Microsoft to Offer Patches to U.S. Govt. First
Elitist_Phoenix writes "Reuters reports that 'Microsoft is to give the U.S. government priority in fixing security holes in Windows and other software, The Wall Street Journal reported on Friday. Under a plan to take effect later this year, Microsoft will give the U.S. Air Force versions of software 'patches' to fix serious security vulnerabilities up to a month before they are available to others.' Yet another attempt to fight off impending doom, by trying to keep the government away from open source?"
So they're getting the government to beta-test their patches? Sweet.
It's a wonderful day... FOR DOOM!
Laws are for people with no friends.
Sounds a lot more like "Microsoft will delay patches for a month after availability, except to the US Govt". Surely it'd be a lot safer for the US Govt Ltd. for M$ to supply patches to *everyone*, governments included, instead of allowing vulnerabilities to lie unpatched for a few weeks...?!?
We host many Gubmint sites. I wonder if we'll get special treatment. Somehow I think not.
the patches screw up the systems, as has happened in the past?
Also, how would other governments see this? Would they accept being 'second-class customers', no different in Microsoft's eyes to the Average Joe?
People in power love the idea of others sucking up to them. Even if they can get security fixes quicker via open source, the idea that Microsoft is effectively prioritizing them ought to be incentive enough. You could give them good practical and logical reasons for going open source anyway, and they'd MAKE UP their own reasons for not doing it, because they'd LIKE the idea of having a position like this over Microsoft, and would go along with whatever rationalizing they'd have to do to accept it.
What's more satisfying? The idea of having some small company like Red Hat at your beck and call? Or Microsoft?
After this announcement, I bet their marketshare will go up!
I can just imagine it now: "Buy Windows, and get security patches for free, up to a month after they have been released!"
and speaks very favorably of MS that they are not only taking all the nice things the Bush administration offered them, like forgetting about all this anti-trust bs, but also take the time to say thank you to their benefactors.
I love this company!
>Yet another attempt to fight off impending doom, by trying to keep the government away from open source?"
::)
Yes, absolutely.
I see nothing wrong with this at all. They're a private business and they can do whatever they want. And I'm sorry if you have ego issues with the Air Force having a higher priority than your entertainment center.
Must we jump on every single thing anyone does that could even slightly be interpreted as "bad"?
Prof. Frink: It's because the Government has the troops and the guns and the tanks and the fire falling from the sky with the burning people running amok in an orgy of blood and kicking and the biting with the metal teeth and the hurting and shoving...
That's why the Government is first.
"Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
As a DoD Defense Contractor working on these systems, I think this will help tremendously. Currently, we only get patches when Microsoft posts them on their website. From there it needs to be thoroughly tested to ensure the patch will still allow critical software to continue functioning (the government can ill-afford downtime on some of these systems). Beyond that, it then needs to be applied to thousands of other machines on several different networks. Of course, we only have a small window to get this all completed. With an extra month to have this completed, we have a small advantage to have these systems patched.
Hmmm.
This seems crazy on a number of levels.
Is the airforce more important than say, nuclear power plant operators?
While it's conceivable there could sometimes be some advantage in releasing a beta version of a security fix, there is no advantage whatsoever in merely delaying the general release of a patch, so MS must have agreed to supply early versions of patches to the USAF.
This, I predict, will cause more problems than it will solve.
--
Toby
Insert generic comment bemoaning the lack of security inherent to microsoft products, with optional blue screen of death joke. -saladami
The Military for having to Beta test MS' latest patches (they'll be the one whose systems crash most by having patches applied that haven't met the real world before), or Commerce, who suddenly realise that they're going to be getting cracked hard, by something MS knows about, has a fix, and just can't be bothered to give them a cure for..
Man, people really want Microsoft to become a footnote in history.
The Internet is full. Go Away!!!
http://jayceecorder.blogspot.com
So... the government will get an entire month where they can analyse the patches, see what vulnerabilities they fix, and develop exploits to use against those who haven't received the updates yet?
Not that they probably need much help to find holes in M$ software, but still, this stinks. If the government really was concerned about security, they wouldn't ask to get patches before everyone else; rather, they'd ask that patches be made available to *everyone* as soon as possible.
quidquid latine dictum sit altum videtur.
So the majority has to wait for another month for the patch. Another month of defenseless machines.
In the US, we are government. It is "by the people, for the people".
The US government gets to know all about the vulnerabilities in Microsoft's operating system before the rest of the world does; anyone think that'll make the other governments in the world trust Microsoft software more?
Microsoft announces officially that all security holes will be UNPATCHED FOR A MONTH (except for the U.S. Gov. systems)
"They're a private business and they can do whatever they want."
I bet you think they are free to engage in monopolistic, uncompetitive, illegal practises as well. Go on, you're just one step stopping short of blurting it out.
No of course not, as this would be criticism. And we all know that the greatest innovation in america in the last few years was the abandonment of criticism.
Ok, before /. gets all in an uproar. Let's go ahead and explain this.
This is marketspeak. Marketspeak is nonsense. There is no such thing as well thought out marketspeak.
I'm sure that when the programmers heard this idea, they sat in a room and just collectively went "duh?!?" to themselves, then realized that marketing execs get paid more than they do, and laughed about it later around the water cooler.
