“The question is, would Microsoft have allowed this?” Lotrionte asks. “That’s what would concern me. The intelligence community will try everything, and I often wonder why companies put themselves at risk. I’m thinking if it was operational use and if they were put on notice, that’s interesting.” Sources knowledgeable about the situation say that Microsoft was not notified and did not provide permission for the operation. “If that happened, it would be the end of the company,” one said. “That’s a gamble nobody [at the company] would take.”
Did Microsoft know about the attack (the portion that allowed windows update to be redirected to a local network replacement, with the certificate hash collision)? Seems not, but some argue that government has obligation to notify the company in a case like this that tampers with trusted infrastructure.
