Slashdot Mirror


China Prepares To Examine MS Windows Code

Stargoat writes "CNet reports that China is looking into MS's source code for Windows. They are looking both to increase security as well as perhaps create a Chinese version of Linux. Or are they perhaps concerned with rumors of deliberate holes left in the software for the NSA to exploit?" Here's an earlier Slashdot post about the Microsoft-China agreement.

23 of 468 comments

  1. Cool by WindBourne · · Score: 2, Interesting

    What do you bet that a new form of Wine/Linux will show up in China with much better capabilities!

    --
    I prefer the "u" in honour as it seems to be missing these days.
  2. What's the use? by zaroastra · · Score: 5, Interesting

    What's the use of inspecting some offsite code when you have ABSOLUTELY NO WARRANTY that the code you're looking at is the one that is delivered in your compiled version?
    In my language we have an expression for that, which could be roughly translated as trying to stop the wind with a fork.

    --
    I'm trying to get modded "Interesting Flamebait Informative and Insightful Redundant Troll" *-* Please Help *-*
    1. Re:What's the use? by rupe · · Score: 4, Interesting

      Even that is not enough. The code might require the use of Microsoft's compiler.

      True example: the famous hole in cc, which, whenever it noticed that it was compiling "login.c", would introduce a backdoor. Not only that, but whenever it noticed it was compiling itself it would reintroduce the same code, so that even by inspecting the compiler source you couldn't find the exploit.

      Details can be found on Google.

    2. Re:What's the use? by zeds · · Score: 2, Interesting
      Background: I used to work at a government security testing / certification lab.

      It's actually worse than the above poster stated.

      If Microsoft is cooperating with the NSA in the name of national security, it will be nearly impossible for the Chinese to detect any cleverly planted backdoors, even with full access to source code. Why?

      1. Who said the source code is functionally equivalent to the binary?

      2. Even if it is, if the source will only compile with a Microsoft-supplied compiler, who says the compiler hasn't been subverted to insert backdoors into the source code? Ken Thompson used this attack to put backdoors into Unix.

      3. Access to the compiler source code? But if it only compiles itself, the binary compiler can still subvert the newly compiled one. So how do you verify source code / binary equivalence?

      4. Even if the Chinese have some magic way to solve the preceding points, detecting deliberately obfuscated backdoors in the source code can be made VERY VERY difficult. Imagine a backdoor (or backdoors) deliberately distributed across millions of lines of code.

      5. Do the Chinese realize how secure a default installation of Windows is? Not very. So now you have to audit a continuing stream of updates, for the same clever subversions described earlier.

      6. Even without deliberately planted backdoors, Windows is littered with holes. The level of sophistication of those that have been discovered and published (without access to source code) have been very basic. This strongly implies poor programming rigor on Microsoft's part from a security standpoint. So there are probably thousands, if not tens of thousands of security holes in Windows.

      Unix was developed in the early 70s, it's been open source for a while, and a community process has gradually discovered increasingly sophisticated classes of security vulnerability. Windows doesn't have that community process. It enjoys access to the techniques developed by the security community, but not their effort.

      7. The complexity of Windows is mind-boggling, and it's very poorly designed from a security standpoint. Everything is overly complex and bloated. Even the security APIs are overly complex and bloated. And that's supposed to be a feature! Unless the Chinese have secretly been developing magic auditing technologies far beyond the state of the art the rest of the world has, they have NO WAY of subduing that complexity and producing a secure version of Windows to use.

      8. Since Windows is simply poorly designed (security-wise), producing a secure version would require substantial high-level changes. Doing that while keeping backwards compatibility, ease-of-use, etc. would be very expensive, even for Microsoft which has 40 billion spare cash lying around. Ain't gonna happen.

      Conclusion: The Chinese aren't stupid, they realize all of the above. So the real reason they're auditing Windows is:

      1. to find security holes for their own nefarious purposes, in the OS the world's only superpower (not to mention the rest of the world) is using in military, government and commercial networks. I highly doubt the Chinese will publish anything they find on the security mailing lists.

      2. Chinese intelligence could easily have gotten access to Windows source code before (spies, hackers, leaked Microsoft shared source initiatives). They could compare that with the official version given to them by Microsoft, assuming Microsoft and the NSA were stupid enough about editing the source code to remove the obvious NSA backdoor.

      Then again, perhaps everything is just as innocent as it seems. Microsoft isn't cooperating with the NSA. The Chinese really do want to use Windows, and will publish everything they find in a friendly manner to the rest of us.

      Right.

  3. Can China regenerate a standard build? by Alain+Williams · · Score: 4, Interesting

    It would be interesting to see if the Chinese can type 'make' (or whatever is the MS Windows equivalent) and end up with something that is bit-wise identical to what MS ships as part of a standard distribution. If they cannot do this, one has to question why not? And we will be left with the suspicion that there is something that MS doesn't want the Chinese to see (be that different MS or NSA code).
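The compiler-level worry raised in the replies above (the cc/login.c story and "how do you verify source code / binary equivalence?") has a published answer: David A. Wheeler's diverse double-compiling (DDC). The block below is an added illustration, not code from the thread; it models a toy compiler as a byte string whose first line is its behaviour tag, so that a self-propagating compiler can be built and then caught. The compiler source, the login source, the "trusted" independent compiler and the "suspect" bootstrapped binary are all constructed stand-ins.

```python
"""Diverse double-compiling (DDC) against a toy compiler model.
Added illustration; the sources, binaries and tags are constructed."""
import hashlib

# Constructed stand-ins for "the compiler source" and "login.c".
COMPILER_SOURCE = "toy-cc v1: emit a tag line, then sha256(input)"
LOGIN_SOURCE = "login.c: compare the typed password with the stored hash"


def _faithful_output(source: str) -> bytes:
    """What a correct toy compiler emits: a tag line plus a digest of the input.
    The output depends only on the source, so every correct compiler agrees."""
    tag = b"COMPILER:CLEAN" if source == COMPILER_SOURCE else b"PROGRAM"
    return tag + b"\n" + hashlib.sha256(source.encode()).hexdigest().encode()


def run_compiler(binary: bytes, source: str) -> bytes:
    """Execute a toy compiler binary.  Its first line is its behaviour tag.
    A TROJAN binary compiles everything faithfully except the two cases that
    make the Thompson attack invisible to review of the compiler's source."""
    tag = binary.split(b"\n", 1)[0]
    out = _faithful_output(source)
    if tag == b"COMPILER:TROJAN":
        if source == COMPILER_SOURCE:
            # Recognises its own source and re-inserts itself into the new binary.
            out = out.replace(b"COMPILER:CLEAN", b"COMPILER:TROJAN", 1)
        elif source == LOGIN_SOURCE:
            # Toy marker standing in for the extra code planted into login.
            out += b"\n# (toy) extra check inserted by the compiler"
    return out


# A compiler built by an independent party we trust (say, a different vendor's
# toolchain) and a self-bootstrapped binary whose provenance we cannot verify.
TRUSTED_COMPILER = _faithful_output(COMPILER_SOURCE)
SUSPECT_COMPILER = TRUSTED_COMPILER.replace(b"CLEAN", b"TROJAN", 1)


def ddc_check(suspect: bytes, trusted: bytes, compiler_source: str) -> dict:
    """Wheeler's DDC: build the compiler source with the trusted compiler
    (stage 1), rebuild it with stage 1 (stage 2), and compare stage 2 with what
    the suspect compiler produces from the same source.  If the suspect is a
    faithful compilation of that source the two must be bit-identical."""
    stage1 = run_compiler(trusted, compiler_source)
    stage2 = run_compiler(stage1, compiler_source)
    rebuilt_by_suspect = run_compiler(suspect, compiler_source)
    return {
        "matches": stage2 == rebuilt_by_suspect,
        "stage2": stage2,
        "suspect_output": rebuilt_by_suspect,
    }


if __name__ == "__main__":
    # Source review sees the same COMPILER_SOURCE in both chains...
    verdict = ddc_check(SUSPECT_COMPILER, TRUSTED_COMPILER, COMPILER_SOURCE)
    print("suspect compiler passes DDC:", verdict["matches"])
    # ...but the binaries disagree, and so do their compilations of login.
    print("login output differs:",
          run_compiler(SUSPECT_COMPILER, LOGIN_SOURCE)
          != run_compiler(TRUSTED_COMPILER, LOGIN_SOURCE))
    print("faithful compiler passes DDC:",
          ddc_check(TRUSTED_COMPILER, TRUSTED_COMPILER, COMPILER_SOURCE)["matches"])
```

The check only means something under two conditions: the compiler must be deterministic (the same source always yields the same bytes), and the trusted compiler must be genuinely independent of the suspect one. It also answers only the compiler question; it says nothing about holes that are present in the Windows source itself.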

  4. NATO and the United Kingdom by fritz1968 · · Score: 2, Interesting

    Microsoft has announced GSP agreements with Russia, NATO and the United Kingdom

    Hmmm. Last I checked, the UK was part of NATO. Unless, of course, they are talking about two separate organizations, i.e., the NATO offices and the government offices of the UK.

    --
    It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change.
  5. Why would you think that? by Nijika · · Score: 5, Interesting
    While I'm sure that the NSA is no slouch when it comes to computer infiltration, I've never been one to believe that they've got some magical super powers outside the realm of known technical limitations. Let's not forget that most of what any government says it can do is a large percentage smoke and mirrors to keep the public feeling safe (PATRIOT missiles) or unsafe (PATRIOT Act) as it may be. On top of that the Chinese have never been pushovers when it comes to technology. They're in the Asia Pacific region, which is undoubtedly a world hotspot for technological advances. Hell, the PC you're using right now is probably 60% Chinese and 90% Asian in manufacture and design.

    With all that in mind, I'd say any advantage the NSA can get, it would take. And with THAT in mind, I think it's perfectly reasonable for the Chinese government to fully inspect any operating system it may run.

    --
    Luck favors the prepared, darling.
  6. What about changes made by Windows Update? by a.koepke · · Score: 4, Interesting

    What about them running Windows Update with these machines? In 6 months' time and after many security patches ;) the code is not going to be the same. So what is to stop MS coding something in a patch that restores any backdoors that they might have removed? Is the Chinese government going to examine the code for every critical update and service pack it installs?

    --


    (\(\
    (^.^)
    (")")
    *This is the cute bunny virus, please copy this into your sig so it can spread
  7. Re:NSA by CaffeineFreak · · Score: 4, Interesting

    And one assumes from this that the Chinese government can infiltrate the NSA mainframes.

    Does that make you feel safe?

  8. Funniest line in the article by Mark_in_Brazil · · Score: 5, Interesting
    Haw haw... Sorry, but there's a throwaway line in the article that just made me laugh:
    China--potentially a huge market for Microsoft, once the problem of software piracy is solved--
    Riiiiiiiight. And when, exactly, will "the problem of software piracy" be solved? And how?
    I haven't seen anything reported on Slashdot or anywhere else that would "solve the problem of software piracy" and make China a huge market for Microsoft at the same time...

    --Mark
    --
    "It is nice to know that the computer understands the problem. But I would like to understand it too." --Eugene Wigner
  9. Re:not going to help by greppling · · Score: 4, Interesting
    As a point in favour of your reasoning: When there was the big debate in Germany about Linux use in the German parliament, there was also the question about Windows source code being made available to the German government.

    But the source code would never have been allowed to go to the BSI (Federal agency of IT security), which would be the only department of the government with

    • the resources
    • the competence
    for just a partial audit of the sources. So I agree all this shared-source is just a PR stunt.
  10. India doesn't want it? by krishy · · Score: 2, Interesting

    Interestingly, rediff is reporting that the India govt. has not shown any interest in the offer made to it

    At least so far :)...

  11. Nope... it's something ELSE by mgessner · · Score: 2, Interesting

    I'm going to beat on the conspiracy drum just a little bit... I think so far all the comments I've read missed this little tidbit:

    Given the source, and given their manpower, and given all the recent news in security forums about how full of holes Windows is... if *you* got access to the source of the OS that the U.S. Federal Government is using, wouldn't YOU be spending every waking moment of all YOUR software hackers trying to find ways to exploit vulnerabilities in Windows? It would not take more than a few infected computers and poof! there go parts of the U.S. Government... and the British and any other country fool enough to trust Microsoft "security."

    Admittedly, they have a tough job ahead of them, since nothing like the security they need has ever been seen on such a scale before in all of human histor... oh wait a minute, I forgot about the BSDs... whoops! Sorry about that! (Yes, I know they've got their holes, too, but those holes are much fewer and far between!)

    Given the sheer numbers of the computers that have Windows on them that the government uses, the probability that *all* of them are secure and protected from attack via an email or a web viewing with IE is absolutely zero.

    I know this *sounds* a bit kooky... but it's also realistic enough to be believable.

    I read the article and noted that other governments are also talking with Microsoft... but China appears that it's going to be the first, and this concerns me.

    --
    "Sometimes the truth is stupid." - Lawrence, creator of Prime Intellect
  12. Re:Couple of questions by The_DOD_player · · Score: 2, Interesting

    It would be extremely bad if China were to do such a thing. Microsoft would have all the best ammo imaginable against the OS movement (communism, destruction of intellectual property etc.).

    Microsoft might not be able to do very much against China, but rest assured that they WOULD do a lot of damage to anyone else using the code ripped off by China.

    This would effectively fork Linux, and possibly a lot of other OSS projects, into a China version and a "rest of the world" version.

    Bad bad bad!!!

  13. Is the US Government to Inspect the code too? by Zarf · · Score: 2, Interesting

    I thought that the US Government didn't get to inspect the code. Why does Microsoft allow China to inspect that which the US can't? Isn't this essentially giving the Chinese government insight into Windows that even the NSA doesn't have? Doesn't that essentially give them an advantage for dealing with Windows? Has Apple Computer signed a similar agreement? Why doesn't China just switch to OS X?

  14. Rumors said that... by 2Bits · · Score: 4, Interesting
    A couple of posts already mentioned that MS is not gonna give China compilable code, etc. Here's what I heard.

    [Disclaimer: I'm not involved in any negotiation or anything, just heard this from someone whose boss is an insider. So take this with a big grain of salt!]

    Actually, it's not exactly true. Here are a few of the conditions that have been brought up by China, the main reasons being that China must be able to verify what MS claims.
    • MS must provide the compilable source code
    • China must send a team to MS (to the Redmond campus actually, not sure if they would be allowed to get into the building of Windows engineering team) to learn how to build it, and have some training about the Windows internals
    • MS must show how to do the build and a way to compare the final binary with the binary distributed by MS

    I've not asked about the issues about the patches, as I consider it to be a waste of time, and China should be concentrating money and energy on improving Linux, or heck, if we don't want to release the code changes, we can take one of the BSDs too.
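The third condition in the post above (a way to compare the final binary with the binary distributed by MS) and the earlier question about what Windows Update does to an audited build both come down to the same check: rebuild from the audited source and compare the result byte for byte with what was shipped. The block below is an added illustration, not code from the thread or from any Microsoft build tooling. It assumes a constructed toy artifact layout (a BUILD-TIME header line followed by code bytes) in which the build timestamp is the only field documented to vary between honest rebuilds; every other difference is reported as unexplained, with its byte offsets.

```python
"""Compare a locally rebuilt artifact with the vendor-shipped one.
Added illustration; the artifact format and sample binaries are constructed."""
import hashlib
import re

# Constructed artifact layout: a build-time header line, then the code bytes.
# A build timestamp is the classic source of benign bit differences.
BUILD_TIME_RE = re.compile(rb"^BUILD-TIME:[^\n]*\n")


def normalize(artifact: bytes) -> bytes:
    """Blank the one header field documented to vary between honest rebuilds.
    Nothing else is excused; every other byte must match."""
    return BUILD_TIME_RE.sub(b"BUILD-TIME:<normalized>\n", artifact, count=1)


def differing_ranges(a: bytes, b: bytes) -> list:
    """Byte offsets [start, end) where two artifacts disagree, including any
    length difference at the tail."""
    ranges, start = [], None
    for i in range(max(len(a), len(b))):
        if a[i:i + 1] != b[i:i + 1]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, max(len(a), len(b))))
    return ranges


def compare_build(local: bytes, vendor: bytes) -> dict:
    """Report whether a rebuild reproduces the shipped binary, first exactly,
    then after stripping the known-variable header.  Any remaining difference
    is unexplained and says exactly where to look."""
    local_n, vendor_n = normalize(local), normalize(vendor)
    return {
        "identical": local == vendor,
        "identical_after_normalization": local_n == vendor_n,
        "sha256_local": hashlib.sha256(local_n).hexdigest(),
        "sha256_vendor": hashlib.sha256(vendor_n).hexdigest(),
        "unexplained_ranges": differing_ranges(local_n, vendor_n),
    }


# Constructed sample artifacts: the same code built on two days, and a shipped
# binary carrying extra bytes the audited source does not account for.
CODE = b"MZ" + bytes(range(32)) + b"call check_password\nret\n"
VENDOR_BINARY = b"BUILD-TIME:2003-03-01T10:00:00Z\n" + CODE
LOCAL_REBUILD = b"BUILD-TIME:2003-03-02T08:15:42Z\n" + CODE
TAMPERED_BINARY = b"BUILD-TIME:2003-03-01T10:00:00Z\n" + CODE + b"jmp extra_path\n"

if __name__ == "__main__":
    for name, shipped in (("vendor", VENDOR_BINARY), ("tampered", TAMPERED_BINARY)):
        r = compare_build(LOCAL_REBUILD, shipped)
        print(name, "identical:", r["identical"],
              "after normalization:", r["identical_after_normalization"],
              "unexplained:", r["unexplained_ranges"])
```

The same routine applies to each patch or service pack: the update is a new artifact, so it gets rebuilt from its own audited source and compared again. The list of excused fields should be short and written down in advance; an artifact whose differences cannot be explained by that list has not been verified, whatever the vendor says about it.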
  15. Re:Would You Trust an American OS? by Anonymous Coward · · Score: 1, Interesting
    Which international statute did the US violate?

    The one which says it's illegal to invade another country without a UN mandate?

  16. national security risk by codepunk · · Score: 2, Interesting

    I cannot even begin to think how large a US national security risk this is. Our military is highly dependent on MS systems. To have foreign nationals peering at the code that runs your military systems is just simply unacceptable. Having source to the system does not necessarily cause a breach, but it sure does help. Proprietary operating systems are a national security risk and should be treated as such.

    --


    Got Code?
  17. NSA backdoors? by Erwos · · Score: 3, Interesting

    I've never understood the kind of schizophrenia that /.'ers approach the NSA with.

    On one hand, they wrote SELinux, which _no one_ has been able to find any deliberate backdoors in. It is exactly what they said it was: a security-enhanced, hardened Linux.

    Yet, on the other hand, we accuse the NSA of rigging Windows with backdoors for them. Can we at least make up our minds on whether the NSA believes in deliberate backdoors or not? It strikes me that the only "evidence" of an NSA backdoor in Windows was the infamous NSAKEY brouhaha, but this is _hardly_ hard proof of anything.

    If NSA can use a backdoor, then so, theoretically, can enemy governments. That's hardly good security, and if there's one thing that NSA knows, it's good security.

    -Erwos

    --
    Plausible conjecture should not be misrepresented as proof positive.
  18. Get ready for the Chinese UberHackers by TrebleJunkie · · Score: 1, Interesting

    Oh, the Chinese government are looking into Windows code for exploitable holes, and I've no doubt that they're looking to increase security for their own version, but don't count out the possibility that they're looking for those exploitable holes to launch electronic attacks at the US and other democratic, capitalist nations. China has a long history of using American technology to prevent the spread of ideas and democratic ideals -- for instance their custom-built -- by Cisco of all companies -- filter/firewall devices.

    This should have been a red flag -- no pun intended -- to everyone the minute they bought the code.

    (How exactly does one punish the largest software company in the world for treason?)

    --

    Ed R.Zahurak

    You know, oblivion keeps looking better every day.

  19. Re:Would You Trust an American OS? by kalidasa · · Score: 3, Interesting

    Actually, no, the folks who gave us Hiroshima, Nagasaki, Vietnam, CIA sponsored overthrows of South American governments, and the genocide of the Amerinds are all dead or retired; while one of the fellows who came up with the idea of the Tiananmen Square massacre is himself head honcho in China. Read the Tiananmen Papers, for god's sake.

  20. Re:Where's the comparison to Hitler? by ImpTech · · Score: 2, Interesting

    Obviously he was exaggerating to make a point, but the argument could be made (and has been in many other posts under other stories), that the US government does in a way 'sponsor' Windows. They certainly use a lot of it, they let them off the hook on that whole Sherman act thing, etc... no, they didn't write it, but they have the effect of promoting it.

    For your second comment, I note that you left out the part about illegal invasions (illegal by international law, for those who are confused). Seems to me that part alone is plenty to be comparable to Tiananmen Square.

    It may be true that people trivialize the brutality of the Chinese, but I'd argue that even more people trivialize the brutality the US has shown. I'm not making a comparison between the two, because really how can you? Both are horrible in their own separate ways. And as an American, I'm personally MUCH more concerned with the actions of my own government than those of a foreign power. Really, who are we to complain to the Chinese, or anyone else for that matter, if we can't keep ourselves in check?

  21. Re:Would You Trust an American OS? by G+Samsonoff · · Score: 2, Interesting

    Why is it that other countries somehow feel this smug superiority to the US when it comes to "international diplomacy"? Is this based on a demonstrated record of success, or is it some cultural bias thing?

    Sort of reminds me of all the talk in the International Press about how we would never prevail in Afghanistan, did not understand what we were up against, etc, etc. Yeah, right...

    I believe we know a good deal about how well international diplomacy works, and how sometimes it doesn't. That's why we're the ones that took the risk in Iraq (along with the UK, Spain, and others), while the UN sat on the sidelines wringing their hands and figuring out new ways to appease Saddam and the Baathists...

    I think it's time that the international community accepted the fact that some people only understand force; diplomacy does not always work. Since we and our coalition partners had the means to remove Saddam, we had a moral duty to do so while the conditions were right...

    History will be the best judge of who was right.