Microsoft Denies It Built Backdoor Into Windows 7 450
CWmike writes "Microsoft has denied that it has built a backdoor into Windows 7, a concern that surfaced yesterday after a senior National Security Agency (NSA) official testified before Congress that the agency had worked on the operating system. 'Microsoft has not and will not put "backdoors" into Windows,' a company spokeswoman said, reacting to a Computerworld story Wednesday. On Monday, Richard Schaeffer, the NSA's information assurance director, told the Senate's Subcommittee on Terrorism and Homeland Security that the agency had partnered with the developer during the creation of Windows 7 'to enhance Microsoft's operating system security guide.' Thursday's categorical denial by Microsoft was accompanied by further explanation of exactly how the NSA participated in the making of Windows 7. 'The work being discussed here is purely in conjunction with our Security Compliance Management Toolkit,' said the spokeswoman. The company rolled out the Windows 7 version of the toolkit late last month, shortly after it officially launched the operating system."
I have no problem believing MS this time... (Score:5, Funny)
I believe Microsoft anytime that they would not build back doors into the system... If they tried, the backdoor would probably have enough bugs to be unusable.
Besides - doesn't it already state it in the story:
"Microsoft has not and will not put "backdoors" into Windows"
"the agency had worked on the operating system."
Seems pretty clear, MS did NOT put a backdoor into it... ;-)
Re:I have no problem believing MS this time... (Score:5, Funny)
Why would Microsoft build a back door into Win7, when the front door is so wide open?
Re: (Score:3, Funny)
Why would Microsoft build a back door when there are windows ?
Re:I have no problem believing MS this time... (Score:4, Funny)
oblig [krytosvirus.com]
Re:I have no problem believing MS this time... (Score:5, Insightful)
What the "we're able to shut down your computer if we suspect you may not have an authorized version of our software" backdoor isn't enough of a backdoor for them?
Re:I have no problem believing MS this time... (Score:4, Funny)
Because that's the procedure, dammit! This is the government, we follow a procedure! That's why we have three-coat toilet paper, we need 2 copies of every crap!
Re:I have no problem believing MS this time... (Score:4, Insightful)
Why would Microsoft build a back door into Win7, when the front door is so wide open?
Which is exactly why the NSA is contributing. Previously, the NSA would develop their own guide for locking down Windows. With WindowsXP they decided that effort was redundant and instead collaborated with Microsoft on their security guidelines and tools. The NSA also provides penetration and cryptographic expertise.
The NSA has an obvious interest in helping Microsoft produce a secure product as the govt uses it quite heavily. As for backdoors, you don't really need to insert backdoors in the form of undisclosed vulnerabilities. It would not surprise me if the NSA had access to the Microsoft signing keys which would be of great value for compromising a system.
It doesn't have to be used (Score:3, Insightful)
The best backdoors may be something left by some engineer, on purpose or not. Maybe it was just used for testing, to bypass authentication to get work done in an early state, and now it is still there. The thing is, if it's never being used, it's actually very hard to notice it. I have no trouble imagining all kinds of ways NSA could put in some hidden code, to bypass entry at network / OS level somehow. It's not like you have that many levels of security in hardware or software. Once you gain Ring0 or some
Re:I have no problem believing MS this time... (Score:5, Funny)
Re:I have no problem believing MS this time... (Score:5, Insightful)
To say it more clearly, the allegation is that NSA put the back door in, microsoft didnt deny it. They are using political speak to make is sound like nobody put back doors in.
An think about it, what self respecting intelligence agency wouldnt want a back door in windows. Their job is to collect intelligence, and windows is almost everywhere and handles lots of information.
It might sound paranoid to say windows is bugged by the NSA, but it totally ignorance to suggest they wouldnt want to bug it.
Re:I have no problem believing MS this time... (Score:5, Insightful)
.
An think about it, what self respecting intelligence agency wouldnt want a back door in windows. Their job is to collect intelligence, and windows is almost everywhere and handles lots of information.
It might sound paranoid to say windows is bugged by the NSA, but it totally ignorance to suggest they wouldnt want to bug it.
