MS To Share Early Flaw Data With Governments
Trailrunner7 writes "Microsoft today announced plans to share pre-patch details on software vulnerabilities with governments around the world under a new program aimed at securing critical infrastructure and government assets from hacker attacks. The program, codenamed Omega, features a 'Defensive Information Sharing Program' that will offer government entities at the national level technical information on vulnerabilities that are being updated in their products." There's a stream the bad guys would dearly love to tap into.
Sounds like they don't need to tap. :P
and everyone KNOWS how well governments can keep secrets.
- Minutus cantorum, minutus balorum, minutus carborata descendum pantorum.
Because governments would never help a company in their nation with industrial espionage.....
You mean governments, right?
I mean, seriously, the NSA had it easy already. This must have caused more than a few giggles at more than a few government agencies.
Unfortunately for the government, the Omega program is only in alpha release.
Every person you tell makes the information that much less secured. That's why I advocate any sensitive data being destroyed upon inception or realization. Support your local Thought Police! Donate Today!
Living With a Nerd
This initiative is much too lame to warrant being called Omega.
The government never reads the documents that cross their desk. They just see what their constiucorps want and vote yea or nay.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
The project's codename.. which means "the end", or the fact that now the gov't can rely on IMHO the absolute last people to know about the problem, and are at fault.. to give them early warning.
sig loading.......
Is this so the government can more easily infiltrate vulnerable systems or so it can protect itself if it's using MS products?
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
It must have been something you assimilated. . . .
How are some governments not the bad guy? Thanks for doing me the consumer another disservice...
oh, you mean my computer isn't compromised?
I thought I was just getting some free vi@gr@?
That's just a terrible way to go about things in my opinion.
We all know that between the massive list of "government entities" there are bound to be some (perhaps even many) bad apples (be it in official capacity or just a sole individual). The implementation of this program would mean these individuals would get notification ahead of time that allows them to do the usual shenanigans of reverse engineering the solution (or just analysing the problem the patch supposedly fixes), and then build&release an exploit before Microsoft releases the patch to the general public.
I'd say a program like this will not make its participants (the government agencies) much more secure than they are now (some might even argue not at all), but will severely compromise the security of everyone else (the general public).
Step 2: National firewalls around participating countries to firewall off those potential attacks (and any other undesirable material)
Just wait...
Does this not give the gov't another way (with a limited time window) to peer into our personal affairs?
By Governments, I read this as all Government that use the product. How about only sharing with the governments that protect your home?
Perhaps it would be better to only use products whose code you can read and write yourself. Should we keep the code under government control? Would we be safer if we stopped using the black box types of software?
Time to move .gov off of Microsoft entirely. This negates some of the protection afforded by our nation in the event of a cyberwar.
Not like anyone can really win a cyberwar, it will be decided by who owns more bots......
Self Defense - A Human Right www.a-human-right.com
> There's a stream the bad guys would dearly love to tap into.
RTFA. They already said they are sending it to governments.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Because the best place for a secure critical infrastructure is on windows platforms. How else are you going to protect against Word Macro viruses?
The ______ Agenda
It's certainly not about security. It's purely a PR scheme. MS wants to make government agencies feel important and special if they use their products. Nothing impresses government officials more than press releases that make every bullshit bing player happy.
As every black hat knows: you will not need to compromise the software. You just have to compromise one of the people working for the government in question.
This information is going to cross a lot of government desks before someone can action it. Will every desk be secure?
Gives them a bit of advance notice to more effectively spy on their (and other countries') citizens. Any guesses on which countries' gov't will get first crack/juiciest? BTW MS trolls, I haven't had to use the CLI to use Linux in like ages, and the latest Ubuntu has worked with all the hardware I've thrown at it.
WIKILEAKS!!! Here is your next big thing to publish. If anyone can get that info out to the public to protect our rights, they can do it.
And giving the information to which governments will guarantee the "bad guys" don't get it? Does no one recognize that all these entities play for keeps and telling them about a vulnerability before anyone else is like throwing a bloodied sheep into a tank full of sharks? The sharks may get scratched up a bit, but they're used to it; the sheep will just get slaughtered.
What do you mean they cut the power? How can they cut the power, man? They're animals!
Critical infrastructure / Windows
Seems like it's long overdue to realize that those two concepts are mutually exclusive.
Some days it's just not worth
chewing through my restraints.
MS will provide information only "after our investigative and remediation cycle is completed..." In other words, after the vulnerability is discovered and fixed, and the patch is ready to roll out.
Then, "disclosure will happen just prior to our security update release cycles."
So the disclosure amounts to this:
"Tomorrow's MS Windows Update contains a security patch that fixes a serious vulnerability in your system. Oh, by the way, you have a serious vulnerability in your system."
Bad guys like China? Aren't they a government of some sort in South America or Australia?
Doesn't Linux already do this, for everyone? The only people who are going to be fooled by this in the government are elitist pricks.
