From Bloomberg: “Microsoft, the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.” The lid has officially been blown off.
So Windows is more “secure” only if you’re government. Any new government backdoors you’d like to tell us about, Microsoft?
I don’t normally care a whole lot about the pros and cons of proprietary vs. open source… but Microsoft just gave free and open source software one hell of a boost. Once again, I am amazed. Government (and paying corporations/partners) above literally everyone else.
Not at all. Unless you are going to examine every bit of code that goes on your machine, it’s entirely possible for open source software to have these backdoors just as much as, if not more than, proprietary software. Peer code review is easy enough to slip something by, especially if it manifests no obvious symptoms and considering how many various distributions patch their software in custom ways. Are you going to examine every patch? Every update? No? Then you could be just as vulnerable as anyone running Windows.
Vulnerable but not as vulnerable.
There are more people from different parts of the world looking at the code and commits. Sure, something could slip by, but the chances are pretty slim. The chances the project will keep important security issues from you in order to appease the U.S. government are also much smaller.
That is exactly what happens. Code like that of the Linux kernel is permanently reviewed. No single patch goes in without multiple reviews from different people, without the patch being publicly available.
The nature, read license, also makes sure all distributors publish their patches, and even try to get them proactively upstream.
That is what's happening, yes. There are 1000 times as many reviewers as coders, and not everybody needs to cross-check everything again. A chain of trust and shared work. Get used to it, it's the present and future because these days software like a kernel is too complex for individuals.
Edited 2013-06-15 11:43 UTC
This may come as a shock to you, but the term “backdoor” doesn’t actually refer to selective disclosure of security vulnerabilities. But hey, don’t let reality get in the way of your self-righteous posturing.
Sure, if you prefer to have your systems compromised by Russian/Chinese/Eastern European criminals:
http://arstechnica.com/security/2013/04/exclusive-ongoing-malware-a…
A company prioritizing the needs of their most valuable/important customers? SHOCKING!!!
Uhhh…if you trust ANY OS then you honestly deserve what you get, or did you forget the stink a few years back about some NSA guys working on critical parts of BSD?
The moral of this story is don’t use IE, have a decent firewall, and pay attention to what is going on with your PC and network. MSFT can give first dibs to the king of the moon for all I care, they can slam into my firewall and join all the Chinese and Eastern EU hackers that slam against it every day, good luck.
You mean the bullshit thing where they supposedly put backdoors in the IPSEC code?
Just like how you shouldn’t trust the OS you shouldn’t trust anything you read on the internet.
… it’s a feature. Well, for the NSA at least
Because I guessed this sort of stuff was happening 3 years ago…
Not surprised and also don’t see the problem with it.
You don’t see the problem with deliberately delaying fixing security issues with a very widely-used OS?
And even ignoring that little security fact, it also raises the question: “If the company is willing to go that far to appease the government, then what else might they be doing for them?”
The security fact is that government has a lot more to lose than you do if they are caught with an un-patched but exploited vulnerability. I don’t see this as “appeas[ing] the government” but common sense.
They also have a lot more to gain than I do when attempting to breach security and infiltrate the computers of other worldwide governments, thanks to being the only people (besides Microsoft itself and likely a few other U.S. government organizations) to know about these zero-day exploits. Shit, all I would gain is “FELONY” on my record and a prison sentence.
I truly don’t know why the f*** non-U.S. governments continue to use Microsoft software at this point. I wonder if all this news since the data collection broke will eventually cause governments around the world to begin seriously considering non-U.S. alternatives. If so, well done again U.S. Government–you’re continuing to run your economy into the ground.
Edited 2013-06-15 00:56 UTC
Other governments and even large corporations are within their rights to demand the same from Microsoft as a condition of licensing their software. As individuals, it might not be easy or possible to demand the same, but there is nothing stopping you from trying.