You are overlooking the fact that intelligence agencies are, also, usually tasked with preventing (as much as possible) foreign countries from collecting intelligence about the U.S. government. If Windows has a back door that the NSA can use, how would they prevent foreign intelligence agencies from using it? It is a well understood fact that any security vulnerability that is introduced will be discovered by those with nefarious goals (the NSA would not view their own goals as nefarious, but they would consider the goals of many foreign intelligence agents to be nefarious).
Re: (Score:3, Interesting)
Here's how...
Lotus Notes had 64bit crypto back when 40bit was the most you could export from the land of the free. Most companies introduced an export version of their product. Lotus did not.
How did they manage this and be compatible with the reulations? Every time Notes generated a 64bit key it copied 24 of those bits and encrypted them with a key owned by the NSA and sent that with the
The NSA has helped LInux in the same way, FFS (Score:5, Insightful)
Seriously, you're absolutely correct. The NSA has every incentive to improve the security of Windows, not compromise it. They did the same for Linux, where you can see the changes they made. In the past, they've made suggestions for improvements to encryption algorithms that academic researchers later realized had a sound mathematical basis. The NSA is as much about strengthening computer systems as they are compromising them. Hell, if in a particular situation they want to compromise the security of a system, all they usually have to do is ask (see: AT&T et. al.).
The thing is, they know that important information they want to be kept secret is going to exist on Windows machines. On Linux machines. On [x] machine that isn't necessarily controlled directly by the NSA.
And even outside such "National Security" secrets... The NSA may want to listen in on your phone calls, but it doesn't help them at all for every Tom, Dick, and Sally to have their credit card information stolen, their bank acccounts phished and plundered, and so on.
Re: (Score:3, Insightful)
If people can find general small scale security exploits in Windows, what makes you think they'd be able to hide a full blown back door?
Sorry but it's just fantasy, paranoia. We've had this theory before but no one ever manages to find any traces of this backdoor. If you have it installed you can dissect the OS to your hearts content, you can be rest assured for all the money and skill the NSA have it's nothing compared to the millions of researchers, hackers and criminals that would love nothing more than
Re:I have no problem believing MS this time... (Score:5, Insightful)
Or another reasonable conclusion: the spokesperson did not, in fact, talk to every single developer who may have worked with the NSA to confirm that no back door was put in, and managed to get independent "third-party" developers to code-review everything to confirm this, thereby saying the truth as s/he knows it, which does not need to line up with objective truth as it really is.
I've failed to keep count of the number of times I see a press release from $work claiming that we do or do not do something that I know damned well falls short of the truth. They don't usually ask me.
Re:I have no problem believing MS this time... (Score:5, Insightful)
Whether they did or did not put a back door in windows is arbitrary. What is of concern is a government department doing free work to improve the profitability of a single corporation against the corporate interests of every other competing corporation. Remember the screams coming out of Redmond when the NSA produce SE Linux, taht would be made available for free to all taxpayers.
Now you have the NSA and the department of defence attempting to prop up the security incompetence of a corporation at tax payer expense so that corporation can now turn around and charge their customers for work their customers already paid for.
If M$ is to security incompetent to produce reliable software, no government departments should be steeping ion to to their work for them they should simply stop using their software rather the propping up the company at taxpayer expense.
Besides everybody knows backdoors belong in hardware not software, any tech person with more than half a brain dual boots and uses the Linux side of things for anything they want to keep safe and secure, the windows side is built to power a game console and that's all it should be used for.
Re:I have no problem believing MS this time... (Score:4, Insightful)
Any admittance by Microsoft that they had would probably be deemed by the US government as a national security threat. Thus they are probably prohibited from saying anything other than a denial.
This is a company that was convicted of predatory criminal monopolistic practices. They were nearly torn in two. Suddenly it all ended for them as if it never happened and they came through with a sweet deal that gave them even greater market share for products (via their voucher system).
This same company holds the keys to 90% of the world's computers. The NSA has the dubious role of the most massive electronic communication surveillance entity in the world, of the world. Those two joined mean something other than what that denial professes.
