Microsoft lets EU governments inspect source code for security issues

Microsoft has opened a 'transparency' centre in Brussels (mainland Europe) on Wednesday so governments will be able to review the source code of Microsoft products to confirm they don't contain security backdoors.

“Today’s opening in Brussels will give governments in Europe, the Middle East and Africa a convenient location to experience our commitment to transparency and delivering products and services that are secure by principle and by design”

Participants include the governments of the U.K., Austria, the Czech Republic, Estonia, Finland, the Netherlands, Poland, Spain, and Sweden as well as organizations including the European Commission, the spokeswoman said.

Microsoft plans to expand the range of products included in these programs and to open other centers in Europe, the Americas, and Asia.

Now everyone can put their tin-foil hats down, and wear them when they are using Android.

I wonder if this means anything for the consumer version though. Clearly consumers won't get to see the source, but are the government copies different from the consumer ones at the core?

They aren't different. The difference between them is feature sets, that's about it. There is "One" Windows 10.

Ah, I was just wondering as I saw Windows XP is still getting updates if you are on a government or POS PC with that version of XP. You could unofficially change the consumer version to keep getting the updates, but compatibility was not assured.

Yeah, there are some companies and businesses that won't get with the times. A lot of them paid Microsoft for continued support of XP, which in my opinion was a dumb move, simply because XP isn't secure anymore and is horribly outdated.

Windows 10 will have a Core and Pro version like Windows 8.

Though they aren't different source-code-wise like previous multi-version releases of Windows; some just have additional features.


Yes, but they all function exactly the same. The only difference between them is "feature sets", like I said. The Pro version just has more security features than the "Core" edition does.

The government (was) paying Microsoft £5.5m a year for 1m XP machines to get an extra year of support.

So it's no longer paid for by Whitehall:

Which is idiotic as that'd get the best deal but I suppose they expect trusts and departments to upgrade since they 'balanced the books' to be able to budget for this (as if it was a surprise).

The Home and Pro versions of XP can have a registry 'hack' done to get Windows POSReady 2009 updates; however, this was not what the government was doing.

Ah I see. I did not know the specifics, thanks for the info.

Really this doesn't mean anything, as it's very common for source code to be incomplete with these kinds of things. Unless they can take this source code, compile it, and confirm it's the same as what they buy, this has minimal guarantees. It's one of the reasons the GPL has provisions for being able to take the code and run it.

Does that mean they're hiding back-doors by not providing the full code? Who knows. But this doesn't guarantee that's not happening. It may mean some other security problems get fixed though.

And this will be great if the selected experts reviewing the code really are trustworthy. Nice move by Microsoft; let's now see how competent the governments are in selecting the experts. In my experience, a thousand slightly above average people tend to see better than ten experts. Then, who are the ten experts that will be reviewing a million lines of code for ten years before we find out it is safe? Who will be reviewing the rolling updates?

Let me be cynical for one more second: how do we know that Microsoft doesn't just switch the code they don't want to show before compiling it? Nah, maybe I shouldn't be so cynical. Still very far from open source. And still very far from a peer review.

As for the government selecting the right experts you will find Snowden, as GCHQ recruitment will confirm, was a great tool for getting brighter people into public sector security.

Now for the source code access. Truth of the matter is it's better than no access at all.

You are right.

I too have little doubt that there are agencies with great and competent people worthy of every admiration and respect, in both morals and skill. I would like to see this work for real, at least as a guarantee for each government's sovereignty over the technology being used by said government. On the large scale, this is good enough - sovereignty is one of the most important principles of a government.

What did get me cynical to begin with is that on a personal scale I still want to know that I, as a private user and a citizen, will be informed of the reported findings by my government and be able to adjust my own actions accordingly. I have not seen any particular mention of how this inspection will be organized between the actual governments and the agencies (most likely a bit different in every country), and I am actually curious about what will turn out of this all in the end, but there will almost certainly be NDAs all over it.

Sorry, but in my opinion that doesn't change anything.
Either it's closed source or open source; there is not much in between.
What they plan to do is still closed source; they just alter the circle of people who see the code.
Right now the code is also inspected and open to some people - employees of Microsoft.
After this action the code is open to the same people at Microsoft plus a handful of experts.
What does that really change?

In 2015 "governments" and their experts clearly don't represent an institution which most people trust on this topic.
I trust the worldwide programmer community as a whole which can look at open source code constantly, I don't trust Microsoft employees and governments.

Also, from a technical side, how often can they look at the code and changes, and how does anybody know if the sold binaries are equivalent to the source code which was inspected at some point in time?
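The check raised earlier in the thread (compile the inspected source and confirm it matches what is sold) and again in this post is a reproducible-build comparison. Below is an added example, not from the thread or from Microsoft: it runs the build command twice in fresh scratch directories with a pinned environment, checks that both outputs hash identically, and then compares that hash with the shipped artifact's. The build command, output name and SOURCE_DATE_EPOCH value are placeholders chosen for the example.

```python
"""Reproducible-build check: does a shipped binary match what the inspected
source compiles to? Added example; the build command and epoch are placeholders."""
import hashlib
import os
import subprocess
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Pin the usual sources of build non-determinism: timestamps, timezone, locale.
# SOURCE_DATE_EPOCH is a constructed placeholder (2015-05-13T00:00:00Z).
REPRO_ENV = {"SOURCE_DATE_EPOCH": "1431475200", "TZ": "UTC", "LC_ALL": "C"}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class BuildCheck:
    build_hashes: list      # one sha256 per independent build
    shipped_hash: str       # sha256 of the vendor-shipped artifact

    @property
    def deterministic(self) -> bool:
        # Every independent build must produce a byte-identical artifact.
        return len(set(self.build_hashes)) == 1

    @property
    def matches_shipped(self) -> bool:
        # Only a deterministic build can be meaningfully compared with the shipped file.
        return self.deterministic and self.build_hashes[0] == self.shipped_hash


def build_once(build_cmd: list, output_name: str) -> str:
    # Fresh scratch directory and a minimal environment so nothing leaks in
    # from the host other than PATH and the pinned reproducibility variables.
    with tempfile.TemporaryDirectory() as work:
        env = {"PATH": os.environ.get("PATH", ""), **REPRO_ENV}
        subprocess.run(build_cmd, cwd=work, env=env, check=True)
        return sha256_file(Path(work) / output_name)


def verify_build(build_cmd: list, output_name: str, shipped_sha256: str, runs: int = 2) -> BuildCheck:
    hashes = [build_once(build_cmd, output_name) for _ in range(runs)]
    return BuildCheck(hashes, shipped_sha256)
```

A result with `deterministic` false means the source cannot be tied to any binary at all; `deterministic` true but `matches_shipped` false means the shipped binary was not built from the inspected source as given.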

the difference is they leave the backdoor feature in the retail versions. duh!


Hey now anarekist, let's be fair. This is way off base, and we should strive to be more accurate in our communications.

It's not a back door, it's a legal compliance door.

Asked about instances in which Microsoft built methods to bypass its security and about backdoors generally, a company spokesperson told me that Microsoft doesn't consider complying with legitimate legal requests

I asked Microsoft if the company would be able to comply with unlocking a BitLocker disk, given a legitimate legal request to do so. The spokesperson told me they could not answer that question.