An Education is the Font of All Liberty
Looking at this situation I see Microsoft warding off yet another assault on their software stack. European governments have been making some high profile conversions off of the Microsoft stack (Germany comes to mind). One of the many reasons offered for those transitions has been the transparency of OSS, especially in relation to security issues. The creation of Omega looks like another acknowledgement from Microsoft that their competitors have better offerings, and Microsoft seems to be playing catchup. It wouldn't surprise me if their sales people are getting hammered during negotiations and Omega was conceived simply to address the complaints of customers.
Given the sheer size of Microsoft, incremental changes like this are the best that anybody can hope for. Pressure from end users (when those end users are large enough) will force the organization to change. The nonstop onslaught of security issues for the last decade has finally worn down people who previously never really cared about such things. An organization smaller than Microsoft would probably crumble as people searched for and found alternatives. Microsoft benefits from their size and locked in user base. They can leverage that forced patience to change more gradually.
In the end, I think Microsoft will continue to improve and become more customer centric. They simply have to. As more and more of the population becomes tech savvy, they will lean on Microsoft. Across the entire computing landscape, from Grandma Jane who gets tired of getting her Windows machine owned and ends up switching to OSX, to Fortune 500 companies looking to cut costs and improve their operations, there will always be people looking for a better way to get things done.
1. CIA, NSA, or whatever you have in the US (or MS loses its tax cuts). ...and that is only after MS noticed the flaw was found in the wild!
2. some parties close to MS.
3. governments (or they will go FLOSS).
4. some other parties less close to MS.
5. TechNet subscribers (they need some incentive to buy MSDN, since on the FLOSS side that stuff is free).
6. the general public.
There are a lot of countries where the mob either runs the government or has strong ties to it. Letting the government in many countries in on vulnerabilities early also lets the mob in. This could be a bad thing.
If it's 3 days advance notice on patches like Microsoft's biggest customers get this is no big deal. If it's "Here are details on a vulnerability that we might patch next year with service pack 16", I'm afraid, very afraid.
So Microsoft has the flaws, the governments have the flaws, but we, the purchasers of windows software do not have the flaws. What is wrong with this model? Could it (cough) perhaps be that the software isn't open source (in which environments the flaws tend to be published openly on an extremely short time scale)?
IMO the last bastions of the purveyors of a flawed model would tend to recruit those in power to perpetuate said model. (Oh, it's OK that there is a flaw because the powers that be know about it and we are going to fix it... eventually...)
Please please somebody, study the serious flaw correction rate in closed source vs. open source software (i.e. time from flaw discovery until flaw correction availability). I would hope that if this has not already been done someone is attempting to do it.
And shame on a majority of city, state and U.S. governments for operating on closed source software and not having concrete data with respect to flaws and vulnerabilities. If you worked for a corporation (at least one which knew the value of open source perspectives) your head would be on a "silver platter" for allowing the corporation to be open to the vulnerabilities of closed source software.
Simple. Ask Microsoft to warranty its products to be free of defects. And if it does not do so you are most probably utilizing products which probably contain defects. And that is a sad situation -- we are running reality with no more knowledge than we have of that of a "can-o-worms" [1].
1. To the best of my knowledge the genome sequence of the common garden worm is not known and even if it were there are probably few if any systems biologists who could explain in detail how it really works. Programs that have worked for hundreds of millions of years (e.g. worms) are probably fairly safe (even if we cannot explain how they work). Programs which have operated for less than 30 years and are driven by monetary criteria (profit margins, ROI, etc.) are probably an open source for concern.
This is great.
I'll be able to patch my laptop using the government CD, on the train to London Waterloo.
the book of FLOSS guys. All your customers need to promptly know when you find flaws, not just the governments with the ability to restrict your sales and service. I'm talking about banks, schools, hospitals, and power plants.
Good people go to bed earlier.
And also provide the patches to businesses based in their country.
Who decides if some Senator's web site (hosted on a .gov address) is more important than a hospital's network? And why?
Does it really help that much if the vendor gives you early access to security issues? It's not like they discover them all, and probably 3rd parties are a large source of insight into their problems.
ONE vendor won't be that great; and MS hasn't done well for a long time. Outside the vendors is probably more useful information, and the organized criminals and governments probably know of more than the vendor does. The problem is the vendor is not told or fails to listen etc. Linux on the other hand is not limited to a specific vendor...
Democracy Now! - uncensored, anti-establishment news
This is insanity! So the governments of the US, UK, Israel, China, etc. will get information on vulnerabilities before the general public? The obvious outcome isn't a more secure government server, it is that the intelligence agencies will get a head start on exploiting public and private systems the world over. It is a license to hack, for either industrial espionage or government espionage purposes.
What is a system administrator to do? There is no way to prepare for this kind of thing, the attack vectors will be unknowable by the general public. My only thought is to switch as many systems away from Microsoft as fast as possible. This is a total security nightmare.
