Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

FSF Responds To Microsoft's Privacy and Encryption Announcement

Soulskill posted about 10 months ago | from the no-trust-without-verification dept.

Encryption 174

An anonymous reader writes "Microsoft announced yesterday their plans to encrypt customer data to prevent government snooping. Free Software Foundation executive director John Sullivan questions the logic of trusting non-free software, regardless of promises or even intent. He says, 'Microsoft has made renewed security promises before. In the end, these promises are meaningless. Proprietary software like Windows is fundamentally insecure not because of Microsoft's privacy policies but because its code is hidden from the very users whose interests it is supposed to secure. A lock on your own house to which you do not have the master key is not a security system, it is a jail. ... If the NSA revelations have taught us anything, it is that journalists, governments, schools, advocacy organizations, companies, and individuals, must be using operating systems whose code can be reviewed and modified without Microsoft or any other third party's blessing. When we don't have that, back doors and privacy violations are inevitable.'"

cancel ×

174 comments

Sorry! There are no comments related to the filter you selected.

PR Stunt at best (5, Interesting)

jbmartin6 (1232050) | about 10 months ago | (#45618001)

How is encrypting data in motion going to help when they will simply provide the NSA the keys or otherwise provide access to the data. They are just another participant in the 'we never provided direct access' lie, when you simply provide everything on demand they don't need direct access, nor do they need to decrypt data off the wire.

Re:PR Stunt at best (5, Insightful)

twocows (1216842) | about 10 months ago | (#45618167)

Not just that, but what the FSF spokesman is saying here is essentially right (though I think they could do with a bit less imagery, it makes it seem like they're just pushing their agenda, not that I disagree with it). How are we supposed to verify that Microsoft is even keeping its promise if we don't have access to the source? They could just be paying it lip service and not really doing anything about it. Or, they could be incompetent (MS, incompetent? what a novel idea). Or they might just make a token attempt at getting things "kinda sorta" secure (or at least looking secure). Again, how can we trust that they're following through? If it was free software, there's the capacity for anyone to audit it and make sure it's secure (and if it's not, there are more ways to deal with it than "annoy MS until they fix it").

Re:PR Stunt at best (0)

Anonymous Coward | about 10 months ago | (#45618383)

Not just that, but what the FSF spokesman is saying here is essentially right (though I think they could do with a bit less imagery, it makes it seem like they're just pushing their agenda, not that I disagree with it). How are we supposed to verify that Microsoft is even keeping its promise if we don't have access to the source? They could just be paying it lip service and not really doing anything about it. Or, they could be incompetent (MS, incompetent? what a novel idea). Or they might just make a token attempt at getting things "kinda sorta" secure (or at least looking secure). Again, how can we trust that they're following through? If it was free software, there's the capacity for anyone to audit it and make sure it's secure (and if it's not, there are more ways to deal with it than "annoy MS until they fix it").

And how are you expecting to find out if you have access to the source? If a Linux distro is sharing keys with the NSA? Or even built in exploitable vulnerabilities. It's not like there's going to be a commented subroutine that stands out. A series of unrelated conditions that are hard to impossible to spot can be enough. Widely used OSS software have had undiscovered critical vulnerabilities for decades.

Read it. (0)

Anonymous Coward | about 10 months ago | (#45618961)

"And how are you expecting to find out if you have access to the source?"

Read it.

If you can't read it, then you haven't access to the source code.

Silly question (5, Insightful)

Runaway1956 (1322357) | about 10 months ago | (#45618975)

How would I find out, personally, that Linux Mint is sharing keys with the NSA? The likelihood that I would personally discover that secret is somewhere between slim to none. I can't read code well enough, nor am I likely to spend the time necessary to read every line of code in the programs.

My assurance stems from,

1. Thousands (at least) of other end users actually do peruse the code, looking for errors, back doors, exploits, etc.

2. My OS comes from a "trusted source" - one which I personally trust.

Yes, there is a weakness in there. That weakness is, I have to trust someone. At the same time, there is a strength hidden right beside the weakness. I get to CHOOSE who I trust.

What, exactly, has convinced you that you can actually trust Microsoft? Has MS invited you to personally examine their code, to satisfy yourself that there are no exploits in their system? No? I didn't think so.

Linux, on the other hand, invites me to read any or all of their source.

You choose what you want, I'll choose what I want, thank you very much.

Re:PR Stunt at best (2)

stackOVFL (1791898) | about 10 months ago | (#45618985)

And how are you expecting to find out if you have access to the source? If a Linux distro is sharing keys with the NSA? Or even built in exploitable vulnerabilities. It's not like there's going to be a commented subroutine that stands out. A series of unrelated conditions that are hard to impossible to spot can be enough. Widely used OSS software have had undiscovered critical vulnerabilities for decades.

I'm no crypto expert. I really know very little about it except there are keys that used to encrypt the information. But, would it be possible for the OS vendor/maker to simply allow the user to enter another key when installing the OS that, without that key, it would be very hard to decrypt the information? If I'm not completely bulloxed on this the NSA would have to get the owners key to make any sense of the data. I am assuming/trusting that the OS does apply the owners key to all user generated data. That's probably naive.

Re:PR Stunt at best (0)

Anonymous Coward | about 10 months ago | (#45619059)

And how are you expecting to find out if you have access to the source? If a Linux distro is sharing keys with the NSA? Or even built in exploitable vulnerabilities. It's not like there's going to be a commented subroutine that stands out. A series of unrelated conditions that are hard to impossible to spot can be enough. Widely used OSS software have had undiscovered critical vulnerabilities for decades.

If you are looking for it, then it is still esier when you have the source code around. Don't you understand such a simple thing?

Re:PR Stunt at best (2)

twocows (1216842) | about 10 months ago | (#45619371)

Are you implying those things aren't problems in proprietary software? I'm not saying free software is a panacea, I'm just saying that, unlike proprietary software, we can audit free software and have more options available in the case where we find that it's not up to scratch.

