
Why We Can No Longer Trust Microsoft - domdelimar
http://www.pcmag.com/article2/0,2817,2421733,00.asp
======
acqq
_This is a financial disaster waiting to happen. Microsoft is oblivious if it
is not doing something to divorce itself from the NSA.

Apple, on the other hand, could have come out smelling like a rose, but
following the death of Steve Jobs, who apparently refused to play ball with
the NSA, it stupidly jumped on board to join the PRISM club._

According to the Prism slides, it really looks so:

    
    
       "Dates when Prism collection began for each provider
    
       Microsoft 9/11/07
       Yahoo 3/12/08
       Google 1/14/09
       Facebook 6/3/09
       PalTalk  12/07/09
       YouTube 9/24/10
       Skype 2/6/11
       AOL 3/31/11
       Apple (added Oct 2012)"
    

Steve Jobs: February 24, 1955 – October 5, 2011.

If it's true, it's one reason more to deeply admire him.

And can you just imagine how much more sales Apple would get now for not being
on that list?

~~~
mtgx
That reminds me of Putin a little bit. Even if you think some leader is an
asshole, sometimes you need an asshole to stand up to an even bigger bully. I
just imagine someone like former president Medvedev (and with no Putin in
sight) would've offered Snowden to US government on a silver platter, just
like France, Spain, Portugal and Italy tried to do (fortunately
unsuccessfully). I remember I was very much against Putin when he fought the
US' anti-rocket shield, but over the past few years I've started to understand
why he would do that. No country should own the whole world.

~~~
fauigerzigerk
Don't mistake a former KGB guy's taunting for a principled stance. Here's how
Putin deals with whistleblowers:
[https://en.wikipedia.org/wiki/Alexander_Litvinenko_poisoning](https://en.wikipedia.org/wiki/Alexander_Litvinenko_poisoning)

~~~
rfctr
You certainly have a court decision or at least an official accusation to
support your claim? Just asking.

~~~
fauigerzigerk
You might find some of what you're looking for on the wikipedia page I linked
to. But courts are only very rarely the place where accusations against heads
of states are examined, especially when it comes to superpowers.

~~~
rfctr
I read it carefully. Name "Putin" is not mentioned anywhere in the
Investigation section.

Please stick to the facts.

~~~
fauigerzigerk
If the accused can prevent a proper investigation I will make my mind up based
on the clues that exist.

------
LinaLauneBaer
A couple of years ago at a Linux conference in Germany I had a discussion with
a Microsoft employee at their booth. At that time I was a 'hardcore' linux
user with no trust in Microsoft at all. The discussion with the employee went
like this:

    
    
      Me: "Hello. Could you tell me what Microsoft is doing at this Linux conference? I honestly want to know that."
      Him: "We are here to show how our products can work well together with Linux related products."
      Me: "Why would I as a Linux user use Windows or any other product from you? We all know that you spy on me - at least indirectly."
      Him: "Oh no. You are misinformed. We have a lot of business customers with very sensitive data. Can you imagine what would happen to us if they found out that we spy on them? Business users are very sensitive in that area. We were screwed. And we do not spy on regular users as well. You may also know that this would be totally illegal according to German law."
      Me: "So you are saying that you do not spy on businesses or other kind of users of your products?"
      Him: "Yes! We were screwed otherwise!" *giggle*
    

He had a smile on his face for the whole discussion. Maybe because he had this
discussion with those paranoid Linux users for the last couple of days of the
conference. Paranoid!

Microsoft is so screwed guys.

Edit: I was not rude to this guy. We had a beer together later that day. I am
sure he did not know anything about PRISM and was just doing his job.

~~~
duiker101
To me it seems you were just kinda rude to some guy that was getting paid to do
his job.

~~~
tripzilch
Indeed the guy most certainly didn't know shit. On the _other_ hand, rude or
not, Lina turned out to be right and the MS-guy turned out to be ignorant of
the type of company he was working for, as well as defending.

Additionally these so-called "paranoid" questions didn't come out of thin air
either. 10-15 years ago I also was _very_ distrusting of Microsoft and what
they were doing (there _was_ a lot of anti-trust going on ...). But somehow
they started doing a few things right, wrote some good software and OS in the
mean time and they "regained my trust" to the point I'd speak out against
senseless M$-bashing, and perceive it as something childish.