Another reason for the EU, China and Korea to finally abandon Micro$oft software altogether. Now it is not only a risk of ordinary corporate lock-in but actually a threat to national security and sovereignty of Asian and European States (excluding Middle East states which are hardly sovereign to begin with) because it means that the US government (CIA, NSA and other *AA) will be able to easily reverse engineer Micro$oft patches and exploit the patched vulnerabilities in the parts of the world where there are no patches available so not only stupid people will have vulnerable systems but actually everyone. We can only hope that our European and Asian brothers and sisters are wiser than their American counterparts who will hopefully jump on the bandwagon as well and stop using Micro$oft software. That should mean a great increase in Linux market share during the first quarters of 2006, 2007 (such a serious transition is never done overnight, there are no miracles, we have to be patient). So paradoxically this is actually a good news because it will inevitably hurt Micro$oft in the long run. Instead of overreacting we should stay calm, discuss its implications maturely, and see what it means and how the rest of the world reacts. The most important parts of the world to focus on are: Europe, Asia, Australia, Africa, South America and Canada. Only time will tell what that decision really means and which F/OSS O/S will benefit the most where the national security is the top priority.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Let's have a modicum of sense here. We are all going to die sometime... Microsoft has all the earmarks of a company that will live to a ripe old age though.
Let all other countries run software that can be easily attacked. Guess by whom.
Before someone starts the tinfoil hat yadda yadda, the US Govt. has already been caught spying on EU nations and corporations.
So, if you're a foreign government, the US government has one month to break into your unpatched systems. Or, if you're anyone the US government doesn't like, the CIA, FBI, HLS, etc., has a month to hack your unpatched systems.
I give Microsoft credit for possessing at least a basic understanding of Machiavelli.
And the way they will do this is delay the fix to their other dupes, no I mean customers.
If they are able to take one month less to produce a patch for important vulnerabilities, it's great!
Why not make it available for all ?
For important stuff: the sooner, the better, no ?
that's "preferential." nice try, though.
Does this not open M$ to the charge of willfully withholding security patches from everyone else by a month ?
Whoah slow down there people I think when Microsoft mean 'Patches' I think they mean their new cyber buddy aka 'Rambo-Clippy' but with new and improved PTBSD (Post Traumatic Blue Screen Disorder). Patches is gonna open up a whole lotta online whoop-ass on hackers and other terrorists.
'Patches' is a mean son'ova' gun who uses rattle snakes as condoms and pisses napalm. I for one am glad to have this online hero on our side.
This merely insults everyone else... perhaps adding to the incentive to look elsewhere for their computing needs.
seriously though, this is further dividing the windows world into 1st and 2nd class users...
I hope I didn't brain my damage.
I feel sorry for Uncle Sam. They get to experience the bugs of Microsoft's patches first and we'll probably get less screwed up patches. Brilliant.
So does this mean that we the normal users have to delay for a month to get these patches, or are they actually always ready a month before they reach windowsupdate?
Move sig!
So how will they or it?
A) They deliver beta-patches to the DoD
or
B) They deliver final patches to the DoD and delay them for a month before public release
Obviously both cases are a disaster:
A) We all know how buggy Microsoft's final software is, I can't imagine how someone can use their beta patches in a critical disaster.
B) Telling the government about security issues first and delaying patches for the general public is bound to cause an uproar. They are already quite slow when it comes to releasing patches.
This just sounds like a very bad decision either way...
Other than stroking some Air Force egos, what does this accomplish?
If a patch is good, and reliable, send it to everybody. The more people that are patched, the better.
If a patch is bad, do we want military computers testing the fix first?
You were mistaken. Which is odd, since memory shouldn't be a problem for you
Yet Another Reason For Other Countries To Use OSS
The US Military will beta test Microsoft security patches.
Keep the Classic Slashdot.
I see nothing wrong with this at all. They're a private business and they can do whatever they want. And I'm sorry if you have ego issues with the Air Force having a higher priority than your entertainment center.
I would agree with this if it wasn't the internet. It doesn't cost Microsoft to do anything else different to just release the patch. If they really want to give the govt priority go ahead and create dedicated servers or something. There is no reason to withhold patches from everyone else.
This is not like an actual security company giving the government first dips on a new type of lock. This is software. Downloaded software. You might even have an argument if updates were released on CD or some sort of physical media.
To go off on a tangent:
In the 80s no one cared about pirating music because they were using tapes. Everyone cares now because people are making exact duplicates at no cost. Reverse Analogous--
The Wolfkin
A bit off topic...we know the military uses Linux and all sorts of UNIX.
Does the military use OS X? It would seem to me that OS X would be a great alternative to Windows based systems since most of their software is custom anyhow.
This would likely vary from jurisdiction to jurisdiction. Anyone got an amateur/professional legal opinion?
Everybody's a libertarian 'till their neighbour's becomes a crack house.
Given all the press about the lack of adequate security measures on many U.S. government networks maybe Microsoft executives were seeking a more accepting audience for their latest efforts?
Anyone who has never made a mistake has never tried anything new.
Scenario 1) Patches are not yet stable to be released to general public but we will give them to AirForce. This sucks
Scenario 2) Patches are stable and tested but we will delay them for several weeks before giving them to general public. This sucks
I am not saying that private company cannot decide for themselves. Sure they can. But I do see a lot of things that are wrong with this, private company or not. There are other types of "wrong" than just "against the law".
You all are missing the point! Microsoft is not delaying patches to everyone else for a month so they can kiss the DoD's huge ass to prevent future Justice Department action against them for their crappy security. Microsoft has to test their patches, often for months, before releasing them. What they are doing is releasing patches to the DoD before they have finished testing them. The sad part is the DoD will think Microsoft is kissing their huge ass but in reality Microsoft is getting a US Government subsidy to assist them in testing their security patches. I don't have much problem with my tax money being used to shoot Iraq's begging to be killed. But I'm damned if I'm happy to have my tax money being used to subsidize Microsoft! They're already rolling in cash! Let them spend MORE OF IT on testing their code.
