Slashdot Mirror
Microsoft Gets Help From NSA for Vista Security
An anonymous reader writes "The Washington Post is reporting that Microsoft received help from the National Security Agency in protecting the Vista operating system from worms and viruses. The Agency aimed to help as many people as they could, and chose to assist Vista with good reason: the OS still has a 90 percent lock on the PC market, with some 600 million Vista users expected by 2010. From the article: 'The Redmond, Wash., software maker declined to be specific about the contributions the NSA made to secure the Windows operating system ... Microsoft said this is not the first time it has sought help from the NSA. For about four years, Microsoft has tapped the spy agency for security expertise in reviewing its operating systems, including the Windows XP consumer version and the Windows Server 2003 for corporate customers.'"
Information Assurance has long been one of NSA's primary missions. NSA ran the Trusted Product Evaluation Program (TPEP) since 1983, which evaluated off-the-shelf commercial products against standardized security criteria, and employed various experts from government, military, academia, and industry. Contributions or recommendations from TPEP often were incorporated into future iterations of vendor products. The expanded Common Criteria programs, which grew in part out of the US Trusted Computer System Evaluation Criteria (TCSEC, the famous Rainbow Series of security publications), picked up where TPEP left off, now administered by the National Information Assurance Partnership (NAIP) of NSA and NIST.
NSA's Information Assurance Directorate also provides public security configuration guides for many popular applications, operating systems, database servers, routers, and other networking equipment.
Also, don't forget to check out NSA's Security-enhanced Linux (SELinux) (FAQ).
When US computing, communications, and networking implementations are more secure, we all benefit, and NSA contributes to this in its overall mission.
Wouldn't it be nice to be a company so large and dominant in it's industry yet so inept in delivering a code-complete product it gets help (I'm assuming for free) from government agencies to try and get it right? So, my tax dollars at work for Microsoft... (the article does mention Microsoft gets this help for free, I can only assume then "we" foot the bill).
I'm not saying Microsoft shouldn't collaborate with external organizations, but why am I paying for it? Even more reason to be upset about their usurious rates for their new OS. Consider that the drive I bought at Costco 10 years ago (500MB) costs on the order of 500 to 1000 times more (that's almost two magnitudes) than storage today, and that Microsoft continues to charge at the same rate -- they even seem to adjust for inflation.
</rant>
.. They contributed "WIRETAP.DLL" and "TERRORSCAN.EXE" which are required components to pass the new-and-improved Windows Genuine Advantage test, right?!?
To Terminate, or not to Terminate, that's the question - SCSIROB
Wow! And it's not even out yet!
-----
Sorry, I'm only a 1336 h4x0r.
If the NSA can help Microsoft tighten up it's shitty systems then that's good. There are already positive benefits from NSA research into the Flask OS in the form of GNU/Linux's SElinux.
The only problem I have with any of this is that this is another government subsidy (read our tax dollars) going to subsidise a private company which should (given the vast profits it makes) be able to pay for its own security research instead of dipping its snout into the public trough.
Hey, here's a tip for all you foreign governments out there: Don't use Windows! I hope that helps!
Seriously, I can't believe that there isn't greater demand for other alternatives to Windows in foreign governments. I wonder if Mahmoud Ahmadinejad uses windows...
here we go, i found what it really said
If Microsoft made toasters... Every time you bought a loaf of bread, you would have to buy a Microsoft toaster. You wouldn't have to take the toaster, but you'd still have to pay for it anyway. Its Toaster XP and its new Toaster Vista would take up so much counter space in your kitchen that you'd have to buy a larger kitchen, plus they would draw enough electricity to power a small city. Both models would claim to be the first toaster that let you control how light or dark you want your toast to be, and would secretly interrogate your other appliances to find out who made them. If the appliances were made by another company, the Microsoft toaster would send a signal through the electric wiring in your house to disable them. Everyone would hate Microsoft toasters, but would buy them anyway since most of the good bread only works with Microsoft toasters. Microsoft would claim that it doesn't have a monopoly on toasters, but stores that sold other toasters would have to pay a lot more for Microsoft's toasters.
If the NSA made toasters... Your toaster would have a secret trap door that only the NSA could access in case its agents needed to get at your toast for reasons of national security.
WulframII - Free Online Mutiplayer 3D Tank Shooting Game
I certainly understand and share the frustration of tax-dollars helping a healthy and profitable corporation, but another way to look at this is NSA is helping the users. The proper long-term solution would, probably, be to make software vendors liable for flaws in their products — as is the case with most other industries. Short-term, however, National Security Agency making personal computers harder to hijack does, indeed, contribute to, uhmm, national security...