If I were a foreign government, I would not trust for a second Microsoft to not have the deal in such a way that their own government–the U.S.–gets special privileges above all others. And what’s stopping the U.S. from demanding that? I wouldn’t trust them to give all governments a level playing field–clearly a large part of the reason for doing this (aside from security of their own systems) is to exploit other government systems. When that’s the case, do you really expect them to play fair?
Bullshit. My private data is more important to me than anything the government has (with the exception of the copy of my private data the NSA has, maybe).
Windows is in use in by far more critical environments than those idiot NSA voyeurs.
Edited 2013-06-15 11:53 UTC
Yeah, because it’s not as if governments manage any kind of critical public infrastructure…. Facepalm.
…which isn’t actually a fact, or even remotely accurate for that matter…
ZOMG, those hypothetical bastards!!!
Instead of focusing only on Microsoft I would like to know what the other commercial OS vendors do.
Agree! And I’d also like to know what major open source vendors do. In a situation like this, one is no less vulnerable than the other and, as no one reviews the code of a full distribution in its entirety (that’s far too much code for one person), slipping a back door in would be child’s play for agents especially if said distribution (as most do) uses many custom patches.
That’s why there is not only one person reviewing code in open source.
That very much depends on the project.
Remind me, how’s that approach been working out lately?
http://www.osnews.com/story/27065/Large_number_of_security_issues_i…
http://arstechnica.com/security/2013/04/exclusive-ongoing-malware-a…
Are they actually delaying fixing the security issues, or are they just informing intelligence agencies of the exploits while they work to fix them?
If it is the former, shame on them, if the latter…well I suppose it would motivate the more privacy conscientious Microsoft employees to work hard to fix the problem faster.
EDIT: I would like to clarify that I frown on both behaviors. I just think that delaying fixing security exploits is the worse of the two options.
Edited 2013-06-14 20:52 UTC
How does advanced notification equate to delaying fixing?
The information is only worth something if it can be used. Flame and Stuxnet, both NSA products but surely there are many more, were using plenty of Windows zero-day exploits for years. Now we know the story behind it.
Edited 2013-06-15 12:07 UTC
How does advanced notification equate to delaying fixing?
In the same way that “trolling” equates to expressing any strong opinion, or in the same way that “patent trolling” equates to any litigation related to patents, or in the same way that “shill” equates to making any statement in defense of an unpopular company, etc etc etc….
This is what online debate has become: the dilution of the meaning of well-defined terms, due to deliberate “linguistic escalation.” Someone calls you a fanboy? Then you call them a troll… then they retaliate by calling you a shill, so you call them an astroturfer, ad infinitum.
The object is to find the most damning label you can think of, and to hell with accuracy!
And where does the article say anything about Microsoft delaying the public release of security fixes? Hint: it doesn’t, you’re just conflating “early alert” with deliberate delays in providing security fixes.
Makes you wonder how many companies out there are directly consulting the US government. Google? Apple? Also, what about hardware exploits/backdoors?
But government agencies use Windows, they are at the same risk, something is fishy.
Well, gov agencies monitor the gov, other agencies and their own people too, to prevent/identify whistle blowers for example, or collect dirty material in case of …
to give info about bugs to their own government, even if the update is not yet ready. And if they are more important than an ordinary customer? Good for them.
This makes me wonder if China knew about this, given the fact that they have / are moving government machines to Ubuntu Kylin. I feel like this has been an ongoing practice for a while now.
More likely it was done to make it difficult for other countries to retaliate in kind for China’s state-sponsored cyber attacks:
http://krebsonsecurity.com/2013/02/bit9-breach-began-in-july-2012/
http://krebsonsecurity.com/2010/01/new-clues-suggest-stronger-chine…
Shoring up your own defenses before going on the offense against others? Well that’s just common sense.
Edited 2013-06-15 18:10 UTC
Funny how the US Govt says Huawei is a threat to national security and makes a big deal of it, but when US companies give US agencies Zero days that is somehow okay…
NSA to Public: If you’re doing nothing wrong there is nothing to worry about us looking at your communications.
