Re: "Enclosed shops" Re: HTML5 and DRM - A Middle Path?

David Singer <singer@apple.com> wrote:

> Breaking into each computer (which is what the article
> claimed was possible -- the claimed 'back door' was from 1999) is
> incredibly time-consuming

unless it can be scripted.

If the NSA is routinely informed about severe security bugs that allow
remote compromise, early enough in relation to the public release of
the corresponding bugfix that the NSA is able to develop and use exploits,
then anything is possible and there is no credible assurance of privacy
whatsoever _even_when_using_encryption_for_the_transmission_via_the_
_Internet_. It is of course true that for people who don't encrypt
their communications, the communications can be snooped on without need
to compromise computers. My point is that when a non-US person wants
their human right to communications privacy to mean something in
practice, one of the necessary steps is to avoid use of US-originating
closed-source operating systems.

Here's the relevant part of that article (I was not referring to
the point about the claimed back door from 1999)...

This part starts with a lengthy quotation in italics from a Bloomberg
report dated 2013-06-14
http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms.html

:: Microsoft Corp., the world’s largest software company, provides
:: intelligence agencies with information about bugs in its popular
:: software before it publicly releases a fix, according to two people
:: familiar with the process. That information can be used to protect
:: government computers and to access the computers of terrorists or
:: military foes.
::
:: Redmond, Washington-based Microsoft (MSFT) and other software or
:: Internet security companies have been aware that this type of early
:: alert allowed the U.S. to exploit vulnerabilities in software sold to
:: foreign governments, according to two U.S. officials. Microsoft
:: doesn’t ask and can’t be told how the government uses such tip-offs,
:: said the officials, who asked not to be identified because the matter
:: is confidential.
::
:: Frank Shaw, a spokesman for Microsoft, said those releases occur in
:: cooperation with multiple agencies and are designed to give
:: government “an early start” on risk assessment and mitigation.
[the quotation in italics ends here]
::
:: So let's think about that for a moment.
::
:: Companies and governments buy Microsoft's software, depending on the
:: company to create programs that are secure and safe. No software is
:: completely bug-free, and serious flaws are frequently found in
:: Microsoft's code (and in open source, too, of course.) So the issue
:: is not about whether software has flaws - every non-trivial piece of
:: code does - but how the people who produce that code respond to them.
::
:: What companies and governments want is for those flaws to be fixed as
:: soon as possible, so that they can't be exploited by criminals to
:: wreak damage on their systems. And yet we now learn that one of the
:: first things that Microsoft does is to send information about those
:: vulnerabilities to "multiple agencies" - presumably that includes the
:: NSA and CIA. Moreover, we also know that "this type of early alert
:: allowed the U.S. to exploit vulnerabilities in software sold to
:: foreign governments".
::
:: And remember that "foreign governments" mean those in EU countries as
:: well as elsewhere (the fact that the UK government has been spying
:: on "friendly" countries emphasises that everyone is doing it.)
:: Moreover, it would be naïve to think that the US spy agencies are
:: using these zero-day exploits purely to break into government
:: systems; industrial espionage formed part of the older Echelon
:: surveillance system, and there's no reason to think that the US will
:: restrain itself nowadays (if anything, things have got far worse.)
::
:: That means it's highly likely that vulnerabilities in Microsoft
:: products are routinely being used to break into foreign governments
:: and companies for the purpose of various kinds of espionage. So every
:: time a company installs a new patch from Microsoft to fix major
:: flaws, it's worth bearing in mind that someone may have just used
:: that vulnerability for nefarious purposes.
::
:: The implications of this are really rather profound.

http://blogs.computerworlduk.com/open-enterprise/2013/06/how-can-any-company-ever-trust-microsoft-again/index.htm

Greetings,
Norbert

Received on Tuesday, 20 August 2013 21:36:21 UTC