In order to continue selling Microsoft products to the Russian government, the Redmond Washington software company granted various agencies of the Russian government access to source code for Windows 7, Server 2008, and other products.

The government agencies listed in the agreement include the former KGB.  The source code access will help the Russian government to find security flaws in Microsoft products.  What the Russians do with this knowledge is unclear.

Ten percent of Microsoft’s $1 billion Russian business revenue comes from the Russian government, according to a Bloomberg web article.

This isn’t the first time that Microsoft has allowed foreign governments access to their source code.   They have a Government Security Program to grant source code level access to Microsoft products.  GSP started in January of 2003 as a more formal name for their Shared Source Initiative which started in 2001.

According to the GSP home page:

Microsoft offers eligible, participating national governments no-cost, online smart-card access to source code for the most current versions and service packs of Windows Client, Windows Server, Windows Embedded CE, and Office. In addition, subject to such requirements as U.S. export approval, qualified GSP participants may also obtain access to cryptographic code and development tools. The GSP also provides transparency through disclosure of Microsoft technical information. This engineering-level view of Windows architectural design provides greater insight regarding the platform’s integrity and enhances national governments’ ability to design and build more secure computing infrastructures.

The recent Russian spy story makes this a little sensitive for Microsoft as ghosts of the Cold War resurfaced in the news this week.  I wonder who else has access.  The GSP web pages touts that this no-cost partnership is available in 65 geographic markets.

Data Breach Exposes RAF Staff to Blackmail

Posted using ShareThis

Executive summary of the article: Audio recordings of security clearance interviews are stored on an un-encrypted hard drive that goes missing…

This illustrates a break down in not just one system, but several. The obvious failure to protect physical security is bad. The hard drive should have been a controlled item, with proper labeling, and inventoried with the rest of the equipment.

The infosec controls were bad. You’ve got sensitive data on a drive, you should encrypt the drive.

The admin controls were also bad. Why is the material recorded? Why are the recordings kept?

All this badness combines to create a really horrible problem for the RAF. Someone, somewhere, now has audio of RAF employees that can be used to discredit the service or to exploit the individuals. Even if the RAF pulls the clearances and re-assigns the employees, now the RAF has to scramble to replace people in trusted positions. It’s a bad day for the RAF…