Slashdot Mirror
Microsoft Opens 'Transparency Center' For Governments To Review Source Code
MojoKid writes with news that Microsoft has announced the opening of a 'Transparency Center' at their Redmond campus, a place where governments who use Microsoft software can come to review the source code in order to make sure it's not compromised by outside agencies. (The company is planning another Transparency Center for Brussels in Belgium.) In addition, Microsoft announced security improvements to several of its cloud products:
As of now, Outlook.com uses TLS (Transport Layer Security) to provide end-to-end encryption for inbound and outbound email — assuming that the provider on the other end also uses TLS. The TLS standard has been in the news fairly recently after discovery of a major security flaw in one popular package (gnuTLS), but Microsoft notes that it worked with multiple international companies to secure its version of the standard. Second, OneDrive now uses Perfect Forward Secrecy (PFS). Microsoft refers to this as a type of encryption, but PFS isn't a standard like AES or 3DES — instead, it's a particular method of ensuring that an attacker who intercepts a particular key cannot use that information to break the entire key sequence. Even if you manage to gain access to one file or folder, in other words, that information can't be used to compromise the entire account.
Governments shouldn't be using closed source garbage to begin with. It just locks them into a specific company and keeps them at their mercy, not to mention that even if the government reviews the source, the public can't do the same. Not a good message to send.
Ken Thompson on trusting trust. http://cm.bell-labs.com/who/ke...
Who cares if you can look at the code? What matters is what you're running.
Looking at the code gives you nothing if you can't compile it to the exact same binary that you are running.
And even if they let you do that... you still need to trust the compiler, and the compiler that compiled that compiler, etc.
Perfect Forward Secrecy? Why not call it Excessive Hubris Before Fuckup? Eventually something is going to be more "perfect" even if the thing is quite good.
As plain text on a US branded OS at the end of the fancy new encryption.
With all the legal obligations in the telco sector all products have to be wiretap-friendly.
CALEA obligations should be very clear to the rest of the world by now. The options presented under CISPA should have been noted too.
Your email, video chat, text, chat will end up as a neat industry standard format for law enforcement use. There will be no going dark on any US product shipped.
"FBI: We need wiretap-ready Web sites - now" (5 May 2012)
http://www.cnet.com/au/news/fb...
Domestic spying is now "Benign Information Gathering"
Don't force bloatware on hapless customers. XP was 1.2GB. XP with SP2 was about 2GB. XP with SP3 is about 7GB. And now Microsoft claims XP is so insecure it cannot be patched anymore, so customers have to buy a new OS which weighs in at 20GB.
Cut all the crap and come clean. Release the entire source code for XP if you are not going to patch it. Or keep quiet and prepare to be unbelieved even if you speak the truth.
If you keep throwing chairs, one day you'll break windows....
>> a place where governments who use Microsoft software can come to review the source code
Where's the proof that the source code you see is exactly the same as that which gets compiled to make the Windows you buy?
Also does anyone else find it as highly suspicious as me that this center is only open to governments?
So.. Microsoft let governments of the world look at the source code at your special center, and then double-dog-swears that there's nothing fishy going on between then, and compiling the source code, like say a patch applied somewhere in the build process? Riiiight.
If you WERE to put a backdoor in, that's probably how it'd be done. Would you really want a backdoor explicitly in the code for a developer to find? Of course not, you'd put in something only a few people know about. The secret to secret keeping is limiting the amount of people who know.
The other way to hide the backdoor is to make it a hard to find bug. Plausible deniability is quite high.
I have to believe this is good news though. It means a lot of foreign governments are suspicious of closed source software, to the point where Microsoft has had to announce a plan to make their code however less closed source.
AccountKiller
This is nothing more than security theater. We know of the NSA_KEY in Windows 95. All they need to do is to give Microsoft an NSA letter to install backdoors and they will do so. Just like Google and everyone else. I am surprised that anyone would fall for this.
That is a great PR move, since the US government has recently been as effective as the New Coke campaign at promoting US companies abroad.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
Its the old crypto hardware trick. You can look at all the messages as sent you like. Its encryption perfection for that decade/generation. :)
The plain text is from the tempest (emission security) friendly keyboard.
