Hi Bill,

Thanks for sharing that article.  I wrote a rather lengthy comment to
it, but will duplicate the comment here:

The devil will be in the details of the agreement, but for the most
part this seems like an agreement to make some Russian bureaucrat "feel
good".

(1) If the Russians are trying to see if the binary code they are given
has any trapdoors or other malware in it, then it is very hard to see
that the binary code that they receive from Microsoft was generated by
the sources that they are looking at.

(2) If the Russians do wish to make sure their code has no issues, then
they would probably not only need the sources for the code in question,
but the entire build environment that Microsoft uses so they can build
their own binaries. There was a very famous UNIX exploit where the code
that allowed the code for the exploit was in the "C" compiler, not in
the operating system. When the "C" compiler compiled a particular
module, it inserted the exploit into that module. You could have looked
at the sources for that module your entire life and not have seen the
exploit.

(3) If the Russians are looking to create better security and encryption
algorithms as the article states, then they should know that probably
those security and encryption algorithms would be best developed outside
of mixing them with any of Microsoft's code (i.e. develop it more as a
layered product or dynamically loaded module). Otherwise the Russians
would be at the whim of either Microsoft or the U.S. State Department as
to whether Microsoft would ever distribute the code the Russians
developed. Of course the Russians could implement and distribute their
code mixed with the Microsoft sources themselves, but then the
Russians would need the entire tool chain (see #2).

(4) "The government" may have access to the source code, but I doubt if
it goes beyond that. What happens if "the government" wants to have a
university help them with developing these algorithms? What hoops have
to be jumped through to get the universities access to the sources?

Compare this agreement and these thoughts to doing the same type of work
using a distribution like Gentoo Linux. Is it any wonder why the NSA
chose Linux for their SELinux project?

I think what happened is that someone in the Russian government said "We
can not use Microsoft because we can not see if the USA had put any
spy-ware in it" and Microsoft said "No problem, we will show you the
source code." So now the Russian bureaucrat feels better.

maddog
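The check implied by point (2), as an added example that is not part of maddog's message or anything the list discussed: reading the sources only tells you what the sources say, so the auditor rebuilds the binary from the audited sources with independent toolchains and compares the result to the vendor-supplied binary. The decision table is the useful part: if independent rebuilds agree with each other but not with the vendor binary, the sources cannot explain the difference and the toolchain itself must be examined; if the rebuilds disagree among themselves, the build is not reproducible and no conclusion can be drawn yet. The source tree, the "toolchains" and the vendor binary below are constructed stand-ins (a real check would invoke the actual compiler and linker via `subprocess`); `verify_vendor_binary`, `source_manifest` and the scenario names are this example's own.

```python
"""Provenance check for a vendor-supplied binary: rebuild from the audited
sources with independent toolchains and compare hashes (example code)."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict

Sources = Dict[str, bytes]          # file name -> file contents
Builder = Callable[[Sources], bytes]  # a toolchain: sources in, binary out


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def source_manifest(sources: Sources) -> str:
    """Order-independent hash of the whole source tree, so that the auditor
    and the vendor can agree on exactly which sources were reviewed."""
    h = hashlib.sha256()
    for name in sorted(sources):
        h.update(name.encode("utf-8") + b"\0" + sources[name] + b"\0")
    return h.hexdigest()


@dataclass(frozen=True)
class Verdict:
    status: str   # "match", "suspect" or "inconclusive"
    detail: str


def verify_vendor_binary(sources: Sources, vendor_binary: bytes,
                         builders: Dict[str, Builder]) -> Verdict:
    """Rebuild with every independent toolchain and compare to the vendor binary."""
    rebuilt = {name: sha256_hex(build(sources)) for name, build in builders.items()}
    distinct = set(rebuilt.values())
    if len(distinct) != 1:
        # The toolchains do not even agree with each other: the build is not
        # reproducible, so a vendor mismatch would prove nothing yet.
        summary = ", ".join(f"{n}={h[:12]}" for n, h in sorted(rebuilt.items()))
        return Verdict("inconclusive", "independent toolchains disagree: " + summary)
    (ours,) = distinct
    vendor = sha256_hex(vendor_binary)
    if ours == vendor:
        return Verdict("match", f"vendor binary {vendor[:12]} reproduced from "
                                f"source manifest {source_manifest(sources)[:12]}")
    # Every rebuild agrees with the others but not with the vendor: the audited
    # sources cannot account for the difference, so the toolchain that produced
    # the vendor binary has to be audited too (this is the point of #2 above).
    return Verdict("suspect", f"vendor binary {vendor[:12]} differs from rebuilt "
                              f"{ours[:12]}; audit the build toolchain, not just the sources")


# Constructed stand-in toolchains. A real check replaces these with calls to
# the actual compiler and linker; the point here is only the comparison logic.
def reproducible_build(sources: Sources) -> bytes:
    """Deterministic: the same sources always yield the same bytes."""
    return b"".join(b"[" + n.encode("utf-8") + b"]" + sources[n] for n in sorted(sources))


def timestamp_stamping_build(sources: Sources) -> bytes:
    """Like the above but embeds a build timestamp, as many real toolchains do,
    which is exactly what makes builds non-reproducible."""
    return reproducible_build(sources) + b"built-at:2010-07-08T12:00:00Z"


# Constructed sample source tree (not any vendor's real code).
CONSTRUCTED_SOURCES: Sources = {
    "kernel.c": b"int main(void) { return 0; }\n",
    "net.c": b"int send_packet(const char *p) { return p != 0; }\n",
}


def demo() -> Dict[str, str]:
    """Run the three scenarios the decision table distinguishes."""
    honest_binary = reproducible_build(CONSTRUCTED_SOURCES)
    two_agreeing = {"toolchain-a": reproducible_build, "toolchain-b": reproducible_build}
    one_stamping = {"toolchain-a": reproducible_build, "toolchain-b": timestamp_stamping_build}
    return {
        "vendor_matches": verify_vendor_binary(CONSTRUCTED_SOURCES, honest_binary, two_agreeing).status,
        # Constructed vendor binary that differs from what the sources produce.
        "vendor_differs": verify_vendor_binary(CONSTRUCTED_SOURCES, honest_binary + b"\0extra", two_agreeing).status,
        "unreproducible": verify_vendor_binary(CONSTRUCTED_SOURCES, honest_binary, one_stamping).status,
    }


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(f"{scenario}: {status}")
```

The "inconclusive" branch matters in practice: until the build is bit-for-bit reproducible across toolchains (timestamps, embedded paths and build IDs stripped or fixed), a mismatch against the vendor binary cannot be attributed to anything, which is why having the entire build environment, not only the sources, is the precondition the message describes.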



_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