Well, _that_ I am no longer going to do, lest I have to eat my words. That
"trust" is completely gone, and I feel kind of foolish for believing it
existed in the first place, "trust" is a kind of thing that happens between
two persons, not between a person and a gigantic corporation. The latter is
too volatile, there can be no build up or breakage, it's every moment again
different, dependent on who is in charge and which individual personalities
are involved in a decision. Rationally, one instant snapshot cannot make or
break the trust of the next one.

I do feel kind of foolish. I'm typing this on Win7, planning to install Linux
for a while now, but I had some crazy wild ideas for a dual-boot scenario in
mind that I never got around to and everything just worked so there was no
hurry.

Before next week I'll be back on Linux, maybe even sooner.

~~~
SideburnsOfDoom
> to the point I'd speak out against senseless M$-bashing

Senseless bashing - including intentional miss-$pellings and holding one
company (Microsoft) to different standards to others (Facebook, Google, Apple)
is still childish.

However, not all bashing is senseless - Microsoft has a lot of explaining to
do. Sure, so do Facebook, Google and Apple but that doesn't let MS off the
hook. It makes the case for installing a Linux instead a _lot_ stronger.

------
mikevm
Dvorak's article is a regurgitation of previous HN discussions on this topic.

I have said in the previous HN post and I will say it again here: don't pile
on Microsoft alone. These spying policies make every US-based services company
untrustworthy to whomever privacy is important. Come to think of it, I'm not
sure whether you can rely on European services either because it seems that
gov't surveillance is widespread.

On the other hand, maybe if we do pile on Microsoft, and stop using their
products for this reason alone (even though Google, Apple and others are in
the same boat), it will force them and their lobbyists to influence their
gov't shills to put a stop to these programs.

~~~
yuhong
Yea, remember that PRISM is designed to target _foreign_ communications, so if
you are an American, you might be actually safer.

~~~
bad_user
That's bullshit.

The problem that people like you don't seem to understand is that online
communications can be secure, unless the companies owning the servers
themselves cooperate and companies have to cooperate if they have to do so by
law.

It's only the US that has such a huge budget for spying on people's
communications and the US is also part of a select handful of countries going
to such great lengths to suppress the freedom of speech about it.

If I were to start a company in Romania (which is part of EU btw), the NSA can
suck my dick as there's absolutely nothing they could do to make me cooperate
and keep my mouth shut while doing it.

~~~
yuhong
True, but I am talking about the practical risk based on what is known about
the spying.

~~~
bad_user
What really bothers me about this is not the actual spying - I always assumed
that governments do engage in whatever spying they can get away with.

What really bothers me about this is that U.S. companies and individuals have
to keep their interactions with the NSA a secret, while obeying whatever
demands the NSA has, including the installing of back-doors.

Trust is a fragile thing and we rely on trust for conducting business and for
living our lives. My trust in U.S.-based companies has been shaken. Even if
the affected companies (such as Google, Microsoft, Apple) want to be
trustworthy for their customers, they can be coerced by law to obey whatever
the NSA demands and they must also keep it a secret, with absolutely no
transparency - they aren't even allowed to say " _yes, the NSA demanded some
things and we unfortunately complied_ ". Even worse, they can be coerced into
making public statements that are full of lies.

I can no longer trust any U.S. based company again.

For example, right now I'm using Skype. But what if the Skype client has a
backdoor allowing one to open and listen to my mike any time they want (it's a
proprietary blob, we'll never know). What if this backdoor gets hacked and
used by people that are not part of the U.S. government? So in spite of the
best intentions of the people working on Skype and the NSA; even if I've got "
_nothing to hide_ ", Skype is all of a sudden a security liability and nothing
(short of an open-source client that I can compile and run) can prove
otherwise, because Microsoft isn't allowed to be open about it. And I can no
longer rely on the fragile trust I've had for Microsoft, because Microsoft can
be coerced into being untrustworthy.

See how it goes? We'll see how this unfolds over the next years, however the
damage done to U.S. companies will prove to be massive.

~~~
yuhong
>however the damage done to U.S. companies will prove to be massive.

