Security
Microsoft, HURTING after NSA backdooring, vows to now
harden its pipe
Snooping
on private messages 'breach of the 4th Amendment'
Microsoft is scrambling to encrypt its data centers'
interlinks – after a fresh Snowden leak suggested the NSA and GCHQ tapped into
the cables and intercepted sensitive network traffic.
Documents obtained by the Washington Post from the
whistleblower show that Microsoft's Hotmail, Windows Live Messenger services
and Passport communications were scanned by software called Monkey Puzzle,
which was developed at the British snooping nerve-center GCHQ.
Reaching into the private unencrypted interlinks
allows both intelligence agencies to effectively spy on Microsoft customers,
and copy their messages and address books, it is claimed.
"These allegations are very disturbing. If they
are true these actions amount to hacking and seizure of private data and in our
view are a breach of the protection guaranteed by the Fourth Amendment to the
Constitution." Brad Smith, Microsoft's general counsel, said in an email
to The Register.
Smith, given his role as a legal eagle, also pointed
out that the documents don't constitute proof per se that the NSA is tapping
into its traffic surreptitiously. But he said the company's engineering teams
will be beefing up security, "including strengthening security against
snooping by governments."
Sources familiar with the matter say Microsoft will
get to work on shielding its network traffic in the coming days, and senior
executives are meeting to discuss the issue and plan a response. The Windows
giant is already smarting from the commercial and reputation hit it has taken
from the PRISM scandal and the latest situation just adds salt to the wound.
One email in Edward Snowden's leaked dossier, dated
November 2009, comes from a developer at GCHQ. It explains how the Monkey
Puzzle software can scoop data from Google, Yahoo! and Microsoft Passport,
saying "the NSA can send us whatever realms they like right now."
Snowden also revealed PowerPoint decks rated top
secret showing that "metadata-rich" address books were downloaded and
stored on multiple databases. One showed the interception of a message on the
now-defunct Windows Live Messenger system.
The news comes a month after another leak from the
globetrotting whistleblower showing that the NSA was doing the same thing with
Google and Yahoo!'s interlinks. One Google engineer was moved to obscenity when
shown the tapping plans, dubbed Project MUSCULAR by the NSA, and El Reg wonders
if Redmond CEO Ballmer is turning the air blue this morning.
Following the October leak, Yahoo! announced it will
begin encrypting its interlinks between data centers, and Google has been doing
so for some time. But Microsoft said it was holding off on such a move as
little as two weeks ago.
Based on the documents released so far, tapping
data-center interlinks appears to occur mostly overseas – where the NSA can
operate solely on presidential say-so alone rather than having to get
permission from the courts. The spooks are also reportedly going through
third-party companies to slurp the data.
"NSA's focus is on targeting the communications
of valid foreign intelligence targets, not on collecting and exploiting a class
of communications or services that would sweep up communications that are not
of bona fide foreign intelligence interest to the US government," the agency
told WaPo in a statement. ®