Technology Stocks : Novell (NOVL) dirt cheap, good buy?


To: Frederick Smart who wrote (28041) 9/9/1999 9:04:00 AM
From: ToySoldier
 
Frederick,

With this security backdoor for the US government supposedly built into the MSFT Windows operating systems, I would think that Governments other than the US should and hopefully will impose IMPORT restrictions on the MSFT code for national security violations.

Being a Canadian, I would consider a product where a foreign government has access to my system to be a violation that I would expect the Canadian Federal government to protect.

I would not expect any different reaction to citizens of other countries throughout the world. It's one thing if the US government and MSFT want to have the ability to spy on their own citizens, but to export a product to other countries that gives them the ability to spy on citizens of other countries angers me greatly - if this is proven to be true.

Another point for MSFT to consider is that the other foreign governments may impose import restrictions of MSFT's Windows products until their security agencies have access to this same built-in backdoor.

I think it's time to write a letter to my government representatives responsible for security and ask them how they are going to respond to this clear violation of my rights of protection from abuse by a foreign government.

Toy



To: Frederick Smart who wrote (28041) 9/9/1999 12:12:00 PM
From: ToySoldier
 
Some other reports and opinions on this issue....

zdnet.com

cryptonym.com

Read the forum comments on the www.securityfocus.com site under "FORUMS" --> "BUGTRAQ" --> "ARCHIVE" and in the Sep 3rd date range. Here is one of the comments/posts...

To: BugTraq
Subject: Re: NSA key in MSFT Crypto API
Date: Fri Sep 03 1999 02:15:08
Author: Tim Dierks
Message-ID: <001801bef66a$8c125310$8706010a@haruspex.certicom.com>

It's not clear to me why being able to sign CSP modules is a risky thing
anyway; all it means is that Windows will load and execute your crypto. The
mechanism is designed to keep overseas end users from being able to build
and install strong crypto libraries. If the NSA has a key, all they can do
is vouch for their libraries as export-qualified and thus enable their use.

It's not a secret backdoor or anything, and modules need to be on the
machine before their signatures are checked. If I can get you to execute
code on our Windows machine, I can penetrate your security, period. These
authorizing signatures have nothing to do with it.

Even if the key belongs to the NSA, I suspect that the NSA just wanted to be
able to load classified Crypto Service Providers into Windows and didn't
want to have to send said classified software to Microsoft for approval, so
they got the key installed so they could approve software in house.

- Tim

Tim Dierks
VP of Engineering, Certicom
tdierks@certicom.com
510.780.5409 [Hayward] -- 905.501.3791 [Mississauga]


and another comment/posting on this forum...

To: BugTraq
Subject: Re: NSA key in MSFT Crypto API
Date: Thu Sep 02 1999 22:32:19
Author: John Gilmore
Message-ID: <199909032032.NAA10419@toad.com>

> >http://www.cryptonym.com/hottopics/msft-nsa.html
>
> Perhaps more interestingly, the program lets you replace the key, too.

Microsoft prevents third parties from installing un-authorized crypto
code under CAPI by checking the signature on the code. Under their
export deal, they refuse to sign anyone's non-US code that does strong
crypto. So if you want to add your own strong crypto, you need to sign
it with a key that the CAPI recognizes. You could patch out Microsoft's
key but then the Microsoft modules won't load properly. It works
better to patch out NSA's key with your own -- then you can load both
your own crypto code and all the standard MS stuff.

John


Sounds like more of an opportunity to hack Windows against the Government than a Government spying operation. Not being a security guru myself I would have to say the jury is out as to the real initial intent and the net results of this NSAKEY being revealed.

Toy