Microsoft Lets EU Governments Inspect Source Code For Security Issues

itwbennett writes: Microsoft has agreed to let European governments review the source code of its products to ensure that they don't contain security backdoors, at a transparency center in Brussels. The second of its kind, the new center follows on the heels of the first, built last June in Redmond, Washington. Part of Microsoft's Government Security Program, the company hopes the centers will create trust with governments that want to use Microsoft products. "Today's opening in Brussels will give governments in Europe, the Middle East and Africa a convenient location to experience our commitment to transparency and delivering products and services that are secure by principle and by design," said Matt Thomlinson, Vice President of Microsoft Security.

Can they compile from source?

[Anonymous Coward]

Can they (the governments) compile from source?

Re:Can they compile from source?

[Anonymous Coward]

Nope. They have to consult the code on dedicated workstations and it is forbidden to bring in a laptop or mobile phone.

Source: Belgian public television website (in Dutch) [deredactie.be]

Re:Can they compile from source?

[Tatarize]

Can they compile it on site and get the hash codes from it, or export the compiled binaries back somewhere to check them out?

Because if not, this is entirely bullshit.

Just remove the backdoors from the source and show them the source without all the backdoors. See, no backdoors, or reason to suspect the compiled binaries you get are the ones compiled from that source.

Re:

[michelcolman]

Also, good luck finding the back doors if they were written by contestants in the underhanded code contest [xcott.com].

Re:

[mystikkman]

That applies to open source too.

There some in plain sight in some of the most popular server software in the world like OpenSSL that were found really late.

Re:

[gweihir]

Which just shows that doing code review for security aspects is very, very hard. Under the condition MS offers, it is impossible in practice. Also take into account that a real code security review will often recommend doing some things differently without having identified a definite vulnerability, but just some potential risk, as doing it any other way usually is prohibitive effort-wise. Same goes for style and interfaces. A purely passive code review is almost never done, as it is extremely hard, causes

Re:

[dinfinity]

Wow, the most popular attacks of 2013 were pretty much all about exploiting the quirks of C.

Not trying to start a fight here, but the attacks I'm seeing would not be possible in Java (for instance). I'm also not implying that an OS should be written in Java (obviously). I was and am interested to what extent such underhanded code can be written in 'modern' higher-level languages. I found this when Googling:
http://incompleteness.me/blog/... [incompleteness.me]

Re:

[ei4anb]

Even then it would be easy to inject the backdoor when compiling as explained in the classic paper "KEN THOMPSON - 1984 - Reflections on trusting trust" https://www.ece.cmu.edu/~gange... [cmu.edu]

Re:

[david_thornley]

If you can compile the suspect compiler with another compiler (which doesn't have to be trusted, just independently suspicious), you can figure out whether the compiler implements Ken Thompson's trick.

Re:

[UnixUnix]

Mod parent up please; I was about to give this K. Thompson reference. _ Generally, a body of results stemming from the Unsolvability of the Halting Problem indicates no nontrivial program property can be algorithmically established with full certainty, surely not absence of backdoors. Anyway I should think injecting hooks into USB and hard drive firmware beats trying to do your dirty work in a Windows environment -- even Government gumshoes shouldn't be subjected to cruel and unusual punishment.

Re:

[NotInHere]

It only has to convince the average politician who has heard from OSS activists that with OSS you can "inspect" the source code, not the average slashdot user.

Re:

[sinij]

It took how many years of "inspections" to detect Heartbleed backdoor? Sure, theoretically OSS is harder to backdoor and harder to keep it secret, but in practice it isn't any different.

Re:

[gweihir]

Actually, it is. Because "years of inspection" would not have found that problem in closed source.

Re:

[sinij]

It would, by black box analysis. Sooner or later someone would detect strange behavior or specialized code in the malware and document it.

Key point I was trying to make - when detection is measured in YEARS, both systems fail. At that point, saying that Train Wreck A wasn't quite wreck-y when compared to Train Wreck B is a moot point.

Re:

[gweihir]

First, for "black box analysis" (which is not done in reality, far too inefficient) would have taken centuries at the same intensity for a problem of this nature. And second, creating mature software takes "years", and sometimes decades. The system did not fail, it is just that some people (like you) have completely unrealistic expectations.

Re:

[Anonymous Coward]

You have totally misunderstood the aim.

In order for open source to work to make source code secure you need "many eyes" looking at it, deliberately fixing buOpenand sharing what they find. Even in a true open source environment that's rare and happens only for the biggest projects (like Linux) or the one that care (OpenBSD / OpenSSH etc.). Windows is too big and Monolithic for the technique to work in any case.

