Microsoft Gets Help From NSA for Vista Security

An anonymous reader writes "The Washington Post is reporting that Microsoft received help from the National Security Agency in protecting the Vista operating system from worms and viruses. The Agency aimed to help as many people as they could, and chose to assist Vista with good reason: the OS still has a 90 percent lock on the PC market, with some 600 million Vista users expected by 2010. From the article: 'The Redmond, Wash., software maker declined to be specific about the contributions the NSA made to secure the Windows operating system ... Microsoft said this is not the first time it has sought help from the NSA. For about four years, Microsoft has tapped the spy agency for security expertise in reviewing its operating systems, including the Windows XP consumer version and the Windows Server 2003 for corporate customers.'"

Nothing new to NSA...

[daveschroeder]

Information Assurance has long been one of NSA's primary missions. NSA ran the Trusted Product Evaluation Program (TPEP) since 1983, which evaluated off-the-shelf commercial products against standardized security criteria, and employed various experts from government, military, academia, and industry. Contributions or recommendations from TPEP often were incorporated into future iterations of vendor products. The expanded Common Criteria programs, which grew in part out of the US Trusted Computer System Evaluation Criteria (TCSEC, the famous Rainbow Series of security publications), picked up where TPEP left off, now administered by the National Information Assurance Partnership (NAIP) of NSA and NIST.

NSA's Information Assurance Directorate also provides public security configuration guides for many popular applications, operating systems, database servers, routers, and other networking equipment.

Also, don't forget to check out NSA's Security-enhanced Linux (SELinux) (FAQ).

When US computing, communications, and networking implementations are more secure, we all benefit, and NSA contributes to this in its overall mission.

Re:Nothing new to NSA...

[temojen]

Also, there' no mention of how much of the NSA's advice MS has used and how much they've ignored.

Re:Nothing new to NSA...

[bbernard]

It's interesting to me to notice that at least some of the things the NSA has suggested for XP and 2003 are settings and options that need to be configured and are not pre-configured for "out-of-the-box" operation. For instance, password length and complexity. Perhaps that's a bad example, but it shows that Microsoft is willingly supplying their OS software configured in a way that they know provides sub-standard security. While I don't specifically blame them for that--can you imagine the home users that would jump to Mac if they had to "put up with" highly secure systems--I'd love to see an install option for "high security" or the like. Even 2003 server doesn't install with an NSA recommended configuration.

Re:Nothing new to NSA...

[bman08]

The problem is the question they asked. Not, "How can we make a secure product?" but "How can we make the product we have secure."

Re:Nothing new to NSA...

[novus+ordo]

Wouldn't be the first time.

wouldn't it be nice?

[yagu]

Wouldn't it be nice to be a company so large and dominant in it's industry yet so inept in delivering a code-complete product it gets help (I'm assuming for free) from government agencies to try and get it right? So, my tax dollars at work for Microsoft... (the article does mention Microsoft gets this help for free, I can only assume then "we" foot the bill).

I'm not saying Microsoft shouldn't collaborate with external organizations, but why am I paying for it? Even more reason to be upset about their usurious rates for their new OS. Consider that the drive I bought at Costco 10 years ago (500MB) costs on the order of 500 to 1000 times more (that's almost two magnitudes) than storage today, and that Microsoft continues to charge at the same rate -- they even seem to adjust for inflation.

</rant>

Re:wouldn't it be nice?

[DaveTuck]

Now lets see about increasing that H1B visa quota

What the hell have pencils got to do with it??!!

Re:wouldn't it be nice?

[bmajik]

A cursory glance at the article would reveal that the spooks also work with Apple and that Novel also works with "somebody" in the govt.

The article also states why the NSA thinks this is in their (and the countries) interest - the mandate has come down that procurement focus on COTS (commercial, off the shelf) for more and more things. If the security of the nation or the safety of a ship or soldier are going to be left to commercial software, the government should take a more active role in due dilligence and capability review of the products it is buying. The NSA is a logical choice for doing some of that work.

