Microsoft Denies It Built Backdoor Into Windows 7 450
CWmike writes "Microsoft has denied that it has built a backdoor into Windows 7, a concern that surfaced yesterday after a senior National Security Agency (NSA) official testified before Congress that the agency had worked on the operating system. 'Microsoft has not and will not put "backdoors" into Windows,' a company spokeswoman said, reacting to a Computerworld story Wednesday. On Monday, Richard Schaeffer, the NSA's information assurance director, told the Senate's Subcommittee on Terrorism and Homeland Security that the agency had partnered with the developer during the creation of Windows 7 'to enhance Microsoft's operating system security guide.' Thursday's categorical denial by Microsoft was accompanied by further explanation of exactly how the NSA participated in the making of Windows 7. 'The work being discussed here is purely in conjunction with our Security Compliance Management Toolkit,' said the spokeswoman. The company rolled out the Windows 7 version of the toolkit late last month, shortly after it officially launched the operating system."
Really people (Score:5, Insightful)
The NSA put the backdoor in the Intel compiler, that's a much better place to put a backdoor or more accurately spread a backdoor
On the other hand... (Score:4, Insightful)
Not really necessary (Score:5, Insightful)
Odds are the NSA is privy to whatever the current exploits are for windows operating systems anyways. I wouldn't be surprised if they had staff working on breaking into Windows machines if for nothing else than attacks on targets outside the US.
"We did NOT put in a backdoor for the NSA." (Score:5, Insightful)
"It's for the RIAA."
Backdoor? (Score:3, Insightful)
Nah, it's all the front door - javascript through ie
Re:Really people (Score:3, Insightful)
NSA helped on Linux as well (Score:5, Insightful)
The NSA did SELinux (for Linux...) so I don't think it's unreasonable to think they might have helped MS on security issues without doing anything nasty.
of-course not (Score:2, Insightful)
'Microsoft has not and will not put "backdoors" into Windows,' a company spokeswoman said, reacting to a Computerworld story Wednesday.
- of-course you wouldn't. MS is a stand up company, known for ethical behavior, fair treatment of its users, etc. I mean, it would never!
Re:Not really necessary (Score:5, Insightful)
Yes, this.
And if they had smuggled something into it, the testimony before Congress would have been sealed. The fact we know about it without some kind of secret leak means that we can be confident the NSA did not think the disclosure was valuable intel.
Idiocy of ComputerWorld and slashdot... (Score:5, Insightful)
ComputerWorld: "OMG NSA TROJANED WINDOWS 7"
NSA: "WTF? We made a document and stand-alone download..."
ComputerWorld: "CONSPIRACY!"
NSA: "Uh, we work with linux too you know... SELinux...?"
ComputerWorld: "FRONTPAGE HEADLINE NEWS! WINDOWS 7 BACKDOOR EXISTS!"
Slashdot: "ZOMG! NSA MADE A WINDOWS 7 BACKDOOR!"
Re:Not really necessary (Score:5, Insightful)
I think it's much more likely that the NSA would partner with Microsoft to ensure that Windows is actually more secure, so that those same targets outside of the US cannot get into the US government systems.
The NSA doesn't need to rely on Windows to gain access to other networks, but considering the fact that many government systems are running Windows, the National Security Agency definitely has an interest in making sure those systems are secure.
Re:of-course not (Score:3, Insightful)
C'mon - name a single thing Microsoft would gain by having a backdoor into any Windows installation. Now count how many ways such a backdoor could bite Microsoft in the ass.
It makes zero business sense to create a backdoor in Windows.
Re:NSA helped on Linux as well (Score:2, Insightful)
Like they are going to take a chance on getting caught doing something untoward in an open source application, where all eyes in the world are watching what they do. A closed source operating system is a completely different matter.
Strategic Defense Initiative (Score:5, Insightful)
No worries (Score:3, Insightful)
Ah.
Re:Really people (Score:5, Insightful)
Or the network adapter firmware or the encryption libraries or the BIOS or the processor itself. Yeah, there's no reason to poke a hole in the OS itself when so much of what it depends on is at your finger tips.
