Is MS adding an NSA back door to Vista's SP1?

Discussion in 'The Lounge - Off Topic' started by ffreeloader, Dec 18, 2007.

  1. ffreeloader

    ffreeloader Terabyte Poster

    Bruce Schneier is reporting that MS has added the same random number generator to SP 1 for Vista that has what cryptography experts have conceded can only be called a backdoor. Here is a quote from his first blog on this random number generator.

    You can read the entire article at the following link.

    http://www.schneier.com/essay-198.html

    Here is what Mr. Schneier has to say about what MS is using for a random number generator in Vista SP1.

    With MS's track record lately of making system changes without people's explicit permission this is something I would think about pretty carefully as they could enable it without your knowledge or consent.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  2. Fergal1982

    Fergal1982 Petabyte Poster

    Gods Freddie, for someone who doesn't like MS, you seem to spend an awful lot of your free time hunting down negative publicity for MS.
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  3. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    That didn't need to be hunted down, it's been making the rounds since Bruce made the initial post

    I think the main question is a) what is the MS motive to include it over the other DRNGs? I have a funny feeling it was more at the request of the NSA than anything, possibly explains why it's not enabled by default either, whilst the NSA may want it installed, it's not really in MS's best interest to screw over its clients' best interests quite so noisily

    Nice post Freddy, but I'd be keen to see more of YOUR view not just a few lines at the bottom about the MS track record.
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  4. ffreeloader

    ffreeloader Terabyte Poster

    This is a big deal Fergal. If a criminal, or a government, gets their hands on the ability to predict seeding of random numbers they can break any SSL, TLS, etc... traffic to and from your computer. That means all of your online shopping would be insecure by default. You might as well broadcast your credit card numbers and all passwords to anything online in clear text because all anyone would have to do to break the encryption was capture a couple of packets and your private information is now public. That means any pgp or mime encryption of email would be insecure by default. No more public key/private key encryption that would be worth anything.

    This is something that needs to be widely known as it affects everyone who runs Vista as the possibility will always exist that every bit of encrypted traffic from any Vista computer might as well be being sent in clear text.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  5. ffreeloader

    ffreeloader Terabyte Poster

    I find this one pretty serious, Phoenix. When the experts in encryption, which is over my head, tell me that what they are finding can only be called a backdoor, it worries me. The government has never been good at keeping private information private, and with this thing enabled on a computer there is no such thing.

    The second thing that worries me is what the information about those keys is worth. That information is now of very high value to any and every criminal in the world. A lot of bad guys will be working to figure out how to get to that motherlode because it will be worth billions of dollars as nothing encrypted on, or to-and-from, a Vista computer will be secure. If encrypted it will be easily broken.

    The scary thing is that we'll never know if a criminal gets the specific information about those keys either, and once that information is out in the underworld, it's Katy-bar-the-door time.

    Needless to say, I see this as big stuff. The implications are enormous for everyone as you never know when your own personal data will be/would be held on a Vista computer, any Vista computer, and they'll all be suspect now. That's a very scary thing.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  6. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    Personal privacy vs. national security has always been at odds. The more power we give our governments over our lives, the less privacy and control we have. It's possible at this point that the concepts of "privacy" and "control" on the individual level are now mere illusions. I read a book in the late 1970s called "The American Police State" (I think...I can find a book by that name online, but it was published in 1988) about the Nixon administration and how political power was misused to spy on American citizens.

    Since September 11, 2001, the terrorist threat has been used as a reason/excuse to increase the government's power to "legally" intrude on the lives of citizens, gathering private information of all kinds, all in the name of "national security". I agree that law enforcement agencies need to have the tools to investigate and prevent crimes, but finding the balance between security and privacy is almost an impossibility. When the government can read our private data in our Internet transactions, we call it "intrusion". When they use that ability to save the lives of thousands or tens of thousands by preventing a terrorist attack, we call it "a good job". How do you have one and not the other?
     
    Certifications: A+ and Network+
  7. ffreeloader

    ffreeloader Terabyte Poster

    A perfectly secure society is impossible, and not something anyone would ever want, at least I wouldn't. Much of what is being taken away in terms of privacy is taken away and all that is really achieved is the illusion of security because we aren't, in reality, any more secure than we were before. We just like to think we are because we are told we are.

    The biggest thing about MS including a back door is the criminal possibilities it has. They are huge, and government has always been inept, so the combination is frightening when you think about it.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  8. JonnyMX

    JonnyMX Petabyte Poster

    I always assumed that Microsoft had a back door into everything anyway...
     
    Certifications: MCT, MCTS, i-Net+, CIW CI, Prince2, MSP, MCSD
  9. ffreeloader

    ffreeloader Terabyte Poster

    Why, Johnny, how anti-MS of you.... :twisted:
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  10. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    Conversely, a perfectly free society isn't possible either. People expect their government to "take care of them" on some level. Most folks expect that the government officials who inspect their food, for example, will do a good job so we can enjoy a pot roast without fear of food poisoning. We only complain when the government gets into *our* business (not necessarily someone else's).

