How NSA access was built into Windows

Steve Siegfried sos at zjod.net
Tue Jan 16 15:15:03 UTC 2007


On January 14'th, Claude Jones kicked off this thread with a question
about the NSA'a involvement (if any) in SELinux.

I'm a subscriber to Bruce Schneier's CRYPTO-GRAM newsletter (currently
in its 10'th year of publication), the January 15'th edition of which
contained:
   CGNL> 
   CGNL> ** *** ***** ******* *********** *************
   CGNL> 
   CGNL>       NSA Helps Microsoft with Windows Vista
   CGNL> 
   CGNL> 
   CGNL> 
   CGNL> The NSA "helped" Microsoft with Windows Vista.  They're not disclosing 
   CGNL> what they did, of course, but Microsoft insiders have told me that it 
   CGNL> was nothing more than assisting with assurance testing.
   CGNL> 
   CGNL> But I am suspicious.
   CGNL> 
   CGNL> It's called the "equities issue."  Basically, the NSA has two roles: 
   CGNL> eavesdrop on their stuff, and protect our stuff.  When both sides use 
   CGNL> the same stuff -- Windows Vista, for example -- the agency has to decide 
   CGNL> whether to exploit vulnerabilities to eavesdrop on their stuff or close 
   CGNL> the same vulnerabilities to protect our stuff.  In its partnership with 
   CGNL> Microsoft, it could have decided to go either way: to deliberately 
   CGNL> introduce vulnerabilities that it could exploit, or deliberately harden 
   CGNL> the OS to protect its own interests.
   CGNL> 
   CGNL> A few years ago I was ready to believe the NSA recognized we're all 
   CGNL> safer with more secure general-purpose computers and networks, but in 
   CGNL> the post-9/11 take-the-gloves-off eavesdrop-on-everybody environment, I 
   CGNL> simply don't trust the NSA to do the right thing.
   CGNL> 
   CGNL> http://www.washingtonpost.com/wp-dyn/content/article/2007/01/08/AR2007010801352.html 
   CGNL> or http://tinyurl.com/ycgv9f
   CGNL> 
   CGNL> Another opinion:
   CGNL> http://www.computerworld.com/blogs/node/4330
   CGNL> 
   CGNL> 
   CGNL> ** *** ***** ******* *********** *************
   CGNL> 

I should point out that Mr. Schneier is founder and CTO of BT Counterpane,
a well respected computer security company, invented the Blowfish and
Twofish algorithms and is often the "go-to guy" for media on computer
security issues.

Now here's the fun part: If you read the two articles Schneier points to,
you'll also find this nugget in the first (from the Washington Post's
online site):

  WP> 
  WP> Other software makers have turned to government agencies for security
  WP> advice, including Apple, which makes the Mac OS X operating system. "We
  WP> work with a number of U.S. government agencies on Mac OS X security and
  WP> collaborated with the NSA on the Mac OS X security configuration guide,"
  WP> said Apple spokesman Anuj Nayar in an e-mail.
  WP> 
  WP> Novell, which sells a Linux-based operating system, also works with
  WP> government agencies on software security issues, spokesman Bruce Lowry
  WP> said in an e-mail, "but we're not in a position to go into specifics of
  WP> the who, what, when types of questions."
  WP> 
  WP> The NSA declined to comment on its security work with other software
  WP> firms, but Sager said Microsoft is the only one "with this kind of
  WP> relationship at this point where there's an acknowledgment publicly."
  WP> 

So it would seem that MS is farther in cahoots with the NSA than most, but
also that Linux (via Novell) isn't exempt from NSA "oversight", either.

Just trying to inject some facts'idly,

-S




More information about the fedora-list mailing list