Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
Microsoft Bug Security

China Prepares To Examine MS Windows Code 468

Posted by timothy from the and-yours-too-if-you'd-like dept.
Stargoat writes "CNet reports that China is looking into MS's source code for Windows. They are looking both to increase security as well as perhaps create a Chinese version of Linux. Or are they perhaps concerned with rumors of deliberate holes left in the software for the NSA to exploit?" Here's an earlier Slashdot post about the Microsoft-China agreement.
This discussion has been archived. No new comments can be posted.

China Prepares To Examine MS Windows Code More

China Prepares To Examine MS Windows Code

Comments Filter:

  • Cool (Score:3, Interesting)

    by WindBourne ( 631190 ) on Tuesday September 30, 2003 @07:19AM (#7092413) Journal
    What do you bet that a new form of Wine/Linux will show up in China with much better capabilities!

  • Why on earth would... (Score:3, Funny)

    by Zog The Undeniable ( 632031 ) on Tuesday September 30, 2003 @07:19AM (#7092414)
    looking at Windows source code help with a Chinese version of Linux?

    • Re:Why on earth would... (Score:5, Funny)

      by richie2000 ( 159732 ) <rickard.olsson@gmail.com> on Tuesday September 30, 2003 @07:36AM (#7092500) Homepage Journal
      Why on earth would looking at Windows source code help with a Chinese version of Linux?

      Can anyone tell us what the Chinese symbols for "What not to do and how not to do it" are?

      • Actually, the NT kernel is considered a very advanced piece of technology. I'd heard many developers blast the Linux kernel in comparison. It's all the cruft written on top that sometimes causes problems (just like in Linux, amusingly).

    • Re:Why on earth would... (Score:4, Informative)

      by Zocalo ( 252965 ) on Tuesday September 30, 2003 @09:05AM (#7093085) Homepage
      I guess it's the Ying - Yang thing. ;)

      On a more serious note, I find this somewhat worrying given the allegations made by Taiwan about organized cyber attacks coming from the mainland. Whether this is being reciprocated or not, I can't help but get the feeling that this is akin to handing China the cyber equivalent of a fusion bomb to use against Taiwan. Who knows what other exploits are lurking in the Windows code waiting to be found by the Chinese hackers doing the code review?

      Of course, they could always surprise us and give Microsoft a respectable advance notice to issue fixes before coming up with a zero day full disclosure bug report. I guess time will tell as to which way the outcome is going to lean, towards a blessing or a curse, but it's going to be an interesting time finding out. Looks like that Chinese proverb is right again!

  • Whats the use? (Score:5, Interesting)

    by zaroastra ( 676615 ) on Tuesday September 30, 2003 @07:19AM (#7092419)
    whats the use of inspecting some offsite code when you have ABSOLUTELY NO WARRANTY that the code you're looking at is the one that is delivered in your compiled version?
    In my language we have an expresion for that, that could be roughly tranlated to trying to stop the wind with a fork.
    • Exactly. The security problem with the closed source model doesn't go away because they show you SOME source code. So what? They can show you whatever they please and you'll never be the wiser. The only way around that would be if they allowed the Chinese government to handle distribution as well. That would be interesting.
      Hmm. There ya go. Give the Chinese government the Windows source code and let them distribute it for free. And then, they could let people modify it and enhance it without costing Re
    • You would want the source, the compiler AND the settings used to compile the source.

      That would give roughly the same binary when you compile it again.

      I say roughly, because as fas as i know even the above mentioned variables don't always give exactly the same result.
      (something like the compiler using system settings for "random" values, or so...??)

      • Re:Whats the use? (Score:4, Interesting)

        by rupe ( 118491 ) on Tuesday September 30, 2003 @08:09AM (#7092686)
        Even that is not enough. They code might require the use of Microsofts compiler.