You can rightfully imagine the dismay about their disclosure for any foreign government.
If you think there is going to be a serious threat of cyber-attack in the next 20 years, then you are more paranoid than all the tin hat wearing conspiracy theorists in all existence (past and present). At least, give the world those 20 years to undo that monopoly instead of using American tax payer dollars propping up that criminally convicted predatory monopolist.
Re:I have no problem believing MS this time... (Score:5, Interesting)
"Microsoft has not and will not put "backdoors" into Windows"
No, no, that's "will not put 'backdoors' into Windows 7"!
The "7" is important, because chances are high that the backdoors added to WinNT3.5 are still working just fine; no need to add any new ones! :)
(A lot of people picked up on the "MS didn't add it" vs. "NSA worked on it", but I haven't seen any other comments about possible pre-existing backdoors.)
Re: (Score:3, Insightful)
'snot funny.
This is one of open source's greatest strengths: it would be pretty hard to slip a back door into an open source program or OS.
The parent was j
Re: (Score:3, Insightful)
Re:I have no problem believing MS this time... (Score:5, Insightful)
One of the biggest reasons this country is falling apart? On his best night less than 1% of the country is watching his show. You give him way too much credit.
Re:I have no problem believing MS this time... (Score:4, Insightful)
Glenn Beck is not the problem; he merely is a symptom of it.
That said, Beck and his Fox News colleagues are indeed pouring gas on the fire. Other networks are helping by providing coverage to their non-stories. (The vaccine "controversy" being one such non-story that is touted by all networks, believed by liberals and conservatives alike, and has absolutely zero scientific evidence to back it up)
Re: (Score:3, Funny)
Hi, welcome to slashdot!
Re:I have no problem believing MS this time... (Score:4, Funny)
His album "Sea Change" is really great.
Or do you mean the other Beck, the one who's got the TV show and the crying and the blackboard and who is the spiritual leader of all US conservatives?
Well.. (Score:5, Funny)
At least, not intentionally.
Really people (Score:5, Insightful)
The NSA put the backdoor in the Intel compiler, that's a much better place to put a backdoor or more accurately spread a backdoor
Re: (Score:3, Insightful)
Re:Really people (Score:4, Funny)
The back door is usually considered "taboo" and therefore makes people feel like they're "bad-ass" (no pun intended). Plus, it's usually more pleasuring.
Re:Really people (Score:5, Funny)
>>>Who needs a back door when the front door is wide open?
"That's what she said!"
Re: (Score:3, Insightful)
>>>Who needs a back door when the front door is wide open?
"That's what she said!"
This is /. minimal sucess and experience with either.
Re: (Score:3, Funny)
>>>Who needs a back door when the front door is wide open?
"That's what she said!"
This is /. minimal sucess and experience with either.
Thanks. I WAS having a good day; now I'm depressed.
Re:Really people (Score:4, Funny)
along with the proper medical staff and defensive systems.
Re:Really people (Score:5, Insightful)
Or the network adapter firmware or the encryption libraries or the BIOS or the processor itself. Yeah, there's no reason to poke a hole in the OS itself when so much of what it depends on is at your finger tips.
What's more, the NSA does have a legitimate reason to be involved. It's the same reason they wrote the SE/Linux extensions. They are required (in their public role) to provide the federal government with analysis and review of software for security purposes. To avoid having the NSA say, "Win 7 is too insecure, don't use it," Microsoft would go to them for review and comments prior to release, and respond to whatever concerns they have.
People often forget that the NSA has a public function.
Re:Really people (Score:5, Insightful)
I'll leave you with that while I go to make my 30-char SSH password a little longer.
Re:Really people (Score:5, Insightful)
People often forget that the NSA has a public function.
Oh, I don't think anyone is forgetting that at all. It's just that the NSA cannot be trusted, and Microsoft cannot be trusted, and so when the two work together the result is something untrustworthy.
Re:Really people (Score:5, Funny)
They cancel each other out. So it is a positive.
