Microsoft Denies It Built Backdoor Into Windows 7
CWmike writes "Microsoft has denied that it has built a backdoor into Windows 7, a concern that surfaced yesterday after a senior National Security Agency (NSA) official testified before Congress that the agency had worked on the operating system. 'Microsoft has not and will not put "backdoors" into Windows,' a company spokeswoman said, reacting to a Computerworld story Wednesday. On Monday, Richard Schaeffer, the NSA's information assurance director, told the Senate's Subcommittee on Terrorism and Homeland Security that the agency had partnered with the developer during the creation of Windows 7 'to enhance Microsoft's operating system security guide.' Thursday's categorical denial by Microsoft was accompanied by further explanation of exactly how the NSA participated in the making of Windows 7. 'The work being discussed here is purely in conjunction with our Security Compliance Management Toolkit,' said the spokeswoman. The company rolled out the Windows 7 version of the toolkit late last month, shortly after it officially launched the operating system."
I believe Microsoft anytime that they would not build back doors into the system... If they tried, the backdoor would probably have enough bugs to be unusable.
Besides - doesn't it already state it in the story:
"Microsoft has not and will not put "backdoors" into Windows"
"the agency had worked on the operating system."
Seems pretty clear, MS did NOT put a backdoor into it... ;-)
At least, not intentionally.
Why do people think that the back door is in Win7?
The NSA put the backdoor in the Intel compiler, that's a much better place to put a backdoor or more accurately spread a backdoor
At least people can no longer find it interesting that Microsoft haven't denied building a back door into Windows 7.
It's not like they need to put a back door on it. There will be about 500 exploits found within the next year as it is.
http://twitter.com/OLDTELEGRAM
Odds are the NSA is privy to whatever the current exploits are for windows operating systems anyways. I wouldn't be surprised if they had staff working on breaking into Windows machines if for nothing else than attacks on targets outside the US.
"It's for the RIAA."
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Nah, it's all the front door - javascript through ie
A feeling of having made the same mistake before: Deja Foobar
God: "NOAH!"
Noah: "What!"
God: "Noah, I did not put a backdoor in Windows 7."
Noah: "[...] RIGHT."
The NSA did SELinux (for Linux...) so I don't think it's unreasonable to think they might have helped MS on security issues without doing anything nasty.
'Microsoft has not and will not put "backdoors" into Windows,' a company spokeswoman said, reacting to a Computerworld story Wednesday.
- Of course you wouldn't. MS is a stand up company, known for ethical behavior, fair treatment of its users, etc. I mean, it would never!
You can't handle the truth.
Please, they have microphones in my clothes, on the desk, in the walls, the fly buzzing by your mouth is their robot!!! Meet me by the dumpster out back around 5pm, come alone.
Unfortunately I have a bad habit of reading things aloud when I read them and by the time I was finished the fly was gone and the man sitting across from me was dead. The government doctor that rushed in the room and gave him pentobarbital in an attempt to revive him said it was due to an aneurysm caused by a robotic fly which he says he sees a lot of so it's nothing for me to look into.
I guess there's no story here after all.
My work here is dung.
That's what she said!
index.dat files.
The NSA work on an operating system? Scandalous!
This is Windows we're talking about here, after all.
of the way this is being pointed out seems to be that your Government had a steering role in security, so the first thing that comes into their heads is "Backdoor". Notice how Microsoft themselves insist that it's only a configuration framework that the NSA has worked on. They want to play down Government participation just as a safe manufacturer would. BUT - big BUT - do the NSA (or some other Dept.) have SOURCE and if so, surely they have tons of 0days up their sleeve anyway? Who else has source? That's what we'd really like to know, M$. I was as shocked as anybody that there is a "Shared Source Initiative" when Win2k leaked, and wondered "Who? How many?" but the news just died. Nobody else asked that, not even on here.
I confess, love Win7, it's beautiful, but will it still be a craporama of exploits which drive the Anti-V/Mal etc whatever ecosystem? I don't run stuff from email, I use only familiar apps known to be spyware-free through years of experience, and I heed UAC when I see it. Stable so far.
Oh, I veered offtopic there, but back ontopic - do the NSA have the source? Who else?? Because then they wouldn't even need to work with M$ to open a backdoor, and the main fears hinted at above would be realised (the Govt. could spy on everyone).
This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
NSA: "We wrote a guide and a separate tool to help in enterprise security management"
ComputerWorld: "OMG NSA TROJANED WINDOWS 7"
NSA: "WTF? We made a document and stand-alone download..."
ComputerWorld: "CONSPIRACY!"
NSA: "Uh, we work with linux too you know... SELinux...?"
ComputerWorld: "FRONTPAGE HEADLINE NEWS! WINDOWS 7 BACKDOOR EXISTS!"
Slashdot: "ZOMG! NSA MADE A WINDOWS 7 BACKDOOR!"
and Windows 7 was my idea.
The NSA, CIA or FBI made the backdoor. And then forced Microsoft to include it in the final build of the OS. Microsoft is technically telling the truth.
Remember this: http://en.wikipedia.org/wiki/Magic_Lantern_(software)
Might appeal to many Mac users.
Show the code, let us download, examine, compile, and test the output and then we'll believe you.
Ohhhhhhh SNAP!
An OS that runs on 90% of computers in the world is a de facto strategic weapon.
and Glenn Beck denies he raped a young girl.
At least Microsoft has the balls to say they didn't do it.
He doth protest too much.
Also:
"Microsoft has denied that it has built a backdoor into Windows 7" [...] "the agency had worked on the operating system."
Yeah, they didn't do it, they let the NSA do it.
Just check the sou..
Ah.
Despite many years’ warnings that Microsoft regards security as a marketing problem and has only ever done the absolute minimum it can get away with, millions of users who click on any rubbish they see in the hope of pictures of female tennis stars having wardrobe malfunctions still fail to believe that taking Windows out on the Internet is like standing bent over in the street in downtown Gomorrah, naked, arse greased up and carrying a flashing neon sign saying “COME AND GET IT.”
Microsoft cannot believe people have not applied the patch for the problems, just because they keep trying to use Windows Genuine Advantage to break legally-bought systems. “Don’t they trust us?” asked marketing marketer Steve Ballmer.
Millions of smug Mac users and the four hundred smug Linux users pointed and laughed, having long given up trying to convince their Windows-using friends to see sense. “There’s a reason the Unix system on Mac OS X is called Darwin,” said appallingly smug Mac user Arty Phagge.
“It can’t be stupid if everyone else runs it,” said Windows user Joe Beleaguered, who had lost all his email, business files, MP3s and porn again. “Macs cost more than Windows PCs.”
“Yes,” said Phagge. “Yes, they do.”
Ubuntu Linux developer Hiram Nerdboy frantically tried to get our attention about something or other, but we can’t say we care.
http://rocknerd.co.uk
Of course they built in a backdoor for their own personal uses. Is anyone stupid enough to imagine otherwise? Consider the recent CIA purchase of http://www.wired.com/dangerroom/2009/10/exclusive-us-spies-buy-stake-in-twitter-blog-monitoring-firm/ In-Q-Tel. Or the well-known fact that the CIA has its fingers all over Facebook. Do you suckers believe for one instant that everything you do and write isn't being scribbled into some Internal Security goon's hard drive somewhere? I have a friend who worked for Juniper, and he personally knew that AT&T was buying their equipment to route all its traffic through NSA spook territory before hitting the rest of the web. East Germany represent!
Every day the United States comes closer and closer to becoming the USSR. A disaster in Afghanistan, monitoring its citizens without a warrant, attacking Christianity, Islam, and other religions, use of secret prisons and torture, central economic planning, the list goes on and on and on and on.
And still the rabid conformists, http://www.nature.com/news/2009/090624/full/news.2009.593.html murderers of civilization, take out their Two Minutes Hate on the messenger.
When a true genius appears, you can know him by this sign: that all the dunces are in a confederacy against him.
I for one will not be 'upgrading' to Windows 7. For various reasons, not least of which is that Microsoft is pro-DRM, I plan to have as little exposure to Windows 7 as I can.
Unfortunately, my current employer, and likely any future employers as well, will likely keep using MS products and will eventually be installing Windows 7 on all desktop computers.
Then again, my job mostly involves writing embedded software, so my desktop PC only ends up getting used for basic email and web browsing tasks.
...did Windows 7 rape and murder a young girl in 1990? It's a simple question, why won't Microsoft deny that Windows 7 did this?
Of course you can trust the government. I mean, this is the NSA we're talking about. They're on YOUR side.
And as for Microsoft, or any other multinational company for that matter, they have grown to the size that they are because they are 100% honest to goodness hard working souls that, when faced with a decision, will always take the ethically correct side. I mean that's how you get fantastically rich, isn't it? Ask our hard working friends at Goldman Sachs, for example!
I'm shocked that you could even consider that Microsoft could be lying. I mean, what happens if they get caught lying? Surely the "back door" would be right there in the source code for all to see, and they'd be found out right away. Oh, wait... sorry, you don't get to see the source code. But Microsoft apologized for violating the GPL, that makes them GOOD guys. You're not suggesting that if anyone ever DID find out some sort of way to control a Windows machine, all they'd have to do is call it a "security vulnerability" and issue a patch (with a different back door) for it, are you?
Seven puppies were harmed during the making of this post.
You know, it's funny, but if the NSA ever got its hooks into a repository, it could do all sorts of fun stuff that way in Linux. We only "trust" Linux because Linux is a huge trust circle. WE trust it because it's open, and assume that someone else must have looked at it. But I have about as much idea of what's going on inside of my Ubuntu as I did my Windows, from a backdoor perspective.
This is my sig.
This is a ridiculous non-story with an attention-seeking headline. Sensationalist.
I think this exact comment has been posted a dozen times in slashdot so far.
This is my sig.
It's kinda hard for Beck to have fun with this controversy when Microsoft jumps the gun and denies it first, huh? Well, I'm still wondering why Ballmer refuses to deny he raped and threw chairs at that girl in 1990....
So they included a back window?
The Tao of math: The numbers you can count are not the real numbers.
MSFT would sell their children's souls to keep Windows on the government's desktop PCs.
But it's only in the goatse edition.
Fixed.
You can stop laughing at my shiny hat now.
I want this account deleted.
All concerns about NSA and Windows 7 could also be applied to SE Linux http://www.nsa.gov/research/selinux/
If Microsoft had assisted the NSA and deliberately buggered their security model for the government's purposes, it would be a federal crime for them to admit it.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Guess I registered whyhasntmicrosoftdeniedthewindows7backdoor.com for nought.
The NSA has not a need for a full on back door.
They just need to know the general and specifics about the make, model and type of the types of means Win7 implements and then they delve deep into their big o key ring and use what they already have.
Really, what do you think their super computers are doing? They are computing tables, hash matches and every key ever possible. Then they go about doing real work of breaking encryption with distributed and finessed brute force.
When you have key-making machines, why even bother with backdoors? The NSA is patient, it's what makes them good at what they do.
Anyhow I think the NSA doesn't need a back door it just wants to know where all the access points are then they can just lift the whole whatnot off the hinges - from the outside - and do whatever they please at that point.
I'm sure they took a bit of a look at bit locker and have or will figure that out. MS already has perhaps given them all the "tells" they probably need to figure out how to reduce the key space. I wonder if MS would hide one well known file outside the locker but encrypted in the same key and NSA can chew on that to find out the key for the whole volume.
Anyhow I admire them, NIST and NSA, for what they try to do. If it keeps Mafia out of banking great. If they can put the next Madoff/Galleon Group behind bars before they make a mess that's a plus as well.
Mr. Potato Head! Mr. Potato Head! Back doors are not secrets!
First against the wall when the revolution comes
"Hi, I'm a PC"
and then the NSA guy with the latex glove enters the scene...
Remember when Microsoft said "Windows Genuine Advantage isn't spyware"? Just because it does the same things spyware does, doesn't mean it's spyware, if you re-define spyware to mean "software that spies on you and phones home, written by someone other than Microsoft". So when their spokesperson says "Microsoft did not put a backdoor into Windows 7" this should be read as "Microsoft did not put remote root-level access code written by someone other than Microsoft into Windows 7".
I like it in the back door...Apple is better.
Troll?
I would have modded you redundant.
NULL address allowed privilege execape.
Now was that a coding error or intentional, we will never know.
Why do people think that the back door is in Win7?
I think that the real question is... Why would you care?
I mean, this is the NSA we are talking about. If they put a secret backdoor to some software, they keep it secret. They won't tell RIAA or your local cops about it. I'd bet quite a lot that even when it comes to suspected terrorists, CIA won't constantly send NSA requests "Hey could you guys check if you can break onto his windows machine? Thx. :)". Actually, I doubt it would even be used for constant breaking into foreign systems. Certainly not over network (too high risks and you don't really want to risk getting caught unless you know exactly what you are looking for and where to find it) and probably not with physical access either (If you carry a laptop with something so important that NSA really wants to retrieve it, you have probably secured it more thoroughly).
I don't know why would NSA put backdoors to Windows but if they did, it would probably be for wartime, *serious* terrorist suspects (IE: investigating assassination of a president or such) or similar cases. I don't know why should anyone care about such except if you are in charge of cybersecurity of a country potentially hostile to USA (In which case you probably shouldn't trust that much on USA based companies anyways) or if you fear that some non-NSA hackers might find it.
In the latter case... NSA certainly knows that Windows has security flaws. If they want to add their own backport(s), their goal is to use something that *isn't* just discovered by others and I think that their experts are probably good enough to make that happen: Yeah, there is always a risk that those backdoors are found by others but that risk is smaller than with other security flaws anyways.
I'm just annoyed that MS isn't using OVAL and XCCDF for their compliance XML.
Read my short stories - You won't regret it.
'Microsoft has not and will not (admit to having) put "backdoors" into Windows.'
The original MS response went like this:
.. but the rep made the mistake of typing it on a Win7 machine....
"We were forced by the NSA to leave backdoors into Win7"
Save the Music; Save the World at http://www.TuneTriever.com (Our latest Android game)
I think I see how windows became such a piece of security shit. You see, they have to let the Chinese security associations work on it to get that market share, then the Germans, then the Israelis, and so on, until any script kiddy in his basement can easily defeat the security. Who says windows is not open source?
Living in Chile
Netscape engineers are weenies!
nuff said.
Never believe something until it is officially denied. :o)
I am sure he is being honest in his statement that Microsoft has not put backdoors in, but he has avoided answering the question of whether the NSA has put backdoors in Windows 7.
Re: Administration's new encryption policy.
Date: September 28, 1999.
Weldon statement.
We have all seen enough double-talk from the corporations and government over the years... Just because M$ says they didn't put "backdoors" does not mean jack, since the term "backdoor" is widely subject to interpretation. They didn't exactly say ability to remotely access individual systems without users' knowledge... As far as being able to track users and attach unique IDs to every install of the OS or IE, that's already there. For the paranoid or anyone who cares, most of the hardware devices used for trafficking information already include the so called Lawful Intercept Capabilities - companies like Cisco, Nokia Siemens, etc... The truly paranoid still have the option to conduct their discreet activities through proxies using spoofed MAC's and various Linux distros running off USB sticks - or so I hear...
I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered. My life is my own.
After all, they have been so trustworthy in the past.
It's more like front-door, amirite?
The NSA has not put a backdoor in Windows. When the intelligence agencies comment on these matters, the answer is always "We will neither confirm or deny...." which always implies that they had some role in the matter. Now that both MS and the NSA have publicly stated that no backdoor was installed in Windows, and is such a departure from the usual PR stance that it is impossible to conclude otherwise that such a backdoor was not and would never have been installed.
Barring my sarcasm, I would think that there is more at stake in securing Windows than putting a backdoor in it. Chances are, if there is a backdoor, then others will find it which makes it a futile effort. I think of it this way. It would be one thing to backdoor Windows, if you wanted to spy on Joe citizen or a terrorist. But, Windows is used throughout businesses within the US: Banks, Utilities, major industry, government, law enforcement, etc. Such a Trojan whether on desktop PCs or on Servers could cause major economic and security repercussions. As others have pointed out, the NSA has released other products to help in security like SE Linux and various encryption algorithms which AFAIK have stood up to independent audits by experts.
They were probably tasked with only looking at certain portions of the Windows code anyways much like they had likely done with previous versions of Windows and maybe other major OSes. There's been plenty of bugs found since in Windows that no matter how much auditing of code in any OS, being found out of planting a Trojan has many more consequences than exploiting holes that are already there anyways.
Hasbro denies it built backdoor into Mr. Potato Head.
The developers should designate one person for compromise testing. It's his job to try to get compromises to the kernel. He will submit a patch to a random developer every 6 months, the developer submits the patch, and if it is missed and gets included in the main tree it triggers a more widespread code audit. Offer a $1000 reward to anyone finding the offending or more dangerous backdoor.
This should keep the developers on their toes and give us some confidence that the code IS being audited properly.
Working on the Windows NT Development team in the 1990's, I can recall one specific bug for NT 3.5 (or was it NT 3.51):
"The CIA has requested the option to clear out the page file on shutdown." (Paraphrasing)
Yes *that* CIA.
Today it's an option in Windows: http://support.microsoft.com/kb/314834
I'm sure someone will get their panties up in a bunch over this too, but most people will see that it's a simple straightforward request by a Microsoft Customer to improve the security of Windows Machines.
Bush says we don't torture.. ... ehmmm rebooted. Instead they allowed the peephole to be put in. And they can honestly say they didn't do it, nor do they know anything about it... it's not torture... I mean a backdoor cause the definition of that is nothing that anyone else would think it means. No matter... I'm a Mac.
and we did. so it's not a backdoor... it's ah... a peephole.... or something. and ya Microsoft didn't put it in.... cause then some employees there would know too much and have to be
Well, you know... anyone that has downloaded that US Spies list to the computer in the past years has seen, as soon as that came into public knowledge, that their computers stopped working without explanation and had to be formatted... only if you'd printed it before it crashed would you maintain the list, otherwise it would be lost forever... anyone telling me there is no backdoor can only be joking! They probably have several backdoors included in several places just in case something is detected and has to be fixed.
They put backdoors into every hardware, software they can (including but not limited to: routers, OS's, anti-malware, crypto software, and others)
Mr. Potato Head! Mr. Potato Head! Backdoors are not secrets!
I thought it was the sworn duty of the government to be in everyone's backdoor...
Who needs a backdoor when MS has Windows update?
hi all, a clue to the public. all os's have back doors. anyone who believes otherwise is too trusting. here's another one. 90% or more of i.c's have back doors hardwired in them. everyone thinks they're not there, but prove me wrong. have a nice day regards, mike
Oh,
Of COURSE NOT. They let the NSA do that for them!
RS
Shoes for Industry. Shoes for the Dead.
Remember this CNN story in 1999 showing that they found an NSA backdoor? http://www.cnn.com/TECH/computing/9909/03/windows.nsa.02/
1) Gather intelligence.
2) Secure government computers (this part is often mixed with work that NIST puts out - but don't kid yourself, it's NSA work).
Didn't NSA put out secure linux? Why, with the popularity of Windows, wouldn't NSA want windows to be secure?
Why should they develop a special backdoor if Windows Update fulfills all their needs?
...it's just another bug that they will be incapable of repairing. Some things never change.
A "back door" that big brother could exploit would not need to be the result of a conspiracy against citizens or anything nefarious on the part of M$, just the usual incompetence.
This is a hacked account, for which the owner can not be held responsible.
Microsoft don't need to have actively created a back door for one to exist, look at the code they call "secure" and how many exploits are found daily for it. This is them supposedly trying NOT to have exploits. They already have back doors for DRM control and instructions to please their real customers ie other companies, as well as their own WGA all for the common enrichment of rights holders. So just because Microsoft don't intentionally create back doors for the NSA means nothing.
Like any other intelligence agency, spying on people who use Windows would be a prime goal, but there's plenty of malware out there to do that, with Microsoft and the security industry formed to fix the holes left by Microsoft's technical incompetence can only fix so much. There's no reason why the NSA couldn't develop their own malware with VB and run it like any other criminals, without any collusion with Microsoft at all.
Given the fact that Windows is as secure as a paper tank at the best of times, and the governments of the world seem to want to insist that people use Windows, it's not hard to imagine Microsoft suits using the "hey if you force your people to use our software, you can spy on what they do with them much easier" as a reason NOT to support calls for a FOSS / Linux switch.
Given how many crimes Microsoft get away with in more jurisdictions it's also not hard to imagine a meeting where Microsoft agree to turn a blind eye to malware from certain sources in return for cases being dropped, or friendly judges put on the case who will promptly find in favour of Microsoft, and dismiss any logical evidence that they've done anything wrong.
As far as "it's in our interests to make Windows secure as we use it", how much of the US defense network still use Windows? I've noticed some have switched to Linux, while Microsoft had to create a special "secure XP" for them because the regular one wasn't up to the task. How easy would it be for the entire network to switch to Linux to protect itself while endorsing Windows for everyone else as it gives them an easy target to hit if they need to? They could even get Linux to pretend it's Windows when queried so nobody outside would know.
Remember most govt departments are VERY partisan, they don't like to co-operate as much as they should. They don't like sharing stuff that would help everyone because if only they do it and look good, they look even better in comparison to other departments who didn't do it. The contrast is even wider.
While there could be a backdoor, a more rational conclusion is the involvement of these government agencies is to help ensure the O/S has the capability to be highly securable. Very few programmers outside of government have the same security worldview as the NSA/DoD, so MS needs that government expertise to assist them. http://iase.disa.mil/stigs/index.html
My limited understanding of FIPS compliance is such that I think the likelihood is much higher that the involvement of the NSA is to work with Microsoft (as they have others) to make sure the right libraries are used and so on for FIPS compliance. If you want to sell software to the US Government, it must be FIPS compliant.
The following is my understanding (which is likely flawed in some ways, but I think is fairly close to accurate) of how FIPS works (Taken from a response I wrote to someone else about this).
In all likelihood, this is all about their encryption being FIPS compliant and has nothing to do with backdoors.
The way I understand FIPS (because I got a mini-lesson on it during an SDR as they were doing it for [another software product I work with a lot]) you have to use very specific encryption protocols that not only meet the standard for the encryption routine (e.g. RSA, or whatever) and the bit-size, but you have to use one of a specific set of approved implementation libraries.
That means you can use the exact same encrypting schema and key size as FIPS specifies, but if you don't do the encryption with an approved library, you're not compliant.
The rules get weirder from there. If you are required to be FIPS compliant at work, and must send something encrypted, you have to send it to someone who is also FIPS compliant. -- follow this logic now -- if you have to send it to someone who is NOT compliant, even though they use compatible encryption/decryption code and have exchanged keys with you, you CANNOT send them the encrypted file because their libraries are not FIPS compliant. You can, however, send them the file IN THE CLEAR if you decide it's safe to do so.
In other words, FIPS says it is better to send something in the clear if you cannot be sure the other end is FIPS compliant, even if they can decrypt what you're sending.
That's your government at work.
BTW: The routines which ARE certified have been fully vetted by many government and non-government people, and do not contain any special code in them that would lead to making decryption by the NSA any easier than it would otherwise be. Since the routines are by nature just implementation of well-known encryption standards, the only way to do that would be to interrupt the key pair creation process and use "less random" seeds. I don't believe FIPS specifies the random number generation routine used.
Hope this helps.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
Seriously, you're absolutely correct. The NSA has every incentive to improve the security of Windows, not compromise it. They did the same for Linux, where you can see the changes they made. In the past, they've made suggestions for improvements to encryption algorithms that academic researchers later realized had a sound mathematical basis. The NSA is as much about strengthening computer systems as they are compromising them. Hell, if in a particular situation they want to compromise the security of a system, all they usually have to do is ask (see: AT&T et al.).
The thing is, they know that important information they want to be kept secret is going to exist on Windows machines. On Linux machines. On [x] machine that isn't necessarily controlled directly by the NSA.
And even outside such "National Security" secrets... The NSA may want to listen in on your phone calls, but it doesn't help them at all for every Tom, Dick, and Sally to have their credit card information stolen, their bank accounts phished and plundered, and so on.
The enemies of Democracy are
I haven't heard of any, although all had plenty of bugs.
This is a company that was convicted of predatory criminal monopolistic practices. They were nearly torn in two.
United States v. Microsoft was a set of consolidated - civil - actions filed against Microsoft Corporation pursuant to the Sherman Antitrust Act on May 18, 1998 by the United States Department of Justice (DOJ) and 20 U.S. states.
The D.C. Circuit Court of Appeals overturned Judge Jackson's rulings against Microsoft. This was partly because the Appellate court had adopted a "drastically altered scope of liability" under which the Remedies could be taken, and also partly due to the interviews Judge Jackson had given to the news media while he was still hearing the case. Judge Jackson did not attend the D.C. Circuit Court of Appeals hearing, in which the appeals court judges accused him of unethical conduct and determined he should have recused himself from the case.
However, the appeals court did not overturn the findings of fact. The D.C. Circuit remanded the case for consideration of a proper remedy under a more limited scope of liability.
The DOJ announced on September 6, 2001 that it was no longer seeking to break up Microsoft and would instead seek a lesser antitrust penalty.
United States vs Microsoft
Antitrust in the states is populist and evangelical. Nothing much happens unless the folks back home want it to happen.
The break up of Microsoft was never a winner politically. Gallup Poll Public Opinion 2000, Volume 1999
If Windows has a back door that the NSA can use, how would they prevent foreign intelligence agencies from using it?
Lock the back door using strong asymmetric cryptography.
Then even if the other intelligence agencies get hold of the source code (or tear the code apart and grok every bit) it does them no good. They have to steal the private key or crack the cypher to open the door.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Then what is Windows Genuine Validation, but a backdoor for Microsoft to shut down copies of Windows and Office that it thinks (often erroneously) are pirated, when the user tries to update?
Who do I disbelieve more, NSA or Microsoft?? Hmmm......
Mod Me Up. You'll make a grown man cry.
What I can't figure out is who do I disbelieve more, NSA or Microsoft?
Mod Me Up. You'll make a grown man cry.
This brings back memory of the NSAKEY conspiracy. Guessing most likely US TLAs are sitting on a whole lot of 0-day which must be used sparingly -- when discovered the door is shut forever.
Given the international audience it would seem to be in MS's best interests to not go there. If they are ever caught in the act it would have a negative effect on sales (especially international market share)
we didn't do it. Honest !
It is called Windows Update. MS can craft a special update for a determinate IP range and destroy any country's economy.
My other signature is a car
Why does the NSA work on Windows? They're paid with tax-money, they're paid for working for the benefit of the tax-payer. When they work on Windows, they work for the benefit of a corporation, that has more than enough money to pay for such development.
The code they produced belongs to the public, because the public paid for it! If Microsoft doesn't open that code, they're stealing from the tax-payer!
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
Then again, the front door has no lock set either.....
I am the unwilling control for my Origin.
They are, in addition to gathering foreign intelligence, tasked with helping secure critical US systems. This means not only things like government systems, but our financial system too.
Thus far, they seem to do a pretty good job. An example is DES. IBM made DES back in the days when there really wasn't a public field of cryptography. It was more or less a government and math geek thing. Well the NSA consulted on DES. One of the controversial things they did was suggest changes to the S boxes. There was paranoia that they'd done this to make it easier to crack. Years later, when differential cryptanalysis was made public, it turned out that the S boxes were greatly more resistant to it than had they simply been randomly generated. Sure enough, IBM said that yes, they'd figured this out and told the NSA, who asked them to please keep a lid on it.
Now, many decades later, DES still stands up to scrutiny. It can be brute forced by computers these days, but no magic weakness has been found.
Likewise, AES seems to be immensely secure. It is probably the most analyzed cryptosystem in history and it stands up as secure. The NSA signed off on it too, not only saying it was good to be chosen as AES, but clearing it for use with classified data.
So it seems the NSA DOES take that part of their mission seriously. Thus sticking a backdoor in Windows and lying to congress about it would not only be dumb, it'd be contrary to their mission.
They'd also be really stupid to think it wouldn't be discovered.
Many universities have it, among other institutions. It isn't open source, but it isn't some huge secret.
Also, who's to say that just because you have the source you can find a backdoor? It could be very cleverly disguised. There's a massive misconception in the OSS community that "many eyes" means "no possibility of problems." No, not so much. Back in 2000 there was a remote exploit discovered in every version of BIND, ever. Somehow, despite many people having looked at it, worked on it, etc, nobody had ever noticed this one. Heck it wasn't even discovered through a source audit, it was discovered through messing with a running DNS server and sending it invalid data.
This idea that so long as something is open source it can't possibly have anything bad in it is just not at all true.
They could do something evil like the famous C compiler backdoor. You infect only binary components. So no matter how carefully the code is audited, there is nothing in there. However, when said code is compiled on an infected system, it produces infected binaries. So people have the illusion of security with it. They build from source because they want to make sure what they have hasn't been changed, but the tools they use are compromised so the final system is compromised, though no trace is in the code.
However, that has the same ultimate problem that a backdoor in Windows, or anything else does: It is susceptible to detection by looking at a running system.
You discover that most security research isn't code auditing. They instead attack a working system in various ways to see if they can cause it to malfunction. After all, a code audit only goes so far. In almost any large project there were a lot of people that looked over the code and tried to find and fix bugs. So if they didn't see it, what makes you think you will? You are not the best programmer in the universe. Also these bugs can often be very tricky, complex interactions that aren't easy to see. The source looks fine and indeed the final code works fine except for a very specific set of circumstances.
Well guess what? Testing like that would have the possibility of picking up the backdoor. This idea that it could be hidden in such a way that security testing would never find it, but that looking at the source would make it immediately obvious is stupid. It just reeks of programmers who have Smartest Motherfucker in the Universe syndrome. You find that syndrome in many areas, but I seem to see it in programmers a whole lot. Basically, they seem to think they are just gods of code. Any bugs in a program they didn't write are because the person was "stupid". THEIR code would never have holes, and if they just saw that "Other Guy's" code they could immediately find and fix the problems. As such they are sure that if code is open it is safe because they are sure they could look at it and determine that in mere minutes if they wanted to.
To me, that says in fact the person is not a good programmer. It tends to be the lowest performers who cannot identify their own limitations and thus believe they are the highest performers.
This would be informative if there was some, well, information on this. What this is would be "wild ass speculation." You have proof of any kind? Otherwise we play a game of which is more likely.
Is it more likely that:
1) MS uses their suite, regarded to be one of the very best around. A suite that is extremely full featured, well documented, maintained, and that they have easy access to the developers of. A suite specifically designed around Windows. A suite that they already have ready to go, no extra development needed.
or
2) A special internal compiler, made just for the sake of being different?
Sorry, but without proof, I'm not buying that they don't use Visual Studio to develop Windows. MS likes using all their own tech, and it is precisely the kind of thing you need for making a big project.
Now you might be correct in that the actual compiling might not be done by the included compiler. Intel makes a superior compiler (it generates more efficient code, even on AMD chips) and MS may well use it... However that compiler plugs right in to Visual Studio. It is one of the reasons it is popular. You buy it and it makes all your VS programs run a bit faster, no effort on your part.
So please, let's see some proof of this "internal compiler."
Why bother putting themselves to the risk when there is the capacity to put one in with windows updates.
I have morals, If you don't like them, I have other ones.
If the NSA wants to know EVERYTHING about you, they have far better ways than installing active spyware on your system to do it.
There is a record somewhere of everything you've ever downloaded or uploaded. Every Google search you've ever performed. Encryption breaking is pointless because they have the ability to know what you type as you type it. Heck, they probably have the ability to know what you think as you think it.
Did you know that you can read an RFID tag from orbit? --People know about the max distance a tag can be charged from, and it is indeed a few feet, but the distance from which it can be read is much greater. If the detector is good enough. . .
Did you know you can use a light bulb as an active antenna? Any bit of circuitry, for that matter, even powered down, still processes EM wave forms and can be used to snoop. The idea of the NSA messing around with malware in order to spy on computer users is like comparing Donkey Kong to today's modern game systems.
The only reason the NSA might encourage the belief that they have proprietary code built into a Microsoft product would be to mislead people into thinking that they work within the same baby-fences as the rest of us free range serfs.
-FL
Seriously... a 'backdoor'?!?? As if they could get away with that! What, is it going to UPnP everyones router or create an outbound tunnel? open ports? as if that wouldn't be entirely obvious! Even if it employed some form of port-knocking its still useless in nearly all cases where people are behind NAT (unless they believe that nobody will notice dodgy tunnels in their port forwards). lol @ paranoid Congressman
But SELinux is open sourced so you can see what NSA put in there.
Hard to put in a backdoor when everyone can see what you wrote.
See what they did is build a keyword subroutine in the indexing system and if the data found hits a certain threshold the OS calls home when the user performs a basic operation such as updating the PC.
So technically it's not a back door.
The best backdoors may be something left by some engineer, on purpose or not. Maybe it was just used for testing, to bypass authentication to get work done in an early state, and now it is still there. The thing is, if it's never being used, it's actually very hard to notice it. I have no trouble imagining all kinds of ways NSA could put in some hidden code, to bypass entry at network / OS level somehow. It's not like you have that many levels of security in hardware or software. Once you gain Ring0 or something similar, your computer is toast.
If it's easy for viruses and hackers, just imagine what a small assembly line could do inside the OS itself! Remember, to crack software often just requires changing a few bits (dunno why security is so low.. I would make a VM for running the verification-process, or even the software itself, which scrambled memory in all sorts of random ways *during execution* - but I guess software makers are more greedy than smart..)
Face it, lots of software probably has some backdoors or "hidden" functionality. This is one of the reasons open source is superior. You can still have a compromised compiler or be rooted with a VM, but the chance of that is much slimmer than trusting some binary blob and running as administrator.
However, as desktop, I still favour XP. Haven't tried Win7, and will probably wait until it matures, much like XP which I pretty much like now over both Linux and OS X. The OS itself simply lets me install everything I need and gets out of the way, after installing Firefox, Thunderbird and other portable apps - which can be ported to another computer just by copying the files. Nice setup, and faster than apt-get even, for getting desktop usage done.
Win7 will probably become standard though, as it has enhanced security and you don't have to run as administrator (it's too much of a pain in XP to be a normal user due to buggy sudo-functionality).
But to think Windows or other software has no backdoors, when some companies deliver software with rootkits and spyware, strikes me as very naive.
http://www.debunkingskeptics.com/
Doesn't this whole story belong under http://idle.slashdot.org? Unless such a back door is found, we have no proof that it is there, and no matter how many denials we get from Microsoft and NSA that there is no back door, there is no guarantee there isn't one. The same could be said of SE Linux or MacOS, too, for that matter.
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
"Microsoft has not and will not put "backdoors" into Windows"
http://www.cultdeadcow.com/tools/bo.html
Ahh the good old days of popping open cd trays remotely and watching people's ICQ conversations as they reacted.
Microsoft Denies It Deliberately Built Backdoor Into Windows 7
they let them into their Front page extensions.
This one I "verified" myself on a server I had to administer at college.. We very shortly afterwards gutted front page off of it and migrated everything away from Windows for the web server.
http://www.securityfocus.com/advisories/2235
It's my opinion that Microsoft is not lying.
IMO they would have to work with the NSA and deny any involvement (unless after the fact, as all NSA employees are fully aware of) if there was any such thing.
I find it unlikely that Microsoft has built some secret backdoor into Windows that would ALWAYS work precisely as intended and NEVER be discovered or exploited by the hacking community.
And if a backdoor was discovered and the government managed to keep its face unassociated with the inexplicable phenomena that would be rather interesting.
http://xkcd.com/528/
"If any lone black hat can pwn thousands and millions of machines from his bedroom, it stands to reason a well resourced organisation with even half-assed methodological inclination can do things that boggle our script kiddie minds. They have very few barriers to whatever they want to do" - by w0mprat (1317953) on Thursday November 19, @06:36PM (#30165882)
Per my subject-line above? THERE'S A BARRIER, right here:
----
HOW TO SECURE Windows 2000/XP/Server 2003/VISTA/Windows Server 2008/Windows 7, per CIS Tool Guidance & more tools like it (and beyond):
http://www.tcmagazine.com/forums/index.php?s=81bc1c6a14043ef2c95a0ddc8c9de8bd&showtopic=2662
----
AND, "it works"...
(LOL, that quote above? It's per Tony Stark & IRON MAN, in regards to his "Arc Reactor Technology" to Obadiah Stane - because one of its STRONGEST POINTS is a HOSTS file & using a custom one (and I have a way of "making it smaller" (and thus, faster), which is what Mr. Stark did to his "arc reactor" basically, &, "in a cave... with a bunch of scraps" per Obadiah Stane once he stole it from Stark... my technique is known & used by many also, like Mr. Oliver Day of SECURITYFOCUS.COM, for a faster & safer internet experience no less - & that's just a TINY PART of that guide, but a major one, nevertheless!))
How well does it work?
OK, some testimonials:
----
http://www.xtremepccentral.com/forums/showthread.php?t=28430&page=3 [xtremepccentral.com]
"Its 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff!" THRONKA user @ xtremepccentral.com
----
Security on Windows? ENTIRELY DOABLE & POSSIBLE... fairly easily.
APK
P.S.=> On the HOST file part of it, how well IT works? Ok:
----
RESURRECTING THE KILLFILE:
(by Mr. Oliver Day)
http://www.securityfocus.com/columnists/491
PERTINENT EXCERPTS/QUOTES:
"The host file on my day-to-day laptop is now over 16,000 lines long. Accessing the Internet particularly browsing the Web is actually faster now."
"From what I have seen in my research, major efforts to share lists of unwanted hosts began gaining serious momentum earlier this decade. The most popular appear to have started as a means to block advertising and as a way to avoid being tracked by sites that use cookies to gather data on the user across Web properties. More recently, projects like Spybot Search and Destroy offer lists of known malicious servers to add a layer of defense against trojans and other forms of malware."
---
Nuff said, enjoy the read, & KNOW that Windows? It's as securable as ANY OS IS, if not moreso (per its ACL's which OS' like Linux needed "bolted on" via SeLinux, & it didn't come that way originally mind you, Windows does - Windows "problem" is that MS ships it "WIDE OPEN", so "everything just works" especially on mass deployments. Were I MS? I'd do the OPPOSITE - ship it locked down, & totally, until the user tries to do things + then build a nice easy to use interface that asks them "what is it you wanted to do, & you could not?" & then have it "open that particular door" for them only, @ THE USER'S DISCRETION, but then only... not "open by default"))... apk
Like the CIA has secret prisons around the world, NSA / someone wanting to make use of this "de facto strategic weapon" can ask Microsoft to keep some things unpatched till exploited.
Since Microsoft took so much time to come up with a statement, does it mean that they were silent so far, out of clear knowledge of "certain unpatched vulnerabilities"?
Why should not malware authors from Central Europe be contacted by "certain insiders" from North American Govts (let alone just USA) ?
If you're tin-foiling, tin-foil well - spying is not a single vector attack, today. Can it be so simple in this day? It has to be distributed over hardware, software and wetware.
That's what's hard to figure out. And you have cheap supercomps and Second Life-like society simulators to add to the party.
If is a part, Microsoft is a small part of the elaborate multi-disciplinary mechanism.
Yeah, that's all I said. There's no smoke without a fire.
They may say it is "unintentional", but many holes stay for years in WinXX unpatched.
You (and many other commenters) seem to ignore that Microsoft's money is ultimately also tax-paying citizen's money. It's just not 'tax money' but the so-called 'income'.
I fail to see any difference between these two kinds of money. No further comments.
DISA and the NSA produce guides.
http://iase.disa.mil/stigs/stig/index.html
http://www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml
They're patting one another on the back because they worked on the guide before Windows 7 was released.
Too busy staying alive... ~ R.A.
http://www.fsf.org/blogs/rms/mac-osx-mistakes-and-malfeatures http://www.theregister.co.uk/2009/09/29/stallman_withdraws_apple_backdoor_claim/
Science : Proprietary , Knowledge : Open Source
Good information, a bit ranty, but good. I wish I had a mod point for ya. But nothing much new, blocking a metric asston of IP addresses and even ranges is a well used security method.
It also makes for a very fast internet experience, since adservers etc are just not visible.
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
"Good information, a bit ranty, but good. I wish I had a mod point for ya" - by w0mprat (1317953) on Saturday November 21, @01:34AM (#30182422)
Thank you, but, it's good enough to know others are aware of it. and use it (because it works, & on the SIMPLEST PRINCIPLE IN THE WORLD, which is basically one of: "If you can't go into the kitchen, then you can't get burned", essentially)
----
"But nothing much new, blocking a metric asston of IP addresses and even ranges is a well used security method." - by w0mprat (1317953) on Saturday November 21, @01:34AM (#30182422)
Nothing really "new" @ all is needed though, just wise use of the "old stuff" really: So, just a dose of common sense is all that's required. Simply by protecting one's self vs. known bad sites &/or servers is all this is, in the HOSTS file portion of that guide (but there is a LOT more that goes with that too from that URL I posted, & again, it just works...
(The guide also goes into some other things, that eliminate "PEBKAC" a bit too, in suggesting a form of well, lol, "behavioral modification", in not using javascript on "every site under the sun", & only taking a chance using it where you have no other choice to gain full function on a particular site (such as online banking &/or e-commerce sites for example. This not only aids in protecting folks online, but, it also helps speed you up online yet again, by not processing scripts in webpages, & especially on websites where it's not absolutely needed. Doing so lessens the "surface area of possibles" where you may have gotten an infection as well by doing this practice in combination with HOSTS files usage).
----
"It also makes for a very fast internet experience, since adservers etc are just not visible." - by w0mprat (1317953) on Saturday November 21, @01:34AM (#30182422)
It does. Far better speeds online result, as well as far safer experiences too. Again: It just works... & the rest of that guide I posted in my URL goes into the rest of what is required to secure a Windows system, fully, as well, & once more? IT JUST WORKS.
APK
P.S.=> So, in the end, "thanks for the kind words" etc./et al, & I hope I conveyed my meaning in response well enough... I say that, because (lol - man, headache & all) I had a bit of a "late night" with a good friend of mine here last nite who came over because he has "woman problems" and I have closed out another semester of academia on a good note (grades are doing well, very near to completing a long time/long term goal of mine in the doing of it, another degree on the way that's CSC/CIS related), & I fear I may not be expressing myself as well as I can/should, because of the "celebrating" we did, lol (in other words, I need my coffee today, this is certain... so, that all "said & aside"? I am off to go make a fresh pot, & have @ it... because man - I need it today, this is certain I can assure you, lol)... apk
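An added example, not part of the original comments and not any poster's own method: merging shared HOSTS block lists of the kind discussed above, dropping duplicates and malformed names, and refusing any line that maps a name to a non-sink address, since such a line in a third-party list would redirect traffic rather than block it. The sample lists, function names and the set of accepted sink addresses are assumptions constructed for illustration.

```python
import re

# Constructed sample lists (not taken from any real feed).
LIST_A = """\
# constructed sample list A
127.0.0.1   localhost
0.0.0.0     ads.example.net      # ad server
0.0.0.0     Tracker.Example.org
127.0.0.1   ads.example.net
0.0.0.0     bad_host!.example.com
"""

LIST_B = """\
# constructed sample list B
0.0.0.0 tracker.example.org. metrics.example.net
203.0.113.7 bank.example.com
::1 localhost
"""

SINK = "0.0.0.0"
# Assumption: only these addresses count as "block" targets.
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
# Names the OS needs to resolve locally; never emitted as blocked entries.
KEEP = {"localhost", "localhost.localdomain", "broadcasthost"}
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name):
    """True if every dot-separated label is a plain LDH label."""
    if not name or len(name) > 253:
        return False
    return all(LABEL.match(label) for label in name.split("."))


def parse_blocklist(text):
    """Return (set of blocked names, list of (lineno, item, reason) rejects)."""
    blocked, rejected = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments
        if not line:
            continue
        addr, *names = line.split()
        if addr not in SINK_ADDRS:
            # A shared list must only sink names, never point them elsewhere.
            rejected.append((lineno, line, "non-sink address"))
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if name in KEEP:
                continue
            if valid_hostname(name):
                blocked.add(name)
            else:
                rejected.append((lineno, name, "malformed hostname"))
    return blocked, rejected


def merge(*texts):
    """Merge several lists into one sorted, deduplicated list of names."""
    names, rejected = set(), []
    for text in texts:
        blocked, bad = parse_blocklist(text)
        names |= blocked
        rejected += bad
    return sorted(names), rejected


def render(names):
    """One normalized entry per name, all pointing at the same sink."""
    return [f"{SINK} {name}" for name in names]


def is_blocked(name, names):
    """HOSTS lookups are exact-match: subdomains are NOT covered."""
    return name.lower().rstrip(".") in set(names)


if __name__ == "__main__":
    merged, rejects = merge(LIST_A, LIST_B)
    print("\n".join(render(merged)))
    for lineno, item, reason in rejects:
        print(f"rejected (line {lineno}): {item!r}: {reason}")
```

Because HOSTS matching is exact, `cdn.ads.example.net` is not blocked by an entry for `ads.example.net`; each name has to be listed explicitly.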