Microsoft's NSA 'Transparency' Push Remains Pretty Opaque 90
Nerval's Lobster writes "Microsoft will encrypt consumer data and make its software code more transparent, in a bid to boost consumer confidence in its security. Microsoft claims that it will now encrypt data flowing through Outlook.com, Office 365, SkyDrive, and Windows Azure. That will include data moving between customers' devices and Microsoft servers, as well as data moving between Microsoft data-centers. The increased-transparency part of Microsoft's new initiative is perhaps the most interesting, considering the company's longstanding advocacy of proprietary software. But Microsoft actually isn't planning on throwing its code open for anyone to examine, as much as that might quell fears about government-designed backdoors and other nefarious programming. Instead, according to its general counsel Brad Smith, "transparency" means "building on our long-standing program that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors." In addition, Microsoft plans on opening a network of "transparency centers" where customers can go to "assure themselves of the integrity of Microsoft's products." That's not exactly the equivalent of volunteers going through TrueCrypt to ensure a lack of NSA backdoors, and it seems questionable whether such moves (vague as they are at this point) on Microsoft's part will assure anyone that it hasn't been compromised by government sources. But with Google and other tech firms making a lot of noise about encrypting their respective services, Microsoft has little choice but to join them in introducing new privacy initiatives."
Re: (Score:3)
actually where pretend tries rank... this is not a nice one at all.
so what? (Score:5, Insightful)
Re: (Score:2)
all legal like so... only option ... do not cloud
Re:so what? (Score:5, Interesting)
so they encrypt it, giving people a false sense of security, while they have already given the decryption key to the NSA...
Fixed. [theguardian.com] It's a pretty meaningless promise considering what they already do.
Re: (Score:3)
Re: (Score:2)
Or the NSA has checked the software to ensure that they already know/don't need that key.
Re: (Score:3, Insightful)
This. Who cares what they claim to do with encryption if they willingly co-operate with NSA giving everything away anyway.
As long as US Govt. considers every non-US person a perfectly legit target for any and all NSA surveillance (for any reason or for no reason), "cloud companies" in the US have a really really really bad problem.
At the same time NSA seems to be working hard to downplay any snooping of US persons (since they cannot legally justify that) and hey, that makes sense. Only way anyone could put
Skype (Score:1)
Indeed, I thought that was the whole point of MS putting Skype on the NSA PRISM program.
Morons and Oxymorons (Score:5, Insightful)
Anyone who trusts Microsoft is a moron.
Microsoft Transparency is an Oxymoron; unless we are talking about Aero Glass transparency.
Re: (Score:2)
But yeah, if you trust that Microsoft will 'help' you 'stay silent' from the NSA, then you should read this [computerworld.com]. Because in reality, the NSA 'helped' Microsoft build Windows 7.
Whee! (Score:1)
Prince Humperdinck: Surrender.
Westley: You mean you wish to surrender to me? Very well, I accept.
Given that... (Score:1)
....given that Microsoft isn't going to open their source to the world, this seems a reasonable step from them.
I mean, nobody here's going to give them the tiniest lick of credit for it, but such is /.
Re: (Score:1, Insightful)
....given that Microsoft isn't going to open their source to the world, this seems a reasonable step from them.
Spoken like a true Microsoft apologist. Here let me put it into perspective for you, since you couldn't be bothered to read TFA summary:
"transparency" means "building on our long-standing program that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors."
So "government customers" can "review" the source code. Not you or me or the rest of the world. Not that "government customers" care, or have the manpower and technical skills to actually hunt through a big messy blob of source code to find back doors. The only government customers capable of knowing what a back door looks like are the government customers who ordered i
Define "encryption"... (Score:5, Insightful)
Encryption is not a one size fits all solution. I can say that I use encryption for everything because my HDDs use FDE (BitLocker, FileVault, and LUKS.) However, encrypting everything that hits the platters doesn't give any protection against remote attack. Scale that up to the enterprise, and having a low level PowerPath driver encrypt what hits a LUN doesn't matter much if the host machine gets breached.
