This is old news, but still, everyone should be aware of it. And on a theoretical basis, the co-creator of UNIX, Ken Thompson wrote a paper on which he explains that it is possible to add a backdoor to a closed source compiler and when you first compile any other compiler (e.g. GCC), any concequent compiles from this new compiler, would include the backdoor by default. Pessimistic thought of the day: nothing is safe. Neither Windows or Unix. I wonder how “safe” the Security-Enhanced Linux from NSA is. It might secure you from others, but does it secure you from NSA itself? ;P Update: More info here (Ms reply on the issue) and here.
NSA Backdoor Key Into All MS OSes Since WIN95 OSR1
About The Author
Eugenia Loli
Ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.
Follow me on Twitter @EugeniaLoli
The title suggests the answer.
To those who would violate others privacy, by all means
show them your backdoor.
That is better than they deserve.
The U.S. government seems to be playing both sides of the fence. Some organizations within it have written papers encouraging the use of more open source software in government. The NSA even released those security enhancements for Linux. Yet open source would make adding a backdoor to the operating system easier to detect.
They want to protect the countries infrastructure from attacks, yet gather intelligence about its citizens and other nations. Windows has steadily been getting better over the years and the NSA itself probably knows how to properly secure it, so maybe they’ll be able to have it both ways.
This is just one more example of the stupid thing that microsoft does, and the evil things that government does.
This makes me so mad.
I hope I don’t “disapear” now.
Ok so how what can we use to stop this cold? The key changing page is (figures) offline.
The article about the existence of the “nsakey” is indeed old, and it was later revealed by other news articles that the variable holding the second key was called “nsakey” because it was suggested by NSA security auditors during a source code review. The suggestion was that Microsoft have a backup key in case MS’s primary key had to be revoked and they needed a way to deploy new versions of the ADVAPI32.DLL library. The second key (the “nsakey”) is indeed posessed only by Microsoft (not the NSA at all), and is locked away for the strict purpose of such a worst-case scenario use.
And in other news… don’t open any email with the subject “Good Times” or your hard drive will be erased! The moon landing was a hoax! Elvis and Michael Jackson have 800-pound alien baby!
NSAKEY, come on. This was dismissed as paranoid bullshit years ago by people who actually think about this stuff.
http://www.counterpane.com/crypto-gram-9909.html#NSAKeyinMicrosoftC…
The compiler backdoor wasn’t “on a theoretical basis”; it’s been done, and Ken Thompson did it himself, providing a login backdoor in early implementations of Unix. The little blurb you linked to even refers to that. Read the paper for more info:
http://www.wbglinks.net/pages/reads/hacksexplained/thompson.html
It was initially compiled by some other compiler, wasn’t it?
The http://www.cryptonym.com/ site isn’t just “down”. It says “This page was left blank intentionally.”. Nothing even shows what webserver software it is, even on 404’s, etc.
I’m sure it’s some sort of coincidence, but that’s the strangest way for a site to be down that I’ve ever seen.
Wether or not this particular case was a hoax or misunderstanding , with Ms’ connections I’d be seriously surprised if Windows didn’t have a backdoor (in case of global thermo-nucleair war or something.)
Besides isn’t it illegal to export strongly encrypted & protected software from the US ? This obviously doesn’t include Windows then 😉
gcc is safe. It self-hosts itself from a minimal stub in assembly, and then uses that to compile the actual gcc binary.
For a fun afternoon, try boot strapping an initial system – bringing up the tool chain, the compiler, and the C library… real interesting, because everything depends on everything else.
If it wasn’t safe, some dedicated and resourceful hacker would’ve already combed through the assembly and found the offending instructions, thereby indelibly imprinting their name into the all-time linux hacker hall of fame.
🙂
NSA Backdoor Key Into All MS OSes Since WIN95 OSR1
You claim this like it’s a huge revelation. First off, it’s not confirmed exactly what NSA_KEY is there for and if it was, you’d have to have some pretty hardcore evidence before making a claim like that. Second, the scant evidence that this might be the case is not even close to new.
May as well put up the headline “Microsoft Ditches Windows For Linux” and then in your first sentence say “Well, not quite, but some people who work at MS use linux.”
Don’t sensationalize your headlines. It cheapens the site in a really bad way.