Right?
Re: (Score:3, Interesting)
Re:Really people (Score:4, Informative)
I don't think it is. I think there's an internal compiler they use, not Visual Studio.
On the other hand... (Score:4, Insightful)
Not really necessary (Score:5, Insightful)
Odds are the NSA is privy to whatever the current exploits are for windows operating systems anyways. I wouldn't be surprised if they had staff working on breaking into Windows machines if for nothing else than attacks on targets outside the US.
Re:Not really necessary (Score:5, Insightful)
Yes, this.
And if they had smuggled something into it, the testimony before Congress would have been sealed. The fact we know about it without some kind of secret leak means that we can be confident the NSA did not think the disclosure was valuable intel.
Re:Not really necessary (Score:5, Insightful)
Wait a second
<paranoia intensity="100%"> But maybe that's what they want me to think
It's also contrary to the NSA's mission (Score:3, Insightful)
They are, in addition to gathering foreign intelligence, tasked with helping secure critical US systems. This means not only things like government systems, but our financial system too.
Thus far, they seem to do a pretty good job. An example is DES. IBM made DES back in the days when there really wasn't a public field of cryptography. It was more or less a government and math geek thing. Well the NSA consulted on DES. One of the controversial things they did was suggest changes to the S boxes. There was par
Re:Not really necessary (Score:5, Insightful)
I think it's much more likely that the NSA would partner with Microsoft to ensure that Windows is actually more secure, so that those same targets outside of the US cannot get into the US government systems.
The NSA doesn't need to rely on Windows to gain access to other networks, but considering the fact that many government systems are running Windows, the National Security Agency definitely has an interest in making sure those systems are secure.
Re:Not really necessary (Score:5, Informative)
I think it's much more likely that the NSA would partner with Microsoft to ensure that Windows is actually more secure
It's not "likely." It's their job [nsa.gov].
Re:Not really necessary (Score:5, Insightful)
Re:Not really necessary (Score:4, Interesting)
Re:Not really necessary (Score:5, Interesting)
I'd say a more likely NSA "backdoor" would be some sort of subtle flaw in the implementation of an encryption, hash or some other algorithm critical to Windows. NSA spends alot of time and money on cryptanalysis.
Re:Not really necessary (Score:5, Insightful)
Considering that historically the NSA has improved cryptographic implementations against attacks that were (at the time) unknown to the public, I'd say that's almost certainly BS. For example, DES. Even when their modifications appeared to be weakening the encryption algorithm, once the algorithm was a standard and other parties got around to hunting weaknesses for it, it was found that the modified version (which had become the standard) was far more resistant to attack. Turns out the attack had been known but kept secret, yet the algorithm had been modified to make the attack weaker.
TL;DR: No, the NSA uses their extensive cryptanalysis knowledge to take backdoors *out* of encryption, rather than to put them in. Remember: we (the US, including the government) use it too, and enemy forces might stumble upon any backdoor they leave/put in place.
"We did NOT put in a backdoor for the NSA." (Score:5, Insightful)
"It's for the RIAA."
Backdoor? (Score:3, Insightful)
Nah, it's all the front door - javascript through ie
With props to Bill Cosby (Score:5, Funny)
God: "NOAH!"
Noah: "What!"
God: "Noah, I did not put a backdoor in Windows 7."
Noah: "[...] RIGHT."
NSA helped on Linux as well (Score:5, Insightful)
The NSA did SELinux (for Linux...) so I don't think it's unreasonable to think they might have helped MS on security issues without doing anything nasty.
Re: (Score:2)
Mod parent up. I had the same thought.
Re:NSA helped on Linux as well (Score:4, Informative)
There was quite abit of concern that Microsoft put in a backdoor for the NSA on Windows 95 though Windows 2000.
http://news.bbc.co.uk/2/hi/sci/tech/437967.stm [bbc.co.uk]
It was never confirmed that a backdoor was installed.
