Slashdot Mirror
Microsoft Denies It Built Backdoor Into Windows 7
CWmike writes "Microsoft has denied that it has built a backdoor into Windows 7, a concern that surfaced yesterday after a senior National Security Agency (NSA) official testified before Congress that the agency had worked on the operating system. 'Microsoft has not and will not put "backdoors" into Windows,' a company spokeswoman said, reacting to a Computerworld story Wednesday. On Monday, Richard Schaeffer, the NSA's information assurance director, told the Senate's Subcommittee on Terrorism and Homeland Security that the agency had partnered with the developer during the creation of Windows 7 'to enhance Microsoft's operating system security guide.' Thursday's categorical denial by Microsoft was accompanied by further explanation of exactly how the NSA participated in the making of Windows 7. 'The work being discussed here is purely in conjunction with our Security Compliance Management Toolkit,' said the spokeswoman. The company rolled out the Windows 7 version of the toolkit late last month, shortly after it officially launched the operating system."
I believe Microsoft anytime that they would not build back doors into the system... If they tried, the backdoor would probably have enough bugs to be unusable.
Besides - doesn't it already state it in the story:
"Microsoft has not and will not put "backdoors" into Windows"
"the agency had worked on the operating system."
Seems pretty clear, MS did NOT put a backdoor into it... ;-)
At least, not intentionally.
Why do people think that the back door is in Win7?
The NSA put the backdoor in the Intel compiler, that's a much better place to put a backdoor or more accurately spread a backdoor
At least people can no longer find it interesting that Microsoft haven't denied building a back door into Windows 7.
It's not like they need to put a back door on it. There will be about 500 exploits found within the next year as it is.
http://twitter.com/OLDTELEGRAM
Odds are the NSA is privy to whatever the current exploits are for windows operating systems anyways. I wouldn't be surprised if they had staff working on breaking into Windows machines if for nothing else than attacks on targets outside the US.
"It's for the RIAA."
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Nah, it's all the front door - javascript through ie
A feeling of having made the same mistake before: Deja Foobar
God: "NOAH!"
Noah: "What!"
God: "Noah, I did not put a backdoor in Windows 7."
Noah: "[...] RIGHT."
The NSA did SELinux (for Linux...) so I don't think it's unreasonable to think they might have helped MS on security issues without doing anything nasty.
'Microsoft has not and will not put "backdoors" into Windows,' a company spokeswoman said, reacting to a Computerworld story Wednesday.
- of-course you wouldn't. MS is a stand up company, known for ethical behavior, fair treatment of its users, etc. I mean, it would never!
You can't handle the truth.
Please, they have microphones in my clothes, on the desk, in the walls, the fly buzzing by your mouth is their robot!!! Meet me by the dumpster out back around 5pm, come alone.
Unfortunately I have a bad habit of reading things aloud when I read them and by the time I was finished the fly was gone and the man sitting across from me was dead. The government doctor that rushed in the room and gave him pentobarbital in an attempt to revive him said it was due to an aneurysm caused by a robotic fly which he says he sees a lot of so it's nothing for me to look into.
I guess there's no story here after all.
My work here is dung.
That's what she said!
The NSA work on an operating system? Scandalous!
This is Windows we're talking about here, after all.
NSA: "We wrote a guide and a separate tool to help in enterprise security management"
ComputerWorld: "OMG NSA TROJANED WINDOWS 7"
NSA: "WTF? We made a document and stand-alone download..."
ComputerWorld: "CONSPIRACY!"
NSA: "Uh, we work with linux too you know... SELinux...?"
ComputerWorld: "FRONTPAGE HEADLINE NEWS! WINDOWS 7 BACKDOOR EXISTS!"
Slashdot: "ZOMG! NSA MADE A WINDOWS 7 BACKDOOR!"
and Windows 7 was my idea.
Might appeal to many Mac users.
An OS that runs on 90% of computers in the world is a de facto strategic weapon.
> The NSA, CIA or FBI made the backdoor. And then forced Microsoft to include
> it in the final build of the OS.
In that case it might actually work.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Just check the sou..
Ah.
