US Security Services May 'Have Moles Within Microsoft,' Says Researcher 228
Barence writes "U.S. government officials could be working under cover at Microsoft to help the country's cyber-espionage programme, according to one leading security expert. According to Mikko Hypponen, chief research officer at security firm F-Secure, the claim is a logical conclusion to a series of recent discoveries and disclosures linking the U.S. government to 2010's Stuxnet attack on Iran and ties between Stuxnet and the recent Flame attack. 'It's plausible that if there is an operation under way and being run by a U.S. intelligence agency it would make perfect sense for them to plant moles inside Microsoft to assist in pulling it off, just as they would in any other undercover operation,' he said. 'It's not certain, but it would be common sense to expect they would do that.'"
Ockham's razor (Score:5, Insightful)
Re:Ockham's razor (Score:4, Insightful)
... or they just paid/threatened Microsoft. Much simpler and easier.
And it has the added bonus of being legal. "Moles in MS" would be a big no-no, no?
Re:Ockham's razor (Score:4, Insightful)
Only if it were to ever be acknowledged, something that has zero possibility of ever happening.
Re: (Score:3)
I dunno about that.....of late, the Obama administration is been quite 'leaky' when it comes to secret/covert ops.....what we already know about Stuxnet comes to mind.
Re: (Score:3)
To further this idea, even if we were to have it confirmed, what would it change? The population is too pacified to really care.
Re: (Score:2)
Attack Microsoft!
Re: (Score:3)
I dunno about that.....of late, the Obama administration is been quite 'leaky' when it comes to secret/covert ops.....what we already know about Stuxnet comes to mind.
I'm not so sure knowing about stuxnet is really a leak. I seem to remember, when Iran started complaining about it, that pretty much everyone thought it was the US/Israel.
It really didn't appear to be anyone else, and it didn't appear like anyone else would really care - so confirming it was the US/Israel was about as revealing as someone telling me that it's possible the US might have invaded Iraq for oil-related reasons
Re:Ockham's razor (Score:5, Funny)
"Moles in MS" would be a big no-no, no?
Actually, it sounds like it'd be a runaway hit reality show.
"For the past year, we sent a Google developer deep undercover at Microsoft armed with an Android-powered hidden camera and an agenda to subtly promote open technologies. Now, we're going to show you the results. Sometimes hilarious, sometimes heartbreaking, sometimes horrifying; tune in starting this August on Slashdot TV for 'Moles in Microsoft' to see what happens when development ideologies collide in the real world."
Re: (Score:3)
It certainly would run afoul of our Moonlighting policies.
On the other hand, my life has just become awesome! The next coworker I talk to could be a spy.
Re:Ockham's razor (Score:5, Informative)
Or they just paid former microsoft employees with technical positions to come work for the government.
Didn't the NSA offer to help 'secure' windows 7 (http://www.computerworld.com/s/article/9141105/NSA_helped_with_Windows_7_development), they could just offer to help with 'collaboration' and then provide some security fixes and use some of the loopholes they find before anyone else does.
Now the israeli's. They have spies at microsoft. The US government probably not directly, at least not in the US, there are enough cheaper no risk ways to get what they want.
Re:Ockham's razor (Score:5, Insightful)
I'm not even sure they would have to do that. The technical details in TFA are a bit scarce, but enough exists for a better theory than the TFA presents.
Someone with some hefty CPU power broke the MS cert, which allowed them to create their own at will and spoof a MS cert.
The Government has the access to MS source code, and their methods. If you know where hooks get applied and how priorities work, you don't need to be from MS to write good code. You just need to be a good coder.
Spoofing Windows Update server really would not be that hard. Hell you don't even need a real man in the middle attack if you have a forged Cert and know the structure. You just need to spoof a DNS answer, the client will do everything else for you.
Having the fake key is huge! Write an application, sign as Genuine MS, put on a faked Windows update server, reroute a DNS call. Shazam! Of course there is other knowledge required, such as evading AV detection, etc.. but they had that figured out very well also.
It would take a good team, and time, but no need to have a mole. I would not be surprised if the US Government had moles in MS, but if they did it would primarily be for reasons other than Stuxnet and Flame, or any other computer espionage program.
