Microsoft Corp. (MSFT), the world's largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.
Microsoft gives US military hackers and the NSA zero days to go hack people with.
I think this helps explain Google's 7-day disclosure. Also, fuck microsoft. Running your mouth and trying to blackball people who don't give you 60 days while (presumably selling) those exploits to governments? Just amazing.
Edit: here [1] is discussion of Tavis Ormandy / Google's new 7 day policy. I really wonder if this was partially driven by eg Microsoft's abhorrent behavior.
Or, they have a MAPP[1] subscription. You too could have information about bugs in Microsoft software before the fix has been released, if you could become a MAPP partner or subscriber.
"The Government" is a huge employer with a massive installation base of Windows systems, many of which contain sensitive information wanted by well motivated attackers. They would be keenly interested in new threats to those systems, the same way that any large corporation with a similar installation base and threat model would.
Ask yourself, if you receive information via MAPP, you have some information which could be turned into an exploit, but it will not be useful towards a goal of hacking other people's computers for long because, by definition, it is going to be patched soon. "Make hay while the sun shines" perhaps? The same window of opportunity is open to governments and corporations around the world (many Chinese companies are MAPP subscribers, the one leak of a MAPP exploit happened perhaps because of a Chinese company).
That just says you can't publish exploits derived from the ones they've told you about until they've published the original ones themselves. It doesn't say you can't use, abuse and defend against them yourself. You're effectively buying zero days.
Every foreign government and overseas company handling potentially sensitive information should immediately sue Microsoft, in U.S. and foreign courts, for damages.
Well, I don't think this is as bad as you make it out to be. This is fairly standard practice for firms, releasing the knowledge of security holes to customers, especially if a patch isn't prepared.
See the entire Heroku/Postgres for another, less insidious example.
You know what, surprisingly I am not that outraged by it. Why? Because I was expecting far worse. Installing a backdoor for the govt and purposefully leaving an exploit open.. etc. So the govt gets a head start with the vulnerabilities that Microsoft knows? Okay.. I am guessing there are far more undisclosed ones in the black market that they can buy off.
Playing devil's advocate, keep in mind that domestic computer security is part of the NSA's charter. Remember the rainbow books?
It would be completely legitimate for MSFT to warn NSA about vulnerabilities in the most common desktop operating systems in the USA if the warning were intended to aid in preventing a larger attack.
The head of NSA is also the head of the US military's cybercommand and offensive operations are definitely part of their bottom line.
This intersection between protecting civilians and attacking our military enemies should absolutely worry you, the worst nightmare of 'responsible disclosure' has just been revealed: security updates aren't being rolled out as a matter of official policy, for the explicit purpose of military offensive operations.
Since the head of the NSA is a senior military officer, they are likely to be the most qualified to head the military's computer offense capabilities.
Theoretically, there is presidential and congressional oversight to prevent them from overstepping their bounds. Unfortunately, we've largely squandered the threat of congressional inquiry on blue dresses and cigars.
What I find confusing is that, ultimately, you have to follow the money. How has MSFT been benefiting from a conspiracy to exploit their own software in overseas markets?
They know that embarrassing information will get out eventually. They also have a distant planning horizon regarding continued existence. Whatever they get in return has to have been perceived as worth the loss of any trust and goodwill as a result of the eventual disclosure.
The EFF notably feels[1] that 'zero-day' exploits should be front and center in cybersecurity debates.
Their stance is that they directly oppose 'green hats' who are selling exploits to customers that don't intend on fixing the flaws (buying a hacker's silence) and selling to governments who intend on using the exploits for clandestine operations.
"You are not even aware of what is possible. The extent of their capabilities is horrifying. We can plant bugs in machines. Once you go on the network, I can identify your machine. You will never be safe whatever protections you put in place."
–Edward Snowden
"As of 2008 there were reportedly eight million Americans listed in the database as possible threats, often for trivial reasons, whom the government may choose to track, question, or detain in a time of crisis."
We are more than halfway in the road to serfdom and tyranny.
Recently a friend was writing a screenplay for a nuclear terrorism thriller. To help him out, I did a lot of research on nuclear weapons manufacture. Lots of googling, reading particular research papers and so on.
I joked that he'd better appreciate the lists I was willing to put myself on for him, but maybe it wasn't that much of a joke.
> We are more than halfway in the road to serfdom and tyranny.
This is a good time to re-read Book 8 of the Republic (Socrates by way of Plato). The current political situation of the world is being described as if they were teleported 2000+ years, then went back to write what they saw.
"Before they agreed to install the system on their networks, some of the five major Internet companies -- AT&T Inc. (T), Verizon Communications Inc. (VZ), Sprint Nextel Corp. (S), Level 3 Communications Inc. (LVLT) and CenturyLink Inc. (CTL) -- asked for guarantees that they wouldn't be held liable under U.S. wiretap laws. Those companies that asked received a letter signed by the U.S. attorney general indicating such exposure didn't meet the legal definition of a wiretap and granting them immunity from civil lawsuits, the person said."
This will make the ACLU's law suit 1000% more interesting as a legal battle.
Verizon doesn't just sit around and think to themselves "hey, if we're going to work with the NSA we should do some CYA". They have entire legions of smart lawyers who mulled this whole NSA business over (substantially I hope) and came to the conclusion that "this is most certainly a violation of the law and we need complete documented assurance from the government that our actions can never be prosecuted in court".
> I don't understand how the executive branch can guaranty immunity from civil action in the judicial branch.
