Slashdot Mirror


MS Cites National Security to Justify Closed Source

guacamolefoo writes: "It was recently reported in eWeek that "A senior Microsoft Corp. executive told a federal court last week that sharing information with competitors could damage national security and even threaten the U.S. war effort in Afghanistan. He later acknowledged that some Microsoft code was so flawed it could not be safely disclosed." (Emphasis added.) The follow up from Microsoft is even better: As a result of the flaws, Microsoft has asked the court to allow a "national security" carve-out from the requirement that any code or APIs be made public. Microsoft has therefore taken the position that their code is so bad that it must be kept secret to keep people from being killed by it. Windows - the Pinto of the 21st century."

20 of 717 comments

  1. War by qslack · · Score: 5, Funny

    War is always the best excuse. One of my favorite cartoons on this is Mark Fiore's, at http://markfiore.com/animation/excuse.html. :)

  2. Nice by jayhawk88 · · Score: 5, Interesting

    When in doubt, raise concerns about terrorism, or inappropriately use 9/11 as a crutch. The new coin of Washington (both east and west it seems).

    Nothing will ever be the same again indeed.

  3. Hypocrites by Telastyn · · Score: 5, Interesting

    If the code is so bad as to be dangerous, shouldn't the government make them recall the code and return a properly functioning version?

    If a car was dangerous enough to possibly cause death, wouldn't the government require a recall? Wouldn't the media jump on them like rabid wolves like they did Firestone? Wouldn't people avoid the things like they did Firestone?

  4. Pintos should be offended... by cansas · · Score: 5, Funny

    The Pinto was never as dangerous as M$ products.

  5. er, by Xzzy · · Score: 5, Insightful

    From the story:

    > The protocol, which is part of Message Queuing,
    > contains a coding mistake that would threaten the
    > security of enterprise systems using it if it were
    > disclosed, Allchin said.

    Then with all the billions and billions of dollars M$ has hanging out in the bank, why not hire someone and FIX THE PROBLEM. What's the problem with doing the things that make sense?!

    Single best thing M$ could do to improve their product security is to adopt the 'patch often' mindset. Fix something, release a patch, everyone goes home happy.

    The bi-annual (exaggeration) security patches they currently do ain't gonna do it.

    1. Re:er, by bobdehnhardt · · Score: 5, Insightful

      Never will happen. Releasing patches often would give the average users the idea that "this software is crap, they keep finding problems with it, that little Updates thingie keeps popping up and annoying me, why didn't they get it right the first time?" Far better to release one mega-patch every 6-9 months, label it a "Service Pack", and stress the "enhancements" over "bug fixes". At least, that's how Microsoft seems to view it.

      Microsoft is all about perception. They learned long ago that they can release pure shite as long as the general public perceives it as good. And that can be accomplished through Marketing, which is much easier to craft and control than Coding....

  6. *Yawn* I think someone from Peru said it best ... by smoondog · · Score: 5, Insightful

    (From a story posted here)

    Peruvian Congressman David Villanueva Nuñez made exactly this argument:

    > To guarantee national security or the security of the State, it is indispensable to be able to rely on systems without elements which allow control from a distance or the undesired transmission of information to third parties. Systems with source code freely accessible to the public are required to allow their inspection by the State itself, by the citizens, and by a large number of independent experts throughout the world. Our proposal brings further security, since the knowledge of the source code will eliminate the growing number of programs with *spy code*.
    >
    > In the same way, our proposal strengthens the security of the citizens, both in their role as legitimate owners of information managed by the state, and in their role as consumers. In this second case, by allowing the growth of a widespread availability of free software not containing *spy code* able to put at risk privacy and individual freedoms.

    The flaw here is that for Windows code to possess the powers they imply, it would need to be a state secret. Perhaps it should be illegal to distribute mission critical osc across US boundaries? Windows code a state secret? I think not, anyone can reverse compile machine code.

