Microsoft Said To Give Zero Day Exploits To US Government Before It Patches Them
from the whoa dept
Bloomberg came out with quite a bombshell last night, discussing how lots of tech companies apparently work with the NSA and other government agencies, not to pass user data over to the government, but to share exploit information, sometimes before it’s public or patched, in some cases so the US government can use it proactively. Last month we wrote about how the feds were certainly collecting hacks and vulnerabilities for offensive purposes, but it wasn’t clear at the time that some of these exploits were coming directly from the companies themselves.
The report names one major participant: Microsoft:
Microsoft Corp. (MSFT), the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.
Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn’t ask and can’t be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.
That’s fairly incredible. You’d expect Microsoft and other tech companies to be focused on fixing the bugs first, not letting the NSA exploit the vulnerabilities on foreign computers.
The same report, once again, implicates the big telcos for their cushy relationship with the intelligence community, in which the telcos voluntarily hand over massive amounts of user data. There’s no oversight here, because the telcos apparently have no problem dismantling the privacy of their users.
Some U.S. telecommunications companies willingly provide intelligence agencies with access to facilities and data offshore that would require a judge’s order if it were done in the U.S., one of the four people said.
In these cases, no oversight is necessary under the Foreign Intelligence Surveillance Act, and companies are providing the information voluntarily.
The article later notes that the big telcos — AT&T, Verizon, Sprint, Level3 and CenturyLink — have all agreed to participate in a program called Einstein 3, which analyzes metadata on emails, but that all of the companies asked for and received assurances that participating wouldn’t make them liable for violating wiretapping laws.
Before they agreed to install the system on their networks, some of the five major Internet companies — AT&T Inc. (T), Verizon Communications Inc. (VZ), Sprint Nextel Corp. (S), Level 3 Communications Inc. (LVLT) and CenturyLink Inc. (CTL) — asked for guarantees that they wouldn’t be held liable under U.S. wiretap laws. Those companies that asked received a letter signed by the U.S. attorney general indicating such exposure didn’t meet the legal definition of a wiretap and granting them immunity from civil lawsuits, the person said.
Suddenly the “blanket immunity” clauses in CISPA make a lot of sense. The whole point of CISPA, it appears, is to further protect these companies when this kind of information comes out.
Filed Under: cyberattacks, cybersecurity, nsa, offensive cyberattacks, security, sharing, us government, zero day exploits
Companies: at&t, centurylink, level3, microsoft, sprint, verizon
Comments on “Microsoft Said To Give Zero Day Exploits To US Government Before It Patches Them”
There were many reasons for my decision to move from IE to Firefox years ago, but by far the largest reason was that it was taking Microsoft an average of about three months to patch vulnerabilities, whereas it was taking Mozilla about three weeks on average.
Might help explain why Redmond was always so slow to patch.
What a business strategy!
As if we needed another reason to avoid M$… Seriously, between the Xbox One, Windows 8, and this, they don’t seem to be doing too well.
“That’s fairly incredible. You’d expect Microsoft and other tech companies to be focused on fixing the bugs first, not letting the NSA exploit the vulnerabilities on foreign computers.”
What makes you believe the companies are not working contemporaneously to fix a bug?
As for a heads-up to federal agencies, perhaps you would prefer simply saying nothing to them. A utopian ideal to be sure, but also one that casts aside opportunities that may redound to enhanced national security.
Re: Re:
Read the article properly. The point is that they send information to the government before they release the fix – not before they have the fix.
Plus, following your logic, why not release the details to other friendly governments and major corporate and educational clients?
As things stand they have just told such people to switch straight away to open source – or be hacked by the US government.
Re: Re: Re:
I guess you don’t follow release information much. A lot of bugs on US-CERT have no patches and just mitigation measures when released. This includes MS, Apple, Sun, Adobe, Cisco, Juniper, etc…. I would suggest checking out a CVE:
http://cve.mitre.org/data/downloads/allitems.html
Depending on how this is submitted to SCAP, or directly, it would throw some suspicion.
Re: Re:
What makes you believe the companies are not working contemporaneously to fix a bug?
As for a heads-up to federal agencies, perhaps you would prefer simply saying nothing to them. A utopian ideal to be sure, but also one that casts aside opportunities that may redound to enhanced national security.
