Clash of the Titans! Inside Microsoft’s Battle to Foil the NSA

Mark Russinovich. Photo: Josh Valcarcel/WIRED
After the NSA scandal broke this summer, revealing that the U.S. spy agency was eavesdropping wholesale on the most popular services on the web, Microsoft turned to five or six of its top engineers for help. One of them was Mark Russinovich.
Russinovich is a Microsoft Technical Fellow — a title reserved for the company’s most respected thinkers — and he now works as one of the lead architects of its new-age cloud service, Windows Azure. Before joining Microsoft in 2006, he made his name rooting out unseen flaws in popular computer software, including more than one security hole, and it’s no accident that when the NSA revelations trickled out this summer, Windows Azure was one of the Microsoft online services that was already encrypting data to protect against the sort of snooping the NSA was practicing on a massive scale. It was only natural that Russinovich ended up on the small team of engineers who would decide how Microsoft should respond to the documents leaked by former NSA contractor Edward Snowden.

‘It gave Microsoft a wake-up call, especially the revelation of tapping inter-data-center connections. The tapping of public wires going into a data center? That slide was shocking to me, because it’s just so flagrant’
— Mark Russinovich
“It gave Microsoft a wake-up call, especially the revelation of tapping inter-data-center connections,” Russinovich says, referring to an October Washington Post story that exposed an NSA sketch, or “slide,” showing that the agency is grabbing data from lines that run between the massive computer centers operated by the likes of Google and Yahoo. “The tapping of public wires going into a data center? That slide was shocking to me, because it’s just so flagrant.”
And, yes, he took particular issue with the little smiley face that some NSA staffer had apparently drawn on the slide.
Driven by Russinovich and others, Microsoft soon vowed to encrypt all information that moves between the data centers driving its most popular web services, to encode this information so that it can’t be read by interlopers. This is part of a massive shift among the giants of the web, with Google, Yahoo, and others making similar vows in the wake of the NSA revelations. But Russinovich warns that encryption only gets you so far. There are many other ways for state-sponsored programs to snoop on private web data, and Microsoft must assume that all of them are possible.
Companies such as Microsoft, Google, and Yahoo operate dozens of data centers across the globe, and in many cases, they’ve fashioned these information warehouses so that they can freely copy and move data among disparate locations, using high-speed fiber optic lines. In some cases, they lease these lines from telecom outfits. In others, they own them. But according to Russinovich, both types are vulnerable to eavesdropping. “Even if it’s our own,” he says, “somebody can tap the fiber.”
Russinovich says that he and his fellow Microsoft engineers considered setting up enormous network routers at the edge of each data center that would collect all information and encrypt it before sending it to another facility. But they eventually decided this setup was too costly and, ultimately, too vulnerable. “It’s hugely expensive, because these devices have to encrypt everything,” he says. “But it also creates a single point of weakness for your keys. You’ll essentially have a single key encrypting data.”
Instead, Microsoft will encrypt data every time it passes between the many small services that make up a sweeping online operation such as Windows Azure. In other words, it will encrypt information before it leaves individual servers inside the data center — whether that information is traveling to another data center or not. “You need a more distributed way of handling the problem: Every individual service — whenever it talks to another service — should encrypt that channel,” Russinovich explains. “Then the price for the encryption is paid for with the resources of the individual data centers.”
So, the thousands of servers inside the data center provide the processing power needed to encrypt — “you got all these servers sitting around and they’re not fully utilized anyway. Why not use their CPUs to do the encryption, rather than these monster routers?” — and encryption is spread across many different keys. Matthew Green, an assistant research professor at the Johns Hopkins Information Security Institute who has closely followed the NSA scandal, likes the argument, though he warns that there are still pitfalls.
“It’s a better way, but it’s a little more difficult,” he says. “It requires the right custom software — software that must be installed on every single machine — and it requires some extra computation, which is going to have some impact. Somehow, you have to soak up that burden.”
This is how Azure was operating before the NSA revelations — though it was using a weaker form of encryption. As detailed in a blog post from Microsoft general counsel Brad Smith, the company will now use encryption keys that span 2,048 bits and use “best-in-class industry cryptography.”