So did you also think, if you're outside the US, it's 5 minutes before 12 to move away from Microsoft? My 2 cents.
You're assuming that anyone is going to enjoy greater security by delaying patches to most other users. I have to question this. And never mind about "entertainment centers"; what about the systems that process your credit cards or medical records?
for patches that don't work, work properly, or goes "boing."
for doing Microsoft's work of verifying stability...
No small amount at Government charge-out rates, at some factor higher than "normal" contractor rates. Imagine the thousands of Gov. admins spending their time, your dollar, to do MS's work, for what they charge the Gov., us, a premium.
And I happen to be OK with Microsoft...
Reuters reports that 'Microsoft is to give the U.S. government priority in fixing security holes in Windows and other software
Translate to:
Microsoft confirm that businesses are second rate customers. Seriously, if it was a case of MS to reveal details of vulnerabilities to US Military first I could understand it but giving them the patches first? When a new virus is released that exploits a hole I suspect the military are the least likely to be the ones who end up DDoS'ing or spamming people as I'd hope they'd have mechanisms in place to monitor that kind of thing. Most of the damage is done by SME's and individuals who think a patch is something that nicotine addicts use. Best solution is still to test properly and release to all at the same time in as easy a way to deploy manner as possible. Also seems a bit odd that the first people to get a new patch and possibly suffer the unforeseen side effects are the ones who need security the most.
Hmmmmmm..... Deep fried and look like Squirrel.
There's two ways this will "work":
1: The patches are complete and tested (as well as can be expected from MS, anyway) before being deployed to Air Force systems.
2: The patches are untested when they go to the Air Force.
Assuming the second case is true for a moment, I don't think the powers-that-be in the Air Force will be so happy about this. As noted earlier in this thread, Air Force systems will be used by MS for what is, essentially, beta testing. We're also ignoring the fact that the *really* critical systems in the U.S. Air Force are proprietary systems that run some custom flavor of Unix designed during the Reagan administration (before MS had any significant government contracts with anyone, if any). Most/All nukes should be safe from any *direct* harm an untested Windows patch would cause or would otherwise facilitate. Indirect harm, on the other hand, is a completely different story as there's nothing publicly available that says how these systems are/aren't connected to any others that *might* run some version of Windows. It's entirely possible that an improperly patched Windows system could be exploited to gain access to the "nuke" systems, but only Air Force staff (possibly contractors?) would be able to answer that with any authority.
Now, let's assume the first case is true. Why would Microsoft hold back a patch from the general public knowing that it's best to get a vulnerability fixed ASAP? There must be some hidden benefits to MS for possibly alienating their business and retail customers. We can only speculate, but I think someone earlier in this thread has a good point - This might make those that oversee government contracts feel like MS is doing the government a favor, thereby tipping the decision between choosing MS and non-MS solutions in their favor. MS would probably wind up taking a small hit in revenue from its retail customers but would make it up in spades from the potential government contract gains.
No matter which way you slice this up, it's bad for everyone. Patches for vulnerabilities should be issued to *everyone* as soon as they're tested and ready. Knowingly holding them back from the public for a month only gives potential attackers an easy one-month run at unpatched systems. Those systems that could be compromised wind up being a threat to the patched systems, as well.
Something tells me that the technical people at MS understand this, but the sales/marketing departments are just trying to drum up more sales.
My sources are unreliable, but their information is fascinating. -- Ashleigh Brilliant
Maybe it's so that the US Govt can patch their systems before hackers get their hands on the patch and reverse engineer it to exploit others.
Yes good idea.. protect the government and leave banks and hospitals wide open. As I said before if it costs more I would agree with the practice but I don't so I will not.--
The Wolfkin
As so many others have said, this is almost certainly a marketing thing. The real question, I think, is why they are doing it now? Could it be that it is time for the US Air Force to renew licenses or buy upgrades, and they are thinking of buying something not Microsoft?
/ The Arrow
"How lovely you are. So lovely in my straightjacket..." - Nny
But that means Microsoft won't release perfectly good patches to anyone else for a whole month.
Doesn't that just add to the proof that MS treat their regular users like bitches.
Yet another justification that anyone with a choice should be running Linux.
What exactly are they going to patch in the government?
Patent reform first, what's next?
Personally I'm waiting for Government 2008, it's supposed to be a whole new version.
The reason they are doing this is really obvious: One of the obvious advantages to most Linux distributions is that they usually come out with patches within a day of vulnerabilities, and the patches are available immediately. Windows, on the other hand, patches once a week or once a month. Obviously, Linux looks better here. By offering the government a faster patch cycle, they are trying to compete with the Linux distributions and make themselves look better again.
Tired of free iPod sigs? Subscribe to my blacklist
You all are missing the point! Microsoft is not delaying patches to everyone else for a month so they can kiss the DoD's huge ass to prevent future Justice Department action against them for their crappy security. Microsoft has to test their patches, often for months, before releasing them. What they are doing is releasing patches to the DoD before they have finished testing them
Many people have pointed out that one of two explanations is true of the article. We're all in collective agreement that either instance is stupid.--
The Wolfkin
So does this mean there'll be another month delay in getting patches to consumers?
Scenario: - [zerohour] Exploit gains recognition
- [+1 month] Microsoft releases patch to USAF
- [+2 month] Microsoft releases patch to US Consumers
Greeaaaat...
