Forgot your password?
typodupeerror
Security Government Intel Privacy Windows Your Rights Online

Microsoft Denies It Built Backdoor Into Windows 7 450

Posted by timothy
from the how-are-your-wife's-bruises? dept.
CWmike writes "Microsoft has denied that it has built a backdoor into Windows 7, a concern that surfaced yesterday after a senior National Security Agency (NSA) official testified before Congress that the agency had worked on the operating system. 'Microsoft has not and will not put "backdoors" into Windows,' a company spokeswoman said, reacting to a Computerworld story Wednesday. On Monday, Richard Schaeffer, the NSA's information assurance director, told the Senate's Subcommittee on Terrorism and Homeland Security that the agency had partnered with the developer during the creation of Windows 7 'to enhance Microsoft's operating system security guide.' Thursday's categorical denial by Microsoft was accompanied by further explanation of exactly how the NSA participated in the making of Windows 7. 'The work being discussed here is purely in conjunction with our Security Compliance Management Toolkit,' said the spokeswoman. The company rolled out the Windows 7 version of the toolkit late last month, shortly after it officially launched the operating system."
This discussion has been archived. No new comments can be posted.

Microsoft Denies It Built Backdoor Into Windows 7

Comments Filter:
  • by beh (4759) * on Thursday November 19, 2009 @06:16PM (#30164744)

    I believe Microsoft anytime that they would not build back doors into the system... If they tried, the backdoor would probably have enough bugs to be unusable.

    Besides - doesn't it already state it in the story:

        "Microsoft has not and will not put "backdoors" into Windows"

        "the agency had worked on the operating system."

    Seems pretty clear, MS did NOT put a backdoor into it... ;-)

    • by Wowsers (1151731) on Thursday November 19, 2009 @07:14PM (#30165578) Journal

      Why would Microsoft build a back door into Win7, when the front door is so wide open?

    • by rkulla (973592) on Thursday November 19, 2009 @07:19PM (#30165654) Homepage
      and it wouldn't work with the "Home" version of Windows, since nothing special ever does.
    • by bug1 (96678) on Thursday November 19, 2009 @07:42PM (#30165962)

      To say it more clearly, the allegation is that NSA put the back door in, microsoft didnt deny it. They are using political speak to make is sound like nobody put back doors in.

      An think about it, what self respecting intelligence agency wouldnt want a back door in windows. Their job is to collect intelligence, and windows is almost everywhere and handles lots of information.

      It might sound paranoid to say windows is bugged by the NSA, but it totally ignorance to suggest they wouldnt want to bug it.

      • by Attila Dimedici (1036002) on Thursday November 19, 2009 @09:31PM (#30167098)

        .

        An think about it, what self respecting intelligence agency wouldnt want a back door in windows. Their job is to collect intelligence, and windows is almost everywhere and handles lots of information.

        It might sound paranoid to say windows is bugged by the NSA, but it totally ignorance to suggest they wouldnt want to bug it.

        You are overlooking the fact that intelligence agencies are, also, usually tasked with preventing (as much as possible) foreign countries from collecting intelligence about the U.S. government. If Windows has a back door that the NSA can use, how would they prevent foreign intelligence agencies from using it? It is a well understood fact that any security vulnerability that is introduced will be discovered by those with nefarious goals (the NSA would not view their own goals as nefarious, but they would consider the goals of many foreign intelligence agents to be nefarious).

        • Re: (Score:3, Interesting)

          by ei4anb (625481)
          "If Windows has a back door that the NSA can use, how would they prevent foreign intelligence agencies from using it?"

          Here's how...

          Lotus Notes had 64bit crypto back when 40bit was the most you could export from the land of the free. Most companies introduced an export version of their product. Lotus did not.

          How did they manage this and be compatible with the reulations? Every time Notes generated a 64bit key it copied 24 of those bits and encrypted them with a key owned by the NSA and sent that with the

      • Re: (Score:3, Insightful)

        by Xest (935314)

        If people can find general small scale security exploits in Windows, what makes you think they'd be able to hide a full blown back door?