Re:NSA helped on Linux as well (Score:5, Informative)
And they also recommended a couple of changes to DES when it was being developed:
http://www.schneier.com/blog/archives/2004/10/the_legacy_of_d.html [schneier.com]
Folks at the time thought it was some nefarious backdoor, but a couple of decades later came to realize it actually improved the security of DES.
Re:NSA helped on Linux as well (Score:5, Informative)
DES with twice the key length wasn't proportionally stronger, and the speed of computation was important enough that halving the key length with a negligible impact on strength was well advised.
3DES at 168 bits isn't nearly as strong, cryptographically, as AES or many other modern algorithms. Yet many of these algorithms can use 128-bit keys and 128-bit block sizes. So key size does not make the algorithm.
In hindsight, the NSA is fully validated on DES.
Re:NSA helped on Linux as well (Score:5, Interesting)
where all eyes in the world are watching what they do
I have never looked at the SELinux code.... have you?
More people than MS have Windows source code (Score:3, Insightful)
Many universities have it, among other institutions. It isn't open source, but it isn't some huge secret.
Also, who's to say that just because you have the source you can find a backdoor? It could be very cleverly disguised. There's a massive misconception in the OSS community that "many eyes" means "no possibility of problems." No, not so much. Back in 2000 there was a remote exploit discovered in every version of BIND, ever. Somehow, despite many people having looked at it, worked on it, etc, nobody had ev
Re:NSA helped on Linux as well (Score:4, Insightful)
You and thirty thousand other security researchers from every industrialized nation on Earth. That's the thing, 'Open Source Community' contains three important words.
of-course not (Score:2, Insightful)
'Microsoft has not and will not put "backdoors" into Windows,' a company spokeswoman said, reacting to a Computerworld story Wednesday.
- of-course you wouldn't. MS is a stand up company, known for ethical behavior, fair treatment of its users, etc. I mean, it would never!
Re: (Score:3, Insightful)
C'mon - name a single thing Microsoft would gain by having a backdoor into any Windows installation. Now count how many ways such a backdoor could bite Microsoft in the ass.
It makes zero business sense to create a backdoor in Windows.
Re: (Score:3, Interesting)
Hum. What's your machine like and what are these games? I haven't seen a VM that runs with the same performance as the native OS. For some games, that doesn't matter. For others, it definitely does.
I Tried to Interview Microsoft About This (Score:5, Funny)
Please, they have microphones in my clothes, on the desk, in the walls, the fly buzzing by your mouth is their robot!!! Meet me by the dumpster out back around 5pm, come alone.
Unfortunately I have a bad habit of reading things aloud when I read them and by the time I was finished the fly was gone and the man sitting across from me was dead. The government doctor that rushed in the room and gave him pentobarbital in an attempt to revive him said it was due to an aneurysm caused by a robotic fly which he says he sees a lot of so it's nothing for me to look into.
I guess there's no story here after all.
Re:I Tried to Interview Microsoft About This (Score:5, Funny)
MS marketing reps can't write.
Re:I Tried to Interview Microsoft About This (Score:4, Funny)
That story is patently absurd.
Whatever. You're just a patent troll.
Re:I Tried to Interview Microsoft About This (Score:4, Funny)
Idiocy of ComputerWorld and slashdot... (Score:5, Insightful)
ComputerWorld: "OMG NSA TROJANED WINDOWS 7"
NSA: "WTF? We made a document and stand-alone download..."
ComputerWorld: "CONSPIRACY!"
NSA: "Uh, we work with linux too you know... SELinux...?"
ComputerWorld: "FRONTPAGE HEADLINE NEWS! WINDOWS 7 BACKDOOR EXISTS!"
Slashdot: "ZOMG! NSA MADE A WINDOWS 7 BACKDOOR!"
I'm the NSA... (Score:5, Funny)
and Windows 7 was my idea.
Re:I'm the NSA... (Score:5, Funny)
and Windows 7 was my idea.
John Hodgman: "Hi, I'm a PC." ... I guess you know who to choose."
