Microsoft Denies It Built Backdoor Into Windows 7

CWmike writes "Microsoft has denied that it has built a backdoor into Windows 7, a concern that surfaced yesterday after a senior National Security Agency (NSA) official testified before Congress that the agency had worked on the operating system. 'Microsoft has not and will not put "backdoors" into Windows,' a company spokeswoman said, reacting to a Computerworld story Wednesday. On Monday, Richard Schaeffer, the NSA's information assurance director, told the Senate's Subcommittee on Terrorism and Homeland Security that the agency had partnered with the developer during the creation of Windows 7 'to enhance Microsoft's operating system security guide.' Thursday's categorical denial by Microsoft was accompanied by further explanation of exactly how the NSA participated in the making of Windows 7. 'The work being discussed here is purely in conjunction with our Security Compliance Management Toolkit,' said the spokeswoman. The company rolled out the Windows 7 version of the toolkit late last month, shortly after it officially launched the operating system."

Re:NSA helped on Linux as well

[Jeng]

There was quite abit of concern that Microsoft put in a backdoor for the NSA on Windows 95 though Windows 2000.

http://news.bbc.co.uk/2/hi/sci/tech/437967.stm [bbc.co.uk]

It was never confirmed that a backdoor was installed.

Re:NSA helped on Linux as well

[G-Man]

And they also recommended a couple of changes to DES when it was being developed:

http://www.schneier.com/blog/archives/2004/10/the_legacy_of_d.html [schneier.com]

Folks at the time thought it was some nefarious backdoor, but a couple of decades later came to realize it actually improved the security of DES.

Re:Not really necessary

[ajs]

I think it's much more likely that the NSA would partner with Microsoft to ensure that Windows is actually more secure

It's not "likely." It's their job [nsa.gov].

Transcript of Internet Caucus Panel Discussion.

[NZheretic]

Transcript of Internet Caucus Panel Discussion. [techlawjournal.com]
Re: Administration's new encryption policy.
Date: September 28, 1999.
Weldon statement. [techlawjournal.com]

Rep. Curt Weldon [wikipedia.org]: Thank you. Let me see if I can liven things up here in the last couple of minutes of the luncheon. First of all, I apologize for being late. And I thank Bob and the members of the caucus for inviting me here.

...

But the point is that when John Hamre [wikipedia.org] briefed me, and gave me the three key points of this change, there are a lot of unanswered questions. He assured me that in discussions that he had had with people like Bill Gates and Gerstner from IBM that there would be, kind of a, I don't know whether it's a, unstated ability to get access to systems if we needed it. Now, I want to know if that is part of the policy, or is that just something that we are being assured of, that needs to be spoke. Because, if there is some kind of a tacit understanding, I would like to know what it is.

Because that is going to be subjected to future administrations, if it is not written down in a clear policy way. I want to know more about this end use certificate. In fact, sitting on the Cox Committee as I did, I saw the fallacy of our end use certificate that we were supposedly getting for HPCs going into China, which didn't work. So, I would like to know what the policies are. So, I guess what I would say is, I am happy that there seems to be a comming together. In fact, when I first got involved with NSA and DOD and CIS, and why can't you sit down with industry, and work this out. In fact, I called Gerstner, and I said, can't you IBM people, and can't you software people get together and find the middle ground, instead of us having to do legislation.

...

Re:Not really necessary

[trapnest]

"You are world delivered.... to the NSA."

Re:Really people

[sqlrob]

I don't think it is. I think there's an internal compiler they use, not Visual Studio.

Re:NSA helped on Linux as well

[Anpheus]

DES with twice the key length wasn't proportionally stronger, and the speed of computation was important enough that halving the key length with a negligible impact on strength was well advised.

3DES at 168 bits isn't nearly as strong, cryptographically, as AES or many other modern algorithms. Yet many of these algorithms can use 128-bit keys and 128-bit block sizes. So key size does not make the algorithm.

In hindsight, the NSA is fully validated on DES.

It's a GUIDE

[MulluskO]

"Working in partnership with Microsoft and elements of the Department of Defense, NSA leveraged our unique expertise and operational knowledge of system threats and vulnerabilities to enhance Microsoft's operating system security guide without constraining the user to perform their everyday tasks, whether those tasks are being performed in the public or private sector,"

DISA and the NSA produce guides.

http://iase.disa.mil/stigs/stig/index.html [disa.mil]
http://www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml [nsa.gov]

They're patting one another on the back because they worked on the guide before Windows 7 was released.