        Sorry but it's just fantasy, paranoia. We've had this theory before but no one ever manages to find any traces of this backdoor. If you have it installed you can dissect the OS to your hearts content, you can be rest assured for all the money and skill the NSA have it's nothing compared to the millions of researchers, hackers and criminals that would love nothing more than

    • by HermMunster (972336) on Thursday November 19, 2009 @08:59PM (#30166850)

      Any admittance by Microsoft that they had would probably be deemed by the US government as a national security threat. Thus they are probably prohibited from saying anything other than a denial.

      This is a company that was convicted of predatory criminal monopolistic practices. They were nearly torn in two. Suddenly it all ended for them as if it never happened and they came through with a sweet deal that gave them even greater market share for products (via their voucher system).

      This same company holds the keys to 90% of the world's computers. The NSA has the dubious role of the most massive electronic communication surveillance entity in the world, of the world. Those two joined mean something other than what that denial professes.

      You can rightfully imagine the dismay about their disclosure for any foreign government.

      If you think there is going to be a serious threat of cyber-attack in the next 20 years, then you are more paranoid than all the tin hat wearing conspiracy theorists in all existence (past and present). At least, give the world those 20 years to undo that monopoly instead of using American tax payer dollars propping up that criminally convicted predatory monopolist.

    • by Xtifr (1323) on Thursday November 19, 2009 @09:02PM (#30166884) Homepage

      "Microsoft has not and will not put "backdoors" into Windows"

      No, no, that's "will not put 'backdoors' into Windows 7"!

      The "7" is important, because chances are high that the backdoors added to WinNT3.5 are still working just fine; no need to add any new ones! :)

      (A lot of people picked up on the "MS didn't add it" vs. "NSA worked on it", but I haven't seen any other comments about possible pre-existing backdoors.)

    • Re: (Score:3, Insightful)

      by mcgrew (92797) *

      'snot funny.

      1. How many lies has microsoft been caught in? Even in court testemony over their abusive monopoly? When a proven liar says something, that something demands solid evidence.
      2. Do you trust the NSA? I don't. How many millions of lines of code are in Windows? Even if Microsoft's telling the truth, they may still be incorrect or mistaken.
      3. There's no way to verify.

      This is one of open source's greatest strengths: it would be pretty hard to slip a back door into an open source program or OS.

      The parent was j

  • Well.. (Score:5, Funny)

    by Anonymous Coward on Thursday November 19, 2009 @06:19PM (#30164784)

    At least, not intentionally.

  • Really people (Score:5, Insightful)

    by jgtg32a (1173373) on Thursday November 19, 2009 @06:20PM (#30164794)
    Why do people think that the back door is in Win7?

    The NSA put the backdoor in the Intel compiler, that's a much better place to put a backdoor or more accurately spread a backdoor
    • Re: (Score:3, Insightful)

      by Tubal-Cain (1289912)
      Who needs a back door when the front door is wide open? ;-)
    • Re:Really people (Score:5, Insightful)

      by ajs (35943) <ajs@@@ajs...com> on Thursday November 19, 2009 @06:54PM (#30165308) Homepage Journal

      Or the network adapter firmware or the encryption libraries or the BIOS or the processor itself. Yeah, there's no reason to poke a hole in the OS itself when so much of what it depends on is at your finger tips.

      What's more, the NSA does have a legitimate reason to be involved. It's the same reason they wrote the SE/Linux extensions. They are required (in their public role) to provide the federal government with analysis and review of software for security purposes. To avoid having the NSA say, "Win 7 is too insecure, don't use it," Microsoft would go to them for review and comments prior to release, and respond to whatever concerns they have.

      People often forget that the NSA has a public function.

      • Re:Really people (Score:5, Insightful)

        by w0mprat (1317953) on Thursday November 19, 2009 @07:36PM (#30165882)
        Seriously take of your tin foil hats. What makes anyone thing NSA needs any cooperation from any vendor? If any lone black hat can pwn thousands and millions of machines from his bedroom, it stands to reason a well resourced organisation with even half-assed methodological inclination can do things that boggle our script kiddie minds. They have very few barriers to whatever they want to do, they don't need Microsofts help.

