Microsoft Opens Source Code To KGB's Successor Agency
Jack Spine writes "Microsoft has struck a deal with the Russian government which will give the FSB, successor to the KGB, access to the source code for Windows 7, among other products. The agreement is an extension of Microsoft's Government Security Program, according to a source with links to the UK government."
security holes of releasing source code (Score:5, Insightful)
yay, so now the Russians will know all the holes in Windows 7 and how to exploit them, no?
Re:security holes of releasing source code (Score:5, Interesting)
They've already provided it to the Chinese (and the British, not sure who else). That means that the Russians and Chinese can look for and exploit holes in Windows. Last I heard (which, admittedly, was around 2002), the source code that they provide is not enough to build a complete Windows system, and the license does not permit building it, only reviewing it, so this only lets you find (but not fix) accidental flaws, not malicious ones.
Basically, they get all of the disadvantages of open source security, but none of the advantages.
Re: (Score:2, Insightful)
Last I heard (which, admittedly, was around 2002), the source code that they provide is not enough to build a complete Windows system, and the license does not permit building it, only reviewing it, so this only lets you find (but not fix) accidental flaws, not malicious ones.
What use is it anyway then? I gather the Russians (and Brits, Americans, Chinese) want to be able to fully review the software in order to clear it for national security; what would be the point of only getting 90% of the code, and being allowed to build from it?
I'd say a specific Linux build for national security sensitive applications is in order, in every country which might want to stop the US or MS from spying on their stuff (which is everyone, including the US themselves).
Re: (Score:2, Interesting)
Re:security holes of releasing source code (Score:5, Insightful)
If you can't compile the code into a working binary using the same compiler that was used to produce the production binary because you're missing parts, then you can't be sure that the source code you have represents the binary you're using. You have to take Microsoft's word for it, and it's not like the rep you're talking to is the actual guy who manages the build, so even he doesn't actually know for sure.
An incomplete set of source is absolutely useless for a true security audit.
Re: (Score:2)
Nobody said you couldn't build a binary. Just that you can't build the complete Windows system. You can probably spray dlls all over the place and then just do a binary diff against the original to verify that they are identical other than the signature.
Re: (Score:2)
Re: (Score:2)
And what if you want to stop China, Russia or Google from "spying on your stuff"?
Re: (Score:2)
The same. I was implying that since MS is US-based, the various TLAs from the US have the best chances of acquiring a back door into Windows.
Sure, Russia et al. might be able to find a peephole in their limited view of the source, but if there are any real TLA backdoors, they will be in the parts the Russians don't get.
Re: (Score:2)
Re:security holes of releasing source code (Score:4, Insightful)
I'd say a specific Linux build for national security sensitive applications is in order
Try setting SE Linux to "enabled".
Re: (Score:2)
Did you even read my comment?
Re:security holes of releasing source code (Score:5, Informative)
Re: (Score:3, Funny)
Yes, but I'm looking forward to Vindows 7.
Re:security holes of releasing source code (Score:4, Interesting)
Isn't it coincidental that the Chinese intelligence who received the source code suddenly had a lot of new Windows based 0-days and used them against US companies, Google mainly?
The blackhats have the source and can look for bugs and errors that they can exploit at will. The whitehats have to guess or blindly firewall, hope that there are no remote exploits, and put a lot of resources into perimeter security.
Maybe this is just another impetus for people and companies to move to UNIX based operating systems. Even a closed source offering like HP-UX or OS X (the pieces that are not open-sourced in Darwin or elsewhere) has been around such a long time that glaring show-stopper bugs are rare, and are usually limited to local exploits. This isn't to say things are perfect, but an exploit from remote like ssh is extremely rare on the UNIX side. To boot, UNIX variants have been getting a lot better at security, having ASLR, DEP, SELinux/AppArmor security policies, and other items to limit damage and spread of compromised code.
Re: (Score:3, Interesting)
Re: (Score:2)
I'm sure that MS wants the countries to both get tough on piracy, and sign onto ACTA, so throwing them a bone by giving them the source code access makes perfect sense.
Re: (Score:2)
Re: (Score:2)
we need open source by law (Score:2)
We should restrict copyright for software to require publication of the source code. You could still sell custom software without releasing the source code for everybody, but you'd be required to release the source code to your customers if you wanted copyright protections.
Re: (Score:2, Insightful)
Why? The copyright protects a specific binary implementation. Are you implying that Microsoft's copyright protection should be extended to the method they use? That's what it sounds like.
Re: (Score:2)
Why?
Re: (Score:2)
Copyright is designed to prevent that. I think you really meant patents, in which case every patent should come with the full (buildable) source of the product containing said patented item. After all, a patent has to describe how somethi
I said copyright & I meant copyright. (Score:2)
If you don't provide your customers with the source, then you should have implicitly revoked your claim of copyright, pure and simple.
Software and business method patents should simply be eliminated outright of course.
Comment removed (Score:4, Funny)
Re: (Score:2)
They've already provided it to the Chinese (and the British, not sure who else).
I'm sure the US Govt has had it LONG since before those guys. One of those "but under the Patriot Act, we don't have to TELL you" kinds of things I'm sure. It's like a rootkit for the Constitution.
Re: (Score:2)
The idea isn't to find bugs, but to validate that there aren't back doors (at the behest of the NSA for example). However, without being able to build it, you can't tell if this really is the source code to the version of Windows you're running or not. A build test with a binary comparison would be a real assurance.
Re: (Score:2)
I don't really see how the non-buildable source can be generally useful. Certainly, some things can be examined on a printout. Perhaps most of the interesting things.
But there are still some pieces of code where it's hard to reason about their execution paths without seeing them in action. Thus you really need to build them, hack them, run them under a debugger and see how they behave in action, and how they react to your changes.
Re:security holes of releasing source code (Score:4, Interesting)
If I were in charge of an internal security agency, I would be more concerned about running an OS containing back doors or exploits than to try and exploit them myself. To that effect, I would insist on being able to build the OS from sources using a compiler that is known to be uncompromised (built it from source too). No other arrangement will guarantee that the copies I am running behave exactly like the source code says.
If the FSB agreed to the terms that you mentioned, they are not doing their work.
Re: (Score:3, Insightful)
and the license does not permit building it, only reviewing it, so this only lets you find (but not fix) accidental flaws, not malicious ones.
Oh noes, a license. That will stop em.
Re: (Score:2)
... the license does not permit building it, only reviewing it ...
To make it doubly secure Microsoft set the read-only bit to true and the compile bit to false on all the source files.
Re: (Score:3, Interesting)
Last I heard (which, admittedly, was around 2002), the source code that they provide is not enough to build a complete Windows system, and the license does not permit building it, only reviewing it, so this only lets you find (but not fix) accidental flaws, not malicious ones.
From what I heard, this transfer is for complete buildable code, and, indeed, the whole point is that FSB guys will strip out everything they don't need to minimize attack surface, and use the resulting build for their own systems.
Not just governments, college students too (Score:2)
Re: (Score:2)
"and the license does not permit building it, only reviewing it, so this only lets you find (but not fix) accidental flaws"
Right, the Russian former KGB is going to feel obligated to not build the code because they are not permitted to under license. The only way they wouldn't is if there was a bigger, more dastardly policeman out there to threaten to enforce that. Oh wait, the I.P. police, well I guess you're right, they will abide by the licence.
Re: (Score:2)
Basically, they get all of the disadvantages of open source security, but none of the advantages.
?
People can find security holes and exploit them, but they can't find security holes and fix them. (They can, however, find security holes and report them, so...)
I guess that's why MS didn't give out the right to build from its source. This denies governments the ability to find flaws, fix them for their versions and exploit them on $enemy. This encourages governments to report found holes (unless they can be "fixed" without recompiling).
Re: (Score:2)
And I assume Microsoft would want to fix things if people reported them in.
And you would be wrong [techrights.org] a lot. (One of many; Google is your friend, finding others is an exercise left to the reader.)
Re: (Score:2)
Re: (Score:2)
Imho finding them / being aware of them would be an advantage
That's assuming that the FSB (for example) chooses to inform Microsoft of any holes they find. Why would they do that?
Re: (Score:2)
Imho finding them / being aware of them would be an advantage
That's assuming that the FSB (for example) chooses to inform Microsoft of any holes they find. Why would they do that?
That's also assuming that the FSB is capable of finding any holes and I think that's assuming a lot. If the recent "sexy spy" debacle is any indication, the FSB has become the keystone kops of the espionage industry.
Re: (Score:2)
Careful there, the FSB just happened to have the right number of warm bodies spying for America/et-al hanging around behind bars to do the swap immediately after the debacle started.
Keystone kops or ready to extract 10 spies whose job is done and are ready to come home? Just a thought
Re: (Score:2)
Re:security holes of releasing source code (Score:5, Funny)
Yeah, but Russia probably signed the same "We promise to hack Google first" agreement that China did, so from Microsoft's perspective it's win/win.
Re: (Score:2)
Re: (Score:3, Insightful)
Them and every other hacker on the planet.
Available as a Torrent in 3... 2... 1... (Score:4, Insightful)
Available as a Torrent in 3... 2... 1...
Re:Available as a Torrent in 3... 2... 1... (Score:4, Informative)
Surprisingly, it didn't turn out to have any impact on anything, that I can tell.
Re:Available as a Torrent in 3... 2... 1... (Score:4, Interesting)
Re:Available as a Torrent in 3... 2... 1... (Score:4, Funny)
Re:Available as a Torrent in 3... 2... 1... (Score:4, Interesting)
And in which jurisdiction are you going to sue?
Re: (Score:2)
I'm sure this will turn out well (Score:5, Interesting)
Re: (Score:2, Interesting)
I tend to agree with your take on Putin.
And, wtf. Those poor Russians just can't seem to get a break. They've gone from totalitarian monarchy to communism. Yay, workers' paradise, except when the revolutionary dust settled they were still under totalitarian rule.
And now that the confetti from the democratization celebration has blown away we are still looking at something remarkably similar to a dictatorship.
Re:I'm sure this will turn out well (Score:4, Insightful)
Re: (Score:2)
People were genuinely supporting democracy and liberalism back in late 80s and in early 90s. That's what made the transition to democratic rule possible in the first place. It's also why the hardcore commie attempt at a coup d'etat failed in 1991.
The problem was that people's trust in those things was undermined by those very politicians who were pushing for them, once they got in power. Yeltsin was a horrible president, both as a person (drunkard, slow-thinking, dishonest) and as a ruler (autocratic, bad m
Re: (Score:2)
By "old way" I mean what people remembered as good times compared to where they ended up in the 90s.
But, since you ask - there has been quite a resurgence of various monarchist organizations in Russia in 90s, and quite a few of them are of ultra-conservative type advocating absolutism, Orthodoxy as a state religion etc - in general, anti-liberalism - and opposing that to the "lying and treacherous liberals who have robbed the country". They mainly appeal to those people who think that commies were okay, exc
Re: (Score:2)
Re: (Score:2)
The poor Russians we are, suffering under a bloody KGB regime, why don't you come here and bring us some of your freedoms? And do not forget winter clothes, it can get bloody cold over here.
No, we only spread freedom to countries with plenty of oil and other natural resources ... oh wait.
FSB is not "the" successor to the KGB (Score:5, Interesting)
Re: (Score:3, Funny)
Re: (Score:2)
Certainly they won't give it to whatever directorate's in charge of conducting espionage. Spies are the most honorable government officials there are, and nobody in Moscow's looking to get ahead by bending any rules.
I smell sarcasm.
Re: (Score:2)
Not one bit.
Maybe this will help the russian spies. (Score:2, Troll)
It will help with their IT troubles now that they will be given the complete source code to Windows 7. This just goes to show me that Microsoft is evil. Stick to Open Source software. If it isn't open for everyone then something is wrong with that.
Re: (Score:3, Funny)
Brilliant Idea (Score:1, Insightful)
Giving the OS source code to the Russians... what could go wrong?
Re: (Score:2)
Microsoft is a company of 80k people. I would expect several hundred, at least, to have direct access to Windows source (and probably more like several thousand).
Do you seriously think that it would be hard for any foreign intelligence agency worth its salt to bribe, or otherwise hook, one or more of them, and steal the source code to whatever MS products they desire?
This is without even mentioning that there are quite a few people from ex-USSR working in MS.
In Soviet Russia... (Score:5, Funny)
I give up. This is too easy.
Re: (Score:2, Funny)
This is actually good (Score:4, Interesting)
Re: (Score:2)
Trust, Interesting World (Score:5, Interesting)
It is an interesting world in which a United States company trusts Russian spies more than it trusts United States citizens.
Re: (Score:3, Interesting)
Re: (Score:2)
It is a world operating completely as expected when a multinational corporation cares more about satisfying the requests of large customers than it does small ones.
Well said. Thanks for truthing my post. :)
We would do well to remember that they are American In Name Only the next time they whine about taxes or H1Bs.
Update email (Score:4, Funny)
Re: (Score:2)
Re:Buildable? (Score:5, Informative)
Probably not. It is not all that uncommon for Microsoft to open its source. I mean, it doesn't happen everyday, but they have special facilities for that purpose alone.
It may have changed, but back when I saw it, it was basically a web based code browser that doesn't allow the more simple copying features (like no export and stuff obviously).
If it's still what they use, then it definitely cannot (realistically) be built.
Re:Buildable? (Score:5, Insightful)
How can the Russians trust the source code to a binary if they can't compile and compare the binaries?
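Added example (not part of any comment in this thread, and not Microsoft's tooling): the build-and-compare check several commenters describe, a binary diff that ignores only the signature. It hashes a PE file after dropping the three regions that signing changes (the CheckSum field, the certificate-table directory entry and the certificate table itself); `build_sample` and its byte strings are constructed stand-ins for a rebuilt and a shipped DLL.

```python
import hashlib
import struct


def unsigned_digest(image: bytes) -> str:
    """SHA-256 of a PE file with the signature-dependent regions removed."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)       # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = pe_off + 24                                        # optional header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):                          # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)             # data directories
    (ndirs,) = struct.unpack_from("<I", image, dirs - 4)     # NumberOfRvaAndSizes
    buf = bytearray(image)
    buf[opt + 64:opt + 68] = bytes(4)                        # CheckSum
    if ndirs > 4:
        sec = dirs + 4 * 8                                   # entry 4: certificates
        # For this entry the first field is a file offset, not an RVA.
        cert_off, cert_len = struct.unpack_from("<II", image, sec)
        buf[sec:sec + 8] = bytes(8)
        if cert_len:
            if cert_off < sec + 8 or cert_off + cert_len > len(buf):
                raise ValueError("certificate table out of bounds")
            del buf[cert_off:cert_off + cert_len]
    return hashlib.sha256(buf).hexdigest()


def same_code(rebuilt: bytes, shipped: bytes) -> bool:
    """True when the two files differ only in signature-related bytes."""
    return unsigned_digest(rebuilt) == unsigned_digest(shipped)


def build_sample(code: bytes, cert: bytes = b"") -> bytes:
    """Constructed PE32+-shaped file for this demo (not a loadable image)."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                     # 16 directories
    image = bytearray(dos + b"PE\0\0" + coff + opt + code)
    if cert:                                                 # simulate signing
        struct.pack_into("<I", image, 88 + 64, 0xDEADBEEF)   # made-up checksum
        struct.pack_into("<II", image, 88 + 144, len(image), len(cert))
        image += cert
    return bytes(image)


if __name__ == "__main__":
    rebuilt = build_sample(b"\x90" * 32)                     # our own build
    shipped = build_sample(b"\x90" * 32, b"CONSTRUCTED-SIGNATURE")
    patched = build_sample(b"\x90" * 31 + b"\xcc", b"CONSTRUCTED-SIGNATURE")
    print("shipped matches rebuild:", same_code(rebuilt, shipped))
    print("patched matches rebuild:", same_code(rebuilt, patched))
```

A real toolchain also embeds timestamps and may pad the file before the signature, so this comparison only succeeds when the build itself is deterministic.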
Successor agency (Score:5, Funny)
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
Honey Pots ? (Score:2)
If I were in charge of this give away, some fake back door honey-pots would be put into Windows. That way, if they found and exploited back doors and security holes, Microsoft would know about it.
How to provide a hole that is not a hole at a deeper level would be an interesting exercise in computer science. Of course, if a hole is planned, a patch can be sitting ready to go as soon as it is exploited, which would help some.
Am I the only one (Score:2)
Reasonable Terms and a Nominal Fee (Score:2)
I am open to negotiating a deal with Russia or any other government interested in offering me reasonable terms and a nominal fee in exchange for a copy of Linux source code.
Re: (Score:2)
As Stalin said (Score:5, Insightful)
Wasn't it Stalin who said, "The capitalists will sell us the rope we use to hang them."
Nice to know that Microsoft, after complaining for years that open source was insecure because anyone could see the code, is now providing same to Russia. Nothing quite like putting quarterly profits above national security.
Re: (Score:2, Informative)
That was actually a Lenin quote.
Re: (Score:3, Interesting)
I've always found that quote to be amusing. It's like admitting that communism can't produce enough rope, only capitalism can, but they need rope so they deal with capitalists. Reminds me of all those stories about the price of car wipers and toilet paper in the USSR because their command economy 'geniuses' couldn't figure it out or couldn't turn capital into production.
>Nothing quite like putting quarterly profits above national security.
Let's not be too dramatic. The source code of Windows isn't some big
Re: (Score:2)
It is actually nothing like that. The saying implies that capitalists care about money so much that they would sell weapons which will destroy them to their enemies.
Re: (Score:2)
Read 1984 closely enough and you'll see this in effect. The despairing ending which everybody remembers is the future imagined as a boot stamping on a human face forever. But what was the first example we saw of the Party's information control in action? Why, it was our hero Winston Smith editing the figures for boot production.
For example, the Ministry of Plenty's forecast
Re: (Score:2)
I'd like to respond to this in two halves
You should assume that anyone in Russia or anywhere else that wants the windows code for naughty reasons already has it.
This brings up the more interesting half of my response.
What is Microsoft's obligation to US national security interests?
Microsoft (last I heard) had 40% of its revenue from outside the US. One
Re: (Score:2)
I hold the (unpopular) view that Corporations have no moral obligations whatsoever.
Perhaps this isn't the way things should be. But it is the way things are, with few notable exceptions. When the public at large understands that a corporation *can't* possess a moral compass in the same way a human can, then we can have a productive debate on the value of capitalism, and the appropriate regulatory framework to prevent abuses from happening.
All too many people fail to realize that a corporation - esp
The conversation... (Score:3, Funny)
Exporting software (Score:2)
Priceless! (Score:2)
How the worm turns.... (Score:3, Insightful)
It wasn't all that long ago when dear old Bill Gates et al were claiming in front of the DoJ that giving anyone (their competitors) access to Windows code would be a threat to national security. Fast forward to now and it appears that either the truth changed a whole lot or for some reason national security interests are served by giving China and Russia and who knows, maybe even the French access to Windows source.
The new Windows, our most secure OS ever!! Well...
Re: (Score:3, Insightful)
They changed even faster than that. IIRC, it was Jim Allchin that said releasing the source code for a portion of Windows (the message queue), would have serious US national security implications. This was in 2002, during the post-DOJ lawsuit cleanup where some states filed a separate lawsuit.
Less than a year later in early 2003, Microsoft entered into a broad source code sharing arrangement, with Russia, China, and many NATO members.
http://www.microsoft.com/presspass/press/2003/feb03/02-28GSPChinaPR.mspx [microsoft.com]
Don't blame me... (Score:2)
I voted for Kodos!
Jokes aside, I could very easily go into all the reasons why I use the Mac OS...but it's not proper to dance on another's grave :)
Just the latest... (Score:2)
... in the almost innumerable reasons to avoid using Microsoft products.
Shouldn't something like this have been reviewed and approved by U.S. security agencies? And if it was, you gotta wonder whose side they're on.
Re: (Score:1, Offtopic)
In Soviet Russia, you beat you to it!
Re: (Score:2, Informative)
I think it's ironic that we're reading an article about MS releasing source code and the /. community is busting their balls. Just sayin'.
Maybe you should think some more and consider that
1/ MS are releasing the source code to potentially hostile foreign governments (China, Russia), but *not* to (say) security researchers etc. who might get something useful out of it for the benefit of Windows users in general.
2/ MS are not releasing buildable or complete source, there is no way to tell if the source accura