Slashdot Mirror


FSF Responds To Microsoft's Privacy and Encryption Announcement

An anonymous reader writes "Microsoft announced yesterday their plans to encrypt customer data to prevent government snooping. Free Software Foundation executive director John Sullivan questions the logic of trusting non-free software, regardless of promises or even intent. He says, 'Microsoft has made renewed security promises before. In the end, these promises are meaningless. Proprietary software like Windows is fundamentally insecure not because of Microsoft's privacy policies but because its code is hidden from the very users whose interests it is supposed to secure. A lock on your own house to which you do not have the master key is not a security system, it is a jail. ... If the NSA revelations have taught us anything, it is that journalists, governments, schools, advocacy organizations, companies, and individuals, must be using operating systems whose code can be reviewed and modified without Microsoft or any other third party's blessing. When we don't have that, back doors and privacy violations are inevitable.'"

7 of 174 comments

  1. PR Stunt at best by jbmartin6 · · Score: 5, Interesting

    How is encrypting data in motion going to help when they will simply provide the NSA the keys or otherwise provide access to the data? They are just another participant in the 'we never provided direct access' lie; when you simply provide everything on demand, they don't need direct access, nor do they need to decrypt data off the wire.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    1. Re:PR Stunt at best by twocows · · Score: 5, Insightful

      Not just that, but what the FSF spokesman is saying here is essentially right (though I think they could do with a bit less imagery, it makes it seem like they're just pushing their agenda, not that I disagree with it). How are we supposed to verify that Microsoft is even keeping its promise if we don't have access to the source? They could just be paying it lip service and not really doing anything about it. Or, they could be incompetent (MS, incompetent? what a novel idea). Or they might just make a token attempt at getting things "kinda sorta" secure (or at least looking secure). Again, how can we trust that they're following through? If it was free software, there's the capacity for anyone to audit it and make sure it's secure (and if it's not, there are more ways to deal with it than "annoy MS until they fix it").

    2. Re:PR Stunt at best by jbmartin6 · · Score: 5, Insightful

      we are going to do everything we can within current technical and legal bounds to address this for them

      My point is that they are not doing everything they can; they are instead pursuing a cosmetic measure that will make no real difference to what customers are concerned about. How about, for example, providing me with the ability to use my own keys that are never stored on a MS system?

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  2. Re:Who cares? by Chrisq · · Score: 5, Insightful

    Who cares if the software is non-free? That's not even the issue.

    You are correct, the issue is that it must be open source and build-able from source.

  3. Re:Predictable by MikeBabcock · · Score: 5, Insightful

    No, Microsoft *claims* to do something nobody could object to -- you're missing the whole point of the statement.

    If Microsoft told you they were implementing security and it turned out they were using DES with a key hashed from the word 'Scroogled', would you be pleased? What if they're using good encryption but the keys never rotate? What if the keys rotate but they're on a fixed loop of 16 keys? How would you know?

    As an everyday non-programmer, a casual user wouldn't know the difference either way. If however that user is on a fully open source operating system, they at least know that -some- others using that system have had a peek under the hood and still trusted it.

    --
    - Michael T. Babcock (Yes, I blog)
  4. Re:Predictable by Jawnn · · Score: 5, Insightful

    So, Microsoft finally does something no geek could object to...

    I see what you did there. You tried to insert a faulty premise to support your argument. Any geek worth the title understands that any encryption technology that can not be vetted is, by definition, not trustworthy. So this latest PR stunt by Microsoft is just that, a PR stunt.

  5. Silly question by Runaway1956 · · Score: 5, Insightful

    How would I find out, personally, that Linux Mint is sharing keys with the NSA? The likelihood that I would personally discover that secret is somewhere between slim to none. I can't read code well enough, nor am I likely to spend the time necessary to read every line of code in the programs.

    My assurance stems from,

    1. Thousands (at least) of other end users actually do peruse the code, looking for errors, back doors, exploits, etc.

    2. My OS comes from a "trusted source" - one which I personally trust.

    Yes, there is a weakness in there. That weakness is, I have to trust someone. At the same time, there is a strength hidden right beside the weakness. I get to CHOOSE who I trust.

    What, exactly, has convinced you that you can actually trust Microsoft? Has MS invited you to personally examine their code, to satisfy yourself that there are no exploits in their system? No? I didn't think so.

    Linux, on the other hand, invites me to read any or all of their source.

    You choose what you want, I'll choose what I want, thank you very much.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br