The allegations that came with the Edward Snowden revelations of Microsoft’s cooperation with U.S. spy agencies are evidently still a problem for Redmond, if a blog item posted yesterday by security VP Matt Thomlinson is any indication. It seems the company has opened a second Transparency Center, this one in Brussels. The news comes eleven months after the announcement of the first such center on the company’s Redmond campus.
At the height of the media frenzy that developed around Snowden’s initial revelations, there were allegations that Microsoft had not only built back doors in its software for the NSA and other government agencies to use against foreign businesses and governments, but that it was cooperating with U.S. authorities in other ways as well. For example, one report indicated that the company was passing along details of unpatched security vulnerabilities in Windows to the NSA, effectively adding temporary tools to the spy agency’s cyber arsenal.
The Transparency Center concept was meant to allay fears that might cause foreign governments to consider options other than Microsoft (read: Linux and FOSS), by granting them unprecedented access to source code:
The Transparency Center initiative is a cornerstone of our long-standing Government Security Program (GSP), which offers participating governmental agencies the opportunity to review the source code of Microsoft products, access information on cybersecurity threats and vulnerabilities, and benefit from the expertise and insight of Microsoft security professionals. This extends to important security documentation about our Azure and Office365 cloud services.
“Benefit from the expertise and insight of Microsoft security professionals”? Isn’t that a bit like getting a tour of hen house security conducted by foxes?
As you might expect, these centers appear to be more opaque than transparent. The company is allowing access to 10 key products, but is doing so in an environment completely controlled by Microsoft. Access is available only within the walls of the security center. Diagnostic tools are available, but they’re tools supplied by Microsoft. Inspection of source code, and use of diagnostic tools, will almost certainly be entirely on Microsoft’s computers for reasons that should be obvious.
Is this any way to inspect source code? If you already have doubts about the company supplying an application (which you must, if you find the Transparency Center necessary), would you trust it to be honest with you in an environment it completely controls?
The place to inspect source code of an application for intentional security vulnerabilities is at your own lab, or at the lab of a trusted independent security partner who is not part of the company or organization that’s developing and marketing the application. The code should be inspected on machines that are under your control, and it should be compiled after inspection with the resulting binaries compared with the binary being offered by the organization marketing the application — as Flip Wilson’s Geraldine used to say, you want to make sure that “what you see is what you get.”
This is, of course, how it’s done in the FOSS world, where we take free and open access to all FOSS applications’ source code for granted. Certainly, major tech companies that rely heavily on FOSS thoroughly vet all FOSS software before use in a production environment — meaning that the IBMs of this world can have much more confidence in Linux, Red Hat’s stack or anything from SUSE than they can ever have in Windows, MS Office or Oracle’s software.
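The “what you see is what you get” check described above, as an added example that is not part of the original article or of any Microsoft program: build the inspected source yourself (at least twice, to prove your own build is deterministic), then compare the result with the vendor’s shipped binary and, on a mismatch, report exactly which byte ranges differ so an investigator can tell an embedded timestamp from substantive divergence. The artifact bytes below are constructed stand-ins, not real binaries.

```python
"""Compare locally built artifacts with a vendor-shipped binary (reproducible-build check)."""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_regions(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Return (start, end) byte ranges where a and b differ; end is exclusive.
    A length difference counts as one trailing region, merged with a run that reaches it."""
    regions: List[Tuple[int, int]] = []
    n = min(len(a), len(b))
    i = 0
    while i < n:
        if a[i] != b[i]:
            start = i
            while i < n and a[i] != b[i]:
                i += 1
            regions.append((start, i))
        else:
            i += 1
    if len(a) != len(b):
        end = max(len(a), len(b))
        if regions and regions[-1][1] == n:
            regions[-1] = (regions[-1][0], end)   # extend a run that hits the shorter end
        else:
            regions.append((n, end))
    return regions


def verify_build(vendor: bytes, local_builds: List[bytes]) -> Dict:
    """Verdicts: 'unreproducible' if independent local builds disagree with each other
    (the vendor comparison is meaningless until the build is deterministic),
    'match' if every local build equals the vendor binary, else 'mismatch' with regions."""
    if not local_builds:
        raise ValueError("need at least one local build")
    vendor_hash = sha256_hex(vendor)
    local_hashes = sorted({sha256_hex(b) for b in local_builds})
    result = {"vendor_sha256": vendor_hash, "local_sha256": local_hashes, "regions": []}
    if len(local_hashes) > 1:
        result["verdict"] = "unreproducible"
    elif vendor_hash == local_hashes[0]:
        result["verdict"] = "match"
    else:
        result["verdict"] = "mismatch"
        result["regions"] = differing_regions(vendor, local_builds[0])
    return result


if __name__ == "__main__":
    # Constructed sample: the vendor binary carries 8 bytes the source never produced.
    local = b"\x7fELF" + b"\x00" * 12 + b"inspected-code-section"
    vendor = local[:16] + b"EXTRA!!!" + local[16:]
    print(verify_build(vendor, [local, local]))
```

Run the script directly to see a 'mismatch' verdict pointing at the injected bytes; feed the script your real build outputs in place of the constructed sample.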
Let the buyer beware. Trusting Microsoft in this case is very much akin to trusting…well, read my comment above about the fox-led security tour.
The Microsoft Transparency Centers are made from tinted glass.
I’ll leave you with my take on the security measures being taken around the new Microsoft Transparency Center in Brussels. Once safely inside the center, visitors will, no doubt, be treated to the infamous Cone of Silence:
We need you to help us make FOSS Force even better. If you enjoyed this article, please visit our IndieGoGo page and make a small contribution to our fundraising campaign. Every little bit helps.