Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Gets Help From NSA for Vista Security

Posted by ryuzaki0 on from the keeping-them-from-getting-into-mischief dept.

An anonymous reader writes "The Washington Post is reporting that Microsoft received help from the National Security Agency in protecting the Vista operating system from worms and viruses. The Agency aimed to help as many people as they could, and chose to assist Vista with good reason: the OS still has a 90 percent lock on the PC market, with some 600 million Vista users expected by 2010. From the article: 'The Redmond, Wash., software maker declined to be specific about the contributions the NSA made to secure the Windows operating system ... Microsoft said this is not the first time it has sought help from the NSA. For about four years, Microsoft has tapped the spy agency for security expertise in reviewing its operating systems, including the Windows XP consumer version and the Windows Server 2003 for corporate customers.'"

14 of 233 comments (clear)

  1. Nothing new to NSA... by daveschroeder · · Score: 5, Informative

    Information Assurance has long been one of NSA's primary missions. NSA ran the Trusted Product Evaluation Program (TPEP) since 1983, which evaluated off-the-shelf commercial products against standardized security criteria, and employed various experts from government, military, academia, and industry. Contributions or recommendations from TPEP often were incorporated into future iterations of vendor products. The expanded Common Criteria programs, which grew in part out of the US Trusted Computer System Evaluation Criteria (TCSEC, the famous Rainbow Series of security publications), picked up where TPEP left off, now administered by the National Information Assurance Partnership (NAIP) of NSA and NIST.

    NSA's Information Assurance Directorate also provides public security configuration guides for many popular applications, operating systems, database servers, routers, and other networking equipment.

    Also, don't forget to check out NSA's Security-enhanced Linux (SELinux) (FAQ).

    When US computing, communications, and networking implementations are more secure, we all benefit, and NSA contributes to this in its overall mission.

    1. Re:Nothing new to NSA... by bman08 · · Score: 4, Insightful

      The problem is the question they asked. Not, "How can we make a secure product?" but "How can we make the product we have secure."

  2. wouldn't it be nice? by yagu · · Score: 5, Insightful

    Wouldn't it be nice to be a company so large and dominant in it's industry yet so inept in delivering a code-complete product it gets help (I'm assuming for free) from government agencies to try and get it right? So, my tax dollars at work for Microsoft... (the article does mention Microsoft gets this help for free, I can only assume then "we" foot the bill).

    I'm not saying Microsoft shouldn't collaborate with external organizations, but why am I paying for it? Even more reason to be upset about their usurious rates for their new OS. Consider that the drive I bought at Costco 10 years ago (500MB) costs on the order of 500 to 1000 times more (that's almost two magnitudes) than storage today, and that Microsoft continues to charge at the same rate -- they even seem to adjust for inflation.

    </rant>

    1. Re:wouldn't it be nice? by DaveTuck · · Score: 5, Funny
      Now lets see about increasing that H1B visa quota
      What the hell have pencils got to do with it??!!
      --
      Launch each 'sig'.
  3. Let me guess.. by scsirob · · Score: 4, Funny

    .. They contributed "WIRETAP.DLL" and "TERRORSCAN.EXE" which are required components to pass the new-and-improved Windows Genuine Advantage test, right?!?

    --
    To Terminate, or not to Terminate, that's the question - SCSIROB
  4. 90% market share? by Bohnanza · · Score: 4, Funny
    "The Agency aimed to help as many people as they could, and chose to assist Vista with good reason: the OS still has a 90 percent lock on the PC market"

    Wow! And it's not even out yet!

    --

    -----

    Sorry, I'm only a 1336 h4x0r.

  5. Good, the NSA does some useful things by crush · · Score: 4, Insightful

    If the NSA can help Microsoft tighten up it's shitty systems then that's good. There are already positive benefits from NSA research into the Flask OS in the form of GNU/Linux's SElinux.

    The only problem I have with any of this is that this is another government subsidy (read our tax dollars) going to subsidise a private company which should (given the vast profits it makes) be able to pay for its own security research instead of dipping its snout into the public trough.

  6. Helping Microsoft or helping users? by mi · · Score: 4, Insightful

    I certainly understand and share the frustration of tax-dollars helping a healthy and profitable corporation, but another way to look at this is NSA is helping the users. The proper long-term solution would, probably, be to make software vendors liable for flaws in their products — as is the case with most other industries. Short-term, however, National Security Agency making personal computers harder to hijack does, indeed, contribute to, uhmm, national security...

    Microsoft is not the only entity to benefit either, BTW. For example, FreeBSD cvs-commit messages have plenty of acknowledgments of government's help (fgrep for TrustedBSD). The NSA-funded SELinux is another example...

    NSA is, supposedly, full of very smart, technically adept people, who, no doubt, strongly prefer Unix-like OSes (on average) to Microsoft's offerings. However, with Microsoft's market-dominance, it gives a lot more bang for the NSA's buck to help them, rather than the OSS projects...

    Granted, there is a danger of this solution perpetuating the problem, but that's a distant and lesser danger, than the present and grave one of millions of zombies arraigned into bot-nets and immediately usable (and up for hire) against businesses and government institutions alike.

