Encryption Cloud Communications Government Microsoft Security

Microsoft's NSA 'Transparency' Push Remains Pretty Opaque 90

Posted by timothy
from the don't-worry-the-gov't-will-protect-you dept.
Nerval's Lobster writes "Microsoft will encrypt consumer data and make its software code more transparent, in a bid to boost consumer confidence in its security. Microsoft claims that it will now encrypt data flowing through Outlook.com, Office 365, SkyDrive, and Windows Azure. That will include data moving between customers' devices and Microsoft servers, as well as data moving between Microsoft data-centers. The increased-transparency part of Microsoft's new initiative is perhaps the most interesting, considering the company's longstanding advocacy of proprietary software. But Microsoft actually isn't planning on throwing its code open for anyone to examine, as much as that might quell fears about government-designed backdoors and other nefarious programming. Instead, according to its general counsel Brad Smith, "transparency" means "building on our long-standing program that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors." In addition, Microsoft plans on opening a network of "transparency centers" where customers can go to "assure themselves of the integrity of Microsoft's products." That's not exactly the equivalent of volunteers going through TrueCrypt to ensure a lack of NSA backdoors, and it seems questionable whether such moves (vague as they are at this point) on Microsoft's part will assure anyone that it hasn't been compromised by government sources. But with Google and other tech firms making a lot of noise about encrypting their respective services, Microsoft has little choice but to join them in introducing new privacy initiatives."

  • so what? (Score:5, Insightful)

    by Xicor (2738029) on Thursday December 05, 2013 @11:41AM (#45608793)
    so they encrypt it, giving people a false sense of security, while they give the decryption key to the NSA...
    • by zlives (2009072)

      all legal like so... only option ... do not cloud

    • Re:so what? (Score:5, Interesting)

      by Anonymous Coward on Thursday December 05, 2013 @11:58AM (#45609013)

      so they encrypt it, giving people a false sense of security, while they have already given the decryption key to the NSA...

      Fixed. [theguardian.com] It's a pretty meaningless promise considering what they already do.

      Microsoft has collaborated closely with US intelligence services to allow users' communications to be intercepted, including helping the National Security Agency to circumvent the company's own encryption, according to top-secret documents obtained by the Guardian.

    • Not sure why they don't just do what the NSA is doing: change nothing and wait for people to forget about- HEY LOOK! A CELEBRITY DEATH!!!
    • by mpe (36238)
      so they encrypt it, giving people a false sense of security, while they give the decryption key to the NSA...

      Or the NSA has checked the software to ensure that they already know/don't need that key.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      This. Who cares what they claim to do with encryption if they willingly co-operate with NSA giving everything away anyway.

      As long as US Govt. considers every non-US person a perfectly legit target for any and all NSA surveillance (for any reason or for no reason), "cloud companies" in the US have a really really really bad problem.

      At the same time NSA seems to be working hard to downplay any snooping of US persons (since they cannot legally justify that) and hey, that makes sense. Only way anyone could put

    • by Burz (138833)

      Indeed, I thought that was the whole point of MS putting Skype on the NSA PRISM program.

  • by jkrise (535370) on Thursday December 05, 2013 @11:48AM (#45608867) Journal

    Anyone who trusts Microsoft is a moron.
    Microsoft Transparency is an Oxymoron; unless we are talking about Aero Glass transparency.

    • I trust Microsoft, but for reasons that you overlooked. I trust that they'll continuously change their products in a way that requires everyone that runs a business, that uses computers, to have an IT guy. That's me trusting that I'll always have a work load, being self employed.

      But yeah, if you trust that Microsoft will 'help' you 'stay silent' from the NSA, then you should read this [computerworld.com]. Because in reality, the NSA 'helped' Microsoft build Windows 7.
  • by Anonymous Coward

    Prince Humperdinck: Surrender.
    Westley: You mean you wish to surrender to me? Very well, I accept.

  • ....given that Microsoft isn't going to open their source to the world, this seems a reasonable step from them.

    I mean, nobody here's going to give them the tiniest lick of credit for it, but such is /.

