MS Refutes Windows 'Spy Key'

From ricardo dominguez <>
Date Fri, 03 Sep 1999 15:21:21 -0400
Organization The Thing

[: hacktivism :]

from Wired:

you can follow the links to other pages from the above URL.

MS Refutes Windows 'Spy Key'
by Steve Kettmann and James Glave

10:20 a.m.  3.Sep.99.PDT
Microsoft is vehemently denying allegations by a leading cryptographer
its Windows platform contains a backdoor designed to give a US
agency access to personal computers.
Andrew Fernandes, chief scientist for security software company
Cryptonym in
North Carolina, claimed on his Web site early Friday that the National
Security Agency may have access to the core security of most major
operating systems.

"By adding the NSA's key, they have made it easier -- not easy, but
-- for the NSA to install security components on your computer without
authorization or approval," Fernandes said.

But Microsoft denied that the NSA has anything to do with the key.

"The key is a Microsoft key -- it is not shared with any party including
NSA," said Windows NT security product manager Scott Culp. "We don't
backdoors in any products."

Culp said the key was added to signify that it had passed NSA encryption


Fernandes also simultaneously released a program on his site that will
disable the key.

The key exists in all recent versions of the Windows operating systems,
including Windows 95, 98, 2000, and NT.

The issue centers around two keys that ship with all copies of Windows.
keys grant an outside party the access it needs to install security
components without user authorization.

The first key is used by Microsoft to sign its own security service
Until late Thursday, the identity and holder of the second key had
a mystery.

In previous versions of Windows, Fernandes said Microsoft had disguised
holder of the second key by removing identifying symbols. But while
reverse-engineering Windows NT Service Pack 5, Fernandes discovered that

Microsoft left the identifying information intact.

He discovered that the second secret key is labeled "_NSAKEY."

Fernandes and many other security experts take that to stand for the
National Security Agency -- the nation's most powerful intelligence

Microsoft said _NSAKEY signifies that it satisfies security standards.

Through its "signals intelligence" division, the NSA listens in on the
communications of other nations.

The NSA did not immediately respond to a request for comment via fax,
only way the agency communicates with inquiries from the media.

The agency also operates Echelon, a global eavesdropping network that is

reportedly able to intercept just about any form of electronic
communications anywhere in the world.

The agency is forbidden by law from eavesdropping on American citizens.

Marc Briceno, director of the Smartcard Developer Association, said the
inclusion of the key could represent a serious threat to e-commerce.

"The Windows operating-system-security compromise installed by Microsoft
behalf of the NSA in every copy of Windows 95, 98, and NT represents a
serious financial risk to any company using MS Windows in e-commerce
applications," Briceno wrote in an email.

"With the discovery of an NSA backdoor in every copy of the Windows
operating systems sold worldwide, both US and especially non-US users of

Microsoft Windows must assume that the confidentiality of their business

communications has been compromised by the US spy agency," Briceno said.

Briceno coordinated the team that broke the security in GSM cell phones,

demonstrating that the phones are subject to cloning -- a feat the
industry had thought impossible.

In making the discovery, Fernandes said he did not know why the key was

"It could be for espionage. It may not be," he said. "It does not
compromise Windows, it only weakens it.... The only real reason I can
see is
for them to be able to install their own security providers."

But Microsoft's Culp said all cyrptographic software intended for export

must be submitted to a National Security Agency review process. He said
the key was so named to indicate that it had completed that process and
it complied with export regulations.

"The only thing that this key is used for is to ensure that only those
products that meet US export control regulations and have been checked
run under our crypto API (application programming interface)," Culp

"It does not allow anyone to start things, stop services, or allow
[to be executed] remotely," he said.

"It is used to ensure that we and our cryptographic partners comply with

United States crypto export regulations. We are the only ones who have
access to it."

Fernandes made the discovery in early August, he said, but collaborated
the Berlin-based Chaos Computer Club and other experienced hackers
before releasing the information.

"We coordinated this through the worldwide hacker scene," said Andy
Muller-Maguhn of the CCC. "It was important to American hackers that it
only be mentioned in America but also in Europe.

"For American citizens it seems to be normal that the NSA is in their
software. But for countries outside of the United States, it is not. We
don't want to have the NSA in our software."

Coming less than a week after Microsoft was rocked by the embarrassing
that its Hotmail system could be easily penetrated, the latest
could prove damaging to the software giant.

"Say I am at a large bank, and I have the entirety of our operation
on Windows," Fernandes said. "That is a little more serious. The only
who could get in there are the NSA, but that might be bad enough.

"They have to first manage to download a file into your machine. There
be backdoors that allow them to do that.... I would be shocked and
if the NSA bothered with individuals. What is more of a concern is
systems for a large bank or another data center. Or even a Web server

"The result is that it is tremendously easier for the NSA to load
unauthorized security services on all copies of Microsoft Windows, and
these security services are loaded, they can effectively compromise your

entire operating system.

"The US government is currently making it as difficult as possible for
'strong' crypto to be used outside of the US; that they have also
a cryptographic backdoor in the world's most abundant operating system
should send a strong message to foreign IT managers," he said.

But Fernandes did not want to set off a panic -- or at least not for

"I personally don't care if the NSA can get into my machine, because I
they have better ways of spying on me as a person," Fernandes said. "But
I was a CEO of a large bank, that would be a different story."

Before Microsoft's explanation, many leading cryptographers said they
convinced it was a key for the NSA.

"I believe it is an NSA key," said Austin Hill, president of anonymous
Internet service company Zero-Knowledge Systems.

"We walked though it and talked about all the scenarios why it is there,
this was our conclusion," said Hill.

He said that he and Zero Knowledge's chief scientist, Ian Goldberg, did
believe the key's name is a joke placed there by a Microsoft programmer
one possible explanation.

"Microsoft has not shown incredible competence in the area of security,"

Hill added. "We call on Microsoft to learn about open security models
provide independent verification of design. No secure system is based on

security by obscurity."

[: hacktivism :]
[: for unsubscribe instructions or list info consult the list FAQ :]
[: :]