        True example, the famous hole in cc, that whenever it noticed that it was compiling "login.c" would introduce a backdoor. Not only that but whenever it noticed it was compiling itself would reintroduce the same code, so that even by inspecting the compiler source you couldnt find the exploit.

        Details can be found on google.

        • Re:Whats the use? (Score:5, Informative)

          by greenhide ( 597777 ) <`moc.ylkeewellivc' `ta' `todhsalsnadroj'> on Tuesday September 30, 2003 @10:29AM (#7093789)
          You're talking about Ken Thompson's paper, "Reflections on Trusting Trust" [acm.org].

          I don't believe this ever was a "famous hole in cc". Instead, Ken Thomspon merely pointed out that trust in the code you were compiling was not enough; you would have to trust the compiler as well, which inherently meant you had to trust the compiler compiling that compiler, and so on. Essentially the only compiler you could trust is one you wrote yourself in machine code, otherwise you can't be sure what its compiled, binary form contains.

          Whether anyone ever acted on this potential exploit is up for further research, but for it to be effectively done in Open Source, it could only be executed on a per-machine basis. That is, they'd have to change the compiler on your machine, because if they put the exploit right in publically available source code, it wouldn't be too difficult to find it when the code was reviewed.

          What I find interesting is that this is listed as a "Classic" article, and that page is dated 1995! This idea has been out for a while.

        • Re:Whats the use? (Score:4, Insightful)

          by wawannem ( 591061 ) on Tuesday September 30, 2003 @10:35AM (#7093847) Homepage
          What you are referring to isn't a True example. It is a theoritical example.

          It is clearly presented in Ken Thompson's famous paper "Reflections on Trusting Trust." It is a very good point, how much can you trust, well, trust...

          I trust things to the extent that, if such exploits exist, I would be 0wn3d and there would be nothing I could do about it...

          However, so would everyone else, and I am sure there are much more interesting machines to r00t than mine. By the time the l337 haxx0rz got to my machine, the exploit would have been discovered and made headlines...

          I have spent a little time in IRC, and I read /. I know that doesn't make me an authority, but I have learned that most of these black hat types are so driven to earn karma from others that they couldn't keep a secret if their livelihood depended on it. To me that means, if they knew about it, so would everyone else in the world. Also, if they find out about the existence of any exploits like this, they would blab.

          Therefore, I don't lose any sleep over it, and I figure I'll deal with the problems as they are discovered, and not ponder how many ways a compiler can insert malicious code.
      • Not only compiler-generated random stuff, but most likely also build dates and timestamps. The FreeBSD binary update project had to deal with these kinds of issues and have written a nice paper that discusses them (51k PDF [daemonology.net], Google HTML version [216.239.59.104]).

  • Would You Trust a Chinese OS? (Score:5, Insightful)

    by reallocate ( 142797 ) on Tuesday September 30, 2003 @07:21AM (#7092429)
    Don't know about any backdoors in Windows, but we all certainly have reason to distrust any OS sponsored by the Chinese government. They may have adopted a friendlier demeanor, but the folks who gave us Tiananmen still run the place.

    • Would You Trust an American OS? (Score:4, Insightful)

      by Anonymous Coward on Tuesday September 30, 2003 @07:50AM (#7092573)
      Don't know about any backdoors in Red Flag Linux, but we all certainly have reason to distrust any OS sponsored by the American government. They may have adopted a friendlier demeanor, but the folks who gave us Hiroshima, Nagasaki, Vietnam, the genocide of the First Nation, the CIA-sponsored overthrows of democratically elected governments in various South American states, the illegal invasions of Iraq and Afghanistan, and the lovely freedom of Guantanamo Bay still run the place.
      • the illegal invasions of Iraq and Afghanistan

        Any time someone dose something someone else dosen't like you'll find someone quoting laws that do not exist.

        IANAL but if there is any law forbidding war it can not possably be legal.

