Slashdot Mirror


Microsoft Opens 'Transparency Center' For Governments To Review Source Code

MojoKid writes with news that Microsoft has announced the opening of a 'Transparency Center' at their Redmond campus, a place where governments who use Microsoft software can come to review the source code in order to make sure it's not compromised by outside agencies. (The company is planning another Transparency Center for Brussels in Belgium.) In addition, Microsoft announced security improvements to several of its cloud products: As of now, Outlook.com uses TLS (Transport Layer Security) to provide end-to-end encryption for inbound and outbound email — assuming that the provider on the other end also uses TLS. The TLS standard has been in the news fairly recently after discovery of a major security flaw in one popular package (gnuTLS), but Microsoft notes that it worked with multiple international companies to secure its version of the standard. Second, OneDrive now uses Perfect Forward Secrecy (PFS). Microsoft refers to this as a type of encryption, but PFS isn't a standard like AES or 3DES — instead, it's a particular method of ensuring that an attacker who intercepts a particular key cannot use that information to break the entire key sequence. Even if you manage to gain access to one file or folder, in other words, that information can't be used to compromise the entire account.
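The summary's description of Perfect Forward Secrecy can be made concrete. Forward secrecy is a property of the key exchange: when session keys come from an ephemeral (EC)DHE exchange, later compromise of the server's long-term key does not let an attacker decrypt recorded sessions, which is exactly why the key exchange, not the cipher, decides whether a suite qualifies. The following is an added example, not code from the article or from Microsoft: it classifies OpenSSL-style cipher suite names by key exchange and builds a client-side SSLContext that refuses to negotiate non-forward-secret TLS 1.2 suites. The suite names in SAMPLE_SUITES are constructed for illustration.

```python
"""Forward-secrecy checks for TLS cipher suites.

Added example (not from the Slashdot post or from Microsoft): classifies
cipher suite names by whether their key exchange is ephemeral, and builds a
client-side SSLContext that will not offer anything else.
"""
import ssl

# Constructed sample of cipher suite names in OpenSSL's naming convention.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",   # ephemeral ECDH: forward secret
    "DHE-RSA-AES256-GCM-SHA384",     # ephemeral DH: forward secret
    "AES256-GCM-SHA384",             # static RSA key transport: not forward secret
    "TLS_AES_256_GCM_SHA384",        # TLS 1.3 suite: always ephemeral, forward secret
    "ECDH-ECDSA-AES128-SHA",         # static ECDH (no trailing E): not forward secret
]


def forward_secret(suite: str) -> bool:
    """True if the suite's key exchange is ephemeral.

    OpenSSL names TLS 1.2 suites with the key exchange first: "ECDHE" and
    "DHE" are ephemeral; "ECDH"/"DH" without the trailing E, or no prefix at
    all (RSA key transport), use a static key whose compromise decrypts every
    recorded session. TLS 1.3 suite names start with "TLS_" and the protocol
    only permits ephemeral exchanges.
    """
    if suite.startswith("TLS_"):
        return True
    kex = suite.split("-")[0]
    return kex in ("ECDHE", "DHE")


def classify(suites):
    """Split suite names into (forward_secret, not_forward_secret)."""
    good = [s for s in suites if forward_secret(s)]
    bad = [s for s in suites if not forward_secret(s)]
    return good, bad


def pfs_only_context() -> ssl.SSLContext:
    """Client context that only offers ephemeral key exchange for TLS 1.2.

    TLS 1.3 suites are configured separately by OpenSSL and are already
    forward secret, so they remain enabled.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def context_is_pfs_only(ctx: ssl.SSLContext) -> bool:
    """Check every suite the context would offer for forward secrecy."""
    return all(forward_secret(c["name"]) for c in ctx.get_ciphers())


if __name__ == "__main__":
    good, bad = classify(SAMPLE_SUITES)
    print("forward secret:    ", good)
    print("NOT forward secret:", bad)
    print("context offers only forward-secret suites:",
          context_is_pfs_only(pfs_only_context()))
```

The classifier is deliberately name-based so it can be run over a cipher list captured from a server scan or a configuration file; the context check is the server-side counterpart a defender would apply to their own deployment before claiming forward secrecy.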

13 of 178 comments

  1. What's the point? by Anonymous Coward · · Score: 5, Insightful

    Governments shouldn't be using closed source garbage to begin with. It just locks them into a specific company and keeps them at their mercy, not to mention that even if the government reviews the source, the public can't do the same. Not a good message to send.

    1. Re:What's the point? by Anonymous Coward · · Score: 2, Insightful

      The alternative is for governments to use open source software and manage software development and maintenance themselves (or contract it out). Looking at fumbling attempts at any IT project from just about any government I wouldn't trust their competence enough to extend them more responsibilities.

    2. Re:What's the point? by Anonymous Coward · · Score: 0, Insightful

      >Governments shouldn't be using closed source garbage to begin with.

      Yeah, they should be using buggy open sourced garbage instead, like OpenSSL and Heartbleed.

    3. Re:What's the point? by jeIlomizer · · Score: 1, Insightful

      Whether you know it or not (And frankly, if you don't know that Microsoft's products are buggy and full of security holes, you're profoundly ignorant.), the same is true of proprietary software. In fact, it's probably worse, since it's much more difficult to see the code and fix it. At any rate, using a single example and holding it against open source in general is extremely idiotic.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.

    4. Re: What's the point? by cyber-vandal · · Score: 3, Insightful

      Some of the most expensive IT failures in history have come from contracting it out to the amazingly efficient do no wrong private sector.

    5. Re:What's the point? by Dr_Barnowl · · Score: 4, Insightful

      And who says they build their binaries from those sources? The backdoors are probably kept in a separate branch and merged with the release branch at build time...

    6. Re:What's the point? by donaldm · · Score: 3, Insightful

      Providing the source code for Microsoft software to governments sounds like a PR exercise. You would need the appropriate government representatives to be able to understand the source code for starters, as well as being able to test it and to certify that a specific build and updates are actually from that source code. Personally I can't see that actually happening, especially if said representatives have to sign a Non-Disclosure Contract.

      Still, I am quite sure Microsoft PR will state that this is our source code and "Trust Us", this compiles to make the binaries you are using, and I am quite sure many government representatives will be quite satisfied with this since they are effectively "locked in" to using Microsoft products anyway and it (to them) is a better alternative to using that "Communist" Linux thingy :)

      --
      There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.

  2. Code vs Binaries: Big Difference by Anonymous Coward · · Score: 5, Insightful

    Who cares if you can look at the code? What matters is what you're running.

    Looking at the code gives you nothing if you can't compile it to the exact same binary that you are running.

    And even if they let you do that... you still need to trust the compiler, and the compiler that compiled that compiler, etc.

  3. ...and.. by JustNiz · · Score: 4, Insightful

    >> a place where governments who use Microsoft software can come to review the source code

    Where's the proof that the source code you see is exactly the same as that which gets compiled to make the Windows you buy?

    Also does anyone else find it as highly suspicious as me that this center is only open to governments?

  4. How to prove the source code maps to the binary? by Vellmont · · Score: 4, Insightful

    So.. Microsoft lets governments of the world look at the source code at its special center, and then double-dog-swears that there's nothing fishy going on between then and compiling the source code, like, say, a patch applied somewhere in the build process? Riiiight.

    If you WERE to put a backdoor in, that's probably how it'd be done. Would you really want a backdoor explicitly in the code for a developer to find? Of course not, you'd put in something only a few people know about. The secret to secret keeping is limiting the amount of people who know.

    The other way to hide the backdoor is to make it a hard to find bug. Plausible deniability is quite high.

    I have to believe this is good news though. It means a lot of foreign governments are suspicious of closed source software, to the point where Microsoft has had to announce a plan to make their code however less closed source.

    --
    AccountKiller

  5. Re:Intended Consequence? by exomondo · · Score: 2, Insightful

    1/ How can observers know that the source code shown results in the compiled binary sold?

    Compile the code and compare the binaries?

    2/ How can observers know that, when compiled, the compiler does not introduce vulnerabilities?

    Same way you would for open source software: inspect the compiler code.

    3/ Would not a malicious observer use the knowledge of the source to look for vulnerabilities for their intelligence agencies to exploit later?

    Maybe.

    4/ As a private citizen, how can I be assured of or against all the above if I and a number of expert friends cannot also look at the source?

    You can't, but then you can't practically do it in the open source world either. At some point you have to trust somebody; if you don't, then the simple answer is don't use the product. I inspect a lot of open source software, but it's mostly for interest's sake. I don't pretend to understand the full scope of it, much less the 3rd party libraries or the compilers or OS I run it on, or the drivers for the hardware, or the physical hardware, or the microcode within that hardware (where I can even get to it). You have to trust far too many people to consider things safe, even when using open source software.
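Comments 2, 4 and 5 all circle the same check: "compile the code and compare the binaries". That comparison only proves anything if the build is deterministic, because two honest builds of identical source that differ from each other make any mismatch against the shipped binary uninformative. The block below is an added example, not code from the thread or from Microsoft. It stands in a source tree with a constructed dictionary, "builds" it into a zip archive in a deterministic way (sorted file order, fixed timestamps and permissions) and in a naive way (embedding the build time), and shows a verifier that first establishes reproducibility and only then compares SHA-256 digests against what the vendor shipped, including the case Dr_Barnowl raises of a source change the reviewer never saw. The tree contents, FIXED_TIMESTAMP and the build functions are all assumptions made for the illustration.

```python
"""Reproducible-build check: does the source you were shown produce the
binary you run?

Added example (not from the Slashdot thread): a deterministic build of a
constructed source tree, a deliberately non-deterministic one, and a
verifier that rebuilds from the reviewed source and compares digests with
the shipped artifact.
"""
import hashlib
import io
import time
import zipfile

# Constructed source tree standing in for the code shown to reviewers.
SOURCE_TREE = {
    "src/main.c": b"int main(void){return 0;}\n",
    "src/util.c": b"int helper(int x){return x*2;}\n",
    "README":     b"constructed sample\n",
}

FIXED_TIMESTAMP = (1980, 1, 1, 0, 0, 0)   # zip epoch: identical on every build


def reproducible_build(tree: dict) -> bytes:
    """Deterministic build: sorted file order, fixed timestamps and mode bits,
    so identical sources always give byte-identical output."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path in sorted(tree):
            info = zipfile.ZipInfo(path, date_time=FIXED_TIMESTAMP)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16      # fixed permissions
            zf.writestr(info, tree[path])
    return buf.getvalue()


def naive_build(tree: dict) -> bytes:
    """Same sources, but ZipFile stamps the current time on each entry and a
    build stamp is embedded, so two builds of identical code never match."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path in sorted(tree):
            zf.writestr(path, tree[path])
        zf.writestr("BUILD_STAMP", repr(time.time_ns()).encode())
    return buf.getvalue()


def digest(blob: bytes) -> str:
    """SHA-256 hex digest of a build artifact."""
    return hashlib.sha256(blob).hexdigest()


def verify_shipped(shipped: bytes, tree: dict, build) -> dict:
    """Rebuild twice from the reviewed source with the given build function.

    Reproducibility is a prerequisite: if the two rebuilds disagree with each
    other, a mismatch against the shipped binary says nothing about whether
    the source is the one that was compiled.
    """
    first, second = build(tree), build(tree)
    reproducible = digest(first) == digest(second)
    return {
        "reproducible": reproducible,
        "matches_shipped": reproducible and digest(first) == digest(shipped),
        "shipped": digest(shipped),
        "rebuilt": digest(first),
    }


if __name__ == "__main__":
    vendor_binary = reproducible_build(SOURCE_TREE)

    # Honest vendor, deterministic build: rebuild matches.
    print("deterministic:", verify_shipped(vendor_binary, SOURCE_TREE, reproducible_build))

    # Non-deterministic build: the check cannot even be performed.
    print("naive:        ", verify_shipped(vendor_binary, SOURCE_TREE, naive_build))

    # A change merged into the build that reviewers were not shown.
    tampered = {**SOURCE_TREE, "src/main.c": b"int main(void){return 1;}\n"}
    print("tampered:     ", verify_shipped(reproducible_build(tampered), SOURCE_TREE, reproducible_build))
```

The verifier reports the two digests alongside the verdict so that a reviewer can record them; the separate "reproducible" flag is what distinguishes "the vendor's source does not match" from "this build process cannot be checked at all". The compiler-of-the-compiler concern from comment 2 is out of scope here: this check bounds what happens between the reviewed source and the artifact, not what the toolchain itself does.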

  6. Seriously? by NewtonsLaw · · Score: 4, Insightful

    Who the hell is going to sit down and scan a few million lines of source code with Microsoft looking over your shoulder and hope to spot a backdoor or two in the process?

    Even then, how can you be sure that the source code they show you is the stuff you're actually running?

    What a PR stunt this is!

  7. Re:Better way for Microsoft to earn trust by exomondo · · Score: 5, Insightful

    Hundreds of legacy code developed for Windows platform using Windows development tools run only on XP and are not supported by 7 or 8.

    So not only have you tied yourself to a particular version of a proprietary OS that - as we all know from previous experience - has a limited lifetime but you chose to do that by using proprietary software that won't run on anything else and you didn't think there might be a problem with that? Seriously? If you cut corners then you're going to get burned.