Why are you bringing reason to the discussion? This is TD! Spread the FUD! Spread the hate! Spread the distrust! But NEVER EVER build bridges or discuss important issues on the merits! Yeah!
How are they going to get the Chinese to pay for Windows now?
Re: Re:
Pay for spyware? no thanks.
Re: Re: Re:
If you have ANY communications tech in your home or business, you already have.
Re: Re: Re: Re:
Be careful with those absolutes. It is cheap and easy to put together your own equipment that is almost guaranteed not to have spyware in it.
But if you’re buying those “appliance” routers, firewalls, etc., then yes, you should assume they’re compromised.
Re: Re: Re:2 Re:
Wouldn’t somebody have noticed traffic going out if the “appliance” routers were compromised? They don’t need to check MY router. That’s way too inefficient when it’s already been noted that they just move into the building at AT&T headquarters and splice everyone’s traffic (including yours).
I wonder how many man in the middle certs they have that they play to both sides so they can get that “encrypted” traffic.
Re: Re: Re:3 Re:
Only if the (theoretical) back door were activated. And even then, the traffic could be easily disguised so as to look innocent.
Router backdoors and the like are intended to facilitate intrusion, which allows for a more intense level of surveillance than just capturing all the internet traffic.
That’s unknowable, of course, but they wouldn’t need very many. There are only a small number of root CAs that are commonly used.
That’s why, for maximum security, you shouldn’t use one of the commercial CAs. You should run your own. (As well as avoid web services, the cloud, and any other third party services as far as possible. Nobody can be trusted, by law.)
Re: Re: Re:
Why pay? In Soviet Russia we download it for free (Windows, that is).
Re: Re:
The Chinese government is migrating to Ubuntu. They probably want a non-MS OS to avoid this type of nonsense.
Back to Linux for me.
Thanks
But I didn’t need another reason to despise M$.
Bwahaha, it’s Stuxnet all over again! Looks like this will probably speed up the entire worlds transition away from Microsoft operating systems, and towards Linux adoption.
Way to shoot yourself in the foot Microsoft. Bravo! *slow clap*
Oh, my NON-surprise! Mike omitted GOOGLE'S part:
‘Following an attack on his company by Chinese hackers in 2010, Sergey Brin, Google’s co-founder, was provided with highly sensitive government intelligence linking the attack to a specific unit of the People’s Liberation Army, China’s military, according to one of the people, who is familiar with the government’s investigation. Brin was given a temporary classified clearance to sit in on the briefing, the person said.
According to information provided by Snowden, Google, owner of the world’s most popular search engine, had at that point been a Prism participant for more than a year.
Google CEO Larry Page said in a blog posting June 7 that he hadn’t heard of a program called Prism until after Snowden’s disclosures and that the Mountain View, California-based company didn’t allow the U.S. government direct access to its servers or some back-door to its data centers. He said Google provides user data to governments “only in accordance with the law.” ’
Re: Oh, my NON-surprise! Mike omitted GOOGLE'S part:
It’s shocking that Mike omitted a blurb about Google that has nothing to do with handing zero-day exploits to the government from an article about handing zero-day exploits to the government.
Scandalous!
Re: Re: Oh, my NON-surprise! Mike omitted GOOGLE'S part:
It’s almost as his name is an indication of how he plans to troll.
Re: Re: Oh, my NON-surprise! Mike omitted GOOGLE'S part:
Oh well no worries at least it’s not as bad as out_of_the_blue who goes from I love Jesus to Hail Satan to I need a unit in my mouth like it’s going out of style.
Re: Oh, my NON-surprise! Mike omitted GOOGLE'S part:
Truly outrageous indeed sir. Back in my day bloggers normally went “off the rails” into “batshit insane off topic discussions” mid stream.
Oh wait, that’s fox news…
Re: Re: Oh, my NON-surprise! Mike omitted GOOGLE'S part:
Current and last administration does that too. must say, Obama is doing a bang-up job continuing the Bush/Cheney mega-corp agenda
Re: Oh, my NON-surprise! Mike omitted GOOGLE'S part:
Dude, they better be paying you a lot…
Re: Oh, my NON-surprise! Mike omitted GOOGLE'S part:
He didn’t mention protests in Turkey or the Japanese eyeball licking story either. I’ll leave it up to your deficient brain to work out why (hint: they have the same amount to do with the subject of the article).
