MS Cites National Security to Justify Closed Source 827
guacamolefoo writes: "It was recently reported in eWeek that "A senior Microsoft Corp. executive told a federal court last week that sharing information with competitors could damage national security and even threaten the U.S. war effort in Afghanistan. He later acknowledged that some Microsoft code was so flawed it could not be safely disclosed."
(Emphasis added.) The follow up from Microsoft is even better: As a result of the flaws, Microsoft has asked the court to allow a "national security" carve-out from the requirement that any code or API's be made public. Microsoft has therefore taken the position that their code is so bad that it must kept secret to keep people from being killed by it. Windows - the Pinto of the 21st century."
Fodder for ads (Score:5, Insightful)
Think about it from Microsoft's point of view... (Score:5, Insightful)
Of course our security lies in... (Score:4, Insightful)
Yes, those are the integral parts for security. Who cares about information being stolen. As long as no one can rip a copy of your cd, everything is kosher...
Everyone knows terrorists rely on warez!
er, (Score:5, Insightful)
> The protocol, which is part of Message Queuing,
> contains a coding mistake that would threaten the
> security of enterprise systems using it if it were
> disclosed, Allchin said.
Then with all the billions and billions of dollars M$ has hanging out in the bank, why not hire someone and FIX THE PROBLEM. What's the problem with doing the things that make sense?!
Single best thing M$ could do to improve their product security is to adopt the 'patch often' mindset. Fix something, release a patch, everyone goes home happy.
The bi-annual (exaggeration) security patches they currently do ain't gonna do it.
More Lawsuits Now? (Score:2, Insightful)
All we need is some documented evidence of a MS exploit resulting in injury or death.
not so evil? (Score:-1, Insightful)
But then I reconsidered. WAIT: before you mod me down, please consider my opinion objectively.
I know I'm risking some karma here, but I think this is an issue that strikes right to the heart of all that we hold dear.
Now, like it or don't, the fact is that security through obscurity has been with us since the origins of Unix. IIRC, the original "shell" commands, such as rm and chmod were designed to be difficult to remember, for the very reason that untrained n00bs could quickly bring a system to its knees by misusing them. This explains why innocuous commands (like touch and finger) have easy-to-remember and provocative names, while the more dangerous ones (like ld and vi) are "secure" through their "obscure" names.
Microsoft copied from the best when it put these kinds of features into their flagship OS, "Windows". They went a step further, and did the same for API's and protocols. They also left in a few memory leaks to easily monitor potential hackers. Linux has done similar things, even going so far as using the original Unix commands (yes, even vi!).
To open up the source to Windows at this point would open a literal can of proverbial worms. And you can't put this insecure genie back into the bottle of obscurity once he has been oncorked.
It's my opinion that MS should be given 4 or 5 years in which to "lock down" their OS before exposing it to every "dark hatted" haxer on the Internet.
I hope you see where I'm coming from.
*Yawn* I think someone from Peru said it best ... (Score:5, Insightful)
Peruvian Congressman David Villanueva Nuñez made exactly this argument:
To guarantee national security or the security of the State, it is indispensable to be able to rely on systems without elements which allow control from a distance or the undesired transmission of information to third parties. Systems with source code freely accessible to the public are required to allow their inspection by the State itself, by the citizens, and by a large number of independent experts throughout the world. Our proposal brings further security, since the knowledge of the source code will eliminate the growing number of programs with *spy code*.
In the same way, our proposal strengthens the security of the citizens, both in their role as legitimate owners of information managed by the state, and in their role as consumers. In this second case, by allowing the growth of a widespread availability of free software not containing *spy code* able to put at risk privacy and individual freedoms.
The flaw here is that for windows code to posess the powers they imply, it would need to be a state secret. Perhaps it should be illegal to distribute mission critical osc across us boundaries? Windows code a state secret? I think not, anyone can reverse compile machine code.
Micro$oft should realize that governments do not like security threats they are not able to evaluate themselves. The NSA, for example, cannot sit and tinker with windoze's security holes the way they can with OSC (open source code)...
-Sean
National Security means... (Score:5, Insightful)
Remember: Cryptanalysis has, and will, always come in fourth place after burglary, blackmail, and bribery.
DRM and national security (Score:2, Insightful)
Terrorism = File Sharing
someonce call the RIAA and tell them the great news!
