Thursday, December 28, 2006

Oops! An old story, but no less relevant today!?

NSA backdoor creates security hole in Windows

Posted by Hemos on Fri Sep 03, '99 08:43 AM
from the i-think-i-get-it dept.
A number of people have written in with the news that Cryptonym has found an apparent backdoor for the NSA (called NSAKEY) in all current versions of Windows. However, you can open this backdoor yourself and install your own strong crypto module in place of the built-in one. More details are also online, but to be quite frank, we aren't quite sure on this one, so if you're more qualified to comment, please do so below.

Update: 09/03 11:19 by H: Thanks to Jens Hillman for more information from the German Chaos Computer Club. The webpage is in German; Babelfish it.
#########################################
And here is CNN
#########################################

NSA key to Windows: an open question


September 4, 1999
Web posted at: 4:43 p.m. EDT (2043 GMT)



(CNN) - Microsoft operating systems have a backdoor entrance for the National Security Agency, a cryptography expert said Friday, but the software giant denied the report and other experts differed on it.

The chief scientist at an Internet security company said Microsoft built in a "key" for the nation's most powerful intelligence agency to the cryptographic standard used in Microsoft Windows 95, Windows 98, Windows NT4 and Windows 2000.

To use cryptographic applications in Windows, users must load its cryptography architecture in a standard called CryptoAPI.

A year ago, researchers discovered there were two keys, or digital signatures, that allowed the loading of CryptoAPI -- Microsoft had one but the identity of the other keyholder was a mystery.

Andrew Fernandes of Ontario-based Cryptonym Corp. and his colleagues now say the NSA holds the second key because they found that a recent service pack for Windows NT failed to cloak the second key, revealing it as "_NSAKEY."

"In the data security profession, those three initials only mean one thing: National Security Agency," Fernandes said.

Microsoft denied that the key belongs to the NSA, saying instead that the "_NSAKEY" label simply means the cryptography architecture meets the NSA's standards for export.

"These reports are completely false," said Microsoft spokesman Dan Leach.

"The key does not allow any other party to start or stop cryptographic services on anyone's computers.

"So no, the government cannot spy on your computer using Microsoft software. We don't intentionally leave backdoors. Microsoft has consistently opposed key escrow because we feel it is no good for the consumer, for Microsoft and no good for the government."

Fernandes said the NSA key would allow the intelligence agency to load services on users' machines without their authorization, an option it more likely would use against a corporation than an individual.

Fernandes posted a "fix" to the key on his Web site Friday, along with a press release announcing his report on the second key. The NSA failed to return comment on the key.

The alleged NSA key came to light just days after Microsoft squelched a breach to its Web-based e-mail service, Hotmail.

