accessible Code" policy whereby developers may examine the uncompiled routines which make up the Windows operating system and modify it to suit their needs provided they publicly release their changes under the same MSAC license.

Gates also outlined several points which he says give Microsoft an advantage over "Open Source Software" such as the ubiquitous Linux operating system and the Apache web server which runs more than 92% of all internet sites. Among these points were: advisories addressing publicly reported security vulnerabilities within one business day, free usage of Microsoft software by anyone (the Microsoft patented Pay-only-for-support model), and remarkable stability since there is no pressure from Marketing to release an unready version just to realize a revenue stream.

'These policies combine synergistically to leverage Microsoft over Open Sores Software', said Gates. 'The American system of patents and copyright clearly works. It gives people the freedom to choose. Because of this, almost half of all computer owners choose Microsoft Windows to be their desktop operating system. And the American jobs it creates may be yours. Recently after hiring 58,000 Bangladeshi software engineers, we created over 100 new jobs for Americans to proofread those engineers' milestone reports.'

'And if it weren't for our trusted copyright system, the Walt Disney Corporation would have had to lay off many of the foreigners they import from third world countries to sell snow-cones and wear that suit that makes them look like a certain mouse character whose name I'm not currently licensed to say in public,' Gates continued nervously, 'but you know the one I'm talking about.'

Investors reacted positively to the news as Microsoft shares rose fifty cents, breaking the five dollar barrier which had kept Microsoft in danger of being delisted from the NASDAQ as a penny stock. Only a 3 for 1 reverse split had kept it listed since the company was warned last September. The former billionaire left the building in a hail of applause, stopping briefly only to ask the time since his MS WinWatch had blue-screened and to ask several bystanders for a ride to the bus station.

microsoft sucking less (4, Funny)

poor_boi (548340) | more than 9 years ago | (#12465376)

Does anyone else get a sinking feeling in their tummy every time Microsoft does something right, something better, or something intelligent? I like hating them. If I can't hate them, I'll have to hate something else. And I haven't been paying much attention to worthy targets over the past few years. I'm afraid I might have to turn my hate inwards if they're improving. And that can't be good.

Re:microsoft sucking less (0)

Anonymous Coward | more than 9 years ago | (#12466716)

Don't worry. They'll screw something else up and you can hate them all over again. It's their nature.

Re:microsoft sucking less (0)

Anonymous Coward | more than 9 years ago | (#12466724)

Nice. This is like overhearing a KKK meeting, where one jokes to the rest of them that if they keep lynching niggers, they might run out, and then what'll they do.

You joke about it with your fellow sick fucks, but it's not really funny, it's just sad. Believe it or not, normal people aren't hate-centric.

Re:microsoft sucking less (1)

poor_boi (548340) | more than 9 years ago | (#12466777)

I've found that people live their lives with much more ease having a scape-goat in their lives. It's centrally dishonest, but allows the everyman to carry on with his life without having to come to terms with his own inadequacies. In other words: my goat sucks, not me.

Re:microsoft sucking less (0)

Anonymous Coward | more than 9 years ago | (#12467396)

There's always someone to hate for something :)

(I hate everybody).

Other corporations worthy of hate, if you want: Halliburton, Disney, Fox, Sony, Walmart, HP (they still haven't atoned for Carly), anything owned by Rupert Murdoch...

That should hold you for now :)

Quote at bottom of screen (0)

Anonymous Coward | more than 9 years ago | (#12465670)

The quote at the bottom of the screen was "Hate is like acid. It can damage the vessel in which it is stored as well as destroy the object on which it is poured." I think it's kinda pertinent to posts like this on /..

Where is /. as a blog/news source heading? What is its purpose? This is a serious question because I came into this thread expecting maybe a glimmer of pat on the backs to Microsoft for finally doing something about security. Instead we have posts bashing M$ and/or saying that this is merely a marketing plan (as if to say a marketing plan is inherently evil). The quote above reflects this. There is a massive amount of hatred that is spewed out onto anything that doesn't conform with /. groupthink and it is destroying /.'s insides like an emotional contagion.

In the last week we had a huge surge of comments on evolution/ID theory yet this article gets hardly any and the comments that are here are typical group-think. Many /.'ers will state that /. shouldn't be taken seriously as a news source. Well then why do you post here? It's supposed to be a sense of nerdish community instead we get half-baked tripe articles and group-think commentary. Then I had an epiphany.

Microsoft and /. are in many ways similar. You are both adamant in your ways that you are right. You both fear change that goes against your world view. Finally, but most importantly, /. is a marketing machine just like Microsoft. I have a sneaking suspicion that savvy marketers have targeted your iconoclastic demographic for monetary exploitation. That's what /. purpose is. In some way or another they're leeching money and attention off your group hatred.

Re:Quote at bottom of screen (1)

Anonymous Coward | more than 9 years ago | (#12469291)

This is a serious question because I came into this thread expecting maybe a glimmer of pat on the backs to Microsoft for finally doing something about security. Instead we have posts bashing M$ and/or saying that this is merely a marketing plan (as if to say a marketing plan is inherently evil).

You came into a thread looking for praise. And when the comments you found didn't meet your expectations, you labeled it all as "groupthink". How convenient.

Microsoft has improved over the years. But it seems to be kicking and screaming all the way. And even those small steps have been very recent. You'll have to excuse those of us who are critical of Microsoft for not immediately excusing Microsoft's history over one of their latest baby steps.

Microsoft will deserve your praise not only if they manage to continue improvement, but if they manage to maintain the new policy over time. That's when they'll be able to counter their lack-luster history.

In other news... (1)

kernelistic (160323) | more than 9 years ago | (#12466515)

Hell freezes over.

Fast disclosures (1)

sl4shd0rk (755837) | more than 9 years ago | (#12467294)

Give it up. If I kept up with all the friggin updates and service packs and hotfixes and reinstalling of software that I already do, that's all I would spend my time doing all day.

Did anybody else mis-read this as... (1)

Money for Nothin' (754763) | more than 9 years ago | (#12472273)

"Microsoft to Introduce Faster Security Flaws"?

I did...