
Re: [News] What is Microsoft Hiding So Religiously?

On Thu, 16 Nov 2006 16:28:58 +0000, Doug Mentohl wrote:

> "He urged the government to look at establishing "back door" ways of
> getting around encryption"
> 
> "The Home Office later told the BBC News website it is in talks with
> Microsoft"

They can say they're "in talks" all they want.  It doesn't mean it's
happening or happened.

> "Computer security specialists have been aware for two years that
> unusual features are contained inside a standard Windows software
> "driver" used for security and encryption functions.
> 
> The driver, called ADVAPI.DLL, enables and controls a range of
> security functions .. it turns out that ADVAPI will run special
> programmes inserted and controlled by NSA. As yet, no-one knows what
> these programmes are, or what they do"
> 
> http://www.techweb.com/wire/story/TWB19990903S0014

That's simply not true.  Try a professional opinion, like Bruce Schneier's.

http://www.schneier.com/crypto-gram-9909.html

"Microsoft has two keys, a primary and a spare. The Crypto-Gram article
talked about attacks based on the fact that a crypto suite is considered
signed if it is signed by EITHER key, and that there is no mechanism for
transitioning from the primary key to the backup. It's stupid cryptography,
but the sort of thing you'd expect out of Microsoft. 

Suddenly there's a flurry of press activity because someone notices that
the second key in Microsoft's Crypto API in Windows NT Service Pack 5 is
called "NSAKEY" in the code. Ah ha! The NSA can sign crypto suites. They
can use this ability to drop a Trojaned crypto suite into your computers.
Or so the conspiracy theory goes. 

I don't buy it."

also

"I see two possibilities. One, that the backup key is just as Microsoft
says, a backup key. It's called "NSAKEY" for some dumb reason, and that's
that. 

Two, that it is actually an NSA key. If the NSA is going to use Microsoft
products for classified traffic, they're going to install their own
cryptography. They're not going to want to show it to anyone, not even
Microsoft. They are going to want to sign their own modules. So the backup
key could also be an NSA internal key, so that they could install strong
cryptography on Microsoft products for their own internal use. 

But it's not an NSA key so they can secretly inflict weak cryptography on
the unsuspecting masses. There are just too many smarter things they can do
to the unsuspecting masses."