        I'll leave you with that while I go to make my 30-char SSH password a little longer.
      • Re:Really people (Score:5, Insightful)

        by JohnFen (1641097) on Thursday November 19, 2009 @07:38PM (#30165908)

        People often forget that the NSA has a public function.

        Oh, I don't think anyone is forgetting that at all. It's just that the NSA cannot be trusted, and Microsoft cannot be trusted, and so when the two work together the result is something untrustworthy.

      • Re: (Score:3, Interesting)

        by digitalchinky (650880)

        I was working for a secret shady 3 letter agency way back in the late 90's when the phrase SELinux first hit the internal message boards. My understanding at the time was that its purpose was simply to supply a secure (tamper proof) OS for 'in the field' use - at least that was what it was billed as doing by the few suits that knew anything at all about it. Naturally it evolved from there, I was rather surprised it left the confines of the NSA. A very (very) small handful of people were involved in its crea

  • by FlyingSquidStudios (1031284) on Thursday November 19, 2009 @06:20PM (#30164806) Homepage
    It's not like they need to put a back door on it. There will be about 500 exploits found within the next year as it is.
  • by Misanthrope (49269) on Thursday November 19, 2009 @06:20PM (#30164808)

    Odds are the NSA is privy to whatever the current exploits are for windows operating systems anyways. I wouldn't be surprised if they had staff working on breaking into Windows machines if for nothing else than attacks on targets outside the US.

    • by BobMcD (601576) on Thursday November 19, 2009 @06:29PM (#30164938)

      Yes, this.

      And if they had smuggled something into it, the testimony before Congress would have been sealed. The fact we know about it without some kind of secret leak means that we can be confident the NSA did not think the disclosure was valuable intel.

      • by sexybomber (740588) <boccilino@@@gmail...com> on Thursday November 19, 2009 @07:34PM (#30165846)
        This too. I've got a really good sense of smell, so I can smell a rat from a mile away. This story's not hiding one. For all the lies the NSA does tell, they're not going to freakin' lie to Congress at every opportunity. Just because the Boy King did it for eight years straight didn't magically render it OK. I dunno if this guy was under oath or not, but still, that's not something you do lightly. Plus, this isn't the Director making the statement, it's one of the lesser Director bureaucritters (I think the dude's title was "Information Assurance Officer" or something); if he's caught lying to Congress, he's gone. He's one of the guys the Director would pin blame on if he ever got caught.

        Wait a second ...

        <paranoia intensity="100%"> But maybe that's what they want me to think ... oh no.
        • They are, in addition to gathering foreign intelligence, tasked with helping secure critical US systems. This means not only things like government systems, but our financial system too.

          Thus far, they seem to do a pretty good job. An example is DES. IBM made DES back in the days when there really wasn't a public field of cryptography. It was more or less a government and math geek thing. Well the NSA consulted on DES. One of the controversial things they did was suggest changes to the S boxes. There was par

    • by amicusNYCL (1538833) on Thursday November 19, 2009 @06:34PM (#30165014)

      I think it's much more likely that the NSA would partner with Microsoft to ensure that Windows is actually more secure, so that those same targets outside of the US cannot get into the US government systems.

      The NSA doesn't need to rely on Windows to gain access to other networks, but considering the fact that many government systems are running Windows, the National Security Agency definitely has an interest in making sure those systems are secure.

      • by ajs (35943) <ajs@@@ajs...com> on Thursday November 19, 2009 @06:59PM (#30165396) Homepage Journal

        I think it's much more likely that the NSA would partner with Microsoft to ensure that Windows is actually more secure

        It's not "likely." It's their job [nsa.gov].