Despite many years’ warnings that Microsoft regards security as a marketing problem and has only ever done the absolute minimum it can get away with, millions of users who click on any rubbish they see in the hope of pictures of female tennis stars having wardrobe malfunctions still fail to believe that taking Windows out on the Internet is like standing bent over in the street in downtown Gomorrah, naked, arse greased up and carrying a flashing neon sign saying “COME AND GET IT.”
Microsoft cannot believe people have not applied the patch for the problems, just because they keep trying to use Windows Genuine Advantage to break legally-bought systems. “Don’t they trust us?” asked marketing marketer Steve Ballmer.
Millions of smug Mac users and the four hundred smug Linux users pointed and laughed, having long given up trying to convince their Windows-using friends to see sense. “There’s a reason the Unix system on Mac OS X is called Darwin,” said appallingly smug Mac user Arty Phagge.
“It can’t be stupid if everyone else runs it,” said Windows user Joe Beleaguered, who had lost all his email, business files, MP3s and porn again. “Macs cost more than Windows PCs.”
“Yes,” said Phagge. “Yes, they do.”
Ubuntu Linux developer Hiram Nerdboy frantically tried to get our attention about something or other, but we can’t say we care.
http://rocknerd.co.uk
Of course you can trust the government. I mean, this is the NSA we're talking about. They're on YOUR side.
And as for Microsoft, or any other multinational company for that matter, they have grown to the size that they are because they are 100% honest to goodness hard working souls that, when faced with a decision, will always take the ethically correct side. I mean that's how you get fantastically rich, isn't it? Ask our hard working friends at Goldman Sachs, for example!
I'm shocked that you could even consider that Microsoft could be lying. I mean, what happens if they get caught lying? Surely the "back door" would be right there in the source code for all to see, and they'd be found out right away. Oh, wait... sorry, you don't get to see the source code. But Microsoft apologized for violating the GPL, that makes them GOOD guys. You're not suggesting that if anyone ever DID find out some sort of way to control a Windows machine, all they'd have to do is call it a "security vulnerability" and issue a patch (with a different back door) for it, are you?
Seven puppies were harmed during the making of this post.
The military does. Or did for older version. The military used to have a strict rule that any software run on classified networks (yeah, 98 ran (and probably still does) on such systems as communications, nuclear, and others) had to be open source or they had to be allowed to view the source. I do not know if this still applies.
No comprende? Let me type that a little slower for you...
You know, its funny, but if the NSA ever got its hooks into a repository, it could do all sorts of fun stuff that way in Linux. We only "trust" Linux because Linux is a huge trust circle. WE trust it because its open, and assume that someone else must have looked at it. But I have about as much idea of what's going on inside of my Ubuntu as I did my Windows, from a backdoor perspective.
This is my sig.
I think this exact comment has been posted a dozen times in slashdot so far.
This is my sig.
Microsoft has denied building back doors, but what about rootkits?
So they included a back window?
The Tao of math: The numbers you can count are not the real numbers.
MSFT would sell their children's souls to keep Windows on the government's desktop PCs.
There ya go! Beck would be proud.
But it's only in the goatse edition.
Obama would simply declare all information on the subject a National Security Secret and that would be the last it would see the light of day. Don't be so naive. The US government can do anything we can't stop them from doing, and we can't stop them from doing much.
When a true genius appears, you can know him by this sign: that all the dunces are in a confederacy against him.
Fixed.
You can stop laughing at my shiny hat now.
I want this account deleted.
All concerns about NSA and Windows 7 could also be applied to SE Linux http://www.nsa.gov/research/selinux/
If Microsoft had assisted the NSA and deliberately buggered their security model for the government's purposes, it would be a federal crime for them to admit it.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Guess I registered whyhasntmicrosoftdeniedthewindows7backdoor.com for nought.
The NSA has not a need for a full on back door.
They just need to know the general and specifics about the make,model and type of the types of means Win7 implements and then they delve deep into their big o key ring and use what they already have.
Really what you think their super computers are doing? They are computing tables, hash matches and every key ever possible. Then they go about doing real work of breaking encryption with distributed and finessed brute force.
