Slashdot Mirror


MS To Share Early Flaw Data With Governments

Trailrunner7 writes "Microsoft today announced plans to share pre-patch details on software vulnerabilities with governments around the world under a new program aimed at securing critical infrastructure and government assets from hacker attacks. The program, codenamed Omega, features a 'Defensive Information Sharing Program' that will offer government entities at the national level technical information on vulnerabilities that are being updated in their products." There's a stream the bad guys would dearly love to tap into.

27 of 100 comments

  1. The Bad Guys by Arancaytar · · Score: 4, Funny

    with governments

    Sounds like they don't need to tap. :P

    1. Re:The Bad Guys by Moblaster · · Score: 3, Informative

      Maybe MSFT is still sore about the 3rd NSA key http://bit.ly/avkiLe

      Thank goodness we can still trust Apple because they make a lot of their computers in China.

  2. ah it's for security by pilgrim23 · · Score: 3, Insightful

    and everyone KNOWS how well governments can keep secrets.

    --
    - Minutus cantorum, minutus balorum, minutus carborata descendum pantorum.

  3. WTF? by Anonymous Coward · · Score: 4, Insightful

    Because governments would never help a company in their nation with industrial espionage.....

  4. Unfortunately... by brian0918 · · Score: 3, Funny

    Unfortunately for the government, the Omega program is only in alpha release.

    1. Re:Unfortunately... by Ethanol-fueled · · Score: 5, Funny

      It's no surprise that they named it after Omega, the big gaping Goatse of Greek letters.

    2. Re:Unfortunately... by interkin3tic · · Score: 2, Funny

      Unfortunately for the government, the Omega program is only in alpha release.

      It's cool. Google's competing product (google search for "MS vulnerabilities"), has been in beta for 8 years now.

  5. Remember folks by Pojut · · Score: 2, Funny

    Every person you tell makes the information that much less secured. That's why I advocate any sensitive data being destroyed upon inception or realization. Support your local Thought Police! Donate Today!

  6. What a Waste by thegdorf · · Score: 2, Interesting

    This initiative is much too lame to warrant being called Omega.

    1. Re:What a Waste by sakdoctor · · Score: 2, Funny

      Microsoft Omega destroys internets: a chain reaction involving a handful of machines could devastate the internet throughout an entire Class A. If that were to happen, p0rn browsing would become impossible. Fapping as we know it would cease to exist.

  7. Not to worry by ArhcAngel · · Score: 2, Interesting

    The government never reads the documents that cross their desk. They just see what their constituents want and vote yea or nay.

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K

  8. I don't know what's better by retardpicnic · · Score: 2, Insightful

    The project's codename, which means "the end", or the fact that now the gov't can rely on, IMHO, the absolute last people to know about the problem (and who are at fault) to give them early warning.

    --
    sig loading.......

  9. Awful idea by Anonymous Coward · · Score: 2, Insightful

    That's just a terrible way to go about things in my opinion.

    We all know that among the massive list of "government entities" there are bound to be some (perhaps even many) bad apples (be it in official capacity or just a sole individual). The implementation of this program would mean these individuals would get notification ahead of time that allows them to do the usual shenanigans of reverse engineering the solution (or just analysing the problem the patch supposedly fixes), and then build & release an exploit before Microsoft releases the patch to the general public.

    I'd say a program like this will not make its participants (the government agencies) much more secure than they are now (some might even argue not at all), but will severely compromise the security of everyone else (the general public).

  10. Re:ah it's for security by Anonymous Coward · · Score: 3, Insightful

    It's certainly not about security. It's purely a PR scheme. MS wants to make government agencies feel important and special if they use their products. Nothing impresses government officials more than press releases that make every bullshit bing player happy.

  11. people by crsuperman34 · · Score: 4, Interesting

    As every black hat knows: you will not need to compromise the software. You just have to compromise one of the people working for the government in question.

  12. Re:WIKILEAKS by fredc97 · · Score: 3, Funny

    Actually, early information about security patches from Microsoft looks like this:

    Product Affected: all versions of windows
    Risk: Remote code execution
    Rating: Critical
    Reboot required: You betcha

    Description: This vulnerability is even more serious than the previous 10 000 other Critical software updates; if 0 were the highest priority on a scale of 1 to 10, this one would rate -10 000, see, that's like super duper uber hyper critical times 3.

  13. Sounds like kind of a rip-off by ivandavidoff · · Score: 5, Informative

    MS will provide information only "after our investigative and remediation cycle is completed..." In other words, after the vulnerability is discovered and fixed, and the patch is ready to roll out.

