China Prepares To Examine MS Windows Code
Stargoat writes "CNet reports that China is looking into MS's source code for Windows. They are looking both to increase security as well as perhaps create a Chinese version of Linux. Or are they perhaps concerned with rumors of deliberate holes left in the software for the NSA to exploit?" Here's an earlier Slashdot post about the Microsoft-China agreement.
What do you bet that a new form of Wine/Linux will show up in China with much better capabilities!
I prefer the "u" in honour as it seems to be missing these days.
looking at Windows source code help with a Chinese version of Linux?
When I am king, you will be first against the wall.
What's the use of inspecting some offsite code when you have ABSOLUTELY NO WARRANTY that the code you're looking at is the one that is delivered in your compiled version?
In my language we have an expression for that, that could be roughly translated to trying to stop the wind with a fork.
I'm trying to get modded "Interesting Flamebait Informative and Insightful Redundant Troll" *-* Please Help *-*
Don't know about any backdoors in Windows, but we all certainly have reason to distrust any OS sponsored by the Chinese government. They may have adopted a friendlier demeanor, but the folks who gave us Tiananmen still run the place.
-- Slashdot: When Public Access TV Says "No"
Then the entire security model rests in NSA translators knowing the traditional Chinese word for RCP and the servers having enough bandwidth to support VNC or Terminal Server.
The NSA won't bother with any backdoors beyond a possible inclusion of Systran translation software.
You can't judge a book by the way it wears its hair.
It would be interesting to see if the Chinese can type 'make' (or whatever is the MS Windows equivalent) and end up with something that is bitwise identical to what MS ships as part of a standard distribution. If they cannot do this, one has to question why not? And we will be left with the suspicion that there is something that MS doesn't want the Chinese to see (be that different MS or NSA code).
2) Besides, being closed source and Microsoft, are they going to be able to [practically] compile Windows and compare it to the actual version? Why do I doubt it?
3) Even if you get to look at the source, then you'd have to look at the source of every security patch that comes your way too, because otherwise you can just put a hole in one of your patches and pretend it fixes such and such. I mean, it's not like this hasn't been done before (German police, Java Anonymous Proxy).
But then again Microsoft is probably just doing this for show anyway - bribe a few key officials so that there are too few people with too tight a schedule to examine all-too-much of bloaty code, and there you have it - "oh the code was examined and was ok" even though it's just a formality.
I say stay away from Microsoft on principle when you need to be sure that you are secure.
My life in the land of the rising sun.
reports have said that the search for backdoors installed by national intelligence agencies is also among the aims of the agreement.
MS drone Bob: Did you remember to send those CDs of the source code to the Chinese?
MS drone Dave: Yes, I did it this morning. Posted it Express delivery!
MS drone Bob: You did remember to send the version with the backdoors taken out, didn't you?
MS drone Dave: D'oh! [Slaps forehead]
Microsoft has announced GSP agreements with Russia, NATO and the United Kingdom
Hmmm. Last I checked, the UK was part of NATO. Unless, of course, they are talking about two separate organizations, i.e., the NATO offices and the government offices of the UK.
It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change.
Outgoing connexions are as much of a problem as incoming. If the software calls home to transmit information, there's not much you can do.
It doesn't even have to be automatic; a properly crafted answer to a software update request could trigger the transmission of information, for instance.
And even if the code the Chinese govt sees doesn't have any hole, what of the patches they WILL have to apply to their systems?
Bottom line: The only solution to having a computer that can't spy on you is having full access to the code that's running on it, both at install time and after...
One shall speak only if what one has to say is more beautiful than silence
With all that in mind, I'd say any advantage the NSA can get, it would take. And with THAT in mind, I think it's perfectly reasonable for the Chinese government to fully inspect any operating system it may run.
Luck favors the prepared, darling.
What about them running Windows Update with these machines? In 6 months' time and after many security patches ;) the code is not going to be the same. So what is to stop MS coding something in a patch that restores any backdoors that they might have removed? Is the Chinese government going to examine the code for every critical update and service pack it installs?
(\(\
(^.^)
(")")
*This is the cute bunny virus, please copy this into your sig so it can spread
And one assumes from this that the Chinese government can infiltrate the NSA mainframes.
Does that make you feel safe?
>This is not very different from certain South American and African countries that demanded and received the formulae to certain drugs and then turned around and started making their own.