I am a little surprised that nobody has said "the NSA is hording vulnerability info on windows for their own evil purposes! Use Linux!" I'll leave it as an exercize to the reader as to why that is a non-issue. (Hint: does the NSA also get to review the linux code?)

Re:wouldn't it be nice?

[AndroidCat]

I don't see the problem.

For the same money as you paid for your hard drive 10 years ago, you get a drive with 500 to 1000 times more storage.
For the same money as you paid for Windows 10 years ago, you get a product that uses up 500 to 1000 times more storage.

Re:wouldn't it be nice?

[ScentCone]

Consider that the drive I bought at Costco 10 years ago (500MB) costs on the order of 500 to 1000 times more (that's almost two magnitudes) than storage today, and that Microsoft continues to charge at the same rate -- they even seem to adjust for inflation.

Do you really think that what Microsoft does and sells is the same thing as storage density? They have people, producing and supporting an enormous range of products and services. Unless you're suggesting that what it costs to employ and retain people has gone down by 500-1000 times over the last 10 years, I don't really think you're rationally comparing two useful things. Are you in IT? Have you reduced what you charge for you services by that much in the last 10 years?

Re:wouldn't it be nice?

[digitalchinky]

The Australian Defence Signals Directorate is also charted to undertake a similar role.

I'm not certain I follow your last sentence, though agencies that 'may' or 'may not' undertake active sigint would be wise (depending upon your moral guidance unit) to keep tabs on vulnerabilities. Not just in Microsoft products, but a very wide range of software and hardware systems. Including Linux. Yes, the NSA audits (just about) all external code before it is let loose inside. I say almost simply because viruses and the like have in the past been transported across the air gap.

There are many reasons to get chatty with commercial entities though.

Let me guess..

[scsirob]

.. They contributed "WIRETAP.DLL" and "TERRORSCAN.EXE" which are required components to pass the new-and-improved Windows Genuine Advantage test, right?!?

Re:Let me guess..

TERRORSCAN.EXE doesn't really conform to Microsoft naming conventions. You should probably be looking for terrscn.exe

Re:Let me guess..

[A_Non_Moose]

.. They contributed "WIRETAP.DLL" and "TERRORSCAN.EXE" which are required components to pass the new-and-improved Windows Genuine Advantage test, right?!?

(tinfoil hat mode = on)

No need, the backdoors are already in place, they just needed to strenghten the password to:

M0z1LLA3nG1n33r$aR3w33N13$

According to their own standards.

HTH

(/TFH off)

90% market share?

[Bohnanza]

"The Agency aimed to help as many people as they could, and chose to assist Vista with good reason: the OS still has a 90 percent lock on the PC market"

Wow! And it's not even out yet!

Buy!

[jbeaupre]

I'm buying more stock in Alcoa, that is. With the surge in Reynolds Wrap sales, I'll make a fortune! My just buy a roll myself.

Good, the NSA does some useful things

[crush]

If the NSA can help Microsoft tighten up it's shitty systems then that's good. There are already positive benefits from NSA research into the Flask OS in the form of GNU/Linux's SElinux.

The only problem I have with any of this is that this is another government subsidy (read our tax dollars) going to subsidise a private company which should (given the vast profits it makes) be able to pay for its own security research instead of dipping its snout into the public trough.

Tip of the day

[pubjames]

Hey, here's a tip for all you foreign governments out there: Don't use Windows! I hope that helps!

Seriously, I can't believe that there isn't greater demand for other alternatives to Windows in foreign governments. I wonder if Mahmoud Ahmadinejad uses windows...

Re:Tip of the day

[Cheesey]

Not just foreign governments - entire nations as well. A modern economy could be totally disrupted if all the Windows machines stopped working. It might be a bad idea to allow a foreign power to execute arbitrary code on machines in your country, which is exactly what Windows Update does. Windows Update is a very powerful weapon, all the more so because few recognise it as such.

