Resisting exploitation of Microsoft 'Transparency Centres' through open-source

Posted by zeeshan on Jan 23, 2017 11:04 PM EDT
Dhaka Tribune; By Zeeshan Hasan

In response to the Snowden revelations of security holes, Microsoft is offering governments limited access to code for security review through its global 'Transparency Centres'. A more rational approach for countries like Bangladesh is to replace MS software with free/open source software.

Since the much-publicized Bangladesh Bank hacking and catastrophic loss of 86 million dollars, it is natural that the government should be looking to improve cyber-security, and contacting various external companies and consultants to that end. However, government officials should be wary of being taken advantage of in the process.

On January 6th, Dhaka Tribune printed a long interview with Keshav Dhakad of Microsoft (http://www.dhakatribune.com/feature/2017/01/16/experts-analy...). The interview was notable for saying that Dhakad was discussing giving access to Microsoft code for security review by government programmers through its Transparency Centre in Singapore. Apparently this is an arrangement which Microsoft has been making with various governments, especially since the Edward Snowden revelations of security backdoors in Microsoft Windows, which apparently allow US intelligence agencies to spy on other governments through Windows computers. Naturally, we can expect that in return for this access, Microsoft would request that the government stop piracy of Microsoft software and pay for licenses of Microsoft Windows and Microsoft Office on all government computers. After all, no one can expect access to Microsoft source code without paying for lots of Microsoft software licenses.

Let’s look at what this means. Microsoft software, like all software, inevitably has some bugs and security holes. Microsoft, through their Transparency Centre in Singapore, is thus giving governments an opportunity to look through Microsoft Windows code for security holes which could lead to both spying by foreign intelligence agencies and hacking/theft of data (from Bangladesh’s perspective, these two are almost the same). However, if the government is going to employ a team of programmers to review Microsoft code for bugs, that is a quality assurance activity which has an economic value, and is in fact increasing the value of Microsoft software by identifying and correcting bugs and security holes in it. It would be appropriate for Microsoft to pay Bangladesh for that code review by Bangladeshi programmers. However, far from Microsoft paying Bangladeshi programmers to uncover bugs in their software, Microsoft would expect that Bangladesh pay for licenses to get the privilege of fixing bugs and security holes. This is a completely unfair arrangement.

The fact is that if the Bangladesh government engages programmers to fix code, that code should then be the property of the Bangladesh government. That is the only situation where it makes sense to perform such a quality control exercise. However, Microsoft is never going to give the government any kind of ownership of Microsoft code. So this seems like an impasse.

However, logically there is a way out. If the government is going to be in the business of checking code, then the government should only be using open-source code like the Linux (www.linux.com) operating system, Mozilla Thunderbird email software (https://www.mozilla.org/en-US/thunderbird/) and LibreOffice productivity software (www.libreoffice.org). Open-source software is effectively a public good and owned by everyone who uses it. So there is no conflict of interest in the Bangladesh government paying programmers to fix bugs and security holes in open-source software, because the Bangladesh government would be as much an owner of the software as anyone else, and benefit from the increased use-value of the improved software as much as any other user.

The above rational solution requires the government to make an important decision at this point; namely, to start replacing pirated Microsoft Windows and Microsoft Office with free/open-source software like Ubuntu Linux (www.ubuntu.com/desktop), LibreOffice and Thunderbird e-mail. In that case, it makes sense for the government to invest in a team of programmers to check the open-source software being used in its own computers for bugs and security holes. Such an economic case simply doesn’t exist for Microsoft software.
