It used to be you only had to worry about the accidental insecurities in Windows. Now Redmond’s giving away the keys to everything they sell. Microsoft is beginning to surprise even me and I thought I was beyond surprise.
I get it. I understand patriotism. I also understand legal obligation. The guys and gals in Redmond would want you to believe that their cooperation with the feds is based mostly on the later. Their story is they were forced to give access to their customer’s data by a loaded court order being held to their collective head.
My suspicion is that misguided patriotism had more to do with Microsoft’s cooperation with the NSA and other intelligence agencies than the niceties of law. I see Bill Gates looking something like Elvis trying to get the Nixon White House to give him a role as a narcotics officer for the FBI.
No matter what the reason, it’s done. In the process, a gaping hole has been discovered in the computer security of all governments and businesses that compete in any way with the United States. The name of that hole is “proprietary binaries.”
The news was damning three weeks ago when we discovered that Microsoft had been cluing-in federal intelligence agencies about unpatched security holes in their products, which our government would then use to compromise the computers of “terrorists” and “unfriendly governments.”
Now the Guardian has revealed that Microsoft’s involvement goes much deeper. They’ve been giving the spooks at No Such Agency encryption keys, access to SkyDrive and more:
- “Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new Outlook.com portal;
- “The agency already had pre-encryption stage access to email on Outlook.com, including Hotmail;
- “The company worked with the FBI this year to allow the NSA easier access via Prism to its cloud storage service SkyDrive, which now has more than 250 million users worldwide;
- “Microsoft also worked with the FBI’s Data Intercept Unit to “understand” potential issues with a feature in Outlook.com that allows users to create email aliases;
- “In July last year, nine months after Microsoft bought Skype, the NSA boasted that a new capability had tripled the amount of Skype video calls being collected through Prism;
- “Material collected through Prism is routinely shared with the FBI and CIA, with one NSA document describing the program as a ‘team sport’.”
Again, Microsoft claims they were only following orders, that they were legally bound to cooperate with demands put on them through FISA. “When we upgrade or update products we aren’t absolved from the need to comply with existing or future lawful demands,” they said in a statement. They also repeated the mantra that they provide customer data “only in response to government demands and we only ever comply with orders for requests about specific accounts or identifiers.”This is probably true. It’s also true that Microsoft had a way out. They could have taken the fight public. They could have gone to the Guardian, the New York Times or to 60 Minutes and spilled the beans. United States security agencies are attempting, through legal means, to get us to compromise the security of the data of our clients that include sovereign nations.
This would’ve pissed the Obama administration off, as well as his Republican opponents, but it would have been the right thing to do.
Without a doubt, this path would’ve been risky. The folks at agencies like the NSA don’t play softball and in their league performance enhancing drugs have not been banned. There would be possible criminal repercussions. If that failed, bloated bodies might be found floating in Puget Sound as a warning to firms down in Silicon Valley. I’m not entirely kidding. As I say, these guys play hardball with rules only they know and which change from day to day, inning to inning, pitch to pitch.
No company would be willing to take such risks, of course, especially not Microsoft. For starters, their involvement wasn’t as unwilling as they would have us believe. Remember that other inconvenient truth–the sharing of unpatched security holes which doesn’t appear to have been done under court order.
Any foreign government with secrets to keep would be completely foolish to even consider ever again using any software with Micosoft’s name on it, unless they’re given the source code which they, themselves, compile and install. Maybe not even then.
Before this is all over, we’re going to discover that the NSA’s actions have damaged not only Microsoft, but the entire U.S. technology industry. It should not come as a surprise to anybody if we lose our position of global leadership in the tech sector.
What country or non U.S. based big business would feel comfortable with binaries from Oracle or Microsoft running on their iron. Who would want to trust their data to Amazon’s or Google’s clouds when the U.S. has already shown they don’t give a frack, they’ll have a subpoena rubber stamped in secret and take whatever info they deem they need, all in the name of the god of national security.
Granted, proprietary binaries from companies located on any country’s soil would be suspect as well. If you can’t trust software from the good ol’ U.S. of A, you’re probably not going to put much faith in the security of a data stack from Russia, India, China, Germany or the UK either.
There’s only one solution, copyleft open source software with absolutely no closed binaries in the mix. This means no Secure Boot, at least not the way UEFI does it now. International computing is a game of “whom do you trust.” The world can no longer be in denial. Companies selling proprietary closed source software can’t be trusted because their governments can’t be trusted.
If you want software you can trust, either write it yourself or use FOSS. As for the security issues involved using Skype or VoIP? As I’ve said before, the Internet is a party line.
Latest posts by Christine Hall (see all)
- WordGrinder: Distraction-Free Writing From the Command Line - March 20, 2017
- The Great Debian Iceweasel/Icedove Saga Comes to an End - February 27, 2017
- No, OpenSUSE and SUSE Downloads Haven’t Been Hacked - February 13, 2017