-Caveat Lector-

New York Times Article

September 4, 1999


A Mysterious Component Roils Microsoft
By JOHN MARKOFF
SAN FRANCISCO -- A cryptographer for a Canadian software firm, dissecting a
piece of Microsoft security software, made an unexpected find: an element in
the Windows operating system labeled "NSAKey."

When his discovery was made known on his company's Web site Friday, it set
off a firestorm of Orwellian visions in Internet discussion groups.

Was the buried software component, as the cryptographer surmised, a Trojan
horse that gave the National Security Agency a hidden back door into the
world's computers? Or was it merely a Microsoft programmer's remarkably bad
choice of language in a software system designed to protect electronic
communications and commerce?

Microsoft executives insisted that there was no Big Brother feature in the
software. "The big answer is that these charges are completely false," said
Scott Culp, a security product manager at Microsoft.

And the National Security Agency, which gathers electronic signal
intelligence worldwide and is responsible for the security of the
Government's computers, issued a terse three-sentence news release distancing
itself from the controversy, saying, "Questions about specific products
should be addressed to the company."

Microsoft officials acknowledged that the episode was in any case a black eye
for the world's largest software publisher.

"We're going to pay and pay and pay for this," said one of the company's
security experts, who spoke on the grounds that he not be identified.

In recent months Microsoft has become a lightning rod for criticism of its
products' security and has had to deal with several gaffes, including the
discovery last week of a security flaw that exposed the e-mail of users of
its Hotmail service.

The latest uproar was set off by Andrew Fernandes, a mathematician in
Research Triangle Park, N.C., who is chief scientist of the Cryptonym
Corporation, a small Canadian software firm that is developing computer
security products.

Fernandes first presented his findings at a technical meeting last month in
Southern California, but word did not spread more broadly until today, when a
news release was posted on the Cryptonym Web site.

In a telephone interview, Fernandes said he had made his discovery while
exploring and trying to replicate the security software in Microsoft's
Windows and Windows NT operating systems.

The operating systems make use of a key -- a large number -- to authenticate
software components, providing confidence that a component is correctly
identified and has not been tampered with. For example, when new encryption
functions are added for security, the key verifies that they comply with
Government regulations.

Cryptographers had previously noted the existence of a second key whose use
they could not account for. What Fernandes found in the program was an
identifying tag, disguised in earlier versions. And the label was "NSAKey."

The discovery shocked him, Fernandes said, adding, "It doesn't make any sense
why they would put in a second key."

He concluded that the key represented a serious security flaw that would
leave Microsoft's operating system vulnerable to intrusion. "The result is
that it is tremendously easier for the N.S.A. to load unauthorized security
services on all copies of Microsoft Windows, and once these security services
are loaded, they can effectively compromise your entire operating system,"
his news release asserted.

But at Microsoft, Culp said the key labeled NSAKey was a backup permitting
Microsoft to authenticate encryption components if the first key was damaged.
And he said the name was simply unfortunate.

Because the key insures compliance with Federal export laws, and the
National Security Agency is the authority responsible for reviewing software
and hardware products intended for foreign use, the component has been
referred to colloquially at Microsoft as the "NSA key," he said. But Culp
insisted that the key was not shared with any outside party, including the
N.S.A.

"We protect it with dobermans and barbed wire," he said. "Conspiracy
theorists are worked up about this, but real life is more boring."

Security and privacy experts were generally skeptical about the notion that
Microsoft was cooperating with the nation's electronic intelligence agency.

Microsoft has vocally opposed proposals by law-enforcement and intelligence
agencies that would give them electronic back doors to monitor computer data.

Some security experts said that even if there was no sinister explanation for
the NSAKey, Microsoft should not add components to its security software
system without publicly identifying them.

"They've debased their currency once again by not disclosing this," said Mark
Seiden, chief consultant for the information security group Kroll-O'Gara.

Microsoft executives said there had been no reason to publicize the backup
key. "It was not something that anyone had expressed any interest in," Culp
said.

And in any case, the Big Brother that Fernandes said he had discovered turned
out to have an Achilles heel. He said he had been able to develop a small
program that strips out the second key.

Copyright 1999 The New York Times Company
