China Prepares To Examine MS Windows Code

Stargoat writes "CNet reports that China is looking into MS's source code for Windows. They are looking both to increase security as well as perhaps create a Chinese version of Linux. Or are they perhaps concerned with rumors of deliberate holes left in the software for the NSA to exploit?" Here's an earlier Slashdot post about the Microsoft-China agreement.

Whats the use?

[zaroastra]

whats the use of inspecting some offsite code when you have ABSOLUTELY NO WARRANTY that the code you're looking at is the one that is delivered in your compiled version?
In my language we have an expresion for that, that could be roughly tranlated to trying to stop the wind with a fork.

Re:Whats the use?

[rupe]

Even that is not enough. They code might require the use of Microsofts compiler.

True example, the famous hole in cc, that whenever it noticed that it was compiling "login.c" would introduce a backdoor. Not only that but whenever it noticed it was compiling itself would reintroduce the same code, so that even by inspecting the compiler source you couldnt find the exploit.

Details can be found on google.

Can China regerate a standard build ?

[Alain+Williams]

It would be interesting to see if the Chinese can type 'make' (or whatever is the MS Windows equivalent) and end up with something that is bit wise identical to what MS ships as part of a standard distribution. If they cannot do this, one has to question why not ? and we will be left with the suspicion that there is something that MS doesn't want the Chinese to see (be that different MS or NSA code).

Why would you think that?

[Nijika]

While I'm sure that the NSA is no slouch when it comes to computer infiltration, I've never been one to believe that they've got some magical super powers outside the realm of known technical limitations. Let's not forget that most of what any government says it can do is a large percentage smoke and mirrors to keep the public feeling safe (PATRIOT missles) or unsafe (PATRIOT act) as it may be. On top of that the Chinese have never been pushovers when it comes to technology. They're in the asia pacific region, which is undoubtably a world hotspot for technological advances. Hell, the PC you're using right now is probably 60% chinese and 90% asian in manufacture and design.

With all that in mind, I'd say any advantage the NSA can get, it would take. And with THAT in mind, I think it's perfectly reasonable for the Chinese government to fully inspect any operating system it may run.

What about changes made by Windows Update?

[a.koepke]

What about them running windows update with these machines. In 6 months time and after many security patches ;) the code is not going to be the same. So what is to stop MS coding something in a patch that restores any backdoors that they might have removed? Is the Chinese government going to examine the code for every critical update and service pack it installs?

Re:NSA

[CaffeineFreak]

And one assumes from this that the chinese government can infiltrate the NSA mainframes.

Does that make you feel safe?

Funniest line in the article

[Mark_in_Brazil]

Haw haw... Sorry, but there's a throwaway line in the article that just made me laugh:

China--potentially a huge market for Microsoft, once the problem of software piracy is solved--

Riiiiiiiight. And when, exactly will "the problem of software piracy" be solved? And how?
I haven't seen anything reported on Slashdot or anywhere else that would "solve the problem of software piracy" and make China a huge market for Microsoft at the same time...

--Mark

Re:not going to help

[greppling]

As a point in favour of your reasoning: When there was the big debate in Germany about Linux use in the German parliament, there was also the question about Windows source code being made available to the German government.

But the source code would never have been allowed to go to the BSI (Federal agency of IT security), which would be the only department of the government with

• the resources
• the competence

for just a partial audit of the sources. So I agree all this shared-source is just a PR stunt.

Rumors said that...

[2Bits]

A couple of posts already mentioned that MS is not gonna give China compilable code, etc. Here's what I heard.

[Disclaimer: I'm not involved in any negotiation or anything, just heard this from someone whose boss is an insider. So take this with a big grain of salt!]

Actually, it's not exactly true. Here are a few of the conditions that have been brought up by China, the main reasons being that China must be able to verify what MS claims.

• MS must provide the compilable source code
  
• China must send a team to MS (to the Redmond campus actually, not sure if they would be allowed to get into the building of Windows engineering team) to learn how to build it, and have some training about the Windows internals
  
• MS must show how to do the build and a way to compare the final binary with the binary distributed by MS
  

I've not asked about the issues about the patches, as I consider it to be a waste of time, and China should be concentrating money and energy on improving Linux, or heck, if we don't want to release the code changes, we can take one of the BSDs too.