

Microsoft Makes Moves To Protect Customers From Government Eyes - techinsidr
http://www.securityweek.com/microsoft-makes-big-moves-protect-customers-government-eyes

======
drzaiusapelord
Has anyone coined 'crypto theater' yet? Telling us you use SSL between web
requests is nice and all, but if various government agencies have PRISM-like
access to unencrypted data then you're really not protecting anyone. I imagine
all these recent "we're using stronger keys and ssl now" PR stunts are to keep
foreign customers happy and to help kill the Snowden story.

~~~
tedunangst
Dropbox. They use stronger than usual language to assure you that nobody can
ever read your data. Unless there's a "glitch" that lets anyone login with no
password at all.

~~~
iwwr
Bug-based backdoors offer full deniability as part of an ass-covering
strategy. All software has bugs, all software therefore has backdoors.

------
fiatmoney
They were also paid a bunch of money to buy Skype and rearchitect it to enable
wiretapping. It's not like they've "seen the light", depending on their
incentives their actions change.

~~~
GotAnyMegadeth
Do you have a link for that, or is it still speculation?

~~~
gecko
It's still speculation, and one of Skype's lead engineers wrote a completely
sane explanation of how the centralization had to happen if Skype was going to
work well on mobile, since you're not exactly going to be getting tons of
supernodes on iPhones. You're welcome to believe that they _also_ did it for
government reasons, but there are definitely sane technological reasons, too.
I'll update this comment with a link in a few minutes if I find it.

~~~
hfsktr
Something like this: [http://www.zdnet.com/skype-ditched-peer-to-peer-
supernodes-f...](http://www.zdnet.com/skype-ditched-peer-to-peer-supernodes-
for-scalability-not-surveillance-7000017215/)

------
mratzloff
_" While we have no direct evidence that customer data has been breached by
unauthorized government access, we don't want to take any chances and are
addressing this issue head on."_

Technically, he didn't lie. He did say "unauthorized", after all!

~~~
Zoomla
also didn't say authorized by who I guess...

------
ivanplenty
tl;dr pr piece:

> · Customer content moving between customers and Microsoft will be encrypted
> by default.

> · All of Microsoft’s key platform, productivity and communications services
> will encrypt customer content as it moves between Microsoft data centers.

> · Strong cryptography to protect these channels, including Perfect Forward
> Secrecy and 2048-bit key lengths.

Microsoft already does each of these today (for sure Exchange and SQL, which I
know the best), and they have done them for years now. Nothing changes. The
more important question is how Microsoft manages the keys for this encryption,
because when I was there the keys were still based on NSA-approved root
keys...

------
Qworg
I'm not a security guy, but isn't this just "cryptowashing" if there's a man
from the NSA on the inside?

~~~
danbruc
Not necessarily - if you do the encryption on the client and only ever
transmit encrypted data, then even an insider can not learn much about your
data. But this may be difficult and/or impractical. You can not easily search
your emails if Microsoft only stores an encrypted copy. It might work better
for storing your files on SkyDrive. What we really need is practical fully
homomorphic encryption [1].

[1]
[http://en.wikipedia.org/wiki/Homomorphic_encryption](http://en.wikipedia.org/wiki/Homomorphic_encryption)

~~~
RyanZAG
As long as the source is closed, you'd never know if the private key is
transmitted or not to the server.

------
contextual
The NSA needs to put people back at ease, to make the Snowden story go away.
What better way than to have Microsoft, Google and others make a statement
like this?

