
From Redmond to Red Square

Reading like a delinquent April Fool’s joke, an amateur spy novel, or a mock headline in The Onion humor magazine, this week’s Brewing column is steaming over news reports from networks as reputable as ZDNet and the TWIT Network’s Security Now with Steve Gibson.

According to ZDNet UK’s Tom Espiner, Microsoft has turned over all its source code for Windows 7, along with its source for Microsoft Windows Server 2008 R2, Microsoft Office 2010 and Microsoft SQL Server, to Russia’s Federal’naya sluzhba bezopasnosti Rossiyskoy Federatsii. The FSB is present-day Russia’s successor to the infamous Soviet-era KGB.

As Espiner reports, this is all about business, rather than state security. Microsoft’s Government Security Program does allow governments limited access to its source code, ostensibly as part of the company’s various bids to sell software to international governments.

But from a security perspective, and in the context of current concerns by the U.S. defense department, Google and others over cyber warfare, the act simply strains credulity. A Russian intelligence agency has access to Windows source code while most American IT operations do not?

“Not only does this give the Russians the opportunity to find gaps in Windows security — it gives them the opportunity to do so while most American companies and organizations don’t have the same opportunity to find the same gaps and plug them.”

Security expert Bruce Schneier had just seven choice words in response to the news. He writes in his blog, Schneier on Security, “I don’t think this is a good idea!”

A better approach? If Microsoft is willing to turn over source code to Russia, we second ZDNet’s editorial opinion that it should release it to the public. Open source certainly hasn’t harmed Linux’s success, and doing so would at least put American IT operators on a level playing field with the Russian secret service.

Microsoft’s Shared Source Initiative has been a step in this direction, but if reports are accurate, the program should be made system-wide, and be made open to all. [24×7]