MS Cites National Security to Justify Closed Source

guacamolefoo writes: "It was recently reported in eWeek that "A senior Microsoft Corp. executive told a federal court last week that sharing information with competitors could damage national security and even threaten the U.S. war effort in Afghanistan. He later acknowledged that some Microsoft code was so flawed it could not be safely disclosed." (Emphasis added.) The follow up from Microsoft is even better: As a result of the flaws, Microsoft has asked the court to allow a "national security" carve-out from the requirement that any code or API's be made public. Microsoft has therefore taken the position that their code is so bad that it must kept secret to keep people from being killed by it. Windows - the Pinto of the 21st century."

Nice

[jayhawk88]

When in doubt, raise concerns about terrorism, or inappropriately use 9/11 as a crutch. The new coin of Washington (both east and west it seems).

Nothing will ever be the same again indeed.

Now what are they trying to hide?

[CoolVibe]

Microsoft code and national security? Hmm... Interesting :) Also another good question is: whose national security, als lots of foreign governments use Microsoft software.

Worrying isn't it?

Hypocrits

[Telastyn]

If the code is so bad as to be dangerous, shouldn't the government make them recall the code and return a properly functioning version?

If a car was dangerous enough to possibly cause death, wouldn't the government require a recall? Wouldn't the media jump on them like rabid wolves like they did Firestone? Wouldn't people avoid the things like they did Firestone?

Equality

[jaavaaguru]

So they think that just because they are Microsoft, they deserve to be treated differently? If they made crap software that is full of bugs, and it gets released to other companies who my possibly take advantage of those bugs, then it's their own fault. If a product is meant to be remotely secure, the software company should employ QA teams to *TRY* and break into it, at the VERY LEAST. Writing poor code is no excuse for avoiding your punishment, MS. Perhaps those using the buggy software should be informed of this, and given a grace period to switch to another system before MS is made to open their source.

This is big news...

[3Suns]

The DOJ was pressuring MS to release it's APIs etc., in the interest of fair trade. Now MS claims that doing that would put national security at risk.

What's the solution for the DOJ (who holds the reigns now)?? Simple: force MS to adopt open standards and open code modules in the future. Given that the MS business model is based on leveraging its "secret" elements, this could force them to abandon nearly all of their anticompetitive practices.

Playing both sides of the fence

[jackaroe]

"We'll security is our top priority (http://slashdot.org/article.pl?sid=02/01/17/02592 34&mode=thread&tid=109) but until it improves, our source is a threat to national security"

Fear the future...

[Dr. Bent]

Three things need to happen in order for people to start getting serious about software security and reliability:

1) A software system with 1 or more serious _known_ flaws must be used on a worldwide scale by a government agency or large company.

2) That software must then fail.

3) The failure must cause thousands of deaths or hundreds of billions of dollars in loss or damage.

The result will be like the 9/11 of software...when the world wakes up and realizes that we have become so dependent on software systems for our daily lives that we actually have to start caring whether or not they work correctly. We need to start taking an engineering approach to software and KNOW (not think) that it will operate as advertised.

I'm actually hoping that this will occur sooner than later. The later it happens, the more catastrophic the result will be and the less time we'll have to rectify the problem before it happens again.

Re:Now what are they trying to hide?

[edrugtrader]

so if afghanistan uses MS... wouldn't releasing the source code allow us to end afghan terrorism by crippling their computer systems?

An interesting point?

[binaryDigit]

Though I know the knee-jerk reaction is to scoff, M$'s statement does bring up an interesting issue. Given how porous M$ security is, just how much worse would/could it be if the source code were available? To be honest, and flame away if you must, I think that M$ does have an interesting practical point (not that I agree with how their applying it, but that doesn't make their point any less valid).

So the obvious question arises, is Linux/BSD (and any other software that has source available) more exposed to "serious" attacks. By "serious" I mean being launched by somebody who knew enough to be able to look at the source and find security flaws, vs a script kiddie who takes a virus toolkit and modifies the virus name and subject line. Theoretcially, it should be more vunerable than a picece of closed source software that was written with a similar level of "quality".

Again, I AM NOT DEFENDING OR SUPPORTING M$'S POSITION, only bringing up what I think is an interesting question.

They may argue themselves back to a breakup?

[ClarkEvans]

They may just confirm Judge Jackson's assertion that any sort of compromise short of a breakup will be insufficient. Here's hoping that Kollar-Kotelly's nose is as good as Jackson's.

Re:Of course our security lies in...

