Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ex-NSA Analyst Warns Of NSA Security Backdoors

Posted by Hemos on from the no-trust-closed-source dept.

jagger writes: "In this ZD-Net article ex-NSA analyst Wayne Madison has issued a warning about many proprietary software packages coming bundled with NSA backdoors. This must be very troubling for non-US governments, because it means that they have no security against anyone knowing the backdoor. " This is one of the reasons China has cited in wanting to use Open Source and home-cooked solutions.

12 of 205 comments (clear)

  1. Software *may* come bundled... by AdamHaun · · Score: 4

    If you read the article more carefully, you'll see that this guy has been "ex"-NSA for a long time. He probably has no idea of what the current position on software is inside the agency itself. If he did, he certainly wouldn't be allowed to release it.

    If anyone has any actual hard evidence for or against NSA backdoors in commercial software, I'd be very interested in seeing it. Meanwhile, it looks like we'll have to put up with the usual conspiracy stuff.

    --
    Visit the
  2. Too much room for abuse by Gurlia · · Score: 5

    *sigh* I can understand why the NSA wants to be able to monitor Internet traffic. National security and all that.

    BUT.

    There is wayyy too much room for abuse.

    1. You have the problem of who guards the guardians. The backdoors are OK as long as the NSA can be trusted not to abuse them by exploiting them when not appropriate. But can you trust the guardians? Who guards the guardians?
    2. You have the problem of leaked information -- how do you know whether some terrorist group or something like that has obtained leaked information about these backdoors? They could be abusing these backdoors to their own ends.
    3. OK, the terrorist part may be overly paranoid. But what stops people from exploiting these backdoors to, say, violate your privacy by keeping logs of what websites you visit?
    4. If things like this become too popular, we might see the day when we're required to only use software that has these backdoors...

    I, for one, wouldn't want my software to be sending data to NSA or any other place without my knowing.

    I'm glad that Open Source is where it's at today. It would be our worst nightmares if Open Source hadn't gained enough widespread acceptance and entities like the NSA lobby for outlawing Open Source software for "security reasons". I mean, it's very conceivable that your local ISP will only grant you access if you install their proprietary software which contains who knows what kinds of backdoors. Good thing open source systems like Linux is so widely available, and not locked into any proprietary vendor, so that ISPs *have* to allow for users to not use their software.

    Thank God for open source software...

    OTOH, I think NSA is shooting themselves in the foot. Foreign goverments aren't gonna put up with this backdoor nonsense in *their* software. So open source is going to become even more attractive, which will be good for all of us.
    ---

    --
    mikre he sophia he tou Mikrosophou.
    1. Re:Too much room for abuse by John+Jorsett · · Score: 5
      I have a question. Does it really matter if they watch you? There are laws covering what they can and cannot use as evidence agianst you. If they had a folder of you doing subversive freaky things....so what? They can't use it unless they had a reason to suspect you in the first place.

      There's a doctrine in U.S. case law, articulated by the Supreme Court as "Fruit of the poisoned tree". It means that you can't use evidence obtained illegally as the reason for going in and collecting legitmate evidence. If you don't know that they're collecting data and you send email talking about your marijuana farm and then the DEA is tipped off (by an 'anonymous' source), this would be a violation of that doctrine, but you'd never be able to prove it.

  3. Sure there is by Anonymous Coward · · Score: 5
    Microsoft cut me off at the intersection of 4th and Main this morning.

    Microsoft always leaves the toilet seat up.

    Microsoft chews with its mouth open.

    Microsoft left its cell phone on during a movie, and answered it when it rang.

    Microsoft snores in bed.

    ...

  4. /. fodder by "Zow" · · Score: 4

    Oh yah - let's see we've got:

    • The NSA
    • Export restrictions on crypto
    • Microsoft
    • Open Source
    • The FBI
    • Carnivore and
    • Echelon

    all in one story. It's like the story was written to be posted on /. for crying out loud!

    Furthermore, it lacks any real meat. This Madison guy isn't saying that they are doing it: "Ex-spook believes", "applications may have backdoors" (emphasis mine). It's nothing definite - just this one guy's beliefs. And if he used to be an analyst, shouldn't he know this rather than sucumb to conjecture? The article got one thing right though: he's "fuelling conspiracy theories".

    Now I hate MS as much as the next guy, but I also believe in the principle: Don't subscribe to mallice what can be explained by stupidity. I think they gave a reasonable explaination of the whole NSA key thing back when that happened. They also made the very valid point that it's not in their best interests to do something like that because if a foreign nation found out, MS would be skinned alive. Furthermore, I think people give the NSA too much credit - despite all the talented people they have, they're still a government agency and as such tend to resource limited. Can you imagine how much computational power would be required for Echelon to actually do everything that people claim it can? Do you think even the US Government has that type of money and could spend it in a covert manner even if it did? If you do, I think you give bureaucracy too much credit.

