Microsoft Delivers Secure China-Only Cut of Windows 10 (theregister.co.uk) 98
Earlier this week, CEO of Microsoft Greater China, Alain Crozier, told China Daily that the company is ready to roll out a version of Windows 10 with extra security features demanded by China's government. "We have already developed the first version of the Windows 10 government secure system. It has been tested by three large enterprise customers," Crozier said. The Register reports: China used Edward Snowden's revelations to question whether western technology products could compromise its security. Policy responses included source code reviews for foreign vendors and requiring Chinese buyers to shop from an approved list of products. Microsoft, IBM and Intel all refused to submit source code for inspection, but Redmond and Big Blue have found other ways to get their code into China. IBM's route is a partnership with Dalian Wanda to bring its cloud behind the Great Firewall. Microsoft last year revealed its intention to build a version of Windows 10 for Chinese government users in partnership with state-owned company China Electronics Technology Group Corp. There's no reason to believe Crozier's remarks are incorrect, because Microsoft has a massive incentive to deliver a version of Windows 10 that China's government will accept. To understand why, consider that China's military has over two million active service personnel, the nation's railways employ similar numbers and Microsoft's partner China Electronics Technology Group Corp has more than 140,000 people on its books. Not all of those are going to need Windows, but plenty will.
Re: (Score:1)
Re: (Score:2)
I blame you for technical treason, You terrorist!
Re:No need for Microsoft to spy on the Chinese (Score:5, Informative)
There aren't any Muslims in China, so they don't face the same terrorism issues that western national do.
Wrong [wikipedia.org], and wrong [wikipedia.org].
Re: (Score:1, Interesting)
You are correct. China does have an Islamic terrorism problem like most of the rest of the world. I was not far from this incident when it happened:
https://en.wikipedia.org/wiki/1997_Ürümqi_bus_boambings [wikipedia.org]
Nine people were killed and 74 more injured.
Re: (Score:2)
Slashdot completely mangled your URL. I had to search for "1997 Ürümqi bus bombings" on wikipedia to find it.
Maybe you mean this [wikipedia.org] URL. I am only using standard HTML coding [w3schools.com] which has been arround for years, afterall this is supposed to be a tech site.
Re: (Score:2)
True, true. And yet it's quite possibly the only tech site on the planet that doesn't support UTF, which rumour has it is also a standard.
Re: (Score:1)
Oh, and also, Muslims aren't terrorists as a group. The number of people who commit terrorist acts, (meaning acts meant to terrorize,) isn't especially higher in the subset of humans known as Muslims than any other arbitrarily chosen subset... people just think so because they've been spoon-fed a nonstop supply of lies and bullshit by corporate-owned and controlled, bigoted asshole media, which has a vested interest in you remaining in your home, eyes pealed, panicking and shitting yourself in fear, over w
Re: (Score:3)
There are Muslims in China. The largest concentration are the Uighurs who have clashed by the Chinese government for years.
The Chinese government also has an official policy that calls on people to report their neighbors, friends and relatives for âoeluring minors into religious activitiesâ in the province where the countryâ(TM)s largest Muslim population lives.
Re: (Score:3)
The real stumbling block is setting up an orderly approval process by the Chinese government for the 'recommended products' pop-ups on the Windows start pane so that Microsoft can push ads-in-all-but-name to Chinese users with the same frequency as users of thte regular versions do, and to arrange to fork all their telemetry transmissions to ensure that the Chinese government gets an automatic feed of every individual's use of Windows 10 without having to have pesky monitoring software installed.
Re: (Score:2)
Secure by name (Score:5, Interesting)
They call it secure, but provide no information about security features. From TFA:
The Register has asked Microsoft to explain the security features of Windows Red, but had not received a reply at the time of writing. You know the drill: we'll update this story if Microsoft sends any information.