Are you really reduced to just trying to whine and deflect in every article now? You guys have been seriously uncreative this week, even by your meagre trolling standards.
Re: Re: It's a little relevant
How much value is it to patch up your computer when you have google profiling everything you do on it and handing that data over?
Google has a much richer profile on you, your habits, searches, purchases, etc. than Microsoft has. They’ve been the most successful at creating the kind of online profiles and silent tracking of the kind of info crooked governments would be after. Just think if the Nazis had a list of every website you went to, every search you did, and everywhere you went and what you bought. That is Google’s bread & butter & why they offer so much “free” stuff. Your info is the coin they trade in.
Re: Re: Re: It's a little relevant
Yes, let’s ignore this issue because your favourite conspiracy theory is more important! Ignore all the evidence because people can only be concerned about the actions one company at a time!
/moron
I am shocked! shocked! I tell ya.
Not really, this is one of the reasons I just moved on to greener pastures full of penguins everywhere.
DIY is my mantra.
Re: Re:
You would think foreign governments would have learned from that story over a decade ago when NSA Key was found hidden in Microsoft code. It was discussed to death on Slashdot.
Re: Re: Re:
They learned alright, why do you think the US government had to intervene to stop open source adoption everywhere, threatening economic sanctions?
Also, the US government is well aware of the problems with allowing others to produce critical stuff, as the Huawei brouhaha showed everyone; not only that, but all governments that can try to produce everything they need, which includes but is not limited to GPS systems.
Now the people, well we are another story we allow companies to produce the things we need without acquiring the capabilities to do so if abuse happens, we allow monopolies that would stop us even if we tried and so we become slaves to masters that will hurt us all.
This is why, I don’t want a SSN, I don’t want the government being the sole responsible for my retirement and healthcare, I don’t want to allow only pharmaceutical companies to produce medicine, I don’t want to let copyright and patents fuck my world anymore, so I decided to do it myself.
I am intelligent, I am capable and I sure can learn, but most importantly I can pass that knowledge to others.
I see how piracy has thrived under the most harsh conditions possible and I am marveled by how it survives and thrives, its resilience to adversity; if for nothing else aside from moral quandaries, that alone is just amazing. Could we do it in other parts of our lives?
I am betting that we can, pirates survive and thrive because everyone knows how to copy those things, how can we apply that to healthcare, retirement, food, clothes, education and anything else we need?
I want to see a healthcare system that will be robust and resilient as pirates are and that only will happen if everybody knows how to produce medicine and equipment, if you knew you could build a home anywhere from scraps would you be afraid to be homeless? Taking that fear away is liberating, learning bushcraft taught me a lot about self sufficiency and the importance of it, something that all governments know by instinct and don’t want to allow their population to realize, that they got the power to lift themselves when things get hard.
Sorry for the rant.
Food for thought:
We may not even need central governments to create functional societies, bees and ants can do it, why can’t we, are we less capable?
Thanks Microsoft!
Wow. I feel more secure already.
I’m sure foreign governments who use Microsoft products are going to be thrilled. Just thrilled I tell you.
Surely they can trust the discretion of the US government? The US government wouldn’t be handed a backdoor into your system after you paid monopoly prices to a foreign convicted monopolist?
Not that surprising
I am sure MS is not the only company that notifies the government of the country in which they operate immediately upon the discovery of a security flaw in software that millions of people use.
It is particularly important when a government has, you know, a GIANT DATABASE FULL OF TRACKING INFORMATION AND COMMUNICATIONS. I’d kinda like them to patch up their security problem as quickly as possible. It would be nice if they didn’t have that giant honeypot of information, but while they have it, I’d like their engineers to know about a problem with their software as quickly as possible.
Re: Not that surprising
You don’t seem to understand. Very likely no party, including the government, can fix the vulnerability faster than Microsoft. Microsoft can distribute the fix to government users very quickly and I’m sure they do.
