New Vista Random Numbers to Include NSA Backdoor? 269
Schneier is reporting that Microsoft has added the new Dual_EC-DRBG random-number generator to Vista SP1. This random-number generator is the same one discussed earlier that may have a secret NSA backdoor built into it.
Given the known problems of Dual_EC_DRBG (Score:5, Interesting)
Now adding the algorithm itself isn't really a backdoor per se, because no one is forcing you to use that particular random number generator. But it is also interesting to note that this isn't the first time Microsoft has been accused of inserting backdoors for the CIA or the NSA. Of course, Microsoft vehemently denies such allegations, but I would assume that they would. Given what the telcos did for the NSA, would anyone be surprised if it really did come out that the NSA actually forced Microsoft to put backdoors in Office or Windows?
No surprise here (Score:2, Interesting)
http://en.wikipedia.org/wiki/NSAKEY [wikipedia.org]
Is this "feature" back-ported to XP SP3, too? (Score:3, Interesting)
SP3 is supposed to have some of Vista's most useful features as well as all previous bug fixes.
Would a shame to ruin a good service pack that speeds up XP by 10%.
Re:From the article (Score:5, Interesting)
=Smidge=
Does anyone who uses Vista... (Score:5, Interesting)
Have any expectation of privacy or security in the first place?
IIRC, some of the key SCOTUS decisions regarding the Fourth Amendment have centered around a person's expectation of privacy. They've argued:
That said, the government could persuasively argue that someone who runs Windows, especially Vista, has no expectation of privacy in the first place:
Now the sad thing is that this does come across as a troll, but sadly, it's true. And it needs to be addressed. For some reason, the /. crowd thinks it is acceptable that a majority of the population uses an OS which is horribly less secure than the ones we ourselves use (Linux, Macs, etc...). We're supposed to be the technical ones who have the solution to these problems, and yet, most /.ers just choose to blame the victim and whine about Microsoft being evil. Granted, we already know that.
Is it really acceptable that our collective rights are surrendered because a major corporation finds more profit in insufficient design and testing of its software? I realize that most of you loathe Windows, but unless we actually do something to fix the social barriers to the adoption of Linux, we can expect that, because Windows is so insecure, our government will be able to convince SCOTUS that a computer user has no "reasonable expectation of privacy".
It doesn't matter so much that this PRNG is insecure. A knowledgeable cryptographer isn't going to trust the OS for random numbers, anyway - unless it is in compliance with some standard to which their code must comply. What matters is that Vista is full of holes, and we're talking about a PRNG which no software of cryptographical consequence is going to use anyway.
Instead, we ought to worry that Windows itself is easily compromised by the government. That is the real problem. Why would you break the PRNG when you can rootkit even a fully patched Vista box with an email?.
Worth Noting (Score:2, Interesting)
Re:You might want to check your facts. (Score:2, Interesting)
I think the argument could be made that Bell was in America when the telephone was invented - not conceived.
Regarding the lightbulb - toss up in my opinion. Edison built the first functional working model. Again, the difference between concept and function.
Point taken on the auto's, so I'll submit to Benz, but one also has to look at the timeline / functionality of Selden and the Duryea's vs. the first model of Benz.
Actually, the Internet is the one on the list that I had the most doubt about because there was a lot of work in England as well, even though we mostly recognize ArpaNet as the Internet's birth. Thanks for the reminder to never count on my memory
Re:Given the known problems of Dual_EC_DRBG (Score:3, Interesting)
For all the talk about closed source, a rather large number of customers, including numerous governments, has read access to the Windows Source code. Don't assume that only MS employees examine it. The number is far broader than is generally supposed.
Re:Fuck You AmeriKKKa! (Score:2, Interesting)
Re:Really... (Score:3, Interesting)
Re:Given the known problems of Dual_EC_DRBG (Score:3, Interesting)
Of course, the presence of DRM itself throws their crypto incompetence into high relief.
Do tell us more about Microsoft's reasonable "standards". Is it anything like what they are doing with kerberos or OOXML?
Re:OK, this is just stupid. (Score:2, Interesting)