Microsoft Gets Help From NSA for Vista Security

An anonymous reader writes "The Washington Post is reporting that Microsoft received help from the National Security Agency in protecting the Vista operating system from worms and viruses. The Agency aimed to help as many people as they could, and chose to assist Vista with good reason: the OS still has a 90 percent lock on the PC market, with some 600 million Vista users expected by 2010. From the article: 'The Redmond, Wash., software maker declined to be specific about the contributions the NSA made to secure the Windows operating system ... Microsoft said this is not the first time it has sought help from the NSA. For about four years, Microsoft has tapped the spy agency for security expertise in reviewing its operating systems, including the Windows XP consumer version and the Windows Server 2003 for corporate customers.'"

Nothing new to NSA...

[daveschroeder]

Information Assurance [nsa.gov] has long been one of NSA's primary missions. NSA ran the Trusted Product Evaluation Program (TPEP) [faqs.org] since 1983, which evaluated off-the-shelf commercial products against standardized security criteria, and employed various experts from government, military, academia, and industry. Contributions or recommendations from TPEP often were incorporated into future iterations of vendor products. The expanded Common Criteria programs, which grew in part out of the US Trusted Computer System Evaluation Criteria [wikipedia.org] (TCSEC, the famous Rainbow Series [wikipedia.org] of security publications), picked up where TPEP left off, now administered by the National Information Assurance Partnership (NAIP) [nsa.gov] of NSA and NIST.

NSA's Information Assurance Directorate also provides public security configuration guides [nsa.gov] for many popular applications, operating systems, database servers, routers, and other networking equipment.

Also, don't forget to check out NSA's Security-enhanced Linux (SELinux) [nsa.gov] (FAQ [nsa.gov]).

When US computing, communications, and networking implementations are more secure, we all benefit, and NSA contributes to this in its overall mission.

Re:

[temojen]

Also, there' no mention of how much of the NSA's advice MS has used and how much they've ignored.

Re:Nothing new to NSA...

[bman08]

The problem is the question they asked. Not, "How can we make a secure product?" but "How can we make the product we have secure."

Re:

[bbernard]

It's interesting to me to notice that at least some of the things the NSA has suggested for XP and 2003 are settings and options that need to be configured and are not pre-configured for "out-of-the-box" operation. For instance, password length and complexity. Perhaps that's a bad example, but it shows that Microsoft is willingly supplying their OS software configured in a way that they know provides sub-standard security. While I don't specifically blame them for that--can you imagine the home users tha

password length and complexity

[wiredog]

The longer and more complex it is, the more likely it is to be written down on a post it stuck to the side of the monitor. Especially if you have multiple passwords on different change cycles. "Must have a capital letter, special character, number, be at least 8 characters long, and change every 3 months" is probably, in the long run, no more secure than "must be at least 8 characters long, contain one or more non-alphabetic characters, and change twice a year".

Re:

[spun]

There's an easy way to deal with complex password requirements. One place I worked required 8 characters with at least one capital letter, one lower case letter, one number, and one punctuation mark. Plus, they required a new one every month. To top it off, they kept track of the last three passwords and you couldn't reuse them. I just memorized a pattern on the keyboard (like e4r5t6y7) and hit the shift key a couple times. Then when I changed the password, I just shifted the pattern over one letter (r5t6y

Local vs. Remote attacks

[MarkusQ]

It's a little more complex than that.

"Good" passwords (which, as you note, are more likely to get written down) are much better against remote attacks but often no better or even worse (because they get written down) against local attacks. It all comes down to what you are trying to protect against. If the majority of the people you are worried about have access to the sticky notes on your monitor, long passwords that need to be written down are not going to help much (unless you make a habit of writing them down incorrectly).

But for most net-connected resources these days, strong passwords are probably better simply because there are more bad guys "out there" than "in here."

If this is not the case for you--if, in other words, there are more bad guys within your office than outside it--you may want to change jobs and report your present employer to the authorities. (Unless of course your present employer is "the authorities", in which case you should probably also start carrying a Geiger counter as soon as you quit.)

--MarkusQ

Re:

[Danny Rathjens]

But for most net-connected resources these days, strong passwords are probably better simply because there are more bad guys "out there" than "in here."

I thought most security incidents were usually inside jobs. e.g. a quick search brings up: Study: ID theft usually an inside job Up to 70 percent of cases start with employee heist [msn.com]

Re:

[Heembo]

No, most security incidents result from a failure to develop software properly.