The purpose of giving the vulnerability information to the government can only be so that they can exploit it on foreign computers. Naturally, the NSA would never dream of hacking into domestic computers.
Re: Re: Not that surprising
That’s not correct.
There are plenty of exploits that have workarounds or can be monitored before they are patched. Knowing something is a problem can be just as important as fixing it.
And people are still going to buy the new XBox? You must be out of your fucking minds! What do you think is going to happen to all the video and voice messages the console hoovers up? What about any of the touch screen devices and O/S that Microsoft has brought out? Do you honestly think those devices are under your control every minute? Get outta here!! And as for having to connect to the ‘net at least once every 24 hours, what do you think that’s for? To ensure what is on and in the console is genuine etc etc. It’s so if you happen to have anything a bit hooky, they will know immediately when it ‘pings back’ to Microsoft and whoever else may be interested, like the entertainment industries! You will then be deep in it. The whole aim is to maintain control over people who do buy the console and take away your choice of what you do with something you bought and paid for. This is exactly the huge mistake Sony made with the PS3. Notice how they have not made the same mistake again!! They know what will happen! Shame Microsoft still thinks so little of its customers as to want to have its control over them!
ya right....
“That’s fairly incredible. You’d expect Microsoft and other tech companies to be focused on fixing the bugs first, not letting the NSA exploit the vulnerabilities on foreign computers.”
Sure….”foreign” computers.
Re: ya right....
NSA definition of “foreign”
“Any electronic equipment not inside an NSA building is to be classified as “foreign””
🙂
Re: ya right....
Well as long as there is at least a 51% chance that it’s a ‘foreign’ computer, that’s good enough for the NSA.
Providing legal "permission slips" should be against the law
This should simply be illegal. For both parties. It should not be a valid defense to assert “I got a letter saying it was OK.” And it should be illegal for any member of the executive or legislative branch to provide such an excuse. Where does it stop? Could one get a letter saying that killing someone is not murder?
I’m sure if the telcos had to ask their lawyers for permission, they would never hand the data over without a court order, and that’s what we want.
“The purpose of giving the vulnerability information to the government can only be so that they can exploit it on foreign computers.”
Plus when the so called bad guys find out about this vulnerability because it was used on them they turn around and use it on the unsuspecting public to harm them.
Re: Re:
Well, why do you think they made all that brouhaha about Huawei?
Why do you think everyone who can is developing their own GPS systems?
This should be a pretty good indication of how those people really think, they will exploit anything, moral, immoral, right or wrong. After exploiting everything they will come up with excuses to justify the deed and try to dress it pretty just in case somebody sees it, which brings me to the point of secrecy, they of course will try to hide it from everyone.
This is exactly why transparency, whistleblowers, anonymity and even competition are important for a democratic free society.
We need to shine light on those rodents.
Immunity can't protect businesses from public backlash
Immunity can’t protect companies from backlash of the public, like foreign nations deciding to ditch all American made hardware and software to protect themselves.
And yet again, a US government becoming more and more like a dictatorship where citizens have no rights continues to do things to scare business away from the US.
Re: Immunity can't protect businesses from public backlash
And tourism. When I was younger, it was not uncommon to see tourists around Southern California at restaurants, theme parks, etc.
Now I never see foreigners anymore, even at National Parks or Disneyland. And then they wonder why we are in a recession.
Re: Immunity can't protect businesses from public backlash
If Hugo Chavez were still alive, the entire rest of Latin America would never hear the end of it all. Dude forked Linux back in 2006 and created a Venezuelan version arguing exactly this sort of thing, and managed to convince the Brazilian Government to adopt a similar project, which got a reasonable success. Irony at its finest.
well well...
I do not say this lightly, because it’s my career to support and install Microsoft, and has been for almost two decades, but this basically is the final straw to move my entire life away from Microsoft.
Totally unacceptable. I’m done. I don’t care if I lose my job by not learning the latest Microsoft blah, it’s time. I don’t care if I miss out on games on the platform, I’m done. I’ll put up with strange linux finickyness, because that is less hassle at this point. way, way less hassle.
I’m done. It was nice to be lazy and make money. But no longer.
Re: well well...
