It used to be you only had to worry about the accidental insecurities in Windows. Now Redmond’s giving away the keys to everything they sell. Microsoft is beginning to surprise even me and I thought I was beyond surprise.
I get it. I understand patriotism. I also understand legal obligation. The guys and gals in Redmond would want you to believe that their cooperation with the feds is based mostly on the latter. Their story is they were forced to give access to their customers’ data by a loaded court order being held to their collective head.
My suspicion is that misguided patriotism had more to do with Microsoft’s cooperation with the NSA and other intelligence agencies than the niceties of law. I see Bill Gates looking something like Elvis trying to get the Nixon White House to give him a role as a narcotics officer for the FBI.
No matter what the reason, it’s done. In the process, a gaping hole has been discovered in the computer security of all governments and businesses that compete in any way with the United States. The name of that hole is “proprietary binaries.”
The news was damning three weeks ago when we discovered that Microsoft had been cluing in federal intelligence agencies about unpatched security holes in their products, which our government would then use to compromise the computers of “terrorists” and “unfriendly governments.”
Now the Guardian has revealed that Microsoft’s involvement goes much deeper. They’ve been giving the spooks at No Such Agency encryption keys, access to SkyDrive and more:
- “Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new Outlook.com portal;
- “The agency already had pre-encryption stage access to email on Outlook.com, including Hotmail;
- “The company worked with the FBI this year to allow the NSA easier access via Prism to its cloud storage service SkyDrive, which now has more than 250 million users worldwide;
- “Microsoft also worked with the FBI’s Data Intercept Unit to “understand” potential issues with a feature in Outlook.com that allows users to create email aliases;
- “In July last year, nine months after Microsoft bought Skype, the NSA boasted that a new capability had tripled the amount of Skype video calls being collected through Prism;
- “Material collected through Prism is routinely shared with the FBI and CIA, with one NSA document describing the program as a ‘team sport’.”
Again, Microsoft claims they were only following orders, that they were legally bound to cooperate with demands put on them through FISA. “When we upgrade or update products we aren’t absolved from the need to comply with existing or future lawful demands,” they said in a statement. They also repeated the mantra that they provide customer data “only in response to government demands and we only ever comply with orders for requests about specific accounts or identifiers.”
This is probably true. It’s also true that Microsoft had a way out. They could have taken the fight public. They could have gone to the Guardian, the New York Times or to 60 Minutes and spilled the beans: “United States security agencies are attempting, through legal means, to get us to compromise the security of the data of our clients that include sovereign nations.”
This would’ve pissed the Obama administration off, as well as his Republican opponents, but it would have been the right thing to do.
Without a doubt, this path would’ve been risky. The folks at agencies like the NSA don’t play softball and in their league performance enhancing drugs have not been banned. There would be possible criminal repercussions. If that failed, bloated bodies might be found floating in Puget Sound as a warning to firms down in Silicon Valley. I’m not entirely kidding. As I say, these guys play hardball with rules only they know and which change from day to day, inning to inning, pitch to pitch.
No company would be willing to take such risks, of course, especially not Microsoft. For starters, their involvement wasn’t as unwilling as they would have us believe. Remember that other inconvenient truth–the sharing of unpatched security holes which doesn’t appear to have been done under court order.
Any foreign government with secrets to keep would be completely foolish to even consider ever again using any software with Microsoft’s name on it, unless they’re given the source code which they, themselves, compile and install. Maybe not even then.
Before this is all over, we’re going to discover that the NSA’s actions have damaged not only Microsoft, but the entire U.S. technology industry. It should not come as a surprise to anybody if we lose our position of global leadership in the tech sector.
What country or non-U.S.-based big business would feel comfortable with binaries from Oracle or Microsoft running on their iron? Who would want to trust their data to Amazon’s or Google’s clouds when the U.S. has already shown they don’t give a frack, that they’ll have a subpoena rubber stamped in secret and take whatever info they deem they need, all in the name of the god of national security?
Granted, proprietary binaries from companies located on any country’s soil would be suspect as well. If you can’t trust software from the good ol’ U.S. of A, you’re probably not going to put much faith in the security of a data stack from Russia, India, China, Germany or the UK either.
There’s only one solution: copyleft open source software with absolutely no closed binaries in the mix. This means no Secure Boot, at least not the way UEFI does it now. International computing is a game of “whom do you trust.” The world can no longer be in denial. Companies selling proprietary closed source software can’t be trusted because their governments can’t be trusted.
