Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×

Microsoft Gets Help From NSA for Vista Security 233

An anonymous reader writes "The Washington Post is reporting that Microsoft received help from the National Security Agency in protecting the Vista operating system from worms and viruses. The Agency aimed to help as many people as they could, and chose to assist Vista with good reason: the OS still has a 90 percent lock on the PC market, with some 600 million Vista users expected by 2010. From the article: 'The Redmond, Wash., software maker declined to be specific about the contributions the NSA made to secure the Windows operating system ... Microsoft said this is not the first time it has sought help from the NSA. For about four years, Microsoft has tapped the spy agency for security expertise in reviewing its operating systems, including the Windows XP consumer version and the Windows Server 2003 for corporate customers.'"
This discussion has been archived. No new comments can be posted.

Microsoft Gets Help From NSA for Vista Security

Comments Filter:
  • by daveschroeder ( 516195 ) * on Tuesday January 09, 2007 @10:56AM (#17522272)
    Information Assurance [nsa.gov] has long been one of NSA's primary missions. NSA ran the Trusted Product Evaluation Program (TPEP) [faqs.org] since 1983, which evaluated off-the-shelf commercial products against standardized security criteria, and employed various experts from government, military, academia, and industry. Contributions or recommendations from TPEP often were incorporated into future iterations of vendor products. The expanded Common Criteria programs, which grew in part out of the US Trusted Computer System Evaluation Criteria [wikipedia.org] (TCSEC, the famous Rainbow Series [wikipedia.org] of security publications), picked up where TPEP left off, now administered by the National Information Assurance Partnership (NAIP) [nsa.gov] of NSA and NIST.

    NSA's Information Assurance Directorate also provides public security configuration guides [nsa.gov] for many popular applications, operating systems, database servers, routers, and other networking equipment.

    Also, don't forget to check out NSA's Security-enhanced Linux (SELinux) [nsa.gov] (FAQ [nsa.gov]).

    When US computing, communications, and networking implementations are more secure, we all benefit, and NSA contributes to this in its overall mission.
    • Re: (Score:3, Interesting)

      by temojen ( 678985 )
      Also, there' no mention of how much of the NSA's advice MS has used and how much they've ignored.
    • Re: (Score:3, Insightful)

      by bbernard ( 930130 )
      It's interesting to me to notice that at least some of the things the NSA has suggested for XP and 2003 are settings and options that need to be configured and are not pre-configured for "out-of-the-box" operation. For instance, password length and complexity. Perhaps that's a bad example, but it shows that Microsoft is willingly supplying their OS software configured in a way that they know provides sub-standard security. While I don't specifically blame them for that--can you imagine the home users tha
      • by wiredog ( 43288 ) on Tuesday January 09, 2007 @11:39AM (#17522862) Journal
        The longer and more complex it is, the more likely it is to be written down on a post it stuck to the side of the monitor. Especially if you have multiple passwords on different change cycles. "Must have a capital letter, special character, number, be at least 8 characters long, and change every 3 months" is probably, in the long run, no more secure than "must be at least 8 characters long, contain one or more non-alphabetic characters, and change twice a year".
        • Re: (Score:3, Interesting)

          by spun ( 1352 )
          There's an easy way to deal with complex password requirements. One place I worked required 8 characters with at least one capital letter, one lower case letter, one number, and one punctuation mark. Plus, they required a new one every month. To top it off, they kept track of the last three passwords and you couldn't reuse them. I just memorized a pattern on the keyboard (like e4r5t6y7) and hit the shift key a couple times. Then when I changed the password, I just shifted the pattern over one letter (r5t6y
        • by MarkusQ ( 450076 ) on Tuesday January 09, 2007 @12:12PM (#17523316) Journal

          It's a little more complex than that.

          "Good" passwords (which, as you note, are more likely to get written down) are much better against remote attacks but often no better or even worse (because they get written down) against local attacks. It all comes down to what you are trying to protect against. If the majority of the people you are worried about have access to the sticky notes on your monitor, long passwords that need to be written down are not going to help much (unless you make a habit of writing them down incorrectly).

