July 27, 2013

How Microsoft handed the NSA access to encrypted messages

 

• Secret files show scale of Silicon Valley co-operation on Prism
• Outlook.com encryption unlocked even before official launch
• Skype worked to enable Prism collection of video calls
• Company says it is legally compelled to comply

 
 
Skype logo

Skype worked with intelligence agencies last year to allow Prism to collect video and audio conversations. Photograph: Patrick Sinkel/AP

Microsoft has collaborated closely with US intelligence services to allow users’ communications to be intercepted, including helping the National Security Agency to circumvent the company’s own encryption, according to top-secret documents obtained by the Guardian.

The files provided by Edward Snowden illustrate the scale of co-operation between Silicon Valley and the intelligence agencies over the last three years. They also shed new light on the workings of the top-secret Prism program, which was disclosed by the Guardian and the Washington Post last month.

The documents show that:

• Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new Outlook.com portal;

• The agency already had pre-encryption stage access to email on Outlook.com, including Hotmail;

• The company worked with the FBI this year to allow the NSA easier access via Prism to its cloud storage service SkyDrive, which now has more than 250 million users worldwide;

• Microsoft also worked with the FBI’s Data Intercept Unit to “understand” potential issues with a feature in Outlook.com that allows users to create email aliases;

• In July last year, nine months after Microsoft bought Skype, the NSA boasted that a new capability had tripled the amount of Skype video calls being collected through Prism;

• Material collected through Prism is routinely shared with the FBI and CIA, with one NSA document describing the program as a “team sport”.

The latest NSA revelations further expose the tensions between Silicon Valley and the Obama administration. All the major tech firms are lobbying the government to allow them to disclose more fully the extent and nature of their co-operation with the NSA to meet their customers’ privacy concerns. Privately, tech executives are at pains to distance themselves from claims of collaboration and teamwork given by the NSA documents, and insist the process is driven by legal compulsion.

In a statement, Microsoft said: “When we upgrade or update products we aren’t absolved from the need to comply with existing or future lawful demands.” The company reiterated its argument that it provides customer data “only in response to government demands and we only ever comply with orders for requests about specific accounts or identifiers”.

In June, the Guardian revealed that the NSA claimed to have “direct access” through the Prism program to the systems of many major internet companies, including Microsoft, Skype, Apple, Google, Facebook and Yahoo.

Blanket orders from the secret surveillance court allow these communications to be collected without an individual warrant if the NSA operative has a 51% belief that the target is not a US citizen and is not on US soil at the time. Targeting US citizens does require an individual warrant, but the NSA is able to collect Americans’ communications without a warrant if the target is a foreign national located overseas.

Since Prism’s existence became public, Microsoft and the other companies listed on the NSA documents as providers have denied all knowledge of the program and insisted that the intelligence agencies do not have back doors into their systems.

Microsoft’s latest marketing campaign, launched in April, emphasizes its commitment to privacy with the slogan: “Your privacy is our priority.”

Similarly, Skype’s privacy policy states: “Skype is committed to respecting your privacy and the confidentiality of your personal data, traffic data and communications content.”

But internal NSA newsletters, marked top secret, suggest the co-operation between the intelligence community and the companies is deep and ongoing.

The latest documents come from the NSA’s Special Source Operations (SSO) division, described by Snowden as the “crown jewel” of the agency. It is responsible for all programs aimed at US communications systems through corporate partnerships such as Prism.

The files show that the NSA became concerned about the interception of encrypted chats on Microsoft’s Outlook.com portal from the moment the company began testing the service in July last year.

Within five months, the documents explain, Microsoft and the FBI had come up with a solution that allowed the NSA to circumvent encryption on Outlook.com chats

A newsletter entry dated 26 December 2012 states: “MS [Microsoft], working with the FBI, developed a surveillance capability to deal” with the issue. “These solutions were successfully tested and went live 12 Dec 2012.”

Two months later, in February this year, Microsoft officially launched the Outlook.com portal.

