Microsoft to Introduce Faster Security Disclosures
Starwax writes "Here's a very interesting strategy by Microsoft. After years of complaining about irresponsible disclosure of security alerts by grey hats, Microsoft will now confirm and discuss the vulnerabilities in a new pilot project launching on Tuesday. Advisories will be issued within one business day of a publicly reported security hole along with guidance and mitigation."
Re:Business Day? (Score:5, Insightful)
Waiting until Monday ensures that IT guys get a rest too.
Interesting Strategy? (Score:5, Insightful)
If it is already public, does it matter? So, does this mean that if they know of something, they are going to wait until somebody else finds the problem and makes it public before letting their customers (and the rest of the world) know?
I'm missing the interesting strategy on this one. Just sounds like they want us to think that they are being proactive. I dunno. Perhaps I am the only one that thinks that Microsoft is evil.
My favorite line (Score:5, Insightful)
Jump the gun? Oh, that's right, telling Microsoft there's a security flaw and waiting months before going public is jumping the gun after all.
Gotta love these articles. Nice spin, making the researchers look like the bad guys...
At least now we'll get to hear about flaws quicker, and that they don't have a patch or a workaround.
Re:Business Day? (Score:3, Insightful)
A good IT technician would do what it takes to keep their systems secure. Coming in on a weekend isn't asking too much. Too bad good IT technicians are tough to find.
Re:Security Through Selective Publicity (Score:3, Insightful)
MS will just overlook any "exploit" they can't fix in a timely fashion and say that those exploits/bugs were never reported to them "correctly".
Give me a call when MS becomes a _real_ company and just owns up to the fact that there will always be bugs in code. As a Senior Programmer for a Fortune 500, I can back up that statement. Bugs/exploits happen and there is nothing anyone, including MS, can do about it. The best/only thing MS should do is just have a mailing list that notifies any subscriber about any reported possible bug/exploit. These notifications shouldn't have to go through a bunch of bean-counters.
Re:Business Day? (Score:5, Insightful)
If coming in on a weekend isn't asking too much, where do you draw the line?
Re:Business Day? (Score:3, Insightful)
If a system was created where people who discovered the vulnerabilities were credited in the advisories, which would be made public after a solution was found, it would solve pretty much everything.
Then again, Orwell taught me that utopia isn't all it's cracked up to be.
99% marketing, 1% useful, I'm sure (Score:2, Insightful)
I seriously doubt that this will make any difference, except to CTOs who are getting pressure to go to Linux...
MS is a sales and marketing machine, with massive numbers of legal eagles, and a few software engineers.
Re:i hate to sound like a total dunce (Score:2, Insightful)
It's a big cone shaped hat you have to put on before you sit in the corner.
Okay, can we get the PC police over here? That is no longer allowed because it might damage the self-esteem of people who have no reason to have any. Take the poster away, and book him.
Depends (Score:3, Insightful)
Most security holes are trivially fixed by remote admin anyway. "apt-get update; apt-get upgrade" and you're done in my case, usually. Windows admins have to use RDP/VNC/ICA and Windows Update, but can still get the job done pretty easily.
Of course, if the patch breaks something you need to go in, but in most cases it's really fuss-free.
Re:There is still a problem ... (Score:2, Insightful)
I couldn't disagree more.
Who's to say that a flaw discovered by MS employees wasn't discovered months ago by the bad guys who have been running rampant over MS-powered sites lo these many months?
If there is a flaw, tell me about it. Then I can make an informed decision to deal with it, which could include shutting down some services, installing patches, doing stuff in a different way that is less exposed to the flaw, or you-name-it. Even pulling the plug.
But if I'm kept in the dark and don't even know that a flaw exists, how am I to deal with it?