Slashdot Mirror
MS Cites National Security to Justify Closed Source
guacamolefoo writes: "It was recently reported in eWeek that "A senior Microsoft Corp. executive told a federal court last week that sharing information with competitors could damage national security and even threaten the U.S. war effort in Afghanistan. He later acknowledged that some Microsoft code was so flawed it could not be safely disclosed."
(Emphasis added.) The follow up from Microsoft is even better: As a result of the flaws, Microsoft has asked the court to allow a "national security" carve-out from the requirement that any code or API's be made public. Microsoft has therefore taken the position that their code is so bad that it must kept secret to keep people from being killed by it. Windows - the Pinto of the 21st century."
War is always the best excuse. One of my favorite cartoons on this is Mark Fiore's, at http://markfiore.com/animation/excuse.html. :)
qslack.com
When in doubt, raise concerns about terrorism, or inappropriately use 9/11 as a crutch. The new coin of Washington (both east and west it seems).
Nothing will ever be the same again indeed.
"Uhh, the judge is acting pissed. Did you see the way she looked at us when she said 'Obey the court'?"
"Yeah, how can we BS her on this?"
"Uhh, maybe we can find a link to terrorism?"
"YEA! That's it! We can't comply, because of National Security"
Harmph....
www.eFax.com are spammers
Worrying isn't it?
If the code is so bad as to be dangerous, shouldn't the government make them recall the code and return a properly functioning version?
If a car was dangerous enough to possibly cause death, wouldn't the government require a recall? Wouldn't the media jump on them like rabid wolves like they did Firestone? Wouldn't people avoid the things like they did Firestone?
The Pinto was never as dangerous as M$ products.
Well, at least I hope it doesn't. A comment like this from a Microsoft bigwig doesn't sound encouraging... Mid-air GPF anyone? *ouch*
From the story:
> The protocol, which is part of Message Queuing,
> contains a coding mistake that would threaten the
> security of enterprise systems using it if it were
> disclosed, Allchin said.
Then with all the billions and billions of dollars M$ has hanging out in the bank, why not hire someone and FIX THE PROBLEM. What's the problem with doing the things that make sense?!
Single best thing M$ could do to improve their product security is to adopt the 'patch often' mindset. Fix something, release a patch, everyone goes home happy.
The bi-annual (exaggeration) security patches they currently do ain't gonna do it.
(From a story posted here)
Peruvian Congressman David Villanueva Nuñez made exactly this argument:
To guarantee national security or the security of the State, it is indispensable to be able to rely on systems without elements which allow control from a distance or the undesired transmission of information to third parties. Systems with source code freely accessible to the public are required to allow their inspection by the State itself, by the citizens, and by a large number of independent experts throughout the world. Our proposal brings further security, since the knowledge of the source code will eliminate the growing number of programs with *spy code*.
In the same way, our proposal strengthens the security of the citizens, both in their role as legitimate owners of information managed by the state, and in their role as consumers. In this second case, by allowing the growth of a widespread availability of free software not containing *spy code* able to put at risk privacy and individual freedoms.
The flaw here is that for windows code to posess the powers they imply, it would need to be a state secret. Perhaps it should be illegal to distribute mission critical osc across us boundaries? Windows code a state secret? I think not, anyone can reverse compile machine code.
Micro$oft should realize that governments do not like security threats they are not able to evaluate themselves. The NSA, for example, cannot sit and tinker with windoze's security holes the way they can with OSC (open source code)...
-Sean
I think that "National Security" here means "the NSA asked us to put xyz into our code, and they'd be unhappy if it had to be removed or became public".
Remember: Cryptanalysis has, and will, always come in fourth place after burglary, blackmail, and bribery.
Tarsnap: Online backups for the truly paranoid
Three things need to happen in order for people to start getting serious about software security and reliability:
1) A software system with 1 or more serious _known_ flaws must be used on a worldwide scale by a government agency or large company.
2) That software must then fail.
3) The failure must cause thousands of deaths or hundreds of billions of dollars in loss or damage.
The result will be like the 9/11 of software...when the world wakes up and realizes that we have become so dependent on software systems for our daily lives that we actually have to start caring whether or not they work correctly. We need to start taking an engineering approach to software and KNOW (not think) that it will operate as advertised.
I'm actually hoping that this will occur sooner than later. The later it happens, the more catastrophic the result will be and the less time we'll have to rectify the problem before it happens again.
At least that is the only explanation I can think of. Their systems are architecturally unsound and plagued by stupid design decisions, unstable interfaces and unsound implementation. It is quite obvious if you look at all the security, stability and usability (ever reinstalled Windoes?) problems they have. In addition they are still adding features like mad, thereby making the problem more serious all the time.
.NET and the motivations and real goals behind them.
My point is that they did not say anything new by admitting the problem. However by admiting it they also admit that they don't really care about security, as they certainly could have done significantly better! This casts a very bad light on other ventures like
So why are they admitting it anyway? In my opinion MS is scared to death that open APIs would also mean stable APIs (i.e. APIs that don't change all the time) and would enable others to make Windows compatible execution environments with relative ease. The sources are also important, because the API documentation MS would give (could?) away is not complete and correct enough. So while it takes a huge effort, competitiors would be able to really find out the complete API functionality and implement it in a way so that things that run on Windows would usually run on competing products without retesting or modifications.