Microsoft is not the only entity to benefit either, BTW. For example, FreeBSD cvs-commit messages have plenty of acknowledgments of government's help (fgrep for TrustedBSD). The NSA-funded SELinux is another example...
NSA is, supposedly, full of very smart, technically adept people, who, no doubt, strongly prefer Unix-like OSes (on average) to Microsoft's offerings. However, with Microsoft's market-dominance, it gives a lot more bang for the NSA's buck to help them, rather than the OSS projects...
Granted, there is a danger of this solution perpetuating the problem, but that's a distant and lesser danger, than the present and grave one of millions of zombies arraigned into bot-nets and immediately usable (and up for hire) against businesses and government institutions alike.
In Soviet Washington the swamp drains you.
The longer and more complex it is, the more likely it is to be written down on a post it stuck to the side of the monitor. Especially if you have multiple passwords on different change cycles. "Must have a capital letter, special character, number, be at least 8 characters long, and change every 3 months" is probably, in the long run, no more secure than "must be at least 8 characters long, contain one or more non-alphabetic characters, and change twice a year".
Best Slashdot Co
It doesn't sound like NSA helped write code - it sounds like their primary contribution was in testing:
."
"The NSA also declined to be specific but said it used two groups -- a "red team" and a "blue team" -- to test Vista's security. The red team, for instance, posed as "the determined, technically competent adversary" to disrupt, corrupt or steal information. "They pretend to be bad guys," Sager said. The blue team helped Defense Department system administrators with Vista's configuration
Also, Microsoft isn't the only company that NSA and other govt. agencies have helped with security. Besides SELinux, which others have mentioned, there's Apple:
"Other software makers have turned to government agencies for security advice, including Apple, which makes the Mac OS X operating system. "We work with a number of U.S. government agencies on Mac OS X security and collaborated with the NSA on the Mac OS X security configuration guide," said Apple spokesman Anuj Nayar in an e-mail."
So this isn't that big a deal, it's just that Microsoft is trying to capitalize on the relationship to counter the prevailing belief (or truth?) that Windows is insecure and that Vista is no big improvement.
No sig? Sigh...
They should ask for help to the Vatican, after all, is a miracle what they are looking for.
In addition to the other comments: If it's their own code, and only theirs, they are free to license it under any license they will, even if it's already licensed under GPL. It's called dual-licensing, and is a well-known practise.
- Vegard
When IBM invented DES, the NSA asked to review it before IBM started selling it. DES is an encryption algorithm that involves repeatedly permuting and shifting bits. The bit shifting phase is handled by sending the permuted bits through what are called s-boxes which basically say 'move this bit over there'. NSA "requested" two revisions to DES - shorten the key to 56 bits and re-arrange some of the s-box operations. NSA didn't say why that would be "better" but made it clear to IBM that if IBM didn't comply, IBM would run into difficulties selling DES. The kind of difficulties that governments are very adept at raising. So IBM complied and implemented NSA's "requests." The presumption has always been that NSA knew how to crack the revised version of DES.
I'm curious if NSA made similar "requests" to Microsoft.
It's a little more complex than that.
"Good" passwords (which, as you note, are more likely to get written down) are much better against remote attacks but often no better or even worse (because they get written down) against local attacks. It all comes down to what you are trying to protect against. If the majority of the people you are worried about have access to the sticky notes on your monitor, long passwords that need to be written down are not going to help much (unless you make a habit of writing them down incorrectly).
But for most net-connected resources these days, strong passwords are probably better simply because there are more bad guys "out there" than "in here."
If this is not the case for you--if, in other words, there are more bad guys within your office than outside it--you may want to change jobs and report your present employer to the authorities. (Unless of course your present employer is "the authorities", in which case you should probably also start carrying a Geiger counter as soon as you quit.)
--MarkusQ
Well, there's two things about this.
First, there's the mysterious NSAKey API that was in IE 4.0 (don't know if it was in later versions).
Then, there's the regkey for tcpip maxhalfopenretries, or is it maxhalfopenretires? Nobody seems to know. Yet the "retires" version is in the Win2k template supplied by the NSA. And if you run that template, this setting shows up as a vulnerability on security scans. It's a hell of a bad back door, if it's a back door, (because the vulnerability is a DoS, not very useful for snooping) but I don't understand how this mistake could just sit there, in plain text, in a freely downloadable template, without anyone trying to address it for so many years.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.