Slashdot Mirror


Microsoft Opens 'Transparency Center' For Governments To Review Source Code

MojoKid writes with news that Microsoft has announced the opening of a 'Transparency Center' at their Redmond campus, a place where governments who use Microsoft software can come to review the source code in order to make sure it's not compromised by outside agencies. (The company is planning another Transparency Center for Brussels in Belgium.) In addition, Microsoft announced security improvements to several of its cloud products: As of now, Outlook.com uses TLS (Transport Layer Security) to provide end-to-end encryption for inbound and outbound email — assuming that the provider on the other end also uses TLS. The TLS standard has been in the news fairly recently after discovery of a major security flaw in one popular package (GnuTLS), but Microsoft notes that it worked with multiple international companies to secure its version of the standard. Second, OneDrive now uses Perfect Forward Secrecy (PFS). Microsoft refers to this as a type of encryption, but PFS isn't a standard like AES or 3DES — instead, it's a particular method of ensuring that an attacker who intercepts a particular key cannot use that information to break the entire key sequence. Even if you manage to gain access to one file or folder, in other words, that information can't be used to compromise the entire account.

8 of 178 comments

  1. Somebody has to do it by UrsaMajor987 · Score: 3, Interesting

    Ken Thompson on trusting trust. http://cm.bell-labs.com/who/ke...

  2. Re:What's the point? by AHuxley · Score: 4, Interesting

    At least then it's your own country's option. No colonial box or product to buy, then rent support for and beg for fixes.
    A domestic IT project at least offers your best experts to set standards and review the code.
    Other nations do not all fail at complex math, code, design or funding.
    Other nations may try to keep 5+ other countries out of a networked product as delivered.

    --
    Domestic spying is now "Benign Information Gathering"
  3. Re:...and.. by AHuxley · Score: 3, Interesting

    re: Where's the proof that the source code you see is exactly the same as that which gets compiled to make the Windows you buy?
    Your experts compile/test the code as they wish over time at the site. The end result is then known.
    A magic number is then produced as to the tested product on site. The application/suite as shipped then matches that same end test numbers.
    i.e. the applications do not have ~extra code added.

    --
    Domestic spying is now "Benign Information Gathering"
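The "magic number" check described in the comment above amounts to comparing a digest manifest of the locally compiled build against one taken from the shipped product. The example below is added here and is not Microsoft's or the commenter's code; it uses SHA-256 over a constructed set of files and reports added, missing and modified paths, which is the "no extra code added" condition the comment wants to verify.

```python
import hashlib
from pathlib import Path


def digest(data: bytes) -> str:
    """SHA-256 hex digest of one file's contents."""
    return hashlib.sha256(data).hexdigest()


def manifest_from_blobs(blobs: dict) -> dict:
    """Build a {relative path: digest} manifest from in-memory file contents."""
    return {path: digest(data) for path, data in blobs.items()}


def manifest_from_dir(root: str) -> dict:
    """Same manifest, but walked from a real build output directory on disk."""
    base = Path(root)
    return {
        p.relative_to(base).as_posix(): digest(p.read_bytes())
        for p in sorted(base.rglob("*"))
        if p.is_file()
    }


def compare_manifests(reference: dict, shipped: dict) -> dict:
    """Report every way the shipped build departs from the on-site reference build.

    'added' files are the case the comment worries about: code present in the
    shipped product that the audited source never produced.
    """
    ref_keys, ship_keys = set(reference), set(shipped)
    return {
        "added": sorted(ship_keys - ref_keys),
        "missing": sorted(ref_keys - ship_keys),
        "modified": sorted(k for k in ref_keys & ship_keys
                           if reference[k] != shipped[k]),
    }


if __name__ == "__main__":
    # Constructed sample builds (hypothetical file names, not a real product).
    reference = manifest_from_blobs({"app.exe": b"audited build",
                                     "lib.dll": b"audited library"})
    shipped = manifest_from_blobs({"app.exe": b"audited build",
                                   "lib.dll": b"patched library",
                                   "extra.dll": b"unexpected component"})
    print(compare_manifests(reference, shipped))
```

A matching manifest only shows that the shipped binaries are the ones the auditors built; it says nothing about the compiler or toolchain that built them, which is the point of the trusting-trust reference in comment 1.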
  4. Re:What's the point? by dotancohen · Score: 4, Interesting

    Governments shouldn't be using closed source garbage to begin with. It just locks them into a specific company and keeps them at their mercy, not to mention that even if the government reviews the source, the public can't do the same. Not a good message to send.

    Actually, the _real_ point here is that Microsoft is now implying, quite strongly, that open-source software is preferable for security, privacy, and other sensitive purposes.

    I hope the governments and other entities that this program targets are smart enough to read between the lines.

    --
    It is dangerous to be right when the government is wrong.
  5. Re:Better way for Microsoft to earn trust by jkrise · Score: 1, Interesting

    If you want to buy 20 machines today with a Windows OS, the only choice is Windows 8. Even though almost a billion PCs run XP, it is not possible to get a new machine with a legal licensed copy of XP without jumping through numerous hoops and shelling out loads of cash.

    Microsoft wants us to trust their word that it is not feasible to offer or support XP on new machines. This is not believable. Opening up the source code is the only way to prove or disprove Microsoft's version of the facts.

    Whether you agree or not is not important. Hundreds of legacy code developed for Windows platform using Windows development tools run only on XP and are not supported by 7 or 8. Customers are left with no choice but to rewrite code at great expense, often impossible since the vendors are no longer in business. In my view this represents a lock-in, whereby customers are forced to shell out large sums of money to obtain support for XP legally on new systems by investing in Enterprise Volume License Agreements and associated costs.

    --
    If you keep throwing chairs, one day you'll break windows....
  6. Re:What's the point? by viperidaenz · Score: 3, Interesting

    Microsoft isn't implying that. They're trying to convince customers they don't have NSA backdoors.

  7. Publicity stunt - not practical by bradley13 · Score: 1, Interesting

    This is nothing but a feel-good publicity stunt, designed to offset international suspicions that Microsoft works a little too closely with the NSA.

    Pick your favorite product: Windows 7? Office? SQL Server? IIS? It doesn't matter, you are talking about millions of lines of source code. No government, or government contractor, will have the expertise, time and money to analyze such a mass of code. They will be utterly dependent on Microsoft to point them to the core routines responsible for whatever they're interested in. Say, email encryption.

    However, there is no way they will be able to verify that the code provided is really the code used, that no code called before or after it compromises the security, etc., etc. It is also unlikely that they will update or repeat the audit with every new release, patch or update of the product.

    Microsoft must be feeling the pinch - a few too many international contracts being cancelled...

    --
    Enjoy life! This is not a dress rehearsal.
  8. Re:What's the point? by Dr_Barnowl · Score: 4, Interesting

    If you ask any IT team lead, the real reason is the usability and it-just-works qualities of the software.

    If you ask most IT team leads, the real reason is that they know that users in general treat computers like voodoo - perform a particular ritual a particular way, and you get the desired outcome. This lack of mental flexibility means that when someone learns a particular GUI they are not keen to change to a new one - which is the reason you get exactly the same inertia about switching to a new version of MS Office (viz. all that Ribbon hoo-hah) that you do for switching to another OS (with its other applications with other GUIs).

    This is the "usability" part of that statement. That's the reason that people railed so heavily against Windows 8. Why do you think MS invest so heavily in giving copies of their software to schools? Get those GUI rituals in people's heads.

    As for it-just-works... MS software does plenty of infuriating and irritating does-not-just-work things.

    * Linux : I can move a file while I have it open in an editor, and saving the file in the editor saves to the new location
    * Windows : Won't let you move the file

    Microsoft would solely have to lean on selling support and consultation services after that.

    I can imagine that terrifies them; presently, even if you pay for support, you get very little. You get better support for Windows and other MS software from the community. With popular OSS projects, you typically get good support from both the community and the authors, AND you get the ability to look at the source code to understand your problem better or even fix it (or hire a contractor to do this). This is one of the cornerstones of why I use OSS wherever possible in my technology stack - the larger the software company gets, the less my problems matter to them. IBM manages just fine in this model.

    Windows works today, out of the box.

    This is so untrue on so many levels.

    When I install Linux, it usually takes about 20 minutes, with no driver downloads (because I do my homework and buy compatible hardware). Most distros leave you with a machine that has a bunch of useful applications, out of the box.

    With Windows, I've had to hunt for drivers, download drivers, slipstream special drivers into special install disk images (so that the install can proceed far enough for the real drivers to be installed...). This is for machines that were sold with Windows and provided with install images. It literally took me all night to reinstall my wife's laptop (reboot! reboot! reboot!) after her office decided that because the Linux install didn't support their proprietary disk encryption program it wasn't suitable (never mind that it had perfectly good encryption on it anyway). And that's just for the core OS, never mind the vast list of applications that you have to add to make it even marginally useful.

    At that moment, the Linux guy will still be applying various fancy patches and trying out different distro and desktop environment combinations to see which works best.

    I use Linux for all my real, productive work on a daily basis, use stock packages for the vast majority of things, use the standard Ubuntu image, again, out of the box, without doing anything to it bar installing packages and configuring a few of the options a little.

    Unlike Windows, I don't need to tweak my install; if I move to another machine (say, a hardware replacement cycle), I can literally move the disk from one machine to another and keep on trucking - Windows throws the most epic tantrum imaginable if you try that. If I want to go crazy and upgrade to a new version of the OS, I back up my home folder, install the new OS, install the packages I had before with a single command, restore my home folder and move over most of my files and config folders... and I'm off again. Again, if you try that on Windows, you're screwed, because mo