Slashdot Mirror

← Back to Stories (view on slashdot.org)

China Prepares To Examine MS Windows Code

Posted by timothy on from the and-yours-too-if-you'd-like dept.

Stargoat writes "CNet reports that China is looking into MS's source code for Windows. They are looking both to increase security as well as perhaps create a Chinese version of Linux. Or are they perhaps concerned with rumors of deliberate holes left in the software for the NSA to exploit?" Here's an earlier Slashdot post about the Microsoft-China agreement.

30 of 468 comments (clear)

  1. Whats the use? by zaroastra · · Score: 5, Interesting

    whats the use of inspecting some offsite code when you have ABSOLUTELY NO WARRANTY that the code you're looking at is the one that is delivered in your compiled version?
    In my language we have an expresion for that, that could be roughly tranlated to trying to stop the wind with a fork.

    --
    I'm trying to get modded "Interesting Flamebait Informative and Insightful Redundant Troll" *-* Please Help *-*
    1. Re:Whats the use? by ahfoo · · Score: 3, Funny

      Exactly. The security problem with the closed source model doesn't go away because they show you SOME source code. So what? They can show you whatever they please and you'll never be the wiser. The only way around that would be if they allowed the Chinese government to handle distribution as well. That would be interesting.
      Hmm. There ya go. Give the Chinese government the Windows source code and let them distribute it for free. And then, they could let people modify it and enhance it without costing Redmond a thing. It would be like a global coperative effort. We'll call it distributed source. No, something more like free source. No let's see there's got to be a good name for this.

    2. Re:Whats the use? by spektr · · Score: 3, Insightful

      Depending on the amount of source code provided you could ofcourse compile it and compare the resulting binaries.

      Microsoft doesn't give you a compilable version of their code. That's the point.

    3. Re:Whats the use? by rupe · · Score: 4, Interesting

      Even that is not enough. They code might require the use of Microsofts compiler.

      True example, the famous hole in cc, that whenever it noticed that it was compiling "login.c" would introduce a backdoor. Not only that but whenever it noticed it was compiling itself would reintroduce the same code, so that even by inspecting the compiler source you couldnt find the exploit.

      Details can be found on google.

    4. Re:Whats the use? by greenhide · · Score: 4, Informative

      You're talking about Ken Thompson's paper, "Reflections on Trusting Trust".

      I don't believe this ever was a "famous hole in cc". Instead, Ken Thomspon merely pointed out that trust in the code you were compiling was not enough; you would have to trust the compiler as well, which inherently meant you had to trust the compiler compiling that compiler, and so on. Essentially the only compiler you could trust is one you wrote yourself in machine code, otherwise you can't be sure what its compiled, binary form contains.

      Whether anyone ever acted on this potential exploit is up for further research, but for it to be effectively done in Open Source, it could only be executed on a per-machine basis. That is, they'd have to change the compiler on your machine, because if they put the exploit right in publically available source code, it wouldn't be too difficult to find it when the code was reviewed.

      What I find interesting is that this is listed as a "Classic" article, and that page is dated 1995! This idea has been out for a while.

      --
      Karma: Chevy Kavalierma.
    5. Re:Whats the use? by wawannem · · Score: 3, Insightful

      What you are referring to isn't a True example. It is a theoritical example.

      It is clearly presented in Ken Thompson's famous paper "Reflections on Trusting Trust." It is a very good point, how much can you trust, well, trust...

      I trust things to the extent that, if such exploits exist, I would be 0wn3d and there would be nothing I could do about it...

      However, so would everyone else, and I am sure there are much more interesting machines to r00t than mine. By the time the l337 haxx0rz got to my machine, the exploit would have been discovered and made headlines...

      I have spent a little time in IRC, and I read /. I know that doesn't make me an authority, but I have learned that most of these black hat types are so driven to earn karma from others that they couldn't keep a secret if their livelihood depended on it. To me that means, if they knew about it, so would everyone else in the world. Also, if they find out about the existence of any exploits like this, they would blab.

