Microsoft's NSA 'Transparency' Push Remains Pretty Opaque 90
Nerval's Lobster writes "Microsoft will encrypt consumer data and make its software code more transparent, in a bid to boost consumer confidence in its security. Microsoft claims that it will now encrypt data flowing through Outlook.com, Office 365, SkyDrive, and Windows Azure. That will include data moving between customers' devices and Microsoft servers, as well as data moving between Microsoft data-centers. The increased-transparency part of Microsoft's new initiative is perhaps the most interesting, considering the company's longstanding advocacy of proprietary software. But Microsoft actually isn't planning on throwing its code open for anyone to examine, as much as that might quell fears about government-designed backdoors and other nefarious programming. Instead, according to its general counsel Brad Smith, "transparency" means "building on our long-standing program that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors." In addition, Microsoft plans on opening a network of "transparency centers" where customers can go to "assure themselves of the integrity of Microsoft's products." That's not exactly the equivalent of volunteers going through TrueCrypt to ensure a lack of NSA backdoors, and it seems questionable whether such moves (vague as they are at this point) on Microsoft's part will assure anyone that it hasn't been compromised by government sources. But with Google and other tech firms making a lot of noise about encrypting their respective services, Microsoft has little choice but to join them in introducing new privacy initiatives."
so what? (Score:5, Insightful)
Morons and Oxymorons (Score:5, Insightful)
Anyone who trusts Microsoft is a moron.
Microsoft Transparency is an Oxymoron; unless we are talking about Aero Glass transparency.
Define "encryption"... (Score:5, Insightful)
Encryption is not a one size fits all solution. I can say that I use encryption for everything because my HDDs use FDE (BitLocker, FileVault, and LUKS.) However, encrypting everything that hits the platters doesn't give any protection against remote attack. Scale that up to the enterprise, and having a low level PowerPath driver encrypt what hits a LUN doesn't matter much if the host machine gets breached.
While I do have faith that BitLocker and other items are not obviously backdoored, my eyes glaze over when companies say that they will just encrypt stuff, all problems over.
Encryption just makes the amount of sensitive data move from the data to how keys are stored, and attackers will just start hitting the key management system, either bribing/coercing an admin, or use basic social engineering techniques to get access to stored keys.
Even hardware key storage devices are not 100%. One can always hack a user account on one of those to sign/decrypt data even without access to the key material itself.
Encryption is just one piece. It can be equated to use of a safe. However, safecrackers tend to care less about the safe itself than the lock on the safe, and the key management is what makes or breaks security.
In other words Microsoft's "transparency" ends (Score:4, Insightful)
...where NSA contracts begin. Much to the surprise of absolutely no-one at all.
Re:Given that... (Score:1, Insightful)
....given that Microsoft isn't going to open their source to the world, this seems a reasonable step from them.
Spoken like a true Microsoft apologist. Here let me put it into perspective for you, since you couldn't be bothered to read TFA summary:
"transparency" means "building on our long-standing program that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors."
So "government customers" can "review" the source code. Not you or me or the rest of the world. Not that "government customers" care, or have the manpower and technical skills to actually hunt through a big messy blob of source code to find back doors. The only government customers capable of knowing what a back door looks like are the government customers who ordered it put there.
This is all spin speak for "we're doing absolutely nothing but claiming that we are".
But hey, feel free to consider this a reasonable step from Microsoft. Such is /.
Re:so what? (Score:3, Insightful)
This. Who cares what they claim to do with encryption if they willingly co-operate with NSA giving everything away anyway.
As long as US Govt. considers every non-US person a perfectly legit target for any and all NSA surveillance (for any reason or for no reason), "cloud companies" in the US have a really really really bad problem.
At the same time NSA seems to be working hard to downplay any snooping of US persons (since they cannot legally justify that) and hey, that makes sense. Only way anyone could put a stop to NSA antics would be a major seismic shift in US politics - not going to happen, but why risk it, especially if the main point of these mass captures of all network traffic are non-US persons anyway.
Let's see how many years it will take until Google, Amazon and Microsoft realize how much this crap does damage to their business overseas.