from geeknews.net

Big Brother FUD
by
Mark Maxey (frank-n-f)

Today I scrolled through the pages of slashdot, geeknews and wired to see
claims stating Microsoft has a backdoor open for the NSA, the National
Security Agency, in the windows source code. Big brother Microsoft working
with the NSA or one the usual overpublicized bugs in Microsoft products I
wondered. The key named _NSAKEY is found in ADVAPI32.DLL by disassembling
the file. In theory the hole may be exploited by replacing _NSAKEY with your
own key, keeping the Windows API security subsystem running by not
corrupting the old one, in turn bypassing the windows security subsystem
completely. This will also allow access to the highest levels of the windows
security. The exploitation of such would be complex and would require some
internal method of rewriting the key. In other words something must be able
to manually overwrite the source without corrupting the subsystem, or
everything lays over and dies. The real deal on the key is the key only
arguably weakens the API cryptography and exploitation of the bug would be
very challenging since the key just can't magically be rewritten. Microsoft
doesn't sign anything that the Export Department, which is likned to the
NSA, doesn't sign. The NSA insisted that their must be a backup key. What if
the Microsoft key were cracked, then what would we do? Windows users would
be forced to use a beaten key. At the Microsoft Press release, Microsoft
stated that the real key in question was the Microsoft Key, or the active
crypto key, that was not shared with any organization, but they must include
the dead NSA key, to comply with export laws. Which, after a bit of research
I have verified that this must be included.

In all of the madness of this situation, there has been one obvious detail
that has been overlooked. Do you think that FBI agents tracking down child
pornographers on the net use their .gov addresses? Hell no, why in the world
would Microsoft or the NSA be so stupid as to name their backdoor after
their agency? Really, think about this for just a second. If you were gonna
go and break into someone's house would you spraypaint insert name was here
on the wall? Probably not, unless you were really really stupid. In reality,
the madness spurred just because a variable name had the letters NSA in it
and no other reason. The rest of the rumor was just propaganda to further
persuade people that they should use an alternative operating system with no
real support. Obviously the people posting these rumors were complete idiots
trying to ruin the Microsoft reputation as the worlds top software
developer.

This so-called security bug really isn't a security issue, but a blatant
personal attack on Microsoft. Everyone it seems with the closed minded,
militant linux syndrome is just aching to make Microsoft look bad even if
they must spread false information. Turning a rumor that is virtually
unfounded into a major media issue is not the way to fight the anti-ms war
people. This event just goes to show how childish people can be when it
comes jealousy. The fact is, most people out there are more than satisfied
with their Microsoft products. But the average, less than savvy, computer
user would truly be scared by the thought of Microsoft buddying up with the
NSA. Not because of a realistic security breach, but because some script
kiddy throws out some technical jargon that is completely unfounded just to
cause fear, uncertainty and doubt in the mindless computer user. Can we say
McCarthyism boys and girls? The security issue in this case was more of a
witch hunt to make Microsoft look bad than a realistic security
compromisation.

This is just my two cents of the matter. Take it as you will, but research
the situation for yourself and you will clearly see what I am speaking of.
Someone that was either stupid and/or motivated to destroy Microsoft's
pristine image saw the variable name NSA in a windows crypto file. The
person immediately connects it as a backdoor to the NSA, the crypto export
control organization, who simply put an unused key in the windows API code
in the case of a security compromise. The fact is, if this was really
exploitable, someone would have noticed it way before now and would have
been using it to their advantage. All in all, a silly situation that got
blown out of proportion because people are paranoid, vengeful and
uninformed.


-- Scott Little, 3:712/848@fidonet | slittle@bbs.slittle.com

--- FMail/2 1.48a+
128/139