As MS is not really having a good product, just an effective monopoly (by making cloning their API difficult), reasonable documentation of their APIs could kill them. At least that is what I think they believe.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
It's already been revealed that some attacker got into Microsoft's network. Also, CD's with Microsoft's source have been released for various reasons over time. I have no trouble believing that some "bad guys" already have the source code. So, how do the rest of us protect ourselves from these bad guys with the source code? And from the bad guys to come who don't have it yet... but will?
As noted in Secure Programming for Linux and Unix HOWTO, section 2.4.2, closing off source code doesn't actually halt attacks anyway. Here's the quote:
- David A. Wheeler (see my Secure Programming HOWTO)
- reverse gravity
- send the tightly-controlled, stable market into a state of chaos
- put thousands of people out of work (how could MS pay its employees if they gave their products away?)
- bring back Elvis (in the form of MP3s distributed by the masses who were previously restricted by MS DRM)
- cause the judge's personal computer to automatically download pornography every day
Didn't we see this in Ghostbusters?Austria already has it.
Any U.S. University can apply for it now if they don't already have it.
Many of Microsoft's larger customers have it
I don't see why it would be difficult for any terrorist organization to get it. How can they legitimately argue that it may possible be keep it secret at this point? If it's a national security risk to make the code available, the damage can no longer be avoided.
Ryan Fenton
'When pressed for further details, Allchin said he did not want to offer specifics because Microsoft is trying to work on its reputation regarding security. "The fact that I even mentioned the Message Queuing thing bothers me," he said.'
I love that! 'It pains me to admit that our software is dangerously broken, because we're trying really, really hard to convince people that the reputation we have for foisting dangerously broken software on them is totally unfounded.'
I guess if there were trying to work on their actual security, rather than just the reputation, they might act a bit differently (like, by publishing their API's and then working with the security community to get them safe).
-Dan
I have written a truly remarkable operating system which this sig is too small to contain.
After supporting MS's statements that all source should be closed and hidden in order to maintain national security, the US government has agreed to hide all tall buildings. All tall buildings will now be covered with large black clothes. In order to maintain national security, anyone caught talking about these buildings will be arresting. Since terrorists will be unable to clearly see and hear about these buildings, they will no longer be able to attack them. Thank you and good night.
Outdoor digital photography, mostly in New Engl
Stupid job ads, weird spam, occasional insight at
They can name it something like 'Patch Lola Patch.'
I don't want knowledge. I want certainty. - Law, David Bowie
Microsoft's view:
If the software has security flaws, then the code and APIs cannot be made public.
Open source view:
If the code and APIs are made public, then the software does not have security flaws.
So, Microsoft, we are finally in agreement, yes?
To-do List: Receive telemarketing call during a tornado warning. Check.
"Microsoft has invested substantial time and resources in providing great interoperability between .Net and older technologies," Allchin said. "Sun's strategy of promoting '100 percent pure' Java applications discourages interoperability."
So, according to Microsoft, it is better to have one company provide (ie control) the degree of interoperability between systems than to have another company promote a single standard for the whole industry to use and share.
I can't imagine that line of thinking going over very well with military officials used to building redundancy into everything.
You might also paraphase the above statements as follows:
"Microsoft has choosen to ignore freely available and already established standards and instead has wasted substantial time and resources needlessly reinventing the wheel by developing our own internal standards (that we won't share and that we admit are not really very good) so that we can control the degree of interoperability between our proprietary new product, and our former (and soon to be former) competitor's technologies"
"Sun's strategy of creating and sharing a standard that encourages 100% interoperability between all systems discourages interoperability (but only in respect to our systems, because ours are made to be incompatible with the accepted standard that everyone else uses)."
Oh boy, can I please buy your systems for my Army?
My next sig will be ready soon, but friends can beat the rush!
Your Honor, we at Microsoft believe that if we ever revealed the source code for MS Windows, more children would immediately start taking drugs. Husbands would start to beat their wives. Small animals would become uncontrollable, staining many expensive carpets. Certain food-groups would become more perishable. 2nd law of thermodynamics would be repealled. Finally, a giant hole would open up in space time, causing the end of the universe.
Your honor, it is a matter or national security, no international security, no galactic security, that we be allowed to continue our profitable monopoly.
Think she'll buy it?
=brian
Seems to me that either Allchin suffered some stroke or brain damage while in court, or this is all a big red herring.
...
You just don't get to Allchin's level and "accidentally" let slip something like a fundamental vulnerability in a protocol. M$ officials may make mistakes, but not like this. Not in a public forum. Not in front of a judge. Not where every news medium in the world will be covering the story.
My feeling is that this is all a distraction from something else. Every black hat on the planet is now probably checking out the Messaging protocol. My guess is that there's no smoking gun there. But maybe another protocol has problems.