Re:Ockham's razor (Score:5, Insightful)
>
It would take a good team, and time, but no need to have a mole. I would not be surprised if the US Government had moles in MS, but if they did it would primarily be for reasons other than Stuxnet and Flame, or any other computer espionage program.
I would be surprised if the US doesn't have "spies" within Microsoft. Microsoft is huge, and hugely important in how the world handles data. I would be shocked if the US, China, India, Russia, and several other countries didn't have "spies" somewhere in Microsoft.
Re: (Score:2)
You agreed with what I said about them possibly having spies, but no other input. Do you really think they would be there to infect the OS and devise espionage schemes? I found that extremely unlikely. More like, they are making sure certain things don't get fixed, and making sure that the good people at Microsoft don't behave in corrupt ways that they are not known to act (Corrupt for the US is good, corrupt for China not so much). Maybe watching to make sure foreign influences don't hack espionage in
Re:Didn't the NSA offer to help 'secure' Linux? (Score:4, Insightful)
If you are sufficiently concerned about it, then you can inspect the sourcecode of linux and/or remove the parts you don't want...
You can't do that with windows.
If you're a national government, then you certainly have the resources to inspect linux, and you'd be foolish not to inspect the software you use for critical infrastructure.
Even if you can't or won't inspect the linux source, you at least gain some assurance from the fact that many independent people with differing goals are able to see the source. Again, this is something windows simply doesn't provide.
Re: (Score:2)
Quite honestly I have no idea what argument you were making. You don't seem to have made an argument. You had a some random gibberish and a link about a secure version of linux, which has nothing to do with what I was saying.
I wasn't alluding to anything. I said clearly that MS handed over everything to the NSA, and that the government can easily hire former MS employees. There's no secret that that would give them basically full access to windows. What they do with linux is a separate matter.
What educa
Re:Ockham's razor (Score:5, Interesting)
We can get even simpler and easier, MS already gives the military access to their source code so that it can be reviewed. This is a requirement for all the software used on the most secure systems.
It has always been viewed as a joke around here, because unless they are going to fix the bugs themselves, having the source isn't going to make windoze take extra care about your data.
So the simplest and most obvious answer is, they didn't need to sneak in, and they didn't need to make threats either.
Re:Ockham's razor (Score:5, Funny)
We can get even simpler and easier, MS already gives the military access to their source code so that it can be reviewed. This is a requirement for all the software used on the most secure systems.
It has always been viewed as a joke around here, because unless they are going to fix the bugs themselves, having the source isn't going to make windoze take extra care about your data.
So the simplest and most obvious answer is, they didn't need to sneak in, and they didn't need to make threats either.
That explains some of the mental breakdown of returning veterans...
Re: (Score:3)
Little known secret about Gitmo: Terrorists voluntarily spill the beans after they're forced to analyze the Windows source code for exploits. Everybody's led to believe it's waterboarding, but that's actually the lesser evil. There's a reason they don't send drones out for the engineers-turned-terrorists.
Re: (Score:2)
Not to belabor the obvious. This is one reason open source, over time, is more secure that closed source. Which would you rather rely on, software that has source code anybody can look at, or software that only the development company and the military of the world's sole superpower can look at?
Of course, nefarious elements can put subtle security bugs in open source projects, but one hopes over time that the community is able to find and eliminate them.
Re: (Score:3)
That is indeed the obvious advantage.
Another clear advantage to open source is that it is easy to obtain the source code from multiple different routes and run comparison checks, thus assuring that the source code you have is in fact the code everyone is using. If you are buying copies of closed source code on the black market, you have no assurance that the code is correct in all respects, and no way to assure that the seller is not an agent of the CIA, Mossad, MI5, or the French Foreign Legion.
Maybe you
Re: (Score:2)
Heck they probably got a pretty big pay off.
Yep. Because if they didn't share the code, then the software wouldn't have been allowed in. The "big pay off" was being allowed to sell the product to them.
Re: (Score:2)
Well, it's also highly likely that there are foreign government moles in MS too, given how widespread their software is foreign governments would be pretty foolish not to try and infiltrate them.
Re:Ockham's razor (Score:5, Insightful)
... or they just paid/threatened Microsoft. Much simpler and easier.
The problem with the claim put forward in the article is that it is *not* the logical conclusion of what we know about Stuxnet and Flame. What we know about Flame is that (i) it's the most advanced piece of malware ever created (that we know about), (ii) it has connections to Stuxnet, (iii) it's primarily targeting Iran, but it's also targeting Syria, Palestine, Egypt, Saudi Arabia. That information tells us a lot about who was behind it.