Also, specifically in regards to a "Linux distro sharing keys with the NSA," if you're that worried about it, fork it and take care of security yourself. Use your own keys. One of the major benefits of free software is that you're not forbidden from doing something your own way if you don't trust others with it. Now, that doesn't solve the problem of "built-in exploitable vulnerabilities" (though that is mitigated a bit by the ability for anyone to audit the code), but again, that's a problem that exists on proprietary software, as well (and only a select few can audit most proprietary code).

Re:PR Stunt at best (0)

Anonymous Coward | about 10 months ago | (#45618251)

If the fundamental core of your argument is that MS* will just give the Private keys to the government ... then what is to stop any company, open software stack or otherwise from being forced to do the same??

If the NSA comes knocking with that National Security letter that says ... "You will give us your private keys and you will not even tell anyone that we had this conversation (this is not the spy agency you are looking for)" ... then it doesn't matter if your software stack is open source or closed source, you will still be fully compromised.

At least with these statements MS is coming out and saying "Look we know our customer's are really concerned about this, so we are going to do everything we can within current technical and legal bounds to address this for them." Now we as the American people, if we are truly concerned about this need to step up and demand from our government more transparency ... so that no company can get that letter without people knowing about it.

* Full Disclosure - I am currently employed by MS as a support engineer for the Exchange Online service.

Re:PR Stunt at best (0)

Anonymous Coward | about 10 months ago | (#45618297)

Exactly. The only course is to host your own service, or use one that is outside US jurisdiction.

Re:PR Stunt at best (0)

Anonymous Coward | about 10 months ago | (#45618377)

"If the fundamental core of your argument is that MS* will just give the Private keys to the government ... then what is to stop any company, open software stack or otherwise from being forced to do the same??"

Nothing.

Now, having answered that, where were you thinking this would go? "Oh, well, I guess I'd better just trust Microsoft, then, eh?"?

No?

"If the NSA comes knocking with that National Security letter that says ... "You will give us your private keys and you will not even tell anyone that we had this conversation (this is not the spy agency you are looking for)" ... then it doesn't matter if your software stack is open source or closed source"

The code doesn't contain the key to open the encrypt, dumbass.

Well, MS's code may to, to ensure that the backdoor is ALWAYS in. Of course, you'd be better placed to say this.

However, a decrypt key in open source code, if it existed, would be no security breech: it's open source. You can change the key yourself.

So, the NSA ask you to hand them the decrypt keys and you refuse, because it's your key, not Microsofts, that they need.

Re:PR Stunt at best (5, Insightful)

jbmartin6 (1232050) | about 10 months ago | (#45618397)

we are going to do everything we can within current technical and legal bounds to address this for them

My point is that they are not doing everything they can, they are instead they are pursuing a cosmetic measure that will make no real difference to what customers are concerned about. How about, for example, providing me with the ability to use my own keys that are never stored on a MS system?

Re:PR Stunt at best (2)

K. S. Kyosuke (729550) | about 10 months ago | (#45618555)

If the fundamental core of your argument is that MS* will just give the Private keys to the government ... then what is to stop any company, open software stack or otherwise from being forced to do the same??

If the key management and use, by virtue of using open SW and trustworthy HW, is stifted to you (the end user), at least you know that someone is after you when a letter with the demand to give up the keys comes up in your mailbox.

Re:PR Stunt at best (1)

Vitriol+Angst (458300) | about 10 months ago | (#45619167)

Look, we are all worried over nothing; this encryption means that only one 256 bit Key will unlock your data, or a paperclip -- but it's merely coincidence that the encryption has a two locks on the door and one of them is always the same.

I'm waiting to see Clippie on an upcoming episode of "VH1; Where are they now?"

Who cares? (2, Insightful)

Anonymous Coward | about 10 months ago | (#45618011)

Who cares if the software is non-free? That's not even the issue.

"Microsoft announced yesterday their plans to encrypt customer data to prevent government snooping. "

And I bet Microsoft will just hand over the encryption keys / passwords to the NSA.

Re:Who cares? (5, Insightful)

Chrisq (894406) | about 10 months ago | (#45618023)

Who cares if the software is non-free? That's not even the issue.

You are correct, the issue is that it must be open source and build-able from source.

Re:Who cares? (2, Insightful)

Anonymous Coward | about 10 months ago | (#45618243)

Who cares if the software is non-free? That's not even the issue.

You are correct, the issue is that it must be free software and build-able from source.

FTFY.

Re:Who cares? (1, Troll)

unixisc (2429386) | about 10 months ago | (#45618981)

Stupid Stallmanesque semantics, as usual. In this case, the idea behind making the source code available is better software, not more liberated software. I mean, the NSA is only to happy to share backdoors w/ everybody

Re:Who cares? (0)

unixisc (2429386) | about 10 months ago | (#45619311)

too, not to

Re:Who cares? (1)

Kierthos (225954) | about 10 months ago | (#45618353)

Right. Because No Such Agency would never be able to find a way to read data encrypted by an open source program. Why, that's a magical band-aid for everything!

Re:Who cares? (4, Insightful)

Chrisq (894406) | about 10 months ago | (#45618547)

Right. Because No Such Agency would never be able to find a way to read data encrypted by an open source program. Why, that's a magical band-aid for everything!

It makes things more difficult for them. Instead of having a neat backdoor they either have to insert obfuscated code, which could be detected or replaced at any time or convince people to use weak algorithms. Being open source people can select any algorithm they want - AES, Twofish, Serpent, Elyptic Curve, or rot13. The chances are that not all of them will be compromised. (if they all are then open or closed source doesn't matter - you're screwed either way)

algorithms (2)

Runaway1956 (1322357) | about 10 months ago | (#45619067)

Not only can the end user choose which algorithm, they can come up with their own. The right to read and modify the source code ensures that the truly paranoid can modify that source code, in whatever way they choose, to actually ensure that their stuff is secure.

Little Joey Nerd decides that he really, really, REALLY doesn't want anyone to read his stuff. Three pass encryption results - first with Blowfish, then with his own home brewed encryption, and finally with AES. So, the attacker understands AES quite well, and manages to strip away one level of encryption. What is he left with? A garbled mess for which there is no documented decryption anywhere, except in Joey's head, or on his device.

