MS Cites National Security to Justify Closed Source

timothy posted more than 12 years ago | from the so-bad-we-can't-display-it dept.

Microsoft 827

guacamolefoo writes: "It was recently reported in eWeek that "A senior Microsoft Corp. executive told a federal court last week that sharing information with competitors could damage national security and even threaten the U.S. war effort in Afghanistan. He later acknowledged that some Microsoft code was so flawed it could not be safely disclosed." (Emphasis added.) The follow up from Microsoft is even better: As a result of the flaws, Microsoft has asked the court to allow a "national security" carve-out from the requirement that any code or APIs be made public. Microsoft has therefore taken the position that their code is so bad that it must be kept secret to keep people from being killed by it. Windows - the Pinto of the 21st century."

827 comments

Johnny (-1)

The Lyrics Guy (539223) | more than 12 years ago | (#3553877)

Squiggy - Johnny

This man isn't what he wanted
This man isn't what he thought of
This man isn't what he hoped to be
Get on with your life is what I told him
Your life could be so different
I wish there was some way to make him see
30 years old, he's unemployed
Thinks his life has been destroyed
Johnny, why can't you break free?

Johnny. I know you can make another day.

Jenny died and left him alone
Thinks his fate is carved in stone
Johnny I swear you'll have your day
I understand you've been abused
You think that you were born to lose
Johnny, I know it'll be OK
Don't you remember what they told you
No one can ever hold you
Johnny, it's time to be on your way

Johnny. I know you can make another day.

Not frost piss? (-1, Offtopic)

Big_Ass_Spork (446856) | more than 12 years ago | (#3553878)

Nope.

i am so smart (-1)

CmdrTaco (troll) (578383) | more than 12 years ago | (#3553883)

s m r t

War (5, Funny)

qslack (239825) | more than 12 years ago | (#3553886)

War is always the best excuse. One of my favorite cartoons on this is Mark Fiore's, at http://markfiore.com/animation/excuse.html [markfiore.com] . :)

Re:War (0)

Anonymous Coward | more than 12 years ago | (#3553939)

#34: War is good for business.

Re:War (0)

Anonymous Coward | more than 12 years ago | (#3553965)

#35: Peace is good for business.

420 Lewis!! #@ +1 ; Insightful @# (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3554039)

I am sitting here in my bunker and enjoying some
U.S. grown marijuana. Pax !

Courtesy of About 420 [phish.net]

Connotative Use/Meaning

420 is a phreak's (and not just a hippie's) favorite number for a
variety of reasons, or maybe for no reason at all, but colloquially
the number says pot -- let's smoke pot, or someone's smoking
pot, or gee, i really like pot, or time to smoke pot, either by
time (4:20 a.m. or p.m.), date (April 20th), or otherwise (e.g. State
Route 420). April 20th at 4:20 is marked by annual events in
Mount Tamalpais, CA (an informal gathering); Marin County, CA
(the 420 Hemp Fest); Ann Arbor, MI (the Hash Bash); and
Washington, D.C. (buildup towards the July 4th Smoke-In).

Original Source(s)

Conventional wisdom: The most common tale is that 420 is the
police radio code or criminal code (and therefore the police call)
in certain part(s) of California (e.g. in Los Angeles or San
Francisco) for having spotted someone consuming cannabis
publicly, i.e. pot smoking in progress; that local cannabis users
picked up on the code and began celebrating the number temporally
(esp. 4:20 a.m., 4:20 p.m., and April 20); that the number became
nationally popularized in the late 1980s and, more fervently, in
the early- to mid-1990s; and is colloquially applied to a variety of
relaxed and/or inspired contexts, including not only pot
consumption but also a good time more generally (in contrast to
the drug war surrounding).

Conventions are legends: 420 is not police radio code for
anything, anywhere. Checks of criminal codes (including those of
the City of San Francisco, the City of Los Angeles, Los Angeles
County, the State of California, and the federal penal code) suggest
that the origin is neither Californian nor federal (the two best
guesses). For instance, California Penal Code 420 defines as a
misdemeanor the hindrance of use (obstructing entry) of public
lands, and California Family Code 420 defines what constitutes a
wedding ceremony (Marco). One state does come close: The
Illinois Department of Revenue classifies the Alcoholic Liquor Act
under Part 420, and the Cannabis and Controlled Substances Tax
Act are next, under Part 428. (RB 5/19/99)

True story?: According to Steven Hager, editor of High Times,
the term 420 originated at San Rafael High School, in 1971,
among a group of about a dozen pot-smoking wiseacres who
called themselves the Waldos. The term 420 was shorthand for the
time of day the group would meet, at the campus statue of Louis
Pasteur, to smoke pot. ``Waldo Steve,'' a member of the group who
now owns a business in San Francisco, says the Waldos would
salute each other in the school hallway and say ``420 Louis!'' The
term was one of many invented by the group, but it was the one
that caught on. ``It was just a joke, but it came to mean all kinds of
things, like `Do you have any?' or `Do I look stoned?' '' he said.
``Parents and teachers wouldn't know what we were talking about.''
The term took root, and flourished, and spread beyond San Rafael
with the assistance of the Grateful Dead and their dedicated cohort
of pot-smoking fans. The Waldos decided to assert their claim to
the history of the term after decades of watching it spread, mutate
and be appropriated by commercial interests. The Waldos contacted
Hager, and presented him with evidence of 420's history, primarily
a collection of postmarked letters from the early '70s with lots of
mention of 420. They also started a Web site, waldo420.com. ``We
have proof, we were the first,'' Waldo Steve said. ``I mean, it's not
like we wrote a book or invented anything. We just came up with a
phrase. But it's kind of an honor that this emanated from San
Rafael.'' Maria Alicia Gaura for the San Francisco Chronicle,
4/20/00 p. A19; and thanks to Noah Cole for the submission

Alternate explanations

There are a variety of other explanations, all much more interesting
than police code, and many plausible. Some are more likely uses
of the 420/hemp connection rather than sources of it, such as the
score for the football game in Fast Times at Ridgemont High,
42-0.

Known Myths: It isn't police code (see above). There are 315
chemicals in marijuana, not 420. And although tea time in
Amsterdam is rumored to be 4:20, it is actually 5:30 (Gerhard
den Hollander).
Sixties Songs: For instance, Bob Dylan's famous Rainy Day
Women #12 and 35 is a possible reference, or source --
12x35=420. And Stephen Stills wrote (and Crosby Stills Nash
although it is possible to hypothesize that these
deaths, too, had their purpose, since 420 has been, since time
immemorial, the number associated with fraud, deception and
trickery. (Comet 2/14/98) Comet's best guess is that this
refers to something in Indian mythology or numerology, since
the book is set in India and frequently involves Indian history,
culture, and religion. Given the high interest in Eastern
religion among the phish/dead community, this seems a likely
origin of 420's current significance.
Temporal Significance: Hands on analog clock at 4:20 look
like position of doobie dangling from mouth Larry in
Tuscan and Alex Mack 5/19/99). Disruptive students are out
of detention and safely away from school by 4:20, also
rumored to be the time that you should dose to be peaking
when the Dead went on stage Hart. The Waldos were a
group of teens back in the 70's that lived in San Rafael, CA.
420 was the way they talked about pot in front of teachers,
non-smoking family members etc. Also it was the time of day
they could just go relax, and get baked. (PhunkCellar)
Jamaicans purportedly worked till 4 then walked home then
lit up. They would talk 420 like our parents talked about after
5. That's when partying began Larry in Tuscan). Albert (not
Abbie) Hofmann supposedly first encountered LSD at 4:20
p.m. on 4/19/1943 (Bart Coleman citing Storming Heaven by
Jay Stevens, recommended by Mickey Hart in Planet Drum).
Surrealist painter Miro was born April 20, 1893. And
www.filmspeed.com says the propaganda film Reefer
Madness has a copyright date of April 20, 1936 (i.e. 4/20).
(Patrick Woolford)
Misc: Could be that it comes from hydroponics, the practice
of cultivating plants in water often used by indoor marijuana
cultivators, since 4 is used for H on a calculator (420/H20).
(Nick Lowe 3/30/00) The number 80 (eight) is quatre vingt
(pronounced cah-truh vahn), meaning four (times) twenty.
Dan Nijjar 1/27/00 (No connection yet between the number
80 and pot. A quarter pound is roughly 120 grams, rounding
quarter-ounces to 7.5.) The Titanic was supposed to arrive
4/20/1912. (Thanks to RB.) Perhaps the heavy use of vt420
terminals in the Berkeley area is to blame? (BTW, 420 in
binary code is 110100100.)

Ubiquitous?

Now there's a 420 Pale Ale. One of the late-97/early-98 Got
Milk ads featured a character eating cookies without milk and
then passing a sign that reads Next Rest Area 420 miles (as Ross
Bruning). Reportedly, all of the clocks in the movie Pulp Fiction
are stuck on 4:20. Shirts with the number 420 on the red-and-blue
interstate highway shield (Interstate 420?) have shown up on the
sitcom Will and Grace (Paul Risenhoover 5/14/99) and in several
videos. UPS' labelling software has a 420 postal code legend for
next-day/2-day deliveries (which is how Phish tickets are sent).
(Jack Lebowitz 10/3/98) MTV's 1997 Viewer's Choice Award (for
the MTV Video Awards) was decided by calls to
1-800-420-4MTV. And by May of 1998, the number was
appearing in so many ads (eg Copenhagen 5/14/98 Rolling Stone
p54, Corvette p55 5/98 Car -), Homer mentions to
Flanders that Barney's birthday is April 20th. Also, the jackpot sign
in one part of the casino says $420,000. There are a couple less
concrete ones, but these two have to be legit, especially since they
decided to air THAT particular episode on 4/20/99. (Submitted by
Matt Meehan 4/21/99) And (as of Fall '99) the 60 free minutes that
Working Assets Long Distance offers, at the 7 cents per minute
rate, is $4.20 free. There's even a band named 420, and another
names . In the first fifteen pages of Karel Capek's novel War with
the Newts, a man diving under wonder stayed down for four
minutes and twenty seconds. Grant Garstka 1/6/00 At the
suggested retail price ($3.96) and Michigan (6%) sales tax, a deck
of Uno cards costs $4.20. Nic Boris 4:20 marks the first downbeat
of the drums in Led Zeppelin's epic Stairway to Heaven. (Dan
Harris) The bill authorizing force after the World Trade Center
attacks of 9/11/01 passed 420 to 1, and news reports in following
months noted many times that there are (or were then, anyway) 420
airports in the U.S. Allan Morris And don't forget that Adolf Hitler
was born on April 20, macabrely celebrated (or at least
referenced) via the Columbine High School shootings.

Phish-related Occurrences

Whatever the origin, the number appears frequently... For the
summer 1997 tour, TicketMaster service charges were $4.20. In
the Fall 1997 Doniac Schvice Dry Goods section, a limited edition
Pollack poster printed on 100% hemp is order number 420P. The
Great Went was 420 miles from Boston (former home of Phish).
The official logo includes 4 gills and 20 bubbles (Gringo
11/12/98). As of 6/15/97, including covers and originals, Phish
had performed a total of 420 songs (though it's 486 by 4/24/98).
(David Steinberg). Lawnboy is 420megs of memory. Patrick
Walker Phish's The Vibration of Life underlies a whirling loop
with Seven Beats per second (which makes 420 beats per minute.)
Trey has used the altered line woke up at 4:20 in Makisupa
Policeman, which also often indirectly celebrates 420ing, e.g. by
mention of goo balls. One of the funniest shirts around takes light
jabs at both the 4:20 phenomenon and the rumored evolution
(collapse?) of the Phish.Net (especially rec.music.phish) from
being Gamehendge to Flamehendge, and beyond. The first day of
the Great Went started at 4:20 (with Makisupa Policeman. (The
second day started late, at 4:37.) Noah Cole The first single from
Slip Stitch and Pass was played on WBCN 10/14/97 at 4:20 pm.
An uproar at 12/31/96 can be heard on tape during the 2001, in
response to an enormous digital clock (which was counting down
to midnight) reaching 11:55:40 and reading -4:20. (Yoda)
During the 9-12-00 2001, Trey hits the first riff right at 4:20 into
the intro jam. (Cal 2/25/01) Some mail order tickets for the 1997
New Year's run were in section 420. The first Mass Pike toll
leaving Oswego was $4.20. (Camille Heath ) And the standard
shipping for The Phish Companion through Amazon was
originally $4.20.

420 Shows: Phish performed on April 20 in 1989, 1990, 1991,
1993, and 1994. The first day of the Great Went started at 4:20,
although that was called a soundcheck by Trey after three songs.
The Jazzfest Harry Hood 4-26-96 started at about 4:20 reported by
Trevor. At Big Cypress, David Bowie was playing at 4:20 a.m.
And the one event during the hiatus (10/8/00 - ?) featuring all
four members - for Jason Colton's wedding - was 12/1/01, 420
from: http://www.phish.net/faq/n420.html:

Nice (5, Interesting)

jayhawk88 (160512) | more than 12 years ago | (#3553887)

When in doubt, raise concerns about terrorism, or inappropriately use 9/11 as a crutch. The new coin of Washington (both east and west it seems).

Nothing will ever be the same again indeed.

Re:Nice (0)

Anonymous Coward | more than 12 years ago | (#3554037)

It is more likely that Gates is afraid that the world will discover the stolen GPL code in Windows.

That's brilliant (4, Funny)

sllort (442574) | more than 12 years ago | (#3553895)

By closing the source we can prevent Open Source Communism.

More proof that Bill Gates is just a more successful troll than me.

Re:OsamaAPI YourBoxenBelongsToAllah BGATES$$$ (0)

Anonymous Coward | more than 12 years ago | (#3553980)

Just got to wonder what other hidden APIs and Functions are in the source code yeah Billy Gates you're like a cheap whore that sells themself and their wares to the highest bidder.

FIRST POST, ASSHOLES! (-1, Offtopic)

Chronic Bluntt (579863) | more than 12 years ago | (#3553897)

You tried to stop me with your stupid registration process, but you FAILED!!!!!

The point of java (2, Troll)

CmdrTaco (editor) (564483) | more than 12 years ago | (#3553899)

"Microsoft has invested substantial time and resources in providing great interoperability between .Net and older technologies," Allchin said. "Sun's strategy of promoting '100 percent pure' Java applications discourages interoperability."

Color me crazy, but wasn't one of the most appealing points of java in fact its interoperability?

Re:The point of java (2, Funny)

RagManX (258563) | more than 12 years ago | (#3553927)

"Microsoft has invested substantial time and resources in providing great interoperability between .Net and older technologies," Allchin said.

You forgot to translate this:
We made sure .NET will crash as frequently as older Windows technologies, and contain a similar number of bugs per 1000 lines of code (allowing for a small deviation between blocks of code)


RagManX

Re:The point of java (0)

Anonymous Coward | more than 12 years ago | (#3553947)

yeah, java write once deploy and crash everywhere. Oh wait, that might need a different JVM! Thought only windoze had that problem.

Re:The point of java (0)

Anonymous Coward | more than 12 years ago | (#3554016)

> "Microsoft has invested substantial time and resources in providing great interoperability between .Net and older technologies," Allchin said. ...

Consider the source.

MS sweating... (4, Funny)

wowbagger (69688) | more than 12 years ago | (#3553902)

"Uhh, the judge is acting pissed. Did you see the way she looked at us when she said 'Obey the court'?"

"Yeah, how can we BS her on this?"

"Uhh, maybe we can find a link to terrorism?"

"YEA! That's it! We can't comply, because of National Security"

Harmph....

brilliant security strategy! (1)

neitzert (184856) | more than 12 years ago | (#3553903)

I guess that M$ will just prosecute anyone caught reverse engineering their binaries under the DMCA.

Code by Microsoft (0, Troll)

Haiku 4 U (580059) | more than 12 years ago | (#3553905)

can kill you, your family,
and maybe your dog.

Our Security (1)

Haiku 4 U (580059) | more than 12 years ago | (#3554012)

inversely proportional
Our Stupidity

He's Got the Whole World (0, Offtopic)

Haiku 4 U (580059) | more than 12 years ago | (#3554056)

in his hands a federal court
in his back pocket.

Information like this... (0)

Anonymous Coward | more than 12 years ago | (#3553908)

Makes one happy that there are open alternatives out there.

Even people who don't really follow computer software probably wouldn't have a hard time grasping this idea.

Don't pick on me! My software sucks! (1)

hellfire (86129) | more than 12 years ago | (#3553909)

Let's think...

Microsoft is resorting to desperation tactics... they know they've lost.

ABC/CNN needs to blast this on all their stations so that people get an eyeful and understand what they are running. It would go a long way to defeating this monopoly.

Re:Don't pick on me! My software sucks! (4, Funny)

CoolVibe (11466) | more than 12 years ago | (#3553948)

Just count your lucky stars that Microsoft software isn't guiding ICBMs to their target...

Well, at least I hope it doesn't. A comment like this from a Microsoft bigwig doesn't sound encouraging... Mid-air GPF anyone? *ouch*

Re:Don't pick on me! My software sucks! (0)

Anonymous Coward | more than 12 years ago | (#3554011)

Fortunately, most missiles don't have Internet Explorer installed.

You have the emphasis wrong. (2, Troll)

NoMoreNicksLeft (516230) | more than 12 years ago | (#3553912)

He later acknowledged that some Microsoft code was so flawed it could not be safely disclosed.

Any fool knows that it is flawed to that magnitude. Only the fact that it was publicly admitted by a M$ official is newsworthy.

Sarcastic physician, heal thyself (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3553913)

Damn you, cruel irony, for giving a /. 404 on a MS taunting post.

Oh Ziggy, will you ever win?

Now what are they trying to hide? (4, Interesting)

CoolVibe (11466) | more than 12 years ago | (#3553917)

Microsoft code and national security? Hmm... Interesting :) Also another good question is: whose national security, as lots of foreign governments use Microsoft software.

Worrying isn't it?

Re:Now what are they trying to hide? (2, Interesting)

edrugtrader (442064) | more than 12 years ago | (#3554033)

so if afghanistan uses MS... wouldn't releasing the source code allow us to end afghan terrorism by crippling their computer systems?

Hypocrits (5, Interesting)

Telastyn (206146) | more than 12 years ago | (#3553918)

If the code is so bad as to be dangerous, shouldn't the government make them recall the code and return a properly functioning version?

If a car was dangerous enough to possibly cause death, wouldn't the government require a recall? Wouldn't the media jump on them like rabid wolves like they did Firestone? Wouldn't people avoid the things like they did Firestone?

Re:Hypocrits (0)

Anonymous Coward | more than 12 years ago | (#3553941)

function government() {
var operatingSystem = call microsoft();
}

function microsoft() {
var newWindows = getOS();
newWindows.versionNumber++;
return newWindows;
}

someone mod this up (1)

Unknown Poltroon (31628) | more than 12 years ago | (#3553950)

I wish I hadn't used up all my mod points.

Modesty (0)

Anonymous Coward | more than 12 years ago | (#3553972)

"... all my mod points."

How are the ankles.

Re:Hypocrits (1)

Triskaidekaphobia (580254) | more than 12 years ago | (#3553988)

And if the government hasn't got the guts to do a recall, while MS have the morals to send everyone, free of charge, a CD containing a copy of the fixed code (if they fix it).

windowsupdate is all very well (actually, it isn't) but having something physical arrive in the mail might make more people install the fixes.

Re:Hypocrits (3, Funny)

pjt48108 (321212) | more than 12 years ago | (#3554005)

The problem here is that M$ is proprietary, and won't release their code. Therefore, government agencies cannot verify such claims of bad code. Also, one must agree not to disclose bugs in M$ software or face prosecution. In the end, the government should do what the gov't of Chile has done, and require the use of free (...of proprietary code, etc.) software in all gov't operations.

But, I agree... I'd love to see the gov't return MS stuff and REQUIRE working code. Watch M$ reply with a RedHat CD.

Re:Hypocrits (0)

Anonymous Coward | more than 12 years ago | (#3554078)

But if they had to go back and fix bugs, how could they innovate ;)

Pintos should be offended... (5, Funny)

cansas (530086) | more than 12 years ago | (#3553919)

The Pinto was never as dangerous as M$ products.

Re:Pintos should be offended... (1)

CoolVibe (11466) | more than 12 years ago | (#3553975)

Just wait until you crash in a Pinto. ;)

unsafe at any build (2)

EccentricAnomaly (451326) | more than 12 years ago | (#3554035)

Are Microsoft's products really so vital that national security would be impacted if their security were compromised? This sounds like the Y2K hoopla all over again. There are alternatives to any microsoft product. Even if a microsoft app were so compromised that Microsoft couldn't release a bug fix -- it would only take a week or two for any organization to migrate to new software. Sure it would be expensive, but not a threat to national security.

Their Next Move Will Be... (0, Offtopic)

rootmon (203439) | more than 12 years ago | (#3553920)

Their next move will be lobbying Fritz Hollings to sponsor OSPA, Open Source Prohibition Act: making it illegal to publish your APIs so the "terrorists" can't exploit them. As if terrorists could code :-)

hrmm (1)

lowtekneq (469145) | more than 12 years ago | (#3553926)

Now how about they crack open the source to the hurds of open source programmers and fix some of the errors.. oh yeah then everyone would have to update.. gasp!

Equality (3, Interesting)

jaavaaguru (261551) | more than 12 years ago | (#3553929)

So they think that just because they are Microsoft, they deserve to be treated differently? If they made crap software that is full of bugs, and it gets released to other companies who may possibly take advantage of those bugs, then it's their own fault. If a product is meant to be remotely secure, the software company should employ QA teams to *TRY* and break into it, at the VERY LEAST. Writing poor code is no excuse for avoiding your punishment, MS. Perhaps those using the buggy software should be informed of this, and given a grace period to switch to another system before MS is made to open their source.

I can see it now (1)

heff (24452) | more than 12 years ago | (#3553933)

I can see it now, the new threat will be al queda cells training to get comp. sci degrees in US universities.

it's scary that it has come to this, I guess the real question is to find out exactly which parts are the flawed ones and start reverse engineering them and replacing them with secured versions.

One thing MS seemed to overlook is the added advantage of open sourcing.. you get access to an entire world of programmers who will help create a secure distribution (see also Linux).

just my two cents.

Fodder for ads (5, Insightful)

sulli (195030) | more than 12 years ago | (#3553934)

Okay Linux junkies, particularly ones with big ad budgets: if this isn't in your ads (pref. full-page display ads in the Wall Street Journal) by next week, you massively, massively suck.

Think about it from Microsoft's point of view... (5, Insightful)

Arcanix (140337) | more than 12 years ago | (#3553935)

It's obvious the only way to keep this country secure is to hide these flaws. A cash-strapped company like Microsoft can't afford to correct the flaws in their code and it's not as if they have thousands of programmers that could fix it.

Re:Think about it from Microsoft's point of view.. (0)

MikeD83 (529104) | more than 12 years ago | (#3554041)

Microsoft is not a cash-strapped company. We have already heard about how they have 50 billion in cash ready for anything.

MS Flight Sim (2, Funny)

selderrr (523988) | more than 12 years ago | (#3553940)

um... how does this reasoning relate to bugs in MS Flight simulator... With amateur pilots training themselves to fly AROUND buildings, this whole software-based learning is jeopardised.

Hey, now that I think of it, perhaps this wasn't a terrorist attack after all ?

Re:MS Flight Sim (0)

Anonymous Coward | more than 12 years ago | (#3554075)

:-)
funny. i woulda modded you up, but i wasted my mod points elsewhere. too bad you'll probably get modded to -1

It's a matter of national security... so... (1, Redundant)

Gunfighter (1944) | more than 12 years ago | (#3553942)

The government should take this into consideration. As such, all of the intelligence entities should modify their IT policies and prohibit the use of any and all Microsoft products. How else can we ensure the safety of our country's precious secrets?

Of course our security lies in... (4, Insightful)

csguy314 (559705) | more than 12 years ago | (#3553944)

him how many APIs would be exempt, Allchin said he did not know the exact number, but it would include APIs that deal with anti-piracy and digital rights management.

Yes, those are the integral parts for security. Who cares about information being stolen. As long as no one can rip a copy of your cd, everything is kosher...
Everyone knows terrorists rely on warez!

Microsoft products = crap admitted in court (1)

fayd (143105) | more than 12 years ago | (#3553946)

Now that it's on public record by a senior M$ exec, what do you suppose Civic/Government leaders are going to do?

I've got my money on nothing. Anyone want to bet against me?

Figures... (1)

Otaku Link (543536) | more than 12 years ago | (#3553949)

I always figured Windows would turn into something even stupider as it went along... =3 Hehe, the pinto of the Home PC... I like that title. ^^

er, (5, Insightful)

Xzzy (111297) | more than 12 years ago | (#3553951)

From the story:

> The protocol, which is part of Message Queuing,
> contains a coding mistake that would threaten the
> security of enterprise systems using it if it were
> disclosed, Allchin said.

Then with all the billions and billions of dollars M$ has hanging out in the bank, why not hire someone and FIX THE PROBLEM. What's the problem with doing the things that make sense?!

Single best thing M$ could do to improve their product security is to adopt the 'patch often' mindset. Fix something, release a patch, everyone goes home happy.

The bi-annual (exaggeration) security patches they currently do ain't gonna do it.

TEST (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3553952)

this is a test.

Please click me. [208.62.253.191]

we are at war (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3553954)

loose lips sink ships

traitors!

This is big news... (2, Interesting)

3Suns (250606) | more than 12 years ago | (#3553955)

The DOJ was pressuring MS to release its APIs etc., in the interest of fair trade. Now MS claims that doing that would put national security at risk.

What's the solution for the DOJ (who holds the reins now)?? Simple: force MS to adopt open standards and open code modules in the future. Given that the MS business model is based on leveraging its "secret" elements, this could force them to abandon nearly all of their anticompetitive practices.

Ridiculous argument! (0)

Anonymous Coward | more than 12 years ago | (#3553956)

Even if it was true that closed windows source is important for national security, microsoft itself shares the windows source with many companies and many, many universities.

I really doubt that all these people have a top secret clearance.

Re:Ridiculous argument! (2, Insightful)

jhoger (519683) | more than 12 years ago | (#3554055)

Agreed... the most security on their Shared Source stuff is at the level of a non-disclosure agreement.

I think the judge will see through this ploy.

Re:Ridiculous argument! (3, Funny)

Rick the Red (307103) | more than 12 years ago | (#3554066)

Yes, but they've signed Non Disclosure Agreements, so it's OK.

EULA? (1)

pjdepasq (214609) | more than 12 years ago | (#3553957)

Does this mean that they (MSFT) will have to change their EULA to warn that their product is dangerous to my health and that if I die using Windows, or some other MSFT product, it's not their fault?

I smell a few lawsuits for those who drop dead using their products.

Isn't this security by obscurity, (1)

reschly (565800) | more than 12 years ago | (#3553958)

and isn't security by obscurity a horrible way of writing software?

Patches? (1)

CTho9305 (264265) | more than 12 years ago | (#3553960)

The article states one known bug in the Message Queuing protocol is very severe. If they know what the "coding mistake" is, can't they patch it and then release the source of the now-secure component?

More Lawsuits Now? (2, Insightful)

Asikaa (207070) | more than 12 years ago | (#3553961)

If Ford were to say that they couldn't disclose their new transmission design because if they did it might get people killed, surely they would have to either redesign it, recall it or face a HUGE class-action lawsuit.

All we need is some documented evidence of a MS exploit resulting in injury or death. :)

not so evil? (-1, Insightful)

tps12 (105590) | more than 12 years ago | (#3553964)

I'm sure I am with slashdot readers as a whole when I say that my first reaction was, "how evil can you get? Exploiting the War on Terrorism to fight open source?!?"

But then I reconsidered. WAIT: before you mod me down, please consider my opinion objectively.
I know I'm risking some karma here, but I think this is an issue that strikes right to the heart of all that we hold dear.

Now, like it or don't, the fact is that security through obscurity has been with us since the origins of Unix. IIRC, the original "shell" commands, such as rm and chmod were designed to be difficult to remember, for the very reason that untrained n00bs could quickly bring a system to its knees by misusing them. This explains why innocuous commands (like touch and finger) have easy-to-remember and provocative names, while the more dangerous ones (like ld and vi) are "secure" through their "obscure" names.

Microsoft copied from the best when it put these kinds of features into their flagship OS, "Windows". They went a step further, and did the same for API's and protocols. They also left in a few memory leaks to easily monitor potential hackers. Linux has done similar things, even going so far as using the original Unix commands (yes, even vi!).

To open up the source to Windows at this point would open a literal can of proverbial worms. And you can't put this insecure genie back into the bottle of obscurity once he has been uncorked.

It's my opinion that MS should be given 4 or 5 years in which to "lock down" their OS before exposing it to every "dark hatted" haxer on the Internet.

I hope you see where I'm coming from.

Re:not so evil? (2)

CoolVibe (11466) | more than 12 years ago | (#3554045)

Quoteth the poster:

> This explains why innocuous commands (like touch and finger) have easy-to-remember and provocative names, while the more dangerous ones (like ld and vi) are "secure" through their "obscure" names

And pray tell... how exactly is vi(1) dangerous? I'd call emacs a bigger violation though, but hey, I'm biased. Heck, every editor on a UNIX system should have a "secure" name then. That logic doesn't really fly.

Runs off, before it turns into yet another editor flamefest (which is not what I am intending).

Microsoft Windows NS? (1)

Meat Blaster (578650) | more than 12 years ago | (#3553969)

Drape each box in one of our flags, and trademark the phrase "So powerful the source is a national secret." The PR alone should rake in enough cash for Microsoft to cover their end of the lawsuit.

haha, mod this up (0)

Anonymous Coward | more than 12 years ago | (#3554067)

this 'patriotic company' shit has gone too far, this is just another example of a business trying to sell their stuff using our national pride, except now they're trying to sell us a line of crap instead of software.

also (1)

redballz (580548) | more than 12 years ago | (#3553971)

M$ is so concerned with National security, they have created many many security holes in both IE and outlook. for security of course!

*Yawn* I think someone from Peru said it best ... (5, Insightful)

smoondog (85133) | more than 12 years ago | (#3553974)

(From a story posted here [slashdot.org] )

Peruvian Congressman David Villanueva Nuñez made exactly this argument:

To guarantee national security or the security of the State, it is indispensable to be able to rely on systems without elements which allow control from a distance or the undesired transmission of information to third parties. Systems with source code freely accessible to the public are required to allow their inspection by the State itself, by the citizens, and by a large number of independent experts throughout the world. Our proposal brings further security, since the knowledge of the source code will eliminate the growing number of programs with *spy code*.

In the same way, our proposal strengthens the security of the citizens, both in their role as legitimate owners of information managed by the state, and in their role as consumers. In this second case, by allowing the growth of a widespread availability of free software not containing *spy code* able to put at risk privacy and individual freedoms.


The flaw here is that for windows code to possess the powers they imply, it would need to be a state secret. Perhaps it should be illegal to distribute mission critical osc across us boundaries? Windows code a state secret? I think not, anyone can reverse compile machine code.

Micro$oft should realize that governments do not like security threats they are not able to evaluate themselves. The NSA, for example, cannot sit and tinker with windoze's security holes the way they can with OSC (open source code)...

-Sean

God forbid (0)

Anonymous Coward | more than 12 years ago | (#3553978)


God forbid we should open source something that is that badly written.

Missile carriers everywhere, none a blue screen to be found.

They would be towing them back from all over the gulf.

I think Win should be in all consumer devices. It would be like effective remote terrorism the likes of which we haven't seen since Maximum Overdrive.

Hehehe

Disclosure of Code Flaws (1)

dlur (518696) | more than 12 years ago | (#3553979)

The fact that they (MS) admit there are issues with their currently closed-source model that involve flaws that are so bad that even stating which modules they are involved with is a potential compromise to National Security reinforces in me the fact that an open atmosphere is much better in that numerous persons and groups can review the code such that alarmingly fatal flaws such as these don't get released to the public or the government in the first place. If even a few outside of Microsoft's company had reviewed or had access to these modules, I think it would be only a matter of time before these bugs were squished, probably even before the software was released in the first place. What better reasoning for the states to continue fighting for the disclosure of MS's cruddy source to the states, and certain other peoples than the hope that flaws such as these don't end up in a finished product that people actually pay money for in the first place?

National Security Reason To Open Source? (0)

Anonymous Coward | more than 12 years ago | (#3553983)

As a matter of national security, the source code should be opened so that the flaws can be found and systems important to national security that are currently running with vulnerabilities be shut down until they are fixed. Microsoft is going to get itself in a world of trouble when a vulnerability they are aware of, but fail to disclose immediately, is exploited before they release a patch.

The bottom line is that system administrators need to know if there are flaws, especially with "national security" at risk, even if, in the absence of a fix, their only option is to shut the affected services or systems down.

oh as if! (0, Flamebait)

kennedy (18142) | more than 12 years ago | (#3553985)

BWAHAHAHAHAHAHAAHAHAHAAH!!!!!!!!!!

no wait seriously though....

BWAHAHAHAHAHAHAHAAHAHAHAHAHAAHHAH!!!!!!!!

Playing both sides of the fence (2, Interesting)

jackaroe (224777) | more than 12 years ago | (#3553992)

"Well, security is our top priority (http://slashdot.org/article.pl?sid=02/01/17/0259234&mode=thread&tid=109) but until it improves, our source is a threat to national security"

admittance? (1)

Profe55or Booty (540761) | more than 12 years ago | (#3553994)

As a result of the flaws, Microsoft has asked the court to allow a "national security" carve-out from the requirement that any code or API's be made public.

it seems to me that by this statement they are admitting that they have a monopoly over the OS market... that is, if it's a national security risk, that means that the nation is running their software.

greg

Figures (1)

dopefish3 (251821) | more than 12 years ago | (#3553995)

I think that they're hiding something...
(Cough!) Stolen source! (Cough!)

The flawed bit ... (1)

Miqlo (201386) | more than 12 years ago | (#3553996)

int main (int argc, char* argv[]) { ... }
:)

National Security means... (5, Insightful)

cperciva (102828) | more than 12 years ago | (#3553999)

I think that "National Security" here means "the NSA asked us to put xyz into our code, and they'd be unhappy if it had to be removed or became public".

Remember: Cryptanalysis has, and will, always come in fourth place after burglary, blackmail, and bribery.

DRM and national security (2, Insightful)

grung0r (538079) | more than 12 years ago | (#3554000)

"but it would include APIs that deal with anti-piracy and digital rights management"

Terrorism = File Sharing

someone call the RIAA and tell them the great news!

Impede the war effort? Too late (-1)

Chinese Karma Whore (560174) | more than 12 years ago | (#3554003)

This statement further encourages L33T AL QUEDA HAX0RS to hop on to their commodore 64's and start cracking government computers. Great job, MS, you just blew our cover.

Ugh (2)

BlackGriffen (521856) | more than 12 years ago | (#3554006)

There's no way, if Windows was open source, that people would be able to find the flaws for themselves and patch the code. After all, only a malicious hacker would want to look at Windows source code ;), and only a fool would try to step through that labyrinth that would make Daedalus green with envy...

BlackGriffen

Rebuttal (1, Funny)

Anonymous Coward | more than 12 years ago | (#3554007)

What if Terrorists Destroy Microsoft, (e.g. Crash a 747 into Microsoft, or develop a worm to destroy Microsoft source code)? What will happen then?
For reasons of National Security, all of Microsoft code should be made open source! At the very minimum Microsoft should hand over all of it to the NSA or some other agency of the US government to ensure that the code is available after an attack against Microsoft.

Wow that's bold (3, Insightful)

Kraegar (565221) | more than 12 years ago | (#3554013)

To stand in front of not only a customer, but your Government, and declare that your product is so dangerously flawed that it could cost lives.

If it happened in any other industry (auto, aviation, train, commerce, weaponry, etc) the Government would drop their product like a dead rat (and more probably force the manufacturer into a recall). Yet Microsoft is willing to use it as a defense?

Fear the future... (5, Interesting)

Dr. Bent (533421) | more than 12 years ago | (#3554015)

Three things need to happen in order for people to start getting serious about software security and reliability:

1) A software system with 1 or more serious _known_ flaws must be used on a worldwide scale by a government agency or large company.

2) That software must then fail.

3) The failure must cause thousands of deaths or hundreds of billions of dollars in loss or damage.

The result will be like the 9/11 of software...when the world wakes up and realizes that we have become so dependent on software systems for our daily lives that we actually have to start caring whether or not they work correctly. We need to start taking an engineering approach to software and KNOW (not think) that it will operate as advertised.

I'm actually hoping that this will occur sooner than later. The later it happens, the more catastrophic the result will be and the less time we'll have to rectify the problem before it happens again.

I hoped they canceled that one seminar (-1)

CmdrTaco (troll) (578383) | more than 12 years ago | (#3554020)


1001 uses for gets()

Conversion Factor (1)

mr. phantastik (202943) | more than 12 years ago | (#3554024)

It's sad, but I think this may be the "straw that broke the camel's back" for me so to speak. Reading this article actually makes me want to format and install Linux RIGHT NOW. I just pray to Linus that it isn't too late.

Stop worrying about MS (0)

Anonymous Coward | more than 12 years ago | (#3554025)

and get back to work on programming for linux! (or the HURD)

Lazy programmers!

Sorry mom, I can't clean my room! (1)

stefanlasiewski (63134) | more than 12 years ago | (#3554027)

Sorry mom, I can't clean my room! The terrorists might find all the girlie magazines that I have hidden under the covers; and that would be bad for National Security.

Are you a COMM^h^h^h^hTERRORIST mom?

break out the tinfoil hats (0)

Anonymous Coward | more than 12 years ago | (#3554046)


I can't wait to see what the conspiracy theorists have to say about this...

National Security threatened by releasing MS source code? Does the U.S. government have "spyware" built right into the MS products? secret NSA backdoors?

What do they mean by threatening the U.S. war effort in Afghanistan? Maybe Osama should install Linux?

Lawsuit (2)

unformed (225214) | more than 12 years ago | (#3554051)

Has anyone considered filing a suit due to being "hacked" (I know it's not the correct term, but it gets the message across) due to a hole in MS software?

Sure, the license makes all warranty void, but what about when they knowingly distributed insecure software?

This offers a perfect fact for your case.

from one perspective ... (1)

dlasley (221447) | more than 12 years ago | (#3554053)

this looks like typical micro$oft, but consider this: though their software tends to be bug-ridden, exploitable, unstable, exploitable, bloated, exploitable etc etc etc, i doubt you'll find too many workstations in the respective security agencies of the US running anything other than some flavor of windows. do we really want those terrorists who have the means and the skills zooming around hacked PCs all over the Pentagon checking satellite fly-over schedules and watching realtime deployments of troops in the field?

don't get me wrong, i am a linux user and very happy about it (ditto for solaris and hpux) and i love watching the evil empire squirm, but let's excoriate micro$oft for the injustices they already do to _this_ country, and limit the exposure of the code to competitors that can keep the knowledge secure ... at least for now.

So, if their code is so broken (0)

Anonymous Coward | more than 12 years ago | (#3554054)

that revealing it places our national security at risk, then it's time to switch to a superior software base.

News Flash!!! (2, Funny)

eyegor (148503) | more than 12 years ago | (#3554058)

Washington
(NAPI)- John Ashcruft today warned that al-Qaida terrorists have infiltrated several "Learning Tree" facilities over the past few months and have obtained illicit "MCSE" certificates. "With the intimate knowledge they now have, no one who runs the Windows Operating System is safe" quavered Professor M. Druel of the University of North Dakota at Hoople. "Given the flaws we were warned of, why didn't we listen to that guy back during the trial?" Linux users (and other users of the soon-to-be banned "open-source" software) spent the days chuckling.

They must be getting desperate... (5, Insightful)

gweihir (88907) | more than 12 years ago | (#3554060)

At least that is the only explanation I can think of. Their systems are architecturally unsound and plagued by stupid design decisions, unstable interfaces and unsound implementation. It is quite obvious if you look at all the security, stability and usability (ever reinstalled Windows?) problems they have. In addition they are still adding features like mad, thereby making the problem more serious all the time.

My point is that they did not say anything new by admitting the problem. However by admitting it they also admit that they don't really care about security, as they certainly could have done significantly better! This casts a very bad light on other ventures like .NET and the motivations and real goals behind them.

So why are they admitting it anyway? In my opinion MS is scared to death that open APIs would also mean stable APIs (i.e. APIs that don't change all the time) and would enable others to make Windows compatible execution environments with relative ease. The sources are also important, because the API documentation MS would give (could?) away is not complete and correct enough. So while it takes a huge effort, competitors would be able to really find out the complete API functionality and implement it in a way so that things that run on Windows would usually run on competing products without retesting or modifications.

As MS is not really having a good product, just an effective monopoly (by making cloning their API difficult), reasonable documentation of their APIs could kill them. At least that is what I think they believe.

Open source and security - some references (4, Informative)

dwheeler (321049) | more than 12 years ago | (#3554062)

Ah yes, the "our APIs and code must be secret or the U.S. will crumble" defense. This is a particularly absurd claim for application programmer interfaces (APIs) - by definition, APIs are disclosed to other developers, so the only reason to "hide" them is to prevent competition. Oddly enough, the products where source code (not just the APIs) is visible have lots of quantitative evidence that they're more secure [dwheeler.com] .

It's already been revealed that some attacker got into Microsoft's network. Also, CD's with Microsoft's source have been released for various reasons over time. I have no trouble believing that some "bad guys" already have the source code. So, how do the rest of us protect ourselves from these bad guys with the source code? And from the bad guys to come who don't have it yet... but will?

As noted in Secure Programming for Linux and Unix HOWTO [dwheeler.com] , section 2.4.2 [dwheeler.com] , closing off source code doesn't actually halt attacks anyway. Here's the quote:

It's been argued that a system without source code is more secure because, since there's less information available for an attacker, it should be harder for an attacker to find the vulnerabilities. This argument has a number of weaknesses, however, because although source code is extremely important when trying to add new capabilities to a program, attackers generally don't need source code to find a vulnerability.

First, it's important to distinguish between ``destructive'' acts and ``constructive'' acts. In the real world, it is much easier to destroy a car than to build one. In the software world, it is much easier to find and exploit a vulnerability than to add significant new functionality to that software. Attackers have many advantages against defenders because of this difference. Software developers must try to have no security-relevant mistakes anywhere in their code, while attackers only need to find one. Developers are primarily paid to get their programs to work... attackers don't need to make the program work, they only need to find a single weakness. And as I'll describe in a moment, it takes less information to attack a program than to modify one.

Generally attackers (against both open and closed programs) start by knowing about the general kinds of security problems programs have. There's no point in hiding this information; it's already out, and in any case, defenders need that kind of information to defend themselves. Attackers then use techniques to try to find those problems; I'll group the techniques into ``dynamic'' techniques (where you run the program) and ``static'' techniques (where you examine the program's code - be it source code or machine code).

In ``dynamic'' approaches, an attacker runs the program, sending it data (often problematic data), and sees if the program's response indicates a common vulnerability. Open and closed programs have no difference here, since the attacker isn't looking at code. Attackers may also look at the code, the ``static'' approach. For open source software, they'll probably look at the source code and search it for patterns. For closed source software, they might search the machine code (usually presented in assembly language format to simplify the task) for essentially the same patterns. They might also use tools called ``decompilers'' that turn the machine code back into source code and then search the source code for the vulnerable patterns (the same way they would search for vulnerabilities in open source software). See Flake [2001] for one discussion of how closed code can still be examined for security vulnerabilities (e.g., using disassemblers). This point is important: even if an attacker wanted to use source code to find a vulnerability, a closed source program has no advantage, because the attacker can use a disassembler to re-create the source code of the product.

Non-developers might ask ``if decompilers can create source code from machine code, then why do developers say they need source code instead of just machine code?'' The problem is that although developers don't need source code to find security problems, developers do need source code to make substantial improvements to the program. Although decompilers can turn machine code back into a ``source code'' of sorts, the resulting source code is extremely hard to modify. Typically most understandable names are lost, so instead of variables like ``grand_total'' you get ``x123123'', instead of methods like ``display_warning'' you get ``f123124'', and the code itself may have spatterings of assembly in it. Also, _ALL_ comments and design information are lost. This isn't a serious problem for finding security problems, because generally you're searching for patterns indicating vulnerabilities, not for internal variable or method names. Thus, decompilers can be useful for finding ways to attack programs, but aren't helpful for updating programs.

Thus, developers will say ``source code is vital'' (when they intend to add functionality), but the fact that the source code for closed source programs is hidden doesn't protect the program very much.
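The HOWTO passage quoted above says a static search looks for vulnerable patterns, not for variable or method names. As an added example (not part of the comment or of the HOWTO), this small auditing scan reports the same unbounded C library calls on readable source and on decompiler-style output. Both C snippets are constructed, the renamed identifiers follow the comment's `x123123`/`f123124` illustration, and it is assumed that library call names survive, as they do for dynamically linked imports.

```python
import re

# Calls that a classic C audit flags because they write without a bounds check.
RISKY = {"gets", "strcpy", "strcat", "sprintf"}

# Comments and literals are matched first, so a risky name that only appears
# inside one of them is skipped instead of being reported.
TOKEN = re.compile(
    r"""
    (?P<skip>/\*.*?\*/ | //[^\n]* | "(?:\\.|[^"\\])*" | '(?:\\.|[^'\\])*')
    | (?P<call>\b[A-Za-z_]\w*)\s*\(
    """,
    re.VERBOSE | re.DOTALL,
)


def find_risky_calls(source):
    """Return [(line_number, function_name)] for each risky call in C text."""
    hits = []
    for match in TOKEN.finditer(source):
        name = match.group("call")
        if name in RISKY:
            line = source.count("\n", 0, match.start("call")) + 1
            hits.append((line, name))
    return hits


def same_findings(a, b):
    """True when two texts yield the same risky calls in the same order."""
    return [n for _, n in find_risky_calls(a)] == [n for _, n in find_risky_calls(b)]


# Constructed sample: readable source with names and comments intact.
ORIGINAL = """\
/* Show a warning for one account; the old code used gets() here. */
void display_warning(void) {
    char account[16];
    char grand_total[32];
    puts("never call gets() on untrusted input");
    gets(account);                 // unbounded read into 16 bytes
    strcpy(grand_total, account);  // unchecked copy
    fgets(account, sizeof account, stdin);
}
"""

# Constructed sample: the same logic as a decompiler might render it, with
# comments gone and local names replaced by generated ones.
DECOMPILED = """\
void f123124(void) {
    char x123124[16];
    char x123123[32];
    puts("never call gets() on untrusted input");
    gets(x123124);
    strcpy(x123123, x123124);
    fgets(x123124, 16, stdin);
}
"""

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("decompiled", DECOMPILED)):
        for line, name in find_risky_calls(text):
            print(f"{label}: line {line}: call to {name}()")
    print("same findings:", same_findings(ORIGINAL, DECOMPILED))
```

The mentions of `gets()` inside the comment and the string literal are not reported, and the bounded `fgets` call is left alone.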

Actually, if MS really wants to help... (1)

csguy314 (559705) | more than 12 years ago | (#3554070)

they should sell their software to terrorists at a discounted price.
Make the NSA's job really easy...

Microsoft's not dead yet (1)

codingbytes (577572) | more than 12 years ago | (#3554072)

Microsoft still has some of the most talented minds in the industry - they know what they're doing with this tactic. What they're doing seems to be the equivalent of reverse psychology. "No, don't make us show the world our source code. Anything but that" - **snicker**. The world doesn't gain a whole lot from being able to go through Microsoft's code (this "punishment" is just a slap on the wrist). Microsoft could even remove all of the most critical proprietary components of the Windows source code and it would take thousands of man hours to even be able to tell the difference.

./cwide

That's what you get (0)

Anonymous Coward | more than 12 years ago | (#3554073)

for not getting over 9/11. And for having a hypocritical government that likes to forget facts, as do most of you Americans. Your nation was founded on terrorist acts such as the Boston Tea Party and Boston Massacre. So suck it up and get over it. Innocent people die everyday all over the world. And this will get modded down because Goddess forbid anybody say anything against the perfect United States.

So how many of you linux advocates (-1, Troll)

Anonymous Coward | more than 12 years ago | (#3554074)

Would put your ass on the line if Linux were entrusted to perform security functions? You see, Linux is just as shit as Windows when it comes to security, and it has nothing to do with the openness or otherwise of the source.


OpenBSD would be a better bet if security is your aim.

too subtle (0)

Anonymous Coward | more than 12 years ago | (#3554076)

bill is just a monty python fan after all. since he's not funny, he made a code version of the joke that can kill.

he's just misunderstood. [quiet guy, kept to himself.]