Slashdot Mirror


Microsoft Gets Help From NSA for Vista Security

An anonymous reader writes "The Washington Post is reporting that Microsoft received help from the National Security Agency in protecting the Vista operating system from worms and viruses. The Agency aimed to help as many people as they could, and chose to assist Vista with good reason: the OS still has a 90 percent lock on the PC market, with some 600 million Vista users expected by 2010. From the article: 'The Redmond, Wash., software maker declined to be specific about the contributions the NSA made to secure the Windows operating system ... Microsoft said this is not the first time it has sought help from the NSA. For about four years, Microsoft has tapped the spy agency for security expertise in reviewing its operating systems, including the Windows XP consumer version and the Windows Server 2003 for corporate customers.'"

2 of 233 comments

  1. Nothing new to NSA... by daveschroeder · Score: 5, Informative

    Information Assurance has long been one of NSA's primary missions. NSA ran the Trusted Product Evaluation Program (TPEP) since 1983, which evaluated off-the-shelf commercial products against standardized security criteria, and employed various experts from government, military, academia, and industry. Contributions or recommendations from TPEP often were incorporated into future iterations of vendor products. The expanded Common Criteria programs, which grew in part out of the US Trusted Computer System Evaluation Criteria (TCSEC, the famous Rainbow Series of security publications), picked up where TPEP left off, now administered by the National Information Assurance Partnership (NIAP) of NSA and NIST.

    NSA's Information Assurance Directorate also provides public security configuration guides for many popular applications, operating systems, database servers, routers, and other networking equipment.

    Also, don't forget to check out NSA's Security-enhanced Linux (SELinux) (FAQ).

    When US computing, communications, and networking implementations are more secure, we all benefit, and NSA contributes to this in its overall mission.

  2. Re:Spook backdoor to Vista by jafac · Score: 4, Informative

    Well, there are two things about this.

    First, there's the mysterious NSAKey API that was in IE 4.0 (don't know if it was in later versions).
    Then, there's the regkey for tcpip maxhalfopenretries, or is it maxhalfopenretires? Nobody seems to know. Yet the "retires" version is in the Win2k template supplied by the NSA. And if you run that template, this setting shows up as a vulnerability on security scans. It's a hell of a bad back door, if it's a back door (because the vulnerability is a DoS, not very useful for snooping), but I don't understand how this mistake could just sit there, in plain text, in a freely downloadable template, without anyone trying to address it for so many years.

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.