Countries might want to set up firewalls to intercept updates so that they can be screened for malicious code before anyone can access them. All major application update mechanisms will need to be checked.

Re:BWHAHA

[jrwr00]

here we go, i found what it really said

If Microsoft made toasters... Every time you bought a loaf of bread, you would have to buy a Microsoft toaster. You wouldn't have to take the toaster, but you'd still have to pay for it anyway. Its Toaster XP and its new Toaster Vista would take up so much counter space in your kitchen that you'd have to buy a larger kitchen, plus they would draw enough electricity to power a small city. Both models would claim to be the first toaster that let you control how light or dark you want your toast to be, and would secretly interrogate your other appliances to find out who made them. If the appliances were made by another company, the Microsoft toaster would send a signal through the electric wiring in your house to disable them. Everyone would hate Microsoft toasters, but would buy them anyway since most of the good bread only works with Microsoft toasters. Microsoft would claim that it doesn't have a monopoly on toasters, but stores that sold other toasters would have to pay a lot more for Microsoft's toasters.

If the NSA made toasters... Your toaster would have a secret trap door that only the NSA could access in case its agents needed to get at your toast for reasons of national security.

Interesting (or not)

[theskipper]

Unless I missed it, while reading the article I kept expecting there to be a mention about the possible inclusion of a backdoor. Maybe my tinfoil hat is too tight but it seems like a valid question these days when discussing the NSA and operating systems. Especially for an upcoming consumer OS given that the sixpack set is reading more and more about privacy and fourth ammendment concerns in the mainstream press.

Point being, it seems like something that the vendor would want to dispel pronto. (Yes, Apple and Novell also as they collaborate with the NSA per TFA).

Helping Microsoft or helping users?

[mi]

I certainly understand and share the frustration of tax-dollars helping a healthy and profitable corporation, but another way to look at this is NSA is helping the users. The proper long-term solution would, probably, be to make software vendors liable for flaws in their products — as is the case with most other industries. Short-term, however, National Security Agency making personal computers harder to hijack does, indeed, contribute to, uhmm, national security...

Microsoft is not the only entity to benefit either, BTW. For example, FreeBSD cvs-commit messages have plenty of acknowledgments of government's help (fgrep for TrustedBSD). The NSA-funded SELinux is another example...

NSA is, supposedly, full of very smart, technically adept people, who, no doubt, strongly prefer Unix-like OSes (on average) to Microsoft's offerings. However, with Microsoft's market-dominance, it gives a lot more bang for the NSA's buck to help them, rather than the OSS projects...

Granted, there is a danger of this solution perpetuating the problem, but that's a distant and lesser danger, than the present and grave one of millions of zombies arraigned into bot-nets and immediately usable (and up for hire) against businesses and government institutions alike.

Re:Helping Microsoft or helping users?

[crush]

I certainly understand and share the frustration of tax-dollars helping a healthy and profitable corporation, but another way to look at this is NSA is helping the users.

It would be nice if that were true, but given the secrecy and lack of information about exactly what the NSA did we have no idea how "helped" any of us are.

As it stands, this announcement is effectively the government giving free publicity to Microsoft and claiming without any evidence that Vista is secure in some way. (See all the "Good Housekeeping" seal-of-approval guff from the Microsoft spokesperson in the article.) In fact we have no idea from this whether they were helping to get Treacherous Computing debugged, so that "the users" don't control the software on their machines properly, or if they just tested a firewall, or what.

In any event, if the government wanted to help "the users" it would make it very clear as to what security criteria were met and whether or not Vista reaches it. It would publish a table with GNU/Linux, Mac OSX, Microsoft Vista etc results from their testing labs and make recommendations as to which should/should-not be used if we want to stop our economy being crippled (through wasted time, ID theft etc) by crappy software.

