revelarts
06-19-2013, 08:58 AM
In researching the stunning pervasiveness of spying by the government (it’s much more wide spread than you’ve heard even now), we ran across the fact that the FBI wants software programmers to install a backdoor in all software…Digging a little further, we found a 1999 article by leading European computer publication Heise which noted that the NSA had already built a backdoor into all Windows software:
A careless mistake by Microsoft programmers has revealed that special access codes prepared by the US National Security Agency have been secretly built into Windows. The NSA access system is built into every version of the Windows operating system now in use, except early releases of Windows 95 (and its predecessors)…
“The first discovery of the new NSA access system was made two years ago by British researcher Dr Nicko van Someren [an expert in computer security]. But it was only a few weeks ago when a second researcher rediscovered the access system. With it, he found the evidence linking it to NSA…
“According to Andrew Fernandez of Cryptonym, the result of having the secret key inside your Windows operating system “is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system“. The NSA key is contained inside all versions of Windows from Windows 95 OSR2 onwards…”
We have repeatedly pointed out that widespread spying on Americans began prior to 9/11 (http://www.washingtonsblog.com/2012/08/u-s-government-planned-indefinite-detention-of-citizens-long-before-911.html).
Barry Ritholtz (http://www.ritholtz.com/blog/2013/06/government-built-spy-access-into-most-popular-consumer-program-before-911/?) picked this up from Washington’s Blog and as part of his journey as a recovering Republican he’s republished this at his own blog…There certainly aren’t any longtime geeks who are surprised to read details of Microsoft putting in backdoors for the NSA.
http://www.ritholtz.com/blog/2013/06/government-built-spy-access-into-most-popular-consumer-program-before-911/?
http://www.dvorak.org/blog/2013/06/12/our-government-has-been-building-spy-access-into-the-windows-operating-system-since-the-late-1990%E2%80%B2s/
NSA key to Windows: an open question
<tbody>
<tbody>
</tbody>
</tbody>
(CNN) - Microsoft operating systems have a backdoor entrance for the National Security Agency, a cryptography expert said Friday, but the software giant denied the report and other experts differed on it.
The chief scientist at an Internet security company said Microsoft built in a "key" for the nation's most powerful intelligence agency to the cryptographic standard used in Microsoft Windows 95, Windows 98, Windows NT4 and Windows2000.
To use cryptographic applications in Windows, users must load its cryptography architecture in a standard called CryptoAPI.
A year ago, researchers discovered there were two keys, or digital signatures, that allowed the loading of CryptoAPI -- Microsoft had one but the identity of the other keyholder was a mystery.
Andrew Fernandes of Ontario-based Cryptonym Corp. and his colleagues now say the NSA holds the second key because they found that a recent service pack for Windows NT failed to cloak the second key, revealing it as "_NSAKEY."
"In the data security profession, those three initials only mean one thing: National Security Agency," Fernandes said.
Microsoft denied that the key belongs to the NSA, saying instead that the "_NSAKEY" label simply means the cryptography architecture meets the NSA's standards for export.
"These reports are completely false," said Microsoft spokesman Dan Leach.
"The key does not allow any other party to start or stop cryptographic services on anyone's computers.
"So no, the government cannot spy on your computer using Microsoft software. We don't intentionally leave backdoors. Microsoft has consistently opposed key escrow because we feel it is no good for the consumer, for Microsoft and no good for the government."
Fernandes said the NSA key would allow the intelligence agency to load services on users' machines without their authorization, an option it more likely would use against a corporation than an individual.
Fernandes posted a "fix" to the key on his Web site Friday, along with a press release announcing his report on the second key. The NSA failed to return comment on the key.
The alleged NSA key came to light just days after Microsoft squelched a breach to its Web-based e-mail service, Hotmail.
Computer expert: 'a small deal' UC Berkeley's David Wagner, a computer security expert, said the "does not open a massive back door allowing NSA to spy on your computer."
The statement by Cryptonym is "a small deal at least," Wagner said. The only problem he found with the CryptoAPI architecture is that if a Windows systems has a virus, it may make the virus more destructive.
It could be that NSA is making it easier to manage their own computers, Wagner said. Users of Windows 95/98/NT systems should not infer that the NSA is able to spy on any computer using a Windows operating system, he said.