      • by TheRaven64 (641858) on Thursday November 19, 2009 @07:02PM (#30165444) Journal
        The NSA probably has people looking for security holes in Windows and any other widely deployed piece of software, just as they have people looking for weaknesses in widely deployed cryptographic algorithms (and ones they are thinking of deploying). I they need to get into a system, they probably have a few undisclosed vulnerabilities on hand to do so with. They also probably let the companies in question know, if the US government is using the systems in question. The only interesting thing about this is that the NSA has access to the Windows source code for exploit hunting. That's not very interesting though, because the British and Chinese governments do to, and so (I assume) do others.
    • by duffbeer703 (177751) on Thursday November 19, 2009 @07:42PM (#30165968)

      I'd say a more likely NSA "backdoor" would be some sort of subtle flaw in the implementation of an encryption, hash or some other algorithm critical to Windows. NSA spends alot of time and money on cryptanalysis.

      • by cbhacking (979169) <been_out_cruising-slashdot@@@yahoo...com> on Thursday November 19, 2009 @08:39PM (#30166646) Homepage Journal

        Considering that historically the NSA has improved cryptographic implementations against attacks that were (at the time) unknown to the public, I'd say that's almost certainly BS. For example, DES. Even when their modifications appeared to be weakening the encryption algorithm, once the algorithm was a standard and other parties got around to hunting weaknesses for it, it was found that the modified version (which had become the standard) was far more resistant to attack. Turns out the attack had been known but kept secret, yet the algorithm had been modified to make the attack weaker.

        TL;DR: No, the NSA uses their extensive cryptanalysis knowledge to take backdoors *out* of encryption, rather than to put them in. Remember: we (the US, including the government) use it too, and enemy forces might stumble upon any backdoor they leave/put in place.

  • by John Hasler (414242) on Thursday November 19, 2009 @06:20PM (#30164810) Homepage

    "It's for the RIAA."

  • Backdoor? (Score:3, Insightful)

    by ackthpt (218170) on Thursday November 19, 2009 @06:22PM (#30164834) Homepage Journal

    Nah, it's all the front door - javascript through ie

  • by Fishbulb (32296) on Thursday November 19, 2009 @06:23PM (#30164848)

    God: "NOAH!"

    Noah: "What!"

    God: "Noah, I did not put a backdoor in Windows 7."

    Noah: "[...] RIGHT."

  • by prestwich (123353) on Thursday November 19, 2009 @06:24PM (#30164856) Homepage

    The NSA did SELinux (for Linux...) so I don't think it's unreasonable to think they might have helped MS on security issues without doing anything nasty.

  • of-course not (Score:2, Insightful)

    by roman_mir (125474)

    'Microsoft has not and will not put "backdoors" into Windows,' a company spokeswoman said, reacting to a Computerworld story Wednesday.

    - of-course you wouldn't. MS is a stand up company, known for ethical behavior, fair treatment of its users, etc. I mean, it would never!

    • Re: (Score:3, Insightful)

      by amicusNYCL (1538833)

      C'mon - name a single thing Microsoft would gain by having a backdoor into any Windows installation. Now count how many ways such a backdoor could bite Microsoft in the ass.

      It makes zero business sense to create a backdoor in Windows.

  • I asked them if they had put any backdoors in Windows 7 and the representative said loudly and nervously that that was preposterous and 'patently false' while scribbling something on a piece of paper. He slid it across his desk to me. It read:

    Please, they have microphones in my clothes, on the desk, in the walls, the fly buzzing by your mouth is their robot!!! Meet me by the dumpster out back around 5pm, come alone.

    Unfortunately I have a bad habit of reading things aloud when I read them and by the time I was finished the fly was gone and the man sitting across from me was dead. The government doctor that rushed in the room and gave him pentobarbital in an attempt to revive him said it was due to an aneurysm caused by a robotic fly which he says he sees a lot of so it's nothing for me to look into.

    I guess there's no story here after all.

  • by Anonymous Coward on Thursday November 19, 2009 @06:34PM (#30165006)
    NSA: "We wrote a guide and a separate tool to help in enterprise security management"

    ComputerWorld: "OMG NSA TROJANED WINDOWS 7"

    NSA: "WTF? We made a document and stand-alone download..."

    ComputerWorld: "CONSPIRACY!"

    NSA: "Uh, we work with linux too you know... SELinux...?"

