
Microsoft's NSA 'Transparency' Push Remains Pretty Opaque

timothy posted about a year ago | from the don't-worry-the-gov't-will-protect-you dept.

Encryption 90

Nerval's Lobster writes "Microsoft will encrypt consumer data and make its software code more transparent, in a bid to boost consumer confidence in its security. Microsoft claims that it will now encrypt data flowing through Outlook.com, Office 365, SkyDrive, and Windows Azure. That will include data moving between customers' devices and Microsoft servers, as well as data moving between Microsoft data-centers. The increased-transparency part of Microsoft's new initiative is perhaps the most interesting, considering the company's longstanding advocacy of proprietary software. But Microsoft actually isn't planning on throwing its code open for anyone to examine, as much as that might quell fears about government-designed backdoors and other nefarious programming. Instead, according to its general counsel Brad Smith, "transparency" means "building on our long-standing program that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors." In addition, Microsoft plans on opening a network of "transparency centers" where customers can go to "assure themselves of the integrity of Microsoft's products." That's not exactly the equivalent of volunteers going through TrueCrypt to ensure a lack of NSA backdoors, and it seems questionable whether such moves (vague as they are at this point) on Microsoft's part will assure anyone that it hasn't been compromised by government sources. But with Google and other tech firms making a lot of noise about encrypting their respective services, Microsoft has little choice but to join them in introducing new privacy initiatives."


HAHAHHAHAHAHA (-1)

Anonymous Coward | about a year ago | (#45608781)

Nice try Microsoft.

Re:HAHAHHAHAHAHA (2)

zlives (2009072) | about a year ago | (#45608833)

actually where pretend tries rank... this is not a nice one at all.

Re:HAHAHHAHAHAHA (0)

Anonymous Coward | about a year ago | (#45608951)

It is indeed ridiculous... "hey, look at this tape of me sleeping... see, it is ten hours long, look at the timestamp - the date you were out of town. This is proof that I was not fucking your wife all night. Btw, I have this other tape, the date is next week, so don't worry, I'll not be fucking your wife again."

Re:HAHAHHAHAHAHA (0)

Anonymous Coward | about a year ago | (#45612291)

Personally I'd just show the tape of the fucking. Break the person. Don't bother fighting.

so what? (4, Insightful)

Xicor (2738029) | about a year ago | (#45608793)

so they encrypt it, giving people a false sense of security, while they give the decryption key to the NSA...

Re:so what? (1)

zlives (2009072) | about a year ago | (#45608841)

all legal like so... only option ... do not cloud

Re:so what? (5, Interesting)

Anonymous Coward | about a year ago | (#45609013)

so they encrypt it, giving people a false sense of security, while they have already given the decryption key to the NSA...

Fixed. [theguardian.com] It's a pretty meaningless promise considering what they already do.

Microsoft has collaborated closely with US intelligence services to allow users' communications to be intercepted, including helping the National Security Agency to circumvent the company's own encryption, according to top-secret documents obtained by the Guardian.

Re:so what? (-1)

Anonymous Coward | about a year ago | (#45610463)

MS is collaborating not only with US, but also Russian and Chinese governments, and others in spying on their citizens. For that MS gets government contracts and all they need to make Windows dominant. Ever wondered why the poorest countries use Windows instead of free Linux? It's like 99% home users are on MS Windows. Looks illogical, it's not because Windows is cheaper.

Re:so what? (0)

Anonymous Coward | about a year ago | (#45615311)

Looks illogical

yes your conspiracy theory does look illogical, say the governments all use Windows as do their citizens and you really think that the Russians, US and China would be continuing to use Windows knowing it has backdoors that allow foreign governments to spy on them just as you believe they do to their citizens? how fucking stupid are you really? if they knew of and were exploiting backdoors in Windows then they'd all be using Linux you fuckwit.

Re:so what? (0)

Anonymous Coward | about a year ago | (#45615229)

yes according to top secret documents seen by the guardian that nobody else has seen. same old shit, modded insightful because it is anti-microsoft but if it were google or apple people would want proof rather than third hand claims.

Re:so what? (2)

interkin3tic (1469267) | about a year ago | (#45609937)

Not sure why they don't just do what the NSA is doing: change nothing and wait for people to forget about- HEY LOOK! A CELEBRITY DEATH!!!

Re:so what? (1)

mpe (36238) | about a year ago | (#45610145)

so they encrypt it, giving people a false sense of security, while they give the decryption key to the NSA...

Or the NSA has checked the software to ensure that they already know/don't need that key.

Re:so what? (3, Insightful)

Anonymous Coward | about a year ago | (#45610835)

This. Who cares what they claim to do with encryption if they willingly co-operate with NSA giving everything away anyway.

As long as US Govt. considers every non-US person a perfectly legit target for any and all NSA surveillance (for any reason or for no reason), "cloud companies" in the US have a really really really bad problem.

At the same time NSA seems to be working hard to downplay any snooping of US persons (since they cannot legally justify that) and hey, that makes sense. Only way anyone could put a stop to NSA antics would be a major seismic shift in US politics - not going to happen, but why risk it, especially if the main point of these mass captures of all network traffic are non-US persons anyway.

Let's see how many years it will take until Google, Amazon and Microsoft realize how much this crap does damage to their business overseas.

Skype (0)

Burz (138833) | about a year ago | (#45611731)

Indeed, I thought that was the whole point of MS putting Skype on the NSA PRISM program.

Re:so what? (0)

Anonymous Coward | about a year ago | (#45614875)

That's fine, give them the key.

Just don't give them the algorithm.

Seriously, people have forgotten what encryption is.

Are we coders and engineers capable of creating reversible data mangling, or just helpless pawns floating on a sea of keys for other people's code?

Morons and Oxymorons (4, Insightful)

jkrise (535370) | about a year ago | (#45608867)

Anyone who trusts Microsoft is a moron.
Microsoft Transparency is an Oxymoron; unless we are talking about Aero Glass transparency.

Re:Morons and Oxymorons (0)

Anonymous Coward | about a year ago | (#45608937)

"Anyone who trusts Microsoft is a moron."

I wonder how the Nokia fleshlight feels.

EEE - another pump and dump!

Re:Morons and Oxymorons (1)

BringsApples (3418089) | about a year ago | (#45614453)

I trust Microsoft, but for reasons that you overlooked. I trust that they'll continuously change their products in a way that requires everyone that runs a business, that uses computers, to have an IT guy. That's me trusting that I'll always have a work load, being self employed.

But yeah, if you trust that Microsoft will 'help' you 'stay silent' from the NSA, then you should read this [computerworld.com] . Because in reality, the NSA 'helped' Microsoft build Windows 7.

Re:Morons and Oxymorons (0)

Anonymous Coward | about a year ago | (#45616727)

Anyone who trusts Microsoft is a moron.
Microsoft Transparency is an Oxymoron; unless we are talking about Aero Glass transparency.

Wall Street trusts Microsoft enough to take it to new 52 week highs.

Re:Morons and Oxymorons (0)

Anonymous Coward | about a year ago | (#45623037)

Anyone who trusts Microsoft is a moron.
Microsoft Transparency is an Oxymoron; unless we are talking about Aero Glass transparency.

Anyone who trusts Microsoft, Google, Apple, Cisco, Facebook, Twitter, Intel, AMD, HP, Dell, Sony, Verizon, AT&T, Sprint, Cox, Comcast, etc. is a moron.

It amuses me how Apple and Google are equally as guilty as Microsoft, yet they largely get a free pass because people see something shiny and forget all about it.

Whee! (1)

Anonymous Coward | about a year ago | (#45608907)

Prince Humperdinck: Surrender.
Westley: You mean you wish to surrender to me? Very well, I accept.

Given that... (0)

mythosaz (572040) | about a year ago | (#45608939)

....given that Microsoft isn't going to open their source to the world, this seems a reasonable step from them.

I mean, nobody here's going to give them the tiniest lick of credit for it, but such is /.

Re:Given that... (1, Insightful)

Anonymous Coward | about a year ago | (#45609413)

....given that Microsoft isn't going to open their source to the world, this seems a reasonable step from them.

Spoken like a true Microsoft apologist. Here let me put it into perspective for you, since you couldn't be bothered to read TFA summary:

"transparency" means "building on our long-standing program that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors."

So "government customers" can "review" the source code. Not you or me or the rest of the world. Not that "government customers" care, or have the manpower and technical skills to actually hunt through a big messy blob of source code to find back doors. The only government customers capable of knowing what a back door looks like are the government customers who ordered it put there.

This is all spin speak for "we're doing absolutely nothing but claiming that we are".

But hey, feel free to consider this a reasonable step from Microsoft. Such is /.

Re:Given that... (0)

Anonymous Coward | about a year ago | (#45615291)

Spoken like a true Microsoft apologist. Here let me put it into perspective for you, since you couldn't be bothered to read TFA summary

And because you're too ignorant to read TFA you didn't see that:
In addition, Microsoft plans on opening a network of “transparency centers” where customers can go to “assure themselves of the integrity of Microsoft’s products.”

But by all means continue to rant on that everybody supportive of a move to something more transparent is an apologist.

So "government customers" can "review" the source code. Not you or me or the rest of the world.

You think all the world's governments are collaborating in some big conspiracy against everybody who isn't part of a government somewhere? You think the US and Chinese governments for example would both use Windows if they both knew about backdoors in the system that could be used for spying? Or all computers of all governments of the world that have Windows have special patches to close these backdoors? If Microsoft is truly giving the US the means to decrypt communications using Windows then you actually believe the Chinese would be using it?

Of course the unthinking masses like yourself want a sense of sentience and so believe any conspiracy theory they come across, even when it makes utterly no sense whatsoever.

Define "encryption"... (4, Insightful)

mlts (1038732) | about a year ago | (#45608973)

Encryption is not a one size fits all solution. I can say that I use encryption for everything because my HDDs use FDE (BitLocker, FileVault, and LUKS.) However, encrypting everything that hits the platters doesn't give any protection against remote attack. Scale that up to the enterprise, and having a low level PowerPath driver encrypt what hits a LUN doesn't matter much if the host machine gets breached.

While I do have faith that BitLocker and other items are not obviously backdoored, my eyes glaze over when companies say that they will just encrypt stuff, all problems over.

Encryption just makes the amount of sensitive data move from the data to how keys are stored, and attackers will just start hitting the key management system, either bribing/coercing an admin, or use basic social engineering techniques to get access to stored keys.

Even hardware key storage devices are not 100%. One can always hack a user account on one of those to sign/decrypt data even without access to the key material itself.

Encryption is just one piece. It can be equated to use of a safe. However, safecrackers tend to care less about the safe itself than the lock on the safe, and the key management is what makes or breaks security.

Re:Define "encryption"... (1)

Anonymous Coward | about a year ago | (#45609123)

Bitlocker is a Microsoft product. It has backdoors.

Re:Define "encryption"... (1)

Anonymous Coward | about a year ago | (#45609823)

[Citation Needed.]

Re:Define "encryption"... (1)

ozmanjusri (601766) | about a year ago | (#45614557)

[Citation Needed.]

Major data encryption software like TrueCrypt, Microsoft BitLocker, FileVault, BestCrypt etc have backdoors which allows access to data without the key.

This was disclosed as per a presentation leaked @ http://cryptome.org/ [cryptome.org] which was given by Detective Michael Smith. Computer Crimes & Computer Forensics, Linn County Sheriff’s Office.

Although NCMEC (National Center for Missing and Exploited Children) says that they use it for detecting child pornography but the disclosure itself is sufficient to raise doubts on NSA-corporate bond again

http://hackingly.org/nsa/backdoor-in-truecrypt-bitlocker-filevault-281.html [hackingly.org]

I'm With Stu Pitt (0)

Anonymous Coward | about a year ago | (#45617137)

Did you actually read "the presentation leaked @ cryptome" [cryptome.org]

4 September 2013

This document is claimed to be a hoax by Hacker News, the page follows.

The original document:

http://cryptome.org/2013/09/computer-forensics-2013-hoax.pdf [cryptome.org]

The authentic document upon which it is allegedly based:

http://cryptome.org/2013/09/computer-forensics-2012.pdf [cryptome.org]

For fuck's sake, didn't the presenters' names tip you off? "Detective Stu Pitt and Detective Laughlin Foo"

PS: Oh, and the presentation it was based on is linked from the last slide of the "super-sikret leak" itself, and is a pretty interesting read in itself.

Re:Define "encryption"... (2)

mpe (36238) | about a year ago | (#45610403)

Bitlocker is a Microsoft product. It has backdoors.

Historically proprietary software tends to be rather poor when it comes to cryptography. Cryptography is hard to get right, since even apparently trivial changes can have huge effects on the security of the code. Any requirement for "backdoors" is likely to make things even harder.

Re:Define "encryption"... (2)

mlts (1038732) | about a year ago | (#45611829)

I get the not-so-fresh feeling being devil's advocate here, but (and this is opinion here, so take it, leave it, or just laugh at it) BitLocker is something that MS did seem to make a decent effort at getting right.

Unlike TrueCrypt, BitLocker is written not just for security, but for enterprise recoverability, so come e-Discovery time, one can recover the data on a laptop after an employee left.

If MS did drop the ball with BitLocker, they would be in a world of hurt. There are many laptops lost out there, and having an encrypted HDD [1] is the difference between writing off some inventory shrinkage versus a major public disaster, with civil, regulatory, and perhaps criminal consequences. So, if BitLocker is something that had major security issues, there will be big businesses wanting their pound of flesh, not just users.

(Of course, after I write this, watch one of the next /. articles be about a backdoor found in BDE completely making what I stated irrelevant.)

[1]: Of course, there are varying degrees of encryption. Having the recovery key for BitLocker stored someplace insecure is just as bad as having the TrueCrypt recovery CD with its password stored in a bad location. This is why BitLocker keys often wind up stored in AD... if AD gets compromised, the jig is up in the enterprise anyway.

Ancient Password Storage Secret (2, Interesting)

Anonymous Coward | about a year ago | (#45612321)

I use an 80-year-old monk with a photographic memory to store my password. He does not feel pain. He does not feel greed. He will only quietly unlock what I need unlocked.

Re:Ancient Password Storage Secret (1)

Anonymous Coward | about a year ago | (#45614371)

Ever read Freedom(TM)? A mercenary is put in an fMRI scanner and has intelligence extracted from him even though he remains completely silent. They just ask a series of questions and narrow down the answer. "Does your name begin with the letter A? B? C? D?..." Try as he might, he can't help but produce measurable brain responses when he sees information he knows to be correct and eventually reveals all his personal details and for whom he works.

Re:Define "encryption"... (1)

mpe (36238) | about a year ago | (#45610337)

Encryption is not a one size fits all solution. I can say that I use encryption for everything because my HDDs use FDE (BitLocker, FileVault, and LUKS.) However, encrypting everything that hits the platters doesn't give any protection against remote attack.

Note that "cloud storage" along with "file sharing" can be a method of defeating filesystem encryption. Especially if the communication is itself encrypted so you can't easily tell what is being synchronised/shared.

In other words Microsoft's "transparency" ends (3, Insightful)

RLiegh (247921) | about a year ago | (#45608977)

...where NSA contracts begin. Much to the surprise of absolutely no-one at all.

Too Late (0)

Anonymous Coward | about a year ago | (#45608983)

You went above and beyond to sell out your own fucking customers. Nothing you can do can remove that stain for good reason!

Re:Too Late (2)

RLiegh (247921) | about a year ago | (#45609029)

Who do you imagine are their customers, and what is it that you imagine that they're selling?
You're probably wrong on both counts.

Re:Too Late (0)

Anonymous Coward | about a year ago | (#45609327)

Customers probably includes things like people, corporations, and NGOs.
They sell off everything they find right down to the bones much like how Native Americans used the Buffalo.

What are people expecting? (3, Interesting)

PhrostyMcByte (589271) | about a year ago | (#45609023)

Short of encrypting data before it hits the server, using a private key that is managed only by the user, there really isn't anything these big companies can do to improve your security.

Protecting data in transport? HTTPS's key management is compromised so that's not going to protect against the NSA. Are they going to overhaul that system?

Does it also build synergy with best-practices? (2)

TWiTfan (2887093) | about a year ago | (#45609025)

building on our long-standing program that provides government customers with an appropriate ability to review our source code

Well, of course, we wouldn't expect you to allow anyone in with an inappropriate ability to review your source code.

They still exist? (1, Interesting)

JustNiz (692889) | about a year ago | (#45609057)

>> it seems questionable whether such moves (vague as they are at this point) on Microsoft's part will assure anyone that it hasn't been compromised by government sources

I'm genuinely surprised that apparently some people still exist that think Microsoft might actually not be providing the government with backdoors and feeds of everything that goes anywhere near their products and/or servers.

Re:They still exist? (0)

Anonymous Coward | about a year ago | (#45610415)

The NSA snooping thingy might have been Microsoft's idea way back when they were being investigated as a monopoly. "Hey, I got an idea. What if we give access ..." Case dismissed.

This justifies my Office naming scheme. (0)

Anonymous Coward | about a year ago | (#45611911)

Every time I create a word document, I feel the need to jazz it up a bit.

Instead of:
2013-12-5_FinancialReport.docx

Perhaps:
2013-12-5_FinancialReport-PlanToKillThousands.docx
2013-12-5_FinancialReport-3StepGuideToBombMaking.docx
2013-12-5_FinancialReport-RapingTheInnocent.docx
2013-12-5_FinancialReport-BioweaponryForDummies.docx
2013-12-5_FinancialReport-JihadForAll.docx
2013-12-5_FinancialReport-MassShootingSpreesAreTheyForYou.docx
2013-12-5_FinancialReport-MapsOfUSMilitaryInstallations.docx
2013-12-5_FinancialReport-DirtyBombDiagrams.docx

Re:They still exist? (3, Informative)

cavreader (1903280) | about a year ago | (#45613559)

Nobody has ever shown any detailed proof of government backdoors in their products. But hey facts really have nothing to do with today's shallow thinking.

Re:They still exist? (0)

JustNiz (692889) | about a year ago | (#45614059)

Nobody has ever shown any detailed proof of non-existence of government backdoors in their products. But hey facts really have nothing to do with today's shallow thinking.

Re:They still exist? (0)

Anonymous Coward | about a year ago | (#45614187)

Next up: God

Re:They still exist? (1)

cavreader (1903280) | about a year ago | (#45614559)

I really hope you are joking. How do you prove a negative? "We can't find something therefore it must exist!".

Re:They still exist? (0)

Anonymous Coward | about a year ago | (#45614891)

I really hope you are joking. You only need to examine the code to see if something fishy is going on. "We can't find something if we don't have the code to search for it!".

Negatives are proved all the time. It's a basic premise of scientific study. Prove something doesn't exist and can rule it out as a possibility.

But face it, you're not posting here to discuss facts are you.

Re:They still exist? (1)

JustNiz (692889) | about a year ago | (#45618963)

In this case it would be easy.
Microsoft could just open up ALL their source code to the EFF instead of only allowing the government to see it. They must already realise that asking the gov to check for backdoors is like asking the fox to guard the hen house.
The government are probably interested in the code but just to confirm that their backdoors are actually still in place, and to maybe add some more.

Re:They still exist? (1)

chihowa (366380) | about a year ago | (#45618811)

The absence of evidence of wrongdoing isn't evidence of the absence of wrongdoing.

Even the credible belief of a backdoor in a closed source security program should be taken seriously.

The very high costs of the spying business (0)

Anonymous Coward | about a year ago | (#45609109)

You know, with all this anti-NSA-surveillance related encryption, think of the extra cost in terms of CPU and power consumption to implement the protections. Imagine the increased coding complexities and human resources directed at it, and all the extra service calls and maintenance when something goes wrong, et cetera.

The NSA is effectively spending billions of taxpayer dollars to make US businesses less energy efficient and less competitive, not to mention businesses that will simply leave the country because of the perceived and real risks. It's all for the sake of security, which apparently trumps everything else.

Sorry, not quite good enough (2)

Alain Williams (2972) | about a year ago | (#45609135)

Saying that it is encrypted is one thing, but a whole lot more is needed to be confident in security. What if the encryption algorithms have problems, or the key generation produces an effective length of less than 2048, etc, etc.

Microsoft would be really smart if it released its security related code under some ''you can view this and try to break it but cannot sell/... license''. This need not be incompatible with keeping the rest of its code base proprietary. It would really boost confidence if people could independently rebuild the security DLLs. On the other hand if Microsoft does not do this we need to ask the question: what has it got to hide?

Re:Sorry, not quite good enough (0)

Anonymous Coward | about a year ago | (#45609857)

> What if the encryption algorithms have problems [...]

No. That's not the problem. As long as the data can be decrypted by your provider (Microsoft, in this case), they're toast. No matter how well the algorithms and protocols are designed.

The only way to be secure is *you*, the client, have exclusively the decryption key (and your computer isn't backdoored).

security is so simple (0)

Anonymous Coward | about a year ago | (#45609267)

Just throw some magic encryption sprinkles on it.

Microsoft vs NSA (1)

bob_super (3391281) | about a year ago | (#45609603)

If only "embrace, extend, extinguish" worked on the NSA, Microsoft would get some serious Karma points.

Transparency Centers? (0)

Anonymous Coward | about a year ago | (#45609743)

In addition, Microsoft plans on opening a network of "transparency centers" where customers can go to "assure themselves of the integrity of Microsoft's products."

They'll be offering free massages, hors d'oeuvres and a 30 minute guided tour of the most "important bits".

Re:Transparency Centers? (1)

Bosconian (158140) | about a year ago | (#45619557)

Cute - I was thinking something more along the lines of:

"Hello, and welcome to Microsoft Software Security Assurance Enterprise, Small Business, Government, and Education Transparency Center number 6!

You'll notice that there's a beautiful and fluid whiteboard set up over here to the right. These lines represent our data flow between all of our convenient and secure value-adding services to our customers, and these dots with arrows pointing to an unlabeled blue box are transfer nodes, which Microsoft has decided are not applicable to this Transparency Center presentation.

Now, if you'll look directly in front of you, there's a window that you're free to gaze through to observe Microsoft's server operations for a period of 32 minutes. Please don't touch the glass, and thank you for visiting Microsoft Transparency Center, or as we on the Security Assurance team lovingly refer to it, 'MSTC6.' Please visit us again soon, and don't forget to accept a complimentary Microsoft gift bag including some enticing software discounts!"

So whats the point? (0)

Anonymous Coward | about a year ago | (#45609761)

So if Microsoft does not really believe in transparency/privacy...what's the point of all these initiatives?

Secret World Domination Agenda?

Re:So whats the point? (1)

LordThyGod (1465887) | about a year ago | (#45609973)

So if Microsoft does not really believe in transparency/privacy...what's the point of all these initiatives?

Secret World Domination Agenda?

It's called follow the leader. See what the leaders in your industry are doing, and to not look like a boob, you do your own variation so people think you know how to play the game. It's a perception thing only, which only needs to work for a certain uninformed market segment (IE their customers).

Score:5, Informative (1, Informative)

Anonymous Coward | about a year ago | (#45610103)

Re:Score:5, Informative (1, Troll)

SpaceLifeForm (228190) | about a year ago | (#45613981)

Exactly. This is a PR move to make it appear as though they are not in the same bed together.

Imagine if they had NOT announced these (late) changes.
After a while, people would observe what is going on:
"Hey, Microsoft is not doing what Google and Yahoo did, I wonder why? "

Microsoft *had* to do this in order to try to hide their real colours.

In any organization as large as Microsoft ... (1)

serutan (259622) | about a year ago | (#45610877)

... even achieving transparency between departments is difficult. When I used to work there you should have seen what we went through to get code from other teams. In spite of the fact that the company rewards cross-group collaboration (which was the main reason we were doing it).

Wasn't MS enthusiastically supporting the NSA? (1)

Anonymous Coward | about a year ago | (#45610927)

I seem to remember that was the case.

America's corporate managers spineless wussies... (1)

gestalt_n_pepper (991155) | about a year ago | (#45611229)

...who wouldn't know a principal if it bit them in the ass and sang "Yankee Doodle." They will bend over with a smile the moment any government agency wants them to do anything and ask if they'd like anything else. Encryption. Feh. All PR, smoke and mirrors. This is an attempt to change public perception. Nothing more.

Re:America's corporate managers spineless wussies. (0)

Anonymous Coward | about a year ago | (#45611833)

Principle*

What's the point? (1)

roca (43122) | about a year ago | (#45611289)

The moment they receive a National Security Letter, the backdoor is added and pushed out in a regular software update. Or, on the server side, they add a tap anywhere they touch plaintext. Or they hand over keys.

Every US corporation is an arm of the NSA, except for those that follow Lavabit and choose to shut down rather than cooperate.

Microsoft Encryption. (0)

Anonymous Coward | about a year ago | (#45611303)

Coming from a company that puts a pretty god damn small max-size on passwords.
Any company that does that is automatically crap.

Re:Microsoft Encryption. (1)

mlts (1038732) | about a year ago | (#45611963)

127 characters is low?

It used to be 16 characters, but that was back in the days of Windows 98, and NT 4.0 service pack 6a, well before AD forests and trees were in common use.

Re:Microsoft Encryption. (0)

Anonymous Coward | about a year ago | (#45616683)

127 characters is low?

It used to be 16 characters, but that was back in the days of Windows 98, and NT 4.0 service pack 6a, well before AD forests and trees were in common use.

I think GP is referring to this: Why can't my Microsoft account password have more than 16 characters? [microsoft.com]

Only Microsoft? (2)

PrimeNumber (136578) | about a year ago | (#45611857)

Replace "Microsoft" with the name of any company that suddenly got religion and is now working so hard to protect our privacy. How long did it take Google to finally get around using https and secure logins? A long fucking time, but we can't say anything about Google - because they do nifty shit like flying WiFi balloons in Africa. Meanwhile, Bill Gates is on the ground giving billions to eradicate disease -- something that actually improves peoples' lives in a meaningful way. But we still have to slam Microsoft, because Billy boy and his minions are so evil.

None of the major IT companies gave a rat's ass about user privacy until Snowden leaked his information. FFS -- enough with the slamming Microsoft shit already, the 90's have been over for a long time now. Go back to trolling on The Verge or Apple Insider.

Re:Only Microsoft? (2)

genner (694963) | about a year ago | (#45612531)

Replace "Microsoft" with the name of any company that suddenly got religion and is now working so hard to protect our privacy. How long did it take Google to finally get around using https and secure logins? A long fucking time, but we can't say anything about Google - because they do nifty shit like flying WiFi balloons in Africa. Meanwhile, Bill Gates is on the ground giving billions to eradicate disease -- something that actually improves peoples' lives in a meaningful way. But we still have to slam Microsoft, because Billy boy and his minions are so evil.

None of the major IT companies gave a rats ass about user privacy until Snowden leaked his information. FFS -- enough with the slamming Microsoft shit already, the 90's have been over for a long time now. Go back to trolling on The Verge or Apple Insider.

Who is Bill Gates again? Oh right he's the guy who doesn't run Microsoft.
Remind me how many people Ballmer helped?

Re:Only Microsoft? (0)

Anonymous Coward | about a year ago | (#45614853)

Name one other company that's used its monopoly for 20 years to not just ignore but actively push against these needs.

Re:Only Microsoft? (0)

Anonymous Coward | about a year ago | (#45615011)

enough with the slamming Microsoft shit already, the 90's have been over for a long time now.

And yet Microsoft keeps pulling the same shit they've been doing since the 90's. Maybe they haven't been slammed hard enough yet.

Re:Only Microsoft? (0)

Anonymous Coward | about a year ago | (#45615887)

Meanwhile, Bill Gates is on the ground giving billions to eradicate disease -- something that actually improves peoples' lives in a meaningful way. But we still have to slam Microsoft, because Billy boy and his minions are so evil.

It appeared that Gates had become (at least) less evil, but then, facts show that some things just don't change-- it appears even the Gates charity is evil, making more money on the suffering of the folks they are nominally helping, than what they are giving:

http://www.latimes.com/news/la-na-gatesx07jan07,0,2533850.story [latimes.com]

Gates + Foundation is also pushing to destroy public schools, and replace them with private, for profit, mc wages for teachers schools.

Of course, trying to get his partner to sign away his part of the Microsoft empire while in the hospital (and presumed dying) was probably the height of class for Gates.

He and his company have the worst business practices that have been matched by few, but never surpassed.

Microsoft got their start exclusively selling stuff they stole (msdos [digital], flight simulator, disk doubler [stack electronics], windows NT [digital] etc.), and used the courts and their war chest of $$ to destroy those that tried to fight back. And, if that didn't work, MS would counter-sue their victims. And if that didn't work, they would buy the company, and fire everybody (Stack). Or in the case of Digital, just keep fucking with them, until the founder commits suicide, and in his suicide note names Gates.

At the same time they put fake error messages in their products that were displayed randomly when competitors' products [by Digital, for example] were used (even xor encrypt the code behind it, to make it harder to tell in a disassembly).

Also that build of win2k that was accidentally released with debugging symbols that had that variable named "NSA_KEY" which held a key that was automatically trusted for code signing. That NSA_KEY variable was added in win98. Under Gates's watch. So, (just guessing you use windows) your copy of windows is likely facilitating NSA spying on you and your family.

Yeah, Billy boy did all of that. He is a scumbag.

You need to review your history (and present day facts) a bit.

Meanwhile, I'm not sure that Google is "for good, rainbows, and ponies" but Google hasn't even begun to approach the level of evil of Gates and Microsoft.

All that said, I fully agree with you on this bit, but MS and Gates really do deserve the hate (forever):

None of the major IT companies gave a rats ass about user privacy until Snowden leaked his information.

Re:Only Microsoft? (1)

swillden (191260) | about a year ago | (#45618647)

How long did it take Google to finally get around using https and secure logins? A long fucking time

You don't know what you're talking about.

Google provided the option for SSL on all Google services back in 2008. At that point in time it was considered infeasible for large web services to do always-on SSL, because it would increase the load too much; SSL was only used for login pages, pages where financial information was entered, etc. In 2010 Google turned it on by default for all users for Gmail and other key services, long before any other major webmail providers did. In 2011 they turned it on by default for everything, including search. Google did this long before any of the other big web companies... heck Yahoo and Bing still don't use SSL for search.

Google was also the first major web service to provide two-factor authentication, in 2010. Yahoo didn't do it until 2012, and Microsoft didn't offer it for Outlook until little more than six months ago. AFAIK, Google is still the only major webmail provider to offer and use secure SMTP when communicating with other mail servers. Most SMTP traffic to and from Google is unencrypted, but only because the other end won't do encryption.

Google also designed SPDY without any unencrypted mode at all. The W3C committee standardizing SPDY as HTTP/2.0 is struggling a little bit with that, though it appears they're going to accept it as encrypted-only. Google's next-gen web protocol, QUIC, not only doesn't have an unencrypted mode, but encryption is baked so deeply into the protocol that when it gets to standardization there will be no question about removing it... you'd have to completely redesign the protocol.

Google has been serious about encrypting everything for a long time and has consistently led the industry.

Bill Gates is on the ground giving billions to eradicate disease -- something that actually improves peoples' lives in a meaningful way

The work of the Gates foundation is fantastic, I completely agree. However, I disagree that providing universal access to useful information, which is Google's stated mission, doesn't "improve peoples' lives in a meaningful way". In fact, I'd say that universal Internet access is one of the most powerful tools we can offer the developing world, enabling them access to the information needed to lift themselves out of poverty and corruption. Of course, Internet access doesn't help when you're dying of malaria, so eradicating, or at least suppressing, disease is critical.

None of the major IT companies gave a rats ass about user privacy until Snowden leaked his information.

You can debate about whether or not they would have without it (I argue they would), but Google has had to care seriously about user privacy for years now, because privacy assurance, including annual privacy audits performed by a third-party auditor, is required by the FTC consent decree. If there's any hint that some design or implementation detail threatens to expose user data, or even put it where it shouldn't be, the privacy team comes down with both feet until it's fixed. I really think that would be the case even without the consent decree, though because of it the privacy team is supervised by legal which undoubtedly gives it even more clout than it would have otherwise.

I realize that /. groupthink paints Google as an enemy of privacy, because the bulk of its business model is based on targeted advertising which means that Google's users give Google permission to learn about them and target ads to them (unless they opt out), but I doubt there are any companies of substantial size that care more or work harder to protect user privacy, precisely because Google's business model places it in such a precarious position. If there were ever any leaks of user data from Google, or if there were any reports of Google employees misusing user data, it would severely damage the company.

(Disclaimer: I'm a Google engineer. I work on the security infrastructure, which is related to but not the same as the privacy infrastructure.)

Re:Only Microsoft? (1)

swillden (191260) | about a year ago | (#45618789)

heck Yahoo and Bing still don't use SSL for search

Out of curiosity I just went and tried it. Not only do they not use SSL by default, but you can't use SSL at all for searches on either site. Yahoo will serve the home page via HTTPS, but trying to search from it gives you first a big error message from your browser due to a certificate name mismatch, and if you click through that you get a 403. If you try to go to http://www.bing.com/ [bing.com] you get a blank page.

I didn't try either site while logged in, so it's possible that you can do secure searches if you have an account.

My understanding with Google was that it was always SSL for all logged-in searches, but that logged-out users could still use it via HTTP. At some point that appears to have changed, because signed in or signed out, regardless of browser, any attempt to go to google.com via HTTP gets redirected to HTTPS. If you construct a query like http://www.google.com/search?q=foo [google.com] you can force Google to receive your query terms over HTTP, but it still immediately redirects to HTTPS rather than returning any data. I suppose if you used a browser that indicated it could not handle HTTPS, Google would probably allow you to do searches over HTTP.
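
The behaviour described in the post above (a plain-HTTP query is received, then redirected to HTTPS before any data is returned), as an added example that is not part of the original post: a small Python audit of a redirect chain showing what a passive observer on the network still sees. The hostnames, chains and function names are constructed for illustration.

```python
from urllib.parse import urlsplit, urljoin

# Constructed redirect chains (not captured traffic). Each hop is
# (requested URL, HTTP status, Location header or None).
CHAIN_REDIRECT_FIRST = [
    ("http://www.example.test/search?q=foo", 301,
     "https://www.example.test/search?q=foo"),
    ("https://www.example.test/search?q=foo", 200, None),
]
CHAIN_PLAINTEXT_ONLY = [
    ("http://search.example.test/search?q=foo", 200, None),
]
CHAIN_DOWNGRADE = [
    ("https://www.example.test/", 302, "/go"),
    ("https://www.example.test/go", 302,
     "http://www.example.test/home?sid=abc"),
    ("http://www.example.test/home?sid=abc", 200, None),
]


def audit_chain(hops):
    """Summarise what a passive network observer learns from a chain."""
    report = {
        "plaintext_requests": [],    # path+query sent over http://
        "plaintext_content": False,  # a 2xx body was served over http://
        "downgrade": False,          # an https:// hop redirected to http://
        "final_scheme": urlsplit(hops[-1][0]).scheme,
    }
    for url, status, location in hops:
        parts = urlsplit(url)
        if parts.scheme == "http":
            # The request line crosses the wire unencrypted even if the
            # server answers with nothing but a redirect.
            exposed = parts.path or "/"
            if parts.query:
                exposed += "?" + parts.query
            report["plaintext_requests"].append(exposed)
            if 200 <= status < 300:
                report["plaintext_content"] = True
        if location is not None and 300 <= status < 400:
            # Location may be relative, so resolve it against the request.
            target = urlsplit(urljoin(url, location))
            if parts.scheme == "https" and target.scheme == "http":
                report["downgrade"] = True
    return report


def verdict(hops):
    """Collapse the report into one label, worst finding first."""
    r = audit_chain(hops)
    if r["downgrade"]:
        return "downgrade"
    if r["plaintext_content"]:
        return "plaintext-content"
    if r["plaintext_requests"]:
        return "request-leaked-then-upgraded"
    return "https-only"


if __name__ == "__main__":
    for name, chain in [("redirect-first", CHAIN_REDIRECT_FIRST),
                        ("plaintext-only", CHAIN_PLAINTEXT_ONLY),
                        ("downgrade", CHAIN_DOWNGRADE)]:
        print(name, verdict(chain), audit_chain(chain)["plaintext_requests"])
```

The first chain is the case the post describes: no results come back over HTTP, but the query terms in the initial request were still visible on the wire.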

Only market demand can provide privacy (0)

Anonymous Coward | about a year ago | (#45612677)

But with Google and other tech firms making a lot of noise about encrypting their respective services, Microsoft has little choice but to join them in introducing new privacy initiatives.

It's clear that the only reason we have privacy at all is because there's a market demand for it.

Governments are now flamboyantly demonstrating that they have no interest in providing us with privacy.

And the commercial sector clearly has no interest in providing us with privacy except if they can make a profit from doing so.

If you feel that you have (or deserve) a "right" to privacy, it's obvious that those in power strongly disagree with you.

Fanboys Say Baaaa! (0, Interesting)

Anonymous Coward | about a year ago | (#45612985)

I have been living in the flood of post-Snowden NSA hysteria for a few months now, just like everyone else. Unfortunately, instead of actually forcing change and reining in these subversive and sweeping data pirates, the consumer-humping media at large - and a tragically vast number of Apple fanboys and Google drones - seem content to sensationalize every supposition and rumor in the most slanted excuse for journalism seen in years.

Apple does X that is bad (like, oh..say, routing ALL of your data through their own servers now, even to back up your iDevice on your own network target):
"Gee, they have made that SO much more convenient and reliable for all of us. Best thing EV-ER.. well.. ever since the phones that you couldn't hold in your hand AND talk on at the same time - but that wasn't a design flaw, it was fashion. Praise Jobs!"

Google drops 40% of its previously Free and unbound services over the last five years, sneaks full-time location data monitoring into the latest Android bake, and wants ALL your Base to belong to Them, forcing you to sign into any service they've "acquired" using their One-Login-to-Rule-Them-All:
"But their motto...? They wouldn't do anything bad, would they? It's for our own good and convenience. Google is here to SAVE us!"

Yahoo decides to start encrypting (sometime over the next 2 years) AFTER being around for ever and a day. And apparently not worrying much about the security of their Users' data for a decade or two. Nice google-clone interface and new logo though:
"Yahoo is taking great strides to make sure those NSA baddies are foiled from here on out..er..from whenever we get the encryption implemented.. or something like that. Yay Yahoo!"

Facebook security..
Do I really even need to go there? And yet millions of idiots have compromised what security many other services HAD, just for the convenience of using Facebook Login to access EVERYTHING.
"Yay, so easy! And look - my dead grandpa is in my targeted ad for shoe spray!"

Microsoft issues a press release to say "Hey, we may have been compromised at some point. There's no way to tell, so here's what we're doing about it."
"That Microsoft! They is the devil! Ohhh, if only Jobs were here to save the day!. Evil! Bad Microsoft! And that Gates guy giving away billions is just showing off to cover his tracks! Mnyah!"

Yes: Microsoft admits they may have been tapped at some points in their infrastructure. Considering the fact that it seems Everyone has been - knowingly or unknowingly - it would be dumb to deny it. And I'm NOT being pro-Microsoft (or pro-anything) here when I say that while Apple, Yahoo, Facebook, Twitter, the Google empire, etc are ALL in the same damn boat, yet when THEY admit they hadn't encrypted all their lines they are praised as saviors of the Internet. Why? Because they are NOW beginning the same total encryption process that Microsoft is as well.

Wake up: They are ALL businesses, NONE of them got to where they are without stepping on a few necks, and if the NSA says so they will ALL bend over and smile while they share the keys to your now-encrypted data.

The reason I'm taking the time to vent my spleen on this subject is simply this:
ALL of these companies do great things and rotten things. Always have, always will. None of them will fight the government - outside of peppy soundbites that mean nothing, except to appease the masses.
Take the products and services you like from each, but have no illusions about ANY of them having the moral high ground.

Use your own judgment, prudence, and assume that They are All "in on it" :) Cause they probably are - or not - to whatever extent it facilitates separating You from your cash. End of story.

And it would be nice if, at least SOME of the time, the so-called Tech media would actually report on facts equally, fairly, and unbiased. Wouldn't it be nice if we skipped the yellow digital journalism, the brand-waving sponsored opinions of every self-proclaimed "Gadget Guy Reporter", and simply made informed decisions about what works best for each of us?

Oh wait. That would require effort and thought...

Boo! Hisss! (0)

Anonymous Coward | about a year ago | (#45613187)

I love it when Apple and Google sheep declare that anyone who says Microsoft might not be the devil is an Apologist. LOL
They'll gladly give their Chosen Brand their data, their personal information, and their firstborn - no matter what suspect thing that company has done in the past or lately, but if someone doesn't vilify Microsoft for doing the exact same thing as their own personal Brand Jesus..."You Sir, are a Microsoft Apologist!"
Crazy.

The Story of The Source Tree and the Root (1)

Mister Liberty (769145) | about a year ago | (#45613407)

Where oh where is the source tree.
Look, this is dumb.

Why don't they throw up their hands, and say: "In all honesty people, we're fucked as much as you are. Let's work together, in openness, to solve the problem at its root".

MS built the Xbox One with the NSA (0)

Anonymous Coward | about a year ago | (#45613437)

Bill Gates hardly attempts to hide his agendas, but relies on the fact that YOU, the sheeple, get almost everything you THINK you know from mainstream media sources.

Did you know that Bill Gates personally partnered with Rupert (Fox News) Murdoch to create the 'inBloom' (corporate name chosen because of paedophile slang referring to under-age victims since before Victorian times) FULL SURVEILLANCE child database, designed to track every single aspect of every child's life in the USA, including sexual development. Did you know that Gates has a program of extra payments to teachers who offer to enter special 'sensitive' data about children they observe and monitor during school-time? Why is the deplorable inBloom system never mentioned here? Need I even ask.

Gates' involvement with 'Common Core' gets a little more public coverage, but the concept of "he who controls the education of children owns their minds as adults" as famously espoused by Jesuits and Hitler, to name but two atrocities, is ignored.

No, for most of you, the daily significance of Bill Gates' sickening initiatives is when back-doors specifically programmed into Windows for the use of the NSA hit the 'wild', causing incredible amounts of inconvenience and expense for ordinary users and businesses. Certain programming practices are forbidden in Microsoft's core products, because they would gradually reduce the possibilities (and usefulness) of the methods used to insert NSA back-doors in the code. Yes, Microsoft keeps its coding practices purposely crappy for 'plausible deniability' reasons. Just as the locks ordinary people have access to on the market are all trivial to 'pick', and the home alarm systems from all corporations have easily activated by-passes. Your masters do NOT care about your needs for security- they only care about the ease with which they can side-step the security measures taken by any target.

Of course, Microsoft has to respond to public disquiet. What is the point of Bill Gates riddling a Microsoft product with NSA systems if no-one buys that product in the first place. Look at all the back-tracking Gates did with his Xbone (originally you had to have an ALWAYS-ON internet connection, and Kinect II had to always be attached to the Xbone and 'calibrated' for ANY Xbone user function to work, including single-player, non-kinect games). Today, Gates rests assured that 99.9% of the morons that bought his vastly inferior console WILL leave it connected to the Internet day and night, and WILL have the NSA Kinect sensor bar permanently connected, and optimally positioned to spy on the room.

There Is Only One Question For Any Company (1)

Anonymous Coward | about a year ago | (#45613801)

Will you or will you not cooperate with the NSA when they demand access?

We need to build mandatory encryption into our network protocols and remove the responsibility for complying with demands to compromise security from corporations and service providers entirely.

Too little too late (0)

Anonymous Coward | about a year ago | (#45614827)

After 20 years of not just actively ignoring but openly discouraging all requests for openness, proper security, or basically anything their customers want, they now want to win back some market share.

No, this will not make me go and buy a Surface. I hope their journey to the bottom is extremely painful (trying to gain some attention by making an announcement like this is a good sign of that) but not too long - the sooner these assholes and every idiot that's ever worked for them are gone, the better computers will be.

A few words in Microsoft's defense (0)

Anonymous Coward | about a year ago | (#45615155)

Forget about Ballmer, Gates, and the other personalities for a minute. Microsoft is losing badly to Google, Apple, and Amazon right now. And cloud computing threatens to hang a... well, black cloud over the future of a company that's always made most of its money selling software licenses installed on customer property.

But now, the NSA/Snowden revelations have *finally* pushed privacy into the forefront where people are starting to care about it. And guess how Google makes its money... by delivering impressive services, sure, but by trampling over everyone's privacy in the process. And so does Facebook, LinkedIn and Amazon. So does Apple, although they could probably afford not to.

So Microsoft could be reshaped as the most pro-privacy of the top vendors, because Microsoft wants to sell software that customers install in their own data centers, and not rely on a public cloud. Personally, for example, I would rather use a shared spreadsheet that was served off our company's own servers, and not have to log in to Google to use Google Docs.

Respecting customers' privacy - relatively speaking, not talking about getting RMS' seal of approval - could be a strategic opportunity for Microsoft.

It's funny, I'm in Google's corner against MSFT and IBM on patents, in Amazon's corner for consumer-centric innovation, and in Microsoft's corner against Google and Amazon for privacy.

Only for communications? (1)

manu0601 (2221348) | about a year ago | (#45615393)

Do I understand the thing right? They encrypt for communication but store the data in plain text on their server? That does not look very efficient to guard against the NSA, especially since MS is part of the PRISM program.

MS won't lean; stop contributing your dollars! (0)

Anonymous Coward | about a year ago | (#45615537)

It's really that simple. There are solutions out there which will generally work if you're willing to take the time to actually make the switch. Even the ones which aren't perfect (like Ubuntu) have at least most of the code included available for review. While Ubuntu isn't perfect (see https://fixubuntu.com/) it's still at least a much better solution.

What I think people should remember though is it isn't all about the software. There are hardware-related concerns like the BIOS. These are also proprietary components we should be concerned about. There are very few companies focused on fixing this problem (that of proprietary firmware).

I would suggest looking at fsf.org/ryf and ThinkPenguin for a start. One's a project to certify that hardware respects your freedom and the other is a company focused on releasing hardware that respects your freedom. Sadly there are only two companies thus far that have products which respect one's freedom, although the catalog from ThinkPenguin is pretty large and would entirely or almost entirely pass the ryf process.

Feeling the pressure. (1)

VortexCortex (1117377) | about a year ago | (#45616269)

The pressure from the International markets is only a smidgen of what MS deserves for helping the NSA all these years starting when they got the pork handouts to port Omnivore away from Unix (Solaris) to MS's systems in 1998, and create Carnivore [wikipedia.org] -- despite everyone else in the military, etc. having POSIX requirements... And despite Linux existing in 1998 if "miniaturization" (PCs) were what they were shooting for. Yeah, MS has been in the thick of this shit for a good while. Snowden's privilege escalation makes a hell of a lot of sense if ECHELON, PRISM, etc are running on Microsoft Windows, eh? If a contractor like Snowden can do it, then state sponsored enemy spies can get at even more.

Oh, MS is going to show the governments the source code so they can be sure that there are no back doors in the compiled code they sell them -- AND UPDATE REMOTELY? Hell, even if they never installed updates and gave them compilers to build the code with they'd be subject to the Ken Thompson Hack [bell-labs.com]. Might as well just write, "Promise there's no backdoors -- Love, Billy and Ballzy" on a post-it note. The code only gives the governments another way to look for exploits.

MS? Openness? What, they'll publish one set of encryption protocols and use a slightly different algorithm? Like when they made their Office document format open?

Screw me once, MS, shame on me. Actively screw me continually for the past two decades? For Shame.

"They who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety and get IE6 instead."
- Benjamin Franklin's Grave Rolling Ghost.

By Design (0)

Anonymous Coward | about a year ago | (#45616313)

NSA is the biggest $$$$$$ Cash Cow M$ has and will be for at least two decades; write it up.