Depends on what you mean by "incidents"

[MarkusQ]

I suppose it depends on what you mean by incidents. While one system intrusion may net thousands of identities, it's still only one incident in terms of the password being compromised (if that is in fact how they get the data--insiders often have easier ways to get things than cracking passwords). While I would agree that attacks by insiders typically compromise more data, I would dispute that they are more frequent. Numerically, the majority of all computer security incidences are most probably bot-net

Re:

[novus ordo]

Wouldn't be the first [networkworld.com] time.

Spook backdoor to Vista

[dougwhitehead]

The encryption cat is out of the bag, so if you can't own the communication channel, own the computers on either end.

Sure, I'm just delusional. But then again, there was that WMF exploit that according to Security guy Steve Gibson (grc.com and the SecurityNow podcast) inferred that was deliberately put in the code by someone (though he didn't point the finger at MS, some contractor for MS, at the Gov't direction, or anyone else). Before it was patched, it allowed the execution of arbitrary code on a clien

Re:Spook backdoor to Vista

[jafac]

Well, there's two things about this.

First, there's the mysterious NSAKey API that was in IE 4.0 (don't know if it was in later versions).
Then, there's the regkey for tcpip maxhalfopenretries, or is it maxhalfopenretires? Nobody seems to know. Yet the "retires" version is in the Win2k template supplied by the NSA. And if you run that template, this setting shows up as a vulnerability on security scans. It's a hell of a bad back door, if it's a back door, (because the vulnerability is a DoS, not very useful for snooping) but I don't understand how this mistake could just sit there, in plain text, in a freely downloadable template, without anyone trying to address it for so many years.

Re:Spook backdoor to Vista

[gad_zuki!]

An eight year old conspiracy theory. Even Bruce Schneier doesnt buy it

Suddenly there's a flurry of press activity because someone notices that the second key in Microsoft's Crypto API in Windows NT Service Pack 5 is called "NSAKEY" in the code. Ah ha! The NSA can sign crypto suites. They can use this ability to drop a Trojaned crypto suite into your computers. Or so the conspiracy theory goes.

I don't buy it.

First, if the NSA wanted to compromise Microsoft's Crypto API, it would be much easier to either 1) convince MS to tell them the secret key for MS's signature key, 2) get MS to sign an NSA-compromised module, or 3) install a module other than Crypto API to break the encryption (no other modules need signatures). It's always easier to break good encryption by attacking the random number generator than it is to brute-force the key.

Second, NSA doesn't need a key to compromise security in Windows. Programs like Back Orifice can do it without any keys. Attacking the Crypto API still requires that the victim run an executable (even a Word macro) on his computer. If you can convince a victim to run an untrusted macro, there are a zillion smarter ways to compromise security.

Third, why in the world would anyone call a secret NSA key "NSAKEY"? Lots of people have access to source code within Microsoft; a conspiracy like this would only be known by a few people. Anyone with a debugger could have found this "NSAKEY." If this is a covert mechanism, it's not very covert.

I see two possibilities. One, that the backup key is just as Microsoft says, a backup key. It's called "NSAKEY" for some dumb reason, and that's that.

Two, that it is actually an NSA key. If the NSA is going to use Microsoft products for classified traffic, they're going to install their own cryptography. They're not going to want to show it to anyone, not even Microsoft. They are going to want to sign their own modules. So the backup key could also be an NSA internal key, so that they could install strong cryptography on Microsoft products for their own internal use.

But it's not an NSA key so they can secretly inflict weak cryptography on the unsuspecting masses. There are just too many smarter things they can do to the unsuspecting masses.

The fact that 'some security scans' consider something a threat doesnt mean it really is. This is real tin-foil stuff, especially considering if the NSA wanted to muscle MS then youd never know about it.

God you're an idiot.

[Ayanami Rei]

That WMF flaw is older than the commercial internet.
It was an artifact of supporting OLE in WMF and how thread control (hah) in Windows 3.1 worked... kept backwards compatible to this day.
It was a shitty design from the getgo, malice or "terrarist fightin' tool" have nothing to do with it. Also, Steve Gibson is a tool. Seriously, get your security news from ANYWHERE else.

Re:

[thewiz]

Leads one to wonder how much or how many features of SELinux ended up in Vista. I'm not trolling here, just wondering which security features SELinux and Vista now share.

Re:

[daveschroeder]

Nope. Just someone who happens to be a subscriber (which one would think is a good thing if one enjoys slashdot (???)), happened to see an article about to be posted, and wrote the same reply I'd have written regardless.

What's especially humorous is that, as of the time you posted your childish reply, my post hadn't been modded up, down, or changed in any way.