You can tamper with Joey's device, or his head, but chances are he is going to know about it.

Re:Who cares? (0)

Anonymous Coward | about 10 months ago | (#45618527)

That was absolutely not the intention of my comment.

Re:Who cares? (1)

melikamp (631205) | about 10 months ago | (#45619393)

No, this is not enough. Not if you want an optimal level of privacy and security. If the software is open-source but non-free, then you can fix it all you want, but you cannot share your fix with others. So this is as good as closed source for almost everyone, including you, since you cannot fix all the bugs by yourself.

Re:Who cares? (0)

Anonymous Coward | about 10 months ago | (#45619577)

It matters that it is free, so there will *actually* be other eyes on the source.

If you publish a few million lines of source code publicly on your website, but prevent any redistribution or modification to that code, there will NOT be much, if any, code review.

Even if there was a kickstarter campaign to review that code one year, it is highly unlikely that there will be a successful kickstarter to repeat that review with a frequency likely to catch shenanigans.

If published with a free license, and it is something that is useful enough for a reasonable number of folks to be interested in it, you will get outside contributers who will become familiar with the code base, and, while not impossible, it will be much harder to hide malicious code.

So, free does matter.

Re:Who cares? (-1, Troll)

Anonymous Coward | about 10 months ago | (#45618195)

First, someone shut these FSF types up. They come up with some amazing bullshit. Yes, I feel like I am in jail because I am typing this on Windows. Not even a good car analogy.

Second, get it right. Microsoft WILL hand over a key for a specific user's data with the proper government requests. What this encryption is designed to prevent is the current government tapping of transmissions that get access to ALL data with no requests / warrants / whatever. Nobody really minds the "we have a warrant for anonymous coward's data for the last 3 years" type requests. We have a problem with the "all your data are belong to us" wire tapping that is going on now. Microsoft is doing good here, just as Google and others are.

Re:Who cares? (1)

kthreadd (1558445) | about 10 months ago | (#45618257)

The problem with Windows is not that you're in jail, the problem is that you don't know that you're in jail because you have no way to inspect the spurce code and make yourself and understanding about it.

Re:Who cares? (2)

LordLimecat (1103839) | about 10 months ago | (#45618323)

Must be in a jail when I use firefox, too, since i have no way to inspect that source code and have an understanding of it either (Im not a trained software dev qualified to analyze several million lines of code).

Yes, all non-programmers are in a jail, at all times.

Re:Who cares? (1)

hawkinspeter (831501) | about 10 months ago | (#45619207)

That would be more like a maze than a jail. If you spent time to train as a software dev and spent some time reading through the Firefox codebase, you would then be able inspect the source code and have an understanding of it.

There's a world of difference between a locked door and an open doorway.

Re:Who cares? (0)

Anonymous Coward | about 10 months ago | (#45619097)

You may be in fact trapped in a Tree and not in Jail if you are unable to read the "Spruce" code.

Re:Who cares? (0)

Anonymous Coward | about 10 months ago | (#45618331)

No - You THINK Microsoft does good, but there is no way you can be sure...
There is NO way you can check that what they say is real of just doubletalk..
You can't check anything, because it is all hidden for you behind close source...

Never heard of backdoors? Or that an company is not allowed to say anything if the NSA is demanding such a backdoor?

Are you really that naive? Incredible!

Re:Who cares? (4, Insightful)

jones_supa (887896) | about 10 months ago | (#45618265)

And I bet Microsoft will just hand over the encryption keys / passwords to the NSA.

Things like these are still a step forward, as NSA has to actually ask for the keys from companies, instead of just passively snooping everywhere it wants to.

Re:Who cares? (2)

tylikcat (1578365) | about 10 months ago | (#45618329)

Though it's worth noting that Microsoft has a history of being particularly inept in implementing encryption. Best intentions, sadly, does not make for secure code.

Re:Who cares? (1)

PPH (736903) | about 10 months ago | (#45618883)

And I bet Microsoft will just hand over the encryption keys / passwords to the NSA.

Why does Microsoft even need my private key? Take e-mail, for example. I have a private key locally and a public key that I share with those needing to correspond with me. Someone needs to send me a message, they look up my pubkey, encrypt their message and send it through the tubes. I decrypt it upon reciept using my privkey. Why is Microsoft not in the business of managing public keys for its users and forwarding messages? That's basically all we need. Its the founding principle of the Internet. Push all the intelligence out to the end nodes built around a dumb packet routing system.

Re:Who cares? (1)

unixisc (2429386) | about 10 months ago | (#45618953)

How is an FOSS encryption program the answer? Since it's open source, even NSA personnel will be able to read the encryption algorithms and design software to decrypt it, and snoop. Given that, the cure seems worse than the disease.

Re:Who cares? (3, Informative)

hawkinspeter (831501) | about 10 months ago | (#45619261)

You seem to be confusing good security design and security through obscurity. A good encryption algorithm is still a good encryption algorithm when it's generally known how it works as it would rely on a separate "secret" or "key". Like a house door - I can know how it works, but without the key it's not going to be easy to open.

Bad security uses "security through obscurity". Those types of systems become useless once you know how they work. Examples of this would include puzzle locks, ROT13 encryption etc.

The key isn't in the source code, moron. (0)

Anonymous Coward | about 10 months ago | (#45619479)

"Since it's open source, even NSA personnel will be able to read the encryption algorithms and design software to decrypt it"

Since there isn't the key that you need to decrypt the data in the algorithm, then even if it's open source, NSA personnel will be able to read the algorithms (that they already read from the primary literature, not souce code) but be completely unable to decrypt your stuff with that information.

EFF is tilting at a tank here. (1, Insightful)

Anonymous Coward | about 10 months ago | (#45618017)

Gutsy, they're basically pissing on the entire box-package software development industry, and no small number of hardware/firmware companies, when they say you can't trust closed-source.
It's right of course, but if truth and justice mattered enough to the people who make decisions about how large corporations and governments are run we wouldn't be in this mess now would we?