Like many other web giants, Microsoft will also encrypt data using what’s called “Perfect Forward Secrecy,” where keys are discarded after they’re used. This means that if attackers gain access to a key, they can’t use it to unlock data they’ve collected in the past.
All this, Smith says in the post, will be in place on Microsoft’s most popular online services by the end of 2014, including Outlook.com, Office 365, SkyDrive, and Windows Azure.
According to another story from The Washington Post, Google is moving toward a similar setup where data is encrypted from “end-to-end,” meaning it’s never transmitted in the clear, even when traveling between machines in the same data center. (A Google spokesperson declined to elaborate on the company’s methods.)
But security researchers warn that companies must be careful with the types of encryption they use and how they use it. Other revelations from Snowden have indicated that the NSA has ways of defeating some encryption systems or slipping backdoors into widely used crypto-technology. “There was a whole bunch of other stuff published in September about encryption devices being subverted and suborned by the NSA,” Green says. “If you’re really trying to build something that’s secure against the NSA, you have a tough road to follow.”
Even Russinovich will tell you that encryption only gets you so far. There are ways the NSA can get at Microsoft’s data without tapping lines between data centers. The possibility remains that the agency could work hand-in-hand with someone inside Microsoft who has access to its services — someone who’s charged with operating machines inside a data center, for instance. This might be someone the agency plants inside the data center or someone the NSA coerces in some way. “An inside threat? That’s the scariest one,” Russinovich says. “They could spear-phish him or blackmail him or maybe he’s just sympathetic to their cause.”
Amid the Snowden revelations, many pundits have also wondered whether the Microsoft brain trust — the people who run the company — have actively worked with the NSA to provide access to data. More than a decade ago, privacy geeks questioned Microsoft’s relationship with the agency when a researcher discovered a variable called “_NSAKEY” buried in the Windows operating system. More recently, Snowden’s leaked documents reportedly show that Microsoft cooperated with the FBI to make sure the government — including the NSA — could access Outlook.com e-mail.
‘There was a whole bunch of other stuff published in September about encryption devices being subverted and suborned by the NSA. If you’re really trying to build something that’s secure against the NSA, you have a tough road to follow’
— Matthew Green
But Russinovich says the NSAKEY controversy was a red-herring, and he believes that Microsoft would only be hurting itself if it cozied up to the NSA. “I can’t say for sure that that hasn’t happened, but I will say that I’m really skeptical that it could. The risk to the business is monumental,” he says. “Without trust, there is no cloud. You’re asking customers to give you their data to manage, and if they don’t trust you, there’s no way they’re going to give it to you. You can screw up trust really easily. You can screw it up just by showing incompetence. But if you show intentional undermining of trust, your business is done.”
Microsoft’s tools aren’t just used by consumers. Cloud services such as Azure are ways for big businesses to store their data and run many of their own online applications, and there’s a real danger that these businesses will retreat into their own data centers if they think Microsoft is exposing their private information.
Green says that, although Microsoft and Google are compelled, by law, to comply with search warrants and national security letters and other court orders, he believes the companies are unlikely to provide unregulated backdoors into their services — at least not now. “These companies are realizing that cloud services are some huge percentage of their future revenue,” he explains, “and they’re saying: ‘We can’t be caught collaborating with the government.’”
As Green says, many companies are already starting to question their use of internet services. But Russinovich argues that the threat to the cloud is greatly exaggerated, citing a story from the IDG News Service in which 20 corporate information officers indicate they will move ahead with efforts to hoist data and applications onto services like Windows Azure.
Russinovich acknowledges that Microsoft is a “juicy target,” because it houses data and software for tens of thousands of customers. “You don’t have to go compromise each one of them,” Russinovich says. “You can compromise lots of them by compromising [cloud] infrastructure.” But that’s why, in the wake of the NSA revelations, Microsoft is taking a new approach to security. As Russinovich puts it, the scandal forced the company to take stock, to start over, to say to itself: “Let’s not assume anything. Let’s take a clean look at what we’re doing and what we should be doing — and make sure we’re doing the right thing, the best thing.” LINK