Feel better now? Thanks for the troll, though!

Would you Prefer...

[Morosoph]

Useful, "Karma-Whoring" replies, or petty arguments that give no information, and give no leads to discover things for yourself?

The Karma system, here, is doing its job. That some people "abuse" it by responding to incentives is, I have to say, a bizzare position.

wouldn't it be nice?

[yagu]

Wouldn't it be nice to be a company so large and dominant in it's industry yet so inept in delivering a code-complete product it gets help (I'm assuming for free) from government agencies to try and get it right? So, my tax dollars at work for Microsoft... (the article does mention Microsoft gets this help for free, I can only assume then "we" foot the bill).

I'm not saying Microsoft shouldn't collaborate with external organizations, but why am I paying for it? Even more reason to be upset about their usurious rates for their new OS. Consider that the drive I bought at Costco 10 years ago (500MB) costs on the order of 500 to 1000 times more (that's almost two magnitudes) than storage today, and that Microsoft continues to charge at the same rate -- they even seem to adjust for inflation.

</rant>

Re:

[PingSpike]

You're paying for it because its for the good of the nation! Now lets see about increasing that H1B visa quota so Microsoft can increase the amount of indentured servants on its pay roll.

Re:wouldn't it be nice?

[DaveTuck]

Now lets see about increasing that H1B visa quota

What the hell have pencils got to do with it??!!

Re:

[somersault]

Err.. when has software's value ever been judged from the amount that the user can store? Unless you don't have a lot of space of course, but just because hard drives and processors are better and cheaper (or at least hold more and go faster) than they used to be, doesn't mean that the value of any software running on them decreases proportionally.

Anyway, other than that, even though it sucks for you guys who are paying for your government to do this, I'm quite happy that the US Gov will be helping to cu

Re:wouldn't it be nice?

[bmajik]

A cursory glance at the article would reveal that the spooks also work with Apple and that Novel also works with "somebody" in the govt.

The article also states why the NSA thinks this is in their (and the countries) interest - the mandate has come down that procurement focus on COTS (commercial, off the shelf) for more and more things. If the security of the nation or the safety of a ship or soldier are going to be left to commercial software, the government should take a more active role in due dilligence and capability review of the products it is buying. The NSA is a logical choice for doing some of that work.

I am a little surprised that nobody has said "the NSA is hording vulnerability info on windows for their own evil purposes! Use Linux!" I'll leave it as an exercize to the reader as to why that is a non-issue. (Hint: does the NSA also get to review the linux code?)

Re:

[99BottlesOfBeerInMyF]

A cursory glance at the article would reveal that the spooks also work with Apple and that Novel also works with "somebody" in the govt.

It's not surprising that Apple would be partnering with the NSA. They briefly announced then removed all mention of a framework in Leopard that implements the mandatory access controls the NSA developed for SELinux. I have no doubt that they would be a valuable resource in auditing such an implementation.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[LehiNephi]

The NSA also works with many other businesses on the topic of computer security. This includes "critical infrastructure"--telecommunications, energy (oil, gas, coal, power generation), all that jazz. Some of these companies are making major efforts towards security. And it's not just "for the good of the country". If somebody hacks an oil platform and shuts it down, that's millions of dollars per day that the oil company loses. So the NSA and the "critical infrastructure" companies may have different g

Re:

[Locutus]

Maybe they should have thought about that 8 or so years ago when SOMEBODY decided that Windows was going to be the standard for ALL DoD systems. Sure some DoD engineers screamed at that and the document was changed to allow some embedded systems and realtime systems to use non-Microsoft operating systems. But it took no 'rocket scientist' then nor now to understand Microsoft is a marketing company above all else and that its operating system software designs were flawed.

Now, for the past 6 years they've fou

Helping Microsoft or helping users?

[mi]

I certainly understand and share the frustration of tax-dollars helping a healthy and profitable corporation, but another way to look at this is NSA is helping the users. The proper long-term solution would, probably, be to make software vendors liable for flaws in their products — as is the case with most other industries. Short-term, however, National Security Agency making personal computers harder to hijack does, indeed, contribute to, uhmm, national security...

Microsoft is not the only entity to benefit either, BTW. For example, FreeBSD cvs-commit messages have plenty of acknowledgments of government's help (fgrep for TrustedBSD [trustedbsd.org]). The NSA-funded [nsa.gov] SELinux [wikipedia.org] is another example...

NSA is, supposedly, full of very smart, technically adept people, who, no doubt, strongly prefer Unix-like OSes (on average) to Microsoft's offerings. However, with Microsoft's market-dominance, it gives a lot more bang for the NSA's buck to help them, rather than the OSS projects...