Informatus Technologicus
Once the patch exists there is no reason to stagger the release. It is not as if the military patches their systems from MSFT servers and would have to wait if those servers were Slashdotted. Software patches for end users are not offered from .mil servers, however, so the effect of staggered release is that government employees could be working at home on unpatched machines.
I'm in the Air Force, BTW, and it is perfectly legal for us to do unclassified work on our home computers. Antivirus software is even offered as a free download so we don't infect government machines when we bring files back.
Microsoft HUP also allows us to buy Office 2003 for twenty bucks (at least in Air Combat Command).
Hmm, yeah, I think that's everyone else. Except perhaps those few in Antarctica. Just leave them out in the cold yet again....
Deciding unilaterally that US military forces deserve a better service than other customers (read European govt agencies) can be actually labelled as "bad". It can. I wonder what the genial theoreticians from the WTO think about that ? This is free-market US style. Anyway. Nothing surprising.
--
Go Debian!
First everybody (really, mostly IT professionals trying to balance benefit of patching versus risk and cost of patching) berated Microsoft for releasing patches too often. So, Microsoft responds and releases them once a month. OF COURSE that means they are holding onto patches for up to a month. The number of ignorant posts here that seem to think that this is an announcement that they are going to START delaying patches is just unbelievable. The industry already made them do that.
This is just the natural next step in the social evolution of the situation. Now we've got the users who have a different benefit/risk equation demanding release of patches as soon as they are available. It's just the Air Force now, but it will eventually become a selectable option so that we can all choose our own poison.
Personally, I've never had a problem with applying a Microsoft patch despite having 100s of applications on my machines including several large suites and a large proportion of open source. The problems seem to come mostly to people using low quality drivers or applications from a few companies that have questionable SW design practices like replacing core DLLs. I'd like the Air Force's option and suspect I'll eventually get it.
Hmmm...
:)
;)
My government computer runs Debian, and I don't recall having ANY problems like this
Actually, now that I think about it, I *did* need to train my spam filter to discard our security team's "Microsoft virus alert" messages
That way they can say oh we had a fix for that exploit 30 days ago but only the government could get it.
Sure......
Think I'll try this excuse at work. Oh I had that done 30 days ago.
What about the government and people of other countries? They are not giving early patches to the "Government of The World", they are giving it only to USA. So now, all the US military system will be secure while the non-US military systems will be vulnerable. Although unintentional (or who knows), Microsoft is giving military advantage to USA and militarily deceiving (if that's a valid term) all other countries. I would want my country's government to consider Microsoft to be a military ally of USA giving USA a military advantage and to be weakening our country's defence on purpose (by delaying patches). I'm sure there are some defence related laws in most countries against this and this must be considered as treason. (OK, treason might not be the correct word, but you get the point. English is not my mother tongue)
OK.. I can see what they are thinking, I just don't know if it is right.
I would deduce that what they are thinking is this: Malicious H4x0rBoyz and script-kiddies don't do the real work of discovering vulnerabilities (real security professionals mostly do that), but just wait for MS to issue a patch or advisory and then build an exploit by reverse engineering the patch. Once the patch is announced, a race starts between crackers and admins to see who will test and deploy their respective patches-vs-exploits before the other guy strikes first.
So if you consider Government systems to be uber-important (down-time means people die or massive economic disruption when people don't get their Social Security checks), then you want them to be patched up before the crackers even know a vulnerability is possible. Headstart on ZeroDay.
Cute wording too; nobody is getting it "early" - they're delivering it late to the majority. Unless one wants to believe that they have a practice of holding products ready to ship for a month in order to further tarnish their own reputation.
Your point about the one-month vulnerability window is well taken, but I think misses the mark slightly. I suspect one of the larger underlying reasons is to afford the government a window during which they're patched but those they wish to spy on are not. At the expense of a lot of innocents, but who the fuck cares about the unwashed masses? Certainly few people in this Administration.
Of course anyone who objects will be met with "Oh! So you want Osama (or whoever the current bogeyman may be) to be patched current? You must be a terrorist [ communist | socialist | anti-Jesus | pro-abortion | anti-marriage ] sympathizer!"
Oh please, stop your whining and try to inform yourself.
The Justice Department under the Bush administration chose to no longer pursue the anti-trust case against MS, but instead to settle with MS on very favorable terms for the company especially when one takes into consideration what could have happened to the company had the trials run their course.
So again, the Bush Justice Department decided to settle, no one else, none of those oh so bad liberal judges was involved.
Well, patches are in limited supply for MS products anyway. I think, in the defense of this country, it's important for the government to get the first crack at eggs, cheese, and patches.
And only when they have what they need should we concern ourselves with dividing the remaining patches up amongst ourselves....
I've heard some company (I think some embedded software company) spread FUD that the enemies of USA might purposefully introduce security holes in Linux to gain advantage over USA, so using Linux is not good for USA. But what's actually happening is almost the opposite. MS is giving patches early to USA so the systems of US enemies will still be vulnerable (but US government systems will be secure) and now USA will have the knowledge of how to exploit those systems. A reason for most countries not to use MS software (and who knows, maybe in the future, software of other US companies). Just like always. USA (government) cries that "bad guys" are going to do a certain "bad thing" to USA, but in reality it's USA who is the first one to do it and probably the only one to do it (nuclear bombs).
ignoring the fact that the *really* critical systems in the U.S. Air Force are proprietary systems
Granted the servers are running some version of Unix (I think I have seen Solaris). But I know some of the US client machines are running Windows on a couple of their classified networks. At that level the client machines are considered critical as well as if the user cannot get onto a client machine it doesn't matter if the server is up.
