China Prepares To Examine MS Windows Code
Stargoat writes "CNet reports that China is looking into MS's source code for Windows. They are looking both to increase security as well as perhaps create a Chinese version of Linux. Or are they perhaps concerned with rumors of deliberate holes left in the software for the NSA to exploit?" Here's an earlier Slashdot post about the Microsoft-China agreement.
Don't know about any backdoors in Windows, but we all certainly have reason to distrust any OS sponsored by the Chinese government. They may have adopted a friendlier demeanor, but the folks who gave us Tiananmen still run the place.
-- Slashdot: When Public Access TV Says "No"
Then the entire security model rests on NSA translators knowing the traditional Chinese word for RCP and the servers having enough bandwidth to support VNC or Terminal Server.
The NSA won't bother with any backdoors beyond a possible inclusion of Systran translation software.
You can't judge a book by the way it wears its hair.
2) Besides, being closed source and Microsoft, are they going to be able to [practically] compile Windows and compare it to the actual version? Why do I doubt it?
3) Even if you get to look at the source, then you'd have to look at the source of every security patch that comes your way too, because otherwise you can just put a hole in one of your patches and pretend it fixes such and such. I mean, it's not like this hasn't been done before (German police, Java Anonymous Proxy).
But then again Microsoft is probably just doing this for show anyway - bribe a few key officials so that there are too few people with too tight a schedule to examine all-too-much of bloaty code, and there you have it - "oh the code was examined and was ok" even though it's just a formality.
I say stay away from Microsoft on principle when you need to be sure that you are secure.
My life in the land of the rising sun.
Depending on the amount of source code provided you could of course compile it and compare the resulting binaries.
Microsoft doesn't give you a compilable version of their code. That's the point.
Outgoing connections are as much of a problem as incoming. If the software calls home to transmit information, there's not much you can do.
It doesn't even have to be automatic; a properly crafted answer to a software update request could trigger the transmission of information, for instance.
And even if the code the Chinese govt sees doesn't have any hole, what about the patches they WILL have to apply to their systems?
Bottom line: The only solution to having a computer that can't spy on you is having full access to the code that's running on it, both at install time and after...
One shall speak only if what one has to say is more beautiful than silence
>This is not very different from certain South American and African countries that demanded and received the formulae to certain drugs and then turned around and started making their own.
That was a GOOD thing, saving thousands of human lives who otherwise could not afford medicine. Withholding a lifesaving medicine for your own profit is not a very nice thing to do.
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
1) MS shows Windows source to China, then produces kick-ass version of Linux. Kick-assedness taken back into mainstream Linux, thanks to the GPL.
2) MS has a look at shiny new-kick-assedness Linux source (hey, its open!), spots something similar to the code they showed China (or similar enough to please a finned lawyer-shark), sues everyone who ever used Linux, everyone who ever met them, and some people who look like them.
3) Profit!!! (by destroying, or at least hurting, many Linux vendors, and setting back the 'political' progress Linux has made with big business.)
Clearly a level of exaggeration in there, but I wouldn't put it past those wily scoundrels at MS to be hoping for something like this...
Game dev and music blog
Don't know about any backdoors in Red Flag Linux, but we all certainly have reason to distrust any OS sponsored by the American government. They may have adopted a friendlier demeanor, but the folks who gave us Hiroshima, Nagasaki, Vietnam, the genocide of the First Nation, the CIA-sponsored overthrows of democratically elected governments in various South American states, the illegal invasions of Iraq and Afghanistan, and the lovely freedom of Guantanamo Bay still run the place.
Considering China's respect for intellectual property, and their desire to create a custom version of Linux to break the Microsoft monopoly, what is to prevent China from looking at the Windows source, and then taking the good parts out and inserting them into Linux (or derivative utilities)? What if they saw how the whole Active Directory authentication stuff worked, and enhanced Samba?
I mean that could really be interesting. Genuine MS protocols in the Linux kernel. Microsoft would be pissed because of IP theft (ala SCO). But what could Microsoft do? Sue China?
Just out of interest, have you ever used VS.NET? Say what you will about their OSes, but VS is an amazingly well built IDE.
Mother is the best bet and don't let Satan draw you too fast.
Don't y'all get it? The next cut of Windows will sell for $30 in China while selling for $300 here. Just take a look at what the drug manufacturers, clothes manufacturers, and book publishers are doing. It's very frustrating when your classmates show up with their Prentice-Hall textbooks that cost $6 in India while you paid over $60 in the USA and the only difference is theirs says "International Edition" and "Not for sale in the USA".
In fact, I'll bet the deal went more like this:
MSFT: Let us sell windows.
China: We want the money.
MSFT: You can get a cut, call it tax.
China: Our people don't have much money.
MSFT: We'll charge whatever the market will bear.
So now Gates has to make a "Chinese" version that cannot be made to run with the English language, to avoid people selling $30 Chinese Windows for use in the USA.
Did anyone else notice that it was soon after Ballmer testified in the anti-trust sit-com about how revealing Microsoft's source code would be a national security threat, that China and several eastern European countries bought into Microsoft's Shared Source initiative?
> The only solution to having a computer that can't spy on you is having full access to the code that's running on it, both at install time and after...
You'd have to read and understand all the code, and then compile from that code. Something I am willing to bet very, very few people do for every piece of software they run.
Even then, you'd be vulnerable to compiler-based attacks, although I don't know if anyone has successfully pulled that off.
Regarding firewalls, I hope you're aware that you can filter outgoing traffic as easily as incoming. Regarding the malicious service masquerading as a legitimate one, the only solution to that is cryptographic signing for authentication, and even then, you are still trusting the party to not do anything malicious, the signing just proves that the person is who you think it is.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
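The compiler-based attack mentioned in the reply above is the one Ken Thompson described in "Reflections on Trusting Trust", and it is exactly the case where the "compile it yourself and compare the resulting binaries" suggestion from earlier in the thread is not enough. The following is an added example, not code from any post in this thread: a toy model in which a "binary" is just Python source text that gets exec'd and a "compiler" is a function translating source text to binary text. The login program, the secret "hunter2", the backdoor password "letmein", the compilers and every helper name are constructed for the demonstration; the detection step is David A. Wheeler's diverse double-compiling (DDC), applied to the toy.

```python
"""Toy model of Ken Thompson's "Reflections on Trusting Trust" attack and of
two checks against it: rebuild-from-source-and-compare, and diverse
double-compiling (DDC). Added example, not code from any post in the thread.
A "binary" here is Python source text that we exec(); a "compiler" is a
function that turns source text into binary text. All programs, the secret
and the backdoor password are constructed placeholders for the demo."""
import hashlib

# Constructed sample program: the thing the attacker wants a backdoor in.
LOGIN_SRC = '''
SECRET = "hunter2"
def login(pw):
    return pw == SECRET
'''

# Honest compiler source. In this toy, translation is the identity, so the
# "binary" is the same text; a reviewer reading this source sees nothing odd.
CLEAN_COMPILER_SRC = '''
def compile(src):
    return src
'''

# A second, independently written honest compiler, used as the trusted
# reference for DDC. It only has to be semantically equivalent, not identical.
INDEPENDENT_COMPILER_BIN = '''
def compile(src):
    return "" + src
'''

# The trojan: a self-reproducing wrapper around whatever compile() exists.
# Compiling a login program -> a backdoor is spliced in. Compiling a compiler
# -> a copy of this wrapper is appended, so the trojan survives a rebuild from
# clean, audited source. The %r / %% quine trick yields an exact self-copy.
TROJAN_TEMPLATE = '''
TROJAN_TEMPLATE = %r
_honest_compile = compile
def compile(src):
    out = _honest_compile(src)
    if "def login(" in src:
        out = out.replace("return pw == SECRET",
                          "return pw == SECRET or pw == 'letmein'")
    if "def compile(" in src:
        out += TROJAN_TEMPLATE %% TROJAN_TEMPLATE
    return out
'''
TROJAN = TROJAN_TEMPLATE % TROJAN_TEMPLATE

CLEAN_COMPILER_BIN = CLEAN_COMPILER_SRC               # bootstrapped honestly
TROJANED_COMPILER_BIN = CLEAN_COMPILER_BIN + TROJAN   # what the vendor ships


def load(binary: str) -> dict:
    """'Run' a binary: exec the text and return its namespace."""
    ns: dict = {}
    exec(binary, ns)
    return ns

def run_compiler(compiler_bin: str, src: str) -> str:
    return load(compiler_bin)["compile"](src)

def login_accepts(login_bin: str, pw: str) -> bool:
    return bool(load(login_bin)["login"](pw))

def same_binary(a: str, b: str) -> bool:
    """The 'compile it yourself and compare the binaries' check."""
    return hashlib.sha256(a.encode()).digest() == hashlib.sha256(b.encode()).digest()

def ddc_trustworthy(suspect_bin: str, compiler_src: str, trusted_bin: str) -> bool:
    """Diverse double-compiling (Wheeler): build compiler_src with an independent
    trusted compiler, use that result to build compiler_src again, and compare
    with what the suspect binary produces from the same source. Assumes
    deterministic builds, which the toy trivially has."""
    stage1 = run_compiler(trusted_bin, compiler_src)
    stage2 = run_compiler(stage1, compiler_src)
    return same_binary(stage2, run_compiler(suspect_bin, compiler_src))

def demo() -> dict:
    honest_login = run_compiler(CLEAN_COMPILER_BIN, LOGIN_SRC)
    evil_login = run_compiler(TROJANED_COMPILER_BIN, LOGIN_SRC)
    # Rebuild the compiler from its clean source using the shipped binary, the
    # way a review-the-source-then-recompile process would.
    rebuilt = run_compiler(TROJANED_COMPILER_BIN, CLEAN_COMPILER_SRC)
    return {
        "clean_rejects_backdoor": not login_accepts(honest_login, "letmein"),
        "trojaned_accepts_backdoor": login_accepts(evil_login, "letmein"),
        # The rebuilt compiler still backdoors login although its source is clean.
        "trojan_survives_rebuild": login_accepts(
            run_compiler(rebuilt, LOGIN_SRC), "letmein"),
        # Naive rebuild-and-compare is fooled: rebuilt == shipped, byte for byte.
        "naive_compare_fooled": same_binary(rebuilt, TROJANED_COMPILER_BIN),
        # DDC against an independent compiler flags the trojan, passes the clean one.
        "ddc_flags_trojan": not ddc_trustworthy(
            TROJANED_COMPILER_BIN, CLEAN_COMPILER_SRC, INDEPENDENT_COMPILER_BIN),
        "ddc_passes_clean": ddc_trustworthy(
            CLEAN_COMPILER_BIN, CLEAN_COMPILER_SRC, INDEPENDENT_COMPILER_BIN),
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The point of the "naive_compare_fooled" result is the one the thread circles around: recompiling audited source with the vendor's own compiler and getting an identical binary proves nothing if that compiler is the thing carrying the hole. DDC works because the trusted compiler is independent of the suspect one, so the attacker would have to have subverted both.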
> Just out of interest, have you ever used VS.NET? Say what you will about their OSes, but VS is an amazingly well built IDE.
Yes, I use it all day, every day, and I just don't see what the big deal is. Those who have confined themselves to the VB ghetto the past ten years are wowed; ditto those who have been using textpad, but having used other IDEs in the past 5-10 years (Delphi, Eclipse, JBuilder), I just don't see the big deal. It's well-built, but it's a rehash of other products. I wouldn't call it "amazing". The web service tools are the only really impressive part I've found that differentiates it from other IDEs. And I hate that I am confined to one OS for every piece of software that I ever write with this thing. I certainly wouldn't use it if I wasn't getting paid to.
Take a look at Eclipse, and I will put money that VS 2005 (or whatever) will "innovate" many features of that IDE, like the very nice lightbulb feature. And those who only get their news from MSDN emails will praise Microsoft for being so fresh and innovative.
Assuming that software is made more secure because access to the source code is restricted is a bad policy as it is just another form of security by obscurity. Even if the Chinese government didn't have the source code to Windows there would be nothing to stop them from reverse-engineering it. It would take them longer, but if they wanted to find holes then I'm sure they could.
In fact, you could even argue that closed-source favours the "bad guys" because only someone who stands to gain personally would want to invest their time in reverse-engineering and decompiling proprietary code. A better option is to design your software well and make the source code available to everyone, that way you're making it easier for people to find bugs and are more likely to get told about them when they do.
Indeed...Actually, the NT kernel is considered a very advanced piece of technology. I'd heard many developers blast the Linux kernel in comparison. It's all the cruft written on top that sometimes causes problems (just like in Linux, amusingly).
"Sufferin' succotash."
We're too busy playing "enlightened liberal" and trying to feel superior because we're against the grain by being overly critical of American actions and ignoring the atrocities of foreign countries! Stopping WWII after being attacked out of the blue (so much for isolationist America) is now an aggressive evil.
It's okay for Saddam to have stayed in power and continued torturing and stealing from his own people, because then we wouldn't have gone in "illegally" to overthrow their government.
"Sufferin' succotash."
What you are referring to isn't a true example. It is a theoretical example.
It is clearly presented in Ken Thompson's famous paper "Reflections on Trusting Trust." It is a very good point: how much can you trust, well, trust...
I trust things to the extent that, if such exploits exist, I would be 0wn3d and there would be nothing I could do about it...
However, so would everyone else, and I am sure there are much more interesting machines to r00t than mine. By the time the l337 haxx0rz got to my machine, the exploit would have been discovered and made headlines...
I have spent a little time in IRC, and I read /. I know that doesn't make me an authority, but I have learned that most of these black hat types are so driven to earn karma from others that they couldn't keep a secret if their livelihood depended on it. To me that means, if they knew about it, so would everyone else in the world. Also, if they find out about the existence of any exploits like this, they would blab.
Therefore, I don't lose any sleep over it, and I figure I'll deal with the problems as they are discovered, and not ponder how many ways a compiler can insert malicious code.
Having worked closely with Chinese developers (and companies) in China, Hong Kong, and Singapore over the last ten years I can tell you right now what the outcome of this inspection will be: "We can do it better!"
They have absolutely no intention whatsoever to buy or use Windows. They will develop their own OS (probably based on Linux) and copy anything and everything they can from Windows while proudly proclaiming that they did it all themselves, and that it's much better than that "imperialist crap" from the West.
Why would the NSA rely on Microsoft to create security holes in Windows? If Microsoft cannot be trusted to patch holes they mistakenly placed in the OS, how can the NSA trust them to actually produce reliable security holes for breaching? I'm sure the NSA has viewed Microsoft code long before. All it would take would be to use Echelon's combined computing power for probably a couple of minutes and they could find all the hidden BSD code buried deep within...
"Right now, somewhere in this world, Scott Baio is plowing a woman he doesn't love," - Peter Griffin, *Family Guy*