Microsoft Lets EU Governments Inspect Source Code For Security Issues
itwbennett writes: Microsoft has agreed to let European governments review the source code of its products to ensure that they don't contain security backdoors, at a transparency center in Brussels. The second of its kind, the new center follows on the heels of the first, built last June in Redmond, Washington. Part of Microsoft's Government Security Program, the company hopes the centers will create trust with governments that want to use Microsoft products. "Today's opening in Brussels will give governments in Europe, the Middle East and Africa a convenient location to experience our commitment to transparency and delivering products and services that are secure by principle and by design," said Matt Thomlinson, Vice President of Microsoft Security.
Can they (the governments) compile from source?
It took a while but Microsoft finally has come around to supporting open source!
How could they even understand the code if they don't have an expert capable enough to tell them how stupid this is? Unless the governments are allowed constant access to the source and also the possibility to compile any configuration they choose and need, this "inspection" serves absolutely no purpose.
Yeah, we promise this is the actual complete code that gets compiled... Honest...
Not that I'm a conspiracy theorist, I have no opinion either way as to what Microsoft may have in their code, but seeing some source code does not help 'trust'. You'd need to be able to have the source code AND compile it yourself!
So a few people can spend a bit of time looking through hundreds of millions of lines of code? How is that useful?
Microsoft Shared Source is not new. Universities have been using genuine Windows source code in research projects for 14 years now.
And who would trust MS not to show one version of the software and deliver something compiled from slightly different sources? Remember MS is more than happy to turn over dissidents' emails to the Chinese government. MS will say: "We follow all applicable laws in the countries where we operate." So what are the US laws about spying on anyone outside the country? I think it is required under NSLs.
And of course we use that exact source code to build what we ship. Promise.
Hurry up, guys, the code will escape to freedom as soon as it reaches the cloud!
Look but don't touch.
Is this really the source code to the binaries we're using?
hahaha, but of course it is!
Help build the anti-software-patent wiki
This is nothing new. The Shared Source Initiative has gone on for years, and provides access to the source of Microsoft products to governments, OEMs, large customers etc.
The difference here is that they are providing it at what they call a "transparency centre", which I suspect is to minimise the danger of the source getting released to the public so we all can inspect the code.
Are they going to be able to roll their own run of compiles of the inspected code for government use? No? Then how does inspecting the code that they claim is compiled to Windows prove there's no backdoor?
The first four-five words showed me there was nothing there to read, only a lot of words to do it. So I skipped completely.
How does it feel to have spent so much effort whinging to have it all wasted?
probably be finished sometime before the sun burns out
do these transparency centers use to assert that binaries delivered to end-users are not changed? Unless you can build the complete ISOs from these sources and compare them to the ISOs delivered to end-users, how can you be sure?
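The objection in the two comments above (seeing the source proves nothing about the shipped binary unless you can rebuild it and compare) is the reproducible-builds argument. The following is an added example, not code from the article, from Slashdot or from Microsoft: a small stdlib-only Python model in which a "build" is a tar archive, the source tree is a constructed two-file dict, and the function names (`reproducible_build`, `nonreproducible_build`, `verify_delivery`) are this example's own. It shows that a reviewer holding the sources can only vouch for a delivered artifact by rebuilding and comparing digests, that a one-byte change in the sources used for the shipped build is caught that way, and that the check is useless when the build itself is not reproducible.

```python
import hashlib
import io
import tarfile
import time
import uuid


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact; this is the value an auditor compares."""
    return hashlib.sha256(data).hexdigest()


def reproducible_build(sources: dict[str, bytes]) -> bytes:
    """Package the sources into a tar archive with every piece of build-environment
    metadata pinned: sorted entry order, zero mtime, fixed owner and mode.
    The same sources therefore always yield byte-identical output, so anyone
    holding the reviewed sources can reproduce the digest of the shipped artifact."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(sources):
            data = sources[name]
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mtime = 0
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def nonreproducible_build(sources: dict[str, bytes]) -> bytes:
    """Same packaging, but with a build timestamp and random build id stamped in,
    as many build systems do by default. Two honest builds of identical sources
    now differ, so an auditor's digest never matches the vendor's and the
    comparison tells you nothing either way."""
    stamped = dict(sources)
    stamped["BUILD_INFO"] = f"built-at={time.time_ns()} build-id={uuid.uuid4()}".encode()
    return reproducible_build(stamped)


def verify_delivery(sources: dict[str, bytes], delivered: bytes) -> dict:
    """Rebuild from the reviewed sources and compare against what was shipped.
    A mismatch means the shipped artifact came from different sources or from
    a non-reproducible build; either way, source review alone does not vouch
    for the binary the users actually run."""
    rebuilt = reproducible_build(sources)
    return {
        "rebuilt_sha256": sha256_hex(rebuilt),
        "delivered_sha256": sha256_hex(delivered),
        "matches": rebuilt == delivered,
    }


# Constructed sample "source tree" standing in for the reviewed code.
SOURCES = {
    "kernel/sched.c": b"int schedule(void) { return 0; }\n",
    "net/tcp.c": b"int tcp_send(const char *b, int n) { return n; }\n",
}

if __name__ == "__main__":
    honest = reproducible_build(SOURCES)
    print("rebuild matches honest delivery:", verify_delivery(SOURCES, honest)["matches"])

    # Vendor ships a build whose sources differ from the reviewed ones by one byte.
    altered = dict(SOURCES)
    altered["net/tcp.c"] = altered["net/tcp.c"].replace(b"return n;", b"return 0;")
    print("rebuild matches altered delivery:", verify_delivery(SOURCES, reproducible_build(altered))["matches"])

    # Even an honest build cannot be verified when the build is not reproducible.
    a, b = nonreproducible_build(SOURCES), nonreproducible_build(SOURCES)
    print("two honest non-reproducible builds agree:", sha256_hex(a) == sha256_hex(b))
```

The same comparison applied to a real operating system ISO needs the entire toolchain, not just the sources, pinned the same way, which is the part a read-only viewing room cannot provide.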
No, it's not free. Install it and after 30 days suddenly it locks you out. Want to keep using it? Must provide Microsoft with your identity.
Unless there is a way to audit everything, and I mean EVERYTHING, from within one's computer, there is hardly a point in doing an audit based only on trust, is there?
Also, I guess, auditing code is not enough, you would have to make sure that Microsoft doesn't tamper with your system at any point in time, so that would require that you have complete oversight over what control Microsoft has from a distance as it connects with your Windows OS, and also requiring that you can keep track of EVERYTHING that connects with your computer.
Surely, this must be so?
And also I do not trust ANY European government to guarantee the safety, security or privacy needs that I might have now or at some point in time onwards.
you mean lets EU governments add backdoors
First they squander my tax money by buying crap from (not only) Microsoft.
Then they squander my tax money by auditing source code Microsoft *says* was used to compile the binaries. As a collateral, they help Microsoft fixing bugs.
Mood: pretty pissed off.
Let's not forget Skype! It belongs to Microsoft and had backdoors added years ago. 2010, IIRC
It sure is strange, because those backdoors were confirmed years ago. Why is Skype still usable in the EU?
For those who also hate the video bits, just add these 2 filter lines to your Adblock Plus filters.
slashdot.org##.units-12.river-group
slashdot.org##.vid-river-header
NSA has made deals to tap directly into the Hardware. This is nothing.
Facepalm.
You don't even need EU to verify the lack of backdoors. Microsoft itself strives to create a product without backdoors. If one would be found, it would greatly hurt their business.
Has there ever been a backdoor in Windows or other Microsoft products? No.
I'm just tired of the paranoid attitude that all commercial software provides automatically want to screw you. No. They want to create a product that you want to buy. I'm sure you don't want to buy a product that has backdoors.
The main reason for going with closed source is not hiding malicious stuff, but that it allows making money with software. Open source works only if you have something else to sell along it.
Microsoft has agreed to let European governments review the source code of its products to assure that they don't contain security backdoors, at a transparency center in Brussels.
Open source software has agreed to let anyone review the source code to ensure that they don't contain security back doors, at transparency centers everywhere.
As if I'd trust my government to be sure the software I use doesn't have the back doors they paid to have put in.
Let alone the fact that you can't be assured that the source code you get to see is actually the one they use to build the final product, I'm also left with the question of third-party software that is included in MS products. Will these have their source code also available for inspection? Can't imagine those companies will allow MS to do that. And if you can't look at those products' source code, how can you be sure there is nothing going on in those?
On a long enough timeline, the survival rate for everyone drops to zero.
The cynic in me thinks the NSA/GCHQ will use this as an opportunity to engineer more 0-day malware for their own use. Much easier if you can have eyes on the code...
A picture is worth exactly 1024 words.
From recent revelations, it's more likely the governments are looking for easier ways to break into citizens' computers.
I just sent an Email to Bruce Schneier on this issue and I guess it makes sense to add it to this discussion:
Hello Bruce,
I see you recently took part in the crypto and cyber war discussion.
I think it is important to look at history: Military Intelligence/General Staffs have been covertly reading letters probably since letters were sent by courier. Something like 1550 A.D. or probably earlier. The U.S. general staff were reading telegrams since the 1920s. The Austrian Empire had a "black chamber" for covertly opening and re-sealing letters 200 years ago. So did the British and the Russians. Maria Stuart was sentenced to death on the basis of an opened letter sent to an agent provocateur. The U.S. gained a superior negotiating position by reading ciphered Japanese telegrams in the 1920s in the fleet size limitation talks.
Now, I am quite positive we COULD design+build un-hackable operating systems, CPUs, USB-like interfaces, ethernet interfaces, RAMs and so on. See the L4 operating system, which attempts to prove correct the entire operating system kernel. INRIA has attempted to mathematically prove correct a C compiler.
Also, we need to get rid of using the C language ASAP. In practical use it is a hellhole of insecurity. Both Apple and Mozilla are doing excellent work with the Swift and Rust languages. These languages are "memory safe", which eliminates about 50% of exploits in the CVE database.
BUT - if there were a truly secure computer/OS/compiler on the free market, this would enable everybody to build encrypted communications endpoints, a.k.a. "cipher machines". The U.S. general staff would be mightily offended by millions of Arabs having a "strong" cipher machine in their homes. So they currently facilitate the subversion of the Windows, Linux, OSX, iOS, Solaris kernels by covert means (double-paid software engineers in these projects).
We all know this is a dangerous thing and the "cyber war domain" is essentially un-controllable.
Still, we need to address the "strong cipher machine" issue, or they (governments/general staffs) will continue to subvert commercial IT systems.
So maybe "key escrow" would not be a too bad thing after all. Because that would enable the respective(!) national intelligence/police agencies to look into communications without having to resort to making operating systems and hardware insecure.
For example, if you make an HTTPS connection from America to Egypt, both the NSA and Egyptian intelligence would get a copy of your HTTPS session key. It would be encrypted once with the public key of the NSA and once with the public key of Egypt's intelligence service. Both key-cryptograms would be sent along with the HTTPS session.
If you sent a message inside Germany, only the BND or BKA (something like the FBI) would receive your HTTPS session key.
As long as the IT thinkers are dogmatic about this issue, the government will simply run over our interests.
Kind regards
XXXXXXXXXXXX
I can see it now - EU gets a nice clean shiny new OS from Microsoft. The next Tuesday a patch is released, MSNSAUS-007 Critical. In the fine print:
"This patch will allow a friendly U.S. operator to cause code to execute on the computer of a user. Such code could take any action that the user himself could take, including but not limited to creating, changing or deleting data, or communicating with an external web site."
Left MS Windows for Linux Mint and never looked back!
Vote for Bernie in 2016!
They should make the source available via an ftp server, much cheaper than this fancy Brussels center and then you get the 'many eyes' advantage too.
B.t.w., in part of Brussels it's likely called a 'centre'.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
Reading that last sentence I sprayed coffee all over my desk. Secure by design?? Are you fucking kidding me? How does that munchkin explain the cottage industry that's sprung up around exploiting "flaws" in compiled Microsoft code; more to the point, the other cottage industry that's sprung up to deal with those "flaws"? And I'm not talking about AV/AM exclusively here, I'm talking about those whose mantle they've adopted as troubleshooters, whose only job is damage limitation when what ostensibly doesn't exist (security holes galore) hoses a day's, or a week's, or a month's worth of data.
(don't think Apple or the GNU community have been let off here either, I'll mention them because they're as guilty but they're not the subject under discussion).
Is this really about back-doors or bugs exposing entrances?
In any case, are the representatives of governments really the ones you should be showing your source code to? Seems to me that some of these people have a vested interest in keeping any exploits they find secret to their own intelligence agencies, to be used later on targets (possibly their own citizens) to intrude and exploit.
I think I've said this before, if they really want to gain our confidence they need to let the users choose someone to inspect their source and demonstrate its validity against published binaries.
nah, you've got it wrong
1. Nobody except the Greeks will give a major fuck if Greece defaults. The impact on global economy will be as minimal as the impact of Greece economy on the rest of the world. The people of Greece will be screwed, though.
2. You forgot to mention that the Greeks recently elected an incompetent government consisting mostly of morons. If Greece defaults, then this will be so despite all efforts by the EU to the contrary (and boy, they are trying...) and primarily because of nonexistent negotiation and bargaining skills of the Greek government.
I very much hope that Greece does not default. Just sayin'...
Viewing the source is one thing... But if you can't build your own version with the source you monitor, then it's useless to have the source beforehand, except for finding bugs.
See subject: Exploits on ANDROID (a Linux) anyone?
There's a decade++ of them out there after all!
* Funny now you all can't "hide" behind "security-by-obscurity" anymore since SmartPhones using ANDROID brought you all out into the "hacker/cracker spotlight" so-to-speak, eh?
(NOW - you DO *truly* make an interesting case-in-point for me as well with your 'business-case' being made - the ONLY case for ANDROID being used is keeping COSTS PER UNIT of each smartphone down, nothing more... & that IS about it + the truth itself, even according to your lights!)
APK
P.S.=> All those YEARS of Anti-MS "FUD" from the "Open SORES" crew around here came CRASHING DOWN AROUND YOUR EARS what-with the years of "Windows != Secure, Linux = Secure" OUTRIGHT LIES spouted here after the above FACT in my subject... apk
...the relevant back-door code just has to have an EXPORT license required of it such that the binary can be shipped but the code itself can't be reviewed.
Put it in a required portion, and you have a great calamity set up. Of course, it'll also be evident that something is being hidden.
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
I mean with a restrictive license that most people would not classify as open-source? Something like "you can download the source and build the OS, but you can not use it without paying us"? Or maybe just open-source some core components (the kernel, the drivers, all security-sensitive stuff) without the stuff that makes it usable (the GUI and the CLI), with the same conditions as I mentioned before?
I am serious here, I want to know what would be the implications.
there is something cool about this: ... one could even go as far as saying that manufacturer is "giving a helping hand" ^_^
with closed-source products a Zer0 day gets its own "vault". it is not fixable except by the manufacturer. the monetizing period is historically longer.
makes sense to invest (your time) in finding zer0-days in closed-source software if you're criminally inclined
While bashing Microsoft is fun on Slashdot, this is standard operating procedure for most companies. Sign an NDA with entity X (government, military, whatever), make preparations for onsite visit, assign one of your lead developers and project managers to do a dog and pony show while representatives from said entity are onsite.
Am I missing something here?
.. adding the backdoors after the inspection?