Early Warning For Microsoft Premium Customers
techmuse writes "According to internetnews.com, Microsoft is giving its premium customers early warning about vulnerabilities and patches. Those of us who aren't lucky enough to have such a relationship with Microsoft may find ourselves at greater risk than premium customers as a result."
Kind of like the paid customers using Slashdot who get a chance to read the clicky links before it dies.
The U.S. government's Computer Emergency Readiness Team (US-CERT) has also been heavily criticized for providing security advisories to paying customers ahead of coordinated public release.
Microsoft and the government using the same strategy! I am shocked! (sarcasm mode off)
Other juicy information from the article:
There won't be a patch this month for a "highly critical" bug in Internet Explorer browser's drag-and-drop feature.
So we are supposed to buy access to problems that won't be patched in a timely fashion? You've got to be kidding me.
The only justification that I can see for this might be that Microsoft wants to release it to their "elite" first... so that work-arounds and patches might be generated by the community instead of within Microsoft. Thus, trying to get one of the open source benefits...
While that's a good theory... I bet it's really just Microsoft preying on the security worries of companies. Considering I run a Microsoft network... that's a sad conclusion for me to have to make.
Let me guess another potential revenue stream for MS?
Security through $$$
another Roadkill on the Information Superhighway
Company gives preferential treatment to its higher profit customers!
I've just signed legislation that'll outlaw Russia forever. We'll begin bombing in five minutes.
*shrug*
Doesn't sound like it affects overall computer security, really. It's nice for the organizations that sign on, so they have a couple more days to plan outages as necessary. It doesn't affect the vast majority of home users at all (I certainly don't plan my downtime, it just happens when I feel like it).
I can see this being irritating to customers who are unwilling to pay yet another Microsoft tax for early notification, but I don't see that it's some kind of horrible, evil practice, either.
Reality has a conservative bias: it conserves mass, energy, momentum...
I would re-write one sentence in the summary as:
"Those of us who aren't lucky enough to have such a relationship with Microsoft may find ourselves at greater risk FROM premium customers as a result."
(changed "than" to "FROM")
In a nutshell, is this not what MS is doing?
This seems perfectly valid practice to me. People who pay more should get better service. Think of the subscribers to /. they get better service than the rest...
You pay more, you get more.
This is extortion! You cannot force me to pay you more money to provide a warranty that I'm entitled to under law. Just try this logic in any other industry... Oh, your car's got a major issue that could cause injury, but we won't tell you about it, until we tell our wealthy customers first.
---
Programming is like sex... Make one mistake and support it the rest of your life.
Bugtraq is almost always ahead of Microsoft when it comes to vulnerabilities in their software. Why in the world would I pay Microsoft to tell me what might be wrong tomorrow when Bugtraq will tell me what's wrong today? Does anyone have an experience where MS came out with vulnerabilities first?
I submitted this story last night, and it didn't get posted.
We are all equal, just some of us are more equal than others.
1. Become premium customer
2. Get early notification of new vulnerability
3. Write exploit to target non-premium customers
4. Profit!
This isn't so bad, it just means that the premium customers get to beta test the patches for the rest of us!
To the making of books there is no end, so let's get started
That is silly. Are "premium customers" going to be bound by some NDA not to talk about the vulnerabilities? What's to prevent some news outlet from becoming a "premium customer" and then publishing everything they hear five minutes later? But now MSFT will look bad (worse) because the press is announcing their flaws instead of them.
But just maybe, this might be logical, if you have to update everyone about a glitch in your software then that would take time*. If everyone starts to download patches at the same time you just might get slow downloads
It would be a Bad Thing for MS if their premium customers were the last ones to be notified (as in, turn the story around) or had to wait just as long as some John Doe who copied Windows, to get a patch or download it at some lame speed.
This is just economics, nothing to see here
*Especially if bugs are your business
Maybe I'm reading it wrong, but I never read anything about having to pay for this "service" when they say Premium... do they just mean people who buy a lot more of M$'s programs? i.e. large corporations, and is this just a notice to them because in a large corporation it's a lot harder to update 1000s of machines vs. let's say an office of 15? They just send an e-mail stating that there will be an update; it's not like it actually contains the update.
M$ says they are focusing on security, but how does giving advance warning only to subscribers support security? It's the average user who doesn't know how to patch their computer that is at the most risk (and can also propagate the most damage to the rest of us). And the average user won't be a premium customer.
Does it seem like M$ is saying one thing and doing another?
You won't hate yourself in the morning if you don't get up before noon.
It wouldn't take much for a virus writer to sign up for this premium service to obtain and potentially exploit vulnerabilities that they didn't already know about.
Then again, if all that Microsoft is worried about is their bottom dollar then I suppose they don't care who's paying for their premium service.
