Microsoft Gets Help From NSA for Vista Security

An anonymous reader writes "The Washington Post is reporting that Microsoft received help from the National Security Agency in protecting the Vista operating system from worms and viruses. The Agency aimed to help as many people as they could, and chose to assist Vista with good reason: the OS still has a 90 percent lock on the PC market, with some 600 million Vista users expected by 2010. From the article: 'The Redmond, Wash., software maker declined to be specific about the contributions the NSA made to secure the Windows operating system ... Microsoft said this is not the first time it has sought help from the NSA. For about four years, Microsoft has tapped the spy agency for security expertise in reviewing its operating systems, including the Windows XP consumer version and the Windows Server 2003 for corporate customers.'"

Tax Dollars

[Underfunded]

So our Taxes (for us US residents) are going to the Government (NSA included) to help secure Vista so Microsoft can sell it to us Taxpayers and make more money. What do you say that Microsoft should mark down the price of each Vista copy sold by $1 until the monetary value of the NSA's help is repaid?

Tip of the day

[pubjames]

Hey, here's a tip for all you foreign governments out there: Don't use Windows! I hope that helps!

Seriously, I can't believe that there isn't greater demand for other alternatives to Windows in foreign governments. I wonder if Mahmoud Ahmadinejad uses windows...

Re:Nothing new to NSA...

[temojen]

Also, there' no mention of how much of the NSA's advice MS has used and how much they've ignored.

Interesting (or not)

[theskipper]

Unless I missed it, while reading the article I kept expecting there to be a mention about the possible inclusion of a backdoor. Maybe my tinfoil hat is too tight but it seems like a valid question these days when discussing the NSA and operating systems. Especially for an upcoming consumer OS given that the sixpack set is reading more and more about privacy and fourth ammendment concerns in the mainstream press.

Point being, it seems like something that the vendor would want to dispel pronto. (Yes, Apple and Novell also as they collaborate with the NSA per TFA).

Security Enhanced Linux

[DaoudaW]

On one hand since the NSA has been helping with linux security for years with SELinux [nsa.gov], it seems only fair that they would be willing to similarly assist M$. But my concern would be whether they are violating the GPL under which they released SELinux. If they are using concepts they developed for the open source SELinux in Vista, shouldn't M$ be required to open source at least those portions of Vista?

Re:Tip of the day

[Cheesey]

Not just foreign governments - entire nations as well. A modern economy could be totally disrupted if all the Windows machines stopped working. It might be a bad idea to allow a foreign power to execute arbitrary code on machines in your country, which is exactly what Windows Update does. Windows Update is a very powerful weapon, all the more so because few recognise it as such.

Countries might want to set up firewalls to intercept updates so that they can be screened for malicious code before anyone can access them. All major application update mechanisms will need to be checked.

When does the NSA help Linux distros and Mac OS?

[joekampf]

When is the NSA gonna help with Red Hat, Mandrake or Mac OS? I must say that this is totally off the board. MS should be paying the NSA to help with this. They should be footing the bill!

Read TFA

[Anonymous Codger]

It doesn't sound like NSA helped write code - it sounds like their primary contribution was in testing:

"The NSA also declined to be specific but said it used two groups -- a "red team" and a "blue team" -- to test Vista's security. The red team, for instance, posed as "the determined, technically competent adversary" to disrupt, corrupt or steal information. "They pretend to be bad guys," Sager said. The blue team helped Defense Department system administrators with Vista's configuration ."

Also, Microsoft isn't the only company that NSA and other govt. agencies have helped with security. Besides SELinux, which others have mentioned, there's Apple:

"Other software makers have turned to government agencies for security advice, including Apple, which makes the Mac OS X operating system. "We work with a number of U.S. government agencies on Mac OS X security and collaborated with the NSA on the Mac OS X security configuration guide," said Apple spokesman Anuj Nayar in an e-mail."

So this isn't that big a deal, it's just that Microsoft is trying to capitalize on the relationship to counter the prevailing belief (or truth?) that Windows is insecure and that Vista is no big improvement.

Spook backdoor to Vista

[dougwhitehead]

The encryption cat is out of the bag, so if you can't own the communication channel, own the computers on either end.

