Slashdot Mirror


Microsoft Opens Source Code To KGB's Successor Agency

Jack Spine writes "Microsoft has struck a deal with the Russian government which will give the FSB, successor to the KGB, access to the source code for Windows 7, among other products. The agreement is an extension of Microsoft's Government Security Program, according to a source with links to the UK government."

44 of 187 comments

  1. security holes of releasing source code by Anonymous Coward · · Score: 5, Insightful

    yay, so now the Russians will know all the holes in Windows 7 and how to exploit them, no?

    1. Re:security holes of releasing source code by TheRaven64 · · Score: 5, Interesting

      They've already provided it to the Chinese (and the British, not sure who else). That means that the Russians and Chinese can look for and exploit holes in Windows. Last I heard (which, admittedly, was around 2002), the source code that they provide is not enough to build a complete Windows system, and the license does not permit building it, only reviewing it, so this only lets you find (but not fix) accidental flaws, not malicious ones.

      Basically, they get all of the disadvantages of open source security, but none of the advantages.

      --
      I am TheRaven on Soylent News
    2. Re:security holes of releasing source code by roystgnr · · Score: 5, Funny

      Yeah, but Russia probably signed the same "We promise to hack Google first" agreement that China did, so from Microsoft's perspective it's win/win.

    3. Re:security holes of releasing source code by cappp · · Score: 4, Informative

      Russia is just being added to a rather long list of countries in this regard. Playing a little link-hopping tells us that both NATO and 30 countries (including the UK) have made similar deals with Microsoft, albeit in reference to older technology. I would assume that all of those entities have similar updates to their agreements.

    4. Re:security holes of releasing source code by Anonymous Coward · · Score: 2, Interesting

      The point of it is being able to review certain critical parts; for instance, many of the governments require cryptographical reviews before an OS can be used by certain sections of the government, and this sort of code access allows that. The intention is not for a government to go trawling through the entire source trees but instead to allow them to review code that is necessary to follow whatever guidelines and legislation are applicable for that country. Do you really think most countries have any interest in reviewing all the code in Windows? Or even in Linux or any other OS for that matter? The size of such a task would be beyond belief and a constantly moving target.

    5. Re:security holes of releasing source code by mlts · · Score: 4, Interesting

      Isn't it coincidental that the Chinese intelligence who received the source code suddenly had a lot of new Windows based 0-days and used them against US companies, Google mainly?

      The blackhats have the source and can look for bugs and errors that they can exploit at will. The whitehats have to guess or blindly firewall, hope that there are no remote exploits, and put a lot of resources into perimeter security.

      Maybe this is just another impetus for people and companies to move to UNIX based operating systems. Even a closed source offering like HP-UX or OS X (the pieces that are not open-sourced in Darwin or elsewhere) has been around such a long time that glaring show-stopper bugs are rare, and are usually limited to local exploits. This isn't to say things are perfect, but an exploit from remote like ssh is extremely rare on the UNIX side. To boot, UNIX variants have been getting a lot better at security, having ASLR, DEP, SELinux/AppArmor security policies, and other items to limit damage and spread of compromised code.

    6. Re:security holes of releasing source code by elrous0 · · Score: 2, Insightful

      > so now the Russians will know all the holes in Windows 7 and how to exploit them, no?

      Them and every other hacker on the planet.

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
    7. Re:security holes of releasing source code by datapharmer · · Score: 3, Insightful

      > i'd say a specific linux build for national security sensitive applications is in order

      Try setting SE Linux to "enabled".

      --
      Get a web developer
    8. Re:security holes of releasing source code by pandrijeczko · · Score: 3, Funny

      > and the British, not sure who else

      Indeed, old chap. And we will tip our bowler hats at you when we've stopped having a jolly good laugh at it.

      "Gor blimey, luv-a-duck, Mary Poppins! 'av ya seen the state of those header files for Minesweeper!"

      --
      Gentoo Linux - another day, another USE flag.
    9. Re:security holes of releasing source code by NotBornYesterday · · Score: 2, Interesting

      I wondered why they bothered with Windows at all, given their previous movement towards Red Flag Linux. I wonder if they did so just to find the vulnerabilities ...

      --
      I prefer rogues to imbeciles because they sometimes take a rest.
    10. Re:security holes of releasing source code by dintech · · Score: 2, Funny

      Yes, but I'm looking forward to Vindows 7.

    11. Re:security holes of releasing source code by morgan_greywolf · · Score: 5, Insightful

      > Do you really think most countries have any interest in reviewing all the code in windows?

      If you can't compile the code into a working binary using the same compiler that was used to produce the production binary because you're missing parts, then you can't be sure that the source code you have represents the binary you're using. You have to take Microsoft's word for it, and it's not like the rep you're talking to is the actual guy who manages the build, so even he doesn't actually know for sure.

      An incomplete set of source is absolutely useless for a true security audit.

    12. Re:security holes of releasing source code by alexo · · Score: 3, Interesting

      > the source code that they provide is not enough to build a complete Windows system, and the license does not permit building it, only reviewing it, so this only lets you find (but not fix) accidental flaws, not malicious ones.

      If I were in charge of an internal security agency, I would be more concerned about running an OS containing back doors or exploits than to try and exploit them myself. To that effect, I would insist on being able to build the OS from sources using a compiler that is known to be uncompromised (built it from source too). No other arrangement will guarantee that the copies I am running behave exactly like the source code says.

      If the FSB agreed to the terms that you mentioned, they are not doing their work.

    13. Re:security holes of releasing source code by suso · · Score: 2, Insightful

      > and the license does not permit building it, only reviewing it, so this only lets you find (but not fix) accidental flaws, not malicious ones.

      Oh noes, a license. That will stop em.

    14. Re:security holes of releasing source code by shutdown+-p+now · · Score: 2, Interesting

      > Last I heard (which, admittedly, was around 2002), the source code that they provide is not enough to build a complete Windows system, and the license does not permit building it, only reviewing it, so this only lets you find (but not fix) accidental flaws, not malicious ones.

      From what I heard, this transfer is for complete buildable code, and, indeed, the whole point is that FSB guys will strip out everything they don't need to minimize attack surface, and use the resulting build for their own systems.

  2. Available as a Torrent in 3... 2... 1... by Xtense · · Score: 4, Insightful

    Available as a Torrent in 3... 2... 1...

    --
    "We are the music makers, and we are the dreamers of dreams [...]."
    1. Re:Available as a Torrent in 3... 2... 1... by arivanov · · Score: 3, Interesting

      And in which jurisdiction are you going to sue?

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    2. Re:Available as a Torrent in 3... 2... 1... by timeOday · · Score: 3, Informative

      Don't you remember the big leak of Windows source code a few years ago?

      Surprisingly, it didn't turn out to have any impact on anything, that I can tell.

    3. Re:Available as a Torrent in 3... 2... 1... by bigredradio · · Score: 3, Funny

      Hax0r: Ha! I have windows source code!!!

      (10 mins later)

      Hax0r: Humm.. now what?

    4. Re:Available as a Torrent in 3... 2... 1... by theArtificial · · Score: 3, Interesting

      Wasn't that how the image hacks started? A specially crafted BMP. There are more but this is one I recall off of the top of my head.

      --
      You get tired from walking around doing nothing.
  3. I'm sure this will turn out well by linzeal · · Score: 5, Interesting

    I'm more afraid of the FSB selling or having the code stolen from them by Russian hackers than the FSB actually doing anything. They are mostly incompetent hacks either leftover from the 90's or put there to be yes-men to Putin policy. Putin would not stack the deck against himself so he has cut out most of the intelligence in the intelligence agencies, that is why you get things like the recent spy swap debacle where they could not even penetrate a PTA meeting let alone the Pentagon.

    1. Re:I'm sure this will turn out well by Anonymous Coward · · Score: 2, Interesting

      I tend to agree with your take on Putin.

      And, wtf. Those poor Russians just can't seem to get a break. They've gone from totalitarian monarchy to communism. Yay, workers paradise, except when the revolutionary dust settled they were still under totalitarian rule.

      And now that the confetti from the democratization celebration has blown away we are still looking at something remarkably similar to a dictatorship.

    2. Re:I'm sure this will turn out well by dargaud · · Score: 3, Insightful

      When you ask a Russian his opinion on some leader (either Russian or otherwise), whenever he wants to praise that leader, he'll always add 'he's a strong leader'. It seems that Russians only recognize leadership when it is associated with strength, so do not be surprised that they go from dictatorship to dictatorship. It's mostly self-inflicted.

      --
      Non-Linux Penguins ?
  4. FSB is not "the" successor to the KGB by the+linux+geek · · Score: 5, Interesting

    The FSB is approximately a third of the total KGB capability, with the FSO and SVR being the other legs of the triumvirate. The FSB, being the replacement for the former First Chief Directorate, is mostly responsible for internal security (counterintelligence, counterterrorism, counterinsurgency, action against dissenters.) I don't see how this deal with Microsoft could possibly threaten the US or US interests, except possibly in a peripheral way.

    1. Re:FSB is not "the" successor to the KGB by Divide+By+Zero · · Score: 2, Funny

      Certainly they won't give it to whatever directorate's in charge of conducting espionage. Spies are the most honorable government officials there are, and nobody in Moscow's looking to get ahead by bending any rules.

      --
      Dare to Hope. Prepare to be Disappointed.
    2. Re:FSB is not "the" successor to the KGB by Rogerborg · · Score: 2, Funny

      Whoa, whoa, whoa, let's put it in terms we can all understand, shall we? Are you saying that the FSB is like the Klingon ISF, while the FSO and SVR are the equivalent of the DSF?

      --
      If you were blocking sigs, you wouldn't have to read this.
  5. In Soviet Russia... by yanyan · · Score: 5, Funny

    I give up. This is too easy.

    1. Re:In Soviet Russia... by dimethylxanthine · · Score: 2, Funny

      FSB caught your tongue?

  6. This is actually good by Chrisq · · Score: 3, Interesting

    It will keep them tied up for years trying to find exploitable holes, when the real spies will use something else

  7. Trust, Interesting World by Bob9113 · · Score: 4, Interesting

    It is an interesting world in which a United States company trusts Russian spies more than it trusts United States citizens.

    1. Re:Trust, Interesting World by fuzzyfuzzyfungus · · Score: 2, Interesting

      It is a world operating completely as expected when a multinational corporation cares more about satisfying the requests of large customers than it does small ones.

  8. Update email by Linker3000 · · Score: 3, Funny

    Has anyone else just got the email from Microsoft regarding a critical security update that should be downloaded and installed immediately from windowsupdate.micros0ft.ru?

    --
    AT&ROFLMAO
  9. Successor agency by TrixX · · Score: 5, Funny

    Shouldn't the successor to KGB be called LHC... oh!

    1. Re:Successor agency by glwtta · · Score: 2, Insightful

      Holy shit, that just completely blew my mind!

      --
      sic transit gloria mundi
  10. Re:Buildable? by Shados · · Score: 4, Informative

    Probably not. It is not all that uncommon for Microsoft to open its source. I mean, it doesn't happen everyday, but they have special facilities for that purpose alone.

    It may have changed, but back when I saw it, it was basically a web based code browser that doesn't allow the more simple copying features (like no export and stuff obviously).

    If it's still what they use, then it definitely cannot (realistically) be built.

  11. As Stalin said by gillbates · · Score: 5, Insightful

    Wasn't it Stalin who said, "The capitalists will sell us the rope we use to hang them."

    Nice to know that Microsoft, after complaining for years that open source was insecure because anyone could see the code, is now providing same to Russia. Nothing quite like putting quarterly profits above national security.

    --
    The society for a thought-free internet welcomes you.
    1. Re:As Stalin said by m93 · · Score: 2, Informative


      That was actually a Lenin quote.

    2. Re:As Stalin said by gad_zuki! · · Score: 2, Interesting

      I've always found that quote to be amusing. It's like admitting that communism can't produce enough rope, only capitalism can, but they need rope so they deal with capitalists. Reminds me of all those stories about the price of car wipers and toilet paper in the USSR because their command economy 'geniuses' couldn't figure it out or couldn't turn capital into production.

      >Nothing quite like putting quarterly profits above national security.

      Let's not be too dramatic. The source code of Windows isn't some big trade secret. Several governments have it. After all, they want to see the source just like you do with Linux and they have the buying power to demand it.

  12. The conversation... by lattyware · · Score: 2, Funny

    Microsoft: So, we are agreed, you get access to our source code.

    FSA: Yes... we just have to add one question to our polygraph test for people reviewing the code?

    Microsoft: Yes. "Have you ever contributed, or plan to contribute, to open source software..."

    --
    -- Lattyware (www.lattyware.co.uk)
  13. Re:we need open source by law by Bing+Tsher+E · · Score: 2, Insightful

    Why? The copyright protects a specific binary implementation. Are you implying that Microsoft's copyright protection should be extended to the method they use? That's what it sounds like.

  14. Re:Buildable? by tibman · · Score: 4, Insightful

    How can the Russians trust the source code to a binary if they can't compile and compare the binaries?

    --
    http://soylentnews.org/~tibman
  15. How the worm turns.... by zkiwi34 · · Score: 3, Insightful

    It wasn't all that long ago when dear old Bill Gates et al were claiming in front of the DoJ that giving anyone (their competitors) access to Windows code would be a threat to national security. Fast forward to now and it appears that either the truth changed a whole lot or for some reason national security interests are served by giving China and Russia and who knows, maybe even the French access to Windows source.

    The new Windows, our most secure OS ever!! Well...

    1. Re:How the worm turns.... by thoth · · Score: 2, Insightful

      They changed even faster than that. IIRC, it was Jim Allchin that said releasing the source code for a portion of Windows (the message queue), would have serious US national security implications. This was in 2002, during the post-DOJ lawsuit cleanup where some states filed a separate lawsuit.

      Less than a year later in early 2003, Microsoft entered into a broad source code sharing arrangement, with Russia, China, and many NATO members.
      http://www.microsoft.com/presspass/press/2003/feb03/02-28GSPChinaPR.mspx

      From "serious US national security issues" to "here you go Russia and China" in less than a year.

  16. Re:Damned if they do, damned if they dont... by mikechant · · Score: 2, Informative

    > I think it's ironic that we're reading an article about MS releasing source code and the /. community is busting their balls. Just sayin'.

    Maybe you should think some more and consider that
    1/ MS are releasing the source code to potentially hostile foreign governments (China, Russia), but *not* to (say) security researchers etc. who might get something useful out of it for the benefit of Windows users in general.
    2/ MS are not releasing buildable or complete source, there is no way to tell if the source accurately reflects the actual distributed binaries.
    3/ MS has been doing this for years and it is clearly not in any way a path, stepping stone or partial move towards open source or anything like it.

    So maybe you'd be able to explain why it's 'ironic' that they are being criticised in the light of the above?
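
The build-and-compare check that several commenters above ask for (morgan_greywolf, alexo, tibman, mikechant), sketched as an added example; it is not code from any commenter or from Microsoft. It classifies each shipped binary as matching a reviewer's rebuild, differing from it, or unverifiable because no source was supplied to rebuild it. The file names, the `fake_pe` helper and all sample bytes are constructed for illustration.

```python
import hashlib
import struct

def normalize_pe(data: bytes) -> bytes:
    """Zero the two PE header fields that differ between otherwise equal builds."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return data                                  # not a PE: compare as-is
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_off + 92 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return data
    out = bytearray(data)
    out[pe_off + 8:pe_off + 12] = b"\0" * 4    # COFF TimeDateStamp
    out[pe_off + 88:pe_off + 92] = b"\0" * 4   # OptionalHeader.CheckSum
    return bytes(out)

def digest(data: bytes) -> str:
    return hashlib.sha256(normalize_pe(data)).hexdigest()

def audit(shipped: dict, rebuilt: dict) -> dict:
    """Classify every shipped binary against what the reviewer could rebuild."""
    report = {}
    for name, blob in sorted(shipped.items()):
        if name not in rebuilt:
            report[name] = "UNVERIFIABLE"      # no source to build it from
        elif digest(blob) == digest(rebuilt[name]):
            report[name] = "MATCH"
        else:
            report[name] = "MISMATCH"          # source does not explain binary
    return report

def fake_pe(timestamp: int, code: bytes) -> bytes:
    """Constructed PE-shaped blob (headers only, not loadable) for the demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0xF0, 0x22)
    optional = bytearray(0xF0)
    struct.pack_into("<H", optional, 0, 0x20B)                # PE32+ magic
    struct.pack_into("<I", optional, 64, timestamp ^ 0xABCD)  # stand-in checksum
    return dos + b"PE\0\0" + coff + bytes(optional) + code

# Constructed sample: three shipped files, source available for only two.
SHIPPED = {
    "kernel.dll": fake_pe(1279000000, b"\x90\xc3"),
    "crypto.dll": fake_pe(1279000000, b"\x31\xc0\xc3"),
    "netstack.dll": fake_pe(1279000000, b"\xcc"),
}
REBUILT = {
    "kernel.dll": fake_pe(1280000000, b"\x90\xc3"),          # same code, later build
    "crypto.dll": fake_pe(1280000000, b"\x31\xc0\x90\xc3"),  # code differs
}

if __name__ == "__main__":
    for name, verdict in audit(SHIPPED, REBUILT).items():
        print(f"{name:14} {verdict}")
```

Real toolchains embed more build-specific data than these two fields (debug identifiers, for example), so an actual comparison needs a deterministic build or a longer normalization list.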