Another newsletter entry stated that NSA already had pre-encryption access to Outlook email. “For Prism collection against Hotmail, Live, and Outlook.com emails will be unaffected because Prism collects this data prior to encryption.”

Microsoft’s co-operation was not limited to Outlook.com. An entry dated 8 April 2013 describes how the company worked “for many months” with the FBI – which acts as the liaison between the intelligence agencies and Silicon Valley on Prism – to allow Prism access without separate authorization to its cloud storage service SkyDrive.

The document describes how this access “means that analysts will no longer have to make a special request to SSO for this – a process step that many analysts may not have known about”.

The NSA explained that “this new capability will result in a much more complete and timely collection response”. It continued: “This success is the result of the FBI working for many months with Microsoft to get this tasking and collection solution established.”

A separate entry identified another area for collaboration. “The FBI Data Intercept Technology Unit (DITU) team is working with Microsoft to understand an additional feature in Outlook.com which allows users to create email aliases, which may affect our tasking processes.”

The NSA has devoted substantial efforts in the last two years to work with Microsoft to ensure increased access to Skype, which has an estimated 663 million global users.

One document boasts that Prism monitoring of Skype video production has roughly tripled since a new capability was added on 14 July 2012. “The audio portions of these sessions have been processed correctly all along, but without the accompanying video. Now, analysts will have the complete ‘picture’,” it says.

Eight months before being bought by Microsoft, Skype joined the Prism program in February 2011.

According to the NSA documents, work had begun on smoothly integrating Skype into Prism in November 2010, but it was not until 4 February 2011 that the company was served with a directive to comply signed by the attorney general.

The NSA was able to start tasking Skype communications the following day, and collection began on 6 February. “Feedback indicated that a collected Skype call was very clear and the metadata looked complete,” the document stated, praising the co-operation between NSA teams and the FBI. “Collaborative teamwork was the key to the successful addition of another provider to the Prism system.”

ACLU technology expert Chris Soghoian said the revelations would surprise many Skype users. “In the past, Skype made affirmative promises to users about their inability to perform wiretaps,” he said. “It’s hard to square Microsoft’s secret collaboration with the NSA with its high-profile efforts to compete on privacy with Google.”

The information the NSA collects from Prism is routinely shared with both the FBI and CIA. A 3 August 2012 newsletter describes how the NSA has recently expanded sharing with the other two agencies.

The NSA, the entry reveals, has even automated the sharing of aspects of Prism, using software that “enables our partners to see which selectors [search terms] the National Security Agency has tasked to Prism”.

The document continues: “The FBI and CIA then can request a copy of Prism collection of any selector…” As a result, the author notes: “these two activities underscore the point that Prism is a team sport!”

In its statement to the Guardian, Microsoft said:

We have clear principles which guide the response across our entire company to government demands for customer information for both law enforcement and national security issues. First, we take our commitments to our customers and to compliance with applicable law very seriously, so we provide customer data only in response to legal processes.

Second, our compliance team examines all demands very closely, and we reject them if we believe they aren’t valid. Third, we only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks, as the volumes documented in our most recent disclosure clearly illustrate.

Finally when we upgrade or update products legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request. There are aspects of this debate that we wish we were able to discuss more freely. That’s why we’ve argued for additional transparency that would help everyone understand and debate these important issues.

In a joint statement, Shawn Turner, spokesman for the director of National Intelligence, and Judith Emmel, spokeswoman for the NSA, said:

The articles describe court-ordered surveillance – and a US company’s efforts to comply with these legally mandated requirements. The US operates its programs under a strict oversight regime, with careful monitoring by the courts, Congress and the Director of National Intelligence. Not all countries have equivalent oversight requirements to protect civil liberties and privacy.

They added: “In practice, US companies put energy, focus and commitment into consistently protecting the privacy of their customers around the world, while meeting their obligations under the laws of the US and other countries in which they operate.”

• This article was amended on 11 July 2013 to reflect information from Microsoft that it did not make any changes to Skype to allow Prism collection on or around July 2012.

