Debate flares over MS 'Spy Key'
by James Glave
3:00 a.m. 4.Sep.99.PDT

Questions lingered Friday over whether or not security experts overreacted to a scientist's charge that Microsoft built a backdoor in Windows for a US spy agency to enter.

Microsoft vehemently denied the claims of Andrew Fernandes, chief scientist for security software company Cryptonym.

"It is a non-story," Microsoft Windows NT security product manager Scott Culp told Wired News. "We don't leave backdoors in any products."

In an early Friday statement posted to his company's Web site, Fernandes had claimed that Microsoft had granted the National Security Agency secret access to the core security of most major Windows operating systems.

He made his claims after discovering the name of a key that grants access to the highest level of Windows data-scrambling software code, without the user's permission. The key is named _NSAKEY.

The charges seemed to confirm the worst fears of many, and Internet mailing lists erupted early Friday in a Krakatoa of anti-Microsoft sentiment.

"Windows is compromised!! Microsoft is in bed with the Federal Government," wrote one poster to a mailing list addressing privacy and crypto issues.

The climate was certainly primed for hysteria. Last week, experts uncovered a major flaw in the way Microsoft implements the Java computer language. The company had barely addressed that problem when a gaping hole exposed the private email of potentially millions of Hotmail members -- perhaps the most widespread security incident in the Web's history.

Microsoft dismissed Friday's charges as nonsense.
The company said that the key was named after the spy agency merely to reflect the fact that it had passed a technical review that the agency requires of all security software intended for export.

But Fernandes stood his ground.

"Some of the things [Microsoft said] make sense, some of them don't," he said.

The _NSAKEY is one of two such keys buried deep in the cryptography source code of most Windows operating systems. In other reports, Microsoft said that the _NSAKEY is still a Microsoft-controlled key that will serve as a backup in the event that the first key is compromised.

That just doesn't make sense, Fernandes said.

"If they lost the first key which is the equivalent to them losing the Windows source code, then that would be okay, they could just start using the backup key."

"But if all of Windows was compromised [by a hacker], they would have to reissue all of Windows and overwrite [the second key] on top of all copies of Windows out there, which can happen, but it's unlikely."

"Their story only kind of makes sense," he added. "If that is in fact true, it means their crypto protocol is poor, there is no other word for it."

Crypto expert Marc Briceno did have another word for it: "feeble."

"I must say I do not believe Microsoft's present explanation that the presence of the _NSAKEY corresponds to standard practices in software development," said Marc Briceno, director of the Smartcard Developer Association.

"There is no technical reason for Microsoft to include a second security module verification key in their operating system ... to mark the passing of export requirements," Briceno said.

But a respected independent Windows NT security consultant said that in the wake of Microsoft's denials, the NSA backdoor allegations amount to conspiracy theories.

"There's a bunch of somewhat understandable furor going on over the idea that the NSA might have a backdoor to Windows," wrote Russ Cooper, moderator of the NTBugtraq Windows security resource.

"Unfortunately, however, all of this is based on a variable name," he added. "Anyone who programs knows that variables might get named anything for a variety of reasons."

He said the lion's share of individuals overreacting to the claims are freedom fighters and privacy advocates.

"Unfortunately they have a loud voice," he said.

"I don't think they are representative of the average person, the real people that populate the Net," he said. "We give away all kinds of things, every day, that sacrifice our privacy. These privacy advocates, I'd put them in the category of the Michigan Militia, the Ruby Ridge folks."

But John Gilmore, a co-founder of the Electronic Freedom Foundation, said that the case was far from clear.

Gilmore quoted Microsoft's Scott Culp, who said in a previous Wired News story that the _NSAKEY was only in place "to ensure that we and our cryptographic partners comply with United States crypto export regulations."

Gilmore said that the crypto community has always wondered what exactly the deal was between NSA and Microsoft that allows the company to plug strong crypto into software that is sold worldwide.

Culp's response was "disingenuous but not false," he wrote in an email to Wired News.

"This key was part of the quid-pro-quo that NSA extracted to issue the export license. Let's hear what the whole quid-pro-quo was and what the key is *actually* used for," Gilmore wrote.

For its part, the NSA isn't telling. In a short faxed reply to a Wired News query about the purpose of the key, the super-secretive agency said the matter was up to Microsoft.

"US export control regulations require that cryptographic [application program interfaces] be signed," NSA's public affairs office wrote.

"The implementation of this requirement is left up to the company. Specific questions about specific products should be addressed to the company."