The fact that none of the above is done lends credence to the theory that this is the government lending a helping hand to a private monopoly, because the roll out of their latest software abortion is looking like a flop.

This is the equivalent of Microsoft jumping up and down beside the NSA and yelling "look, I'm with the trustworthy guy!". Shame on the NSA for either being used, or voluntarily abusing its position like this.

Security Enhanced Linux

[DaoudaW]

On one hand since the NSA has been helping with linux security for years with SELinux, it seems only fair that they would be willing to similarly assist M$. But my concern would be whether they are violating the GPL under which they released SELinux. If they are using concepts they developed for the open source SELinux in Vista, shouldn't M$ be required to open source at least those portions of Vista?

Re:Security Enhanced Linux

[Vegard]

In addition to the other comments: If it's their own code, and only theirs, they are free to license it under any license they will, even if it's already licensed under GPL. It's called dual-licensing, and is a well-known practise.

- Vegard

NSA

[Savage-Rabbit]

Wouldn't it be nice to be a company so large and dominant in it's industry yet so inept in delivering a code-complete product it gets help (I'm assuming for free) from government agencies to try and get it right? To be fair to the NSA (and leaving aside for the moment any tin-foil-hat conspiracy theories about backdoors) they also gave Linux some security overhauls. So it's not as if they are picking sides here. The NSA also publishes Operating Systems Guides that any administrator or user can download and use to harden his/her OS. These are also available for multiple OS'es. I'm no fan of the NSA but sometimes they actually do good work.

Re:Tax Dollars

[Sancho]

Look at it this way: the NSA is helping to prevent zombies from spamming us all to hell. Even if you're not a Windows user, you have to live with 90% of the people on the Internets being Windows users.

Batting 500

[Gription]

"Wouldn't it be nice to be a company so large and dominant in it's industry yet so inept in delivering a code-complete product it gets help (I'm assuming for free) from government agencies to try and get it right? So, my tax dollars at work for Microsoft... (the article does mention Microsoft gets this help for free, I can only assume then "we" foot the bill)."

The NSA has many reasons to help MS. From the article it is obvious that they recognize that MS has a pervasive monopoly in desktop OSes and is expected to continue to. (Anyone hear the DOJ going EEK here?) If they secure this OS they make their lives easier and safer for the foreseeable future. Besides, they can get in on the development of the code and make sure that they will have the "behind the scenes" access that they want. (for your personal protection of course!)

"I'm not saying Microsoft shouldn't collaborate with external organizations, but why am I paying for it? Even more reason to be upset about their usurious rates for their new OS. Consider that the drive I bought at Costco 10 years ago (500MB) costs on the order of 500 to 1000 times more (that's almost two magnitudes) than storage today, and that Microsoft continues to charge at the same rate -- they even seem to adjust for inflation."

Huh?

When does the NSA help Linux distros and Mac OS?

[joekampf]

When is the NSA gonna help with Red Hat, Mandrake or Mac OS? I must say that this is totally off the board. MS should be paying the NSA to help with this. They should be footing the bill!

Now thats SPYWARE!

[netsfr]

lol

Actually, its kinda creepy...

password length and complexity

[wiredog]

The longer and more complex it is, the more likely it is to be written down on a post it stuck to the side of the monitor. Especially if you have multiple passwords on different change cycles. "Must have a capital letter, special character, number, be at least 8 characters long, and change every 3 months" is probably, in the long run, no more secure than "must be at least 8 characters long, contain one or more non-alphabetic characters, and change twice a year".

Re:password length and complexity

[spun]

There's an easy way to deal with complex password requirements. One place I worked required 8 characters with at least one capital letter, one lower case letter, one number, and one punctuation mark. Plus, they required a new one every month. To top it off, they kept track of the last three passwords and you couldn't reuse them. I just memorized a pattern on the keyboard (like e4r5t6y7) and hit the shift key a couple times. Then when I changed the password, I just shifted the pattern over one letter (r5t6y7u8) Never had to write it down and I didn't forget.