Granted, there is a danger of this solution perpetuating the problem, but that's a distant and lesser danger, than the present and grave one of millions of zombies arraigned into bot-nets and immediately usable (and up for hire) against businesses and government institutions alike.

Re:

[crush]

I certainly understand and share the frustration of tax-dollars helping a healthy and profitable corporation, but another way to look at this is NSA is helping the users.

It would be nice if that were true, but given the secrecy and lack of information about exactly what the NSA did we have no idea how "helped" any of us are.

As it stands, this announcement is effectively the government giving free publicity to Microsoft and claiming without any evidence that Vista is secure in some way. (See all the "G

Re:

[derrickh]

What exactly are you complaining about? Are you actually blaming Microsoft for the low cost of data storage? Or are you blaming Microsoft for seeking outside help? Or are you blaming the US government for helping secure the computers of 600 million users?

Are you upset at helping to pay for the filling the pothole outside my door? What about the FDA spending money to improve drugs for women that you'll never take? Or are you just mad that Microsoft seems to actually be trying to make Vista a decent OS?

You se

NSA

[Savage-Rabbit]

Wouldn't it be nice to be a company so large and dominant in it's industry yet so inept in delivering a code-complete product it gets help (I'm assuming for free) from government agencies to try and get it right?

To be fair to the NSA (and leaving aside for the moment any tin-foil-hat conspiracy theories about backdoors) they also gave Linux some security overhauls [wikipedia.org]. So it's not as if they are picking sides here. The NSA also publishes Operating Systems Guides [nsa.gov] that any administrator or user can download and use to harden his/her OS. These are also available for multiple OS'es. I'm no fan of the NSA but sometimes they actually do good work.

Re:

[Martin Blank]

Their Windows guides were influential enough that when Microsoft published its own guide for Windows 2003, NSA decided that it was good enough that they didn't have to write their own. It was at its core a rewrite of the NSA's Windows 2000 guide, but introduced more scenarios and was slightly less sleep-inducing.

Re:

[Xenographic]

> (and leaving aside for the moment any tin-foil-hat conspiracy theories about backdoors)

I guess everyone has forgotten about nsakey and !seineewerasreenigneepacsten by now, although I admit that there was doubt about whether nsakey was actually nefarious. I don't remember that issue ever really being resolved.

Batting 500

[Gription]

"Wouldn't it be nice to be a company so large and dominant in it's industry yet so inept in delivering a code-complete product it gets help (I'm assuming for free) from government agencies to try and get it right? So, my tax dollars at work for Microsoft... (the article does mention Microsoft gets this help for free, I can only assume then "we" foot the bill)."

The NSA has many reasons to help MS. From the article it is obvious that they recognize that MS has a pervasive monopoly in desktop OSes and is exp

Re:

[AndroidCat]

I don't see the problem.

For the same money as you paid for your hard drive 10 years ago, you get a drive with 500 to 1000 times more storage.
For the same money as you paid for Windows 10 years ago, you get a product that uses up 500 to 1000 times more storage.

Re:

[KarmaMB84]

If you're a government agency that's supposed to be looking out for national security... the security of an operating system used by the vast majority of citizens, corporations and the government is probably of interest...

Re:

[1u3hr]

Consider that the drive I bought at Costco 10 years ago (500MB) costs on the order of 500 to 1000 times more (that's almost two magnitudes) than storage today, and that Microsoft continues to charge at the same rate -- they even seem to adjust for inflation.

But the size of MS's OS has increased from a few hundred k; DOS 3, runnable from a 360k floppy, to a few GB, installed from a DVD, for Vista. Probably at least three orders of magnitude. So actually you are getting more OS for your dollar now.

Re:

[ScentCone]

Consider that the drive I bought at Costco 10 years ago (500MB) costs on the order of 500 to 1000 times more (that's almost two magnitudes) than storage today, and that Microsoft continues to charge at the same rate -- they even seem to adjust for inflation.

Do you really think that what Microsoft does and sells is the same thing as storage density? They have people, producing and supporting an enormous range of products and services. Unless you're suggesting that what it costs to employ and retain people

Re:

[jafac]

I'm not saying Microsoft shouldn't collaborate with external organizations, but why am I paying for it?

It's a public safety issue.

YOU are better off if 90% of the desktops in the world have a good security posture, than you are if they have a weak security posture which enables botnets (which are currently responsible for about 70% of the spam in the world).

