Microsoft FAILS to encrypt data centre links despite NSA snooping

Microsoft has admitted it doesn't yet encrypt "server-to-server" communications, although it plans to review its security arrangements in the wake of ongoing revelations about NSA spying. The non-cryption admission, made by a senior Microsoft legal officer during an EU inquiry, comes shortly after leaks by whistleblower Edward …

COMMENTS

This topic is closed for new posts.
  1. Graham Marsden
    Big Brother

    "all three repeated earlier denials...

    "...that they provided backdoor (i.e. direct) access to customer data to the NSA"

    Only because the NSA are walking through the Front door!

    1. Wzrd1 Silver badge

      Re: "all three repeated earlier denials...

      Well, a contract is a contract.

  2. Anonymous Coward
    Anonymous Coward

    Yes, but...

    They will be encrypting their connections with approved algorithms listed by the US Department of Commerce. It is illegal to do otherwise by US law. So if you assume official encryption can be broken then this is just a shuffle of the deck and the NSA knows exactly where every card is.

    1. Gordon 10
      FAIL

      Re: Yes, but...

      Oh dear, the application of apathy again. You're effectively shilling for the NSA whether you realise it or not. It's exactly the same as the "we can't change anything - so why bother" argument that gets trotted out.

      Even if they are broken it's still worth doing - every decrypt job they run will still consume bandwidth and CPU resources and we collectively have far more resources than even the NSA.

      It's not a binary Y/N equation - it's an incremental one - we should take every tiny step to make their job as hard as possible.

    2. Anonymous Coward
      Anonymous Coward

      Re: Yes, but...

      There's enough truth in that to make it reality... what a shitty state of affairs.

      Right now I'd trust the N.Koreans and Chinese more than I'd trust the US.

      1. Wzrd1 Silver badge

        Re: Yes, but...

        "Right now I'd trust the N.Koreans and Chinese more than I'd trust the US."

        Actually, I trust every nation on this planet equally, including the US.

        But then, I'm retired US military and had the treat while preparing a briefing to happen upon automagic transcripts of my own morale call home. All magically scooped up, neatly bundled and packaged for anyone to review (interestingly enough, it was in an obscure location and the logs showed only one view, my own).

        Well, suffice it to say that my calls home after were G-rated...

        After that, I retired some time later and worked in information security. I learned who was up to what in detail.

        So, I trust no one. They're all up to the same game, from "America" (aka every nation on both continents and in between) to the smallest nation that has any decent communications capability.

        About the only nation I can say for certain that has no information warfare/espionage capability is Somalia.

        Iraq will eventually get an operational unit up, they had a bit of an upset in their government...

        Egypt has a program because Israel and Iran have a program.

        Even Cuba has a program!

        There *is* an upside. Spies keep everyone honest.

        Indeed, it was a spy that kept the USSR from firing their ICBMs at the US during an exercise that was rather stupidly planned, due to tensions at the time.

        Not championing it, only accepting that which I cannot change, nor can the lot of readers here change.

        It pisses me off, but so does government waste. So does having to take a shit when watching a good movie.

        It is what it is. It's not going to change.

        The only thing we can do is pressure the sensitive spots of our elected officials to ensure our privacy is respected.

        Well, a little bit, anyway.

        Because, Pandora's box has *long* been open. The information was spoken of before, but not as in depth until Snowden.

        The reality is that every nation with decent connectivity does it.

        I may not really *like* it, but I have to accept it as a law of the universe at present. I'm not terribly fond of gravity in the morning either, but I respect that law, lest it thump me to the floor and make already angry joints thoroughly enraged.

        The reality is, it's long been out there. It's as widespread as people are on the planet. One can only hope to succeed in some reasonable accommodation to one's laws, customs and society.

        As for Snowden, I personally met him while I was contracting. He was a prima donna then, he still is.

        He violated his NDA. That is what matters. He *could* have approached a sympathetic Congresscritter, he did not even attempt to do so. He instead went to where he could acquire the greatest attention, the foreign media.

        Now, many, many nations are responding to an embarrassment, knowing what was going on, but now having to save face.

        Meanwhile, the NSA director lied before Congress on national television, but went away unscathed. That tells me that Congress already knew quite well what was about.

        I also know that my teams received precise targeting information that could only have been electronically received. I also know that the Taliban wanted cell phone towers shut down at night.

        I also know why, as did they. If you don't, you're willfully ignorant.

        I have no tolerance for the willfully ignorant. I am up to my balls with them in the tea party here.

        But, the reality is, I've yet to have my door knocked on, knocked down, security clearance voided because I am a dirty old man with my wife. I have yet to hear a simmering complaint about my political views, which are across the spectrum, but overall middle of the road (but, worshiping the notion of universal healthcare and *real* respect for equality for all).