Re:EFF is tilting at a tank here. (4, Insightful)

MikeBabcock (65886) | about 10 months ago | (#45618097)

Welcome to the good fight -- the FSF has been at it for a long time, and now the EFF realizes that you can't have freedom without knowledge. That is after all why we believe in a free press in the west, right? Whether the press lives up to its obligations or not, the idea is that without full disclosure, people cannot make good decisions.

Re:EFF is tilting at a tank here. (0)

Anonymous Coward | about 10 months ago | (#45618109)

FSF, not EFF

Re:EFF is tilting at a tank here. (0)

Anonymous Coward | about 10 months ago | (#45618209)

Oh fuck all these TLAs, this late in the workday my eyes start getting blurry.
Apparently the EFF thinks that Microsoft is trying to help secure the web, that bullshit is more newsworthy than the FSF taking yet another opportunity to say FOSS good, not-FOSS bad. I'm really interested in their methodology there: How can you prove that Microsoft is meaningfully performing useful server encryption without backdoors?

https://www.eff.org/deeplinks/2013/11/encrypt-web-report-whos-doing-what [eff.org]

Re:EFF is tilting at a tank here. (1)

Maury Markowitz (452832) | about 10 months ago | (#45618239)

"they're basically pissing on the entire box-package software development industry"

Based on an underlying argument that is entirely unrelated.

If MS decided to install encryption on their own telephone system, I'm sure the FSF would put out the same, equally unrelated, press release.

And /. would slavishly run it for them.

Trust (2)

SirGarlon (845873) | about 10 months ago | (#45618401)

I don't see what's unrelated about the FSF's argument. The debate pretty simple and it goes more or less like this:

MS: Trust us! We're good guys! We'll start using encryption, we promise.

EFF: People should trust what they can verify. Until you have the full details of MS's implementation in front of you, there is no way to be sure they've done it right. And until you have the right to modify the code for yourself, there is no way to be sure that security holes will get patched promptly and correctly.

As far as I can tell, the counter-arguments against FSF's position boil down to "well I trust {Microsoft, Google, Apple, Oracle} anyway, so there!" and "who cares if you can trust your computing infrastructure anyway, get over it!" If you have something more to add to those illuminating arguments, please do so.

Re:Trust (3, Insightful)

mjtaylor24601 (820998) | about 10 months ago | (#45618823)

As far as I can tell, the counter-arguments against FSF's position boil down to "well I trust {Microsoft, Google, Apple, Oracle} anyway, so there!" and "who cares if you can trust your computing infrastructure anyway, get over it!" If you have something more to add to those illuminating arguments, please do so.

In fairness I think the counter argument is a little more nuanced than you're representing it. It's more along the lines of: non-programmers are in no position to verify that things have been done correctly even if the program is open source. And even experienced programmers can't, as a practical matter, be expected to meticulously review the millions of lines of code that goes into the various programs they use, nor are they likely to build all of their own software from source all the time. So realistically, even if the software is open source you still have to trust some else to verify it. All open source does is change who the person is that your'e trusting from Microsoft to $YOUR_FAVOURITE_FREE_SOFTWARE_GROUP.

Now perhaps you trust the general open source community more than you trust Microsoft (or Google or Apple or whoever). That's perfectly fine. But I can certainly see how a reasonable person could look at that position and go "why should I trust random strangers on the internet if I'm not willing to trust Microsoft?". Now perhaps that's not good argument. But I think it's at least a little bit more substantive than the strawman you've presented.

Re:Trust (2)

SirGarlon (845873) | about 10 months ago | (#45619025)

Thank you for the insight into what until now seemed a baffling and unreasonable position.

I think the FSF (and my) argument would carry more weight, then, if we were to replace the phrase "random strangers on the Internet" with "independent experts." Everyone can appreciate the value of having independent experts review a system; and, the refusal of a company to expose its software to independent review should be grounds for suspicion.

Re:Trust (2)

mjtaylor24601 (820998) | about 10 months ago | (#45619585)

Agreed. But then there are the follow up considerations of

a) Is it the case that open source software is in fact being subject to subjected to scrutiny by independent experts? I would say that certainly some of it is, but I would hazard a guess that not all of it is.

b) How does an uninformed laymen differentiate between an "independent expert" and a "random stranger on the internet". In the absence of doing actual research it's much easier for people outside the field to simply trust the blue chip fortune 500 company.

In my (admittedly casual) experience, such arguments by the FSF rarely get into this level of detail, which causes people that don't really grok the whole open source thing, or people that are cynical about open source in general or the FSF in particular, to question whether the FSF is actually concerned with security or whether they are simply using this as an excuse to push their ideological agenda.

Box-package? (0)

Anonymous Coward | about 10 months ago | (#45618399)

> Gutsy, they're basically pissing on the entire box-package software development industry [...]
Now, now. I remember buying a boxed package of SuSE Linux back then. It gave me the power to recompile every bit of software in the box :-)

Re:EFF is tilting at a tank here. (2)

K. S. Kyosuke (729550) | about 10 months ago | (#45618609)

Gutsy, they're basically pissing on the entire box-package software development industry, and no small number of hardware/firmware companies, when they say you can't trust closed-source.

That's not gutsy, that's being Captain Obvious. I won't shed any tears for the "box-package software development industry", though; that's never been the major part of the SW industry, unlike custom-built systems. It's not like there would be massive unemployment if that went away.

Predictable (3, Insightful)

donscarletti (569232) | about 10 months ago | (#45618031)

So, Microsoft finally does something no geek could object to and the FSF's response is "even if this looks like a good thing, this can't be a good thing because it's proprietary". It just makes me wonder why they bother making a statement; it's proprietary, it always is and it always has been.

Re:Predictable (3, Insightful)

Sockatume (732728) | about 10 months ago | (#45618081)

"Without access, you can only take them on trust" would seem to be the FSF's actual argument. I don't honestly believe that people would actually compile all their tools from source code they've reviewed personally to check for security holes, but at least represent their argument accurately.

