Feeds

back to article Microsoft: NSA snooping? Code backdoors? Our hands are clean!

Microsoft's isn't involved in mass spying or putting backdoors in its software, Redmond's VP of Trustworthy Computing Group Scott Charney told the RSA conference. Why? Because it's unethical and bad for business, he said. "We've not been concerned about the Snowden disclosures because we've been principled," he said. "We do …

COMMENTS

This topic is closed for new posts.
Silver badge

So the reason for binning Skype P2P and making it all run through central servers would be what, exactly?

Looking back on Microsoft's career; I have to say that 'ethical' is definitely not the first word that springs to mind.

"We do defense, not offence. We never do bulk data collection."

How then, could they list the exact number of zombies killed shortly after the XBox One launch? That's data; it's being collected and there seems to be quite a lot of it. Bulk. Data. Collection. That's the reason I'm not buying one...I love my 360 to bits; but it's not connected to the net because I don't want some fucker analysing my every action in order (and this is the kindest interpretation) to advertise at me.

21
1

This post has been deleted by its author

Bronze badge
WTF?

".. It has the Computer Online Forensic Evidence Extractor (COFEE) tool which can be installed on a USB key.."

For counting zombie killings, they are giving snooping software away on USBs on case to case basis.

0
0

Piffle

I remember the UK MS Marketing Director in the 90s saying in a magazine interview that MS would never break competitors products at a binary level, because to do so would be commercial suicide.

We all know how that turned out.

Don't believe a word MS say. They didn't become the worlds richest company by being ethical and honest.

6
0

I remember hearing the NSA was asking for a way to listen in on British owned Skype, and them telling them to get bent, then Microsoft buys them out and they stop asking. Hmm. I guess it could be a coincidence.

3
0
Bronze badge
Coffee/keyboard

BWA HA HA HA HA HA HA HA HA HA HA HA HA HA

HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA

Oooh, I wet 'em.

17
4
Big Brother

And what about services?

This so soon after news breaking out about Lumias sending info to Redmond. Nokia actually classified the OS as a third-party component when denying that Nokia violated privacy.

It's not so long ago since Microsoft accidentally implemented their Chinese censorship across the globe, too.

Of course, Microsoft tries to follow the laws in the companies where they do business. Even if they are draconian laws from totalitarian countries.

10
4

Re: And what about services?

@Decade

Did you read that article you linked to? Clickbait. Lumias, like all other manufacturers (and Windows, Internet Explorer, SQL Server, Visual Studio...) ask on startup if you'd like to share your location data, browsing history and so on to help improve their services. Some of the more benign (search queries for predictive search) are on by default. Just like Google does. Others are off by default.

But yeah, totes the end of the world, because when do we let facts get in the way of a good vent.

2
2
Silver badge
WTF?

Re: And what about services?

@ Spearchucker Jones

And did you read this:

Nokia emphasises that the user can, if he or she so desires, prevent the phone from communicating with foreign servers. This, however, requires that the user knows how this is done through the phone settings. Even this is not necessarily enough. Even though one would disable the data transfer of the phone’s features, the operating system is still in contact with foreign countries.

0
1

Re: And what about services?

@Lars

Go find a Windows Phone. Preferably a Nokia, because Drive and Maps also want to phone home. Reset the thing, and power it up. And after going through that process, come back here and we can have a conversation.

1
0

If there was a backdoor in Windows, it would presumably be a secret only known to a few people (with a certain amount of obfuscation needed to prevent the large number of Microsoft's developers who have access to most of the source code from seeing the bit where the back door was inserted). There is no reason why Scott Charney would know about it's existence; I would not expect him to have been told about it, if it existed.

Come to think about it, it would possibly be illegal for the people in the know to tell Charney about it, if they were subject to one of those court orders that forbids you from telling anyone except your lawyer about its existence.

22
1
Silver badge
Black Helicopters

@ SusanY

Or the code in question could just be a highly classified defense program. After all, how many people really knew the U.S. special forces actually had stealthicopters until they crashed one and left behind indisputable evidence during the Bin Laden raid!

(Icon is most appropriate in this case. Maybe it is time to decamp from Silicon Valley to a mountaintop bunker!)

