Windows Vista and the NSA

12:00 pm Tech and Security

The Washington Post is reporting about how Microsoft enlisted the National Security Agency’s help in securing the next version of Windows. Sounds good, huh? Looks like Microsoft is doing everything it can to secure Vista. The NSA is the best-of-best when it comes to this stuff, so who better to turn to, right?

Well, there’s a subtle reason why this is not good, and I believe Bruce Schneier offers a good summary as to why this is:

It’s called the “equities issue.” Basically, the NSA has two roles: eavesdrop on their stuff, and protect our stuff. When both sides use the same stuff — Windows Vista, for example — the agency has to decide whether to exploit vulnerabilities to eavesdrop on their stuff or close the same vulnerabilities to protect our stuff. In its partnership with Microsoft, it could have decided to go either way: to deliberately introduce vulnerabilities that it could exploit, or deliberately harden the OS to protect its own interests.

So, which choice did they make? We’ll probably never know, but given the current administration’s feeling about privacy and warrantless eavesdropping, this whole thing doesn’t make me feel any better about Vista security.

The real irony of the whole thing is that this could make Vista seem more secure, when actually the opposite is true. There’s an old saying in the security field: “No security is better than poor security.” When there’s no security, at least people are cautious with their data. With the “illusion” of security, people tend to act as if they are truly secure.

As a side note, this is an example of why security is so hard to get right. In many ways, true security is counter-intuitive… that’s part of what makes this field so interesting.