That was a GOOD thing, saving thousands of human lives who otherwise could not afford medicine. Withholding a lifesaving medicine for your own profit is not a very nice thing to do.
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
1) MS shows Windows source to China, then produces kick-ass version of Linux. Kick-assedness taken back into mainstream Linux, thanks to the GPL.
2) MS has a look at shiny new-kick-assedness Linux source (hey, it's open!), spots something similar to the code they showed China (or similar enough to please a finned lawyer-shark), sues everyone who ever used Linux, everyone who ever met them, and some people who look like them.
3) Profit!!! (by destroying, or at least hurting, many Linux vendors, and setting back the 'political' progress Linux has made with big business).
Clearly a level of exaggeration in there, but I wouldn't put it past those wily scoundrels at MS to be hoping for something like this...
Game dev and music blog
I haven't seen anything reported on Slashdot or anywhere else that would "solve the problem of software piracy" and make China a huge market for Microsoft at the same time...
--Mark
"It is nice to know that the computer understands the problem. But I would like to understand it too." --Eugene Wigner
Don't know about any backdoors in Red Flag Linux, but we all certainly have reason to distrust any OS sponsored by the American government. They may have adopted a friendlier demeanor, but the folks who gave us Hiroshima, Nagasaki, Vietnam, the genocide of the First Nation, the CIA-sponsored overthrows of democratically elected governments in various South American states, the illegal invasions of Iraq and Afghanistan, and the lovely freedom of Guantanamo Bay still run the place.
Considering China's respect of Intellectual Property, and their desire to create a custom version of Linux to break the Microsoft monopoly, what is to prevent China from looking at the Windows Source, and then taking the good parts out and inserting them into Linux (or derivative utilities)? What if they saw how the whole Active Directory authentication stuff worked, and enhanced Samba?
I mean that could really be interesting. Genuine MS protocols in the Linux kernel. Microsoft would be pissed because of IP theft (à la SCO). But what could Microsoft do? Sue China?
Interestingly, Rediff is reporting that the India govt. has not shown any interest in the offer made to it.
At least so far :)...
I'm going to beat on the conspiracy drum just a little bit... I think so far all the comments I've read missed this little tidbit:
Given the source, and given their manpower, and given all the recent news in security forums about how full of holes Windows is... if *you* got access to the source of the OS that the U.S. Federal Government is using, wouldn't YOU be spending every waking moment of all YOUR software hackers trying to find ways to exploit vulnerabilities in Windows? It would not take more than a few infected computers and poof! there go parts of the U.S. Government... and the British and any other country fool enough to trust Microsoft "security."
Admittedly, they have a tough job ahead of them, since nothing like the security they need has ever been seen on such a scale before in all of human histor... oh wait a minute, I forgot about the BSDs... whoops! Sorry about that! (Yes, I know they've got their holes, too, but those holes are much fewer and far between!)
Given the sheer numbers of the computers that have Windows on them that the government uses, the probability that *all* of them are secure and protected from attack via an email or a web viewing with IE is absolutely zero.
I know this *sounds* a bit kooky... but it's also realistic enough to be believable.
I read the article and noted that other governments are also talking with Microsoft... but China appears that it's going to be the first, and this concerns me.
"Sometimes the truth is stupid." - Lawrence, creator of Prime Intellect
Did anyone else notice that it was soon after Ballmer testified in the anti-trust sit-com about how revealing Microsoft's source code would be a national security threat, that China and several eastern European countries bought into Microsoft's Shared Source initiative?
The only solution to having a computer that can't spy on you is having full access to the code that's running on it, both at install time and after...
You'd have to read and understand all the code, and then compile from that code. Something I am willing to bet very, very, few people do for every piece of software they run.
Even then, you'd be vulnerable to compiler-based attacks, although I don't know if anyone has successfully pulled that off.
Regarding firewalls, I hope you're aware that you can filter outgoing traffic as easily as incoming. Regarding the malicious service masquerading as a legitimate one, the only solution to that is cryptographic signing for authentication, and even then, you are still trusting the party to not do anything malicious, the signing just proves that the person is who you think it is.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
I thought that the US Government didn't get to inspect the code. Why does Microsoft allow China to inspect that which the US can't? Isn't this essentially giving the Chinese government insight into Windows that even the NSA doesn't have? Doesn't that essentially give them an advantage for dealing with Windows? Has Apple Computer signed a similar agreement? Why doesn't China just switch to OSX?
