Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft's NSA 'Transparency' Push Remains Pretty Opaque

Posted by timothy on from the don't-worry-the-gov't-will-protect-you dept.

Nerval's Lobster writes "Microsoft will encrypt consumer data and make its software code more transparent, in a bid to boost consumer confidence in its security. Microsoft claims that it will now encrypt data flowing through Outlook.com, Office 365, SkyDrive, and Windows Azure. That will include data moving between customers' devices and Microsoft servers, as well as data moving between Microsoft data-centers. The increased-transparency part of Microsoft's new initiative is perhaps the most interesting, considering the company's longstanding advocacy of proprietary software. But Microsoft actually isn't planning on throwing its code open for anyone to examine, as much as that might quell fears about government-designed backdoors and other nefarious programming. Instead, according to its general counsel Brad Smith, "transparency" means "building on our long-standing program that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors." In addition, Microsoft plans on opening a network of "transparency centers" where customers can go to "assure themselves of the integrity of Microsoft's products." That's not exactly the equivalent of volunteers going through TrueCrypt to ensure a lack of NSA backdoors, and it seems questionable whether such moves (vague as they are at this point) on Microsoft's part will assure anyone that it hasn't been compromised by government sources. But with Google and other tech firms making a lot of noise about encrypting their respective services, Microsoft has little choice but to join them in introducing new privacy initiatives."

48 of 90 comments (clear)

  1. so what? by Xicor · · Score: 4, Insightful

    so they encrypt it, giving people a false sense of security, while they give the decryption key to the NSA...

    1. Re:so what? by zlives · · Score: 1

      all legal like so... only option ... do not cloud

    2. Re:so what? by Anonymous Coward · · Score: 5, Interesting

      so they encrypt it, giving people a false sense of security, while they have already given the decryption key to the NSA...

      Fixed. It's a pretty meaningless promise considering what they already do.

      Microsoft has collaborated closely with US intelligence services to allow users' communications to be intercepted, including helping the National Security Agency to circumvent the company's own encryption, according to top-secret documents obtained by the Guardian.

    3. Re:so what? by interkin3tic · · Score: 2

      Not sure why they don't just do what the NSA is doing: change nothing and wait for people to forget about- HEY LOOK! A CELEBRITY DEATH!!!

    4. Re:so what? by mpe · · Score: 1

      so they encrypt it, giving people a false sense of security, while they give the decryption key to the NSA...

      Or the NSA has checked the software to ensure that they already know/don't need that key.

    5. Re:so what? by Anonymous Coward · · Score: 3, Insightful

      This. Who cares what they claim to do with encryption if they willingly co-operate with NSA giving everything away anyway.

      As long as US Govt. considers every non-US person a perfectly legit target for any and all NSA surveillance (for any reason or for no reason), "cloud companies" in the US have a really really really bad problem.

      At the same time NSA seems to be working hard to downplay any snooping of US persons (since they cannot legally justify that) and hey, that makes sense. Only way anyone could put a stop to NSA antics would be a major seismic shift in US politics - not going to happen, but why risk it, especially if the main point of these mass captures of all network traffic are non-US persons anyway.

      Let's see how many years it will take until Google, Amazon and Microsoft realize how much this crap does damage to their business overseas.

  2. Re:HAHAHHAHAHAHA by zlives · · Score: 2

    actually where pretend tries rank... this is not a nice one at all.

  3. Morons and Oxymorons by jkrise · · Score: 4, Insightful

    Anyone who trusts Microsoft is a moron.
    Microsoft Transparency is an Oxymoron; unless we are talking about Aero Glass transparency.

    --
    If you keep throwing chairs, one day you'll break windows....
    1. Re:Morons and Oxymorons by BringsApples · · Score: 1

      I trust Microsoft, but for reasons that you overlooked. I trust that they'll continuously change their products in a way that requires everyone that runs a business, that uses computers, to have an IT guy. That's me trusting that I'll always have a work load, being self employed.

      But yeah, if you trust that Microsoft will 'help' you 'stay silent' from the NSA, then you should read this. Because in reality, the NSA 'helped' Microsoft build Windows 7.