[Midnight Thunder]

Would I be allowed to share *my* copy of *my* love letter, or am I steeling from myself and endangering national security? Maybe the MPAA wants me sign up with them first?

Just imagine your only phone call from you jail cell: "Sorry, I tried writing a st-valentines letter to you, but the 400 year old poem that I included was considered copyright and my computer called the cops."

Re:They must be getting desperate...

[malakai]

I'm curious. As someone who's been programming against the win32 API for a long time now, what precisely in your opinion is not properly documented by any of the SDK's?

Granted I don't use all aspects of the API, so perhaps parts of it are poor, but the parts I use are highly documented, examples given, and all sorts of other goodies. This is what dragged me, and many hundreds of thousands of other developers into the MS world where we make a good living building solutions to business problems.

-me

Re:Hypocrits

[Asicath]

Say a car company was in the same position as microsoft: They are being sued for creating a monopoly on cup holders. Their cars come with cup holders installed and therefore 3rd party cupholder manufacturers are going out of buisness. Now the car company says they cant possibly remove the cupholders from the cars design because it they are essential for making the car run (a lie, but they've got enough money to back it up).

Now on this car there is a secret button that unlocks the cars doors and starts the engine. It can only be found by maticulously taking the car completly apart 200 times or by reading the blueprint.

If this car makes up 90% of all the cars owned in america, should they make this blueprint public over a small issue like a cupholder?

What about...

[coats]

Then why isn't Microsoft being charged with felony computer crime for the way all of its OS upgrades surreptitiously inistall Outlook preferences over the existing mail agent preferences, in ways that are very hard to undo.

In this pleading, Microsoft themselves admit that their stuff is widely installed on Federal Interest Computers.

Microsoft's use of so-called operating system patches to disable user mail applications and replace them with the Outlook mail server application is unauthorized hacking of Federal Interest Computers, a Federal felony under US Code Title 18 Section 1030 (the COMPUTER FRAUD AND ABUSE STATUTE: see http://www.cpsr.org/cpsr/privacy/crime/fraud.act.t xt [cpsr.org]).

Microsoft's pervasive practice of using their upgrade/patch excuse for hacking Federal computers and replacing relatively secure software like Eudora with nightmares like Outlook (which is itself responsible for something like 80% of the viruses and worms on the net!)is a violation by my reading of the Act (but IANAL). I think that Paragraph (b)(1)(B) ought to be applied!

Whose Your God Daddy?

[djmoore]

Microsoft is resorting to desperation tactics... they know they've lost.

Actually, this is entirely consistent with MS's strategy all along: it has been arguing that it and its products are so profoundly important to the American economy and security that any remedy which interferes with its ability to act as it pleases should be struck down by the court. Otherwise, everyone will suffer at least as much as MS will.

It's the exact equivalent of a mob boss saying that he shouldn't be imprisoned for running a protection racket, because then he wouldn't be able to protect his customers. Moreover, he wouldn't be able to provide for his innocent wife and children (even though it's been shown he abuses them as well).

Microsoft isn't at all desperate; they're just so arrogant, and so blind to basic security principles, that they don't really see a problem with what they're saying.

Staggering

[johnos]

Let me get this straight. The product that Microsoft's monopoly rests upon, the monopoly that they illegally maintained and expanded, is so flawed that it threatens US national security. Did someone from Microsoft REALLY say this? If so, it is clear they have gone mad in Redmond. What do they expect the millions of companies and government agencies to do? Wait until Longhorn, or whatever is ready? And hope all the holes are fixed by then?

"Uhh, sorry Mr. President, the NSA can no longer monitor international communications. Our systems are just too vunerable to hacking to be used. Jim Allchin assured us that a comprehensive fix would be available within 18 months."

"In other news, the US Navy has ordered all AGEIS cruisers into port indefinatley. The AGEIS computer systems were deemed too risky for combat use. The Pentagon would not comment on reports the entire US fleet would require software overhauls before any offensive combat operations could be contemplated."

"World stock markets are today in freefall as most major international corporations raced to secure information systems based on Microsoft's Windows operating system. Some experts estimate that the expense of fixing or replacing mission critical software to provide an adequate level of security would dampen the World economy for a decade."

This goes so far beyond a computer industry issue. Its a staggering admission of guilt. What CIO would be caught dead installing an MS system unless they have absolutly no alternative?

There is also the legal issue. If someone has sustained an economic loss due to "flawed code", that they are using because MS illegally supressed competitive alternatives, then they have a really good case for compensation. And the hardest part, proving that MS illegally manipulated the market, is already done. And they have some tens of billions just sitting around, waiting for the right lawyer to just take away.