        I'd also like to say that the folks who established many of the sighted problems are in fact not in power anymore.
        Tell you what... Remove "illegal" and replace "the folks" with "the government" or better yet "the offical policy".
        Oh yeah and that line about "friendlier demeanor" y
      • Actually, no, the folks who gave us Hiroshima, Nagasaki, Vietnam, CIA sponsored overthrows of South American governments, and the genocide of the Amerinds are all dead or retired; while one of the fellows who came up with the idea of the Tiananmen Square massacre is himself head honcho in China. Read the Tiananmen Papers, for god's sake.
    • The only 100% secure os is one that you write and maintain yourself. Provided your computer is physically secure as well...

      So then you decide that you have to trust others in order to get an os. But who are you gonna trust? Governments like the Chinese? The EU? Multinationals like Microsoft? That doesn't sound secure to me. There is always the chance of compromise for various reasons, and you won't be able to find out.
      The only way around this is very well known. The source must be available for all to se

    • I wouldn't trust an OS produced by government, period. The Chinese government is arguably more oppressive than others, but they still have a lot more in common with other governments than a private organization. At the root, a non-criminal private organization operates on the principle of voluntary association. Government, by definition, operates on the principle of force.

      (For those who haven't yet realized, everything and anything government does is bound to the principle of force. At a bare minimum, gove

    • Re:Would You Trust a Chinese OS? (Score:5, Informative)

      by dalutong ( 260603 ) <djtansey AT gmail DOT com> on Tuesday September 30, 2003 @08:58AM (#7093038)
      Well, Deng Xiaoping isn't, unfortunately. He was the greatest leader of China since independence.

      I spent seven years in China, from 1992 to 1999, on U.S. government orders. They have done more than a face-lift. They are not perfect, but they are doing a pretty good job of transitioning their country into modernity. I hope that someday a governmental model similar to ours will be applicable, but it just isn't right now.

      Every country has its own peculiarities. A government system can not be super-imposed. That is what led the the failure of the first communist government in China. This new version, a more malleable one, is close to the right thing. And if you want to speak about what is best while considering the past, this is it.

      They need to continue to evolve base on the market and not on some odd 5 or 10-year plans, but they are doing that.
    • But the folks who gave us Tiananmen still run the place.

      Actually they left at the last party congress, it's a whole new generation of leaders. Not that I trust the new ones either, but I do give them the benefit of doubt.

      But the whole 'See the source' thing looks more like a MS PR stunt to me. Chinese government gets to read, but not modify, some source. So what? They gain none of the real benefits of Open Source, and MS gets huge press...

    • The USA has also had it's share of killing student protesters, most notably the Kent [kent.edu] State [alancanfora.com] massacre [wikipedia.org] .

      I suggest you cast out the mote from your own eye before pointing out the mote in your brother's.

  • Then the entire security model rests in NSA translators knowing the traditioonal chinese word for RCP and the servers having enough bandwidth to support VNC or Terminal Server.

    The NSA won't bother with any backdoors beyond a possible inclusion of Systram translation software.
  • If you were concerned about intentional holes in Windows permitting sekrat U.S. government access, wouldn't a properly configured firewall make the point moot?
    • Firewalls are all great, but unless you want to shut your computer from the outside world, they won't work.

      Outgoing connexions are as much of a problem than incoming. If the software calls home to transmit information, there's not much you can do.
      It doesn't even have to be automatic, a properly crafter answer to a software update request could trigger the transmission of information, for instance.

      And even if the code the chinese govt sees doesn't have any hole, quid of the patches they WILL have to apply

      • The only solution to having a computer that can't spy on you is having full access to the code that's running on it, both at install time and after...

        You'd have to read and understand all the code, and then compile from that code. Something I am willing to bet very, very, few people do for every piece of software they run.

        Even then, you'd be vulernable to compiler based attacks, although I don't know if anyone has successfully pulled that off.

        Regarding firewalls, I hope you're aware that you can filter

        • You'd have to read and understand all the code, and then compile from that code. Something I am willing to bet very, very, few people do for every piece of software they run.