6
0

The internet is fixated on this 'secret tunnel' type of backdoor idea which is pointless...

Easy to laugh at but having an actual -secret tunnel into the US presidents' oval office- kind of backdoor which could be identified as such would indeed be really stupid. Too many people capable of reverse engineering out there in the wild. Yet MS using it's unique position thats an entirely different story. Having insight into the source code of Windows and all it's affiliated products and not knowing about a bunch of -yet to be discovered by the outside world- security flaws? Highly unlikely! They even let friendly governments have a peek at it so I think it's quite clear where we stand...

Even though James Bond type of movies are fun to watch I think reality is different, simpler, without evil villains telling Mr. Bond their plans before he is supposed to die ;-)

4
3

Re: The internet is fixated on this 'secret tunnel' type of backdoor idea which is pointless...

And you don't think they could have a few versions of the code ? One for your gov to see and one we use for the NSA.

14
0

Re: The internet is fixated on this 'secret tunnel' type of backdoor idea which is pointless...

If I remember correctly the code given out for review is not complete. You cannot build it, you cannot compare the executable/installer to that Windows DVD you bought, so the whole exercise is a bit of a joke really.

15
0

Re: The internet is fixated on this 'secret tunnel' type of backdoor idea which is pointless...

Its too bad you can't run some similar software...you know, have an OS and other programs that you can compile yourself and verify if "backdoors" are there or not. Someone should really come up with some kind of open alternative to Windows.

12
1
Anonymous Coward

Re: The internet is fixated on this 'secret tunnel' type of backdoor idea which is pointless...

Anon because you're not supposed to make it known that you've done this kind of work....

During security certification, the complete source code is supplied to the UK's Ministry of Defence (I can't speak for other national institutions but it's probably the same deal).

It compiles. It runs. You can compare checksums against the windows SKU you're certifying for installation. And every module - to use the security checking team's term - is both tested for security and unit tested.

It takes forever and it's boring as all hell.

1
2
Silver badge

Re: The internet is fixated on this 'secret tunnel' type of backdoor idea which is pointless...

> Its too bad you can't run some similar software...you know, have an OS and other programs that

> you can compile yourself and verify if "backdoors" are there or not.

Let's take a minimized debian netinstall from CDs. Strip out everything and what you've got is 209.7MB of binaries on your hard drive after install.

Now, that's compiled binary code. The actual source that compiled down to the 209.7MB is going to run to more like about 4.2GB or, to put it in terms that actually make sense to a human being, about 4,200,000,000 characters of C++ which taking an arbitrary 180 characters per line (and whitespace is extra so I'm ignoring it) will be approximately 52,500,000 lines of code to read through and fully understand the operation of in context to every other line and obviously, a complete encyclopaedic knowledge of the relevant RFCs and where relevant, cryptographic algorithms to know whether or not you have a secure system. With no GUI or any userland programs installed.

People talk about how open source is safe because it's open. It's not safe unless you both read and understand it. Relying on somebody else to do that for you is the absolute inherent basic root of insecurity. If you do it yourself, then you can say it's secure but why should I believe you? Are you infallible?

4
3
Silver badge

Re: The internet is fixated on this 'secret tunnel' type of backdoor idea which is pointless...

Oops, did I challenge the orthodoxy and ruffle some fanboys with those irritating facts?

What a shame.

4
2

Re: The internet is fixated on this 'secret tunnel' type of backdoor idea which is pointless...

>> People talk about how open source is safe because it's open. It's not safe unless you both read and understand it. Relying on somebody else to do that for you is the absolute inherent basic root of insecurity. If you do it yourself, then you can say it's secure but why should I believe you? Are you infallible?

> Oops, did I challenge the orthodoxy and ruffle some fanboys with those irritating facts?

Well, I haven't downvoted you but...

I don't agree with your claim that there's only value in open source being fully auditable when you entirely audit it yourself. The fact that everyone can and many do have a look and voice their concerns, from University students to security experts and that even I could if I wanted to do my bit, does give me a stronger confidence in the security of open source solutions than closed ones. The crowd-funded audit of Truecrypt is a good example.

I think your point does hold though in the sense that the necessary complexity of software and the lack of a large body of independent auditors and the existence of agencies such as the NSA and GCHQ who are actively working to subvert systems means that you cannot really trust any piece of software.

