Microsoft Gets Help From NSA for Vista Security 233
An anonymous reader writes "The Washington Post is reporting that Microsoft received help from the National Security Agency in protecting the Vista operating system from worms and viruses. The Agency aimed to help as many people as they could, and chose to assist Vista with good reason: the OS still has a 90 percent lock on the PC market, with some 600 million Vista users expected by 2010. From the article: 'The Redmond, Wash., software maker declined to be specific about the contributions the NSA made to secure the Windows operating system ... Microsoft said this is not the first time it has sought help from the NSA. For about four years, Microsoft has tapped the spy agency for security expertise in reviewing its operating systems, including the Windows XP consumer version and the Windows Server 2003 for corporate customers.'"
wouldn't it be nice? (Score:5, Insightful)
Wouldn't it be nice to be a company so large and dominant in it's industry yet so inept in delivering a code-complete product it gets help (I'm assuming for free) from government agencies to try and get it right? So, my tax dollars at work for Microsoft... (the article does mention Microsoft gets this help for free, I can only assume then "we" foot the bill).
I'm not saying Microsoft shouldn't collaborate with external organizations, but why am I paying for it? Even more reason to be upset about their usurious rates for their new OS. Consider that the drive I bought at Costco 10 years ago (500MB) costs on the order of 500 to 1000 times more (that's almost two magnitudes) than storage today, and that Microsoft continues to charge at the same rate -- they even seem to adjust for inflation.
</rant>
Good, the NSA does some useful things (Score:5, Insightful)
If the NSA can help Microsoft tighten up it's shitty systems then that's good. There are already positive benefits from NSA research into the Flask [nsa.gov] OS in the form of GNU/Linux's SElinux [redhat.com].
The only problem I have with any of this is that this is another government subsidy (read our tax dollars) going to subsidise a private company which should (given the vast profits it makes) be able to pay for its own security research instead of dipping its snout into the public trough.
Re:Nothing new to NSA... (Score:2, Insightful)
What's especially humorous is that, as of the time you posted your childish reply, my post hadn't been modded up, down, or changed in any way.
Feel better now? Thanks for the troll, though!
Re:Nothing new to NSA... (Score:3, Insightful)
Helping Microsoft or helping users? (Score:5, Insightful)
I certainly understand and share the frustration of tax-dollars helping a healthy and profitable corporation, but another way to look at this is NSA is helping the users. The proper long-term solution would, probably, be to make software vendors liable for flaws in their products — as is the case with most other industries. Short-term, however, National Security Agency making personal computers harder to hijack does, indeed, contribute to, uhmm, national security...
Microsoft is not the only entity to benefit either, BTW. For example, FreeBSD cvs-commit messages have plenty of acknowledgments of government's help (fgrep for TrustedBSD [trustedbsd.org]). The NSA-funded [nsa.gov] SELinux [wikipedia.org] is another example...
NSA is, supposedly, full of very smart, technically adept people, who, no doubt, strongly prefer Unix-like OSes (on average) to Microsoft's offerings. However, with Microsoft's market-dominance, it gives a lot more bang for the NSA's buck to help them, rather than the OSS projects...
Granted, there is a danger of this solution perpetuating the problem, but that's a distant and lesser danger, than the present and grave one of millions of zombies arraigned into bot-nets and immediately usable (and up for hire) against businesses and government institutions alike.
Re:Tax Dollars (Score:3, Insightful)
Batting 500 (Score:2, Insightful)
The NSA has many reasons to help MS. From the article it is obvious that they recognize that MS has a pervasive monopoly in desktop OSes and is expected to continue to. (Anyone hear the DOJ going EEK here?) If they secure this OS they make their lives easier and safer for the foreseeable future. Besides, they can get in on the development of the code and make sure that they will have the "behind the scenes" access that they want. (for your personal protection of course!)
"I'm not saying Microsoft shouldn't collaborate with external organizations, but why am I paying for it? Even more reason to be upset about their usurious rates for their new OS. Consider that the drive I bought at Costco 10 years ago (500MB) costs on the order of 500 to 1000 times more (that's almost two magnitudes) than storage today, and that Microsoft continues to charge at the same rate -- they even seem to adjust for inflation."
Huh?
password length and complexity (Score:5, Insightful)
Re:Helping Microsoft or helping users? (Score:3, Insightful)
I certainly understand and share the frustration of tax-dollars helping a healthy and profitable corporation, but another way to look at this is NSA is helping the users.
It would be nice if that were true, but given the secrecy and lack of information about exactly what the NSA did we have no idea how "helped" any of us are.
As it stands, this announcement is effectively the government giving free publicity to Microsoft and claiming without any evidence that Vista is secure in some way. (See all the "Good Housekeeping" seal-of-approval guff from the Microsoft spokesperson in the article.) In fact we have no idea from this whether they were helping to get Treacherous Computing [gnu.org] debugged, so that "the users" don't control the software on their machines properly, or if they just tested a firewall, or what.
In any event, if the government wanted to help "the users" it would make it very clear as to what security criteria were met and whether or not Vista reaches it. It would publish a table with GNU/Linux, Mac OSX, Microsoft Vista etc results from their testing labs and make recommendations as to which should/should-not be used if we want to stop our economy being crippled (through wasted time, ID theft etc) by crappy software.
The fact that none of the above is done lends credence to the theory that this is the government lending a helping hand to a private monopoly, because the roll out of their latest software abortion is looking like a flop.
This is the equivalent of Microsoft jumping up and down beside the NSA and yelling "look, I'm with the trustworthy guy!". Shame on the NSA for either being used, or voluntarily abusing its position like this.
Re:Nothing new to NSA... (Score:5, Insightful)
Local vs. Remote attacks (Score:5, Insightful)
It's a little more complex than that.
"Good" passwords (which, as you note, are more likely to get written down) are much better against remote attacks but often no better or even worse (because they get written down) against local attacks. It all comes down to what you are trying to protect against. If the majority of the people you are worried about have access to the sticky notes on your monitor, long passwords that need to be written down are not going to help much (unless you make a habit of writing them down incorrectly).
But for most net-connected resources these days, strong passwords are probably better simply because there are more bad guys "out there" than "in here."
If this is not the case for you--if, in other words, there are more bad guys within your office than outside it--you may want to change jobs and report your present employer to the authorities. (Unless of course your present employer is "the authorities", in which case you should probably also start carrying a Geiger counter as soon as you quit.)
--MarkusQ
Re:Nothing new to NSA... (Score:3, Insightful)
Re:Tax Dollars (Score:2, Insightful)
Actually, yes. I do think that when the government in some way subsidizes a company the company has the obligation to pass the savings on to the taxpayers until repaid.