
Microsoft helped the NSA bypass encryption, new Snowden leak reveals - psibi
http://rt.com/usa/microsoft-nsa-snowden-leak-971/
======
nr0mx
Puts this in an entirely different light, doesn't it:

Even when ostensibly not functioning, the Xbox One can run in a low-powered
state, ready to be snapped on at a moment's notice. That's something Microsoft
was showing off last week as an asset. The only on-switch Microsoft showed for
waking the machine from its low-power state was a voice command... "Xbox On."
The Xbox One could only hear that if the Kinect was already, always listening.
The idea that the Kinect might always be listening got people reaching for
their tin foil or vowing to not let an Xbox One into their home.

Microsoft is now seeking to calm concerns that the new Kinect might spy. "We
are designing the new Kinect with simple, easy methods to customize privacy
settings, provide clear notifications and meaningful privacy choices for how
data will be used, stored and shared," the Microsoft rep told me.

"We know our customers want and expect strong privacy protections to be built
into our products, devices and services, and for companies to be responsible
stewards of their data. Microsoft has more than ten years of experience making
privacy a top priority. Kinect for Xbox 360 was designed and built with strong
privacy protections in place and the new Kinect will continue this commitment.
We’ll share more details later."

[http://kotaku.com/xbox-ones-kinect-can-turn-off-microsoft-
sa...](http://kotaku.com/xbox-ones-kinect-can-turn-off-microsoft-says-
noting-510100564)

Not sure I'd want the Xbox One in my house after this fiasco.

~~~
kabdib
Since the Xbox camera is connected to the console via a cable, you can verify
whether data going over the wire. If the Xbox is off, you shouldn't see
traffic. It's a /bunch/ different from traffic in a data center, which is
essentially untraceable and can be cloned at many points.

Frankly I'd be more concerned about the microphones contained in ubiquitous
and nearly unexaminable devices such as cell phones, and to a lesser degree
laptops. (I imagine that many laptop mics are USB devices, so their traffic
should be visible to drivers, the drawback being that once the traffic is on
the mainboard, where it goes is less traceable).

~~~
sharpneli
In addition to what was stated by RexRollman it can easily store video/audio
to be sent only at the next start of the xbox. "Downloading update" or
"Syncing savegames" and no-one is going to notice the encrypted few megabytes
of MP3 compressed audio.

------
pavs
I feel so stupid and so ashamed of myself for all the time I have thought of
everything Richard Stallman had to say about privacy and security concern as a
"neck-beard, tin-foil hat, nutjob".

He was right all along, it was us who didn't care enough to understand what he
was saying and its importance.

~~~
ds9
No need to feel bad, I used to get a lot of snarking for being a Stallman fan.

It is a basic principle of security to assume that any power an adversary has,
will be used against one's interests. People misunderstand this; I have seen
it called a fallacy. But it's not a claim that it's always true, rather that
it's what one must assume in order to have the best practicable assurance of
security /privacy.

I also used to get arguments like "MS/GOogle/$_BIG_TECH_CO wouldn't use their
power against customers, it would be bad for business" or "...it would be
illegal" or similar. The correct answer is that prudence dictates assuming the
worst. Well, maybe I was too cynical, but it's hard to keep up with how bad
things really are.

------
RexRollman
This whole thing makes me very suspicious of Apple's and Microsoft's whole
disk encryption technologies. I can't help but wonder if back doors have been
inserted into the products.

~~~
Osmium
Not impossible, but some smart people have been looking, at least for Apple's
FileVault 2:

[http://www.schneier.com/blog/archives/2012/08/an_analysis_of...](http://www.schneier.com/blog/archives/2012/08/an_analysis_of.html)

Paper here:

[http://eprint.iacr.org/2012/374.pdf](http://eprint.iacr.org/2012/374.pdf)

Currently, there seem to be three vectors:

1) Weak passwords

2) If you opt-in to store a recovery key with Apple

3) If attacker has physical access to machine, and machine is powered on
(direct memory access via Thunderbolt or Firewire) (Edit: seems like this is
not the case, see below)

But no backdoor has been found (yet!)

~~~
dmix
> 3) If attacker has physical access to machine, and machine is powered on
> (direct memory access via Thunderbolt or Firewire)

I'm curious if this could be addressed with software protections somehow?
Something that triggers memory wipes and automatic shutdowns?

~~~
sil3ntmac
FileVault 2 is supposed to be secure against this* when the machine is powered
on and locked or sleeping.