Report shocked crypto experts Fernandes initially gave his report at a cryptography conference in Santa Barbara last month, during a late-night session where a few dozen experts in the audience were "shocked" by the alleged security flaw, said UC Berkeley cryptography researcher Ian Goldberg. Goldberg was at the session where Fernandes discussed his findings.
The discovery "highly suggests" that the NSA has a key it could use to enter encrypted items on anybody's Windows operating system, said Goldberg, also chief scientist at Zero-Knowledge Systems.
Zero-Knowledge Systems is about to release a product designed to ensure the privacy of Internet users when they surf the Web, post to newsgroups, send email or chat.
Fernandes said the evidence shows that the NSA is involved in the key but it fails to indicate who owns the key. Even if Microsoft claims the key is its own, Fernandes said he believes the key was put in the Windows products at the request of the NSA.
"They've got their hand in the cookie jar and they're trying to convince you they aren't taking a cookie, they're checking to make sure there's lots of cookies left for you," Fernandes said.
Fernandes, who came up with his results in collaboration with the Berlin-based Chaos Computer Club, said it comes down to an issue of trusting Microsoft.
The security flaw does not give hackers an entrance to Windows-based cryptography services, Fernandes said, because hackers lack the private key.
He called for Microsoft to be more honest about its security infrastructure and the "deal they had to cut with the government to allow the exportation of cryptography in Windows."
Open-source versus 'shrink-wrapped' crypto Alec Muffett, a security consultant for Sun Microsystems' Professional Services, said his operation uses open source cryptography and internal software and that many international companies have decided not to trust Microsoft.
"Any company worth its salt would demand using an open source cryptography as opposed to a shrink-wrapped product which this is," Muffett said.
Open-source code is thought by its adherents to be more secure and a better product since it has been tweaked by many more programmers than a product put out by a single company.
The United States limits the exportation of "strong" cryptography, mainly to make it easier for its intelligence agencies to do its work. For the NSA, that means listening in via its Echelon project to the telephone, fax, cable and other electronic communications of other nations.
It is illegal for the agency to eavesdrop on American citizens, meaning that if the NSA key exists, international businesses are most at risk, Fernandes said.
Still, Muffett said the NSA would be unlikely to conduct massive snooping on businesses outside the United States via a key on Microsoft Windows products -- if it exists. That would take too much work.
Instead, the agency could use a key to obtain a targeted piece of evidence or to trade information with other security agencies outside the United States.
"It's a bit of a conundrum from a political strategy point of view," Muffett said. ...
http://www.cnn.com/TECH/computing/9909/03/windows.nsa.02/
http://news.bbc.co.uk/2/hi/sci/tech/437967.stm
http://news.bbc.co.uk/furniture/nothing.gif
Friday, September 3, 1999 Published at 22:18 GMT 23:18 UK
http://news.bbc.co.uk/furniture/black_pixel.gif
http://news.bbc.co.uk/furniture/nothing.gif
Sci/Tech
http://news.bbc.co.uk/furniture/nothing.gif
Windows 'back door' security alert
http://news.bbc.co.uk/olmedia/435000/images/_437967_nsa300.gif
Cryptographers mark up code for a new key found in Windows
http://news.bbc.co.uk/furniture/nothing.gif
By Internet Correspondent Chris Nuttall Cryptographers are sounding the alarm on a major security issue involving Microsoft Windows that could eclipse its Hotmail public relations disaster.
<tbody>
http://news.bbc.co.uk/furniture/video.gif
http://news.bbc.co.uk/furniture/nothing.gif
The BBC's Kathy Riddell: "This has set alarms bells ringing" (http://news.bbc.co.uk/olmedia/435000/video/_438125_riddell7am_vi.ram)
</tbody>
The findings of a computer security expert that America's National Security Agency (NSA) may have been given a back door into every copy of Windows 95, 98, NT4 and 2000 worldwide are being debated across the Internet. Microsoft has issued a strong denial of allegations of misuse of a second encryption "key" in Windows.
"These are just used to ensure that we're compliant with US export regulations," said Scott Culp, Microsoft's security manager for its Windows NT Server software.
"We have not shared the private keys. We do not share our keys."
But cryptographers in the UK described the implications of the findings as "immense". Windows is installed on more than 90% of the world's computers.