Okay, so first off, Flame is very large and extremely advanced. That implies a country with an advanced cyber-warfare program. That list is fairly short, and the big names on it are the United States, Russia, China, and Israel.
Second, the people behind Flame were also involved in Stuxnet. The people analyzing Stuxnet came to the conclusion that it was the work of two different countries, with suspicion falling on the U.S. and Israel. In the New York Times article, it's reported that Stuxnet is designed by the U.S., but the Israelis helped out. The Obama Administration has not denied anything published in that article.
Third, Flame is primarily targeting Iran, again that points to the U.S. and Israel, Iran's primary enemies. However, Flame's secondary targets are all areas that are potential threats to Israel (Syria, Palestine, Egypt, Saudi Arabia) but this list does not include countries that pose security threats to the U.S. but not to Israel (Afghanistan, Iraq, North Korea). Finally, there are also some Flame infections in Israel itself. Given that one of the purposes of an intelligence organization is (unfortunately) to spy on their own citizens, that also fits the idea that Flame is written by the Israelis.
If Flame is Israeli, then the idea that the U.S. is planting spies in Microsoft is not the "logical conclusion" of the facts at all. So does this mean that the Mossad has penetrated Microsoft? Well, I suppose it's possible. It would antagonize the U.S. to learn that our ally has spies in our corporations, but it's also been alleged that Israel has moles in the Pentagon, so it wouldn't be entirely surprising, either.
Re: (Score:2)
Neither GCC or the Linux kernel are products of "individuals/small foundations". Both GCC and the Linux kernel have tons of money behind them, with contributions by paid developers from large corporations like IBM, Oracle, HP, Intel, etc.. Red Hat also employs a number of kernel and GCC developers, and they certainly are not small. In fact, very little in GCC or the kernel is done by any non-paid developers.
The thing is, the complexity of software like Flame pretty much guarantees someone was paid to writ
Re: (Score:2)
Or they just have smart enough people that can figure out how Windows works without actually having to be an employee. Much simpler too to just have a cheap summer hire save up all the source code on a thumb drive.
Re: (Score:2)
Bill Gates, the inventor of punk rock
HUH????
Re: (Score:2)
Thanks for that correction, good gawd everyone knows that Al Gore invented punk rock right before the internet!
They don't need them... (Score:4, Insightful)
The US Government has licenses for the Windows source code. Nothing we've seen those virii do have required anything more than that.
Re:They don't need them... (Score:5, Insightful)
Re: (Score:2)
Read TFA, it states specifically that the Cert was broken so they could face MS certificates with ease.
Re: (Score:2)
Unlike some Yahoo...
http://www.pcworld.com/article/256182/yahoo_leaks_private_key_allows_anyone_to_build_yahoosigned_chrome_extensions.html [pcworld.com]
Re: (Score:2)
Re: (Score:2)
For fuck's sake, Sheldon, the T and F are right next to each other. He's probably at work and forced to use IE 6 or 7, which don't have spell checkers.
Frag somebody for spelling "lose" with two "O"s, changing the meaning of the sentence, and you have a point. Otherwise the only point is on your head.
Re: (Score:2)
For fuck's sake, Sheldon, the T and R are right next to each other. He's probably at work and forced to use IE 6 or 7, which don't have spell checkers.
Since we're making corrections.. FTFY
Re: (Score:2)
I thought it was peni?
Re: (Score:2)
Wouldn't surprise me. (Score:5, Insightful)
not only operating systems (Score:3, Insightful)
Re: (Score:3, Interesting)
Don't forget that the US Department of Homeland Security maintains a giant list of security flaws. It's called the Common Vulnerabilities Enumeration [mitre.org].
Check the fine print at the bottom of the page: "CVE is co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security."
So that means the government doesn't even need to go looking for holes - security companies send them to the government directly to be listed!
No mole required, just a "friendly" email informing them that they
Re: (Score:2, Informative)
Don't forget that the US Department of Homeland Security maintains a giant list of security flaws. It's called the Common Vulnerabilities Enumeration [mitre.org].
Check the fine print at the bottom of the page: "CVE is co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security."