What's more, the NSA does have a legitimate reason to be involved. It's the same reason they wrote the SE/Linux extensions. They are required (in their public role) to provide the federal government with analysis and review of software for security purposes. To avoid having the NSA say, "Win 7 is too insecure, don't use it," Microsoft would go to them for review and comments prior to release, and respond to whatever concerns they have.
People often forget that the NSA has a public function.
Re:Not really necessary (Score:2, Insightful)
Meh. It's reasonably public knowledge that the NSA has people working at Microsoft, IBM, etc. It's actually quite easy to find NSA "agents". Go into any math department in the country, and you're almost guaranteed to meet one or two. And guess what? Microsoft hires people with PhDs in math who know crypto -- and chances are, well over half of the talent pool has worked at NSA at some point.
Also, as FP noted, Microsoft claims that they haven't put any backdoors in, and also admits that the NSA has submitted code -- their statements do not preclude the NSA putting in their own backdoors.
Re:Not really necessary (Score:2, Insightful)
You're assuming those holes aren't left there intentionally as honeypots or convenient excuses for actions that might otherwise be construed as acts of war.
Just sayin'.
The lady doth protest too much, methinks (Score:4, Insightful)
MSFT would sell their children's souls to keep Windows on the government's desktop PCs.
Comment removed (Score:5, Insightful)
Re:Really people (Score:3, Insightful)
>>>Who needs a back door when the front door is wide open?
"That's what she said!"
This is /. minimal sucess and experience with either.
Re:Not really necessary (Score:5, Insightful)
Wait a second
<paranoia intensity="100%"> But maybe that's what they want me to think
Re:Really people (Score:5, Insightful)
I'll leave you with that while I go to make my 30-char SSH password a little longer.
Re:Really people (Score:5, Insightful)
People often forget that the NSA has a public function.
Oh, I don't think anyone is forgetting that at all. It's just that the NSA cannot be trusted, and Microsoft cannot be trusted, and so when the two work together the result is something untrustworthy.
Re:I have no problem believing MS this time... (Score:5, Insightful)
To say it more clearly, the allegation is that NSA put the back door in, microsoft didnt deny it. They are using political speak to make is sound like nobody put back doors in.
An think about it, what self respecting intelligence agency wouldnt want a back door in windows. Their job is to collect intelligence, and windows is almost everywhere and handles lots of information.
It might sound paranoid to say windows is bugged by the NSA, but it totally ignorance to suggest they wouldnt want to bug it.
Re:NSA helped on Linux as well (Score:2, Insightful)
Which is why I trust SELinux less than most other flavors. Sure, I can look at the code, but what are the odds I'm looking at the right part of the code, and even if I am, what are the odds that I'll actually spot a weak point?
Slim.
Re:I have no problem believing MS this time... (Score:3, Insightful)
Never believe something until... (Score:5, Insightful)
Never believe something until it is officially denied. :o)
Re:NSA helped on Linux as well (Score:4, Insightful)
You and thirty thousand other security researchers from every industrialized nation on Earth. That's the thing, 'Open Source Community' contains three important words.
Re:I have no problem believing MS this time... (Score:5, Insightful)
What the "we're able to shut down your computer if we suspect you may not have an authorized version of our software" backdoor isn't enough of a backdoor for them?
Re:I have no problem believing MS this time... (Score:2, Insightful)
Re:Not really necessary (Score:5, Insightful)
Considering that historically the NSA has improved cryptographic implementations against attacks that were (at the time) unknown to the public, I'd say that's almost certainly BS. For example, DES. Even when their modifications appeared to be weakening the encryption algorithm, once the algorithm was a standard and other parties got around to hunting weaknesses for it, it was found that the modified version (which had become the standard) was far more resistant to attack. Turns out the attack had been known but kept secret, yet the algorithm had been modified to make the attack weaker.
TL;DR: No, the NSA uses their extensive cryptanalysis knowledge to take backdoors *out* of encryption, rather than to put them in. Remember: we (the US, including the government) use it too, and enemy forces might stumble upon any backdoor they leave/put in place.