Will?

~~~
Ygg2
It probably already has, in lieu of current European rattling.

I don't expect that GOOG or MSFT will suffer any damage in short term. But in
long term they have proved unreliable. This erodes confidence. And if it keeps
eroding, it will eventually cause them to collapse.

I'll be doing my earnest to move away from any non-OS tool. And will advocate
others to do so as well.

------
xiaoma
This reminds me of Ken Thompson's famous Turing Award paper from 1984. In that
paper, he described a malicious compiler that added security holes to properly
written C programs.

The real question isn't about whether you can trust Microsoft. It's can you
even trust Intel?

 _" The moral is obvious. You can't trust code that you did not totally create
yourself. (Especially code from companies that employ people like me.) No
amount of source-level verification or scrutiny will protect you from using
untrusted code. In demonstrating the possibility of this kind of attack, I
picked on the C compiler. I could have picked on any program-handling program
such as an assembler, a loader, or even hardware microcode. As the level of
program gets lower, these bugs will be harder and harder to detect. A well
installed microcode bug will be almost impossible to detect."_

[http://cm.bell-labs.com/who/ken/trust.html](http://cm.bell-labs.com/who/ken/trust.html)

------
cs702
GNU/Linux, and Free software and hardware in general, look to be the BIG
winners out of the NSA brouhaha, because all non-US governments, businesses,
organizations, and individuals around the planet who need to safeguard their
private or confidential information now have reason to mistrust proprietary
(unauditable) software and hardware.

Free, open software and hardware are less likely to have secret 'back doors'
installed or embedded in them because their innards are under constant public
review by multiple eyes -- out in the open, not behind closed doors.

--

Edit: added last sentence.

~~~
astrodust
Mistrust of commercial solutions does not translate into trust for open-source
ones. Have you audited the crypto code of all your packages? Would you even
know how?

~~~
acqq
Exactly. Even more interesting, all of the source code can be OK and just some
subtle configuration tweaks can be enough to compromise you. Or just some
build flag that you don't even see in sources. Often you don't know the build
flags of every binary as soon as you use binaries. You also don't know if the
compiler is tweaked to do some preprocessing you don't know about (see
_Reflections on Trusting Trust_ by Ken Thompson):

[http://cm.bell-labs.com/who/ken/trust.html](http://cm.bell-labs.com/who/ken/trust.html)

For security conscious the perfect state is the OS which changes very, very
slowly, fixing only security bugs and having binaries used by as many people
as possible and which change so seldom that more people can even check them by
disassembling them. You don't want to only check sources, you want to
disassemble the binaries and decide if they match the sources.

And only then you want to be sure that all configurations are what they should
be. Not easy at all.

~~~
dllthomas
You _can_ (which is not, necessarily, to say _do_ ) know if the compiler is
tweaked: [http://www.dwheeler.com/trusting-trust](http://www.dwheeler.com/trusting-trust)

This only works if you are building things yourself or trust the group
building things, of course, but it's way easier than audit by disassembling
binaries.

~~~
flyinRyan
How does this deal with [1]? Also, how do you know that your disassembler
isn't compromised?

[1] [http://programmers.stackexchange.com/questions/184874/is-ken...](http://programmers.stackexchange.com/questions/184874/is-ken-thompsons-compiler-hack-still-a-threat)

~~~
acqq
Disassemblers produce assembly code, not the HLL code, so they are many orders
of magnitude easier to write from the scratch than modern compilers. They
typically expect human involvement as soon as there's non-trivial
assembly-level engineered self-modifying code. Hopefully there's not much of such code
in the results of the compilers we use.

Also if you check the whole discussion you'll see I already discussed Ken's
work.

~~~
flyinRyan
Ok, I appreciate this information (and I'm trying to follow the discussion but
I didn't see you talking of Ken's work).

But I'm still curious; even though you can write the disassembler by hand, how
can you be sure that you're compiling it with a non-compromised compiler? Or
do you mean write it in e.g. ELF format directly (and that's assuming the OS
isn't involved in filtering offending code, though it seems extraordinarily
unlikely that the OS could be generally modified in such a way without
detection)?

~~~
dllthomas
The more general and diverse the tools you use, the less likely they are all
compromised in the same way, and the more likely any compromise will show up
in other contexts. Using tools at different meta-levels may also be worthwhile
(machine-code vs. interpreter).

------
p37307
I think it is time to rethink everything, Not just Microsoft. Cloud computing
is at risk now too. From Amazon to Google Drive, Gmail, etc. Shared hosting is
not even secure any longer. Our connections from our isp can be the source of
their spying.