The real question is;
Will the spammers and hackers learn their way around the tighter security? (making the effort and tax dollars a waste) - or will t

Re:

[westlake]

Wouldn't it be nice to be a company so large and dominant in it's industry yet so inept in delivering a code-complete product it gets help (I'm assuming for free) from government agencies to try and get it right? So, my tax dollars at work for Microsoft..

"Federal Government Provides Technical Assistance To Trade, Industry and Agriculture"

Breaking News. In 1790.

Even more reason to be upset about their usurious rates for their new OS. Consider that the drive I bought at Costco 10 years ago (500MB) costs o

Re:

[LurkerXXX]

Consider that the drive I bought at Costco 10 years ago (500MB) costs on the order of 500 to 1000 times more (that's almost two magnitudes) than storage today, and that Microsoft continues to charge at the same rate -- they even seem to adjust for inflation.

Wow, what a crap argument. Technology has allowed for the storage of the same amount of data in a smaller area, more refined machine tools.

Do you think programmer salaries are also decreasing at this rate? If the company you work for discovers more eff

Re:

[Locutus]

THIS is definately going to be a problem for anybody who thought that Linux and/or opensource was going to rise to the top because of better design and security.

With the US government is so 'bent' on sticking with( and paying Microsoft for ) running its systems on Microsoft software, they are willing to lend their experts to Microsoft in order to improve the systems design and security as a way to improve the governments already poor security rating.

Such a shame. Where is the free market cause I don't see i

Re:

[fotbr]

But its worth a lot more if you can claim you see $diety in the mold thats growing on it.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

TERRORSCAN.EXE doesn't really conform to Microsoft naming conventions. You should probably be looking for terrscn.exe

Re:

[Nasarius]

Heh. In the past few years, MS has gotten a little less stupid about implementing backwards compatibility at all the wrong layers. I guess someone finally realized that Ye Olde FAT16 was put out of its misery ten years ago, and they were using an emulator [wikipedia.org] for DOS compatibility anyway. I'll bet that typing c:\progra~1 in Explorer on Vista still works, though. *shudder*

Re:

[A_Non_Moose]

.. They contributed "WIRETAP.DLL" and "TERRORSCAN.EXE" which are required components to pass the new-and-improved Windows Genuine Advantage test, right?!?

(tinfoil hat mode = on)

No need, the backdoors are already in place, they just needed to strenghten the password to:

M0z1LLA3nG1n33r$aR3w33N13$

According to their own standards.

HTH

(/TFH off)

Good Enough

[SRA8]

...For Corporate Work

90% market share?

[Bohnanza]

"The Agency aimed to help as many people as they could, and chose to assist Vista with good reason: the OS still has a 90 percent lock on the PC market"

Wow! And it's not even out yet!

Re:

[darkmeridian]

The article probably made a typo, but all the OEM machines are already loaded with their operating systems. It seems certain that at least 90% of Dells, Gateways, HPs, and similar desktops are being preloaded with Windows Vista.

Re:

[geeber]

Fair enough, but 90% of the Dells, Gateways, and HPs currently preloaded with Vista still doesn't constitute 90% of the current machines out there in operation.

Re:

[hesiod]

> > the OS still has a 90 percent lock on the PC market
> doesn't constitute 90% of the current machines out there in operation

I don't know the true statistics either, but there is a HUGE difference between "machines in operation" and "machines ready to be sold now."

Re:

[symbolic]

I hope the words "90 percent lock" set off some alarms....that's the problem. Until Microsoft is forced to publish complete specifications for its "proprietary" document and file system formats, as well as other "proprietary" protocols so that other players are *able* to attain 100% compatibility, nothing will change. Switching an operating or an application should be painless and completely transparent to the user, but due to Microsoft's "lock," it's everything *but* painless and transparent.

Re:

[Nasarius]

Screw the Office and filesystem formats, those have been mostly reverse [openoffice.org] engineered [ntfs-3g.org]. What they could do is publish complete API documentation, so it doesn't take Wine years to catch up.

Buy!

[jbeaupre]

I'm buying more stock in Alcoa, that is. With the surge in Reynolds Wrap sales, I'll make a fortune! My just buy a roll myself.

Good, the NSA does some useful things

[crush]

If the NSA can help Microsoft tighten up it's shitty systems then that's good. There are already positive benefits from NSA research into the Flask [nsa.gov] OS in the form of GNU/Linux's SElinux [redhat.com].

The only problem I have with any of this is that this is another government subsidy (read our tax dollars) going to subsidise a private company which should (given the vast profits it makes) be able to pay for its own security research instead of dipping its snout into the public trough.