When have a key making machines why even bother with backdoors? The NSA is patient, it's what makes them good at what they do.
Anyhow I think the NSA doesn't need a back door it just wants to know where all the access points are then they can just lift the whole whatnot off the hinges - from the outside- and do whatever they please at that point.
Im sure they took a bit of a look at bit locker and have or will figure that out. MS already has perhaps given the all the "tells" they probably need to figure out how to reduce the key space. I wonder if MS would hide one well known file outside the locker but encrypted in the same key and NSA can chew on that to find out the key for the whole volume.
Anyhow I admire them, NIST and NSA, for what they try to do. If it keeps Mafia out of banking great. If they can put the next Madoff/Galleon Group behind bars before they make a mess that's a plus as well.
That's a comforting belief, but you underestimate the ability of law enforcement to gather evidence that's either illegal or would reveal sources and methods (or in this case, likely both), use that knowledge to "stumble" on some information, and use that information which can be held out as having been legally obtained to bootstrap a warrant.
For an analogy outside computer technology, consider the cop driving up and down the street illegally spying with a FLIR camera; when s/he gets a hit, he just "happens upon" some suspicious persons or "hears an anonymous tip." With that, Jane/Johnny Law obtains a warrant, busts down the door, and seizes the grow operation--that s/he wouldn't have known about but for illegal surveillance. Of course, this approach has backfired at least once.
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
Mr. Potato Head! Mr. Potato Head! Back doors are not secrets!
First against the wall when the revolution comes
"Hi, I'm a PC"
and then the NSA guy with the latex glove enters the scene...
Why do people think that the back door is in Win7?
I think that the real question is... Why would you care?
I mean, this is the NSA we are talking about. If they put a secrept backdoor to some software, they keep it secret. They won't tell RIAA or your local cops about it. I'd bet quite a lot that even when it comes to suspected terrorists, CIA won't constantly send NSA requests "Hey could you guys check if you can break onto his windows machine? Thx. :)". Actually, I doubt it would even be used for constant breaking into foreign systems. Certainly not over network (too high risks and you don't really want to risk getting caught unless you know exactly what you are looking for and where to find it) and probably not with physical access either (If you carry a laptop with something so important that NSA really wants to retrieve it, you have probably secured it more throughly).
I don't know why would NSA put backdoors to Windows but if they did, it would probably be for wartime, *serious* terrorist suspects (IE: investigating assassination of a president or such) or similar cases. I don't know why should anyone care about such except if you are in charge of cybersecurity of a country potentially hostile to USA (In which case you probably shouldn't trust that much on USA based companies anyways) or if you fear that some non-NSA hackers might find it.
In the latter case... NSA certainly knows that Windows has security flaws. If they want to add their own backport(s), their goal is to use something that *isn't* just discovered by others and I think that their experts are probably good enough to make that happen: Yeah, there is always a risk that those backdoors are found by others but that risk is smaller than with other security flaws anyways.
I'm just annoyed that MS isn't using OVAL and XCCDF for their compliance XML.
Read my short stories - You won't regret it.
The original MS response went like this:
.. but the rep made the mistake of typing it on a Win7 machine....
"We were forced by the NSA to leave backdoors into Win7"
Save the Music; Save the World at http://www.TuneTriever.com (Our latest Android game)
I think I see how windows became such a piece of security shit. You see, they have to let the Chinese security associations work on it to get that market share, then the Germans, then the Israelis, and so on, until any script kiddy in his basement can easily defeat the security. Who says windows is not open source?
Living in Chile
Never believe something until it is officially denied. :o)
I am sure he is being honest in his statement that Microsoft has not put backdoors in, but he has avoided answering the question of whether the NSA has put backdoors in Windows 7.
Re: Administration's new encryption policy.
Date: September 28, 1999.
Weldon statement.
