On Wed, May 24, 2000 at 04:09:45PM -0500, Rick Smith wrote:
> Before continuing, let me state my three opinions that this is based on:
>
> 1) There is a non-zero risk of backdoors in commercial software, but the
> perpetrators are as likely (IMHO more likely) to be outside parties and not
> US agencies like NSA.
>
> 2) A persistent backdoor in Windows would have to be a localized thing with
> limited effects, like a broken RNG, but such a thing might be detectable by
> examining its behavior and/or binary implementation.
>
> 3) A more sophisticated backdoor in Windows would involve a lot of people
> who can't be covered by government secrecy agreements. It would be
> extremely difficult to keep such a thing both functioning and secret for
> more than a few years.

As a certified paranoid I suppose that my perspective may seem a
little far out, but I cannot conceive that the NSA or some even blacker
agency of the US intelligence community has not obtained a complete set
of source code for all major releases and upgrades of Windows and
NT/2000 and probably many major MS applications. Having access to this
would be so fundamental to their ability to do their job that it seems
inconceivable to me that they don't have it.

NSA might have obtained such by outright purchase (since
Microsoft would have no reason to announce the fact, such a thing could
be very quiet), by purchase through an intermediary with ties to the US
government, by informal cooperation of someone, or perhaps several
individuals, within Microsoft with or without the knowledge or consent of
senior management, by outright theft by a mole, contractor, or whatever
(tapes smuggled out in briefcases), by intercepting Microsoft
communications, by hacking into Microsoft systems, or even by the same
kind of black bag burglaries that are known to be used to obtain crypto
material from foreign embassies. And it might not be necessary to
obtain the source from Microsoft itself, since there are a handful of
companies that have fairly complete source under co-development
agreements with Microsoft, as well as several universities that have
been given at least some of it. And if the NSA is squeamish about
actually stealing a US IP asset (in the unlikely event they have to
steal it to obtain it), undoubtedly other governments haven't been so
scrupulous and might be willing to share with NSA, in return for more
access to Echelon data perhaps...

Given that many Microsoft protocols are not publicly documented,
that the DOD depends heavily on Microsoft OS's for many critical
functions, and the obvious truth that it is much easier to understand
how things really work in detail with the aid of source even if they
are documented, I simply cannot believe that NSA and other DOD groups
working with Windows and NT/2000 on critical national security issues
work with their hands tied behind their back and no access to source
code. And for infowar groups responsible for creating trojans and
viruses targeted against specific target foreign users of MS products,
having access to source and presumably the ability to compile it into
subtly modified binaries of target DLLs would seem such a natural tool
that I frankly can't believe they work without it.

So if one supposes that NSA or whoever within the US
intelligence community is responsible for creating active attacks on
target foreign MS systems has Windows source, then the equation shifts a
bit. Given complete source and a good team of first rate OS
programmers working in some Md suburb under the very tight security that
NSA is famous for, it seems quite possible to either find existing
security holes in Windows and flag them as "do not fix" or devise very
subtle, very minimal changes to the source that would introduce
exploitable flaws. Such things could be as simple and easy to overlook
as the recent PGP 5.0 random number generator bug with /dev/urandom -
a one line of code assignment error that completely compromised key
generation under some conditions and wasn't found in an open source
product examined by thousands of trained eyes for about 3 years.

Getting the trojan changes folded back into the development
source might require subverting someone in the bug-fixing and
maintenance end of the Windows development team who would not be
required to have the skills to create or even dimly understand the
carefully crafted tricks but merely enough access to the relevant source
code to implement a bogus bug fix handed him via his contact for one of
the (allegedly) thousands of known Windows bugs. At least in my
experience, there are always lots of more or less anonymous middle level
people processing SPRs and generating bug fixes for a major product
like Windows, and often the senior developers rushing to get out a
release don't have time to carefully examine and deeply think about bug
fixes in existing code supplied by these maintenance minions that look
superficially correct.

Note that this does not postulate a master spy capable of
designing, testing and concealing subtle bugs working completely alone
in secret while also playing the part of a senior trusted and highly
talented system programmer with major responsibilities for Windows code -
rather this implies subverting one of the thankless grunts (often
contractors in my experience) charged with going through piles of
software trouble reports and finding and fixing the obvious bugs that
can be readily fixed by making straightforward changes to the code.
And this guy would not be expected to create, alter, or understand the
bogus corrections - those would come from the talented team at NSA.

I admit that good version control, careful code reviews of
fixes, and traceability of each change to a specific bug report would
make it harder to pull this off, but at least in my experience in the
(relatively long) past the pressures to get releases out and features
implemented and debugged were so great that reviewing bug fixes wasn't a
priority, especially if the fixer was trusted as competent.

And presumably the plan would be to insert multiple, or even
many, exploitable hooks so if a few of them got fixed by someone with a
sharp eye the access would not go away.

Of course subverting Microsoft OS source code is not the only
attack; subverting the multi-million gate Pentium processors in subtle
ways could be just as effective or even more effective as such backdoors
would work against other OS's. For example, providing a means by which
an ordinary user level process could momentarily shut off memory
protection and do loads and stores with ring 0 kernel privileges -
perhaps by using a bizarre combination of undocumented op codes and
special values in specific registers - would allow complete perversion
of all system security by the most lowly and untrusted code. If such a
feature exists in Pentiums (even by accident) it would no longer be
necessary to exploit known bugs to obtain access and monitor or modify
security critical system and user threads and routines, it would merely
be necessary to run a lowly untrusted trojan application or even an
email attachment or otherwise propagating worm. And for an NSA with
complete Windows source, figuring out what to jigger with a trojan that
had magic hardware access to all of memory would be very doable and
wouldn't involve any of the risks and ethical and legal problems of
actually introducing bugs into Windows.

Again, perhaps this is the paranoid fantasy of a crazy ex system
programmer, but given that there are certainly highly able folks who
sincerely believe that the security of the US depends on access to
certain computers running Windows or NT, and given that they have
large resources behind them and work in total secrecy with less than
complete review of what they are doing I have to admit that as someone
else has already said, "if I were in charge I'd do that".
--
Dave Emery N1PRE, [EMAIL PROTECTED] DIE Consulting, Weston, Mass.
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2 5D 27 BD B0 24 88 C3 18
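The mail's reference to the PGP 5.0 /dev/urandom bug ("a one line of code assignment error") is a good place for a concrete picture of how small a key-generation-breaking defect can be. The block below is an added illustration written for this page, not the page's own code and not PGP's source: it reconstructs the bug class (a read() return value overwriting the byte it just read) beside a corrected fill and a cheap sanity check, and feeds a constructed 16-byte sample through a pipe in place of /dev/urandom so it runs offline.

```c
#include <stdio.h>
#include <unistd.h>
/* Buggy fill (the bug class the mail refers to): the byte just read into
 * rand_buf is clobbered by read()'s return value, 1, so every byte is 0x01. */
static size_t fill_pool_buggy(int fd, unsigned char *pool, size_t n) {
    unsigned char rand_buf;
    for (size_t i = 0; i < n; i++) {
        rand_buf = read(fd, &rand_buf, 1);  /* the one-line assignment error */
        pool[i] = rand_buf;                 /* pool fills with a constant */
    }
    return n;
}
/* Corrected fill: the count and the data are kept apart; a short read stays visible. */
static size_t fill_pool_fixed(int fd, unsigned char *pool, size_t n) {
    size_t got = 0;
    ssize_t r;
    while (got < n && (r = read(fd, pool + got, n - got)) > 0)
        got += (size_t)r;               /* only the count is derived from r */
    return got;                         /* caller can check got == n */
}
/* Defender-side sanity check on a freshly filled pool: distinct byte values.
 * A healthy source essentially never collapses to a single value. */
static int distinct_values(const unsigned char *pool, size_t n) {
    int seen[256] = {0}, count = 0;
    for (size_t i = 0; i < n; i++)
        if (!seen[pool[i]]++) count++;
    return count;
}
/* Constructed stand-in for /dev/urandom so the example runs offline and
 * deterministically: a pipe pre-filled with a fixed 16-byte sample. */
static int sample_fd(void) {
    static const unsigned char sample[16] = { 0x3a, 0x91, 0x7c, 0x05, 0xe2, 0x4f,
        0xb8, 0x1d, 0x66, 0xc3, 0x0a, 0x9e, 0x57, 0xd4, 0x2b, 0xf0 };
    int p[2];
    if (pipe(p) != 0 || write(p[1], sample, 16) != 16) return -1;
    close(p[1]);
    return p[0];
}
int main(void) {
    unsigned char pool[16];
    int fd = sample_fd();
    fill_pool_buggy(fd, pool, 16);
    printf("buggy fill: %d distinct value(s)\n", distinct_values(pool, 16));
    close(fd);
    fd = sample_fd();
    fill_pool_fixed(fd, pool, 16);
    printf("fixed fill: %d distinct value(s)\n", distinct_values(pool, 16));
    return close(fd);
}
```

The buggy fill reports one distinct value (every byte is 0x01) while the corrected fill reports sixteen; a check of this kind in the key-generation path would have caught the degenerate pool regardless of who introduced the assignment.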