* Source [http://security.stackexchange.com/questions/18720/how-secure...](http://security.stackexchange.com/questions/18720/how-secure-is-filevault-2-while-the-computer-is-in-sleep-mode)

~~~
dmix
Interesting. Apparently LUKS/dmcrypt on Linux is also protected from DMA
attacks (firewire/thunderbolt devices).

> If you enable LUKS root, DMA attack mitigation is also
> enabled(boot.initrd.luks.mitigateDMAAttacks ). It consists of blacklisting
> firewire drivers.

Edit: still at risk of the "Evil Maid Attack"
[http://www.aspecrypt.com/evil_maid_attack.html](http://www.aspecrypt.com/evil_maid_attack.html)

------
peteri
Sorry this is news folks? Really? See this from 2011/12

from [http://www.infolaw.co.uk/newsletter/2012/01/microsoft-
office...](http://www.infolaw.co.uk/newsletter/2012/01/microsoft-
office-365-for-lawyers/)

However, the Patriot Act, introduced to protect US national security, can
require that any US company (wherever data is held) must disclose data on
demand to the US Government without the knowledge of the owner of the data,
which is contrary to the UK Data Protection Act. Microsoft has been up-front
in acknowledging that they cannot give that guarantee and this applies to data
held in all their hosted solutions. As a result, in December 2011, BAE ditched
plans to adopt Office365 because Microsoft could not guarantee the company’s
data would not leave Europe, in spite of operating a data centre in Dublin.

------
iuguy
The sad thing about all of this is that Microsoft were pretty much forced into
this position (so we're told) by the authorities.

In the process these leaks have just destroyed pretty much any credibility
Microsoft's online services had, which form large parts of their strategy
(according to the recent Ballmer memo).

It also makes you wonder about the OS and other software they produce, which
isn't a good place for MS to be in.

~~~
mikevm
I'm not sure why you're picking on Microsoft. The credibility of pretty much
every large US-based tech services company is probably destroyed. The fact
that we only saw the big service providers (MS, Google, etc...) on those
slides doesn't mean that the other companies are free from the hands of the
NSA.

Do you think that the NSA has no access to Dropbox?

~~~
brudgers
Enterprise relies on companies such as RedHat and Oracle to some extent in
lieu of conducting code analysis and to certain types of security testing.

It would be rather surprising if they were not at least approached by Federal
agencies such as NSA and FBI.

To put it another way, because Microsoft has a closed source model, the
intelligence agencies took the approach described in the article. From that,
it may be a mistake to conclude that the strategy pursued with Microsoft was
the only strategy pursued. It just happens to be one that would pass across
the desk of an analyst, rather than someone on the operations side.

Viewed as an intelligence operation, it would be grossly unprofessional of
such agencies not to have placed moles within the open source community, or
for those moles to be seen as highly skilled contributors on open source
projects. The three letter agencies have decades of experience infiltrating
both commercial organizations and those motivated by something other than
money.

I suspect it is easier to turn an open source hacker than a diplomat - not
just ideologically but because the open source community lacks a state funded
organized counter-intelligence apperatus.

~~~
flyinRyan
If there were backdoors in the distributed Redhat code, how many people would
even be able to know this? And that's if the code were blatantly obvious if
you were allowed to see what was actually compiled. If the compiler itself is
compromised then it would be possible that no one at Redhat would know.

------
xedarius
Then I start thinking about when Microsoft were being dragged through the
competition and monopolies commission in the US, was this the US Government
showing Microsoft what would happen if they didn't cooperate.

~~~
Sharlin
A half-serious conspiracy theory: The feds "encouraged" Microsoft to acquire
Skype so as to obtain decrypted access to the communications.

~~~
walls
It happened before MS acquired them.

[http://www.networkworld.com/community/blog/project-chess-
hel...](http://www.networkworld.com/community/blog/project-chess-helped-nsa-
snoop-your-skype-communications)

------
geuis
Maybe I'm missing the source, but where's the source? These people keep
writing stories about what's being revealed and "according to secret
documents" this and that is shown. So where are these leaked documents?

If these media outlets are holding on to them to dribble and drab them out to
make a buck, there's a huge problem with that. Everything should be out on a
torrent or wikileaks for all to see.

