Slashdot Mirror


Microsoft's NSA 'Transparency' Push Remains Pretty Opaque

Nerval's Lobster writes "Microsoft will encrypt consumer data and make its software code more transparent, in a bid to boost consumer confidence in its security. Microsoft claims that it will now encrypt data flowing through Outlook.com, Office 365, SkyDrive, and Windows Azure. That will include data moving between customers' devices and Microsoft servers, as well as data moving between Microsoft data-centers. The increased-transparency part of Microsoft's new initiative is perhaps the most interesting, considering the company's longstanding advocacy of proprietary software. But Microsoft actually isn't planning on throwing its code open for anyone to examine, as much as that might quell fears about government-designed backdoors and other nefarious programming. Instead, according to its general counsel Brad Smith, "transparency" means "building on our long-standing program that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors." In addition, Microsoft plans on opening a network of "transparency centers" where customers can go to "assure themselves of the integrity of Microsoft's products." That's not exactly the equivalent of volunteers going through TrueCrypt to ensure a lack of NSA backdoors, and it seems questionable whether such moves (vague as they are at this point) on Microsoft's part will assure anyone that it hasn't been compromised by government sources. But with Google and other tech firms making a lot of noise about encrypting their respective services, Microsoft has little choice but to join them in introducing new privacy initiatives."

8 of 90 comments

  1. so what? by Xicor · · Score: 4, Insightful

    so they encrypt it, giving people a false sense of security, while they give the decryption key to the NSA...

    1. Re:so what? by Anonymous Coward · · Score: 5, Interesting

      so they encrypt it, giving people a false sense of security, while they have already given the decryption key to the NSA...

      Fixed. It's a pretty meaningless promise considering what they already do.

      Microsoft has collaborated closely with US intelligence services to allow users' communications to be intercepted, including helping the National Security Agency to circumvent the company's own encryption, according to top-secret documents obtained by the Guardian.

    2. Re:so what? by Anonymous Coward · · Score: 3, Insightful

      This. Who cares what they claim to do with encryption if they willingly co-operate with NSA, giving everything away anyway?

      As long as US Govt. considers every non-US person a perfectly legit target for any and all NSA surveillance (for any reason or for no reason), "cloud companies" in the US have a really really really bad problem.

      At the same time NSA seems to be working hard to downplay any snooping of US persons (since they cannot legally justify that) and hey, that makes sense. Only way anyone could put a stop to NSA antics would be a major seismic shift in US politics - not going to happen, but why risk it, especially if the main point of these mass captures of all network traffic is non-US persons anyway.

      Let's see how many years it will take until Google, Amazon and Microsoft realize how much this crap does damage to their business overseas.

  2. Morons and Oxymorons by jkrise · · Score: 4, Insightful

    Anyone who trusts Microsoft is a moron.
    Microsoft Transparency is an Oxymoron; unless we are talking about Aero Glass transparency.

    --
    If you keep throwing chairs, one day you'll break windows....

  3. Define "encryption"... by mlts · · Score: 4, Insightful

    Encryption is not a one-size-fits-all solution. I can say that I use encryption for everything because my HDDs use FDE (BitLocker, FileVault, and LUKS). However, encrypting everything that hits the platters doesn't give any protection against remote attack. Scale that up to the enterprise, and having a low-level PowerPath driver encrypt what hits a LUN doesn't matter much if the host machine gets breached.

    While I do have faith that BitLocker and other items are not obviously backdoored, my eyes glaze over when companies say that they will just encrypt stuff, all problems over.

    Encryption just makes the amount of sensitive data move from the data to how keys are stored, and attackers will just start hitting the key management system, either bribing/coercing an admin, or using basic social engineering techniques to get access to stored keys.

    Even hardware key storage devices are not 100%. One can always hack a user account on one of those to sign/decrypt data even without access to the key material itself.

    Encryption is just one piece. It can be equated to use of a safe. However, safecrackers tend to care less about the safe itself than the lock on the safe, and the key management is what makes or breaks security.

  4. In other words Microsoft's "transparency" ends by RLiegh · · Score: 3, Insightful

    ...where NSA contracts begin. Much to the surprise of absolutely no-one at all.

  5. What are people expecting? by PhrostyMcByte · · Score: 3, Interesting

    Short of encrypting data before it hits the server, using a private key that is managed only by the user, there really isn't anything these big companies can do to improve your security.

    Protecting data in transport? HTTPS's key management is compromised so that's not going to protect against the NSA. Are they going to overhaul that system?

  6. Re:They still exist? by cavreader · · Score: 3, Informative

    Nobody has ever shown any detailed proof of government backdoors in their products. But hey, facts really have nothing to do with today's shallow thinking.