Slashdot Mirror


Microsoft Opens Source Code To KGB's Successor Agency

Jack Spine writes "Microsoft has struck a deal with the Russian government which will give the FSB, successor to the KGB, access to the source code for Windows 7, among other products. The agreement is an extension of Microsoft's Government Security Program, according to a source with links to the UK government."

26 of 187 comments

  1. security holes of releasing source code by Anonymous Coward · · Score: 5, Insightful

    yay, so now the Russians will know all the holes in Windows 7 and how to exploit them, no?

    1. Re:security holes of releasing source code by TheRaven64 · · Score: 5, Interesting

      They've already provided it to the Chinese (and the British, not sure who else). That means that the Russians and Chinese can look for and exploit holes in Windows. Last I heard (which, admittedly, was around 2002), the source code that they provide is not enough to build a complete Windows system, and the license does not permit building it, only reviewing it, so this only lets you find (but not fix) accidental flaws, not malicious ones.

      Basically, they get all of the disadvantages of open source security, but none of the advantages.

      --
      I am TheRaven on Soylent News
    2. Re:security holes of releasing source code by roystgnr · · Score: 5, Funny

      Yeah, but Russia probably signed the same "We promise to hack Google first" agreement that China did, so from Microsoft's perspective it's win/win.

    3. Re:security holes of releasing source code by cappp · · Score: 4, Informative

      Russia is just being added to a rather long list of countries in this regard. Playing a little link-hopping tells us that both NATO and 30 countries (including the UK) have made similar deals with Microsoft albeit in reference to older technology. I would assume that all of those entities have similar updates to their agreements.

    4. Re:security holes of releasing source code by mlts · · Score: 4, Interesting

      Isn't it coincidental that the Chinese intelligence who received the source code suddenly had a lot of new Windows based 0-days and used them against US companies, Google mainly?

      The blackhats have the source and can look for bugs and errors that they can exploit at will. The whitehats have to guess or blindly firewall, hope that there are no remote exploits, and put a lot of resources into perimeter security.

      Maybe this is just another impetus for people and companies to move to UNIX based operating systems. Even a closed source offering like HP-UX or OS X (the pieces that are not open-sourced in Darwin or elsewhere) has been around such a long time that glaring show-stopper bugs are rare, and are usually limited to local exploits. This isn't to say things are perfect, but an exploit from remote like ssh is extremely rare on the UNIX side. To boot, UNIX variants have been getting a lot better at security, having ASLR, DEP, SELinux/AppArmor security policies, and other items to limit damage and spread of compromised code.

    5. Re:security holes of releasing source code by datapharmer · · Score: 3, Insightful

      I'd say a specific Linux build for national security sensitive applications is in order

      Try setting SE Linux to "enabled".

      --
      Get a web developer
    6. Re:security holes of releasing source code by pandrijeczko · · Score: 3, Funny

      and the British, not sure who else

      Indeed, old chap. And we will tip our bowler hats at you when we've stopped having a jolly good laugh at it.

      "Gor blimey, luv-a-duck, Mary Poppins! 'av ya seen the state of those header files for Minesweeper!"

      --
      Gentoo Linux - another day, another USE flag.
    7. Re:security holes of releasing source code by morgan_greywolf · · Score: 5, Insightful

      Do you really think most countries have any interest in reviewing all the code in Windows?

      If you can't compile the code into a working binary using the same compiler that was used to produce the production binary because you're missing parts, then you can't be sure that the source code you have represents the binary you're using. You have to take Microsoft's word for it, and it's not like the rep you're talking to is the actual guy who manages the build, so even he doesn't actually know for sure.

      An incomplete set of source is absolutely useless for a true security audit.

    8. Re:security holes of releasing source code by alexo · · Score: 3, Interesting

      the source code that they provide is not enough to build a complete Windows system, and the license does not permit building it, only reviewing it, so this only lets you find (but not fix) accidental flaws, not malicious ones.

      If I were in charge of an internal security agency, I would be more concerned about running an OS containing back doors or exploits than to try and exploit them myself. To that effect, I would insist on being able to build the OS from sources using a compiler that is known to be uncompromised (built it from source too). No other arrangement will guarantee that the copies I am running behave exactly like the source code says.

      If the FSB agreed to the terms that you mentioned, they are not doing their work.

  2. Available as a Torrent in 3... 2... 1... by Xtense · · Score: 4, Insightful

    Available as a Torrent in 3... 2... 1...

