Microsoft Gets Help From NSA for Vista Security

An anonymous reader writes "The Washington Post is reporting that Microsoft received help from the National Security Agency in protecting the Vista operating system from worms and viruses. The Agency aimed to help as many people as they could, and chose to assist Vista with good reason: the OS still has a 90 percent lock on the PC market, with some 600 million Vista users expected by 2010. From the article: 'The Redmond, Wash., software maker declined to be specific about the contributions the NSA made to secure the Windows operating system ... Microsoft said this is not the first time it has sought help from the NSA. For about four years, Microsoft has tapped the spy agency for security expertise in reviewing its operating systems, including the Windows XP consumer version and the Windows Server 2003 for corporate customers.'"

Nothing new to NSA...

[daveschroeder]

Information Assurance [nsa.gov] has long been one of NSA's primary missions. NSA ran the Trusted Product Evaluation Program (TPEP) [faqs.org] since 1983, which evaluated off-the-shelf commercial products against standardized security criteria, and employed various experts from government, military, academia, and industry. Contributions or recommendations from TPEP often were incorporated into future iterations of vendor products. The expanded Common Criteria programs, which grew in part out of the US Trusted Computer System Evaluation Criteria [wikipedia.org] (TCSEC, the famous Rainbow Series [wikipedia.org] of security publications), picked up where TPEP left off, now administered by the National Information Assurance Partnership (NAIP) [nsa.gov] of NSA and NIST.

NSA's Information Assurance Directorate also provides public security configuration guides [nsa.gov] for many popular applications, operating systems, database servers, routers, and other networking equipment.

Also, don't forget to check out NSA's Security-enhanced Linux (SELinux) [nsa.gov] (FAQ [nsa.gov]).

When US computing, communications, and networking implementations are more secure, we all benefit, and NSA contributes to this in its overall mission.

Re:wouldn't it be nice?

[bmajik]

A cursory glance at the article would reveal that the spooks also work with Apple and that Novel also works with "somebody" in the govt.

The article also states why the NSA thinks this is in their (and the countries) interest - the mandate has come down that procurement focus on COTS (commercial, off the shelf) for more and more things. If the security of the nation or the safety of a ship or soldier are going to be left to commercial software, the government should take a more active role in due dilligence and capability review of the products it is buying. The NSA is a logical choice for doing some of that work.

I am a little surprised that nobody has said "the NSA is hording vulnerability info on windows for their own evil purposes! Use Linux!" I'll leave it as an exercize to the reader as to why that is a non-issue. (Hint: does the NSA also get to review the linux code?)

NSA

[Savage-Rabbit]

Wouldn't it be nice to be a company so large and dominant in it's industry yet so inept in delivering a code-complete product it gets help (I'm assuming for free) from government agencies to try and get it right?

To be fair to the NSA (and leaving aside for the moment any tin-foil-hat conspiracy theories about backdoors) they also gave Linux some security overhauls [wikipedia.org]. So it's not as if they are picking sides here. The NSA also publishes Operating Systems Guides [nsa.gov] that any administrator or user can download and use to harden his/her OS. These are also available for multiple OS'es. I'm no fan of the NSA but sometimes they actually do good work.

Re:When does the NSA help Linux distros and Mac OS

[NullProg]

When is the NSA gonna help with Red Hat, Mandrake or Mac OS? I must say that this is totally off the board. MS should be paying the NSA to help with this. They should be footing the bill!

http://www.nsa.gov/selinux/ [nsa.gov]

Its only fair that the NSA helps Microsoft.

Enjoy,

Re:Security Enhanced Linux

[Vegard]

In addition to the other comments: If it's their own code, and only theirs, they are free to license it under any license they will, even if it's already licensed under GPL. It's called dual-licensing, and is a well-known practise.

- Vegard

Re:NSA and DES

[Anonymous Coward]

To my knowledge, the change to the s-boxes was to protect against differential cryptoanalysis, which at the time, wasn't even a method known by anyone, except the NSA. When differential came out, everyone was surprised that DES mysteriously was already immune.