While I do have faith that BitLocker and other items are not obviously backdoored, my eyes glaze over when companies say that they will just encrypt stuff, all problems over.
Encryption just makes the amount of sensitive data move from the data to how keys are stored, and attackers will just start hitting the key management system, either bribing/coercing an admin, or use basic social engineering techniques to get access to stored keys.
Even hardware key storage devices are not 100%. One can always hack a user account on one of those to sign/decrypt data even without access to the key material itself.
Encryption is just one piece. It can be equated to use of a safe. However, safecrackers tend to care less about the safe itself than the lock on the safe, and the key management is what makes or breaks security.
Re: (Score:1)
Bitlocker is a Microsoft product. It has backdoors.
Re: (Score:1)
[Citation Needed.]
Re: (Score:2)
[Citation Needed.]
Major data encryption software like TrueCrypt, Microsoft BitLocker, FileVault, BestCrypt etc have backdoors which allows access to data without the key.
This was disclosed as per a presentation leaked @ http://cryptome.org/ [cryptome.org] which was given by Detective Michael Smith. Computer Crimes & Computer Forensics, Linn County Sheriff’s Office.
Although NCMEC (National Center for Missing and Exploited Children) says that they use it for detecting child pornography but the discloser itself is sufficient to raise doubts on NSA-corporate bond again
http://hackingly.org/nsa/backdoor-in-truecrypt-bitlocker-filevault-281.html [hackingly.org]
Re: (Score:3)
Historically propriatary software tends to be rather poor when it comes to cryptography. Cryptography is hard to get right, since even apparently trivial changes can have huge effects on the security of the code. Any requirement for "backdoors" is likely to make things even harder.
Re: (Score:3)
I get the not-so-fresh feeling being devil's advocate here, but (and this is opinion here, so take it, leave it, or just laugh at it) BitLocker is something that MS did seem to make a decent effort at getting right.
Unlike TrueCrypt, BitLocker is written not just for security, but for enterprise recoverability, so come e-Discovery time, one can recover the data on a laptop after an employee left.
If MS did drop the ball with BitLocker, they would be in a world of hurt. There are many laptops lost out there,
Ancient Password Storage Secret (Score:2, Interesting)
I use an 80-year-old monk with a photographic memory to store my password. He does not feel pain. He does not feel greed. He will only quietly unlock what I need unlocked.
Re: (Score:1)
Ever read Freedom(TM)? A mercenary is put in an fMRI scanner and has intelligence extracted from him even though he remains completely silent. They just ask a serious of questions and narrow down the answer. "Does your name begin with the letter A? B? C? D?..." Try as he might, he can't help but produce measurable brain responses when he sees information he knows to be correct and eventually reveals all his personal details and for whom he works.
Re: (Score:2)
Note that "cloud storage" along with "file sharing" can be a method of defeating filesystem encryption. Especially if the communication is itself encrypted so you can't easily tell what is being synchronised/shared.
In other words Microsoft's "transparency" ends (Score:4, Insightful)
...where NSA contracts begin. Much to the surprise of absolutely no-one at all.
Re: (Score:3)
Who do you imagine are their customers, and what is it that you imagine that they're selling?
You're probably wrong on both counts.
What are people expecting? (Score:4, Interesting)
Short of encrypting data before it hits the server, using a private key that is managed only by the user, there really isn't anything these big companies can do to improve your security.
Protecting data in transport? HTTPS's key management is compromised so that's not going to protect against the NSA. Are they going to overhaul that system?
Does it also build synergy with best-practices? (Score:3)
building on our long-standing program that provides government customers with an appropriate ability to review our source code
Well, of course, we wouldn't expect you to allow anyone in with an inappropriate ability to review your source code.