Read TFA

[Anonymous+Codger]

It doesn't sound like NSA helped write code - it sounds like their primary contribution was in testing:

"The NSA also declined to be specific but said it used two groups -- a "red team" and a "blue team" -- to test Vista's security. The red team, for instance, posed as "the determined, technically competent adversary" to disrupt, corrupt or steal information. "They pretend to be bad guys," Sager said. The blue team helped Defense Department system administrators with Vista's configuration ."

Also, Microsoft isn't the only company that NSA and other govt. agencies have helped with security. Besides SELinux, which others have mentioned, there's Apple:

"Other software makers have turned to government agencies for security advice, including Apple, which makes the Mac OS X operating system. "We work with a number of U.S. government agencies on Mac OS X security and collaborated with the NSA on the Mac OS X security configuration guide," said Apple spokesman Anuj Nayar in an e-mail."

So this isn't that big a deal, it's just that Microsoft is trying to capitalize on the relationship to counter the prevailing belief (or truth?) that Windows is insecure and that Vista is no big improvement.

Wrong helper

[gmuslera]

They should ask for help to the Vatican, after all, is a miracle what they are looking for.

Re:Wrong helper

[ColdWetDog]

I've always thought an exorcism might help my XP box. God knows I've tried everything else. Something is weird in there.

Spook backdoor to Vista

[dougwhitehead]

The encryption cat is out of the bag, so if you can't own the communication channel, own the computers on either end.

Sure, I'm just delusional. But then again, there was that WMF exploit that according to Security guy Steve Gibson (grc.com and the SecurityNow podcast) inferred that was deliberately put in the code by someone (though he didn't point the finger at MS, some contractor for MS, at the Gov't direction, or anyone else). Before it was patched, it allowed the execution of arbitrary code on a client computer, caused by merely visiting a website that had a WMF icon/image in it.

Sure sound like a useful tool to fight terrorists who communicate on the internet (or anyone else).

Re:Spook backdoor to Vista

[jafac]

Well, there's two things about this.

First, there's the mysterious NSAKey API that was in IE 4.0 (don't know if it was in later versions).
Then, there's the regkey for tcpip maxhalfopenretries, or is it maxhalfopenretires? Nobody seems to know. Yet the "retires" version is in the Win2k template supplied by the NSA. And if you run that template, this setting shows up as a vulnerability on security scans. It's a hell of a bad back door, if it's a back door, (because the vulnerability is a DoS, not very useful for snooping) but I don't understand how this mistake could just sit there, in plain text, in a freely downloadable template, without anyone trying to address it for so many years.

Re:Spook backdoor to Vista

[gad_zuki!]

An eight year old conspiracy theory. Even Bruce Schneier doesnt buy it

Suddenly there's a flurry of press activity because someone notices that the second key in Microsoft's Crypto API in Windows NT Service Pack 5 is called "NSAKEY" in the code. Ah ha! The NSA can sign crypto suites. They can use this ability to drop a Trojaned crypto suite into your computers. Or so the conspiracy theory goes.

I don't buy it.

First, if the NSA wanted to compromise Microsoft's Crypto API, it would be much easier to either 1) convince MS to tell them the secret key for MS's signature key, 2) get MS to sign an NSA-compromised module, or 3) install a module other than Crypto API to break the encryption (no other modules need signatures). It's always easier to break good encryption by attacking the random number generator than it is to brute-force the key.

Second, NSA doesn't need a key to compromise security in Windows. Programs like Back Orifice can do it without any keys. Attacking the Crypto API still requires that the victim run an executable (even a Word macro) on his computer. If you can convince a victim to run an untrusted macro, there are a zillion smarter ways to compromise security.

Third, why in the world would anyone call a secret NSA key "NSAKEY"? Lots of people have access to source code within Microsoft; a conspiracy like this would only be known by a few people. Anyone with a debugger could have found this "NSAKEY." If this is a covert mechanism, it's not very covert.

