Slashdot Mirror


Microsoft to Offer Patches to U.S. Govt. First

Elitist_Phoenix writes "Reuters reports that 'Microsoft is to give the U.S. government priority in fixing security holes in Windows and other software, The Wall Street Journal reported on Friday. Under a plan to take effect later this year, Microsoft will give the U.S. Air Force versions of software 'patches' to fix serious security vulnerabilities up to a month before they are available to others.' Yet another attempt to fight off impending doom, by trying to keep the government away from open source?"

33 of 344 comments

  1. Haha by 26199 · · Score: 5, Funny

    So they're getting the government to beta-test their patches? Sweet.

    1. Re:Haha by danormsby · · Score: 5, Insightful

      What I find weird about this is that Microsoft write a patch to fix "serious security vulnerabilities", release to the US military but hold it back from the rest of the world for a month. Will this make the world a safer place?

      --
      Omnis amans amens
    2. Re:Haha by smchris · · Score: 3, Insightful

      It isn't bad business psychology. You can just hear the salesmen saying, "Who's your daddy! Does linux offer priority access to security patches? I don't think so."

      Sadly, the majority of people will answer back, "Well, gosh gee. You're right. Microsoft makes me feel special! Microsoft is so great."

      Shiny thing catches the sunlight. Bargain. Today only. People are stupid.

    3. Re:Haha by marvin2k · · Score: 4, Insightful
      Sadly, the majority of people will answer back, "Well, gosh gee. You're right. Microsoft makes me feel special! Microsoft is so great."
      No, the majority of people will say, "Well, gosh gee. You just handed out a security fix for a vulnerability to the government but you don't give it to me for another month so my machines are now in grave danger even though they don't have to be. I think I'll try linux for a change, they don't have a "leave your customers hanging in the air" policy."
    4. Re:Haha by canwaf · · Score: 4, Insightful

      The average computer user would:

      a) Not think that.
      b) Not think of linux as a substitute for Windows.

      Because the average computer user doesn't install security patches anyways!

    5. Re:Haha by The-Bus · · Score: 4, Funny

      It looks like you want to: Land the Plane
      1. Don't land the plane
      2. Open an audio file.
      3. Shoot the base,


      "Oh crap."

      --

      Small potatoes make the steak look bigger.

    6. Re:Haha by Total_Wimp · · Score: 5, Interesting

      If you were the Japanese government, would you want to know that the US were getting preferential treatment?

      If you were the Chinese government, would you want to know the US is getting free help from Microsoft to spy on you? Probably not.

      If you were a concerned person living in another country who happens to find out about an exploit in Windows, would you want the US government getting a month-long head start on hacking/spying on the rest of the world, possibly even including the country you live in?

      Microsoft has spent years trying to convince people who find exploits to "do the ethical thing" and tell them about it before letting the rest of the world know. If you happen to be a citizen of another country, this puts a very big question mark on whether giving MS the exploit is "the ethical thing" to do.

      My best guess is that otherwise helpful security professionals who happen to live outside our borders will be posting more and more exploits directly to the web because of this policy. Ironically, that will end up making things _less_ secure for the Air Force in the long run.

      TW

    7. Re:Haha by rsborg · · Score: 3, Funny
      What is the difference between Abort and Fail?

      In this case, maybe a parachute?

      --
      Make sure everyone's vote counts: Verified Voting
    8. Re:Haha by Fat+Cow · · Score: 3, Interesting

      exactly. since the patch is new software, the only way the government is getting it early is if everyone else is getting it late.

      it's also bad on the government's part to be complicit in this withholding of security fixes - it makes the country less secure, not more secure.

      --
      stay frosty and alert
  2. Safety First by DogDaySunrise · · Score: 5, Insightful

    Sounds a lot more like "Microsoft will delay patches for a month after availability, except to the US Govt". Surely it'd be a lot safer for the US Govt Ltd. for M$ to supply patches to *everyone*, governments included, instead of allowing vulnerabilities to lie unpatched for a few weeks...?!?

    1. Re:Safety First by Rangataua · · Score: 5, Interesting

      I wonder how long it will be before someone creates a virus based on knowledge found in a patch that has only been released to the government.

    2. Re:Safety First by ctr2sprt · · Score: 5, Insightful
      Well, remember that MS's products are used on hundreds of millions of computers worldwide, and after the OS leaves the box Microsoft has no control over it. People install all sorts of programs and make all sorts of "adjustments" to their computers. This makes QA for patches hideously difficult, since MS has to test against such a wide array of third-party apps.