          But for most net-connected resources these days, strong passwords are probably better simply because there are more bad guys "out there" than "in here."

          If this is not the case for you--if, in other words, there are more bad guys within your office than outside it--you may want to change jobs and report your present employer to the authorities. (Unless of course your present employer is "the authorities", in which case you should probably also start carrying a Geiger counter as soon as you quit.)

          --MarkusQ

          • But for most net-connected resources these days, strong passwords are probably better simply because there are more bad guys "out there" than "in here."
            I thought most security incidents were usually inside jobs. e.g. a quick search brings up: Study: ID theft usually an inside job Up to 70 percent of cases start with employee heist [msn.com]
            • by Heembo ( 916647 )
              No, most security incidents result from a failure to develop software properly.
            • I suppose it depends on what you mean by incidents. While one system intrusion may net thousands of identities, it's still only one incident in terms of the password being compromised (if that is in fact how they get the data--insiders often have easier ways to get things than cracking passwords). While I would agree that attacks by insiders typically compromise more data, I would dispute that they are more frequent. Numerically, the majority of all computer security incidences are most probably bot-net

      • Re: (Score:3, Insightful)

        by novus ordo ( 843883 )
        Wouldn't be the first [networkworld.com] time.
    • The encryption cat is out of the bag, so if you can't own the communication channel, own the computers on either end.

      Sure, I'm just delusional. But then again, there was that WMF exploit that according to Security guy Steve Gibson (grc.com and the SecurityNow podcast) inferred that was deliberately put in the code by someone (though he didn't point the finger at MS, some contractor for MS, at the Gov't direction, or anyone else). Before it was patched, it allowed the execution of arbitrary code on a clien
      • by jafac ( 1449 ) on Tuesday January 09, 2007 @12:33PM (#17523606) Homepage
        Well, there's two things about this.

        First, there's the mysterious NSAKey API that was in IE 4.0 (don't know if it was in later versions).
        Then, there's the regkey for tcpip maxhalfopenretries, or is it maxhalfopenretires? Nobody seems to know. Yet the "retires" version is in the Win2k template supplied by the NSA. And if you run that template, this setting shows up as a vulnerability on security scans. It's a hell of a bad back door, if it's a back door, (because the vulnerability is a DoS, not very useful for snooping) but I don't understand how this mistake could just sit there, in plain text, in a freely downloadable template, without anyone trying to address it for so many years.
        • by gad_zuki! ( 70830 ) on Tuesday January 09, 2007 @01:56PM (#17524858)
          An eight year old conspiracy theory. Even Bruce Schneier doesnt buy it
          Suddenly there's a flurry of press activity because someone notices that the second key in Microsoft's Crypto API in Windows NT Service Pack 5 is called "NSAKEY" in the code. Ah ha! The NSA can sign crypto suites. They can use this ability to drop a Trojaned crypto suite into your computers. Or so the conspiracy theory goes.

          I don't buy it.

          First, if the NSA wanted to compromise Microsoft's Crypto API, it would be much easier to either 1) convince MS to tell them the secret key for MS's signature key, 2) get MS to sign an NSA-compromised module, or 3) install a module other than Crypto API to break the encryption (no other modules need signatures). It's always easier to break good encryption by attacking the random number generator than it is to brute-force the key.

          Second, NSA doesn't need a key to compromise security in Windows. Programs like Back Orifice can do it without any keys. Attacking the Crypto API still requires that the victim run an executable (even a Word macro) on his computer. If you can convince a victim to run an untrusted macro, there are a zillion smarter ways to compromise security.

          Third, why in the world would anyone call a secret NSA key "NSAKEY"? Lots of people have access to source code within Microsoft; a conspiracy like this would only be known by a few people. Anyone with a debugger could have found this "NSAKEY." If this is a covert mechanism, it's not very covert.

          I see two possibilities. One, that the backup key is just as Microsoft says, a backup key. It's called "NSAKEY" for some dumb reason, and that's that.