*silence*
John Hodgman: "Oh, and Mac couldn't be here today because Windows 7 fiddled with his brakes. So
A better "I'm a Mac" ad... (Score:5, Funny)
"Hi, I'm a PC"
and then the NSA guy with the latex glove enters the scene...
Strategic Defense Initiative (Score:5, Insightful)
No worries (Score:3, Insightful)
Ah.
Who needs a back door? (Score:5, Funny)
Despite many years’ warnings that Microsoft regards security as a marketing problem and has only ever done the absolute minimum it can get away with [today.com], millions of users who click on any rubbish they see in the hope of pictures of female tennis stars having wardrobe malfunctions still fail to believe that taking Windows out on the Internet is like standing bent over in the street in downtown Gomorrah, naked, arse greased up and carrying a flashing neon sign saying “COME AND GET IT.”
Microsoft cannot believe people have not applied the patch for the problems, just because they keep trying to use Windows Genuine Advantage to break legally-bought systems. “Don’t they trust us?” asked marketing marketer Steve Ballmer.
Millions of smug Mac users and the four hundred smug Linux users pointed and laughed, having long given up trying to convince their Windows-using friends to see sense. “There’s a reason the Unix system on Mac OS X is called Darwin,” said appallingly smug Mac user Arty Phagge.
“It can’t be stupid if everyone else runs it,” said Windows user Joe Beleaguered, who had lost all his email, business files, MP3s and porn again. “Macs cost more than Windows PCs.”
“Yes,” said Phagge. “Yes, they do.”
Ubuntu Linux developer Hiram Nerdboy frantically tried to get our attention about something or other, but we can’t say we care.
Re:Who needs a back door? (Score:5, Funny)
What about all three of the BSD users?
This is silly (Score:4, Funny)
Of course you can trust the government. I mean, this is the NSA we're talking about. They're on YOUR side.
And as for Microsoft, or any other multinational company for that matter, they have grown to the size that they are because they are 100% honest to goodness hard working souls that, when faced with a decision, will always take the ethically correct side. I mean that's how you get fantastically rich, isn't it? Ask our hard working friends at Goldman Sachs, for example!
I'm shocked that you could even consider that Microsoft could be lying. I mean, what happens if they get caught lying? Surely the "back door" would be right there in the source code for all to see, and they'd be found out right away. Oh, wait... sorry, you don't get to see the source code. But Microsoft apologized for violating the GPL, that makes them GOOD guys. You're not suggesting that if anyone ever DID find out some sort of way to control a Windows machine, all they'd have to do is call it a "security vulnerability" and issue a patch (with a different back door) for it, are you?
Probably easier to back door Linux. (Score:5, Interesting)
You know, its funny, but if the NSA ever got its hooks into a repository, it could do all sorts of fun stuff that way in Linux. We only "trust" Linux because Linux is a huge trust circle. WE trust it because its open, and assume that someone else must have looked at it. But I have about as much idea of what's going on inside of my Ubuntu as I did my Windows, from a backdoor perspective.
Re: (Score:3, Interesting)
> But I have about as much idea of what's going on inside of my Ubuntu as I did
> my Windows, from a backdoor perspective.
However, hundreds of highly skilled Debian Developers know exactly what is going on inside Debian. And many of them live outside the USA and don't particularly like or trust the US government. Many of those same people are also Ubuntu developers. While it is not inconceivable that some agency (not necessarily of the US government) might slip a trojan in, it is highly unlikely.
If
Re: (Score:3, Interesting)
Nust choose one of the zillions of existing exploits and be happy.
This could just as easily be used as an argument for Windows according to Slashdot, which would argue against NSA trying to put a backdoor into Windows.
OP is still right, though, isn't he? Hundreds of highly skilled Windows developers know exactly what is going on inside Windows just as much as the hundreds of Debian developers know about Debian. Except there are probably more Windows developers. Not all of them "like or trust the US government" and certainly not all of them have been paid off, like it s
A test? (Score:5, Interesting)
This should keep the developers on their toes and give us some confidence that the code IS being audited properly.
