Slashdot Mirror
Microsoft Denies It Built Backdoor Into Windows 7
CWmike writes "Microsoft has denied that it has built a backdoor into Windows 7, a concern that surfaced yesterday after a senior National Security Agency (NSA) official testified before Congress that the agency had worked on the operating system. 'Microsoft has not and will not put "backdoors" into Windows,' a company spokeswoman said, reacting to a Computerworld story Wednesday. On Monday, Richard Schaeffer, the NSA's information assurance director, told the Senate's Subcommittee on Terrorism and Homeland Security that the agency had partnered with the developer during the creation of Windows 7 'to enhance Microsoft's operating system security guide.' Thursday's categorical denial by Microsoft was accompanied by further explanation of exactly how the NSA participated in the making of Windows 7. 'The work being discussed here is purely in conjunction with our Security Compliance Management Toolkit,' said the spokeswoman. The company rolled out the Windows 7 version of the toolkit late last month, shortly after it officially launched the operating system."
I believe Microsoft anytime that they would not build back doors into the system... If they tried, the backdoor would probably have enough bugs to be unusable.
Besides - doesn't it already state it in the story:
"Microsoft has not and will not put "backdoors" into Windows"
"the agency had worked on the operating system."
Seems pretty clear, MS did NOT put a backdoor into it... ;-)
At least, not intentionally.
Why do people think that the back door is in Win7?
The NSA put the backdoor in the Intel compiler, that's a much better place to put a backdoor or more accurately spread a backdoor
It's not like they need to put a back door on it. There will be about 500 exploits found within the next year as it is.
http://twitter.com/OLDTELEGRAM
Odds are the NSA is privy to whatever the current exploits are for windows operating systems anyways. I wouldn't be surprised if they had staff working on breaking into Windows machines if for nothing else than attacks on targets outside the US.
"It's for the RIAA."
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Nah, it's all the front door - javascript through ie
A feeling of having made the same mistake before: Deja Foobar
God: "NOAH!"
Noah: "What!"
God: "Noah, I did not put a backdoor in Windows 7."
Noah: "[...] RIGHT."
The NSA did SELinux (for Linux...) so I don't think it's unreasonable to think they might have helped MS on security issues without doing anything nasty.
This is true. However, I plan to register microsoftrapedandkilledandembeddedinwindows7ayounggirlin2009.com because they haven't denied that they have not.
'Microsoft has not and will not put "backdoors" into Windows,' a company spokeswoman said, reacting to a Computerworld story Wednesday.
- of-course you wouldn't. MS is a stand up company, known for ethical behavior, fair treatment of its users, etc. I mean, it would never!
You can't handle the truth.
Please, they have microphones in my clothes, on the desk, in the walls, the fly buzzing by your mouth is their robot!!! Meet me by the dumpster out back around 5pm, come alone.
Unfortunately I have a bad habit of reading things aloud when I read them and by the time I was finished the fly was gone and the man sitting across from me was dead. The government doctor that rushed in the room and gave him pentobarbital in an attempt to revive him said it was due to an aneurysm caused by a robotic fly which he says he sees a lot of so it's nothing for me to look into.
I guess there's no story here after all.
My work here is dung.
NSA: "We wrote a guide and a separate tool to help in enterprise security management"
ComputerWorld: "OMG NSA TROJANED WINDOWS 7"
NSA: "WTF? We made a document and stand-alone download..."
ComputerWorld: "CONSPIRACY!"
NSA: "Uh, we work with linux too you know... SELinux...?"
ComputerWorld: "FRONTPAGE HEADLINE NEWS! WINDOWS 7 BACKDOOR EXISTS!"
Slashdot: "ZOMG! NSA MADE A WINDOWS 7 BACKDOOR!"
and Windows 7 was my idea.
An OS that runs on 90% of computers in the world is a de facto strategic weapon.
> The NSA, CIA or FBI made the backdoor. And then forced Microsoft to include
> it in the final build of the OS.
In that case it might actually work.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Just check the sou..
Ah.
Despite many years’ warnings that Microsoft regards security as a marketing problem and has only ever done the absolute minimum it can get away with, millions of users who click on any rubbish they see in the hope of pictures of female tennis stars having wardrobe malfunctions still fail to believe that taking Windows out on the Internet is like standing bent over in the street in downtown Gomorrah, naked, arse greased up and carrying a flashing neon sign saying “COME AND GET IT.”
