Ex-NSA Analyst Warns Of NSA Security Backdoors
jagger writes: "In this ZD-Net article ex-NSA analyst Wayne Madison has issued a warning about many proprietary software packages coming bundled with NSA backdoors. This must be very troubling for non-US governments, because it means that they have no security against anyone knowing the backdoor. " This is one of the reasons China has cited in wanting to use Open Source and home-cooked solutions.
If you read the article more carefully, you'll see that this guy has been "ex"-NSA for a long time. He probably has no idea of what the current position on software is inside the agency itself. If he did, he certainly wouldn't be allowed to release it.
If anyone has any actual hard evidence for or against NSA backdoors in commercial software, I'd be very interested in seeing it. Meanwhile, it looks like we'll have to put up with the usual conspiracy stuff.
This is not exactly new news; many people may remember how a certain Melissa virus author was tracked down due to some serial number in the Microsoft software he was using (if memory serves correctly).
And while I think this is a valid reason to use open source, we should remember that unless we compile the software we use ourselves from our own source that we ourselves have checked, we can never be sure that there is no backdoor in our software. I speculate most people are not willing to wade through literally millions of lines of source and compile by hand each program they use to ensure that "the man" is not watching them. However, the article (which refers to the NSA agent as a "spook") does not mention why he is an ex-NSA agent. What is the reason he is no longer with the NSA, and why is he so freely admitting these facts? Having had clearance in the past, I know very well that you need to sign numerous agreements which state you can be imprisoned indefinitely without trial if you violate said agreements. You basically sign over your rights as a US citizen to obtain that kind of security clearance. This story raises some good issues about how much we as citizens should trust our government and our software, as well as raising the ire of many foreign nations using US software. But there is always a nagging doubt in my head when we hear stories from ex-employees and no information is given about why they are ex-employees.
But in general this news is not really new. The government has had backdoors in software as long as software has been around. And this has been shown in the press before to be true.
I do think however this presents those of us in the open source world with a strong argument in favour of open source software with respect to dealing with trusted programs.
Regards...
*sigh* I can understand why the NSA wants to be able to monitor Internet traffic. National security and all that.
BUT.
There is wayyy too much room for abuse.
I, for one, wouldn't want my software to be sending data to NSA or any other place without my knowing.
I'm glad that Open Source is where it's at today. It would be our worst nightmare if Open Source hadn't gained enough widespread acceptance and entities like the NSA lobbied for outlawing Open Source software for "security reasons". I mean, it's very conceivable that your local ISP would only grant you access if you installed their proprietary software, which contains who knows what kinds of backdoors. Good thing open source systems like Linux are so widely available, and not locked into any proprietary vendor, so that ISPs *have* to allow users not to use their software.
Thank God for open source software...
OTOH, I think the NSA is shooting itself in the foot. Foreign governments aren't gonna put up with this backdoor nonsense in *their* software. So open source is going to become even more attractive, which will be good for all of us.
---
mikre he sophia he tou Mikrosophou.
you know that there's a problem when CHINA gets it right...
"I hope I don't make a mistake and manage to remain a virgin." - Britney Spears
Even if you have the source, that isn't a 100% guarantee that there aren't any back doors. Surely everyone remembers the famous Ken Thompson article about the back door in login with support in the C compiler, which is even referenced in the Jargon File.
One more drink, and I'll move on. --Dave Matthews Band
Microsoft always leaves the toilet seat up.
Microsoft chews with its mouth open.
Microsoft left its cell phone on during a movie, and answered it when it rang.
Microsoft snores in bed.
Oh yah - let's see we've got:
all in one story. It's like the story was written to be posted on /. for crying out loud!
Furthermore, it lacks any real meat. This Madison guy isn't saying that they are doing it: "Ex-spook believes", "applications may have backdoors" (emphasis mine). It's nothing definite, just this one guy's beliefs. And if he used to be an analyst, shouldn't he know this rather than succumb to conjecture? The article got one thing right though: he's "fuelling conspiracy theories".
Now I hate MS as much as the next guy, but I also believe in the principle: don't ascribe to malice what can be explained by stupidity. I think they gave a reasonable explanation of the whole NSA key thing back when that happened. They also made the very valid point that it's not in their best interests to do something like that, because if a foreign nation found out, MS would be skinned alive. Furthermore, I think people give the NSA too much credit: despite all the talented people they have, they're still a government agency and as such tend to be resource limited. Can you imagine how much computational power would be required for Echelon to actually do everything that people claim it can? Do you think even the US Government has that type of money, and could spend it in a covert manner even if it did? If you do, I think you give bureaucracy too much credit.
Standard disclaimer: these opinions are entirely my own. My employer may well disagree with me; I can't speak for them.
-"Zow"
In later years, the NSA and other NATO intelligence agencies arranged for subtle defects to be added to the systems sold by Crypto AG.
I wouldn't doubt that the NSA is still trying to get backdoors installed in commercial software. How successful they've been is an open question.
Xerox provided the Soviet embassy in Washington with a photocopy machine that had a "special feature", a well hidden camera that photographed every document that was copied.
Mea navis aericumbens anguillis abundat
In small print, printed on the backside of the seal you have to break, thereby agreeing to the EULA, "contains less than 3% backdoor code; percentage measured by volume and may not apply to this release as code does not occupy space".
My mom is not a Karma whore!
seineeweraseipsteivos
As a journalist, I can tell you that this smells as fishy as they come. I say the guy's a self-promoter hyping himself by exploiting paranoia. If he's brave (and informed) enough to go public with this kind of inflammatory charge, he should be brave and informed enough to be able to name a single app that has such a backdoor (and, no, Carnivore doesn't count. Sheesh!).
I'll call him on it. Name 'em or shut up.
This is a hard story to believe. If there are backdoors, then there has to be a way for the NSA to transfer the information gleaned. Surely someone would have noticed activity like this. RealAudio certainly didn't get away with it for long. Not to mention the likelihood that someone in one of the companies is going to notice and talk. His hedging language ("may have backdoors"), means he has no direct knowledge. If that's the game, I can warn of lots of things the NSA "may" be doing as well. Did you know that the NSA may be secretly running SlashDot? (And apparently deliberately botching the job ...)
"If I have seen further than other men, it is by stepping on their glasses." - Michael Swaine
Extremely bloated commercial software may contain full fledged flight simulators and pictures of the software designers. It is also suspected that some software may harbor dancing blue elephants.
Seriously folks, does it take 30 Megs of software to read email? Not only is it likely that large software houses are cooperating with the US government, it is probable.
I was working at an AT&T plant as a technician several years ago, and one of our projects was a device about the size of a Palm Pilot. You plug your handset into it, then plug it into your telephone. The person on the other end used a similar device, and with one button press you got instant voice encryption. We built hundreds. I tested a large portion personally. Then I personally helped tear them apart and install the clipper chip after the FEDS moved in. Funny, but we didn't build anymore after that.
We also built another telephone. It's the one that Harrison Ford uses on Air Force One. Not the little satellite phone, the big white desk phone. We had to count the ICs that did the cryptography for that every morning and evening. The phones had to stay under lock and key at all times. Not that it has any relevance here, just to note that the FEDs will control cryptography and if you trust anything they approve of, you're going to be tracked.
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
That is not to say that the NSA did not have some influence on the design (back before the rules changed and put the FBI and State Department in charge of export procedures). The NSA really discouraged (using the export license stick) the use of triple-DES. The fact that they discouraged certain design types is pretty much public knowledge.
What is less known is that the NSA did a thorough examination of the product. In order to get an export license, the NSA also had to review the product: all specifications, code, manufacturing diagrams, sample devices. They also requested and got our future product plans. It is my impression that the NSA did this future product research everywhere they could.
So this means the NSA knew all details of any crypto product that was being exported. They knew the specifications, and in some cases the future product directions. I never heard of a case where the NSA would come back after a product evaluation and say "you have a security hole". In summary, even without a formal backdoor, they have (had?) a lot of knowledge.
PS: When I hear about ex-NSA members joining public companies, I wonder how many of my company's ideas (forcefully obtained by USA export regulations) went with them. You might say the NSA was all-knowing, so there was nothing to steal. The truth is that the NSA was really into military uses (they supposedly passed up developing public key algorithms because they did not have any use for them). Don't underestimate the value of a practical, commercially related applied cryptography use.
- MbM
For those who don't see where I'm going: one of the early unix guys (Ken Thompson if I remember right) created a version of login with a backdoor for him to get in. Then he created a C compiler that could tell if login was being compiled and if so insert his backdoor. Then he modified the C compiler to check if it was compiling itself and if so insert both hacks. Soon he was able to (but claims he never did) distribute a C compiler that looked normal, yet would give him access to any machine.
It wouldn't have been hard to put this hack into compilers, so long as they started early and had some assistance. There must be someone at MIT who can be bribed (there always is) to put it into any binaries on ftp.gnu.org. Sun is a closed company, and easily bribed to put it into their code. Of course we are today in a maze of unixes, all different (4 BSDs, SCO, Linux, Solaris, Irix, AIX, HP-UX, and probably others I've forgotten). You get the idea though.
I'm not saying that the NSA and the DOJ are the same thing. I'm not saying they aren't, either.
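The compiler backdoor referred to in the earlier comment about the Ken Thompson article and spelled out in the post above is easy to misread as "a compiler with a bug in it". What makes it nasty is that the backdoor survives rebuilding the compiler from audited, clean source. The toy below is an added example (it is not code from the ZDNet article, from Thompson's paper or from any post in this thread): the "language" is Python itself, the honest "compiler" is the identity function, and the program names, the `login` check and the implanted password `ken` are all assumptions made for the demonstration. The `cross_check` function at the end is the one practical countermeasure, comparing the output of a suspect compiler against that of an independently built one (the idea behind David A. Wheeler's diverse double-compiling), shown here in miniature.

```python
"""Toy reproduction of the 'Reflections on Trusting Trust' compiler backdoor.

Added example, not from the article or the thread. A 'binary' is the text
that exec() runs; the honest compiler returns its input unchanged.
"""

# Honest, auditable source for the two programs in Thompson's story.
LOGIN_SRC = (
    "def login(user, password):\n"
    "    return user == 'alice' and password == 'correct horse'\n"
)
COMPILER_SRC = (
    "def compile(src):\n"
    "    return src\n"
)

# Payload the trojaned compiler appends to every compiler it builds. It is a
# quine: _T holds the template and _T % _T regenerates the full payload, so
# each new compiler binary carries an exact copy with no trace in
# COMPILER_SRC. '%%' becomes a single '%' after formatting.
_TEMPLATE = r'''
_T = %r
_PAYLOAD = _T %% _T
_honest_compile = compile
def _infect(out):
    # hack 1: recognise login and plant a second password (assumed: 'ken')
    if out.startswith("def login(user, password):\n"):
        out = out.replace(
            "def login(user, password):\n",
            "def login(user, password):\n"
            "    if password == 'ken':\n"
            "        return True\n", 1)
    # hack 2: recognise the compiler itself and re-plant this whole payload
    if out.startswith("def compile(src):\n"):
        out = out + _PAYLOAD
    return out
def compile(src):
    return _infect(_honest_compile(src))
'''
PAYLOAD = _TEMPLATE % _TEMPLATE


def run(binary: str) -> dict:
    """Execute a 'binary' on the toy machine and return its namespace."""
    ns = {}
    exec(binary, ns)
    return ns


def accepts_backdoor(compiler) -> bool:
    """Compile LOGIN_SRC with `compiler` and probe for the planted password."""
    login = run(compiler(LOGIN_SRC))["login"]
    return login("anyone", "ken")


def bootstrap_chain(generations: int = 3) -> list:
    """Start from a compiler binary that was hand-patched exactly once, then
    rebuild the compiler from its clean source `generations` times. Returns
    whether login, as built by each generation, accepts the backdoor."""
    honest = run(COMPILER_SRC)["compile"]
    patched_once = honest(COMPILER_SRC) + PAYLOAD   # the single manual tampering
    compiler = run(patched_once)["compile"]
    results = []
    for _ in range(generations):
        # The source fed in is the audited, clean COMPILER_SRC every time.
        compiler = run(compiler(COMPILER_SRC))["compile"]
        results.append(accepts_backdoor(compiler))
    return results


def cross_check(suspect, trusted) -> bool:
    """Diverse double-compiling in miniature: build the compiler source with
    an independent trusted compiler and compare outputs byte for byte.
    Returns True only when the suspect compiler's output matches."""
    return suspect(COMPILER_SRC) == trusted(COMPILER_SRC)


if __name__ == "__main__":
    honest = run(COMPILER_SRC)["compile"]
    print("honest compiler, login accepts 'ken':", accepts_backdoor(honest))
    print("backdoor per generation after clean rebuilds:", bootstrap_chain())
    tainted = run(honest(COMPILER_SRC) + PAYLOAD)["compile"]
    print("tainted compiler passes cross-check:", cross_check(tainted, honest))
```

Reading `COMPILER_SRC` tells you nothing; only comparing what the compiler emits against an independent build does. In real toolchains the independent build is another compiler (or an older bootstrap chain) and the comparison is of the rebuilt binaries, but the logic is the same as `cross_check`.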
So you aren't saying anything are you?
DrLunch.com The site that tells you what's for lunch!
Back before export restrictions were loosened (1996), Lotus worked out a "deal" with the NSA that would allow them to export 64-bit encryption internationally in Lotus Notes. For the international versions, they took 24 bits of the private key and encrypted them with the NSA's public key, so that (in theory) the NSA would get these 24 bits for "free", and would only need to crack the remaining 40 (which was export legal). The theory was that this was ultimately better for their international customers, since they'd have 64-bit protection from everyone except the US government. (I won't waste space by pointing out the obvious problems with this approach.)
This was publicly announced and the technical details disclosed, so while it isn't great conspiracy fodder, it does point to close collaboration between the NSA and at least one major software company...
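The mechanics of the Lotus arrangement described in the post above are worth seeing concretely, because the asymmetry is the whole point: the field travelling with the message costs every other attacker nothing, but reduces the holder of one private key from a 64-bit search to a 40-bit one. The code below is an added example and is not Lotus's implementation; the RSA key standing in for the NSA's (two seven-digit primes, far too small for any real use), the hash-based stand-in for the 64-bit cipher and the sample key and message are all constructed for the demonstration. The sample key is deliberately given small low-order bits so that the escrow-assisted search terminates in a few hundred trials; the search it performs is still over the full 40-bit space.

```python
"""Toy model of the 'differential workfactor' export scheme described above.

Added example, not Lotus's code. Every constant below is a demo assumption.
Requires Python 3.8+ for pow(e, -1, phi).
"""
import hashlib

KEY_BITS, ESCROW_BITS = 64, 24
SEARCH_BITS = KEY_BITS - ESCROW_BITS        # 40 bits left for the field's owner

# Toy RSA key pair standing in for the escrow (NSA) key. Constructed primes,
# chosen only so that a 24-bit value fits under the modulus.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def split_key(key: int):
    """Top 24 bits (escrowed) and low 40 bits (still secret from everyone)."""
    return key >> SEARCH_BITS, key & ((1 << SEARCH_BITS) - 1)


def workfactor_reduction_field(key: int) -> int:
    """Attached to the message: the top 24 key bits encrypted to the escrow key."""
    top, _ = split_key(key)
    assert top < N, "escrowed value must fit under the modulus"
    return pow(top, E, N)


def open_field(field: int) -> int:
    """Only the escrow private-key holder can recover the 24 bits."""
    return pow(field, D, N)


def toy_encrypt(key: int, msg: bytes) -> bytes:
    """Stand-in for the 64-bit cipher: XOR with SHA-256(key), one block only."""
    pad = hashlib.sha256(key.to_bytes(8, "big")).digest()
    return bytes(m ^ p for m, p in zip(msg, pad))


def brute_force(ct: bytes, known_pt: bytes, top_bits=None, limit=1 << 20):
    """Known-plaintext key search. With `top_bits` (from open_field) only the
    low 40 bits are unknown; without it the top 24 must be searched as well.
    Returns (key, tries), or (None, tries) once `limit` trials are exhausted."""
    tops = [top_bits] if top_bits is not None else range(1 << ESCROW_BITS)
    tries = 0
    for top in tops:
        for low in range(1 << SEARCH_BITS):
            tries += 1
            if tries > limit:
                return None, tries - 1
            cand = (top << SEARCH_BITS) | low
            if toy_encrypt(cand, known_pt) == ct[: len(known_pt)]:
                return cand, tries
    return None, tries


def search_space(knows_escrowed_bits: bool) -> int:
    """Number of candidate keys each party faces."""
    return 1 << (SEARCH_BITS if knows_escrowed_bits else KEY_BITS)


if __name__ == "__main__":
    # Constructed demo key: arbitrary top 24 bits, small low 40 bits so the
    # assisted search below finishes quickly.
    key = (0xABCDEF << SEARCH_BITS) | 0x2A7
    msg = b"Lotus Notes test message"          # constructed sample plaintext
    ct = toy_encrypt(key, msg)
    field = workfactor_reduction_field(key)   # ships alongside ct

    print("search space without the private key: 2^%d" % search_space(False).bit_length())
    print("search space with the private key:    2^%d" % search_space(True).bit_length())
    print("with escrow:   ", brute_force(ct, msg[:8], top_bits=open_field(field)))
    print("without escrow:", brute_force(ct, msg[:8], limit=1 << 16))
```

Note the two things the post's "obvious problems" covers: the field is only as secret as one private key, and anyone who recovers the 24 bits by other means (or who can talk the sender into using a weak key) gets the same reduction.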