Microsoft Said To Give Zero Day Exploits To US Government Before It Patches Them
from the whoa dept
Bloomberg came out with quite a bombshell last night, discussing how lots of tech companies apparently work with the NSA and other government agencies, not to pass data on users over to the government, but to share exploit information, sometimes before it's public or patched -- in some cases so it can be useful for the US government to use proactively. Last month, we had written about how the feds were certainly collecting hacks and vulnerabilities for offensive purposes, but it wasn't clear at the time that some of these exploits were coming directly from the companies themselves.The report names one major participant: Microsoft:
Microsoft Corp. (MSFT), the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.That's fairly incredible. You'd expect Microsoft and other tech companies to be focused on fixing the bugs first, not letting the NSA exploit the vulnerabilities on foreign computers.
Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn’t ask and can’t be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.
The same report, once again, implicates the big telcos for their cushy relationship with the intelligence community -- in which the telcos willingly and voluntarily hand over massive amounts of user data. There's no oversight here, because the telcos apparently have no problem dismantling the privacy of their users.
Some U.S. telecommunications companies willingly provide intelligence agencies with access to facilities and data offshore that would require a judge’s order if it were done in the U.S., one of the four people said.The article later notes that the big telcos -- AT&T, Verizon, Sprint, Level3 and CenturyLink -- have all agreed to participate in a program called Einstein 3, which analyzes metadata on emails, but that all of the companies asked for and received assurances that participating wouldn't make them liable for violating wiretapping laws.
In these cases, no oversight is necessary under the Foreign Intelligence Surveillance Act, and companies are providing the information voluntarily.
Before they agreed to install the system on their networks, some of the five major Internet companies -- AT&T Inc. (T), Verizon Communications Inc (VZ)., Sprint Nextel Corp. (S), Level 3 Communications Inc (LVLT). and CenturyLink Inc (CTL). -- asked for guarantees that they wouldn’t be held liable under U.S. wiretap laws. Those companies that asked received a letter signed by the U.S. attorney general indicating such exposure didn’t meet the legal definition of a wiretap and granting them immunity from civil lawsuits, the person said.Suddenly the "blanket immunity" clauses in CISPA make a lot of sense. The whole point of CISPA, it appears, is to further protect these companies when this kind of information comes out.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cyberattacks, cybersecurity, nsa, offensive cyberattacks, security, sharing, us government, zero day exploits
Companies: at&t, centurylink, level3, microsoft, sprint, verizon
Reader Comments
Subscribe: RSS
View by: Time | Thread
Might help explain why Redmond was always so slow to patch.
[ link to this | view in thread ]
What a business strategy!
[ link to this | view in thread ]
What makes you believe the companies are not working contemporaneously to fix a bug?
As for a heads-up to federal agencies, perhaps you would prefer simply saying nothing to them. A utopian ideal to be sure, but also one that casts aside opportunities that may redound to enhanced national security.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
[ link to this | view in thread ]
Thanks
[ link to this | view in thread ]
Way to shoot yourself in the foot Microsoft. Bravo! *slow clap*
[ link to this | view in thread ]
Oh, my NON-surprise! Mike omitted GOOGLE'S part:
According to information provided by Snowden, Google, owner of the world’s most popular search engine, had at that point been a Prism participant for more than a year.
Google CEO Larry Page said in a blog posting June 7 that he hadn’t heard of a program called Prism until after Snowden’s disclosures and that the Mountain View, California-based company didn’t allow the U.S. government direct access to its servers or some back-door to its data centers. He said Google provides user data to governments “only in accordance with the law.” '
[ link to this | view in thread ]
Re: Oh, my NON-surprise! Mike omitted GOOGLE'S part:
Scandalous!
[ link to this | view in thread ]
Re: Re: Oh, my NON-surprise! Mike omitted GOOGLE'S part:
[ link to this | view in thread ]
Re: Oh, my NON-surprise! Mike omitted GOOGLE'S part:
Oh wait, that's fox news...
[ link to this | view in thread ]
Re: Oh, my NON-surprise! Mike omitted GOOGLE'S part:
[ link to this | view in thread ]
Not really, this is one of the reasons I just moved on to greener pastures full of penguins everywhere.
DIY is my mantra.
[ link to this | view in thread ]
Thanks Microsoft!
I'm sure foreign governments who use Microsoft products are going to be thrilled. Just thrilled I tell you.
Surely they can trust the discretion of the US government? The US government wouldn't be handed a backdoor into your system after you paid monopoly prices to a foreign convicted monopolist?
[ link to this | view in thread ]
Not that surprising
It is particularly important when a government has, you know, a GIANT DATABASE FULL OF TRACKING INFORMATION AND COMMUNICATIONS. I'd kinda like them to patch up their security problem as quickly as possible. It would be nice if they didn't have that giant honeypot of information, but while they have it, I'd like their engineers to know about a problem with their software as quickly as possible.
[ link to this | view in thread ]
Re: Oh, my NON-surprise! Mike omitted GOOGLE'S part:
Are you really reduced to just trying to whine and deflect in every article now? You guys have been serious uncreative this week, even by your meagre trolling standards.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Not that surprising
The purpose of giving the vulnerability information to the government can only be so that they can exploit it on foreign computers. Naturally, the NSA would never dream of hacking into domestic computers.
[ link to this | view in thread ]
[ link to this | view in thread ]
ya right....
Sure...."foreign" computers.
[ link to this | view in thread ]
Providing legal "permission slips" should be against the law
This should simply be illegal. For both parties. It should not be a valid defense to assert "I got a letter saying it was OK." And it should be illegal for any member of the executive or legislative branch to provide such an excuse. Where does it stop? Could one get a letter saying that killing someone is not murder?
I'm sure if the telcos had to ask their lawyers for permission, they would never hand the data over without a court order, and that's what we want.
[ link to this | view in thread ]
Plus when the so called bad guys find out about this vulnerability because it was used on them they turn around and use it on the unsuspecting public to harm them.
[ link to this | view in thread ]
Re: ya right....
"Any electronic equipment not inside the an NSA building is to be classified as "foreign""
:)
[ link to this | view in thread ]
Re: Re: Oh, my NON-surprise! Mike omitted GOOGLE'S part:
[ link to this | view in thread ]
Immunity can't protect businesses from public backlash
And yet again, a US government becoming more and more like a dictatorship where citizens have no rights continues to do things to scare business away from the US.
[ link to this | view in thread ]
well well...
Totally unacceptable. I'm done. I don't care if I lose my job by not learning the latest Microsoft blah, it's time. I don't care if I miss out on games on the platform, I'm done. I'll put up with strange linux finickyness, because that is less hassle at this point. way, way less hassle.
I'm done. It was nice to be lazy and make money. But no longer.
[ link to this | view in thread ]
Re: ya right....
[ link to this | view in thread ]
Re:
Plus, following your logic, why not release the details to other friendly governments and major corporate and educational clients?
As things stand they have just told such people to switch straight away to open source - or be hacked by the US government.
[ link to this | view in thread ]
Re:
Why do you think everyone who cans is developing their own GPS systems?
This should be a pretty good indication of how those people really think, they will exploit anything, moral, immoral, right or wrong. After exploiting everything they will come up with excuses to justify the deed and try to dress it pretty just in case somebody sees it, which brings me to the point of secrecy, they of course will try to hide it from everyone.
This is exactly why transparency, whistleblowers, anonymity and even competition are important for a democratic free society.
We need to shine light on those rodents.
[ link to this | view in thread ]
Not much choice for M$
"Now now don't fret comrade. I'm sure if you provide us with the necessary backdoor exploits then we'll make sure that you have no further trouble with the DOJ."
[ link to this | view in thread ]
Re:
As for a heads-up to federal agencies, perhaps you would prefer simply saying nothing to them. A utopian ideal to be sure, but also one that casts aside opportunities that may redound to enhanced national security.
Why are you bringing reason to the discussion? This is TD! Spread the FUD! Spread the hate! Spread the distrust! But NEVER EVER build bridges or discuss important issues on the merits! Yeah!
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: well well...
I'm glad that you reached this conclusion, but I'm curious... why was this the final straw? This was already common knowledge (in the industry, anyhow), and is a trivial matter compared to the other ways that Microsoft has been helping the NSA for years (building back doors, etc.)
There's a reason that so many governments avoid using Microsoft products.
[ link to this | view in thread ]
Re: Not much choice for M$
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re:
http://cve.mitre.org/data/downloads/allitems.html
Depending on how this is submitted to SCAP or directly would through some suspicion.
[ link to this | view in thread ]
Bat shit fucking crazy may be only a slight exaggeration.
A fascist, phobiocratic, authoritarian, totalitarian and kleptocratic cocktail of a republic.
Could we please see the constitution for the government actually operating right now please. It would prove most helpful.
[ link to this | view in thread ]
Re: well well...
I alway used to joke to people that Microsoft's messed up OS was good for business.
Now installing Linux will be good for business.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Oh, my NON-surprise! Mike omitted GOOGLE'S part:
[ link to this | view in thread ]
that and a nickel will get you...
Would be nice to see Microsoft, Google, Facebook and the telcos finding themselves similarly under the gun in the future. Even though congress passed a law stating that the corporations have immunity (and retroactively, at that!), it would be far from the first time that a law has been overturned when it was found to be unconstitutional.
Well, I can dream, right?
[ link to this | view in thread ]
Re: that and a nickel will get you...
[ link to this | view in thread ]
Re: Re: Re:
But if you're buying those "appliance" routers, firewalls, etc., then yes, you should assume they're compromised.
[ link to this | view in thread ]
Re: Re: Re: Re:
I wonder how many man in the middle certs they have that they play to both sides so they can get that "encrypted" traffic.
[ link to this | view in thread ]
Re: Immunity can't protect businesses from public backlash
Now I never see foreigners anymore, even at National Parks or Disneyland. And then they wonder why we are in a recession.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Moving to Linux
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
Only if the (theoretical) back door were activated. And even then, the traffic could be easily disguised so as to look innocent.
Router backdoors and the like are intended to facilitate intrusion, which allows for a more intense level of surveillance than just capturing all the internet traffic.
That unknowable, of course, but they wouldn't need very many. There are only a small number of root CAs that are commonly used.
That's why, for maximum security, you shouldn't use one of the commercial CAs. You should run your own. (As well as avoid web services, the cloud, and any other third party services as far as possible. Nobody can be trusted, by law.)
[ link to this | view in thread ]
Re: Re: Not that surprising
There are plenty of exploits that have workarounds or can be monitored before they are patched. Knowing something is a problem can be just as important as fixing it.
[ link to this | view in thread ]
Re: Immunity can't protect businesses from public backlash
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Moving to Linux
[ link to this | view in thread ]
Re: Re:
Also the US government is well aware of the problems with allowing others to produce critical stuff as the Hauwei bro-ha-ha showed everyone, not only that but all governments that can try to produce everything they need that includes but is not limited to GPS systems.
Now the people, well we are another story we allow companies to produce the things we need without acquiring the capabilities to do so if abuse happens, we allow monopolies that would stop us even if we tried and so we become slaves to masters that will hurt us all.
This is why, I don't want a SSN, I don't want the government being the sole responsible for my retirement and healthcare, I don't want to allow only pharmaceutical companies to produce medicine, I don't want to let copyright and patents fuck my world anymore, so I decided to do it myself.
I am intelligent, I am capable and I sure can learn, but most importantly I can pass that knowledge to others.
I see how piracy have thrived under the most harsh conditions possible and I am marveled by how it survives and thrives its resilience to adversity if for nothing else aside moral quandaries, that alone is just amazing. Could we do it to other parts of our lifes?
I am betting that we can, pirates survive and thrive because everyone knows how to copy those things, how can we apply that to healthcare, retirement, food, clothes, education and anything else we need?
I want to see a healthcare system that will be robust and resilient as pirates are and that only will happen if everybody knows how to produce medicine and equipment, if you knew you could build a home anywhere from scraps would you be afraid to be homeless? Taking that fear away is liberating, learning bushcraft taught me a lot about self sufficiency and the importance of it, something that all governments know by instinct and don't want to allow their population to realize, that they got the power to lift themselves when things get hard.
Sorry for the rant.
Food for thought:
We may not even need central governments to create functional societies, bees and ants can do it, why can't we, are we less capable?
[ link to this | view in thread ]
Just thinking out loud here
I mean, considering that the US Government's new boogeyman meme is "CYBERTERRORISM! OH TEH NOES!", allow me to point out something that's being overlooked in the quoted text:
Considering that China's been so brazenly hack-happy lately against the U.S.' private sector, it's not surprising that Microsoft's tipping off it's home government and not anyone else. While it may not exactly trust the U.S. government (depending on your viewpoint) they certainly favor the government who's more likely to protect their intellectual property (trade secrets/copyright infringement) than the government who's more likely to actively steal their trade secrets, reverse engineer it, and then claim they built it on their own[China].
As for not telling the general public, well, I'm betting that that Microsoft thinks malicious state-sponsored hacker groups don't really care what John Q. Public has on his computer.
Now could groups like the NSA use these zero-day exploits for nefarious purposes? Yes they could.
Would they?
I'd say the chance of that (percentage-wise) is about the same percentage they use for determining a subject's "foreignness". 'Course, I'm being a little optimistic on that.
As the Zen Master says, "We'll see."
[ link to this | view in thread ]
The problem, as I see it, is that they don't give that same info out to the public.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: Moving to Linux
I'm thinking of creating a conversion package for foreign nations. So many potential customers..
[ link to this | view in thread ]
"But I don't want to!"
Then it's your fault.
[ link to this | view in thread ]
I now have another reason
After 35 years in the business, since 1975, with 20 as a windows administrator and programmer, and 10 on Linux systems, I can only advise all non Americans who value their privacy and security to switch to a Linux based operating system.
[ link to this | view in thread ]
So What
[ link to this | view in thread ]
Next generation OS from Microsoft
Next Generation OS will produced by Microsoft or Sco Unix or Linux.... any networked based Web OS... will solve all the space as well as user life computing in future...
imobilitics.com
[ link to this | view in thread ]
It's a little relevant
Google has a much richer profile on you, your habits, searches, purchases, etc. than Microsoft has. They've been the most successful at creating the kind of online profiles and silent tracking of the kind of info crooked governments would be after. Just think if the Nazi's had a list of every website you went to, search you did, and everywhere you went and what you bought. That is google's bread & butter & why they offer so much "free" stuff. Your info is the coin they trade in.
[ link to this | view in thread ]
Also, the NSA actually might be able to write up a security wall faster than Microsoft could, because the the folks at the NSA are probably pretty well acquainted with their machines. Microsoft releases patches slower than they should, but to be fair, they do have to make sure that their patch works on every version of every computer in the world.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
[ link to this | view in thread ]
Almost right
[ link to this | view in thread ]
Almost right
[ link to this | view in thread ]
Re: So What
[ link to this | view in thread ]
Re: It's a little relevant
/moron
[ link to this | view in thread ]
Re:
Much of which they have no busi9ness holding.
"They use some Windows computers."
If security is such an issue with the use of that software, maybe they shouldn't. Those concerns simply highlight the danger of using a closed proprietary system for anything requiring high levels of security.
"Also, the NSA actually might be able to write up a security wall faster than Microsoft could, because the the folks at the NSA are probably pretty well acquainted with their machines"
Really? You're OK with a government agency using your tax dollars to fix the security fuck ups of a private company who charge you directly for the use of their software? Because you think they're more familiar with it than the people who made the buggy crap in the first place? Astounding.
[ link to this | view in thread ]
Get real
[ link to this | view in thread ]
This explains one thing
[ link to this | view in thread ]