      --
      Politics; n. : A religion whereby man is god.
  4. Whee! by Anonymous Coward · · Score: 1

    Prince Humperdinck: Surrender.
    Westley: You mean you wish to surrender to me? Very well, I accept.

  5. Define "encryption"... by mlts · · Score: 4, Insightful

    Encryption is not a one size fits all solution. I can say that I use encryption for everything because my HDDs use FDE (BitLocker, FileVault, and LUKS.) However, encrypting everything that hits the platters doesn't give any protection against remote attack. Scale that up to the enterprise, and having a low level PowerPath driver encrypt what hits a LUN doesn't matter much if the host machine gets breached.

    While I do have faith that BitLocker and other items are not obviously backdoored, my eyes glaze over when companies say that they will just encrypt stuff, all problems over.

    Encryption just makes the amount of sensitive data move from the data to how keys are stored, and attackers will just start hitting the key management system, either bribing/coercing an admin, or use basic social engineering techniques to get access to stored keys.

    Even hardware key storage devices are not 100%. One can always hack a user account on one of those to sign/decrypt data even without access to the key material itself.

    Encryption is just one piece. It can be equated to use of a safe. However, safecrackers tend to care less about the safe itself than the lock on the safe, and the key management is what makes or breaks security.

    1. Re:Define "encryption"... by Anonymous Coward · · Score: 1

      Bitlocker is a Microsoft product. It has backdoors.

    2. Re:Define "encryption"... by Anonymous Coward · · Score: 1

      [Citation Needed.]

    3. Re:Define "encryption"... by mpe · · Score: 1

      Encryption is not a one size fits all solution. I can say that I use encryption for everything because my HDDs use FDE (BitLocker, FileVault, and LUKS.) However, encrypting everything that hits the platters doesn't give any protection against remote attack.

      Note that "cloud storage" along with "file sharing" can be a method of defeating filesystem encryption. Especially if the communication is itself encrypted so you can't easily tell what is being synchronised/shared.

    4. Re:Define "encryption"... by mpe · · Score: 2

      Bitlocker is a Microsoft product. It has backdoors.

      Historically propriatary software tends to be rather poor when it comes to cryptography. Cryptography is hard to get right, since even apparently trivial changes can have huge effects on the security of the code. Any requirement for "backdoors" is likely to make things even harder.

    5. Re:Define "encryption"... by mlts · · Score: 2

      I get the not-so-fresh feeling being devil's advocate here, but (and this is opinion here, so take it, leave it, or just laugh at it) BitLocker is something that MS did seem to make a decent effort at getting right.

      Unlike TrueCrypt, BitLocker is written not just for security, but for enterprise recoverability, so come e-Discovery time, one can recover the data on a laptop after an employee left.

      If MS did drop the ball with BitLocker, they would be in a world of hurt. There are many laptops lost out there, and having an encrypted HDD [1] is the difference between writing off some inventory shrinkage versus a major public disaster, with civil, regulatory, and perhaps criminal consequences. So, BitLocker is something that had major security issues, there will be big businesses wanting their pound of flesh, not just users.

      (Of course, after I write this, watch one of the next /. articles be about a backdoor found in BDE completely making what I stated irrelevant.)

      [1]: Of course, there are varying degrees of encryption. Having the recovery key for BitLocker stored someplace insecure is just as bad as having the TrueCrypt recovery CD with its password stored in a bad location. This is why BitLocker keys often wind up stored in AD... if AD gets compromised, the jig is up in the enterprise anyway.

    6. Re:Define "encryption"... by ozmanjusri · · Score: 1

      [Citation Needed.]

      Major data encryption software like TrueCrypt, Microsoft BitLocker, FileVault, BestCrypt etc have backdoors which allows access to data without the key.

      This was disclosed as per a presentation leaked @ http://cryptome.org/ which was given by Detective Michael Smith. Computer Crimes & Computer Forensics, Linn County Sheriff’s Office.

