Slashdot Mirror


Microsoft's NSA 'Transparency' Push Remains Pretty Opaque

Nerval's Lobster writes "Microsoft will encrypt consumer data and make its software code more transparent, in a bid to boost consumer confidence in its security. Microsoft claims that it will now encrypt data flowing through Outlook.com, Office 365, SkyDrive, and Windows Azure. That will include data moving between customers' devices and Microsoft servers, as well as data moving between Microsoft data-centers. The increased-transparency part of Microsoft's new initiative is perhaps the most interesting, considering the company's longstanding advocacy of proprietary software. But Microsoft actually isn't planning on throwing its code open for anyone to examine, as much as that might quell fears about government-designed backdoors and other nefarious programming. Instead, according to its general counsel Brad Smith, "transparency" means "building on our long-standing program that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors." In addition, Microsoft plans on opening a network of "transparency centers" where customers can go to "assure themselves of the integrity of Microsoft's products." That's not exactly the equivalent of volunteers going through TrueCrypt to ensure a lack of NSA backdoors, and it seems questionable whether such moves (vague as they are at this point) on Microsoft's part will assure anyone that it hasn't been compromised by government sources. But with Google and other tech firms making a lot of noise about encrypting their respective services, Microsoft has little choice but to join them in introducing new privacy initiatives."

18 of 90 comments

  1. so what? by Xicor · Score: 4, Insightful

    so they encrypt it, giving people a false sense of security, while they give the decryption key to the NSA...

    1. Re:so what? by Anonymous Coward · Score: 5, Interesting

      so they encrypt it, giving people a false sense of security, while they have already given the decryption key to the NSA...

      Fixed. It's a pretty meaningless promise considering what they already do.

      Microsoft has collaborated closely with US intelligence services to allow users' communications to be intercepted, including helping the National Security Agency to circumvent the company's own encryption, according to top-secret documents obtained by the Guardian.

    2. Re:so what? by interkin3tic · Score: 2

      Not sure why they don't just do what the NSA is doing: change nothing and wait for people to forget about- HEY LOOK! A CELEBRITY DEATH!!!

    3. Re:so what? by Anonymous Coward · Score: 3, Insightful

      This. Who cares what they claim to do with encryption if they willingly co-operate with NSA giving everything away anyway.

      As long as US Govt. considers every non-US person a perfectly legit target for any and all NSA surveillance (for any reason or for no reason), "cloud companies" in the US have a really really really bad problem.

      At the same time NSA seems to be working hard to downplay any snooping of US persons (since they cannot legally justify that) and hey, that makes sense. Only way anyone could put a stop to NSA antics would be a major seismic shift in US politics - not going to happen, but why risk it, especially if the main point of these mass captures of all network traffic are non-US persons anyway.

      Let's see how many years it will take until Google, Amazon and Microsoft realize how much this crap does damage to their business overseas.

  2. Re:HAHAHHAHAHAHA by zlives · Score: 2

    actually where pretend tries rank... this is not a nice one at all.

  3. Morons and Oxymorons by jkrise · Score: 4, Insightful

    Anyone who trusts Microsoft is a moron.
    Microsoft Transparency is an Oxymoron; unless we are talking about Aero Glass transparency.

    --
    If you keep throwing chairs, one day you'll break windows....

  4. Define "encryption"... by mlts · Score: 4, Insightful

    Encryption is not a one size fits all solution. I can say that I use encryption for everything because my HDDs use FDE (BitLocker, FileVault, and LUKS.) However, encrypting everything that hits the platters doesn't give any protection against remote attack. Scale that up to the enterprise, and having a low level PowerPath driver encrypt what hits a LUN doesn't matter much if the host machine gets breached.

    While I do have faith that BitLocker and other items are not obviously backdoored, my eyes glaze over when companies say that they will just encrypt stuff, all problems over.

    Encryption just makes the amount of sensitive data move from the data to how keys are stored, and attackers will just start hitting the key management system, either bribing/coercing an admin, or use basic social engineering techniques to get access to stored keys.

    Even hardware key storage devices are not 100%. One can always hack a user account on one of those to sign/decrypt data even without access to the key material itself.

    Encryption is just one piece. It can be equated to use of a safe. However, safecrackers tend to care less about the safe itself than the lock on the safe, and the key management is what makes or breaks security.

    1. Re:Define "encryption"... by mpe · Score: 2

      Bitlocker is a Microsoft product. It has backdoors.

      Historically proprietary software tends to be rather poor when it comes to cryptography. Cryptography is hard to get right, since even apparently trivial changes can have huge effects on the security of the code. Any requirement for "backdoors" is likely to make things even harder.

    2. Re:Define "encryption"... by mlts · Score: 2

      I get the not-so-fresh feeling being devil's advocate here, but (and this is opinion here, so take it, leave it, or just laugh at it) BitLocker is something that MS did seem to make a decent effort at getting right.

      Unlike TrueCrypt, BitLocker is written not just for security, but for enterprise recoverability, so come e-Discovery time, one can recover the data on a laptop after an employee left.

      If MS did drop the ball with BitLocker, they would be in a world of hurt. There are many laptops lost out there, and having an encrypted HDD [1] is the difference between writing off some inventory shrinkage versus a major public disaster, with civil, regulatory, and perhaps criminal consequences. So, if BitLocker had major security issues, there would be big businesses wanting their pound of flesh, not just users.

      (Of course, after I write this, watch one of the next /. articles be about a backdoor found in BDE completely making what I stated irrelevant.)

      [1]: Of course, there are varying degrees of encryption. Having the recovery key for BitLocker stored someplace insecure is just as bad as having the TrueCrypt recovery CD with its password stored in a bad location. This is why BitLocker keys often wind up stored in AD... if AD gets compromised, the jig is up in the enterprise anyway.

  5. In other words Microsoft's "transparency" ends by RLiegh · Score: 3, Insightful

    ...where NSA contracts begin. Much to the surprise of absolutely no-one at all.

  6. What are people expecting? by PhrostyMcByte · Score: 3, Interesting

    Short of encrypting data before it hits the server, using a private key that is managed only by the user, there really isn't anything these big companies can do to improve your security.

    Protecting data in transport? HTTPS's key management is compromised so that's not going to protect against the NSA. Are they going to overhaul that system?
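The design the comment above describes (encrypt before the data reaches the server, with a key only the user holds) and the point made in comment 4 (encryption moves the secret from the data to the key, so key custody is what matters), as an added example that is not part of this thread and not code from Microsoft or any of the services named in the summary. It is a Go program in which the client generates and keeps the key, a hypothetical in-memory `server` map stands in for the provider's object store and only ever receives AES-GCM ciphertext, and the object path is bound in as associated data so the provider cannot serve one user's blob back as a different object without the client noticing. `NewUserKey`, `Seal`, `Open`, `Blob` and the sample document are all invented for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is everything the storage provider sees: a random nonce and the
// AES-GCM ciphertext with its authentication tag. No key material.
type Blob struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewUserKey makes a fresh 256-bit AES key on the client. It never leaves the
// client; a real product would wrap it under a passphrase or hardware token.
func NewUserKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext before upload. The object path is passed as
// additional authenticated data: it is not encrypted, but it is covered by the
// tag, so a blob stored under one path cannot be opened as another object.
func Seal(key, plaintext []byte, path string) (Blob, error) {
	g, err := gcm(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, g.NonceSize()) // 96-bit random nonce, fresh per Seal
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{Nonce: nonce, Ciphertext: g.Seal(nil, nonce, plaintext, []byte(path))}, nil
}

// Open decrypts on the client using the path the client asked for, never a
// path the provider reports. Any change to ciphertext, nonce or path, or a
// wrong key, fails the tag check and yields no plaintext.
func Open(key []byte, path string, b Blob) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	pt, err := g.Open(nil, b.Nonce, b.Ciphertext, []byte(path))
	if err != nil {
		return nil, errors.New("authentication failed: blob altered, path mismatch or wrong key")
	}
	return pt, nil
}

// server stands in for the provider's object store. Breached, subpoenaed or
// coerced, it can only hand over Blobs.
var server = map[string]Blob{}

func main() {
	key, err := NewUserKey()
	if err != nil {
		panic(err)
	}
	q3 := "alice/reports/q3.txt"
	blob, err := Seal(key, []byte("constructed sample document"), q3)
	if err != nil {
		panic(err)
	}
	server[q3] = blob
	fmt.Printf("provider holds %d bytes of ciphertext for %s\n", len(blob.Ciphertext), q3)

	// A dishonest provider answers a request for q2 with the blob stored for q3.
	if _, err := Open(key, "alice/reports/q2.txt", server[q3]); err != nil {
		fmt.Println("client rejects substituted object:", err)
	}

	// Honest retrieval with the user's own key recovers the document.
	pt, err := Open(key, q3, server[q3])
	if err != nil {
		panic(err)
	}
	fmt.Printf("client recovers: %q\n", pt)
}
```

The provider in this model can still delete or withhold data and can still see object sizes, paths and access patterns; what it cannot do is read or silently alter content, which is exactly the property the comment says the large providers cannot deliver while they hold the keys.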

  7. Does it also build synergy with best-practices? by TWiTfan · Score: 2

    building on our long-standing program that provides government customers with an appropriate ability to review our source code

    Well, of course, we wouldn't expect you to allow anyone in with an inappropriate ability to review your source code.

    --
    The cow says "Moo." The dog says "Woof." The Timothy says "Thanks, valued customer. We appreciate your input."

  8. Re:Too Late by RLiegh · Score: 2

    Who do you imagine are their customers, and what is it that you imagine that they're selling?
    You're probably wrong on both counts.

  9. Sorry, not quite good enough by Alain Williams · Score: 2

    Saying that it is encrypted is one thing, but a whole lot more is needed to be confident in security. What if the encryption algorithms have problems, or the key generation produces an effective length of less than 2048, etc, etc.

    Microsoft would be really smart if it released its security related code under some "you can view this and try to break it but cannot sell/... license". This need not be incompatible with keeping the rest of its code base proprietary. It would really boost confidence if people could independently rebuild the security DLLs. On the other hand if Microsoft does not do this we need to ask the question: what has it got to hide?
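The key-length worry in the comment above is one of the few that a customer can check from the outside, so here is that check as an added example, not from this thread or from any Microsoft product: a Go program that parses a DER certificate, reads the RSA modulus length or the ECDSA curve size, and rejects anything below a configured floor. `Fixtures` builds three constructed self-signed certificates (1024-bit RSA, 2048-bit RSA, P-256) so the check can run offline; `CheckCertDER`, `PublicKeyBits` and the subject names are invented for this example. The caveat a practitioner should keep in mind: this catches a key that is declared too short, not a 2048-bit key generated from a weak or backdoored random number generator, which has the full modulus size and far less than 2048 bits of effective strength. Detecting that requires reviewing the generator itself, which is what the comment's call for reviewable source code is about.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PublicKeyBits returns the nominal size of a certificate's public key:
// the RSA modulus length in bits, or the curve size for ECDSA.
func PublicKeyBits(cert *x509.Certificate) (int, error) {
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		return k.N.BitLen(), nil
	case *ecdsa.PublicKey:
		return k.Curve.Params().BitSize, nil
	default:
		return 0, fmt.Errorf("unsupported public key type %T", cert.PublicKey)
	}
}

// CheckCertDER parses a DER certificate and rejects RSA keys shorter than
// minRSABits and EC keys on curves smaller than minECBits. It returns the
// measured size either way so a caller can log what it saw.
func CheckCertDER(der []byte, minRSABits, minECBits int) (int, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return 0, err
	}
	bits, err := PublicKeyBits(cert)
	if err != nil {
		return 0, err
	}
	floor := minECBits
	if _, isRSA := cert.PublicKey.(*rsa.PublicKey); isRSA {
		floor = minRSABits
	}
	if bits < floor {
		return bits, fmt.Errorf("%s: %T key is %d bits, below the %d-bit minimum",
			cert.Subject.CommonName, cert.PublicKey, bits, floor)
	}
	return bits, nil
}

// selfSigned builds a throwaway self-signed certificate for priv. It is a
// constructed fixture standing in for a certificate received from a server.
func selfSigned(cn string, priv crypto.Signer) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
}

// Fixtures returns three constructed certificates: 1024-bit RSA (too short
// by the 2048-bit floor), 2048-bit RSA, and ECDSA P-256.
func Fixtures() (weakRSA, strongRSA, p256 []byte, err error) {
	k1, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		return nil, nil, nil, err
	}
	k2, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	k3, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	if weakRSA, err = selfSigned("weak.example.test", k1); err != nil {
		return nil, nil, nil, err
	}
	if strongRSA, err = selfSigned("strong.example.test", k2); err != nil {
		return nil, nil, nil, err
	}
	if p256, err = selfSigned("ec.example.test", k3); err != nil {
		return nil, nil, nil, err
	}
	return weakRSA, strongRSA, p256, nil
}

func main() {
	weak, strong, ec, err := Fixtures()
	if err != nil {
		panic(err)
	}
	for _, der := range [][]byte{weak, strong, ec} {
		bits, err := CheckCertDER(der, 2048, 256)
		if err != nil {
			fmt.Println("REJECT:", err)
			continue
		}
		fmt.Printf("accept: %d-bit key\n", bits)
	}
}
```

On a live endpoint the same check applies to `tls.ConnectionState().PeerCertificates[0].Raw`, and it should be run against every certificate in the chain, not only the leaf, since a 1024-bit intermediate weakens everything beneath it.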

  10. Only Microsoft? by PrimeNumber · Score: 2

    Replace "Microsoft" with the name of any company that suddenly got religion and is now working so hard to protect our privacy. How long did it take Google to finally get around using https and secure logins? A long fucking time, but we can't say anything about Google - because they do nifty shit like flying WiFi balloons in Africa. Meanwhile, Bill Gates is on the ground giving billions to eradicate disease -- something that actually improves peoples' lives in a meaningful way. But we still have to slam Microsoft, because Billy boy and his minions are so evil.

    None of the major IT companies gave a rats ass about user privacy until Snowden leaked his information. FFS -- enough with the slamming Microsoft shit already, the 90's have been over for a long time now. Go back to trolling on The Verge or Apple Insider.

    1. Re:Only Microsoft? by genner · Score: 2

      Replace "Microsoft" with the name of any company that suddenly got religion and is now working so hard to protect our privacy. How long did it take Google to finally get around using https and secure logins? A long fucking time, but we can't say anything about Google - because they do nifty shit like flying WiFi balloons in Africa. Meanwhile, Bill Gates is on the ground giving billions to eradicate disease -- something that actually improves peoples' lives in a meaningful way. But we still have to slam Microsoft, because Billy boy and his minions are so evil.

      None of the major IT companies gave a rats ass about user privacy until Snowden leaked his information. FFS -- enough with the slamming Microsoft shit already, the 90's have been over for a long time now. Go back to trolling on The Verge or Apple Insider.

      Who is Bill Gates again? Oh right, he's the guy who doesn't run Microsoft.
      Remind me how many people Ballmer helped?

  11. Ancient Password Storage Secret by Anonymous Coward · Score: 2, Interesting

    I use an 80-year-old monk with a photographic memory to store my password. He does not feel pain. He does not feel greed. He will only quietly unlock what I need unlocked.

  12. Re:They still exist? by cavreader · Score: 3, Informative

    Nobody has ever shown any detailed proof of government backdoors in their products. But hey facts really have nothing to do with today's shallow thinking.