MS To Share Early Flaw Data With Governments 100
Trailrunner7 writes "Microsoft today announced plans to share pre-patch details on software vulnerabilities with governments around the world under a new program aimed at securing critical infrastructure and government assets from hacker attacks. The program, codenamed Omega, features a 'Defensive Information Sharing Program' that will offer government entities at the national level technical information on vulnerabilities that are being updated in their products." There's a stream the bad guys would dearly love to tap into.
ah its for security (Score:4, Insightful)
WTF? (Score:4, Insightful)
Because governments would never help a company in their nation with industial espionage.....
I don't know whats better (Score:2, Insightful)
Aweful idea (Score:2, Insightful)
Thats just a terrible way to go about things in my opinion.
We all know that between the massive list of "government entities" there are bound to be some (perhaps even many) bad apples (be it in official capacity or just a sole individual). The implementation of this program would mean these individuals would get notification ahead of time that allows them to do the usual shenanigans of reverse engineering the solution (or just analysing the problem the patch supposedly fixes), and then build&release an exploit before Microsoft releases the patch to the general public.
I'd say a program like this will not make it's participants (the government agencies) much more secure than they are now (some might even argue not at all), but will severely compromise the security of everyone else (the general public).
Re:ah its for security (Score:3, Insightful)
It's certainly not about security. It's purely a PR scheme. MS wants to make government agencies feel important and special if they use their products. Nothing impresses government officials more than press releases that make every bullshit bing player happy.
Oxymorons abound (Score:2, Insightful)
Critical infrastructure / Windows
Seems like it's long overdue to realize that those two concepts are mutually exclusive.
Linux does this for everyone. (Score:4, Insightful)
Um... Hello. The Mob? (Score:2, Insightful)
There are a lot of countries where the mob either runs the government or has strong ties to it. Letting the government in many countries in on vulnerabilities early also lets the mob in. This could be a bad thing.
A flawed perspective... (Score:3, Insightful)
So Microsoft has the flaws, the governments have the flaws, but we, the purchasers of windows software do not have the flaws. What is wrong with this model? Could it (cough) perhaps be that the software isn't open source (in which environments the flaws tend to be published openly on an extremely short time scale)?
IMO the last bastions of the purveyors of a flawed model would tend to recruit those in power to perpetuate said model. (Oh its OK that there is a flaw because the powers that be know about it and we are going to fix it... eventually...)
Please please somebody, study the serious flaw correction rate in closed source vs. open source software (i.e. time from flaw discovery until flaw correction availability). I would hope that if this has not already been done someone is attempting to do it.
And shame on a majority of city, state and U.S. governments for operating on closed source software and not having concrete data with respect to flaws and vulnerabilities. If you worked for a corporation (at least one which knew the value of open source perspectives) your head would be on on a "silver platter" for allowing the corporation to be open to be open to the vulnerabilities of closed source software.
Simple. Ask Microsoft to warranty its products to be free of defects. And if it does not do so you are most probably utilizing products which probably contain defects. And that is a sad situation -- we are running reality with no more knowledge than we have of that of a "can-o-worms" [1].
1. To the best of my knowledge the genome sequence of the common garden worm is not known and even if it were there are probably few if any systems biologists who could explain in detail how it really works. Programs that have worked for hundreds of millions of years (e.g. worms) are probably fairly safe (even if we cannot explain how they work). Programs which have operated for less than 30 years and are driven by monetary criteria (profit margins, ROI, etc.) are probably an open source for concern.
Comment removed (Score:4, Insightful)
It is not useful knowing what the vendor does (Score:3, Insightful)
Does it really help that much if the vendor gives you early access to security issues? Its not like they discover them all and probably 3rd parties are a large source of insight into their problems.
ONE vendor won't be that great; and MS hasn't done well for a long time. Outside the vendors is probably more useful information and the organized criminals and governments probably know of more than the vendor does. The problem is the vendor is not told or fails to listen etc. Linux on the otherhand is not limited by be a specific vendor...
License to hack! (Score:5, Insightful)
This is insanity! So the government of US, UK, Israel, China, etc. will get information on vulnerabilities before the general public? The obvious outcome isn't a more secure government server, it is that the intelligence agencies will get a headstart on exploiting public and private systems the world over. It is a license to hack, for either industrial espionage or government espionage purposes.
What is a system administrator to do? There is no way to prepare for this kind of thing, the attack vectors will be unknowable by the general public. My only thought is to switch as many systems away from Microsoft as fast as possible. This is a total security nightmare.
-molo
Re:This will not end good. (Score:1, Insightful)