I’m glad that you reached this conclusion, but I’m curious… why was this the final straw? This was already common knowledge (in the industry, anyhow), and is a trivial matter compared to the other ways that Microsoft has been helping the NSA for years (building back doors, etc.)
There’s a reason that so many governments avoid using Microsoft products.
Re: well well...
True.
I always used to joke to people that Microsoft’s messed up OS was good for business.
Now installing Linux will be good for business.
Not much choice for M$
I’m not happy with M$. But I don’t think they had much choice. I’m sure it was either said or strongly implied that the Government said something like this to M$:
“Now now don’t fret comrade. I’m sure if you provide us with the necessary backdoor exploits then we’ll make sure that you have no further trouble with the DOJ.”
Re: Not much choice for M$
They were helping the NSA in unseemly ways before the antitrust problems. I suspect it has more to do with Microsoft’s desire for juicy federal contracts.
So…… Linux anyone?
Re: Re:
http://en.wikipedia.org/wiki/Canaima_(operating_system)
Oh, is that why it takes Oracle months to fix Java exploits.
Re: Re:
JAVA: Just Another Vulnerability Announcement
To say that this is all very much out of control would not be an exaggeration.
Bat shit fucking crazy may be only a slight exaggeration.
A fascist, phobiocratic, authoritarian, totalitarian and kleptocratic cocktail of a republic.
Could we please see the constitution for the government actually operating right now please. It would prove most helpful.
I use linux, I thought you GNU.
that and a nickel will get you...
Perhaps an interesting parallel. In the run-up to the Whitey Bulger trial, he wanted to use as a defense that the FBI authorized him to commit murder. The judge responded that it didn’t matter whether they did so or not, because it would not have been legal for them to make such a commitment. Therefore, regardless of what he may have been promised by the FBI, he can be prosecuted for the murders.
Would be nice to see Microsoft, Google, Facebook and the telcos finding themselves similarly under the gun in the future. Even though congress passed a law stating that the corporations have immunity (and retroactively, at that!), it would be far from the first time that a law has been overturned when it was found to be unconstitutional.
Well, I can dream, right?
Re: that and a nickel will get you...
You can dream, yes. I’d say that sifting through what is and what is not constitutional is of the utmost importance. Overturning that immunity is one of the few lights in the tunnel we currently find ourselves entering (in?).
How long before NSA says “Hey Microsoft, don’t fix that particular bug just yet”?
Moving to Linux
This makes the decision to stay with Tux the Penguin a no-brainer; not that I was leaving. And it makes recommending Linux to others more of a no-brainer. I would recommend to anyone to move to Linux and forget any MS software.
Re: Moving to Linux
Recommending Linux is a no-brainer even aside from this point. Linux works better, and is easier to use, than Windows.
Re: Re: Moving to Linux
Even allies such as England I’m sure are thrilled to hear that the US can snoop on their computers with the knowledge of their OS software vendor.
I’m thinking of creating a conversion package for foreign nations. So many potential customers..
Just thinking out loud here
But assuming that the US government’s computer systems are mostly Windows, it’s not exactly that surprising that Microsoft would warn the Feds about the zero-day exploits and not the general public.
I mean, considering that the US Government’s new boogeyman meme is “CYBERTERRORISM! OH TEH NOES!”, allow me to point out something that’s being overlooked in the quoted text:
Considering that China’s been so brazenly hack-happy lately against the U.S.’ private sector, it’s not surprising that Microsoft’s tipping off its home government and not anyone else. While it may not exactly trust the U.S. government (depending on your viewpoint), they certainly favor the government that’s more likely to protect their intellectual property (trade secrets/copyright infringement) over the government that’s more likely to actively steal their trade secrets, reverse engineer them, and then claim they built it on their own [China].
As for not telling the general public, well, I’m betting that that Microsoft thinks malicious state-sponsored hacker groups don’t really care what John Q. Public has on his computer.
Now could groups like the NSA use these zero-day exploits for nefarious purposes? Yes they could.
Would they?
I’d say the chance of that (percentage-wise) is about the same percentage they use for determining a subject’s “foreignness”. ‘Course, I’m being a little optimistic on that.
As the Zen Master says, “We’ll see.”