Second key for Windows
Andrew Fernandes, Chief Scientist at the Ontario-based Cryptonym Corporation, is credited with discovering the identity of a second key used by Windows for encryption purposes.
<tbody>
http://news.bbc.co.uk/furniture/audio.gif
http://news.bbc.co.uk/furniture/nothing.gif
The BBC's Chris Nuttall: "Windows is used on 90% of the world's computers" (http://news.bbc.co.uk/olmedia/435000/audio/_438125_nuttall.ram)
</tbody>
Caspar Bowden, director of London-based Internet think-tank FIPR, said: "The allegation is that every copy of Windows contains an extra 'magic number' which would permit it to work with encryption modules designed by the US National Security Agency, as well as those approved by Microsoft." The approval mechanism was introduced to ensure that the weak encryption in non-US versions of Windows could not be replaced with stronger software without it being checked against a "key" embedded in Windows, proving that it had been digitally signed off by Microsoft.
Two years ago, cryptographers found an alternative, and apparently superfluous, second embedded key. The new details came to light through debugging information erroneously left in the latest service pack for Windows NT.
Significantly, the key has the data tag "_NSAKEY" giving rise to speculation that the NSA persuaded Microsoft to give it special access to Windows in a secret deal.
Microsoft says it called its function an "NSA key" because the body reviews technical details for the export of data-scrambling software.
MS talked with NSA
It is known that Microsoft negotiated with the NSA on including encryption in its product. The export of strong encryption is banned by the Clinton administration, which fears terrorists and other criminals could turn it against the US.
There are two theories on why this unnecessary second key is included in Windows:
Conspiracy theorists say the key can be used to infiltrate targeted computers. It gives the NSA a direct way of doing this without having to use Microsoft's own key.
A more charitable theory is that Microsoft allowed the NSA a special key to secure the thousands of government computers running Windows.
"The innocent explanation is that the US wished to create bespoke encryption modules for official use on government systems without reference to Microsoft," said Mr Bowden.
"Ironically, introducing the second key has created a major security loophole in a mechanism which was designed to enforce US export controls on strong cryptography."
Microsoft suffered serious embarrassment on Monday when hackers exposed a simple way of breaking into the mailboxes of more than 40 million users of its Hotmail e-mail service.
it's all for your safety.. fighten the evil terrorist... oh-rah... ho-rah
A careless mistake by Microsoft programmers has revealed that special access codes prepared by the US National Security Agency have been secretly built into Windows. The NSA access system is built into every version of the Windows operating system now in use, except early releases of Windows 95 (and its predecessors)…
“The first discovery of the new NSA access system was made two years ago by British researcher Dr Nicko van Someren [an expert in computer security]. But it was only a few weeks ago when a second researcher rediscovered the access system. With it, he found the evidence linking it to NSA…
“According to Andrew Fernandez of Cryptonym, the result of having the secret key inside your Windows operating system “is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system“. The NSA key is contained inside all versions of Windows from Windows 95 OSR2 onwards…”
We have repeatedly pointed out that widespread spying on Americans began prior to 9/11 (http://www.washingtonsblog.com/2012/08/u-s-government-planned-indefinite-detention-of-citizens-long-before-911.html).
Barry Ritholtz (http://www.ritholtz.com/blog/2013/06/government-built-spy-access-into-most-popular-consumer-program-before-911/?) picked this up from Washington’s Blog and as part of his journey as a recovering Republican he’s republished this at his own blog…There certainly aren’t any longtime geeks who are surprised to read details of Microsoft putting in backdoors for the NSA.
http://www.ritholtz.com/blog/2013/06/government-built-spy-access-into-most-popular-consumer-program-before-911/?
http://www.dvorak.org/blog/2013/06/12/our-government-has-been-building-spy-access-into-the-windows-operating-system-since-the-late-1990%E2%80%B2s/
NSA key to Windows: an open question
<tbody>
<tbody>
</tbody>
</tbody>
(CNN) - Microsoft operating systems have a backdoor entrance for the National Security Agency, a cryptography expert said Friday, but the software giant denied the report and other experts differed on it.
The chief scientist at an Internet security company said Microsoft built in a "key" for the nation's most powerful intelligence agency to the cryptographic standard used in Microsoft Windows 95, Windows 98, Windows NT4 and Windows2000.