          Two, that it is actually an NSA key. If the NSA is going to use Microsoft products for classified traffic, they're going to install their own cryptography. They're not going to want to show it to anyone, not even Microsoft. They are going to want to sign their own modules. So the backup key could also be an NSA internal key, so that they could install strong cryptography on Microsoft products for their own internal use.

          But it's not an NSA key so they can secretly inflict weak cryptography on the unsuspecting masses. There are just too many smarter things they can do to the unsuspecting masses.
          The fact that 'some security scans' consider something a threat doesnt mean it really is. This is real tin-foil stuff, especially considering if the NSA wanted to muscle MS then youd never know about it.
      • That WMF flaw is older than the commercial internet.
        It was an artifact of supporting OLE in WMF and how thread control (hah) in Windows 3.1 worked... kept backwards compatible to this day.
        It was a shitty design from the getgo, malice or "terrarist fightin' tool" have nothing to do with it. Also, Steve Gibson is a tool. Seriously, get your security news from ANYWHERE else.
    • by thewiz ( 24994 ) *
      Leads one to wonder how much or how many features of SELinux ended up in Vista. I'm not trolling here, just wondering which security features SELinux and Vista now share.
  • by yagu ( 721525 ) * <`yayagu' `at' `gmail.com'> on Tuesday January 09, 2007 @10:57AM (#17522282) Journal

    Wouldn't it be nice to be a company so large and dominant in it's industry yet so inept in delivering a code-complete product it gets help (I'm assuming for free) from government agencies to try and get it right? So, my tax dollars at work for Microsoft... (the article does mention Microsoft gets this help for free, I can only assume then "we" foot the bill).

    I'm not saying Microsoft shouldn't collaborate with external organizations, but why am I paying for it? Even more reason to be upset about their usurious rates for their new OS. Consider that the drive I bought at Costco 10 years ago (500MB) costs on the order of 500 to 1000 times more (that's almost two magnitudes) than storage today, and that Microsoft continues to charge at the same rate -- they even seem to adjust for inflation.

    </rant>

    • You're paying for it because its for the good of the nation! Now lets see about increasing that H1B visa quota so Microsoft can increase the amount of indentured servants on its pay roll.
    • Err.. when has software's value ever been judged from the amount that the user can store? Unless you don't have a lot of space of course, but just because hard drives and processors are better and cheaper (or at least hold more and go faster) than they used to be, doesn't mean that the value of any software running on them decreases proportionally.

      Anyway, other than that, even though it sucks for you guys who are paying for your government to do this, I'm quite happy that the US Gov will be helping to cu
    • by bmajik ( 96670 ) <matt@mattevans.org> on Tuesday January 09, 2007 @11:19AM (#17522590) Homepage Journal
      A cursory glance at the article would reveal that the spooks also work with Apple and that Novel also works with "somebody" in the govt.

      The article also states why the NSA thinks this is in their (and the countries) interest - the mandate has come down that procurement focus on COTS (commercial, off the shelf) for more and more things. If the security of the nation or the safety of a ship or soldier are going to be left to commercial software, the government should take a more active role in due dilligence and capability review of the products it is buying. The NSA is a logical choice for doing some of that work.

      I am a little surprised that nobody has said "the NSA is hording vulnerability info on windows for their own evil purposes! Use Linux!" I'll leave it as an exercize to the reader as to why that is a non-issue. (Hint: does the NSA also get to review the linux code?)
      • A cursory glance at the article would reveal that the spooks also work with Apple and that Novel also works with "somebody" in the govt.

        It's not surprising that Apple would be partnering with the NSA. They briefly announced then removed all mention of a framework in Leopard that implements the mandatory access controls the NSA developed for SELinux. I have no doubt that they would be a valuable resource in auditing such an implementation.