The letters from the AG are protection from criminal action, and probably government civil action, that extend beyond the term of the administration issuing them (wiretap laws have criminal as well as civil provisions, and there are cases where the government can bring civil prosecutions.) For criminal laws, ignorance of the law is not a defense, but reasonable reliance on an interpretation provided by the public authority responsible for enforcing the law usually is a defense. For civil actions, reliance on the representation of the party bringing the action likewise can be a defense.
For civil action by a third party, unless there is a specific provision that makes this a defense for the particular offense at issue (which there may be, but I'm not aware of one), I don't think this would be particularly useful under any generally applicable principle.
`Committing officer`? wtf is this? Subpoena these guys. They have immunity, so why not make them talk?
If necessary, a company executive, known as a "committing officer," is given documents that guarantee immunity from civil actions resulting from the transfer of data. The companies are provided with regular updates, which may include the broad parameters of how that information is used.
How much of a role did the requirement for complete secrecy play in this scenario? Secrecy means the recipients of such orders were isolated, thinking they were by themselves in this. Such a person will be much less likely to disobey orders.
Now that the dam has sprung a leak, and the full extent is becoming evident, people will begin to realise that they are not alone, and it is safe to talk. There is safety in numbers. One gets the feeling that the whole scheme is unravelling, and this is the trickle before the dam bursts.
> While companies are offered powerful inducements to cooperate with U.S. intelligence, many executives are motivated by patriotism or a sense they are defending national security, the people familiar with the trusted partner programs said.
Their fervent patriotism certainly didn't stop them from demanding immunity as a prerequisite.
Considering all the tax sheltering that the corporations engage in and the government doesn't aggressively pursue, I think they already get great financial breaks.
(My contacts at IRS said they are warned to avoid "poking" into certain institutions actions without highest authorization. So they go after the small fry and leave the big fish alone. Fucking game of life is rigged.)
Then you would likely be surprised about how many nationalists we have that think the USA and its agencies can do no wrong. I know many business owners who would likely provide that information just because it would give them a sense of being special and helping the cause.
Frankly I would still assume that anyone who didn't do it out of some stupid patriotic pride definitely got paid, and they likely got paid through a shell company giving special contracts, or help with some government issues (environmental regulation, building approval, etc). Tax breaks or other direct cash methods don't really hide much for publicly traded companies.
I'd love to read a book that went over all the links between carriers and the government from an outsider's perspective. Unfortunately, I have no idea how anyone could ever write that book, because every carrier I've worked with has been as opaque about the simplest aspects of their operation as the NSA has been about this spying scandal.
Wow, this scandal just keeps getting bigger and bigger. Good to see some light finally being shined into what had been darkness. A free and open society, based on classical liberal / Enlightenment ideals of individual freedom, is NOT compatible with secret governments, secret laws, secret courts, mass surveillance of the public and all of the things the US government is doing. Now we know, and now - if the people have any spine or backbone left - we can force some change.
Should be self explanatory. What would companies in say the manufacturing industry want? ... access to sensitive foreign competitors data stored on the cloud.
Industrial espionage plain and simple. It's in the interest of both the US government (to increase domestic economic activity) and said business to share this information.
Baffle them with bullshit or dazzle them with details.
I think we are against an effort to tranquilize us with tyranny!
Where we are just overwhelmed with outrageous actions such as to desensitize us to the fact that "well, holy shit, this is so pervasive and so entrenched, what is there to be done? I mean, my life was great for the last three years and this has been going on, at such great lengths, for so many years -- how bad can it be??"
This is a test as to how much we will take. They want action - they want an excuse to really show us what debt slaves we are.
To me, this is the scariest part though not that surprising:
"That metadata includes which version of the operating system, browser and Java software are being used on millions of devices around the world, information that U.S. spy agencies could use to infiltrate those computers or phones and spy on their users."
A database that contains the specific versions of installed software for millions of computers world-wide is a very powerful tool. For any given target--if their machine is in the database--compromising their system is a trivial matter! It's a "what exploit would you like to use today?" situation.
Assuming they gather this information from Internet backbones--I'm OK with that. Good for them for skimming data off the public Internet and shame on the software that makes it too easy.
On the other hand, if they're obtaining this data from the likes of Microsoft (or McAfee or any other incredibly popular vendor with an item in everyone's systray) that is an incredibly scary proposition. No target stands a snowball's chance in hell at not being (trivially) compromised. It's one of those situations where, "you'd better not use that company's products!"
I can't even imagine the sheer destruction that could occur if such information fell into the wrong hands. Imagine if some "fuck the world" anarchist hacker got his hands on a database that contained precisely the information he needed to, say, compromise (and just plain erase; 'rm -rf *') just about every banking computer that happened to be listed. It would be like, ARMAGEDDON.
> If necessary, a company executive, known as a “committing officer,” is given documents that guarantee immunity from civil actions resulting from the transfer of data.
While it makes sense for US carriers to want immunity from civil lawsuit, I'm not sure that would make sense for Google, Microsoft, et al - as obviously any US guarantee wouldn't protect them from civil lawsuits in other countries such as EU ones which have much stronger laws around data protection.
Well, they could give data 'personhood' such that it's an individual in the eyes of the law and covered by the US constitution. No more changes required, except that the NSA would grind to a halt on all of these programs.
Wait, can someone explain to me what's so bad about this? I'm a security company and I go from company to company, trying to patch up holes in their systems. I'm basically a network plumber/exterminator. Sounds like the NSA is just telling me what the bugs and leaky pipes look like so I can fix them in companies around the world.
And other systems. Amazing how much demographic data is available to third parties alone. Spend some time with a skip tracer or good bail bonds person and you realize how easy it is to get almost any data of significance on an individual.
[1] http://www.theverge.com/2013/5/30/4379004/google-to-make-cri...