Re:Predictable (4, Interesting)

JustNiz (692889) | about 10 months ago | (#45618413)

>> I don't honestly believe that people would actually compile all their tools from source code they've reviewed personally to check for security holes

We do use some open source in our aviation products. We are required to heavily review literally every line of source code (both ours and open source) in order to get our product certified for aircraft use.

Re:Predictable (0)

Anonymous Coward | about 10 months ago | (#45618101)

Shill. You're avoiding the point entirely. The reason we are in this mess is because of private interests caving to political pressure instead of doing the right thing. Predictable indeed.

AC

Re:Predictable (0)

jbmartin6 (1232050) | about 10 months ago | (#45618371)

private interests caving to political pressure instead of doing the right thing

You do that every time you pay your taxes instead of going to jail.

Re:Predictable (1)

Dan Ost (415913) | about 10 months ago | (#45619063)

I pay my taxes because I benefit from things like roads and schools and fire departments and such.

Do you get zero benefit from the things your taxes pay for?

Re:Predictable (0)

Anonymous Coward | about 10 months ago | (#45619151)

roads, schools and fire departments are paid by local or state taxes.
I get zero benefit from Federal Taxes I pay. In addition my representation in the Senate to confirm presidential nominees was just taken away by the DNC, so I have even less representation that I had at the beginning of the year.

Re:Predictable (0)

Anonymous Coward | about 10 months ago | (#45618107)

They made a statement because the Snowden revelations have detailed that the large scale US software and hardware people have been complying silently with nearly every request made by the NSA. A lot of IT-purchasing people didn't like the sound of that, so Microsoft initiated some damage control to discourage people from abandoning their products.
I mean duh, why else would Microsoft press flaks say anything at all? It's all about the bottom line for Microsoft, one way or another. If it weren't then Microsoft would have been obliged to liquidate those offices and pass out their budget as shareholder dividends.

Re:Predictable (2)

smpoole7 (1467717) | about 10 months ago | (#45618121)

> So, Microsoft finally does something no geek could object to and the FSF's response is "even if this looks like a good thing, this can't be a good thing because it's proprietary".

Ah, I finally get to use a car analogy!

Your car has broken down and you can't fix it, because you don't have a machine that will interpret the failure codes. The manufacturer will only provide those codes to their own shops.

After complaints, the manufacturer offers free roadside assistance.

That's laudable. Give them snaps for that. But I'd still rather have the service information so that I can go to Autozone, buy the parts myself and fix it myself, if I choose to do so.

Re:Predictable (2)

Maury Markowitz (452832) | about 10 months ago | (#45618351)

"Ah, I finally get to use a car analogy!"

Umm, why is the car in your analogy *used*? At no point is this a requirement.

"Your car has broken down and you can't fix it"

Apparently you haven't *actually read* what MS is doing.

MS is securing their communications infrastructure. This has nothing to do with their products or software.The FSF complaint is *completely bogus*.

A somewhat better analogy might be "My neighbour's house was broken into because they had poor quality locks on the door, so I'm going to change my locks for better models." The quality of your silverware is unrelated to the actions being taken.

Re:Predictable (5, Insightful)

MikeBabcock (65886) | about 10 months ago | (#45618123)

No, Microsoft *claims* to do something nobody could object to -- you're missing the whole point of the statement.

If Microsoft told you they were implementing security and it turned out they were using DES with a key hashed from the word 'Scroogled', would you be pleased? What if they're using good encryption but the keys never rotate? What if the keys rotate but they're on a fixed loop of 16 keys? How would you know?

As an everyday non-programmer, a casual user wouldn't know the difference either way. If however that user is on a fully open source operating system, they at least know that -some- others using that system have had a peek under the hood and still trusted it.

Re:Predictable (0)

Desler (1608317) | about 10 months ago | (#45618177)

What does having access to Windows source code have to do with Microsoft encrypting data that It stores? The two things have no relation at all. Even if all those servers ran Linux how would reading the Linux source code tell you anything about how Microsoft is storing data on their servers?

Re:Predictable (1)

Anonymous Coward | about 10 months ago | (#45618285)

It doesn't even matter if microsoft encrypts the data or not.
When asked by the NSA they will hand over the keys just the same.

Why is MS encrypting your stuff? (0)

Anonymous Coward | about 10 months ago | (#45618529)

If you encrypt with your own code, then the NSA can ask MS all they want, MS do not have the decrypt code.

Except if MS have a backdoor into their software that stores the plaintext key and encrypts that with an MS master key, in which case, MS can be asked for the key to your data. Then again, if it were open source, everyone would see what they were doing and remove the backdoor, meaning it's pointless asking MS for the key to your stuff again.

That is why MS's claims are bullshit and the FSF claims about it being so are spot on.

Re:Why is MS encrypting your stuff? (1)

Desler (1608317) | about 10 months ago | (#45618705)

Then again, if it were open source, everyone would see what they were doing and remove the backdoor, meaning it's pointless asking MS for the key to your stuff again.

Unless it's done server-side. Again, having the source code to the OS, etc. tells you nothing about how data is stored or being used on their servers.

Which again is a problem with trusting MS (0)

Anonymous Coward | about 10 months ago | (#45619145)

If it's done server side, then you must be being forbidden from doing it client side. Which can only be the case if you are unable, technically, to run your own client that can encrypt then send that encrypt to the server.

So, yet again, you fail to show why your fatalism means we should just accept the shaft.

PS way to non-sequitur, dude.

I say: Except if MS have a backdoor into their software that stores the plaintext key and encrypts that with an MS master key

You say:Unless it's done server-side.

What you said has zero concordance with what I said. If they have a backdoor into their software that stores the plaintext key, then if it's done server side, all that changes is they don't need to encrypt their storage of your key. It still doesn't address the reason why you need to have source code before you can consider trust.

Re:Predictable (1)

Desler (1608317) | about 10 months ago | (#45618677)

Yes, which was my point. Having access to source code means jack and shit to how data is stored or shared.