Re:Secure by name (Score:4, Interesting)
Role-based administration and privilege separation. Linux still sucks in this area. With windows you get a security token that gives you permission to do just what you need, on Linux you need to suid yourself to root to do just about anything, which allows you to do absolutely everything. The massive whitelist that is selinux is a backwards way of implementing security.
Re: (Score:1)
Role-based administration and privilege separation. Linux still sucks in this area. With windows you get a security token that gives you permission to do just what you need, on Linux you need to suid yourself to root to do just about anything, which allows you to do absolutely everything. The massive whitelist that is selinux is a backwards way of implementing security.
I suggest you read up on what sudo [wikipedia.org] is capable off. You can easily setup sudo via its configuration file (/etc/sudoers) that will allow users that require elevated privileges (eg. Database and Web Administrators) to do their work without needing root access.
Unix has had Access Control Lists from early late 1980 going into the early 1990's. Linux got ACL's also in the early 1990's.
As for SELinux. I would be nice if you had a program that could understand "intent" but it is far easier to know what is re
Re:Secure by name (Score:4, Interesting)
I know what sudo does. I know about filesystem capabilities. I know about NFSv4 ACLs.
But look at e.g. passwd - it needs to be suid so it can update your password hash. It doesn't just get a token that gives it permission to update your password hash, it gets permission to do whatever the fuck it wants on your system. Then you have a whitelist of what it's supposed to be able to do in SELinux that should hopefully stop it from doing anything besides updating a password hash, but there's nothing to stop it updating the password hash for a user other than the one who ran it, or blowing away the password hashes entirely or something. Without SELinux, a bug in passwd has the potential to totally pwn your system, and with SELinux it a bug could still wreak havoc with the password hash database.
By comparison, on Windows when you want to change your password, the program can get a security token that just gives it permission to change your password. It doesn't need to escalate all the way to root privileges, you don't need a separately maintained whitelist for what this program can do. A bug in a password change utility on Windows can at worst change your password to something stupid.
That's not to say that Windows is perfect, or that applications will always only request the rights they need (plenty of "enterprise" tools grab all the rights they can all the time because it's easier for developers), but fundamentally security tokens are a better model than the *NIX approach of suid and hope it doesn't have an exploitable bug.
Different level (Score:5, Informative)
I suggest you read up on what sudo [wikipedia.org] is capable off. You can easily setup sudo via its configuration file (/etc/sudoers) that will allow users that require elevated privileges (eg. Database and Web Administrators) to do their work without needing root access.
The parent poster was referring to a different approach to security.
with sudo, you set up a list of commands that a database or web admin can run.
you limit user access by restricting which commands the user can run. But said commands will be run with root privileges.
In case of a bug in the command, you could use it for privileges escalations (*you* were only restricted to run this command. but *this command* runs as root and could do anything).
what the parent refers to is more closely related to the various "CAP_*" capabilities used in the linux kernel.
i.e.: even if you run a command as root, that command would never, even in the case of a bug, reconfigure the network interface, because the corresponding CAP_{blah} capability isn't enabled.
By carefully crafting a very precise set of capabilities that you hand out to administrative programs, you make sure that they only do what they are supposed to do, even if an attacker manage to find a way to force a program running as root to do arbitrary actions.
(It's a bit similar like how some smartphone apps come with a whitelist of API calls that you need to validate before installing : "can access your contacts list", "can access your webcam", etc. Even if the weather app get hacked, it can never be used to spy on you, because it's not whitelisted to access your mic and your cam... Well except that nowadays every single last app seems to be obliged to ask access for nearly anything (Hey, now your Weather app can automatically recognise the city you're travelling into simply by flashing the QR code of your travel ticket ! Needs cam privileges !).
Under Linux the same granularity exists, except that this done at the kernel API level, instead of the Java user libraries like on Android)
In the past few years Windows has been implementing similar restrictions. That's what the poster was referring to.