      Therefore, I don't lose any sleep over it, and I figure I'll deal with the problems as they are discovered, and not ponder how many ways a compiler can insert malicious code.

  2. Would You Trust a Chinese OS? by reallocate · · Score: 5, Insightful

    Don't know about any backdoors in Windows, but we all certainly have reason to distrust any OS sponsored by the Chinese government. They may have adopted a friendlier demeanor, but the folks who gave us Tiananmen still run the place.

    --
    -- Slashdot: When Public Access TV Says "No"
    1. Re:Would You Trust a Chinese OS? by dalutong · · Score: 4, Informative

      Well, Deng Xiaoping isn't, unfortunately. He was the greatest leader of China since independence.

      I spent seven years in China, from 1992 to 1999, on U.S. government orders. They have done more than a face-lift. They are not perfect, but they are doing a pretty good job of transitioning their country into modernity. I hope that someday a governmental model similar to ours will be applicable, but it just isn't right now.

      Every country has its own peculiarities. A government system can not be super-imposed. That is what led the the failure of the first communist government in China. This new version, a more malleable one, is close to the right thing. And if you want to speak about what is best while considering the past, this is it.

      They need to continue to evolve base on the market and not on some odd 5 or 10-year plans, but they are doing that.

      --

      What comes first, finding a teacher or becoming a student?
    2. Re:Would You Trust a Chinese OS? by FuzzyBad-Mofo · · Score: 3, Informative

      The USA has also had it's share of killing student protesters, most notably the Kent State massacre .

      I suggest you cast out the mote from your own eye before pointing out the mote in your brother's.

  3. if Chinese government servers run Windows by SHEENmaster · · Score: 3, Insightful

    Then the entire security model rests in NSA translators knowing the traditioonal chinese word for RCP and the servers having enough bandwidth to support VNC or Terminal Server.

    The NSA won't bother with any backdoors beyond a possible inclusion of Systram translation software.

    --
    You can't judge a book by the way it wears its hair.
  4. Can China regerate a standard build ? by Alain+Williams · · Score: 4, Interesting

    It would be interesting to see if the Chinese can type 'make' (or whatever is the MS Windows equivalent) and end up with something that is bit wise identical to what MS ships as part of a standard distribution. If they cannot do this, one has to question why not ? and we will be left with the suspicion that there is something that MS doesn't want the Chinese to see (be that different MS or NSA code).

    1. Re:Can China regerate a standard build ? by bazik · · Score: 5, Funny
      It would be interesting to see if the Chinese can type 'make'[...]

      Actually its
      ./configure --with-bugs --with-bsd-tcp --enable-features=bluescreen,solitaire,minesweeper && make && make kernel32.exe
      --


      --
      One by one the penguins steal my sanity...
  5. not going to help by lingqi · · Score: 4, Insightful
    1) as this post has pointed out, just because you get to look at the source does not mean it's secure. (the post is from Jeremy Allison on the security of Samba servers)

    2) Besides, being closed source and microsoft, are they going to be able to [practically] compile windows and compare it to the actual version? Why do I doubt it?

    3) even if you get to look at the source, then you'd have to look at the source of every security patch that comes your way too, because otherwise you can just put a hole in one of your patches and pretend it fixes such and such. I mean, it's not like this hasn't been done before (Germain police, Java Anonymous Proxy).

    But then again Microsoft is probably just doing this for show anyway - bribe a few key officials so that there are too few people with too tight a schedule to examine all-too-much of bloaty code, and there you have it - "oh the code was examined and was ok" even though it's just a formality.

    I say stay away from Microsoft on principle when you need to be sure that you are secure.

    --

    My life in the land of the rising sun.

    1. Re:not going to help by greppling · · Score: 4, Interesting
      As a point in favour of your reasoning: When there was the big debate in Germany about Linux use in the German parliament, there was also the question about Windows source code being made available to the German government.