Permalink • Print • Comment

July 25, 2011

Trillian – version 5

Click here to download Trillian v5.x!

Permalink • Print • Comment

June 2, 2011

10 add-ins that make Outlook easier to use

May 26, 2011, 8:00 AM PDT

Takeaway: If you can’t do something in Outlook, chances are there’s an add-in that can. Susan Harkins lists some handy add-ins that close a few feature gaps.

Outlook is a winner in the add-in department, with so many good ones available. Of course, not all add-ins deliver on their promises — and some slow down an already performance-challenged program. But there are plenty of Outlook add-ins that expand functionality or enhance existing features. Here are 10 of my favorites.

 

1: RecoverMyEmail

Outlook is a great management tool, but it’s prone to corruption errors. Usually, a corrupt PST file is the culprit, and the result is lost information. If you’re lucky, Microsoft’s pst repair tool can recover everything. But in my experience, it doesn’t.

 

RecoverMyEmail can repair a broken PST (and DBX) file and recover emails. Figure A shows the add-in at work; the process can take a while. This add-in can also undelete email after you’ve emptied your Deleted Items folder. It’s easy to implement and use. Unfortunately, it won’t recover or undelete anything but email items. You’ll have to look elsewhere for help recovering contacts and calendar items.

Click Open Email File to start the recovery process.
  • Windows 2000, XP, 2003, and Vista
  • Outlook 2000, 2002, 2003, and 2007 (and Outlook Express)
  • $99.95
  • Free trial

2: E-mail Follow-up

Outlook lets you assign a reminder when you send email and then adds the reminder to your To-do list. If you need more (like me), try E-mail Follow-up. This add-in lets you set a response time when you send an email, as shown in Figure B. If the recipient doesn’t respond within the allotted time, the add-in will remind you that you’re still waiting on a response.

 

Set a response time and let E-mail Follow-up do the remembering for you.
  • Windows 2000, XP, 2003, Vista, and 7
  • Outlook 2000, XP, 2003, 2007, and 2010
  • $24 (single user) up to $1200 (for 100 users)
  • Free trial

3: Lookeen

Despite improvements in Outlook’s search features, many users are still turning to Lookeen. It quickly finds Outlook items, email, contacts, appointments, and so on, that contain your search string. Even attachments are searched. Results are easy to work with and provide an additional management tool for previewing, moving, and deleting.

 

Type in the search string and Lookeen finds every item that contains that string.
  • Windows XP, Vista, and 7
  • Outlook 2003, 2007, and 2010
  • $39.80 (single user) with volume discount
  • Free trial

4: Xobni

It happens to all of us: I know John changed the meeting time after Mary said she couldn’t make it… but you can’t find the message with the new time. And when you finally find it, you realize that John’s assistant, and not John, responded with the new time. Xobni works alongside your mail window to display recent conversations, exchanged files (Figure D), and related emails from people in the copy line. You can also view statistics and graphs that will tell you about your email habits.

 

View people and attached files related to a specific email.
  • Windows XP, Vista, and 7
  • Outlook 2003, 2007, and 2010
  • $7.99 a month
  • Free trial

5: SimplyFile

Despite my best efforts, my Inbox stays crowded. I can drag messages to categorized folders, but I have many folders and I’m good at dropping messages into the wrong folder. SimplyFile does what Outlook does, but a bit more efficiently. After a little training (SimplyFile, not you), a single click to the SimplyFile group, shown in Figure E, will move messages. As you use this add-in, its ability to choose the right folder improves. (This add-in doesn’t support Google Docs and has known issues with Gmail.)

 

With SimplyFile, filing is a single click away.
  • Windows XP, Vista, and 7
  • Outlook 2003, 2007, and 2010
  • $49.95
  • Free trial

6: Email Scheduler

Outlook offers a bare-bones scheduling feature. You specify a day and time, and Outlook won’t send the message before the allotted time. If you’re scheduling messages frequently, you’ll probably want more options. Email Scheduler fully automates scheduling delayed messages and sending messages. You can attach files and even whole folders. Although this is a handy add-in, be sure to check its restrictions before purchasing — it doesn’t work with Outlook Express or Exchange Client.