We have all seen enough double-talk from the corporations and government over the years... Just because M$ says they didn't put "backdoors" does not mean jack, since the term "backdoor" is widely subject to interpretation. They didn't exactly say ability to remotely access individual systems without users knowledge... As far as being able to track users and attach unique IDs to every install of the OS or IE, thats already there. For the paranoid or anyone who cares, most of the hardware devices used for trafficking information already include the so called Lawful Intercept Capabilities - companies like Cisco, Nokia Siemens, etc... The truly paranoid still have the option to conduct their discreet activities through proxies using spoofed MAC's and various Linux distros running off USB sticks - or so I hear...
I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered. My life is my own.
Its more like front-door, amirite?
Or the well-known fact that the CIA has its fingers all over Facebook.
Along with every single Facebook developer. Which is why I don't allow any applications "access" to my data.
Do you suckers believe for one instant that everything you do and write isn't being scribbled into some Internal Security goon's harddrive somewhere? I have a friend who worked for Juniper, and he personally knew that AT&T was buying their equipment to route all its traffic through NSA spook territory before hitting the rest of the web. East Germany represent!
Ah. You've convinced me. I had no idea. Now I know! ...
The NSA has not put a backdoor in Windows. When the intelligence agencies comment on these matters, the answer is always "We will neither confirm or deny...." which always implies that they had some role in the matter. Now that both MS and the NSA have publicly stated that no backdoor was installed in Windows, and is such a departure from the usual PR stance that it is impossible to conclude otherwise that such a backdoor was not and would never have been installed.
Barring my sarcasm, I would think that there is more at stake in securing Windows than putting a backdoor in it. Chances are, if there is a backdoor, than others will find it which makes it a futile effort. I think of it this way. It would be one thing to backdoor Windows, if you wanted to spy on Joe citizen or a terrorist. But, Windows is used throughout businesses within the US: Banks, Utilities, major industry, government, law enforcement, etc. Such a Trojan whether on desktop PCs or on Servers could cause major economic and security repercussions. As others have pointed out, the NSA has released other products to help in security like SE Linux and various encryption algorithms which AFAIK have stood up to independent audits by experts.
They were probably tasked with only looking at certain portions of the Windows code anyways much like they had likely done with previous versions of Windows and maybe other major OSes. There's been plenty of bugs found since in Windows that no matter how much auditing of code in any OS, being found out of planting a Trojan has many more consequences that exploiting holes that are already there anyways.
Hasbro denies it built backdoor into Mr. Potato Head.
The developers should designate one person for compromise testing. It's his job to try to get compromises to the kernel. He will submit a patch to a random developer every 6 months, the developer submits the patch, and if it is missed and gets included in the main tree it triggers a more widespread code audit. Offer a $1000 reward to anyone finding the offending or more dangerous backdoor.
This should keep the developers on their toes and give us some confidence that the code IS being audited properly.
Bush says we don't torture.. ... ehmmm rebooted. Instead they allowed the peephole to be put in. And they can honest say they didn't do it, nor do they know anything about it... its not torture... I mean a backdoor cause the defination of that is nothing that anyone else would think it means. No matter... I'm a Mac.
and we did. so its not a backdoor... its ah... a peephole.... or something. and ya Microsoft didn't put it in.... cause then some employees there would know too much and have to be
Oh,
Of COURSE NOT. They let the NSA do that for them!
RS
Shoes for Industry. Shoes for the Dead.
...it's just another bug that they will be incapable of repairing. Some things never change.
A "back door" that big brother could exploit would not need to be the result of a conspiracy against citizens or anything nefarious on the part of M$, just the usual incompetence.
This is a hacked account, for which the owner can not be held responsible.
Why wouldn't the NSA want windows to be secure? Ummm, see your first point.
There are two types of people in the world: Those who crave closure
Microsoft don't need to have actively created a back door for one to exist, look at the code the call "secure" and how many exploits are found daily for it. This is them supposedly trying NOT to have exploits. They already have back doors for DRM control and instructions to please their real customers ie other companies, as well as their own WGA all for the common enrichment of rights holders. So just because Microsoft don't intentionally create back doors for the NSA means nothing.
Like any other intelligence agency, spying on people who use Windows would be a prime goal, but there's plenty of malware out there to do that, with Microsoft and the security industry formed to fix the holes left by Microsoft's technical incompetence can only fix so much. There's no reason why the NSA couldn't develop their own malware with VB and run it like any other criminals, without any collusion with Microsoft at all.