    ComputerWorld: "FRONTPAGE HEADLINE NEWS! WINDOWS 7 BACKDOOR EXISTS!"

    Slashdot: "ZOMG! NSA MADE A WINDOWS 7 BACKDOOR!"
  • by Anonymous Coward on Thursday November 19, 2009 @06:36PM (#30165034)

    and Windows 7 was my idea.

  • by Corson (746347) on Thursday November 19, 2009 @06:41PM (#30165104)
    An OS that runs on 90% of computers in the world is a de facto strategic weapon.
  • No worries (Score:3, Insightful)

    by Jamamala (983884) on Thursday November 19, 2009 @06:46PM (#30165176)
    Just check the sou..
    Ah.
  • by David Gerard (12369) <slashdot AT davidgerard DOT co DOT uk> on Thursday November 19, 2009 @06:48PM (#30165204) Homepage

    Despite many years’ warnings that Microsoft regards security as a marketing problem and has only ever done the absolute minimum it can get away with [today.com], millions of users who click on any rubbish they see in the hope of pictures of female tennis stars having wardrobe malfunctions still fail to believe that taking Windows out on the Internet is like standing bent over in the street in downtown Gomorrah, naked, arse greased up and carrying a flashing neon sign saying “COME AND GET IT.”

    Microsoft cannot believe people have not applied the patch for the problems, just because they keep trying to use Windows Genuine Advantage to break legally-bought systems. “Don’t they trust us?” asked marketing marketer Steve Ballmer.

    Millions of smug Mac users and the four hundred smug Linux users pointed and laughed, having long given up trying to convince their Windows-using friends to see sense. “There’s a reason the Unix system on Mac OS X is called Darwin,” said appallingly smug Mac user Arty Phagge.

    “It can’t be stupid if everyone else runs it,” said Windows user Joe Beleaguered, who had lost all his email, business files, MP3s and porn again. “Macs cost more than Windows PCs.”

    “Yes,” said Phagge. “Yes, they do.”

    Ubuntu Linux developer Hiram Nerdboy frantically tried to get our attention about something or other, but we can’t say we care.

  • by Dunbal (464142) on Thursday November 19, 2009 @06:53PM (#30165284)

    Of course you can trust the government. I mean, this is the NSA we're talking about. They're on YOUR side.

          And as for Microsoft, or any other multinational company for that matter, they have grown to the size that they are because they are 100% honest to goodness hard working souls that, when faced with a decision, will always take the ethically correct side. I mean that's how you get fantastically rich, isn't it? Ask our hard working friends at Goldman Sachs, for example!

          I'm shocked that you could even consider that Microsoft could be lying. I mean, what happens if they get caught lying? Surely the "back door" would be right there in the source code for all to see, and they'd be found out right away. Oh, wait... sorry, you don't get to see the source code. But Microsoft apologized for violating the GPL, that makes them GOOD guys. You're not suggesting that if anyone ever DID find out some sort of way to control a Windows machine, all they'd have to do is call it a "security vulnerability" and issue a patch (with a different back door) for it, are you?

  • by tjstork (137384) <todd@bandrowsky.gmail@com> on Thursday November 19, 2009 @06:56PM (#30165348) Homepage Journal

    You know, its funny, but if the NSA ever got its hooks into a repository, it could do all sorts of fun stuff that way in Linux. We only "trust" Linux because Linux is a huge trust circle. WE trust it because its open, and assume that someone else must have looked at it. But I have about as much idea of what's going on inside of my Ubuntu as I did my Windows, from a backdoor perspective.

    • Re: (Score:3, Interesting)

      by John Hasler (414242)

      > But I have about as much idea of what's going on inside of my Ubuntu as I did
      > my Windows, from a backdoor perspective.

      However, hundreds of highly skilled Debian Developers know exactly what is going on inside Debian. And many of them live outside the USA and don't particularly like or trust the US government. Many of those same people are also Ubuntu developers. While it is not inconceivable that some agency (not necessarily of the US government) might slip a trojan in, it is highly unlikely.

      If

      • Re: (Score:3, Interesting)

        Nust choose one of the zillions of existing exploits and be happy.

