Microsoft thumbs nose at NSA, hardens crypto for Outlook, OneDrive Microsoft has flipped the switch to activate stronger encryption on its OneDrive and Outlook.com cloud services as part of a broader effort to make it harder for the NSA and other spying agencies to snoop on its customers' data. Specifically, Outlook.com now supports TLS encryption on all connections to its servers, both …
"makes it harder for eavesdroppers to decrypt communications because it never sends the secret session key in full over the network."
Really the main benefit is that the users private key is not used to encrypt the traffic and a unique key is derived per session. So moving forward, each session needs to be uniquely attacked and decrypted, regardless of if you know the private key or not.
Actually, PFS doesn't involve any user keys, just server keys, at least in the implementations discussed for Microsoft. These connections all rely on servers to have public/private key combinations. User private/public key combinations are optional, depending on the security requirements, though I haven't seen many instances where it's used for anything other than authentication.
"PFS doesn't involve any user keys, just server keys, at least in the implementations discussed for Microsoft"
PFS involves generating new (temporary) keys and dumping them when the connection is terminated. There's still keys each side, they just won't get you the temp key if they're compromised.
This is all dependant on your stuff not being backdoored day one, which frankly I'm not going to put any trust in without peer review.
>>Just Curious... Why the thumb down ?
Probably someone took your post as not sufficiently condemning Microsoft. There's some round here who see that as reason to downvote even purely factual posts. (Now lets see who downvotes this post and proves my point!)
Anyway, I think we can thank Edward Snowden for this. Microsoft don't really do this modern faux-friendly faux-free evil, yet. They're just good old-fashioned greed for your money type of evil. It used to be that toadying up to the government got you the juicy contracts. But the landscape has changed and privacy is what lots of the public are demanding (whilst using Facebook, but only Economists believe in the rational market ;). And the public represent more money than the NSA. It is also a slight edge they can exploit over Google as MS still have a business model that isn't primarily about data harvesting. So they can take a hit to advertising revenues if it helps them position themselves ahead of Google.
Call me cynical (and technically ignorant) if you will but, when we are talking about the NSA the snooping part of the US Government apparatus, given a large/useful chunk of the world's certificate authorities could be secretly compelled to hand over (or may even have had their root certs stolen) does this really matter? I mean, can the NSA not already MITM most connections setup with such trusted certs? Isn't the major problem these days that the trust is compromised and hence the emails need to be encrypted rather than just the pipe which presumably shields the metadata?
"given a large/useful chunk of the world's certificate authorities could be secretly compelled to hand over"
Cert authorities only *attest* (counter-sign) *public* keys. Nobody ever sends a private key to a cert authority. Sure they can generate new ones and usurp your traffic (a flaw that's been discussed very often and there are people testing the certs of large orgs to look out for this) - but nothing about lets say the CIA getting into say Comodo is going to get them *your* private keys. PKI is built like this for a good reason, both foreseeing this very issue and that it wouldn't be safe to send them over the wire anyway.
Also this is what PFS is for - if they capture your traffic, then later break into your server and grab the private keys - it won't allow them to decrypt the old traffic. It will of course allow them to decrypt any new traffic as it goes over the wire.
TLS (Transport Layer Security) - even with PFS - only encrypts the connection that transfers messages from the sender's mail server to the recipient's mail server. It does not address encryption of messages while they are stored on the server. Unless additional measures not discussed in the article are in place (such as S/MIME with appropriate key management), an adversary with access to the mail provider's systems and/or cooperation from the provider can still read people's messages regardless of whether TLS was used to transfer them.
>>"NSA will have to get a bit of paper rubber stamped and pay MS to provide the data, not just suck up the data for free from one of their taps."
You do your best to make this sound like it has no impact, but having to go through the court process (even if the courts are very friendly) at least creates a paper trail of who and how much the NSA are spying on and forces them to seek judicial oversight (and political climates DO change).
Furthermore, adding a financial cost to this makes a big difference in that they have to be selective. Look at spam - there's a tonne of it because it doesn't even cost pennies to send tens of thousands. With junkmail there's still more than everybody wants, but they have to at least restrict themselves to cases where they expect to get more return on the actual per-letter investment rather than the trivial cost per email of spam. And so with the NSA they have to actually pick who they want to investigate rather than just engage in massive fishing exercises.
Finally, much like the previous point but for more technical reasons, it means that they have to investigate select groups of people they already exist rather than batch-search through everyone's emails looking for particular word groups or sender-recipient combinations.
As I said, you did your best to trivialize it, but this is a significant thing that I welcome.
These people are naive in thinking the USA tech industry industry is crumbling because of the spying and that it might have been " an issue that needed to be addressed but might blow over ".
Nothing happens in a vaccuum. The US tech industry has been losing ground for ages and has been doing so perfectly well without the spies dragging them down. All the spying has done is erode the FUD that was keeping the market going for a bit longer. Net result, the spying has only changed timescales by a few months - a year at the outside. The outcome has not changed.
But big biz leaders never want to admit the rot of their industry. They always want something else to blame. They did it in 2001 and they're doing it now.
