Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
EU Government Microsoft Security

Microsoft Lets EU Governments Inspect Source Code For Security Issues 143

itwbennett writes: Microsoft has agreed to let European governments review the source code of its products to ensure that they don't contain security backdoors, at a transparency center in Brussels. The second of its kind, the new center follows on the heels of the first, built last June in Redmond, Washington. Part of Microsoft's Government Security Program, the company hopes the centers will create trust with governments that want to use Microsoft products. "Today's opening in Brussels will give governments in Europe, the Middle East and Africa a convenient location to experience our commitment to transparency and delivering products and services that are secure by principle and by design," said Matt Thomlinson, Vice President of Microsoft Security.
This discussion has been archived. No new comments can be posted.

Microsoft Lets EU Governments Inspect Source Code For Security Issues

Comments Filter:
  • by Anonymous Coward on Friday June 05, 2015 @02:09AM (#49845983)

    Can they (the governments) compile from source?

    • by hughbar ( 579555 ) on Friday June 05, 2015 @02:24AM (#49846033) Homepage
      Yes, exactly. Being old and cynical that was my thought too. Show source 'A' but compile from source 'B'. Then we'll truly 'experience their committment to transparency' won't we?

      The good thing about this is that UK government has made some fairly strong statements about considering open source when purchasing, for example: https://www.gov.uk/service-man... [www.gov.uk] and I think they're a little concerned.
      • by Lennie ( 16154 )

        The question is:

        are they concerned about backdoors and such or are they just concerned about getting a better licensing deal ?

        • by hughbar ( 579555 )
          Sorry, should have been clearer, I think Microsoft are concerned that UK government is taking open source more 'seriously' than previously. I live in Newham [a London borough] that 'nearly' switched to Linux, however everyone felt that it was probably a bargaining position rather than a real initiative. Now I think they're somewhat 'ready'. The irony is that in Canary Wharf, amongst the investment banks, not exactly hippies therefore, are full of all kinds of open source tools.
          • by dbIII ( 701233 )
            An even larger irony is the linux based stuff that Halliburton have been selling to oil companies for close to twenty years.
      • Yes, exactly. Being old and cynical that was my thought too. Show source 'A' but compile from source 'B'. Then we'll truly 'experience their committment to transparency' won't we?

        It depends on the threat model that you care about. On the one hand, it is bad if there are intentionally and maliciously injected trojans. On the other hand, the Snowden disclosures have shown that this is rarely done - it's high risk and there are enough vulnerabilities in code that the NSA can exploit without needing to do anything active to the supply chain. Being able to find these and get MS to fix them is probably quite important.

        My main objection to this is that I don't like to see tax money be

      • by El Lobo ( 994537 ) on Friday June 05, 2015 @05:18AM (#49846567)

        Does that apply to your Ubuntu/Mint/Caldera....(add your fav distro here) as well? How can you be sure that the binaries you are using are compiled from the source they are distributing? Or do you compile your distro youself after reviwing every line of code? useful idiot!

        • by Teun ( 17872 )
          Sure, but then Linux with all it's variations is all but a monopoly.
        • "Or do you compile your distro youself after reviwing every line of code? useful idiot!"

          No need to be melodramatic about it. With the Unix/Linux model of security, you don't need to review every line of code yourself unless you're a non-American intelligence agency (at which point you also need to xray the CPU for "hard"-coded backdoors).

          Typically you need to "only" pore over the source code for the kernel and everything else that runs with root privileges (I know this is still a massive undertaking but si

        • by Anonymous Coward

          How can you be sure that the binaries you are using are compiled from the source they are distributing?

          apt-build world (debian; rebuilds all packages from source)
          emerge -e world (gentoo; rebuilds all packages from source)
          make world (freebsd; well, they recommend a diff procedure now, but this is easy to type)
          make world (openbsd)
          .
          .
          And, of course all make it trivial to build select packages from source.

          e.g., download source, compile it, build a package from it, and install it on Debian -
          apt-get -b source package-name
          dpkg -i the-package-file-we-just-created.deb

          useful idiot!

          So, you believe that the ability to validate sour

        • Does that apply to your Ubuntu/Mint/Caldera....(add your fav distro here) as well?

          Did you really just mention Caldera [wikipedia.org]?

      • by juancn ( 596002 )
        Even if the source were fine, they could have a backdoor in the compiler!
    • by koan ( 80826 )

      "Can they (the governments) compile from source?"