          Then again, very few people need the kind of security we're talking about

          Regarding firewalls, I hope you're aware that you can filter outgoing traffic as easily as incoming.

          I am aware that it is indeed possible, but what good is it to be wholly protected when you can't access or be accessed by anything?

          the only solution t

  • Can China regerate a standard build ? (Score:5, Interesting)

    by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Tuesday September 30, 2003 @07:22AM (#7092436) Homepage
    It would be interesting to see if the Chinese can type 'make' (or whatever is the MS Windows equivalent) and end up with something that is bit wise identical to what MS ships as part of a standard distribution. If they cannot do this, one has to question why not ? and we will be left with the suspicion that there is something that MS doesn't want the Chinese to see (be that different MS or NSA code).

    • Re:Can China regerate a standard build ? (Score:5, Funny)

      by bazik ( 672335 ) <bazik AT gentoo DOT org> on Tuesday September 30, 2003 @07:30AM (#7092477) Homepage Journal
      It would be interesting to see if the Chinese can type 'make'[...]

      Actually its
      ./configure --with-bugs --with-bsd-tcp --enable-features=bluescreen,solitaire,minesweeper && make && make kernel32.exe

  • not going to help (Score:5, Insightful)

    by lingqi ( 577227 ) on Tuesday September 30, 2003 @07:23AM (#7092437) Journal
    1) as this post [slashdot.org] has pointed out, just because you get to look at the source does not mean it's secure. (the post is from Jeremy Allison on the security of Samba servers)

    2) Besides, being closed source and microsoft, are they going to be able to [practically] compile windows and compare it to the actual version? Why do I doubt it?

    3) even if you get to look at the source, then you'd have to look at the source of every security patch that comes your way too, because otherwise you can just put a hole in one of your patches and pretend it fixes such and such. I mean, it's not like this hasn't been done before (Germain police, Java Anonymous Proxy).

    But then again Microsoft is probably just doing this for show anyway - bribe a few key officials so that there are too few people with too tight a schedule to examine all-too-much of bloaty code, and there you have it - "oh the code was examined and was ok" even though it's just a formality.

    I say stay away from Microsoft on principle when you need to be sure that you are secure.

    • Re:not going to help (Score:5, Interesting)

      by greppling ( 601175 ) on Tuesday September 30, 2003 @07:50AM (#7092576)
      As a point in favour of your reasoning: When there was the big debate in Germany about Linux use in the German parliament, there was also the question about Windows source code being made available to the German government.

      But the source code would never have been allowed to go to the BSI (Federal agency of IT security), which would be the only department of the government with

      • the resources
      • the competence
      for just a partial audit of the sources. So I agree all this shared-source is just a PR stunt.

  • Backdoors (Score:5, Funny)

    by pubjames ( 468013 ) on Tuesday September 30, 2003 @07:24AM (#7092442)
    reports have said that the search for backdoors installed by national intelligence agencies is also among the aims of the agreement.

    MS drone Bob: Did you remember to send those CDs of the source code to the Chinese?

    MS drone Dave: Yes, I did it this morning. Posted it Express delivery!

    MS drone Bob: You did remember to send the version with the backdoors taken out, didn't you?

    MS drone Dave: D'oh! [Slaps forehead]
  • Microsoft has announced GSP agreements with Russia, NATO and the United Kingdom

    hmmm. Last I checked, the UK was part of NATO. Unless, of course, they are talking about two separate organizations. IE, the NATO offices and the government offices of the UK.

  • and if they steal it? (Score:2, Informative)

    by Shivetya ( 243324 )
    or use parts of it to make similar products who is going to stop them?

    I don't have a problem with countries being allowed to inspect the code of software being used by their government agencies, I do have a problem when it is done by a government that has not proven it can be trusted with another's IP... or worse, one with nearly no respect for another's IP.