Wow that's bold (Score:3, Insightful)
If it happened in any other industry (auto, aviation, train, commerce, weaponry, etc) the Government would drop their product like a dead rat (and more probably force the manufacturer into a recall). Yet Microsoft is willing to use it as a defense?
Re:Ridiculous argument! (Score:2, Insightful)
I think the judge will see through this ploy.
They must be getting desperate... (Score:5, Insightful)
My point is that they did not say anything new by admitting the problem. However by admiting it they also admit that they don't really care about security, as they certainly could have done significantly better! This casts a very bad light on other ventures like
So why are they admitting it anyway? In my opinion MS is scared to death that open APIs would also mean stable APIs (i.e. APIs that don't change all the time) and would enable others to make Windows compatible execution environments with relative ease. The sources are also important, because the API documentation MS would give (could?) away is not complete and correct enough. So while it takes a huge effort, competitiors would be able to really find out the complete API functionality and implement it in a way so that things that run on Windows would usually run on competing products without retesting or modifications.
As MS is not really having a good product, just an effective monopoly (by making cloning their API difficult), reasonable documentation of their APIs could kill them. At least that is what I think they believe.
Re:er, (Score:4, Insightful)
That's great in theory, but the real world doesn't work like that. In the real world, it is very hard to get everyone to apply patches, and the software vendor gets blamed even when they've made the patches available months earlier; Code Red is a perfect example of this.
In the context of system administrators who forget to patch their boxes, you actually end up with better security if you release a large patch every month than if you release small patches every few days.
Re:er, (Score:5, Insightful)
Microsoft is all about perception. They learned long ago that they can release pure shite as long as the general public perceives it as good. And that can be accomplished through Marketing, which is much easier to craft and control than Coding....
Re:Hypocrits (Score:3, Insightful)
I'm a recall coordinator. My job is to apply the formula....
Take the number of vehicles in the field, (A), and multiply it by the probable rate of failure, (B), then multiply the result by the average out-of-court settlement, (C). A times B times C equals X...
If X is less than the cost of a recall, we don't do one.
In other words, if it is cheaper to pay off everyone neccessary to prevent a recall than to actually do one, they don't do one.
Best Quote from Story (Score:5, Insightful)
'When pressed for further details, Allchin said he did not want to offer specifics because Microsoft is trying to work on its reputation regarding security. "The fact that I even mentioned the Message Queuing thing bothers me," he said.'
I love that! 'It pains me to admit that our software is dangerously broken, because we're trying really, really hard to convince people that the reputation we have for foisting dangerously broken software on them is totally unfounded.'
I guess if there were trying to work on their actual security, rather than just the reputation, they might act a bit differently (like, by publishing their API's and then working with the security community to get them safe).
-Dan
Re:MS sweating... (Score:2, Insightful)
Basically, who seems to be winning over the judge so far? I realize the judge is going to avoid showing any emotion at all, since if the judge indicates that she has any opinon at all on the case this displays "bias" or something, but how is she acting within the case? Is she reprimanding MS when they do fucked up shit?
Class Action ? (Score:2, Insightful)
Re:Now what are they trying to hide? (Score:2, Insightful)
Disgusting.
Re:er, (Score:2, Insightful)
But Sun isn't peddling their software to Joe Blogg's grandmother either.
Perception is important in marketing; in fact, it's about the only thing that really is important when you get right to the basics. And MS wants to avoid fostering the perception that their software is "not right" in the minds of the average man-on-the-street. Frequent patches would undermine this effort.
"It made a difference for that one starfish." (Score:3, Insightful)
Given that MS is admitting in court that they are selling defective products, demand that your local government sue MS for fraud. Politicians don't keep up to date on every legal battle going on everywhere, but if you send them the relevant portions they at least can't claim they didn't know.
While you're at it, forward this onto the local newspaper and tv stations. "poor security" is a big boogyman these days.
Another thing; Send this onto the people at your company who make buying decisions, if MS is going to admit their products have the security of swiss cheese, does your company really want to expose itself to that kind of danger?
Proof that Microsoft needs to go... (Score:3, Insightful)
Let's say that this message queueing vulnerability that was spoken of in the article is a pretty substantial hole that could be a true threat to national security. What makes anybody think that because Microsoft refuses to talk about it hasn't already slipped out to all the wrong people. If some high level executive at Microsoft knows about it, you can guarantee that probably hundreds if not thousands of people within the orgnization know about the problem already. The more people that know about it, the better the odds that somebody nefarious will get a hold of that information.