Re:I have no problem believing MS this time... (Score:5, Insightful)
Or another reasonable conclusion: the spokesperson did not, in fact, talk to every single developer who may have worked with the NSA to confirm that no back door was put in, and managed to get independent "third-party" developers to code-review everything to confirm this, thereby saying the truth as s/he knows it, which does not need to line up with objective truth as it really is.
I've failed to keep count of the number of times I see a press release from $work claiming that we do or do not do something that I know damned well falls short of the truth. They don't usually ask me.
Re:I have no problem believing MS this time... (Score:4, Insightful)
Any admittance by Microsoft that they had would probably be deemed by the US government as a national security threat. Thus they are probably prohibited from saying anything other than a denial.
This is a company that was convicted of predatory criminal monopolistic practices. They were nearly torn in two. Suddenly it all ended for them as if it never happened and they came through with a sweet deal that gave them even greater market share for products (via their voucher system).
This same company holds the keys to 90% of the world's computers. The NSA has the dubious role of the most massive electronic communication surveillance entity in the world, of the world. Those two joined mean something other than what that denial professes.
You can rightfully imagine the dismay about their disclosure for any foreign government.
If you think there is going to be a serious threat of cyber-attack in the next 20 years, then you are more paranoid than all the tin hat wearing conspiracy theorists in all existence (past and present). At least, give the world those 20 years to undo that monopoly instead of using American tax payer dollars propping up that criminally convicted predatory monopolist.
Re:Not really necessary (Score:5, Insightful)
Re:I have no problem believing MS this time... (Score:5, Insightful)
.
An think about it, what self respecting intelligence agency wouldnt want a back door in windows. Their job is to collect intelligence, and windows is almost everywhere and handles lots of information.
It might sound paranoid to say windows is bugged by the NSA, but it totally ignorance to suggest they wouldnt want to bug it.
You are overlooking the fact that intelligence agencies are, also, usually tasked with preventing (as much as possible) foreign countries from collecting intelligence about the U.S. government. If Windows has a back door that the NSA can use, how would they prevent foreign intelligence agencies from using it? It is a well understood fact that any security vulnerability that is introduced will be discovered by those with nefarious goals (the NSA would not view their own goals as nefarious, but they would consider the goals of many foreign intelligence agents to be nefarious).
Re:Never believe something until... (Score:3, Insightful)
Re:I have no problem believing MS this time... (Score:5, Insightful)
One of the biggest reasons this country is falling apart? On his best night less than 1% of the country is watching his show. You give him way too much credit.
Re:I have no problem believing MS this time... (Score:1, Insightful)
What a steaming pile of shit.
If there were a backdoor, somebody somewhere, very soon after Win7's launch, would notice some suspicious activity on their network. No way such a thing can go undetected. Pure fucking FUD.
It's not a back door... (Score:3, Insightful)
A "back door" that big brother could exploit would not need to be the result of a conspiracy against citizens or anything nefarious on the part of M$, just the usual incompetence.
Re:I have no problem believing MS this time... (Score:5, Insightful)
Whether they did or did not put a back door in windows is arbitrary. What is of concern is a government department doing free work to improve the profitability of a single corporation against the corporate interests of every other competing corporation. Remember the screams coming out of Redmond when the NSA produce SE Linux, taht would be made available for free to all taxpayers.
Now you have the NSA and the department of defence attempting to prop up the security incompetence of a corporation at tax payer expense so that corporation can now turn around and charge their customers for work their customers already paid for.
If M$ is to security incompetent to produce reliable software, no government departments should be steeping ion to to their work for them they should simply stop using their software rather the propping up the company at taxpayer expense.
Besides everybody knows backdoors belong in hardware not software, any tech person with more than half a brain dual boots and uses the Linux side of things for anything they want to keep safe and secure, the windows side is built to power a game console and that's all it should be used for.
The NSA has helped LInux in the same way, FFS (Score:5, Insightful)
Seriously, you're absolutely correct. The NSA has every incentive to improve the security of Windows, not compromise it. They did the same for Linux, where you can see the changes they made. In the past, they've made suggestions for improvements to encryption algorithms that academic researchers later realized had a sound mathematical basis. The NSA is as much about strengthening computer systems as they are compromising them. Hell, if in a particular situation they want to compromise the security of a system, all they usually have to do is ask (see: AT&T et. al.).
