Windows Security under fire

In an extraordinary ABC News feature on 3 September, 1999 it was alleged
that every version of Windows 98 and Windows NT contains a special
programme to encrypt sensitive data, from e-mails and documents to
e-commerce transactions over the Internet.

The programme is called the cryptoAPI, and it uses an encryption key,
managed by Microsoft Corporation, to lock and unlock the sensitive data
stored on a computer and sent across the Internet. Instead of having each
application do the number crunching, Windows essentially does it instead.

But there's not just one key - there are two. In an analysis published on
the Internet, the head of a Canadian security firm, Cryptonym, claims that
the two keys have existed within Windows since the later versions of
Windows 95.

He adds that the second key is labelled 'NSAKEY' within the latest service
pack for Windows NT 4.0, the Windows operating system widely used in
servers and corporate work-stations.

Some analysts have speculated that the first three letters - NSA - could
stand for America's super secret National Security Agency; an intelligence
organisation charged with cracking codes and encryption schemes.

"We've never known what the second key was for," Cryptonym founder Andrew
Fernandes told ABC News, "but it's certainly possible that it's for law
enforcement or espionage purposes."

How Windows Crypto Works

Encryption is used to encode e-mail messages, documents and Internet
transactions. In the case of computers, the code can consist of dozens, or
hundreds, of ones and zeros. The lowest government-approved encryption
standard, a code 56 digits long, took 22 hours to break.

The cryptoAPI essentially lets software developers write programmes that
simply plug into Microsoft's encryption scheme, instead of having to write
their own.

Microsoft manages the keys, and can provide access to the data or
transactions at the request of the user, or a duly authorised third-party.

In the case of corporate users, other people within the corporation could
have access to the key as well. But that still didn't answer the question:
why two keys?

Federal Government Want 'Backdoor' Key

The U.S. Commerce Department has maintained strict controls on the export
of strong encryption software. U.S. companies can export these overseas -
provided the U.S. government receives a key to that encryption.

In 1997 U.S. companies were given two years to change their policies to comply.

The government's key is often called the 'backdoor' key. It's unclear
whether the cryptoAPI falls under the Commerce Department regulations, but
when it comes to APIs, Microsoft does not change its encryption schemes to
account for the laws in different nations.

Thus, the two-key scheme isn't just on computers overseas, but also on
machines running in the United States.

"Talk of NSA involvement aside, one could say that Microsoft has complied
with these regulations, and is including two keys," says Peter Tippett,
chairman of ICSA Incorporated, a Reston, Virginia, based security
consulting firm.

Who Has the Second Key?

Meanwhile, Fernandes says he's come up with a way to change the second key
into anything else the user wants. If he or she wants strong, 256-bit
encryption, it can be installed in place of 'NSAKEY.'

This means that virus programmes or hacking exploits can be written to
change the key without the users' knowledge. Thus, if users do not maintain
'safe computing' practices, they could very well find their strong
encryption replaced with no encryption at all, exposing their data to
anyone interested in it.

Microsoft and the NSA did not immediately answer repeated requests by ABC
News for comment, but Russ Cooper, a Windows NT security expert and editor
of the Web site NTBugTraq, has reported that the NSA insisted that
Microsoft include the second key, though that could not be independently
confirmed.

And then there's the trust issue.

"Microsoft has not been forthcoming on this issue," Fernandes claimed. "If
I don't know anything about this second key, how the hell do I know what
else Microsoft has stuck in their code? We've never known what the second
key was for, but it's certainly possible that it's for law enforcement or
espionage purposes.

"By adding the NSA's key, they have made it easier - not easy, but easier -
for the NSA to install security components on your computer without your
authorisation or approval," Fernandes said.

Microsoft Refutes Windows 'Spy Key' Allegations

Within 24 hours of the ABC News story, Microsoft vehemently denied
allegations by Fernandes that its Windows platform contains a backdoor
designed to give the NSA access to personal computers and that the agency
has anything to do with the key.

"The key is a Microsoft key - it is not shared with any party including the
NSA," said Windows NT security product manager Scott Culp.

"We don't leave back-doors in any products."

Culp said the key was added to signify that it had passed NSA encryption
standards.

In previous versions of Windows, Fernandes said Microsoft had disguised the
holder of the second key by removing identifying symbols. But while
reverse-engineering Windows NT Service Pack 5, Fernandes discovered that
Microsoft left the identifying information intact and discovered that the
second secret key is labelled 'NSAKEY.'