  • Windows 2000, XP, 2003, Vista, and 7
  • Outlook 2000, XP, 2003, and 2007
  • $24 (single user) up to $1200 (100 users)
  • Free trial

7: Sent Item Organizer

Occasionally, I run into an add-in that doesn’t add functionality, it just lets me do what I want to do more efficiently. Sent Item Organizer lets your organize your sent messages by filing them in specific folders. This add-in is more flexible than Outlook’s built-in rules. You can use keywords or email addresses to trigger the move. This add-in is also good for users who need more control but are unfamiliar with Outlook features.

  • Windows XP, Vista, and 7
  • Outlook 2000, XP, 2003, 2007, and 2010
  • $29.95
  • Free trial

8: Easy2Add

The coolest stuff comes sometimes comes in the smallest package. Easy2Add displays a small icon in your task tray. When you want to add a new item to Outlook, click the icon and enter the item. That’s all you see, but behind the scenes, it creates a new item in Outlook even if Outlook is closed. Want to add a quick lunch meeting? You don’t have to launch Outlook and wait for all those add-ins to load — just use Easy2Add, enter the details (Figure F), and you’re done. You’ll have to follow a few rules about the text you enter, but they’re simple. (Note: The documentation doesn’t list Outlook 2010, but so far, so good; just keep that in mind if you use it with 2010.)

 

Enter item details without launching Outlook.
  • Windows XP and Vista
  • Outlook 2002, 2003, and 2007
  • Free

9: PocketKnife Peek

PocketKnife Peek lets you view HTML messages in plain text without the potential danger of executing a malicious script. After installing this add-in, you’ll find a Peek button on the standard toolbar in Outlook 2000 through 2007. In Outlook 2010, it’s on the Add-In tab. Select the email item and click Peek. Figure G shows an issue of the Office For Mere Mortals newsletter in plain text. (No, I wasn’t really worried about the newsletter. OfMM has been around for ages and is clean and informative!

 

Click the tabs to view an HTML email in plain text.
  • Windows XP, Vista, and 7
  • Outlook 2000, XP, 2003, 2007, and 2010
  • Free

10: SMS

Microsoft’s SMS add-in lets you send SMS text messages through most mobile phones. In addition, you can save a draft, send to groups, print the SMS, and forward a message as SMS or email. You can lookup contacts and use Spellcheck. Connect your mobile phone via Infrared, Bluetooth, or even a USB cable and you’re ready to go.

  • Windows Server 2003, XP, Vista
  • Outlook 2003 and 2007
  • Free
Permalink • Print • Comment

Nine guidelines for writing effective email messages

May 26, 2011, 11:02 AM PDT

Takeaway: If you want people to pay more attention to your email, perhaps you should pay more attention to your email!

In elementary school, we learned how to compose a business letter by including the date, a return address, a greeting, and so on. Those rules still serve us well for letters. Unfortunately, there are no such guidelines for email.

We want recipients of our email to treat our message seriously, yet we often give little thought to the message we send, because it’s quick and easy, at least from a technical perspective. It’s up to us to apply common sense and good taste to the messages we send. Here are a few guidelines you might find helpful, whether you’re using Outlook, Outlook Express, or a web client:

