Unixronin

Wednesday, May 19th, 2010 05:43 pm

Microsoft has launched a pilot program for governments and critical infrastructure providers to gain access to in-depth technical information about operating system patches before they are released on the second Tuesday of each month.

I find that this bothers me.  What makes the government so special that they should get this information but I shouldn't be able to access it?

Make the information available, or not.  But making it available just to the government and "critical infrastructure providers" Because They're Somehow Special is silly.  My infrastructure is crucial to me.  How come I don't rate access to the information?  Who gets to decide whose infrastructure is "crucial"?

Thursday, May 20th, 2010 04:12 am (UTC)
It is to allow the Chinese better information to attack our infrastructure, while teaching them how to harden theirs from attack. Micro$oft really WANTS to capture the Chinese market with PAID copies of Windows. The alternative is unthinkable.
Thursday, May 20th, 2010 05:38 pm (UTC)
The flip answer is: Who Does? China is just far more disciplined and patient than we, in the west, can fathom. China is content for their grandchildren to be dominant. All international accommodations are subservient to that goal. They are far closer than we give them credit for. They are, perhaps, five years away from control of the western Pacific. Military bases in South America will follow quickly. All western technology is a tool to achieve those ends. They will never agree to pay for it.
Wednesday, May 19th, 2010 09:48 pm (UTC)
You're confusing the marketing explanation with the business reality.

What's going on is that a few months ago, MS released a patch to a problem that was being actively exploited. However, due to malware activity, applying the patch caused blue screens all over the place. It's not really MS's fault*, as the patch worked fine on non-compromised hosts. However, it's not really the business's fault*, as they couldn't protect against exploitation before MS released the patch. It sucked all around.

So what can you do about it? You can't not patch, and you don't have time to test. The governments have the clout to pressure MS and get some advance notice, so they used it. They win 'cause they're big. We lose 'cause we're small. Of course, it's easier for us to use other solutions, like *nix instead of Windows, so there is a balance... just not an ideal one.

* Realistically, I think it's everyone's fault, as if they had managed the risk better, the problem wouldn't have happened... but reality and business seldom coincide.
Thursday, May 20th, 2010 02:20 am (UTC)
As noted in my reply to ratseal below, the question I'm really asking here is, if they're making that advance technical information available to the government and to whoever Microsoft thinks is a "crucial" service provider who needs it, does it really cost any more to just give everyone access to it?
Thursday, May 20th, 2010 01:24 pm (UTC)
The detailed technical information is enough for attackers to craft exploits from. That's why they want to keep it as secret as possible. While I question the belief that "friendly governments are safe", it is a very common belief in the IT security space.

It doesn't cost more in terms of dollars. It costs more in terms of perceived risk.
Wednesday, May 19th, 2010 11:24 pm (UTC)
Multi-million (billion?) dollar support contracts and practical guarantees that they'll not be cancelled long into the future.

Also, the ability to set, by fiat or by regulation, the rules by which most business & citizen interactions will occur with each other, including which formats and methods are acceptable, unacceptable, or simply unsupported.
Thursday, May 20th, 2010 01:28 am (UTC)
There are several weapons, sensor and C3I systems in the US DoD which operate, I kid you not, on MSFT OS, going as far back as XP.

For this kind of app, I am ok with the govt getting the patches first.
Thursday, May 20th, 2010 02:18 am (UTC)
There are several weapons, sensor and C3I systems in the US DoD which operate, I kid you not, on MSFT OS, going as far back as XP.
Yeah, I know. I've always found that kind of worrying, honestly.

As far as I know, they're not getting the patches early, just advance technical information. Really, the question I'm asking here is, if they're making that advance technical information available to the government and to whoever Microsoft thinks is a "crucial" service provider who needs it, does it really cost any more to just give everyone access to it?
Thursday, May 20th, 2010 05:55 am (UTC)
Does it cost more, in $? Probably not; it depends on the method chosen to distribute the information. However...

The easier it is for N. E. Miscellaneous-Sysadmin to get the advance info on the patch, the easier it is for I. M. A. Malicious-Bastard to get it and use it to circumvent it, especially in the case of patches that correct security exploits, which seem to be the vast majority of patches that MS releases - even for Windows Seven.

Given that Certain Not Openly Hostile Governments But We Know Better, Don't We have been implicated in cyberattacks on Governments Not Considered Hostile But Maybe We Still Know Better, well... I can't really say that it's the wrong thing to do.
Friday, May 21st, 2010 02:37 am (UTC)
I don't think it would - but is any advantage gained by limiting access to patches to US interests, at least for a period?
Friday, May 21st, 2010 03:54 am (UTC)
Honestly, I doubt it.
Friday, May 21st, 2010 11:16 am (UTC)
More proof that MS still doesn't understand security by obscurity is bad.