      But the source code would never have been allowed to go to the BSI (Federal agency of IT security), which would be the only department of the government with

      • the resources
      • the competence
      for just a partial audit of the sources. So I agree all this shared-source is just a PR stunt.
  6. Backdoors by pubjames · · Score: 5, Funny

    reports have said that the search for backdoors installed by national intelligence agencies is also among the aims of the agreement.

    MS drone Bob: Did you remember to send those CDs of the source code to the Chinese?

    MS drone Dave: Yes, I did it this morning. Posted it Express delivery!

    MS drone Bob: You did remember to send the version with the backdoors taken out, didn't you?

    MS drone Dave: D'oh! [Slaps forehead]

  7. Re:Why on earth would... by richie2000 · · Score: 4, Funny
    Why on earth would looking at Windows source code help with a Chinese version of Linux?

    Can anyone tell us what the Chinese symbols for "What not to do and how not to do it" are?

    --
    Money for nothing, pix for free
  8. Why would you think that? by Nijika · · Score: 5, Interesting
    While I'm sure that the NSA is no slouch when it comes to computer infiltration, I've never been one to believe that they've got some magical super powers outside the realm of known technical limitations. Let's not forget that most of what any government says it can do is a large percentage smoke and mirrors to keep the public feeling safe (PATRIOT missles) or unsafe (PATRIOT act) as it may be. On top of that the Chinese have never been pushovers when it comes to technology. They're in the asia pacific region, which is undoubtably a world hotspot for technological advances. Hell, the PC you're using right now is probably 60% chinese and 90% asian in manufacture and design.

    With all that in mind, I'd say any advantage the NSA can get, it would take. And with THAT in mind, I think it's perfectly reasonable for the Chinese government to fully inspect any operating system it may run.

    --
    Luck favors the prepared, darling.
  9. What about changes made by Windows Update? by a.koepke · · Score: 4, Interesting

    What about them running windows update with these machines. In 6 months time and after many security patches ;) the code is not going to be the same. So what is to stop MS coding something in a patch that restores any backdoors that they might have removed? Is the Chinese government going to examine the code for every critical update and service pack it installs?

    --


    (\(\
    (^.^)
    (")")
    *This is the cute bunny virus, please copy this into your sig so it can spread
  10. Re:NSA by CaffeineFreak · · Score: 4, Interesting

    And one assumes from this that the chinese government can infiltrate the NSA mainframes.

    Does that make you feel safe?

  11. Re:and if they steal it? by radja · · Score: 4, Insightful

    >This is not very different from certain South American and African countries that demanded and received the formulae to certain drugs and then turned around and started making their own.

    that was a GOOD thing, saving thousands of human lives who otherwise could not afford medicine. withholding a lifesaving medicine for your own profit is not a very nice thing to do.

    --

    No one can understand the truth until he drinks of coffee's frothy goodness.
    --Sheikh Abd-Al-Kadir, 1587
  12. Funniest line in the article by Mark_in_Brazil · · Score: 5, Interesting
    Haw haw... Sorry, but there's a throwaway line in the article that just made me laugh:
    China--potentially a huge market for Microsoft, once the problem of software piracy is solved--
    Riiiiiiiight. And when, exactly will "the problem of software piracy" be solved? And how?
    I haven't seen anything reported on Slashdot or anywhere else that would "solve the problem of software piracy" and make China a huge market for Microsoft at the same time...

    --Mark
    --
    "It is nice to know that the computer understands the problem. But I would like to understand it too." --Eugene Wigner
  13. Would You Trust an American OS? by Anonymous Coward · · Score: 4, Insightful

    Don't know about any backdoors in Red Flag Linux, but we all certainly have reason to distrust any OS sponsored by the American government. They may have adopted a friendlier demeanor, but the folks who gave us Hiroshima, Nagasaki, Vietnam, the genocide of the First Nation, the CIA-sponsored overthrows of democratically elected governments in various South American states, the illegal invasions of Iraq and Afghanistan, and the lovely freedom of Guantanamo Bay still run the place.