Re:

[parvenu74]

Considering how big of a job it is to make Windows secure, when the hell did the NSA find the time to tap the phone calls of Americans and "terrorists?" Something about this story sounds fishy....

Re:

[AndersOSU]

I think they used some sort of distributed computing system on every windows machine.

Tip of the day

[pubjames]

Hey, here's a tip for all you foreign governments out there: Don't use Windows! I hope that helps!

Seriously, I can't believe that there isn't greater demand for other alternatives to Windows in foreign governments. I wonder if Mahmoud Ahmadinejad uses windows...

Re:

[Cheesey]

Not just foreign governments - entire nations as well. A modern economy could be totally disrupted if all the Windows machines stopped working. It might be a bad idea to allow a foreign power to execute arbitrary code on machines in your country, which is exactly what Windows Update does. Windows Update is a very powerful weapon, all the more so because few recognise it as such.

Countries might want to set up firewalls to intercept updates so that they can be screened for malicious code before anyone can acc

Re:

[alexhs]

I wonder if Mahmoud Ahmadinejad uses windows...

I bet he does ! And doors too ! :)

Interesting (or not)

[theskipper]

Unless I missed it, while reading the article I kept expecting there to be a mention about the possible inclusion of a backdoor. Maybe my tinfoil hat is too tight but it seems like a valid question these days when discussing the NSA and operating systems. Especially for an upcoming consumer OS given that the sixpack set is reading more and more about privacy and fourth ammendment concerns in the mainstream press.

Point being, it seems like something that the vendor would want to dispel pronto. (Yes, Appl

Wow - everyone is bad at their job

[gelfling]

"For YEARS"? the NSA has helped MS with security issues? The mind reels. A bunch of talented amateurs building Linux do a better effort than the combined efforts of MS and the NSA. The next time the NSA comes to help me with a problem I think I'll politely decline.

Re:

[Kadin2048]

"For YEARS"? the NSA has helped MS with security issues? The mind reels. A bunch of talented amateurs building Linux do a better effort than the combined efforts of MS and the NSA. The next time the NSA comes to help me with a problem I think I'll politely decline.

Except that some of those "talented amateurs" were in fact NSA employees, working to make Linux more secure, as part of a project called Security-Enhanced Linux [nsa.gov]...which has been incorporated into the mainline 2.6 kernel tree.

Re:

[drinkypoo]

"For YEARS"? the NSA has helped MS with security issues? The mind reels. A bunch of talented amateurs building Linux do a better effort than the combined efforts of MS and the NSA. The next time the NSA comes to help me with a problem I think I'll politely decline.

Except that some of those "talented amateurs" were in fact NSA employees, working to make Linux more secure, as part of a project called Security-Enhanced Linux...which has been incorporated into the mainline 2.6 kernel tree.

The percentage

Security Enhanced Linux

[DaoudaW]

On one hand since the NSA has been helping with linux security for years with SELinux [nsa.gov], it seems only fair that they would be willing to similarly assist M$. But my concern would be whether they are violating the GPL under which they released SELinux. If they are using concepts they developed for the open source SELinux in Vista, shouldn't M$ be required to open source at least those portions of Vista?

Re:Security Enhanced Linux

[Vegard]

In addition to the other comments: If it's their own code, and only theirs, they are free to license it under any license they will, even if it's already licensed under GPL. It's called dual-licensing, and is a well-known practise.

- Vegard

Re:

[megaditto]

The government is above the law. Remember?

Not in US it isn't. Not even the President is above the law, believe it or not!
At least for as long as we have this tiny thing called Constitution of the United States [emory.edu]

Well THAT worked, eh?

[jpellino]

"For about four years, Microsoft has tapped the spy agency for security expertise in reviewing its operating systems, including the Windows XP consumer version..."

Jeez. If I were either MS or NSA I wouldn't even admit that given the XP home security record.

When does the NSA help Linux distros and Mac OS?

[joekampf]

When is the NSA gonna help with Red Hat, Mandrake or Mac OS? I must say that this is totally off the board. MS should be paying the NSA to help with this. They should be footing the bill!

Re:When does the NSA help Linux distros and Mac OS

[NullProg]

When is the NSA gonna help with Red Hat, Mandrake or Mac OS? I must say that this is totally off the board. MS should be paying the NSA to help with this. They should be footing the bill!

http://www.nsa.gov/selinux/ [nsa.gov]

Its only fair that the NSA helps Microsoft.

Enjoy,

Now thats SPYWARE!

[netsfr]

lol

Actually, its kinda creepy...