The only magic is getting your gov to buy the system and then use it for years
ie buying the system is the way in. Every trapdoor and backdoor is crafted around what the buyer might be aware of.
Domestic spying is now "Benign Information Gathering"
1/ How can observers know that the source code shown results in the compiled binary sold.
Compile the code and compare the binaries?
2/ How can observers know that when compiled the compiler does not introduce vulnerabilities.
Same way you would for open source software: inspect the compiler code.
3/ Would not a malicious observer use the knowledge of the source to look for vulnerabilities for their intelligence agencies to exploit later.
Maybe.
4/ As a private citizen how can I be assured of or against all the above if I and a number of expert friends cannot also look at the source.
You can't, but then you can't practically do it in the open source world either, at some point you have to trust somebody, if you don't then the simple answer is don't use the product. I inspect a lot of open source software but it's mostly for interest sake, I don't pretend to understand the full scope of it, much less the 3rd party libraries or the compilers or OS I run it on or the drivers for the hardware or the physical hardware or the microcode within that hardware (where I can even get to it), you have to trust far to many people to consider things safe even when using open source software.
To give some context into user's response to Microsoft's products, Windows 8 market share just decreased. Comparative figures showed that Windows XP share went up. That's right, the just discontinued OS is doing better then they current system.
I can't help but point that this is one of a painful series of mistakes that all happen when Ballmer was in charge. The question for the future of Microsoft is whether he was in command so long that they will never recover.
Why is Snark Required?
Never give anyone so much as a glimpse of your source code unless you are writing open source software and you are part of an open source program. It's just not clever for a business person to do. You are throwing away the crown jewels! Let them guess. Let them “eat static.”
The purpose of existence is to make money.
Who the hell is going to sit down and scan a few million lines of source code with Microsoft looking over your shoulder and hope to spot a backdoor or two in the process?
Even then, how can you be sure that the source code they show you is the stuff you're actually running?
What a PR stunt this is!
1. Government shouldn't use anything proprietary and the US should follow its own rules (AMD exists because gov't rules requirements, why not Microsoft compatible-competitors?)
2. Vendor lock-in always leads to over-pricing and government waste (also, see #1)
3. Microsoft did a deal with the devil (US Government) and now wants to regain trust. Sorry Microsoft. Not going to work.
And did anyone miss the work facebook has been doing with government? Holy crap. Not only is their censorship completely to the left, they are conducting psych experiments at the request of the US government. I personally avoid the social networking sites and [almost] always have.
(I have used LinkedIn due in no small part to my previous employer reducing its staff by over 90% Oh yeah, now I can talk about it too! Turns out the Fukushima incident and subsequent lies, deception, inaccuracies and omissions run pretty deep and even found its way to my former employer, a Mitsubishi company. Anyway, LinkedIn... i was checking that from my mobile device and it made mobile pages unusable through CSS and insisted I use an app. I loaded the app and agreed to whatever and the next thing I knew LinkedIn grabbed my whole addressbook and pulled it into their servers. I can't say whether they used the data to spam others, but I can say they used it to "suggest links" to my profile. That's pretty dirty and disgusting.)
Trust is a difficult thing these days... a fragile thing. And I hope companies everywhere, large and small, learn that lesson. They can learn the hard way or they can be good and decent people asking themselves "would I want someone doing this to me?!" (Just like government gun confiscation -- the answer is NO. The government wouldn't allow the citizens to take their guns, so why should the citizens allow government to take theirs?) Of course, too few people care about golden rules of morality because the world is run by psychopaths. Psychopaths think they can just buy trust. That may have been true, but the pendulum has reached its furthest point and is about to swing back the other way. Microsoft and others are only now figuring that out.
You can't compare binaries for Microsoft's attempt at a C compiler. If you use the /GS (IIRC) flag, Microsoft will insert a different random value just before the return address of a function so any buffer overrun will change it.
/GS only allocates space for a random value, the random value isn't computed at compile time.
For smaller governments, below he the bottom three or more, you would be quite right. In total though, they have to trust whatever the fuck they use.
This is nothing but a feel-good publicity stunt, designed to offset international suspicions that Microsoft works a little too closely with the NSA.