[Disclaimer: I'm not involved in any negotiation or anything, just heard this from someone whose boss is an insider. So take this with a big grain of salt!]
Actually, it's not exactly true. Here are a few of the conditions that have been brought up by China, the main reasons being that China must be able to verify what MS claims.
I've not asked about the issues about the patches, as I consider it to be a waste of time, and China should be concentrating money and energy on improving Linux, or heck, if we don't want to release the code changes, we can take one of the BSDs too.
I cannot even begin to think how large a US national security risk this is. Our military is highly dependent on MS systems. To have foreign nationals peering at the code that runs your military systems is just simply unacceptable. Having source to the system does not necessarily cause a breach but it sure does help. Proprietary operating systems are a national security risk and should be treated as such.
Got Code?
It is called Red Flag Linux and has been around for a couple of years.
I've never understood the kind of schizophrenia that /.'ers approach NSA with.
On one hand, they wrote SELinux, which _no one_ has been able to find any deliberate backdoors in. It is exactly what they said it was: a security-enhanced, hardened Linux.
Yet, on the other hand, we accuse NSA of rigging Windows with backdoors for them. Can we at least make up our minds on whether NSA believes in deliberate backdoors or not? It strikes me that the only "evidence" of an NSA backdoor in Windows was the infamous NSAkey brouhaha, but this is _hardly_ hard proof of anything.
If NSA can use a backdoor, then so, theoretically, can enemy governments. That's hardly good security, and if there's one thing that NSA knows, it's good security.
-Erwos
Plausible conjecture should not be misrepresented as proof positive.
... China laughs.
Bill Gates would be like, "it wasn't supposed to be funny!"
But it is.
j.
We should try not to forget that during the MS antitrust trial, MS VP for Windows Jim Allchin testified that it would be a threat to US national security for the code to Windows to be revealed:
A senior Microsoft Corp. executive told a federal court last week that sharing information with competitors could damage national security and even threaten the U.S. war effort in Afghanistan. He later acknowledged that some Microsoft code was so flawed it could not be safely disclosed.
Now, they are showing this same code to the Chinese government? Has anyone asked them why this should be OK? Are they trying to endanger US interests with a fierce competitor? Or were they blatantly lying at the trial? And in either case, is anybody going to do anything about it?
We're too busy playing "enlightened liberal" and trying to feel superior because we're against the grain by being overly critical of American actions and ignoring the atrocities of foreign countries! Stopping WWII after being attacked out of the blue (so much for isolationist America) is now an aggressive evil.
It's okay for Saddam to have stayed in power and continued torturing and stealing from his own people, because then we wouldn't have gone in "illegally" to overthrow their government.
"Sufferin' succotash."
Having worked closely with Chinese developers (and companies) in China, Hong Kong, and Singapore over the last ten years I can tell you right now what the outcome of this inspection will be: "We can do it better!"
They have absolutely no intention whatsoever to buy or use Windows. They will develop their own OS (probably based on Linux) and copy anything and everything they can from Windows while proudly proclaiming that they did it all themselves, and that it's much better than that "imperialist crap" from the West.
Obviously he was exaggerating to make a point, but the argument could be made (and has been in many other posts under other stories), that the US government does in a way 'sponsor' Windows. They certainly use a lot of it, they let them off the hook on that whole Sherman act thing, etc... no, they didn't write it, but they have the effect of promoting it.
For your second comment, I note that you left out the part about illegal invasions (illegal by international law for those who are confused). Seems to me that part alone is plenty to be comparable to Tiananmen Square.
It may be true that people trivialize the brutality of the Chinese, but I'd argue that even more people trivialize the brutality the US has shown. I'm not making a comparison between the two, because really how can you? Both are horrible in their own separate ways. And as an American, I'm personally MUCH more concerned with the actions of my own government than those of a foreign power. Really, who are we to complain to the Chinese, or anyone else for that matter, if we can't keep ourselves in check?
Why would the NSA rely on Microsoft to create security holes in Windows? If Microsoft cannot be trusted to patch holes they mistakenly placed in the OS, how can the NSA trust them to actually produce reliable security holes for breaching? I'm sure the NSA has viewed Microsoft code long before. All it would take would be to use Echelon's combined computing power for probably a couple of minutes and they could find all the hidden BSD code buried deep within...
"Right now, somewhere in this world, Scott Baio is plowing a woman he doesn't love," - Peter Griffin, *Family Guy*