Slashdot Mirror


DRM Hole Sets Patch Speed Record For Microsoft

puppetman writes "Wired columnist Bruce Schneier has an article up called 'Quickest Patch Ever', about a patch that was issued within three days to fix a vulnerability in Windows Digital Rights Management (DRM)." From the article: "Now, this isn't a 'vulnerability' in the normal sense of the word: digital rights management is not a feature that users want. Being able to remove copy protection is a good thing for some users, and completely irrelevant for everyone else. No user is ever going to say: 'Oh no. I can now play the music I bought for my PC on my Mac. I must install a patch so I can't do that anymore.' But to Microsoft, this vulnerability is a big deal. It affects the company's relationship with major record labels. It affects the company's product offerings. It affects the company's bottom line. Fixing this 'vulnerability' is in the company's best interest; never mind the customer."

46 of 397 comments

  1. Kinda blows their excuse by Eldred · · Score: 5, Insightful

    What's their excuse going to be the next time a user vulnerability that has exploits in the wild has to wait for the next release cycle?

    1. Re:Kinda blows their excuse by Anonymous Coward · · Score: 1, Insightful

      There's a big difference between fixing a hole in some DRM library versus fixing a bug in a piece of software that could just randomly bring down thousands of servers.

  2. The only thing that comes to mind by MadUndergrad · · Score: 1, Insightful

    is the phrase "it figures". Frankly, I'd expect nothing else from them.

  3. Ever? by truthsearch · · Score: 2, Insightful

    'Quickest Patch Ever'... for Microsoft. Linux distros have definitely had patches available within 48 hours of a security hole being found. IIRC the Samba team once fixed a hole within 24 hours and it was in most of the big distros within another 24.

    And isn't it sad that the quickest patch they ever release is for a hole no user cares about? More proof that MS cares more about their corporate friends than users.

  4. Not an article by Red+Flayer · · Score: 2, Insightful

    I know it seems like semantics, but Schneier's piece is not an article. It's an editorial, an opinion piece -- even if it is based on some real event(s). We really should differentiate between the two, as I do prefer 'news for nerds', not 'opinions for nerds'. I've already got opinions o'plenty, and the comment section is where I like to see others' opinions. :)

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  5. Priorities by wardk · · Score: 5, Insightful

    fatal holes in the browser? whatever

    allowing spyware to take over? who cares

    DRM? we're on it!

  6. Plain and simple by Anonymous Coward · · Score: 5, Insightful

    this kind of rapid response is EXACTLY what we are clamoring for when we ask that you take security seriously

    The fast fix suggests that rapidness of response might be a function of "whose ox is being gored".
    1. Re:Plain and simple by MightyYar · · Score: 5, Insightful

      Exactly! The cat's out of the bag... we know that they are CAPABLE of a 3-day turnaround. That line about having to wait for testing and blah, blah, blah was totally bogus, apparently.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    2. Re:Plain and simple by Abcd1234 · · Score: 4, Insightful

      Well, just to play devil's advocate - what if the vulnerability fix was, literally, a couple of lines of code? Maybe it was just a tiny fix.

      Actually, I suspect the vast majority of security fixes are just this. Usually it involves adding a couple more error checks to function inputs, putting length limits on operations on memory buffers, that sort of thing. I suspect it's quite rare for a patch to be any more involved, unless it's the result of a serious error in design.
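
The kind of "couple more error checks" fix Abcd1234 describes, as an added example that is not from the thread and not any Microsoft or DRM code: a length-prefixed record is copied into a fixed-size buffer, first trusting the declared length byte (the bug), then with the destination-size check added (the two-line fix). The record layout, the `PAYLOAD_MAX` constant and every function name are constructed for this illustration; the test data is likewise constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Destination buffer size every caller is expected to provide. */
#define PAYLOAD_MAX 16

/* Constructed record layout (an assumption for this example, not a real format):
 *   byte 0      declared payload length n
 *   bytes 1..n  payload
 */

/* BEFORE: trusts the declared length and copies that many bytes into dst.
 * Returns the number of bytes written. Nothing compares n against PAYLOAD_MAX,
 * so a record with a large length byte writes past the end of a PAYLOAD_MAX-
 * sized destination. (The demo below gives dst extra slack so the overrun is
 * observable without undefined behaviour.) */
size_t copy_payload_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *dst) {
    if (rec_len == 0) return 0;
    size_t n = rec[0];
    if (n > rec_len - 1) n = rec_len - 1;   /* stays inside the source... */
    memcpy(dst, rec + 1, n);                /* ...but never checks the destination */
    return n;
}

/* AFTER: the "couple of lines" fix. Reject a declared length that exceeds
 * either what the record actually contains or the destination size.
 * Returns 0 on success, -1 on a malformed or oversized record; on failure
 * nothing is written and *written is left untouched. */
int copy_payload_checked(const uint8_t *rec, size_t rec_len,
                         uint8_t *dst, size_t dst_len, size_t *written) {
    if (rec == NULL || dst == NULL || written == NULL) return -1;
    if (rec_len == 0) return -1;
    size_t n = rec[0];
    if (n > rec_len - 1) return -1;   /* truncated record: claims more than is present */
    if (n > dst_len) return -1;       /* would overflow dst */
    memcpy(dst, rec + 1, n);
    *written = n;
    return 0;
}

/* Returns 1 if every byte in buf[from, to) still equals `fill`, else 0.
 * Used to detect writes past PAYLOAD_MAX in the demo. */
int canary_intact(const uint8_t *buf, size_t from, size_t to, uint8_t fill) {
    for (size_t i = from; i < to; i++)
        if (buf[i] != fill) return 0;
    return 1;
}

/* Builds a record whose length byte claims n bytes of payload, filled with
 * 'A'. Returns the total record length, or 0 if it does not fit. */
size_t make_record(uint8_t *rec, size_t rec_cap, size_t n) {
    if (n > 255 || n + 1 > rec_cap) return 0;
    rec[0] = (uint8_t)n;
    memset(rec + 1, 'A', n);
    return n + 1;
}

int main(void) {
    uint8_t rec[64];
    size_t rec_len = make_record(rec, sizeof rec, 40);   /* 40 > PAYLOAD_MAX */

    /* 48 bytes of canary-filled slack after PAYLOAD_MAX make the overrun visible. */
    uint8_t dst[PAYLOAD_MAX + 48];
    memset(dst, 0xCC, sizeof dst);
    size_t n = copy_payload_unchecked(rec, rec_len, dst);
    printf("unchecked: wrote %zu bytes, canary intact: %d\n",
           n, canary_intact(dst, PAYLOAD_MAX, sizeof dst, 0xCC));

    memset(dst, 0xCC, sizeof dst);
    size_t written = 0;
    int rc = copy_payload_checked(rec, rec_len, dst, PAYLOAD_MAX, &written);
    printf("checked:   rc=%d, wrote %zu bytes, canary intact: %d\n",
           rc, written, canary_intact(dst, PAYLOAD_MAX, sizeof dst, 0xCC));
    return 0;
}
```

The diff between the two functions is two comparisons, which is exactly why such a fix can ship in days; the surrounding comments in this thread about regression testing are about what else those two lines might touch, not about their size.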

    3. Re:Plain and simple by radtea · · Score: 4, Insightful

      Well, just to play devil's advocate - what if the vulnerability fix was, literally, a couple of lines of code? Maybe it was just a tiny fix.

      I once moved a single line of code up one line and broke the product in a subtle and interesting way that fouled up major testing, delayed a milestone, and severely and justifiably pissed off one of my colleagues.

      There are no small fixes. A famous single-character error (typing "." for "," in a FORTRAN DO loop header, so it read DO I=1.10 instead of DO I=1,10) resulted in the destruction of a spacecraft.

      So I guess fixes that involve changing less than one character are safe to release with minimal testing. All the rest need the full cycle.

      The only reason why Microsoft might not do that in the present case is because keeping partners who depend on DRM happy is really, really important, and therefore they are willing to take the risk of crashing users' machines. Either that, or the person making the decision is just not very smart, a possibility never to be discounted.

      --
      Blasphemy is a human right. Blasphemophobia kills.
    4. Re:Plain and simple by Anonymous Coward · · Score: 1, Insightful

      While that is fine and dandy, the testing that they are talking about is regression testing.

      For those who don't know what it means, the simplest explanation is this:

      "Make sure shit you fixed, didn't break something else by testing everything associated with it"

      Some modules touch more than others. In the DRM issue, I "seriously" doubt that a security issue fix there would have anything at all to do with the OS functionality in general.

      The vast majority of the patches are for security issues that are pretty serious and, from what I've gathered in the past, require sweeping changes (or simple changes that affect many modules).

      Anyway, just my nickel.

  7. Who profits? by Damiano · · Score: 4, Insightful

    As TFA says, it's simple. A normal security hole costs the user money, not Microsoft. This "security hole" (indirectly) costs MS money so it gets fixed ASAP. MS is, if nothing else, good at protecting its bottom line.

  8. Re:can someone explain this by nine-times · · Score: 2, Insightful

    Microsoft is trying to sell their formats on the strength of the DRM. DRM is what record companies want. If the DRM is insecure and easily cracked, then it won't be used.

  9. Critical, or not? by kripkenstein · · Score: 5, Insightful

    So this is going to be the least installed patch for Windows ever, until they make it mandatory.

    Actually, this is a very serious question: is the patch marked critical, or not? This is important, because:

    1. If the patch is critical, it will get criticized for being, in effect, mandatory degradation of capability (by the tech-savvy). Also, this will make light of Microsoft's security policy, to call this sort of patch 'critical'.
    2. If the patch is not critical, then - oh, the irony - by default, it will not be installable on computers failing WGA. Perhaps Microsoft will get around this. But, as WGA currently works, only critical patches are allowed to systems marked as 'non-genuine'. This would be amusing - pirated copies of Windows would not receive this unwanted patch, but paid-for copies would.

    I can't find, in TFA or the sources it cites, any mention of the severity of the patch. Anyone know the answer to this?

    1. Re:Critical, or not? by Damastus+the+WizLiz · · Score: 1, Insightful

      If this is truly about their bottom line then Microsoft has no choice but to make this patch critical. I also suspect in time they will make it a mandatory patch in Windows Media Player. One of those lovely updates it grabs online as soon as you open it.

      --
      I often have trouble remembering which way is out of bed in the morning.
    2. Re:Critical, or not? by jZnat · · Score: 2, Insightful

      Just dual boot and keep a copy of Windows for gaming. One day you'll be able to play basically any game flawlessly via WINE, but that's not the case right now. Maybe it'll be ready for that by the time Vista comes out?

      --
      'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
    3. Re:Critical, or not? by LucBorg · · Score: 3, Insightful

      Fine they are being a typical company, but it's not as if Apple would behave any differently if something like this happened to their music.

    4. Re:Critical, or not? by brouski · · Score: 3, Insightful

      If your XP box has a network cable plugged in, I would consider it irresponsible not to keep it patched up with at least the critical security updates. No one's ever as perfect as they claim to be... :)

      --
      Proud member of the American Non Sequitur Society. We might not make much sense, but boy do we love pizza!
    5. Re:Critical, or not? by 200_success · · Score: 2, Insightful

      In the long run, it doesn't matter whether this particular patch is mandatory. The next time there is a truly security-related patch for Media Player, they'll either include this fix or require it as a prerequisite.

    6. Re:Critical, or not? by MightyYar · · Score: 2, Insightful

      Actually, this DID happen to Apple when Hymn broke the FairPlay encryption. It remained broken, off and on, for quite a few months (years?) until iTunes 6 came out. Even now, you can buy music using the older "broken" iTunes software and break the encryption. Eventually they will probably disallow the use of pre-6, but I don't think they have yet.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    7. Re:Critical, or not? by pete6677 · · Score: 2, Insightful

      Keep in mind who Microsoft's real customers are: the content providers paying big bucks for a Microsoft-exclusive distribution arrangement. The consumers who pay $200 or so for a Windows license (or who don't pay at all) are not where Billy G. got his billions from. Microsoft is simply fixing problems in order of business priority.

    8. Re:Critical, or not? by Anonymous Coward · · Score: 1, Insightful

      One day you'll be able to play basically any game flawlessly via WINE, but that's not the case right now. Maybe it'll be ready for that by the time Vista comes out?

      And when Linux finally got WABI ported to it we could run 16-bit Windows applications nearly flawlessly! It was fantastic. But then again, who runs 16-bit Windows apps anymore? The same will happen with WINE. It'll flawlessly emulate Win32 some day but we'll have moved on to 64-bit apps and a new API that is completely incompatible. You'll be fine if you want to run 5 year old games, but new stuff won't run.

    9. Re:Critical, or not? by LordSnooty · · Score: 2, Insightful

      But as long as you are behind a firewall (which any geek would be), and use a competent virus scanner (Clamwin will do), the only threat comes from IE bugs, and who in our community uses IE?

    10. Re:Critical, or not? by orasio · · Score: 2, Insightful

      Switch to consoles.
      Windows gaming is more expensive than console gaming, if you include licenses and special hardware needed, and it's far less convenient.
      Windows gaming doesn't have much to stand against next generation console gaming. I don't think gaming in Vista will be as important as it was, for instance, in win98. Consoles have lots of advantages over what a computer has to offer.
      GNU/Linux for computing, Wii (or whatever rocks your boat) for gaming. That should be easy enough, and keep administration issues at the lowest.

  10. Re:Customers' best interest by Tackhead · · Score: 4, Insightful

    > While it may be funny to joke about it serving the customers' best interest if Microsoft were to go belly up,

    Microsoft is serving its customers' best interests. Their customers are system builders such as Dell, purchasing managers at businesses, and media companies.

    The guy at the keyboard of a Windows Vista box, using Microsoft Office at work, and Windows Media Player at home is not the customer, he is the product.

  11. Cued up for a reason by Mateo_LeFou · · Score: 3, Insightful

    This sort of story indicates something about Microsoft's priorities. It doesn't mean they're evil and/or going to software hell. It just indicates something about their priorities.

    --
    My turnips listen for the soft cry of your love
  12. Priorities... by Supp0rtLinux · · Score: 2, Insightful

    So let me see if I get this right... they'll wait a month for normal patches, sometimes longer for some that've been well known but they either can't fix or don't see the potential risk... but in general, if a new vulnerability is found on the Wednesday after black Tuesday, they'll wait a month (at earliest) to release a patch even if an exploit is in the wild... yet when it comes to protecting their cash cow, they'll fix it right away. In other words, screw the consumer... we can just damn well wait for updates to critical vulnerabilities, but when it comes to protecting their own revenue stream, they'll fix something right away. Not sure why I would've thought they'd do any different... but it would seem they rushed to provide a "bug fix" to protect their revenue stream, but won't rush to create "critical updates" that customers need. Amazing...

  13. Funny how fast they are on screwing the customer by Anonymous Coward · · Score: 2, Insightful

    Normally, Microshaft ignores security problems for at LEAST a month, then they deny that a problem exists for at LEAST another month, then they "study" the issue for at LEAST another month, then they "work on the problem" for at LEAST another month, and finally release a patch that does not really address the original problem and breaks a half dozen other things (and apparently inflicts even more sadistically controlling DRM on Microshaft's victims).

  14. Re:can someone explain this by daranz · · Score: 2, Insightful

    There are DRM-ed WMA playing portable devices and online download services. It's in MS's interest to keep the DRM doing what it's supposed to do. Otherwise, everyone goes to iPod and iTunes, and that's not what MS wants.

    --
    This is a sig. It is appended to the end of comments I post.
  15. Re:Regulation? by RocketScientist · · Score: 5, Insightful

    The free market is EXACTLY how this should be fixed.

    It's currently regulated so that the free market has NOTHING TO DO WITH THE PROBLEM.

    The primary issue, and this is exactly out of Mr Schneier's playbook, is that Microsoft has no direct civil liability for their defects. It's exactly as if you couldn't sue Ford because your Pinto's gas tank exploded. Ford would have no reason to fix the defect. Well, the same problem here: if you buy defective software, you have no recourse to sue the manufacturer of the product. Remove that lack of liability and you'll start to see problems get fixed very very quickly.

    If Microsoft was civilly liable for every piece of spam that was sent by a Windows zombie PC, there would very quickly be patches.

    Less protection of corporations, and more market forces, would fix this problem. This is EXACTLY the kind of problem markets are very good at fixing. The problem is that the current regulation circumvents the market.

  16. Turn Off Your Automatic Updates by organgtool · · Score: 2, Insightful

    It's a good thing I have automatic updates turned off. However, automatic updates in Vista will be turned on by default. If I ever end up using Vista, that will be the first feature that I disable which is a shame since automatic updates are a good thing if you can trust the company that performs them.

  17. Re:Regulation? by spun · · Score: 5, Insightful

    Unfortunately, free markets lead to concentration of wealth. Concentration of wealth leads to concentration of power, which leads to control of the regulatory process. Free markets invariably become unfree because of a runaway feedback loop. At least in democracy we have checks and balances. Where are the checks and balances within a free market that will work to keep it free? There are none.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  18. Computers are not a free market by Colin+Smith · · Score: 2, Insightful

    Not the desktop anyway. It's a monopoly. The actions of Microsoft are those of a monopolist.

    --
    Deleted
  19. The squeaky wheel gets the grease by TopShelf · · Score: 4, Insightful

    And isn't it sad that the quickest patch they ever release is for a hole no user cares about? More proof that MS cares more about their corporate friends than users.

    Is it proof that MS doesn't care enough about users, or is it (by extension) proof that users don't care much about OS vulnerabilities? Sure, they may complain, but do they actually take action and demonstrate that they care, by switching to more secure OSes (by moving to Apple or Linux)?

    After all, MS reacts to what its customers and business partners care about. The music companies go apeshit over stuff like this, but users (both corporate and personal) haven't really demonstrated that they'd rather take their business somewhere else, so why should MS give them anything more than lip service?

    --
    Stop by my site where I write about ERP systems & more
  20. Let's be fair here* by c0d3h4x0r · · Score: 2, Insightful

    Not all fixes pose the same risks or require the same amount of testing.

    A patch for a DRM component surely involves much less code churn, risk, and testing than a change to a core OS component (such as network stack or IE) would require.

    Furthermore, as the original post indicated, no end-users are going to care about this patch or badmouth it in the press if it doesn't perfectly close the hole. And partner businesses aren't going to abandon their deep investments in Microsoft's platform just b/c of one hole. This scenario actually presents less pressure on Microsoft to have to get the fix right compared to other scenarios, meaning they can afford to do less up-front testing.

    * I know someone will want to reply to this post to say: This is Slashdot, and you're looking for fairness?!? HahaaHAhaAHA! I know this is Slashdot, and so I know better than to expect to see fair reporting around here. Still, there's no harm in trying to raise the bar a bit.

    --
    Moderator hint: a comment is neither "Flamebait" nor "Troll" if it is true.
  21. Who the customer REALLY is by dustwun · · Score: 4, Insightful

    People seem to be overlooking who the customer REALLY is here. The bottom line lies in corporate back scratching for multi-$$$$ contracts and agreements.

    One business contract with a large label, Dell, or Sony is worth more than the mutterings and begrudging updates from Windows consumers. Most of us are not the customers, we're the consumers. Most people don't buy Windows from Microsoft, they buy it from Dell, or Gateway, or whoever else sold them their computer. The Dells, Gateways, etc. are the customers. The game companies writing for Xbox 360s, the phone vendors embedding WinCE, they're the customers.

    Bottom line: if you're bitching about this update, you're a consumer. If you think it's a good thing, then you're the customer.

  22. Re:Regulation? by betterunixthanunix · · Score: 2, Insightful

    No, free markets create problems like this. In a truly free market, you have no legal recourse if you are sold a defective product, and as Windows demonstrates, market forces do not stop poor-quality products from dominating the market. What is needed is less protection of corporations, as you said -- and more protection of consumers. Microsoft should be legally obligated to immediately patch any bugs that are reported. Unfortunately, singling out Microsoft wouldn't solve the problem, and a general solution to the problem would ruin the open source movement. The only actual solution to this problem is better education -- so that consumers are educated enough to choose the best software available, which would force publishers (including FOSS publishers) to patch quickly, or lose market share. Standards help, too.

    --
    Palm trees and 8
  23. Re:Regulation? by ultranova · · Score: 3, Insightful

    If a user puts an unpatched computer on a network, they are grossly negligent and should be liable for any damages it causes.

    So basically, plugging a computer into a network opens you up to the RIAA-style legal blackmail - after all, finding out if your computer was "sufficiently patched and configured" to clear you of negligence charges is going to make file sharing cases seem simple. Oh, and does running some non-mainstream program - such as Firefox - make you negligent? After all, an obscure program could well have obscure bugs in it; in other words: "No one ever got sued (or at least convicted) for running Microsoft".

    Besides, if your computer or network got damaged from traffic coming from my hijacked computer, then clearly you have been at least as negligent as I, since you failed to adequately secure your computer before plugging it into the network. So, given that you got damaged because of your own negligence, why should I pay for it? Or, more to the point: why should I be responsible for my negligence but you not responsible for yours?

    No; the culprit here is the guy who hijacked my machine, not me. I cannot be blamed for you failing to adequately protect yourself from damage, any more than I could be blamed if someone walked over my lawn to break into your house, or a hostage could be blamed for aiding terrorists since he didn't exercise enough caution to avoid being captured by them. The whole concept is absurd and totally unjust, and will also make running any new or non-mainstream program an unacceptable risk, since you never know if that program has any obscure security bugs that could make you liable for potentially infinite damages. It will grind software development to a halt and disintegrate computer networks since plugging your computer into them becomes the financial equivalent of grabbing a high-tension wire. Even the US Government can't possibly be stupid enough to pass this law.

    No need for a new law, just enforce the ones we already have for dealing with this sort of behavior.

    Yeah, go after the guy who hijacks people's machines in the first place, don't blame his victims for failing to defend themselves. Your whole idea is basically the same as throwing a serial rapist's first victim to jail because she failed to stop him and is therefore, by your twisted logic, responsible for every rape he does afterwards.

    --
    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  24. They'll sneak it in like a U.S. Congressman by rubberbando · · Score: 2, Insightful

    Just like the bozos in congress that attach totally unrelated garbage to a bill trying to get passed, Microsoft will probably just attach it to another update that people will actually install...

    --
    DEAD DEAD DEAD DELETE ME
  25. Re:Regulation? by ChronosWS · · Score: 5, Insightful

    And there's no concentration of wealth and power now, in our democracy? Maybe you've missed the consistent erosion of our rights lately, and fail to realize that the people eroding those rights also have the power to use force (as in they can lock you up and/or kill you) to further their ends AND it's perfectly legal so long as the right people are paid off (or themselves coerced.)

  26. Re:Regulation? by Logic+and+Reason · · Score: 1, Insightful

    Concentration of wealth leads to concentration of power, which leads to control of the regulatory process.

    Except that in a truly free market, there is no regulatory process to control. This shows exactly why government-imposed regulations can end up hurting more than they help: they can get corrupted and abused easily, despite the best of intentions.

  27. You're not a shareholder by slowbad · · Score: 2, Insightful

    Unless you're regularly buying 10,000 shares of Microsoft stock or 1,000 copies of Vista, you don't matter much. That quarter million dollars, either way, is the cost-of-entry for your opinions to possibly matter in Redmond.

    Microsoft's level of quality in the Windows software offerings is similar to GM's level of quality in their car offerings -- good enough for most. Then they both put further efforts toward matching the competition's features and product line.

    Finally, just talk a good game about quality to your sales people and the general public. New car buyers don't follow advice from professional drivers or mechanics, any more than consumers listen to IT pros or technicians about what OS to install.

  28. Re:Timeline is wrong by mdb31 · · Score: 3, Insightful

    Don't do business with the RIAA if you don't want to get screwed

    Your idealism is touching, but you really should get out more often. Without content from the 'majors', all of whom insist on DRM, online music stores are dead in the water. It's not like music stores actually like DRM: most indie labels, for example, allow their music to be sold without DRM, and most music stores will jump at the opportunity to do so. Sales of indie content alone, though, are nowhere (and I mean: nowhere) near enough for the stores to survive.

    "Don't deal with the RIAA" sounds good, but it's just not practical in the real world.
  29. Necessary by Columcille · · Score: 1, Insightful

    Fixing this 'vulnerability' is in the company's best interest; never mind the customer.

    Are people really this brain dead? Of course this is necessary for the customer. If DRM doesn't work then record labels will not distribute in Microsoft format. They will find a method that works in such a way that their music stays secure. The article is silly with its anti-Microsoft, anti-DRM rhetoric without even considering that there wouldn't even be online music sales without some kind of promise of secure DRM.

    --
    I love my sig.
  30. Moreover... by mce · · Score: 2, Insightful

    The amount of testing needed for any patch, as variable or fixed as it may be, does not in itself justify the "second Tuesday of the month" approach.

    I fully understand that there may be very critical patches that may take a few weeks to develop and test properly. I also fully agree that Microsoft should not release those prematurely. However, it is not because one critical patch isn't ready that others that are ready must be queued up for up to a month. After all, if said critical one doesn't make the deadline, do they then also postpone publishing the others for an extra month? No. So why postpone at all the first time round? Microsoft should just release each patch when it is ready, testing included. Not sooner, but also not later.

  31. Re:I'll play devil's advocate too by brianosaurus · · Score: 4, Insightful

    It's all about money. The DRM is key to their relationship with media partners. If DRM is broken then all Windows users will suddenly, uncontrollably start pirating their media; we can't help it, apparently, and without the DRM firmly in place, we might end up like Sweden.

    I'm sure they're more "worried" about DRM breaking than the everyday security holes that merely allow someone to glom your computer onto their botnet, since there's money and contracts that depend on the DRM. The EULA is probably the only agreement that might be impacted by a security flaw, but we all know those are meaningless.

    --
    blog