      Although NCMEC (National Center for Missing and Exploited Children) says that they use it for detecting child pornography but the discloser itself is sufficient to raise doubts on NSA-corporate bond again

      http://hackingly.org/nsa/backdoor-in-truecrypt-bitlocker-filevault-281.html

      --
      "I've got more toys than Teruhisa Kitahara."
  6. In other words Microsoft's "transparency" ends by RLiegh · · Score: 3, Insightful

    ...where NSA contracts begin. Much to the surprise of absolutely no-one at all.

  7. What are people expecting? by PhrostyMcByte · · Score: 3, Interesting

    Short of encrypting data before it hits the server, using a private key that is managed only by the user, there really isn't anything these big companies can do to improve your security.

    Protecting data in transport? HTTPS's key management is compromised so that's not going to protect against the NSA. Are they going to overhaul that system?

  8. Does it also build synergy with best-practices? by TWiTfan · · Score: 2

    building on our long-standing program that provides government customers with an appropriate ability to review our source code

    Well, of course, we wouldn't expect you to allow anyone in with an inappropriate ability to review your source code.

    --
    The cow says "Moo." The dog says "Woof." The Timothy says "Thanks, valued customer. We appreciate your input."
  9. Re:Too Late by RLiegh · · Score: 2

    Who do you imagine are their customers, and what is it that you imagine that they're selling?
    You're probably wrong on both counts.

  10. They still exist? by JustNiz · · Score: 1, Interesting

    >> it seems questionable whether such moves (vague as they are at this point) on Microsoft's part will assure anyone that it hasn't been compromised by government sources

    I'm genuinely surprised that apparently some people still exist that think Microsoft might actually not be providing the government with backdoors and feeds of everything that goes anywhere near their products and/or servers.

    1. Re:They still exist? by cavreader · · Score: 3, Informative

      Nobody has ever shown any detailed proof of government backdoors in their products. But hey facts really have nothing to do with today's shallow thinking.

    2. Re:They still exist? by cavreader · · Score: 1

      I really hope you are joking. How do you prove a negative? "We can't find something therefore it must exist!".

    3. Re:They still exist? by chihowa · · Score: 1

      The absence of evidence of wrongdoing isn't evidence of the absence of wrongdoing.

      Even the credible belief of a backdoor in a closed source security program should be taken seriously.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    4. Re:They still exist? by JustNiz · · Score: 1

      In this case it would be easy.
      Microsoft could just open up ALL their source code to the EFF instead of only allowing the government to see it. They must already realise that asking the gov to check for backdoors is like asking the fox to guard the hen house.
      The government are probably interested in the code but just to confirm that their backdoors are actually still in place, and to maybe add some more.

  11. Sorry, not quite good enough by Alain+Williams · · Score: 2

    Saying that it is encrypted is one thing, but a whole lot more is needed to be confident in security. What if the encyption algorithms have problems, or the key generation produces an effective length of less than 2048, etc, etc.

    Microsoft would be really smart if it released its security related code under some ''you can view this and try to break it but cannot sell/... license''. This need not be incompatible with keeping the rest of its code base proprietary. It would really boost confidence if people could independently rebuild the security DLLs. On the other hand if Microsoft does not do this we need to ask the question: what has it got to hide ?

  12. Re:Given that... by Anonymous Coward · · Score: 1, Insightful

    ....given that Microsoft isn't going to open their source to the world, this seems a reasonable step from them.

    Spoken like a true Microsoft apologist. Here let me put it into perspective for you, since you couldn't be bothered to read TFA summary:

    "transparency" means "building on our long-standing program that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors."

    So "government customers" can "review" the source code. Not you or me or the rest of the world. Not that "government customers" care, or have the manpower and technical skills to actually hunt through a big messy blob of source code to find back doors. The only government customers capable of knowing what a back door looks like are the government customers who ordered it put there.

    This is all spin speak for "we're doing absolutely nothing but claiming that we are".

    But hey, feel free to consider this a reasonable step from Microsoft. Such is /.

