

Ex-NSA Analyst Warns Of NSA Security Backdoors

jagger writes: "In this ZD-Net article ex-NSA analyst Wayne Madison has issued a warning about many proprietary software packages coming bundled with NSA backdoors. This must be very troubling for non-US governments, because it means that they have no security against anyone knowing the backdoor." This is one of the reasons China has cited in wanting to use Open Source and home-cooked solutions.

7 of 205 comments

  1. Too much room for abuse by Gurlia · · Score: 5

    *sigh* I can understand why the NSA wants to be able to monitor Internet traffic. National security and all that.

    BUT.

    There is wayyy too much room for abuse.

    1. You have the problem of who guards the guardians. The backdoors are OK as long as the NSA can be trusted not to abuse them by exploiting them when not appropriate. But can you trust the guardians? Who guards the guardians?
    2. You have the problem of leaked information -- how do you know whether some terrorist group or something like that has obtained leaked information about these backdoors? They could be abusing these backdoors to their own ends.
    3. OK, the terrorist part may be overly paranoid. But what stops people from exploiting these backdoors to, say, violate your privacy by keeping logs of what websites you visit?
    4. If things like this become too popular, we might see the day when we're required to only use software that has these backdoors...

    I, for one, wouldn't want my software to be sending data to NSA or any other place without my knowing.

    I'm glad that Open Source is where it's at today. It would be our worst nightmare if Open Source hadn't gained enough widespread acceptance and entities like the NSA lobbied for outlawing Open Source software for "security reasons". I mean, it's very conceivable that your local ISP will only grant you access if you install their proprietary software which contains who knows what kinds of backdoors. Good thing open source systems like Linux are so widely available, and not locked into any proprietary vendor, so that ISPs *have* to allow for users to not use their software.

    Thank God for open source software...

    OTOH, I think NSA is shooting themselves in the foot. Foreign governments aren't gonna put up with this backdoor nonsense in *their* software. So open source is going to become even more attractive, which will be good for all of us.

    --
    mikre he sophia he tou Mikrosophou.
    1. Re:Too much room for abuse by John+Jorsett · · Score: 5
      I have a question. Does it really matter if they watch you? There are laws covering what they can and cannot use as evidence against you. If they had a folder of you doing subversive freaky things....so what? They can't use it unless they had a reason to suspect you in the first place.

      There's a doctrine in U.S. case law, articulated by the Supreme Court as "Fruit of the poisoned tree". It means that you can't use evidence obtained illegally as the reason for going in and collecting legitimate evidence. If you don't know that they're collecting data and you send email talking about your marijuana farm and then the DEA is tipped off (by an 'anonymous' source), this would be a violation of that doctrine, but you'd never be able to prove it.

  2. Sure there is by Anonymous Coward · · Score: 5
    Microsoft cut me off at the intersection of 4th and Main this morning.

    Microsoft always leaves the toilet seat up.

    Microsoft chews with its mouth open.

    Microsoft left its cell phone on during a movie, and answered it when it rang.

    Microsoft snores in bed.

    ...

  3. And the password would be... by blogan · · Score: 5

    seineeweraseipsteivos

  4. In further news... by Shotgun · · Score: 5

    Extremely bloated commercial software may contain full fledged flight simulators and pictures of the software designers. It is also suspected that some software may harbor dancing blue elephants.

    Seriously folks, does it take 30Megs of software to read email? Not only is it likely that large software houses are cooperating with the US gov, it is probable.

    I was working at an AT&T plant as a technician several years ago, and one of our projects was a device about the size of a Palm Pilot. You plug your handset into it, then plug it into your telephone. The person on the other end used a similar device, and with one button press you got instant voice encryption. We built hundreds. I tested a large portion personally. Then I personally helped tear them apart and install the clipper chip after the FEDS moved in. Funny, but we didn't build any more after that.

    We also built another telephone. It's the one that Harrison Ford uses on Air Force One. Not the little satellite phone, the big white desk phone. We had to count the ICs that did the cryptography for that every morning and evening. The phones had to stay under lock and key at all times. Not that it has any relevancy here, just to note that the FEDs will control cryptography and if you trust anything they approve of, you're going to be tracked.

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
  5. My NSA Experience by seaan · · Score: 5
    My former company was the USA market leader for hardware security modules (HSM) that perform back-end encryption for banking ATM transactions. I was the chief software architect, and can categorically state that there is no NSA backdoor in that product.

    That is not to say that the NSA did not have some influence on the design (back before the rules changed and put the FBI and State Department in charge of export procedures). The NSA really discouraged (using the export license stick) the use of triple-DES. The fact they discouraged certain design types is pretty much public knowledge.

    What is less known is that the NSA did a thorough examination of the product. In order to get an export license, the NSA also had to review the product - all specifications, code, manufacturing diagrams, sample devices. They also requested and got our future product plans. It is my impression that the NSA did this future product research everywhere they could.

    So this means the NSA knew all details of any crypto product that was being exported. They knew the specifications, and in some cases the future product directions. I never heard of a case where the NSA would come back after a product evaluation and say "you have a security hole". In summary, even without a formal backdoor, they have (had?) a lot of knowledge.

    PS: When I hear about ex-NSA members joining public companies, I wonder how many of my company's ideas (forcefully obtained by USA export regulations) went with them. You might say, the NSA was all knowing, so there was nothing to steal. The truth is that the NSA was really into military uses (they supposedly passed up developing public key algorithms because they did not have any use for them). Don't underestimate the value of a practical commercial related applied cryptography use.

  6. One real-world example by RebornData · · Score: 5

    Back before export restrictions were loosened (1996), Lotus worked out a "deal" with the NSA that would allow them to export 64 bit encryption internationally in Lotus Notes. For the international versions, they took 24 bits of the private key and encrypted them with the NSA's public key, so that (in theory) the NSA would get these 24 bits for "free", and would only need to crack the remaining 40 (which was export legal). The theory was that this was ultimately better for their international coverage, since they'd have 64 bit protection from everyone except the US government. (I won't waste space by pointing out the obvious problems with this approach.)

    This was publicly announced and the technical details disclosed, so while it isn't great conspiracy fodder, it does point to close collaboration between the NSA and at least one major software company...
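The structure of the scheme RebornData describes, as an added toy model that is not code from the post, from Lotus, or from the NSA: a 64-bit key is split into a 24-bit part sealed under a third party's public key and a 40-bit part that stays unsealed, and the functions at the end state how many key bits each kind of observer still has to search. The RSA parameters (primes just above 10**6, textbook RSA with no padding) are constructed purely so the 24-bit value fits in one block; they are not real key sizes, and the real product's exact field encoding is assumed, not reproduced.

```python
"""Toy model of a 'workfactor reduction' field: escrow 24 bits of a 64-bit key
under a third party's public key. Added example, not Lotus/NSA code."""

KEY_BITS = 64                      # session key length in the scheme described
ESCROW_BITS = 24                   # bits sealed under the third party's public key
OPEN_BITS = KEY_BITS - ESCROW_BITS  # 40 bits left for everyone to search


def is_prime(n):
    """Deterministic trial division; fine for the toy-sized primes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def next_prime(n):
    while not is_prime(n):
        n += 1
    return n


def toy_rsa_keypair():
    """Constructed toy RSA key: n > 2**24 so a 24-bit value fits in one block.
    Textbook RSA (no padding) is used only to show the structure of the scheme."""
    p = next_prime(10**6)
    q = next_prime(p + 1)
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))  # Python 3.8+ modular inverse
    return (n, e), (n, d)


def split_key(key):
    """Top 24 bits are escrowed, low 40 bits stay open."""
    assert 0 <= key < (1 << KEY_BITS)
    escrowed = key >> OPEN_BITS
    open_part = key & ((1 << OPEN_BITS) - 1)
    return escrowed, open_part


def recombine(escrowed, open_part):
    return (escrowed << OPEN_BITS) | open_part


def seal(value, pub):
    n, e = pub
    return pow(value, e, n)


def unseal(ciphertext, priv):
    n, d = priv
    return pow(ciphertext, d, n)


def workfactor_reduction_field(key, pub):
    """The field shipped alongside each message: the escrowed 24 bits sealed
    under the third party's public key (hypothetical name for the field)."""
    escrowed, _ = split_key(key)
    return seal(escrowed, pub)


def remaining_search_bits(has_private_key):
    """Key bits an observer must still brute-force to recover the session key.
    Only the holder of the escrow private key benefits from the field."""
    return OPEN_BITS if has_private_key else KEY_BITS


if __name__ == "__main__":
    pub, priv = toy_rsa_keypair()
    key = 0x0123456789ABCDEF            # constructed sample session key
    field = workfactor_reduction_field(key, pub)
    revealed = unseal(field, priv)
    print(f"escrowed bits revealed to key holder: {revealed:#08x}")
    print(f"search left for escrow-key holder: {remaining_search_bits(True)} bits")
    print(f"search left for everyone else:     {remaining_search_bits(False)} bits")
```

The point a defender takes from the model is in `remaining_search_bits`: the escrow field does nothing for an ordinary attacker (still 64 bits) but collapses the work for whoever holds the private key to 40 bits, so the product's advertised strength depends entirely on how that one private key is protected.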