Microsoft said 'NSAKEY' signifies that it satisfies security standards.

Through its 'signals intelligence' division, the NSA listens in on the
communications of other nations throughout the world, principally from RAF
Menwith Hill, situated in North Yorkshire, England.

The agency also operates Echelon, a global eavesdropping network that is
reportedly able to intercept just about any form of electronic
communications anywhere in the world, but is forbidden by law from
eavesdropping on American citizens.

Marc Briceno, director of the Smartcard Developer Association, said the
inclusion of the key could represent a serious threat to e-commerce. "The
Windows operating-system-security compromise installed by Microsoft on
behalf of the NSA in every copy of Windows 95, 98, and NT represents a
serious financial risk to any company using MS Windows in e-commerce
applications," Briceno wrote in an e-mail.

"With the discovery of an NSA backdoor in every copy of the Windows
operating systems sold worldwide, both US and especially non-US users of
Microsoft Windows must assume that the confidentiality of their business
communications has been compromised by the US spy agency," Briceno said.

Briceno coordinated the team that broke the security in GSM cell phones,
demonstrating that the phones are subject to cloning - a feat the cellular
industry had thought impossible.

But Microsoft's Culp said all cryptography software intended for export
must be submitted to a National Security Agency review process. He said
that the key was so named to indicate that it had completed that process
and that it complied with export regulations.

"The only thing that this key is used for is to ensure that only those
products that meet US export control regulations and have been checked can
run under our crypto API (application programming interface)," Culp said.

"It does not allow anyone to start things, stop services, or allow anything
[to be executed] remotely," he said. "It is used to ensure that we and our
cryptographic partners comply with United States crypto export regulations.
We are the only ones who have access to it."

Fernandes made the discovery in early August, he said, but collaborated
with the Berlin-based Chaos Computer Club and other experienced hackers
worldwide before releasing the information.

"We coordinated this through the worldwide hacker scene," said Andy
Muller-Maguhn of the CCC. "It was important to American hackers that it not
only be mentioned in America but also in Europe.

"For American citizens it seems to be normal that the NSA is in their
software. But for countries outside of the United States, it is not. We
don't want to have the NSA in our software."

Coming less than a week after Microsoft was rocked by the embarrassing news
that its Hotmail system could be easily penetrated, the latest disclosure
could prove damaging to the software giant.

"Say I am at a large bank, and I have the entirety of our operation working
on Windows," Fernandes said. "That is a little more serious. The only
people who could get in there are the NSA, but that might be bad enough.

"They have to first manage to download a file into your machine. There may
be back-doors that allow them to do that... I would be shocked and
surprised if the NSA bothered with individuals. What is more of a concern
is security systems for a large bank or another data centre. Or even a Web
server firm.

"The result is that it is tremendously easier for the NSA to load
unauthorised security services on all copies of Microsoft Windows, and once
these security services are loaded, they can effectively compromise your
entire operating system.

"The US government is currently making it as difficult as possible for
'strong' crypto to be used outside of the US; that they have also installed
a cryptographic backdoor in the world's most abundant operating system
should send a strong message to foreign IT managers," he said.

But Fernandes did not want to set off a panic - or at least not for everyone.

"I personally don't care if the NSA can get into my machine, because I
think they have better ways of spying on me as a person," Fernandes said.
"But if I was a chief executive officer of a large bank, that would be a
different story."

Before Microsoft's explanation, many leading cryptographers said they were
convinced it was a key for the NSA.

"I believe it is an NSA key," said Austin Hill, president of anonymous
Internet service company Zero-Knowledge Systems. "We walked through it and
talked about all the scenarios why it is there, and this was our
conclusion," said Hill.

He said that he and Zero Knowledge's chief scientist, Ian Goldberg, did not
believe the key's name is a joke placed there by a Microsoft programmer -
one possible explanation.

"Microsoft has not shown incredible competence in the area of security,"
Hill added. "We call on Microsoft to learn about open security models that
provide independent verification of design. No secure system is based on
security by obscurity."

Thanks to: ABC News, Andrew Gingery, Andrew Fernandes, Mark Hall, Robert
Collins, Steve Kettmann, James Glave and the NSA (No Such Agency or Never
Say Anything...)