Public to NSA: We want more transparency, if *you’re* doing nothing wrong you won’t mind.
ANSWER(Public back to NSA): Tough! You have NO right to eavesdrop on our communications. None!
(and I hope eventually one day the tools will exist and be made ‘simple’ and that then the public at large will start using onion routers, hidden services, distributed DNS alternatives, encryption, perhaps even some ‘alternative routing’ of some traffic ‘off the mainline internet’..e.g. over city wide wifi networks or similar.)
Before then, I hope some smart-asses start a viral phenomenon of using SEO inspired tools/ ‘apps’ to INSERT AI driven and grammatically correct/functional ‘naughty keywords’ – all the kinds of obvious things I’m not going to mention here that might be likely to be spied upon INTO EVERY TRIVIAL, non-sensical, and unimportant email, social network, blog post, message board etc.. as they can stomach …i.e. make an awful lot of the little bits of the hay in the stack look like needles… it’s what they deserve!
ANSWER(NSA back to Public): stoney echoey silence. (not a hint of regret, remorse or mutual open discussion ) ;
you’re just Apes like the rest of us Mr Government and Mr NSA – you’re not special. You have NO more rights. Even if you ‘granted them to yourselves’ !
useful links:
http://prism-break.org/
Huawei is a threat to US national security and the power of US foreign intelligence agencies outside of the US. (I’m so sorry Aussies, but it seems that your government is deep in the US’s foreign intelligence pocket.)
There is a security bug triggered when you perform operation A.
1) you tell the government quickly so they workaround it because compromised government machines are supposedly a national security problem.
2) you hide the security bug from the public until a fix is found/issued because you don’t want the bug to be intentionally exploited in civilian/public computers.
That is at least their reasoning which makes sense to me.
Whether it OMG! ruins everyone’s ideals and stuff is a totally different story.
Edit: keep in mind that this is closed source software. End users can’t fix bugs
Edited 2013-06-14 21:28 UTC
Well put. I’d like to add that even in FOSS the end user usually lacks the knowledge or tools to fix security vulnerabilities.
It doesn’t need all end users to have the knowledge to fix, one is enough. And it works very well!
*User who is not a usual end user.
Of course we all know how “very well” this works for some FOSS.
http://www.zdnet.com/linux-trailed-windows-in-patching-zero-days-in…
You missed an important step.
1.5 issue an advisory with details on the exploit and how users can protect themselves and what workarounds are available, if any.
This should be done no more than a week after step 1.
What you’re not taking into account is:
3) The US can use the zero day exploits against other nations.
People’s trust in US companies is taking a beating at the moment. The US government’s heavy handed approach could actually be a great reason to look into open source solutions.
That’s surely the angle on this, surprised so many missed it.
So, in other words… 2013 will be the “Year of Linux on the (non-US government) Desktop”(tm)? Can’t wait!
Very funny, but no. Not in those words.
Certainly they can. So can anyone else who gets early notification.
But where did that zero day exploit come from? Some of them come from code inspection, fuzzing and white-hat hackers. But most of them come from inspection of hacked machines which means that zero-day exploit is already out there being used by the bad guys.
The notification delay is so that the exploit is only used by a few bad guys instead of the entire Internet.
End users can, however, mitigate the issues raised by those vulnerabilities.
Motherfuckers!
Hear, hear! I’m not sure that’s strong enough for how I feel about this, but at the same time, I hope no one is actually surprised. Most of us have probably suspected this for a while.
We all thought computers would make our lives easier; instead they could potentially allow governments worldwide to enslave us by spying and knowing the back-doors to our info anytime they so choose..
The US government considers big corporations to be undercover cops – they can blatantly break most laws (tax evasion, IT theft, anti-competitive behavior) as long as they provide a steady stream of “essential” information.
Now we know one of the reasons they created it, and why many in the USA were so pissed-off about that.
