I am not really sure how I feel about this one. It’s a rather strange story. Here’s a snippet of what Computer Weekly recently posted:
“Microsoft has signed an agreement with Russia to share the source code of multiple products, according to US reports.
The agreement expands co-operation with Russia under Microsoft’s Government Security Program set up to help governments build more secure IT infrastructures.
According to Microsoft, more than 60 governments are eligible for the Government Security Program in which the UK, China and NATO are active members.”
From reports, they handed over source code for Microsoft Windows Server 2008 R2, Microsoft Office 2010, Microsoft SQL Server, Windows XP, Windows 2000 and Windows Server 2000, and, of course, Windows 7. I can’t take credit for noticing this, but when it was pointed out, I found it amusing that they didn’t ask for access to Windows Vista. Even the Russians had no interest in Vista.
Now correct me if I am wrong, but I noticed China listed here, and I can’t help but remember that China recently hacked Google and various other US tech companies via a hole in Internet Explorer 6.
The US also recently traded a group of Russian spies back to their homeland in exchange for the release of a few captured US spies. It all sounded very Cold War-esque, except for the technology slant to the story. Which, again, brings us back to wondering whether holes in any of this software allowed some of this to happen.
Curious to see what security experts were thinking, I did a quick web search and came across this from Cambridge University’s Richard Clayton:
“If a government has the source code it can find different sorts of security vulnerabilities and perhaps exploit them, [but] it’s unclear whether access to the source code makes people better or worse off,” said Clayton. A number of different factors made the situation complicated, said Clayton. Access to the code could allow close analysis, which would enable the discovery of holes such as buffer overflow flaws, but equally it is possible to run a fuzzing program which throws random data at parts of an operating system or software to find different vulnerabilities.”
And this one from ZDnet:
“Despite the security benefits, having access to source code can also carry security implications.
“Having a number of different governments with access to Microsoft code meant it was possible that a government could find holes in the code and use it to exploit another nation-state’s systems,” a senior security source with links to the U.K. government told news source ZDNet.”
So, Microsoft makes it sound benign; security experts make it sound less so. There seems to be nothing from the US government, but I have to assume they allowed this to happen. And I also have to assume that they vetted this and found no reason to put a halt to it. Hence I guess I won’t worry…yet.