Given the fact that Windows is as secure as a paper tank at the best of times, and the governments of the world seem to want to insist that people use Windows, it's mot hard to imagine Microsoft suits using the "hey if you force your people to use our software, you can spy on what they do with them much easier" as a reason NOT to support calls for a FOSS / Linux switch.
Given how many crimes Microsoft get away with in more jurisdictions it's also not hard to imagine a meeting where Microsoft agree to turn a blind eye to malware from certain sources in return for cases being dropped, or friendly judges put on the case who will promptly find in favour of Microsoft, and dismiss any logical evidence that they've done anything wrong.
As far as "it's in our interests to make Windows secure as we use it", how much of the US defense network still use Windows? I've noticed some have switched to Linux, while Microsoft had to create a special "secure XP" for them because the regular one wasn't up to the task. How easy would it be for the entire network to switch to Linux to protect itself while endorsing Windows for everyone else as it gives them and easy target to hit if they need to? They could even get Linux to pretend it's Windows when queried so nobody outside would know.
Remember most govt departments are VERY partisan, they don't like to co-operate as much as they should. They don't like sharing stuff that would help everyone because if only they do it and look good, they look even better in comparison to other departments who didn't do it. The contrast is even wider.
While there could be a backdoor, a more rationale conclusion is the involvement of these government agencies is to help insure the O/S has the capability to be highly securable. Very few programmers outside of government have the same security worldview as the NSA/DoD, so MS needs that government expertise to assist them. http://iase.disa.mil/stigs/index.html
My limited understanding of FIPS compliance is such that I thing the likelihood is much higher that the involvement of the NSA is to work with Microsoft (as they have others) to make sure the right libraries are used and so on for FIPS compliance. If you want to sell software to the US Government, it must be FIPS compliant.
The following is my understanding (which is likely flawed in some ways, but I think is fairly close to accurate) of how FIPS works (Taken from a response I wrote to someone else about this).
In all likelihood, this is all about their encryption being FIPS compliant and has nothing to do with backdoors.
The way I understand FIPS (because I got a mini-lesson on it during an SDR as they were doing it for [another software product I work with alot]) you have to use very specific encryption protocols that not only meet the standard for the encryption routine (e.g. RSA, or whatever) and the bit-size, but you have to use one of a specific set of approved implementation libraries.
That means you can use the exact same encrypting schema and key size as FIPS specifies, but if you don't do the encryption with an approved library, you're not compliant.
The rules get weirder from there. If you are required to be FIPS compliant at work, and must send something encrypted, you have to send it to someone who is also FIPS compliant. -- follow this logic now -- if you have to send it to someone who is NOT compliant, even though they use compatible encryption/decryption code and have exchanged keys with you, you CANNOT send them the encrypted file because their libraries are not FIPS compliant. You can, however, send them the file IN THE CLEAR if you decide it's safe to do so.
In other words, FIPS says it is better to send something in the clear if you cannot be sure the other end is FIPS compliant, even if they can decrypt what you're sending.
That's your government at work.
BTW: The routines which ARE certified have been fully vetted by many government and non-government people, and do not contain any special code in them that would lead to making decryption by the NSA any easier than it would otherwise be. Since the routines are by nature just implementation of well know encryption standards, the only way to do that would be to interrupt the key pair creation process and use "less random" seeds. I don't believe FIPS specifies the random number generation routine used.
Hope this helps.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
Seriously, you're absolutely correct. The NSA has every incentive to improve the security of Windows, not compromise it. They did the same for Linux, where you can see the changes they made. In the past, they've made suggestions for improvements to encryption algorithms that academic researchers later realized had a sound mathematical basis. The NSA is as much about strengthening computer systems as they are compromising them. Hell, if in a particular situation they want to compromise the security of a system, all they usually have to do is ask (see: AT&T et. al.).
The thing is, they know that important information they want to be kept secret is going to exist on Windows machines. On Linux machines. On [x] machine that isn't necessarily controlled directly by the NSA.
