A lot of information regarding the National Security Agency (NSA) has come to light in the last few weeks, but none of the information we’ve seen so far has been as disturbing as this:
The National Security Agency (NSA) has used sensitive data on network threats and other classified information as a carrot to gain unprecedented access to information from thousands of companies in technology, telecommunications, financial, and manufacturing companies, according to a report by Michael Riley of Bloomberg. And that data includes information on “zero-day” security threats from Microsoft and other software companies, according to anonymous sources familiar with the data-swapping program.
In the security industry this is what we would call bad news. Having early access to otherwise unknown zero-day exploits would give the NSA a window of opportunity to attack systems before the owners knew a problem existed. Effectively, the NSA could do anything from taking down a network controlled by Microsoft systems to installing back doors into networks controlled by Microsoft systems. Beyond receiving information regarding zero-day exploits, the NSA may have even more influence over Microsoft.
This information, combined with the information that Microsoft was the first company to sign onto the PRISM system, makes me wonder how much influence the NSA has over that company. Could the NSA convince Microsoft to hold back patches that fix exploits that the NSA is currently using to attack systems?
I’m also curious how many other companies are giving this type of preferential treatment to the NSA. Is Apple giving the NSA information regarding exploits? Are the lead developers of Linux? Things could become very interesting in the next couple of weeks.