Closed Microsoft inevitably leads to unclosable back doors: FSF

Summary: The foundation behind the promotion of free and open source software says it is impossible to have a true chain of trust without the ability for users to fix back doors themselves.


The Free Software Foundation has lashed out at Microsoft's announcements yesterday that Redmond was committing itself to increased encryption of user data and to legal transparency.

Last night, the software giant confirmed that by the end of 2014, it would have added 2048-bit encryption to the links between its data centres, and encrypted all user data that Microsoft stored.

John Sullivan, executive director of the Free Software Foundation, called the Microsoft announcements meaningless and added that the company had made promises on security before.

"Proprietary software like Windows is fundamentally insecure not because of Microsoft's privacy policies but because its code is hidden from the very users whose interests it is supposed to secure," he said in a statement.

"A lock on your own house to which you do not have the master key is not a security system, it is a jail."

Sullivan said that any system which does not allow for code review and modification inevitably leaves itself open to back doors and privacy violations, and even questioned Microsoft's definition of a vulnerability.

"While the Microsoft announcement does promise 'transparency' to reassure people that there are no back doors in Windows, this is no solution," said Sullivan.

"Microsoft has demonstrated time and time again that its definition of a 'back door' will not be the same as yours. Noticing that the back door is wide open will do you no good if you are forbidden from shutting it."

In its announcement yesterday, Microsoft said that many of its new security moves are already in place, and that the company would be using the courts to fight gag orders preventing the company from notifying customers when governments seek their data.

Writing in a blog post, Brad Smith, Microsoft general counsel and executive vice president, legal and corporate affairs, said that the company believes governments should gain access to information and data the same way they did before IT moved to the cloud, by going directly to Microsoft's customers, and that the company should only be compelled to disclose data in "the most limited circumstances".

Redmond's increased focus on encryption follows the public disclosure of the MUSCULAR program conducted by the NSA and GCHQ, which allowed the spy agencies to tap the traffic moving between Google and Yahoo data centres.

Google and Yahoo have already made similar encryption announcements.

Topics: Security, Microsoft, Open Source, Privacy


Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.



  • No surprise

    This has been the FSF's position for as long as there has been a public Internet. In the end, users have to decide how much they trust their proprietary software vendors, but unless you can inspect the code yourself and know what you're looking at, then trust is all there is.
    John L. Ries
    • Microsoft increased security, then it gave the NSA the key

      The Free Software Foundation said:
      "A lock on your own house to which you do not have the master key is not a security system."

      But there's something worse than not having the master key to your house. That's when Microsoft gives your house master key to the NSA.

      Anyone who doesn't believe that Microsoft has given the NSA a back door should read the Edward Snowden reports in The Guardian newspaper:

      Corporations that need to protect their data from eavesdropping should in fact drop Windows, and move to Linux and open-source software. Then you know what is there.
      • Open Source Doesn't Mean Secure

        Just because you can read source code doesn't mean it's well written. The NSA and other organizations can read the code and find what potential vulnerabilities exist, but there are also too many distributions of Linux for enough researchers to follow.
        • But...

          ...there isn't all that much variance in the packages included in a Linux distro, and they all use the Linux kernel and glibc. So, if you're running a web server on the Linux side, for example, you're probably running Apache, which is based on the same publicly available codebase no matter what OS it's running under. It is therefore unsurprising that security researchers pay much more attention to specific network-enabled programs and systems that run under Linux than they do to Linux distros.

          And even badly written source code can be analyzed; it just takes more work.
          John L. Ries
          • But...

            Most of the snooping the NSA has done in the United States seems to be either unencrypted data flowing from server to server, or data stored on a server that the NSA supposedly has a warrant for. It doesn't matter that you're running Linux if your email is stored on a Google server, for example.

            Second, why would I believe that Windows has a 'back door' and Ubuntu doesn't? Because someone on the internet said so? I find that the comments posted in sites like this are from people that have no idea what they're talking about (not necessarily you). They like their own favorite thing, and if someone else doesn't agree then they are obviously wrong. This is idiot thinking, and it's very common 'round these parts.

            I'll take your word for it that *NIX (pick a flavor) doesn't have a 'back door'. But I don't believe Windows has one, either. The people saying it does sound a lot like the people that used to say Apple computers were invulnerable to malware. They were foolish and wrong. And I'm not paranoid enough to think there IS a 'back door' just because I can't study the code.

            Really though, most of us put our personal information out there in our browsers, or we post it on Space Book or My Face (whatever). Just about everything someone wants to know about me could be found in my Cookies folder, which faces outward by default. It's one of the things that make the internets so seamless. It doesn't matter what OS you use, because it's your browser that is the 'back door'.

            It really doesn't matter, though. It's the people in congress that created all this. And if the NSA says they are being locked out of something by encryption, then they'll ask congress to change the law about encryption and warrants. Again. And they will.

            Keep that in mind the next time someone on CSPAN says he's shocked (Shocked!!) about all this spying by the NSA.
        • Re: Open Source Doesn't Mean Secure

          "Just because you can read source code doesn't mean it's well written."

          No, but it does mean that people with a lot of money, interest and effort can effectively audit it. That's what's been happening with, say, TrueCrypt and Bitcoin. And, it's why they are trusted by many.
          • And the OpenBSD Project since 1996 with its code auditing team

            How many other open source software projects even come close to OpenBSD's code auditing efforts? Install a desktop environment (Gnome, KDE, Xfce), open source web browser (Firefox, Chromium), open source email client (Thunderbird), open source media player (VLC Media player), open source office suite (LibreOffice, OpenOffice), etc. on OpenBSD and it's a whole new ball game.

            Ditto with server software, sshd excepted as it ships with OpenBSD.

            P.S. OpenBSD's code auditing team is comprised of 8 to 12 individuals that know what they're doing. Translation -> It's not 'many eyes'.
            Rabid Howler Monkey
        • All enterprise customers use enterprise Linux

          You are wrong. All enterprise customers either use RedHat or CentOS. That is not too many for researchers to read. Plus, between releases one only needs to inspect the difference between releases, not all the code, as the parts of the code which are unaltered were already inspected. Furthermore, only those modules which execute as root need inspecting. This narrows the inspection down so that researchers can inspect it and keep up with it.
          Tim Jordan
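The review-scoping argument in the comment above (look only at what changed between releases, and within that prioritise what runs as root) carried through as an added example. This is not code from the article or from any commenter; the two release trees and the list of root-running components are constructed, hypothetical sample data, and the path-prefix manifest stands in for whatever a real audit would use to decide privilege (setuid bits, service unit users).

```python
import difflib
import hashlib
from dataclasses import dataclass, field

# Constructed sample data (hypothetical, not taken from any real distribution):
# two consecutive "releases" of a small package set, each mapping a source path
# to its contents, plus a manifest of the path prefixes that execute as root.
RELEASE_OLD = {
    "src/sshd/auth.c": "int auth(const char *u, const char *p) { return check(u, p); }\n",
    "src/sshd/log.c": "void log_msg(const char *m) { puts(m); }\n",
    "src/editor/buffer.c": "void insert(struct buf *b, char c) { b->data[b->len++] = c; }\n",
    "src/cron/run.c": "int run_job(struct job *j) { return exec_job(j); }\n",
}
RELEASE_NEW = {
    "src/sshd/auth.c": "int auth(const char *u, const char *p) { return check(u, p) || debug; }\n",
    "src/sshd/log.c": "void log_msg(const char *m) { puts(m); }\n",
    "src/editor/buffer.c": "void insert(struct buf *b, char c) { grow(b); b->data[b->len++] = c; }\n",
    "src/cron/run.c": "int run_job(struct job *j) { return exec_job(j); }\n",
    "src/cron/env.c": "void set_env(struct job *j) { setenv(\"PATH\", j->path, 1); }\n",
}
RUNS_AS_ROOT = ("src/sshd/", "src/cron/")  # assumed privilege manifest


@dataclass
class ReviewScope:
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    modified: list = field(default_factory=list)
    unchanged: list = field(default_factory=list)
    priority: list = field(default_factory=list)  # added or modified AND privileged


def digest(text: str) -> str:
    """Content hash used to decide whether a file changed between releases."""
    return hashlib.sha256(text.encode()).hexdigest()


def is_privileged(path: str, roots=RUNS_AS_ROOT) -> bool:
    """True if the path belongs to a component that executes as root."""
    return any(path.startswith(r) for r in roots)


def scope_review(old: dict, new: dict, roots=RUNS_AS_ROOT) -> ReviewScope:
    """Partition the new release into added/removed/modified/unchanged files by
    comparing content hashes, and list the added or modified files that run as
    root as the review priority. Unchanged files are treated as already reviewed."""
    scope = ReviewScope()
    for path in sorted(set(old) | set(new)):
        if path not in old:
            scope.added.append(path)
        elif path not in new:
            scope.removed.append(path)  # nothing left to audit for a deleted file
            continue
        elif digest(old[path]) != digest(new[path]):
            scope.modified.append(path)
        else:
            scope.unchanged.append(path)
            continue
        if is_privileged(path, roots):
            scope.priority.append(path)
    return scope


def diff_for(path: str, old: dict, new: dict) -> str:
    """The unified diff a reviewer would actually read for one changed file."""
    return "".join(difflib.unified_diff(
        old.get(path, "").splitlines(keepends=True),
        new.get(path, "").splitlines(keepends=True),
        fromfile=f"old/{path}", tofile=f"new/{path}",
    ))


if __name__ == "__main__":
    scope = scope_review(RELEASE_OLD, RELEASE_NEW)
    print("priority (changed, runs as root):", scope.priority)
    print("deferred (changed, unprivileged):",
          [p for p in scope.added + scope.modified if p not in scope.priority])
    for p in scope.priority:
        print(diff_for(p, RELEASE_OLD, RELEASE_NEW))
```

Run stand-alone, the script reports two priority files (the new cron source and the modified sshd authentication check) and defers the editor change. Hashing contents rather than trusting version strings or mtimes is what makes the "unchanged" bucket safe to skip; a reviewer who only compares filenames would miss an edited file with the same name.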
          • Two words.

            Prove it.
            Sam Wagner
          • Sorry wrong

            Sam Wagner
      • Vbitrate, you could look at that code all day and never have a clue

        as to whether it's secure enough, or isn't.

        I guess that means you would need to "trust" someone who would know, right?

        The rest of your post is nonsense, as the Guardian has never offered any proof to their claims when asked, so many already have dismissed it.

        And I'd trust Windows over Linux any day of the week for the simple reason that who is going to work harder and put more effort into producing a quality product, the person that gets paid, or the one that doesn't?
        • William, Open Source people do get paid. Linus Torvalds gets paid

          The people who you talk about are Google programmers, IBM programmers, Oracle programmers, RedHat programmers, Amazon programmers. Who told you we don't get paid? What, do you think that we are all independently wealthy?
          Tim Jordan
    • that's the problem with open source as well

      you put it perfectly


      Sure, with OSS you can look at it, but considering the vulnerabilities not found, it is clear that yes, many can look at it, but few do and even fewer "know what to look for".

      And I am absolutely sure MS does code reviews all the time; it's a standard QA practice for all software development.
      • They'd better, because no-one else can!

        "And I am absolutely sure MS does code reviews all the time; it's a standard QA practice for all software development."

        Unfortunately, the strength of your conviction doesn't have any weight. Particularly given the number of "zero day" bugs found in Windows and IE recently.
      • Others review the code as well

        Microsoft provides access to the source for others to review as well. So the 'many eyes' thing applies equally to Windows. And those that do are people who know what they are doing.
    • Isn't that true with everything?

      You don't inspect the airplane yourself, you trust the mechanics did.

      But who says your open source software is secure? I'm no coder nor is anyone at our company. I would have to "trust" the outside specialist I have to hire to let me know yes or no if it is.

      So it's all about trust, as I doubt many here examining the code would have a clue as to whether it is or isn't, so they would need to trust someone who supposedly is.
  • mindless talking points

    The free software foundation is like that terrible cover band that only knows one song, gets onstage, and plays it over and over and over again.

    Windows is largely irrelevant to this discussion, since most of what this is about is its cloud services and Azure, and there are very very very few websites that have their code under an Affero license, if it made much of a difference anyway.
    • If the FSF is right...

      ...then the number of times the point is repeated is irrelevant. All that matters here is whether the claim is true, not who says it, or who is advantaged or disadvantaged by it.
      John L. Ries
      • Neither are they right for their much repeating

        There is a reason BlackBerry has so many public squabbles with various world governments, and it is their indecipherable security that is the reason for that.

        Coming back to the main point, the fact remains that none of this has anything to do with the piece of software that the comment concerns, which is Windows. Droning on about an irrelevant subject certainly doesn't make them right, today.

        The application that all of this does concern is Azure, and the other cloud services that Microsoft produces. And while it is true that these are not under a GPL Affero license, neither are Google, Amazon AWS, or iCloud. So all of the usual clanging of gongs with respect to anybody but Microsoft is irrelevant.
        • If you want to refute the claim, then do so.

          Blackberry is a reasonable counterexample, but it's not doing all that well commercially at the moment. Are MS and Apple equally good counterexamples? I doubt it.

          Regardless, who makes a claim, the number of times it's repeated, and whose ox is gored have nothing whatever to do with whether it's true. And in practice, while I think a publicly auditable codebase is a good thing from a security perspective, it's only one piece of the puzzle (and in the end, it's all about trust).
          John L. Ries