Another Security Risk from China?

Bruce Schneier writes:

China is getting a copy of the Windows source code. I’ve already written about the security risks of open-source versus proprietary software. One of the problems with open source is that the bad guys get to look at the code. One of the good things about open source is that the good guys get to look at the code, too. If I were the Chinese government, I’d turn that code upside down looking for vulnerabilities, and then not tell anyone about them. This seems like a huge security risk to me, even though Microsoft might consider it a smart business move.

Good point. Microsoft probably sees China as just another customer, but from a security standpoint we should be wary. If there is any advantage to be gained here, the Chinese government will take it. The fact that we habitually view a technology as benign does not preclude someone else from using that technology as a weapon. (See, in this regard, Lex’s recent post about China’s space program.)

21 thoughts on “Another Security Risk from China?”

  1. Jon’s right.

    Let’s keep our eyes open about the Chicoms. Drudge has this about the recent manned flight:

    “The single-astronaut spacecraft carried an infrared camera that conducted photographic spying. The camera was mounted outside the craft and has a resolution of 1.6 meters, meaning something as small as 5 feet wide can be distinguished. The space spying highlights China’s plans to use space for military purposes, primarily to develop missiles and sensors, and to blind or cripple U.S. communications and intelligence systems in any conflict over Taiwan.”

    http://www.washtimes.com/national/inring.htm

    The point is not that war with China is inevitable, but that it is increasingly probable and we should respond early and often to preserve a strong, credible deterrent force in all areas where they might challenge us — whether in space, at sea, in the air, under the waves, or in our computer code.

    The British failed twice to treat the German threat seriously, especially before 1914, thinking that the hostile talk and gestures and actions couldn’t be serious. After all, the Germans were Britain’s biggest trading partners, they were sensible people, there were so many cordial cultural and business and educational ties between the two countries. And all those good sentiments, genuine ones, died in the mud of WWI because the Germans thought they could get away with their power-grab and because the British failed to create and maintain a credible deterrent. This is a particular risk where an undemocratic government must seek and maintain legitimacy by cultivating an appearance or even a reality of foreign threats, so any demand for liberty can be denounced as a security threat. The Chinese communists play this card all the time.

    Let’s not repeat the mistakes made in 1900-14.

    Dan, as to “buy a Mac” — at this point, like it or not, Windows is infrastructure.

  2. more on china
    and its “spacious” ambitions

    from a Globe and Mail article:

    “At the press conference, shortly after Col. Yang had safely landed, Chinese space engineers disclosed a detailed vision of the future: another launch of a manned space flight within the next one or two years, followed by further space missions to practise the art of spacewalking and orbital docking between two space capsules, and then a permanently inhabited space station in orbit around Earth.

    Although they didn’t confirm it this time, the Chinese dream goes beyond that. It includes a mission to the moon, a lunar colony and even a manned flight to Mars. It would take China up to the limits of human exploration and beyond, into uncharted territory.”

    full article:

    http://www.globeandmail.com/servlet/story/RTGAM.20031017.coyork17/BNStory/International/

    Very interesting, especially in light of that “unrestricted warfare” essay, which sounded more like a manifesto...

  3. I have nothing against Microsoft and actually believe they have made great contributions to our society on many levels. However, when I first heard about this I was very troubled. Does DoD have access to the source code? What about the security people at the NYSE? Again, I don’t want to bash MS but we have seen what random assholes can do by exploiting back doors. What could people with effectively an infinite amount of money and time do?

  4. Unrestricted Warfare is an eye-opener.

    There is a passage in Hap Arnold’s memoirs, where he is a young Army officer travelling on a passenger ship circa 1910. There are German officers on board. They are openly talking about how Britain’s day as an arrogant, world-dominating power is over, that Britain is too soft and materialistic to defend the empire it seized during a period when Germany was disorganized and unable to assert its rights, and that they and their generation would rectify this situation by force if necessary. That generation went to war and held off the armed might of the whole world for four years, dragging European civilization down with them, and ending the previous era of classical liberalism and globalization.