  13. Microsoft vs NSA by bob_super · · Score: 1

    If only "embrace, extend, extinguish" worked on the NSA, Microsoft would get some serious Karma points.

  14. Re:So whats the point? by LordThyGod · · Score: 1

    So if Microsoft does not really belive in transparency/privacy...whats the point of all this initiatives?

    Secret World Domination Agenda?

    Its called follow the leader. See what the leaders in your industry are doing, and to not look like a boob, you do your own variation so people think you know how to play the game. Its a perception thing only, which only needs to work for a certain uninformed market segment (IE their customers).

  15. Score:5, Informative by Anonymous Coward · · Score: 1, Informative

    http://en.wikipedia.org/wiki/NSAKEY

    1. Re:Score:5, Informative by SpaceLifeForm · · Score: 1, Troll
      Exactly. This is a PR move to make it appear as though they are not in the same bed together.

      Imagine if they had NOT announced these (late) changes.
      After a while, people would observe what is going on:
      "Hey, Microsoft is not doing what Google and Yahoo did, I wonder why? "

      Microsoft *had* to do this in order to try to hide their real colours.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
  16. In any organization as large as Microsoft ... by serutan · · Score: 1

    ... even achieving transparency between departments is difficult. When I used to work there you should have seen what we went through to get code from other teams. In spite of the fact that the company rewards cross-group collaboration (which was the main reason we were doing it).

  17. Wan't MS enthusiastically supporting the NSA? by Anonymous Coward · · Score: 1

    I seem to remember that was the case.

  18. America's corporate managers spineless wussies... by gestalt_n_pepper · · Score: 1

    ...who wouldn't know a principal if it bit them in the ass and sang "Yankee Doodle." They will bend over with a smile the moment any government agency wants them to do anything and ask if they'd like anything else. Encryption. Feh. All PR, smoke and mirrors. This is an attempt to change public perception. Nothing more.

    --
    Please do not read this sig. Thank you.
  19. What's the point? by roca · · Score: 1

    The moment they receive a National Security Letter, the backdoor is added and pushed out in a regular software update. Or, on the server side, they add a tap anywhere they touch plaintext. Or they hand over keys.

    Every US corporation is an arm of the NSA, except for those that follow Lavabit and choose to shut down rather than cooperate.

  20. Only Microsoft? by PrimeNumber · · Score: 2

    Replace "Microsoft" with the name of any company that suddenly got religion and is now working so hard to protect our privacy. How long did it take Google to finally get around using https and secure logins? A long fucking time, but we can't say anything about Google - because they do nifty shit like flying WiFi balloons in Africa. Meanwhile, Bill Gates is on the ground giving billions to eradicate disease -- something that actually improves peoples' lives in a meaningful way. But we still have to slam Microsoft, because Billy boy and his minions are so evil.

    None of the major IT companies gave a rats ass about user privacy until Snowden leaked his information. FFS -- enough with the slamming Microsoft shit already, the 90's have been over for a long time now. Go back to trolling on The Verge or Apple Insider.

    1. Re:Only Microsoft? by genner · · Score: 2

      Replace "Microsoft" with the name of any company that suddenly got religion and is now working so hard to protect our privacy. How long did it take Google to finally get around using https and secure logins? A long fucking time, but we can't say anything about Google - because they do nifty shit like flying WiFi balloons in Africa. Meanwhile, Bill Gates is on the ground giving billions to eradicate disease -- something that actually improves peoples' lives in a meaningful way. But we still have to slam Microsoft, because Billy boy and his minions are so evil.

      None of the major IT companies gave a rats ass about user privacy until Snowden leaked his information. FFS -- enough with the slamming Microsoft shit already, the 90's have been over for a long time now. Go back to trolling on The Verge or Apple Insider.

      Who is Bill Gates again? Oh right he';s the guy who doesn't run Microsoft.
      Remind me how many people Ballmer helped?

    2. Re:Only Microsoft? by swillden · · Score: 1

      How long did it take Google to finally get around using https and secure logins? A long fucking time

      You don't know what you're talking about.