Exactly the same thing happened in 2001 with dot.bomb. The US market imposion was largely blames on Sept 11. However the industry was on the skids already. Sept 11 might have accelerated things by a month or three, but the trajectory was already set.
We've seen the upsurge of Huawei etc for a few years now. That they were coming along to eat everyone's lunch was obvious long ago. Microsoft has been rolling about in its own excrement for years.
All of this predates spies, but the spies five them a nice little scapegoat when the share holders get uppity.
>>These people are naive in thinking the USA tech industry industry is crumbling because of the spying and that it might have been " an issue that needed to be addressed but might blow over ".
I know for a fact of two large companies that have recently lost out on big contracts explicitly because of inability to reassure against snooping by the US government. Don't just write things because you think contradicting the article will make you sound more informed / insightful. I also personally recommended to a client against Azure in one instance because of US hosting not meeting EU data protection requirements for them. It happens and it's a significant thing. Do you really think Microsoft of all companies would go against the Three Letters if there weren't a monetary incentive for doing so? If you don't trust article writers or posts such as mine, surely you can at least trust in Microsoft's greed?
"also personally recommended to a client against Azure in one instance because of US hosting not meeting EU data protection requirements for them"
Why didn't they simply use EU based Azure - which does meet EU data protection requirements? There are 2 European regions to choose from.
WOW! I'd never thought I'd hear such enduser friendly language from microsoft.
You'd never catch face(mindcontrol)book, or goo(collect everything)gle attempting to massage public opinion by shoring up the pipes(please ignore the back door).
Oh.... Hang on.... DOH! I get it now. NSA isnt paying microsoft for tapping the traffic OUTSIDE the data center!
Mircosoft change...LOL..silly me.
Exactly. A properly implemented OTP defeats the spies utterly. The spies know this, the terrorists know this. Which makes me wonder why terrorism is even mentioned, hell, they couldn't/didn't stop the Boston Marathon bombers even with some advance knowledge.
The NSA et.al. spying has little to do with the stated purpose of said data collection...
Wait, didn't Microsoft make it so that it was much easier for the NSA spy on users Onedrive, email etc. Even when MS changed their encryption when moving from Hotmail they let the NSA know and were able to provide them the knowledge that is was easier to get round the encryption. Unless they have completely changed their stance on this I find this hard to believe.
"Our goal is to provide even greater protection for data across all the great Microsoft services you use and depend on every day," Thomlinson wrote. "This effort also helps us reinforce that governments use appropriate legal processes, not technical brute force, if they want access to that data." Microsoft Corporation statement
Microsoft is a (the first, since 2007) NSA Prism provider. In respect of the NSA Prism program, you can figure out in general how it works by looking at the slides released by The Guardian newspaper and Le Monde, from the material Edward Snowden provided to them.
You can believe this, if you can believe the authenticity of the US Top Secret documents that have been provided by European journalists, In fact, it is extremely hard to believe anything that is in variance with these documents, certainly not a statement from Microsoft Corporation.
1. Every "Prism provider" - NSA designation (P1-Microsoft, P2-Yahoo, P3-Google, P4-Facebook, P5-PalTalk, P6-YouTube [now Google], P7-Skype [now MS], P8-AOL, PA-Apple - maybe others we don't know about), has, directly connected to their company servers and databases, in one or more private locations on their company premises, a "Data Intercept Technology Unit - DITU", property of the US government, controlled and operated by FBI personnel.
2. Each FBI DITU has a direct connection with the NSA, and CIA, and FBI. I intepret this to mean that there is a direct connection to the Prism Provider's servers, not an Internet connection. An Ethernet connection.
3. There are two types of situations at the DITU.
a) "surveillance" the individual Prism provider client is "under surveillance". This means that every action in which they participate, login, e-mail, voice, videoconference, file transfer, image transfer, etc. is automatically provided to the DITU and transferred to NSA (and, optionally, "dual routing", to the CIA and/or FBI in real time.
I think it takes a FISA court order to put someone under surveillance, but I don't know that. Seems to me the statistics about government requests that some of the Prism providers supply are about "surveillance"
.
b) "Stored Comms" the NSA analyst sends a request to "poke around" in the information (about anyone "Target") that the Prism provider has in their stored database with an association to the targeted client. (e-mails, web pages, uploads, voice, videos, "friends", etc.). In routing the NSA request to the DITU for "Stored Comms", the NSA request is first filtered through an FBI "Electronic Communications Surveillance Unit - ECSU", which filters out the requests pertaining to individuals (presumably only those not under "surveilllance") known by the FBI to be "US Persons", before the request is sent to the DITU. This is done, presumably, to adhere to the 4th Amendment, though I don't think it does very well. For instance, If I "friend" or send an e-mail to a targeted non -"US person", the NSA would get that...
You can look at the slides and see if you agree with my thoughts about this. Incidentally, the Wikipedia site says these slides were released by Edward Snowden, though, of course, Snowden has not released them, to my knowledge, at least.
So, some Prism providers' statements, to the effect that they provide no information directly to the NSA are technically correct, though such statements seem to me to be deliberately misleading.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