To use cryptographic applications in Windows, users must load its cryptography architecture in a standard called CryptoAPI.
A year ago, researchers discovered there were two keys, or digital signatures, that allowed the loading of CryptoAPI -- Microsoft had one but the identity of the other keyholder was a mystery.
Andrew Fernandes of Ontario-based Cryptonym Corp. and his colleagues now say the NSA holds the second key because they found that a recent service pack for Windows NT failed to cloak the second key, revealing it as "_NSAKEY."
"In the data security profession, those three initials only mean one thing: National Security Agency," Fernandes said.
Microsoft denied that the key belongs to the NSA, saying instead that the "_NSAKEY" label simply means the cryptography architecture meets the NSA's standards for export.
"These reports are completely false," said Microsoft spokesman Dan Leach.
"The key does not allow any other party to start or stop cryptographic services on anyone's computers.
"So no, the government cannot spy on your computer using Microsoft software. We don't intentionally leave backdoors. Microsoft has consistently opposed key escrow because we feel it is no good for the consumer, for Microsoft and no good for the government."
Fernandes said the NSA key would allow the intelligence agency to load services on users' machines without their authorization, an option it more likely would use against a corporation than an individual.
Fernandes posted a "fix" to the key on his Web site Friday, along with a press release announcing his report on the second key. The NSA failed to return comment on the key.
The alleged NSA key came to light just days after Microsoft squelched a breach to its Web-based e-mail service, Hotmail.
Computer expert: 'a small deal' UC Berkeley's David Wagner, a computer security expert, said the "does not open a massive back door allowing NSA to spy on your computer."
The statement by Cryptonym is "a small deal at least," Wagner said. The only problem he found with the CryptoAPI architecture is that if a Windows systems has a virus, it may make the virus more destructive.
It could be that NSA is making it easier to manage their own computers, Wagner said. Users of Windows 95/98/NT systems should not infer that the NSA is able to spy on any computer using a Windows operating system, he said.
Report shocked crypto experts Fernandes initially gave his report at a cryptography conference in Santa Barbara last month, during a late-night session where a few dozen experts in the audience were "shocked" by the alleged security flaw, said UC Berkeley cryptography researcher Ian Goldberg. Goldberg was at the session where Fernandes discussed his findings.
The discovery "highly suggests" that the NSA has a key it could use to enter encrypted items on anybody's Windows operating system, said Goldberg, also chief scientist at Zero-Knowledge Systems.
Zero-Knowledge Systems is about to release a product designed to ensure the privacy of Internet users when they surf the Web, post to newsgroups, send email or chat.
Fernandes said the evidence shows that the NSA is involved in the key but it fails to indicate who owns the key. Even if Microsoft claims the key is its own, Fernandes said he believes the key was put in the Windows products at the request of the NSA.
"They've got their hand in the cookie jar and they're trying to convince you they aren't taking a cookie, they're checking to make sure there's lots of cookies left for you," Fernandes said.
Fernandes, who came up with his results in collaboration with the Berlin-based Chaos Computer Club, said it comes down to an issue of trusting Microsoft.
The security flaw does not give hackers an entrance to Windows-based cryptography services, Fernandes said, because hackers lack the private key.
He called for Microsoft to be more honest about its security infrastructure and the "deal they had to cut with the government to allow the exportation of cryptography in Windows."
Open-source versus 'shrink-wrapped' crypto Alec Muffett, a security consultant for Sun Microsystems' Professional Services, said his operation uses open source cryptography and internal software and that many international companies have decided not to trust Microsoft.
"Any company worth its salt would demand using an open source cryptography as opposed to a shrink-wrapped product which this is," Muffett said.
Open-source code is thought by its adherents to be more secure and a better product since it has been tweaked by many more programmers than a product put out by a single company.
The United States limits the exportation of "strong" cryptography, mainly to make it easier for its intelligence agencies to do its work. For the NSA, that means listening in via its Echelon project to the telephone, fax, cable and other electronic communications of other nations.
It is illegal for the agency to eavesdrop on American citizens, meaning that if the NSA key exists, international businesses are most at risk, Fernandes said.
Still, Muffett said the NSA would be unlikely to conduct massive snooping on businesses outside the United States via a key on Microsoft Windows products -- if it exists. That would take too much work.