Re:NSA and DES

[Anonymous Coward]

You forgot an important part in your story. Years after DES came to light, differential cryptanalysis was discovered by Biham and Shamir. The NSA knew about this technique and it was shown that the NSA-modified S-Box was actually pretty resistent to the attack. The NSA wanted to make sure DES was secure (because they expected differential cryptanalysis to be independantly discovered somewhere and that DES was supposed to because THE encryption standard in the US for commercial applications). They made the change to the S-Box, but they couldn't say WHY they were doing it.

As for the 56 bits for the "exportable" version of the algo, it's probably because the NSA expected to be able to brute-force it if needed.

Re:Spook backdoor to Vista

[jafac]

Well, there's two things about this.

First, there's the mysterious NSAKey API that was in IE 4.0 (don't know if it was in later versions).
Then, there's the regkey for tcpip maxhalfopenretries, or is it maxhalfopenretires? Nobody seems to know. Yet the "retires" version is in the Win2k template supplied by the NSA. And if you run that template, this setting shows up as a vulnerability on security scans. It's a hell of a bad back door, if it's a back door, (because the vulnerability is a DoS, not very useful for snooping) but I don't understand how this mistake could just sit there, in plain text, in a freely downloadable template, without anyone trying to address it for so many years.

Re:NSA and DES

[Anonymous Coward]

I like a good conspiracy theory as much as the next guy, but I think it has been shown that the Agency actually increased the security of DES by modifying the S-boxes. It is also demonstrates that they knew about differential cryptography before this was later "discovered" publicly.

http://en.wikipedia.org/wiki/Data_Encryption_Stand ard#NSA.27s_involvement_in_the_design [wikipedia.org]

Re:wouldn't it be nice?

[ScentCone]

Consider that the drive I bought at Costco 10 years ago (500MB) costs on the order of 500 to 1000 times more (that's almost two magnitudes) than storage today, and that Microsoft continues to charge at the same rate -- they even seem to adjust for inflation.

Do you really think that what Microsoft does and sells is the same thing as storage density? They have people, producing and supporting an enormous range of products and services. Unless you're suggesting that what it costs to employ and retain people has gone down by 500-1000 times over the last 10 years, I don't really think you're rationally comparing two useful things. Are you in IT? Have you reduced what you charge for you services by that much in the last 10 years?

Re:NSA and DES

[Anonymous Coward]

From the wikipedia article on DES [wikipedia.org]:

Some of the suspicions about hidden weaknesses in the S-boxes were allayed in 1990, with the independent discovery and open publication by Eli Biham and Adi Shamir of differential cryptanalysis, a general method for breaking block ciphers. The S-boxes of DES were much more resistant to the attack than if they had been chosen at random, strongly suggesting that IBM knew about the technique back in the 1970s. This was indeed the case--in 1994, Don Coppersmith published the original design criteria for the S-boxes. According to Steven Levy, IBM Watson researchers discovered differential cryptanalytic attacks in 1974 and were asked by the NSA to keep the technique secret. Coppersmith explains, "that was because [differential cryptanalysis] can be a very powerful tool, used against many schemes, and there was concern that such information in the public domain could adversely affect national security." Levy quotes Walter Tuchman: "[t]hey asked us to stamp all our documents confidential... We actually put a number on each one and locked them up in safes, because they were considered U.S. government classified. They said do it. So I did it". Shamir himself commented, "I would say that, contrary to what some people believe, there is no evidence of tampering with the DES so that the basic design was weakened."

(Emphasis added)

The change from 64 to 56 bits was to include an 8-bit checksum. Whether or not that was a good idea is more debatable than the changes to the S-Boxes, but is far from a HUGE GOVERNMENT CONSPIRACY. Sorry for the diversion, go back to coating your walls with tinfoil.

Would you Prefer...

[Morosoph]

Useful, "Karma-Whoring" replies, or petty arguments that give no information, and give no leads to discover things for yourself?

The Karma system, here, is doing its job. That some people "abuse" it by responding to incentives is, I have to say, a bizzare position.