If I were the intelligence service of some devious foreign power you can bet I'd have a few operatives working in Microsoft. I mean if you want to fight a war with the US, what would be better than an opening shot that can harm >90% of the computers in the country. So you have a few operatives finding what holes they can and slowly relay them back. Then you just sit and wait for the day when you need a real threat in your arsenal.
Imagine how nice it would be if you are some nefarious foreign power in tense negotiations with the US and you can walk in, and them a floppy disk and tell them to give in or else. I mean even if they find out what the vulnerability is, can they deploy a response to it fast enough that it matters? Nothing like the threat of having the electronic economy slagged to make you amicable to a bad deal.
I think that if Microsoft's the threat they seem to imply, the judge should order them to turn over the source code to the FBI to begin dissecting these problems. Do we really want to trust a private corporation with our national security? I don't think so...
Seems to me (Score:4, Insightful)
You just don't get to Allchin's level and "accidentally" let slip something like a fundamental vulnerability in a protocol. M$ officials may make mistakes, but not like this. Not in a public forum. Not in front of a judge. Not where every news medium in the world will be covering the story.
My feeling is that this is all a distraction from something else. Every black hat on the planet is now probably checking out the Messaging protocol. My guess is that there's no smoking gun there. But maybe another protocol has problems.
Furthermore, it just doesn't make sense. An API exposes only what you want it to. It doesn't show you the vulnerabilities that exist "under the covers" unless they're titanically, apocalyptically stupid.
I'd like to know what it was that he's distracting us from
Re:Hypocrits (Score:2, Insightful)
Going back to your first statement:
Add the words "when used improperly", and your argument falls apart. All software can be dangerous (erase hard drives, destroy financial records, DoS some ISP) when used improperly. And yes, I mean all software. I have yet to see a program that does anything non-trivial that is completely secure. So no, the government shouldn't request a recall.However, there are regulations about manufacture of automobiles which help to prevent them from doing damage when used improperly, such as seatbelts and crash resistance regs, and so on. I see no reason similar regs shouldn't be enforceable, i.e. give teeth to warranties of merchantability for software. If Microsoft could get sued because their software caused unreasonable downtime (because of the warranty), you'd see security improve. And yes, getting cracked qualifies as unreasonable under the contract between you and Microsoft. If you don't like it, buy something else.
Re:They must be getting desperate... (Score:3, Insightful)
Perhaps the best basis for my concerns is the plans of MS to withold interfaces. In the past they have given these interfaces to selected people and not to others, so they where being used by some software. For an application developer that is not a problem unless he needs the specific API. For someone wanting to make a clone of Windows that is a killer.
The part about the sources being needed is my own dark suspicion. But I again, I did think of somebody else tryong to offer a compatible API, not somebody just using what the documentation he has says is there.
As an example think of MS-Office using additional API functionality that is not documented in the public documentation. While that does not bother somebody like you, this is catastrophic for somebody creating a MS compatible execution environment.
Re:Hypocrits (Score:2, Insightful)
Closed source wastes money and people on marketing and advertising and all that bullshit, but creates a profit in the end, from selling the software.
Open source keeps things clean by only requiring developers/artists/a manager. No marketing, little waste. But you don't make any profit other than the use of your own software.
Either way, programmers are being paid. The difference is that for closed source you have one ugly prick sitting on top of the company getting rich from doing absolutely nothing.
Indeed, open source looks alot like communism from the dollar bill's point of view, whereas closed source is rooted deeply in capitalism, i.e. the rich getting richer at the expense of the poor.
The solution to this dilemma obviously depends on which end of the social hierarchy you're closest to.
Re:Hypocrits (Score:4, Insightful)
Microsoft _can't_ fix it? (Score:5, Insightful)
Somehow, I think that if the US government forbade the use of any Microsoft applications within federal facilities, pending a code review by a neutral 3rd party to identify and fix potential security holes, you'd see Microsoft scramble to get their shyte in gear pretty damn quickly.
As somebody already stated in this thread, Peru has the right idea: open source allows people to public review code for potential security flaws, which is how most bugs are caught anyway -- a fresh pair of eyes takes a peek. Ultimately, there's no way that Microsoft can compete with this code development paradigm -- since there's so much Open Source code "out there", it might spread people's attention out a bit too thinly in places, but over time one would hope that Linux apps will only more secure / stable.