    Micro$oft should realize that governments do not like security threats they are not able to evaluate themselves. The NSA, for example, cannot sit and tinker with windoze's security holes the way they can with OSC (open source code)...

    -Sean

  7. National Security means... by cperciva · · Score: 5, Insightful

    I think that "National Security" here means "the NSA asked us to put xyz into our code, and they'd be unhappy if it had to be removed or became public".

    Remember: Cryptanalysis has, and will, always come in fourth place after burglary, blackmail, and bribery.

  8. Fear the future... by Dr.+Bent · · Score: 5, Interesting

    Three things need to happen in order for people to start getting serious about software security and reliability:

    1) A software system with 1 or more serious _known_ flaws must be used on a worldwide scale by a government agency or large company.

    2) That software must then fail.

    3) The failure must cause thousands of deaths or hundreds of billions of dollars in loss or damage.

    The result will be like the 9/11 of software...when the world wakes up and realizes that we have become so dependent on software systems for our daily lives that we actually have to start caring whether or not they work correctly. We need to start taking an engineering approach to software and KNOW (not think) that it will operate as advertised.

    I'm actually hoping that this will occur sooner than later. The later it happens, the more catastrophic the result will be and the less time we'll have to rectify the problem before it happens again.

  9. They must be getting desperate... by gweihir · · Score: 5, Insightful

    At least that is the only explanation I can think of. Their systems are architecturally unsound and plagued by stupid design decisions, unstable interfaces and unsound implementation. It is quite obvious if you look at all the security, stability and usability (ever reinstalled Windows?) problems they have. In addition they are still adding features like mad, thereby making the problem more serious all the time.

    My point is that they did not say anything new by admitting the problem. However by admitting it they also admit that they don't really care about security, as they certainly could have done significantly better! This casts a very bad light on other ventures like .NET and the motivations and real goals behind them.

    So why are they admitting it anyway? In my opinion MS is scared to death that open APIs would also mean stable APIs (i.e. APIs that don't change all the time) and would enable others to make Windows compatible execution environments with relative ease. The sources are also important, because the API documentation MS would give (could?) away is not complete and correct enough. So while it takes a huge effort, competitors would be able to really find out the complete API functionality and implement it in a way so that things that run on Windows would usually run on competing products without retesting or modifications.

    As MS is not really having a good product, just an effective monopoly (by making cloning their API difficult), reasonable documentation of their APIs could kill them. At least that is what I think they believe.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.

  10. Forgot to Mention by guttentag · · Score: 5, Funny

    > ...sharing information with competitors could damage national security and even threaten the U.S. war effort in Afghanistan...

    They forgot to mention it would:

    1. reverse gravity
    2. send the tightly-controlled, stable market into a state of chaos
    3. put thousands of people out of work (how could MS pay its employees if they gave their products away?)
    4. bring back Elvis (in the form of MP3s distributed by the masses who were previously restricted by MS DRM)
    5. cause the judge's personal computer to automatically download pornography every day

    Didn't we see this in Ghostbusters?

    "He wants to shut down the protection grid, Peter."
    "You shut that thing down and we are not going to be held responsible."

  11. Microsoft source code is already available... by RyanFenton · · Score: 5, Informative

    Austria already has it.

    Any U.S. University can apply for it now if they don't already have it.

    Many of Microsoft's larger customers have it.

    I don't see why it would be difficult for any terrorist organization to get it. How can they legitimately argue that it may possibly be kept secret at this point? If it's a national security risk to make the code available, the damage can no longer be avoided.

    Ryan Fenton

  12. Best Quote from Story by danmil · · Score: 5, Insightful

    In case you thought that Microsoft was serious about trying to make their products more secure, check this baby out:

    'When pressed for further details, Allchin said he did not want to offer specifics because Microsoft is trying to work on its reputation regarding security. "The fact that I even mentioned the Message Queuing thing bothers me," he said.'

    I love that! 'It pains me to admit that our software is dangerously broken, because we're trying really, really hard to convince people that the reputation we have for foisting dangerously broken software on them is totally unfounded.'

