Slashdot Mirror


China Prepares To Examine MS Windows Code

Stargoat writes "CNet reports that China is looking into MS's source code for Windows. They are looking both to increase security as well as perhaps create a Chinese version of Linux. Or are they perhaps concerned with rumors of deliberate holes left in the software for the NSA to exploit?" Here's an earlier Slashdot post about the Microsoft-China agreement.

20 of 468 comments

  1. What's the use? by zaroastra · · Score: 5, Interesting

    What's the use of inspecting some offsite code when you have ABSOLUTELY NO WARRANTY that the code you're looking at is the one that is delivered in your compiled version?
    In my language we have an expression for that, that could be roughly translated to trying to stop the wind with a fork.

    --
    I'm trying to get modded "Interesting Flamebait Informative and Insightful Redundant Troll" *-* Please Help *-*
    1. Re:What's the use? by rupe · · Score: 4, Interesting

      Even that is not enough. The code might require the use of Microsoft's compiler.

      True example, the famous hole in cc, that whenever it noticed that it was compiling "login.c" would introduce a backdoor. Not only that but whenever it noticed it was compiling itself would reintroduce the same code, so that even by inspecting the compiler source you couldn't find the exploit.

      Details can be found on google.

    2. Re:What's the use? by greenhide · · Score: 4, Informative

      You're talking about Ken Thompson's paper, "Reflections on Trusting Trust".

      I don't believe this ever was a "famous hole in cc". Instead, Ken Thompson merely pointed out that trust in the code you were compiling was not enough; you would have to trust the compiler as well, which inherently meant you had to trust the compiler compiling that compiler, and so on. Essentially the only compiler you could trust is one you wrote yourself in machine code, otherwise you can't be sure what its compiled, binary form contains.

      Whether anyone ever acted on this potential exploit is up for further research, but for it to be effectively done in Open Source, it could only be executed on a per-machine basis. That is, they'd have to change the compiler on your machine, because if they put the exploit right in publicly available source code, it wouldn't be too difficult to find it when the code was reviewed.

      What I find interesting is that this is listed as a "Classic" article, and that page is dated 1995! This idea has been out for a while.

      --
      Karma: Chevy Kavalierma.
  2. Would You Trust a Chinese OS? by reallocate · · Score: 5, Insightful

    Don't know about any backdoors in Windows, but we all certainly have reason to distrust any OS sponsored by the Chinese government. They may have adopted a friendlier demeanor, but the folks who gave us Tiananmen still run the place.

    --
    -- Slashdot: When Public Access TV Says "No"
    1. Re:Would You Trust a Chinese OS? by dalutong · · Score: 4, Informative

      Well, Deng Xiaoping isn't, unfortunately. He was the greatest leader of China since independence.

      I spent seven years in China, from 1992 to 1999, on U.S. government orders. They have done more than a face-lift. They are not perfect, but they are doing a pretty good job of transitioning their country into modernity. I hope that someday a governmental model similar to ours will be applicable, but it just isn't right now.

      Every country has its own peculiarities. A government system cannot be superimposed. That is what led to the failure of the first communist government in China. This new version, a more malleable one, is close to the right thing. And if you want to speak about what is best while considering the past, this is it.

      They need to continue to evolve based on the market and not on some odd 5 or 10-year plans, but they are doing that.

      --

      What comes first, finding a teacher or becoming a student?
  3. Can China regenerate a standard build? by Alain Williams · · Score: 4, Interesting

    It would be interesting to see if the Chinese can type 'make' (or whatever is the MS Windows equivalent) and end up with something that is bitwise identical to what MS ships as part of a standard distribution. If they cannot do this, one has to question why not, and we will be left with the suspicion that there is something that MS doesn't want the Chinese to see (be that different MS or NSA code).

    1. Re:Can China regenerate a standard build? by bazik · · Score: 5, Funny
      >It would be interesting to see if the Chinese can type 'make'[...]

      Actually it's
      ./configure --with-bugs --with-bsd-tcp --enable-features=bluescreen,solitaire,minesweeper && make && make kernel32.exe
      --
      One by one the penguins steal my sanity...
  4. not going to help by lingqi · · Score: 4, Insightful
    1) as this post has pointed out, just because you get to look at the source does not mean it's secure. (the post is from Jeremy Allison on the security of Samba servers)

    2) Besides, being closed source and Microsoft, are they going to be able to [practically] compile Windows and compare it to the actual version? Why do I doubt it?

    3) Even if you get to look at the source, then you'd have to look at the source of every security patch that comes your way too, because otherwise you can just put a hole in one of your patches and pretend it fixes such and such. I mean, it's not like this hasn't been done before (German police, Java Anonymous Proxy).

    But then again Microsoft is probably just doing this for show anyway - bribe a few key officials so that there are too few people with too tight a schedule to examine all-too-much of bloaty code, and there you have it - "oh the code was examined and was ok" even though it's just a formality.

    I say stay away from Microsoft on principle when you need to be sure that you are secure.

    --

    My life in the land of the rising sun.

    1. Re:not going to help by greppling · · Score: 4, Interesting
      As a point in favour of your reasoning: When there was the big debate in Germany about Linux use in the German parliament, there was also the question about Windows source code being made available to the German government.

      But the source code would never have been allowed to go to the BSI (Federal agency of IT security), which would be the only department of the government with

      • the resources
      • the competence
      for just a partial audit of the sources. So I agree all this shared-source is just a PR stunt.
  5. Backdoors by pubjames · · Score: 5, Funny

    reports have said that the search for backdoors installed by national intelligence agencies is also among the aims of the agreement.

    MS drone Bob: Did you remember to send those CDs of the source code to the Chinese?

    MS drone Dave: Yes, I did it this morning. Posted it Express delivery!

    MS drone Bob: You did remember to send the version with the backdoors taken out, didn't you?

    MS drone Dave: D'oh! [Slaps forehead]

  6. Re:Why on earth would... by richie2000 · · Score: 4, Funny
    >Why on earth would looking at Windows source code help with a Chinese version of Linux?

    Can anyone tell us what the Chinese symbols for "What not to do and how not to do it" are?

    --
    Money for nothing, pix for free
  7. Why would you think that? by Nijika · · Score: 5, Interesting
    While I'm sure that the NSA is no slouch when it comes to computer infiltration, I've never been one to believe that they've got some magical super powers outside the realm of known technical limitations. Let's not forget that most of what any government says it can do is a large percentage smoke and mirrors to keep the public feeling safe (PATRIOT missiles) or unsafe (PATRIOT act) as it may be. On top of that the Chinese have never been pushovers when it comes to technology. They're in the Asia Pacific region, which is undoubtedly a world hotspot for technological advances. Hell, the PC you're using right now is probably 60% Chinese and 90% Asian in manufacture and design.

    With all that in mind, I'd say any advantage the NSA can get, it would take. And with THAT in mind, I think it's perfectly reasonable for the Chinese government to fully inspect any operating system it may run.

    --
    Luck favors the prepared, darling.
  8. What about changes made by Windows Update? by a.koepke · · Score: 4, Interesting

    What about them running Windows Update with these machines? In 6 months time and after many security patches ;) the code is not going to be the same. So what is to stop MS coding something in a patch that restores any backdoors that they might have removed? Is the Chinese government going to examine the code for every critical update and service pack it installs?

    --


    (\(\
    (^.^)
    (")")
    *This is the cute bunny virus, please copy this into your sig so it can spread
  9. Re:NSA by CaffeineFreak · · Score: 4, Interesting

    And one assumes from this that the Chinese government can infiltrate the NSA mainframes.

    Does that make you feel safe?

  10. Re:and if they steal it? by radja · · Score: 4, Insightful

    >This is not very different from certain South American and African countries that demanded and received the formulae to certain drugs and then turned around and started making their own.

    That was a GOOD thing, saving thousands of human lives who otherwise could not afford medicine. Withholding a lifesaving medicine for your own profit is not a very nice thing to do.

    --

    No one can understand the truth until he drinks of coffee's frothy goodness.
    --Sheikh Abd-Al-Kadir, 1587
  11. Funniest line in the article by Mark_in_Brazil · · Score: 5, Interesting
    Haw haw... Sorry, but there's a throwaway line in the article that just made me laugh:
    >China--potentially a huge market for Microsoft, once the problem of software piracy is solved--
    Riiiiiiiight. And when, exactly, will "the problem of software piracy" be solved? And how?
    I haven't seen anything reported on Slashdot or anywhere else that would "solve the problem of software piracy" and make China a huge market for Microsoft at the same time...

    --Mark
    --
    "It is nice to know that the computer understands the problem. But I would like to understand it too." --Eugene Wigner
  12. Would You Trust an American OS? by Anonymous Coward · · Score: 4, Insightful

    Don't know about any backdoors in Red Flag Linux, but we all certainly have reason to distrust any OS sponsored by the American government. They may have adopted a friendlier demeanor, but the folks who gave us Hiroshima, Nagasaki, Vietnam, the genocide of the First Nation, the CIA-sponsored overthrows of democratically elected governments in various South American states, the illegal invasions of Iraq and Afghanistan, and the lovely freedom of Guantanamo Bay still run the place.

  13. Couple of questions by tsetem · · Score: 5, Insightful

    Considering China's respect of Intellectual Property, and their desire to create a custom version of Linux to break the Microsoft monopoly, what is to prevent China from looking at the Windows Source, and then taking the good parts out and inserting them into Linux (or derivative utilities)? What if they saw how the whole Active Directory authentication stuff worked, and enhanced Samba?

    I mean that could really be interesting. Genuine MS protocols in the Linux kernel. Microsoft would be pissed because of IP theft (à la SCO). But what could Microsoft do? Sue China?

  14. Timing by Nishi-no-wan · · Score: 4, Insightful

    Did anyone else notice that it was soon after Ballmer testified in the anti-trust sit-com about how revealing Microsoft's source code would be a national security threat, that China and several eastern European countries bought into Microsoft's Shared Source initiative?

  15. Rumors said that... by 2Bits · · Score: 4, Interesting
    A couple of posts already mentioned that MS is not gonna give China compilable code, etc. Here's what I heard.

    [Disclaimer: I'm not involved in any negotiation or anything, just heard this from someone whose boss is an insider. So take this with a big grain of salt!]

    Actually, it's not exactly true. Here are a few of the conditions that have been brought up by China, the main reasons being that China must be able to verify what MS claims.
    • MS must provide the compilable source code
    • China must send a team to MS (to the Redmond campus actually, not sure if they would be allowed to get into the building of Windows engineering team) to learn how to build it, and have some training about the Windows internals
    • MS must show how to do the build and a way to compare the final binary with the binary distributed by MS

    I've not asked about the issues about the patches, as I consider it to be a waste of time, and China should be concentrating money and energy on improving Linux, or heck, if we don't want to release the code changes, we can take one of the BSDs too.
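
The check several comments above ask for (rebuild from the inspected source, then compare against what actually ships, bit for bit) can be sketched as follows. This is an added example, not part of the thread and not any vendor's tooling; the directory layout, file names and sample bytes are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:  # stream, so large binaries need not fit in memory
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def first_difference(a: bytes, b: bytes) -> int:
    """Offset of the first differing byte; the shorter length if one is a prefix."""
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), min(len(a), len(b)))

def list_files(root: Path) -> set:
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}

def compare_trees(built: Path, shipped: Path) -> dict:
    """Classify every file found in either the local build or the shipped media."""
    b, s = list_files(built), list_files(shipped)
    report = {}
    for rel in sorted(b | s):
        if rel not in b:
            report[rel] = "shipped-only"  # shipped, but the source never produced it
        elif rel not in s:
            report[rel] = "build-only"
        elif sha256(built / rel) == sha256(shipped / rel):
            report[rel] = "identical"
        else:
            off = first_difference((built / rel).read_bytes(), (shipped / rel).read_bytes())
            report[rel] = f"differs@{off}"  # where to start the manual diff
    return report

def demo() -> dict:
    """Constructed sample: two tiny trees standing in for a rebuild and the release."""
    with tempfile.TemporaryDirectory() as tmp:
        built, shipped = Path(tmp, "built"), Path(tmp, "shipped")
        for d in (built / "sys", shipped / "sys"):
            d.mkdir(parents=True)
        (built / "sys/core.bin").write_bytes(b"HEADER\x00\x00BODY")
        (shipped / "sys/core.bin").write_bytes(b"HEADER\x00\x01BODY")
        (built / "shell.bin").write_bytes(b"same bytes")
        (shipped / "shell.bin").write_bytes(b"same bytes")
        (shipped / "sys/helper.bin").write_bytes(b"not produced by the build")
        return compare_trees(built, shipped)

if __name__ == "__main__":
    print(demo())
```

Any result other than "identical" for every file means the inspected source does not account for the shipped binaries, and the same comparison has to be repeated for each patch or service pack.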