The thing is, they know that important information they want to be kept secret is going to exist on Windows machines. On Linux machines. On [x] machine that isn't necessarily controlled directly by the NSA.
And even outside such "National Security" secrets... The NSA may want to listen in on your phone calls, but it doesn't help them at all for every Tom, Dick, and Sally to have their credit card information stolen, their bank acccounts phished and plundered, and so on.
Re:I have no problem believing MS this time... (Score:4, Insightful)
Glenn Beck is not the problem; he merely is a symptom of it.
That said, Beck and his Fox News colleagues are indeed pouring gas on the fire. Other networks are helping by providing coverage to their non-stories. (The vaccine "controversy" being one such non-story that is touted by all networks, believed by liberals and conservatives alike, and has absolutely zero scientific evidence to back it up)
Re:I have no problem believing MS this time... (Score:2, Insightful)
If it was such that it was buried to not present itself until called upon, then yes - easily. You could even have a backdoor that wasn't even active code, that is triggered by a Windows Update targeted at a specific PC (this is very simple, if you have to question the specifics of how this would be implemented, you don't really belong in this discussion).
However, most likely, NSA involvement would be in creating a master key to defeat the encryption and protection algorithms of systems such as Bitlocker built into the OS. Only 2% of users use Bitlocker as their main encryption method? Well then thats 2% more than the NSA can decrypt if they were using Truecrypt, etc.
No backdoors? (Score:1, Insightful)
Then what is Windows Genuine Validation, but a backdoor for Microsoft to shut down copies of Windows and Office that it thinks (often erroneously) are pirated, when the user tries to update?
Re:I have no problem believing MS this time... (Score:4, Insightful)
Why would Microsoft build a back door into Win7, when the front door is so wide open?
Which is exactly why the NSA is contributing. Previously, the NSA would develop their own guide for locking down Windows. With WindowsXP they decided that effort was redundant and instead collaborated with Microsoft on their security guidelines and tools. The NSA also provides penetration and cryptographic expertise.
The NSA has an obvious interest in helping Microsoft produce a secure product as the govt uses it quite heavily. As for backdoors, you don't really need to insert backdoors in the form of undisclosed vulnerabilities. It would not surprise me if the NSA had access to the Microsoft signing keys which would be of great value for compromising a system.
Re:I have no problem believing MS this time... (Score:3, Insightful)
If people can find general small scale security exploits in Windows, what makes you think they'd be able to hide a full blown back door?
Sorry but it's just fantasy, paranoia. We've had this theory before but no one ever manages to find any traces of this backdoor. If you have it installed you can dissect the OS to your hearts content, you can be rest assured for all the money and skill the NSA have it's nothing compared to the millions of researchers, hackers and criminals that would love nothing more than to find that backdoor.
You seem to be taking it a step further and suggesting it's bugged- tell me, if it's for intelligence gathering why is no one seeing any unrecognised outbound traffic on their networking hardware that could be part of this? do you think the NSA have developed a protocol that is invisible to routers but somehow still gets routed? Or do you think every router manufacturer in the world is in on it too and people who have dissected those have just not found it either?
It's a wild conspiracy theory, it's non-sensical and has no basis in reality. The PC is an open platform, you can't just hide that sort of thing from everyone, someone is going to find traces of it, evidence of it.
But get this, here's a bigger reason it's a stupid idea- do you really think the KGB could get this past CSIS, MI5, MI6, the FSB and other foreign intelligence services? Don't you think MI5 would be up in arms if the NSA had access to the data of the UK's biggest companies able to bankrupt them at any moment by leaking their most confidential secrets?
Twist Microsoft's words all you want, but it's pretty clear what they said. It doesn't just sound paranoid, it is paranoid, irrationally so. It is what it is, the guy helped advise Microsoft on security- from the summary at least it doesn't sound like he got close to the source code even.
But then, perhaps I'm a Microsoft/NSA plant right? Surely that's a good explanation to keep yourself convinced of such a ludicrous idea as conspiracy nuts ultimately choose to do?
