
Microsoft Gets Help From NSA for Vista Security

Posted by Zonk
from the keeping-them-from-getting-into-mischief dept.
An anonymous reader writes "The Washington Post is reporting that Microsoft received help from the National Security Agency in protecting the Vista operating system from worms and viruses. The Agency aimed to help as many people as they could, and chose to assist Vista with good reason: the OS still has a 90 percent lock on the PC market, with some 600 million Vista users expected by 2010. From the article: 'The Redmond, Wash., software maker declined to be specific about the contributions the NSA made to secure the Windows operating system ... Microsoft said this is not the first time it has sought help from the NSA. For about four years, Microsoft has tapped the spy agency for security expertise in reviewing its operating systems, including the Windows XP consumer version and the Windows Server 2003 for corporate customers.'"

  • by yagu (721525) * <yayagu@@@gmail...com> on Tuesday January 09, 2007 @10:57AM (#17522282) Journal

    Wouldn't it be nice to be a company so large and dominant in its industry yet so inept in delivering a code-complete product it gets help (I'm assuming for free) from government agencies to try and get it right? So, my tax dollars at work for Microsoft... (the article does mention Microsoft gets this help for free, I can only assume then "we" foot the bill).

    I'm not saying Microsoft shouldn't collaborate with external organizations, but why am I paying for it? Even more reason to be upset about their usurious rates for their new OS. Consider that the drive I bought at Costco 10 years ago (500MB) costs on the order of 500 to 1000 times more (that's almost two magnitudes) than storage today, and that Microsoft continues to charge at the same rate -- they even seem to adjust for inflation.

    </rant>

  • by crush (19364) on Tuesday January 09, 2007 @11:04AM (#17522398)

    If the NSA can help Microsoft tighten up its shitty systems then that's good. There are already positive benefits from NSA research into the Flask [nsa.gov] OS in the form of GNU/Linux's SELinux [redhat.com].

    The only problem I have with any of this is that this is another government subsidy (read our tax dollars) going to subsidise a private company which should (given the vast profits it makes) be able to pay for its own security research instead of dipping its snout into the public trough.

  • by daveschroeder (516195) * on Tuesday January 09, 2007 @11:07AM (#17522440)
    Nope. Just someone who happens to be a subscriber (which one would think is a good thing if one enjoys slashdot (???)), happened to see an article about to be posted, and wrote the same reply I'd have written regardless.

    What's especially humorous is that, as of the time you posted your childish reply, my post hadn't been modded up, down, or changed in any way.

    Feel better now? Thanks for the troll, though!
  • by bbernard (930130) on Tuesday January 09, 2007 @11:12AM (#17522508)
    It's interesting to me to notice that at least some of the things the NSA has suggested for XP and 2003 are settings and options that need to be configured and are not pre-configured for "out-of-the-box" operation. For instance, password length and complexity. Perhaps that's a bad example, but it shows that Microsoft is willingly supplying their OS software configured in a way that they know provides sub-standard security. While I don't specifically blame them for that--can you imagine the home users that would jump to Mac if they had to "put up with" highly secure systems--I'd love to see an install option for "high security" or the like. Even 2003 server doesn't install with an NSA recommended configuration.
  • by mi (197448) <slashdot-2012@virtual-estates.net> on Tuesday January 09, 2007 @11:21AM (#17522604) Homepage

    I certainly understand and share the frustration of tax-dollars helping a healthy and profitable corporation, but another way to look at this is NSA is helping the users. The proper long-term solution would, probably, be to make software vendors liable for flaws in their products — as is the case with most other industries. Short-term, however, National Security Agency making personal computers harder to hijack does, indeed, contribute to, uhmm, national security...

    Microsoft is not the only entity to benefit either, BTW. For example, FreeBSD cvs-commit messages have plenty of acknowledgments of government's help (fgrep for TrustedBSD [trustedbsd.org]). The NSA-funded [nsa.gov] SELinux [wikipedia.org] is another example...

    NSA is, supposedly, full of very smart, technically adept people, who, no doubt, strongly prefer Unix-like OSes (on average) to Microsoft's offerings. However, with Microsoft's market-dominance, it gives a lot more bang for the NSA's buck to help them, rather than the OSS projects...

    Granted, there is a danger of this solution perpetuating the problem, but that's a distant and lesser danger than the present and grave one of millions of zombies arrayed into bot-nets and immediately usable (and up for hire) against businesses and government institutions alike.

