
Microsoft Opens Source Code To KGB's Successor Agency

Posted by timothy
from the we'll-trade-for-american-spyware dept.
Jack Spine writes "Microsoft has struck a deal with the Russian government which will give the FSB, successor to the KGB, access to the source code for Windows 7, among other products. The agreement is an extension of Microsoft's Government Security Program, according to a source with links to the UK government."

  • by Anonymous Coward on Friday July 09, 2010 @08:02AM (#32849244)

    yay, so now the Russians will know all the holes in Windows 7 and how to exploit them, no?

    • by TheRaven64 (641858) on Friday July 09, 2010 @08:05AM (#32849268) Journal

      They've already provided it to the Chinese (and the British, not sure who else). That means that the Russians and Chinese can look for and exploit holes in Windows. Last I heard (which, admittedly, was around 2002), the source code that they provide is not enough to build a complete Windows system, and the license does not permit building it, only reviewing it, so this only lets you find (but not fix) accidental flaws, not malicious ones.

      Basically, they get all of the disadvantages of open source security, but none of the advantages.

      • Re: (Score:2, Insightful)

        by Vectormatic (1759674)

        Last I heard (which, admittedly, was around 2002), the source code that they provide is not enough to build a complete Windows system, and the license does not permit building it, only reviewing it, so this only lets you find (but not fix) accidental flaws, not malicious ones.

        What use is it anyway then? I gather the Russians (and Brits, Americans, Chinese) want to be able to fully review the software in order to clear it for national security, what would be the point of only getting 90% of the code, and being allowed to build from it?

        I'd say a specific Linux build for national security sensitive applications is in order, in every country which might want to stop the US or MS from spying in their stuff (which is everyone, including the US themselves)

        • Re: (Score:2, Interesting)

          by Anonymous Coward
          The point of it is being able to review certain critical parts, for instance many of the governments require cryptographical reviews before an OS can be used by certain sections of the government and this sort of code access allows that. The intention is not for a government to go trawling through the entire source trees but to instead allow them to review code that is necessary to follow whatever guidelines and legislation is applicable for that country. Do you really think most countries have any interest in
          • by morgan_greywolf (835522) on Friday July 09, 2010 @10:19AM (#32850324) Homepage Journal

            Do you really think most countries have any interest in reviewing all the code in windows?

            If you can't compile the code into a working binary using the same compiler that was used to produce the production binary because you're missing parts, then you can't be sure that the source code you have represents the binary you're using. You have to take Microsoft's word for it, and it's not like the rep you're talking to is the actual guy who manages the build, so even he doesn't actually know for sure.

            An incomplete set of source is absolutely useless for a true security audit.

            • Nobody said you couldn't build a binary. Just that you can't build the complete Windows system. You can probably spray dlls all over the place and then just do a binary diff against the original to verify that they are identical other than the signature.

            • Well if I was able to look at the code and find a security flaw, then be able to use an exploit against that flaw. Then that would be good enough for me to say that the code was complete enough.
        • by PopeRatzo (965947) *

          I'd say a specific Linux build for national security sensitive applications is in order, in every country which might want to stop the US or MS from spying in their stuff (which is everyone, including the US themselves)

          And what if you want to stop China, Russia or Google from "spying on your stuff"?

          • The same, I was implying that since MS is US based, the various TLAs from the US have the best chances of acquiring a back door into Windows

            Sure, Russia et al. might be able to find a peephole in their limited view of the source, but if there are any real TLA backdoors, they will be in the parts the Russians don't get

          • The NSA released the SE patches to the Linux kernel a few years back. Most distros allow you to use this. Refer to: http://en.wikipedia.org/wiki/Security-Enhanced_Linux [wikipedia.org]
        • by datapharmer (1099455) on Friday July 09, 2010 @09:08AM (#32849658) Homepage

          I'd say a specific Linux build for national security sensitive applications is in order

          Try setting SE Linux to "enabled".

      • by cappp (1822388) on Friday July 09, 2010 @08:12AM (#32849318)
        Russia is just being added to a rather long list of countries in this regard. Playing a little link-hopping [zdnet.co.uk] tells us that both NATO and 30 countries (including the UK) have made similar deals with Microsoft albeit in reference to older technology. I would assume that all of those entities have similar updates to their agreements.
      • by mlts (1038732) * on Friday July 09, 2010 @08:41AM (#32849468)

        Isn't it coincidental that the Chinese intelligence who received the source code suddenly had a lot of new Windows based 0-days and used them against US companies, Google mainly?

        The blackhats have the source and can look for bugs and errors that they can exploit at will. The whitehats have to guess or blindly firewall, hope that there are no remote exploits, and put a lot of resources into perimeter security.

        Maybe this is just another impetus for people and companies to move to UNIX based operating systems. Even a closed source offering like HP-UX or OS X (the pieces that are not open-sourced in Darwin or elsewhere) has been around such a long time that glaring show-stopper bugs are rare, and are usually limited to local exploits. This isn't to say things are perfect, but an exploit from remote like ssh is extremely rare on the UNIX side. To boot, UNIX variants have been getting a lot better at security, having ASLR, DEP, SELinux/AppArmor security policies, and other items to limit damage and spread of compromised code.

      • We should restrict copyright for software to require publication of the source code. You could still sell custom software without releasing the source code for everybody, but you'd be required to release the source code to your customers if you wanted copyright protections.

        • Re: (Score:2, Insightful)

          by Bing Tsher E (943915)

          Why? The copyright protects a specific binary implementation. Are you implying that Microsoft's copyright protection should be extended to the method they use? That's what it sounds like.

        • by h4rm0ny (722443)

          We should restrict copyright for software to require publication of the source code.

          Why?

        • by tlhIngan (30335)

          We should restrict copyright for software to require publication of the source code. You could still sell custom software without releasing the source code for everybody, but you'd be required to release the source code to your customers if you wanted copyright protections.

          Copyright is designed to prevent that. I think you really meant patents, in which case every patent should come with the full (buildable) source of the product containing said patented item. After all, a patent has to describe how somethi

          • If you don't provide your customers with the source, then you should have implicitly revoked your claim of copyright, pure and simple.

            Software and business method patents should simply be eliminated outright of course.

      • by pandrijeczko (588093) on Friday July 09, 2010 @09:19AM (#32849768)

        and the British, not sure who else

        Indeed, old chap. And we will tip our bowler hats at you when we've stopped having a jolly good laugh at it.

        "Gor blimey, luv-a-duck, Mary Poppins! 'av ya seen the state of those header files for Minesweeper!"

      • by v1 (525388)

        They've already provided it to the Chinese (and the British, not sure who else).

        I'm sure the US Govt has had it LONG since before those guys. One of those "but under the Patriot Act, we don't have to TELL you" kinds of things I'm sure. It's like a rootkit for the Constitution.

      • The idea isn't to find bugs, but to validate that there aren't back doors (at the behest of the NSA for example). However, without being able to build it, you can't tell if this really is the source code to the version of Windows you're running or not. A build test with a binary comparison would be a real assurance.
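The build-and-compare check that two comments in this thread describe (a binary diff "identical other than the signature", and "a build test with a binary comparison"), as an added example that is not part of any comment or of Microsoft's tooling. It hashes a PE file while leaving out the byte ranges that Authenticode leaves out of its own image hash: the CheckSum field, the certificate-table directory entry and the certificate table itself. The sample images are constructed inline, and the function names are chosen for this example.

```python
import hashlib
import struct

CERT_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode blob


def signature_ranges(data):
    """Return the sorted (offset, size) byte ranges that signing changes."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("not an MZ executable")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("PE signature missing")
        opt = pe_off + 24              # 4-byte signature + 20-byte COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic not in (0x10B, 0x20B):
            raise ValueError("unknown optional-header magic")
        dirs = opt + (96 if magic == 0x10B else 112)          # PE32 / PE32+
        (ndirs,) = struct.unpack_from("<I", data, dirs - 4)   # NumberOfRvaAndSizes
        ranges = [(opt + 64, 4)]                              # CheckSum field
        if ndirs > CERT_DIR_INDEX:
            entry = dirs + 8 * CERT_DIR_INDEX
            cert_off, cert_size = struct.unpack_from("<II", data, entry)
            ranges.append((entry, 8))
            if cert_size:
                # The table must be the tail of the file; otherwise the
                # skipped range could hide code or data from the comparison.
                if cert_off < entry + 8 or cert_off + cert_size != len(data):
                    raise ValueError("certificate table is not at end of file")
                ranges.append((cert_off, cert_size))
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    return sorted(ranges)


def unsigned_digest(data):
    """SHA-256 over the image with the signature-related bytes left out."""
    h = hashlib.sha256()
    pos = 0
    for off, size in signature_ranges(data):
        h.update(data[pos:off])
        pos = off + size
    h.update(data[pos:])
    return h.hexdigest()


def same_build(built, shipped):
    """True when two images differ only in the signature-related bytes."""
    return unsigned_digest(built) == unsigned_digest(shipped)


def make_sample_pe(body, cert=b"", checksum=0):
    """Constructed minimal PE32+ image, filled in only as far as the parser reads."""
    opt = bytearray(112 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B)          # PE32+ magic
    struct.pack_into("<I", opt, 64, checksum)      # CheckSum
    struct.pack_into("<I", opt, 108, 16)           # NumberOfRvaAndSizes
    headers_len = 64 + 4 + 20 + len(opt)
    if cert:
        struct.pack_into("<II", opt, 112 + 8 * CERT_DIR_INDEX,
                         headers_len + len(body), len(cert))
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)    # e_lfanew = 64
    return dos + b"PE\0\0" + bytes(20) + bytes(opt) + body + cert


if __name__ == "__main__":
    # Constructed inputs: a local build, the "shipped" signed copy of the
    # same bytes, and a signed copy with one byte of the body changed.
    built = make_sample_pe(b"\x90" * 32)
    shipped = make_sample_pe(b"\x90" * 32, cert=b"CONSTRUCTED-SIG", checksum=0x1234)
    patched = make_sample_pe(b"\x90" * 31 + b"\xcc", cert=b"CONSTRUCTED-SIG")
    print("built vs shipped:", same_build(built, shipped))
    print("built vs patched:", same_build(built, patched))
```

On real binaries a match also needs a deterministic toolchain, since the COFF TimeDateStamp and debug records otherwise differ between two builds of the same source.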

      • by tibit (1762298)

        I don't really see how the non-buildable source can be generally useful. Certainly, some things can be examined on a printout. Perhaps most of interesting things.

        But there are still some pieces of code where it's hard to reason about their execution paths without seeing them in action. Thus you really need to build them, hack them, run under debugger and see how they behave in action, and how they react to your changes.

      • by alexo (9335) on Friday July 09, 2010 @11:18AM (#32850956) Journal

        the source code that they provide is not enough to build a complete Windows system, and the license does not permit building it, only reviewing it, so this only lets you find (but not fix) accidental flaws, not malicious ones.

        If I were in charge of an internal security agency, I would be more concerned about running an OS containing back doors or exploits than to try and exploit them myself. To that effect, I would insist on being able to build the OS from sources using a compiler that is known to be uncompromised (built it from source too). No other arrangement will guarantee that the copies I am running behave exactly like the source code says.

        If the FSB agreed to the terms that you mentioned, they are not doing their work.

      • Re: (Score:3, Insightful)

        by suso (153703) *

        and the license does not permit building it, only reviewing it, so this only lets you find (but not fix) accidental flaws, not malicious ones.

        Oh noes, a license. That will stop em.

      • by Muad'Dave (255648)

        ... the license does not permit building it, only reviewing it ...

        To make it doubly secure Microsoft set the read-only bit to true and the compile bit to false on all the source files.

      • Re: (Score:3, Interesting)

        Last I heard (which, admittedly, was around 2002), the source code that they provide is not enough to build a complete Windows system, and the license does not permit building it, only reviewing it, so this only lets you find (but not fix) accidental flaws, not malicious ones.

        From what I heard, this transfer is for complete buildable code, and, indeed, the whole point is that FSB guys will strip out everything they don't need to minimize attack surface, and use the resulting build for their own systems.

      • It's not just governments. Microsoft gives some college faculty and students complete access to Windows source code. They have to be part of a research team doing something Microsoft finds interesting, sign NDAs, etc. Microsoft gets access to their work but there are no restrictions on publishing. A friend was on such a team when he was a grad student.
      • "and the license does not permit building it, only reviewing it, so this only lets you find (but not fix) accidental flaws"

        Right, the Russian former KGB is going to feel obligated to not build the code because they are not permitted to under license. The only way they wouldn't is if there was a bigger, more dastardly policeman out there to threaten to enforce that. Oh wait, the I.P. police, well I guess you're right, they will abide by the licence.

    • Yep. And you don't because you are not given the source. Giving the source to some people is considerably more dangerous than not giving it to anybody, because the ones with the source have an advantage over everybody else in finding exploits and particular reason to disclose them...
    • Yeah, but Russia probably signed the same "We promise to hack Google first" agreement that China did, so from Microsoft's perspective it's win/win.

    • Re: (Score:3, Insightful)

      by elrous0 (869638) *

      so now the Russians will know all the holes in Windows 7 and how to exploit them, no?

      Them and every other hacker on the planet.

  • by Xtense (1075847) <[xtense] [at] [o2.pl]> on Friday July 09, 2010 @08:03AM (#32849248) Homepage

    Available as a Torrent in 3... 2... 1...

  • by linzeal (197905) on Friday July 09, 2010 @08:03AM (#32849252) Homepage Journal
    I'm more afraid of the FSB selling or having the code stolen from them by Russian hackers than the FSB actually doing anything. They are mostly incompetent hacks either leftover from the 90's or put there to be yes-men to Putin policy. Putin would not stack the deck against himself so he has cut out most of the intelligence in the intelligence agencies, that is why you get things like the recent spy swap debacle where they could not even penetrate a PTA meeting let alone the Pentagon.
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      I tend to agree with your take on Putin.

      And, wtf. Those poor Russians just can't seem to get a break. They've gone from totalitarian monarchy to communism. Yay, workers paradise, except when the revolutionary dust settled they were still under totalitarian rule.

      And now that the confetti from the democratization celebration has blown away we are still looking at something remarkably similar to a dictatorship.

      • When you ask a Russian his opinion on some leader (either Russian or otherwise), whenever he wants to praise that leader, he'll always add 'he's a strong leader'. It seems that Russians only recognize leadership when it is associated with strength, so do not be surprised that they go from dictatorship to dictatorship. It's mostly self-inflicted.
        • People were genuinely supporting democracy and liberalism back in late 80s and in early 90s. That's what made the transition to democratic rule possible in the first place. It's also why the hardcore commie attempt at a coup d'etat failed in 1991.

          The problem was that people's trust in those things was undermined by those very politicians who were pushing for them, once they got in power. Yeltsin was a horrible president, both as a person (drunkard, slow-thinking, dishonest) and as a ruler (autocratic, bad m

        • The poor Russian we are, suffering under a bloody KGB regime, why don't you come here and bring us some of your freedoms? And do not forget winter clothes, it can get bloody cold over here.
          • The poor Russian we are, suffering under a bloody KGB regime, why don't you come here and bring us some of your freedoms? And do not forget winter clothes, it can get bloody cold over here.

            No, we only spread freedom to countries with plenty of oil and other natural resources ... oh wait.

  • by the linux geek (799780) on Friday July 09, 2010 @08:04AM (#32849258)
    The FSB is approximately a third of the total KGB capability, with the FSO and SVR being the other legs of the triumvirate. The FSB, being the replacement for the former First Chief Directorate, is mostly responsible for internal security (counterintelligence, counterterrorism, counterinsurgency, action against dissenters.) I don't see how this deal with Microsoft could possibly threaten the US or US interests, except possibly in a peripheral way.
  • Brilliant Idea (Score:1, Insightful)

    by Anonymous Coward

    Giving the OS source code to the Russians... what could go wrong?

    • Microsoft is a company of 80k people. I would expect several hundred, at least, to have direct access to Windows source (and probably more like several thousand).

      Do you seriously think that it would be hard for any foreign intelligence agency worth its salt to bribe, or otherwise hook, one or more of them, and steal the source code to whatever MS products they desire?

      This is without even mentioning that there are quite a few people from ex-USSR working in MS.

  • by yanyan (302849) on Friday July 09, 2010 @08:06AM (#32849280)

    I give up. This is too easy.

  • by Chrisq (894406) on Friday July 09, 2010 @08:09AM (#32849296)
    It will keep them tied up for years trying to find exploitable holes, when the real spies will use something else [darkreading.com]
    • Yeah, but can you play games on it. Everyone knows that it will never make it into the desktop market unless you can play games on it.
  • by Bob9113 (14996) on Friday July 09, 2010 @08:26AM (#32849358) Homepage

    It is an interesting world in which a United States company trusts Russian spies more than it trusts United States citizens.

    • Re: (Score:3, Interesting)

      It is a world operating completely as expected when a multinational corporation cares more about satisfying the requests of large customers than it does small ones.
      • by Bob9113 (14996)

        It is a world operating completely as expected when a multinational corporation cares more about satisfying the requests of large customers than it does small ones.

        Well said. Thanks for truthing my post. :)

        We would do well to remember that they are American In Name Only the next time they whine about taxes or H1Bs.

  • by Linker3000 (626634) on Friday July 09, 2010 @08:27AM (#32849366) Journal
    Has anyone else just got the email from Microsoft regarding a critical security update that should be downloaded and installed immediately from windowsupdate.micros0ft.ru?
  • I wonder if the scope of code to be provided allows building it to a working copy of Windows 7.

    • Re:Buildable? (Score:5, Informative)

      by Shados (741919) on Friday July 09, 2010 @08:52AM (#32849534)

      Probably not. It is not all that uncommon for Microsoft to open its source. I mean, it doesn't happen everyday, but they have special facilities for that purpose alone.

      It may have changed, but back when I saw it, it was basically a web based code browser that doesn't allow the more simple copying features (like no export and stuff obviously).

      If it's still what they use, then it definitely cannot (realistically) be built.

  • by TrixX (187353) on Friday July 09, 2010 @08:30AM (#32849396) Homepage Journal
    Shouldn't the successor to KGB be called LHC... oh!
    • Re: (Score:3, Insightful)

      by glwtta (532858)
      Holy shit, that just completely blew my mind!
  • If I were in charge of this give away, some fake back door honey-pots would be put into Windows. That way, if they found and exploited back doors and security holes, Microsoft would know about it.

    How to provide a hole that is not a hole at a deeper level would be an interesting exercise in computer science. Of course, if a hole is planned, a patch can be sitting ready to go as soon as it is exploited, which would help some.

  • Am I the only one who thought of the text-a-question [wikipedia.org] service? I mean, I could see Microsoft trying to get in on that action. I suppose the Agency portion of the title should've given it away.
  • I am open to negotiating a deal with Russia or any other government interested in offering me reasonable terms and a nominal fee in exchange for a copy of Linux source code.

    -

    • by Trelane (16124)
      For an extra dispensation, I bet you'd be willing to give them the remaining 90% and let them build and use it too!
  • As Stalin said (Score:5, Insightful)

    by gillbates (106458) on Friday July 09, 2010 @09:29AM (#32849878) Homepage Journal

    Wasn't it Stalin who said, "The capitalists will sell us the rope we use to hang them."

    Nice to know that Microsoft, after complaining for years that open source was insecure because anyone could see the code, is now providing same to Russia. Nothing quite like putting quarterly profits above national security.

    • Re: (Score:2, Informative)

      by m93 (684512)

      That was actually a Lenin quote.
    • Re: (Score:3, Interesting)

      by gad_zuki! (70830)

      I've always found that quote to be amusing. It's like admitting that communism can't produce enough rope, only capitalism can, but they need rope so they deal with capitalists. Reminds me of all those stories about the price of car wipers and toilet paper in the USSR because their command economy 'geniuses' couldn't figure it out or couldn't turn capital into production.

      >Nothing quite like putting quarterly profits above national security.

      Let's not be too dramatic. The source code of Windows isn't some big

      • It is actually nothing like that. The saying implies that capitalists care about money so much that they would sell weapons which will destroy them to their enemies.

      • It's like admitting that communism can't produce enough rope, only capitalism can, but they need rope so they deal with capitalists.

        Read 1984 closely enough and you'll see this in effect. The despairing ending which everybody remembers is the future imagined as a boot stamping on a human face forever. But what was the first example we saw of the Party's information control in action? Why, it was our hero Winston Smith editing the figures for boot production.

        For example, the Ministry of Plenty's forecast

    • by bmajik (96670)

      I'd like to respond to this in two halves

      Wasn't it Stalin who said, "The capitalists will sell us the rope we use to hang them."

      You should assume that anyone in Russia or anywhere else that wants the windows code for naughty reasons already has it.

      Nothing quite like putting quarterly profits above national security.

      This brings up the more interesting half of my response.

      What is Microsoft's obligation to US national security interests?

      Microsoft (last I heard) had 40% of its revenue from outside the US. One

      • by gillbates (106458)

        I hold the (unpopular) view that Corporations have no moral obligations whatsoever.

        Perhaps this isn't the way things should be. But it is the way things are, with few notable exceptions. When the public at large understands that a corporation *can't* possess a moral compass in the same way a human can, then we can have a productive debate on the value of capitalism, and the appropriate regulatory framework to prevent abuses from happening.

        All too many people fail to realize that a corporation - esp

  • by lattyware (934246) <gareth@lattyware.co.uk> on Friday July 09, 2010 @09:35AM (#32849942) Homepage Journal
    Microsoft: So, we are agreed, you get access to our source code.

    FSA: Yes... we just have to add one question to our polygraph test for people reviewing the code?

    Microsoft: Yes. "Have you ever contributed, or plan to contribute, to open source software..."
  • I once signed up for a license to distribute the Acrobat Reader on a CD-ROM my organization was using as a give-away, and I had to agree not to let the program end up in places like Cuba. Now, in the same week I learn about Russian spies being arrested and swapped with the USA, I hear that Microsoft is giving out the source code to Windows 7 to the Russian spy agency. Wow.
  • I'll just sit and wait for the torrent to appear!
  • by zkiwi34 (974563) on Friday July 09, 2010 @10:59AM (#32850768)

    It wasn't all that long ago when dear old Bill Gates et al were claiming in front of the DoJ that giving anyone (their competitors) access to Windows code would be a threat to national security. Fast forward to now and it appears that either the truth changed a whole lot or for some reason national security interests are served by giving China and Russia and who knows, maybe even the French access to Windows source.

    The new Windows, our most secure OS ever!! Well...

    • Re: (Score:3, Insightful)

      by thoth (7907)

      They changed even faster than that. IIRC, it was Jim Allchin that said releasing the source code for a portion of Windows (the message queue), would have serious US national security implications. This was in 2002, during the post-DOJ lawsuit cleanup where some states filed a separate lawsuit.

      Less than a year later in early 2003, Microsoft entered into a broad source code sharing arrangement, with Russia, China, and many NATO members.
      http://www.microsoft.com/presspass/press/2003/feb03/02-28GSPChinaPR.mspx [microsoft.com]

  • I voted for kotos!"

    Jokes aside, I could very easily go into all the reasons why I use the Mac OS...but it's not proper to dance on another's grave :)

  • ... in the almost innumerable reasons to avoid using Microsoft products.

    Shouldn't something like this have been reviewed and approved by U.S. security agencies? And if it was, you gotta wonder whose side they're on.
