Paul Ferris -- Who Has The Key To Your Back Door?
Sep 07, 1999, 13:20
By Paul Ferris, Staff Writer
In the past, I've been pretty loud about the problems of proprietary software with regard to security and privacy. My stance is basically this: Free Software with the source code available is more secure because more eyes can examine the code for flaws. Free Software compromises privacy less for several reasons, usually relating to the fact that it's developed by the people for the people, and because no aspect of it can be hidden from public scrutiny. No "Registration Wizard" scandals have happened with Linux and FreeBSD, for example. The operating systems are too decentralized. Since there is no big beneficiary as a design ideal, these things just don't happen.
But what came about over this past weekend went pretty much beyond even my skeptical belief. And with good reason: The hype is way out of proportion with reality. The _NSAKEY problem is not in reality a "back door".
The real issue being opened up here is actually that strong encryption software can now be digitally signed by just about anyone, when legally only Microsoft was supposed to be able to sign it. The problem is that the words "back door" are being used just about everywhere, and without justification from what I can tell.
It's not a back door, according to most security experts. It is, rather, a flawed system that unintentionally allows the export of 128-bit encryption.
The justification for the outrage lies in the precedent set by two huge, dissimilar entities: Microsoft and the NSA. Foreign countries have a lot of reasons to mistrust the NSA. Likely a lot of the problems were related to its Echelon project and the scandal surrounding Crypto AG. That alone gives you enough reason: if you are living outside of the United States, the words NSA and trust probably don't fit together in your vocabulary.
The second entity in the list, Microsoft, has had so many security breaches this year that I won't even bother to list them here. I did that in a previous article and it was outdated in two days. People don't trust Microsoft for a variety of reasons, ranging from deliberate malicious insertion of programming mechanisms that go against the morality of the Free Software movement, to just simple ineptitude when it comes to Internet security in general. As one of my friends pointed out to me the other day: It doesn't matter, it's bad enough either way.
The problem, in case you haven't ventured near a web browser lately and have just accidentally clicked upon my article without reading just about every other news topic, is that some security experts found that there were two sets of keys to the security systems that have shipped with most Microsoft products since the Internet became popular. These experts cried foul and said that the NSA likely owned the second set of keys, since they were clearly labeled "_NSAKEY" in the program's symbols.
Virtually overnight, most people reporting news outside of the US cried foul. Microsoft answered the claim with a claim of their own: the keys were not NSA keys - they were a set of "backup" keys inserted there in case the first set was lost. Now we have a second wave of outrage brewing, because this answer doesn't add up either. A lot of security experts don't believe it.
Microsoft may be right about their reasons for a second key, however. It could very well be a plausible explanation. Yes, you read that right, I might just be giving them a bit of credit for possibly, and I use the term loosely here, telling the truth.
But the timing couldn't possibly be worse for them. No sooner had the blowtorches been fired up over the Hotmail and Java engine scandals than this had to rear its ugly head. I'm sure it would have ridden the waves a bit more smoothly had the seas been allowed to calm somewhat.
Maybe that's why Microsoft wants to call its replacement for Java "cool". It all makes sense now. Hot mail and Hot Java problems could use some kind of a marketing twist to sway the public's attention in some other direction.
Here's where the trouble begins as far as I'm concerned.
How can you trust Microsoft? How can a non-US country trust the NSA? Given the track record of either entity, it's no wonder there is such a stink about this. It may be overblown, given that it is not a back door. The problem is that we have no way of knowing whether there actually is a back door. Worse yet, given what Microsoft has had to say about the above incident, an even bigger problem arises.
Let's follow this problem to its likely conclusion. If you have sensitive data that you are trying to secure, and let's even go as far as to say that you are an American, who would you trust more? Microsoft or the NSA? Given the past blunders of Microsoft (to learn more on this subject, I recommend VCNET's Boycott Microsoft website) and even the fact that I'm not much of a fan of government intervention, I'd choose the government. By the way, my machine is Linux based and firewalled, if that tells you anything about my true choice in the matter.
But this is reality, remember? Most people are not like me; they run Windows. And here is the crux of the problem - they haven't even had that choice, Microsoft or the Government. Microsoft is calling the shots here. They can install whatever they want. Their operating system is closed off, and no one knows what's in there. Even though this scandal doesn't appear to be a real back door, and I do believe them in regard to that matter, I don't know what to make of what they are saying about the second set of keys.