That would make MS very happy to have the US gov prosecute any disclosers - it was probably born in a brainstorming session about "How can MS reduce the number of vulnerabilities in our software", one genius says "Well, the easiest way is to stop people from revealing them..." Cue the dancing monkeys.
How will the Law of Unintended Consequences manifest itself first?
1) Honest government employees will upload patches to warez sites; private sysadmins will have to turn to piracy to protect their networks.
2) Dishonest government employees will upload trojaned patches to warez sites; private sysadmins will have no way to compare them to the real MS patches until it's too late.
3) Honest government employees will post exploit information to white-hat security lists; private sysadmins will have to make choices like "Turn off the known broken service for weeks" or "Run a known exploitable service for weeks".
4) Dishonest government employees will post exploit code to black-hat security lists; private sysadmins will be hit by attacks before they've even been told there's a problem.
5) All of the above.
You see it as ego.
I see a bribe and lock in!
DRM? No thanks, I'll just get it somewhere else...
because patches are getting twice larger every two years, but compression technology does not keep up.
In other news: Intel acknowledges the biggest threat to its leading position on the market is free processors; calls everyone using them communist.
Does this mean they will write patches faster and the general public will get them in around the same time they do now, or that they will write patches at the same speed and the public will just have to wait an extra month? Either way, open source communities will probably patch things faster and important organisations can hire extra staff to patch things faster still.
This comment does not represent the views or opinions of the user.
I didn't know Microsoft Software had serious security vulnerabilities. This is news to me.
When will this Microsoft madness stop? They are nothing but greedy folks - capitalism at its best and our wonderful government just encourages them.
I am so sick of this big business crap that I also deal with at work - just because some god dam company labels something as enterprise ready the suits jump on the bandwagon.
I say bullshit - I would put any linux desktop up against microsoft anyday (I prefer Ubuntu) and call it more than enterprise ready. We already know the servers are enterprise ready. People who want microsoft can learn to support their crap on their own - I for one will not support their crap anymore or any other "enterprise ready" system. What the fuck does a secretary need a $500.00 dollar office suite when open office or even gnome office will do what she needs to do. To all the execs out there - stop the fucking madness and save some jobs by going to open source.
Does it mean that MS has the patch ready one month before it goes public? That is not in line with their statements proclaiming how fast they deliver patches. For sure that is way behind what FOSS can deliver.
There are lots of non-US-government systems that are critical: hospitals, banks, air traffic control, etc.
And anyways, the important patches nowadays relate to keeping out Internet intruders. Hopefully the military systems aren't on the public net!
I understand that EULAS can change from time to time and that your continued use makes you agree to the new terms. But, this is a pretty significant change. Many people might argue they would never have bought Windows if they were not going to receive security updates in a "timely" and unabated manner. Can I get my money back?
The real deal isn't that they're offering these updates to the government first, but rather, that they're DELAYING it from everyone else.
This makes no sense, since a patch is a patch. Sure M$ might earn some brownie points from the government entities that get this priority, but the resulting backlash from everyone else will be worse.
eTrade SUCKS
There are other types of "wrong" than just "against the law".
But they're working on it.
KFG
Don't forget Poland :)
Very funny but no, as a matter of fact he didn't forget Poland, because you see, Poland is in Europe. In case you didn't notice, Poland is one of the most important forces in Europe fighting against software patents in the European Union. Poland is not only a very important state in EU but is also in the very center of Europe. You might take a look at the map sometimes. Good luck.
...either M$ will give patches to the govt. before they are fully tested and finished, or they will delay finished patches to the rest of the world despite a known vulnerability
So which is it, Bill? And will you offer the same treatment to other governments worldwide? Or will you tell them that you are deliberately leaving them twisting in the wind with the rest of us, while the US Govt gets preferential treatment?
Ignorance is the root of all evil.
Since it seems that we have thoroughly beaten the horse to death I won't take any more swings at it but I will offer this article as a reference point (my apologies if someone else posted it). ZD Net reported on 1 March about businesses and even governments migrating away from Microsoft's products http://news.zdnet.co.uk/software/applications/0,39020384,39189585,00.htm.
It's interesting to see how Microsoft has panicked and tried to reverse those decisions. Perhaps the U.S. Government should really rethink this one. It seems like there is a parallel in the sports world when a team signs an older free agent. Either it turns out that, half way through the season, he really is old and gets injured or he turns out to be the athlete who has trained hard and is still successful. This could prove true if Microsoft corrects some of their major problems, but we could also see Microsoft further decline in quality and security and find that the government is taking the hit for it.
How can MS possibly justify holding back the patches to anyone? What does letting the rest of the world twist in the wind gain them, or even the government? This is obviously a ploy to gain favor with some stupid bureaucrats who can't tell that this adds absolutely no security to anyone. Because its realities have no other possible redeeming value, and a great deal of cost.
--
make install -not war
I guess Microsoft is moving to user-pays security. In the future, if you want the latest patches, you will have to pay extra. The plebs that don't will have to face the black hats unprotected. It will be a nice little earner. In fact it's brilliant - instead of providing better security by default, Microsoft will make you pay for it.
Many non-US governments are considering defecting to linux. Knowing that m$ gives the US government a security advantage over them, will surely give them another good reason to switch.
War doesn't prove who's right, just who's left.
Is it possible that you wouldn't have gotten the patch any earlier? Maybe testing it against known government configurations, getting it to the government and continuing on business as usual testing for the moving target that is the typical Windows desktop?