      • Re: (Score:3, Interesting)

        Comment removed based on user account deletion
      • The NSA also works with many other businesses on the topic of computer security. This includes "critical infrastructure"--telecommunications, energy (oil, gas, coal, power generation), all that jazz. Some of these companies are making major efforts towards security. And it's not just "for the good of the country". If somebody hacks an oil platform and shuts it down, that's millions of dollars per day that the oil company loses. So the NSA and the "critical infrastructure" companies may have different g
      • by Locutus ( 9039 )
        Maybe they should have thought about that 8 or so years ago when SOMEBODY decided that Windows was going to be the standard for ALL DoD systems. Sure some DoD engineers screamed at that and the document was changed to allow some embedded systems and realtime systems to use non-Microsoft operating systems. But it took no 'rocket scientist' then nor now to understand Microsoft is a marketing company above all else and that its operating system software designs were flawed.

        Now, for the past 6 years they've fou
    • I certainly understand and share the frustration of tax-dollars helping a healthy and profitable corporation, but another way to look at this is NSA is helping the users. The proper long-term solution would, probably, be to make software vendors liable for flaws in their products — as is the case with most other industries. Short-term, however, National Security Agency making personal computers harder to hijack does, indeed, contribute to, uhmm, national security...

      Microsoft is not the only entity to benefit either, BTW. For example, FreeBSD cvs-commit messages have plenty of acknowledgments of government's help (fgrep for TrustedBSD [trustedbsd.org]). The NSA-funded [nsa.gov] SELinux [wikipedia.org] is another example...

      NSA is, supposedly, full of very smart, technically adept people, who, no doubt, strongly prefer Unix-like OSes (on average) to Microsoft's offerings. However, with Microsoft's market-dominance, it gives a lot more bang for the NSA's buck to help them, rather than the OSS projects...

      Granted, there is a danger of this solution perpetuating the problem, but that's a distant and lesser danger, than the present and grave one of millions of zombies arraigned into bot-nets and immediately usable (and up for hire) against businesses and government institutions alike.

      • Re: (Score:3, Insightful)

        by crush ( 19364 )

        I certainly understand and share the frustration of tax-dollars helping a healthy and profitable corporation, but another way to look at this is NSA is helping the users.

        It would be nice if that were true, but given the secrecy and lack of information about exactly what the NSA did we have no idea how "helped" any of us are.

        As it stands, this announcement is effectively the government giving free publicity to Microsoft and claiming without any evidence that Vista is secure in some way. (See all the "G

    • What exactly are you complaining about? Are you actually blaming Microsoft for the low cost of data storage? Or are you blaming Microsoft for seeking outside help? Or are you blaming the US government for helping secure the computers of 600 million users?

      Are you upset at helping to pay for the filling the pothole outside my door? What about the FDA spending money to improve drugs for women that you'll never take? Or are you just mad that Microsoft seems to actually be trying to make Vista a decent OS?

      You se
    • NSA (Score:3, Informative)

      Wouldn't it be nice to be a company so large and dominant in it's industry yet so inept in delivering a code-complete product it gets help (I'm assuming for free) from government agencies to try and get it right?

      To be fair to the NSA (and leaving aside for the moment any tin-foil-hat conspiracy theories about backdoors) they also gave Linux some security overhauls [wikipedia.org]. So it's not as if they are picking sides here. The NSA also publishes Operating Systems Guides [nsa.gov] that any administrator or user can download and use to harden his/her OS. These are also available for multiple OS'es. I'm no fan of the NSA but sometimes they actually do good work.

      • Their Windows guides were influential enough that when Microsoft published its own guide for Windows 2003, NSA decided that it was good enough that they didn't have to write their own. It was at its core a rewrite of the NSA's Windows 2000 guide, but introduced more scenarios and was slightly less sleep-inducing.
      • > (and leaving aside for the moment any tin-foil-hat conspiracy theories about backdoors)

        I guess everyone has forgotten about nsakey and !seineewerasreenigneepacsten by now, although I admit that there was doubt about whether nsakey was actually nefarious. I don't remember that issue ever really being resolved.
    • Batting 500 (Score:2, Insightful)

      by Gription ( 1006467 )
      "Wouldn't it be nice to be a company so large and dominant in it's industry yet so inept in delivering a code-complete product it gets help (I'm assuming for free) from government agencies to try and get it right? So, my tax dollars at work for Microsoft... (the article does mention Microsoft gets this help for free, I can only assume then "we" foot the bill)."