Given that, I feel more comfortable with open source. Not using software at all is not a really option for me.

2
0
Silver badge

@ Pseudonymous Coward

That was a minor rant which had been coming for a while, I'm afraid.

I just get so sick of the commentards claiming that open == trustworthy when you know, I know and most of them know (if they'd actually admit it) that the number of people who make that claim is several orders of magnitude larger than the number of people who actually do read F/OSS code or, heaven forbid, understand it.

I am willing to bet that exactly nobody (besides me and perhaps the anon who was involved in sec clearing code) in this comment thread has ever done a bare-metal install with code compiled on an isolated box, compared checksums or made any commits to a major F/OSS project.

Why? Because it's a lot of work for very little reward. Given that assumption and further, given the knowledge that a lot of closed-source code IS security certified and used by the very entities we suspect of spying on us, we can be relatively certain that the openness of the codebase is at best a placebo.

2
0

Re: The internet is fixated on this 'secret tunnel' type of backdoor idea which is pointless...

"which could be identified as such would indeed be really stupid. Too many people capable of reverse engineering "

Well, yes. Except for that pesky DMCA which government attorneys can, will, and already have used to threaten people and companies into silence. Go ahead and reverse engineer. Just don't tell anyone, 'cause if you get caught, it's Guantanamo Bay and rendition . . .

0
0
Bronze badge
FAIL

WGA ?

full software list back to Redmond, every day. No, thats not data collection. Earlier commentard correct, trust is now so eroded no-one except fanbois believe anything from anyone. This could be interesting if advertising effectiveness falls.

14
2
Silver badge
Unhappy

I rather think that MS is right and they haven't inserted a back door in their code

But that doesn't mean I am SURE of that, or that they haven't been backdoored without their knowledge by some number of national SigInt agencies....

2
0
Bronze badge

As is mentioned in the end of the article, there's no reason to believe anything a US company says about what it does and does not do to and with data, because we know that they could be required by law to lie about it.

What we don't know - and seemingly have no plausible way of finding out - is how often and to what extent such orders are given. As it seems they aren't hard to come by though, one would assume that more than a couple of those orders have been handed out (National Security Letter is the name, right?)

9
1
Silver badge

Microsoft has a long and rich history of doing what they now claim would be 'economic suicide'.

It started with an early version of windows that sent your entire directly tree structure down the line when you connected to the internet. Covertly.

Apparently, doing that doesn't count as 'economic suicide' either.

11
1
Silver badge
Childcatcher

I need a reference on this.

0
0
Silver badge

So what they are saying is

That when the NSA came to them with a secret security letter demanding a backdoor to protect the homeland from terrorists they told them to to fsck off AND the US government quietly went away deeply apologetic and didn't do anything in revenge?

11
0
Bronze badge
Black Helicopters

Re: So what they are saying is

the US government quietly went away deeply apologetic and didn't do anything in revenge?

Qwest.

1
0
Anonymous Coward

Guru here, I SAID A GURU HERE!!!

> "The best Microsoft can say is that we are secure except for the vulnerabilities that we don't know about and the ones we are prohibited by law from telling you about"

Thank you captain obvious. Isn't this how most software companies function - secure against everything they know of?

4
6
Silver badge
Black Helicopters

Re: Guru here, I SAID A GURU HERE!!!

That's your POV. Mine is that Mr. Schneier managed to tell us exactly what the real problem is, in a single phrase and without breaking any US Law.

Any American company -that can receive one of those 'National Security Letters'- can't be trusted, by definition.

11
1
Silver badge

Re: Guru here, I SAID A GURU HERE!!!

Or any foreign company with a US office/subsiduary, or any British company who is subject to a "friendly chat" from the chaps at MI5/GCHQ.

2
0

As someone who used to work in law enforcement, Scott Charney should know that compliance with court orders is not optional.

If you're a small company, and the cops turn up with a valid court order that lets them sieze your computers as evidence of some crime or other, saying "but that would bankrupt my company" will not necessarily stop them taking your computers away.