>You claim this like it’s a huge revelation.
This headline is not mine. It is Wade Gilbreath’s, the submitter of this news story.
That Ken Thompson article (which is brilliant, BTW) basically says that ANY program you use that you didn’t hand-code in assembler is vulnerable to manipulation by an outside party. And with modern CPU’s being what they are, that might not even save you as trojans could be in the microcode where you can’t reach them AT ALL. So -NOTHING- is safe. GCC might be trojaned by the EFF, which would make even OpenBSD vulnerable. It’s scary, but it’s also meaningless because 1) it’s 100% pervasive and 2) there really isn’t anything you can realistically do to protect yourself from it.
Mountain out of a molehill. Yes, we could all die from a black hole ripping through our solar system, but since there’s nothing we can do about it, why don’t you NOT post at article about it to generate traffic.
And finally, saying “more info here” and linking to a google search for a single, VERY OBVIOUS keyword is a serious insult to your readers.
At the time NT3.1 and 3.5 was out (W95 wasn’t released yet) 128Bit encryption was an optional package and not available outside the USA. With Win95 and the following consumer Windows versions (98/SE/ME etc…) and with NT4 and the following prof. Windows versions (2k/XP) 128Bit encryption was available worldwide.
This fact leads me to the conclusion that they (MS & US Government) had done something to the OSes so that they don’t care about enrcyption anymore.
Means: They can read what they want.
Regards,
Ralf.
> And finally, saying “more info here” and linking to a google search for a single, VERY OBVIOUS keyword is a serious insult to your readers.
Why don’t you become the editor in chief here then? I am sure you will do fine.
If you feel that you do not like it, you go elsewhere. It is as simple as that.
Are you done now accusing me and assaulting me publicly with a series of comments today?
IF you have a problem with *me*, you email me, you DON’T post here.
ANY subsequent comments I see from you will be moded down. If you continue this way you are talking to all your 5-6 comments today, you will be banned.
If Bruce Schneier says that this claim is pure BS, that should be enough to satisfy anyone. He’s got the rep.
Wrong: The first Windows Version shipped internationally with 128bit encryption was Windows 2000 Service Pack 2 (17-05-2001). Previous versions of Windows only had 56bit encryption. This fact leads me to the conclusion that the whole story is a hoax.
NSAKEY, come on. This was dismissed as paranoid bullshit years ago by people who actually think about this stuff.
http://www.counterpane.com/crypto-gram-9909.html#NSAKeyinMicrosoftC…
The problem is that we have no way of knowing for sure how innocuous this NSAKEY is. Mostly we have Microsoft’s word, and we have some serious questions from Schneier and others of how feasible some of these paranoid NSAKEY allegations are. Ultimately, though, we don’t know, and neither of the parties involved, MS nor the NSA, are particularly trustworthy. That should give us pause.
No, you’re wrong. An 128Bit encryption pack was available for 95/98/NT4, in shape of one 3.5″ Disk. There are links left on the wab about if – search google!
one example:
http://www.pctip.ch/downloads/dl/19100.asp
(german site)
Sorry for you’re wrong information ;p
Ralf.
Yes, an 128Bit encryption pack is available for older versions of the internet explorer running under 95/98/NT4 – but this encryption pack was also released in May 2001!
So: Who is wrong?
http://uptime.netcraft.com/up/graph/?mode_u=off&mode_w=on&site=www….
“A French intelligence report today accused US secret agents of working with computer giant Microsoft to develop software allowing Washington to spy on communications around the world.”
“The report, drawn up by the Strategic Affairs Delegation (DAS), the intelligence arm of the French Defence Ministry, was quoted in today’s edition of the news-letter Le Monde du Renseignement (Intelligence World).”
“Written by a senior officer at the DAS, the report claims agents from the National Security Agency (NSA) helped install secret programmes on Microsoft software,currently in use in 90 per cent of computers.”
http://linuxtoday.com/news_story.php3?ltsn=2000-02-19-008-05-SC
For the people who dismiss Microsoft’s lack of integrity as paranoia…. explain why the governments of
China
Germany
France
Korea
Japan
Brazil
Argentina
(etc)
Are all moving off of Microsoft or not using Microsoft due to SECURITY issues.