In particular (Score:3, Interesting)
They could do something evil like the famous C compiler backdoor. You infect only binary components. So no matter how carefully the code is audited, there is nothing in there. However, when said code is compiled on an infected system, it produces infected binaries. So people have the illusion of security with it. They build from source because they want to make sure what they have hasn't been changed, but they tools they use are compromised so the final system is compromised, though no trace is in the code.
The lady doth protest too much, methinks (Score:4, Insightful)
MSFT would sell their children's souls to keep Windows on the government's desktop PCs.
Oh sure, there's a back door in Windows 7 (Score:3, Funny)
NSA is into many OS' (Score:3, Interesting)
Comment removed (Score:5, Insightful)
Joshua (Score:3, Funny)
Never believe something until... (Score:5, Insightful)
Never believe something until it is officially denied. :o)
Re: (Score:3, Insightful)
Transcript of Internet Caucus Panel Discussion. (Score:3, Informative)
Re: Administration's new encryption policy.
Date: September 28, 1999.
Weldon statement. [techlawjournal.com]
That's it this confirms it! (Score:3, Interesting)
The NSA has not put a backdoor in Windows. When the intelligence agencies comment on these matters, the answer is always "We will neither confirm or deny...." which always implies that they had some role in the matter. Now that both MS and the NSA have publicly stated that no backdoor was installed in Windows, and is such a departure from the usual PR stance that it is impossible to conclude otherwise that such a backdoor was not and would never have been installed.
Barring my sarcasm, I would think that there is more at stake in securing Windows than putting a backdoor in it. Chances are, if there is a backdoor, than others will find it which makes it a futile effort. I think of it this way. It would be one thing to backdoor Windows, if you wanted to spy on Joe citizen or a terrorist. But, Windows is used throughout businesses within the US: Banks, Utilities, major industry, government, law enforcement, etc. Such a Trojan whether on desktop PCs or on Servers could cause major economic and security repercussions. As others have pointed out, the NSA has released other products to help in security like SE Linux and various encryption algorithms which AFAIK have stood up to independent audits by experts.
They were probably tasked with only looking at certain portions of the Windows code anyways much like they had likely done with previous versions of Windows and maybe other major OSes. There's been plenty of bugs found since in Windows that no matter how much auditing of code in any OS, being found out of planting a Trojan has many more consequences that exploiting holes that are already there anyways.
It's not a back door... (Score:3, Insightful)
A "back door" that big brother could exploit would not need to be the result of a conspiracy against citizens or anything nefarious on the part of M$, just the usual incompetence.
There's more than one way (Score:5, Interesting)
Like any other intelligence agency, spying on people who use Windows would be a prime goal, but there's plenty of malware out there to do that, with Microsoft and the security industry formed to fix the holes left by Microsoft's technical incompetence can only fix so much. There's no reason why the NSA couldn't develop their own malware with VB and run it like any other criminals, without any collusion with Microsoft at all.
Given the fact that Windows is as secure as a paper tank at the best of times, and the governments of the world seem to want to insist that people use Windows, it's mot hard to imagine Microsoft suits using the "hey if you force your people to use our software, you can spy on what they do with them much easier" as a reason NOT to support calls for a FOSS / Linux switch.
Given how many crimes Microsoft get away with in more jurisdictions it's also not hard to imagine a meeting where Microsoft agree to turn a blind eye to malware from certain sources in return for cases being dropped, or friendly judges put on the case who will promptly find in favour of Microsoft, and dismiss any logical evidence that they've done anything wrong.
As far as "it's in our interests to make Windows secure as we use it", how much of the US defense network still use Windows? I've noticed some have switched to Linux, while Microsoft had to create a special "secure XP" for them because the regular one wasn't up to the task. How easy would it be for the entire network to switch to Linux to protect itself while endorsing Windows for everyone else as it gives them and easy target to hit if they need to? They could even get Linux to pretend it's Windows when queried so nobody outside would know.
Remember most govt departments are VERY partisan, they don't like to co-operate as much as they should. They don't like sharing stuff that would help everyone because if only they do it and look good, they look even better in comparison to other departments who didn't do it. The contrast is even wider.