Microsoft cannot believe people have not applied the patch for the problems, just because they keep trying to use Windows Genuine Advantage to break legally-bought systems. “Don’t they trust us?” asked marketing marketer Steve Ballmer.
Millions of smug Mac users and the four hundred smug Linux users pointed and laughed, having long given up trying to convince their Windows-using friends to see sense. “There’s a reason the Unix system on Mac OS X is called Darwin,” said appallingly smug Mac user Arty Phagge.
“It can’t be stupid if everyone else runs it,” said Windows user Joe Beleaguered, who had lost all his email, business files, MP3s and porn again. “Macs cost more than Windows PCs.”
“Yes,” said Phagge. “Yes, they do.”
Ubuntu Linux developer Hiram Nerdboy frantically tried to get our attention about something or other, but we can’t say we care.
http://rocknerd.co.uk
Of course you can trust the government. I mean, this is the NSA we're talking about. They're on YOUR side.
And as for Microsoft, or any other multinational company for that matter, they have grown to the size that they are because they are 100% honest to goodness hard working souls that, when faced with a decision, will always take the ethically correct side. I mean that's how you get fantastically rich, isn't it? Ask our hard working friends at Goldman Sachs, for example!
I'm shocked that you could even consider that Microsoft could be lying. I mean, what happens if they get caught lying? Surely the "back door" would be right there in the source code for all to see, and they'd be found out right away. Oh, wait... sorry, you don't get to see the source code. But Microsoft apologized for violating the GPL, that makes them GOOD guys. You're not suggesting that if anyone ever DID find out some sort of way to control a Windows machine, all they'd have to do is call it a "security vulnerability" and issue a patch (with a different back door) for it, are you?
Seven puppies were harmed during the making of this post.
The military does. Or did for older version. The military used to have a strict rule that any software run on classified networks (yeah, 98 ran (and probably still does) on such systems as communications, nuclear, and others) had to be open source or they had to be allowed to view the source. I do not know if this still applies.
No comprende? Let me type that a little slower for you...
You know, its funny, but if the NSA ever got its hooks into a repository, it could do all sorts of fun stuff that way in Linux. We only "trust" Linux because Linux is a huge trust circle. WE trust it because its open, and assume that someone else must have looked at it. But I have about as much idea of what's going on inside of my Ubuntu as I did my Windows, from a backdoor perspective.
This is my sig.
MSFT would sell their children's souls to keep Windows on the government's desktop PCs.
But it's only in the goatse edition.
All concerns about NSA and Windows 7 could also be applied to SE Linux http://www.nsa.gov/research/selinux/
If Microsoft had assisted the NSA and deliberately buggered their security model for the government's purposes, it would be a federal crime for them to admit it.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
The NSA has not a need for a full on back door.
They just need to know the general and specifics about the make,model and type of the types of means Win7 implements and then they delve deep into their big o key ring and use what they already have.
Really what you think their super computers are doing? They are computing tables, hash matches and every key ever possible. Then they go about doing real work of breaking encryption with distributed and finessed brute force.
When have a key making machines why even bother with backdoors? The NSA is patient, it's what makes them good at what they do.
Anyhow I think the NSA doesn't need a back door it just wants to know where all the access points are then they can just lift the whole whatnot off the hinges - from the outside- and do whatever they please at that point.
Im sure they took a bit of a look at bit locker and have or will figure that out. MS already has perhaps given the all the "tells" they probably need to figure out how to reduce the key space. I wonder if MS would hide one well known file outside the locker but encrypted in the same key and NSA can chew on that to find out the key for the whole volume.
Anyhow I admire them, NIST and NSA, for what they try to do. If it keeps Mafia out of banking great. If they can put the next Madoff/Galleon Group behind bars before they make a mess that's a plus as well.
That's a comforting belief, but you underestimate the ability of law enforcement to gather evidence that's either illegal or would reveal sources and methods (or in this case, likely both), use that knowledge to "stumble" on some information, and use that information which can be held out as having been legally obtained to bootstrap a warrant.
For an analogy outside computer technology, consider the cop driving up and down the street illegally spying with a FLIR camera; when s/he gets a hit, he just "happens upon" some suspicious persons or "hears an anonymous tip." With that, Jane/Johnny Law obtains a warrant, busts down the door, and seizes the grow operation--that s/he wouldn't have known about but for illegal surveillance. Of course, this approach has backfired at least once.
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
Mr. Potato Head! Mr. Potato Head! Back doors are not secrets!
First against the wall when the revolution comes
"Hi, I'm a PC"
and then the NSA guy with the latex glove enters the scene...