    I'm not defending or attacking Microsoft's actions here and in fact, I'm not really addressing Microsoft at all. What you've started has really opened up a much larger issue in terms of personal freedoms vs. the state's "right" to create security. We all complain about the government getting into our privacy but would roast government officials over a slow fire if they ever let a tragedy like the World Trade Center happen again.

    It's not a perfect world and there are no perfect solutions. Trouble is, how far do we let the pendulum swing, one way or the other?
     
    Certifications: A+ and Network+
  11. ffreeloader

    ffreeloader Terabyte Poster

    Speak for yourself on that one, Trip. I'm not someone who thinks the government can protect us from every bad thing that could possibly happen, and don't want to compromise my freedoms so far that even the illusion of that is possible.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  12. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    This is why my attitude continues to be the same as it has been since 9/11

    If my life is to end this day due to terrorist action, then so be it, I want no extra security, no extra precaution, just the knowledge that my children will grow up in a free society like I have

    the scary thing is that by the time I have kids that might not be a possibility, everyone's individual life is way too important these days, they care little for their society, just themselves

    I'd be happy to die young knowing that my sacrifice will mean that my kids will be free, (I'd also happily risk my life in an attempt to engage said terrorists, perhaps I will live a little longer, perhaps someone else will!)

    The worrying thing is previously when governments have got a little too heavy handed, the people have stood up to it, and taken it back, the British Civil war, the US War of Independence, the French revolution, the fear now is that technology has perhaps given governments an edge, and as they wield a nation's military the way they do (to serve them, not the people) who will know if we ever see this sort of strong stand against a corrupt government again?

    OK enough of my OT soapbox :)

    Yes, this is very troubling news, see above! :D
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  13. ffreeloader

    ffreeloader Terabyte Poster

    I agree, Phoenix. If you have to give away your freedoms to protect them, then the illusion of security is not worth it. We all die some time or other, so trying to avoid death is impossible. If it comes, it comes.

    I would far rather live with known risk and freedoms and privacy, than without privacy or freedom and the illusion of no risk.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  14. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    I'm not speaking for myself. I'm presenting what seems to be the general public view of wanting one's cake and being able to eat it, too. You can't have it both ways.
     
    Certifications: A+ and Network+
  15. ffreeloader

    ffreeloader Terabyte Poster

    I agree, you can't have it both ways. But at the same time not everyone thinks that way. Not everyone thinks that trading freedom and privacy for the illusion of security is a good thing. The ones I see saying it are the mainstream media. They've had the agenda of more government, bigger government, and a nanny state for at least a couple of decades now. But, just because the mainstream media shouts it doesn't mean the general public believes it in their hearts.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  16. Modey

    Modey Terabyte Poster

    All you need is one of these and you will be perfectly safe. :)

    [IMG]
     
    Certifications: A+, N+, MCP, MCDST, MCSA 2K3, MCTS, MOS, MTA, MCT, MCITP:EDST7, MCSA W7, Citrix CCA, ITIL Foundation
    WIP: Nada
  17. ffreeloader

    ffreeloader Terabyte Poster

    Really? So you think that taking the consensus opinion of world renowned experts in the field of cryptology and security is tin foil hat time? That's a new one on me. Mind explaining how you come to that opinion?

    There hasn't been one expert in this area that has contradicted anything I've said here about the consequences of this new RNG in Vista SP1. They all say this is bad news, and the foremost experts in the field say don't ever enable this RNG in Vista or your ability to encrypt anything securely will be suspect. And once it's suspect, once any encryption method is known to be easily breakable, then it's useless for security.

    You don't believe it? Ask the companies that have had the identities of millions of their customers stolen from their databases because they continued to use WEP as the security protocol on their wireless networks after it was known to be easily breakable. This RNG makes any encryption on a Vista machine hard drive, or SSH or HTTPS traffic from or to a Vista machine that uses it less secure than WEP.

    Will you want your credit card numbers stored on laptops that for all practical purposes will be storing them in plain text? How about doing online shopping? Are you comfortable transmitting your credit card numbers in clear text?

    Let's see just how unmindful of security you really are. And, since you're making the accusations, why don't you show me the dissenting experts who disagree with me. Show me the experts who say having an RNG in the OS on your computer that's a known backdoor is no big deal.

    Come on, Modey. If you're gonna take a shot at me, take a good one. Really show me up for being a paranoid tool. If you can't, well, we'll know who the real tool is. It will be you.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  18. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    At least from the robot, alien, zombies trying to take control of your thoughts. :tongue
     
    Certifications: A+ and Network+
  19. Modey

    Modey Terabyte Poster

    Wow, take a chill pill man. I posted the picture as something light hearted, it wasn't aimed at you, I didn't even mention you. You need to get over yourself.
     
    Certifications: A+, N+, MCP, MCDST, MCSA 2K3, MCTS, MOS, MTA, MCT, MCITP:EDST7, MCSA W7, Citrix CCA, ITIL Foundation
    WIP: Nada
  20. Ropenfold

    Ropenfold Kilobyte Poster

    I wouldn't worry too much about people getting hold of your personal details through Vista, Come and live in Britain where the government will Lose your personal details for you!!! :D

    Sorry Political moment there :oops:
     
    Certifications: BSC (Hons), A+, MCDST, N+, 70-270, 98-364, CLF-C01
    WIP: ISC2 CC, Security+