    1. Re:Would You Trust an American OS? by kalidasa · · Score: 3, Interesting

      Actually, no, the folks who gave us Hiroshima, Nagasaki, Vietnam, CIA sponsored overthrows of South American governments, and the genocide of the Amerinds are all dead or retired; while one of the fellows who came up with the idea of the Tiananmen Square massacre is himself head honcho in China. Read the Tiananmen Papers, for god's sake.

    2. Re:Would You Trust an American OS? by Mr.+Show · · Score: 3, Insightful

      From the CIA world factbook entry on the USA:

      International organization participation: AfDB, ANZUS, APEC, ARF (dialogue partner), AsDB, ASEAN (dialogue partner), Australia Group, BIS, CE (observer), CERN (observer), CP, EAPC, EBRD, ECE, ECLAC, ESCAP, FAO, G-5, G-7, G- 8, G-10, IADB, IAEA, IBRD, ICAO, ICC, ICCt (signatory), ICFTU, ICRM, IDA, IEA, IFAD, IFC, IFRCS, IHO, ILO, IMF, IMO, Interpol, IOC, IOM, ISO, ITU, MINURSO, MIPONUH, NAM (guest), NATO, NEA, NSG, OAS, OECD, OPCW, OSCE, PCA, SPC, UN, UN Security Council, UNCTAD, UNHCR, UNIKOM, UNITAR, UNMEE, UNMIBH, UNMIK, UNMISET, UNMOVIC, UNOMIG, UNRWA, UNTSO, UNU, UPU, WCL, WCO, WHO, WIPO, WMO, WTrO, ZC
      From here you can do your own research into which international laws the US is bound by. Or am I being overly optimistic?

      Yeah, but what does this dump of acronyms prove exactly? Did the World Health Organization, just to pick one, pass some kind of resolution that said the US could not invade Iraq? You have to understand the specific international laws relevant to Iraq, and have at least a loose understanding of how law works generally. Simply citing that the US is a member of ASEAN does not make your case. For example, the US argued with some merit (regardless of whether you agree with it) that Iraq stood in violation of some 12 or 13 UN resolutions requiring it to "disarm," including the most recent resolution 1441 passed unanimously by the Security Council last February (if memory serves). That resolution warned of "serious consequences" if Iraq did not disarm, and at the time of the invasion, the US government was making the case that Iraq had not disarmed and therefore "serious consequences" would ensue.

      It does not matter whether or not you agree with this interpretation. What matters is that the language was sufficiently vague to allow for this interpretation. The language was also sufficiently vague for countries that opposed the war to plausibly argue that the US needed more explicit authorization from the Security Council before resorting to force. But given the "serious consequences" mentioned in 1441, and given the previous 12 years of UN resolutions demanding certain action by Iraq (which no one in a position of authority in any country seriously believes they ever obeyed), the US would probably be acquitted if brought before an international court, assuming standards of proof similar to those in US courts (beyond a reasonable doubt). But you have to understand that in February, when 1441 was passed, the US knew it was going to invade Iraq almost regardless of what they did to disarm. Therefore why would the US write a resolution (and it wrote 1441 itself) that it knew it was going to probably break in a few months? No, instead it gave itself enough flexibility in the language to do what it wanted to do "within the law." Such is the nature of international relations, and such is the way it will probably always be.

  14. Couple of questions by tsetem · · Score: 5, Insightful

    Considering China's respect of Intellectual Property, and their desire to create a custom version of Linux to break the Microsoft monopoly, What is to prevent China from looking at the Windows Source, and then taking the good parts out and inserting them into Linux (or derivative utilities). What if they saw how the whole Active Directory authentication stuff worked, and enhanced Samba?

    I mean that could really be interesting. Genuine MS protocols in the Linux kernel. Microsoft would be pissed because of IP theft (ala SCO). But what could Microsoft do? Sue China?