  • Keep it brief: I never make it through a long email. I find myself scanning, and I miss important details. You’re not writing a book or a love letter, you’re sharing information. Share the information and move on. If you write more than two or three paragraphs, a face-to-face meeting or conference call might be better.
  • Include a succinct subject: Long subject lines are as bad as no subject at all. Pinpoint a few keywords that convey the email’s purpose.
  • Check your spelling and grammar: Your email client has tools for checking your spelling and grammar so use them. Many people are sensitive to misspelled words and poor grammar. They see it as a lack of concern. If you don’t care, why should they?
  • Don’t use emoticons and acronyms: Emoticons and acronyms are fine for personal email, but don’t use them in your professional correspondence.
  • Don’t use ALL CAPS: ALL CAPS is the email equivalent of angry shouting. You wouldn’t use ALL CAPS in a professional letter, so don’t use them in email.
  • Limit copies: Only copy those who absolutely need to be in the loop. Otherwise, colleagues will start ignoring your email.
  • Greet your recipients: Use a short greeting to acknowledge your reader; include their name if you can.
  • Include a closing: Let the reader know you’re done by including a complimentary closing and signature.
  • Retain the thread: When responding to an email, include previous messages and add your response to the top. That way, the recipient is privy to all the information that you already have.

In short, show some courtesy and don’t take your reader for granted.

Permalink • Print • Comment

May 29, 2011

Your email address says more about you than you think

It sounds simple enough, but I do worry that many of my generation don’t quite see things from a prospective employer’s perspective. I can, in all honesty, because to me an email address guarantees somebody’s relationship with a company, and can be used to prove an identity on behalf of an organisation.

Email has not gone out of fashion with the younger generation. Devices such as the iPhone and the BlackBerry have brought email directly into the hands of already-digitised young adults. Social networking increases, but email has remained steady and will increase exponentially throughout their university timeline – and onto their careerpath.

It’s the first thing they see

But more often than not, when you apply for a job, your name won’t stick out but your email address will. It’s the first public information they will see and first impressions count more than most would lead you to believe.

Email addresses can be used like social statuses. To have a *.gov.* email address signifies political importance, whereas certain *.edu addresses can automatically show academic credit. The domain you use shows who you are and what you do. If you’ve worked hard to get to the position where you have such an email address, then use it to your advantage.

Your email can pre-determine the outcome

There is no doubt you would have experienced the, “oh, you only go to Yale? Yah, darling, I go to Harvard Law” (and it by no means just applies to the products you use or buy). My university is a world leader in criminology and my degree will be far more in credit than its counterpart degree from Oxford, but Oxford has an international name for itself and trumps pretty much every other university in our meager little country.

Email addresses are the same. My *@kent.ac.uk email address may not compare to one of *@harvard.edu but it will. Harvard will take precedent over Kent, UCL or even NYU and Yale. It’s not to say everyone will act in the same way towards a person’s academic institution; but the one point of information will increase your chances.

It’s a university email address. That automatically shows a level of education that so many still don’t achieve. Any email address associated with a university or academic institution by *.ac.* or *.edu makes you look good from the word go. It can tell a lot about you without having to say a word.

But if you graduate from a lesser-to-a-higher institution such as NYU to post-graduate study at Harvard, use the Harvard email address when sending your resume. It looks better from the start, but don’t miss anything off your resume. The person about to employ you might have graduated at NYU themselves, for example.

Personal email accounts just look trashy

But they do!? The Oatmeal has a hilarious yet true insight into how email addresses translate your computer literacy. I agree in that Gmail accounts do look best from a personal perspective, and Hotmail does look a little bit “I still go on MySpace”, but as I’ve said before, if you wish to overcome the *@hotmail.com stigma but still use the service – get a *@live.com or *@live.co.* address which can also signify your citizenship status (ie. *@live.co.ca for Canada).

Seeing as your email address can identify who you are and who you work for, or rather which organisation or institution you are associated with, those with their own-domain could be at an advantage if you are trying to make an impression.

But your own discretion is important. Identify who you want to work for, the type of people you are applying to, and which account you should use. It does make a difference, and it takes an element of common sense and third-person perspective to determine which email address to use.

And one last thought; if you are using your work email address to pursue other employment opportunities, make sure your current employer cannot read your email. It’s happened, and people can end up losing out altogether.

Permalink • Print • Comment
Next Page »
Made with WordPress and an easy to use WordPress theme • Sky Gold skin by Denis de Bernardy