The explanation that it's a backup set of keys just happens to be what they are touting as the truth at the moment. Just last week, they made a big stink about how they wouldn't support server based applications because of security concerns. A couple of days later, since Sun appeared to be doing so well with the media, they changed their tune, and said that they had been planning to release software just like Sun's all along.
Which one is the "truth"? We cannot know. The truth doesn't seem to matter much when marketing issues are at stake.
Years of issues such as this have led to a horrible problem: Microsoft has sunk below the NSA on the trust issue as far as I'm concerned - and I don't appear to be alone in that perception. I can understand why a good portion of the world would not like our security agencies looking at anything that was supposed to be encrypted. But the reality is stranger than fiction here: Why have they been so willing to trust Microsoft instead?
To our government: How can you trust software that doesn't provide clear security APIs? Microsoft has not even followed through with a scheme that protects the intentions of the government in this case. However misguided they were, or however debatable this issue is, export of 128-bit encryption wasn't supposed to be legal. That might be just a "bug" or an "issue" to Microsoft, but it's a pretty big "whoops" on their part. Sorry to say, somebody might have caught that whoops if it were Free Software with open source code.
Of course, the whole world would be able to have 128-bit encryption if the subsystem were open source, but that's what has happened anyway now, hasn't it?
To the NSA: You've entrusted Microsoft with the control of 128-bit encryption, and due to a programming flaw anyone apparently can run it now. Who are you going to trust in the future?
No, of all the things I've been screaming from the rooftops, this one is the most grave. Yes, it's a great illustration for Free Software with open source code. It demonstrates the problem quite well. Possibly we should actually thank Microsoft for being such a bad example in this particular case.
Maybe Microsoft will make available a "service pack" to fix this problem. If they feel like it, that is.
People will likely load it as soon as they can and do nothing else to halt the problem, because they have practically no hope of patching their systems without the "help" of Microsoft. There is supposedly a fix, if you look at the security alert that started this whole thing. Given the past track record of things that circumvent Microsoft's intentions, I would trust that fix only until the next release of a service pack or version upgrade. In other words, what Microsoft doesn't want doesn't last. They control the product from behind an information firewall: the obscurity of the source code from easy access.
Ask yourself these questions, especially if you have trusted Microsoft in the past. Ask yourself whether you want any more "help". Isn't it time you used a product that doesn't contain hidden interfaces and provides you with more security and fewer privacy-compromising opportunities? Isn't it time you used Linux or FreeBSD? Isn't it time you switched to some new paradigm that allows you to "help" yourself?
Microsoft would excuse this action as a simple labeling mistake or rather an "unfortunate name", without addressing the true implications of the true problem. This isn't a mistake that can be simply forgotten. We can no longer trust code such as this to run our government institutions. It's simply too insecure, and possibly worse than insecure, it might have real back doors that we cannot know about. We will never know unless the code is up for public scrutiny.
Given the millions of lines of code in Windows 2000, even that task sounds pretty expensive. No, the Microsoft development model has gone from being outdated to out-tolerated. We can no longer stand for this kind of "development". We as a group of net citizens cannot afford the risks involved.
No matter how much stamping of feet, no matter how much lobbying, it's gone from "The Net" to "All The President's Men". Suddenly, things are not a science fiction movie or a joke. Suddenly, things are very, very, frighteningly real.
The Free Software movement may have its problems. It may make some things more complex. Its costs in this matter are far outweighed by those of the alternative.
Without going any further here, I must seriously say that not every Microsoft employee can have bad intentions. They are not a collective of mindless souls. But taken as a group, and given this bad paradigm from which to develop software, their worst actions get branded upon the whole, almost in the same manner that a country's actions get branded upon its members.
Given the flagrant abuses of antitrust laws that pretty much insulted the intelligence of the listener during the recent trial, I can only say that it also appears that some people inside that company feel that they have a different set of laws to go with their small but powerful mini-state.
And what of the excuse that Microsoft simply put those keys there to better serve their customers? Isn't this almost the exact same excuse they gave when they were caught with their "registration wizard", which phoned home user- and market-sensitive data when the buyer registered Windows 95/98?
It's now time to petition your government to use Free Software with open source code. No longer can we afford to open our mission critical and government operations to these kinds of potential blunders. It's beyond imagination. It's beyond common morality.
We simply cannot afford to let a large corporation have the keys to our sensitive data.
Why? Because there is no way of knowing if this kind of action is beyond Microsoft.