Microsoft to Introduce Faster Security Disclosures
Starwax writes "Here's a very interesting strategy by Microsoft. After years of complaining about irresponsible disclosure of security alerts by grey hats, Microsoft will now confirm and discuss the vulnerabilities in a new pilot project launching on Tuesday. Advisories will be issued within one business day of a publicly reported security hole along with guidance and mitigation."
Business Day? (Score:4, Interesting)
Waiting until Monday (especially as weekend time is usually the best to schedule downtime) strikes me as a silly idea.
Re:Business Day? (Score:5, Insightful)
Waiting until Monday ensures that IT guys get a rest too.
Re:Business Day? (Score:3, Insightful)
A good IT technician would do what it takes to keep their systems secure. Coming in on a weekend isn't asking too much. Too bad good IT technicians are tough to find.
Re:Business Day? (Score:5, Insightful)
If coming in on a weekend isn't asking too much, where do you draw the line?
Re:Business Day? (Score:5, Funny)
I'm not sure where you draw the line, but I can tell you that if you would take a bullet for a server... you've crossed it, wherever it is...
Re:Business Day? (Score:1)
Re:Business Day? (Score:1)
Re:Business Day? (Score:2)
If coming in on a weekend isn't asking too much, where do you draw the line?
Major releases of business-related (not e-business) software are usually done on weekends, and (in my experience) the coders as well as the admins are there to iron out the kinks. It makes for a solid rollout. It's part of being an IT professional, and I've been there a number of times. Would you like some cheese to go with your whine about missing the Saturday morning cartoons?
Depends (Score:3, Insightful)
Most security holes are trivially fixed by remote admin anyway. "apt-get update; apt-get upgrade" and you're done in my case, usually. Windows admins have to use RDP/VNC/ICA and Windows Update, but can still get the job done pretty easily.
Of course, if the pa
Re:Business Day? (Score:2)
I can tell you where not to draw the line
*thinks of Simpsons* [jahozafat.com]
Homer: I'm drawing a line down the center of the house, à la I Love Lucy. You stay on your side and I'll stay on my side.... D'oh!
Re:Business Day? (Score:2)
A critical vulnerability in a server needs to be seen to as soon as possible. Waiting till Monday may mean that we get a couple of days' rest. It also means that our server is vulnerable for those days.
Re:Business Day? (Score:3, Insightful)
If a system was created where people who discovered the vulnerabilities were credited in the advisories, which would be made public after a solution was found, it would solve pretty much everything.
Then again, Orwell taught me that utopia isn't all it's cracked up to be.
Re:Business Day? (Score:2)
I would rather spend at most a couple of hours at the weekend securing my systems than spend a very stressful Monday (perhaps a few other days as well) restoring a compromised system or systems.
A lot of the time these vulnerabilities are discovered by black hats, so there is no real way of containing the info, as it will slip into the community. So immediate disclosure of known vulnerabilities really does help.
Re:Business Day? (Score:2)
A good sys admin -- properly appreciated by management $$$ -- would or at a minimum lock the systems down so that this isn't an issue.
Re:Business Day? (Score:2)
Waiting until Monday ensures that IT guys get a rest too.
Our sysadmins usually schedule upgrades, patches, etc., for the weekends so as not to disrupt normal business. Then, they get to take a day off during the week. What's wrong with your company?
Re:Business Day? (Score:2)
It's not so much about the weekend itself as it is about time off for admins and techies.
Also, many managers don't like giving admins time off during business days in case business is disrupted. They also have to minimize costs so they can't hire a shift team.
Re:Business Day? (Score:1)
However, the question is what if a vulnerability is made public on a day the admins have off?
If it was critical, some or all of our admins, being the professionals they are, would come in (or do the work from home) and take time off another day.
Also, many managers don't like giving admins time off during business days in case business is disrupted.
It sounds like you work for a pretty short-sighted company. They won't get the best results that way. It makes me happier about the place I work at. I ho
Re:Business Day? (Score:2)
I don't know where you live, but around here anybody who admins machines that are exposed to script kiddies tends to have things like cellphones and 24-7 coverage as part of their job description. Your line of reasoning just strikes me as weird, since security problems are one of the main reasons for nighttime visits and weekend upgrades (along with badly coded daemons/services that have to be babysat). I just don't get it.
Re:Business Day? (Score:2)
I can test and roll out a patch from the comfort of my armchair at home. Why can't you?
Re:Business Day? (Score:2)
It's about hypotheticals here.
Re:Business Day? (Score:1)
Re:Business Day? (Score:2)
Moreover, big companies can afford having a 24/7 security team and many actually do it.
Re:Business Day? (Score:2)
It's a connected globe.
If they think Mon-Fri is going to work, they will learn some new feelings about the weekends.
