Slashdot Mirror


Microsoft Signs Renewed Cybersecurity Agreement With NATO

An anonymous reader writes: Microsoft and NATO have renewed a cybersecurity partnership. The agreement is part of Microsoft's Government Security Program (GSP) which allows worldwide federal bodies controlled access to Microsoft source code. PCWorld reports: "Since its inception, the GSP has grown to encompass a bunch of other types of information, especially over the past few years. With the new agreement, NATO will get controlled online access to source code for key Microsoft products including Windows and Office; information about Microsoft's cloud services, and intelligence about cybersecurity threats."

37 comments

  1. SEE! by Anonymous Coward · · Score: 1

    And that boys and girls is another example of why you should NEVER trust Microsoft or governments.

    1. Re:SEE! by NoZart · · Score: 3, Interesting

      But when I KNOW what an entity does, then I can trust in that and act accordingly.

      It's way worse when some entity does NOT disclose such behaviour.

    2. Re:SEE! by Anonymous Coward · · Score: 3, Insightful

      Governments also have access to Linux source code, so I guess we shouldn't trust Linux either?

    3. Re:SEE! by Chrisq · · Score: 4, Informative

      And that boys and girls is another example of why you should NEVER trust Microsoft or governments.

      I would be interested to see (if not classified) what the NATO recommended settings for Windows are. I have just taken the "free Windows 10" upgrade and took the "detailed" rather than the "quick settings" options and was amazed at the number of different data collection options I had to turn off. I say "had to", the truth is it probably doesn't matter, I dual boot and use Windows two or three times a year to run things like the update for my satnav.

    4. Re:SEE! by Anonymous Coward · · Score: 0

      Oh please.

    5. Re:SEE! by Bert64 · · Score: 3, Informative

      The point is that we also have access to linux source code, so we're all on a level playing field.
      Closed source code is only available to select groups, and is also in the hands of blackhats. Legitimate security researchers have no access to it.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!

    6. Re:SEE! by Anonymous Coward · · Score: 0

      Governments also have access to Linux source code, so I guess we shouldn't trust Linux either?

      The code is open for anyone to see if you have the will and skills. That's how dirty code by the Feds was spotted in BSD and pulled out.
      Tell me, Microsoft shill, can the public see the code in the Windows OS?
      Didn't think so.

      While Linux is far from perfect it is still a better option than Microsoft spyware called Windows 10.

    7. Re:SEE! by Anonymous Coward · · Score: 0

      And that boys and girls is another example of why you should NEVER trust Microsoft or governments.

      NATO became irrelevant the moment the Cold War ended, as further evidenced by new countries allowed to be members, including Al Qaeda-protecting Turkey.

    8. Re:SEE! by Type44Q · · Score: 2

      Legitimate security researchers have no access to it.

      Legitimate security researchers have no legal access to it. FTFY.

    9. Re:SEE! by plcurechax · · Score: 3, Informative

      I would be interested to see (if not classified) what the NATO recommended settings for Windows are.

      The US's NSA (with NIST - US National Institute of Standards and Technology) and Canada's CSE(C) (with the Treasury Board / Public Works) publish guidelines for civilian government security policies and recommendations on their public web sites. I believe other (counter-)intelligence agencies do the same as well.

    10. Re:SEE! by Anonymous Coward · · Score: 0

      Two rules about Windows 10, or previous versions of Windows with the telemetry patches:

      1: Run the version of Windows in a virtual machine. Only things that can't really be virtualized are items that need specialized hardware or games, since Valve will insta-ban (VAC) people using VMs and Sony/Daybreak will do the same. Have network communication from it go to a virtualized NIC on its own vSwitch.

      2: Put a pfSense firewalling router appliance on the same vSwitch as the Windows VM, drop all telemetry hosts, ad sites, behavioral tracking sites, and other wonders of the modern world. There are websites which offer constantly updated IP blacklists for ad sites and malware.

      Now, the Windows VM is fairly well isolated, and one can use the Edge browser fairly safely.

    11. Re:SEE! by frovingslosh · · Score: 1

      Microsoft "security" is a perfect way for any government organization to waste public tax money. Of course, we could use the money to import more Syrian terrorists, but I'm sure that we can find the money somewhere to do that too.

      --
      I'm an American. I love this country and the freedoms that we used to have.

