US Security Services May 'Have Moles Within Microsoft,' Says Researcher 228
Barence writes "U.S. government officials could be working under cover at Microsoft to help the country's cyber-espionage programme, according to one leading security expert. According to Mikko Hypponen, chief research officer at security firm F-Secure, the claim is a logical conclusion to a series of recent discoveries and disclosures linking the U.S. government to 2010's Stuxnet attack on Iran and ties between Stuxnet and the recent Flame attack. 'It's plausible that if there is an operation under way and being run by a U.S. intelligence agency it would make perfect sense for them to plant moles inside Microsoft to assist in pulling it off, just as they would in any other undercover operation,' he said. 'It's not certain, but it would be common sense to expect they would do that.'"
Re:not only operating systems (Score:3, Interesting)
Don't forget that the US Department of Homeland Security maintains a giant list of security flaws. It's called the Common Vulnerabilities Enumeration [mitre.org].
Check the fine print at the bottom of the page: "CVE is co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security."
So that means the government doesn't even need to go looking for holes - security companies send them to the government directly to be listed!
No mole required, just a "friendly" email informing them that they're going to keep silent for a bit and "forgetting" to post the alert publicly.
More baseless nonsense please (Score:3, Interesting)
Author of TFA dreams up some impossible to falsify idea - offers no supporting evidence of any kind except to say it is plausable.
I love myself a good MS conspiracy and I'm sure there are plenty which actually do exist but lets not reward intellectual laziness.
Just two questions:
1. What do editors of PC Pro get paid to do?
2. What is it doing on slashdot?
Now if you'll excuse me my magic unicorn 'Flame' is hungry and wants a bowl of lucky charms before flying back to the land of lua to meet the angry birds.
Re:Ockham's razor (Score:5, Interesting)
We can get even simpler and easier, MS already gives the military access to their source code so that it can be reviewed. This is a requirement for all the software used on the most secure systems.
It has always been viewed as a joke around here, because unless they are going to fix the bugs themselves, having the source isn't going to make windoze take extra care about your data.
So the simplest and most obvious answer is, they didn't need to sneak in, and they didn't need to make threats either.
Re:Doesn't really make sense to me (Score:4, Interesting)
Imagine a government with access to a complex OS source code. Then imagine that they get data on all manner of security holes as they are discovered. Imagine also that this government has access to OS security update certifications. Finally, imagine that this same government has the ability to hack into server DNS tables to route targeted users to their alternative 'security updates'.
The penetration of any software company by undercover government operatives would hardly be surprising, but entirely unnecessary. Microsoft would hardly be alone as a target of such espionage -- every software company would be vulnerable, including OSS. There is also the issue with 'backdoors' hard-wired into computer hardware, including especially telecom systems. IIRC, this became an issue recently with news of backdoors alleged to exist in VLSI circuits manufactured in China. Older news alleged that Israel also puts backdoors into the telecom hardware they sell & ship, including to the USA government.
If virtually every government does such spying, including upon their own citizens, and any number of software & hardware companies do the same with their customers, any cautious user of such technology should be aware of the potential security breaches they expose themselves to every time they connect to the internet, or open their front door for that matter. Redundancy & breadth of security beats security through obscurity any day.
The phrases of the day are, "Trust no one", "Security in depth", and "If it can't be accessed remotely, it's more secure & less vulnerable". At that point, physical security & Tempest-hardening secure your valuable data. The rhetorical question is, "How valuable is your data if you cannot readily access it?" I found it humorous that the USA government recently wanted reporters to write their news stories on government-supplied computers, if only to avoid unwanted data leaks & stop potential whistleblowers in their tracks.
Trust the USA government, or any government, or any corporation with an agenda? Why take that risk unmitigated? And who in Hades would put vulnerable sensitive SCADA systems in close proximity to the Internet except an idiot?