Slashdot Mirror

← Back to Stories (view on slashdot.org)

NSA backdoor creates security hole in Windows

Posted by ryuzaki0 on from the i-think-i-get-it dept.

A number of people have written in with the news that Cryptonym has found an apparent backdoor for the NSA (called NSAKEY) in all current versions of Windows. However, you can open this backdoor yourself and install your own strong cryto module in place of the built-in one. More details are also online, but to be quite frank, we aren't quite sure on this one-so, if you're more qualified comment, please do so below.Update: 09/03 11:19 by H :Thanks to Jens Hillman for more information from the German Chaos Computer Club. Der Webpage ist auf Deutsch-Babelfish it.

5 of 576 comments (clear)

  1. Some NSA backdoors are explicit by Paul+Crowley · · Score: 5
    First, this is being presented at Crypto '99, not Def Con Two. It's peer reveiewed, guys, it's pretty much bound to be legit.

    Second, every copy of Lotus Notes carries an explicit NSA backdoor, called the "Cryptographic Differential Work Factor". Essentially the point is that part of every secret key is encrypted with the NSA's public key, so where we would have to brute-force 128 bits to get in, they have to brute force only 40. So there's precedent; it's not as implausible as some people here seem to think. It may not be a back door in the simplistic way some people are thinking of, though.

    The algorithm the guy used to find the key is documented in Adi Shamir and Nicko van Somoeren's paper "Playing Hide and Seek with Stored Keys" - you can find a link to the paper here alongside my implementation of the technique described.
    --

    --
    Xenu loves you!
  2. Wait just a second... by wanderingstar · · Score: 5

    Let's all just participate in a little reality check here, folks - just because something is named "NSA" it automatically means it has to do with the United States National Security Agency? As any Windows programmer can tell you, "LSA" in Microsoft parlance means "Local System Authority" - the subsystem that validates your logons. Why the heck shouldn't "NSA" stand for "Network System Authority"? And this is just one possibility... Geeze, the article offers ABSOLUTELY NO PROOF that the key named "NSA" stands for National Security Agency. Think before you fly off the handle.

  3. I don't think it's for spying on people by Anonymous Coward · · Score: 5

    Having used the CryptoAPI for about a year, and having been forced to get Microsoft to sign a CSP (Crypto Service Provider) for me, what it REALLY appears that the _NSAKEY value is for is this: Microsoft wanted to make sure it didn't violate US export law. They asked the US government, which replied, "Make sure that the CryptoAPI doesn't load unapproved cryptographic modules." Microsoft did this by requiring CSP developers to send the DLL to them (you can opt to send just the hash) along with a document stating whether the CSP was exportable or not. Then, someone in the government said, "Well, we want to be able to use our own CSPs in Windows without having to send them to Microsoft." They got Microsoft to add a second DLL verification check using a separate RSA key. For those who don't know, CSPs are DLLs that provide key and certificate management, hashing, and encryption/decryption services to applications. There is a small API of functions that they support. If some boogeyman wanted to spy on you through one, that means that someone would have to get that code onto your machine first, then register it (it's in the Registry under Software/Microsoft/Cryptography/Defaults/Providers ). This still leaves open the possibility that the verification code is being used to verify something else other than a CSP, but that hasn't been shown yet.

  4. Re:Well, this is another argument for getting sour by Anonymous Coward · · Score: 5

    You have no idea, my friend, you have no idea.

    I returned to the private workforce last year aften ten years with a government entity that I cannot list on my resume. I have a cover (State) and some canned recommendations. I learned AIX while I was working for the government, and then discovered Solaris, which I like a lot. This got me a job last year without too many questions.

