Microsoft and the U.S. Department of Energy are disputing claims that bugs in Microsoft's database software threatened nuclear security in the United States and Russia.
Earlier this month, Bruce Blair, president of the Center for Defense Information, a nonprofit military research organization based in Washington, D.C., wrote that Russian nuclear scientists last year found a bug in Microsoft's SQL Server database software that threatened the security not only of Russian nuclear weapons materials, but also of U.S. nuclear materials.
Microsoft executives and Energy Department representatives scoff at the charge, saying Blair is making too much of a trivial matter. They say that the two bugs were never a threat, that no data was ever lost, and that the issues Russia had with the software have been resolved. U.S. nuclear data was never at risk, they say.
At issue was software that the Los Alamos lab gave Russian researchers to help them protect their country's nuclear materials. Blair, in a column published in The Washington Post, said the Russians found a bug that caused some files to become invisible, though they remained in the database. The fear was that insiders could trace the invisible files and divert nuclear materials for dangerous ends, Blair wrote. Russian scientists alerted the Los Alamos lab to the problem for fear that American nuclear materials were at risk, he wrote.
The problem was found in SQL Server 6.5. Russian scientists subsequently upgraded to SQL Server 7.0, a newer release of the database software, to help solve the problem. The scientists discovered that the same bug existed in the newer version, although in a less serious form, along with a new security flaw that could give unauthorized people easy access to information stored in the database, Blair told CNET News.com in an interview Friday.
"There was a dropped item for every 1,000 transactions" in SQL Server 6.5, said Blair, who has uploaded on his organization's Web site e-mail messages from Russian scientists detailing the problems. "With (version) 7.0, (the problem) was reduced in order of magnitude, but it was still a serious problem with dropped files."
Not so, say Microsoft executives and Los Alamos representatives.
They say the bug that caused data to become invisible did exist, but was limited to one Russian facility that customized accounting software the lab had donated. The bug surfaced only in the customized accounting software running on SQL Server and did not appear at other customer sites, said Steve Murchie, Microsoft's group product manager for SQL Server.
Microsoft offered to create a bug fix last year, but the Russian scientists didn't want it, said Murchie.
"We heard this customer application was running some complex (software) code against 6.5 and was returning different results under different circumstances," he said. "We looked at it and offered to create a fix. No data was ever lost."
To solve the problem, the lab suggested that the Russian scientists upgrade to SQL Server 7.0, according to Los Alamos' Ambrosiano. The Russian scientists moved to 7.0 and found a new bug that they said could allow unauthorized users to gain access to information.
Murchie said the bug was a minor problem in Microsoft's instructions for using the software and has been resolved. "It was not a product flaw. Only under circumstances (where) the site (had) no password could anybody get to it," he said. "If normal policies were in place, there's no impact."
Murchie also takes issue with Blair's assertion that someone could have diverted the nuclear information while it was "invisible." Regardless of the software or the system, a knowledgeable insider could attempt to steal or alter information, but the blame would belong to a breakdown in the management of computing systems, not to the software, Microsoft contends.
"The fact of the matter is, any insider with access to an application can corrupt software and divert anything for their own nefarious purpose," Murchie said.
Lab officials said Russia's custom software was never used in the United States and that the United States was never vulnerable to the same problem.
"To our knowledge, there has been no Russian nuclear information lost or any diversion of Russian nuclear material due to the flaw," lab representatives said in a statement. "U.S. nuclear material accountability systems are rigorously tested and have demonstrated capability for tracking all accountable nuclear materials."
Microsoft, which competes against Oracle and IBM in the database software market, sells a new version of its database, called SQL Server 2000.
Geez, this is like news story necro big time. They need to set something to block news articles over a month old from being allowed to be in the top news list.
Glad some readers took note of the date, as I was much more scared to hear those institutes are running SQL Server 6.7 and 7.0 (which are now 16-12 years old) than the reported bug.
I do hope they upgraded ever since as I doubt today they can get any bug fix to that software.
CNET - remove the link and stop the panic. Did we move away from making up headlines to recycle bad headlines?
"Microsoft and the U.S. Department of Energy are disputing claims that bugs in Microsoft's database software threatened nuclear security in the United States and Russia."
OMG, they trusted this level of security to Microsoft technology? That is really scary. Maybe Microsoft will be the cause of the demise of the USA?
Did you read the article publishing date like the rest, or do you just hate Microsoft? This article was published in 2001 and SQL Server 7.0 was obsolete 10 years ago.
For another fact - Microsoft may be blamed for bugs but it gets work done and puts money in 70% of computer users' pockets.