Slashdot Mirror


Microsoft Lets EU Governments Inspect Source Code For Security Issues

itwbennett writes: Microsoft has agreed to let European governments review the source code of its products to ensure that they don't contain security backdoors, at a transparency center in Brussels. The second of its kind, the new center follows on the heels of the first, built last June in Redmond, Washington. Part of Microsoft's Government Security Program, the company hopes the centers will create trust with governments that want to use Microsoft products. "Today's opening in Brussels will give governments in Europe, the Middle East and Africa a convenient location to experience our commitment to transparency and delivering products and services that are secure by principle and by design," said Matt Thomlinson, Vice President of Microsoft Security.

18 of 143 comments

  1. Can they compile from source? by Anonymous Coward · · Score: 3, Insightful

    Can they (the governments) compile from source?

    1. Re:Can they compile from source? by hughbar · · Score: 3, Interesting

      Yes, exactly. Being old and cynical, that was my thought too. Show source 'A' but compile from source 'B'. Then we'll truly 'experience their commitment to transparency', won't we?

      The good thing about this is that UK government has made some fairly strong statements about considering open source when purchasing, for example: https://www.gov.uk/service-man... and I think they're a little concerned.

      --
      On y va, qui mal y pense!
    2. Re:Can they compile from source? by Anonymous Coward · · Score: 4, Informative

      Nope. They have to consult the code on dedicated workstations and it is forbidden to bring in a laptop or mobile phone.

      Source: Belgian public television website (in Dutch)

    3. Re:Can they compile from source? by Lonewolf666 · · Score: 2

      Visual Studio being free is nice, but that alone won't help here.

      At the very least, one would have to
      1) audit the source code for back doors
      2) compile the applications and Windows versions to be checked for backdoors from that source
      3) and then
      -either distribute the self-compiled programs within the organization
      -or compare the hash values of the self-compiled programs to those bought from official sources.

      --
      C - the footgun of programming languages
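      Step 3 of the procedure above, comparing hashes of a self-compiled tree against the binaries shipped by the vendor, as an added example (this is not code from the thread). It builds two small constructed directory trees in a temporary location and reports which files match, which differ, and which exist in only one tree.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_builds(self_built: Path, vendor: Path) -> dict:
    """Compare a self-compiled tree against the vendor-shipped tree.

    Returns three sorted lists:
      'match'    - same relative path, identical digest
      'mismatch' - same relative path, different digest (needs investigation)
      'missing'  - present in only one of the two trees (vendor-only files matter most)
    """
    mine, theirs = hash_tree(self_built), hash_tree(vendor)
    common = mine.keys() & theirs.keys()
    return {
        "match": sorted(p for p in common if mine[p] == theirs[p]),
        "mismatch": sorted(p for p in common if mine[p] != theirs[p]),
        "missing": sorted(mine.keys() ^ theirs.keys()),
    }


def demo() -> dict:
    """Constructed sample: one identical file, one differing file, one vendor-only file."""
    with tempfile.TemporaryDirectory() as tmp:
        mine, theirs = Path(tmp, "self_built"), Path(tmp, "vendor")
        for root in (mine, theirs):
            os.makedirs(root / "bin")
            (root / "bin" / "same.exe").write_bytes(b"MZ identical build output")
        (mine / "bin" / "diff.exe").write_bytes(b"MZ built from the audited source")
        (theirs / "bin" / "diff.exe").write_bytes(b"MZ shipped binary, not byte-identical")
        (theirs / "bin" / "extra.dll").write_bytes(b"MZ only present in the shipped package")
        return compare_builds(mine, theirs)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

      The comparison only means anything if the build is reproducible; a vendor binary carrying an embedded code signature will not hash identically to an unsigned self-build even when the code is the same, so the signature must be stripped or the comparison made on the signed region before a mismatch is treated as evidence.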
    4. Re:Can they compile from source? by Tatarize · · Score: 4, Insightful

      Can they compile it on site and get the hash codes from it, or export the compiled binaries back somewhere to check them out?

      Because if not, this is entirely bullshit.

      Just remove the backdoors from the source and show them the source without all the backdoors. See, no backdoors, or reason to suspect the compiled binaries you get are the ones compiled from that source.

      --
      It is no longer uncommon to be uncommon.
    5. Re:Can they compile from source? by michelcolman · · Score: 3, Informative

      Also, good luck finding the back doors if they were written by contestants in the underhanded code contest.

    6. Re:Can they compile from source? by El+Lobo · · Score: 3, Interesting

      Does that apply to your Ubuntu/Mint/Caldera....(add your fav distro here) as well? How can you be sure that the binaries you are using are compiled from the source they are distributing? Or do you compile your distro yourself after reviewing every line of code? useful idiot!

      --
      It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
    7. Re:Can they compile from source? by Z00L00K · · Score: 2

      Unless they can throw a machine analysis on the code as well as manual inspection, it's useless.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  2. Useful, or an empty gesture? by tgv · · Score: 3, Insightful

    So a few people can spend a bit of time looking through hundreds of millions of lines of code? How is that useful?

    1. Re:Useful, or an empty gesture? by tgv · · Score: 2

      Come on!

      $ grep -rEiH "back ?door" .

  3. Delivered versus reviewed by ebonum · · Score: 3, Insightful

    And who would trust MS not to show one version of the software and deliver something compiled from slightly different sources? Remember MS is more than happy to turn over dissidents' emails to the Chinese government. MS will say: "We follow all applicable laws in the countries where we operate." So what are the US laws about spying on anyone outside the country? I think it is required under NSL's.

  4. Re:Just one rule by rtb61 · · Score: 2

    Now if you are going to have to spend all that money to audit code that you then have to buy in binary form, why not simply invest the audit cost and that licence fee in managing free open source code instead? What possible benefit is there in throwing away money on licence fees only to have to spend huge sums of money to audit the code associated with those closed source binaries? In the end, it's still a hollow exercise because of course you are not compiling the code you audited and still have no idea at all about what is in the binaries, just the claimed source code.

    This all in the hope that the NSA/CIA back doors will say NSA/CIA back door insert password here, rather than be a complex hidden bug 'er' feature that can be exploited to achieve that back door. This in turn purposefully planted by NSA/CIA agents working inside of M$ and every other major software company (whether full timers or paid contractors or extorted criminals).

    --
    Chaos - everything, everywhere, everywhen
  5. It's not an interest for Microsoft either by jones_supa · · Score: 3, Insightful

    You don't even need EU to verify the lack of backdoors. Microsoft itself strives to create a product without backdoors. If one would be found, it would greatly hurt their business.

    Has there ever been a backdoor in Windows or other Microsoft products? No.

    I'm just tired of the paranoid attitude that all commercial software providers automatically want to screw you. No. They want to create a product that you want to buy. I'm sure you don't want to buy a product that has backdoors.

    The main reason for going with closed source is not hiding malicious stuff, but that it allows making money with software. Open source works only if you have something else to sell along it.

    1. Re:It's not an interest for Microsoft either by jones_supa · · Score: 2

      No, they don't think otherwise. The main income for those Linux companies comes from support and deployment services.

  6. Re:Just one rule by gtall · · Score: 3, Insightful

    Errr...I'm certainly no MS apologist, but maybe companies insist on using MS because all their homegrown apps and store bought apps run on MS? If your organization has $1 Billion invested in MS Malware, it isn't an easy sell to shareholders or company execs that you need to spend another $1 Billion or more rebuilding just so you can feel at peace with FOSS. There needs to be a business case.

    Ah, but you say, invest the $1 Billion now and never have to pay MS again. Correct. Now put a money figure on precisely how much it will cost the company to do FOSS rather than MS. More importantly, how will doing this increase or decrease profits? Be specific; real figures are necessary to make a business case, as well as documentation on the methodology used to do the analysis. BTW, is that analysis vetted? How good is it? How do we determine this? What will it cost to determine this?

    But, but, but....you can audit FOSS for free. Yes, now please staff up to audit FOSS and be able to explain how the findings will contribute to the success of your company. Please be sure to include the cost of the audit. And since you are into auditing, this is a gift that keeps on giving: you'll be wanting to audit forever more.

    Most companies will just say screw it, hand me the MS Malware and let's get back to business.

  7. The NSA will be drooling... by worip · · Score: 2

    The cynic in me thinks the NSA/GCHQ will use this as an opportunity to engineer more 0-day malware for their own use. Much easier if you can have eyes on the code...

    --
    A picture is worth exactly 1024 words.
    1. Re:The NSA will be drooling... by silas_moeckel · · Score: 2

      What makes you think they do not have it now?

      --
      No sir, I don't like it.
  8. Headline is totally wrong by DoofusOfDeath · · Score: 3, Insightful

    From recent revelations, it's more likely the governments are looking for easier ways to break into citizens' computers.