On Linux, the facility to apply this king of control exist in the kernel too (the various capabilities). But there aren't many software using them. I only know of SELinux and AppArmor. And they are not used system-wide, but only to put specific software into cages (those software for which they have rulesets).
I think this is dues to the fact that the basic user/group access rights of Unix can provide already quite some security if you take the time to organise enough granularity in your groups and memberships, instead of making everything restricted to root-only and needing thus to be root for nearly any action.
(Because of the Unix philosophy, lots of things are represented in unix as files. Therefore, lots of the actions controlled by capability can be mapped to file accesses (e.g.: to device files in /dev/ ). Putting correct group access on files can acheive the same results.
e.g.: a virtual machine might need USB passthrough. One way would be to grant the corresponding capability to it.
The way VirtualBox does it, is that it runs as "vbox" goup, and there's a script that hands out USB devices nodes with that as group access)
In practice, distributions such as Debian have been using tons of specific groups to control access to specific resources precisely, years before SELinux was a thing.
To do just about anything... (Score:2)
on Linux you need to suid yourself to root to do just about anything,
...said the guy who used to run Windows XP. You know, this OS where the user has admin rights by default, so even normal everyday tasks are done with admin privileges.
Re: (Score:2)
...on Linux you need to suid yourself to root to do just about anything, which allows you to do absolutely everything.
Please don't ever get within spitting distance of any of my Linux systems.
Re: (Score:3)
Windows NT was developed with better security than Unix from scratch. The permission mechanism is very powerful (too powerful according to some) compared to the basic Unix mechanism (root all powerful, users are members of groups, RWX rights, wheel to patch that up some). So no, not _always_ a late adopter. Compared to Unix that is - which I assume is what you like to compare to? Multics did a lot of security work back in the days but was mostly derided by the Unixians. Keykos with its capability system was
Re:Secure by name (Score:5, Interesting)
What I'll find really ironic, though, is if they just end up with the China version of Windows 10 stripping out all the privacy invasion and ad related crap. If that's the case, I might just have to see if I can get my hands on a Chinese copy of Win 10 instead.
Re:Secure by name (Score:5, Insightful)
What I'll find really ironic, though, is if they just end up with the China version of Windows 10 stripping out all the privacy invasion and ad related crap.
Hardly. They'll just redirect all the telemetry to the Chinese government.
FTFY (Score:2)
...the company is ready to roll out a version of Windows 10 with extra """""security features"""""
FTFY.
Whoa! (Score:5, Insightful)
So quickly shills, exapand on this. Tell us why there is no spying by Microsoft, yet despite no spying, they produced a version that doesn't spy less on us than the version that already doesn't spy on us. Inquiring minds want to know.
Re: (Score:2)
I'll bet you a dollar they changed where the keylogging and other spying information goes from Microsoft to the Chinese government, and changed the splash screens, and that's it.
Re: (Score:2)
I love it when zealots like you troll by calling other people shills. This is about source code review, you clueless dolt.
Try to follow the conversation. The only people I'm calling shills atr the shills who denied all the shit Microsoft does. Thanks for playing though.
Re: (Score:1)
"Score:5, Insightful" - yeah right. Way to not understand anything of the article...
The rest of your post is so ludicrous I'll not take time to point out how you can't understand anything else either...
Re: (Score:2)
The rest of your post is so ludicrous I'll not take time to point out how you can't understand anything else either...
I will take the time to point out that you took the time to point out how I cannot understand anything else, which you said you wouldn't take the time to do, but then did take the time to do. Do do
Large numbers law (Score:4, Insightful)
Re: (Score:2)
That's democracy at work.
Re: (Score:2)
How about the rest of us? (Score:5, Interesting)
So let's take MS's claims of a more secure Windows at face value.
This means two things. First of all, the Windows they released to the market is unnecessarily insecure, and MS knows that.
Secondly, why would they only offer this enhanced security to the Chinese, and not to the rest of the world?
