Slashdot Mirror


Microsoft to Offer Patches to U.S. Govt. First

Elitist_Phoenix writes "Reuters reports that 'Microsoft is to give the U.S. government priority in fixing security holes in Windows and other software, The Wall Street Journal reported on Friday. Under a plan to take effect later this year, Microsoft will give the U.S. Air Force versions of software 'patches' to fix serious security vulnerabilities up to a month before they are available to others.' Yet another attempt to fight off impending doom, by trying to keep the government away from open source?"

14 of 344 comments

  1. What about firms that host their sites by gelfling · · Score: 2, Interesting

    We host many Gubmint sites. I wonder if we'll get special treatment. Somehow I think not.

  2. What if... by 0x461FAB0BD7D2 · · Score: 5, Interesting

    the patches screw up the systems, as has happened in the past?

    Also, how would other governments see this? Would they accept being 'second-class customers', no different in Microsoft's eyes to the Average Joe?

  3. I think it is a nice touch by Anonymous Coward · · Score: 1, Interesting

    and speaks very favorably of MS that they are not only taking all the nice things the Bush administration offered them, like forgetting about all this anti-trust bs, but also take the time to say thank you to their benefactors.

    I love this company!

  4. Re:Safety First by Rangataua · · Score: 5, Interesting

    I wonder how long it will be before someone creates a virus based on knowledge found in a patch that has only been released to the government.

  5. Great idea. by Mz6 · · Score: 4, Interesting

    As a DoD Defense Contractor working on these systems, I think this will help tremendously. Currently, we only get patches when Microsoft posts them on their website. From there it needs to be thoroughly tested to ensure the patch will still allow critical software to continue functioning (the government can ill-afford downtime on some of these systems). Beyond that, it then needs to be applied to thousands of other machines on several different networks. Of course, we only have a small window to get this all completed. With an extra month to have this completed, we have a small advantage to have these systems patched.

    --
    Hmmm.
  6. Could 0wned admins sue MS? by fuzzy12345 · · Score: 4, Interesting

    I've wondered about the legality of such behaviour. At the point where a company knows its product has a vulnerability, has a fix for that vulnerability, and deliberately withholds the fix from customers, knowing that some of them are likely to be hacked and suffer losses, is it not negligent?

    This would likely vary from jurisdiction to jurisdiction. Anyone got an amateur/professional legal opinion?

    --

    Everybody's a libertarian 'till their neighbour's becomes a crack house.
  7. Re:Great by marcosdumay · · Score: 2, Interesting

    Yes, government transition doesn't happen overnight. 2006 - 2007 is a very short time for that, you should increase that to 2007 - 2009 or something like that.

    To cite a real case, Brazil started its transition in 2002. Today there has been no significant move to Linux yet. Instead, almost all the public documents have been translated from M$ Office to a more open format. A lot of time was spent discussing what is an 'open format' and generating policies. To make the long story short, 2 years after the decision, most of the government's computers use Windows, but you have access to the public services from a Linux computer.

  8. The Chinese were right! by jfb3 · · Score: 2, Interesting

    This just plays right into the hands of the Chinese government who always said that Microsoft made special provisions for the US gov't in Windows.

  9. This means either one of two things by JeffTL · · Score: 2, Interesting

    Either Microsoft has been withholding patches from their paying customers and has decided to let a small segment (the federal government) go ahead and have them once they're ready, or they're foisting incomplete and buggy code onto the government, including the IRS.

    If you get audited this year, blame Microsoft.

  10. Re:Crazy, no? by Eil · · Score: 2, Interesting


    Is the airforce more important than say, nuclear power plant operators?

    While it's conceivable there could sometimes be some advantage in releasing a beta version of a security fix, there is no advantage whatsoever in merely delaying the general release of a patch, so MS must have agreed to supply early versions of patches to the USAF.


    It's not that the USAF needs those early patches more than anyone else, it's that the Air Force has standardized on nothing but Microsoft software for almost everything it does. Trust me on this, I'm *in* the Air Force. Even the PDAs and systems which handle classified information run plain old Windows. They forbid you from using any software that isn't installed by an admin (even stuff as benign as Firefox), and go to great lengths these days to explain that piracy is bad and that you'll go to federal pound-me-in-the-ass prison for taking that copy of Word home with you.

    No, it wouldn't surprise me at all if the USAF was indeed Microsoft's biggest customer, period. Getting open source software in there to replace any Microsoft offering is going to be like convincing conservatives that it would be a really great idea to hold state-sponsored orgies in all capitol buildings on Sunday afternoons. It could happen in theory, but never in practice.

  11. Re:Haha by h4rm0ny · · Score: 2, Interesting

    If anything, it'll give the NSA a chance to write their own worms before the exploit is fixed.

    Which is an anti-selling point to governments in the rest of the world. If you were the Japanese government, would you want to know that the US were getting preferential treatment?

    So either Microsoft is giving up on fighting OSS for other governments, or this program will shortly be extended to other nations.

    And if it's extended to other nations, then all those posters who were worried about the USAF staff having advanced knowledge of vulnerabilities, can go into total panic now. ;)

    --

    Help yourself, and Heaven will help you - Jeanne D'Arc.
  12. My first thought by einhverfr · · Score: 2, Interesting

    My initial reaction to this was that it must have something to do with electronic warfare concerns. I.e. this is not about making the public safer, but rather about making the US military more competitive in the event of a conflict.

    Imagine for example that there is a conflict with China over Taiwan--- say they decide on a naval blockade. The US military could have a full month of inside knowledge regarding Windows vulnerabilities that they could try to use in an electronic warfare environment.

    This move will do nothing except drive more governments around the world to Linux and open source. Thank you Microsoft :-D

    --

    LedgerSMB: Open source Accounting/ERP
  13. Re:Haha by Total_Wimp · · Score: 5, Interesting

    If you were the Japanese government, would you want to know that the US were getting preferential treatment?

    If you were the Chinese government, would you want to know the US is getting free help from Microsoft to spy on you? Probably not.

    If you were a concerned person living in another country who happens to find out about an exploit in Windows, would you want the US government getting a month-long head start on hacking/spying on the rest of the world, possibly even including the country you live in?

    Microsoft has spent years trying to convince people who find exploits to "do the ethical thing" and tell them about it before letting the rest of the world know. If you happen to be a citizen of another country, this puts a very big question mark on whether giving MS the exploit is "the ethical thing" to do.

    My best guess is that otherwise helpful security professionals who happen to live outside our borders will be posting more and more exploits directly to the web because of this policy. Ironically, that will end up making things _less_ secure for the Air Force in the long run.

    TW

  14. Re:Haha by Fat+Cow · · Score: 3, Interesting

    exactly. since the patch is new software, the only way the government is getting it early is if everyone else is getting it late.

    it's also bad on the government's part to be complicit in this withholding of security fixes - it makes the country less secure, not more secure.

    --
    stay frosty and alert