So that means the government doesn't even need to go looking for holes - security companies send them to the government directly to be listed!
No mole required, just a "friendly" email informing them that they're going to keep silent for a bit and "forgetting" to post the alert publicly.
CVE doesn't work that way. From the FAQ:
Isn’t CVE just another vulnerability database?
No. CVE is not a vulnerability database. CVE is designed to allow vulnerability databases and other capabilities to be linked together, and to facilitate the comparison of security tools and services. As such, CVE does not contain information such as risk, impact, fix information, or detailed technical information. CVE only contains the standard identifier number with status indicator, a brief description, and references to related vulnerability reports and advisories.
The project arose because different vendors were assigning different names and ids to vulnerabilities and generally just confusing the hell out of everyone. CVE just provides a standard id that all of the different security researchers can use to refer to the same issue.
In practice, researchers typically contact MITRE or other software vendors participating in the program to obtain a CVE ID, possibly before the assessment of the vulnerability is complete. Then they
Why would the US government need moles? (Score:4, Insightful)
Re:Why would the US government need moles? (Score:5, Insightful)
There are just some sacrifices that are too great to bear...
Re: (Score:3)
Hmmmm... then even if I use TrueCrypt, there's no way to trust it.
I'm guessing this is where stories about the Chinese government rolling their own Linux distro come from.
Re: (Score:2)
No decent American (ahem) company could refuse.
As opposed to Kaspersky? Some Russian spook was in K's offices 10 minutes after the announcement was made that K had discovered Flame.
And the PRC? They've got patriotic countrymen in every tech firm in the US and Europe.
When did /. become Infowars? (Score:5, Informative)
They THINK there MIGHT be moles inside Microsoft. ("Definitive proof!" says Alex on his radio show.) That's nice. I think their might be moles inside everybody's backyards..... I haven't actually seen any, but let's publish it anyway and scare everyone.
1. Publish some random guy
2. Spin it to make it sound factual "evidence"
3. $profit$
Glenn Beck reporting style. (Score:3)
Now I'm not saying there are moles at Microsoft and Apple, but neither of them have reported back to me either way.
So, what are they hiding?
Re: (Score:2)
And Rachel Maddow. And Ed Schultz. And .....
But Beck usually backs-up his stuff with documents. Quoting Bill Ayers or Cloward-Piven from the 70s saying, "We will blow-up government buildings and take over through force," is pretty damning. Quoting the FBI Agent who infiltrated the organization and confirms they were prepared to kill to achieve their ends is also pretty damning.
Re: (Score:2)
You forgot Rush and O'Reilly.
Beck is a hack. Actually, all of them are, Maddow, Limbaugh, etc...
The "news" attack style he and his counterparts use are so filled with holes and fallacies you could drive an entire interstate highway worth of trucks through them.
Re: (Score:2, Offtopic)
But that is how conspiracies work. The more information you don't have the stronger the evidence that it must be real.
I mean a while back they took a mixed race baby born in a different country, paid the hospital to lie to publish a new paper reports, and an other insider generated false documents to prove he was born in the United States, Pay for a team of actors to say they knew this child when they were children, all in the offshoot that perhaps this child (where the culture at the time figured had near
Re: (Score:2)
But that is how conspiracies work. The more information you don't have the stronger the evidence that it must be real. I mean a while back they took a mixed race baby born in a different country, paid the hospital to lie to publish a new paper reports, and an other insider generated false documents to prove he was born in the United States, Pay for a team of actors to say they knew this child when they were children, all in the offshoot that perhaps this child (where the culture at the time figured had near 0 chance of major success in life) would become president and support the Socialist Cause....
Yea, and the moon landings where faked too.... Seriously, there are just some things that do not make sense to keep beating and this whole birther thing is a long dead horse, as is the idea that the moon landings were faked or 9/11 was an inside job. Besides, there are more effective arguments you can use to use that don't involve wild conspiracies where you have to suspend all reason.
It's usually better to not think of things as conspiracies anyway. Folks are usually not that good at cooking up such com
Re: (Score:2)
Are you sure? Hell if I had a few trillion dollars like some of them guys and no real job, I'd probably sit around scheming all day. I have morals, so doubt my scheming would be in the same lines as theirs, but still..
Re: (Score:2)
Numbered what, like twenty-seven bazillion?