Re:er,

[Anonymous Coward]

IBM did something similar with the input queue on OS/2. They had a design problem that was part of a bad design from the very start. Everyone knew it. Why wasn't it fixed? It was going to require user programs to be fixed as part of the fix. It was a critical architectural failure when they started OS/2 2.0 under duress, they had some hard and critical deadlines to meet and they botched that piece of the equation. What's the alternative? You require a huge number of apps to be, at the very least, recompiled? That's barely practical with something like Linux, have any idea it takes to get full distribution up an running on a different architecture? Long enough that the biggest Linux companies still only support a handful of what GNU/Linux runs on. IBM didn't fix it, in fact some very good software engineers resorted to doing some fairly cheap hacks to try and get around it. When you start putting bandaids on the core, things are getting bad and it's only a matter of time, you've started to calcify the product. It's a bitch, what else do you do?

How many of you kids remember a.out to elf? Or the switch from libc to glibc? Any of you try to upgrade through that yourself without reinstalling a new distribution? Think of both of those, multiply it by 10000 and throw a couple major security holes in that the entire world may not be privy to. Then you are starting to scratch the surface of how large this problem is. On top of that why not factor in some bullying from the MS sales force, how many larger MS customers have been bullied at one point or other? Probably enough that if they were told they have to replace everything some of them would get really pissed off and seriously think about shopping elsewhere.

MS fucked up and they fucked up bigtime. They need more time too, they've got .NET in the pipe and they're porting their apps to it but they will need to rebuild the platform. I think the NT platform is starting to get to a good time when it's fair to look at complete rewrite or some kind of major overhaul but they need to time it right so that linux doesn't hurt them too badly and they are also going to need a culture change, you have to build large systems with lot's of abstraction and heirarchy, they want to put too much into kernel land and it's only going to make security problems harder to solve down the road and open up more parts of the OS to different kinds of attacks. 10 to 1 the queue holes involve sending messages as if an aplication has passed a security boundary and that they allow you almost free reign, it's something that almost doesn't apply to other platforms.

Tools for Terrorism..

[mchummer]

A long time ago I had a sig line -
__________
Microsoft - The Number One Manufacturer of 'Tools for Terrorism (tm)'.
__________
This was inspired by the then almost weekly anouncements about security problems with the design of and use of Active-X, macro-viruses, IIS, etc.
Now their lawyers have concurred.
Guess I was right all along !

- Mchummer
__________
... I'll have grounds
More relative than this: the play's the thing
Wherein I'll catch the conscience of the king.
Hamlet. Act ii. Scene 2
__________

Re:Nice

[1010011010]

"Because of politics, some things are being forced on us that without political pressure we might not do, like Windows NT," Ron Redman, deputy technical director of the Fleet Introduction Division of the Aegis Program Executive Office is quoted as saying. "If it were up to me I probably would not have used Windows NT in this particular application. If we used Unix, we would have a system that has less of a tendency to go down."

Another person at the Naval Air Warfare Center, who also requests anonymity, says: "In my view, and this is only my opinion, the move [IT 21] is not only illegal, but wrong. Moving the Navy completely towards a proprietary computer (a memo quoted states only 'Intel' computers could be purchased) and a proprietary OS (Windows) is against Navy procurement standards requiring OPEN competition. If anything, the Navy should stress compatibility, and open standards. MS Windows is not an open standard.

David Kastrup of the Institut fur Neuroinformatik in Bochum, Germany observed last year that "The specifications call for use of Windows NT 5.0 [now Windows 2000] when available, without any prior tests for usability or whatever. This means that the military is signing a blank cheque of trust to Microsoft to deliver what their marketing hype promises.

Re:Nice

[bmajik]

I agree with you (code shouldn't kill people).

I don't see how thats microsofts problem. The government decided they wanted to use off the shelf computer equipment and software. They got sick of developing a computer system and maintaining it for 30 years. You realize that in the 80s there were software engineers that were maintaining code for submarines that had ferrous-core memory systems.

The navy wanted to get away from that.

So, its nice that you're mad about the navy's choice of computing infrastructure. The fact that it happened to fail has nothing whatsoever to do with microsoft, and you're being irrational about being upset with them over this.

Not that there aren't other things to be upset with them about :)

Re:Microsoft products = crap admitted in court

[UncleFluffy]

I don't know, but M$ has just admitted to selling the government millions of dollars worth of a product that they knew to be faulty at the time of shipping.

Ho hum, might just turn interesting...