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      ....given that Microsoft isn't going to open their source to the world, this seems a reasonable step from them.

      Spoken like a true Microsoft apologist. Here let me put it into perspective for you, since you couldn't be bothered to read TFA summary:

      "transparency" means "building on our long-standing program that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors."

      So "government customers" can "review" the source code. Not you or me or the rest of the world. Not that "government customers" care, or have the manpower and technical skills to actually hunt through a big messy blob of source code to find back doors. The only government customers capable of knowing what a back door looks like are the government customers who ordered i

  • by mlts (1038732) * on Thursday December 05, 2013 @11:56AM (#45608973)

    Encryption is not a one size fits all solution. I can say that I use encryption for everything because my HDDs use FDE (BitLocker, FileVault, and LUKS.) However, encrypting everything that hits the platters doesn't give any protection against remote attack. Scale that up to the enterprise, and having a low level PowerPath driver encrypt what hits a LUN doesn't matter much if the host machine gets breached.

    While I do have faith that BitLocker and other items are not obviously backdoored, my eyes glaze over when companies say that they will just encrypt stuff, all problems over.

    Encryption just makes the amount of sensitive data move from the data to how keys are stored, and attackers will just start hitting the key management system, either bribing/coercing an admin, or use basic social engineering techniques to get access to stored keys.

    Even hardware key storage devices are not 100%. One can always hack a user account on one of those to sign/decrypt data even without access to the key material itself.

    Encryption is just one piece. It can be equated to use of a safe. However, safecrackers tend to care less about the safe itself than the lock on the safe, and the key management is what makes or breaks security.

    • by Anonymous Coward

      Bitlocker is a Microsoft product. It has backdoors.

      • by Anonymous Coward

        [Citation Needed.]

        • [Citation Needed.]

          Major data encryption software like TrueCrypt, Microsoft BitLocker, FileVault, BestCrypt etc have backdoors which allows access to data without the key.

          This was disclosed as per a presentation leaked @ http://cryptome.org/ [cryptome.org] which was given by Detective Michael Smith. Computer Crimes & Computer Forensics, Linn County Sheriff’s Office.

          Although NCMEC (National Center for Missing and Exploited Children) says that they use it for detecting child pornography but the disclosure itself is sufficient to raise doubts on NSA-corporate bond again

          http://hackingly.org/nsa/backdoor-in-truecrypt-bitlocker-filevault-281.html [hackingly.org]

      • by mpe (36238)
        Bitlocker is a Microsoft product. It has backdoors.

        Historically proprietary software tends to be rather poor when it comes to cryptography. Cryptography is hard to get right, since even apparently trivial changes can have huge effects on the security of the code. Any requirement for "backdoors" is likely to make things even harder.
        • by mlts (1038732) *

          I get the not-so-fresh feeling being devil's advocate here, but (and this is opinion here, so take it, leave it, or just laugh at it) BitLocker is something that MS did seem to make a decent effort at getting right.

          Unlike TrueCrypt, BitLocker is written not just for security, but for enterprise recoverability, so come e-Discovery time, one can recover the data on a laptop after an employee left.

          If MS did drop the ball with BitLocker, they would be in a world of hurt. There are many laptops lost out there,

          • by Anonymous Coward

            I use an 80-year-old monk with a photographic memory to store my password. He does not feel pain. He does not feel greed. He will only quietly unlock what I need unlocked.

            • by Anonymous Coward

              Ever read Freedom(TM)? A mercenary is put in an fMRI scanner and has intelligence extracted from him even though he remains completely silent. They just ask a series of questions and narrow down the answer. "Does your name begin with the letter A? B? C? D?..." Try as he might, he can't help but produce measurable brain responses when he sees information he knows to be correct and eventually reveals all his personal details and for whom he works.

    • by mpe (36238)
      Encryption is not a one size fits all solution. I can say that I use encryption for everything because my HDDs use FDE (BitLocker, FileVault, and LUKS.) However, encrypting everything that hits the platters doesn't give any protection against remote attack.