Re: (Score:2)
And you do realize that many of those theories came out to be correct right? Such is the nature of conspiracies, if theories are correct then they show themselves. Search for TCP ACK, Tread milling applications, and monopoly for a start. Then compare many of those posts to the US vs. MS, Iowa vs. MS, Novel vs. MS, etc.. etc...
Of course there is always some chatting and opinion tossing in threads as well, but that is the nature of any forum. It's very odd that a company that people talking about a compan
Re: (Score:2)
Wow, must be way passed my bed time. '''It's very odd that a company that people talking about a company that has been found guilty of illegal monopolistic practices is considered FUD by you. Do you have any idea how many times they have been found guilty? ''' haha, sorry. Let me try that again with English
It's very odd that you believe it's FUD when people talk poorly of MS. They have been found guilty of abusing their monopoly power many many times. Any guess at how many times? It is a large number,
They may just ask (Score:2)
Seriously, they might be undercover from some but not the ones that do the hiring. That way they could get in just the right posisition to be in.
You might as well title this differently (Score:3, Insightful)
"Foreign government officials could be working under cover at Microsoft".
Since many/much of the actual development is overseas anyway.
Moles? What the fuck. (Score:2)
Government: "Hello there, Microsoft. This here is a really big gun. We want your source code."
Microsoft: "Ummm, okay."
The End
What's this crap about a mole again? Moles are for when you can't just walk in the front door and take whatever you want.
No need for the gun (Score:2)
Every major government around the world ALREADY has access to Windows source code. Starting in 2001, when Microsoft's security started being a major focus, they began a program to grant access to the code to interested parties.
http://www.microsoft.com/en-us/sharedsource/government-security-program.aspx [microsoft.com]
http://www.microsoft.com/en-us/sharedsource/ [microsoft.com]
Re: (Score:2)
Make an obvious show of force, and fifty people know about it. When one of them talks, you have no idea who spilled the beans, and in fact, you really can't tell if anyone did or if it's an outsider just speculating that you leaned on Microsoft. The quietest way is to plan in advance. Find a young guy in your agency who has what it takes to become just the right employee in the right position a few years down the road, and pay him* to get really good at what you think Microsoft will want by then. The second
Sigh. (Score:5, Informative)
You don't need a big gun to get the MS source code. It isn't some big fucking secret like all the ./ers seem to think. It isn't GPL, but plenty of institutions have copies. Basically any government that uses Windows does, huge surprise there. Also a lot of research universities. One such university I know that has it is ASU. Then there are copies in the hands of partners for better debugging/integration of their products.
Just because the source isn't on Sourceforge, doesn't mean it is some massive secret. A bit of Google would get you http://www.microsoft.com/en-us/sharedsource/default.aspx [microsoft.com] which is MS's page on their source sharing.
Re: (Score:2)
I know you're new around here, but please, everybody else has known for years and years that the US Government already has a license to MS source code. Even countries like India have that license. What is in the source isn't secret, and the files have even been broadly published for example on torrent networks. It is highly restricted, but not unknown or unknownable.
And in the general case, any company that is providing software for use in the most secure military installations gave access to their code yea
Re: (Score:3)
"Government: "Hello there, Microsoft. This here is a really big gun. We want your source code."
Microsoft: "Ummm, okay." "
That's a terrifying abuse of government power! I hope they don't extort source from the Linux community.
The article asks a question? (Score:2)
Go full Tin-foil Hat! (Score:4, Funny)
New Monkey Dance (Score:3)
Destabilizers! Destabilizers! Destabilizers! Destabilizers!
Skin Cancer (Score:2)
The question should be, whether these moles will lead to skin cancer, and if Microsoft should limit's exposure to the sun to counter balance them.
Re: (Score:2)
The question should be, whether these moles will lead to skin cancer, and if Microsoft should limit's exposure to the sun to counter balance them.
Why do you think Microsoft is headquartered in the Seattle area?
Coincidence? I should think not.
More baseless nonsense please (Score:3, Interesting)
Author of TFA dreams up some impossible to falsify idea - offers no supporting evidence of any kind except to say it is plausable.
I love myself a good MS conspiracy and I'm sure there are plenty which actually do exist but lets not reward intellectual laziness.
Just two questions:
1. What do editors of PC Pro get paid to do?
2. What is it doing on slashdot?
Now if you'll excuse me my magic unicorn 'Flame' is hungry and wants a bowl of lucky charms before flying back to the land of lua to meet the angry birds.
