Microsoft Gives Source Code to Chinese Government

Monday, June 13, 2011

Danny Lieberman

959779642e6e758563e80b5d83150a9f

Sold down the river. A phrase meaning to be betrayed by another.

Originated during the slave trade in America, selling a slave "down the river" would uproot the slave from their from spouses, children, parents, siblings and friends.

For example:

"I can't believe that Microsoft gave their source code to the Chinese in a pathetic attempt to get them to buy more MS Office licenses. Boy-were we sold down the river!"

In the euphemistically worded press release Microsoft and China Announce Government Security Program Agreement, we learn that China joins over 30 other countries as recipients of access to Windows operating system source code.

I bet all that yummy, ecumenical, international  cooperation gave someone at the BSA warm and fuzzy feelings. Either that or Ballmer told them to keep quiet.

Hold on. That announcement was in 2003.

Fast forward to 2011. Searching on Google for "Chinese attacks on US on US" yields 57 million hits. After the RSA breach, China is linked to attacks on US Defense contractors and US Congresswoman condemns attack on change.org

In 2011, Steve Ballmer is saying that China is doing 5 percent of the revenue that it should be doing because  of pirated software. See the article  Microsoft’s Chinese revenue 5% of what it could be

The BSA (Business Software Alliance), an industry lobby group, has some interesting figures to fuel Ballmer’s comments:

  • Four of five software programs installed on PCs are pirated
  • This amounts to “commercial theft” of close to $8 billion a year
  • Piracy in 2010 cost the software industry $59 billion in revenue

I would not take BSA numbers at face value. The BSA estimates are guesses multiplied several times without providing any independent empirical data. They start off by assuming that each unit of copied software represents a direct loss of sale for Microsoft, a false assertion.

If it were true, then the demand for software would be independent of price and perfectly inelastic.

A drop in price usually results in an increase in the quantity demanded by consumers. That’s called price elasticity of demand. The demand for a product becomes inelastic when the demand doesn’t change with price.

A product with no competing alternative is generally inelastic. Demand for a unique antibiotic, for example is highly inelastic. A patient will pay any price to buy the only drug that will kill their infection.

If software demand was perfectly inelastic, then everyone would pay in order to avoid the BSA enforcement tax. The rate of software piracy would be 0. Since piracy rate is non-zero, that proves that the original assertion is false. (Argument courtesy of the Wikipedia article on price elasticity of demand ).

See my essay on the economics of software piracy.

Back to Microsoft and their highly ineffective strategy to sell more licenses in China.

Clearly, Microsoft's strategy to induce the Chinese to buy more Microsoft software licenses by sharing Windows source code has not gotten any traction in the past 8 years.

Au contraire, from a software engineering perspective, it is a fair assumption that having access to Windows source code has made it easier for Chinese cyber attackers to write attack code to penetrate and compromise US defense contractors, critical infrastructure and activist groups like change.org - who all still use  highly vulnerable Windows monoculture products.

This is where we need to explain to the people who drink Microsoft Koolade about the difference between "controlled access" to source code with countries who are  potential enemies with the notion of Open source - where everyone and anyone can look at the source code - where lots of eyeballs help the developers make the operating system more robust.

From a security perspective, the number of eyeballs looking at Linux make it more secure than Windows.

But more significantly, from a commercial perspective, note how abortive Microsoft strategy really is in this case study from  the Harvard Business School on Red Flag Software.

In 2005, just five years after its formal launch, Beijing-based Red Flag Software was the world's second-largest distributor of the Linux operating system and was expecting its first annual profit. On a unit basis, Red Flag led the world in desktops (PCs) shipped with Linux and was No. 4 in installed servers. On a revenue basis, Red Flag was fourth overall. Within China, Red Flag held just over half of the Linux market and ran key applications for the postal system, large state-owned enterprises, and more than a million PCs. The Chinese government supported Linux as an alternative to Microsoft's Windows operating system to avoid royalty payments to foreign firms and dependence on foreign technology.

Since the Chinese government have been open about their support of Linux for years, it certainly makes the release of Windows source code look like a very bad idea.  I would hope that this does not go unnoticed in US Congress.

Possibly Related Articles:
21175
Network->General
Information Security
Microsoft China malware Attacks Source Code Business Software Alliance
Post Rating I Like this!
850c7a8a30fa40cf01a9db756b49155a
J. Oquendo Dan, you have to remember the source code given to China has been changed so much and MANY attackers are constantly bombarding MS with all sorts of exploits leading to patches, then to SEH, then to ASLR/SEH and so on.

With that said, I could see China or other countries exploiting licensing however, remotely exploitable "heavy hitter" exploits are almost sure to be cross-stumbled upon by a variety of researchers. You need to be aware and or remember, programs like ZDI will often pay an exploit researcher a decent amount of money for weaponized exploits. This leads to patches, etc., and if you're in any country, money talks most of the times. This means, its more "beneficial" for a security researcher to earn anywhere from 1k - 100k for a working "heavy hitter exploit" than it would be for them to sit on it via some voodoo "APT" nonsense.

Now when it comes to Linux versus Windows on the market in China, I am unsure of the usage however, from the "red teamer" security perspective, I can tell you that there are PLENTY of vulnerable pre XP Windows machines saturing China's allocation of APNIC ranges. ShodanHQ can attest to that statement.
1307990849
959779642e6e758563e80b5d83150a9f
Danny Lieberman J
Excellent points, really.

For sure there are multiple channels to obtain information and operating system sources and for sure, that particular program, if it released w2k code is not particularly relevant today. But - it may have given a leg up to a few people back when....

Regarding Red Flag and other Linux flavors in the Chinese market, I think that the point regarding Microsoft is that instead of trying to convince the Chinese to use Windows and therefore Office (which is still a revenue mainstay for Microsoft) - it would make much more commercial sense to provide a Chinese version of Office for Red Flag Linux in an OEM bundle with the operating system and provide low cost unbundeled licensing for $25-30. With the numbers on the Chinese market - MSFT would be doing much better.
1308025169
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.