They don't know what they're getting into here (Score:5, Insightful)
I work for a defense contractor and have had to put up with this for years. I suppose MS can go this route if they really want to. They're already bloated enough; add government security procedures to the mix and they'll become every bit as agile and responsive as any other constituent of the Military-Industrial Complex.
Boy, that'd be a hoot.
Re:The point of java (Score:4, Insightful)
The point was portability, not interoperability.
So Sun claims: "you can run your code anywhere", implying "as long as it is Java-code". Microsoft claims: "your code can talk to anyone", implying that your code runs on Windows.
You can choose what you like/don't like more.
Re:True, and... (Score:3, Insightful)
For example, if any inconvenient fact looks like it might support Creationism, there are those who immediately impugn it as being `War on Science'. (-:
Of course the other side uses the same tactic as well. It's opportunism at its best. It takes a lot of integrity to resist using such tactics, especially when your opposition isn't reluctant to use them. I wish we could see more integrity in the world.
Missing the point (Score:2, Insightful)
Desperate Defense! (Score:2, Insightful)
Since they won't elaborate on any of the possible bugs [which by their statments might lead to Armageddon], it seems everyone must simply comply and exempt such APIs as M$ deems fit.
I find it incredible that national security stems into Digital Rights Management (DRM). Can someone elaborate on how the two are even remotely connected? Also, are there any /. people using Message Queuing which might have some feedback on what this will do to their current plans?
Re:Nice (Score:5, Insightful)
Dick Cheney said sunday something to the effect "there is a certainty they will attack us" and then said it could be any time maybe even a year from now. How brilliant is that? An infinite war. Of course he went on to say that the administration should never be investigatged or critized while we are fighting this war. Fucking brilliant. This administration has done a masterful job of shutting down dissent, much better then any two bit dictator or strongman.
Re:Nice (Score:3, Insightful)
I don't care whose code broke...the fact that a software problem could cripple a ship is unconscionable.
Re:Seems to me (Score:3, Insightful)
Maybe he made this statement knowing every black hat is going to check the Messaging protocol.
Two days later, a major exploit is released, and Allchin says to the judge "see what I mean, THIS is exactly why we must keep it all closed"
It could be a bullshit ploy.
Comment removed (Score:3, Insightful)
Re:ahah (Score:3, Insightful)
Unfortunately for Microsoft, the emphasis is on getting to market first (when you can't crush them otherwise with FUD or other methods). This accellerates the coding process and puts demands on quality, leading to shortcuts and an emphasis on new features over bug fixes.
It's all finally coming to roost at Microsoft. You can't put out crap all the time. More and more people I talk to are getting frustrated. Ask anyone who understands the software environment , the only reason anyone uses Microsoft is because of the availability of apps, not because it's stable or of high quality.
This is what's letting Linux and OSX in the door.
Re:Whose Your God Daddy? (Score:1, Insightful)
You are exactly right. This was the premise that Microsoft originally said you couldn't sue them as a monopoly because the economic impact would ruin WallStreet.
Well I think that if anyone is so powerful that they can dictate the movements of the free market world so absolutely then it is more important to remove them and risk the repercussions than to continue to scrap around under their shadow.
Isn't that was the basis of freedom is all about? The ability to choose our own happiness, miser, destination. Self-determination!!
Re:Microsoft source code is already available... (Score:1, Insightful)
"Microsoft's Shared Source Initiative represents one further step towards enhancing the transparency of the Windows source code and also serves to boost the user's confidence with respect to software security."
They can't have it both ways can they?
People don't think that about games, video drivers (Score:3, Insightful)
Welcome back to reality. (Score:3, Insightful)
First off, "retaliate against Afghanistan" is funny wording. 1) The Taliban was recognised in few places as the official government of Afghanistan. They were foreign invaders who conquered Afghanistan and have had virtual control of it for several years. Seems kind of funny that Afghanistan soldiers did most of the attacking against "Afghanistan" 2) Retaliation? The Taliban had harbored Bin Laden while he orchestrated multiple terrorist attacks in the past, including a previous attempt to destroy the world trade center. These latest murders was the last 3,000 straws, so to speak. The U.S. gave them a choice, and the Taliban chose not to hand him over.
It's sad if oil really was involved, but even if it was, the U.S. did the Afghans a big favor by kicking out the invading Taliban. And it was definitely in the interest of the U.S. after so many attacks on American lives.
Re:Nice (Score:3, Insightful)
Thank you in advance.
Re:Wrong! Power is in words, not wars! (Score:3, Insightful)
This is just one example.