Comment Re:Whats the use? (Score 2, Interesting) 468
It's actually worse than the above posted stated.
If Microsoft is cooperating with the NSA in the name of national security, it will be nearly impossible for the chinese to detect any cleverly planted backdoors, even with full access to source code. Why?
1. Who said the source code is functionally equivalent to the binary?
2. Even if it is, if the source will only compile with a Microsoft supplied compiler, who says the compiler hasn't been subverted to insert backdoors into the source code? Ken Thompson (used this attack to put backdoors into Unix)
3. Access to the compiler source code? But if it only compiles itself, the binary compiler can still subvert the newly compiled one. So how do you verify source code / binary equivalence?
4. Even if the chinese have some magic way to solve the preceding points, detecting deliberately obfuscated backdoors in the source code can be made VERY VERY difficult. Imagine a backdoor[s] deliberately distributed across millions of lines of code.
5. Do the chinese realize how secure a default installation of windows is? Not very. So now you have to audit a continuing stream of updates, for the same clever subversions described earlier.
6. Even without deliberately planted backdoors, Windows is littered with holes. The level of sophistication of those that have been discovered and published (without access to source code) have been very basic. This strongly implies poor programming rigor on Microsoft's part from a security standpoint. So there are probably thousands, if not tens of thousands of security holes in Windows.
Unix was developed in the early 70s, it's been opensource for a while, and a community process has gradually discovered increasingly sophisticated class of security vulnerability. Windows doesn't have that community process. It enjoys access to the techniques developed by the security community, but not their effort.
7. The complexity of Windows is mindboggling, and it's very poorly designed from a security standpoint. Everything is overly complex and bloated. Even the security APIs are overly complex and bloated. And that's supposed to be a feature! Unless the chinese have secretly been developing magic auditing technologies far beyond the state of the art the rest of the world has, they have NO WAY of subduing that complexity and producing a secure version of Windows to use.
8. Since Windows is simply poorly designed (security-wise), producing a secure version would require substantial high-level changes. Doing that while keeping backwards compatibility, ease-of-use, etc. would be very expensive, even for Microsoft which has 40 billion spare cash lying around. Ain't gonna happen.
Conclusion: The chinese aren't stupid, they realize all of the above. So the real reason they're auditing Windows is:
1. to find security holes for their own nefarious purposes, in the OS the world's only superpower (not to mention the rest of the world) is using in military, government and commercial networks. I highly doubt the Chinese will publish anything they find on the security mailing lists.
2. Chinese intelligence could easily have gotten access to Windows source code before (spys, hackers, leaked Microsoft shared source initiatives). They could compare that with the official version given to them by Microsoft, assuming Microsoft and the NSA were stupid enough about editing the source code to remove the obvious NSA backdoor.
Then again, perhaps everything is just as innocent as it seems. Microsoft isn't cooperating with the NSA. The Chinese really do want to use Windows, and will publish everything they find in a friendly manner to the rest of us.
Right.