All this does is allows EU governments to develop the same kind of spying techniques that are us

Re:

[istartedi]

Came here for this. Just one thing to add. Back-doors can come from places other than the source. You need to be able to inspect the compiler too, and build it from source. You need to be able to audit MS's complete build system as well. The code has to be in the millions of lines. Even if MS gives them everything they need, I doubt these governments have the time, money, and expertise to pull off such an audit.

Oh, and the day a patch goes out, all bets are off again.

Re:

[istartedi]

Forgot to mention--no discussion of this is complete without bringing up Ken Thompson [c2.com]

Re:

[Z00L00K]

Unless they can throw a machine analysis on the code as well as manual inspection it's useless.

Re:

[gweihir]

In other words, conditions under which it is completely impossible to review code of any size larger than trivial. Review of code for not well hidden backdoors is already very hard if you have your own equipment and tools. Looking for well-hidden backdoors is usually considered impossible or at the very least much more costly than re-writing the code from scratch with trusted people and that is when you have your own tools and environment to do the job.

This "opportunity" is no such thing, as purely by eye-b

Re:

[sodul]

How does that help? If the backdoor is hardcoded to be added in VS then you will not find the backdoor by scraping the 'disclosed' source code.
http://scienceblogs.com/goodma... [scienceblogs.com]

Re:

[Lennie]

Not only that a lot of source code isn't even reproducible, you can't just check the hash of the resulting file:

http://stackoverflow.com/quest... [stackoverflow.com]

Re:

[darkain]

Just to add a very specific note on the Visual C++ compiler: it uses multi-threading to compile. That is, one thread per CPU core, each thread is parsing a separate C/C++ source file from the tree. In this scenario, there is zero guarantee that each thread completes in a consistent order on a single machine, let along across different machines with different thread counts and architectures.

Re:

[spongman]

> Utter bullshit

actually, the compiler front-end (parser, etc...) is multi-threaded inside cl.exe which is usually passed multiple source files in one execution.

the back-end of the compiler (code-gen), which is actually run inside link.exe is also multi-threaded.

this is not parallel make, you get both levels of multi-threadedness from a single compiler command-line instantiation. Visual Studio does have project-level parallelism, but that's in addition to what's in the compiler/linker.

however, i do belie

Re:

[Lonewolf666]

Visual Studio being free is nice, but that alone won't help here.

At the very least, one would have to
1) audit the source code for back doors
2) compile the applications and Windows versions to be checked for backdoors from that source
3) and then
-either distribute the self-compiled programs within the organization
-or compare the hash values of the self-compiled programs to those bought from official sources.

Re:

[david_thornley]

What's Visual C++ written in? You'd need to compile it with another compiler avoid the Ken Thompson trick.

Visual Studio Community Edition not free

[Anonymous Coward]

No, it's not free. Install it and after 30 days suddenly it locks you out. Want to keep using it? Must provide Microsoft with your identity.

Re:

[KingMotley]

That is still free.

Re:Can they compile from source?

[hughbar]

Yes, exactly. Being old and cynical that was my thought too. Show source 'A' but compile from source 'B'. Then we'll truly 'experience their committment to transparency' won't we?

The good thing about this is that UK government has made some fairly strong statements about considering open source when purchasing, for example: https://www.gov.uk/service-man... [www.gov.uk] and I think they're a little concerned.

Re:

[Lennie]

The question is:

are they concerned about backdoors and such or are they just concerned about getting a better licensing deal ?

Re:

[hughbar]

Sorry, should have been clearer, I think Microsoft are concerned that UK government is taking open source more 'seriously' than previously. I live in Newham [a London borough] that 'nearly' switched to Linux, however everyone felt that it was probably a bargaining position rather than a real initiative. Now I think they're somewhat 'ready'. The irony is that in Canary Wharf, amongst the investment banks, not exactly hippies therefore, are full of all kinds of open source tools.

Re:

[dbIII]

An even larger irony is the linux based stuff that Halliburton have been selling to oil companies for close to twenty years.

Re:

[TheRaven64]

Yes, exactly. Being old and cynical that was my thought too. Show source 'A' but compile from source 'B'. Then we'll truly 'experience their committment to transparency' won't we?

It depends on the threat model that you care about. On the one hand, it is bad if there are intentionally and maliciously injected trojans. On the other hand, the Snowden disclosures have shown that this is rarely done - it's high risk and there are enough vulnerabilities in code that the NSA can exploit without needing to do anything active to the supply chain. Being able to find these and get MS to fix them is probably quite important.