In principle, at least, a court order or National Security Letter can compel Microsoft employees to do something that has the side-effect of bankrupting the company (and also enables them to lie to Microsoft's shareholders about what they're done, because of the secrecy provisions in the court order). A company the size of Microsoft can afford a decent legal department, so you'ld kind of expect them to have gone to court to challenge such an order, if it existed. This court case would in all likelihood have occured in secret, and it would be illegal for Microsoft to tell us that they lost.

10
0

> But Redmond would not participate in illegal searches, Charney said, and would fight in the courts against such orders.

That'd be mildly reassuring if the general understanding was that what the NSA do/demand is partly illegal.

6
0
Bronze badge
Facepalm

Who you gonna believe?

Me: "Who are you, sneaking about in my house?

Them: "Home inspectors"

Me: What are those bags over your shoulders?

Them: "What bags?"

Me: "Those big black bags full of my stuff!"

Them: "What stuff?"

Me: "That stuff! My stuff in those bags ... those bag's over your shoulders!"

Them (easing toward the front door) "Sir, you are sadly mistaken. We are Home Safety Inspectors, here to assure you of a satisfactory home experience!"

Me: "You look like burglars!"

Them: (running out the door) "Oh, no, sir. Trust us! Your home is quite safe with us!"

Me: (scratching head) "So they say. But everytime they visit, I'm missing bags of stuff!"

10
1

SO is this like the UK Government's GCHQ looks over the code, finds a flaw, tells Micro$oft but ALSO lets the USA's NSA in on the flaw so it can be exploited? Very reassuring indeed.

"In order to reassure foreign governments that Microsoft's code is secure from such shenanigans, Redmond makes its source code available to other country's governments for checking. If they find flaws, they are fixed at Microsoft, but it's another way of reassuring customers."

4
1
Silver badge

Someone really looked at the source code?

The terms and conditions that come with it are that if you could have glimpsed some Microsoft code, and you write some software, Microsoft can sue you for copying it. No programmer capable of reading a non-disclosure agreement would touch that with a barge pole.

Next up, you cannot compile Microsoft's source code - it is not all there and the terms and conditions say you can't. In real life, to understand a huge pile of source code, you have to insert some extra code to print out the internal state in the areas you are looking at to be certain the code is called when you expect and does what you expect.

This 'governments can review the source code' statement is just PR.

4
3

Re: Someone really looked at the source code?

There is probably (at least on other platforms there is) a program that turns executables into source code. At least on one platform its called a disassembler. Even though you got the "source" it is terribly difficult (in most cases) to figure out exactly what the damn thing is doing let alone insert code. So in order to insert "hooks" you really have to know exactly what the input and the output(s) of the program to do anything sinister.

Having said the above MS would *HAVE* to give the NSA basic information about any module before any code could be inserted.

MS can also deny everything since they have the get out of jail free card as they have the "letter".

2
0

What history teaches us about MicroSoft...

..is this:

http://www.theregister.co.uk/1999/11/05/how_ms_played_the_incompatibility/

6
0
Anonymous Coward

MS doesn't need to put a backdoor in for the NSA. It has already been shown that the NSA use Microsoft crash reports to find ways to penetrate the system.

3
0
Childcatcher

Backdoors like WPAD?

For starters,

WPAD: The Internet Explorer Security Flaw that Threatens all UK Microsoft Users

https://nodpi.org/2013/05/09/wpad-the-internet-explorer-security-flaw-that-exposes-all-microsoft-users-in-the-uk/

3
1
Silver badge

Why is it when I hear a bit of Microsoft Marketing...

I'm immediately inclined to believe the exact opposite.

5
0

Bitlocker

So law enforcement has just been somehow cracking all the computers that the seize running Bitlocker? Right. Just like there isn't a master CMOS password for most laptops.

0
0
Silver badge

"Because it's unethical and bad for business, he said"

So, given what I remember of Microsoft business behaviour in the past, if it's unethical and good for business, then it's go! go! go!

You just gotta love it when a Microsoft spokesvole mentions the word "ethics". It sounds so schizophrenic.

1
0

From $260 bn to zero overnight

"...put a backdoor in our product, our market capitalization goes from $260bn to zero overnight."

This is only a persuasive argument if you're dealing with a board of directors and company executives who don't believe in gravity-free zones.

That's certainly not Microsoft (or almost any other big tech company you can name).

0
0
This topic is closed for new posts.