    You have no idea how bad it has gotten. Let me fill you in:

    1. Quotas: they are set in (a place in Virginia) and not in the country itself. So, a posting in some countries (Denmark or Finland) where a)no one really likes or dislikes the US - they could care less and have no real interest in providing information and b)there is just not a lot happening (we are not, for instance, likely to be invaded by Belgium any time soon) is the kiss of death to your carreer because there is no real way to make quota. Unless (and this is key), you fake it. If you have ethics, essentially, fully half of all of the postings by quantity require you to commit treason (by compromising national security by falsifying any and all contacts and records) or treat it as dead time for your future. This is the neat part -- everyone knows the system is horribly broken and every senior person there winks at the violations. Why? Whey did it themselves. Shades of grinding back at West Point (cheating, for those who didn't attend a service academy, is called grinding, and almost everyone does it).
    2. Reviews: this has nothing to do with your actual performance in most cases. The station chief doesn't do them -- your immediate boss does. And, just like high school, there is a pecking order and no real control outside of that. Date a secretary that your boss is interested in, your ass is grass. I didn't, but watched someone get transferred into a carreer-ending position for that, with the suggestion in his records that he was compromising security by dating nationals. There is no meritocracy there anymore.
    3. Disregard for security: this happened all the time. People would take home AND MISPLACE TS and worse. We had a person leave his briefcase in a bar. We are lucky that the bartender found it. It had detailed response plans for repelling any c/b/r attacks from a country that I can't name, but if you saw it on a map, would look an awful lot like Iraq. This was serious. It was ignored. And then there are the drinking and drug problems, mostly drinking.
    4. Security: They do not get you a house at the far end of a one way street anymore. You are lucky if they try to keep your cover secret. They won't help you move in, so everyone knows that you are coming in from DC or VA someplace. They won't pay for a damned thing (not salary, which is very low, but things like furnishing a house or flat as if you really were an American marketing exec). And your family is at tremendouw risk if you take them, as a result. This was one of the main reasons I left. I spoke Spanish, I was not going to get another European posting, had studied Latin America, and had done briefings on narcoterrorism for a number of people, for a number or years. I looked at the house that they had picked out for me in Bogota -- on a busy street, with a wide alley, with overlooking apartment buildings in line-of-sight, in a neighborhood with access from FIVE directions. They couldn't have done worse if they tried. There was no way in hell that I was taking my pregnant wife there, and she felt the same way. So we both quit.

    Bitter? Yes, very. But not at the concept, just the execution. At this point, we need to start over.

  5. Doubtful by MenTaLguY · · Score: 5

    "What the @#$% do those 3 lines of code do? Hrmmm, oh well, doesn't look like the section I was trying to find anyway . . ."

    One thing you're forgetting -- generally when package maintainers (Linus, for instance) are reviewing a patch for inclusion in the distribution, they won't accept it unless they understand all the code involved.

    If you tried something clever like spreading the changes across several patches, that wouldn't really work either.

    [Judas] Here's my patch to fix the support for the /dev/blah device
    [Maintainer] Hrm. I'll have a look.
    ...
    [Maintainer] What's this little bit of code here do? I think you could probably shave a couple hundred instructions off here if you left it out, and it looks completely unnecessary.
    [Judas] There's something screwy with the timing; that was the only way I could get it to work
    [Maintainer] Hrm. That seems like a kind of awkward hack to me -- I'd like a solution I could understand better. I just replaced this with a delay loop -- I don't have the blah hardware myself though ... (to mailing list) Hey, could someone with blah hardware give this a try with my modification and see if it still works?
    [Mailing List] Okay... it seems fine. In fact, one of us tried it without the delay loop, and there weren't any problems.
    [Maintainer] (to Judas) I applied your patch; it seems to work fine without the bit of code though, so I just left that part out.
    [Judas] Curses, foiled again!

    As a modest package maintainer myself, I personally read every patch I get. Even if the patch author isn't malicious, the patch could still potentially fail in a catastrophic way due to a stupid logic error or invalid assumptions.

    One thing that some people don't seem to understand about Open Source is that just because some Joe Schmoe produces some code doesn't mean that it'll end up in the official distribution.

    It might be easy to read the code in the official distribution, and it might be easy to modify the code in your own copy, but it's nontrivial to quietly modify the official distribution. To submit a patch is to submit that patch to a lot of direct public scrutiny.


    Berlin-- http://www.berlin-consortium.org
    --

    DNA just wants to be free...