Interesting People mailing list archives

Microsoft opens source code to Russian secret service


From: David Farber <dave () farber net>
Date: Fri, 16 Jul 2010 07:26:54 -0400



Begin forwarded message:

From: Newmedia () aol com
Date: July 16, 2010 7:03:22 AM EDT
To: dave () farber net
Subject: Re: [IP] Microsoft opens source code to Russian secret service

Dave:
 
As a part of its anti-trust settlement with the US government (i.e. circa 2000), Microsoft agreed to learn how to write 
secure code which could be able to comply with the NSA's "Common Criteria" guidelines. 
 
http://www.commoncriteriaportal.org/
 
According to an NSA employee who I spoke with at its booth at the final Comdex in 2003, that agreement involved a 
contingent of around 50 people from NSA who were posted on a rotating basis to Redmond to help in the effort.
 
This led to concerns that "backdoors" were being installed in what became Vista.  In turn, this led the Chinese and 
others to consider scrapping Windows for Linux.  The way that Microsoft addressed these concerns was to open up its 
source code to various governments.
 
Is this history not widely known?
 
Mark Stahlman
New York City
 
In a message dated 7/15/2010 8:28:45 P.M. Eastern Daylight Time, dave () farber net writes:




Begin forwarded message:

From: Mike Liebhold <mnl () well com>
Date: July 15, 2010 6:48:25 PM EDT
To: Dave Farber <dave () farber net>
Subject: Microsoft opens source code to Russian secret service

For the list, at your discretion:


Wow! I wonder if the US government reviewed and approved this:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Microsoft opens source code to Russian secret service

http://www.zdnet.co.uk/news/security/2010/07/08/microsoft-opens-source-code-to-russian-secret-service-40089481/

" ...  

Russian publication Vedomosti reported on Wednesday that Microsoft had also given the Russian Federal Security 
Service (FSB) access to Microsoft Windows Server 2008 R2, Microsoft Office 2010 and Microsoft SQL Server source code, 
with hopes of improving Microsoft sales to the Russian state.

The agreement will allow state bodies to study the source code and develop cryptography for the Microsoft products 
through the Science-Technical Centre 'Atlas', a government body controlled by the Ministry of Communications and 
Press, according to Vedomosti.

Microsoft Russia president Nikolai Pryanishnikov told Vedomosti that employees of Atlas and the FSB will be able to 
share conclusions about Microsoft products.

The agreement is an extension to a deal Microsoft struck with the Russian government in 2002 to share source code for 
Windows XP, Windows 2000 and Windows Server 2000, said Vedomosti.

A senior security source with links to the UK government told ZDNet UK on Wednesday that the 2002 deal was part of 
Microsoft's Government Security Program. Nato also signed up, said the source. Having a number of different 
governments with access to Microsoft code meant it was possible that a government could find holes in the code and 
use it to exploit another nation-state's systems, said the source.

Cambridge University security expert Richard Clayton told ZDNet UK on Thursday that opening up source code leads to a 
complex security situation. While a view of the code could enable a government to find security holes that the state 
could use to launch attacks against other nation states, it is possible to find holes in software without having 
access to the source code, said Clayton.

"If a government has the source code it can find different sorts of security vulnerabilities and perhaps exploit 
them, [but] it's unclear whether access to the source code makes people better or worse off," said Clayton.

A number of different factors made the situation complicated, said Clayton. Access to the code could allow close 
analysis, which would enable the discovery of holes such as buffer overflow flaws, but equally it is possible to run 
a fuzzing program which throws random data at parts of an operating system or software to find different 
vulnerabilities.

While access to the code can enable pre-emptive patching before an attack, nation states would be able to tell if 
another government was patching its networks, said Clayton.

"Should you immediately patch the system, in which case people will notice the Russians have patched their systems?" 
said Clayton. "Or alternatively you could report the vulnerability to Redmond [Microsoft headquarters], or should you 
use [the hole] to attack your enemies?"

Clayton said that there were tens of thousands of bugs in Microsoft products, in part due to the sheer volume of 
source code. A government could not hope to patch them all, said Clayton, while an attacker only has to find one hole 
and exploit it successfully to gain access to systems.

"It's completely asymmetrical," said Clayton.

The Office of Cyber Security, which oversees the UK government cyber-attack and defence capability, had not responded 
to a request for comment at the time of writing.

A senior Whitehall source told ZDNet that Microsoft's decision to open its source code to various governments had 
been a commercial decision.

Microsoft said it had opened up code to the FSB as part of its ongoing Government Security Agreement with the Russian 
state.

"The agreement that we signed with the FSB is an extension of Microsoft’s Government Security Program (GSP)," 
Microsoft said in a statement on Friday. "The purpose of the GSP is to increase trust with national governments. In 
the case of the Russian agreement, GSP participation will facilitate the development of the next generation of 
secured solutions for Russian government agencies based on the latest Microsoft technologies and Russian 
cryptography."
