Earlier this month the NYT ran a story detailing two years worth of investigations during which a range of U.S. officials, including, eventually, President Obama, confirmed the U.S. had been involved in writing the Stuxnet and Flame malware and siccing them on Iran.
That's far from conclusive proof that the NSA has moved its nonexistent offices to Redmond, Wash. It doesn't rule it out either, however.
Very few malware writers are able to write such clean code that can install on a variety of hardware systems, assess their new environments and download the modules they need to successfully compromise a new network, Kaspersky researchers said.
Stuxnet and Flame are able to do all these things and to get their own updates through Windows Update using a faked Windows Update security certificate.
No other malware writer, hacker or end user has been able to do that before. Knowing it happened this time makes it more apparent that the malware writers know what they are doing and know Microsoft code inside and out.
That's still no evidence that Microsoft could be or has been infiltrated by spies from the U.S. or from other countries.
It does make sense, but so do a lot of conspiracy theories.
Until there's some solid indication Flame came from inside Microsoft, not outside, it's probably safer to write off this string of associative evidence.
Even in his own blog, Hypponen makes fun of those who make fun of Flame as ineffective and unremarkable, but doesn't actually suggest moles at Microsoft are to blame.
In the end it doesn't really matter. The faked certificates and ride-along on Windows Update demonstrate the malware writers have compromised the core software development operations at Microsoft. They don't have to live there to do it; virtual compromise on the code itself would do the job more effectively than putting warm bodied programmers in the middle of highly competitive, highly intelligent, socially awkward Microsofties with a habit of asking the wrong question and insisting on an answer.
The risk of having any such infiltration discovered is far too high to expose the cyberwar version of Seal Team Six to the perils of Redmond.