Slashdot Mirror


China Prepares To Examine MS Windows Code

Stargoat writes "CNet reports that China is looking into MS's source code for Windows. They are looking both to increase security as well as perhaps create a Chinese version of Linux. Or are they perhaps concerned with rumors of deliberate holes left in the software for the NSA to exploit?" Here's an earlier Slashdot post about the Microsoft-China agreement.

11 of 468 comments

  1. Would You Trust a Chinese OS? by reallocate · · Score: 5, Insightful

    Don't know about any backdoors in Windows, but we all certainly have reason to distrust any OS sponsored by the Chinese government. They may have adopted a friendlier demeanor, but the folks who gave us Tiananmen still run the place.

    --
    -- Slashdot: When Public Access TV Says "No"
  2. if Chinese government servers run Windows by SHEENmaster · · Score: 3, Insightful

    Then the entire security model rests in NSA translators knowing the traditional Chinese word for RCP and the servers having enough bandwidth to support VNC or Terminal Server.

    The NSA won't bother with any backdoors beyond a possible inclusion of Systran translation software.

    --
    You can't judge a book by the way it wears its hair.
  3. not going to help by lingqi · · Score: 4, Insightful
    1) as this post has pointed out, just because you get to look at the source does not mean it's secure. (the post is from Jeremy Allison on the security of Samba servers)

    2) Besides, being closed source and microsoft, are they going to be able to [practically] compile windows and compare it to the actual version? Why do I doubt it?

    3) even if you get to look at the source, then you'd have to look at the source of every security patch that comes your way too, because otherwise you can just put a hole in one of your patches and pretend it fixes such and such. I mean, it's not like this hasn't been done before (German police, Java Anonymous Proxy).

    But then again Microsoft is probably just doing this for show anyway - bribe a few key officials so that there are too few people with too tight a schedule to examine all-too-much of bloaty code, and there you have it - "oh the code was examined and was ok" even though it's just a formality.

    I say stay away from Microsoft on principle when you need to be sure that you are secure.

    --

    My life in the land of the rising sun.

  4. Re:What's the use? by spektr · · Score: 3, Insightful

    Depending on the amount of source code provided you could of course compile it and compare the resulting binaries.

    Microsoft doesn't give you a compilable version of their code. That's the point.
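The "compile it and compare the binaries" check the two posters are discussing, as an added example that is not part of this thread: a rebuilt Windows image almost never matches the shipped one byte for byte, because the COFF file header carries a build timestamp, so a useful comparison masks that field before hashing and reports the first differing offset when the code itself differs. The PE offsets used (e_lfanew at 0x3C, TimeDateStamp at COFF offset 4) are part of the PE format; the sample images are constructed PE-shaped blobs, not real executables.

```python
import hashlib
import struct

# Fixed by the PE/COFF layout: the DOS header field e_lfanew at 0x3C points
# to "PE\0\0", the 20-byte COFF file header follows, and its TimeDateStamp
# occupies bytes 4..8 of that header.
PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C
COFF_TIMESTAMP_OFFSET = 4

def coff_timestamp_span(image: bytes):
    """Return (start, end) of the COFF TimeDateStamp field; reject non-PE input."""
    if len(image) < E_LFANEW_OFFSET + 4 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", image, E_LFANEW_OFFSET)[0]
    if image[pe_off:pe_off + 4] != PE_SIGNATURE:
        raise ValueError("not a PE image: missing PE signature")
    start = pe_off + len(PE_SIGNATURE) + COFF_TIMESTAMP_OFFSET
    return start, start + 4

def normalized_digest(image: bytes) -> str:
    """SHA-256 of the image with the build timestamp zeroed out."""
    start, end = coff_timestamp_span(image)
    return hashlib.sha256(image[:start] + b"\0\0\0\0" + image[end:]).hexdigest()

def compare_builds(rebuilt: bytes, shipped: bytes) -> dict:
    """Compare a locally rebuilt PE image against the shipped one.
    Reports an exact match, a match ignoring the timestamp, and the first
    differing byte offset (None when the two images are identical)."""
    first_diff = next((i for i, (a, b) in enumerate(zip(rebuilt, shipped)) if a != b), None)
    if first_diff is None and len(rebuilt) != len(shipped):
        first_diff = min(len(rebuilt), len(shipped))  # one image is a prefix of the other
    return {
        "exact_match": rebuilt == shipped,
        "match_ignoring_timestamp": normalized_digest(rebuilt) == normalized_digest(shipped),
        "first_diff_offset": first_diff,
    }

def make_sample_pe(timestamp: int, body: bytes) -> bytes:
    """Constructed minimal PE-shaped blob for the demo (not a runnable executable)."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (E_LFANEW_OFFSET - 2) + struct.pack("<I", pe_off)
    # Machine (i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 0, 0)
    return dos + PE_SIGNATURE + coff + body

if __name__ == "__main__":
    shipped = make_sample_pe(0x5F000000, b"code-section-bytes")
    rebuilt = make_sample_pe(0x60000000, b"code-section-bytes")   # same code, later build time
    tampered = make_sample_pe(0x60000000, b"code-section-bytez")  # one code byte changed
    print(compare_builds(rebuilt, shipped))   # differs only in the timestamp
    print(compare_builds(tampered, rebuilt))  # differs in the code itself
```

Real Windows images also embed a PE checksum, link-time strings and signing data that a faithful comparison has to account for; this masks only the field that changes on every rebuild.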

  5. Re:and if they steal it? by radja · · Score: 4, Insightful

    >This is not very different from certain South American and African countries that demanded and received the formulae to certain drugs and then turned around and started making their own.

    that was a GOOD thing, saving thousands of human lives who otherwise could not afford medicine. withholding a lifesaving medicine for your own profit is not a very nice thing to do.

    --

    No one can understand the truth until he drinks of coffee's frothy goodness.
    --Sheikh Abd-Al-Kadir, 1587
  6. Would You Trust an American OS? by Anonymous Coward · · Score: 4, Insightful

    Don't know about any backdoors in Red Flag Linux, but we all certainly have reason to distrust any OS sponsored by the American government. They may have adopted a friendlier demeanor, but the folks who gave us Hiroshima, Nagasaki, Vietnam, the genocide of the First Nation, the CIA-sponsored overthrows of democratically elected governments in various South American states, the illegal invasions of Iraq and Afghanistan, and the lovely freedom of Guantanamo Bay still run the place.

    1. Re:Would You Trust an American OS? by Mr.+Show · · Score: 3, Insightful

      From the CIA world factbook entry on the USA:

      International organization participation: AfDB, ANZUS, APEC, ARF (dialogue partner), AsDB, ASEAN (dialogue partner), Australia Group, BIS, CE (observer), CERN (observer), CP, EAPC, EBRD, ECE, ECLAC, ESCAP, FAO, G-5, G-7, G- 8, G-10, IADB, IAEA, IBRD, ICAO, ICC, ICCt (signatory), ICFTU, ICRM, IDA, IEA, IFAD, IFC, IFRCS, IHO, ILO, IMF, IMO, Interpol, IOC, IOM, ISO, ITU, MINURSO, MIPONUH, NAM (guest), NATO, NEA, NSG, OAS, OECD, OPCW, OSCE, PCA, SPC, UN, UN Security Council, UNCTAD, UNHCR, UNIKOM, UNITAR, UNMEE, UNMIBH, UNMIK, UNMISET, UNMOVIC, UNOMIG, UNRWA, UNTSO, UNU, UPU, WCL, WCO, WHO, WIPO, WMO, WTrO, ZC
      From here you can do your own research into which international laws the US is bound by. Or am I being overly optimistic?

      Yeah, but what does this dump of acronyms prove exactly? Did the World Health Organization, just to pick one, pass some kind of resolution that said the US could not invade Iraq? You have to understand the specific international laws relevant to Iraq, and have at least a loose understanding of how law works generally. Simply citing that the US is a member of ASEAN does not make your case. For example, the US argued with some merit (regardless of whether you agree with it) that Iraq stood in violation of some 12 or 13 UN resolutions requiring it to "disarm," including the most recent resolution 1441 passed unanimously by the Security Council last February (if memory serves). That resolution warned of "serious consequences" if Iraq did not disarm, and at the time of the invasion, the US government was making the case that Iraq had not disarmed and therefore "serious consequences" would ensue.

      It does not matter whether or not you agree with this interpretation. What matters is that the language was sufficiently vague to allow for this interpretation. The language was also sufficiently vague for countries that opposed the war to plausibly argue that the US needed more explicit authorization from the Security Council before resorting to force. But given the "serious consequences" mentioned in 1441, and given the previous 12 years of UN resolutions demanding certain action by Iraq (which no one in a position of authority in any country seriously believes they ever obeyed), the US would probably be acquitted if brought before an international court, assuming standards of proof similar to those in US courts (beyond a reasonable doubt). But you have to understand that in February, when 1441 was passed, the US knew it was going to invade Iraq almost regardless of what they did to disarm. Therefore why would the US write a resolution (and it wrote 1441 itself) that it knew it was going to probably break in a few months? No, instead it gave itself enough flexibility in the language to do what it wanted to do "within the law." Such is the nature of international relations, and such is the way it will probably always be.

  7. Couple of questions by tsetem · · Score: 5, Insightful

    Considering China's respect of Intellectual Property, and their desire to create a custom version of Linux to break the Microsoft monopoly, what is to prevent China from looking at the Windows Source, and then taking the good parts out and inserting them into Linux (or derivative utilities)? What if they saw how the whole Active Directory authentication stuff worked, and enhanced Samba?

    I mean that could really be interesting. Genuine MS protocols in the Linux kernel. Microsoft would be pissed because of IP theft (ala SCO). But what could Microsoft do? Sue China?

    1. Re:Couple of questions by fermion · · Score: 3, Insightful
      I don't think it matters. MS is looking at a situation where its products are being rejected by large portions of the world. The only reason that MS can use closed standards and be so firm on copyrights is because they own most of the OS on all of the computers that matter. If the world standardizes on another OS, then MS will have to open up its software just so the west can do business with the east.

      So this probably poses no net loss to them. If the source ploy works then they win because the government will use Windows and therefore the citizens will be more comfortable using Windows as well.

      If the Chinese government looks at the source and copies the protocols into their Linux, MS still wins. MS will be able to keep the standards closed in the west, where they make most of the money, while still being able to advertise that the systems will communicate with those in the east.

      If the Chinese government releases the Linux source with the borrowed MS protocols, then MS wins doubly. There is no way that those enhancements will be included in a western Linux, and it would be very difficult to independently engineer the enhancements in such a way that there would not be significant copyright issues.

      In any case, MS can change the protocol at any time, as it did with its IM service, or even purposefully create messages that will break the competing service, as it did to Navigator.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  8. Timing by Nishi-no-wan · · Score: 4, Insightful

    Did anyone else notice that it was soon after Ballmer testified in the anti-trust sit-com about how revealing Microsoft's source code would be a national security threat, that China and several eastern European countries bought into Microsoft's Shared Source initiative?

  9. Re:What's the use? by wawannem · · Score: 3, Insightful

    What you are referring to isn't a true example. It is a theoretical example.

    It is clearly presented in Ken Thompson's famous paper "Reflections on Trusting Trust." It is a very good point, how much can you trust, well, trust...

    I trust things to the extent that, if such exploits exist, I would be 0wn3d and there would be nothing I could do about it...

    However, so would everyone else, and I am sure there are much more interesting machines to r00t than mine. By the time the l337 haxx0rz got to my machine, the exploit would have been discovered and made headlines...

    I have spent a little time in IRC, and I read /. I know that doesn't make me an authority, but I have learned that most of these black hat types are so driven to earn karma from others that they couldn't keep a secret if their livelihood depended on it. To me that means, if they knew about it, so would everyone else in the world. Also, if they find out about the existence of any exploits like this, they would blab.

    Therefore, I don't lose any sleep over it, and I figure I'll deal with the problems as they are discovered, and not ponder how many ways a compiler can insert malicious code.