Pick your favorite product: Windows 7? Office? SQL Server? IIS? It doesn't matter, you are talking about millions of lines of source code. No government, or government contractor will have the expertise, time an money to analyze such a mass of code. They will be utterly dependent on Microsoft to point them to the core routines responsible for whatever they're interested in. Say, email encryption.
However, there is no way they will be able to verify that the code provided is really the code used, than no code called before or after it compromises the security, etc, etc.. It is also unlikely that they will update or repeat the audit with every new release, patch or update of the product.
Microsoft must be feeling the pinch - a few too many international contracts being cancelled...
Enjoy life! This is not a dress rehearsal.
Microsoft is still operating under NSL restraints. That means the NSA has the keys anyway.
TLS doesn't work that way, the implementation trusts, and uses, whatever keys it's told to trust (via certificates). And that's the problem, while most implementations will allow you to manage your own certs, for example by creating self-signed certs, the Windows implementation will only trust certs from commercial CAs. You know, Diginotar, Trustwave, Comodo, those sorts of guys. So you can't just generate and manage your own keys and certs but are forced to pay, and trust hundreds of external CAs to manage your certs (and by extension keys) for you.
The summary's description of PFS is a complete clusterfuck, of course (this is /. so *obviously* the summary is going to be technically inaccurate, right?). Yours (LordLimecat) is more accurate, but the full concept isn't that hard so I'll explain it below.
First, some quick basics of TLS (I'm leaving out a lot of details; do *NOT* try to implement this yourself!):
Here's the scenario where PFS matters, and why it is "perfect":
Here's where it gets interesting:
It is this property, where the secrets needed to recover an encryption key are destroyed and cannot be recovered even if one party cooperates with the attacker, which is termed Perfect Forward Secrecy. Note that PFS doesn't make any guarantees if the crypto is attacked while a session is in progress (in this case, the attacker could simply steal the symmetric key) or if the attacker compromises one side before the session begins (in which case they can impersonate that party, typically the server). It is only perfect secrecy going forward.
There's no place I could be, since I've found Serenity...
1/ How can observers know that the source code shown results in the compiled binary sold.
You don't. You never do. What you do is build a system on trust. However in the legal world there is a difference. If I give you a closed source binary with a back door I have all sorts of excuses for you. "Our code review system broke down." "It was an unpatched bug." "We assume no liability, you accepted our licence agreement, right?"
But if you look at the source code and determine yourself it's not backdoored, and yet I put a back door in the final product, that would be an incredibly clear cut case of criminal fraud.
Microsoft is giving other governments the possibility to install their own backdoors by cooperating in special "transparency centers", provided they pay for it and are buying enough Microsoft products instead of switching to open source alternatives.
Correct! It would be a remarkably stupid stack canary (which is a security measure) otherwise. Since the value would be the same on everybody's computer, you'd only need to find it once and then when you overflow the buffer be sure to write the canary value back as it was!
Instead, getting past stack canaries is considerably more difficult than that. It's possible, of course, with the right vulnerabilities... but it's *harder* and sometimes a program that would be exploitable without them (using the vulnerabilities known at the time) just isn't exploitable with them.
There's no place I could be, since I've found Serenity...
For highly reliable code, knowing that the code you review is the code you compile with is vital both for stability and security. This can't be done by visual inspection: it requires good provenance at every stage of the game.
This is actually a security problems with many opensource and freeware code repositories. The authors fail to provide GPG signatures for their tarballs, or to GPG sign tags for their code. So anyone who can steal access can alter the code at whim. And anyone who can forge an SSL certificate can replace the HTTPS based websites and cause innocent users to download corrupted, surreptitiously patched code or tarballs.
I'm actually concerned for the day that someone sets up a proxy in front of github.com for a localized man-in-the-middle attack to manipulate various targeted projects.
Just like with "wired equivalent privacy" that we laugh at now? I'd say both have the stench of marketing and excessive hubris.
By itself, that doesn't create a backdoor, but anything compiled using the tainted binary could potentially have a backdoor secretly added, even though the source code for both that code and the compiler would appear to be perfectly clean.