      I wager they can not, that takes control from M$.

  • by Anonymous Coward

    How could they even understand the code if they don't have an expert capable enough to tell them how stupid this is? Unless the governments are allowed constant access to the source and also the possibility to compile any configuration they choose and need, this "inspection" serves absolutely no purpose.

    • by ron_ivi ( 607351 )
      And how will the governments know if the binaries (of every single Windows Update) delivered match the source code.
      • by gweihir ( 88907 )

        Compiling it by themselves, with compilers _not_ supplied by MS. That is actually the only way to do this. Of course, that will be impossible for the MS sources.

  • by tgv ( 254536 ) on Friday June 05, 2015 @02:21AM (#49846015) Journal

    So a few people can spend a bit of time looking through hundreds of millions of lines of code? How is that useful?

    • find . -type f -exec egrep -iH "backdoor|back door" {} \;

      easy peasy.
    • by gweihir ( 88907 )

      It is useful as a pure PR stunt. No other usefulness.

      Real code review, in particular for backdoors, is expected to be a lot more expensive than re-writing the code from scratch with trusted people. And that is if you can use your own tools and environment for the analysis. On large code-bases, review for backdoors becomes completely impossible, even with tool support.

  • by ebonum ( 830686 ) on Friday June 05, 2015 @02:26AM (#49846045)

    And who would trust MS not to show one version of the software and deliver something compiled from slightly different sources? Remember MS is more than happy to turn over dissidents' emails to the Chinese government. MS will say: "We follow all applicable laws in the countries where we operate." So what are the US laws about spying on anyone outside the country? I think it is required under NSL's.

  • Look but don't touch.

    Is this really the source code to the binaries we're using?

    hahaha, but of course it is!

    • by rtb61 ( 674572 )

      Now if you are going to have to spend all that money audit code that you then have to buy in binary form, why not simply invest the audit cost and that licence fee in managing free open source code instead. What possible benefit is there in throwing away money on licence fees only to have to spend huge sums of money to audit that code associated with those closed source binaries. In the end, still a hollow exercise because of course you are not compiling the code you audited and still have no idea at all,

      • Re:Just one rule (Score:4, Insightful)

        by gtall ( 79522 ) on Friday June 05, 2015 @05:47AM (#49846649)

        Errr...I'm certainly no MS apologist, but maybe companies insist on using MS because all their homegrown apps and store bought apps run on MS? If your organization has $1 Billion invested in MS Malware, it isn't an easy sell to shareholders or company execs than you need to spend another $1 Billion or more rebuilding just so you can feel at peace with FOSS. There needs to be a business case.

        Ah, but you say, invest the $1 Billion now and never have to pay MS again. Correct. Now put a money figure on precisely how much it will cost the company to do FOSS rather than MS? More importantly, how will doing this increase or decrease profits. Be specific, real figures are necessary to make a business case as well as documentation on the methodology used to do the analysis. BTW, is that analysis vetted? How good is it? How do we determine this? What will it cost to determine this?

        But, but, but....you can audit FOSS for free. Yes, now please staff up to audit FOSS and be able to explain how the findings will contribute to the success of your company. Please be sure to include the cost of the audit. And since you are into auditing, this is gift that keeps on giving, you'll be wanting to audit forever more.

        Most companies will just say screw it, hand me the MS Malware and let's get back to business.

        • But, but, but....you can audit FOSS for free. Yes, now please staff up to audit FOSS and be able to explain how the findings will contribute to the success of your company.

          Your argument exploded here. They're going to have to staff up to audit Windows, too. It's not like they are currently familiar with the internals of either OS. Right now they have the opportunity to switch to something cheaper if they're going to perform an audit anyway, because it will cost them at least as much to audit Windows as Linux. Probably more, in fact, since they may be able to borrow from others' code audits, if they were published.

          • by rtb61 ( 674572 )

            More specifically Companies can get their government to use all their publicly funded universities to do a fully public audit of free open source software and then can then get the audited software free from a secure location and have people fully trained in it's use. So many small contributions produce billions upon billions in savings, not only on licence fees but training and security cost savings.

  • This is nothing new. The Shared Source Initiative [microsoft.com] has gone on for years, and provides access to the source of Microsoft products to governments, OEMs, large customers etc.

    The difference here is that they are providing it at what they call a "transparency centre", which I suspect is to minimise the danger of the source getting released to the public so we all can inspect the code [thepiratebay.gd].

