---

Paul Ferris — Who Has The Key To Your Back Door?

[ The opinions expressed by authors on Linux Today are their
own. They speak only for themselves and not for Linux Today.
]

By Paul
Ferris
, Staff Writer

In the past, I’ve been pretty loud about the problems of
proprietary software in regards to security and
privacy. My
stance is basically this: Free
Software
with the source code available is more secure because
more eyes can examine the code for flaws. Free Software is less
privacy compromising for several reasons, usually relating to the
fact that it’s developed by the people for the people, and because
no aspects can be hidden from public scrutiny. No “Registration
Wizard”
scandals have happened with Linux and FreeBSD for
example. The operating systems are too decentralized. Since there
is no big beneficiary as a design ideal these things just don’t
happen.

But what came about over this past weekend went pretty much
beyond even my skeptical belief. And with good reason: The hype is
way out of proportion with reality. The _NSAKEY problem is not in
reality a “back door”.

The real issue that is being opened up here is actually that
strong encryption can now be digitally signed by just about anyone,
when it was legally only supposed to be signed by Microsoft. The
problem is that the words “back door” are being used just about
everywhere and without justification from what I can tell.

It’s not a back door, according to most security experts. What
it really is is a flawed system that will unintentionally allow
export of 128 bit encryption.

The justification for the outrage lies in the precedent of two
huge dis-similar entities: Microsoft and the NSA. Foreign countries
have a lot of reasons to mistrust the NSA. Likely a lot of the
problems were related to its Echelon
project
and the scandal surrounding Crypto AG. That
gives you enough reason right there if you are living outside of
the United States, the words NSA and trust probably don’t fit
together in your vocabulary.

The second entity in the list, Microsoft, has had so many
security breaches this year that I won’t even bother to list them
here. I did that in a previous article and it was outdated in two
days. People don’t trust Microsoft for a variety of reasons,
ranging from deliberate malicious insertion of programming
mechanisms that go against the morality of the Free Software
movement, to just simple ineptitude when it comes to Internet
security in general. As one of my friends pointed out to me the
other day: It doesn’t matter, it’s bad enough either way.

The problem, in case you haven’t ventured near a web browser
lately, and have just accidentally clicked upon my article without
reading just about every other news topic, is that some security
experts found that there
were two sets of keys to the security systems that have shipped
with most Microsoft products since the Internet became popular
.
These experts cried foul and said that the NSA likely owned the
second set of keys, since they were clearly labeled “_NSAKEY” in
the symbolic code.

Virtually overnight, most people reporting news outside of the
US cried foul. Microsoft answered the claim with a claim of their
own that the keys were not NSA keys – they were a
set of “backup” keys inserted there in case the first set was
lost.
Now we have a second wave of outrage brewing, because
this answer doesn’t add up as well. A lot of security experts don’t
believe it.

Microsoft may be right about their reasons for a second key,
however. It looks like that very well could be a plausible
explanation. Yes, you read that right, I might just be giving them
a bit of credit for possibly, and I use the term loosely here,
telling the truth.

But the timing couldn’t possibly be worse for them. No sooner
had the blow torches been fired up regarding the Hotmail and Java
engine scandals, but this has to rear its ugly head. I’m sure it
would have ridden the waves a bit more smoothly had the seas been
allowed to calm somewhat.

Maybe that’s why Microsoft wants to call its replacement for
Java “cool”. It all makes sense now. Hot mail and Hot Java problems
could use some kind of a marketing twist to sway the public’s
attention in some other direction.

Here’s where the trouble begins as far as I’m concerned.

How can you trust Microsoft? How can a non-US country trust the
NSA? Given the track record of either entity, it’s no wonder there
is such a stink about this. It may be overblown in the regards to
it not being a back door. The problem is that we have no way of
knowing if there actually is a back door. Worse
yet, given what Microsoft has had to say about the above incident,
an even bigger problem arises.

Let’s follow this problem to its likely conclusion. If you have
sensitive data that you are trying to secure, and lets even go as
far as to say that you are an American, who would you trust more?
Microsoft or the NSA? Given the past blunders of Microsoft (to
learn more on this subject, I recommend VCNET’s Boycott Microsoft website) and even
the fact that I’m not much of a fan on government intervention, I’d
choose the government. By the way, my machine is Linux based and
firewalled if that tells you anything about my true choice in the
matter.

But, this is reality, remember? Most people are not like me,
they run Windows. And here is the crux of the problem – they
haven’t even had that choice, Microsoft or the Government.
Microsoft is calling the shots here. They can install whatever they
want. Their operating system is closed off, and no one knows what’s
in there. Even though this scandal doesn’t appear to be a real back
door, and I do believe them in regards to that matter, I don’t know
what to make about what they are saying about the second set of
keys.