      The NSA has many reasons to help MS. From the article it is obvious that they recognize that MS has a pervasive monopoly in desktop OSes and is exp
    • Re: (Score:3, Funny)

      by AndroidCat ( 229562 )

      I don't see the problem.

      For the same money as you paid for your hard drive 10 years ago, you get a drive with 500 to 1000 times more storage.
      For the same money as you paid for Windows 10 years ago, you get a product that uses up 500 to 1000 times more storage.

    • If you're a government agency that's supposed to be looking out for national security... the security of an operating system used by the vast majority of citizens, corporations and the government is probably of interest...
    • by 1u3hr ( 530656 )
      Consider that the drive I bought at Costco 10 years ago (500MB) costs on the order of 500 to 1000 times more (that's almost two magnitudes) than storage today, and that Microsoft continues to charge at the same rate -- they even seem to adjust for inflation.

      But the size of MS's OS has increased from a few hundred k; DOS 3, runnable from a 360k floppy, to a few GB, installed from a DVD, for Vista. Probably at least three orders of magnitude. So actually you are getting more OS for your dollar now.

    • Re: (Score:3, Informative)

      by ScentCone ( 795499 )
      Consider that the drive I bought at Costco 10 years ago (500MB) costs on the order of 500 to 1000 times more (that's almost two magnitudes) than storage today, and that Microsoft continues to charge at the same rate -- they even seem to adjust for inflation.

      Do you really think that what Microsoft does and sells is the same thing as storage density? They have people, producing and supporting an enormous range of products and services. Unless you're suggesting that what it costs to employ and retain people
    • by jafac ( 1449 )
      I'm not saying Microsoft shouldn't collaborate with external organizations, but why am I paying for it?

      It's a public safety issue.

      YOU are better off if 90% of the desktops in the world have a good security posture, than you are if they have a weak security posture which enables botnets (which are currently responsible for about 70% of the spam in the world).

      The real question is;
      Will the spammers and hackers learn their way around the tighter security? (making the effort and tax dollars a waste) - or will t
    • Wouldn't it be nice to be a company so large and dominant in it's industry yet so inept in delivering a code-complete product it gets help (I'm assuming for free) from government agencies to try and get it right? So, my tax dollars at work for Microsoft..

      "Federal Government Provides Technical Assistance To Trade, Industry and Agriculture"

      Breaking News. In 1790.

      Even more reason to be upset about their usurious rates for their new OS. Consider that the drive I bought at Costco 10 years ago (500MB) costs o

    • Consider that the drive I bought at Costco 10 years ago (500MB) costs on the order of 500 to 1000 times more (that's almost two magnitudes) than storage today, and that Microsoft continues to charge at the same rate -- they even seem to adjust for inflation.

      Wow, what a crap argument. Technology has allowed for the storage of the same amount of data in a smaller area, more refined machine tools.

      Do you think programmer salaries are also decreasing at this rate? If the company you work for discovers more eff
    • by Locutus ( 9039 )
      THIS is definately going to be a problem for anybody who thought that Linux and/or opensource was going to rise to the top because of better design and security.

      With the US government is so 'bent' on sticking with( and paying Microsoft for ) running its systems on Microsoft software, they are willing to lend their experts to Microsoft in order to improve the systems design and security as a way to improve the governments already poor security rating.