    1. Re:Couple of questions by fermion · · Score: 3, Insightful
      I don't think it matters. MS is looking at a situation where it's products are being rejected by large portions of the world. The only reason that MS can use close standards and be so firm on copyrights is because they own most of the OS on all of the computers that matter. If the world standardizes on another OS, then MS will have to open up it's software just so the west can do business with the east.

      So this probably poses no net loss to them. If the source ploy works then they win because the government will use windows and therefore the citizens will be more comfortable using widows as well.

      If the chinese government looks at the source and copies the protocols into their linux, MS still wins. MS will be able to keep the standards closed in the west, where they make most of the money, while still be able to advertise that the systems will communicate with those in the east.

      If the chinese government releases the linux source with the borrowed MS protocols, the MS wins doubly. There is no way that those enhancements will be included in a western Linux, and it would be very difficult to independently engineer the enhancements in such a way that there would not be significant copyright issues.

      In any case, MS can change the protocol at any time, as it did with it's IM service, or even purposefully create messages that will break the competing service, as it did to Navigator.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  15. Timing by Nishi-no-wan · · Score: 4, Insightful

    Did anyone else notice that it was soon after Balmer testified in the anti-trust sit-com about how revealing Microsoft's source code would be a national security threat, that China and several eastern European countries bought into Microsoft's Shared Source inititive?

  16. Rumors said that... by 2Bits · · Score: 4, Interesting
    A couple of posts already mentioned that MS is not gonna give China compilable code, etc. Here's what I heard.

    [Disclaimer: I'm not involved in any negotiation or anything, just heard this from someone whose boss is an insider. So take this with a big grain of salt!]
    Actually, it's not exactly true. Here are a few of the conditions that have been brought up by China, the main reasons being that China must be able to verify what MS claims.
    • MS must provide the compilable source code
    • China must send a team to MS (to the Redmond campus actually, not sure if they would be allowed to get into the building of Windows engineering team) to learn how to build it, and have some training about the Windows internals
    • MS must show how to do the build and a way to compare the final binary with the binary distributed by MS

    I've not asked about the issues about the patches, as I consider it to be a waste of time, and China should be concentrating money and energy on improving Linux, or heck, if we don't want to release the code changes, we can take one of the BSDs too.
  17. NSA backdoors? by Erwos · · Score: 3, Interesting

    I've never understood the kind of schiznophrenia that /.'ers approach NSA with.

    On one hand, they wrote SELinux, which _no one_ has been able to find any deliberate backdoors in. It is exactly what they said it was: a security-enhanced, hardened Linux.

    Yet, on the other hand, we accuse NSA of rigging Windows with backholes for them. Can we at least make up our minds on whether NSA believes in deliberate backdoors or not? It strikes me that the only "evidence" of an NSA backdoor in Windows was the infamous NSAkey brouhaha, but this is _hardly_ hard proof of anything.

    If NSA can use a backdoor, then so, theoretically, can enemy governments. That's hardly good security, and if there's one thing that NSA knows, it's good security.

    -Erwos

    --
    Plausible conjecture should not be misrepresented as proof positive.
  18. Re:Why on earth would... by Zocalo · · Score: 3, Informative
    I guess it's the Ying - Yang thing. ;)

    On a more serious note, I find this somewhat worrying given the allegations made by Taiwan about organized cyber attacks coming from the mainland. Whether this is being reciprocated or not, I can't help but get the feeling that this is akin to handing China the cyber equivalent of a fusion bomb to use against Taiwan. Who knows what other exploits are lurking in the Windows code waiting to be found by the Chinese hackers doing the code review?

    Of course, they could always surprise us and give Microsoft a respectable advance notice to issue fixes before coming up with a zero day full disclosure bug report. I guess time will tell as to which way the outcome is going to lean, towards a blessing or a curse, but it's going to be an interesting time finding out. Looks like that Chinese proverb is right again!

    --
    UNIX? They're not even circumcised! Savages!