Linked by Thom Holwerda on Fri 14th Jun 2013 17:32 UTC
From Bloomberg: "Microsoft, the world's largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes." The lid has officially been blown off.
Thread beginning with comment 564751
easy answer is:
by hussam on Fri 14th Jun 2013 21:27 UTC
hussam
Member since:
2006-08-17

There is a security bug triggered when you perform operation A.
1) You tell the government quickly so they can work around it, because compromised government machines are supposedly a national security problem.
2) You hide the security bug from the public until a fix is found/issued, because you don't want the bug to be intentionally exploited on civilian/public computers.

That is at least their reasoning which makes sense to me.
Whether it OMG! ruins everyone's ideals and stuff is a totally different story.

Edit: keep in mind that this is closed source software. End users can't fix bugs ;)

Edited 2013-06-14 21:28 UTC

Reply Score: 6

RE: easy answer is:
by bentoo on Fri 14th Jun 2013 23:37 in reply to "easy answer is:"
bentoo Member since:
2012-09-21

Well put. I'd like to add that even in FOSS the end user usually lacks the knowledge or tools to fix security vulnerabilities.

Reply Parent Score: 4

RE[2]: easy answer is:
by cdude on Sat 15th Jun 2013 12:16 in reply to "RE: easy answer is:"
cdude Member since:
2008-09-21

It doesn't require every end user to have the knowledge to fix it; one is enough. And it works very well!

Reply Parent Score: 3

RE: easy answer is:
by Soulbender on Sat 15th Jun 2013 06:00 in reply to "easy answer is:"
Soulbender Member since:
2005-08-18

You missed an important step.
1.5) Issue an advisory with details on the exploit, how users can protect themselves, and what workarounds are available, if any.
This should be done no more than a week after step 1.

Reply Parent Score: 3

RE: easy answer is:
by Shane on Sat 15th Jun 2013 06:17 in reply to "easy answer is:"
Shane Member since:
2005-07-06

What you're not taking into account is:

3) The US can use the zero day exploits against other nations.

People's trust in US companies is taking a beating at the moment. The US government's heavy-handed approach could actually be a great reason to look into open source solutions.

Reply Parent Score: 7

RE[2]: easy answer is:
by BushLin on Sat 15th Jun 2013 10:56 in reply to "RE: easy answer is:"
BushLin Member since:
2011-01-26

That's surely the angle on this, surprised so many missed it.

Reply Parent Score: 3

RE[2]: easy answer is:
by BallmerKnowsBest on Sat 15th Jun 2013 18:03 in reply to "RE: easy answer is:"
BallmerKnowsBest Member since:
2008-06-02

What you're not taking into account is:

3) The US can use the zero day exploits against other nations.

People's trust in US companies is taking a beating at the moment. The US government's heavy-handed approach could actually be a great reason to look into open source solutions.


So, in other words... 2013 will be the "Year of Linux on the (non-US government) Desktop"(tm)? Can't wait!

Reply Parent Score: 2

RE[2]: easy answer is:
by zlynx on Mon 17th Jun 2013 16:52 in reply to "RE: easy answer is:"
zlynx Member since:
2005-07-20

What you're not taking into account is:

3) The US can use the zero day exploits against other nations.

Certainly they can. So can anyone else who gets early notification.

But where did that zero day exploit come from? Some of them come from code inspection, fuzzing and white-hat hackers. But most of them come from inspection of hacked machines which means that zero-day exploit is already out there being used by the bad guys.

The notification delay is so that the exploit is only used by a few bad guys instead of the entire Internet.

Reply Parent Score: 2

RE: easy answer is:
by JAlexoid on Sat 15th Jun 2013 11:12 in reply to "easy answer is:"
JAlexoid Member since:
2009-05-19

keep in mind that this is closed source software. End users can't fix bugs

End users can, however, mitigate the issues raised by those vulnerabilities.

Reply Parent Score: 4