      Google provided the option for SSL on all Google services back in 2008. At that point in time it was considered infeasible for large web services to do always-on SSL, because it would increase the load too much; SSL was only used for login pages, pages where financial information was entered, etc. In 2010 Google turned it on by default for all users for Gmail and other key services, long before any other major webmail providers did. In 2011 they turned it on by default for everything, including search. Google did this long before any of the other big web companies... heck Yahoo and Bing still don't use SSL for search.

      Google was also the first major web service to provide two-factor authentication, in 2010. Yahoo didn't do it until 2012, and Microsoft didn't offer it for Outlook until little more than six months ago. AFAIK, Google is still the only major webmail provider to offer and use secure SMTP when communicating with other mail servers. Most SMTP traffic to and from Google is unencrypted, but only because the other end won't do encryption.

      Google also designed SPDY without any unencrypted mode at all. The W3C committee standardizing SPDY as HTTP/2.0 is struggling a little bit with that, though it appears they're going to accept it as encrypted-only. Google's next-gen web protocol, QUIC, not only doesn't have a unencrypted mode, but encryption is baked so deeply into the protocol that when it gets to standardization there will be no question about removing it... you'd have to completely redesign the protocol.

      Google has been serious about encrypting everything for a long time and has consistently led the industry.

      Bill Gates is on the ground giving billions to eradicate disease -- something that actually improves peoples' lives in a meaningful way

      The work of the Gates foundation is fantastic, I completely agree. However, I disagree that providing universal access to useful information, which is Google's stated mission, doesn't "improve peoples' lives in a meaningful way". In fact, I'd say that universal Internet access is one of the most powerful tools we can offer the developing world, enabling them access to the information needed to lift themselves out of poverty and corruption. Of course, Internet access doesn't help when you're dying of malaria, so eradicating, or at least suppressing, disease is critical.

      None of the major IT companies gave a rats ass about user privacy until Snowden leaked his information.

      You can debate about whether or not they would have without it (I argue they would), but Google has had to care seriously about user privacy for years now, because privacy assurance, including annual privacy audits performed by a third-party auditor, are required by the FTC consent decree. If there's any hint that some design or implementation detail threatens to expose user data, or even put it where it shouldn't be, the privacy team comes down with both feet until it's fixed. I really think that would be the case even without the consent decree, though because of it the privacy team is supervised by legal which undoubtedly gives it even more clout than it would have otherwise.

      I realize that /. groupthink paints Google as an enemy of privacy, because the bulk of its business model is based on targeted advertising which means that Google's users give Google permission to learn about them and target ads to them (unless they opt out), but I doubt there are any companies of substantial size that care more or work harder to protect user privacy, precisely because Google's business model places it in such a precarious position. If there were ever any leaks of user data from Google, or if there were any reports of Google employees misusing user data, it would severely damage the company.

      (Disclaimer: I'm a Google engineer. I work on the security infrastructure, which is related to but not the same as the privacy infrastructure.)

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Only Microsoft? by swillden · · Score: 1

      heck Yahoo and Bing still don't use SSL for search

      Out of curiosity I just went and tried it. Not only do they not use SSL by default, but you can't use SSL at all for searches on either site. Yahoo will serve the home page via HTTPS, but trying to search from it gives you first a big error message from your browser due to a certificate name mismatch, and if you click through that you get a 403. If you try to go to http://www.bing.com/ you get a blank page.

      I didn't try either site while logged in, so it's possible that you can do secure searches if you have an account.

      My understanding with Google was that it was always SSL for all logged-in searches, but that logged-out users could still use via HTTP. At some point that appears to have changed, because signed in or signed out, regardless of browser, any attempt to go to google.com via HTTP gets redirected to HTTPS. If you construct a query like http://www.google.com/search?q=foo you can force Google to receive your query terms over HTTP, but it still immediately redirects to HTTPS rather than returning any data. I suppose if you used a browser that indicated it could not handle HTTPS, Google would probably allow you to do searches over HTTP.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  21. Re:Microsoft Encryption. by mlts · · Score: 1

    127 characters is low?