Businesses run their Windows machines on weekends? (Score:1)
Re:Business Day? (Score:1)
i hate to sound like a total dunce (Score:1)
Re:i hate to sound like a total dunce (Score:5, Funny)
Someone who can't decide on whether to be a black hat or a white hat. Kinda like Michael Jackson.
Re:i hate to sound like a total dunce (Score:2)
A color blind RedHat user?
Re:i hate to sound like a total dunce (Score:1)
I believe the color you are looking for there is a nice shade of ass for that hat.
Re:i hate to sound like a total dunce (Score:4, Informative)
Re:i hate to sound like a total dunce (Score:4, Funny)
Re:i hate to sound like a total dunce (Score:2, Insightful)
It's a big cone shaped hat you have to put on before you sit in the corner.
Okay, can we get the PC police over here? That is no longer allowed because it might damage the self-esteem of people who have no reason to have any. Take the poster away, and book him.
Re:i hate to sound like a total dunce (Score:5, Informative)
Re:i hate to sound like a total dunce (Score:2)
What exactly can a Grey Hat do that is illegal? Is disclosing a vulnerability without getting the consent of some big corp "illegal"?
Re:i hate to sound like a total dunce (Score:2)
Re:i hate to sound like a total dunce (Score:2, Interesting)
Re:i hate to sound like a total dunce (Score:1)
http://en.wikipedia.org/wiki/Gray_hat [wikipedia.org]
Re:i hate to sound like a total dunce (Score:1)
It's an aluminum foil cover for your thoughts... You should never leave home without it in today's insecure world.
Microsoft will surely start selling them soon, although, like most of their security measures, it is released almost too late.
Re:i hate to sound like a total dunce (Score:2)
From wikipedia... (Score:2, Informative)
In the computer security community, a "Gray hat" is a skilled hacker who sometimes acts legally and in good will and sometimes not. They are a hybrid between white and black hat hackers. They hack for no personal gain, and do not have malicious intentions, but commit crimes. For example, attacking corporate businesses with unethical practices could be regarded as highly ethical and yet would normally be tagged with the title of Blackhat activity. However, to a Gray hat
Security Through Selective Publicity (Score:3, Funny)
Re:Security Through Selective Publicity (Score:3, Insightful)
MS will just overlook any 'exploit' they can't fix in a timely fashion and say that those exploits/bugs were never reported to them "correctly".
Give me a
nice try! (Score:2)
Very subtle. Admit that M$ junk is full of holes. Admit that M$ will never be able to fix them and that this announcement is just another PR stunt from the kings of marketing BS. Then, slip - o - change - o, spout that other M$ company line, "no software is better than ours."
Not all bugs are created eq
Re:Security Through Selective Publicity (Score:1)
Re:Security Through Selective Publicity (Score:2)
It is true, in fairness, that MS left a lot out of the most recent public Longhorn build. Still, it must have struck a chord for more PR.
Re:Security Through Selective Publicity (Score:3, Interesting)
Interesting Strategy? (Score:5, Insightful)
If it is already public, does it matter? So, does this mean that if they know of something, they are going to wait until somebody else finds the problem and makes it public before letting their customers (and the rest of the world) know?
I'm missing the interesting strategy on this one. Just sounds like they want us to think that they are being proactive. I dunno. Perhaps I am the only one that thinks that Microsoft is evil.
Re:Interesting Strategy? (Score:2, Interesting)
Then once enough people catch on to this, create a press-release saying "we're on the ball, we're looking into this, and we're doing all of this because that's what customers want and we do what our customers ask for."
Sounds like standard "Trustworthy Computing" practice to me.
Re:Interesting Strategy? (Score:2)
"I'm missing the interesting strategy on this one. Just sounds like they want us to think that they are being proactive."
Exactly. Hasn't MS in the past tried to get people to sign NDAs re: bugs that a person has discovered? If they can succeed in keeping the knowledge out of the public eye, then by this policy they could bottle it up, avoid announcing it, and still claim they're being proactive.
"Perhaps I am the only one that thinks that Microsoft is evil."
Not by a long shot.
Re:Interesting Strategy? (Score:1)
Yes, for people that don't read the article that publishes the problem. Granted, news of the problem will be spread all over the net very rapidly, but Microsoft admitting that it is a flaw and not a feature carries a little more weight than joe hacker posting on some blog.
Re:Interesting Strategy? (Score:2)
Perhaps I am the only one that thinks that Microsoft is evil.
You've got to be kidding. New poll topic:
Microsoft is:
Re:Interesting Strategy? (Score:2)
For a vulnerability to be "public" it needn't be all that public - most admins don't read bugtraq and FD on a daily basis, so they don't find out about the vulnerabilities when they become "public". They hear
Re:Interesting Strategy? (Score:2, Interesting)
And no, you did not misread my statement. I "hate" them. Passionately. And I feel entirely justified. If you dealt with some of the internal mail I've dealt with, any of you with a conscience would never get another hour of sleep.
