Vista SP1 Has NSA Backdoor?

[toadeater]

Any thoughts about this?

A US cryptographer is warning that the random number generator Microsoft is bundling with SP1 includes a backdoor exploitable by the National Security Agency.

Random number generators are important because they provide the bedrock for SSL keys, which ensure secure internet communications for web browsing, email and instant messaging. Breaking the random number generator could leave user communications open to interception.

Security blogger Bruce Schneier believes this is precisely what will happen to the

"Dual_EC-DRBG" random number generator employed by Vista.

"There are a bunch of constants - fixed numbers - in the standard used to define the algorithm's elliptic curve," he says on his blog.

"These numbers have a relationship with a second, secret set of numbers that can act as a kind of skeleton key."

"To put that in real terms, you only need to monitor one TLS internet encryption connection in order to crack the security of that protocol. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG."

Schneier believes that this "secret" second set of numbers are held by the US's National Security Agency, one of the agencies which he claims championed Dual EC-DRBG as a cryptographic standard.

Microsoft hadn't replied to request for comment at the time of publication.

http://www.pcpro.co.uk/news/149133/vista-s...or-exploit.html

[argonite]

This theory relies on the NSA holding the secret key, if they don't, no theory.

[toadeater]

This theory relies on the NSA holding the secret key, if they don't, no theory.

AT&T once said they weren't spying for the NSA, until they were forced to admit that they were. This one is going to be a lot harder to prove, or disprove I guess.

[Argi]

Still, it'd be stupid for anyone (especially Microsoft of all companies) to knowlingly use an RNG algorithm that contains what looks like a backdoor unless they either didn't know or it's intended.

[SirEvan]

I dont know much about cryptography or such, but...couldn't you null-and-void this problem by running a program on your system like peer guardian or something to block any connections to your machine from known ips such as the NSA?

[Argi]

I dont know much about cryptography or such, but...couldn't you null-and-void this problem by running a program on your system like peer guardian or something to block any connections to your machine from known ips such as the NSA?

That's not really the point. ?Apart from the fact that if the NSA wants in your computer PeerGuardian wont save you, if a backdoor exists it's only a matter of time before someone with malicious intent cracks it.

[Chicane-UK Veteran]

I wish they wouldn't pull crap like this :|

[Deathray]

I wish they wouldn't pull crap like this :|

Most major corporations probably do this... you'll just never hear about it unless you're lucky

Plus, it's the NSA... I'm pretty sure they could find a way around our security

[Miuku.]

Plus, it's the NSA... I'm pretty sure they could find a way around our security

Unlikely - they wouldn't be trying to go all out on cracking down on businesses developing high end security products (such as extremely high end encryption) and threatening them to sneak in backdoors if they could just "crack it all".

It's also not that easy to operate in foreign countries, no matter what movies tell you.

[zhangm Supervisor]

Here's the original source. The followup articles are more speculative. BTW, its not that Microsoft is specifically complying or collaborating with the NSA. Its more that the US government is releasing this as one of four encryption standards...

http://www.wired.com/print/politics/securi...itymatters_1115

[hagjohn]

wouldn't surprise me.

[seta-san]

lets keep in mind Microsoft chose to do this. This standard was one of many that were filed with the standards community.

[Evolution]

Doubt it.... any backdoor that exists could be turned around and used by hackers :/

[BigBoy]

Someone ordered too many tin foil hats.

[neufuse Veteran]

So what? Apple probably gives their keys over to the NSA also... just no one has taken the time to figure out if it has or hasn't.. I kinda think anything that is a "major" OS the NSA tries to coax the maker into helping them

[Farchord]

You can tighten a lock all you want, it will never make it 100% secure.

It's a bit like mathematics. You can divide '1' by '2' as much as you want, you will never reach '0', you will always end up with more and more decimals.

[Eric Veteran]

While I can't dismiss this as FUD, I can say it doesn't matter. If the NSA really wants to know what's on your computer, they'll either come in your house and look when you're not there or they'll seize it directly and examine it.

[ichi]

While I can't dismiss this as FUD, I can say it doesn't matter. If the NSA really wants to know what's on your computer, they'll either come in your house and look when you're not there or they'll seize it directly and examine it.

The NSA is an USA agency (or whatever) while Windows is distributed worldwide. Does it really still not matter?

[Pippin666]

That's not really the point. ?Apart from the fact that if the NSA wants in your computer PeerGuardian wont save you, if a backdoor existsit's only a matter of time before someone with malicious intent cracks it.>

That's why backdoor are bullcrap stories.

Pip'

[raskren]

The NSA have a backdoor in Windows XP, SP1, SP2, SP3 as well. And Windows 2000, SP1, SP2, SP3, SP4. And Vista, and Vista SP1.

Do you see how the same bull**** theory keeps getting reiterated over and over again?

[xendrome]

Yea the NSA has a backdoor in every piece of software.... It's called a Federal Search Warrant...

[JonathanVP]

it is true...the NSA can get into your computer anytime they want and download all your pr0n

[Impact]

This is old news. The same article from wired was posted like 3 weeks ago. Also, why is this news? Its been like this for every major Windows release.

[theyarecomingforyou]

Also, why is this news? Its been like this for every major Windows release.

Because the NSA should have no special ability to get into systems, especially for non-US citizens. If this is true then it's yet another case of the US thinking it is superior to the rest of the world. I have more faith in China having access to my personal information than I do the US, which only goes to show how poorly I rate the US government / government agencies.

[neufuse Veteran]

Because the NSA should have no special ability to get into systems, especially for non-US citizens. If this is true then it's yet another case of the US thinking it is superior to the rest of the world. I have more faith in China having access to my personal information than I do the US, which only goes to show how poorly I rate the US government / government agencies.

What do you mean for especially not for non-us citizens... thats the whole point of the NSA :whistle: