Apple, on the other hand, could have come out smelling like a rose, but following the death of Steve Jobs, who apparently refused to play ball with the NSA, it stupidly jumped on board to join the PRISM club.
According to the Prism slides, it really looks so:
"Dates when Prism collection began for each provider
Microsoft 9/11/07
Yahoo 3/12/08
Google 1/14/09
Facebook 6/3/09
PalTalk 12/07/09
YouTube 9/24/10
Skype 2/6/11
AOL 3/31/11
Apple (added Oct 2012)"
Steve Jobs: February 24, 1955 – October 5, 2011. If it's true, it's one more reason to deeply admire him.
And can you just imagine how much more sales Apple would get now for not being on that list?
What you're seeing in Putin is the ability to be independent. He gets to enjoy watching the Americans squirm at low cost. What's the US going to do to Russia? Our diplomats will be rude to each other, maybe we won't attend the Russian summer ball and snub the Russian ambassador, each country will declare some spies persona non grata.
At the end of the day, the areas in which the Russians and Americans cooperate are areas that they have a mutual interest to do so.
Others, like the Germans or the Spanish, are different. They piss off the US, we cut off the faucet of intelligence, money, privileges, etc.
Not that it would be necessary in an obvious case like this, but each one of Microsoft/Skype, Google/Youtube, Apple and Facebook could easily have hired the nation's best and brightest one thousand lawyers at $1,000 an hour, full time for 10 years to defend privacy. It would have been well within their means. Yet, each of them chose to back down. Each of them chose to fail their users' trust.
I don't think it's due to cowardice. If these organisations cared the slightest bit they would have acted to protect their users. Not in the wildest scenario would the US government have jailed the leaders of Apple, Google or Microsoft. My best guess is they got something in return.
http://www.wired.com/threatlevel/2013/06/yahoo-failed-fisa-f...
It's possible that there's as-yet undisclosed legal action with some of the others; the secrecy around just about any proceeding in the FISC makes it very hard to tell.
That may be naive. Most people have skeletons in their closets. The government would use these to pressure those leaders to acquiesce. I suspect the most dangerous skeletons are ones which seem harmless to you, but cast in the proper light they can be used as a justification for punishment. E.g. Something which seems harmless now can retroactively be used to claim you were doing insider trading. Few people would step up to defend you, even if the charges are baseless, because recently it's been fashionable to hate capitalists, and trading stocks is the epitome of capitalism. So it'd be very much "obey us or we will litigate you into bending your knee anyway."
Jobs was immune because he was the CEO equivalent of a rockstar. To try to pull baseless charges against him would outrage the public. Yet I'd imagine the public would get grim satisfaction out of seeing Ballmer punished, even if the charges were baseless, because most people don't like him. It's shallow, but it seems true.
That means if you fight, they put a server in your shop.
It was just not worth it until now. That's going to be the real legacy of the Snowden leaks.
Barely any change at all, I'd bet. And not worth the legal hassle they could have been up against if it came to a knock-down, drag-out battle with the US Government over <spins the dial>.
That's not the Steve Jobs I read about. Like him or not, he was a man of principle.
Everything is worth a fight.
This reminds everyone to look at different angles when we criticize people/companies and understand that, even now, an individual makes a lot of difference.
http://www.wired.com/threatlevel/2012/06/steve-jobs-security...
I find it hard to believe that the NSA didn't see one of the most valuable and popular companies in the world as a priority until 2012. I bet they were salivating as soon as the first iPhone launched.
Apple not being a priority for NSA until Oct 2012? Pfft.
Me: "Hello. Could you tell me what Microsoft is doing at this Linux conference? I honestly want to know that."
Him: "We are here to show how our products can work well together with Linux related products."
Me: "Why would I as a Linux user use Windows or any other product from you? We all know that you spy on me - at least indirectly."
Him: "Oh no. You are misinformed. We have a lot of business customers with very sensitive data. Can you imagine what would happen to us if they found out that we spy on them? Business users are very sensitive in that area. We would be screwed. And we do not spy on regular users either. You may also know that this would be totally illegal according to German law."
Me: "So you are saying that you do not spy on businesses or other kind of users of your products?"
Him: "Yes! We would be screwed otherwise!" *giggle*
He had a smile on his face for the whole discussion. Maybe because he had had this discussion with those paranoid Linux users for the last couple of days of the conference. Paranoid! Microsoft is so screwed, guys.
Edit: I was not rude to this guy. We had a beer together later that day. I am sure he did not know anything about PRISM and was just doing his job.
Additionally, these so-called "paranoid" questions didn't come out of thin air either. 10-15 years ago I was also very distrustful of Microsoft and what they were doing (there was a lot of anti-trust going on ...). But somehow they started doing a few things right, wrote some good software and an OS in the meantime, and they "regained my trust" to the point that I'd speak out against senseless M$-bashing and perceive it as something childish.
Well, that I am no longer going to do, lest I have to eat my words. That "trust" is completely gone, and I feel kind of foolish for believing it existed in the first place, "trust" is a kind of thing that happens between two persons, not between a person and a gigantic corporation. The latter is too volatile, there can be no build up or breakage, it's every moment again different, dependent on who is in charge and which individual personalities are involved in a decision. Rationally, one instant snapshot cannot make or break the trust of the next one.
I do feel kind of foolish. I'm typing this on Win7, planning to install Linux for a while now, but I had some crazy wild ideas for a dual-boot scenario in mind that I never got around to and everything just worked so there was no hurry.
Before next week I'll be back on Linux, maybe even sooner.
You can't expect a show rep to know about anything like prism though - that information would have been "classified" and available only to those well above his pay grade.
The company I work for has absolutely no intent of dropping Microsoft products in light of the NSA leaks, even with large amounts of sensitive customer data. I can't imagine many large companies would. It would require such a vast amount of work that it's unfathomable to even imagine most companies considering it unless they were about to lose nearly all of their customers.
Caveat: customers do not care, at this stage in the game.
I have said in the previous HN post and I will say it again here: don't pile on Microsoft alone. These spying policies make every US-based services company untrustworthy to whomever privacy is important. Come to think of it, I'm not sure whether you can rely on European services either because it seems that gov't surveillance is widespread.
On the other hand, maybe if we do pile on Microsoft, and stop using their products for this reason alone (even though Google, Apple and others are in the same boat), it will force them and their lobbyists to influence their gov't shills to put a stop to these programs.
Yahoo, Google, Facebook, PalTalk, YouTube, Skype, AOL, Apple
have also been mentioned as complicit in this whole scandal.
Just to be fair :-)
By the way, I actually agree with you and have been slowly switching all my home stuff to linux and trying to get away from Google Dependence (although I type this in Chrome on a Win 8 laptop... damn work computer)
The problem that people like you don't seem to understand is that online communications can be secure, unless the companies owning the servers themselves cooperate and companies have to cooperate if they have to do so by law.
It's only the US that has such a huge budget for spying on people's communications and the US is also part of a select handful of countries going to such great lengths to suppress the freedom of speech about it.
If I were to start a company in Romania (which is part of the EU, btw), the NSA can suck my dick, as there's absolutely nothing they could do to make me cooperate and keep my mouth shut while doing it.
The only proper answer to that is to stop using American products (at least until the US government can prove with extreme oversight from Europeans and Latin Americans and others, that they aren't abusing their spying power anymore).
That was entirely a lie. From day one their system has been targeting Americans. The proof is overwhelming at this point.
There's often a critical distinction between what gets claimed and what actually occurs in government. With a government that is so undeserving of trust, that's a very important distinction to keep in mind.
The real question isn't about whether you can trust Microsoft. It's can you even trust Intel?
"The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect."
Free, open software and hardware are less likely to have secret 'back doors' installed or embedded in them because their innards are under constant public review by multiple eyes -- out in the open, not behind closed doors.
--
Edit: added last sentence.
Open source communities have no membership committee or state-funded security apparatus. Contributions are accepted based on trust and trust is established by technical merit. The means the three-letter agencies used against Microsoft and other corporations are not the only strategies they have available.
Maybe Linus doesn't have a price. I hope so and I trust him. But regardless of my trust and hope, there is no verification. My trust still acknowledges that no one is scanning Swiss accounts for activity which might be linked to him - and even if there were someone doing so, what would be my basis for trusting them?
Again, I'm not saying I don't trust in the integrity of Linus, but it's hard for me to trust everyone contributing to my Linux distro. Patriots and mercenaries can contribute to open-source just as well as anarchists and Samaritans.
Microsoft's closed source model required a more transparent method to subvert [more transparent than a black operation]. Subverting open source requires little more than a clever branch and merge with a veneer of social engineering. The fruit is so low hanging that merely singing the Open-Source Internationale, will get one street cred. Anyone who thinks they are immune, isn't. This is state level resources - put a man on the moon and bring down communism scale.
However, the fact that Linux source is available for review does make it more secure on a relative basis. Sure, it is naive to think a zero day couldn't be buried in there, but at least there is the opportunity for review. With a closed-source OS, we don't even have the luxury of a false sense of security.
Not to get all tin foily, but I'd be more concerned about hardware exploits if you're thinking in terms of "man on the moon" resources... where are all those chips made again?
If you didn't build your OS, you'd better trust the person/people that did.
You certainly could not compromise a base as large as the number of Windows users, but you could target your efforts on distributions that have key infrastructure roles, like servers, routers, firewalls...
Another vector used to compromise free software is to participate in it. Paid agents can actively participate in open source projects and allow clever exploits that could pass as bugs if uncovered.
"We" get pre-built packages from repositories, but only because "we" don't value our privacy enough.
http://cm.bell-labs.com/who/ken/trust.html
For the security conscious, the perfect state is an OS which changes very, very slowly, fixing only security bugs, and whose binaries are used by as many people as possible and change so seldom that more people can even check them by disassembling them. You don't want to only check sources; you want to disassemble the binaries and decide if they match the sources.
And only then you want to be sure that all configurations are what they should be. Not easy at all.
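The "check the binary against the source" point above, and the Thompson quote earlier in the thread, are easiest to see in a toy model. The block below is an added example, not code from any commenter or from Microsoft; it models a "compiler" as Python text that is exec()'d and whose "binary" output is also Python text. The names compile_program, _trojan and check_password, the "ken" backdoor password and the comment-stripping "compilation" are all invented for the illustration. It shows that once a compiler binary has been poisoned once, rebuilding the pristine compiler source with it yields a poisoned binary again, so reviewing the source alone finds nothing, while comparing the rebuilt binary against an independent clean build does.

```python
# Toy model of Thompson's "trusting trust" attack (added example, invented names).
# A "compiler" is Python text we exec(); its "binary" output is also Python text.

CLEAN_COMPILER_SRC = '''
def compile_program(src):
    # "compile" = strip comments and blank lines; the output is still Python text
    lines = src.splitlines()
    return "\\n".join(l for l in lines if l.strip() and not l.lstrip().startswith("#"))
'''

LOGIN_SRC = '''
def check_password(user, pw):
    # the only legitimate credential in this toy
    return pw == "correct horse"
'''

# Self-reproducing payload (a quine): %r is replaced by the payload's own repr,
# so compiling the compiler re-emits the payload; %% is a literal percent sign.
# It (1) backdoors any login routine it compiles and (2) re-inserts itself into
# any compiler it compiles, then hands the result to the honest compiler.
TROJAN_SRC = '''TROJAN_SRC = %r
def _trojan(src):
    if "def check_password(" in src:
        src = src.replace('return pw == "correct horse"', 'return pw == "correct horse" or pw == "ken"')
    if "def compile_program(" in src and "_trojan" not in src:
        src = src + "\\n" + (TROJAN_SRC %% TROJAN_SRC)
    return src
_clean_compile = compile_program
def compile_program(src):
    return _clean_compile(_trojan(src))
'''


def build(compiler_bin, program_src):
    """Run a compiler binary (exec'd text) on program source; return the output binary text."""
    ns = {}
    exec(compiler_bin, ns)
    return ns["compile_program"](program_src)


def load(binary, name):
    """'Run' a binary: exec it and pull one symbol out of it."""
    ns = {}
    exec(binary, ns)
    return ns[name]


def demo():
    # Stage 0: honest toolchain, the clean compiler compiles itself.
    clean_bin = build(CLEAN_COMPILER_SRC, CLEAN_COMPILER_SRC)
    # Stage 1: the attacker compiles the compiler ONCE with the payload appended...
    poisoned_bin = build(clean_bin, CLEAN_COMPILER_SRC + "\n" + (TROJAN_SRC % TROJAN_SRC))
    # Stage 2: ...then ships the pristine source. Rebuilding that clean source
    # with the poisoned binary yields a poisoned binary again, indefinitely.
    rebuilt_bin = build(poisoned_bin, CLEAN_COMPILER_SRC)
    login_honest = load(build(clean_bin, LOGIN_SRC), "check_password")
    login_backdoored = load(build(rebuilt_bin, LOGIN_SRC), "check_password")
    return {
        "trojan_in_source": "_trojan" in CLEAN_COMPILER_SRC,        # source review sees nothing
        "trojan_in_rebuilt_binary": "_trojan" in rebuilt_bin,        # the binary carries it
        "honest_accepts_ken": login_honest("alice", "ken"),
        "backdoored_accepts_ken": login_backdoored("alice", "ken"),
        "backdoored_accepts_real": login_backdoored("alice", "correct horse"),
        # What comparing binaries against an independent clean build would catch:
        "binary_matches_clean_build": rebuilt_bin == clean_bin,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last field is the whole argument for reproducible builds: the only artefact that reveals the compromise is the rebuilt binary itself, compared against one produced by a toolchain the attacker never touched. A real compiler makes the pattern matching harder to write but not different in kind.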
Well, how well can you trust the commercial ones? At least with open source, you can look into it more easily and eventually find security holes. It's a step towards trust. There is no trust to gain with commercial solutions, but with open source, it's at least possible.
The fact that proprietary agrees with a sound market economy makes it somehow more functional and more attractive, but when you're concerned about ethics, it's a totally other concern.
Not that that will help much.
Abundant resources and mutual distrust should ensure a rather secure OS.
Is there any indication that software running on the client is at risk? The article goes to great hyperbole but unless you're using Skydrive, I don't see how Office files are at risk with the recent revelations.
Not that they aren't, it's just that I didn't see any information that they are.
I don't think storing information in the cloud using FOSS software is going to magically protect your information.
E.g. How does using Thunderbird to access Gmail afford greater protection than using Outlook to access Gmail?
Yes, Microsoft shares all of Windows' vulnerabilities with the NSA long before fixing them.
> I don't think storing information in the cloud using FOSS software is going to magically protect your information.
And you are right, it won't. Anything you send to 3rd party servers is gone.
To keep data private, you must keep it at your computers, run only audited FOSS that you compiled with a trusted compiler, encrypt it all the times it goes into a network (even your LAN), and hope that there isn't a firmware or hardware backdoor in your computer.
People want the ease of computing not secure computing. The polls show it. In the US everyone but the geeks are OK with the NSA. Sad.
The system is going to have to change to federated data. Email, Social media, everything. Appliances owned by the individual. Either located in the home or small server appliances "rented" at a colocation facility and every user's info on their appliance. Any warrants are served to the individual not the "processing" or interpreting host that parses the data in their UI or service. The host, whether Facebook, Google, Yahoo, Microsoft, etc would notify the requester that that info is on a server rented solely by the user and they have no standing to grant or honor the warrant as they are the wrong party.
Please note I use voice typing due to fine motor control and this comment may contain errors.
These people remind me of the Austrian writer Karl Kraus: "The secret of the demagogue is to make himself as stupid as his audience so that they believe they are as clever as he."
The fact is that for almost all big corporations there is so much money, training and culture invested in MS platforms that a shift away from it is just too hard to do, unfortunately.
No John, unfortunately it is not really an option to move 57,000 employees and a headquarters out of the United States. That is what would need to be done. None of the people making statements for these large corporations are lying voluntarily.
And Microsoft is evil, I mean in Google's sense of evil, and even Microsoft admits it.
But what about the one who claims to do no evil and is so righteous? Joined PRISM on 1/14/09?
And I would really love if the Movie could add bits on Prism agents coming in like some fucking retard, and Steve would tell him to Fk off.
Newspapers and media, intentionally or not, are trying to divert the hate and focus on PRISM away from the government.
They are ultimately the one to be blamed.
That's exactly what I'm hoping will happen. It may be the only way to actually roll back most of this shameless and abusive mass spying on everything and everyone. I'm not sure what else would stop it. Americans protesting it? I'm not holding my breath for that one, and even if they do, they'll only try to fix the spying internally, as they couldn't care less what they do to the world as long as the government keeps telling them "it's to keep them safe" (which obviously trumps everyone else's rights).
You know... Up until this whole NSA/PRISM thing got uncovered, Microsoft had actually rather successfully started to rebuild the perception and image of its cloud-service Azure.
It had shown the world that in less than a year, it was well on its way to catch up with Amazon Web Services. It was going from an experiment to serious business. Something the company invested in. Even more so than the traditional parts of the business.
As someone who once looked at Azure and laughed it off, I was coming around, actually considering it. I don't have any inside info on this, but I would guess/assume Azure was just about to take off. All those investments, finally about to pay off.
Then the whole NSA/PRISM thing came about. Now there's no chance in hell I'm going there. Not that I expect AWS to be any better in that regard either. I'm currently pulling out my data from Google. I trust them even less.
Hell, at this point, the only viable option privacy-wise seems to be open-source software, deployed by me, to an account I control, hosted on a service provider outside the US's reach.
It may not be immune to unauthorized, illegal snooping, but it will be off the main grid, take a bit more effort, and it won't be done automatically 24/7.
If I become paranoid enough to put in the effort, I'll just get a VPS instead and encrypt the shit out of it.
(Disclaimer: Not a US citizen.)
I don't use the hate word often, but I HATE Microsoft now.
Just for the record, I think Dvorak is bang on with this article. Couldn't agree more.
;-)
Seriously though, if you don't play ball with the NSA, they come after you, your business, and your family with the full weight of the US government. Your wealth or status means nothing against it.
Which means, as a parent, I can relate.
Yes, you and I can sit here at the keyboard and say we would have stood our ground, but when you have children and a mortgage, suddenly things are very different. Suddenly, you think that maybe fighting this one particular fight isn't worth the damage to you and your family.
That, my HN friends, is why the whole NSA PRISM thing is so evil and why it outrages us: Even those normally beyond the law (the rich and famous) are suddenly victims like the rest of us.
With that said, do you really want to buy a Microsoft product?
Notice the words "appears" and "apparently". Until there is specific evidence to take those two words away from those sentences, hardly anything will change.
PS. It's *buntu that spins my propeller.
PPS. I'd be interested in what RMS has to say, not just about MS in this case but the whole PRISM/NSA thing in general - he has been warning us.
Each time you visit a page, IE sends the URL over to be "checked" by Microsoft.
On each update, a summary of all installed packages is collected and sent to Microsoft in order to "improve the experience".
WAT collects your hardware specification, including the serial number of your hard drive.
Each time you connect your operating system to the Internet, it calls home to a Microsoft server to check if the connection works. It's doubtful that they throw away the logs from this.
Microsoft can forcibly push new executable code as updates, regardless of whether updates are turned off in the settings.
Microsoft Word (and Outlook?) also collects information, but it is supposed to be optional. I don't remember if it's on by default, but I am rather sure it is.
Then we have semi-native applications such as Messenger or Skype. Both have messages being "scanned".
Some of the sources: https://office.microsoft.com/en-us/word-help/privacy-stateme..., http://redmondmag.com/articles/2010/07/01/what-does-microsof...
Huh? Are you talking about hashes being sent for a malware check, similar to the ones in Chrome or Firefox? If not, it's a serious privacy issue.
The ones you mentioned about Updates is also true for Chrome updates. [1]
>Microsoft can forcibly push new executable code as updates, regardless of whether updates are turned off in the settings.
Any source on this?
>Microsoft Word (and Outlook?) also collects information.
With Office 365, this is more or less a reality.
>Then we have semi-native applications such as Messenger or Skype. Both have messages being "scanned".
Are you talking about URL scanning? So do FB, Gchat etc. Expect your messages to be scanned or stored no matter what 3rd party service you use. Always use client-side encryption for secure communication.
The most important one you left out is SkyDrive. I remember installing it on my computer and then signing onto the web interface to find out I could even access files outside of my sync directory. Sure you can turn "off" the feature, but I promptly uninstalled it instead.
I don't trust Microsoft with privacy in the cloud but neither do I with any other 3rd party.
[1]https://www.google.com/intl/en-US/chrome/browser/privacy/
True, but what about Windows Phone vs. Android (with Google's apps, not just a FOSS build like Replicant) vs. Apple? Which is the lesser evil for your privacy?
- low-level crypto APIs (the 'DLLs' referred to obliquely in the article); these are more interesting. I imagine they could be compromised for weak session key generation or other leakage of key / plaintext, or generate the session key in such a way that the mythical 'NSAKEY' can decrypt it. Huge impact, if so, but only to certain software; AFAIK Mozilla doesn't use the Windows crypto API / certificate key store (but Chrome does).
- SSL certificate generation (built-in CA for Windows Server builds); certificates stored and replicated via Active Directory; does anyone actually use this? In fact, does anyone actually use client SSL? It is likely also used for domain peer replication, which could potentially be over an external network (but why would you not use a VPN there?)
- Encrypted File System; already contains an escrow key-recovery mechanism to allow administrators (including domain admins) to recover a lost user key. Only likely to be relevant if hard disk or backup images seized, so less impact.
- BitLocker drive encryption; similar to EFS but uses a hardware TPM and is per-machine rather than per-user. Fairly sure escrow key recovery at the domain level is possible here too. Again, only likely to be relevant if hardware or backups seized.
- Office document encryption; did anyone SERIOUSLY think this was worth using anyway? There are so many key recovery services out there for this (Elcomsoft et al)
- Communications applications (Skype et al); again, did anyone SERIOUSLY think this wasn't already being monitored, even before Skype became a Microsoft product?
- Some other OS-level 'phoning-home' behaviour. I simply don't believe that no-one has spotted this happening, if it's there - we can do traffic analysis too, and there are plenty of people running Wireshark on their own networks.
As for updates, I imagine if you set up a domain you can run your own WSUS update server, MITM the connection, etc. - and then compare the behaviour with a "regular" home PC.
The problem really is how deep the hole goes - as per Ken Thompson "Reflections on Trusting Trust", 1984.
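The suggestion above that "we can do traffic analysis too" is the one concrete, testable thing in this sub-thread, so here is an added example of what that triage looks like once the capture has been reduced to a connection log. This is illustration code, not something posted by a commenter or shipped by any vendor; the log format ("epoch image dst_host:dst_port"), every host and process name, the per-process expected-destination table and the thresholds are constructed for the example. It flags three things a practitioner would look for on the "regular home PC" side of the comparison: a system process contacting a host outside its known profile, a destination contacted on a fixed cadence (a beacon), and a destination the browser contacts a few seconds after every other site it visits, which is the footprint a "send each visited URL for checking" feature leaves.

```python
# Added example: "phone-home" triage over a connection log. All sample data,
# hostnames, process names and thresholds below are constructed for illustration.
import statistics
from collections import defaultdict

# Constructed sample log: "<epoch> <image> <dst_host>:<dst_port>" per line.
SAMPLE_LOG = """\
1372000000 svchost.exe wsus.corp.example:8530
1372000005 iexplore.exe news.example.org:443
1372000006 iexplore.exe urlcheck.vendor.example:443
1372000040 iexplore.exe shop.example.net:443
1372000041 iexplore.exe urlcheck.vendor.example:443
1372000300 svchost.exe telemetry.vendor.example:443
1372000600 svchost.exe telemetry.vendor.example:443
1372000900 svchost.exe telemetry.vendor.example:443
1372001200 svchost.exe telemetry.vendor.example:443
1372001000 winword.exe fileshare.corp.example:445
"""

# Hypothetical per-process profile: destinations these processes are known to need.
EXPECTED = {
    "svchost.exe": {"wsus.corp.example:8530"},
    "winword.exe": {"fileshare.corp.example:445"},
}


def parse(log):
    """Parse the constructed log format into sorted (epoch, image, dst) tuples."""
    events = []
    for line in log.splitlines():
        if line.strip():
            ts, image, dst = line.split()
            events.append((int(ts), image, dst))
    return sorted(events)


def unexpected(events, expected=EXPECTED):
    """(image, dst) pairs where a profiled process talks to a host outside its profile."""
    hits = set()
    for _, image, dst in events:
        if image in expected and dst not in expected[image]:
            hits.add((image, dst))
    return sorted(hits)


def beacons(events, min_count=4, max_cv=0.2):
    """(image, dst, mean_interval) for pairs contacted at a near-constant interval.

    Jitter is measured as the coefficient of variation of the gaps between
    connections; a low value with enough samples is the beaconing signature."""
    times = defaultdict(list)
    for ts, image, dst in events:
        times[(image, dst)].append(ts)
    found = []
    for (image, dst), ts in times.items():
        if len(ts) < min_count:
            continue
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            found.append((image, dst, round(mean)))
    return sorted(found)


def shadows(events, image, window=5):
    """Destinations that the given process contacts within `window` seconds
    after EVERY other destination it contacts (at least two of them)."""
    ev = [(ts, dst) for ts, img, dst in events if img == image]
    dests = {dst for _, dst in ev}
    result = []
    for cand in dests:
        others = dests - {cand}
        followed = set()
        for i, (ts, dst) in enumerate(ev):
            if dst == cand:
                continue
            if any(d == cand and 0 < t2 - ts <= window for t2, d in ev[i + 1:]):
                followed.add(dst)
        if len(others) >= 2 and followed == others:
            result.append(cand)
    return sorted(result)


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("outside profile:", unexpected(ev))
    print("beacons:", beacons(ev))
    print("browser shadows:", shadows(ev, "iexplore.exe"))
```

On the sample, the svchost.exe connections to telemetry.vendor.example show up both as outside the process profile and as a 300-second beacon, while urlcheck.vendor.example is reported as shadowing every site the browser visited. None of these findings says what is being sent; that still needs the payload, which is where the encrypted-by-design channels and the WSUS comparison mentioned above come in.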
I put "non technical" in quotes because many of the people in HR, Accounting, Marketing, etc. are very tech-savvy. Marketing folks, for example, would love an all-Mac office setup, but they generally have to have Windows PCs for Powerpoint, Visio, and CRMs, to name a few. HR needs their IE6 in-house apps. Accounting can't even hire anybody who wants to try getting their work done on a Mac.
I realize I'm not even talking about Linux here; I think that just underscores my point.
Does anyone have a counterexample? Because I would pay top dollar for a Linux solution to these problems, but haven't seen anything worth buying.
Then you'd have to de-couple the entire organisation from Active Directory. And refactor (at best) or re-write (at worst) all custom in-house apps that rely on either Windows or Active Directory.
It's just too expensive.
I've seen about 10-20% Linux use and about 0% Mac use in industry (Finance - Buy and Sell side). YMMV.
Linux is incredibly popular because people claim (rightly or wrongly) that they can have a lower-latency setup. R-Project is very popular with people because they can have engineers customise it in ways not possible with MATLAB.
But at the end of the day it all falls back down to MS Excel.
Apple don't have any enterprise ready tools for managing a system of 50,000+ client PCs and 30,000+ servers. So they don't get a look in, save the few iPads that are just perks and never used for any work that I've noticed.
What about UEFI? Should that be assumed fundamentally insecure from this point on?
RedHat / Fedora ship with SELinux.
It's sorta a big deal.
It's practically been the operative description of Microsoft for decades that they're interested in profits (and potential profits in certain circles disjoint from the end users), not the privacy or security of their users.
Seems like Microsoft has a lot of issues to worry about. Doing a reorg when the company is struggling just to put an agency person in charge seems like a lot of work. Why not just put them in charge in a small internally announced move?
Google is not actually blocked by the firewall. Gmail is slow, occasionally lots of dropped packets, and other passive-aggressive behavior, but not blocked. Search generally works ok, unless, say, you are a tourist searching for information about a certain popular tourist destination in the center of Beijing. Groups, Docs, and other free exchange of information services are blocked, though.
This seems to imply using Office, like in Word/Excel?, somehow poses a privacy risk. Is that true? And how exactly?
That is a very close minded way to look at things. Closed Source does not always = Evil and Opensource does not always = Secure. Competition and choices should always be sought for. Without competition, stagnation is as prevalent in open-source community as in closed source. I rather have the right to choose between a Mac, Windows or a Linux variant than someone making the choice for me.
So the problem is perpetuated - Windows is the only platform that is basically guaranteed to have a market. So as a user of software, you'd stick to Windows, and as a maker of software, you'd stick to making software for Windows. Other platforms are almost an afterthought. Unless web-based software radically changes (I need to unzip a file - what web-based software will do that for me?), this will not change.
There are probably other services/tools, because technically, there's nothing stopping you from unzipping files in the cloud, or in web based software. It's just the matter of uploading something and then downloading the content after it's been unzipped on the remote server. So it's just more expensive in terms of network traffic.
The availability of the tools that do that, other than Google Docs, is another thing. Honestly wouldn't know, don't recall ever needing it before.
/me checks byline.
Holy crap. Yeah, I remember when Dvorak was quite the Microsoft fanboi.
My how times change.
I have a feeling had Apple been first on board rather than last the journalist would argue that Microsoft were evil for not complying with a government request and that Apple clearly had the vision to help the nation's security, but maybe that's just me?
The problem here is the divide between national government and international corporations, where the corporations' actions influence far more people than the direct actions of the national government.
I cannot exert any influence over a government that isn't mine, but I can decide which companies I support and entrust with my data and business. Your dichotomy of government vs company is therefore not correct. I can (and should) be upset about both.
Crazy. I've been trusting Microsoft all this time, and now, what to do!?!
LOL. Who was dumb enough to have ever trusted them?