    12. Re:SEE! by Ravaldy · · Score: 1

      Not all data collection has vile intentions. A lot of the data collected is used to understand user behavior or the sequence of events that lead to a failure. Some of the data collection is simply to do with the errors themselves.

      By default they leave it on because they want to improve their OS.

      The good thing is you have an option to opt out.

    13. Re:SEE! by Anonymous Coward · · Score: 0

      I think win XP was the last version that was officially qualified for use by banks in the Netherlands. Now win 7 is more or less allowed, but it didn't qualify, it was just the least bad option, after ending support on win XP.

    14. Re:SEE! by Edis+Krad · · Score: 1

      I can't help but to wonder how many of those switches are nothing but disconnected flickering UI elements.

    15. Re:SEE! by Bert64 · · Score: 1

      That's the whole point, legitimate security researchers don't want to break the law...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!

    16. Re: SEE! by Type44Q · · Score: 1

      No. The law is entirely orthogonal to the matter; an illegitimate security researcher would be looking for vulnerabilities to exploit and a legitimate security researcher would be looking for vulnerabilities to patch.

      "Legitimate" != "legal"

    17. Re: SEE! by Type44Q · · Score: 1

      Unless, that is, you're a koolaid-drinking little sheep with an IQ no higher than 120 or so... ;)

  2. Wait.. by Anonymous Coward · · Score: 1

    They allowed access to their source code and found exploits. Being ethical, they of course tried to fix them...

    And then I woke up... It was just a dream.

    1. Re:Wait.. by Anonymous Coward · · Score: 0

      While you are still asleep:
      NATO really cares about being hacked, so now they have the code, they are working very hard to check/fix it, so after all these years, they can soon start to use Microsoft products.

  3. Another win for Open Source! by Anonymous Coward · · Score: 0

    It's fantastic to see Microsoft opening its source code up to more and more people. This is a win for all of us!

    FOSS FTW!

    1. Re:Another win for Open Source! by Anonymous Coward · · Score: 0

      You jest, but as Snowden has taught us - what the Government knows today, everybody knows tomorrow.

    2. Re:Another win for Open Source! by Gadget_Guy · · Score: 1

      It is hardly new that they share their code. They have had a Shared Source Initiative since 2001 to enable "source code access for customers, partners and educators, by making enterprise systems integrators (SIs) eligible to receive access to Microsoft Windows source code" (Source).

      They already did share their code with partners like Mainsoft, who was the source of the leaked Windows code for NT4 and 2000 that happened in 2004.

      Interestingly, Mainsoft was "one of the main providers for the Microsoft Windows Interface Source Environment (WISE) program, a licensing program from Microsoft which allowed developers to recompile and run Windows-based applications on UNIX and Macintosh platforms." Before WINE there was WISE!

  4. Gubment 0-day's by Anonymous Coward · · Score: 0

    Gotta keep access to the source open for government agencies to find those 0-days!
    It is funny because, since the NSA's mission is to hack other countries only, and since they'll all have the same access too...the only practical use for this is to hack those who don't have access to the source....like say private citizens/companies.

    Fuck you Microsoft. Seriously.

    1. Re: Gubment 0-day's by Anonymous Coward · · Score: 0

      This is so all countries can hack their (and each other's) citizens. Governments would be crazy to actually use Windows on their own servers.

  5. Viewing code means nothing; can they build it ? by Anonymous Coward · · Score: 1

    Viewing the source code means nothing here.

    The critical thing is: can they build that instance of the source code and use it in production ?

    If not, then this is just a PR exercise because you have no way of knowing that your production binaries are built from this instance of the source code.

    1. Re:Viewing code means nothing; can they build it ? by eibhear · · Score: 1

      Spot on.
      Microsoft could prove the value of the programme if it implemented something like the Reproducible Builds project by Debian: https://wiki.debian.org/Reprod...
      'Course, that would probably be an openness too far for them...

    2. Re:Viewing code means nothing; can they build it ? by blackwizard · · Score: 1

      They don't need to build it. They'll be able to analyze it for security issues and keep the 0-day exploits they find to themselves. And they'll get notified in advance when Microsoft spots the same issue, so they'll have time to switch tactics.

  6. Dear NATO: by Type44Q · · Score: 1

    Dear NATO:

    In the interests of keeping our world safe, we hereby promise not to sell you any of our products. We do hope you appreciate the gesture.