Those of us who are lucky enough to have no relationship with Microsoft may find ourselves at even lower risk than premium customers
-truth
I had a steady B+ in my AI class until I failed the Turing test...
I can see there's some genuine reasoning behind this: When they announce an exploit potential, they're serving warning to those who can actually generate the exploit. If they control WHO gets the information first, they can keep their "worst case scenario" customers happy.
Script kiddies aren't likely to subscribe, and if they were, it might make it easier to track them down or trap them.
I can see the logic in it. I don't know if it's a "good" solution, but it must be difficult when they become aware of a problem that has not been exploited yet. It's open season on the security hole thanks to reverse-engineering the patch, but if they don't announce it then they're at fault for a "known hole".
I think anything where there's a working exploit out should be released immediately to everyone, but non-exploited holes might be well served by slowly releasing it to clients that pay to have that information -- and therefore are more likely to listen up and patch their systems.
don't tell this to the /. crew.
they may think it's a good idea and provide news first for subscribers..
The only question is what it takes to become a "premium customer". Is it simply a matter of giving MS a few bucks, or is it up to them to choose their friends? MS has a monopoly on the ability to patch their operating systems; if they don't market it openly and fairly then perhaps they'll get another visit from the DoJ (well, I guess this depends on what happens in November...).
Disclaimer: I work for a company, but I don't speak for them.
Imagine if companies in the car industry worked the same way:
People wouldn't stand for it. Why do they hold software companies to such lower standards?
let me get this straight.
They put out a crappy product, then make you pay for the knowledge of knowing it's crappy?
I already knew that! I should sell this knowledge on ebay, if there's already paying customers out there, there's bound to be millions of other idiots who will bid on it.
Seriously though, we already get the updates before Microsoft, from Symantec and Bugtraq. This is very sad for whoever is dishing out money to them.
Runnin' On Empty
just came in his own pants.
Asked why it has taken Microsoft 25 years to get trustworthy computing into the forefront of its efforts, he said: "Because customers wouldn't pay for it until recently."
Assholes.
No lie. Can't remember for which patch. It was right after they got burned on one of the many virus outbreaks.
At first I thought, cool, they are really taking this seriously. But then, I thought, what does he really think I'm going to do? go into the office and patch 1000 machines before morning?
Since then, we've just been getting these 'pre-warnings' via email. Which of course are marked as confidential.
For the record, we are an enterprise customer.
My company gets the premium support advanced warnings.
Honestly, they are vague to the point of useless...other than "don't make any plans on this day" when the notices to everyone are released.
... GM announced today that a new "premium" warranty is available for its vehicles. Vehicle owners who purchase this new warranty (only $500, NDA required) will receive recall notices regarding vehicle roll-overs and potential explosions a full month before vehicle owners that do not have the new warranty option.
Had no choice, try finding a portable without Windows!
We don't have a monopoly. We have market share. There's a difference. - Steve Ballmer
Slashdot is giving early previews of stories to paying customers. Those of us who aren't lucky enough to have such a relationship with Slashdot may find ourselves at greater risk of missing the story than premium customers as a result."
Tech, life, family, faith: Give me a visit
Pay us or we WON'T tell you about the next worm/vulnerability.
Wait, that's not terrorism, that's extortion.
I don't mind them withholding premium services as long as there are no safety issues with doing that.
For example, a hospital that ISN'T paying Microsoft through the nose for these "heads-ups" can have its medical data destroyed because of it.
For SHAME, Microsoft, for shame.
I don't know the meaning of the word 'don't' - J
I work in pharmaceutical research. My machines dose clinical trial volunteers and record trial data, which then goes for clinical submission to create new drugs. Of course faulty software can be lethal.
by Max Barry
http://www.maxbarry.com/jennifergovernment/
It gives an interesting look at a hypercapitalist world. It's also a highly entertaining read.
What they give is a heads up of what will be affected by the upcoming patches or updates. This allows very large organisations with thousands or even tens of thousands of boxes to do some pre-release planning. Updates and patches may need to be tested against other critical applications to make sure nothing breaks. Overtime may need to be planned out etc etc. Huge amounts of time and money may be involved so a few days extra time can be invaluable.
Patch one XP box is a far far simpler thing to do than patching 10k machines of varying Windows versions and functions.
The U.S. government's Computer Emergency Readiness Team (US-CERT) has also been heavily criticized for providing security advisories to paying customers ahead of coordinated public release.
Last January, research firm Next Generation Security Software (NGSS) severed ties with the federally funded US-CERT and accused the organization of selling early access to vulnerability warnings long before vendor fixes are made available.
At the time, NGSS co-founder Mark Litchfield said it was "annoying" that CERT gave early warning on six vulnerabilities to its paid sponsors before vendor patches were created and made available. "The problem became apparent when the vendor we're working with on these vulnerabilities said they were contacted by government departments. CERT notified them ahead of patches being made available. We did not know about this policy to share this information with people who pay for that privilege," Litchfield argued.