I see two possibilities. One, that the backup key is just as Microsoft says, a backup key. It's called "NSAKEY" for some dumb reason, and that's that.

Two, that it is actually an NSA key. If the NSA is going to use Microsoft products for classified traffic, they're going to install their own cryptography. They're not going to want to show it to anyone, not even Microsoft. They are going to want to sign their own modules. So the backup key could also be an NSA internal key, so that they could install strong cryptography on Microsoft products for their own internal use.

But it's not an NSA key so they can secretly inflict weak cryptography on the unsuspecting masses. There are just too many smarter things they can do to the unsuspecting masses.

The fact that 'some security scans' consider something a threat doesnt mean it really is. This is real tin-foil stuff, especially considering if the NSA wanted to muscle MS then youd never know about it.

Re:When does the NSA help Linux distros and Mac OS

[NullProg]

When is the NSA gonna help with Red Hat, Mandrake or Mac OS? I must say that this is totally off the board. MS should be paying the NSA to help with this. They should be footing the bill!

http://www.nsa.gov/selinux/

Its only fair that the NSA helps Microsoft.

Enjoy,

NSA and DES

[jmichaelg]

When IBM invented DES, the NSA asked to review it before IBM started selling it. DES is an encryption algorithm that involves repeatedly permuting and shifting bits. The bit shifting phase is handled by sending the permuted bits through what are called s-boxes which basically say 'move this bit over there'. NSA "requested" two revisions to DES - shorten the key to 56 bits and re-arrange some of the s-box operations. NSA didn't say why that would be "better" but made it clear to IBM that if IBM didn't comply, IBM would run into difficulties selling DES. The kind of difficulties that governments are very adept at raising. So IBM complied and implemented NSA's "requests." The presumption has always been that NSA knew how to crack the revised version of DES.

I'm curious if NSA made similar "requests" to Microsoft.

Re:NSA and DES

To my knowledge, the change to the s-boxes was to protect against differential cryptoanalysis, which at the time, wasn't even a method known by anyone, except the NSA. When differential came out, everyone was surprised that DES mysteriously was already immune.

Local vs. Remote attacks

[MarkusQ]

It's a little more complex than that.

"Good" passwords (which, as you note, are more likely to get written down) are much better against remote attacks but often no better or even worse (because they get written down) against local attacks. It all comes down to what you are trying to protect against. If the majority of the people you are worried about have access to the sticky notes on your monitor, long passwords that need to be written down are not going to help much (unless you make a habit of writing them down incorrectly).

But for most net-connected resources these days, strong passwords are probably better simply because there are more bad guys "out there" than "in here."

If this is not the case for you--if, in other words, there are more bad guys within your office than outside it--you may want to change jobs and report your present employer to the authorities. (Unless of course your present employer is "the authorities", in which case you should probably also start carrying a Geiger counter as soon as you quit.)

--MarkusQ

Uh huh . . .

[Orange+Crush]

Microsoft Gets Help From NSA for Vista Security

Isn't this a bit like chickens getting help from a pack of wolves for their security needs?

Perhaps I'm being too cynical, as both MS and the NSA have just stellar track records on their concern for an individual's privacy . . .

Would you Prefer...

[Morosoph]

Useful, "Karma-Whoring" replies, or petty arguments that give no information, and give no leads to discover things for yourself?

The Karma system, here, is doing its job. That some people "abuse" it by responding to incentives is, I have to say, a bizzare position.

Re:Tax Dollars

[Underfunded]

So our Taxes (for us US residents) are going to the Government (NSA included) to help secure Linux so Red Hat can sell it to us Taxpayers and make more money. What do you say that Red Hat should mark down the price of each RHEL copy sold by $1 until the monetary value of the NSA's help is repaid?

Actually, yes. I do think that when the government in some way subsidizes a company the company has the obligation to pass the savings on to the taxpayers until repaid.