    Then, "disclosure will happen just prior to our security update release cycles."

    So the disclosure amounts to this:

    "Tomorrow's MS Windows Update contains a security patch that fixes a serious vulnerability in your system. Oh, by the way, you have a serious vulnerability in your system."

  14. Linux does this for everyone. by linzeal · · Score: 3, Insightful

    Doesn't Linux already do this, for everyone? The only people who are going to be fooled by this in the government are elitist pricks.

  15. Um... Hello. The Mob? by Anonymous Coward · · Score: 2, Insightful

    There are a lot of countries where the mob either runs the government or has strong ties to it. Letting the government in many countries in on vulnerabilities early also lets the mob in. This could be a bad thing.

  16. What is the nature of the data being shared? by WaveMotion · · Score: 2, Interesting

    If it's 3 days advance notice on patches like Microsoft's biggest customers get this is no big deal. If it's "Here are details on a vulnerability that we might patch next year with service pack 16", I'm afraid, very afraid.

  17. A flawed perspective... by bradbury · · Score: 2, Insightful

    So Microsoft has the flaws, the governments have the flaws, but we, the purchasers of Windows software, do not have the flaws. What is wrong with this model? Could it (cough) perhaps be that the software isn't open source (in which environments the flaws tend to be published openly on an extremely short time scale)?

    IMO the last bastions of the purveyors of a flawed model would tend to recruit those in power to perpetuate said model. (Oh, it's OK that there is a flaw because the powers that be know about it and we are going to fix it... eventually...)

    Please please somebody, study the serious flaw correction rate in closed source vs. open source software (i.e. time from flaw discovery until flaw correction availability). I would hope that if this has not already been done someone is attempting to do it.

    And shame on a majority of city, state and U.S. governments for operating on closed source software and not having concrete data with respect to flaws and vulnerabilities. If you worked for a corporation (at least one which knew the value of open source perspectives) your head would be on a "silver platter" for allowing the corporation to be open to the vulnerabilities of closed source software.

    Simple. Ask Microsoft to warranty its products to be free of defects. And if it does not do so you are most probably utilizing products which probably contain defects. And that is a sad situation -- we are running reality with no more knowledge than we have of that of a "can-o-worms" [1].

    1. To the best of my knowledge the genome sequence of the common garden worm is not known and even if it were there are probably few if any systems biologists who could explain in detail how it really works. Programs that have worked for hundreds of millions of years (e.g. worms) are probably fairly safe (even if we cannot explain how they work). Programs which have operated for less than 30 years and are driven by monetary criteria (profit margins, ROI, etc.) are probably an open source for concern.

  18. take a page out of by nimbius · · Score: 3, Insightful

    the book of the FLOSS guys. All your customers need to promptly know when you find flaws, not just the governments with the ability to restrict your sales and service. I'm talking about banks, schools, hospitals, and power plants.

    --
    Good people go to bed earlier.

  19. It is not useful knowing what the vendor does by bussdriver · · Score: 2, Insightful

    Does it really help that much if the vendor gives you early access to security issues? It's not like they discover them all, and probably 3rd parties are a large source of insight into their problems.

    ONE vendor won't be that great; and MS hasn't done well for a long time. Outside the vendors is probably more useful information, and the organized criminals and governments probably know of more than the vendor does. The problem is the vendor is not told or fails to listen etc. Linux, on the other hand, is not limited by being a specific vendor...

  20. License to hack! by molo · · Score: 5, Insightful

    This is insanity! So the governments of the US, UK, Israel, China, etc. will get information on vulnerabilities before the general public? The obvious outcome isn't a more secure government server, it is that the intelligence agencies will get a head start on exploiting public and private systems the world over. It is a license to hack, for either industrial espionage or government espionage purposes.

    What is a system administrator to do? There is no way to prepare for this kind of thing, the attack vectors will be unknowable by the general public. My only thought is to switch as many systems away from Microsoft as fast as possible. This is a total security nightmare.

    -molo

    --
    Using your sig line to advertise for friends is lame.

  21. You know you've been reading /. too much... by Anachragnome · · Score: 3, Funny

    The first time I read that headline, my brain completely omitted the word "data" without skipping a beat.

    It sounded par for the course, I guess.

    1. Re:You know you've been reading /. too much... by eulernet · · Score: 2, Funny

      In my case, I thought that "Flaw Data" was a new product from Microsoft.

  22. Re:Um... Hello. The Mob? by Zaiff Urgulbunger · · Score: 2, Funny

    Nice comment you got there.... shame if someone mod'ed it down!