Microsoft Said To Give Zero Day Exploits To US Government Before It Patches Them
from the whoa dept
Bloomberg came out with quite a bombshell last night, discussing how lots of tech companies apparently work with the NSA and other government agencies, not to pass data on users over to the government, but to share exploit information, sometimes before it’s public or patched — in some cases so it can be useful for the US government to use proactively. Last month, we had written about how the feds were certainly collecting hacks and vulnerabilities for offensive purposes, but it wasn’t clear at the time that some of these exploits were coming directly from the companies themselves.
The report names one major participant: Microsoft:
Microsoft Corp. (MSFT), the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.
Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn’t ask and can’t be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.
That’s fairly incredible. You’d expect Microsoft and other tech companies to be focused on fixing the bugs first, not letting the NSA exploit the vulnerabilities on foreign computers.
The same report, once again, implicates the big telcos for their cushy relationship with the intelligence community — in which the telcos willingly and voluntarily hand over massive amounts of user data. There’s no oversight here, because the telcos apparently have no problem dismantling the privacy of their users.
Some U.S. telecommunications companies willingly provide intelligence agencies with access to facilities and data offshore that would require a judge’s order if it were done in the U.S., one of the four people said.
In these cases, no oversight is necessary under the Foreign Intelligence Surveillance Act, and companies are providing the information voluntarily.
The article later notes that the big telcos — AT&T, Verizon, Sprint, Level3 and CenturyLink — have all agreed to participate in a program called Einstein 3, which analyzes metadata on emails, but that all of the companies asked for and received assurances that participating wouldn’t make them liable for violating wiretapping laws.
Before they agreed to install the system on their networks, some of the five major Internet companies — AT&T Inc. (T), Verizon Communications Inc. (VZ), Sprint Nextel Corp. (S), Level 3 Communications Inc. (LVLT) and CenturyLink Inc. (CTL) — asked for guarantees that they wouldn’t be held liable under U.S. wiretap laws. Those companies that asked received a letter signed by the U.S. attorney general indicating such exposure didn’t meet the legal definition of a wiretap and granting them immunity from civil lawsuits, the person said.
Suddenly the “blanket immunity” clauses in CISPA make a lot of sense. The whole point of CISPA, it appears, is to further protect these companies when this kind of information comes out.