      So the argument here is that because the USAF is using an NSA-designed build, they can guarantee a pretty stable environment. MS has a known quantity to test against, which lets them test faster (and presumably better), so they can afford to roll those patches out earlier. They then spend the next few weeks trying to make sure their patches work on Everything Else. One of the hopes cited in the article I read is that this will encourage other entities, like banks and such, to adopt the NSA's build (or at least model their own after it). That will, of course, enable Microsoft to expand its "early release" program, making them more money, but it may also lead to better security across the board. As we all know, a good sysadmin can secure anything, even a Windows box. Well, if you aren't a good sysadmin, maybe you can copy one and get similar effects, right?

      That's their line. It does make sense, though I personally would rather see MS release all their patches after minimal QA, then a month (or so) later release "improved" versions. That way, if the patch breaks some third-party program, at least the folks who don't use that program can get the benefits. MS does this sometimes already. Of course, my expectation is that if they did this with every patch, that "month" wait would be closer to two or three months, and often the updated patch would never come out at all.

    3. Re:Safety First by Znork · · Score: 4, Insightful

      "It does make sense"

      It makes sense until you realize that the OSS crowds install even more sorts of programs and make even more adjustments to their computers, yet manage to get patches in a timely manner.

      Which means that either Microsoft is terminally unable to create stable and clean APIs so everything affects everything else, causing an inordinate amount of breakage, or they're still not very serious about the patching thing.

    4. Re:Safety First by antiMStroll · · Score: 4, Insightful

      Right.... and this explains why my place of work is still struggling with the process for rolling out XP SP2 in our 100% MS OS shop because it breaks so many critical packages. I don't see Microsoft stepping up to our plate to assure compatibility.

  3. What if... by 0x461FAB0BD7D2 · · Score: 5, Interesting

    the patches screw up the systems, as has happened in the past?

    Also, how would other governments see this? Would they accept being 'second-class customers', no different in Microsoft's eyes to the Average Joe?

    1. Re:What if... by lxs · · Score: 4, Funny

      What if the patches screw up the systems

      Some general 'accidentally' orders an airstrike on Redmond and blames it on buggy software.

  4. Smart idea by Microsoft by aendeuryu · · Score: 5, Insightful

    People in power love the idea of others sucking up to them. Even if they can get security fixes quicker via open source, the idea that Microsoft is effectively prioritizing them ought to be incentive enough. You could give them good practical and logical reasons for going open source anyway, and they'd MAKE UP their own reasons for not doing it, because they'd LIKE the idea of having a position like this over Microsoft, and would go along with whatever rationalizing they'd have to do to accept it.

    What's more satisfying? The idea of having some small company like Red Hat at your beck and call? Or Microsoft?

  5. This is obvious... by sgant · · Score: 4, Funny

    Prof. Frink: It's because the Government has the troops and the guns and the tanks and the fire falling from the sky with the burning people running amok in an orgy of blood and kicking and the biting with the metal teeth and the hurting and shoving...

    That's why the Government is first.

    --

    "Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
    1. Re:This is obvious... by displaced80 · · Score: 3, Funny
      But what's Microsoft getting in return, that's what I'd like to know...

      First 5 air-strikes a year for FREE!?

      USAF endorsement of the Flight Simulator series?

      A free G-Suit for Ballmer? (much more effective than that girdle he borrowed from Shatner, I bet).

      We should be told...

      --
      What's the frequency, Kenneth?
  6. Great idea. by Mz6 · · Score: 4, Interesting

    As a DoD Defense Contractor working on these systems, I think this will help tremendously. Currently, we only get patches when Microsoft posts them on their website. From there it needs to be thoroughly tested to ensure the patch will still allow critical software to continue functioning (the government can ill-afford downtime on some of these systems). Beyond that, it then needs to be applied to thousands of other machines on several different networks. Of course, we only have a small window to get this all completed. With an extra month to have this completed, we have a small advantage to have these systems patched.

    --
    Hmmm.
    1. Re:Great idea. by martinX · · Score: 4, Insightful

      A small advantage over whom?

      During your month of testing, your systems are still vulnerable. MS can't make the patches any faster, therefore you having them a month earlier than everyone else can only mean that they are delayed to everyone else who needs them. How could that possibly be a good thing? Banks, powerstations, hospitals - they all can ill-afford downtime.

      Finally, "released to the government" means what? They post them on their website? Like they do now...

      As far as I can see, this helps no-one.

      Please explain.

      --
      When they came for the communists, I said "He's next door. Take him away. Goddam commies."
    2. Re:Great idea. by CdBee · · Score: 4, Insightful

      I find it a little disquieting that the USAF's primary systems may be running Windows. Windows is good for a lot of jobs, but the frontline defence of the world's most - well - controversial nation possibly ought to be on something a bit more resilient.

