Bonum Certa Men Certa

Wikileaks/Cablegate Reveals That Microsoft Gave Windows Source Code to TOPSEC, Which Trains and Employs Chinese Cyberspies

Kevin Mitnick
Putting Windows source code in the hands
of the Kevin Mitnicks of China



Summary: Microsoft equips private companies -- not just governments -- with just what they need to intrude all Windows-running computers, namely a key to potential remote access without liability

NOT just incompetence and negligence [1, 2, 3] are the cause of Microsoft's security problems. Based on Cablegate leaks, it is possible that Microsoft's secret (and poorly audited) code is exploited so often in China because Microsoft gives them access to this source code (which security researchers in the West cannot see and scrutinise prior to release in binary form).



Several days ago we showed some Egypt cables (prior to Wikileaks being targeted by censors) and it helped show just how closely Microsoft works with governments on 'security'. The Guardian noticed this independently from us and highlighted the following block (filed under "US embassy cables: China uses access to Microsoft source code to help plot cyber warfare, US fears"):

56. (S//NF) CTAD comment: Additionally, CNITSEC enterprises has recruited Chinese hackers in support of nationally-funded "network attack scientific research projects." From June 2002 to March 2003, TOPSEC employed a known Chinese hacker, Lin Yong (a.k.a. Lion and owner of the Honker Union of China), as senior security service engineer to manage security service and training. Venus Tech, another CNITSEC enterprise privy to the GSP, is also known to affiliate with XFocus, one of the few Chinese hacker groups known to develop exploits to new vulnerabilities in a short period of time, as evidenced in the 2003 release of Blaster Worm (See CTAD Daily Read File (DRF) April 4, 2008). 57. (S//NF) CTAD comment: While links between top Chinese companies and the PRC are not uncommon, it illustrates the PRC's use of its "private sector" in support of governmental information warfare objectives, especially in its ability to gather, process, and exploit information. As evidenced with TOPSEC, there is a strong possibility the PRC is harvesting the talents of its private sector in order to bolster offensive and defensive computer network operations capabilities. (Appendix sources 51-52)


So, not just governments are getting access to source code. The "agreement with Microsoft... allowed select companies such as TOPSEC access to MICROSOFT source code in order to secure the Windows platform." Here it is in raw form. "TOPSEC that trains most of china cyberspys," Oiaohm quotes from it. "It's in that cable," he says. He then gives another direct quote from the cable: "TOPSEC provides services and training for the PLA and has recruited hackers in the past." On this one he remarks: "Then latter on in the cable to says they have been granted access to MS source code." The remainder can be read in our latest IRC logs, which make operation of this Web site entirely transparent, unlike governments. "Security by obscurity is that you don't give the source code to the people attacking your system," Oiaohm adds and "[i]If you are not using Security by obscurity you might as well publish the source code for everyone to see... At least then you have a better chance that truful ones will tell you where the flaws are." (typos corrected)

“Proper obscurity can be done with open source”
      --Oiaohm
He continues: "that cable is a security research document in what the hell has gone wrong... That the USA was being breached so much... Also if you dig deeper the USA side is doing the same thing... Both are trying to use closed source to give them a cyberadvantage while both have access to the source code... Proper obscurity can be done with open source... Each system must be able to have many different combinations in its security system to attacker is not quite sure what he will be walking into... So attacks take longer to develop... MS Windows where most installs have basically the same security config... Basically have a obscurity level of nothing."

Another cable speaks of an "invitation for a private meeting with a named DoS employee. The attached Microsoft Word document was a malicious". Microsoft is mostly mentioned negatively (for security reasons) in Cablegate, at least thus far. What will be revealed in the remaining 99% of Cablegate (the part which has not been published yet)?

In actual security news (not leaks of old confidential reports), Vista 7 is being bricked by software which claims to improve Windows security:

THOSE WHO ARE RUNNING 64-bit Windows 7 systems should not download the update for AVG Technologies' AV software.

AVG has withdrawn the update after complaints that the update completely bricked systems by forcing computers to go into an infinite crash loop.


Users of GNU/Linux and BSD never have such problems. Why won't the US government encourage adoption of Free software, whose transparency makes it secure? It's the same fallacy about secrecy which toppled both Windows security and now the US government. It arguably censors Wikileaks more zealously than other governments.