        I also hold an incredibly dim view of libertarianism, socialism, communism for its goal of achieving socialism, pure capitalism, pure any system. Reality is much more complex than stupid systems we devise as a single way of doing things.

        Regrettably, people are stupid as a group.

        Really large groups come to become a government.

        People distrust that which is different, it is a survival instinct.

        Hence, governments distrust that which is different.

        Stupidity reigns.

        Welcome to the real world.

        Where being *really* smart doesn't pay off very well.

        But, being a village idiot can get you on international TV (See Sarah Palin).

        Good night all. It's a quarter hour since I turned into a pumpkin again.

        I have to get up early and give a reading from The Book of Threats to a nursing home administrator, whose home is not bothering to properly care for my father during his rehabilitation.

        The Reading will include much of legal jargon, codified law, various abandonment laws, etc. It shan't be pleasant for any concerned, but it most certainly is necessary.

        As an example, I picked him up to take him to dialysis today. They lost his slippers upon admission x1 day. He apparently, per nurses' report, was sitting in a wheelchair for 40 hours out of the previous 48 hours, as he refused to lie down and sleep. His feet would not fit into his shoes, due to CHF and his sitting for such an insane amount of time in a wheelchair (they refuse to let him use a walker to move about, in spite of his ability to do so). They lost three pairs of pants I sent with him.

        No, the Reading will include a dire threat as well.

        Utter ruin for the facility, its owner company, its stockholders, the staff, yea unto the seventh generation shalt it be thus.

        Because, my lawyers are far better than their lawyers are. And they are my clients, as well as representatives.

        Sorry, had to vent.

        But not much.

        Damned futhermuckers.

    3. Robert Carnegie Silver badge

      I'm not a lawyer or an expert but,

      If it's compulsory to use government-approved data encryption, that doesn't say that you can't use a reliably secret encryption of your own as well. I assume that the compulsory encryption requirement is to keep customers' data private; this way, it will.

      1. Wzrd1 Silver badge

        Re: I'm not a lawyer or an expert but,

        There isn't.

        It's "guidelines". Some idiots think that that is codified law.

    4. Mooseman65

      Re: Yes, but...

      Exactly. All this concern over whether the NSA can see your stuff is silly. THEY CAN SEE YOUR STUFF. It doesn't matter if the links are encrypted or not. Now, others may not be able to see your stuff so it is good that MS is reviewing connectivity. But NOTHING they do will keep the government out. Not company held keys. Not encryption at rest. Not encryption in transit. The government gets in where it wants to.

      1. Wzrd1 Silver badge

        Re: Yes, but...

        Funny, I remember a Cisco IP telephony class where we were instructed on how to listen to message streams that were encrypted.

        But, that is now evil.

        Tough shit for you in the real world if your shit doesn't work.

        I'll not go into NSA bullshit or the EVERY NATION same bullshit.

        It's all about you.

        Reality check:

        Bitch about what is in your own nation.

        Or condemn the US, worship the PRC, Iran, Colombia, Cuba, shit, every nation on the fucking planet that has decent connectivity.

        Genius, the real world reality is, *every* nation that can does.

        You idiots target one that had the bad notion to trust a prima donna.

        Trust me, Snowden is. I met him during the 2008 cyberattack on the US DoD.

        I don't *like* it. But it is reality.

        I also don't *like* gravity in the morning. Osteoarthritis sucks. Still, I have to get up to eat and do my thing during the day.

  3. Anonymous Coward
    Anonymous Coward

    All these guys were (and still are for the most part) complicit in the NSA harvesting. Any protests they've made since this has come to light are simply to save their public appearance.

    1. Tom 35

      The same company

      That rebuilt Skype so that they could intercept calls with ease by making everything pass through a server they own.

  4. Dan 55 Silver badge
    Trollface

    "We do not give direct access to our server."

    The fact that the cables just down the road got cut last year is entirely coincidental. Our customers can rest easy.

  5. Stephen Channell
    Facepalm

    So now we need VPN aware TOE for server-to-server

    So we're going to have application SSL over company encrypted VPN over hosting provider's encrypted VPN over Telco's encrypted VPN, with Akamai distribution for all static content (to compensate for the proxy caches that don't work anymore)... and you'll still get the odd Tory MP outing themselves (by blogging about google ads for sex toys) & millions of people giving the most sensitive info to the facebook.

    After spending millions putting TCP offload engines (TOE) everywhere, the political process & legislation will catch up and we'll all have to agree to "fair usage agreements" that mean we have to agree that specific keywords {sarin, rape, murder, etc} will result in disconnection. Lawyers will make millions dealing with petty cases like "my internet was disconnected 'cus I made a charitable donation to the Rape Crisis Center".

    We'll spend millions and get no more privacy, no more protection, and no more security.