Why not... (Score:2)
Could US cyberspies have moles inside Microsoft? (Score:2)
The answer to headlines that end with a question mark:
No.
but it would be common sense (Score:2)
1) The fact that it's common sense does not mean the government is doing it
2) If it's common sense, why is it worthy of news?
Hashtag (Score:2)
Countdown Clock (Score:2)
Not just US (Score:2)
No. (Score:3, Informative)
Read more about what actually happened. Microsoft was using some keys with md5 hashing that weren't properly set to prohibit their use for code signing and those keys were signed by the Microsoft root. Using a collision attack they created a copy of a signed key and used that to sign their code.
Brief Explanation:
http://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx
Detailed Explanation:
http://blogs.technet.com/b/srd/archive/2012/06/06/more-information-about-the-digital-certificates-used-to-sign-the-flame-malware.aspx
Hotfix MS just published to speed up the revocation process:
http://blogs.technet.com/b/pki/archive/2012/06/12/announcing-the-automated-updater-of-untrustworthy-certificates-and-keys.aspx
http://support.microsoft.com/kb/2677070
Why bother? (Score:3)
Why would hte government bother with moles when it can just read the Microsoft engineers minds from it's spy satellites. It's common sense that they'd be doing this.
Probably both moles and covert agreements (Score:2)
They're not exclusive and the government doesn't trust Microsoft either. Sure, pretend to partner with Microsoft and put in some explicit backdoors. Just make sure that there are a few Microsoft doesn't know about too.
Meaningless. (Score:2)
1. DUH
2. "May have". Yeah, that's news. Meaningless. They "may not have" too. Is there something specific somebody has to say, with something to back it up other than a closed circle of "may have"?
3. Speculation is fact on Slashdot. This warrants an article, why? Is there NEWS here, or are we going to see "space aliens MAY HAVE dressed up like call-boys and 'anally probed' the editorial staff"?
Wankers.
Re: (Score:2)
3. Speculation is fact on Slashdot. This warrants an article, why? Is there NEWS here, or are we going to see "space aliens MAY HAVE dressed up like call-boys and 'anally probed' the editorial staff"?
-1. You do realize that Slashdot does not write the articles right? Discussion is Slashdot members, and your number 1 and number 2 have been stated a few dozen times.
Odd that you seemingly fail to grasp the basic concept of -1 and call others wankers.
I miss the old days... (Score:2)
Oh, and get off my lawn...
Foolish countries... (Score:2)
Why would the government of countries such as Iran, run closed source software from openly unfriendly countries such as the US?
They should either be writing their own, or at the very least using open source so they can thoroughly audit it.
Same applies to hardware, they don't need to develop their own hardware from scratch, just use published designs, inspect them and then manufacture their own.
Why bother hiding? (Score:2)
All they have to do is walk up to Microsoft and tell them they WILL do xyz. And let them know if they reveal it, they are violating national security and will be jailed.
All backwards (Score:2)
It's true... (Score:2)
Shortly after we loaded Microsoft's Command Navigation Program hotfix, we were out cruising in our Battlestar when, poof, all our systems went offline and, a few seconds later, in came the nukes...
Ever wonder why ... (Score:2)
hehe, and he thinks they aren't at F-Secure? (Score:2)
Silly human =)
Re: (Score:2)
Re: (Score:2)
The security vulnerabilities used to get stuff on the network and computers themselves would be a microsoft issue. Most of the industrial control equipment software wouldn't even try and be secure.
Re: (Score:2)
Re:Doesn't really make sense to me (Score:4, Interesting)
Imagine a government with access to a complex OS source code. Then imagine that they get data on all manner of security holes as they are discovered. Imagine also that this government has access to OS security update certifications. Finally, imagine that this same government has the ability to hack into server DNS tables to route targeted users to their alternative 'security updates'.
The penetration of any software company by undercover government operatives would hardly be surprising, but entirely unnecessary. Microsoft would hardly be alone as a target of such espionage -- every software company would be vulnerable, including OSS. There is also the issue with 'backdoors' hard-wired into computer hardware, including especially telecom systems. IIRC, this became an issue recently with news of backdoors alleged to exist in VLSI circuits manufactured in China. Older news alleged that Israel also puts backdoors into the telecom hardware they sell & ship, including to the USA government.