Re:Interesting Strategy? (Score:1)
The impression I had was that they were found guilty, but ninjas came in the night and removed the spines of the entire Justice Department....so MS was never properly punished.
There is still a problem ... (Score:4, Interesting)
Advisories will be issued within one business day of a publicly reported security hole along with guidance and mitigation.
So, Microsoft only will do something if inaction stands to bring them negative attention. What I would like to see from Microsoft (and other commercial and/or closed source vendors) is a commitment to treat the security holes their own developers discover in the same way.
I just don't think it is right to withhold the information, especially if admins can use it to secure their sites, until the threat of public disclosure by a third party is imminent or past.
Re:There is still a problem ... (Score:1)
Re:There is still a problem ... (Score:2, Insightful)
I couldn't disagree more.
Who's to say that a flaw discovered by MS employees wasn't discovered months ago by the bad guys who have been running rampant over MS-powered sites lo these many months?
If there is a flaw, tell me about it. Then I can make an informed decision to deal with it, which could include shutting down some services, installing patches, doing stuff in a different way that is less exposed to the flaw
Re:There is still a problem ... (Score:2)
Information cuts both ways: it protects those who know how to secure, and sacrifices those who do not know how to secure.
There is no one good way to release vulnerability information; no matter what, you will sacrifice someone's needs. The best you can do is to keep the majority in mind.
Re:There is still a problem ... (Score:2)
Can you give an example? I can't think of one OSS project that handles security issues like Microsoft -- either in the past or if there is any meat to this new proposal.
My favorite line (Score:5, Insightful)
Jump the gun? Oh, that's right, telling Microsoft there's a security flaw and waiting months before going public is jumping the gun after all.
Gotta love these articles. Nice spin, make the researchers look like the bad guys...
At least now we'll get to hear about flaws quicker and that they don't have a patch or a work around.
Re:no, they're completely right... (Score:1)
But that's precisely because the good PR for the security company is bad PR for MS, since MS PR has constantly been pushing the belief that the time between exploits being public and patching is really small. The fact is, the security company not releasing the exploit information earlier was a favor to MS. The actual exploit was MS's fault and existed regardles
Re:good PR isn't worth people getting hacked... (Score:2, Interesting)
If by okay you mean it should be legal, yes. If by okay you mean it should be encouraged, sure. I'd appreciate it if a proper advisory was published at least a day before the exploit was released. But like I said, it's okay legally to print it anytime.
And no, the advisory wouldn't have made this security company's announcement moot. Their announcement contained specifics MS doesn't put in t
99% marketing, 1% useful, I'm sure (Score:2, Insightful)
I seriously doubt that this will make any difference, except to CTOs who are gett
Wow! (Score:1, Funny)
Faster than they currently do? (Score:1, Interesting)
Woo hoo.
I can hardly contain my excitement.
Dateline: Redmond, Washington 2010 AD (Score:3, Funny)
Gates also outlined several points which he says give Microsoft an advantage over "Open Source Software" such as the ubiquitous Linux operating system and the Apache web server which runs more than 92% of all internet sites. Among these points were: advisories addressing publicly reported security vulnerabilities within one business day, free usage of Microsoft software by anyone (the Microsoft patented Pay-only-for-support model), and remarkable stability since there is no pressure from Marketing to release an unready version just to realize a revenue stream.
'These policies combine synergistically to leverage Microsoft over Open Sores Software', said Gates. 'The American system of patents and copyright clearly works. It gives people the freedom to choose. Because of this, almost half of all computer owners choose Microsoft Windows to be their desktop operating system. And the American jobs it creates may be yours. Recently, after hiring 58,000 Bangladeshi software engineers, we created over 100 new jobs for Americans to proofread those engineers' milestone reports.'
'And if it weren't for our trusted copyright system, the Walt Disney Corporation would have had to lay off many of the foreigners they import from third world countries to sell snow-cones and wear that suit that makes them look like a certain mouse character whose name I'm not currently licensed to say in public,' Gates continued nervously, 'but you know the one I'm talking about.'
Investors reacted positively to the news as Microsoft shares rose fifty cents, breaking the five dollar barrier which had kept Microsoft in danger of being delisted from the NASDAQ as a penny stock. Only a 3 for 1 reverse split had kept it listed since the company was warned last September. The former billionaire left the building in a hail of applause, stopping briefly only to ask the time since his MS WinWatch had blue-screened and to ask several bystanders for a ride to the bus station.
microsoft sucking less (Score:4, Funny)
Re:microsoft sucking less (Score:1)
Re:Quote at bottom of screen (Score:1)
You came in to a thread looking for praise. And when the comments you found didn't meet your expectations, you labeled it all as "groupthink". How convenient.
Microsoft has improved over the years. But it se
In other news... (Score:1)
Fast disclosures (Score:1)
Did anybody else mis-read this as... (Score:2)
I did...