Meicrosoft opens source code to Russian secret service

[Dave Farber <dave () farber net>]

Begin forwarded message:

> From: Mike Liebhold <mnl () well com>
> Date: July 15, 2010 6:48:25 PM EDT
> To: Dave Farber <dave () farber net>
> Subject: Microsoft opens source code to Russian secret service

> For the list, at your discretion:
>
>
> Wow! I wonder if the US government reviewed and approved this:
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
> Microsoft opens source code to Russian secret service
>
> http://www.zdnet.co.uk/news/security/2010/07/08/microsoft-opens-source-code-to-russian-secret-service-40089481/
>
> " ...  
>
> Russian publication Vedomosti reported on Wednesday that Microsoft had also given the Russian Federal Security 
> Service (FSB) access to Microsoft Windows Server 2008 R2, Microsoft Office 2010 and Microsoft SQL Server source code, 
> with hopes of improving Microsoft sales to the Russian state.
>
> The agreement will allow state bodies to study the source code and develop cryptography for the Microsoft products 
> through the Science-Technical Centre 'Atlas', a government body controlled by the Ministry of Communications and 
> Press, according to Vedomosti.
>
> Microsoft Russia president Nikolai Pryanishnikov told Vedomosti that employees of Atlas and the FSB will be able to 
> share conclusions about Microsoft products.
>
> The agreement is an extension to a deal Microsoft struck with the Russian government in 2002 to share source code for 
> Windows XP, Windows 2000 and Windows Server 2000, said Vedomosti.
>
> A senior security source with links to the UK government told ZDNet UK on Wednesday that the 2002 deal was part of 
> Microsoft's Government Security Program. Nato also signed up, said the source. Having a number of different 
> governments with access to Microsoft code meant it was possible that a government could find holes in the code and 
> use it to exploit another nation-state's systems, said the source.
>
> Cambridge University security expert Richard Clayton told ZDNet UK on Thursday that opening up source code leads to a 
> complex security situation. While a view of the code could enable a government to find security holes that the state 
> could use to launch attacks against other nation states, it is possible to find holes in software without having 
> access to the source code, said Clayton.
>
> "If a government has the source code it can find different sorts of security vulnerabilities and perhaps exploit 
> them, [but] it's unclear whether access to the source code makes people better or worse off," said Clayton.
>
> A number of different factors made the situation complicated, said Clayton. Access to the code could allow close 
> analysis, which would enable the discovery of holes such as buffer overflow flaws, but equally it is possible to run 
> a fuzzing program which throws random data at parts of an operating system or software to find different 
> vulnerabilities.
>
> While access to the code can enable pre-emptive patching before an attack, nation states would be able to tell if 
> another government was patching its networks, said Clayton.
>
> "Should you immediately patch the system, in which case people will notice the Russians have patched their systems?" 
> said Clayton. "Or alternatively you could report the vulnerability to Redmond [Microsoft headquarters], or should you 
> use [the hole] to attack your enemies?"
>
> Clayton said that there were tens of thousands of bugs in Microsoft products, in part due to the sheer volume of 
> source code. A government could not hope to patch them all, said Clayton, while an attacker only has to find one hole 
> and exploit it successfully to gain access to systems.
>
> "It's completely asymmetrical," said Clayton.
>
> The Office of Cyber Security, which oversees the UK government cyber-attack and defence capability, had not responded 
> to a request for comment at the time of writing.
>
> A senior Whitehall source told ZDNet that Microsoft's decision to open its source code to various governments had 
> been a commercial decision.
>
> Microsoft said it had opened up code to the FSB as part of its ongoing Government Security Agreement with the Russian 
> state.
>
> "The agreement that we signed with the FSB is an extension of Microsoft’s Government Security Program (GSP)," 
> Microsoft said in a statement on Friday. "The purpose of the GSP is to increase trust with national governments. In 
> the case of the Russian agreement, GSP participation will facilitate the development of the next generation of 
> secured solutions for Russian government agencies based on the latest Microsoft technologies and Russian 
> cryptography."



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915&id_secret=18849915-aa268125
Unsubscribe Now: https://www.listbox.com/unsubscribe/?member_id=18849915&id_secret=18849915-32545cb4
Powered by Listbox: http://www.listbox.com