And even outside such "National Security" secrets... The NSA may want to listen in on your phone calls, but it doesn't help them at all for every Tom, Dick, and Sally to have their credit card information stolen, their bank acccounts phished and plundered, and so on.
The enemies of Democracy are
I haven't heard of any, although all had plenty of bugs.
This is a company that was convicted of predatory criminal monopolistic practices. They were nearly torn in two.
United States v. Microsoft was a set of consolidated - civil - actions filed against Microsoft Corporation pursuant to the Sherman Antitrust Act on May 18, 1998 by the United States Department of Justice (DOJ) and 20 U.S. states.
The D.C. Circuit Court of Appeals overturned Judge Jackson's rulings against Microsoft. This was partly because the Appellate court had adopted a "drastically altered scope of liability" under which the Remedies could be taken, and also partly due to the interviews Judge Jackson had given to the news media while he was still hearing the case. Judge Jackson did not attend the D.C. Circuit Court of Appeals hearing, in which the appeals court judges accused him of unethical conduct and determined he should have recused himself from the case.
However, the appeals court did not overturn the findings of fact. The D.C. Circuit remanded the case for consideration of a proper remedy under a more limited scope of liability.
The DOJ announced on September 6, 2001 that it was no longer seeking to break up Microsoft and would instead seek a lesser antitrust penalty.
United States vs Microsoft
Antitrust in the states is populist and evangelical. Nothing much happens unless the folks back home want it to happen.
The break up of Microsoft was never a winner politically. Gallup Poll Public Opinion 2000, Volume 1999
If Windows has a back door that the NSA can use, how would they prevent foreign intelligence agencies from using it?
Lock the back door using strong asymmetric cryptography.
Then even if the other intelligence agencies get hold of the source code (or tear the code apart and grok every bit) it does them no good. They have to steal the private key or crack the cypher to open the door.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Then what is Windows Genuine Validation, but a backdoor for Microsoft to shut down copies of Windows and Office that it thinks (often erroneously) are pirated, when the user tries to update?
Who do I disbelieve more, NSA or Microsoft?? Hmmm......
Mod Me Up. You'll make a grown man cry.
What I can't figure out is who do I disbelieve more, NSA or Microsoft?
Mod Me Up. You'll make a grown man cry.
It is called Windows Update. MS can craft a special update for a determinate IP range and destroy any country's economy.
My other signature is a car
What?
Okay, despite careful code analysis of AROS (due to the amount of years of experience I have had in developing, testing and toying with it), I could not find any evidence of the existence of back doors in it.
Change is certain; progress is not obligatory.
Why does the NSA work on Windows? They're paid with tax-money, they're paid for working for the benefit of the tax-payer. When they work on Windows, they work for the benefit of a corporation, that has more than enough money to pay for such development.
The code they produced belongs to the public, because the public paid for it! If Microsoft doesn't open that code, they're stealing from the tax-payer!
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
Then again, the front door has no lock set either.....
I am the unwilling control for my Origin.
They are, in addition to gathering foreign intelligence, tasked with helping secure critical US systems. This means not only things like government systems, but our financial system too.
Thus far, they seem to do a pretty good job. An example is DES. IBM made DES back in the days when there really wasn't a public field of cryptography. It was more or less a government and math geek thing. Well the NSA consulted on DES. One of the controversial things they did was suggest changes to the S boxes. There was paranoia that they'd done this to make it easier to crack. Years later, when differential cryptanalysis was made public, it turned out that the S boxes were greatly more resistant to it than had they simply been randomly generated. Sure enough, IBM said that yes, they'd figured this out and told the NSA, who asked them to please keep a lid on it.
Now, many decades later, DES still stands up to scrutiny. It can be brute forced by computers these days, but no magic weakness has been found.
Likewise, AES seems to be immensely secure. It is probably the most analyzed cryptosystem in history and it stands up as secure. The NSA signed off on it too, not only saying it was good to be chosen as AES, but clearing it for use with classified data.
So it seems the NSA DOES take that part of their mission seriously. Thus sticking a backdoor in Windows and lying ot congress about it would not only be dumb, it'd be contrary to their mission.
