Former Microsoft Privacy Chief Doesn't Trust Company, Uses Open Source Software
MojoKid writes "Microsoft's onetime Chief Privacy Advisor, Caspar Bowden, has come out with a vote of no-confidence in the company's long-term privacy measures and ability or interest to secure user data in the wake of the NSA's PRISM program. From 2002 to 2011, Bowden was in charge of privacy at Microsoft, and oversaw the company's efforts in that area in more than 40 countries, but claims to have been unaware of the PRISM program's existence while he worked at the company. In the two years since leaving Microsoft, Bowden has ceased carrying a cell phone and become a staunch open source user, claiming that he no longer trusts a program unless he can see the source."
The next obvious step is not to use it unless you can understand it.
Without assigning any kind of reason to his shift in attitudes - it's refreshing to see a privacy officer come out like this. I can't think of a reason any CPO should act differently.
The article mentions that a connection from one point to another within Europe would likely stay within Europe. Maybe technically... On a recent trip to Paris I did a traceroute to an e-mail server in Switzerland, and essentially what I saw was: Paris (F) -> London (UK) -> Paris (F) -> London (UK) -> Paris (F) -> Lyon (F) -> Geneva (CH). There might be good reasons why the connection would go through London, but twice, and then come back? Considering that the UK is closely collaborating with the US in its data gathering, I have a feeling that this routing was not entirely by accident.
... use caution in everything we do.
There is no way we can understand everything. There are just too many things out there that we use daily - even software alone consists of so many layers (from the spreadsheet program that we use, to the device drivers, the OS, to the embedded firmware residing inside the chips, to the myriad mix of software that keeps the Net humming).
Yes, I know, it is no fun.
The paranoids have a point, after all --- BIG BROTHERS (plural) want to know everything about us.
Muchas Gracias, Señor Edward Snowden !
Snowden? If your name is *owden, you are automatically privacy-minded, apparently.
Recent history teaches us that he knows things that he is not allowed to talk about. This is his way of legally signalling that all is not well.
We have congresscritters trying to send the same message, without being labeled "traitors". See http://www.wyden.senate.gov/news/press-releases/wyden-udall-statement-on-reports-of-compliance-violations-made-under-nsa-collection-programs
Prove anything by multiplying Huge Number times Tiny Number
that itself is more newsworthy. At first glance I thought Piracy Advisor; who suggests making things difficult to pirate.
Why would MS appoint somebody to advise them on privacy of their customers' data? How does it benefit the shareholders?
If you keep throwing chairs, one day you'll break windows....
News at 11.
There is plenty of closed source software that is very easy to verify (assuming you know how to read assembly, of course).
Do you even lift?
These aren't the 'roids you're looking for.
Now that he's opened his mouth he's on their radar for sure.
#define P(X)j=write(1,X,1)
#define C 39
int M[5000]={2},*u=M,N[5000],R=22,a[4],l[]={0,-1,C-1,-1},m[]={1,-C,-1,C},*b=N,
*d=N,c,e,f,g,i,j,k,s;main(){for(M[i=C*R-1]=24;f|d>=b;){c=M[g=i];i=e;for(s=f=0;
s=0&&k=16!=M[k]>=16))a[f++
]=s;if(f){f=M[e=m[s=a[rand()/(1+2147483647/f)]]+g];j=jb++?b[-1]:e;}P(" ");for(s=C;--s;P("_")
)P(" ");for(;P("\n"),R--;P("|"))for(e=C;e--;P("_ "+(*u++/8)%2))P("| "+(*u/4)%2
);}
shapiro.c from IOCCC 1985
Has he also gotten rid of any Speedpass toll device he has ?
Has he gotten rid of any tire pressure monitoring system in his vehicles ?
Has he gotten rid of his license plates which are read by numerous cameras
in any weather, day or night, and which allow his movements to be added to
a database ?
Has he gotten rid of all his bank accounts and credit cards ?
Has he quit using any internet tools for any communications ?
The above is merely the basics. Switching to open source OS doesn't
give real privacy any more than watertight doors guaranteed the Titanic
would not sink.
That is true, but there is usually too much work involved to make it feasible in practice.
http://scienceblogs.com/goodmath/2007/04/15/strange-loops-dennis-ritchie-a/
Both AC and disposable60 were trying to explain to you the concept outlined by Mr. Thompson.
Read, and ponder.
Muchas Gracias, Señor Edward Snowden !
There is plenty of closed source software that is very easy to verify (assuming you know how to read assembly, of course).
It is easier said, than done.
As an ASM programmer myself (and I have been doing assembly and machine language since the 1970s) I can tell you that not all programs can be successfully disassembled.
Muchas Gracias, Señor Edward Snowden !
Last week, Caspar Bowden testified at a hearing in the European Parliament, and presented a report on the NSA surveillance to the European Parliament's Committee for Fundamental Rights LIBE.
Link to the report: http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/dv/briefingnote_/briefingnote_en.pdf
Link to the YouTube video with Bowden's statement and the following Q&A (63 min): http://youtu.be/qa83l2_ZzEo
Christian Engström, Former Member of the European Parliament 2009-2014 for The Pirate Party, Sweden
He doesn't have to, it appears that the key exchange protocols were weakened and it's not necessary to break AES but extract the keys during KEP negotiation. http://www.zdnet.com/has-the-nsa-broken-ssl-tls-aes-7000020312/
You also have to remember that it's a negotiation and unless you set your browsers and websites up to use more secure protocols you could default to say RC4-RSA under SSLv2.0. There are acknowledged flaws in TLS 1.0 (SSLv3.0) but it wasn't until a couple of months ago that Firefox supported TLS 1.1 and it still doesn't support TLS 1.2. Chrome (Version 30+) and IE (9+) support TLS 1.1 and TLS 1.2. So you should see more and more websites turning on TLS 1.2 support and turning off TLS 1.0 and 1.1 if they can. http://en.wikipedia.org/wiki/Transport_Layer_Security
I've already had change requests come in from customers to get away from AES and to push more TLS 1.2 out there, and you're already seeing companies and other government agencies distancing themselves from NIST-blessed standards. That's lamentable, but the credibility of the organization has been irreparably compromised by NSA influence. As a result, we may see more ChaCha or more Twofish implementations start to come into the mix over this, which is a good thing because it means that we have diversity in ciphers and less reliance on NIST and its standards processes.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
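The negotiation point in the post above (a client that leaves versions and ciphers to the peer can end up on a legacy suite), shown as an added example that is not part of the thread or of any product it names. It builds a Python client context that refuses anything below TLS 1.2 and anything that is not a forward-secret AEAD suite, sets a deliberately permissive context beside it for contrast, and audits what each would actually offer. The LEGACY pattern, the function names and the cipher string are this example's own choices; the standard library's ssl module does the work.

```python
"""Added example, not code from the thread: a Python TLS client context that
refuses the protocol versions and cipher families the post above warns about,
plus a small audit of what a context would actually offer on the wire.
Standard library only (Python 3.7+, OpenSSL 1.1.1+ for the TLS 1.3 suites)."""
import re
import ssl

# Algorithm names we never want to see in an offered suite. The list is this
# example's assumption, not something the post enumerates.
LEGACY = re.compile(r"RC4|RC2|DES|MD5|NULL|EXPORT|IDEA|SEED", re.IGNORECASE)


def hardened_client_context():
    """TLS 1.2 minimum; forward-secret (ECDHE) AEAD suites only.

    PROTOCOL_TLS_CLIENT already turns on hostname checking and certificate
    verification; we only tighten versions and ciphers on top of that.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suites: ECDHE key exchange with AES-GCM or ChaCha20-Poly1305.
    # OpenSSL keeps the TLS 1.3 suites on a separate list, so they stay enabled.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!PSK:!SRP")
    ctx.load_default_certs()
    return ctx


def permissive_client_context():
    """The kind of context the post warns about: whatever the peer prefers.

    Modern OpenSSL builds may refuse some of these settings; that refusal is
    itself useful information, so it is reported rather than hidden.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # deprecated; may warn
        ctx.set_ciphers("ALL:@SECLEVEL=0")           # every compiled-in suite
    except (ValueError, ssl.SSLError) as exc:
        print("library refused legacy settings:", exc)
    return ctx


def audit(ctx):
    """Summarise what a context would offer: versions, suites, weak spots."""
    suites = ctx.get_ciphers()   # one dict per suite, as OpenSSL reports it
    return {
        "minimum_version": ctx.minimum_version,
        "protocols": sorted({s["protocol"] for s in suites}),
        "suite_count": len(suites),
        "all_aead": all(s["aead"] for s in suites),
        "legacy_suites": sorted(s["name"] for s in suites
                                if LEGACY.search(s["name"])),
    }


if __name__ == "__main__":
    for label, ctx in (("permissive", permissive_client_context()),
                       ("hardened", hardened_client_context())):
        report = audit(ctx)
        print(f"{label}: min={report['minimum_version'].name} "
              f"protocols={report['protocols']} suites={report['suite_count']} "
              f"all_aead={report['all_aead']}")
        print("  legacy suites:", report["legacy_suites"] or "none")
```

The audit only reports what the client is willing to offer; the version and suite that get used are still whatever the server picks from that offer, which is why the same tightening has to be done on the server side as well.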
It's utopian, and silly, to think that 1. everyone can so carefully inspect all software they use that you can keep snoopers out and 2. that this makes any difference anyway. There's nothing in what he says that will do anything to protect his privacy, nor will following his example protect yours. Repeat after me: this is not an engineering/programming/technical problem, it's a political problem.
Recall Ubuntu's Mark Shuttleworth (http://www.markshuttleworth.com/archives/1182):
"Your anonymity is preserved because we handle the query on your behalf. Don’t trust us? Erm, we have root. You do trust us with your data already. You trust us not to screw up on your machine with every update. You trust Debian, and you trust a large swathe of the open source community."
I trust Debian, even if the server breaches from ten years ago had me "worried" (http://www.internetnews.com/dev-news/article.php/3112551):
"Within the past 36 hours, four of the Debian Project's main Web servers for bug tracking, mailing lists, security and Web searches were breached, the open-source group said. Joey Schulze, Debian Project stable release manager, e-mailed members of the organization's discussion list explaining that the machines were being taken down. The Debian Project servers run on its own operating system, version 3.0/i386, with current security updates. Some services provided by the servers have been mirrored at other sites, but Schulze told internetnews.com he doesn't expect the original machines to be running before Monday, with the possible exception of the security.debian.org and master servers."
Here is the Slashdot story http://linux.slashdot.org/story/03/11/28/050232/more-info-on-debianorg-security-breach
Maybe there have been more. How would we know?
However, those insistent on trashing open source will still forget that the issue is a solved one for anyone willing to do a little work.
I guess it's the entitlement culture in the USA and spread by their international business globally that insists that everything be known by them without having to put any effort into it.
Pretty much sums it up. Unless you can analyse the CPU microcode and block diagram, sorry, but you're boned.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
I know that word, and I do not think it means what you think it means.
"I opened my eyes, and everything went dark again"
Do you trust them to audit their random number generator?
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
So, Microsoft's been scroogling us all along. Funny how these things work out.
This ought to lay everyone's concerns to rest:
Azure certified by DOD
Obviously, this guy is just disgruntled. Nothing to see here..
The following statement is true: The previous statement is false.
Um, and if I'm a citizen, I'm protected from prism? Nuh uh.
- First they ignore you, then they laugh at you, then ???, then profit.
The ENIGMA system is so complicated that no-one will be able to break it.
May the Maths Be with you!
Is it that if something requires more effort than merely wishing on a star that not only will you not do it, you will refuse to believe anyone will?
The technology may some day exist to decompile a binary into a set of comprehensible source files that elucidates the architecture of an arbitrarily complex code base, but today that does not exist.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
I am not, and never will be, a programmer or one that is able to go through the source code and assure myself that all is well. I do have to depend on the Thousands of people out there that have this ability, to get my peace of mind with my chosen OS and the Software that runs on it! This is a lot more assurance than anyone using a closed source OS can say! Not perfect for me, but way better than the alternatives!
I don't remember the exact string of characters, but I think your reply should include in part 'NO CARRIER' :)
+++
ATH0
Jesus was all right but his disciples were thick and ordinary. -John Lennon
There and he just now wakes up 17 years behind me on open source. I don't understand how it can be.
Yeah, 2 years is ok between vulnerability introduction by the maintainer and the fix, right? It's not like OpenSSL is used for anything important?
Open source is peer reviewed and secure, right?
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Immature? You're the one that believes everything he reads on the internet. Prove it or get back in your hole troll.
Embedding a 3G chip / SIM / carrier selection technology... I'm sure there's a few obstacles I'm missing too, would be a technological marvel on a processor; I'd be putting my proc into any device I want internet on. It doesn't make sense from a commercial or power consumption perspective either. I think someone mistook wake-on-LAN for 3G in some of these articles and then it spread like internet troll stories often do.