Microsoft informs the NSA of bugs in Windows before fixing them – archived source

How Can Any Company Ever Trust Microsoft Again?

Glyn Moody – Published 14:34, 17 June 13

Irrespective of the details of the current revelations about US spying being provided by Edward Snowden in the Guardian, there is already a huge collateral benefit. On the one hand, the US government is falling over itself to deny some of the allegations by offering its own version of the story. That for the first time gives us official details about programmes that before we only knew through leaks and rumours, if at all. Moreover, the unseemly haste and constantly-shifting story from the US authorities is confirmation, if anyone still needed it, that what Snowden is revealing is important – you don’t kick up such a fuss over nothing.

But perhaps even more crucially, other journalists have finally been shamed into asking some of the questions they ought to have asked years and even decades ago. This has resulted in a series of extremely interesting stories about NSA spying, many of which contain ancillary information that is just as important as the main story. Here’s a great example that appeared over the weekend on the Bloomberg site.

Among other things, it is about Microsoft, and the extent to which it has been helping the NSA spy on the world. Of course, that’s not a new fear. Back in 1999, it was asserted that backdoors had been built into Windows:

A careless mistake by Microsoft programmers has revealed that special access codes prepared by the US National Security Agency have been secretly built into Windows. The NSA access system is built into every version of the Windows operating system now in use, except early releases of Windows 95 (and its predecessors). The discovery comes close on the heels of the revelations earlier this year that another US software giant, Lotus, had built an NSA “help information” trapdoor into its Notes system, and that security functions on other software systems had been deliberately crippled.

More recently, there has been concern about Skype, bought by Microsoft in May 2011. In 2012, there were discussions about whether Microsoft had changed Skype’s architecture in order to make snooping easier (the company even had a patent on the idea). The recent leaks seem to confirm that those fears were well founded, as Slate points out:

There were many striking details in the Washington Post’s scoop about PRISM and its capabilities, but one part in particular stood out to me. The Post, citing a top-secret NSA PowerPoint slide, wrote that the agency has a specific “User’s Guide for PRISM Skype Collection” that outlines how it can eavesdrop on Skype “when one end of the call is a conventional telephone and for any combination of ‘audio, video, chat, and file transfers’ when Skype users connect by computer alone.”

But even that pales into insignificance compared to the latest information obtained by Bloomberg:

Microsoft Corp., the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.

Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn’t ask and can’t be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.

Frank Shaw, a spokesman for Microsoft, said those releases occur in cooperation with multiple agencies and are designed to give government “an early start” on risk assessment and mitigation.

So let’s think about that for a moment.

Companies and governments buy Microsoft’s software, depending on the company to create programs that are secure and safe. No software is completely bug-free, and serious flaws are frequently found in Microsoft’s code (and in open source, too, of course). So the issue is not about whether software has flaws – every non-trivial piece of code does – but how the people who produce that code respond to them.

What companies and governments want is for those flaws to be fixed as soon as possible, so that they can’t be exploited by criminals to wreak damage on their systems. And yet we now learn that one of the first things that Microsoft does is to send information about those vulnerabilities to “multiple agencies” – presumably that includes the NSA and CIA. Moreover, we also know that “this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments”.

And remember that “foreign governments” means those in EU countries as well as elsewhere (the fact that the UK government has been spying on “friendly” countries emphasises that everyone is doing it). Moreover, it would be naïve to think that the US spy agencies are using these zero-day exploits purely to break into government systems; industrial espionage formed part of the older Echelon surveillance system, and there’s no reason to think that the US will restrain itself nowadays (if anything, things have got far worse).

That means it’s highly likely that vulnerabilities in Microsoft products are routinely being used to break into foreign governments and companies for the purpose of various kinds of espionage. So every time a company installs a new patch from Microsoft to fix major flaws, it’s worth bearing in mind that someone may have just used that vulnerability for nefarious purposes.

The implications of this are really rather profound. Companies buy Microsoft products for many reasons, but they all assume that the company is doing its best to protect them. The latest revelations show that is a false assumption: Microsoft consciously and regularly passes on information about how to break into its products to US agencies. What happens to that information thereafter is, of course, a secret. Not because of “terrorism”, but because almost certainly illegal attacks are being made against countries outside the US, and their companies.

That is nothing less than a betrayal of the trust that users place in Microsoft, and I wonder how any IT manager can seriously recommend using Microsoft products again now that we know they are almost certainly vectors of attacks by US spy agencies that potentially could cause enormous losses to the companies concerned (as happened with Echelon).

But there’s another interesting angle. Although not much has been written about it – including by me, to my shame – a new legislative agreement dealing with online attacks is being drawn up in the EU. Here’s one aspect of it:

The text would require member states to set their maximum terms of imprisonment at not less than two years for the crimes of: illegally accessing or interfering with information systems, illegally interfering with data, illegally intercepting communications or intentionally producing and selling tools used to commit these offences.

“Illegally accessing or interfering with information systems” seems to be precisely what the US government is doing to foreign systems, presumably including those in the EU too. So that would indicate that the US government will fall foul of these new regulations. But maybe Microsoft will too, since it is clearly making the “illegal access” possible in the first place.

And there’s another aspect. Suppose that the US spies used flaws in Microsoft’s software to break into a corporate system and to spy on third parties. I wonder whether companies might find themselves accused of all sorts of crimes about which they know nothing, and face prosecution as a result. Proving innocence here would be difficult, since it would be true that the company’s systems were used for spying.

At the very least, that risk is yet another good reason never to use Microsoft’s software, along with all the others that I have been writing about here for years. Not just that open source is generally cheaper (especially once you take into account the cost of lock-in that Microsoft software brings with it), better written, faster, more reliable and more secure, but that above all, free software respects its users, placing them firmly in control.

It thus frees you from concerns that the company supplying a program will allow others secretly to turn the software you paid good money for against you to your detriment. After all, most of the bug-fixing in open source is done by coders that have little love for top-down authority, so the likelihood that they will be willing to hand over vulnerabilities to the NSA on a regular basis, as Microsoft does, must be vanishingly small.