They're not all they're cracked up to be. Our desktop reimage rate has gone up 10 fold since the CS community started foisting this crap on us with SMS. I've got a collection of screen shots of various error messages that greet users when they log in in the mornings and it's beginning to get quite long. Even Windows' own file protection features insist on reloading original files from the installation media... why? Either the patches are issued untrusted or someone doesn't know how to run SMS. Probably both.
My guess is that the CS community thinks they're special and Microsoft does too (in the "rides the short bus to school" kind of way). I guess it's bill's little way of getting back for all those years of court cases.
I'm quite sure that the idea of "shooting down The Twins in N.Y." sounded unlikely a few years ago too.
hany
It makes no sense...
The government is most likely their largest customer, so why not give them preferred treatment?
And score brownie points in the process...
---- Booth was a patriot ----
Bill Gates on "South Park" movie
Circumcision is child abuse.
The Air Force beta tests EVERYTHING that comes out of Redmond *extensively* before allowing systems administrators to install, at least a year. In fact we are only just now completing our deployment of XP to replace Win2k, and XP Service Pack Two deployment is still a good six months away. So, this "extra" month will do absolutely NOTHING for us here in the Air Force. Nothing.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
modded back up, because this is a very legitimate point and it's not flamebait. You would think the spooks would want first crack at any newly discovered exploitability. It's not like they ignore them or anything.
Maybe, but in that case they should release it as soon as it's been validated. Promising the government 30 days - or any fixed time - implies that they'll have to hold it at least that long whether it's ready or not. It doesn't make much sense from a security POV, unless perhaps they want a window of time in which to exploit vulnerabilities themselves (but that would be the cynical view).
Thank you to the US government for offering to beta-test security patches for the rest of us. Thank you to Microsoft for waiting a month before releasing those patches to everybody else. I'm so glad you don't risk fixing security holes in the general public before you have thoroughly tested the fixes with government machines. It makes me feel all warm and fuzzy knowing that I'm safe because George W. Bush's PC is running your latest software before mine is. (If I ran Windows, that is.)
you are basing that assumption on two things, that the entire government list of people who could get their hands on the patches (authorised or not) are all whitehats, or that the government in general is "whitehat" in nature.
Great! Microsoft found a way to make us taxpayers pay for their beta testers... what a good deal! Nice job, Microsoft!
"And I'm sorry if you have ego issues with the Air Force having a higher priority than your entertainment center."
And if I paid more for my desktop software than the USAF paid for a single XP workstation? Those of us who buy the full, retail, non-OEM version of their OS are the ones subsidizing the on-the-cheap installs they give to big customers like the DOD. The fact that they're getting even more for money they didn't spend pisses me off: they're getting the service that I paid for (even before you get into taxes).
So long as we live in the capitalistic society you alluded to, I'm allowed to be pissed that my PC is put on a lower priority.
I wonder how long it will take for some competitor (or any congresscritter outside of Washington State) to accuse the U.S. gov't of subsidizing Microsoft by donating testing resources?
This just plays right into the hands of the Chinese government who always said that Microsoft made special provisions for the US gov't in Windows.
Either Microsoft has been withholding patches from their paying customers and has decided to let a small segment (the federal government) go ahead and have them once they're ready, or they're foisting incomplete and buggy code onto the government, including the IRS.
If you get audited this year, blame Microsoft.
Does this not open M$ to the charge of willfully withholding security patches from everyone else by a month?
My guess: Not according to their EULA which you accepted by installing the OS.
What would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
Here's a dismal thought. At some time in the future we're at war with some nasty dictatorship and they win because our military is paralyzed by a dreadful Windows bug our foe developed thanks to access to the code offered by Microsoft when it was courting their business. (That's happening now.) They aren't affected because their military and economy are running their own variation of Linux.
Someone should make that the theme of a major movie. It might wake up a few of the Pentagon's more dim-witted generals, particularly the sort who suck up to wealthy corporations in what Ike aptly termed the "military-industrial complex."
My initial reaction to this was that it must have something to do with electronic warfare concerns. I.e. this is not about making the public safer, but rather about making the US military more competitive in the event of a conflict.
:-D
Imagine for example that there is a conflict with China over Taiwan--- say they decide on a naval blockade. The US military could have a full month of inside knowledge regarding Windows vulnerabilities that they could try to use in an electronic warfare environment.
This move will do nothing except drive more governments around the world to Linux and open source. Thank you Microsoft.
LedgerSMB: Open source Accounting/ERP
> Why do you think this is an ego issue?
Because people are saying "I deserve what they get." Regardless of the fact that you don't know all the details, and it may very well bomb every version of XP home out there.
>Scenario 1) Patches are not yet stable to be released to general public but we will give them to AirForce. This sucks
Had you actually bothered to read any material on the matter, you'd know that they're giving them a CLOSED BETA VERSION. They're not putting it on every darn computer, they're testing it. *1
"Advance testing will make it possible for government agencies to install the patches as soon as Microsoft releases the final versions."
I find it funny that my previous post is considered trolling, yet it's one of the most informed ones. Just goes to show that content doesn't matter.
*1 http://www.informationweek.com/story/showArticle.jhtml?articleID=159401297&tid=13692
A quick google news found that one.
Are you forgetting the NT machines that caused problems in control systems for Navy ships?
Now it appears that the Air Force is getting these first... not the Navy.
So planes or missiles will not fall from the sky... but a ship will be stopped.
Well, it sort of depends on what you mean by "primary systems". Do you mean target acquisition systems, communication systems, supply/order systems, personnel requisition systems, etc.?