Read TFA

[Anonymous Codger]

It doesn't sound like NSA helped write code - it sounds like their primary contribution was in testing:

"The NSA also declined to be specific but said it used two groups -- a "red team" and a "blue team" -- to test Vista's security. The red team, for instance, posed as "the determined, technically competent adversary" to disrupt, corrupt or steal information. "They pretend to be bad guys," Sager said. The blue team helped Defense Department system administrators with Vista's configuration ."

Also, Microsoft isn't the only company that NSA and other govt. agencies have helped with security. Besides SELinux, which others have mentioned, there's Apple:

"Other software makers have turned to government agencies for security advice, including Apple, which makes the Mac OS X operating system. "We work with a number of U.S. government agencies on Mac OS X security and collaborated with the NSA on the Mac OS X security configuration guide," said Apple spokesman Anuj Nayar in an e-mail."

So this isn't that big a deal, it's just that Microsoft is trying to capitalize on the relationship to counter the prevailing belief (or truth?) that Windows is insecure and that Vista is no big improvement.

Wrong helper

[gmuslera]

They should ask for help to the Vatican, after all, is a miracle what they are looking for.

Re:

[ColdWetDog]

I've always thought an exorcism might help my XP box. God knows I've tried everything else. Something is weird in there.

ob Penny Arcade

[mike2R]

You can't uninstall evil [penny-arcade.com].

NSA and DES

[jmichaelg]

When IBM invented DES, the NSA asked to review it before IBM started selling it. DES is an encryption algorithm that involves repeatedly permuting and shifting bits. The bit shifting phase is handled by sending the permuted bits through what are called s-boxes which basically say 'move this bit over there'. NSA "requested" two revisions to DES - shorten the key to 56 bits and re-arrange some of the s-box operations. NSA didn't say why that would be "better" but made it clear to IBM that if IBM didn't comply, IBM would run into difficulties selling DES. The kind of difficulties that governments are very adept at raising. So IBM complied and implemented NSA's "requests." The presumption has always been that NSA knew how to crack the revised version of DES.

I'm curious if NSA made similar "requests" to Microsoft.

Re:

[Anonymous Coward]

To my knowledge, the change to the s-boxes was to protect against differential cryptoanalysis, which at the time, wasn't even a method known by anyone, except the NSA. When differential came out, everyone was surprised that DES mysteriously was already immune.

Uh huh . . .

[Orange Crush]

Microsoft Gets Help From NSA for Vista Security

Isn't this a bit like chickens getting help from a pack of wolves for their security needs?

Perhaps I'm being too cynical, as both MS and the NSA have just stellar track records on their concern for an individual's privacy . . .

Hi, we' re from the Government,

[arthurpaliden]

we are here to help.

Right....

Corporate Welfare Threats

[Doc Ruby]

Of course I want the NSA I pay for and depend on to protect me working to make Vista safer. Because Vista is part of the security environment, eventually the biggest part. It's such a threat to Americans' security that NSA should be able to require MS to let NSA help secure it.

The problem is that NSA costs money to operate. Tax money. Tax money that Microsoft doesn't pay [google.com]. Microsoft cuts costs by ignoring security whenever it can (most of the time). While raking in literally untold $BILLIONS in profits. Now

Microsoft does pay taxes

[donutello]

I hate to dampen your outrage but MSFT has paid an average of $4.7 Billion in income taxes over the last 3 years on income averaging $15.7 Billion over the same period of time: http://finance.yahoo.com/q/is?s=MSFT&annual [yahoo.com]

Re:

[Doc Ruby]

I hate to burn your satisfaction, but MS had annual income much more than $15.7BILLION the past 4 years. It took in an average over $40B, paying under $4.7B, or under 8.6% in taxes. In the late 1990s, MS paid practically no taxes.

Outrageous.

so will Linux code end up in M$

[josepha48]

Well since the NSA released SELinux a few years ago, or I believe it was them. I have to wonder if any of the same code will end up in M$, or will they be helping them with code?

If this did happen, how would anyone other than M$ and NSA know?

Of course, Its time for the new backdoor

[Phrogman]

I am quite serious. Windows Vista will be going all over the world in some form or another, I would think it was remiss of them if the NSA *didn't* tell MS that they were adding a backdoor to Vista and hand them the code. I bet they will be more cautious about placing it than the last time they added one, but it will be there. I am sure in compensation they help MS tighten up the rest of the security to ensure foreign governments can't crack it as effectively as the NSA.

I am sure this will be modded paranoi

This is what our government should be doing

[MarkWatson]

As a USA taxpayer, I believe that this is an example of what our government should be doing.