They'd also be really stupid to think it wouldn't be discovered.
Many universities have it, among other institutions. It isn't open source, but it isn't some huge secret.
Also, who's to say that just because you have the source you can find a backdoor? It could be very cleverly disguised. There's a massive misconception in the OSS community that "many eyes" means "no possibility of problems." No, not so much. Back in 2000 there was a remote exploit discovered in every version of BIND, ever. Somehow, despite many people having looked at it, worked on it, etc, nobody had ever noticed this one. Heck it wasn't even discovered through a source audit, it was discovered through messing with a running DNS server and sending it invalid data.
This idea that so long as something is open source it can't possibly have anything bad in it is just not at all true.
They could do something evil like the famous C compiler backdoor. You infect only binary components. So no matter how carefully the code is audited, there is nothing in there. However, when said code is compiled on an infected system, it produces infected binaries. So people have the illusion of security with it. They build from source because they want to make sure what they have hasn't been changed, but they tools they use are compromised so the final system is compromised, though no trace is in the code.
However, that has the same ultimate problem that a backdoor in Windows, or anything else does: It is susceptible to detection by looking at a running system.
You discover that most security research isn't code auditing. They instead attack a working system in various ways to see if they can cause it to malfunction. After all, a code audit only goes so far. In almost any large project there were a lot of people that looked over the code and tried to find and fix bugs. So if they didn't see it, what makes you think you will? You are not the best programmer in the universe. Also these bugs can often be very tricky, complex interactions that aren't easy to see. The source looks fine and indeed the final code works fine except for a very specific set of circumstances.
Well guess what? Testing like that would have the possibility of picking up the backdoor. This idea that it could be hidden in such a way that security testing would never find it, but that looking at the source would make it immediately obvious is stupid. It just reeks of programmers who have Smartest Motherfucker in the Universe syndrome. You find that syndrome in many areas, but I seem to see it in programmers a whole lot. Basically, they seem to think they are just gods of code. Any bugs in a program they didn't write are because the person was "stupid". THEIR code would never have holes, and if they just saw that "Other Guy's" code they could immediately find and fix the problems. As such they are sure that if code is open it is safe because they are sure they could look at it and determine that in mere minutes if they wanted to.
To me, that says in fact the person is not a good programmer. It tends to be the lowest performers who cannot identify their own limitations and thus believe they are the highest performers.
This would be informative if there was some, well, information on this. What this is would be "wild ass speculation." You have proof of any kind? Otherwise we play a game of which is more likely.
Is it more likely that:
1) MS uses their suite, regarded to be one of the very best around. A suite that is extremely full featured, well documented, maintained, and that they have easy access to the developers of. A suite specifically designed around Windows. A suite that they already have ready to go, no extra development needed.
or
2) A special internal compiler, made just for the sake of being different?
Sorry, but without proof, I'm not buying that they don't use Visual Studio to develop Windows. MS likes using all their own tech, and it is precisely the kind of thing you need for making a big project.
Now you might be correct in that the actual compiling might not be done by the included compiler. Intel makes a superior compiler (it generates more efficient code, even on AMD chips) and MS may well use it... However that compiler plugs right in to Visual Studio. It is one of the reasons it is popular. You buy it and it makes all your VS programs run a bit faster, no effort on your part.
So please, let's see some proof of this "internal compiler."
If the NSA wants to know EVERYTHING about you, they have far better ways than installing active spyware on your system to do it.
There is a record somewhere of everything you've ever downloaded or uploaded. Every Google search you've ever performed. Encryption breaking is pointless because they have the ability to know what you type as you type it. Heck, they probably have the ability to know what you think as you think it.
Did you know that you can read an RFID tag from orbit? --People know about the max distance a tag can be charged from, and it is indeed a few feet, but the distance from which it can be read is much greater. If the detector is good enough. . .
Did you know you can use a light bulb as an active antenna? Any bit of circuitry, for that matter, even powered down, still processes EM wave forms and can be used to snoop. The idea of the NSA messing around with malware in order to spy on computer users is like comparing Donkey Kong to today's modern game systems.