-molo
Maybe it's just me, but it occurs to me that the hackers governments are worried about are pretty darn likely to be working for another government.
Isn't this just giving government-sponsored hackers the edge?
Using your sig line to advertise for friends is lame.
XML Feed of Security Vulnerabilities now available at microsoft.com.
Feed does not pass validation.
I see the Redmond hordes have mod points today. Go ahead and waste them on AC's, jackasses.
The first time I read that headline, my brain completely omitted the word "data" without skipping a beat.
It sounded par for the course, I guess.
Presidents, Prime Ministers, Your Excellencies:
Welcome! We call this our Omega Stronghold. From here, we conduct Omega operations around the globe ....
I thought Microsoft already issued the list of deliberately inserted "software vulnerabilities" to the NSA as soon as they were made?
Oh wait, I get it! Now they are warning them in advance before plugging those backdoors.
Yeah, like the NSA encryption key they found in windows years ago. Scary stuff.
http://www.darkgovernment.com/news/remembering-the-nsakey/
Omega?????
Isn't OMEGA one of those names given to dangerous science fiction "black ops program" gadgets that malfunction and destroy the earth?
Isn't OMEGA the operation that ends the world in spy novels????
This can't end well.
I can see it. A top spy infiltrates a government and steals its most precious secret: "Windows has bugs." The world is in danger after that.
There's no change to the release strategy, e.g. properly penetration testing their software before it's released, which seems to be the obvious first step.
I guess they just can't afford the costs of the extra layer of testing...
Nice. Chinese hackers are cracking their knuckles in anticipation.
Using Microsoft's alphabetical contact list in Outlook, the information will reach the People's Republic of China, before it will reach the USA government.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Nice comment you got there.... shame if someone mod'ed it down!
Back when Vista was being developed, they shared the code with the NSA in order to detect vulnerabilities.
So obviously what did NSA do? They found X vulnerabilities - and told Microsoft about X minus Y vulnerabilities.
Now Microsoft wants Mossad, an organization known for conducting massive espionage - both political, military and economic - against the US to have the same capability.
Dumbest mofo's in industry.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Proprietary humbug with no backward compatibility.
In 5 years time no one except Linux geeks will be able to access anything Microsoft.
Office Mark 13: In Armageddon file Format.
It nukes itself to stop forward compatibility.
In the light that our computers are completely out of control, one might ask, "Can we live without these things?". Well no. Not if you want to do business. UPS requires you to have Windows if you expect to ship... In 1984 (the book), Big Brother watched you using a television with a camera. Many people said, "Oh, that would never happen". Well, most new computers have webcams and are generally attached to the Internet all the time. The only thing that stands between this ugly fictional reality and our real-world situation is the security of the software we run on our computers. Now the company whose operating system seems to be entirely woven out of vulnerabilities has a program wherein they give the information about these vulnerabilities not to the public, which includes computer scientists capable of writing defensive code, but rather to the governments of the world, most of which don't like us. Given that the US government uses Windows, I would think this would be treason. If we didn't have a reason before, I think we have a reason now to consider getting off Windows and on to almost anything else, except maybe RedFlag.
with governments around the world
You mean like Chinese government? Well, it is certainly going to appreciate your help, Microsoft, with hacking Google...
Some days I wonder if we'd be better off letting the mob run the government; at least then it would be organized crime.
Why is any gov't willing to settle for an arrangement where a vendor agrees to provide specifics regarding the nature of a product's flaws rather than questioning why to use the product at all? And mind you, this is after two decades of a lot of knowledgeable people saying said product is flawed by design, by implementation, and both, to such a degree that it can never be safe.
[IANAL] If a company is compromised due to a flaw in a MS product that MS was aware of but had not disclosed to the company (and gov't would have proof of the failure to disclose via Omega), isn't MS liable for the cost of the incident because they had the knowledge to prevent the compromise but failed to alert the company?
Catch with that is, it will really blow up in their face. In dealing direct with governments, rather than in an open forum, the governments in question will no longer know if they get the same information at the same time. Obviously M$ would be in a perfect position to give different governments different information about specific security risks and vulnerabilities. No government will be able to corroborate that the same information was given to each government involved in the security risks and vulnerabilities or dare we say espionage and counter espionage 'er' software features.
Of course competitors can also rightfully complain, as a new government branch would need to be set up to create a joint office with M$ for M$ products to the exclusion of all other products. So M$ is working to force another lock in, government staff only trained to deal with M$ product lines along M$ software security communications lines.
Meh, stupid is as stupid does. There are real definitive reasons why product fault information is given to all customers at the same time, least of which is the spy vs spy crap; there are also competitive advantage disputes, purposeful misinformation and withholding of information to damage competitors, and of course from M$ the inevitable product marketing lies about the number of, the nature of and the age of all too frequent faults.
Chaos - everything, everywhere, everywhen