      Note that "cloud storage" along with "file sharing" can be a method of defeating filesystem encryption. Especially if the communication is itself encrypted so you can't easily tell what is being synchronised/shared.
  • by RLiegh (247921) on Thursday December 05, 2013 @11:56AM (#45608977) Homepage Journal

    ...where NSA contracts begin. Much to the surprise of absolutely no-one at all.

  • by PhrostyMcByte (589271) <phrosty@gmail.com> on Thursday December 05, 2013 @11:59AM (#45609023) Homepage

    Short of encrypting data before it hits the server, using a private key that is managed only by the user, there really isn't anything these big companies can do to improve your security.

    Protecting data in transport? HTTPS's key management is compromised so that's not going to protect against the NSA. Are they going to overhaul that system?

  • by TWiTfan (2887093) on Thursday December 05, 2013 @11:59AM (#45609025)

    building on our long-standing program that provides government customers with an appropriate ability to review our source code

    Well, of course, we wouldn't expect you to allow anyone in with an inappropriate ability to review your source code.

  • They still exist? (Score:2, Interesting)

    by JustNiz (692889)

    >> it seems questionable whether such moves (vague as they are at this point) on Microsoft's part will assure anyone that it hasn't been compromised by government sources

    I'm genuinely surprised that apparently some people still exist that think Microsoft might actually not be providing the government with backdoors and feeds of everything that goes anywhere near their products and/or servers.

    • Re:They still exist? (Score:4, Informative)

      by cavreader (1903280) on Thursday December 05, 2013 @05:34PM (#45613559)

      Nobody has ever shown any detailed proof of government backdoors in their products. But hey facts really have nothing to do with today's shallow thinking.

      • by JustNiz (692889)

        Nobody has ever shown any detailed proof of non-existence of government backdoors in their products. But hey facts really have nothing to do with today's shallow thinking.

        • I really hope you are joking. How do you prove a negative? "We can't find something therefore it must exist!".

          • by JustNiz (692889)

            In this case it would be easy.
            Microsoft could just open up ALL their source code to the EFF instead of only allowing the government to see it. They must already realise that asking the gov to check for backdoors is like asking the fox to guard the hen house.
            The government are probably interested in the code but just to confirm that their backdoors are actually still in place, and to maybe add some more.

      • by chihowa (366380) *

        The absence of evidence of wrongdoing isn't evidence of the absence of wrongdoing.

        Even the credible belief of a backdoor in a closed source security program should be taken seriously.

  • by Alain Williams (2972) <addw@phcomp.co.uk> on Thursday December 05, 2013 @12:09PM (#45609135) Homepage

    Saying that it is encrypted is one thing, but a whole lot more is needed to be confident in security. What if the encryption algorithms have problems, or the key generation produces an effective length of less than 2048, etc, etc.

    Microsoft would be really smart if it released its security related code under some ''you can view this and try to break it but cannot sell/... license''. This need not be incompatible with keeping the rest of its code base proprietary. It would really boost confidence if people could independently rebuild the security DLLs. On the other hand if Microsoft does not do this we need to ask the question: what has it got to hide ?

  • If only "embrace, extend, extinguish" worked on the NSA, Microsoft would get some serious Karma points.

  • Score:5, Informative (Score:1, Informative)

    by Anonymous Coward
    • Re: (Score:2, Troll)

      by SpaceLifeForm (228190)
      Exactly. This is a PR move to make it appear as though they are not in the same bed together.

      Imagine if they had NOT announced these (late) changes.
      After a while, people would observe what is going on:
      "Hey, Microsoft is not doing what Google and Yahoo did, I wonder why? "

      Microsoft *had* to do this in order to try to hide their real colours.

  • ... even achieving transparency between departments is difficult. When I used to work there you should have seen what we went through to get code from other teams. In spite of the fact that the company rewards cross-group collaboration (which was the main reason we were doing it).

  • I seem to remember that was the case.

  • ...who wouldn't know a principal if it bit them in the ass and sang "Yankee Doodle." They will bend over with a smile the moment any government agency wants them to do anything and ask if they'd like anything else. Encryption. Feh. All PR, smoke and mirrors. This is an attempt to change public perception. Nothing more.

