Background: I used to work at a government security testing / certification lab.
It's actually worse than the above posted stated.
If Microsoft is cooperating with the NSA in the name of national security, it will be nearly impossible for the chinese to detect any cleverly planted backdoors, even with full access to source code. Why?
1. Who said the source code is functionally equivalent to the binary?
2. Even if it is, if the source will only compile with a Microsoft supplied compiler, who says the compiler hasn't been subverted to insert
backdoors into the source code? Ken Thompson (used this attack to put backdoors into Unix)
3. Access to the compiler source code? But
if it only compiles itself, the binary compiler can still subvert the newly compiled one. So how do you verify source code / binary equivalence?
4. Even if the chinese have some magic way to
solve the preceding points, detecting deliberately obfuscated backdoors in the source code can be made VERY VERY difficult. Imagine
a backdoor[s] deliberately distributed across
millions of lines of code.
5. Do the chinese realize how secure a default installation of windows is? Not very. So now you have to audit a continuing stream of updates, for the same clever subversions described earlier.
6. Even without deliberately planted backdoors, Windows is littered with holes. The level of sophistication of those that have been discovered and published (without access to source code) have been very basic. This strongly implies poor programming rigor on Microsoft's part from a security standpoint. So there are probably thousands, if not tens of thousands of security holes in Windows.
Unix was developed in the early 70s, it's been opensource for a while, and a community process has gradually discovered increasingly sophisticated class of security vulnerability. Windows doesn't have that community process. It enjoys access to the techniques developed by the security community,
but not their effort.
7. The complexity of Windows is mindboggling,
and it's very poorly designed from a security standpoint. Everything is overly complex and bloated. Even the security APIs are overly complex and bloated. And that's supposed to be a feature! Unless the chinese have secretly been
developing magic auditing technologies far beyond the state of the art the rest of the world has, they have NO WAY of subduing that complexity and producing a secure version of Windows to use.
8. Since Windows is simply poorly designed (security-wise), producing a secure version would
require substantial high-level changes. Doing that while keeping backwards compatibility, ease-of-use, etc. would be very expensive, even for Microsoft which has 40 billion spare cash lying around. Ain't gonna happen.
Conclusion: The chinese aren't stupid, they realize all of the above. So the real reason
they're auditing Windows is:
1. to find security holes for their own nefarious purposes, in the OS the world's only
superpower (not to mention the rest of the world) is using in military, government and commercial networks. I highly doubt the Chinese
will publish anything they find on the security mailing lists.
2. Chinese intelligence could easily have gotten access to Windows source code before (spys, hackers, leaked Microsoft shared source initiatives). They could compare that with the official version given to them by Microsoft, assuming Microsoft and the NSA were stupid enough about editing the source code to remove the obvious NSA backdoor.
Then again, perhaps everything is just as innocent as it seems. Microsoft isn't cooperating with the NSA. The Chinese really do want to use Windows, and will publish everything
they find in a friendly manner to the rest of us.
The New scientist writer clearly has no understanding of how TCP/IP or the Internet work in general and how Caltech's FAST could improve data transfer efficiency. His sensationalist claims that this could enable downloading a dvd in seconds are so much ignorant crap. 6000x faster than broadband? That has more to do with the fact they used an INCREDIBLY FAT PIPE (a 10gigabit connection), probably in a laboratory setting, than any of FAST's optimizations. It's true TCP/IP's efficiency maxes out at a certain rate, but that doesn't really matter in the real world, because nobody is actually downloading movies from dedicated 10gigabit links to the backbone. Not to mention that you won't see anyone serving anything at these speeds for the next decade or so. I wonder what this suggests about the accuracy of articles on subjects I know nothing about. It's an academic curiosity folks.
Slashdot Mirror
It's actually worse than the above posted stated.
If Microsoft is cooperating with the NSA in the name of national security, it will be nearly impossible for the chinese to detect any cleverly planted backdoors, even with full access to source code. Why?
1. Who said the source code is functionally equivalent to the binary?
2. Even if it is, if the source will only compile with a Microsoft supplied compiler, who says the compiler hasn't been subverted to insert backdoors into the source code? Ken Thompson (used this attack to put backdoors into Unix)
3. Access to the compiler source code? But if it only compiles itself, the binary compiler can still subvert the newly compiled one. So how do you verify source code / binary equivalence?
4. Even if the chinese have some magic way to solve the preceding points, detecting deliberately obfuscated backdoors in the source code can be made VERY VERY difficult. Imagine a backdoor[s] deliberately distributed across millions of lines of code.
5. Do the chinese realize how secure a default installation of windows is? Not very. So now you have to audit a continuing stream of updates, for the same clever subversions described earlier.
6. Even without deliberately planted backdoors, Windows is littered with holes. The level of sophistication of those that have been discovered and published (without access to source code) have been very basic. This strongly implies poor programming rigor on Microsoft's part from a security standpoint. So there are probably thousands, if not tens of thousands of security holes in Windows.
Unix was developed in the early 70s, it's been opensource for a while, and a community process has gradually discovered increasingly sophisticated class of security vulnerability. Windows doesn't have that community process. It enjoys access to the techniques developed by the security community, but not their effort.
7. The complexity of Windows is mindboggling, and it's very poorly designed from a security standpoint. Everything is overly complex and bloated. Even the security APIs are overly complex and bloated. And that's supposed to be a feature! Unless the chinese have secretly been developing magic auditing technologies far beyond the state of the art the rest of the world has, they have NO WAY of subduing that complexity and producing a secure version of Windows to use.
8. Since Windows is simply poorly designed (security-wise), producing a secure version would require substantial high-level changes. Doing that while keeping backwards compatibility, ease-of-use, etc. would be very expensive, even for Microsoft which has 40 billion spare cash lying around. Ain't gonna happen.
Conclusion: The chinese aren't stupid, they realize all of the above. So the real reason they're auditing Windows is:
1. to find security holes for their own nefarious purposes, in the OS the world's only superpower (not to mention the rest of the world) is using in military, government and commercial networks. I highly doubt the Chinese will publish anything they find on the security mailing lists.
2. Chinese intelligence could easily have gotten access to Windows source code before (spys, hackers, leaked Microsoft shared source initiatives). They could compare that with the official version given to them by Microsoft, assuming Microsoft and the NSA were stupid enough about editing the source code to remove the obvious NSA backdoor.
Then again, perhaps everything is just as innocent as it seems. Microsoft isn't cooperating with the NSA. The Chinese really do want to use Windows, and will publish everything they find in a friendly manner to the rest of us.
Right.
See caltech's press release on FAST for an article that actually makes sense.
Also, could someone please explain to me why boringly predictable stereotypical slashdot feedback is being modded up?
"Whoa! Faster pr0n!"
"Imagine a beowolf cluster of these!"
-Insert completely unrelated Microsoft bashing post here-
-Insert completely unrelated technobabble from some geek posting out of their ass (without reading the article first)-
News for nerds. Stuff that matters. Discussion that doesn't.