Slashdot Mirror

← Back to Stories (view on slashdot.org)

UK Government Wants a Backdoor Into Windows

Posted by CmdrTaco on from the there-are-plenty-of-worms-available dept.

REBloomfield writes "The BBC is reporting that the British Government is working with Microsoft in order to gain backdoor access to hard drives encrypted by the forthcoming Windows Vista file system. Professor Anderson, professor of security engineering at Cambridge University, urged the Government to contact Microsoft over fears that evidence could be lost by suspects claiming to have forgotten their encryption key."

8 of 598 comments (clear)

  1. China & PGP by eldavojohn · · Score: 5, Informative
    Well, to be fair, a few people do believe that Microsoft has a backdoor built into their OS that would allow the United States Government to shut down all Chinese Government PCs running Windows.

    Oh, and there are a few people who also consider encryption a matter of freedom of speech.

    Funny the U.S. government targets Phil Zimmermann for three years but hardly raises so much as an eye when an encryption enabled OS is distributed. From Mr. Zimmermann's homepage:
    Philip R. Zimmermann is the creator of Pretty Good Privacy, an email encryption software package. Originally designed as a human rights tool, PGP was published for free on the Internet in 1991. This made Zimmermann the target of a three-year criminal investigation, because the government held that US export restrictions for cryptographic software were violated when PGP spread worldwide.
    I think that his "criminal activity" was creating an encryption tool that allowed messages to be encrypted beyond what the United States government was capable of deciphering in a timely manner. Does anyone know if this is still enforced? Does anyone know what the max key length is now if it is? I think it was something like 128 bits (that the government could crack) around the time of PGP.
    --
    My work here is dung.
    1. Re:China & PGP by Your+Anus · · Score: 3, Informative

      In the mid-to-late 1990's the US Government loosened the rules significantly. They recognized that strong encryption is already available outside the US, so export controls are useless. In fact, there is encryption built into the Linux kernel to handle ipsec among other things. The only requirement now is some sort of notice regarding where the encryption product is stored. I'm not sure about commercial products, but the PGP source is exempt under the same rules.

      --

      In the USA, we like stuff watered down, like beer, television, and freedom.
    2. Re:China & PGP by m50d · · Score: 4, Informative
      Funny the U.S. government targets Phil Zimmermann for three years but hardly raises so much as an eye when an encryption enabled OS is distributed.

      Not anymore, they have at last relaxed their restrictions, but they still did for a while - remember Debian nonus mirrors? The weak SSL in versions of IE4 shipped outside the US? OpenSSH having to be developed in Europe? The fact that you still have to download a separate file to get unlimited strength crypto in Java? And officially speaking you still have to notify the US government you're distributing strong encryption.

      I think that his "criminal activity" was creating an encryption tool that allowed messages to be encrypted beyond what the United States government was capable of deciphering in a timely manner.

      He was charged with exporting the munition - the problem wasn't so much that he'd created said encryption tool as that he'd put it on an ftp where $NASTY_REGIME could get it.

      Does anyone know if this is still enforced?

      As I said, officially speaking you have to notify the US government if you are exporting strong crypto from the US, and I think you're not allowed to directly export to anyone on their list of bad guys. In practice I don't think they care any more, crypto is so widely available.

      Does anyone know what the max key length is now if it is? I think it was something like 128 bits (that the government could crack) around the time of PGP.

      You weren't allowed to export more than 40, and AFAIK that hasn't changed.

      --
      I am trolling
  2. Truecrypt by ivan+kk · · Score: 5, Informative

    Let them try.
    We have alternatives.
    http://www.truecrypt.org/

  3. What's the point when you have RIP? by TheEvilOverlord · · Score: 5, Informative

    I don't really see why the need this anyway.

    The government has the RIP Act (Regulation of Investigatory Powers Act 2000) which allows them to detain you, with a press gagging order if you refuse to hand over the encryption key they need to decrypt your data. If you refuse or claim you have forgotton and they don't believe you, then it's two years in gaol for you sonny jim.

    They only really got this into law because most people don't understand it. Oh and don't forget that since this government came to power the amount of time they can hold you, uncharged, under the terrorism act has gone from 7 to 28 days... and the police want 90! Yes ninety days, 3 months, 2160 hours!

  4. Where will it end? by NimbleSquirrel · · Score: 4, Informative
    Not that I would ever buy Windows Vista, but why would I want Microsoft deciding who gets backdoor keys to my machine?

    I recall some years ago, someone found supposedly secret NSA backdoor keys buried in Windows98. I don't recall if it was actually proven, but I would not be surprised if the NSA already has backdoor keys in 98/ME/XP and now Vista. Now the British Government wants their turn. Where will it end? Once MS bows to the British, surely other governments will also demand backdoor keys. Who decides which of those governments get it?

    Sooner or later, other organisations (like the RIAA and the MPAA) will also want their keys too (if they don't already have them thanks to their DRM chips). Where will MS draw the line? I highly doubt MS would be very open about how many different governments or other organisations really have backdoor keys.

    It is easy for us to say that we'll never use it, or that there are other options out there, but I'm more worried for less computer savvy members of the public who think they are buying a secure system. I know most of those users will never use encryption, but this will set another precident that will further erode all of our rights.

  5. Re:Interesting Points by yo_tuco · · Score: 3, Informative

    "If I remember right, that was part of the reason encryption on OpenBSD was done in Canada."

    Read about it here: http://www.openbsd.org/crypto.html

    From the link:

    "The cryptographic software components which we use currently were written in Argentina, Australia, Canada, Germany, Greece, Norway, and Sweden."

    "When we create OpenBSD releases or snapshots we build our release binaries in free countries to assure that the sources and binaries we provide to users are free of tainting."

    And a summary of Canada's export controls on cryptographic software here: http://www.efc.ca/pages/doc/crypto-export.html

  6. Re:Private Disk by Anonymous Coward · · Score: 3, Informative

    "The point is that they might use some obscure algorithm nobody knows - which has no guaranteed strength; thus one cannot rely on it. They can also implement standard algorithms such as AES or DES - but were they correctly implemented?"

    It sounds like you haven't done that much research on Truecrypt. It uses industry standard algorithms like Blowfish, Twofish and AES.

    For relying that a piece of software does what it says, you have to rely on Peer review.

    I understand what your saying and how for business use you want to have some certified but if you do your homework you may find that your're able to place just as much trust if not more in OSS project than you can with closed source commercial projects.

    ANyway that's my 2 cents.