[Infowarrior] - Microsoft involves NSA on Vista security

[Richard Forno]

For Windows Vista Security, Microsoft Called in Pros

By Alec Klein and Ellen Nakashima
Washington Post Staff Writers
Tuesday, January 9, 2007; D01
http://www.washingtonpost.com/wp-dyn/content/article/2007/01/08/AR2007010801
352_pf.html

When Microsoft introduces its long-awaited Windows Vista operating system
this month, it will have an unlikely partner to thank for making its
flagship product safe and secure for millions of computer users across the
world: the National Security Agency.

For the first time, the giant software maker is acknowledging the help of
the secretive agency, better known for eavesdropping on foreign officials
and, more recently, U.S. citizens as part of the Bush administration's
effort to combat terrorism. The agency said it has helped in the development
of the security of Microsoft's new operating system -- the brains of a
computer -- to protect it from worms, Trojan horses and other insidious
computer attackers.

"Our intention is to help everyone with security," Tony W. Sager, the NSA's
chief of vulnerability analysis and operations group, said yesterday.

The NSA's impact may be felt widely. Windows commands more than 90 percent
of the worldwide market share in desktop operating systems, and Vista, which
is set to be released to consumers Jan. 30, is expected to be used by more
than 600 million computer users by 2010, according to Al Gillen, an analyst
at market research firm International Data.

Microsoft has not promoted the NSA's contributions, mentioning on its Web
site the agency's role only at the end of its "Windows Vista Security
Guide," which states that the "guide is not intended for home users" but for
information and security specialists.

The Redmond, Wash., software maker declined to be specific about the
contributions the NSA made to secure the Windows operating system.

The NSA also declined to be specific but said it used two groups -- a "red
team" and a "blue team" -- to test Vista's security. The red team, for
instance, posed as "the determined, technically competent adversary" to
disrupt, corrupt or steal information. "They pretend to be bad guys," Sager
said. The blue team helped Defense Department system administrators with
Vista's configuration .

Microsoft said this is not the first time it has sought help from the NSA.
For about four years, Microsoft has tapped the spy agency for security
expertise in reviewing its operating systems, including the Windows XP
consumer version and the Windows Server 2003 for corporate customers.

With hundreds of thousands of Defense Department employees using Microsoft's
software, the NSA realizes that it's in its own interest to make the product
as secure as possible. "It's partly a recognition that this is a commercial
world," Sager said. "Our customers have spoken."

Microsoft also has sought the security expertise of other U.S. government
and international entities, including NATO. "I cannot mention any of the
other international agencies," said Donald R. Armstrong, senior program
manager of Microsoft's government security program, citing the wishes of
those agencies to remain anonymous.

Microsoft's concerns extend beyond the welfare of its software when it seeks
the security expertise of government agencies. "When you get into an
environment where a Microsoft product is used in a battlefield situation or
a government situation where if a system is compromised, identities could be
found out," and it could be a matter of life and death, Armstrong said.

Other software makers have turned to government agencies for security
advice, including Apple, which makes the Mac OS X operating system. "We work
with a number of U.S. government agencies on Mac OS X security and
collaborated with the NSA on the Mac OS X security configuration guide,"
said Apple spokesman Anuj Nayar in an e-mail.

Novell, which sells a Linux-based operating system, also works with
government agencies on software security issues, spokesman Bruce Lowry said
in an e-mail, "but we're not in a position to go into specifics of the who,
what, when types of questions."

The NSA declined to comment on its security work with other software firms,
but Sager said Microsoft is the only one "with this kind of relationship at
this point where there's an acknowledgment publicly."

The NSA, which provided its service free, said it was Microsoft's idea to
acknowledge the spy agency's role.

The NSA's primary mission is signals intelligence -- monitoring the
communications of foreign powers, terrorists and others. But its secondary
objection is "information assurance," under which the security of
Microsoft's operating system falls.

Industry observers suggest that both the NSA and Microsoft have good reason
to disclose their relationship. For Microsoft, the NSA's imprimatur may be
viewed as a vote of confidence in the operating system's security.

"I kind of call it a Good Housekeeping seal" of approval, said Michael
Cherry, a former Windows program manager who now analyzes the product for
Directions on Microsoft, a firm that tracks the software maker.

Cherry says the NSA's involvement can help counter the perception that
Windows is not entirely secure and help create a perception that Microsoft
has solved the security problems that have plagued it in the past.
"Microsoft also wants to make the case that [the new Windows] more secure
than its earlier versions," he said.

Armstrong, the Microsoft manager, said: "The entire crux of Vista was
security. . . . Security is at the forefront of our thoughts and our methods
in developments and is critically important to our customers."