Before the politically motivated "war on terror", I remember seeing news articles about our FBI working with foreign governments to break up foreign hacking rings. Since 911 I don't recall hearing about this anymore.

Our NSA has in the past also donated Linux security enhancements. Excellent! Protecting our national infrastructure.

A little off topic, but this issue has me fairly angry: our government should spend mone

government

[kisak]

Seems to be a good example of the government doing a better job than a private company manages. I guess some ideologies does not allow for that.

Of course, one cannot make the stronger statement that the government is doing a better job than the free market, since MS has a monopoly in desktop computers. Maybe it is an example of the extra burden that falls on a government does not deal with anti-competitive monopolies in the market place?

Warning Will Robinson, Warning

[HermMunster]

This is a wake up call to those who don't see this following a theme that could lead to the NSA, DHS, or other organization from having direct access to your computer, your use of that computer, without you knowing it.

Microsoft managed to get he DHS to tell everyone to upgrade to SP2 because SP2 had certain features that allowed Microsoft to more easily determine things about your computer. It also aided them in determining if you are a pirate. The DHS has to have received something in return. In my humb

Re:

[jrwr00]

here we go, i found what it really said

If Microsoft made toasters... Every time you bought a loaf of bread, you would have to buy a Microsoft toaster. You wouldn't have to take the toaster, but you'd still have to pay for it anyway. Its Toaster XP and its new Toaster Vista would take up so much counter space in your kitchen that you'd have to buy a larger kitchen, plus they would draw enough electricity to power a small city. Both models would claim to be the first toaster that let you control how light or

Re:

[clickclickdrone]

>If Sony made toasters:
You forgot: * And if it ever went wrong you'd not see your toaster for 6 months and have to pay $100 for someone to even look at it even though it only cost $80.
* It only works with Sony bread which is twice as expensive but has slightly smaller slices

Bah

[ColdWetDog]

Just to show everyone that there is goodness in every evil corporation, no matter how far down the road to to hell they've gone (and I'm not talking about Microsoft today) - let me bring out Just One More Anecdote:

My 3 year old Sony TVR-38 video recorder died a few weeks ago. Looked up Sony Service on Google, got directed to the Sony website without any fuss. They offered to fix it for $240 which I thought was reasonable given that it's worked quite well and hard for the time I've owned it. Shipped it o

Re:

[Timesprout]

Not to add fuel to the fire, but where's Apple in all of this

Well if you bothered to RTFA you would have seen that Apple (and others) are getting the same sort of assistance in securing their products from the NSA.

Re:

[westlake]

How convoluted is this- that the same government that fines MS for anti-trust issues grants them "advice" and tech.

It is business as usual. Cases are settled. Life goes on.

Re:

[Sancho]

Look at it this way: the NSA is helping to prevent zombies from spamming us all to hell. Even if you're not a Windows user, you have to live with 90% of the people on the Internets being Windows users.

Re:

[0racle]

So our Taxes (for us US residents) are going to the Government (NSA included) to help secure Linux so Red Hat can sell it to us Taxpayers and make more money. What do you say that Red Hat should mark down the price of each RHEL copy sold by $1 until the monetary value of the NSA's help is repaid?

What's good for the goose is good for the gander, either SELinux was a good use of the NSA's resources or it was a waste. If it was a good use because of all the security benefits then the government should not fav

Re:

[Underfunded]

So our Taxes (for us US residents) are going to the Government (NSA included) to help secure Linux so Red Hat can sell it to us Taxpayers and make more money. What do you say that Red Hat should mark down the price of each RHEL copy sold by $1 until the monetary value of the NSA's help is repaid?

Actually, yes. I do think that when the government in some way subsidizes a company the company has the obligation to pass the savings on to the taxpayers until repaid.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[SnarfQuest]

This doesn't sound like a major code review.

i can imagine the final report:

Your code is as secure as a building made from:

[ ] 12' thick titanium walls.
[ ] 6' thick steel walls.
[ ] Concrete.
[ ] Brick.
[ ] Wood.
[ ] Tin foil.
[ ] Paper.
[X] Applesauce.

Re:

[LurkerXXX]

Yeah, Linux folks would never think of working with a SPY agency either. Oh, wait... [nsa.gov]

Re:

[LurkerXXX]

A more secure internet? Less SPAM to worry about sorting?

The NSA gets more secure windows boxes in their office, along with the more secure SELinux boxes they have. You know that Linux distro that they also must have had 'strings attached' to somehow in your mind.