Microsoft Admits Its Datacenters Are Wide Open To NSA Attacks

from the uh,-guys... dept

When the NSA news started breaking this past summer, it was noted that Google quickly realized where the NSA might be hacking in, and rushed to encrypt the links that connect their data centers. While some may criticize this, it's easy to see why companies never bothered to encrypt these links. They're internal networks, with no direct access to the outside world. The threat likelihood was quite low... unless you're a giant government spying operation. That said, once it was revealed that, indeed, this is how the NSA hacks in, no company has an excuse for not encrypting such links. Some Google engineers stated a direct "fuck you" to the NSA, as they were making sure that those links were encrypted (they claimed the job was done, though Google officially has said it's an ongoing process, suggesting they may still be finishing up).

Unfortunately, it's not clear that other companies are following suit. When asked about this right after the infiltration was revealed, Yahoo gave a non-committal answer:

> "We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency."

Yeah, but that doesn't say they encrypt the links between data centers, or even that they're planning to do so. Since then, Yahoo has basically said nothing as far as I can tell. Over in Europe, however, Microsoft has now admitted that it still is not encrypting those links, and is only now investigating the idea.

> Dorothee Belz, EMEA VP for Legal and Corporate Affairs made the remark when answering a question from Claude Moraes, MEP during a meeting at the European Parliament on Monday.
>
> "Generally, what I can say today is server-to-server transportation is generally not encrypted," she said. "This is why we are currently reviewing our security system."

Sure, it's not something that can be done overnight, but large internet companies who use multiple data centers now need to assume that all of their data is compromised if they're not encrypting the links. Whether or not it's done yet, these companies have a responsibility to get that process started as soon as possible. Hell, they all probably should have started doing this as soon as the news broke that Google was rushing to do this, since it was pretty clear they'd figured out what was going on.

It's especially ironic that Microsoft is now admitting that it's not encrypting the data leaks, because the company has been on a rampage trying to present itself as protecting users' privacy and Google as a privacy nightmare. But, given these admissions, Microsoft has now basically said that it's made all of your data available to the US government and it's still thinking about what to do about it, while Google has been rushing to protect its users' privacy.


Reader Comments

  •  
    Anonymous Coward, Nov 15th, 2013 @ 4:04am

    Colleen Kollar-Kotelly

    From Wikipedia, The Free Encyclopedia: Colleen Kollar-Kotelly
    Colleen Kollar-Kotelly (born 1943, New York, New York) is a judge for the United States District Court for the District of Columbia and was presiding judge of the Foreign Intelligence Surveillance Court (FISC). . . .

     . . . and later as Presiding Judge of the United States Foreign Intelligence Surveillance Court, where she served from 2002 to 2009. . . .

    Notable cases

    In August 2001, Kollar-Kotelly was assigned the United States v. Microsoft anti-trust case, after Judge Thomas Penfield Jackson was removed from the case. . . .


    The judge overseeing Microsoft was also the chief judge of the rubber-stamp court.

    Coinky-dink?

    Or an opportunity to twist arms—and make sure Microsoft cooperated satisfactorily with the government.

     

    •  
      Anonymous Coward, Nov 15th, 2013 @ 4:11am

      Re: Colleen Kollar-Kotelly

      “Microsoft vs U.S. antitrust battle soon to be history”, by Diane Bartz, Reuters, April 27, 2011
      Thirteen years after the Justice Department filed an antitrust lawsuit against Microsoft, accusing the software giant of using its market power to pummel potential rivals, the case will soon be history.

      "And so May 12 will close an important chapter in the history of antitrust law," said Judge Colleen Kollar-Kotelly during the last oversight hearing on Wednesday . . . .

      Note the year: 2011.

      Rubber-stamp court Judge Kollar-Kotelly was actively supervising Microsoft during this period.

       

  •  
    Anonymous Coward, Nov 15th, 2013 @ 4:16am

    With google you can add your own encryption to emails, and at least protect the contents. Can you do the same with the Online office suite, which for companies will likely contain much more interesting information than emails?
    While companies encrypting internal links is security 101, it only works until the government demands their keys with a gag order. Has Microsoft committed to software as a service just in time for it to go right out of favour due to governments demanding access to everything that traverses the net?

     

    •  
      Anonymous Coward, Nov 15th, 2013 @ 4:36am

      Re:

      Actually, Outlook has encryption built in as well, either through SmartCards or Certificates. With MS, you usually purchase your own Certificate from a CA, so they would still need your private certificate.

       

      •  
        Anonymous Coward, Nov 15th, 2013 @ 4:48am

        Re: Re:

        Outlook has encryption built in as well
        Oh, yes, and this code has been audited for security. There are no backdoors, not even any accidental bugs.

         

      •  
        Anonymous Coward, Nov 15th, 2013 @ 5:08am

        Re: Re:

        Really?