They are not giving patches away early, nor details of the vulnerabilities. So this won't mean we 'find ourselves at greater risk than premium customers'. I don't expect most people to read the article before posting, and it is apparent that the editors stopped reading them ages ago too, but now even the guy submitting it hasn't read it?
Posts claiming it's extortion are way off-base.
If you need advance notice that a patch might be coming for, say, Outlook, pay for it. It sounds like a service of dubious value, as you won't be able to test the patch any sooner. I guess you can make sure your crack team of roll-out testers aren't all on vacation that day, but that's about it
RTFA!
Mark
Liked this comment? Why not buy me something nice
http://www.mtholyoke.edu/~rzdalea/cs100/software_
http://www.baselinemag.com/article2/0,1397,154440
Also google for Therac-25
How does one become a "premium customer"?
Dedicated Cthulhu Cultist since 4523 BC.
All you get is an email from MS saying 'oh, next Tuesday we're going to release X patches, with Y rated critical, and Z rated serious'.
There are ZERO details on what the patch is going to fix, personally, I consider the advance notice almost useless except to tell you you need to have resources ready to roll out critical patches.
You get *no* details, *no* access to patches, and I have several emails from MS Security people who always include ' sorry, I can't give you any details about Tuesday's patch'.
Please, hate MS all you want, but at least hate them for a reason, not the typical /. drooling paranoia I see here.
--R.
I can only wonder: MS really is in quite deep trouble with their customers, especially those who have paid big bucks to have the right to upgrades of their products. Since Longhorn is a long way out, and any upgrades (OS or Office) seem not hugely attractive, why is anyone paying the maintenance fees, which were designed to save you money on product upgrades?
MS has made their staunchest customers (i.e. the executives and managers having talked their companies into spending the extra money on maintenance) look absolutely foolish. So now they desperately need to give those folks a story to tell their bosses, why they should not get fired for such a wanton waste of their companies' money.
Playing this security card shows an amazing act of desperation by a wounded giant. If even Gartner starts to criticize MS, there is a lot going wrong in the belly of the beast.
what part of "fuck you! pay me!" didn't you understand
You need people like me so you can point your fuckin fingers and say, "That's the bad guy." So what that make you? Good?
That's not fair, slashdot should give their information out freely to everyone...
Oh wait, they do, they just treat their paying customers a little better...
I really don't see this as much of an issue. The "premier" customers don't get the patches any sooner. They get an advance heads-up on what the patches will contain. Why will this affect anybody?
According to the article: Microsoft insisted the information provided in the notice was "very basic in nature" and intended only to provide general guidelines concerning the maximum number of bulletins that may be released, the anticipated severity ratings, and an overview of products that may be affected.
Microsoft isn't issuing patches to Premium Customers first. They're just letting them know when a patch is coming out and what's in it. You get an early warning. Your analogy assumes Microsoft isn't issuing patches to regular users simultaneously, which isn't true. But, this is Slashdot, therefore such is implied in the article summary for maximum bash-Microsoft effect in the discussion threads.
Pay us lots of money and we will give you advanced warning of vulnerabilities to protect you from the rest of our customers and their owned boxen?
"Our funds have never taken part in toxic or death spiral convertible financings of any sort" -BayStar's managing partne
It's an early *warning*
If you can show me a virus writer who can take advantage of a hole by reading about it in a very generalised security bulletin, then I'd hire him on the spot.
(From the article: "The information is purposely not specific and does not disclose any vulnerability details or other information that could put customers at risk." )
you, being a 16-year old over-achiever, register yourself with Microsoft as a preferred customer using your daddy's company credit card. At that point, you learn of the impending vulnerabilities and release one hell of a worm virus on the net. Stick a fork in me, I'm done...
-- Game Developers: Stop porting badly-textured games from crappy console systems!
Please, hate MS all you want, but at least hate them for a reason, not the typical /. drooling paranoia I see here.
The drooling paranoia was built because of years of times when Microsoft really *did* screw over customers or competition in quite an unethical manner, like the DR-DOS application compatibility, or the IIS Netscape Navigator deprioritization. Microsoft generally didn't get in trouble for its misdeeds, so now IT folk angry after years of poor treatment have simply started attacking Microsoft for all sorts of things that really aren't very bad at all. Microsoft is simply paying back in installments for earlier nasty deeds.