    Substitute Britain for the US and Germany for China, and substitute British command of the seas for US control of space — and put the authors of Unrestricted Warfare in the role of those young German officers.

    History does not repeat itself. But it seems to have a limited number of themes which recur again and again.

    Peace will be preserved by strength and deterrence and realism about real dangers.

  5. This concern goes back at least three or four years… not being a Windows guy I didn’t follow it very closely... anyway, one or another ‘new’ version of Windows (2000? NT? 1998?) was going to have an encryption function, one assumes with the requirement that it be fairly low-tech, and there was a rumour (true?) that MS had designed in two keys without anyone being clear on what the second key was for exactly. Of course, there was probably a simple explanation that I’ve forgotten, but you can guess at the range of conspiracy tossed about… NIS bombed, and the NSA was frantic... Bill Gates wanted MS to have a magical backdoor to better steal everyone else’s business plan ideas… programming short cut… aliens… etc. If I remember correctly there was a half-hearted attempt on the part of various foreign governments to move over to open source (I wonder if the Sun hacks started the rumour?) to ward off scary American domination of the “New Economy”. All good geeky fun.

    Link farm of wet dreams…. I recommend the Cambridge bonanza to get ones teeth around what’s reputable and well researched… great work.

    http://www.press.nu/pgut001/links/link_farms.html

    Everything and then some regarding security, systems, PGP plus some, and an all around orgy of obscure minds from every corner of the globe.

  6. I share your fear, Lex, but what are we going to do about it?
    IMHO there is nothing you can do that does not stir controversy. Even if you sneakily try to stop the competitive process of the Chinese, they will find a way around it.
    China is too far along with technology, as with becoming a major power; that can’t be stopped.
    They will outmatch us in 20 years and the only thing we can do is look into their brown eyes and hope that they don’t become devious.
    The bottom line is that we try to disestablish the communist reign,
    so that China becomes a democratically chosen state.
    Consumption-hungry people will do the rest.
    So that will probably stop a war with China, but will not stop us from losing our competitive advantage as the no. 1 economic power.
    That’s a different story!

  7. Guys,

    I’d like to offer a different perspective regarding China’s manned launch….

    First, congratulations to the whole Chinese team that sweated the process through in order to cross that hurdle. Chinese officialdom, including the Party cadres &etc., are running dog Confucianists to the depths of their non-existent Maoist souls, and risk-averse beyond any possible understanding or the English language’s ability to describe… I bet this launch has been going back and forth from one Central Committee member’s assistant’s protégé’s planning advisor’s desk to another since the days when the Chairman was still getting it on… Seriously! The risk of loss of face should the damn thing go wrong probably made it safer for any official to not even try without written orders from above, who would themselves need something down from on high… and of course who in their right mind would insult the Boss by asking Him such a thing directly! His harmony might be disturbed, which would suggest an inauspicious element was still somewhere in the planning, which in turn would suggest a further review was in order. Maybe the next time a lucky year arrives would be prudent…

    Yet it went off perfectly… notice how the number of orbits was just right? The world press was complimentary. The US was suitably gripped with paranoia as well as flattering overassessments of China’s space program that everyone else in the world will take as gospel. There’s no question that as the third great space-faring nation China can comfortably claim a seat at any great power conferences above the Japanese, Indians and Europeans… right with Russia and the US, which gives their diplomats and functionaries more status.

    What does it really mean to the US? They’ve had the ability and tech for manned missions for decades, as do India, Brazil, ESA, and Japan. They haven’t changed their nukes from a reprisal/second-strike posture. And it’s unlikely that the NSS is going to change just because the PRC got around to sending someone up for a couple of orbits. It will certainly put a lot of pressure on Japan to move faster on missile defense and rocketry, and as they’re doing it jointly with the US we’ll probably benefit from China’s launch for that reason alone (Japan is considered the only country to possess the tech to be within a decade of the US).