All software ought to be as secure as possible. If there are security enhancements available, a vendor ought to roll them out to all their users. Here MS is failing in both: Windows can be (much) more secure than it is, and they're not releasing this improvement to the rest of their users.
That, or MS is lying through their teeth to get into China. That may be possible, but while you can say a lot of bad things about the Chinese government, their people by and large are definitely not stupid so there has to be at least some weight to the claims of MS.
Re: (Score:2)
Do you want the more secure Windows 10 ?
They you must make sure your goverment wants it too. So it can demand it.
Re: (Score:3, Insightful)
They bothered to ask. They demanded not to be spied on and voted with their wallets. We on the other hand are all convinced Big Brother only has our best interests at heart, so we accept his surveillance like sheep.
Jesus, I remember when we'd mock the great firewall... Post snowden it just seems like genius: block American spyware like Facebook and Google while stimulating the Chinese economy as y
Re: (Score:2)
the Windows they released to the market is unnecessarily insecure, and MS knows that.
Given the amount of noise made over W10's telemetry, everybody knows that, at least on /. To me the conclusion is obvious: W10 Red has telemetry disabled.
*facepalm* (Score:4, Interesting)
You know, if anyone was going to ditch Windows because of secret backdoors, I figured it would have been the Chinese government. Besides, isn't Linux the ideal model for communism? I know they are communists in name only but you would figure they would at least try to keep up the appearance of objecting to capitalism.
They tried with Linux. (Score:2)
Their flavour was called "Red Flag Linux".
Sadly their attempt was NOT sucessful.
https://www.theregister.co.uk/... [theregister.co.uk]
If you do not like "The Register"'s take on the matter, feel free to use Google for alternative info. But bear in mind that this submission uses TheReg as the main source.
Re: (Score:2)
China has a home grown version of Linux that they prefer, but for some stuff Windows is a necessary evil.
The report from ArsTechnica (Score:3)
... here:
https://arstechnica.com/inform... [arstechnica.com]
Especulates that:
***The custom version developed under the joint venture is essentially a custom image of Windows 10 at its core, with a set of policy settings hard-coded for government users. It's not clear if additional code is being added to the image.***
So, they changed some Registry Keys and Group Policies, and you do not have to play wack-a-mole every time an update comes...
Also, please remember that:
*** The Chinese government, like the US government, has been permitted source code review for security purposes in a secured lab at Microsoft's China Information Technology Security Certification Center in Beijing since 2003.***
So, most likely, the chinese already reviewed the telemerty and deemed it non threathening (or negotiated with microsoft to get a copy of it ;-) ).
But5 at this point, all is especulation, only time will tell...
Re: (Score:2)
Yes, I made a typo, it happens from time to time. Particularly when I write in a language which is not my own.
My ToEFL was 296/300 in 2005. How much was your DELE and when did you took it?
I also speak french, but never took the DELF or DALF. Do yo speak other languages beyond english and spanish?
Doesn't add up (Score:1)
They are fooling themselves (Score:2)
Have they considered that unless they trust the compiler, they can't trust that the final product will do what the source code says? What if they are given the source to the compiler, how are they going to trust the compiler they use to compile that? I suppose they could move to an open source compiler, which maybe can be trusted, but of course they won't, they'll use Microsoft's compiler won't they. And if the NSA was really deeply embedded in MS, they could have this all stitched up so that the source co
For the rest, an insecure version (Score:2)
TRANSLATION (Score:2)
"...the company is ready to roll out a version of Windows 10 with extra security features demanded by China's government."
TRANSLATION:
"...the company is ready to roll out a version of Windows 10 with extra spying features demanded by China's government."
Uhhh.... (Score:2)
Earlier this week, CEO of Microsoft Greater China, Alain Crozier, told China Daily that the company is ready to roll out a version of Windows 10 with extra security features demanded by China's government.
It should come with a Dalai Lama desktop pic that can't be changed. Or maybe a rotation with the Tianammen square guy and the tanks. Yeah, that's it.