    This is not very different from certain South American and African countries that demanded and received the formulae to certain drugs and then turned

    • Re:and if they steal it? (Score:5, Insightful)

      by radja ( 58949 ) on Tuesday September 30, 2003 @07:48AM (#7092562) Homepage
      >This is not very different from certain South American and African countries that demanded and received the formulae to certain drugs and then turned around and started making their own.

      that was a GOOD thing, saving thousands of human lives who otherwise could not afford medicine. withholding a lifesaving medicine for your own profit is not a very nice thing to do.

    • I do have a problem when it is done by a government that has not proven it can be trusted with another's IP... or worse, one with nearly no respect for another's IP.

      This crap was modded Informative? MS has been fined heavily many times for stealing "IP" of other companies, I guess it is OK because they are a US company?

      This is not very different from certain South American and African countries that demanded and received the formulae to certain drugs and then turned around and started making their own.

  • "Yeah, all of these security problems are there because the ... N ... S ... A? Yeah, the NSA asked us to put them in." -- Discussion about submitting a story to Slashdot at a Microsoft PR Board Meeting

  • What about changes made by Windows Update? (Score:4, Interesting)

    by a.koepke ( 688359 ) on Tuesday September 30, 2003 @07:42AM (#7092530)
    What about them running windows update with these machines. In 6 months time and after many security patches ;) the code is not going to be the same. So what is to stop MS coding something in a patch that restores any backdoors that they might have removed? Is the Chinese government going to examine the code for every critical update and service pack it installs?
    • I'm sure all admins running highly critical Windows machines (the fools) just hook their boxes up to the internet and hit windowsupdate.com (or whatever the URL is).

      More likely they have a test network, run the patches on those machines for ages, make notes of all the md5sums of dlls, etc, and finally, when they are sure that they need to update, burn to a CD and run the patches manually.

  • Hows this... (Score:2, Insightful)

    by MaestroSartori ( 146297 )
    1) MS shows Windows source to China, then produces kick-ass version of Linux. Kick-assedness taken back into mainstream Linux, thanks to the GPL.

    2) MS has a look at shiny new-kick-assedness Linux source (hey, its open!), spots something similar to the code they showed China (or similar enough to please a finned lawyer-shark), sues everyone who ever used Linux, everyone who ever met them, and some people who look like them.

    3) Profit!!! (by destroying, or at least hurting, many Linux vendors, and setting ba
    • Well, I'm not sure about having MS protocols built in Linux. However, what could happens is that you might be able to buy a CD on the street, for 5 RMB (less than $1), containing the full source code of Windows.

      All it takes is one person ignoring the security policy, sneaks out a copy and it would be all over the place.

      But don't be too excited yet though, I'm sure MS would make sure that proper security policies are in place, and a good audit trail system to track any access.
      • But don't be too excited yet though, I'm sure MS would make sure that proper security policies are in place, and a good audit trail system to track any access.

        Yes they probably would. But the Linux codeauditors will be aware of this too and will no doubt take extra care over code submissions from China, the UK and other countries that get access to the Windows code. Even if genuine, SCO's claims would be small beer compared to Windows code getting into Linux. I suppose if there is real doubt you could

    • Hey hey hey--this isn't the SCO story.

  • Funniest line in the article (Score:5, Interesting)

    by Mark_in_Brazil ( 537925 ) on Tuesday September 30, 2003 @07:49AM (#7092567)
    Haw haw... Sorry, but there's a throwaway line in the article that just made me laugh:
    China--potentially a huge market for Microsoft, once the problem of software piracy is solved--
    Riiiiiiiight. And when, exactly will "the problem of software piracy" be solved? And how?
    I haven't seen anything reported on Slashdot or anywhere else that would "solve the problem of software piracy" and make China a huge market for Microsoft at the same time...