Buwahahahaha! Riiiiiiiiiiiight, the GFW is purely a defensive measure… I’m sure it has nothing to do with China being one of the most censorship-happy regimes in the industrialized world, not to mention their history of draconian control over what information their citizens can access. After all, we know that people in China can easily access sites with information about Tiananmen Square, or Tibetan/Taiwanese independence… oh, wait.
Congrats, you’ve posted what has to be the dumbest, most absurd claim I’ve seen in this entire thread. And that’s saying something, given the stiff competition.
The inconvenient facts:
Tibet has been considered a part of China for over 2500 years. The Tibetan lamas ran a brutally repressive feudal system. Western supporters of Tibetan independence are essentially useful idiots. [In public the Dalai Lama hides his true opinions such as his absolute hatred of homosexuality.]
Chinese citizens can travel freely to many Western countries.
There are daily flights between Taiwan and mainland China.
Hundreds of thousands of Chinese students study at western universities.
Six million Chinese citizens in Hong Kong have uncensored internet access.
There is a great deal of robust online discussion and social networking in China.
You might want to substantiate your “facts”.
Red herring, that doesn’t actually address any of the points I made or the ridiculous claim that I was responding to.
Many of the original inhabitants of North & South America were just as brutal (if not more so, ritual human sacrifice and all that)… and because of that, you would be OK if the US government blocked their citizens from accessing information about, say, the Trail of Tears?
Relevance?
Oh, and you left out another interesting fact: China is also second only to Russia when it comes to turning a blind eye to actual cybercrime, (just as long the crimes are only committed against westerners).
In other words: the only way for Chinese citizens to avoid internet censorship is to live somewhere other than China. Noted.
What part of “ONE of the reasons” did you miss? What I left subtle in my comment and, unluckily, one thing that strongly ties the USA and China governments is that they both are paranoid states where the powerful elite are more than willing to sacrifice the liberty and privacy of their citizens to justify maintaining the status quo.
They label and treat their own people and other countries under a flag of suspicion, and so they prepare the communication infrastructure with barriers and traps, frequently overstepping their own legal systems. This is what the USA did, as did China. They both went to extreme extents on that. The USA, China, Russia and some other countries have power circles that are way too poisonous.
What I left tacit is not that China already knew about PRISM but that paranoid countries act on presumption and that they use all available disinformation techniques to gain some advantage. Specifically, in the USA’s case, many politicians and members of the government went public to criticize the GFC when they probably already knew about the USA spy efforts. I guess it is too much to assume that all readers will infer that. Well, I hope your self-confidence in your cognitive abilities does not get affected.
Please. It really doesn’t matter whether you claim it as one reason, or the sole reason – it’s still an absurd, completely unsubstantiated claim. Bullshit is still bullshit, the quantity doesn’t change that.
I hate to use this twice in one month, but…
http://en.wikipedia.org/wiki/False_equivalence
False equivalence, once again – you do realize that spying is not the same thing as censorship, right?
Wow. I hope you used plenty of lubricant, wouldn’t want you to get chafed from stroking your own ego so enthusiastically.
Let me see, it is bullshit because you said so?
And you do realize that they are not mutually exclusive, do you? The USA has been doing censorship and spying since forever. You do not believe me, right? So, what do you think is the so called “classified information” that is all over the place? Also, go and read history facts about human tragedies triggered by USA actions all around the globe. Not that big a difference to me between the USA government elite and their bad pals around the globe.
And please, stop projecting your own sexual fantasies on others, keep them to yourself, there are some things that are better to maintain private. 😉
Now you’re just being deliberately obtuse. It’s bullshit because it’s directly contradicted by numerous, widely known facts about the GFC. And it’s bullshit because you haven’t provided a single source or shred of evidence to substantiate your claim. Hell, you haven’t even provided any reason to believe that the GFC would actually be EFFECTIVE in preventing spying.
So I guess we can also add “burden of proof” to the list of intellectual concepts that you fail to grasp.
Stop riding my coattails, kid – get your own material.
False equivalence combined with confirmation bias – find me a single country in the world that DOESN’T classify information.
