Slashdot Mirror


Former Microsoft Privacy Chief Doesn't Trust Company, Uses Open Source Software

MojoKid writes "Microsoft's onetime Chief Privacy Advisor, Caspar Bowden, has come out with a vote of no-confidence in the company's long-term privacy measures and ability or interest to secure user data in the wake of the NSA's PRISM program. From 2002 to 2011, Bowden was in charge of privacy at Microsoft, and oversaw the company's efforts in that area in more than 40 countries, but claims to have been unaware of the PRISM program's existence while he worked at the company. In the two years since leaving Microsoft, Bowden has ceased carrying a cell phone and become a staunch open source user, claiming that he no longer trusts a program unless he can see the source."

16 of 199 comments

  1. Now, also make it understandable by d33tah · · Score: 5, Funny

    The next obvious step is not to use it unless you can understand it.

  2. Good for him by techsoldaten · · Score: 5, Insightful

    Without assigning any kind of reason to his shift in attitudes - it's refreshing to see a privacy officer come out like this. I can't think of a reason any CPOs should act differently.

    1. Re:Good for him by bill_mcgonigle · · Score: 5, Insightful

      He seems to have gone a little too "tinfoil-hat" for my tastes. He doesn't carry a cell phone anymore. I think that says a lot more than becoming an open source user.

      If the government mandated that everybody carry a tracking device, keep it on at all times, and that they'd be storing the tracking data in perpetuity, there'd be a goddamn revolution.

      But when they do so voluntarily, and the NSA steals all that data - leading to the exact same end point - people are all like, "oh, look, Walter White is twerking again."

      At least this guy is being true to his privacy milieu.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  3. Routing Connections from Point A to Point B by jiadran · · Score: 5, Interesting

    The article mentions that a connection from one point to another within Europe would likely stay within Europe. Maybe technically... On a recent trip to Paris I did a traceroute to an e-mail server in Switzerland, and essentially what I saw was: Paris (F) -> London (UK) -> Paris (F) -> London (UK) -> Paris (F) -> Lyon (F) -> Geneva (CH). There might be good reasons why the connection would go through London, but twice, and then come back? Considering that the UK is closely collaborating with the US in its data gathering, I have a feeling that this routing was not entirely by accident.

    1. Re:Routing Connections from Point A to Point B by StripedCow · · Score: 5, Funny

      There might be good reasons why the connection would go through London, but twice, and then come back?

      Perhaps the packet forgot its toothbrush?
      Never attribute to malice what can be adequately explained by stupidity.

      --
      If Pandora's box is destined to be opened, *I* want to be the one to open it.
    2. Re:Routing Connections from Point A to Point B by SSpade · · Score: 4, Informative

      I'm pretty sure that you don't really know where the physical hardware using the intermediate IP addresses shown in the traceroute actually was. Reverse DNS tends to show who owns it, *not* which country it's in. And geoip services are doing well if they can identify the right country in Europe, let alone anything more accurate than that.

      Even if you did see routing like that, and it really did go to the cities you claim, it still wouldn't be that odd - when routing is optimized at all it's optimized for cost, rather than distance. For long-haul the two tend to go together, but for relatively short distances in the well-connected first world they don't.

  4. The next obvious step is to ... by Taco+Cowboy · · Score: 5, Insightful

    ... use caution in everything we do.

    There is no way we can understand everything. There are just too many things out there that we use daily - even software alone consists of so many layers (from the spreadsheet software program that we use, to the device drivers, the OS, to the embedded firmwares residing inside the chips, to the myriad mix of software that keep the Net humming).

    Yes, I know, it is no fun.

    The paranoids have a point, after all --- BIG BROTHERS (plural) want to know everything about us.

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:The next obvious step is to ... by Fnord666 · · Score: 5, Insightful

      even software alone consists of so many layers (from the spreadsheet software program that we use, to the device drivers, the OS, to the embedded firmwares residing inside the chips, to the myriad mix of software that keep the Net humming).

      Don't forget the compilers and linkers that build the software. The source may look fine, but where did the compiler come from?

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    2. Re:The next obvious step is to ... by Anonymous Coward · · Score: 5, Informative

      There's still the trick described by Ken Thompson which involves a compiler taking the source code of a compiler but also injecting a backdoor into the binary at the same time. This means that there can be a trojan replicating itself over multiple generations even though it never shows up in the source.

    3. Re:The next obvious step is to ... by Thanshin · · Score: 5, Funny

      Open source compilers... that compile themselves.

      It's compilers all the way down.

    4. Re:The next obvious step is to ... by Pope · · Score: 4, Funny

      Open source compilers... that compile themselves.

      It's compilers all the way down.

      My god, it's even worse: Turtle Logo compilers!

      --
      It doesn't mean much now, it's built for the future.
  5. Message received by Tokolosh · · Score: 5, Insightful

    Recent history teaches us that he knows things that he is not allowed to talk about. This is his way of legally signalling that all is not well.

    We have congresscritters trying to send the same message, without being labeled "traitors". See http://www.wyden.senate.gov/news/press-releases/wyden-udall-statement-on-reports-of-compliance-violations-made-under-nsa-collection-programs

    --
    Prove anything by multiplying Huge Number times Tiny Number
    1. Re:Message received by turgid · · Score: 4, Insightful

      You're not thinking cynically enough.

      With my Slashdot ubiquitous Microsoft Shill hat on, consider the following.

      If you don't like/trust/use Microsoft, you are immature and stupid and a stinking long-haired communist FOSS hippy.

      Someone from the company you HATE leaves the company and announces that they don't trust their former employer which also happens to be the company you HATE, and that they have converted to the FOSS way.

      That means what you suspected all along is true! Right?

      Ah but, it's a trap! You see, the FOSS is back-doored to high heaven as well and all this is a psychological trick to make you feel secure and validated in your own mind.

      Muhahahhahahhahah! Elop will soon rule the galaxy.

  6. I'm surprised MS had a Chief Privacy Advisor... by jkrise · · Score: 5, Funny

    that itself is more newsworthy. At first glance I thought Piracy Advisor; who suggests making things difficult to pirate.

    Why would MS appoint somebody to advise them on privacy of their customers' data? How does it benefit the shareholders?

    --
    If you keep throwing chairs, one day you'll break windows....
  7. Caspar Bowden's testimony in the EU Parliament by Christian+Engstrom · · Score: 4, Informative

    Last week, Caspar Bowden testified at a hearing in the European Parliament, and presented a report on the NSA surveillance to the European Parliament's Committee for Fundamental Rights LIBE.

    Link to the report: http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/dv/briefingnote_/briefingnote_en.pdf

    Link to the YouTube video with Bowden's statement and the following Q&A (63 min): http://youtu.be/qa83l2_ZzEo

    --
    Christian Engström, Former Member of the European Parliament 2009-2014 for The Pirate Party, Sweden
  8. Re:Worthless by Virtucon · · Score: 4, Informative

    He doesn't have to, it appears that the Key exchange protocols were weakened and it's not necessary to break AES but extract the keys during KEP negotiation. http://www.zdnet.com/has-the-nsa-broken-ssl-tls-aes-7000020312/

    You also have to remember that it's a negotiation and unless you set your browsers up and websites to use more secure protocols you could default to say RC4-RSA under SSLv2.0. There are acknowledged flaws in TLS 1.0 (SSLv3.0) but it wasn't until a couple of months ago that Firefox supported TLS 1.1 and it still doesn't support TLS 1.2. Chrome (Version 30+) and IE (9+) support TLS 1.1 and TLS 1.2. So you should see more and more websites turning on TLS 1.2 support and turning off TLS 1.0 and 1.1 if they can. http://en.wikipedia.org/wiki/Transport_Layer_Security

    I've already had change requests come in from customers to get away from AES and to push more TLS 1.2 out there and you're already seeing companies and other government agencies distancing themselves from NIST blessed standards and that's lamentable but the credibility of the organization has been irreparably compromised by NSA influence. As a result, we may see more ChaCha or more TwoFish implementations start to come into the mix over this, which is a good thing because it means that we have diversity in ciphers and less reliance on NIST and its standards processes.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
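The point Virtucon makes above is that TLS is a negotiation, so a server or client that does not pin a floor on protocol version and cipher suite can end up on RC4 or a pre-TLS 1.2 version. The following is an added example written for this mirror, not code from the thread or from any product it mentions. It shows two defensive pieces in Python's standard `ssl` module: a client context that refuses anything below TLS 1.2 and excludes RC4, 3DES and MD5-based suites, and a small detector that flags weak negotiated protocol/cipher pairs in server log lines. The log format (client, `$ssl_protocol`, `$ssl_cipher` separated by spaces) and the sample lines are constructed for the example, and the list of "weak" markers is the editor's choice, not a standard.

```python
"""Added example (not from the Slashdot thread): a hardened TLS client
context plus a detector for weak negotiated handshakes in constructed
server log lines."""
import re
import ssl

# Protocol versions the comment above treats as deprecated (SSLv2/3, TLS 1.0/1.1).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Cipher-name fragments that mark a weak cipher or hash. Constructed list:
# RC4 from the comment, plus (3)DES, NULL, EXPORT and MD5 as well-known weak choices.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")

# Constructed access-log lines in the shape "<client> <protocol> <cipher>".
SAMPLE_LOG = """\
203.0.113.10 TLSv1 RC4-SHA
203.0.113.11 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.12 TLSv1.1 DES-CBC3-SHA
203.0.113.13 TLSv1.3 TLS_CHACHA20_POLY1305_SHA256
"""

LOG_RE = re.compile(r"^(?P<client>\S+)\s+(?P<proto>\S+)\s+(?P<cipher>\S+)$")


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses everything below TLS 1.2 and offers only
    forward-secret AEAD suites (AES-GCM or ChaCha20-Poly1305)."""
    ctx = ssl.create_default_context()          # CA bundle + hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3 / TLS 1.0 / TLS 1.1
    # ECDHE/DHE key exchange only; the '!' terms explicitly drop anonymous,
    # RC4, 3DES and MD5-based suites even if the library default allowed them.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!RC4:!3DES:!MD5")
    return ctx


def context_allows_rc4(ctx: ssl.SSLContext) -> bool:
    """True if any cipher suite the context would offer uses RC4."""
    return any("RC4" in c["name"] for c in ctx.get_ciphers())


def classify_handshake(proto: str, cipher: str) -> list[str]:
    """Return the reasons a negotiated protocol/cipher pair is weak.
    An empty list means the pair is acceptable under this policy."""
    reasons = []
    if proto in WEAK_PROTOCOLS:
        reasons.append(f"deprecated protocol {proto}")
    for marker in WEAK_CIPHER_MARKERS:
        if marker in cipher.upper():
            reasons.append(f"weak cipher component {marker}")
            break  # one cipher reason is enough to flag the line
    return reasons


def weak_handshakes(log_text: str) -> dict[str, list[str]]:
    """Map each client address whose handshake is weak to the reasons found."""
    flagged = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected shape
        reasons = classify_handshake(m["proto"], m["cipher"])
        if reasons:
            flagged[m["client"]] = reasons
    return flagged


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("minimum version:", ctx.minimum_version.name,
          "| RC4 offered:", context_allows_rc4(ctx))
    for client, reasons in weak_handshakes(SAMPLE_LOG).items():
        print(client, "->", "; ".join(reasons))
```

The server-side counterpart is the same idea applied to the listener's configuration; the detector is useful precisely because, as the comment notes, a server that still permits TLS 1.0 or RC4 will quietly negotiate them with old clients, and the log is where that shows up.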