We live in an age where vulnerabilities are routinely found by many people, simultaneously, and where it’s generally true that if the company is aware of a vulnerability in a released product, then so are the bad guys. Given that, I don’t see any problem at all with MS giving vulnerability info to the government.
The problem, as I see it, is that they don’t give that same info out to the public.
Thankfully, I don’t have my internet service with any of those companies- nor will I ever.
What’s interesting about this is that the defenders of Microsoft’s policy ignore the fact that Microsoft does not even ask the government what it does with the information, let alone extract a promise from them not to use it offensively. The government might well break such a promise but at least Microsoft would have done their due diligence vis-a-vis their customers. The fact that MS doesn’t do this is very telling.
Start using Linux.
“But I don’t want to!”
Then it’s your fault.
I now have another reason
why I will never, so long as I breathe, use Windows again. This is just another reason for moving entirely to a Free Software operating system for all my computers.
After 35 years in the business, since 1975, with 20 as a windows administrator and programmer, and 10 on Linux systems, I can only advise all non Americans who value their privacy and security to switch to a Linux based operating system.
So What
So what? Everybody knows that, and if you can’t figure it out you are pretty much an idiot. There is no privacy on the internet, just face it, and stop bothering other people with pointless discussions or at least shut down the comments on such posts.
Re: So What
There is privacy on internet it’s just harder to get.
Next generation OS from Microsoft
Yes!
Next Generation OS will produced by Microsoft or Sco Unix or Linux…. any networked based Web OS… will solve all the space as well as user life computing in future…
imobilitics.com
I don’t see why people are falling so easily to the sensationalism of this article. The NSA holds some of the nation’s most valuable information. They use some Windows computers. Microsoft doesn’t want to be held liable for the NSA being hacked. Therefore, Microsoft informed the NSA of the zero-day exploit so that they is forewarned. This is a very self-serving rationale for the security tip-off, but it makes perfect sense for Microsoft as a business. Being blamed for the loss of national intelligence would damage Microsoft far more than thousands of articles like these and millions of comments like these.
Also, the NSA actually might be able to write up a security wall faster than Microsoft could, because the folks at the NSA are probably pretty well acquainted with their machines. Microsoft releases patches slower than they should, but to be fair, they do have to make sure that their patch works on every version of every computer in the world.
Re: Re:
“The NSA holds some of the nation’s most valuable information.”
Much of which they have no business holding.
“They use some Windows computers.”
If security is such an issue with the use of that software, maybe they shouldn’t. Those concerns simply highlight the danger of using a closed proprietary system for anything requiring high levels of security.
“Also, the NSA actually might be able to write up a security wall faster than Microsoft could, because the the folks at the NSA are probably pretty well acquainted with their machines”
Really? You’re OK with a government agency using your tax dollars to fix the security fuck ups of a private company who charge you directly for the use of their software? Because you think they’re more familiar with it than the people who made the buggy crap in the first place? Astounding.
Of course if you really want a conspiracy theory how do we know that the zero day “vulnerabilities” aren’t deliberate?
There are “a lot” of leaks about US intelligence becoming almost tyrannical in its capabilities and that’s bad. Feel lucky I am not American, although in today’s world everything is related… BUT America is not the only superpower out there, and I think not the biggest anymore… And it’s quite concerning there are no disclosures on the others, especially China (or maybe I am not aware of them). And I bet you the Chinese spooks are a hell of a lot more ruthless. So really, the quiet ones are the ones to be most concerned about. So I say, let China buy Windows and only Windows (in gov facilities); maybe that way some info will get to NSA and then hopefully leak to us.
Almost right
This is a brilliant article with a flaw. The stated assumption that this tech exploit is used on “foreign” computers. View through a Prism and try again.
Get real
Please. Get head out of sand. This strikes you as “incredible?” Nobody bothered to read about HB Gary Federal’s work in this area and connect the dots? There’s a huge market for this sort of stuff. Of COURSE you can ASSUME the government and other players have tons of zero-day exploits that MS doesn’t even know about! Use some common sense! Really about the only way to communicate securely may be to call your buddy via modem directly and use encryption over the link.
This explains one thing
The horrible delay it takes to release a patch for severe security bugs in Windows… They need to give the NSA time to play with it before