Re:Predictable (0)

Anonymous Coward | about 10 months ago | (#45618407)

This reminds me of some closed source software I worked with at a previous company [1] that said it was generating a 4096 bit key. However, upon closer inspection, it generated 64 keys of 64 bits each, so in reality, you had 69 bits of protection at most, and with RSA-512 fallen, it would be trivial for an attacker to obtain the keys. It was closed source, but upon running a debugger, it showed the multiple RSA calls for the small keys. Apparently, this was done because big O with RSA is O(n^3), so the consultant who wrote it thought he was saving on speed with the RSA operations.

[1]: Thank $DEITY it was internal software used for encrypting files moved between offices back in the days of using E-mail for most everything, and never let outside the firm. When I pointed out the flaws and recommended PGP or gnuPG for the internal stuff, I got told from management only "criminals care how security should work. This is just like the stupid teenager who finds out how to yank an anti-shoplifting device off a purse." Needless to say, I moved on.

Re:Predictable (3, Insightful)

foma84 (2079302) | about 10 months ago | (#45618147)

Yes, I immagine that from an anti-open perspective it does sound like that.
Good thing that you don't actually need to be particularly pro-open to see that they have a point. No closed software can be considered secure, ever; no steps to assure more security "regardless of promises or even intent" can change that.
"Even if this looks like a good thing, this can't be a good thing because it's proprietary". How can you disagree? They bother making the statement, because it's their mission, and to warn off non tech-savvy people who might fall for it.

Re:Predictable (3, Insightful)

marcello_dl (667940) | about 10 months ago | (#45618169)

> So, Microsoft finally does something no geek could object to...

A PR exercise, you mean?

Did I get it wrong or the NSA or some other agency can force a business to reveal its costumers' data AND keep silent about it?
If so, every privacy and encryption statement should include this fact. It doesn't? Then it's a PR exercise.

Do you NOT object to PR exercise about something as delicate as online security? I do.

Re:Predictable (5, Insightful)

Jawnn (445279) | about 10 months ago | (#45618211)

So, Microsoft finally does something no geek could object to...

I see what you did there. You tried to insert a faulty premise to support your argument. Any geek worth the title understands that any encryption technology that can not be vetted is, by definition, not trustworthy. So this latest PR stunt by Microsoft is just that, a PR stunt.

Re:Predictable (2)

LordLimecat (1103839) | about 10 months ago | (#45618393)

How a datacenter encrypts its data is never going to be something the average user can vet, ever. No user should even have access to that data, which is why it wasnt encrypted to begin with: You need to have some pretty solid connections to manage getting access to that stuff.

Theres also no way to vet whether the keys are being provided to a third party, whether or not the backend software is FOSS or not. If Red Hat made the same announcement, there would be no reason the same "objection" couldnt apply.

Re:Predictable (0)

Anonymous Coward | about 10 months ago | (#45618901)

Do you understand the lock on your house's front door? Have you inspected every mechanical element to ensure it cannot be compromised? Do you routinely check it for tampering?

No, you say? You've evidently put some trust in a locksmith. You sad, sad fool.

Re:Predictable (0)

Anonymous Coward | about 10 months ago | (#45618375)

So, Microsoft finally does something no geek could object to and the FSF's response is "even if this looks like a good thing, this can't be a good thing because it's proprietary". It just makes me wonder why they bother making a statement; it's proprietary, it always is and it always has been.

Predictable and wrong. Enterprise partners (of which there are many) do indeed get a look at Microsoft's source code. It's not as Free as the Free Software Foundation would like it to be (go figure) but it is scrutinized by many. Just because you might not trust them, does not mean you have the right to disparage their work. How do you know you can trust everyone who has had their hand in the Open SSH source? FOSS projects have grown so much over the past 10 years that the old notion of "if there is bad code someone would see it and report it" can not at all be assumed.

Re:Predictable (1)

Dan Ost (415913) | about 10 months ago | (#45619129)

How do they know the code they've been given is the actual code used to generate the shipped binaries?

Can those Enterprise partners compile the code they've been given in order to compare the binaries with the binaries that MS ships?

Kittens (0)

Anonymous Coward | about 10 months ago | (#45618489)

They bypassed the encryption on their own cloud service to let the NSA have access. So all those company secrets you trusted are now in the hands of a spy agency whose job includes industrial spying.

But hey, they gave us a kitten, so we're cool!

Re:Predictable (0)

Anonymous Coward | about 10 months ago | (#45618575)

Only a wop could be this fucking retarded.

Re:Predictable (1)

wispoftow (653759) | about 10 months ago | (#45619437)

Maybe you don't understand the issues at hand. Let me employ a metaphor:

Imagine a man who wants to have sex with a woman, but not get her pregnant. So, he goes and gets a vasectomy, but only ties one tube.

OS projects should accept SRC contributions only (0)

Anonymous Coward | about 10 months ago | (#45618049)

Linux and other OS projects have the same issue because they accept binary contributions. These projects should accept source contributions only

#badbios - probing for deeper looks at (0)

Anonymous Coward | about 10 months ago | (#45618073)

@Clive Robinson

A lot of people are wondering why dragosr was the only one to run across this malware. In fact, he wasn't. The people who were before him were mocked and most threads closed and either deleted or shuffled to areas of message boards where Joe Q public couldn't see it and question this for themselves. [some] Major Anti-Virus companies included.

Users didn't want to know, companies didn't want to know. Unless you were "known" in the field, like dragosr, and even then, you are handled like you may be retarded or just need a vacation.

Here is one of dozens of reports:

LCD Monitor Broadcasts Noise To Radio! Why? (FRS)
http://forums.radioreference.com/computer/255488-lcd-monitor-broadcasts-noise-radio-why.html [radioreference.com]

Final post in that thread:

"BOTTOM LINE: No matter WHAT you do, all devices that use electricity will emit some sort of interference in the air and there's nothing you can do about it without unplugging/turning it off. "

including:

"Have you noticed any nondescript white vans or black helicopters in your neighborhood?

