Microsoft to Australian government: our kit has no back doors Microsoft has told an Australian Parliamentary Committee its cloud services and software contain no back doors. The issue arose last year in a committee of Australia's Senate, which like the US body of the same name is a house of review for legislation initiated in the House of Representatives. During a November 2013 meeting …
Why would there need to be a specific back door anyway - unpublished vulns are as effective as a backdoor and when found in use are easily deniable as a security bug. A specifically coded back door has no plausible deniability and would seriously damage your reputation when found.
A question to be asked that would leave less wriggle room, "do you share information on unpatched vulnerabilities with intelligence agencies?" I suggest an answer to this question would appear much more evasive :)
No back doors are necessary when working for the NSA and the law is your friend...
[snip]Data located in Australia but owned or operated by a US company could be accessed under a Patriot Act request, even if this violates National Privacy Principles, a legal expert has warned.[/snip]
http://www.computerworld.com.au/article/413379/australian-based_data_subject_patriot_act_lawyer/
Microsoft agreed with the above cited (thanks Vimes) legal opinion, in Europe;
EU cloud data can be secretly accessed by US authorities
US-owned companies bound by Patriot Act, says Microsoft
4th July 2011
http://www.theregister.co.uk/2011/07/04/eu_customer_cloud_data_may_be_handed_over_by_microsoft/
[...]
Microsoft is set to launch a new cloud service next week. It said it will allocate its customers a region where their information will be physically stored, but said it could not guarantee that it would tell EU customers' details if US authorities sought access to their data.
"In a limited number of circumstances, Microsoft may need to disclose data without your prior consent, including as needed to satisfy legal requirements, or to protect the rights or property of Microsoft or others (including the enforcement of agreements or policies governing the use of the service)," Microsoft said in its online data storage services' privacy policy.
"As a general rule, customer data will not be transferred to data centers outside that region," Microsoft said in an explanation about geographic boundaries for its new service.
"There are, however, some limited circumstances where customer data might be accessed by Microsoft personnel or subcontractors from outside the specified region (eg, for technical support, troubleshooting, or in response to a valid legal subpoena)," the explanation said.
[...]
This has happened before. Microsoft representatives swore in court that there was no NSA back door shortly before the back door was public knowledge: http://www.theforbiddenknowledge.com/hardtruth/nsa_backdoor_windows.htm
Now we get another statement that there is no back door. Microsoft representatives were found guilty of lying under oath in federal court during the the abuse of monopoly trials. Microsoft can easily send a representative to court who does not know about any back doors. Even if Microsoft wanted to be honest, they can be required to lie for national security. The question is not if there is a back door, but how many are there, and who is able to exploit them.
The article you point at actually states "Researchers are divided about whether the NSA key could be intended to let US government users of Windows run classified crypto systems on their machines or whether it is intended to open up anyone's and everyone's Windows computer to intelligence gathering techniques deployed by NSA's burgeoning corps of "information warriors"."
So yes there was an NSAKEY label used within ADVAPI.DLL, however its actual use case and function has not been identified. As per TFA it could be "intended to let US government users of Windows run classified crypto systems on their machines" ∴ not a back-door
But if you were Microsoft, and if there was an explanation for the key that was innocent, and people were suggesting that your software had a direct tap for the NSA, and that suggestion was harming your business, wouldn't you explain what it was and not just say nothing about it and waffle on instead using words that don't rule it out?
"They - contrary to some people's beliefs - are not absolute morons."
"They" might not be, as a collective, but a chain is only as strong as it's weakest link. It only takes one low level code monkey to slip up and all your eggs are on the floor, never to be stuffed back up the arse of a chicken.
...It only takes one low level code monkey to slip up...
Like within the parts of the tech industry that make routers for example?
http://www.theregister.co.uk/2013/12/04/dlink_finally_slams_shut_joels_backdoor/
And that was only fixed after people complained about it. How do you complain about systems you don't even know exist, much less how they operate?
This post has been deleted by its author
Not to mention, do you think they would have used "NSA" as a secret key for the super secret back door?
Hmm, could have a couple of possible explanations:
1 - forgotten to rename the variable
2 - hiding in plain sight principle
Don't tell you haven't been wondering why there was a variable called "NSA" in that code AT ALL?
I agree with the thread OP that MS may have either sent someone with not enough knowledge, or may be acting under orders to keep their mouth shut.
Meanwhile, 15 years ago ..