        > Outlook.com encryption unlocked even before official launch

        > Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new Outlook.com portal

        > The agency already had pre-encryption stage access to email on Outlook.com, including Hotmail;

        > Microsoft also worked with the FBI's Data Intercept Unit to "understand" potential issues with a feature in Outlook.com that allows users to create email aliases

        > Within five months, the documents explain, Microsoft and the FBI had come up with a solution that allowed the NSA to circumvent encryption on Outlook.com chats

        So please, do tell me more about how "secure" Outlook is. As you can see, even if private CA's, Microsoft helped NSA get the data BEFORE being encrypted.

        http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data

         

  •  
    Jay (profile), Nov 15th, 2013 @ 4:23am

    Dumbass Microsoft

    This is a helluva lot bigger than people should be expecting. Microsoft is asking for customers' data on their Xbox One. Now you're telling the same people that if they give their addresses and their other products, that's basically going to harm their reputation.

    There is NO point to get the Xbone. They take money from private marketers to make more money.

    And now you're telling me that as a company, that has multiple products, you can't get your bean counters to work to make the user experience better?

    Microsoft, quit messing up!

     

  •  
    Anonymous Coward, Nov 15th, 2013 @ 4:25am

    Encryption at the transport layer is not a trivial matter depending on the links that connect the DCs. I honestly don't know of even 1 manufacturer that is doing encryption on 100Gb links and it'll probably take a separate ASIC system to handle the load. My guess is that Google engineers designed their applications for end to end encryption at the application layer, but didn't implement it for power savings and well you don't expect the US government to be hacking into US companies....

     

    •  
      Anonymous Coward, Nov 15th, 2013 @ 2:20pm

      Re:

      Agreed about this process being non-trivial.

      Think about how much data they have to transfer between their data centers.

      Then think about what it takes to process (by encryption and decryption) all that data.

      Now think about how much power you need to do all that processing.

      That would be an interesting article just to see the methods and numbers involved.

       

  •  
    Anonymous Coward, Nov 15th, 2013 @ 4:31am

    Microsoft was already giving NSA all the data they needed, pre-encryption, while telling their users that their data is "encrypted and safe". That's the only reason NSA wasn't hacking them like they hacked Google. They didn't need to.

    http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data

     

  •  
    me@me.net, Nov 15th, 2013 @ 4:32am

    Love Google or hate Google

    They are addressing the issue, whereas Microsoft has very likely known about this the entire time and gone along with it. Microsoft once again striking one for its crapfest of a record for security.

    Al Qaeda may be one enemy, the NSA is another.

     

  •  
    James, Nov 15th, 2013 @ 5:05am

    So have we heard from Amazon yet if they collaborate with the NSA, or have protection against their fibre being sniffed?

     

  •  
    out_of_the_blue, Nov 15th, 2013 @ 5:40am

    Years after internet taps were known to me: "Google quickly realized"!

    This is actually one of Mike's pro-Google pieces. Just note the several positive mentions of Google and the spin as I explain:

    "they [Google engineers] claimed the [encrypting] job was done, though Google officially has said it's an ongoing process," -- And so the Google engineers were LYING, as one commenter here pointed out: you just don't put encryption at huge scale into place with one click. [PS: that was ME, kids. You all, including Mike at the time, just swallowed that whole.]

    "Google has been rushing to protect its users privacy" -- BUT until the last few days, was EXACTLY same place as Microsoft! AND we know from the above that first statements from Google about encryption in place were LIES. YET, after exposing here the known lies from Google, Mike goes on to assert that Google is ever so much more trustworthy than Microsoft, because Microsoft hasn't put out any comforting lies. Now, that's spin done the Mike way.

    If Microsoft weren't so evil for so long and so well-known as evil, it'd be difficult to show Google as better in comparison.

    Besides that, Google's business is SPYING! It's a bit difficult to claim it's better for privacy! Mike attempts it, even so!

    Here's this official piece from the globalist Council on Foreign Relations again:

    Privacy Pretense

    How Silicon Valley Helped the NSA

    http://www.foreignaffairs.com/articles/140246/abraham-newman/privacy-pretense


    When you think surveillance or spying or snooping, think Google!

    01:39:01[b-522-1]

     

    •  
      Duncan, Nov 15th, 2013 @ 6:07am

      Re: Years after internet taps were known to me: "Google quickly realized"!

      Hi out_of_the_blue,

      I hope you are able to help me with something, but if not - no worries.

      I see your posts on Techdirt a LOT, and it appears you don't like the site at all. Because of this I am honestly really fascinated to know why you keep visiting. It's difficult for me to understand this, and to help me get some sort of picture of you, can you maybe tell me something about you?