And you’re seriously trying to pretend that classifying sensitive information (for security purposes) is the same thing as GFC-style censorship of politically-inconvenient information? People don’t resort to such blatant intellectual dishonesty if they have any valid argument left – your de facto admission of defeat is noted.
More unsubstantiated claims. I’d challenge you to provide examples, but we both know that you either don’t have any – or you would just toss out some more red herrings that didn’t actually have anything to do with your claims. But hey, anything to justify your irrational, knee-jerk hatred of the US, right?
An “I know you are, but what am I” flame, really? Tell you what, because I’m such a nice guy, I’ll give you a do-over. Maybe you’ll be able to come up with something a little less pathetic this time.
This is really getting ridiculous. I did not say that China did it because they already knew about PRISM, you created this in your own obtuse mind. I said that one of the reasons they probably did it was because paranoid states try to act preventively and, as you probably know, one of the nice functionalities of firewalls is to protect against external threats, and PRISM is clearly one. I said also that many public figures of USA power complained about the GFC and that they probably already knew about PRISM; this is well documented, just google for it, and this is the same as a neighbor that likes to walk on others’ flowers complaining that putting up a fence makes the neighborhood ugly. You are the one arguing that China did it ONLY to prevent their citizens from getting information from abroad. A big and narrow-minded assumption if you ask me. So burden of proof applies very well to your case.
Please! I never said that other countries do not do that. What I said, again, is that paranoid governments are more inclined to do so and that they can even do it in ways that do not follow their own legal systems.
I guess you only studied history from USA books. The USA invaded Iraq on false premises or, even worse, already knowing that the claims were false. Where are the weapons of mass destruction? All that after, some years before, they tried to undermine Iran by giving weapons to Saddam Hussein to act as a proxy. What about the innocent people killed in Afghanistan by the many and documented irresponsible actions? The military of many South American nations actively overthrew legitimately and democratically chosen leaders with USA help. Killings, torture and other forms of human rights violations abounded in all those cases, and the USA elite power has their fingers dirty with blood because of these. Ignoring history is really one option.
Note also that I never said the American people should be accountable for the bad things. I visited the country many times and I really like the place and the many friends I have there, but sure enough many from the elite should be lawfully punished.
The rest of your arguments are all alike, just nonsense ramblings or full of assumptions about things not said.
What? Where did I ever state otherwise? (Hint: I didn’t). If you’re really that incapable of basic reading comprehension, that would explain a few things…
Hey look, I have my own personal copycat – how adorable.
In your next reply, be sure to include something along the lines of “no, YOU have bad reading comprehension” (if you’re going to be lazy and witless, then you might as well be consistent about it).
You really are fond of the “I know you are, but what am I” schtick, aren’t you? Hate to break it to you, but I never actually claimed that domestic censorship was the only reason for the GFC – just the primary reason. And 3 posts in, you STILL haven’t provided anything to back up your claims, other than vague supposition.
Also, burden of proof doesn’t work that way. You made the initial claim, you failed to substantiate it in any way, so the burden of proof was (and still IS) yours.
Too bad I’m not actually an American, genius. I was waiting for someone to make that lazy assumption – and you were the first one gullible enough to take the bait, congrats!
Right, that must be why your counter-“arguments” have consisted of nothing more than dodging, backpedaling, and willful ignorance.
Again, more of your assumptions, about which we cannot be sure. Perhaps you have some form of insider information. As I said, mine are suppositions about the pattern behavior of paranoid states.
You are again jumping to assumptions. I never said you had American citizenship, only that you were “following lessons” from “American books” for whatever reason. This is a big difference, but as I said, you like to put your thoughts in others’ minds.
Not at all, you asked me to back my argument that the USA and China elites are alike in the way they treat their citizens. Granted, the USA may not be as bad, but both are not examples of respect for privacy, liberty and human rights, as I have illustrated with historical facts in the USA’s case.
If you bother reading the article, it points out:
If “you” think this is some kind of conspiracy against the people, you’re a total moron.