  • probably be finished sometime before the sun burns out
  • by jones_supa ( 887896 ) on Friday June 05, 2015 @05:17AM (#49846561)

    You don't even need EU to verify the lack of backdoors. Microsoft itself strives to create a product without backdoors. If one would be found, it would greatly hurt their business.

    Has there ever been a backdoor in Windows or other Microsoft products? No.

    I'm just tired of the paranoid attitude that all commercial software provides automatically want to screw you. No. They want to create a product that you want to buy. I'm sure you don't want to buy a product that has backdoors.

    The main reason for going with closed source is not hiding malicious stuff, but that it allows making money with software. Open source works only if you have something else to sell along it.

    • I'm just tired of the paranoid attitude that all commercial software provides automatically want to screw you.

      Microsoft was convicted of abuse of their monopoly position and in fact a whole assortment of illegally anticompetitive behavior, some of which was related to the way they employed functions, for example some of the functions that Office didn't use were literally just the same function Office did use plus a sleep. And the slower function is the one that Microsoft documented.

      Microsoft has been proven to "want to screw you" and those of us who have not forgotten this are looking at you in disgust, like when y

      • Yes, but that's a bit different discussion than backdoors.
        • Yes, but that's a bit different discussion than backdoors.

          So what's the difference between a known bug with a coded exploit, and a back door?

      • So was google. Do you look at android the same way?

        And a large number of people that contributed to linux also worked at companies that were convicted of abuse of monopoly power. Oh, I guess that doesn't count cause it'd interfere with your views.

    • by timq ( 240600 )

      Has there ever been a backdoor in Windows or other Microsoft products? No.

      Yes, there have indeed been numerous opportunities to get complete access to Windows systems from outside. It appears that you simply prefer not to call them backdoors -- perhaps "vulnerabilites" is the first word to come to your mind. The difference is intent, and that is impossible to judge.

  • Let alone the fact that you can't be assured that the source code you get to see is actually the one they use to build the final product, i'm also left with the question of 3th party software that is included in MS products. Will these have their source code also available for inspection? Can't imagine those companies will allow MS to do that. And if you can't look at those products source code, how can you be sure there is nothing going on in those?

  • by worip ( 1463581 ) on Friday June 05, 2015 @05:49AM (#49846659)
    The cynic in me thinks the NSA/GCHQ will use this as an oppurtunity to engineer more 0-day malware for their own use. Much easier if you can have eyes on the code...
  • by DoofusOfDeath ( 636671 ) on Friday June 05, 2015 @06:04AM (#49846695)

    From recent revelations, it's more likely the governments are looking for easier ways to break into citizens' computers.

  • I can see it now - EU gets a nice clean shiny new OS from Microsoft. The next Tuesday a patch is released, MSNSAUS-007 Critical. In the fine print:

    "This patch will allow a friendly U.S. operator to cause code to execute on the computer of a user. Such code could take any action that the user himself could take, including but not limited to creating, changing or deleting data, or communicating with an external web site."

  • They should make the source available via an ftp server, much cheaper than this fancy Brussels center and then you get the 'many eyes' advantage too.
    B.t.w, in part of Brussels it's likely called a 'centre'.
  • Is this really about back-doors or bugs exposing entrances?

    In any case are the representatives of governments really the ones you should be showing your source code too? Seems to me that some of these people have a vested interest in keeping any exploits they find secret to their own intelligence agencies to be used later in targets (possibly their own citizens) to intrude and exploit.

    I think I've said this before, if they really want to gain our confidence they need to let the users choose someone to inspe

    • they need to let the users choose someone ...

      You mean like we should be able to vote on someone to represent us? They can then appoint someone or a team to then inspect it?

      Seems that sounds like a democratic form of government.

  • ...the relevant back-door code just have to have an EXPORT license required of it such that the binary can be shipped but the code itself can't be reviewed.

    Put it in a required portion, and you have a great calamity set up. Of course, it'll also be evident that something is being hidden.
  • I mean with a restrict license that most people would not classify as open-source? Something like "you can download the source and build the OS, but you can not use it without paying us"? Or maybe just open-source some core components (the kernel, the drivers, all security-sensitive stuff) without the stuff that makes it usable (the GUI and the CLI) with the same conditions as I mentioned before?

    I am serious here, I want to know what would be the implications.

Your own mileage may vary.

Working...