      --
      I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
  7. Crazy, no? by Toby+The+Economist · · Score: 3, Insightful

    This seems crazy on a number of levels.

    Is the airforce more important than say, nuclear power plant operators?

    While it's conceivable there could sometimes be some advantage in releasing a beta version of a security fix, there is no advantage whatsoever in merely delaying the general release of a patch, so MS must have agreed to supply early versions of patches to the USAF.

    This, I predict, will cause more problems than it will solve.

    --
    Toby

  8. So, who do they upset most? by malkavian · · Score: 4, Insightful

    The Military for having to Beta test MS' latest patches (they'll be the one whose systems crash most by having patches applied that haven't met the real world before), or Commerce, who suddenly realise that they're going to be getting cracked hard, by something MS knows about, has a fix, and just can't be bothered to give them a cure for..

  9. Article submitter biased? No, not on /. by 3770 · · Score: 3, Informative

    Yet another attempt to fight off impending doom, by trying to keep the government away from open source?


    Man, people really want Microsoft to become a footnote in history.

    --
    The Internet is full. Go Away!!!
  10. Hostile take over attempt. by jwcorder · · Score: 3, Funny
    They are giving them the patches first, so when all their systems are down from a bad update, they have the ability to TAKE OVER THE WORLD!!

    --
    http://jayceecorder.blogspot.com
  11. Great by Pan+T.+Hose · · Score: 5, Insightful

    Another reason for the EU, China and Korea to finally abandon Micro$oft software altogether. Now it is not only a risk of ordinary corporate lock-in but actually a threat to national security and sovereignty of Asian and European States (excluding Middle East states which are hardly sovereign to begin with) because it means that the US government (CIA, NSA and other *AA) will be able to easily reverse engineer Micro$oft patches and exploit the patched vulnerabilities in the parts of the world where there are no patches available so not only stupid people will have vulnerable systems but actually everyone. We can only hope that our European and Asian brothers and sisters are wiser than their American counterparts who will hopefully jump on the bandwagon as well and stop using Micro$oft software. That should mean a great increase in Linux market share during the first quarters of 2006, 2007 (such a serious transition is never done overnight, there are no miracles, we have to be patient). So paradoxically this is actually good news because it will inevitably hurt Micro$oft in the long run. Instead of overreacting we should stay calm, discuss its implications maturely, and see what it means and how the rest of the world reacts. The most important parts of the world to focus on are: Europe, Asia, Australia, Africa, South America and Canada. Only time will tell what that decision really means and which F/OSS O/S will benefit the most where the national security is the top priority.

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
  12. Machiavelli by bitswapper · · Score: 5, Insightful


    So, if you're a foreign government, the US government has one month to break into your unpatched systems. Or, if you're anyone the US government doesn't like, the CIA, FBI, HLS, etc., has a month to hack your unpatched systems.

    I give Microsoft credit for possessing at least a basic understanding of Machiavelli.

  13. Microsoft Liability ? by Alain+Williams · · Score: 4, Insightful

    Does this not open M$ to the charge of willfully withholding security patches from everyone else by a month ?

  14. Could 0wned admins sue MS? by fuzzy12345 · · Score: 4, Interesting
    I've wondered about the legality of such behaviour. At the point where a company knows its product has a vulnerability, has a fix for that vulnerability, and deliberately withholds the fix from customers, knowing that some of them are likely to be hacked and suffer losses, is it not negligent?

    This would likely vary from jurisdiction to jurisdiction. Anyone got an amateur/professional legal opinion?

    --

    Everybody's a libertarian 'till their neighbour's becomes a crack house.
  15. Re:Yet another attempt to fight off impending doom by drooling-dog · · Score: 4, Insightful
    And I'm sorry if you have ego issues with the Air Force having a higher priority than your entertainment center.

    You're assuming that anyone is going to enjoy greater security by delaying patches to most other users. I have to question this. And never mind about "entertainment centers"; what about the systems that process your credit cards or medical records?

  16. Odd... WE don't have a problem :) by DoofusOfDeath · · Score: 3, Insightful

    Hmmm...

    My government computer runs Debian, and I don't recall having ANY problems like this :)

    Actually, now that I think about it, I *did* need to train my spam filter to discard our security team's "Microsoft virus alert" messages ;)

  17. delays by Jesus+IS+the+Devil · · Score: 3, Insightful

    The real deal isn't that they're offering these updates to the government first, but rather, that they're DELAYING it from everyone else.

    This makes no sense, since a patch is a patch. Sure M$ might earn some brownie points from the government entities that get this priority, but the resulting backlash from everyone else will be worse.

    --

    eTrade SUCKS