      Such a shame. Where is the free market cause I don't see i
  • by account_deleted ( 4530225 ) on Tuesday January 09, 2007 @10:58AM (#17522302)
    Comment removed based on user account deletion
    • Re: (Score:3, Funny)

      by Anonymous Coward
      TERRORSCAN.EXE doesn't really conform to Microsoft naming conventions. You should probably be looking for terrscn.exe
      • Heh. In the past few years, MS has gotten a little less stupid about implementing backwards compatibility at all the wrong layers. I guess someone finally realized that Ye Olde FAT16 was put out of its misery ten years ago, and they were using an emulator [wikipedia.org] for DOS compatibility anyway. I'll bet that typing c:\progra~1 in Explorer on Vista still works, though. *shudder*
    • Re: (Score:3, Funny)

      by A_Non_Moose ( 413034 )
      .. They contributed "WIRETAP.DLL" and "TERRORSCAN.EXE" which are required components to pass the new-and-improved Windows Genuine Advantage test, right?!?

      (tinfoil hat mode = on)

      No need, the backdoors are already in place, they just needed to strenghten the password to:

      M0z1LLA3nG1n33r$aR3w33N13$

      According to their own standards.

      HTH

      (/TFH off)
  • ...For Corporate Work
  • by Bohnanza ( 523456 ) on Tuesday January 09, 2007 @11:00AM (#17522342)
    "The Agency aimed to help as many people as they could, and chose to assist Vista with good reason: the OS still has a 90 percent lock on the PC market"

    Wow! And it's not even out yet!

    • The article probably made a typo, but all the OEM machines are already loaded with their operating systems. It seems certain that at least 90% of Dells, Gateways, HPs, and similar desktops are being preloaded with Windows Vista.
      • by geeber ( 520231 )
        Fair enough, but 90% of the Dells, Gateways, and HPs currently preloaded with Vista still doesn't constitute 90% of the current machines out there in operation.
        • by hesiod ( 111176 )
          > > the OS still has a 90 percent lock on the PC market
          > doesn't constitute 90% of the current machines out there in operation


          I don't know the true statistics either, but there is a HUGE difference between "machines in operation" and "machines ready to be sold now."
    • by symbolic ( 11752 )
      I hope the words "90 percent lock" set off some alarms....that's the problem. Until Microsoft is forced to publish complete specifications for its "proprietary" document and file system formats, as well as other "proprietary" protocols so that other players are *able* to attain 100% compatibility, nothing will change. Switching an operating or an application should be painless and completely transparent to the user, but due to Microsoft's "lock," it's everything *but* painless and transparent.
      • Screw the Office and filesystem formats, those have been mostly reverse [openoffice.org] engineered [ntfs-3g.org]. What they could do is publish complete API documentation, so it doesn't take Wine years to catch up.
  • Buy! (Score:2, Funny)

    by jbeaupre ( 752124 )
    I'm buying more stock in Alcoa, that is. With the surge in Reynolds Wrap sales, I'll make a fortune! My just buy a roll myself.
  • by crush ( 19364 ) on Tuesday January 09, 2007 @11:04AM (#17522398)

    If the NSA can help Microsoft tighten up it's shitty systems then that's good. There are already positive benefits from NSA research into the Flask [nsa.gov] OS in the form of GNU/Linux's SElinux [redhat.com].

    The only problem I have with any of this is that this is another government subsidy (read our tax dollars) going to subsidise a private company which should (given the vast profits it makes) be able to pay for its own security research instead of dipping its snout into the public trough.

    • Considering how big of a job it is to make Windows secure, when the hell did the NSA find the time to tap the phone calls of Americans and "terrorists?" Something about this story sounds fishy....
  • Tip of the day (Score:4, Interesting)

    by pubjames ( 468013 ) on Tuesday January 09, 2007 @11:05AM (#17522404)

    Hey, here's a tip for all you foreign governments out there: Don't use Windows! I hope that helps!

    Seriously, I can't believe that there isn't greater demand for other alternatives to Windows in foreign governments. I wonder if Mahmoud Ahmadinejad uses windows...

    • Re: (Score:2, Interesting)

      by Cheesey ( 70139 )
      Not just foreign governments - entire nations as well. A modern economy could be totally disrupted if all the Windows machines stopped working. It might be a bad idea to allow a foreign power to execute arbitrary code on machines in your country, which is exactly what Windows Update does. Windows Update is a very powerful weapon, all the more so because few recognise it as such.

