Microsoft to Offer Patches to U.S. Govt. First
Elitist_Phoenix writes "Reuters reports that 'Microsoft is to give the U.S. government priority in fixing security holes in Windows and other software, The Wall Street Journal reported on Friday. Under a plan to take effect later this year, Microsoft will give the U.S. Air Force versions of software 'patches' to fix serious security vulnerabilities up to a month before they are available to others.' Yet another attempt to fight off impending doom, by trying to keep the government away from open source?"
Sounds a lot more like "Microsoft will delay patches for a month after availability, except to the US Govt". Surely it'd be a lot safer for the US Govt Ltd. for M$ to supply patches to *everyone*, governments included, instead of allowing vulnerabilities to lie unpatched for a few weeks...?!?
People in power love the idea of others sucking up to them. Even if they can get security fixes quicker via open source, the idea that Microsoft is effectively prioritizing them ought to be incentive enough. You could give them good practical and logical reasons for going open source anyway, and they'd MAKE UP their own reasons for not doing it, because they'd LIKE the idea of having a position like this over Microsoft, and would go along with whatever rationalizing they'd have to do to accept it.
What's more satisfying? The idea of having some small company like Red Hat at your beck and call? Or Microsoft?
>Yet another attempt to fight off impending doom, by trying to keep the government away from open source?"
::)
Yes, absolutely.
I see nothing wrong with this at all. They're a private business and they can do whatever they want. And I'm sorry if you have ego issues with the Air Force having a higher priority than your entertainment center.
Must we jump on every single thing anyone does that could even slightly be interpreted as "bad"?
This seems crazy on a number of levels.
Is the airforce more important than say, nuclear power plant operators?
While it's conceivable there could sometimes be some advantage in releasing a beta version of a security fix, there is no advantage whatsoever in merely delaying the general release of a patch, so MS must have agreed to supply early versions of patches to the USAF.
This, I predict, will cause more problems than it will solve.
--
Toby
Insert generic comment bemoaning the lack of security inherent to microsoft products, with optional blue screen of death joke. -saladami
The Military for having to Beta test MS' latest patches (they'll be the one whose systems crash most by having patches applied that haven't met the real world before), or Commerce, who suddenly realise that they're going to be getting cracked hard, by something MS knows about, has a fix, and just can't be bothered to give them a cure for..
So... the government will get an entire month where they can analyse the patches, see what vulnerabilities they fix, and develop exploits to use against those who haven't received the updates yet?
Not that they probably need much help to find holes in M$ software, but still, this stinks. If the government really was concerned about security, they wouldn't ask to get patches before everyone else; rather, they'd ask that patches be made available to *everyone* as soon as possible.
quidquid latine dictum sit altum videtur.
So majority has to wait for another month for the patch. Another month of defenseless machines.
In the US, we are government. It is "by the people, for the people".
Microsoft announces officially that all security holes will be UNPATCHED FOR A MONTH (except for the U.S. Gov. systems)
You're right, a big part of testing a patch is releasing the beta version to the public. This might not seem as important for a small security leak, but I can't imagine them releasing big patches that haven't been fully tested. I also fail to see how they can "get the patch up to a month before they are available to others". A month is more than enough time for a security leak to exploit many many Windows users. If the patch is done, why don't they release it to the general public? Only so the Government is "happy" and buys Microsoft products? Nice tradeoff: make the government happy, and let all other Windows users wait for the already done patch. This would most likely encourage "normal" users to seek an alternative...
Another reason for the EU, China and Korea to finally abandon Micro$oft software altogether. Now it is not only a risk of ordinary corporate lock-in but actually a threat to national security and sovereignty of Asian and European States (excluding Middle East states which are hardly sovereign to begin with) because it means that the US government (CIA, NSA and other *AA) will be able to easily reverse engineer Micro$oft patches and exploit the patched vulnerabilities in the parts of the world where there are no patches available so not only stupid people will have vulnerable systems but actually everyone. We can only hope that our European and Asian brothers and sisters are wiser than their American counterparts who will hopefully jump on the bandwagon as well and stop using Micro$oft software. That should mean a great increase in Linux market share during the first quarters of 2006, 2007 (such a serious transition is never done overnight, there are no miracles, we have to be patient). So paradoxically this is actually good news because it will inevitably hurt Micro$oft in the long run. Instead of overreacting we should stay calm, discuss its implications maturely, and see what it means and how the rest of the world reacts. The most important parts of the world to focus on are: Europe, Asia, Australia, Africa, South America and Canada. Only time will tell what that decision really means and which F/OSS O/S will benefit the most where the national security is the top priority.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Let's have a modicum of sense here. We are all going to die sometime... Microsoft has all the earmarks of a company that will live to a ripe old age though.
Let all other countries run software that can be easily attacked. Guess by whom.
Before someone starts the tinfoil hat yadda yadda, the US Govt. has already been caught spying on EU nations and corporations.
So, if you're a foreign government, the US government has one month to break into your unpatched systems. Or, if you're anyone the US government doesn't like, the CIA, FBI, HLS, etc., has a month to hack your unpatched systems.