Never believe something until it is officially denied. :o)
Re: Administration's new encryption policy.
Date: September 28, 1999.
Weldon statement.
The NSA has not put a backdoor in Windows. When the intelligence agencies comment on these matters, the answer is always "We will neither confirm or deny...." which always implies that they had some role in the matter. Now that both MS and the NSA have publicly stated that no backdoor was installed in Windows, and is such a departure from the usual PR stance that it is impossible to conclude otherwise that such a backdoor was not and would never have been installed.
Barring my sarcasm, I would think that there is more at stake in securing Windows than putting a backdoor in it. Chances are, if there is a backdoor, than others will find it which makes it a futile effort. I think of it this way. It would be one thing to backdoor Windows, if you wanted to spy on Joe citizen or a terrorist. But, Windows is used throughout businesses within the US: Banks, Utilities, major industry, government, law enforcement, etc. Such a Trojan whether on desktop PCs or on Servers could cause major economic and security repercussions. As others have pointed out, the NSA has released other products to help in security like SE Linux and various encryption algorithms which AFAIK have stood up to independent audits by experts.
They were probably tasked with only looking at certain portions of the Windows code anyways much like they had likely done with previous versions of Windows and maybe other major OSes. There's been plenty of bugs found since in Windows that no matter how much auditing of code in any OS, being found out of planting a Trojan has many more consequences that exploiting holes that are already there anyways.
The developers should designate one person for compromise testing. It's his job to try to get compromises to the kernel. He will submit a patch to a random developer every 6 months, the developer submits the patch, and if it is missed and gets included in the main tree it triggers a more widespread code audit. Offer a $1000 reward to anyone finding the offending or more dangerous backdoor.
This should keep the developers on their toes and give us some confidence that the code IS being audited properly.
...it's just another bug that they will be incapable of repairing. Some things never change.
A "back door" that big brother could exploit would not need to be the result of a conspiracy against citizens or anything nefarious on the part of M$, just the usual incompetence.
This is a hacked account, for which the owner can not be held responsible.
Microsoft don't need to have actively created a back door for one to exist, look at the code the call "secure" and how many exploits are found daily for it. This is them supposedly trying NOT to have exploits. They already have back doors for DRM control and instructions to please their real customers ie other companies, as well as their own WGA all for the common enrichment of rights holders. So just because Microsoft don't intentionally create back doors for the NSA means nothing.
Like any other intelligence agency, spying on people who use Windows would be a prime goal, but there's plenty of malware out there to do that, with Microsoft and the security industry formed to fix the holes left by Microsoft's technical incompetence can only fix so much. There's no reason why the NSA couldn't develop their own malware with VB and run it like any other criminals, without any collusion with Microsoft at all.
Given the fact that Windows is as secure as a paper tank at the best of times, and the governments of the world seem to want to insist that people use Windows, it's mot hard to imagine Microsoft suits using the "hey if you force your people to use our software, you can spy on what they do with them much easier" as a reason NOT to support calls for a FOSS / Linux switch.
Given how many crimes Microsoft get away with in more jurisdictions it's also not hard to imagine a meeting where Microsoft agree to turn a blind eye to malware from certain sources in return for cases being dropped, or friendly judges put on the case who will promptly find in favour of Microsoft, and dismiss any logical evidence that they've done anything wrong.
As far as "it's in our interests to make Windows secure as we use it", how much of the US defense network still use Windows? I've noticed some have switched to Linux, while Microsoft had to create a special "secure XP" for them because the regular one wasn't up to the task. How easy would it be for the entire network to switch to Linux to protect itself while endorsing Windows for everyone else as it gives them and easy target to hit if they need to? They could even get Linux to pretend it's Windows when queried so nobody outside would know.
Remember most govt departments are VERY partisan, they don't like to co-operate as much as they should. They don't like sharing stuff that would help everyone because if only they do it and look good, they look even better in comparison to other departments who didn't do it. The contrast is even wider.
My limited understanding of FIPS compliance is such that I thing the likelihood is much higher that the involvement of the NSA is to work with Microsoft (as they have others) to make sure the right libraries are used and so on for FIPS compliance. If you want to sell software to the US Government, it must be FIPS compliant.
The following is my understanding (which is likely flawed in some ways, but I think is fairly close to accurate) of how FIPS works (Taken from a response I wrote to someone else about this).
In all likelihood, this is all about their encryption being FIPS compliant and has nothing to do with backdoors.