People want the ease of computing not secure computing. The polls show it. In
the US everyone but the geeks are OK with the NSA. Sad.

The system is going to have to change to federated data. Email, Social media,
everything. Appliances owned by the individual. Either located in the home or
small server appliances "rented" at a colocation facility and every user's
info on their appliance. Any warrants are served to the individual not the
"processing" or interpreting host that parses the data in their UI or service.
The host, whether Facebook, Google, Yahoo, Microsoft, etc would notify the
requester that that info is on a server rented solely by the user and they
have no standing to grant or honor the warrant as they are the wrong party.

Please note I use voice typing due to fine motor control and this comment may
contain errors.

~~~
igravious
I agree, something like this needs to be done. It will take a lot of work. I
think the free software/ open-source movement is robust enough that we can
turn our attention to this. Copyleft and free software licenses are social
hacks that work in tandem with the free software model. We perhaps need a
social hack to underpin this federated data model.

------
diego_moita
John Dvorak sounds like a tech version of those economic & political
loudmouths that spread definitive and absolute truths with very little
evidence (Rush Limbaugh, Bill O'Reilly, Ann Coulter). That's because their
purpose is not to generate light but to generate heat; to cause controversy
instead of inform. It is the journalism equivalent of the Rolling Stones and
Madonna: scandal as a marketing tactic.

These people remind me of the Austrian writer Karl Kraus: "The secret of the
demagogue is to make himself as stupid as his audience so that they believe
they are as clever as he."

The fact is that for almost all big corporations there is so much money,
training and culture involved in MS platforms that a shift away from it is
just too hard to do, unfortunately.

~~~
mikegioia
Not all businesses are big corporations. There are a great number of small
companies that can much more easily implement Linux for their employees to
use. I think the point to be made here is that moving forward, (a) a lot of
people can really do all of their computing on Linux now, and (b) an
increasing amount of software is being written for the modern web so MS/IE
lock-in is going away.

------
polarix
"Microsoft is oblivious if it is not doing something to divorce itself from
the NSA"

No John, unfortunately it is not really an option to move 57,000 employees and
a headquarters out of the United States. That is what would need to be done.
None of the people making statements for these large corporations are lying
voluntarily.

~~~
ygra
I wonder how much pressure the NSA can and does exert on corporations that
refuse to coöperate in this manner. And whether those on the list really had
an actual choice in that manner. I guess a large government organisation has
plenty of leverage if need be.

~~~
dendory
You mean would the NSA bring up the CEO of the company on random charges after
he says no, put him in jail, and get someone more agreeable to run the
company? They've done it before! Look up Qwest.

------
ksec
To be honest I don't blame too much on Microsoft. Being a business they needed
to survive. It is not like they have a choice and government could very well
bring another antitrust trial. Microsoft refused to play ball with US government
at first and they were nearly split into 3 different companies. So like any
big corporation they have to pay money for lobbying to buy them safety.

And Microsoft is evil, I mean in Google's sense of evil and even Microsoft
admit it.

But What about the one who claim them self do no evil and itself being so
righteous. Joined Prism on 1/14/09?

And I would really love if the Movie could add bits on Prism agents coming in
like some fucking retard, and Steve would tell him to F __k off.

NewsPaper and Media, intentionally or not trying to diversify the hate and
focus on PRISM away from Government.

They are ultimately the one to be blamed.

------
mtgx
> "With that said, do you really want to buy a Microsoft product? Do you want
> to buy anything that gives easy access to snoops poking around at their
> leisure? If you'd think twice about this, then why would a foreign
> government rely on Microsoft Office with any confidence? Personally, if I
> were any foreign government or corporation, I'd stop using all Microsoft
> products immediately for fear of America spying on me. Nothing can be
> secret."