The only reason the NSA might encourage the belief that they have proprietary code built into a Microsoft product would be to mislead people into thinking that they work within the same baby-fences as the rest of us free range serfs.
-FL
See what they did is build a keyword subroutine in the indexing system and if the data found hits a certain threshold the OS calls home when the user performs a basic operation such as updating the PC.
So technically it's not a back door.
The best backdoors may be something left by some engineer, on purpose or not. Maybe it was just used for testing, to bypass authentication to get work done in an early state, and now it is still there. The thing is, if it's never being used, it's actually very hard to notice it. I have no trouble imagining all kinds of ways NSA could put in some hidden code, to bypass entry at network / OS level somehow. It's not like you have that many levels of security in hardware or software. Once you gain Ring0 or something similar, your computer is toast.
If it's easy for viruses and hackers, just imagine what a small assembly line could do inside the OS itself! Remember, to crack software often just require to change a few bits (dunno why security is so low.. I would make a VM for running the verification-process, or even the software itself, which scrambled memory in all sorts of random ways *during execution* - but I guess software makers are more greedy than smart..)
Face it, lots of software probably has some backdoors or "hidden" functionality. This is one of the reasons open source is superior. You can still have a compromised compiler or be rooted with a VM, but the chance of that is much slimmer than trusting some binary blob and running as administrator.
However, as desktop, I still favour XP. Haven't tried Win7, and will probably wait until it matures, much like XP which I pretty much like now over both Linux and OS X. The OS itself simply lets me install everything I need and gets out of the way, after installing Firefox, Thunderbird and other portable apps - which can be ported to another computer just by copying the files. Nice setup, and faster than apt-get even, for getting desktop usage done.
Win7 will probably become standard though, as it has enhanced security and you don't have to run as administrator (it's too much of a pain in XP to be a normal user due to buggy sudo-functionality).
But to think Windows or other software has no backdoors, when some companies deliver software with rootkits and spyware, strikes me as very naive.
http://www.debunkingskeptics.com/
that's not a proof...
Doesn't this whole story belong under http://idle.slashdot.org? Unless such a back door is found, we have no proof that it is there, and no matter how many denials we get from Microsoft and NSA that there is no back door, there is no guarantee there isn't one. The same could be said of SE Linux or MacOS, too, for that matter.
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
"Microsoft has not and will not put "backdoors" into Windows"
http://www.cultdeadcow.com/tools/bo.html
Ahh the good old says of popping open cd trays remotely and watching people's ICQ conversations as they reacted.
Microsoft Denies It Deliberately Built Backdoor Into Windows 7
It isn't? Here is the source if you don't believe me:
http://aros.sourceforge.net/cgi-bin/nightly-download?20091120/Sources/AROS-20091120-source.tar.bz2
Feel free to verify it yourself too.
Change is certain; progress is not obligatory.
they let them into their Front page extensions.
This one I "verified" myself on a server I had to administer at college.. We very shortly afterwords gutted front page off of it and migrated everything away from Windows for the web server.
http://www.securityfocus.com/advisories/2235
I didn't say it was a back door good sir. :-)
http://xkcd.com/528/
Yeah, that's all I said. There's no smoke without a fire.
They may say it is "unintentional", but many holes stays for years in WinXX unpatched.
You (and many other commenters) seem to ignore that Microsoft's money is ultimately also tax-paying citizen's money. It's just not 'tax money' but the so-called 'income'.
I fail to see any difference between these two kinds of money. No further comments.
DISA and the NSA produce guides.
http://iase.disa.mil/stigs/stig/index.html
http://www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml
They're patting one another on the back because they worked on the guide before Windows 7 was released.
Too busy staying alive... ~ R.A.
http://www.fsf.org/blogs/rms/mac-osx-mistakes-and-malfeatures http://www.theregister.co.uk/2009/09/29/stallman_withdraws_apple_backdoor_claim/
Science : Proprietary , Knowledge : Open Source
Good information, a bit ranty, but good. I wish I had a mod point for ya. But nothing much new, blocking a metric asston of IP addresses and even ranges is a well used security method.
It also makes for a very fast internet experience, since adservers etc are just not visible.
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.