    I guess if they were trying to work on their actual security, rather than just the reputation, they might act a bit differently (like, by publishing their APIs and then working with the security community to get them safe).

    -Dan

    --

    I have written a truly remarkable operating system which this sig is too small to contain.

  13. In other news by MongooseCN · · Score: 5, Funny

    After supporting MS's statements that all source should be closed and hidden in order to maintain national security, the US government has agreed to hide all tall buildings. All tall buildings will now be covered with large black cloths. In order to maintain national security, anyone caught talking about these buildings will be arrested. Since terrorists will be unable to clearly see and hear about these buildings, they will no longer be able to attack them. Thank you and good night.

  14. Second Best Quote by Lumpish+Scholar · · Score: 5, Funny

    > "Sun's strategy of promoting '100 percent pure' Java applications discourages interoperability."

    That's right; if you write a program that runs on all computers out there, you'll have problems with all those computers being able to communicate with each other.

    --
    Stupid job ads, weird spam, occasional insight at

  15. Just have to say it... by Flower · · Score: 5, Funny

    They need to make a movie with Samuel L. Jackson as a Microsoft programmer just so I can hear the line.

    Send me that service pack. It's the one named, 'Dumbass Motherfucker.'

    They can name it something like 'Patch Lola Patch.'

    --
    I don't want knowledge. I want certainty. - Law, David Bowie

  16. Logical Contrapositive by whovian · · Score: 5, Funny

    Microsoft's view:
    If the software has security flaws, then the code and APIs cannot be made public.

    Open source view:
    If the code and APIs are made public, then the software does not have security flaws.

    So, Microsoft, we are finally in agreement, yes?

    --
    To-do List: Receive telemarketing call during a tornado warning. Check.

  17. Re:Open source and security - some references by gnovos · · Score: 5, Funny

    > This is a particularly absurd claim for application programmer interfaces (APIs) - by definition, APIs are disclosed to other developers, so the only reason to "hide" them is to prevent competition.

    Well, they may have a point though. Their "hidden" APIs can be a big security risk, such as:

    BecomeRootUserWithoutNeedingPassword()
    SecretlyTakeOverMachineinInvisibleMode()
    DecryptAllFilesAndSendPlaintextViaWirelessCard()

    and, of course the one Outlook and Word uses:

    MakeProgramsRun90PercentFasterButTurnOffAllSecurityAndGenerateVirusesWithGeneticAlgorithm()

    --
    "Your superior intellect is no match for our puny weapons!"

  18. Microsoft _can't_ fix it? by Ride-My-Rocket · · Score: 5, Insightful

    > He later acknowledged that some Microsoft code was so flawed it could not be safely disclosed.

    Somehow, I think that if the US government forbade the use of any Microsoft applications within federal facilities, pending a code review by a neutral 3rd party to identify and fix potential security holes, you'd see Microsoft scramble to get their shyte in gear pretty damn quickly.

    As somebody already stated in this thread, Peru has the right idea: open source allows people to publicly review code for potential security flaws, which is how most bugs are caught anyway -- a fresh pair of eyes takes a peek. Ultimately, there's no way that Microsoft can compete with this code development paradigm -- since there's so much Open Source code "out there", it might spread people's attention out a bit too thinly in places, but over time one would hope that Linux apps will only become more secure / stable.

  19. They don't know what they're getting into here by CaptainCarrot · · Score: 5, Insightful

    National security, huh? Does Gates understand that anything that must remain undisclosed for national security reasons is classified? Does he really want to have to deal with everything that entails: Security clearances and background investigations for every one of his employees, periodic audits, regulations that control how every single piece of paper and magnetic media is handled, filed, and disposed of?

    I work for a defense contractor and have had to put up with this for years. I suppose MS can go this route if they really want to. They're already bloated enough; add government security procedures to the mix and they'll become every bit as agile and responsive as any other constituent of the Military-Industrial Complex.

    Boy, that'd be a hoot.

    --
    And the brethren went away edified.