    1. sabroni Silver badge
      Facepalm

      Re: So now we need VPN aware TOE for server-to-server

      And your suggestion would be what? We should shut up and bend over?

      1. Stephen Channell
        Big Brother

        Re: So now we need VPN aware TOE for server-to-server

        My grandfather was a desert-rat in WW2; my daughter did a project on him, reading all his love letters with big red "censor approved" stamps on them. We're going to visit his grave in Salerno, but can't visit Tripoli, Benghazi (where he was hospitalised) or Egypt because some Islamists think they're at war... "your suggestion would be what?" ... get over yourself, you're really not that interesting.

        Consider this: comment on your weight on the facebook, and you'll get ads for diet pills that an NHS doctor would advise you to avoid; search google for anything, and you'll get targeted for ads; buy a postal subscription for "the economist" with a credit card and get telephone calls for "the times" newspaper; but look up travel to Libya & accommodation in Benghazi, chances are, nothing...

        1. sabroni Silver badge
          WTF?

          Re: get over yourself, you're really not that interesting.

          What the fuck are you on about?

        2. Anonymous Coward
          Facepalm

          Re: So now we need VPN aware TOE for server-to-server

          @Stephen Channell

          AGAIN, there is a HUGE difference between data that is volunteered as a part of a commercial relationship which the customer is free to sever, and on the other hand being the unwilling sponsor of state surveillance (which is essentially looking at your political reliability). Through your taxes and perhaps your participation through compliance with secret warrants or clandestine interception of other people's data you may be shepherding in some manner.

          1. Stephen Channell
            Big Brother

            HUGE difference between data that is volunteered

            When I started using: google, there were no ads (2000); the facebook, there were no ads (2003); Visa, there were no list sales; BT, there were no list sales... at no time have I volunteered data, so I don't see a big difference between commercial or government snooping, given the warnings "searching for fertiliser bomb recipes may lead to police attention" or "facebooking in-a-relationship may lead to insurance being declined in 20 years" would help get a sense of proportion.

            If I'd gone to Benghazi (Lance Corporal Gerald Fleming, Grenadier Guards RIP Salerno 22-sep-1943 was there), GCHQ would use every snoop to stop me being beheaded, but the facebook wouldn't even ban the video.

  6. herman

    PPTP or L2TP

    So, either the Microsoft data centre staff thought that their own PPTP or L2TP software is insecure and a waste of time, or they were incompetent and couldn't comprehend their own KB articles such as http://support.microsoft.com/kb/305550, or maybe they felt that while the VPN software works, there are so many other vulnerabilities in Windows servers that it won't make a difference...

    1. Suricou Raven

      Re: PPTP or L2TP

      This is datacenter-to-datacenter. Multi-gigabit traffic flows. Encryption isn't a matter of ticking a box, you need to install very expensive appliances at each end. Small change for Microsoft, though.

  7. Anonymous Coward
    Anonymous Coward

    Safely Use the NSA-GCHQ Cloud

    Yeah, they have catapulted all of us back into the 1930s:

    http://scherbius2014.de

    In short, the cipher machine must never connect to infested networks. Then you can use hotmail and gmail or the USENET to safely transmit private messages. Exchange keys over a beer. Prost!

  8. Mooseman65

    The government sees your data... encrypted or not

    So for people to get bent out of shape about which encryption is used means nothing as far as government looking. Now for other people looking, that matters. But the NSA can break any encryption. So what something is encrypted with or who holds the keys means nothing in a discussion about whether the government sees data.

    1. Anonymous Coward
      Anonymous Coward

      What a Cute Little $hill Here!

      So your paymasters can "break any encryption". Have any proof?

      If you actually could break "any" encryption, your bosses would not need to hire thousands of software engineers to subvert software. Because when you can "break any encryption" then you can A) read all transmissions and B) inject all the malicious stuff you need into transmissions to achieve your objectives.

      So, what you can "break" might be the will of docile followers of one of the mid-east religions. One of these where a single jealous god threatens every independent thought and will.

      Tell the Imperator that some people will NEVER cave in.

      http://de.wikipedia.org/wiki/Arminius

  9. Dodgy Geezer Silver badge

    There is a fundamental problem here...

    ... and it's NOT about NSA. Or GCHQ.

    We seem to be taking it for granted that the Western Intelligence Services will spy on all citizens intrusively, even though there is no real justification for this. Now, the intelligence services do not exist on their own. They are supposed to be under the control of governments. If they are doing something wrong, we should NOT be just looking to defend ourselves against them - we should be looking at the bodies responsible for controlling them, and asking what's wrong with the control structure.

    I see the same problem with the energy sector in the UK. The companies are being blamed for incompetence and high prices, but NO ONE is complaining that the regulator has failed to regulate them properly.

    I wonder why not...?
