Slashdot Mirror


In Face of Flame Malware, Microsoft Will Revamp Windows Encryption Keys

coondoggie writes "Starting next month, updated Windows operating systems will reject encryption keys smaller than 1024 bits, which could cause problems for customer applications accessing Web sites and email platforms that use the keys. The cryptographic policy change is part of Microsoft's response to security weaknesses that came to light after Windows Update became an unwitting party to Flame Malware attacks, and affects Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating systems."


  1. Moles at Microsoft and Apple by noh8rz5 · Score: 1, Insightful

    Fact is, domestic and foreign govt agencies have moles working at Microsoft and Apple to insert back doors or defeat encryption at the source. This is how stuff like Flame happens. The only way out of this is to use an open source operating system where you can do your own code review, and where one guy doesn't have a bottleneck of control. Same goes for iOS vs Android.

    1. Re:Moles at Microsoft and Apple by lightknight · Score: 4, Insightful

      Indeed. Why have a mole try to alter the code, and run the risk of being discovered, when you have a copy of the source, and can find existing bugs to use?

      --
      I am John Hurt.
    2. Re:Moles at Microsoft and Apple by drinkypoo · Score: 4, Insightful

      Citation: my contacts at Microsoft and Apple. Obviously I can't name names.

      Obviously you can't be taken seriously, either. It's not that I don't believe you, it's that I can't ever cite you.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Moles at Microsoft and Apple by drinkypoo · Score: 4, Insightful

      Others have come to the same conclusion as noh8rz5

      Well, I know this is one of those things annoying people say to be annoying, but the plural of anecdote is not data. I have come to the same conclusion, too, but I don't state it as fact, because there's no citable evidence.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Moles at Microsoft and Apple by phantomfive · Score: 3, Insightful

      Is there any evidence at all? Really wondering.

      Also, I seriously doubt a 'contact' at Apple or Microsoft is going to know about spies.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:Moles at Microsoft and Apple by WaffleMonster · Score: 2, Insightful

      Personally, I use Linux because it's lower maintenance and less overhead, and gets out of my way when I'm working, but if I was a business lead, I'd certainly be avoiding Windows for anything requiring data security. The wonder is that we're not seeing users suing over compromised data/systems.

      I know right... What are the chances out of the bazillion open source projects that go into your average Linux distribution any of them could be infiltrated by a three letter agency from this or any other nation... Impossible.... totally ...utterly..... impossible... ..right...?

      I know some people will say well, it's open source, others would have the code and just know. Just like they knew about that Debian "SSL patch"... Or any of hundreds of "innocent" security bugs having later been discovered by attackers.

      How long was kernel.org compromised? Without anyone knowing?

  2. Re:Er, export restrictions? by morcego · Score: 4, Insightful

    IIRC, crypto algorithms that use keys that large qualify as munitions and are subject to ITAR export regulations. Which means a lot of people with legal licenses will be (legally, anyway) prevented from making use of any Windows feature which requires a key length of 1024 bits or more.

    Maybe ... when your time machine works and they are all sent back to 1997. Because, since then, it is no longer restricted by ITAR and can be freely exported...

    --
    morcego
  3. Re:1024? by ebob9 · Score: 4, Insightful

    Posting to remind me to quote this when we're all having discussions about the need to require 16,384-bit keys.