And tell me why Taiwan demanded the Windows source code?
It is all very real. If you run Microsoft software, you are running Microsoft spyware.
– Red Pill
They say they needed a backup key, but what does that have to do with NSA. Elsewhere they say it was because the NSA was involved in the export approval process. Even so, why would they call it NSA and not “export” or “worldwide” or “Commerce” or something.
As for why they didn’t try to disguise the name, anyone who’s worked on a large software project knows how hard it is to integrate work between engineers from different organizations and geographies. You hope to get it mostly right… some of the “best practices” may have gotten lost in the shuffle.
An article on LinuxToday about the inner workings of Microsoft. Wow, now there’s an unimpeachable source (let’s not even get into the concept of French intelligence 😮 ).
As for the governments of those countries you list moving away from MS products, I think you’ll find that they’re doing so because of LISCENCING issues. Most have already admitted this to be so.
Why would Taiwan demand Windows source code? Geez think about it would ya.
Gee, SofaShark, you’re right. The only legitmate information about Microsoft comes from Microsoft itself!
Maybe I should ask the Big Bad Wolf if he eats sheep, too!
If you actually READ about what I mentioned, you will see that it is about SECURITY issues mainly, not about licenses. Microsoft has started giving away Windows trying to compete with Linux, so there’s no big difference in price.
People in Taiwan already copy the Microsoft CD’s. Same thing in China and much of the Far East. Microsoft products are unaffordable. The government doesn’t need source code to enable people to copy CD’s. But the government doesn’t want Microsoft spying on them. That’s a whole different ballgame.
– Red Pill
I don’t think anyone can say what the second and third key are used for with a 100% certainy. The author certainly brought up a valid point by saying that the next generation chips that can run encrypted instruction sets would have hid this amazing ‘feature’ from snooping eyes.
Just another reason to use a open-source OS whatever it might be. You might not be able to ensure that its 100% trojan free but you can get closer then you can with Windohs or any other closed source project.
No proof that the backdoor actually exist, just proof that a possiblity it might exist. Personally, I doubt Microsoft would give NSA a chance in doing this, especially their non-US market is growing and still no antitrust suite then in the Windows 95 era.
The LinuxToday article is crap. It provides no new proof surrounding that NSA is spying via Windows.
China is moving to Linux because of its cost effectiveness, more security (not because of spyware, Windows till now isn’t built secure…) and national pride. Reason? Why pay so much money to a US corporation when its own companies can make money? 🙂
Germany is moving some bases to Linux to reduce dependance on Microsoft. This isn’t because they don’t want the US to know that they have a secret plan to bomb the whole of that country and blame it on al-Qaeda, but rather not to be a sitting duck to security issues (again, not related to spyware). France is also using the same reason as Germany.
Korea moved to Linux and Hancom Office in some on their offices to support their local companies instead of outside companies. It is government policy.
I’m not sure about Japan, because I haven’t heard not even one article on mass movements to Linux in Japan’s government.
Brazil and Argentina is moving mainly for economic purposes and the fact that Microsoft doesn’t provide much support for that region (i.e. better translations into their version of Portugese and Spanish). Plus countries in this region want to develop their own software companies, and Linux is the best way. This is also the reason used by India.
Trust me, paranoia has little to do with the move away from Microsoft in these governments. Most defence agencies BTW don’t already use Windows. Malaysian’s one for example use Solaris (or was it AIX?) and plans to move to Linux, are you gonna say Solaris has built in spyware for the US?
Oh, I didn’t see this message. China is under huge amount of preassure to crack down on piracy, ever since joining the WTO. But it can’t use legitimate copies on Windows, it is too darn expensive. Guess what is cheaper?
The same goes for every other third world country.
Unless psychic spies are for real, I’m not going to worry to much. My future plan is to use Linux (and maybe BeOS when yellowTab gets around to it) when I need to go online, and Windows for the few things I have left over (games, 3D modeling, and to use my iPod Windows version).
So my Windows box will have zero contact with the outside world. That will keep me safe from the Feds right?
If security is such a big issue, why India dump their Linux plans and went for the Windows donations? Windows was a more convinient proposition, when they don’t have to pay for it. If this paranoia has some truth behind it, India wouldn’t even consider Windows. Especially being a nuclear power, under close scrutiny from the US and its allies, and even more so when Pakistan became a closer ally to the US since Sept 11, they have everything to be afraid of.