If you want software you can trust, either write it yourself or use FOSS. As for the security issues involved in using Skype or VoIP? As I’ve said before, the Internet is a party line.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
And finally the truth comes out! I KNEW there was something going on! And THIS is why I NEVER messed with all that “cloud computing”! I prefer to keep MY data with ME…safe and sound on a 2TB hard drive that can fit in my jacket pocket. Is it as efficient as cloud storage? No. Does it sync my folders that are not online? No. Will it allow me access to my data from any device anywhere? No. But at LEAST I’ll know my data is safe from prying eyes and cannot be accessed all “willy-nilly” by ANY and EVERYONE! I cannot say I’m all that surprised, there had to be SOMETHING that Big Brother would use to keep tabs on everyone….but it’s just the nature of the Beast eh?…Spy ON or BE spied on! LoL!
Ok, while I don’t dispute the issue of ‘you can’t trust proprietary software’ (since you don’t have the code), you seem to have neglected to mention Google, which is also claimed to have provided access to certain agencies and which runs Linux on its servers. Nor did you mention the issue of network taps in US telcos – if they tap your fibre, they don’t need access to your servers (at least not for unencrypted data).
Oh wait…this whole article is just another excuse to bash M$ without examining other players, cause M$ is totally evil and no user of FLOSS would do such things, right? Ok, carry on.
Microsoft has never earned the title of “being trustworthy”, either through its innate inability to adequately secure its products against even low level intrusions, or the many and widely reported actions the company has taken over the years that subvert any integrity in transactions with other technology companies, particularly direct competitors and those potential competitors exhibiting great innovation that is destined to disrupt the Redmond money machine.
The one aspect of Microsoft that I have always found puzzling is the tremendous admiration it receives toward Bill Gates, Steve Ballmer and the company as a whole based on the totally false premise that Microsoft is “innovative” and a true pioneer of great technology, when quite the opposite is quite true – as by historical fact.
Just last week me and some friends were laughing hysterically at a Microsoft advert on TV that started..
“At Microsoft we take your privacy very seriously!”
OMG talk about advertizing BS and hypocrisy at its worst!
I rather doubt that the NSA or any other agency would have resorted to “bloated bodies might be found floating in Puget Sound”. With the feds buying literally billions of dollars worth of software from Microsoft, a simple hint that they might start considering open source would be more than enough to get Redmond to cave. Remember the first rule of business: NEVER piss your biggest customer off!
What do you think of Security-enhanced Linux, which was made by NSA? Or the FBI backdoor even on FreeBSD. I think they are everywhere.
She did mention Amazon and Google: “Who would want to trust their data to Amazon’s or Google’s clouds,” both of which use Linux in their cloud platforms. This is not a one-sided MS free for all.
“…they provide customer data ‘only in response to government demands and we only ever comply with orders for requests about specific accounts or identifiers.’ ”
I wonder if they respond to similar “legal” requests from other countries. Is there a secret Chinese or Iranian court giving Microsoft orders to turn over similar data?
The Microsoft / Google / Amazon comparison is flawed here. Microsoft is the author of the operating system and has the source code and does as they please with it. Google, Microsoft & Amazon have your personal information and do as they please with it. The operating system @ Google and Amazon are unrelated to what they do with your personal data. You can use a Linux based operating system and not use Google. You cannot use a Windows operating system and not use Microsoft.
Microsoft is not the only company releasing details about its users. It’s a LOT of ISPs as well. The fact is, you cannot trust them. I do however agree that open source software IS definitely the way to go. Not only for this reason, but for other reasons as well, like total freedom of your computer. Microsoft, Apple, and others are locking down your computer and limiting what you can do with it. Unlock those chains and get on to GNU/Linux and be done with it.
The commenter “SEBA” is supremely naive and ignorant about these two Free/Open Source Software (FOSS) Operating systems (OS) to think that SELinux has ‘back doors’ or some imaginary FBI ‘back door’ in FreeBSD.
While the US government is free – as in freedom – to implement ‘back doors’ in the FOSS OS that they use “internally”, nothing similar is feasible in FOSS OS’s “controlled” and published by the Not-for-Profit foundations.
I recommend that readers of FOSS Force become significantly more competent and knowledgeable about the true technical nature and status of FOSS, especially if they come from the proprietary Microsoft environment.
@W. Anderson I think FOSS Force probably has about the same mix of readership that you’d find at any FOSS Site. Just because someone who posts here isn’t yet completely knowledgeable about open source and the importance of visible source code doesn’t mean we put them down or are rude to them. That’s not very welcoming. I’m sure there was a time when you were an overeager newbie too, Mr. Anderson.
I don’t particularly like high horses, no matter who’s riding them.