• United States



Is Microsoft an enemy of the internet by helping the NSA undermine encryption?

Sep 06, 20135 mins
Data and Information SecurityEncryptionEnterprise Applications

Two cryptographers warned that commercial encryption likely includes backdoors for the NSA; one expert warned that Microsoft is the most likely suspect in weakening encryption systems.

For the past decade, the NSA has been busy thwarting encryption that millions of netizens count on to guard the privacy of their electronic communications. Based on NSA documents from whistleblower Edward Snowden, the New York Times, The Guardian and ProPublica published details of how the NSA has cracked, circumvented, or formed covert partnerships with software and hardware vendors to have backdoors built into their products.

After reading “hundreds of top-secret NSA documents,” cryptographer Bruce Schneier gave five pieces of advice on how to best keep your electronic communication secure against the NSA. One of the most alarming revelations is that he felt the need to buy a new computer that “has never been connected to the internet” to use as an air gap. To transfer a file from his secure PC and his internet computer, he uses a USB stick.

You should still encrypt, even Snowden said it works before he added, “Properly implemented strong crypto systems are one of the few things that you can rely on.”

Schneier agreed but also warned us to “be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well.”

Meanwhile, cryptographer Matthew Green suggested the commercial encryption code that we should be most concerned about being weakened belongs to Microsoft. “If we’re talking about commercial encryption code, the lion’s share of it uses one of a small number of libraries. The most common of these are probably the Microsoft CryptoAPI (and Microsoft SChannel) along with the OpenSSL library.” Green added:

Of the libraries above, Microsoft is probably due for the most scrutiny. While Microsoft employs good (and paranoid!) people to vet their algorithms, their ecosystem is obviously deeply closed-source. You can view Microsoft’s code (if you sign enough licensing agreements) but you’ll never build it yourself. Moreover they have the market share. If any commercial vendor is weakening encryption systems, Microsoft is probably the most likely suspect.forty percent of the SSL servers! Moreover, even third-party encryption programs running on Windows often depend on CAPI components, including the random number generator. That makes these programs somewhat dependent on Microsoft’s honesty.

And this is a problem because Microsoft IIS powers around 20% of the web servers on the Internet — and nearly

The Guardian previously reported that the NSA worked with Microsoft to allow the interception of users’ private communications. The NSA obtained “pre-encryption access to Microsoft’s most popular services, including Outlook e-mail, Skype Internet phone calls and chats, and SkyDrive, the company’s cloud storage service,” added the New York Times. “Microsoft asserted that it had merely complied with ‘lawful demands’ of the government, and in some cases, the collaboration was clearly coerced. Some companies have been asked to hand the government the encryption keys to all customer communications, according to people familiar with the government’s requests.”

In a different article, “The US government has betrayed the internet,” Schneier wrote:

By subverting the internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our data: we can no longer trust them to be ethical internet stewards.

He said we need to take the internet back and called for engineers with insider knowledge to turn into whistleblowers. If you know about the NSA subverting products or protocols, Schneier asks you to come forward and tell the truth about such unethical activity. He has heard from five people, but he needs to hear from 50. “There’s safety in numbers, and this form of civil disobedience is the moral thing to do.”

Schneier also calls on people to innovate, “to re-engineer the internet to prevent wholesale spying,” and to “make surveillance expensive again.” In closing, he added, “To the engineers, I say this: we built the internet, and some of us have helped to subvert it. Now, those of us who love liberty have to fix it.”

Image credit: TechFlash Todd via ResourceSpace

Like this? Here’s more posts:

Follow me on Twitter @PrivacyFanatic

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.