NOBODY is mentioning FIPS? (Score:5, Interesting)
My limited understanding of FIPS compliance is such that I thing the likelihood is much higher that the involvement of the NSA is to work with Microsoft (as they have others) to make sure the right libraries are used and so on for FIPS compliance. If you want to sell software to the US Government, it must be FIPS compliant.
The following is my understanding (which is likely flawed in some ways, but I think is fairly close to accurate) of how FIPS works (Taken from a response I wrote to someone else about this).
In all likelihood, this is all about their encryption being FIPS compliant and has nothing to do with backdoors.
The way I understand FIPS (because I got a mini-lesson on it during an SDR as they were doing it for [another software product I work with alot]) you have to use very specific encryption protocols that not only meet the standard for the encryption routine (e.g. RSA, or whatever) and the bit-size, but you have to use one of a specific set of approved implementation libraries.
That means you can use the exact same encrypting schema and key size as FIPS specifies, but if you don't do the encryption with an approved library, you're not compliant.
The rules get weirder from there. If you are required to be FIPS compliant at work, and must send something encrypted, you have to send it to someone who is also FIPS compliant. -- follow this logic now -- if you have to send it to someone who is NOT compliant, even though they use compatible encryption/decryption code and have exchanged keys with you, you CANNOT send them the encrypted file because their libraries are not FIPS compliant. You can, however, send them the file IN THE CLEAR if you decide it's safe to do so.
In other words, FIPS says it is better to send something in the clear if you cannot be sure the other end is FIPS compliant, even if they can decrypt what you're sending.
That's your government at work.
BTW: The routines which ARE certified have been fully vetted by many government and non-government people, and do not contain any special code in them that would lead to making decryption by the NSA any easier than it would otherwise be. Since the routines are by nature just implementation of well know encryption standards, the only way to do that would be to interrupt the key pair creation process and use "less random" seeds. I don't believe FIPS specifies the random number generation routine used.
Hope this helps.
Why does the NSA work on Windows? (Score:3, Interesting)
The code they produced belongs to the public, because the public paid for it! If Microsoft doesn't open that code, they're stealing from the tax-payer!
If the NSA wants to know what you're thinking. . . (Score:3, Interesting)
If the NSA wants to know EVERYTHING about you, they have far better ways than installing active spyware on your system to do it.
There is a record somewhere of everything you've ever downloaded or uploaded. Every Google search you've ever performed. Encryption breaking is pointless because they have the ability to know what you type as you type it. Heck, they probably have the ability to know what you think as you think it.
Did you know that you can read an RFID tag from orbit? --People know about the max distance a tag can be charged from, and it is indeed a few feet, but the distance from which it can be read is much greater. If the detector is good enough. . .
Did you know you can use a light bulb as an active antenna? Any bit of circuitry, for that matter, even powered down, still processes EM wave forms and can be used to snoop. The idea of the NSA messing around with malware in order to spy on computer users is like comparing Donkey Kong to today's modern game systems.
The only reason the NSA might encourage the belief that they have proprietary code built into a Microsoft product would be to mislead people into thinking that they work within the same baby-fences as the rest of us free range serfs.
-FL
It's a GUIDE (Score:3, Informative)
DISA and the NSA produce guides.
http://iase.disa.mil/stigs/stig/index.html [disa.mil]
http://www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml [nsa.gov]
They're patting one another on the back because they worked on the guide before Windows 7 was released.
Re:Well (Score:5, Funny)
This is true. However, I plan to register microsoftrapedandkilledandembeddedinwindows7ayounggirlin2009.com because they haven't denied that they have not.
Re: (Score:3, Funny)
> The NSA, CIA or FBI made the backdoor. And then forced Microsoft to include
> it in the final build of the OS.
In that case it might actually work.
Re: (Score:3, Interesting)
Re: (Score:3, Interesting)
That's a comforting belief, but you underestimate the ability of law enforcement to gather evidence that's either illegal or would reveal sources and methods (or in this case, likely both), use that knowledge to "stumble" on some information, and u