Furthermore, it just doesn't make sense. An API exposes only what you want it to. It doesn't show you the vulnerabilities that exist "under the covers" unless they're titanically, apocalyptically stupid.
I'd like to know what it was that he's distracting us from
Eloi, Eloi, lema sabachtani?
www.fogbound.net
Microsoft is resorting to desperation tactics... they know they've lost.
Actually, this is entirely consistent with MS's strategy all along: it has been arguing that it and its products are so profoundly important to the American economy and security that any remedy which interferes with its ability to act as it pleases should be struck down by the court. Otherwise, everyone will suffer at least as much as MS will.
It's the exact equivalent of a mob boss saying that he shouldn't be imprisoned for running a protection racket, because then he wouldn't be able to protect his customers. Moreover, he wouldn't be able to provide for his innocent wife and children (even though it's been shown he abuses them as well).
Microsoft isn't at all desperate; they're just so arrogant, and so blind to basic security principles, that they don't really see a problem with what they're saying.
In the wrong hands, sanity is a dangerous weapon.
Let me get this straight. The product that Microsoft's monopoly rests upon, the monopoly that they illegally maintained and expanded, is so flawed that it threatens US national security. Did someone from Microsoft REALLY say this? If so, it is clear they have gone mad in Redmond. What do they expect the millions of companies and government agencies to do? Wait until Longhorn, or whatever is ready? And hope all the holes are fixed by then?
"Uhh, sorry Mr. President, the NSA can no longer monitor international communications. Our systems are just too vunerable to hacking to be used. Jim Allchin assured us that a comprehensive fix would be available within 18 months."
"In other news, the US Navy has ordered all AGEIS cruisers into port indefinatley. The AGEIS computer systems were deemed too risky for combat use. The Pentagon would not comment on reports the entire US fleet would require software overhauls before any offensive combat operations could be contemplated."
"World stock markets are today in freefall as most major international corporations raced to secure information systems based on Microsoft's Windows operating system. Some experts estimate that the expense of fixing or replacing mission critical software to provide an adequate level of security would dampen the World economy for a decade."
This goes so far beyond a computer industry issue. Its a staggering admission of guilt. What CIO would be caught dead installing an MS system unless they have absolutly no alternative?
There is also the legal issue. If someone has sustained an economic loss due to "flawed code", that they are using because MS illegally supressed competitive alternatives, then they have a really good case for compensation. And the hardest part, proving that MS illegally manipulated the market, is already done. And they have some tens of billions just sitting around, waiting for the right lawyer to just take away.
He later acknowledged that some Microsoft code was so flawed it could not be safely disclosed.
Somehow, I think that if the US government forbade the use of any Microsoft applications within federal facilities, pending a code review by a neutral 3rd party to identify and fix potential security holes, you'd see Microsoft scramble to get their shyte in gear pretty damn quickly.
As somebody already stated in this thread, Peru has the right idea: open source allows people to public review code for potential security flaws, which is how most bugs are caught anyway -- a fresh pair of eyes takes a peek. Ultimately, there's no way that Microsoft can compete with this code development paradigm -- since there's so much Open Source code "out there", it might spread people's attention out a bit too thinly in places, but over time one would hope that Linux apps will only more secure / stable.
One is sort of chunky and ugly, and she won't let you see her naked, and you pretty much know already that you wouldn't really enjoy it if she did. The other has a slim, beautiful body, and when she takes off her clothes and parades it around, all the men ooh and ahh over it. That's the analogy I like to use. Maybe it isn't 100% correct, but that's the impression I get when you've got MS saying "No, no, you don't want to see our source code!" and meanwhile, you've got these open source softwares that are taking it all off, and saying "hey, baby, look at THESE!" Microsoft is NOT sexy. Linux, apache, and all of those wonderful open source projects ARE. But this is just how I see it. I mean, if I was to go on a date with a woman, and she proudly told me that she has an MCSA certification, I'd probably politely nod, but secretly be planning on my escape (maybe run away after telling her I had to use the restroom). On the other hand, if she told me that she had her own php based website, and that her text editor of choice was vim, then I'd be all weak-kneed and googly-eyed, and I'd want her to have my children. But again, that's just me. I don't know how it is for other people. I mean, I may not really UNDERSTAND beautiful women, but I sure like to look at them. So, I don't think there's any action required, as in "let's get rid of Microsoft." I think that it's really just a matter of educating the masses that there's an alternative, and it looks good naked. Or as you might say, it's a lot safer because the code can be (and is) made public without compromising national security.
I work for a defense contractor and have had to put up with this for years. I suppose MS can go this route if they really want to. They're already bloated enough; add government security procedures to the mix and they'll become every bit as agile and responsive as any other constituent of the Military-Industrial Complex.
Boy, that'd be a hoot.
And the brethren went away edified.
>The basic fact of religion is that God has
... 1st person evidence please.
>stated many times that He doesn't want to be
>easily found--hence, no fact should be hard to
>accept for anyone of a religious mind.
prove that "god" "said" this.
i'll accept *.wav's or *.mp3's or *.ogg's
... hi bingo