    Another consideration is North Korea, which the US would like to see China take responsibility for controlling, at least enough to de-nuke. I can’t personally grasp the East Asian countries’ maneuvering regarding status (face) between themselves… but as I understand North Korea’s relationship to China, the suggestion that Taiwan might get the nukes it wants would mean a degree of trouble for the Chinese that makes invading N. Korea themselves to convince them to give up their nukes. It’s hard to tell what’s rumour and what’s for-real.

  8. The concern with giving China Windows source code is an economic threat, not a security threat. Windows has so many security leaks now, why worry about the possibility China will find additional ones? If it wanted to, it could exploit the known issues. The real threat is China could take over the lucrative Windows apps market, possibly even developing the next PC standard operating system.

  9. James,

    I hope that you are right. But I have a question: why would Chinese software development pose a threat to us? I would think the added competition would be a boon.

  10. I agree. And as in India, high-tech is the one industry that can raise living standards the fastest and expand the middle class. Usually a good thing.

  11. I’d like to paraphrase Sylvain on that one and say that if China is involved, the truth can only be ugly. The Chinese are, of course, fundamentally bad. And they’re out to annihilate mankind by reverse-engineering Windows source code. Of course.

  12. some guy,

    To paraphrase means to restate in other words. That’s the opposite of what you just did. You invoked the word “paraphrase” as a dodge to attribute to Sylvain assertions that he never made. Were you trying to be funny or sarcastic? If so, you need more practice. Meanwhile I’ll leave your comment up because it makes you look like an ass. You are welcome to participate here if you want to discuss facts and ideas, but we won’t tolerate ad hominems or other cheap shots.

  13. Jonathan,

    I find it strangely amusing that while you say you won’t tolerate cheap shots, you still refer to a person with an opposing view as “an ass”. I was merely using Sylvain’s words in another context – which does not amount to attributing anything to him. Anyways, I’d like to leave it at that. But still, I fully agree with you when you ask why Chinese software development would pose a threat to us.

  14. Not so fast. You put words into someone else’s mouth and tried to deflect blame by mischaracterizing your personal swipe as a “paraphrase.” And now that you have mischaracterized my response as being to your “opposing view,” you’d like to let the matter go. That’s nice of you, but maybe, if you’d spend a little more time dealing with the substance of the arguments on this site, you’d find that opposing views are the last thing that any of us objects to.

  15. Hey, some guy, what is this stuff: “The Chinese are, of course, fundamentally bad.”

    You know damn well not even I have ever said anything like that here, and I am the paranoid person on this blog.

    Read, if necessary re-read, understand what was actually said, then think, then type.

    One little point. If someone makes a degrading and inaccurate innuendo about one of our colleagues, calling that commenter an “ass” is a pretty minimal response. But you knew that. You’d just rather pigeonhole anyone who disagrees with you, put your label on them, and respond to that. A fun game for you maybe. But a waste of everybody else’s time.

    But don’t despair. Jonathan and Sylvain are very patient. If we can get you suitably well-behaved, I don’t rule out your having something worthwhile to add to the conversation. Seriously. Try to actually engage what we say, be alert to humor which is meant as humor, and respond again as the spirit moves you. We will follow Rodney King’s admonition and try to all get along.

    The comments section of this site is becoming like a kindergarten to teach people who disagree with us basic courtesy. That in itself may be a valuable service.

  16. First of all, I wasn’t referring to anybody from this blog when I said that thing about China. I was rather referring to what is being said by some pundits (a la Bill Gertz). But then again, I take it this wasn’t clear in my original post. And I was merely using Sylvain’s words in another context, and not trying to be degrading to him or to insult him or anybody. I didn’t put words in anybody’s mouth. I just disliked being called an “ass” based on misperceptions. I didn’t mean to offend anyone.

    So, I’m pleased to bring you (back) to our feature presentation: Just like Jonathan put it, I hardly see how the fact that the Chinese have access to the Windows source code can somehow pose a threat to another country, except economically, of course. And, quite frankly, the Chinese do have a whole lot of catching-up to do before they get to where the USA is in terms of space exploration/use. But apparently, their space food tastes good.