My main objection to this is that I don't like to see tax money be

Re:

[TheRaven64]

The NSA or GCHQ (or any similar intelligence agency) almost certainly could insert a backdoor into MS software. Doing the same any other piece of proprietary software developed by people that they could easily blackmail would also be easy. There are a number of approaches that would work for open source too - there was a recent story about a lot of contributors to prominent projects hosted on GitHub having weak SSH keys, so compromising one of these from someone who hasn't committed in a long time and put

Re:Can they compile from source?

[El Lobo]

Does that apply to your Ubuntu/Mint/Caldera....(add your fav distro here) as well? How can you be sure that the binaries you are using are compiled from the source they are distributing? Or do you compile your distro youself after reviwing every line of code? useful idiot!

Re:

[Teun]

Sure, but then Linux with all it's variations is all but a monopoly.

Re:

[aNonnyMouseCowered]

"Or do you compile your distro youself after reviwing every line of code? useful idiot!"

No need to be melodramatic about it. With the Unix/Linux model of security, you don't need to review every line of code yourself unless you're a non-American intelligence agency (at which point you also need to xray the CPU for "hard"-coded backdoors).

Typically you need to "only" pore over the source code for the kernel and everything else that runs with root privileges (I know this is still a massive undertaking but si

Re:

[Anonymous Coward]

How can you be sure that the binaries you are using are compiled from the source they are distributing?

apt-build world (debian; rebuilds all packages from source)
emerge -e world (gentoo; rebuilds all packages from source)
make world (freebsd; well, they recommend a diff procedure now, but this is easy to type)
make world (openbsd)
.
.
And, of course all make it trivial to build select packages from source.

e.g., download source, compile it, build a package from it, and install it on Debian -
apt-get -b source package-name
dpkg -i the-package-file-we-just-created.deb

useful idiot!

So, you believe that the ability to validate sour

Re:

[mu51c10rd]

Does that apply to your Ubuntu/Mint/Caldera....(add your fav distro here) as well?

Did you really just mention Caldera [wikipedia.org]?

Re:

[juancn]

Even if the source were fine, they could have a backdoor in the compiler!

Re:

[koan]

"Can they (the governments) compile from source?"

I wager they can not, that takes control from M$.

Yeah, problem solved...

[Anonymous Coward]

How could they even understand the code if they don't have an expert capable enough to tell them how stupid this is? Unless the governments are allowed constant access to the source and also the possibility to compile any configuration they choose and need, this "inspection" serves absolutely no purpose.

Re:

[ron_ivi]

And how will the governments know if the binaries (of every single Windows Update) delivered match the source code.

Re:

[gweihir]

Compiling it by themselves, with compilers _not_ supplied by MS. That is actually the only way to do this. Of course, that will be impossible for the MS sources.

Re:

[jcwayne]

On a system you build from the silicon up with audited firmware and chip design.

Re:

[HiThere]

Well, trust isn't a single bit operation. More nearly a float. Actually, trust along a single dimension is reasonably considered a float, but there are multiple dimensions.

Yes, it's safer if you use your own trusted compiler. But it's also safer if you build your own CPU, and the rest of your computer. And I doubt that MS would have bothered to build a custom compiler that would hide back doors when it was compiling the MSWind OS. It clearly *could*, it's just unlikely. Of course, how unlikely you con

Useful, or an empty gesture?

[tgv]

So a few people can spend a bit of time looking through hundreds of millions of lines of code? How is that useful?

Re:

[NoNonAlphaCharsHere]

find . -type f -exec egrep -iH "backdoor|back door" {} \;

easy peasy.

Re:

[tgv]

Come on!

$ grep -riH "back ?door" .

Re:

[Anonymous Coward]

You must check the windows too.

Re:

[gweihir]

It is useful as a pure PR stunt. No other usefulness.

Real code review, in particular for backdoors, is expected to be a lot more expensive than re-writing the code from scratch with trusted people. And that is if you can use your own tools and environment for the analysis. On large code-bases, review for backdoors becomes completely impossible, even with tool support.

Re:

[gweihir]

Indeed. Yet there is no other way to do it or rather all other ways are a lot worse.

Delivered versus reviewed

[ebonum]

And who would trust MS not to show one version of the software and deliver something compiled from slightly different sources? Remember MS is more than happy to turn over dissidents' emails to the Chinese government. MS will say: "We follow all applicable laws in the countries where we operate." So what are the US laws about spying on anyone outside the country? I think it is required under NSL's.