...And solutions against this do exist:
A. Deterministic building.
All software were security is important (Tor, Truecrypt, Bitcoin, to mention a few who practicise this approach) have clear procedures designed to compile a binary in a perfectly repeatable form. A rogue compiler would be easy to detect, because it won't create the same binary as everybody else.
B. Comparing compilers.
Use a small collection of different compilers (a few version of GCC, a few other of LLVM, etc) to compile a compiler whose source you trust (say, a security-reviewed and approved GCC 4.9).
From this point on, you can already compare the output of each of these "GCC 4.9-as-compiled-by-other" by compiling a few test code and see if they matches. Look if any of the test codes has backdoors injected.
- Now you already know which compiler you can trust
Then use that compiler (I mean the multiple versions produced by the various compilers of the first step) to bootstrap it self (you end-up with several version of "GCC 4.9 as compiled by GCC 4.9", each with a different starting point).
Normally all these last step compilers should be more or less similar (see "deterministic" building to reduce the amount of random differences). A rogue compiler will notably stand out.
- Now you have trusted environment, compiled by a trusty compiler.
Seems complicated, but as I've said, people in critical niches (Tor, Truecrypt, Bitcoin) are already doing exactly that.
That raises tremendously the bar of what the governments need to back-door software (virtually any modern compiled need to be compromised, as well as numerous tools around them. Forget one obscure thing somewhere, and someday a researcher or hobbyist will notice discrepencies)
I think most of us are already familiar with this sort of attack, but it's worth repeating, since it's exactly the sort of thing that Microsoft's "Transparency Centers" don't address, and exactly the sort of thing we'd be expecting a government to be doing.
Yup. The first most important thing is to determine a clear procedure how to take the official source and rebuild the same binaries that everybody is having.
(i.e.: you should be able to check out the source, hit recompile and end-up with an installation CD that is indistinguishable from the retail one. So you know you're actually check the real source, and not some decoy put here for you, while a different backdoor-infested version is getting distributed to your government).
And as you say that excatly NOT what microsoft is doing.
Also, having only 2 centers world-wide, where only government mandated devs are invited severly limits the research exposure of the code.
I'm ready to predict that the only real results will be.
- Big security people who don't happen to be sent by a government won't have a look at the code, and probably several shortcomings will never get seen. The end result won't be as secure as if you let the OpenBSD devs create a LibreDows(*) fork with a "Valhalla Rampage" treatment on it.
- Some black hat will manage to slip through the checks, leak the source. It will get passed around on under ground dark nets, and the next week you'll see an abominable explosion of 0-day exploits traded on the shadiest parts of the net.
---
(*): Only works when built on system with massive security counter-measures in their default C library. Like OpenBSD. Secured wrappers provided for Linux (those blissfully ignorant people). Go fuck yourself if you use some outdated os like old-school VMS (pre OpenVMS). Or if you use an outdated compiler like Visua... Oops. Damn!
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
/ How can observers know that the source code shown results in the compiled binary sold.
Compile the code and compare the binaries?
On your own hardware.
But, I guess, MS won't let them download the source code to their laptops, or these laptops would have to be destroyed after the review process.
If Pandora's box is destined to be opened, *I* want to be the one to open it.
The main advantages of free/libre open-source software is:
- source is available to review and hack upon for a WAY MUCH LARGER audience. It's "a few security reviewers cherry picked by a government" vs. "virtually anybody who has the time and resource to invest in it".
So you have a bigger pool from which to pick somebody who "is going to understand everything at every layer", or at least understand big enough parts of it, at a large enough number of layers, with enough overlap with the other "somebodies".
- the whole echo system is open. You can review lots of other stuff (compilers, libraries, etc.) You can have deterministic building to check if you really have the code that really produced the official binaries (that's already something that Tor, Truecrypt, Bitcoin, etc. are doing).
There's lot of things that you can do to check every piece of software that you need to trust.
Well of course, that's a lot work required. So in the end, you'll end up having to trust multiplt other people anyway. But at least, with opensource, that's a choice, and in any case you can do the checks your serlf (or more reallistically: ask someone you actually trust to do it for you. As in the current ongoing review of TrueCrypt, for example).