  • Re:Tax Dollars (Score:3, Insightful)

    by Sancho (17056) * on Tuesday January 09, 2007 @11:26AM (#17522680) Homepage
    Look at it this way: the NSA is helping to prevent zombies from spamming us all to hell. Even if you're not a Windows user, you have to live with 90% of the people on the Internets being Windows users.
  • Batting 500 (Score:2, Insightful)

    by Gription (1006467) on Tuesday January 09, 2007 @11:28AM (#17522714)
    "Wouldn't it be nice to be a company so large and dominant in its industry yet so inept in delivering a code-complete product it gets help (I'm assuming for free) from government agencies to try and get it right? So, my tax dollars at work for Microsoft... (the article does mention Microsoft gets this help for free, I can only assume then "we" foot the bill)."

    The NSA has many reasons to help MS. From the article it is obvious that they recognize that MS has a pervasive monopoly in desktop OSes and is expected to continue to. (Anyone hear the DOJ going EEK here?) If they secure this OS they make their lives easier and safer for the foreseeable future. Besides, they can get in on the development of the code and make sure that they will have the "behind the scenes" access that they want. (for your personal protection of course!)

    "I'm not saying Microsoft shouldn't collaborate with external organizations, but why am I paying for it? Even more reason to be upset about their usurious rates for their new OS. Consider that the drive I bought at Costco 10 years ago (500MB) costs on the order of 500 to 1000 times more (that's almost two magnitudes) than storage today, and that Microsoft continues to charge at the same rate -- they even seem to adjust for inflation."

    Huh?
  • by wiredog (43288) on Tuesday January 09, 2007 @11:39AM (#17522862) Journal
    The longer and more complex it is, the more likely it is to be written down on a Post-it stuck to the side of the monitor. Especially if you have multiple passwords on different change cycles. "Must have a capital letter, special character, number, be at least 8 characters long, and change every 3 months" is probably, in the long run, no more secure than "must be at least 8 characters long, contain one or more non-alphabetic characters, and change twice a year".
  • by crush (19364) on Tuesday January 09, 2007 @11:56AM (#17523116)

    I certainly understand and share the frustration of tax-dollars helping a healthy and profitable corporation, but another way to look at this is NSA is helping the users.

    It would be nice if that were true, but given the secrecy and lack of information about exactly what the NSA did we have no idea how "helped" any of us are.

    As it stands, this announcement is effectively the government giving free publicity to Microsoft and claiming without any evidence that Vista is secure in some way. (See all the "Good Housekeeping" seal-of-approval guff from the Microsoft spokesperson in the article.) In fact we have no idea from this whether they were helping to get Treacherous Computing [gnu.org] debugged, so that "the users" don't control the software on their machines properly, or if they just tested a firewall, or what.

    In any event, if the government wanted to help "the users" it would make it very clear as to what security criteria were met and whether or not Vista reaches it. It would publish a table with GNU/Linux, Mac OSX, Microsoft Vista etc results from their testing labs and make recommendations as to which should/should-not be used if we want to stop our economy being crippled (through wasted time, ID theft etc) by crappy software.

    The fact that none of the above is done lends credence to the theory that this is the government lending a helping hand to a private monopoly, because the roll out of their latest software abortion is looking like a flop.

    This is the equivalent of Microsoft jumping up and down beside the NSA and yelling "look, I'm with the trustworthy guy!". Shame on the NSA for either being used, or voluntarily abusing its position like this.

  • by bman08 (239376) on Tuesday January 09, 2007 @12:09PM (#17523272)
    The problem is the question they asked. Not, "How can we make a secure product?" but "How can we make the product we have secure?"
  • by MarkusQ (450076) on Tuesday January 09, 2007 @12:12PM (#17523316) Journal

    It's a little more complex than that.

    "Good" passwords (which, as you note, are more likely to get written down) are much better against remote attacks but often no better or even worse (because they get written down) against local attacks. It all comes down to what you are trying to protect against. If the majority of the people you are worried about have access to the sticky notes on your monitor, long passwords that need to be written down are not going to help much (unless you make a habit of writing them down incorrectly).

    But for most net-connected resources these days, strong passwords are probably better simply because there are more bad guys "out there" than "in here."

    If this is not the case for you--if, in other words, there are more bad guys within your office than outside it--you may want to change jobs and report your present employer to the authorities. (Unless of course your present employer is "the authorities", in which case you should probably also start carrying a Geiger counter as soon as you quit.)

    --MarkusQ

  • by novus ordo (843883) on Tuesday January 09, 2007 @12:48PM (#17523802) Journal
    Wouldn't be the first [networkworld.com] time.
  • Re:Tax Dollars (Score:2, Insightful)

    by Underfunded (1039600) on Tuesday January 09, 2007 @01:49PM (#17524754)
    So our Taxes (for us US residents) are going to the Government (NSA included) to help secure Linux so Red Hat can sell it to us Taxpayers and make more money. What do you say that Red Hat should mark down the price of each RHEL copy sold by $1 until the monetary value of the NSA's help is repaid?

    Actually, yes. I do think that when the government in some way subsidizes a company the company has the obligation to pass the savings on to the taxpayers until repaid.