The way I understand FIPS (because I got a mini-lesson on it during an SDR as they were doing it for [another software product I work with alot]) you have to use very specific encryption protocols that not only meet the standard for the encryption routine (e.g. RSA, or whatever) and the bit-size, but you have to use one of a specific set of approved implementation libraries.
That means you can use the exact same encrypting schema and key size as FIPS specifies, but if you don't do the encryption with an approved library, you're not compliant.
The rules get weirder from there. If you are required to be FIPS compliant at work, and must send something encrypted, you have to send it to someone who is also FIPS compliant. -- follow this logic now -- if you have to send it to someone who is NOT compliant, even though they use compatible encryption/decryption code and have exchanged keys with you, you CANNOT send them the encrypted file because their libraries are not FIPS compliant. You can, however, send them the file IN THE CLEAR if you decide it's safe to do so.
In other words, FIPS says it is better to send something in the clear if you cannot be sure the other end is FIPS compliant, even if they can decrypt what you're sending.
That's your government at work.
BTW: The routines which ARE certified have been fully vetted by many government and non-government people, and do not contain any special code in them that would lead to making decryption by the NSA any easier than it would otherwise be. Since the routines are by nature just implementation of well know encryption standards, the only way to do that would be to interrupt the key pair creation process and use "less random" seeds. I don't believe FIPS specifies the random number generation routine used.
Hope this helps.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
Seriously, you're absolutely correct. The NSA has every incentive to improve the security of Windows, not compromise it. They did the same for Linux, where you can see the changes they made. In the past, they've made suggestions for improvements to encryption algorithms that academic researchers later realized had a sound mathematical basis. The NSA is as much about strengthening computer systems as they are compromising them. Hell, if in a particular situation they want to compromise the security of a system, all they usually have to do is ask (see: AT&T et. al.).
The thing is, they know that important information they want to be kept secret is going to exist on Windows machines. On Linux machines. On [x] machine that isn't necessarily controlled directly by the NSA.
And even outside such "National Security" secrets... The NSA may want to listen in on your phone calls, but it doesn't help them at all for every Tom, Dick, and Sally to have their credit card information stolen, their bank acccounts phished and plundered, and so on.
The enemies of Democracy are
It is called Windows Update. MS can craft a special update for a determinate IP range and destroy any country's economy.
My other signature is a car
Why does the NSA work on Windows? They're paid with tax-money, they're paid for working for the benefit of the tax-payer. When they work on Windows, they work for the benefit of a corporation, that has more than enough money to pay for such development.
The code they produced belongs to the public, because the public paid for it! If Microsoft doesn't open that code, they're stealing from the tax-payer!
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
They are, in addition to gathering foreign intelligence, tasked with helping secure critical US systems. This means not only things like government systems, but our financial system too.
Thus far, they seem to do a pretty good job. An example is DES. IBM made DES back in the days when there really wasn't a public field of cryptography. It was more or less a government and math geek thing. Well the NSA consulted on DES. One of the controversial things they did was suggest changes to the S boxes. There was paranoia that they'd done this to make it easier to crack. Years later, when differential cryptanalysis was made public, it turned out that the S boxes were greatly more resistant to it than had they simply been randomly generated. Sure enough, IBM said that yes, they'd figured this out and told the NSA, who asked them to please keep a lid on it.
Now, many decades later, DES still stands up to scrutiny. It can be brute forced by computers these days, but no magic weakness has been found.
Likewise, AES seems to be immensely secure. It is probably the most analyzed cryptosystem in history and it stands up as secure. The NSA signed off on it too, not only saying it was good to be chosen as AES, but clearing it for use with classified data.
So it seems the NSA DOES take that part of their mission seriously. Thus sticking a backdoor in Windows and lying ot congress about it would not only be dumb, it'd be contrary to their mission.
They'd also be really stupid to think it wouldn't be discovered.
Many universities have it, among other institutions. It isn't open source, but it isn't some huge secret.
Also, who's to say that just because you have the source you can find a backdoor? It could be very cleverly disguised. There's a massive misconception in the OSS community that "many eyes" means "no possibility of problems." No, not so much. Back in 2000 there was a remote exploit discovered in every version of BIND, ever. Somehow, despite many people having looked at it, worked on it, etc, nobody had ever noticed this one. Heck it wasn't even discovered through a source audit, it was discovered through messing with a running DNS server and sending it invalid data.
This idea that so long as something is open source it can't possibly have anything bad in it is just not at all true.
