Before continuing, let me state my three opinions that this is based on:
1) There is a non-zero risk of backdoors in commercial software, but the
perpetrators are as likely (IMHO more likely) to be outside parties and not
US agencies like NSA.
2) A persistent backdoor in Windows would have to be a localized thing with
limited effects, like a broken RNG, but such a thing might be detectable by
examining its behavior and/or binary implementation.
3) A more sophisticated backdoor in Windows would involve a lot of people
who can't be covered by government secrecy agreements. It would be
extremely difficult to keep such a thing both functioning and secret for
more than a few years.
To continue the discussion, Arnold Reinhold wrote:
>Done properly, there is no way anyone is going to detect a weakened
>RNG by analyzing its output. That is why RNG attacks are so
>attractive.
What if we examine the RNG's binary implementation as well as its output?
Consider what happened to the weak Netscape RNG.
Given that, how would one go about constructing a broken RNG that would
resist detection? I'm not saying it's impossible, but the strategy isn't
clear to me.
>The best answer to [Microsoft secrecy doubts] is a report Lucky Green gave
to this
>list on 9/3/1999 when the _NSAKEY story broke:
>
>"After watching the NSAKEY talk at the Crypto rump session [name elided], by
>his own account at the time the person ultimately responsible for CAPI at
>Microsoft, told a group that even he had not know about the second key. In
>addition, he informed us that access to the Windows source code is heavily
>compartmentalized, making it easy to insert modifications without the
>knowledge of even the respective product managers."
I think this argues in favor of attacking the RNG and against building a
more flexible backdoor, since the latter will involve multiple
compartments, and require interfaces that might not othewise exist or be
used in particular ways. That involves the cooperation of more people.
If access to the actual code is compartmentalized, and interfaces are
poorly documented (it's impossible to document an interface completely,
especially for live code), then Windows software development requires a lot
of collaboration at a personal level. That's the only way things will work
correctly between compartments. Again, this makes it harder to keep things
secret, since more people are involved in trading off functional needs
against existing capabilities.
>I certainly agree that keeping a long-term secret is harder than
>keeping a short term secret. But NSA and Microsoft may well be up to
>the task. One approach might be for Microsoft to hire a few
>programmers who are also on the NSA payroll and place them in
>strategic positions.
The problem is that you're talking about finding some people with top-notch
software development skills that can believably be inserted into Microsoft
under deep cover. They'd have to be able to pursue their backdoor
installation objectives secretly while continuously justifying their work
with other, diversionary explanations. They have to be smart enough to do
all this and have the sort of personality that allows them to continuously
and successfully mislead their co-workers. I think that's where all this
would break down. Where do you find enough such candidates to make it
likely you can actually hire some of them for that job?
Consider also that commercial developers constantly trade off schedule for
functionality. How are these guys going to guarantee that they can keep
their back door working, when some feature crucial to it has been busted to
support something "more important for the next release"? Even if "We need
this for National Security" is a trump-card argument, they *can't* use it
without blowing their cover. And they won't be able to whine to Bill every
time for backup. Some functionality arguments they're just not going to win.
>NSA seems to know how to motivate folks to keep
>their mouths shut.
NSA knows how to apply institutional pressure when they have a lever (i.e.
export controls) and they know how to establish legal pressure through
security classifications. I don't see how either of those would apply. I
suppose those undercover superprogrammers would keep their own activities
secret, since their NSA connection might not look good on their resumes.
NSA would have a hard problem treating the programmers' activities as
classified information, since so much of what they do is in unclassified
environments.
Digression: Is there a potential pilot for a bad TV series here? Something
like Buffy the Vampire Slayer, except that Buffy is a software developer,
her high school is replaced by Microsoft, and vampire slaying involves
secret patches to Windows code. Maybe the Forces of Good are removing
backdoors inserted by other programmers bribed by The Cartel (who needs
SMERSH or KAOS when you have rich and violent drug lords?).
> And the _NSAKEY episode demonstrates that a slip
>up would not be not as damaging to either party's reputation as you
>seem to suppose.
Let me be specific about my own suppositions on this subject:
*Nothing* that Micorsoft does seems to affect their publicly acknowledged
reputation for putting out the innovative, reliable, and secure software
that is, of course, the foundation of America's successful New Economy.
(that's 100% sarcasm, in case you weren't sure)
I doubt that adding a backdoor to Windows will hurt their reputation,
either. But I believe they're going to do the absolute minimum they need to
in order to keep NSA off their back.
>It seems to me that the burden of proof is on Microsoft to convince
>us that their products are uncompromised.
I really, really wish Microsoft as an institution cared what the security
community thought about anything (this is NOT sarcasm). I see little
evidence of such caring.
While I suspect that the open source software concept is the only practical
strategy for healthy long term evolution of software, it doesn't
automatically yield bug-free, vulnerability-free, or backdoor-free
software. At best, it gives us an obvious way to track down trouble after
it pops up. But it doesn't guarantee we'll look for backdoors, or find them
if they're there. Most of us know this, but given the discussion, it seemed
worthwhile to repeat for the general audience.
Rick.
[EMAIL PROTECTED]
