Thursday, December 5, 2013

Microsoft to harden networks, code against government snooping

from arstechnica.com



Company will show code to prove there are no backdoors and to fight gag orders.

Microsoft's General Counsel Brad Smith meeting with Chinese vice minister of commerce Wang Chao earlier this month. Microsoft is seeking to assure customers like China that it's not handing NSA backdoors to their networks.
Google and Yahoo have already announced measures they are taking to secure user data in the wake of the revelations about the NSA surveillance of their internal networks and of external user Web traffic. Now Microsoft has joined in the trend, moving to expand the company's use of encryption for both its internal and external networks—promising cryptographic protection across the board by the end of 2014.
While Microsoft already encrypts much of its data, the move to be more transparent about measures to protect customer privacy comes as the US cloud industry faces losses of customers. The New York Times reports that Forrester Research projected that US cloud providers could lose as much as a quarter of their revenue—$180 billion—over the next three years as a result of the NSA revelations and a loss of confidence in American IT companies. And Yahoo's moves to protect its data have been largely criticized as too little and much too late, particularly as documents leaked by Edward Snowden showed that the company was at times the largest source of data for NSA surveillance.
Microsoft's announcement goes beyond beefing up its encryption. The company is also seeking to expand the legal measures in place to protect customer data, including doing more to fight gag orders placed on the company that prevent it from notifying customers when it receives FISA warrants or other legal orders associated with their data. And the company is "enhancing the transparency of our software code" to allow customers to verify the absence of backdoors, according to a blog post Wednesday evening by Brad Smith, Microsoft's general counsel and executive vice president for Legal and Corporate Affairs.
"Like many others, we are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures—and in our view, legal processes and protections—in order to surreptitiously collect private customer data," Smith wrote. "If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an 'advanced persistent threat,' alongside sophisticated malware and cyber attacks."
While Smith said there was "no direct evidence" that Microsoft's network had been breached by the NSA or other government agencies, the company is moving to expand its existing encryption efforts to encompass all its software-as-a-service and cloud developer platforms. In many cases, 2048-bit key cryptography is already in use, such as with the Office 365 service and Windows Azure storage. That encryption is applied between Microsoft and its customers and between Microsoft's own data centers. But the entirety of Microsoft's internal and external network communications will use crypto by the end of 2014. Smith added that Microsoft would also encrypt all "customer content" stored on its servers and offer the tools to do the same to developers building applications in the Windows Azure cloud.
Microsoft is also working to encrypt traffic passing between its services and those of other cloud providers—and other Web mail providers in particular—using Transport Layer Security.
The additional transparency promised by Microsoft does not mean that the company will be publishing its source code or giving all customers access to the code for review. Instead, the company will open "transparency centers" worldwide to expand its existing program to allow government customers to review its source code. "We’ll open these centers in Europe, the Americas, and Asia, and we’ll further expand the range of products included in these programs," Smith wrote.