      Countries might want to set up firewalls to intercept updates so that they can be screened for malicious code before anyone can acc
    • by alexhs ( 877055 )

      I wonder if Mahmoud Ahmadinejad uses windows...
      I bet he does ! And doors too ! :)
  • Unless I missed it, while reading the article I kept expecting there to be a mention about the possible inclusion of a backdoor. Maybe my tinfoil hat is too tight but it seems like a valid question these days when discussing the NSA and operating systems. Especially for an upcoming consumer OS given that the sixpack set is reading more and more about privacy and fourth ammendment concerns in the mainstream press.

    Point being, it seems like something that the vendor would want to dispel pronto. (Yes, Appl
  • "For YEARS"? the NSA has helped MS with security issues? The mind reels. A bunch of talented amateurs building Linux do a better effort than the combined efforts of MS and the NSA. The next time the NSA comes to help me with a problem I think I'll politely decline.
    • "For YEARS"? the NSA has helped MS with security issues? The mind reels. A bunch of talented amateurs building Linux do a better effort than the combined efforts of MS and the NSA. The next time the NSA comes to help me with a problem I think I'll politely decline.

      Except that some of those "talented amateurs" were in fact NSA employees, working to make Linux more secure, as part of a project called Security-Enhanced Linux [nsa.gov]...which has been incorporated into the mainline 2.6 kernel tree.
      • "For YEARS"? the NSA has helped MS with security issues? The mind reels. A bunch of talented amateurs building Linux do a better effort than the combined efforts of MS and the NSA. The next time the NSA comes to help me with a problem I think I'll politely decline.

        Except that some of those "talented amateurs" were in fact NSA employees, working to make Linux more secure, as part of a project called Security-Enhanced Linux...which has been incorporated into the mainline 2.6 kernel tree.

        The percentage

  • by DaoudaW ( 533025 ) on Tuesday January 09, 2007 @11:21AM (#17522612)
    On one hand since the NSA has been helping with linux security for years with SELinux [nsa.gov], it seems only fair that they would be willing to similarly assist M$. But my concern would be whether they are violating the GPL under which they released SELinux. If they are using concepts they developed for the open source SELinux in Vista, shouldn't M$ be required to open source at least those portions of Vista?
  • "For about four years, Microsoft has tapped the spy agency for security expertise in reviewing its operating systems, including the Windows XP consumer version..."

    Jeez. If I were either MS or NSA I wouldn't even admit that given the XP home security record.

  • When is the NSA gonna help with Red Hat, Mandrake or Mac OS? I must say that this is totally off the board. MS should be paying the NSA to help with this. They should be footing the bill!
  • lol

    Actually, its kinda creepy...
  • Read TFA (Score:5, Interesting)

    by Anonymous Codger ( 96717 ) on Tuesday January 09, 2007 @11:39AM (#17522868)
    It doesn't sound like NSA helped write code - it sounds like their primary contribution was in testing:

    "The NSA also declined to be specific but said it used two groups -- a "red team" and a "blue team" -- to test Vista's security. The red team, for instance, posed as "the determined, technically competent adversary" to disrupt, corrupt or steal information. "They pretend to be bad guys," Sager said. The blue team helped Defense Department system administrators with Vista's configuration ."

    Also, Microsoft isn't the only company that NSA and other govt. agencies have helped with security. Besides SELinux, which others have mentioned, there's Apple:

    "Other software makers have turned to government agencies for security advice, including Apple, which makes the Mac OS X operating system. "We work with a number of U.S. government agencies on Mac OS X security and collaborated with the NSA on the Mac OS X security configuration guide," said Apple spokesman Anuj Nayar in an e-mail."