------
kirualex
Well that puts their whole "We don't exploit your data like Google do" into
perspective.

~~~
maaaats
Does it? This isn't Microsoft exploiting data for their own benefit, not
comparable. (Not that I like MS sharing the data)

------
tootie
What do they mean by bypass encryption? If I use outlook.com (or gmail.com or
whatever) over https, then it's encrypted over the wire, but it's obviously
decrypted on their servers. It's the only way that search could work. I assume
if you are PGP encrypting your messages or something equivalent, it's still
unbreakable.

------
SonicSoul
going to try for devil's advocate angle.

could there be a case where the parties in a conversation are legitimate
suspects? in such a case, why does it matter if it's Microsoft or some other
private company that the NSA hires to break encryption?

it seems that the article is presenting the Microsoft / NSA relationship, and
later states _“If you look at what happened when Bush, Cheney and General
Hayden – who was head of the NSA at the time – deliberately violated the law
to eavesdrop on Americans without a warrant "_ which hints at a vague
conclusion that Microsoft is helping to spy on citizens without a warrant.

possibly i missed something, so is the point that Microsoft (or any private
company) should not do any work for NSA, or that it should not do it without a
warrant, or that we can't trust it with anything because it did some work for
the NSA? Or is that the details are still not disclosed so it's pure
speculation?

~~~
tootie
Of course. If you are a legitimate suspect, any local police department can
get a warrant to go inside your house and put your underpants in plastic bags
and take them away. For that matter, they can cuff you and put you in jail.
The question is what is the NSA doing without a warrant or rubber-stamped,
secret, blanket warrants.

~~~
SonicSoul
correct. i'm just having a hard time with the point (or lack there of) in this
post.. as far as i can tell it's something like: NSA = PRISM, therefore any
company doing work for NSA = evil.

~~~
tootie
The NSA is skating on very thin constitutional ice, but honestly they haven't
really done anything that even qualifies as evil. The KGB did this kind of
spying, but they did for the express purpose of sending dissenters to gulag. I
haven't seen so much as a credible accusation that the NSA are doing anything
other than their duly authorized mission.

~~~
fetbaffe
This is the same as the British Stamp Act from the American Revolutionary War.
If the Stamp Act was an argument for revolution because it was evil, this is
too.

~~~
tootie
The difference is that the colonists had no recourse. "No taxation without
representation" and all that. Without sending delegates to parliament, they
had no channels to complain through, so rebellion was the only option. We
could end the NSA completely by voting for candidates who support that.

~~~
fetbaffe
I can't vote in the US as a resident in Sweden, so I'm in the exact same
positions as the first colonists in America.

I guess my only option now is to rebel.

But sure for those living in the US they can do that. And they did that with
Obama. However that just increased the surveillance.

------
Arnor
"It's hard to square Microsoft's secret collaboration with the NSA with its
high-profile efforts to compete on privacy with Google."

I think it squares quite nicely. Set your standards low enough...

------
insuffi
I find it interesting that no USA-based news source is covering this.

~~~
tzs
Among US-based news sources covering this: The New York Times, NBC News, New
York Daily News, CBS News, NPR, Chicago Tribune, ABC.

~~~
insuffi
Huh.

My apologies, for some reason the only sites google showed on this issue were
.co.uk.

~~~
mkhaytman
Google personalizes results quite extensively these days, largely based on
your location. Google believes based on that, and probably your previous
searching and browsing habits, that those .co.uk sites are more relevant to
your interests. After all, this is the company that has patented and is
developing the idea of "Parameterless Searches", where they assume what you
want to know before you even ask... (more info
[http://www.seobythesea.com/2013/07/google-parameterless-
sear...](http://www.seobythesea.com/2013/07/google-parameterless-searches/))

------
herf
[https://en.wikipedia.org/wiki/Telescreen](https://en.wikipedia.org/wiki/Telescreen)

------
FridayWithJohn
Yet another reason to stick to open source.

~~~
rimantas
Ok, I have full open-source stack and run a cloud service on it. I also give
NSA full access to my servers. How does open-source helps there?

~~~
hypercube
Why does the NSA have full access to your servers? Even if they manually
wiretap your server it would require manual intervention, and is thus a good
protection against blanket surveillance.

~~~
a3n
"Why does the NSA have full access to your servers?"

Because they ordered him to give it, and he elected not to go to jail.

~~~
TsiCClawOfLight
He means "how". Open-source protects against software backdoors (though
obviously not against key-sharing et alii)

~~~
throwit1979
What? Open source in a cloud service stack means that if the NSA thugs show up
and order you to insert intercepts into your software on pain of being
"disappeared", it's far EASIER to change the source and recompile than it is
with proprietary software.

rimantas is referring to _using_ open source in a cloud service, not authoring
and distributing it.