What do you do or have you done to make "them" take such an interest in you that "they" have to bug you?

You need a bigger tinfoil hat, perhaps a full body suit."

Another thread:

Gpu based paravirtualization rootkit, all os vulne

http://forum.sysinternals.com/gpu-based-paravirtualization-rootkit-all-os-vulne_topic26706.html [sysinternals.com]

This:

U.N. report reveals secret law enforcement techniques

"Point 201: Mentions a new covert communications technique using software defined high frequency radio receivers routed through the computer creating no logs, using no central server and extremely difficult for law enforcement to intercept."

http://www.unodc.org/documents/frontpage/Use_of_Internet_for_Terrorist_Purposes.pdf [unodc.org]

http://www.hacker10.com/other-computing/u-n-report-reveals-secret-law-enforcement-techniques/ [hacker10.com]

I think this is something which has been brewing for years, but "forces" beyond our sight have managed to stifle any serious investigation into the technology. Some have announced they are retreating to ancient technology of the 70's and 80's, others are looking towards open source hardware and software combinations.

Is it time Wireshark included audio monitoring as well? Off to play with a recording device and Audacity.

https://www.schneier.com/blog/archives/2013/11/friday_squid_bl_402.html#c2751193 [schneier.com]

NSA (1)

jones_supa (887896) | about 10 months ago | (#45618193)

If the NSA revelations have taught us anything, it is that journalists, governments, schools, advocacy organizations, companies, and individuals, must be using operating systems whose code can be reviewed and modified without Microsoft or any other third party's blessing. When we don't have that, back doors and privacy violations are inevitable.

No, they have not taught us that. Most of the NSA revelations have been about snooping telecommunications networks. Using open source software would not have made it any different.

not entire accurate (0)

Anonymous Coward | about 10 months ago | (#45618335)

If the NSA revelations have taught us anything, it is that journalists, governments, schools, advocacy organizations, companies, and individuals, must be using operating systems whose code can be reviewed and modified without Microsoft or any other third party's blessing

furthermore, all what would be needed is for one trusted person to be able to compile the source and verify that it matches the current copy being distributed. i recall an article previously posted here that someone had successfully compiled truecrypt to match the binary being distributed and thats terrific.

its important not only to have the source, but to verify that the software that people are using, is in fact being derived from the source code.

if we can have that then im happy.

Why is free software immune? (3, Insightful)

mi (197448) | about 10 months ago | (#45618421)

must be using operating systems whose code can be reviewed and modified without Microsoft or any other third party's blessing

Though I agree, that a corporation can be forced by an authoritarian government to put a backdoor into their product, I don't believe, open-source software is immune against backdoors either.

There are scores [stackexchange.com] of people with commit-access to Linux kernel, for example. If the NSA — or its counterpart from any other rich country in the world — put their mind to it, they could use any one (or more) of them to weaken the security functionality in there.

It does not need to be obvious — making the /dev/random's output slightly less random, for example, may reduce the time it takes to tap an ssh or ssl connection with this host from many years down to days. Same goes for PGP-keys generated on the affected host... Nor does it need to involve blatant coercion — the committer may simply receive a patch by e-mail with a fix to some other bug or an improvement, and fail to spot the weakening.

It could, in fact, have already been done years ago for all we know. Who knows, if this little problem [slashdot.org] was not deliberately introduced? And even if it was not — who knows, whether various security agencies exploited it from 2006 to 2013 the way Alan Turing et al exploited mistakes of the German radio-operators during WW2 [wikipedia.org] ?

Is it easier to plant a backdoor into an open-source project than a closed-source one — and keep it there for a useful period of time? I'm not at all sure, what I'd bet on, to be perfectly honest. Both can done and, by all appearances, both have been done...

Re:Why is free software immune? (0)

Anonymous Coward | about 10 months ago | (#45618621)

How many times does this shit have to be trotted out before you idiots can understand the difference?! Honestly....

What's easier to spot... a backdoor in software where you can see the source, or one where you can't?

Shall we break this down into even simpler pieces for you?

Is it easier to see the light through a window or a brick wall?

Re:Why is free software immune? (0)

Anonymous Coward | about 10 months ago | (#45618685)

What's easier to spot... a backdoor in software where you can see the source, or one where you can't?

Try it for yourself. [xcott.com] The difference is equivalent to the difference in the odds of winning a lottery with or without buying a ticket.

Re:Why is free software immune? (1)

PPH (736903) | about 10 months ago | (#45618775)

Is it easier to plant a backdoor into an open-source project than a closed-source one â" and keep it there for a useful period of time?

That's a good question. The methods used would necessarily be different. Keeping it there would depend on delaying its discovery and inhibiting its repair, once found. Leaving the discovery issue aside for the moment (number of eyes on the code, etc.), it is much easier to prevent the removal of a back door when the code base is owned by a private organization with identifiable representatives. Should the NSA lean on both the Microsoft and Linux communities to maintain an exploit, Microsoft can be pressured to comply*. In the Linux community, being international, such pressure would be more difficult to apply.

I wouldn't be surprised if Microsoft is aware of various government sanctioned exploits from their inception. Not just those created by the NSA, but by each government where Microsoft wishes to do business.

*Its interesting to note that Microsoft's anti trust settlement was negotiated and overseen by a member of the FISA court. The mandate to open APIs and source probably stopped short of revealing all the built-in back doors.

Re:Why is free software immune? (1)

ducomputergeek (595742) | about 10 months ago | (#45619075)

People seem to miss that there are employees, in particular field service employees, at all the major vendors who earn a nice second pay check from 3 letter agencies and their employer is none the wiser.

My dad spent a 30 year career in the finance and accounting area of one of the big defense contractors. His areas dealt with a lot of high security clearance stuff and there were always FBI and spooks in their office. They knew they were there, but they had no idea who the spook or agent was. They paid the people a salary just like anyone else. Was it the computer geek? The Janitor? The Facilities guy? One of the engineers? An office cleft? Or the guy/gal standing next to them? They never knew.

There are contributors to open source projects who work for these agencies either directly or as assets paid or otherwise.