        This could just as easily be used as an argument for Windows according to Slashdot, which would argue against NSA trying to put a backdoor into Windows.

        OP is still right, though, isn't he? Hundreds of highly skilled Windows developers know exactly what is going on inside Windows just as much as the hundreds of Debian developers know about Debian. Except there are probably more Windows developers. Not all of them "like or trust the US government" and certainly not all of them have been paid off, like it s

      • A test? (Score:5, Interesting)

        by Well-Fed Troll (1267230) on Thursday November 19, 2009 @09:17PM (#30166984)
        The developers should designate one person for compromise testing. It's his job to try to get compromises to the kernel. He will submit a patch to a random developer every 6 months, the developer submits the patch, and if it is missed and gets included in the main tree it triggers a more widespread code audit. Offer a $1000 reward to anyone finding the offending or more dangerous backdoor.
        This should keep the developers on their toes and give us some confidence that the code IS being audited properly.
    • In particular (Score:3, Interesting)

      by Sycraft-fu (314770)

      They could do something evil like the famous C compiler backdoor. You infect only binary components. So no matter how carefully the code is audited, there is nothing in there. However, when said code is compiled on an infected system, it produces infected binaries. So people have the illusion of security with it. They build from source because they want to make sure what they have hasn't been changed, but they tools they use are compromised so the final system is compromised, though no trace is in the code.

  • by Mansing (42708) on Thursday November 19, 2009 @07:04PM (#30165472)

    MSFT would sell their children's souls to keep Windows on the government's desktop PCs.

  • by twoears (1514043) on Thursday November 19, 2009 @07:10PM (#30165532)
    But it's only in the goatse edition.
  • NSA is into many OS' (Score:3, Interesting)

    by icepick72 (834363) on Thursday November 19, 2009 @07:14PM (#30165572)
    All concerns about NSA and Windows 7 could also be applied to SE Linux http://www.nsa.gov/research/selinux/ [nsa.gov]
  • by jcr (53032) <jcr@NoSPaM.mac.com> on Thursday November 19, 2009 @07:22PM (#30165704) Journal

    If Microsoft had assisted the NSA and deliberately buggered their security model for the government's purposes, it would be a federal crime for them to admit it.

    -jcr

  • Joshua (Score:3, Funny)

    by slagheap (734182) on Thursday November 19, 2009 @07:32PM (#30165840)
    Mr. Potato Head! Mr. Potato Head! Back doors are not secrets!
  • by Helldesk Hound (981604) on Thursday November 19, 2009 @08:04PM (#30166252) Homepage

    Never believe something until it is officially denied. :o)

  • by NZheretic (23872) on Thursday November 19, 2009 @08:05PM (#30166266) Homepage Journal
    Transcript of Internet Caucus Panel Discussion. [techlawjournal.com]
    Re: Administration's new encryption policy.
    Date: September 28, 1999.
    Weldon statement. [techlawjournal.com]

    Rep. Curt Weldon [wikipedia.org]: Thank you. Let me see if I can liven things up here in the last couple of minutes of the luncheon. First of all, I apologize for being late. And I thank Bob and the members of the caucus for inviting me here.

    ...

    But the point is that when John Hamre [wikipedia.org] briefed me, and gave me the three key points of this change, there are a lot of unanswered questions. He assured me that in discussions that he had had with people like Bill Gates and Gerstner from IBM that there would be, kind of a, I don't know whether it's a, unstated ability to get access to systems if we needed it. Now, I want to know if that is part of the policy, or is that just something that we are being assured of, that needs to be spoke. Because, if there is some kind of a tacit understanding, I would like to know what it is.

    Because that is going to be subjected to future administrations, if it is not written down in a clear policy way. I want to know more about this end use certificate. In fact, sitting on the Cox Committee as I did, I saw the fallacy of our end use certificate that we were supposedly getting for HPCs going into China, which didn't work. So, I would like to know what the policies are. So, I guess what I would say is, I am happy that there seems to be a comming together. In fact, when I first got involved with NSA and DOD and CIS, and why can't you sit down with industry, and work this out. In fact, I called Gerstner, and I said, can't you IBM people, and can't you software people get together and find the middle ground, instead of us having to do legislation.