    --Mark

  • Couple of questions (Score:5, Insightful)

    by tsetem ( 59788 ) <tsetem@gmai[ ]om ['l.c' in gap]> on Tuesday September 30, 2003 @07:51AM (#7092583)
    Considering China's respect of Intellectual Property, and their desire to create a custom version of Linux to break the Microsoft monopoly, What is to prevent China from looking at the Windows Source, and then taking the good parts out and inserting them into Linux (or derivative utilities). What if they saw how the whole Active Directory authentication stuff worked, and enhanced Samba?

    I mean that could really be interesting. Genuine MS protocols in the Linux kernel. Microsoft would be pissed because of IP theft (ala SCO). But what could Microsoft do? Sue China?
    • It would be extremely bad, if China were to do such a thing. Microsoft would have all the best ammo imaginable against the OS movement (communism, destuction of intellectual property etc..)

      Microsoft migth not be able to do very much against China, but rest assured that they WOULD do a lot of damage to anyone else using the code ripped of by China.

      This would effectively fork Linux, and possibly a lot of other OSS projects in a China version and a "rest of the world" version.

      Bad bad bad!!!

    • Sorry to say but Samba is a better implementation than Windows. These guys even report bugs to Microsoft engineers.

    • I don't think it matters. MS is looking at a situation where it's products are being rejected by large portions of the world. The only reason that MS can use close standards and be so firm on copyrights is because they own most of the OS on all of the computers that matter. If the world standardizes on another OS, then MS will have to open up it's software just so the west can do business with the east.

      So this probably poses no net loss to them. If the source ploy works then they win because the gover

    • Re:Couple of questions (Score:2, Funny)

      by Anonymous Coward
      "But what could Microsoft do? Sue China?"

      I bet that doesn't seem as ludicrous to Bill Gates.
  • Microsoft presents "sources of windows" to China.
    Source gets examined. No backdoors are found. Code is accepted.
    Microsoft sells binaries to China.
    Difference between what appears after compilation of presented sources and what is in the binaries gets blamed on compilers... Backdoors are present on all copies that were sold as binary and not compiled from the "cleared source" by the chineese themselves.
  • You can tell much of the FUD about looking at Windows source and integrating it into Linux comes from a Flock of Psycho Chickens and their non-programming brothers. How in the name of all that is holy will the Chinese look at the source code and create their own Linux? Can anyone, from a programmer point of view, enlighten me on the subject?
    • In theory, you'd get a sense of "how it's done" from the code. Then you'd go write a better Wine or Samba... meaning better "GNU/Linux" not better Linux as in the Kernel ... I guess ... This technique of coding is called a "rip off" I believe. It can't be "Reverse Engineering" because you have the source, it's not a "Virgin" creation because you've already seen the source.

      So you can't look at the code for something then code another thing just like it and not call it a "rip off" I'm afraid... now, a code

  • India doesn't want it? (Score:2, Interesting)

    by krishy ( 461184 )
    Interestingly, rediff [rediff.com] is reporting that the India govt. has not shown any interest in the offer made to it

    Atleast so far:)...

  • Nope... it's something ELSE (Score:3, Interesting)

    by mgessner ( 46612 ) * <mgssnr@gma i l . com> on Tuesday September 30, 2003 @08:03AM (#7092654) Journal
    I'm going to beat on the conspiracy drum just a little bit... I think so far all the comments I've read missed this little tidbit:

    Given the source, and given their manpower, and given all the recent news in security forums about how full of holes Windows is... if *you* got access to the source of the OS that the U.S. Federal Government is using, wouldn't YOU be spending every waking moment of all YOUR software hackers trying to find ways to exploit vulnerabilities in Windows? It would not take more than a few infected computers and poof! there go parts of the U.S. Government... and the British and any other country fool enough to trust Microsoft "security."

    Admittedly, they have a tough job ahead of them, since nothing like the security they need has ever been seen on such a scale before in all of human histor... oh wait a minute, I forgot about the BSDs... whoops! Sorry about that! (Yes, I know they've got their holes, too, but those holes are much fewer and far between!)

