Earlier this week, a senior National Security Agency official told US Congress that the NSA had worked on Microsoft’s latest operating system, Windows 7. This spurred a flurry of rumours about the NSA building backdoors into Windows 7, but Microsoft has today categorically denied these claims.
Richard Schaeffer, information assurance director at the NSA, testified before the Senate’s Subcommittee on Terrorism and Homeland Security, and talked about Windows 7, too.
“Working in partnership with Microsoft and elements of the Department of Defense, NSA leveraged our unique expertise and operational knowledge of system threats and vulnerabilities to enhance Microsoft’s operating system security guide without constraining the user to perform their everyday tasks, whether those tasks are being performed in the public or private sector,” Schaeffer told Congress.
“All this was done in coordination with the product release, not months or years later during the product lifecycle,” Schaeffer added, “This will improve the adoption of security advice, as it can be implemented during installation and then later managed through the emerging SCAP standards.”
This is barely interesting news. The NSA has worked with Microsoft before, and in fact, Microsoft isn’t the only company the NSA works with. Cisco, for instance, has built “lawful intercept” into its products, including its Internetworking Operating System (IOS) and VoIP products.
Marc Rotenberg, the executive director of the Electronic Privacy Information Center, raised a red flag about the NSA’s involvement in Windows 7. “When NSA offers to help the private sector on computer security, the obvious concern is that it will also build in backdoors that enable tracking users and intercepting user communications,” Rotenberg told ComputerWorld, “And private sector firms are reluctant to oppose these ‘suggestions’ since the US government is also their biggest customer and opposition to the NSA could mean the loss of sales.”
Microsoft responded to Rotenberg’s concerns, categorically denying it would build a backdoor into Windows 7 at the NSA’s request. “Microsoft has not and will not put ‘backdoors’ into Windows,” a Microsoft spokesperson told ComputerWorld in a statement.
Some experts on the matter think it is highly unlikely that Microsoft would build backdoors into Windows. “I can’t imagine NSA and Microsoft would do anything deliberate because the repercussions would be enormous if they got caught,” Roger Thompson, chief research officer at AVG Technologies, said, “Having said that, I think we should understand that there is every likelihood that certain foreign governments are constantly looking for vulnerabilities that they can use for targeted attacks. So if they’re poking at us, I think it’s reasonable to assume that we’re doing something similar. But I seriously doubt an official NSA-Microsoft alliance.”
“Would it be surprising to most people that there was a backdoor? No, not with the political agenda of prior administrations,” said Andrew Storms, the director of security operations at nCircle Security, “My gut, though, tells me that Microsoft, as a business, would not want to do that, at least not in a secretive way.”
I also think it is highly unlikely Microsoft would put secret backdoors in Windows. Windows is probably the most prodded and tested piece of software out there, and the existence of a backdoor would get out quickly – and it would mean a devastating blow to Microsoft, especially in a world where, shall we say, the US isn’t particularly popular.
Still, the rumours will persist, as that is the nature of man.
Why bother building back doors into Windows when the front door is always unlocked anyway!?
Yeah yeah… I actually do use Windows, so don’t take that so seriously.
In a restaurant somewhere in the State of Washington:
NSA agent: So, Steve, what’s user U357-E2H3-456T-UI4G doing?
Balmer: (Fiddling with netbook) Hmmm. Gonna have to log into my Google account for this… Oh… he’s still watching porn.
NSA agent: Well, how about X357-UD42-JK56-03T5?
Balmer: Damn this mobile broadband! Sometimes I think that space aliens must be… oh, here he is. It’s porn.
NSA agent: Well, for folks who are major threats to national security, these guys of yours certainly lead boring lives.
Balmer: Yeah. I’ve kinda noticed that. Sometimes I wonder if we aren’t a little to blame… That’s off the record, you understand.
NSA agent: Understood. QUAW-56WE-42W7-H81V?
Balmer: (Tap, tap, tap) Oooo! That’s gay shit!
NSA agent: *sigh* OK. How about 0000-0000-0000-0001?
Balmer: Wha?
NSA agent: 0000-0000-0000-0001.
Balmer: But… that’s…
NSA agent: Yes, I know.
Balmer: Well, OK. (Tap, Tap, Tap) Oh my f–king god! This is just disgusting. It’s Bill getting it on with his wife in front of the webcam! At least, I think that’s her. It’s hard to tell.
(Bleep! Bleep! Bleep!)
NSA agent: What was that?
Balmer: Looks like he just got a text message on his phone on the night stand. It’s from a couple of guys named Medvedev and Putin inviting him to an encrypted virtual teleconference.
(Bzzzzt!)
NSA Agent: What was that?
Balmer: Just the vibrator, I think.
NSA Agent: Which one? The Phone?
Balmer: Uhhhh….
NSA Agent: Never mind!
Balmer: I have 15 Google “accept on behalf” minutes left. Should I respond? I get 5 Bill-voice minutes free.
NSA agent: No. Pan back to the bed.
Balmer: Actually, I think it’s the kitchen.
NSA Agent: Whatever!
Edited 2009-11-20 00:20 UTC
Complete bullshit, you know Ballmer would never use anything from Google.
Everything else… well, don’t know.
Yeah. If Microsoft technology can’t do it, he just does without.
You know, if I were the AntiRockwell here on OSAlert, I’d call him a “Microtard” or something. Maybe a “Soft-tard”?
Take *that*, Balmer! You Google-hating Soft-Tard!
Edited 2009-11-23 20:34 UTC
Why bother talking about totally irrelevant things on the front page?
Of course any company doing international business will deny such claims (whether true or false). Just imagine how much faith customers from other countries (governments, companies, military, etc.) would have, if any company would admit that a government fiddled with their product leaving customers all over the world vulnerable to unfair business practices, espionage and the like.
So does Windows have any backdoors?
Probably. We don’t know.
Will Microsoft ever admit if Windows has backdoors?
Of course not.
Is it worth discussing any press statements from Microsoft about it?
No. Not without any hard facts.
It’s news that Microsoft consulted with the NSA on Win7. The denial is not the news; the consulting is. I might live under a rock, but I didn’t know there was any such government involvement.
I’m happy with Windows, and I welcome this kind of transparency, whether or not there is any such “backdoor.”
“there is no NSA backdoor”
but a frontdoor hidden as a security flaw.
would be “news” if MS confirmed the ‘feature’. “sure we have a NSA (or for whomever) backdoor in windows”. I think both customers and the NSA won’t be too happy with MS saying so.
MS denying the backdoor rumors is not news to me.
AKA, the side entrance…
And what about the unfinished huge Picture Window?
With those 30+ million or whatever lines of code, how would Microsoft even know?
“Hey Frank, do you recognize this source checkin from last week by “YourSecretSanta” claiming he’s fixing up a buffer overflow in the Backdoor service? I don’t remember the code review for that…”
Any sane project is going to use source control.
Unless the NSA is paying people to cover it up – I’m guessing the people regularly working with and reviewing the code regularly might detect something amiss when it gets committed – unless it’s added by a malicious individual in a very sneaky way.
It’s a bad idea for an untrusted developer to be given commit access to a source-controlled codebase and allow them to checkin large amounts of code without peer review – of course many corporations do this all the time, but I have to assume Microsoft has at least put *some* safeguards in place to prevent this as much as possible given their continual public scrutiny.
but… without public source code review…
Does it matter?
I mean, come on… how would we/you ever know?
I was only answering the question that was asked
Whether we can ever know is of course a different question.
Just out of curiosity … what does the UEFI module that windows 7 installs do besides implement compatibility? It would be running outside the OS or from another point of view your OS has migrated closer to your hardware.
It can only install of course if your PC has UEFI… so most are still unaffected
Supposedly this module also has to do with Phoenix support for loading the OS nearly instantly but I would like proof of that. I mean most BIOS related stuff is minuscule and from what I gather the module it installs to the FW is rather large.
Any comments on that? I would investigate myself but only have dated HW at home.
Ref:
http://www.microsoft.com/whdc/system/platform/firmware/UEFI_Windows…
Part of NSA’s function is securing nation’s computers and with Windows installed on majority of them NSA provides assistance with securing Windows. This is mostly guidelines and results of security tests they run that are provided to Microsoft.
And it’s not just Windows. NSA contributed to SE/Linux.
They share the story with “reporters” at ComputerWorld and they show their disregard for journalistic integrity. Real classy.
That makes me feel so much better. I’ll sleep well tonight, knowing that.
True, but we can 100% review what it is that is in the code they’ve developed.
With Windows it’s a “Trust Me” kind of thing.
How about a non-secret backdoor?
Microsoft have admitted in the past for XP that an “update to Windows update” can be pushed and installed silently on XP without Microsoft having to know any local machine password, regardless of user settings.
http://blogs.zdnet.com/hardware/?p=779
If Microsoft can silently update Windows update, then they have a backdoor. After silently updating Windows update Microsoft can always put it back again the way it was.
I haven’t heard Microsoft ever claim that this backdoor was removed from either Vista or Windows 7.
PS: I don’t believe there is anything malicious in this … I just note that it exists.
Edited 2009-11-20 02:03 UTC
A backdoor that is easily thwarted by disabling the automatic update service?
To be clear, the updates aren’t “pushed” in the sense that your machine is contacted by Microsoft and the updates are installed forcefully – they are pulled – by the automatic update service that can be disabled by the user manually if desired.
Edit: corrected service name
Edited 2009-11-20 02:23 UTC
Not that I use Windows, but anyway that is apparently not quite the whole story.
http://blogs.zdnet.com/hardware/?p=779
I might also add that when I first read about this, that last quoted paragraph was not present, so the rider about but not on systems set to “Never check for updates” is new to me.
Anyway, it seems that your choices are: (a) enable a backdoor to your Windows system, or (b) manually check for updates all the time yourself (in which case stealth updates would probably happen anyway once you had manually checked), or (c) don’t update.
There’s a *huge* difference between setting the automatic updates setting, and disabling the service entirely.
If you’re worried about someone slipping an update in that might open a door – then any system you use to install updates that you “trust” is just as fragile…
The only relatively sure way to prevent unwanted backdoors is to review the code and compile your OS yourself.
Not a lot of difference, if you then subsequently run a check for updates manually anyway. The only real difference is that you are not using an automatic scheduled timer to check for updates.
The backdoor mechanism is via the stealth updates. The only thing that you can disable is the automatic updates scheduler.
If you don’t periodically manually run a check for updates, your system will not get updated at all. Security risk.
If you do periodically manually run a check for updates, that effectively allows the same stealth backdoor as the automatically scheduled updates. Backdoor.
You can either get owned, or you can get owned.
There is another way.
You could restrict yourself to installing only software which was auditable by people who:
(1) did not write that software, and
(2) are able to read and understand and audit source code, and who
(3) use the same code themselves for their own systems.
Since their interest is your interest, you get the benefit of their audit.
Edited 2009-11-20 03:34 UTC
No one remembers the NSAKey debacle?
http://en.wikipedia.org/wiki/NSAKEY
They’ve been in Windows for years and years.
No, we remember – It’s just the people who understand it never took issue out of “oh noes, there’s a 128 byte key in one DLL used for export licensing”.
Only the tin-foil hat wearing fringe whacko conspiracy nutjob paranoids take this type of sensationalist reporting seriously. File this alongside your “911 truthers”, Who really killed JFK, or how 911 and its primary architect were predicted on our currency.
Wow, I had no idea that the Girl Scouts are responsible for the crop circle phenomenon.
Few people do, few even think to ask the question.
Edited 2009-11-20 06:02 UTC
No need to worry, he’s probably going to ring up Alex Jones over at Prisoner Planet claiming there to be a world wide conspiracy involving fluoride, vaccinations, NSA code in Windows and dumbing down of television as to enslave the nation! America unfortunately is filled with conspiracy nuts – the conspiracy theorists suck as individuals so they grasp at straws to explain why they suck.
Edited 2009-11-20 15:37 UTC
While I don’t necessarily personally believe it, it also does not sound implausible that the NSA would want a security back-door in Windows bad enough to at least approach Microsoft about it. Bear in mind, the US Fed’ral Gov’ment hasn’t always been thrilled with its citizens’ ability to keep secrets from it: various bills have arisen in Congress to try to make various types and strengths of encryption illegal, and even to enforce the inclusion of government-held master decryption keys in cryptography schemes. For that matter, bear in mind that large telcoms now are required to have hardware making it possible for the government to intercept arbitrary calls, based on the same fundamental logic: “the Federal Government should have unrestricted access to information that it deems is of overriding importance” — or, more precisely, “when the federal government decides that access to private information is of vital importance, it should not be technologically possible to prevent access to that information”. (To the best of my knowledge, all those bills have been defeated — but, at least, there is an interest, held by some in the federal government, in having these kinds of back-door keys put in).
I think the idea is at least more plausible than the other kinds of high-octane tinfoil hat that you list.
“Only the tin-foil hat wearing fringe whacko conspiracy nutjob paranoids take this type of sensationalist reporting seriously.”
Ah yes, spoken like a true ameriKan. How did you manage to string together such a long line of impressive words? I see you have been watching a fair amount of Fox News and CNN. Your ignorant comment comes as no surprise. Everyone knows the U.S. has one of the most ignorant, dumb, brain-washed and gullible populations in the world. They will believe anything as long as they hear it on their national news.
Some food for thought for brainwashed narrow-minded half-brained quasi-educated ameriKans like yourself: in mainstream political circles anyone who talks about conspiracies is ridiculed. This ugly habit is dishonest since even a little open-minded study reveals that there have been many conspiracies throughout human history, and that many of them had a great effect. Let’s consider: the burning of Rome by emperor Nero – blamed on the Christians. The Reichstag fire in Nazi Germany by Hitler’s people – blamed on the communists. Moscow apartment bombings in 1999 by the FSB (KGB) – blamed on Chechen rebels and used to justify Russia’s invasion of Chechnya. And then 9/11…? You tell me. When stuff happens abroad everyone immediately suspects a conspiracy, but the U.S. is of course immune to conspiracies. The U.S. government always works in your best interest and would never harm or spy on its own citizens, right? And surely they would not sacrifice 3000 of their own people for oil, war and Middle East domination, right?
Idiot.
Edited 2009-11-21 15:47 UTC
By the way, “deathshadow”, how did you come up with such a fascinating and impressive original username? Maybe you should change it to “moronshadow”?
You were not even able to properly articulate your opinion with clear arguments, but instead resorted to lame, pathetic and juvenile insults against a group of people just because they do not accept the official version of events. You are no better than they are. Can’t refute the message so you try to discredit and ridicule the messenger. This is the ultimate cowardice.
Don’t forget that it is in Linux as well..after all the NSA wrote SELinux…
I think I’ve heard this claim every time a version of Windows has been released, going right back to NT 4.
Give it a rest..Please.
I think it was when they found _NSAKEY in regedit that touched the whole thing off.
Give it a rest people, just wait until service pack 1 is released. I promise that it will block one of the most powerful agencies in history from watching your porn collection!
I didn’t know this was about Sweden?
Famous saying of prince Alexander Gorchakov
This was highly expected and it’s not a problem related to Microsoft only. Do you think that Google keeps their data off of NSA? Yeah, sure.
The big push in Europe about open-source mostly derives from all these problems. Same applies to other countries like China which obtained to get a special version of Windows (and I bet such version won’t include any NSA backdoor plus a China govt backdoor).
Actually, the NSA and MS conspired to release this rumor so that the “bad guys” would think Win7 is compromised and switch to Linux, which is where the NSA -really- has their back door.
KRR
Duh, you guys… Believe it or not, Microsoft has a pretty widely used source code access program that provides LOTS of corporate and (US and non-US) government users access to the Windows source code base. They even provide users with (free) short introductory on-site seminars on how the source code base is organized. See: http://www.microsoft.com/resources/sharedsource/windowslp.mspx
If there was any sort of backdoor in Windows, lots of people would know about it pretty quickly… Well, assuming ANYbody can read through millions of lines of source code “quickly”, of course.
– DD
It’s not really that simple. If we assume that someone wanted to put a backdoor in there:
1. The code you read doesn’t necessarily have to be the same as the code you’re executing if you don’t have the possibility to compile it yourself.
2. Even then, you’re not completely safe. See this old thing for explanation:
http://cm.bell-labs.com/who/ken/trust.html
(it’s about introducing a back door in the unix login program that won’t show in the source code and also not show in the compiler source code (although the compiler does the introducing of the back door))
This might seem like a lot of hassle, but if a big company like Microsoft or an organization like the NSA decided that this is what they want, I’m sure they would be able to do what Ken Thompson figured out on his own in 1984.
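The point made in the comment above, modelled as an added example that is not part of the original thread: rebuilding a compiler from audited source with a subverted compiler binary reproduces the subversion, while diverse double-compiling (DDC, a check described by David A. Wheeler and not mentioned on this page) with an independent compiler exposes the mismatch. The `Binary` model, `CC_SRC`, `TRUSTED` and all function names are constructed for illustration, and deterministic builds are assumed.

```python
"""Toy model of the "trusting trust" problem and the diverse double-compiling
(DDC) check. Everything here is constructed; no real compiler is involved."""
import hashlib
from dataclasses import dataclass

# Constructed sample: the audited compiler source. Its first line declares the
# code generator that a compiler built from this source uses on its own output.
CC_SRC = "codegen=A\ncompiler source v1 (audited, contains no backdoor)\n"


@dataclass(frozen=True)
class Binary:
    image: str     # bytes on disk, modelled as a hex digest
    codegen: str   # code generator this binary applies when run as a compiler
    implant: bool  # behaviour hidden in the binary that no source file shows


def compile_with(compiler: Binary, source: str) -> Binary:
    """Run `compiler` on `source` (deterministic build assumed)."""
    # A subverted compiler recognises the compiler source and copies its
    # implant into the output, so the implant survives every rebuild.
    carries = compiler.implant and source == CC_SRC
    material = f"{compiler.codegen}|{source}|{'implant' if carries else ''}"
    image = hashlib.sha256(material.encode()).hexdigest()
    declared = source.splitlines()[0].split("=", 1)[1]
    return Binary(image, declared, carries)


def vendor_release(subverted: bool) -> Binary:
    """The shipped compiler: built from CC_SRC by the vendor's own toolchain."""
    return compile_with(Binary("vendor-bootstrap", "A", subverted), CC_SRC)


# Assumption: an independent compiler with a different code generator that the
# verifier trusts not to carry the same implant.
TRUSTED = Binary("independent-toolchain", "T", False)


def self_rebuild_matches(suspect: Binary) -> bool:
    """Naive check: rebuild the audited source with the suspect binary itself."""
    return compile_with(suspect, CC_SRC).image == suspect.image


def ddc_matches(suspect: Binary, trusted: Binary) -> bool:
    """DDC: trusted compiler builds stage 1, stage 1 builds stage 2, and stage 2
    must equal the shipped binary bit for bit if that binary matches CC_SRC."""
    stage1 = compile_with(trusted, CC_SRC)  # correct behaviour, different bytes
    stage2 = compile_with(stage1, CC_SRC)   # same code generator as the vendor's
    return stage2.image == suspect.image


def audit(subverted: bool) -> dict:
    suspect = vendor_release(subverted)
    return {"self_rebuild": self_rebuild_matches(suspect),
            "ddc": ddc_matches(suspect, TRUSTED)}


if __name__ == "__main__":
    for subverted in (False, True):
        print("subverted" if subverted else "clean", audit(subverted))
```

The self-rebuild check passes for both releases, which is why reading the source and recompiling with the shipped compiler proves nothing; only the DDC comparison separates the two.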
There is no backdoor. I can tell because a lot of people from NSA and Microsoft would’ve known if there was one and us humans can’t keep secrets anyway so there would be always at least one person telling his wife, friend etc. after which the news would go very fast.
That’s also the reason I don’t believe in conspiracy theories. People can’t keep something big for themselves.
Just a lil aside as I noticed a few comments about open source trust. You will never know there is no back door, unless you review the code and compile it yourself. All true… but you know… we trust things all the time.
For all I know the NSA has a secret deal with Honda and my car can explode at the switch of a button by someone at the NSA. I’ll never know. It is located deep in the internals of the fuel injection system. I have as much of a chance of finding it as I do finding the opcodes in a compiled binary.
Do I get the blueprints of the car (design) and watch it being made (implementation)? Just like software. Do I get the source code (design) and do I get to see it being made (compiled)?
The ‘rights’ you get with open source go well beyond what you get in virtually every other industry. You always have to ‘trust’ some person or some company who made the product.
Granted, open source makes it a lot easier to trust. Yet, like I said, it is well beyond the rights you get in almost every other industry.
Sooner or later somebody will discover a bug that can allow an “attacker” to take control of a computer.
Oh, but wait… It’s Not a Bug, It’s a Feature!
You do the math…
I’m sure they did categorically deny it. That doesn’t mean it isn’t there.