The long, strong arm of the NSA (July 27, 1998)
http://edition.cnn.com/TECH/computing/9807/27/security.idg/
FORT MEADE, Maryland (IDG) -- Back in the days of the cold war, Washington insiders used to joke that NSA stood for "No Such Agency." The government denied the very existence of this group, which is dedicated to intercepting and decoding foreign communications.
That was then. Today the National Security Agency is well known, and spends a lot of time leaning on software, switch and router vendors, pushing them to re-tool their products. The agency's goal: to ensure that the government has access to encrypted data.
[...]
It's gotten to the point where no vendor hip to the NSA's power will even start building products without checking in with Fort Meade first. This includes even that supposed ruler of the software universe, Microsoft Corp. "It's inevitable that you design products with specific [encryption] algorithms and key lengths in mind," said Ira Rubenstein, Microsoft attorney and a top lieutenant to Bill Gates. By his own account, Rubenstein acts as a "filter" between the NSA and Microsoft's design teams in Redmond, Wash. "Any time that you're developing a new product, you will be working closely with the NSA," he noted.
[…]
The responses from the Department of Parliamentary Services seem to suggest a very trusting attitude and an approach that says a threat doesn't exist if no-one has told them about it.
I didn't get the sense that they are pro-actively policing their networks, apart from slapping the usual appliances on them.
Documents leaked by Snowden there are things that the US won't even share with partners like the UK, let alone Australia (remember the NOFORN designation on some of the documents?).
Part of the information revealed under this designation told us that the US could end up spying on the UK even without the knowledge or consent of the UK authorities, and despite prior agreements that this would not happen.
http://www.nytimes.com/2013/11/21/us/united-states-can-spy-on-britons-despite-pact-nsa-memo-says.html?_r=0
You can bet that the US is doing the same with Australia too even though they are supposed to be in the 'Five eyes' club.
Then they can stop worrying about the NSA or others.
They could write their own system from scratch or they could use an alternative supplier, there must be loads because so many people hate MS that alternatives would have a massive customer base waiting.
However, I suspect that compromising any new system would be trivial - at the design stage or later. I also suspect that any other system in common use is/was as easy to compromise as anything MS supply. After all, the data storage can be compromised, any encryption used will be a standard encryption system and is not specific to a particular system. If no encryption is used then any system will be wide open obviously.
There isn't a backdoor because one isn't needed to access customer data.
The fact that Microsoft is a US company and subject to US law is a far bigger threat than anything contained within the code.
The existance - or lack thereof - of a backdoor is just a red herring aimed at distracting us from the laws in place within the US that give the authorities the right to demand access to data.
Of course there's a back door - it's the front door: Windows Update. Simply send a special update to specific machines.
No need for MS to confess to a feature that's always been there in the open. Even if they are not actually complicit in this, it would not be too hard to add a man in the middle additional service in the deployment tubes or mess around with what Akamai actually send down to a machine.
Pick your conspiracy.
Cheers
Jon
First of all, the Australian Parliament do not deserve any reprieve from NSA snooping if they use Microsoft servers as their back end. No sane organization or body should even consider a technology platform that has proven extremely vulnerable and unreliable as Microsoft Windows by every credible technology security organization, every Financial Stock Exchange, International banking system, The US NASA Space Agency and Dept. of Defense departments, as well as several cities and countries in the European (EU), countries in South America, especially Brazil and many other entities.
Furthermore, how does the Australian government know " with any certainty" that Windows does not have back doors, unless Microsoft provides the AU Government with the Windows "source code" which the government can then have their experts carefully examine, and if found "fairly secure", then compile the provided code themselves into a working Operating System (OS), much as can be easily done by professions with Linux or any of the BSD UNIX-like OS.
Unfortunately, many Australian Parliamentarians, like other politicians and business executives around the world are enamoured by Bill Gates' Wealth and the "legend" of Microsoft, and therefore accede all logical thinking and critical scrutiny practices of such matters as technology decisions to their love fest of fame and fortune.
Well as someone who has seen the code there were "points of entry" in the kernel of NT. Were these deliberate or simply exploitable bugs? But there were so many that one might ask if there were just a few too many for it to be accidental ..... I mean after all these were some of the best programmers in the world .... really ? .... that many bugs in core kernel code .... ? I suppose the question is whether the exploitable "bugs" were just "plausible deniability"! Don't ask .... don't tell.
One would have to assume that not a lot is different now. Keep in mind as MS do military work they are bound to obey the rules of the OS Act even it means not being entirely truthful.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