They could do something evil like the famous C compiler backdoor. You infect only binary components. So no matter how carefully the code is audited, there is nothing in there. However, when said code is compiled on an infected system, it produces infected binaries. So people have the illusion of security with it. They build from source because they want to make sure what they have hasn't been changed, but they tools they use are compromised so the final system is compromised, though no trace is in the code.
However, that has the same ultimate problem that a backdoor in Windows, or anything else does: It is susceptible to detection by looking at a running system.
You discover that most security research isn't code auditing. They instead attack a working system in various ways to see if they can cause it to malfunction. After all, a code audit only goes so far. In almost any large project there were a lot of people that looked over the code and tried to find and fix bugs. So if they didn't see it, what makes you think you will? You are not the best programmer in the universe. Also these bugs can often be very tricky, complex interactions that aren't easy to see. The source looks fine and indeed the final code works fine except for a very specific set of circumstances.
Well guess what? Testing like that would have the possibility of picking up the backdoor. This idea that it could be hidden in such a way that security testing would never find it, but that looking at the source would make it immediately obvious is stupid. It just reeks of programmers who have Smartest Motherfucker in the Universe syndrome. You find that syndrome in many areas, but I seem to see it in programmers a whole lot. Basically, they seem to think they are just gods of code. Any bugs in a program they didn't write are because the person was "stupid". THEIR code would never have holes, and if they just saw that "Other Guy's" code they could immediately find and fix the problems. As such they are sure that if code is open it is safe because they are sure they could look at it and determine that in mere minutes if they wanted to.
To me, that says in fact the person is not a good programmer. It tends to be the lowest performers who cannot identify their own limitations and thus believe they are the highest performers.
If the NSA wants to know EVERYTHING about you, they have far better ways than installing active spyware on your system to do it.
There is a record somewhere of everything you've ever downloaded or uploaded. Every Google search you've ever performed. Encryption breaking is pointless because they have the ability to know what you type as you type it. Heck, they probably have the ability to know what you think as you think it.
Did you know that you can read an RFID tag from orbit? --People know about the max distance a tag can be charged from, and it is indeed a few feet, but the distance from which it can be read is much greater. If the detector is good enough. . .
Did you know you can use a light bulb as an active antenna? Any bit of circuitry, for that matter, even powered down, still processes EM wave forms and can be used to snoop. The idea of the NSA messing around with malware in order to spy on computer users is like comparing Donkey Kong to today's modern game systems.
The only reason the NSA might encourage the belief that they have proprietary code built into a Microsoft product would be to mislead people into thinking that they work within the same baby-fences as the rest of us free range serfs.
-FL
The best backdoors may be something left by some engineer, on purpose or not. Maybe it was just used for testing, to bypass authentication to get work done in an early state, and now it is still there. The thing is, if it's never being used, it's actually very hard to notice it. I have no trouble imagining all kinds of ways NSA could put in some hidden code, to bypass entry at network / OS level somehow. It's not like you have that many levels of security in hardware or software. Once you gain Ring0 or something similar, your computer is toast.
If it's easy for viruses and hackers, just imagine what a small assembly line could do inside the OS itself! Remember, to crack software often just require to change a few bits (dunno why security is so low.. I would make a VM for running the verification-process, or even the software itself, which scrambled memory in all sorts of random ways *during execution* - but I guess software makers are more greedy than smart..)
Face it, lots of software probably has some backdoors or "hidden" functionality. This is one of the reasons open source is superior. You can still have a compromised compiler or be rooted with a VM, but the chance of that is much slimmer than trusting some binary blob and running as administrator.
However, as desktop, I still favour XP. Haven't tried Win7, and will probably wait until it matures, much like XP which I pretty much like now over both Linux and OS X. The OS itself simply lets me install everything I need and gets out of the way, after installing Firefox, Thunderbird and other portable apps - which can be ported to another computer just by copying the files. Nice setup, and faster than apt-get even, for getting desktop usage done.
Win7 will probably become standard though, as it has enhanced security and you don't have to run as administrator (it's too much of a pain in XP to be a normal user due to buggy sudo-functionality).
But to think Windows or other software has no backdoors, when some companies deliver software with rootkits and spyware, strikes me as very naive.
http://www.debunkingskeptics.com/
DISA and the NSA produce guides.
http://iase.disa.mil/stigs/stig/index.html
http://www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml
They're patting one another on the back because they worked on the guide before Windows 7 was released.
Too busy staying alive... ~ R.A.