That's exactly what I'm hoping will happen. It may be the only way to actually
roll back most of this shameless and abusive mass spying of everything and
everyone. I'm not sure what else would stop it. Americans protesting it? I'm
not holding my breath for that one, and even if they do, they'll only try to
fix the spying internally, as they couldn't care less what they do to the
world as long as the government keeps telling them "it's to keep them safe"
(which _obviously_ trumps everyone else' rights).

~~~
josteink
> "With that said, do you really want to buy a Microsoft product? Do you want
> to buy anything that gives easy access to snoops poking around at their
> leisure?

You know... Up until this whole NSA/PRISM thing got uncovered, Microsoft had
actually rather successfully started to rebuild the perception and image of
its cloud-service Azure.

It had shown the world that in less than a year, it was well on its way to
catch up with Amazon Web Services. It was going from an experiment to serious
business. Something the company _invested_ in. Even more so than the
traditional parts of the business.

As someone who once looked at Azure and laughed it off, I was coming around,
actually considering it. I don't have any inside info on this, but I would
guess/assume Azure was just about to take off. All those investments, finally
about to pay off.

Then the whole NSA/PRISM thing came about. Now there's no chance in hell I'm
going there. Not that I expect AWS to be any better in that regard either. I'm
currently pulling out my data from Google. I trust them even less.

Hell, at this point, the only viable option privacy-wise seems to be
open-source software, deployed by me, to an account I control, hosted on a
service-provider outside the US's reach.

It may not be immune to unauthorized, illegal snooping, but it will be off the
main grid, take a bit more effort and it won't be done automatically 24/7.

If I become paranoid enough to put in the effort, I'll just get a VPS instead
and encrypt the shit out of it.

(Disclaimer: Not a US citizen.)

~~~
twentyfourseven
Exactly. Microsoft were making a comeback and I moved my email and online
storage from Google to Microsoft. Now I feel back-stabbed.

I don't use the hate word often, but I HATE Microsoft now.

Just for the record, I think Dvorak is bang on with this article. Couldn't
agree more.

~~~
yuhong
Personally, I would not go that far. I mean, what is the practical risk?

------
pydanny
Wait a second... they trusted Microsoft?

;-)

Seriously though, if you don't play ball with the NSA, they come after you,
your business, and your family with the full weight of the US government. Your
wealth or status means nothing against it.

Which means, as a parent, I can relate.

Yes, you and I can sit here on my keyboard and say we would have stood our
ground, but when you have children and a mortgage, suddenly things are very
different. Suddenly, you think that maybe fighting this one particular fight
isn't worth the damage to you and your family.

That, my HN friends, is why the whole NSA PRISM thing is so evil and why it
outrages us: Even those normally beyond the law (the rich and famous) are
suddenly victims like the rest of us.

------
mbesto
_Microsoft, despite denials, appears to be in bed with the NSA. Apparently all
encryption and other methods to keep documents and discussions private are
bypassed and accessible by the NSA and whomever it is working with._

 _With that said, do you really want to buy a Microsoft product?_

Notice the words _appears_ and _apparently_. Until there is specific evidence
to take those two words away from those sentences, hardly anything will
change.

------
69_years_and
I don't think native MS apps running on a local machine are a risk, I imagine
(with a little naivety) that if MS apps/OS were phoning home on a regular
basis with the content of ones documents - someone would have noticed and
raised a flag (or did I miss it). Nor is exchange BCC a copy to the NSA -
again someone would have noticed. Cloud services excluded.

PS. It's *buntu that spins my propeller.

PPS. I'd be interested in what RMS has to say, not just about MS in this case
but the whole PRISM/NSA thing in general - he has been warning us.

~~~
MSvsGOOG
>Nor is exchange BCC a copy to the NSA - again someone would have noticed.

True, but what about Windows Phone vs. Android (with Google's apps, not just a
FOSS build like Replicant) vs. Apple? Which is the lesser evil for your
privacy?

~~~
marcosdumay
> Which is the lesser evil for your privacy?

Cyanogen.

~~~
MSvsGOOG
_With_ Google's apps? I've already mentioned Replicant
([http://replicant.us/](http://replicant.us/)) in my original post. Replicant
is a fully-FOSS Android distribution based on CyanogenMod.

------
jrabone
But WHAT, exactly, can't we trust? I've seen NO technical detail to any of
these discussions, yet there are a number of sub-systems that might be
compromised:

- low-level crypto APIs (the 'DLLs' referred to obliquely in the article);
these are more interesting. I imagine they could be compromised for weak
session key generation or other leakage of key / plaintext, or generate the
session key in such a way that the mythical 'NSAKEY' can decrypt it. Huge
impact, if so, but only to certain software; AFAIK Mozilla doesn't use the
Windows crypto API / certificate key store (but Chrome does).