They still exist? (Score:2, Interesting)
>> it seems questionable whether such moves (vague as they are at this point) on Microsoft's part will assure anyone that it hasn't been compromised by government sources
I'm genuinely surprised that apparently some people still exist that think Microsoft might actually not be providing the government with backdoors and feeds of everything that goes anywhere near their products and/or servers.
Re:They still exist? (Score:4, Informative)
Nobody has ever shown any detailed proof of government backdoors in their products. But hey facts really have nothing to do with today's shallow thinking.
Re: (Score:1)
Nobody has ever shown any detailed proof of non-existence of government backdoors in their products. But hey facts really have nothing to do with today's shallow thinking.
Re: (Score:2)
I really hope you are joking. How do you prove a negative? "We can't find something therefore it must exist!".
Re: (Score:2)
In this case it would be easy.
Microsoft could just open up ALL their source code to the EFF instead of only allowing the government to see it. They must already realise that asking the gov to check for backdoors is like asking the fox to guard the hen house.
The government are probably interested in the code but just to confirm that their backdoors are actually still in place, and to maybe add some more.
Re: (Score:2)
The absence of evidence of wrongdoing isn't evidence of the absence of wrongdoing.
Even the credible belief of a backdoor in a closed source security program should be taken seriously.
Sorry, not quite good enough (Score:3)
Saying that it is encrypted is one thing, but a whole lot more is needed to be confident in security. What if the encyption algorithms have problems, or the key generation produces an effective length of less than 2048, etc, etc.
Microsoft would be really smart if it released its security related code under some ''you can view this and try to break it but cannot sell/... license''. This need not be incompatible with keeping the rest of its code base proprietary. It would really boost confidence if people could independently rebuild the security DLLs. On the other hand if Microsoft does not do this we need to ask the question: what has it got to hide ?
Microsoft vs NSA (Score:2)
If only "embrace, extend, extinguish" worked on the NSA, Microsoft would get some serious Karma points.
Re: (Score:2)
Cute - I was thinking something more along the lines of:
"Hello, and welcome to Microsoft Software Security Assurance Enterprise, Small Business, Government, and Education Transparency Center number 6!
You'll notice that there's a beautiful and fluid whiteboard set up over here to the right. These lines represent our data flow between all of our convenient and secure value-adding services to our customers, and these dots with arrows pointing to an unlabeled blue box are transfer nodes, which Microsoft has de
Re: (Score:2)
So if Microsoft does not really belive in transparency/privacy...whats the point of all this initiatives?
Secret World Domination Agenda?
Its called follow the leader. See what the leaders in your industry are doing, and to not look like a boob, you do your own variation so people think you know how to play the game. Its a perception thing only, which only needs to work for a certain uninformed market segment (IE their customers).
Score:5, Informative (Score:1, Informative)
http://en.wikipedia.org/wiki/NSAKEY [wikipedia.org]
Re: (Score:2, Troll)
Imagine if they had NOT announced these (late) changes.
After a while, people would observe what is going on:
"Hey, Microsoft is not doing what Google and Yahoo did, I wonder why? "
Microsoft *had* to do this in order to try to hide their real colours.
In any organization as large as Microsoft ... (Score:2)
... even achieving transparency between departments is difficult. When I used to work there you should have seen what we went through to get code from other teams. In spite of the fact that the company rewards cross-group collaboration (which was the main reason we were doing it).
Wan't MS enthusiastically supporting the NSA? (Score:1)
I seem to remember that was the case.
America's corporate managers spineless wussies... (Score:2)
...who wouldn't know a principal if it bit them in the ass and sang "Yankee Doodle." They will bend over with a smile the moment any government agency wants them to do anything and ask if they'd like anything else. Encryption. Feh. All PR, smoke and mirrors. This is an attempt to change public perception. Nothing more.