      I'd love to know a few general things like: what job you do, what other sites you visit, how old you are, what you studied, and the reason you keep coming to this site. I'd understand if you're not keen to divulge this - I'm not big on giving details out on the internet either (I studied philosophy but am in IT), but I'd seriously just love to know.

      Regards,
      Duncan

       

      •  
        Anonymous Coward, Nov 15th, 2013 @ 9:39am

        Re: Re: Years after internet taps were known to me: "Google quickly realized"!

        well Duncan, he is probably sick and tired of Masnick's constant abuse of the truth, in support for his precious Goolag that pays him his small wage.

         

    •  
      weneedhelp (profile), Nov 15th, 2013 @ 8:23am

      Re: Years after internet taps were known to me: "Google quickly realized"!

      Ha ha ha at YOU... Blue.
      Blue Bait:
      "It's especially ironic that Microsoft is now admitting that it's not encrypting the data leaks, because the company has been on a rampage trying to present itself as protecting users privacy and that Google is a privacy nightmare. But, given these admissions, Microsoft has now basically said that its made all of your data available to the US government and it's still thinking about what to do about it, while Google has been rushing to protect its users privacy."
      -
      Ha ha ha Blue... YOU got trolled.

       

  •  
    Anonymous Coward, Nov 15th, 2013 @ 5:45am

    then Microsoft needs to close the door securely, not just to the NSA but to all agencies worldwide!
    as if Microsoft hasn't got a bad enough name already. Jeez!

     

  •  
    Anonymous Coward, Nov 15th, 2013 @ 5:50am

    "...Microsoft is now admitting that it's not encrypting the data leaks, ..."

    I see what you did there!

     

  •  
    Me, Nov 15th, 2013 @ 6:57am

    It is all just so stupid of US tech companies....

    I have a *paid* Skydrive folder. While I encrypt what I put in it, it's just not worth it giving my money to a company that willingly and easily allows the NSA to spy on me.

    I have another SpiderOak account that will get my bucks for the next year, not SkyDrive.

     

  •  
    Joseph M. Durnal, Nov 15th, 2013 @ 7:52am

    Encryption should have been standard

    In the e-mail world where I do most of my work, I've been encrypting traffic between internal e-mail servers for many years, STARTTLS isn't a tough concept, internal network or not.

    My employer does more with network than systems, and they've made encryption standard for our customers for many years as well. Anything on the outside of a router that is under our customer's control, would be encrypted. Perhaps it helps that our network guys had a lot of experience in the Telco world and knew better than to trust Verizon, Century Link, AT&T, etc. with our customers' data.

    Of course, as consultants, we pride ourselves in doing the right thing for our customers. We've been skeptical of this whole public cloud thing, explaining exactly these sorts of risks to our customers and letting them choose. Basically, once your data exists on a system you don't control, you cannot assume that your data is secure unless it is encrypted with keys that are not shared with the provider.

     

  •  
    Rekrul, Nov 15th, 2013 @ 10:01am

    Microsoft was always a follower, not a leader.

     

  •  
    Anonymous Coward, Nov 15th, 2013 @ 10:34am

    Of course

    They've already sold out their customers by delaying bugfixes for the NSA so why the hell would you trust them with your data? To say that they're whores of the NSA would be an insult to prostitutes everywhere.

     

  •  
    Anonymous Coward, Nov 15th, 2013 @ 11:00am

    These cheap companies don't want to spend the money on upgrading their servers, to handle the increased processing load encryption causes.

    I imagine when you have a fiber optic line pushing 10Gbps of encrypted traffic, some kind of AES accelerated co-processor is going to be necessary to reduce the load on the server's CPU.

     

  •  
    out_of_the_blue, Nov 15th, 2013 @ 12:28pm

    Well, well. Maybe Mike was offsetting pro-Microsoft "news":

    Microsoft shows off digital-crime-fighting center

    Microsoft offered a glimpse inside its new center that’s devoted to combating cybercrime.

    http://seattletimes.com/html/businesstechnology/2022261760_microsoftcybercrimexml.html.

    ht tp://seattletimes.com/html/businesstechnology/2022261760_microsoftcybercrimexml.html

    So looks like Mike is against "combating cybercrime"! And WHERE is Google's new center, huh?

    [ Note to the innocent who might wander in here: I'm again mocking Mike's actually pro-Google piece disguised under headline having "Microsoft". Of course, actually both mega-corporations are fully co-operating with NSA; "direct" access according to Snowden.]

     

    •  
      AC Unknown (profile), Nov 15th, 2013 @ 4:24pm

      Re: Well, well. Maybe Mike was offsetting pro-Microsoft "news":

      Get off your high horse, Blue. What the NSA is doing WEAKENS CYBER-SECURITY. It does so by placing backdoors into crucial internet services. Do you really think an identity thief would pass up a backdoor placed into a bank by the NSA?

       