It's also contrary to the NSA's mission (Score:3, Insightful)
They are, in addition to gathering foreign intelligence, tasked with helping secure critical US systems. This means not only things like government systems, but our financial system too.
Thus far, they seem to do a pretty good job. An example is DES. IBM made DES back in the days when there really wasn't a public field of cryptography. It was more or less a government and math geek thing. Well the NSA consulted on DES. One of the controversial things they did was suggest changes to the S boxes. There was paranoia that they'd done this to make it easier to crack. Years later, when differential cryptanalysis was made public, it turned out that the S boxes were greatly more resistant to it than had they simply been randomly generated. Sure enough, IBM said that yes, they'd figured this out and told the NSA, who asked them to please keep a lid on it.
Now, many decades later, DES still stands up to scrutiny. It can be brute forced by computers these days, but no magic weakness has been found.
Likewise, AES seems to be immensely secure. It is probably the most analyzed cryptosystem in history and it stands up as secure. The NSA signed off on it too, not only saying it was good to be chosen as AES, but clearing it for use with classified data.
So it seems the NSA DOES take that part of their mission seriously. Thus sticking a backdoor in Windows and lying ot congress about it would not only be dumb, it'd be contrary to their mission.
They'd also be really stupid to think it wouldn't be discovered.
More people than MS have Windows source code (Score:3, Insightful)
Many universities have it, among other institutions. It isn't open source, but it isn't some huge secret.
Also, who's to say that just because you have the source you can find a backdoor? It could be very cleverly disguised. There's a massive misconception in the OSS community that "many eyes" means "no possibility of problems." No, not so much. Back in 2000 there was a remote exploit discovered in every version of BIND, ever. Somehow, despite many people having looked at it, worked on it, etc, nobody had ever noticed this one. Heck it wasn't even discovered through a source audit, it was discovered through messing with a running DNS server and sending it invalid data.
This idea that so long as something is open source it can't possibly have anything bad in it is just not at all true.
It doesn't have to be used (Score:3, Insightful)
The best backdoors may be something left by some engineer, on purpose or not. Maybe it was just used for testing, to bypass authentication to get work done in an early state, and now it is still there. The thing is, if it's never being used, it's actually very hard to notice it. I have no trouble imagining all kinds of ways NSA could put in some hidden code, to bypass entry at network / OS level somehow. It's not like you have that many levels of security in hardware or software. Once you gain Ring0 or something similar, your computer is toast.
If it's easy for viruses and hackers, just imagine what a small assembly line could do inside the OS itself! Remember, to crack software often just require to change a few bits (dunno why security is so low.. I would make a VM for running the verification-process, or even the software itself, which scrambled memory in all sorts of random ways *during execution* - but I guess software makers are more greedy than smart..)
Face it, lots of software probably has some backdoors or "hidden" functionality. This is one of the reasons open source is superior. You can still have a compromised compiler or be rooted with a VM, but the chance of that is much slimmer than trusting some binary blob and running as administrator.
However, as desktop, I still favour XP. Haven't tried Win7, and will probably wait until it matures, much like XP which I pretty much like now over both Linux and OS X. The OS itself simply lets me install everything I need and gets out of the way, after installing Firefox, Thunderbird and other portable apps - which can be ported to another computer just by copying the files. Nice setup, and faster than apt-get even, for getting desktop usage done.
Win7 will probably become standard though, as it has enhanced security and you don't have to run as administrator (it's too much of a pain in XP to be a normal user due to buggy sudo-functionality).
But to think Windows or other software has no backdoors, when some companies deliver software with rootkits and spyware, strikes me as very naive.
Re:I have no problem believing MS this time... (Score:3, Insightful)
'snot funny.
This is one of open source's greatest strengths: it would be pretty hard to slip a back door into an open source program or OS.
The parent was joking of course, and it would be funny if it weren't so scary. Remember kiddies, if you're a dope dealer or and you keep your customers in a database, or hold politically contrvorsial ideas or thought crimes on your computer, don't use Windows. If you're cheating on your spouse, don't keep pictures of you and your "friend" on a Windows PC.
But actually, we're talking about the NSA here. They probably don't need any back doors. Why do you need a back door when you have a battering ram?