If virtually every government does such spying, including upon their own citizens, and any number of software & hardware companies do the same with their customers, any cautious user of such technology should be aware of the potential security breaches they expose themselves to every time they connect to the internet, or open their front door for that matter. Redundancy & breadth of security beats security through obscurity any day.
The phrases of the day are, "Trust no one", "Security in depth", and "If it can't be accessed remotely, it's more secure & less vulnerable". At that point, physical security & Tempest-hardening secure your valuable data. The rhetorical question is, "How valuable is your data if you cannot readily access it?" I found it humorous that the USA government recently wanted reporters to write their news stories on government-supplied computers, if only to avoid unwanted data leaks & stop potential whistleblowers in their tracks.
Trust the USA government, or any government, or any corporation with an agenda? Why take that risk unmitigated? And who in Hades would put vulnerable sensitive SCADA systems in close proximity to the Internet except an idiot?
Re: (Score:2)
Imagine a government with access to a complex OS source code.
Hmmmm.... I close my eyes and imagine that.... Um.. Not much help to me without the necessary tools to build said source into something and perhaps some documentation that explains how stuff is supposed to work... Oh, Well I suppose you could eventually figure out what tools you needed though trial and error, then developed your own documentation on the internal workings of Microsoft's code.. But make no mistake, it's NOT going to be an easy task to work through enough of this to even attempt to use the k
Re: (Score:2)
Besides, it would be MUCH easier and cheaper to co-opt some hardware vendor's driver set and slip your stuff into that than risk doing the same at Microsoft.. Not that I'm saying it didn't happen, only that it seems easier other ways.....
I agree. And there have been documented cases of this being done. One of the most famous was the worm installed in firmware of a printer shipped to Iraq that incapacitated big chunks of Saddam's air defense system, courtesy of the NSA.
And again regarding hardware: I wonder how many add-in PC cards like video or network that have back-doors built-in, or even hidden 'features' built into the firmware. I just threw out a serial/parallel ISA board so old that it was all TTL logic, no VLSI, no firmware.
Some w
Re: (Score:2)
You are making it way way way to complex!
1. Develop virus
2. Break MS MD5 certs (NSA has enough compute power to have done this, but many others as well).
3. Set up server running web services mimicking MS Update. Really not that difficult with ASP pages.
4. Intercept clients DNS request for MS update, send IP of your fake server.
5. Send "Update" which contains Virus
The virus in this case was extremely complex, but the rest is really script kiddie territory.
Re: (Score:2)
I don't see how working at microsoft would give you any advantage at making Stuxnet or Flame. It's not like Microsoft put secret holes in their OS so people in MS can access everyone's computer. Probably my mom wrote that article.
Indeed, it was inside information from Siemens that was used in Stuxnet, and Siemens cooperated fully and completely.
Re: (Score:2)
Please, don't be shy Anonymous Coward. I believe that you are onto something there.
When conspiracy theories ultimately are discovered to be conspiracy fact, the mainstream media will dismiss it as 'common sense everyone knew', 'nothing to see here', and then put the sheeple back to sleep. Causality doesn't equate to coincidence. Anyway, I don't believe that any chain of statistically improbable events conflates to mere coincidence. Mere coincidence is highly over-rated. It is stated, with some degree o
Re: (Score:2)
And here I thought that tin foil hats, or tin foil hats with a lead liner were the proper head-gear for conspiracy theorists.
Either I missed the memo, or that memo was nefariously diverted. I'm betting on the latter in this case.
Re: (Score:2)
What matters, is that you can see and inspect their contributions, or even remove them if you want.
Sure, you may not have the skills, resources or desire to inspect the code, but governments certainly do, and certainly should for anything remotely important. Plus for an organisation the size of a national government, inspecting sourcecode once and then using it widely isn't even all that much of an overhead.
Re: (Score:2)
That was clear, I was just extending a few thoughts to what you wrote :D
Re: (Score:2)
Wrong with your first statement, the majority of the worlds data is on Unix or Unix like systems. Desktop files (.doc, .xls, etc..) are an extremely small portion of the worlds data. The rest of your statement is agreeable.
Re: (Score:2)
I believe they are one of the biggest lobbyist companies, so in a way that would be correct.