Just one rule

[ciaran2014]

Look but don't touch.

Is this really the source code to the binaries we're using?

hahaha, but of course it is!

Re:

[rtb61]

Now if you are going to have to spend all that money audit code that you then have to buy in binary form, why not simply invest the audit cost and that licence fee in managing free open source code instead. What possible benefit is there in throwing away money on licence fees only to have to spend huge sums of money to audit that code associated with those closed source binaries. In the end, still a hollow exercise because of course you are not compiling the code you audited and still have no idea at all,

Re:Just one rule

[gtall]

Errr...I'm certainly no MS apologist, but maybe companies insist on using MS because all their homegrown apps and store bought apps run on MS? If your organization has $1 Billion invested in MS Malware, it isn't an easy sell to shareholders or company execs than you need to spend another $1 Billion or more rebuilding just so you can feel at peace with FOSS. There needs to be a business case.

Ah, but you say, invest the $1 Billion now and never have to pay MS again. Correct. Now put a money figure on precisely how much it will cost the company to do FOSS rather than MS? More importantly, how will doing this increase or decrease profits. Be specific, real figures are necessary to make a business case as well as documentation on the methodology used to do the analysis. BTW, is that analysis vetted? How good is it? How do we determine this? What will it cost to determine this?

But, but, but....you can audit FOSS for free. Yes, now please staff up to audit FOSS and be able to explain how the findings will contribute to the success of your company. Please be sure to include the cost of the audit. And since you are into auditing, this is gift that keeps on giving, you'll be wanting to audit forever more.

Most companies will just say screw it, hand me the MS Malware and let's get back to business.

Re:

[drinkypoo]

But, but, but....you can audit FOSS for free. Yes, now please staff up to audit FOSS and be able to explain how the findings will contribute to the success of your company.

Your argument exploded here. They're going to have to staff up to audit Windows, too. It's not like they are currently familiar with the internals of either OS. Right now they have the opportunity to switch to something cheaper if they're going to perform an audit anyway, because it will cost them at least as much to audit Windows as Linux. Probably more, in fact, since they may be able to borrow from others' code audits, if they were published.

Re:

[rtb61]

More specifically Companies can get their government to use all their publicly funded universities to do a fully public audit of free open source software and then can then get the audited software free from a secure location and have people fully trained in it's use. So many small contributions produce billions upon billions in savings, not only on licence fees but training and security cost savings.

Continuation of the Shared Source Initiative

[Gadget_Guy]

This is nothing new. The Shared Source Initiative [microsoft.com] has gone on for years, and provides access to the source of Microsoft products to governments, OEMs, large customers etc.

The difference here is that they are providing it at what they call a "transparency centre", which I suspect is to minimise the danger of the source getting released to the public so we all can inspect the code [thepiratebay.gd].

time estimate

[Limitless_Potential]

probably be finished sometime before the sun burns out

It's not an interest for Microsoft either

[jones_supa]

You don't even need EU to verify the lack of backdoors. Microsoft itself strives to create a product without backdoors. If one would be found, it would greatly hurt their business.

Has there ever been a backdoor in Windows or other Microsoft products? No.

I'm just tired of the paranoid attitude that all commercial software provides automatically want to screw you. No. They want to create a product that you want to buy. I'm sure you don't want to buy a product that has backdoors.

The main reason for going with closed source is not hiding malicious stuff, but that it allows making money with software. Open source works only if you have something else to sell along it.

Re:

[drinkypoo]

I'm just tired of the paranoid attitude that all commercial software provides automatically want to screw you.

Microsoft was convicted of abuse of their monopoly position and in fact a whole assortment of illegally anticompetitive behavior, some of which was related to the way they employed functions, for example some of the functions that Office didn't use were literally just the same function Office did use plus a sleep. And the slower function is the one that Microsoft documented.

Microsoft has been proven to "want to screw you" and those of us who have not forgotten this are looking at you in disgust, like when y

Re:

[jones_supa]

Yes, but that's a bit different discussion than backdoors.

Re:

[drinkypoo]

Yes, but that's a bit different discussion than backdoors.

So what's the difference between a known bug with a coded exploit, and a back door?

Re:

[jones_supa]

The other one is intentional.

Re:

[drinkypoo]

The other one is intentional.

Now go forth and prove that Microsoft hasn't left intentional bugs which produce the effect of a back door.