May we never see th
Everyday they don't never come correct
You can ask my man right here with the broken neck
He's a witness to the job never bein' done
He would've been in full in 8 9-11
Was a joke 'cause they always jokin'
They the token to your life when it's croakin'
They need to be in a pawn shop on a
911 is a joke we don't want 'em
I call a cab 'cause a cab will come quicker
The doctors huddle up and call a flea flicker
The reason that I say that 'cause they
Flick you off like fleas
They be laughin' at ya while you're crawlin' on your knees
And to the strength so go the length
Thinkin' you are first when you really are tenth
You better wake up and smell the real flavor
Cause 911 is a fake life saver
So get up, get, get get down
911 is a joke in yo town
Get up, get, get, get down
Late 911 wears the late crown
- Public Enemy
...The National Weather Service has announced it will offer early warnings for natural
disasters such as tornadoes and earthquakes to subscribers of its new "Stay Alive Platinum" service.
So Microsoft is profiting out of:
1. Building a necessity to be informed because of failures in their software
2. Making these failures so deadly that quick action must be taken to save money
3. Screwing up all their patching, and taking time to patch vulnerabilities they do patch
So, the more they do the above, the more money they can take from those companies now learning the meaning of being 'tied to a large metamorphic rock plunging happily down into the Mariana trench'.
Microsoft - a monopoly in profiting from failure, fear, and fraud.
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
Microsoft has been releasing early warnings for months, and they have regularly leaked to the press. The contents of the warning includes very little information: the number of vulnerabilities, the severity level, and the products affected. You might be able to infer which people you have to force to do overtime (Microsoft patches aren't released during business hours in all parts of the world), but apart from that, the information is not very useful.
Less well known is Microsoft's Patch Validation Program. Basically, you get patches a week or so in advance (without any further information about the scope of the patch), and you can test it in a production-like environment. This way, you can alert Microsoft about unexpected incompatibilities, but I'm not sure how helpful this is in practice. The patches surely make an interesting BinDiff target, so this program probably isn't available to all premium customers.
All in all, it appears to be a poor replacement for the vendor-sec community on the free software side of security, where distributors (which would be Microsoft's OEMs) can openly discuss security issues and resolve them in collaboration.
I am offering a low-cost service to users of Microsoft products. For a mere $5, you will receive a notice that says:
WARNING -- Your product is riddled with security holes!
There, now people can be warned.
Hurry, send in your money now! Otherwise you won't receive notice that Microsoft products are vulnerable!
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
A car company recalls their last car model for defective brakes only to their higher profit customer.
The warning for the normal customer will be issued 2 weeks later...
</joke>
Every company has the right to give "preferential treatment" to its higher profit customers.. but we're not talking about discounts or special offers.. we're talking about defects and vulnerabilities, and I guess all the customers have the same right to know if they're using an unsafe environment.
On the other side, as stated in the article, it makes perfect sense to warn "critical infrastructure companies" before releasing information that could be used by malicious users.
This message doesn't need a sig
What is the next logical step for MS?, intentionally introduce more bugs to get more customers to sign up for the premium service?
Or needlessly delay the release of patches for the same reason?
This is almost a strong-armed shakedown.
MS is basically saying "..Yo buddy, we knows you gotch yer license, but see it's like this, Billie boy says youse gotta cough up a little more dough, or things just ain't gonna work out the way you planned..."
C'mon M$, if your customers already have a license for your product, and your product is broken, then it is YOUR (Microsoft's) responsibility to FIX it........
The poster clearly doesn't know what s/he's talking about, and is obviously just looking for something to cry about. Same old /. FUD.
/. is at least informed and grounded in reality. This is totally reactionary, underinformed cry-babyism.
The notifications sent to Premium customers are just that: notifications. We don't get the patches any earlier; the advance notice we receive simply gives us a general overview of the vulnerabilities and what they affect so as to help us plan the patch rollout.
And there's something wrong with that? Please... It's the responsible thing for Microsoft to do. And the poster thinks that leaves others "at a greater risk" than Premium customers? Please, explain to me how that could possibly be, given the fact that the patches are released to all customers (Premium and not) at the same time. Totally ridiculous FUD. You get the patches at the same time we do (unless you count betas, which... come on). We get advance notice because we have to plan for rolling out patches to tens of thousands of workstations and servers. We need to know in advance. Those of you who only have to worry about your PC (or maybe even 5 or 10 additional) don't. Simple as that.
Most of the anti-MS FUD on
That depends on what side you are. If you are the one who pays, or the one to whom the info leaked to, regardless of the color of your hat, you have an advantage against the ones who aren't.
Which puts at a disadvantage all the ones who aren't members of (or friendly with) big corporations or e-crime rings. For a small admin of a small network it means just that the adversaries have more time to write worms and that the time between a vulnerability getting known and a vulnerability getting exploited has shrunk again, at least for the ones who didn't play the advance-info racket (who will pay for it once more, indirectly, in the form of bandwidth wasted by worms from even more machines patched too late).
Luckily, as some other posts suggest, the advance information is in this case next to worthless anyway.