    --
    "We are the music makers, and we are the dreamers of dreams [...]."
    1. Re:Available as a Torrent in 3... 2... 1... by arivanov · · Score: 3, Interesting

      And in which jurisdiction are you going to sue?

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    2. Re:Available as a Torrent in 3... 2... 1... by timeOday · · Score: 3, Informative

      Don't you remember the big leak of Windows source code a few years ago?

      Surprisingly, it didn't turn out to have any impact on anything, that I can tell.

    3. Re:Available as a Torrent in 3... 2... 1... by bigredradio · · Score: 3, Funny

      Hax0r: Ha! I have windows source code!!! (10 mins later) Hax0r: Humm.. now what?

    4. Re:Available as a Torrent in 3... 2... 1... by theArtificial · · Score: 3, Interesting

      Wasn't that how the image hacks started? A specially crafted BMP. There are more but this is one I recall off of the top of my head.

      --
      Man blir trött av att gå och göra ingenting.
  3. I'm sure this will turn out well by linzeal · · Score: 5, Interesting

    I'm more afraid of the FSB selling or having the code stolen from them by Russian hackers than the FSB actually doing anything. They are mostly incompetent hacks either leftover from the 90's or put there to be yes-men to Putin policy. Putin would not stack the deck against himself so he has cut out most of the intelligence in the intelligence agencies, that is why you get things like the recent spy swap debacle where they could not even penetrate a PTA meeting let alone the Pentagon.

    1. Re:I'm sure this will turn out well by dargaud · · Score: 3, Insightful

      When you ask a Russian his opinion on some leader (either Russian or otherwise), whenever he wants to praise that leader, he'll always add 'he's a strong leader'. It seems that Russians only recognize leadership when it is associated with strength, so do not be surprised that they go from dictatorship to dictatorship. It's mostly self-inflicted.

      --
      Non-Linux Penguins ?
  4. FSB is not "the" successor to the KGB by the+linux+geek · · Score: 5, Interesting

    The FSB is approximately a third of the total KGB capability, with the FSO and SVR being the other legs of the triumvirate. The FSB, being the replacement for the former First Chief Directorate, is mostly responsible for internal security (counterintelligence, counterterrorism, counterinsurgency, action against dissenters.) I don't see how this deal with Microsoft could possibly threaten the US or US interests, except possibly in a peripheral way.

  5. In Soviet Russia... by yanyan · · Score: 5, Funny

    I give up. This is too easy.

  6. This is actually good by Chrisq · · Score: 3, Interesting

    It will keep them tied up for years trying to find exploitable holes, when the real spies will use something else

  7. Trust, Interesting World by Bob9113 · · Score: 4, Interesting

    It is an interesting world in which a United States company trusts Russian spies more than it trusts United States citizens.

  8. Update email by Linker3000 · · Score: 3, Funny

    Has anyone else just got the email from Microsoft regarding a critical security update that should be downloaded and installed immediately from windowsupdate.micros0ft.ru?

    --
    AT&ROFLMAO
  9. Successor agency by TrixX · · Score: 5, Funny

    Shouldn't the successor to KGB be called LHC... oh!

  10. Re:Buildable? by Shados · · Score: 4, Informative

    Probably not. It is not all that uncommon for Microsoft to open its source. I mean, it doesn't happen every day, but they have special facilities for that purpose alone.

    It may have changed, but back when I saw it, it was basically a web based code browser that doesn't allow the more simple copying features (like no export and stuff obviously).

    If it's still what they use, then it definitely cannot (realistically) be built.

  11. As Stalin said by gillbates · · Score: 5, Insightful

    Wasn't it Stalin who said, "The capitalists will sell us the rope we use to hang them."

    Nice to know that Microsoft, after complaining for years that open source was insecure because anyone could see the code, is now providing same to Russia. Nothing quite like putting quarterly profits above national security.

    --
    The society for a thought-free internet welcomes you.
  12. Re:Buildable? by tibman · · Score: 4, Insightful

    How can the Russians trust the source code to a binary if they can't compile and compare the binaries?

    --
    http://soylentnews.org/~tibman
  13. How the worm turns.... by zkiwi34 · · Score: 3, Insightful

    It wasn't all that long ago when dear old Bill Gates et al were claiming in front of the DoJ that giving anyone (their competitors) access to Windows code would be a threat to national security. Fast forward to now and it appears that either the truth changed a whole lot or for some reason national security interests are served by giving China and Russia and who knows, maybe even the French access to Windows source.

    The new Windows, our most secure OS ever!! Well...