Microsoft's NSA 'Transparency' Push Remains Pretty Opaque
Nerval's Lobster writes "Microsoft will encrypt consumer data and make its software code more transparent, in a bid to boost consumer confidence in its security. Microsoft claims that it will now encrypt data flowing through Outlook.com, Office 365, SkyDrive, and Windows Azure. That will include data moving between customers' devices and Microsoft servers, as well as data moving between Microsoft data-centers. The increased-transparency part of Microsoft's new initiative is perhaps the most interesting, considering the company's longstanding advocacy of proprietary software. But Microsoft actually isn't planning on throwing its code open for anyone to examine, as much as that might quell fears about government-designed backdoors and other nefarious programming. Instead, according to its general counsel Brad Smith, "transparency" means "building on our long-standing program that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors." In addition, Microsoft plans on opening a network of "transparency centers" where customers can go to "assure themselves of the integrity of Microsoft's products." That's not exactly the equivalent of volunteers going through TrueCrypt to ensure a lack of NSA backdoors, and it seems questionable whether such moves (vague as they are at this point) on Microsoft's part will assure anyone that it hasn't been compromised by government sources. But with Google and other tech firms making a lot of noise about encrypting their respective services, Microsoft has little choice but to join them in introducing new privacy initiatives."
so they encrypt it, giving people a false sense of security, while they give the decryption key to the NSA...
actually where pretend tries rank... this is not a nice one at all.
Anyone who trusts Microsoft is a moron.
Microsoft Transparency is an Oxymoron; unless we are talking about Aero Glass transparency.
If you keep throwing chairs, one day you'll break windows....
Prince Humperdinck: Surrender.
Westley: You mean you wish to surrender to me? Very well, I accept.
....given that Microsoft isn't going to open their source to the world, this seems a reasonable step from them.
I mean, nobody here's going to give them the tiniest lick of credit for it, but such is /.
It is indeed ridiculous... "hey, look at this tape of me sleeping... see, it is ten hours long, look at the timestamp - the date you were out of town. This is proof that I was not fucking your wife all night. Btw, I have this other tape, the date is next week, so don't worry, I'll not be fucking your wife again."
Encryption is not a one size fits all solution. I can say that I use encryption for everything because my HDDs use FDE (BitLocker, FileVault, and LUKS). However, encrypting everything that hits the platters doesn't give any protection against remote attack. Scale that up to the enterprise, and having a low level PowerPath driver encrypt what hits a LUN doesn't matter much if the host machine gets breached.
While I do have faith that BitLocker and other items are not obviously backdoored, my eyes glaze over when companies say that they will just encrypt stuff, all problems over.
Encryption just makes the amount of sensitive data move from the data to how keys are stored, and attackers will just start hitting the key management system, either bribing/coercing an admin, or using basic social engineering techniques to get access to stored keys.
Even hardware key storage devices are not 100%. One can always hack a user account on one of those to sign/decrypt data even without access to the key material itself.
Encryption is just one piece. It can be equated to use of a safe. However, safecrackers tend to care less about the safe itself than the lock on the safe, and the key management is what makes or breaks security.
...where NSA contracts begin. Much to the surprise of absolutely no-one at all.
You went above and beyond to sell out your own fucking customers. Nothing you can do can remove that stain for good reason!
Short of encrypting data before it hits the server, using a private key that is managed only by the user, there really isn't anything these big companies can do to improve your security.
Protecting data in transport? HTTPS's key management is compromised so that's not going to protect against the NSA. Are they going to overhaul that system?
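The two comments above draw the same line from different ends: disk or transport encryption does nothing once the host that holds the key is breached, and only encryption done on the client with a user-held key keeps the provider (and anyone tapping it) out of the plaintext. As an added example, not code from any commenter or from Microsoft, the following Go program models the three cases with a toy in-memory "server": an upload protected by transport encryption only (TLS terminates at the provider, so the provider stores plaintext), an upload encrypted on the client with AES-256-GCM before it leaves, and the same upload after the user's key has been handed over or stolen. The sample document, the path names and the `Server` type are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is the opaque blob a provider stores when the client encrypts first.
type Record struct {
	Nonce      []byte
	Ciphertext []byte // AES-GCM output: ciphertext followed by the auth tag
}

// Server is a constructed model of the provider. Transport encryption ends
// at the server, so a "TLS only" upload lands here as plaintext. A tap on
// the server (or a key handover) exposes whatever the server can read.
type Server struct {
	plain map[string][]byte // transport-only uploads
	blobs map[string]Record // client-encrypted uploads
}

func NewServer() *Server {
	return &Server{plain: map[string][]byte{}, blobs: map[string]Record{}}
}

// UploadOverTLS models encryption in transit only: the server holds plaintext.
func (s *Server) UploadOverTLS(path string, data []byte) { s.plain[path] = data }

// UploadBlob models client-side encryption: the server holds only ciphertext.
func (s *Server) UploadBlob(path string, rec Record) { s.blobs[path] = rec }

// TapBytes returns every byte the server could hand over for a path.
func (s *Server) TapBytes(path string) []byte {
	if d, ok := s.plain[path]; ok {
		return d
	}
	if r, ok := s.blobs[path]; ok {
		return r.Ciphertext
	}
	return nil
}

// NewUserKey makes a 256-bit AES key that only the user's client ever holds.
func NewUserKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ClientEncrypt seals data with AES-256-GCM before upload. The path is bound
// as associated data so a stored blob cannot be silently moved to another path.
func ClientEncrypt(key, data []byte, path string) (Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, data, []byte(path))}, nil
}

// ClientDecrypt opens a record; it fails unless key, nonce, path and tag all match.
func ClientDecrypt(key []byte, rec Record, path string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(path))
}

// Outcome records what a tap on the server recovers in each scenario.
type Outcome struct {
	UserRoundTrip   bool // the owner can still read their own file
	TapReadsTLSOnly bool // transport-only upload: the tap yields plaintext
	TapReadsBlob    bool // client-encrypted upload: the tap yields plaintext
	TapWithKeyReads bool // client-encrypted upload plus a handed-over key
}

// Demo runs the three scenarios on a constructed sample document.
func Demo() (Outcome, error) {
	doc := []byte("2013-12-5_FinancialReport.docx: Q4 revenue (constructed sample)")
	srv := NewServer()
	var out Outcome

	// 1. Encryption in transit only: TLS is terminated at the provider.
	srv.UploadOverTLS("/tls/report", doc)
	out.TapReadsTLSOnly = bytes.Equal(srv.TapBytes("/tls/report"), doc)

	// 2. Client-side encryption with a key the provider never sees.
	key, err := NewUserKey()
	if err != nil {
		return out, err
	}
	rec, err := ClientEncrypt(key, doc, "/e2e/report")
	if err != nil {
		return out, err
	}
	srv.UploadBlob("/e2e/report", rec)
	got, err := ClientDecrypt(key, rec, "/e2e/report")
	out.UserRoundTrip = err == nil && bytes.Equal(got, doc)
	out.TapReadsBlob = bytes.Contains(srv.TapBytes("/e2e/report"), doc)

	// 3. The key is handed over or the key store is breached: the stored
	// blob is no longer a barrier, which is why key management decides security.
	leaked, err := ClientDecrypt(key, srv.blobs["/e2e/report"], "/e2e/report")
	out.TapWithKeyReads = err == nil && bytes.Equal(leaked, doc)
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Running it prints an `Outcome` in which only the transport-only upload and the key-handover case let the tap read the document. The point of binding the path as associated data is that an authenticated cipher refuses to open a blob that was tampered with or moved, so a provider cannot quietly substitute one user's stored record for another's without the client noticing.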
building on our long-standing program that provides government customers with an appropriate ability to review our source code
Well, of course, we wouldn't expect you to allow anyone in with an inappropriate ability to review your source code.
The cow says "Moo." The dog says "Woof." The Timothy says "Thanks, valued customer. We appreciate your input."
>> it seems questionable whether such moves (vague as they are at this point) on Microsoft's part will assure anyone that it hasn't been compromised by government sources
I'm genuinely surprised that apparently some people still exist that think Microsoft might actually not be providing the government with backdoors and feeds of everything that goes anywhere near their products and/or servers.
You know, with all this anti-NSA-surveillance related encryption, think of the extra cost in terms of CPU and power consumption to implement the protections. Imagine the increased coding complexities and human resources directed at it, and all the extra service calls and maintenance when something goes wrong, et cetera.
The NSA is effectively spending billions of taxpayer dollars to make US businesses less energy efficient and less competitive, not to mention businesses that will simply leave the country because of the perceived and real risks. It's all for the sake of security, which apparently trumps everything else.
Saying that it is encrypted is one thing, but a whole lot more is needed to be confident in security. What if the encryption algorithms have problems, or the key generation produces an effective length of less than 2048, etc, etc.
Microsoft would be really smart if it released its security related code under some "you can view this and try to break it but cannot sell/... license". This need not be incompatible with keeping the rest of its code base proprietary. It would really boost confidence if people could independently rebuild the security DLLs. On the other hand if Microsoft does not do this we need to ask the question: what has it got to hide?
Just throw some magic encryption sprinkles on it.
If only "embrace, extend, extinguish" worked on the NSA, Microsoft would get some serious Karma points.
In addition, Microsoft plans on opening a network of "transparency centers" where customers can go to "assure themselves of the integrity of Microsoft's products."
They'll be offering free massages, hors d'oeuvres and a 30 minute guided tour of the most "important bits".
So if Microsoft does not really believe in transparency/privacy... what's the point of all these initiatives?
Secret World Domination Agenda?
http://en.wikipedia.org/wiki/NSAKEY
... even achieving transparency between departments is difficult. When I used to work there you should have seen what we went through to get code from other teams. In spite of the fact that the company rewards cross-group collaboration (which was the main reason we were doing it).
I seem to remember that was the case.
...who wouldn't know a principal if it bit them in the ass and sang "Yankee Doodle." They will bend over with a smile the moment any government agency wants them to do anything and ask if they'd like anything else. Encryption. Feh. All PR, smoke and mirrors. This is an attempt to change public perception. Nothing more.
Please do not read this sig. Thank you.
The moment they receive a National Security Letter, the backdoor is added and pushed out in a regular software update. Or, on the server side, they add a tap anywhere they touch plaintext. Or they hand over keys.
Every US corporation is an arm of the NSA, except for those that follow Lavabit and choose to shut down rather than cooperate.
Coming from a company that puts a pretty god damn small max-size on passwords.
Any company that does that is automatically crap.
Indeed, I thought that was the whole point of MS putting Skype on the NSA PRISM program.
Principle*
Replace "Microsoft" with the name of any company that suddenly got religion and is now working so hard to protect our privacy. How long did it take Google to finally get around using https and secure logins? A long fucking time, but we can't say anything about Google - because they do nifty shit like flying WiFi balloons in Africa. Meanwhile, Bill Gates is on the ground giving billions to eradicate disease -- something that actually improves peoples' lives in a meaningful way. But we still have to slam Microsoft, because Billy boy and his minions are so evil.
None of the major IT companies gave a rats ass about user privacy until Snowden leaked his information. FFS -- enough with the slamming Microsoft shit already, the 90's have been over for a long time now. Go back to trolling on The Verge or Apple Insider.
Every time I create a word document, I feel the need to jazz it up a bit.
Instead of:
2013-12-5_FinancialReport.docx
Perhaps:
2013-12-5_FinancialReport-PlanToKillThousands.docx
2013-12-5_FinancialReport-3StepGuideToBombMaking.docx
2013-12-5_FinancialReport-RapingTheInnocent.docx
2013-12-5_FinancialReport-BioweaponryForDummies.docx
2013-12-5_FinancialReport-JihadForAll.docx
2013-12-5_FinancialReport-MassShootingSpreesAreTheyForYou.docx
2013-12-5_FinancialReport-MapsOfUSMilitaryInstallations.docx
2013-12-5_FinancialReport-DirtyBombDiagrams.docx
Personally I'd just show the tape of the fucking. Break the person. Don't bother fighting.
I use an 80-year-old monk with a photographic memory to store my password. He does not feel pain. He does not feel greed. He will only quietly unlock what I need unlocked.
But with Google and other tech firms making a lot of noise about encrypting their respective services, Microsoft has little choice but to join them in introducing new privacy initiatives.
It's clear that the only reason we have privacy at all is because there's a market demand for it.
Governments are now flamboyantly demonstrating that they have no interest in providing us with privacy.
And the commercial sector clearly has no interest in providing us with privacy except if they can make a profit from doing so.
If you feel that you have (or deserve) a "right" to privacy, it's obvious that those in power strongly disagree with you.
I have been living in the flood of post-Snowden NSA hysteria for a few months now, just like everyone else. Unfortunately, instead of actually forcing change and reining in these subversive and sweeping data pirates, the consumer-humping media at large - and a tragically vast number of Apple fanboys and Google drones - seem content to sensationalize every supposition and rumor in the most slanted excuse for journalism seen in years.
Apple does X that is bad (like, oh..say, routing ALL of your data through their own servers now, even to back up your iDevice on your own network target):
"Gee, they have made that SO much more convenient and reliable for all of us. Best thing EV-ER.. well.. ever since the phones that you couldn't hold in your hand AND talk on at the same time - but that wasn't a design flaw, it was fashion. Praise Jobs!"
Google drops 40% of its previously Free and unbound services over the last five years, sneaks full-time location data monitoring into the latest Android bake, and wants ALL your Base to belong to Them, forcing you to sign into any service they've "acquired" using their One-Login-to-Rule-Them-All:
"But their motto...? They wouldn't do anything bad, would they? It's for our own good and convenience. Google is here to SAVE us!"
Yahoo decides to start encrypting (sometime over the next 2 years) AFTER being around for ever and a day. And apparently not worrying much about the security of their Users' data for a decade or two. Nice google-clone interface and new logo though:
"Yahoo is taking great strides to make sure those NSA baddies are foiled from here on out..er..from whenever we get the encryption implemented.. or something like that. Yay Yahoo!"
Facebook security..
Do I really even need to go there? And yet millions of idiots have compromised what security many other services HAD, just for the convenience of using Facebook Login to access EVERYTHING.
"Yay, so easy! And look - my dead grandpa is in my targeted ad for shoe spray!"
Microsoft issues a press release to say "Hey, we may have been compromised at some point. There's no way to tell, so here's what we're doing about it."
"That Microsoft! They is the devil! Ohhh, if only Jobs were here to save the day!. Evil! Bad Microsoft! And that Gates guy giving away billions is just showing off to cover his tracks! Mnyah!"
Yes: Microsoft admits they may have been tapped at some points in their infrastructure. Considering the fact that it seems Everyone has been - knowingly or unknowingly - it would be dumb to deny it. And I'm NOT being pro-Microsoft (or pro-anything) here when I say that while Apple, Yahoo, Facebook, Twitter, the Google empire, etc are ALL in the same damn boat, yet when THEY admit they hadn't encrypted all their lines they are praised as saviors of the Internet. Why? Because they are NOW beginning the same total encryption process that Microsoft is as well.
Wake up: They are ALL businesses, NONE of them got to where they are without stepping on a few necks, and if the NSA says so they will ALL bend over and smile while they share the keys to your now-encrypted data.
The reason I'm taking the time to vent my spleen on this subject is simply this:
ALL of these companies do great things and rotten things. Always have, always will. None of them will fight the government - outside of peppy soundbites that mean nothing, except to appease the masses.
Take the products and services you like from each, but have no illusions about ANY of them having the moral high ground.
Use your own judgment, prudence, and assume that They are All "in on it" :) Cause they probably are - or not - to whatever extent it facilitates separating You from your cash. End of story.
And it would be nice if, at least SOME of the time, the so-called Tech media would actually report on facts equally, fairly, and unbiased. Wouldn't it be nice if we skipped the yellow digital journalism, the brand-waving sponsored opinions of every self-proclaimed "Gadget Guy Reporter", and simply made informed decisions about what works best for each of us?
Oh wait. That would require effort and thought...
I love it when Apple and Google sheep declare that anyone who says Microsoft might not be the devil is an Apologist. LOL
They'll gladly give their Chosen Brand their data, their personal information, and their firstborn - no matter what suspect thing that company has done in the past or lately, but if someone doesn't vilify Microsoft for doing the exact same thing as their own personal Brand Jesus..."You Sir, are a Microsoft Apologist!"
Crazy.
Where oh where is the source tree.
Look, this is dumb.
Why don't they throw up their hands, and say: "In all honesty people, we're fucked as much as you are. Let's work together, in openness, to solve the problem at its root".
Bill Gates hardly attempts to hide his agendas, but relies on the fact that YOU, the sheeple, get almost everything you THINK you know from mainstream media sources.
Did you know that Bill Gates personally partnered with Rupert (Fox News) Murdoch to create the 'inBloom' (corporate name chosen because of paedophile slang referring to under-age victims since before Victorian times) FULL SURVEILLANCE child database, designed to track every single aspect of every child's life in the USA, including sexual development. Did you know that Gates has a program of extra payments to teachers who offer to enter special 'sensitive' data about children they observe and monitor during school-time? Why is the deplorable inBloom system never mentioned here? Need I even ask.
Gates' involvement with 'Common Core' gets a little more public coverage, but the concept of "he who controls the education of children owns their minds as adults" as famously espoused by Jesuits and Hitler, to name but two atrocities, is ignored.
No, for most of you, the daily significance of Bill Gates' sickening initiatives is when back-doors specifically programmed into Windows for the use of the NSA hit the 'wild', causing incredible amounts of inconvenience and expense for ordinary users and businesses. Certain programming practices are forbidden in Microsoft's core products, because they would gradually reduce the possibilities (and usefulness) of the methods used to insert NSA back-doors in the code. Yes, Microsoft keeps its coding practices purposely crappy for 'plausible deniability' reasons. Just as the locks ordinary people have access to on the market are all trivial to 'pick', and the home alarm systems from all corporations have easily activated by-passes. Your masters do NOT care about your needs for security- they only care about the ease with which they can side-step the security measures taken by any target.
Of course, Microsoft has to respond to public disquiet. What is the point of Bill Gates riddling a Microsoft product with NSA systems if no-one buys that product in the first place. Look at all the back-tracking Gates did with his Xbone (originally you had to have an ALWAYS-ON internet connection, and Kinect II had to always be attached to the Xbone and 'calibrated' for ANY Xbone user function to work, including single-player, non-kinect games). Today, Gates rests assured that 99.9% of the morons that bought his vastly inferior console WILL leave it connected to the Internet day and night, and WILL have the NSA Kinect sensor bar permanently connected, and optimally positioned to spy on the room.
Will you or will you not cooperate with the NSA when they demand access?
We need to build mandatory encryption into our network protocols and remove the responsibility for complying with demands to compromise security from corporations and service providers entirely.
After 20 years of not just actively ignoring but openly discouraging all requests for openness, proper security, or basically anything their customers want, they now want to win back some market share.
No, this will not make me go and buy a Surface. I hope their journey to the bottom is extremely painful (trying to gain some attention by making an announcement like this is a good sign of that) but not too long - the sooner these assholes and every idiot that's ever worked for them are gone, the better computers will be.
Forget about Ballmer, Gates, and the other personalities for a minute. Microsoft is losing badly to Google, Apple, and Amazon right now. And cloud computing threatens to hang a... well, black cloud over the future of a company that's always made most of its money selling software licenses installed on customer property.
But now, the NSA/Snowden revelations have *finally* pushed privacy into the forefront where people are starting to care about it. And guess how Google makes its money... by delivering impressive services, sure, but by trampling over everyone's privacy in the process. And so does Facebook, LinkedIn and Amazon. So does Apple, although they could probably afford not to.
So Microsoft could be reshaped as the most pro-privacy of the top vendors, because Microsoft wants to sell software that customers install in their own data centers, and not rely on a public cloud. Personally, for example, I would rather use a shared spreadsheet that was served off our company's own servers, and not have to log in to Google to use Google Docs.
Respecting customers' privacy - relatively speaking, not talking about getting RMS' seal of approval - could be a strategic opportunity for Microsoft.
It's funny, I'm in Google's corner against MSFT and IBM on patents, in Amazon's corner for consumer-centric innovation, and in Microsoft's corner against Google and Amazon for privacy.
Do I understand the thing right? They encrypt for communication but store the data in plain text on their server? That does not look very efficient to guard against the NSA, especially since MS is part of the PRISM program.
It's really that simple. There are solutions out there which will generally work if you're willing to take the time to actually make the switch. Even the ones which aren't perfect (like Ubuntu) have at least most of the code included available for review. While Ubuntu isn't perfect (see https://fixubuntu.com/) it's still at least a much better solution.
What I think people should remember though is it isn't all about the software. There are hardware-related concerns like the BIOS. These are also proprietary components we should be concerned about. There are very few companies focused on fixing this problem (that of proprietary firmware).
I would suggest looking at fsf.org/ryf and ThinkPenguin for a start. One's a project to certify that hardware respects your freedom and the other is a company focused on releasing hardware that respects your freedom. Sadly there are only two companies thus far that have products which respect one's freedom, although the catalog from ThinkPenguin is pretty large and would entirely or almost entirely pass the ryf process.
The pressure from the International markets is only a smidgen of what MS deserves for helping the NSA all these years starting when they got the pork handouts to port Omnivore away from Unix (Solaris) to MS's systems in 1998, and create Carnivore -- despite everyone else in the military, etc. having POSIX requirements... And despite Linux existing in 1998 if "miniaturization" (PCs) were what they were shooting for. Yeah, MS has been in the thick of this shit for a good while. Snowden's privilege escalation makes a hell of a lot of sense if ECHELON, PRISM, etc are running on Microsoft Windows, eh? If a contractor like Snowden can do it, then state sponsored enemy spies can get at even more.
Oh, MS is going to show the governments the source code so they can be sure that there are no back doors in the compiled code they sell them -- AND UPDATE REMOTELY? Hell, even if they never installed updates and gave them compilers to build the code with they'd be subject to the Ken Thompson Hack. Might as well just write, "Promise there's no backdoors -- Love, Billy and Ballzy" on a post-it note. The code only gives the governments another way to look for exploits.
MS? Openness? What, they'll publish one set of encryption protocols and use a slightly different algorithm? Like when they made their Office document format open?
Screw me once, MS, shame on me. Actively screw me continually for the past two decades? For Shame.
"They who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety and get IE6 instead."
- Benjamin Franklin's Grave Rolling Ghost.
NSA is the biggest $$$$$$ Cash Cow M$ has and will be for at least two decades; write it up.
Did you actually read "the presentation leaked @ cryptome"
4 September 2013
This document is claimed to be a hoax by Hacker News, the page follows.
The original document:
http://cryptome.org/2013/09/computer-forensics-2013-hoax.pdf
The authentic document upon which it is allegedly based:
http://cryptome.org/2013/09/computer-forensics-2012.pdf
For fuck's sake, didn't the presenters' names tip you off? "Detective Stu Pitt and Detective Laughlin Foo"
PS: Oh, and the presentation it was based on is linked from the last slide of the "super-sikret leak" itself, and is a pretty interesting read in itself.