    So this isn't that big a deal, it's just that Microsoft is trying to capitalize on the relationship to counter the prevailing belief (or truth?) that Windows is insecure and that Vista is no big improvement.
  • by gmuslera ( 3436 ) on Tuesday January 09, 2007 @11:43AM (#17522940) Homepage Journal
    They should ask for help to the Vatican, after all, is a miracle what they are looking for.
  • NSA and DES (Score:4, Interesting)

    by jmichaelg ( 148257 ) on Tuesday January 09, 2007 @12:11PM (#17523302) Journal
    When IBM invented DES, the NSA asked to review it before IBM started selling it. DES is an encryption algorithm that involves repeatedly permuting and shifting bits. The bit shifting phase is handled by sending the permuted bits through what are called s-boxes which basically say 'move this bit over there'. NSA "requested" two revisions to DES - shorten the key to 56 bits and re-arrange some of the s-box operations. NSA didn't say why that would be "better" but made it clear to IBM that if IBM didn't comply, IBM would run into difficulties selling DES. The kind of difficulties that governments are very adept at raising. So IBM complied and implemented NSA's "requests." The presumption has always been that NSA knew how to crack the revised version of DES.

    I'm curious if NSA made similar "requests" to Microsoft.
    • Re: (Score:2, Informative)

      by Anonymous Coward
      To my knowledge, the change to the s-boxes was to protect against differential cryptoanalysis, which at the time, wasn't even a method known by anyone, except the NSA. When differential came out, everyone was surprised that DES mysteriously was already immune.
  • Uh huh . . . (Score:3, Interesting)

    by Orange Crush ( 934731 ) on Tuesday January 09, 2007 @12:13PM (#17523324)
    Microsoft Gets Help From NSA for Vista Security

    Isn't this a bit like chickens getting help from a pack of wolves for their security needs?

    Perhaps I'm being too cynical, as both MS and the NSA have just stellar track records on their concern for an individual's privacy . . .

  • we are here to help.

    Right....

  • Of course I want the NSA I pay for and depend on to protect me working to make Vista safer. Because Vista is part of the security environment, eventually the biggest part. It's such a threat to Americans' security that NSA should be able to require MS to let NSA help secure it.

    The problem is that NSA costs money to operate. Tax money. Tax money that Microsoft doesn't pay [google.com]. Microsoft cuts costs by ignoring security whenever it can (most of the time). While raking in literally untold $BILLIONS in profits. Now
  • Well since the NSA released SELinux a few years ago, or I believe it was them. I have to wonder if any of the same code will end up in M$, or will they be helping them with code?

    If this did happen, how would anyone other than M$ and NSA know?

  • I am quite serious. Windows Vista will be going all over the world in some form or another, I would think it was remiss of them if the NSA *didn't* tell MS that they were adding a backdoor to Vista and hand them the code. I bet they will be more cautious about placing it than the last time they added one, but it will be there. I am sure in compensation they help MS tighten up the rest of the security to ensure foreign governments can't crack it as effectively as the NSA.

    I am sure this will be modded paranoi
  • As a USA taxpayer, I believe that this is an example of what our government should be doing.

    Before the politically motivated "war on terror", I remember seeing news articles about our FBI working with foreign governments to break up foreign hacking rings. Since 911 I don't recall hearing about this anymore.

    Our NSA has in the past also donated Linux security enhancements. Excellent! Protecting our national infrastructure.

    A little off topic, but this issue has me fairly angry: our government should spend mone
  • Seems to be a good example of the government doing a better job than a private company manages. I guess some ideologies does not allow for that.

    Of course, one cannot make the stronger statement that the government is doing a better job than the free market, since MS has a monopoly in desktop computers. Maybe it is an example of the extra burden that falls on a government does not deal with anti-competitive monopolies in the market place?

  • This is a wake up call to those who don't see this following a theme that could lead to the NSA, DHS, or other organization from having direct access to your computer, your use of that computer, without you knowing it.

    Microsoft managed to get he DHS to tell everyone to upgrade to SP2 because SP2 had certain features that allowed Microsoft to more easily determine things about your computer. It also aided them in determining if you are a pirate. The DHS has to have received something in return. In my humb

You can measure a programmer's perspective by noting his attitude on the continuing viability of FORTRAN. -- Alan Perlis

Working...