What's the point? (Score:2)
The moment they receive a National Security Letter, the backdoor is added and pushed out in a regular software update. Or, on the server side, they add a tap anywhere they touch plaintext. Or they hand over keys.
Every US corporation is an arm of the NSA, except for those that follow Lavabit and choose to shut down rather than cooperate.
Re: (Score:2)
127 characters is low?
It used to be 16 characters, but that was back in the days of Windows 98, and NT 4.0 service pack 6a, well before AD forests and trees were in common use.
Only Microsoft? (Score:3)
Replace "Microsoft" with the name of any company that suddenly got religion and is now working so hard to protect our privacy. How long did it take Google to finally get around using https and secure logins? A long fucking time, but we can't say anything about Google - because they do nifty shit like flying WiFi balloons in Africa. Meanwhile, Bill Gates is on the ground giving billions to eradicate disease -- something that actually improves peoples' lives in a meaningful way. But we still have to slam Microsoft, because Billy boy and his minions are so evil.
None of the major IT companies gave a rats ass about user privacy until Snowden leaked his information. FFS -- enough with the slamming Microsoft shit already, the 90's have been over for a long time now. Go back to trolling on The Verge or Apple Insider.
Re: (Score:3)
Replace "Microsoft" with the name of any company that suddenly got religion and is now working so hard to protect our privacy. How long did it take Google to finally get around using https and secure logins? A long fucking time, but we can't say anything about Google - because they do nifty shit like flying WiFi balloons in Africa. Meanwhile, Bill Gates is on the ground giving billions to eradicate disease -- something that actually improves peoples' lives in a meaningful way. But we still have to slam Microsoft, because Billy boy and his minions are so evil.
None of the major IT companies gave a rats ass about user privacy until Snowden leaked his information. FFS -- enough with the slamming Microsoft shit already, the 90's have been over for a long time now. Go back to trolling on The Verge or Apple Insider.
Who is Bill Gates again? Oh right he';s the guy who doesn't run Microsoft.
Remind me how many people Ballmer helped?
Re: (Score:2)
How long did it take Google to finally get around using https and secure logins? A long fucking time
You don't know what you're talking about.
Google provided the option for SSL on all Google services back in 2008. At that point in time it was considered infeasible for large web services to do always-on SSL, because it would increase the load too much; SSL was only used for login pages, pages where financial information was entered, etc. In 2010 Google turned it on by default for all users for Gmail and other key services, long before any other major webmail providers did. In 2011 they turned it on by
Re: (Score:2)
heck Yahoo and Bing still don't use SSL for search
Out of curiosity I just went and tried it. Not only do they not use SSL by default, but you can't use SSL at all for searches on either site. Yahoo will serve the home page via HTTPS, but trying to search from it gives you first a big error message from your browser due to a certificate name mismatch, and if you click through that you get a 403. If you try to go to http://www.bing.com/ [bing.com] you get a blank page.
I didn't try either site while logged in, so it's possible that you can do secure searches if you
The Story of The Source Tree and the Root (Score:2)
Where oh where is the source tree.
Look, this is dumb.
Why don't they through up their hands, and say: "In all honesty people, we're fucked as much
as you are. Let's work together, in openness, to solve the problem at its root".
There Is Only One Question For Any Company (Score:1)
Will you or will you not cooperate with the NSA when they demand access?
We need to build mandatory encryption into our network protocols and remove the responsibility for complying with demands to compromise security from corporations and service providers entirely.
Only for communications? (Score:2)
Feeling the pressure. (Score:2)
The pressure from the International markets is only a smidgen of what MS deserves for helping the NSA all theses years starting when they got the pork handouts to port Omnivore away from Unix (Solaris) to MS's systems in 1998, and create Carnivore [wikipedia.org] -- despite everyone else in the military, etc. having POSIX requirements... And despite Linux existing in 1998 if "miniaturization" (PCs) were what they were shooting for. Yeah, MS has been in the thick of this shit for a good while. Snowden's privilege escalati