  • The moment they receive a National Security Letter, the backdoor is added and pushed out in a regular software update. Or, on the server side, they add a tap anywhere they touch plaintext. Or they hand over keys.

    Every US corporation is an arm of the NSA, except for those that follow Lavabit and choose to shut down rather than cooperate.

  • by PrimeNumber (136578) <PrimeNumber@exci t e . c om> on Thursday December 05, 2013 @03:05PM (#45611857) Homepage

    Replace "Microsoft" with the name of any company that suddenly got religion and is now working so hard to protect our privacy. How long did it take Google to finally get around using https and secure logins? A long fucking time, but we can't say anything about Google - because they do nifty shit like flying WiFi balloons in Africa. Meanwhile, Bill Gates is on the ground giving billions to eradicate disease -- something that actually improves peoples' lives in a meaningful way. But we still have to slam Microsoft, because Billy boy and his minions are so evil.

    None of the major IT companies gave a rats ass about user privacy until Snowden leaked his information. FFS -- enough with the slamming Microsoft shit already, the 90's have been over for a long time now. Go back to trolling on The Verge or Apple Insider.

    • by genner (694963)

      Replace "Microsoft" with the name of any company that suddenly got religion and is now working so hard to protect our privacy. How long did it take Google to finally get around using https and secure logins? A long fucking time, but we can't say anything about Google - because they do nifty shit like flying WiFi balloons in Africa. Meanwhile, Bill Gates is on the ground giving billions to eradicate disease -- something that actually improves peoples' lives in a meaningful way. But we still have to slam Microsoft, because Billy boy and his minions are so evil.

      None of the major IT companies gave a rats ass about user privacy until Snowden leaked his information. FFS -- enough with the slamming Microsoft shit already, the 90's have been over for a long time now. Go back to trolling on The Verge or Apple Insider.

      Who is Bill Gates again? Oh right he's the guy who doesn't run Microsoft.
      Remind me how many people Ballmer helped?

    • by swillden (191260)

      How long did it take Google to finally get around using https and secure logins? A long fucking time

      You don't know what you're talking about.

      Google provided the option for SSL on all Google services back in 2008. At that point in time it was considered infeasible for large web services to do always-on SSL, because it would increase the load too much; SSL was only used for login pages, pages where financial information was entered, etc. In 2010 Google turned it on by default for all users for Gmail and other key services, long before any other major webmail providers did. In 2011 they turned it on by

      • by swillden (191260)

        heck Yahoo and Bing still don't use SSL for search

        Out of curiosity I just went and tried it. Not only do they not use SSL by default, but you can't use SSL at all for searches on either site. Yahoo will serve the home page via HTTPS, but trying to search from it gives you first a big error message from your browser due to a certificate name mismatch, and if you click through that you get a 403. If you try to go to http://www.bing.com/ [bing.com] you get a blank page.

        I didn't try either site while logged in, so it's possible that you can do secure searches if you

  • Where oh where is the source tree.
    Look, this is dumb.

    Why don't they throw up their hands, and say: "In all honesty people, we're fucked as much
    as you are. Let's work together, in openness, to solve the problem at its root".

  • by Anonymous Coward

    Will you or will you not cooperate with the NSA when they demand access?

    We need to build mandatory encryption into our network protocols and remove the responsibility for complying with demands to compromise security from corporations and service providers entirely.

  • Do I understand the thing right? They encrypt for communication but store the data in plain text on their server? That does not look very efficient to guard against the NSA, especially since MS is part of the PRISM program.
  • The pressure from the International markets is only a smidgen of what MS deserves for helping the NSA all these years starting when they got the pork handouts to port Omnivore away from Unix (Solaris) to MS's systems in 1998, and create Carnivore [wikipedia.org] -- despite everyone else in the military, etc. having POSIX requirements... And despite Linux existing in 1998 if "miniaturization" (PCs) were what they were shooting for. Yeah, MS has been in the thick of this shit for a good while. Snowden's privilege escalati
