Wired: Debate flares over MS ‘Spy Key’

“Questions lingered Friday over whether or not security experts
overreacted to a scientist’s charge that Microsoft built a backdoor
in Windows for a US spy agency to enter. Microsoft vehemently
denied the claims of Andrew Fernandes, chief scientist for security
software company Cryptonym.”

“But Fernandes stood his ground. ‘Some of the things [Microsoft
said] make sense, some of them don’t,’ he said. …’Their story
only kind of makes sense,’ he added. ‘If that is in fact true, it
means their crypto protocol is poor, there is no other word for
it.’ Crypto expert Marc Briceno did have another word for it:

‘I must say I do not believe Microsoft’s present explanation
that the presence of the _NSAKEY corresponds to standard practices
in software development,’ said Marc Briceno, director of the
Smartcard Developer Association. ‘There is no technical reason for
Microsoft to include a second security module verification key in
their operating system … to mark the passing of export
requirements,’ Briceno said.”
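To make Briceno's point concrete: a loader that trusts a second module verification key is, in practice, trusting a second party to sign modules, since anything signed with the private half of that key loads exactly as a vendor-signed module would. The following toy loader, an added example and not code from Microsoft, Wired or Cryptonym, shows that behaviour. It uses textbook RSA over SHA-256 with small runtime-generated primes purely to stay self-contained (not a secure signature scheme); the key names, the constructed module bytes and the `ProviderLoader` class are assumptions, and the example makes no claim about what the real _NSAKEY was actually used for.

```python
"""Toy model of a module loader with two trusted verification keys.

Added illustration (not Windows or CryptoAPI code). Textbook RSA with a
seeded RNG and toy key sizes is used only so the example runs offline.
"""
import hashlib
import random


def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin primality test using the supplied RNG for witnesses."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    """Random prime of exactly `bits` bits (top bit and low bit forced to 1)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def generate_keypair(bits, rng):
    """Return ((n, e), (n, d)). Toy sizes only; 512 bits keeps the
    SHA-256 digest (256 bits) below the modulus."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(module):
    return int.from_bytes(hashlib.sha256(module).digest(), "big")


def rsa_sign(priv, module):
    n, d = priv
    return pow(_digest_int(module), d, n)


def rsa_verify(pub, module, signature):
    n, e = pub
    return pow(signature, e, n) == _digest_int(module)


class ProviderLoader:
    """Accepts a module if its signature validates under ANY trusted key.
    Every entry in `trusted_keys` is therefore a party who can sign modules."""

    def __init__(self, trusted_keys):
        self.trusted_keys = dict(trusted_keys)  # name -> public key

    def verify(self, module, signature):
        """Name of the first trusted key that validates the signature, else None."""
        for name, pub in self.trusted_keys.items():
            if rsa_verify(pub, module, signature):
                return name
        return None

    def load(self, module, signature):
        signer = self.verify(module, signature)
        if signer is None:
            raise PermissionError("module is unsigned or signed by an untrusted key")
        return signer


def demo():
    """Show that a second trusted key is a second signer with equal authority."""
    rng = random.Random(1999)  # fixed seed: toy keys, reproducible run
    vendor_pub, vendor_priv = generate_keypair(512, rng)
    second_pub, second_priv = generate_keypair(512, rng)   # the "second key"
    _, rogue_priv = generate_keypair(512, rng)             # untrusted signer
    loader = ProviderLoader({"vendor_key": vendor_pub, "second_key": second_pub})

    module = b"CONSTRUCTED sample cryptographic service provider image"
    return {
        "vendor": loader.verify(module, rsa_sign(vendor_priv, module)),
        "second": loader.verify(module, rsa_sign(second_priv, module)),
        "rogue": loader.verify(module, rsa_sign(rogue_priv, module)),
        "tampered": loader.verify(module + b"x", rsa_sign(vendor_priv, module)),
    }


if __name__ == "__main__":
    print(demo())
```

The `second` result is the whole point: the loader cannot distinguish a module signed with the second key from one signed by the vendor, so whoever holds that key's private half has the same signing authority. A practical check when auditing such a design is to enumerate every verification key the loader trusts and ask who controls each private key and how it could be revoked.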

“But John Gilmore, a co-founder of the Electronic Freedom
Foundation, said that the case was far from clear. Gilmore
quoted Microsoft’s Scott Culp, who said in a previous Wired News
story that the _NSAKEY was only in place ‘to ensure that we and our
cryptographic partners comply with United States crypto export
regulations.’ Gilmore said that the crypto community has always
wondered what exactly the deal was between NSA and Microsoft that
allows the company to plug strong crypto into software that is sold

“ ‘This key was part of the quid-pro-quo that NSA extracted to
issue the export license. Let’s hear what the whole quid-pro-quo
was and what the key is *actually* used for,’ Gilmore wrote.”