Cryptomym.com: Microsoft, the NSA, and YouSep 08, 1999, 03:56 (1 Talkback[s])
Cryptonym's press release, plus full technical details, plus a program to download to replace the "NSA" key on WinNT and Win2k.
"Between Hotmail hacks and browser bugs, Microsoft has a dismal track record in computer security. Most of us accept these minor security flaws and go on with life. But how is an IT manager to feel when they learn that in every copy of Windows sold, Microsoft may have installed a 'back door' for the National Security Agency (NSA - the USA's spy agency) making it orders of magnitude easier for the US government to access their computers?
While investigating the security subsystems of WindowsNT4, Cryptonym's Chief Scientist Andrew Fernandes discovered exactly that - a back door for the NSA in every copy of Win95/98/NT4 and Windows2000. Building on the work of Nicko van Someren (NCipher), and Adi Shamir (the 'S' in 'RSA'), Andrew was investigating Microsoft's 'CryptoAPI' architecture for security flaws. Since the CryptoAPI is the fundamental building block of cryptographic security in Windows, any flaw in it would open Windows to electronic attack."
"There is good news among the bad, however. It turns out that there is a flaw in the way the 'crypto_verify' function is implemented. Because of the way the crypto verification occurs, users can easily eliminate or replace the NSA key from the operating system without modifying any of Microsoft's original components. Since the NSA key is easily replaced, it means that non-US companies are free to install 'strong' crypto services into Windows, without Microsoft's or the NSA's approval. Thus the NSA has effectively removed export control of 'strong' crypto from Windows."