    It used to be 16 characters, but that was back in the days of Windows 98, and NT 4.0 service pack 6a, well before AD forests and trees were in common use.

  22. Ancient Password Storage Secret by Anonymous Coward · · Score: 2, Interesting

    I use an 80-year-old monk with a photographic memory to store my password. He does not feel pain. He does not feel greed. He will only quietly unlock what I need unlocked.

    1. Re:Ancient Password Storage Secret by Anonymous Coward · · Score: 1

      Ever read Freedom(TM)? A mercenary is put in an fMRI scanner and has intelligence extracted from him even though he remains completely silent. They just ask a serious of questions and narrow down the answer. "Does your name begin with the letter A? B? C? D?..." Try as he might, he can't help but produce measurable brain responses when he sees information he knows to be correct and eventually reveals all his personal details and for whom he works.

  23. The Story of The Source Tree and the Root by Mister+Liberty · · Score: 1

    Where oh where is the source tree.
    Look, this is dumb.

    Why don't they through up their hands, and say: "In all honesty people, we're fucked as much
    as you are. Let's work together, in openness, to solve the problem at its root".

  24. There Is Only One Question For Any Company by Anonymous Coward · · Score: 1

    Will you or will you not cooperate with the NSA when they demand access?

    We need to build mandatory encryption into our network protocols and remove the responsibility for complying with demands to compromise security from corporations and service providers entirely.

  25. Only for communications? by manu0601 · · Score: 1

    Do I understand the thing right? They encrypt for communication but store the data in plain text on their server? That does not look very efficient to guard against the NSA, especially since MS is part of the PRISM program.

  26. Feeling the pressure. by VortexCortex · · Score: 1

    The pressure from the International markets is only a smidgen of what MS deserves for helping the NSA all theses years starting when they got the pork handouts to port Omnivore away from Unix (Solaris) to MS's systems in 1998, and create Carnivore -- despite everyone else in the military, etc. having POSIX requirements... And despite Linux existing in 1998 if "miniaturization" (PCs) were what they were shooting for. Yeah, MS has been in the thick of this shit for a good while. Snowden's privilege escalation makes a hell of a lot of sense if ECHELON, PRISM, etc are running on Microsoft Windows, eh? If a contractor like Snowden can do it, then state sponsored enemy spies can get at even more.

    Oh, MS is going to show the governments the source code so they can be sure that there are no back doors in the compiled code they sell them -- AND UPDATE REMOTELY? Hell, even if they never installed updates and gave them compilers to build the code with they'd be subject to the Ken Thompson Hack. Might as well just write, "Promise there's no backdoors -- Love, Billy and Ballzy" on a post-it note. The code only gives the governments another way to look for exploits.

    MS? Openness? What, they'll publish one set of encryption protocols and use a slightly different algorithm? Like when they made their Office document format open?

    Screw me once, MS, shame on me. Actively screw me continually for the past two decades? For Shame.

    "They who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety and get IE6 instead."
    - Benjamin Franklin's Grave Rolling Ghost.

  27. Re:Transparency Centers? by Bosconian · · Score: 1

    Cute - I was thinking something more along the lines of:

    "Hello, and welcome to Microsoft Software Security Assurance Enterprise, Small Business, Government, and Education Transparency Center number 6!

    You'll notice that there's a beautiful and fluid whiteboard set up over here to the right. These lines represent our data flow between all of our convenient and secure value-adding services to our customers, and these dots with arrows pointing to an unlabeled blue box are transfer nodes, which Microsoft has decided are not applicable to this Transparency Center presentation.

    Now, if you'll look directly in front of you, there's a window that you're free to gaze through to observe Microsoft's server operations for a period of 32 minutes. Please don't touch the glass, and thank you for visiting Microsoft Transparency Center, or as we on the the Security Assurance team lovingly refer to it, 'MSTC6.' Please visit us again soon, and don't forget to accept a complimentary Microsoft gift bag including some enticing software discounts!"

    --
    Scarce, scared, scarred, sacred... -Col. Bruce Hampton