I give Microsoft credit for possessing at least a basic understanding of Machiavelli.
Sorry, but just because you're a DoD contractor doesn't mean that there aren't hundreds of thousands of other businesses needing to test patches before deployment.
How many people can read hex if only you and dead people can read hex?
Does this not open M$ to the charge of willfully withholding security patches from everyone else by a month?
A small advantage over whom?
During your month of testing, your systems are still vulnerable. MS can't make the patches any faster, therefore you having them a month earlier than everyone else can only mean that they are delayed to everyone else who needs them. How could that possibly be a good thing? Banks, power stations, hospitals - they all can ill-afford downtime.
Finally, "released to the government" means what? They post them on their website? Like they do now...
As far as I can see, this helps no-one.
Please explain.
When they came for the communists, I said "He's next door. Take him away. Goddam commies."
I find it a little disquieting that the USAF's primary systems may be running Windows. Windows is good for a lot of jobs, but the frontline defence of the world's most - well - controversial nation possibly ought to be on something a bit more resilient.
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
So how will they or it?
A) They deliver beta-patches to the DoD
or
B) They deliver final patches to the DoD and delay them for a month before public release
Obviously both cases are a disaster:
A) We all know how buggy Microsoft's final software is, I can't imagine how someone can use their beta patches in a critical disaster.
B) Telling the government about security issues first and delaying patches for the general public is bound to cause an uproar. They are already quite slow when it comes to releasing patches.
This just sounds like a very bad decision either way...
I have to admit, it's been a long time since an automatically installed m$ patch has fried a box. (I remember it happening regularly around win2k sp4 days).
The fact that most of their code sits around for like 2 years before actually getting in the download hopper is sickly amusing.
Sure this will push things ahead *just* a touch.
My only worry is: what if this was the plan all along? Slowly just sort of start sending out patches quicker, maybe push all those product releases that have been in the "2 year" range to the "1 year" range, and voilà! Instomagic improvement and it didn't cost them much if anything.
Arg...
-=fshalor
What I find weird about this is that Microsoft write a patch to fix "serious security vulnerabilities", release to the US military but hold it back from the rest of the world for a month. Will this make the world a safer place?
Omnis amans amens
>I see nothing wrong with this at all. They're a private business and they can do whatever they want. And I'm sorry if you have ego issues with the Air Force having a higher priority than your entertainment center.
I would agree with this if it wasn't the internet. It doesn't cost Microsoft to do anything else different to just release the patch. If they really want to give the govt priority go ahead and create dedicated servers or something. There is no reason to withhold patches from everyone else.
This is not like an actual security company giving the government first dibs on a new type of lock. This is software. Downloaded software. You might even have an argument if updates were released on CD or some sort of physical media.
To go off on a tangent:
In the 80s no one cared about pirating music because they were using tapes. Everyone cares now because people are making exact duplicates at no cost. Reverse Analogous--
The Wolfkin
You're assuming that anyone is going to enjoy greater security by delaying patches to most other users. I have to question this. And never mind about "entertainment centers"; what about the systems that process your credit cards or medical records?
for patches that don't work, work properly, or goes "boing."
for doing Microsoft's work of verifying stability...
No small amount at Government charge-out rates, at some factor higher than "normal" contractor rates. Imagine the thousands of Gov. admins spending their time, your dollar, to do MS's work, for what they charge the Gov., us, a premium.
And I happen to be OK with Microsoft...
It isn't bad business psychology. You can just hear the salesmen saying, "Who's your daddy! Does linux offer priority access to security patches? I don't think so."
Sadly, the majority of people will answer back, "Well, gosh gee. You're right. Microsoft makes me feel special! Microsoft is so great."
Shiny thing catches the sunlight. Bargain. Today only. People are stupid.
If anything, it'll give the NSA a chance to write their own worms before the exploit is fixed.
Hmmm...
:)
;)
My government computer runs Debian, and I don't recall having ANY problems like this
Actually, now that I think about it, I *did* need to train my spam filter to discard our security team's "Microsoft virus alert" messages
The average computer user would:
a) Not think that.
b) Not think of linux as a substitute for Windows.
Because the average computer user doesn't install security patches anyways!
The real deal isn't that they're offering these updates to the government first, but rather, that they're DELAYING it from everyone else.
This makes no sense, since a patch is a patch. Sure M$ might earn some brownie points from the government entities that get this priority, but the resulting backlash from everyone else will be worse.
eTrade SUCKS
How can MS possibly justify holding back the patches to anyone? What does letting the rest of the world twist in the wind gain them, or even the government? This is obviously a ploy to gain favor with some stupid bureaucrats who can't tell that this adds absolutely no security to anyone. Because its realities have no other possible redeeming value, and a great deal of cost.
--
make install -not war
Really, would it be so much trouble to just release it on Windows Update and let the government download from there? I've never seen Microsoft's site go down, but if it really is that big of a bandwidth problem, they could just create a new page with a server dedicated to serving the government patches...