- SSL certificate generation (built-in CA for Windows Server builds);
certificates stored and replicated via Active Directory; does anyone actually
use this? In fact, does anyone actually use client SSL? It is likely also used
for domain peer replication, which could potentially be over an external
network (but why would you not use a VPN there?)

- Encrypted File System; already contains an escrow key-recovery mechanism to
allow administrators (including domain admins) to recover a lost user key.
Only likely to be relevant if hard disk or backup images seized, so less
impact.

- BitLocker drive encryption; similar to EFS but uses a hardware TPM and is
per-machine rather than per-user. Fairly sure escrow key recovery at the
domain level is possible here too. Again, only likely to be relevant if
hardware or backups seized.

- Office document encryption; did anyone SERIOUSLY think this was worth using
anyway? There are so many key recovery services out there for this (Elcomsoft
et al)

- Communications applications (Skype et al); again, did anyone SERIOUSLY
think this wasn't already being monitored, even before Skype became a
Microsoft product?

- Some other OS-level 'phoning-home' behaviour. I simply don't believe that
no-one has spotted this happening, if it's there - we can do traffic analysis
too, and there are plenty of people running Wireshark on their own networks.

~~~
flyinRyan
How do you know Wireshark isn't compromised? Further, MS _does_ phone home all
the time to check for updates and so on. If something extra was hidden in
there would we know?

~~~
jrabone
Build it from audited source?

As for updates, I imagine if you set up a domain you can run your own WSUS
update server, MITM the connection, etc. - and then compare the behaviour with
a "regular" home PC.

The problem really is how deep the hole goes - as per Ken Thompson
"Reflections on Trusting Trust", 1984.

------
sounds
Any serious discussion of moving US businesses off Microsoft stalls when it
reaches the "non technical" departments.

I put "non technical" in quotes because many of the people in HR, Accounting,
Marketing, etc. are very tech-savvy. Marketing folks, for example, would love
an all-Mac office setup, but they generally have to have Windows PCs for
Powerpoint, Visio, and CRMs, to name a few. HR needs their IE6 in-house apps.
Accounting can't even hire anybody who wants to try getting their work done on
a Mac.

I realize I'm not even talking about Linux here; I think that just underscores
my point.

Does anyone have a counterexample? Because I would pay top dollar for a Linux
solution to these problems, but haven't seen anything worth buying.

~~~
Spearchucker
Your problem isn't technical, it's financial. Moving away from Windows and
Office means converting all the organisation's documents to another format,
re-training users in the new OS and productivity suite, re-writing VBA scripts
(which often doesn't work well).

Then you'd have to de-couple the entire organisation from Active Directory.
And refactor (at best) or re-write (at worst) all custom in-house apps that
rely on either Windows or Active Directory.

It's just too expensive.

------
josteink
Someone on reddit asked a very interesting question with regard to all this
information about US snooping...

What about UEFI? Should that be assumed fundamentally insecure from this point
on?

------
areski
Linux for all the things! That's the only viable solution

~~~
rasur
One wonders how tainted Linux is, if one considers systems including SELinux.
Yes, I realise the point of SELinux is to make it more secure, but the
association with the NSA (they created it) makes it very difficult to trust.

~~~
klearvue
What can you possibly mean? It's open source i.e. code is available to
anyone's inspection.

~~~
blots
But who does inspect it, not me for sure. So, how safe actually is Linux? And
how safe is any distribution?

~~~
reidrac
The fact that it is available for everyone to inspect means it can be peer
reviewed:
[http://en.wikipedia.org/wiki/Peer_review](http://en.wikipedia.org/wiki/Peer_review)

That doesn't mean you're supposed to review it or that it is reviewed at all,
but it is a requirement for the open source development model.

About the Linux kernel, see this example:
[http://kernelnewbies.org/UpstreamMerge](http://kernelnewbies.org/UpstreamMerge)

From Quality control section: "Some of the world's best developers will be
going over your source code with a fine comb. This may be embarrassing for a
few days or weeks, but in the end the code tends to work better and be more
easily maintained. In some cases the upstream developers have made network and
storage drivers 30% faster, making the hardware more attractive to customers."

~~~
blots
It's definitely better than not open source, but still I'd love to know more
about those "world's best" developers and who pays them.