    ...

  • by failedlogic (627314) on Thursday November 19, 2009 @08:51PM (#30166754)

    The NSA has not put a backdoor in Windows. When the intelligence agencies comment on these matters, the answer is always "We will neither confirm or deny...." which always implies that they had some role in the matter. Now that both MS and the NSA have publicly stated that no backdoor was installed in Windows, and is such a departure from the usual PR stance that it is impossible to conclude otherwise that such a backdoor was not and would never have been installed.

    Barring my sarcasm, I would think that there is more at stake in securing Windows than putting a backdoor in it. Chances are, if there is a backdoor, than others will find it which makes it a futile effort. I think of it this way. It would be one thing to backdoor Windows, if you wanted to spy on Joe citizen or a terrorist. But, Windows is used throughout businesses within the US: Banks, Utilities, major industry, government, law enforcement, etc. Such a Trojan whether on desktop PCs or on Servers could cause major economic and security repercussions. As others have pointed out, the NSA has released other products to help in security like SE Linux and various encryption algorithms which AFAIK have stood up to independent audits by experts.

    They were probably tasked with only looking at certain portions of the Windows code anyways much like they had likely done with previous versions of Windows and maybe other major OSes. There's been plenty of bugs found since in Windows that no matter how much auditing of code in any OS, being found out of planting a Trojan has many more consequences that exploiting holes that are already there anyways.

  • by uvajed_ekil (914487) on Thursday November 19, 2009 @11:02PM (#30167608)
    ...it's just another bug that they will be incapable of repairing. Some things never change.

    A "back door" that big brother could exploit would not need to be the result of a conspiracy against citizens or anything nefarious on the part of M$, just the usual incompetence.
  • by AnalPerfume (1356177) on Thursday November 19, 2009 @11:27PM (#30167722)
    Microsoft don't need to have actively created a back door for one to exist, look at the code the call "secure" and how many exploits are found daily for it. This is them supposedly trying NOT to have exploits. They already have back doors for DRM control and instructions to please their real customers ie other companies, as well as their own WGA all for the common enrichment of rights holders. So just because Microsoft don't intentionally create back doors for the NSA means nothing.

    Like any other intelligence agency, spying on people who use Windows would be a prime goal, but there's plenty of malware out there to do that, with Microsoft and the security industry formed to fix the holes left by Microsoft's technical incompetence can only fix so much. There's no reason why the NSA couldn't develop their own malware with VB and run it like any other criminals, without any collusion with Microsoft at all.

    Given the fact that Windows is as secure as a paper tank at the best of times, and the governments of the world seem to want to insist that people use Windows, it's mot hard to imagine Microsoft suits using the "hey if you force your people to use our software, you can spy on what they do with them much easier" as a reason NOT to support calls for a FOSS / Linux switch.

    Given how many crimes Microsoft get away with in more jurisdictions it's also not hard to imagine a meeting where Microsoft agree to turn a blind eye to malware from certain sources in return for cases being dropped, or friendly judges put on the case who will promptly find in favour of Microsoft, and dismiss any logical evidence that they've done anything wrong.

    As far as "it's in our interests to make Windows secure as we use it", how much of the US defense network still use Windows? I've noticed some have switched to Linux, while Microsoft had to create a special "secure XP" for them because the regular one wasn't up to the task. How easy would it be for the entire network to switch to Linux to protect itself while endorsing Windows for everyone else as it gives them and easy target to hit if they need to? They could even get Linux to pretend it's Windows when queried so nobody outside would know.

    Remember most govt departments are VERY partisan, they don't like to co-operate as much as they should. They don't like sharing stuff that would help everyone because if only they do it and look good, they look even better in comparison to other departments who didn't do it. The contrast is even wider.
  • by CFD339 (795926) <andrewp@@@thenorth...com> on Friday November 20, 2009 @12:22AM (#30168030) Homepage Journal

    My limited understanding of FIPS compliance is such that I thing the likelihood is much higher that the involvement of the NSA is to work with Microsoft (as they have others) to make sure the right libraries are used and so on for FIPS compliance. If you want to sell software to the US Government, it must be FIPS compliant.

