No Backdoor in Vista
mytrip wrote to mention a C|Net article stating that Vista will not have a security backdoor after all. From the article: "'The suggestion is that we are working with governments to create a back door so that they can always access BitLocker-encrypted data,' Niels Ferguson, a developer and cryptographer at Microsoft, wrote Thursday on a corporate blog. 'Over my dead body,' he wrote in his post titled Back-door nonsense."
going to die soon? (nothing personal)
I believe that can be arranged...
I suspect the NSA, (who I seem to recall left a few stray tags lying around in a previous version of Windows' code), would look at you dead-pan and agree.
-FL
"'The suggestion is that we are working with governments to create a back door so that they can always access BitLocker-encrypted data,' Niels Ferguson, a developer and cryptographer at Microsoft, wrote Thursday on a corporate blog. 'Over my dead body,' he wrote in his post titled Back-door nonsense."
I think we would be reading about his dead body if he came out and admitted that there were backdoors being put into Vista.
ability to view the supposed source and ability to put said source to use are required. If you can't verify that the source you're looking at is the source used in the binaries you're using, there's zero point. Chances of MS releasing enough source to be able to rebuild aspects of windows- most likely a few steps shy of zero, at least for now.
'Over my dead body,' he wrote
The problem with closed software is that we have to take his word for it.
- Get me Ferguson... tell him we're going hunting. Yes, hunting. With Cheney.
We have no reason to believe this claim -- doubly so given that Microsoft has lied repeatedly in the past.
..... :)
I'd be willing to bet that even Microsoft would not be willing to go so far as to create intentional "backdoors" in their encryption to facilitate government (Law Enforcement) access. First off I don't think the government (at least those in the UK and the US) have the power to legally force them into doing it, and secondly if they did it voluntarily one would think the public outcry would be deafening and severely damaging to Microsoft (and it seems that "keeping it quiet" would be nearly impossible).
I generally don't trust the government as far as I can throw them, and I don't trust Microsoft much farther than that, but I think the suggestion that they are colluding in something as nefarious as this is a bit in the Tin Foil Hat realm.
Besides how would they "prove" they aren't doing it? release the source? as if
'Over my dead body,' he wrote
"Your terms are acceptable" reply the NSA.
So it's a secret backdoor. :-)
Geek runner, motorcyclist and professional know-it-all
Wikipedia agrees, apparently. http://en.wikipedia.org/wiki/Backdoor
To prevent this day from getting worse, I'll just read ERROR as GOOD TH
... you won't be in the loop if/when it gets compromised.
A quick look at the "Crypto AG" fiasco makes it plain how very much governments want backdoors. "For decades, the US has routinely intercepted and deciphered top secret encrypted messages of 120 countries." Imagine the power some entity would have if it could peek into any Windows system at will - the temptation must be making their toes curl.
Whether or not there is a top-level agreement with top-level spooks it is still unlikely that local lawmen will be allowed to know about it. So what exactly IS Microsoft planning to do when they inevitably get a request to "help" with an encrypted drive?
"Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
there are heaps of people with access to the source code (ok, maybe not full), such as academic institutions, and infamous examples such as MainSoft, who could prove 'em wrong.
But then we'd have to take the word of some un1337 student haxer at some institution, who just locked down access to their precious copied jewels because some un1337 student haxer at some institution proved some M$ guy wrong.
Anyway, aren't there multiple reports of backdoors in PGP from various stages of its life? Of course, since it's not Stallman-Endorsed(TM) software everyone on Slashdot, fearing executing bash will get them locked up just points and laughs anyway, right?
Here's what he actually wrote:
He's crazy if he thinks big corporations would even think twice of doing something over the dead body of one of their workers.
Corporations might think twice, but governments wouldn't.
!#@%*)anks for hanging up the phone, dear.
Let the government wait a week for someone to find a backdoor, just like the rest of us....
-- I care not for your foolish signatures.
strangely silent on the topic of Internet Hearts.
Game: Player 'Donald J Trump' now has AI skill level 'experimental'.
I'd even be willing to bet that the new RSS feed being built into the OS at a low level will provide lots of ways into the Bitlocker.
*rolls on the floor, laughing and scaring the cat*
Jeez, thanks for a good laugh on a Saturday morning. This really ought to be nominated for a Slashdot stupidity hall of fame award.
Go somewhere random
If there actually were a backdoor in Vista, would MS admit it? Probably not.
(emphasis mine)
Free Software: Like love, it grows best when given away.
I demand that you give me ONE MILLION DOLLARS.
Failure to give me one million dollars will be considered
an explicit admission by you that you rape babies.
Aside from the obvious "what about buffer overruns?" questions, aimed at the usually poor competence Microsoft shows in writing code, there's also "what about cryptographic strength?" question -- maybe the NSA already has a simple and fast way to break whatever encryption BitLocker will end up using.
And, of course, there may well be several people working at Microsoft who actually work for the NSA or MI-6 or the FSB. (I'd be astonished if there weren't at least a few such people on the Microsoft payroll.) Those people may well do things as described in Reflections on Trusting Trust, without letting their superiors know.
You're assuming he voted for the Government in power, or even voted at all. He may have purchased a copy of Windows and that's as good as a vote in my books.
So, who would you trust more.
Someone in an electoral system that you cannot even bring yourself to take part in.
A company whose product you purchased and used/use.
thank God the internet isn't a human right.
Dw.
Ad *) Or manually
At least with OSS... oh wait... I still have to take a developer's word for it.
Are you trolling?
Obviously, if you had the necessary skills you could audit the code yourself.
Alternatively you could pay someone to audit it for you; or just wait for someone else to blow the whistle.
The point is that it is much harder to hide malicious code when the source is available.
Microsoft operating systems beginning with Windows 95 have never really needed a backdoor, especially since the front door is left wide open.
I sent Niels an invitation to respond to this thread. Don't know if he'll get it, but I found his website on Google (put down that chair Steve....take deep breaths)
Anyhow - he seems quite smart enough to do what the BBC article mentions, but after reading his site a bit, I think the guy would have a real problem if asked to code a backdoor. He seems to be ethical.
Tin hat conspiracy weavers would say that unbeknownst to Niels, who is a front, that there is yet another team coding the backdoor.
And yet, as long as you use an OS that will not release its source code, suspicions will always lurk about something.
"Let us raise a standard to which the wise and honest can repair" - George Washington
But they left out the rest of his quote.
I was told that I could listen to the radio at a reasonable volume from nine to eleven...
I have been in Mr. Ferguson's shoes, left with the choice of putting in a back door demanded by the NSA or quit. To my knowledge, NSA always gets their way. If he won't do it, the next guy will.
The point is that it is much harder to hide malicious code when the source is available.
My point is that it's beyond unrealistic to think that an average person has any way of auditing code, whether it's going through millions of lines themselves, or hiring an extremely expensive hacker to do the same thing. The end result is the same: it's impossible to know what's in either closed or open source code for 99.999% of the population. So, it comes down to a question of who do you trust: college kids who have nothing at stake, or companies that have everything at stake?
I don't respond to AC's.
Developers: We can use your help.
Well, you can take this one guy's word for it in the case of Windows.
Or in the case of OSS you can take the word of the hundreds of developers who want to audit the code themselves (and for something this important, there'll be hundreds of them), where it only takes one person to throw a red flag on bugtraq, and suddenly there's thousands if not tens of thousands of them looking over this code.
Also you could, if you had an especially vested interest, hire some developers to look over it. Say, perhaps, several independent parties including overseas operations. This is a lot better option than the closed source model where you're pretty much limited to decompiling the code (illegal here in these U.S, and still very hard for even a seasoned developer to figure out) or simply trusting the word of this one guy who maybe didn't notice the back door already present, or simply wasn't motivated to look very hard, or maybe has a family member being threatened in some way by the NSA, who knows.
Slay a dragon... over lunch!
First off I don't think the government (at least those in the UK and the US) have the power to legally force them into doing it
Nice government contract you have there. Shame if anything were to happen to it.
After all they don't call it windows for nothing.
The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
NSA and secret keys added to windows.
Thanks for the link, truthsearch.
-FL
But with OSS it's legal to check...for those who care.
So, it comes down to a question of who do you trust: college kids who have nothing at stake, or companies that have everything at stake?
I find those with nothing at stake to be a little less biased and easier to trust. The company with everything at stake will do what it takes to protect their interests.
What?
"Your proposal is acceptable."
The higher the technology, the sharper that two-edged sword.
There won't be a backdoor in Vista that they KNOW about. I bet they'll manage to build some in unintentionally.
I mean, why should it be different in Vista than it was 'til now?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
... as it is common Microsoft lore that Ballmer can be deadly with furniture.
Mind the frickin' laser...
The problem is transparency.
Would you stake your business or for that matter, your life (as is the case in some regions of the world) on this assumption? Since there is no transparency in Microsoft products, you simply have to take their word for it.
I thought the golden rule of security was that any viable security mechanism should tolerate public scrutiny. Knowing how the software works should not work against the devised scheme itself.
In a society that believes in nothing, fear becomes the only agenda ~ Bill Durodié
Gnupg is open source, so you can verify there are no backdoors
Yes, absolutely. If you're going to use encryption semi-seriously or even professionally, you have no choice but to use open source crypto libraries and apps!
But source code alone is no panacea here: you (or anyone skilled enough -- a.k.a. the community) could discover obvious backdoors, but what about backdoors in some crypto algorithms themselves? Having the source code for this won't help you much. Nothing could really prevent the NSA from working with a crypto implementer to slightly weaken an algorithm, so they could decrypt stuff with less effort than usual. Unless you were a very talented cryptographer, you won't notice the difference.
cpghost at Cordula's Web.
So, you never heard of the likes of KeyGhost...
How often do you check that keyboard cable of yours, by the way?
The moon is not fully subjugated. I demand a second assault wave preceded by a massive nuclear bombardment.
2) You're wrong to state that open source is just about college students and not companies. There are many many companies with an interest in Linux being secure.
3) Why do you assume a company would be trustworthy? Having something to lose makes them vulnerable to government pressure. Look how fast all the search engines caved in to China.
IPMI is very powerful. An IPMI session starts with a presence ping. Any machine with IPMI hardware should answer a "presence ping" on UDP port 663. This identifies an IPMI-capable machine, and returns some vendor info. Anyone can send this. This should work even if the machine is "turned off", as long as it has standby power and is on a LAN.
Then, there's a challenge-response authentication sequence. More on this later.
Once you're in, here are some of the things you can do:
There's more. Much more. Basically, you can remotely take over the machine, turn it on, inventory the hardware, load an operating system, boot it up, and talk to it.
IPMI's back channel can do more than this. With some help from the operating system (and yes, it's supported in Windows) you can do more remote administration functions. This is great for administering your data center remotely. But it has darker implications.
Supposedly, most machines are shipped with IPMI mostly turned off, unavailable until a program is run on the machine to load in the keys that enable it. Supposedly.
Thus, all it takes for IPMI to be a "backdoor" is for a set of secret challenge/response keys to be preloaded into the IPMI chip. There's no way to read those keys. Short of taking the chip apart, gate by gate, there's no way to tell if there's a backdoor in there. Or a set of keys might be loaded by the system integrator before shipping the system. You can't tell. So that's where to put a backdoor, where no one can find it.
There's an open source, OpenIPMI, for sending IPMI commands on Sourceforge. Send "Presence pings" to the machines you have and see if they answer.
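Added example, not part of the comment above or of OpenIPMI: a Python sketch of the RMCP/ASF presence ping and a parser for the pong, for inventorying which machines you administer answer it. It assumes the IANA-registered asf-rmcp port 623/udp as the default for the hypothetical `probe` helper, and `SAMPLE_PONG` is a constructed reply used for offline checking.

```python
import socket
import struct

ASF_IANA = 4542                      # ASF enterprise number (0x000011BE)
RMCP_HDR = bytes([0x06, 0x00, 0xFF, 0x06])  # version, reserved, seq 0xFF (no ACK), class ASF
PING, PONG = 0x80, 0x40              # ASF message types

def build_presence_ping(tag=1):
    # ASF body: IANA number, message type, tag, reserved, data length 0
    return RMCP_HDR + struct.pack(">IBBBB", ASF_IANA, PING, tag, 0, 0)

def parse_presence_pong(data, tag=1):
    """Return the pong fields as a dict, or None if data is not a matching pong."""
    if len(data) < 12 or data[0] != 0x06 or (data[3] & 0x1F) != 0x06:
        return None
    iana, mtype, rtag, _rsvd, dlen = struct.unpack(">IBBBB", data[4:12])
    if iana != ASF_IANA or mtype != PONG or rtag != tag:
        return None
    body = data[12:12 + dlen]
    if dlen < 16 or len(body) < 16:   # truncated or malformed pong
        return None
    oem_iana, _oem_defined, entities, interactions = struct.unpack(">IIBB", body[:10])
    return {
        "oem_iana": oem_iana,                      # the "vendor info"
        "ipmi_supported": bool(entities & 0x80),   # bit 7 of supported entities
        "asf_version": entities & 0x0F,
        "interactions": interactions,
    }

def probe(host, port=623, timeout=2.0):
    """Ping one host you administer; None means no valid answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_presence_ping(), (host, port))
            reply, _ = s.recvfrom(512)
        except OSError:               # includes timeouts and ICMP unreachable
            return None
    return parse_presence_pong(reply)

# Constructed sample pong: OEM IANA 4542, entities 0x81 = IPMI supported + ASF 1.0
SAMPLE_PONG = (RMCP_HDR + struct.pack(">IBBBB", ASF_IANA, PONG, 1, 0, 16)
               + struct.pack(">IIBB", ASF_IANA, 0, 0x81, 0x00) + bytes(6))
```

A pong with `ipmi_supported` set only shows that the management controller is listening on the LAN; it says nothing about which credentials, if any, are provisioned on it.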
Vista will ALWAYS have a backdoor. This is the showcase product of the richest man in the world. His and his company's continued prosperity depends on the good graces of governments. And the governments will always demand a back door to spy on their people.
This is the way that the world works. MS will always deny that there is a backdoor. But it will always be there. If you don't believe it, go to China or any other crypto-fascist dictatorship with advanced technology. Start sending e-mails to foreign websites about subjects like democracy and freedom in general. Request information about local massacres of protesters in freedom demonstrations. Be sure to use encoded with Microsoft's bundled encryption. See how long it takes for the local secret police to arrest you. A week, a month?
Don't gamble your life and freedom on a sucker's bet. Microsoft will always cooperate with local authorities to ensure that Vista will not shield political dissidents. The only people who can be assured that their correspondence actually is private will be Microsoft employees. This is a trade-off that giant monopolistic global corporations always make with the totalitarian governments in the countries that they operate. Regardless of how much they deny it, Microsoft will act no differently.
Count on it.