Microsoft opens source code to Russian secret service

NEWS

Microsoft has signed a deal to open its Windows 7 source code up to the Russian intelligence services.

Russian publication Vedomosti reported on Wednesday that Microsoft had also given the Russian Federal Security Service (FSB) access to Microsoft Windows Server 2008 R2, Microsoft Office 2010 and Microsoft SQL Server source code, with hopes of improving Microsoft sales to the Russian state.

The agreement will allow state bodies to study the source code and develop cryptography for the Microsoft products through the Science-Technical Centre 'Atlas', a government body controlled by the Ministry of Communications and Press, according to Vedomosti.

Microsoft Russia president Nikolai Pryanishnikov told Vedomosti that employees of Atlas and the FSB will be able to share conclusions about Microsoft products.

The agreement is an extension to a deal Microsoft struck with the Russian government in 2002 to share source code for Windows XP, Windows 2000 and Windows Server 2000, said Vedomosti.

A senior security source with links to the UK government told ZDNet UK on Wednesday that the 2002 deal was part of Microsoft's Government Security Program. Nato also signed up, said the source. Having a number of different governments with access to Microsoft code meant it was possible that a government could find holes in the code and use it to exploit another nation-state's systems, said the source.


Cambridge University security expert Richard Clayton told ZDNet UK on Thursday that opening up source code leads to a complex security situation. While a view of the code could enable a government to find security holes that the state could use to launch attacks against other nation states, it is possible to find holes in software without having access to the source code, said Clayton.

"If a government has the source code it can find different sorts of security vulnerabilities and perhaps exploit them, [but] it's unclear whether access to the source code makes people better or worse off," said Clayton.

A number of different factors made the situation complicated, said Clayton. Access to the code could allow close analysis, which would enable the discovery of holes such as buffer overflow flaws, but equally it is possible to run a fuzzing program which throws random data at parts of an operating system or software to find different vulnerabilities.
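To make Clayton's contrast concrete, here is an added illustration that is not part of the ZDNet article: a constructed record parser with a missing bounds check (the kind of flaw a source reviewer would spot), its corrected version, and a black-box fuzzer that finds the flaw with no source access at all, only by running the parser on random input and watching for crashes. The `BufferOverflow` exception is a stand-in for the crash a memory sanitizer would report on a real out-of-bounds write; the record format and buffer size are made up for the example.

```python
import random

BUF_SIZE = 64  # constructed: size of the fixed buffer the toy parser fills


class BufferOverflow(Exception):
    """Stands in for the crash a sanitizer would report on a real OOB write."""


def copy_into_buffer(payload: bytes) -> bytes:
    # Models a fixed-size stack buffer: writing past its end is the "crash".
    if len(payload) > BUF_SIZE:
        raise BufferOverflow(f"{len(payload)} bytes into a {BUF_SIZE}-byte buffer")
    buf = bytearray(BUF_SIZE)
    buf[: len(payload)] = payload
    return bytes(buf)


def parse_record_vulnerable(data: bytes) -> bytes:
    """Constructed format: one length byte, then payload.
    Bug: the declared length is trusted, so a long record overruns the buffer."""
    if not data:
        raise ValueError("empty record")
    declared = data[0]
    return copy_into_buffer(data[1 : 1 + declared])


def parse_record_fixed(data: bytes) -> bytes:
    """Same format, with the missing bounds check added."""
    if not data:
        raise ValueError("empty record")
    declared = data[0]
    if declared > BUF_SIZE or len(data) - 1 < declared:
        raise ValueError("declared length out of range")
    return copy_into_buffer(data[1 : 1 + declared])


def fuzz(target, iterations: int = 2000, seed: int = 1) -> list:
    """Black-box fuzzer: throws random records at target and keeps the ones
    that crash it. Needs only the ability to run the target, not its source."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        data = bytes([rng.randint(0, 255)]) + rng.randbytes(rng.randint(0, 255))
        try:
            target(data)
        except ValueError:
            pass  # input rejected cleanly, not a bug
        except BufferOverflow:
            crashes.append(data)
    return crashes
```

Running `fuzz(parse_record_vulnerable)` returns crashing records (all with a length byte above 64 and a payload longer than the buffer), while `fuzz(parse_record_fixed)` returns none.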

While access to the code can enable pre-emptive patching before an attack, nation states would be able to tell if another government was patching its networks, said Clayton.

"Should you immediately patch the system, in which case people will notice the Russians have patched their systems?" said Clayton. "Or alternatively you could report the vulnerability to Redmond [Microsoft headquarters], or should you use [the hole] to attack your enemies?"

Clayton said that there were tens of thousands of bugs in Microsoft products, in part due to the sheer volume of source code. A government could not hope to patch them all, said Clayton, while an attacker only has to find one hole and exploit it successfully to gain access to systems.

"It's completely asymmetrical," said Clayton.

The Office of Cyber Security, which oversees the UK government cyber-attack and defence capability, had not responded to a request for comment at the time of writing.

A senior Whitehall source told ZDNet that Microsoft's decision to open its source code to various governments had been a commercial decision.

Microsoft said it had opened up code to the FSB as part of its ongoing Government Security Agreement with the Russian state.

"The agreement that we signed with the FSB is an extension of Microsoft’s Government Security Program (GSP)," Microsoft said in a statement on Friday. "The purpose of the GSP is to increase trust with national governments. In the case of the Russian agreement, GSP participation will facilitate the development of the next generation of secured solutions for Russian government agencies based on the latest Microsoft technologies and Russian cryptography."

Talkback

"If a government has the source code it can find different sorts of security vulnerabilities and perhaps exploit them, [but] it's unclear whether access to the source code makes people better or worse off," said Clayton.
------
Take a look at FreeBSD, OpenBSD, NetBSD, and Linux if it's unclear to you.

Noiteht 9 July, 2010 18:49 Reply

Having a look at free OSes doesn't make things clearer, since the situation is different. In the case of free OSes, everybody has the sources, and everybody can find bugs and can patch the system. In the case of proprietary software, giving the source to one entity (or a small number of entities) gives them an advantage. Now, not only the NSA and US government can hack your Microsoft computers, but the Russian government too, and nobody can help you patch Microsoft systems to prevent it! (Don't count on Microsoft, they're either unwilling or too slow to do so.)

informatimago 10 July, 2010 15:32 Reply

The devil will be in the details of the agreement, but for the most part this seems like an agreement to make some Russian bureaucrat "feel good".

(1) If the Russians are trying to see if the binary code they are given has any trapdoors or other malware in it, then it is very hard to see that the binary code that they receive from Microsoft was generated by the sources that they are looking at.

(2) If the Russians do wish to make sure their code has no issues, then they would probably need not only the sources for the code in question, but the entire build environment that Microsoft uses, so they can build their own binaries. There was a very famous UNIX exploit where the code that inserted the exploit was in the "C" compiler, not in the operating system. When the "C" compiler compiled a particular module, it inserted the exploit into that module. You could have looked at the sources for that module your entire life and not have seen the exploit.

(3) If the Russians are looking to create better security and encryption algorithms as the article states, then they should know that those security and encryption algorithms would probably be best developed outside of mixing them with any of Microsoft's code (i.e. develop them more as a layered product or dynamically loaded module). Otherwise the Russians would be at the whim of either Microsoft or the U.S. State Department as to whether Microsoft would ever distribute the code the Russians developed. Of course the Russians could implement and distribute their code mixed with the Microsoft sources themselves, but then the Russians would need the entire tool chain (see #2).

(4) "The government" may have access to the source code, but I doubt if it goes beyond that. What happens if "the government" wants to have a university help them with developing these algorithms? What hoops have to be jumped through to get the universities access to the sources?

Compare this agreement and these thoughts to doing the same type of work using a distribution like Gentoo Linux. Is it any wonder why the NSA chose Linux for their SELinux project?

I think what happened is that someone in the Russian government said "We can not use Microsoft because we can not see if the USA had put any spy-ware in it" and Microsoft said "No problem, we will show you the source code." So now the Russian bureaucrat feels better.

maddog

maddoghall 10 July, 2010 18:16 Reply

http://cm.bell-labs.com/who/ken/trust.html

As maddog pointed out, very apropos here.

treed 18 July, 2010 07:45 Reply

Having a look at free OSes doesn't make things clearer, since the situation is different. In the case of free OSes, everybody has the sources, and everybody can find bugs and can patch the system. In the case of proprietary software, giving the source to one entity (or a small number of entities) gives them an advantage. Now, not only the NSA and US government can hack your Microsoft computers, but the Russian government too, and nobody can help you patch Microsoft systems to prevent it! (Don't count on Microsoft, they're either unwilling or too slow to do so.)

Adnan Ahmed 20 July, 2010 14:13 Reply

"Should you immediately patch the system, in which case people will notice the Russians have patched their systems?"
I'm curious as to what the government networks are that another government can see the patch status of? I don't think it's at all likely that any government is going to find a way to attack another through this program, but if they did, how would any other government know they had patched their systems for protection? I'm sure the governments aren't getting access to the MS Build system so they're not compiling the source code, they're just using it for reference (if I was a government developing my crypto system, I would want to see the source code it would be integrating with, not just the API) so it's not as if there's some common build tree that they'll all have access to. If NATO's spies are so good they know whether the FSB PCs have been updated after the latest patch Tuesday, how come the US took so long to find the Russian sleeper spies?
M