PR Campaing (-1)

Anonymous Coward | about 10 months ago | (#45618449)

Slashdot itself doesn't encrypt its homepage by default, as the expense of the privacy of its users, in order to worship the mighty dollar.

US Tech companies in general, especially telecom and cloud-based providers are losing business by the billions.

For example, yandex has been see big growth in email accounts sign-ups, at the cost of Outlook.com and Gmail addresses.

Corporations only do something once it hits their pocket book.

They made their bed, now they must sleep in it.

Lock argument doesn't hold (4, Insightful)

t'mbert (301531) | about 10 months ago | (#45618463)

Let's face it: as far as we know, the door lock manufacturers also have a master key to all our houses. The schematics and design of the lock are not publicly available, and most people lack the skills to know if the schematics they are looking at are secure or not. It's the same with an OS. And while I *could* take the lock apart and figure out how it works, I still wouldn't know if my particular lock were secure or not, because I have not seen enough locks to know if this particular one is good or not.

Anytime this condition arises, we replace our own lack of knowledge with a trust in experts. We have to defer the judgement of security worthiness to an expert we trust, in which case we are again disinter-mediated from knowing if the lock is actually secure or not. We all trust *someone* with very specific knowledge to help us make decisions, whether that be medical, scientific, security or otherwise, and in each of those cases, we can find examples of where the expert has let us down.

Re:Lock argument doesn't hold (0)

Anonymous Coward | about 10 months ago | (#45618573)

Your logic is flawed or incomplete. The master key for one cylinder would not open all locks, but the master digital key will open all locks.

Re:Lock argument doesn't hold (0)

Anonymous Coward | about 10 months ago | (#45618689)

Um, yeah it would, that's what "master key" means ...

Re:Lock argument doesn't hold (0)

Anonymous Coward | about 10 months ago | (#45618923)

Unless the lock has been specially manufactured to actually allow the use of one master key on everything. Or can be easily picked with simple tools and special knowledge.

This could very well be the case. You have to trust someone at some point. Securing everything yourself is a fantasy.

Re:Lock argument doesn't hold (3, Insightful)

whoever57 (658626) | about 10 months ago | (#45619625)

Let's face it: as far as we know, the door lock manufacturers also have a master key to all our houses. The schematics and design of the lock are not publicly available, and most people lack the skills to know if the schematics they are looking at are secure or not.

Flawed comparison. In fact, locks are much more like open-source software.

Locks can be disassembled and people can review the design. Much like open source software, most people would not be able to tell if a lock design was secure, but enough independent experts can disassemble a lock and review its security.

Yes, you are reliant on experts for the truth about lock security, but you are not reliant solely on the manufacturer's assertions, which is the case with clsoed-source software.

Too many preachers open source code = nanny state (1, Interesting)

pigsycyberbully (3450203) | about 10 months ago | (#45618481)

I was on the Linux desktop KDE, and somebody sent me a link when I clicked on the link the file was a torrent file and KDE torrent file program opened up and with a pop-up message it calls tips it give me a lecture about copyright. I quickly deleted KDE.. I've never had a desktop even a Windows desktop or an apples desktop lecture me about copyright and call it tips. I'm such a stubborn free minded person KDE was obviously never going to work on me I hate social manipulation.

Re:Too many preachers open source code = nanny sta (0)

Anonymous Coward | about 10 months ago | (#45618593)

->>>The mental condition is not working on this one. Quick quick, get a cross, put up a some stakes, he can contaminate the rest of the minds.

Re:Too many preachers open source code = nanny sta (1)

jones_supa (887896) | about 10 months ago | (#45618625)

Vim also has an introductory message which suggests to donate for poor children in Uganda. That's probably not a bad idea, but it's a bit awkward to have that text at that spot.

FSF is full of themself (1, Insightful)

Lawrence_Bird (67278) | about 10 months ago | (#45618643)

It really is arrogant of FSF to imply that a user trusting one or a small group of individuals running an opensource project is somehow better off and more secure than microsoft.

Unless a user audits the code, compiles the code (with a known to be good compiler) and manages all elements of the server and routing, there is NO assurance of security or privacy. And never mind the fact that few users even compile from source anymore.

Offtopic: why am I being sent to the beta site to post comments? Very annoying as it does not remember my login credentials and noscript is reporting XSS issues.

Re:FSF is full of themself (1)

Sockatume (732728) | about 10 months ago | (#45619265)

Arrogant, but accurate. Sounds like the FSF to me.

Re:FSF is full of themself (4, Insightful)

whoever57 (658626) | about 10 months ago | (#45619685)

Unless a user audits the code, compiles the code (with a known to be good compiler) and manages all elements of the server and routing, there is NO assurance of security or privacy. And never mind the fact that few users even compile from source anymore.

Security isn't a binary function. Open source is more secure than closed source because many independent people can download the source and review it, many people can build binaries, etc..

OS vs CS (0)

Anonymous Coward | about 10 months ago | (#45619447)

Seriously though, an operating system is a set of orders to your processor (and other components thereon) to do all that we do on PCs. Microsoft is defending the position to be able to whisper to your processor so you don't know what they said. I agree that there may be trade secrets until competitors catch up not to mention open source also goes overlooked, and could even lead to a worse if you think you're free there is no escape possible scenario for the lazy but still at least with open source anyone can, so it would require bawls the size of Texas to put backdoors in opensource software.

Think a little folks, we did all this before, just not with computers. What is ownership? When we buy something, what rights does the seller retain over the item? If any?

A horrible analogy (2)

cyberchondriac (456626) | about 10 months ago | (#45619621)

A lock on your own house to which you do not have the master key is not a security system, it is a jail.

I get his overall point regarding source, I do, and I agree; but it would help his case if he didn't use such broken analogies. If I have a key, and the landlord has a master key, it does not mean I'm in "jail"; he's not going to lock me into my own home because I have a key of my own, just not a master key. It's just that the landlord can get into my home too. It's more like easy-peasy burglary, but "jail" was a rather stupid way to put it.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?