New Vista Random Numbers to Include NSA Backdoor?

← Back to Stories (view on slashdot.org)

New Vista Random Numbers to Include NSA Backdoor?

Posted by ScuttleMonkey on Monday December 17, 2007 @08:33AM from the advice-is-to-never-enable-it.-Ever. dept.

Schneier is reporting that Microsoft has added the new Dual_EC-DRBG random-number generator to Vista SP1. This random-number generator is the same one discussed earlier that may have a secret NSA backdoor built into it.

12 of 269 comments (clear)

Really... by 2names · 2007-12-17 09:18 · Score: 5, Funny

I guess it's not so secret then, is it?

--
"I'm just here to regulate funkiness."
1. Re:Really... by yo_tuco · 2007-12-17 10:01 · Score: 5, Informative
  
  "Wait... couldn't you just add something to the random number? Or perhaps shift the digits over?"
  
  You can do what TFA said:
  
  "It's possible to implement Dual_EC_DRBG in such a way as to protect it against this backdoor, by generating new constants with another secure random-number generator and then publishing the seed. This method is even in the NIST document, in Appendix A."
Given the known problems of Dual_EC_DRBG by morgan_greywolf · 2007-12-17 09:21 · Score: 5, Interesting

Given the known problems of Dual_EC_DRBG, which, from the Bruce Schneier article, include the fact that's slow, that it's got an obvious backdoor, and that it was inexplicably pushed for the NSA for seemingly no reason, why would Microsoft add it to Vista SP1?

Now adding the algorithm itself isn't really a backdoor per se, because no one is forcing you to use that particular random number generator. But it is also interesting to note that this isn't the first time Microsoft has been accused of inserting backdoors for the CIA or the NSA. Of course, Microsoft vehemently denies such allegations, but I would assume that they would. Given what the telcos did for the NSA, would anyone be surprised if it really did come out that the NSA actually forced Microsoft to put backdoors in Office or Windows?

--
My blog
1. Re:Given the known problems of Dual_EC_DRBG by RightSaidFred99 · 2007-12-17 09:30 · Score: 5, Informative
  
  I know this is crazy talk, but maybe there's a simple explanation. Microsoft put it in the OS as an option so that people who want to use it (hmm...government contracts?) can if they so choose. So maybe Microsoft sees the NSA as a "customer" and decided they were important enough to include it for their use and for other government use.
  Insane - I know, they must be "out to get us".
2. Re:Given the known problems of Dual_EC_DRBG by morgan_greywolf · 2007-12-17 09:47 · Score: 5, Insightful
  
  Who even says that at an RNG has to be at the OS level? If NSA or its customers want to use Dual_EC_DRBG, there is nothing stopping them from doing so on Vista or any other OS.
  
  As another poster said, where in the OS is this used? Do you know? Does anyone but Microsoft?
  
  --
  My blog
3. Re:Given the known problems of Dual_EC_DRBG by morgan_greywolf · 2007-12-17 09:53 · Score: 5, Insightful
  
  This random number generator is not used by default. Prove it. Oh, that's right, you can't because you don't have the source code. Unless maybe you're astroturfing. Even then you'd be under an NDA anyhow.
  Other governments are not going to be willing to buy a system with a NSA backdoor. And other governments have replaced Windows with custom Linux distros due to the potential of this very problem. This is a fact that cannot be denied.
  
  --
  My blog
it's true by circletimessquare · 2007-12-17 09:25 · Score: 5, Funny

i seeded the dual_EC-DRBG with the following ASCII strings the and got the following output in ASCII:

missionaccomplished -> LOL

waterboard -> buckshottotheface

osamabinladen -> loofahnotfalafel

iraq -> vietnam

--
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Clever! by spun · 2007-12-17 09:30 · Score: 5, Insightful

I see what you did there. You implied that anyone who criticizes the US or Vista is a paranoid loony. Now why would you do that? Do you just assume that people will criticize the US? Is the US that worthy of criticism that you have to defend it preemptively? I know that's a popular tactic these days, but is it entirely necessary? Nice how you posted AC, too. You sir are an all-around class act.

--
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Re:From the article by Smidge204 · 2007-12-17 09:36 · Score: 5, Interesting

It's not enabled by default ... until the next Automatic Update rolls around.

=Smidge=
Secret Back door code is pretty easy!! by spineboy · 2007-12-17 09:46 · Score: 5, Funny

Maybe the NSA could have thought a little harder at entering a back door code. Secret sources have revealed the NSA back door code to be.

up, up, down, down, left, right, left, right, B, A

--
..........FULL STOP.
Re:Section Tag by naapo · 2007-12-17 09:56 · Score: 5, Funny

Don't know about our rights online, but I gladly noticed that this was tagged quite appropriately
ahhjeezenotthisshitagain
It was not exactly a dupe, but clearly an "ahhjeezenotthisshitagain".
Re:Article summary follows by Fractal+Dice · 2007-12-17 11:03 · Score: 5, Funny

"Don't worry, our Chinese contractors assure us there are no NSA backdoors"