Tell us why then?
actually you must be joking… ..india dropped windows for linux.
The latest technology from the Feds, codenamed “Copper Cops”, makes it very tough to protect yourself from the Feds.
It turns out the Feds figured out how to transfer the essence of several of their agents into a copper matrix.
Under the new Homeland Security bill, this copper matrix must be included with every network cable sold in the US.
So you should go buy old cables just to be safe. Or the very expensive silver cables — which work faster anyway — still have an exemption from the copper matrix laws.
😉
India chose to get free Microsoft software for some non-key areas.
There is still a massive movement in India to move away from Microsoft and onto Linux.
The politically safe reason is always “cost”. However, security is a very powerful driver in this movement.
Just today, more news came about about an Indian state moving to Linux:
http://slashdot.org/articles/02/11/20/1528204.shtml?tid=106
As India has a vested interest in building software for Microsoft and Microsoft customers, I don’t think we’ll ever see India switch 100% to Linux. However, I believe all key government functions will eventually migrate to Linux.
– Red Pill
Even if NSA doesn’t spy via Microsoft, they can do so whenever they want to.And that’s beacause Microsoft is a single company and if NSA wanted to spy through Microdoft, believe me, they can make them put some NSA key into their software (do it or die policy).But the Linux case is even more comlicated.First, it is open source and second it belongs to no one.
An advice: think better before posting that *shit in the net.
The thing that worries me is not what has happened in the more distant past, but what is yet to come.
The US government reputedly had M$ cold on the abuse of monopoly charges, yet M$ seem to have been punished far more lightly than anyone expected, with ‘security issues’ writ large into the detail of the judgement.
With the amount of US governmental interest in ‘homeland security’, it wouldn’t be particularly surprising if some sort of quid pro quo had been reached between the two parties – After all, monopolists are very good people to have on your side if you want to force a particular feature on a market, as the RIAA and others have recently demonstrated.
Perhaps the most worrying aspect of this is that any such arrangement is likely to have been reached for the highest of motives, viewed from the perspective of M$ and US gov.
G.W. Bush did say that he considered those who aren’t with the USA on ‘The War on Terrorism’ will be considered against it, thereby justifying pretty much anything.
Just because you’re not paranoid, doesn’t mean that they’re not out to get ya!
re. Oh and furthermore…
Anonymous wrote:
> trojans could be in the microcode where you
> can’t reach them AT ALL. So -NOTHING- is safe.
Disassembly.
re. French intelligence agency showed NSA working with Microsoft
Red Pill wrote:
> It is all very real. If you run Microsoft software,
> you are running Microsoft spyware.
Whoops. I thought that was a given here. Besides, I don’t think the masses really care whether MS knows which NFL and pron sites they visit, or how much space on their disk is taken up by mp3’s. [shrug]
Remember the US government made secret deals with the
cable companies to hand over international telegrams.
If you see something like NSAKEY the prudent is to
assume the worst until proven otherwise. Trusting in
this arena is just naive.
I think the link provided on Counterpane http://www.counterpane.com/crypto-gram-9909.html#NSAKeyinMicrosoftC…
sums it up quite nicely. If the NSA did in fact compromise Windows security in any way (which isn’t hard to begin with) they would not have named the key the “NSAKey”. I would expect a much more sophiticated method considering they they are experts in espionage.
Maybe they did in fact make the key. Chances are they haven’t. Fact is: A) You have no way to defeating or getting around it. Unless you use Windows 3.1 or MacOS 8 or an old Amiga or a C64 for example. B) If you’re that paranoid, cancel the internet connection, unplug the computer, sell it and find something else to do with your time.
Besides, wouldn’t hiring foreign workers (from China, India and Pakistan, Russia and Eurpoe for example), who program BIOSes, components of Windows and make other software and hardware used in every day life pose more of a security threat to the US citizens than the “NSAKey”.?
http://slashdot.org/article.pl?sid=02/11/21/1317229&mode=thread&tid…
This post takes the cake. Guess what? You can’t trust ActiveX controls signed by MS afterall. Might as well not surf the net with Windows anyways. Read on.