Whereas, no matter how motivated, with closed source software you'll always hit a wall. (Well microsoft gives you a peek at the windows code, but not necessarily all the rest needed to check full security).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
"Microsoft isn't implying that. They trying to convince customers they don't have NSA backdoors."
Yes this smells more like a PR move than anything else. Any government serious about security will roll out its own software stack, which unlike hardware costs practicallly nothing after the initial development. This will limit the attack vector to rogue chips.
...and just run on top of the Linux open source stack. Leave the kernel and security to the seasoned experts in the open source community. Contribute to Wayland or run your own graphical subsystem. (It can be closed source, not everyone is an opensource zealot.).
IMO the windows desktop is all anyone cares about - port it to Linux.
I don't see a problem with this.
It'd be interesting to see a non-US government try to convict Microsoft of criminal fraud for putting in a back-door. I'd imagine Microsoft could just wave away any lawsuit by declaring national security or "NSA made us do it, but we can't legally show you any proof".
You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
...multiple international companies... Like Nokia, Skype, Visio ...?
Puteulanus fenestra mortis
The real cost is the inability to contribute to any open-source project that covers similar ground.
I've been thinking about this whole security issue be it residential, commercial, government or other ...
The problem I see is that there is hardly any negative impact on the source of the breach, be it Microsoft's code, the incorrect implementation of their products, lack of diligence on IT departments, etc.
Recalling the Target hack, accusation from Congress that China hacked some computers, other major incidences, I don't see where those armed with hoes and rakes and torches are storming the source in an effort to identify culpability.
If this keeps up, it might be a boon to the United States Postal Service (and equivalent in other countries), fax machine sales, and mechanical credit card readers, as we begin to switch back to proven, low-tech solutions.
It little behooves the best of us to comment on the rest of us.
The secret to secret keeping is limiting the amount of people who know.
Not much of a secret now, is it?
Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
It's a good PR attempt, to address what they must perceive as a significant problem, but...
Good luck convincing companies to trust your cloud infrastructure with their data, when they know for a fact that the US government (and probably other governments) could compel you to grant them secret access at any time, regardless of whatever client-access protections are in place. If MS could solve that massive security flaw, I'd be impressed; anything less is just polishing the proverbial turd.
The other way to hide the backdoor is to make it a hard to find bug. Plausible deniability is quite high.
Reading a huge codebase is an unlikely way to spot backdoors anyway. After a few thousand lines the reader's eyes would glaze over, and anything subtle would be missed. This isn't as easy as looking for two-digit year fields a la Y2K reviews.
Besides, the Heartbleed bug should have been a clue that open source alone doesn't make security issues "transparent". Somebody has to both read and understand the code to detect these things, and an OS like WIndows is so huge that nobody can understand the whole thing. Even a relatively small, specialized module like OpenSSL slid by for years without anybody noticing the problem.
Have you read my blog lately?
Unless they let you compile your own binaries and distribute them, this is utterly useless.
:-)
No text.
"Flyin' in just a sweet place,
Never been known to fail..."
This is why I now only use open source.
Yeah, because it's not like there have been any major security flaws found lying around for years in open source software lately.
If it's the government's job to review code, why not use OSS and have control as well as peace of mind? If they have experts capable of reviewing/understanding code, then wouldn't it be more productive to be using OSS so they could make changes that benefit themselves? Or BSD so they could own the solution? Being forced to review code to make sure it's safe pretty much eliminates the benefit* of the closed source software anyway.
*The benefit being that someone else is supposedly reliably curating the code for you, and you pay for that service
Twinstiq, game news
Unless governments can rebuild the released version of Microsoft products with said source code, they'll be fed a sanitized version of that source code, but not the original full code base needed to build the final binaries. Backdoors could still be added later at build time, so what's the point?
cpghost at Cordula's Web.
On trusting trust - K. Thompson, Bell labs. A classic.
Help stamp out iliturcy.
You don't need to convict. You just need to ban. Thinking that because Microsoft is a US based company makes them somehow immune is a ignoring the fact that they have been taken to task by foreign governments before, and have lost. Or have we forgotten why there was an "N" version of Windows XP?
I was giving an example of a name that became inappropriate and reading between the lines beyond that is a fools game.