  17. “I hardly see how the fact that the Chinese have access to the Windows source code.”

    Look at the Chinese essay on Unrestricted Warfare.
    http://ftp.die.net/mirror/cryptome/cuw01.htm
    http://ftp.die.net/mirror/cryptome/cuw02.htm

    These officers expressly and repeatedly cite hacking into an adversary’s computers as a way to wage war by indirection. Here’s one example.

    War in the age of technological integration and globalization has eliminated the right of weapons to label war and, with regard to the new starting point, has realigned the relationship of weapons to war, while the appearance of weapons of new concepts, and particularly new concepts of weapons, has gradually blurred the face of war. Does a single “hacker” attack count as a hostile act or not? Can using financial instruments to destroy a country’s economy be seen as a battle? Did CNN’s broadcast of an exposed corpse of a U.S. soldier in the streets of Mogadishu shake the determination of the Americans to act as the world’s policeman, thereby altering the world’s strategic situation? And should an assessment of wartime actions look at the means or the results?

    There is a lot more like this. The essay is very interesting.

    We have not yet seen what a hacking attack financed and organized by a foreign enemy as a weapon at a moment of their choosing as part of a whole scheme would look like. It would be one facet of a larger campaign.

    Maybe I’m “paranoid” — fearing an imaginary danger. I don’t think so. I don’t see why we should be allowing a military adversary access to key details about our economic infrastructure, especially where that adversary has telegraphed in advance some of the steps it will take to attack us.

    The point, again, is to have credible deterrence by not leaving ourselves open to attack. Failing to do so invites attack.

  18. To the extent the Chinese deploy and use Windows as well – and they do already, and they will even more – I’d say they are as exposed as we are to whatever they find in the source code.

    But should they choose to impose a different OS on their user community, and succeed, that is also, to some extent, a competitive disadvantage since they will have no or little access to the wealth of software we have.

    Sure, this could be a boon to Linux, for instance, but if you think you’re going to make more money on Linux in China than was made in the US (very little) you’re dreaming. China is, and will remain a hotbed of software piracy, giving few incentives to develop commercial software for their market.

    The language barrier also implies most of the effort would have to be homegrown. I’m not arguing it can’t succeed but reinventing every single wheel is neither cheap nor efficient.

    As a matter of fact, I am most positive about Chinese students being given software and PCs. The more they know about Windows, Unix and hacking, the easier for them to bypass state firewalls and reach the outside world without supervision and control, the better. Computers give them a way to see their country from the outside, without a passport. Never will so many gain this privilege so quickly.

    If the Chinese authorities want to open that Pandora’s box, let them at it. The risks and short-term costs might be worth the potential consequences.

    And yeah, one of those could be my losing my job to one of them. So be it.

  19. Thanks to Lex and Sylvain for the explanations. And Lex, I guess I do understand the whole point better now. It all makes sense when (as the short note prior to the essay states) electronic warfare is considered to be used for lack of other means. But what about the whole strategic balance / balance of threat issue? As I see it, there won’t be any incentive for the Chinese to use any form of warfare against the USA (for instance) in the near future.

    (Thanks for the links, I’m looking forward to reading the essay.)

  20. There’s an article on the BBC that reports an official estimate of the percentage of Chinese computing systems infected with viruses or worms to be a whopping 85%. Doesn’t this seem, if true, to be a reasonable concern of the Chinese government? They already restrict WWW access to their fledgling non-party business class, which disproportionately uses ‘unofficial’ versions of software (pirates or cracks) that don’t allow them to keep up with the steady stream of patches and upgrades that Windows is famous for. Probably the Chinese are more concerned with hacking their own people using personal computing for “subversive” activities than they are with getting an OS to antagonize the US’s IW community.

    Check the link farm I posted above for authorities regarding Windows security.
