Slashdot Mirror


Microsoft Gets Help From NSA for Vista Security

An anonymous reader writes "The Washington Post is reporting that Microsoft received help from the National Security Agency in protecting the Vista operating system from worms and viruses. The Agency aimed to help as many people as they could, and chose to assist Vista with good reason: the OS still has a 90 percent lock on the PC market, with some 600 million Vista users expected by 2010. From the article: 'The Redmond, Wash., software maker declined to be specific about the contributions the NSA made to secure the Windows operating system ... Microsoft said this is not the first time it has sought help from the NSA. For about four years, Microsoft has tapped the spy agency for security expertise in reviewing its operating systems, including the Windows XP consumer version and the Windows Server 2003 for corporate customers.'"

4 of 233 comments

  1. Nothing new to NSA... by daveschroeder · Score: 5, Informative

    Information Assurance has long been one of NSA's primary missions. NSA ran the Trusted Product Evaluation Program (TPEP) since 1983, which evaluated off-the-shelf commercial products against standardized security criteria, and employed various experts from government, military, academia, and industry. Contributions or recommendations from TPEP often were incorporated into future iterations of vendor products. The expanded Common Criteria programs, which grew in part out of the US Trusted Computer System Evaluation Criteria (TCSEC, the famous Rainbow Series of security publications), picked up where TPEP left off, now administered by the National Information Assurance Partnership (NIAP) of NSA and NIST.

    NSA's Information Assurance Directorate also provides public security configuration guides for many popular applications, operating systems, database servers, routers, and other networking equipment.

    Also, don't forget to check out NSA's Security-enhanced Linux (SELinux) (FAQ).

    When US computing, communications, and networking implementations are more secure, we all benefit, and NSA contributes to this in its overall mission.

  2. Re:wouldn't it be nice? by bmajik · Score: 3, Informative

    A cursory glance at the article would reveal that the spooks also work with Apple and that Novell also works with "somebody" in the govt.

    The article also states why the NSA thinks this is in their (and the country's) interest - the mandate has come down that procurement focus on COTS (commercial, off the shelf) for more and more things. If the security of the nation or the safety of a ship or soldier are going to be left to commercial software, the government should take a more active role in due diligence and capability review of the products it is buying. The NSA is a logical choice for doing some of that work.

    I am a little surprised that nobody has said "the NSA is hoarding vulnerability info on Windows for their own evil purposes! Use Linux!" I'll leave it as an exercise to the reader as to why that is a non-issue. (Hint: does the NSA also get to review the Linux code?)

    --
    My opinions are my own, and do not necessarily represent those of my employer.
  3. Re:Security Enhanced Linux by Vegard · Score: 3, Informative

    In addition to the other comments: If it's their own code, and only theirs, they are free to license it under any license they will, even if it's already licensed under GPL. It's called dual-licensing, and is a well-known practice.

    - Vegard

  4. Re:Spook backdoor to Vista by jafac · Score: 4, Informative

    Well, there are two things about this.

    First, there's the mysterious NSAKey API that was in IE 4.0 (don't know if it was in later versions).
    Then, there's the regkey for tcpip maxhalfopenretries, or is it maxhalfopenretires? Nobody seems to know. Yet the "retires" version is in the Win2k template supplied by the NSA. And if you run that template, this setting shows up as a vulnerability on security scans. It's a hell of a bad back door, if it's a back door (because the vulnerability is a DoS, not very useful for snooping), but I don't understand how this mistake could just sit there, in plain text, in a freely downloadable template, without anyone trying to address it for so many years.

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.