    The following is my understanding (which is likely flawed in some ways, but I think is fairly close to accurate) of how FIPS works (Taken from a response I wrote to someone else about this).

    In all likelihood, this is all about their encryption being FIPS compliant and has nothing to do with backdoors.

    The way I understand FIPS (because I got a mini-lesson on it during an SDR as they were doing it for [another software product I work with alot]) you have to use very specific encryption protocols that not only meet the standard for the encryption routine (e.g. RSA, or whatever) and the bit-size, but you have to use one of a specific set of approved implementation libraries.

    That means you can use the exact same encrypting schema and key size as FIPS specifies, but if you don't do the encryption with an approved library, you're not compliant.

    The rules get weirder from there. If you are required to be FIPS compliant at work, and must send something encrypted, you have to send it to someone who is also FIPS compliant. -- follow this logic now -- if you have to send it to someone who is NOT compliant, even though they use compatible encryption/decryption code and have exchanged keys with you, you CANNOT send them the encrypted file because their libraries are not FIPS compliant. You can, however, send them the file IN THE CLEAR if you decide it's safe to do so.

    In other words, FIPS says it is better to send something in the clear if you cannot be sure the other end is FIPS compliant, even if they can decrypt what you're sending.

    That's your government at work.

    BTW: The routines which ARE certified have been fully vetted by many government and non-government people, and do not contain any special code in them that would lead to making decryption by the NSA any easier than it would otherwise be. Since the routines are by nature just implementation of well know encryption standards, the only way to do that would be to interrupt the key pair creation process and use "less random" seeds. I don't believe FIPS specifies the random number generation routine used.

    Hope this helps.

  • by AlgorithMan (937244) on Friday November 20, 2009 @04:56AM (#30169070) Homepage
    Why does the NSA work on Windows? They're paid with tax-money, they're paid for working for the benefit of the tax-payer. When they work on Windows, they work for the benefit of a corporation, that has more than enough money to pay for such development.

    The code they produced belongs to the public, because the public paid for it! If Microsoft doesn't open that code, they're stealing from the tax-payer!
  • by Fantastic Lad (198284) on Friday November 20, 2009 @06:52AM (#30169574)

    If the NSA wants to know EVERYTHING about you, they have far better ways than installing active spyware on your system to do it.

    There is a record somewhere of everything you've ever downloaded or uploaded. Every Google search you've ever performed. Encryption breaking is pointless because they have the ability to know what you type as you type it. Heck, they probably have the ability to know what you think as you think it.

    Did you know that you can read an RFID tag from orbit? --People know about the max distance a tag can be charged from, and it is indeed a few feet, but the distance from which it can be read is much greater. If the detector is good enough. . .

    Did you know you can use a light bulb as an active antenna? Any bit of circuitry, for that matter, even powered down, still processes EM wave forms and can be used to snoop. The idea of the NSA messing around with malware in order to spy on computer users is like comparing Donkey Kong to today's modern game systems.

    The only reason the NSA might encourage the belief that they have proprietary code built into a Microsoft product would be to mislead people into thinking that they work within the same baby-fences as the rest of us free range serfs.

    -FL

  • It's a GUIDE (Score:3, Informative)

    by MulluskO (305219) on Friday November 20, 2009 @07:47PM (#30179692) Journal

    "Working in partnership with Microsoft and elements of the Department of Defense, NSA leveraged our unique expertise and operational knowledge of system threats and vulnerabilities to enhance Microsoft's operating system security guide without constraining the user to perform their everyday tasks, whether those tasks are being performed in the public or private sector,"

    DISA and the NSA produce guides.

    http://iase.disa.mil/stigs/stig/index.html [disa.mil]
    http://www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml [nsa.gov]

    They're patting one another on the back because they worked on the guide before Windows 7 was released.

"Hello again, Peabody here..." -- Mister Peabody

Working...