The explanation that it’s a backup set of keys just happens to
be what they are touting as the truth at the moment. Just last
week, they made a big stink about how they wouldn’t support server
based applications because of security
concerns
. A couple of days later, since Sun appeared to be doing so well with the
media, they changed their tune, and said that they had been
planning to release software just like Sun’s all
along
.

Which one is the “truth”? We cannot know. The truth doesn’t seem
to matter much when marketing issues are at stake.

Years of issues such as this have led to a horrible problem:
Microsoft has sunk below the NSA in regards to the trust issue as
far as I’m concerned – and I don’t appear to be alone with those
perceptions. I can understand where a good portion of the world
would not like our security agencies looking at anything that was
supposed to be encrypted. But the reality is stranger than fiction
here: Why have they been so willing to trust Microsoft
instead?

To our government: How can you trust software that doesn’t
provide clear security API’s? Microsoft has not even followed
through with a scheme that protects the intentions of the
government in this case. However misguided they were, or debatable
this issue is, export of 128 bit encryption wasn’t supposed to be
legal. That might be just a “bug” or an “issue” to Microsoft, but
it’s a pretty big “whoops” on their part. Sorry to say, somebody
might have caught that whoops if it were Free Software with open
source code.

Of course, the whole world would be able to have 128 bit
encryption if the subsystem were open-source, but that’s what’s
happened anyway now hasn’t it?

To the NSA: You’ve entrusted Microsoft with the control of 128
bit encryption, and due to a programming flaw anyone apparently can
run it now. Who are you going to trust in the future?

No, of all the things I’ve been screaming from the rooftops,
this one is the most grave. Yes, it’s a great illustration for Free
Software with open source code. It demonstrates the problem quite
well. Possibly we should actually thank Microsoft for being such a
bad example in this particular case.

Maybe Microsoft will make available a “service pack” to fix this
problem. If they feel like it, that is.

People will likely load it as soon as they can and do nothing
else to halt the problem because they have practically no hope of
patching their systems without the “help” of Microsoft. There is
supposedly a fix, if you look at the security alert that started
this whole thing. Given the past track record of things that
circumvent Microsoft intentions, I would trust that fix until the
next release of a service pack or version upgrade. In other words,
what Microsoft doesn’t want, doesn’t last. They control the product
from behind an information firewall: the obscurity of the source
code from easy access.

Ask yourself these questions, especially if you have trusted
Microsoft in the past. Ask yourself if you want any more “help”?
Isn’t it time you used a product that doesn’t contain hidden
interfaces and provides you with more security and less privacy
compromising opportunities? Isn’t it time you used Linux or
FreeBSD? Isn’t it time you switched to some new paradigm that
allowed you to “help” yourself?

Microsoft would excuse this action as a simple labeling mistake
or rather an “unfortunate name”, without addressing the true
implications of the true problem. This isn’t a mistake that can be
simply forgotten. We can no longer trust code such as this to run
our government institutions. It’s simply too insecure, and possibly
worse than insecure, it might have real back doors that we cannot
know about. We will never know unless the code is up for public
scrutiny.

Given the millions of lines of code in Windows 2000, even that
task sounds pretty expensive. No, the Microsoft development model
has gone from being out-dated to out-tolerated. We can no longer
stand for this kind of “development”. We as a group of net citizens
cannot afford the risks involved.

No matter how much stamping of feet, no matter how much
lobbying, it’s gone from “The Net” to “All The President’s Men”.
Suddenly, things are not a science fiction movie or a joke.
Suddenly, things are very, very, frighteningly real.

The Free Software movement may have its problems. It may make
some things more complex. It’s costs in this matter far outweigh
the alternative.

Without going any further here, I must seriously say that not
every Microsoft employee can have bad intentions. They are not a
collective of mindless souls. But taken as a group, and given this
bad paradigm from which to develop software, their worst actions
get branded upon the whole almost in the same manner that a
countries actions get branded upon its members.

Given the flagrant abuses of Anti- trust laws that pretty much
begged the intelligence of the listener during the recent trial, I
can only say that it also appears that some people inside that
company feel that they have a different set of laws to go with
their small but powerful mini-state.

And what of the excuse – that Microsoft simply put those keys
there to better service their customers? Isn’t this almost the
exact same excuse they gave when they were caught with their
“registration wizard”, which phoned home user and market sensitive
data when the buyer registered Windows 95/98?

It’s now time to petition your government to use Free Software
with open source code. No longer can we afford to open our mission
critical and government operations to these kinds of potential
blunders. It’s beyond imagination. It’s beyond common morality.

We simply cannot afford to let a large corporation have the keys
to our sensitive data.

Why? Because there is no way of knowing if this kind of action
is beyond Microsoft.