Microsoft opens source code to Russian secret service

Summary: Microsoft's decision to give the Russian intelligence services access to products including Windows 7 was commercial, according to a Whitehall source

Microsoft has signed a deal to open its Windows 7 source code up to the Russian intelligence services.

Russian publication Vedomosti reported on Wednesday that Microsoft had also given the Russian Federal Security Service (FSB) access to Microsoft Windows Server 2008 R2, Microsoft Office 2010 and Microsoft SQL Server source code, with hopes of improving Microsoft sales to the Russian state.

The agreement will allow state bodies to study the source code and develop cryptography for the Microsoft products through the Science-Technical Centre 'Atlas', a government body controlled by the Ministry of Communications and Press, according to Vedomosti.

Microsoft Russia president Nikolai Pryanishnikov told Vedomosti that employees of Atlas and the FSB will be able to share conclusions about Microsoft products.

The agreement is an extension to a deal Microsoft struck with the Russian government in 2002 to share source code for Windows XP, Windows 2000 and Windows Server 2000, said Vedomosti.

A senior security source with links to the UK government told ZDNet UK on Wednesday that the 2002 deal was part of Microsoft's Government Security Program. Nato also signed up, said the source. Having a number of different governments with access to Microsoft code meant it was possible that a government could find holes in the code and use them to exploit another nation-state's systems, said the source.

Cambridge University security expert Richard Clayton told ZDNet UK on Thursday that opening up source code leads to a complex security situation. While a view of the code could enable a government to find security holes that the state could use to launch attacks against other nation states, it is possible to find holes in software without having access to the source code, said Clayton.

"If a government has the source code it can find different sorts of security vulnerabilities and perhaps exploit them, [but] it's unclear whether access to the source code makes people better or worse off," said Clayton.

A number of different factors made the situation complicated, said Clayton. Access to the code could allow close analysis, which would enable the discovery of holes such as buffer overflow flaws, but equally it is possible to run a fuzzing program, which throws random data at parts of an operating system or software, to find different vulnerabilities.

While access to the code can enable pre-emptive patching before an attack, nation states would be able to tell if another government was patching its networks, said Clayton.

"Should you immediately patch the system, in which case people will notice the Russians have patched their systems?" said Clayton. "Or alternatively you could report the vulnerability to Redmond [Microsoft headquarters], or should you use [the hole] to attack your enemies?"

Clayton said that there were tens of thousands of bugs in Microsoft products, in part due to the sheer volume of source code. A government could not hope to patch them all, said Clayton, while an attacker only has to find one hole and exploit it successfully to gain access to systems.

"It's completely asymmetrical," said Clayton.

The Office of Cyber Security, which oversees the UK government cyber-attack and defence capability, had not responded to a request for comment at the time of writing.

A senior Whitehall source told ZDNet that Microsoft's decision to open its source code to various governments had been a commercial decision.

Microsoft said it had opened up code to the FSB as part of its ongoing Government Security Agreement with the Russian state.

"The agreement that we signed with the FSB is an extension of Microsoft’s Government Security Program (GSP)," Microsoft said in a statement on Friday. "The purpose of the GSP is to increase trust with national governments. In the case of the Russian agreement, GSP participation will facilitate the development of the next generation of secured solutions for Russian government agencies based on the latest Microsoft technologies and Russian cryptography."

Tom Espiner

Talkback

11 comments
  • "If a government has the source code it can find different sorts of security vulnerabilities and perhaps exploit them, [but] it's unclear whether access to the source code makes people better or worse off," said Clayton.
    ------
    Take a look at FreeBSD, OpenBSD, NetBSD, and Linux if it's unclear to you.
    Noiteht
  • Having a look at free OSes doesn't make things clearer, since the situation is different. In the case of a free OS, everybody has the sources, and everybody can find bugs and can patch the system. In the case of proprietary software, giving the source to one entity (or a small number of entities) gives them an advantage. Now, not only the NSA and US government can hack your Microsoft computers, but the Russian government too, and nobody can help you patch Microsoft systems to prevent it! (Don't count on Microsoft, they're either unwilling or too slow to do so).
    informatimago
  • The devil will be in the details of the agreement, but for the most part this seems like an agreement to make some Russian bureaucrat "feel good".

    (1) If the Russians are trying to see if the binary code they are given has any trapdoors or other malware in it, then it is very hard to see that the binary code that they receive from Microsoft was generated by the sources that they are looking at.

    (2) If the Russians do wish to make sure their code has no issues, then they would probably not only need the sources for the code in question, but the entire build environment that Microsoft uses so they can build their own binaries. There was a very famous UNIX exploit where the code for the exploit was in the "C" compiler, not in the operating system. When the "C" compiler compiled a particular module, it inserted the exploit into that module. You could have looked at the sources for that module your entire life and not have seen the exploit.

    (3) If the Russians are looking to create better security and encryption algorithms as the article states, then they should know that those security and encryption algorithms would probably be best developed outside of mixing them with any of Microsoft's code (i.e. develop it more as a layered product or dynamically loaded module). Otherwise the Russians would be at the whim of either Microsoft or the U.S. State Department as to whether Microsoft would ever distribute the code the Russians developed. Of course the Russians could implement and distribute their code mixed with the Microsoft sources themselves, but then the Russians would need the entire tool chain (see #2).

    (4) "The government" may have access to the source code, but I doubt if it goes beyond that. What happens if "the government" wants to have a university help them with developing these algorithms? What hoops have to be jumped through to get the universities access to the sources?

    Compare this agreement and these thoughts to doing the same type of work using a distribution like Gentoo Linux. Is it any wonder why the NSA chose Linux for their SELinux project?

    I think what happened is that someone in the Russian government said "We can not use Microsoft because we can not see if the USA had put any spy-ware in it" and Microsoft said "No problem, we will show you the source code." So now the Russian bureaucrat feels better.

    maddog
    maddoghall
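A toy model of the compiler trick maddog describes in point (2), together with the diverse double compiling check (David A. Wheeler's technique) that detects it. This is an added example, not code from the article or from any commenter; the toy "language", the `Binary` type and the `payload`/`backdoor` markers are all constructed here for illustration.

```python
from dataclasses import dataclass

# Constructed toy source programs; a real compiler sees files, not tags.
LOGIN_SRC = "login: compare the typed password with the stored hash"
CC_SRC = "cc: translate source text into a binary"
TRUSTED_CC_SRC = "tcc: independent compiler used only for verification"

@dataclass(frozen=True)
class Binary:
    """A compiled program: the source it was built from, plus anything the
    compiler inserted that does not appear in that source."""
    source: str
    inserted: tuple = ()  # empty for a faithful build

def run_compiler(compiler: Binary, source: str) -> Binary:
    """Run a compiler binary on a source program. A clean compiler emits
    exactly what the source says. A compiler carrying the trusting-trust
    payload misbehaves on two inputs only: the login program (it adds a
    backdoor) and the compiler's own source (it re-inserts the payload, so
    rebuilding cc from pristine source does not remove it)."""
    if "payload" not in compiler.inserted:
        return Binary(source)
    if source.startswith("login:"):
        return Binary(source, ("backdoor",))
    if source.startswith("cc:"):
        return Binary(source, ("payload",))
    return Binary(source)

def ddc_check(suspect_cc: Binary, cc_source: str, trusted_cc: Binary) -> bool:
    """Diverse double compiling: build cc_source with an independent trusted
    compiler, rebuild cc_source with that result, and compare with the suspect
    compiler's own rebuild. A self-propagating payload shows up as a difference.
    Returns True when the two builds agree."""
    stage1 = run_compiler(trusted_cc, cc_source)
    stage2 = run_compiler(stage1, cc_source)
    self_rebuild = run_compiler(suspect_cc, cc_source)
    return stage2 == self_rebuild

def demo() -> dict:
    clean_cc = Binary(CC_SRC)
    trojaned_cc = Binary(CC_SRC, ("payload",))  # same source, hidden extra
    trusted_cc = Binary(TRUSTED_CC_SRC)
    return {
        "login_from_clean": run_compiler(clean_cc, LOGIN_SRC).inserted,
        "login_from_trojan": run_compiler(trojaned_cc, LOGIN_SRC).inserted,
        "trojan_survives_rebuild": run_compiler(trojaned_cc, CC_SRC).inserted,
        "ddc_clean": ddc_check(clean_cc, CC_SRC, trusted_cc),
        "ddc_trojan": ddc_check(trojaned_cc, CC_SRC, trusted_cc),
    }
```

In the model, equality of `Binary` values stands in for byte-identical build output; with a real toolchain the same comparison needs reproducible builds, which is exactly the build-environment requirement the comment raises.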
  • http://cm.bell-labs.com/who/ken/trust.html

    As maddog pointed out, very apropos here.
    treed-f4e6d
  • Having a look at free OSes doesn't make things clearer, since the situation is different. In the case of a free OS, everybody has the sources, and everybody can find bugs and can patch the system. In the case of proprietary software, giving the source to one entity (or a small number of entities) gives them an advantage. Now, not only the NSA and US government can hack your Microsoft computers, but the Russian government too, and nobody can help you patch Microsoft systems to prevent it! (Don't count on Microsoft, they're either unwilling or too slow to do so).
    Adnan Ahmed-6d326
  • "Should you immediately patch the system, in which case people will notice the Russians have patched their systems?"
    I'm curious as to what the government networks are that another government can see the patch status of? I don't think it's at all likely that any government is going to find a way to attack another through this program, but if they did, how would any other government know they had patched their systems for protection? I'm sure the governments aren't getting access to the MS Build system so they're not compiling the source code, they're just using it for reference (if I was a government developing my crypto system, I would want to see the source code it would be integrating with, not just the API) so it's not as if there's some common build tree that they'll all have access to. If NATO's spies are so good they know whether the FSB PCs have been updated after the latest patch Tuesday, how come the US took so long to find the Russian sleeper spies?
    M
    Simon Bisson and Mary Branscombe
  • Giving an advantage to the FSB is like giving an advantage to the Mafia. I do not understand how brain dead this is. First they bootleg every known piece of software in the world and sell $10,000 worth of software for the price of the disk plus a couple of bucks. Next you arm the enemy with weapons you don't have access to! I would suggest anyone even thinking of using a Windows OS now abandon ship quickly. Obviously they should have sent someone to Russia to live for a couple of months as a tourist and they would have realized the corruption (if they strayed off the beaten path).
    davidclarsen
  • "Now, not only the NSA and US government can hack your Microsoft computers, but the Russian government too..."

    Wow, that is really dangerous! What do you think the Russian government will do with your data!? Why do you think they need your data!? Cold war is over - Ahmed!!
    Russians are not interested in the growth of empire, or in resources; they have their own and are busy keeping their territory within its current borders, as they have a huge number of their own local problems to solve.
    jonnni
  • best pragmatic comment on this site!!
    --> respect maddoghall!!
    jonnni
  • Really funny, these comments!
    Look at these comments by "informatimago", "Adnan Ahmed"..
    -> "Now, not only the NSA and US government can hack your Microsoft computers, but the Russian government too, "

    What is the sense of this anti-Russian propaganda, I can't understand!?

    Maybe one of you can scratch the brain a bit.. try to explain the "worst case scenario"!?
    jonnni
  • .. and what about you, "daveclarsen"?
    FSB and Mafia?
    What about Scotland Yard and the CIA? Nowadays it is not a secret how they act and with whom they cooperate!? They are all acting behind the law... Why do you think they are better?

    In my opinion we don't need such kinds of organization at all; the UNO + ICJ (without outside pressure of course) is enough to create a better world. ;-)
    jonnni