    Given the sheer numbers of the computers that have Windows on them that the government uses, the probability that *all* of them are secure and protected from attack via an email or a web viewing with IE is absolutely zero.

    I know this *sounds* a bit kooky... but it's also realistic enough to be believable.

    I read the article and noted that other governments are also talking with Microsoft... but China appears that it's going to be the first, and this concerns me.
    • That doesn't concern me at all. If US and UK gov't computers get 0wNz0R3d 8Y c41N33z h4X0rZ, then maybe that will be the call they need to wake the fuck up and realize how insecure Microsoft software is, and switch to a better alternative. And as for whatever potential damage will be done, honestly, it's not likely to be any worse than what the George & Tony Show is already doing.
  • ...it will just put them into its back pocket, and save them for the next time it wants to shut down the State Department [slashdot.org].
  • Microsoft has announced GSP agreements with Russia, NATO and the United Kingdom.

    I predict the appearance of the windows source code on some .da.ru site very soon ... or at least in some of the more popular p2p networks :)

  • Timing (Score:5, Insightful)

    by Nishi-no-wan ( 146508 ) on Tuesday September 30, 2003 @08:17AM (#7092764) Homepage Journal
    Did anyone else notice that it was soon after Balmer testified in the anti-trust sit-com about how revealing Microsoft's source code would be a national security threat, that China and several eastern European countries bought into Microsoft's Shared Source inititive?
  • i think most of the posts here are missing something. if the chinese government is not trustworthy enough to follow the microsoft nda's, then why should we expect they would follow the gpl? if they do decide to make a home-grown linux-based os, what would require them to publish their sources? which court would you sue them in? the hague?

  • Is the US Government to Inspect the code too? (Score:3, Interesting)

    by Zarf ( 5735 ) on Tuesday September 30, 2003 @08:25AM (#7092822) Journal
    I thought that the US Government didn't get to inspect the code. Why does MicroSoft allow China to inspect that which the US can't? Isn't this essentially giving the Chinese goverment insight into Windows that even the NSA doesn't have? Doesn't that essentially give them an advantage for dealing with windows? Has Apple computer signed a simmilar agreement? Why doesn't China just switch to OSX?

  • Rumors said that... (Score:5, Interesting)

    by 2Bits ( 167227 ) on Tuesday September 30, 2003 @08:28AM (#7092846)
    A couple of posts already mentioned that MS is not gonna give China compilable code, etc. Here's what I heard.

    [Disclaimer: I'm not involved in any negotiation or anything, just heard this from someone whose boss is an insider. So take this with a big grain of salt!]
    Actually, it's not exactly true. Here are a few of the conditions that have been brought up by China, the main reasons being that China must be able to verify what MS claims.
    • MS must provide the compilable source code
    • China must send a team to MS (to the Redmond campus actually, not sure if they would be allowed to get into the building of Windows engineering team) to learn how to build it, and have some training about the Windows internals
    • MS must show how to do the build and a way to compare the final binary with the binary distributed by MS

    I've not asked about the issues about the patches, as I consider it to be a waste of time, and China should be concentrating money and energy on improving Linux, or heck, if we don't want to release the code changes, we can take one of the BSDs too.
    • China should be concentrating money and energy on improving Linux, or heck, if we don't want to release the code changes, we can take one of the BSDs too.
      You don't have to release changes you make to a GPL'd program. The GPL only affects the terms you can release changes under.
    • Something few people have considered though with the compilation.

      To verify that the code provided is the same as that used in the OS, Microsoft will have to compile with the same compilers that they use. Which afaik are their proprietary compilers.

      Now, all MS has to do is make the compiler "add" a file or two to the compilation, and then they don't have to show China or whoever all of the code, they can convieniently remove some files, and just say, "you have to use our compiler to get matching results.