Open source is the necessary but not the sufficient condition. It needs to be
reviewed by independent people, otherwise the open source part is useless.

~~~
rasur
It's also safe to say that the NSA are not completely stupid. Any nefarious
code would unlikely be completely obvious, even to top developers.

------
joshuaheard
The same thing is happening at Facebook, Google, Yahoo, and other tech
companies. Why single out Microsoft?

~~~
josteink
Because statistically unless you're in a clear minority, Microsoft makes the
OS which you do all your work and process all your data on.

It's sorta a big deal.

~~~
rxp
Sure, but all the leaks so far are about cases where your data is already
going through Microsoft services. If there were any evidence that there was a
backdoor in Windows itself, or in any Microsoft software, then you'd have a
point.

------
jpkeisala
Actually, why does nobody mention anything about Intel and Cisco? I would imagine it
would be much more effective to build a backdoor into network appliances if you
want to spy on someone.

~~~
rbanffy
True, but if the network traffic between you and, say Office 365, is
encrypted, the NSA would need to decrypt that. It'd be so much easier if
Microsoft just handed over the actual, unencrypted, files. I can easily
imagine the NSA login screen for Microsoft's PRISM interface with a "Yes, I
have a proper court order" checkbox under the password field.

------
yason
Uh, I might sound like a clichy old grumper but is this really _any news_
since the 90's which is when Microsoft found the internet?

It's practically been the operative description of Microsoft for decades that
they're interested in profits (and potential profits in certain circles
disjoint from the end users), not the privacy or security of their users.

------
mathattack
"So the first news I see regarding Microsoft today is that Ballmer refuses to
talk about the company's wearable computing strategy. My first thought was,
"This is its priority? Wearable computers? So it can spy on your day-to-day
activities?" The next story I read was about how Microsoft is going to
reshuffle the organization, which prompted me to wonder, "Re-org? Why? So it
can put some intelligence agency folks in charge?""

Seems like Microsoft has a lot of issues to worry about. Doing a reorg when
the company is struggling just to put an agency person in charge seems like a
lot of work. Why not just put them in charge in a small internally announced
move?

------
leopoldfreeman
The reason is obvious in China. Google is blocked by GFW, but Bing is not. So,
there must be some dirty business between Microsoft and the government of
China. If Microsoft can do this in China, they can do this anywhere, even in
the USA.

~~~
prewett
The dirty business is that Microsoft is willing to cooperate with the Chinese
government and censor its search results. Google publicly pulled out of China
precisely because it was unwilling to do that. Even so, China did renew
Google's Internet license, and they do run ditu.google.cn (un-offsetted maps,
possibly only accessible from within China).

Google is not actually blocked by the firewall. Gmail is slow, occasionally
lots of dropped packets, and other passive-aggressive behavior, but not
blocked. Search generally works ok, unless, say, you are a tourist searching
for information about a certain popular tourist destination in the center of
Beijing. Groups, Docs, and other free exchange of information services are
blocked, though.

~~~
leopoldfreeman
Censor its search results? You mean Microsoft cope with the government to
filter the result. Great! Today they filter the results. Tomorrow they will
share the user data with government. You are right, Google is not actually
blocked by GFW. If you search something the government thinks is sensitive
(just they think), they will block you from Google for several minutes. After
that, you can connect to Google again. I say, what the hell is that? Fuck the
government.

------
bradbenvenuti
The fact that the url of this article ends in .asp kind of makes me laugh a
little. Although I would love to see movement away from Microsoft products,
it's clearly much more difficult than the article makes it out to be.

------
quackerhacker
I'm a fan of Steve Jobs and Bill Gates, so it's sad to see when a company's
founder steps down. I feel like the ambition and drive sometimes
disappear...then bottom line and dividends matter over pride.

------
Fice
No longer? As if there were not enough reasons not to trust them (or any
other proprietary software vendor) before.

------
stinos
_rely on Microsoft Office with any confidence_

This seems to imply using Office, like in Word/Excel?, somehow poses a privacy
risk. Is that true? And how exactly?