    Sincerely yours,

    Microsoft

    1. Re:Dear NATO: by Anonymous Coward · · Score: 0

      They tried, but the NSA wouldn't let them.
      But no worries, things may change sooner than you would expect. Microsoft will keep its desktop monopoly, but most desktops will be a minority, and users are quickly getting used to learning and switching between several operating systems. How many people would have paid for upgrading to Windows 10 if it wasn't free? How many fiscal quarters would it take until all of today's Win 8.1 computers became unusably slow? How many Win XP machines are there remaining that (after Vista, 7 and 8) would suddenly decide they want to upgrade to Win 10? Companies are already experiencing and dealing with tons of incompatible shit, fearmongering about incompatibilities doesn't scare them any more, they now have budgets for that.
      Look up why consumers and companies chose Microsoft products 10 or even 5 years ago, those reasons are not cut in store any more.

  7. Linux lacks in other areas + ANDROID "security" by Anonymous Coward · · Score: 0

    Linux != better if you can't do things on it Windows does like http://yro.slashdot.org/commen...

    For board driver support Windows wins again since board manufacturers/oems have an economic incentive to produce solid working drivers for Windows and probably won't for Linux or other OS as readily due to that.

    This is the MAIN reason why Linux, BSD variants etc. are always in last place in the eyes of the majority of the buying public.

    Android (a Linux) also shows you how insecure other OS are once they've had potshots taken at them since they are most used on a particular platform (Windows rules PC desktops + Servers combined, ANDROID rules the smartphone world afaik as well). Most used = most targeted by malicious online "ne'er-do-wells".

    Now, I am SURE I'm going to hear something about "kernels", right? Kernels are NOT the OS in its entirety - only the core. You need MORE to call it a complete Operating System.

    Android's ONLY BEGINNING (well, for a decade++ now actually & STILL being taken advantage of) to see what Windows has had done to it for decades.

    Nice part of this "bad" thing is that they get stronger for it on the security front @ least. In fact, that's the SINGLE "GOOD" thing hacker/cracker types do - they show where the weaknesses are, & them oem's of various OS + wares shore them up once they're discovered.

    APK

    1. Re:Linux lacks in other areas + ANDROID "security" by Anonymous Coward · · Score: 0

      The actual penetrations are still less than 1% of the installed base.

      Windows? 20% or higher.

  8. Citations/Proofs? apk by Anonymous Coward · · Score: 0

    See subject: What we ALL know is Android (a Linux) gets bushwhacked nearly daily!

    So that said?

    Let's see YOUR "proofs" of your statement from reputable sources, ok?

    Not that they matter - we all see the security news daily, which proves MY point on "Linux security" via ANDROID - Linux has been HIDING BEHIND Security-By-Obscurity/lack of widespread use, until the smartphone... which they HAD to pursue since they lost in the PC desktop + Server market COMBINED.

    FACT (since beancounters REALLY control things in companies):

    ONLY REASON LINUX WAS USED, REALLY, on SmartPhones? It keeps "per unit cost" down on each smartphone - not because it was "better" (it's not - see the results on PC desktops + drivers availability I noted that Windows gets vs. all others...).

    APK

    P.S.=> I notice you won't TOUCH my statements on device driver availability either - "Gosh - why's that?" (not)... apk

  9. Confused by Anonymous Coward · · Score: 0

    Does this mean Microsoft will be able to change settings on updates and have access to all NATO's data?

    Like (from their EULA), "...Microsoft collects and uses various types of data, such as your device location, data from your calendar, the apps you use, data from your emails and text messages, who you call, your contacts and how often you interact with them on your device."

    What kind of security is Microsoft offering?

  10. but can they compile it and use it by Anonymous Coward · · Score: 0

    Otherwise it means crap

  11. Just don't by Anonymous Coward · · Score: 0

    Just don't use Microsoft products for anything critical. Having access to the source code to some version of some Microsoft products is only useful if you want to use the bugs to break into somebody else's system. The fact that it is or isn't a "key" Microsoft product has no meaning, other than it could be considered something critical, and therefore should not be used in the first place.
    Personally, I think Microsoft source code should be locked up miles below ground, and be nuked after each (odd) OS release build completes. Then start from scratch.

  12. the text of the agreement.. by Anonymous Coward · · Score: 0

    "i scratch your back, you scratch mine... and psst. don't tell anyone what we're wearing."