  • national security risk (Score:3, Interesting)

    by codepunk ( 167897 ) on Tuesday September 30, 2003 @08:40AM (#7092918)
    I cannot even begin to think how large a US national security risk this is. Our military is highly dependant on MS systems. To have foreign nationals peering at the code that runs your military systems is just simply unnaceptable. Having source to the system does not necessarily cause a breach but it sure does help. Proprietary operating systems are a national security risk and should be treated as such.
  • Can all this fuss surrounding Red Flag linux just be a ploy to get MS to give China full and compilable source code that checks against the stuff in the stores? Many companies have been playing the "well we're thinking of linux for our servers" game to get discounts from MS.

    How real is red flag linux and how serious are the Chinese about making it their national OS?
  • Does any country REALLY think they are getting the full source code? Hmm, lets look at some of the steps of the MS OS govt. release procedures

    1. Remove nsa.c
    2. Remove sendMSInfo.c
    3. Remove ...

    MS said that "some" code is removed for "security" reason. So any govt. that looks at the code and gives it the OK, does not really know what that missing code is doing when they use the commercial OS. Now if the govt. was allowed to build their own version of MS Windows based on the code the were given, th
  • It is called Red Flag Linux [redflag-linux.com] and has been around for a couple of years.

  • NSA backdoors? (Score:4, Interesting)

    by Erwos ( 553607 ) on Tuesday September 30, 2003 @08:58AM (#7093032)
    I've never understood the kind of schiznophrenia that /.'ers approach NSA with.

    On one hand, they wrote SELinux, which _no one_ has been able to find any deliberate backdoors in. It is exactly what they said it was: a security-enhanced, hardened Linux.

    Yet, on the other hand, we accuse NSA of rigging Windows with backholes for them. Can we at least make up our minds on whether NSA believes in deliberate backdoors or not? It strikes me that the only "evidence" of an NSA backdoor in Windows was the infamous NSAkey brouhaha, but this is _hardly_ hard proof of anything.

    If NSA can use a backdoor, then so, theoretically, can enemy governments. That's hardly good security, and if there's one thing that NSA knows, it's good security.

    -Erwos
  • Oh, the Chinese government are looking into Windows code for exploitable holes, and I've no doubt that they're looking to increase security for their own version, but don't count out the possibility that they're looking for those exploitable holes to launch electronic attacks at the US and other democratic, capitalist nations. China has a long history of using American technology to prevent the spread of ideas and democratic ideals -- for instance their custom-built -- by Cisco of all companies -- filter/f
  • As with the AMD Elan - China I'm sure, will be taking copious notes on the design of the windows operating system. China has in the past attempted to create their own windows 98. Lacking 10 years of development time to bring China 98 to market - they will do the next best thing... or maybe they just want to see if it really IS spagetti code.

  • ... China laughs.

    Bill Gates would be like, "it wasn't supposed to be funny!"

    But it is.

    j.
  • Until China can take the source code, compile into binaries and distribute, they should NOT trust the creators of the programs to deliver them the "real" and "true" source code for what they may be running.

    Would YOU trust someone who says "here's the program" and then "here's the source code, but you can't do anything with it other than just look at it"?!

  • Are the Chinese sure they'll be looking at the version of the source code that compiles to the shipped software? Or might they get a peek at the cleaned up code without the security holes.

    OK, conspiracy theorists! Start your engines!

  • the NSA does not need Microsoft to create holes... (Score:3, Insightful)

    by The Lynxpro ( 657990 ) <[moc.liamg] [ta] [orpxnyl]> on Tuesday September 30, 2003 @04:52PM (#7097633)
    Why would the NSA rely on Microsoft to create security holes in Windows? If Microsoft cannot be trusted to patch holes they mistakenly placed in the OS, how can the NSA trust them to actually produce reliable security holes for breaching? I'm sure the NSA has viewed Microsoft code long before. All it would take would be to use Echelon's combined computing power for probably a couple of minutes and they could find all the hidden BSD code buried deep within...

Slashdot Top Deals

He has not acquired a fortune; the fortune has acquired him. -- Bion

Close