Full Disclosure mailing list archives

Microsoft Coding / National Security Risk

From: "Richard Hatch" <r.hatch () eris qinetiq com>
Date: Wed, 24 Mar 2004 10:10:28 -0000

Hi all,

Microsoft have stated that to make the source code for Windows publically
available would be a risk to National Security.
Microsoft also took 9 months to produce a fix for the ASN.1 problem.

As much as some people may regret it, Western civilisation runs on Microsoft
software.  Imagine the panic that would ensue if the next slammer worm
infected 10 machines then formatted hard drives, or scrambled random parts
of random files.
This is not news, some old DOS viruses set file lengths to zero, rather than
deleting files that could be recovered.

So my idea is this:
Take a team of really really good C/C++ coders with excellent security
vulnerability knowledge and have them go through the source code for windows
(starting with the core functionality and internet facing functionality
maybe).  Find these bugs (including methodical black-box testing against the
binaries) and fix them.

These people would be fully supported by Microsoft (including full access to
all technical documentation, Microsoft technical advisors, etc), and backed
by the NSA or other Government agency.  Microsoft could impose whatever
NDA's they want, but they should fund the bug hunt.
Not only can they afford it, they created the problem code.  Fresh insight
into how Windows functions is required to identify the less obvious
vulnerabilities.

Microsoft Windows is not just another piece of software, it has become a
fundamental part of businesses and governments.

Oh, can anyone suggest a reason why disclosing the source to Windows would
be a National Security risk, yet Microsoft is happy to provide the same
source code to ceratin third-parties (I assume this means any company that
has enough cash and signs the right paperwork).

Folks, simply reacting to 0days just doesn't work.

R. Hatch



---
'The mirrors have grown vast and beautiful and very very *hungry*' 

The views and comments expressed in this email are the personal views and
opinions of the author and should in no way be considered an official
statement/release of QinetiQ.

Neither the author or QinetiQ can be held liable for actions taken based on
the information contained within this email.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Microsoft Coding / National Security Risk Richard Hatch (Mar 24)
- Re: Microsoft Coding / National Security Risk Luke Norman (Mar 24)
- RE: Microsoft Coding / National Security Risk joe (Mar 24)
  - RE: Microsoft Coding / National Security Risk Frank Knobbe (Mar 24)
    - RE: Microsoft Coding / National Security Risk joe (Mar 26)
- Re: Microsoft Coding / National Security Risk John Sage (Mar 24)
  - RE: Microsoft Coding / National Security Risk joe (Mar 26)
    - Re: Microsoft Coding / National Security Risk Valdis . Kletnieks (Mar 26)
- Re: Microsoft Coding / National Security Risk Valdis . Kletnieks (Mar 24)
- Re: Microsoft Coding / National Security Risk martin f krafft (Mar 24)
- <Possible follow-ups>
- Re: Microsoft Coding / National Security Risk borg (Mar 24)

(Thread continues...)