Slashdot Mirror


Microsoft Opens Source Code To KGB's Successor Agency

Jack Spine writes "Microsoft has struck a deal with the Russian government which will give the FSB, successor to the KGB, access to the source code for Windows 7, among other products. The agreement is an extension of Microsoft's Government Security Program, according to a source with links to the UK government."

15 of 187 comments

  1. I'm sure this will turn out well by linzeal · · Score: 5, Interesting

    I'm more afraid of the FSB selling or having the code stolen from them by Russian hackers than the FSB actually doing anything. They are mostly incompetent hacks either leftover from the 90's or put there to be yes-men to Putin policy. Putin would not stack the deck against himself so he has cut out most of the intelligence in the intelligence agencies, that is why you get things like the recent spy swap debacle where they could not even penetrate a PTA meeting let alone the Pentagon.

    1. Re:I'm sure this will turn out well by Anonymous Coward · · Score: 2, Interesting

      I tend to agree with your take on Putin.

      And, wtf. Those poor Russians just can't seem to get a break. They've gone from totalitarian monarchy to communism. Yay, workers' paradise, except when the revolutionary dust settled they were still under totalitarian rule.

      And now that the confetti from the democratization celebration has blown away we are still looking at something remarkably similar to a dictatorship.

  2. FSB is not "the" successor to the KGB by the linux geek · · Score: 5, Interesting

    The FSB is approximately a third of the total KGB capability, with the FSO and SVR being the other legs of the triumvirate. The FSB, being the replacement for the former First Chief Directorate, is mostly responsible for internal security (counterintelligence, counterterrorism, counterinsurgency, action against dissenters.) I don't see how this deal with Microsoft could possibly threaten the US or US interests, except possibly in a peripheral way.

  3. Re:security holes of releasing source code by TheRaven64 · · Score: 5, Interesting

    They've already provided it to the Chinese (and the British, not sure who else). That means that the Russians and Chinese can look for and exploit holes in Windows. Last I heard (which, admittedly, was around 2002), the source code that they provide is not enough to build a complete Windows system, and the license does not permit building it, only reviewing it, so this only lets you find (but not fix) accidental flaws, not malicious ones.

    Basically, they get all of the disadvantages of open source security, but none of the advantages.

    --
    I am TheRaven on Soylent News

  4. This is actually good by Chrisq · · Score: 3, Interesting

    It will keep them tied up for years trying to find exploitable holes, when the real spies will use something else.

  5. Re:security holes of releasing source code by Anonymous Coward · · Score: 2, Interesting

    The point of it is being able to review certain critical parts; for instance, many governments require cryptographic reviews before an OS can be used by certain sections of the government, and this sort of code access allows that. The intention is not for a government to go trawling through the entire source trees but instead to allow them to review code that is necessary to follow whatever guidelines and legislation are applicable for that country. Do you really think most countries have any interest in reviewing all the code in Windows? Or even in Linux or any other OS for that matter? The size of such a task would be beyond belief and a constantly moving target.

  6. Trust, Interesting World by Bob9113 · · Score: 4, Interesting

    It is an interesting world in which a United States company trusts Russian spies more than it trusts United States citizens.

    1. Re:Trust, Interesting World by fuzzyfuzzyfungus · · Score: 2, Interesting

      It is a world operating completely as expected when a multinational corporation cares more about satisfying the requests of large customers than it does small ones.

  7. Re:security holes of releasing source code by mlts · · Score: 4, Interesting

    Isn't it coincidental that the Chinese intelligence who received the source code suddenly had a lot of new Windows-based 0-days and used them against US companies, Google mainly?

    The blackhats have the source and can look for bugs and errors that they can exploit at will. The whitehats have to guess or blindly firewall, hope that there are no remote exploits, and put a lot of resources into perimeter security.

    Maybe this is just another impetus for people and companies to move to UNIX based operating systems. Even a closed source offering like HP-UX or OS X (the pieces that are not open-sourced in Darwin or elsewhere) has been around such a long time that glaring show-stopper bugs are rare, and are usually limited to local exploits. This isn't to say things are perfect, but an exploit from remote like ssh is extremely rare on the UNIX side. To boot, UNIX variants have been getting a lot better at security, having ASLR, DEP, SELinux/AppArmor security policies, and other items to limit damage and spread of compromised code.

  8. Re:security holes of releasing source code by NotBornYesterday · · Score: 2, Interesting

    I wondered why they bothered with Windows at all, given their previous movement towards Red Flag Linux. I wonder if they did so just to find the vulnerabilities ...

    --
    I prefer rogues to imbeciles because they sometimes take a rest.

  9. Re:Available as a Torrent in 3... 2... 1... by arivanov · · Score: 3, Interesting

    And in which jurisdiction are you going to sue?

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/

  10. Re:As Stalin said by gad_zuki! · · Score: 2, Interesting

    I've always found that quote to be amusing. It's like admitting that communism can't produce enough rope, only capitalism can, but they need rope so they deal with capitalists. Reminds me of all those stories about the price of car wipers and toilet paper in the USSR because their command economy 'geniuses' couldn't figure it out or couldn't turn capital into production.

    >Nothing quite like putting quarterly profits above national security.

    Let's not be too dramatic. The source code of Windows isn't some big trade secret. Several governments have it. After all, they want to see the source just like you do with Linux and they have the buying power to demand it.

  11. Re:security holes of releasing source code by alexo · · Score: 3, Interesting

    >the source code that they provide is not enough to build a complete Windows system, and the license does not permit building it, only reviewing it, so this only lets you find (but not fix) accidental flaws, not malicious ones.

    If I were in charge of an internal security agency, I would be more concerned about running an OS containing back doors or exploits than to try and exploit them myself. To that effect, I would insist on being able to build the OS from sources using a compiler that is known to be uncompromised (built it from source too). No other arrangement will guarantee that the copies I am running behave exactly like the source code says.

    If the FSB agreed to the terms that you mentioned, they are not doing their work.

  12. Re:security holes of releasing source code by shutdown -p now · · Score: 2, Interesting

    >Last I heard (which, admittedly, was around 2002), the source code that they provide is not enough to build a complete Windows system, and the license does not permit building it, only reviewing it, so this only lets you find (but not fix) accidental flaws, not malicious ones.

    From what I heard, this transfer is for complete buildable code, and, indeed, the whole point is that FSB guys will strip out everything they don't need to minimize attack surface, and use the resulting build for their own systems.

  13. Re:Available as a Torrent in 3... 2... 1... by theArtificial · · Score: 3, Interesting

    Wasn't that how the image hacks started? A specially crafted BMP. There are more but this is one I recall off of the top of my head.

    --
    One gets tired from going around doing nothing.