Feeds

Microsoft, HURTING after NSA backdooring, vows to now harden its pipe

Snooping on private messages 'breach of the 4th Amendment'

Choosing a cloud hosting partner with confidence

Microsoft is scrambling to encrypt its data centers' interlinks – after a fresh Snowden leak suggested the NSA and GCHQ tapped into the cables and intercepted sensitive network traffic.

Documents obtained by the Washington Post from the whistleblower show that Microsoft's Hotmail, Windows Live Messenger services and Passport communications were scanned by software called Monkey Puzzle, which was developed at the British snooping nerve-center GCHQ.

Reaching into the private unencrypted interlinks allows both intelligence agencies to effectively spy on Microsoft customers, and copy their messages and address books, it is claimed.

"These allegations are very disturbing. If they are true these actions amount to hacking and seizure of private data and in our view are a breach of the protection guaranteed by the Fourth Amendment to the Constitution." Brad Smith, Microsoft's general counsel, said in an email to The Register.

Smith, given his role as a legal eagle, also pointed out that the documents don't constitute proof per se that the NSA is tapping into its traffic surreptitiously. But he said the company's engineering teams will be beefing up security, "including strengthening security against snooping by governments."

Sources familiar with the matter say Microsoft will get to work on shielding its network traffic in the coming days, and senior executives are meeting to discuss the issue and plan a response. The Windows giant is already smarting from the commercial and reputation hit it has taken from the PRISM scandal and the latest situation just adds salt to the wound.

One email in Edward Snowden's leaked dossier, dated November 2009, comes from a developer at GCHQ. It explains how the Monkey Puzzle software can scoop data from Google, Yahoo! and Microsoft Passport, saying "the NSA can send us whatever realms they like right now."

Snowden also revealed PowerPoint decks rated top secret showing that "metadata-rich" address books were downloaded and stored on multiple databases. One showed the interception of a message on the now-defunct Windows Live Messenger system.

The news comes a month after another leak from the globetrotting whistleblower showing that the NSA was doing the same thing with Google and Yahoo!'s interlinks. One Google engineer was moved to obscenity when shown the tapping plans, dubbed Project MUSCULAR by the NSA, and El Reg wonders if Redmond CEO Ballmer is turning the air blue this morning.

Following the October leak, Yahoo! announced it will begin encrypting its interlinks between data centers, and Google has been doing so for some time. But Microsoft said it was holding off on such a move as little as two weeks ago.

Based on the documents released so far, tapping data-center interlinks appears to occur mostly overseas – where the NSA can operate solely on presidential say-so alone rather than having to get permission from the courts. The spooks are also reportedly going through third-party companies to slurp the data.

"NSA's focus is on targeting the communications of valid foreign intelligence targets, not on collecting and exploiting a class of communications or services that would sweep up communications that are not of bona fide foreign intelligence interest to the US government," the agency told WaPo in a statement. ®

Beginner's guide to SSL certificates

More from The Register

next story
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.