Microsoft to Introduce Faster Security Disclosures
Starwax writes "Here's a very interesting strategy by Microsoft. After years of complaining about irresponsible disclosure of security alerts by grey hats, Microsoft will now confirm and discuss the vulnerabilities in a new pilot project launching on Tuesday. Advisories will be issued within one business day of a publicly reported security hole along with guidance and mitigation."
Microsoft isn't open on weekends? Is that too much to ask of a multi-billion dollar company?
Waiting until Monday (especially as weekend time is usually the best to schedule downtime) strikes me as a silly idea.
But what is a grey hat?
It's about time MS did something like this. Hopefully they will keep honest about it.
(See subject)
If you need to consider it, then you are already gay :)
Karma means nothing to me, so suck it...
Microsoft will now announce that Microsoft will announce security alerts within one business day of their reporting to Microsoft. Microsoft announces that any security holes not announced by Microsoft must therefore not exist. It's the industry standard: "We have a policy that we are not being hacked."
--
make install -not war
And I bet a lot of their answers will include either "disconnect the computer from the network" and "stop using the computer"
"Advisories will be issued within one business day of a publicly reported security hole"
If it is already public, does it matter? So, does this mean that if they know of something, they are going to wait until somebody else finds the problem and makes it public before letting their customers (and the rest of the world) know?
I'm missing the interesting strategy on this one. Just sounds like they want us to think that they are being proactive. I dunno. Perhaps I am the only one that thinks that Microsoft is evil.
It could be worse, it could be Monday.
Advisories will be issued within one business day of a publicly reported security hole along with guidance and mitigation.
So, Microsoft only will do something if inaction stands to bring them negative attention. What I would like to see from Microsoft (and other commercial and/or closed source vendors) is a commitment to treat the security holes their own developers discover in the same way.
I just don't think it is right to withhold the information, especially if admins can use it to secure their sites, until the threat of public disclosure by a third party is imminent or past.
when researchers jump the gun and release vulnerability details before a patch is available.
Jump the gun? Oh that's right telling Microsoft there's a security flaw and waiting months before going public is jumping the gun after all.
Gotta love these articles. Nice spin, make the researchers look like the bad guys...
At least now we'll get to hear about flaws quicker and that they don't have a patch or a work around.
I discussed this with the MS Head of UK security (during a MS/ISSA conference) and he nearly bit my head off. Mostly because I wouldn't back down, saying "You only confirm a problem, and release a fix, when you know bad press is on the way," and followed up with "What is the point of announcing 'There is a big Windows bug out on Tuesday' without enough information to judge impact - either before or after the announcement?"
I seriously doubt that this will make any difference, except to CTOs who are getting pressure to go to Linux...
MS is a sales and marketing machine, with massive numbers of legal eagles, and a few software engineers.
I forget who, but a couple months ago, a company gave MS details about an exploit. They then kept quiet for months, but then inexplicably released exploit info two days before MS released the fix.
But I posted about it at the time (sadly, I don't have a /. account so I can't search for my post) and if I were Microsoft I would have been very angry that a security company had clearly released security hole information strictly for the PR value.
It is well known that MS releases the fixes on certain days of the month, and they would have known MS was about to release the fix, since they work with MS to fix it.
So in this case, there is no other explanation than that this company figured they'd get a ton of press by releasing the exploit info before it was fixed instead of after.
I searched for the link, but I can't find the story, I'm sorry.
So we'll have them in under 5 years?!?! NO WAY!
Your skill in reading has increased by one point!
In the computer security community, a "gray hat" is a skilled hacker who sometimes acts legally and in good will and sometimes not. They are a hybrid between white hat and black hat hackers. They hack for no personal gain, and do not have malicious intentions, but commit crimes. For example, attacking corporate businesses with unethical practices could be regarded as highly ethical and yet would normally be tagged with the title of black hat activity. However, to a gray hat, it may not appear bad even though it is against the local law. So instead of tagging it a black hat hack, it is a gray hat hack.
That could be nothing more than moving up from snail races to tortoise races. It's not like Microsoft is fast about these things to begin with anyway.
Woo hoo.
I can hardly contain my excitement.
Much better than their current process. Still a ways to go in my opinion. Mitigation advice should be given as soon as it's available - even if they don't give details about what is being protected against. Just a simple "turn off 'x'", or "change the value of a to b".
I should not be left at the mercy of black hats while MS sits on information that could have protected me.
But as much as I dislike MS this is a positive move.
I think the easiest way to deal with this would be to just put one of those lamp timers on your Windows box to cut AC power on Friday 5 pm and switch it back on Monday at 9 am, saves on unnecessary tape usage too.
At a Microsoft press conference today, aging software tycoon William Gates III touted his company's new "Accessible Code" policy whereby developers may examine the uncompiled routines which make up the Windows operating system and modify it to suit their needs provided they publicly release their changes under the same MSAC license.
Gates also outlined several points which he says give Microsoft an advantage over "Open Source Software" such as the ubiquitous Linux operating system and the Apache web server which runs more than 92% of all internet sites. Among these points were: advisories addressing publicly reported security vulnerabilities within one business day, free usage of Microsoft software by anyone (the Microsoft patented Pay-only-for-support model), and remarkable stability since there is no pressure from Marketing to release an unready version just to realize a revenue stream.
'These policies combine synergistically to leverage Microsoft over Open Sores Software', said Gates. 'The American system of patents and copyright clearly works. It gives people the freedom to choose. Because of this, almost half of all computer owners choose Microsoft Windows to be their desktop operating system. And the American jobs it creates may be yours. Recently, after hiring 58,000 Bangladeshi software engineers, we created over 100 new jobs for Americans to proofread those engineers' milestone reports.'