Comments

Recent Techrights' Posts

[Meme] Objective Objection at the EPO
No more quality control
EPO Staff Explains Why It Cannot Issue EPC-Compliant European Patents (in Other Words, Why Many Fake Patents Get Issued)
chaos inside
Links 24/02/2024: More Sanctions Against BRICS, Software Patents Squashed
Links for the day
Microsoft's Demise on the Server Side Continues Unabated This Month
Netcraft says so
Bonnie B. Dalzell Explains Her Experience With Richard Stallman
new essay
Gemini Links 24/02/2024: OpenBSD Advocacy and Nonfree Firmware Debated
Links for the day
Mark Shuttleworth & Debian Day Volunteer Suicide cover-up
Reprinted with permission from Daniel Pocock
IRC Proceedings: Friday, February 23, 2024
IRC logs for Friday, February 23, 2024
Over at Tux Machines...
GNU/Linux news for the past day
Links 24/02/2024: EA Planning Layoffs and 'Liquor Regulators Are Seeking Revenge on Bars That Broke Pandemic Rules'
Links for the day
Gemini Links 24/02/2024: In Defense of Boilerplate and TinyWM Broke
Links for the day
Microsoft's Pearls of Wisdom: Layoffs Are Growth
Microsoft boss: layoffs are "long-term growth."
[Meme] Hide the Bodies
hiding EPO's role in funding Lukashenko
Josef Kratochvíl and All the European Patent Organisation's Chiefs (at the Administrative Council Too) Notified That Over 1,000 Members of Staff Demand Action on Patent Quality and Compliance (Industry Too is Alarmed That Many Invalid Patents Get Granted)
Huge corruption
Microsoft Lacks a Solid Strategic Plan Other Than Buying Its Own Stock (and Paying Staff in Shares)
Beware and be cautious of bubbles
Debian trademark canceled
Debian trademark canceled
Links 23/02/2024: Feed Aggregator and 2 Years of Invasion, Alexei Navalny’s Mother Blackmailed
Links for the day
Gemini Links 23/02/2024: Getting 'Sick' of Modern Tech and Deletion of One's Reddit Account
Links for the day
Links 23/02/2024: 227 Microsoft Layoffs Noted in Santa Clara and Disaster in Rivian
Links for the day
IRC Proceedings: Thursday, February 22, 2024
IRC logs for Thursday, February 22, 2024
Over at Tux Machines...
GNU/Linux news for the past day
[Meme] It's NOT Your PC
losing control of hardware
Microsoft's Chatbot Strategy Resulted in Massive Losses, So Now It's Trying to Reinvent Itself as 'Hardware Company' (Once Again, Years After XBox, KIN, Windows Phone and Surface Failed Miserably)
revenues associated with Windows has fallen sharply
Gemini Links 22/02/2024: Removing Radio Ads and Being Seen on the Internet
Links for the day
Mark Shuttleworth and the Question of Liability (Debian Volunteers He Pressured Before the Suicides)
Humanity for me
Mark Shuttleworth's (MS) Canonical Running Microsoft (MS) Ads, Mischaracterising Mass Surveillance as 'Confidential' (the Usual Lie)
The money talks, so the facts are absent
Ads as 'Articles'
Money buys perception manipulation (or reputation laundering) campaigns
Abraham Raji & Debian, DebConf kayak death: search abandoned, evading liability
Reprinted with permission from Daniel Pocock
Links 22/02/2024: Chatbots Failing 'Big Time' and More Condemnations Appear of Bill Gates
Links for the day
There May be Close to 100,000,000 Laptops and Desktops Running GNU/Linux Around the World in 2024
hard to track the number
Search Engine Market Share Worldwide Shows How Badly Microsoft's Chatbot Strategy (Hopes) and Vapourware Have Failed
Bing, which was marketed as the forefront "product" for chatbots (Microsoft paid the media a lot of money for hype campaigns), gained nothing at Google's expense
[Meme] Demoralising and Putting Down Your Staff
unproductive and dangerous approach
This Week's Letter to António Campinos About Mean-Spirited Line Managers at the European Patent Office (EPO)
Seems like a way to get rid of staff. Some will resign in anger.
Software in the Public Interest (SPI) & Debian obfuscated structure fooled suicide victim's family: the ultimate example of bad faith
Reprinted with permission from Daniel Pocock
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, February 21, 2024
IRC logs for Wednesday, February 21, 2024
Gemini Links 22/02/2024: What We Pass On and HTTP Header Viewer
Links for the day