In time of war those are ALL mission-critical systems. Given the nature of the overall mission that also makes them life-critical, even if they wouldn't be in other contexts than military.
For instance: A keystroke-logger snagging an order for toilet paper can expose troop movements and enable an enemy to prepare an ambush. This can change a successful surprise attack into a rout. Turning a battle can turn a war - and will certainly turn many family histories. If it's YOUR toilet-paper order that got intercepted, it's YOUR side that gets to order more body bags.
Ditto for office supplies (location and size of field HQ), food (location and number of military personnel), spare parts (location and size of repair depot, type of weapons to be used and amount of use - and thus wear and repair - expected), or just about anything else. Ditto for forwarding addresses. Ditto for just about anything else.
That's just interception. Think about what happens with malfunctions: Troops arrive without their ammo, food, toilet paper, radio batteries, ... Or with the WRONG ammo. Troops arrive with only summer uniforms in winter weather. I could go on all day.
This is not theoretical. It has happened repeatedly - in the paper analogy, or through decision-making foulups - for essentially all of the recorded history of war, and preparation for war. (Summer uniforms in winter happens a lot. For instance: the first winter of the Korean engagement.) Even in training. (Rumored recent examples: War games: Guy in charge of one color-army doesn't like latrines and orders a portapotty for his headquarters site from a local commercial supplier. Other side intercepts his cellphone call, learns the location of his HQ, and pounces. Pizza orders ditto.)
The military doesn't make every little bit of paperwork secret, and treat it like the survival of the country depends on its security and accuracy, just for the hell of it (or to make busywork for office clerks or hide official malfeasance). It does this stuff in this way because it's necessary to save lives and win wars.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
But if I were a business, I should be realizing that MS is more than happy to burn me in order to gain a few bucks from the US. Gov.
I prefer the "u" in honour as it seems to be missing these days.
It was simply a priority for folks in the 90's, but not for those in 2000.
I prefer the "u" in honour as it seems to be missing these days.
"I'm allowed to be pissed that my PC is put on a lower priority"
It's a free country. You're allowed to be pissed about it just like I'm allowed to think you're an idiot for being pissed about it.
Ain't it grand?
Another downside to this is that it will make the government bureaus leak like a sieve.
With patches for critical bugs being distributed internally, while they're unavailable for a month outside, large numbers of people throughout government will be faced with temptation:
Take it home and protect your own computer. And your family members' computers. And your friends. And the neighbor who offers you a few bucks. One neighbor? Heck: Look at the SIZE of the potential black market.
But this is SUPPOSED to be kept secret until Microsoft releases it.
Oops!
One thing both interrogators and spy recruiters know: Getting that first, qualitative, break is the hard part. That first answer to a question, that first act that breaks a rule. Once you're over that hump it's all qualitative. You can ease up the slope to more important and more revealing things and there's no clear place for your victim to draw the line. (And if he somehow DOES draw the line, you can use his previous, smaller, exposures as a lever to cut him off from his support network and blackmail him into going ever further.)
This policy would create thousands of leakers - and thousands of people who can potentially be "turned" to espionage. It does it by devaluing the perception of responsibility for keeping information confidential, creating a financial incentive to leak, and encouraging acts that can be used as blackmail material by hostile intelligence recruiters.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
The patches will get out, giving hackers time to review and release exploits before MS can release the patch to the public. I'm sure they talked about this, but the politics of trying to fight off OSS forces them to do this.
Call me paranoid, but it seems to me that if they are distributing patches (and accompanying information) to the US military up to a month early, then the US military has information regarding security vulnerability before others.
This means that in a conflict, they can attempt to 0wnz the computer infrastructure relating to enemy operations, communication, etc. So it seems to me that this is all about electronic warfare.
While this is not surprising, what is surprising is that this information is now publicly available and will provide other governments with the incentive to move their critical infrastructure from MS Windows.
LedgerSMB: Open source Accounting/ERP
So, the US Gov will become aware first of exploits which it can use against other Governments.
...
Clever marketing from Billy
Okay, so my government, as well as everyone else in the world will always be at least a month behind the US government's spooks, when it comes to windows updates. I think that Microsoft just gave every other government in the world good reason to switch IMMEDIATELY to Linux!
Every non-US or multinational corporation too. It's common knowledge that the CIA spies on foreign businesses in order to give USA based businesses a competitive edge. So unless that company's headquarters is on USA soil, that company would be smart to switch to something other than MS for security purposes.
Well, at least some Slashdotters can rejoice. MS just shot themselves in the foot, and will soon just be an incompatible regional OS, instead of a global one. I mean honestly, how much hardware gets built in the US anymore? Imagine if Asian hardware manufacturers pay MS the same attention that they used to pay Linux?
Rejoice!
The end cometh!
> And I'm sorry if you have ego issues with the Air Force having a higher priority than your entertainment center.
I assume that your insulting tone means you want idiots who think nuclear power control plants are more important than the US Air Force, to shut up, because you think every intelligent person understands that the US Air Force is more important than all those little operations like nuclear power plant control centers?
Another robot spewing Roveian piss and vinegar diversionary bullshit. What's it like to not be in control of your own brain?
I remember that story, but it was actually just a buggy application written by the US Navy. It had been running on NT, and probably on an x86 CPU, but neither the OS nor the CPU was relevant.
In other words, a vague article has once again led to rampant and incorrect speculation on slashdot.