Re:

[KingMotley]

So was google. Do you look at android the same way?

And a large number of people that contributed to linux also worked at companies that were convicted of abuse of monopoly power. Oh, I guess that doesn't count cause it'd interfere with your views.

Re:

[timq]

Has there ever been a backdoor in Windows or other Microsoft products? No.

Yes, there have indeed been numerous opportunities to get complete access to Windows systems from outside. It appears that you simply prefer not to call them backdoors -- perhaps "vulnerabilites" is the first word to come to your mind. The difference is intent, and that is impossible to judge.

Re:

[jones_supa]

No, they don't think otherwise. The main income for those Linux companies comes from support and deployment services.

Re:

[jones_supa]

Selling support for a software product is different from directly selling that particular software product.

Re:

[jones_supa]

I can't think of any scenario where intentionally introducing backdoors would make customers more interested in buying a product.

3th party?

[sad_]

Let alone the fact that you can't be assured that the source code you get to see is actually the one they use to build the final product, i'm also left with the question of 3th party software that is included in MS products. Will these have their source code also available for inspection? Can't imagine those companies will allow MS to do that. And if you can't look at those products source code, how can you be sure there is nothing going on in those?

The NSA will be drooling...

[worip]

The cynic in me thinks the NSA/GCHQ will use this as an oppurtunity to engineer more 0-day malware for their own use. Much easier if you can have eyes on the code...

Re:

[silas_moeckel]

What makes you think they do not have it now?

Headline is totally wrong

[DoofusOfDeath]

From recent revelations, it's more likely the governments are looking for easier ways to break into citizens' computers.

Patch Tuesdays?

[Irate Engineer]

I can see it now - EU gets a nice clean shiny new OS from Microsoft. The next Tuesday a patch is released, MSNSAUS-007 Critical. In the fine print:

"This patch will allow a friendly U.S. operator to cause code to execute on the computer of a user. Such code could take any action that the user himself could take, including but not limited to creating, changing or deleting data, or communicating with an external web site."

An ftp server would be cheaper

[Teun]

They should make the source available via an ftp server, much cheaper than this fancy Brussels center and then you get the 'many eyes' advantage too.
B.t.w, in part of Brussels it's likely called a 'centre'.

Back-door or Bug-door?

[ramriot]

Is this really about back-doors or bugs exposing entrances?

In any case are the representatives of governments really the ones you should be showing your source code too? Seems to me that some of these people have a vested interest in keeping any exploits they find secret to their own intelligence agencies to be used later in targets (possibly their own citizens) to intrude and exploit.

I think I've said this before, if they really want to gain our confidence they need to let the users choose someone to inspe

Re:

[KingMotley]

they need to let the users choose someone ...

You mean like we should be able to vote on someone to represent us? They can then appoint someone or a team to then inspect it?

Seems that sounds like a democratic form of government.

Easy to defeat...

[TemporalBeing]

...the relevant back-door code just have to have an EXPORT license required of it such that the binary can be shipped but the code itself can't be reviewed.

Put it in a required portion, and you have a great calamity set up. Of course, it'll also be evident that something is being hidden.

Why doesn't Microsoft open source windows?

[Daniel Hoffmann]

I mean with a restrict license that most people would not classify as open-source? Something like "you can download the source and build the OS, but you can not use it without paying us"? Or maybe just open-source some core components (the kernel, the drivers, all security-sensitive stuff) without the stuff that makes it usable (the GUI and the CLI) with the same conditions as I mentioned before?

I am serious here, I want to know what would be the implications.

Re:

[Teun]

Because it is fine for casual talk.
Just don't use it for sensitive political, business and lawyer subjects.

Re:

[aaaaaaargh!]

Because its the only VOIP solution that actually is usable?

Re:

[Guildor]

I agree! I know that mobile phones are based on old model technology when connecting, and have heard they the old codes that could be sent over a model to estabilsh connections are still there, and can still be abused, to a point where they can turn your phone into a listening device for "them" to hear what ever the phone can pick up, and the OS of the phone won't pick up on this activity either.

But more to the point of this article, I think Microsoft has made massive changes in the way they're dealing

Re:

[Jeremy Allison - Sam]

This, this, a thousand times this.

You can look at the source code all you like, but unless you can *use* that source code to build your own binaries and redistribute them, then that means absolutely nothing in terms of security.

The products you buy off the shelf may or may not have any relation to the code you looked at.

That's why Free Software is so important for security-sensitive applications. Not only do you get to look, you get to modify it and redistribute.