The facts as I see them:
1) Yes, there are two (or three) public/private key pairs.
2) Microsoft states that it exclusively controls the private keys.
My conclusion:
We are only in trouble if Microsoft is lying to us about whether the NSA has access to any of the two (or three) private keys.
What are the odds?
In order for the NSA to force Microsoft to do so legally, the public would have already know about such a initiative and the whole plan would fail. They have to go through places like Congress and the new Homeland Security Department…
Trust me, unless there is some major law changes, this is quite unlikely. Microsoft is quite unlikely to volunteer to open their customers to the NSA.
Most countries using security as a issue (except for China, which traditionally is quite paranoid and suspicious of anything from the West), is because of Microsoft poor security record, not their spyware accusations.
Windows has plenty of known and unknown security issues that haven’t been patched by Microsoft. In fact, until recently, Microsoft couldn’t be bothered with security. By comparison, lesser used altenatives, especially UNIX altenatives, sound more appealing than Windows.
For sure in the future, a few releases from now, Microsoft would fix their issues, but right now, it is a fact that Microsoft is too insecure for mission critical and classified purposes.
—
slackware: what’s the big deal of hiring foreign coders. These people don’t design the system, rather code the system. Code finishers they are mostly. Besides, the governments behind them have better things to do than to try to spy on American computers. They have their own problems, limited amount of money.
Robert, I didn’t notice you post, but no, India accepted Bill Gates’ donation of Windows licenses. For areas they don’t have donations, they use Linux or buy Windows or some UNIX. http://www.salon.com/tech/wire/2002/11/14/india/index.html?x
It is however evitable that some sectors, especially the defence, wouldn’t use Windows.
Rajan,
I have no problem what so ever with forein workers making software or hardware what-so-ever. In fact, some at the university I am attending are more determined, harder-working and have higher grades than their counterparts. I am quite happy using software designed in other countries – in fact I’m probably using more than a few right now.
I was simply making a statement in contrast to the US gov’t having trojaned Windows. Wether or not this is the case – and I am higly doubtful it is the case – having programmers from other countries writing closed source programs should be of more concern to those worried about the NSA making backdoors since no one would know if the latter is the case.
“Gee, SofaShark, you’re right. The only legitmate information about Microsoft comes from Microsoft itself!”
Excuse me? Where did I say that? Is creating straw men your hobby or profession?
“Maybe I should ask the Big Bad Wolf if he eats sheep, too!”
Careful, your paranoia is showing.
“If you actually READ about what I mentioned, you will see that it is about SECURITY issues mainly, not about licenses.”
I have READ about it. Extensively. Economies like Brazil and Argentina are fragile enough at the moment without comitting to huge government contracts with MS, the SE Asian economies that were wiped out at the end of last decade are recovering and looking for cheaper IT alternatives, and first world countries like Germany and Japan are pursuing political and philosophical agendas. I’m sure that security is a concern to some extent with all of the countries you mention, but it is peripheral to the economic aspect.
“Microsoft has started giving away Windows trying to compete with Linux, so there’s no big difference in price.”
Cool! Where can I get my copy?
“People in Taiwan already copy the Microsoft CD’s. Same thing in China and much of the Far East.”
I wasn’t actually alluding to piracy, I was trying to make the point that Taiwan’s interest is purely economic. Why buy the cow when you can get the milk for free?
“Microsoft products are unaffordable.”
Hey, that’s the point I’m trying to make!
rajan r wrote:
“Trust me, unless there is some major law changes, this is quite unlikely. Microsoft is quite unlikely to volunteer to open their customers to the NSA.”
Not to stir the pot, but I believe Windows NT received a C2 security rating in 1995 which opened it up for more use in the public sector. Then, remember the Navy ship in 1997 running NT and NT crashing, crippling the ship.
from time to time,
when i check “netstat -na”, while i am surfing IE 6.0 sp1 on win xp pro.
2 MS address(6*.***.**.**, 2**,**..) appears on my console screen.
the state was ESTABLISHED! only few hours ago.
MS rape me, fook MS.
i check it with this.
http://www.dnsstuff.com/
sorry i forgot the ip addresses, but, it was sure 6*.., 2**..!