US Security Services May 'Have Moles Within Microsoft,' Says Researcher
Barence writes "U.S. government officials could be working under cover at Microsoft to help the country's cyber-espionage programme, according to one leading security expert. According to Mikko Hypponen, chief research officer at security firm F-Secure, the claim is a logical conclusion to a series of recent discoveries and disclosures linking the U.S. government to 2010's Stuxnet attack on Iran and ties between Stuxnet and the recent Flame attack. 'It's plausible that if there is an operation under way and being run by a U.S. intelligence agency it would make perfect sense for them to plant moles inside Microsoft to assist in pulling it off, just as they would in any other undercover operation,' he said. 'It's not certain, but it would be common sense to expect they would do that.'"
... or they just paid/threatened Microsoft. Much simpler and easier.
The US Government has licenses for the Windows source code. Nothing we've seen those virii do has required anything more than that.
What would surprise me, is if the US thinks they're the only one.
Don't forget security companies and firms... and yes, it does make lots of sense.
I doubt Microsoft would balk at any requests at access. These are, after all, matters of national security, and are therefore paramount over all other concerns. No decent American (ahem) company could refuse.
They THINK there MIGHT be moles inside Microsoft. ("Definitive proof!" says Alex on his radio show.) That's nice. I think there might be moles inside everybody's backyards..... I haven't actually seen any, but let's publish it anyway and scare everyone.
1. Publish some random guy
2. Spin it to make it sound factual "evidence"
3. $profit$
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
Seriously, they might be undercover from some but not the ones that do the hiring. That way they could get in just the right position to be in.
"Foreign government officials could be working under cover at Microsoft".
Since many/much of the actual development is overseas anyway.
Government: "Hello there, Microsoft. This here is a really big gun. We want your source code."
Microsoft: "Ummm, okay."
The End
What's this crap about a mole again? Moles are for when you can't just walk in the front door and take whatever you want.
#fuckbeta #iamslashdot #dicemustdie
Then obviously they don't really know for sure (so says Betteridge's Law of Headlines).
Stuxnet, Duqu, Flame: all of this malware is found by Russian security companies.
My guess is that all western security companies are infiltrated by spooks
Now I'm not saying there are moles at Microsoft and Apple, but neither of them have reported back to me either way.
So, what are they hiding?
moderation undone.
Every major government around the world ALREADY has access to Windows source code. Starting in 2001, when Microsoft's security started being a major focus, they began a program to grant access to the code to interested parties.
http://www.microsoft.com/en-us/sharedsource/government-security-program.aspx
http://www.microsoft.com/en-us/sharedsource/
The security vulnerabilities used to get stuff on the network and computers themselves would be a microsoft issue. Most of the industrial control equipment software wouldn't even try and be secure.
Let's not beat around the bush! I say Microsoft has known USG agents working on the systems intentionally putting holes in the OS that can then be leveraged for zero-day attacks against other governments. Ballmer is in cahoots I say! CAHOOTS!
You don't need a big gun to get the MS source code. It isn't some big fucking secret like all the ./ers seem to think. It isn't GPL, but plenty of institutions have copies. Basically any government that uses Windows does, huge surprise there. Also a lot of research universities. One such university I know that has it is ASU. Then there are copies in the hands of partners for better debugging/integration of their products.
Just because the source isn't on Sourceforge, doesn't mean it is some massive secret. A bit of Google would get you http://www.microsoft.com/en-us/sharedsource/default.aspx which is MS's page on their source sharing.
Having access to Microsoft's signing certs for updates and drivers would be a huge help. I imagine the US government has some involvement - even if they don't want the certs themselves, they also don't want an employee with access forced to leak them after agents for China/Iran/Other kidnap and threaten to murder his daughter. So it's in the best interests of the US to at the very least ensure Microsoft's internal security team is doing their job.
The question should be whether these moles will lead to skin cancer, and if Microsoft should limit its exposure to the sun to counterbalance them.
Author of TFA dreams up some impossible to falsify idea - offers no supporting evidence of any kind except to say it is plausible.
I love myself a good MS conspiracy and I'm sure there are plenty which actually do exist but let's not reward intellectual laziness.
Just two questions:
1. What do editors of PC Pro get paid to do?
2. What is it doing on slashdot?
Now if you'll excuse me my magic unicorn 'Flame' is hungry and wants a bowl of lucky charms before flying back to the land of lua to meet the angry birds.
I don't see how working at microsoft would give you any advantage at making Stuxnet or Flame. It's not like Microsoft put secret holes in their OS so people in MS can access everyone's computer. Probably my mom wrote that article.
Indeed, it was inside information from Siemens that was used in Stuxnet, and Siemens cooperated fully and completely.
...put a worm in apple?
The answer to headlines that end with a question mark:
No.
1) The fact that it's common sense does not mean the government is doing it
2) If it's common sense, why is it worthy of news?
#Duh
I think it is a matter of time before US media is banned from reporting on the findings by computer security experts - especially the uncontrollable ones in Russia and Finland - under the guise that it aids and abets terrerists.
If it's truly beneficial to have moles in software companies, you can expect that China and maybe Russia also have them too. The only benefit seems to be the certificates and access to the update servers.
It's "plural", not "plutal". Pedantry Fail. Just a heads up so you don't look like such a clown in the future.
The man who dies rich dies disgraced. -- Andrew Carnegie
I thought it was peni?
There are two types of people in the world: Those who crave closure
Read more about what actually happened. Microsoft was using some keys with md5 hashing that weren't properly set to prohibit their use for code signing and those keys were signed by the Microsoft root. Using a collision attack they created a copy of a signed key and used that to sign their code.
Brief Explanation:
http://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx
Detailed Explanation:
http://blogs.technet.com/b/srd/archive/2012/06/06/more-information-about-the-digital-certificates-used-to-sign-the-flame-malware.aspx
Hotfix MS just published to speed up the revocation process:
http://blogs.technet.com/b/pki/archive/2012/06/12/announcing-the-automated-updater-of-untrustworthy-certificates-and-keys.aspx
http://support.microsoft.com/kb/2677070
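A defender's view of the failure described in the comment above (an MD5-signed certificate under a CA that was not restricted from code signing), as an added example that is not part of the original thread. The `Cert` records, names and sample chains are constructed, and treating an EKU on a CA certificate as a limit on what it may issue is an assumed validator policy.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

CODE_SIGNING = "1.3.6.1.5.5.7.3.3"     # id-kp-codeSigning
ANY_EKU = "2.5.29.37.0"                # anyExtendedKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"      # id-kp-serverAuth
MD5_RSA = "1.2.840.113549.1.1.4"       # md5WithRSAEncryption
SHA256_RSA = "1.2.840.113549.1.1.11"   # sha256WithRSAEncryption
WEAK_SIG_ALGS = {"1.2.840.113549.1.1.2": "md2WithRSA", MD5_RSA: "md5WithRSA"}

Finding = Tuple[str, str, str]         # (severity, subject, message)


@dataclass(frozen=True)
class Cert:
    """Fields assumed to be already extracted from an X.509 certificate."""
    subject: str
    issuer: str
    sig_alg: str                    # OID of the signature on this certificate
    is_ca: bool
    eku: Optional[FrozenSet[str]]   # None means no EKU extension at all


def audit_code_signing_chain(chain: List[Cert]) -> Tuple[bool, List[Finding]]:
    """Audit a chain ordered leaf first, root last, for code-signing use.

    Returns (accept, findings). Any "reject" finding makes accept False;
    "warn" findings are hygiene problems to fix at the issuing CA.
    """
    if not chain:
        return False, [("reject", "", "empty chain")]
    findings: List[Finding] = []

    # Each certificate must name the next one as its issuer, and issuers must be CAs.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            findings.append(("reject", child.subject, "issuer does not match next certificate"))
        if not parent.is_ca:
            findings.append(("reject", parent.subject, "issuing certificate is not a CA"))

    for index, cert in enumerate(chain):
        is_root = index == len(chain) - 1 and cert.subject == cert.issuer
        # A root's self-signature is not what trust rests on; every other
        # certificate is only as strong as the hash its issuer signed.
        if not is_root and cert.sig_alg in WEAK_SIG_ALGS:
            name = WEAK_SIG_ALGS[cert.sig_alg]
            findings.append(("reject", cert.subject, f"signed with collision-prone {name}"))
        if index == 0:
            if cert.eku is None or CODE_SIGNING not in cert.eku:
                findings.append(("reject", cert.subject, "leaf does not assert the code-signing EKU"))
        elif not is_root:
            if cert.eku is None:
                findings.append(("warn", cert.subject, "CA is not restricted from issuing code-signing certificates"))
            elif CODE_SIGNING not in cert.eku and ANY_EKU not in cert.eku:
                findings.append(("reject", cert.subject, "CA's EKU does not permit code signing"))

    accept = not any(severity == "reject" for severity, _, _ in findings)
    return accept, findings


# Constructed sample chains (hypothetical names, not real certificates).
ROOT = Cert("CN=Example Root", "CN=Example Root", SHA256_RSA, True, None)
GOOD_CHAIN = [
    Cert("CN=Example Publisher", "CN=Example Code Signing CA", SHA256_RSA, False, frozenset({CODE_SIGNING})),
    Cert("CN=Example Code Signing CA", "CN=Example Root", SHA256_RSA, True, frozenset({CODE_SIGNING})),
    ROOT,
]
# Shape of the problem in the comment: MD5-signed leaf under an unrestricted CA.
WEAK_CHAIN = [
    Cert("CN=Forged Publisher", "CN=Example Licensing CA", MD5_RSA, False, frozenset({CODE_SIGNING})),
    Cert("CN=Example Licensing CA", "CN=Example Root", SHA256_RSA, True, None),
    ROOT,
]
# A CA limited to TLS server authentication must not anchor a code signature.
RESTRICTED_CHAIN = [
    Cert("CN=Example Publisher", "CN=Example TLS CA", SHA256_RSA, False, frozenset({CODE_SIGNING})),
    Cert("CN=Example TLS CA", "CN=Example Root", SHA256_RSA, True, frozenset({SERVER_AUTH})),
    ROOT,
]

if __name__ == "__main__":
    for label, chain in (("good", GOOD_CHAIN), ("weak", WEAK_CHAIN), ("restricted", RESTRICTED_CHAIN)):
        accept, findings = audit_code_signing_chain(chain)
        print(label, "ACCEPT" if accept else "REJECT")
        for severity, subject, message in findings:
            print(f"  [{severity}] {subject}: {message}")
```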
Why would the government bother with moles when it can just read the Microsoft engineers' minds from its spy satellites. It's common sense that they'd be doing this.
by Mike Buddha -- Someday the mountain might get him, but the law never will.
is for the security and safety of other national interests to avoid using MS Windows at all, since it is most obviously being seeded with vulnerabilities.
"No good deed goes unpunished"
There are probably spies from every country on earth working inside M$. You'd be crazy not to try and get on the inside.
They're not exclusive and the government doesn't trust Microsoft either. Sure, pretend to partner with Microsoft and put in some explicit backdoors. Just make sure that there are a few Microsoft doesn't know about too.
Please do not read this sig. Thank you.
Imagine a government with access to a complex OS source code. Then imagine that they get data on all manner of security holes as they are discovered. Imagine also that this government has access to OS security update certifications. Finally, imagine that this same government has the ability to hack into server DNS tables to route targeted users to their alternative 'security updates'.
The penetration of any software company by undercover government operatives would hardly be surprising, but entirely unnecessary. Microsoft would hardly be alone as a target of such espionage -- every software company would be vulnerable, including OSS. There is also the issue with 'backdoors' hard-wired into computer hardware, including especially telecom systems. IIRC, this became an issue recently with news of backdoors alleged to exist in VLSI circuits manufactured in China. Older news alleged that Israel also puts backdoors into the telecom hardware they sell & ship, including to the USA government.
If virtually every government does such spying, including upon their own citizens, and any number of software & hardware companies do the same with their customers, any cautious user of such technology should be aware of the potential security breaches they expose themselves to every time they connect to the internet, or open their front door for that matter. Redundancy & breadth of security beats security through obscurity any day.
The phrases of the day are, "Trust no one", "Security in depth", and "If it can't be accessed remotely, it's more secure & less vulnerable". At that point, physical security & Tempest-hardening secure your valuable data. The rhetorical question is, "How valuable is your data if you cannot readily access it?" I found it humorous that the USA government recently wanted reporters to write their news stories on government-supplied computers, if only to avoid unwanted data leaks & stop potential whistleblowers in their tracks.
Trust the USA government, or any government, or any corporation with an agenda? Why take that risk unmitigated? And who in Hades would put vulnerable sensitive SCADA systems in close proximity to the Internet except an idiot?
1. DUH
2. "May have". Yeah, that's news. Meaningless. They "may not have" too. Is there something specific somebody has to say, with something to back it up other than a closed circle of "may have"?
3. Speculation is fact on Slashdot. This warrants an article, why? Is there NEWS here, or are we going to see "space aliens MAY HAVE dressed up like call-boys and 'anally probed' the editorial staff"?
Wankers.
Everybody gets what the majority deserves.
"Moles" assumes they don't have permission. Years ago I hypothesized one of the reasons the government backed off anti-competitive lawsuits was MS agreed to aid the government in spying through OS backdoors.
Of course, starting to "donate" to politicians (the real reason behind the laws in the first place, regulators and attorneys general being classical "useful idiots") also helped too.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Please, don't be shy Anonymous Coward. I believe that you are onto something there.
When conspiracy theories ultimately are discovered to be conspiracy fact, the mainstream media will dismiss it as 'common sense everyone knew', 'nothing to see here', and then put the sheeple back to sleep. Causality doesn't equate to coincidence. Anyway, I don't believe that any chain of statistically improbable events conflates to mere coincidence. Mere coincidence is highly over-rated. It is stated, with some degree of proof, that only six degrees of separation exist between any two otherwise seemingly unrelated events. Accidents do happen, but not usually by pure accident.
And it is no accident that linux has been effectively kept off the desktop. You could blame that on Microsoft moles, or you could blame it on linux developers, or you could blame it on Microsoft moles posing as linux developers. The actual cause might even lie elsewhere, but you have presented one theory. Who the fuck are you, AC, that I might properly honor your brilliance?
If I had mod points, I would definitely mod your post up a few notches ...
Because in a casual conversation like a forum post, grammar Nazis add nothing to the actual conversation. It is usually a small mind that can't find anything else to say, so they hunt for grammar errors.
Good-bye
You know, when the discovery of a driving game in Excel 2000 was the earth-shattering revelation of the year. The current crop of hidden "features" kinda gives new meaning to the term "Easter egg", no?
Oh, and get off my lawn...
And here I thought that tin foil hats, or tin foil hats with a lead liner were the proper head-gear for conspiracy theorists.
Either I missed the memo, or that memo was nefariously diverted. I'm betting on the latter in this case.
http://www.youtube.com/watch?v=EkqrI3IibYI
Imagine a government with access to a complex OS source code.
Hmmmm.... I close my eyes and imagine that.... Um.. Not much help to me without the necessary tools to build said source into something and perhaps some documentation that explains how stuff is supposed to work... Oh, Well I suppose you could eventually figure out what tools you needed though trial and error, then developed your own documentation on the internal workings of Microsoft's code.. But make no mistake, it's NOT going to be an easy task to work through enough of this to even attempt to use the knowledge for anything useful.
Besides, it would be MUCH easier and cheaper to co-opt some hardware vendor's driver set and slip your stuff into that than risk doing the same at Microsoft.. Not that I'm saying it didn't happen, only that it seems easier other ways.....
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Considering that probably 90% of the world's information is gathered, produced, or stored by Microsoft software, and that the US Security services are above all an information retrieval service, they would be completely incompetent if they did not have some sort of special 'relationship' with Microsoft.
Even with official channels, it is always better to have someone on the inside who can verify or enhance the publicly available information.
I would say that if they don't have moles in Microsoft, they aren't doing their jobs correctly.
This would amount to surveillance of a US person (U.S.-owned corporation in this case), and would be quite illegal. Believe it or not, that does actually make it unlikely. There is a good deal of mindfulness of law within these agencies - it's usually the outsider appointees/elected officials that don't have the same respect for U.S. citizens/law.
In any event, 'moles' seem very unlikely, as Microsoft has a great relationship with U.S. intelligence agencies. There are patriots at MS who would likely be lining up to support the country's efforts.
The Russians, as well as the US, experimented with microwave technology that could beam sounds and presumably, voices into your head.
A plausible defense against such an attack? Metal headgear- a Faraday cage, as it were. If one found oneself short of a machine shop and metal working gear one may resort to using tin foil.
I wonder how effective foil would be at stopping tasers and/or microwave pain weapons? I christen the next generation: tinfoil torsos.
Life sure is funny.
This sig is not paradoxical or ironic.
For fuck's sake, Sheldon, the T and F are right next to each other. He's probably at work and forced to use IE 6 or 7, which don't have spell checkers.
Frag somebody for spelling "lose" with two "O"s, changing the meaning of the sentence, and you have a point. Otherwise the only point is on your head.
Free Martian Whores!
Why would the government of countries such as Iran, run closed source software from openly unfriendly countries such as the US?
They should either be writing their own, or at the very least using open source so they can thoroughly audit it.
Same applies to hardware, they don't need to develop their own hardware from scratch, just use published designs, inspect them and then manufacture their own.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
What matters, is that you can see and inspect their contributions, or even remove them if you want.
Sure, you may not have the skills, resources or desire to inspect the code, but governments certainly do, and certainly should for anything remotely important. Plus for an organisation the size of a national government, inspecting sourcecode once and then using it widely isn't even all that much of an overhead.
If you are sufficiently concerned about it, then you can inspect the sourcecode of linux and/or remove the parts you don't want...
You can't do that with windows.
If you're a national government, then you certainly have the resources to inspect linux, and you'd be foolish not to inspect the software you use for critical infrastructure.
Even if you can't or won't inspect the linux source, you at least gain some assurance from the fact that many independent people with differing goals are able to see the source. Again, this is something windows simply doesn't provide.
Destabilizers! Destabilizers! Destabilizers! Destabilizers!
I deny that I have not avoided attaining the opposite of that which I do not want.
All they have to do is walk up to Microsoft and tell them they WILL do xyz. And let them know if they reveal it, they are violating national security and will be jailed.
---- Booth was a patriot ----
I'm sure China would have more spies working inside MS than the US. Well MS is an international company with offices all over the world.
Besides, it would be MUCH easier and cheaper to co-opt some hardware vendor's driver set and slip your stuff into that than risk doing the same at Microsoft.. Not that I'm saying it didn't happen, only that it seems easier other ways.....
I agree. And there have been documented cases of this being done. One of the most famous was the worm installed in firmware of a printer shipped to Iraq that incapacitated big chunks of Saddam's air defense system, courtesy of the NSA.
And again regarding hardware: I wonder how many add-in PC cards like video or network that have back-doors built-in, or even hidden 'features' built into the firmware. I just threw out a serial/parallel ISA board so old that it was all TTL logic, no VLSI, no firmware.
Some wise-guy is going to install malware in a video card that 'steals' a minuscule number of clock cycles & memory that can compromise the entire contents of your fire-walled network. Almost anything that can be done with software can be done with 'solder', and a lot more difficult to deal with.
Article is misdirection. If you can not figure it out, you have not been paying attention.
You are being MICROattacked, from various angles, in a SOFT manner.
echo .. 'ol' ...
Free speech was meant to be free for all... how can anyone grow up in a nanny state ?
if this is not anti-propaganda its actually FrontPage ubuntu new cos the soft there gets checked by the whole community and moles would have a very slim chance of getting a snippet into the major distribution (as opposed to etcete)
Shortly after we loaded Microsoft's Command Navigation Program hotfix, we were out cruising in our Battlestar when, poof, all our systems went offline and, a few seconds later, in came the nukes...
geek. lawyer.
Have gnu, will travel.
Silly human =)
Quite honestly I have no idea what argument you were making. You don't seem to have made an argument. You had some random gibberish and a link about a secure version of linux, which has nothing to do with what I was saying.
I wasn't alluding to anything. I said clearly that MS handed over everything to the NSA, and that the government can easily hire former MS employees. There's no secret that that would give them basically full access to windows. What they do with linux is a separate matter.
What educational institutions, or governments have source code to windows? As far as I know even Waterloo students can't get important windows source code. You *can* get pieces of windows source if you have a project. We had a guy here who got access to some source related to their UI for a disabilities device project, but I'm not sure how much of that is available elsewhere (or whether any of that code could even have security vulnerabilities that would matter), I would think it's all stuff that's available with their usual developer licences. But as far as I know we couldn't get source to anything important in windows if we asked for it.
That was clear, I was just extending a few thoughts to what you wrote :D
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
You are making it way way way too complex!
1. Develop virus
2. Break MS MD5 certs (NSA has enough compute power to have done this, but many others as well).
3. Set up server running web services mimicking MS Update. Really not that difficult with ASP pages.
4. Intercept client's DNS request for MS update, send IP of your fake server.
5. Send "Update" which contains Virus
The virus in this case was extremely complex, but the rest is really script kiddie territory.
Wrong with your first statement, the majority of the world's data is on Unix or Unix like systems. Desktop files (.doc, .xls, etc..) are an extremely small portion of the world's data. The rest of your statement is agreeable.
I believe they are one of the biggest lobbyist companies, so in a way that would be correct.
For fuck's sake, Sheldon, the T and R are right next to each other. He's probably at work and forced to use IE 6 or 7, which don't have spell checkers.
Since we're making corrections.. FTFY
Why do cowards tell lies? Virii
You can find the same definition in numerous sources. It may not be in Websters or Oxford but it has been acceptable for nearly 2 decades as slang for the plural of virus.
Intercepting DNS would risk easy detection. Better to just intercept the TCP connection by IP address - trivial to do, anyone who has ever set up a transparent proxy knows how - and use that. You need to be upstream of your target, but plenty of easy uses for that. For example, the government of China is well-known to use industrial espionage on behalf of Chinese companies - how about putting the update-hacker in hotels, to snare the laptops of business travelers? All the trojan need do is transmit the documents folder back to the attacker's server and then destroy all evidence of its own existence. Grab the contents of enough laptops, and you're sure to get something juicy. And it shouldn't need saying that this would be an excellent way for government forces to get a spy trojan into citizens' laptops, whether that be a police force gathering evidence against a drug dealer network or an oppressive state spying on dissidents for anything that can publicly justify some jail time or reveal their contacts.
The point is that anyone can read/modify the linux sourcecode...
Windows sourcecode is only available to certain organisations, I doubt the government of Iran has it and it's certainly not available to the general public.
Also as far as I know, the "shared source" agreement only provides source you can read through, you are not allowed to modify it and I don't believe you can even compile it. What assurance do recipients of the source have that it is the exact same source used to build the binaries they are running?
The development process of windows is also far less open, with linux you can see exactly who submitted a patch.
Whichever way you look at it, linux provides better access to the sourcecode.. How much better varies depending on how much microsoft trusts you.
Whoever you are, you have a better chance of finding unwanted code inserted by a third party like the NSA, you have a better chance of identifying who put it there and you have a better chance of building a version which excludes the code in question.
Duh Of The Week.
OK so everyone already knew this was true only because it stands to reason. So let's play a game. Why was this story released as "news"?
Here's my guess. The government is trying to send a message to young geeks. Hey kids- don't think that your hacker skills or career path are orthogonal to becoming a spy! We're very interested in your skills and you can be part of something that really matters.
Just my guess.
woosh...
It can't be Jack Bauer, he uses a Mac....
I am extremely pedantic by nature, (my nickname IRL is "CorrectnessMan") so I fight the impulse constantly, on and off-line. Sometimes, in certain contexts, it may be helpful to point out an error. I like to think that I can tell the difference. I've certainly learned that it annoys people any time.
They feared that it could be used to suppress protest or support unpopular rule.
The plural of medical viruses is viruses, so I would interpret the OP's use of the term on a biological noun (government personnel) as being incorrect. YMMV.
.. as a full time vendor and I've never seen any under cover federal agents. This must be a false flag news story of some kind.
You are completely misreading what I said, so I will spell it out in simple terms for you:
1, It is easier for people to get access to Linux source than Windows.
2, Many more people and organisations have access to Linux source than Windows.
Therefore "linux provides better access to the sourcecode" as I said.
"If you are sufficiently concerned about it, then you can inspect the sourcecode of linux and/or remove the parts you don't want..." This applies to ANYONE... Only certain organisations have READ access to windows source under restrictive terms, which means they can't make themselves a modified build with unwanted code removed.
For many organisations and individuals, access to windows source would simply not be available at all via any legal channels, what do you expect people or organisations which fall into this group to do?
"Even if you can't or won't inspect the linux source, you at least gain some assurance from the fact that many independent people with differing goals are able to see the source. Again, this is something windows simply doesn't provide."
Organisations with access to windows source have to sign all manner of NDAs, they are not impartial and are bound by contracts which limit what they can disclose to the public. Linux has no such limitations.
"If you're a national government, then you certainly have the resources to inspect linux, and you'd be foolish not to inspect the software you use for critical infrastructure."
Do you think Microsoft provide sourcecode of windows to governments such as Iran? I severely doubt it, in which case the fact that Microsoft provide sourcecode to someone else is irrelevant as far as the Iranian government is concerned. Linux on the other hand provides source to anyone who wants it.
Your providing irrelevant links does not change the facts.
Also, answer these direct questions:
1, Do YOU have access to windows source code? And if so, what can you do with it (inspect, build, modify, distribute)?
2, Do YOU have access to linux source code? And if so, what can you do with it (inspect, build, modify, distribute)?
NSA has to work with Microsoft in order to insert the zero day exploits of their own design. With Linux they are free to modify the code to include back doors and bugs needed to infiltrate PCs of desire. I would love to do a diff on the NSA kernel source code on linux between the one available to the public and the one they use to compile kernels for their own agents. I bet the differences would reveal the holes inserted by the NSA.
1.) I showed that many independent people with differing goals are able to see the source!
And your examples are not truly independent because they are all beholden to the (rather restrictive) agreement under which they receive the source, so my original statement still applies.
Have you actually read the terms an organisation has to agree with in order to qualify for the shared source program?
"Even if you can't or won't inspect the linux source, you at least gain some assurance from the fact that many independent people with differing goals are able to see the source. Again, this is something windows simply doesn't provide."
I will rephrase this yet again:
If you are under an NDA then you are not independent. Your ability to work with the source (eg publish any bad things you find in it) is controlled by the company with whom you have the NDA.
That you are independent of other organisations that have the source is irrelevant, you are not truly independent of the organisation that supplied the source since you are beholden to them under contract.
I'm sure that this happens very often. Hotels are notorious for espionage, hence most companies require VPN and recommend you don't use a Hotel's service. When I worked at the DOD we had to use encrypted satellite cards on travel, using any public internet was strictly not allowed.
Outside of the DOD, cheap is the name of the game. Cheap is always far from secure.
You are not independent of a company you have a contract with in respect of anything covered by said contract, to suggest otherwise is just ridiculous.
Independent of one another in any other field is irrelevant, they cannot act independently of microsoft with the source.
I may be independent of you in most fields, but neither of us are able to directly post pictures here because slashdot doesn't allow that, so we are both dependent on slashdot in this case.
Your mention of hackers is grasping... Microsoft never intentionally made source available to them and they can only use it for further nefarious means as anyone who published a vulnerability they found in illegally acquired sourcecode would be running serious risk.
What it does show however, is that a closed source model provides significant advantages to the blackhats at the expense of legitimate researchers and end users.