------
Fuxy
Windows should be banned in all countries except America. Open source OS is
the only way to go. I'm not saying Linux since it's not exactly the most non
technical friendly OS for people requiring more than basic usage but Windows
definitely isn't the OS for the future and it needs to die.

~~~
chii
Unfortunately, the inertia is too big for any single organization to stop. If
you have a business selling software, it would be borderline insane to not
target Windows as a platform. You may target others, but you _must_ target
Windows, or basically, get no business. If, or when your resources are
limited, you only target Windows.

So the problem is perpetuated - Windows is the only platform that is basically
guaranteed to have a market. So as a user of software, you'd stick to Windows,
and as a maker of software, you'd stick to making software for Windows. Other
platforms are almost an afterthought. Unless web based software radically
changes (I need to unzip a file - what web based software will do that for
me?), this will not change.

~~~
domdelimar
If you upload a .zip file (don't know about the other formats) to Google Docs,
it can access its content.

There are probably other services/tools, because technically, there's nothing
stopping you from unzipping files in the cloud, or in web based software. It's
just the matter of uploading something and then downloading the content after
it's been unzipped on the remote server. So it's just more expensive in terms
of network traffic.

The availability of the tools that do that, other than Google Docs, is another
thing. Honestly wouldn't know, don't recall ever needing it before.

------
puma1
I don't think any large company has any choice in the matter. And this article
targeting Microsoft. Apple is doing the same exact thing, who cares if they
signed on afterwards? All the major tech companies are, and no one is going to
stop using any of them. Get real.

------
dredmorbius
/me reads article.

/me checks byline.

Holy crap. Yeah, I remember when Dvorak was quite the Microsoft fanboi.

My how times change.

~~~
yuhong
I think he wrote about the MS OS/2 2.0 fiasco, including the unethical
"Microsoft Munchkins" attacks.

------
JohnLBevan
When a company does what's asked of it by a government and people are upset
with the company, something's seriously wrong. A company's main priority is
typically to make money within the bounds of the law. A government's should be
to improve the quality of life and uphold the moral values of its citizens.

I have a feeling had Apple been first on board rather than last the journalist
would argue that Microsoft were evil for not complying with a government
request and that Apple clearly had the vision to help the nation's security,
but maybe that's just me?

~~~
rmk2
Be that as it may, _I_ cannot change _your_ government. I can, however, stop
relying on any of the companies who are complicit in spying on me.

The problem here is the divide between national government and international
corporations, where the corporations' actions influence far more people than
the direct actions of the national government.

I cannot exert any influence over a government that isn't mine, but I can
decide which companies I support and entrust with my data and business. Your
dichotomy of government vs company is therefore not correct. I can (and
should) be upset about both.

~~~
JohnLBevan
Fair point well made. Opinion updated.

------
robmclarty
Question: when did we _start_ trusting MS that we now can no longer?

------
xradionut
Trust or not, I'm still writing code today for the 95% of people that are
running Windows and Office. The irony is that the code interfaces to
PGP/GPG...

------
abdel
I don't remember the last time I used Bill's products.

------
rodolphoarruda
AFAIK, if you control the layer 1 fiber lines, it doesn't matter the OS, the
vendor or the application in question. NSA will intercept your data while on
transit. Of course, if you can have DLLs packaging everything the way you
like, appending the right file extensions and cleaning all the metadata...
that's more than welcome.

------
skc
The more interesting discussion for me would be around which large IT players
we actually _can_ trust?

------
TheCondor
Hubris:
[http://m.youtube.com/watch?v=v_lrohZ_1rU&desktop_uri=%2Fwatc...](http://m.youtube.com/watch?v=v_lrohZ_1rU&desktop_uri=%2Fwatch%3Fv%3Dv_lrohZ_1rU)

------
tigroferoce
So, after SELinux, another big push from the NSA to the open source community?

------
ferdo
I want to know who trusted Microsoft to begin with.

------
jmaddox
"Why We Can No Longer Trust Microsoft" Are you kidding? When did anybody
trust Microsoft?

------
njharman
Trust no longer!? You shouldn't trust any corporation to do anything other
than maximize profits.

------
_ak
We never really could. NSAKEY, anyone?

------
j2d3
We can _no longer_ trust Microsoft?

Crazy. I've been trusting Microsoft all this time, and now, what to do!?!

------
nfoz
Someone trusted them before?

------
likeclockwork
When could we trust them?

------
timbrooke
> Why We Can No Longer Trust Microsoft

LOL. Who was dumb enough to have ever trusted them?

