How Can Any Company Ever Trust Microsoft Again?
June 28, 2013 10:33 AM

How Can Any Company Ever Trust Microsoft Again? A thoughtful essay about why companies and individuals shouldn't trust Microsoft in light of the recent leaks.
posted by Anonymous (44 comments total)

This post was deleted for the following reason: Poster's Request -- frimble

My experience with large enterprise is that there is no such thing as trust. Companies continue to do business with Microsoft because money.
posted by mcstayinskool at 10:42 AM on June 28, 2013 [11 favorites]


Ok, without being so snarky - the problem isn't MS. Or, more to the point, the problem isn't MS specifically. All the tech companies were implicated.

The problem isn't even that the government requested that data.

The problem is that what is happening on the ground is at odds with what the oversight in Congress thinks is happening, and all of this is happening inside multiple layers and veils of secrecy and obfuscation.

There is no good soundbite fix for this, and no simple cure, and no real political motivation to solve the myriad issues - as the program is varying degrees of popular as it stands. Ultimately, this means that the new normal is one where the government is secretly spying on you. We are living in the future.
posted by Pogo_Fuzzybutt at 10:43 AM on June 28, 2013 [2 favorites]


There is no good soundbite fix for this, and no simple cure, and no real political motivation to solve the myriad issues - as the program is varying degrees of popular as it stands. Ultimately, this means that the new normal is one where the government is secretly spying on you. We are living in the future.

but... we can't let this happen. And moreover, we can't allow this as something that allows a gradual increase in surveillance. I don't accept this culture or this reasoning. Period.
posted by hellslinger at 10:45 AM on June 28, 2013 [6 favorites]


Presumably, if I shouldn't trust Microsoft because they're cooperating with the US government, then I shouldn't trust the US government either. That second notion is a lot more frightening as it's the US government that has the drones, guns, and jails. I can just ignore Microsoft and go on with my life if I like, but the US government, not so much.
posted by tylerkaraszewski at 10:47 AM on June 28, 2013 [2 favorites]


Shouldn't the question be why did anybody trust Microsoft in the first place?
posted by adamvasco at 10:51 AM on June 28, 2013 [4 favorites]


I'm reading this article as being more of "How can British companies ever trust an American company not to let an American spy agency access to their systems?", which is a reasonable question, but kind of weird given that, as they point out in the article, there have been questions all along. As someone who doesn't have his own company, it's not of particular interest to me, because I haven't really trusted them for a while, and their attitude toward their end users--as seen in the recent debacles with Windows 8 and the Xbox One--demonstrates that they're perfectly willing to screw their own customers over, unless they're publicly shamed out of it.
posted by Halloween Jack at 10:51 AM on June 28, 2013


Well hey, at least private companies are safe. It's not like the NSA is going to use their access to spy on them to help US business interests oh wait
According to a European Parliament report, published in 2001, America's National Security Agency (NSA) intercepted faxes and phone calls between Airbus, Saudi Arabian Airlines and the Saudi government in early 1994. The NSA found that Airbus agents were offering bribes to a Saudi official to secure a lion's share for Airbus in modernising Saudi Arabian Airlines' fleet. The planes were in a $6 billion deal that Edouard Balladur, France's then prime minister, had hoped to clinch on a visit to see King Fahd in January 1994. He went home empty-handed.
posted by mullingitover at 11:01 AM on June 28, 2013 [2 favorites]


There is no good soundbite fix for this

Open Source.
posted by lumpenprole at 11:21 AM on June 28, 2013 [10 favorites]


All the tech companies were implicated.

It seems unfair to single out Microsoft unless you are a competitor of MSFT. Huawei and ZTE have been accused of "security concerns" and the U.S. government not only bans them from supplying gear, but wants to bar them from any US mergers and acquisitions, according to a House Intelligence Committee report.

Isn't this just more corrupt lobbying by businesses who gain from banning the competition?
posted by three blind mice at 11:21 AM on June 28, 2013 [1 favorite]


Open Source is absolutely an answer to this kind of problem. It's not a software panacea – properly auditing code is not easy. And there are reasons to distrust US hardware, too. But if I were running a foreign military there's no way in hell I'd trust any OS other than Linux or FreeBSD.
posted by Nelson at 11:35 AM on June 28, 2013 [7 favorites]


I'm thoroughly outraged by the NSA revelations and *disclaimer* I work for Microsoft. But mullingitover's link notwithstanding, I would guess that most companies -- whether American or otherwise -- simply don't worry about the NSA spying on them. And as much as the American security establishment makes me nervous, I have to concede that there's no evidence of any kind of systematic abuse of the data they're capturing *SO FAR*. Contrast with Chinese intelligence, for which there's plenty of evidence that they regularly engage in industrial espionage.

There's a quote that's been making the rounds recently, purportedly from a former Stasi department head: “It is the height of naivete to think that once collected this information won’t be used. This is the nature of secret government organizations. The only way to protect the people’s privacy is not to allow the government to collect their information in the first place.”

To that, I would add that there should be stricter controls on the kinds of information that ISPs, Google, Facebook -- and yes, Microsoft -- should be allowed to collect about us. Because it's altogether too easy for the government to use pressure to collect this information from private parties, even when such collection is potentially illegal.
posted by Slothrup at 11:51 AM on June 28, 2013


Slothrup, I rather think that is closing the stable door after the horse has bolted.
Who is to say the law would be kept anyway.
The larger the corporation the less sanctions/fines mean because those at the top are never accountable because fines are meaningless. Look at the Banksters. So really I think the Stasi chief is correct.
posted by adamvasco at 11:59 AM on June 28, 2013


I'm kind of weirded out by the ZOMG NSA GETS EVERYTHING which, yeah, potential for abuse but meantime I can't go looking at something on even Amazon without that browse haunting me to the end of the Internet on ad servers. Corporations are doing shifty things with that same data and haha! Nobody cares!
posted by Ogre Lawless at 12:00 PM on June 28, 2013


So really I think the Stasi chief is correct.

All that data just sitting there is the gun in the first act. It's just waiting to be used. Matter of time until someone uses it for political advantage, if they haven't already.

And it sort of kills me that nobody cares - or as one friend on FB said to me - "I'd rather have the government reading my emails than have another 9/11".

But, we live in a democracy - and well, Britney Spears had several number 1 songs for reasons not based on their merit. Our only real hope is getting the judiciary to agree, I don't think this is a problem that is solvable legislatively.
posted by Pogo_Fuzzybutt at 12:06 PM on June 28, 2013 [3 favorites]


Any company that has been OK with MS until 2013 isn't going to be scared off by anything now.
posted by DU at 12:22 PM on June 28, 2013 [1 favorite]


Like Halloween Jack points out, this is an article at a UK website, and a UK company is going to have a different relationship with and set of expectations of the government of the U.S. than an American citizen.
posted by benito.strauss at 12:47 PM on June 28, 2013


"And it sort of kills me that nobody cares - or as one friend on FB said to me - "I'd rather have the government reading my emails than have another 9/11"."

You can have both! Fun fact: the 9/11 planners didn't use the internet or phone calls to communicate about their plans.
posted by mullingitover at 1:11 PM on June 28, 2013 [3 favorites]


Open Source.

Serious question: Like Windows, aren't Linux and open-source services only as safe as people apply patches for zero-day exploits? OpenSSH is one notable example, I'd think, where people don't always keep things up-to-date, but still rely on SSH to reliably secure traffic, right? I wouldn't argue that it isn't better, but I don't know that it is the ultimate solution.

And isn't there a popular CS lecture, where the speaker showed how you can't trust software of any kind, because the chain of tools used to compile software can itself be corrupted?
posted by Blazecock Pileon at 1:37 PM on June 28, 2013


There seems a lot of confusion as to what had been going on, when and for how long it has been going on, who knew what about what was going on, and who is not helping it to go on.
The answers to a lot of this is out there to get hold of and to read if you spend the time.

As for "I am not worried because I do nothing to attract the attention of the govt."--fine, but then there is the published piece by a former NSA guy who said part of what he did was to get hold of phone conversations of congress people, including calls from a new young senator named Obama.

What can be done? There will be a growing movement--it has already begun--to get as many people as possible to get in touch with their elected officials to tell them they must do something to protect privacy and if they do not, they will not get electoral support any longer.
posted by Postroad at 1:53 PM on June 28, 2013 [1 favorite]


And isn't there a popular CS lecture, where the speaker showed how you can't trust software of any kind, because the chain of tools used to compile software can itself be corrupted?

You might be thinking of Ken Thompson's ACM lecture from almost 30 years ago.

Things have no doubt gotten a lot woolier since then. For example, what lies within that encrypted, flashable microcode inside every modern Intel CPU? I don't know, but I'd wager that there's a good reason China is working on their own CPU designs.
posted by RobotVoodooPower at 2:05 PM on June 28, 2013 [2 favorites]


You might be thinking of Ken Thompson's ACM lecture from almost 30 years ago.

Yep, that's the one.
posted by Blazecock Pileon at 2:06 PM on June 28, 2013


Things have no doubt gotten a lot woolier since then.

Yeah, the line between hardware and software has gotten a lot blurrier since the days of ROM.
posted by Blazecock Pileon at 2:07 PM on June 28, 2013


I got a new laptop that came with MS 8. When I got home last night, I burned my Ubuntu disc, flipped on the new computer, and was deeply annoyed that the damn OS wouldn't let me skip giving them an email account during set up (this would be the first and only time I booted into MS).

creepy and intrusive.
posted by jpe at 2:49 PM on June 28, 2013


Saying "this guy's British, so what he's saying doesn't apply to me" strikes me as very weak tea.
posted by telstar at 2:54 PM on June 28, 2013 [2 favorites]


Fun fact: the 9/11 planners didn't use the internet or phone calls to communicate about their plans.

Fun fact: I'm pretty sure that's not true
posted by jacalata at 2:58 PM on June 28, 2013 [1 favorite]


> You might be thinking of Ken Thompson's ACM lecture from almost 30 years ago.

Yep, that's the one.


You shouldn't get the article from that link. They've changed a few words here and there and it conveys slightly different ideas from the original.
posted by benito.strauss at 3:08 PM on June 28, 2013 [3 favorites]


aren't Linux and open-source services only as safe as people apply patches for zero-day exploits?

Well sure. But people are actively and swiftly patching bugs in Linux; much faster than Windows and MacOS get patches.

More importantly the folks who run Linux aren't sneaking in deliberate back doors for US government agencies that no one can see. And it'd be much harder to create a hidden back door in the first place, because the code is open. Yes in theory you can do that entirely in software, as Thompson's brilliant talk highlights. In practice it's just as likely to be the hardware or firmware that's compromised. Anyway, with an open source OS at least one major attack vector is a lot harder to exploit.

The NSAKEY incident of 1999 referenced in the fine article here may or may not have been a deliberate Microsoft back door or just a poorly named debugging reference. Now we have new evidence that Microsoft is deliberately holding open other doors for the US government. Maybe the door was created by accident in the first place, but does it really matter?
posted by Nelson at 3:38 PM on June 28, 2013 [1 favorite]


I got a new laptop that came with MS 8. when I got home last night, I burned my Ubuntu disc, flipped on the new computer, and was deeply annoyed that the damn OS wouldn't let me skip giving them an email account during set up (this would be the first and only time I booted into MS).

creepy and intrusive.

This actually is just another data point to illustrate how skeevy MS is.

You DON'T HAVE TO SUPPLY YOUR EMAIL ADDRESS when initially logging into Win8. You can set up a local user only account, but the option is all but hidden.
posted by Benny Andajetz at 3:48 PM on June 28, 2013 [1 favorite]


what lies within that encrypted, flashable microcode inside every modern Intel CPU?

Well it can't do much without the OS's cooperation - such as access the network or disk, or reserve blocks of system RAM. It's not realistic for it to contain a huge amount of extra storage either. And if the OS is complicit in the attack, the CPU doesn't need to do anything special. So IMO the most plausible threat here is that there could be some secret opcodes that give specially written software a free way to elevate its access level. That's bad, for sure, but it's the sort of thing that can often be done by exploiting more mundane OS bugs, and is one reason why "don't run untrusted code" is a very popular security policy.
posted by aubilenon at 4:41 PM on June 28, 2013 [1 favorite]


Pogo_Fuzzybutt: "All that data just sitting there is the gun in the first act. It's just waiting to be used. Matter of time until someone uses it for political advantage, if they haven't already."

Chekhov's Data?
posted by symbioid at 4:48 PM on June 28, 2013


What would it take for some large organization(say, the NSA or some other spooky organization) to work on some form of modular software that goes in as separate patches/modules that on their own don't do anything, but synergistically are able to create a higher order system that IS capable of doing data tracking type things?

I think it would be quite hard to pull off, but I think this might be an interesting concept to pursue. The beauty of it is, that as you piece it all in slowly, and it comes from different plants/sources, it's not quite so obvious what the deal is.

That said, I'm sure Linus and Theo de Raadt and all those OS Geeks have plenty of profiling systems in place that could work on detecting aberrant behavior from modules and see anything out of whack like this via testing. I dunno...
posted by symbioid at 4:54 PM on June 28, 2013


The main reason I dumped Ubuntu in favor of Debian is because Canonical is a private corporation while Debian is a democracy. I'm far more inclined to trust that nothing shady is going on in Debian's repos than in Canonical's.
posted by flabdablet at 9:56 PM on June 28, 2013 [1 favorite]


Ok, without being so snarky - the problem isn't MS. Or, more to the point, the problem isn't MS specifically. All the tech companies were implicated.

Not twitter!

I'm reading this article as being more of "How can British companies ever trust an American company not to let an American spy agency access to their systems?",

The reason they can trust them is because the US and UK are part of the Five Eyes surveillance network. I mean Snowden was able to pull top-secret information about Britain spying on G20 diplomats. So I mean, using a local supplier wouldn't make any difference.

Isn't this just more corrupt lobbying by businesses who gain from banning the competition?

Yeah, corrupt lobbying by the evil Big Open Source cartel. Look out, they are totally the most powerful lobby out there.

The NSAKEY incident of 1999 referenced in the fine article here may or may not have been a deliberate Microsoft back door or just a poorly named debugging references.

From what I remember, it wasn't actually a backdoor, it didn't actually let the NSA do anything except install their own crypto drivers that would work with the same APIs. It wouldn't have made anything easier to hack, since they could just install a rootkit and get everything anyway if they wanted to hack something.
posted by delmoi at 3:21 AM on June 29, 2013


The main reason I dumped Ubuntu in favor of Debian is because Canonical is a private corporation while Debian is a democracy. I'm far more inclined to trust that nothing shady is going on in Debian's repos than in Canonical's.

Good point. One can still access the code for everything in Ubuntu very easily. 'apt-get source unity-lens-shopping' will give you source code, even for the most reviled package in Ubuntu's repos. Of course, we have debian to thank for 'apt-get source'...
posted by hellslinger at 11:11 PM on June 29, 2013 [1 favorite]


So much easier feeling no niggling desire to compile everything myself, though.
posted by flabdablet at 11:15 PM on June 29, 2013


Before the NSA leaks hit, MS publicly said that they wanted to extend the window on fixing bugs that had been reported to them, causing Google to say that they would report holes in Windows after a shorter period to force MS to deal with them.

Now I wonder how much of this was driven by the NSA wanting to keep 0-days active for as long as possible, and MS going along with it. Sorry for the lack of links
posted by stratastar at 1:21 PM on June 30, 2013 [1 favorite]


Blazecock Pileon: Open Source.

Serious question: Like Windows, aren't Linux and open-source services only as safe as people apply patches for zero-day exploits? OpenSSH is one notable example, I'd think, where people don't always keep things up-to-date, but still rely on SSH to reliably secure traffic, right? I wouldn't argue that it isn't better, but I don't know that it is the ultimate solution.

And isn't there a popular CS lecture, where the speaker showed how you can't trust software of any kind, because the chain of tools used to compile software can itself be corrupted?
Serious answers:

Open-source services can be inspected for malicious code. That doesn't make them any less vulnerable to zero-day exploits (or malware in general, actually), except that there are potentially more eyes available to look for weaknesses (all the programmers in the world-at-large >> all the programmers hired by Microsoft). But the intentional insertion of malicious code is far more detectable in open-source code; that is the reason for trusting it over private products.

And the same argument applies to the chain-of-tools argument. Trustworthy code can be compiled by multiple compilers, any one of which can be corrupted, but all of them being corrupted identically is nearly impossible.
posted by IAmBroom at 9:43 PM on June 30, 2013
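An added illustration of the point Nelson and IAmBroom make above about Thompson's "trusting trust" attack: a back-doored compiler only survives if every toolchain you build with is corrupted the same way, so building the same trustworthy source with several independent toolchains and comparing the outputs (the approach known as diverse double-compiling) turns an invisible problem into a visible disagreement. This is editor-added example code, not from any poster or project in the thread. The "binaries" are constructed byte strings, the toolchain names are placeholders, and the `built:<timestamp>` header is an invented stand-in for the kind of non-deterministic metadata that real reproducible-builds work has to normalise away before hashes can be compared at all.

```python
"""Diverse-build consistency check (added example, not from the thread).

Assumes the same source was compiled by several independent toolchains and
that you have their output artifacts as bytes. A compromised compiler in the
Thompson sense would have to corrupt every toolchain identically to produce
unanimous output, so a lone dissenter is what we look for.
"""
import hashlib
from collections import Counter
from typing import Callable, Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_builds(
    builds: Dict[str, bytes],
    normalize: Callable[[bytes], bytes] = lambda b: b,
) -> dict:
    """Hash each toolchain's (normalised) output and report consensus and outliers.

    builds maps a toolchain name to the artifact it produced for the same source.
    Returns 'consensus' (the hash a strict majority agrees on, or None),
    'agreeing' and 'outliers' (sorted toolchain names), 'reproducible' (True only
    if every toolchain produced identical normalised bytes) and the raw 'digests'.
    """
    if len(builds) < 2:
        raise ValueError("need at least two independent toolchains to compare")
    digests = {name: sha256_hex(normalize(blob)) for name, blob in builds.items()}
    tally = Counter(digests.values())
    top_hash, top_count = tally.most_common(1)[0]
    consensus: Optional[str] = top_hash if top_count > len(builds) / 2 else None
    agreeing: List[str] = sorted(n for n, d in digests.items() if d == consensus)
    outliers: List[str] = sorted(n for n, d in digests.items() if d != consensus)
    return {
        "consensus": consensus,
        "agreeing": agreeing,
        "outliers": outliers,
        "reproducible": len(tally) == 1,
        "digests": digests,
    }


# --- Constructed sample data (stand-ins, not real binaries) -----------------
PROGRAM = b"\x7fELF" + bytes(range(64))  # the "real" code every honest build emits


def fake_toolchain_output(timestamp: str, program: bytes) -> bytes:
    """Invented artifact format: a per-build timestamp header, then the code."""
    return b"built:" + timestamp.encode() + b"\n" + program


def strip_timestamp(blob: bytes) -> bytes:
    """Normaliser: drop the invented 'built:' header so only the code is hashed."""
    header, sep, body = blob.partition(b"\n")
    return body if sep and header.startswith(b"built:") else blob


SAMPLE_BUILDS = {
    "gcc-debian": fake_toolchain_output("1372437600", PROGRAM),
    "clang-freebsd": fake_toolchain_output("1372437655", PROGRAM),
    "tcc-bootstrap": fake_toolchain_output("1372437702", PROGRAM),
    # One toolchain quietly appends extra code: the Thompson-style dissenter.
    "vendor-blob": fake_toolchain_output("1372437730", PROGRAM + b"\xcc\xcc"),
}


def demo() -> dict:
    """Run the check with timestamps normalised away; returns the report."""
    return compare_builds(SAMPLE_BUILDS, normalize=strip_timestamp)


if __name__ == "__main__":
    report = demo()
    print("consensus:", report["consensus"])
    print("agreeing: ", report["agreeing"])
    print("outliers: ", report["outliers"])
```

Two caveats a practitioner would attach. Without the normaliser the timestamps make all four artifacts look different and there is no consensus at all, which is why reproducible-builds efforts spend most of their effort on eliminating that kind of non-determinism before any comparison is meaningful. And the check only tells you that the toolchains disagree, not which one is honest; it rests on the assumption IAmBroom states, that corrupting all of them identically is impractical, and says nothing about firmware or hardware beneath them.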


Pogo_Fuzzybutt:
And it sort of kills me that nobody cares - or as one friend on FB said to me - "I'd rather have the government reading my emails than have another 9/11".
For the record: 9/11 is far less worrying than a police state, for me. 10x as many people died of the goddamned flu in 2011 as died from the terrorist attack, to say nothing of those who died for lies the government spread to get us into war with Iraq. The amount of evil that could be achieved by a Stalin/Pol Pot/Mao/Franco/Pinochet/Amin/Senator Joe McCarthy dwarfs what all of Al Qaeda together could reasonably achieve. IMO. And giving the government the tools to achieve that evil makes it a statistical certainty that such evil will be attempted.
posted by IAmBroom at 9:53 PM on June 30, 2013 [1 favorite]


This interview with Chris Soghoian is really good.
posted by stratastar at 7:00 PM on July 19, 2013


Not trusting Microsoft is so ten years ago.
posted by telstar at 3:43 AM on July 20, 2013