Maybe it's just me, but it appears MS is giving preference to the US govt? Maybe in a sense gifting for return of favorable judgements in future lawsuits? I don't know... but it seems the US govt is an interesting choice for MS to choose to get patches first. What about its paying home and enterprise clients? Since they make up the bulk of its business, shouldn't they be the ones getting patches first???
Yes -- exactly! Since Open Source projects offer everyone the same "priority" access to updated code, users can get quicker protection from security vulnerabilities. They can even mod the code themselves if a patch is not yet available.
Microsoft customers, OTOH, generally must wait for the next monthly hotfix release day. This will soon become harder to bear since these customers will know (or suspect) that critical security hotfixes are ready but being withheld by Microsoft from public distribution. (I would think that any patch that is deemed good enough for the USAF would be of high enough quality for public consumption as well.)
Also, I think it is very likely that information on the nature of the hotfixes, and even the hotfixes themselves, will "leak" out to the rest of us (or at least the underground) quickly. This would facilitate the creation of exploits prior to the public release of the security updates. More incentive for Microsoft users to seek out alternatives.
"Yet another attempt to fight off impending doom, by trying to keep the government away from open source."
Of course they're fighting against open source. We're their biggest competition. What do you expect them to be doing? Allow open source to gain an even larger market share? The government is a huge customer. Of course they're going to want to keep their business.
With an extra month to have this completed, we have a small advantage to have these systems patched.
:
:
:
Yes, an extra month of work
So, correct me if I get it wrong
- MS releases a first version of a security patch to the US gvt.
- You, as a DoD Defense Contractor working on these systems, work hard to apply the patch.
- MS has still one month to improve the patch.
Guess what happens one month later
- After a month, I'm pretty sure the MS devs would have improved the patch, even just a little.
- They'll release a NEW and improved version of the patch.
So, here you have your new extra patch to apply.
"impending doom" ... Jeez, slashdotters and their consistent anti-Microsoft bias. Get a life.
1. New patch is announced.
2. 14 months later govt worker checks for new patches.
3. Submits form asking for approval to patch systems with new patch.
4. 28 months later receives approval letter authorizing patch installation.
5. Goes on vacation.
6. Comes back and puts it on his list.
7. 11 months later begins patch installation.
Public has now had patch installed for 3.5 years.
Telecommuting! What about socialization?
That quote still has me laughing out loud. Oh man the lack of any basis in reality that is portrayed by a statement like that is hilarious. Hint: Big companies don't die, they are sold off in pieces or bought in their entirety by another entity. And the headway that Microsoft is making outside of the shortsighted zealots' world means they are here to stay for much much longer.
Leave it to the same company that found a way to get beta testers to pay them for the chance to find bugs in their software, and then to find a way to build even a stronger company making millions on offering "preferred" (read $$$) customers security patch notification a few days before the general public....
And now the trifecta -- The Government will get notification and patches even quicker. How would it be to have enough power and knowledge to make billions of dollars on your own security holes?
(+1 Funny) only if I laugh out loud.
I thought the goal was to create software without any security holes at all.
So.. I should be putting holes in my software so I can give preferential treatment to certain customers by giving them the fixes first?
Is the software industry really this fucked up?
It's like telling governments of other countries: "Don't use Microsoft products, because you will have insecure systems all the time".
AC
"Advance testing will make it possible for government agencies to install the patches as soon as Microsoft releases the final versions."
;-) And if so, my second point is, how do you imagine such testing? CLOSED=NO DEBUG. Testing on production machines = high risk, testing on stripped machines = good for nothing, testing on production clones = veeeery expensive.
If I got this right, then testing with potentially unstable CLOSED BETA versions on taxpayers' behalf will speed up the development of a commercial application. Very nice
I don't think this will save the US Government or help them in any way, other than provide a honeypot where hackers, eager to get at the latest versions will attempt to hack away.
Of course this could be just as bad as if it were never updated, which it probably won't be until two months after the hackers and the rest of the world gets it. After all -- we're talking the US Government here. I bet any one of the Fed IT guys would tell you it takes at least three months or longer before anyone agrees it's okay to install a new update.
"Love is like pi - natural, irrational, and very important." (Lisa Hoffman)
They will be sooo sued if they withhold important security patches for a month and some company's (or other government's!) computers get hacked. The EULA cannot withstand that kind of negligence.
Nor should the US gov't allow such tactics.
Hey, when all the computers in Washington break down and cause widespread panic, you'll know not to get the next update.
I am NOT a number! I am a - oh wait, I'm number 761710. Look! 761710!
If the US government gets patches first, they have a month to figure out exploits for each vulnerability. Given the frequency that vulnerabilities are found, the US government will always have the means to hack into PCs running Windows all around the world, with the help of Microsoft.
I'm sure people will predict that this will lead to a worldwide flood of converts from Windows to other operating systems, but only time will tell if governments and other people really care about these sorts of things.
...is that I've paid more for my OEM copy of XP (as forcibly bundled with my machine despite my wishes) than any government has paid for any one copy of their OS, and yet I'm the poor beggar boy in the story.
Since Microsoft gives massive discounts to governmental and other institutions and gains more income from the poor saps who buy a prefab pc just because they lack the knowledge to assemble their own from components, surely this is another kick in the teeth from MS to MS?
Look after the pennies, and the pounds can f**k off...?
"Psst! I got an advance copy of a MS security patch. I can get it for you for next to nothing."
Would you trust a stolen security patch? After all, if it can be stolen, it can be modified.
"Just download it and install. If your virus scanner complains, just ignore it. It is part of the patch."
Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
<pedantic mode>
I think you mean "hallmarks", though.
</pedantic mode>