Slashdot Mirror


Microsoft Opens Source Code To KGB's Successor Agency

Jack Spine writes "Microsoft has struck a deal with the Russian government which will give the FSB, successor to the KGB, access to the source code for Windows 7, among other products. The agreement is an extension of Microsoft's Government Security Program, according to a source with links to the UK government."

15 of 187 comments

  1. security holes of releasing source code by Anonymous Coward · · Score: 5, Insightful

    yay, so now the Russians will know all the holes in Windows 7 and how to exploit them, no?

    1. Re:security holes of releasing source code by TheRaven64 · · Score: 5, Interesting

      They've already provided it to the Chinese (and the British, not sure who else). That means that the Russians and Chinese can look for and exploit holes in Windows. Last I heard (which, admittedly, was around 2002), the source code that they provide is not enough to build a complete Windows system, and the license does not permit building it, only reviewing it, so this only lets you find (but not fix) accidental flaws, not malicious ones.

      Basically, they get all of the disadvantages of open source security, but none of the advantages.

      --
      I am TheRaven on Soylent News
    2. Re:security holes of releasing source code by roystgnr · · Score: 5, Funny

      Yeah, but Russia probably signed the same "We promise to hack Google first" agreement that China did, so from Microsoft's perspective it's win/win.

    3. Re:security holes of releasing source code by cappp · · Score: 4, Informative

      Russia is just being added to a rather long list of countries in this regard. Playing a little link-hopping tells us that both NATO and 30 countries (including the UK) have made similar deals with Microsoft, albeit in reference to older technology. I would assume that all of those entities have similar updates to their agreements.

    4. Re:security holes of releasing source code by mlts · · Score: 4, Interesting

      Isn't it coincidental that the Chinese intelligence who received the source code suddenly had a lot of new Windows based 0-days and used them against US companies, Google mainly?

      The blackhats have the source and can look for bugs and errors that they can exploit at will. The whitehats have to guess or blindly firewall, hope that there are no remote exploits, and put a lot of resources into perimeter security.

      Maybe this is just another impetus for people and companies to move to UNIX based operating systems. Even a closed source offering like HP-UX or OS X (the pieces that are not open-sourced in Darwin or elsewhere) has been around such a long time that glaring show-stopper bugs are rare, and are usually limited to local exploits. This isn't to say things are perfect, but an exploit from remote like ssh is extremely rare on the UNIX side. To boot, UNIX variants have been getting a lot better at security, having ASLR, DEP, SELinux/AppArmor security policies, and other items to limit damage and spread of compromised code.

    5. Re:security holes of releasing source code by morgan_greywolf · · Score: 5, Insightful

      Do you really think most countries have any interest in reviewing all the code in Windows?

      If you can't compile the code into a working binary using the same compiler that was used to produce the production binary because you're missing parts, then you can't be sure that the source code you have represents the binary you're using. You have to take Microsoft's word for it, and it's not like the rep you're talking to is the actual guy who manages the build, so even he doesn't actually know for sure.

      An incomplete set of source is absolutely useless for a true security audit.

  2. Available as a Torrent in 3... 2... 1... by Xtense · · Score: 4, Insightful

    Available as a Torrent in 3... 2... 1...

    --
    "We are the music makers, and we are the dreamers of dreams [...]."
  3. I'm sure this will turn out well by linzeal · · Score: 5, Interesting

    I'm more afraid of the FSB selling or having the code stolen from them by Russian hackers than the FSB actually doing anything. They are mostly incompetent hacks either leftover from the 90's or put there to be yes-men to Putin policy. Putin would not stack the deck against himself so he has cut out most of the intelligence in the intelligence agencies, that is why you get things like the recent spy swap debacle where they could not even penetrate a PTA meeting let alone the Pentagon.

  4. FSB is not "the" successor to the KGB by the linux geek · · Score: 5, Interesting

    The FSB is approximately a third of the total KGB capability, with the FSO and SVR being the other legs of the triumvirate. The FSB, being the replacement for the former First Chief Directorate, is mostly responsible for internal security (counterintelligence, counterterrorism, counterinsurgency, action against dissenters.) I don't see how this deal with Microsoft could possibly threaten the US or US interests, except possibly in a peripheral way.

  5. In Soviet Russia... by yanyan · · Score: 5, Funny

    I give up. This is too easy.

  6. Trust, Interesting World by Bob9113 · · Score: 4, Interesting

    It is an interesting world in which a United States company trusts Russian spies more than it trusts United States citizens.

  7. Successor agency by TrixX · · Score: 5, Funny

    Shouldn't the successor to KGB be called LHC... oh!

  8. Re:Buildable? by Shados · · Score: 4, Informative

    Probably not. It is not all that uncommon for Microsoft to open its source. I mean, it doesn't happen everyday, but they have special facilities for that purpose alone.

    It may have changed, but back when I saw it, it was basically a web based code browser that doesn't allow the more simple copying features (like no export and stuff obviously).

    If it's still what they use, then it definitely cannot (realistically) be built.

  9. As Stalin said by gillbates · · Score: 5, Insightful

    Wasn't it Stalin who said, "The capitalists will sell us the rope we use to hang them"?

    Nice to know that Microsoft, after complaining for years that open source was insecure because anyone could see the code, is now providing same to Russia. Nothing quite like putting quarterly profits above national security.

    --
    The society for a thought-free internet welcomes you.
  10. Re:Buildable? by tibman · · Score: 4, Insightful

    How can the Russians trust the source code to a binary if they can't compile and compare the binaries?

    --
    http://soylentnews.org/~tibman