    --
    In Soviet Washington the swamp drains you.
  7. password length and complexity by wiredog · · Score: 4, Insightful

    The longer and more complex it is, the more likely it is to be written down on a post it stuck to the side of the monitor. Especially if you have multiple passwords on different change cycles. "Must have a capital letter, special character, number, be at least 8 characters long, and change every 3 months" is probably, in the long run, no more secure than "must be at least 8 characters long, contain one or more non-alphabetic characters, and change twice a year".

    --

    Best Slashdot Co
  8. Read TFA by Anonymous+Codger · · Score: 4, Interesting

    It doesn't sound like NSA helped write code - it sounds like their primary contribution was in testing:

    "The NSA also declined to be specific but said it used two groups -- a "red team" and a "blue team" -- to test Vista's security. The red team, for instance, posed as "the determined, technically competent adversary" to disrupt, corrupt or steal information. "They pretend to be bad guys," Sager said. The blue team helped Defense Department system administrators with Vista's configuration ."

    Also, Microsoft isn't the only company that NSA and other govt. agencies have helped with security. Besides SELinux, which others have mentioned, there's Apple:

    "Other software makers have turned to government agencies for security advice, including Apple, which makes the Mac OS X operating system. "We work with a number of U.S. government agencies on Mac OS X security and collaborated with the NSA on the Mac OS X security configuration guide," said Apple spokesman Anuj Nayar in an e-mail."

    So this isn't that big a deal, it's just that Microsoft is trying to capitalize on the relationship to counter the prevailing belief (or truth?) that Windows is insecure and that Vista is no big improvement.

    --
    No sig? Sigh...
  9. Wrong helper by gmuslera · · Score: 5, Funny

    They should ask for help to the Vatican, after all, is a miracle what they are looking for.

  10. Local vs. Remote attacks by MarkusQ · · Score: 4, Insightful

    It's a little more complex than that.

    "Good" passwords (which, as you note, are more likely to get written down) are much better against remote attacks but often no better or even worse (because they get written down) against local attacks. It all comes down to what you are trying to protect against. If the majority of the people you are worried about have access to the sticky notes on your monitor, long passwords that need to be written down are not going to help much (unless you make a habit of writing them down incorrectly).

    But for most net-connected resources these days, strong passwords are probably better simply because there are more bad guys "out there" than "in here."

    If this is not the case for you--if, in other words, there are more bad guys within your office than outside it--you may want to change jobs and report your present employer to the authorities. (Unless of course your present employer is "the authorities", in which case you should probably also start carrying a Geiger counter as soon as you quit.)

    --MarkusQ

  11. Re:Spook backdoor to Vista by jafac · · Score: 4, Informative

    Well, there's two things about this.

    First, there's the mysterious NSAKey API that was in IE 4.0 (don't know if it was in later versions).
    Then, there's the regkey for tcpip maxhalfopenretries, or is it maxhalfopenretires? Nobody seems to know. Yet the "retires" version is in the Win2k template supplied by the NSA. And if you run that template, this setting shows up as a vulnerability on security scans. It's a hell of a bad back door, if it's a back door, (because the vulnerability is a DoS, not very useful for snooping) but I don't understand how this mistake could just sit there, in plain text, in a freely downloadable template, without anyone trying to address it for so many years.

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  12. Re:Spook backdoor to Vista by gad_zuki! · · Score: 4, Interesting
    An eight year old conspiracy theory. Even Bruce Schneier doesnt buy it
    Suddenly there's a flurry of press activity because someone notices that the second key in Microsoft's Crypto API in Windows NT Service Pack 5 is called "NSAKEY" in the code. Ah ha! The NSA can sign crypto suites. They can use this ability to drop a Trojaned crypto suite into your computers. Or so the conspiracy theory goes.

    I don't buy it.

    First, if the NSA wanted to compromise Microsoft's Crypto API, it would be much easier to either 1) convince MS to tell them the secret key for MS's signature key, 2) get MS to sign an NSA-compromised module, or 3) install a module other than Crypto API to break the encryption (no other modules need signatures). It's always easier to break good encryption by attacking the random number generator than it is to brute-force the key.

    Second, NSA doesn't need a key to compromise security in Windows. Programs like Back Orifice can do it without any keys. Attacking the Crypto API still requires that the victim run an executable (even a Word macro) on his computer. If you can convince a victim to run an untrusted macro, there are a zillion smarter ways to compromise security.

    Third, why in the world would anyone call a secret NSA key "NSAKEY"? Lots of people have access to source code within Microsoft; a conspiracy like this would only be known by a few people. Anyone with a debugger could have found this "NSAKEY." If this is a covert mechanism, it's not very covert.

    I see two possibilities. One, that the backup key is just as Microsoft says, a backup key. It's called "NSAKEY" for some dumb reason, and that's that.

    Two, that it is actually an NSA key. If the NSA is going to use Microsoft products for classified traffic, they're going to install their own cryptography. They're not going to want to show it to anyone, not even Microsoft. They are going to want to sign their own modules. So the backup key could also be an NSA internal key, so that they could install strong cryptography on Microsoft products for their own internal use.

    But it's not an NSA key so they can secretly inflict weak cryptography on the unsuspecting masses. There are just too many smarter things they can do to the unsuspecting masses.
    The fact that 'some security scans' consider something a threat doesnt mean it really is. This is real tin-foil stuff, especially considering if the NSA wanted to muscle MS then youd never know about it.