Before using any Microsssoft product again, remember the parable of the Indian
and the Snake:
[http://instereo92087.tripod.com/indiansnake.html](http://instereo92087.tripod.com/indiansnake.html)

~~~
frik
good parable.

btw. oh wow, tripod is still around, nice to see some old websites

------
islon
Microsoft is like the cheating boyfriend/girlfriend that always come back
saying "I'm different now, I've changed!"

------
pnathan
This is a good move - it increases overall security from illegal and
quasilegal actors. "A rising tide lifts all boats". While it might prevent
certain kinds of switcharoo ("let's exchange data on each other's citizens
since we can't legally spy on our _own_ citizens" maneuvers might be
hampered), it still doesn't deal with an overly broad court order (c.f. Third
Party doctrine). This does nothing against a duly authorized order from a
legal entity. Those are threats that are very hard to deal with, in general.
In order to ensure that privacy is maintained against overly broad and
unreasonable _legal_ searches, a non-technical (that is, political/legal)
solution must be implemented.

edit: Microsoft has been one of the voices calling for legal reform. I respect
that. It might be a PR move, but still... I'll take it. :-)

------
siculars
"Code Transparency

In addition, Microsoft said it would enhance the transparency of its software
code, helping to convince customers its products do not contain back doors.
The company said it would go as far as opening a network of “transparency
centers” designed to provide customers with greater ability to assure
themselves of the integrity of Microsoft’s products. The centers will be
opened across Europe, the Americas and Asia, Microsoft said."

Transparency centers, eh? Is that like a Microsoftian Ministry of Truth where
inquisitors go to be reeducated?

------
ISL
What is a "transparency center", and what does it do?

Is that an office where you can sign an NDA and then read source code all day?

Is there a way that a company with closed source and proprietary
infrastructure can prove that it's not up to any funny business?

Spideroak can, but only by opening up the client-side source code.

~~~
xradionut
"Is there a way that a company with closed source and proprietary
infrastructure can prove that it's not up to any funny business?"

No.

------
msantos
Anytime Microsoft comes up with their fake privacy promises one particular
case always comes to mind: Mordechai Vanunu
[http://en.wikipedia.org/wiki/Mordechai_Vanunu#cite_note-55](http://en.wikipedia.org/wiki/Mordechai_Vanunu#cite_note-55)

Microsoft is running an anti-Gmail campaign blasting Google for snooping on
emails in order to serve ads. [http://betanews.com/2013/11/05/microsoft-is-at-
it-again-new-...](http://betanews.com/2013/11/05/microsoft-is-at-it-again-new-
campaign-targets-googles-email-scanning/)

------
amaks
Microsoft first should make Bing to support, not even use by default, HTTPS.

------
davexunit
Increase your security by trusting proprietary software to protect your data!
Don't worry about the big, bad government. We'll make sure that we are the
only ones spying on you.

------
forgottenpaswrd
words, just words.

It is not that complex, it is called "End the Patriot Act" or lobby for that.
Until just telling your customer that they are being watched is against the
law and they could go to jail for that, nobody should trust ANY American
corporation.

And no, not all countries in the world have this kind of totalitarian laws.
Yes, companies could give info about you to the government, but under court
order, and those are public or private only for a small amount of time.

------
randomfool
Any word on when outlook.com will send/receive encrypted emails? Currently any
time an email passes to/from the outlook.com domain it's in plaintext.

------
Theodores
I don't know why Microsoft are bothering with this. The 'I have nothing to
hide' crowd could not care less and those that are quite fascinated by
everything NSA are not going to ever believe that Microsoft are anything but
evil.

The funniest Microsoft story for me was the one regarding their former
security chief. Nowadays he won't use Microsoft products or anything else
where he can't see the source code. Until such time as Microsoft open source
the stuff they churn out then all one can do is 'believe' them to be good and,
after finding out how in bed they are with the military-industrial-complex, I
just do not trust them.

~~~
chaostheory
This may be a marketing campaign to reassure their international customers, in
particular governments and other large organizations.

~~~
bilbo0s
But those are exactly the customers who won't believe you anyway???

I'm not saying that these customers don't have justification for their
paranoia... just saying that there is an extremely high probability that
Brazil, or Indonesia, or Statoil are planning to phase out use of American
software over time in any case. In fact, it's so plainly evident that surely
American tech companies should already be factoring it into their strategic
planning???

Why not try to create some new customers? Or do something that doesn't rely on
foreign organizations to trust, or use your software?

I don't know what that would look like... but that's why they get paid the big
bucks.

------
salient
Ok...more protection against breaches, but what about the stuff they are
giving _willingly_? Until any of these big companies start getting serious
about _end to end_ encryption, I can't take them seriously. It's just PR at
this point - or rather PR _damage control_ , after the leaks.

Another big change for me would be if Microsoft announced that they stopped
giving NSA lists of fresh Windows vulnerabilities before they even start
working on them. Until they stop doing that, this is all pointless.

Their policy should be: "either everyone knows about the vulnerability, or
_nobody does_.". Whatever argument they had before about "responsible"
disclosure, is all moot now that we know they're disclosing those bugs to NSA
in secret anyway.

~~~
Zoomla
Encryption does not mean anything until you reign-in law enforcement powers.