Sure, I'm just delusional. But then again, there was that WMF exploit that according to Security guy Steve Gibson (grc.com and the SecurityNow podcast) inferred that was deliberately put in the code by someone (though he didn't point the finger at MS, some contractor for MS, at the Gov't direction, or anyone else). Before it was patched, it allowed the execution of arbitrary code on a client computer, caused by merely visiting a website that had a WMF icon/image in it.

Sure sound like a useful tool to fight terrorists who communicate on the internet (or anyone else).

Re:password length and complexity

[spun]

There's an easy way to deal with complex password requirements. One place I worked required 8 characters with at least one capital letter, one lower case letter, one number, and one punctuation mark. Plus, they required a new one every month. To top it off, they kept track of the last three passwords and you couldn't reuse them. I just memorized a pattern on the keyboard (like e4r5t6y7) and hit the shift key a couple times. Then when I changed the password, I just shifted the pattern over one letter (r5t6y7u8) Never had to write it down and I didn't forget.

NSA and DES

[jmichaelg]

When IBM invented DES, the NSA asked to review it before IBM started selling it. DES is an encryption algorithm that involves repeatedly permuting and shifting bits. The bit shifting phase is handled by sending the permuted bits through what are called s-boxes which basically say 'move this bit over there'. NSA "requested" two revisions to DES - shorten the key to 56 bits and re-arrange some of the s-box operations. NSA didn't say why that would be "better" but made it clear to IBM that if IBM didn't comply, IBM would run into difficulties selling DES. The kind of difficulties that governments are very adept at raising. So IBM complied and implemented NSA's "requests." The presumption has always been that NSA knew how to crack the revised version of DES.

I'm curious if NSA made similar "requests" to Microsoft.

Uh huh . . .

[Orange Crush]

Microsoft Gets Help From NSA for Vista Security

Isn't this a bit like chickens getting help from a pack of wolves for their security needs?

Perhaps I'm being too cynical, as both MS and the NSA have just stellar track records on their concern for an individual's privacy . . .

Comment removed

[account_deleted]

Comment removed based on user account deletion

Turn to God or to people?

[Anonymous Coward]

Why do you think that the vatican could make miracles?

Why don't you turn to God directly?

God and the church are very, very different things. Church bosses often talk as if they were mandated by God, which they are not, and indeed they often talk and act like charlatans. We all have to take on ourselves to live according to the Word. Then we ourselves will be the miracles.

Re:Spook backdoor to Vista

[gad_zuki!]

An eight year old conspiracy theory. Even Bruce Schneier doesnt buy it

Suddenly there's a flurry of press activity because someone notices that the second key in Microsoft's Crypto API in Windows NT Service Pack 5 is called "NSAKEY" in the code. Ah ha! The NSA can sign crypto suites. They can use this ability to drop a Trojaned crypto suite into your computers. Or so the conspiracy theory goes.

I don't buy it.

First, if the NSA wanted to compromise Microsoft's Crypto API, it would be much easier to either 1) convince MS to tell them the secret key for MS's signature key, 2) get MS to sign an NSA-compromised module, or 3) install a module other than Crypto API to break the encryption (no other modules need signatures). It's always easier to break good encryption by attacking the random number generator than it is to brute-force the key.

Second, NSA doesn't need a key to compromise security in Windows. Programs like Back Orifice can do it without any keys. Attacking the Crypto API still requires that the victim run an executable (even a Word macro) on his computer. If you can convince a victim to run an untrusted macro, there are a zillion smarter ways to compromise security.

Third, why in the world would anyone call a secret NSA key "NSAKEY"? Lots of people have access to source code within Microsoft; a conspiracy like this would only be known by a few people. Anyone with a debugger could have found this "NSAKEY." If this is a covert mechanism, it's not very covert.

I see two possibilities. One, that the backup key is just as Microsoft says, a backup key. It's called "NSAKEY" for some dumb reason, and that's that.

Two, that it is actually an NSA key. If the NSA is going to use Microsoft products for classified traffic, they're going to install their own cryptography. They're not going to want to show it to anyone, not even Microsoft. They are going to want to sign their own modules. So the backup key could also be an NSA internal key, so that they could install strong cryptography on Microsoft products for their own internal use.

But it's not an NSA key so they can secretly inflict weak cryptography on the unsuspecting masses. There are just too many smarter things they can do to the unsuspecting masses.

The fact that 'some security scans' consider something a threat doesnt mean it really is. This is real tin-foil stuff, especially considering if the NSA wanted to muscle MS then youd never know about it.