'And if it weren't for our trusted copyright system, the Walt Disney Corporation would have had to lay off many of the foreigners they import from third world countries to sell snow-cones and wear that suit that makes them look like a certain mouse character whose name I'm not currently licensed to say in public,' Gates continued nervously, 'but you know the one I'm talking about.'
Investors reacted positively to the news as Microsoft shares rose fifty cents, breaking the five dollar barrier which had kept Microsoft in danger of being delisted from the NASDAQ as a penny stock. Only a 3 for 1 reverse split had kept it listed since the company was warned last September. The former billionaire left the building in a hail of applause, stopping briefly only to ask the time, since his MS WinWatch had blue-screened, and to ask several bystanders for a ride to the bus station.
Liberals call everyone Nazis yet they are the closest thing to it.
I'll head in on a weekend for really critical problems - for example, an OpenSSH vulnerability that I know will affect work's firewall. No way do I want to clean up the mess if I leave that unfixed - it sucks much less to go in on a weekend and fix it.
Most security holes are trivially fixed by remote admin anyway. "apt-get update; apt-get upgrade" and you're done in my case, usually. Windows admins have to use RDP/VNC/ICA and Windows Update, but can still get the job done pretty easily.
Of course, if the patch breaks something you need to go in, but in most cases it's really fuss-free.
You actually think it's okay for a company to release exploit info if they're going to get sufficient PR for it?
The issue here is a company didn't release the info until just BEFORE MS released the fix. They knew MS already had fixed it, just hadn't rolled it out yet (was going to happen in two days). By releasing this info early, they didn't spur MS to fix anything, they had already fixed it. Instead, they just got more glory for themselves. And at what risk? Only everyone who has a computer running MS software...
This is just plain greed by this company, not some kind of social service.
And no, the advisory wouldn't have made this security company's announcement moot. Their announcement contained specifics MS doesn't put in their advisories, like explicit steps to exploit.
I believe MS is doing what they can, it takes time to fix software and release it, and be sure you didn't do more harm than good. MS in general (not always) is responsive to reports of exploits.
And the company not releasing the exploit info earlier wasn't a favor to MS, it was a favor to us all. A big favor to those who use MS machines and smaller favor to others who would have been affected by a worm circulating the internet or more spam from owned machines.
Either way, keeping silent two days before the fix is just greedy. It's a PR grab, get the thunder before it goes away. This kind of "I'll get mine, others be damned" hurts us all.
Maybe they could do better, but releasing info that will allow the script kiddies to create havoc isn't the right way to go about improving the situation.
Does anyone else get a sinking feeling in their tummy every time Microsoft does something right, something better, or something intelligent? I like hating them. If I can't hate them, I'll have to hate something else. And I haven't been paying much attention to worthy targets over the past few years. I'm afraid I might have to turn my hate inwards if they're improving. And that can't be good.
The quote at the bottom of the screen was "Hate is like acid. It can damage the vessel in which it is stored as well as destroy the object on which it is poured." I think it's kinda pertinent to posts like this on /..
Where is /. as a blog/news source heading? What is its purpose? This is a serious question because I came into this thread expecting maybe a glimmer of pat on the backs to Microsoft for finally doing something about security. Instead we have posts bashing M$ and/or saying that this is merely a marketing plan (as if to say a marketing plan is inherently evil). The quote above reflects this. There is a massive amount of hatred that is spewed out onto anything that doesn't conform with /. groupthink and it is destroying /.'s insides like an emotional contagion.
In the last week we had a huge surge of comments on evolution/ID theory yet this article gets hardly any and the comments that are here are typical group-think. Many /.'ers will state that /. shouldn't be taken seriously as a news source. Well then why do you post here? It's supposed to be a sense of nerdish community instead we get half-baked tripe articles and group-think commentary. Then I had an epiphany.
Microsoft and /. are in many ways similar. You are both adamant in your ways that you are right. You both fear change that goes against your world view. Finally, but most importantly, /. is a marketing machine just like Microsoft. I have a sneaking suspicion that savvy marketers have targeted your iconoclastic demographic for monetary exploitation. That's what /. purpose is. In some way or another they're leeching money and attention off your group hatred.
Very subtle. Admit that M$ junk is full of holes. Admit that M$ will never be able to fix them and that this announcement is just another PR stunt from the kings of marketing BS. Then, slip - o - change - o, spout that other M$ company line, "no software is better than ours."
Not all bugs are created equal. Give me a call when you find a few holes in OpenBSD. You might find one in the next decade. Give me a call when Linux boxes are responsible for 1/100th the spam, extortion and other malice that floods out of broken M$ members of the Botnet. I don't think so, ever, not even when M$ is driven down to the legacy 10% of the market they deserve. It's not that people are not trying to break high profile free software run sites, it's that they can't. Fortune 500 companies, such as yours, lavish more money per function on Winblows boxes than they do on *nix, so it's not because Winblows is not as well maintained. Desktop linux users are all over the place, where are the automated worms? It's not happening.
The best/only thing MS should do is just have a mailing list that notifies any subscriber about any reported possible bug/exploit.
I think they should just give up and go away.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Hell freezes over.
Wonder how this fits in with their policy that Governments get the patches before businesses
It doesn't count as gay if you make him wear a nice hat and some ladies shoes.
Give it up. If I kept up with all the friggin updates and service packs and hotfixes and reinstalling of software that I already do, that's all I would spend my time doing all day.
Join the Slashcott! Feb 10 thru Feb 17!
"Microsoft to Introduce Faster Security Flaws"?
I did...