    Standard disclaimer - these opinions are entirely my own. My employeer may well disagree with me - I can't speak for them.

    -"Zow"

  5. Microsoft's New Marketting Slogan by gunner800 · · Score: 4
    In big, bright letters on the package: "Now 97% backdoor free!"

    In small print, printed on the backside of the seal you have to break, thereby agreeing to the EULA, "contains less than 3% backdoor code; percentage measured by volume and may not apply to this release as code does not occupy space".


    My mom is not a Karma whore!

  6. And the password would be... by blogan · · Score: 5

    seineeweraseipsteivos

  7. Name 'em by zlite · · Score: 4

    As a journalist, I can tell you that this smells as fishy as they come. I say the guy's a self-promoter hyping himself by exploiting paranoia. If he's brave (and informed) enough to go public with this kind of imflammatory charge, he should be brave and informed enough to be able to name a single app that has such a backdoor (and, no, Carnivore doesn't count. Sheesh!).

    I'll call him on it. Name 'em or shut up.

  8. In further news... by Shotgun · · Score: 5

    Extremely bloated commercial software may contain full fledged flight simulators and pictures of the software designers. It is also suspected that some software may harbor dancing blue elephants.

    Seriously folks, does it take 30Megs of software to read email. Not only is it likely that large software houses are cooperating with the US gov, it is probable.

    I was working at an AT&T plant as a technician several years ago, and one of our projects was a device about the size of a Palm Pilot. You plug your handset into it, then plug it into your telephone. The person on the other end used a similar device, and with one button press you got instant voice encryption. We built hundreds. I tested a large portion personally. Then I personally helped tear them apart and install the clipper chip after the FEDS moved in. Funny, but we didn't build anymore after that.

    We also built another telephone. It's the one that Harrison Ford uses on Air Force One. Not the little satellite phone, the big white desk phone. We had to count the ICs that did the cryptography for that every morning and evening. The phones had to stay under lock and key at all time. Not that it has any relevancy here, just to note that the FEDs will control cryptography and if you trust anything they approve of, you're going to be tracked.

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
  9. My NSA Experience by seaan · · Score: 5
    My former company was the USA market leader for hardware security modules (HSM) that perform back-end encryption for banking ATM transactions. I was the chief software architect, and can categorically state that there is no NSA backdoor in that product.

    That is not to say that the NSA did not have some influnce on the design (back before the rules changed and put the FBI and State Department in charge of export procedures). The NSA really discouraged (using the export license stick) the use of triple-DES. The fact they discouraged certain designs types is pretty much public knowledge.

    What is less known, is that the NSA did a through examination of the product. In order to get an export license, the NSA also had to review the product - all specifications, code, manufacturing diagrams, samples devices. They also requested and got our future product plans. It is my impression that the NSA did this future product research everywhere they could.

    So this means the NSA knew all details of any crypto product that was being exported. They knew the specifications, and in some cases the future product directions. I never heard of a case where the NSA would come back after a product evaluation and say "you have a security hole". In summary, even without a formal backdoor, they have (had?) a lot of knowledge.

    PS: When I hear about ex-NSA members joining public companies, I wonder how many of my company's ideas (forcefully obtained by USA export regulations) went with them. You might say, the NSA was all knowing, so their was nothing to steal. The truth is that the NSA was really into military uses (they supposedly passed up developing public key algorithms because they did not have any use for them). Don't under estimate the value of a practical commercial related applied cryptography use.

  10. Even opensource can have backdoors by MbM · · Score: 4
    You can audit the C sources all you want. Unless you've built the compiler and it's supporting libraries from the ground up there's always that possibility that someone has inserted a trojan along the way. The famous article dealing with this problem and self replicating trojans is Ken Thompsons's Relflections on Trusting Trust.

    "The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect. " http://www.acm.org/classics/sep95/

    - MbM
    --
    - MbM
  11. One real-world example by RebornData · · Score: 5

    Back before export restrictions were loosened (1996), Lotus worked out a "deal" with the NSA that would allow them export 64 bit encryption internationally in Lotus notes. For the international versions, they took 24 bits of the private key and encrypted them with the NSA's public key, so that (in theory) the NSA would get these 24 bits for "free", and would only need to crack the remaining 40 (which was export legal). The theory was that this was ultimately better for their international coverage, since they'd have 64 bit protection from everyone except the US government. (I won't waste space by pointing out the obvious problems with this approach.)

    This was publically announced and the technical details disclosed, so while it isn't great conspiracy fodder, it does point to close collaboration between the NSA and at least one major software company...