Instead, the agency could use a key to obtain a targeted piece of evidence or to trade information with other security agencies outside the United States.
"It's a bit of a conundrum from a political strategy point of view," Muffett said. ...
http://www.cnn.com/TECH/computing/9909/03/windows.nsa.02/
http://news.bbc.co.uk/2/hi/sci/tech/437967.stm
http://news.bbc.co.uk/furniture/nothing.gif
Friday, September 3, 1999 Published at 22:18 GMT 23:18 UK
http://news.bbc.co.uk/furniture/black_pixel.gif
http://news.bbc.co.uk/furniture/nothing.gif
Sci/Tech
http://news.bbc.co.uk/furniture/nothing.gif
Windows 'back door' security alert
http://news.bbc.co.uk/olmedia/435000/images/_437967_nsa300.gif
Cryptographers mark up code for a new key found in Windows
http://news.bbc.co.uk/furniture/nothing.gif
By Internet Correspondent Chris Nuttall Cryptographers are sounding the alarm on a major security issue involving Microsoft Windows that could eclipse its Hotmail public relations disaster.
<tbody>
http://news.bbc.co.uk/furniture/video.gif
http://news.bbc.co.uk/furniture/nothing.gif
The BBC's Kathy Riddell: "This has set alarms bells ringing" (http://news.bbc.co.uk/olmedia/435000/video/_438125_riddell7am_vi.ram)
</tbody>
The findings of a computer security expert that America's National Security Agency (NSA) may have been given a back door into every copy of Windows 95, 98, NT4 and 2000 worldwide are being debated across the Internet. Microsoft has issued a strong denial of allegations of misuse of a second encryption "key" in Windows.
"These are just used to ensure that we're compliant with US export regulations," said Scott Culp, Microsoft's security manager for its Windows NT Server software.
"We have not shared the private keys. We do not share our keys."
But cryptographers in the UK described the implications of the findings as "immense". Windows is installed on more than 90% of the world's computers.
Second key for Windows
Andrew Fernandes, Chief Scientist at the Ontario-based Cryptonym Corporation, is credited with discovering the identity of a second key used by Windows for encryption purposes.
<tbody>
http://news.bbc.co.uk/furniture/audio.gif
http://news.bbc.co.uk/furniture/nothing.gif
The BBC's Chris Nuttall: "Windows is used on 90% of the world's computers" (http://news.bbc.co.uk/olmedia/435000/audio/_438125_nuttall.ram)
</tbody>
Caspar Bowden, director of London-based Internet think-tank FIPR, said: "The allegation is that every copy of Windows contains an extra 'magic number' which would permit it to work with encryption modules designed by the US National Security Agency, as well as those approved by Microsoft." The approval mechanism was introduced to ensure that the weak encryption in non-US versions of Windows could not be replaced with stronger software without it being checked against a "key" embedded in Windows, proving that it had been digitally signed off by Microsoft.
Two years ago, cryptographers found an alternative, and apparently superfluous, second embedded key. The new details came to light through debugging information erroneously left in the latest service pack for Windows NT.
Significantly, the key has the data tag "_NSAKEY" giving rise to speculation that the NSA persuaded Microsoft to give it special access to Windows in a secret deal.
Microsoft says it called its function an "NSA key" because the body reviews technical details for the export of data-scrambling software.
MS talked with NSA
It is known that Microsoft negotiated with the NSA on including encryption in its product. The export of strong encryption is banned by the Clinton administration, which fears terrorists and other criminals could turn it against the US.
There are two theories on why this unnecessary second key is included in Windows:
Conspiracy theorists say the key can be used to infiltrate targeted computers. It gives the NSA a direct way of doing this without having to use Microsoft's own key.
A more charitable theory is that Microsoft allowed the NSA a special key to secure the thousands of government computers running Windows.
"The innocent explanation is that the US wished to create bespoke encryption modules for official use on government systems without reference to Microsoft," said Mr Bowden.
"Ironically, introducing the second key has created a major security loophole in a mechanism which was designed to enforce US export controls on strong cryptography."
Microsoft suffered serious embarrassment on Monday when hackers exposed a simple way of breaking into the mailboxes of more than 40 million users of its Hotmail e-mail service.
it's all for your safety.. fighten the evil terrorist... oh-rah... ho-rah